Slashdot Mirror


User: dhavleak

dhavleak's activity in the archive.

Stories: 0
Comments: 934

Comments · 934

  1. Re:Bullshit on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    Let me try this very, very simply. It honestly amazes me you don't get it yet. He disclosed the exploit, but this doesn't mean that (a) he created it or (b) he's responsible for it.

    You haven't done due diligence then. He took credit for the exploit in his post on seclists, which I already linked to.

    who created it? Microsoft

    Microsoft was responsible for the vulnerability. Not the exploit.

    It's also a hell of a lot easier to figure out an exploit when there is a proof of concept

    You appear to be confusing terms here. Do you mean to say that it's easier to understand a vulnerability when there is an exploit for it? The exploit *is* the proof of concept. In any case, that argument is incorrect as well. The exploit proves that the vulnerability is exploitable. That's the proof-of-concept -- it proves that it's exploitable. It helps assign priority as well -- if you prove that it's exploitable, the priority on fixing it goes up -- so creating the exploit is a Good Thing. That is not being debated (to quote you, It honestly amazes me you don't get it yet). The point is, Ormandy should not have made the exploit public. He should provide it to MS. If after some time it appears they are doing nothing, then, if he decided to force their hand, he might have had a point. How much time -- I don't know exactly. Was 5 days (including Saturday and Sunday) enough? Not even close.

    Yes, 5 days is a little short, but if this was critical MS could have said to him "please don't release it".

    That's the second time you're making this stupid statement -- and the second time I'll remind you that responsible disclosure is the norm. MS should not have to ask him, and you don't even know that they didn't. He never even gave them a chance -- read his seclists posting. Educate yourself before mouthing off. He (Ormandy) himself has a twitter post now stating that perhaps he didn't do the right thing -- but here you are defending his actions anyway. At least he's man enough to admit when he's wrong.

    What does matter beyond you being sidetracked? That I still don't hear of a hotfix or patch from MS.

    No hotfix, because it simply can't be done this quickly. You just agreed that 5 days is a little short, but here you are 12 days on criticizing the lack of a hotfix? What information do you have that makes you think 12 days is a reasonable timeframe? I would really love to hear your timeline/work-item-breakdown for making a hotfix available in 12 days.

    Somehow point fingers at google all day, but you can't see the forest for the trees.

    Actually I don't know why you're so determined to keep bringing Google into the picture. You'll notice that I didn't mention them until you did. I merely pointed out that something isn't adding up (about Ormandy acting alone, but using input from colleagues). I'm happy to drop that angle and just argue that making the disclosure public in 5 days was irresponsible. You are the one that keeps bringing Google back into it.

    Do you get the difference?

    Between what and what??

  2. Re:Dear Microsoft on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    I do not consider it the duty of a security researcher to contact a vendor prior to full disclosure at all, meaning that no conditions have to be met.

    So it would have been okay for Dan Kaminsky to post details of the DNS vuln. in 5 days (or even without notifying the vendors)?

    However I do think that responsible disclosure is a good policy.

    Very conveniently straddling both sides. If it's 'good policy', why is it okay to not follow 'good policy'? What is the opposite of 'good policy' -- could it be 'bad policy' by any chance? Unless there are extenuating circumstances? So the same question yet again, asked in another way -- what would be the necessary and sufficient extenuating circumstances for not following this so-called 'good policy'?

    First of all, what do you consider a reasonable time limit, and why?

    It doesn't matter -- you rejected my axiom, remember? But I'll avoid skirting the question: responsible disclosure allows for variation in that time limit, because it recognizes that not all security bugs and fixes are equal. In this case, 5 days was not enough.

    In this case the vulnerability is easily mitigated, so that alone is reason enough to release early in my opinion. A point you ignored.

    Not ignored. If it's so easily mitigated, why did Ormandy think it was necessary for MS to drop-everything-now and address this issue?

    An exploit absolutely exists in the wild because Microsoft sold people a vulnerable OS.

    A vulnerability exists, because of MS. The exploit exists because of Ormandy.

    Blackhats do not need help to write exploits; script kiddies are far less dangerous.

    You keep hiding behind this tenuous thread, but you refuse to take the burden of proof that Blackhats had found this hole and exploited it before Ormandy's action. Wonderful. You also ignore the strong correlation between Ormandy's going public and the attacks occurring in the wild. Wonderful.

