Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Censorship Security Your Rights Online Entertainment Games

GameSpy Sends DMCA-Based C&D To Security Researcher 479

chowbok writes "Luigi Auriemma has found several security holes GameSpy software over the past few months. He has reported them all to GameSpy but never got a response... until today, when he got a threatening letter from their lawyers. It says he's violating the DMCA, he needs to cease-and-desist, yadda yadda yadda." Update: 11/12 21:09 GMT by S : GameSpy has now posted an official response from the company's founder, Mark Surfas.
This discussion has been archived. No new comments can be posted.

GameSpy Sends DMCA-Based C&D To Security Researcher

Comments Filter:
  • by HebrewToYou ( 644998 ) on Wednesday November 12, 2003 @12:45PM (#7454530)
    Always hating on the guy trying to enforce rigid security standards. Can't we all recognize that the only real harm caused would be by *not* reporting on these security holes. C&D letters only cause anti-corporate sentiment due to their rather accusatory tone. For shame. Good thing I don't use gamespy...
    • by HeX314 ( 570571 )
      Ironically, lawyers base some of their strategies on loopholes found in legislation. Hackers do the same thing with security flaws (loopholes) in software.

      Is it fair for someone to use the loopholes in one system to attack someone that finds loopholes in another?
      • Except, if you reversed what the lawyers and people like this guy are doing, the lawyers would turn into malicious attackers EXPLOITING the problems in the software and the guy doing the security research would turn into judges or lawmakers trying to plug the problem in the law.

        Just confirmation that corporate lawyers really are hellspawned demons, that's all.

  • Hear that? (Score:4, Insightful)

    by Pxtl ( 151020 ) on Wednesday November 12, 2003 @12:46PM (#7454537) Homepage
    That's the sound of nobody being surprised.

    Note for future reference: hackers, if you want someone to improve their security, don't go to the admin with your 'sploit, but anonymously release it into the wild. After all, the constant cease-and-decist letters _obviously_ say that that's what today's software companies want.
    • Just following Microsoft's lead with the tried-and-true security-by-obscurity method.
    • Re:Hear that? (Score:5, Insightful)

      by GoofyBoy ( 44399 ) on Wednesday November 12, 2003 @12:54PM (#7454652) Journal
      > anonymously release it into the wild

      Unfortunately thats what is going to happen.

      A "nice" person would contact the company and inform them before it becomes a note-worthy problem. But what do these "nice" people get? A threat from lawyers.

      So the alternative is to release something that would create a note-worthy problem, and due to media/customer base screaming, fix the problem.

      Its a shame that it is coming to this. This use of the DMCA is turing "nice" people into "not-so nice" people.
      • Re:Hear that? (Score:4, Interesting)

        by IA-Outdoors ( 715597 ) on Wednesday November 12, 2003 @01:28PM (#7455038)
        Also, it's probably worth noting that incidents like this kill a companies credibility in the various security circles. So, on the upside, I now know to avoid GameSpy software which should have their marketing people trying to figure out how to do damage control on this. Don't underestimate the power of being /.'d
    • Full disclosure wins (Score:5, Interesting)

      by Pac ( 9516 ) <paulo...candido@@@gmail...com> on Wednesday November 12, 2003 @12:58PM (#7454695)
      I think it also settles the question about full and limited disclosure. Limited disclosure is clearly a tool that allows lazy admins and developers to sit on their lazy asses while their company lawyers shoot the messengers.

      What is needed now is an "official" infrastructure (mailing list/site/IRC channel/whatever) harboured somewhere with sensible laws and clearly geared toward transparent evaluation, discussion and discovery of security bugs in public software. Developers, admins and security experts welcomed, no matter their colour of their hats.
      • by EZmagz ( 538905 ) on Wednesday November 12, 2003 @01:11PM (#7454865) Homepage
        Just curious, but didn't you just describe Bugtraq? Granted, Securityfocus got bought out by Symantic IIRC, so there's the whole "do we REALLY trust them?" bit, but still...I've always seen Bugtraq as a reasonably-moderated open forum for new bugs, exploits, and discussion. Although it would be pretty neat to see something hosted offshore from the US with the primary goal being to bring the ruckus via full disclosure. Honestly, I'm surprised nobody has done this yet, with the main banner saying "What The DMCA Doesn't Want You To Know!".
  • Not a US citizen (Score:3, Interesting)

    by Anonymous Coward on Wednesday November 12, 2003 @12:46PM (#7454538)
    It is important to note that Luigi Auriema is in fact, an Italian citizen, and not a USian
  • Mirror (Score:2, Informative)

    by ms139us ( 723585 )
  • takes care of any GameSpy street cred, right?

  • Send some love (Score:5, Insightful)

    by Del Vach ( 449393 ) on Wednesday November 12, 2003 @12:47PM (#7454563)
    To the Gamespy Feedback Page [gamespy.com]
    • To the Gamespy Feedback Page

      Thanks. I used it to tell GameSpy that I found their actions reprehensible.

