Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Courts Government Bug Security News Your Rights Online

Hacker Indicted In France For Publishing Exploits 561

Guillermito writes "Hello. I'm a French scientist living in Boston. I analyse small security softwares under Windows as a hobby, for fun and curiosity. For example, I showed how to easily extract hidden information from a dozen of steganography softwares, often commercial programs claiming a very high security level. I did the same with a french generic anti-virus, showing several security flaws, and that it didn't stop '100% of known and unknown viruses' as claimed. First the company called me a 'terrorist,' than sued me. I've just been indicted last week in Paris. It seems that it's a general trend in France, and maybe in Europe, these days."
This discussion has been archived. No new comments can be posted.

Hacker Indicted In France For Publishing Exploits

Comments Filter:
  • by Anonymous Coward on Wednesday March 31, 2004 @12:21PM (#8726491)
    Now you get to search for holes in the French jail system. Find a big enough one and you're free!
    • by Orgazmus ( 761208 ) on Wednesday March 31, 2004 @12:42PM (#8726784)
      I think the other inmates might look for holes in him too.
      • by da5idnetlimit.com ( 410908 ) on Wednesday March 31, 2004 @01:10PM (#8727093) Journal
        1/ Call France 3, TF1 if you can.
        TF1 certainly won't give a damn, but France 3 has a local news agency that is capable of nicely covering your story.

        2/ Attack the company for "Publicite mensongere" (you Grammar Nazis translate for yourselfs, the guy is french...), bringing with you the proofs you digged out.

        2bis/ Attack them for "tentative d'intimidation", and another one with Libel (atteinte a l'honneur)
        The Libel one will only bring you 1Eu (the official price for honor)

        3/ Include the Paris Chamber of Commerce, 60 millions de Consommateurs, and probably one or two IT Newspapers (01 Informatique, Le Monde Informatique), write to the Minister of Justice (Sarkozi is out of Interior, and he won't care anyhow)

        60 Millions de Consommateur is very possibly the best first to call, as they are very touchy on such issues, and help people defend their case.

        Just doing the counter attack on "Publicite mensongere" to the responsible organisation will be a frightening step for Tengram...

        Also, publishing your discoveries on CERN and all others security sites (french and internationals) will be a de-facto victory.

        Also, have the court ask for an independent expert to verify your findings... In France, there is a law against punishing people that just said the truth...

        If you really want to be vicious, take a look on their webpage, check all their "reference customers" and have them see your papers and security holes...If one of their customers is a French Governemental Agency, they can be in for a very hard time... Lying to the French Administration, and putting their security under threat for innefiency can bring them under a lot more problems than you can think.
        So, this is just the top of my head ideas, but I hope it will help you...

        In such cases, the better defense is offense...

        Bonne Chance, Courage, et ne te laisses pas faire !!!!
        • by Petronius ( 515525 ) on Wednesday March 31, 2004 @01:30PM (#8727316)
          Mon conseil:
          - marrie toi a une americaine
          - prends la citoyennete US
          - ne retourne jamais en France

          (ou la meme chose avec une Canadienne si tu aimes la neige).
          • by niom ( 638987 ) on Wednesday March 31, 2004 @02:22PM (#8727893)
            Because we all know this could never have happened in the U.S.
        • by valmont ( 3573 ) on Wednesday March 31, 2004 @01:47PM (#8727454) Homepage Journal

          Bien vu tout ca!

          Is "Arte [arte-tv.com]", channel 5 still around? I'd definitely give these guys a call. While their audience is prolly a small fraction of France 3's, they're usually an educated audience. They like doing documentaries, seek out truth and present things as they are. i couldn't find any direct contact information beside this mailing address:

          ARTE G.E.I.E.

          4, Quai du Chanoine Winterer
          F-67080 Strasbourg Cedex

          I'd do whois arte-tv.com and send an email to the contact info on there, you never know.

          Bon courage vieux! Fous-leurs une grosse bite au cul de ma part, avec mes remerciments ;]

  • by AssProphet ( 757870 ) * on Wednesday March 31, 2004 @12:22PM (#8726495) Homepage Journal

    What does stenography have to do with software? Didn't they become extinct millions of years ago?
  • Good luck! (Score:5, Interesting)

    by Anonymous Coward on Wednesday March 31, 2004 @12:23PM (#8726508)
    I wish you the best. You should be given job offers, contracts, and cash for what do you, not put on a cross to die! It's a shame, really. Hopefully your case goes public and some good lawyers will help you for cheap if they think the press for themselves is worthwhile. Good luck!

    • Re:Good luck! (Score:4, Informative)

      by gilesjuk ( 604902 ) <giles DOT jones AT zen DOT co DOT uk> on Wednesday March 31, 2004 @01:06PM (#8727050)
      The problem is such exploits are published and not referred to the companies in question for them to fix these faults.

