Publishing Exploit Code Ruled Illegal In France

Dexter writes "A French Court has condemned the security researcher Guillame Tena for publishing a security vulnerability in the Viguard anti-virus software of Tegam. This ruling makes the publication of security vulnerabilities and their proof of concept through reverse engneering illegal in France."

French Court: "Surrender Now"

[fembots]

What good is it to publish software vulnerability, especially on closed source products?

If one really wants to help, isn't it better to inform the software maker? If the latter couldn't care less, maybe one shouldn't care more?

However, as the friendly article pointed out, the fine was for a copyright infringement charge, so it looks like you can still publish a vulnerability as long as it is subtle enough.

Re:French Court: "Surrender Now"

[mirko]

ACBM publishes Pirates Mag which also describes such exploits.
They once had to postpone one publications for a long time because they deontologically refuse to publish some story concerning a product that would not be patched.
Now it was supposed to help others to protect similar products.

Re:French Court: "Surrender Now"

[crazyeddie740]

I think the general rule of thumb is to inform the software publisher first, and then go public after they've had a chance to fix it. Going public forces the publisher to fix the problem if it hasn't already, and it let's the public know that there's a problem and they should do an update. (Or if the publisher still hasn't fixed the problem, switch to a different program.) According to the article the article links to, the copyright infringement charge is somewhat similar to the anti-DeCSS application of the DMCA. The researcher, AFAICT, is being sued because he *reversed engineered* the program, which is a traditionally accepted practice.

Re:French Court: "Surrender Now"

[John+Fulmer]

The 'good' is that it keeps closed source vendors honest.

The 'full disclosure' idea came about because of the frustration of sysadmins finding security holes, and not being able to get the vendor to take it seriously.

Good 'full disclosure' first notifies the vendor, and then if within a reasonable time the vendor takes no action or there is no response you disclose to something like BugTraq.

It's been the reason that Microsoft and other vendors take such bugs VERY seriously. But they would be more than happy if it all just went away, or was criminialized.

You decide which is more valuable: A company keeping their PR image spotless, or getting serious software bugs fixed.

Re:French Court: "Surrender Now"

[standon]

It is better to first caution the software vendor. The ethical question of what to do in the case of ignorant companies is discussed here.

Re:French Court: "Surrender Now"

You decide which is more valuable: A company keeping their PR image spotless, or getting serious software bugs fixed.

How about, not going to jail for disclosing a bug! It's very valuable to me!

Re:French Court: "Surrender Now"

[nurd68]

Actually, if memory serves, MS *does* control these situations. If you are a Microsoft Partner (I don't know at which level this restriction starts, but I think it's just about any partner), then you are required to disclose the vulnerability to Microsoft, and cannot disclose it publically until Microsoft allows you to. Failure to adhere to this results in a loss of your favored status.

Re:French Court: "Surrender Now"

[lukewarmfusion]

If a company doesn't fix a problem that's brought to their attention, published or not, they could be found negligent for damages as a result of that security hole.

Can you really make a secure system? Open source or closed, there are going to be security risks. So what happens if the security hole would be so expensive to fix that you simply couldn't afford to address it? Keeping it quiet, while not always effective or preferred, is still security (through obscurity).

I discover security holes in web applications all the time. My protocol is to stop once I've proven it's possible to compromise, notify the company of the issue, the implications of the hole, and ways to go about fixing it. I always include a link to my company's website, but I never threaten to publish it or do anything that might be construed as extortion. I've never been accused to wrongdoing, I usually get a big thank you, and sometimes it lands me a meeting - which is where they become clients.

People generally appreciate a helpful tip, whether it's a "you have a word spelled wrong on your site" or "you have a SQL Injection vulnerability on your site." Just don't be an ass about it.

Re:French Court: "Surrender Now"

[maotx]

Lets say I discover exploit in Foo that allows me to have complete control of your computer. Foo is a very popular program used in homes to enterprises. Now lets say I send my exploit to Foo Company Inc. to have them patch it to prevent this horrible exploit from being..well..exploited. Foo sends you a "to-be-done" acknowledgement and thats the last you ever hear from them. Three service packs later and your exploit still works without a problem.
If you discovered this exploit then so can someone else. This someone else could then use this exploit to their every desire (Think beyond viruses, i.e. blackmail, stock market, etc.)
What do you do?

Nag the company to fix it?

Tell everyone how horrible the company is without proof?

Release your exploit into the wild to pressure the company in patching it and giving them motivation to pay more attention to security?

Most exploits that are released typically occur after the vendor has been notified.

Re:French Court: "Surrender Now"

[MooseGuy529]

If the [software maker] couldn't care less, maybe one shouldn't care more?

Um... because if vulnerable software is out there, it can be exploited. As we know with Microsoft's slow Windows patch cycle versus the constant updating of most Linux distros package repositories, it's better to disclose vulnerabilities early, write patches quickly, and distribute a fix before anyone can exploit it. Forcing people not to disclose details just adds one more person and one more vulnerability to the list of ways you don't know about to exploit your software.

Re:French Court: "Surrender Now"

What good is it to publish software vulnerability, especially on closed source products?

It punishes the software maker for putting bugs in their software.

If you notify the software vendor FIRST, you are telling them "It's okay to put out bad software, because someone will do your testing for you, for FREE". However unless you are getting paid for your software testing, you have no obligation to tell anybody anything, or to NOT tell anybody anything.

Is that the message you want to send to software authors? I would much rather send the message: "Don't like the expense of security holes in your product? Then don't put them in your product."

With open-source software I can allow a little leeway, but not much. Most open-source software is exactly like the closed-source software: the author puts out a shoddy product and claims it's finished and you can start using it right away, even though it's full of holes.

Security bugs aren't a "given". They can be eliminated or rendered ineffective. As usual I offer djb's software as proof. If he can do it, someone else can do it to.

Re:French Court: "Surrender Now"

You would think that vendors would pick up and listen, but as groups like w00w00 have shown, they don't. Sometimes warning the company isn't enough, nor is just publishing the theory. Sometimes someone with know-how must take the literal step of providing a working proof-of-concept before they will take heed. Even then, sometimes the company will only mask the vulnerability instead of addressing it.

In these instances, be thankful that the "white hats" found it first. The "black hats" are just likely to exploit and stay quiet while the vendor figures it out for themselves. By then the damage is done.

As for why anyone should care? Depending on the exploit, that machine may compromised in such a way as to become a part of a botnet and used to infect other machines, spam the piss out of you, or DDoS your favorite website into oblivion. They are not really concerned with preserving the vendors reputation and customer base.

Re:French Court: "Surrender Now"

[Kaa]

What good is it to publish software vulnerability, especially on closed source products?

A strange question. People who use these closed-source products (aka "the customers") would certainly be interested in knowing the true capabilities (or lack thereof) of the software they bought. People who are thinking about purchasing that software would be interested as well.

The head-in-the-sand technique doesn't work all that well in real life.

If I am running an anti-virus program, I most certainly want to know if that program is a close relative of swiss cheese...

If one really wants to help, isn't it better to inform the software maker? If the latter couldn't care less, maybe one shouldn't care more?

More strange questions... Let's see, there was this car, called Pinto, and its maker (Ford) for a while couldn't have cared less about certain umm... deficiencies in its construction and design. Are you suggesting that the proper response to the manufacturer's saying "I don't care" is replying "Oh, how wonderful, this means all is right in the world then"..?

Re:French Court: "Surrender Now"

[Ohreally_factor]

If a company doesn't fix a problem that's brought to their attention, published or not, they could be found negligent for damages as a result of that security hole.

Read any good EULAs lately?

Re:French Court: "Surrender Now"

[lgw]

What sort of constitutional free speech protection does a French citizen have? We saw how intricate the law get in America over stuff like this when the DeCSS stuff was a hot topic on Slashdot, but of course that has no bearing on French law.

Does this ruling actually set any sort of precedent? That would be bad news for both freedom of speech and academic freedoms. From the details it doesn't sound like it, however,; didn't they actually fine him for something else, suspend the fine, and then use the threat of the suspended fine to incent him to stop publishing? Bad news for the researcher, but it doesn't sound precedent-setting.

Anyone on Slashdot have an understanding of the principles of French Law?

Re:French Court: "Surrender Now"

[Ohreally_factor]

If you discovered this exploit then so can someone else.

It's always best to assume that someone already has, before you did. Always look at the worst case scenario. Unfortunately, marketing is king in the tech world, so companies would rather give us the overly optimistic view than the worst case scenario.

Re:French Court: "Surrender Now"

[darc]

It's long known that security through obscurity doesn't work. This is proven in cryptography. Hiding away an error doesn't make it go away. To mitigate the problem of making it too well known though, a patch warning period would be good to inform, but it should still be independently released for all to see afterward.

Re:French Court: "Surrender Now"

[shawn(at)fsu]

A strange question. People who use these closed-source products (aka "the customers") would certainly be interested in knowing the true capabilities (or lack thereof) of the software they bought. People who are thinking about purchasing that software would be interested as well.
I think you give too much credit to the consumer. Maybe you were talking about enterprise products. You can preach to home users all you want about how many security holes IE has in it and look how many still use it. I don't think as many people care as your or I would hope.

Re:French Court: "Surrender Now"

[Retric]

Can you really make a secure system?

Yes.

Security is not a hard problem. It does add to both the cost and complexity of a system though. The problem is most people avoid the issue or try and make some sort of wrapper around there software that makes it secure. Mostly it's people not separating the data that is moving though the system from the system it's self which leads to security problems. When you treat every interaction a system has with the outside world as a hostile transaction you can make vary secure software. But, few people really want to build secure systems, mostly its just get it out the door fast which is why you keep seeing companies with there pants down.

As to your idea that some bugs are to expensive to fix well that's like saying well we made the bridge. It come in early and under budget, granted it would fall down if anyone ever tried to use it but hay that's not our problem. Yes, you can build a system that's not secure at lower cost, but if a bank get's hacked because they where using your software then clearly you did not do your job.

PS: Yea, sorry that came off as a rant it just pisses me off that people accept that there systems can and will be hacked but hey so does everyone else's so it's ok.

Re:French Court: "Surrender Now"

Looking at your posting history, I am surprised that you take this attitude, you seem smart and capable. Fact is, if your computer has an exploitable bug then you become a threat to others on your network and those whom you share files with etc, it is only fair to expect that your infected/exploited system doesn't start disrupting others systems, that is why open disclosure is important. BugTraq has a unspoken rule that the vendor should be notified and given reasonable time to address the issue, most of the time, this results in the exploit ONLY being released AFTER the vendor applies a fix, and that is only to 'scare' the remaining people to patch their shit up. There are some companies who do not even reply, if they do not have the consideration to even reply to someone who is trying to help them, I hardly think they deserve consideration of helping them 'hide' the bug(s) or to bitch when the 'cat' is out of the bag.

BTW, This attitude you have is both selfish and lacks logic of any kind, you make yourself part of the problem, I write this in hopes you rethink your position.

Re:French Court: "Surrender Now"

[Zondar]

Found any EULAs where the "we're not responsible for the fact that our software really sucks, and if it causes you a beeeleeon dollars in damages, you can't sue us, nyaa nyaa" clause has actually been tested and held up in court?

Seems to me that you can put anything in a EULA. Getting it enforced in a court of law is yet another thing.

Re:French Court: "Surrender Now"

[4of12]

Going public forces the publisher to fix the problem if it hasn't already, and it let's the public know that there's a problem and they should do an update.

I agree, going to the author first with an exploit is good etiquette. And that going public afterwards is important, too, after some decent interval that is as short as possible.

Public disclosure gives the software user a tool to test just how vulnerable he is and whether various stopgap measures provide adequate protection against the exploit. Public disclosure is better than just having exclusive disclosure to black hats and vendors, IMHO.

Re:French Court: "Surrender Now"

[nurd68]

Since folks moderated this so highly, here's more info:

http://www.windowsitpro.com/Article/ArticleID/24 80 6/24806.html

It's one of the conditions of being a "Gold Level" partner.

Of course, this makes one realize how nonsensical the "window of vulnerability" arguments comparing Windows vs. Linux security are. For those of you who don't know, these arguments compare how much time time from announcement of a vulnerability to the time that the patch comes out. The F/OSS community is big into full disclosure, and the MS community isn't, so, the MS Window of vunlerability is almost always smaller, hence leading to claims that it's more secure. That is, until someone finds a bug that's been swept under the rug for a couple years and uses it to make the next Nimda.

Re:French Court: "Surrender Now"

[Mattcelt]

Remember that this is the country that for a LONG time outlawed encryption outright. Businesses couldn't even use it to protect their internal communication... Then they complained when the US NSA got wind of some less-than-honest business practices Airbus was using to get a contract.

They might be vying with the Aussie minister for the "world's biggest luddite" award...

And as for the google debacle... if I were Google, I'd consider pulling out of France altogether. Let them see what a world without Google is like.

