Publishing Exploit Code Ruled Illegal In France

← Back to Stories (view on slashdot.org)

Publishing Exploit Code Ruled Illegal In France

Posted by timothy on Wednesday March 9, 2005 @08:17AM from the trying-to-think-with-cervelles-braisees dept.

Dexter writes "A French Court has condemned the security researcher Guillame Tena for publishing a security vulnerability in the Viguard anti-virus software of Tegam. This ruling makes the publication of security vulnerabilities and their proof of concept through reverse engneering illegal in France."

12 of 362 comments (clear)

French Court: "Surrender Now" by fembots · 2005-03-09 08:18 · Score: 5, Informative

What good is it to publish software vulnerability, especially on closed source products?

If one really wants to help, isn't it better to inform the software maker? If the latter couldn't care less, maybe one shouldn't care more?

However, as the friendly article pointed out, the fine was for a copyright infringement charge, so it looks like you can still publish a vulnerability as long as it is subtle enough.

--
Rock that crushes, Paper & Scissors that don't matter.
1. Re:French Court: "Surrender Now" by crazyeddie740 · 2005-03-09 08:24 · Score: 5, Insightful
  
  I think the general rule of thumb is to inform the software publisher first, and then go public after they've had a chance to fix it. Going public forces the publisher to fix the problem if it hasn't already, and it let's the public know that there's a problem and they should do an update. (Or if the publisher still hasn't fixed the problem, switch to a different program.) According to the article the article links to, the copyright infringement charge is somewhat similar to the anti-DeCSS application of the DMCA. The researcher, AFAICT, is being sued because he *reversed engineered* the program, which is a traditionally accepted practice.
2. Re:French Court: "Surrender Now" by John+Fulmer · 2005-03-09 08:25 · Score: 5, Informative
  
  The 'good' is that it keeps closed source vendors honest.
  
  The 'full disclosure' idea came about because of the frustration of sysadmins finding security holes, and not being able to get the vendor to take it seriously.
  
  Good 'full disclosure' first notifies the vendor, and then if within a reasonable time the vendor takes no action or there is no response you disclose to something like BugTraq.
  
  It's been the reason that Microsoft and other vendors take such bugs VERY seriously. But they would be more than happy if it all just went away, or was criminialized.
  
  You decide which is more valuable: A company keeping their PR image spotless, or getting serious software bugs fixed.
3. Re:French Court: "Surrender Now" by nurd68 · 2005-03-09 08:29 · Score: 5, Informative
  
  Actually, if memory serves, MS *does* control these situations. If you are a Microsoft Partner (I don't know at which level this restriction starts, but I think it's just about any partner), then you are required to disclose the vulnerability to Microsoft, and cannot disclose it publically until Microsoft allows you to. Failure to adhere to this results in a loss of your favored status.
4. Re:French Court: "Surrender Now" by lukewarmfusion · 2005-03-09 08:33 · Score: 5, Interesting
  
  If a company doesn't fix a problem that's brought to their attention, published or not, they could be found negligent for damages as a result of that security hole.
  
  Can you really make a secure system? Open source or closed, there are going to be security risks. So what happens if the security hole would be so expensive to fix that you simply couldn't afford to address it? Keeping it quiet, while not always effective or preferred, is still security (through obscurity).
  
  I discover security holes in web applications all the time. My protocol is to stop once I've proven it's possible to compromise, notify the company of the issue, the implications of the hole, and ways to go about fixing it. I always include a link to my company's website, but I never threaten to publish it or do anything that might be construed as extortion. I've never been accused to wrongdoing, I usually get a big thank you, and sometimes it lands me a meeting - which is where they become clients.
  
  People generally appreciate a helpful tip, whether it's a "you have a word spelled wrong on your site" or "you have a SQL Injection vulnerability on your site." Just don't be an ass about it.
5. Re:French Court: "Surrender Now" by maotx · 2005-03-09 08:37 · Score: 5, Insightful
  
  Lets say I discover exploit in Foo that allows me to have complete control of your computer. Foo is a very popular program used in homes to enterprises. Now lets say I send my exploit to Foo Company Inc. to have them patch it to prevent this horrible exploit from being..well..exploited. Foo sends you a "to-be-done" acknowledgement and thats the last you ever hear from them. Three service packs later and your exploit still works without a problem.
  If you discovered this exploit then so can someone else. This someone else could then use this exploit to their every desire (Think beyond viruses, i.e. blackmail, stock market, etc.)
  What do you do?
  
