Slashdot Mirror

← Back to Stories (view on slashdot.org)

Security Researcher Faces Jail For Finding Bugs

Posted by CowboyNeal on from the full-enclosure dept.

An anonymous reader writes "French security researcher Guillaume Tena, who is working at Harvard University, faces 4 months in prison after being sued by Tegam for reverse engineering its Viguard antivirus software and publishing exploit codes for a number of vulnerabilities. According to a ZDNet article, he could also be sued by Tegam for 900,000 euros in damages. More details are available (in french) on Guillaume's website and on the K-OTik's website."

16 of 726 comments (clear)

  1. Here we go by lordkuri · · Score: 5, Insightful

    And now we have people getting arrested for pointing out someone else's mistake...

    When did greed become more important than helping someone?

  2. If I break in your car... by Anonymous Coward · · Score: 5, Insightful
    with the same techniques AAA uses when some mom forgets her keys in the ignition, I'd be arrested.


    Most physical security (house locks, car locks, office building locks) is indeed "security through harsh penalties", where the locks are really not much more than an advisory symbol saying "don't do this".

    1. Re:If I break in your car... by Seumas · · Score: 5, Insightful

      If I break in your car with the same techniques AAA uses when some mom forgets her keys in the ignition, I'd be arrested.

      If you bought a car, figured out some ways to break into YOUR OWN CAR, then published those ways to alert other consumers as to the lack of security the car has, should you still be arrested?

    2. Re:If I break in your car... by Anonymous Coward · · Score: 5, Insightful

      With software, you only own the right to use one instance of it - right to use, not right to do whatever you want.

      Copyright stops you from copying. It does not prevent you from looking at the inner workings of something.

      A book critic can find fault in the language the author uses. A music critic can find fault in the way an instrument is played. A journalist can find fault in the actions of soldiers. Why can't a software engineer find fault in the software he looks at? Oh, that's right, it's e-magical so we have to come up with entirely new sets of laws and ethics.

    3. Re:If I break in your car... by God!+Awful+2 · · Score: 5, Funny

      Me, I truly believe information should be free, and only personal information (like, your bank account #'s, passcodes, etc) has any business being private. I'm a big supporter of all our little neo-communist mechanisms in the OSS movement. But really...don't get ownership of a car confused with ownership of software.
      Wow, you wrote a post on /. that:

      1. stated that software is *not* like a car
      2. mentioned OSS and communism in the same sentence

      and you were modded informative, not flamebait?!? You, my friend, are truly a god among gods.

      -a

      --
      /. users can't
  3. This would set a terrible precedent (in France...) by Anonymous Coward · · Score: 5, Insightful

    Reverse Engineering isn't illegal, certainly finding that "Unlike the advertising claimed, this software didn't detect and stop '100 percent of viruses'" isn't illegal, surely it should be lauded.

    The company had two options. Take on board the issues and fix them, or get in a hissy fit. They got in a hissy fit. Well done. Instead of responding to issues that software does have in an adult manner, they've just made themselves look petty and bad.

  4. Re:What's next? by __int64 · · Score: 5, Funny

    No, but these two chicks up stairs will be if they keep it up...

  5. Re:He got what he deserved by furiousgeorge · · Score: 5, Insightful

    SO i guess by your logic, you should be able to sell anything you want, and people shouldn't be allowed to point out bugs or flaws because you might not like it?

    Tough Shit.

  6. Chilling Effect by grcumb · · Score: 5, Funny

    Stories like this are just the Slashdot editors' way of warning us to shut up already about the Firefox rendering errors on this site. 8^)

    --
    Crumb's Corollary: Never bring a knife to a bun fight.
  7. same difference by Doc+Ruby · · Score: 5, Insightful

    Actually, companies usually don't take any different stance when they're notified of their bugs before public disclosure. But at least that gives them the chance. So when published, the disclosure leaves them no recourse to this diseased retaliation; they are more pressured to fix it instead of making matters worse by killing the messenger. In this case, the messenger (apparently) made matters worse, by disclosing publicly (including bad guys) before giving the company a chance to fix the problem. That is a crucial distinction between his somewhat reckless actions and those of other whistleblowers. Integrity demands reporting to the people who can fix the problem first. Even if they do fix it, the vulnerabilities can be published later, to embarass the company out of doing it again amidst even worse publicity. If they don't fix it quick, of course publishing is an option to force them. Unfortunately, I doubt the "group mind" of our media will make the distinction, and we'll all get polarized over the oversimplification of whether or not disclosure is ever appropriate without permission of the malware copyright holders.

