Topic: Microsoft lashes out at Googler for making Windows vulnerability public (Read 30334 times)

wraith808
P.S. I think Google is only biding its time and letting the dust settle before they hand Tavis Ormandy his walking papers. To paraphrase The Godfather: Keep your friends close, and keep employees that did something which might get you hauled into court even closer.

You think they'll hand him his walking papers on something like this?  I for one, never associated his actions with Google other than peripherally, and didn't realize that so many people bought into the conspiracy theory surrounding that association.

f0dder
Five Three Days.  Now that we're to the "it's MS's bug and he made an error in judgement" phase, how is 3 days slowly?
+1

Let's not forget what happened when MS put out a faulty patch recently which had people screaming for blood over the inconvenience it caused. Patching holes is not necessarily a simple matter, I imagine testing a patch is enormously complicated.

Rushing out a patch for an exploit not already in the wild would have been irresponsible on MS's part.
+1. Btw, was that the problematic patch that turned out not to be MS's fault, but a piece of nasty malware causing the BSODs? Or was that another incident? :)
- carpe noctem

Eóin
Yep it's that one.

I suppose I should add for clarity's sake: I'm not suggesting that patch was rushed, I've no idea if it was or not. But it's a good example of people's reaction when a patch itself goes wrong.

Paul Keith
Paul, I have read this entire thread several times, and what I get out of this is, "Ignore what the guy did, ignore Google, and focus on why Microsoft isn't fixing the problem!"  Am I right here?  Under the assumption that I am, I am going to ask you:  How can they fix it if they only recently learned of it?  If they don't respond, everyone and their brother will assume they knew about it for months and are just the same old "we will fix it when it becomes an issue" instead of being proactive.  Yes, this is an issue, but I agree with most others here that the "Hacker" who released it is the bigger problem and issue in this case.  Microsoft, I am sure, has people working feverishly on this, but there are others that MUST respond to this so all know that they were working in good faith (even if the extent of that is debatable) and the Google employee, with or without Google condoning his act, acted at best irresponsibly and at worst, maliciously.
-steeladept

Sorry steel, you are mistaken there.

If I ever gave you the impression that Google needs to be ignored, it is only in the context of separating who Google is from what Google has done, and that's only for those who have already fallen to the Google vs. Microsoft line of argument.

Again in the context of analogical hyperbole, it would be like having someone from either the Left or Right reveal a false flag operation to help reduce any modern day American pseudo-war, pseudo-imperialism efforts and then having their actions vilified because it was illegal and risked the lives of many soldiers, and then the entire public outcry is all about how that person (whichever his affiliation) becomes a case of Right vs. Left and which side was wrong or right.

My reply would then be tantamount to saying to those people: "We should lessen our focus on the illegality or affiliation the whistleblower represents and focus just as much on how, even when it was revealed, our government remains vigilant in selling us propaganda and keeping us distracted from the core issue or, even worse, forces us to argue against our own biases rather than making us aware of how, even though several administrations have ended the war, they are still trying to create a new one even as they have not yet totally washed their hands of their previous bloody history."

As far as "why isn't Microsoft fixing the problem?", that was a non-relevant issue to me as the original article didn't really hint at that one way or another. However, I don't really see why Microsoft wouldn't fix the problem. Even if they aren't focusing on security nowadays, news of this just makes them look worse, especially after the statement has diluted the point of how some people may be exasperated by their past history. To me, it's a clear necessity from all sides that they should fix the issue.

« Last Edit: June 16, 2010, 05:26 PM by Paul Keith »

Renegade
Boy, you guys sure have a lot of certainty at arm's length (or more). I'm afraid I can't compete with that kind of clarity of vision. But the release of demo exploit code is far from unprecedented...

No, not unprecedented.  Not clarity of vision nor certainty on the actual discussions or conversations either.

But the 5 days to release an exploit is the part I'm having a hard time with.  Can you give *any* circumstances where it's OK to release actual working exploit code after 5 days notice?

