Hacker Indicted In France For Publishing Exploits

Guillermito writes "Hello. I'm a French scientist living in Boston. I analyse small security softwares under Windows as a hobby, for fun and curiosity. For example, I showed how to easily extract hidden information from a dozen of steganography softwares, often commercial programs claiming a very high security level. I did the same with a french generic anti-virus, showing several security flaws, and that it didn't stop '100% of known and unknown viruses' as claimed. First the company called me a 'terrorist,' than sued me. I've just been indicted last week in Paris. It seems that it's a general trend in France, and maybe in Europe, these days."

Stops 100% of unknown viruses?

[RubiCon]

Umm, you can't do that - I think I first saw the relevant paradox in Ralf Burger's book on viruses and it goes something like this: Say you've got some blackbox routine called is_a_virus() that does just what these guys claim; all you do is build it into a virus like so:

if ( is_a_virus(me) ) { do_nothing() } else { replicate() }

So, if you're a virus, you're not a virus - but if you're not, you are. Reductio ad absurdum, anyone?

contact the eff

[gmr2048]

dunno if they can help with french courts, but it's prolly worth it to at least bring it to thier attention:

www.eff.org [eff.org]

-gary

France is Stupid

[Omega037]

I know a guy who for his senior thesis worked with a group of people and hacked a company's network. At the end of the semester, they gave the company a 42 page document stating all the problems and exploits the company had.
He got an A for the class and a job offer from the company. Granted, he already had better offers, but it is a good example of how it should be.

Re:Stops 100% of unknown viruses?

[HeghmoH]

This is nicely covered by Rice's Theorem [wikipedia.org]. In short, Rice's Theorem says that it's impossible to write a program to determine with 100% accuracy any property of another program's behavior or output.

Rice's Theorem is basically a generalized version of Turing's proof that the halting problem can't be solved, and it uses exactly the argument you outline.

Re:How can *this* be illegal ?

[Anonymous Coward]

Yes (at least if you publish the info). Consumer Reports has been sued for demonstrating flaws in products .

Re:Who was it that said...

[MarkusH]

That would be Voltaire.

Another good quote: "There are some acts of justice which corrupt those who perform them." - Joubert

Copyright infrigement

[aepervius]

Plese note that he has been accused of copyright infrigement. He seems to have reverse engineered and copied/used part of the intern code of the programs. Whether we like it or not DMCA like law forbid it except in a few case (interroperability and maybe for academia). Since he did not publish it for academia, and he did not contact first the company, they can fall on him and he has big probability of being judged guilty.

The law might be broken in that case (as we all know for DMCA like laws) but nonetheless the company has a case...

Re:French First Ammendment?

[aat]

Here is the English translation of the constitution of Fifth Republic, France's current constitution, written in 1958. Last time I looked at it, I couldn't find any free speech clause. (Some of France's earlier constitutions had such clauses though).

French constitution [assemblee-nat.fr]

Or maybe the Declaration of the Rights of Man [sar.org], which does have a free speech clause, and is a principle as mentioned in the Preamble to the French Constitution, has legal binding. I don't know.

You should also note that France heavily restricted the use (not just the export) of crypto for a long time, (except possibly if you deposited your keys with the government), so I really doubt their commitment to computer freedom per se.

Re:Enshrined protection of whatever

[bugnuts]

Free speech on security vulnerabilities is protected, you just can't be distributing code to bypass copy protection.

It's not just copy protection, but encryption schemes, which you can easily claim steganography is, since it shares many qualities. Remember that Adobe used the DMCA to prosecute someone for "breaking" their ROT13 encryption. And IIRC, 2600 lost their appeal for publishing links.

This law is being cited to enable all sorts of abuses by corporations that have roomfuls of attorneys, and has been used to leverage threats to a researcher from disclosing weaknesses at a convention. It was initially cited to threaten the guy that disclosed the "shift-key" exploit on CD protection. No sane researcher would rule it out in the USA -- you still would have to answer to it being abused.

