November 13, 2003 3:29 PM PST
GameSpy warns security researcher
The Nov. 6 letter bases the legal request on assertions that the advisories and programs created by Luigi Auriemma, an independent researcher, violate the controversial Digital Millennium Copyright Act (DMCA), a law that makes it illegal to break the security that protects copyrighted content. Auriemma posted a copy of the letter to his Web site and on Thursday pulled down the offending files.
While the DMCA is a U.S. law and thus may not apply to Auriemma, GameSpy wanted to put a legal stake in the ground to establish its position on the vulnerability research, said Chris Wildermuth, vice president of corporate communications for the company.
"It's the next step after asking him please not to do this," he said, adding that the company hopes to discourage Auriemma from making further disclosures. "Because we don't know what else he is working on."
The move, however, has been criticized by some lawyers and the vulnerability-research community as unhelpful to their quest of finding security bugs to be squashed and holding software makers to a high standard of quality.
"The problem with the DMCA is that it's so broad and relatively untested," said Jennifer Granick, executive director of Stanford Law School's Center for Internet and Society. Granick has frequently represented hackers and security researchers in such cases. "That's why people hate the DMCA and are so fearful of it."
Security researchers and hackers have long worried that companies might succeed in using the DMCA to quell their reports of vulnerabilities in software products. Hewlett-Packard threatened a security group with legal action under the DMCA after a member released information about the flaw before the company had prepared a patch. And complaints from software maker Adobe led to the indictment and trial of Dmitry Sklyarov and his employer, ElcomSoft, which published a utility for breaking the security of Adobe's e-book format.
To date, the success of such tactics has been mixed. HP backed off its legal action against the security group, Secure Network Operations, and Adobe retracted its support for the criminal prosecution of Sklyarov. Sklyarov was eventually dropped from the case, and ElcomSoft was found innocent of the charges. More recent legal actions against students who have poked holes in a CD copy protection system created by SunComm Technologies and an electronic election system created by Diebold Election Systems have both met stiff resistance.
GameSpy's Wildermuth stressed that the action his company has taken is not against security researchers in general but against one person who, the company maintains, has focused on the company maliciously.
"It is not that we don't welcome people talking about bugs--we do," he said.
Auriemma, an independent researcher, had posted on his Web site several advisories about vulnerabilities in GameSpy's voice chat program, Roger Wilco, and in the company's online game finder, GameSpy 3D. One flaw found by the Italian hacker could have allowed an attacker to break into and take control of GameSpy 3D servers.
"You have to question, why focus on this?" Wildermuth said. "There is not a high degree of criticality. You are not losing people's information. You are basically talking about pirating games."
Auriemma characterizes the collection of information as security research, not an attempt to aid software pirates.
"The stuff is composed (of) my proof-of-concepts (programs to test vulnerabilities) and advisories written to test and explain the bugs in the GameSpy's (sic) products found and signaled (sic) to them a lot of months ago," the Italian researcher wrote in a public posting to a security news group.
The research done by Auriemma focused on finding security flaws and reverse-engineering many aspects of online games, including "Half-Life," "Quake 3," "Soldier of Fortune" and "Tribes," as well as games based on the Unreal engine. While he doesn't recall why he initially focused on Roger Wilco, he said GameSpy didn't pay adequate attention to his bug reports.
"The story of Roger Wilco's bugs, for example, is really incredible," he wrote in an interview with CNET News.com conducted via e-mail. "I released the 2 bugs found in the 2001 version, (and) they patched it, (so) no problems there. The problems happen when they didn't answer to my mails for the other new and partial-old bugs."
The company later patched some, but not all, the flaws, he said.
"My only purpose is (to provide) free information," he added.
GameSpy said some flaws that appear not to have been patched were actually fixed through software changes to its server.
The case is complicated by several factors. Auriemma says he is in Italy, which is outside the jurisdiction of the DMCA. In addition, GameSpy has accused the researcher of conduct that could be considered extortion, saying he asked for a consulting fee before he would show the company the information. If GameSpy didn't pay, Auriemma would publish the information publicly, GameSpy's Wildermuth said.
"He is basically saying that you have a problem, and I will tell you what the problem is, or else I will publish what it is," Wildermuth said. "From our perspective, he did not seem to be a person just helping us fix some bugs; he was hoping to get compensated for it."
However, Auriemma denied that he ever asked the company for money. Security research firm PivX Solutions, which had previously employed Auriemma as a contractor, severed its relationship with him when GameSpy sent the firm a similar cease-and-desist letter in June. A PivX executive said all its vulnerability research has been provided to affected companies for free.
"PivX never asked for money from GameSpy nor did PivX submit any type of proposal for work," said Geoff Shively, chief technology officer for the Newport Beach, Calif.-based company.
An executive at another game company that had previously worked with Auriemma said the security researcher had always offered to help for free. Auriemma had found a flaw in that company's product as well. The executive asked that his name and that of his company not be used in this story.
"I can't speak for what he did or didn't do at GameSpy, but he has always acted professionally with us," the executive said, adding that he was surprised at the allegations. "He is totally professional and up-front and honest."
Another security researcher said companies that haven't often dealt with hackers can sometimes misread their intentions.
"Some people think that way just because you say, 'You should fix this problem, and I will tell people if you don't fix it,'" said Chris Wysopal, vice president of research and development at security firm @stake. "Some companies think of that as extortion."
Wysopal pointed to material available from the Organization for Internet Safety, a group promoting responsible disclosure of flaws and of which his company is a member, as a good guide for companies on how to handle security researchers. In the end, he said, going after the person pointing out the flaws is not productive.
"It just doesn't look good to be attacking the messenger," he said. "The person is really trying to help the company's customers."
While Wysopal believed that GameSpy will be hard pressed to apply the DMCA to Auriemma's research, Stanford Law School's Granick thought that the case should be closely watched.
"I don't think anything with the DMCA is an empty threat," she said.