
Microsoft lashes out at Googler for making Windows vulnerability public

wraith808:
Evidently Ormandy was negotiating with MS for a patch release schedule and published only after he felt that negotiations were not being productive. His tweet about this is here: http://twitter.com/taviso/status/16005411316
And an article with a quote confirming this from Microsoft here: http://www.computerworld.com/s/article/9178084/Hackers_exploit_Windows_XP_zero_day_Microsoft_confirms
Microsoft confirmed that its security team had discussed a patch schedule with Ormandy.

"We were in the early phases of the investigation and communicated [to him] on 6/7 that we would not know what our release schedule would be until the end of the week," said Bryant. "We were surprised by the public release of details on the 9th."
--- End quote ---

My sense that Ormandy was not so clearly "wrong, wrong wrong!" continues...
-JavaJones (June 15, 2010, 09:47 PM)
--- End quote ---

Why?  He communicated to them, and they didn't give him an immediate answer that they wanted, so he released it.  How does this change anything?  He couldn't wait until the end of the week?

Technology is Science, not art.
-Stoic Joker (June 14, 2010, 02:11 PM)
--- End quote ---

Just to go randomly off the rails here... ;)

Actually, I find that a lot of tech is art. I find that a lot of what I do is art. It might all be tech, but there's structure and elegance in there. I suppose the best sort of analogy is that tech is often like a fugue or canon as they have structure and a mathematical elegance.
-Renegade (June 14, 2010, 06:01 PM)
--- End quote ---

I also find that what I do is an art form.  Science is reproducible in the same way by anyone given the same conditions and the same desired result.  As you get into more advanced programming- not so much.  Each programmer leaves his own signature on his code- I don't know that you do the same when dealing with pure science.

JavaJones:
He communicated with them *for 5 days*, and they weren't playing ball, which if you look around is a fairly common story with MS and security researchers, especially smaller/independent ones that don't represent someone like Secunia, Sophos, etc. I'm not saying he's right or MS is wrong, just that it's not so clear cut as you and some others seem to feel. But then I'm completely on the opposite side of the "government secrets" debate too, hehe.

- Oshyan

wraith808:
He communicated with them *for 5 days*, and they weren't playing ball, which if you look around is a fairly common story with MS and security researchers, especially smaller/independent ones that don't represent someone like Secunia, Sophos, etc. I'm not saying he's right or MS is wrong, just that it's not so clear cut as you and some others seem to feel. But then I'm completely on the opposite side of the "government secrets" debate too, hehe.
-JavaJones (June 15, 2010, 10:11 PM)
--- End quote ---

He communicated with them for 5 days... on and off I'm sure, i.e. 5 days elapsed.  So actually 3 days, since they said they last communicated with him on the 7th and he released on the 9th.  On the 7th, they said that they'd know about their release schedule at the end of the week, i.e. the 11th.  Just because they wouldn't give him what he wanted on his terms, i.e. tell me that it's going to be released on my timetable now without even looking at the problem, he released it.  And why release the exploit code in such detail?  Why not release news of the exploit, then if they didn't come to the table if they were indeed not playing ball, he could release the exploit after giving them time?  That's the part that *is* clear cut.  He released the exploit *code* into the wild and someone apparently used *his* code to craft a drive-by.  How is that *ever* right?

Renegade:
He communicated with them *for 5 days*, and they weren't playing ball, which if you look around is a fairly common story with MS and security researchers, especially smaller/independent ones that don't represent someone like Secunia, Sophos, etc. I'm not saying he's right or MS is wrong, just that it's not so clear cut as you and some others seem to feel. But then I'm completely on the opposite side of the "government secrets" debate too, hehe.
-JavaJones (June 15, 2010, 10:11 PM)
--- End quote ---

He communicated with them for 5 days... on and off I'm sure, i.e. 5 days elapsed.  So actually 3 days, since they said they last communicated with him on the 7th and he released on the 9th.  On the 7th, they said that they'd know about their release schedule at the end of the week, i.e. the 11th.  Just because they wouldn't give him what he wanted on his terms, i.e. tell me that it's going to be released on my timetable now without even looking at the problem, he released it.  And why release the exploit code in such detail?  Why not release news of the exploit, then if they didn't come to the table if they were indeed not playing ball, he could release the exploit after giving them time?  That's the part that *is* clear cut.  He released the exploit *code* into the wild and someone apparently used *his* code to craft a drive-by.  How is that *ever* right?
-wraith808 (June 15, 2010, 10:58 PM)
--- End quote ---

iz rite 'cauz M$ windoze iz teh d3v!L

You're perfectly right all the way through.

To figure out a schedule can take time, and a few days isn't a big deal, unless you want to use it as an excuse to be malicious. (Nice for pointing out 3 days there.)

And releasing exploit code? That is very very very far off the beaten path. It's PURELY MALICIOUS and has zero legitimate reasons. Flat out, he wanted to do as much damage as possible. He acted maliciously. In no way can he remotely claim that it was anything to do with security -- it was a simple blackhat, malicious act. Period.

Now, I'm just wondering how long it will be before companies start prosecuting people for releasing exploit code. Because you KNOW that if it were Apple, his house would be raided, he'd be in jail, and there'd be lawsuits that would have his great-great-grandchildren sold into slavery.

JavaJones:
Boy, you guys sure have a lot of certainty at arm's length (or more). I'm afraid I can't compete with that kind of clarity of vision. But the release of demo exploit code is far from unprecedented...

- Oshyan
