Mozilla Finds Flaw With Black Hat Video Stream
An anonymous reader writes "Mozilla web security researcher Michael Coates found a flaw in Black Hat's paid video feed. The flaw allowed him to watch a live feed of the conference for free instead of the $395 a head to connect. Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue."
Of course (Score:5, Insightful)
Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.
If that seems like altruism, think: why would Mozilla want a bunch of black hat hackers pissed off at them?
Re: (Score:2, Interesting)
Re: (Score:2)
Maybe he felt that full disclosure was a good form of payment.
Re: (Score:3, Funny)
I think the "unlike" part of this story is that the issue was fixed rather than sat on for months.
Re: (Score:1, Interesting)
If that seems like altruism, think: why would Mozilla want a bunch of black hat hackers pissed off at them?
If this post sounds like cynicism, it is.
Re:Of course (Score:4, Insightful)
Re: (Score:1)
Re: (Score:1)
If that seems like altruism, think: why would Mozilla want a bunch of black hat hackers pissed off at them?
Fixed it for you.
If that seems like altruism, think: why would Mozilla want a bunch of black hat hypocritical hackers pissed off at them? After all, such rationale is what black hatters use to justify almost every action, disclosure, and exploitation. To be pissed at such an exploit would mean they are a bunch of small minded, hypocritical bitches.
Re: Too many glitches (Score:1)
in soviet russia (Score:4, Funny)
Applications find bugs on black hats.
responsibility (Score:3, Interesting)
The responsibility aspect is one area where the Black Hat guys could earn a lot of respect by doing the right thing. It's a dick move to just disclose stuff without giving companies a chance to fix their mistakes, no matter how stupid it is.
Re:responsibility (Score:5, Insightful)
Then exactly how would they sell online streaming events for 395 and equally expensive conference tickets?
Re: (Score:1)
Re: (Score:2)
bandwidth certainly doesn't cost that much, and the equipment used has more than likely been paid for/paid for itself.
it's just a flat-out money pit.
Re: (Score:2)
Re: (Score:3, Insightful)
Most likely they want actual attendees and if it's too cheap to just watch the stream these computer people may just sit and watch it from the comfort of their own mancave instead of showing up.
Re: (Score:2)
That's easier access. Think about that for a moment. 500 physical attendees at so much a pop or MILLIONS of online attendees at a lower cost and still making more money?
DUH.
Re:responsibility (Score:5, Funny)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
Excuse me, but were you there at Blackhat? No? Surprise.
Had you attended, you would have noticed that every presenter discussed vulnerabilities only after responsible disclosure. Nobody at Blackhat was surprising any vendors with 0day exploits. Timothy's summary above is full of shit.
Now, I won't say every vendor was responsible about patching their systems upon notification. Too bad for them. But the Blackhat guys were all approaching the topic responsibly.
Re: (Score:2)
"The responsibility aspect is one area where the Black Hat guys could earn a lot of respect by doing the right thing. "
That assumes DTRT is "respected" instead of "punished".
Prisoner's Dilemma? (Score:2, Interesting)
Interesting. You have an unknown number of users accessing the video feeds for free. The system has equilibrium and is yet unstable (they might find out at any time and block everyone). Now enter one prisoner who rats out everyone else. The end result? That one individual gets a free legitimate account and free access to the video streams while everyone else has their access blocked.
Honestly? It sounds like Michael Coates is a little bit of a douche. A small handful of users accessing the stream for
Re: (Score:2, Insightful)
Re:Prisoner's Dilemma? (Score:5, Funny)
Re: (Score:3, Interesting)
Ordinarily I'd say pirating video streams is morally questionable, but hacking access to the video stream of a security conference is so poetic that I refuse to believe it could be evil.
The best example that being a cracker is not synonymous with being dishonest.
Even more, I see it as a good example of a wise long-term strategy: disclosing the flaw before giving the organizers a chance to patch it would have exposed the organizers to ridicule. And one would rely on the same ridiculed persons to have a DEFCON 2011? Opportunism rarely makes good sense in scarcity conditions.
Re: (Score:2)
I don't know where people get these ideas about Black Hat. Black Hat has some "interesting" attendees, but for the most part the audience is made up of security professionals. I go to Black Hat every year as part of work. Despite the name of the conference, the atmosphere there is very much "white hat." Some of the presenters are in the gray area, but most of the presenters are just other security professionals who are at the top of their game.
