Re: Hyenas of the Security Industry

[dave <dave () immunityinc com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

One thing to remember is that in the States there is no differentiation between "your
time" and "your employers time". The standard employment contract says that anything
you do while employed, assuming you are salaried, is essentially owned by the
employer. This is both good and bad for the employer in the sense that they are
likely liable for anything you do - i.e. all the Immunity people presenting at
BlackHat are presenting as "Immunity" not "Some dude". This may help explain some of
the weirdness you saw when, say, an ISS employee wants to give a Cisco internals talk.

So it's possible that what you're seeing here is a bit of good old fashioned culture
clash.

- -dave

Tavis Ormandy wrote:
> dislosure () hushmail com wrote:
> > Such a long post Spender. I agree with many of your arguments but I also
> > agree with many of RSnake's opinions.  I don't want to talk about who's
> > right or wrong,  I just want to point out some facts
>
> Your post is so difficult to parse that it was obviously filtered through
> automatic translation. You're taking extraordinary measures to stay
> anonymous, I suspect this is because a simple search online would uncover
> evidence of you doing something your employer hasn't sanctioned (evidence of
> a rowdy night out on facebook?).
>
> Associating my actions with my employer is just an attempt to fabricate
> controversy where none exists. I know you've concocted an exciting story,
> but it's just a fairy tale - stop trying to present it as fact.
>
> > Fact 1.
> > Tavis actually only gave Microsoft ~3 business working day to fix the bug
>
> The amount of time isn't relevant. What's important is that I concluded
> after initial negotiation that the amount of time required to prepare a
> patch would be make a non-negligible difference to the window of exposure.
>
> As you've obviously been researching my background, you'll know that I'm
> willing to compromise with vendors in cases where I think users are best
> served by waiting for official patches. In this case, I believe everybody
> was best served by publishing mitigation advice as soon as possible.
>
> I believe what I did was absolutely right.
>
> > Fact 2. Tavis did not either practice Full Disclosure or Responsible
> > Disclosure * Full Disclosure: he would have sent out the advisory
> > immediately to the community instead of inform Microsoft and wait for 05
> > days * Responsible Disclosure: he should have given Microsoft guy at least
> > enough of time to fix, test and release the patch.
>
> What's amusing is that your definition of "responsible disclosure" does not
> match Microsofts. Microsoft's definition is "give the vendor the
> vulnerability, then let them sit on it for as long as they want".
>
> In fact, you're right about full disclosure, your description is accurate.
> However, I recognise that reasonable people familiar with the debate can
> have different opinions, and I'm usually willing to compromise within
> reason.
>
> In this case, I do not believe a compromise that I would have found
> acceptable could have been reached.
>
> > Fact 3. His workaround on the advisory did not work which left all the
> > users vulnerable to his 0day due to no workaround and no patch from
> > Microsoft.
>
> Incorrect, my workaround is identical to Microsoft's.
>
> > Fact 5. Google (like many other big companies) does have Code of Conduct
> > for all employees.
>
> Is stalking people you don't agree with online your companies policy?
>
> > Question: did Taviso violate Google Code of Conduct?
>
> Have you stopped beating your wife? I'm sure your companies code of conduct
> doesn't permit that.
>
> > Fact 6. Google does have its Philosophy on many things. And Google
> > Philosophy for Security strongly states the the importance of "Responsible
> > disclosure". (http://www.google.com/corporate/security.html).
>
> I am not Google.
>
> Do you really want to live in a world where every single action you take
> must be sanctioned by your employer? You must recognise how weak this
> argument is, you cannot possibly want your employer to control your every
> waking thought.
>
> > a. Did Taviso found that bug using Google tools? From his blog
> > http://my.opera.com/taviso/blog/2008/08/16/update/ two years ago, he did
> > mention that he found an IE bug and a number of other windows bugs by
> > using a few tools he developed at work.
>
> The answer is no, the tool I was talking about back in 2008 was "flayer",
> it's open source, you can download and play with it. 
>
> http://code.google.com/p/flayer/
>
> We wrote a paper about it as well.
>
> http://www.usenix.org/events/woot07/tech/full_papers/drewry/drewry.pdf
>
> > b. Did Google security guys discuss / play with this bug at work? Tavis
> > did mentioned he got helped from some of Google security guys in his
> > advisory
>
> Discussed? Yes. Do you discuss your personal projects over lunch? Your plans
> for the weekend? Of course you do.
>
> > Cheers,
> >
> > - --Anonymous
>
> This would be a much more fun argument if you tell me your name and where 
> you worked. After all, your position is that this mail officially represents
> your company.
>
> I felt compelled to reply as Dave let this post through moderation, but I'd
> really rather this issue was allowed to die.
>
> Tavis.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org

iEYEARECAAYFAkwj04wACgkQtehAhL0gheod8ACfVfLTmzgVuojUdm1OGhfqE8x9
ejkAn2vJSb2ATCAdVmLJOygKYSvvSNWJ
=2dsO
-----END PGP SIGNATURE-----
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave