Slashdot Mirror


Mozilla Finds Flaw With Black Hat Video Stream

An anonymous reader writes "Mozilla web security researcher Michael Coates found a flaw in Black Hat's paid video feed. The flaw allowed him to watch a live feed of the conference for free instead of the $395 a head to connect. Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue."

106 comments

  1. Keeping the Haxors on their Toes. by Anonymous Coward · · Score: 0, Insightful

    I Like it.

  2. Of course by Anonymous Coward · · Score: 5, Insightful

    Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.

    If that seems like altruism, think: why would Mozilla want a bunch of black hat hackers pissed off at them?

    1. Re:Of course by pspahn · · Score: 2, Interesting

      Maybe too late? What was he doing trying to score free video? You can't always be sure about someone's motives.

      --
      Someone flopped a steamer in the gene pool.
    2. Re:Of course by Volante3192 · · Score: 2, Funny

      I think the "unlike" part of this story is that the issue was fixed rather than sat on for months.

    3. Re:Of course by Anonymous Coward · · Score: 1, Interesting

      If that seems like altruism, think: why would Mozilla want a bunch of black hat hackers pissed off at them?

      If this post sounds like cynicism, it is.

    4. Re:Of course by Crudely_Indecent · · Score: 1

      Maybe he felt that full disclosure was a good form of payment.

      --
      "Lame" - Galaxar
    5. Re:Of course by Anonymous Coward · · Score: 0

      Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.

      If that seems like altruism, think: why would Mozilla want a bunch of black hat hackers pissed off at them?

      Doesn't matter if they're pissed off at them or not, Mozilla is big enough that they're probably going to be looked at regardless. I don't think any extra ire will do much of a difference.

    6. Re:Of course by RebelWebmaster · · Score: 3, Insightful

      I would say that "Do unto others as you would have them do unto you" would be appropriate in this situation.

    7. Re:Of course by operagost · · Score: 1

      Clearly, black hats don't subscribe to that belief.

      --
      Gamingmuseum.com: Give your 3D accelerator a rest.
    8. Re:Of course by GooberToo · · Score: 1

      If that seems like altruism, think: why would Mozilla want a bunch of black hat hackers pissed off at them?

      Fixed it for you.

      If that seems like altruism, think: why would Mozilla want a bunch of black hat hypocritical hackers pissed off at them? After all, such rationale is what black hatters use to justify almost every action, disclosure, and exploitation. To be pissed at such an exploit would mean they are a bunch of small minded, hypocritical bitches.

  3. in soviet russia by Anonymous Coward · · Score: 4, Funny

    Applications find bugs on black hats.

  4. responsibility by Anonymous Coward · · Score: 3, Interesting

    The responsibility aspect is one area where the Black Hat guys could earn a lot of respect by doing the right thing. It's a dick move to just disclose stuff without giving companies a chance to fix their mistakes, no matter how stupid it is.

    1. Re:responsibility by Cylix · · Score: 4, Insightful

      Then exactly how would they sell online streaming events for 395 and equally expensive conference tickets?

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    2. Re:responsibility by Anonymous Coward · · Score: 0

      But since when is video worth $395? I'd expect that from the MPAA but not a hacker's conference.

    3. Re:responsibility by benji+fr · · Score: 1

      maybe because some people are living far away from Vegas, and that the trip to and from Vegas will cost them at least 3 times the ticket, (and I don't mention hotel and food...)

      --
      -- .rats live on no evil staR
    4. Re:responsibility by Khyber · · Score: 1

      bandwidth certainly doesn't cost that much, and the equipment used has more than likely been paid for/paid for itself.

      it's just a flat-out money pit.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    5. Re:responsibility by Richard_at_work · · Score: 1

      So? Is it not allowed to be?

    6. Re:responsibility by Anonymous Coward · · Score: 0

      I continue to fail to see how, in any meaningful way, not disclosing it to the public is so terrible.

      Cooperation would certainly be better, but stupid or severely harmful? Doubt it.

    7. Re:responsibility by DickeyP · · Score: 1

      It'll be worth $395 when Elisha Cuthbert and Jessica Alba release their first co-starring porno.