      By publishing exploits you are on one hand helping consumers choose their security software wisely, but on the other hand you are providing hackers will methods to penetrate systems.
      • Re:Good luck! (Score:4, Insightful)

        by Buran ( 150348 ) on Wednesday March 31, 2004 @02:01PM (#8727610)
        On the third hand (this guy must be a mutant! ;)) a lot of companies won't bother to fix flaws if they aren't publicly and obviously posted, so crackers might find the flaws and use them for exploits, while the company that makes the software gleefully ignores the problem and gets to avoid responsibility and liability. That's definitely not good. I don't know (it's not clear from the English writeup) whether any attempt was made to notify, but many people who release exploit data do so only as a last resort.
      • Re:Good luck! (Score:5, Insightful)

        by maxpublic ( 450413 ) on Wednesday March 31, 2004 @07:30PM (#8731738) Homepage
        The problem is such exploits are published and not referred to the companies in question for them to fix these faults.

        And there's absolutely no ethical obligation on the part of the person who finds the flaw to inform the company before informing the public. It's up to the company to prevent the sudden appearance of egg all over their faces, not folks who aren't their employees and aren't getting paid by said company to find such faults in the first place.

        Funny how well corporations have managed to brainwash some people into thinking otherwise...as if in the end we're all their employees and 'owe' them something beyond the price we pay for their (buggy and insecure) software. I wonder when this little tidbit was included in the definition of 'capitalism'?

        Max
  • by ThisIsFred ( 705426 ) on Wednesday March 31, 2004 @12:24PM (#8726519) Journal
    There is no faster way to make enemies than to point out someone's stupidity, and then prove it publicly. But I am on your side. Companies that market security products that aren't are committing fraud, IMO. And I'd rather have you publish the vulnerability than someone else publish the automated exploit.
    • by LionMage ( 318500 ) on Wednesday March 31, 2004 @04:47PM (#8729871) Homepage
      There is no faster way to make enemies than to point out someone's stupidity, and then prove it publicly.

      Never have truer words been spoken on Slashdot. (Well, OK, that's probably not true, but this is an idiomatic expression in English...)

      After publicly commenting in my weblog that I found a WiFi access point in my office building being run wide-open, with no security (not even a password), and noting that this access point belonged to someone in the Honeywell office just down the hall, I ran into an interesting situation several months later...

      It seems that one of Honeywell's lawyers noticed this blog entry and found out that I was employed by a consulting firm that had Honeywell as one of its biggest customers. So Honeywell's solution to the embarrassment of having a gaping security hole pointed out publicly was to pressure my employer into firing me. Luckily, cooler heads prevailed, and I let Honeywell image the hard drive on my laptop; the Honeywell employee who set up the rogue access point wasn't so lucky.

      The moral of the story is, large companies are humorless, and the bigger the company, the more draconian the steps they'll take to protect themselves and their corporate image. That doesn't mean you should cower in fear whenever these companies flex their muscles.
  • by BJZQ8 ( 644168 ) on Wednesday March 31, 2004 @12:24PM (#8726528) Homepage Journal
    I'm glad to see that the EU has broken the U.S. monopoly on wacky, mindless computer lawsuits!
  • by The I Shing ( 700142 ) * on Wednesday March 31, 2004 @12:24PM (#8726529) Journal
    I sure am glad I live here in the USA where my right to expose the weaknesses of corporate products is enshrined in our beloved Constitut...

    Hold on, there's a SWAT team banging on my door.

    I'd better go let them know that they must have the wrong house.
    • by ThisIsFred ( 705426 ) on Wednesday March 31, 2004 @12:28PM (#8726589) Journal
      Hold on, there's a SWAT team banging on my door.

      Excellent! Would it be too much trouble for you to go outside and ask the SWAT dev team why the default is to look for smb.conf inside /usr/lib instead of /etc/samba? I mean, who puts configuration files in with userland libraries?
    • by paranode ( 671698 ) on Wednesday March 31, 2004 @12:32PM (#8726644)
      You joke as if people here do not have that right, but it has already been shown that such free speech is protected here. Not only that, but you can even distribute source code to exploit it.
      • by The I Shing ( 700142 ) * on Wednesday March 31, 2004 @12:35PM (#8726693) Journal
        You joke as if people here do not have that right, but it has already been shown that such free speech is protected here. Not only that, but you can even distribute source code to exploit it.
        And, by God, let's pray that it stays that way, brother.
      • by Maestro4k ( 707634 ) on Wednesday March 31, 2004 @01:20PM (#8727207) Journal
        • You joke as if people here do not have that right, but it has already been shown that such free speech is protected here. Not only that, but you can even distribute source code to exploit it.
        At one time I would have agreed with you. Having had an encounter with the government over false accusations made against me (not even computer-related), and having seen the results, I have to say that in theory we have freedom of speech, in PRACTICE, the government can quite easily ruin your life over something you say, even if they can't even charge you with anything.

