[Legal] Fwd: Re: Gamespy uses DMCA to destroy bug research and full
disclosure
Michael Shigorin
mike at osdn.org.ua
Thu Nov 13 16:33:53 MSK 2003
----- Forwarded message from C Ryll <carolynryll at hotmail.com> -----
Date: Wed, 12 Nov 2003 18:35:03 +0000
From: "C Ryll" <carolynryll at hotmail.com>
To: aluigi at altervista.org, bugtraq at securityfocus.com
Subject: Re: Gamespy uses DMCA to destroy bug research and full disclosure
Luigi,
It seems apparent that these lawyers are morons that are merely copying and
pasting some of the contents of a Universal vs. Reimerdes related
requisition (where DMCA was used to ward off breaking of DVD encryption
mechanisms) into your notice, without having a full understanding of your
stated proof of concept. A buffer overflow in a product does not break
encryption mechanisms in Gamespy's servers, unless they suddenly told you a
bug related to your proof of concept that you did not know about before...
Now, that could be interesting.
I had researched the Universal vs. Reimerdes case details in the past, and
am dumping some of what I wrote into the end of this reply to demonstrate
similarities between what these lawyers are accusing you of, and what was
seen at that time. These are just details of the case. Please do not abuse
me for the DMCA, based on these case details. What it may help you to
understand is how the courts view publicized code in terms of freedom of
speech and the First Amendment, as well as get a perspective on if Gamespy
has any legal ground (I didn't say "logical" ground) in their demands.
I have to admit that, if Gamespy were determined to have a legal ground in
this situation (i.e., you posting some buffer overflow bugs), it would set a
very bad precedent for this community.
Kind regards,
Carolyn.
-------------------------------------------------
Universal vs. Reimerdes Case Details
-------------------------------------------------
DeCSS is a program designed to circumvent CSS (Content Scramble System),
which is the technology that motion picture studios (i.e., Universal) place
on DVDs to prevent the unauthorized viewing and copying of motion pictures.
CSS allows DVDs to be played on computers and DVD players, but does not
allow the copying or manipulation of a DVD's contents.
DeCSS decrypts the CSS protection mechanisms, thus allowing the copying of a
DVD's contents onto a computer system for full manipulation and copying of
the newly created (and very large) computer file. The large file can be
compressed using a freely available compression application entitled "DivX"
that allows for the transfer of the compressed file back onto a DVD, or
across the Internet. DeCSS was marketed for the playing of DVDs on multiple
platforms, as well as for the copying of DVDs. The writers of DeCSS claim
that their intention was to produce a program that allowed DVDs to be played
on the Linux operating system (something that was not available at that
time).
The movie industry tried to stem the onslaught of DeCSS-posting websites by
sending cease-and-desist letters to many of the sites, but only with some
success. This occurred in 1999. In 2000, the studios filed a lawsuit against
Corley, Reimerdes, and Kazan, who run the website 2600.com. 2600.com
produced an article about DeCSS, and offered both the object code and source
code along with the article, as well as provided links to other websites
where DeCSS could be obtained.
Arguments used by the defendants in the case of Universal vs. Reimerdes
regarding violation of Constitutional rights pertain to the following:
1. The DMCA oversteps limits in the Copyright Clause on the duration of
copyright protection.
2. The DMCA violates the First Amendment because computer code is speech
entitled to full First Amendment protection and the DMCA fails to survive
the exacting scrutiny accorded statutes that regulate speech. (Bernstein vs.
the United States concluded that computer source code is speech because it
is the "preferred means" of communication among computer programmers and
cryptographers.)
3. The DMCA violates the First Amendment and the Copyright Clause by unduly
obstructing the fair use of copyrighted materials.
The Court issued the following decisions regarding the stated violations of
Constitutional Rights: Regarding overstepping limits in the Copyright Clause
on the duration of copyright protection, the Court stated that, while this
argument may have merit in a future case, there is not any evidence in this
case that any Plaintiff sought to prevent the copying of public domain
works. As well as this, the Court stated that there does not currently
appear to be a problem with encryption precluding access to public domain
works.
Regarding violation of the First Amendment because computer code is speech
entitled to full First Amendment protection, while the Court accepted code
as speech, it also claimed that code combines non-speech and speech elements
(i.e., functional and expressive elements). In this, the scope of a computer
code's First Amendment protection is affected by its functionality. As the
functionality of DeCSS enables users to copy movies from DVDs in digital
form and transmit them instantly in unlimited quantities, thus preventing
the movie producers from additional sales, the deemed unlawful access to
materials in which the Plaintiffs have IPR (Intellectual Property Rights)
thus limits the scope of First Amendment protection in this case.
