[ISN] France puts a damper on flaw hunting

InfoSec News isn at c4i.org
Fri Mar 18 02:34:45 EST 2005


Forwarded from: Kitetoa at Kitetoa.com <kitetoa at kitetoa.com>

> Forwarded from: security curmudgeon <jericho at attrition.org>
>
> Would be nice if some of the French speaking list members could
> translate the court ruling and help clear this up.


*************************************************


The question is starting to spread on the computer security mailing
lists and forums. Is the "Tegam versus Guillermito" trial, and the
resulting suspended 5000 euro fine for counterfeiting and distribution
of a proof-of-concept program, a threat to the right to search for
bugs? Does this judgment mean the end, in France, of the full
disclosure concept? Does it create a permanent legal risk for security
experts? In other words, is there a legal risk for all bug researchers
if a company does not accept criticism of its software, as was the
case in the Tegam versus Guillermito trial?

Let me tell you what **I** think (what **I** think may not be true,
who knows?..).

Yes and No

Let's get back to the verdict.

This personal analysis is not a legal analysis, as I'm not a lawyer...

Guillermito was found guilty of counterfeiting and of publishing the
result of the counterfeiting (which in fact was a few P.O.Cs.)

This means that the court indeed considered that Guillermito *is*
guilty of counterfeiting Viguard, Tegam's software (because he didn't
have a valid licence).

According to the judges' ruling, he did publish the counterfeit
software. How do you do this when you are studying how a piece of
software works (or doesn't work as it should)?

Guillermito did not buy the software (he lives in the US, where he
could not buy it in stores or online, and there was no demo version
available). Later on, before publishing anything on his website, a
Viguard user sent him his own copy of the software and licence number.
But the court did not buy this argument.

So... Guillermito worked on an unregistered version of Viguard. He
wrote a few P.O.Cs (proofs of concept). And he published these P.O.Cs
on his web page. That is why the ruling says he did publish the
"counterfeit software". Keep in mind that all this is about
intellectual property and has nothing to do with re-creating a brand
new Viguard, which he didn't.

Security experts might say that, because of all these details, the
situation is a little bit different from what they deal with every
day. There is also a big debate (the court didn't even mention this
point) because Tegam says Guillermito used decompilation, which he
strongly denies. Same for the fact that Guillermito could not get a
valid licence for Viguard, as it is not sold in the US. Same for the
fact that, apparently, Tegam did include Guillermito's findings in
their next software version. But judges only look at the legal side.
They didn't get much into the technical side for the ruling.

So... will this ruling set a legal precedent for full disclosure?

Yes and no...

Yes, because as far as I know this is the first time in this country
that a bug hunter has been sued by a software company (sir, he hadn't
got a licence!). In a future case like this one, a lawyer will
certainly mention this precedent.

The judge will not **have to** take the same decision. Moreover, this
is just a first decision. There may be an appeal.

No, because in this case Guillermito didn't own a valid licence for
this software. Obviously, French bug hunters will dodge this kind of
problem by buying the software they want to analyze. Of course, it
will be impossible to publish anything about a non-French program that
cannot be bought in a store or online.

This being said, this decision will produce some collateral damage on
bug hunting. As we already wrote on kitetoa.com, French computer
security mailing lists, French computer security firms, individuals,
CERTs or CERTA will take a heavy legal risk if at some point they
decide to publish an advisory written by someone from another country
without knowing whether the hacker had a valid licence for the
software. They could probably be sued for publishing counterfeited
information if there is a POC. So, we can say that France just shot
herself in the foot. It is now difficult to publish and spread
computer security information, because each time, people will have to
verify that the work was done on software with a valid licence. Good
luck.

Here are, for those who read French, some comments on this case made
by a lawyer who followed the whole story and was present during most
of the trial:

http://maitre.eolas.free.fr/journal/index.php?2005/03/08/87-guillermito-condamne-mais-tres-legerement

Finally, after reading this excellent comment by Maitre Eolas,
computer specialists can wonder about the number of bytes reproduced
in the POCs that turns them into counterfeiting. Viguard is probably
several megabytes of data. How many reproduced bytes make it
counterfeiting if we don't have a valid licence? And what if we do
have a valid licence?

Read also in English:

http://www.eweek.com/article2/0%2C1759%2C1758513%2C00.asp

http://www.theregister.co.uk/2005/03/10/tegam_verdict/

http://www.theregister.co.uk/2005/01/12/full_disclosure_french_trial/

http://www.zdnet.com.au/news/security/0%2C2000061744%2C39183862%2C00.htm

http://www.zdnet.com.au/news/security/0,2000061744,39176657,00.htm

http://www.zdnet.com.au/news/security/0,2000061744,39176920,00.htm
