Security

Security Research and Blackmail

Posted by kdawson
from the pay-to-play dept.
harryjohnston alerts us to a story picked up by a few bloggers in the security space. A Russian security research company, Gleg, has discovered a zero-day in the latest version of RealPlayer 11. But they won't reveal details to Real, or to CERT, despite repeated requests. Details are available only to their clients who pay a lot of money for early access to such knowledge. To describe Gleg's business model Daniweb rather cautiously puts forward the word "blackmail." The story was first exposed in Ryan Naraine's SecurityWatch blog.
  • by thebear05 (916315) on Sunday February 10, 2008 @11:38PM (#22375680)
    Seems fair; they have information and want to be paid for it.
    • Re: (Score:3, Insightful)

      by Penguinisto (415985)
      If I knew how to break into your house, then told you that I was able to but won't tell you how unless you paid up a fee?

      I'm sure that you'd easily come up with a lot of reasons why it isn't cool.

      On certain superficial moral levels, sure - proprietary closed-source shops would have it coming in a fashion. They make money from hidden information, so hiding information from them until a fee is paid sounds a bit like karma.

      OTOH, that's not how we're supposed to work as a community, for one simple reason:

      • Re: (Score:2, Insightful)

        by thebear05 (916315)
        How does your argument differ from the profession of a locksmith? They know how to get in your house, and you can pay them to get you into your house. Now, is it ethical to withhold information that could be used to hurt others? I would say that I personally think no. But if they have discovered something that is beneficial to someone, compensation does not seem unfair if reasonable.
        • How does your argument differ from the profession of a locksmith?

          I don't have a locksmith soliciting me out of the blue, demanding payment for his knowledge?

          ...and what if the weak-point is in a window, not a door? What if the weakness is in the garage door, the attic vent, crawlspace, or some other place where you'd not find a keyed lock?

          Your locksmith is more akin to a security contractor or consultant - you specifically hire the guy to utilize his knowledge in order to fill a need which you yourself have (e.g. you locked yourself outside of the house or car). Y

          • by somersault (912633) on Monday February 11, 2008 @07:05AM (#22377640)
            Your analogy is slightly off. Even from just reading the summary you can see that this is like a locksmith with a list of criminals who subscribe to his mailing list. The locksmith works out the vulnerabilities in your security (most houses are pathetically insecure via lockpicking anyway, if you really want into a house it's not gonna be hard to get in), then lets these criminals know them, but refuses to let you yourself know what the vulnerability is. He doesn't demand payment from you - he refuses to give you the information for any price, because you almost certainly won't pay as much as all his other clients. Because you have millions of houses, with millions of [currency]s worth of currency.

            For some reason when I first read the summary I was thinking of this company's clients as benign, but a second reading made me rethink :P
            • by gunnk (463227) on Monday February 11, 2008 @10:36AM (#22378908)
              I think you've hit the nail on the head.

              If the company knows of an exploit and wants to sell the information about it to the vendor that's perfectly fine as long as they aren't threatening to tell others about it.

              It's much like noticing my neighbor has an open wifi point advertising his file shares. Nothing wrong with offering to show him exactly what the problem is for a fee. If he doesn't want to pay for my expertise -- well, I told him his wifi point is leaving him open to hackers, so he has been warned. Now if I say I'm going to sell the information to others if he doesn't pay me -- that's extortion.

              I couldn't tell with certainty from the article whether or not the firm is showing the actual exploit to their subscribers or not. They may just be informing their clients of the existence of the exploit and giving guidelines about the severity and potential impact to business operations. If that's all they're doing, I'd say they are playing to win, but playing by the rules.

              On the other hand, if they sold the actual exploit to their subscribers then they're criminals.
        • Re: (Score:3, Insightful)

          by vux984 (928602)
          How does your argument differ from the profession of a locksmith? They know how to get in your house, and you can pay them to get you into your house.

          Great analogy! Let's work with that.

          Can you pay a locksmith to open someone else's house for you? Can you pay him to show you how so you can do it yourself?