    We can actively protect ourselves against it because we have been informed.

    Who is we? There are people who don't follow this stuff, or don't have the capability to even understand it. Ormandy should have followed responsible disclosure and only if MS was dismissive should he have resorted to this action. 5 days is not enough time for them to do anything.

    as said, this only exists because of MS, their bug, period

    How many more times can I concede this point, before you realize that it does not absolve Ormandy of acting irresponsibly?

    Patched bugs are exploited on a larger scale than this, and visitors who haven't patched are still vulnerable. Successful responsible disclosure doesn't prevent small scale, unsophisticated attacks. Proactive people and organizations, on the other hand, are now safe due to disclosure, as mitigation for this bug is dead simple and MS has gratuitously provided a patch to their serf^Wvalued users.

    Serfs? It sounds like you just have it in for MS's users, plain and simple. This has absolutely no bearing on the fact that Ormandy was irresponsible.

    So what is the nature of the known infections? Are we talking about a few more zombies that would have otherwise been gotten with trojans/unpatched machines/unsupported versions of Windows, or the massive data compromises that result from targeted attacks?

    Relevance?

  3. Re:Bullshit on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    That is what he is claiming

    100% incorrect:
    From Ormandy's own post:
    "Microsoft was informed about this vulnerability on 5-Jun-2010, and they confirmed receipt of my report on the same day."
    Followed by:
    "I would like to point out that if I had reported the MPC::HexToNum() issue without a working exploit, I would have been ignored."
    That was the sum total of his justification for his behaviour. This is *his own* post. Now, he too is having second thoughts about what he did: http://twitter.com/taviso/statuses/15874332662/

    Do you have proof that contradicts his account?

    I hope you'll accept his own post on seclists, and his own twitter post as proof. At this point, you need to just admit that you're wrong to defend him, and he was irresponsible.

  4. Re:Bullshit on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    Working with people trying to practice responsible disclosure and addressing their concerns, however, is *common sense*

    Are you claiming that Ormandy was trying to practice responsible disclosure (Saturday through Wednesday!!)? Or are you claiming that MS refused to work with him (do you have some inside line on the email exchange that took place)? What exactly are you claiming here???

  5. Re:Dear Microsoft on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    Either way -- I don't see how this supports Ormandy's action.

    Fine, don't take it as support, take it as context. If Google, indeed, got bitten by delayed action on Microsoft's part, that kind of thing affects ones actions.

    (1) Google said he was acting independently. Google advocates responsible disclosure. You cannot have your cake and eat it too. Was he acting independently or not?
    (2) If Google got 'bitten' and this affected their behaviour (their = Google or Ormandy), then the obvious course of action is to deploy Ormandy's patch internally, and responsibly disclose the issue to MS.

    Based on your axioms, yes. I reject the axioms as they are subject to debate.

    Very well, state your axiom(s) then! What do you consider as necessary and sufficient conditions for a researcher to release exploit code within 5 days notice to a vendor?

    Plenty of time to evaluate the severity and project a timeline, doesn't have to be set in stone, just reasonable and doable.

    Now here's where we're dabbling with opinion. This is your opinion. You don't know what email exchange transpired between Ormandy and MS. You don't know if they gave any kind of estimate or not, and if Ormandy just decided he didn't like it. You don't know if they replied saying "we're trying to figure this out -- we'll get back to you". You don't know jack shit about that communication -- but we all know this for 100% certain -- an exploit absolutely does exist in the wild because Ormandy made sure it does, and at least one site has been compromised, and visitors to that site are vulnerable.

  6. Re:Bullshit on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    How did China hack Google? It started with targeted social engineering, getting an employee to follow a link which exploited IE6. It escalated from there. Sure, it can be targeted.

    *rolls eyes*

    Whatever makes you happy. Call it a targeted attack then. You still haven't addressed the main point.

  7. Re:Dear Microsoft on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    Why are you linking to an unrelated zero-day??

    Just read that link and realized that this was not a zero-day. Either way -- I don't see how this supports Ormandy's action. As I said before: if he had followed responsible disclosure policy, and then got fed up of waiting, he would have a point. Saturday through Wednesday? No leg to stand on.

  8. Re:Dear Microsoft on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    And I concede the point again.

    No, you continue to ignore it.

