Publishing Exploit Code Ruled Illegal In France
Dexter writes "A French Court has condemned the security researcher Guillaume Tena for publishing a security vulnerability in the Viguard anti-virus software of Tegam. This ruling makes the publication of security vulnerabilities and their proof of concept through reverse engineering illegal in France."
Let's hear it for the Virgin Islands and the Bahamas! No software patents there. No export restrictions. True freedom of speech.
Well, let's see, they provided weapons, military training and aid to the American Colonists in the Revolutionary War. They developed the most heavily armored and gunned tanks during the early German Blitz, one French Char B1-Bis held up an entire German Division for an entire day. One little short frenchie with a bad attitude almost conquered the entire world, twice.
:))
They've developed nuclear weapons, were one of the original founders of the European Union, whose Euro continues to dominate the American Dollar. They were one of the first modern countries to pick up on the buzzword "Democracy" long before a bunch of colonists got pissed at their King's latest tax law.
Oh, did I mention numerous American, Australian and British courts have upheld the same reverse engineering proof of concept rulings?
You Sir, are an uneducated bigot.
(Note: I am not anti-American, I'm just hitting him where it hurts.)
Hackers: now you don't have to compete with legitimate security research! Your exploit vectors will remain safe from view. Feel free to build up a toolbox of 0-day 'splots (or even 10-day or 100-day, there's no rush!) Laugh as you see version after version of popular software released with the same obvious holes!
Programmers: companies who put their customers at risk by placing security holes in their software no longer have to worry about public embarrassment. Now that useless QA team can be pared down, and software can be delivered more quickly! Only the requirements have to be met, no longer do you have to worry about unexpected input! It's like college freshman year all over again.
Consumers of software? Sorry, maybe you'll get something next time. For now, check out some web sites for common ways to protect yourself from identity theft and hack attacks. You'll need it!
I understand the argument against security through obscurity, but I can also observe a correlation between the publication of an exploit and a steep increase in usage of that exploit. Also, I do not observe a correlation between these events and the vulnerability being fixed.
The person who coined the phrase, "security through obscurity is no security at all", did so before we got wire to *everybody* and before there were so many script kiddies.
There might be some merit in attempting to keep stuff under wraps. It won't fix the problem, but if the disclosure itself tends to exacerbate the problem, the case can be made that it is prudent to do everything possible to limit the disclosure.
The error is in the idea that a *government* has any power to stop this kind of disclosure.
If a company doesn't fix a problem that's brought to their attention, published or not, they could be found negligent for damages as a result of that security hole.
Can you really make a secure system? Open source or closed, there are going to be security risks. So what happens if the security hole would be so expensive to fix that you simply couldn't afford to address it? Keeping it quiet, while not always effective or preferred, is still security (through obscurity).
I discover security holes in web applications all the time. My protocol is to stop once I've proven it's possible to compromise, notify the company of the issue, the implications of the hole, and ways to go about fixing it. I always include a link to my company's website, but I never threaten to publish it or do anything that might be construed as extortion. I've never been accused of wrongdoing, I usually get a big thank you, and sometimes it lands me a meeting - which is where they become clients.
People generally appreciate a helpful tip, whether it's a "you have a word spelled wrong on your site" or "you have a SQL Injection vulnerability on your site." Just don't be an ass about it.
There used to be a great geocities-like free web space provider called altern.org.
I say geocities-like so you get the picture, but it was nothing like geocities. No-nonsense interface -- all text, no pictures, no ads --, great webmail interface -- again, all text, no pictures, no ads. It was also the first (maybe the last, I just got my own paid hosting when it got ultracheap -- it wasn't, in the day) free web space provider to support PHP.
Yes, PHP. In the days where extensions were .phtml. I actually only began mucking around with PHP and server-side scripting because altern.org offered it. I still cook up some solutions with PHP and MySQL -- something that'd never have happened without Mr. Valentin Lacambre's Flying Circus.
Apparently, the whole thing was run by a techno-anarchist who prophesied that in the future technology would make working unnecessary yadda yadda yadda. A sort of techno-optimist Guy Debord.
One day, one of altern.org's free websites had a parody of a France Telecom logo. Tartalacrem, if I'm not wrong. Legal hell ensued.
Not only was it not covered under any kind of fair use provisions, but France Telecom sued VALENTIN LACAMBRE, THE GUY WHO RAN THE FREE SERVICE.
Courts rejected his defense of not being responsible for everything hosted on his server, as anyone could anonymously host content. Mr. Lacambre was forced to pay up fines and was told he was still responsible for anything held on altern.org.
So altern.org was taken down. That's France, folks.