      To everyone else reading this:
      • have you told GameSpy off too?
      • Or do you think GameSpy did the right thing?
      • Or are you just so apathetic you'll let anyone with a lawyer take your rights away?
    • Re:Send some love (Score:5, Informative)

      by HunterWare ( 128177 ) on Wednesday November 12, 2003 @01:18PM (#7454934)
      In response to an email my email I got the prompt response:

      (SNIP)
      Hi Hunter -

      Unfortunately, he's not telling the truth. What is happening is simply attempted extortion. He didn't contact us, never has, and has been harassing us for over a year.

      Mark
      (/SNIP)
      • Re:Send some love (Score:5, Insightful)

        by mbbac ( 568880 ) on Wednesday November 12, 2003 @01:25PM (#7455001)
        How is he harassing them if he hasn't contacted them?
      • Re:Send some love (Score:3, Interesting)

        by MartinG ( 52587 )
        How do you harass someone without contacting them?
      • Re:Send some love (Score:4, Informative)

        by apankrat ( 314147 ) on Wednesday November 12, 2003 @01:42PM (#7455207) Homepage

        Yeah, right.

        Harassing them with fully disclosed vulnerabilities [google.com],
        which would take under a day to patch even in case of the unimaginably
        horrible code ?
        • Re:Send some love (Score:5, Informative)

          by mcpkaaos ( 449561 ) on Wednesday November 12, 2003 @02:47PM (#7456020)
          There's one problem with your logic. To my knowledge, Gamespy still doesn't actually own the source to Gamespy3D, to which I believe these security holes refer. That codebase is owned by the original coders of Quakespy, the program that got the company started. The deal was: Surfas owned the brand, the coders owned the code. Never at any time could he talk them into selling it. That is the primary reason for the original development of Arcade - to bring ownership of some form of Gamespy software in- house.

          How do I know? I was one of the original coders at the company back when Arcade was just an idea tossed around the Tuesday morning staff meetings. And no, I didn't have much of a hand in Arcade, thankfully, so please don't put a pox on me.

          Of course, if this guy was pointing out holes in Arcade (to be honest, I couldn't tell from his website, it didn't seem 100% clear which product he was testing) - well, it's going to take *alot* more than a single day to fix.

          Not that you really want to know this, but Arcade was very tightly coupled to a stock MFC, App-Wizard generated Doc/View project, and didn't stray too far throughout its lifetime. In fact, by the time I left, most of the code was essentially layered on top of rather poorly implemented MFC classes. (Props, Walla!) It gets even uglier (like data and UI being completely interleaved), but I'll save you the anguish.

          Suffice it to say, you would be ill-advised to hold your breath while waiting for these issues to be fixed. Better to use the All Seeing Eye [udpsoft.com] instead. That's what I do. And this coming from a Gamespy stock holder! hehe.
          • Re:Send some love (Score:4, Interesting)

            by mcpkaaos ( 449561 ) on Wednesday November 12, 2003 @03:39PM (#7456658)
            Sorry to reply to myself, but a thought just occured to me. It's a rare thing, so I had to act on it. Okay, bear with me, this is liable to get a little bumpy.

            If GSI doesn't actually own the code to Gamespy3D, merely owning the brand, and it is, in fact, the product in question, do they actually have the right to cite the DMCA in this case? I'm probably nuts for this, but hear me out...

            If I have a brand and you have the technology, and I pay you a fee to sell your product under my branding without purchasing the technology itself, I still only own the brand, right? In other words, I'd only effectively be licensing the usage of your technology, but the ownership, and all rights thereof, remain in your hands? Presuming that's correct, if something or someone comes along and "threatens" that technology, but not the brand itself, as in this case, how can I assert the right to take any legal action in regards to said technology? I don't think the DMCA covers branding, so I would imagine this case has to be in explicit regards to the technology. Unless I was acting on official behalf of the owners of that technology, would I even have a leg to stand on? Isn't that like taking some guy to Judge Judy to sue him for kicking your vacationing neighbor's dog while you were babysitting it? The mind boggles.

            Are there any lawyers that care to comment? It would be very interesting to see if the DMCA would still apply.

            If I'm not making any sense (which, undoubtedly, I am not), please reply and let me know. I'll try to make some kind of sense out of it.
      • Re:Send some love (Score:5, Interesting)

        by dboyles ( 65512 ) on Wednesday November 12, 2003 @02:50PM (#7456048) Homepage
        About 90% of the posts prior to mine say something to the effect of, "If he hasn't contacted them, how could he have harassed them?" I think the objective thing to do is at least consider the fact that Gamespy could be telling the truth. Most posts related to this response are really dealing with semantics. This response from "Mark" was obviously almost casual in nature, so it's not a stretch to think that he may have accidentally contradicted himself with his words.

