GameSpy Sends DMCA-Based C&D To Security Researcher
chowbok writes "Luigi Auriemma has found several security holes in GameSpy software over the past few months. He has reported them all to GameSpy but never got a response... until today, when he got a threatening letter from their lawyers. It says he's violating the DMCA, he needs to cease-and-desist, yadda yadda yadda." Update: 11/12 21:09 GMT by S : GameSpy has now posted an official response from the company's founder, Mark Surfas.
It is important to note that Luigi Auriemma is in fact an Italian citizen, and not a USian.
I didn't think it was possible, but my opinion of Gamespy just went even lower. If it wasn't for them hosting old Nodwick strips, they'd have no redeeming values at all.
I mean, let's face it, anyone who wants to exploit Gamespy's servers probably already knows how to do so, this guy's bug reports notwithstanding...
Kierthos
Mr. Hu is not a ninja.
One might think that notifying GameSpy about its security problems might be A Good Thing (R) because they could be fixed before being exploited. Just another reminder that, in the United States of America, no good deed goes unpunished.
There are two types of people: those prepared for the zombie apocalypse and those who will be eaten.
1) Nice to have another justification for moving security research out of the US. So Alan Cox isn't a paranoid raving nut, after all... unfortunately.
2) It doesn't look like he's taken down the stuff, yet. Mirror time?
Someday, you're going to die. Get over it.
It would be nice to have a list of all of them all in one place so I can make sure to never ever pay money to any organization that has used the DMCA against someone.
I know that in trademark cases, companies have to enforce their trademark or risk losing it (i.e. xerox, kleenex, rollerblade) - but is there any similar clause in the DMCA which dictates that corporations must send cease-and-desists instead of taking these suggestions seriously? That seems to be the standard method companies employ in these circumstances, and I was wondering if it was a legitimate legal issue, or lawyers just being, well, lawyers.
I think it also settles the question about full and limited disclosure. Limited disclosure is clearly a tool that allows lazy admins and developers to sit on their lazy asses while their company lawyers shoot the messengers.
What is needed now is an "official" infrastructure (mailing list/site/IRC channel/whatever) harboured somewhere with sensible laws and clearly geared toward transparent evaluation, discussion and discovery of security bugs in public software. Developers, admins and security experts welcomed, no matter the colour of their hats.
If users' computers are broken into as a result of not fixing known vulnerabilities, I wonder what kind of liability GameSpy would have under US tort law for being negligent.
Darthtuttle
Thought Architect
Also, he didn't do anything that relates remotely to encryption/copyright protection
Ironically, lawyers base some of their strategies on loopholes found in legislation. Hackers do the same thing with security flaws (loopholes) in software.
Is it fair for someone to use the loopholes in one system to attack someone that finds loopholes in another?
For some odd reason the formatting didn't paste into Slashdot... odd.
I have always been a frequent visitor of GameSpy websites, be it the GameSpy site itself or the Planet sites; I've also been a long-time FilePlanet subscriber. Yet this will cease to be the case forever now that I have been made aware of your recent C&D letter to a security researcher who was trying to help you fix the flaws in your software.
I'm outraged at your response for numerous reasons.
First of all, I would have thought that a company such as GameSpy is well aware of the issues of today and would find a document such as the DMCA to disagree with their views and those of its customers. I, like many if not most of your customers, feel that the DMCA is a troubled and over-reaching document that limits user rights, threatens research and lowers the need for true progress in the field of security.
Second, I am disgusted by your handling of security issues. If there are problems in your software then the way to fix them is with patches - not C&D letters. I would have expected GameSpy, a news site, to know that not once in the history of the DMCA has a C&D letter or even a full lawsuit ever fixed a security hole. Why attack the messenger?
And finally I am baffled by the fact that the person you have sent a C&D letter to has in fact notified you of the holes and means to fix them before posting them online. I do not see how suing somebody who has just done some valuable QA for you is justified. It's just absurd!
Imagine this: you are driving down the street in your car when all of a sudden the car behind you starts flashing its lights to get your attention, then pulls up to you and tells you that you're leaking gas. You, instead of thanking the driver for making you aware of the risk you are under, threaten him with a lawsuit because now that your gas leak has been noticed, somebody may light it.
