Follow Slashdot stories on Twitter

 



Forgot your password?
typodupeerror
×
The Courts Government Security Bug News

Security Researcher Faces Jail For Finding Bugs 726

An anonymous reader writes "French security researcher Guillaume Tena, who is working at Harvard University, faces 4 months in prison after being sued by Tegam for reverse engineering its Viguard antivirus software and publishing exploit codes for a number of vulnerabilities. According to a ZDNet article, he could also be sued by Tegam for 900,000 euros in damages. More details are available (in french) on Guillaume's website and on the K-OTik's website."
This discussion has been archived. No new comments can be posted.

Security Researcher Faces Jail For Finding Bugs

Comments Filter:
  • Here we go (Score:5, Insightful)

    by lordkuri ( 514498 ) on Monday January 10, 2005 @10:48PM (#11317479)
    And now we have people getting arrested for pointing out someone else's mistake...

    When did greed become more important than helping someone?
    • by Anonymous Coward on Monday January 10, 2005 @10:52PM (#11317508)
      with the same techniques AAA uses when some mom forgets her keys in the ignition, I'd be arrested.


      Most physical security (house locks, car locks, office building locks) is indeed "security through harsh penalties", where the locks are really not much more than an advisory symbol saying "don't do this".

      • by Seumas ( 6865 ) on Monday January 10, 2005 @10:54PM (#11317532)
        If I break in your car with the same techniques AAA uses when some mom forgets her keys in the ignition, I'd be arrested.

        If you bought a car, figured out some ways to break into YOUR OWN CAR, then published those ways to alert other consumers as to the lack of security the car has, should you still be arrested?
        • by eliza_effect ( 715148 ) on Monday January 10, 2005 @11:19PM (#11317722)
          Actually, there are quite a few models of domestic cars (mainly minivans) out durring the late 80s and early 90s that use only about five different key cuts and remote (door open) codes.

          I'll wait patiently here for the police.
          • by AvitarX ( 172628 ) <me&brandywinehundred,org> on Monday January 10, 2005 @11:33PM (#11317803) Journal
            I had a 93 Saturn SL2 with a worn out key (probobly helped).

            I was at the mall and in the general area of my car gravitated to a maroon SL2, unlocked the door started to get in and noticed it was far too clean and had seat covers. I quickly got out and nervously tried to relock the door, but my key did not spin so I left. I didn't want to get into trouble for an honest mistake.

            One time I also locked my keys in the car at a gas station. The attendand was unable to slim jim the door but went back into the shop and got a small saw zaw blade (or maybe a blade for a scrolling saw) with fairly big teeth. It was a little taller then a key but the teeth were about the right size. The attendant then stuck this into the key whole and jiggled for a about 30 seconds while turning and I was in. It took a few minutes to get the blade out though due to the fact that the teether were only slanted on one side.

            Of course getting into cars ain't all that tricky anyway (big windows) and I can't speak for the ignitions.
            • Its real easy to get into most cars. I made a long steel 3/8 inch rod that has a 1 inch 90 deg bend on one end. I then get a large flathead screwdriver and pry the door open at the top opposite the hinges until the rod can slip inside. Then use the hook end to lift or manipulate the door lock. I can do this in under a min with the right car. I helped this woman who drove about 20 miles to look at an appartment by me and locked her keys inside her car. She was so greatful that she game me 20 bucks which i r
            • Keys (Score:3, Interesting)

              by phorm ( 591458 )
              I had an 88 Camry (Toyota). The key for it opened:

              My parent's car (87 Accord)
              Friend's car (Corolla)
              Other Friend's car (Accord)

              Only on the driver's side door though (and no ignition). That being the lock used most often, the tumblers can become worn and easier to open.
          • Yeah, any Ford key used to fit any Ford lock. Once, my mother's car was off the road so she got a lift to work off a colleague in his Cortina {so you know how long ago this was}. At lunchtime, she borrowed his car to go somewhere. He chucked her the keys and off she went ..... A quarter of an hour later, he went out to the car park. His car was still there. My mum was nowhere in sight. Odd. At the end of the lunch hour, she pulled up in a Ford Escort. Not even a Cortina, an Escort! She was mortif
        • wah wah wah with the same old trite complaint. I'll give the same old trite response: apples, oranges. You own the car. With software, you only own the right to use one instance of it - right to use, not right to do whatever you want. Just like a radio station can't go buy a cd at a store and then play it over the airways - when you buy it at the store, you don't buy the rights to do anything and everything you want with it.

          If you'd like a starter course on property law, someone else will have to give

          • by Anonymous Coward on Tuesday January 11, 2005 @01:35AM (#11318503)

            With software, you only own the right to use one instance of it - right to use, not right to do whatever you want.

            Copyright stops you from copying. It does not prevent you from looking at the inner workings of something.

            A book critic can find fault in the language the author uses. A music critic can find fault in the way an instrument is played. A journalist can find fault in the actions of soldiers. Why can't a software engineer find fault in the software he looks at? Oh, that's right, it's e-magical so we have to come up with entirely new sets of laws and ethics.

          • by God! Awful 2 ( 631283 ) on Tuesday January 11, 2005 @01:51AM (#11318570) Journal
            Me, I truly believe information should be free, and only personal information (like, your bank account #'s, passcodes, etc) has any business being private. I'm a big supporter of all our little neo-communist mechanisms in the OSS movement. But really...don't get ownership of a car confused with ownership of software.

            Wow, you wrote a post on /. that:

            1. stated that software is *not* like a car
            2. mentioned OSS and communism in the same sentence

            and you were modded informative, not flamebait?!? You, my friend, are truly a god among gods.

            -a
    • Re:Here we go (Score:3, Insightful)

      by dirkdidit ( 550955 )
      Yes, but rather than pointing that mistake out to the company that produced the software, he pointed the mistake out to the world. I'm sure the company would have taken quite a difference stance on it had he let them know about it first before going public with it.
      • Re:Here we go (Score:2, Insightful)

        by StikyPad ( 445176 )
        Help me [tech4free.com] get an iPod for my 18th birthday!

        OKAY!! I can't think of anything I'd rather do. Here's how I'll help...

        I'll give you three words: GET A JOB.

        Then go out and buy one, and you too can be unique, just like everybody else.
        • "and you too can be unique, just like everybody else"
          That is my theory on why people do stuff like get tattoos and piercings. It's not unique if everyone does it.
          I already thought that and trademarked it so come to my country so I can sue you. :D
      • If the company is making money on the product then they should be going through the work to debug their software. Someone finding and publishing errors in software is doing the public a service, as the public will know to either steer clear of the company writing the bad software, or to contact that company if they're already using it and demand a fix or a refund, as the software company sold them a faulty product.

        If the software maker presses this upon the researcher, the customers need to press the so
        • Re:Here we go (Score:3, Insightful)

          by dirkdidit ( 550955 )
          While I agree that a company should be doing it's own bug testing, there are always going to be certain hardware and software setups that will inevitably cause a problem that the company couldn't have ever imagined.

          Sure, there isn't a law saying this guy should have reported the flaws to the company first before going public, but as a software developer, I always appreciate when people bring bugs to my attention and I try to compensate them justly (such as discounts if they are current customers, etc).
        • by Alwin Henseler ( 640539 ) on Monday January 10, 2005 @11:46PM (#11317872)
          If the software maker presses this upon the researcher, the customers need to press the software maker.

          And my guess is, that's exactly what will happen. The company made a mistake by producing flawed software. The researcher didn't make that mistake, only pointed it out.

          With these flaw(s) pointed out, the company didn't handle it in a grown-up manner. Instead of fixing the mistake, focusses on attacking the messenger. Dumb: mistake #2, again made by the company. And only makes the problem worse.

          So customers may drop the product because it's flawed, stay away from the product/company because it's gaining a bad reputation, and because they dislike the company's response to the issue. Either way, all losses are caused by the company's actions, not by the researcher.

          Regardless of the outcome, any company that handles software quality in this manner deserves to be dropped like a brick. Let's hope the (financial) fall-out for this company will be big.