It's not that I don't like the French, but geez, they seem to be exceeding the limits of common sense lately.

Re:French Court: "Surrender Now"

[nurd68]

Err, there are no spaces in the URL.

Farking /.

Re:French Court: "Surrender Now"

[swimmar132]

If there's a remote exploit in say, a firewall application, I want to know about it NOW so that I can either replace it or disable it or whatever.

If no one tells me about the exploit, then I'm a sitting duck.

Re:French Court: "Surrender Now"

[WhiplashII]

I agree that people could do far more than most currently do, but a "secure system" is a myth. My servers run full custom Java code, all data access is handled by wrappers that isolate the data to make various insertion attacks impossible, but it is not unhackable.

For instance, if a flaw is found in the DNS library for linux such that if you look up a specific hostname you can take over the machine - you could pass that parameter as your email address. When the email address is checked for validity, bam - there goes the server.

Computers, specifically OS interactions, have gotten so complex that security can only be increased, not achieved.

Re:French Court: "Surrender Now"

[Chris+Kamel]

Keeping it quiet, while not always effective or preferred, is still security (through obscurity).
No No No, security through obscurity is not security, a few hundred years ago locksmiths thought it was, but it never was and never will be

Re:French Court: "Surrender Now"

[mmkkbb]

Let them see what a world without Google is like.

Easy, they just give MSN search their attention.

Re:French Court: "Surrender Now"

[nurd68]

Actually, I purposely didn't, because the /. engine coders really piss me off in this regard. Auto detecting a URL and having your submit handle it correctly isn't hard. Why impose that burden on a user? It's just bad design (and I've never heard any rationale justifying it). Most blog and WiKi engines do it this way, why not Slashdot?

Re:French Court: "Surrender Now"

[lukewarmfusion]

I was going to respond to that post, but you have made the point for me.

As part of our work, we lease dedicated server for hosting. We only offer hosting to our clients, and we use that as a selling point - with a budget hosting account, your site will be sitting next to hundreds of other sites. No matter how well we secure your site, you have to trust that the other sites used competent, security-minded developers. A single compromise could extend to the entire server, including your own site.

Re:French Court: "Surrender Now"

[Zorilla]

link text here works quite well. Why not use that? It took about ten seconds to write. It's not that big of a deal.

Re:French Court: "Surrender Now"

[digidave]

This doesn't help a sysadmin who has deployed this software. If you give that sysadmin a proof of concept he or she can go about blocking the attack on the firewall, by disabling a service, etc until a real patch is made.

It's not about suing companies for building insecure software, it's about keeping your own data secure.

Re:French Court: "Surrender Now"

[nurd68]

I didn't say that any of those were hard. I'm saying it's hardER than just cutting and pasting a URL. And since it's hardER, my original question stands: why impose that burden on a user? Shouldn't you make it as easy as possible on your users?

Re:French Court: "Surrender Now"

[cuerty]

What about using grsecurity ACLS with Apache's suexec and hardened PHP?

Re:French Court: "Surrender Now"

[SunFan]

Then, why hasn't Microsoft been sued into oblivion fifty times over for the vast damage done by e-mail worms, for example. The file attachment execute feature is equivalent to selling a house with an extra unknown door that only criminals and the builders know about.

Re:French Court: "Surrender Now"

[DunbarTheInept]

The reason to publish a vulnerability is twofold:

1 - It forces the software producer to do something about it.

2 - It proves you aren't a raving conspiracy theorist lunatic when you make the claim that there is a flaw in the product.

#2 is rather important. The slandering, err - I mean "public relations" efforts of some companies would be running rampant against anyone claiming to have found a vulnerability if they were legally disallowed from backing up their claim with proof.

Re:French Court: "Surrender Now"

[xmp_phrack]

If you discovered this exploit then so can someone else.

why do you think ~el8, PHC, AcidBitches, and other anti-sec groups want to outlaw exploit code? once we go to a vendor-only or non-disclosure system, blackhats will rule the roost. if exploits are outlawed ...

Re:French Court: "Surrender Now"

Posting this as anonymous 'cos I'm scared of the wrath...

This is a Linux / Open source orientated site you fool! Since when did user friendly make it onto the requirements list?

Re:French Court: "Surrender Now"

[DunbarTheInept]

Because it's really annoying to find that because of someone misguided notion of "user-friendly", you can no longer type a bit of text that looks like a URL WITHOUT having it become a clickable link.

Re:French Court: "Surrender Now"

[Michael+Woodhams]

While this is a responsible way to behave, I think you're playing Russian roulette. I've seen many news reports of people facing criminal or civil action for doing exactly what you describe - and, as the French case demonstrates, the courts are not always reasonable.

If you haven't already done so, have a serious talk to your lawyer about this.

Re:French Court: "Surrender Now"

Luddites?

Remember, France was where the word 'Saboteur' was invented, describing people who disabled the automated cloth-weaving mills by throwing their wooden clogs (sabots) into the works.

Incidentally said cloth-weaving mills being made possible by another Frenchman's invention, the Jacquard loom, controlled by punch-cards.

See, of course, saboteur and Jacquard Loom

Re:French Court: "Surrender Now"

[TLLOTS]

Name to me someone with the vast sums of money and guts to take on microsoft over their EULA. The fact is that even though EULA's may not be enforcable, that doesn't mean one can't tie people up in court for years with it, and who really wants to go through all of that? At the end of the day it wouldn't be worth it.

Re:French Court: "Surrender Now"

[SQLz]

The do inform and let them know how long they have before the code will be relased. Usually, an update already exists once the exploit code is out. The threat of relasing the code forces them to relaease a patch that would probably not be released otherwise.

Re:French Court: "Surrender Now"

[PitaBred]

djb is a tool. There only haven't been security exploits in half his software because he refuses to change it and make it relevant to the current world. Anyone using qmail has tons of patches on it to make it useful, and according to his license, that makes it no longer a hole in his nearly-useful software.
You can trade features for security, yes. But you end up using non-Internet connected 286's with no removable media drives for the rest of your life then.

Re:French Court: "Surrender Now"

[ignorant_newbie]

> I think you give too much credit to the
> consumer... I don't think as many people
> care as your or I would hope.

and they're the ones who's exploited machines are currently being used to send me spam and SSH brute force attacks.

so, you see, even if they don't care, I do.

Re:French Court: "Surrender Now"

But what if I want to mention the URL of a site without influencing its ranking on search engines by actually making it a link? It is reasonable that someone may want to mention http://example.com/ without linking to http://example.com/ with the obligatory square-bracketed redundancy.

You purposefully didn't do what it said you should do and then complained about it afterward? If that were true you should have made your observation that manual trimming of the space would be required in the original post and not in a followup.

Get yourself (or write for yourself) a browser plug-in that is smart enough to wrap your pasted URLs in the markup appropriate for the site so you won't have to think about it ever again and never again get caught with your pants down in public.

Slashcode shouldn't have to cater to people who insist on being inconsiderate lazy assholes.

Re:French Court: "Surrender Now"

[DigitalSpyder]

Sorry, maybe I misunderstand but just how exactly does this keep the closed source vendors honest?

All I see is that this means that closed source vendors have LESS to fear in France, not the reverse.

Re:French Court: "Surrender Now"

[Audacious]

Neither and both. You do the following:

1. You contact the company and ask them how long they think it will take to fix the problem.
2. You ask them when you may release it into the wild and get a definite date/time.

2a. If they won't give you a definite date/time, make some suggestions and work with them to try to come to some understanding about it.

2b. If they still won't give you a definite date/time, ask them if you can release a general statement to everyone via something like BugTraq pointing everyone in the general direction of the problem but not giving specifics. Be sure to talk to the company and ask them who, in the (for want of a better place) BugTraq community they have dealt with in the past and that you can contact to have your problem verified (so you CAN post something to the site).

2b1. Contact the person the company is familiar with and have dealt with in the past. Show that person the problem and ask for their verification of the problem.

2b2. Using 2b1's verification post a general posting of "There is a problem with X" and let everyone know that you have already contacted the company as well as having verified the problem with Y. But that you can not yet release more information until date/time when the company has said the problem should be fixed and released to everyone.

2c. Once date/time has passed, post the entire set of information you wanted to release originally.

2c1. If someone contacts you via e-mail, phone, or flying saucer for more information then you should contact the company, let them know who has contacted you and why and let them handle any/all requests for information. In other words - keep them in the loop. If the person who contacted you does not want to talk to the company for some reason then you can be the go-between for the company and the person (and thus not reveal who it is that is dealing with you).

There are lots of reasons why the above is not done. Some are:

1. Fame. People get a rush for showing they are smarter than the programmers who wrote the software.

2. Misunderstanding. Sometimes there are language barriers which prevent people from being able to talk to other people. The usage of d00d, l8r, and the like are not the only reasons. Someone from Poland who is talking to someone from Africa may not use the same words in the same way. So people may take something as a threat when it is not. Three or four years ago a similar incident happened where someone gave a company five days to fix a problem. Then they went public with their information. This is a ridiculous amount of time to ask a company to fix something. Think of a bus. It is going 100mph down the road. Suddenly, within ten feet of the bus is a sign which reads "Road Out". A bus, going 100mph, can not stop in time to prevent a disaster from happening. Neither can a company. It takes time just to assign someone to either fix the problem or just to insert the code given and to test the code to see if it really does fix the problem or not. To put that in bus terms: It takes time to slow the bus down so it can come to a stop without killing everyone on board.

3. Revenge. Usually for some slight a company did or something the company said or boasted about. Like the "Our software can't be broken!" That, to many people, is a challenge and if the software can be broken some people like to take revenge for the company's boasts. This, again, is like #2 above - a misunderstanding. All companies say their software is the greatest or best. Would you ever buy the worst software ever made? Or second rate software? So (not that I want to defend companies but...) we have forced them to always say "Our software is the best," when it might be just so-so or even just plain bad. Because if they do not it is highly unlikely that the company will be around for long.

3a. This is one of the big differences between Open Source and Closed Source. In Open Source everyone can see the problems

Re:French Court: "Surrender Now"

[TeraCo]

Well, that's the rub isn't it.

Anyone with the clout to take Microsoft to court over losses will be more than happy to accept a deal.

[5 years free software sounds quite good to most Fortune 500 companies]

Re:French Court: "Surrender Now"

[g00set]

Maybe someone who is a little more educated in law can expand/correct this but from what I can tell an EULA is a contract. You or your company have certain legally acknowledged rights that cannot be trumped by a contract.

For example, if you have ever rented skis they have you sign a contract that says no matter what happens to you it is not their fault. Even if the lift comes tumbling down for whatever the reason. Say the lift does fail due to the company never performing the prescribed maintenance . The company may be found to be liable assuming either you or the government has decide to pursue (this is not the word I am looking for) them.

Re:French Court: "Surrender Now"

[Makoss]

Because if an account is compromised, then at the very least they will probably be able to mount a somewhat effective Denial Of Service. That though it may not kill the server (depending upon what sort of restrictions are placed on the applications) will decrease it's usefullness and may be enough to push it from 80% load to 120% load.

Obviously not as bad as if they got a root account, but still annoying that other peoples incompetence could bring down your site.

Re:French Court: "Surrender Now"

[blahtree]

In Word:

Tools->AutoCorrect Options->AutoFormat as You Type tab->Uncheck "Internet and network paths as hyperlinks".

Yes, it's annoying, but it can be turned off.

Re:French Court: "Surrender Now"

[Circlotron]

"People generally appreciate a helpful tip" Probably something about the diference in attitude between a small company and a big corporation.

Re:French Court: "Surrender Now"

[deepestblue]

Read any good EULAs lately?

And how many of them have held up in court? Not that they have been struck down either, but the mere existence of EULAs proves jackshit.

Re:French Court: "Surrender Now"

[maotx]

2b2. Using 2b1's verification post a general posting of "There is a problem with X" and let everyone know that you have already contacted the company as well as having verified the problem with Y. But that you can not yet release more information until date/time when the company has said the problem should be fixed and released to everyone.

Sounds like stereo instructions :P

In all seriousness though, in a perfect world where people have time to spend *hours?* following the "2-step" program this would be a great idea.
The point in releasing the exploit is to put pressure on the company to fix the problem. In my original post the scenario was that you send Foo Inc the exploit, they told you they would get on it, and never fixed it. If you can get a working dialog with a company who will actually FIX it then yes, don't release the exploit untill a patch has been released.

It takes time to slow the bus down so it can come to a stop without killing everyone on board.

If you give the bus a 2-mile warning with flashing lights and it still has a disaster is it wrong on your part? Releasing the exploit to the company is the same as informing the driver of the road being out up ahead. As the driver gets closer still accelerating its best to put a sign to remind the bus driver and alert the passengers what danger they are in by staying on the bus. If its 10 feet or 10 miles, it's best to warn the passengers then not at all. If the company cooperates and releases a fix, then the passengers will still see the sign on the road and hear it from the driver. They should then take the driver's advice and follow him to the latest and greatest bus heading on a newer patched road.

