[Legal] Fwd: Re: Gamespy uses DMCA to destroy bug research and full disclosure

Michael Shigorin mike на osdn.org.ua
Чт Ноя 13 16:33:53 MSK 2003


----- Forwarded message from C Ryll <carolynryll на hotmail.com> -----

Date: Wed, 12 Nov 2003 18:35:03 +0000
From: "C Ryll" <carolynryll на hotmail.com>
To: aluigi на altervista.org, bugtraq на securityfocus.com
Subject: Re: Gamespy uses DMCA to destroy bug research and full disclosure

Luigi,

It seems apparent that these lawyers are morons that are merely copy and 
pasting some of the contents of a Universal vs. Reimerdes related 
requisition (where DMCA was used to ward off breaking of DVD encryption 
mechanisms) into your notice, without having a full understanding of your 
stated proof of concept. A buffer overflow in a product does not break 
encryption mechanisms in Gamespy's servers, unless they suddenly told you a 
bug related to your proof of concept that you did not know about before... 
Now, that could be interesting.

I had researched the Universal vs. Reimerdes case details in the past, and 
am dumping some of what I wrote into the end of this reply to demonstrate 
similarities between what these lawyers are accusing you of, and what was 
seen at that time. These are just details of the case. Please do not abuse 
me for the DMCA, based on these case details. What it may help you to 
understand is how the courts view publicized code in terms of freedom of 
speech and the First Amendment, as well as get a perspective on if Gamespy 
has any legal ground (I didn't say "logical" ground) in their demands.

I have to admit that, if Gamespy were determined to have a legal ground in 
this situation (I.e., you posting some buffer overflow bugs), it would set a 
very bad precedent for this community.

Kind regards,
Carolyn.

-------------------------------------------------
Universal vs. Reimerdes Case Details
-------------------------------------------------
DeCSS is a program designed to circumvent CSS (Content Scramble System), 
which is the technology that motion picture studios (I.e., Universal) place 
on DVDs to prevent the unauthorized viewing and copying of motion pictures. 
CSS allows DVDs to be played on computers and DVD players, but does not 
allow the copying or manipulation of a DVD's contents.

DeCSS decrypts the CSS protection mechanisms, thus allowing the copying of a 
DVD's contents onto a computer system for full manipulation and copying of 
the newly created (and very large) computer file. The large file can be 
compressed using a freely available compression application entitled "DivX" 
that allows for the transfer of the compressed file back onto a DVD, or 
across the Internet. DeCSS was marketed for the playing of DVDs on multiple 
platforms, as well as for the copying of DVDs. The writers of DeCSS claim 
that their intention was to produce a program that allowed DVDs to be played 
on the Linux operating system (something that was not available at that 
time).

The movie industry tried to stem the onslaught of DeCSS-posting websites by 
sending cease-and-desist letters to many of the sites, but only with some 
success. This occurred in 1999. In 2000, the studios filed a lawsuit against 
Corley, Reimerdes, and Kazan, who run the website 2600.com. 2600.com 
produced an article about DeCSS, and offered both the object code and source 
code along with the article, as well as provided links to other websites 
where DeCSS could be obtained.

Arguments used by the defendants in the case of Universal vs. Reimerdes 
regarding violation of Constitutional rights pertains to the following:
1.  The DMCA oversteps limits in the Copyright Clause on the duration of 
copyright protection.

2.  The DMCA violates the First Amendment because computer code is speech 
entitled to full First Amendment protection and the DMCA fails to survive 
the exacting scrutiny accorded statutes that regulate speech. (Bernstein vs. 
the United States concluded that computer source code is speech because it 
is the "preferred means" of communication among computer programmers and 
cryptographers.)

3.  The DMCA violates the First Amendment and the Copyright Clause by unduly 
obstructing the fair use of copyrighted materials.

The Court issued the following decisions regarding the stated violations of 
Constitutional Rights: Regarding overstepping limits in the Copyright Clause 
on the duration of copyright protection, the Court stated that, while this 
argument may have merit in a future case, there is not any evidence in this 
case that any Plaintiff sought to prevent the copying of public domain 
works. As well as this, the Court stated that there does not currently 
appear to be a problem with encryption precluding access to public domain 
works.

Regarding violation of the First Amendment because computer code is speech 
entitled to full First Amendment protection, while the Court accepted code 
as speech, it also claimed that code combines non-speech and speech elements 
(I.e., functional and expressive elements). In this, the scope of a computer 
code's First Amendment protection is affected by its functionality. As the 
functionality of DeCSS enables users to copy movies from DVDs in digital 
form and transmit them instantly in unlimited quantities, thus preventing 
the movie producers from additional sales, the deemed unlawful access to 
materials in which the Plaintiffs have IPR (Intellectual Property Rights) 
thus limits the scope of First Amendment protection in this case.

