Dailydave mailing list archives
Re: Hyenas of the Security Industry
From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Sat, 19 Jun 2010 21:35:51 +0200
dislosure () hushmail com wrote:
Such a long post Spender. I agree with many of your arguments but I also agree with many of RSnake's opinions. I don't want to talk about who's right or wrong, I just want to point out some facts
Your post is so difficult to parse that it was obviously filtered through automatic translation. You're taking extraordinary measures to stay anonymous, I suspect this is because a simple search online would uncover evidence of you doing something your employer hasn't sanctioned (evidence of a rowdy night out on facebook?). Associating my actions with my employer is just an attempt to fabricate controversy where none exists. I know you've concocted an exciting story, but it's just a fairy tale - stop trying to present it as fact.
Fact 1. Tavis actually only gave Microsoft ~3 business working day to fix the bug
The amount of time isn't relevant. What's important is that I concluded after initial negotiation that the amount of time required to prepare a patch would be make a non-negligible difference to the window of exposure. As you've obviously been researching my background, you'll know that I'm willing to compromise with vendors in cases where I think users are best served by waiting for official patches. In this case, I believe everybody was best served by publishing mitigation advice as soon as possible. I believe what I did was absolutely right.
Fact 2. Tavis did not either practice Full Disclosure or Responsible Disclosure * Full Disclosure: he would have sent out the advisory immediately to the community instead of inform Microsoft and wait for 05 days * Responsible Disclosure: he should have given Microsoft guy at least enough of time to fix, test and release the patch.
What's amusing is that your definition of "responsible disclosure" does not match Microsofts. Microsoft's definition is "give the vendor the vulnerability, then let them sit on it for as long as they want". In fact, you're right about full disclosure, your description is accurate. However, I recognise that reasonable people familiar with the debate can have different opinions, and I'm usually willing to compromise within reason. In this case, I do not believe a compromise that I would have found acceptable could have been reached.
Fact 3. His workaround on the advisory did not work which left all the users vulnerable to his 0day due to no workaround and no patch from Microsoft.
Incorrect, my workaround is identical to Microsoft's.
Fact 5. Google (like many other big companies) does have Code of Conduct for all employees.
Is stalking people you don't agree with online your companies policy?
Question: did Taviso violate Google Code of Conduct?
Have you stopped beating your wife? I'm sure your companies code of conduct doesn't permit that.
Fact 6. Google does have its Philosophy on many things. And Google Philosophy for Security strongly states the the importance of "Responsible disclosure". (http://www.google.com/corporate/security.html).
I am not Google. Do you really want to live in a world where every single action you take must be sanctioned by your employer? You must recognise how weak this argument is, you cannot possibly want your employer to control your every waking thought.
a. Did Taviso found that bug using Google tools? From his blog http://my.opera.com/taviso/blog/2008/08/16/update/ two years ago, he did mention that he found an IE bug and a number of other windows bugs by using a few tools he developed at work.
The answer is no, the tool I was talking about back in 2008 was "flayer", it's open source, you can download and play with it. http://code.google.com/p/flayer/ We wrote a paper about it as well. http://www.usenix.org/events/woot07/tech/full_papers/drewry/drewry.pdf
b. Did Google security guys discuss / play with this bug at work? Tavis did mentioned he got helped from some of Google security guys in his advisory
Discussed? Yes. Do you discuss your personal projects over lunch? Your plans for the weekend? Of course you do.
Cheers, - --Anonymous
This would be a much more fun argument if you tell me your name and where you worked. After all, your position is that this mail officially represents your company. I felt compelled to reply as Dave let this post through moderation, but I'd really rather this issue was allowed to die. Tavis. -- ------------------------------------- taviso () cmpxchg8b com | pgp encrypted mail preferred ------------------------------------------------------- _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Hyenas of the Security Industry Brad Spengler (Jun 17)
- Re: Hyenas of the Security Industry Marsh Ray (Jun 21)
- <Possible follow-ups>
- Re: Hyenas of the Security Industry dislosure (Jun 19)
- Re: Hyenas of the Security Industry Tavis Ormandy (Jun 19)
- Re: Hyenas of the Security Industry dave (Jun 24)
- Re: Hyenas of the Security Industry Tavis Ormandy (Jun 19)