Domain: altervista.org
Stories and comments across the archive that link to altervista.org.
Comments · 153
-
Re:Narf?
You can read the official GameSpy response in the link at the top of this story, but the short of it is this: The "buffer overruns" you refer to are not the issue that brought this on. He published those and they were corrected by GameSpy quickly. However, when GameSpy wouldn't pay "consulting fees", instead of focusing on actual security issues, he quickly turned to hacking GameSpy servers and services, including publishing cracks for GameSpy software. Hardly the behavior of a "security researcher".
The bulk of his "research" consists of Game Cracks and Game Cheats / Exploits / CDKey Generators. In particular, the brute-force CDKey generators are particularly bad - they basically pound publisher CDKey validation servers with random keys as fast as possible, to try and find valid ones - creating a DoS attack in many cases.
-
What a dipshit
I don't blame Gamespy at all. This jackass has basically enabled untold numbers of 12 year old pricks to tie up public game servers for their shallow amusement.
The general method of DoS he employs is not a "security flaw" but a byproduct of how multiplayer games are typically designed. You could theoretically do the same thing by going into an office and starting up a bunch of instances of the game on a bunch of PCs and logging into a server and leaving them there -- the "proofs of concept" that this guy Luigi wrote just automates this, simulating clients and hanging them.
The "problem" is that lots of games (hell, most network services of any kind) inherently require one TCP connection or UDP stream that stays alive throughout the entire multiplayer game and that begin with some authentication process, and most games only maintain a small number of slots (listening sockets).
Generous timeouts are also often needed to support spotty connections/freezes without disconnecting, so simply checking for timeouts might not help servers get past this issue. (However, maybe they could add some simple limit on how long a client can stay in the preliminary authentication/non-'playing' stages before booting them, requiring a prohibitively large amount of additional reverse engineering/sophistication to simulate a playing client.)
Getting around it will force game devs to play a stupid game of cat and mouse and to implement complicated challenge/response and other antispoofing mechanisms (IP banning, timeouts, etc.) -- time that could be, and ought to be spent on making fun games.
Too bad that Gamespy invoked the DMCA but that's probably the only legal leg they can stand on. Furthermore, Gamespy has nothing to do with the implementation of various game developers' servers.
Perhaps a better avenue would be for game devs to sue the guy for posting key gen algorithm internals and other shit like that.
I think though that breaking both his legs and giving him a donkey punch (#3) or dirty sanchez (3rd from bottom) would be more fitting, and funnier.
-fren
-
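One server-side version of the pre-authentication time limit suggested in the comment above, written in Python as an added illustration; it is not code from any game or GameSpy product, and the slot count, timeouts and stalled-client scenario are constructed.

```python
from dataclasses import dataclass

@dataclass
class Slot:
    client_id: str
    authenticated: bool
    last_seen: float

class SlotTable:
    """Connection slots for a hypothetical game server (constructed example).
    Unauthenticated clients are evicted after pending_auth_limit seconds; playing
    clients keep the longer idle_timeout so spotty links are still tolerated."""

    def __init__(self, max_slots: int, pending_auth_limit: float, idle_timeout: float):
        self.max_slots = max_slots
        self.pending_auth_limit = pending_auth_limit
        self.idle_timeout = idle_timeout
        self.slots: dict[str, Slot] = {}

    def connect(self, client_id: str, now: float) -> bool:
        """Claim a slot; reap stale pre-auth slots first, refuse when full."""
        self.reap(now)
        if len(self.slots) >= self.max_slots:
            return False
        self.slots[client_id] = Slot(client_id, False, now)
        return True

    def authenticated(self, client_id: str, now: float) -> None:
        """Mark a client as having completed the handshake (now a player)."""
        self.slots[client_id].authenticated = True
        self.slots[client_id].last_seen = now

    def reap(self, now: float) -> list[str]:
        """Evict clients stalled before auth (short limit) or idle players (long limit)."""
        evicted = []
        for cid, s in list(self.slots.items()):
            limit = self.idle_timeout if s.authenticated else self.pending_auth_limit
            if now - s.last_seen > limit:
                evicted.append(cid)
                del self.slots[cid]
        return evicted

def simulate(pending_auth_limit: float) -> tuple[int, bool]:
    """Eight clients stall before auth; a player arrives 60 s later. Returns (stalled slots held, player admitted)."""
    table = SlotTable(max_slots=8, pending_auth_limit=pending_auth_limit, idle_timeout=300.0)
    for i in range(8):
        table.connect(f"stalled-{i}", now=0.0)  # connect and never authenticate
    player_in = table.connect("player", now=60.0)
    stalled = sum(1 for cid in table.slots if cid.startswith("stalled-"))
    return stalled, player_in
```

With the pre-auth limit equal to the generous play timeout (`simulate(300.0)`) the stalled clients hold all eight slots and the real player is refused; with a short pre-auth limit (`simulate(10.0)`) they are reaped and the player gets in, while an authenticated player still enjoys the full idle timeout.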
Re:it's not that he just reported them, though...
Unfortunately, the answer today in America is a simple "yes". That is, unless you feel like researching and then hoarding your findings.
Except for one tiny little nuance that the Gamespy lawyers seem to have missed: Luigi lives in Milan, Italy and therefore is not subject to US law.
Crispin
----
Crispin Cowan, Ph.D.
Chief Scientist, Immunix Inc.