Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
Censorship Government Security The Courts The Internet Your Rights Online News

Publishing Exploit Code Ruled Illegal In France 362

Dexter writes "A French Court has condemned the security researcher Guillame Tena for publishing a security vulnerability in the Viguard anti-virus software of Tegam. This ruling makes the publication of security vulnerabilities and their proof of concept through reverse engneering illegal in France."
This discussion has been archived. No new comments can be posted.

Publishing Exploit Code Ruled Illegal In France

Comments Filter:
  • by fembots ( 753724 ) on Wednesday March 09, 2005 @03:18PM (#11892632) Homepage
    What good is it to publish software vulnerability, especially on closed source products?

    If one really wants to help, isn't it better to inform the software maker? If the latter couldn't care less, maybe one shouldn't care more?

    However, as the friendly article pointed out, the fine was for a copyright infringement charge, so it looks like you can still publish a vulnerability as long as it is subtle enough.
    • ACBM [acbm.com] publishes Pirates Mag which also describes such exploits.
      They once had to postpone one publications for a long time because they deontologically refuse to publish some story concerning a product that would not be patched.
      Now it was supposed to help others to protect similar products.
    • by crazyeddie740 ( 785275 ) on Wednesday March 09, 2005 @03:24PM (#11892733) Journal
      I think the general rule of thumb is to inform the software publisher first, and then go public after they've had a chance to fix it. Going public forces the publisher to fix the problem if it hasn't already, and it let's the public know that there's a problem and they should do an update. (Or if the publisher still hasn't fixed the problem, switch to a different program.) According to the article the article links to, the copyright infringement charge is somewhat similar to the anti-DeCSS application of the DMCA. The researcher, AFAICT, is being sued because he *reversed engineered* the program, which is a traditionally accepted practice.
      • by 4of12 ( 97621 ) on Wednesday March 09, 2005 @04:20PM (#11893473) Homepage Journal

        Going public forces the publisher to fix the problem if it hasn't already, and it let's the public know that there's a problem and they should do an update.

        I agree, going to the author first with an exploit is good etiquette. And that going public afterwards is important, too, after some decent interval that is as short as possible.

        Public disclosure gives the software user a tool to test just how vulnerable he is and whether various stopgap measures provide adequate protection against the exploit. Public disclosure is better than just having exclusive disclosure to black hats and vendors, IMHO.

      • by Mattcelt ( 454751 ) on Wednesday March 09, 2005 @04:24PM (#11893503)
        Remember that this is the country that for a LONG time outlawed encryption outright. Businesses couldn't even use it to protect their internal communication... Then they complained when the US NSA got wind of some less-than-honest business practices Airbus was using to get a contract.

        They might be vying with the Aussie minister for the "world's biggest luddite" award...

        And as for the google debacle... if I were Google, I'd consider pulling out of France altogether. Let them see what a world without Google is like.

        It's not that I don't like the French, but geez, they seem to be exceeding the limits of common sense lately.
    • by John Fulmer ( 5840 ) on Wednesday March 09, 2005 @03:25PM (#11892747)
      The 'good' is that it keeps closed source vendors honest.

      The 'full disclosure' idea came about because of the frustration of sysadmins finding security holes, and not being able to get the vendor to take it seriously.

      Good 'full disclosure' first notifies the vendor, and then if within a reasonable time the vendor takes no action or there is no response you disclose to something like BugTraq.

      It's been the reason that Microsoft and other vendors take such bugs VERY seriously. But they would be more than happy if it all just went away, or was criminialized.

      You decide which is more valuable: A company keeping their PR image spotless, or getting serious software bugs fixed.

      • by Anonymous Coward
        You decide which is more valuable: A company keeping their PR image spotless, or getting serious software bugs fixed.

