[Kazan]

---==== Fourth Edit: Termination ===----

GameSpy appears to have acted in generally good faith in reguards to Mr Auriemma, while the DMCA casts a shadow on their action, the fact that they do not only rely on the DMCA makes up for it somewhat.  Furthermore my inital impression that Mr auriemma acted in good faith in relation to his utilities is cast into severe doubt by his "Patches" page in which he blatantly provides for the violation of copyrights.  His "verification programs" are not required to demonstrate the vulnerabilities and merely allow for script kiddies to exploit them.  Furthermore GameSpy claims in email that Mr Auriemma was once associated with a security firm in Italy and once demanded a "consultation fee" from GameSpy, after which said firm immediately disavowed relations with Mr Auriemma.


I look forward to continuing our relations with GameSpy, catiously.

(off i go to defend them from the Slashdot Horde)


---=== Third Edit: Disclaimer ===----

The position posted by me in this thread is not the official position of the SCP as of 12 Nov 2003 18:00 Central Time

I am just calling for this action as this time in response to GameSpy's actions - should this action be taken an official announcement shall be made in a new thread upon commitment to the resolution


---=== Second Edit: After much investigation ===---

From Below


Final Conclusion: GameSpy's claim that Mr Auriemma is circumventing copyprotection and encryption is completely baseless.  GameSpy is trying to silence a ciritic by use of the DMCA.   We should as a community demand GameSpy explain it's actions IMMEDIATELY or break all relations with GameSpy

See Below for investigation


---=== EDIT: More information has come to my attention, see below ==---

The SCP should not affiliate themselve with any organization that will abuse the DMCA to silence people criticizing their software, the SCP is founded on the concept of Open Source and information sharing,  GameSpy's recent action against a person who was informing GameSpy of weakness's in gamespy's software is in direct conflict with the community and ethics of Open Source Software.

The SCP Should immediately terminate all relations with GameSpy and it's network.  Here is an article summarizing GameSpy's DMCA abuse action http://yro.slashdot.org/article.pl?sid=03/11/12/1735212&mode=thread&tid=126&tid=127&tid=153&tid=172&tid=186&tid=99


[edit]
Responses to some IM's

We can move to VolitionWatch, or if the community could donate $120 I can get a domain name and one year of hosting with PHP, MySQL, 800MB harddrive space, and 40G/month transfer, with 400 email addresses -- i use this hosting provider for deepbluebettas.com -- they're world-class

[Kazan]

for those of you who don't understand what level of violation of free speech rights this is see : http://www-2.cs.cmu.edu/~dst/DMCA/Gallery/

(CMU is one of the aboslute leading schools in computer science)

[Unknown Target]

I'd donate!

[Kazan]

awesome UT - if I can get $120's pledged to it then I'll then ask for those pledges be sent in and when I get all of it i'll create the domain+hosting


note: $120 pledges = domain + hosting for 1 years
$200 pledges = domain + hosting for 2 years

[Inquisitor]

The only thing we use gamespy's servers for are these forums.

Site is on Telefragged, and the CVS is on Warpcore.

[Kazan]

yeah, but *wispers in inqui's ear about some website stuff*

severing all relations with GameSpy means moving the forums

my reliable sources tell me that VolitionWatch is dieing

[Fractux]

I don't know what to say.

I first the post he made on security focus [http://www.securityfocus.com/archive/1/344214/2003-11-09/2003-11-15/0 ]

then I read thew gamespy's response [ http://www.gamespydaily.com/news/fullstory.asp?id=5474 ]

then I had a look at what he had on his website because he was accused of "But then we found out he was also publishing how to brute force our RogerWilco CDkeys and had published hacks on other game CDkeys as well. He was doing more than reporting bugs; he was publishing game pirating techniques." by Gamespy.

I looked at his site: [ http://aluigi.altervista.org/index.htm ]

And it he has a lot of tools available to use exploits. I cannot make any assumptions however, because he says that he hunts for bugs, and all the tools he provides just demonstate these exploits.

While I can say I agree that it's good he is willing to take his time to hunt out all of these bugs, he doesn't have to make available his tools available( and then you may say that other's will just do it, but hear me through first ).

I think the fact that he has all these tools [go and look through all the sections and you'll see what I mean] available is being used as ammunition against him to get him to stop making their bugs known.

I don't like that tactic being used, and it's a biased point of view, which everyone realises.

I also don't think he needs to provide his tools for people to download, UNLESS the companies have not responded to him after he told them of the exploits and they just ignored him. [Which it was said that GS had done, but I don't know about all the other compnies who he has provided tools to "exploit" their products]

Since I don't know the history or the whole story, I will not pass judgment. I'll wait on any further info.

Cheers!

*EDIT* I forgot to mention... I'm not saying it's bad to realease tools to test for exploits, because you needs tools to test for exploits, but I'm talking about making them freely available. I know it's a fine line to walk, and that's why I'm not making any judments.

