Judge drops DMCA claims that Bungie reverse-engineered Destiny 2 cheats
Legal boop —
Kevin Purdy
—
Enlarge / Using Bungie’s own licenses against it worked once for the makers of Aimjunkies, but this time a judge ruled that a bit more finesse (i.e. evidence) was required.
Bungie / Ars Technica
Months after failing to prove that Destiny 2 cheat makers had infringed their copyright, Bungie has surged ahead in the late game, as a quirky counterclaim accusing Bungie of «hacking» the cheat makers’ computers has been dismissed.
AimJunkies, a division of Phoenix Digital, makers of cheating tools for many popular games, including Destiny 2 (since removed but archived), had survived the typically effective claim that their cheat software illegally copied aspects of an original game to function. It was a tactic successfully used by the makers of Grand Theft Auto Online, Overwatch, Rainbow Six, Fortnite, and other properties.
Western District of Washington Judge Thomas Zilly had struck down most of those claims in late April, ruling that Bungie had «not pleaded sufficient facts to plausibly allege that [the cheat maker] copied constituent elements of Bungie’s work.» Zilly also ruled at the time that Bungie’s own license agreement for Destiny 2, which forces arbitration for circumvention and other disputes, meant that its claims could not go forward in federal court before first trying arbitration. Zilly did, however, allow Bungie time to restate its case, and it focused on trademark infringement, reverse engineering, and code copying.
Advertisement
AimJunkies fired back with subpoenas and press releases in August and, remarkably, counterclaims under the Computer Fraud and Abuse Act (CFAA) and the anti-circumvention clauses of the DMCA.
Once again, the claims sprang from Bungie’s own licenses, specifically its Limited Software License Agreement (LSLA).
Bungie’s current LSLA, updated August 21, 2021, gives its BattleEye software the right to scan a computer for cheating tools. AimJunkies’ James May states in counterclaims that Bungie accessed his computer «on at least 104 occasions» between fall 2019 and May 2021. AimJunkies also claimed that Bungie had «decompiled, reverse engineered and/or otherwise inspected the internal workings» of its cheat software, in violation of the DMCA.
Zilly’s ruling (PDF), obtained by TorrentFreak, largely agreed with Bungie’s responses. May’s evidence of Bungie accessing his computer was unexplained, Zilly writes, and he also failed to prove that the harm from such access would have exceeded the $5,000 necessary for a CFAA claim. «Although detailed factual allegations are not required … additional factual content is necessary,» Zilly writes.
As for the DMCA circumvention claim, that, too, lacked evidence, Zilly ruled.
Neither May nor Phoenix Digital offered proof of Bungie working around digital protections, nor that anything Bungie might have accessed was copyrighted. Bungie’s breach of Phoenix Digital’s license for AimJunkies similarly lacked both evidence and proof of damages, Zilly writes. Zilly adds that Phoenix Digital’s delays and unfounded claims could have resulted in dismissing their claims with prejudice, preventing amendment and refiling, but upcoming deadlines in other case matters prevent him from doing so.
Phoenix Digital has until November 21 to amend its counterclaims. Bungie’s pursuit of trademark claims is still pending.
Cheat Maker Sues Bungie for Hacking Its ‘Destiny 2’ Hacks
Screenshot by Bungie.
Bungie, has been countersued by the popular cheat maker AimJunkies over claims that Bungie violated the DMCA on AimJunkies cheats, hacked one of their contractor’s computers, and violated copyright law by reverse engineering the software to build countermeasures against it.
This suit is only possible because of evidence presented by Bungie in its amended suit against AimJunkies for developing cheats. News of the countersuit was first reported by TorrentFreak.
Advertisement
Essentially, evidence gathered through the discovery process revealed how Bungie tracks and reverse engineers cheats, and the makers of AimJunkies are trying to capitalize on it and go on the counterattack.
