Forgot your password?
typodupeerror
Mozilla It's funny.  Laugh. Technology

Mozilla Finds Flaw With Black Hat Video Stream 106

Posted by timothy
from the fair-play dept.
An anonymous reader writes "Mozilla web security researcher Michael Coates found a flaw in Black Hat's paid video feed. The flaw allowed him to watch a live feed of the conference for free instead of the $395 a head to connect. Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue."
This discussion has been archived. No new comments can be posted.

Mozilla Finds Flaw With Black Hat Video Stream

Comments Filter:
  • Of course (Score:5, Insightful)

    by Anonymous Coward on Monday August 02, 2010 @01:01AM (#33107376)

    Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.

    If that seems like altruism, think: why would Mozilla want a bunch of black hat hackers pissed off at them?

    • Re: (Score:2, Interesting)

      by pspahn (1175617)
      Maybe too late? What was he doing trying to score free video? You can't always be sure about someone's motives.
    • Re: (Score:3, Funny)

      by Volante3192 (953645)

      I think the "unlike" part of this story is that the issue was fixed rather than sat on for months.

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      If that seems like altruism, think: why would Mozilla want a bunch of black hat hackers pissed off at them?

      If this post sounds like cynicism, it is.

    • Re:Of course (Score:4, Insightful)

      by RebelWebmaster (628941) on Monday August 02, 2010 @08:20AM (#33109180)
      I would say that "Do unto others as you would have them do unto you" would be appropriate in this situation.
    • by GooberToo (74388)

      If that seems like altruism, think: why would Mozilla want a bunch of black hat hackers pissed off at them?

      Fixed it for you.

      If that seems like altruism, think: why would Mozilla want a bunch of black hat hypocritical hackers pissed off at them? After all, such rational is what black hatters use to justify almost every action, disclosure, and exploitation. To be pissed at such an exploit would mean thy are a bunch of small minded, hypocritical bitches.

    • I don't care for Firefox one bit...too many problems and glitches for me. I went back to IE8 in a hurry. I'm a gamer, and my nephew told me that Firefox is better for gamers. I don't agree.
  • by Anonymous Coward on Monday August 02, 2010 @01:08AM (#33107404)

      Applications find bugs on black hats.

  • responsibility (Score:3, Interesting)

    by Anonymous Coward on Monday August 02, 2010 @01:14AM (#33107430)

    The responsibility aspect is one area where the Black Hat guys could earn a lot of respect by doing the right thing. It's a dick move to just disclose stuff without giving companies a chance to fix their mistakes, no matter how stupid it is.

    • Re:responsibility (Score:5, Insightful)

      by Cylix (55374) * on Monday August 02, 2010 @01:18AM (#33107442) Homepage Journal

      Then exactly how would they sale online streaming events for 395 and equally expensive conference tickets?

      • by benji fr (632243)
        maybe because some people are living far away from Vegas, and that the trip to and from Vegas will cost them at least 3 times the ticket, (and I don't mention hotel and food...)
        • by Khyber (864651)

          bandwidth certainly doesn't cost that much, and the equipment used has more than likely been paid for/paid for itself.

          it's just a flat-out money pit.

          • So? Is it not allowed to be?
          • Re: (Score:3, Insightful)

            by Hinhule (811436)

            Most likely they want actual attendees and if it's too cheap to just watch the stream these computer people may just sit and watch it from the comfort of their own mancave instead of showing up.

            • by Khyber (864651)

              That's easier access. Think about that for a moment. 500 physical attendees at so much a pop or MILLIONS of online attendees at a lower cost and still making more money?

              DUH.

      • by Linker3000 (626634) on Monday August 02, 2010 @03:36AM (#33107990) Journal
        If the cost of attendance and video streaming is worrying you, why not just persuade your local ATM to provide the cash for you. I believe there was a presentation about this..but then things get recursive...
        • by socz (1057222)
          That's why you pay the $395, because the room was full and you couldn't get in :P
      • I sell, You sell, They sell.
    • by plover (150551) *

      Excuse me, but were you there at Blackhat? No? Surprise.

      Had you attended, you would have noticed that every presenter discussed vulnerabilities only after responsible disclosure. Nobody at Blackhat was surprising any vendors with 0day exploits. Timothy's summary above is full of shit.

      Now, I won't say every vendor was responsible about patching their systems upon notification. Too bad for them. But the Blackhat guys were all approaching the topic responsibly.

    • by couchslug (175151)

      "The responsibility aspect is one area where the Black Hat guys could earn a lot of respect by doing the right thing. "

      That assumes DTRT is "respected" instead of "punished".

  • Prisoner's Dilemma? (Score:2, Interesting)

    by nmb3000 (741169)

    Interesting. You have an unknown number of users accessing the video feeds for free. The system has equilibrium and is yet unstable (they might find out at any time and block everyone). Now enter one prisoner who rats out everyone else. The end result? That one individual gets a free legitimate account and free access to the video streams while everyone else has their access blocked.

    Honestly? It sounds like Michael Coates is a little bit of a douche. A small handful of users accessing the stream for

    • The product has a price. If you take the product without paying, you're stealing the product.

      Why am I supposed to feel ad for those who had illegal free feeds and no longer do?

      Bandwidth does cost money you know. I'll tell you what, I'll just start siphoning gas out of your car. Not so much that you can't afford it, but just a little. No harm done, right?

      • by Compaqt (1758360)

        Umm, yeah, well, blackhats would never steal digital products, of course.

        Watching a few self-proclaimed bad guys talk about security is like stealing from Mother Teresa, right?

      • by Anonymous Coward

        $395 worth of bandwidth? Hmm, someone needs to get out of the early 90's...

        • Re: (Score:3, Insightful)

          by YesIAmAScript (886271)

          Just because the price is high doesn't make it not stealing.

          If you think the product provides a poor value, then don't buy it and do without. Just as you would do if it were a shirt in a store.

          • by iammani (1392285) on Monday August 02, 2010 @02:49AM (#33107824)
            Ahh can we please stop calling it 'stealing'. If I were to steal a shirt in a store, the store would deprived of the shirt. That is not the case here

            Call it unethical, freeloading, leeching, but not stealing.
            • Re: (Score:3, Informative)

              by Fulminata (999320)
              In this case though, it really is stealing. Someone is paying for the increased bandwidth being used.

              That cost may be less than $395, but it's also greater than $0, so real theft is involved because someone is out some money as a result of the action. Not theoretical "lost sale" money, but real money that someone will have to actually pay.
            • by dave420 (699308)
              Well, in this case, the people downloading for free were not paying for their bandwidth usage, something which is not so abstract. Obviously it's not worth $400, maybe a few cents, but even so. Otherwise I agree with your point entirely.
          • by mblase (200735)

            If only I could deal with my taxes in the same way.

      • by Khyber (864651)

        "Bandwidth does cost money you know"

        Bandwidth does not cost $395 per person for a medium-bitrate 24/7 video and audio feed from a conference.

        Please. I could spend maybe 99 bucks per month for 2TB data throughput for my Camfrog video server and serve 10,000+ video streams simultaneously, and it would still take me about half a month to reach my cap.

        • by Americano (920576)

          And would that "bandwidth" just magically work, with no outside maintenance or infrastructure? What? You mean it requires servers, and salaried employees, and a host of properly implemented technology to provide bandwidth? And the company needs to actually make an operating profit in order to expand its offerings, replace old infrastructure, and develop new business? And you're also learning something new from a bunch of security experts?

          Gee, maybe that's why it costs $395?

          Your view is so reductionist i

          • by Khyber (864651)

            I used to work for an ISP. I can do all of that MYSELF. No staff needed.

            I ACTUALLY DO IT. Right now there's development on a multi-video monitoring station for each of our hydroponic tiers.

            If you think it takes that much experience and knowledge, you're a fool. I've been at it since I was 16 broadcasting with a 10FPS webcam at 252x144 resolutions from my school's LAN.

            • by Americano (920576)

              I'm sure you *can* do all of that yourself.

              I'm also sure that you *cannot* do all of that yourself in a reasonably timely fashion at no cost.

