April 10th, 2004, 08:14 PM
France bans any disclosure (full or partial)!?
Apparently, based on the news release from the group K-OTik, France has decided any work in security that presents any possible "criminal activity" with OR without intent is a punishable offense. So items like Proof of Concepts, penetration testing, etc. could possibly result in criminal charges.
I'm personally a big fan of full disclosure but if France does this with any "success" then the potential for other countries to follow suit is huge. The general Full Disclosure "community" is very loose and I wonder how much directed political power they may have. I suppose it does boil down to whether or not full disclosure is helping more than it's hindering or vice-versa.
Source: Original Source in French
Translation by: BabelFish (bold added by me)
Reactions of the experts in safety with respect to article 34 of the LEN
By Fabien Lesner (K-OTik.COM) - After the adoption in second reading in the night of Thursday to Friday April 9, 2004 of the bill on the numerical economy (LEN), article 34 of this law from now on is officially known, which raises many concerns in the medium French professionals and experts in safety. This article 34 of the LEN introduces new article 323-3-1 with the penal code, of which here the final version:
"I - The fact, without legitimate reason, to import, hold, offer, yield or place at the disposal equipment, instrument, a data-processing or very given program conceived or especially adapted to commit one or more offences envisaged by articles 323-1 to 323-3 is punished sorrows planned respectively for the infringement itself or the infringement most severely repressed.
II. - With articles 323-4 and 323-7 of the penal code, words : " articles 323-1 to 323-3 " are replaced by the words : " articles 323-1 to 323-3-1 ".
Two important concepts were definitively removed: The first related to the manipulation/publication within the framework of scientific research (removed by the amendment n° 84), the second concept defined a framework of "not intentionality" protecting the people pirated or infected by viruses (removed by the amendment n° 22).
The CLUSIF, since 2003, had transmitted its remarks and its concerns as for the new provisions of this article and in particular the vague concept of "legitimate reason".
The editor of TheHackademy Newspaper, magazine treating of the computer security, affirms his skepticism: "This law will not thus bring anything really effective, and is likely to be disastrous long-term on the level of safety of services Internet and the companies in France. The magazines and Web sites proposing of the information detailed on data-processing risks are likely to change, either by fear or by legal constraint, as content providers self-censored of weak technical interest... and thus of low effectiveness for the safety of IF."
No new response to the data-processing crimes is brought by this law, it adds: "the instigators of this law started from a creditable intention (to fight against the creators of virus), but the real implications of the naive text did not include/understand which they adopted:
- the development independent of tools of computer security free will be very discouraged. Indeed much of these tools can be used at ends of attack (as the crackers of passwords or the scanners of vulnerabilities, however essential for the administrators).
- the pirates will continue to seek faults and to develop tools of attack. They were already in the illegality and will remain it.
- the hackers "white hat" or "grey hat", which develops the same tools and seeks the same faults but without intention to exploit them to harm, will hide (or will be discouraged) and will not thus publish more their discoveries. The persons in charge of security and general public will thus not be with the current of "the state of the art" in computer security... and the pirates will do what they want!"
An opinion divided by Frederic Raynal, editor of the magazine safety MISC: "It seems to me that a certain number of points of the LEN are intended to reduce work of the judges. However, this article goes against this logic. Indeed, the nuance "without legitimate reason" will not be simple to establish", it criticizes in particular the establishment of a passive safety in France: "A the hour when virus (see the increase and the propagation of the last worms/viruses) and Mafia become increasingly virulent on the Net, per hour when companies as Cisco acknowledge that their product(s) contain(s) backdoors, per hour when certain countries openly admit making Offensive Data-processing Fight, is reasonable to found to suppose it guilty? The "bad guys" will continue their activities, this law will not change nothing there. On the other hand, the question that I installation is: which benefits this article? And I am frankly not convinced that the answer is: with the public interest...".
The technical team, as well as team R&D of K-OTik Security, affirm their determination in the fight against the data-processing insecurity in France, and at all do not think of changing their methods of publication of technical articles, exploits and faults of safety. A similar position was adopted by the writers of specialized magazines, which refuse a change of their leading line! One cannot evaluate the real extent of the risks of safety without including/understanding the techniques and methods used in practice by the pirates.
The LEN must now pass before the mixed Joint Committee (CMP) to be arranged before being promulgated, then applied. In the event of failure of the CMP, the law passes by again before the parliamentary assemblies. No date is still fixed!
LEN (adopted on April 08, 2004) - http://ameli.senat.fr/publication_pl/2003-2004/144.html
Source: © K-OTik.COM (The Drafting)
April 10th, 2004, 08:46 PM
Yah I saw the article. I do not think this is good for anybody but other countries may adopt it depending on the success in France.
April 10th, 2004, 09:04 PM
This kind of stuff is not helpful at all...
It won't stop any "criminal" activities, just lower awareness to exploits and hence help in a false sense of security, which is only good for people with bad intentions..
This is what you get when the people making decisions are not well informed at all..
France is a lovely country, just a shame it is inhabited by French..
ASCII stupid question, get a stupid ANSI.
When in Russia, pet a PETSCII.
Get your ass over to SLAYRadio
the best station for C64 Remixes !
April 10th, 2004, 10:42 PM
Not really sorry to say......
France gets another "Bwahahahaha" for that.....
Let's be a tad realistic France..... If these people are smart enough to come up with the proof of concept they are probably smart enough not to publish it under the name email@example.com from their home connection......
Another example of "gubmint" getting in deeper than they can understand....
When will "lawmakers" understand that they _don't_ understand?????
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
April 11th, 2004, 03:40 AM
all this will do is help the bad guys but that seems to be a repetitive theme with them.
Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”
April 11th, 2004, 03:57 PM
It's along the same lines as gun laws in the U.S. People that already follow the law will follow the gun laws and those that could give a flying rat's ass about the law will still break them. This only ties the hands of many people who use these methods for good.
But then again it's France so IMHO "who cares."
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
April 11th, 2004, 04:26 PM
Ok, since when did grayhat hackers exist?? Are we gonna have a rainbow now?
April 11th, 2004, 04:28 PM
I don't recall seeing any example of grey hats in this thread, but greyhats have almost always been around. There's almost always three categories when dealing with levels of honor, nobility, and righteousness.
White--Good deeds, good goals
Black--Self-interest, whatever means
Grey--Goals of the white, means of the black
That should give you a pretty decent, perhaps overly simplistic, idea.
April 11th, 2004, 04:53 PM
the hackers "white hat" or "grey hat", which develops the same tools and seeks the same faults but without intention to exploit them to harm, will hide
April 11th, 2004, 04:56 PM
I appreciate you quoting that at me, although it did not help me at all. I had to use find to find the original citation, and then read in that area. Thank you for having quoted that, but in the future, if possible, please use the quote button so that it will say what thread, what post, and what user, as well as providing a link. Might've made things easier for me...
As it was, it was enough. Thank you for showing me that, since I didn't remember reading it at first. :-)