| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 5 Apr 2004 23:18:09 +0200 From: Fozzy <fozzy@...france.com> To: bugtraq@...urityfocus.com Subject: Vuln Info Disclosure may become illegal in France [was: Re: Bugfinder Being Indicted As Criminal] > This article now reads (roughly translated) : > > (...) > > This article is not applicable when the offering, the yelding or > the placing at disposal is justified by the needs of scentific or > technical research or by the needs of the security or protection > of communication networks or information systems" This is no longer true. The law has gone through many discussions and changes. Currently it only says "without legitimate reason", and does not refer anymore to research or security. Unfortunatly. The current version of the text can be found here (french, I google- translated the relevant part of the article 34 in my previous post, with minor changes : the current law forbids "any data" too, not only programs and equipments !) : http://www.assemblee-nationale.fr/12/ta/ta0235-2.pdf Official informations on this law, including interesting discussions of Senators and Deputies about this article 34, can be found here (french): http://www.assemblee-nat.fr/12/dossiers/economie_numerique.asp It seems french senators and deputies know only about viruses and remote access software. They don't talk about exploits or vulnerability information disclosure. Note that this law can still change, but it's not likely. It will be examined by Senate tomorrow and the day after tomorrow. If you know a french senator, it's time to go talk to him ! This law - in its current state - _could_ outlaw anyone who download a tool on securityfocus.com or packetstorm, or publish detailed IT security informations (on their websites, on Bugtraq...). Basically, with this law, it _may_ be illegal to write, distribute or even read an article such as the one from Aleph1 about how to exploit buffer overflows and write shellcodes. Unless this is done "for a legitimate reason", of which I bet a Phrack author may have some difficulties to convince the judges. It means: if you can't give a legitimate reason (the fact there is no illegitimate reason does not matter !) you can be sentenced to a 5-years emprisonment. As security experts, we all know some articles and codes like the Aleph1's allowed major advances in computer security. But would a french judge say so ? More importantly, many independant vulnerability researchers may have such a pressure on their heads that they will no longer publish their results, thus keeping useful security knowledge hidden underground. And obviously, the law will not stop "black hat" hackers to share these informations... The unintended result of this law would be a decrease of the security of people and compagnies connected to the Internet, except for a small group of (underground?) security experts. But the actual impact of this law will really depend on the first judgement. Someone volunteers for a trial ? Fozzy Technical Director the Hackademy Journal & School, Paris "100% White Hat Hacking" http://www.thehackademy.net (french, see below for improved english version) ----------------------------------------------------------------------- The International edition of the Hackademy Journal is out April, 15th ! Send a blank mail to international@...france.com to get more information and learn how to subscribe. First issue will be free of charge. -----------------------------------------------------------------------
Powered by blists - more mailing lists