GameSpy Sends DMCA-Based C&D To Security Researcher
chowbok writes "Luigi Auriemma has found several security holes in GameSpy software over the past few months. He has reported them all to GameSpy but never got a response... until today, when he got a threatening letter from their lawyers. It says he's violating the DMCA, he needs to cease-and-desist, yadda yadda yadda." Update: 11/12 21:09 GMT by S : GameSpy has now posted an official response from the company's founder, Mark Surfas.
Always hating on the guy trying to enforce rigid security standards. Can't we all recognize that the only real harm caused would be by *not* reporting on these security holes? C&D letters only cause anti-corporate sentiment due to their rather accusatory tone. For shame. Good thing I don't use gamespy...
I'm not popular enough to be different.
Homer Simpson, The Simpsons
That's the sound of nobody being surprised.
Note for future reference: hackers, if you want someone to improve their security, don't go to the admin with your 'sploit, but anonymously release it into the wild. After all, the constant cease-and-desist letters _obviously_ say that that's what today's software companies want.
It is important to note that Luigi Auriemma is, in fact, an Italian citizen, and not a USian.
To the Gamespy Feedback Page
I didn't think it was possible, but my opinion of Gamespy just went even lower. If it wasn't for them hosting old Nodwick strips, they'd have no redeeming values at all.
I mean, let's face it, anyone who wants to exploit Gamespy's servers probably already knows how to do so, this guy's bug reports notwithstanding...
Kierthos
Mr. Hu is not a ninja.
quote: I'm 22 years old and I live in Milan district in Italy. The DMCA doesn't apply to him. Cease and desist this!
So, incredulously, he asks whether bug research is a criminal act and bug researchers criminals.
Unfortunately, the answer today in America is a simple "yes". That is, unless you feel like researching and then hoarding your findings.
mmm... yeah... You see, we're putting the cover sheets on all TPS reports now before they go out...
One might think that notifying GameSpy about its security problems might be A Good Thing (R) because they could be fixed before being exploited. Just another reminder that, in the United States of America, no good deed goes unpunished.
There are two types of people: those prepared for the zombie apocalypse and those who will be eaten.
Does the DMCA apply outside the US? How can this guy be breaking US and Federal law while carrying out his research in Milan, Italy? Chris
1) Nice to have another justification for moving security research out of the US. So Alan Cox isn't a paranoid raving nut, after all... unfortunately.
2) It doesn't look like he's taken down the stuff, yet. Mirror time?
Someday, you're going to die. Get over it.
It would be nice to have a list of all of them all in one place so I can make sure to never ever pay money to any organization that has used the DMCA against someone.
Publish all the exploits underground, as anonymously as possible. This way the exploits are in the wild and the sloppy code has to be _fixed_ instead of covered up with a mountain of legal manure.
This is not what GS wants, nor what they mean. It is, however, what they are apt to get. Had they thought (ha!) things through, this mistaken mistreatment of someone sending friendly warnings would not have occurred.
Hey, GS. Why not try shooting at the real target? You just hit your foot.
I'll never get it:
Those guys researching security flaws in your software are working for free for your company. You just saved some money for security audits...
Be grateful, perhaps offer them a contract for more research, but don't threaten them with lawsuits. Some people may not like it and won't contact you before spreading an exploit.
Tread softly because you tread on my dreams. -- Yeats
What better way to get your bugs known by every technically literate person on the planet than to send a C & D letter like this, leading to a reference that gets posted on Slashdot as a home page story?
I congratulate Gamespy on their great word-of-mouth campaign to get all of their exploitable bugs known by the widest possible audience...
The party of stupid and the party of evil get together and do something both stupid and evil, then call it bipartisan.
All his proof-of-concept exploits are on his website ... BUT, he did notify the company AND gave them lead time to fix each problem before publishing. Sounds like a perfectly responsible approach, similar to that used by university researchers here in the US.
I think it also settles the question about full and limited disclosure. Limited disclosure is clearly a tool that allows lazy admins and developers to sit on their lazy asses while their company lawyers shoot the messengers.
What is needed now is an "official" infrastructure (mailing list/site/IRC channel/whatever) harboured somewhere with sensible laws and clearly geared toward transparent evaluation, discussion and discovery of security bugs in public software. Developers, admins and security experts welcomed, no matter the colour of their hats.
Time to update my Smoked Company Instant Poll:
Who smoked the most crack in 2003?
(_) SCO
(_) Belkin
(_) Verisign
(_) *A (MPAA, RIAA, ARIA)
(_) GameSpy
(_) All of the above
Ceci n'est pas une signature
For some odd reason the formatting didn't paste into Slashdot...odd
I have always been a frequent visitor of Gamespy websites, be it the Gamespy site itself or the Planet sites; I've also been a long-time FilePlanet subscriber. Yet this will cease to be the case forever now that I have been made aware of your recent C&D letter to a security researcher who was trying to help you fix the flaws in your software.
I'm outraged at your response for numerous reasons.
First of all I would have thought that a company such as GameSpy is well aware of the issues of today and would find a document such as the DMCA to disagree with their views and those of its customers. I, like many if not most of your customers, feel that the DMCA is a troubled and overreaching document that limits user rights, threatens research and lowers the need for true progress in the field of security.
Second, I am disgusted by your handling of security issues. If there are problems in your software then the way to fix them is with patches - not C&D letters. I would have expected GameSpy, a news site, to know that not once in the history of the DMCA has a C&D letter or even a full lawsuit ever fixed a security hole. Why attack the messenger?
And finally I am baffled by the fact that the person you have sent a C&D letter to has in fact notified you of the holes and means to fix them before posting them online. I do not see how suing somebody who has just done some valuable QA for you is justified. It's just absurd!
Imagine this: you are driving down the street in your car when all of a sudden the car behind you starts flashing its lights to get your attention, then pulls up to you and tells you that you're leaking gas. You, instead of thanking the driver for making you aware of the risk you are under, threaten him with a lawsuit because now that your gas leak has been noticed, somebody may light it.
This is what's happening now. You are attacking somebody who helped you. You are trying to keep your software secure by hiding its flaws. It's the same as the car with the gas leak; no matter how you hide it, it's still there and a spark can make it all blow up in your face.
Having said that, I will no longer be a customer of GameSpy, I will no longer visit any GameSpy affiliated site and I will contact every developer who promotes GameSpy services with their games to suggest using other services until some sort of public apology is offered to Luigi Auriemma.
Sincerely yours,
Google Toolbar is SPYWARE!
I don't blame Gamespy at all. This jackass has basically enabled untold numbers of 12 year old pricks to tie up public game servers for their shallow amusement.
The general method of DoS he employs is not a "security flaw" but a byproduct of how multiplayer games are typically designed. You could theoretically do the same thing by going into an office and starting up a bunch of instances of the game on a bunch of PCs and logging into a server and leaving them there -- the "proofs of concept" that this guy Luigi wrote just automates this, simulating clients and hanging them.
The "problem" is that lots of games (hell, most network services of any kind) inherently require one TCP connection or UDP stream that stays alive throughout the entire multiplayer game and that begins with some authentication process, and most games only maintain a small number of slots (listening sockets).
Generous timeouts are also often needed to support spotty connections/freezes without disconnecting, so simply checking for timeouts might not help servers get past this issue. (However, maybe they could add some simple limit on how long a client can stay in the preliminary authentication/non-'playing' stages before booting them, requiring a prohibitively large amount of additional reverse engineering/sophistication to simulate a playing client.)
Getting around it will force game devs to play a stupid game of cat and mouse and to implement complicated challenge/response and other antispoofing mechanisms (IP banning, timeouts, etc.) -- time that could be, and ought to be spent on making fun games.
Too bad that Gamespy invoked the DMCA but that's probably the only legal leg they can stand on. Furthermore, Gamespy has nothing to do with the implementation of various game developers' servers.
Perhaps a better avenue would be for game devs to sue the guy for posting key gen algorithm internals and other shit like that.
I think though that breaking both his legs and giving him a donkey punch (#3) or dirty sanchez (3rd from bottom) would be more fitting, and funnier.
-fren
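The mitigation floated in the comment above (a short limit on the pre-authentication stage, kept separate from the generous in-game timeout), as an added example that is not part of the original thread or taken from any game's server code. The slot count, both time limits and all function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define MAX_SLOTS        4   /* constructed: tiny table for the demo */
#define HANDSHAKE_LIMIT  5   /* assumed: seconds allowed to finish authentication */
#define IDLE_LIMIT       60  /* assumed: generous timeout for real players */

enum state { FREE, HANDSHAKE, PLAYING };
struct slot { enum state st; long joined; long last_seen; };
static struct slot slots[MAX_SLOTS];

void slots_reset(void) { memset(slots, 0, sizeof slots); }

/* Free stalled handshakes quickly; free silent players only after IDLE_LIMIT. */
int slots_sweep(long now) {
    int evicted = 0;
    for (int i = 0; i < MAX_SLOTS; i++) {
        struct slot *s = &slots[i];
        int stale = (s->st == HANDSHAKE && now - s->joined > HANDSHAKE_LIMIT) ||
                    (s->st == PLAYING && now - s->last_seen > IDLE_LIMIT);
        if (stale) { s->st = FREE; evicted++; }
    }
    return evicted;
}

/* New connection: returns the slot index, or -1 when the server is full. */
int slot_accept(long now) {
    slots_sweep(now);
    for (int i = 0; i < MAX_SLOTS; i++) {
        if (slots[i].st == FREE) {
            slots[i] = (struct slot){ HANDSHAKE, now, now };
            return i;
        }
    }
    return -1;
}

/* Authentication finished in time: the slot moves to the generous timeout. */
int slot_authenticated(int i, long now) {
    if (i < 0 || i >= MAX_SLOTS || slots[i].st != HANDSHAKE) return -1;
    if (now - slots[i].joined > HANDSHAKE_LIMIT) { slots[i].st = FREE; return -1; }
    slots[i].st = PLAYING;
    slots[i].last_seen = now;
    return 0;
}

/* Game traffic from an authenticated player refreshes its idle timer. */
void slot_packet(int i, long now) {
    if (i >= 0 && i < MAX_SLOTS && slots[i].st == PLAYING) slots[i].last_seen = now;
}

int main(void) {
    slots_reset();
    slot_authenticated(slot_accept(0), 1);           /* one real player */
    for (int i = 0; i < 3; i++) slot_accept(2);      /* clients that never authenticate */
    printf("join at t=3 -> %d\n", slot_accept(3));   /* table still full */
    printf("join at t=8 -> %d\n", slot_accept(8));   /* stalled handshakes expired */
    return 0;
}
```

The authenticated player keeps its slot through a long silence, while connections that never finish the handshake lose theirs after a few seconds.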
"Where are we going, and why am I in this handbasket?"
The sort of street cred you get for having javascript errors on your site? I hear that's how these young punks rebel against their elders these days. It's the programmer's equivalent to wearing pants around your knees.
It's nothing but crumpled porno and Ayn Rand.
FYI, He is being tried under Norwegian law, nothing to do with the US DMCA. Look at This link. I know it is being appealed but this is the status now.
Help fight continental drift.
On March 28th, Italy implemented the EU copyright directive, which is modeled after the DMCA, but with fewer exemptions. All 15 EU members were supposed to adopt this by last December, but only a handful of countries have done it yet. The UK just became the sixth to adopt.
How did I get so interested in the DMCA? I recently interfaced the Ritz disposable digital camera to my computer, and didn't like how the DMCA has been used to stifle competition.
Text of the EUCD (EU copyright directive)
HIV Crosses Species Barrier... into Muppets
Yesterday,
Algorithms programmed in any way
Now it looks as though there's liabilit-ay
And, it's 'cause of the D-M-C-A
Suddenly,
I'm not allowed to speak in C
There's a shadow hanging over me
Oh how D-M-C-A makes silence be
How some bits do flow, you can't know,
We couldn't say
I said something wrong
now I'm among, law D-M-C-A-ay-ay-ay
Yesterday,
"code" was such an easy game to play
Now I need a place to hide away
And, it's 'cause of the D-M-C-A
Young man, you've been writing some code, I said,
Young man, think it ought to be showed, I said,
Young man, but what you shoulda knowed, is some
Things... must... be... left... un-said
Young man, there's a law that's been passed, I said,
Young man, we hoped it wouldn't last, but now,
Young man, if you break it, your ass will be
Hauled... a-way... to... Club Fed
We cannot stay with the DMCA
Get hauled away with the DMCA
You cannot circumvent
Any music or book
Can't even let your kid take a look
That's why we're flamin' the DMCA
Our guy was framed on the DMCA
The Man gives us rules
That we've got to obey
But encryption just gets in the waaaaaay...
Young man, there's no need to feel down, I said,
Young man, hide yourself underground, I said,
Young man, 'cause the Feds are in town, you know,
There's no place you can hide,
Young man, there's no place you can go, I said,
Young man, when they don't like your code, if you
Stay here, I am sure you will find
That you haven't got no more time.
(chorus)
You sir, I hope you understand, we're im-
Pa-tient, hope the Feds free our man, but no-
Bo-dy... can resist our demand, we'll shout
Til... they... free... D-mi-try
Dima's... fate lies in our own hands, so please
Help us... make them meet our demands, so call
D.C., make them send this young man, back to
His... own... home... and... fam'ly
(chorus)
Your Cease and Desist letter to is utterly inappropriate. So, as a security analyst I'm going to take the next 5 minutes of your time to educate you as to what you did wrong, because we all know you'll do better in the future right?
1. Don't threaten us, we're trying to help you, contacting you quietly is a helluva lot better than say releasing the vulnerability into the wild first, but if you'd like to skip the contact step by sending things like cease-desist notices JUST SAY SO, as opposed to threatening us (see beginning of rule 1), we can move directly to putting the vulnerability into the wild.
2. Lawyers don't fix shoddy code, people do.
3. please get your legal department a map (so that they can determine that the DMCA ISN'T the law of the land in Italy (it's this whole other place, right? and our laws don't apply there)).
4. please explain in very short and simple words the difference between the gamespy CLIENT, and the gamespy SERVER to your legal and executive department, clearly such simple concepts elude them.
5. geektools.com contains links to traceroute, and whois programs to determine where on the internet various information is.
I would assume by this point you aren't particularly happy with me. So I'm going to let you in on a secret as to how to avoid such complaints from me again. It's very simple, treat us with respect when we protect your customers from you. Fix your bugs when we report them, they are YOUR RESPONSIBILITY. NEXT, send an APOLOGY letter to Luigi, just to show that you're good people and this was all a big mistake, because it was right? Do these things and you will find the computer security analysts will be good friends of yours, they'll look out for you and make sure your software runs right for you. Do it not, and the entire community will tear your software apart, and post anything and everything anonymously to bugtraq. Your behavior which borderlines on a legal fishing expedition to see what you can catch is grossly inappropriate, please stop.
Ooh and 1 meg pdf's sent via e-mail might in some circles be considered e-mail abuse, that doesn't engender much love for your company, and would potentially be grounds for a blacklisting.
Andrew D Kirch
Security Administrator
2mbit.com
Administrator
Abusive Hosts Blocking list
ahbl.org
trelane@2mbit.com
The exploits I read were for the most part buffer overflows... Which are the result of improper bounds checking and just general sloppy coding. This has NOTHING TO DO with Gamespy's servers, and everything to do with their client software. The guy claims he informed them, they claim he didn't. If he did inform them, then tough luck. They deserve any negative publicity out of this. If he didn't inform them, then he needs to be dealt with.
Proof of concept code often is the only way to force a company to do something about its security problems... It's specifically because 12 year old script kiddies are exploiting the vulnerability that the company fixes it. Suing a security researcher for bringing this about is silly. Spend the money on fixing the problem, not on a Lawyer's retainer.
Maxim: People cannot follow directions.
Increases in truth directly with the length of time spent explaining them
"Half-Life 1.1.1.0 client's "Unknown command" format string bug test 0.1 This is a tool to test a format string bug I have found in the Half-Life client. I have not released an advisory because at the moment I don't know if this bug lets remote code execution or not. Feel free to check it (in the zip file there is also the mail I have sent to vuln-dev that contains some details)"
In this case he's posting source for the exploitation of a bug before HE EVEN KNOWS WHAT THE BUG DOES. This makes me doubt how responsible he is in informing companies of bugs in their products. How about this changelog in the source of his UTDDos attack:
"CHANGELOG: - Now supports UT2003 servers!!! - better allocation method (now it's not limited, and the memory used is very very small!) - big code optimizations - a lot of bug fixes (libnet name resolution and other little problems)"
Why would these changes be necessary for a proof of concept? Sounds more like he wants anybody to be able to easily compile and use his programs to exploit not just UT servers, but UT2003 servers as well.
I think hackers should have as much restraint as possible in releasing "proof of concept" programs. Because really, what do these programs do? It does exactly what you are afraid people will do with the bug you found, exploit it. When you release that to the public, you are ENSURING that the bug will be exploited. Only in extreme cases should this be used to force a company to fix a bug, because at best the result is a brief period of time in which the bug is exploited widely, before the company fixes it. However, I think there is a serious risk of more harm being done in this period of time than would have ever been done if the proof of concept program had never been released, and the bug taken longer to be fixed or perhaps not fixed at all.
This guy is obviously not using proof of concept programs as a last resort. In fact, check out this comment:
"CD-Key hash changer for UnrealTournament 2003 v2225 for Win32 0.1 practically this proof-of-concept lets you to use a custom cd-key hash. The main idea was to find a cd-key theft bug but fortunally this bug doesn't exist so this tool can be considered only a test just for fun"
He wants people to use it "for fun"? What kind of white hat hacker releases a proof of concept program for "fun"? If I read this right, he was hoping to be able to steal CD keys with this, which he probably would have released as well. That would have been a huge mess, and is what I mean when I say there is serious risk of a concept program doing a lot more harm than good. So, it turns out it only lets you use other people's CD hashes, which you can get just from joining a game. This would allow you to steal someone's CD hash that you didn't like, and then go make a total ass of yourself on a server and get him banned. Sounds "fun" don't you think? Gamespy may not be my favorite company, but this guy gives hackers a bad name.