No punches are pulled at Black Hat, and the policy is full discl
Re: (Score:3, Interesting)
because it's stealing (Score:2, Insightful)
The product has a price. If you take the product without paying, you're stealing the product.
Why am I supposed to feel bad for those who had illegal free feeds and no longer do?
Bandwidth does cost money you know. I'll tell you what, I'll just start siphoning gas out of your car. Not so much that you can't afford it, but just a little. No harm done, right?
Re: (Score:1)
Umm, yeah, well, blackhats would never steal digital products, of course.
Watching a few self-proclaimed bad guys talk about security is like stealing from Mother Teresa, right?
Re: (Score:1)
$395 worth of bandwidth? Hmm, someone needs to get out of the early 90's...
Re: (Score:3, Insightful)
Just because the price is high doesn't make it not stealing.
If you think the product provides a poor value, then don't buy it and do without. Just as you would do if it were a shirt in a store.
Re:because it's stealing (Score:5, Insightful)
Call it unethical, freeloading, leeching, but not stealing.
Re:because it's stealing (Score:5, Informative)
I agree with you, and I also move that we start calling all RIAA employees pedophiles. It's a fine word, not a reference to the criminal code!
Re: (Score:2)
If the RIAA were involved in something that was generally regarded to be pedophilia, but was not actually illegal but required the victim to sue, then I'm sure people would do so.
Bit like the way people call them bastards when most of them are probably legitimate.
Re: (Score:2)
Re: (Score:2)
On slashdot no, maybe most people wouldn't call that stealing. But out in the real world people very often would - this is the thing that I think many of the "information wants to be free" types don't quite get. Apart from student age groups and below, they are
Re:because it's stealing (Score:4, Informative)
v. stole, stolen, stealing, steals
v.tr.
1. To take (the property of another) without right or permission.
2. To present or use (someone else's words or ideas) as one's own.
3. To get or take secretly or artfully: steal a look at a diary; steal the puck from an opponent.
4. To give or enjoy (a kiss) that is unexpected or unnoticed.
5. To draw attention unexpectedly in (an entertainment), especially by being the outstanding performer: The magician's assistant stole the show with her comic antics.
6. Baseball To advance safely to (another base) during the delivery of a pitch, without the aid of a base hit, walk, passed ball, or wild pitch.
v.intr.
1. To commit theft.
2. To move, happen, or elapse stealthily or unobtrusively.
3. Baseball To steal a base.
n.
1. The act of stealing.
2. Slang A bargain.
3. Baseball A stolen base.
4. Basketball An act of gaining possession of the ball from an opponent.
Re: (Score:2)
To take (the property of another) without right or permission.
So whether this counts as stealing all really comes down to whether we are going to allow intellectual property to be a type of property. Sounds like an interesting debate but it is still a complete waste of time.
The reality is that when all the people here advocating watching a stream without paying for the content grow up and get a job producing something that can be easily digitised they will realise it is not so hot when people do this and then do not pay you for your work. Hell, maybe it is too expens
Re: (Score:1)
To take (the property of another) without right or permission.
So whether this counts as stealing all really comes down to whether we are going to allow intellectual property to be a type of property. Sounds like an interesting debate but it is still a complete waste of time.
I agree with the general emphasis and message of your post. However, you failed to notice that "take" and "copy" are two different words with different definitions.
Re: (Score:2)
STEAL
the wrongful or willful taking of money or property belonging to someone else with intent to deprive the owner of its use or benefit either temporarily or permanently. No particular type of movement or carrying away is required.
Any appreciable change in the location of the property with the necessary willful intent
Re: (Score:2)
Re: (Score:3, Informative)
That cost may be less than $395, but it's also greater than $0, so real theft is involved because someone is out some money as a result of the action. Not theoretical "lost sale" money, but real money that someone will have to actually pay.
Re: (Score:2)
If someone were to then go and take some of the crop (which would have spoiled anyway), should it have the same penalty as stealing it from the store?
Yes, because it's the same crime. A court might take into consideration, when determining punishment, whether anyone was harmed. But either way the rightful owner was deprived of his property. It's his choice how to dispose of his excess goods. It might be that he donates his overage to local charities ... in which case someone would be harmed by the criminal's actions.
Re: (Score:2)
Re: (Score:2, Funny)
Agreed, some people deserve money just because!
