Reactions of security experts to Article 34 of the LEN
By Fabien Lesner (K-OTik.COM) - Following the adoption on second reading, during the night of Thursday to Friday, April 9, 2004, of the bill on the digital economy (LEN), the text of Article 34 of this law is now officially known, and it raises many concerns among French security professionals and experts. Article 34 of the LEN introduces a new Article 323-3-1 into the penal code, the final version of which follows:
"I. - The act of importing, holding, offering, transferring or making available, without legitimate reason, any equipment, instrument, computer program or any data designed or specially adapted to commit one or more of the offences provided for in Articles 323-1 to 323-3 is punishable by the penalties provided respectively for the offence itself or for the most severely punished offence.
II. - In Articles 323-4 and 323-7 of the penal code, the words 'articles 323-1 to 323-3' are replaced by the words 'articles 323-1 to 323-3-1'."
Two important concepts were definitively removed:
The first concerned handling and publication in the context of scientific research (removed by amendment no. 84); the second defined a framework of "non-intentionality" protecting people who have been hacked or infected by viruses (removed by amendment no. 22).
Since 2003, the CLUSIF had communicated its remarks and concerns about the new provisions of this article, in particular the vague concept of "legitimate reason".
The editor of TheHackademy Newspaper, a magazine covering computer security, expresses his skepticism: "This law will thus not bring anything really effective, and is likely to be disastrous in the long term for the level of security of Internet services and companies in France. Magazines and Web sites offering detailed information on computer risks are likely to turn, either out of fear or under legal constraint, into self-censored content providers of weak technical interest... and thus of low effectiveness for the security of IF."
This law brings no new response to computer crime, he adds: "The instigators of this law started from a commendable intention (to fight against virus creators), but did not understand the real implications of the naive text they adopted:
- the independent development of free computer security tools will be strongly discouraged. Indeed, many of these tools can be used for attack purposes (such as password crackers or vulnerability scanners, which are nevertheless essential for administrators).
- the pirates will continue to look for flaws and to develop attack tools. They were already acting illegally and will remain so.
- the "white hat" or "grey hat" hackers, who develop the same tools and look for the same flaws but with no intention of exploiting them to cause harm, will go into hiding (or be discouraged) and will thus no longer publish their discoveries. Security managers and the general public will thus no longer be kept up to date with "the state of the art" in computer security... and the pirates will do what they want!"
An opinion shared by Frederic Raynal, editor of the security magazine MISC: "It seems to me that a certain number of points in the LEN are intended to reduce the work of judges. However, this article goes against that logic. Indeed, the nuance "without legitimate reason" will not be simple to establish". He criticizes in particular the establishment of a passive security in France: "At a time when viruses (see the increase and spread of the latest worms/viruses) and mafias are becoming increasingly virulent on the Net, at a time when companies such as Cisco acknowledge that their product(s) contain backdoors, at a time when certain countries openly admit to conducting Offensive Computer Warfare, is it reasonable to found to suppose it guilty? The "bad guys" will continue their activities; this law will change nothing there. On the other hand, the question that I ask is: whom does this article benefit? And I am frankly not convinced that the answer is: the public interest...".
The technical team and the R&D team of K-OTik Security affirm their determination in the fight against computer insecurity in France, and have no intention whatsoever of changing their methods of publishing technical articles, exploits and security flaws. A similar position was adopted by the writers of specialized magazines, who refuse any change to their editorial line! One cannot evaluate the real extent of security risks without understanding the techniques and methods used in practice by the pirates.
The LEN must now go before the Joint Committee (CMP) to be settled before being promulgated and then applied. If the CMP fails, the law goes back before the parliamentary assemblies. No date has been set yet!
LEN (adopted on April 08, 2004) - http://ameli.senat.fr/publication_pl/2003-2004/144.html
Source: © K-OTik.COM (Editorial staff)