          • by flargleblarg ( 685368 ) on Tuesday January 11, 2005 @12:33AM (#11318175)

            And my guess is, that's exactly what will happen. The company made a mistake by producing flawed software. The researcher didn't make that mistake, only pointed it out. With these flaw(s) pointed out, the company didn't handle it in a grown-up manner. Instead of fixing the mistake, focusses on attacking the messenger. Dumb: mistake #2, again made by the company. And only makes the problem worse.

            KIRK: "Tegam, what is your purpose?"

            TEGAM: "We are Te-Gam. We produce perfect software. We sterilize imperfections."

            KIRK: "Tegam, you produced flawed software. You are imperfect.

            TEGAM: "We are Te-Gam. We are perfect. We sterilize imperfections."

            KIRK: "Tegam, you produced flawed software. That was your first mistake. You released the software without realizing this. That was your second mistake."

            TEGAM: "Error! Error!"

            KIRK: "Tegam, you handled the Tena situation in a childish manner. Instead of fixing your mistake, you focused on attacking the messenger. You sued the messenger. That was your third mistake.

            TEGAM: "Error! Error! Faulty! Faulty! Must sterilize!"

      • same difference (Score:5, Insightful)

        by Doc Ruby ( 173196 ) on Monday January 10, 2005 @11:03PM (#11317607) Homepage Journal
        Actually, companies usually don't take any different stance when they're notified of their bugs before public disclosure. But at least that gives them the chance. So when published, the disclosure leaves them no recourse to this diseased retaliation; they are more pressured to fix it instead of making matters worse by killing the messenger. In this case, the messenger (apparently) made matters worse, by disclosing publicly (including bad guys) before giving the company a chance to fix the problem. That is a crucial distinction between his somewhat reckless actions and those of other whistleblowers. Integrity demands reporting to the people who can fix the problem first. Even if they do fix it, the vulnerabilities can be published later, to embarass the company out of doing it again amidst even worse publicity. If they don't fix it quick, of course publishing is an option to force them. Unfortunately, I doubt the "group mind" of our media will make the distinction, and we'll all get polarized over the oversimplification of whether or not disclosure is ever appropriate without permission of the malware copyright holders.
        • by jrl ( 4989 ) on Monday January 10, 2005 @11:22PM (#11317731)
          The vulnerability advisory is for the protection of the consumer. It is not to punish the software writer.

          When it comes to vulnerabilities, it is presumptuous to assume that you are the first to discover the bug. We have discovered countless bugs that we've never disclosed to anyone... partly because of fear of this type of retaliation, but mostly due to apathy to the whole mess we call the security industry.

          Whether you inform the vendor first or not is really not consequential. Those who are keeping up to date with information will know about the vulnerability when it becomes public in an advisory and can take their own appropriate actions to defend, even if that means take the resource offline until a patch is made available.

          An uninformed person will not only miss the advisory, but will likely miss the patch as well.

          Also, don't overlook the fact that the vendor is not in control of the information. Since they are not finding the bugs, they are not going to be able to contain the information. This is especially true when "bad" people find and control the information. When a "good" person, IE someone who is sharing the information freely with the public without direct financial gain, decides to donate their time for your benefit, you should respect them and look favorably upon them.

          I don't really care either way, but if I had to choose I'd rather see full and immediate disclosure rather than the find a problem, alert the vendor, and sit there policy that companies are forced to endure.

          It turns out people really like to keep their heads buried in the sand. If they don't know about a problem, maybe it doesn't exist? Darn .. what happened to our customer database... what does "Hacked by Chinese" mean exactly?!?!?!?
          • by Doc Ruby ( 173196 )
            No, we are each addressing an opposing viewpoint on "the point". I believe the consumer is better served by informing the developer first (in cases like this, closed source), because they have a significant advantage in fixing the software. After a short time (maybe a day, maybe an hour, maybe a week, depending on the nature of the bug), if the developer has not convincingly responded that they'll fix it quickly, it's time to go public anyway. After a similarly short time from disclosure without a fix, it i
          • Time to stop. (Score:5, Insightful)

            by killjoe ( 766577 ) on Tuesday January 11, 2005 @01:04AM (#11318352)
            It's high time people stopped informing companies about security holes. It's perfectly OK to let the coders of open source projects know about security holes because they are not going to sue you. If you find a hole in a commercial product just announce it anonymously on the usenet and let it go.
        • Re:same difference (Score:5, Insightful)

          by grcumb ( 781340 ) on Monday January 10, 2005 @11:35PM (#11317815) Homepage Journal