[Kazan]

I didn't notice he was distributing the tools, good call - that wasn't the brightest idea on his part to distribute the tools

This redeems gamespy some what - it redeems them enough that I think we should ask them if they are only going after him for that, or if they're trying to completely silence him


[edit after reading origional PDF of GameSpy's C&D]


GameSpy's lawyers do not mention the DMCA until late in the article along with several other things - but they do quote source code comments out of context, and to not consider the rebutal argument that only informing gamespy may lead to gamespy ignoring the problem.  While I agree that Mr. Auriemma should not be distributing tools to do this, especially not the CD Key tool, GameSpy's attacks on his advisories constitute a potential abuse of the DMCA


In light of this information I believe that we should contact GameSpy and ask them to explain themselves, if they are simply after him because of the hacking programs, then I will withdraw my call for relations termination.   If they want his advisories completely removed (instead of just changed as to not let everyone know how to break the servers - but still saying there is a problem) then I will assert my call for severing relations

[Woolie Wool]

Well if Mr. Surfas is right, this guy was posting some of the encryption code to RogerWilco and GameSpy 3D. GameSpy relies on the commercial versions of these programs for a good deal of their income, and I don't think they want hackers using this code to pirate their apps. Try to look at it from both points of view.

Besides, freedom of speech is NOT absolute. The Supreme Court said so during World War I. The fact is that what he said was NOT lawful speech. It is illegal to distribute information that can be used to circumvent copyright protection, and for good reason.

[Kazan]

the SCOTUS still upholds distributing information about weaknesses and vulnerabilities in software as free speech

when I first posted I had not noticed the CD Keygen for RogerWilco - this is a clear violation.  If GameSpy went after him just for the CD KeyGen I would completely withdraw my call to severe relations, however they are going after is his security advisories as well.

I am now reading his advisories to see if they cross the line into justifying GameSpy's demand's

[Kazan]

Mr Auriemma praises gamespy for using TCP for masterservers, and also says to use his tool for verification purposes only http://aluigi.altervista.org/adv/msddos-adv.txt [Game's using UDP Masterservers]

in http://aluigi.altervista.org/adv/wilco-adv.txt (Remote Server Lock exploit, Broadcast buffer overflow) which is one of the files explicitly named in GameSpy's C&D notice Mr Auriemma is simply stating bugs in an informative manner, like any other security adviser would, he mentions his tools in a "use this to test only" method.  The RogerWilco server vulnerable is the shareware GUI RogerWilco server (That simultaneously is a client).    There is no malicious intent in this document

http://aluigi.altervista.org/adv/wilco-remix-adv.txt (another named doc) just a rehash (as implied) of previous one, gamespy didn't really fix the problems and he simply pointed that out

http://aluigi.altervista.org/adv/wilco-recvbof-adv.txt - he mentions, in poor english - that he waited one week after contacting gamespy to release the adviser, as per security community ettiquette.  GAmeSpy did not contact him or do anything about the bug and thus his release of this advisory is completely justified

http://aluigi.altervista.org/adv/gs3d-ircbof-adv.txt -- his "explot" program does nothing but saves you from manually doing this with netcat - any exploit that can be triggered via a simple netcat is extremely henious, and diserves being exposed for all to see



I have no seen one spot where there is a CD Keygen, or anything else that allows for the circumvention of copy proteciton  thus making GameSpy's claims bogus and grounds for terminating relations -- I am going to further investigate being ruling on the subject

[Kazan]

The application in Wilco.zip does not contain a keygen, cd key, key brute force - or other copyprotection circumvention method
The application in gs3dirc.zip does not contain a keygen, cd key, key brute force - or other copyprotection circumvention method
The application gsinfo.zip does not contain a keygen, cd key, key brute force - or other copyprotection circumvention method


Final Conclusion: GameSpy's claim that Mr Auriemma is circumventing copyprotection and encryption is completely baseless.  GameSpy is trying to silence a ciritic by use of the DMCA.   We should as a community demand GameSpy explain it's actions IMMEDIATELY or break all relations with GameSpy

[Fineus]

I'm jumping in the deep end here by replying before I've trawled the links and read all the info - but this question does spring immediately to mind.

How associated is the SCP with GS anyway? Yes, HLP is hosted with them. But as far as I can tell that's where it ends - except perhaps some advertising on GSs part.

