Feeds

Full disclosure put on trial in France

Security research faces the guillotine?

  • alert
  • submit to reddit

High performance access to file storage

The trial of a French security researcher last week has become a cause celebre. Its outcome will decide if interested parties can "peek under the bonnet" in testing the road-worthiness of security products without falling foul of French law.

The case began more than three years ago when Guillaume Tena (AKA Guillermito) released proof of concept code to highlight security bypass and worm evasion flaws in Viguard, an antivirus product, from French company Tegam. Tena produced exploits showing that Tegam's generic anti-virus failed to stop "100 per cent of known and unknown viruses" as claimed. He posted his findings to a French usenet newsgroup in the summer of 2001 before published the research on a website in March 2002.

Tegam reacted by denouncing Tena as a 'terrorist', before sending its lawyers against him. In June 2002, Tena was prosecuted under violation of French copyright law. Tegam argued a warez version of its software was used in Tena's tests and claimed that he decompiled or disassembled Viguard and distributed part of its source code on his website. Tena denies these accusations. Tegam claims tens of thousands of Viguard users in France. However, the product is little used outside the country.

Tegam's case against Tena came to trial at a Tribunal correctionnel in Paris last week (4 January) with the prosecution calling for the 35 year-old to receive a suspended sentence of four months and a fine of €6,000. Tegam has raised the stakes and is demanding €900,000 in damages, a vast sum even the prosecutor isn't supporting. Tena, a French national researching molecular biology at Harvard University while working at Massachusetts General Hospital, hopes for an acquittal. A verdict is due to be returned on March 8.

Tena said the case could have a big impact on the French computer security community. "This case is not about violating intellectual property, it's about Tegam trying to shut me up," he told El Reg. "If security research is stifled, companies could produce a flawed product and no-one would know any better."

Although a molecular biologist by profession, Tena has maintained a hobby in computing (in particular anti-virus and steganography) since 1995. "I like to look inside programs for the same reason I'm interested in finding out the inner workings of cells," he explained.

Tena developed new viruses to test Tegam's product but he didn't post them on his website. He downplayed any suggestion his research could give ideas to malicious hackers or virus writers. Full disclosure postings are an effective means to pressurise vendors into producing more secure software, he argues.

French security researchers are alarmed at the possible impact of the case. "Full disclosure could become illegal in France," Gilles Fabienni, a security engineer at K-OTik Security Research, told The Register. He added that Tena's case predates the introduction of the EU Copyright Directive which tilts the scales of justice even further against French security researchers. ®

Related stories

California enacts full disclosure security breach law
Elcomsoft not guilty DoJ retreats from Moscow
Jury scrutinises DMCA in ElcomSoft case
DMCA strikes again in N2H2 filtering list case
Slammer: Why security benefits from proof of concept code

High performance access to file storage

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
HP ArcSight ESM solution helps Finansbank
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.