Discover your moment on Lufthansa.
January 11, 2005 7:57 AM PST
Researcher faces jail for finding bugs
- Related Stories
-
Hacker worries raise hackles
January 10, 2005 -
IE flaw threat hits the roof
January 7, 2005 -
Firefox: When is a flaw not a flaw?
January 7, 2005 -
Flaw opens crack in Windows servers
November 30, 2004 -
Hackers, spoofers and malware--oh my!
November 4, 2004
In 2001, French researcher Guillaume Tena found a number of vulnerabilities in the Viguard antivirus software published by Tegam International, which is based in Paris. Tena, who at the time was known by his pseudonym Guillermito, published his research online in March 2002.
However, Tena's actions were not viewed kindly by Tegam, which initiated legal action against the researcher. That action resulted in a case being brought to trial in Paris. The trial kicked off on Jan. 4. The prosecution claims that Tena violated article 335.2 of the intellectual property code and is asking for a four-month jail term and a fine of about $7,900 (6,000 euros) . Additionally, Tegam is proceeding with a civil case against Tena and asking for about $1.2 million in damages.
According to Tena's Web site, his research "showed how the program worked, demonstrated a few security flaws and carried out some tests with real viruses. Unlike the advertising claimed, this software didn't detect and stop '100 percent of viruses.'"
Tena, who is currently a researcher for Harvard University in Massachusetts, said that Tegam responded in a "weird way" by first branding him a terrorist and then filing a formal complaint in Paris. During the resulting tribunal, Tena said the judge decided that because the published exploits included some re-engineered source code from Viguard?s software, he had violated French copyright laws.
According to French security site K-OTik, Tena had technically broken copyright laws because his exploits were "not for personal use, but were communicated to a third party".
However, K-OTik, which regularly publishes exploit codes, claims that the ruling could create a precedent so that vulnerabilities in software, however critical, could not be declared publicly without prior agreement from the software publisher.
K-OTik?s editors say the ruling is "unimaginable and unacceptable in any other field of scientific research".
On Tena's Web site, he claims that if independent researchers are not allowed to freely publish their findings about security software then consumers will be only have "marketing press releases" to assess the quality of the software. "Unfortunately, it seems that we are heading this way in France and maybe in Europe," Tena said.
"To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realized that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site, then Ford could file a complaint against me," added Tena.
Philip Argy, senior partner of the intellectual property and technology group at Australian law firm Mallesons Stephen Jaques, said that if a similar case was put to trial in Australia, the prosecution would be unlikely to get a conviction because of our "fair comment provisions."
"We have strong copyright protection as well as strong anti-hacking laws, but from what I can glean from the translations, all that Guillermito did was to publish the details of the parts of the code which contained serious bugs that made the software erroneously treat as a virus some legitimate software," Argy said.
The final ruling is set for March 8.
Munir Kotadia of ZDNet Australia reported from Sydney.
See more CNET content tagged:
anti-hacking,
copyright law,
researcher,
Paris,
antivirus software
The only people they should show how to exploit is the company's that own the right's to the development of it.
The only people they should show how to exploit is the company's that own the right's to the development of it.
I think the company that made the software needs to re-evaluate their quaility control before releasing half baked products to the market place.
I think the company that made the software needs to re-evaluate their quaility control before releasing half baked products to the market place.
In this day and age of greedy corporations that only care about money what was done was the only thing that could be done. It happens all the time in the US as it should.
Besides the chances are criminals either already knew about it or would have shortly anyways. How many times has a virus or other bit of crap come out to take advantage of security hole that was never mentioned to the public until after the virus was discovered.
As for telling the public that there was a problem without showing proof, that would have gotten him laughed at for now proving his findings and that would have simply given the company in question the abilitiy to make him out to be a crack pot and then cover it up as I said.
No the only way things like this get fixed are after the world hears about it and sees the proof for themselves. Any country that puts the rights of the company ahead of the consumer for things like that are countries that should be blown off the face of the Earth.
Robert
In this day and age of greedy corporations that only care about money what was done was the only thing that could be done. It happens all the time in the US as it should.
Besides the chances are criminals either already knew about it or would have shortly anyways. How many times has a virus or other bit of crap come out to take advantage of security hole that was never mentioned to the public until after the virus was discovered.
As for telling the public that there was a problem without showing proof, that would have gotten him laughed at for now proving his findings and that would have simply given the company in question the abilitiy to make him out to be a crack pot and then cover it up as I said.
No the only way things like this get fixed are after the world hears about it and sees the proof for themselves. Any country that puts the rights of the company ahead of the consumer for things like that are countries that should be blown off the face of the Earth.
Robert
Since advertised for protection and profiting on that, it is expected to be "bullet-proof" instead of containing bugs.
Any bug-finder, no matter how found, bears the OBLIGATION to blow the whistle to the community.
Okay, Guillermito was a bit stupid publishing the code, instead of communicating Tegam first, for he even could have been rewarded for that. Good with bytes, lousy with people.
But attention: damages are also on the customer's side! Let's spread the word like: Tegam sues Guillermito for US$1.2million and every customer that paid for the software sues Tegam for US$120,000 for damages and false advertising, alternatively demanding the former suit to be dropped immediately. And of course, no jail time unless proven intent on damaging Tegam.
If I were the judge on the civil suit, I would sentence Guillermito on paying not more than four months of his salary to Tegam.
Since advertised for protection and profiting on that, it is expected to be "bullet-proof" instead of containing bugs.
Any bug-finder, no matter how found, bears the OBLIGATION to blow the whistle to the community.
Okay, Guillermito was a bit stupid publishing the code, instead of communicating Tegam first, for he even could have been rewarded for that. Good with bytes, lousy with people.
But attention: damages are also on the customer's side! Let's spread the word like: Tegam sues Guillermito for US$1.2million and every customer that paid for the software sues Tegam for US$120,000 for damages and false advertising, alternatively demanding the former suit to be dropped immediately. And of course, no jail time unless proven intent on damaging Tegam.
If I were the judge on the civil suit, I would sentence Guillermito on paying not more than four months of his salary to Tegam.