Gamespy Vs. Luigi
MonsieurEvil
Join Date: 2002-01-22 Member: 4Members, Retired Developer, NS1 Playtester, Contributor
Join Date: 2002-01-22 Member: 4Members, Retired Developer, NS1 Playtester, Contributor
in Discussions
<div class="IPBDescription">I.E... hacking ethically (or at all)</div> There is a big contretemps brewing between Gamespy and a self-proclaimed hacker named Luigi Auriemma.
First, read this:
<a href='http://www.securityfocus.com/archive/1/344214/2003-11-09/2003-11-15/2' target='_blank'>http://www.securityfocus.com/archive/1/344...09/2003-11-15/2</a>
<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->Just today (12 Nov 2003) opening my mailbox I have found a mail of about 1
megabyte and half and fortunally for the sender I don't use filters.
The mail has been sent by the Gamespy's lawyers asking me to remove my bug
research stuff from my site.
The stuff is composed by my proof-of-concepts and advisories written to test
and explain the bugs in the Gamespy's products found and signaled to them a
lot of months ago and completely ignored by Gamespy.
All my advisories were released to the most known and pubblic security
mailing-lists in the past so everyone can see all the release dates of them
and how Gamespy manages the bugs in its products... the best example is just
a remote buffer-overflow found and signaled to Gamespy at the end of May
2003 and still existent in the actual version of the program RogerWilco.
The other incredible thing is that the lawyers have included in the list of
"stuff to remove" also a simple program that is not a proof-of-concept or an
advisory and moreover is not directly related to Gamespy... really comic...
Continuing to read the mail (a pdf file) can be found a lot of senseless
affirmations, some reported below:
- "you have committed numerous violations of state and federal law by
illegally accessing Gamespy servers and by creating, marketing, and
distributing software which circumvents the encryption mechanism that
protects access to Gamespy's servers"... are we talking about security
bugs??? what I market???
- they say my proof-of-concepts "purport to permit to circumvent the
encryption protection of Gamespy's proprietary software, including GameSpy
3D and Roger Wilco, to obtain access to computer servers owned and operated
by GameSpy, or in some cases to cause those servers to crash"... I'm very
interested about what of my proof-of-concepts "circumemvent the encryption
protection of Gamespy". The bugs I have found are in the Gamespy's products
NOT in the Gamespy's servers.
- but the most comic affirmation is "In contrast to simply advising GameSpy
of these vulnerabilities, by publishing this software to the world at large
you are clearly facilitating the intentional crashing of GameSpy's server by
others"... I have tried to contact Gamespy EVERYTIME I have found a new bug
for MULTIPLE times but they have EVER ignored my signalations or, as
happened for the first bug in RogerWilco, they have simply "feigned" to
patch the bugs so insulting me and my research (who has read my
wilco-remix-adv.txt knows all the shameful story).
So the "common time delay" to release advisories (a week or sometimes a
month from the signalation of the bug without receiving replies) was FULLY
respected in all the occasions.
The last part of the mail/pdf talks about various DMCA's violations, US's
laws and moreover "crime"!
Bug research is a crime and bug researchers are criminals, didn't you know
that?
Is really shameful to see a company spending money for useless lawyers
instead to quickly patch their incredibly bugged products and moreover to
support who do bug research... what Gamespy wants is to destroy the full
disclosure and the free information encouraging the underground scene.
I think is not good for the Gamespy's users to know that the main goal of
Gamespy is just to protect itself instead to protect its users and clients.
That's the situation...
BYEZ
---
Luigi Auriemma
<a href='http://aluigi.altervista.org' target='_blank'>http://aluigi.altervista.org</a>
<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
Then, read this:
<a href='http://www.forumplanet.com/gamespy/topic.asp?fid=1897&tid=1214612' target='_blank'>http://www.forumplanet.com/gamespy/topic.a...897&tid=1214612</a>
<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->GameSpy welcomes any and all help finding genuine bugs and security breaches on our servers. What we don't welcome are people publishing security hacks that have the potential to hurt our products. GameSpy products are supposed to be about having fun, but hacks and Denial of Service (DoS) attacks take the fun out of it. It doesn't simply hurt GameSpy; it hurts every person playing games with our products.
What this person did was more than reverse engineer two of our products, RogerWilco and GameSpy3D-he was describing our backend services and publishing CDkey generation information without letting us know. At first we welcomed his bug alerts. We responded to him immediately and thanked him for his bug research, as we do with everyone who contacts us with bug information. We even sent him a thank you letter, which we have on file.