“The fruits of those illegal actions should not reap them rewards in the judicial system. They have the balls to go in court and allege we decompiled their software while at the same time they are illegally decompiling ours,” David Schaefer, the corporate president of Phoenix Digital Group, the company that owned AimJunkies until earlier this year and is part of the lawsuit, told Waypoint. “We are still waiting for them to show any proof that the principals of Phoenix Digital Group ever played the game or agreed to any [Limited Software Licensing Agreement] of theirs.
All these claims they have made in court documents. We have asked for that proof several times to no avail.”
In the original suit, Bungie alleged that AimJunkies had violated Bungie’s copyrights and trademarks on particular aspects of Destiny 2’s code, however, some aspects of the code were copyrighted after 2019, when the cheats began being sold. This meant that, at the time of their creation, the copyrights hadn’t been violated, a fact which AimJunkies presented to the court in the hopes of dismissing the case outright. The judge dismissed those particular charges citing both the copyright date and an insignificant amount of evidence proving that its work had been copied by the software, but allowed Bungie the opportunity to amend its case against AimJunkies and move forward with a trademark infringement case.
Advertisement
Upon presenting new evidence to the court regarding the role of particular AimJunkies members in producing the cheat software, Bungie revealed that some of the information had been gathered by checking files on James May’s computer.
May was a contractor working for AimJunkies who signed the Limited Software Licensing Agreement (LSLA) of Destiny 2 in 2019, which, as of 2019, did not allow for Bungie to monitor users files for anti-cheat purposes (although such a clause is now part of the game’s LSLA).
Furthermore, AimJunkies accused Bungie of having circumvented the DMCA of AimJunkies cheat software by purchasing, cracking, and reverse engineering the software to develop more advanced anti-cheat technology. AimJunkies then requests that Bungie pay it for damages, drop Bungie’s own charges, and halt the LSLA and DMCA violating practices.
AimJunkies has, throughout this entire process, repeatedly claimed that cheating in video games is not illegal. It is, however, annoying, and somehow manages to make every party involved from the cheaters themselves to the original studio look extremely goofy—much like the trial which it has spawned.
Schaefer also shared a message for all the people who played games made by Bungie between 2017 and 2021.
“You should be aware if you were banned there is a possibility your computer was entered illegally also and you would be entitled to restitution if proven so,” he said.
And to current players, Shaefer said: “You have agreed in the current LSLA to allow Bungie/Battleye to look at the game files and kernel level activities on your computer. Knowing what you know now from our experience, do you trust them to only be looking at that on your computer?”
UPDATE, Sept. 26, 12:21 p.m. ET: This story has been corrected. A previous version of this story stated James May was an AimJunkies employee, when he was actually a contractor.
10 most famous hackers in the world
Are you fans of Internet technology? Then please love hackers too. Despite the constantly improving information security systems, for each of them there will always be a computer genius ready to crack it. Our selection includes 10 talented hackers that the whole world is afraid of.
The story of each of them may well serve as a script for a film: a drama, a comedy, a spy thriller.
Natalia Polytsya
Jeremy Hammond of Chicago is currently serving a 10-year prison sentence for hacking into the emails of the intelligence and analytics firm Stratfor and other organizations that collaborated with the US government. The obtained data was published on the WikiLeaks website. This is not Hammond’s first term and far from the first arrest: in 2006, Jeremy was sentenced to two years in prison for hacking a computer of a conservative political organization — along with general information, 5,000 credit card numbers were stolen (although the money, according to Hammond, was not spent ). Previously, the young and talented hacker was repeatedly arrested for disturbing the order in the framework of public actions — at a demonstration against the Republican Convention, a student demonstration in Chicago, at a rally against the National Socialist Movement, against Chicago’s bid for the Olympic Games, etc.
In general , talents in the field of computer security are combined in a young man with an active civic position and disregard for the law.
Kevin Poulsen, aka Dark Dante is a retired hacker emeritus. A dangerous and mysterious burglar who specializes in telephone lines. Among his most notorious cases was the hacking into the telephone lines of the popular Los Angeles radio station KIIS-FM, which led to Poulsen «winning» a Porshe and other prizes that were raffled off the air. Deciding not to limit himself to petty cheating, Dark Dante began to use his abilities for good purposes. For example, it tracked and identified MySpace users who searched the web for child porn. Poulsen soon raised the bar for himself: he infiltrated the FBI database, gaining access to classified information about wiretapping. This, of course, did not please the American authorities, and Kevin Poulsen was caught and sentenced to 5 years. After serving a prison term, the famous hacker turned into an ordinary resident.
