GameSpy Sends DMCA-Based C&D To Security Researcher

chowbok writes "Luigi Auriemma has found several security holes GameSpy software over the past few months. He has reported them all to GameSpy but never got a response... until today, when he got a threatening letter from their lawyers. It says he's violating the DMCA, he needs to cease-and-desist, yadda yadda yadda." Update: 11/12 21:09 GMT by S : GameSpy has now posted an official response from the company's founder, Mark Surfas.

Send some love

[Del+Vach]

To the Gamespy Feedback Page

Re:Send some love

[HunterWare]

In response to an email my email I got the prompt response:

(SNIP)
Hi Hunter -

Unfortunately, he's not telling the truth. What is happening is simply attempted extortion. He didn't contact us, never has, and has been harassing us for over a year.

Mark
(/SNIP)

Re:Send some love

[mbbac]

How is he harassing them if he hasn't contacted them?

DMCA Wall O' Shame

[pclminion]

Is there a site out there like a "Wall of Shame" where we can go to see a list of fuckheads who have C&D'd people using the DMCA as a threat?

It would be nice to have a list of all of them all in one place so I can make sure to never ever pay money to any organization that has used the DMCA against someone.

Message rec'd. Loud and clear.

Publish all the exploits underground, as anonymously as possible. This way the exploits are in the wild and the sloppy code has to _fixed_ instead of covered up with a mountain of legal manure.

This is not what GS wants, nor what they mean. It is, however, what they are apt to get. Had they thought (ha!) things through this mistaken mistreatment of someone sending friendly warnings would not have occured.

Hey, GS. Why not try shooting at the real target? You just hit your foot.

Re:Hear that?

[GoofyBoy]

> anonymously release it into the wild

Unfortunately thats what is going to happen.

A "nice" person would contact the company and inform them before it becomes a note-worthy problem. But what do these "nice" people get? A threat from lawyers.

So the alternative is to release something that would create a note-worthy problem, and due to media/customer base screaming, fix the problem.

Its a shame that it is coming to this. This use of the DMCA is turing "nice" people into "not-so nice" people.

Gamespy does a good job publicizing their bugs...

[_Sharp'r_]

What better way to get your bugs known by every technically literate person on the planet than to send a C & D letter like this, leading to a reference that gets posted on Slashdot as a home page story?

I congratulate Gamespy on their great word-of-mouth campaign to get all of their exploitable bugs known by the widest possible audience...

Think for a second before you take his side...

[James+Lewis]

It seems most of the posts here take the side of the "hacker" which isn't surprising given this is Slashdot. But if you go look at his site, he is posting working source for DDos attacks for various games and exploits. Here is one description:

"Half-Life 1.1.1.0 client's "Unknown command" format string bug test 0.1 This is a tool to test a format string bug I have found in the Half-Life client. I have not released an advisory because at the moment I don't know if this bug lets remote code execution or not. Feel free to check it (in the zip file there is also the mail I have sent to vuln-dev that contains some details)"

In this case he's posting source for the exploitation of a bug before HE EVEN KNOWS WHAT THE BUG DOES. This makes me doubt how responsible he is in informing companies of bugs in their products. How about this changelog in the source of his UTDDos attack:

"CHANGELOG: - Now supports UT2003 servers!!! - better allocation method (now it's not limited, and the memory used is very very small!) - big code optimizations - a lot of bug fixes (libnet name resolution and other little problems)"

Why would these changes be necessary for a proof of concept? Sounds more like he wants anybody to be able to easily compile and use his programs to exploit not just UT servers, but UT2003 servers as well.

I think hackers should have as much restraint as possible in releasing "proof of concept" programs. Because really, what do these programs do? It does exactly what you are afraid people will do with the bug you found, exploit it. When you release that to the public, you are ENSURING that the bug will be exploited. Only in extreme cases should this be used to force a company to fix a bug, because at best the result is a brief period of time in which the bug is exploited widely, before the company fixes it. However, I think there is a serious risk of more harm being done in this period of time than would have ever been done if the proof of concept program had never been released, and the bug taken longer to be fixed or perhaps not fixed at all.

This guy is obviously not using proof of concept programs as a last resort. In fact, check out this comment:

"CD-Key hash changer for UnrealTournament 2003 v2225 for Win32 0.1 practically this proof-of-concept lets you to use a custom cd-key hash. The main idea was to find a cd-key theft bug but fortunally this bug doesn't exist so this tool can be considered only a test just for fun"

He wants people to use it "for fun"? What kind of white hat hacker releases a proof of concept program for "fun"? If I read this right, he was hoping to be able to steal CD keys with this, which he probably would have released as well. That would of been a huge mess, and is what I mean when I say there is serious risk of a concept program doing a lot more harm than good. So, it turns out it only lets you use other people's CD hashes, which you can get just from joining a game. This would allow you to steal someone's CD hash that you didn't like, and then go make a total ass of yourself on a server and get him banned. Sounds "fun" don't you think? Gamespy may not be my favorite company, but this guy give hackers a bad name.