Friday, March 24, 2006

Formerly known as K-OTIK


Web site takes exploits private
Robert Lemos 2006-03-20
Citing the nation's laws, the French Security Incident Response Team (FrSIRT) removed collected exploits from its front page last week, but still offers the code to paid subscribers.

The company had previously offered access to security advisories and exploits from its public site, ranking each in terms of severity. However, saying that it had been put "under pressure," the group removed the exploits from its public site on March 15.

"Publishing exploits on a public web seems to not be a legitimate reason (under French law)," the company said in a statement sent to SecurityFocus. "However, publishing the same exploits in a private channel dedicated to security professionals is regarded as a legitimate reason."

Other security researchers have fallen afoul of French laws. A year ago, a national court ruled that security researcher Guillaume Tena acted unlawfully in publishing proof-of-concept code to highlight security flaws in an antivirus product created by French firm Tegam.

In the U.S., the disclosure debate heated up last year as well with a legal tussle between security researcher Michael Lynn and two companies--his former employer, Internet Security Systems, and networking giant Cisco. Lynn outlined a method of taking control of Cisco routers using flaws in the operating system. Prior to his presentation, no one had publicly demonstrated a way to run code on Cisco routers reliably.

The move by FrSIRT had initially been seen by many in the security community as a way to create a commercial product out of publicly available information. The French group denied that commercial interests had motivated the move.
