Wednesday, March 09, 2005

Security Researcher Condemned for Publishing Vulnerability + Update

Yesterday the French security researcher Guillaume Tena, aka Guillermito, was given a suspended fine of 5,000 euros by a French court for publishing a vulnerability in the Viguard anti-virus software of the company Tegam. Extensive details on the (copyright infringement) charge and the questionable tactics of Tegam can be found in this earlier posting.

That the fine is suspended means that Guillermito will have to pay up if he continues to publish about this vulnerability and other software vulnerabilities. As a result he has removed the Tegam publication, and a dozen others, from his website. He writes:
No more demonstration of security software weaknesses. It's now forbidden in my country. On March 8, 2005 I've been condemned for exposing flaws in the anti-virus software and publishing proof of concept programs to demonstrate them. That's exactly what I did for a dozen or so steganography programs, which often contained security holes so big you could pass a truck through.

So now you have to believe the editors' marketing. Welcome to DisneyWorld. All steganography programs are perfect, super-solid, unbreakable, undetectable, without bugs or flaws. They are all perfect. Use them. Hahaha. What a joke.

This ruling could cripple security research in France by making it illegal to publish security vulnerabilities, or proof of them obtained by reverse engineering. Without being allowed to take software apart, actually studying it and publishing the resulting vulnerabilities becomes impossible. While the criminal case against Guillermito has come to an end with this ruling, Tegam is pursuing a civil case and demanding 900,000 euros in damages. The Harvard-based researcher did escape a jail sentence, but these are troubling developments: for security research, for (freedom of) academic research in general, and not least for the future security of software and hardware.
- - -
Guillermito's site
French news on the case (French)

- - -

At Copyfight they wonder about the legal provisions in play, and this post has been Slashdotted, with some readers craving more details. I wrote them up in the earlier post on the subject I referred to above. But to give a second overview, more closely related to yesterday's ruling, here is what I can additionally make out from a French account of the ruling. Read it if you are more fluent in French than I am. If you want to skip the following, be sure to read the end of this update; it throws a different light on the case:

- Guillermito has been convicted of counterfeiting (contrefaçon, the French term that also covers copyright infringement), I presume under article L.335-3 of the French Intellectual Property Code.

- The Court established that parts of the source code of the program had been reproduced, which constitutes the counterfeiting.

- The Court set aside the exception of article L.122-6-1 of the Intellectual Property Code, because on the one hand Guillermito's acts were not aimed at solving compatibility (interoperability) problems, and on the other hand article L.122-6-1 requires that the person performing such acts is entitled to use the software and does not prejudice the author's rights. Here is part of the text of the article:

III. A person having the right to use the software shall be entitled, without the authorization of the author, to observe, study or test the functioning of the software in order to determine the ideas and principles which underlie any element of the software if he does so while performing any of the acts of loading, displaying, running, transmitting or storing the software which he is entitled to do.

IV. Reproduction of the code of the software or translation of the form of that code shall not require the authorization of the author where reproduction or translation within the meaning of item 1 or 2 of Article L. 122-6 is indispensable for obtaining the information necessary to achieve the interoperability of independently created software with other software, providing that the following conditions are met:

1°. these acts are performed by a person entitled to use a copy of the software or on his behalf by a person authorized to do so;

2°. the information necessary to achieve interoperability has not previously been readily available to the persons referred to in item 1, above;

3°. and these acts are confined to the parts of the original software which are necessary to achieve interoperability.

The information thus obtained may not:

1°. be used for goals other than to achieve the interoperability of the independently created software;

2°. be given to others, except where necessary for the interoperability of the independently created software;

3°. or be used for the development, production or marketing of software substantially similar in its expression, or for any other act which infringes copyright.

V. This Article may not be interpreted in such a way as to prejudice the normal exploitation of the software or to cause unreasonable prejudice to the author’s legitimate interests.

The full English text of the French Intellectual Property Code can be found here.

- The private copying and short quotation exceptions were not accepted either.

- According to the French account referred to above, the likely reason Guillermito was convicted is that he used a pirated version of the Viguard anti-virus software for his research. It is questionable whether the same outcome would have been reached had a legitimate copy been used.

This is enlightening, not least for me. However, the tactics of Tegam stand (see the earlier posting), and it raises another question: whether Tegam is in fact using counterfeiting claims to effectively prevent the publication of Guillermito's research. A more subtle route, but still a negative outcome for the ability to freely publish on security vulnerabilities.

The judgement in this criminal case is yet to be published. The civil court case will follow on April 12th.


Anonymous Anonymous said...

Here comes /. (SlashDot)!

9/3/05 21:20  
Anonymous Anonymous said...

The rest of the world should follow suit. Then software companies won't have to worry about implementing effective security in their products because it would be illegal to exploit them.

9/3/05 21:32  
Blogger Calvin Lawson said...

This is sad sad sad. I wouldn't be surprised if something like this gets passed in the US. Only it would be our corporate friendly congress, most likely.

9/3/05 21:49  
Anonymous Anonymous said...

....except for the government right? it should be allowed to exploit these companies' shitty software design whenever it feels like it to 'uphold the law'?

9/3/05 21:50  
Anonymous Anonymous said...

It's already illegal to exploit them. Rather, it's already illegal to cause damage to others.

The problem is that bugs in software aren't damaging to the vendor, but to the users of that software.

Vulnerability proofs are the way that real users can find out about what level of effort is actually necessary to cost them money. If it's more than they can cost, the users can feel safe, but if it isn't, users need to be afraid.

Full disclosure is about showing users how the Vendor can/is presently hurting them.

The problem is that Vendors feel like reputations aren't to be earned.

Vendors can't be allowed to protect a reputation except from falsehood in court.

9/3/05 21:56  
Anonymous Anonymous said...

I've come to expect stuff like this from the French.

9/3/05 22:05  
Anonymous Anonymous said...

"This ruling can cripple the security research in France, making it illegal to publish security vulnerabilities or the proof thereof by reverse engineering."

Given that French law isn't based on case law and precedent as common law is, it's not as bad as it would have been if it were the case.

9/3/05 23:09  
Anonymous Anonymous said...

I read "Then software companies won't have to worry about implementing effective security in their products because it would be illegal to exploit them." above.

This is similar to the cellular telephone ruling in the US - it's illegal to listen to cellular calls because vendors didn't want to worry about implementing effective encryption in their products.

The irony -- a politician in Florida reported on illegal activity by a competitor, except his staff got the material by eavesdropping on the competitor's phone call. Issue quickly dropped!

9/3/05 23:47  
Anonymous Anonymous said...

In the end this will hurt only consumers. Very sad.

10/3/05 00:58  
Anonymous Anonymous said...

Congratulations to the French court! You have now thrown your country into a dangerous situation, one which means you will live unsafe lives.

Viva Euro Disney!
All software is perfect!

Crypto = Protection = Liberty. France is screwed.

10/3/05 02:40  
Anonymous Anonymous said...

It's like watching someone shoot themselves in the foot and, to make sure they do, they have a police officer and a restraining order to keep you from helping them.

Security companies are taking the highest risk of claiming they can protect and need to work with those that are willing to do the required work (Vendor sure didn't do it, did they?).

Consumers will purchase items they can trust in. The result is you cannot trust French products; therefore, the consumer will act upon their best interest and purchase products they can trust (outside of the country).

10/3/05 05:16  
Blogger Eolas said...

You understood perfectly the meaning of the decision; I have nothing to add to or withdraw from your explanation.

The important thing from my point of view (I could read the full decision at the court) is that the principle of full disclosure is not discussed (neither approved nor disapproved) by the court.

The warez Viguard was Guillermito's doom.

10/3/05 15:46  
Blogger Rik Lambers said...

Eolas, thanks for the insightful analysis on your blog. It certainly made the case more clear (for me).

11/3/05 14:59  
