Security Research and Blackmail
harryjohnston alerts us to a story picked up by a few bloggers in the security space. A Russian security research company, Gleg, has discovered a zero-day in the latest version of RealPlayer 11. But they won't reveal details to Real, or to CERT, despite repeated requests. Details are available only to their clients who pay a lot of money for early access to such knowledge. To describe Gleg's business model Daniweb rather cautiously puts forward the word "blackmail." The story was first exposed in Ryan Naraine's SecurityWatch blog.
Seems fair they have information and want to be paid for it
How about just "proprietary knowledge".. ya know, like the source code of Real Player?
How we know is more important than what we know.
But who does use RealPlayer anyway, that this could possibly affect? I mean, there's VLC and I daresay others out there that can play similar files.
If you're not actually shaking down the vendor, it's not blackmail. I mean, if you get a piece of information, are you obligated to inform anyone?
It is sleazy, don't get me wrong, because what other reason would someone other than Real want to purchase the information except to do no good? But I'm having a hard time feeling sorry for Real, because they suck so fucking bad. I keep trying to replace them in my mind with some company I like to analyze the situation, but it just keeps switching back to Real.
I mean, it's not like someone's going to get killed or anything. Unless, of course, Putin wants that done.
expandfairuse.org
I bet if they opened up their source code someone would be nice enough to look it over and tell them what they find. Too bad they're closed source. Oh well.
Error: Sig not found.
Why should they give the information away for free? They spent time and effort to find the vulnerabilities; it's enough just to know that they exist. If CERT or Real really want to find those bugs, they can either
Pay for the information - it's the cost of doing business with proprietary software,
or
Find the bugs by themselves: just having a tip about the bugs is valuable information,
or
Open source it and get the help of the community in code review.
I don't know how this is even remotely blackmail. What do companies like Real pay their QA guys to find the exact kind of 0-day exploits that the Russians discovered? I'll bet it's not 0. And why should the Soviets be required, morally, ethically, or otherwise, to provide something for free that any responsible software company pays talented people for? Maybe it's sort of dickish to sell it to Soviet hackers, but the fact is, it's their work that produced the knowledge of the exploit, and they should profit from it. Information isn't always free, nor should it be.
Indeed, for individuals, pointing out security problems can be dangerous. It isn't very nice of them, but then again, most software vendors aren't nice either. Calling this blackmail is a bit of a stretch.
It's called capitalism, and it's been breaking out in eastern Europe ever since the USSR fell. In unregulated areas (i.e. new markets) they have a much more "pure" concept of it than the west. The public good is a socialist idea. This same thing happens in a lot of places in the west where there are shops that specialize in IP of some sort. They have to make their living somehow. It's just that people are used to security companies giving this stuff away for free.
boldly going forward, 'cause we can't find reverse
I don't call it blackmail, I call it a free market...
Companies have a financial incentive for keeping their products secure, open source projects have less of an issue because the money just isn't in it.
All this is - is one company spending real money, hiring well paid analysts to plow through machine code or source code and analyse vulnerabilities.
The reason they can afford to do this is because the market is full of companies willing to pay for this stuff...
That's where your code of ethics goes out of the window!
With open-source projects, there is still a market of companies using that software but at the same time there's a limited timespan before it's usually discovered by somebody else.
You know very well that if you advertise you've found a security flaw in open source XX product you're going to have hundreds of people scrutinising it and developing a fix - because it's beneficial to everybody (so the code of ethics lives strong).
It doesn't help that 'Real' has a bad reputation, but by doing this and withholding it, Gleg are doing exactly what they set out to do in the first place and doing as any successful business man/woman does: identifying the market and targeting it appropriately.
This happens every day not just in software security, but in every other industry yet people just consider it a normal day in the office and maybe grumble a bit about it.
In an ideal situation ethics and social benefit would come first though... yet this is in practice incompatible with the free market, just for the reasons above.
They're fucking Ruskies. What did you expect? If ever there were a people that are as crooked as an old man's dick, it's the Ruskies.
If this is valuable information (as in there are people willing to pay money for it) why should they give it for free? Companies pay good money to consultants to come over and fix problems with their business, why shouldn't they have to pay people who help them fix problems with their software products.