          "Actually, companies usually don't take any different stance when they're notified of their bugs before public disclosure. But at least that gives them the chance. So when published, the disclosure leaves them no recourse to this diseased retaliation; they are more pressured to fix it instead of making matters worse by killing the messenger. In this case, the messenger (apparently) made matters worse, by disclosing publicly (including bad guys) before giving the company a chance to fix the problem. That is a crucial distinction between his somewhat reckless actions and those of other whistleblowers."

          That's a really decent analysis. Thank you for that. The distinction between acting responsibly and acting foolishly is often a little difficult to discern, especially at first glance.

          The thing that upsets me, though, is that apparently foolhardiness by the whistle blower carries a penalty of over USD 1 million and potential jail time, whereas the (arguably criminal) negligence of software makers seems to carry no cost at all.

          • Re:same difference (Score:3, Interesting)

            by Doc Ruby ( 173196 )
            Yeah, it's fascism (corporate government without corporate governance). Especially since they're "killing the messenger", a mark of fascist propaganda that sends fear among potential whistleblowers. This fascist wave is rising inexorably, and software is its natural element.
        • In theory. (Score:3, Insightful)

          by Chris Burke ( 6130 )
          Actually, companies usually don't take any different stance when they're notified of their bugs before public disclosure. But at least that gives them the chance.

          The chance to what? Sue or threaten to sue the researcher and get a gag order placed on them before they're able to warn the users of the software, preventing the vulnerability from ever being seen?

          I agree that notifying the company first is the responsible thing to do, but only if the company is going to be responsible which fewer and fewer a
      • Re:Here we go (Score:2, Insightful)

        by cyxs ( 242710 )
        And would you like the company that makes your car to get that too if it failed to deploy airbags so that they can figure out the problem and slowly release the update the next time your in an authorized repair center they automaticaly update your onboard computr that deploys airbags?

        For all the people that say this is two different worlds its not, both companies have a right to have there products do what they say there going to do. Nobody thinks that there airbag won't deploy when they get into a crash,
      • Re:Here we go (Score:3, Interesting)

        by haruchai ( 17472 )
        So? What's wrong with that? They are selling their software to secret government agencies - they sell to the general public.
        As far as I'm concerned, if they can tout their software's capabilities to the public, he has the right to showcase its weak points in the same forum.

      • Re:Here we go (Score:3, Informative)

        by 1u3hr ( 530656 )
        Yes, but rather than pointing that mistake out to the company that produced the software, he pointed the mistake out to the world. I'm sure the company would have taken quite a difference stance on it had he let them know about it first before going public with it.

        This was buggy anti-virus software. Users were at risk every day they kept using it. Unlike an OS, which people mostly just have to keep using till a patch is released, it's easy to replace this with something that works better, or at least not

    • Re:Here we go (Score:3, Insightful)

      by ScentCone ( 795499 )
      someone else's mistake

      So, there are lots of makers of expensive vaults and safes. Some are better than others. If you deliberately post information on how to break into the good (but not the best) models, are you pointing out mistakes, or providing assistance to those that thrive on such vulnerabilities? I say the latter. It's all about the venue in which you present the info. Sending an e-mail to the maker is one thing, but posting it online, no matter how much of semi-good-intentioned drama queen you a
      • Re:Here we go (Score:4, Insightful)

        by smokeslikeapoet ( 598750 ) <wfpearson@@@gmail...com> on Tuesday January 11, 2005 @03:05AM (#11318818) Homepage Journal
        Lets get this straight. Lets say Consumer Reports did a review of 4 safes: Safe A and Safe B can be opened with a fingernail file, Safe C can be opened with a bobby pin. Safe D was inpenatrable with known methods, so buy that one.

        Should Consumer Reports, their reporters, or editors be criminaly or finacially liable for posting the exploits? Should they contact the manufacturer and not inform the public? Should they be applauded and rewarded for offering the consumer a service? I'm sure your smart enough to figure out the answer there.

