######################################################################## Title: Comments, quotes, e-mails, proofs, analysis and destruction of the castle of lies and accusations after a month from the shameful actions of Gamespy Date: 12 Dec 2003 Author: Luigi Auriemma e-mail: aluigi@autistici.org web: aluigi.org ######################################################################## Exactly one month ago I was contacted by the lawyers of Gamespy with the incredible and absurd request to remove from my website the stuff about the vulnerability research I did on the "so called" software distribuited by Gamespy. So after a month I return again on the argument for two causes: 1) to dismount step by step all the accusations and the castle of lies that Gamespy has build about a certain person without a specific name but that has been linked to me by the incredible amount of analogies 2) to report what is changed (or is better to say what is not changed) after this time And in fact just from the beginning of the Gamespy's response called "Chairman details the need to protect gamers rights and provide security" we can see the first strange things: http://www.gamespydaily.com/news/fullstory.asp?id=5474 Don't exist names or specific references except the "casual" releasing of this response the same day I have sent my mail to Bugtraq http://www.securityfocus.com/archive/1/344214 This is a clear maneuver to shot lies and falsehoods against someone that is not directly identified by the author of the text but simply lets the other people to understand who is the real person. So is easy to understand that this response is false just from its beginning and that it has been written with the guide of the lawyers of Gamespy that probably have ever cured the event (from the first C&D of June 2003) without really contacting their clients because their C&D are full of trivialities (the second C&D is available here http://aluigi.org/misc/75395-1.pdf) as for example the reference to an application that has nothing related with Gamespy. But this is only the beginning, the analysis is long so let's go with order. The first strange phrase is about the thanks Gamespy has said to have sent me through a letter (note, they talk exactly about a "letter" not about an e-mail) that they have also saved in a file. These people didn't know neither I'm italian (read the C&D and the references to USA's laws) so they cannot send me letters. The unique discussion (so two people talking togheter) has happened only for the first 2 bugs in RogerWilco of the end of May 2003 and the only thanks word that I have received about the bugs has been a short "Thanks for the info" so something that is said by all the developers that receive feedback from an user and not something of special has said by Gamespy. In the response then Gamespy talks about the algorithm of key generation for RogerWilco and moreover they try to generalize the thing talking also about some "game pirating techniques". I'm very interested about what they mean with "game pirating techniques". The most interesting thing is that they have never asked me to remove the source code of the algorithm and it is not listed in the C&D (the second C&D is public and whoever can check it) so I don't understand why they talk about this thing only now. Then we must also consider that this source code was released for educational purposes (as written everywhere) and already exist over Internet the serial keys and real key generators for RogerWilco composed by GUI for easy usage, pre-compiled, without the availability of the source code and marked by the clear words "key generator". To note the continue usage of the word "CDKey" (four times) and the usage of capital letter just to highlight this word. Then there is also a wrong usage of the word "CDKey" because RogerWilco uses a serial code calculated on the e-mail address insert by the user in the registration field and not a cd-key. The mentioning of facts not inherents to the main argument (in this case the usage of DMCA for signaled security bugs and the disinterestedness of Gamespy to patch them) is a classical method used by who is in difficulty to change the attention from the main fact where they are wrong on another where they "think" to have more chances and use some commonplaces. In this case also the other argument is a hole in the water for Gamespy. The other interesting part of the response is composed just by the defaming accusations against the "person" without name in the response. In fact they talk about a request of "consulting fee" to fix the "hacks" and moreover about a security company involved in the "blackmail". The first question is: what are these "hacks"? We are talking about vulnerabilities in the software that are very dangerous and should be fixed in some hours but they say also "these were not bugs"... well, I invite everyone has a minimal knowledge of computer security to say that a buffer-overflow is not a security bug. Then they talk also about Denial of Service (DoS) that is just one of the causes of almost all the security bugs and so without patching the bug also the relative DoS will not be removed. After these affirmations is clear that Gamespy doesn't write software and has no knowledge or competence about computers but the most serious problem is that they are not ashamed to say these idiocies publicly. The