              Pray tell - did your school's LAN infrastructure just magically self-assemble? Or did it cost money to build & maintain? And all of that just for your little cyber sessions - now imagine scaling it up to hundreds or thousands of users spread around the world.

              If you continue to assert that it can be done at the scale of this conference without experience, knowledg

      • by Redlazer (786403)
        If gas cost as little as bandwidth did, and continued to fall steadily like bandwidth does, then your analogy would be totally worthless.

        You can't equate the two. Bandwidth gets easier and cheaper with time. Oil gets rarer and has to be physically moved.

      • by SheeEttin (899897)

        Why am I supposed to feel ad for those who had illegal free feeds and no longer do?

        Because 99% of those watching for free can't or won't pay for it, and now they get nothing. Same reasons people pirate.

        Bandwidth does cost money you know. I'll tell you what, I'll just start siphoning gas out of your car. Not so much that you can't afford it, but just a little. No harm done, right?

        It's all right with me, as long as there's still gas for everyone else.
        One person watching for free doesn't deprive everyone el

    • Re: (Score:2, Interesting)

      by Psaakyrn (838406)
      No real harm except to the reputation of the conference itself. A conference about security should probably be secure, unless intentionally insecure. It doesn't sound like it's intentional.
  • I work with (Score:2, Insightful)

    by Anonymous Coward

    the company that organizes these online events. Believe me, this stuff is expensive to put together and while $395 is a lot of money, it does need to be paid for if conferences like this are to exist. Letting people in for free will detract from the exclusivity and ultimate quality of the event online or physical. Being Black Hat, it's not surprising someone figured out an exploit!

    • Re: (Score:1, Insightful)

      by Anonymous Coward

      Let's face it, black hat is just a shitty conference attended by self-proclaimed security researchers. And it's too expensive.

  • by TXISDude (1171607) * on Monday August 02, 2010 @01:58AM (#33107642)
    As one who has attended many BlackHat conferences - I take offense to the line "Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue" In my experience, BlackHat presenters have followed responsible disclosure - including this year's high profile ATM exploit talk, which, for instance can not be replicated by those in attendence (proof was given that it can be hacked, but the sourcecode was not released) - and the industry certainly knew it was coming for > 1 year - and the end of the presentation gave simple directions about how to mitigate the issues. . .
    • by elrous0 (869638) *
      More often than not, it's not the black hats themselves who behave irresponsibly--it's the software companies who, when notified of a flaw, drag their heals on fixing the problem and then have the gall to bitch about it when the hacker finally gets tired of it and goes public.
  • Misleading (Score:5, Insightful)

    by Anonymous Coward on Monday August 02, 2010 @02:21AM (#33107698)

    Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.

    It's obvious why it was quickly fixed - because he disclosed it to the people who were losing out from the flaw.

    A false contrast is being drawn to situations where a supplier, whose OWN security is not at risk and who frequently see discovery of flaws as more of a cost than a benefit, is not given sole access to the details of the flaw.

  • by Okind (556066) on Monday August 02, 2010 @02:37AM (#33107766) Homepage

    Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.

    Bugs cost money to fix. In this case, fixing the bug could also cause more paying customers (the freeloaders also willing to pay, no matter how small their number). So it was in their best interest to fix the bug.

    But let's be realistic here: Micheal Coates was lucky.

    There are many instances (some of them documented extensively here), where reporting the bug causes the reporter financial and legal harm. Especially with security related bugs, companies see no potential gain in fixing the bug and cleaning up -- only costs, which piss off their investors. That is, unless the story gets out and people get angry. But by starting a fight with the honest, reponsible reporter, people are much more likely to think: 'must be a disgruntled customer/ex-employee/...'. Result: not enough bad publicity to raise a stink.

  • ... irony.

  • Obv (Score:3, Funny)

    by Sockatume (732728) on Monday August 02, 2010 @04:25AM (#33108150)

    In Soviet Russia, Mozilla finds security flaw in Black Hat!

  • That is the problem with Black Hat "Hackers" today... They are way too honest for their own good. Heck in back in my day, we would have all gotten in that conference for free, and we would be on our way to Paris to discuss it.

Nothing happens.

Working...