
Security Research and Blackmail

kdawson posted more than 6 years ago | from the pay-to-play dept.

Security 307

harryjohnston alerts us to a story picked up by a few bloggers in the security space. A Russian security research company, Gleg, has discovered a zero-day in the latest version of RealPlayer 11. But they won't reveal details to Real, or to CERT, despite repeated requests. Details are available only to their clients, who pay a lot of money for early access to such knowledge. To describe Gleg's business model, Daniweb rather cautiously puts forward the word "blackmail." The story was first exposed in Ryan Naraine's SecurityWatch blog.


Intellectual Property (5, Interesting)

thebear05 (916315) | more than 6 years ago | (#22375680)

Seems fair they have information and want to be paid for it

Re:Intellectual Property (3, Insightful)

Penguinisto (415985) | more than 6 years ago | (#22375856)

If I knew how to break into your house, then told you that I was able to but won't tell you how unless you paid up a fee?

I'm sure that you'd easily come up with a lot of reasons why it isn't cool.

On certain superficial moral levels, sure - proprietary closed-source shops would have it coming in a fashion. They make money from hidden information, so hiding information from them until a fee is paid sounds a bit like karma.

OTOH, that's not how we're supposed to work as a community, for one simple reason: end-users don't deserve the grief (which they would get in increased costs that would be passed onto them). Morally, a security researcher isn't supposed to hold information hostage and then credibly claim to be part of any ethical hacking community. At the very best, they would be called grey hats; many would rightly call them black-hats.

...and what if the info turns out to be bogus, or an attempt to manipulate the best-guess fix into becoming an even bigger security hole?

Sorry, but there's a distinct lack of responsibility and ethics going on here, no matter how much you think the primary target may deserve it.

/P

Re:Intellectual Property (2, Insightful)

thebear05 (916315) | more than 6 years ago | (#22375900)

How does your argument differ from the profession of a locksmith? They know how to get in your house, and you can pay them to get you into your house. Now, is it ethical to withhold information that could be used to hurt others? I would say that I personally think no. But if they have discovered something that is beneficial to someone, compensation does not seem unfair if reasonable.

Re:Intellectual Property (1)

Penguinisto (415985) | more than 6 years ago | (#22375938)

How does your argument differ from the profession of a lock smith?

I don't have a locksmith soliciting me out of the blue, demanding payment for his knowledge?

...and what if the weak-point is in a window, not a door? What if the weakness is in the garage door, the attic vent, crawlspace, or some other place where you'd not find a keyed lock?

Your locksmith is more akin to a security contractor or consultant - you specifically hire the guy to utilize his knowledge in order to fill a need which you yourself have (e.g. you locked yourself outside of the house or car). You don't have locksmiths coming to your door unbidden demanding payment.

/P

Re:Intellectual Property (2, Insightful)

vux984 (928602) | more than 6 years ago | (#22376062)

How does your argument differ from the profession of a lock smith? They know how to get in your house, and you can pay them to get you into your house.

Great analogy! Let's work with that.

Can you pay a locksmith to open someone elses house for you? Can you pay him to show you how so you can do it yourself?

Of course not.

But it goes further than that... locksmiths are both licensed and bonded in most civilised countries to help prevent exactly these sorts of activities, as well as any other sort of unethical activities he'd be able to commit.

Now if the locksmith discovered some fatal flaw of some widely distributed type of lock, I wouldn't say he's obligated to turn the information over to the lock manufacturer. And if he wants to sell them the information that's fine too.

But in the meantime, he still can't go around disclosing the information (for money or otherwise) or using it himself, outside of the ethical constraints of his trade (that is, of only opening locks for the owners, at their specific request).

Your locksmith analogy is apt. Perhaps security researchers should also be licensed and bonded before they are allowed to work professionally and provide services to the public. (Hobbyist hackers would still be free to bang away at their own locks in their own homes.)

Re:Intellectual Property (4, Insightful)

timeOday (582209) | more than 6 years ago | (#22376086)

How does your argument differ from the profession of a lock smith? They know how to get in your house, and you can pay them to get you into your house.
Go ahead and advertise a "locksmith" service to open the doors on anybody's home, without the owner's consent, for a fee. Then have fun in jail.

Here's a better analogy for a legal activity: auto makers who sell SUVs to whomever wants them, then tell the rest of us we need one to keep our families safe in the event of being hit by one. It's a classic arms race, the only real winner is the arms dealer.

Re:Intellectual Property (1)

Blkdeath (530393) | more than 6 years ago | (#22376350)

Go ahead and advertise a "locksmith" service to open the doors on anybody's home, without the owner's consent, for a fee. Then have fun in jail.

FWIW, there are security firms that specialize in exactly that. House being one of a personal residence, a corporate office, a warehouse, or any secured facility that a company wants audited. What better way to audit one's security than to hire people with technical knowledge on how to enter establishments they shouldn't be in? It's one of those niche businesses that savvy reformed criminals tend to start up because they're the ones with the unique skill sets to do so.

Here's a better analogy for a legal activity: auto makers who sell SUVs to whomever wants them, then tell the rest of us we need one to keep our families safe in the event of being hit by one. It's a classic arms race, the only real winner is the arms dealer.

Ahh, a car analogy. Auto manufacturers sold products their customers asked for, and what their customers asked for was a bigger vehicle that was neither a pickup truck nor a minivan, hence the SUV was born. How is being hit by an SUV different from being smucked by a minivan? Yaris and Fit don't work so well for families of 6 or 7.

As to your analogy, no, it's not comparable because RealNetworks aren't the ones selling the exploit code to people, they're the ones being "blackmailed". Hell-o?

Re:Intellectual Property (5, Insightful)

clarkkent09 (1104833) | more than 6 years ago | (#22376228)

If I knew how to break into your house, then told you that I was able to but won't tell you how unless you paid up a fee? I'm sure that you'd easily come up with a lot of reasons why it isn't cool.

Honestly, I couldn't. I am sure there are security experts out there who would be able to improve security of my house but I certainly wouldn't expect them to do it for free. This idea that if you find bugs in a software product, you have the responsibility to give that information to the company that makes it, and therefore help them improve their product, for free is completely bogus.

Sorry, but there's a distinct lack of responsibility and ethics going on here, no matter how much you think the primary target may deserve it.

I don't see any ethical problems here and it's completely irrelevant who the party involved is. I would actually argue that there is more of an ethical problem with testing a company's product for free, as it devalues the work of their own QA personnel, and it encourages companies to release shoddy products too early, with the expectation that paying customers will help them fix the bugs.

Re:Intellectual Property (1)

Edward Teach (11577) | more than 6 years ago | (#22376308)

BS. That is exactly what security analysts do. They research security problems. Whether it is how to break into your house or how to break into your computer is no different.

If I want my house to be secure, I can either secure it myself or I can pay someone to tell me where the vulnerabilities are.

Re:Intellectual Property (0)

piojo (995934) | more than 6 years ago | (#22376120)

I don't think the parent should be modded troll, though the comment seems to be sarcastic.

But in any case, what can we say about a company that makes its living by finding security vulnerabilities and offering to sell their findings to interested parties?

1) If they sell their findings to people who want to exploit them (rather than fix them), they are scum.
2) If they do not do (1), these companies are useful, as they do make it easier for flaws to be fixed, even if they do charge money (and won't help if you don't pay them).
3) It's *mean*. It's not nice to solicit someone and say "I could fix your problems (and it wouldn't even take me any work!), but you have to pay me a lot."

Point 3 does not change the fact that this company's existence is useful. Further, it's a necessity if they want to continue to exist. They need to be paid somehow. (I haven't read the article, and I will eat my shoe if they actually are selling exploits to third parties.)

Re:Intellectual Property (0, Flamebait)

jacquesm (154384) | more than 6 years ago | (#22376294)

even fairer, they *did* release information, precisely one bit worth: is there an unpatched exploit in Real? The answer is 'yes'. So now all Real has to do is get off its ass and do its job *or* open source their code and we'll help them ;)

Blackmail eh? (3, Insightful)

QuantumG (50515) | more than 6 years ago | (#22375682)

How about just "proprietary knowledge".. ya know, like the source code of Real Player?

Re:Blackmail eh? (1)

iksbob (947407) | more than 6 years ago | (#22376016)

I think "extortion" fits the situation a little better. Blackmail requires a criminal act.

Re:Blackmail eh? (5, Insightful)

QuantumG (50515) | more than 6 years ago | (#22376034)

huh? Call me crazy, but isn't extortion where you demand someone pay you to keep quiet? These guys are not demanding a silence payment.. they're just selling their proprietary information to whoever wants to pay for it.

Re:Blackmail eh? (0, Redundant)

Vectronic (1221470) | more than 6 years ago | (#22376162)

Extortion is basically the (ab)use of power to obtain something you wouldn't be able to obtain without the power.

Blackmail is generally the use of information or threats to extort something you desire from someone else.

Blackmail is essentially a method of extortion.

Re:Blackmail eh? (1)

QuantumG (50515) | more than 6 years ago | (#22376280)

Extortion is basically the (ab)use of power to obtain something you wouldn't be able to obtain without the power.
Hey man, you're free to define a word any way you like, but don't expect the rest of us to know what the hell you're talking about if you do.

http://www.google.com/search?hl=en&q=define%3AExtortion [google.com]

Re:Blackmail eh? (1)

Your Pal Dave (33229) | more than 6 years ago | (#22376136)

I think "extortion" fits the situation a little better.
And, the "X" makes it sound cool!

proprietaryness doesn't matter here! (1)

fishermonger (665593) | more than 6 years ago | (#22376122)

and if this zero-day was targeted at mysql? Please mod down parent.

Non free morals, the victim is also a criminal. (1)

twitter (104583) | more than 6 years ago | (#22376356)

The immoral nature of non free software means we should have less sympathy for the victim. Real has owners who use secrets against customers. Most non free software owners ship code with known problems and leave the users open to this kind of thing without batting an eye. The more reprehensible of non free software companies will deny a flaw exists when it's presented to them and beg the discoverer to keep quiet while they "fix" the problem ... forever, and then act angry when the flaw is revealed to the public. Worse, they have robbed the public domain and then backed stupid patent laws that prohibit free software authors from various methods and features. Why should anyone care when non free rules and behavior are turned on them? My patience for these parasites is exhausted.

Nor am I certain all of the purchasers are criminals. Legitimate purchasers of the exploit include people who make tools to detect and guard against the problem. Their existence may be repulsive but it is supported by the larger crime which is non free software.

But... (1)

Eevee1 (1147279) | more than 6 years ago | (#22375684)

But who does use RealPlayer anyway, that this could possibly affect? I mean, there's VLC and I daresay others out there that can play similar files.

Re:But... (1)

Nossie (753694) | more than 6 years ago | (#22375700)

I think you're missing the point...

What if this article concerned 'VLC' and 'daresay others' ?

Re:But... (1)

Eevee1 (1147279) | more than 6 years ago | (#22375716)

Well, it would theoretically be possible to rewrite the code cheaper with open source rather than with something like RealPlayer.

I know by saying this, the next response will be modded +5 Insightful or +5 Informative.

Re:But... (0)

Anonymous Coward | more than 6 years ago | (#22375732)

I think you're missing the point...

What if this article concerned 'VLC' and 'daresay others' ?
Well, the source is there. A thorough audit will likely find the issue(s).

Re:But... (1)

Nossie (753694) | more than 6 years ago | (#22375800)

true... but there are x patent violations in 'Linux' if you believe Microsoft... and yet nobody has found any of them and Microsoft is staying hush, is this not the same thing?

Re:But... (1)

kcbanner (929309) | more than 6 years ago | (#22375852)

No, it's not. We're talking about security vulnerabilities, not patent terminology.

Re:But... (0)

Anonymous Coward | more than 6 years ago | (#22376018)

"proprietary knowledge"

Anal are we? or just your standard case of geek OCD?

Re:But... (0)

Anonymous Coward | more than 6 years ago | (#22376054)

true... but there are x patent violations in 'Linux' if you believe Microsoft... and yet nobody has found any of them and Microsoft is staying hush, is this not the same thing?
There is no doubt that VLC violates patents. That is why VLC is developed in France. Mpeg2 is patented, mpeg4 (Xvid/divX/h264) is patented, mp3 is patented, aac is patented, css is patented, etc. VLC supports all of those.

Re:But... (0)

Anonymous Coward | more than 6 years ago | (#22376102)

were we talking about a media player that could or could not come with linux that could or could not include proprietary codecs or are we talking about the supposed x amount of patent violations in GNU LINUX?

keep also in mind that you can get VLC for windows too...

Re:But... (0)

Anonymous Coward | more than 6 years ago | (#22376212)

I don't see what GLEG is doing as being any more "blackmail" or immoral than software vendors who release products with security vulnerabilities and develop patches to close them but refuse to provide the patches unless they are paid. As long as there are vendors that are allowed to require a paid up support agreement (whatever they may choose to call it) in order to make a security patch available, then GLEG should be allowed to charge for their information.

Even if vendors are required to include the cost of security patches in the original license purchase cost (i.e. everyone with a license to use has, by virtue of having purchased that license, a right to all security patches at no additional cost), GLEG should have the right to be paid for their work.

It doesn't matter what the product is.

How can people be so socialist on this issue yet capitalist on others? If GLEG is immoral for not giving away its information because it has social benefit, then why isn't Real immoral for not giving away RealPlayer because it has social benefit (actually, I don't use RealPlayer, but so many people do I assume it has some benefit)?

Re:But... (4, Informative)

techno-vampire (666512) | more than 6 years ago | (#22376264)

But who does use RealPlayer anyway, that this could possibly affect?

All the Aunt Tillies out there who use Windows because it came installed on their computers and have no idea what an operating system is. They use IE for the same reason, and when they want to hear an audio file, guess what IE tells them to install? One hint: it won't be VLC.

I for one ... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#22375698)

... welcome our russian blackmailing overlords

in soviet russia security blackmails you (for real!)

Re:I for one ... (5, Insightful)

mysidia (191772) | more than 6 years ago | (#22375824)

Not blackmail. But poorly designed software tends to have security bugs.

These bugs pose a problem for users of the software. It makes sense that third party services exist that scour software for bugs like this, for the benefit of the software's users and prospective users.

So they can know whether to use the software or whether to take extra precautions/refrain from using it.

The cost of performing this type of analysis is high. Much time and energy is required.

It makes sense that you need to pay to review their findings in detail, or to review them before they are publicly released (for free).

If they merely submit their findings to the software vendor, then they have provided the vendor with high-quality, costly labor for free.

Why should the software vendor get free labor from security researchers, and be able to freely follow poor design practices in the design of their software, while relying on the public to find and report the issues gradually? (For them to lazily fix _after_ the defect is drawn to their attention)

If the security researcher wishes to serve the community, then they have the option of practicing full disclosure, but they may be more fairly compensated for their work by providing paying customers with key information in advance, so their customers can mitigate the problem, before it has become public (and known to the bad guys).

One way you mitigate the problem is very simple: uninstall the defective RealPlayer 11. Re-install the fixed version, when it becomes available.
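The mitigation the comment above describes (find every host still running the affected version and remove or isolate it until a fix ships) is only as good as the inventory check behind it. Below is an added example, not code from the thread or from Gleg, Real or anyone else named on this page, of an inventory-driven check for an unpatched client application. The host names, the inventory rows and the "every 11.x build is affected" rule are assumptions made for illustration; the page gives no vulnerability details, so no exploit-specific signature is attempted. The one thing worth learning from it is the version comparison: lexically, "9.0" sorts after "11.0", and ad-hoc compliance scripts that compare version strings as text routinely miss or over-report hosts.

```python
"""Inventory-driven mitigation check for an unpatched client application.

Added example for the thread above; not code from any party named on the page.
The inventory below is constructed, and the affected-version range is an
assumption (the page only says "the latest version of RealPlayer 11").
"""
from dataclasses import dataclass

# Constructed sample inventory, one "host,product,version" row per line.
# A real one would come from SCCM, osquery, a CMDB export, etc.
SAMPLE_INVENTORY = """\
# host,product,version
ws-001,RealPlayer,11.0.0.468
ws-002,RealPlayer,10.5.0.1
ws-003,VLC media player,0.8.6d
ws-004,RealPlayer,11.0.1
ws-005,RealPlayer,9.0
ws-006,RealPlayer,11
"""


@dataclass(frozen=True)
class AffectedRange:
    """Product plus a half-open version interval [low, high)."""
    product: str
    low: str
    high: str


def parse_version(text, width=4):
    """Turn a dotted version string into a tuple that compares numerically.

    Each component becomes (int, suffix) so that "6d" sorts after "6" while
    "9" still sorts before "11". Missing trailing components are padded with
    zeros so "11" and "11.0.0.0" compare equal.
    """
    comps = []
    for piece in text.strip().split("."):
        num = ""
        for ch in piece:
            if not ch.isdigit():
                break
            num += ch
        comps.append((int(num) if num else 0, piece[len(num):]))
    while len(comps) < width:
        comps.append((0, ""))
    return tuple(comps[:width])


def is_affected(product, version, rule):
    """True when the product matches and the version lies in the affected range."""
    if product.strip().lower() != rule.product.lower():
        return False
    v = parse_version(version)
    return parse_version(rule.low) <= v < parse_version(rule.high)


def hosts_needing_mitigation(inventory_text, rule):
    """Return (host, version) pairs that still run an affected build."""
    hits = []
    for line in inventory_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, product, version = (field.strip() for field in line.split(",", 2))
        if is_affected(product, version, rule):
            hits.append((host, version))
    return hits


# Assumption: with no vendor detail available, treat every 11.x build as affected.
REALPLAYER_11 = AffectedRange(product="RealPlayer", low="11", high="12")

if __name__ == "__main__":
    for host, version in hosts_needing_mitigation(SAMPLE_INVENTORY, REALPLAYER_11):
        print(f"{host}: RealPlayer {version} affected; uninstall or isolate until a fix ships")
```

Widen or narrow `AffectedRange` as the vendor publishes details; the half-open interval makes it easy to express "fixed in 11.0.2" as `high="11.0.2"` without touching the comparison logic.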

Wrong. (1, Interesting)

Anonymous Coward | more than 6 years ago | (#22375978)

Sorry, but this is blackmail. As there are two potential customers:

1. Real.
2. Criminal buyers.

The sale of this information to criminals has the additional effect of potentially severely damaging Real's business and Real's customers (you and me).

So, offering up this bug for a fee to any one other than Real, even as an idle threat, is nothing short of blackmail.

These guys are not "security researchers", they are criminals.

Re:Wrong. (2, Informative)

Deanalator (806515) | more than 6 years ago | (#22376176)

Plenty of pen testers use 0day when evaluating companies. The theory is that busting a single machine on the corporate network should not give you the "keys to the kingdom". Properly implemented security architecture should be able to mitigate single point failures. Immunity and Core (American companies) both buy and sell 0day without informing the vendor. Wabisabilabi has a very convenient marketplace for such transactions as well. It's all supply and demand. Sure it's sketchy, but aren't you glad that these are being sold in public, and not just on the black market?

Re:I for one ... (4, Interesting)

cdrguru (88047) | more than 6 years ago | (#22376006)

Yes, but you have missed the key point.

There are three classes of potential customers: product owners, users, and criminals. If the researcher makes it clear they are willing to sell their information to the third class - criminals - then it matters little if they are also willing to sell to the other two classes or not.

Clearly, the implication is they do not want to sell to the product owner class as that would be a single sale. By selling the information to users and criminals they ensure that they have a substantial number of potential sales as well as motivating the users to buy rapidly or else they will be victims of the criminal class.

Re:I for one ... (0)

Anonymous Coward | more than 6 years ago | (#22376198)

There's also a fourth class of potential customer - security product vendors (such as IPS or anti-malware vendors).

If you can sell knowledge of a zero day exploit to an IPS vendor, they can trumpet their 0-day protection when there isn't even a patch from the app vendor and by the looks of the wording in TFA, it looks as if this is their target market;

"Gleg sells exploits to about a dozen corporate customers around the world, with fees starting at $10,000 for periodic updates."

So for the IPS and anti-malware vendors, Gleg is a supplier of exploit information that they can use in a legitimate way and in that respect, prima facie, the business model is valid and any talk of blackmail could potentially be libelous.

Re:I for one ... (1)

turbinewind (667970) | more than 6 years ago | (#22376244)

Oh, yes, yes. These "Security Researchers" are just fine, upstanding business people trying to make a living. So they spend their days trying to discover information that can be used to damage companies and then share that information.....if the price is right.

What a generous term - Security Research. It's like Intellectual Property Monetizer, or as frequently called here - patent troll. Both create an industry in the grey, dark, dank areas between folks who create stuff and folks who squash stuff. Their businesses have no inherent value, but because of how our technologies, societies and laws work, their existence persists and grows. I imagine soon "Security Research Firm" will have a strong lobby and we'll start to see new laws requiring known security flaws to be allowed to persist in software for specified periods of time so these fine (campaign contributing) business have the time to recoup their investment (collect their protection money).

What was wrong with the old model? Find a flaw, announce it to the whole world at once. If Real or other companies are the subject of too many of these announcements and/or are slow to respond, we stop buying/using their software - problem solved. Hey, wait, that's capitalism without blackmail...

Re:I for one ... (1)

clarkkent09 (1104833) | more than 6 years ago | (#22376332)

Easy solution from Real's point of view: don't release products with major security flaws. If you do, don't expect people to put in lots of work to find them and then give them to you for free.

it's tough (2, Interesting)

rastoboy29 (807168) | more than 6 years ago | (#22375702)

If you're not actually shaking down the vendor, it's not blackmail.  I mean, if you get a piece of information, are you obligated to inform anyone?

It is sleazy, don't get me wrong, because what other reason would someone other than Real want to purchase the information except to do no good?  But I'm having a hard time feeling sorry for Real, because they suck so fucking bad.  I keep trying to replace them in my mind with some company I like to analyze the situation, but it just keeps switching back to Real.

I mean, it's not like someone's going to get killed or anything.  Unless, of course, Putin wants that done.

Re:it's tough (2, Informative)

thedarknite (1031380) | more than 6 years ago | (#22375778)

But it does come close to racketeering.

Re:it's tough (1)

Ambush Commander (871525) | more than 6 years ago | (#22375830)

Mod parent up!

To elaborate, Evgeny is threatening damage to Real (by this exploit) unless they pay up a sizable sum of money to purchase the exploit (whether or not he'd sell it to Real is another matter, although Real could always pose as a client and then purchase it).

I know Real has got a pretty scummy reputation, but that's no excuse to condone this behavior.

Re:it's tough (1)

QuantumG (50515) | more than 6 years ago | (#22375882)

How exactly are they threatening damage?

Re:it's tough (1)

Ambush Commander (871525) | more than 6 years ago | (#22375912)

...this is an exploit, after all.

I understand where you're coming from; the only ones who seem to be directly affected are the poor end-users. However, if people stop using RealPlayer because of the exploits, and IT departments start uninstalling it because all their machines are getting owned, and it affects RealMedia's bottom-line, you can be sure as hell that's damage.

Re:it's tough (0)

Anonymous Coward | more than 6 years ago | (#22375998)

if people stop using RealPlayer because of the exploits, and IT departments start uninstalling it because all their machines are getting owned, and it affects RealMedia's bottom-line, you can be sure as hell that's

...a win for everyone. Besides Real.

Re:it's tough (1)

QuantumG (50515) | more than 6 years ago | (#22376026)

But *they* caused the damage.. they released a product with a security flaw in it. If some third party who doesn't even have the source code can find it, then so can RealMedia.

In the meantime, there's people who sell anti-malware. There's people who sell intrusion detection systems. There's people who get paid to maintain the security of corporate networks. All of these other people are willing to pay for information about the exploit.. some of them are even willing to pay for exclusivity - to the extent that this one research company can actually provide that; remember that anyone can do the same work they did and find the same defect. In the meantime, RealMedia are *not* sitting there saying "oh, but if you would just tell us what it was we'd so like to fix it!" They're cranking out more code with security flaws in it because they don't care enough to hire their own security analysis people.

Re:it's tough (2, Insightful)

Ambush Commander (871525) | more than 6 years ago | (#22376068)

It's one thing for RealMedia to cause damage (release a product with a security flaw in it). It is another thing to actively exacerbate this damage (release an exploit to the blackhat community for large sums of money, and refuse to tell the vendor what the exploit is).

Re:it's tough (1)

QuantumG (50515) | more than 6 years ago | (#22376248)

blah, RealMedia are free to plug the hole any time they want.. they just don't get the research used to find the hole for free.. they have to do their own damn research.

Re:it's tough (1)

networkBoy (774728) | more than 6 years ago | (#22376258)

You know what's funny?
I thought Real was dead...
I had no idea they were still in business till today.
this is racketeering, and it's wrong. That said, I wish there was a culture of "Hey thanks for finding that whopper of a bug, here's a couple grand" for bugs that can be exploits, because should such a culture arise, your average geek would go for the bounty.
-nB

Re:it's tough (1)

Omnifarious (11933) | more than 6 years ago | (#22376242)

You make an interesting point, and my feelings are along the same lines. But I'm very much on the fence about this. Really though, Real just made their own bed by releasing such buggy software.

Re:it's tough (2, Insightful)

fosterNutrition (953798) | more than 6 years ago | (#22375992)

I don't see it that way. In my view, they're not "threatening damage" but promising results. They're essentially saying "Hey Real, if you hire us to do a security audit, we can guarantee we will find at least one serious vulnerability, and your money will have been well spent." It's a bit disingenuous to phrase it this way, but it essentially boils down to the same thing.

Think of it as "we guarantee value for your money" rather than "give us money or we guarantee you'll wish you had," which, if you consider missed opportunities valuable, mean the same thing.

Re:it's tough (1)

Ambush Commander (871525) | more than 6 years ago | (#22376108)

Yes, they are promising results, but the reason why they can "guarantee" these results is because they already know about them. This is a key distinction from a traditional security audit, where one presumably doesn't know the vulnerabilities before signing the contract.

Re:it's tough (0)

Anonymous Coward | more than 6 years ago | (#22376310)

You're right, there's no threatening going on here, just a business transaction.

It's just like when cousin Guido stops by your grocery store and offers you some security - with guaranteed results.

"Hey kid, nice shop you got here... This is a tough neighborhood, sure it would be a real shame if something happened to it next Thursday. Now, if you hire me and the boys for security, I can GUARANTEE nothing will happen..."

Re:it's tough (1)

Ambush Commander (871525) | more than 6 years ago | (#22376126)

I should add, whether or not we condone this behavior has no bearing on the issue at all. This is a clear issue of a product arising to supply a need; if we want to curb this capitalistic instinct we'll have to get the Russian Government to do something for the "greater good."

What is the greater good? For me it's pretty clear: software without security vulnerabilities. Is it reasonable to expect security researchers not to make money off their knowledge? Is it reasonable to expect software not to have security problems? Is it reasonable to expect people with vulnerabilities to make them public and not sell them to the black market?

Probably not. Still, we can dream (or say OPEN-SOURCE, although that really doesn't fix the problem if it never goes public.)

Re:it's tough (1)

freedom_india (780002) | more than 6 years ago | (#22376286)

I don't think so.
I would still support Evgeny even if the product belonged to Apple.
BECAUSE, Evgeny spent x amount of money to discover the bug, which should have been first discovered by Real.
Now, after spending money and effort, you expect Real to be given that information Free, because Real made the defective product in the first place?
That is not capitalism. Real is practising Fascism.
The assumption is that Real with its army of lawyers could scam the legal and legislative system of russia and force Evgeny to release this information to Real only.

Sorry to burst the bubble, but Russia practices pure capitalism. In this case Evgeny is free to sell it to largest payer.

Dear Real, get over it. This is not the US, where the laws you purchased could have forced Evgeny to hand over the exploit to you for free.
This is New Russia, so that means you pay, else watch as millions of Real players are off-the-grid.

Re:it's tough (1)

Actually, I do RTFA (1058596) | more than 6 years ago | (#22375868)

It is sleazy, don't get me wrong, because what other reason would someone other than Real want to purchase the information except to do no good?

Well, there are malware blocking programs that deal with plugging holes in other programs. Windows, and the various VB running Office programs are one source of bugs. I could see an antimalware company advertising itself as fixing holes in Real/Flash/Other malformed content.

thank you (1)

vespacide2 (1235470) | more than 6 years ago | (#22376142)

for explaining what the orthodox definition of blackmail is.

Re:metasploit would (1)

dkarma (985926) | more than 6 years ago | (#22376322)

what other reason would someone other than Real want to purchase the information except to do no good?

****

What about security teams like metasploit and the like?

There are perfectly reasonable people who are interested in this exploit possibly for the sole purpose of protecting their business or personal computers. Your jump to the conclusion of "anyone wanting this except Real just wants it for criminal uses" is ridiculous to say the least.

One sure way (0, Troll)

bherman (531936) | more than 6 years ago | (#22375712)

I bet if they opened up their source code someone would be nice enough to look it over and tell them what they find. Too bad they're closed source. Oh well.

Re:One sure way (0)

Anonymous Coward | more than 6 years ago | (#22375834)

I bet if they opened up their source code someone would be nice enough to look it over and tell them what they find.

Yep. Patent trolls and their hired guns would be very interested.

Re:One sure way (0)

Anonymous Coward | more than 6 years ago | (#22375870)

I bet if they opened up their source code someone would be nice enough to look it over and tell them what they find. Too bad they're closed source. Oh well.
Actually, to a certain extent they did [helixcommunity.org] .

One word: no (1)

WetCat (558132) | more than 6 years ago | (#22375734)

Why should they give the information for free? They spent time and effort to find the vulnerabilities; it's quite enough just to know that they exist. If CERT or Real really want to find those bugs, they can either
  Pay for the information - it's the cost of doing business with proprietary software,
or
  Find the bugs themselves: just having a tip about the bugs is valuable information,
or
  Open source and get the help of community in code review.

Re:One word: no (0)

Anonymous Coward | more than 6 years ago | (#22375812)

I agree! CERT should open source! Those proprietary bastards! /sarcasm

and open source does not help in this situation, are you retarded? I can find a Linux TCP stack remote exploit and say I'll only tell Linus what it is for $10,000 - same situation.

Nothing's free (1)

StealthyRoid (1019620) | more than 6 years ago | (#22375740)

I don't know how this is even remotely blackmail. What do companies like Real pay their QA guys to find the exact kind of 0-day exploits that the Russians discovered? I'll bet it's not 0. And why should the Soviets be required, morally, ethically, or otherwise, to provide something for free that any responsible software company pays talented people for? Maybe it's sort of dickish to sell it to Soviet hackers, but the fact is, it's their work that produced the knowledge of the exploit, and they should profit from it. Information isn't always free, nor should it be.

There's no fiduciary duty here (1)

Sangui5 (12317) | more than 6 years ago | (#22375746)

Indeed, for individuals, pointing out security problems can be dangerous. It isn't very nice of them, but then again, most software vendors aren't nice either. Calling this blackmail is a bit of a stretch.

Re:There's no fiduciary duty here (1)

timeOday (582209) | more than 6 years ago | (#22375982)

One interesting consequence of allowing this type of behavior is that software vulnerabilities would carry a financial consequence for the software makers. It's a sort of liability they can't simply disclaim in the license.

It's called capitalism (5, Insightful)

enos (627034) | more than 6 years ago | (#22375750)

It's called capitalism, and it's been breaking out in eastern Europe ever since the USSR fell. In unregulated areas (i.e. new markets) they have a much more "pure" concept of it than the west. The public good is a socialist idea. This same thing happens in a lot of places in the west where there are shops that specialize in IP of some sort. They have to make their living somehow. It's just that people are used to security companies giving this stuff away for free.

Re:It's called capitalism (2, Interesting)

thelexx (237096) | more than 6 years ago | (#22375888)

Way to completely sidestep the word 'ethics' there...

"In unregulated areas (i.e. new markets) they have a much more "rapacious" concept of it than the west. The public good is an inconvenient idea."

FTFY

Re:It's called capitalism (0)

Anonymous Coward | more than 6 years ago | (#22375892)

The individual capitalists finding a balance that is for the public good fits within capitalism. Individuals choosing to act for the public good also fits into capitalism. It's only when the government gets involved, and starts to redistribute wealth, that you get socialism.

Re:It's called capitalism (1)

timeOday (582209) | more than 6 years ago | (#22375942)

A lot of the responses here claim it's capitalism and therefore must not be blackmail, as if that were a dichotomy. It's not. Blackmail is capitalism, just as libel is speech. I really don't know whether Gleg's actions meet the legal definition of blackmail in Russia, or for that matter in the US. But the fact that Gleg can make money doing this is not, in itself, much of a defense against charges of blackmail.

Re:It's called capitalism (1)

sempernoctis (1229258) | more than 6 years ago | (#22376164)

"The public good" is the motivating factor behind both socialism and capitalism. The difference is that socialism tries to address the public good through conditioning people to act with less regard to their own interests, where capitalism believes that providing personal rewards for people who are productive will increase the value of the society as a whole. Most IP laws (copyright, patent, etc...) were originally written to stimulate innovative and creative works that eventually will benefit everyone, by rewarding those who discover or create them. The two are, however, extremes, and like most extremes, the best solution is probably somewhere in between. The USSR illustrated the shortcomings of pure communism, and the U.S. has been gradually learning that there need to be checks in place to prevent pure capitalism from acting against the public good (anti-trust laws, for example). The USSR falling apart has caused major changes in that part of the world, and this "blackmail" activity looks like the proverbial pendulum swinging back a little too far. Of course, no matter which philosophy you follow, the people in power can still skew it in whichever direction is most convenient to their own agendas.

chilling effects of free market capitalism (5, Interesting)

drspliff (652992) | more than 6 years ago | (#22375780)

I don't call it blackmail, I call it a free market...

Companies have a financial incentive for keeping their products secure; open source projects have less of an issue because the money just isn't in it.
All this is is one company spending real money, hiring well-paid analysts to plow through machine code or source code and analyse vulnerabilities.
The reason they can afford to do this is because the market is full of companies willing to pay for this stuff...

That's where your code of ethics goes out of the window!

With open-source projects, there is still a market of companies using that software, but at the same time there's a limited timespan before it's usually discovered by somebody else.
You know very well that if you advertise you've found a security flaw in open source XX product you're going to have hundreds of people scrutinising it and developing a fix, because it's beneficial to everybody (so the code of ethics lives strong).

It doesn't help that `Real' has a bad reputation, but by doing this and withholding it, Gleg are doing exactly what they set out to do in the first place and doing as any successful business man/woman does: identifying the market and targeting it appropriately.

This happens every day not just in software security, but in every other industry yet people just consider it a normal day in the office and maybe grumble a bit about it.

In an ideal situation ethics and social benefit would come first though... yet this is in practice incompatible with the free market, just for the reasons above.

They're fucking Ruskies What did you expect? (0)

Anonymous Coward | more than 6 years ago | (#22375784)

They're fucking Ruskies What did you expect? If ever there were a people that are as crooked as an old man's dick, it's the ruskies.

Blackmail? (5, Insightful)

clarkkent09 (1104833) | more than 6 years ago | (#22375786)

If this is valuable information (as in there are people willing to pay money for it), why should they give it for free? Companies pay good money to consultants to come over and fix problems with their business; why shouldn't they have to pay people who help them fix problems with their software products?

RealPlayer Has other bugs? (1)

the_Bionic_lemming (446569) | more than 6 years ago | (#22375798)

Bought 8 years ago, I actually paid for a version of realplayer from best buy that lasted three weeks.

My only offer from them was to pay a lot more to get the next version, or not to be able to use the version I purchased to view content.

Frankly, supporting realplayer is dumb.

Root exploit, slashdot suicide (0)

Anonymous Coward | more than 6 years ago | (#22375898)

I actually paid for a version of realplayer

Frankly, supporting realplayer is dumb.
Declaring yourself stupid on slashdot? Wow, that root exploit is really having an adverse effect on people!

Re:Root exploit, slashdot suicide (1)

LaskoVortex (1153471) | more than 6 years ago | (#22375976)

Um, try some linguistic analysis. He bought real player 8 years ago (past-tense), but says supporting it is (present tense) dumb.

Great idea. (1)

v(*_*)vvvv (233078) | more than 6 years ago | (#22375802)

It would be even better if they actually didn't have such info.

Vista (2, Interesting)

Joe U (443617) | more than 6 years ago | (#22375828)

So, I have one question, does UAC actually help trap exploits like this?

Not that I would ever install Realplayer outside of a locked down VM anyway. Assume I had a seizure or something and wanted to put this on my host OS.

Advice for free (1)

Dachannien (617929) | more than 6 years ago | (#22375842)

It's not like these guys are really putting anyone in a bind. Real Networks has a responsibility to inspect and maintain their own product, and since they have the source code, there's nothing preventing them from doing so. And people who are uninterested in paying them umpteen bazillion dollars for their expertise are welcome to take my advice, given for free:

Uninstall RealPlayer.

blackmail? product defect! (1, Interesting)

nguy (1207026) | more than 6 years ago | (#22375866)

When companies ship software with security holes, it's a product defect. If they don't want to be embarrassed by that in public, they should simply not introduce security holes.

laugh, snort, laugh (1)

vespacide2 (1235470) | more than 6 years ago | (#22376180)

When companies ship software with security holes, it's a product defect. If they don't want to be embarrassed by that in public, they should simply not introduce security holes.
Not the sharpest tool in the shed, eh?

Re:laugh, snort, laugh (0)

Anonymous Coward | more than 6 years ago | (#22376236)

Not the sharpest tool in the shed, eh?

Talking about yourself, eh?

Security holes are avoidable. I'm sorry you don't know how. If companies were liable for security holes, people like you would be out of a job.

Wow! (1)

vespacide2 (1235470) | more than 6 years ago | (#22376224)

they should simply not introduce security holes.
Why didn't anyone think of this before??
Wait a second...
You're the person who was saying that P2P wasn't allowed By Comcast's TOS the other day...
I did waste my time taking you seriously.

Why does this remind me of Fermat's Last Theorem? (2, Insightful)

AB3A (192265) | more than 6 years ago | (#22375894)

I have this lovely demonstration, but you have to pay me to show you how it works. How do we know it is a real hack? How do we know it isn't a shake down?

This is a shade of Fermat's last theorem. Wiles, after he finally proved it, said that he doubted Fermat actually knew a viable proof.

We don't know what these guys have. Whether it's blackmail or not, it still smells bad. I think the money would be better spent on real security researchers who disclose what they find.

because (1)

vespacide2 (1235470) | more than 6 years ago | (#22376276)

How do we know it is a real hack? How do we know it isn't a shake down?
Because they wouldn't get paid if it was fake. It's not like the RealPlayer people are gonna send the money without proof.

Re:Why does this remind me of Fermat's Last Theore (1)

mudachuka (1237010) | more than 6 years ago | (#22376306)

An escrow arrangement might offer a way out of the lack of trust by the parties.

When it comes to blackmail.... (1)

gandhi_2 (1108023) | more than 6 years ago | (#22375914)

it helps to have something people want. Realplayer? Go ahead, kill the hostage.

hahahah (1)

vespacide2 (1235470) | more than 6 years ago | (#22376326)

How about:
3 cents, a half-eaten Snickers bar, and a nasty bout of syphilis.

Let me be the first to say... (0, Redundant)

rhizome (115711) | more than 6 years ago | (#22375918)

I'm surprised nobody has said it yet, but Real deserves this.

Same as drug companies (1, Insightful)

Anonymous Coward | more than 6 years ago | (#22375960)

Drug companies worldwide hold proprietary information that would greatly benefit the public but rather than release it they use it to further their own research. Obviously if you take that away you might as well ditch capitalism while you are at it.

By the way, Real can simply have some moog in their office pretend to be a customer of the Gleg service, buy the data and then pass it on to Real. If there is some contractual reason why they can't, they can just have that moog work out of a country where the contract means nothing and then leak the info to Real. I mean seriously, how hard could it be.

i don't get it (1)

bravo369 (853579) | more than 6 years ago | (#22375962)

the firm found the vulnerability. Shouldn't they be compensated? they aren't running a charity. Real would be the only one to benefit by security firms simply "giving" the exploit to them. sure you can argue that it's leaving customers insecure but are you telling me Real can't afford $10,000?

What is Real good for anyway? (1)

LoudMusic (199347) | more than 6 years ago | (#22376060)

I know I'm way off topic, but I have to ask. What is Real good for anyway? What do they do, for a fee, that isn't done by a variety of other sources for free? And I know their media player software is free, but in their case the fee is all the garbage that comes with it. Or you pay a monetary fee and likely still get a bunch of garbage you don't want.

So to make some on topic comment I will say that I fully support this form of capitalism. Real could pay them for the information - it's a better deal than hiring a consulting company that may or may not discover a problem. At least these people have already done work with positive results.

Why? (2, Insightful)

BraneSpace (1190961) | more than 6 years ago | (#22376082)

I suppose this really comes down to the intent of the security firm. WHY did they go looking for vulnerabilities? A common theme I see repeated here is that they spent time and effort looking for vulnerabilities. Why would they do so? What is their profit model? I see three real(hehe) possibilities.

1. They are planning to sell the information to (criminal) third parties.
2. They are planning to sell the information to Real.
3. They are trying to sell services to Real.

The fact that they offer it to third parties before offering it to the vendor (or at least offering a grace period) is very telling. They are trying to coerce Real to buy the vulnerability information before attacks appear in the wild. Failing to do so would lose them profit and face in the digital world, especially as this is being highly publicized.

Thus, either the firm is finding and selling vulnerabilities for criminal purposes or doing so to pressure companies into buying them. Either way, they are doing harm (to Real and/or end users). While it may not be illegal per se, this is a very underhanded thing to do.

Fight fire with fire (3, Insightful)

SamP2 (1097897) | more than 6 years ago | (#22376088)

According to Russian copyright law [wikipedia.org] , "purely informational reports on events and facts are not copyrightable". The copyright on the code itself belongs to RP (and copyright to all other flaws discovered by this Russian company belong to their respective owners), and the simple informational fact of knowledge about flaw is not subject to copyright.

RP can legally subscribe to be a "customer" of this security firm, and then just take all information they deliver and pass it on to all parties involved (in other words, send the relevant information to all companies whose code has a vulnerability). Several companies can team up and split the "subscription fee".

Consider this to be the security (and legal) version of ripping a pay porn site and dumping the contents on eMule. The Russian company won't go far with a single paying subscriber.

I don't use Real... (1)

keraneuology (760918) | more than 6 years ago | (#22376096)

Recently Yahoo announced that they were selling my music account to RealNetworks at twice the current subscription fee. Based on the poor history of that company there isn't a snowball's chance that I'll get a subscription to Rhapsody. Knowing that Real has security flaws in what they -claim- is a cleaned up version of their adware engine is no particular shocker. I don't care what happens to them - does anybody still use them anyway?

Re:I don't use Real... (1)

RuBLed (995686) | more than 6 years ago | (#22376132)

Apparently, the blackhats do...

Capitalism's heart (1)

dokebi (624663) | more than 6 years ago | (#22376166)

This is an interesting revenue model. If company A pays for a security audit, any exploits found are "bought" only once by company A. In this case, these guys can keep selling the exploit again and again, including to company A, but then to many others.

Russia has taken Capitalism to their hearts--principles be damned, everything has a price. It's funny how most of slashdot is lamenting good vs evil, while a clear profit is to be had. What happened to American business spirit? We should be proud that we exported capitalism to Russia, and stop bitching when they do it better than us. </sarcasm>

Ah!, the downside to proprietary software (4, Interesting)

EEPROMS (889169) | more than 6 years ago | (#22376174)

If you sell software under a restricted proprietary license you have set the rules for all dealings with your code as being based purely on monetary gain. So if some programmers figure out a security flaw with your software they, like you, "don't have to give away their code or IP for nothing", because you also insist on not giving away your IP either.

Like it or not, this was bound to happen (1)

SleepyHappyDoc (813919) | more than 6 years ago | (#22376282)

Setting aside the debate as to whether or not they should have a dollar value, the bottom line is that exploits do have a dollar value. Someone can use an exploit to take your money, your boss's money, your government's money, etc., which will always give these things a value to people with the requisite lack of ethics needed to use them in that way. Because of this, there's simply no economic incentive for this company to give away their commodity of value for nothing. If this kind of thing is to be stopped, we'll need to find a way to change that balance, either by paying for the exploit (giving an economic incentive to disclose) or by some kind of legislative approach (to create an economic disincentive for not disclosing). The legislative approach has such a history (it worked so well on software piracy) that it probably won't work all that well here, which leaves us with this. Got a better idea?

Wow that sucks... (1)

Lally Singh (3427) | more than 6 years ago | (#22376296)

I'd really feel for them. You know, if it wasn't RealPlayer.

Come on! Who doesn't hate that pile of garbage?