second question instead is: what is the company that would have supported the "blackmail" and that then would have disavowed the relationship with the guy of the response? If the guy is me then the company should be PivX but: 1) I have ever personally found and signaled the bugs so what PivX got to do with it? PivX has never intruded in my bug reports just because I was the only to know the details of the bugs 2) the contract continues to exist, it is signed by me and PivX and is in my drawer. I have choosen to detach from PivX after the bugs found in Half-Life for philosophical reasons because I don't like the commercial and schematic tone of the companies, the same tone that is too visible in the last advisories released with PivX just about the bugs in Half-Life: http://aluigi.org/adv/hlbof-client-adv.txt http://aluigi.org/adv/hlbof-server-adv.txt http://aluigi.org/adv/hlmods-adv.txt Then I'm very curious to know why, if I have been "removed" from their servers, my stuff is still hosted on their servers... mah... I liked a lot to read on Slashdot http://yro.slashdot.org/article.pl?sid=03%2F11%2F12%2F1735212 the comments of the users where happen some contraddictions in the responses sent by Gamespy to the people before the releasing of the "official" response. For example one of the answers of Gamespy has been exactly: "Unfortunately, he's not telling the truth. What is happening is simply attempted extortion. He didn't contact us, never has, and has been harassing us for over a year." Contraddiction: how I have "harassed" them without contacting them? To highlight the "never has" and subsequent "for over a year". Then the first bugs of RogerWilco were found and signaled at the end of May 2003 so no more than six months before and that's also visible in my first advisory released for RogerWilco. The accusations of extorsion are really serious and are penally prosecutable that's why any name or references has been "intentionally" omitted by Gamespy also if exist the grounds to proceed with a lawsuit for defamation. But I don't have time and money to waste with lawyers and I prefer to destroy their accusations publicly on Internet with this document. At this point is needed to show some proofs because the words without proofs are only useless words and my name is not Mark Surfas. What I ever do when I find a bug in a software is simply to contact the programmers with at least 2 e-mails and if I don't receive an answer for long time or the bug is successfully patched I release the results of my research following the full-disclosure, so with all the technical details and with the demonstration code (called proof-of-concept). In the computer security don't exist "obligations" or "dates and times to respect" but everything is in the hands of who finds the bug. In fact exists who alerts the "vendor" in the same moment he releases the advisory, who don't contact the vendor and who waits an answer before releasing the stuff however is ever something of optional and positive (the other choice is the releasing of the info in the underground but this is not so pleasant for the users and the programmers of the vulnerable software). I have decided to contact Gamespy reporting the bugs and moreover waiting in vain before releasing my stuff publicly, that's just what I do ever. Just because I have found enough bugs until now, I have a lot of people and companies that can witness (witness = real proof, not words without sense as those of Gamespy) about my bug reports and moreover can say that the only thing I "require" is the confirmation of the existence of the signaled bugs (this proof is already visible in the article written by Robert Lemos http://news.com.com/2100-7355-5107305.html). Then also the same guys at Gamespy are witness in fact during the mails exchanged for the first bugs of RogerWilco just they have thanked me for my diligence and patience, so why then they have said different things about my behaviour in their C&D and response? Then as second proof I have just my advisories that are all publics (on Bugtraq http://www.securityfocus.com/archive/1 are also reported the releasing dates) and contain all my comments and details about the times spent or the eventual disinterestedness of the programmers to fix the signaled problems. And at last there are just the e-mails, the so discussed e-mails that Gamespy says contain blackmails and fee requests but they have only false words and I have all the dates of the e-mails exchanged from the "fake" correction of the first bugs in RogerWilco (so by the moment they have started to ignore me): From: Date: ------------------------------------- me Thu, 26 Jun 2003 10:18:11 +0000 me Wed, 30 Jul 2003 12:48:24 +0000 me Thu, 31 Jul 2003 12:28:49 +0000 them Thu, 31 Jul 2003 09:55:11 -0700 me Thu, 31 Jul 2003 19:09:49 +0000 me Thu, 28 Aug 2003 12:58:25 +0000 me Tue, 16 Sep 2003 10:43:01 +0000 me Sun, 21 Sep 2003 14:09:46 +0000 me bug report via web form UPDATE 16 Feb 2009: finally I have decided to publish all the original mails sent and received by me: http://aluigi.org/misc/gamespy_mails_of_shame.zip I avoid to waste space reporting also the text of the e-mails because they are only bug reports and requests of explanations about their disinterestedness on my reports. In the mail sent at July I have explicitally asked them to check the buffer-overflow reported a month