Hacker Indicted In France For Publishing Exploits 561
Guillermito writes "Hello. I'm a French scientist living in Boston. I analyse small security softwares under Windows as a hobby, for fun and curiosity. For example, I showed how to easily extract hidden information from a dozen of steganography softwares, often commercial programs claiming a very high security level. I did the same with a french generic anti-virus, showing several security flaws, and that it didn't stop '100% of known and unknown viruses' as claimed. First the company called me a 'terrorist,' than sued me. I've just been indicted last week in Paris. It seems that it's a general trend in France, and maybe in Europe, these days."
Proposterous! (Score:5, Insightful)
But from a common sense point of view, I really don't see how telling the truth about weak software can be illegal. It may lead to damage to a company, but that damage was caused by the security holes, not someone exposing them (hidden defects are a ticking timebomb anyway.)
From the common sense view point, it also seems right to inform the company first, before telling everybody. But telling the truth should not be illegal.
I'll burn in hell for this ... (Score:4, Insightful)
SURRENDER to the authorities.
Seriously, though, this sucks ass.
However, I'm quite sure that you're a terrorist, because we all know that terrorists publish the exploits they find. Why, back in June of 2001, I saw an article about how to smuggle knives onto airplanes. I also remember seeing an article shortly after that about putting plastic explosive in your shoes (i.e. Richard Reid). Come on, folks, people who find and PUBLISH weaknesses in software are not the problem.
-paul
Who was it that said... (Score:5, Insightful)
This is a case in point. The author may be in the right, but we are living in hysterical times, and woe unto the man who walks in front of the governmental steam roller with a team of jackasses and corrupt, ignorant polititians at the wheel.
Re:Glad to see... (Score:5, Insightful)
I realized France had joined the 'stupid lawsuit that wins anyway' club with the whole Mobilix/Obelix thing...
Of course (Score:1, Insightful)
How can *this* be illegal ? (Score:5, Insightful)
Would I be sued if I told a company manufacturing bicycles that their products are not solid enough, and then can be dangerous ? Probably not.
It will soon be forbidden to even talk about flaws. As a french citizen I feel very sad about it...
Re:How can *this* be illegal ? (Score:3, Insightful)
Probably not, no. But you could easily get a lawyer to get someone to fake an accident and sue the bicycle manufacturer for damages.
Re:Enshrined protection of whatever (Score:5, Insightful)
Re:Proposterous! (Score:5, Insightful)
just like there's jerks in usa there's jerks in europe as well.. and probably in middle-east and far -east as well. there's quite a few of totally broken 'security' products that are not even meant to work more than just give false assurance to their users, they're people selling snake oil and as far as their products go their just as good as some "miracle magnets" for fuel-lines & etc. there's no point in informing the company in such case since the fuckin company is just basically fraudsters in the first place.
Note to Europeans (Score:3, Insightful)
This sucks (Score:4, Insightful)
I second the suggestion above: contact eff. Now. If they can't help they probably can point you to organizations that can.
Well.... Let's be honest here... (Score:2, Insightful)
HOWEVER, if you were digging through reverse engineered proprietary code, and publishing exploits at the code level... well, that is infact illegal...
Good luck either way though...
"I used to have a sig, but a cheese eating surrender monkey ate it..."
--Ryan
Re:Enshrined protection of whatever (Score:5, Insightful)
Re:'Bout Time (Score:2, Insightful)
Re:Stops 100% of unknown viruses? (Score:1, Insightful)
Re:Just a thought... (Score:3, Insightful)
Re:'Bout Time (Score:5, Insightful)
Re:Proposterous! (Score:2, Insightful)
I think you're missing the point here. Freedom in genral does have one very important price, and that's responsibility. Sure you could point out those aspects of the software to the general public, but you have to ask yourself one question: with regards to the fact that leaking this information publicly could and most likely will lead to the compromise of systems using said software, is it the responsible thing to do? The common sense answer is NO. The responsible thing to do would be to privately alert the company of the security problem and perhaps documenting such to prove you warned them in case of inaction.
Been done in other respects (Score:3, Insightful)
Re:Enshrined protection of whatever (Score:1, Insightful)
Only if your security research has little to do with security and more to do with breaking copy protection. Free speech on security vulnerabilities is protected, you just can't be distributing code to bypass copy protection. I don't like that law too much either, but it's not really relevant at all to this issue.
Re:And I thought the DMCA was bad ... (Score:3, Insightful)
Donations!! (Score:5, Insightful)
Re:Good or Not? (Score:5, Insightful)
If you discovered a critical safety flaw in a particular model of automobile, do you:
i) Let everybody know, so those who drive that particular model can get it fixed, or
ii) Let only the manufacturer know, so they can fix it in next years model first.