        Remember, publicity about something you're accused of is all the court of public opinion needs to convict you. Winning at trial (if you're charged) or having things dropped later on aren't enough to undo that. To use what's probably a bad example, remember the OJ trial? He was found not guilty of murder, but exactly how many people do you know who believe that to be the truth? And how many do you know who'd hire him to work for them, even if it was digging ditches?

        Finally don't forget that fighting charges against you can bankrupt you. Even if you end up innocent, you may find your life utterly and totally destroyed thanks to this. Frankly our "justice" system has lost all its justice, and innocent into proven guilty has gotten forgotten somewhere along the way.

      • Unless you're accused of "Terrorism" (as the poster was). That's the tricky point - even here in the U.S., if they use the "magic word", the Patriot Act trumps the constitution. I'm not being facetious - that was the whole (only) point of the Patriot Act. "The bill of rights makes it hard to fight terrorism, so repeal it for people we say are terrorists. We promise we won't abuse it."

  • 'Bout Time (Score:5, Funny)

    by LooseChanj ( 17865 ) on Wednesday March 31, 2004 @12:24PM (#8726531) Homepage
    To move to a sane country. There any left?
    • Re:'Bout Time (Score:3, Interesting)

      by Orgazmus ( 761208 )
      Could try Norway?
      DVD-Jon got off the hook over here, why should'nt it work this time? ;)
    • Re:'Bout Time (Score:5, Insightful)

      by kajoob ( 62237 ) on Wednesday March 31, 2004 @12:36PM (#8726714)
      Instead of packing up and running every time something happens that you don't like, why not stick around here and fight for what you believe in? You can start by sending a few bucks to the EFF [eff.org].

  • Proposterous! (Score:5, Insightful)

    by Doesn't_Comment_Code ( 692510 ) on Wednesday March 31, 2004 @12:25PM (#8726533)
    I'll admit right away that I'm not familiar with France's free speech laws.

    But from a common sense point of view, I really don't see how telling the truth about weak software can be illegal. It may lead to damage to a company, but that damage was caused by the security holes, not someone exposing them (hidden defects are a ticking timebomb anyway.)

    From the common sense view point, it also seems right to inform the company first, before telling everybody. But telling the truth should not be illegal.
    • Re:Proposterous! (Score:5, Insightful)

      by gl4ss ( 559668 ) on Wednesday March 31, 2004 @12:32PM (#8726645) Homepage Journal
      well most likely they made up most of their claims(of what the poster had done) and just want to set an example or something insane like that.

      just like there's jerks in usa there's jerks in europe as well.. and probably in middle-east and far -east as well. there's quite a few of totally broken 'security' products that are not even meant to work more than just give false assurance to their users, they're people selling snake oil and as far as their products go their just as good as some "miracle magnets" for fuel-lines & etc. there's no point in informing the company in such case since the fuckin company is just basically fraudsters in the first place.

  • by JDRipper ( 610930 ) on Wednesday March 31, 2004 @12:26PM (#8726549)
    If they publicly called you a terroist in writing without sufficient evidence, can't you sue their berets off for libel?
    • The ironic thing is that if he had told the company before he released the exploit, they could probably have been able to charge him with the French equivalent of Blackmail.

      It kind of brings a whole new meaning to the saying, "you're damned if you do and damned if you don't."
  • by Anonymous Coward on Wednesday March 31, 2004 @12:26PM (#8726551)
    We sue first, and then we call you a terrorist.
  • by crimethinker ( 721591 ) on Wednesday March 31, 2004 @12:26PM (#8726554)
    Well, since you are French, there is only one thing you can do:

    SURRENDER to the authorities.

    Seriously, though, this sucks ass.

    However, I'm quite sure that you're a terrorist, because we all know that terrorists publish the exploits they find. Why, back in June of 2001, I saw an article about how to smuggle knives onto airplanes. I also remember seeing an article shortly after that about putting plastic explosive in your shoes (i.e. Richard Reid). Come on, folks, people who find and PUBLISH weaknesses in software are not the problem.

    -paul

  • by Le Marteau ( 206396 ) on Wednesday March 31, 2004 @12:27PM (#8726558) Journal
    "It's dangerous to be right when the government is wrong".

    This is a case in point. The author may be in the right, but we are living in hysterical times, and woe unto the man who walks in front of the governmental steam roller with a team of jackasses and corrupt, ignorant polititians at the wheel.

    • by MarkusH ( 198450 ) on Wednesday March 31, 2004 @12:39PM (#8726742)
      That would be Voltaire.

      Another good quote: "There are some acts of justice which corrupt those who perform them." - Joubert
    • by WormholeFiend ( 674934 ) on Wednesday March 31, 2004 @12:51PM (#8726879)
      ohh ohhh a quotation contest!

