Ormandy / Google: How Close is Too Close?

By June 18, 2010

Supporters of Tavis Ormandy believe that his decision to spoon-feed attackers a play-by-play exploit to infect your computers was justified. And they're upset with what they deem bad press. Here are the two primary beefs they have:

1. Microsoft refused to give in to Tavis' demand to set their development schedule.

Rebuttal: Microsoft has customers and shareholders to whom it must answer. Had Tavis followed the normal disclosure procedure, he would have stated his timeframe and then released only after (and only if) the vendor, in this case Microsoft, missed the deadline. The vendor doesn't agree or disagree with the timeline; it still gets to set its own development schedule. 45 to 60 days' warning is the norm. Not 4 or 5 days, and certainly not 2 working days.

This balance is practiced in both full and responsible disclosure by the majority of legitimate security researchers. This balance gives the vendor time to fully research the issue and the exploit is kept out of the hands of attackers for a pre-determined period of time. In the interim, users are kept out of the line of fire. Microsoft didn't fail here; Tavis did.

2. Journalists are calling out Google in their articles.

Rebuttal: Like it or not, Tavis IS a Google employee. A member of the Google security team no less. His efforts to create and irresponsibly disclose attacks that are used on innocent people (most of whom are Google users in one way or another) DO reflect (very poorly) on his employer. And it's certainly not as if Google could have been unaware of his background when they hired him.

Tavis' exploit writing began around 2004. He became an intern for Google in June 2006 after which, at some point, he became a full-time employee on the Google security team. It seems unlikely Google was not aware of his actions. After all, in Tavis' own words, here are the things he is most proud of:

"The vulnerabilities I'm most proud of are probably my attack against gpg signed messages, and my zlib heap overflow vulnerability."

"Although it's not widely known I was responsible, I discovered both of the libtiff vulnerabilities that ultimately led to the execution of unsigned code on the sony psp and the apple iphone."

As an aside, let me just point out that these comments make it readily apparent that Tavis is fully, completely aware of the ramifications of releasing exploit code. He himself refers to them as attacks and acknowledges they are used against innocent users.

The longer Tavis works at Google, the worse he becomes. In the beginning, or at least when he confined his exploit writing to his pet open source projects, he did practice responsible disclosure. Here's an example comment from one of his earlier efforts in 2006:

-------------------------------------------------------
Tavis Ormandy again poked on gpg and found this vulnerability.

The new version has been released yesterday and should by now be
available on all mirrors.

-------------------------------------------------------

Note that he posted the exploit only after a patch had been provided. This demonstrates that Tavis is fully accepting and understanding of responsible disclosure when it suits him.

Tavis didn't start delving into Windows until after October 2008, two years after starting work for Google. Based on how/where some of those were published, it looks as if he may have been double-dipping, engineering exploits while employed by Google and then selling them to exploit-for-hire consultancies. No complaints there though, as at least that kept them out of harm's way.

His power play (demanding xx response in xx time) - which is at the heart of this controversy - doesn't seem to have started until much more recently, after he graduated to bigger fish like Microsoft and Sun.

Remember, he did pretty much the same thing with Sun over the April 2010 Javaws exploit. Same consequences too - he gave Sun only a few days, after which he rushed to publish a ready-made exploit. And a few days later innocent Web surfers started getting screwed. Just like this time around with Microsoft. The only constant in both attacks has been Tavis Ormandy.

When you look at this pattern, it's pretty hard to understand Tavis or his defenders. What we have is a guy who discloses responsibly when he feels like it, (i.e. it's a company he likes or it's too small to get him any publicity), but irresponsibly discloses when it's a company he doesn't like (or is big enough to gain him wide publicity).

And for most of this time, he's been employed by Google, either as an intern or as a full-time member of their security team. Meanwhile, Google stands idly by and does nothing. And Tavis just keeps getting worse. It's pretty hard not to question whether there's a link. Is this behavior he's learning as he goes along, as a Google employee? You know, do no evil. Except when it involves the mass Internet population and a major competitor.

Tavis keeps an up-to-date list of his exploit writing, should you wish to check out this pattern yourself.

