Topic: Microsoft lashes out at Googler for making Windows vulnerability public (Read 27076 times)

Paul Keith (Member, joined 2008, 1,989 posts)
The disclosure is only the more serious one in my opinion in the sense that it's the more obvious one. (the one that will fundamentally irk those in the know)

The weapon analogy doesn't fit in the context of the linked politics because it's a two way street. That's why for me it's easier to use politics as an example.

If I were to emulate the vitriol and style of all the previous analogies used by some posters, it would be like 9/11 turning into the Iraq War out of changing the severity of the words into Weapons of Mass Destruction.

It's a big jump from this situation but often times, it's easier to see the pattern from a big issue rather than little issues like this that end up contributing later on to a bigger one. In there too, it's not that the outcriers do not have a point especially the knowledgeable outcriers.

...but before that shift or rather during that shift in press conference terms, the whole issue got hijacked and it's not because people were too stupid to not point out how Osama has been replaced with Saddam. The truth is still in there.

But the focus, the importance, the one society needs to hear more or hear less...it's been shifted and once it has shifted because of the right terms, it's over and the only difference is magnitude and topics.


Eóin (Charter Member, joined 2006, 1,401 posts)
Honestly I think all this talk of politics and 'image in the public's eye' is frankly irrelevant. The employee here acted extremely irresponsibly, that much is a fact and therefore 'siding' with Google is a nonsense stance to take.

As for MS not putting the right PR spin on it all, well I see MS calling out the guy for the carelessness of his actions; remember this is all that was actually said:

> This issue was reported to us on June 5th, 2010 by a Google security researcher and then made public less than four days later, on June 9th, 2010. Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk

and damn right I say, that quote sets the record straight. Frankly I can't even follow the politics slant that's being dragged into this discussion.

f0dder (Charter Honorary Member, joined 2005, 9,153 posts) [Well, THAT escalated quickly!]
Well said, Eóin.
- carpe noctem

wraith808 (Supporting Member, joined 2006, 11,186 posts)
+1 Eóin. In the end, the end-users are not techies, and don't know how to even start to do steps for a workaround. No matter what vulnerabilities are found, the end users are the consumers and the risk takers in the end for most of this. And disclosure like this makes the end user more vulnerable, no matter how you spin disclosure. It's sort of like the whole whistleblower thread: disclosure vs responsibility. And in this case, I definitely think responsibility should have won out.

Paul Keith (Member, joined 2008, 1,989 posts)
Quote from: Eóin
> Honestly I think all this talk of politics and 'image in the public's eye' is frankly irrelevant. The employ here acted extremely irresponsibly, that much is a fact and therefore 'siding' with Google is a nonsense stance to take.
>
> As for MS not putting the right PR spin on it all, well I see MS calling out the guy for the carelessness of his actions, remember this is all that was actually said
>
> This issue was reported to us on June 5th, 2010 by a Google security researcher and then made public less than four days later, on June 9th, 2010. Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk
>
> and damn right I say, that quote sets the records straight. Frankly I can't even follow the politics slant that's being dragged into this discussion.

But the thing is, you already made this clear in your previous posts of how much you perceive end users and that's why it's easy to ignore the issue because it's easy to side with what you've already concluded and how much the article affects you initially.

I don't mean to make you sound closed-minded but people don't find politics in politics relevant either as contradictory as this may seem.

The majority of those political bashers of the Iraq War didn't find the "image in the public eye" politics issue that relevant either but in that same context even if they can narrow down and make fun of the change of wording into Weapons of Mass Destruction, they themselves failed to communicate their concern because many of them too could not separate the cultural impact beyond the surface level from the rational points that they possess.

The greatest thing about politics is its ability to confuse what politics is. For example, the constant analogy of a gun or a whistle blower is akin to the initial "knowledgeable" protest of how the American government should approach their "retaliation of the terrorists".

And then later on when the problem builds up or becomes serious enough, then we get back to the stupidity of the masses for getting tricked or how the end users are not techies therefore we techies have a right to have our say but the majority of them are irrelevant because they don't even know how to provide a workaround.

Like I said, this issue has already been hijacked and at this point, this topic is old news by Internet terms but I just want to use these past examples to at least emphasize the point on why politics is just as much a relevant issue in a frank straight shooter manner.

You techies (I can't include myself because I don't have this knowledge. I just understood the urgency because of lurking at forums like this) You techies are not immune to politics. I don't mean to lump you all into one or claim you ever stated you were immune but because of the focus of your knowledge, it's easier to claim your outcries as relevant but as history showed, you guys were neither able to stop FUD or EEE. You were just able to understand it more and popularize perhaps the acronyms.

But regardless of your knowledge, you were no different in the clog of culture. Sometimes you even show that hint of your helplessness by resorting to how Windows taught/promoted end-users to be dumb and yet as a group, you couldn't penetrate through end-users beyond a guide because you too pushed them away as irrelevant when things were easier to set aside.

The idea that some if not many of you think the politics is irrelevant is not new. Again, I want to emphasize that I don't know better than techies or that I'm writing this to convince anyone that my stance is the correct one.

I write this because sometimes the pattern is covered in cultural difference. Sometimes you even provide the key word:

Quote from: Eóin
> Frankly I can't even follow the politics slant that's being dragged into this discussion.


In the end, it's not like I've stated anything new. If I did, I'd have been able to do a much better job at relating my concern. What I just wanted to emphasize about this reply is that techies do not immediately equal higher resistance to being swept by PR. You can even remove politics in that. I originally just used that as an extreme analogy. If there's a word I'd rather focus on it's cultural gap.

Cultural gap at least implies two or more sides are affected by each other and it's not an issue of just one side affecting another side. It is only analogous to the public eye image in the sense that it's out there online. However techies are still no different from the public in this case because unless you're directly involved in the incident, in the end your reactions are really no different from some end user reacting only you both may have possibly different perspectives on the issue because of your difference in knowledge but even if you end up with the same perspective, that's not really the point unless you can re-focus on what it means for Microsoft to be sincere about improving their security image beyond just those that would satisfy either or more party.

Paul Keith (Member, joined 2008, 1,989 posts)
"If they can get you asking the wrong questions, they don't have to worry about the answers."


Sorry about adding this semi-irrelevant quote. I originally wanted to add this in one of my earlier replies as a short succinct reply but I just couldn't remember the right quote until I eventually found it on PopUp Wisdom.

Set aside politics, set aside the idea that I'm trying to convince anyone, set aside the security issues and this is the only idea I want people to consider with my long replies. I know it's not exactly applicable to the thread especially the latter half of the quote but this is the shortest version I can think of as to why I hold my stance.

« Last Edit: June 14, 2010, 02:10 PM by Paul Keith »

Stoic Joker (Honorary Member, joined 2008, 6,646 posts)
Politics is the art of lying.

Technology is Science, not art.

We are the Peers Google's Jury is made of.

+1 for Eóin.

Paul Keith (Member, joined 2008, 1,989 posts)
err... sorry Stoic, you didn't really provide enough details to discuss.

For one thing, politics as the art of lying is very akin to equating technology with art. (or at least what little I understand of how you phrase it but apparently you seem to view technology as art as invalid while technology as science as valid so it's an easy analogy to show how confusing if not invalid your usage or focus on politics is. Not that modern politics isn't stereotyped as deceiving people but the art of lying...it's just...???)

The whole thing with peers, jury and Google... I mean no offense but to borrow Renegade's words, there's something way off base with your entire post except for the +1 for Eóin.

Renegade (Charter Member, joined 2005, 13,288 posts) Tell me something you don't know...
Quote from: Stoic Joker
> Technology is Science, not art.

Just to go randomly off the rails here... ;)

Actually, I find that a lot of tech is art. I find that a lot of what I do is art. It might all be tech, but there's structure and elegance in there. I suppose the best sort of analogy is that tech is often like a fugue or canon as they have structure and a mathematical elegance.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

JavaJones (Review 2.0 Designer, Charter Member, joined 2005, 2,739 posts)
Evidently Ormandy was negotiating with MS for a patch release schedule and published only after he felt that negotiations were not being productive. His tweet about this is here: http://twitter.com/t...o/status/16005411316
And an article with a quote confirming this from Microsoft here: http://www.computerw...y_Microsoft_confirms
> Microsoft confirmed that its security team had discussed a patch schedule with Ormandy.
>
> "We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week," said Bryant. "We were surprised by the public release of details on the 9th."