        I admit that the way most of these things work out, it's likely that the company is in the wrong (not responding to bug disclosure and overreacting when the exploits get posted). But don't take everything you read on Slashdot as gospel.

        Before you flame put yourself in the other guy's shoes, and before you mod me down consider if you're doing it because you disagree with me.
        • This response from "Mark" was obviously almost casual in nature, so it's not a stretch to think that he may have accidentally contradicted himself with his words.

          Well, then he went and contradicted himself in the official response as well:

          Unfortunately, he's not telling the truth. What is happening is simply attempted extortion. He didn't contact us, never has, and has been harassing us for over a year.

          At first we welcomed his bug alerts. We responded to him immediately and thanked him for his bug re
    • by fahrvergnugen ( 228539 ) <fahrv@hotmail.cDALIom minus painter> on Wednesday November 12, 2003 @01:28PM (#7455026) Homepage
      Thanks for the link! Here's what I sent them:

      I read with great interest a news article about Gamespy siccing its lawyer brigade on an Italian security researcher who, after making good-faith efforts to make Gamespy aware of its security shortcomings and receiving no response, went public with the exploits he found.

      It's a pity you're so short-sighted. Now, instead of working with a co-operative third party researcher willing to perform QA on your product for free, you instead face the prospect of having much more of this kind of attention being focused on your organization by some very, very clever individuals. Further, from now on, nobody's going to be stupid enough to tell you when they find an exploit. Instead, all of their findings will be released into the cracker underground, as anonymously as possible. In the future, when exploits are found for Gamespy's servers, Gamespy won't know until they've already been pwned.

      gg.

      Hear that? It's the sound of me uninstalling your software, calling all my friends and advising them to do the same, telling our ad-blocker software not to display your ads anymore, and then all of us getting out our credit cards so we can reward the fine people who created the All-Seeing Eye.

      Hope you enjoyed it, you had a pretty good run while it lasted.
    • As a loyal Gamespy user I was shocked/angered at your C&D letter to a bug finder. What you have managed to do is piss off a lot of people - some of which will probably now target these very vulnerabilities you've ignored for so long just because of your attitude.

      The general sentiment on Slashdot is that the next time a hole in your software is found, it should just be anonymously published as a worm instead. God knows, no one wants to be sued, right? Using the DMCA and chasing after people like this is
  • Wow (Score:4, Interesting)

    by Kierthos ( 225954 ) on Wednesday November 12, 2003 @12:48PM (#7454568) Homepage
    I didn't think it was possible, but my opinion of Gamespy just went even lower. If it wasn't for them hosting old Nodwick strips, they'd have no redeeming values at all.

    I mean, let's face it, anyone who wants to exploit Gamespy's servers probably already knows how to do so, this guy's bug reports notwithstanding...

    Kierthos
  • by HuggybearVT ( 576997 ) on Wednesday November 12, 2003 @12:48PM (#7454571) Homepage
    quote: I'm 22 years old and I live in Milan district in Italy. The DMCA doesn't apply to him. Cease and decist this!
  • by Corporate Drone ( 316880 ) on Wednesday November 12, 2003 @12:48PM (#7454574)
    From Gamespy's email: "In contrast to simply advising GameSpy of these vulnerabilities, by publishing this software to the world at large you are clearly facilitating the intentional crashing of GameSpy's server by others".

    so, incredulously, he asks whether bug research is a criminal act and bug researchers criminals.

    Unfortunately, the answer today in America is a simple "yes". that is, unless you feel like researching and then hoarding your findings.

    • Unfortunately, the answer today in America is a simple "yes". that is, unless you feel like researching and then hoarding your findings.

      Except for one tiny little nuance that the Gamespy lawyers seem to have missed: Luigi lives in Milan, Italy [altervista.org] and therefore is not subject to US law.

      Crispin
      ----
      Crispin Cowan, Ph.D.
      Chief Scientist, Immunix Inc. [immunix.com]

      • One tiny nuance? Ha! So tiny, that it's not even worth considering! GameSpy could just send some mercenary troops to go take care of him and his little oversight. After all, it must be terrorism! ON US SOIL! Luigi (where is mario?) deserves it, having the sick religious zealotry to attack not just one but multiple Americans with such relentless force... send in the troops.
    • so, incredulously, he asks whether bug research is a criminal act and bug researchers criminals.

      Unfortunately, the answer today in America is a simple "yes". that is, unless you feel like researching and then hoarding your findings.


      A mild short-sightedness in the DMCA

      I don't subscribe to the oft-held (here) view that computer hacking isn't a crime. It is. However, there is "white" hacking, and that should NOT be illegal. But, the DMCA makes no provision for white-hat hacking.

