Publishing Exploit Code Ruled Illegal In France
Dexter writes "A French Court has condemned the security researcher Guillaume Tena for publishing a security vulnerability in the Viguard anti-virus software of Tegam. This ruling makes the publication of security vulnerabilities and their proof of concept through reverse engineering illegal in France."
What good is it to publish software vulnerability, especially on closed source products?
If one really wants to help, isn't it better to inform the software maker? If the latter couldn't care less, maybe one shouldn't care more?
However, as the friendly article pointed out, the fine was for a copyright infringement charge, so it looks like you can still publish a vulnerability as long as it is subtle enough.
Rock that crushes, Paper & Scissors that don't matter.
What about Tegam? They published the exploit in every copy of Viguard. While telling everyone it would protect them. Why aren't they guilty? What kind of crappy lawyer lets their client get punished for telling the truth about dangerous products?
--
make install -not war
I'm sure just to spite France President Bush will make it mandatory for all programmers to post exploits.
Oh, let's make it illegal to find problems in software; then if they can't be found they can't exist, right?
IF instr(HEADLINE, "FRANCE") > 0 THEN
PONDER_FRENCH_MATTERING
LAUGH("FRANCE")
ELSE
READ_ARTICLE
END IF
It's VB (SCREW YOU FOR JUDGING ME!)
You may notice the article has no details.
I did a Google News Search and found this one which is much better.
Also, the guys own website.
Hope this helps.
- Jax
I don't know, but I hear these guys already did a search on Google to find out:
http://www.albinoblacksheep.com/text/victories.html
Bill Clinton: Pimp we can believe in. - The Shirt!!!
The condemned seems to think differently.
Let's hear it for the Virgin Islands and the Bahamas! No software patents there. No export restrictions. True freedom of speech.
If life beats me, I'll endure it; if life beats me, I'll wise up.
"That the fine is suspended means that Guillermito will have to pay up if he continues to publish about the vulnerability and other software vulnerabilities. As a result he has taken the Tegam publication, and a dozen others, from his website."
WOW, you are a retard to miss that.
The part you mentioned was in regards to DIFFERENT legal proceedings.
Good lord, you suck enormous balls for missing that stuff.
It's simultaneously comforting and terrifying to see that stupid rulings by stupid judges aren't confined to the USA.
At least I'll feel better about it the next time the 9th Circuit Court of Appeals makes an insane decision.
LK
"Hi. This is my friend, Jack Shit, and you don't know him." - Lord Kano
Well, let's see, they provided weapons, military training and aid to the American Colonists in the Revolutionary War. They developed the most heavily armored and gunned tanks during the early German Blitz, one French Char B1-Bis held up an entire German Division for an entire day. One little short frenchie with a bad attitude almost conquered the entire world, twice.
:))
They've developed nuclear weapons, were one of the original founders of the European Union, whose Euro continues to dominate the American Dollar. They were one of the first modern countries to pick up on the buzzword "Democracy" long before a bunch of colonists got pissed at their King's latest tax law.
Oh, did I mention numerous American, Australian and British courts have upheld the same reverse engineering proof of concept rulings?
You Sir, are an uneducated bigot.
(Note: I am not anti-American, I'm just hitting him where it hurts.)
Yeah, and timothy seems to be especially biased. So, folks! Let's remove timothy from our front page. (look under authors, and remove the mark in front of the one you don't like...)
Assembling etherkillers for fun and profit
I did read the article and the link in it to a previous article. The previous article stated that his exploit code was judged to be an illegal copy of Teagam's (or whatever their name is) code. I'm not sure exactly where you are getting the idea that his antivirus copy was not legitimate, but this conclusion does not seem to be supported by the articles.
There are top notch security experts in France, specifically the folks at K-Otik http://www.k-otik.com/
I'm a security consultant and I look to these folks as a source of reputable information. I spent a LOT of time on their site when Microsoft was trying to deal with the fallout of the MS03-026 vulnerability which begat the MSBlaster worm. I even got the source code for Blaster from the K-Otik crew.
This is going to have huge ramifications if it is interpreted as described here.
Good security is based upon reality and common sense. Common sense is a function of having common knowledge.
Richard Stallman has written a text about a future scenario where owning debuggers is forbidden. It's recommended reading, and at least has shown me why we have to fight for our rights! The Right To Read also carries an informational part, which is non-fictional and highly interesting reading. Both parts are here
Assembling etherkillers for fun and profit
There used to be a great geocities-like free web space provider called altern.org.
I say geocities-like so you get the picture, but it was nothing like geocities. No nonsense interface -- all text, no pictures, no ads --, great webmail interface -- again, all text, no pictures, no ads. It was also the first (maybe the last, I just got my own paid hosting when it got ultracheap -- it wasn't, in the day) free web space provider to support PHP.
Yes, PHP. In the days where extensions were .phtml. I actually only began mucking around with PHP and server-side scripting because altern.org offered it. I still cook up some solutions with PHP and MySQL -- something that'd never have happened without mr. Valentin Lacambre's Flying Circus.
Apparently, the whole thing was run by a techno-anarchist who prophesied that in the future technology would make working unnecessary yadda yadda yadda. A sort of techno-optimist Guy Debord.
One day, one of altern.org's free websites had a parody of a France Telecom logo. Tartalacrem, if I'm not wrong. Legal hell ensued.
Not only was it not covered under any kind of fair use provisions, but France Telecom sued VALENTIN LACAMBRE, THE GUY WHO RAN THE FREE SERVICE.
Courts rejected his defense of not being responsible for everything hosted on his server, as anyone could anonymously host content. Mr. Lacambre was forced to pay up fines and was told he was still responsible for anything held on altern.org.
So altern.org was taken down. That's France, folks.
A cognate. "Condamné" means convicted/punished in French, it doesn't have the same connotation in English.
--- Jump!! Fire!! Bullet time!! - Lego version of the Matrix
What kind of crappy lawyer lets their client get punished for telling the truth about dangerous products?
Hutz: Thank you, Dr. Hibbert. I rest my case.
Judge: You rest your case?
Hutz: What? Oh no, I thought that was just a figure of speech. CASE CLOSED.
just as a side-note: it is possible to publish a description of a vulnerability/weakness without publishing example code that exploits said weakness. Thus, even if providing exploit code is illegal, we can still put pressure on a company to fix a security hole by publicizing an explanation of a security vulnerability.
(Admittedly, this description could probably be turned into code very quickly by any hacker, but that's not the point.)
In any case, the article in question is about copyright violation, not making exploit-publication illegal.
Sorry, but the source here is a Blog post, which in turn refers to the convicted guy's home page.
Nowhere does it say what, exactly the guy was convicted of, or why. So how are we possibly supposed to be able to react to this?
I have a hard time accepting statements like:
This ruling can cripple the security research in France, making it illegal to publish security vulnerabilities or the proof thereof by reverse engineering. Without being able to tamper with software, the actual studying and consequent publication of vulnerabilities is made impossible.
Without seeing the judgement or at least a description of it from a neutral source.
Reverse engineering is legal in Europe, and is a protected right under European law. (91/250/EEC, article 6.)
I have a strong feeling the whole story is not being given here.
Please, read the articles before commenting. As usual on Slashdot, the news is misleading: he was not condemned for releasing exploit code, but simply for software piracy (the antivirus copy he had used was not legitimate).
After reading the article I see no information there about software piracy.
Following the links I did find some interesting tidbits that would indicate the company in question is less than honorable:
A factual issue, not part of the trial but seemingly of Tegam's scare tactics, is that Guillermito was accused publicly by the software company of being a "terrorist wanted by the DST (French secret service) and the FBI". This has not led him to become a recluse in fear, but he is hardly optimistic of the outcome, scheduled for March this year...