    8. Re:responsibility by Linker3000 · · Score: 4, Funny

      If the cost of attendance and video streaming is worrying you, why not just persuade your local ATM to provide the cash for you. I believe there was a presentation about this... but then things get recursive...

      --
      AT&ROFLMAO
    9. Re:responsibility by martin-boundary · · Score: 1

      I doubt it, they'd have to do some *very* kinky shit to compete with the, er, "cream" of what fills the net for free these days.

    10. Re:responsibility by Hinhule · · Score: 2, Insightful

      Most likely they want actual attendees and if it's too cheap to just watch the stream these computer people may just sit and watch it from the comfort of their own mancave instead of showing up.

    11. Re:responsibility by Thundarr+Trollgrim · · Score: 1

      I sell, You sell, They sell.

    12. Re:responsibility by plover · · Score: 2

      Excuse me, but were you there at Blackhat? No? Surprise.

      Had you attended, you would have noticed that every presenter discussed vulnerabilities only after responsible disclosure. Nobody at Blackhat was surprising any vendors with 0day exploits. Timothy's summary above is full of shit.

      Now, I won't say every vendor was responsible about patching their systems upon notification. Too bad for them. But the Blackhat guys were all approaching the topic responsibly.

      --
      John
    13. Re:responsibility by socz · · Score: 1

      That's why you pay the $395, because the room was full and you couldn't get in :P

      --
      My abilities are only limited by my imagination
    14. Re:responsibility by couchslug · · Score: 1

      "The responsibility aspect is one area where the Black Hat guys could earn a lot of respect by doing the right thing. "

      That assumes DTRT is "respected" instead of "punished".

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    15. Re:responsibility by Khyber · · Score: 1

      That's easier access. Think about that for a moment. 500 physical attendees at so much a pop or MILLIONS of online attendees at a lower cost and still making more money?

      DUH.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
  5. Prisoner's Dilemma? by nmb3000 · · Score: 2, Interesting

    Interesting. You have an unknown number of users accessing the video feeds for free. The system has equilibrium and is yet unstable (they might find out at any time and block everyone). Now enter one prisoner who rats out everyone else. The end result? That one individual gets a free legitimate account and free access to the video streams while everyone else has their access blocked.

    Honestly? It sounds like Michael Coates is a little bit of a douche. A small handful of users accessing the stream for free doesn't really hurt anything and it's not like this was some serious security vulnerability. Reading his blog post, he makes it sound more like he uncovered some huge security exploit. Truth is all he really did is save a somewhat inept third party development company a little bandwidth money.

    He should have just waited until the conference was finished and then notified them for future reference. That way everyone clever enough to notice the exploit got their little bonus and the company learns its lesson. No real harm done.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
    1. Re:Prisoner's Dilemma? by Anonymous Coward · · Score: 2, Insightful

      It's a "black hat" conference. Perhaps the reward for them being stupid enough to have hired a dumb 3rd party to do the video conference is to have, like the OP said, a few (note: "few") people be able to stream for free. The biggest irony is it would be "black-hats" streaming for free from black hats, so the conference people really have no say if they do not want to appear hypocritical.

    2. Re:Prisoner's Dilemma? by johnhp · · Score: 5, Funny

      And if there's one thing attendees of Black Hat respect, it's intellectual property... oh wait. Ordinarily I'd say pirating video streams is morally questionable, but hacking access to the video stream of a security conference is so poetic that I refuse to believe it could be evil.

    3. Re:Prisoner's Dilemma? by Psaakyrn · · Score: 1, Interesting

      No real harm except to the reputation of the conference itself. A conference about security should probably be secure, unless intentionally insecure. It doesn't sound like it's intentional.

    4. Re:Prisoner's Dilemma? by martin-boundary · · Score: 2, Interesting

      True, he should have first posted the streamdumps on rapidshare, and then told the organizers how to fix the flaw. Bandwidth problem solved, everybody is happy :)

    5. Re:Prisoner's Dilemma? by c0lo · · Score: 2, Interesting

      Ordinarily I'd say pirating video streams is morally questionable, but hacking access to the video stream of a security conference is so poetic that I refuse to believe it could be evil.

      The best example that being a cracker is not synonymous with being dishonest.
      Even more, I see it as a good example of a wise strategy on the long term: disclosing the flaw before giving the organizers a chance to patch it would have exposed the organizers to ridicule. And one would rely on the same ridiculed persons to have a DEFCON 2011? Opportunism rarely makes good sense in scarcity conditions.