      Imagine how different thi
  • by the_ed_dawg ( 596318 ) on Wednesday November 12, 2003 @12:48PM (#7454578) Journal
    One might think that notifying GameSpy about its security problems might be A Good Thing (R) because they could be fixed before being exploited. Just another reminder that, in the United States of America, no good deed goes unpunished.
  • Comment removed (Score:3, Insightful)

    by account_deleted ( 4530225 ) on Wednesday November 12, 2003 @12:49PM (#7454586)
    Comment removed based on user account deletion
  • Now that the word is out, I bet someone will find their vulnerabilities on their own, and go one step further and exploit them. Then this guy willbe blamed for the whole thing.
  • Use ventrilo [ventrilo.com]. free and has a few different ports. My clan uses it when we play eve-online [eve-online.com]
  • by t0ny ( 590331 ) on Wednesday November 12, 2003 @12:49PM (#7454593)
    This is a highly stupid move on GameSpy's part.
    This guy wasnt posting his findings on the internet, or seeking publicity for himself; he was just using his skills to help out and try to improve GameSpy's product (and it needs all the help it can get, IMO).

    If you ignore security, it will go away...
  • implicitly implies that you should have found/fixed the flaws before releasing the software. Shutting up anyone that notes the security flaws you never noticed/corrected leaves you free to claim to have none. That's doublegood. By the way, they've raised the chocolate rations to 5 units.
  • Confused (Score:5, Insightful)

    by LizardKing ( 5245 ) on Wednesday November 12, 2003 @12:50PM (#7454600)
    Does the DMCA apply outside the US? How can this guy be breaking US and Federal law while carrying out his research in Milan, Italy? Chris
  • Use and abuse (Score:3, Insightful)

    by Space cowboy ( 13680 ) on Wednesday November 12, 2003 @12:50PM (#7454603) Journal
    From the article:

    "Bug research is a crime and bug researchers are criminals, didn't you know that?"

    I know he's being sarcastic, but how long until he's correct ?

    One more reason to despise the DMCA, I'm not even sure how it could apply - certainly the lawyer's reasons don't make any technical sense.

    Simon
    • I know he's being sarcastic, but how long until he's correct ?

      Just until the first prosecution sticks. It was almost Skylarov, but he got off, and "only" had to be incarcerated for a while, and was kept from his home country and family for 9 months.
  • by acomj ( 20611 ) on Wednesday November 12, 2003 @12:51PM (#7454608) Homepage
    Laws are really needed to help protect people conducting security research and find problems and reporting them without doing anything malicious.

    Having hackers poking and proding makes everything more secure ("So the first woodpecker to come along doesn't destroy civilization").

    The only one winning here seem to be the lawyers.
  • Two things (Score:3, Interesting)

    by Platinum Dragon ( 34829 ) on Wednesday November 12, 2003 @12:51PM (#7454610) Journal
    1) Nice to another another justification for moving security research out of the US. So Alan Cox isn't a paranoid raving nut, after all... unfortunately.

    2) It doesn't look like he's taken down the stuff, yet. Mirror time?
  • DMCA Wall O' Shame (Score:5, Interesting)

    by pclminion ( 145572 ) on Wednesday November 12, 2003 @12:51PM (#7454615)
    Is there a site out there like a "Wall of Shame" where we can go to see a list of fuckheads who have C&D'd people using the DMCA as a threat?

    It would be nice to have a list of all of them all in one place so I can make sure to never ever pay money to any organization that has used the DMCA against someone.

    • by chowbok ( 467829 ) on Wednesday November 12, 2003 @01:01PM (#7454731) Homepage
      This isn't exactly what you want, but I think you'll find it of interest:
      Chilling Effects [chillingeffects.org]
    • I believe they collect DCMA supoenas:

      http://www.chillingeffects.org/dmca-sub/ [chillingeffects.org]
      • Yeah, I knew about Chilling Effects. But their presentation isn't quite what I am thinking of. I'm thinking more of a very simple page with a simple three-column list of organizations. No commentary or anything like that. A simple "Wall of Shame."

        If I had the bandwidth to do it, I'd start one up myself. Unfortunately that's not possible right now... And it's definitely the type of site that would be Slashdotted eventually, and why the hell would I want to bring THAT shitstorm down on myself? ;-)

    • see a list of fuckheads who have C&D'd people using the DMCA as a threat?

      ChillingEffects.org [chillingeffects.org]

    • It's not just the fact that they're using the DMCA like this, it's also that they don't care about the integrity of their software. They're basically saying "we'd rather not have you help us, for free even, because we care more about our image and will do anything to keep people from finding bad things about our product."

