An impassioned defense of security researcher Tavis Ormandy, and counterattack against his detractors, was made on the Daily Dave mailing list last month. Meanwhile, the assaults on security researcher Tavis Ormandy's character continue.
In "Responsible disclosure and its irresponsible advocates," readers got a glimpse into how the advocates of so-called "responsible disclosure" reacted to Tavis Ormandy's "full disclosure" approach to dealing with a Microsoft security vulnerability he discovered recently. In summary, he has tried the "responsible disclosure" approach with Microsoft in the past, with severely disappointing results. After trying in vain to get Microsoft representatives to agree to a time period in which the flaw would be addressed, Ormandy decided to go ahead and disclose the vulnerability for the twin purposes of:
- warning users and implementing work-arounds and temporary fixes while waiting for Microsoft to do something about the software flaw
- "encouraging" Microsoft itself to do something about the vulnerability this year
Microsoft, being wedded to the "responsible disclosure" (aka "no disclosure, no bugfix if we can get away with it") approach, used the fact Ormandy was an employee of Google as an excuse to attack that company, regardless of the fact that Ormandy's vulnerability discovery and reporting activities were undertaken outside of his work. A number of people at least peripherally connected with the larger security community took this as an opportunity to expand on Microsoft's underhanded, misleading attacks on Google, and in some cases even went so far as to call Ormandy a "terrorist."
As should be clear by now, it is my position that regardless of whether the "full disclosure" approach is the best, it is not in and of itself proof that anyone has done anything wrong — but, rather, it is representative of a valid position on the matter of proper vulnerability reporting. Furthermore, there are really only two types of advocates of "responsible disclosure":
- the dishonest
- the unreasonably credulous
As demonstrated in some of the discussion following Responsible disclosure and its irresponsible advocates, there are those in the TechRepublic community who disagree with my assessment of the matter. For the most part, the discussion remained at least marginally civil, though one commenter who supports the "responsible disclosure" position saw fit to use insults and similarly fallacious arguments to attack the position of anyone who held a different opinion.
The truth is that, in a different venue and with different goals, Responsible disclosure and its irresponsible advocates may well have been written with a far harsher, more direct approach to calling out those who are unable to address the facts of the matter honestly. In short, in another world, it might have been written to bear a striking resemblance to a mailing list message bearing the title Hyenas of the Security Industry, sent by Bradley Spengler of grsecurity. I discovered this message after having already written about the subject in the Responsible disclosure and its irresponsible advocates article, and was surprised by the parallels between Spengler's email and my own article.
Of course, there are some significant differences. Choice of language and more incendiary tone certainly set Spengler's writing apart from my own, in this case. He makes a point of singling out some of the same people for much the same criticisms, however, and (at about 3000 words) longer than I wanted my article to be. For those interested in learning more about the excesses and transgressions of advocates for "responsible disclosure", it is certainly worth the read — and, regardless of its aggressive style, it is well-researched and well-reasoned. Be warned that in the most straight-laced of environments (where harsh language in reading materials might be forbidden) it could be considered Not Safe For Work.
In other news, there are still more idiotic references to Tavis Ormandy as a "terrorist":
- How did cyber terrorist Tavis Ormandy get a job at Google?
- Cyber terrorists start releasing Microsoft 0day in support of Tavis Ormandy
It appears there is something of a one-man campaign to destroy Ormandy's reputation by calling him a "terrorist" in as many ways, and as many venues, as possible. I have likewise seen this "n3td3v", Andrew Wallace, make that claim elsewhere. What surprises me about it is not that someone is trying to drum up virtual lynch mobs, but that the person has not been more immediately and thoroughly taken to task for such trollish, unreasonable behavior.
As always, the question comes to the TechRepublic community. What are your thoughts?
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.