The Power of the Internet

The Internet is a truly amazing beast. Its power to help is so vast it is hard to put into words. But its risk of misuse is also equally far reaching.

Take, for instance, a story I have been following involving a very popular on-line game that I play. Battlefield 1942 (BF42) is a First Person Shooter (FPS) set in the WWII era that enjoys great popularity. BF42 has several modifications (called "mods") available which change the time era of the game. There is a mod available called Desert Combat (DC) which changes the game to take place in the Desert Storm conflict. This mod to the original BF42 game is available on the Internet completely free of charge and is enjoyed by thousands of gamers. These kinds of mods are generally supported and encouraged by the makers of the original games, as the players are required to purchase the original game before they can get the mod to work. In some cases, the mods become so popular that the retail company will sign the mod makers to a contract to start selling the mod as a stand alone retail game. None of this would be possible without the power of the Internet.

The Internet provides the mod makers the ability to advertise and deliver their games very cheaply. Then if the game catches on, the Internet enables the retail company to gage the popularity of the mod and decide if it is worthy of going retail. Very cool, very amazing.

But there is a down side. I have been following a forum thread where many server operators have been experiencing crashes to their servers. As it turns out, someone (or several) was attacking the servers with Denial of Service (DoS) attacks using a known security vulnerability in the game's server code. On the surface, this may seem to be no big deal. DoS attacks happen everyday on the Internet and administrators just need to work some magic to shut the problem down. But in this case, the Internet was used to not only communicate the existence of the security problem but a program was made available to allow anyone to exploit the vulnerability. I am sure many bored kids (and adults for that matter) downloaded the program and ran it just to "see what will happen".

The whole thing started with this bug report on a security forum. The author likes to examine game code to find vulnerabilities, and then if he finds them he reports them to the game maker. Apparently, he was being ignored, or the game maker didn't give him enough respect, or the game maker refused to pay him for his finding of the problem (hard to tell the real motivation), but the end result was the bug and the program which proved that the bug existed was released on the Internet. To the author's credit, he also released a way for server operators to fix the issue. What I have a problem with is the way in which one person is able to sit as judge and jury as to when a problem they find ought to be fixed and how they were able to dictate what they felt was appropriate action.

This type of on-line arm twisting isn't really new. You may argue that this is exactly how Microsoft has been forced to fix security flaws in their software. Microsoft now releases bug fixes on a regular basis and our computers are all the safer for it. Should one person be able to wield this kind of power? It is blackmail isn't it? "If you don't fix this problem, I will release the code that will crash your product". Probably 99% of the Internet population would not have the technical expertise to exploit these bugs even if they were so inclined. But once a program is made available, anyone has the ability to cause problems.

What do you think? Was this guy justified in making his findings public? Was he justified in making the exploit program available?