Re:And I thought the DMCA was bad ...

[Darby]

A lot of the recent France bashing is due to this, but that is hardly the only reason.

I personally do not like the French in general because both my father and step-father were in the Air Force in Vietnam.

That should be enough info for some of you out there, but for those who don't know:

Some Air Force personnel were shot down over North Vietnam and managed to get themselves safely to the French embassy thinking that since we were allies and we were fighting a war they had started in the first place that they would be smuggled back to their unit.

Instead the French, hoping to get in good for the after war profiteering, turned them over to the North Vietnamese who proceeded to torture and murder them.

That is one reason people (in general, not just Americans) hate the French.

Re:Good luck!

[gilesjuk]

The problem is such exploits are published and not referred to the companies in question for them to fix these faults.

By publishing exploits you are on one hand helping consumers choose their security software wisely, but on the other hand you are providing hackers will methods to penetrate systems.

Re:And I thought the DMCA was bad ...

[Deflagro]

Propaganda, that's the real enemy. Here in the US, Europe is seen as ignorant loaners who don't want to help anyone take over the world. I'm not a big fan of the french attitude, and I am french (Canadian). I just hate to see people blindly spout vulgarities when most of them probably have never met a real frenchman. In my experience, they're annoying but fun at parties.

Re:Enshrined protection of whatever

[Anonymous Coward]

2600 won the right to link (the Ford case). They lost the appeal regarding their publication of the DeCSS source code.

Look on the bright side...from another french...

[da5idnetlimit.com]

1/ Call France 3, TF1 if you can.
TF1 certainly won't give a damn, but France 3 has a local news agency that is capable of nicely covering your story.

2/ Attack the company for "Publicite mensongere" (you Grammar Nazis translate for yourselfs, the guy is french...), bringing with you the proofs you digged out.

2bis/ Attack them for "tentative d'intimidation", and another one with Libel (atteinte a l'honneur)
The Libel one will only bring you 1Eu (the official price for honor)

3/ Include the Paris Chamber of Commerce, 60 millions de Consommateurs, and probably one or two IT Newspapers (01 Informatique, Le Monde Informatique), write to the Minister of Justice (Sarkozi is out of Interior, and he won't care anyhow)

60 Millions de Consommateur is very possibly the best first to call, as they are very touchy on such issues, and help people defend their case.

Just doing the counter attack on "Publicite mensongere" to the responsible organisation will be a frightening step for Tengram...

Also, publishing your discoveries on CERN and all others security sites (french and internationals) will be a de-facto victory.

Also, have the court ask for an independent expert to verify your findings... In France, there is a law against punishing people that just said the truth...

If you really want to be vicious, take a look on their webpage, check all their "reference customers" and have them see your papers and security holes...If one of their customers is a French Governemental Agency, they can be in for a very hard time... Lying to the French Administration, and putting their security under threat for innefiency can bring them under a lot more problems than you can think.
So, this is just the top of my head ideas, but I hope it will help you...

In such cases, the better defense is offense...

Bonne Chance, Courage, et ne te laisses pas faire !!!!

publishing vulnerabilities paper

[weld]

At a recent Yale conference, Digital Cops in a Virtual Environment [yale.edu], Jennifer Granick [granick.com] presented a paper, Computer Crimes and Intermediary Liability: The Case for Protecting Vulnerability Publications [yale.edu] on the legality of publishing vulnerability information.

Vulnerabilities in security products, especially those making outrageous claims, need to be exposed.

excerpt from NAI ePolicy Orchestrator Format String Vulnerability [atstake.com]

"When deploying new security products within the enterprise, organizations should understand the risks that new security solutions may introduce."

-weld

Re:French First Ammendment?

