Slashdot Mirror
Mozilla Finds Flaw With Black Hat Video Stream
An anonymous reader writes "Mozilla web security researcher Michael Coates found a flaw in Black Hat's paid video feed. The flaw allowed him to watch a live feed of the conference for free instead of the $395 a head to connect. Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue."
Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.
If that seems like altruism, think: why would Mozilla want a bunch of black hat hackers pissed off at them?
Applications find bugs on black hats.
Then exactly how would they sale online streaming events for 395 and equally expensive conference tickets?
"You should always go to other people's funerals; otherwise, they won't come to yours." -- Yogi Berra
And if there's one thing attendees of Black Hat respect, it's intellectual property... oh wait. Ordinarily I'd say pirating video streams is morally questionable, but hacking access to the video stream of a security conference is so poetic that I refuse to believe it could be evil.
As one who has attended many BlackHat conferences - I take offense to the line "Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue" In my experience, BlackHat presenters have followed responsible disclosure - including this year's high profile ATM exploit talk, which, for instance can not be replicated by those in attendence (proof was given that it can be hacked, but the sourcecode was not released) - and the industry certainly knew it was coming for > 1 year - and the end of the presentation gave simple directions about how to mitigate the issues. . .
Hope is the worst of evils, for it prolongs the torment of man. -- Friedrich Nietzsche
Unlike many presenters at Black Hat, Michael responsibly disclosed the flaw to organizers, who quickly fixed the issue.
It's obvious why it was quickly fixed - because he disclosed it to the people who were losing out from the flaw.
A false contrast is being drawn to situations where a supplier, whose OWN security is not at risk and who frequently see discovery of flaws as more of a cost than a benefit, is not given sole access to the details of the flaw.
Bugs cost money to fix. In this case, fixing the bug could also cause more paying customers (the freeloaders also willing to pay, no matter how small their number). So it was in their best interest to fix the bug.
But let's be realistic here: Micheal Coates was lucky.
There are many instances (some of them documented extensively here), where reporting the bug causes the reporter financial and legal harm. Especially with security related bugs, companies see no potential gain in fixing the bug and cleaning up -- only costs, which piss off their investors. That is, unless the story gets out and people get angry. But by starting a fight with the honest, reponsible reporter, people are much more likely to think: 'must be a disgruntled customer/ex-employee/...'. Result: not enough bad publicity to raise a stink.
Ahh can we please stop calling it 'stealing'. If I were to steal a shirt in a store, the store would deprived of the shirt. That is not the case here
Call it unethical, freeloading, leeching, but not stealing.
If the cost of attendance and video streaming is worrying you, why not just persuade your local ATM to provide the cash for you. I believe there was a presentation about this..but then things get recursive...
AT&ROFLMAO
I agree with you, and I also move that we start calling all RIAA employees pedophiles. It's a fine word, not a reference to the criminal code!