What about the poor souls who are relying on the software for the security of their business? With your door analogy, it is equivalent to letting the lock manufacturer know that their locks are defective, without notifying the homeowner. (End user) It is their doors that are vulnerable. Of course by broadcasting this to the world, you let the bad guys know at the same time, but IMHO it is better than saying nothing.
Re:Good luck! (Score:3, Insightful)
Tim
This is sad... (Score:2, Insightful)
Anyone who buys this company's products needs their fucking heads examined!
In the interest of fairness (Score:3, Insightful)
I can see the case being made that leaving exploits open is essentially supporting terrorism, or depraved indifference at least.
Fighting back (Score:5, Insightful)
He may be in Le Figaro [lefigaro.fr] today. Look for "Quand les createurs de virus se font la guerre" in Le Figaro's archive. You have to pay to read the article, though.
Even though I am not a lawyer, (Score:5, Insightful)
I'm aware you're French, and likely will be prosecuted in France, however, it's generally the case that any public statements you make can and will be used against you in court, thus, I would advise that you seek professional legal counsel and stop publicly discussing your upcoming case. It can (and usually does) limit the variety of strategies that your lawyer can use to defend you.
Re:Proposterous! (Score:0, Insightful)
Re:Good luck! (Score:5, Insightful)
Sort of like calling spitting on the sidewalk a "terrorist act" because it could be labeled a "biohazard" if you really stretched it.
I echo the parent posters' sentiment: bon chance!
Questions... (Score:5, Insightful)
How many sides of this story do we have? Hmm, just this guy's side. Interesting.
Did he make any effort to alert the creators of the software before he published the info? Not that I could tell from the linked info. It sounds like he just posted it on his web page and published it in a crackers magazine and let the chips fall where they may. Not exactly responsible activism.
What exactly *is* the law regarding this in France? Here in the States we have the DMCA. It's a terrible law, but we all know what we're getting into if we break it. That's what civil disobedience is all about, isn't it? I seem to recall that Europe has similar laws on the books.
I'm sorry, but with the info we've been given this sounds a little like "I did something naughty and I got caught and now I might get PUNISHED! Oh poor me!"
All kneejerk reactions aside, maybe there's more to this situation than we've been given.
Re:Donations!! (Score:3, Insightful)
-- D3X
lots of unanswered questions here (Score:3, Insightful)
I'd be surprised if he were not acquitted, but you never know these days. It's very easy to pay off a judge. Anyways, one thing I would like to know is how publishing code in order to expose security flaws, and where the author(s)/owners of the code are referred to, is any different than publishing excerpts from a book in order to expose, say racist sentiment.
Re:Proposterous! (Score:5, Insightful)
No jackass, you're wrong, and you're thinking like one of "them". The "responsibility" lies with the comapnies making *FRADULENT* claims.
You're saying this fellow should politely inform these companies that they are lying? I think they know already.
Other side? (Score:5, Insightful)
Haven't he learned his lesson? (Score:3, Insightful)
My only question... (Score:5, Insightful)
Re:Proposterous! (Score:3, Insightful)
People need to be made aware of the vulerabilities of anything ASAP. The person that makes it public may not be the first person to find the issue. Network elements can be made to stop the exploits or reduce there impact. It's not fair to say well most people dont care about there systems so we will protect the lazy at the expence of the vigalent. Allways remember patching is not the only solution to an issue it's generaly the best in the long term but you can have a lot of other methods at your disposal as well in the short term.
But... (Score:5, Insightful)
Computers don't have infinite storage, so you could theoretically map out all possible states that a computer could be in and get a proof of termination (or any other property) that way.
Obviously this isn't practical by any means, but that's no excuse for being imprecise.
Cue conspiracy theory/tinfoil hat cliches (Score:5, Insightful)
All over the world, these travesties are now in place. For "evil to succeed", now all that is required is to redefine "terrorism". And we're well on the way for that: now reverse engineering is "terrorism". A marijuana smoker is a terrorist. Someone who criticizes the American government, like Bill Maher, can be advised to "watch what he says". Eventually EVERY infraction can be redefined as terrorism. The ground's the limit.
For the life of me, I cannot see the difference between the Red Nightmare so feared for the last century by the Right, and what the Right is building for us now. Besides a lot of wealthy people and the option to own your own property, what is the real difference between the old Soviet empire and the Brave New World being built by our new jailors?
What we're witnessing is a anti-civil rights movement across the world. The various governments and police/military/spy boys are in the middle of building a new system of law only tangentally related to English common law and the American constitution. They are creating a new world of harsh law unbounded by the rights of man. Altho as many have noticed, corporations aren't men, and aren't bound by any of these new paradigms.
I don't have to even bother finding examples anymore. It's happening every day. Faster and faster, impossible to monitor because it's happening too fast for a single human mind to keep track of it all.