      --
      Questions raise, answers kill. Raise questions to stay alive.
    6. Re:Prisoner's Dilemma? by Anonymous Coward · · Score: 0

      The biggest irony is it would be "black-hats" streaming for free from black hats, so the conference people really have no say if they do not want to appear hypocritical.

      Yo dawg, we heard you liked black hats, so we black-hatted the streams from Black Hat, so you could be a Black Hat while streaming black hats from Black Hat...

    7. Re:Prisoner's Dilemma? by pclminion · · Score: 1

      I don't know where people get these ideas about Black Hat. Black Hat has some "interesting" attendees, but for the most part the audience is made up of security professionals. I go to Black Hat every year as part of work. Despite the name of the conference, the atmosphere there is very much "white hat." Some of the presenters are in the gray area, but most of the presenters are just other security professionals who are at the top of their game.

      No punches are pulled at Black Hat, and the policy is full disclosure in extreme detail, but we're mostly all there to figure out how to COMBAT the behavior of black hats, not become them ourselves. If you want an insane orgy of malice, that's what Defcon is for.

  6. because it's stealing by YesIAmAScript · · Score: 2, Insightful

    The product has a price. If you take the product without paying, you're stealing the product.

    Why am I supposed to feel bad for those who had illegal free feeds and no longer do?

    Bandwidth does cost money you know. I'll tell you what, I'll just start siphoning gas out of your car. Not so much that you can't afford it, but just a little. No harm done, right?

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:because it's stealing by Compaqt · · Score: 1

      Umm, yeah, well, blackhats would never steal digital products, of course.

      Watching a few self-proclaimed bad guys talk about security is like stealing from Mother Teresa, right?

      --
      I'm not a lawyer, but I play one on the Internet. Blog
    2. Re:because it's stealing by Anonymous Coward · · Score: 1

      $395 worth of bandwidth? Hmm, someone needs to get out of the early 90's...

    3. Re:because it's stealing by YesIAmAScript · · Score: 3, Insightful

      Just because the price is high doesn't make it not stealing.

      If you think the product provides a poor value, then don't buy it and do without. Just as you would do if it were a shirt in a store.

      --
      http://lkml.org/lkml/2005/8/20/95
    4. Re:because it's stealing by iammani · · Score: 5, Insightful

      Ahh can we please stop calling it 'stealing'. If I were to steal a shirt in a store, the store would be deprived of the shirt. That is not the case here.

      Call it unethical, freeloading, leeching, but not stealing.

    5. Re:because it's stealing by Khyber · · Score: 1

      "Bandwidth does cost money you know"

      Bandwidth does not cost $395 per person for a medium-bitrate 24/7 video and audio feed from a conference.

      Please. I could spend maybe 99 bucks per month for 2TB data throughput for my Camfrog video server and serve 10,000+ video streams simultaneously, and it would still take me about half a month to reach my cap.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    6. Re:because it's stealing by Anonymous Coward · · Score: 0

      Just because the price is high doesn't make it not stealing.

      You're right, that's not what makes it not stealing.

    7. Re:because it's stealing by Redlazer · · Score: 1

      If gas cost as little as bandwidth did, and continued to fall steadily like bandwidth does, then your analogy would be totally worthless.

      You can't equate the two. Bandwidth gets easier and cheaper with time. Oil gets rarer and has to be physically moved.

      --
      Guns don't kill people, "with glowing hearts" kills people.
    8. Re:because it's stealing by Adult+film+producer · · Score: 0

      huh? You're not paying $395 for BW.. you're paying for the content.

    9. Re:because it's stealing by Anonymous Coward · · Score: 2, Funny

      In any case, here you deprive somebody of the money he should have received,

      Agreed, some people deserve money just because!

    10. Re:because it's stealing by mike2R · · Score: 0, Troll

      Ahh can we please stop calling it 'stealing'.

      Can we please stop obsessing about this meaningless piece of sophistry? Stealing is a word, not a reference to the criminal law code in your particular jurisdiction. The usage is fine.

