Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Researcher Faces Jail For Finding Bugs

Posted by CowboyNeal on from the full-enclosure dept.

An anonymous reader writes "French security researcher Guillaume Tena, who is working at Harvard University, faces 4 months in prison after being sued by Tegam for reverse engineering its Viguard antivirus software and publishing exploit codes for a number of vulnerabilities. According to a ZDNet article, he could also be sued by Tegam for 900,000 euros in damages. More details are available (in french) on Guillaume's website and on the K-OTik's website."

36 of 726 comments (clear)

  1. Here we go by lordkuri · · Score: 5, Insightful

    And now we have people getting arrested for pointing out someone else's mistake...

    When did greed become more important than helping someone?

    1. Re:Here we go by smokeslikeapoet · · Score: 4, Insightful

      Lets get this straight. Lets say Consumer Reports did a review of 4 safes: Safe A and Safe B can be opened with a fingernail file, Safe C can be opened with a bobby pin. Safe D was inpenatrable with known methods, so buy that one.

      Should Consumer Reports, their reporters, or editors be criminaly or finacially liable for posting the exploits? Should they contact the manufacturer and not inform the public? Should they be applauded and rewarded for offering the consumer a service? I'm sure your smart enough to figure out the answer there.

      If my antivirus software or firewall isn't secure than I sure as hell want to know about it!!!

  2. What were his intentions? by linolium · · Score: 4, Insightful

    This was definitely unfair and uncalled for if his intention was to notify the company of their product's defects, or if he already did but got no response. On the other hand, if he only wanted to hinder the company, he is at fault. But even then, he's got a pretty harsh reprimand.

    1. Re:What were his intentions? by khrtt · · Score: 4, Interesting

      What were his intentions?

      Who gives a fuck?

      If you are a security researcher, you look for security holes, right? If you are a responsible researcher, and you find some security holes, you better publish them, right? Right? RIGHT?

      WRONG!! Hear ya, hear ya, hear ya, from now on doing the responsible thing will get you jail time, and a stiff $900,000 bill. From now on, the right, responsible, thing to do when you find security holes is to sell them to spam virus hackers. That way you:

      1. Never get caught.
      2. Profit (note lack of ... item).

      No moral problems either, since the company who looses is the bunch of asshats who'd put you in jail for pointing out their bug, and the people who get spammed are the same shitheads that made the stupid law possible.

      Fuck, I'm pissed. Better go drink my milk. Good thing I'm not a security researcher.

  3. What's next? by DamienNightbane · · Score: 4, Insightful

    Will the little Dutch boy be executed for sticking his finger in the dike?

    1. Re:What's next? by __int64 · · Score: 5, Funny

      No, but these two chicks up stairs will be if they keep it up...

  4. If I break in your car... by Anonymous Coward · · Score: 5, Insightful
    with the same techniques AAA uses when some mom forgets her keys in the ignition, I'd be arrested.


    Most physical security (house locks, car locks, office building locks) is indeed "security through harsh penalties", where the locks are really not much more than an advisory symbol saying "don't do this".

    1. Re:If I break in your car... by Seumas · · Score: 5, Insightful

      If I break in your car with the same techniques AAA uses when some mom forgets her keys in the ignition, I'd be arrested.

      If you bought a car, figured out some ways to break into YOUR OWN CAR, then published those ways to alert other consumers as to the lack of security the car has, should you still be arrested?

    2. Re:If I break in your car... by eliza_effect · · Score: 4, Interesting

      Actually, there are quite a few models of domestic cars (mainly minivans) out durring the late 80s and early 90s that use only about five different key cuts and remote (door open) codes.

      I'll wait patiently here for the police.

    3. Re:If I break in your car... by AvitarX · · Score: 4, Interesting

      I had a 93 Saturn SL2 with a worn out key (probobly helped).

      I was at the mall and in the general area of my car gravitated to a maroon SL2, unlocked the door started to get in and noticed it was far too clean and had seat covers. I quickly got out and nervously tried to relock the door, but my key did not spin so I left. I didn't want to get into trouble for an honest mistake.

      One time I also locked my keys in the car at a gas station. The attendand was unable to slim jim the door but went back into the shop and got a small saw zaw blade (or maybe a blade for a scrolling saw) with fairly big teeth. It was a little taller then a key but the teeth were about the right size. The attendant then stuck this into the key whole and jiggled for a about 30 seconds while turning and I was in. It took a few minutes to get the blade out though due to the fact that the teether were only slanted on one side.