    Let me concede it a third time, and address it a third time. I said "there were no exploits in the wild". I should have said "there were no known exploits in the wild". I am not making an assumption here. I am going on what was reported. How does this constitute ignoring the point? Please be specific.

    And you still have no data proving that there were indeed exploits in the wild.

    I didn't claim that there are exploits in the wild, only that systems were vulnerable, particularly to skilled adversaries who are likely to find exploits on their own

    It's not about you making the claim. The existence of exploits in the wild is the only thing that justifies Ormandy's action.

    You need that data to prove that the disclosure was not damaging.

    Well, I didn't make the claim.

    It's not about you making the claim. The existence of exploits in the wild is the only thing that justifies Ormandy's action.

    The only justification for Ormandy's actions is proof-positive that there are exploits in the wild.

    Matter of opinion. It depends on how big of a threat you consider targeted stealth attacks to be compared to automated attacks against known vulnerabilities.

    100% incorrect. Releasing the exploit has real, tangible, negative impact. You need more than "opinion" to justify that action. You need facts. Do not hide behind "opinion".

    You need to provide that proof, or concede that your stance is incorrect.

    Proof of what? That vulnerabilities have been exploited within overly long "known issue to patch" period? Here's a recent one. Proof that it had definitely been exploited before? I didn't make the claim and didn't base my stance on it.

    Proof of an exploit for the vuln Ormandy discovered, that existed before he made his exploit public -- what did you think I was asking for?? Why are you linking to an unrelated zero-day?? The prior existing exploit is the only thing that justifies Ormandy's action.

    I ask you again -- are you done playing word games?

    Are you done unduly placing the burden of proof onto everyone who disagrees with you?

    It's a very simple point. You chose to defend Ormandy's action, and this is what you need to defend him successfully. Logic led us down this road.

  9. Re:Dear Microsoft on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    It's not a word game. Your assumption that there were no exploits undermines your conclusion that disclosure was counterproductive.

    And I concede the point again. There were no known exploits in the wild. However, the assumption isn't mine (it's been reported on). And you still have no data proving that there were indeed exploits in the wild. You need that data to prove that the disclosure was not damaging. You need that, because as soon as he disclosed the exploit, instances of it were seen in the wild. The correlation is strong. The only justification for Ormandy's actions is proof-positive that there are exploits in the wild. You need to provide that proof, or concede that your stance is incorrect. You pointed out the tiny little trivial flaw where I should have added the word *known* in my post -- and I have conceded that point twice now. I ask you again -- are you done playing word games?

  10. Re:Bullshit on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    If exploit in the wild

    It is usually a good idea to assume that it is, and is used for targeted attacks by skilled blackhats trying to stay under the radar.

    1) The nature of this vulnerability is such that you cannot use it for a targeted attack. You can put the exploit on as many sites as you can, and try to lure traffic there, and accept whatever percentage of machines get compromised -- but you cannot use it for a targeted attack.
    2) If you have data for other vulnerabilities definitively telling you that there are exploits in the wild for them, they get prioritized higher. Next -- if you have two vulns, and the complexity of the exploit is orders of magnitude apart, the assumption is more true for the easier exploit than it is for the one that is orders of magnitude tougher. In other words, the idea itself is fine and dandy -- assume that all vulnerabilities will be, and are being, exploited, and fix everything instantly. In the real world, fixing everything instantly (or in the time between Saturday and Wednesday) is *slightly impractical*.

  11. Re:Dear Microsoft on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    There were no exploits in the wild

    That is a positive statement, burden of proof is on you, no matter if you can prove it or not.

    There were no known exploits in the wild. Happy? Or do you want to play more word games?

  12. Re:Dear Microsoft on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    There were no exploits in the wild

    Prove it.

    http://en.wikipedia.org/wiki/Negative_proof

    i.e. The burden is upon you to prove that one existed.

  13. Re:Dear Microsoft on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    Another "feel sorry for Microsoft's security people, they are overloaded" post.

    It's actually a "in the real world, things are complicated and take time" post.

    If that is the case, MS need to get more people on the problem, since patches can be worked on independently (interaction testing aside).

