Harvard University researcher punished for finding bugs

Summary: French security expert Guillaume Tena has lost an appeal and been fined in a closely watched case which could have widespread ramifications for the way security researchers publish information about flaws in products. The brouhaha kicked off in 2001 when Tena -- who at the time was known by his pseudonym Guillermito -- found a number of vulnerabilities in Tegam's Viguard anti-virus software.

French security expert Guillaume Tena has lost an appeal and been fined in a closely watched case which could have widespread ramifications for the way security researchers publish information about flaws in products.

The brouhaha kicked off in 2001 when Tena -- who at the time was known by his pseudonym Guillermito -- found a number of vulnerabilities in Tegam's Viguard anti-virus software.

Tena published his findings without Tegam's cooperation, after the company elected not to respond to several e-mails from him on the topic. Tegam then accused Tena of violating copyright law in his write-up because, alongside the exploit, he had also included extracts from Viguard's source code.

Tegam and Tena -- who now works for Harvard University in the United States -- have been involved in various legal processes since, but the case finally closed on February 21 when Tena lost his appeal against a verdict in Tegam's favour from a French court in June 2005.

However, the court chose to fine the researcher the equivalent of AU$23,000 -- far less than was originally flagged.

On Tuesday, Tena told ZDNet Australia that he was unhappy about the outcome because it means software developers will be encouraged to go to court instead of fixing their products.

"Now computer companies will have a nice precedent.... They just have to wait for the researcher to publish his findings -- [a] detailed technical article with maybe some code or proof of concept -- and then they will sue. And they will win," said Tena.

However, Tegam's ex-chief technology officer (CTO) Eyal Dotan told ZDNet Australia that the company supported full disclosure. He said the case was, however, about copyright issues.

"Neither [myself] nor Tegam are against full disclosure -- I'm actually giving lectures on security and showing attack methods in computer institutes and BlackHat. This was a copyright action, and this is what the judges concluded; not a trial against full disclosure," said Dotan.

This point is disputed by Tena, who argued that copyright and full disclosure go hand in hand: "If you want to publish an article ... you need to make all the information public.... That's how science works."

"In my case, I published 65 bytes.... I had to do that in order for other people to verify if what I said was right or wrong," he said, pointing out that this was a minute proportion of the software. "I naively thought that this would fit into a 'short citation' exception, that allows people to cite one or two phrases from a book without being sued," he added.

Tena believed he was justified in reproducing the data: "Computer security is all about trade-off. Is it better to publish a handful of copyrighted bytes to warn users that there is a flaw ... or is it better to just shut up," he said.

Tena's actions were praised by Rod Fewster, chief executive officer of Anti-virus Australia, which distributes the NOD32 Anti-virus application by ESET. According to Fewster, Tena should have been 'given a medal' instead of being sued.

"My personal view is that if I had a product that had flaws in it to the extent that the Tegam product had then I would be happy if a researcher came along and told me -- so I could fix them. If he had done it to me I would have given him a medal," Fewster told ZDNet Australia.

Fewster went on to say that software developers should be pleased when unpaid researchers such as Tena do their work for them: "Look at Microsoft. People are publishing exploits about Microsoft all the time. They are reverse engineering the operating system and Microsoft always patches the holes. They don't sue the guys."

"It is saving [Microsoft] a fortune -- I am sure they are happy to have this army of unpaid people looking for flaws," added Fewster.

Tena is concerned that researchers will be less keen to share their findings because of the threat of legal action.

"I am pretty sure that [researchers] will now think twice before publishing a discovery.... The real losers in this case are not the companies, not even the researchers. It's the end user. The only source of information for them will be advertising and computer magazines, who survive only because of the advertising by companies," said Tena.

The only ray of light for Tena was that Tegam's demand for almost one million euros in damages was slashed: "You have to remember that they asked for 900,000 euros and only got 14,300 euros, which I don't really consider a victory," Tena added.

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Talkback

  • I wonder?

    I wonder if the customers that use viguard antivirus are aware of this story?
    anonymous
  • Tena loses case

    Disgusting.
    ralph.becker
  • This was a copyright issue

    The ***Real*** issue is how he obtained the source code.

    The issue is not the release of the vulnerability (and anyone who believes that ANY AV product has a 100% track record is just foolish) but one of publishing the source.

    This is NOT a part of the scientific process. I think a few people who *think* they are scientists need to go get some education.

    Craig
    anonymous
  • No

    The real point is, if they had listened to him in the first place, none of this would have happened and it would have been to the benefit of all involved
    anonymous
  • salut "Raoule"

    I was wondering how much time before you came here to "troll" as usual...
    Tena lost the trial, but we all know who the real losers are
    anonymous
  • Harvard University researcher punished for finding bugs

    Very strange! only 65 bytes! doesn't the judge know about fair quoting rules in academic and other publications? Maybe he should have warned them first, but quite probably he did and they had their noses stuck up in the air and the only way to bring their noses down to a reasonably humble level was to go ahead and publish so the users would be protected in the longer term.
    anonymous
  • Harvard University researcher punished for finding bugs

    Sorry, I should have read all the comments before posting. Yes, if he has the source then how did he obtain it? Maybe he worked his way back from the object code and it was easier because the debugging hooks had been left in.

    I am not happy about restrictions on the analysis of code to see how it works. I am not happy about software patents, or the patenting of algorithms generally, let alone the patenting of obvious "ideas", and certainly in terms of the philosophy behind patent law it is hypocritical to demand protection while also manoeuvring to subvert disclosure. The lawyers are getting richer.
    anonymous
  • Scientific Method

    I was going to post my discovery of eternal youth and immortality but given the Doctors, Lawyers, Actuarial Accountants, Insurance companies, etc who would sue me...never mind...
    anonymous