The "terrorism" war is a crock. They aren't using these spiffy new un-laws to capture bombers and the other usual stereotypes. They're using them against US.
Once again (Score:5, Insightful)
First you take it to the company. And if they won't listen you take it to the authorities and they can decide if the company is defrauding their clients with false promises and whatnot. And if they won't listen you throw your hands up in the air and unless you know a company personally who uses the software you just let it go.
Making it public information just makes the danger to the companies very real and very much now which in fact punishes them by not giving them time to deal with the issue.
Unless you have a feasible immidiate solution to go with your findings all you're doing is sabatosing a lot of innocent companies who had no way to know and you've just tied their hands behind their backs and made them sitting ducks. Companies cannot just shut down software at a moments notice.
And here's a nutty idea, if you're really obsessed with finding holes in a certain company's software seek a job. The obvious problem is that you're a problem person. You find problems and that's it. That doesn't help anybody. And when you then blackmail people with this information by going public if they don't deal with it, no duh you're going to get in trouble.
If you're sincere about helping the company you find the problems, find the best solutions you can with the information you have and then go to the company and explain the situation and tell them you'd like to help and know how to fix the problems but need access to the source to do so. You then request a job as a programmer and get to work if they hire you. If they don't hire you, you leave them with your findings and move on.
If you ever, in the process of these discussions, even hint at going public it's called blackmail and you'll rightfully be thrown in jail. Give one copy of your findings to the company and one copy to the proper authorities. That's it.
By pressing the issue you assume you have some kind of right to tell the company what to do. You also assume that the company isn't working on the issue. And you also assume that the company owes you some kind of update on the status of the issue. Which are all three very wrong assumptions unless you actually work for the company and are in an upper position. By going public you've basically forced the company into a bad position because they didn't act in a time frame you thought was fast enough. You don't have a right to do that. DMCA or not.
If you don't have a feasible immediate solution to go with the problems you've found going public is just hurting everyone and helping no one.
If this is something you like to do, you should have gotten a job so that you'd be recognized as a legitimate software security expert that companies can hire for testing their software. But now you've kinda screwed yourself because nobody can trust you to work within the system. Your mouth is too big for the job.
You've made yourself singularly responsible for anything bad that happens because of your findings. Instead of an "I told you so" you would have earned by going through the proper channels you earned an "it's your fault." Because you assumed anyone could have found and exploited the problem and now they can.
Let the bad guys go public. If you have no solution and you go public without permission, you are the bad guy. With Open Source you have all the permission in the world to report hacks without posting solutions. Work on Open Source if you can't stand keeping secrets.
Ben
Re:Look on the bright side...from another french.. (Score:2, Insightful)
Mieux d'aller au Canada, qui est mille fois plus sensible que les USA.
(Je m'excuse pour des erreurs... je parle francais mais ce n'est pas ma langue maternelle. J'aime bien essayer de le parler de temps en temps.)
Re:Look on the bright side...from another french.. (Score:2, Insightful)
I agree with the previous poster, a good offense is the best defense. Hit them hard in the court of public opinion, and if it is indeed true that you cannot punish someone in France for telling the truth, then by all means, hammer away.
Re:Terrorist??? Sounds like libel to me. (Score:3, Insightful)
It kind of brings a whole new meaning to the saying, "you're damned if you do and damned if you don't."
Re:Enshrined protection of whatever (Score:3, Insightful)
Unless you're accused of "Terrorism" (as the poster was). That's the tricky point - even here in the U.S., if they use the "magic word", the Patriot Act trumps the constitution. I'm not being facetious - that was the whole (only) point of the Patriot Act. "The bill of rights makes it hard to fight terrorism, so repeal it for people we say are terrorists. We promise we won't abuse it."
Re:Questions... (Score:3, Insightful)
That raises an interesting question about responsible/ethical/legal vulnerability reporting practices. Could you imagine how absurd it would be to require similar restrictions upon political speech?
Re:Good luck! (Score:4, Insightful)
Re:'Bout Time (Score:4, Insightful)
Jeez, anyone who's taken Criminal Justice 101 knows that this is not double jeopardy!! If you steal a credit card number and make purchases on it, chances are, your state has a law against this kind of fraud, so you've committed a crime against the state. Theft of a credit card is also a Federal Offense. And you've probabally also violated a Civil law that will open you up to a lawsuit from the theft victim for his "pain and suffering". Yes, you've committed "one" act, but that act is a crime in three separate jurisdictions - ergo three separate crimes, which means each jurisdiction will have an opportunity to get a piece of you. Double Jeopardy would be if you had been aquitted of the State charges, and afterwords the State charged you again for the same crime.
DMCA? France? (Score:3, Insightful)
The US is not the World.
