
Vuln Info Disclosure may become illegal in France [was: Re: Bugfinder Being Indicted As Criminal]



> This article now reads (roughly translated):
>
> (...)
>
> This article is not applicable when the offering, the yielding or
> the placing at disposal is justified by the needs of scientific or
> technical research or by the needs of the security or protection
> of communication networks or information systems"


This is no longer true. The law has gone through many discussions and
changes. Currently it only says "without legitimate reason", and no
longer refers to research or security. Unfortunately.


The current version of the text can be found here (French; I Google-
translated the relevant part of article 34 in my previous post,
with minor changes: the current law forbids "any data" too, not only
programs and equipment!):
http://www.assemblee-nationale.fr/12/ta/ta0235-2.pdf

Official information on this law, including interesting discussions of
Senators and Deputies about this article 34, can be found here (French):
http://www.assemblee-nat.fr/12/dossiers/economie_numerique.asp

It seems French senators and deputies know only about viruses and remote
access software. They don't talk about exploits or vulnerability
information disclosure. Note that this law can still change, but it's
not likely. It will be examined by the Senate tomorrow and the day after
tomorrow. If you know a French senator, it's time to go talk to him!


This law - in its current state - _could_ outlaw anyone who downloads
a tool from securityfocus.com or packetstorm, or publishes detailed IT
security information (on their websites, on Bugtraq...).
Basically, with this law, it _may_ be illegal to write, distribute or
even read an article such as the one from Aleph1 about how to exploit
buffer overflows and write shellcode. Unless this is done "for a
legitimate reason", of which I bet a Phrack author may have some
difficulty convincing the judges. It means: if you can't give
a legitimate reason (the fact that there is no illegitimate reason does
not matter!) you can be sentenced to 5 years' imprisonment. As security
experts, we all know some articles and code like Aleph1's allowed
major advances in computer security. But would a French judge say so?

More importantly, many independent vulnerability researchers may
have such pressure on their heads that they will no longer publish
their results, thus keeping useful security knowledge hidden
underground. And obviously, the law will not stop "black hat" hackers
from sharing this information... The unintended result of this law would
be a decrease in the security of people and companies connected to the
Internet, except for a small group of (underground?) security experts.

But the actual impact of this law will really depend on the first
judgement. Anyone volunteering for a trial?



Fozzy

Technical Director
the Hackademy Journal & School, Paris
"100% White Hat Hacking"
http://www.thehackademy.net (French, see below for improved English
version)

-----------------------------------------------------------------------
The International edition of the Hackademy Journal is out April 15th!
Send a blank mail to international@xxxxxxxxxxxxx to get more information
and learn how to subscribe. First issue will be free of charge.
-----------------------------------------------------------------------