Today he works as the editor-in-chief of Wired News magazine, where he periodically writes about his past hacking exploits.
Jonathan Joseph James. His fate was not as rosy as that of the previous heroes. Jonathan went down in history as the first underage hacker to go to jail for breaking classified data. At the time of the crime, he was only 15 years old. Jonathan Joseph James did not change for small change: he penetrated the holy of holies of the Defense Threat Reduction Agency, subordinate to the US Department of Defense, and in 1999 attacked NASA databases. The latter led to a major scandal. For example, NASA spent $1.7 million on software that young Jonathan managed to steal. According to the hacker, the program code was not worth that kind of money. After serving his sentence, he began to lead the life of a law-abiding citizen. And in 2007, his name was associated with a wave of TJX hacks (the stolen data concerned customers’ credit cards). Denying any involvement, Jonathan Joseph James shot himself at the age of 24.
Operation Aurora was carried out by a group of hackers in 2009. 34 companies have been targeted by computer geniuses, including Google and Yahoo! Experts in the field of computer security suggest that a group of cyber spies, which in English-language sources was called the Elderwood Gang, was involved in a series of hacks. The Elderwood Gang is believed to be based in Shanghai and closely associated with the so-called Chinese People’s Liberation Army (PLA) Unit 61398, which is responsible for computer network operations. Google was the first to publicly report the theft of their intellectual property, unafraid to expose its vulnerability. Despite the fact that Gmail user accounts were also hacked (and the personal data of individuals were stolen), the main target of the hackers was still the source code of the Internet giants. After that, Google left China. And why do we have only the name of the operation instead of names and surnames? Because the identity of the hackers has not yet been established.
Adrian Lamo , nicknamed «the homeless hacker» — he earned this name due to the fact that he performed his main hacking exploits using a public Internet connection in cafes, libraries, hostels and other public places. Adrian Lamo was known as a man with a complex character. In 2004, he was convicted and sentenced to six months of house arrest and two years of probation for hacking the NY Times. Having penetrated their network, he added himself to the base of experts of a prestigious publication. Among the victims of hacker attacks by Adrian Lamo are Yahoo!, Bank of America and other large and reputable companies. Often, Lamo, finding a weak spot in the security of a particular system, hacked it and reported it to the company — so that they would know where and what they had a mistake. There are quite legitimate cooperation schemes for such noble gestures: however, they do not bring such loud fame. Today Lamo lectures, writes articles and consults on security issues.
Robert Tappan Morris is the patriarch of hacking. After graduating from Harvard University in 1987, Morris developed the idea of a worm as a tool for working with arrays. But for this innocent purpose, the «Morris worm» was too dangerous. Deadly dangerous. The worm guessed passwords for accounts and in 1988 paralyzed the work of 6,000 computers in the United States. A year later, Robert Tappan Morris became the first person to be charged with computer fraud. After the end of his suspended sentence, performing community service and paying a fine, Morris returned to scientific activity, and today his lectures can be heard at the Massachusetts Institute of Technology.
Cody Kretsinger, member of the hacker group LulzSec, pleaded guilty to hacking a Sony Playstation in 2011. Kretsinger gained access to the personal data of 77 million users, because of his attack, Sony Playstation was forced to suspend the network for 24 days.
The LulzSec group itself is often criticized for the lack of motivation for their actions: hackers should be people of ideas, and not just be engaged in demonstrating their own skills. LulzSec has hacked companies such as Mantech International, Sony, Nintendo and others. The consolation is that none of the LulzSec members used their skills for the purpose of financial fraud. Cody Kretsinger served a year in prison, and the identities of his other «colleagues» have not yet been established.
