Mozilla Finds Flaw With Black Hat Video Stream
An anonymous reader writes "Mozilla web security researcher Michael Coates found a flaw in Black Hat's paid video feed. The flaw allowed him to watch a live feed of the conference for free instead of the $395 a head to connect. Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue."
Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.
If that seems like altruism, think: why would Mozilla want a bunch of black hat hackers pissed off at them?
Applications find bugs on black hats.
The responsibility aspect is one area where the Black Hat guys could earn a lot of respect by doing the right thing. It's a dick move to just disclose stuff without giving companies a chance to fix their mistakes, no matter how stupid it is.
And if there's one thing attendees of Black Hat respect, it's intellectual property... oh wait. Ordinarily I'd say pirating video streams is morally questionable, but hacking access to the video stream of a security conference is so poetic that I refuse to believe it could be evil.
As one who has attended many BlackHat conferences - I take offense to the line "Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue". In my experience, BlackHat presenters have followed responsible disclosure - including this year's high profile ATM exploit talk, which, for instance, cannot be replicated by those in attendance (proof was given that it can be hacked, but the source code was not released) - and the industry certainly knew it was coming for > 1 year - and the end of the presentation gave simple directions about how to mitigate the issues. . .
Hope is the worst of evils, for it prolongs the torment of man. -- Friedrich Nietzsche
Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.
It's obvious why it was quickly fixed - because he disclosed it to the people who were losing out from the flaw.
A false contrast is being drawn to situations where a supplier, whose OWN security is not at risk and who frequently sees discovery of flaws as more of a cost than a benefit, is not given sole access to the details of the flaw.
Just because the price is high doesn't make it not stealing.
If you think the product provides a poor value, then don't buy it and do without. Just as you would do if it were a shirt in a store.
http://lkml.org/lkml/2005/8/20/95
Bugs cost money to fix. In this case, fixing the bug could also cause more paying customers (the freeloaders also willing to pay, no matter how small their number). So it was in their best interest to fix the bug.
But let's be realistic here: Michael Coates was lucky.
There are many instances (some of them documented extensively here), where reporting the bug causes the reporter financial and legal harm. Especially with security related bugs, companies see no potential gain in fixing the bug and cleaning up -- only costs, which piss off their investors. That is, unless the story gets out and people get angry. But by starting a fight with the honest, responsible reporter, people are much more likely to think: 'must be a disgruntled customer/ex-employee/...'. Result: not enough bad publicity to raise a stink.
Ahh can we please stop calling it 'stealing'. If I were to steal a shirt in a store, the store would be deprived of the shirt. That is not the case here.
Call it unethical, freeloading, leeching, but not stealing.
I agree with you, and I also move that we start calling all RIAA employees pedophiles. It's a fine word, not a reference to the criminal code!
In this case though, it really is stealing. Someone is paying for the increased bandwidth being used.
That cost may be less than $395, but it's also greater than $0, so real theft is involved because someone is out some money as a result of the action. Not theoretical "lost sale" money, but real money that someone will have to actually pay.
steal
v. stole (stōl), stolen (stō′lən), stealing, steals
v.tr.
1. To take (the property of another) without right or permission.
2. To present or use (someone else's words or ideas) as one's own.
3. To get or take secretly or artfully: steal a look at a diary; steal the puck from an opponent.
4. To give or enjoy (a kiss) that is unexpected or unnoticed.
5. To draw attention unexpectedly in (an entertainment), especially by being the outstanding performer: The magician's assistant stole the show with her comic antics.
6. Baseball To advance safely to (another base) during the delivery of a pitch, without the aid of a base hit, walk, passed ball, or wild pitch.
v.intr.
1. To commit theft.
2. To move, happen, or elapse stealthily or unobtrusively.
3. Baseball To steal a base.
n.
1. The act of stealing.
2. Slang A bargain.
3. Baseball A stolen base.
4. Basketball An act of gaining possession of the ball from an opponent.
This sig all sigs devours