Regarding violation of the First Amendment and the Copyright Clause unduly
obstructing the fair use of copyrighted materials, the Court decided that no
support for the premise was given that fair use of DVD movies is
constitutionally required to be made in the copying of the original work in
its original format. That is, fair use would allow a camcorder with
microphone to be aimed at the television set while a DVD is playing, thereby
recording the contents of the DVD. However, the DVD would not be copied in
its original protected format. It is stated by the Court that fair use has
never been held as a guarantee of access to copyrighted material so that
copying may occur in the format of the original, or in the fair user's
preferred technique.
In Universal vs. Reimerdes, the Court ruled in favor of Universal.
-------------------------------------------------------
End Universal vs. Reimerdes Case Details
-------------------------------------------------------
>
>
>Luigi Auriemma <aluigi at altervista.org>
>2003-11-12 08:29 AM
>
>
> To: eff at eff.org
>bugtraq at securityfocus.com
>list at dshield.org
>dmca-activists at gnu.org
>dmca_discuss at lists.microshaft.org
> cc: (bcc: Carolyn Ryll/ATL-BTL/MS/PHILIPS)
> Subject: Gamespy uses DMCA to destroy bug research and full
>disclosure
> Classification:
>
>
>
>
>Just today (12 Nov 2003) opening my mailbox I have found a mail
>of about 1 megabyte and half and fortunately for the sender I
>don't use filters.
>
>The mail has been sent by the Gamespy's lawyers asking me to
>remove my bug research stuff from my site.
>
>The stuff is composed by my proof-of-concepts and advisories
>written to test and explain the bugs in the Gamespy's products
>found and signaled to them a lot of months ago and completely
>ignored by Gamespy. All my advisories were released to the most
>known and public security mailing-lists in the past so everyone
>can see all the release dates of them and how Gamespy manages
>the bugs in its products... the best example is just a remote
>buffer-overflow found and signaled to Gamespy at the end of May
>2003 and still existent in the actual version of the program
>RogerWilco.
>
>The other incredible thing is that the lawyers have included in
>the list of "stuff to remove" also a simple program that is not
>a proof-of-concept or an advisory and moreover is not directly
>related to Gamespy... really comic...
>
>Continuing to read the mail (a pdf file) can be found a lot of
>senseless affirmations, some reported below:
>
>- "you have committed numerous violations of state and federal
>law by illegally accessing Gamespy servers and by creating,
>marketing, and distributing software which circumvents the
>encryption mechanism that protects access to Gamespy's
>servers"... are we talking about security bugs??? what I
>market???
>
>- they say my proof-of-concepts "purport to permit to circumvent
>the encryption protection of Gamespy's proprietary software,
>including GameSpy 3D and Roger Wilco, to obtain access to
>computer servers owned and operated by GameSpy, or in some cases
>to cause those servers to crash"... I'm very interested about
>what of my proof-of-concepts "circumvent the encryption
>protection of Gamespy". The bugs I have found are in the
>Gamespy's products NOT in the Gamespy's servers.
>
>- but the most comic affirmation is "In contrast to simply
>advising GameSpy of these vulnerabilities, by publishing this
>software to the world at large you are clearly facilitating the
>intentional crashing of GameSpy's server by others"... I have
>tried to contact Gamespy EVERYTIME I have found a new bug for
>MULTIPLE times but they have EVER ignored my signalations or, as
>happened for the first bug in RogerWilco, they have simply
>"feigned" to patch the bugs so insulting me and my research (who
>has read my wilco-remix-adv.txt knows all the shameful story).
>So the "common time delay" to release advisories (a week or
>sometimes a month from the signalation of the bug without
>receiving replies) was FULLY respected in all the occasions.
>
>The last part of the mail/pdf talks about various DMCA's
>violations, US's laws and moreover "crime"!
>
>Bug research is a crime and bug researchers are criminals,
>didn't you know that?
>
>It is really shameful to see a company spending money for useless
>lawyers instead to quickly patch their incredibly bugged
>products and moreover to support who do bug research... what
>Gamespy wants is to destroy the full disclosure and the free
>information encouraging the underground scene.
>
>I think it is not good for the Gamespy's users to know that the
>main goal of Gamespy is just to protect itself instead to
>protect its users and clients.
>
>That's the situation...
>
>
>BYEZ
>
>
>
>--- Luigi Auriemma http://aluigi.altervista.org
>
>
----- End forwarded message -----
--
---- WBR, Michael Shigorin <mike at altlinux.ru>
------ Linux.Kiev http://www.linux.kiev.ua/