    --

    --
    make install -not war

    1. Re:same difference by grcumb · · Score: 5, Insightful

      "Actually, companies usually don't take any different stance when they're notified of their bugs before public disclosure. But at least that gives them the chance. So when published, the disclosure leaves them no recourse to this diseased retaliation; they are more pressured to fix it instead of making matters worse by killing the messenger. In this case, the messenger (apparently) made matters worse, by disclosing publicly (including bad guys) before giving the company a chance to fix the problem. That is a crucial distinction between his somewhat reckless actions and those of other whistleblowers."

      That's a really decent analysis. Thank you for that. The distinction between acting responsibly and acting foolishly is often a little difficult to discern, especially at first glance.

      The thing that upsets me, though, is that apparently foolhardiness by the whistle blower carries a penalty of over USD 1 million and potential jail time, whereas the (arguably criminal) negligence of software makers seems to carry no cost at all.

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
  8. karma by frovingslosh · · Score: 5, Funny

    It will all work out. Next time a virus writer gets caught he'll both sue Tegam and have their officer's arrested for reverse engineering his code.

    --
    I'm an American. I love this country and the freedoms that we used to have.
  9. You miss the point entirely... by jrl · · Score: 5, Insightful

    The vulnerability advisory is for the protection of the consumer. It is not to punish the software writer.

    When it comes to vulnerabilities, it is presumptuous to assume that you are the first to discover the bug. We have discovered countless bugs that we've never disclosed to anyone... partly because of fear of this type of retaliation, but mostly due to apathy to the whole mess we call the security industry.

    Whether you inform the vendor first or not is really not consequential. Those who are keeping up to date with information will know about the vulnerability when it becomes public in an advisory and can take their own appropriate actions to defend, even if that means take the resource offline until a patch is made available.

    An uninformed person will not only miss the advisory, but will likely miss the patch as well.

    Also, don't overlook the fact that the vendor is not in control of the information. Since they are not finding the bugs, they are not going to be able to contain the information. This is especially true when "bad" people find and control the information. When a "good" person, IE someone who is sharing the information freely with the public without direct financial gain, decides to donate their time for your benefit, you should respect them and look favorably upon them.

    I don't really care either way, but if I had to choose I'd rather see full and immediate disclosure rather than the find a problem, alert the vendor, and sit there policy that companies are forced to endure.

    It turns out people really like to keep their heads buried in the sand. If they don't know about a problem, maybe it doesn't exist? Darn .. what happened to our customer database... what does "Hacked by Chinese" mean exactly?!?!?!?

  10. Re:The devil is in the details by Pofy · · Score: 5, Insightful

    >Yes, but the kinds of things that make contracts
    >void are very few indeed.

    How about someone forcing you to agree to it so that you can use something you bought? Imagine next time you buy a TV, get how, and then find a piece of paper stuck on top of were to plug the antenna in. It says that by removing the piece of paper you agree that the TV is not yours, that they can come and pick it back whenever they want, and that they WILL do it if you watch channels that are not theirs or try to figure out how it works in any way and so on...

  11. Where is James T. Kirk when we need him?! by flargleblarg · · Score: 5, Funny

    And my guess is, that's exactly what will happen. The company made a mistake by producing flawed software. The researcher didn't make that mistake, only pointed it out. With these flaw(s) pointed out, the company didn't handle it in a grown-up manner. Instead of fixing the mistake, focusses on attacking the messenger. Dumb: mistake #2, again made by the company. And only makes the problem worse.

    KIRK: "Tegam, what is your purpose?"

    TEGAM: "We are Te-Gam. We produce perfect software. We sterilize imperfections."

    KIRK: "Tegam, you produced flawed software. You are imperfect.

    TEGAM: "We are Te-Gam. We are perfect. We sterilize imperfections."

    KIRK: "Tegam, you produced flawed software. That was your first mistake. You released the software without realizing this. That was your second mistake."

    TEGAM: "Error! Error!"

    KIRK: "Tegam, you handled the Tena situation in a childish manner. Instead of fixing your mistake, you focused on attacking the messenger. You sued the messenger. That was your third mistake.

    TEGAM: "Error! Error! Faulty! Faulty! Must sterilize!"

  12. The company's position by Beryllium+Sphere(tm) · · Score: 5, Informative

    For anyone interested, just for the sake of presenting both sides, here is the Tegam response.