Security researcher to be jailed for finding bugs in software?

Security researcher to be jailed for finding bugs in software?

Summary: A French security researcher who published exploit codes that could take advantage of bugs in an anti-virus application, could be imprisoned for violation of copyright laws.In 2001, French security researcher Guillaume Tena found a number of vulnerabilities in the Viguard antivirus software published by Tegam.

TOPICS: Security, Legal, Malware
A French security researcher who published exploit codes that could take advantage of bugs in an anti-virus application, could be imprisoned for violation of copyright laws.

In 2001, French security researcher Guillaume Tena found a number of vulnerabilities in the Viguard antivirus software published by Tegam. Tena, who at the time was known by his pseudonym Guillermito, published his research online in March 2002.

However, Tena's actions were not viewed kindly by Tegam, who initiated legal action against the researcher. That action resulted in a case being brought to trial at a Court in Paris, France. The trial kicked off on January 4 after being deferred from its initially scheduled start date of October 5, 2004. The prosecution claims that Tena violated article 335.2 of the code of the intellectual property and is asking for a four month jail term and a 6,000 euro fine. Additionally, Tegam is proceeding with a civil case against Tena and asking for 900,000 euros in damages.

Accoridng to Tena's Web site, his research "showed how the program worked, demonstrated a few security flaws and carried out some tests with real viruses. Unlike the advertising claimed, this software didn't detect and stop '100 percent of viruses'."

Tena, who is currently a researcher for Harvard University in Massachusetts, said that Tegam responded in a "weird way" by first branding him a terrorist and then filing a formal complaint in Paris. During the resulting tribunal, Tena said the judge decided that because the published exploits included some re-engineered source code from Viguard's software, he had violated French copyright laws.

According to French security Web site K-OTik, Tena had technically broken copyright laws because his exploits were "not for personal use, but were communicated to a third party".

However, K-OTik, which regularly publishes exploit codes, claims that the ruling could create a precedent so vulnerabilities in software, however critical, could not be declared publicly without prior agreement from the software publisher.

K-OTik's editors say the ruling is "unimaginable and unacceptable in any other field of scientific research".

On Tena's Web site, he claims that If independent researchers are not allowed to freely publish their findings about security software then users will be only have "marketing press releases" to assess the quality of the software. "Unfortunately, it seems that we are heading this way in France and maybe in Europe," Tena said.

"To use an analogy, it's a little bit as if Ford was selling cars with defective brakes. If I realised that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my Web site. Then Ford could file a complaint against me," added Tena.

Philip N Argy, senior partner of the intellectual property and technology group at Australian law firm Mallesons Stephen Jaques, said that if a similar case was put to trial in Australia the prosecution would be unlikely to get a conviction because of our "fair comment provisions".

"We have strong copyright protection as well as strong anti-hacking laws, but from what I can glean from the translations, all that Guillermito did was to publish the details of the parts of the code which contained serious bugs that made the software erroneously treat as a virus some legitimate software. I'd have thought that would be at least within the fair comment provisions of Australian copyright law," said Argy.

The final ruling will be made in Paris on March 8, 2005.

Topics: Security, Legal, Malware

Munir Kotadia

About Munir Kotadia

Munir first became involved with online publishing in 1998 when he joined ZDNet UK and later moved into print publishing as Chief Reporter for IT Week, part of ZDNet UK, a weekly trade newspaper targeted at Enterprise IT managers. He later moved back into online publishing as Senior News Reporter for ZDNet UK.

Munir was recognised as Australia's Best Technology Columnist at the 5th Annual Sun Microsystems IT Journalism Awards 2007. In the previous year he was named Best News Journalist at the Consensus IT Writers Awards.

He no longer uses his Commodore 64.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • My company will never buy software from that company.
    How pathetic can you get?!
  • Reaserch in security is not possible without breaching it. Thats how laws are made iteratively, so do the security policies and softwares are made. Discourging independent resarchers is like hiding the threat(or may be hiding from threat) than facing it. These bugs would have cost industry a fortune if these bugs were found by some cracker who could break into systems and caused potentially irrecoverable damages and cost to law enforcement agencies.
  • hmmm, thats funny, what about sending all EURO-NCAP techs to jail ;) -
  • We've let it happen.
  • I completely Agree with Jane. I will never buy software from a company that takes action against some else that finds and publishes software bugs. How can you possibly trust that they won't cover up other issues or critical vulnerabilities. They are the ones that should be under legal scrutiny for not living up to the marketing claims they made about their software.
  • The question is: has Tena notified Tegam before publishing the bugs? Has he given them enough time to work out a patch? If not, then it is about time someone takes action against this so-called 'researchers'. The main reason for the recent outbreak of malicious codes is that most exploits are published before the software can be patched. By publishing the flaws, it only give the malware writers yet another way to exploit the software. Meaning, new worm variants. I can't imagine how these sporadic virus writers can discover the same flaws BY THEMSELVES only days after the exploits are announced, if only the announcement are limited to basic info and impact only. Some 'researchers' even blatantly explains HOW to exploit the flaw. Some even post the SOURCE CODE of the so-called 'proof of concept'. What good is that information to the general public? The only ones gaining practical knowledge from it are the software maker themselves, and virus writers seeking ways to hack the software. No other people can do anything with that knowledge except pressuring the software maker to work out a patch. Perhaps other rival software makers may learn to avoid the same exploits, but still the knowledge should only be limited to need-to-know basis. So the next time you see Secunia, F-Secure, or whatnot going about their next bug publishing, you should wonder whether they've good intentions by notifying the software makers months prior (and they have come out with a fix), or they're just out to make a name of themselves.

    BTW, the Ford analogy is very naive. People rarely make exploits out of car flaws, unless you're an professional GTA or ********in.
  • Get a clue.

    This is just clueless, first I think people should start to understand that "Security Research" and "Vulnerabily Research" are NOT the same things.