France Makes Finding Security Bugs Illegal

From CNet:

Researchers who reverse-engineer software to discover programming flaws can no longer legally publish their findings in France, after a court fined a security expert on Tuesday.

Edited to add:

Seems like the case did not center around the publication of the bug, but the use of pirated software.

Posted on March 23, 2005 at 9:15 AM • 14 Comments

Comments

Israel Torres • March 23, 2005 9:43 AM

Big surprise: It's France.

Solution:
publish freely = create nym + find an anonymizing service (not JAP);

ivir yr senapr!

Israel Torres

Yves • March 23, 2005 9:56 AM

It's not really the case. Actually, Guillaume lost his case because he used a pirated version of the software to find vulnerabilities. From a lawyer's point of view, this is not a trial against full disclosure, and if he had used a legitimate version of the software he wouldn't have lost...
More info (in French) on http://maitre.eolas.free.fr/journal/index.php?...
Use google to translate. This guy is a lawyer and followed the case from the start.

Reese • March 23, 2005 10:23 AM

Yes, the courts found he was using an "illegal" copy of the software, whatever that means. Trialware versions of the Viguard antivirus product can be freely downloaded. http://www.viguard.com/en/download.php is the English language download page, I didn't look further. Yes, had he shown that he was using a bought & paid for copy, he would have been in a better position, legally. Meanwhile, the 5,000 euro suspended fine and Tegam's 900,000 euro civil case against Guillaume are blatantly vindictive, and other security researchers in France seem to consider themselves on notice, per the CNet article. This is a bad ruling. It is damaging to the security community at large and to the French security community more specifically. It needs to be overturned or thrown out.

Reese

Chris Wysopal • March 23, 2005 10:40 AM

A company in the US, Sybase, wants to do the same thing using the clause in their EULA which forbids publication of "benchmark and performance" data which is how they classify vulnerability information.

eWeek has a full story:
http://www.eweek.com/article2/...

-Chris

Guillermito • March 23, 2005 5:35 PM

> This was debunked some time ago

Well, as you are talking about me, I have the written judgement right in front of my eyes, and the judge says (bad translation is mine) :

"... so Guillaume T. actually reproduced, modified, and re-assembled all or a part of V. software, and then freely distributed software based on the sources of the V. software. So he will be declared guilty and condemned..."

To me, that sounds like a condemnation of full disclosure. If I hadn't published a proof of concept containing a handful of bytes (two XOR keys), I would never have been found guilty. If you want to see what this PoC looked like, it's here (in bold are the bytes from the software; obviously I changed the values).

http://www.guillermito2.net/tmp/vgnaked.asm.html

It's a condemnation of full disclosure for another reason, way beyond my own personal case (I live in the US, this particular software is not sold here, and there was no demo or trial for download): now the French CERTs, or even security mailing lists, cannot publish any proof of concept if they don't know and cannot verify whether the original bug hunter had a valid licence for the software or not.

To publish a vulnerability in France now, you have to prove that you bought the software. I don't think it's a step in the right direction for information and for raising the global security level.

Kitetoa • March 23, 2005 6:01 PM

How many bytes do you have to copy to counterfeit a piece of software in France and stop being a bug hunter...?


The computer expert report, which was heavily used by the judges to condemn Guillermito, clearly indicates that he "disassembled, then reassembled some parts of Viguard software". The court condemned Guillermito for counterfeiting and publishing counterfeit data.

In my previous post, about the possible consequences of this legal precedent on bug hunting and full disclosure, I ended with a question:

"Finally, after reading this excellent comment by Maitre Eolas, we can - as computer specialists - wonder about the number of bytes reproduced in the PoCs which turns them into counterfeiting. Viguard is probably around several megabytes of data. How many reproduced bytes make a counterfeit, if we don't have a valid licence? And what if we do have a valid licence?"

Let's try to answer this question by simply looking a little more closely at Guillermito's analysis of the Viguard software.

The computer expert report clearly mentions a "utilisation and adaptation of the source of Viguard".

Let's see how many lines of source code Guillermito used or adapted.

According to the bug hunter, not a single one. He says he never decompiled the software and never published any source code. Nor did he publish any disassembled listing.

So what did he actually publish? A few signatures used in boot virus detection, the precise boot verification routine but without any code, and a few keywords considered dangerous that Viguard detects inside scripts, all from memory.

During the judicial investigation, it seems that all the attention focused on a proof of concept named VGNaked.

This program deals with database files, called certify.bvd, created in each directory by Viguard, which store some information about each program in that directory. If you run it, you get two new files: certify.dec, which is in the same binary format except that it is now decrypted, and certify.dmp, which is a dump, a sort of human-readable version of the content of the original database file. Guillermito needed to know the content of these database files to find some vulnerabilities. For example, because Viguard only stored the first 16 bytes of code in the executable section of a Windows PE file, any virus that modified more than these 16 bytes couldn't possibly be repaired by Viguard. He needed to show proof of this claim, hence his proof of concept program.

These certify.bvd database files created by Viguard are encrypted with a fixed XOR key, obviously found in memory when Viguard is run. Guillermito got these keys from memory and used them to decrypt these databases, as said above. This knowledge, in turn, was used later to find subsequent vulnerabilities (for example, a trojan could create on the fly a tailored database file for itself and immediately become certified and so not detected by the anti-virus).

In the assembler source of his program, "VGNaked.asm", you can see all the code. Including, close to the beginning, in the data area, the infamous XOR key (so important that, in the next versions of Viguard, these keys are no longer used and the database files aren't encrypted anymore).

It looks like this (obviously, the exact values of the bytes were changed; I would not like Tegam to accuse me of publishing anything counterfeit ;)):

stupid_xor:
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0

stupid_xor_for_docs:
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0, 0, 0, 0, 0, 0
db 0, 0, 0

There are two keys. One for executables, and one for documents.

35 and 30 bytes (plus 15 bytes in another key in another PoC).

And that's it. All of what Guillermito "stole" from Viguard. 80 bytes from the memory, not even executed code.

More or less, with Viguard weighing around 8 MB, Guillermito cited 1/100,000th of this program. Ten millionths.

Isn't that a beautiful example of counterfeiting? Computer experts who may be reading us now know that very often their own research could now be considered "counterfeiting" in France, and they can be sued for 80 bytes.

You can check what is written above by reading for yourself the archived version of Guillermito's analysis page, which detailed his research.

Tegam filed a complaint on June 6th, 2002. Here is Guillermito's page as archived on June 1st.

http://web.archive.org/web/20020601124224/http://...

You can also play "The Game of Counterfeiting" by clicking here, to have some fun (find the red X, which is **the** ten millionths cited above).

http://www.kitetoa.com/Pages/Textes/Textes/...
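
The two comments above (Guillermito's and Kitetoa's) describe what VGNaked actually did: XOR a certify.bvd file with a fixed key found in memory, read the records, and then use that knowledge to forge a "certified" entry and to show that a 16-byte stored code prefix cannot repair a larger infection. The Python below is an added example for this thread, not VGNaked and not Viguard's real file format: the record layout, the 35-byte key, the sample programs and their bytes are all constructed here. It shows why a fixed repeating XOR key is obfuscation rather than protection: the key falls out of any known plaintext at least as long as the key, and without a MAC the database content is attacker-controlled.

```python
"""Repeating-key XOR "encryption" of an integrity database, and why it is not
a security boundary. Added example, not VGNaked and not Viguard's format."""
import struct

# Constructed 35-byte key standing in for the fixed key that lived in memory
# (the real key bytes are not on this page and are not reproduced here).
STUPID_XOR = bytes(range(0x11, 0x11 + 35))
CODE_PREFIX_LEN = 16  # per the comment, only the first 16 code bytes were stored


def xor_repeating(data, key):
    """XOR data with the key repeated; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def pack_record(name, code_prefix):
    """Hypothetical record: 2-byte name length, name, 16-byte code prefix."""
    assert len(code_prefix) == CODE_PREFIX_LEN
    name_b = name.encode()
    return struct.pack("<H", len(name_b)) + name_b + code_prefix


def parse_records(plain):
    """Inverse of pack_record over a whole decrypted database."""
    out, i = [], 0
    while i < len(plain):
        (n,) = struct.unpack_from("<H", plain, i)
        i += 2
        name = plain[i:i + n].decode()
        i += n
        out.append((name, plain[i:i + CODE_PREFIX_LEN]))
        i += CODE_PREFIX_LEN
    return out


def recover_key(ciphertext, known_plaintext, key_len):
    """A fixed key needs no memory dump: any known plaintext of at least
    key_len bytes gives key[i] = ciphertext[i] ^ plaintext[i]."""
    assert len(known_plaintext) >= key_len
    return bytes(c ^ p for c, p in zip(ciphertext[:key_len], known_plaintext[:key_len]))


def certify_trojan(db_cipher, key, name, code_prefix):
    """Forge a record for an arbitrary binary: decrypt, append, re-encrypt.
    Nothing authenticates the file, so the 'certified' set is whatever the
    writer wants it to be."""
    plain = xor_repeating(db_cipher, key)
    return xor_repeating(plain + pack_record(name, code_prefix), key)


def repair_from_prefix(infected, stored_prefix):
    """Repair with only a 16-byte prefix on file: bytes past offset 16 are
    whatever the infector left there."""
    return stored_prefix + infected[CODE_PREFIX_LEN:]


def build_sample_db():
    """Constructed sample: two 'installed programs' with made-up code prefixes."""
    prefix = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    records = [("notepad.exe", prefix), ("calc.exe", prefix)]
    plain = b"".join(pack_record(n, c) for n, c in records)
    return xor_repeating(plain, STUPID_XOR), records


if __name__ == "__main__":
    cipher, records = build_sample_db()
    # An attacker who knows which public binaries are present knows the plaintext.
    known = pack_record(*records[0]) + pack_record(*records[1])
    print("key recovered:", recover_key(cipher, known, len(STUPID_XOR)) == STUPID_XOR)
    forged = certify_trojan(cipher, STUPID_XOR, "evil.exe", b"\x00" * 16)
    print("certified set:", [n for n, _ in parse_records(xor_repeating(forged, STUPID_XOR))])
    original = b"A" * 64
    infected = bytearray(original)
    infected[0:4] = b"JMP!"      # within the stored prefix: repairable
    infected[40:44] = b"VIRS"    # beyond it: survives the repair
    print("repair restores original:", repair_from_prefix(bytes(infected), original[:16]) == original)
```

The known-plaintext recovery is the part worth noting for the legal argument in the thread: the key bytes the court counted as "counterfeit" are derivable by anyone holding one installed program and its certify.bvd, so their publication added nothing an attacker could not compute.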

wiz • March 23, 2005 6:45 PM

Everybody seems to want to stop independent investigation of "malware" as well as shut up the critics of same: "CEASE & DESIST" letters & threat of lawsuits to CastleCops, SpywareWarrior, etc. M$ not sued yet for their classification of "Spyware". Will they, w/ deep pockets, and cause of Windows LACK OF SECURITY cave in? Or, will they w/ NDA's lead the pack to prevent INDEPENDENT disclosure of flaws in OS & "default" installations?

Curt Sampson • March 23, 2005 10:19 PM

Bruce, you're always talking about using legal liability as a stick to get companies to "do the right thing" when it comes to security. I wonder if there wouldn't be some way to apply this idea to this sort of situation, or any situation where companies make it harder for their users to make their system more secure.

For example, perhaps a company ought to have less liability for a security problem if they distribute source code to their users, since this gives the users themselves a means of finding (and, if given a build system, patching) security flaws. Contrariwise, a company that denies their users this, forcing them to rely exclusively on the company for security fixes, might then have more liability should they not discover the problems or not fix them quickly.

This might also help the problem of liability laws versus open-source software. I've always felt that putting too much liability on the authors could badly hurt open source, since who would want to release something that could bankrupt him?

Phillip Hofmeister • March 24, 2005 6:10 AM

Tegam is also proceeding with a civil case against Tena, in which it is asking for 900,000 euros in damages.

------------

It's too bad they will probably not be paying damages to any of their customers who were adversely affected by this problem =(.

Israel Torres • March 28, 2005 11:38 AM

@Carlos,

I had meant to say:
ivir yr erfvfgnapr!
however I can blame it on no coffee ;)

Israel Torres


Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..