5 May 2005: welcome to the readers of the eEye newsletter. A quick update just for them, because they at least know what we are talking about here, I mean technically: here is the asm source code of the demonstration that the police and the judges kept asking me about. The bytes taken from the software are in bold; they are the two XOR keys (I changed them to 0, of course). You can count them. They represent more or less 10 millionths of the software itself, and they are not even executed. That's why I was condemned, as the conclusion of the judges said: "... so Guillaume T. actually reproduced, modified, and re-assembled all or a part of V. software, and then freely distributed software based on the sources of the V. software. So he will be declared guilty and condemned...".
March 31: This is a quick translation of the original page I wrote in French. When I'm pissed off, I write much better in French :)
March 25, 2004
It's quite interesting to discover, from the inside, how the French justice system works. I'm back from Paris. I've just been indicted and charged with distributing programs that contained part of copyrighted material (literally translated, it's "counterfeiting and concealment of counterfeiting"). The maximum punishment for these charges is two years in jail and a fine of 150,000 euros. I have not yet been judged guilty or innocent, but I already had to pay around two or three thousand dollars for two trips to Paris (I live in Boston, MA, USA), plane tickets, and lawyer fees. I already talked about my story here (in French).
Let's start from the beginning. In 2001 and 2002, two journalists suddenly popped up in the French Usenet forum fr.comp.securite.virus. They were preparing a series of two articles (published in issues 9 and 12) in the paper magazine "Pirates Mag'" (an independent journal, 2600-style, which is now almost officially forbidden) about the French generic anti-virus Viguard, by a company called Tegam. They needed some independent point of view, and my curiosity about security software was piqued. In March 2002, I published on my website a long analysis of this software. This webpage showed how the program worked, demonstrated a few security flaws, and some tests with real viruses. I showed that, unlike the advertising claimed, this software didn't detect and stop "100% of viruses". So, nothing really extraordinary. The company first reacted in a weird way: they denounced me publicly as a "terrorist", probably a nice attempt to make me change my mind. Later on, they filed a formal complaint against me in a Paris court. The computer on which my website was hosted in France was seized by the police, and disconnected (the incriminating analysis of the anti-virus is still present - written in French - on the Internet Archive, and cached by some other people). The redirection with which I signed my e-mails and Usenet posts (guillermito.net) was blocked at the French registrar level, following a judge's orders. The actual problem is that I coded and shared a few "exploits", i.e. the practical demonstration of my theoretical analysis, which demonstrated the reality of the flaws I discovered, in a way that everybody could reproduce them on their own computer. The judge says that these demonstrations "reproduce and copy the code and structure of the Viguard software", hence the counterfeiting. Since then, I analysed in the same way a dozen steganography programs (in English this time), and coded a few exploits for them too.
Some of these programs claim to be "unbreakable" or to use "military grade encryption", but the hidden data is actually very easily detectable and often retrievable. No security at all.
If independent researchers cannot analyse security software and publish their discoveries, end users will only have marketing press releases from vendors to assess the quality of a piece of software. Unfortunately, it seems that we are heading towards this kind of world in France and maybe in Europe.
To use an analogy, it's a little bit as if Ford were selling cars with defective brakes, and I realized that there was a problem, opened the hood and took a few pictures to prove it, and published everything on my website. And then Ford filed a complaint against me for that.
Closer to my professional domain: I am a biologist, and my job is to discover how biological systems work and publish my results. One can imagine the scandal if a pharmaceutical company filed a complaint against me because I published, for example, that a drug is not as effective as their advertising claims.
But when we are talking about computer security, there is no rationality anymore.
There is something very strange about being in front of the judge who is doing the preliminary investigation: we do not speak the same language. I'm unable to understand legal jargon, and the person in front of me does not understand anything about computer security and the Internet. The lawyer is supposed to be the translator. But the lawyer in this case cannot speak during my statements. It's kind of weird. You have to find a good line of argument, try to explain complex methods and how programs work in simple words, and try to show that the company's accusations are basically void.
There has never been a similar judgement in France. The few "counterfeiting" cases I could find concerned people who copied and sold hundreds of unlicensed programs, to make some money. That's very different from my case. So my case, like the Tati/Kitetoa case before it (Kitetoa showed a commercial website flaw; I showed a commercial software flaw; in both cases the company filed a complaint; Kitetoa was finally cleared of any wrongdoing after two years of a costly procedure), is going to set a precedent. The question: is it possible in France today to publish software flaws, and the practical demonstration of these flaws? I have not yet been judged, but I am pessimistic about it, and it seems that we are heading towards a negative answer. If I am declared guilty, full disclosure is going to be de facto forbidden in my country. Users will have to rely on marketing press releases from vendors to be informed. Except for Transfert (RIP - it was an excellent online news agency) and a few friends, nobody really seems to care about it.
For those of you who are not familiar with the computer security world, numerous advisories about software
It's a nice world we are heading towards. A world in which software vendors have the right to lie blatantly, but an isolated individual cannot publish the technical truth. No more possible counterbalancing power. Everything for companies, and too bad for consumers.
To give a quick feeling for the good faith of the two parties involved here, let me remind the reader that the company which filed a complaint against me, Tegam, publicly accused me six or seven times at the beginning of 2002 of being a "terrorist wanted by the DST (French secret service) and the FBI", and a "computer pirate". The truth, because I have to tell it, is that I am a researcher in molecular biology in both the Department of Genetics of Harvard University and the Department of Molecular Biology at Massachusetts General Hospital, two venerable institutions which, as everybody knows, are very famous for employing a lot of terrorists. This same company claimed that its software detected "100% of known and unknown viruses". I've shown that, of course, this was untrue. I've read in several forums that I "worked for another anti-virus company". That I was probably part of a conspiracy, "paid through secret bank accounts". That I was "hiding in an offshore country". That I was part of an "economic war" against them. All of this is false. Another example of their ethics? The basis of Tegam's marketing is the danger of classical anti-virus scanners which use a database of signatures. But discreetly, on their website, they distribute a scanner that uses signatures [Update April 20: the link disappeared, but this scanner is now available here, and, oh surprise, it is now distributed under the GPL, maybe because of this message?]. A lot of friends do not believe me when I tell them all of this, as if a company would never do that. But unfortunately, I'm not inventing any of this.
Of course I'm going to defend myself, with the help of my (excellent) lawyer, but to be frank, I'm kind of pessimistic. It's so easy to impress judges with heavily connoted words like "virus", "pirate", "terrorist", "hacker", and it's so difficult on the other hand to explain the scientific method and the deep curiosity that makes us analyze how software works and find its flaws.
The eternal war between money and knowledge. I chose my side a long time ago.
[PS: There are a lot of French people talking about it right now (check the French version of this page), but few articles in English. Like here, and here ("Say the truth, be sued"). And I've just been Slashdotted. New ones here and here, and here, and here, and here, and here, and here, and here, and here, and here, and here already. And even three in Italian: here, here and here, and one in Dutch here, and four in Portuguese here and here and here and here, and two in German here and here, and three in Polish here and here and here, and one in Spanish here, which is also here, and here, and here, and here, and here, and here, and here, and here, and here, and here, and here, and here. Words, knowledge, and information: the defense I prefer]