Negative moral value of force outweighs the positive value of good intentions.
Bought 8 years ago, I actually paid for a version of RealPlayer from Best Buy that lasted three weeks.
My only offer from them was to pay a lot more to get the next version, or not to be able to use the version I purchased to view content.
Frankly, supporting realplayer is dumb.
_ _ _ Go for the eyes Boo! GO FOR THE EYES!
It would be even better if they actually didn't have such info.
Not blackmail. But poorly designed software tends to have security bugs.
These bugs pose a problem for users of the software. It makes sense that third party services exist that scour software for bugs like this, for the benefit of the software's users and prospective users.
So they can know whether to use the software or whether to take extra precautions/refrain from using it.
The cost of performing this type of analysis is high. Much time and energy is required.
It makes sense that you need to pay to review their findings in detail, or to review them before they are publicly released (for free).
If they merely submit their findings to the software vendor, then they have provided the vendor with high-quality, costly labor for free.
Why should the software vendor get free labor from security researchers, and be able to freely follow poor design practices in the design of their software, while relying on the public to find and report the issues gradually? (For them to lazily fix _after_ the defect is drawn to their attention)
If the security researcher wishes to serve the community, then they have the option of practicing full disclosure, but they may be more fairly compensated for their work by providing paying customers with key information in advance, so their customers can mitigate the problem, before it has become public (and known to the bad guys).
One way you mitigate the problem is very simple: uninstall the defective RealPlayer 11. Re-install the fixed version, when it becomes available.
So, I have one question, does UAC actually help trap exploits like this?
Not that I would ever install Realplayer outside of a locked down VM anyway. Assume I had a seizure or something and wanted to put this on my host OS.
It's not like these guys are really putting anyone in a bind. Real Networks has a responsibility to inspect and maintain their own product, and since they have the source code, there's nothing preventing them from doing so. And people who are uninterested in paying them umpteen bazillion dollars for their expertise are welcome to take my advice, given for free:
Uninstall RealPlayer.
When companies ship software with security holes, it's a product defect. If they don't want to be embarrassed by that in public, they should simply not introduce security holes.
I have this lovely demonstration, but you have to pay me to show you how it works. How do we know it is a real hack? How do we know it isn't a shake down?
This is a shade of Fermat's last theorem. Wiles, after he finally proved it, said that he doubted Fermat actually knew a viable proof.
We don't know what these guys have. Whether it's blackmail or not, it still smells bad. I think the money would be better spent on real security researchers who disclose what they find.
Nearly fifty percent of all graduates come from the bottom half of the class!
it helps to have something people want. Realplayer? Go ahead, kill the hostage.
THL phish sticks
I'm surprised nobody has said it yet, but Real deserves this.
When I was a kid, we only had one Darth.
Drug companies worldwide hold proprietary information that would greatly benefit the public but rather than release it they use it to further their own research. Obviously if you take that away you might as well ditch capitalism while you are at it.
By the way, Real can simply have some moog in their office pretend to be a customer of the Gleg service and buy the data and then pass it on to Real. If there is some contractual reason why they can't, they can just have that moog work out of a country where the contract means nothing and then leak the info to Real. I mean seriously, how hard could it be.
The firm found the vulnerability. Shouldn't they be compensated? They aren't running a charity. Real would be the only one to benefit by security firms simply "giving" the exploit to them. Sure, you can argue that it's leaving customers insecure, but are you telling me Real can't afford $10,000?
Sorry, but this is blackmail. As there are two potential customers:
1. Real.
2. Criminal buyers.
The sale of this information to criminals has the additional effect of potentially severely damaging Real's business and Real's customers (you and me).
So, offering up this bug for a fee to any one other than Real, even as an idle threat, is nothing short of blackmail.
These guys are not "security researchers", they are criminals.
Yes, but you have missed the key point.
There are three classes of potential customers: product owners, users, and criminals. If the researcher makes it clear they are willing to sell their information to the third class - criminals - then it matters little if they are also willing to sell to the other two classes or not.
Clearly, the implication is they do not want to sell to the product owner class as that would be a single sale. By selling the information to users and criminals they ensure that they have a substantial number of potential sales as well as motivating the users to buy rapidly or else they will be victims of the criminal class.