This is what's happening now. You are attacking somebody who helped you. You are trying to keep your software secure by hiding its flaws. It's the same as the car with the gas leak; no matter how you hide it, it's still there and a spark can make it all blow up in your face.
Having said that, I will no longer be a customer of GameSpy, I will no longer visit any GameSpy affiliated site and I will contact every developer who promotes GameSpy services with their games to suggest using other services until some sort of public apology is offered to Luigi Auriemma.
Sincerely yours,
Google Toolbar is SPYWARE!
Hey man, there are technological fixes for these bugs. He is pointing out the weaknesses. On-line games aren't exactly critical infrastructure, but it is still important to know what the problems are so that they can be fixed or avoided in the future.
In any case, the DMCA is ridiculous here; he's not circumventing any technological measures, and there are no copyrighted works being accessed. The DMCA does not outlaw hacking.
How do you harass someone without contacting them?
-- MartinG To mail me: echo kewyjlcxyzvjfxbqwh | tr bcefhjklqvwxyz
Also, it's probably worth noting that incidents like this kill a company's credibility in the various security circles. So, on the upside, I now know to avoid GameSpy software, which should have their marketing people trying to figure out how to do damage control on this. Don't underestimate the power of being /.'d.
You never saw a fish on the wall with its mouth shut.
The guy's site is interesting. I liked this paragraph about UT2003:
Bush and Blair ate my sig!
As a loyal Gamespy user I was shocked/angered at your C&D letter to a bug finder. What you have managed to do is piss off a lot of people - some of which will probably now target these very vulnerabilities you've ignored for so long just because of your attitude.
The general sentiment on Slashdot is that the next time a hole in your software is found, it should just be anonymously published as a worm instead. God knows, no one wants to be sued, right? Using the DMCA and chasing after people like this is a waste of time and money (watch the futile attempts of the movie industry to control DeCSS as an example). Bottom line: FIX YOUR PRODUCT and STOP WHINING ABOUT IT.
I'm writing to other game manufacturers like EA who use your services to let them know just how dissatisfied/disgusted I am with you folks. I will never buy a product with your logo on it until I am certain you've corrected this issue appropriately.
BTW, what are we to think of a company who ignores bug reports from the wild - especially those that may concern the security of my system?
Not smart guys. Really.
"...Well, there's egg and bacon; egg sausage and bacon; egg and spam; egg bacon and spam; egg bacon sausage and spam..."
Your Cease and Desist letter to is utterly inappropriate. So, as a security analyst I'm going to take the next 5 minutes of your time to educate you as to what you did wrong, because we all know you'll do better in the future right?
1. Don't threaten us, we're trying to help you, contacting you quietly is a helluva lot better than say releasing the vulnerability into the wild first, but if you'd like to skip the contact step by sending things like cease-desist notices JUST SAY SO, as opposed to threatening us (see beginning of rule 1), we can move directly to putting the vulnerability into the wild.
2. Lawyers don't fix shoddy code, people do.
3. Please get your legal department a map (so that they can determine that the DMCA ISN'T the law of the land in Italy (it's this whole other place, right? and our laws don't apply there)).
4. Please explain in very short and simple words the difference between the GameSpy CLIENT and the GameSpy SERVER to your legal and executive department; clearly such simple concepts elude them.
5. geektools.com contains links to traceroute and whois programs to determine where on the internet various information is.
I would assume by this point you aren't particularly happy with me. So I'm going to let you in on a secret as to how to avoid such complaints from me again. It's very simple: treat us with respect when we protect your customers from you. Fix your bugs when we report them; they are YOUR RESPONSIBILITY. NEXT, send an APOLOGY letter to Luigi, just to show that you're good people and this was all a big mistake, because it was, right? Do these things and you will find the computer security analysts will be good friends of yours; they'll look out for you and make sure your software runs right for you. Do it not, and the entire community will tear your software apart, and post anything and everything anonymously to bugtraq. Your behavior, which borders on a legal fishing expedition to see what you can catch, is grossly inappropriate; please stop.
Ooh, and 1 meg PDFs sent via e-mail might in some circles be considered e-mail abuse; that doesn't engender much love for your company, and would potentially be grounds for a blacklisting.
Andrew D Kirch
Security Administrator
2mbit.com
Administrator
Abusive Hosts Blocking list
ahbl.org
trelane@2mbit.com
The really funny thing is that they are sending DMCA notices to a guy in Italy.
