Slashdot Mirror


Mozilla Finds Flaw With Black Hat Video Stream

An anonymous reader writes "Mozilla web security researcher Michael Coates found a flaw in Black Hat's paid video feed. The flaw allowed him to watch a live feed of the conference for free instead of the $395 a head to connect. Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue."

28 of 106 comments

  1. Of course by Anonymous Coward · · Score: 5, Insightful

    Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.

    If that seems like altruism, think: why would Mozilla want a bunch of black hat hackers pissed off at them?

    1. Re:Of course by pspahn · · Score: 2, Interesting

      Maybe too late? What was he doing trying to score free video? You can't always be sure about someone's motives.

      --
      Someone flopped a steamer in the gene pool.
    2. Re:Of course by Volante3192 · · Score: 2, Funny

      I think the "unlike" part of this story is that the issue was fixed rather than sat on for months.

    3. Re:Of course by RebelWebmaster · · Score: 3, Insightful

      I would say that "Do unto others as you would have them do unto you" would be appropriate in this situation.

  2. in soviet rusia by Anonymous Coward · · Score: 4, Funny

    Applications find bugs on black hats.

  3. responsibility by Anonymous Coward · · Score: 3, Interesting

    The responsibility aspect is one area where the Black Hat guys could earn a lot of respect by doing the right thing. It's a dick move to just disclose stuff without giving companies a chance to fix their mistakes, no matter how stupid it is.

    1. Re:responsibility by Cylix · · Score: 4, Insightful

      Then exactly how would they sell online streaming events for 395 and equally expensive conference tickets?

      --
      "You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
    2. Re:responsibility by Linker3000 · · Score: 4, Funny

      If the cost of attendance and video streaming is worrying you, why not just persuade your local ATM to provide the cash for you. I believe there was a presentation about this... but then things get recursive...

      --
      AT&ROFLMAO
    3. Re:responsibility by Hinhule · · Score: 2, Insightful

      Most likely they want actual attendees and if it's too cheap to just watch the stream these computer people may just sit and watch it from the comfort of their own mancave instead of showing up.

    4. Re:responsibility by plover · · Score: 2

      Excuse me, but were you there at Blackhat? No? Surprise.

      Had you attended, you would have noticed that every presenter discussed vulnerabilities only after responsible disclosure. Nobody at Blackhat was surprising any vendors with 0day exploits. Timothy's summary above is full of shit.

      Now, I won't say every vendor was responsible about patching their systems upon notification. Too bad for them. But the Blackhat guys were all approaching the topic responsibly.

      --
      John
  4. Prisoner's Dilemma? by nmb3000 · · Score: 2, Interesting

    Interesting. You have an unknown number of users accessing the video feeds for free. The system has equilibrium and is yet unstable (they might find out at any time and block everyone). Now enter one prisoner who rats out everyone else. The end result? That one individual gets a free legitimate account and free access to the video streams while everyone else has their access blocked.

    Honestly? It sounds like Michael Coates is a little bit of a douche. A small handful of users accessing the stream for free doesn't really hurt anything and it's not like this was some serious security vulnerability. Reading his blog post, he makes it sounds more like he uncovered some huge security exploit. Truth is all he really did is save a somewhat inept third party development company a little bandwidth money.

    He should have just waited until the conference was finished and then notified them for future reference. That way everyone clever enough to notice the exploit got their little bonus and the company learns its lesson. No real harm done.

    --
    "What do you despise? By this are you truly known." --Princess Irulan, Manual of Muad'Dib
    /)
    1. Re:Prisoner's Dilemma? by Anonymous Coward · · Score: 2, Insightful

      It's a "black hat" conference. Perhaps the reward for them being stupid enough to have hired a dumb 3rd party to do the video conference is to have, like the OP said, a few (note: "few") people be able to stream for free. The biggest irony is it would be "black-hats" streaming for free from black hats, so the conference people really have no say if they do not want to appear hypocritical.

    2. Re:Prisoner's Dilemma? by johnhp · · Score: 5, Funny

      And if there's one thing attendees of Black Hat respect, it's intellectual property... oh wait. Ordinarily I'd say pirating video streams is morally questionable, but hacking access to the video stream of a security conference is so poetic that I refuse to believe it could be evil.

    3. Re:Prisoner's Dilemma? by martin-boundary · · Score: 2, Interesting

      True, he should have first posted the streamdumps on rapidshare, and then told the organizers how to fix the flaw. Bandwidth problem solved, everybody is happy :)

    4. Re:Prisoner's Dilemma? by c0lo · · Score: 2, Interesting

      Ordinarily I'd say pirating video streams is morally questionable, but hacking access to the video stream of a security conference is so poetic that I refuse to believe it could be evil.

      The best example that being a cracker is not synonymous with being dishonest.
      Even more, I see it as a good example of a wise strategy in the long term: disclosing the flaw before giving the organizers a chance to patch it would have exposed the organizers to ridicule. And one would rely on the same ridiculed persons to have a DEFCON 2011? Opportunism rarely makes good sense in scarcity conditions.

      --
      Questions raise, answers kill. Raise questions to stay alive.
  5. because it's stealing by YesIAmAScript · · Score: 2, Insightful

    The product has a price. If you take the product without paying, you're stealing the product.