I know I'm way off topic, but I have to ask. What is Real good for anyway? What do they do, for a fee, that isn't done by a variety of other sources for free? And I know their media player software is free, but in their case the fee is all the garbage that comes with it. Or you pay a monetary fee and likely still get a bunch of garbage you don't want.
So to make some on topic comment I will say that I fully support this form of capitalism. Real could pay them for the information - it's a better deal than hiring a consulting company that may or may not discover a problem. At least these people have already done work with positive results.
No sig for you. YOU GET NO SIG!
I suppose this really comes down to the intent of the security firm. WHY did they go looking for vulnerabilities? A common theme I see repeated here is that they spent time and effort looking for vulnerabilities. Why would they do so? What is their profit model? I see three real (hehe) possibilities.
1. They are planning to sell the information to (criminal) third parties.
2. They are planning to sell the information to Real.
3. They are trying to sell services to Real.
The fact that they offer it to third parties before offering it to the vendor (or at least offering a grace period) is very telling. They are trying to coerce Real to buy the vulnerability information before attacks appear in the wild. Failing to do so would lose them profit and face in the digital world, especially as this is being highly publicized.
Thus, either the firm is finding and selling vulnerabilities for criminal purposes or doing so to pressure companies into buying them. Either way, they are doing harm (to Real and/or end users). While it may not be illegal per se, this is a very underhanded thing to do.
According to Russian copyright law, "purely informational reports on events and facts are not copyrightable". The copyright on the code itself belongs to RP (and copyright to all other flaws discovered by this Russian company belongs to their respective owners), and the simple informational fact of knowledge about a flaw is not subject to copyright.
RP can legally subscribe to be a "customer" of this security firm, and then just take all information they deliver, and pass it on to all parties involved (in other words, send the relevant information to all companies whose code has a vulnerability). Several companies can team up and split the "subscription fee".
Consider this to be the security (and legal) version of ripping a pay porn site and dumping the contents on eMule. The Russian company won't go far with a single paying subscriber.
Recently Yahoo announced that they were selling my music account to RealNetworks at twice the current subscription fee. Based on the poor history of that company there isn't a snowball's chance that I'll get a subscription to Rhapsody. Knowing that Real has security flaws in what they -claim- is a cleaned up version of their adware engine is no particular shocker. I don't care what happens to them - does anybody still use them anyway?
If the g'vt kept the data on you that google does you'd better believe you'd be calling it "doing evil"
and if this zero-day was targeted at mysql? Please mod down parent.
"...normal evolution would have gone Word to Frame to troff, but instead, the computer industry has gone the other way!"
for explaining what the orthodox definition of blackmail is.
Mever nind the typos.
This is an interesting revenue model. If company A pays for a security audit, any exploits found are "bought" only once by company A. In this case, these guys can keep selling the exploit again and again, including to company A, but then to many others.
Russia has taken Capitalism to their hearts--principles be damned, everything has a price. It's funny how most of slashdot is lamenting good vs evil, while a clear profit is to be had. What happened to American business spirit? We should be proud that we exported capitalism to Russia, and stop bitching when they do it better than us. </sarcasm>
In Soviet Russia, articles before post read *you*!
If you sell software under a restricted proprietary license you have set the rules for all dealings with your code as being based purely on monetary gain. So if some programmers figure out a security flaw with your software they, like you, "don't have to give away their code or IP for nothing", because you also insist on not giving away your IP either.
There's also a fourth class of potential customer - security product vendors (such as IPS or anti-malware vendors).
If you can sell knowledge of a zero day exploit to an IPS vendor, they can trumpet their 0-day protection when there isn't even a patch from the app vendor and by the looks of the wording in TFA, it looks as if this is their target market;
"Gleg sells exploits to about a dozen corporate customers around the world, with fees starting at $10,000 for periodic updates."
So for the IPS and anti-malware vendors, Gleg is a supplier of exploit information that they can use in a legitimate way and in that respect, prima facie, the business model is valid and any talk of blackmail could potentially be libelous.
Wait a second...
You're the person who was saying that P2P wasn't allowed by Comcast's TOS the other day...
I did waste my time taking you seriously.
