Security Research and Blackmail
harryjohnston alerts us to a story picked up by a few bloggers in the security space. A Russian security research company, Gleg, has discovered a zero-day in the latest version of RealPlayer 11. But they won't reveal details to Real, or to CERT, despite repeated requests. Details are available only to their clients who pay a lot of money for early access to such knowledge. To describe Gleg's business model Daniweb rather cautiously puts forward the word "blackmail." The story was first exposed in Ryan Naraine's SecurityWatch blog.
Seems fair: they have information and want to be paid for it.
If you're not actually shaking down the vendor, it's not blackmail. I mean, if you get a piece of information, are you obligated to inform anyone?
It is sleazy, don't get me wrong, because what other reason would someone other than Real want to purchase the information except to do no good? But I'm having a hard time feeling sorry for Real, because they suck so fucking bad. I keep trying to replace them in my mind with some company I like to analyze the situation, but it just keeps switching back to Real.
I mean, it's not like someone's going to get killed or anything. Unless, of course, Putin wants that done.
I don't call it blackmail, I call it a free market...
Companies have a financial incentive for keeping their products secure; open source projects have less of an issue because the money just isn't in it.
All this is is one company spending real money, hiring well-paid analysts to plow through machine code or source code and analyse vulnerabilities.
The reason they can afford to do this is because the market is full of companies willing to pay for this stuff...
That's where your code of ethics goes out of the window!
With open-source projects, there is still a market of companies using that software but at the same time there's a limited timespan before it's usually discovered by somebody else.
You know very well that if you advertise you've found a security flaw in open source XX product you're going to have hundreds of people scrutinising it and developing a fix, because it's beneficial to everybody (so the code of ethics lives strong).
It doesn't help that 'Real' has a bad reputation, but by doing this and withholding it, Gleg are doing exactly what they set out to do in the first place and doing as any successful businessman/woman does: identifying the market and targeting it appropriately.
This happens every day, not just in software security but in every other industry, yet people just consider it a normal day in the office and maybe grumble a bit about it.
In an ideal situation ethics and social benefit would come first though... yet this is in practice incompatible with the free market, just for the reasons above.
So, I have one question, does UAC actually help trap exploits like this?
Not that I would ever install Realplayer outside of a locked down VM anyway. Assume I had a seizure or something and wanted to put this on my host OS.
When companies ship software with security holes, it's a product defect. If they don't want to be embarrassed by that in public, they should simply not introduce security holes.
Way to completely sidestep the word 'ethics' there...
"In unregulated areas (i.e. new markets) they have a much more "rapacious" concept of it than the west. The public good is an inconvenient idea."
FTFY
"Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
Sorry, but this is blackmail. As there are two potential customers:
1. Real.
2. Criminal buyers.
The sale of this information to criminals has the additional effect of potentially severely damaging Real's business and Real's customers (you and me).
So, offering up this bug for a fee to anyone other than Real, even as an idle threat, is nothing short of blackmail.
These guys are not "security researchers", they are criminals.
Yes, but you have missed the key point.
There are three classes of potential customers: product owners, users, and criminals. If the researcher makes it clear they are willing to sell their information to the third class - criminals - then it matters little if they are also willing to sell to the other two classes or not.
Clearly, the implication is they do not want to sell to the product owner class as that would be a single sale. By selling the information to users and criminals they ensure that they have a substantial number of potential sales as well as motivating the users to buy rapidly or else they will be victims of the criminal class.
If you sell software under a restricted proprietary license you have set the rules for all dealings with your code as being based purely on monetary gain. So if some programmers figure out a security flaw in your software, they, like you, "don't have to give away their code or IP for nothing", because you also insist on not giving away your IP either.
Does anyone use RealPlayer? I mean, it's worse than QuickTime (and I HATE QuickTime).
If the prevailing logic (that the Russian company should cough up the goods for free) is applied, all pharma companies would be non-profit charities...
How long before Real change their EULA demanding that licensees reveal any exploits to them within 24 hours of discovery?
The fact that they're not releasing it into the wild is a problem. Until it gets released (or Real pays up or finds it themselves) it will be a nasty weapon used for nefarious deeds.
Mever nind the typos.
How else are they going to get paid? They did work; Real expect them to donate their work for free. I don't see it as unreasonable to ask for payment. Whether Real think the price is too high is a matter for them (and their customers?).