Comments
June 18, 2010 at 5:57 am
(1) Anon says:

I fail to see why you cannot understand his reasoning. It is called lulz. Apparently, he is part of the hackers on steroids community known as Anon. Google is smart to have hired him as an ally rather than allowed him to develop as a foe. Microsoft should appreciate that he gave them a notice at all and simply did not release the code into the wild as soon as he found it.

June 30, 2010 at 5:42 pm
(2) Brad Spengler says:

How about some full disclosure?

From your bio:
“Also in 2009, Mary was awarded a Microsoft MVP for her work in consumer security.”

You’re a fool if you think letting a company sit on a long-standing vulnerability for 2 months when they’ve said they won’t release a fix by that time is better than releasing the vulnerability information after being told the fix won’t be available. Letting a company sit on a vulnerability being exploited in the wild for as long as they want is neither ethical nor responsible.

Does Microsoft give you anything else other than an MVP award for shilling for them?

June 30, 2010 at 5:57 pm
(3) Brad Spengler says:

As for the rest of your “detective work,” that’s quite a conspiracy you’ve concocted. Clearly the only explanation is that Tavis goes crazy 1 time out of 10 when disclosing a vulnerability to a major vendor. And yes, this only started happening once he started finding vulnerabilities in software from large companies — the pattern is so clear!

It obviously could have nothing to do with the fact that the authors of:
gzip
libtiff
gdb
prozilla
busybox
xli
xv
imagemagick
monkey
openssl
openssh
junkbuster
xloadimage
gnupg
netbsd
ncompress
lha
gas
libpng
glibc
pcre
bochs
thttpd
perl
linux
systrace
binutils
(the list goes on, all open source software BTW)
don’t find it ethical or responsible to leave their software vulnerable for 9 months to a reported vulnerability.

The pattern I see is of someone who is actually concerned about security, instead of protecting the illusion of it for a particular company at the expense of its users.

Your current employer is Cisco — they always do find creative ways to be hostile to security researchers, don’t they? Your readers will remember Ciscogate from 2005:
http://www.wired.com/science/discoveries/news/2005/08/68435

June 30, 2010 at 6:31 pm
(4) Ρωχαμης says:

“And it’s certainly not as if Google could have been unaware of his background when they hired him.” <– Once again, the tired old “3v1l background vs respectable pro” argument. Tavis’ background is exemplary; he researched quite a few vulnerabilities, which means he is invaluable as a member of ANY competent security team (sorry, that excludes the “clickjacking experts” or CEH/Security+ “experts”).

“And a few days later innocent Web surfers started getting screwed. Just like this time around with Microsoft.” <– Once again, sensationalist journalism of little value.

Can you please provide some proof of Tavis SELLING exploit code to “exploit-for-hire” consultancies (if such a thing exists)?

“And a few days later innocent Web surfers started getting screwed. Just like this time around with Microsoft.” <– this is not 1996, with people connecting using 33.6K modems and leaving ports open. Both of these attacks are easily mitigated, to say the least.

July 1, 2010 at 3:34 am
(5) Blank says:

Sorry, I realize you’re not a real journalist, but could you substantiate or at least clarify the following claim:

“Based on how/where some of those were published, it looks as if he may have been double-dipping, engineering exploits while employed by Google and then selling them to exploit-for-hire consultancies.”

This seems more like a loose ended attack than rigorous analysis.

I’m looking forward to your reply.

July 1, 2010 at 3:10 pm
(6) Mary Landesman says:

Brad, an MVP award simply recognizes someone’s work in a particular discipline, in my case for my work in helping to educate users about computer security. If you really want your tinfoil hat to go all shiny, I also used to be a Microsoft employee.

Neither of those have kept me from calling out Microsoft when I think they’ve done something wrong. Nor does it influence my calling out anyone else if I think they’ve done something counter to users’ best interests.

Blank et al, regarding the “Based on how/where…” comment, there’s nothing in that statement that says it is a definite. If you follow the link and look through where some of the exploits were originally published, some were published by companies engaged in exploit-for-hire payments. Is that proof Tavis has sold exploits? Absolutely not. But it does raise the possibility, which is what that statement questions.

