Ormandy / Google: How Close is Too Close?
Supporters of Tavis Ormandy believe that his decision to spoon-feed attackers a play-by-play exploit to infect your computers was justified. And they’re upset with what they deem bad press. Here are the two primary beefs they have:
1. Microsoft refused to give in to Tavis’ demand to set their development schedule.
Rebuttal: Microsoft has customers and shareholders to whom they must answer. Had Tavis followed the normal disclosure procedure, he would have stated his timeframe up front and then released only if and when the vendor (in this case, Microsoft) missed the deadline. The vendor doesn't agree or disagree with the timeline; they still get to set their own development schedule. 45 to 60 days' warning is the norm. Not 4 or 5 days, and certainly not 2 working days.
This balance is practiced in both full and responsible disclosure by the majority of legitimate security researchers. It gives the vendor time to fully research the issue, while the exploit is kept out of the hands of attackers for a predetermined period. In the interim, users are kept out of the line of fire. Microsoft didn't fail here; Tavis did.
2. Journalists are calling out Google in their articles.
Rebuttal: Like it or not, Tavis IS a Google employee, and a member of the Google security team no less. His efforts to create and irresponsibly disclose attacks that are used on innocent people (most of whom are Google users in one way or another) DO reflect, very poorly, on his employer. And it's certainly not as if Google could have been unaware of his background when they hired him.
Ormandy / Google: How Close is Too Close? originally appeared on About.com Antivirus Software on Friday, June 18th, 2010 at 04:20:11.