Jaysyn
There is a war going on for your mind.
I have been in and out of Bugtraq over the years, and it is pretty fine. But I was thinking of something more than a mailing list, probably a whole set of tools (site/irc/list/forums) geared toward the discovery, publicizing and reproduction of security problems.
Given the enormous teen audience such a beast would attract, I don't think it would even be possible to keep it up without the services of the very best moderators and the best security experts around. But then again, one may dream.
And then you have the geographic problem. Such a place would have to be hosted somewhere with very liberal laws and a government capable of resisting (and willing to resist) the vast pressure the targeted companies would put on it.
So, incredulously, he asks whether bug research is a criminal act and bug researchers criminals.
Unfortunately, the answer today in America is a simple "yes". That is, unless you feel like researching and then hoarding your findings.
A mild short-sightedness in the DMCA
I don't subscribe to the oft-held (here) view that computer hacking isn't a crime. It is. However, there is "white-hat" hacking, and that should NOT be illegal. But the DMCA makes no provision for white-hat hacking.
Imagine how different things might be if there were a provision in the case that:
1) A company has a clearly posted email address or bug submission system;
2) A person submits a bug as a "critical security issue", with exploit code if available;
3) The company has 60 days to respond with patches/updates;
4) After 60 days, the bug as posted verbatim can be considered public domain. Further disclosure or expounding on the bug by the instigator would not be allowed.
This protocol would provide a reasonable vehicle wherein a company can be notified of an issue and have a reasonable amount of time to correct it, and at the same time, the researcher has a clear CYA path to full disclosure for the public benefit.
Why don't we all push for *that*!?
I have no problem with your religion until you decide it's reason to deprive others of the truth.
Which would mean someone from Gamespy would have been reading his site for over a year to know he was "harassing" them, in which case, they would still know about the vulnerabilities, and still haven't moved to fix them.
Much like SCO's public statements, there is no way to spin this without looking worse. The only solution is to actually prove Luigi never, ever contacted Gamespy and that these vulnerabilities were completely unknown to the company's coders--and even then, it makes them look incompetent.
Woops.
Someday, you're going to die. Get over it.
About 90% of the posts prior to mine say something to the effect of, "If he hasn't contacted them, how could he have harassed them?" I think the objective thing to do is at least consider the fact that Gamespy could be telling the truth. Most posts related to this response are really dealing with semantics. This response from "Mark" was obviously almost casual in nature, so it's not a stretch to think that he may have accidentally contradicted himself with his words.
I admit that the way most of these things work out, it's likely that the company is in the wrong (not responding to bug disclosure and overreacting when the exploits get posted). But don't take everything you read on Slashdot as gospel.
Before you flame put yourself in the other guy's shoes, and before you mod me down consider if you're doing it because you disagree with me.
-- "Complacency is a far more dangerous attitude than outrage." -Naomi Littlebear
Sorry to reply to myself, but a thought just occurred to me. It's a rare thing, so I had to act on it. Okay, bear with me, this is liable to get a little bumpy.
If GSI doesn't actually own the code to Gamespy3D, merely owning the brand, and it is, in fact, the product in question, do they actually have the right to cite the DMCA in this case? I'm probably nuts for this, but hear me out...
If I have a brand and you have the technology, and I pay you a fee to sell your product under my branding without purchasing the technology itself, I still only own the brand, right? In other words, I'd only effectively be licensing the usage of your technology, but the ownership, and all rights thereof, remain in your hands? Presuming that's correct, if something or someone comes along and "threatens" that technology, but not the brand itself, as in this case, how can I assert the right to take any legal action in regards to said technology? I don't think the DMCA covers branding, so I would imagine this case has to be in explicit regards to the technology. Unless I was acting on official behalf of the owners of that technology, would I even have a leg to stand on? Isn't that like taking some guy to Judge Judy to sue him for kicking your vacationing neighbor's dog while you were babysitting it? The mind boggles.
Are there any lawyers that care to comment? It would be very interesting to see if the DMCA would still apply.
If I'm not making any sense (which, undoubtedly, I am not), please reply and let me know. I'll try to make some kind of sense out of it.
It goes from God, to Jerry, to me.