      Seriously, if they don't care enough about their security to appreciate the bug reports, what do I, the potential customer, think about how much they care about other aspects of their sof
  • by mdemeny ( 35326 ) on Wednesday November 12, 2003 @12:52PM (#7454620) Homepage
    I know what in trademark cases, companies have to enforce their trademark or risk losing it (i.e. xerox, kleenex, rollerblade) - but is there any similar clause in the DMCA which dictates that corporations must send cease-and-desists instead of taking these suggestions seriously? That seems to be the standard method companies employ in these circumstances, and I was wondering if it was a legitimate legal issue, or lawyers just being, well, lawyers.
    • I'm sure there isn't anything in the letter of the law that says you have to be an asshat about dealing with independent bug reports. However, given the backers of and the intent behind the DMCA, being a jerk certainly fits with the spirit of the law...
  • Not surprising (Score:3, Insightful)

    by EZmagz ( 538905 ) on Wednesday November 12, 2003 @12:52PM (#7454626) Homepage
    Let's face it guys, this is the kind of corporate attitude everyone should expect from companies like Gamespy. In their mind it's far easier to send a C&D letter, citing the DMCA, to shut up someone who found found gaping holes in their products than it is to sit down and pay coders to actually FIX the problem. Keep in mind, I said "In their mind".

    "Good samaritan" acts like this tend not to go over well with companies when their products are on the line. They think we're just a bunch of reckless hackers trying to H4CK TEH PLAN3T! The thing they fail to realize is that by shutting up honest people like this via the DMCA and unleashing lawyers on white hats, then the only people left WILL be the bad guys. And frankly, I'd like to see some black hats get nasty on companies like this. This DMCA bullshit is getting tiring.

  • by Anonymous Coward on Wednesday November 12, 2003 @12:53PM (#7454638)
    Publish all the exploits underground, as anonymously as possible. This way the exploits are in the wild and the sloppy code has to _fixed_ instead of covered up with a mountain of legal manure.

    This is not what GS wants, nor what they mean. It is, however, what they are apt to get. Had they thought (ha!) things through this mistaken mistreatment of someone sending friendly warnings would not have occured.

    Hey, GS. Why not try shooting at the real target? You just hit your foot.
  • by Just-A-Buck ( 695477 ) on Wednesday November 12, 2003 @12:55PM (#7454654)
    I'll never get it:

    Those guys researching security flaws in your software are working for free for your company. You just saved some money for security audits...
    Be grateful, perhaps offer them a contract for more research, but don't threaten them with lawsuits. Some people may not like it and won't contact you before spreading an exploit.
    • You know, this guy was probably researching these bugs because he actually likes and wants to use Gamespy's software (I'm betting it started with Roger Wilco for him). Not only was he their customer, but he was also their fan. He took his own time and donated it to help them create decent and reliable software. People this helpful are rare and should be encouraged. If this man were my customer, I'd be thanking him for the help and talking to him about how he worked on it. I'm no fan of what GS has become, b
  • What better way to get your bugs known by every technically literate person on the planet than to send a C & D letter like this, leading to a reference that gets posted on Slashdot as a home page story?

    I congratulate Gamespy on their great word-of-mouth campaign to get all of their exploitable bugs known by the widest possible audience...
  • I think... (Score:3, Insightful)

    by mgcsinc ( 681597 ) on Wednesday November 12, 2003 @12:56PM (#7454664)
    I think the issue here is much less one of the right to publish and to speak, though of course in the end that will always be most important. This story is really one for universal concern because it exposes the way in which companies like Gamespy are spelling their own death by sending out these letters. It is publicly revealed information that inspires companies to take security seriously and act quickly toward hole-patching. There should be no doubt in anyone's mind that this information will be disseminated irregardless of its wide publication, and so challenges to security will still happen. Is it not in everyone's best interest that change-motivating embarrassing public releases of information like this be allowed? And plus, doesn't the even wider attention which a company stands to garner by sending out C&D's to avid exposers of flaws like this make them completely worthless?
  • Chilling Effects... (Score:3, Informative)

    by Misch ( 158807 ) on Wednesday November 12, 2003 @12:56PM (#7454672) Homepage
    Don't forget to report the letter to CHilling Effects [chillingeffects.org]
  • by Sheetrock ( 152993 ) on Wednesday November 12, 2003 @12:57PM (#7454677) Homepage Journal
    I grew up during the times when security research was all to the good, when companies actually rewarded individuals who took time out of their days to research, document, and reveal flaws in products to them.

    But it looks like the economic incentive to cover up rather than fix makes the concept of welcome full disclosure a myth akin in proportion to the commonly-misheld belief that chopsticks of course originated in Asia. Interesting story: the recently uncovered truth of the matter is that they were actually designed as a gimmick by immigrants cooking in American mining communities in the 1800s and later carried back to Asia as a less resource-intensive means of preparing and serving food. Ironically, the U.S. is the largest exporter of chopsticks, with something like 3% of U.S. lumber production going towards the effort to supply Asia, where chopstick use grew to outstrip other utensils within the last century.

    The point is that when you look at the bigger picture, you realize that there is an economic disincentive to do the right thing; or rather, an incentive to do whatever it takes to improve the bottom line. I think it's unfortunate that they're choosing to punish an individual that was trying to help, and that it's this sort of attitude that drives good hackers underground. When code is owned by outlaws, only outlaws own the code.

