Publishing Exploit Code Ruled Illegal In France
Dexter writes "A French Court has condemned the security researcher Guillaume Tena for publishing a security vulnerability in the Viguard anti-virus software of Tegam. This ruling makes the publication of security vulnerabilities and their proof of concept through reverse engineering illegal in France."
What about Tegam? They published the exploit in every copy of Viguard. While telling everyone it would protect them. Why aren't they guilty? What kind of crappy lawyer lets their client get punished for telling the truth about dangerous products?
--
make install -not war
Oh lets make it illegal to find problems in software, then if they cant be found they cant exist right?
I think the general rule of thumb is to inform the software publisher first, and then go public after they've had a chance to fix it. Going public forces the publisher to fix the problem if it hasn't already, and it lets the public know that there's a problem and they should do an update. (Or if the publisher still hasn't fixed the problem, switch to a different program.) According to the article the article links to, the copyright infringement charge is somewhat similar to the anti-DeCSS application of the DMCA. The researcher, AFAICT, is being sued because he *reverse engineered* the program, which is a traditionally accepted practice.
It's simultaneously comforting and terrifying to see that stupid rulings by stupid judges aren't confined to the USA.
At least I'll feel better about it the next time the 9th Circuit Court of Appeals makes an insane decision.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
Richard Stallman has written a text about a future scenario, where owning debuggers is forbidden. It's recommended reading, and at least has shown me why we have to fight for our rights! The Right To Read also carries an informational part, which is non-fictional, and highly interesting reading. Both parts are here
Assembling etherkillers for fun and profit
If you discovered this exploit then so can someone else. This someone else could then use this exploit to their every desire (Think beyond viruses, i.e. blackmail, stock market, etc.)
What do you do?
Nag the company to fix it?
Tell everyone how horrible the company is without proof?
Release your exploit into the wild to pressure the company into patching it and give them motivation to pay more attention to security?
Most exploits that are released typically occur after the vendor has been notified.
I'm a virgo and on Slashdot. Coincidence? Yes.
What good is it to publish software vulnerability, especially on closed source products?
It punishes the software maker for putting bugs in their software.
If you notify the software vendor FIRST, you are telling them "It's okay to put out bad software, because someone will do your testing for you, for FREE". However unless you are getting paid for your software testing, you have no obligation to tell anybody anything, or to NOT tell anybody anything.
Is that the message you want to send to software authors? I would much rather send the message: "Don't like the expense of security holes in your product? Then don't put them in your product."
With open-source software I can allow a little leeway, but not much. Most open-source software is exactly like the closed-source software: the author puts out a shoddy product and claims it's finished and you can start using it right away, even though it's full of holes.
Security bugs aren't a "given". They can be eliminated or rendered ineffective. As usual I offer djb's software as proof. If he can do it, someone else can do it too.
I hope Bush does exactly that. Whatever vulnerabilities a product has, the vendor should be working to find them out on its own! I'll say this: If I made a piece of software designed to kill virii, I'd be thrilled if somebody told me it had a bug and showed me how to duplicate it. They are basically doing my work for me, for free...what kind of dipstick would ignore, or worse yet, sue them over this?? Just proves the French courts are not taking this seriously, or perhaps the judges are just dumb...take your pick...
sometimes, i wonder if i'm the only conservative on teh intarweb. ah well, back to mah hogs and warmongerin'....
You would think that vendors would pick up and listen, but as groups like w00w00 have shown, they don't. Sometimes warning the company isn't enough, nor is just publishing the theory. Sometimes someone with know-how must take the literal step of providing a working proof-of-concept before they will take heed. Even then, sometimes the company will only mask the vulnerability instead of addressing it.
In these instances, be thankful that the "white hats" found it first. The "black hats" are just likely to exploit and stay quiet while the vendor figures it out for themselves. By then the damage is done.
As for why anyone should care? Depending on the exploit, that machine may be compromised in such a way as to become a part of a botnet and used to infect other machines, spam the piss out of you, or DDoS your favorite website into oblivion. They are not really concerned with preserving the vendor's reputation and customer base.
What good is it to publish software vulnerability, especially on closed source products?
A strange question. People who use these closed-source products (aka "the customers") would certainly be interested in knowing the true capabilities (or lack thereof) of the software they bought. People who are thinking about purchasing that software would be interested as well.
The head-in-the-sand technique doesn't work all that well in real life.
If I am running an anti-virus program, I most certainly want to know if that program is a close relative of swiss cheese...
If one really wants to help, isn't it better to inform the software maker? If the latter couldn't care less, maybe one shouldn't care more?
More strange questions... Let's see, there was this car, called Pinto, and its maker (Ford) for a while couldn't have cared less about certain umm... deficiencies in its construction and design. Are you suggesting that the proper response to the manufacturer's saying "I don't care" is replying "Oh, how wonderful, this means all is right in the world then"..?
Kaa
Kaa's Law: In any sufficiently large group of people most are idiots.
If a company doesn't fix a problem that's brought to their attention, published or not, they could be found negligent for damages as a result of that security hole.
Read any good EULAs lately?
It's not offtopic, dumbass. It's orthogonal.
only the outlaws will have exploit knowledge. (to paraphrase a wingnut bumper-sticker)
If you discovered this exploit then so can someone else.
It's always best to assume that someone already has, before you did. Always look at the worst case scenario. Unfortunately, marketing is king in the tech world, so companies would rather give us the overly optimistic view than the worst case scenario.
It's not offtopic, dumbass. It's orthogonal.
Can you really make a secure system?
Yes.
Security is not a hard problem. It does add to both the cost and complexity of a system though. The problem is most people avoid the issue or try and make some sort of wrapper around their software that makes it secure. Mostly it's people not separating the data that is moving through the system from the system itself which leads to security problems. When you treat every interaction a system has with the outside world as a hostile transaction you can make very secure software. But, few people really want to build secure systems, mostly it's just get it out the door fast which is why you keep seeing companies with their pants down.
As to your idea that some bugs are too expensive to fix well that's like saying well we made the bridge. It came in early and under budget, granted it would fall down if anyone ever tried to use it but hey that's not our problem. Yes, you can build a system that's not secure at lower cost, but if a bank gets hacked because they were using your software then clearly you did not do your job.
PS: Yea, sorry that came off as a rant it just pisses me off that people accept that their systems can and will be hacked but hey so does everyone else's so it's ok.
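The post above makes two design points: keep the data flowing through a system separate from the system itself, and treat every interaction with the outside world as hostile. The following is an added illustration (not code from the thread or from any product it mentions) showing both in Python with the standard-library sqlite3 module: a lookup that splices untrusted data into the control channel (the SQL text) beside one that keeps the query shape fixed and passes data as a bound parameter, plus an allowlist check at the boundary. The table, the names and the hostile input are all constructed for the example.

```python
import re
import sqlite3

# Constructed sample data: a tiny in-memory user table, not from any real system.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "admin"), ("bob", "user")],
    )
    return conn

def lookup_mixed(conn, name):
    # Data and control are mixed: the caller's input becomes part of the SQL
    # text, so the database cannot tell where the query ends and the data begins.
    # A quote character in the input changes the meaning of the statement.
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_separated(conn, name):
    # Data and control are separated: the query shape is fixed at write time
    # and the input travels as a bound parameter, never interpreted as SQL,
    # whatever characters it contains.
    sql = "SELECT name, role FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

# Hypothetical allowlist for this example's notion of a valid user name:
# lowercase letters, digits and underscore, 1 to 32 characters.
NAME_PATTERN = re.compile(r"^[a-z][a-z0-9_]{0,31}$")

def is_valid_name(name):
    # Treat the input as hostile: accept only what the system expects,
    # rather than trying to strip out what it fears.
    return bool(NAME_PATTERN.match(name))

def handle_request(conn, name):
    # The boundary check and the parameterised query together: input that
    # does not fit the expected shape is rejected before it touches the
    # database, and input that does fit is still passed as data only.
    if not is_valid_name(name):
        return None
    return lookup_separated(conn, name)

if __name__ == "__main__":
    db = make_db()
    hostile = "x' OR '1'='1"  # constructed hostile input for the demonstration
    print("mixed, normal input:   ", lookup_mixed(db, "alice"))
    print("mixed, hostile input:  ", lookup_mixed(db, hostile))
    print("separated, hostile:    ", lookup_separated(db, hostile))
    print("handled, hostile:      ", handle_request(db, hostile))
    print("handled, normal input: ", handle_request(db, "alice"))
```

Running it shows the mixed version returning every row for the hostile input, while the separated version returns nothing and the boundary check refuses the request outright. The allowlist is a design choice for this example, not a general rule about what names look like; the point is that the shape of acceptable input is decided by the system, not by whoever is on the other end of the connection.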
Looking at your posting history, I am surprised that you take this attitude, you seem smart and capable. Fact is, if your computer has an exploitable bug then you become a threat to others on your network and those whom you share files with etc, it is only fair to expect that your infected/exploited system doesn't start disrupting others' systems, that is why open disclosure is important. BugTraq has an unspoken rule that the vendor should be notified and given reasonable time to address the issue, most of the time, this results in the exploit ONLY being released AFTER the vendor applies a fix, and that is only to 'scare' the remaining people to patch their shit up. There are some companies who do not even reply, if they do not have the consideration to even reply to someone who is trying to help them, I hardly think they deserve consideration of helping them 'hide' the bug(s) or to bitch when the 'cat' is out of the bag.
BTW, This attitude you have is both selfish and lacks logic of any kind, you make yourself part of the problem, I write this in hopes you rethink your position.
Going public forces the publisher to fix the problem if it hasn't already, and it lets the public know that there's a problem and they should do an update.
I agree, going to the author first with an exploit is good etiquette. And that going public afterwards is important, too, after some decent interval that is as short as possible.
Public disclosure gives the software user a tool to test just how vulnerable he is and whether various stopgap measures provide adequate protection against the exploit. Public disclosure is better than just having exclusive disclosure to black hats and vendors, IMHO.
"Provided by the management for your protection."
Since folks moderated this so highly, here's more info:
http://www.windowsitpro.com/Article/ArticleID/2 4 80 6/24806.html
It's one of the conditions of being a "Gold Level" partner.
Of course, this makes one realize how nonsensical the "window of vulnerability" arguments comparing Windows vs. Linux security are. For those of you who don't know, these arguments compare how much time passes from announcement of a vulnerability to the time that the patch comes out. The F/OSS community is big into full disclosure, and the MS community isn't, so, the MS window of vulnerability is almost always smaller, hence leading to claims that it's more secure. That is, until someone finds a bug that's been swept under the rug for a couple years and uses it to make the next Nimda.
If there's a remote exploit in say, a firewall application, I want to know about it NOW so that I can either replace it or disable it or whatever.
If no one tells me about the exploit, then I'm a sitting duck.
Actually, I purposely didn't, because the /. engine coders really piss me off in this regard. Auto-detecting a URL and having your submit handle it correctly isn't hard. Why impose that burden on a user? It's just bad design (and I've never heard any rationale justifying it). Most blog and wiki engines do it this way, why not Slashdot?
This doesn't help a sysadmin who has deployed this software. If you give that sysadmin a proof of concept he or she can go about blocking the attack on the firewall, by disabling a service, etc until a real patch is made.
It's not about suing companies for building insecure software, it's about keeping your own data secure.
The global economy is a great thing until you feel it locally.
If you discovered this exploit then so can someone else.
...
why do you think ~el8, PHC, AcidBitches, and other anti-sec groups want to outlaw exploit code? once we go to a vendor-only or non-disclosure system, blackhats will rule the roost. if exploits are outlawed
From a marketing standpoint, they are making a horrible mistake. If they had done nothing, a few security professionals would have seen the exploit and not recommended their software. But now that they've sued over it, they have gotten a ton of free publicity advertising the following facts:
1. Their software has holes in it.
2. They don't want to fix it.
3. They don't want you to even know that the holes exist.
Now as a consumer, even if I don't understand the technical merits or implications, the message is that this company makes crappy software and is trying to cover it up.
There is a law in Australia that makes it illegal to commit or attempt suicide. Promoting or inciting suicide is illegal too, hence the fines. Besides it's easier to go after the promoters than after the suicidees.
But what if I want to mention the URL of a site without influencing its ranking on search engines by actually making it a link? It is reasonable that someone may want to mention http://example.com/ without linking to http://example.com/ with the obligatory square-bracketed redundancy.
You purposefully didn't do what it said you should do and then complained about it afterward? If that were true you should have made your observation that manual trimming of the space would be required in the original post and not in a followup.
Get yourself (or write for yourself) a browser plug-in that is smart enough to wrap your pasted URLs in the markup appropriate for the site so you won't have to think about it ever again and never again get caught with your pants down in public.
Slashcode shouldn't have to cater to people who insist on being inconsiderate lazy assholes.
"Actually, the "Old Europe", as the present Administration like to talk about, are the European countries whose democratically elected Governments listened to the overwhelming majority public opinion."
While you are busy breaking your arm patting yourself on the back consider these two words:
Software Patents