Regarding violation of the First Amendment and the Copyright Clause unduly 
obstructing the fair use of copyrighted materials, the Court decided that no 
support for the premise was given that fair use of DVD  movies is 
constitutionally required to be made in the copying of the original work in 
its original format. That is, fair use would allow a camcorder with 
microphone to be aimed at the television set while a DVD is playing, thereby 
recording the contents of the DVD. However, the DVD would not be copied in 
its original protected format. It is stated by the Court that fair use has 
never been held as a guarantee of access to copyrighted material so that 
copying may occur in the format of the original, or in the fair user's 
preferred technique.

In Universal vs. Reimerdes, the Court ruled in favor of Universal.

-------------------------------------------------------
End Universal vs. Reimerdes Case Details
-------------------------------------------------------

>
>
>Luigi Auriemma <aluigi на altervista.org>
>2003-11-12 08:29 AM
>
>
>        To:     eff на eff.org
>bugtraq на securityfocus.com
>list на dshield.org
>dmca-activists на gnu.org
>dmca_discuss на lists.microshaft.org
>        cc:     (bcc: Carolyn Ryll/ATL-BTL/MS/PHILIPS)
>        Subject:        Gamespy uses DMCA to destroy bug research and full 
>disclosure
>        Classification:
>
>
>
>
>Just today (12 Nov 2003) opening my mailbox I have found a mail
>of about 1 megabyte and half and fortunally for the sender I
>don't use filters.
>
>The mail has been sent by the Gamespy's lawyers asking me to
>remove my bug research stuff from my site.
>
>The stuff is composed by my proof-of-concepts and advisories
>written to test and explain the bugs in the Gamespy's products
>found and signaled to them a lot of months ago and completely
>ignored by Gamespy.  All my advisories were released to the most
>known and pubblic security mailing-lists in the past so everyone
>can see all the release dates of them and how Gamespy manages
>the bugs in its products... the best example is just a remote
>buffer-overflow found and signaled to Gamespy at the end of May
>2003 and still existent in the actual version of the program
>RogerWilco.
>
>The other incredible thing is that the lawyers have included in
>the list of "stuff to remove" also a simple program that is not
>a proof-of-concept or an advisory and moreover is not directly
>related to Gamespy... really comic...
>
>Continuing to read the mail (a pdf file) can be found a lot of
>senseless affirmations, some reported below:
>
>- "you have committed numerous violations of state and federal
>law by illegally accessing Gamespy servers and by creating,
>marketing, and distributing software which circumvents the
>encryption mechanism that protects access to Gamespy's
>servers"... are we talking about security bugs??? what I
>market???
>
>- they say my proof-of-concepts "purport to permit to circumvent
>the encryption protection of Gamespy's proprietary software,
>including GameSpy 3D and Roger Wilco, to obtain access to
>computer servers owned and operated by GameSpy, or in some cases
>to cause those servers to crash"... I'm very interested about
>what of my proof-of-concepts "circumemvent the encryption
>protection of Gamespy". The bugs I have found are in the
>Gamespy's products NOT in the Gamespy's servers.
>
>- but the most comic affirmation is "In contrast to simply
>advising GameSpy of these vulnerabilities, by publishing this
>software to the world at large you are clearly facilitating the
>intentional crashing of GameSpy's server by others"... I have
>tried to contact Gamespy EVERYTIME I have found a new bug for
>MULTIPLE times but they have EVER ignored my signalations or, as
>happened for the first bug in RogerWilco, they have simply
>"feigned" to patch the bugs so insulting me and my research (who
>has read my wilco-remix-adv.txt knows all the shameful story).
>So the "common time delay" to release advisories (a week or
>sometimes a month from the signalation of the bug without
>receiving replies) was FULLY respected in all the occasions.
>
>The last part of the mail/pdf talks about various DMCA's
>violations, US's laws and moreover "crime"!
>
>Bug research is a crime and bug researchers are criminals,
>didn't you know that?
>
>Is really shameful to see a company spending money for useless
>lawyers instead to quickly patch their incredibly bugged
>products and moreover to support who do bug research... what
>Gamespy wants is to destroy the full disclosure and the free
>information encouraging the underground scene.
>
>I think is not good for the Gamespy's users to know that the
>main goal of Gamespy is just to protect itself instead to
>protect its users and clients.
>
>That's the situation...
>
>
>BYEZ
>
>
>
>--- Luigi Auriemma http://aluigi.altervista.org
>
>

_________________________________________________________________
Is your computer infected with a virus?  Find out with a FREE computer virus 
scan from McAfee.  Take the FreeScan now! 
http://clinic.mcafee.com/clinic/ibuy/campaign.asp?cid=3963

----- End forwarded message -----

-- 
 ---- WBR, Michael Shigorin <mike на altlinux.ru>
  ------ Linux.Kiev http://www.linux.kiev.ua/



Подробная информация о списке рассылки Legal