As for fame and revenge, I can't argue with you there. But then again, these people seem to disregard ethics of a "white hat" anyway and will release the exploit no matter what.
Just my $0.02

Re:French Court: "Surrender Now"

[Noryungi]

Anyone on Slashdot have an understanding of the principles of French Law?

Yes, I do. I'll try to answer your questions as best as I can.

What sort of constitutional free speech protection does a French citizen have?

Free speech is guaranteed, under French law, through (a) the 1789 Declaration of Human Rights, which is a part of the 1958 V Republic Constitution (Google is your friend if you want an English Translation of this text), (b) the UN Charter on Human Rights, of which France is a part and (c) the different European Community treaties, which also protect free speech.

Please note: The biggest difference with American Law is that 'hate speech' (anti-semitism, racism, fascism, nazism, Holocaust denials, etc) is specifically forbidden under French Law, and will be prosecuted. Anything else is allowed, except that the French government also reserves the right to censor publications in the name of 'national interest' (read: secrets of state). This censorship is very rarely used these days, however.

Does this ruling actually set any sort of precedent? That would be bad news for both freedom of speech and academic freedoms.

French Law does not recognize 'precedents'. It recognizes the primacy of law (vs precedents) and French courts do not have to follow precedents (previous decisions) taken by other court, in the absence of a binding law . If a binding law exists, the court has to respect that, and not any precedents.

This means that, if I publish vulnerabilities on product foobar from French company XYZ, and I am dragged into court, I may well be cleared of all charges. Also, if I win a case, company XYZ would have to pay for both its legal fees and mine. This is a strong deterrent against frivolous lawsuits.

Of course, the reverse is also true: a future decision may refer to a previous decision (precedent) and condemn me. That's when the legal games and fun begin, so to speak...

didn't they actually fine him for something else, suspend the fine, and then use the threat of the suspended fine to incent him to stop publishing?

No, Guillermito was fined because he used an illegal (pirated) copy of the software to find the vulnerabilities he published. Despite the harsh tone of the ruling, he was not really 'fined' ('sursis' means he does not have to come up with the money).

But, in any case, the court did not render a decision on the crucial matter of finding and publishing vulnerabilities, only on the use of an illegal copy of the software. Seems to me the judges were pretty pissed-off by the hysterical attitude of Tegam (the company who brought the lawsuit).

Hope this clears up a few things!

Re:French Court: "Surrender Now"

[iowannaski]

You can preach to home users all you want about how many security holes IE has in it and look how many still use it.

I'm a home user, I don't use IE (or Windows) anymore because I was made aware of its (their) shortcomings.

Re:French Court: "Surrender Now"

[iowannaski]

bah. Look how poorly I parsed the grandparents words. Sorry about the meainingless reply.

Re:French Court: "Surrender Now"

[Audacious]

I must disagree. To "Extort" means to obtain from a person by force, intimidation, or undue or illegal power. None of what I posted encourages anyone to do any of these things.

1. You are not forcing anyone to do anything. You are trying to work with the company(ies) to get the problem taken care of.

2. You are not using intimidation. You are asking them when you can release the information and working with them, in a positive manner, towards that goal.

3. You are not using undue or illegal power. At no time did I state that you should resort to lawyers and in fact - stated the opposite.

Therefore, saying that someone would be charged with extortion if they followed what I've written is like saying a whale can fly on its own. Further, your statement that it is far better to just post the information anonymously on the internet and not bother contacting the software company is a sure fire way to get yourself in trouble. After all, it has been proven time and again that there is no such thing as anonymous if a company wants to put forth the effort to find out who did the posting.

In actuality, your suggestion of brashly just dumping your information onto the internet falls under the "Revenge" portion of what I wrote. You must obviously hate whatever company you are thinking of (and I can think of quite a few who probably DO deserve having this done to them) and want them to fail. Because they have not earned your trust. They may have even done something to you in the past. I don't really know you so I can't say really. Still, if you are not out "to get them" (which is really nothing more than a revenge motive), then you must be out to help them by default. Or I guess you could be neutral - but your statements seem to state otherwise.

So, since your statements fall into the revenge section you will get what you deserve by just dumping your vital information into the public domain. Which will cause the company to be mad that you didn't have the decency to contact them first and give them a chance to react. Or to put that in bus terms - you saw that the road was going to end so you shot the driver rather than try to help him stop the bus. Or you could say that you leapt from the bus but then the bus was going 100mph and you'd be killed instantly so either way it doesn't solve the problem. Which is what you need to do. You need to learn how to work with the bus driver to get the bus to slow down and stop. Screaming, throwing temper tantrums, killing the bus driver, leaping off of the bus, or trying any other method of escaping your responsibility to act in a logical manner in order to maintain control over the bus won't work.

To stop a bus - especially a bus that is stick shift driven - requires a lot of coordination. The same is true for presenting unpleasant, sometimes irritating news. Any company which puts its darling of a piece of software out there hates it when the sweetheart software comes home looking like it has been to a grundge party. I'm not saying you have to be sugary sweet. Mr. Nicey-nicey. But you don't have to be Mr. Pointy either. (To borrow from Buffy, the Vampire Slayer.) You don't have to rant and rave against them any more than you have to do everything they ask you to do. But at least make the effort to offer them a chance to correct their mistakes.

And try to do it without all of the hate and fury that might have already built up inside of you because what they did was so stupid as to make you want to twist their heads off of their bodies or to kick their butts down the street and into the ocean. I know how frustrating it can be to try to deal with some of the idiots that are out there. But turn the mirror around. Can you, without anger or malice, put into words exactly what is the matter so that someone besides your l33t bro can understand it? Can you say more than just "It doesn't work!"? If so, then do this:

1. Layout exactly what the problem is in clear, easy to understand wh

Re:French Court: "Surrender Now"

[DunbarTheInept]

Yes, and of course a setting in MS Word has something to do with posts on slashdot...oh wait...

Re:French Court: "Surrender Now"

[take5]

None of the above.

The correct action is to market the information to the users of the software. Advertise (e-mail, other)to the users that you have valuable information for them for a small consulting fee. Once you are hired by the user of the software to check it, you do not have any problem with the company that sells it. Armed with your report, the paying customer every right to demand from the vendor his money's worth. You are not involved further, and you have mae a legal and deserved buck.

Re:French Court: "Surrender Now"

[Tony-A]

Actually, when dealing with anything security related, anything automated is probably a bad idea, including any form of automating clickable URLs.
Cut&paste (and removing extraneous spaces) is not that much of a burden on the user. The idea of URLs in HTML is:
<A HREF="non-work-safe-site"> faked-work-safe-description </A>

Re:French Court: "Surrender Now"

[91degrees]

Probably because MS can claim (quite reasonably) that they're not responsible for the actions of a malicious third party, and that when the hole was discovered, they put considerably effort into fixing it. And also that they can turn any court case into a war of attrition and they have the resources to keep that going forever.

If they leave a hole open their EULA will not protect them.

Re:French Court: "Surrender Now"

[nurd68]

Despite the tone of your response, you make a valid point in the first paragraph. Therefore I concede the point. Slashcode is fine the way it is because only the things you want to be links should be, and everything else should just be text. I was in error, and apologise.

Re:French Court: "Surrender Now"

[Audacious]

I can agree with you in many of the areas you talked about. It is very hard, sometimes to get a company to even believe you know what you are talking about. The language barrier is the biggest hurdle to overcome. Many times, just because you don't know the key words to say to trigger a "Oh, is it doing that?" kind of response - you get snubbed.

But I think it is still worth it to at least try talking to the companies. If nothing else, then when they start complaining loudly you can send them their e-mails back to them and point out that you were trying to do the right thing but they just brushed you off. Again, in courts it is really important to at least have made a good faith effort to bring a problem to the attention of a company. Then, when they fail to heed your warnings, you can proceed on down the trail of releasing the information to everyone else.

With Netscape, Mozilla, (and I assume Thunderbird) you can create folders and subfolders by simply right-clicking the main folder icon. Just make a folder for whatever company you are dealing with or make a main company with, say "Companies" and then make subfolders with the company's actual name. You can even make subfolders in a particular company's folder and put some meaningful title on to that folder. (Like 01/01/2005 or Problem_25.) Then just organize things by putting all sent and received messages into those folders. In this way you don't lose track of what is going on where and if they start acting rather foolishly (like saying they are going to sue you) - don't fall into the trap of responding angrily. Just send them back their e-mails (via cut & paste) and your e-mails showing where you only were trying to alert them to a problem and their responses. Many people think that, once sent, most e-mails just disappear. It is usually a shock to have your entire e-mail sent back to you and it can make them see that if they go to court over something they caused to happen, then it will only go badly for them.

As an example of the above, I will relate an actual incident. A few years ago our house was flooded. After contacting the insurance company I received an e-mail stating that our car would be inspected by an insurance agent. He never showed. I called a couple of times and got the run-around and finally had to write another e-mail. This resulted in the guy coming out and just slapping a "We now own this car," sticker onto the windshield and leaving. I wasn't home at the time and came home to find this bright orange packet on my windshield. Needless to say I got on the phone and was told that the insurance company now owned my car. I just went "Oh really?" Because I held the title to the vehicle. I finally wound up writing yet another e-mail demanding that the insurance company fix the car and quit playing around. After investigating my statements I was told to just go get the car fixed and to let them know how much it was going to cost them. I did so. It wasn't much. (Which, on a side note, if your car is ever flooded and you want to keep the vehicle then never let them start your engine. It will suck whatever water is in the engine all through it and that will be the last of your car.) Anyway, the insurance agency refused to pay the bill (which was only $1,500.00 and if they had bought the car it would have been over $6,000.00.) So when they refused I sent them back their e-mails where they said they would fix the vehicle. This greatly infuriated the manager I was talking to but I just reminded them that if they had not of tried to back out of what they had said to me in the past I would not have had to send them their e-mails to remind them of their promises. The car was fixed and paid for by the insurance company.

So it does work. Maybe not all of the time. But it does work. :-)

Re:French Court: "Surrender Now"

[lgw]

Thanks! It seems like, from the standpoint of legal prededent, then, this ruling changes nothing at all, and there's no "chilling effect" to future exploit publishers. All good news.

Re:French Court: "Surrender Now"

[blahtree]

Ahem...an artifact of browsing at 3+. I didn't see all the crud above. I am completely offtopic.

Re:French Court: "Surrender Now"

[Noryungi]

Thanks! It seems like, from the standpoint of legal prededent, then, this ruling changes nothing at all, and there's no "chilling effect" to future exploit publishers. All good news.

Except, of course, that (AFAIK) there are no laws about the publications of vulnerabilities in France.

In the absence of a law, and given the muddled decision of this court (condemning Guillermito without really condemning him, blah blah blah), it is highly possible that French security researchers will avoid publishing anything until the legal situation has been clarified.

This means this court decision may well have a chilling effect after all... until someone rich or foolish enough decides to publish another vulnerability and see what happens in front of another French court. Or a law gets passed, whatever 'solution' comes first.

Blame the victim

[Doc+Ruby]

What about Tegam? They published the exploit in every copy of Viguard. While telling everyone it would protect them. Why aren't they guilty? What kind of crappy lawyer lets their client get punished for telling the truth about dangerous products?

Re:Blame the victim

[scottennis]

Software? A 'dangerous' product? Well, I did hear about a guy who lost his eye to an early version of Windows, but that was a really freak accident.

Seriously though, you have a point. If a gas station was selling gasoline with sugar in it (very bad for your car engine) they would be liable for damages. It seems, however, that sofyware companies have no liability for their crappy product. Must be due to those lengthy licenses you agree to by opening the package.

Maybe gas stations should start printing up a 'licensing' agreement on their pumps.

"Notice: By lifting the handle, you agree to check the compatability of this product with your vehicle, etc., etc."

Re:Blame the victim

[carcajou]

I worked for a small software house for a while, as the installer/trainer. Our owner was very excited about laws that were passed in the US (state by state) making it almost impossible for someone to sue him as long as he could show he was working on the issues. IANAL, and don't profess to understand all the in's and out's of the legal system, but it seemed to me that these types of laws really hurt the industry more than they helped...His ability to put off bug fixes eventually gave him a bad reputation...

Re:Blame the victim

[Just+Some+Guy]

If a gas station was selling gasoline with sugar in it (very bad for your car engine)

No, it's not. Personal datapoint: some idiot put a bunch of sugar into my '68 Mustang's tank when I was in high school. I ran a couple of bottles of fuel treatment through just to be safe, but never noticed anything at all.