    There are going to be times when they have more people than they need. There are going to be times when they have less people than they need. There are going to be times when multiple exploits are reported against the same component, so no matter how many people you have, it's the same core team that these get routed to, so one bug gets a higher priority and worked on immediately and one gets a lower priority and goes next -- even if the severities are enough that the team is working flat-out and around the clock. You're oversimplifying again! Re-read The Mythical Man-Month. It's pretty basic & pretty ancient now, but even back then it was realized that merely throwing more people at the problem does not reduce the time it takes to solve it. You've also glossed over the inherently serial nature of some of those tasks: find appropriate owners/experts, understand severity, impact, exploitability, mitigating factors, create patch, test patch, deploy patch. The guy disclosed the vulnerability on a Saturday, and went public the following Wednesday, for crying out loud!

    Microsoft is responsible for any and all holes in Windows, they made it, they aren't some underpaid third party trying to fix someone else's fuckups.

    Nobody claimed otherwise. Not even MS.

    60 more days of vulnerability to skilled blackhats without any recourse for the general public or even any guarantees that the issue will actually be addressed during that time frame would be very irresponsible.

    That is the current status, because of Ormandy's actions. There were no exploits in the wild, until Ormandy released his exploit publicly. That implies, nobody knew about it, until then. So you just posted an argument based on very tenuous, very shaky logic.

  14. Re:Bullshit on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    but this implies that he created the exploit

    He did. See his own post on seclists. In his own words "I've prepared a demonstration for a typical Windows XP installation with Internet Explorer 8, and the default Windows Media Player 9."

    The fact that he told MS before releasing anything means, that well, MS's team knew about it

    Before releasing anything? 5 minutes before? 5 days before? 5 weeks before? It makes a difference, y'know. In this case it was 5 days, including Saturday (day 1) and Sunday.

    They could have asked him not to release it, and guess what? He probably wouldn't have.

    They did, and guess what? He released it anyway. Besides, they shouldn't have to ask -- he should have followed responsible disclosure guidelines. The guidelines are not fluff -- imagine if Dan Kaminsky had not followed responsible disclosure for the DNS issues? Would you be defending that action? If yes, then you are out of your mind. If not, then why is this issue special/different so that it is exempt from responsible disclosure?

    Another nugget from Ormandy:

    I would like to point out that if I had reported the MPC::HexToNum() issue without a working exploit, I would have been ignored.

    He has not explained why he went public. A working exploit is a good thing -- it absolutely does sway a vendor to take your issue more seriously. Releasing the working exploit publicly is the problem here. If he followed responsible disclosure guidelines, gave MS a working exploit, and got ignored, then he could take matters into his own hands and he'd have a semblance of a point. To alert them on Saturday and go public on Wednesday is attention-whoring bordering on malice.

    Clearly though a large quantity of people are more interested in distributing blame because it's google as opposed to because it's microsoft, which is amazingly backwards.

    Google does have something to answer for here. Every time one of their employees fucks up, they cannot claim things like, "he did it in his own time", or "it was a summer intern and we didn't realize the code went live". They cannot be such vocal advocates of responsible disclosure, and have their own security researcher not follow the same guidelines that they themselves call for. They cannot claim that he acted independently (used his own time/resources) when Ormandy, in his own post, states "Without access to extremely smart colleagues, I would likely have given up". Either his colleagues helped him with the exploit, or they helped guide his decision to not follow responsible disclosure guidelines (which his employer is in favor of). He very kindly and hypocritically goes on to provide some half-baked opinion on responsible disclosure/full-disclosure and a link to a Schneier article on the topic.

  15. Re:Bullshit on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 1

    Actually, I think he was blaming the guy that released the exploit, for releasing the exploit.

  16. Re:Dear Microsoft on Miscreants Exploit Google-Outed Windows XP Zero-Day · · Score: 2, Insightful

    I think you're oversimplifying.

    On getting notified of the issue, MS would have to make an assessment -- how many systems have the feature, how often is this feature used, how complicated would it be to develop an exploit, is there currently an exploit in the wild, what is the result of the exploit (data loss, denial of service, admin access, etc.), are there any mitigating factors, how much time would it take to develop a fix, how much time would it take to test the fix, etc. Rolling back a second -- they first have to route the issue to the right people for making these evaluations. This would hold true for each and every single security issue that gets reported to them, or that they find themselves.