        If my antivirus software or firewall isn't secure than I sure as hell want to know about it!!!
    • Re:Here we go (Score:3, Insightful)

      by lordkuri ( 514498 )
      how in the hell is that a troll? It's an honest question!

      fucking moderators on this site need to be kicked in the head

      yeah *this post* is a troll, have at it
    • Re:Here we go (Score:3, Insightful)

      by Grab ( 126025 )
      Here we go indeed.

      The guy didn't just "point out someone else's mistake" - he produced and published exploits to allow access into the system. /. analogies are always dodgy, but what he's done is like duplicating someone's front door key a thousand times and standing on a street corner in the local Cracktown handing keys out to everyone who walks past.

      You want to point out a mistake, there's plenty of legitimate channels for doing so which don't involve hackers (or crackers, if you prefer the outdated ear
  • by linolium ( 713219 ) on Monday January 10, 2005 @10:49PM (#11317485)
    This was definitely unfair and uncalled for if his intention was to notify the company of their product's defects, or if he already did but got no response. On the other hand, if he only wanted to hinder the company, he is at fault. But even then, he's got a pretty harsh reprimand.
    • Hacked by Chinese! (Score:3, Insightful)

      by jrl ( 4989 )
      The vulnerability advisory is for the protection of the consumer. It is not to punish the software writer.

      When it comes to vulnerabilities, it is presumptuous to assume that you are the first to discover the bug. We have discovered countless bugs that we've never disclosed to anyone... partly because of fear of this type of retaliation, but mostly due to apathy to the whole mess we call the security industry.

      Whether you inform the vendor first or not is really not consequential. Those who are keeping up
    • by khrtt ( 701691 ) on Tuesday January 11, 2005 @12:34AM (#11318186)
      What were his intentions?

      Who gives a fuck?

      If you are a security researcher, you look for security holes, right? If you are a responsible researcher, and you find some security holes, you better publish them, right? Right? RIGHT?

      WRONG!! Hear ya, hear ya, hear ya, from now on doing the responsible thing will get you jail time, and a stiff $900,000 bill. From now on, the right, responsible, thing to do when you find security holes is to sell them to spam virus hackers. That way you:

      1. Never get caught.
      2. Profit (note lack of ... item).

      No moral problems either, since the company who looses is the bunch of asshats who'd put you in jail for pointing out their bug, and the people who get spammed are the same shitheads that made the stupid law possible.

      Fuck, I'm pissed. Better go drink my milk. Good thing I'm not a security researcher.
  • What's next? (Score:4, Insightful)

    by DamienNightbane ( 768702 ) * on Monday January 10, 2005 @10:52PM (#11317507)
    Will the little Dutch boy be executed for sticking his finger in the dike?
  • by Anonymous Coward on Monday January 10, 2005 @10:52PM (#11317520)
    Reverse Engineering isn't illegal, certainly finding that "Unlike the advertising claimed, this software didn't detect and stop '100 percent of viruses'" isn't illegal, surely it should be lauded.

    The company had two options. Take on board the issues and fix them, or get in a hissy fit. They got in a hissy fit. Well done. Instead of responding to issues that software does have in an adult manner, they've just made themselves look petty and bad.
    • they've just made themselves look petty and bad

      They make themselves look like idiots but they make this guys life hell while they are doing it. The sad part is, it may not effect their business (lusers won't know about this) but the cost of a this lawsuit will haunt him for a long time.

      not to mention the chilling precedent. I especially like this quote "If independent researchers are not allowed to freely publish their findings about security software then users will be only have "marketing press rele
    • by jd ( 1658 )
      Unfortunately, we had a terrible plague ravage the land, and its name was the DMCA. Terrible was its fury, as lo, a third of all programmers were laid waste, or at least laid off.

      Under the DMCA, reverse engineering IS illegal. Specifically if it is meant to circumvent copy protection schemes, but in practice the "spirit of the law" could easily be presented as banning all reverse engineering of all kinds.

