Security researcher to be jailed for finding bugs in software?
By Munir Kotadia, ZDNet Australia
11 January 2005
http://www.zdnet.com.au/news/security/0,2000061744,39176657,00.htm
A French security researcher who published exploit codes that could take
advantage of bugs in an anti-virus application, could be imprisoned for
violation of copyright laws.
In 2001, French security researcher Guillaume Tena found a number of
vulnerabilities in the Viguard antivirus software published by Tegam. Tena,
who at the time was known by his pseudonym Guillermito, published his
research online in March 2002.
However, Tena's actions were not viewed kindly by Tegam, which initiated legal
action against the researcher. That action resulted in a case being brought
to trial at a court in Paris, France. The trial kicked off on January 4
after being deferred from its initially scheduled start date of October 5,
2004. The prosecution claims that Tena violated article 335.2 of the French
intellectual property code and is asking for a four-month jail term and a
6,000 euro fine. Additionally, Tegam is proceeding with a civil case against
Tena and asking for 900,000 euros in damages.
According to Tena's Web site, his research "showed how the program worked,
demonstrated a few security flaws and carried out some tests with real
viruses. Unlike the advertising claimed, this software didn't detect and
stop '100 percent of viruses'."
Tena, who is currently a researcher for Harvard University in Massachusetts,
said that Tegam responded in a "weird way" by first branding him a terrorist
and then filing a formal complaint in Paris. During the resulting tribunal,
Tena said the judge decided that because the published exploits included
some re-engineered source code from Viguard's software, he had violated
French copyright laws.
According to French security Web site K-OTik, Tena had technically broken
copyright laws because his exploits were "not for personal use, but were
communicated to a third party".
However, K-OTik, which regularly publishes exploit codes, claims that the
ruling could create a precedent so vulnerabilities in software, however
critical, could not be declared publicly without prior agreement from the
software publisher.
K-OTik's editors say the ruling is "unimaginable and unacceptable in any
other field of scientific research".
On Tena's Web site, he claims that if independent researchers are not
allowed to freely publish their findings about security software, then users
will only have "marketing press releases" to assess the quality of the
software. "Unfortunately, it seems that we are heading this way in France
and maybe in Europe," Tena said.
"To use an analogy, it's a little bit as if Ford was selling cars with
defective brakes. If I realised that there was a problem, opened the hood
and took a few pictures to prove it, and published everything on my Web
site. Then Ford could file a complaint against me," added Tena.
Philip N Argy, senior partner of the intellectual property and technology
group at Australian law firm Mallesons Stephen Jaques, said that if a
similar case was put to trial in Australia the prosecution would be unlikely
to get a conviction because of our "fair comment provisions".
"We have strong copyright protection as well as strong anti-hacking laws,
but from what I can glean from the translations, all that Guillermito did
was to publish the details of the parts of the code which contained serious
bugs that made the software erroneously treat as a virus some legitimate
software. I'd have thought that would be at least within the fair comment
provisions of Australian copyright law," said Argy.
The final ruling will be made in Paris on March 8, 2005.