My sense that Ormandy was not so clearly "wrong, wrong wrong!" continues...

- Oshyan

wraith808 (Supporting Member, joined 2006, 11,186 posts)
Quote from: JavaJones
> Evidently Ormandy was negotiating with MS for a patch release schedule and published only after he felt that negotiations were not being productive. His tweet about this is here: http://twitter.com/t...o/status/16005411316
> And an article with a quote confirming this from Microsoft here: http://www.computerw...y_Microsoft_confirms
> Microsoft confirmed that its security team had discussed a patch schedule with Ormandy.
>
> "We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week," said Bryant. "We were surprised by the public release of details on the 9th."
>
> My sense that Ormandy was not so clearly "wrong, wrong wrong!" continues...

Why? He communicated to them, and they didn't give him an immediate answer that they wanted, so he released it. How does this change anything? He couldn't wait until the end of the week?

Quote from: Renegade
> Quote from: Stoic Joker
> > Technology is Science, not art.
>
> Just to go randomly off the rails here... ;)
>
> Actually, I find that a lot of tech is art. I find that a lot of what I do is art. It might all be tech, but there's structure and elegance in there. I suppose the best sort of analogy is that tech is often like a fugue or canon as they have structure and a mathematical elegance.

I also find that what I do is an art form. Science is reproducible in the same way by anyone given the same conditions and the same desired result. As you get into more advanced programming, not so much. Each programmer leaves his own signature on his code; I don't know that you do the same when dealing with pure science.
« Last Edit: June 15, 2010, 09:57 PM by wraith808 »

JavaJones (Review 2.0 Designer, Charter Member, joined 2005, 2,739 posts)
He communicated with them *for 5 days*, and they weren't playing ball, which if you look around is a fairly common story with MS and security researchers, especially smaller/independent ones that don't represent someone like Secunia, Sophos, etc. I'm not saying he's right or MS is wrong, just that it's not so clear cut as you and some others seem to feel. But then I'm completely on the opposite side of the "government secrets" debate too, hehe.

- Oshyan

wraith808 (Supporting Member, joined 2006, 11,186 posts)
Quote from: JavaJones
> He communicated with them *for 5 days*, and they weren't playing ball, which if you look around is a fairly common story with MS and security researchers, especially smaller/independent ones that don't represent someone like Secunia, Sophos, etc. I'm not saying he's right or MS is wrong, just that it's not so clear cut as you and some others seem to feel. But then I'm completely on the opposite side of the "government secrets" debate too, hehe.

He communicated with them for 5 days... on and off I'm sure, i.e. 5 days elapsed. So actually 3 days, since they said they last communicated with him on the 7th and he released on the 9th. On the 7th, they said that they'd know about their release schedule at the end of the week, i.e. the 11th. Just because they wouldn't give him what he wanted on his terms, i.e. tell me that it's going to be released on my timetable now without even looking at the problem, he released it. And why release the exploit code in such detail? Why not release news of the exploit, then if they didn't come to the table if they were indeed not playing ball, he could release the exploit after giving them time? That's the part that *is* clear cut. He released the exploit *code* into the wild and someone apparently used *his* code to craft a drive-by. How is that *ever* right?

Renegade (Charter Member, joined 2005, 13,288 posts) Tell me something you don't know...
Quote from: wraith808
> Quote from: JavaJones
> > He communicated with them *for 5 days*, and they weren't playing ball, which if you look around is a fairly common story with MS and security researchers, especially smaller/independent ones that don't represent someone like Secunia, Sophos, etc. I'm not saying he's right or MS is wrong, just that it's not so clear cut as you and some others seem to feel. But then I'm completely on the opposite side of the "government secrets" debate too, hehe.
>
> He communicated with them for 5 days... on and off I'm sure, i.e. 5 days elapsed. So actually 3 days, since they said they last communicated with him on the 7th and he released on the 9th. On the 7th, they said that they'd know about their release schedule at the end of the week, i.e. the 11th. Just because they wouldn't give him what he wanted on his terms, i.e. tell me that it's going to be released on my timetable now without even looking at the problem, he released it. And why release the exploit code in such detail? Why not release news of the exploit, then if they didn't come to the table if they were indeed not playing ball, he could release the exploit after giving them time? That's the part that *is* clear cut. He released the exploit *code* into the wild and someone apparently used *his* code to craft a drive-by. How is that *ever* right?

iz rite 'cauz M$ windoze iz teh d3v!L

You're perfectly right all the way through.

