GameSpy Sends DMCA-Based C&D To Security Researcher
chowbok writes "Luigi Auriemma has found several security holes in GameSpy software over the past few months. He has reported them all to GameSpy but never got a response... until today, when he got a threatening letter from their lawyers. It says he's violating the DMCA, he needs to cease-and-desist, yadda yadda yadda." Update: 11/12 21:09 GMT by S : GameSpy has now posted an official response from the company's founder, Mark Surfas.
Always hating on the guy trying to enforce rigid security standards. Can't we all recognize that the only real harm caused would be by *not* reporting on these security holes. C&D letters only cause anti-corporate sentiment due to their rather accusatory tone. For shame. Good thing I don't use gamespy...
I'm not popular enough to be different.
Homer Simpson, The Simpsons
That's the sound of nobody being surprised.
Note for future reference: hackers, if you want someone to improve their security, don't go to the admin with your 'sploit, but anonymously release it into the wild. After all, the constant cease-and-desist letters _obviously_ say that that's what today's software companies want.
To the Gamespy Feedback Page
So, incredulously, he asks whether bug research is a criminal act and bug researchers criminals.
Unfortunately, the answer today in America is a simple "yes". That is, unless you feel like researching and then hoarding your findings.
mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
and the Italian government will GUBO (Grease Up and Bend Over) and hand him over to the US unfortunately
This makes a lot of sense, really! Let's let someone do all the work for us in finding security holes, have him come directly to us and tell us about the holes, have him keep them to himself instead of releasing them for everyone to use, and then tell him he's doing a BAD thing and he needs to stop!
I fail to see ANY logical reasoning behind this.
This is a highly stupid move on GameSpy's part.
This guy wasn't posting his findings on the internet, or seeking publicity for himself; he was just using his skills to help out and try to improve GameSpy's product (and it needs all the help it can get, IMO).
If you ignore security, it will go away...
Manipulate the moderator system! Mod someone as "overrated" today.
Does the DMCA apply outside the US? How can this guy be breaking US and Federal law while carrying out his research in Milan, Italy? Chris
From the article:
"Bug research is a crime and bug researchers are criminals, didn't you know that?"
I know he's being sarcastic, but how long until he's correct?
One more reason to despise the DMCA, I'm not even sure how it could apply - certainly the lawyer's reasons don't make any technical sense.
Simon
Physicists get Hadrons!
Laws are really needed to help protect people conducting security research, finding problems and reporting them without doing anything malicious.
Having hackers poking and prodding makes everything more secure ("So the first woodpecker to come along doesn't destroy civilization").
The only one winning here seems to be the lawyers.
"Good samaritan" acts like this tend not to go over well with companies when their products are on the line. They think we're just a bunch of reckless hackers trying to H4CK TEH PLAN3T! The thing they fail to realize is that by shutting up honest people like this via the DMCA and unleashing lawyers on white hats, then the only people left WILL be the bad guys. And frankly, I'd like to see some black hats get nasty on companies like this. This DMCA bullshit is getting tiring.
"Hell hath no fury like a woman scorned for SEGA. ..."
Publish all the exploits underground, as anonymously as possible. This way the exploits are in the wild and the sloppy code has to be _fixed_ instead of covered up with a mountain of legal manure.
This is not what GS wants, nor what they mean. It is, however, what they are apt to get. Had they thought (ha!) things through, this mistaken mistreatment of someone sending friendly warnings would not have occurred.
Hey, GS. Why not try shooting at the real target? You just hit your foot.
I'll never get it:
Those guys researching security flaws in your software are working for free for your company. You just saved some money for security audits...
Be grateful, perhaps offer them a contract for more research, but don't threaten them with lawsuits. Some people may not like it and won't contact you before spreading an exploit.
Tread softly because you tread on my dreams. -- Yeats
What better way to get your bugs known by every technically literate person on the planet than to send a C & D letter like this, leading to a reference that gets posted on Slashdot as a home page story?
I congratulate Gamespy on their great word-of-mouth campaign to get all of their exploitable bugs known by the widest possible audience...
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
I think the issue here is much less one of the right to publish and to speak, though of course in the end that will always be most important. This story is really one for universal concern because it exposes the way in which companies like Gamespy are spelling their own death by sending out these letters. It is publicly revealed information that inspires companies to take security seriously and act quickly toward hole-patching. There should be no doubt in anyone's mind that this information will be disseminated regardless of its wide publication, and so challenges to security will still happen. Is it not in everyone's best interest that change-motivating embarrassing public releases of information like this be allowed? And plus, doesn't the even wider attention which a company stands to garner by sending out C&D's to avid exposers of flaws like this make them completely worthless?
