Bugtraq mailing list archives

Re: Gamespy uses DMCA to destroy bug research and full disclosure


From: "C Ryll" <carolynryll () hotmail com>
Date: Wed, 12 Nov 2003 18:35:03 +0000

Luigi,

It seems apparent that these lawyers are morons that are merely copying and pasting some of the contents of a Universal vs. Reimerdes related requisition (where DMCA was used to ward off breaking of DVD encryption mechanisms) into your notice, without having a full understanding of your stated proof of concept. A buffer overflow in a product does not break encryption mechanisms in Gamespy's servers, unless they suddenly told you a bug related to your proof of concept that you did not know about before... Now, that could be interesting.

I had researched the Universal vs. Reimerdes case details in the past, and am dumping some of what I wrote into the end of this reply to demonstrate similarities between what these lawyers are accusing you of, and what was seen at that time. These are just details of the case. Please do not abuse me for the DMCA, based on these case details. What it may help you to understand is how the courts view publicized code in terms of freedom of speech and the First Amendment, as well as get a perspective on if Gamespy has any legal ground (I didn't say "logical" ground) in their demands.

I have to admit that, if Gamespy were determined to have a legal ground in this situation (I.e., you posting some buffer overflow bugs), it would set a very bad precedent for this community.

Kind regards,
Carolyn.

-------------------------------------------------
Universal vs. Reimerdes Case Details
-------------------------------------------------
DeCSS is a program designed to circumvent CSS (Content Scramble System), which is the technology that motion picture studios (I.e., Universal) place on DVDs to prevent the unauthorized viewing and copying of motion pictures. CSS allows DVDs to be played on computers and DVD players, but does not allow the copying or manipulation of a DVD's contents.

DeCSS decrypts the CSS protection mechanisms, thus allowing the copying of a DVD's contents onto a computer system for full manipulation and copying of the newly created (and very large) computer file. The large file can be compressed using a freely available compression application entitled "DivX" that allows for the transfer of the compressed file back onto a DVD, or across the Internet. DeCSS was marketed for the playing of DVDs on multiple platforms, as well as for the copying of DVDs. The writers of DeCSS claim that their intention was to produce a program that allowed DVDs to be played on the Linux operating system (something that was not available at that time).

The movie industry tried to stem the onslaught of DeCSS-posting websites by sending cease-and-desist letters to many of the sites, but only with some success. This occurred in 1999. In 2000, the studios filed a lawsuit against Corley, Reimerdes, and Kazan, who run the website 2600.com. 2600.com produced an article about DeCSS, and offered both the object code and source code along with the article, as well as provided links to other websites where DeCSS could be obtained.

Arguments used by the defendants in the case of Universal vs. Reimerdes regarding violation of Constitutional rights pertain to the following:

1. The DMCA oversteps limits in the Copyright Clause on the duration of copyright protection.

2. The DMCA violates the First Amendment because computer code is speech entitled to full First Amendment protection and the DMCA fails to survive the exacting scrutiny accorded statutes that regulate speech. (Bernstein vs. the United States concluded that computer source code is speech because it is the "preferred means" of communication among computer programmers and cryptographers.)

3. The DMCA violates the First Amendment and the Copyright Clause by unduly obstructing the fair use of copyrighted materials.

The Court issued the following decisions regarding the stated violations of Constitutional Rights:

Regarding overstepping limits in the Copyright Clause on the duration of copyright protection, the Court stated that, while this argument may have merit in a future case, there is not any evidence in this case that any Plaintiff sought to prevent the copying of public domain works. As well as this, the Court stated that there does not currently appear to be a problem with encryption precluding access to public domain works.

Regarding violation of the First Amendment because computer code is speech entitled to full First Amendment protection, while the Court accepted code as speech, it also claimed that code combines non-speech and speech elements (I.e., functional and expressive elements). In this, the scope of a computer code's First Amendment protection is affected by its functionality. As the functionality of DeCSS enables users to copy movies from DVDs in digital form and transmit them instantly in unlimited quantities, thus preventing the movie producers from additional sales, the deemed unlawful access to materials in which the Plaintiffs have IPR (Intellectual Property Rights) thus limits the scope of First Amendment protection in this case.