      To make things worse, the click-through license usually also states that reverse-engineering is proh

  • FYI (Score:5, Informative)

    by daveschroeder ( 516195 ) * on Monday January 10, 2005 @10:54PM (#11317531)
    Just to stave off any rants, this was not US law, a US court, or a US company. He happens to be working "at Harvard" now, but this matter has apparently been taken up in France.
    • He might want to consider either staying in the US, or looking for a nearby country without extradition to France, then...

      p
  • by Lead Butthead ( 321013 ) on Monday January 10, 2005 @10:55PM (#11317539) Journal
    And I thought European courts are a little less boneheaded?
  • by theblacksun ( 523754 ) on Monday January 10, 2005 @10:58PM (#11317563) Journal
    ...in my occasional Europe scan. But yea this just killed that idea. I always forget they have a history of computer cases like this.

    I absolutely hate this backwards shit. Software engineers and governments and everone just best get used to the fact that people are going to reverse engineer everything they can. Until they get used to it, lawmaking is just going to go overboard, stifling development and competition.

    And I believe the proper response to pointing out an error in your system is "Thank You."

  • by Dancin_Santa ( 265275 ) <DancinSanta@gmail.com> on Monday January 10, 2005 @10:59PM (#11317574) Journal
    "To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realised that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site. Then Ford could file a complaint against me," added Tena.

    Well, you see, with a physical object like a car, minor variances in materials and manufacturing can lead to random defects showing up in any specific vehicle.

    With software, unless the media it came on is damaged, it is unlikely that the version that you bought is different from the others sitting next to it on the shelf. Binary copies are exact copies.

    The analogy also doesn't hold because it isn't like "opening the hood" (though I wonder why you'd open the hood to inspect the brakes, but I digress) and taking a look. It is more like he hooked up wires to the control box and did a packet scan on the computer signals in the computer.
    • Re:Bad analogy (Score:4, Insightful)

      by Anonymous Coward on Monday January 10, 2005 @11:13PM (#11317682)
      The analogy also doesn't hold because it isn't like "opening the hood" (though I wonder why you'd open the hood to inspect the brakes, but I digress) and taking a look. It is more like he hooked up wires to the control box and did a packet scan on the computer signals in the computer.

      Which should be equally encouraged.

      If it becomes illegal for people to figure out how things work, we'll find ourselves living in a society of morons (even more than now).

    • Re:Bad analogy (Score:3, Insightful)

      The analogy also doesn't hold because it isn't like "opening the hood" (though I wonder why you'd open the hood to inspect the brakes, but I digress) and taking a look.

      The master cylider for the brake system is under the hood. If you needed to check that, or the level of brake fluid, you'd need to open the hood.

    • Re:Bad analogy (Score:3, Insightful)

      by endx7 ( 706884 )

      Well, you see, with a physical object like a car, minor variances in materials and manufacturing can lead to random defects showing up in any specific vehicle.

      It is also possible for a certain defect to occur in every single car of that model.

      You mention manufacturing flaws. In the case we have here it is a design flaw, which is just as applicable in cars as it is in software.

    • Don't agree... (Score:4, Interesting)

      by pVoid ( 607584 ) on Tuesday January 11, 2005 @12:03AM (#11317968)
      Maybe the analogy is poor, but the idea is the same: for example when Bridgestone's tires were shown to be flawed by design (making SUVs flip if not inflated fully), it was disclosed to the public and the tires were recalled.

      In fact recalls occur very often. Your point about media being damaged is the same as "warranty for parts and labor", reverse engineering is what causes recalls to happen. Two different things. So the analogy, while a bit weak, still holds.

  • by grcumb ( 781340 ) on Monday January 10, 2005 @11:01PM (#11317591) Homepage Journal

    Stories like this are just the Slashdot editors' way of warning us to shut up already about the Firefox rendering errors on this site. 8^)

  • by stubear ( 130454 ) on Monday January 10, 2005 @11:03PM (#11317610)
    ...will the US extradite him given our decreasing friendly relations with France?
  • Tobacco companies are now suing medical research facilities............phockin' pikers....
  • I doubt that this will be held up in a hogher court. I'd be very surprised if it did, but then again it is surprising that this case has gotten so far in the first place.

