Information Security News mailing list archives

Court Decision Could Gag French Security Site Kitetoa


From: InfoSec News <isn () c4i org>
Date: Mon, 4 Mar 2002 03:47:45 -0600 (CST)

http://www.newsbytes.com/news/02/174910.html

By Brian McWilliams, Newsbytes
PARIS, FRANCE, 01 Mar 2002, 4:58 PM CST
 
Antoine Champagne has received thanks and even job offers from
high-profile Web site owners whose insecurity he has exposed. But from
now on, any more white-hat hacking by "Kitetoa" could cost him.

Last month, a French court fined Champagne 1,000 euros (US$865) for
publicizing at his Web site, Kitetoa.com, security holes he found at
Tati.fr, the homepage of a Paris-based clothing retailer.
 
According to Champagne, a journalist by profession, the prosecutor
suspended the fine on the condition that he avoid any other
convictions for the next five years.

The "strange judgment," as Champagne calls it, is unlikely to have any
bearing on legal decisions in the United States. But word of the
decision has sent a ripple through the computer security community this
week.

In recent years, Champagne, with the assistance of a few friends who
help to run Kitetoa.com, has found and publicized security holes at
sites operated by such leading companies as DoubleClick, Bull Groupe,
Veridian and ChoicePoint.

In each instance, Champagne said, Kitetoa has withheld publishing its
discoveries until the affected companies have been given an
opportunity to secure their systems.

According to court documents posted at Kitetoa.com, attorneys for Tati
accused Champagne at his Jan. 23 trial of fraudulently accessing a
Microsoft Access database at the company's Web site from 1999 to 2001.

But Champagne claimed that he merely used a Web browser to locate the
file, which was stored in an improperly secured directory with "read
access" to anyone on the Internet.

From May 2000 through February 2001 Kitetoa.com published several
short papers noting the vulnerability at Tati.fr and including screen
shots of some of the databases, with personal information redacted.

As proof that he intended no harm, Champagne's attorneys produced an
exchange of e-mails over the period between Champagne and Tati's
Webmaster, including one in which the clothing site's administrator
thanked Champagne for notifying him of the exposed database and
helping him secure it.

Attorneys for the defendant also pointed to a 1978 French privacy law
that they said requires companies "to take all useful precautions
in order to preserve the security of information" in their databases.

According to Champagne, the court's decision not to slap him with an
immediate fine denied Tati some satisfaction. But he said the judgment
has also cast a pall over Kitetoa.com's future.

"From now on, you can find yourself in front of a court accused of
hacking just for using Netscape Navigator," said Champagne, who noted
that French police have threatened to search his house and confiscate
his computers if he similarly runs afoul of the law again.

According to Champagne, he is weighing the possibility of closing
Kitetoa.com and discontinuing his writings about insecure sites, but
he said he has not yet made a decision.

One option not being considered by Champagne is hiring himself out as
a security consultant.

After Kitetoa discovered several insecure internal databases at
ChoicePoint's site earlier this year, officials at the online data
firm inquired whether Kitetoa would be willing to assist in a security
audit of ChoicePoint's Web properties.

Champagne declined the offer, stating simply, "I don't sell anything."

Kitetoa is at http://www.kitetoa.com



-
ISN is currently hosted by Attrition.org
