Harvard University researcher punished for finding bugs

Summary:French security expert Guillaume Tena has lost an appeal and been fined in a closely watched case which could have widespread ramifications for the way security researchers publish information about flaws in products. The brouhaha kicked off in 2001 when Tena -- who at the time was known by his pseudonym Guillermito -- found a number of vulnerabilities in Tegam's Viguard anti-virus software.

French security expert Guillaume Tena has lost an appeal and been fined in a closely watched case which could have widespread ramifications for the way security researchers publish information about flaws in products.

The brouhaha kicked off in 2001 when Tena -- who at the time was known by his pseudonym Guillermito -- found a number of vulnerabilities in Tegam's Viguard anti-virus software.

Tena subsequently published his findings without cooperation from Tegam, who elected not to respond to several e-mails from him on the topic. Tegam subsequently accused Tena of violating copyright laws in his writings on the topic because as well as the exploit, he also included extracts from Viaguard's source code.

Tegam and Tena -- who now works for Harvard University in the United States -- have been involved in various legal processes since, but the case finally closed on February 21 when Tena lost his appeal against a verdict in Tegam's favour from a French court in June 2005.

However, the court chose to fine the researcher the equivalent of AU$23,000 -- far less than was originally flagged.

On Tuesday, Tena told ZDNet Australia  that he was unhappy about the outcome because it means software developers will be encouraged to go to court instead of fixing their products.

"Now computer companies will have a nice precedent.... They just have to wait for the researcher to publish his findings -- [a] detailed technical article with maybe some code or proof of concept -- and then they will sue. And they will win," said Tena.

However, Tegam's ex-chief technology officer (CTO) Eyal Dotan told ZDNet Australia  that the company supported full disclosure. He said the case was, however, about copyright issues.

"Neither [myself] nor Tegam are against full disclosure -- I'm actually giving lectures on security and showing attack methods in computer institutes and BlackHat. This was a copyright action, and this is what the judges concluded; not a trial against full disclosure," said Dotan.

This point is disputed by Tena, who argued that copyright and full disclosure go hand in hand: "If you want to publish an article ... you need to make all the information public.... That's how science works."

"In my case, I published 65 bytes.... I had to do that in order for other people to verify if what I said was right or wrong," he said, pointing out that this was a minute proportion of the software. "I naively thought that this would fit into an 'short citation' exception, that allows people to cite one or two phrases from a book without being sued," he added.

Tena believed he was justified in reproducing the data: "Computer security is all about trade-off. Is it better to publish a handful of copyrighted bytes to warn users that there is a flaw ... or is it better to just shut up," he said.

Tena's actions were praised by Rod Fewster, chief executive officer of Anti-virus Australia, which distributes the NOD32 Anti-virus application by ESET. According to Fewster, Tena should have been 'given a medal' instead of being sued.

"My personal view is that if I had a product that had flaws in it to the extent that the Tegam product had then I would be happy if a researcher came along and told me -- so I could fix them. If he had done it to me I would have given him a medal," Fewster told ZDNet Australia .

Fewster went on to say that software developers should be pleased when unpaid researchers such as Tena do their work for them: "Look at Microsoft. People are publishing exploits about Microsoft all the time. They are reverse engineering the operating system and Microsoft always patches the holes. They don't sue the guys."

"It is saving [Microsoft] a fortune -- I am sure they are happy to have this army of unpaid people looking for flaws," added Fewster.

Tena is concerned that researchers will be less keen to share their findings because of the threat of legal action.

"I am pretty sure that [researchers] will now think twice before publishing a discovery.... The real losers in this case are not the companies, not even the researchers. It's the end user. The only source of information for them will be advertising and computer magazines, who survive only because of the advertising by companies," said Tena.

The only ray of light for Tena was that Tegam's demands for almost one million euros in damages was slashed: "You have to remember that they asked for 900,000 euros and only got 14,300 euros, which I don't really consider a victory," Tena added.

Topics: Security

About

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.Munir was recognised as Austr... Full Bio

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.