Re:Blame the victim

[networkBoy]

I know this is going to qualify for -1 nitpick, but:
If a gas station was selling gasoline with sugar in it (very bad for your car engine)
It's only bad for the fuel filter and possibly the pump. Sugar is not soluable in petrol, thus it would simply clog the fuel filter. (powdered sugar _may_ be a different story, but I havn't tried that yet.)
-nB

Re:Blame the victim

[kitty+tape]

Generally, the reason gas stations, for example, are liable for things and software companies are not is because law makers are not going to impose liability on an industry with lots of money until there is an obvious chance of someone getting killed or seriously injured from their product. I have a feeling that as we see more software controlling things like vehicles, software, at least that subset of it, will become something vendors are held liable for.

Re:Blame the victim

[ATMAvatar]

Software? A 'dangerous' product?

Yup. Ask the designers, or more importantly, the victims of Therac-25.

If something like that can happen as a result of bugs, imagine what can happen when there's someone intentionally exploiting a security flaw to cause maximum damage.

I can tell you from my own professional experience that there are hospitals out there that are simply ripe for exploit (combination of poor network security and management software with holes). I suspect it won't be too many years down the road when we hear of multiple deaths as a result of a black hat going in and trashing a system that's required to keep patients alive and/or let the doctors do their work effectively.

Contrary

[Ghetto_D]

I'm sure just to spite France President Bush will make it mandatory for all programmers to post exploits.

Re:Contrary

[buhatkj]

I hope Bush does exactly that. Whatever vulnerabilities a product has, the vendor should be working to find them out on it's own! I'll say this: If I made a piece of software designed to kill virii, I'd be thrilled if somebody told me it had a bug and showed me how to duplicate it. They are basically doing my work for me, for free...what kind of dipstick would ignore, or worse yet, sue them over this?? Just proves the French courts are not taking this seriously, or perhaps the judges are just dumb...take your pick...

Re:Contrary

[carpe_noctem]

Didn't you get the memo.. they're now called "freedom 0-days".

Re:Contrary

[RoboRay]

In recent history, it's the other way around. France automatically does the opposite of whatever the USA does, just because it's their stated foreign policy goal to counter the US in all matters.

So what ?

[Eu4ria]

Oh lets make it illegal to find problems in software, then if they cant be found they cant exist right?

Bye bye, France

[m50d]

Watch as the security community suddenly stops notifying the French of holes. I predict they will have to go back on this pretty soon. I just hope mandrake doesn't suffer too much.

Re:Bye bye, France

[m50d]

Yeah, I really ought to get round to fixing that. But I don't really believe in the web, so I tend to let it slide.

France

[clinko]

IF instr(HEADLINE, "FRANCE") > 0 THEN
PONDER_FRENCH_MATTERING
LAUGH("FRANCE")
ELSE
READ_ARTICLE
END IF

It's VB (SCREW YOU FOR JUDGING ME!)

Re:France

[Random+Web+Developer]

it has to be VB, look at all the caps :)

Re:France

[mdielmann]

Looks more like BASIC to me than VB. Most, if not all, keywords are not allcaps in VB5 and higher, and constants are usually not allcaps either (unless referencing Win32 constants, and that's a guideline).

That's right, VB doesn't have to make your eyes bleed, which will still not stop you from writing some really bad code if you want.

Re:France

[ggvaidya]

It's VB (SCREW YOU FOR JUDGING ME!)

It's VB. You're already screwed :).

Re:France

[smyle]

ELSE
READ_ARTICLE

You're new here, aren't you?

No details

[JaxWeb]

You may notice the article has no details.

I did a Google News Search and found this one which is much better.

Also, the guys own website.

Hope this helps.

Re:No details

[The+Amazing+Fish+Boy]

You may notice the article has no details.

There's an article?

Re:No details

[A+beautiful+mind]

I do not RTFM, therefore i am (on slashdot).

Forced application of the age old adage...

[Humorously_Inept]

What you don't know can't hurt you, and likewise its corollary: ignorance is bliss. What are their French equivalents?

Re:Forced application of the age old adage...

[PolyDwarf]

What you give into can't hurt you..

and, of course, it's corollary

Surrender is bliss.

Possibly, they believe in the Douglas Adams theory of "What I can't see can't see me", hence the sticking of their heads in the sand.

Re:Forced application of the age old adage...

[Jesrad]

French generally use an ellipse for that: Heureux les imbéciles...

Re:WOW!

[Rude+Turnip]

I don't know, but I hear these guys already did a search on Google to find out:

http://www.albinoblacksheep.com/text/victories.h tm l

Well...

[tsanth]

The condemned seems to think differently.

This is getting stupid.

[Enjoi]

This is simlar to the fact that you can distribute the exploit in text form for something, but you're not allowed to have a compiled version.

It's just weird, how hard is it to compile something?

Re:This is getting stupid.

[Lehk228]

what law is there prohibiting distribution of exploit binaries?

Re:This is getting stupid.

[Enjoi]

I don't know the exact law, but I've been told before off someone I rely on. I'm possibly wrong, but I assumed he was right.

Nevertheless, I'll continue to distribute binarys of sploits :)

rogue states

[bodrell]

Thank God we still have rogue states, where the government is either really small or too preoccupied with real problems to enforce these asinine laws.

Let's hear it for the Virgin Islands and the Bahamas! No software patents there. No export restrictions. True freedom of speech.

Instead of endlessly complain about it...

[Lead+Butthead]

Why not work to change the law(s) in question? I don't know how French legislative works, perhaps someone can shed some light on the subject?

Reminds me attempt to prohibit publishing

[thrad]

exploits online UNTIL official fix is released. In my opinion, it is a flawed tactic. Having usable exploit around motivates vendor to actually DO fixes. I greatly doubt MS will patch its bugs faster if exploits are unavailable to public.

Re:EDITORS SHOULD READ THE FUCKING ARTICLES

"That the fine is suspended means that Guillermito will have to pay up if he continues to publish about the vulnerability and other software vulnerabilities. As a result he has taken the Tegam publication, and a dozen others, from his website."

WOW, you are a retard to miss that.

the part you mentioned was in regards to DIFFERENT legal proceedings.

good lord you suck enermous balls for missing that stuff.

Judicial Insanity, Not just for Americans anymore.

[Lord+Kano]

It's simultaneously comforting and terrifying to see that stupid rulings by stupid judges aren't confined to the USA.

At least I'll feel better about it the next time the 9th Circuit Court of Appeals makes an insane decision.

LK

Re:Just another reason to hate the French..

[Hiigara]

Well, let's see, they provided weapons, military training and aid to the American Colonists in the Revolutionary War. They developed the most heavily armored and gunned tanks during the early German Blitz, one French Char B1-Bis held up an entire German Division for an entire day. One little short frenchie with a bad attitude almost conquered the entire world, twice.

They've developed nuclear weapons, were one of the original founders of the European Union, who's Euro continues to dominate the American Dollar. They were one of the first modern countries to pick on the buzzword "Democracy" long before a bunch of colonists got pissed at their King's latest tax law.

Oh, did I mention numerous American, Australian and British courts have upheld the same reverse engineering proof of concept rulings?

You Sir, are an uneducated bigot.

(Note: I am not anti-American, I'm just hitting him where it hurts. :))

Re:EDITORS SHOULD READ THE FUCKING ARTICLES

[vidarlo]

Yeah, and timothy seems to be especially biased. So, folks! Let's remove timothy from our front page. (look under authors, and remove the mark in front of the one you don't like...)

congratulations to French hackers and programmers!

Hackers: now you don't have to compete with legitimate security research! Your exploit vectors will remain safe from view. Feel free to build up a toolbox of 0-day 'splots (or even 10-day or 100-day, there's no rush!) Laugh as you see version after version of popular software released with the same obvious holes!

Programmers: companies who put their customers at risk by placing security holes in their software no longer have to worry about public embarrassment. Now that useless QA team can be pared down, and software can be delivered more quickly! Only the requirements have to be met, no longer do you have to worry about unexpected input! It's like college freshman year all over again.

Consumers of software? Sorry, maybe you'll get something next time. For now, check out some web sites for common ways to protect yourself from identity theft and hack attacks. You'll need it!

Did you read the articles?

I did read the article and the link in it to a previous article. The previous article stated that his exploit code was judged to be an illegal copy of Teagam's (or whatever their name is) code. I'm not sure exactly where you are getting the idea that his antivirus copy was not legitimate, but this conclusion does not seem to be supported by the articles.

This puts people out of business...

[JRHelgeson]

There are top notch security experts in France, specifically the folks at K-Otik http://www.k-otik.com/

I'm a security consultant and I look to these folks as a source of reputable information. I spent a LOT of time on their site when Microsoft was trying to deal with the fallout of the MSO3-026 vulnerability which begat the MSBlaster worm. I even got the source code for blaster from the K-Otik crew.

This is going to have huge ramifications if it is interpreted as described here.

Re:This puts people out of business...

[16K+Ram+Pack]

Couldn't they just move to Belgium?

Re:WOW!

I understand the argument against security through obscurity, but I can also observe a correlation between the publication of an exploit and a steep increase in usage of that exploit. Also, I do not observe a correlation between these events and the vulnerability being fixed.

The person who coined the phrase, "security through obscurity is no security at all", did so before we got wire to *everybody* and before there were so many script kiddies.

There might be some merit in attempting to keep stuff under wraps. It won't fix the problem, but if the disclosure itself tends to exacerbate the problem, the case can be made that it is prudent to do everything possible to limit the disclosure.

The error is in the idea that a *government* has any power to stop this kind of disclosure.

?publish or perish?

[Skeptical1]

The "virus definitions" files published by Symantic, McAfee, et. al. would seem to be in violation of this law.

Babelfish

[tsanth]

According to Babel Fish:
Ce que vous ne savez pas ne peut pas vous blesser and l'ignorance est bonheur.

Wrong step...

[DunderXIII]

The problem is that software makers tend not to care too much about security problems if it doesn't affect their sales. When a security concern gets published the fix priority jumps and get very important because the clients now have the choice of choosing a better product. With this kind of judgment the security holes will become a guarded secrets amongst hackers and they will probably live a better life. Granted the hole will also less hackers but then again the ones that are actually capabable of exploiting the holes probably knew about the hole anyway.

Symantec tried this too

[Nuclear+Elephant]

Symantec tried this about a year ago. Sadly, this is going to affect the businesses of security-based companies all over France.

Debugger forbidden...

[vidarlo]

Richard Stallmann has written a text about a future scenario, where owning debuggers is forbidden. It's recomended reading, and at least has showed me why we have to fight for our rights! The Right To Read also carries a informational part, which is non-ficitional, and highly interesting reading. Both parts is here

Re:Debugger forbidden...

[A+beautiful+mind]

The applications protected by the GPL are used and quite possibly gravitate on the billion or trillion dollar scale.

Seems to be a pretty fine sense of reality to me...

Re:Debugger forbidden...

[A+beautiful+mind]

Bush didn't invent the thing you call "US GNP".

Your analogy sucks.
Heh, it's almost as ironic when the government blaims the opposition for the state of the economy.

Re:Debugger forbidden...

[finkployd]

Your analogy sucks.

And yours is somehow even worse.

Finkployd

Re:WOW!

[Homology]

I'd like to think that the French National Security Directorate (or equivalent) will overrule this asinine ruling.

I would like to remind you that France is a democracy, and it does not have a Department of Fatherland Security. Actually, the "Old Europe", as the present Administration like to talk about, are the European countries whose democratically elected Governments listened to the overwhelming majority public opinion.

France is stupid (-1 Flamebait)

[Knights+who+say+'INT]

There used to be a great geocities-like free web space provider called altern.org.

I say geocities-like so you get the picture, but it was nothing like geocities. No nonsense interface -- all text, no pictures, no ads --, great webmail interface -- again, all text, no pictures, no ads. It was also the first (maybe the last, I just got my own paid hosting when it got ultracheap -- it wasn't, in the day) free web space provider to support PHP.

Yes, PHP. In the days where extensions were .phtml. I actually only began mucking around with PHP and server-side scripting because altern.org offered it. I still cook up some solutions with PHP and MySQL -- something that'd never have happened without mr. Valentin Lacambre's Flying Circus.

Apparently, the whole thing was ran by a techno-anarchist who prophecized in the future technology would make working unnecessary yadda yadda yadda. A sort of techno-optimist Guy Debord.

One day, one of altern.org's free websites had a parody of a France Telecom logo. Tartalacrem, if I'm not wrong. Legal hell ensued.

Not only it wasn't covered under any kind of fair use provisions, but France Telecom sued VALENTIN LACAMBRE, THE GUY WHO RAN THE FREE SERVICE.

Courts rejected his defense of not being responsible for everything hosted in his server as anyone could anonymously host content. Mr. Lacambre was forced to pay up fines and was told he was still responsible for anything held in altern.org.

So altern.org was taken down. That's France, folks.

Re:France is stupid (-1 Flamebait)

[JuanLou]

Damn right ! This must be France, I assume, and these moron judges don't have a clue what they rule about. I used altern.org (and still do for email), this used to be a great service.

