
Mozilla Finds Flaw With Black Hat Video Stream

An anonymous reader writes "Mozilla web security researcher Michael Coates found a flaw in Black Hat's paid video feed. The flaw allowed him to watch a live feed of the conference for free instead of the $395 a head to connect. Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue."
  • Re:Of course (Score:2, Interesting)

    by pspahn ( 1175617 ) on Monday August 02, 2010 @02:07AM (#33107400)
    Maybe too late? What was he doing trying to score free video? You can't always be sure about someone's motives.
  • responsibility (Score:3, Interesting)

    by Anonymous Coward on Monday August 02, 2010 @02:14AM (#33107430)

    The responsibility aspect is one area where the Black Hat guys could earn a lot of respect by doing the right thing. It's a dick move to just disclose stuff without giving companies a chance to fix their mistakes, no matter how stupid it is.

  • Prisoner's Dilemma? (Score:2, Interesting)

    by nmb3000 ( 741169 ) on Monday August 02, 2010 @02:18AM (#33107444) Journal

    Interesting. You have an unknown number of users accessing the video feeds for free. The system has equilibrium and is yet unstable (they might find out at any time and block everyone). Now enter one prisoner who rats out everyone else. The end result? That one individual gets a free legitimate account and free access to the video streams while everyone else has their access blocked.

    Honestly? It sounds like Michael Coates is a little bit of a douche. A small handful of users accessing the stream for free doesn't really hurt anything and it's not like this was some serious security vulnerability. Reading his blog post, he makes it sound more like he uncovered some huge security exploit. Truth is all he really did is save a somewhat inept third party development company a little bandwidth money.

    He should have just waited until the conference was finished and then notified them for future reference. That way everyone clever enough to notice the exploit got their little bonus and the company learns its lesson. No real harm done.

  • by Psaakyrn ( 838406 ) on Monday August 02, 2010 @02:44AM (#33107562)
    No real harm except to the reputation of the conference itself. A conference about security should probably be secure, unless intentionally insecure. It doesn't sound like it's intentional.
  • by TXISDude ( 1171607 ) * on Monday August 02, 2010 @02:58AM (#33107642)
    As one who has attended many BlackHat conferences - I take offense to the line "Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue" In my experience, BlackHat presenters have followed responsible disclosure - including this year's high profile ATM exploit talk, which, for instance cannot be replicated by those in attendance (proof was given that it can be hacked, but the source code was not released) - and the industry certainly knew it was coming for > 1 year - and the end of the presentation gave simple directions about how to mitigate the issues. . .
  • by martin-boundary ( 547041 ) on Monday August 02, 2010 @03:27AM (#33107720)
    True, he should have first posted the streamdumps on rapidshare, and then told the organizers how to fix the flaw. Bandwidth problem solved, everybody is happy :)
  • by c0lo ( 1497653 ) on Monday August 02, 2010 @04:15AM (#33107910)

    Ordinarily I'd say pirating video streams is morally questionable, but hacking access to the video stream of a security conference is so poetic that I refuse to believe it could be evil.

    The best example that being a cracker is not synonymous with being dishonest.
    Even more, I see it as a good example of a wise strategy in the long term: disclosing the flaw before giving the organizers a chance to patch it would have exposed the organizers to ridicule. And one would rely on the same ridiculed persons to have a DEFCON 2011? Opportunism rarely makes good sense in scarcity conditions.

  • Re:Of course (Score:1, Interesting)

    by Anonymous Coward on Monday August 02, 2010 @05:06AM (#33108084)

    If that seems like altruism, think: why would Mozilla want a bunch of black hat hackers pissed off at them?

    If this post sounds like cynicism, it is.