    Maybe somebody who knows French laws and the Fremch constitution could comment on this? Is science and academic freedom protected in the French constition (as in the German)? If so shouldn't this trump any intellecual property rights?
  • By this logic... (Score:5, Insightful)

    by earthforce_1 ( 454968 ) <earthforce_1&yahoo,com> on Monday January 10, 2005 @11:08PM (#11317650) Journal
    Ralph Nader should have been sued for publishing information on verifiable safety problems and inaccurate odometers in automobiles. Ditto for the one who first broke the story about a certain brand of tire failing on a certain manufacturers SUVs, causing death and injury.

  • karma (Score:5, Funny)

    by frovingslosh ( 582462 ) on Monday January 10, 2005 @11:18PM (#11317716)
    It will all work out. Next time a virus writer gets caught he'll both sue Tegam and have their officer's arrested for reverse engineering his code.
  • by putko ( 753330 ) on Monday January 10, 2005 @11:22PM (#11317730) Homepage Journal
    They do this all the time. Not having a tradition of Common Law, they fall on the wrong side of this all the time.

    Thank God for the First Amendment. For those of you not from the US of A, it guarantees freedom of expression in the most absolute terms. Short of something that incites violence (e.g. "let's kill him") or yelling "fire" in a crowded theater, it is OK. The Pentagon Papers case essentially destroyed "prior restraint" for national secrutiy reasons (as practiced in Britain).

    Even countries that are supposedly as free as the USA are actually not. Politically incorrect things like "tribe A is stupider than tribe B" will get you put in jail.

    I'm reminded of the theme song from "Team America: World Police". Too rude to print here, it would probably get you put in jail in some countries.

    Only America could produce someone like "Ol' Dirty Bastard".
    • ...Politically incorrect things like "tribe A is stupider than tribe B" will get you put in jail.

      Er, I might be misunderstanding you, but in the USA you are free to shout racism and hate from the mountaintops, whereas in a lot of European countries you'd get tossed in jail.

      Over here, speech is protected, and that includes virtually all forms of communication. Personally, I prefer it this way too, every now and then I get neo-nazi flyers in my mailbox, but that itself isn't hurting anyone. I'd defend thei
      • It is true that you can be sent to court for "incitation to racial hatred" in France. However shouting anything from the mountaintop will not get you charged under this. You would have to be a high-level politician or in charge of a newspaper, and even then that would not be enough to send you to jail, you only get fined.

        Maybe you've heard of Jean-Marie Le Pen? [frontnational.com] He is an openly racist politician to the extreme far right of the French political spectrum. He's been around for decades and in spite of proferrin
  • Poor phrasing (Score:5, Interesting)

    by rumblin'rabbit ( 711865 ) on Monday January 10, 2005 @11:27PM (#11317773) Journal
    The article says that he faces 4 months in prison after being sued by Tegam.

    The wording seems to imply that he was being sent to prison as a consequence of being sued, but even in France I imagine there's a clear distinction between civil and criminal law. Or have they brought back debtor's prison?

    • Debtor's prison was originally intended to shame wealthy deadbeats into paying their debts. It's only later on that it evolved into incarcerating people with no money until they paid. Just thought you'd like to know.
    • Or have they brought back debtor's prison?

      It is not a prison it is a Freedom Centre.

      Nothing to see here Citizen, move along.
    • Re:Poor phrasing (Score:3, Informative)

      I don't know about France (or US), but in Danish law civil and criminal law is mixed up in two cases. The first is libel, and the other is copyright law. In both cases, private entitites can start a lawsuit with claim of prison sentenses.
  • by tallbill ( 819601 ) on Monday January 10, 2005 @11:46PM (#11317871)
    Suppose he discovered a defect in a car or some other piece of physical hardware. If that defect were severe enough to kill someone and he did not publish his knowledge of the defect, then could he then be held criminally liable and be accused of negligent homocide? Surely the right thing would be to publish the defect and warn the users of the product.

    How did software companies get all of these special rules for them if stuff that doesn't work.? If it were a tire or a car or a bridge or a robot, they could never get away with it. But if software doesn't work we are all supposed to just buy the upgrade.