Re: (Score:2)
Re: (Score:3, Insightful)
No, they deserve money because they provided a service. Or do you not think that lawyers, programmers, stockbrokers and architects should not be paid, just because they haven't created a physical object?
Re: (Score:2)
Let's compromise. We'll agree not to pay the lawyers.
Re: (Score:2)
If only I could deal with my taxes in the same way.
Re: (Score:2)
"Bandwidth does cost money you know"
Bandwidth does not cost $395 per person for a medium-bitrate 24/7 video and audio feed from a conference.
Please. I could spend maybe 99 bucks per month for 2TB data throughput for my Camfrog video server and serve 10,000+ video streams simultaneously, and it would still take me about half a month to reach my cap.
Re: (Score:2)
Re: (Score:2)
And would that "bandwidth" just magically work, with no outside maintenance or infrastructure? What? You mean it requires servers, and salaried employees, and a host of properly implemented technology to provide bandwidth? And the company needs to actually make an operating profit in order to expand its offerings, replace old infrastructure, and develop new business? And you're also learning something new from a bunch of security experts?
Gee, maybe that's why it costs $395?
Your view is so reductionist i
Re: (Score:2)
I used to work for an ISP. I can do all of that MYSELF. No staff needed.
I ACTUALLY DO IT. Right now there's development on a multi-video monitoring station for each of our hydroponic tiers.
If you think it takes that much experience and knowledge, you're a fool. I've been at it since I was 16 broadcasting with a 10FPS webcam at 252x144 resolutions from my school's LAN.
Re: (Score:2)
I'm sure you *can* do all of that yourself.
I'm also sure that you *cannot* do all of that yourself in a reasonably timely fashion at no cost.
Pray tell - did your school's LAN infrastructure just magically self-assemble? Or did it cost money to build & maintain? And all of that just for your little cyber sessions - now imagine scaling it up to hundreds or thousands of users spread around the world.
If you continue to assert that it can be done at the scale of this conference without experience, knowledg
Re: (Score:2)
You can't equate the two. Bandwidth gets easier and cheaper with time. Oil gets rarer and has to be physically moved.
Re: (Score:2)
Because 99% of those watching for free can't or won't pay for it, and now they get nothing. Same reasons people pirate.
It's all right with me, as long as there's still gas for everyone else.
One person watching for free doesn't deprive everyone el
Re: (Score:2, Interesting)
I work with (Score:2, Insightful)
the company that organizes these online events. Believe me, this stuff is expensive to put together and while $395 is a lot of money, it does need to be paid for if conferences like this are to exist. Letting people in for free will detract from the exclusivity and ultimate quality of the event online or physical. Being Black Hat, it's not surprising someone figured out an exploit!
Re: (Score:1, Insightful)
Let's face it, black hat is just a shitty conference attended by self-proclaimed security researchers. And it's too expensive.
Responsible Disclosure (Score:5, Interesting)
Re: (Score:2)
Misleading (Score:5, Insightful)
Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.
It's obvious why it was quickly fixed - because he disclosed it to the people who were losing out from the flaw.
A false contrast is being drawn to situations where a supplier, whose OWN security is not at risk and who frequently see discovery of flaws as more of a cost than a benefit, is not given sole access to the details of the flaw.
It could have ended up very different (Score:4, Insightful)
Bugs cost money to fix. In this case, fixing the bug could also cause more paying customers (the freeloaders also willing to pay, no matter how small their number). So it was in their best interest to fix the bug.
But let's be realistic here: Michael Coates was lucky.
There are many instances (some of them documented extensively here), where reporting the bug causes the reporter financial and legal harm. Especially with security related bugs, companies see no potential gain in fixing the bug and cleaning up -- only costs, which piss off their investors. That is, unless the story gets out and people get angry. But by starting a fight with the honest, responsible reporter, people are much more likely to think: 'must be a disgruntled customer/ex-employee/...'. Result: not enough bad publicity to raise a stink.
Wow... (Score:2)
... irony.
Re: (Score:2)
Obv (Score:3, Funny)
In Soviet Russia, Mozilla finds security flaw in Black Hat!
Yes but... back in the day... (Score:1)
That is the problem with Black Hat "Hackers" today... They are way too honest for their own good. Heck in back in my day, we would have all gotten in that conference for free, and we would be on our way to Paris to discuss it.