Re: Bugfinder Being Indicted As Criminal ("Counterfeiter") in France

[K-OTiK Security <Special-Alerts () k-otik com>]

In-Reply-To: <20040403204252.8002.qmail () search securityfocus com>


> From: Chris Wysopal <cwysopal () atstake com>
> Subject: Re: Bugfinder Being Indicted As Criminal ("Counterfeiter") in France
>
> Sure looks like the penalty for publishing an exploit tool will be equivalent to using the tool to commit a computer 
> crime. I guess there aren't going to be any computer security conferences in France ever again.  Will Securityfocus 
> and PacketStorm need to filter French addresses?  Will we have to stop selling penetration testing products to French 
> citizens? 

Here is the last updated version of this Art. 323-3-1 :

"The fact, without legitimate reason, to import, hold, offer, yield or place at the disposal a data-processing program 
conceived or especially adapted to commit one or more offences envisaged by articles 323-1 to 323-3 is punished sorrows 
planned for the infringement itself or the infringement most severely repressed"

As you can see, the vicious legislators introduced into the new version of this article the term "hold...without 
legitimate reason" - 

Concretely, this wants to say : "Any person handling exploits/viruses (researcher,consultant,hacker or kiddie) is 
guilty, and is in an illegal situation which could lead him to be charged - And if you are charged, YOU have to prove 
that you are innocent"

(Remember? "Universal Declaration of Human Rights (Article 11)")

So, if this law is voted next week, France will replace the presumption of innocence by the "presumption of 
culpability", and all security consultants/researchers here, will have the criminal status !

Bekrar Chaouki - Security Consultant
http://www.k-otik.com