Security hyenas and the abuse of the word 'terrorist'

An impassioned defense of security researcher Tavis Ormandy, and counterattack against his detractors, was made on the Daily Dave mailing list last month. Meanwhile, the assaults on security researcher Tavis Ormandy's character continue.

In "Responsible disclosure and its irresponsible advocates," readers got a glimpse into how the advocates of so-called "responsible disclosure" reacted to Tavis Ormandy's "full disclosure" approach to dealing with a Microsoft security vulnerability he discovered recently. In summary, he had tried the "responsible disclosure" approach with Microsoft in the past, with severely disappointing results. After trying in vain to get Microsoft representatives to commit to a time period in which the flaw would be fixed, Ormandy decided to go ahead and disclose the vulnerability, for the twin purposes of:

  1. warning users and implementing work-arounds and temporary fixes while waiting for Microsoft to do something about the software flaw
  2. "encouraging" Microsoft itself to do something about the vulnerability this year

Microsoft, being wedded to the "responsible disclosure" (aka "no disclosure, no bugfix if we can get away with it") approach, used the fact that Ormandy is an employee of Google as an excuse to attack that company, even though Ormandy's vulnerability discovery and reporting activities were undertaken outside of his work. A number of people at least peripherally connected with the larger security community took this as an opportunity to expand on Microsoft's underhanded, misleading attacks on Google, and in some cases went so far as to call Ormandy a "terrorist."

As should be clear by now, it is my position that regardless of whether the "full disclosure" approach is the best, it is not in and of itself proof that anyone has done anything wrong -- but, rather, it is representative of a valid position on the matter of proper vulnerability reporting. Furthermore, there are really only two types of advocates of "responsible disclosure":

  1. the dishonest
  2. the unreasonably credulous

As demonstrated in some of the discussion following "Responsible disclosure and its irresponsible advocates," there are those in the TechRepublic community who disagree with my assessment of the matter. For the most part, the discussion remained at least marginally civil, though one commenter who supports the "responsible disclosure" position saw fit to use insults and similarly fallacious arguments to attack the position of anyone who held a different opinion.

The truth is that, in a different venue and with different goals, "Responsible disclosure and its irresponsible advocates" may well have been written with a far harsher, more direct approach to calling out those who are unable to address the facts of the matter honestly. In short, in another world, it might have been written to bear a striking resemblance to a mailing list message bearing the title "Hyenas of the Security Industry," sent by Bradley Spengler of grsecurity. I discovered this message after having already written about the subject in the "Responsible disclosure and its irresponsible advocates" article, and was surprised by the parallels between Spengler's email and my own article.

Of course, there are some significant differences. Choice of language and a more incendiary tone certainly set Spengler's writing apart from my own in this case. He makes a point of singling out some of the same people for much the same criticisms, however, and, at about 3000 words, his message is longer than I wanted my article to be. For those interested in learning more about the excesses and transgressions of advocates for "responsible disclosure," it is certainly worth the read -- and, regardless of its aggressive style, it is well-researched and well-reasoned. Be warned that in the most strait-laced of environments (where harsh language in reading materials might be forbidden) it could be considered Not Safe For Work.

In other news, there are still more idiotic references to Tavis Ormandy as a "terrorist."

It appears there is something of a one-man campaign to destroy Ormandy's reputation by calling him a "terrorist" in as many ways, and in as many venues, as possible. I have likewise seen this "n3td3v", Andrew Wallace, make that claim elsewhere. What surprises me about it is not that someone is trying to drum up virtual lynch mobs, but that the person has not been more immediately and thoroughly taken to task for such trollish, unreasonable behavior.

As always, the question comes to the TechRepublic community. What are your thoughts?

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

14 comments
Dr_Zinj

A person isn't a terrorist unless they are engaging in behavior of actual or threatened unlawful physical violence with the deliberate intent of causing fear in one or more people for personal or political purposes. Like gay marriage, cyber terrorism is an inappropriately modified term; marriages being between a man and a woman, terrorism requiring physical violence. Although in extreme cases, such as that portrayed in "Live Free or Die Hard", the cyber attacks resulted in physical violence against the nation with the intent to cause fear, and do fit the definition of terrorism, most attacks are less "scary" in their goals.

