p2pnet.net News:- French security expert Guillaume Tena, the Harvard University researcher who posted exploits that could tap flaws in Tegam’s Viguard anti-virus application, has received a suspended e5,000 (about $6,670.00) fine. It becomes payable only if Tena publishes further information on security vulnerabilities.

Prosecutors had asked for a four month jail term and a e6,000 fine. However, Tegam is still demanding damages of e900,000 in a civil case.

In the meanwhile, Welcome to Disney World, says Tena on his web page.

“No more demonstration of security software weaknesses. It’s now forbidden in my country.”

Tena exposed flaws in anti-virus software and published proof of concept programs to demonstrate them. “That’s exactly what I did for a dozen or so steganography program, which often contained security holes so big you could pass a truck through,” he says.

“So now you have to believe the editors marketing. Welcome in DisneyWorld. All steganography programs are perfect, super-solid, unbreakable, undetectable, without bugs nor flaws. They are all perfect. Use them. Hahaha. What a joke.”

Earlier, he posted:

“It’s quite interesting to discover, from the inside, how the french justice system works,” Tega says on his web page. “I’m back from Paris. I’ve just been indicted and charged of distributing programs that contained part of copyrighted material (literally translated, it’s ‘counterfeiting and concealment of counterfeiting’). Maximum punishment for these charges are two years in jail and a fine of 150.000 euros. I’m not yet judged guilty or innocent, but I already had to pay around two or three thousands dollars for two trips to Paris (I live in Boston, MA, USA), plane tickets, and lawyer fees.”

Chaouki Bekrar, a security consultant and co-founder of French Web site K-Otik, told ZDNet Australia that although it’s good news that Tena didn’t land in jail, it’s bad for France’s security research industry.

” Publishing a security vulnerability or a proof of concept using reverse engineering or disassembly is now illegal in France,” he’s quoted as saying, gong on, “how can a researcher publish a vulnerability if he can’t study the software’s structure?”

The Harvard Crimson quotes Tena, who researches the immune systems of plants, as saying “fooling around” with computers has always been a hobby, and that “detecting ways to fight bugs in biological research is similar to finding bugs in computer programs”.

Here’s hoping …
“After reading both Tena’s and Tegam’s side, the crux of the argument does not seem to be addressed,” posted p2pnet reader Tom K following news of the Tegam suit, going on:

“If Tena supposedly violated Tegam’s copyright, how was he privy to copyrighted material? Did he hack into Tegam’s systems, steal source code, and publish it to the world? I certainly don’t think so; hardly the type of thing a molecular biologist would have the time to do.

“Seems to me that Tena was curious about a security product, found vulnerabilities, and published his findings. Such a practice can be deemed needed or dangerous depending on one’s point of view. Personally I see both the costs and benefits. To use Tena’s own analogy, I’m glad that public disclosure of Ford’s safety problems years ago lead to better tire development and increased safety. At the same time, I would not want detailed blueprints and security procedures for government buildings in Washington DC to be available to those who would use them to cause death and destruction.

“I would rather security professionals report vulnerabilities to producing vendors privately and allow them to fix the problem. However, this is not law, and this is not what has Mr. Tena facing imprisonment.

“If one removes this value judgment argument and concentrates on the indictment itself, it would seem (from a cursory point of view) that Tegam’s accusation is ridiculous on its face. Tegam seems not to be trying to protect its intellectual property from unauthorized duplication but rather protect its product from bad press. The former is prevention of theft; the latter is the suppression of dissent.

“I hope our brothers across the Atlantic hold individual liberty dear enough to rule wisely in this case.

“Tom K.
CISSP (Information Security Professional), USA”

Something you think we should know? tips[at]p2pnet.net

===================

See:-
Viguard anti-virus – Tena vs Tegam, p2pnet, January 11, 2005
web page – The end, March 8, 2005
ZDNet Australia – Publishing exploit code ruled illegal in France?, March 9, 2005
Harvard Crimson – Software Company Sues HMS Researcher, January 21, 2005

This entry was posted on Wednesday, March 9th, 2005 at 3:05 pm and is filed under Uncategorized. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

HOME

Viewed 1639 times