Slashdot Mirror


Security Research and Blackmail

harryjohnston alerts us to a story picked up by a few bloggers in the security space. A Russian security research company, Gleg, has discovered a zero-day in the latest version of RealPlayer 11. But they won't reveal details to Real, or to CERT, despite repeated requests. Details are available only to their clients, who pay a lot of money for early access to such knowledge. To describe Gleg's business model, Daniweb rather cautiously puts forward the word "blackmail." The story was first exposed in Ryan Naraine's SecurityWatch blog.

47 of 307 comments

  1. Intellectual Property by thebear05 · · Score: 5, Interesting

    Seems fair they have information and want to be paid for it

    1. Re:Intellectual Property by Penguinisto · · Score: 3, Insightful
      If I knew how to break into your house, then told you that I was able to but won't tell you how unless you paid up a fee?

      I'm sure that you'd easily come up with a lot of reasons why it isn't cool.

      On certain superficial moral levels, sure - proprietary closed-source shops would have it coming in a fashion. They make money from hidden information, so hiding information from them until a fee is paid sounds a bit like karma.

      OTOH, that's not how we're supposed to work as a community, for one simple reason: end-users don't deserve the grief (which they would get in increased costs that would be passed onto them). Morally, a security researcher isn't supposed to hold information hostage and then credibly claim to be part of any ethical hacking community. At level best, they would be called grey hats; many would rightly call them black-hats.

      ...and what if the info turns out to be bogus, or an attempt to manipulate the best-guess fix into becoming an even bigger security hole?

      Sorry, but there's a distinct lack of responsibility and ethics going on here, no matter how much you think the primary target may deserve it.

      /P

      --
      Quo usque tandem abutere, Nimbus, patientia nostra?
    2. Re:Intellectual Property by thebear05 · · Score: 2, Insightful

      How does your argument differ from the profession of a locksmith? They know how to get in your house, and you can pay them to get you into your house. Now, is it ethical to withhold information that could be used to hurt others? I would say that I personally think no. But if they have discovered something that is beneficial to someone, compensation does not seem unfair if reasonable.

    3. Re:Intellectual Property by vux984 · · Score: 2, Insightful

      How does your argument differ from the profession of a locksmith? They know how to get in your house, and you can pay them to get you into your house.

      Great analogy! Let's work with that.

      Can you pay a locksmith to open someone else's house for you? Can you pay him to show you how so you can do it yourself?

      Of course not.

      But it goes further than that... locksmiths are both licensed and bonded in most civilised countries to help prevent exactly these sorts of activities, as well as any other sort of unethical activities he'd be able to commit.

      Now if the locksmith discovered some fatal flaw of some widely distributed type of lock, I wouldn't say he's obligated to turn the information over to the lock manufacturer. And if he wants to sell them the information, that's fine too.

      But in the meantime, he still can't go around disclosing the information (for money or otherwise) or using it himself, outside of the ethical constraints of his trade (that is, of only opening locks for the owners, at their specific request).

      Your locksmith analogy is apt. Perhaps security researchers should also be licensed and bonded before they are allowed to work professionally and provide services to the public. (Hobbyist hackers would still be free to bang away at their own locks in their own homes.)

    4. Re:Intellectual Property by timeOday · · Score: 4, Insightful

      How does your argument differ from the profession of a locksmith? They know how to get in your house, and you can pay them to get you into your house.
      Go ahead and advertise a "locksmith" service to open the doors on anybody's home, without the owner's consent, for a fee. Then have fun in jail.

      Here's a better analogy for a legal activity: auto makers who sell SUVs to whomever wants them, then tell the rest of us we need one to keep our families safe in the event of being hit by one. It's a classic arms race, the only real winner is the arms dealer.

    5. Re:Intellectual Property by clarkkent09 · · Score: 5, Insightful

      If I knew how to break into your house, then told you that I was able to but won't tell you how unless you paid up a fee? I'm sure that you'd easily come up with a lot of reasons why it isn't cool.

      Honestly, I couldn't. I am sure there are security experts out there who would be able to improve security of my house but I certainly wouldn't expect them to do it for free. This idea that if you find bugs in a software product, you have the responsibility to give that information to the company that makes it, and therefore help them improve their product, for free is completely bogus.

      Sorry, but there's a distinct lack of responsibility and ethics going on here, no matter how much you think the primary target may deserve it.