      --
      This sig all sigs devours
    11. Re:because it's stealing by martin-boundary · · Score: 5, Informative

      Stealing is a word, not a reference to the criminal law code in your particular jurisdiction.

      I agree with you, and I also move that we start calling all RIAA employees pedophiles. It's a fine word, not a reference to the criminal code!

    12. Re:because it's stealing by mike2R · · Score: 1

      Well that makes sense, apart from the fact that it doesn't.

      If the RIAA were involved in something that was generally regarded to be pedophilia, but was not actually illegal but required the victim to sue, then I'm sure people would do so.

      Bit like the way people call them bastards when most of them are probably legitimate.

      --
      This sig all sigs devours
    13. Re:because it's stealing by Fulminata · · Score: 3, Informative

      In this case though, it really is stealing. Someone is paying for the increased bandwidth being used.

      That cost may be less than $395, but it's also greater than $0, so real theft is involved because someone is out some money as a result of the action. Not theoretical "lost sale" money, but real money that someone will have to actually pay.

    14. Re:because it's stealing by gutnor · · Score: 1

      Because he released his work under a scheme offered by the government. His choice, not yours - not happy with the terms, don't buy it - but do not infringe his rights.

    15. Re:because it's stealing by philipmather · · Score: 0

      I've heard this argument before, that it's not theft/stealing because you aren't depriving the victim of any physical asset, this is however disingenuous at best. You may not be depriving them of the talk's content or IP but you are depriving them of the bandwidth needed to deliver it.

      I'd agree that in the real world the organizers would be buying such bandwidth in big chunks and that would imply that the odd hacker streaming it for free wouldn't push them over the edge of throughput capacity, but it's quite possible that they're paying by amount used, amount used above a certain burst limit, or that they don't factor that increased demand into next year's budget and hence spend more on it the following year.

      Basically, you are depriving someone of a real physical asset, bandwidth, or otherwise, as someone else pointed out, the money spent on that bandwidth, so can we drop this "It's not stealing because I'm not depriving anyone" crutch?

      Finally, just because I've punched a logical hole in this particular point of contention you should not conclude that I don't, in some more general way agree with you on a wider standpoint.

      --
      Regards, Phil
    16. Re:because it's stealing by Anonymous Coward · · Score: 0

      No. The doubleplusgood redefinition of words is the beginning of everything bad. First you have to confuse the people of the meaning of words and then make it seem like it has always meant something else than it actually meant.

      No, we can't stop "obsessing" over words retaining their goddamn meaning.

    17. Re:because it's stealing by mike2R · · Score: 3, Informative

      steal
      v. stole, stolen, stealing, steals
      v.tr.
      1. To take (the property of another) without right or permission.
      2. To present or use (someone else's words or ideas) as one's own.
      3. To get or take secretly or artfully: steal a look at a diary; steal the puck from an opponent.
      4. To give or enjoy (a kiss) that is unexpected or unnoticed.
      5. To draw attention unexpectedly in (an entertainment), especially by being the outstanding performer: The magician's assistant stole the show with her comic antics.
      6. Baseball To advance safely to (another base) during the delivery of a pitch, without the aid of a base hit, walk, passed ball, or wild pitch.

      v.intr.
      1. To commit theft.
      2. To move, happen, or elapse stealthily or unobtrusively.
      3. Baseball To steal a base.

      n.
      1. The act of stealing.
      2. Slang A bargain.
      3. Baseball A stolen base.
      4. Basketball An act of gaining possession of the ball from an opponent.

      --
      This sig all sigs devours
    18. Re:because it's stealing by tehcyder · · Score: 2, Insightful

      In any case, here you deprive somebody of the money he should have received,

      Agreed, some people deserve money just because!

      No, they deserve money because they provided a service. Or do you not think that lawyers, programmers, stockbrokers and architects should not be paid, just because they haven't created a physical object?

      --
      To have a right to do a thing is not at all the same as to be right in doing it
    19. Re:because it's stealing by dave420 · · Score: 1

      Well, in this case, the people downloading for free were not paying for their bandwidth usage, something which is not so abstract. Obviously it's not worth $400, maybe a few cents, but even so. Otherwise I agree with your point entirely.

    20. Re:because it's stealing by Ash+Vince · · Score: 1

      To take (the property of another) without right or permission.