before and moreover asking explanations about why they have not answered me before. The only answer I have received has been: "thanks, we have received your info and we are acting on it." If they have received my report about the buffer-overflow signaled a month before, why they did nothing for all this time? The same day I have also reported other new bugs and I have asked newly why nobody answered me before or if they didn't receive my e-mails but unfortunately I have never received an answer and believing in their "we are acting on it" I have waited other time in vain. So I have fully proved what I have said while they continue to have a lot of confused and contradicted lies. But I have no finished... The C&D is an obvious and moreover signed proof about blackmails and money requests, so here I have proved that Gamespy has really asked me money in case I didn't remove my stuff... "your money or your life!" This is just a real form of extorsion and blackmail. The last thing instead is about the continued usage by Gamespy of the word "network" meaning "their" network. The falsity of all their accusations (moreover in the C&D) is proved just by their products that don't need a central server to be used and (for who don't know these products) moreover in the first question/answer of the FAQ of RogerWilco http://rogerwilco.gamespy.com/products/rw/faq.html Q. Do I need to connect to a special server? A. No... Just to the computer of another friend whom you want to talk to. This Create/Join connectivity is the same used by many online games. Very good, the castle of lies of Gamespy is finally poorly fallen but we have not finished because a month is passed and is needed to check the current situation of the software and to confirm everything I have said from the first advisory released for RogerWilco about its unpatched vulnerabilities. In the report (the same report about the person without name) are "nice" the following phrases: "Let me repeat: We welcome any bug alerts and will fix any and all security breaches that come to our attention. We find and fix nearly all of them before any external sources find them" "Gamers trust us. We have to protect them from any and all attacks on our network that affect gamers." Do you know what is the current situations of the vulnerabilities in the software of Gamespy now that "everyone" in the world knows better the existence of these bugs and moreover after reading their "nice" words? STILL VULNERABLES!!! After a month from the C&D and after over six months from the first bug report the programs RogerWilco (latest version 1.4.1.6) and Gamespy3d (latest version 263021) are still vulnerable to the same bugs I have found a lot of time ago. So all this software seems just to be no longer supported and the phrase reported before by Gamespy must be considered completely false, without basis and a deceit for all the people that have read and trusted them. Receiving support for what has been bought is a right of the consumer moreover if damage can be caused by the ineptitude and disinterestedness of who sell a product without support. So who has paid RogerWilco and Gamespy3d in reality has paid the lawyers of Gamespy and not the support for what has been bought. In fact into the FAQ of RogerWilco is interesting to read the last question/andwer: Q. How much does Roger Wilco cost? A. Roger Wilco is a Shareware / Subscription product -- you can use it as long as you like, but if you subscribe today you'll get access to the subscriber benefits in ALL of GameSpy's software products (Roger Wilco, GameSpy Arcade and GameSpy3D) and you'll help support future Roger Wilco development! And I suggest to take a look also to the following phrase located in the main page of the program: "Plus, you'll be supporting further development of the revolutionary software that enables you to talk with friends, family and fellow gamers over your PC." It is also written by the same people of Gamespy that the money of the registered users will help the development of RogerWilco so these must be considered lies written to defraud the users. If someone has bought one of the two products I repeat that the existent bugs are really very dangerous and criticals, moreover those of RogerWilco where an attacker can execute remote code not only versus the computer of the user who runs the server but in some versions also versus all the connected clients, so I highly suggest to the users of these programs to use a better and moreover "supported" software. I have only words of disdain about a similar behaviour that cannot be tolerate. So another time: shame, shame and again shame! Not only for the request to remove my stuff and for all the false and defaming accusations written against me, but also for all the users tha are defrauded every day, for who has trusted at at least one word of the sea of lies that comes out from the spokesmen of Gamespy and at last for the usage of the DMCA with the unique intent of destroying the freedom of speech and information sanctioned in all the civil countries. Now I have finally concluded with my comments about this story and if the guy in the response is not me, well I have tried to enter in him and I have exposed my ideas but if the response is just about me finally I have fully clarified everything. ########################################################################