          Of course not.

          But it goes further than that... locksmiths are both Licensed, and Bonded in most civilised countries to help prevent exactly these sorts of activities, as well as any other sort of unethical a
        • by timeOday (582209) on Monday February 11, 2008 @12:48AM (#22376086)

          How does your argument differ from the profession of a locksmith? They know how to get in your house, and you can pay them to get you into your house.
          Go ahead and advertise a "locksmith" service to open the doors on anybody's home, without the owner's consent, for a fee. Then have fun in jail.

          Here's a better analogy for a legal activity: auto makers who sell SUVs to whomever wants them, then tell the rest of us we need one to keep our families safe in the event of being hit by one. It's a classic arms race, the only real winner is the arms dealer.

          • by Blkdeath (530393)

            Go ahead and advertise a "locksmith" service to open the doors on anybody's home, without the owner's consent, for a fee. Then have fun in jail.

            FWIW, there are security firms that specialize in exactly that. House being one of a personal residence, a corporate office, a warehouse, or any secured facility that a company wants audited. What better way to audit one's security than to hire people with technical knowledge on how to enter establishments they shouldn't be in? It's one of those niche businesses that savvy reformed criminals tend to start up because they're the ones with the unique skill sets to do so.

            Here's a better analogy for a legal activity: auto makers who sell SUVs to whomever wants them, then tell the rest of us we need one to keep our families safe in the event of being hit by one. It's a classic arms race, the only real winner is the arms dealer.

            Ahh, a car analogy. Auto manufactur

        • Picking locks is an ancient art based on known flaws in lock construction. You can get a book on cracking any given lock, even 'pick-proof' locks (they have flaws, most are published, some just aren't yet known). Fixing them is expensive and difficult. And FYI, lock smiths don't charge for emergency situations; a lock smith will charge you $40 or so just to pop open the lock on your car if you lock your keys in, but if you've locked a kid in the car they go out immediately and do it for free (if not, don
      • by clarkkent09 (1104833) on Monday February 11, 2008 @01:15AM (#22376228)
        If I knew how to break into your house, then told you that I was able to but won't tell you how unless you paid up a fee? I'm sure that you'd easily come up with a lot of reasons why it isn't cool.

        Honestly, I couldn't. I am sure there are security experts out there who would be able to improve security of my house but I certainly wouldn't expect them to do it for free. This idea that if you find bugs in a software product, you have the responsibility to give that information to the company that makes it, and therefore help them improve their product, for free is completely bogus.

        Sorry, but there's a distinct lack of responsibility and ethics going on here, no matter how much you think the primary target may deserve it.

        I don't see any ethical problems here and it's completely irrelevant who the party involved is. I would actually argue that there is more of an ethical problem with testing a company's product for free, as it devalues the work of their own QA personnel, and it encourages companies to release shoddy products too early, with the expectation that paying customers will help them fix the bugs.
        • So show me where Real contracted these guys.

          Therein lies the problem. It's like some guy showing up at your house, saying that he knows exactly how he could break into that house, but he'll tell you how if you only pay him some money.

          In short, nobody asked them to research the bug. They did the research unbidden.

          If it's a question of fixing bugs for free, then quite simply they could just not do the research.

          /P

          • by QuantumG (50515)
            It's "just" like that except that there's a hundred more complications. Please fit into your analogy:

            * Intrusion Detection Systems.
            * Malware.
            * Anti-Malware, and Anti-virus software.
            * A rule that says you are not allowed to reverse engineer your own home.

            oh, and all the vulgarity of copyright law.

            This is why reasoning by analogy is not only stupid, but also pointless.
          • Well, perhaps then Real should include a note with their products saying "our product may contain security bugs, but pretty please don't try to find them as we prefer that nobody should know about them". It doesn't work. Bugs are there to be found, and somebody will find them sooner or later. If I was their customer, I would actually prefer to pay in order to have a security hole fixed, then to live with it and hope that nobody ever finds out. Take Consumer Reports. They find all kinds of problems with vari
      • BS. That is exactly what security analysts do. They research security problems. Whether it is how to break into your house or how to break into your computer is no different.