But then we found out he was also publishing how to brute force our RogerWilco CDkeys and had published hacks on other game CDkeys as well. He was doing more than reporting bugs; he was publishing game pirating techniques. He published how to attack our network. This is not the way ethical security researchers operate. It was at this point that we stopped our communication with him and asked him to remove the materials in question.
When we were first contacted, this person was associated with a small software security company. They asked if GameSpy wanted to pay a "consulting fee" to fix the hacks. However, these were not bugs; it was information about how our products work. When we brought this to the software security company's attention, they disavowed their relationship with that person and removed him from their servers.
Let me repeat-we welcome any bug alerts and will fix any and all security breaches that come to our attention. We find and fix nearly all of them before any external sources find them. It's all about playing games and having fun, people! That's why we do what we do! However, we won't pay "consulting fees" to people who create CDkey hacks of our proprietary software, then post the results if we don't pay them.
Gamers trust us. We have to protect them from any and all attacks on our network that affect gamers.
Mark Surfas
Chairman & Founder
GameSpy
<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
So, each one makes separate claims. I am inclined to believe Gamespy's (GSI) take on this at first blush, as having worked with them on a few occasions from a programming standpoint, I found their developers to be good guys with a real desire to make a good product. When there were issues in their app (it was packaging GS Arcade for NS 2.0), they acknowledged them without reservation and tried to make good. On the other hand, from reading this guys website, I notice that he has written an awful lot of utilities that have nothing to do with security. In fact, they mainly seem to be denial of service attacks. GSI saying he tried to blackmail them doesn't help, if you believe that.
Put that aside for a second though - do you think that this guy's reasoning is correct? Does attempting to hack a system then telling people about it on the internet qualify as white or black hat hacking? Did GSI do the right thing in their response? Does this guy deserve h4te or l0ve? The usual zealot cults (aka Blues News/Slashdot/Slashdot messageboards) of course immediately decried GSI without bothering to do anything like good reporting, so the community has already polarized heavily. What are your thoughts?
First, read this:
<a href='http://www.securityfocus.com/archive/1/344214/2003-11-09/2003-11-15/2' target='_blank'>http://www.securityfocus.com/archive/1/344...09/2003-11-15/2</a>
<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->Just today (12 Nov 2003) opening my mailbox I have found a mail of about 1
megabyte and half and fortunally for the sender I don't use filters.
The mail has been sent by the Gamespy's lawyers asking me to remove my bug
research stuff from my site.
The stuff is composed by my proof-of-concepts and advisories written to test
and explain the bugs in the Gamespy's products found and signaled to them a
lot of months ago and completely ignored by Gamespy.
All my advisories were released to the most known and pubblic security
mailing-lists in the past so everyone can see all the release dates of them
and how Gamespy manages the bugs in its products... the best example is just
a remote buffer-overflow found and signaled to Gamespy at the end of May
2003 and still existent in the actual version of the program RogerWilco.
The other incredible thing is that the lawyers have included in the list of
"stuff to remove" also a simple program that is not a proof-of-concept or an
advisory and moreover is not directly related to Gamespy... really comic...
Continuing to read the mail (a pdf file) can be found a lot of senseless
affirmations, some reported below:
- "you have committed numerous violations of state and federal law by
illegally accessing Gamespy servers and by creating, marketing, and
distributing software which circumvents the encryption mechanism that
protects access to Gamespy's servers"... are we talking about security
bugs??? what I market???
- they say my proof-of-concepts "purport to permit to circumvent the
encryption protection of Gamespy's proprietary software, including GameSpy
3D and Roger Wilco, to obtain access to computer servers owned and operated
by GameSpy, or in some cases to cause those servers to crash"... I'm very
interested about what of my proof-of-concepts "circumemvent the encryption
protection of Gamespy". The bugs I have found are in the Gamespy's products
NOT in the Gamespy's servers.
- but the most comic affirmation is "In contrast to simply advising GameSpy
of these vulnerabilities, by publishing this software to the world at large
you are clearly facilitating the intentional crashing of GameSpy's server by
others"... I have tried to contact Gamespy EVERYTIME I have found a new bug
for MULTIPLE times but they have EVER ignored my signalations or, as
happened for the first bug in RogerWilco, they have simply "feigned" to
patch the bugs so insulting me and my research (who has read my
wilco-remix-adv.txt knows all the shameful story).
So the "common time delay" to release advisories (a week or sometimes a
month from the signalation of the bug without receiving replies) was FULLY
respected in all the occasions.
The last part of the mail/pdf talks about various DMCA's violations, US's
laws and moreover "crime"!