      "Where is the justice of political power if it executes the murderer and jails the plunderer, and then itself marches upon neighboring lands, killing thousands and pillaging the very hills?"
      Kahlil Gibran

      "The very first law in advertising is to avoid the concrete promise and cultivate the delightfully vague."
      Bill Cosby

      "It is from numberless diverse acts of courage and belief that human history is shaped. Each time a man stands up for an ideal, or acts to improve the lot of others, or strikes out against injustice, he sends forth a tiny ripple of hope, and crossing each other from a million different centers of energy and daring, those ripples build a current that can sweep down the mightiest walls of oppression and resistance."
      Robert Francis Kenedy
      - /got nuthin
      -

      • by Le Marteau ( 206396 ) on Wednesday March 31, 2004 @01:15PM (#8727145) Journal
        ohh ohhh a quotation contest!

        "Did you really think that we want those laws to be observed? We want them broken.
        You'd better get it straight that it's not a bunch of boy scouts you're up against . . .
        We're after power and we mean it. You fellows were pikers, but we know the real trick,
        and you'd better get wise to it. There's no way to rule innocent men. The only power
        any government has is the power to crack down on criminals. Well, when there aren't
        enough criminals, one makes them. One declares so many things to be a crime that it
        becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding
        citizens? What's there in that for anyone? But just pass the kind of laws that can
        neither be observed nor enforced nor objectively interpreted - and you
        create a nation of law-breakers - and then you cash in on guilt. Now that's the system,
        Mr. Rearden, and once you understand it, you'll be much easier to deal with."

        From "Atlas Shrugged" by Ayn Rand
  • Signs of the future? (Score:5, Interesting)

    by Anonymous Coward on Wednesday March 31, 2004 @12:27PM (#8726559)
    Now, if Microsoft is forced to release the windows source because of the EU, does this mean anyone who points out vulnerabilities will get sued too?

    Seems like a strange way to thank someone for helping them. It's like beating someone to death with a tire-iron because they told you your tire is flat.
  • by RubiCon ( 158847 ) on Wednesday March 31, 2004 @12:27PM (#8726569) Homepage
    Umm, you can't do that - I think I first saw the relevant paradox in Ralf Burger's book on viruses and it goes something like this: Say you've got some blackbox routine called is_a_virus() that does just what these guys claim; all you do is build it into a virus like so:
    if ( is_a_virus(me) ) { do_nothing() } else { replicate() }
    So, if you're a virus, you're not a virus - but if you're not, you are. Reductio ad absurdum, anyone?
  • contact the eff (Score:5, Informative)

    by gmr2048 ( 176781 ) * on Wednesday March 31, 2004 @12:27PM (#8726574) Homepage
    dunno if they can help with french courts, but it's prolly worth it to at least bring it to thier attention:

    www.eff.org [eff.org]

    -gary
  • by Murf_E ( 754550 ) <murrayegger&hotmail,com> on Wednesday March 31, 2004 @12:28PM (#8726594)
    don't go tell the company that their product is flawed but rather use your discovery to exploit people who use their product. Either way you will be sued but at least this way they have to find you
  • by lazy_arabica ( 750133 ) on Wednesday March 31, 2004 @12:29PM (#8726599) Homepage
    Is looks like looking for security flaws is increasingly seen as an illegal action by both companies and governments.

    Would I be sued if I told a company manufacturing bicycles that their products are not solid enough, and then can be dangerous ? Probably not.

    It will soon be forbidden to even talk about flaws. As a french citizen I feel very sad about it...
    • "Would I be sued if I told a company manufacturing bicycles that their products are not solid enough, and then can be dangerous ? Probably not."

      Probably not, no. But you could easily get a lawyer to get someone to fake an accident and sue the bicycle manufacturer for damages.
    • by Anonymous Coward
      Yes (at least if you publish the info). Consumer Reports has been sued for demonstrating flaws in products .
  • Good or Not? (Score:5, Interesting)

    by Prince Vegeta SSJ4 ( 718736 ) on Wednesday March 31, 2004 @12:30PM (#8726614)
    I haven't brushed up on the law concerning publishing exploits in either France or the US, but it seems a little ridiculous to indict someone for pointing out a security hole.

    Sure it can be said that publishing an exploit will encourage a hacker to take advantage of said exploit, but by not publishing & letting it remain a secret is no guarantee that someone is not exploiting that same exploit. In fact, I'm willing to bet that some 3v1| H4x0r would eventually find it anyway. But I would rather know that it exists so that I may act, since, in my experience software companies are slow to react and try to hide or downplay flaws.

    Security solely by obscurity doesn't work.

    On the flip side, if the door to my house was wide open, I wouldn't want anybody yelling hey your door is wide open (to the world) without allowing me to fix it.

    IMO it boils down to common sense, and in this case I think that it is a beneficial thing to publish that sort of information. An even better route would be to alert the software makers first, and give them a 'short' time to release a patch. But only a very short time.

    • Re:Good or Not? (Score:5, Insightful)

      by earthforce_1 ( 454968 ) <earthforce_1@y a h oo.com> on Wednesday March 31, 2004 @12:47PM (#8726828) Journal

      If you discovered a critical safety flaw in a particular model of automobile, do you:

      i) Let everybody know, so those who drive that particular model can get it fixed, or

      ii) Let only the manufacturer know, so they can fix it in next years model first.

      What about the poor souls who are relying on the software for the security of their business? With your door analogy, it is equivalent to letting the lock manufacturer know that their locks are defective, without notifying the homeowner. (End user) It is their doors that are vulnerable. Of course by broadcasting this to the world, you let the bad guys know at the same time, but IMHO it is better than saying nothing.

  • Note to Europeans (Score:3, Insightful)

    by strictnein ( 318940 ) * <strictfoo-slashdot AT yahoo DOT com> on Wednesday March 31, 2004 @12:33PM (#8726657) Homepage Journal
    Note to Europeans: while it is fun to point and laugh at us "stupid" Americans and our silly laws and lawsuits, you might want to take note that the same things are going on in your countries too, and will continue to get even worse.
  • This sucks (Score:4, Insightful)

    by Nevo ( 690791 ) on Wednesday March 31, 2004 @12:33PM (#8726658)
    Unfortunately, it appears that expertise in French law is lacking here at slashdot.

    I second the suggestion above: contact eff. Now. If they can't help they probably can point you to organizations that can.
    • by mblase ( 200735 )
      Unfortunately, it appears that expertise in French law is lacking here at slashdot.

      You must be new here. On Slashdot, everyone is a legal expert in everything.
  • France is Stupid (Score:3, Informative)

    by Omega037 ( 712939 ) on Wednesday March 31, 2004 @12:35PM (#8726700)
    I know a guy who for his senior thesis worked with a group of people and hacked a company's network. At the end of the semester, they gave the company a 42 page document stating all the problems and exploits the company had.
    He got an A for the class and a job offer from the company. Granted, he already had better offers, but it is a good example of how it should be.
  • by randall_burns ( 108052 ) <randall_burnsNO@SPAMhotmail.com> on Wednesday March 31, 2004 @12:38PM (#8726735)
    I would like to write a letter in support of you. The people that should be legally hassled here is the software vendor whose fraud you exposed-not
    you.

    IMHO a pile of letters coming from all parts of the world in your support might send a signal. I also think that Amnesty International should be contacted here. This is even more sleezy than most of the stuff they take on--in this case you appear to be hassled not because of your political opinions, but because French officials are using their offices on the behest of corrupt corporate interests.
  • by Stevyn ( 691306 ) on Wednesday March 31, 2004 @12:40PM (#8726753)
    This is like a mechanical engineer publishing tips and tricks on how to break open safes that claim to be "burgler proof." Or Diebold suing someone who figured out how to rig elections. This is like the "wag the dog" scenario where you start a fight with someone to move attention to them and away from your shortcomming.
  • Donations!! (Score:5, Insightful)

    by 3terrabyte ( 693824 ) on Wednesday March 31, 2004 @12:45PM (#8726809) Journal
    If anyone knows of a way to donate to this guy to pay for his legal bills, and (hopefully not) fines, please post a link.

  • by aepervius ( 535155 ) on Wednesday March 31, 2004 @12:48PM (#8726844)
    Plese note that he has been accused of copyright infrigement. He seems to have reverse engineered and copied/used part of the intern code of the programs. Whether we like it or not DMCA like law forbid it except in a few case (interroperability and maybe for academia). Since he did not publish it for academia, and he did not contact first the company, they can fall on him and he has big probability of being judged guilty.

    The law might be broken in that case (as we all know for DMCA like laws) but nonetheless the company has a case...
    • Sweet:

      1. Create really shitty code.

      2. Claim code is UNHACKABLE and will detect ANY unknown virus

      3. Wait to get hacked (should take about 2 minutes)

      4. Sue hacker(s).

      5. Profit!

      6. Sell your crappy code to microsoft

      7. More profit!!

      (Does this mean we could make a class action suit against SecurityFocus?)
  • by Progman3K ( 515744 ) on Wednesday March 31, 2004 @12:53PM (#8726909)
    It should also be a punishable offense for a software maker to NOT close exploit holes in a timely manner.

    I can see the case being made that leaving exploits open is essentially supporting terrorism, or depraved indifference at least.
  • Fighting back (Score:5, Insightful)

    by Animats ( 122034 ) on Wednesday March 31, 2004 @12:54PM (#8726931) Homepage
    It's going to cost him, but this guy needs to file false-advertising and libel claims in France. France has stricter laws against both than the US does. Then he needs to get a few good articles published in some French papers. Libe [libe.com], for starters.

    He may be in Le Figaro [lefigaro.fr] today. Look for "Quand les createurs de virus se font la guerre" in Le Figaro's archive. You have to pay to read the article, though.

  • by Morologous ( 201459 ) on Wednesday March 31, 2004 @12:55PM (#8726933)
    I would strenuously advise you *NOT* to discuss your legal situation or case with anyone but your lawyer.

    I'm aware you're French, and likely will be prosecuted in France, however, it's generally the case that any public statements you make can and will be used against you in court, thus, I would advise that you seek professional legal counsel and stop publicly discussing your upcoming case. It can (and usually does) limit the variety of strategies that your lawyer can use to defend you.

    • Sure, but with the laws they've been comming up with lately, once he's arrested he might not be heard from again. I think it was a necessary move to make the situation publically known. Otherwise, all you see is a blurb on page 12 of the newspaper saying "French Hacker Arrested" and no one thinks anything about it.

      Though, do seek professional counsel.
  • by tuxette ( 731067 ) * <.moc.liamg. .ta. .ettexut.> on Wednesday March 31, 2004 @01:01PM (#8726991) Homepage Journal
    The question: is it possible in France today to publish software flaws, and the practical demonstration of these flaws? I am not yet judged, but I am pessimist about it, and it seems that we are heading towards a negative response. If I am declared guilty, full disclosure is going to be de facto forbidden in my country.

    I'd be surprised if he were not acquitted, but you never know these days. It's very easy to pay off a judge. Anyways, one thing I would like to know is how publishing code in order to expose security flaws, and where the author(s)/owners of the code are referred to, is any different than publishing excerpts from a book in order to expose, say racist sentiment.

  • Other side? (Score:5, Insightful)

    by BillFarber ( 641417 ) on Wednesday March 31, 2004 @01:04PM (#8727019)
    The court of Slashdot seems to be siding against the French judicial system, but shouldn't we hear their side of the story first? I'm not saying this guy is lying - just that there are two sides to every story.
    • No other side (Score:5, Informative)

      by greppling ( 601175 ) on Wednesday March 31, 2004 @02:22PM (#8727906)
      Unless he is lying extremely grossly (about which we would have gotten to know about it by now), I really cannot see how there can be a "other side" that is worth hearing.

      I read his originial analysis (in french) of this antivirus software which, according to him, prompted the charges of "counterfeiting". This article contains a description of the software, a section about "exploits" (you will agree about my question marks in a minute), a section where he demonstrates false positives, a test against a couple of known viruses, a short section about 2 points he liked about the software, then a list of detailed suggestions to improve the product, and finally an epilogue on the response from the company.

      Probably didn't like the first suggestion for improvement "First of all: stop making believe that Viguard can do miracles." (The other suggestions are completely technical.) But let's focus on section 2, containing the 6 "exploits":

      • 2.2 Deactivating Viguard by simulating the mouse-clicks with which a human would deactivate it
      • 2.3 Just use TerminateProcess() (the windows equivalent of kill -9 if I understand correctly)
      • 2.4 Add the md5sum of the trojan to an (unencrypted) whitelist of md5sums maintained by Viguard
      • 2.5 In each directory, Viguard maintains a file "certify.bvd" which lists all known-good executables in this directory, "encrypted" by a XOR with a fixed key. So a virus just has to install itself in a new directory along with the appropriate certify.bvd file.
      • 2.6 "For a good laugh": Rename a virus from .exe to .bat
      • 2.7 Almost the same as 2.5.
      All completely trivial. The only thing that comes close to the counterfeiting charges is that he offered programs for download that decrypt the configuration file and the certify.bvd files (both "encrypted" by XOR with a constant and short byte sequence).
  • by WildBeast ( 189336 ) on Wednesday March 31, 2004 @01:07PM (#8727060) Journal
    I remember some articles on Slashdot about something like this happening to hackers like that. Obviously this hacker missed those articles. And now with all the terrorist crap and new laws, it's very easy to put people in prison for anything.
  • by weld ( 4477 ) on Wednesday March 31, 2004 @01:12PM (#8727114)
    At a recent Yale conference, Digital Cops in a Virtual Environment [yale.edu], Jennifer Granick [granick.com] presented a paper, Computer Crimes and Intermediary Liability: The Case for Protecting Vulnerability Publications [yale.edu] on the legality of publishing vulnerability information.

    Vulnerabilities in security products, especially those making outrageous claims, need to be exposed.

    excerpt from NAI ePolicy Orchestrator Format String Vulnerability [atstake.com]

    "When deploying new security products within the enterprise, organizations should understand the risks that new security solutions may introduce."

    -weld

  • by rfrenzob ( 163001 ) on Wednesday March 31, 2004 @01:13PM (#8727122)
    Computer security can be increased by the following methods:

    1) Deny the flaw exists
    2) Sue the person who discovered the flaw under the DMCA or something similar in your locale
    3) Blame "hax0rs" who write tools like diff
    4) "Donate" to campagin funds of elected officals who pass laws that make security research a federal crime

    Not an all inclusive list, but it should be a good start for your security minded company or .com
  • by Anthony Boyd ( 242971 ) on Wednesday March 31, 2004 @01:26PM (#8727270) Homepage

    <cynicism>
    I have no sympathy for terrorists. I'm glad this company is protecting us.
    <cynicism>

  • by Catbeller ( 118204 ) on Wednesday March 31, 2004 @01:33PM (#8727334) Homepage
    I've mentioned it, over and over on various fora since 9/11: anti-terrorist laws were not written to prosecute terrorists.

    All over the world, these travesties are now in place. For "evil to succeed", now all that is required is to redefine "terrorism". And we're well on the way for that: now reverse engineering is "terrorism". A marijuana smoker is a terrorist. Someone who criticizes the American government, like Bill Maher, can be advised to "watch what he says". Eventually EVERY infraction can be redefined as terrorism. The ground's the limit.

    For the life of me, I cannot see the difference between the Red Nightmare so feared for the last century by the Right, and what the Right is building for us now. Besides a lot of wealthy people and the option to own your own property, what is the real difference between the old Soviet empire and the Brave New World being built by our new jailors?

    What we're witnessing is a anti-civil rights movement across the world. The various governments and police/military/spy boys are in the middle of building a new system of law only tangentally related to English common law and the American constitution. They are creating a new world of harsh law unbounded by the rights of man. Altho as many have noticed, corporations aren't men, and aren't bound by any of these new paradigms.

    I don't have to even bother finding examples anymore. It's happening every day. Faster and faster, impossible to monitor because it's happening too fast for a single human mind to keep track of it all.

    The "terrorism" war is a crock. They aren't using these spiffy new un-laws to capture bombers and the other usual stereotypes. They're using them against US.
  • Once again (Score:5, Insightful)

    by KalvinB ( 205500 ) on Wednesday March 31, 2004 @01:40PM (#8727398) Homepage
    stop going through the wrong chain of command with these issues.

    First you take it to the company. And if they won't listen you take it to the authorities and they can decide if the company is defrauding their clients with false promises and whatnot. And if they won't listen you throw your hands up in the air and unless you know a company personally who uses the software you just let it go.

    Making it public information just makes the danger to the companies very real and very much now which in fact punishes them by not giving them time to deal with the issue.

    Unless you have a feasible immidiate solution to go with your findings all you're doing is sabatosing a lot of innocent companies who had no way to know and you've just tied their hands behind their backs and made them sitting ducks. Companies cannot just shut down software at a moments notice.

    And here's a nutty idea, if you're really obsessed with finding holes in a certain company's software seek a job. The obvious problem is that you're a problem person. You find problems and that's it. That doesn't help anybody. And when you then blackmail people with this information by going public if they don't deal with it, no duh you're going to get in trouble.

    If you're sincere about helping the company you find the problems, find the best solutions you can with the information you have and then go to the company and explain the situation and tell them you'd like to help and know how to fix the problems but need access to the source to do so. You then request a job as a programmer and get to work if they hire you. If they don't hire you, you leave them with your findings and move on.

    If you ever, in the process of these discussions, even hint at going public it's called blackmail and you'll rightfully be thrown in jail. Give one copy of your findings to the company and one copy to the proper authorities. That's it.

    By pressing the issue you assume you have some kind of right to tell the company what to do. You also assume that the company isn't working on the issue. And you also assume that the company owes you some kind of update on the status of the issue. Which are all three very wrong assumptions unless you actually work for the company and are in an upper position. By going public you've basically forced the company into a bad position because they didn't act in a time frame you thought was fast enough. You don't have a right to do that. DMCA or not.

    If you don't have a feasible immediate solution to go with the problems you've found going public is just hurting everyone and helping no one.

    If this is something you like to do, you should have gotten a job so that you'd be recognized as a legitimate software security expert that companies can hire for testing their software. But now you've kinda screwed yourself because nobody can trust you to work within the system. Your mouth is too big for the job.

    You've made yourself singularly responsible for anything bad that happens because of your findings. Instead of an "I told you so" you would have earned by going through the proper channels you earned an "it's your fault." Because you assumed anyone could have found and exploited the problem and now they can.

    Let the bad guys go public. If you have no solution and you go public without permission, you are the bad guy. With Open Source you have all the permission in the world to report hacks without posting solutions. Work on Open Source if you can't stand keeping secrets.

    Ben
    • Re:Once again (Score:4, Informative)

      by nate1138 ( 325593 ) on Wednesday March 31, 2004 @02:47PM (#8728208)
      stop going through the wrong chain of command with these issues

      What chain of command? If this company isn't paying his salary, he has NO obligation to tell them shit.

      punishes them by not giving them time to deal with the issue.

      And do you argue that companies that make claims like "catches 100% of known and unknown viruses" don't deserve to be punished for blatantly lying to the public?

      all you're doing is sabatosing a lot of innocent companies

      See the above point

      The obvious problem is that you're a problem person. You find problems and that's it. That doesn't help anybody.

      You don't think that finding problems in software that people rely on is helping? Would you prefer that people continue on with the illusion of security where none acutally exists?

