Slashdot Mirror


Security Research and Blackmail

harryjohnston alerts us to a story picked up by a few bloggers in the security space. A Russian security research company, Gleg, has discovered a zero-day in the latest version of RealPlayer 11. But they won't reveal details to Real, or to CERT, despite repeated requests. Details are available only to their clients who pay a lot of money for early access to such knowledge. To describe Gleg's business model Daniweb rather cautiously puts forward the word "blackmail." The story was first exposed in Ryan Naraine's Security Watch blog.

18 of 307 comments shown

  1. Intellectual Property by thebear05 · Score: 5, Interesting

    Seems fair they have information and want to be paid for it

    1. Re:Intellectual Property by timeOday · Score: 4, Insightful

      How does your argument differ from the profession of a locksmith? They know how to get in your house, and you can pay them to get you into your house.
      Go ahead and advertise a "locksmith" service to open the doors on anybody's home, without the owner's consent, for a fee. Then have fun in jail.

      Here's a better analogy for a legal activity: auto makers who sell SUVs to whomever wants them, then tell the rest of us we need one to keep our families safe in the event of being hit by one. It's a classic arms race, the only real winner is the arms dealer.

    2. Re:Intellectual Property by clarkkent09 · Score: 5, Insightful

      If I knew how to break into your house, then told you that I was able to but won't tell you how unless you paid up a fee? I'm sure that you'd easily come up with a lot of reasons why it isn't cool.

      Honestly, I couldn't. I am sure there are security experts out there who would be able to improve security of my house but I certainly wouldn't expect them to do it for free. This idea that if you find bugs in a software product, you have the responsibility to give that information to the company that makes it, and therefore help them improve their product, for free is completely bogus.

      Sorry, but there's a distinct lack of responsibility and ethics going on here, no matter how much you think the primary target may deserve it.

      I don't see any ethical problems here and its completely irrelevant who the party involved is. I would actually argue that there is more of an ethical problem with testing a company's product for free, as it devalues the work of their own QA personnel, and it encourages companies to release shoddy products too early, with expectation that paying customers will help them fix the bugs.

      --
      Negative moral value of force outweighs the positive value of good intentions.
    3. Re:Intellectual Property by martinX · Score: 4, Funny

      Security researchers. In Russia. Licensed and bonded. I can see that working...

      --
      When they came for the communists, I said "He's next door. Take him away. Goddam commies."
    4. Re:Intellectual Property by somersault · Score: 4, Insightful

      Your analogy is slightly off. Even from just reading the summary you can see that this is like a locksmith with a list of criminals who subscribe to his mailing list. The locksmith works out the vulnerabilities in your security (most houses are pathetically insecure via lockpicking anyway, if you really want into a house it's not gonna be hard to get in), then lets these criminals know them, but refuses to let you yourself know what the vulnerability is. He doesn't demand payment from you - he refuses to give you the information for any price, because you almost certainly won't pay as much as all his other clients. Because you have millions of houses, with millions of [currency]s worth of currency.

      For some reason when I first read the summary I was thinking of this company's clients as benign, but a second reading made me rethink :P

      --
      which is totally what she said
    5. Re:Intellectual Property by gunnk · Score: 4, Insightful

      I think you've hit the nail on the head.

      If the company knows of an exploit and wants to sell the information about it to the vendor that's perfectly fine as long as they aren't threatening to tell others about it.

      It's much like noticing my neighbor has an open wifi point advertising his file shares. Nothing wrong with offering to show him exactly what the problem is for a fee. If he doesn't want to pay for my expertise -- well, I told him his wifi point is leaving him open to hackers, so he has been warned. Now if I say I'm going to sell the information to others if he doesn't pay me -- that's extortion.

      I couldn't tell with certainty from the article whether or not the firm is showing the actual exploit to their subscribers or not. They may just be informing their clients of the existence of the exploit and giving guidelines about the severity and potential impact to business operations. If that's all they're doing, I'd say they are playing to win, but playing by the rules.

      On the other hand, if they sold the actual exploit to their subscribers then they're criminals.

      --
      Life is short: void the warranty.
  2. It's called capitalism by enos · Score: 5, Insightful

    It's called capitalism, and it's been breaking out in eastern Europe ever since the USSR fell. In unregulated areas (i.e. new markets) they have a much more "pure" concept of it than the west. The public good is a socialist idea. This same thing happens in a lot of places in the west where there are shops that specialize in IP of some sort. They have to make their living somehow. It's just that people are used to security companies giving this stuff away for free.

    --
    boldly going forward, 'cause we can't find reverse
    1. Re:It's called capitalism by skribe · Score: 4, Interesting

      How long before Real change their EULA demanding that licensees reveal any exploits to them within 24 hours of discovery?

      --
      Blog
  3. chilling effects of free market capitalism by drspliff · Score: 5, Interesting

    I don't call it blackmail, I call it a free market...

    Companies have a financial incentive for keeping their products secure, open source projects have less of an issue because the money just isn't in it.
    All this is - is one company spending real money, hiring well-paid analysts to plow through machine code or source code and analyse vulnerabilities.
    The reason they can afford to do this is because the market is full of companies willing to pay for this stuff...