        How about, not going to jail for disclosing a bug! It's very valuable to me!
      • by nurd68 ( 235535 ) on Wednesday March 09, 2005 @03:29PM (#11892817) Homepage
        Actually, if memory serves, MS *does* control these situations. If you are a Microsoft Partner (I don't know at which level this restriction starts, but I think it's just about any partner), then you are required to disclose the vulnerability to Microsoft, and cannot disclose it publically until Microsoft allows you to. Failure to adhere to this results in a loss of your favored status.
        • by nurd68 ( 235535 ) on Wednesday March 09, 2005 @04:23PM (#11893497) Homepage
          Since folks moderated this so highly, here's more info:

          http://www.windowsitpro.com/Article/ArticleID/24 80 6/24806.html

          It's one of the conditions of being a "Gold Level" partner.

          Of course, this makes one realize how nonsensical the "window of vulnerability" arguments comparing Windows vs. Linux security are. For those of you who don't know, these arguments compare how much time time from announcement of a vulnerability to the time that the patch comes out. The F/OSS community is big into full disclosure, and the MS community isn't, so, the MS Window of vunlerability is almost always smaller, hence leading to claims that it's more secure. That is, until someone finds a bug that's been swept under the rug for a couple years and uses it to make the next Nimda.
      • by lukewarmfusion ( 726141 ) on Wednesday March 09, 2005 @03:33PM (#11892892) Homepage Journal
        If a company doesn't fix a problem that's brought to their attention, published or not, they could be found negligent for damages as a result of that security hole.

        Can you really make a secure system? Open source or closed, there are going to be security risks. So what happens if the security hole would be so expensive to fix that you simply couldn't afford to address it? Keeping it quiet, while not always effective or preferred, is still security (through obscurity).

        I discover security holes in web applications all the time. My protocol is to stop once I've proven it's possible to compromise, notify the company of the issue, the implications of the hole, and ways to go about fixing it. I always include a link to my company's website, but I never threaten to publish it or do anything that might be construed as extortion. I've never been accused to wrongdoing, I usually get a big thank you, and sometimes it lands me a meeting - which is where they become clients.

        People generally appreciate a helpful tip, whether it's a "you have a word spelled wrong on your site" or "you have a SQL Injection vulnerability on your site." Just don't be an ass about it.
        • by Ohreally_factor ( 593551 ) on Wednesday March 09, 2005 @03:47PM (#11893082) Journal
          If a company doesn't fix a problem that's brought to their attention, published or not, they could be found negligent for damages as a result of that security hole.

          Read any good EULAs lately?
          • Found any EULAs where the "we're not responsible for the fact that our software really sucks, and if it causes you a beeeleeon dollars in damages, you can't sue us, nyaa nyaa" clause has actually been tested and held up in court?

            Seems to me that you can put anything in a EULA. Getting it enforced in a court of law is yet another thing.
        • by Retric ( 704075 ) on Wednesday March 09, 2005 @04:08PM (#11893336)
          Can you really make a secure system?

          Yes.

          Security is not a hard problem. It does add to both the cost and complexity of a system though. The problem is most people avoid the issue or try and make some sort of wrapper around there software that makes it secure. Mostly it's people not separating the data that is moving though the system from the system it's self which leads to security problems. When you treat every interaction a system has with the outside world as a hostile transaction you can make vary secure software. But, few people really want to build secure systems, mostly its just get it out the door fast which is why you keep seeing companies with there pants down.

          As to your idea that some bugs are to expensive to fix well that's like saying well we made the bridge. It come in early and under budget, granted it would fall down if anyone ever tried to use it but hay that's not our problem. Yes, you can build a system that's not secure at lower cost, but if a bank get's hacked because they where using your software then clearly you did not do your job.

          PS: Yea, sorry that came off as a rant it just pisses me off that people accept that there systems can and will be hacked but hey so does everyone else's so it's ok.
          • by WhiplashII ( 542766 ) on Wednesday March 09, 2005 @04:31PM (#11893584) Homepage Journal
            I agree that people could do far more than most currently do, but a "secure system" is a myth. My servers run full custom Java code, all data access is handled by wrappers that isolate the data to make various insertion attacks impossible, but it is not unhackable.

            For instance, if a flaw is found in the DNS library for linux such that if you look up a specific hostname you can take over the machine - you could pass that parameter as your email address. When the email address is checked for validity, bam - there goes the server.