Let's err on his side.
1. I find an exploit.
2. I contact MS.
3. They're complete and utter douches and won't work with me at all nor give me the time of day.
4. I release exploit code after 5 days.

Even in *that* case, where is the justification for releasing *working* exploit code into the wild?

+1 for that. (See below for "justification".)

+1

Again, all he had to do was release his findings to one or two watchdog organizations - or go public with his findings, but without releasing specifics or the code - and wheels would have been set in motion such that it would have been impossible for Microsoft to ignore the problem.

Unfortunately, his little snit with Microsoft now has the potential to become a problem for millions of Windows users worldwide.

You can slice and dice it from here till next December, split philosophical hairs and argue politics and business until you run out of breath. But at the end of the day, it still remains that it was a very (dare I say criminally?) irresponsible thing to do.

And considering he did so knowing there was no available fix to prevent it, I'm not 100% sure there aren't legal consequences as well.

+1 again.

As for criminally, thank-you for bringing that up. While it may or may not be criminal, I think that in the future we'll see legislation making it illegal. At a minimum, it is reckless with serious consequences.

First of all: if he's been in contact with MS and chose to release exploit code within a week... then he really deserves to be slapped around. Releasing exploit details is something you do either
1) after patches have been made public and have had time to be rolled out, or
2) if the organization has been ignoring you for "long enough" (which is definitely more than a couple of weeks).

When an exploit is reported, the company needs to investigate it, which includes being able to reproduce it reliably and finding a bugfix. Then that bugfix has to be tested thoroughly before a patch can be rolled out. Going public with exploit details within a week? Christ.

You forgot the cases where you do it because:

1) You want to embarrass the manufacturer
2) You want to cause maximum damage

:D

I'm not suggesting that he did nothing wrong by any means. I just felt like the castigation of Google was rather far off the mark, and that the whole situation was being seen in rather black and white terms. Try this on for size:

1: Google may or may not have had any involvement; in the absence of compelling evidence to prove its involvement, let's assume none. It's only sensible.

2: A security researcher who is an employee of Google found a flaw in Windows, supposedly on his own time and for his own reasons. He contacted MS, who reacted slowly, so he got frustrated and made an error in judgment by releasing not just word of the exploit, but demo code as well. Perhaps part of the reason he released demo code was out of frustration for not being taken seriously (i.e. "Don't believe me? Well here it is, it's a real problem. Deal with it"), but that's not a good excuse, and he should not have released actionable code.

3: Microsoft is responsible for a bad bug in their code, one which has been reported previously in other variations and incarnations, going years back (if you believe the Slashdot discussions on the issue). They are also notorious douches, and tend not to "play ball" with security researchers unless they're well known or represent big companies. Microsoft needs to act quicker and be less prejudiced when dealing with reported security flaws.

Does that sound like a balanced view? It does to me.

- Oshyan

1 - I'm not so sure. The recent press on Google abandoning Windows because of "security" just seems too timely. This stinks, and I wouldn't rule out Google involvement. How would you do it? You have to have a "lone wolf" to hang out to dry if things go south.

2 - Agreed.

3 - I wouldn't put much faith in Slashdot. It's full of radicals and lunatics. But yes, MS is responsible for having a bug.

FWIW I doubt very much that Google had much (if anything) to do with what went down.

I think you just had a researcher in Google forget that the rest of the world doesn't operate the way things do inside his company's research department. Especially when it's a company where people are allowed to "run and play" and the open sharing of information and code is the norm. Or at least it is on the "inside."

To my mind, there's nothing intrinsically wrong with living in an ivory tower. Just don't go dumping a chamber pot over the parapet and then expect whoever gets hit not to be upset about it.

+1 and well put. (I like the chamber pot example.) :)
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

wraith808
More information on the exploit from Tom's...

http://www.tgdaily.c...ro-day-vulnerability

Renegade
Yikes... Quoting a Sophos researcher in that article:

"So my question to Mr Ormandy is this - do you feel proud of your behavior? Do you think that you have helped raise security on the Internet? Or did you put your vanity ahead of others' safety?"
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker