Welcome to p2pnet.net - The original daily p2p and digital news site. Always First!

Tena vs Tegam

p2pnet.net News:- French security expert Guillaume Tena, a Harvard University researcher who posted exploits that could take advantage of bugs in Tegam’s Viguard anti-virus application, could land in jail for violation of copyright laws.

He published his findings online in 2002 but Tegam sued Tena, says ZDNet Australia, going on:

“That action resulted in a case being brought to trial at a Court in Paris, France. The trial kicked off on January 4 after being deferred from its initially scheduled start date of October 5, 2004. The prosecution claims that Tena violated article 335.2 of the code of the intellectual property and is asking for a four month jail term and a 6,000 euro fine. Additionally, Tegam is proceeding with a civil case against Tena and asking for 900,000 euros in damages.”

“It’s quite interesting to discover, from the inside, how the French justice system works,” Tena says on his web page. “I’m back from Paris. I’ve just been indicted and charged with distributing programs that contained part of copyrighted material (literally translated, it’s ‘counterfeiting and concealment of counterfeiting’). Maximum punishment for these charges is two years in jail and a fine of 150.000 euros. I’m not yet judged guilty or innocent, but I already had to pay around two or three thousand dollars for two trips to Paris (I live in Boston, MA, USA), plane tickets, and lawyer fees.”

The final ruling will be made in Paris on March 8, 2005.


Viguard vs Guillermito
By Guillaume Tena

Indicted

March 31: This is a quick translation of the original page I wrote in French. When I’m pissed off, I write much better in French :)

Let’s start from the beginning. In 2001 and 2002, two journalists suddenly pop up in the French usenet forum fr.comp.securite.virus. They are preparing a series of two articles (published in no. 9 and no. 12) in the paper magazine "Pirates Mag’" (an independent journal, 2600-style, which is now almost officially forbidden) about the French generic anti-virus Viguard, by a company called Tegam. They need some independent point of view, and my curiosity about security software is piqued. In March 2002, I published on my website a long analysis about this software. This webpage showed how the program worked, demonstrated a few security flaws, and some tests with real viruses. I showed that, unlike the advertising claimed, this software didn’t detect and stop "100% of viruses". So, nothing really extraordinary. The company first reacted in a weird way: they denounced me publicly as a "terroriste", probably a nice attempt to make me change my mind. Later on, they filed a formal complaint against me in a Paris tribunal. The computer on which my website was hosted in France was seized by the police, and disconnected (the incriminating analysis of the anti-virus is still present – written in French – on the Internet Archive, and cached by some other people). The redirection with which I signed my e-mails and Usenet posts (guillermito.net) was blocked at the French registrar level, to follow a judge’s orders. The actual problem is that I coded and shared a few "exploits", i.e. the practical demonstration of my theoretical analysis, which demonstrated the reality of the flaws I discovered, in a way that everybody could reproduce them on their own computer. The judge says that these demonstrations "reproduce and copy the code and structure of the Viguard software", hence the counterfeiting. Since then, I analysed the same way a dozen steganography programs (in English this time), and coded a few exploits for them too.
Some of these programs claim to be "unbreakable" or use "military grade encryption", but the hidden data is actually very easily detectable and often retrievable. No security at all.

If independent researchers cannot analyse security software and publish their discoveries, final users will just have marketing press releases from editors to assess the quality of a software. Unfortunately, it seems that we are heading to this kind of world in France and maybe in Europe.

To use an analogy, it’s a little bit as if Ford was selling cars with defective brakes, if I realized that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my website. And then Ford filed a complaint against me for that.

More in my professional domain, because I am a biologist and my job is to discover how biological systems work and publish my results, one can imagine the scandal if a pharmaceutical company filed a complaint against me because I published, for example, that a drug is not as efficient as their advertising claims.

But when we are talking about computer security, there is no more rationality.

There is something very strange when you are in front of the judge who is doing the preliminary investigation: we do not speak the same language. I’m unable to understand law jargon, and the person in front of me does not understand anything about computer security and the internet. The lawyer is supposed to be the translator. But the lawyer in this case cannot speak during my declarations. It’s kind of weird. You have to find a good argumentation, try to explain in simple words complex methods, how programs work, try to show that the accusations of the company are basically void.

There never was a similar judgement in France. The few "counterfeiting" cases I could find concerned people who copied and sold hundreds of unlicensed programs, to make some money. That’s very different from my case. So my case, like the Tati/Kitetoa case before (Kitetoa showed a commercial website flaw; I showed a commercial software flaw; in both cases the company filed a complaint; Kitetoa was finally cleared of any wrongdoing after two years of a costly procedure), is going to set a precedent. The question: is it possible in France today to publish software flaws, and the practical demonstration of these flaws? I am not yet judged, but I am pessimistic about it, and it seems that we are heading towards a negative response. If I am declared guilty, full disclosure is going to be de facto forbidden in my country. Users will have to use marketing press releases from editors to be informed. Except Transfert (RIP – it was an excellent online news agency) and a few friends, nobody really seems to care about it.

For those of you who are not familiar with the computer security world, numerous advisories about software flaws, often including the code to exploit them, are published daily in very famous mailing-lists like Bugtraq and others. Government official organizations in France like the CERTA do the same thing. Even computer engineering schools like EPITECH ask their students to find flaws in anti-viruses. Everybody does it. It’s an accepted and widespread methodology to increase the global security level. Even behemoth editors like Microsoft accept it, although not always with good grace, and thank people who discover flaws. I am indicted for doing the exact same thing.