      So whether this counts as stealing all really comes down to whether we are going to allow intellectual property to be a type of property. Sounds like an interesting debate but it is still a complete waste of time.

      The reality is that when all the people here advocating watching a stream without paying for the content grow up and get a job producing something that can be easily digitised they will realise it is not so hot when people do this and then do not pay you for your work. Hell, maybe it is too expensive, but then so is my rent so I need to make money somehow.

      In both cases the seller gets to set the price of what they produce, that is simply how capitalism works, regardless of whether it is data or a physical item being sold. If something is priced too high, nobody buys it and the seller has to reduce the price. If enough people do buy it though, then the seller does not need to drop the price.

      I hated these concepts when I was a poor student though, since I had no money and everything like this seemed too expensive. I lived on that much per month, now I can spend it in a week easy.

      Now going back to the case at hand: Security researchers generally spend exceedingly long hours doing what they do, for many years before they get any good. Then even after they discover something noteworthy they also have to spend time rehearsing their talk at the show. Then they have to travel there, probably at great expense via air from another country. So after investing all that time in something, should they not be able to get some return on that time investment?

      --
      I don't read /. to RTFA, I read /. to offend people in ignorance.
    21. Re:because it's stealing by Anonymous Coward · · Score: 0

      If someone earns money encouraging others to crack systems, it's difficult to say that the person cracking their system is in the wrong. At the very least it's incredibly morally ambiguous, if this person is allowed to profit from the kind of behaviour he's actively trying to stop being perpetrated against himself.

    22. Re:because it's stealing by Anonymous Coward · · Score: 0

      Ask a random sampling of people who have ever downloaded a song or copied a friend's CD if they consider themselves to be thieves. I suspect the majority of people do not consider this "stealing" as you suggest, it's just something perpetuated by the labels and big media and of course they're not biased at all. If it's such a horrendous crime as the labels suggest (and I'll let you judge for yourself if you think it is) it should stand on its own merits - if they can't get a sufficiently shocked reaction from the public by calling it copyright infringement, then maybe it's not as shocking a "crime" as they suggest. The irony is that the labels are the ones twisting the language to their own ends, and when people simply point out the correct usage of the language you think they are the ones who are in the wrong, not the ones who are outright lying to try and make a point?

    23. Re:because it's stealing by mblase · · Score: 1

      If only I could deal with my taxes in the same way.

    24. Re:because it's stealing by Americano · · Score: 1

      And would that "bandwidth" just magically work, with no outside maintenance or infrastructure? What? You mean it requires servers, and salaried employees, and a host of properly implemented technology to provide bandwidth? And the company needs to actually make an operating profit in order to expand its offerings, replace old infrastructure, and develop new business? And you're also learning something new from a bunch of security experts?

      Gee, maybe that's why it costs $395?

      Your view is so reductionist it's ridiculous. What you are paying for is the knowledge & expertise of the people who are presenting, and the people who are running the video stream - the "bandwidth" is a fraction of that total cost. People pay thousands of dollars to take college classes - are they "just paying to rent the use of a desk" for a night or two a week? You aren't "just paying for the bandwidth" anymore than those people are simply renting a desk.

      I'll explain to you why you pay $5 a cup for coffee at Starbucks as opposed to the pennies that the raw materials cost in my next class. It costs $395. I think that's a pretty remarkable deal.

    25. Re:because it's stealing by delinear · · Score: 1

      GGP suggested it's stealing because there was a measurable loss in the form of the bandwidth that the organisers had to pay for, nobody's disputing the cost of the content, but GGP was trying to bypass the arguments about whether content can be "stolen" (and the whole debate about a lost sale versus the lost possibility of a sale, etc), GP was merely demonstrating the tenuousness of this argument when the bandwidth cost is really just an incidental cost (it's like splitting your shopping at the store into two bags when you know it could fit in one, it's costing the store real money but they don't care, it's an incidental cost, what they really care about is whether you pay for your shopping).

    26. Re:because it's stealing by weirdcrashingnoises · · Score: 1

      To take (the property of another) without right or permission.

      So whether this counts as stealing all really comes down to whether we are going to allow intellectual property to be a type of property. Sounds like an interesting debate but it is still a complete waste of time.