[lxdbxr]

Article 10 of the European Convention of Human Rights [coe.int] might apply, though (IANAL) I believe the wording is rather weaker than the US version (with my emphasis):

1. Everyone has the right to freedom of expression. this right shall include freedom to hold opinions and to receive and impart information an ideas without interference by public authority and regardless of frontiers. This article shall not prevent States from requiring the licensing of broadcasting, television or cinema enterprises.

2. The exercise of these freedoms, since it carries with it duties and responsibilities, may be subject to such formalities, conditions, restrictions or penalties as are prescribed by law and are necessary in a democratic society, in the interests of national security, territorial integrity or public safety, for the prevention of disorder or crime, for the protection of health or morals, for the protection of the reputation or the rights of others, for preventing the disclosure of information received in confidence, or for maintaining the authority and impartiality of the judiciary.

France is a signatory to the Convention though I have no idea how (or indeed if) it is implemented in French law directly.

Re:Even though I am not a lawyer,

[happyfrogcow]

Sure, but with the laws they've been comming up with lately, once he's arrested he might not be heard from again. I think it was a necessary move to make the situation publically known. Otherwise, all you see is a blurb on page 12 of the newspaper saying "French Hacker Arrested" and no one thinks anything about it.

Though, do seek professional counsel.

Re:My only question...

[SillyNickName4me]

Yeah, and surprise surprise, companies try to sue the publishers of such reports as well.. not that they win often but you can always try.

Re:How can *this* be illegal ?

[Anonymous Coward]

The suzuki lawsuit against Consumers Union is still going strong over 10 years after the article critical of the "Suzuki Sumersault" came out.

Don't forget that talk show host Oprah Winfrey was sued by cattle ranchers when she exposed how dangerous America's beef supply was. Fortunately, she could fight back, although she has been quoted as saying it was the biggest hardship she ever had to endure (and she's a billionaire!).

Corporations are running the show in the USA, and are trying to create the same "investor friendly" environment elsewhere in the world. The results of new laws and such being passed are:

1) It becomes easier and easier for corporations to sue you for anything, no matter how nonsensical.
2) It becomes harder and harder for you to sue corporations for anything no matter how obvious their fault is.

your rights in cyberspace

[N3wsByt3]

Your rights may become even far less, if the EU gets away with it's latest round of internet-despotism.

Soon, scientists and others all over europe may become sued when exposing flaws or reverse-engineering stuff. I therefor urge everyone to react, and this is how:

*PLEASE HELP TO WIDESPREAD*

14-15 April 2004 : Brussels is the Hub to go

Conferences and LUG in Brussels European Parliament Chaired by Dany Cohn-Bendit MEP

http://plone.ffii.org/events/2004/bxl04

http://www.greens-efa.org/agenda

http://laurence.domainepublic.net

Most legal frame related to new technologies is cooked up at Brussels. To get a feet into European Parliament's door and show that you care right before the election. Its future Members will decide on the patentability of software, on data privacy issues, TPRM, and so on), join an install party within parliament (and bring your favourite MEP with you), attend a panel with eg Alan COX, Georg GREVE, Jon Lech JOHANSEN (of decss fame), participate in a guided tour through brussels (anti-swpats "demo"), meet LUGs and programming rights groups from all over the place, and some chaotic nerds of FFII. A Wiki DSL connection will be available.

On 14 April evening, there will be a diner/party at restaurant La Tentation, in the center of Brussels. http://plone.ffii.org/events/2004 (also to book you hotel).