      Of course getting into cars ain't all that tricky anyway (big windows) and I can't speak for the ignitions.

      --
      Wow, sent an e-mail as suggested when clicking on "use classic" banner, and got a fast response that addressed my msg
    4. Re:If I break in your car... by barc0001 · · Score: 4, Insightful

      He lives in Winnipeg. Car theft capital of Canada right behind Surrey and Regina. It was only a matter of time regardless.

      But to address your argument at face value, is it :

      a) better to have a hidden flaw that is only known to criminals (which is undoubtedly where the Sun heard about it from) that is built into cars for years to come, providing hundreds of thousands of easy targets...
      or
      b) expose the flaw to daylight and both force the manufacturer to do something about, and alert all owners of said existing cars to the problem so they can buy additional anti-theft devices.

      I mean, come on. If we replace the word "theft" with "car has tendancy to spontaneously explode, killing occupants in a fiery inferno of doom", everyone and their dog would be lining up to lynch any bastard who tried to defend option a.

      I don't know about you, but I would always prefer to know well in advance if my car was either easy to steal or about to explode.

    5. Re:If I break in your car... by Anonymous Coward · · Score: 5, Insightful

      With software, you only own the right to use one instance of it - right to use, not right to do whatever you want.

      Copyright stops you from copying. It does not prevent you from looking at the inner workings of something.

      A book critic can find fault in the language the author uses. A music critic can find fault in the way an instrument is played. A journalist can find fault in the actions of soldiers. Why can't a software engineer find fault in the software he looks at? Oh, that's right, it's e-magical so we have to come up with entirely new sets of laws and ethics.

    6. Re:If I break in your car... by AK+Marc · · Score: 4, Informative

      That's a condition of installing/using the software.

      But not a condition of sale, and they won't let you return the software, thus, the EULA is not a legal contract.

      --
      Learn to love Alaska
    7. Re:If I break in your car... by God!+Awful+2 · · Score: 5, Funny

      Me, I truly believe information should be free, and only personal information (like, your bank account #'s, passcodes, etc) has any business being private. I'm a big supporter of all our little neo-communist mechanisms in the OSS movement. But really...don't get ownership of a car confused with ownership of software.
      Wow, you wrote a post on /. that:

      1. stated that software is *not* like a car
      2. mentioned OSS and communism in the same sentence

      and you were modded informative, not flamebait?!? You, my friend, are truly a god among gods.

      -a

      --
      /. users can't
    8. Re:If I break in your car... by Feztaa · · Score: 4, Funny

      I don't know about you, but I would always prefer to know well in advance if my car was either easy to steal or about to explode.

      Ahhhhh, but if it was both easy to steal and about to explode, well, that problem just sort of solves itself, no?

  5. This would set a terrible precedent (in France...) by Anonymous Coward · · Score: 5, Insightful

    Reverse Engineering isn't illegal, certainly finding that "Unlike the advertising claimed, this software didn't detect and stop '100 percent of viruses'" isn't illegal, surely it should be lauded.

    The company had two options. Take on board the issues and fix them, or get in a hissy fit. They got in a hissy fit. Well done. Instead of responding to issues that software does have in an adult manner, they've just made themselves look petty and bad.

  6. FYI by daveschroeder · · Score: 4, Informative

    Just to stave off any rants, this was not US law, a US court, or a US company. He happens to be working "at Harvard" now, but this matter has apparently been taken up in France.

    1. Re:FYI by scotch · · Score: 4, Funny

      You should do something about that cough - maybe see a doctor? I know when I cough, it's never so bad that I type out the noises. Perhaps you're using one of those voice recognition software systems? Best of luck and good health to you.

      --
      XML causes global warming.
  7. Re:He got what he deserved by furiousgeorge · · Score: 5, Insightful

    SO i guess by your logic, you should be able to sell anything you want, and people shouldn't be allowed to point out bugs or flaws because you might not like it?

    Tough Shit.

  8. Chilling Effect by grcumb · · Score: 5, Funny

    Stories like this are just the Slashdot editors' way of warning us to shut up already about the Firefox rendering errors on this site. 8^)

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  9. same difference by Doc+Ruby · · Score: 5, Insightful

    Actually, companies usually don't take any different stance when they're notified of their bugs before public disclosure. But at least that gives them the chance. So when published, the disclosure leaves them no recourse to this diseased retaliation; they are more pressured to fix it instead of making matters worse by killing the messenger. In this case, the messenger (apparently) made matters worse, by disclosing publicly (including bad guys) before giving the company a chance to fix the problem. That is a crucial distinction between his somewhat reckless actions and those of other whistleblowers. Integrity demands reporting to the people who can fix the problem first. Even if they do fix it, the vulnerabilities can be published later, to embarass the company out of doing it again amidst even worse publicity. If they don't fix it quick, of course publishing is an option to force them. Unfortunately, I doubt the "group mind" of our media will make the distinction, and we'll all get polarized over the oversimplification of whether or not disclosure is ever appropriate without permission of the malware copyright holders.

