Re: Bugfinder Being Indicted As Criminal ("Counterfeiter") in France
> "Art. 323-3-1. - The fact of offering, of yielding or of placing at
> the disposal a data-processing program conceived to commit the
> offences envisaged by articles 323-1 to 323-3 is punished sorrows
> planned for the infringement itself or the infringement most severely
> repressed "
>
> Sure looks like the penalty for publishing an exploit tool will be
> equivalent to using the tool to commit a computer crime. I guess there
> aren't going to be any computer security conferences in France ever
> again. Will Securityfocus and PacketStorm need to filter French
> addresses? Will we have to stop selling penetration testing products
> to French citizens?
The URL you translated does not hold the current text of this (future)
law. It is now (Google translation):
" The fact, without legitimate reason, of holding, of offering, of
yielding or of placing at the disposal equipment, instrument, a
data-processing or program conceived or especially adapted to
make the facts envisaged by articles 323-1 to 323-3 is punished sorrows
planned respectively for the infringement itself or the infringement
most severely repressed."
Two important things here:
- having or distributing exploit code and/or detailed vulnerability
information and/or information about hacking techniques, will be illegal
in France.
- it will stay legal, though, if this is done for "a legitimate reason".
This is _very_ unclear. The judges will tell what, exactly, is a
"legitimate reason". Things can go _very_ bad for us, or not. The
first trial will tell... and that's a very unfortunate situation.
Many people in France will have to ask themselves if "for fun" or
"to see how someone could hack into my network" are legitimate reasons:
even if they do not distribute their code, the sole fact of writing
an exploit could lead to a 3-year jail sentence.
Magazines and web sites distributing IT security information will be
at risk, too. In France there are at least five newspapers dedicated
to computer security. Some of them have a brand name which includes the
term "hack" (like our "Hackademy Journal"), others say "security"
(like "M.I.S.C."). But all of them basically talk about the same kind
of information. Same thing with websites, which are considered as
publications by the law (same as newspapers).
So, the day one newspaper or one website is taken down by a judgement,
that will mean _all_ websites and newspapers will have to stop
distributing detailed computer security information in France.
Now let's hope the judges will be smart enough to prevent the worst
from happening.
Fozzy
Technical Director
the Hackademy Journal & School, Paris
"100% White Hat Hacking"
http://www.thehackademy.net (French, see below for English version)
-----------------------------------------------------------------------
The International edition of the Hackademy Journal is out April, 15th !
Send a blank mail to international@xxxxxxxxxxxxx to get more information
and learn how to subscribe. First issue will be free of charge.
-----------------------------------------------------------------------