Results 1 to 7 of 7

Thread: Goodbye to Full Disclosure Concept? (No, not the list)

  1. #1
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Redondo Beach, CA

    Goodbye to Full Disclosure Concept? (No, not the list)

    So, I guess this means that if no one does research to find flaws, then they don't exist (a la Microsoft's claim that exploits don't exist "until the patch is released"). What's rather scary is that France may not be alone in this. Outlawing of security research (flaw/vulnerability finding) might cause more headaches for admins since we won't really know how secure something is since it isn't being tested outside of the company that makes it.

    Maybe it's just me.

    Publishing exploit code ruled illegal in France?

    Munir Kotadia, ZDNet Australia
    March 09, 2005
    Source: ZDNet Australia

    Researchers that reverse engineer software to discover programming flaws can no longer legally publish their findings in France after a court fined a security expert on Tuesday.

    In 2001, French security researcher Guillaume Tena found a number of vulnerabilities in the Viguard antivirus software published by Tegam. Tena, who at the time was known by his pseudonym Guillermito, published his research online in March 2002.

    However, Tena's actions were not viewed kindly by Tegam, who initiated legal action against the researcher. That action resulted in a case being brought to trial at a Court in Paris, France. The prosecution claimed that Tena violated article 335.2 of the code of intellectual property and was asking for a four month jail term and a 6,000 euro fine.

    On Tuesday, the French court ruled that Tena should not be imprisoned but gave him a suspended fine of 5,000 euros. This means he only has to pay the fine if he publishes more information on security vulnerabilities in software.

    Chaouki Bekrar, a security consultant and co-founder of French Web site K-Otik, which is known for regularly publishing exploit codes, told ZDNet Australia that although it is good news that Tena did not have to go to jail, the ruling is very bad news for the security research industry in France.

    "This seems to be a good news but that is not the case. Publishing a security vulnerability or a proof of concept using reverse engineering or disassembly is now illegal in France -- how can a researcher publish a vulnerability if he can't study the software's structure?" said Bekrar.

    On his Web site, Tena argued that if independent researchers were not allowed to freely publish their findings about security software then users would only have "marketing press releases" to assess the quality of the software. "Unfortunately, it seems that we are heading this way in France and maybe in Europe," Tena said.

    Tegam is also proceeding with a civil case against Tena and asking for 900,000 euros in damages.
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head
    Extra! Extra! Get your FREE copy of Insight Newsletter||MsMittens' HomePage

  2. #2
    Leftie Linux Lover the_JinX's Avatar
    Join Date
    Nov 2001
    Beverwijk Netherlands
    It's the Reverse-Engineering he used to discover the vulnerability which is outlawed, not the posting of exploit code !!

    This is a BAD article !
    ASCII stupid question, get a stupid ANSI.
    When in Russia, pet a PETSCII.

    Get your ass over to SLAYRadio the best station for C64 Remixes !

  3. #3
    ********** |ceWriterguy
    Join Date
    Aug 2004
    Bill Gates got a threatening look in his eye. Naturally, France quickly surrendered.
    Even a broken watch is correct twice a day.

    Which coder said that nobody could outcode Microsoft in their own OS? Write a bit and make a fortune!

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington
    This is a BAD article !
    Actually I would say that it is a bad law. The purpose of banning reverse-engineering/dissassembly is really to prevent plagiarism and theft of intellectual property.

    I would not have thought that reviewing for exploits actually fell into those categories.

    However it isn't the first badly drafted legislation we have seen, and I do not think that it will be the last

  5. #5
    Join Date
    Aug 2001
    The DMCA Act pretty much does the same... luckily, exeptions are made "to conduct encryption research, assess product interoperability, and test computer security systems".

    And in the French case: K-Otik on its website admits that there was indeed copyright violation on Tena's part, since he communicated what he found (source code, which is copyright protected) to third parties. I wouldn't be so sure that you can't get convicted for the same "offense" in the US if they wanted to...

  6. #6
    Join Date
    Dec 2003
    So, now the only people in France who are going to do security research are those who plan to break the law by using it maliciously anyway. Good plan. Seems like a reaction based on fear and panic, not rational thought.

  7. #7
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    United Kingdom: Bridlington

    since he communicated what he found (source code, which is copyright protected) to third parties
    Well, over here it is protected in so far as you cannot use it in your own product or sell it to others..............after all, who would want to buy or use stuff with known exploits in it?

    There might be a breach of contract case, as most EULAs prohibit reverse engineering?

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts