[ISN] Security researcher to be jailed for finding bugs in software?

Tue Jan 11 01:44:38 EST 2005

http://www.zdnet.com.au/news/security/0,2000061744,39176657,00.htm

By Munir Kotadia
ZDNet Australia 
11 January 2005 

A French security researcher who published exploit codes that could
take advantage of bugs in an anti-virus application, could be
imprisoned for violation of copyright laws.

In 2001, French security researcher Guillaume Tena found a number of
vulnerabilities in the Viguard antivirus software published by Tegam.  
Tena, who at the time was known by his pseudonym Guillermito,
published his research online in March 2002.

However, Tena's actions were not viewed kindly by Tegam, who initiated
legal action against the researcher. That action resulted in a case
being brought to trial at a Court in Paris, France. The trial kicked
off on January 4 after being deferred from its initially scheduled
start date of October 5, 2004. The prosecution claims that Tena
violated article 335.2 of the code of the intellectual property and is
asking for a four month jail term and a 6,000 euro fine. Additionally,
Tegam is proceeding with a civil case against Tena and asking for
900,000 euros in damages.

Accoridng to Tena's Web site, his research "showed how the program
worked, demonstrated a few security flaws and carried out some tests
with real viruses. Unlike the advertising claimed, this software
didn't detect and stop .100 percent of viruses.."

Tena, who is currently a researcher for Harvard University in
Massachusetts, said that Tegam responded in a "weird way" by first
branding him a terrorist and then filing a formal complaint in Paris.  
During the resulting tribunal, Tena said the judge decided that
because the published exploits included some re-engineered source code
from Viguard.s software, he had violated French copyright laws.

According to French security Web site K-OTik, Tena had technically
broken copyright laws because his exploits were "not for personal use,
but were communicated to a third party".

However, K-OTik, which regularly publishes exploit codes, claims that
the ruling could create a precedent so vulnerabilities in software,
however critical, could not be declared publicly without prior
agreement from the software publisher.

K-OTik.s editors say the ruling is "unimaginable and unacceptable in
any other field of scientific research".

On Tena's Web site, he claims that If independent researchers are not
allowed to freely publish their findings about security software then
users will be only have "marketing press releases" to assess the
quality of the software. "Unfortunately, it seems that we are heading
this way in France and maybe in Europe," Tena said.

"To use an analogy, it's a little bit as if Ford was selling cars with
defective brakes. If I realised that there was a problem, opened the
hood and took a few pictures to prove it, and published everything on
my Web site. Then Ford could file a complaint against me," added Tena.

Philip N Argy, senior partner of the intellectual property and
technology group at Australian law firm Mallesons Stephen Jaques, said
that if a similar case was put to trial in Australia the prosecution
would be unlikely to get a conviction because of our "fair comment
provisions".

"We have strong copyright protection as well as strong anti-hacking
laws, but from what I can glean from the translations, all that
Guillermito did was to publish the details of the parts of the code
which contained serious bugs that made the software erroneously treat
as a virus some legitimate software. I'd have thought that would be at
least within the fair comment provisions of Australian copyright law,"  
said Argy.

The final ruling will be made in Paris on March 8, 2005.