            Computers, specifically OS interactions, have gotten so complex that security can only be increased, not achieved.

        • This doesn't help a sysadmin who has deployed this software. If you give that sysadmin a proof of concept he or she can go about blocking the attack on the firewall, by disabling a service, etc until a real patch is made.

          It's not about suing companies for building insecure software, it's about keeping your own data secure.
    • It is better to first caution the software vendor. The ethical question of what to do in the case of ignorant companies is discussed here [123helpme.com].
    • by maotx ( 765127 ) <maotxNO@SPAMyahoo.com> on Wednesday March 09, 2005 @03:37PM (#11892937)
      Lets say I discover exploit in Foo that allows me to have complete control of your computer. Foo is a very popular program used in homes to enterprises. Now lets say I send my exploit to Foo Company Inc. to have them patch it to prevent this horrible exploit from being..well..exploited. Foo sends you a "to-be-done" acknowledgement and thats the last you ever hear from them. Three service packs later and your exploit still works without a problem.
      If you discovered this exploit then so can someone else. This someone else could then use this exploit to their every desire (Think beyond viruses, i.e. blackmail, stock market, etc.)
      What do you do?

      Nag the company to fix it?

      Tell everyone how horrible the company is without proof?

      Release your exploit into the wild to pressure the company in patching it and giving them motivation to pay more attention to security?

      Most exploits that are released typically occur after the vendor has been notified.

      • If you discovered this exploit then so can someone else.

        It's always best to assume that someone already has, before you did. Always look at the worst case scenario. Unfortunately, marketing is king in the tech world, so companies would rather give us the overly optimistic view than the worst case scenario.
      • If you discovered this exploit then so can someone else.

        why do you think ~el8, PHC, AcidBitches, and other anti-sec groups want to outlaw exploit code? once we go to a vendor-only or non-disclosure system, blackhats will rule the roost. if exploits are outlawed ...
      • Neither and both. You do the following:

        1. You contact the company and ask them how long they think it will take to fix the problem.
        2. You ask them when you may release it into the wild and get a definite date/time.

        2a. If they won't give you a definite date/time, make some suggestions and work with them to try to come to some understanding about it.

        2b. If they still won't give you a definite date/time, ask them if you can release a general statement to everyone via something like BugTraq pointing everyon
    • If the [software maker] couldn't care less, maybe one shouldn't care more?

      Um... because if vulnerable software is out there, it can be exploited. As we know with Microsoft's slow Windows patch cycle versus the constant updating of most Linux distros package repositories, it's better to disclose vulnerabilities early, write patches quickly, and distribute a fix before anyone can exploit it. Forcing people not to disclose details just adds one more person and one more vulnerability to the list of ways you

    • by Anonymous Coward

      What good is it to publish software vulnerability, especially on closed source products?

      It punishes the software maker for putting bugs in their software.

      If you notify the software vendor FIRST, you are telling them "It's okay to put out bad software, because someone will do your testing for you, for FREE". However unless you are getting paid for your software testing, you have no obligation to tell anybody anything, or to NOT tell anybody anything.

      Is that the message you want to send to software au

    • by Anonymous Coward
      You would think that vendors would pick up and listen, but as groups like w00w00 have shown, they don't. Sometimes warning the company isn't enough, nor is just publishing the theory. Sometimes someone with know-how must take the literal step of providing a working proof-of-concept before they will take heed. Even then, sometimes the company will only mask the vulnerability instead of addressing it.

      In these instances, be thankful that the "white hats" found it first. The "black hats" are just likely to exp
    • by Kaa ( 21510 ) on Wednesday March 09, 2005 @03:45PM (#11893053) Homepage
      What good is it to publish software vulnerability, especially on closed source products?

      A strange question. People who use these closed-source products (aka "the customers") would certainly be interested in knowing the true capabilities (or lack thereof) of the software they bought. People who are thinking about purchasing that software would be interested as well.

      The head-in-the-sand technique doesn't work all that well in real life.

