Slashdot Mirror


Publishing Exploit Code Ruled Illegal In France

Dexter writes "A French Court has condemned the security researcher Guillaume Tena for publishing a security vulnerability in the Viguard anti-virus software of Tegam. This ruling makes the publication of security vulnerabilities and their proof of concept through reverse engineering illegal in France."

5 of 362 comments

  1. Re:French Court: "Surrender Now" by crazyeddie740 · · Score: 5, Insightful

    I think the general rule of thumb is to inform the software publisher first, and then go public after they've had a chance to fix it. Going public forces the publisher to fix the problem if it hasn't already, and it lets the public know that there's a problem and they should do an update. (Or if the publisher still hasn't fixed the problem, switch to a different program.) According to the article the article links to, the copyright infringement charge is somewhat similar to the anti-DeCSS application of the DMCA. The researcher, AFAICT, is being sued because he *reverse-engineered* the program, which is a traditionally accepted practice.

  2. Debugger forbidden... by vidarlo · · Score: 5, Insightful

    Richard Stallman has written a text about a future scenario where owning debuggers is forbidden. It's recommended reading, and at least has shown me why we have to fight for our rights! The Right To Read also carries an informational part, which is non-fictional and highly interesting reading. Both parts are here

  3. Re:French Court: "Surrender Now" by maotx · · Score: 5, Insightful

    Let's say I discover an exploit in Foo that allows me to have complete control of your computer. Foo is a very popular program used in homes to enterprises. Now let's say I send my exploit to Foo Company Inc. to have them patch it to prevent this horrible exploit from being...well...exploited. Foo sends you a "to-be-done" acknowledgement and that's the last you ever hear from them. Three service packs later and your exploit still works without a problem.
    If you discovered this exploit then so can someone else. This someone else could then use this exploit to their every desire (Think beyond viruses, i.e. blackmail, stock market, etc.)
    What do you do?

    Nag the company to fix it?

    Tell everyone how horrible the company is without proof?

    Release your exploit into the wild to pressure the company in patching it and giving them motivation to pay more attention to security?

    Most exploits that are released typically occur after the vendor has been notified.

    --
    I'm a virgo and on Slashdot. Coincidence? Yes.

  4. Re:French Court: "Surrender Now" by Ohreally_factor · · Score: 5, Insightful

    If a company doesn't fix a problem that's brought to their attention, published or not, they could be found negligent for damages as a result of that security hole.

    Read any good EULAs lately?

    --
    It's not offtopic, dumbass. It's orthogonal.

  5. Re:French Court: "Surrender Now" by nurd68 · · Score: 5, Insightful

    Since folks moderated this so highly, here's more info:

    http://www.windowsitpro.com/Article/ArticleID/24806/24806.html

    It's one of the conditions of being a "Gold Level" partner.

    Of course, this makes one realize how nonsensical the "window of vulnerability" arguments comparing Windows vs. Linux security are. For those of you who don't know, these arguments compare how much time passes from the announcement of a vulnerability to the time that the patch comes out. The F/OSS community is big into full disclosure, and the MS community isn't, so the MS window of vulnerability is almost always smaller, hence leading to claims that it's more secure. That is, until someone finds a bug that's been swept under the rug for a couple of years and uses it to make the next Nimda.