GameSpy Sends DMCA-Based C&D To Security Researcher
chowbok writes "Luigi Auriemma has found several security holes in GameSpy software over the past few months. He has reported them all to GameSpy but never got a response... until today, when he got a threatening letter from their lawyers. It says he's violating the DMCA, he needs to cease-and-desist, yadda yadda yadda." Update: 11/12 21:09 GMT by S : GameSpy has now posted an official response from the company's founder, Mark Surfas.
Mirror here: www.outputservices.com/marty/mirrors/secfocus.html
quote: "I'm 22 years old and I live in Milan district in Italy." The DMCA doesn't apply to him. Cease and desist this!
Use Ventrilo. It's free and has a few different ports. My clan uses it when we play EVE Online.
Don't forget to report the letter to Chilling Effects.
--You will rephrase your request for me to go to hell. Goto statements are not acceptable programming constructs
I haven't used GameSpy in years... in my view it's nothing but adware everywhere... My best advice for everyone is: stop using it and go to Kali.
www.kali.net
I have been using it for years... and it's the best gaming community ever...
This isn't exactly what you want, but I think you'll find it of interest:
Chilling Effects
Just curious, but didn't you just describe Bugtraq? Granted, SecurityFocus got bought out by Symantec IIRC, so there's the whole "do we REALLY trust them?" bit, but still... I've always seen Bugtraq as a reasonably-moderated open forum for new bugs, exploits, and discussion. Although it would be pretty neat to see something hosted offshore from the US with the primary goal being to bring the ruckus via full disclosure. Honestly, I'm surprised nobody has done this yet, with the main banner saying "What The DMCA Doesn't Want You To Know!".
"Hell hath no fury like a woman scorned for SEGA. ..."
In response to my email I got the prompt response:
(SNIP)
Hi Hunter -
Unfortunately, he's not telling the truth. What is happening is simply attempted extortion. He didn't contact us, never has, and has been harassing us for over a year.
Mark
(/SNIP)
Most people didn't notice, but Bugtraq was moved to Canada, and turned over to a Canadian moderator a couple of years ago.
FYI, he is being tried under Norwegian law, nothing to do with the US DMCA. Look at this link. I know it is being appealed but this is the status now.
Help fight continental drift.
From the bottom of the page: Simple enough, eh? The link in the story is currently not the recommended link...
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
In recent months, I have found Bugtraq to be much less useful than the Full Disclosure mailing list.
My next sig will be ready soon, but subscribers can beat the rush
On March 28th, Italy implemented the EU copyright directive, which is modeled after the DMCA, but with fewer exemptions. All 15 EU members were supposed to adopt this by last December, but only a handful of countries have done it yet. The UK just became the sixth to adopt.
How did I get so interested in the DMCA? I recently interfaced the Ritz disposable digital camera to my computer, and didn't like how the DMCA has been used to stifle competition.
Text of the EUCD (EU Copyright Directive)
HIV Crosses Species Barrier... into Muppets
Yeah, right.
Harassing them with fully disclosed vulnerabilities, which would take under a day to patch even in case of the unimaginably horrible code?
3.243F6A8885A308D313
The subject of this article first fell into the former category, and only after they were ignored moved themselves into the latter.
Personally, I don't think that's so inappropriate -- as one of the deployment/security engineers for my company's product, I'd be damned (not to mention in muddy legal waters, given the sensitivity of the data our app handles) if I let a security-relevant bug report go unresolved for multiple releases.
Folks who screw themselves over that badly (by ignoring security-relevant bug reports) deserve what they get.
*laugh* Yes. A good RNG. Unless you're talking about someone flipping coins or rolling dice, every way to do so with a computer will use *gasp* an algorithm.
There's also the small problem with knowing which keys are good ones when you just generate them "randomly".
There's one problem with your logic. To my knowledge, GameSpy still doesn't actually own the source to GameSpy3D, to which I believe these security holes refer. That codebase is owned by the original coders of QuakeSpy, the program that got the company started. The deal was: Surfas owned the brand, the coders owned the code. Never at any time could he talk them into selling it. That is the primary reason for the original development of Arcade: to bring ownership of some form of GameSpy software in-house.
How do I know? I was one of the original coders at the company back when Arcade was just an idea tossed around the Tuesday morning staff meetings. And no, I didn't have much of a hand in Arcade, thankfully, so please don't put a pox on me.
Of course, if this guy was pointing out holes in Arcade (to be honest, I couldn't tell from his website; it didn't seem 100% clear which product he was testing), well, it's going to take *a lot* more than a single day to fix.
Not that you really want to know this, but Arcade was very tightly coupled to a stock MFC, App-Wizard generated Doc/View project, and didn't stray too far throughout its lifetime. In fact, by the time I left, most of the code was essentially layered on top of rather poorly implemented MFC classes. (Props, Walla!) It gets even uglier (like data and UI being completely interleaved), but I'll save you the anguish.
Suffice it to say, you would be ill-advised to hold your breath while waiting for these issues to be fixed. Better to use the All Seeing Eye instead. That's what I do. And this coming from a GameSpy stockholder! hehe.
It goes from God, to Jerry, to me.
GameSpy's official response.
---
GameSpy welcomes any and all help finding genuine bugs and security breaches on our servers. What we don't welcome are people publishing security hacks that have the potential to hurt our products. GameSpy products are supposed to be about having fun, but hacks and Denial of Service (DoS) attacks take the fun out of it. It doesn't simply hurt GameSpy; it hurts every person playing games with our products.
What this person did was more than reverse engineer two of our products, RogerWilco and GameSpy3D; he was describing our backend services and publishing CD key generation information without letting us know. At first we welcomed his bug alerts. We responded to him immediately and thanked him for his bug research, as we do with everyone who contacts us with bug information. We even sent him a thank you letter, which we have on file.
But then we found out he was also publishing how to brute force our RogerWilco CD keys and had published hacks on other game CD keys as well. He was doing more than reporting bugs; he was publishing game pirating techniques. He published how to attack our network. This is not the way ethical security researchers operate. It was at this point that we stopped our communication with him and asked him to remove the materials in question.
When we were first contacted, this person was associated with a small software security company. They asked if GameSpy wanted to pay a "consulting fee" to fix the hacks. However, these were not bugs; it was information about how our products work. When we brought this to the software security company's attention, they disavowed their relationship with that person and removed him from their servers.
Let me repeat: we welcome any bug alerts and will fix any and all security breaches that come to our attention. We find and fix nearly all of them before any external sources find them. It's all about playing games and having fun, people! That's why we do what we do! However, we won't pay "consulting fees" to people who create CD key hacks of our proprietary software, then post the results if we don't pay them.
Gamers trust us. We have to protect them from any and all attacks on our network that affect gamers.
Mark Surfas
Chairman & Founder
GameSpy
---
I can't be bothered to create an account on a site that forms lynch mobs without even considering the possibility that there is another viewpoint, so I remain, simply,
A GameSpy fan.