Setting aside the debate as to whether or not they should have a dollar value, the bottom line is that exploits do have a dollar value. Someone can use an exploit to take your money, your boss's money, your government's money, etc., which will always give these things a value to people with the requisite lack of ethics needed to use them in that way. Because of this, there's simply no economic incentive for this company to give away their commodity of value for nothing. If this kind of thing is to be stopped, we'll need to find a way to change that balance...either by paying for the exploit (giving an economic incentive to disclose) or by some kind of legislative approach (to create an economic disincentive for not disclosing). The legislative approach has such a history (it worked so well on software piracy) that it probably won't work all that well, here, which leaves us with this. Got a better idea?
Stasis is death. Embrace change.
I'd really feel for them. You know, if it wasn't RealPlayer.
Come on! Who doesn't hate that pile of garbage?
Care about electronic freedom? Consider donating to the EFF!
An escrow arrangement might offer a way out of the lack of trust by the parties.
what other reason would someone other than Real want to purchase the information except to do no good?
What about security teams like metasploit and the like?
There are perfectly reasonable people who are interested in this exploit possibly for the sole purpose of protecting their business or personal computers. Your jump to the conclusion of "anyone wanting this except Real just wants it for criminal uses" is ridiculous to say the least.
How about:
3 cents, a half-eaten snickers bar, and nasty bout of syphilis.
Easy solution from Real's point of view: don't release products with major security flaws. If you do, don't expect people to put in lots of work to find them and then give them to you for free.
With software is it even possible to ship a product without a defect?
In any other industry the manufacturer is responsible for their products. With software, the situation is quite different because software runs in an environment, and the environment has its own defects. It also evolves and changes. For example, a Windows application can break at any time because of something in Windows or something new on the system. This doesn't just include mistakes. Sometimes a perfectly harmless update or patch can have adverse effects.
Of course, none of this matters because all software ships with a disclaimer. So REAL doesn't really care... But still it is an interesting problem.
Geeze Evgeny Legerov, you won't just give us the solution? You mean we have to pay you to be our security adviser?
I've only worked with one company in the last 3 years at least -- that would pay the expense for a permanent Q/A person. When developing software, companies will pay for time to code extra last minute features but not do any Q/A for them.
What are all those out of work Q/A people to do?
Does anyone use RealPlayer? I mean, it's worse than QuickTime (and I HATE QuickTime).
If the prevailing logic (that the Russian company should cough up the goods for free) is applied, all pharma companies would be non-profit charities...
It's a wonderful charity to create something like Ubuntu and all the programs and tools and kernel code that went into it; but should McDonalds be giving its food away for free because you need food to live? You have to get it somewhere, and everyone else is charging. I can't tell the difference between an idiot and an idealistic marxist living in a fantasy world.
Support my political activism on Patreon.
I am not sure I understand correctly where people got the idea that that particular security research company sells info to "the bad guys". Unlike open source software, inspecting and finding flaws in black box type systems is more labor intensive (perhaps some of it can be automated, but only some). Someone has to pay for this. Because if they do "the ethical thing" they will have no money to pay rent and buy food, and won't be able to continue what they do. That way users will still "suffer due to bugs", except it's more likely that some shady company will be able to afford to pay someone to find exploits for them ONLY versus selling it to other security testing companies.
Easiest solution is, of course, to pay for updates via cooperation between multiple companies that just happen to have extremely buggy software. If you have regular zero day exploits popping up every month, those $10000 are well spent. They don't want to pay their developers to change the process and improve the testing, then they pay third party for black-box audits and fix problems after the fact.
If you want to get on an ever higher ethical horse, think about the ethical problems of the company that keeps releasing buggy stuff over and over and over again. If you accidentally add poison to your cookies every few months (instead of just laxative, because you give the cookies away for free and get a fee from the anti-diarrheal manufacturer for spikes in consumption), wouldn't you have an ethical obligation to stop the bakery and re-evaluate your process? Of course pointing the finger at a third party that does poison testing of baked stuff and sells results to merchants and labs is much easier.
Hyperom.com
You mean like Mozilla? I'm not sure if private security mailing lists, "confidential bugs" and all that are reprehensible, but they might be. Or do you mean another type of "reprehensible"?
