Slashdot Mirror


Publishing Exploit Code Ruled Illegal In France

Dexter writes "A French Court has condemned the security researcher Guillaume Tena for publishing a security vulnerability in the Viguard anti-virus software of Tegam. This ruling makes the publication of security vulnerabilities and their proof of concept through reverse engineering illegal in France."

28 of 362 comments

  1. French Court: "Surrender Now" by fembots · · Score: 5, Informative

    What good is it to publish software vulnerability, especially on closed source products?

    If one really wants to help, isn't it better to inform the software maker? If the latter couldn't care less, maybe one shouldn't care more?

    However, as the friendly article pointed out, the fine was for a copyright infringement charge, so it looks like you can still publish a vulnerability as long as it is subtle enough.

    1. Re:French Court: "Surrender Now" by mirko · · Score: 2, Informative

      ACBM publishes Pirates Mag which also describes such exploits.
      They once had to postpone one publication for a long time because they deontologically refused to publish a story concerning a product that would not be patched.
      Now it was supposed to help others to protect similar products.

      --
      Trolling using another account since 2005.
    2. Re:French Court: "Surrender Now" by John+Fulmer · · Score: 5, Informative

      The 'good' is that it keeps closed source vendors honest.

      The 'full disclosure' idea came about because of the frustration of sysadmins finding security holes, and not being able to get the vendor to take it seriously.

      Good 'full disclosure' first notifies the vendor, and then if within a reasonable time the vendor takes no action or there is no response you disclose to something like BugTraq.

      It's been the reason that Microsoft and other vendors take such bugs VERY seriously. But they would be more than happy if it all just went away, or was criminalized.

      You decide which is more valuable: A company keeping their PR image spotless, or getting serious software bugs fixed.

    3. Re:French Court: "Surrender Now" by standon · · Score: 2, Informative

      It is better to first caution the software vendor. The ethical question of what to do in the case of ignorant companies is discussed here.

      --
      Sahil
    4. Re:French Court: "Surrender Now" by nurd68 · · Score: 5, Informative

      Actually, if memory serves, MS *does* control these situations. If you are a Microsoft Partner (I don't know at which level this restriction starts, but I think it's just about any partner), then you are required to disclose the vulnerability to Microsoft, and cannot disclose it publicly until Microsoft allows you to. Failure to adhere to this results in a loss of your favored status.

    5. Re:French Court: "Surrender Now" by Mattcelt · · Score: 3, Informative

      Remember that this is the country that for a LONG time outlawed encryption outright. Businesses couldn't even use it to protect their internal communication... Then they complained when the US NSA got wind of some less-than-honest business practices Airbus was using to get a contract.

      They might be vying with the Aussie minister for the "world's biggest luddite" award...

      And as for the google debacle... if I were Google, I'd consider pulling out of France altogether. Let them see what a world without Google is like.

      It's not that I don't like the French, but geez, they seem to be exceeding the limits of common sense lately.

    6. Re:French Court: "Surrender Now" by DunbarTheInept · · Score: 1, Informative

      Because it's really annoying to find that because of someone's misguided notion of "user-friendly", you can no longer type a bit of text that looks like a URL WITHOUT having it become a clickable link.

      --

      Don't label something "offtopic" unless you know the topic well enough to tell what's on topic.

    7. Re:French Court: "Surrender Now" by Anonymous Coward · · Score: 1, Informative

      Luddites?

      Remember, France was where the word 'Saboteur' was invented, describing people who disabled the automated cloth-weaving mills by throwing their wooden clogs (sabots) into the works.

      Incidentally said cloth-weaving mills being made possible by another Frenchman's invention, the Jacquard loom, controlled by punch-cards.

      See, of course, saboteur and Jacquard Loom

    8. Re:French Court: "Surrender Now" by Makoss · · Score: 2, Informative

      Because if an account is compromised, then at the very least they will probably be able to mount a somewhat effective Denial Of Service. That, though it may not kill the server (depending upon what sort of restrictions are placed on the applications), will decrease its usefulness and may be enough to push it from 80% load to 120% load.

      Obviously not as bad as if they got a root account, but still annoying that other people's incompetence could bring down your site.

      --
      Building a better backup.
      Zettabyte Storage
    9. Re:French Court: "Surrender Now" by Noryungi · · Score: 4, Informative

      Anyone on Slashdot have an understanding of the principles of French Law?

      Yes, I do. I'll try to answer your questions as best as I can.

      What sort of constitutional free speech protection does a French citizen have?

      Free speech is guaranteed, under French law, through (a) the 1789 Declaration of Human Rights, which is a part of the 1958 V Republic Constitution (Google is your friend if you want an English Translation of this text), (b) the UN Charter on Human Rights, of which France is a part and (c) the different European Community treaties, which also protect free speech.

