Gamespy's suit

[Urban Ranger]

The news article here detailed Gamespy's attempt to silence a security researcher with dirty legal tactics. This is nothing new, Adobe and other companies did the same thing before.

This is a very bad move on their part as this is only a move employed by companies who do not want to address the real issues, namely the lack of security in their software.

The way that DMCA can and has been used this way goes to show that it is a stupid law that needs to be repealed.

[Harry Seldon]

I subscribe to a security group he posts in. In his own words:

Quote:

Just today (12 Nov 2003) opening my mailbox I have found a mail of about 1 megabyte and half and fortunally for the sender I don't use filters. The mail has been sent by the Gamespy's lawyers asking me to remove my bug research stuff from my site. The stuff is composed by my proof-of-concepts and advisories written to test and explain the bugs in the Gamespy's products found and signaled to them a lot of months ago and completely ignored by Gamespy. All my advisories were released to the most known and pubblic security mailing-lists in the past so everyone can see all the release dates of them and how Gamespy manages the bugs in its products... the best example is just a remote buffer-overflow found and signaled to Gamespy at the end of May 2003 and still existent in the actual version of the program RogerWilco. The other incredible thing is that the lawyers have included in the list of "stuff to remove" also a simple program that is not a proof-of-concept or an advisory and moreover is not directly related to Gamespy... really comic... Continuing to read the mail (a pdf file) can be found a lot of senseless affirmations, some reported below: - "you have committed numerous violations of state and federal law by illegally accessing Gamespy servers and by creating, marketing, and distributing software which circumvents the encryption mechanism that protects access to Gamespy's servers"... are we talking about security bugs??? what I market??? - they say my proof-of-concepts "purport to permit to circumvent the encryption protection of Gamespy's proprietary software, including GameSpy 3D and Roger Wilco, to obtain access to computer servers owned and operated by GameSpy, or in some cases to cause those servers to crash"... I'm very interested about what of my proof-of-concepts "circumemvent the encryption protection of Gamespy". The bugs I have found are in the Gamespy's products NOT in the Gamespy's servers. - but the most comic affirmation is "In contrast to simply advising GameSpy of these vulnerabilities, by publishing this software to the world at large you are clearly facilitating the intentional crashing of GameSpy's server by others"... I have tried to contact Gamespy EVERYTIME I have found a new bug for MULTIPLE times but they have EVER ignored my signalations or, as happened for the first bug in RogerWilco, they have simply "feigned" to patch the bugs so insulting me and my research (who has read my wilco-remix-adv.txt knows all the shameful story). So the "common time delay" to release advisories (a week or sometimes a month from the signalation of the bug without receiving replies) was FULLY respected in all the occasions. The last part of the mail/pdf talks about various DMCA's violations, US's laws and moreover "crime"! Bug research is a crime and bug researchers are criminals, didn't you know that? Is really shameful to see a company spending money for useless lawyers instead to quickly patch their incredibly bugged products and moreover to support who do bug research... what Gamespy wants is to destroy the full disclosure and the free information encouraging the underground scene. I think is not good for the Gamespy's users to know that the main goal of Gamespy is just to protect itself instead to protect its users and clients. That's the situation...

[Urban Ranger]

Exactly. From what I have seen of previous suits that are similar, the company just gets upset because its lack of care for its clients gets exposed to the world.

[Ari Rahikkala]

http://www.gamespydaily.com/news/fullstory.asp?id=5474 (also linked to in Apolyton's misc. section)

Trusting people, it's such a delicate issue...

[Urban Ranger]

That's what they all say

[Nubclear]

This begs the question. Have they fixed the bugs?

[Urban Ranger]

Of course not.

[Harry Seldon]

Some of the others in the group suggested that as paying customers they should sue Gamespy for writing shoddy products and imperilling their computers with security risks.

[JohnT]

God, that guy sounds like a whiner. Sadly for him, his opinions and fan support ain't gonna count for shiite once the lawyers get to work.

If, as gamespy states, the man lost his job because of this same situation

Quote:

When we were first contacted, this person was associated with a small software security company. They asked if GameSpy wanted to pay a "consulting fee" to fix the hacks. However, these were not bugs; it was information about how our products work. When we brought this to the software security company's attention, they disavowed their relationship with that person and removed him from their servers.

and he still persisted with his efforts, then the onus is on him. He was duly warned (by both Gamespy and his former employer) and, apparently, ignored the warnings.

[Urban Ranger]

Harry,

Yes, they should


John,

For those of us who know how the computer security industry works, it appears that Gamespy is in the wrong. A lot of software companies, including MS, somehow are disinterested in patching security holes.