  Nag the company to fix it?
  Tell everyone how horrible the company is without proof?
  Release your exploit into the wild to pressure the company in patching it and giving them motivation to pay more attention to security?
  
  Most exploits that are released typically occur after the vendor has been notified.
  
  --
  I'm a virgo and on Slashdot. Coincidence? Yes.
6. Re:French Court: "Surrender Now" by Ohreally_factor · 2005-03-09 08:47 · Score: 5, Insightful
  
  If a company doesn't fix a problem that's brought to their attention, published or not, they could be found negligent for damages as a result of that security hole.
  
  Read any good EULAs lately?
  
  --
  It's not offtopic, dumbass. It's orthogonal.
7. Re:French Court: "Surrender Now" by nurd68 · 2005-03-09 09:23 · Score: 5, Insightful
  
  Since folks moderated this so highly, here's more info:
  
  http://www.windowsitpro.com/Article/ArticleID/24 80 6/24806.html
  
  It's one of the conditions of being a "Gold Level" partner.
  
  Of course, this makes one realize how nonsensical the "window of vulnerability" arguments comparing Windows vs. Linux security are. For those of you who don't know, these arguments compare how much time time from announcement of a vulnerability to the time that the patch comes out. The F/OSS community is big into full disclosure, and the MS community isn't, so, the MS Window of vunlerability is almost always smaller, hence leading to claims that it's more secure. That is, until someone finds a bug that's been swept under the rug for a couple years and uses it to make the next Nimda.
Contrary by Ghetto_D · 2005-03-09 08:20 · Score: 5, Funny

I'm sure just to spite France President Bush will make it mandatory for all programmers to post exploits.
Re:Just another reason to hate the French.. by Hiigara · 2005-03-09 08:29 · Score: 5, Interesting

Well, let's see, they provided weapons, military training and aid to the American Colonists in the Revolutionary War. They developed the most heavily armored and gunned tanks during the early German Blitz, one French Char B1-Bis held up an entire German Division for an entire day. One little short frenchie with a bad attitude almost conquered the entire world, twice.

They've developed nuclear weapons, were one of the original founders of the European Union, who's Euro continues to dominate the American Dollar. They were one of the first modern countries to pick on the buzzword "Democracy" long before a bunch of colonists got pissed at their King's latest tax law.

Oh, did I mention numerous American, Australian and British courts have upheld the same reverse engineering proof of concept rulings?

You Sir, are an uneducated bigot.

(Note: I am not anti-American, I'm just hitting him where it hurts. :))
Debugger forbidden... by vidarlo · 2005-03-09 08:33 · Score: 5, Insightful

Richard Stallmann has written a text about a future scenario, where owning debuggers is forbidden. It's recomended reading, and at least has showed me why we have to fight for our rights! The Right To Read also carries a informational part, which is non-ficitional, and highly interesting reading. Both parts is here

--
Assembling etherkillers for fun an profit
France is stupid (-1 Flamebait) by Knights+who+say+'INT · 2005-03-09 08:35 · Score: 5, Interesting

There used to be a great geocities-like free web space provider called altern.org.

I say geocities-like so you get the picture, but it was nothing like geocities. No nonsense interface -- all text, no pictures, no ads --, great webmail interface -- again, all text, no pictures, no ads. It was also the first (maybe the last, I just got my own paid hosting when it got ultracheap -- it wasn't, in the day) free web space provider to support PHP.

Yes, PHP. In the days where extensions were .phtml. I actually only began mucking around with PHP and server-side scripting because altern.org offered it. I still cook up some solutions with PHP and MySQL -- something that'd never have happened without mr. Valentin Lacambre's Flying Circus.

Apparently, the whole thing was ran by a techno-anarchist who prophecized in the future technology would make working unnecessary yadda yadda yadda. A sort of techno-optimist Guy Debord.

One day, one of altern.org's free websites had a parody of a France Telecom logo. Tartalacrem, if I'm not wrong. Legal hell ensued.

Not only it wasn't covered under any kind of fair use provisions, but France Telecom sued VALENTIN LACAMBRE, THE GUY WHO RAN THE FREE SERVICE.

Courts rejected his defense of not being responsible for everything hosted in his server as anyone could anonymously host content. Mr. Lacambre was forced to pay up fines and was told he was still responsible for anything held in altern.org.

So altern.org was taken down. That's France, folks.