      If I am running an anti-virus program, I most certainly want to know if that program is a close relative of swiss cheese...

      If one really wants to help, isn't it better to inform the software maker? If the latter couldn't care less, maybe one shouldn't care more?

      More strange questions... Let's see, there was this car, called Pinto, and its maker (Ford) for a while couldn't have cared less about certain umm... deficiencies in its construction and design. Are you suggesting that the proper response to the manufacturer's saying "I don't care" is replying "Oh, how wonderful, this means all is right in the world then"..?

      • A strange question. People who use these closed-source products (aka "the customers") would certainly be interested in knowing the true capabilities (or lack thereof) of the software they bought. People who are thinking about purchasing that software would be interested as well.
        I think you give too much credit to the consumer. Maybe you were talking about enterprise products. You can preach to home users all you want about how many security holes IE has in it and look how many still use it. I don't think a
    • only the outlaws will have exploit knowledge. (to paraphrase a wingnut bumper-sticker)
    • What sort of constitutional free speech protection does a French citizen have? We saw how intricate the law get in America over stuff like this when the DeCSS stuff was a hot topic on Slashdot, but of course that has no bearing on French law.

      Does this ruling actually set any sort of precedent? That would be bad news for both freedom of speech and academic freedoms. From the details it doesn't sound like it, however,; didn't they actually fine him for something else, suspend the fine, and then use the th
      • by Noryungi ( 70322 ) on Wednesday March 09, 2005 @08:54PM (#11895815) Homepage Journal
        Anyone on Slashdot have an understanding of the principles of French Law?

        Yes, I do. I'll try to answer your questions as best as I can.

        What sort of constitutional free speech protection does a French citizen have?

        Free speech is guaranteed, under French law, through (a) the 1789 Declaration of Human Rights, which is a part of the 1958 V Republic Constitution (Google is your friend if you want an English Translation of this text), (b) the UN Charter on Human Rights, of which France is a part and (c) the different European Community treaties, which also protect free speech.

        Please note: The biggest difference with American Law is that 'hate speech' (anti-semitism, racism, fascism, nazism, Holocaust denials, etc) is specifically forbidden under French Law, and will be prosecuted. Anything else is allowed, except that the French government also reserves the right to censor publications in the name of 'national interest' (read: secrets of state). This censorship is very rarely used these days, however.

        Does this ruling actually set any sort of precedent? That would be bad news for both freedom of speech and academic freedoms.

        French Law does not recognize 'precedents'. It recognizes the primacy of law (vs precedents) and French courts do not have to follow precedents (previous decisions) taken by other court, in the absence of a binding law . If a binding law exists, the court has to respect that, and not any precedents.

        This means that, if I publish vulnerabilities on product foobar from French company XYZ, and I am dragged into court, I may well be cleared of all charges. Also, if I win a case, company XYZ would have to pay for both its legal fees and mine. This is a strong deterrent against frivolous lawsuits.

        Of course, the reverse is also true: a future decision may refer to a previous decision (precedent) and condemn me. That's when the legal games and fun begin, so to speak...

        didn't they actually fine him for something else, suspend the fine, and then use the threat of the suspended fine to incent him to stop publishing?

        No, Guillermito was fined because he used an illegal (pirated) copy of the software to find the vulnerabilities he published. Despite the harsh tone of the ruling, he was not really 'fined' ('sursis' means he does not have to come up with the money).

        But, in any case, the court did not render a decision on the crucial matter of finding and publishing vulnerabilities, only on the use of an illegal copy of the software. Seems to me the judges were pretty pissed-off by the hysterical attitude of Tegam (the company who brought the lawsuit).

        Hope this clears up a few things!
    • Just reclassify what you would have called an "exploit" as a "hidden feature".