Entrance is free however to access the building you have to register online before 7 April http://www.greens-efa.org/agenda

Contact : lvandewalle@europarl.eu.int

euroG/LUGparty

Brussels European Parliament room ASP 1G2

15 April 2004

The Greens in European parliament invite representatives of GNU/Linux Users Groups of the 25 Member States of the European Union to come to Brussels to

- enhance the networking among the free software community in Europe(in particular with the New Member states)

- prepare the second reading on the software patents directive

- show inside EP what free software is, how it works and what ideas lie behind

- participate to the FFII conference and demo against software patents on 14 April

Programme and registration on http://www.greens-efa.org

lvandewalle@europarl.eu.int

PROGRAMME

9.00-11.00 25 G/LUGs for a Free Europe

Gathering European GNU/Linux Users Groups and associations for the promotion of free software : BxLUG - Belgium, RWO - Plug - Poland, Vrijschrift - The Netherlands, LiLux - Luxemburg, FFS Software - Austria, APRIL - HNS-info.net - France, GUUG - Germany, SSLUG - Sweden&Denmark, LUGOS - Slovenia, Debian - Latvia, AKL - Lithuania, LugRoma - Italy, Grece, Cyprus, Finland, Estonia, ...

11.00-12.30 Linux Install Party for MEps with Monica Frassoni Dany Cohn-Bendit, Hiltrud Breyer, Bart Staes, ... organized by BxLug

15.00 PANEL I: FAIR USE/COPIE PRIVEE

Gwen Hinze(Electronic Fronteer Foundation), Laurence Lebersorg(Test-Achat Belgium), Jon Lech Johansen(DVD-Jon)

16.00 PANEL II: FREE/OPEN SOURCE SOFTWARE

Cristiano Paggetti(Italy): eGovernment,Andrea Glorioso (Italy) : Free Content, Herman Bruynickx(Belgium): Free software in education, Jens Muhlhaus(Germany): Public administration: Linux fur Munchen

17.00 PANEL III : FREE AS IN FREEDOM

Georg Greve, FSF Europe (Germany) Agenda 1910

17.30 Alan Cox www.linux.org.uk co-signatory of the letter sent by Linus Torvalds to the President of EP against software patents(UK)

Re:My only question...

[Anonymous Coward]

Do you realize that Consumer Reports has been defending itself against a lawsuit for about 10 years now. It is about a small SUV that they rated "Poor" because of it's tendency to roll-over. Well sales of that vehicle just died. So the manufacturer sued them.

Comsumer Reports will be *lucky* if they survive the financial costs for the never ending litigation.

Kill the lawyers first!

Re:Look on the bright side...from another french..

[valmont]

Bien vu tout ca!

Is "Arte [arte-tv.com]", channel 5 still around? I'd definitely give these guys a call. While their audience is prolly a small fraction of France 3's, they're usually an educated audience. They like doing documentaries, seek out truth and present things as they are. i couldn't find any direct contact information beside this mailing address:

ARTE G.E.I.E.

4, Quai du Chanoine Winterer
F-67080 Strasbourg Cedex

I'd do whois arte-tv.com and send an email to the contact info on there, you never know.

Bon courage vieux! Fous-leurs une grosse bite au cul de ma part, avec mes remerciments ;]

Bring Back Fully Informed Juries!

[spun]

See the American Jury Institue/FIJA [fija.org] page for more info. We need juries that also decide whether the laws are valid, not just whether they were broken. That is the whole reason we have juries and not 'Star Chambers.'

Re:Look on the bright side...from another french..

[Anonymous Coward]

The first comment recommended hiding from his accusers instead of fighting them. Specifically hiding in the USA or Canada. The second post agreed, and bemoaned the sad state that France is in these days, and how much nicer of a place to live the USA is.

Re:Hmm

[vrt3]

My council (advice):
- Marry to an American (woman, -in postfix like in German?)

Correct.

- Pretend you're a citizen of the US

I think: Get the US nationality.

- Never return to France again

Correct

Though I have no clue what the last one means, apart from mentioning "with a Canadian". Any better translators than me? :) And why the US? With the DMCA, isn't that going from the frying pan into the fire?

"Or the same thing with a Canadian, if you like the snow."

Translation

[SeanDuggan]

I haven't spoken French since High School, but I think this is doable:
My advice:
- Marry an American girl.
- Acquire a US citizenship.
- Never return to France

Or do the same thing with a Canadian girl if you like snow.