To figure out a schedule can take time, and a few days isn't a big deal, unless you want to use it as an excuse to be malicious. (Nice for pointing out 3 days there.)

And releasing exploit code? That is very very very far off the beaten path. It's PURELY MALICIOUS and has zero legitimate reasons. Flat out, he wanted to do as much damage as possible. He acted maliciously. In no way can he remotely claim that it was anything to do with security -- it was a simple blackhat, malicious act. Period.

Now, I'm just wondering how long it will be before companies start prosecuting people for releasing exploit code. Because you KNOW that if it were Apple, his house would be raided, he'd be in jail, and there'd be lawsuits that would have his great-great grandchildren sold into slavery.
Slow Down Music - Where I commit thought crimes...

Freedom is the right to be wrong, not the right to do wrong. - John Diefenbaker

JavaJones (Review 2.0 Designer, Charter Member, joined 2005, 2,739 posts)
Boy, you guys sure have a lot of certainty at arm's length (or more). I'm afraid I can't compete with that kind of clarity of vision. But the release of demo exploit code is far from unprecedented...

- Oshyan

wraith808 (Supporting Member, joined 2006, 11,186 posts)
Quote from: JavaJones
> Boy, you guys sure have a lot of certainty at arm's length (or more). I'm afraid I can't compete with that kind of clarity of vision. But the release of demo exploit code is far from unprecedented...

No, not unprecedented. Not clarity of vision nor certainty on the actual discussions or conversations either.

But the 5 days to release an exploit is the part I'm having a hard time with. Can you give *any* circumstances where it's OK to release actual working exploit code after 5 days notice?

Let's err on his side.
1. I find an exploit.
2. I contact MS.
3. They're complete and utter douches and won't work with me at all nor give me the time of day.
4. I release exploit code after 5 days.

Even in *that* case, where is the justification for releasing *working* exploit code into the wild?

40hz (Supporting Member, joined 2007, 11,857 posts)
+1

Again, all he had to do was release his findings to one or two watchdog organizations - or go public with his findings, but without releasing specifics or the code - and wheels would have been set in motion such that it would have been impossible for Microsoft to ignore the problem.

Unfortunately, his little snit with Microsoft now has the potential to become a problem for millions of Windows users worldwide.

You can slice and dice it from here till next December, split philosophical hairs and argue politics and business until you run out of breath. But at the end of the day, it still remains that it was a very (dare I say criminally?) irresponsible thing to do.

And considering he did so knowing there was no available fix to prevent it, I'm not 100% sure there aren't legal consequences as well.

« Last Edit: June 16, 2010, 09:28 AM by 40hz »

steeladept (Supporting Member, joined 2006, 1,061 posts)
Quote from: JavaJones
> But the release of demo exploit code is far from unprecedented...

Yes, but it is then considered "hackers" or others that exploit it, rather than "white-hatters" who release the demo AFTER it has been patched or the company has been given months to respond with no response.

Quote from: Paul Keith
> "If they can get you asking the wrong questions, they don't have to worry about the answers."

Paul, I have read this entire thread several times, and what I get out of this is, "Ignore what the guy did, ignore Google, and focus on why Microsoft isn't fixing the problem!" Am I right here? Under the assumption that I am, I am going to ask you: How can they fix it if they only recently learned of it? If they don't respond, everyone and their brother will assume they knew about it for months and are just the same old "we will fix it when it becomes an issue" instead of being proactive. Yes, this is an issue, but I agree with most others here that the "Hacker" who released it is the bigger problem and issue in this case. Microsoft, I am sure, has people working feverishly on this, but there are others that MUST respond to this so all know that they were working in good faith (even if the extent of that is debatable) and the Google employee, with or without Google condoning his act, acted at best irresponsibly and at worst, maliciously.

steeladept (Supporting Member, joined 2006, 1,061 posts)
Quote from: 40hz
> And considering he did so knowing there was no available fix to prevent it, I'm not 100% sure there aren't legal consequences as well.