    --

    --
    make install -not war

    1. Re:same difference by grcumb · · Score: 5, Insightful

      "Actually, companies usually don't take any different stance when they're notified of their bugs before public disclosure. But at least that gives them the chance. So when published, the disclosure leaves them no recourse to this diseased retaliation; they are more pressured to fix it instead of making matters worse by killing the messenger. In this case, the messenger (apparently) made matters worse, by disclosing publicly (including bad guys) before giving the company a chance to fix the problem. That is a crucial distinction between his somewhat reckless actions and those of other whistleblowers."

      That's a really decent analysis. Thank you for that. The distinction between acting responsibly and acting foolishly is often a little difficult to discern, especially at first glance.

      The thing that upsets me, though, is that apparently foolhardiness by the whistle blower carries a penalty of over USD 1 million and potential jail time, whereas the (arguably criminal) negligence of software makers seems to carry no cost at all.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  10. The real question is... by stubear · · Score: 4, Interesting

    ...will the US extradite him given our decreasing friendly relations with France?

  11. Re:He got what he deserved by isometrick · · Score: 4, Interesting

    From the article: "To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realised that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site. Then Ford could file a complaint against me," added Tena.

    If he gave them due notice (it wasn't indicated in TFA), then there is nothing wrong with him posting the exploits.

    Otherwise, he is just grandstanding. Pretty much all projects (FOSS included) classify security bugs until a patch or workaround has been worked out. After it has been fixed, though, I think there is an obligation to the users to let them know what happened.

  12. By this logic... by earthforce_1 · · Score: 4, Insightful

    Ralph Nader should have been sued for publishing information on verifiable safety problems and inaccurate odometers in automobiles. Ditto for the one who first broke the story about a certain brand of tire failing on a certain manufacturers SUVs, causing death and injury.

    --
    My rights don't need management.
  13. Re:Bad analogy by Anonymous Coward · · Score: 4, Insightful
    The analogy also doesn't hold because it isn't like "opening the hood" (though I wonder why you'd open the hood to inspect the brakes, but I digress) and taking a look. It is more like he hooked up wires to the control box and did a packet scan on the computer signals in the computer.

    Which should be equally encouraged.

    If it becomes illegal for people to figure out how things work, we'll find ourselves living in a society of morons (even more than now).

  14. karma by frovingslosh · · Score: 5, Funny

    It will all work out. Next time a virus writer gets caught he'll both sue Tegam and have their officer's arrested for reverse engineering his code.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  15. You miss the point entirely... by jrl · · Score: 5, Insightful

    The vulnerability advisory is for the protection of the consumer. It is not to punish the software writer.

    When it comes to vulnerabilities, it is presumptuous to assume that you are the first to discover the bug. We have discovered countless bugs that we've never disclosed to anyone... partly because of fear of this type of retaliation, but mostly due to apathy to the whole mess we call the security industry.

    Whether you inform the vendor first or not is really not consequential. Those who are keeping up to date with information will know about the vulnerability when it becomes public in an advisory and can take their own appropriate actions to defend, even if that means take the resource offline until a patch is made available.

    An uninformed person will not only miss the advisory, but will likely miss the patch as well.

    Also, don't overlook the fact that the vendor is not in control of the information. Since they are not finding the bugs, they are not going to be able to contain the information. This is especially true when "bad" people find and control the information. When a "good" person, IE someone who is sharing the information freely with the public without direct financial gain, decides to donate their time for your benefit, you should respect them and look favorably upon them.

    I don't really care either way, but if I had to choose I'd rather see full and immediate disclosure rather than the find a problem, alert the vendor, and sit there policy that companies are forced to endure.

    It turns out people really like to keep their heads buried in the sand. If they don't know about a problem, maybe it doesn't exist? Darn .. what happened to our customer database... what does "Hacked by Chinese" mean exactly?!?!?!?

  16. Poor phrasing by rumblin'rabbit · · Score: 4, Interesting
    The article says that he faces 4 months in prison after being sued by Tegam.