  • Why Use Gamespy (Score:2, Informative)

    by RancidLM ( 723035 )
    i haven't used Game spy in years... in my view its nothing but Addware every where... My best advice for every one is Stop using it and goto Kali
    www.kali.net
    I have been using it for years.. and its the best Gaming comunity every...
  • Companies foolishly think that just becuase it is illegal to explore a product for security hole, this will somehow make the security holes go away.
  • I too must regretfully must send you a C&D letter base on the fact that your software violates DMCA laws by allowing unlawful access to copyrighted information stored on my computer and my network of computers. Until you can correct the programming errors in your software which allow this DMCA violation, I ask that you shut down all end user services provided by GameSpy.

    Thankyou and good riddance,
    HFC.

  • US Tort Law (Score:3, Interesting)

    by darthtuttle ( 448989 ) <meconlen@obfuscated.net> on Wednesday November 12, 2003 @12:59PM (#7454707) Homepage
    If users computers are broken in to as a result of not fixing known vulnerabilities I wonder what kind of liability GameSpy would have under US Tort law for being negligent.
  • ... GameSpy (and associated) are now off my use or recommend list. Any company not willing to take proper action about potential problems with their products and tells people who bring to light these problems to stop and go away, are not worth my dollar or time.
  • "No good deed goes unpunished."

    Really doesn't make you want to bother with preferential disclosure, does it?
  • Time to update my Smoked Company Instant Poll:

    Who smoked the most crack in 2003?

    (_) SCO
    (_) Belkin
    (_) Verisign
    (_) *A (MPAA, RIAA, ARIA)
    (_) GameSpy
    (_) All of the above

  • It belongs to Clinton. It's ugly, slimy, hairy, and it gets inserted in the most unlikely places.

    No, I'm not talking about his dick, you perv! I'm talking about the DMCA, President Clinton's personal gift [webopedia.com] to the IT world.

    Seriously, I have a problem here. My job is to make customers' IT systems work with my employer's product. It involves testing software and fixing bugs. It means poking into third-party products and trying to find potentially damaging flaws.

    If this becomes a crime, we IT grunts bett

  • With this sort of rediculous stuff going on, I figured someone should register fuckedcountry.com (as in fuckedcompany.com), and add the USA to it.

    Then, for a joke, I tried the URL.. [fuckedcountry.com]

    someone's already been there and done that.

  • What a dipshit (Score:4, Insightful)

    by frenetic3 ( 166950 ) <houstonNO@SPAMalum.mit.edu> on Wednesday November 12, 2003 @01:12PM (#7454872) Homepage Journal
    I don't blame Gamespy at all. This jackass has basically enabled untold numbers of 12 year old pricks to tie up public game servers for their shallow amusement.

    The general method of DoS he employs is not a "security flaw" but a byproduct of how multiplayer games are typically designed. You could theoretically do the same thing by going into an office and starting up a bunch of instances of the game on a bunch of PCs and logging into a server and leaving them there -- the "proofs of concept" that this guy Luigi wrote just automates this, simulating clients and hanging them.

    The "problem" is that lots of games (hell, most network services of any kind) inherently require one TCP connection or UDP stream that stays alive throughout the entire multiplayer game and that begin with some authentication process, and most games only maintain a small number of slots (listening sockets).

    Generous timeouts are also often needed to support spotty connections/freezes without disconnecting, so simply checking for timeouts might not help servers get past this issue. (However, maybe they could add some simple limit on how long a client can stay in the preliminary authentication/non-'playing' stages before booting them, requiring a prohibitively large amount of additional reverse engineering/sophistication to simulate a playing client.)

    Getting around it will force game devs to play a stupid game of cat and mouse and to implement complicated challenge/response and other antispoofing mechanisms (IP banning, timeouts, etc.) -- time that could be, and ought to be spent on making fun games.

    Too bad that Gamespy invoked the DMCA but that's probably the only legal leg they can stand on. Furthermore, Gamespy has nothing to do with the implementation of various game developers' servers.

    Perhaps a better avenue would be for game devs to sue the guy for posting key gen algorithm internals [altervista.org] and other shit like that.

    I think though that breaking both his legs and giving him a donkey punch (#3) or dirty sanchez (3rd from bottom) [drunkenwhores.com] would be more fitting, and funnier.