Re:France is stupid (-1 Flamebait)

[bugnuts]

Same place that filed criminal charges against the owner of yahoo (IIRC) because the american site could be reached from france, and could contain nazi material, and levied fines on them. The french site didn't have such material, either.

Re:The 'condemned' him?

[BluedemonX]

A cognate. "Condamné" means convicted/punished in French, it doesn't have the same connotation in English.

obSimpsons

[The+Amazing+Fish+Boy]

What kind of crappy lawyer lets their client get punished for telling the truth about dangerous products?

Hutz: Thank you, Dr. Hibbert. I rest my case.
Judge: You rest your case?
Hutz: What? Oh no, I thought that was just a figure of speech. CASE CLOSED.

by the way...

[kebes]

just as a side-note: it is possible to publish a description of a vulnerability/weakness without publishing example code that exploits said weakness. Thus, even if providing exploit code is illegal, we can still put pressure on a company to fix a security hole by publicizing an explanation of a security vulnerability.

(Admitedly, this description could probably be turned into code very quickly by any hacker, but that's not the point.)

In any case, the article in question is about copyright violation, not making exploit-publication illegal.

Re:by the way...

[Piquan]

just as a side-note: it is possible to publish a description of a vulnerability/weakness without publishing example code that exploits said weakness.

This causes a couple of problems.

First, the sysadmins of the world can't tell if they're vulnerable. I've had many times when I couldn't tell from the description (from the vendor or the original report) whether the systems I'm responsible for are vulnerable or not.

When you get a security patch (from a closed-source vendor), it rarely says which specific security issues it addresses. More often, it's "Changes to the FOO module" or something equally vague. So the sysadmins still can't tell whether or not they're vulnerable.

Sometimes, patches-- if applied in a particular order-- can fail to close vulnerabilites. (Some Microsoft hotfixes worked this way: if you applied hotfix A before you installed subsystem B, but later installed subsystem B, then the vulnerability that hotfix A was meant to fix is still in subsystem B, but hotfix A won't install because it's been applied once already.)

That's the first problem. The second problem is one of denial. I'm going to pick on MS again, not just because it's so fun to do so (although that's part of it), but also because it's easy.

Last year, MS was told-- by a reputable security group-- of a vulnerability. I believe it was the DCOM vuln that another reply to you mentioned, but I could be mistaken. MS said, "It's only a theoretical problem" and said that they wouldn't be addressing it. The security group created exploit code. "It's not in the wild... we won't address it." Etc, etc... in short, MS refused to acknowledge that it was even a vulnerability until it was too late-- ie, until lots of people had viruses.

Public disclosure became commonplace because vendors refused to address-- or sometimes even acknowledge-- bugs unless they were made publicly known. (Why should they? It's not harming the company until they start losing consumer confidence. Remember, boys and girls, effective capitalism requires consumer knowledge about products!) Nowdays, we see the situation in which vendors refuse to acknowledge bugs that are only described; until it can be demonstrated, it doesn't exist. And unless it's in the public eye, it doesn't exist. So you have to demonstrate the vulnerability, in a public manner: ie, publish the exploit.

Here's the irony. Vendors are against public disclosure of vulnerabilities, and say that responsible people shouldn't publish their findings; it's irresponsible to make vulns known. But public disclosure only became commonplace because the vendors were irresponsible about fixing vulns. If they had been fixing them in a timely fashion, without needing public disclosure, then we wouldn't have set up things like BugTraq and the like.

Travel abroad

[rbanffy]

And so, the french who want to publish vulnerability reports and proof-of-concept code will have to travel abroad before doing so.

If I understood correctly, he was fined because his proof of concept code infringed the copyright of the original program he was trying to prove as vulnerable. Maybe some more careful coding could have avoided that.

What will happen under a more unified Europe? Will decisions made in one country be upheld in other countries - will other europeans have to worry about this decision in France?

Re:EDITORS SHOULD READ THE FUCKING ARTICLES

[p3d0]

What are you talking about? That's not what the article says at all.

Extortion?

[goldspider]

Am I the only one who finds this whole "Fix this now or else I will publish the exploit!" business a little shady?

I know it's not QUITE the same as extortion, as the person with the vulnerability knowledge isn't seeking financial gain.

But what is the purpose of publishing the exploit? What if the developers can't come up with a patch in time to meet thier imposed deadline?

It just doesn't seem very professional to me at all.

Re:Extortion?

[asc4]

Well, perhaps not direct financial gain, but there certainly is something to be said for security companies looking to prove their expertise (and consequently boost sales) by trumpeting all the exploits they've discovered.

That said, I think publishing exploits is a necessary thing. I think the discoverer of an exploit has a responsibility to all the other users of whatever software has the hole in it to make the hole known. However I think the discoverer also has a responsibility to make a genuine attempt to notify the software developers of the problem and give them the chance to release a patch before making any public proclamations. To me, the public announcement should be used as a last resort to try to prod an unresponsive software manufacturer into action.

Re:Extortion?

[fishbowl]

"I know it's not QUITE the same as extortion, as the person with the vulnerability knowledge isn't seeking financial gain."

Why is financial gain a necessary ingredient of extortion? Any "valuable consideration" should suffice. If commerce can use the barter system, why can't crime?

Re:Extortion?

[goldspider]

Why isn't it enough then to very publicly publish something along the lines of:

"There is a gaping vulnerability in Software X. As paying customers of Company X, I encourage you to encourage Company X to fix the software, and discontinue use of Software X until it is fixed."

Where is the benefit to the general public in publishing the exact mechanics/methods of the vulnerability?

Re:Extortion?

[asc4]

Because without proof-of-concept any moron out there can claim all sorts of vulnerabilities for no other reason than to try to tarnish the reputation of software companies.

Re:Extortion?

The benefit is simple: exploit code is proof that the vulnerability is real. Without proof, it's all just an unsubstantiated claim, and there's no way to know if you are in danger or not. Another benefit is that the exploit code allows anyone to verify that a supposed patch really fixes the problem.

Re:Extortion?

[SydShamino]

Let's say you are a mechanic, and you find an problem with a particular brand of car that could cause it to explode when, say, it was hit from behind.

Let's say you tell the automotive manufacturer about it, and he claims that your research was flawed and there was no problem, or he just says "ok we'll look at it" and does nothing for four years.

Let's say that, after those four years, you start reading stories of people dying "mysterious" in explosions during crashes in those cars. You tell the vendor again, but again they deny that their problem is causing the deaths, and they even deny that you contacted them about the problem four years before.

Do you continue to keep quiet, and let people die because telling the public about the problem would be "unprofessional"?

Would you have told the public after giving the manufacturer a month to find a fix, so everyone would know about the problem and could participate in the recall?

Would you have told the public as soon as you found the problem, so people could choose to not use the car while a fix was being designed?

What do YOU think is the professional thing to do?

Re:Extortion?

[asc4]

None. Provided that the publisher exhausted all reasonable means to notify the software manufacturer and still got no response, the responsibility then falls on the manufacturer for their failure to adequately address the problem in a reasonable timeframe after it was first brought to their attention.

Is the guy who first discovers a dangerous design flaw in a children's toy responsible for all the children injured as a result of the flaw if the company refuses to recall the toy?

Re:Extortion?

[JuanLou]

In this case the exploit was regarding a vulnerability on consumer personal data. Publishing it is a mean to force the webmaster protect sensitive consumer information, so it is a good thing (in the long term). People ought to be informed when they use sites that are not secure, it is fair to all users.

Re:Extortion?

[elpapacito]

It would be wrong to rear-end cars to prove that they have a serious defect, but there's no guarantee that any car or computer will be rear-ended because of the publication of the exploition ; it doesn't become neither more likely nor more probable, just relatively easier if you get to know about the exploit, decide to use the exploit.

For instace, when I evidently publish on a spray bottle that it contains flammable gases I do that for safety purposes, to let the users be aware.

Yet at the same time.. am I'm telling the wannabe delinquent that a spray bottle is a flamethrower or just making it easier for him to understand ?

Re:Extortion?

[jd]

IANAL, but I read about one in Henry Cecil's series of books. In England, it would be classified as being an "accessory to the fact", which makes NOT revealing information that relates to a crime or criminal activity, in itself a crime.

Now, you'd have to walk a fine line between publishing an exploit (in this case, publishing the safety hazard and, possibly, how/why it works) and exploiting the exploit (using that information to deliberately damage either cars or the manufacturer).

English law both protects and scrutinizes people through the concept of the reasonable person. It is a defence, in that anything that is nominally a crime can be excused on the grounds that any reasonable person would act the same way. That doesn't often happen, but it can.

It is a form of scrutiny, in that anything which is nominally protected, but is used UNreasonably can lose whatever protections there are.

In the case of publishing exploit code, it would seem to be a matter where reasonableness should take priority over any law or other ruling. Where there is an overriding public interest in knowing that the exploit exists, but there is a justifiable fear that the system maintainers would actively suppress the knowledge if possible, then it would seem eminently reasonable to make suppression impossible.

For example, there was another massive credit card theft (32,000) reported today. It took several months for the company to even notice what was happening. Were a group of "Grey Hats" to audit mission-critical systems of major companies and publish the results, I think it very likely that a case could be made for the reasonableness of such an audit and the apparent Public Interest in such information being revealed so that responsible parties can be held to account BEFORE the next disaster.

(Of course, we all know that theory != practice, even if the case reached court. Any company willing to play with fire on that scale, with the potential for massive damages and catastrophic PR, is unlikely to worry too much about whether Grey Hats are good building materials for bridges.)

Re:Extortion?

[xmp_phrack]

Let's say you tell the automotive manufacturer about it, and he claims that your research was flawed and there was no problem,

You take the population of vehicles in the field (A) and multiply it by the probable rate of failure (B), then multiply the result by the average cost of an out-of-court settlement (C).
A times B times C equals X. This is what it will cost if we don't initiate a recall.
If X is greater than the cost of a recall, we recall the cars and no one gets hurt.
If X is less than the cost of a recall, then we don't recall.

Re:Extortion?

[AlexCV]

There has never been problems with Ford Crown Victorias, this is FUD! ;-)

Re:Extortion?

[conteXXt]

ah not exactly.

This would be more like telling a newspaper about the deficiency, and including the information that they had to be hit "from the rear".

Hitting them yourself would be like actually releasing a virus (in the wild, not a proof of concept) based on the exploit.

I don't think that is actually what happened here.

Re:Extortion?

[SydShamino]

>> This would be more like telling a newspaper about the deficiency, and including the information that they had to be hit "from the rear".

Or publishing a book about it? Criminal!

So let me get this straight

[Jailbrekr]

The french are saying that finding and publishing expolit code is illegal. If someone finds an exploit and does not publish it, and the exploit eventually gets out into the wild, who is ultimately responsible for the damages? Is it the hackers who wrote the code, the company for not finding and patching the vulnerability, the person who found and did not publish the exploit, or is it the french gov't for gross legal mismanagement?

What they don't know can't hurt them

[Frodo+Crockett]

Oh, that's a great idea. If you keep a problem secret, it's not a problem anymore!

3rd country

[bogaboga]

They will publich remotely using servers in a 3rd country. The info can still be obtained. When will the bureaucracy understand how today's IT world operates? Heck, drugs (cocaine, marijuana) and the like are illegal but still obtainable by anyone who trys.

Where's the real info?

[k98sven]

Sorry, but the source here is a Blog post, which in turn refers to the convicted guy's home page.

Nowhere does it say what, exactly the guy was convicted of, or why. So how are we possibly supposed to be able to react to this?

I have a hard time accepting statements like:
This ruling can cripple the security research in France, making it illegal to publish security vulnerabilities or the proof thereof by reverse engineering. Without being able to tamper software the actually studying and consequent publication of vulnerabilities is made impossible.

Without seeing the judgement or at least a description of it from a neutral source.

Reverse engineering is legal in Europe, and is a protected right under European law. (91/250/EEC, article 6.)

I have a strong feeling the whole story is not being given here.

Re:Where's the real info?

[fishbowl]

"Reverse engineering is legal in Europe, and is a protected right under European law. (91/250/EEC [eu.int], article 6.)"

For now. But European law seems to be on a trend away from sanity, while people behave as if European law will always remain sane, and as if the USA has a monopoly on corruption and ignorance and insanity in government.

Re:Where's the real info?

[fabbers]

According to this blog http://maitre.eolas.free.fr/journal/index.php?2005 /03/08/87-guillermito-condamne-mais-tres-legeremen t/ (oh my god, it's in french!), he was convicted of counterfeiting, i.e using a pirated version of Viguard. The judge said that, in order to be legal in France, reverse engineering should be performed on legaly obtained software.

Re:Where's the real info?

[k98sven]

Of course, france might have implemented this european directive differently.

That is why I refered to the directive itself. I don't know exactly what the French implementation looks like.

However, I do know several nations (Sweden, Norway, Finland, Denmark) who in their implementations do specifically mention finding/fixing bugs (well 'errors' is the more common term in law) as a valid reason for reverse-engineering.