      As in,

      "Hey there's a great new hidden feature I found in Internet Explorer for people who need to get remote root access their own systems:

      Just load up this javascript + assembly code in a page in the browser, and Internet Explorer will automatically generate a stack overflow, so you can execute the assembly code! What a great new hidden feature I've found."
    • It's long known that security through obscurity doesn't work. This is proven in cryptography. Hiding away an error doesn't make it go away. To mitigate the problem of making it too well known though, a patch warning period would be good to inform, but it should still be independently released for all to see afterward.
    • If there's a remote exploit in say, a firewall application, I want to know about it NOW so that I can either replace it or disable it or whatever.

      If no one tells me about the exploit, then I'm a sitting duck.
  • Blame the victim (Score:5, Insightful)

    by Doc Ruby ( 173196 ) on Wednesday March 09, 2005 @03:19PM (#11892657) Homepage Journal
    What about Tegam? They published the exploit in every copy of Viguard. While telling everyone it would protect them. Why aren't they guilty? What kind of crappy lawyer lets their client get punished for telling the truth about dangerous products?
    • by scottennis ( 225462 ) on Wednesday March 09, 2005 @03:27PM (#11892792) Homepage
      Software? A 'dangerous' product? Well, I did hear about a guy who lost his eye to an early version of Windows, but that was a really freak accident.

      Seriously though, you have a point. If a gas station was selling gasoline with sugar in it (very bad for your car engine) they would be liable for damages. It seems, however, that sofyware companies have no liability for their crappy product. Must be due to those lengthy licenses you agree to by opening the package.

      Maybe gas stations should start printing up a 'licensing' agreement on their pumps.

      "Notice: By lifting the handle, you agree to check the compatability of this product with your vehicle, etc., etc."

      • If a gas station was selling gasoline with sugar in it (very bad for your car engine)

        No, it's not [snopes.com]. Personal datapoint: some idiot put a bunch of sugar into my '68 Mustang's tank when I was in high school. I ran a couple of bottles of fuel treatment through just to be safe, but never noticed anything at all.

      • I know this is going to qualify for -1 nitpick, but:
        If a gas station was selling gasoline with sugar in it (very bad for your car engine)
        It's only bad for the fuel filter and possibly the pump. Sugar is not soluable in petrol, thus it would simply clog the fuel filter. (powdered sugar _may_ be a different story, but I havn't tried that yet.)
        -nB
    • What kind of crappy lawyer lets their client get punished for telling the truth about dangerous products?

      Hutz: Thank you, Dr. Hibbert. I rest my case.
      Judge: You rest your case?
      Hutz: What? Oh no, I thought that was just a figure of speech. CASE CLOSED.
  • Contrary (Score:5, Funny)

    by Ghetto_D ( 670850 ) on Wednesday March 09, 2005 @03:20PM (#11892663)
    I'm sure just to spite France President Bush will make it mandatory for all programmers to post exploits.
    • Re:Contrary (Score:2, Insightful)

      by buhatkj ( 712163 )
      I hope Bush does exactly that. Whatever vulnerabilities a product has, the vendor should be working to find them out on it's own! I'll say this: If I made a piece of software designed to kill virii, I'd be thrilled if somebody told me it had a bug and showed me how to duplicate it. They are basically doing my work for me, for free...what kind of dipstick would ignore, or worse yet, sue them over this?? Just proves the French courts are not taking this seriously, or perhaps the judges are just dumb...tak
    • Didn't you get the memo.. they're now called "freedom 0-days".
    • Au Contraire (Score:3, Interesting)

      by serutan ( 259622 )
      What planet do you guys live on? Just this week the US and France jointly demanded [washingtonpost.com] that Syria pull troops out of Lebanon. Bush himself said, "when the United States and France say withdraw, we mean complete withdrawal." [usatoday.com]

      Doesn't sound to me like they're working at odds.
  • So what ? (Score:2, Insightful)

    by Eu4ria ( 110578 )
    Oh lets make it illegal to find problems in software, then if they cant be found they cant exist right?
  • Watch as the security community suddenly stops notifying the French of holes. I predict they will have to go back on this pretty soon. I just hope mandrake doesn't suffer too much.
  • France (Score:4, Funny)

    by clinko ( 232501 ) on Wednesday March 09, 2005 @03:23PM (#11892716) Journal

    IF instr(HEADLINE, "FRANCE") > 0 THEN
    PONDER_FRENCH_MATTERING
    LAUGH("FRANCE")
    ELSE
    READ_ARTICLE
    END IF

    It's VB (SCREW YOU FOR JUDGING ME!)
  • No details (Score:5, Informative)

    by JaxWeb ( 715417 ) on Wednesday March 09, 2005 @03:25PM (#11892744) Homepage Journal
    You may notice the article has no details.