Jacob Applebaum — you may have heard about him in the context of WikiLeaks (he represented them at the HOPE conference in 2010), in connection with the Snowden case (as a journalist Applebaum makes a great contribution to the publication of documents released by Snowden) or as a key figure of the Tor project (systems for anonymous communication). Jacob Applebaum is a man of difficult fate. At the age of 6, he was taken from a dysfunctional family, at first he lived with relatives, then he was sent to an orphanage, a few years later his heroin-addicted father returned the right to guardianship.
Familiarity with computers and information technology, as Applebaum claimed, saved his life. Applebaum was not accused of hacker attacks, but this does not prevent him from being one of the threats to the information security of the American government. So, he is regularly detained at the airports of the world, they follow him and conduct searches.
Kevin Mitnick received the title of «the most dangerous hacker in the world» for many years of virtuoso hacking activity. The peak of Kevin Mitnick’s «career» came in 1980-90. His forte is phone hacking. Several convictions and prison terms, a compulsory course of treatment for «computer addiction», a ban on approaching the phone and a computer — and repeated violation of the law again and again. When Mitnick was released on probation from yet another prison in 1990, he could not resist the opportunity to misbehave: his warden’s phone number was suddenly blocked, the judge’s bank account took on a life of its own, and all information about the hacker disappeared from the database of the forensic computer.
The story of Tsutumu Shimomura, a leading American computer security specialist, is also noteworthy. Mintin masterfully hacked Shimomura’s computer. Is it necessary to say that the protection of honor for any Japanese is a matter of principle? Shimomura staged a real hunt for the joker Mitnick, and as a result, the latter was caught with the help of several police squads. After being released from prison (of course, he was again convicted), Mitnick returned to a law-abiding life: since the early 2000s, he has not been seen in hacker attacks, runs his own business (his company specializes in computer security) and cooperates with the police.
Gary McKinnon, Scottish hacker who eclipsed Kevin Mitnick on the hacker Olympus. For almost 15 years, the fate of Gary McKinnon has been hanging by a thread: the US authorities are actively seeking his extradition, and the UK is using various tricks to keep its subject from being extradited. In 2001-2002, Gary McKinnon hacked into hundreds of computers from NASA and various departments associated with the US Department of Defense.
After hacking into the Pentagon’s networks, McKinnon left a message: «Your security is crap.» He blocked more than 2,000 computers in the Washington military district for a day, suspended the supply of ammunition, deleted, according to US sources, critical files. His activities have been called the largest hacking of military computers in history. The hacker himself denies his interference in US military affairs, referring to the fact that the main subject of his interest was materials related to UFOs. In the UK, computer security offenses are not subject to extradition, but if the US authorities still win this seemingly endless process, McKinnon faces up to 70 years in prison. Moreover, it is quite possible that the Guantanamo prison could become the place of detention.
The fate of a hacker — Nag.ru News
which experts around the world estimated at $ 1 billion. The losses could have been much worse if not for a 23-year-old cybersecurity specialist from Britain, who almost by accident found a way to prevent the further spread of a virus attack.
However, Hutchins did not enjoy his fame for long: in America, where he came to the DefCon hacker conference, the recent hero was accused of cybercrime and arrested. The young man is still awaiting trial in the United States and cannot return to his homeland. About the ups and downs in the fate of the hacker, whose name thundered to the whole world last May, tells the American magazine New York Magazine.
By stopping WannaCry, Hutchins became a real celebrity: he was personally congratulated by former NSA agent Edward Snowden, articles about him were published by leading publications, and Cisco invited him to the largest hacker conference DefCon as a VIP participant. The year before, Marcus had attended the event, but it didn’t leave the best impression.
«I remember moving slowly through a crowded hall filled with a sea of people who smelled like they hadn’t washed in days,» he recalls.
But at DefCon 2017, things were very different: Hutchins became a star, with whom everyone strove to take a photo, and then post the picture online with the hashtag #WannaCrySlayer (#WannaCry killer).
