Dailydave mailing list archives

Re: Hyenas of the Security Industry


From: Tavis Ormandy <taviso () cmpxchg8b com>
Date: Sat, 19 Jun 2010 21:35:51 +0200

dislosure () hushmail com wrote:
> Such a long post Spender. I agree with many of your arguments but I also
> agree with many of RSnake's opinions. I don't want to talk about who's
> right or wrong, I just want to point out some facts.

Your post is so difficult to parse that it was obviously filtered through
automatic translation. You're taking extraordinary measures to stay
anonymous, I suspect this is because a simple search online would uncover
evidence of you doing something your employer hasn't sanctioned (evidence of
a rowdy night out on facebook?).

Associating my actions with my employer is just an attempt to fabricate
controversy where none exists. I know you've concocted an exciting story,
but it's just a fairy tale - stop trying to present it as fact.

> Fact 1.
> Tavis actually only gave Microsoft ~3 business working days to fix the bug.

The amount of time isn't relevant. What's important is that I concluded
after initial negotiation that the amount of time required to prepare a
patch would make a non-negligible difference to the window of exposure.

As you've obviously been researching my background, you'll know that I'm
willing to compromise with vendors in cases where I think users are best
served by waiting for official patches. In this case, I believe everybody
was best served by publishing mitigation advice as soon as possible.

I believe what I did was absolutely right.

> Fact 2. Tavis did not practice either Full Disclosure or Responsible
> Disclosure.
> * Full Disclosure: he would have sent out the advisory immediately to the
>   community instead of informing Microsoft and waiting for 05 days.
> * Responsible Disclosure: he should have given the Microsoft guys at least
>   enough time to fix, test and release the patch.

What's amusing is that your definition of "responsible disclosure" does not
match Microsoft's. Microsoft's definition is "give the vendor the
vulnerability, then let them sit on it for as long as they want".

In fact, you're right about full disclosure, your description is accurate.
However, I recognise that reasonable people familiar with the debate can
have different opinions, and I'm usually willing to compromise within
reason.

In this case, I do not believe a compromise that I would have found
acceptable could have been reached.

> Fact 3. His workaround on the advisory did not work, which left all the
> users vulnerable to his 0day due to no workaround and no patch from
> Microsoft.

Incorrect, my workaround is identical to Microsoft's.

> Fact 5. Google (like many other big companies) does have a Code of Conduct
> for all employees.

Is stalking people you don't agree with online your company's policy?

> Question: did Taviso violate the Google Code of Conduct?

Have you stopped beating your wife? I'm sure your company's code of conduct
doesn't permit that.

> Fact 6. Google does have its Philosophy on many things. And Google's
> Philosophy for Security strongly states the importance of "Responsible
> disclosure". (http://www.google.com/corporate/security.html)

I am not Google.

Do you really want to live in a world where every single action you take
must be sanctioned by your employer? You must recognise how weak this
argument is, you cannot possibly want your employer to control your every
waking thought.

> a. Did Taviso find that bug using Google tools? In his blog
> http://my.opera.com/taviso/blog/2008/08/16/update/ two years ago, he did
> mention that he found an IE bug and a number of other Windows bugs by
> using a few tools he developed at work.

The answer is no. The tool I was talking about back in 2008 was "flayer";
it's open source, you can download and play with it.

http://code.google.com/p/flayer/

We wrote a paper about it as well.

http://www.usenix.org/events/woot07/tech/full_papers/drewry/drewry.pdf

> b. Did Google security guys discuss / play with this bug at work? Tavis
> did mention he got help from some of the Google security guys in his
> advisory.

Discussed? Yes. Do you discuss your personal projects over lunch? Your plans
for the weekend? Of course you do.

> Cheers,
>
> - --Anonymous

This would be a much more fun argument if you tell me your name and where 
you worked. After all, your position is that this mail officially represents
your company.

I felt compelled to reply as Dave let this post through moderation, but I'd
really rather this issue was allowed to die.

Tavis.

-- 
-------------------------------------
taviso () cmpxchg8b com | pgp encrypted mail preferred
-------------------------------------------------------

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