      I don't see any ethical problems here, and it's completely irrelevant who the party involved is. I would actually argue that there is more of an ethical problem with testing a company's product for free, as it devalues the work of their own QA personnel, and it encourages companies to release shoddy products too early, with the expectation that paying customers will help them fix the bugs.

      --
      Negative moral value of force outweighs the positive value of good intentions.
    6. Re:Intellectual Property by forgotten_my_nick · · Score: 3, Informative

      "If I knew how to break into your house, then told you that I was able to but won't tell you how unless you paid up a fee?"

      That in itself is a fair point. I mean what if you are working in the security industry and are trying to secure someones business. You certainly aren't going to do it for free.

      The issue here is more like after the home owner saying they don't have the money or can't pay that you sell the information to whoever wants it. That I am pretty sure is illegal.

    7. Re:Intellectual Property by martinX · · Score: 4, Funny

      Security researchers. In Russia. Licensed and bonded. I can see that working...

      --
      When they came for the communists, I said "He's next door. Take him away. Goddam commies."
    8. Re:Intellectual Property by bluefoxlucid · · Score: 2, Insightful

      Because if they don't, your kid can starve or freeze to death or get cooked in the summer. Babies have died in cars. And letting people off "because they can't pay" is complex and leads to scams and paranoia and all kinds of weird legal confusion so it's easier to just say "Screw this, don't worry about the money" and refuse to take payment at all. I guess some people just find it hard to put a price on someone's life, at least a price on a few dollars of gas and 20 minutes of work time against someone's life.

    9. Re:Intellectual Property by somersault · · Score: 4, Insightful

      Your analogy is slightly off. Even from just reading the summary you can see that this is like a locksmith with a list of criminals who subscribe to his mailing list. The locksmith works out the vulnerabilities in your security (most houses are pathetically insecure via lockpicking anyway, if you really want into a house it's not gonna be hard to get in), then lets these criminals know them, but refuses to let you yourself know what the vulnerability is. He doesn't demand payment from you - he refuses to give you the information for any price, because you almost certainly won't pay as much as all his other clients. Because you have millions of houses, with millions of [currency]s worth of currency.

      For some reason when I first read the summary I was thinking of this company's clients as benign, but a second reading made me rethink :P

      --
      which is totally what she said
    10. Re:Intellectual Property by wireloose · · Score: 2, Insightful

      I see this as a good opportunity for a security firm to make a little cash for their efforts. The auction approach is not necessarily the best or most ethical approach as far as we, the consumers, are concerned, but we have no proof that they didn't approach Real prior to the auction, with a private offer.

      Security firms take a huge risk these days even announcing they've found exploits and publishing them. How many links do you need to articles on lawsuits against blackhats for revealing an exploit, just because some software author doesn't want it known that they have security holes? I ask myself, "How many unpublished exploits are still to be found in existing platforms because the company knows about it but has buried the information and is in no rush to develop a fix?"

    11. Re:Intellectual Property by ultranova · · Score: 2, Funny

      In Soviet Russia, security bonds you !

      --
      Forget magic. Any technology distinguishable from divine power is insufficiently advanced.

    12. Re:Intellectual Property by gunnk · · Score: 4, Insightful

      I think you've hit the nail on the head.

      If the company knows of an exploit and wants to sell the information about it to the vendor that's perfectly fine as long as they aren't threatening to tell others about it.

      It's much like noticing my neighbor has an open wifi point advertising his file shares. Nothing wrong with offering to show him exactly what the problem is for a fee. If he doesn't want to pay for my expertise -- well, I told him his wifi point is leaving him open to hackers, so he has been warned. Now if I say I'm going to sell the information to others if he doesn't pay me -- that's extortion.

      I couldn't tell with certainty from the article whether or not the firm is showing the actual exploit to their subscribers or not. They may just be informing their clients of the existence of the exploit and giving guidelines about the severity and potential impact to business operations. If that's all they're doing, I'd say they are playing to win, but playing by the rules.

      On the other hand, if they sold the actual exploit to their subscribers then they're criminals.

      --
      Life is short: void the warranty.
    13. Re:Intellectual Property by spinkham · · Score: 2, Informative

      See rock meet glass. See glass break. Break glass break! Have you ever tried to break a modern car window?
      I have, and:
      1) it's not easy. It takes a LOT of force to crack the window.
      2) You get little pieces of glass with sharp edges EVERYWHERE. They're not long jagged pieces like you would get from non-laminated glass, but they can still cut you up pretty well.

      It is possible with the right kind of tools (heavy blow, small area) to crack the window without blasting pieces everywhere, but with a simple rock, that result is not likely.