In Las Vegas, Hutchins gave himself the kind of vacation that a 23-year-old can only dream of: he rented an apartment with the largest private pool through the Airbnb service, visited a shooting range where he fired from a machine gun, drove around the city in a rented Lamborghini , wandered around the casino, but not in order to play, but for the sake of free drinks. In a word, Hutchins was so carried away that he did not notice that he was being followed by American intelligence services. When at the airport, where Marcus was waiting for his flight to fly home, several agents approached him and asked him to go with them, this came as a complete surprise to the young man.
Unbeknownst to Hutchins, even before entering the US, the Wisconsin District Court accused him of being involved in the creation and distribution of the Kronos banking Trojan. For such crimes in America can face up to 40 years in prison.
After spending the weekend under arrest, Marcus appeared in court in Milwaukee, where he pleaded not guilty.
Hutchins was released on $30,000 bail. A sympathetic hacker, whom the Brit had never met, contributed the amount for it.
Markus was banned from leaving the country, and in anticipation of the next court hearings, the «WannaCry killer» had to settle in Los Angeles, where the office of the information security company Kryptos Logic, for which he works, is located.
Gradually, the American Themis eased the restrictions (first Hutchins was put under house arrest, then transferred to a curfew and ordered to wear a GPS tracker on his ankle), but the young man’s former life was practically destroyed. Marcus was abandoned by a girl, and in his position it was hardly worth counting on a new relationship. Although lawyers defended Hutchins pro bono, he had to sell most of his bitcoin savings to pay for immigration and tax consultations with lawyers. Markus slept poorly and was unable to work (one of the conditions for his release on bail was a ban on using the Internet, which was later removed, as well as a GPS bracelet).
“The FBI took everything from me: my job, my girlfriend, my bitcoins,” Hutchins complained in an interview with New York Magazine journalist Reeves Wiedeman, which took place in February 2018 in the resort town of Santa Monica in West Los Angeles.
Part of the note about the winner of WannaCry is devoted to an excursion into his biography. Marcus grew up in Ilfracombe, on the southwest coast of England, where about 11,000 people live. Having started learning programming at the age of 12, by the time he was in high school, he was already so skilled at it that the school administration suspected him of a cyber attack that disabled the servers of the educational institution. However, Hutchins himself insists on his innocence.
After leaving school, he studied for two years at a local technical school, where the level of teaching computer science seemed to him too primitive. In 2013, Markus started blogging Malwaretech.com, where he shared his amateur discoveries in the field of so-called reverse engineering, one of the key areas in the field of information security, the essence of which is to analyze malware to reveal the mechanisms of its work.
In one of the articles entitled «Viruses for fun, not for profit (after all, the latter is illegal)» Hutchins complained about the lack of worthy objects for analysis and admitted that because of this he himself tried to write a malicious program. However, he immediately reassured the readers of the blog: the bootkit he created for Windows XP exists only in an experimental version, which cannot be used for an attack.
Although Hutchins tried to find a job in the information security field and even applied to the UK Government Communications Headquaters (GCHQ) — the analogue of the National Security Agency in the United States, he claims that he became interested in hacking from nothing to do and never planned to build on this career.
Be that as it may, in 2015, the young man was noticed by the CEO of the security company Kryptos Logic, Salim Neino, who read Hutchins’ article about the Kelihos botnet and immediately offered him a job.
«He is very gifted.
Certain things can be taught, but in the field of computer security it is extremely important to have inclinations from nature,» his American boss described the Briton.
And so, at the age of 22, Hutchins suddenly began to receive a six-figure salary, while having two people under his command and working remotely according to a schedule that was convenient for him from his bedroom in his home. He quickly earned a reputation in the world of information security professionals, often selflessly helping colleagues. In 2017, Hutchins was invited to participate in an initiative by the UK’s National Cybersecurity Center to recruit the country’s best and brightest cybersecurity experts to work for the government.
When Hutchins first heard about the WannaCry ransomware virus in May 2017, he did not attach much importance to the news, since such incidents had already become commonplace. However, the attack, for which the hackers used the EternalBlue exploit, which uses the Windows SMB network protocol vulnerability, continued to gain momentum, and Hutchins became interested.
