Tavis Ormandy Chooses When Google or Not

From Mary Landesman, About.com Guide, June 30, 2010

In yesterday's patches from Adobe, it was interesting to note the following in the acknowledgments section:

Tavis Ormandy of the Google Security Team

Indeed, if you read through Tavis' collection of exploit reports, you'll find he's frequently requesting acknowledgement as "Tavis Ormandy of the Google Security Team" or "Tavis Ormandy of Google, Inc."

It seems that when Tavis feels like responsibly disclosing exploits and working to protect people, he chooses to be acknowledged as a Google employee. But when he chooses to irresponsibly disclose and work to infect people, he petulantly claims that his actions do NOT relate to Google.

Personally, I don't think you can have it both ways. Pick your team, Tavis. Or better yet, Google pick your team.

Comments
June 30, 2010 at 6:15 pm
(1) Ρωχαμης :

Sure Google, go ahead pick your team.

Instead of hiring extremely smart people like Tavis, who are actually finding and exploiting vulnerabilities, hire run-of-the-mill CISSPs, whose biggest claim to fame is being able to regurgitate some generic, over-the-hill stuff.

“work to infect people” <- this is irresponsible sensationalist journalism at its worst.

He found the vuln, he exploited and he did the right thing by informing Microsoft. If he was irresponsible, he could always drop the 0-day at a mailing list, such as Full Disclosure, or worse, keep it within private circles, where it would circulate for a long, long time (rpc.cmsd anyone? Doing the rounds for three years before being detected? Does that ring a bell?)

June 30, 2010 at 11:06 pm
(2) Dave Kennedy :

Kudos to Mary for calling for behavior that puts the protection of society, the commonwealth, and the infrastructure before egocentric promotion.

July 1, 2010 at 1:50 pm
(3) Mary Landesman :

>> "If he was irresponsible, he could always drop the 0-day at a mailing list, such as Full Disclosure"

This is exactly what he did do….

July 5, 2010 at 4:34 am
(4) Ρωχαμης :

“This is exactly what he did do …”
No. Since “the devil is in the details”, he respectfully tried to reach a resolution with Microsoft and only when that failed, he “went public”.
In any case, asking for Tavis to be fired from a public medium, is unethical at best, IMHO.

December 1, 2010 at 3:41 am
(5) anon :

There is nowhere in that page (http://taviso.decsystem.org/research.html) any mention of Tavis "frequently requesting acknowledgement as 'Tavis Ormandy of the Google Security Team' or 'Tavis Ormandy of Google, Inc.'" as you said.

December 10, 2010 at 5:02 am
(6) freak :

What do you know about security? How have you contributed to knowledge? Have you ever in your abysmal life found a vulnerability or exploited it?

Ohhh I recall NOOO!!!!!!
