Gamespy uses DMCA to destroy bug research and full disclosure
Just today (12 Nov 2003) opening my mailbox I have found a mail of about 1
megabyte and half and fortunally for the sender I don't use filters.
The mail has been sent by the Gamespy's lawyers asking me to remove my bug
research stuff from my site.
The stuff is composed by my proof-of-concepts and advisories written to test
and explain the bugs in the Gamespy's products found and signaled to them a
lot of months ago and completely ignored by Gamespy.
All my advisories were released to the most known and pubblic security
mailing-lists in the past so everyone can see all the release dates of them
and how Gamespy manages the bugs in its products... the best example is just
a remote buffer-overflow found and signaled to Gamespy at the end of May
2003 and still existent in the actual version of the program RogerWilco.
The other incredible thing is that the lawyers have included in the list of
"stuff to remove" also a simple program that is not a proof-of-concept or an
advisory and moreover is not directly related to Gamespy... really comic...
Continuing to read the mail (a pdf file) can be found a lot of senseless
affirmations, some reported below:
- "you have committed numerous violations of state and federal law by
illegally accessing Gamespy servers and by creating, marketing, and
distributing software which circumvents the encryption mechanism that
protects access to Gamespy's servers"... are we talking about security
bugs??? what I market???
- they say my proof-of-concepts "purport to permit to circumvent the
encryption protection of Gamespy's proprietary software, including GameSpy
3D and Roger Wilco, to obtain access to computer servers owned and operated
by GameSpy, or in some cases to cause those servers to crash"... I'm very
interested about what of my proof-of-concepts "circumemvent the encryption
protection of Gamespy". The bugs I have found are in the Gamespy's products
NOT in the Gamespy's servers.
- but the most comic affirmation is "In contrast to simply advising GameSpy
of these vulnerabilities, by publishing this software to the world at large
you are clearly facilitating the intentional crashing of GameSpy's server by
others"... I have tried to contact Gamespy EVERYTIME I have found a new bug
for MULTIPLE times but they have EVER ignored my signalations or, as
happened for the first bug in RogerWilco, they have simply "feigned" to
patch the bugs so insulting me and my research (who has read my
wilco-remix-adv.txt knows all the shameful story).
So the "common time delay" to release advisories (a week or sometimes a
month from the signalation of the bug without receiving replies) was FULLY
respected in all the occasions.
The last part of the mail/pdf talks about various DMCA's violations, US's
laws and moreover "crime"!
Bug research is a crime and bug researchers are criminals, didn't you know
that?
Is really shameful to see a company spending money for useless lawyers
instead to quickly patch their incredibly bugged products and moreover to
support who do bug research... what Gamespy wants is to destroy the full
disclosure and the free information encouraging the underground scene.
I think is not good for the Gamespy's users to know that the main goal of
Gamespy is just to protect itself instead to protect its users and clients.
That's the situation...
BYEZ
---
Luigi Auriemma
http://aluigi.altervista.org