Re:Where's the real info?

[alain94040]

Glad you asked.

The guy got convicted for using a pirated copy of the software he reverse-engineered, not for the reverse-engineering or posting the exploit. And since the sentence was suspended, you can see that the judges actually saw as a positive the goal of the reverse-engineering.

PS: yes, it does happen that a /. headline is misleading :-)

Alain.

Re:EDITORS SHOULD READ THE FUCKING ARTICLES

[Vicegrip]

Please, read the articles before commenting. As usual on Slashdot, the news is misleading : he was not condemned for releasing exploit code, but simply for software piracy (the antivirus copy he had used was not legitimate).

After reading the article I see no information there about software piracy.

Following the links I did find some interesting tidbits that would indicate the company in question is less than honorable:
A factual issue, not part of the trial but seemingly of Tegam's scare tactics, is that Guillermito was accused publicly by the software company to be a "terrorist wanted by the DST (French secret service) and the FBI". This has not lead him to recluse in fear, but he is hardly optimistic of the outcome, scheduled for March this year...

It seems he was being procecuted for violating a European Directive which prohibits tampering with copyright protection measures. Ergo, that this researcher had to by-pass copyright-protection measures to find the flaws in their product.

Don't pick on corporations- or cooperate

[panurge]

This is like the McLibel case in the UK. In short, two individuals passed out London Greenpeace leaflets criticising a well known fast food chain. They were sued for libel. After a trial costing millions, in which the defendants were not legally represented because they could not afford it and the UK government refused to assist them, the judge awarded derisory damages. Both the UK Government and the fast food chain spent a lot of money buying lawyers yet another country mansion, yacht etc. The European court has just ruled the trial unfair for this reason, and tghe fast food chain has just had a second huge swathe of adverse publicity as the original case is dragged up again and the sheer unfairness of large corporation versus small individual is rehashed.

In this case an appeal to the European Court on grounds of effective suppression of fair comment sounds as though it might just be possible if funds were somehow made available. It seems on the fac of it obvious that the real reason for the case was a corporation trying to prevent any adverse publicity and using its superior economic power to get the decision it wanted, but it will need expensive experienced judges to point out what seems obvious to the majority of people.

Re:Don't pick on corporations- or cooperate

[RedWizzard]

This is like the McLibel case in the UK. In short, two individuals passed out London Greenpeace leaflets criticising a well known fast food chain.

Is there any reason why you didn't name McDonalds? It's not like it's a secret - they were the plaintiff, not the defendant.

Ruling make illegal?

[Zphbeeblbrox]

It has always annoys me when people say a ruling makes something illegal. Rulings don't make something illegal. Laws make things illegal. Rulings just enforce those laws. So either it was already illegal in the law or the court overstepped their bounds. Happens all the time here in the states. The courts say something is illegal and we just blithely go on about our business never once questioning whether they have the right to create law or not.

Re:Ruling make illegal?

[cpt+kangarooski]

Well, some opinions are just interpretations of laws. But in the US, we have a common law system, so yes, at times the courts do create laws. Since this dates back to the courts set up in England after the Norman Conquest, no one's really bothered complaining about it for a few centuries. It all works okay.

Re:Ruling make illegal?

[WhiplashII]

That is how it is supposed to work, but unfortunately it doesn't work that way. Courts often are asked to rule on things where there is no current law - so they have to find the closest law and try to apply it to the situation.

It happens a lot. People tend to not like it because they agree with your statement on what a courts job it - but what is the court supposed to do, wait for parliment?

Re:Ruling make illegal?

[Zphbeeblbrox]

The court is supposed to throw the case out. Its a well defined job. If no law applies then the case gets thrown out.

Re:Ruling make illegal?

[Zphbeeblbrox]

I'd be interested in seeing the legal basis of this practice. A document to the effect somewhere in our legislation is all we need. You show me the law that gives them this power and I'll lay all my complaints to rest.

Re:Ruling make illegal?

[WhiplashII]

Well, yes. But who decides if a law applies? The court, of course.

Thus they can extend any law they like, in effect making law.

Re:Ruling make illegal?

[Raistlin77]

You've got a point, but I think you are being too literal in the sense. Of course it does not mean that the act in question is now illegal, but it does make a precedence for future lawsuits regarding the same act.

In other words, if someone in France does the same thing Tena did, it will be easier for the company that is suing to win, citing that "in Tegam vs. Tena, the courts ruled in favor of Tegam and imposed a suspended fine of 5,000 euros against Tena". Because of this, it will now most likely take a law to undo the damage that has been done by that ruling.

Re:Ruling make illegal?

[Mjec]

Ugh, it's called caselaw. It's at least as important as, if not more important than, legislation. Basically it establishes a precedent of interpretation of the legislation. So legislation might say "don't steal stuff" and the judiciary decides what that means. Then they establish a precedent and judges, often in lower courts, can hand down decisions saying "in the past it was this way, so it's this way again - for that reason you punishment is X". Learn something about the legal system before spouting crap.

Re:Ruling make illegal?

[Zphbeeblbrox]

everything you just said I already knew. I just object to it. Just because a judge said it was this way in the past doesn't automatically mean the judge was right when he said so. Precedent/caselaw is a terrible way to run a court system. Just because it works that way now doesn't mean it's the right way. I still haven't seen anyone point me to a peice of legislation or law that says this a court has the power to create law or even to bend a law to apply where it doesn't. Every case should be decided on the basis of the law and nothing else. Any other basis of deciding is stepping outside of their boudaries as set by law. Laws should be created by elected officials in the legislature. Anywhere else and citizens begin to lose their ability to control the laws that affect them. Some judges aren't even elected. They are appointed. Jeremy Wall

Viva la America!

[null+etc.]

This ruling makes the publication of security vulnerabilities and their proof of concept through reverse engneering illegal in France.

Awesome! French software manufacturers can now use the threat of prosecution to avoid having faulty software criticized. French software manufacturers thus have less incentive to fix their broken software products.

Hopefully the French will start buying their software products from America!

Detailed proceedings ?

[dago]

It would be nice if somebody could point to the detailed condamnation and the motivations.

For all I've been able to (quickly) find, he has been condemned for intellectual property, namely counterfeiting.
One possibility is that it's becausehe has published source code, which looks strange because it would be probably be the fair use (short citation for eduction).
But it's probably because he pirated Tegam's software and didn't buy it.

You can also read on this lawyer blog that

"Il ne faut pas interpréter cette décision comme une condamnation du (EDIT : full disclosure), à mon sens : la même chose faite sur un programme licite ne tomberait probablement pas sous le coup de la loi."
So that it is NOT condemning full disclosure and that such publiction made on a legal software wouldn't be sanctionned.

At the moment, it really looks like some people are screaming as loud as possible about that, but until the details are know that just PR operations from Guillermito and the others.

oh great

[chalkoutline]

I now eagerly await some script kiddie writing a 'Freedom Virus' that posts anti-French messages all over your machine.

Re:oh great

[Lehk228]

i have enough anti-french stuff on my machine already i wouldn't notice.

Re: French legal decisions

[markdowling]

IANAL, but the French Civil Code system's rulings would find difficulty in being applied in a common law jurisdiction like the UK or Ireland.

For action to be taken, there would have to be some kind of framework like the European Arrest Warrant. Given the way the Eurocrats bullied through the recent patent legislation one can't rule it out.

Re:EDITORS SHOULD READ THE FUCKING ARTICLES

[Sam+H]

See this analysis by a lawyer who followed the trial: http://maitre.eolas.free.fr/journal/index.php?2005 /03/08/87-guillermito-condamne-mais-tres-legeremen t
(quote: "Ce qui a perdu Guillermito, c'est que sa version de ViGuard était piratée", eg. "What lost Guillermito was that his version of ViGuard was pirated").

Re:The 'condemned' him?

[SmokeHalo]

Thanks for pointing that out. I was going to comment that "condemned" seemed like a strong word, when all he got was a fine (and even that was suspended).

When exploit knowledge is outlawed...

[taanstaafl]

only the outlaws will have exploit knowledge. (to paraphrase a wingnut bumper-sticker)

VULNERABILITY

[Spy+der+Mann]

A vulnerability has been found in France's new legislation regarding publication of exploits.

The legislation has a loophole that allows people to give such info to 3rd parties outside France so they can publish such exploit.

The government's illegality detection can be easily bypassed with an SSL connection, provided one does not disclose his identity.

Proof of concept

Re:Just another reason to hate the French..

[goldspider]

"One little short frenchie with a bad attitude almost conquered the entire world, twice."

If you believe that Napoleon almost conquered the entire world, you have little room to question anyone's education.

Well they surrender to everyone else....

[gatkinso]

...why not the hackers too?

Re:Just another reason to hate the French..

[winkydink]

Well, let's see, they provided weapons, military training and aid to the American Colonists in the Revolutionary War.

Yes, the French continue to be well-known for always willing to make a profit, regardless of consequences.

One little short frenchie with a bad attitude almost conquered the entire world, twice.

Europe != World

developed the most heavily armored and gunned tanks during the early German Blitz, one French Char B1-Bis held up an entire German Division for an entire day.

Sadly, it appears that the next day, they surrendered. We'll skip over the Marshall Plan at the end of said war while we're at it.

They've developed nuclear weapons

First? Second? Third world countries have developed nuclear weapons. BFD.

Euro continues to dominate the American Dollar

You might want to look back a little further in historical performance of USD vs EUR.

They were one of the first modern countries to pick on the buzzword "Democracy" long before a bunch of colonists got pissed at their King's latest tax law.

Hmm Declaration of Independence: 1776. French Revolution: 1789.

You Sir, are an uneducated bigot

Glass houses.

As usual, only 1 side of story is presented

Tegam refutes his claims...

and

Tegam is adamant that Tena's claims are false and his motives are questionable.

BTW, was it already illegal in France to do what he did? If so, then the people should get the laws changed, not trash the judeges and judicial system for doing their jobs by upholding them...

Does this include MMORPG exploits?

[aapold]

Then I'm all in favor it. Dr. Twister will need to find a new place of exhile...

Sure they do

[Ironsides]

It's called the Ministry of the Interior.

Reclassify your "exploit" as a "hidden feature"

[Anonymous+Custard]

Just reclassify what you would have called an "exploit" as a "hidden feature".

As in,

"Hey there's a great new hidden feature I found in Internet Explorer for people who need to get remote root access their own systems:

Just load up this javascript + assembly code in a page in the browser, and Internet Explorer will automatically generate a stack overflow, so you can execute the assembly code! What a great new hidden feature I've found."

Re:Just another reason to hate the French..

[stupidfoo]

One little short frenchie with a bad attitude almost conquered the entire world, twice.

He really kicked Russia's ass

Re:EDITORS SHOULD READ THE FUCKING ARTICLES

[Ohreally_factor]

What, and miss the dupes?

Actually you've just hit upon the reason the dupe problem is so bad on slashdot. Obviously, the editors have each unchecked the boxes of all the other editors.

It had to be said...

[Evets]

Everybody already knows that the secret to getting past the Maginot Line is to simply go around it.

Even if nobody was allowed to talk about it, everybody would still know how to defeat it.

Now I have to rename my Freedom Fries!

[multi-flavor-geek]

I guess now instead of Freedom Fries (Instead of French Fries)Instead of Shoestring Potatoes fried in vats of lard)) I will have to start calling them 'Don't Reverse Engineer Software and Publish Vulnerabilities or you will rot in jail Fries'.
I do believe they are going to start hating me at McDonalds.

Re:Just another reason to hate the French..

[Grishnakh]

One little short frenchie with a bad attitude almost conquered the entire world, twice.

Actually, Napolean wasn't really French: he came from the island of Corsica, which I believe was a French territory at the time. Part of his bad attitude, IIRC, was that he wasn't accepted by his French peers while he was in school.

Free speech?

[AstroDrabb]

Doesn't France have free speech rights? I thought the USA was getting bad with slowing taking rights away from citizens and giving them to the government or corporations. It seems like France just beat out the USA IMO.

It looks like the rest of the world has pretty much caught up with the USA. France denies free speech, the EU bows to big corps and OKs software patents, AU is considering fines for people or corporations if they use the Internet to incite or promote suicide methods.

Is there any decent government left in the world?

Re:Free speech?

[Solilok]

There is a law in Australia that makes it illegal to commit or attempt suicide. Promoting or inciting suicide is illegal too, hence the fines. Besides it's easier to go after the promoters than after the suicidees.

Re:Free speech?

[SysKoll]

France has no free speech rights anywhere in its constitution or laws. Actually, the French "Law on the Freedom of the Press" is regularly amended to increasingly restrict -- you guessed it -- the freedom of the press.

The US have it so good. This only proves that Americans who are hyping the European institutions are totally clueless about Europe.

You shouldn't take the 1st Amendment as granted.