July 2, 2010 at 9:31 am
(7) Brad Spengler says:

Can you direct me to a post of yours where you attack Microsoft with as much disrespect as you have this security researcher? Specifically, have you created three separate posts about how Microsoft sitting on a high importance vulnerability for 2 years without a fix is incredibly damaging to the real security of users? Or are you only interested in the appearance of security?

I’ve followed the link, and I don’t see any of this evidence you claim. How about giving us specific links? Some of the CVEs referenced cover multiple vulnerabilities — Tavis is mentioned at times in these references separately from the discoverers of other vulnerabilities the CVE covers, which may include exploit-for-hire companies. Tavis has never sold a vulnerability or exploit. If he had, and requested recognition, he would be recognized within the advisory produced by the exploit-for-hire company. Not retracting your baseless insinuation with an apology further demonstrates this trash post to be an intentionally malicious attack on a well-respected researcher.

Frankly, I find your attack on Tavis to be libelous. According to your own views, this must also reflect the position of Cisco. I’d call for you to be fired, but unlike Tavis, nobody cares about you or this blog. I only found it because someone in the industry linked to it, pointing out how much of a joke it is. I’ll make sure to mention you in the next posting I write — it’ll generate the most attention from the industry you’ve ever had in your life.

Both Cisco and nCircle Security were critical of Tavis’ disclosure. One of nCircle Security’s employees was recently arrested for terrorism. nCircle Security therefore sponsored and supported terrorism. Does this mean Cisco aligns itself with sponsors of terrorism? Absolutely not. But it does raise the possibility, which is what my statement questions.

Since you’ve never done anything in your long career in the industry to gain any sort of attention or respect, you resort to ankle-biting those who actually have. I understand your jealousy toward those with actual talent and ethics.

-Brad

July 3, 2010 at 12:35 pm
(8) Mary Landesman says:

>> Can you direct me to …

lrn2srch.

>> Since you’ve never done anything in your long career…

Obviously you know nothing about me or my career.

>> I understand your jealousy toward those with actual talent and ethics.

To the contrary, I greatly respect those I feel have talent and ethics.

July 5, 2010 at 4:46 am
(9) Ρωχαμης says:

Quoting:

“Blank et al, regarding the “Based on how/where…” comment, there’s nothing in that statement that says it is a definite. If you follow the link, look through where some of the exploits were originally published, some were published by companies engaged in exploit-for-hire payments. Is that proof Tavis has sold exploits? Absolutely not. But it does raise the possibility, which is what that statement questions.”

For the life of me, I do not comprehend what “exploit-for-hire” is. Perhaps you mean something like Zero Day Initiative, iDefense et al, which is not “exploit-for-hire”; heck, they even put “responsible disclosure” on their front page.

This issue aside, you heavily imply Tavis selling 0-days as FACT, thinly disguised behind a “it looks as if he may” legalese cop-out. This is not responsible (that’s a trendy word!) journalism.

You are entitled to your (erroneous?) opinion but can we please leave cliches and yellow page call-for-actions aside?

July 20, 2010 at 5:54 pm
(10) HKT says:

My good God.

This piece amounts to character assassination. To go on record, in public, accusing someone of possibly, maybe “double-dipping” whilst in the pay of their employer is both unforgivably unprofessional/stupid (take your pick) and a gigantic nail in the coffin of any lofty claims to “responsibility”. How can you accuse Ormandy of irresponsibility when writing code if you can’t put pen to paper without indulging in the same?

I will never attend a conference where Landesman speaks, nor will I fund or participate in any security forum or community of professional practice she appears in. This kind of writing has no place whatsoever in our field. I hope burning your credibility like this was worth it.

August 2, 2010 at 1:05 am
(11) anonnn says:

“(demanding xx response in xx time)”
In my opinion, companies like Microsoft should only be given 24 hours to patch vulnerabilities.
The company is worth billions; if a hacker can find exploits in their code (in his spare time, as a hobby), obviously they don’t employ the right people, or don’t pay enough to the staff they have.


©2014 About.com. All rights reserved.