It seems he was being prosecuted for violating a European Directive which prohibits tampering with copyright protection measures. Ergo, that this researcher had to bypass copyright-protection measures to find the flaws in their product.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
In this case an appeal to the European Court on grounds of effective suppression of fair comment sounds as though it might just be possible if funds were somehow made available. It seems on the face of it obvious that the real reason for the case was a corporation trying to prevent any adverse publicity and using its superior economic power to get the decision it wanted, but it will need expensive experienced judges to point out what seems obvious to the majority of people.
Panurge has posted for the last time. Thanks for the positive moderations.
It has always annoyed me when people say a ruling makes something illegal. Rulings don't make something illegal. Laws make things illegal. Rulings just enforce those laws. So either it was already illegal in the law or the court overstepped its bounds. Happens all the time here in the States. The courts say something is illegal and we just blithely go on about our business, never once questioning whether they have the right to create law or not.
If you see spelling or grammatical errors don't blame me. I tried to preview but IE here at work borked the CSS
It would be nice if somebody could point to the detailed condemnation and the motivations.
For all I've been able to (quickly) find, he has been condemned for intellectual property, namely counterfeiting.
One possibility is that it's because he has published source code, which looks strange because it would probably be fair use (short citation for education).
But it's probably because he pirated Tegam's software and didn't buy it.
You can also read on this lawyer blog that
"This decision should not be interpreted as a condemnation of (EDIT: full disclosure), in my view: the same thing done on a lawful program would probably not fall foul of the law."
So it is NOT condemning full disclosure, and such publication made on legally obtained software wouldn't be sanctioned.
At the moment, it really looks like some people are screaming as loud as possible about that, but until the details are known that's just PR operations from Guillermito and the others.
#include "coucou.h"
only the outlaws will have exploit knowledge. (to paraphrase a wingnut bumper-sticker)
A vulnerability has been found in France's new legislation regarding publication of exploits.
The legislation has a loophole that allows people to give such info to 3rd parties outside France so they can publish such exploit.
The government's illegality detection can be easily bypassed with an SSL connection, provided one does not disclose his identity.
Proof of concept
Yes, the French continue to be well-known for always willing to make a profit, regardless of consequences.
One little short frenchie with a bad attitude almost conquered the entire world, twice.
Europe != World
developed the most heavily armored and gunned tanks during the early German Blitz, one French Char B1-Bis held up an entire German Division for an entire day.
Sadly, it appears that the next day, they surrendered. We'll skip over the Marshall Plan at the end of said war while we're at it.
They've developed nuclear weapons
First? Second? Third world countries have developed nuclear weapons. BFD.
Euro continues to dominate the American Dollar
You might want to look back a little further in historical performance of USD vs EUR.
They were one of the first modern countries to pick on the buzzword "Democracy" long before a bunch of colonists got pissed at their King's latest tax law.
Hmm Declaration of Independence: 1776. French Revolution: 1789.
You Sir, are an uneducated bigot
Glass houses.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Tegam refutes his claims...
and
Tegam is adamant that Tena's claims are false and his motives are questionable.
BTW, was it already illegal in France to do what he did? If so, then the people should get the laws changed, not trash the judges and judicial system for doing their jobs by upholding them...
Just reclassify what you would have called an "exploit" as a "hidden feature".
As in,
"Hey there's a great new hidden feature I found in Internet Explorer for people who need to get remote root access their own systems:
Just load up this javascript + assembly code in a page in the browser, and Internet Explorer will automatically generate a stack overflow, so you can execute the assembly code! What a great new hidden feature I've found."
$8.95/mo web hosting
One little short frenchie with a bad attitude almost conquered the entire world, twice.
Actually, Napoleon wasn't really French: he came from the island of Corsica, which I believe was a French territory at the time. Part of his bad attitude, IIRC, was that he wasn't accepted by his French peers while he was in school.