Their existence may be repulsive
You mean like Mozilla, or do you mean another type of "repulsive"?
My patience for these parasites is exhausted.
Indeed.
The twitter monologues. Click on my homepage and be amazed.
- Eben Moglen
After just taking a look at Real's market cap (a whopping $831 Million! - my gawd is it really worth that much?!), and Q4 revenue of $125 Million (!), the 10k they would spend on them is a tiny little drop in the bucket compared to what they should already be spending on heavy pentesting anyway. 10k wouldn't even cover the cost of Mt. Dew and Cheetos for a year of a highly qualified pentesters time.....
How much would it damage Real if they (Gleg) just released the exploit into the wild? Far more than 10k's worth, assuredly.
This is exactly what the TippingPoint Zero Day Initiative is for. To give credit and a bit of money to researchers who spend time and effort to discover vulnerabilities in software.
Sure these researchers should get money/credit, but what if they become greedy or irresponsible?
1- Bread is not software. Bread cannot be duplicated endlessly.
2- The marginal cost of bread is not zero. Not by far. Just like the cost of software is not zero, except when you duplicate it infinitely. See 1.
3- Moglen, like Stallman, believes we should all live in a barter-based society where we trade stuffed animals for steaks and toilet papers for C compilers. It's a nice vision that has never been proven to work beyond small social structures.
4- You lose at teh analogies. Thanks for playing.
Explain the concept of capitalism in eastern Europe:
1. Create EXPLOIT
2. Tease Masses with cure
3. PROFIT !!
4. Release EXPLOIT
5. Grab another bucket full of vodka
6. VOMIT !!
The fact that they're not releasing it into the wild is a problem. Until it gets released (or Real pays up or finds it themselves) it will be a nasty weapon used for nefarious deeds.
It's so disgusting that US companies hold back the spread of medicine for profit.
Hmmmm...
I am in the lawn care business. I know why your lawn is dying. I will make it green, for a fee.
I am in the computer tech business. I know why your sound card has a problem. I will fix it... for a fee.
I am in the computer tech business. I know how to fix the virus(es) in your computer. For a fee.
I am a chef. I know how to cook your dinner. Do you expect the recipe for free?
And so on. It would be "giving to the community" to give them the information for free, but this kind of business model *IS* all around us. No point in singling them out.
CERT needs only to attach a license to their security advisories indicating, for example, unlimited right to use EXCEPT for named companies such as Gleg. Since Gleg undoubtedly uses much of CERT's content for their other advisories to paying customers, this would give them an incentive to share their information with the same community that they rely heavily upon.
QED
IANAL YMMV
The only way that the computer-using public can be properly protected from the most egregious excesses of the computer industry is for Government to mandate that every piece of computer software must be supplied with Source Code, or not at all.
Just because you get the Source Code doesn't mean you would have to get distribution rights (see PGP usage licence, Skype / Flash developers' licences and pre-GPL Java licences for examples of licences which grant access to Source Code while restricting distribution). And lack of Source Code hasn't done much to stop Office and Windows from being pirated.
Mandatory provision of Source Code would enable third party code auditing, which is important from the user's perspective. A whole secondary industry could grow up around auditing code and supplying upgrades (and these companies would be ideally placed to monitor licence compliance; in fact, for them to supply upgrades to improperly-licenced software would constitute Aiding and Abetting piracy. There's already a non-computer parallel: try and buy a TV set from a high street vendor without some sort of evidence that you have a fully paid-up TV licence).
No doubt there will be howls of protest from software vendors, who have been getting away for far too long with shipping inferior product under the disguise afforded by not supplying the Source Code. Fuck what they think. Users outnumber vendors, and the needs of the many must outweigh the whims and caprices of the few.
Je fume. Tu fumes. Nous fûmes!
Real has the source code. They don't need to pay anybody else to find the bug, they can do their own code review.
Excuse me, but please get off my Pennisetum Clandestinum, eh!
"If I knew how to break into your house, then told you that I was able to but won't tell you how unless you paid up a fee?"
That's called Anti-Virus, and a lot of companies get rich from it.