      Shattering a window with a small child in the car is better than letting them cook, but still not a very safe thing to do.
      --
      Blessed are the pessimists, for they have made backups.
    14. Re:Intellectual Property by gunnk · · Score: 2, Insightful

      Suppose I run a company that does security work for my clients. One of the things I do for them is run a battery of tests to see if I can break their security via any of their installed software. It seems to me that you are arguing that if I find something I have a moral obligation to inform not just my clients, but the vendor of the software.

      Well, that's an interesting argument. I'm not sure I agree, but I'm not sure I disagree either.

      On one hand, making sure the vulnerability is explained in detail to the vendor so that the vendor can fix it helps everyone globally that uses their software. On the other hand, why should I turn the results of my work over to them for free when they could have (should have?) found the problem themselves. It's kind of grey to me, so that's why I described it as "playing to win". I'm not making any statement whatsoever as to what you call the "qualifications" of the recipient of the information.

      My big point is that I would withhold rabid condemnations of the security firm unless they are actually releasing the technical details to the highest bidder while withholding those details from the vendor.

      Reporting details free of charge to the vendor is magnanimous. Notifying the vendor and offering to sell them the details (contingent on proving to them the problem really is on their end) strikes me as simply business. Notifying the vendor that you are selling off the details to anyone willing to pay is blackmail.

      --
      Life is short: void the warranty.
    15. Re:Intellectual Property by lucifuge31337 · · Score: 2, Informative

      You did it wrong.

      Improvised side-auto glass breaking 101:
      1.) Get an antenna from your car or the nearest one. Break it off.
      2.) Make it into a U - hold both free ends in your one hand.
      3.) Place this hand just outside the one corner of the window (your hand on the body of the car) with the rest of your "u" going across the window at an angle. Try to get the tip to hit in the bottom right or left corner of the window, about an inch or 2 from the edge.
      4.) Pull the tip back with your other hand. Let go.

      I mention this for one reason only - the getting-a-child-out situation. Anyone with malicious intent will simply use a brick, or the proper tool (a spring-loaded center punch). This way minimizes any flying glass, and makes the window pretty much fall straight down in small pieces. Obviously you want to choose the window furthest from the child if you need to do this. Front and rear glass will likely not work with this technique, as they are laminated. We have specific saws and picks for this (glass masters).

      Yes....I'm a PA certified vehicle rescue technician. Yes, I've pulled people out of cars using this method in a pinch.

      --
      Do not fold, spindle or mutilate.
  2. Blackmail eh? by QuantumG · · Score: 3, Insightful

    How about just "proprietary knowledge".. ya know, like the source code of Real Player?

    --
    How we know is more important than what we know.
    1. Re:Blackmail eh? by QuantumG · · Score: 5, Insightful

      huh? Call me crazy, but isn't extortion where you demand someone pay you to keep quiet? These guys are not demanding a silence payment.. they're just selling their proprietary information to whoever wants to pay for it.

      --
      How we know is more important than what we know.
  3. it's tough by rastoboy29 · · Score: 2, Interesting

    If you're not actually shaking down the vendor, it's not blackmail.  I mean, if you get a piece of information, are you obligated to inform anyone?

    It is sleazy, don't get me wrong, because what other reason would someone other than Real want to purchase the information except to do no good?  But I'm having a hard time feeling sorry for Real, because they suck so fucking bad.  I keep trying to replace them in my mind with some company I like to analyze the situation, but it just keeps switching back to Real.

    I mean, it's not like someone's going to get killed or anything.  Unless, of course, Putin wants that done.

    1. Re:it's tough by thedarknite · · Score: 2, Informative

      But it does come close to racketeering.

      --
      A game has objectives and is competitive, anything else is just play
    2. Re:it's tough by fosterNutrition · · Score: 2, Insightful

      I don't see it that way. In my view, they're not "threatening damage" but promising results. They're essentially saying "Hey Real, if you hire us to do a security audit, we can guarantee we will find at least one serious vulnerability, and your money will have been well spent." It's a bit disingenuous to phrase it this way, but it essentially boils down to the same thing.

      Think of it as "we guarantee value for your money" rather than "give us money or we guarantee you'll wish you had," which, if you consider missed opportunities valuable, mean the same thing.

    3. Re:it's tough by Ambush+Commander · · Score: 2, Insightful

      It's one thing for RealMedia to cause damage (release a product with a security flaw in it). It is another thing to actively exacerbate this damage (release an exploit to the blackhat community for large sums of money, and refuse to tell the vendor what the exploit is).

  4. It's called capitalism by enos · · Score: 5, Insightful

    It's called capitalism, and it's been breaking out in eastern Europe ever since the USSR fell. In unregulated areas (i.e. new markets) they have a much more "pure" concept of it than the west. The public good is a socialist idea. This same thing happens in a lot of places in the west where there are shops that specialize in IP of some sort. They have to make their living somehow. It's just that people are used to security companies giving this stuff away for free.

    --
    boldly going forward, 'cause we can't find reverse
    1. Re:It's called capitalism by thelexx · · Score: 2, Interesting

      Way to completely sidestep the word 'ethics' there...

      "In unregulated areas (i.e. new markets) they have a much more "rapacious" concept of it than the west. The public good is an inconvenient idea."

      FTFY

      --
      "Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
    2. Re:It's called capitalism by skribe · · Score: 4, Interesting

      How long before Real change their EULA demanding that licensees reveal any exploits to them within 24 hours of discovery?

      --
      Blog
  5. chilling effects of free market capitalism by drspliff · · Score: 5, Interesting

    I don't call it blackmail, I call it a free market...

    Companies have a financial incentive for keeping their products secure; open source projects have less of an issue because the money just isn't in it.
    All this is - is one company spending real money, hiring well-paid analysts to plow through machine code or source code and analyse vulnerabilities.
    The reason they can afford to do this is because the market is full of companies willing to pay for this stuff...

    That's where your code of ethics goes out of the window!

    With open-source projects, there is still a market of companies using that software, but at the same time there's a limited timespan before it's usually discovered by somebody else.
    You know very well that if you advertise you've found a security flaw in open source XX product you're going to have hundreds of people scrutinising it and developing a fix - because it's beneficial to everybody (so the code of ethics lives strong).

    It doesn't help that `Real' has a bad reputation, but by doing this and withholding it, Gleg are doing exactly what they set out to do in the first place and doing as any successful business man/woman does: identifying the market and targeting it appropriately.

    This happens every day, not just in software security but in every other industry, yet people just consider it a normal day in the office and maybe grumble a bit about it.

    In an ideal situation ethics and social benefit would come first though... yet this is in practice incompatible with the free market, just for the reasons above.

  6. Blackmail? by clarkkent09 · · Score: 5, Insightful

    If this is valuable information (as in, there are people willing to pay money for it), why should they give it away for free? Companies pay good money to consultants to come over and fix problems with their business; why shouldn't they have to pay people who help them fix problems with their software products?

    --
    Negative moral value of force outweighs the positive value of good intentions.
    1. Re:Blackmail? by xtracto · · Score: 2, Insightful

      Yeah, screw Real and the others. They create closed source software; how can they expect to get free security consultancy? If this company is spending their resources on finding methods to secure third-party insecure software then they have all the right to sell such information. If people at Real want to know about these problems they should 1. spend their money getting good security consultancy or 2. open source the programs and then maybe people will submit patches for free.

      Just imagine if Microsoft was in the same situation. Oh shit, they are, with viruses and whatnot. It's as if they told Symantec, McAfee and all those useless crap vendors to give them their technology for free... "oh shit, my software is buggy as hell, please give me the corrections you made... oh but I won't give you nothing in return, not the source, not anything, but I really like free lunch".

      Charge them, and charge them dearly.

      --
      Ubuntu is an African word meaning 'I can't configure Debian'
    2. Re:Blackmail? by dissy · · Score: 3, Insightful

      It's one thing to inform the vendor that a flaw exists and demand money for the details of the flaw. It's a whole different thing in my book to sell the details to _anybody_ other than the vendor. Indeed. Unfortunately in the USA, by law, if you inform the vendor of the problem and so much as ask for payment, it falls enough into the legal definition of blackmail to get you in trouble if they push the issue. And you never know if they will push it to court, or thank you for your trouble.
      If I was running a large company with lots of financial backing, and thought I was in the right (or to be more specific, if my legal team thought I was in the right) then I would definitely go to court to fight it.
      However, being an individual, there is no way in hell I would willingly expose myself to that type of risk.

      Selling to everyone else, however, can't possibly be blackmail, since they can just say no and nothing bad happens to them. It doesn't match either the legal or English definition of the word.

      It's very smart from a legal point of view. Offer your services and 'IP' to everyone that you know won't sue you for it, and avoid the one person/company that could.

      If the laws were different and more sane, then they COULD sell to everyone including the vendor, or perhaps it would be at a price where they can afford to sell to ONLY the vendor.
      Sadly, they aren't.

      Capitalists gotta eat after all!
  7. Re:I for one ... by mysidia · · Score: 5, Insightful

    Not blackmail. But poorly designed software tends to have security bugs.

    These bugs pose a problem for users of the software. It makes sense that third party services exist that scour software for bugs like this, for the benefit of the software's users and prospective users.

    So they can know whether to use the software or whether to take extra precautions/refrain from using it.

    The cost of performing this type of analysis is high. Much time and energy is required.

    It makes sense that you need to pay to review their findings in detail, or to review them before they are publicly released (for free).

    If they merely submit their findings to the software vendor, then they have provided the vendor with high-quality, costly labor for free.

    Why should the software vendor get free labor from security researchers, and be able to freely follow poor design practices in the design of their software, while relying on the public to find and report the issues gradually? (For them to lazily fix _after_ the defect is drawn to their attention)

    If the security researcher wishes to serve the community, then they have the option of practicing full disclosure, but they may be more fairly compensated for their work by providing paying customers with key information in advance, so their customers can mitigate the problem, before it has become public (and known to the bad guys).

    One way you mitigate the problem is very simple: uninstall the defective RealPlayer 11. Re-install the fixed version when it becomes available.

  8. Vista by Joe+U · · Score: 2, Interesting

    So, I have one question, does UAC actually help trap exploits like this?

    Not that I would ever install Realplayer outside of a locked down VM anyway. Assume I had a seizure or something and wanted to put this on my host OS.

  9. Why does this remind me of Fermat's Last Theorem? by AB3A · · Score: 2, Insightful

    I have this lovely demonstration, but you have to pay me to show you how it works. How do we know it is a real hack? How do we know it isn't a shake down?

    This is a shade of Fermat's last theorem. Wiles, after he finally proved it, said that he doubted Fermat actually knew a viable proof.

    We don't know what these guys have. Whether it's blackmail or not, it still smells bad. I think the money would be better spent on real security researchers who disclose what they find.

    --
    Nearly fifty percent of all graduates come from the bottom half of the class!
  10. Re:I for one ... by cdrguru · · Score: 4, Interesting

    Yes, but you have missed the key point.

    There are three classes of potential customers: product owners, users, and criminals. If the researcher makes it clear they are willing to sell their information to the third class - criminals - then it matters little if they are also willing to sell to the other two classes or not.

    Clearly, the implication is they do not want to sell to the product owner class as that would be a single sale. By selling the information to users and criminals they ensure that they have a substantial number of potential sales as well as motivating the users to buy rapidly or else they will be victims of the criminal class.

  11. Why? by BraneSpace · · Score: 2, Insightful

    I suppose this really comes down to the intent of the security firm. WHY did they go looking for vulnerabilities? A common theme I see repeated here is that they spent time and effort looking for vulnerabilities. Why would they do so? What is their profit model? I see three real(hehe) possibilities.

    1. They are planning to sell the information to (criminal) third parties.
    2. They are planning to sell the information to Real.
    3. They are trying to sell services to Real.

    The fact that they offer it to third parties before offering it to the vendor (or at least offering a grace period) is very telling. They are trying to coerce Real to buy the vulnerability information before attacks appear in the wild. Failing to do so would lose them profit and face in the digital world, especially as this is being highly publicized.

    Thus, either the firm is finding and selling vulnerabilities for criminal purposes or doing so to pressure companies into buying them. Either way, they are doing harm (to Real and/or end users). While it may not be illegal per se, this is a very underhanded thing to do.

  12. Fight fire with fire by SamP2 · · Score: 3, Insightful

    According to Russian copyright law, "purely informational reports on events and facts are not copyrightable". The copyright on the code itself belongs to RP (and copyright to all other flaws discovered by this Russian company belongs to their respective owners), and the simple informational fact of knowledge about a flaw is not subject to copyright.

    RP can legally subscribe to be a "customer" of this security firm, and then just take all the information they deliver and pass it on to all parties involved (in other words, send the relevant information to all companies whose code has a vulnerability). Several companies can team up and split the "subscription fee".

    Consider this to be the security (and legal) version of ripping a pay porn site and dumping the contents on eMule. The Russian company won't go far with a single paying subscriber.

  13. Ah!, the down side to proprietry software by EEPROMS · · Score: 4, Interesting

    If you sell software under a restricted proprietary license you have set the rules for all dealings with your code as being based purely on monetary gain. So if some programmers figure out a security flaw with your software they, like you, "don't have to give away their code or IP for nothing", because you also insist on not giving away your IP either.