But it looks like the economic incentive to cover up rather than fix makes the concept of welcome full disclosure a myth akin in proportion to the commonly-misheld belief that chopsticks of course originated in Asia. Interesting story: the recently uncovered truth of the matter is that they were actually designed as a gimmick by immigrants cooking in American mining communities in the 1800s and later carried back to Asia as a less resource-intensive means of preparing and serving food. Ironically, the U.S. is the largest exporter of chopsticks, with something like 3% of U.S. lumber production going towards the effort to supply Asia, where chopstick use grew to outstrip other utensils within the last century.
The point is that when you look at the bigger picture, you realize that there is an economic disincentive to do the right thing; or rather, an incentive to do whatever it takes to improve the bottom line. I think it's unfortunate that they're choosing to punish an individual that was trying to help, and that it's this sort of attitude that drives good hackers underground. When code is owned by outlaws, only outlaws own the code.
Try not. Do or do not, there is no try.
-- Dr. Spock, stardate 2822-3.
All his proof-of-concept exploits are on his website ... BUT, he did notify the company AND gave them lead time to fix each problem before publishing. Sounds like a perfectly responsible approach, similar to that used by university researchers here in the US.
I'm sure there isn't anything in the letter of the law that says you have to be an asshat about dealing with independent bug reports. However, given the backers of and the intent behind the DMCA, being a jerk certainly fits with the spirit of the law...
Heck, even murderers often don't get handed over
What scares me is that the US probably care less about the murders than the DMCA violators, and they will try to get him handed over...
The corporations that influence the government so heavily don't really care when one of the people of the US gets killed, but when their profits are in danger... watch out!
"I'll have a Guinness, no wait, make that a Coors Light" -Grad student I work with, who shall remain anonymous...
It's not just the fact that they're using the DMCA like this, it's also that they don't care about the integrity of their software. They're basically saying "we'd rather not have you help us, for free even, because we care more about our image and will do anything to keep people from finding bad things about our product."
</cheapshot>
Seriously, if they don't care enough about their security to appreciate the bug reports, what do I, the potential customer, think about how much they care about other aspects of their software? If they're DMCA'ing security bugs, how seriously will they take regular bugs I encounter?
Plus, their site is ugly.
It's nothing but crumpled porno and Ayn Rand.
I don't blame Gamespy at all. This jackass has basically enabled untold numbers of 12 year old pricks to tie up public game servers for their shallow amusement.
The general method of DoS he employs is not a "security flaw" but a byproduct of how multiplayer games are typically designed. You could theoretically do the same thing by going into an office and starting up a bunch of instances of the game on a bunch of PCs and logging into a server and leaving them there -- the "proofs of concept" that this guy Luigi wrote just automates this, simulating clients and hanging them.
The "problem" is that lots of games (hell, most network services of any kind) inherently require one TCP connection or UDP stream that stays alive throughout the entire multiplayer game and that begin with some authentication process, and most games only maintain a small number of slots (listening sockets).
Generous timeouts are also often needed to support spotty connections/freezes without disconnecting, so simply checking for timeouts might not help servers get past this issue. (However, maybe they could add some simple limit on how long a client can stay in the preliminary authentication/non-'playing' stages before booting them, requiring a prohibitively large amount of additional reverse engineering/sophistication to simulate a playing client.)
Getting around it will force game devs to play a stupid game of cat and mouse and to implement complicated challenge/response and other antispoofing mechanisms (IP banning, timeouts, etc.) -- time that could be, and ought to be spent on making fun games.
Too bad that Gamespy invoked the DMCA but that's probably the only legal leg they can stand on. Furthermore, Gamespy has nothing to do with the implementation of various game developers' servers.
Perhaps a better avenue would be for game devs to sue the guy for posting key gen algorithm internals and other shit like that.
I think though that breaking both his legs and giving him a donkey punch (#3) or dirty sanchez (3rd from bottom) would be more fitting, and funnier.
-fren
"Where are we going, and why am I in this handbasket?"
Ok, so the guy says he tried contacting the company privately, and no one answered him.
I still don't see why that's perceived as the go-ahead to provide the world with his exploit programs.
It stinks of threats and extortion to me. e.g. "Fix this right now and give me credit for finding it, or I'll release it into the wild! haha!"
Did two wrongs start making a right?
The exploits I read were for the most part buffer overflows... Which are the result of improper bounds checking and just general sloppy coding. This has NOTHING TO DO with Gamespy's servers, and everything to do with their client software. The guy claims he informed them, they claim he didn't. If he did inform them, then tough luck. They deserve any negative publicity out of this. If he didn't inform them, then he needs to be dealt with.
Proof of concept code often is the only way to force a company to do something about its security problems... It's specifically because 12 year old script kiddies are exploiting the vulnerability that the company fixes it. Suing a security researcher for bringing this about is silly. Spend the money on fixing the problem, not on a Lawyer's retainer.