Sorry, but the source here is a Blog post, which in turn refers to the convicted guy's home page.
Nowhere does it say what, exactly, the guy was convicted of, or why. So how are we possibly supposed to be able to react to this?
I have a hard time accepting statements like:
This ruling can cripple security research in France, making it illegal to publish security vulnerabilities or the proof thereof by reverse engineering. Without being able to tamper with software, the actual studying and consequent publication of vulnerabilities is made impossible.
without seeing the judgement or at least a description of it from a neutral source.
Reverse engineering is legal in Europe, and is a protected right under European law. (91/250/EEC, article 6.)
I have a strong feeling the whole story is not being given here.
In this case an appeal to the European Court on grounds of effective suppression of fair comment sounds as though it might just be possible if funds were somehow made available. It seems on the face of it obvious that the real reason for the case was a corporation trying to prevent any adverse publicity and using its superior economic power to get the decision it wanted, but it will need expensive, experienced judges to point out what seems obvious to the majority of people.
It has always annoyed me when people say a ruling makes something illegal. Rulings don't make something illegal. Laws make things illegal. Rulings just enforce those laws. So either it was already illegal in the law or the court overstepped its bounds. Happens all the time here in the States. The courts say something is illegal and we just blithely go on about our business, never once questioning whether they have the right to create law or not.
If you see spelling or grammatical errors, don't blame me. I tried to preview, but IE here at work borked the CSS.
What sort of constitutional free speech protection does a French citizen have? We saw how intricate the law gets in America over stuff like this when the DeCSS stuff was a hot topic on Slashdot, but of course that has no bearing on French law.
Does this ruling actually set any sort of precedent? That would be bad news for both freedom of speech and academic freedoms. From the details it doesn't sound like it, however; didn't they actually fine him for something else, suspend the fine, and then use the threat of the suspended fine to incent him to stop publishing? Bad news for the researcher, but it doesn't sound precedent-setting.
Anyone on Slashdot have an understanding of the principles of French Law?
It's long known that security through obscurity doesn't work. This is proven in cryptography. Hiding away an error doesn't make it go away. To mitigate the problem of making it too well known though, a patch warning period would be good to inform, but it should still be independently released for all to see afterward.
One little short frenchie with a bad attitude almost conquered the entire world, twice.
Actually, Napoleon wasn't really French: he came from the island of Corsica, which I believe was a French territory at the time. Part of his bad attitude, IIRC, was that he wasn't accepted by his French peers while he was in school.
Found any EULAs where the "we're not responsible for the fact that our software really sucks, and if it causes you a beeeleeon dollars in damages, you can't sue us, nyaa nyaa" clause has actually been tested and held up in court?
Seems to me that you can put anything in a EULA. Getting it enforced in a court of law is yet another thing.
Just look at the recent ruling where the Supreme Court overturned execution of minors. Did the written law change? No! In the argument the majority argued that world opinion and decency standards had changed.
Let's say you are a mechanic, and you find a problem with a particular brand of car that could cause it to explode when, say, it was hit from behind.
Let's say you tell the automotive manufacturer about it, and he claims that your research was flawed and there was no problem, or he just says "ok we'll look at it" and does nothing for four years.
Let's say that, after those four years, you start reading stories of people dying "mysteriously" in explosions during crashes in those cars. You tell the vendor again, but again they deny that their problem is causing the deaths, and they even deny that you contacted them about the problem four years before.
Do you continue to keep quiet, and let people die because telling the public about the problem would be "unprofessional"?
Would you have told the public after giving the manufacturer a month to find a fix, so everyone would know about the problem and could participate in the recall?
Would you have told the public as soon as you found the problem, so people could choose to not use the car while a fix was being designed?
What do YOU think is the professional thing to do?
It doesn't hurt to be nice.
I agree that people could do far more than most currently do, but a "secure system" is a myth. My servers run full custom Java code, all data access is handled by wrappers that isolate the data to make various insertion attacks impossible, but it is not unhackable.
For instance, if a flaw is found in the DNS library for Linux such that if you look up a specific hostname you can take over the machine, you could pass that hostname as your email address. When the email address is checked for validity, bam - there goes the server.
Computers, specifically OS interactions, have gotten so complex that security can only be increased, not achieved.
The US have it so good. This only proves that Americans who are hyping the European institutions are totally clueless about Europe.
You shouldn't take the 1st Amendment as granted.
What planet do you guys live on? Just this week the US and France jointly demanded that Syria pull troops out of Lebanon. Bush himself said, "when the United States and France say withdraw, we mean complete withdrawal."
Doesn't sound to me like they're working at odds.