      I agree with the general emphasis and message of your post. However, you failed to notice that "take" and "copy" are two different words with different definitions.

      --
      sigs... don't talk to me about sigs....
    27. Re:because it's stealing by kevinNCSU · · Score: 1

      Ask a random sampling of people in prison for killing other people if they consider themselves murderers. I suspect a majority do not consider what they did 'murder' either.

    28. Re:because it's stealing by mike2R · · Score: 1

      I'm sure you are right about copying a CD from a friend. But someone whose entire iPod is full of pirated music? Or has a massive collection of pirated DVDs? Or who bypasses a paywall costing several hundred quid to get access to a conference?

      On slashdot no, maybe most people wouldn't call that stealing. But out in the real world people very often would - this is the thing that I think many of the "information wants to be free" types don't quite get. Apart from student age groups and below, they are a minority, and not a large one.

      --
      This sig all sigs devours
    29. Re:because it's stealing by Anonymous Coward · · Score: 0

      Someone is paying for the increased bandwidth being used.

      Maybe... Do they pay a fixed "all you can eat" service plan, or are they getting charged by the (M|G)byte?

      It's kind of like a farmer who's harvested too much crop to fit on his trucks going to the store.
      If someone were to then go and take some of the crop (which would have spoiled anyway), should it have the same penalty as stealing it from the store?

    30. Re:because it's stealing by ScrewMaster · · Score: 1

      That looks like a typical Webster's definition. Here's one from the 'Lectric Law Library. If we're going to be discussing the legality of things, a legal definition is more relevant:

      STEAL

      the wrongful or willful taking of money or property belonging to someone else with intent to deprive the owner of its use or benefit either temporarily or permanently. No particular type of movement or carrying away is required.

      Any appreciable change in the location of the property with the necessary willful intent constitutes a stealing whether or not there is any actual removal of it from the owner's premises.

      This term imports, ex vi termini, nearly the same as larceny; but in common parlance, it does not always import a felony; as, for example, you stole an acre of my land.

      In slander cases, it seems that the term stealing takes its complexion from the subject-matter to which it is applied, and will be considered as intended of a felonious stealing, if a felony could have been committed of such subject-matter.


      I'll leave you to draw your own conclusions.

      --
      The higher the technology, the sharper that two-edged sword.
    31. Re:because it's stealing by ScrewMaster · · Score: 1

      If someone were to then go and take some of the crop (which would have spoiled anyway), should it have the same penalty as stealing it from the store?

      Yes, because it's the same crime. A court might take into consideration, when determining punishment, whether anyone was harmed. But either way the rightful owner was deprived of his property. It's his choice how to dispose of his excess goods. It might be that he donates his overage to local charities ... in which case someone would be harmed by the criminal's actions.

      --
      The higher the technology, the sharper that two-edged sword.
    32. Re:because it's stealing by The_mad_linguist · · Score: 1

      Let's compromise. We'll agree not to pay the lawyers.

    33. Re:because it's stealing by mike2R · · Score: 1

      Which quite neatly, takes us back to my original point about how these various crimes (or whatever you want to call them) of virtual property can quite correctly be called stealing in common usage, even if they do not fall under the legal definition of theft.

      --
      This sig all sigs devours
    34. Re:because it's stealing by Anonymous Coward · · Score: 0

      Let's say I put up a subscription and balance out for everyone who pays for it. It is enough if all 200 of my subscribers log in at the same time and get the whole thing in 10 mins. Then suddenly 10k extra users show up for the party (hey it's FREE!) and now it takes 10 hours to download. How are you not stealing from the subscribers? You are taking their time as now their feeds will be slower. They paid for a fixed feed to be delivered in a quick fashion.

      To take something is not necessarily of something of monetary value. Also you are not necessarily stealing from 'the store'.