Regarding violation of the First Amendment and the Copyright Clause unduly obstructing the fair use of copyrighted materials, the Court decided that no support for the premise was given that fair use of DVD movies is constitutionally required to be made in the copying of the original work in its original format. That is, fair use would allow a camcorder with microphone to be aimed at the television set while a DVD is playing, thereby recording the contents of the DVD. However, the DVD would not be copied in its original protected format. It is stated by the Court that fair use has never been held as a guarantee of access to copyrighted material so that copying may occur in the format of the original, or in the fair user's preferred technique.

In Universal vs. Reimerdes, the Court ruled in favor of Universal.

-------------------------------------------------------
End Universal vs. Reimerdes Case Details
-------------------------------------------------------



Luigi Auriemma <aluigi () altervista org>
2003-11-12 08:29 AM


        To:     eff () eff org
                bugtraq () securityfocus com
                list () dshield org
                dmca-activists () gnu org
                dmca_discuss () lists microshaft org
        cc:     (bcc: Carolyn Ryll/ATL-BTL/MS/PHILIPS)
        Subject: Gamespy uses DMCA to destroy bug research and full disclosure
        Classification:




Just today (12 Nov 2003) opening my mailbox I have found a mail of about 1
megabyte and half and fortunately for the sender I don't use filters.

The mail has been sent by the Gamespy's lawyers asking me to remove my bug
research stuff from my site.

The stuff is composed by my proof-of-concepts and advisories written to
test and explain the bugs in the Gamespy's products found and signaled to
them a lot of months ago and completely ignored by Gamespy.
All my advisories were released to the most known and public security
mailing-lists in the past so everyone can see all the release dates of
them and how Gamespy manages the bugs in its products... the best example
is just a remote buffer-overflow found and signaled to Gamespy at the end
of May 2003 and still existent in the actual version of the program
RogerWilco.

The other incredible thing is that the lawyers have included in the list
of "stuff to remove" also a simple program that is not a proof-of-concept
or an advisory and moreover is not directly related to Gamespy... really
comic...

Continuing to read the mail (a pdf file) can be found a lot of senseless
affirmations, some reported below:

- "you have committed numerous violations of state and federal law by
illegally accessing Gamespy servers and by creating, marketing, and
distributing software which circumvents the encryption mechanism that
protects access to Gamespy's servers"... are we talking about security
bugs??? what I market???

- they say my proof-of-concepts "purport to permit to circumvent the
encryption protection of Gamespy's proprietary software, including GameSpy
3D and Roger Wilco, to obtain access to computer servers owned and
operated by GameSpy, or in some cases to cause those servers to crash"...
I'm very interested about what of my proof-of-concepts "circumvent the
encryption protection of Gamespy". The bugs I have found are in the
Gamespy's products NOT in the Gamespy's servers.

- but the most comic affirmation is "In contrast to simply advising
GameSpy of these vulnerabilities, by publishing this software to the world
at large you are clearly facilitating the intentional crashing of
GameSpy's server by others"... I have tried to contact Gamespy EVERYTIME I
have found a new bug for MULTIPLE times but they have EVER ignored my
signalations or, as happened for the first bug in RogerWilco, they have
simply "feigned" to patch the bugs so insulting me and my research (who
has read my wilco-remix-adv.txt knows all the shameful story).
So the "common time delay" to release advisories (a week or sometimes a
month from the signalation of the bug without receiving replies) was FULLY
respected in all the occasions.

The last part of the mail/pdf talks about various DMCA's violations, US's
laws and moreover "crime"!

Bug research is a crime and bug researchers are criminals, didn't you know
that?

Is really shameful to see a company spending money for useless lawyers
instead to quickly patch their incredibly bugged products and moreover to
support who do bug research... what Gamespy wants is to destroy the full
disclosure and the free information encouraging the underground scene.

I think is not good for the Gamespy's users to know that the main goal of
Gamespy is just to protect itself instead to protect its users and
clients.

That's the situation...


BYEZ



---
Luigi Auriemma
http://aluigi.altervista.org


