GameSpy warns security researcher
By Robert Lemos
CNET News.com
Online-gaming service provider GameSpy Industries acknowledged this week that it had sent an Italian hacker a cease-and-desist letter requesting that he remove advisories and utilities that highlight vulnerabilities in the company's products.
The Nov. 6 letter bases the legal request on assertions that the advisories and programs created by Luigi Auriemma, an independent researcher, violate the controversial Digital Millennium Copyright Act (DMCA), a law that makes it illegal to break the security that protects copyrighted content. Auriemma posted a copy of the letter to his Web site and on Thursday pulled down the offending files.
While the DMCA is a U.S. law and thus may not apply to Auriemma, GameSpy wanted to put a legal stake in the ground to establish its position on the vulnerability research, said Chris Wildermuth, vice president of corporate communications for the company.
"It's the next step after asking him please not to do this," he said, adding that the company hopes to discourage Auriemma from making further disclosures. "Because we don't know what else he is working on."
The move, however, has been criticized by some lawyers and the vulnerability-research community as unhelpful to their quest of finding security bugs to be squashed and holding software makers to a high standard of quality.
"The problem with the DMCA is that it's so broad and relatively untested," said Jennifer Granick, executive director of Stanford Law School's Center for Internet and Society. Granick has frequently represented hackers and security researchers in such cases. "That's why people hate the DMCA and are so fearful of it."
Security researchers and hackers have long worried that companies might succeed in using the DMCA to quell their reports of vulnerabilities in software products. Hewlett-Packard threatened a security group with legal action under the DMCA after a member released information about the flaw before the company had prepared a patch. And complaints from software maker Adobe led to the indictment and trial of Dmitry Sklyarov and his employer, ElcomSoft, which published a utility for breaking the security of Adobe's e-book format.
To date, the success of such tactics has been mixed. HP backed off its legal action against the security group, Secure Network Operations, and Adobe retracted its support for the criminal prosecution of Sklyarov. Sklyarov was eventually dropped from the case, and ElcomSoft was found innocent of the charges. More recent legal actions against students who have poked holes in a CD copy protection system created by SunComm Technologies and an electronic election system created by Diebold Election Systems have both met stiff resistance.
GameSpy's Wildermuth stressed that the action his company has taken is not against security researchers in general but against one person who, the company maintains, has focused on the company maliciously.
"It is not that we don't welcome people talking about bugs--we do," he said.
Auriemma, an independent researcher, had posted on his Web site several advisories about vulnerabilities in GameSpy's voice chat program, Roger Wilco, and in the company's online game finder, GameSpy 3D. One flaw found by the Italian hacker could have allowed an attacker to break into and take control of GameSpy 3D servers.
"You have to question, why focus on this?" Wildermuth said. "There is not a high degree of criticality. You are not losing people's information. You are basically talking about pirating games."
Auriemma characterizes the collection of information as security research, not an attempt to aid software pirates.
"The stuff is composed (of) my proof-of-concepts (programs to test vulnerabilities) and advisories written to test and explain the bugs in the GameSpy's (sic) products found and signaled (sic) to them a lot of months ago," the Italian researcher wrote in a public posting to a security news group.
The research done by Auriemma focused on finding security flaws and reverse-engineering many aspects of online games, including Half-Life, Quake 3, Soldier of Fortune and Tribes, as well as games based on the Unreal engine. While he doesn't recall why he initially focused on Roger Wilco, he said GameSpy didn't pay adequate attention to his bug reports.
"The story of Roger Wilco's bugs, for example, is really incredible," he wrote in an interview with CNET News.com conducted via e-mail. "I released the 2 bugs found in the 2001 version, (and) they patched it, (so) no problems there. The problems happen when they didn't answer to my mails for the other new and partial-old bugs."
The company later patched some, but not all, of the flaws, he said.
"My only purpose is (to provide) free information," he added.
GameSpy said some flaws that appear not to have been patched were actually fixed through software changes to its server.
The case is complicated by several factors. Auriemma says he is in Italy, which is outside the jurisdiction of the DMCA. In addition, GameSpy has accused the researcher of conduct that could be considered extortion, saying he asked for a consulting fee before he would show the company the information. If GameSpy didn't pay, he said he would publish the information publicly, GameSpy's Wildermuth said.
"He is basically saying that you have a problem, and I will tell you what the problem is, or else I will publish what it is," Wildermuth said. "From our perspective, he did not seem to be a person just helping us fix some bugs; he was hoping to get compensated for it."
The full article is at ZDNet
Posted on Monday, 17 November 2003 @ 04:35:00 EST by phoenix22