  • by eno2001 ( 527078 ) on Tuesday January 11, 2005 @12:05AM (#11317982) Homepage Journal
    Full disclosure ensures the best security because it forces accountability. As long as companies continue to try and over up their flaws through litigation, we're ever going to be ab;e to trust their products.
    • Full disclosure ensures the best security because it forces accountability.

      But it gives the script kiddies chance to exploit whatever vulnerability first. Why is full disclosure a better model then a warning and delayed full disclosure?
  • by mmmbeer ( 9963 ) on Tuesday January 11, 2005 @12:07AM (#11317999) Homepage
    This is not an incident which happens overseas only either. A collegue and I contacted an online corportation regarding their trivial XOR encryption of credit card information from its clients, and included exploit code.

    (long story deleted)
    This US company claimed because I had exploit code, I was in posession of its clients credit card numbers and was attempting to extort said company for cash and source code. I got a serious grilling from the FBI, who informed me that I did the wrong thing by reverse engineering their billing code and finding how easy it was to decrypt it.

    I guess the basic idea is that if something is insecure, noone should ever try to get it fixed.
  • by Beryllium Sphere(tm) ( 193358 ) on Tuesday January 11, 2005 @12:45AM (#11318240) Journal
    For anyone interested, just for the sake of presenting both sides, here is the Tegam response [viguard.com].
    • Interesting. In the first paragraph they say the guy's test methodology was inconsistent, and that some of the weaknesses he pointed out don't even exist. And yet, they're suing him...

      Also interesting is this statement about the product in question: ViGUARD's main advantage is that it does not need virus signatures to stop infections. I wonder if it merely protects a system against active infection and doesn't take any action against dormant viruses that are "just passing through"?? Without a signature

  • by melikamp ( 631205 ) on Tuesday January 11, 2005 @01:41AM (#11318524) Homepage Journal

    I saw a number of posts where people saying that uncovering security vulnerabilities and publishing the research may hurt the customers. OK, let's put that to the test, let's imagine that we are in the world where such publications are prohibited. Last time I checked, the major driving force behind the scientific research was a desire to be recognised. Yes, white hats and black hats have the same personal reason to do what they do -- they want to be famous. If the only way for a white hat to get famous is the court hearing, then you can say bye-bye to the independent security research. From that point on we will be finding out about vulnerabilities when our systems turn against us. As a rule, patches will be coming out after vulnerabilities have been successfully exploited by bad guys. This would be the last blow to the positive meaning of "hacker", and who wants that? I would rather have white hats held in honour, and software companies held accountable for their mistakes.

    And have you even tried to assess the threat of such publications? On one side you have a bunch of black hats who are poorly organized, do not have very effective channels of communication, have an inferior understanding of the vulnerable product; on the other side you have a corporation which does nothing but, which is on top of things, which, for a change, has the entire source code along with people who understand it completely. Who will win in this race? By jailing independent researchers they are effectively sending a message: we are incapable of beating a bunch of amateurs in our own game. The reality is that they simply do not want to, because it costs them more money -- they would rather watch us crash and burn, and then jump in and save the day. Once a day. For all eternity.

    Granted, OT, but is that like healthcare or what?

  • by melted ( 227442 ) on Tuesday January 11, 2005 @02:41AM (#11318752) Homepage
    for reverse engineering their viruses.
  • by dirk ( 87083 ) <dirk@one.net> on Tuesday January 11, 2005 @07:40AM (#11319582) Homepage
    The main thing here is that he didn't point out bugs in software, he published code that would take advantage of these bugs. For all the people making the car comparison, he didn't notice a problem that would let you unlock a car without the key, he made something that would take advantage of the problem and let you unlock any car without the key. There's a big difference between publishing bugs you find, and actually publishing code that will take advantage of the bug. Even example exploit code serves as a blueprint for any person who wants to modify it to do something worse with it.

    I have no problem with saying there is a bug in software and giving information about it. I do have a problem with someone releasing code that take advantage of said bug.

FORTUNE'S FUN FACTS TO KNOW AND TELL: A giant panda bear is really a member of the racoon family.

Working...