Hmmmm..... Minor points

[kaladorn]

They developed the most heavily armored and gunned tanks during the early German Blitz, one French Char B1-Bis held up an entire German Division for an entire day.

They capitulated and had a fairly sizable number of collaborators too. Not sure what either of these sound-bytes has to do with the current situation....

One little short frenchie with a bad attitude almost conquered the entire world, twice.

http://www.napoleonguide.com/ajaccio.htm

Corsican. That ain't the same thing, really.

They were one of the first modern countries to pick on the buzzword "Democracy" long before a bunch of colonists got pissed at their King's latest tax law.

Sure. Starting something gets you some credit. What have they done that was democratic lately? Seems the trend is in the opposite direction. These are the same people who invented (or at the very least endorse) the idea of policing their language. That's about as anti-democratic as you can really get.

France hasn't done much useful for about 150 years now. Resting on your historical laurels isn't really all that respectable and the willingness to sell weapons to both sides in just about every conflict regardless of the consequences doesn't exactly inspire one to think of France as a bastion of worldly wisdom. Nor, unfortunately, does the attitude referenced in this article. I give you that the US has gotten a wee bit adle-pated about patents and IP law, and France is not alone in Europe in being brain-absent, but that doesn't make them any sort of champion to herald....

Re:Hmmmm..... Minor points

[kaladorn]

May be we should get started on a discussion about the recent progress of American "Democracy".

What exactly does the state of American democracy have to do with France? I believe I asserted you can't champion France as the home of democracy. I don't believe I spoke even offhandedly pro-or-con about American democracy. I'll ignore your rant about the US (which is what this really is). If you think French democracy doesn't have all sorts of procedural holes (just like every other one), then you are pathetically naive. Or willfully stupid.

You have no idea what you are talking about. Do you think a recommendation from the French academy has any more influence on what words the French use than the "food pyramid" of the US FDA has an influence on what Americans eat?

The French actually make concious attempts to regulate their language and keep out anything that may be creeping into common usage from outside. That process of foreign words creeping in is a grassroots activity and as democratic as it is possible to imagine. And yet they make a serious *funded* attempt to thwart this. And they pass the kind of language legislation that helps support such efforts. If you love French democracy, maybe you should move there and get a close look at it with open eyes. Or maybe you are a French patriot, who looks at his country and cannot see the flaws. The Emperor's New Clothes are very nice, aren't they? Go peddle your unsupportable assertions elsewhere, AC. You don't even have the energy or courage to own up to a login name, so why would you bother actually trying to expend the energy to become educated on these matters or to open your mind?

Mod the parent down.

[MyLongNickName]

From the FA:
Yesterday the French security researcher Guillame Tena, aka Guillermito, has been fined a suspended fine of 5000 euros by a French court for publishing a vulnerability in the Viguard anti-virus software of the company Tegam.

Link to the Leaflet

[Ironsides]

Leaflet

Considering a lot of what they are saying and implying, I can understand why McDonalds's is suing. Lets start with McDonald's is directly involved in this economic imperialism, which keeps most black people poor and hungry while many whites grow fat. Hmm... like I've never seen a black person eat at Mics before nor a skiny white guy.

You can tell Harvard buys this myth

[WillAffleckUW]

After all, if they can just not admit people who hack their admissions web pages, the problem doesn't exist, right?

Right?

Um, how come Zaphod Beeblebrox just graduated from Harvard ... couldn't be that they should just fix the code, could it?

The same applies to the French firm.

TEGAM International's description

[sverrehu]

I found this one quite interesting:
http://www.viguard.com/en/news_view. php?num=88

Have no idea about the truth, though.

Re:Just another reason to hate the French..

[CrimsonAvenger]

They developed the most heavily armored and gunned tanks during the early German Blitz, one French Char B1-Bis held up an entire German Division for an entire day.

I've heard of this happening once in the USSR with a KV-1. I've never heard if it happening with a Char B.

Also, for what it's worth, the KV-1 had both heavier armour and a better gun than the Char B. And a better engine, better tracks & suspension, and a better crew layout to boot.

One little short frenchie with a bad attitude almost conquered the entire world, twice

Umm, no. The little Corsican (not Frenchman) didn't even come close to conquering "the entire world". He never quite managed to conquer Europe (Hitler did better), much less Eurasia, much less the rest of the world.

NOTE: I am not anti-French. I am truly grateful for the help they provided in our Revolution, since we would not likely have won without their aid. But since then, they've managed to look like complete imbeciles more often than not.

Nonsensel?

[bstadil]

The interpretation of law changes all the time.

Just look recently ruling where the Supreme COurt overturned Execution of Minors. Did the written law change? No! In the argument the majority argued that world opinion and decency standards had changed.

Re:Way to go France!

[fishbowl]

>Kudos to France for working so hard to "cut down on
>crime"!

If your prisons and justice system can generate a net profit, your government has a motivation to *increase* crime, particularly, to increase the number of intelligent, non-violent criminals.

Prisons don't actually have to create revenue to create a net profit, they only have to create jobs (for the employees, not the inmates.) Inmate labor is just gravy.

Re:The 'condemned' him?

[BluedemonX]

Fa' sheezy.

It's always amusing if you speak both languages to hear people find a similar word in their second language to their first which unfortunately has a completely different meaning.

Having worked for a French company for years, I don't even think about it anymore - I just mentally translate the cognates back and forth.

That's because he did not have a license

[dom1234]

As some linked texts say, it seams like he was accused because he did the work on a pirated/cracked version ; he did not buy the software.

Then I conclude it is more carful to buy the license before publishing security flaws, and then everything is ok. But a question arises : is it possible that a license states that the license holder is forbidden to publish security flaws about the software ? If so, then we are really stuck.

*Free software for finding a problem.

[SteveXE]

About a year or two ago I was checking for utility programs to install on my new PC, I came across a fairly known companys website i cant recall who it was or what the software was though. Anyways I went to the page where you can buy then download the software. I clicked the submit link without filling in any billing info...in fact i left every field blank. 10 seconds after hitting submit the software started to download. So, like any GOOD netizen would do i found the contact email address and promptly notified them of this potentialy buisness killing flaw in their software, 3 days later it was fixed, 2 weeks later I got an email from the company thanking me for notifying them instead of exploting the silly hole and now they give me a copy of every program they make..now if only i could find that outlook backup file that contains who they were I would be all set.

Re:Just another reason to hate the French..

[winkydink]

The enemy of my enemy is my friend. Unlike the French who couldn't fucking care less who they sell shit to as long as it's at a profit.

Re:Judicial Insanity, Not just for Americans anymo

[cpt+kangarooski]

And what makes the 9th Cir. stand out?

Re:WOW!

[gedeco]

In this case the French governement is only capable of stopping exploits being published in France.

Never admit you've find a exploit by reverse engineering. You'll found it by coïncidence.
Make someone else publish it in some other country.

Actually what's the difference between this and consumer testing toothpaste? They publish also the bad results?

Re:Just another reason to hate the French..

[meburke]

It's not worthwhile to hate the French. They are like most countries, mindless peasants disinterestedly moving at the whim of the 3% that actually make things work. Occasionally they respond vociferously but impotently to the stimulus provided by the popular pubs and the glass tit. They are simply people with delusions of superiority, just like most of the nationalists in the world, but they are not directly responsible for the actions of the ruling government and it's bureaucracies. In fact, when you get right down to it, the French populace probaly shares many of the same values that we do.

Government is a system. People buy into the system even when it produces deleterious results. You would think that we computer geeks are eminently capable of analyzing the system and showing the harmful effects, but this would probably not change anything because the system is supported by blind emotion rather than clear reason.

IMO, there is too much French government in French Sciences and Research, and not enough free thought, but then, I'm grateful I don't have to operate in France.

French courts vs. the internet

[Guillermito]

Is it me, or everytime a french court's ruling regarding the internet or some 'your rights online' related thing is mentioned in slashdot the verdict is: "French judges just don't get it". ... and before you ask, no, it's just a coincidence, I'm not related to the 'Guillermito' mentioned in the article.

Wrong...

Guillame Tena was condemned because he worked on an illegal copy of the Viguard anti-virus software of Tegam. This news was a bit too quickly published... arg! Slashdot is more and more like a tabloid newspaper... sad.

A small correction.

[jd]

George Bush is single-handedly IRresponsible WITH the US GNP.

Erm..

[t_allardyce]

So France is just coming into line with the US then?

Maybe it would be more productive to look

[MikeB90]

at http://www.viguard.com/en/news_view.php?num=88 which is viguard's side of the story. They quote a ZDNET story where Guilermito is a virus writer and then go step by step to reply to his accusations

Maybee Viguard is used by the parliament?

[northwind]

Great verdict. Goes to show that the reason why so many politicians like little children is because they want to be like them when they grow up.

Remember that a judge only administers the law - he doesn't make them.

Maginot II?

[ka9dgx]

Of course, the country that gave rise to the Maginot Line is going to want to legislate away anyone who suggests software might be insecure because there are ways around it.

History doesn't repeat itself, but it sure does rhyme.

--Mike--

Don't mod the parent down.

[Sam+H]

I suggest you read this article, too, in order to get a better understanding of what the decision really means.

Re:Don't mod the parent down.

[MyLongNickName]

Sorry, but you suggested that the editor had not read the linked story. The linked story says that, in fact, the French judged against him on the basis of his publishing a hack. Had you said that the article was incorrect, I woudn't suggest your being modded down.

I will, however, read the other article, as it is hard to believe that you can get busted for publishing an exploit like this.

Re:Don't mod the parent down.

[MyLongNickName]

Or at least I WOULD read it if I spoke French.

Bad publicity

[Autobahn]

From a marketing standpoint, they are making a horrible mistake. If they had done nothing, a few security professionals would have seen the exploit and not recommended their software. But now that they've sued over it, they have gotten a ton of free publicity advertising the following facts:

1. Their software has holes in it.
2. They don't want to fix it.
3. They don't want you to even know that the holes exist.

Now as a consumer, even if I don't understand the technical merits or implications, the message is that this company makes crappy software and is trying to cover it up.

Re:EDITORS SHOULD READ THE FUCKING ARTICLES

[vidarlo]

Actually you've just hit upon the reason the dupe problem is so bad on slashdot. Obviously, the editors have each unchecked the boxes of all the other editors.

Oh...Look! A blank front page

Re:I feel like feeding the troll...

Not to slap the French in the face, but before Vietnam, there was a little battle called Dien Bien Phuh... Don't quote me on the spelling, I don't care if its right...

The French allowed the Vietnamese to encircle them in a valley, and shoot mortar fire down into the camp, thus routing the French out of Vietnam before we ever got there...

At least we stuck around and fought them...

Re:The 'condemned' him?

[BluedemonX]

No, the best were the American tourists calling various phone numbers thinking "A louer" (to rent) was "A lover" and assuming it was part of the flesh trade.

That was the sound

[nurb432]

of more governmental censorship taking hold..

Re:Just another reason to hate the French..

[roard]

he came from the island of Corsica, which I believe was a French territory at the time.

You know, Corsica is still a french "territory" ? In fact it's just a french department like another.. (even if they have independentist, but frankly, the independentist movement in Corsica is more alike to mafia than anything at the moment.. and yes, part of my family is from Corsica).

I like my first ammendment

[Facekhan]

Our constitution enshrines free speech absolutely with very few exceptions for slander/libel/death threats/yelling fire in a theatre etc.

Although I think the standard of living in the US is headed into a death spiral resulting in what Warren Buffet calls a debt-peonage society, I don't really see myself moving to Europe or Canada because even when I am slave to my credit card company I will still be able to complain about it.

Back to binaries then?

[Alwin+Henseler]

> You decide which is more valuable: A company keeping their PR image spotless, or getting serious software bugs fixed.

>> How about, not going to jail for disclosing a bug! It's very valuable to me!

Oh well, you'll just have to go back to distributing exploits in binary form then. Leave it to manufacturers to reverse-engineer your exploit, to find out where the leak in their product is.

He used a pirated copy !!

[mehgul]

It says, right there, in TFA:

To the interpretation of the French account I referred to above, why Guillermito was probably convicted is that he used a pirated version of the Viguard anti-virus software for his research. It is questionable if the same outcome would be reached if a legimite version had been used.

Man, that is stupid !

Re:He used a pirated copy !!

[k98sven]

Exactly.

But TFA doesn't elaborate on that. Was he convicted only for pirating the program? Or for reverse-engineering it? Or for disseminating information aquired through those means? Or what?

And if they don't know, why are they already drawing these conclusions?

On one hand, you have a guy who might have been convicted of 'telling people about a security hole he found', which of course is awful, but also unlikely.

On the other hand, the guy might have been convicted for nothing more than a single count of software piracy, and is simply defending himself by hiding behind the guise of 'security research', something which I am not at all sympathetic to.

Re:He used a pirated copy !!

