mailing list archives
Re: the dangers of disclosing vulnerabilities when the guilty party is ignorant of industry standards
From: achurch () achurch org (Andrew Church)
Date: Sat, 02 Mar 2002 12:28:50 JST
Although the article below is a bit short on details, I think it's
worth noting that Champagne apparently was sued not for disclosing the
vulnerability, but for actually accessing the data:
"According to court documents posted at Kitetoa.com, attorneys
for Tati accused Champagne at his Jan. 23 trial of fraudulently
accessing a Microsoft Access database at the company's Web site
from 1999 to 2001."
And Champagne himself calls the data "improperly secured", which suggests
that he knew it was not supposed to be publicly available, i.e. that he was
not supposed to access it. Using the tired old house analogy (and yes, I
know it's not a good one, but it works well enough here), this would be
like claiming that "the door was unlocked" as a defense to theft. Whether
the actual crime (in this case, unauthorized computer access) should
actually be a crime at all is definitely a matter for debate, but given
that it currently is, Champagne had to be either ignorant or stupid not to
realize that he could have gotten into trouble for his actions.
As far as security and vulnerability testing in general goes, although
it's obviously difficult at best and impossible at worst to tell whether a
site is insecure without actually trying to break the security, I do think
"white hats" in general need to at least try to get permission before
checking (or else get the crime of accessing a computer without
authorization repealed). I, at least, would certainly be happier to be
notified of a potential problem beforehand instead of suddenly finding
strange entries in my logs, even if they were not malicious.
achurch () achurch org
A bit more on the situation with Antoine Champagne's Kitetoa.com is here:
Court Decision Could Gag French Security Site Kitetoa
The 1,000 euros fine is suspended on the condition that Champagne avoid any
other convictions in the next 5 years.
But the court decision is causing Kitetoa to consider shutting down.
"From now on, you can find yourself in front of a court accused of hacking
just for using Netscape Navigator," said Champagne, who noted that French
police have threatened to search his house and confiscate his computers if
he similarly runs afoul of the law again.
At 11:03 PM 2/27/2002, Brian Rea wrote:
eventhough this is political in nature, i chose to forward it along since it
relates DIRECTLY to full disclosure and reporting parties being attacked
financially and legally for doing the right and responsible thing.
----- Original Message -----
From: "Declan McCullagh" <declan () well com>
To: <politech () politechbot com>
Sent: Wednesday, February 27, 2002 21:29
Subject: FC: French site Kitetoa.com fined for expose of security hole
| Here's an article about Kitetoa.com's expose of Doubleclick:
| This is another good reason to publish sensitive information untraceably.
| Establish a persistent pseudonymous identity -- standard procedure would
| to generate a private-public keypair and sign your reports with it. You
| also received messages encrypted to your public key (so only you can
| decipher them) and dropped in a public place such as a Usenet newsgroup or
| popular mailing list. Eventually, if the legal threat disappears, you can
| reveal your truename and receive credit for your earlier work.
| Naturally it'll be difficult for you to get paid under this scenario, but
| doesn't everyone do this for the love of the craft? :)
| Date: Thu, 28 Feb 2002 02:43:06 +0100
| From: Solveig <solveig () transfert net>
| Organization: transfert
| To: declan () well com
| CC: "Kitetoa at Kitetoa . com" <kitetoa () kitetoa com>
| Subject: Kitetoa in danger
| Hello declan,
| Sorry for my bad English, but I think this story should be told...
| Sadly, there's only French links until now. But American media have
| already written some articles about Kitetoa, who disclosed some
| security flaws in DoubleClick last year, and recently, in Choicepoint...
| The webmaster of Kitetoa, a French group of security enthusiasts with a
| passion for
| showing how badly protected our personal data is, has been sentenced
| by a French court to a 1000 euros fine. Using nothing more than
| Netscape Navigator's features, he could access to Tati's (a
| clothes' discounter)file directory, and then to all consumers
| profiles. He had warned the webmaster of Tati one year before about
| the problem, but no
| effort was made to secure the server. So he disclosed the breach of
| security in an article on
| www.kitetoa.com. Tati did nothing until the news was republished by an
| offline mag called Newbiz - too much publicity for Tati, let's sue
| those disturbers. Notice that Newbiz wasn't targeted, only the small
| investigative website. Although the judge couldn't identify precisely
| the nature of the "computer fraud" Kitetoa was fined for, this
| sentence creates a dangerous precedent. It is likely to lead to some
| more lawsuits. Kitetoa will probably have to stop its activities.
| It reminds us, in France, of the story of Altern, an independent and
| non-profit Internet provider who hosted 40 000 websites. Altern had
| to close because it was held responsible for a nude picture of a
| top-model, was fined, and then was subject to a true rain
| of legal procedures coming from all the people who don't like free
| speech on the Web.
| Now, full disclosure is in danger.
| Kitetoa's file about Kitetoa vs Tati
| Some articles in French
| About Choicepoint in English :
| About DoubleClick in English :
| Best regards,
| Solveig Godeluck mailto:solveig () transfert net
| POLITECH -- Declan McCullagh's politics and technology mailing list
| You may redistribute this message freely if you include this notice.
| Declan McCullagh's photographs are at http://www.mccullagh.org/
| To subscribe to Politech: http://www.politechbot.com/info/subscribe.html
| This message is archived at http://www.politechbot.com/