I found this one quite interesting: http://www.viguard.com/en/news_view.php?num=88
Have no idea about the truth, though.
Just look at the recent ruling where the Supreme Court overturned execution of minors. Did the written law change? No! In the argument the majority argued that world opinion and decency standards had changed.
Help fight continental drift.
Let's say you are a mechanic, and you find a problem with a particular brand of car that could cause it to explode when, say, it was hit from behind.
Let's say you tell the automotive manufacturer about it, and he claims that your research was flawed and there was no problem, or he just says "ok we'll look at it" and does nothing for four years.
Let's say that, after those four years, you start reading stories of people dying "mysteriously" in explosions during crashes in those cars. You tell the vendor again, but again they deny that their problem is causing the deaths, and they even deny that you contacted them about the problem four years before.
Do you continue to keep quiet, and let people die because telling the public about the problem would be "unprofessional"?
Would you have told the public after giving the manufacturer a month to find a fix, so everyone would know about the problem and could participate in the recall?
Would you have told the public as soon as you found the problem, so people could choose to not use the car while a fix was being designed?
What do YOU think is the professional thing to do?
It doesn't hurt to be nice.
As some linked texts say, it seems like he was accused because he did the work on a pirated/cracked version; he did not buy the software.
Then I conclude it is more careful to buy the license before publishing security flaws, and then everything is ok. But a question arises: is it possible that a license states that the license holder is forbidden to publish security flaws about the software? If so, then we are really stuck.
At http://www.viguard.com/en/news_view.php?num=88, which is Viguard's side of the story. They quote a ZDNET story where Guillermito is a virus writer and then go step by step to reply to his accusations.
History doesn't repeat itself, but it sure does rhyme.
--Mike--
From a marketing standpoint, they are making a horrible mistake. If they had done nothing, a few security professionals would have seen the exploit and not recommended their software. But now that they've sued over it, they have gotten a ton of free publicity advertising the following facts:
1. Their software has holes in it.
2. They don't want to fix it.
3. They don't want you to even know that the holes exist.
Now as a consumer, even if I don't understand the technical merits or implications, the message is that this company makes crappy software and is trying to cover it up.
There is a law in Australia that makes it illegal to commit or attempt suicide. Promoting or inciting suicide is illegal too, hence the fines. Besides it's easier to go after the promoters than after the suicidees.
"Actually, the "Old Europe", as the present Administration like to talk about, are the European countries whose democratically elected Governments listened to the overwhelming majority public opinion."
While you are busy breaking your arm patting yourself on the back consider these two words:
Software Patents
All these people are foaming at the mouth about some great injustice, when it's not even clear what is the situation. The original article is somebody's blog, which quotes and links to the website of the accused. I think there may be more to this story.
This article, for instance, paints a different picture: http://www.weblmi.com/sections/articles/2005/03/guillaume_tena_cond/ (in French)
Allow me to provide a rough translation of one of the more interesting paragraphs: This judgement focuses not on the core issue, but rather on the methods "Guillermito" used to produce his findings; therefore the tribunal is punishing "Guillermito" for having used a pirated copy of Viguard Anti-Virus to discover its vulnerabilities. Therefore the judgement seems not to question the right to publicly criticise/publish exploits with supporting evidence, but rather states that the exploit cannot be researched and discovered illegally [by using pirated software].
To re-analyze some of the analogies already put forth, should the courts go easy on someone who finds a problem with a particular brand of car that could cause it to explode, if they first stole the car and then studied it?
The US have it so good. This only proves that Americans who are hyping the European institutions are totally clueless about Europe.
You shouldn't take the 1st Amendment as granted.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
What planet do you guys live on? Just this week the US and France jointly demanded that Syria pull troops out of Lebanon. Bush himself said, "when the United States and France say withdraw, we mean complete withdrawal."
Doesn't sound to me like they're working at odds.