Bug research is a crime and bug researchers are criminals, didn't you know
that?
Is really shameful to see a company spending money for useless lawyers
instead to quickly patch their incredibly bugged products and moreover to
support who do bug research... what Gamespy wants is to destroy the full
disclosure and the free information encouraging the underground scene.
I think is not good for the Gamespy's users to know that the main goal of
Gamespy is just to protect itself instead to protect its users and clients.
That's the situation...
BYEZ
---
Luigi Auriemma
<a href='http://aluigi.altervista.org' target='_blank'>http://aluigi.altervista.org</a>
<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
Then, read this:
<a href='http://www.forumplanet.com/gamespy/topic.asp?fid=1897&tid=1214612' target='_blank'>http://www.forumplanet.com/gamespy/topic.a...897&tid=1214612</a>
<!--QuoteBegin--></span><table border='0' align='center' width='95%' cellpadding='3' cellspacing='1'><tr><td><b>QUOTE</b> </td></tr><tr><td id='QUOTE'><!--QuoteEBegin-->GameSpy welcomes any and all help finding genuine bugs and security breaches on our servers. What we don't welcome are people publishing security hacks that have the potential to hurt our products. GameSpy products are supposed to be about having fun, but hacks and Denial of Service (DoS) attacks take the fun out of it. It doesn't simply hurt GameSpy; it hurts every person playing games with our products.
What this person did was more than reverse engineer two of our products, RogerWilco and GameSpy3D-he was describing our backend services and publishing CDkey generation information without letting us know. At first we welcomed his bug alerts. We responded to him immediately and thanked him for his bug research, as we do with everyone who contacts us with bug information. We even sent him a thank you letter, which we have on file.
But then we found out he was also publishing how to brute force our RogerWilco CDkeys and had published hacks on other game CDkeys as well. He was doing more than reporting bugs; he was publishing game pirating techniques. He published how to attack our network. This is not the way ethical security researchers operate. It was at this point that we stopped our communication with him and asked him to remove the materials in question.
When we were first contacted, this person was associated with a small software security company. They asked if GameSpy wanted to pay a "consulting fee" to fix the hacks. However, these were not bugs; it was information about how our products work. When we brought this to the software security company's attention, they disavowed their relationship with that person and removed him from their servers.
Let me repeat-we welcome any bug alerts and will fix any and all security breaches that come to our attention. We find and fix nearly all of them before any external sources find them. It's all about playing games and having fun, people! That's why we do what we do! However, we won't pay "consulting fees" to people who create CDkey hacks of our proprietary software, then post the results if we don't pay them.
Gamers trust us. We have to protect them from any and all attacks on our network that affect gamers.
Mark Surfas
Chairman & Founder
GameSpy
<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
So, each one makes separate claims. I am inclined to believe Gamespy's (GSI) take on this at first blush, as having worked with them on a few occasions from a programming standpoint, I found their developers to be good guys with a real desire to make a good product. When there were issues in their app (it was packaging GS Arcade for NS 2.0), they acknowledged them without reservation and tried to make good. On the other hand, from reading this guys website, I notice that he has written an awful lot of utilities that have nothing to do with security. In fact, they mainly seem to be denial of service attacks. GSI saying he tried to blackmail them doesn't help, if you believe that.
Put that aside for a second though - do you think that this guy's reasoning is correct? Does attempting to hack a system then telling people about it on the internet qualify as white or black hat hacking? Did GSI do the right thing in their response? Does this guy deserve h4te or l0ve? The usual zealot cults (aka Blues News/Slashdot/Slashdot messageboards) of course immediately decried GSI without bothering to do anything like good reporting, so the community has already polarized heavily. What are your thoughts?
Comments
And finaly, topping it off as MonsE said, the guy's site does seem to be a little unusual and put a slight emphasis towards the 'darker' side of hacking etc. Anyway, my 2Cents (btw, how do you do the cent sign? what key combo.)
BTW: What's his website? The securityfocus.com?
BTW: What's his website? The securityfocus.com? <!--QuoteEnd--> </td></tr></table><span class='postcolor'> <!--QuoteEEnd-->
<a href='http://aluigi.altervista.org' target='_blank'>http://aluigi.altervista.org</a> < that's his site. Securityfocus is an organization that organizes and advises companies on bugs and security issues in their product. Sort of a clearing house for stuff, that makes sure things are correctly explained and reproduceable and then advises the Microsoft's, Red Hats, IBM's, etc. of the world...
(nice try on the alt-f4-c by the way - I was a split second away from doing it...)