    Now consider that Ormandy's issue is not the first, last, or only security issue ever reported to them, or the only one they are currently working on. In fact, out of all the current issues they are working on, there might have been others with easier exploits or exploits already out in the wild, or affecting a larger number of people, or with worse implications. This is a big deal for sure -- but it's actually reasonable to believe that this wasn't the single most important, drop-everything-now, priority zero, severity zero security issue on MS's plate right now.

    That being the case, Ormandy should have gone through the 'system'. If, after 60 days, he didn't get a response he liked and then forced MS's hand, he would have had some semblance of a point. The way he acted, I can only conclude that he wanted his 15 minutes of fame, and he doesn't give two hoots about the people affected by his irresponsible behavior.

  17. Re:Kinect demo faked on Microsoft Unveils Smaller Xbox 360 Model, Kinect Details · · Score: 0

    I call BS. They didn't look like they were faking it in today's E3 demos and they didn't look like they were faking it a year ago when they first introduced it either.

  18. The Bajorans did it first... on Japan Successfully Deploys First Solar Sail In Space · · Score: 0, Offtopic

    http://memory-alpha.org/wiki/Lightship Ancient grace and function.

  19. Re:Fire that marketroid! on Google Introduces, Then Scraps, Bing-Style Background Images · · Score: 1

    Google seems to have forgotten the early days of the search engine wars in which Yahoo, Excite, et al vied for the most user-hostile, craptacular portal landing pages. I believe it was primarily their choice of a minimal utilitarian design that made people flock to Google

    It's possible that times have changed, and user preferences have changed. You're referencing a period roughly 15 to 12 years ago, when people were still using dial-up connections at 33kbps. The utilitarian page had an insurmountable performance advantage at that time. Now, with an asynchronously loading image, and DSL/cable/fiber connections, you can afford to be less spartan in your approach.

  20. Re:For the patent FUDsters sure to follow.... on H.264 and VP8 Compared · · Score: 1

    If you seriously think you addressed the points, go and apply for the patent. I mean that in the most serious way possible. Do you think you won't get one? Why not? You've addressed all the objections, haven't you? What's stopping you?

  21. Re:Google shouldn't worry on Google's Streetview Privacy Snafu Prompts Lawsuit · · Score: 1
  22. Re:For the patent FUDsters sure to follow.... on H.264 and VP8 Compared · · Score: 1

    There's prior art.

    There's no prior art for opening a hardware store in that particular town. That's part of the point

    Very well -- go ahead and apply for the patent then. Maybe then you'll realize you have no point.

  23. Re:For the patent FUDsters sure to follow.... on H.264 and VP8 Compared · · Score: 1

    Why can't I patent that idea and stop any competition?

    There's prior art.

  24. Re:Google shouldn't worry on Google's Streetview Privacy Snafu Prompts Lawsuit · · Score: 1

    based on the apparent contrarian nature

    Which is?

    The semantic equality between logging and 'dumping memory' is pretty straightforward IN MY OPINION.

    You're content to argue semantics to convince yourself that you have a point?

    From you they have. You are contesting the fact that they did anything wrong at all.

    No I am contesting whether they did anything ILLEGAL and actionable

    You admit what they did was wrong then?

    I am contesting your analysis that only intentional 'malice' or incompetence (in the sense of gross negligence, as opposed to) leads to an accidental capture of the data

    So it's an accident, but it's not incompetence? How does that work? (cue lame analogy of accidents that could not be avoided irrespective of competence levels).

    And bad PR isn't just a hot air with no financial impact, it affects the company financially by lowering their 'Goodwill'

    When you abuse people's goodwill, you lose goodwill. Only the sheep will remain faithful.

  25. Re:Google shouldn't worry on Google's Streetview Privacy Snafu Prompts Lawsuit · · Score: 1

    You've made up your mind that Google is evil and needs to be punished

    Your words -- not mine. My world isn't that black and white. Read everything I said -- there's not one word about punishment, and not one word about evil. I'm not saying there shouldn't be any punishment -- I'm just not addressing the issue, because I don't care quite that much about it.

    The crash dump example is exactly analogous. They were LOGGING the data.

    Not logging -- dumping the contents of memory. And did you not read the part where I said, if there's a problem there, then go after them as well?

    Again, given the amount of PR, there is no way that Google has 'gotten a pass'

    From you they have. You are contesting the fact that they did anything wrong at all. Therefore, by your logic, they should not have apologized (they did), had no reason to stop (they did), and do not even deserve the bad PR!