No other side

[greppling]

Unless he is lying extremely grossly (about which we would have gotten to know about it by now), I really cannot see how there can be a "other side" that is worth hearing.

I read his originial analysis (in french) of this antivirus software which, according to him, prompted the charges of "counterfeiting". This article contains a description of the software, a section about "exploits" (you will agree about my question marks in a minute), a section where he demonstrates false positives, a test against a couple of known viruses, a short section about 2 points he liked about the software, then a list of detailed suggestions to improve the product, and finally an epilogue on the response from the company.

Probably didn't like the first suggestion for improvement "First of all: stop making believe that Viguard can do miracles." (The other suggestions are completely technical.) But let's focus on section 2, containing the 6 "exploits":

• 2.2 Deactivating Viguard by simulating the mouse-clicks with which a human would deactivate it
• 2.3 Just use TerminateProcess() (the windows equivalent of kill -9 if I understand correctly)
• 2.4 Add the md5sum of the trojan to an (unencrypted) whitelist of md5sums maintained by Viguard
• 2.5 In each directory, Viguard maintains a file "certify.bvd" which lists all known-good executables in this directory, "encrypted" by a XOR with a fixed key. So a virus just has to install itself in a new directory along with the appropriate certify.bvd file.
• 2.6 "For a good laugh": Rename a virus from .exe to .bat
• 2.7 Almost the same as 2.5.

All completely trivial. The only thing that comes close to the counterfeiting charges is that he offered programs for download that decrypt the configuration file and the certify.bvd files (both "encrypted" by XOR with a constant and short byte sequence).

Re:Once again

[nate1138]

stop going through the wrong chain of command with these issues

What chain of command? If this company isn't paying his salary, he has NO obligation to tell them shit.

punishes them by not giving them time to deal with the issue.

And do you argue that companies that make claims like "catches 100% of known and unknown viruses" don't deserve to be punished for blatantly lying to the public?

all you're doing is sabatosing a lot of innocent companies

See the above point

The obvious problem is that you're a problem person. You find problems and that's it. That doesn't help anybody.

You don't think that finding problems in software that people rely on is helping? Would you prefer that people continue on with the illusion of security where none acutally exists?

If you ever, in the process of these discussions, even hint at going public it's called blackmail

Now there's the uninformed legal opinion I have come to expect from Slashdot. It's not blackmail unless you ask for money. Going public is pretty much standard practice in the security biz.

And you also assume that the company owes you some kind of update on the status of the issue. Which are all three very wrong assumptions unless you actually work for the company

So their customers have no right to status updates on problems with a product that they have purchased?

Go home and read a book

Re:Questions...

[greppling]

Did he make any effort to alert the creators of the software before he published the info? Not that I could tell from the linked info.

Well. The "exploits" he published are so trivial that the company certainly knew about them being possible (see my other post here). Any hacker caring about this product would be able to find them. In such a case, I agree that the responsible is to educate the public about the flaws.

Re:Look on the bright side...from another french..

[Anonymous Coward]

Actually, the second post asked why one would want to take out US citizenship, given how the Supreme Court, with the help of the president and neoconservatives, is taking away civil liberties. He highly recommends Canada instead.

Note to parent poster: Tu dois ameliorer ton francais! (And I live in New Jersey, hardly a bastion of French...)

counterfeiting

[Chep]

The creation of an unauthorised copy of a copyrighted work, in French law, is a form of counterfeiting ("you are creating illegitimate goods"). This just means he's indicted for a copyright violation and an attempt to conceal that he (allegedly) did.

Tough time for the guy. I hope he did things the right way (ie. that the allegations are proven false or falling within fair use), and has enough juice in the bank to countersue and prevail for his costs.

Re:There is no faster way

[LionMage]

There is no faster way to make enemies than to point out someone's stupidity, and then prove it publicly.

Never have truer words been spoken on Slashdot. (Well, OK, that's probably not true, but this is an idiomatic expression in English...)