Well, both sides sound "legit" but as GSI is a company and thus they tend to be more inclined to keeping customers happy, i'll go with GSI on this.
But I can see some of the darker logic of the "hacker". GameSpy sometimes is...a bit irritating.
...
I think that illustrated my point the best. :X
However. I disagree with Luigi going public with the information, him attempting to find the problems is acceptable in my view, but him going public with the info is disagreeable, and distasteful.
...
I think that illustrated my point the best. :X
<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
Not quite analogous. If I discover that a simple radio transmitter can cause people's computer-controlled engine to pump massive amounts of fuel through the injectors and make your engine explode, killing you, and I then publish step-by-step instructions on the internet for how to do this (rather than contacting the manufacturer and having them do a recall), I am the one truly liable for your death. The manufacturer did not purposefully kill you, I did. No matter how good my intentions were, I was the instigator. Now, if I do not publish the information, and instead contact the manufacturer (who ignores me) and some other phenomonen (a radio station antenna let's say) makes such a situation happen by accident, the manufacturer is at fault, and I am blameless.
The usual debate comes down to the reasonable clause, and the level of detail that should be disclosed. The former depends on a lot of things, so I'll leave that to the more pedantic to make rules about -- something the researcher and the company can agree to. Obviously too early increases the chances that the problem is exploited, but too late makes the publication worthless for the researcher's reputation.
Appropriate level of detail gets a lot a flak. For the researcher there needs to be enough information to prove that they did in fact find something, which requires others be able to reproduce it. Obviously "Found a hole in MS Office, but won't tell you what it is, neener neener" makes for a pretty pathetic publication, where one including pre-built script kiddie tools is perhaps a little overdone. In the middle we find everything from Microsoft's "vulnerability in the Unicode decoding component of urlmon.dll" to normal traffic on SecurityFocus/BUGTRAQ (which usually includes a detailed technical discussion and proof of concent).
Now, Luigi's site annoys me. The overabundance of 'z's aside, he choses to provide tools expoiting flaws which are obviously intended to be used. On the other hand, he did do the work to discover how various GameSpy products work on a pro-bono basis and take the time to let them know their protection schemes had gaping holes. If they want to cry foul and threaten legal action it just guarantees that next time he won't tell them. And whether or not anyone else will is questionable, I would rather avoid being sued because some company decided that my reports went beyond reporting bugs and, say, bypassed their network security or allowed DOS possibilities (I enjoy Sufars' choice to exclude all cruicial bugs from being bugs).
I have BUGTRAQ publications on my CV, so have a certain bias toward full disclosure. If the company had hired me for the work they would have every right to prevent me publishing it, when I find something on an unpaid basis they can accept that it will be published. In notifying companies of vulnerabilities I have hit everything from a polite thanks to complete refusal to acknowledge my e-mail.
So yeah, both GameSpy and Luigi are being idiots...
I think Gamespy is being a bit stupid on this, this guy is trying to help them deliver a great product, and they're completely ignoring him.
Guess they're just paying people to think of new subscriber things for fileplanet.
Publishing the information may be reckless, but is not wrong, and neither should it be criminal. It is not you who does the killing, but the person who chooses to send the signal. The reasearch does not violate any contract and publishing information not governed by contracts is not criminal. This is similar to anti-abortion sites that keep a list of doctors who do abortions and cross out the names of those who were killed. It may be repulsive, but it is just information, and information which is publicly available.
[edit: spelling]
Saying something is 'just information' ignores the issue, in my mind. Most kinds of extortion and blackmail involve 'just information'.
I could reason that he has the best of intentions at heart, it appears he just wants the credit and to get these holes fixed, but he's doing it all wrong. Personally, i stand on GSI's side, they've done nothing in the wrong and Luigi's careless actions, no matter how well meaning they may be, cause more trouble than if he had just persisted in emailing them.
Lmfao thats gold.
Saying something is 'just information' ignores the issue, in my mind. Most kinds of extortion and blackmail involve 'just information'.<!--QuoteEnd--></td></tr></table><span class='postcolor'><!--QuoteEEnd-->
There is a popular statement: guns don't kill people, people kill people. It is not the fault of the gun manufacturer that someone does murder, and neither should it be the fault of an information supplier that someone uses the information to kill someone.
Edit: And Smith & Wesson doesn't advertise on their website that you should go out and shoot innocent people because they refuse to wear bullet-proof vests. Nor do they hand out free pistols and ammo for the task.
At first, I was under the impression that he was just hacking to see what was wrong with it, did he keep harassing Gamespy by exploiting them ? Or did he just find something wrong, give them an email, and that was it ?