That is something I would like to see actually occur, independent of the outcome (guilty or innocent). Maybe that would finally be a wake-up call to some.

f0dder (Charter Honorary Member, joined 2005, 9,153 posts) [Well, THAT escalated quickly!]
First of all: if he's been in contact with MS and chose to release exploit code within a week... then he really deserves to be slapped around. Releasing exploit details is something you do either
1) after patches have been made public and have had time to be rolled out, or
2) if the organization has been ignoring you for "long enough" (which is definitely more than a couple of weeks).

When an exploit is reported, the company needs to investigate it, which includes being able to reproduce it reliably and finding a bugfix. Then that bugfix has to be tested thoroughly before a patch can be rolled out. Going public with exploit details within a week? Christ.
- carpe noctem

JavaJones (Review 2.0 Designer, Charter Member, joined 2005, 2,739 posts)
I'm not suggesting that he did nothing wrong by any means. I just felt like the castigation of Google was rather far off the mark, and that the whole situation was being seen in rather black and white terms. Try this on for size:

1: Google may or may not have had any involvement; in the absence of compelling evidence to prove its involvement, let's assume none. It's only sensible.

2: A security researcher who is an employee of Google found a flaw in Windows, supposedly on his own time and for his own reasons. He contacted MS who reacted slowly so he got frustrated and made an error in judgment by releasing not just word of the exploit, but demo code as well. Perhaps part of the reason he released demo code was out of frustration for not being taken seriously (i.e. "Don't believe me? Well here it is, it's a real problem. Deal with it"), but that's not a good excuse, and he should not have released actionable code.

3: Microsoft is responsible for a bad bug in their code, one which has been reported previously in other variations and incarnations, going years back (if you believe the Slashdot discussions on the issue). They are also notorious douches, and tend not to "play ball" with security researchers unless they're well known or represent big companies. Microsoft needs to act quicker and be less prejudiced when dealing with reported security flaws.

Does that sound like a balanced view? It does to me.

- Oshyan

wraith808 (Supporting Member, joined 2006, 11,186 posts)
Quote from: JavaJones
> ...He contacted MS who reacted slowly...

Five Three Days. Now that we're to the "it's MS's bug and he made an error in judgement" phase, how is 3 days slowly?

Eóin (Charter Member, joined 2006, 1,401 posts)
Let's not forget what happened when MS put out a faulty patch recently which had people screaming for blood over the inconvenience it caused. Patching holes is not necessarily a simple matter, I imagine testing a patch is enormously complicated.

Rushing out a patch for an exploit not already in the wild would have been irresponsible on MS's part.

40hz (Supporting Member, joined 2007, 11,857 posts)
FWIW I doubt very much that Google had much (if anything) to do with what went down.

I think you just had a researcher in Google forget that the rest of the world doesn't operate the way things do inside his company's research department. Especially when it's a company where people are allowed to "run and play" and the open sharing of information and code is the norm. Or at least it is on the "inside."

To my mind, there's nothing intrinsically wrong with living in an ivory tower. Just don't go dumping a chamber pot over the parapet and then expect whoever gets hit not to be upset about it.

« Last Edit: June 16, 2010, 02:06 PM by 40hz »

40hz (Supporting Member, joined 2007, 11,857 posts)
Quote from: Eóin
> Rushing out a patch for an exploit not already in the wild would have been irresponsible on MS's part.

And ironically enough, Microsoft is very likely feeling pressure to rush the patch now that the code is out in the wild. It's become a race between them and the people that will try to take advantage of this vulnerability.

So how again did Tavis Ormandy make things better for everybody by doing what he did?

I think I missed that memo.

--------------

P.S. I think Google is only biding its time and letting the dust settle before they hand Tavis Ormandy his walking papers. To paraphrase The Godfather: Keep your friends close, and keep employees that did something which might get you hauled into court even closer.
« Last Edit: June 16, 2010, 02:16 PM by 40hz »