[ISN] Court Decision Could Gag French Security Site Kitetoa

From: InfoSec News (isnat_private)
Date: Mon Mar 04 2002 - 01:47:45 PST

    http://www.newsbytes.com/news/02/174910.html
    
    By Brian McWilliams, Newsbytes
    PARIS, FRANCE,
    01 Mar 2002, 4:58 PM CST
     
    Antoine Champagne has been offered thanks and even job offers from
    high-profile Web site owners whose insecurity he's exposed. But from
    now on, any more white-hat hacking by "Kitetoa" could cost him.
    
    Last month, a French court fined Champagne 1,000 euros (US$865) for
    publicizing at his Web site, Kitetoa.com, security holes he found at
    Tati.fr, the homepage of a Paris-based clothing retailer.
     
    According to Champagne, a journalist by profession, the prosecutor
    suspended the fine on the condition that he avoid any other
    convictions for the next five years.
    
    The "strange judgment," as Champagne calls it, is unlikely to have any
    bearing on legal decisions in the United States. But word of the
    decision has sent a ripple through the computer security community this
    week.
    
    In recent years, Champagne, with the assistance of a few friends who
    help to run Kitetoa.com, has found and publicized security holes at
    sites operated by such leading companies as DoubleClick, Bull Groupe,
    Veridian and ChoicePoint.
    
    In each instance, Champagne said, Kitetoa has withheld publishing its
    discoveries until the affected companies have been given an
    opportunity to secure their systems.
    
    According to court documents posted at Kitetoa.com, attorneys for Tati
    accused Champagne at his Jan. 23 trial of fraudulently accessing a
    Microsoft Access database at the company's Web site from 1999 to 2001.
    
    But Champagne claimed that he merely used a Web browser to locate the
    file, which was stored in an improperly secured directory with "read
    access" to anyone on the Internet.
    
    From May 2000 through February 2001 Kitetoa.com published several
    short papers noting the vulnerability at Tati.fr and including screen
    shots of some of the databases, with personal information redacted.
    
    As proof that he intended no harm, Champagne's attorneys produced an
    exchange of e-mails over the period between Champagne and Tati's
    Webmaster, including one in which the clothing site's administrator
    thanked Champagne for notifying him of the exposed database and
    helping him secure it.
    
    Attorneys for the defendant also pointed to a 1978 French privacy law
    that they said requires companies "to take all useful precautions
    in order to preserve the security of information" in their databases.
    
    According to Champagne, the court's decision not to slap him with an
    immediate fine denied Tati some satisfaction. But he said the judgment
    has also cast a pall over Kitetoa.com's future.
    
    "From now on, you can find yourself in front of a court accused of
    hacking just for using Netscape Navigator," said Champagne, who noted
    that French police have threatened to search his house and confiscate
    his computers if he similarly runs afoul of the law again.
    
    According to Champagne, he is weighing the possibility of closing
    Kitetoa.com and discontinuing his writings about insecure sites, but
    he said he has not yet made a decision.
    
    One option not being considered by Champagne is hiring himself out as
    a security consultant.
    
    After Kitetoa discovered several insecure internal databases at
    ChoicePoint's site earlier this year, officials at the online data
    firm inquired whether Kitetoa would be willing to assist in a security
    audit of ChoicePoint's Web properties.
    
    Champagne declined the offer, stating simply, "I don't sell anything."
    
    Kitetoa is at http://www.kitetoa.com

    ISN is currently hosted by Attrition.org