GameSpy Sends DMCA-Based C&D To Security Researcher
chowbok writes "Luigi Auriemma has found several security holes in GameSpy software over the past few months. He has reported them all to GameSpy but never got a response... until today, when he got a threatening letter from their lawyers. It says he's violating the DMCA, he needs to cease-and-desist, yadda yadda yadda." Update: 11/12 21:09 GMT by S : GameSpy has now posted an official response from the company's founder, Mark Surfas.
Always hating on the guy trying to enforce rigid security standards. Can't we all recognize that the only real harm caused would be by *not* reporting on these security holes. C&D letters only cause anti-corporate sentiment due to their rather accusatory tone. For shame. Good thing I don't use gamespy...
I'm not popular enough to be different.
Homer Simpson, The Simpsons
That's the sound of nobody being surprised.
Note for future reference: hackers, if you want someone to improve their security, don't go to the admin with your 'sploit, but anonymously release it into the wild. After all, the constant cease-and-desist letters _obviously_ say that that's what today's software companies want.
It is important to note that Luigi Auriemma is in fact an Italian citizen, and not a USian.
I, for one, welcome our new attorney overlords.
Oh, wait. They've been here ever since the first election in the country... Nevermind.
"If you want to improve, be content to be thought foolish and stupid." - Epictetus
He's in Italy. Tell GameSpy to stick the DMCA up their bum.
Mirror here: www.outputservices.com/marty/mirrors/secfocus.html
takes care of any GameSpy street cred, right?
It's Christmas everyday with BitTorrent.
I don't use GameSpy or anything affiliated with them where possible. GaySpy sucks. FilePlanet is crap... Long live http://GamePhilez.us!
To the Gamespy Feedback Page
I didn't think it was possible, but my opinion of Gamespy just went even lower. If it wasn't for them hosting old Nodwick strips, they'd have no redeeming values at all.
I mean, let's face it, anyone who wants to exploit Gamespy's servers probably already knows how to do so, this guy's bug reports notwithstanding...
Kierthos
Mr. Hu is not a ninja.
quote: I'm 22 years old and I live in Milan district in Italy. The DMCA doesn't apply to him. Cease and desist this!
so, incredulously, he asks whether bug research is a criminal act and bug researchers criminals.
Unfortunately, the answer today in America is a simple "yes". That is, unless you feel like researching and then hoarding your findings.
mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
One might think that notifying GameSpy about its security problems might be A Good Thing (R) because they could be fixed before being exploited. Just another reminder that, in the United States of America, no good deed goes unpunished.
There are two types of people: those prepared for the zombie apocalypse and those who will be eaten.
This makes a lot of sense, really! Let's let someone do all the work for us in finding security holes, have him come directly to us and tell us about the holes, have him keep them to himself instead of releasing them for everyone to use, and then tell him he's doing a BAD thing and he needs to stop!
I fail to see ANY logical reasoning behind this.
Now that the word is out, I bet someone will find their vulnerabilities on their own, and go one step further and exploit them. Then this guy will be blamed for the whole thing.
A sentence you'll never see on an Internet discussion board: "You know what? You're right."
Use ventrilo. free and has a few different ports. My clan uses it when we play eve-online
This is a highly stupid move on GameSpy's part.
This guy wasn't posting his findings on the internet, or seeking publicity for himself; he was just using his skills to help out and try to improve GameSpy's product (and it needs all the help it can get, IMO).
If you ignore security, it will go away...
Manipulate the moderator system! Mod someone as "overrated" today.
implicitly implies that you should have found/fixed the flaws before releasing the software. Shutting up anyone that notes the security flaws you never noticed/corrected leaves you free to claim to have none. That's doublegood. By the way, they've raised the chocolate rations to 5 units.
Does the DMCA apply outside the US? How can this guy be breaking US and Federal law while carrying out his research in Milan, Italy? Chris
From the article:
"Bug research is a crime and bug researchers are criminals, didn't you know that?"
I know he's being sarcastic, but how long until he's correct ?
One more reason to despise the DMCA, I'm not even sure how it could apply - certainly the lawyer's reasons don't make any technical sense.
Simon
Physicists get Hadrons!
Laws are really needed to help protect people conducting security research and find problems and reporting them without doing anything malicious.
Having hackers poking and prodding makes everything more secure ("So the first woodpecker to come along doesn't destroy civilization").
The only one winning here seems to be the lawyers.
1) Nice to see another justification for moving security research out of the US. So Alan Cox isn't a paranoid raving nut, after all... unfortunately.
2) It doesn't look like he's taken down the stuff, yet. Mirror time?
Someday, you're going to die. Get over it.
It would be nice to have a list of all of them all in one place so I can make sure to never ever pay money to any organization that has used the DMCA against someone.
If you need a great server browser for HL and Q3-based games, look no further than ServerInfo.
Get it now! It's free-as-in-beer.
Disclaimer: The author is a friend of mine.
I know that in trademark cases, companies have to enforce their trademark or risk losing it (i.e. xerox, kleenex, rollerblade) - but is there any similar clause in the DMCA which dictates that corporations must send cease-and-desists instead of taking these suggestions seriously? That seems to be the standard method companies employ in these circumstances, and I was wondering if it was a legitimate legal issue, or lawyers just being, well, lawyers.
"Good samaritan" acts like this tend not to go over well with companies when their products are on the line. They think we're just a bunch of reckless hackers trying to H4CK TEH PLAN3T! The thing they fail to realize is that by shutting up honest people like this via the DMCA and unleashing lawyers on white hats, then the only people left WILL be the bad guys. And frankly, I'd like to see some black hats get nasty on companies like this. This DMCA bullshit is getting tiring.
"Hell hath no fury like a woman scorned for SEGA. ..."
Publish all the exploits underground, as anonymously as possible. This way the exploits are in the wild and the sloppy code has to _fixed_ instead of covered up with a mountain of legal manure.
This is not what GS wants, nor what they mean. It is, however, what they are apt to get. Had they thought (ha!) things through, this mistaken mistreatment of someone sending friendly warnings would not have occurred.
Hey, GS. Why not try shooting at the real target? You just hit your foot.
Just tell GameSpy to fuck off and go eat shit and die, if GameSpy does not want people testing their product then they should keep it locked up and NOT release it to the public...
I believe ANY software released to the public should be checked for vulnerabilities, just like any other product; if found defective then people need to be made aware of it...
Three of the Gamespy files are listed as "contact me via e-mail", they may never have been up in the first place. RogerWilco, which was one of the targeted programs, is still up. I'm looking for any other Gamespy-related stuff that might have been C&D'd for potential future mirroring purposes.
Someday, you're going to die. Get over it.
I'll never get it:
Those guys researching security flaws in your software are working for free for your company. You just saved some money for security audits...
Be grateful, perhaps offer them a contract for more research, but don't threaten them with lawsuits. Some people may not like it and won't contact you before spreading an exploit.
Tread softly because you tread on my dreams. -- Yeats
What better way to get your bugs known by every technically literate person on the planet than to send a C & D letter like this, leading to a reference that gets posted on Slashdot as a home page story?
I congratulate Gamespy on their great word-of-mouth campaign to get all of their exploitable bugs known by the widest possible audience...
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
I think the issue here is much less one of the right to publish and to speak, though of course in the end that will always be most important. This story is really one for universal concern because it exposes the way in which companies like Gamespy are spelling their own death by sending out these letters. It is publicly revealed information that inspires companies to take security seriously and act quickly toward hole-patching. There should be no doubt in anyone's mind that this information will be disseminated irregardless of its wide publication, and so challenges to security will still happen. Is it not in everyone's best interest that change-motivating embarrassing public releases of information like this be allowed? And plus, doesn't the even wider attention which a company stands to garner by sending out C&D's to avid exposers of flaws like this make them completely worthless?
WHAT gamespy street cred?!
In the future, I would want to not be isolated from my friends in the Space Station.
Don't forget to report the letter to CHilling Effects
--You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
But it looks like the economic incentive to cover up rather than fix makes the concept of welcome full disclosure a myth akin in proportion to the commonly-misheld belief that chopsticks of course originated in Asia. Interesting story: the recently uncovered truth of the matter is that they were actually designed as a gimmick by immigrants cooking in American mining communities in the 1800s and later carried back to Asia as a less resource-intensive means of preparing and serving food. Ironically, the U.S. is the largest exporter of chopsticks, with something like 3% of U.S. lumber production going towards the effort to supply Asia, where chopstick use grew to outstrip other utensils within the last century.
The point is that when you look at the bigger picture, you realize that there is an economic disincentive to do the right thing; or rather, an incentive to do whatever it takes to improve the bottom line. I think it's unfortunate that they're choosing to punish an individual that was trying to help, and that it's this sort of attitude that drives good hackers underground. When code is owned by outlaws, only outlaws own the code.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
I haven't used GameSpy in years... in my view it's nothing but adware everywhere... My best advice for everyone is stop using it and go to Kali
www.kali.net
I have been using it for years.. and it's the best gaming community ever...
Companies foolishly think that just because it is illegal to explore a product for security holes, this will somehow make the security holes go away.
There's a growing sense that even if The Future comes,
most of us won't be able to afford it.
-- Lemmy
All his proof-of-concept exploits are on his website ... BUT, he did notify the company AND gave them lead time to fix each problem before publishing. Sounds like a perfectly responsible approach, similar to that used by university researchers here in the US.
I too must regretfully send you a C&D letter based on the fact that your software violates DMCA laws by allowing unlawful access to copyrighted information stored on my computer and my network of computers. Until you can correct the programming errors in your software which allow this DMCA violation, I ask that you shut down all end user services provided by GameSpy.
Thank you and good riddance,
HFC.
As much as I hate both the Patriot Act and the DMCA (both being unnecessary unconstitutional pieces of crap designed to mollify Capitol Hill scumbags) - doesn't the DMCA have a provision regarding electronic security? Doesn't Gamespy have a legal (not to mention, moral and ethical) obligation to properly address these failures, as a matter of national security?
Dear Luigi
How dare you make us look like asses, we have the best programmers the third grade has to offer, we find your attempts to help us as a threat to our over inflated egos, so we must make you out to be a master criminal, you little bastard. Don't ever tell us how to do OUR job, because you're only a mere mortal, consumer filth, you have no say in what we do, we make you, and you WILL buy it. That's how it works, so if you ever tell us what we screwed up on again, we'll make sure you're some sweaty tattooed 40 year old's buttery cornhole.
GameSpy inc.
btw, gamespy have always been assholes, they'll let sub-par sites get hosted, but never really good ones that might threaten their greatness.
I think it also settles the question about full and limited disclosure. Limited disclosure is clearly a tool that allows lazy admins and developers to sit on their lazy asses while their company lawyers shoot the messengers.
What is needed now is an "official" infrastructure (mailing list/site/IRC channel/whatever) harboured somewhere with sensible laws and clearly geared toward transparent evaluation, discussion and discovery of security bugs in public software. Developers, admins and security experts welcomed, no matter their colour of their hats.
I don't think it's against the law to do security research, these lawyers are just trying to stretch the DMCA to cover this guy's bug notices. A lot of what they sent sounds like boilerplate put together and sent out to anyone and everyone. These (crappy) lawyers are probably just counting on him not wanting to have to defend himself in court. The bugs he seems to have raised are not directly circumventing encryption, a good lawyer would probably argue that the point of encryption is security, and by posting something that can crack the security of their software, you are circumventing security. The problem is that courts often don't understand the nuances of software - client server issues, encryption, etc. Unfortunately, I'm still in law school right now (as a matter of fact posting from Civil Procedure class), otherwise I'd take this guy's case pro bono just to try to whittle away the DMCA. shark.
If users' computers are broken into as a result of not fixing known vulnerabilities, I wonder what kind of liability GameSpy would have under US tort law for being negligent.
Darthtuttle
Thought Architect
The sane reaction would be 'oh shit, thanks mate, have a beer on me'.
Naught more than silly managerial types.
Maybe we should go tell them what we think about this. And more importantly, make sure that gamespy users know about these vulnerabilities. Here are their forums.
... GameSpy (and associated) are now off my use or recommend list. Any company not willing to take proper action about potential problems with their products and tells people who bring to light these problems to stop and go away, are not worth my dollar or time.
An optimist believes we live in the best world possible; a pessimist fears this is true.
I believe they collect DMCA subpoenas:
http://www.chillingeffects.org/dmca-sub/
"No good deed goes unpunished."
Really doesn't make you want to bother with preferential disclosure, does it?
"People who do stupid things with hazardous materials often die." -- Jim Davidson on alt.folklore.urban
Time to update my Smoked Company Instant Poll:
Who smoked the most crack in 2003?
(_) SCO
(_) Belkin
(_) Verisign
(_) *A (MPAA, RIAA, ARIA)
(_) GameSpy
(_) All of the above
Ceci n'est pas une signature
As it stands, Luigi can tell GameSpy to pound sand. But, as one engineer found out, don't travel to the US until you're sure your DMCA problems are taken care of. Also, hope that Italia isn't as accommodating as Norge to requests to run its citizens through the legal wringer.
I have always been a frequent visitor of Gamespy websites, be it the Gamespy site itself or the Planet sites, I've also been a long time FilePlanet subscriber. Yet this will cease to be the case forever now that I have been made aware of your recent C&D letter to a security researcher who was trying to help you fix the flaws in your software. I'm outraged at your response for numerous reasons. First of all I would have thought that a company such as GameSpy is well aware of the issues of today and would find a document such as the DMCA to disagree with their views and those of its customers. I, like many if not most of your customers, feel that the DMCA is a troubled and overreaching document that limits user rights, threatens research and lowers the need for true progress in the field of security. Second, I am disgusted by your handling of security issues. If there are problems in your software then the way to fix them is with patches - not C&D letters. I would have expected GameSpy, a news site, to know that not once in the history of the DMCA has a C&D letter or even a full lawsuit ever fixed a security hole. Why attack the messenger? And finally I am baffled by the fact that the person you have sent a C&D letter to has in fact notified you of the holes and means to fix them before posting them online. I do not see how suing somebody who has just done some valuable QA for you is justified. It's just absurd! Imagine this, you are driving down the street in your car when all of a sudden the car behind you starts flashing its lights to get your attention, then pulls up to you and tells you that you're leaking gas. You, instead of thanking the driver for making you aware of the risk you are under, threaten him with a lawsuit because now that your gas leak has been noticed, somebody may light it. This is what's happening now. You are attacking somebody who helped you. You are trying to keep your software secure by hiding its flaws.
It's the same as the car with the gas leak; no matter how you hide it, it's still there and a spark can make it all blow up in your face. Having said that, I will no longer be a customer of GameSpy, I will no longer visit any GameSpy affiliated site and I will contact every developer who promotes GameSpy services with their games to suggest using other services until some sort of public apology is offered to Luigi Auriemma. Sincerely yours,
Google Toolbar is SPYWARE!
No, I'm not talking about his dick, you perv! I'm talking about the DMCA, President Clinton's personal gift to the IT world.
Seriously, I have a problem here. My job is to make customers' IT systems work with my employer's product. It involves testing software and fixing bugs. It means poking into third-party products and trying to find potentially damaging flaws.
If this becomes a crime, we IT grunts better find a way out. Preferably before we're sent to jail for finding a flaw in a piece of software junk released by a company that spends more in lawyer fees than in R&D.
--
Mad science! Robots! Underwear! Cute girls! Full comic online! http://www.girlgeniusonline.com/
The DMCA provides safe harbor for encryption researchers circumventing copyright protection mechanisms in section 1201(g); as long as he can prove that he had authorization during the time he was testing and posting bugs, then he won't have much to worry about. If he continues to make new posts since the letter arrived there may be problems.
Secondly, finding security holes in GameSpy's software is not a violation under the DMCA, unless those holes happen to be related to Copyright Protection Measures.
It is a bit stunning, as this is a pattern in the software world that has been repeated many times. You'd think companies would have learned by now not to do things like that, how counterproductive it is, how it makes them look foolish at best, evil at worst.
It is interesting how laziness tends to take priority over security. The DMCA is often used as an excuse for all this couch potato software development going on.
"...you have committed numerous violations of state and federal law by illegally accessing Gamespy servers and by creating, marketing, and distributing software which circumvents the encryption mechanism that protects access to Gamespy's servers." In other words, Gamespy servers are protected as long as you don't try to break in. Security through legislation, brilliant! Like my driving instructor told me: don't count on the law to protect you. "I suppose you could strap the book to your head for protection, but that's about all the protection you'll get when the guy in front of you cuts you off. Oh, and remember, in an emergency the lines on the road are just paint!"
Then, for a joke, I tried the URL..
someone's already been there and done that.
I don't blame Gamespy at all. This jackass has basically enabled untold numbers of 12 year old pricks to tie up public game servers for their shallow amusement.
The general method of DoS he employs is not a "security flaw" but a byproduct of how multiplayer games are typically designed. You could theoretically do the same thing by going into an office and starting up a bunch of instances of the game on a bunch of PCs and logging into a server and leaving them there -- the "proofs of concept" that this guy Luigi wrote just automates this, simulating clients and hanging them.
The "problem" is that lots of games (hell, most network services of any kind) inherently require one TCP connection or UDP stream that stays alive throughout the entire multiplayer game and that begin with some authentication process, and most games only maintain a small number of slots (listening sockets).
Generous timeouts are also often needed to support spotty connections/freezes without disconnecting, so simply checking for timeouts might not help servers get past this issue. (However, maybe they could add some simple limit on how long a client can stay in the preliminary authentication/non-'playing' stages before booting them, requiring a prohibitively large amount of additional reverse engineering/sophistication to simulate a playing client.)
Getting around it will force game devs to play a stupid game of cat and mouse and to implement complicated challenge/response and other antispoofing mechanisms (IP banning, timeouts, etc.) -- time that could be, and ought to be spent on making fun games.
Too bad that Gamespy invoked the DMCA but that's probably the only legal leg they can stand on. Furthermore, Gamespy has nothing to do with the implementation of various game developers' servers.
Perhaps a better avenue would be for game devs to sue the guy for posting key gen algorithm internals and other shit like that.
I think though that breaking both his legs and giving him a donkey punch (#3) or dirty sanchez (3rd from bottom) would be more fitting, and funnier.
-fren
"Where are we going, and why am I in this handbasket?"
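The slot-exhaustion problem described in the comment above (clients that connect and never finish authenticating, holding a slot for the full generous idle timeout) and the pre-auth time limit it proposes, as an added example that is not GameSpy's code or anything from the original thread. The slot count, timeouts and event sequence are constructed for illustration; the weak and hardened policies are run side by side.

```python
"""Simulated game-server slot table (constructed example, not GameSpy's code).

A server has a fixed number of client slots, a client must pass an
authentication stage before playing, and the in-game idle timeout is
generous so that freezes and spotty links do not disconnect real players.
Without a separate limit on the pre-auth stage, a handful of connections
that never authenticate hold every slot until the generous timeout expires.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

PRE_AUTH = "pre_auth"
PLAYING = "playing"


@dataclass
class Client:
    client_id: str
    state: str = PRE_AUTH
    connected_at: float = 0.0
    last_seen: float = 0.0


@dataclass
class SlotTable:
    max_slots: int
    idle_timeout: float                        # generous, applies to everyone
    pre_auth_timeout: Optional[float] = None   # None = no pre-auth limit (weak)
    clients: Dict[str, Client] = field(default_factory=dict)
    rejected: List[str] = field(default_factory=list)

    def connect(self, client_id: str, now: float) -> bool:
        """Admit a new connection if a slot is free after reaping stale ones."""
        self.reap(now)
        if len(self.clients) >= self.max_slots:
            self.rejected.append(client_id)
            return False
        self.clients[client_id] = Client(client_id, PRE_AUTH, now, now)
        return True

    def authenticate(self, client_id: str, now: float) -> bool:
        c = self.clients.get(client_id)
        if c is None:
            return False
        c.state = PLAYING
        c.last_seen = now
        return True

    def reap(self, now: float) -> List[str]:
        """Drop idle clients, plus clients stuck in pre-auth past the short limit."""
        dropped = []
        for cid, c in list(self.clients.items()):
            if now - c.last_seen > self.idle_timeout:
                dropped.append(cid)
            elif (c.state == PRE_AUTH and self.pre_auth_timeout is not None
                  and now - c.connected_at > self.pre_auth_timeout):
                dropped.append(cid)
        for cid in dropped:
            del self.clients[cid]
        return dropped

    def free_slots(self, now: float) -> int:
        self.reap(now)
        return self.max_slots - len(self.clients)


def run_scenario(pre_auth_timeout: Optional[float]) -> dict:
    """Replay one constructed event sequence against a given pre-auth policy."""
    table = SlotTable(max_slots=4, idle_timeout=120.0,
                      pre_auth_timeout=pre_auth_timeout)
    for i in range(4):                          # t=0: four connections that never auth
        table.connect(f"hung{i}", now=0.0)
    p1 = table.connect("player1", now=30.0)     # t=30: a real player tries to join
    if p1:
        table.authenticate("player1", now=31.0)
    p2 = table.connect("player2", now=60.0)     # t=60: a second real player
    if p2:
        table.authenticate("player2", now=61.0)
    free_at_60 = table.free_slots(60.0)
    # t=130: player1 has been silent for 99 s (a freeze), still under the idle
    # timeout, so the hardened policy must NOT have dropped a playing client.
    table.reap(130.0)
    return {
        "player1_joined": p1,
        "player2_joined": p2,
        "free_slots_at_60s": free_at_60,
        "player1_present_at_130s": "player1" in table.clients,
        "rejected": list(table.rejected),
    }


if __name__ == "__main__":
    print("no pre-auth limit :", run_scenario(None))
    print("15 s pre-auth limit:", run_scenario(15.0))
```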
Isn't that what really matters?
I'm sure we'll find out that this was just a misunderstanding, and bugs are already being fixed.
-... ---
That's a game I play with my 2 year old niece: she covers her eyes and thinks I'm not there.
It is not our abilities that show what we truly are... it is our choices.
Where lawyers are pitted against each other in some sort of arena in the style of Thunderdome. "2 lawyers enter - one lawyer leaves". The victor wins the case and we get the added benefit of reducing the number of lawyers in the world.
I always looked at a hacker as someone who goes into a computer, not to harm, but to learn, and someone who goes in with a malicious attempt a criminal. This guy did no harm and was trying to help the company. There was an article in a newspaper saying that companies were hiring people like this because they knew what they were doing and they could fix their problems better than some suit that was taught to find things like that for a living. Whatever happened to that?
...american idiocy got a bunch of Italians blown up too.
The world needs honest lawyers
The alternative to trying to make companies aware of their security failings would be posting them to Slashdot, on the front page if possible, anonymously. Then wanker companies like this would have hundreds or more of angry, sweaty programmers clamouring to abuse any security holes while shouting "omfg! die DMCA-loving fuckers!"
"Overrated?" Bleh, be a man (or a woman) and moderate it with something that will get metamoderated. If you disagree with it, have a little courage and respond.
This is the equivalent of arresting someone for pointing at a bank vault with no door.
I've worked for GameSpy in the past, and I'm sure this behavior comes as no surprise to anyone familiar with their delusional take on business ethics.
The original GameSpy 3D developers (the ones that cared) have long been out of the picture. Don't bother. If you belong to the minority (those preferring quality over advertising), try this instead:
http://www.udpsoft.com/eye2/index.html
You can barely read a gaming article these days without four "Punch the Monkey" banners and a 600x400 javascripted Ronald McDonald pissing all over your desktop.
GG GAMESPY
if Gamespy responds to this, and if so, how.
Did their legal department just fire off the C&D without consulting with anyone or did the upper levels of Gamespy's management ask for it to be sent out?
Did the lawyers go off on their own or does Gamespy have a substantially different view of their correspondence with Luigi than the one we've got from Luigi's own website?
There's no question that they look like fools though. The mere act of using the DMCA to threaten a citizen of another country invites any number of comparisons, none of them flattering.
-H
"If there's anything more important than my ego, I want it caught and shot now." -- Z. Beeblebrox
2) The DMCA is a foul piece of legislation.
3) If this keeps up, white-hats will no longer play nice. Imagine if instead of alerting Gamespy of the problems, he released the info anonymously to IRC--viruses and worms ensue.
With regards to 3), SERVES EM' RIGHT.
disgusted,
--rhad
Slashdot needs to interview Natalie Portman.
if GameSpy is enlisting help from their sister site, LawyerPlanet.com.
FYI, He is being tried under Norwegian law, nothing to do with the US DMCA. Look at This link. I know it is being appealed but this is the status now.
Help fight continental drift.
Your mare would never send you a C&D letter!
I contacted gamespy, informed them that I'm an independent security consultant, had heard about a Cease-Desist sent to a fellow analyst, and requested to be transferred to their legal department. I was put on hold for about 10 minutes, then the receptionist returned to the line, informed me the legal department was on another line and I was promptly hung up on. All in all 11 minutes of my time taken today dealing with them. I suggest you draw your own conclusions here, but I think if I come up with an insecurity in their software I'll merely publish it to bugtraq, slashdot and anywhere else that it'll be very hard to get rid of until they fix their code.
I'm responsible for the security of my machine.
Therefore, I will inspect anything that is put on that machine, and I will consider unidentified functionalities in software billed as having limited features to be breaches of that security, and I will take action against the purveyors of that insecure software.
And your license can't legally stop me, because shrink-wrap licenses don't abrogate my rights, they only protect yours.
So, I'd say the best way to do it would be to - 1. let them know, anonymously, of their security problem. 2. Wait 2-3 days. 3. Publish the exploit (underground channels/freenet/...).
The Raven
From the bottom of the page: Simple enough, eh? The link in the story is currently not the recommended link...
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
I reckon we set up a blacklist for companies that give out threats - if you try and sue us for helping you then you go on the list, unless you send a swift apology or it was a clerical error that resulted in a DMCA threat being sent and it gets withdrawn. Anyone on this blacklist gets no help from geeks; if you find a security hole in one of their products you don't tell them. Then companies that are nice and appreciate people pointing out their bugs will get help and companies that don't will get none. I would say post their bugs on the net but that would be kind of childish.. ah fuck it, post them anyway ;)
This comment does not represent the views or opinions of the user.
It's one of the categories that you can send the comment to. Here's my letter:
Subject: What the fuck are you doing?
I am so sick of your shit. Stop using a loophole in the DMCA to attack those who are willing to help you. If you were walking down the street, and someone told you to check your zipper, would you:
A. Thank them, and zip up, or
B. Sue them for looking
I might be rather embarrassed, but I'd take option A! If you zip up, NOBODY ELSE IS GOING TO NOTICE! If you don't, well, someone else could notice.
Oh, wait - you aren't ever zipped, because you jack off to the fucking DMCA, because you see that big hole and want to fuck with it.
Good day, sir, and go burn in hell.
Mod me down, if you like, but it had to be done.
Ok, so the guy says he tried contacting the company privately, and no one answered him.
I still don't see why that's perceived as the go-ahead to provide the world with his exploit programs.
It stinks of threats and extortion to me. e.g. "Fix this right now and give me credit for finding it, or I'll release it into the wild! haha!"
Did two wrongs start making a right?
You have to admit though that as a lawyer you are working for someone. It is not so much a matter of honest lawyer as it is just doing what the job entails. I mean, how many coders have given in to bad design because it was what the client wanted...it's business. The whole thing stinks though. I really think this is going to be a case of people not talking to each other within Gamespy. How much do you want to bet this is the first some of the staff there hear about this whole mess?
Perhaps we should campaign for companies to publicly state that they will provide a means for people to inform them of security problems and a statement that such people notifying them will not be prosecuted if (1) they notify the company first, (2) do not publicise their proposed solution within 90 days after notifying the company.
OK, IANAL (well, duh) but as far as I can see this form of protest gets leverage because there will be some enlightened companies that support it, and hence they will gain market advantage over those that don't. Then someone will commit to a 30 day window to stuff the guys who have a 90 day window and so on. Anyone can protest by asking a company why they haven't signed up to this initiative, what have they got to hide?
naive - probably but it sounded good when I started.
On March 28th, Italy implemented the EU copyright directive, which is modeled after the DMCA, but with fewer exemptions. All 15 EU members were supposed to adopt this by last December, but only a handful of countries have done it yet. The UK just became the sixth to adopt.
How did I get so interested in the DMCA? I recently interfaced the Ritz disposable digital camera to my computer, and didn't like how the DMCA has been used to stifle competition.
Text of the EUCD (EU Copyright Directive)
HIV Crosses Species Barrier... into Muppets
GameSpy business plan:
1) Eliminate competitors or workalikes with DMCA
2) Become only game server network
3) Profit!!!
It seems that the DMCA helps enable that "monopoly lock-in" business plan by allowing them to legally (albeit not practically) lock people out of the server protocols.
You eliminate competitors as well as people who find your weaknesses. Once you eliminate competitors, you get the MS-style monopoly-by-default.
Instead of having to be a dominant player by producing a better product, you get to just be a bully and be a dominant player by shutting everyone else out through legislation and legal maneuvering.
And we wonder why we're in decline.
I can't connect to GameSpy. I think my university might be blocking or have poisoned the DNS. Anyone know the IP of the server? Also, GameSpy doesn't work in BF1942 for server browsing; it crashes everyone's computer now. It's quite weird.
come comment on the madness at http://slashdot.org/~phreak03/journal/
I was expecting the summary to read "Gamespy finally acknowledged this guy's feedback and sent a CD for review" -- sort of like hiring a security consultant or something like that.
Maybe I am overestimating the common sense of companies and people.
S
Don't forget to contact any vendor from which you bought a game that included GameSpy. Let them know what you think of them bundling an unsafe product with irresponsible patch practices.
EA games (1942) is an example:
http://eatech.custhelp.com/cgi-bin/eatech.cfg/php/enduser/ask.php?
Yesterday,
Algorithms programmed in any way
Now it looks as though there's liabilit-ay
And, it's 'cause of the D-M-C-A
Suddenly,
I'm not allowed to speak in C
There's a shadow hanging over me
Oh how D-M-C-A makes silence be
How some bits do flow, you can't know,
We couldn't say
I said something wrong
now I'm among, law D-M-C-A-ay-ay-ay
Yesterday,
"code" was such an easy game to play
Now I need a place to hide away
And, it's 'cause of the D-M-C-A
I think Cmdr Taco would pick B. His wife Kathleen is a bit of a mare.
A google search on "chopsticks" shows chopsticks have been around since well before the US railroads. Many historical examples contradict your assertion (indeed, "recently uncovered" is rather silly considering the immense written historical record of China). Maybe you're thinking of certain culinary dishes created by railroad workers instead?
In response to your main point, the irony is that invoking the DMCA is far from being established as the correct financial move. This costs lawyer fees, it may go to court, it generates bad PR and the holes will end up public anyway so they will have to be fixed, which means paying the programmers to patch it (usually easy and quick) and then testing the patched version (possibly expensive; people crying about this seem to ignore the fact that broken updates go out all the time, e.g. for MS products, so usually little money is spent here; and any company that actually does thorough testing probably would have caught the buffer overflow before it shipped in the first place).
So a prompt patch and good PR is actually financially the correct move, and the problem with invoking the DMCA is that it's a more expensive and thus bad move prompted by human failings of the management.
Is it just me or does the GameSpy logo on software act like a badge of blame? I know every time I see a crappy server list that seems like it was developed by a group of chimps it tends to have a 'powered by gamespy' logo on it. They are the Real Networks of online gaming. Let this move be one more on their path to irrelevance and eventual collapse.
Gamespy: The world will be better off without you.
Young man, you've been writing some code, I said,
Young man, think it ought to be showed, I said,
Young man, but what you shoulda knowed, is some
Things... must... be... left... un-said
Young man, there's a law that's been passed, I said,
Young man, we hoped it wouldn't last, but now,
Young man, if you break it, your ass will be
Hauled... a-way... to... Club Fed
We cannot stay with the DMCA
Get hauled away with the DMCA
You cannot circumvent
Any music or book
Can't even let your kid take a look
That's why we're flamin' the DMCA
Our guy was framed on the DMCA
The Man gives us rules
That we've got to obey
But encryption just gets in the waaaaaay...
Young man, there's no need to feel down, I said,
Young man, hide yourself underground, I said,
Young man, 'cause the Feds are in town, you know,
There's no place you can hide,
Young man, there's no place you can go, I said,
Young man, when they don't like your code, if you
Stay here, I am sure you will find
That you haven't got no more time.
(chorus)
You sir, I hope you understand, we're im-
Pa-tient, hope the Feds free our man, but no-
Bo-dy... can resist our demand, we'll shout
Til... they... free... D-mi-try
Dima's... fate lies in our own hands, so please
Help us... make them meet our demands, so call
D.C., make them send this young man, back to
His... own... home... and... fam'ly
(chorus)
...In an act of defiance?
And then invoked the DMCA on someone in Italy.
Sorry, didn't see that. I'm on Bugtraq so I had already read the message in my e-mail; when I brought up the web page I just looked at the first couple lines to make sure it was the same one and didn't scroll to the bottom.
If I find a bug and I don't tell anyone, isn't that kinda like being a witness to a crime but not telling anyone? Sure, it's not explicitly against the law to NOT tell in some cases, but if I find a bug, as a programmer I am eaten away by it, like the tell-tale heart of Poe's writings. This company needs to wise up and realize that this guy could just as easily have released the information to bad hackers, who would cause harm.
stuff |
a first post script is on its way
Well boys and girls, I hope we learned our lesson today:
When you find someone's wallet - keep it, because they will only bring you up on charges for stealing it when you try to return it anyway. You might as well run up a bunch of charges while you're at it...
A cynical approach to life is much more rewarding than believing everyone has common sense and decency.
Don't believe what your mother told you - she lied.
$humor="off"
Lodragan Draoidh
The more you explain it, the more I don't understand it. - Mark Twain
Never let your lawyer give you PR advice.
Yet more proof that Mark Surfas is a complete and total jackass.
Want to take over another user's identity, or just screw them in a ladder? Follow these simple steps:
1) make a new user with the same username as your target
As a loyal Gamespy user I was shocked/angered at your C&D letter to a bug finder. What you have managed to do is piss off a lot of people - some of which will probably now target these very vulnerabilities you've ignored for so long just because of your attitude.
The general sentiment on Slashdot is that the next time a hole in your software is found, it should just be anonymously published as a worm instead. God knows, no one wants to be sued, right? Using the DMCA and chasing after people like this is a waste of time and money (watch the futile attempts of the movie industry to control DeCSS as an example). Bottom line: FIX YOUR PRODUCT and STOP WHINING ABOUT IT.
I'm writing to other game manufacturers like EA who use your services to let them know just how dissatisfied/disgusted I am with you folks. I will never buy a product with your logo on it until I am certain you've corrected this issue appropriately.
BTW, what are we to think of a company who ignores bug reports from the wild - especially those that may concern the security of my system?
Not smart guys. Really.
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
Your Cease and Desist letter to is utterly inappropriate. So, as a security analyst I'm going to take the next 5 minutes of your time to educate you as to what you did wrong, because we all know you'll do better in the future right?
1. Don't threaten us, we're trying to help you, contacting you quietly is a helluva lot better than say releasing the vulnerability into the wild first, but if you'd like to skip the contact step by sending things like cease-desist notices JUST SAY SO, as opposed to threatening us (see beginning of rule 1), we can move directly to putting the vulnerability into the wild.
2. Lawyers don't fix shoddy code, people do.
3. Please get your legal department a map (so that they can determine that the DMCA ISN'T the law of the land in Italy; it's this whole other place, right? And our laws don't apply there).
4. please explain in very short and simple words the difference between the gamespy CLIENT, and the gamespy SERVER to your legal and executive department, clearly such simple concepts elude them.
5. geektools.com contains links to traceroute, and whois programs to determine where on the internet various information is.
I would assume by this point you aren't particularly happy with me. So I'm going to let you in on a secret as to how to avoid such complaints from me again. It's very simple: treat us with respect when we protect your customers from you. Fix your bugs when we report them; they are YOUR RESPONSIBILITY. NEXT, send an APOLOGY letter to Luigi, just to show that you're good people and this was all a big mistake, because it was, right? Do these things and you will find the computer security analysts will be good friends of yours; they'll look out for you and make sure your software runs right for you. Do it not, and the entire community will tear your software apart, and post anything and everything anonymously to bugtraq. Your behavior, which borders on a legal fishing expedition to see what you can catch, is grossly inappropriate. Please stop.
Ooh and 1 meg pdf's sent via e-mail might in some circles be considered e-mail abuse, that doesn't engender much love for your company, and would potentially be grounds for a blacklisting.
Andrew D Kirch
Security Administrator
2mbit.com
Administrator
Abusive Hosts Blocking list
ahbl.org
trelane@2mbit.com
Some companies just have their heads in the sand when it comes to security. I discovered a problem with Postmaster e-mail accounts - sent messages may be easily retrieved by other users of the machine.
Their response?
(The) "feature comes with IE and is not a Postmaster feature."
This was over two months ago and the problem's still there.
I'm scared of numbers that can't be written as a fraction. It's an irrational fear.
Dear Bringer of Progress:
How DARE you point out disgusting flaws and gaping holes in our client's insecure security program! According to the DMCA this is an encouraged practice to hide their poor in-shop testing and sloppy coding along with monopoly foundation building. Do you honestly think things improve when defects are pointed out? Do you honestly think anybody else would even bother to exploit these things? Well THAT is why they have a clause in their license you paid for that makes them immune to their product's shortcomings.
Cease and desist, or we will sue you so hard your dead grandmother will have to pay up.
Sincerely,
Bleedum, Drainum and Lowlife
DMCA Firm, the friendly maggots.
-1 Overrated (Too many big words for me to comprehend)
Or that people who are inclined to exploit security holes really care whether it is illegal to look for them.
Why do we need to use spyware on people?
it is all safe and remember life is short do good.
RogerWilco message board
Why is it that purveyors of defective software get to hide behind the law? In any other industry, it would simply not be tolerated.
If I buy a car and it has a defect, I take it back, the car company fixes it while loaning me a new car free of charge, they fix it for free, and they usually apologise profusely. If they don't, well, I buy my next car elsewhere; or I sue them.
It is simply mind-boggling that a consumer can be attacked for legitimately complaining about a defective product. Hasn't anyone tried suing one of these lame-assed product vendors? A company has an obligation to supply a product that is conformant with their marketing claims, and sending a lawyer's letter invoking the DMCA when someone complains about a defect is astounding.
Can an expert on US law comment on this...?
They claimed I violated the DMCA just by posting a link to their public CVS Server. When will this madness end?
Unstable Apps: Our Android Apps Don't Suck
The exploits I read were for the most part buffer overflows... Which are the result of improper bounds checking and just general sloppy coding. This has NOTHING TO DO with Gamespy's servers, and everything to do with their client software. The guy claims he informed them, they claim he didn't. If he did inform them, then tough luck. They deserve any negative publicity out of this. If he didn't inform them, then he needs to be dealt with.
Proof of concept code often is the only way to force a company to do something about its security problems... It's specifically because 12 year old script kiddies are exploiting the vulnerability that the company fixes it. Suing a security researcher for bringing this about is silly. Spend the money on fixing the problem, not on a Lawyer's retainer.
Maxim: People cannot follow directions.
Increases in truth directly with the length of time spent explaining them
I refuse to support a bunch of DMCA-wielding fucknuggets.
Their tool for Quake2 was the only option but the interface and behaviour sucked. Well, it was free, what can you say? I don't go to their lame site either. Why should I pay for a 'professional review' (yeah right... payola...) when I can go to online forums and read real comments from real people?
I hope they go belly up.
Blar.
OK he's going to figure out who's talking shit now fool. Better watch out.
I have been in and out of Bugtraq over the years, and it is pretty fine. But I was thinking of something more than a mailing list, probably a whole set of tools (site/irc/list/forums) geared toward the discovery, publicizing and reproduction of security problems.
Given the enormous teen audience such a beast would attract, I don't think it would even be possible to keep it up without the services of very good moderators and the best security experts around. But then again, one may dream.
And then you have the geographic problem. Such a place would have to be hosted somewhere with very liberal laws and a government capable of (and willing to) resisting the vast pressure the targeted companies would put on it.
How do you extort someone and harass someone without contacting them? Sounds like he found these security holes and asked for $$$ to tell them where they were and how to fix them?
/.
Whatever. It's funny how any one person claiming that someone slapped them with a DMCA threat can make
Hehe, I cancelled and told 'em why and here's what they offered. So, if you don't want to cancel, but you still want to stick it to 'em a little bit, you can get a discount. I said fuck 'em anyway and still cancelled.
GameSpy Services Cancellation Confirmation
We Have A Special Offer For You! We Want You Back!
We never like to see a member of the GameSpy family move on --
especially when we're gearing up to offer members more premium services
than ever before. To keep you coming back, we'd like to present you with
a special offer!
A 25% discount on your current subscription! This discounted price will
be in effect for the next 3 charge(s).
You'll save money and you won't miss out on the great stuff that your
subscription entitles you to.
Click here to take advantage of this offer and become a subscriber once
again! Hurry, this offer expires 11/19/2003.
Before I make this comment, know ahead of time that I was once employed by Gamespy... long, long ago... in another life... one I'm glad is over. So I actually can speak based upon facts, not hearsay. :)
--
A C&D, citing the DMCA, from a company who, for quite some time, hosted a file server called RipNBurn, is just wonderfully humorous. I'll give you 3 guesses as to the contents of that server. Okay, one. Yup, it was a rather impressive collection of primarily illegal mp3s, movies, etc. I only regret I didn't take the time to copy the archive before I left, hehe.
The icing on the cake: Mark Surfas had, at one point, hired an entire group of people whose sole duty to the company was to keep that server filled with new material. By the time I left that thing had around 300 gigs of music alone. Sadly, when he grew tired of the fad, he fired them all. They were the coolest folks in the company at the time, too. (By coolest, I mean they were somewhat sociable, heh.)
Go Gamespy!
Well, I for one hope this helps their business. Some of us ex-employees are still sitting on fat stock certificates that are currently worth, well, not a goddamn thing. And god knows their software isn't going to up the value, ahem. You people need to buy more FilePlanet subscriptions! Yeah.. I can't keep a straight face saying it either.
Uh oh. I hope this doesn't mean I'm gonna get a C&D notice, too! *shiver*
It goes from God, to Jerry, to me.
Or use thermal noise....
Last decade the company I worked for wanted some very random numbers, and with a $300 small pod-like device that attached to a parallel port and got entropy from (as I remember) a hot diode we got them.
Don't know the current state of the market for these devices, or if they would apply to this architecture, but it can be easily and cheaply done.
Oh, and the contraction of "they are" is "they're," not "their," you ignorant git.
All their end-users are online and internet savvy, so they are more sensitive to online criticism than traditional companies.
Luigi has posted the original document to http://aluigi.altervista.org/misc.htm at the end of the list.
Here is a Bittorrent.
Mark my account INACTIVE. I've added u to my spamassassin's blacklist
Si vis pacem, para bellum! For evil to succeed good men need only do nothing!
If you want to send a powerful message to GameSpy, hit them where it hurts: their wallet. Tell all their advertisers that you find GameSpy's behavior reprehensible, and that you will not support those who support GameSpy. Nothing will make them do a 180 faster!
The best CD key generator is a true RNG (don't new Intel processors have these things built in?). Then you give the client a copy and you store a copy of the key in a database (hashing lets you do searches plenty fast). Simple and the most secure method.
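The scheme the post above describes (keys drawn from a cryptographic RNG, a hashed copy kept server-side, validity decided purely by lookup), as an added Python example that is not from the post, from GameSpy or from any real key system; the 25-character alphanumeric format, the alphabet and the in-memory store are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import string

# Assumed key format: five groups of five characters from A-Z0-9,
# e.g. "K7Q2M-9XZ4A-PL0WE-3RR8N-HB6YT" (constructed, not a real key).
ALPHABET = string.ascii_uppercase + string.digits
GROUPS = 5
GROUP_LEN = 5
KEY_CHARS = GROUPS * GROUP_LEN


def generate_key() -> str:
    """Draw every character from the OS CSPRNG (secrets), so there is no
    checksum or pattern an attacker could learn: a key is valid only
    because the issuer remembers having issued it."""
    groups = []
    for _ in range(GROUPS):
        groups.append("".join(secrets.choice(ALPHABET) for _ in range(GROUP_LEN)))
    return "-".join(groups)


def normalize(key: str) -> str:
    """Canonical form for lookup: upper-case, separators and stray
    whitespace dropped. Anything outside the alphabet is discarded."""
    return "".join(ch for ch in key.upper() if ch in ALPHABET)


def key_digest(key: str) -> str:
    """Store only a SHA-256 digest of the canonical key, so a leaked
    database table does not hand out usable keys, and lookups stay
    O(1) via the digest index instead of scanning plaintext keys."""
    return hashlib.sha256(normalize(key).encode("ascii")).hexdigest()


def search_space_bits() -> float:
    """log2 of the number of possible keys: the work a brute-force
    guesser faces per valid key (minus log2 of the number issued)."""
    return KEY_CHARS * math.log2(len(ALPHABET))


class KeyStore:
    """Issuer-side record of valid keys, keyed by digest only.
    A set stands in for the database index the post mentions."""

    def __init__(self) -> None:
        self._digests: set[str] = set()

    def issue(self) -> str:
        key = generate_key()
        self._digests.add(key_digest(key))
        return key  # the only copy of the plaintext goes to the customer

    def is_valid(self, key: str) -> bool:
        canonical = normalize(key)
        if len(canonical) != KEY_CHARS:
            return False  # malformed input never reaches the lookup
        return key_digest(canonical) in self._digests

    def revoke(self, key: str) -> bool:
        """Remove a key (e.g. one that leaked). Returns False if unknown."""
        digest = key_digest(key)
        if digest not in self._digests:
            return False
        self._digests.discard(digest)
        return True


if __name__ == "__main__":
    store = KeyStore()
    issued = store.issue()
    print("issued:", issued)
    print("valid (lower-case, no dashes):", store.is_valid(issued.lower().replace("-", "")))
    print("random guess valid:", store.is_valid(generate_key()))
    print("search space bits: %.1f" % search_space_bits())
```

The `search_space_bits` figure (about 129 bits for this format) is the point of using a true RNG rather than a key-derivation formula: with no structure to recover, guessing is bounded only by the key space and the number of keys issued.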
and I can't seem to fix it. Call me lame. If anyone can see what I did wrong, please let me know.
There's one problem with your logic. To my knowledge, Gamespy still doesn't actually own the source to Gamespy3D, to which I believe these security holes refer. That codebase is owned by the original coders of Quakespy, the program that got the company started.
If Gamespy has managed their software licensing so incompetently that they can't fix bugs in what they ship, that's their problem. They should go out of business and be replaced by a company that can put out products that don't endanger the security of my computer. Trying to suppress reporting of those bugs is not an acceptable response.
What this really shows us again is what a horrendous security mess closed source software is. We really need to replace that kind of junk with software we can trust.
I get the feeling that one of the major hurdles to getting to a technological utopia is the DMCA.....since ppl giving advice can be slapped with it. And unfortunately, ppl being slapped aren't the politicians and lawyers. (though, I would rather use a pitchfork for that).
(no offense)
We don't need laws specifically to protect research. That's bass-ackwards.
We need the ultra-restrictive corporate-enriching laws eliminated.
.sigs are for post^Hers.
Either he contacted them and offered to not disclose the bugs for money, or they are full of it.
Given that they aren't trying to get criminal proceedings started for blackmail charges, but instead trying to get him to remove exploits and reports for bugs they should have fixed a long time ago, Occam's razor does not cut in their favour.
The most likely explanation of his words is that they find being forced to fix bugs by full disclosure bug reports harassment. I have no sympathy for that.
Post the exploits on alt.hacker.malicious like everyone else. Once GameSpy mysteriously starts losing its customer base to exploits, they will fix them. - Flattery gets you nowhere - nice guys finish last - no good deed goes unpunished
boycott slashdot February 10th - 17th check out: altSlashdot.org
Don't these guys realize that Luigi Auriemma is not subject to US laws and the DMCA? A simple whois search would tell your average 9 year old that.
Perhaps someone, and I'm not saying the entire slashdot community, just a few million of us, should email the idiot lawyer who sent off the letter. If they were so disposed, his email address is in the letter he sent: colestuart@paulhastings.com
I work for an unnamed ISP on the West coast of America. Recently I was in their colo room and happened to notice a new server, a Cobalt RAQ. Being a curious person, I ran nmap on it and found that it was not firewalled and had 10 or 15 services running on it. Not knowing what all of them were, I started telnetting to unknown ports, one of which simply dumped me into a root shell. Surprise, surprise! I grabbed a copy of /etc/shadow and sent it to my supervisors along with how I broke into the machine (albeit accidentally). The next day I came in to find out that I was 2 inches away from being fired and the only reason I kept my job was because I was friends with my department supervisor. Jesus. Talk about people being afraid. Perhaps I should simply release the IP address of this machine anonymously on the internet with a copy of the port scan so that they will fix their problem. But do be careful: even with the best of intentions you are liable to be hung out to dry these days, even by people you consider to be your "friends".
Ads? What ads?
These lawyers would not be sending out C&D's without direction from in-house counsel, and (likely) not without a go-ahead from their business management unit. It all points back to a poor business decision to take this direction, be it through policy, bad decision/facts, or bad legal advice.
Sort of a case of don't blame the lawyers, they can't help themselves. And, you're right, GameSpy et al. probably have the hope/expectation that they will strike enough fear into his mortal soul to get him to comply with their demands.
UA
First, it could be the code that GameSpy3D uses because that's entirely Joe, Tim and Jack. That's an entirely different product. That's Spy Software that holds the code itself, not GSI. It is hard to fix code you don't actually have!
Secondly, has he been giving them a chance to fix the code? Think about it, he's hacking a protocol that is nearly the same since Quake 2. That's how many engines you'd have to change to get a real fix in place. Hell, I have a friend who still plays Heretic 2 online! heh That's a lot of changes. So, I think they just want him to calm down while they fix the issues.
Finally, I will point out that Mark's nickname is Bastard, but he's not an entirely bad guy. He's been one of the few guys to survive the dotcombomb and not sell out completely. He has some business sense and is trying to protect his business. And a big chunk of his business is reliable internet servers and keeping people using his browser. Personally, I think the cause of reliable online gaming to be worth a 'stop a moment while we fix this stuff.'
Then again, I'm biased, I did run a server for four years for them.
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
An earlier poster touched on one issue with this, and that is that ISPs in the US owned or legally threatened by US corps and laws would start blocking access to the offshore systems/networks if they became too successful.
What will we do with all those jokes about "The Great Firewall of China"? Just forget about it and start considering it bad manners to mention them in educated company?
About that email for "the most amazing vibrator ever"...
Could you forward that one to me, please?
anonymous_coward@whitehouse.gov
I wouldn't expect anything less out of this monkey barrel known as Gamespy.
Back when Game Spy Arcade was initially released, I downloaded and installed it because they quit releasing updates for the copy of Gamespy I had bought the year before. Shortly afterwards, I started having trouble with exception errors.
During my troubleshooting, I had dumped the traffic from several connections and saved them away to a text file. I used the traffic in this file to figure out how to log into their chat server without the GSA application, but with BitchX (remember, my GSA was busted).
The previous week, you could hardly connect to anything GameSpy related. Having worked in the Information Security sector for a few years, it seemed like a DDoS. Their irc servers were very slow, as were their web servers. I know this doesn't sound relevant, but here comes the humor..
I navigated through their very slightly modified ircd to get to the support room for GSA. I sat in the support queue for a bit, then had a shot to ask my questions. I asked about the exception and was told via a copy/paste solution the needed information. Then I simply asked if their network was slow due to another DDoS attack.. Big mistake.
BitchX showed some CTCP requests from the moderator, then comes the "How did you know about the denial of service attacks?" and immediately accuses me of being a hacker. It didn't matter that I told them GSA would not open, this was my only way to get support without waiting in the email queue for days. Then I pointed out that if they were going to have a policy against people connecting to their ircd with any client besides GSA, they should do something with the code to enforce this, and not make accusations over such silly things. At least take it off port 6667....
Then several other moderators join in on me. One was saying my IP was one of the ones generating traffic in one of the attacks on their network, etc.
Basically, my account got a lifetime ban on it as a result of me simply asking for help with an exception error. They also claimed to have given my information over to their legal team and to expect to hear from a lawyer soon.
So since my account is banned and I've been threatened with legal action from three of their employees, I'm a little confused. So, I send an email to Gamespy requesting contact information for their legal department. They never respond.
So, over the next month, I send them multiple transcripts of the chat logs and threats made towards me (by their employees) while reminding them I had given them $45 for a product that no longer works, meanwhile demanding an explanation for their rude actions towards me. After another month, or so, I get a response back saying they spoke with the employees involved and they were "confident this incident never took place".
So I asked them why my account had been banned. Guess what? No response again.
I could have just created a new account with another email address, but that situation was enough to make me never want to see one of their banners again. I might accidentally click one and generate some revenue for them.
All Seeing Eye is, imho, far superior to GameSpy and nowhere near as bloated.
Party Time: Excellent
No way we could figure out if he actually tried to email them, but the post/email states that he posted to the Bugtraq list when he found these bugs/holes. If they are in the archive, I'd be inclined to believe him rather than anyone at GameSpy.
You mean like this? It was posted back in June! Try a search for "Luigi Auriemma Gamespy" here and see what you get.
I produce electronic music and write little games. Have a look.
GameSpy's official response.
---
GameSpy welcomes any and all help finding genuine bugs and security breaches on our servers. What we don't welcome are people publishing security hacks that have the potential to hurt our products. GameSpy products are supposed to be about having fun, but hacks and Denial of Service (DoS) attacks take the fun out of it. It doesn't simply hurt GameSpy; it hurts every person playing games with our products.
What this person did was more than reverse engineer two of our products, RogerWilco and GameSpy3D: he was describing our backend services and publishing CDkey generation information without letting us know. At first we welcomed his bug alerts. We responded to him immediately and thanked him for his bug research, as we do with everyone who contacts us with bug information. We even sent him a thank you letter, which we have on file.
But then we found out he was also publishing how to brute force our RogerWilco CDkeys and had published hacks on other game CDkeys as well. He was doing more than reporting bugs; he was publishing game pirating techniques. He published how to attack our network. This is not the way ethical security researchers operate. It was at this point that we stopped our communication with him and asked him to remove the materials in question.
When we were first contacted, this person was associated with a small software security company. They asked if GameSpy wanted to pay a "consulting fee" to fix the hacks. However, these were not bugs; it was information about how our products work. When we brought this to the software security company's attention, they disavowed their relationship with that person and removed him from their servers.
Let me repeat: we welcome any bug alerts and will fix any and all security breaches that come to our attention. We find and fix nearly all of them before any external sources find them. It's all about playing games and having fun, people! That's why we do what we do! However, we won't pay "consulting fees" to people who create CDkey hacks of our proprietary software, then post the results if we don't pay them.
Gamers trust us. We have to protect them from any and all attacks on our network that affect gamers.
Mark Surfas
Chairman & Founder
GameSpy
---
I can't be bothered to create an account on a site that forms lynch mobs without even considering the possibility that there is another viewpoint, so I remain, simply,
A GameSpy fan.
http://www.gamespydaily.com/news/fullstory.asp?id=5474
This is how I see it,
Provide a page where someone can anonymously post details about a potential exploit with someone's proprietary software. The site keeps NO LOGS at all to protect the posts. The site then makes every effort to contact the company in question. After say a 60 day waiting period, a limited amount of information about the security problem is released to the public if nothing has been heard.
For every annoying gentoo user, are three even more annoying anti-gentoo crybabies. Take Yosh from #Gimp for example.
He claims they didn't. Wonder who's lying?
IveGotAChipOnMyShoulder writes "I'm going to make some nasty allegations against somebody I don't like, with no supporting evidence, using terrible terrible keywords that people will respond to like Pavlovian dogs, and get it posted to slashdot. Gosh, I hope that you don't bother looking into it, and if my target responds, I hope you don't actually mention it in the post; defending oneself is for losers." Yup, there's no justice like angry mob justice.
Vintage computer games and RPG books available. Email me if you're interested.
This is one of the classic forms of troll- make a ridiculous claim in apparent sincerity, which many slashdotters will all feel compelled to correct. The only bizarre part is that it's been modded +3 insightful.
If any of you read GameSpy's response, then you would understand what they are doing. This "security researcher" was publishing ways to brute force CD keys, and publishing how to pirate the applications. That does not sound like a security issue. Sounds like someone hacking a program to get it for free.
If he sent them bugs on how he was doing that, then cool. If he goes and publishes how to get their software for free, that is illegal.
vs.
http://slashdot.org/comments.pl?sid=85636&cid=7454934
Wait a minute...
So you worked with him but you never contacted him...
Wouldn't that be blackmail? IIRC, blackmail is coercing someone to do something by threatening to release information they don't want released, while extortion is coercing someone to give you something by threatening you with some consequences they don't.
Game Spy's Lawyers hath no fury like a /.'er scorned!
I would like nothing better than to get away from the LameSpy Network. I currently have a site hosted by them, but only because it provides access to FilePlanet.
I would get my own domain and leave PlanetXXXX if there is another site that can host downloads like Fileplanet does. But the last time I looked, it appeared that GSI gobbled up all the other hosts.
Incidentally, if you post a less than flattering remark about GSI in their forums, you get banned rather quickly. They seem to be rather sensitive about that. (hint, hint)
Looks like their editor revised the reply somewhat from earlier instances I've seen here. Here's the full text:
This is from our Chairman and Founder Mark Surfas:
GameSpy welcomes any and all help finding genuine bugs and security breaches on our servers. What we don't welcome are people publishing security hacks that have the potential to hurt our products. GameSpy products are supposed to be about having fun, but hacks and Denial of Service (DoS) attacks take the fun out of it. It doesn't simply hurt GameSpy; it hurts every person playing games with our products.
What this person did was more than reverse engineer two of our products, RogerWilco and GameSpy3D - he was describing our backend services and publishing Cdkey generation information without letting us know. At first we welcomed his bug alerts. We responded to him immediately and thanked him for his bug research, as we do with everyone who contacts us with bug information. We even sent him a thank you letter, which we have on file.
But then we found out he was also publishing how to brute force our RogerWilco Cdkeys and had published hacks on other game Cdkeys as well. He was doing more than reporting bugs; he was publishing game pirating techniques. He published how to attack our network. This is not the way ethical security researchers operate. It was at this point that we stopped our communication with him and asked him to remove the materials in question.
When we were first contacted, this person was associated with a small software security company. They asked if GameSpy wanted to pay a "consulting fee" to fix the hacks. However, these were not bugs; it was information about how our products work. When we brought this to the software security company's attention, they disavowed their relationship with that person and removed him from their servers.
Let me repeat - we welcome any bug alerts and will fix any and all security breaches that come to our attention. We find and fix nearly all of them before any external sources find them. It's all about playing games and having fun, people! That's why we do what we do! However, we won't pay "consulting fees" to people who create Cdkey hacks of our proprietary software, then post the results if we don't pay them.
Gamers trust us. We have to protect them from any and all attacks on our network that affect gamers.
Mark Surfas
Chairman & Founder
GameSpy
"The great thing about multitasking is that several things can go wrong at once." -me
First we have this remark from Mark Surfas at GameSpy in response to HunterWare's email:
As if that didn't seem contradictory enough, we also have this from the GameSpy official response (also written by Mark):
Ok, so which is it? Did he contact you or not? Did he report these vulnerabilities or not? Did he only report some of them or all of them, and can you prove it? (Because if anything, we really have even less reason to take GameSpy's word for it than we do for Luigi). Next Mark tells us why GameSpy got pissed:
Sorry Mark, but if the way your system works allows it to be exploited, then it's broken. There's no other word for it. Whether he did it ethically or not remains to be seen as GameSpy hasn't offered any evidence to the contrary yet. Now we get to the heart of GameSpy's complaint here:
I'd like to see the evidence of this. If he said he'd found vulnerabilities in their code and refused to tell them what those vulnerabilities were and threatened to reveal them publicly unless they paid him, then yes, that sounds like extortion. If, however, he did tell them what the vulnerabilities were, and they didn't act immediately to fix them, then it's GameSpy's fault completely. I don't know which way it actually happened, and until I see more evidence, it's hard to say who's in the wrong. Oh yeah, and I just thought this closing was humorous:
It's not enough to bash in heads, you've got to bash in minds. - Captain Hammer
oh ho ho... Not the buffer overruns? Okay, burn the guy at the stake. I, Merrow, am now officially throwing this guy to the wolves. Darn, sorry I got suckered in on that one. Apologies to anyone I argued with.
May this 'Luigi' suffer forever in the Hell of the Upside Down Drowned Sinners.
Maxim: People cannot follow directions.
Increases in truth directly with the length of time spent explaining them
It seems to me, from GameSpy's official release on their website, this guy requested a "security consultation fee". I, like all of us, don't know all the details, but it seems odd that "consultation fees" would be requested by someone who's really trying to be a Good Samaritan. Is it possible this guy was trying to appear helpful when all along his real goal was to get paid?
-- I'd give my right arm to be ambidextrous
According to the reply:
"What this person did was more than reverse engineer two of our products, RogerWilco and GameSpy3D -- he was describing our backend services and publishing CDkey generation information without letting us know. At first we welcomed his bug alerts. We responded to him immediately and thanked him for his bug research, as we do with everyone who contacts us with bug information. We even sent him a thank you letter, which we have on file."
I don't believe there's anything wrong with that.
"But then we found out he was also publishing how to brute force our RogerWilco CDkeys and had published hacks on other game CDkeys as well. He was doing more than reporting bugs; he was publishing game pirating techniques. He published how to attack our network. This is not the way ethical security researchers operate. It was at this point that we stopped our communication with him and asked him to remove the materials in question.
When we were first contacted, this person was associated with a small software security company. They asked if GameSpy wanted to pay a "consulting fee" to fix the hacks. However, these were not bugs; it was information about how our products work. When we brought this to the software security company's attention, they disavowed their relationship with that person and removed him from their servers"
People, I'm all against security through obscurity, but if you've played any multiplayer game you know that every damn script kiddie will be taking advantage of everything they get their hands on, ESPECIALLY cd keygens.
And you, offering a "consulting fee" sounds damn close to extortion. This wasn't good-faith bug reporting; it was "show me the goods or else".
Don't believe me? Go play Counter-Strike and see how long you can stand the wallhacks and lag tricks. Multiplayer code isn't exactly secure. The last thing we need is people taking over your machine after a round of UT.
And oppose closed software all you want, but the guy DID reverse-engineer an algorithm for VERY questionable purposes.
I AM sad that the DMCA has to be used. It's a POS piece of legislation. However if it is the way gamespy says, then this "researcher" isn't doing too much good for the gaming community either.
blah blah blah our shitty authentication and exploitable code is a feature not a bug blah blah blah.
Welllll, ok then. The question becomes do I not use gamespy because they're cracking down on a bug researcher, or because their products have exploitable holes that are "officially recognized" design features?
Did anybody read the C&D? It looks like they are not getting on him about finding bugs, but about writing up hacks and cracks, such as programs to crash their servers or to find information on their servers that isn't for public viewing. I like the fact that this guy is trying to find bugs, but from surfing his page and reading GameSpy's complaints, I really can't blame GameSpy. He was publicly posting things that were detrimental to GameSpy. From the looks of the response from GameSpy, and how his "company" disavowed knowing him, I'm wondering how much of a martyr he really is.
Granted, I do agree that most of the time companies won't fix bugs unless they're put into the wild; that doesn't make putting them into the wild the right thing to do.
The best way to predict the future is to invent it.
Am I the only one that sees the irony here? Would GameSpy even exist if everyone else effectively used the DMCA to stop reverse engineering and exploiting of their code? This looks to me like a case of a company who decries the DMCA when used against them, but is quick to try to use it against others.
I'm an American. I love this country and the freedoms that we used to have.
The DMCA is a grummet if there ever was one (5 pounds of shit in a 1 pound bag) but all the same ....
Am I the only one who understands Mark when he is disgusted by the fact that this "researcher" was holding him over a barrel - "pay me consultant fees or I publish the hacks to generate CD keys"
???
Seems a little too slimy for a bugtracker.
No offense, but if I was in Mark's situation I would do whatever I could to stop getting blackmailed too.
Of course, then again, I would have started by not making grummet software but that's just me.
*grin*
- Jeff -
Read their response. They claim he offered consulting fees to help fix the holes.
He was dropped from the security company for that.
My advice to those of you living in what used to be sovereign nations? Be Afraid. Be Very Afraid.
I wasn't satisfied with Mark Surfas' response to the criticism GameSpy has received. Here's what I wrote to him.
--Turkey
-Turkey
"Half-Life 1.1.1.0 client's "Unknown command" format string bug test 0.1 This is a tool to test a format string bug I have found in the Half-Life client. I have not released an advisory because at the moment I don't know if this bug allows remote code execution or not. Feel free to check it (in the zip file there is also the mail I have sent to vuln-dev that contains some details)"
In this case he's posting source for the exploitation of a bug before HE EVEN KNOWS WHAT THE BUG DOES. This makes me doubt how responsible he is in informing companies of bugs in their products. How about this changelog in the source of his UTDDos attack:
"CHANGELOG: - Now supports UT2003 servers!!! - better allocation method (now it's not limited, and the memory used is very very small!) - big code optimizations - a lot of bug fixes (libnet name resolution and other little problems)"
Why would these changes be necessary for a proof of concept? Sounds more like he wants anybody to be able to easily compile and use his programs to exploit not just UT servers, but UT2003 servers as well.
I think hackers should have as much restraint as possible in releasing "proof of concept" programs. Because really, what do these programs do? It does exactly what you are afraid people will do with the bug you found, exploit it. When you release that to the public, you are ENSURING that the bug will be exploited. Only in extreme cases should this be used to force a company to fix a bug, because at best the result is a brief period of time in which the bug is exploited widely, before the company fixes it. However, I think there is a serious risk of more harm being done in this period of time than would have ever been done if the proof of concept program had never been released, and the bug taken longer to be fixed or perhaps not fixed at all.
This guy is obviously not using proof of concept programs as a last resort. In fact, check out this comment:
"CD-Key hash changer for UnrealTournament 2003 v2225 for Win32 0.1 practically this proof-of-concept lets you use a custom cd-key hash. The main idea was to find a cd-key theft bug but fortunately this bug doesn't exist so this tool can be considered only a test just for fun"
He wants people to use it "for fun"? What kind of white hat hacker releases a proof of concept program for "fun"? If I read this right, he was hoping to be able to steal CD keys with this, which he probably would have released as well. That would have been a huge mess, and is what I mean when I say there is serious risk of a concept program doing a lot more harm than good. So, it turns out it only lets you use other people's CD hashes, which you can get just from joining a game. This would allow you to steal the CD hash of someone you didn't like, and then go make a total ass of yourself on a server and get him banned. Sounds "fun", don't you think? GameSpy may not be my favorite company, but this guy gives hackers a bad name.
I am so thankful I found All Seeing Eye. It's what GS3D used to be. (Now GameSpy 3D brings back some memories!) A light, powerful game matching program with little bloat and a lot of powerful uses. Granted, it doesn't have a child-safe UI, but what it lacks in visuals it more than makes up for in its options.
But I may be a bit biased because I hate GameSpy with such an undying passion.
The secret to getting modded up is to always say "I've got karma to burn" in your sig..
I hate the thought of the DMCA being upheld for any reason, but this guy is a CRACKER not a hacker. He will have a large legal bill on this one.
Therefore he should be hung by the balls.
Professional Politicians are not the solution, they ARE the problem.
... and not a single person did this?
"Suffice it to say, you would be ill-advised to hold your breath while waiting for these issues to be fixed. Better to use the All Seeing Eye instead. That's what I do. And this coming from a Gamespy stock holder! heh"
Disappointing.
Like a lot of people here I initially had a knee-jerk reaction in relation to the DMCA. However, in this case it hits home. I am a member of the FreeSpace 2: Source Code Project, our forums are on the GameSpy network (http://3dap.com/hlp) and GameSpy wants to make a big deal out of the source code project with FS2 for download off FilePlanet and everything.
So when I saw this I went ballistic and called for considering severing all ties with GameSpy. After some investigation into GameSpy's legal document I found nothing that clearly made their case. I had however overlooked Luigi Auriemma's "Patches" page, thinking it was just patches for his software. When I finally looked at it I saw that I was quite wrong. It is an entire list of copy protection circumvention, which is clearly a DMCA violation (and should be), and a violation of the Computer Fraud and Abuse Act. Mr Auriemma is promoting piracy - including releasing information and files to patch UT 2003 Demo into UT 2003 Full Edition.
While GameSpy did overstep their bounds a tad in attacking his advisories, they are not heinously abusing the DMCA. While parts of the DMCA are heinous, they are fortunately not relying on them, and not relying on the DMCA alone. GameSpy is right in attacking him for releasing "No-CD" tools that actually promote piracy along with other piracy-promoting 'patches'. Mr Auriemma's "tools" are not required to show the exploit and should not have been released to the public; this just allows 12-year-old script kiddies to attack GameSpy servers.
After much deliberation I am not going to call for a break in relations between the SCP and GameSpy, and I look forward to continuing our current relationship with GameSpy. Although I do think they went a little far in naming his "security advisories" in the letter, I don't think it was heinous - everyone is human.
So give GameSpy a break, not all uses of the DMCA are heinous, and not all "security analysts" are benign. I am normally one of the first to attack DMCA abusers, but GameSpy isn't abusing it, and their letter doesn't need to reference it.
We wouldn't be having this conversation if they didn't mention the DMCA in the letter, but the letter would have been no less powerful legally had they not mentioned the DMCA.
If you cannot keep politics out of your moderation remove yourself from the Mod Lottery.. NOW!
Hi xxxx,
This is from our Chairman and Founder Mark Surfas:
GameSpy welcomes any and all help finding genuine bugs and security breaches on our servers. What we don't welcome are people publishing security hacks that have the potential to hurt our products. GameSpy products are supposed to be about having fun, but hacks and Denial of Service (DoS) attacks take the fun out of it. It doesn't simply hurt GameSpy; it hurts every person playing games with our products.
What this person did was more than reverse engineer two of our products, RogerWilco and GameSpy3D - he was describing our backend services and publishing CDkey generation information without letting us know. At first we welcomed his bug alerts. We responded to him immediately and thanked him for his bug research, as we do with everyone who contacts us with bug information. We even sent him a thank you letter, which we have on file.
But then we found out he was also publishing how to brute force our RogerWilco CDkeys and had published hacks on other game CDkeys as well. He was doing more than reporting bugs; he was publishing game pirating techniques. He published how to attack our network. This is not the way ethical security researchers operate. It was at this point that we stopped our communication with him and asked him to remove the materials in question.
When we were first contacted, this person was associated with a small software security company. They asked if GameSpy wanted to pay a "consulting fee" to fix the hacks. However, these were not bugs; it was information about how our products work. When we brought this to the software security company's attention, they disavowed their relationship with that person and removed him from their servers.
Let me repeat - we welcome any bug alerts and will fix any and all security breaches that come to our attention. We find and fix nearly all of them before any external sources find them. It's all about playing games and having fun, people! That's why we do what we do! However, we won't pay "consulting fees" to people who create CDkey hacks of our proprietary software, then post the results if we don't pay them.
Gamers trust us. We have to protect them from any and all attacks on our network that affect gamers.
Mark Surfas
Chairman & Founder
GameSpy
If there's anything else we can do to help, please let us know.
Karen "Cobby" Cobb
Customer Service Manager
GameSpy Industries
karen@gamespy.com
According to http://aluigi.altervista.org/misc/75395-1.pdf Gamespy's lawyer is
Colbern C. Stuart III
colestuart@paulhastings.com
ph (858) 720 2820
fax (858) 720 2555
Paul, Hastings, Janofsky & Walker LLP
San Diego, CA
http://www.paulhastings.com/
Who is going to fund a lawyer for Luigi?
More like Mark Surfsass AM I RITE??????111oneoneone
The other day I was going down on my girlfriend... I said... "Jeez you got a big pussy! Jeez you got a big pussy!" She said, "Why'd you say that twice?" I said, "I didn't!"
See, it was cuz.. cuz of the echo...
This is from our Chairman and Founder Mark Surfas:
GameSpy welcomes any and all help finding genuine bugs and security breaches on our servers. What we don't welcome are people publishing security hacks that have the potential to hurt our products. GameSpy products are supposed to be about having fun, but hacks and Denial of Service (DoS) attacks take the fun out of it. It doesn't simply hurt GameSpy; it hurts every person playing games with our products.
What this person did was more than reverse engineer two of our products, RogerWilco and GameSpy3D - he was describing our backend services and publishing Cdkey generation information without letting us know. At first we welcomed his bug alerts. We responded to him immediately and thanked him for his bug research, as we do with everyone who contacts us with bug information. We even sent him a thank you letter, which we have on file.
But then we found out he was also publishing how to brute force our RogerWilco Cdkeys and had published hacks on other game Cdkeys as well. He was doing more than reporting bugs; he was publishing game pirating techniques. He published how to attack our network. This is not the way ethical security researchers operate. It was at this point that we stopped our communication with him and asked him to remove the materials in question.
When we were first contacted, this person was associated with a small software security company. They asked if GameSpy wanted to pay a "consulting fee" to fix the hacks. However, these were not bugs; it was information about how our products work. When we brought this to the software security company's attention, they disavowed their relationship with that person and removed him from their servers.
Let me repeat - we welcome any bug alerts and will fix any and all security breaches that come to our attention. We find and fix nearly all of them before any external sources find them. It's all about playing games and having fun, people! That's why we do what we do! However, we won't pay "consulting fees" to people who create Cdkey hacks of our proprietary software, then post the results if we don't pay them.
Gamers trust us. We have to protect them from any and all attacks on our network that affect gamers.
Mark Surfas
Chairman & Founder
GameSpy
If there's anything else we can do to help, please let us know.
Sincerely,
Dana Bryant
Lead Accounts Support
GameSpy Customer Service
dana@gamespy.com
If there is a buffer overflow in the product I want to know; if they can't fix it because they write unmaintainable code I still want to know.
The various OSs have huge codebases too, but fixing buffer overflows doesn't even take M$ as long as it has taken GS.
There is a problem with this posting in that it only tells a very small portion of the actual story. GameSpy was perfectly fine with him finding security holes and even sent him thank you notes for his work. Luigi had been posting the software that he made to find these holes and also posting CD cracking software. They sent the cease and desist letter telling him to remove these things from his website. In this case I think that GameSpy did NOT overreact, because he was posting things on his site that shouldn't be released to the public. I'm OK with a person writing a program to test the security of something, but I think that it's not OK to post said software publicly, especially the source code. Here is the Ars Technica posting on this, which is much less biased in its report of the incident. In the end I think he should remove the stuff from the website but should face no legal action.
...that's what the man sounds like. Gamespy is dead on in dropping a legal bomb on these guys.
What we call folk wisdom is often no more than a kind of expedient stupidity.-Edward Abbey
> DMCA is overreaching and unconstitutional as is
So, what you're saying is that the DMCA is unconstitutional, yet it has been in your law books for five years and is actively applied.
So much for your constitution...
While I agree that distributing "keygens" is unethical, putting my "devil's advocate" hat on for a minute, I don't really see how it's an infringement of copyright:
Suppose I reverse-engineer an app that uses CD-keys (Gamespy 3D, say) and determine how it checks CD-keys.
Further, suppose I write a keygen which produces valid CD-keys on request. Remember, a CD-key is just a meaningless string with some particular property - if I remember correctly, one app a few years ago accepted any multiple of 7 as a key.
OK, now suppose I distribute the keygen, which consists entirely of my code.
If you assert that I infringed copyright at some point during that process: when did I distribute a creative work created by Gamespy?
If you think the situation I described would involve breaking the law: instead, suppose someone else reverse-engineered Gamespy 3D and told me how it checks keys, and I did a "clean-room" implementation of a keygen based on that. Would that be legal? If not, which of us would have broken the law?