The root of the problem (Score:5, Insightful)
Justice is supposed to be blind, but not the judges. I think that is the single biggest problem we face with existing computer crime legislation - neither the legislators nor the judges understand what it is that the law is actually saying.
BTW, I really enjoyed your steganography articles. It's comforting to realize just how difficult it is to implement stego correctly. It really puts mainstream media hand-waving about terrorist use of steganography into perspective.
Re:Harvard? I think not. (Score:3, Insightful)
His English spelling and grammar are significantly better than my French spelling and grammar. You did notice that he is French, didn't you?
actual text of the indictment? (Score:3, Insightful)
Re:Look on the bright side...from another french.. (Score:2, Insightful)
I'm not as optimistic as the previous poster, remember what happened to Serge Humpich. This guy found a way to crack the so-called most secure bank card system in the world (french Carte Bleue). He then contacted the system's proprietor (GIE Cartes Bancaires), offering help (not freely, alas for him) to fix the system thanks to his expertise, and as a demonstration bought a handful of metro tickets. He was indicted, temporarily jailed and found guilty of fraud, falsification and unauthorized access to an automated system. During the trial GIE kept on claiming that their system was unbreakable, yet some time later the first "Yes-cards" appeared on the black market and cracking info spread on the Net. Had the GIE taken Humpich seriously, no yes-cards could have been produced and no businesses harmed (usually small ones such as automated video cassette rental).
Merde pour la suite (frenchmen never wish good luck)
Re:Good luck! (Score:5, Insightful)
And there's absolutely no ethical obligation on the part of the person who finds the flaw to inform the company before informing the public. It's up to the company to prevent the sudden appearance of egg all over their faces, not folks who aren't their employees and aren't getting paid by said company to find such faults in the first place.
Funny how well corporations have managed to brainwash some people into thinking otherwise...as if in the end we're all their employees and 'owe' them something beyond the price we pay for their (buggy and insecure) software. I wonder when this little tidbit was included in the definition of 'capitalism'?
Max
Re:Enshrined protection of whatever (Score:3, Insightful)
This became a rubber stamp court, with only one request out of over 7,500 since its inception being rejected by the judges. Of course, the people are unaware of it because the proceedings of the court are secret, and the defendents are usually unaware of the evidence being used against them.
The existence of the court is not secret though, as it was created by a law passed in the 80s, and the quantity of searches granted by the court is public. Indeed, the US government was accused of abusing this court recently to broaden its purpose, before the Patriot Act was "clarified" to permit such abuse by the US prosecutors, FBI and intelligence agencies. One of the judges on the panel scolded the US government for being deceptive in the types of cases it was bringing, indicating that the US government does try to bring people before FISA that are not spies, but instead ordinary criminals. The US appealed a decision to legally obtain a broading of the courts purpose, originally without legislation.
If I remember correctly, congress passed a law to "clarify" that the Patriot Act extended this to cover those suspects of "terrorism". Hasn't it occurred to anyone that none of the trials of suspected terrorists are public?
This is such a sad demise of the US Constitution and American liberty. To me, I'd be willing to die like our forefathers did to preserve American freedom and create the Bill of Rights. I just wish we weren't so willing to discard it today under the illusion that our life-spans will be longer. When I was a child, being willing to die to perserve American freedom was a common notion. Now, being willing to give up freedom to avoid the remotest chance of dying, no matter how statistically improbable, has become a de facto notion. To suggest otherwise, well, that would be unpatriotic! Or would it be terrorist?
Unfortunately, without the ability for the press or the people to attend trials of suspected terrorists, it's unlikely that this will ever be overturned. We'd have to prove that the system as used unjustly, but the Patriot Act has removed all accountability, so that it is nearly impossible to prove the injustice.
The question is, if it was "spies" yesterday, and now includes those labeled as "terrorist" or "threats to national security" by the investigators and prosecutors today, then what label is next? Or, are the current labels broad enough to permit US prosecutors to throw anyone in prison for life that they see fit? It's hard to discern when our government is no longer accountable to the people it's supposed to represent.
Is there anyway to determine what cases the government has filed to prevent public accountability under the Patriot Act? I'd like to follow up on this to at least try to estimate how many cases there are today. If at all possible, I'd like to know if it even remotely possible to discover any injustices occurring. Justice is, after all, the purpose of all this. Right?
Links:
THE SECRET FISA COURT: RUBBER STAMPING ON RIGHTS [mediafilter.org]
Secret court meets to consider Justice Department appeal [freedomforum.org]
Secret court gives U.S. gov't wiretap powers [japantoday.com]
Secret Court Rebuffs Ashcroft [commondreams.org]
Secret court may limit government power to spy on domestic terror [detnews.com]
These links aren't in chronological order, and I obtained them using a simple