[Kazan]

Associations between SCP and GameSpy

A) Using a Forum on gamespy's server network
B) GameSpy wishes to enter a partnership with SCP to release useable FS2 versions will all the mediate + SCP exec and media additions
C) Advertising on GS

Results of Severing relations with GameSpy
A) Forums must be moved and reliable sources inform me that VolitionWatch may not last long
B) No GameSpy Release of FS2+SCP
C) No advertising on GameSpy unless spontaenously created by gamespy staff


Purpose for severing relations with Gamespy
A) To protest abuse of DMCA to limit free speech of Italian citizen criticising gamespy for bugs
B) To Protest blatant misinformation in GameSpy's legal document sent to Luigi Auriemma
C) To protest lack of resolution of critical bugs in gamespy software after it has been brought to their attention
D) To protect ourselves from being associated with GameSpy's now negative image in the world of Open Source Software

[Kazan]

(/me emails gamespy)

   I am a member of the FreeSpace 2: Source Code Project.  I am ready to call for breaking all relations between the SCP and GameSpy over the DMCA C&D Letter sent to ITALIAN CITIZEN Luigi Auriemma on 12 Nov 2003.  However, before I make a final push to call for severing relations I am going to give you an oppurtunity to explain yourselves and your reasoning in the hopes that you may redeem yourselves in my eyes and the eyes of the Open Source Community.

I looked into the claims in the letter and found that GameSpy has seemingly made false claims.  The sections of the letter quoting Mr. Auriemma are out of context and do not consider the possibility that he was pondering that a malicious user may use the vulnerabilities to do damage, and not that he was implying that he would (which he did not imply).  Second it appears that Mr Auriemma followed the good faith rules of the security community in trying to contact you before releasing his advisories.  Third the software written by Mr Auriemma is simply to verify that the exploits exist as he stated, and he states that said tool should only be used for such purposes.  Fourth the C&D Document claims that Mr Auriemma wrote software that circumvents copy protection, encryption, and brute forces cd keys.  There is no evidence of any program that does this on the entirety of his website.

Furthermore Mr. Auriemma had contacted you in the past, and received replies and beta versions with the vulnerabilities resolved, only to later have the public releases still have said vulnerabilities, or apparent rollbacks to previous versions that had vulnerabilities Mr. Auriemma had previously addressed and gotten fixed, only to have them reappear with this apparent version rollback.


To summarize: GameSpy appears to have just used to DMCA to attempt to silence a critic, instead of using that critic's information to fix the problems in said software.  Said Critic appears to have acted in good faith and attempted to contact you prior to publically releasing his security advisories.  In contacting you before hand he attempted to give you teim to fix the problem before announcing it to the world, where he knew there are potentially malicious people that would exploit the published information to harm GameSpy.  - He went out of his way to try and protect you from attack before releasing the information.  

In the end he has gotten threatened by your lawyers instead of thanked for attempting to help you.

P.S. You have severely harmed your image today in the Open Source community, I hope that we may resolve this issue and restore your image.


I await your reply,

Derek "Kazan" Meek
---------
http://www.deepbluebettas.com

Programmer for FreeSpace 2: The Source Code Project
http://freespace.volitionwatch.com/fsscp/

Author of FS2 Modding utilities
http://alliance.sourceforge.net

[Fineus]

I'm not passing any judgement on what you can or can't do - but I think you should talk with the other "big guys" involved in the SCP before you speak for it... If you're just making enquiries or whatever, that's fine.

Anyhow, this bears a lot of discussion I think, please be clean and nice about it everyone - don't want to make a mountain out of a mole hill....

[Killfrenzy]

Kaz, I must say that I'm with you and I may be able to find some donation money somewhere for the new domain.....just not sure where yet!

I am sick and tired of various computing companies (online or otherwise) crapping all over their users, or asserting unnecessary (and sometimes unethical) control over them via the software used. Windows XP is a golden example! It actually writes some code to your PC that prevents you using older versions of windows! What if you decide that XP is crap and want to 'downgrade' back to Win2000 or 98?

And then there's the stuff relating to M$'s access to your machine, without your knowledge (until it's too late) which is completely against all the principles of computing!

Gamespy is treading dangerously close to a simlilar 'we own you' path, and no company should be able to do that and get away with it. Not Gamespy, not Sony (for want of a better example) and certainly not Micro$oft!

[Kazan]

Originally posted by Kalfireth
I'm not passing any judgement on what you can or can't do - but I think you should talk with the other "big guys" involved in the SCP before you speak for it... If you're just making enquiries or whatever, that's fine.

Anyhow, this bears a lot of discussion I think, please be clean and nice about it everyone - don't want to make a mountain out of a mole hill....

I am just calling for this action - I am not saying that we are taking this action

[Fineus]

Ok, I just wanted to be clear on that - I'm going to get on with reading about whats gone on.

[Sticks]

How does this affect us again?

Whatever. This guy got a cease and desist. Big whoop. He's not in jail or anything.



I might add that I find that letter you sent to be irresponisble, hardly the views of the team, and even less the views in general of the open source community, which to be honest, we just barely represent.

I fail to understand why they need to explain themselves to you. The only explanation that needs to hold up is the one they present in court (if it ever gets there, which it won't).