Forwarded from: Kitetoa at Kitetoa.com <kitetoa@private>

> Forwarded from: security curmudgeon <jericho at attrition.org>
>
> Would be nice if some of the French speaking list members could
> translate the court ruling and help clear this up.

*************************************************

The question is starting to spread on the computer security mailing lists and forums. Is the trial "Tegam versus Guillermito", and the resulting suspended 5000 euro fine for counterfeiting and distributing a proof of concept program, a threat to the right to search for bugs? Does this judgment mean the end, in France, of the full disclosure concept? Does it create a permanent legal risk for security experts? In other words, is there a legal risk for all bug researchers if a company does not accept criticism of its software, as was the case in the Tegam versus Guillermito trial?

Let me tell you what **I** think (what **I** think may not be true, who knows?).

Yes and No

Let's get back to the verdict. This is a personal analysis, not a legal analysis, as I'm not a lawyer...

Guillermito was found guilty of counterfeiting and of publishing the result of the counterfeit stuff (which in fact were a few P.O.Cs). This means that the court indeed considered that Guillermito *is* guilty of counterfeiting Viguard, Tegam's software (because he didn't have a valid licence). According to the judges' ruling, he did publish the counterfeit software.

How do you do this when you are studying how a piece of software works (or doesn't work as it should)? Guillermito did not buy his software (he lives in the US, where he could not buy it in the stores or online, and there was no demo version available). Later on, before publishing anything on his website, a Viguard user sent him his own software and licence number. But the court did not buy this argument.

So... Guillermito worked on an unregistered version of Viguard. He wrote a few P.O.Cs (proofs of concept). And he published these P.O.Cs on his web page. That is why the ruling says he did publish the "counterfeit software". Keep in mind all this is about intellectual property and has nothing to do with re-creating a brand new Viguard, which he didn't.

Security experts might say that because of all these details, the situation is a little bit different from what they deal with every day. There is also a big debate (the court didn't even mention this fact) because Tegam says Guillermito used decompilation, which he strongly denies. Same for the fact that Guillermito could not get a valid licence of Viguard, as it is not sold in the US. Same for the fact that, apparently, Tegam did include Guillermito's findings in their next software version. But judges only look at the legal part. They didn't get much into the technical side for the ruling.

So... will this ruling set a legal precedent for full disclosure? Yes and no...

Yes, because as far as I know this is the first time in this country that a bug hunter is sued by a software company (sir, he hadn't got a licence!). In a future case like this one, a lawyer will certainly mention this precedent. The judge will not **have to** take the same decision. Moreover, this is just a first decision. There may be an appeal.

No, because in this case, Guillermito didn't own a valid licence of this software. Obviously French bug hunters will dodge this kind of problem by buying the software they want to analyze. Of course, it will be impossible to publish anything about a non-French program that cannot be bought in a store or online.

This being said, this decision will produce some collateral damage on bug hunting.

As we already wrote about it on kitetoa.com, French computer security mailing lists, French computer security firms, individuals, CERTs or CERTA will take a heavy legal risk if at one point they decide to publish an advisory written by someone from another country, without knowing if the hacker had a valid licence for the software. They could probably be sued for publishing counterfeited information if there is a POC.

So, we can say that France just shot herself in the foot. It is now difficult to publish and spread computer security information, because each time, people will have to verify that the work was done on software with a valid licence. Good luck.

Here are, for those who read French, some comments on this case made by a lawyer who followed the whole story and was present during most of the trial:

http://maitre.eolas.free.fr/journal/index.php?2005/03/08/87-guillermito-condamne-mais-tres-legerement

Finally, after reading this excellent comment by Maitre Eolas, computer specialists can wonder about the number of bytes reproduced in the POCs, which transform them into counterfeiting. Viguard is probably around several megabytes of data. For how many reproduced bytes do we have counterfeiting, if we don't have a valid licence? And what about if we do have a valid licence?

Read also in English:

http://www.eweek.com/article2/0%2C1759%2C1758513%2C00.asp
http://www.theregister.co.uk/2005/03/10/tegam_verdict/
http://www.theregister.co.uk/2005/01/12/full_disclosure_french_trial/
http://www.zdnet.com.au/news/security/0%2C2000061744%2C39183862%2C00.htm
http://www.zdnet.com.au/news/security/0,2000061744,39176657,00.htm
http://www.zdnet.com.au/news/security/0,2000061744,39176920,00.htm

_________________________________________
Bellua Cyber Security Asia 2005 - http://www.bellua.com/bcs2005
This archive was generated by hypermail 2.1.3 : Fri Mar 18 2005 - 01:54:46 PST