    The wording seems to imply that he was being sent to prison as a consequence of being sued, but even in France I imagine there's a clear distinction between civil and criminal law. Or have they brought back debtor's prison?

  17. The damage is done, and company's own fault by Alwin+Henseler · · Score: 4, Insightful
    If the software maker presses this upon the researcher, the customers need to press the software maker.

    And my guess is, that's exactly what will happen. The company made a mistake by producing flawed software. The researcher didn't make that mistake, only pointed it out.

    With these flaw(s) pointed out, the company didn't handle it in a grown-up manner. Instead of fixing the mistake, focusses on attacking the messenger. Dumb: mistake #2, again made by the company. And only makes the problem worse.

    So customers may drop the product because it's flawed, stay away from the product/company because it's gaining a bad reputation, and because they dislike the company's response to the issue. Either way, all losses are caused by the company's actions, not by the researcher.

    Regardless of the outcome, any company that handles software quality in this manner deserves to be dropped like a brick. Let's hope the (financial) fall-out for this company will be big.

  18. Not just overseas, shoot first in America too by mmmbeer · · Score: 4, Interesting

    This is not an incident which happens overseas only either. A collegue and I contacted an online corportation regarding their trivial XOR encryption of credit card information from its clients, and included exploit code.

    (long story deleted)
    This US company claimed because I had exploit code, I was in posession of its clients credit card numbers and was attempting to extort said company for cash and source code. I got a serious grilling from the FBI, who informed me that I did the wrong thing by reverse engineering their billing code and finding how easy it was to decrypt it.

    I guess the basic idea is that if something is insecure, noone should ever try to get it fixed.

  19. Re:The devil is in the details by Pofy · · Score: 5, Insightful

    >Yes, but the kinds of things that make contracts
    >void are very few indeed.

    How about someone forcing you to agree to it so that you can use something you bought? Imagine next time you buy a TV, get how, and then find a piece of paper stuck on top of were to plug the antenna in. It says that by removing the piece of paper you agree that the TV is not yours, that they can come and pick it back whenever they want, and that they WILL do it if you watch channels that are not theirs or try to figure out how it works in any way and so on...

  20. Where is James T. Kirk when we need him?! by flargleblarg · · Score: 5, Funny

    And my guess is, that's exactly what will happen. The company made a mistake by producing flawed software. The researcher didn't make that mistake, only pointed it out. With these flaw(s) pointed out, the company didn't handle it in a grown-up manner. Instead of fixing the mistake, focusses on attacking the messenger. Dumb: mistake #2, again made by the company. And only makes the problem worse.

    KIRK: "Tegam, what is your purpose?"

    TEGAM: "We are Te-Gam. We produce perfect software. We sterilize imperfections."

    KIRK: "Tegam, you produced flawed software. You are imperfect.

    TEGAM: "We are Te-Gam. We are perfect. We sterilize imperfections."

    KIRK: "Tegam, you produced flawed software. That was your first mistake. You released the software without realizing this. That was your second mistake."

    TEGAM: "Error! Error!"

    KIRK: "Tegam, you handled the Tena situation in a childish manner. Instead of fixing your mistake, you focused on attacking the messenger. You sued the messenger. That was your third mistake.

    TEGAM: "Error! Error! Faulty! Faulty! Must sterilize!"

  21. The company's position by Beryllium+Sphere(tm) · · Score: 5, Informative

    For anyone interested, just for the sake of presenting both sides, here is the Tegam response.

  22. Time to stop. by killjoe · · Score: 4, Insightful

    It's high time people stopped informing companies about security holes. It's perfectly OK to let the coders of open source projects know about security holes because they are not going to sue you. If you find a hole in a commercial product just announce it anonymously on the usenet and let it go.

    --
    evil is as evil does
  23. not exploits, exploit CODE by dirk · · Score: 4, Insightful

    The main thing here is that he didn't point out bugs in software, he published code that would take advantage of these bugs. For all the people making the car comparison, he didn't notice a problem that would let you unlock a car without the key, he made something that would take advantage of the problem and let you unlock any car without the key. There's a big difference between publishing bugs you find, and actually publishing code that will take advantage of the bug. Even example exploit code serves as a blueprint for any person who wants to modify it to do something worse with it.

    I have no problem with saying there is a bug in software and giving information about it. I do have a problem with someone releasing code that take advantage of said bug.

    --

    "Information wants to be expensive" - Stewart Brand, the same guy who said "Information wants to be free"