It’s a nice world we are heading towards. A world in which software editors have the right to lie blatantly, but an isolated individual cannot publish the technical truth. No more possible counter-balance power. Everything for companies, and too bad for consumers.

To give a quick feeling about the good faith of the two parties involved here, let me remind the reader that the company which filed a complaint against me, Tegam, accused me publicly six or seven times at the beginning of 2002 of being a "terrorist wanted by the DST (French secret service) and the FBI", and a "computer pirate". The truth, because I have to tell it, is that I am a researcher in molecular biology in both the department of Genetics of Harvard University and the department of molecular biology in the Massachusetts General Hospital, two venerable institutions which, as everybody knows, are very famous for employing a lot of terrorists. This same company claimed that its software detected "100% of known and unknown viruses". I’ve shown that, of course, it was untrue. I’ve read in several forums that I "worked for another anti-virus company". That I was probably part of a conspiracy, "paid on secret bank accounts". That I was "hiding in an offshore country". That I was part of an "economic war" against them. Everything is false. Another example of their ethics? The basis of Tegam marketing is about the danger of classical anti-virus scanners which use a database of signatures. But discreetly on their website, they distribute a scanner using signatures [Update April 20: the link disappeared, but this scanner is now available here, and, oh surprise, it is now distributed under the GPL, maybe because of this message?]. A lot of friends do not believe me when I tell all of this, like a company would never do that. But unfortunately, I’m not inventing any of this.

Of course I’m going to defend myself, with the help of my (excellent) lawyer, but to be frank, I’m kind of pessimistic. It’s so easy to impress judges with heavily connoted words like "virus", "pirate", "terrorist", "hacker", and it’s so difficult on the other hand to explain the scientific method and the deep curiosity that makes us analyze how software works and find their flaws.

Eternal war against money and knowledge. I’ve chosen my side a long time ago.


5 Responses to “Tena vs Tegam”

  1. Reader's Write Says:

    Good luck buddy!

  2. Reader's Write Says:

    I’m still not clear why a Harvard University researcher can be accused in France.
    Is it a legal implication of having a measly web page hosted in France?
    It was my understanding that you had to prosecute people in their home country.

  3. Reader's Write Says:

    other links :

    http://www.k-otik.com/news/08312004.Guillermito.php
    http://www.theregister.co.uk/2005/01/12/full_disclosure_french_trial/
    http://news.com.com/Researcher+faces+jail+for+finding+bugs/2100-7348_3-5531586.html?tag=cd.top

  4. Reader's Write Says:

    There is one way to stop the software cartels and their buddies on the bench from bullying people, and that is by not using products designed by the software cartels unless absolutely necessary (when there is no free alternative).

    When forced to use software made by the software cartels, consider making donations to their open source competitors or working on an open source version yourself if you have the capability.

    I feel the same about the music cartels. I don’t download their products. I don’t buy their products, nor do I listen to their products on the radio. I find plenty of talent out there (thanks to p2p) that is not sponsored by the cartels that deserve a chance to compete. I see, for example, that crappy music can make the “Top 40” after weeks of being played on the radio. It is amazing what free advertising can do. Just imagine what will happen when Microsoft breaks big into the content provider industry. Imagine all the free advertisement Microsoft can use for their products while their competitors have to pay for their advertisement.

    I’m a strong proponent of capitalism, and I believe that neither cartels nor governments should be in the business of suppressing fair competition. Unfortunately, both governments and cartels are effectively blocking competition. The good news is that I see a change of heart in consumers. Thanks to the Internet, the cartels are now being forced to compete. The cartels do not like competition, so they are fighting back with DRM, frivolous criminal and civil prosecution, and other means. Educating (or getting rid) of judges who are being used to bully consumers and whistle blowers would be an ideal partial solution. Another solution would be to not buy products infected with DRM. To fight the software cartels, I recommend http://www.sourceforge.net and to fight the music cartels, I recommend using p2p software and http://www.p2pnet.net .

  5. Reader's Write Says:

    After reading both Tena’s and Tegam’s side, the crux of the argument does not seem to be addressed. If Tena supposedly violated Tegam’s copyright, how was he privy to copyrighted material? Did he hack into Tegam’s systems, steal source code, and publish it to the world? I certainly don’t think so; hardly the type of thing a molecular biologist would have the time to do.

    Seems to me that Tena was curious about a security product, found vulnerabilities, and published his findings. Such a practice can be deemed needed or dangerous depending on one’s point of view. Personally I see both the costs and benefits. To use Tena’s own analogy, I’m glad that public disclosure of Ford’s safety problems years ago led to better tire development and increased safety. At the same time, I would not want detailed blueprints and security procedures for government buildings in Washington DC to be available to those who would use them to cause death and destruction.

    I would rather security professionals report vulnerabilities to producing vendors privately and allow them to fix the problem. However, this is not law, and this is not what has Mr. Tena facing imprisonment.

    If one removes this value judgment argument and concentrates on the indictment itself, it would seem (from a cursory point of view) that Tegam’s accusation is ridiculous on its face. Tegam seems not to be trying to protect its intellectual property from unauthorized duplication but rather protect its product from bad press. The former is prevention of theft; the latter is the suppression of dissent.

    I hope our brothers across the Atlantic hold individual liberty dear enough to rule wisely in this case.

    Tom K.
    CISSP (Information Security Professional)
    USA