I am an advocate of "responsible disclosure", and I consider myself to be neither dishonest nor unreasonably credulous. Speaking from a military security perspective (22 yrs active duty), I can tell you that there are times that you need to engage in operational security, to use secrecy to preserve the lives of soldiers and ensure the success of the immediate, on-going mission. Once that mission is accomplished, there's usually no reason for further secrecy. I can also tell you that it is ethically and morally irresponsible, as well as criminally so in the military, to know of severe security vulnerabilities and fail to inform those so vulnerable. It's called hazarding your command. As we drive into the heads of men and women in uniform on a daily basis, security is everyone's responsibility. The users themselves have a responsibility to provide a level of security; a responsibility that it is impossible for them to discharge without knowing about it. Microsoft, or any other developer for that matter, deserves a reasonable period of operational security after discovering a vulnerability to secure the asset.

Since most people who discover vulnerabilities, such as Tavis Ormandy, are pretty good at describing the problem and pointing to where it exists, there is little reason other than apathy, sloth, or disrespect to not have a working fix coded within two weeks. Before that, the hackers will be exploiting the vulnerability and the entire world of users will be at their mercy, unless they are told of the problem. Two weeks, Microsoft. Either do your business, or get off the stinking pot.

TheOnly1

Now I better understand why my pleadings for help, against a comprehensive hacker attack, fell on deaf, condescending ears. They, Microsoft, just don't give a s**t!

WDMilner

I believe one should go to the software developer first. However, should they prove unwilling to address the issue, then as a service to all those at risk the vulnerability should be disclosed (though not necessarily any exploit sample code). The use of the word terrorist has been and will likely continue to be much abused. Its application to anyone whose opinions differ is not only Orwellian but reminiscent of the McCarthy era. As with many such "labelling" campaigns, it says more about the person pointing the finger than those being accused.

Sterling chip Camden

... I favor full disclosure. Vendors have to realize that vulnerabilities can be serious threats to their users, and that obscuring the issue is not a protection. If you can't handle that heat, you'd better leave the software kitchen to a better cook. Oh, and calling someone a terrorist for speaking the truth is certainly heading in an Orwellian direction.

bboyd

Nine or so exploits in Microsoft's hands at zerodayinitiative.com, multiple months and over a year on the list. I like the fact that they strove to actually fix Ormandy's discovered exploit after getting negative press. Seemed to me that disclosure worked. Wish that they and other vendors on the stack of shame would fix things.

RipVan

Well, they do for those involved in politics who are NOT aligned with them, but otherwise, the word is becoming politically incorrect. So the worst we could possibly have here is a "computer caused disaster."

tim

Surely... hyaenae or hyenae... if we are going to be precise about it (though hyenas is a perfectly acceptable option).

shryko

You've just pointed out one of the humorous cases I face daily, as both are valid spellings. They add flavour to our lives, colour to the internet... and divide the world with a "common" language.

Den2010

The fact that more is revealed about the accuser than the accused when someone is labeled a "terrorist" is somewhat irrelevant. Sadly, once the volume level gets cranked up, and once the accusations begin to come thick and fast, the person accused will be damaged, sometimes beyond repair. "Terrorist" has become a meaningless term, because it's been so badly misused. Anyone who attacks something becomes a "terrorist." We used to be a bit more precise in our language; it seems that now we can't afford that luxury. Another sign of educational and social decline, I guess.

seanferd

The constant abuse of words like "terrorist", as well as words that shouldn't even exist (like cyber-war or cyber-anything) is just too much, both within the arena addressed by the article, as well as elsewhere. Just more moral panic-inducing buzzwords. (Yes, I use both "moral panic" and "buzzword" in an exclusively derisive manner.) Not being a tone troll myself, I could easily embellish my words with other words that just aren't appropriate for TR, but may fly elsewhere. Such words may be used in reference to the ideas or their purveyors, but never in the form of argumentum ad hominem, as logical fallacies don't work for me. I know it is really hard for some people to tell the difference, such as those who use the phrase "ad hominem attack" because they wouldn't know what a logical fallacy was if it came up and bit them on their @sses, but it is a clearly defined difference. It is one thing to insult repeatedly sloppy thinking or a bad position, it is another thing to make your case that there is something wrong with a person's thinking or position based on the insults you have chosen to use. It is also something else to disregard a well-reasoned argument because the person putting the argument forward used... florid language without committing a logical fallacy while doing so. Well, that was a bit tangential, but I've had enough of that sort of thing, whether in the hubbub still surrounding Ormandy, or in ninety percent of the other arguments I run across. It is one thing to engage in subjective name-calling, but it is another thing entirely to use words like "terrorist" which have particular connotations and more or less objective denotations. Shenanigans!

Neon Samurai

"let's save the word 'Terrorist' for things that actually are"

Sterling chip Camden

We just change which terms we abuse. "Terrorist" in today's vernacular means the same thing that "enemy of the revolution" meant during the Reign of Terror. It's a convenient label, marking one for extermination.