    I did a Google News Search and found this one which is much better [zdnet.com].

    Also, the guys own website [guillermito2.net].

    Hope this helps.
  • What you don't know can't hurt you, and likewise its corollary: ignorance is bliss. What are their French equivalents?
  • rogue states (Score:3, Interesting)

    by bodrell ( 665409 ) on Wednesday March 09, 2005 @03:27PM (#11892781) Journal
    Thank God we still have rogue states, where the government is either really small or too preoccupied with real problems to enforce these asinine laws.

    Let's hear it for the Virgin Islands and the Bahamas! No software patents there. No export restrictions. True freedom of speech.

  • Why not work to change the law(s) in question? I don't know how French legislative works, perhaps someone can shed some light on the subject?
  • It's simultaneously comforting and terrifying to see that stupid rulings by stupid judges aren't confined to the USA.

    At least I'll feel better about it the next time the 9th Circuit Court of Appeals makes an insane decision.

    LK
  • by JRHelgeson ( 576325 ) on Wednesday March 09, 2005 @03:31PM (#11892845) Homepage Journal
    There are top notch security experts in France, specifically the folks at K-Otik http://www.k-otik.com/

    I'm a security consultant and I look to these folks as a source of reputable information. I spent a LOT of time on their site when Microsoft was trying to deal with the fallout of the MSO3-026 vulnerability which begat the MSBlaster worm. I even got the source code for blaster from the K-Otik crew.

    This is going to have huge ramifications if it is interpreted as described here.
  • Symantec tried this about a year ago [nuclearelephant.com]. Sadly, this is going to affect the businesses of security-based companies all over France.
  • by vidarlo ( 134906 ) <vidarlo@bitsex.net> on Wednesday March 09, 2005 @03:33PM (#11892882) Homepage
    Richard Stallmann has written a text about a future scenario, where owning debuggers is forbidden. It's recomended reading, and at least has showed me why we have to fight for our rights! The Right To Read also carries a informational part, which is non-ficitional, and highly interesting reading. Both parts is here [world-information.org]
  • by Knights who say 'INT ( 708612 ) on Wednesday March 09, 2005 @03:35PM (#11892908) Journal
    There used to be a great geocities-like free web space provider called altern.org.

    I say geocities-like so you get the picture, but it was nothing like geocities. No nonsense interface -- all text, no pictures, no ads --, great webmail interface -- again, all text, no pictures, no ads. It was also the first (maybe the last, I just got my own paid hosting when it got ultracheap -- it wasn't, in the day) free web space provider to support PHP.

    Yes, PHP. In the days where extensions were .phtml. I actually only began mucking around with PHP and server-side scripting because altern.org offered it. I still cook up some solutions with PHP and MySQL -- something that'd never have happened without mr. Valentin Lacambre's Flying Circus.

    Apparently, the whole thing was ran by a techno-anarchist who prophecized in the future technology would make working unnecessary yadda yadda yadda. A sort of techno-optimist Guy Debord.

    One day, one of altern.org's free websites had a parody of a France Telecom logo. Tartalacrem, if I'm not wrong. Legal hell ensued.

    Not only it wasn't covered under any kind of fair use provisions, but France Telecom sued VALENTIN LACAMBRE, THE GUY WHO RAN THE FREE SERVICE.

    Courts rejected his defense of not being responsible for everything hosted in his server as anyone could anonymously host content. Mr. Lacambre was forced to pay up fines and was told he was still responsible for anything held in altern.org.