    That's where your code of ethics goes out of the window!

    With open-source projects, there is still a market of companies using that software but at the same time there's a limited timespan before it's usually discovered by somebody else.
    You know very well that if you advertise you've found a security flaw in open source XX product you're going to have hundreds of people scrutinising it and developing a fix - because it's beneficial to everybody (so the code of ethics lives strong).

    It doesn't help that `Real' has a bad reputation, but by doing this and withholding it, Gleg are doing exactly what they set out to do in the first place and doing as any successful business man/woman does: identifying the market and targeting it appropriately.

    This happens every day not just in software security, but in every other industry yet people just consider it a normal day in the office and maybe grumble a bit about it.

    In an ideal situation ethics and social benefit would come first though... yet this is in practice incompatible with the free market, just for the reasons above.

  4. Blackmail? by clarkkent09 · Score: 5, Insightful

    If this is valuable information (as in there are people willing to pay money for it) why should they give it for free? Companies pay good money to consultants to come over and fix problems with their business, why shouldn't they have to pay people who help them fix problems with their software products?

    --
    Negative moral value of force outweighs the positive value of good intentions.
  5. Re:I for one ... by mysidia · Score: 5, Insightful

    Not blackmail. But poorly designed software tends to have security bugs.

    These bugs pose a problem for users of the software. It makes sense that third party services exist that scour software for bugs like this, for the benefit of the software's users and prospective users.

    So they can know whether to use the software or whether to take extra precautions/refrain from using it.

    The cost of performing this type of analysis is high. Much time and energy is required.

    It makes sense that you need to pay to review their findings in detail, or to review them before they are publicly released (for free).

    If they merely submit their findings to the software vendor, then they have provided the vendor with high-quality, costly labor for free.

    Why should the software vendor get free labor from security researchers, and be able to freely follow poor design practices in the design of their software, while relying on the public to find and report the issues gradually? (For them to lazily fix _after_ the defect is drawn to their attention)

    If the security researcher wishes to serve the community, then they have the option of practicing full disclosure, but they may be more fairly compensated for their work by providing paying customers with key information in advance, so their customers can mitigate the problem, before it has become public (and known to the bad guys).

    One way you mitigate the problem is very simple: uninstall the defective RealPlayer 11. Re-install the fixed version, when it becomes available.

  6. Re:I for one ... by cdrguru · Score: 4, Interesting

    Yes, but you have missed the key point.

    There are three classes of potential customers: product owners, users, and criminals. If the researcher makes it clear they are willing to sell their information to the third class - criminals - then it matters little if they are also willing to sell to the other two classes or not.

    Clearly, the implication is they do not want to sell to the product owner class as that would be a single sale. By selling the information to users and criminals they ensure that they have a substantial number of potential sales as well as motivating the users to buy rapidly or else they will be victims of the criminal class.

  7. Re:Blackmail eh? by QuantumG · Score: 5, Insightful

    huh? Call me crazy, but isn't extortion where you demand someone pay you to keep quiet? These guys are not demanding a silence payment.. they're just selling their proprietary information to whoever wants to pay for it.

    --
    How we know is more important than what we know.
  8. Ah!, the down side to proprietary software by EEPROMS · Score: 4, Interesting

    If you sell software under a restricted proprietary license you have set the rules for all dealings with your code as being based purely on monetary gain. So if some programmers figure out a security flaw with your software they, like you, "don't have to give away their code or IP for nothing" because you also insist on not giving away your IP either.

  9. Re:But... by techno-vampire · Score: 4, Informative

    But who does use RealPlayer anyway, that this could possibly affect?

    All the Aunt Tillies out there who use Windows because it came installed on their computers and have no idea what an operating system is. They use IE for the same reason, and when they want to hear an audio file, guess what IE tells them to install? One hint: it won't be VLC.

    --
    Good, inexpensive web hosting
  10. Not trying to be a smart-ass, but... by s_p_oneil · Score: 4, Interesting

    Does anyone use RealPlayer? I mean, it's worse than QuickTime (and I HATE QuickTime).

  11. Nothing's free... by Quixote · Score: 4, Interesting

    If a pharmaceutical company comes up with a cure for (say) AIDS, should they be forced to give it out to the rest of the world for free? I mean, lives are at stake there, and presumably lives are more valuable than Junior's ability to play the latest Britney hits.

    If the prevailing logic (that the Russian company should cough up the goods for free) is applied, all pharma companies would be non-profit charities...

  12. Common Business Model! by Jane Q. Public · Score: 4, Insightful

    Hmmmm...

    I am in the lawn care business. I know why your lawn is dying. I will make it green, for a fee.

    I am in the computer tech business. I know why your sound card has a problem. I will fix it... for a fee.

    I am in the computer tech business. I know how to fix the virus(es) in your computer. For a fee.

    I am a chef. I know how to cook your dinner. Do you expect the recipe for free?

    And so on. It would be "giving to the community" to give them the information for free, but this kind of business model *IS* all around us. No point in singling them out.