      Please note: The biggest difference with American Law is that 'hate speech' (anti-semitism, racism, fascism, nazism, Holocaust denials, etc) is specifically forbidden under French Law, and will be prosecuted. Anything else is allowed, except that the French government also reserves the right to censor publications in the name of 'national interest' (read: secrets of state). This censorship is very rarely used these days, however.

      Does this ruling actually set any sort of precedent? That would be bad news for both freedom of speech and academic freedoms.

      French Law does not recognize 'precedents'. It recognizes the primacy of law (vs precedents) and French courts do not have to follow precedents (previous decisions) taken by other courts, in the absence of a binding law. If a binding law exists, the court has to respect that, and not any precedents.

      This means that, if I publish vulnerabilities on product foobar from French company XYZ, and I am dragged into court, I may well be cleared of all charges. Also, if I win a case, company XYZ would have to pay for both its legal fees and mine. This is a strong deterrent against frivolous lawsuits.

      Of course, the reverse is also true: a future decision may refer to a previous decision (precedent) and condemn me. That's when the legal games and fun begin, so to speak...

      didn't they actually fine him for something else, suspend the fine, and then use the threat of the suspended fine to incent him to stop publishing?

      No, Guillermito was fined because he used an illegal (pirated) copy of the software to find the vulnerabilities he published. Despite the harsh tone of the ruling, he was not really 'fined' ('sursis' means he does not have to come up with the money).

      But, in any case, the court did not render a decision on the crucial matter of finding and publishing vulnerabilities, only on the use of an illegal copy of the software. Seems to me the judges were pretty pissed-off by the hysterical attitude of Tegam (the company who brought the lawsuit).

      Hope this clears up a few things!

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)
  2. No details by JaxWeb · · Score: 4, Informative

    You may notice the article has no details.

    I did a Google News Search and found this one which is much better.

    Also, the guys own website.

    Hope this helps.

    --
    - Jax
  3. Well... by tsanth · · Score: 2, Informative

    The condemned seems to think differently.

  4. Re:EDITORS SHOULD READ THE FUCKING ARTICLES by Anonymous Coward · · Score: 2, Informative

    "That the fine is suspended means that Guillermito will have to pay up if he continues to publish about the vulnerability and other software vulnerabilities. As a result he has taken the Tegam publication, and a dozen others, from his website."

    WOW, you are a retard to miss that.

    the part you mentioned was in regards to DIFFERENT legal proceedings.

    good lord you suck enormous balls for missing that stuff.

  5. Re:EDITORS SHOULD READ THE FUCKING ARTICLES by vidarlo · · Score: 2, Informative

    Yeah, and timothy seems to be especially biased. So, folks! Let's remove timothy from our front page. (look under authors, and remove the mark in front of the one you don't like...)

  6. Did you read the articles? by Anonymous Coward · · Score: 3, Informative

    I did read the article and the link in it to a previous article. The previous article stated that his exploit code was judged to be an illegal copy of Teagam's (or whatever their name is) code. I'm not sure exactly where you are getting the idea that his antivirus copy was not legitimate, but this conclusion does not seem to be supported by the articles.

  7. This puts people out of business... by JRHelgeson · · Score: 4, Informative

    There are top notch security experts in France, specifically the folks at K-Otik http://www.k-otik.com/

    I'm a security consultant and I look to these folks as a source of reputable information. I spent a LOT of time on their site when Microsoft was trying to deal with the fallout of the MS03-026 vulnerability which begat the MSBlaster worm. I even got the source code for Blaster from the K-Otik crew.

    This is going to have huge ramifications if it is interpreted as described here.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
  8. Re:The 'condemned' him? by BluedemonX · · Score: 2, Informative

    A cognate. "Condamné" means convicted/punished in French, it doesn't have the same connotation in English.

    --

    --- Jump!! Fire!! Bullet time!! - Lego version of the Matrix
  9. Re:EDITORS SHOULD READ THE FUCKING ARTICLES by Vicegrip · · Score: 2, Informative

    Please, read the articles before commenting. As usual on Slashdot, the news is misleading: he was not condemned for releasing exploit code, but simply for software piracy (the antivirus copy he had used was not legitimate).

    After reading the article I see no information there about software piracy.

    Following the links I did find some interesting tidbits that would indicate the company in question is less than honorable:
    A factual issue, not part of the trial but seemingly of Tegam's scare tactics, is that Guillermito was accused publicly by the software company to be a "terrorist wanted by the DST (French secret service) and the FBI". This has not led him to recluse in fear, but he is hardly optimistic of the outcome, scheduled for March this year...

    It seems he was being prosecuted for violating a European Directive which prohibits tampering with copyright protection measures. Ergo, that this researcher had to bypass copyright-protection measures to find the flaws in their product.

    --
    Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
  10. Detailed proceedings ? by dago · · Score: 2, Informative

    It would be nice if somebody could point to the detailed condemnation and the motivations.

    For all I've been able to (quickly) find, he has been condemned for intellectual property, namely counterfeiting.
    One possibility is that it's because he has published source code, which looks strange because it would probably be fair use (short citation for education).
    But it's probably because he pirated Tegam's software and didn't buy it.