    Why am I supposed to feel bad for those who had illegal free feeds and no longer do?

    Bandwidth does cost money you know. I'll tell you what, I'll just start siphoning gas out of your car. Not so much that you can't afford it, but just a little. No harm done, right?

    --
    http://lkml.org/lkml/2005/8/20/95
    1. Re:because it's stealing by YesIAmAScript · · Score: 3, Insightful

      Just because the price is high doesn't make it not stealing.

      If you think the product provides a poor value, then don't buy it and do without. Just as you would do if it were a shirt in a store.

      --
      http://lkml.org/lkml/2005/8/20/95
    2. Re:because it's stealing by iammani · · Score: 5, Insightful

      Ahh, can we please stop calling it 'stealing'. If I were to steal a shirt in a store, the store would be deprived of the shirt. That is not the case here.

      Call it unethical, freeloading, leeching, but not stealing.

    3. Re:because it's stealing by Anonymous Coward · · Score: 2, Funny

      In any case, here you deprive somebody of the money he should have received,

      Agreed, some people deserve money just because!

    4. Re:because it's stealing by martin-boundary · · Score: 5, Informative

      Stealing is a word, not a reference to the criminal law code in your particular jurisdiction.

      I agree with you, and I also move that we start calling all RIAA employees pedophiles. It's a fine word, not a reference to the criminal code!

    5. Re:because it's stealing by Fulminata · · Score: 3, Informative

      In this case though, it really is stealing. Someone is paying for the increased bandwidth being used.

      That cost may be less than $395, but it's also greater than $0, so real theft is involved because someone is out some money as a result of the action. Not theoretical "lost sale" money, but real money that someone will have to actually pay.

    6. Re:because it's stealing by mike2R · · Score: 3, Informative

      steal
      v. stole (stōl), stolen (stōlən), stealing, steals
      v.tr.
      1. To take (the property of another) without right or permission.
      2. To present or use (someone else's words or ideas) as one's own.
      3. To get or take secretly or artfully: steal a look at a diary; steal the puck from an opponent.
      4. To give or enjoy (a kiss) that is unexpected or unnoticed.
      5. To draw attention unexpectedly in (an entertainment), especially by being the outstanding performer: The magician's assistant stole the show with her comic antics.
      6. Baseball To advance safely to (another base) during the delivery of a pitch, without the aid of a base hit, walk, passed ball, or wild pitch.

      v.intr.
      1. To commit theft.
      2. To move, happen, or elapse stealthily or unobtrusively.
      3. Baseball To steal a base.

      n.
      1. The act of stealing.
      2. Slang A bargain.
      3. Baseball A stolen base.
      4. Basketball An act of gaining possession of the ball from an opponent.

      --
      This sig all sigs devours
    7. Re:because it's stealing by tehcyder · · Score: 2, Insightful

      In any case, here you deprive somebody of the money he should have received,

      Agreed, some people deserve money just because!

      No, they deserve money because they provided a service. Or do you not think that lawyers, programmers, stockbrokers and architects should not be paid, just because they haven't created a physical object?

      --
      To have a right to do a thing is not at all the same as to be right in doing it
  6. I work with by Anonymous Coward · · Score: 2, Insightful

    the company that organizes these online events. Believe me, this stuff is expensive to put together and while $395 is a lot of money, it does need to be paid for if conferences like this are to exist. Letting people in for free will detract from the exclusivity and ultimate quality of the event online or physical. Being Black Hat, it's not surprising someone figured out an exploit!

  7. Responsible Disclosure by TXISDude · · Score: 5, Interesting

    As one who has attended many BlackHat conferences - I take offense to the line "Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue". In my experience, BlackHat presenters have followed responsible disclosure - including this year's high profile ATM exploit talk, which, for instance, cannot be replicated by those in attendance (proof was given that it can be hacked, but the source code was not released) - and the industry certainly knew it was coming for > 1 year - and the end of the presentation gave simple directions about how to mitigate the issues...

    --
    Hope is the worst of evils, for it prolongs the torment of man. -- Friedrich Nietzsche
  8. Misleading by Anonymous Coward · · Score: 5, Insightful

    Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.

    It's obvious why it was quickly fixed - because he disclosed it to the people who were losing out from the flaw.

    A false contrast is being drawn to situations where a supplier, whose OWN security is not at risk and who frequently sees discovery of flaws as more of a cost than a benefit, is not given sole access to the details of the flaw.

  9. It could have ended up very different by Okind · · Score: 4, Insightful

    Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.

    Bugs cost money to fix. In this case, fixing the bug could also cause more paying customers (the freeloaders also willing to pay, no matter how small their number). So it was in their best interest to fix the bug.

    But let's be realistic here: Michael Coates was lucky.

    There are many instances (some of them documented extensively here), where reporting the bug causes the reporter financial and legal harm. Especially with security related bugs, companies see no potential gain in fixing the bug and cleaning up -- only costs, which piss off their investors. That is, unless the story gets out and people get angry. But by starting a fight with the honest, responsible reporter, people are much more likely to think: 'must be a disgruntled customer/ex-employee/...'. Result: not enough bad publicity to raise a stink.

  10. Obv by Sockatume · · Score: 2, Funny

    In Soviet Russia, Mozilla finds security flaw in Black Hat!

    --
    No kidding!!! What do you say at this point?