Having obtained a sample of WannaCry from one of his friends, the Briton dismantled the malware piece by piece. Analysis of the program code showed that the virus is requesting a non-existent iuqerfsodp9 domainifjaposdfjhgosurijfaewrwergwea.com, which prompted the idea to register such a name. By doing this, Hutchins stopped the further spread of the virus, which was triggered in the event of an unsuccessful domain request.
A couple of days later, the media found out who was behind saving the world from WannaCry, and Marcus’s photos were all over the tabloid covers. Hutchins was besieged by reporters, the Associated Press published an interview with him, and the number of followers on his Twitter account quadrupled.
In the cyber community, the merits of the British were praised to the skies. Markus was presented with the SC Awards Europe honorary award, which indicates the highest recognition in the field of information security.
However, Hutchins’ triumph was short-lived: it ended with the DefCon conference and a luxurious vacation in Vegas, when he was detained at the airport by agents of the FBI.
The Briton is suspected not only of creating the Kronos malware, which stole input data from computers for payments, but also of conspiring to sell the virus to cybercriminals and advertising a Trojan on the underground AlphaBay online platform, which was closed as a result of a large-scale international operation in July 2017.
Among security professionals, the news was perceived as a bolt from the blue. For once, a hacker became a hero, and suddenly such an embarrassment — he turns out to be a cybercriminal. Attacks and allegations suddenly rained down on Hutchins, saying that he created WannaCry, and stopped the attack only because it got out of his control. But the version was not confirmed: the authorities of the United States and other countries blamed WannaCry on North Korean hackers from the Lazarus group.
Some fell into conspiracy theories and said that all the charges were fabricated in order to force Hutchins to be more accommodating with the special services and work more closely with them.
Hutchins has collaborated with law enforcement on numerous occasions, including in the WannaCry case. He even publicly thanked the FBI for their help.
Others, seeking to protect the Briton, argued that he would not have had enough experience to create Kronos. This «justification» causes Hutchins no less annoyance than unfounded attacks.
«I don’t even know what is more offensive: when they consider you a scoundrel, or when they question your abilities as a programmer,» the young man admitted.
Meanwhile, a month after Hutchins’s arrest, cybersecurity journalist Brian Krebs wrote in an article about the connection he found between the British man’s identity and several hacker nicknames involved in minor cybercrimes that were committed when Hutchins was a teenager. Although the journalist found no evidence that Markus was involved in the creation of Kronos, after the publication there was talk that the young man’s past was far from flawless.
However, the dark pages in Marcus’ life do not bother his boss, Salim Neino.
«How else can people like Markus hone their talent? To improve, information security specialists need to face real threats. Therefore, many of them visit shadow hacker forums and make friends with cybercriminals,» notes the head of Kryptos Logic.
Quite often in the cyber community there are those who have moved from the dark side to the light side. As teenagers, many of them tested boundaries and broke the law, says Katie Moussouris, a well-known hacker personality who is now the official spokesperson for vulnerability contest platform HackerOne. According to her, in youth, you often want to go all out, prove your importance and skill, and get recognition.
Even the prosecutors who brought charges against Hutchins admit that his alleged crimes are «things of bygone days» and do not consider the Brit a social danger. Otherwise, why were all restrictions on Internet access removed from him — an extremely unusual practice in such cases.
According to law enforcement officers, during interrogation immediately after his arrest at the Las Vegas airport, Hutchins admitted to creating Kronos, but lawyers say that FBI agents put pressure on the young man, plus, during his testimony, he suffered from lack of sleep and was drunk. US authorities also have printouts of Hutchins’ online chats, in which he allegedly communicated with another unidentified suspect about the sale of Kronos and the division of profits.
Hutchins does not deny that he may have done questionable acts in the past, but in the Kronos case he retracted under duress and now maintains his innocence. Marcus did not discuss the details with the journalist, referring to the fact that the trial is still ongoing.
However, Hutchins is already punished: the young man fears that even if the matter can be settled, irreparable damage has already been done to his reputation. The cybersecurity business is all about trust, and after the allegations against him, Markus fears being out of a job.
