Bugtraq mailing list archives
Re: the dangers of disclosing vulnerabilities when the guilty party is ignorant of industry standards
From: Brian McWilliams <brian () pc-radio com>
Date: Fri, 01 Mar 2002 18:16:53 -0500
A bit more on the situation with Antoine Champagne's Kitetoa.com is here: Court Decision Could Gag French Security Site Kitetoa http://www.newsbytes.com/news/02/174910.htmlThe 1,000 euros fine is suspended on the condition that Champagne avoid any other convictions in the next 5 years.
But the court decision is causing Kitetoa to consider shutting down. Excerpt:"From now on, you can find yourself in front of a court accused of hacking just for using Netscape Navigator," said Champagne, who noted that French police have threatened to search his house and confiscate his computers if he similarly runs afoul of the law again.
Brian At 11:03 PM 2/27/2002, Brian Rea wrote:
eventhough this is political in nature, i chose to forward it along since it relates DIRECTLY to full disclosure and reporting parties being attacked financially and legally for doing the right and responsible thing. - Brian ----- Original Message ----- From: "Declan McCullagh" <declan () well com> To: <politech () politechbot com> Sent: Wednesday, February 27, 2002 21:29 Subject: FC: French site Kitetoa.com fined for expose of security hole | Here's an article about Kitetoa.com's expose of Doubleclick: | http://www.ecommercetimes.com/perl/story/8505.html | | This is another good reason to publish sensitive information untraceably. | Establish a persistent pseudonymous identity -- standard procedure would be | to generate a private-public keypair and sign your reports with it. You can | also received messages encrypted to your public key (so only you can | decipher them) and dropped in a public place such as a Usenet newsgroup or | popular mailing list. Eventually, if the legal threat disappears, you can | reveal your truename and receive credit for your earlier work. | | Naturally it'll be difficult for you to get paid under this scenario, but | doesn't everyone do this for the love of the craft? :) | | -Declan | | --- | | Date: Thu, 28 Feb 2002 02:43:06 +0100 | From: Solveig <solveig () transfert net> | Organization: transfert | To: declan () well com | CC: "Kitetoa at Kitetoa . com" <kitetoa () kitetoa com> | Subject: Kitetoa in danger | | Hello declan, | | Sorry for my bad English, but I think this story should be told... | Sadly, there's only French links until now. But American media have | already written some articles about Kitetoa, who disclosed some | security flaws in DoubleClick last year, and recently, in Choicepoint... | | The webmaster of Kitetoa, a French group of security enthusiasts with a | passion for | showing how badly protected our personal data is, has been sentenced | by a French court to a 1000 euros fine. Using nothing more than | Netscape Navigator's features, he could access to Tati's (a | clothes' discounter)file directory, and then to all consumers | profiles. He had warned the webmaster of Tati one year before about | the problem, but no | effort was made to secure the server. So he disclosed the breach of | security in an article on | www.kitetoa.com. Tati did nothing until the news was republished by an | offline mag called Newbiz - too much publicity for Tati, let's sue | those disturbers. Notice that Newbiz wasn't targeted, only the small | investigative website. Although the judge couldn't identify precisely | the nature of the "computer fraud" Kitetoa was fined for, this | sentence creates a dangerous precedent. It is likely to lead to some | more lawsuits. Kitetoa will probably have to stop its activities. | | It reminds us, in France, of the story of Altern, an independent and | non-profit Internet provider who hosted 40 000 websites. Altern had | to close because it was held responsible for a nude picture of a | top-model, was fined, and then was subject to a true rain | of legal procedures coming from all the people who don't like free | speech on the Web. | | Now, full disclosure is in danger. | | Kitetoa's file about Kitetoa vs Tati | http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Tativersus_Kitetoa/index.sh tml | | Some articles in French | http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Tati_versus_Kitetoa/papiers .txt | | About Choicepoint in English : | http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin7/choicepoint-s uite-english.shtml | | About DoubleClick in English : | http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin6/doubleclick-e nglish.shtml | http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin6/doubleclick-r ound2-english.shtml | http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin6/doubleclick-r ound3-english.shtml | http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin6/doubleclick-r ound4-english.shtml | http://www.kitetoa.com/Pages/Textes/Les_Dossiers/Admins/Admin6/doubleclick-r ound5-english.shtml | | -- | Best regards, | Solveig Godeluck mailto:solveig () transfert net | | | | | ------------------------------------------------------------------------- | POLITECH -- Declan McCullagh's politics and technology mailing list | You may redistribute this message freely if you include this notice. | Declan McCullagh's photographs are at http://www.mccullagh.org/ | To subscribe to Politech: http://www.politechbot.com/info/subscribe.html | This message is archived at http://www.politechbot.com/ | ------------------------------------------------------------------------- | |
Current thread:
- the dangers of disclosing vulnerabilities when the guilty party is ignorant of industry standards Brian Rea (Feb 28)
- Re: the dangers of disclosing vulnerabilities when the guilty party is ignorant of industry standards Brian McWilliams (Mar 01)
- <Possible follow-ups>
- Re: the dangers of disclosing vulnerabilities when the guilty party is ignorant of industry standards Andrew Church (Mar 03)