Slashdot Mirror


Publishing Exploit Code Ruled Illegal In France

Dexter writes "A French Court has condemned the security researcher Guillaume Tena for publishing a security vulnerability in the Viguard anti-virus software of Tegam. This ruling makes the publication of security vulnerabilities and their proof of concept through reverse engineering illegal in France."

5 of 362 comments

  1. Re:Just another reason to hate the French.. by Hiigara · · Score: 5, Interesting

    Well, let's see, they provided weapons, military training and aid to the American Colonists in the Revolutionary War. They developed the most heavily armored and gunned tanks during the early German Blitz, one French Char B1-Bis held up an entire German Division for an entire day. One little short frenchie with a bad attitude almost conquered the entire world, twice.

    They've developed nuclear weapons, were one of the original founders of the European Union, whose Euro continues to dominate the American Dollar. They were one of the first modern countries to pick on the buzzword "Democracy" long before a bunch of colonists got pissed at their King's latest tax law.

    Oh, did I mention numerous American, Australian and British courts have upheld the same reverse engineering proof of concept rulings?

    You Sir, are an uneducated bigot.

    (Note: I am not anti-American, I'm just hitting him where it hurts. :))

  2. Re:French Court: "Surrender Now" by lukewarmfusion · · Score: 5, Interesting

    If a company doesn't fix a problem that's brought to their attention, published or not, they could be found negligent for damages as a result of that security hole.

    Can you really make a secure system? Open source or closed, there are going to be security risks. So what happens if the security hole would be so expensive to fix that you simply couldn't afford to address it? Keeping it quiet, while not always effective or preferred, is still security (through obscurity).

    I discover security holes in web applications all the time. My protocol is to stop once I've proven it's possible to compromise, notify the company of the issue, the implications of the hole, and ways to go about fixing it. I always include a link to my company's website, but I never threaten to publish it or do anything that might be construed as extortion. I've never been accused of wrongdoing, I usually get a big thank you, and sometimes it lands me a meeting - which is where they become clients.

    People generally appreciate a helpful tip, whether it's a "you have a word spelled wrong on your site" or "you have a SQL Injection vulnerability on your site." Just don't be an ass about it.

  3. France is stupid (-1 Flamebait) by Knights+who+say+'INT · · Score: 5, Interesting

    There used to be a great geocities-like free web space provider called altern.org.

    I say geocities-like so you get the picture, but it was nothing like geocities. No nonsense interface -- all text, no pictures, no ads --, great webmail interface -- again, all text, no pictures, no ads. It was also the first (maybe the last, I just got my own paid hosting when it got ultracheap -- it wasn't, in the day) free web space provider to support PHP.

    Yes, PHP. In the days where extensions were .phtml. I actually only began mucking around with PHP and server-side scripting because altern.org offered it. I still cook up some solutions with PHP and MySQL -- something that'd never have happened without Mr. Valentin Lacambre's Flying Circus.

    Apparently, the whole thing was run by a techno-anarchist who prophesied that in the future technology would make working unnecessary yadda yadda yadda. A sort of techno-optimist Guy Debord.

    One day, one of altern.org's free websites had a parody of a France Telecom logo. Tartalacrem, if I'm not wrong. Legal hell ensued.

    Not only was it not covered under any kind of fair use provisions, but France Telecom sued VALENTIN LACAMBRE, THE GUY WHO RAN THE FREE SERVICE.

    Courts rejected his defense of not being responsible for everything hosted in his server as anyone could anonymously host content. Mr. Lacambre was forced to pay up fines and was told he was still responsible for anything held in altern.org.

    So altern.org was taken down. That's France, folks.

  4. Where's the real info? by k98sven · · Score: 4, Interesting

    Sorry, but the source here is a Blog post, which in turn refers to the convicted guy's home page.

    Nowhere does it say what, exactly, the guy was convicted of, or why. So how are we possibly supposed to be able to react to this?

    I have a hard time accepting statements like:
    This ruling can cripple the security research in France, making it illegal to publish security vulnerabilities or the proof thereof by reverse engineering. Without being able to tamper software the actually studying and consequent publication of vulnerabilities is made impossible.

    Without seeing the judgement or at least a description of it from a neutral source.

    Reverse engineering is legal in Europe, and is a protected right under European law. (91/250/EEC, article 6.)

    I have a strong feeling the whole story is not being given here.

  5. Don't pick on corporations- or cooperate by panurge · · Score: 4, Interesting

    This is like the McLibel case in the UK. In short, two individuals passed out London Greenpeace leaflets criticising a well known fast food chain. They were sued for libel. After a trial costing millions, in which the defendants were not legally represented because they could not afford it and the UK government refused to assist them, the judge awarded derisory damages. Both the UK Government and the fast food chain spent a lot of money buying lawyers yet another country mansion, yacht etc. The European court has just ruled the trial unfair for this reason, and the fast food chain has just had a second huge swathe of adverse publicity as the original case is dragged up again and the sheer unfairness of large corporation versus small individual is rehashed.

    In this case an appeal to the European Court on grounds of effective suppression of fair comment sounds as though it might just be possible if funds were somehow made available. It seems on the face of it obvious that the real reason for the case was a corporation trying to prevent any adverse publicity and using its superior economic power to get the decision it wanted, but it will need expensive experienced judges to point out what seems obvious to the majority of people.

    --
    Panurge has posted for the last time. Thanks for the positive moderations.