http://www.newsbytes.com/news/02/174910.html

By Brian McWilliams, Newsbytes
PARIS, FRANCE, 01 Mar 2002, 4:58 PM CST

Antoine Champagne has been offered thanks and even job offers from high-profile Web site owners whose insecurity he's exposed. But from now on, any more white-hat hacking by "Kitetoa" could cost him.

Last month, a French court fined Champagne 1,000 euros (US$865) for publicizing at his Web site, Kitetoa.com, security holes he found at Tati.fr, the homepage of a Paris-based clothing retailer.

According to Champagne, a journalist by profession, the prosecutor suspended the fine on the condition that he avoid any other convictions for the next five years.

The "strange judgment," as Champagne calls it, is unlikely to have any bearing on legal decisions in the United States. But word of the decision has sent a ripple through the computer security community this week.

In recent years, Champagne, with the assistance of a few friends who help to run Kitetoa.com, has found and publicized security holes at sites operated by such leading companies as DoubleClick, Bull Groupe, Veridian and ChoicePoint.

In each instance, Champagne said, Kitetoa has withheld publishing its discoveries until the affected companies have been given an opportunity to secure their systems.

According to court documents posted at Kitetoa.com, attorneys for Tati accused Champagne at his Jan. 23 trial of fraudulently accessing a Microsoft Access database at the company's Web site from 1999 to 2001.

But Champagne claimed that he merely used a Web browser to locate the file, which was stored in an improperly secured directory with "read access" to anyone on the Internet.

From May 2000 through February 2001 Kitetoa.com published several short papers noting the vulnerability at Tati.fr and including screen shots of some of the databases, with personal information redacted.

As proof that he intended no harm, Champagne's attorneys produced an exchange of e-mails over the period between Champagne and Tati's Webmaster, including one in which the clothing site's administrator thanked Champagne for notifying him of the exposed database and helping him secure it.

Attorneys for the defendant also pointed to a 1978 French privacy law that they said requires companies "to take all useful precautions in order to preserve the security of information" in their databases.

According to Champagne, the court's decision not to slap him with an immediate fine denied Tati some satisfaction. But he said the judgment has also cast a pall over Kitetoa.com's future.

"From now on, you can find yourself in front of a court accused of hacking just for using Netscape Navigator," said Champagne, who noted that French police have threatened to search his house and confiscate his computers if he similarly runs afoul of the law again.

According to Champagne, he is weighing the possibility of closing Kitetoa.com and discontinuing his writings about insecure sites, but he said he has not yet made a decision.

One option not being considered by Champagne is hiring himself out as a security consultant. After Kitetoa discovered several insecure internal databases at ChoicePoint's site earlier this year, officials at the online data firm inquired whether Kitetoa would be willing to assist in a security audit of ChoicePoint's Web properties.

Champagne declined the offer, stating simply, "I don't sell anything."

Kitetoa is at http://www.kitetoa.com