Security researcher faces jail time for publishing software vulnerabilities

By Bill Detwiler, Editor

Guillaume Tena, a French security researcher currently with Harvard University, could face jail time for publishing vulnerability research on TEGAM International's Viguard antivirus software. French prosecutors claim that Tena violated French copyright laws by publishing his research, which, according to a French judge, included some re-engineered Viguard source code. Prosecutors are seeking a 4-month jail term and a 6,000 euro fine (approximately 7,890 US dollars).

Read the whole story:
http://virusthreatcenter.com/permalink.aspx?BlogId=113

How should we balance the developer's copyright and trade secret privileges with the public's need for secure software?

How do you believe software vulnerabilities should be disclosed?

Should researchers and IT professionals submit vulnerability research first to developers and allow for a fix before going public?

How long should developers be given to release a fix before vulnerability research is made public?

13 total posts (Page 2 of 2)   Prev   01 | 02
That's very true

by daappley In reply to Depends on how bad the ju ...

I suppose I didn't consider that he is an accomplice to hacker activity. Your viewpoint is very valid there. I suppose we will have to wait and see what the French courts have to say on it. Like you, I know nothing about French, or international, laws in this regard. Whatever the decision this is a HUGE precedent and I am interested to see the results.

Yes, common courtesy dictates

by Jessie In reply to Security researcher faces ...

that you approach the vendor first with your findings. It's the same thing I apply in my personal life: if I have a problem with something that's going on, I go to the "perpetrator" and explain the issue and my problem with it. If that doesn't help, THEN I go to a higher-up.

The real truth, or closer to it, and the bottom line

by EliSko In reply to Security researcher faces ...

First, the link in the article above doesn't seem to work anymore.

Googling the researcher's name brought me to this blog entry http://www.darknet.org.uk/2006/03/donations-flood-in-for-guilty-security-researcher-guillaume-tena/ where some helpful commenter provided a link to "Guillermito's" own site (in French) where the "crime" occurred http://web.archive.org/web/20030404161138/www.pipo.com/guillermito/viguard/index.html . If, like me, you can only vaguely decipher written French, you might also be helped by Google Translate http://translate.google.com/translate?prev=hp&hl=en&js=y&u=http%3A%2F%2Fweb.archive.org%2Fweb%2F20030404161138%2Fwww.pipo.com%2Fguillermito%2Fviguard%2Findex.html&sl=fr&tl=en&history_state0= (Of course, it only translates the first third of a veeery long web page.)

Basically, he rips through a seemingly very shoddy anti-virus program by showing how to test it. In the process, he gives a good introduction to HOW to test such programs which, unfortunately gives a good deal of theory as to how to write viruses, too. He writes a very basic "test" virus, and then installs one after another existing viruses, showing how the program does or does not detect them, and a little bit of why, and also gives a few software analysis tools that may be of help to people, white or black hat.

The actual code violation, according to one poster, is "65 bytes" but I didn't figure out exactly where - it seems to be some of the "reverse engineered" software that he deduces by black-box testing, which according to the French court matches the vendor's copyrighted software.

From the bottom of the web page, he shows where he corresponded with the company, but I can't figure out if the page was public before that point or not. In any case, the company stonewalls him and lies, claiming, according to his quote, that any viruses that their software doesn't detect are "harmless", anyway, so why bother checking for them? This, while their web site claims to stop ALL viruses.

If the "criminal" page wasn't live before that point, I can understand his righteous indignation in posting it afterwards.

In balance, a ZD|Net UK article http://news.zdnet.co.uk/itmanagement/0,1000000308,3**83786,00.htm says that Tegam International, the vendor, posted a "refutation" of his claims, saying that Guillermito's methods were shoddy, and that he had also "harassed" the company about their vulnerabilities. Those links, though, no longer function.

Besides the criminal suit, the vendor was filing a civil suit against him for 900,000 Euros in damages! It seems that they were clutching at straws, though, because three months later they went bankrupt. http://translate.google.com/translate?hl=en&sl=fr&u=http://www.journaldunet.com/solutions/0505/050520_tegam.shtml&ei=JydvSoqUKsTOjAevwrWdBQ&sa=X&oi=translate&resnum=7&ct=result&prev=/search%3Fq%3Dtegam%2Binternational%26hl%3Den .

Personally, I wish they had stayed around, because if I were him I would have countersued for false advertising, in return. As it was, though, it seems that Guillermito got his fine paid with the help of others over the Internet, so he wasn't left in the wind.

The French are still left with the foul taste of this case as a legal precedent, though.

Anyway, it's all a page out of history now, four years later. I started writing up this comment before I twigged to the dates, and figured that I might as well put a post here with the final outcome of the story for any future readers. I just wonder why TR suddenly pulled this thread up as "most popular"?