Maxim: People cannot follow directions.
Increases in truth directly with the length of time spent explaining them
Either he contacted them and offered to not disclose the bugs for money, or they are full of it.
Given that they aren't trying to get criminal proceedings started for blackmail charges, but instead trying to get him to remove exploits and reports for bugs they should have fixed a long time ago, Occam's razor does not cut in their favour.
The most likely explanation of his words is that they find being forced to fix bugs by full disclosure bug reports harassment. I have no sympathy for that.
First, it could be the code that GameSpy3D uses because that's entirely Joe, Tim and Jack. That's an entirely different product. That's Spy Software that holds the code itself, not GSI. It is hard to fix code you don't actually have!
Secondly, has he been giving them a chance to fix the code? Think about it, he's hacking a protocol that is nearly the same since Quake 2. That's how many engines you'd have to change to get a real fix in place. Hell, I have a friend who still plays Heretic 2 online! heh That's a lot of changes. So, I think they just want him to calm down while they fix the issues.
Finally, I will point out that Mark's nickname is Bastard, but he's not an entirely bad guy. He's been one of the few guys to survive the dotcombomb and not sell out completely. He has some business sense and is trying to protect his business. And a big chunk of his business is reliable internet servers and keeping people using his browser. Personally, I think the cause of reliable online gaming to be worth a 'stop a moment while we fix this stuff.'
Then again, I'm biased, I did run a server for four years for them.
Gonzo Granzeau
"Nothing the god of biomechanics wouldn't let you into heaven for.." -Roy Batty
I have no problem with the other things. If he figured out how to DDOS because of a gamespy bug, then that's just fine. That is definitely the kind of thing that people like him should be figuring out and sharing with everyone.
Project Steve
Oh, there's still plenty of theatrics and schoolyard idiocy (and the inevitable group that complains about same, launching interminable threads about what to do about it, introduce moderation, yadda yadda), BUT, that's what you inevitably get when you sign up for unmoderated full disclosure. I don't mind (and have filters to help) sifting the pearls from the shit; I recognise that others like yourself don't want to do this. I wouldn't suggest FD as a person's *only* source of security information and I would never claim that FD was the be-all end-all supreme list, just that I find it more useful than Bugtraq these days.
You're certainly right that potential subscribers should be aware that FD is high volume with less than outstanding signal-to-noise ratio.
My next sig will be ready soon, but subscribers can beat the rush
"Half-Life 1.1.1.0 client's "Unknown command" format string bug test 0.1 This is a tool to test a format string bug I have found in the Half-Life client. I have not released an advisory because at the moment I don't know if this bug lets remote code execution or not. Feel free to check it (in the zip file there is also the mail I have sent to vuln-dev that contains some details)"
In this case he's posting source for the exploitation of a bug before HE EVEN KNOWS WHAT THE BUG DOES. This makes me doubt how responsible he is in informing companies of bugs in their products. How about this changelog in the source of his UTDDos attack:
"CHANGELOG: - Now supports UT2003 servers!!! - better allocation method (now it's not limited, and the memory used is very very small!) - big code optimizations - a lot of bug fixes (libnet name resolution and other little problems)"
Why would these changes be necessary for a proof of concept? Sounds more like he wants anybody to be able to easily compile and use his programs to exploit not just UT servers, but UT2003 servers as well.
I think hackers should have as much restraint as possible in releasing "proof of concept" programs. Because really, what do these programs do? It does exactly what you are afraid people will do with the bug you found, exploit it. When you release that to the public, you are ENSURING that the bug will be exploited. Only in extreme cases should this be used to force a company to fix a bug, because at best the result is a brief period of time in which the bug is exploited widely, before the company fixes it. However, I think there is a serious risk of more harm being done in this period of time than would have ever been done if the proof of concept program had never been released, and the bug taken longer to be fixed or perhaps not fixed at all.
This guy is obviously not using proof of concept programs as a last resort. In fact, check out this comment:
"CD-Key hash changer for UnrealTournament 2003 v2225 for Win32 0.1 practically this proof-of-concept lets you to use a custom cd-key hash. The main idea was to find a cd-key theft bug but fortunally this bug doesn't exist so this tool can be considered only a test just for fun"
He wants people to use it "for fun"? What kind of white hat hacker releases a proof of concept program for "fun"? If I read this right, he was hoping to be able to steal CD keys with this, which he probably would have released as well. That would have been a huge mess, and is what I mean when I say there is serious risk of a concept program doing a lot more harm than good. So, it turns out it only lets you use other people's CD hashes, which you can get just from joining a game. This would allow you to steal someone's CD hash that you didn't like, and then go make a total ass of yourself on a server and get him banned. Sounds "fun" don't you think? Gamespy may not be my favorite company, but this guy gives hackers a bad name.