      How about we make this a car analogy. I have a perfect cloning machine. I can point it at something and make a perfect copy of it. Some dude owns a rare corvette, only 50 were ever made. It is worth a lot of money. It's a nice neighborhood and he keeps it in his driveway once in a while. He likes to show off a little. I show up and point my PCM at it and poof, I drive off with my perfect copy of his car right down to the little ding his daughter put in the bumper. Did I steal from this guy? Yes and no. No in that he still has his car. He can still drive it around. It is still relatively rare, there are 51 now instead of 50. Let's say my buddies show up and say 'hey that is a sweet ride can I have a copy'. Sure why not, I can make a perfect copy and I still have mine and the orig dude still has his. Suddenly there are 200k of this car driving around, as it's a pretty sweet ride and free. Here is where the yes part comes in. The value of the original car is now worthless. The second I took that copy I stole value from that guy and all the other owners. They had invested in those rare cars. But *I* decided to come along and make the money they put into it disappear.

      You are using a mental justification for stealing from others.

      Rarity sometimes makes for value. That rarity is how some people make money. You have somehow decided that rarity is not a good thing. Or as I like to tell people, if everyone had a million dollars, a million dollars is not worth much.

    35. Re:because it's stealing by Anonymous Coward · · Score: 0

      You are right, they should get paid to perform the *service* that needs to be done, e.g. creating the design, program, etc. Once that is created, they should be *done*, paid, and happy. Why should they get paid every time their product is *distributed*? That is not a useful service that we need to pay them for -- we are quite capable of distributing works ourselves, for free. In fact, trying to do otherwise leads to very unnatural consequences, as we are seeing with all these copyright violation issues. Other professions don't expect to be paid every time their product is *used*. They are paid to *produce* it. Why should authors and other content creators be different?

    36. Re:because it's stealing by Anonymous Coward · · Score: 0

      I provide a service. It might be something that people have no use for, but damn could I use some of that money I deserve.

    37. Re:because it's stealing by SheeEttin · · Score: 1

      Why am I supposed to feel bad for those who had illegal free feeds and no longer do?

      Because 99% of those watching for free can't or won't pay for it, and now they get nothing. Same reasons people pirate.

      Bandwidth does cost money you know. I'll tell you what, I'll just start siphoning gas out of your car. Not so much that you can't afford it, but just a little. No harm done, right?

      It's all right with me, as long as there's still gas for everyone else.
      One person watching for free doesn't deprive everyone else of their feed.

    38. Re:because it's stealing by Khyber · · Score: 1

      I used to work for an ISP. I can do all of that MYSELF. No staff needed.

      I ACTUALLY DO IT. Right now there's development on a multi-video monitoring station for each of our hydroponic tiers.

      If you think it takes that much experience and knowledge, you're a fool. I've been at it since I was 16 broadcasting with a 10FPS webcam at 252x144 resolutions from my school's LAN.

      --
      Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
    39. Re:because it's stealing by Americano · · Score: 1

      I'm sure you *can* do all of that yourself.

      I'm also sure that you *cannot* do all of that yourself in a reasonably timely fashion at no cost.

      Pray tell - did your school's LAN infrastructure just magically self-assemble? Or did it cost money to build & maintain? And all of that just for your little cyber sessions - now imagine scaling it up to hundreds or thousands of users spread around the world.

      If you continue to assert that it can be done at the scale of this conference without experience, knowledge and a significant hardware investment, you're clearly smoking whatever you're growing in your hydroponic tiers.

  7. I work with by Anonymous Coward · · Score: 2, Insightful

    the company that organizes these online events. Believe me, this stuff is expensive to put together and while $395 is a lot of money, it does need to be paid for if conferences like this are to exist. Letting people in for free will detract from the exclusivity and ultimate quality of the event online or physical. Being Black Hat, it's not surprising someone figured out an exploit!

    1. Re:I work with by Anonymous Coward · · Score: 1, Insightful

      Let's face it, black hat is just a shitty conference attended by self-proclaimed security researchers. And it's too expensive.

  8. Responsible Disclosure by TXISDude · · Score: 5, Interesting

    As one who has attended many BlackHat conferences - I take offense to the line "Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue." In my experience, BlackHat presenters have followed responsible disclosure - including this year's high profile ATM exploit talk, which, for instance, can not be replicated by those in attendance (proof was given that it can be hacked, but the source code was not released) - and the industry certainly knew it was coming for > 1 year - and the end of the presentation gave simple directions about how to mitigate the issues...

    --
    Hope is the worst of evils, for it prolongs the torment of man. -- Friedrich Nietzsche
    1. Re:Responsible Disclosure by elrous0 · · Score: 1

      More often than not, it's not the black hats themselves who behave irresponsibly--it's the software companies who, when notified of a flaw, drag their heels on fixing the problem and then have the gall to bitch about it when the hacker finally gets tired of it and goes public.