    -fren
    • Re:What a dipshit (Score:4, Interesting)

      by Tom7 ( 102298 ) on Wednesday November 12, 2003 @01:24PM (#7454983) Homepage Journal
      Hey man, there are technological fixes for these bugs. He is pointing out the weaknesses. On-line games aren't exactly critical infrastructure, but it is still important to know what the problems are so that they can be fixed or avoided in the future.
      In any case, the DMCA is ridiculous here; he's not circumventing any technological measures, and there are no copyrighted works being accessed. The DMCA does not outlaw hacking.
    • Narf? (Score:5, Insightful)

      by Chibi Merrow ( 226057 ) <mrmerrow@monkeyi ... t minus math_god> on Wednesday November 12, 2003 @02:11PM (#7455573) Homepage Journal
      The exploits I read were for the most part buffer overflows... Which are the result of improper bounds checking and just general sloppy coding. This has NOTHING TO DO with Gamespy's servers, and everything to do with their client software. The guy claims he informed them, they claim he didn't. If he did inform them, then tough luck. They deserve any negative publicity out of this. If he didn't inform them, then he needs to be dealt with.

      Proof of concept code often is the only way to force a company to do something about its security problems... It's specifically because 12 year old script kiddies are exploiting the vulnerability that the company fixes it. Suing a security researcher for bringing this about is silly. Spend the money on fixing the problem, not on a Lawyer's retainer.
  • Isn't that what really matters?

    I'm sure we'll find out that this was just a misunderstanding, and bugs are already being fixed.
  • by Dave21212 ( 256924 ) <dav@spamcop.net> on Wednesday November 12, 2003 @01:25PM (#7455000) Homepage Journal

    From the bottom of the page:
    Want to link to this message? Use this URL:
    Simple enough, eh ? The link in the story is currently not the recommended link...
  • by dark-br ( 473115 ) on Wednesday November 12, 2003 @01:32PM (#7455069) Homepage
    Yesterday,
    Algorithms programmed in any way
    Now it looks as though there's liabilit-ay
    And, it's 'cause of the D-M-C-A

    Suddenly,
    I'm not allowed to speak in C
    There's a shadow hanging over me
    Oh how D-M-C-A makes silence be

    How some bits do flow, you can't know,
    We couldn't say
    I said something wrong
    now I'm among, law D-M-C-A-ay-ay-ay

    Yesterday,
    "code" was such an easy game to play
    Now I need a place to hide away
    And, it's 'cause of the D-M-C-A

    • by dark-br ( 473115 ) on Wednesday November 12, 2003 @01:35PM (#7455095) Homepage
      Young man, you've been writing some code, I said,
      Young man, think it ought to be showed, I said,
      Young man, but what you shoulda knowed, is some
      Things... must... be... left... un-said

      Young man, there's a law that's been passed, I said,
      Young man, we hoped it wouldn't last, but now,
      Young man, if you break it, your ass will be
      Hauled... a-way... to... Club Fed

      We cannot stay with the DMCA
      Get hauled away with the DMCA

      You cannot circumvent
      Any music or book
      Can't even let your kid take a look

      That's why we're flamin' the DMCA
      Our guy was framed on the DMCA
      The Man gives us rules
      That we've got to obey
      But encryption just gets in the waaaaaay...

      Young man, there's no need to feel down, I said,
      Young man, hide yourself underground, I said,
      Young man, 'cause the Feds are in town, you know,
      There's no place you can hide,
      Young man, there's no place you can go, I said,
      Young man, when they don't like your code, if you
      Stay here, I am sure you will find
      That you haven't got no more time.

      (chorus)

      You sir, I hope you understand, we're im-
      Pa-tient, hope the Feds free our man, but no-
      Bo-dy... can resist our demand, we'll shout
      Til... they... free... D-mi-try

      Dima's... fate lies in our own hands, so please
      Help us... make them meet our demands, so call
      D.C., make them send this young man, back to
      His... own... home... and... fam'ly

      (chorus)
  • by skintigh2 ( 456496 ) on Wednesday November 12, 2003 @01:45PM (#7455237)
    Want to take over another user's identity, or just screw them in a ladder? Follow these simple steps:
    1) make a new user with the same username as your target
  • by trelanexiph ( 605826 ) on Wednesday November 12, 2003 @01:46PM (#7455255) Homepage
    Your Cease and Desist letter to is utterly inappropriate. So, as a security analyst I'm going to take the next 5 minutes of your time to educate you as to what you did wrong, because we all know you'll do better in the future right?
    1. Don't threaten us, we're trying to help you, contacting you quietly is a helluva lot better than say releasing the vulnerability into the wild first, but if you'd like to skip the contact step by sending things like cease-desist notices JUST SAY SO, as opposed to threatening us (see beginning of rule 1), we can move directly to putting the vulnerability into the wild.
    2. Lawyers don't fix shoddy code, people do.
    3. please get your legal department a map (so that they can determine that the DMCA ISNT the law of the land in Italy (it's this whole other place, right? and our laws don't apply there).
    4. please explain in very short and simple words the difference between the gamespy CLIENT, and the gamespy SERVER to your legal and executive department, clearly such simple concepts elude them.
    5. geektools.com contains links to traceroute, and whois programs to determine where on the internet various information is.
    I would assume by this point you aren't particularly happy with me. So I'm going to let you in on a secret as to how to avoid such complaints from me again. It's very simple, treat us with respect when we protect your customers from you. Fix your bugs when we report them, they are YOUR REPSONSIBILITY. NEXT, send an APOLOGY letter to Luigi, just to show that you're good people and this was all a big mistake, because it was right? Do these things and you will find the computer security analysts will be good friends of yours, they'll look out for you and make sure your software runs right for you. Do it not, and the entire community will tear your software apart, and post anything and everything anonymously to bugtraq. Your behavior which borderlines on a legal fishing expidition to see what you can catch is grossly inappropriate, please stop.
    Ooh and 1 meg pdf's sent via e-mail might in some circles be considered e-mail abuse, that doesn't engender much love for your company, and would potentially be grounds for a blacklisting.
    Andrew D Kirch
    Security Administrator
    2mbit.com
    Administrator
    Abusive Hosts Blocking list
    ahbl.org
    trelane@2mbit.com
  • by GoNINzo ( 32266 ) <<moc.oohay> <ta> <ozNINoG>> on Wednesday November 12, 2003 @03:40PM (#7456666) Journal
    I don't know about this because there are two ways to look at it.