  14. Re:Wrong. by Deanalator · · Score: 2, Informative

    Plenty of pen testers use 0day when evaluating companies. The theory is that busting a single machine on the corporate network should not give you the "keys to the kingdom". Properly implemented security architecture should be able to mitigate single point failures. Immunity and core (American companies) both buy and sell 0day without informing the vendor. Wabisabilabi has a very convenient marketplace for such transactions as well. It's all supply and demand. Sure it's sketchy, but aren't you glad that these are being sold in public, and not just on the black market?

  15. Re:But... by techno-vampire · · Score: 4, Informative
    But who does use RealPlayer anyway, that this could possibly affect?

    All the Aunt Tillies out there who use Windows because it came installed on their computers and have no idea what an operating system is. They use IE for the same reason, and when they want to hear an audio file, guess what IE tells them to install? One hint: it won't be VLC.

    --
    Good, inexpensive web hosting
  16. Not trying to be a smart-ass, but... by s_p_oneil · · Score: 4, Interesting

    Does anyone use RealPlayer? I mean, it's worse than QuickTime (and I HATE QuickTime).

  17. Nothing's free... by Quixote · · Score: 4, Interesting
    If a pharmaceutical company comes up with a cure for (say) AIDS, should they be forced to give it out to the rest of the world for free? I mean, lives are at stake there, and presumably lives are more valuable than Junior's ability to play the latest Britney hits.

    If the prevailing logic (that the Russian company should cough up the goods for free) is applied, all pharma companies would be non-profit charities...

  18. Re:Non free morals, the victim is also a criminal. by willyhill · · Score: 2, Informative
    The more reprehensible of non free software companies will deny a flaw exists when it's presented to them and beg the discoverer to keep quiet while they "fix" the problem ... forever and then act angry when the flaw is revealed to the public.

    You mean like Mozilla? I'm not sure if private security mailing lists, "confidential bugs" and all that are reprehensible, but they might be. Or do you mean another type of "reprehensible"?

    Their existence may be repulsive

    You mean like Mozilla, or do you mean another type of "repulsive"?

    My patience for these parasites is exhausted.

    Indeed.

    --
    The twitter monologues. Click on my homepage and be amazed.
  19. Why not compromise by martinlp · · Score: 3, Informative

    This is exactly what the TippingPoint Zero Day Initiative is for: to give credit and a bit of money to researchers who spend time and effort to discover vulnerabilities in software.
    Sure these researchers should get money/credit, but what if they become greedy or irresponsible?

  20. nothing by vespacide2 · · Score: 2, Interesting

    How much would it damage Real if they (Gleg) just released the exploit into the wild? Far more than 10k's worth, assuredly.
    If it was released into the wild, Real could (most likely) have it patched in a matter of hours.
    The fact that they're not releasing it into the wild is a problem. Until it gets released (or Real pays up or finds it themselves), it will be a nasty weapon used for nefarious deeds.
    --
    Mever nind the typos.
  21. Common Business Model! by Jane+Q.+Public · · Score: 4, Insightful

    Hmmmm...

    I am in the lawn care business. I know why your lawn is dying. I will make it green, for a fee.

    I am in the computer tech business. I know why your sound card has a problem. I will fix it... for a fee.

    I am in the computer tech business. I know how to fix the virus(es) in your computer. For a fee.

    I am a chef. I know how to cook your dinner. Do you expect the recipe for free?

    And so on. It would be "giving to the community" to give them the information for free, but this kind of business model *IS* all around us. No point in singling them out.

  22. Real has all the information already by flyingfsck · · Score: 2, Insightful

    Real has the source code. They don't need to pay anybody else to find the bug; they can do their own code review.

    --
    Excuse me, but please get off my Pennisetum Clandestinum, eh!
  23. $10,000 for periodic updates by mapkinase · · Score: 2, Insightful

    Seems like not a bad price for a company whose software runs in millions and millions of copies around the world.

    If we assume that $10,000 is for a year: that is the cost of one tenth of a full time internally hired security expert.

    I think Real should consider subscribing to the services of Gleg.

    --
    I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
  24. How else are they... by fozzmeister · · Score: 2, Interesting

    How else are they going to get paid? They did work, and Real expects them to donate their work for free. I don't see it as unreasonable to ask for payment; whether Real thinks the price is too high is a matter for them (and their customers?).