      --
      SJW: Someone who has run out of real oppression, and has to fake it.
    2. Re:Responsible Disclosure by Anonymous Coward · · Score: 0

      I gotta say I agree with this, the presenters at BH were for the most part releasing with CVEs already on the books, or a contact at the company already informed far in advance (for instance some of the bugs were fixed prior to release, so it was difficult to demo.) Also, much of BH wasn't about 'sploiting vulns. It was more conceptual and general. (See the difference in keynotes for instance.) Defcon had a few presentations, for instance the SCADA presentation, where the presenter basically fell on his face and let the world know of these vulns in highly sensitive systems but didn't disclose them to the manufacturer.

      I think this just goes more to the People don't know what the fuck they're talking about category. There's a lot of that, see the inquirer's article on General Hayden's keynote. (I'll give you a hint, he didn't say any of what they claim he did.)

  9. Misleading by Anonymous Coward · · Score: 5, Insightful

    Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.

    It's obvious why it was quickly fixed - because he disclosed it to the people who were losing out from the flaw.

    A false contrast is being drawn to situations where a supplier, whose OWN security is not at risk and who frequently see discovery of flaws as more of a cost than a benefit, is not given sole access to the details of the flaw.

  10. Re:Watch out Mozilla, IE might eat your lunch! by Anonymous Coward · · Score: 0

    If anybody is on the path of eating Mozilla's lunch, it's Google.

  11. It could have ended up very different by Okind · · Score: 4, Insightful

    Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.

    Bugs cost money to fix. In this case, fixing the bug could also cause more paying customers (the freeloaders also willing to pay, no matter how small their number). So it was in their best interest to fix the bug.

    But let's be realistic here: Michael Coates was lucky.

    There are many instances (some of them documented extensively here), where reporting the bug causes the reporter financial and legal harm. Especially with security related bugs, companies see no potential gain in fixing the bug and cleaning up -- only costs, which piss off their investors. That is, unless the story gets out and people get angry. But by starting a fight with the honest, responsible reporter, people are much more likely to think: 'must be a disgruntled customer/ex-employee/...'. Result: not enough bad publicity to raise a stink.

  12. Coordinated Vulnerability Disclosure? by cowbud · · Score: 0

    hrmmmmmm?

  13. Wow... by bhunachchicken · · Score: 1

    ... irony.

    1. Re:Wow... by Warll · · Score: 1

      Drink some water, it should help with the after taste.

  14. Obv by Sockatume · · Score: 2, Funny

    In Soviet Russia, Mozilla finds security flaw in Black Hat!

    --
    No kidding!!! What do you say at this point?
    1. Re:Obv by Anonymous Coward · · Score: 0

      Your headgear seems to be emitting a buzzing noise, sir. Perhaps you have a bee in your bonnet?

  15. $395 a head is an evil elitist rip-off scam by Anonymous Coward · · Score: 0

    Talk about evil. What a rip off. Sheesh, hacking used to be fun, Now the corporate blood suckers are using it to exploit the masses. Greed really sucks.

    1. Re:$395 a head is an evil elitist rip-off scam by Anonymous Coward · · Score: 0

      Corporate blood suckers? It's the same guys making a living chanting "Information just wants to be free" who are charging this, not corporations.

  16. Yes but... back in the day... by Kildjean · · Score: 1

    That is the problem with Black Hat "Hackers" today... They are way too honest for their own good. Heck, back in my day, we would have all gotten into that conference for free, and we would be on our way to Paris to discuss it.

    --
    Nom de dieu de putain de bordel de merde de saloperie de connard d encule de ta mere.
  17. Re: Too many glitches by doodles259 · · Score: 1

    I don't care for Firefox one bit...too many problems and glitches for me. I went back to IE8 in a hurry. I'm a gamer, and my nephew told me that Firefox is better for gamers. I don't agree.

  18. Jerk off by dogzdik · · Score: 0

    He should have shared it with all his friends... made copies loaded them up via torrent...

    --

    .

    Voting up, Voting down - If I really gave a fuck about your approval or not, I'd come and ask you.