No seriously, is that really any different than saying:
"I know how to make sure you won't die from aids, but I won't save your life unless you pay me for the medicine"
If you accept the idea of Intellectual Property, I see this as a natural progression of IP. What's good for the goose is good for that gander.
You were mistaken. Which is odd, since memory shouldn't be a problem for you
The second situation is much more dodgy.
It's paying for exclusivity that tips the situation over the edge into possible criminal conspiracy if a major exploit subsequently happens. If your house gets looted because you forgot to lock a door, and your neighbours say afterwards that they saw your door open but didn't get around to telling you, you might be a little disgruntled about it, but they can say that they were acting in good faith. After all, they aren't responsible for your house, and it's not up to them to tell you how to run your own affairs.
But if you find out that your neighbours had seen your door open, and had then decided to cash in by selling that information to a dodgy local private security firm just before you got burgled, you might have a few questions. If, after the burglary, your neighbours explain that they weren't allowed to tell you, because the security firm had paid them specifically not to tell you about your house's vulnerabilities, then you may get rather upset and conclude that the security firm are probably a bunch of crooks, and that neighbour is a nasty two-faced criminal piece of shit.
If someone decides to be a good neighbour, that's great. If they decide not to be a good neighbour, that's usually their decision. If they decide only to help you out if you pay them, that's also often understandable.
But if people don't help you out because they're specifically being paid not to be neighbourly to you, and not to help you even for money, because a company that wants to sell you a service is paying folk not to do anything that might undermine their exclusivity, so that they can charge higher prices ... then that's something potentially very different.
Eric Baird
...security breaches YOU!
Seems like not a bad price for a company whose software runs in millions and millions of copies around the world.
If we assume that $10,000 is for a year: that is the cost of one tenth of a full time internally hired security expert.
I think Real should consider subscribing to the services of Gleg.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
RealPlayer does not contain a Zero Day. It contains a Zero Day Vulnerability. If it did contain a Zero Day it would have been put there by Real. :-)
America, Home of the Brave.
That analogy sucks because the Russian researchers didn't come up with a cure for anything; they came up with a possible exploit.
Here's a better analogy:
If a pharmaceutical company discovers a weakness in a certain ethnic group's genotype that allows an agent (normally harmless) to selectively kill members of that group, should they be allowed to sell the information to third-world dictatorships?
If your logic is applied, the pharmaceutical company should be able to be a party to genocide, with no legal consequences whatsoever.
Did you know that criminals drink Pepsi and eat at McDonalds?
How else are they going to get paid? They did work, Real expect them to donate their work for free. I don't see it as unreasonable to ask for payment, whether Real think the price is too high is a matter for them (and their customers?)
Hi nguy,
umm, ok, nobody else thought of this because I'm a moron?
You do realize that doesn't make sense, right?
Yeah, they should have just found it before. (rolls eyes)
How? They can't even find it now.
Yeah, everyone just chooses not to avoid them. (no one's got it figured out like you) (and your perfect code)
Even Slashdot won't claim that:
When did insurgence against imperialism become a bad thing?
When you are the imperialists. Next!
meh
He's rational. You're a religious nut. Simple.
Seems like they leaked the information and want to be paid for that.
All 19 hijackers were known terrorists 09-10-2001. Lack of FBI intelligence does not justify warrantless wiretaps.
BS. You have no evidence that all their subscribers fall into those categories.
There can certainly be categories of potential subscribers that neither you nor I have anticipated.
Their service is not specific to Real: they are likely to have corporations as subscribers, corporations that are either in the business of writing one of the popular applications that has security issues, or are in the security business.
The vulnerability in Real would be merely one flaw that they have discovered in one particular software product.
Their purpose in life is not solely to share exploits related to Real products, therefore it makes no sense that their target audience has anything to do with Real.
The subscription nature of such services, and the large number of software vendors and security vendors means that they _don't_ just make one sale, there is most certainly a large monthly fee involved.
Few sales are just fine, if the price is sufficient, and recurring prices are high enough.
You show no evidence that they target customers who have a possibility of using the information with criminal intent: whereas, it is very possible that they scrutinize their customers, they may perform background checks to help ensure that's not the case.
There is absolutely no evidence shown to support the contention that they are attempting blackmail or any kind of malice.