    You can also read on this lawyer blog that

    "In my view, this decision should not be interpreted as a condemnation of (EDIT : full disclosure): the same thing done on a legitimately licensed program would probably not fall foul of the law."
    So it is NOT condemning full disclosure, and such a publication made on legal software wouldn't be sanctioned.

    At the moment, it really looks like some people are screaming as loud as possible about that, but until the details are known, that's just PR operations from Guillermito and the others.

    --
    #include "coucou.h"
  11. Re:Just another reason to hate the French.. by winkydink · · Score: 2, Informative
    Well, let's see, they provided weapons, military training and aid to the American Colonists in the Revolutionary War.

    Yes, the French continue to be well-known for always being willing to make a profit, regardless of consequences.

    One little short frenchie with a bad attitude almost conquered the entire world, twice.

    Europe != World

    developed the most heavily armored and gunned tanks during the early German Blitz, one French Char B1-Bis held up an entire German Division for an entire day.

    Sadly, it appears that the next day, they surrendered. We'll skip over the Marshall Plan at the end of said war while we're at it.

    They've developed nuclear weapons

    First? Second? Third world countries have developed nuclear weapons. BFD.

    Euro continues to dominate the American Dollar

    You might want to look back a little further in historical performance of USD vs EUR.

    They were one of the first modern countries to pick on the buzzword "Democracy" long before a bunch of colonists got pissed at their King's latest tax law.

    Hmm Declaration of Independence: 1776. French Revolution: 1789.

    You Sir, are an uneducated bigot

    Glass houses.

    --

    "I'd rather be a lightning rod than a seismometer." -Ken Kesey

  12. As usual, only 1 side of story is presented by Anonymous Coward · · Score: 3, Informative

    Tegam refutes his claims...

    and

    Tegam is adamant that Tena's claims are false and his motives are questionable.

    BTW, was it already illegal in France to do what he did? If so, then the people should get the laws changed, not trash the judges and judicial system for doing their jobs by upholding them...

  13. Re:Extortion? by Anonymous Coward · · Score: 1, Informative

    The benefit is simple: exploit code is proof that the vulnerability is real. Without proof, it's all just an unsubstantiated claim, and there's no way to know if you are in danger or not. Another benefit is that the exploit code allows anyone to verify that a supposed patch really fixes the problem.

  14. TEGAM International's description by sverrehu · · Score: 2, Informative

    I found this one quite interesting:
    http://www.viguard.com/en/news_view.php?num=88

    Have no idea about the truth, though.

  15. That's because he did not have a license by dom1234 · · Score: 2, Informative

    As some linked texts say, it seems like he was accused because he did the work on a pirated/cracked version; he did not buy the software.

    Then I conclude it is more careful to buy the license before publishing security flaws, and then everything is ok. But a question arises: is it possible that a license states that the license holder is forbidden to publish security flaws about the software? If so, then we are really stuck.

  16. Wrong... by Anonymous Coward · · Score: 1, Informative

    Guillaume Tena was condemned because he worked on an illegal copy of the Viguard anti-virus software of Tegam. This news was a bit too quickly published... arg! Slashdot is more and more like a tabloid newspaper... sad.

  17. Maybe it would be more productive to look by MikeB90 · · Score: 2, Informative

    at http://www.viguard.com/en/news_view.php?num=88 which is Viguard's side of the story. They quote a ZDNET story where Guillermito is a virus writer and then go step by step to reply to his accusations.

  18. Re:I feel like feeding the troll... by Anonymous Coward · · Score: 1, Informative

    Not to slap the French in the face, but before Vietnam, there was a little battle called Dien Bien Phuh... Don't quote me on the spelling, I don't care if it's right...

    The French allowed the Vietnamese to encircle them in a valley, and shoot mortar fire down into the camp, thus routing the French out of Vietnam before we ever got there...

    At least we stuck around and fought them...

  19. I think there is more to the story... by monkeySauce · · Score: 2, Informative

    All these people are foaming at the mouth about some great injustice, when it's not even clear what is the situation. The original article is somebody's blog, which quotes and links to the website of the accused. I think there may be more to this story.

    This article, for instance, paints a different picture: http://www.weblmi.com/sections/articles/2005/03/guillaume_tena_cond/ (in French)

    Allow me to provide a rough translation of one of the more interesting paragraphs: This judgement focuses not on the core issue, but rather on the methods "Guillermito" used to produce his findings, therefore the tribunal is punishing "Guillermito" for having used a pirated copy of Viguard Anti-Virus to discover its vulnerabilities. Therefore the judgement seems not to question the right to publicly criticise/publish exploits with supporting evidence, but rather that the exploit cannot be researched and discovered illegally [by using pirated software].

    To re-analyze some of the analogies already put forth, should the courts go easy on someone who finds a problem with a particular brand of car that could cause it to explode; if they first stole the car and then studied it?