Slashdot Mirror


Security Research and Blackmail

harryjohnston alerts us to a story picked up by a few bloggers in the security space. A Russian security research company, Gleg, has discovered a zero-day in the latest version of RealPlayer 11. But they won't reveal details to Real, or to CERT, despite repeated requests. Details are available only to their clients who pay a lot of money for early access to such knowledge. To describe Gleg's business model Daniweb rather cautiously puts forward the word "blackmail." The story was first exposed in Ryan Naraine's SecurityWatch blog.

8 of 307 comments

  1. Re:it's tough by thedarknite · Score: 2, Informative

    But it does come close to racketeering.

    --
    A game has objectives and is competitive, anything else is just play
  2. Re:Wrong. by Deanalator · Score: 2, Informative

    Plenty of pen testers use 0day when evaluating companies. The theory is that busting a single machine on the corporate network should not give you the "keys to the kingdom". Properly implemented security architecture should be able to mitigate single point failures. Immunity and Core (American companies) both buy and sell 0day without informing the vendor. WabiSabiLabi has a very convenient marketplace for such transactions as well. It's all supply and demand. Sure it's sketchy, but aren't you glad that these are being sold in public, and not just on the black market?

  3. Re:But... by techno-vampire · Score: 4, Informative
    But who does use RealPlayer anyway, that this could possibly affect?

    All the Aunt Tillies out there who use Windows because it came installed on their computers and have no idea what an operating system is. They use IE for the same reason, and when they want to hear an audio file, guess what IE tells them to install? One hint: it won't be VLC.

    --
    Good, inexpensive web hosting
  4. Re:Intellectual Property by forgotten_my_nick · Score: 3, Informative

    "If I knew how to break into your house, then told you that I was able to but won't tell you how unless you paid up a fee?"

    That in itself is a fair point. I mean, what if you are working in the security industry and are trying to secure someone's business? You certainly aren't going to do it for free.

    The issue here is more like, after the home owner says they don't have the money or can't pay, you sell the information to whoever wants it. That, I am pretty sure, is illegal.

  5. Re:Non free morals, the victim is also a criminal. by willyhill · Score: 2, Informative
    The more reprehensible of non free software companies will deny a flaw exists when it's presented to them and beg the discoverer to keep quiet while they "fix" the problem ... forever and then act angry when the flaw is revealed to the public.

    You mean like Mozilla? I'm not sure if private security mailing lists, "confidential bugs" and all that are reprehensible, but they might be. Or do you mean another type of "reprehensible"?

    Their existence may be repulsive

    You mean like Mozilla, or do you mean another type of "repulsive"?

    My patience for these parasites is exhausted.

    Indeed.

    --
    The twitter monologues. Click on my homepage and be amazed.
  6. Why not compromise by martinlp · Score: 3, Informative

    This is exactly what the Tippingpoint zero day initiative is for: to give credit and a bit of money to researchers who spend time and effort to discover vulnerabilities in software.
    Sure these researchers should get money/credit, but what if they become greedy or irresponsible?

  7. Re:Intellectual Property by spinkham · Score: 2, Informative

    See rock meet glass. See glass break. Break glass break! Have you ever tried to break a modern car window?
    I have, and:
    1) It's not easy. It takes a LOT of force to crack the window.
    2) You get little pieces of glass with sharp edges EVERYWHERE. They're not long jagged pieces like you would get from non-laminated glass, but they can still cut you up pretty well.

    It is possible with the right kind of tools (heavy blow, small area) to crack the window without blasting pieces everywhere, but with a simple rock, that result is not likely.

    Shattering a window with a small child in the car is better than letting them cook, but still not a very safe thing to do.
    --
    Blessed are the pessimists, for they have made backups.
  8. Re:Intellectual Property by lucifuge31337 · Score: 2, Informative

    You did it wrong.

    Improvised side-auto glass breaking 101:
    1.) Get an antenna from your car or the nearest one. Break it off.
    2.) Make it into a U - hold both free ends in your one hand.
    3.) Place this hand just outside the one corner of the window (your hand on the body of the car) with the rest of your "U" going across the window at an angle. Try to get the tip to hit in the bottom right or left corner of the window, about an inch or 2 from the edge.
    4.) Pull the tip back with your other hand. Let go.

    I mention this for one reason only - the getting-the-child-out situation. Anyone with malicious intent will simply use a brick, or the proper tool (a spring loaded center punch). This way minimizes any flying glass, and makes the window pretty much fall straight down in small pieces. Obviously you want to choose the window furthest from the child if you need to do this. Front and rear glass will likely not work with this technique, as they are laminated. We have specific saws and picks for this (glass masters).

    Yes... I'm a PA certified vehicle rescue technician. Yes, I've pulled people out of cars using this method in a pinch.

    --
    Do not fold, spindle or mutilate.