> "Art. 323-3-1. - The fact of offering, of yielding or of placing at > the disposal a data-processing program conceived to commit the > offences envisaged by articles 323-1 to 323-3 is punished sorrows > planned for the infringement itself or the infringement most severely > repressed " > > Sure looks like the penalty for publishing an exploit tool will be > equivalent to using the tool to commit a computer crime. I guess there > aren't going to be any computer security conferences in France ever > again. Will Securityfocus and PacketStorm need to filter French > addresses? Will we have to stop selling penetration testing products > to French citizens? The URL you translated does not hold the current text of this (future) law. It is now (google translation) : " The fact, without legitimate reason, of holding, of offering, of yielding or of placing at the disposal equipment, instrument, a data-processing or program conceived or especially adapted to make the facts envisaged by articles 323-1 to 323-3 is punished sorrows planned respectively for the infringement itself or the infringement most severely repressed." Two important things here : - having or distributing exploit code and/or detailed vulnerability information and/or information about hacking techniques, will be illegal in France. - it will stay legal, though, if this is done for "a legitimate reason". This is _very_ unclear. The judges will tell what, exactly, is a "legitimate reason". Things can go _very_ bad for us, or not. The first trial will tell... and that's a very unfortunate situation. Many people in France will have to ask themselves if "for fun" or "to see how someone could hack into my network" are legitimate reasons : even if they do not distribute their code, the sole fact of writting an exploit could lead to a 3-years jail sentence. Magazines and web sites distributing IT security information will be at risk, too. In France there are at least five newspapers dedicated to computer security. Some of them have a brandname with includes the term "hack" (like our "Hackademy Journal"), others says "security" (like "M.I.S.C."). But all of them basically talk about the same kind of information. Same thing with websites, which are considered as publications by the law (same as newspapers). So, the day one newspaper or one website is taken down by a judgement, that will mean _all_ websites and newspapers will have to stop distributing detailed computer security information in France. Now let's hope the judges will be smart enough to prevent the worst to happen. Fozzy Technical Director the Hackademy Journal & School, Paris "100% White Hat Hacking" http://www.thehackademy.net (french, see below for english version) ----------------------------------------------------------------------- The International edition of the Hackademy Journal is out April, 15th ! Send a blank mail to international@dmpfrance.com to get more information and learn how to subscribe. First issue will be free of charge. -----------------------------------------------------------------------
