Slashdot Mirror


Publishing Exploit Code Ruled Illegal In France

Dexter writes "A French Court has condemned the security researcher Guillaume Tena for publishing a security vulnerability in the Viguard anti-virus software of Tegam. This ruling makes the publication of security vulnerabilities and their proof of concept through reverse engineering illegal in France."

6 of 362 comments

  1. French Court: "Surrender Now" by fembots · Score: 5, Informative

    What good is it to publish a software vulnerability, especially on closed source products?

    If one really wants to help, isn't it better to inform the software maker? If the latter couldn't care less, maybe one shouldn't care more?

    However, as the friendly article pointed out, the fine was for a copyright infringement charge, so it looks like you can still publish a vulnerability as long as it is subtle enough.

    1. Re:French Court: "Surrender Now" by John+Fulmer · Score: 5, Informative

      The 'good' is that it keeps closed source vendors honest.

      The 'full disclosure' idea came about because of the frustration of sysadmins finding security holes, and not being able to get the vendor to take it seriously.

      Good 'full disclosure' first notifies the vendor, and then if within a reasonable time the vendor takes no action or there is no response you disclose to something like BugTraq.

      It's been the reason that Microsoft and other vendors take such bugs VERY seriously. But they would be more than happy if it all just went away, or was criminalized.

      You decide which is more valuable: A company keeping their PR image spotless, or getting serious software bugs fixed.

    2. Re:French Court: "Surrender Now" by nurd68 · Score: 5, Informative

      Actually, if memory serves, MS *does* control these situations. If you are a Microsoft Partner (I don't know at which level this restriction starts, but I think it's just about any partner), then you are required to disclose the vulnerability to Microsoft, and cannot disclose it publicly until Microsoft allows you to. Failure to adhere to this results in a loss of your favored status.

    3. Re:French Court: "Surrender Now" by Noryungi · Score: 4, Informative

      Anyone on Slashdot have an understanding of the principles of French Law?

      Yes, I do. I'll try to answer your questions as best as I can.

      What sort of constitutional free speech protection does a French citizen have?

      Free speech is guaranteed, under French law, through (a) the 1789 Declaration of Human Rights, which is a part of the 1958 V Republic Constitution (Google is your friend if you want an English Translation of this text), (b) the UN Charter on Human Rights, of which France is a part and (c) the different European Community treaties, which also protect free speech.

      Please note: The biggest difference with American Law is that 'hate speech' (anti-semitism, racism, fascism, nazism, Holocaust denials, etc) is specifically forbidden under French Law, and will be prosecuted. Anything else is allowed, except that the French government also reserves the right to censor publications in the name of 'national interest' (read: secrets of state). This censorship is very rarely used these days, however.

      Does this ruling actually set any sort of precedent? That would be bad news for both freedom of speech and academic freedoms.

      French Law does not recognize 'precedents'. It recognizes the primacy of law (vs precedents), and French courts do not have to follow precedents (previous decisions) taken by other courts in the absence of a binding law. If a binding law exists, the court has to respect that, and not any precedents.

      This means that, if I publish vulnerabilities on product foobar from French company XYZ, and I am dragged into court, I may well be cleared of all charges. Also, if I win a case, company XYZ would have to pay for both its legal fees and mine. This is a strong deterrent against frivolous lawsuits.

      Of course, the reverse is also true: a future decision may refer to a previous decision (precedent) and condemn me. That's when the legal games and fun begin, so to speak...

      didn't they actually fine him for something else, suspend the fine, and then use the threat of the suspended fine to incent him to stop publishing?

      No, Guillermito was fined because he used an illegal (pirated) copy of the software to find the vulnerabilities he published. Despite the harsh tone of the ruling, he was not really 'fined' ('sursis' means he does not have to come up with the money).

      But, in any case, the court did not render a decision on the crucial matter of finding and publishing vulnerabilities, only on the use of an illegal copy of the software. Seems to me the judges were pretty pissed-off by the hysterical attitude of Tegam (the company who brought the lawsuit).

      Hope this clears up a few things!

      --
      The right to offend is far more important than the right not to be offended. (Rowan Atkinson)

  2. No details by JaxWeb · Score: 4, Informative

    You may notice the article has no details.

    I did a Google News Search and found this one which is much better.

    Also, the guy's own website.

    Hope this helps.

    --
    - Jax

  3. This puts people out of business... by JRHelgeson · Score: 4, Informative

    There are top notch security experts in France, specifically the folks at K-Otik http://www.k-otik.com/

    I'm a security consultant and I look to these folks as a source of reputable information. I spent a LOT of time on their site when Microsoft was trying to deal with the fallout of the MS03-026 vulnerability which begat the MSBlaster worm. I even got the source code for Blaster from the K-Otik crew.

    This is going to have huge ramifications if it is interpreted as described here.

    --
    Good security is based upon reality and common sense. Common sense is a function of having common knowledge.