    So altern.org was taken down. That's France, folks.
  • by kebes ( 861706 ) on Wednesday March 09, 2005 @03:36PM (#11892926) Journal
    just as a side-note: it is possible to publish a description of a vulnerability/weakness without publishing example code that exploits said weakness. Thus, even if providing exploit code is illegal, we can still put pressure on a company to fix a security hole by publicizing an explanation of a security vulnerability.

    (Admitedly, this description could probably be turned into code very quickly by any hacker, but that's not the point.)

    In any case, the article in question is about copyright violation, not making exploit-publication illegal.
  • They will publich remotely using servers in a 3rd country. The info can still be obtained. When will the bureaucracy understand how today's IT world operates? Heck, drugs (cocaine, marijuana) and the like are illegal but still obtainable by anyone who trys.
  • by k98sven ( 324383 ) on Wednesday March 09, 2005 @03:41PM (#11892997) Journal
    Sorry, but the source here is a Blog post, which in turn refers to the convicted guy's home page.

    Nowhere does it say what, exactly the guy was convicted of, or why. So how are we possibly supposed to be able to react to this?

    I have a hard time accepting statements like:
    This ruling can cripple the security research in France, making it illegal to publish security vulnerabilities or the proof thereof by reverse engineering. Without being able to tamper software the actually studying and consequent publication of vulnerabilities is made impossible.

    Without seeing the judgement or at least a description of it from a neutral source.

    Reverse engineering is legal in Europe, and is a protected right under European law. (91/250/EEC [eu.int], article 6.)

    I have a strong feeling the whole story is not being given here.
  • by panurge ( 573432 ) on Wednesday March 09, 2005 @03:42PM (#11893009)
    This is like the McLibel case in the UK. In short, two individuals passed out London Greenpeace leaflets criticising a well known fast food chain. They were sued for libel. After a trial costing millions, in which the defendants were not legally represented because they could not afford it and the UK government refused to assist them, the judge awarded derisory damages. Both the UK Government and the fast food chain spent a lot of money buying lawyers yet another country mansion, yacht etc. The European court has just ruled the trial unfair for this reason, and tghe fast food chain has just had a second huge swathe of adverse publicity as the original case is dragged up again and the sheer unfairness of large corporation versus small individual is rehashed.

    In this case an appeal to the European Court on grounds of effective suppression of fair comment sounds as though it might just be possible if funds were somehow made available. It seems on the fac of it obvious that the real reason for the case was a corporation trying to prevent any adverse publicity and using its superior economic power to get the decision it wanted, but it will need expensive experienced judges to point out what seems obvious to the majority of people.

    • Leaflet [mcspotlight.org]

      Considering a lot of what they are saying and implying, I can understand why McDonalds's is suing. Lets start with McDonald's is directly involved in this economic imperialism, which keeps most black people poor and hungry while many whites grow fat. Hmm... like I've never seen a black person eat at Mics before nor a skiny white guy.
  • Ruling make illegal? (Score:3, Interesting)

    by Zphbeeblbrox ( 816582 ) <zaphar@gmail.com> on Wednesday March 09, 2005 @03:43PM (#11893024) Homepage
    It has always annoys me when people say a ruling makes something illegal. Rulings don't make something illegal. Laws make things illegal. Rulings just enforce those laws. So either it was already illegal in the law or the court overstepped their bounds. Happens all the time here in the states. The courts say something is illegal and we just blithely go on about our business never once questioning whether they have the right to create law or not.
    • Nonsensel? (Score:3, Interesting)

      by bstadil ( 7110 )
      The interpretation of law changes all the time.

      Just look recently ruling where the Supreme COurt overturned Execution of Minors. Did the written law change? No! In the argument the majority argued that world opinion and decency standards had changed.

    • Well, some opinions are just interpretations of laws. But in the US, we have a common law system, so yes, at times the courts do create laws. Since this dates back to the courts set up in England after the Norman Conquest, no one's really bothered complaining about it for a few centuries. It all works okay.
  • This ruling makes the publication of security vulnerabilities and their proof of concept through reverse engneering illegal in France.

    Awesome! French software manufacturers can now use the threat of prosecution to avoid having faulty software criticized. French software manufacturers thus have less incentive to fix their broken software products.

    Hopefully the French will start buying their software products from America!

  • by dago ( 25724 ) on Wednesday March 09, 2005 @03:44PM (#11893033)
    It would be nice if somebody could point to the detailed condamnation and the motivations.

    For all I've been able to (quickly) find, he has been condemned for intellectual property, namely counterfeiting.
    One possibility is that it's becausehe has published source code, which looks strange because it would be probably be the fair use (short citation for eduction).
    But it's probably because he pirated Tegam's software and didn't buy it.

    You can also read on this lawyer blog [eolas.free.fr] that

    "Il ne faut pas interpréter cette décision comme une condamnation du (EDIT : full disclosure), à mon sens : la même chose faite sur un programme licite ne tomberait probablement pas sous le coup de la loi."
    So that it is NOT condemning full disclosure and that such publiction made on a legal software wouldn't be sanctionned.

    At the moment, it really looks like some people are screaming as loud as possible about that, but until the details are know that just PR operations from Guillermito and the others.

  • by Spy der Mann ( 805235 ) <spydermann.slash ... com minus distro> on Wednesday March 09, 2005 @03:49PM (#11893104) Homepage Journal
    A vulnerability has been found in France's new legislation regarding publication of exploits.

    The legislation has a loophole that allows people to give such info to 3rd parties outside France so they can publish such exploit.

    The government's illegality detection can be easily bypassed with an SSL connection, provided one does not disclose his identity.

    Proof of concept [siteoutsidefrance.com]
  • ...why not the hackers too?
  • by Anonymous Coward on Wednesday March 09, 2005 @03:52PM (#11893154)
    Tegam refutes his claims... [viguard.com]

    and

    Tegam is adamant that Tena's claims are false and his motives are questionable. [zdnet.com.au]

    BTW, was it already illegal in France to do what he did? If so, then the people should get the laws changed, not trash the judeges and judicial system for doing their jobs by upholding them...

  • Everybody already knows that the secret to getting past the Maginot Line is to simply go around it.

    Even if nobody was allowed to talk about it, everybody would still know how to defeat it.
  • Doesn't France have free speech rights? I thought the USA was getting bad with slowing taking rights away from citizens and giving them to the government or corporations. It seems like France just beat out the USA IMO.

    It looks like the rest of the world has pretty much caught up with the USA. France denies free speech, the EU bows to big corps and OKs software patents, AU is considering fines for people or corporations if they use the Internet to incite or promote suicide methods.

    Is there any decent

    • Re:Free speech? (Score:3, Interesting)

      by SysKoll ( 48967 )
      France has no free speech rights anywhere in its constitution or laws. Actually, the French "Law on the Freedom of the Press" is regularly amended to increasingly restrict -- you guessed it -- the freedom of the press.

      The US have it so good. This only proves that Americans who are hyping the European institutions are totally clueless about Europe.

      You shouldn't take the 1st Amendment as granted.

  • by sverrehu ( 22545 ) on Wednesday March 09, 2005 @04:14PM (#11893394) Homepage
    I found this one quite interesting:
    http://www.viguard.com/en/news_view. php?num=88

    Have no idea about the truth, though.
  • As some linked texts say, it seams like he was accused because he did the work on a pirated/cracked version ; he did not buy the software.

    Then I conclude it is more carful to buy the license before publishing security flaws, and then everything is ok. But a question arises : is it possible that a license states that the license holder is forbidden to publish security flaws about the software ? If so, then we are really stuck.
  • Maginot II? (Score:3, Funny)

    by ka9dgx ( 72702 ) on Wednesday March 09, 2005 @05:07PM (#11894016) Homepage Journal
    Of course, the country that gave rise to the Maginot Line [si.edu] is going to want to legislate away anyone who suggests software might be insecure because there are ways around it.

    History doesn't repeat itself, but it sure does rhyme.

    --Mike--

"...a most excellent barbarian ... Genghis Kahn!" -- _Bill And Ted's Excellent Adventure_

Working...