[mehgul]

By reading this document, one learns that the guy was convicted for counterfeiting ("Guillermito est déclaré coupable de contrefaçon"). He won't even have to pay the fine (-> deferred sentence). The judge showed a lot of comprehension towards Guillermito, indeed. However, the full reasons are not disclosed as the judgment is not published yet (the court is late). Apparently reverse-engineering is only allowed if you own a legal copy of the software. So he was convicted for reverse-engineering a piece of code he wasn't entitled to use.

Re:He used a pirated copy !!

[mehgul]

Är du Chalmerist (kemi), eller ??

Re:He used a pirated copy !!

[k98sven]

Nej, KTH. Och utexaminerad sedan ett par år. :)

Re:He used a pirated copy !!

[k98sven]

However, the full reasons are not disclosed as the judgment is not published yet (the court is late). Apparently reverse-engineering is only allowed if you own a legal copy of the software. So he was convicted for reverse-engineering a piece of code he wasn't entitled to use.

That is quite possible. Perhaps even likely.

OTOH, it does mean that the 'security research' argument doesn't quite hold; One must assume that real researchers will obtain their software through legal means.

Well, the guy is an idiot.

[MerlinTheWizard]

There's been another story in the past about some guy who had cracked the credit cards (those with chips), and made the vulnerabilities known. He got in serious trouble...

Publishing vulnerabilities in open source software is perfectly ok, but with closed source stuff: I don't think it is. You should give the vendor the opportunity to fix the flaws before everybody tries to take advantage of them. It's different from open source, because, well, open source is open! And this very fact usually leads to very quick fixes, whereas a software company may have some latency in solving the issues.

Meanwhile, by making what you found public, you not only affect the users: you affect the company itself. It's very different from open source.

A company's future (hence, all of the people living off of it) may be jeopardized here. This is some responsibility and that's why I think anyone finding vulnerabilities should warn the vendor first, in a discrete manner.

Making them public just shows that you want to be known as the guy who found them: it's kind of a cocky behavior - and well, it backfires.

Re:WOW!

[Buelldozer]

"Actually, the "Old Europe", as the present Administration like to talk about, are the European countries whose democratically elected Governments listened to the overwhelming majority public opinion."

While you are busy breaking your arm patting yourself on the back consider these two words:

Software Patents

Let Me Just Say...

[robocrop]

Since this sentiment is always echoed in reverse whenever our government does something stupid like this: "Thank God I live in America, where this kind of stuff doesn't happen."

I think there is more to the story...

[monkeySauce]

All these people are foaming at the mouth about some great injustice, when it's not even clear what is the situation. The original article is somebody's blog, which quotes and links to the website of the accused. I think there may be more to this story.

This article, for instance, paints a different picture: http://www.weblmi.com/sections/articles/2005/03/gu illaume_tena_cond/ (in French)

Allow me to provide a rough translation of one of the more interesting paragraphs: This judgement focuses not on the core issue, but rather on the methods "Guillermito" used to produce his findings, therefore the tribunal is punishing "Guillermito" for having used a pirated copy of Viguard Anti-Virus to discover it's vulnerabilities. Therefore the judgement seems not to question the right to publically criticise/publish exploits with supporting evidence, but rather that the exploit cannot be researched and discovered illegally [by using pirated software].

To re-analyze some of the analogies already put forth, should the courts go easy on someone who finds a problem with a particular brand of car that could cause it to explode; if they first stole the car and then studied it?

Re:EDITORS SHOULD READ THE FUCKING ARTICLES

[slicenglide]

You suck even larger balls for spelling enormous incorrectly. I would have also accepted Gi-normous, the unusual mating of Giant, and Enormous.

Because you don't want them to be liable.

[raehl]

Your analogy is bad. Software with vulnerabilities is not like gas with sugar in it. Software with vulnerabilities is like a gas tank without a lockable cap. It's a lot easier for someone who is malicious to harm your car if your gas tank doesn't have a lockable cap, just like it's a lot easier for someone to mess with your computer if your software is vulnerable.

But, the consumer doesn't want software without vulnerabilities. Well, sure, they want it, but they want it LESS than they want software they can actually afford to buy.

There simply, aside from a few critical applications, is not a market for software that is guaranteed to not be vulnerable. It is far preferable to most consumers to just accept that their software may not be perfect in exchange for a reasonable price.

Holding companies responsible for software flaws seems like a good idea, until you notice that nobody writes software anymore because too many software providers get sued into bankruptcy and/or the price for "software insurance" for software providers becomes so high that when passed onto the consumer the product is no longer affordable.

The market has spoken. The government should be loathe to act in opposition to the market.

Re:Because you don't want them to be liable.

[slaida1]

Problem lies in companies will to project an image of accountability, quality, security, etc. of their products and themselves.

Most software companies arent any more accountable than private OSS/free hobbyist software developers. Companies still act as if and that's what irks me about them. They won't pay for damages, they won't help without huge sums of money for their crappy services, they don't keep stuff stocked for years if something breaks (without huge sums of money, again), they will go out of business eg. disappear and cease to support their former customers in any way, they'll do something, try to sell it and after sale, try to dump any and all obligations.

In other words, they are just like private persons developing free software with the warning: "You use this software at your own risk, I'm not responsible for anything this software might cause. You have been warned." Companies just won't say that loud and clear, instead they bury these under massive legaleses/licenses/eulas/whatever. That sucks.

Tegam's response is totally devoid of facts

[Khashishi]

Tegam's response is totally devoid of facts.

A description of the alleged vulnerability and a demonstration of it's nonexistance would have gone far in my mind.

Other way round

[pjc50]

Certainly in the US, UK and other Common Law legal systems, law is made in the courts; rulings are precedents which must be followed. Statutes are statements about what the legislature wants the law to be. They seldom cover every possible situation in detail. So the law is made by the court which interprets the statutes in line with precedents and common sense.

Re:Where's the real info? Slandered by SlashDot

[elementary_penguin]

If anyone had RTFA at http://www.viguard.com/en/intro_en.php/ and gone to the bottom of the page to the link "TEGAM International against Guillermito" (Guillame Tena) They would have seen that Tena is not a computer expert he is a blogging biologist who for four years slandered and spread fud on Viguard on 15 discussion groups, Tena activly searched for questions about Viguard and presented false tests about the software (Viguard answers each of them in the article) Created a virus using copyrighted files (PCPASS) and now the court is handing him his ass. His blog is a complete lie about why he is in court, or that it had anything to do with reverse engineering or his rights. And no one at slashdot or zdnet even bothered to check with Viguard to see what the truth is. You've been had.

Ironically...

[Mysticalfruit]

That same day the French courts public website got cracked, by people using an unknown exploit...

Au Contraire

[serutan]

What planet do you guys live on? Just this week the US and France jointly demanded that Syria pull troops out of Lebanon. Bush himself said, "when the United States and France say withdraw, we mean complete withdrawal."

Doesn't sound to me like they're working at odds.

RTFA: He was nailed for using a pirated copy

[Raxanax]

Read The French Article... In a nutshell he mostly got nailed because he was using a pirated copy, so was not granted the right to observe, disassemble, etc.

Re:Just another reason to hate the French..

[mccoma]

Well, let's see, they provided weapons, military training and aid to the American Colonists in the Revolutionary War.
Well, if you want to get technical about it, that country (monarchy) doesn't exist anymore, there was this revolution and a new government replaced it. We did get a good land deal out of the new government.

They were one of the first modern countries to pick on the buzzword "Democracy" long before a bunch of colonists got pissed at their King's latest tax law.
Well, the French Revolution occurred after the American Revolution, so the US had a "democracy" (well, really a republic - but people seem to be using them interchangeably here) first. I would say the Greeks beat both countries, but they haven't had the same continuous government.

One little short frenchie with a bad attitude almost conquered the entire world, twice.
uh... nope..... others would have a better claim on that one.

I agree

[rjdohnert]

With this ruling. Its one thing to inform the public of a possible security flaw, but its another thing to publish code to take advantage of that exploit. My only hope is that the US follows in Frances footsteps on this issue.

There goes my career path...

[DarKry]

Publishing POC was always the final step in any exploit. First you contact the company. Then they stiff arm you. Then everyone using their software gets hacked. And finally you publish POC and they finally fix it. This won't last I am betting, just a clueless judge on a bad day.

Re:not surprising

[oskillator]

To whomever modded this a troll: I admit, I used the language of a troll, or to put it another way, I stated unpopular facts as I saw them without niceties.

If you disagree with my post, I'd appreciate if you would tell me which of the following statements you disagree with:
A) In France, police can search your hotel room without a warrant.
B) In France, you are guilty until proven innocent.
C) If A and B are true, then France is a police state.

If you plausibly refute any of these then I will concede the argument with apologies. I will warn you that C is close to axiomatic to me, and will be harder to refute in my view than simple data. Lest you think that this makes trying to refute C a waste of time, bear in mind that you may well convince other people reading the thread.

For extra credit, refute that having the phone number of a prostitute can get you in legal trouble in France.

Re:EDITORS SHOULD READ THE FUCKING ARTICLES

[Ohreally_factor]

You actually just made me guffaw, which I avoid due to it's awkwardness.

Wish I could mod you up.

Re:Just another reason to hate the French..

[domQ]

Very true, Mr. Hiigara, but those days are long gone and now France and its ideals are way down the toilet. Not that the US has been doing any better with its own legacy lately. But still.

They developed the most heavily armored and gunned tanks during the early German Blitz, one French Char B1-Bis held up an entire German Division for an entire day.

... And probably got kicked the bejeezus out of by some random Messerschmitt the following day, simply because we had no credible airborne forces whatsoever at the time. French military victories or lack thereof are not a fiction.
--
(Bitter? Who, me?)

Yes!

[Jugalator]

I, for one, think it's better that an exploit hackers may be using daily can not be revealed to the public!

:-P

Re:Just another reason to hate the French..

[BlueHands]

and yet another /.er shows that he doesnt know anything about "special friends"

Re:Just another reason to hate the French..

[BlueHands]

but they are FRENCH.

Error in the ./ post

[dolmen.fr]

Guillermito has not been condamned for publishing a security vulnerability.

He has been condamned for reversing a program for which he didn't have a licence, and for publishing code on which he didn't have rights.

Freedom of speech.

[jotaeleemeese]

France is a signatory of the European Convention on Human Rights, exposing vulnerabilities I am pretty sure is a matter of freedom of speech.

I hope this guy gets advised properly and appeals the ruling at the European level.

Re:I feel like feeding the troll...

[winkydink]

War of 1812 Spanish-American War

Re:I feel like feeding the troll...

[winkydink]

Let's see. Before the US entered the war, the Nazis had conquered all of Europe, save Great Britain. I would hardly call that an enemy on it's knees. At that time, the Nazia were in effect, fighting a 1-front war. Had that continued, it is doubtful the Russians would have prevailed (but it's a what-if... who knows). Also, who paid for rebuilding Europe after the war? Russia? France? The UK? Had the US turned their backs at that point, Europeans would all be calling each other comrade in their agrarian society.

Re:Just another reason to hate the French..

[CrimsonAvenger]

yes, he was french we he ruled. Otherwise, George Washington was the greatest british president.

You might consider reading a bit about the rise of nationalism and national identity. Generally, it takes more than a few years before a people accept a new "national identity".

For instance, are you aware that as of 1800, most Americans thought of themselves as citizens of their States? George Washington was a Virginian first, and an American second. And that relatively few Americans thought of themselves as "British"? After all, the vast majority of them, even in 1776, had been born in Virginia, or Pennsylvania, or one of the other colonies.

Napolean gallicized his name, in case you were interested - he wanted to appear more "French", which would have been unnecessary if Frenchmen of his time considered Corsicans to be really French (they were thought of in much the way many Americans today think of Puerto Ricans - not quite REAL Americans).

Also, for what it is worth, history is full of examples of Kings and such who were NOT, in fact, of the nationality they ruled - General Bernadotte , a Frenchman, was King of Sweden. Charlemagne, a Frank (they weren't French then - they had no sense of Style at all), was Emperor of Rome, as two obvious examples. William III of England was a Dutch Prince before he was King of England.

Wrong information, here is the truth

[FrenchNeal]

I'm french so I could read a report from the judgement of the court here :
http://maitre.eolas.free.fr/journal/index.php?2005 /03/08/87-guillermito-condamne-mais-tres-legeremen t
For the while, the only think he is convicted of is that he used a warez version of the antivirus software. He used it because in US he couldn't find the last version.
The judgement is : if in the 5 next years he uses a warez software, he would pay 5000 euros.
The April 12th, there will be a civil responsability judgement to determine what he must pay to TEGAM (the maximum will be 900 000 euros!).

Only in France

[Wytil]

I understand Academie Francie is going to pass a ruling making PI = 3.0. Wonder if the French courts will uphold that. At the same time is it going to become illegal in France to publish 'problems' with Windows XP, after all that will be trashing Microsoft's feelings.