    First, it could be the code that GameSpy3D uses because that's entirely Joe, Tim and Jack. That's an entirely different product. That's Spy Software that holds the code itself, not GSI. It is hard to fix code you don't actually have!

    Secondly, has he been giving them a chance to fix the code? Think about it, he's hacking a protocol that is nearly the same since Quake 2. That's how many engines you'd have to change to get a real fix in place. Hell, I have a friend who still plays Heretic 2 online! heh That's a lot of changes. So, I think they just want him to calm down while they fix the issues.

    Finally, I will point out that Mark's nickname is Bastard, but he's not an entirely bad guy. He's been one of the few guys to survive the dotcombomb and not sell out completely. He has some business sense and is trying to protect his business. And a big chunk of his business is reliable internet servers and keeping people using his browser. Personally, I think the cause of reliable online gaming to be worth a 'stop a moment while we fix this stuff.'

    Then again, I'm biased, I did run a server for four years for them.

  • by James Lewis ( 641198 ) on Wednesday November 12, 2003 @06:30PM (#7458949)
    It seems most of the posts here take the side of the "hacker" which isn't surprising given this is Slashdot. But if you go look at his site, he is posting working source for DDos attacks for various games and exploits. Here is one description:

    "Half-Life 1.1.1.0 client's "Unknown command" format string bug test 0.1 This is a tool to test a format string bug I have found in the Half-Life client. I have not released an advisory because at the moment I don't know if this bug lets remote code execution or not. Feel free to check it (in the zip file there is also the mail I have sent to vuln-dev that contains some details)"

    In this case he's posting source for the exploitation of a bug before HE EVEN KNOWS WHAT THE BUG DOES. This makes me doubt how responsible he is in informing companies of bugs in their products. How about this changelog in the source of his UTDDos attack:

    "CHANGELOG: - Now supports UT2003 servers!!! - better allocation method (now it's not limited, and the memory used is very very small!) - big code optimizations - a lot of bug fixes (libnet name resolution and other little problems)"

    Why would these changes be necessary for a proof of concept? Sounds more like he wants anybody to be able to easily compile and use his programs to exploit not just UT servers, but UT2003 servers as well.

    I think hackers should have as much restraint as possible in releasing "proof of concept" programs. Because really, what do these programs do? It does exactly what you are afraid people will do with the bug you found, exploit it. When you release that to the public, you are ENSURING that the bug will be exploited. Only in extreme cases should this be used to force a company to fix a bug, because at best the result is a brief period of time in which the bug is exploited widely, before the company fixes it. However, I think there is a serious risk of more harm being done in this period of time than would have ever been done if the proof of concept program had never been released, and the bug taken longer to be fixed or perhaps not fixed at all.

    This guy is obviously not using proof of concept programs as a last resort. In fact, check out this comment:

    "CD-Key hash changer for UnrealTournament 2003 v2225 for Win32 0.1 practically this proof-of-concept lets you to use a custom cd-key hash. The main idea was to find a cd-key theft bug but fortunally this bug doesn't exist so this tool can be considered only a test just for fun"

    He wants people to use it "for fun"? What kind of white hat hacker releases a proof of concept program for "fun"? If I read this right, he was hoping to be able to steal CD keys with this, which he probably would have released as well. That would of been a huge mess, and is what I mean when I say there is serious risk of a concept program doing a lot more harm than good. So, it turns out it only lets you use other people's CD hashes, which you can get just from joining a game. This would allow you to steal someone's CD hash that you didn't like, and then go make a total ass of yourself on a server and get him banned. Sounds "fun" don't you think? Gamespy may not be my favorite company, but this guy give hackers a bad name.

Adding features does not necessarily increase functionality -- it just makes the manuals thicker.

Working...