After publicly commenting in my weblog that I found a WiFi access point in my office building being run wide-open, with no security (not even a password), and noting that this access point belonged to someone in the Honeywell office just down the hall, I ran into an interesting situation several months later...

It seems that one of Honeywell's lawyers noticed this blog entry and found out that I was employed by a consulting firm that had Honeywell as one of its biggest customers. So Honeywell's solution to the embarrassment of having a gaping security hole pointed out publicly was to pressure my employer into firing me. Luckily, cooler heads prevailed, and I let Honeywell image the hard drive on my laptop; the Honeywell employee who set up the rogue access point wasn't so lucky.

The moral of the story is, large companies are humorless, and the bigger the company, the more draconian the steps they'll take to protect themselves and their corporate image. That doesn't mean you should cower in fear whenever these companies flex their muscles.

Re:Look on the bright side...from another french..

[Bun]

" The first comment recommended hiding from his accusers instead of fighting them."

Actually, he recommended going to America, finding an American, (or Canadian - if you like snow) girlfriend, and marrying her for the citizenship so you could live there. It was funny.

"The second post agreed, and bemoaned the sad state that France is in these days, and how much nicer of a place to live the USA is."

Nope (or are you trying to be funny?). The second poster asked him why he would want to live in the USA when everyone in the world detests its citizens, when it has a government with a president that caters to rich people and their companies, etc., etc... He then said it was better to go to Canada, which is a thousand times more sensible than the USA. (I'm paraphrasing here, since my French isn't so good these days.)

Re:Look on the bright side...from another french..

[kubrick]

"Arte" ... They like doing documentaries, seek out truth and present things as they are.

This is the same station that did the documentary [arte-tv.com] about how Stanley Kubrick faked the moon landings for the Americans... screened here on April 1 a couple of years back, and from that link looks like they'll be playing it again very soon. :)

legal systems, insurance

[hak1du]

It's quite interesting to discover, from the inside, how the french justice system works. I'm back from Paris. I've just been indicted and charged of distributing programs that violated Intellectual Property rights (literally translated, it's "counterfeiting and concealment of counterfeiting"). Maximum punishment for these charges are two years in jail and a fine of 150.000 euros. I'm not yet judged guilty or innocent, but I already had to pay around two or three thousands dollars for two trips to Paris (I live in Boston, MA, USA), plane tickets, and lawyer fees. I already talked about my story here (in french).

That's the way justice systems work in general: if someone accuses you of a crime and makes what looks like a reasonable case to the police, it ends up costing you money. Welcome to the real world. Life sucks sometimes.

If it's a civil complaint, in some countries, the people sueing you may have to pay your expenses if they lose, but that's also not exactly a blessing--it also means that if you have a complaint against someone else, you may end up paying them a lot of money if you lose--a strong disincentive to enforcing your rights when you have been wronged.

In Europe, many people have private legal insurance, which will pay for legal fees and lawyers when you get sued; something like that might cover this case. Many people who work professionally in some field also get professional insurance, which also often covers them against lawsuits. So, the short answer is: in order to avoid getting bankrupted by frivolous legal claims, people insure themselves.

If you have been falsely accused, your accuser may have committed a criminal offense themselves and you may also be able to recover damages in civil court. However, in a case like this, that may be too hard to prove even if it is obvious to you and me.

If independant researchers cannot analyse security softwares and publish their discoveries, final users will just have marketing press releases from editors to assess the quality of a sofware. Unfortunately, it seems that we are heading to this kind of world in France and maybe in Europe.

No, it just means you have to go about exposing their product differently. Publish an article in a respected publication. Then, they'd have to take on the publisher.

Or file a complaint against them for false advertising. That could be either a complaint to an organization like the Better Business Bureau (or the French equivalent), or an legal complaint.

It may still be worth filing a counter-complaint at this point. You need to talk to a lawyer about that.