      If you ever, in the process of these discussions, even hint at going public it's called blackmail

      Now there's the uninformed legal opinion I have come to expect from Slashdot. It's not blackmail unless you ask for money. Going public is pretty much standard practice in the security biz.

      And you also assume that the company owes you some kind of update on the status of the issue. Which are all three very wrong assumptions unless you actually work for the company

      So their customers have no right to status updates on problems with a product that they have purchased?

      Go home and read a book
  • by spood ( 256582 ) on Wednesday March 31, 2004 @02:19PM (#8727868) Homepage Journal
    This paragraph really hit home:
    There is something very strange when you are in front of the judge who is doing the preliminary investigation: we do not speak the same language. I'm unable to understand law jargon, and the person in front of me does not understand anything about computer security and the internet. The lawyer is supposed to be the translator. But the lawyer in this case cannot speak during my declarations. It's kind of weird. You have to find a good argumentation, try to explain in simple words complex methods, how programs work, try to show that the accusations of the company are basically void.
    Justice is supposed to be blind, but not the judges. I think that is the single biggest problem we face with existing computer crime legislation - neither the legislators nor the judges understand what it is that the law is actually saying.

    BTW, I really enjoyed your steganography articles. It's comforting to realize just how difficult it is to implement stego correctly. It really puts mainstream media hand-waving about terrorist use of steganography into perspective.
  • by christophe ( 36267 ) on Wednesday March 31, 2004 @02:26PM (#8727941) Journal
    A few years ago, Serge Humpich discovered a flaw in the French smart-card payment system, and proved that it was possible to get money from an ATM with a false card ; he never earned money with it and just showed journalists he could get money, and gave it back.
    Banks sued him, and won: 10 months jails (deferred), about 4000 euros to pay (amends+banks' laywers fee). Technically, he was guilty of "unallowed access to a computer system". Banks have denied that the flaw existed but changed their system ; it didn't prevent many false cards to appear in the following years. Disgusted, Humpich wrote a book ('Le Cerveau Bleu').

    Although similar, I hope it won't finish the same way. Guillermito didn't crack any computer, so the Humpich precedent does not apply. The European version of the DMCA is not yet voted in France (it won't last), and copyright infringment claims are stupid. But America does not have the monopoly of technically illiterate judges, and he influence of good lawyers, as was already shown in his case. The "terrorist" accusation should be enough to sue ("diffamation"). Ironically, cryptography and stenography are supposed to be terrorists' tools!

    I'd say he should contact "60 millions de consommateurs" and "UFC-Que Choisir", two powerful consumer organizations.

  • by NewtonsLaw ( 409638 ) on Wednesday March 31, 2004 @03:42PM (#8728949)
    The NZ government has gone out of their way to try and destroy my life since I publicized the risks associated with home-built cruise missiles.

    I still have my missile (largely due to the fact that a network of friends have stored it safely in such a way that I can honestly say "I have no idea where it is") and had considered taking it on a tour of the country so that people could actually see what I've been talking about.

    My lawyer advises me however, that to do so would almost certainly result in a very severe prison term. After all, they've already broken the law in respect to the actions they've taken against me so they've proven that, as far as they're concerned, the ends justifies the means.

    He's strongly of the opinion that the government is just itching for an excuse to throw me in jail on some trumped-up terrorism charge because I've become such a thorn in their side.

    In this country It's not illegal to build a cruise missile, and it's not even illegal to own one, nor is it illegal to transport one -- but, as a criminal lawyer of long standing he made it quite clear to me that under the new anti-terrorism laws we now live in a police state and that the government can do whatever it wants to who-ever it wants to -- by simply accusing them of terrorist activities.

    In the case of my tour, they'd likely accuse me of moving the missile as the precursor to a terrorist action.

    It wouldn't matter whether they were able to win such a trumped-up case, because here in NZ (as in the USA), people accused of such things seem to spend inordinately long periods of time in jail just waiting for their case to come to court. We have a guy here who's been in prison for 16 months already and, even though our High Court ruled [nzherald.co.nz] just the other day that the head of our Security Inteligence Service had shown bias against the guy and has had to resign -- the imprisoned "suspect" is still having to wait at least another 6 months for his day in court.

    It makes no difference apparently, that I've always been totally open in my activities and the reasoning behind them, and was planning to have a media contingent on my little tour. I don't recall any *real* terrorists inviting the media along on one of their attacks or offering to share all their information with the government.

    I don't know whether I should really angry that governments have used the war against terror to give themselves such draconian powers, or if I should feel sad that the public are allowing them to do this without even a whimper.

    I suspect that we will eventually regard these days as a dark period in the world's history -- not because of terrorist activities, but because so many people gave up so many freedoms so easily.

    P.T. Barnum was right I'm afraid :-(

GREAT MOMENTS IN HISTORY (#7): April 2, 1751 Issac Newton becomes discouraged when he falls up a flight of stairs.

Working...