        If I want my house to be secure, I can either secure it myself or I can pay someone to tell me where the vulnerabilities are.
        • BS. That is exactly what security analysts do. They research security problems. Whether it is how to break into your house or how to break into your computer is no different.

          So if someone came up to you unannounced, and said they know exactly how to break into your house, but won't tell you unless you pay them some money, you'd have no problems with it?

          If I want my house to be secure, I can either secure it myself or I can pay someone to tell me where the vulnerabilities are.

          I don't argue against that. It's the unsolicited nature of it that irks.

          /P

          • I already know exactly how to break into your house. Hello official MIT lock picking course (which they condensed into a book you can pick up at your local Barnes & Nobel). I also know how to bypass most residential security alarm systems and some commercial ones (example, store glass with alarm tape? The grey stuff is metal conductive wire. Drill a small hole through a window next to (or through!) the tape, stick a wire through and to one side, use a soldering gun to secure the wires. Drill throug
      • by forgotten_my_nick (802929) on Monday February 11, 2008 @01:57AM (#22376478)
        "If I knew how to break into your house, then told you that I was able to but won't tell you how unless you paid up a fee?"

        That in itself is a fair point. I mean, what if you are working in the security industry and are trying to secure someone's business? You certainly aren't going to do it for free.

        The issue here is more like after the home owner saying they don't have the money or can't pay that you sell the information to whoever wants it. That I am pretty sure is illegal.
    • The problem is that there is only one legitimate customer- Real. Why would anyone else want this information? Only to break into your computer. There is no use selling to end users since they aren't going to be able to fix it even if they know about it (almost certainly). An end user only needs to know one piece of information- Real 11 isn't secure- and they've given that information free to the world.

      By selling to whoever pays, they are in effect blackmailing Real- "we are going to sell this info to lot
  • Blackmail eh? (Score:4, Insightful)

    by QuantumG (50515) <qg@biodome.org> on Sunday February 10, 2008 @11:38PM (#22375682)
    How about just "proprietary knowledge".. ya know, like the source code of Real Player?

  • it's tough (Score:3, Interesting)

    by rastoboy29 (807168) * on Sunday February 10, 2008 @11:42PM (#22375702)
    If you're not actually shaking down the vendor, it's not blackmail.  I mean, if you get a piece of information, are you obligated to inform anyone?

    It is sleazy, don't get me wrong, because what other reason would someone other than Real want to purchase the information except to do no good?  But I'm having a hard time feeling sorry for Real, because they suck so fucking bad.  I keep trying to replace them in my mind with some company I like to analyze the situation, but it just keeps switching back to Real.

    I mean, it's not like someone's going to get killed or anything.  Unless, of course, Putin wants that done.
    • Re: (Score:2, Informative)

      by thedarknite (1031380)
      But it does come close to racketeering.
      • Mod parent up!

        To elaborate, Evgeny is threatening damage to Real (by this exploit) unless they pay up a sizable sum of money to purchase the exploit (whether or not he'd sell it to Real is another matter, although Real could always pose as a client and then purchase it).

        I know Real has got a pretty scummy reputation, but that's no excuse to condone this behavior.
        • by QuantumG (50515)
          How exactly are they threatening damage?

          • ...this is an exploit, after all.

            I understand where you're coming from; the only ones who seem to be directly affected are the poor end-users. However, if people stop using RealPlayer because of the exploits, and IT departments start uninstalling it because all their machines are getting owned, and it affects RealMedia's bottom line, you can be sure as hell that's damage.
            • by QuantumG (50515)
              But *they* caused the damage.. they released a product with a security flaw in it. If some third party who doesn't even have the source code can find it, then so can RealMedia.

              In the meantime, there's people who sell anti-malware. There's people who sell intrusion detection systems. There's people who get paid to maintain the security of corporate networks. All of these other people are willing to pay for information about the exploit.. some of them are even willing to pay for exclusivity - to the exte
              • Re: (Score:3, Insightful)

                It's one thing for RealMedia to cause damage (release a product with a security flaw in it). It is another thing to actively exacerbate this damage (release an exploit to the blackhat community for large sums of money, and refuse to tell the vendor what the exploit is).
                • by QuantumG (50515)
                  blah, RealMedia are free to plug the hole any time they want.. they just don't get the research used to find the hole for free.. they have to do their own damn research.
                • You know what's funny?
                  I thought Real was dead...
                  I had no idea they were still in business till today.
                  this is racketeering, and it's wrong. That said, I wish there was a culture of "Hey thanks for finding that whopper of a bug, here's a couple grand" for bugs that can be exploits, because should such a culture arise, your average geek would go for the bounty.
                  -nB
          • This is just like the 'potential damages' part of a media infringement trial, right?

            The part where the prosecutor pulls a magic number out of the air, goes 'should have, would have, could have' and the jury are suddenly lobotomized?
        • Re: (Score:3, Insightful)

          I don't see it that way. In my view, they're not "threatening damage" but promising results. They're essentially saying "Hey Real, if you hire us to do a security audit, we can guarantee we will find at least one serious vulnerability, and your money will have been well spent." It's a bit disingenuous to phrase it this way, but it essentially boils down to the same thing.

          Think of it as "we guarantee value for your money" rather than "give us money or we guarantee you'll wish you had," which, if you consi
          • Yes, they are promising results, but the reason why they can "guarantee" these results is because they already know about them. This is a key distinction from a traditional security audit, where one presumably doesn't know the vulnerabilities before signing the contract.
        • I should add, whether or not we condone this behavior has no bearing on the issue at all. This is a clear issue of a product arising to supply a need; if we want to curb this capitalistic instinct we'll have to get the Russian Government to do something for the "greater good."

          What is the greater good? For me it's pretty clear: software without security vulnerabilities. Is it reasonable to expect security researchers not to make money off their knowledge? Is it reasonable to expect software not to have secur
        • I don't think so.
          I would still support Evgeny even if the product belonged to Apple.
          BECAUSE, Evgeny spent x amount of money to discover the bug, which should have been first discovered by Real.
          Now, after spending money and effort, you expect Real to be given that information Free, because Real made the defective product in the first place?
          That is not capitalism. Real is practising Fascism.
          The assumption is that Real with its army of lawyers could scam the legal and legislative system of russia and force Evg
    • It is sleazy, don't get me wrong, because what other reason would someone other than Real want to purchase the information except to do no good?

      Well, there are malware blocking programs that deal with plugging holes in other programs. Windows, and the various VB running Office programs are one source of bugs. I could see an antimalware company advertising itself as fixing holes in Real/Flash/Other malformed content.

    • IANAL. If I had a security exploit that if used could get someone killed and I refused to hand it over and instead sold it to a third party who then used it and killed someone I am pretty sure I would be liable in that instance.
      • by Blkdeath (530393)

        IANAL. If I had a security exploit that if used could get someone killed and I refused to hand it over and instead sold it to a third party who then used it and killed someone I am pretty sure I would be liable in that instance.

        Where are the small children and cute kittens and puppies in your sentiment? I mean, while we're going out on a limb and all ...

        We're talking one of a million software exploits out there in the great wilds of commercial software packages.

        Where, BTW, is the liability for the company who released the defective product in the first place? If this exploit can "get somebody killed" (or whatever actual damages can take place as a result of its use) why shouldn't RealMedia be held liable?

  • Indeed, for individuals, pointing out security problems can be dangerous. It isn't very nice of them, but then again, most software vendors aren't nice either. Calling this blackmail is a bit of a stretch.
    • by timeOday (582209)
      One interesting consequence of allowing this type of behavior is that software vulnerabilities would carry a financial consequence for the software makers. It's a sort of liability they can't simply disclaim in the license.
  • by enos (627034) on Sunday February 10, 2008 @11:48PM (#22375750)
    It's called capitalism, and it's been breaking out in eastern Europe ever since the USSR fell. In unregulated areas (i.e. new markets) they have a much more "pure" concept of it than the west. The public good is a socialist idea. This same thing happens in a lot of places in the west where there are shops that specialize in IP of some sort. They have to make their living somehow. It's just that people are used to security companies giving this stuff away for free.
    • Re: (Score:3, Interesting)

      by thelexx (237096)
      Way to completely sidestep the word 'ethics' there...

      "In unregulated areas (i.e. new markets) they have a much more "rapacious" concept of it than the west. The public good is an inconvenient idea."

      FTFY
    • by timeOday (582209)
      A lot of the responses here claim it's capitalism and therefore must not be blackmail, as if that were a dichotomy - it's not. Blackmail is capitalism, just as libel is speech. I really don't know whether Gleg's actions meet the legal definition of blackmail in Russia, or for that matter in the US. But the fact that Gleg can make money doing this is not, in itself, much of a defense against charges of blackmail.
    • by skribe (26534) on Monday February 11, 2008 @02:19AM (#22376566)
      How long before Real change their EULA demanding that licensees reveal any exploits to them within 24 hours of discovery?
      • How about they switch to GPL? That way, anyone who publishes a patch for client has to reveal the patch.

        Yes, it's a pipe dream for now, but that sort of security and performance flaw is partly why the GPL exists: to get the source, patches, and feature additions out into the open.
    • by pilgrim23 (716938)
      ----and it is certainly a case of d**ned if you do and dam*ed if you don't:
      Recently I had issues with a game I purchased. I finally figured out that the reason it refused to play was the machine I had this game on was not networked in an expected way and the game's DRM wanted to handshake with the company to let me play it. In the process of figuring this out I also figured out a crack for the DRM they were using and passed on my discovery to the company. I paid for the game, I like th
  • I don't call it blackmail, I call it a free market...

    Companies have a financial incentive for keeping their products secure, open source projects have less of an issue because the money just isn't in it.
    All this is - is one company spending real money, hiring well paid analysts to plow through machine code or source code and analyse vulnerabilities.
    The reason they can afford to do this is because the market is full of companies willing to pay for this stuff...

    That's where your code of ethics goes out of the window!

    With open-source projects, there is still a market of companies using that software but at the same time there's a limited timespan before it's usually discovered by somebody else.
    You know very well that if you advertise you've found a security flaw in open source XX product you're going to have hundreds of people scrutinising it and developing a fix - because it's beneficial to everybody (so the code of ethics lives strong).

    It doesn't help that `Real' has a bad reputation, but by doing this and withholding it, Gleg are doing exactly what they set out to do in the first place and doing as any successful business man/woman does: identifying the market and targeting it appropriately.

    This happens every day not just in software security, but in every other industry yet people just consider it a normal day in the office and maybe grumble a bit about it.

    In an ideal situation ethics and social benefit would come first though... yet this is in practice incompatible with the free market, just for the reasons above.
  • Blackmail? (Score:5, Insightful)

    by clarkkent09 (1104833) on Sunday February 10, 2008 @11:54PM (#22375786)
    If this is valuable information (as in there are people willing to pay money for it) why should they give it away for free? Companies pay good money to consultants to come over and fix problems with their business, so why shouldn't they have to pay people who help them fix problems with their software products?
    • Re: (Score:3, Insightful)

      by xtracto (837672)
      Yeah, screw Real and the others. They create closed source software, how can they expect to get free security consultancy? If this company is spending their resources on finding methods to secure third party insecure software then they have all the right to sell such information. If people at Real want to know about these problems they should 1. Spend their money getting good security consultancy or 2. open source the programs and then maybe people will submit patches for free.

      Just imagine if Microsoft was
  • Vista (Score:3, Interesting)

    by Joe U (443617) on Sunday February 10, 2008 @11:59PM (#22375828)
    So, I have one question, does UAC actually help trap exploits like this?

    Not that I would ever install Realplayer outside of a locked down VM anyway. Assume I had a seizure or something and wanted to put this on my host OS.
    It's not like these guys are really putting anyone in a bind. Real Networks has a responsibility to inspect and maintain their own product, and since they have the source code, there's nothing preventing them from doing so. And people who are uninterested in paying them umpteen bazillion dollars for their expertise are welcome to take my advice, given for free:

    Uninstall RealPlayer.
  • by nguy (1207026)
    When companies ship software with security holes, it's a product defect. If they don't want to be embarrassed by that in public, they should simply not introduce security holes.
  • by AB3A (192265) on Monday February 11, 2008 @12:10AM (#22375894)
    I have this lovely demonstration, but you have to pay me to show you how it works. How do we know it is a real hack? How do we know it isn't a shake down?

    This is a shade of Fermat's last theorem. Wiles, after he finally proved it, said that he doubted Fermat actually knew a viable proof.

    We don't know what these guys have. Whether it's blackmail or not, it still smells bad. I think the money would be better spent on real security researchers who disclose what they find.
  • I know I'm way off topic, but I have to ask. What is Real good for anyway? What do they do, for a fee, that isn't done by a variety of other sources for free? And I know their media player software is free, but in their case the fee is all the garbage that comes with it. Or you pay a monetary fee and likely still get a bunch of garbage you don't want.

    So to make some on topic comment I will say that I fully support this form of capitalism. Real could pay them for the information - it's a better deal than hir
  • Why? (Score:2, Insightful)

    by BraneSpace (1190961)
    I suppose this really comes down to the intent of the security firm. WHY did they go looking for vulnerabilities? A common theme I see repeated here is that they spent time and effort looking for vulnerabilities. Why would they do so? What is their profit model? I see three real(hehe) possibilities.

    1. They are planning to sell the information to (criminal) third parties.
    2. They are planning to sell the information to Real.
    3. They are trying to sell services to Real.

    The fact that they offer it
  • by SamP2 (1097897) on Monday February 11, 2008 @12:48AM (#22376088)
    According to Russian copyright law [wikipedia.org], "purely informational reports on events and facts are not copyrightable". The copyright on the code itself belongs to RP (and copyright to all other flaws discovered by this Russian company belongs to their respective owners), and the simple informational fact of knowledge about a flaw is not subject to copyright.

    RP can legally subscribe to be a "customer" of this security firm, and then just take all information they deliver, and pass it on to all parties involved (in other words, send the relevant information to all companies whose code has a vulnerability). Several companies can team up and split the "subscription fee".

    Consider this to be the security (and legal) version of ripping a pay porn site and dumping the contents on eMule. The Russian company won't go far with a single paying subscriber.
  • Recently Yahoo announced that they were selling my music account to RealNetworks at twice the current subscription fee. Based on the poor history of that company there isn't a snowball's chance that I'll get a subscription to Rhapsody. Knowing that Real has security flaws in what they -claim- is a cleaned up version of their adware engine is no particular shocker. I don't care what happens to them - does anybody still use them anyway?
  • This is an interesting revenue model. If company A pays for a security audit, any exploits found are "bought" only once by company A. In this case, these guys can keep selling the exploit again and again, including to company A, but then to many others.

    Russia has taken Capitalism to their hearts--principles be damned, everything has a price. It's funny how most of slashdot is lamenting good vs evil, while a clear profit is to be had. What happened to American business spirit? We should be proud that we expo
    • by superwiz (655733)

      What happened to American business spirit?
      At the same time as Russia got captured by the business spirit, USA has gotten captured by the socialist spirit. Just look at the latest elections. The sentiment of slashdotters (most of whom are Americans) is as much a proof of that as the latest primary elections.
  • by EEPROMS (889169) on Monday February 11, 2008 @01:04AM (#22376174)
    If you sell software under a restricted proprietary license you have set the rules for all dealings with your code as being based purely on monetary gain. So if some programmers figure out a security flaw with your software they, like you, "don't have to give away their code or IP for nothing" because you also insist on not giving away your IP either.
  • Setting aside the debate as to whether or not they should have a dollar value, the bottom line is that exploits do have a dollar value. Someone can use an exploit to take your money, your bosses money, you government's money, etc., which will always give these things a value to people with the requisite lack of ethics needed to use them in that way. Because of this, there's simply no economic incentive for this company to give away their commodity of value for nothing. If this kind of thing is to be stop
    • by EEPROMS (889169)
      Easy: set a bounty price on bugs. A serious security flaw gets you $2k, then regressing downwards in price depending on how important the bug is. Also make sure that part of the bounty payment procedure is a contractual agreement regarding the IP. So if anyone decides (stupidly) to release any of the information it is a simple breach of contract. Let's be honest, humans do not like doing things without some form of monetary or social gain, and to pretend another alternate false reality exists is naive.
  • I'd really feel for them. You know, if it wasn't RealPlayer.

    Come on! Who doesn't hate that pile of garbage?
  • by s_p_oneil (795792) on Monday February 11, 2008 @01:52AM (#22376448) Homepage
    Does anyone use RealPlayer? I mean, it's worse than QuickTime (and I HATE QuickTime).
    • by EEPROMS (889169)
      At a meeting of fellow anime fans someone turned up with a DVD full of real media ripped files, we all laughed when we saw the files on the big screen (no one asked for a copy either). These days everything is either xvid/AVI/mp3 or the much preferred H.264/mkv/OGG (or AAC) high res files.
  • Nothing's free... (Score:5, Interesting)

    by Quixote (154172) * on Monday February 11, 2008 @01:58AM (#22376484)
    If a pharmaceutical company comes up with a cure for (say) AIDS, should they be forced to give it out to the rest of the world for free? I mean, lives are at stake there, and presumably lives are more valuable than Junior's ability to play the latest Brittney hits.

    If the prevailing logic (that the Russian company should cough up the goods for free) is applied, all pharma companies would be non-profit charities...

  • I am not sure I understand correctly, where people got the idea that that particular security research company sells info to "the bad guys". Unlike the open source software, inspecting and finding flaws in black box type of systems is more labor intensive (perhaps some of it can be automated but only some). Someone has to pay for this. Because if they do "the ethical thing" they will have no money to pay rent and buy food, and won't be able to continue what they do. That way users will still "suffer due to
  • Why not compromise (Score:3, Informative)

    by martinlp (904606) on Monday February 11, 2008 @02:41AM (#22376670)
    This is exactly what the Tippingpoint zero day initiative [zerodayinitiative.com] is for: to give credit and a bit of money to researchers who spend time and effort to discover vulnerabilities in software.
    Sure these researchers should get money/credit, but what if they become greedy or irresponsible?
  • by Jane Q. Public (1010737) on Monday February 11, 2008 @04:48AM (#22377132)
    Hmmmm...

    I am in the lawn care business. I know why your lawn is dying. I will make it green, for a fee.

    I am in the computer tech business. I know why your sound card has a problem. I will fix it... for a fee.

    I am in the computer tech business. I know how to fix the virus(es) in your computer. For a fee.

    I am a chef. I know how to cook your dinner. Do you expect the recipe for free?

    And so on. It would be "giving to the community" to give them the information for free, but this kind of business model *IS* all around us. No point in singling them out.
  • by flyingfsck (986395) on Monday February 11, 2008 @06:01AM (#22377360)
    Real has the source code. They don't need to pay anybody else to find the bug, they can do their own code review.
  • by mapkinase (958129) on Monday February 11, 2008 @09:36AM (#22378372)
    Seems like not a bad price for a company whose software runs in millions and millions of copies around the world.

    If we assume that $10,000 is for a year: that is the cost of one tenth of a full time internally hired security expert.

    I think Real should consider subscribing to the services of Gleg.
  • How else are they... (Score:3, Interesting)

    by fozzmeister (160968) on Monday February 11, 2008 @11:18AM (#22379342)
    How else are they going to get paid? They did work, Real expect them to donate their work for free. I don't see it as unreasonable to ask for payment, whether Real think the price is too high is a matter for them (and their customers?)
