web application security lab

Windows Help Centre Vuln

Updated: clarified some points of contention.

Early this morning Google’s Tavis Ormandy published a vulnerability in the hcp protocol handler. It allows the attacker to run arbitrary commands as the user. In practice it created a lot of alerts and warnings for me - but the XP install I was using is somewhat locked down. So I’m not sure how practical this attack would be over any other attack that causes an alert, as the article mentions. Later his report says it works around the alerts (I couldn’t reproduce that, but that was his intention). Either way, though, this is some pretty amazing research. However, there are some odd things about this that really struck me the wrong way.

Google has been the loudest proponent for responsible disclosure in the past. But if you look at the dates in his post, he says he reported it to Microsoft on the 5th of June (a Saturday), who responded the same day. He sent the advisory early in the morning today, the 10th of June - meaning Google gave Microsoft less than 5 days to respond to his demand to have it fixed in 60 days [originally: less than 5 days to fix it]. Even Mozilla backed down from a 10 day turnaround, and they’re only running a single software suite. How is that possibly reasonable, to expect a company like MS to turn around a patch in 4-5 days and then get so upset that you must go full disclosure? (Incorrectly stated) And it’s not like Tavis was acting on his own - he credits lcamtuf, who works at Google [originally: other security researchers inside of Google for their help]. So apparently it’s okay for Google’s employees [originally: Google] to go full disclosure, but not for other researchers. The hypocrisy is amazing.

See, here’s the big problem. Either you are all about full disclosure (which is happening less and less these days), you use it only when you know the company won’t react otherwise or has all kinds of other hinky things they do behind your back (the same reason I advocate full disclosure against Google), or you use responsible disclosure. Google says it adheres to responsible disclosure, but at the same time they agree to a 60 day patch cycle [originally: give Microsoft 5 days to fix their 0day] for exploit code that Google’s researchers themselves created! From Google’s own website:

This process of notifying a vendor before publicly releasing information is an industry standard best practice known as responsible disclosure. Responsible disclosure is important to the ecology of the Internet. It allows companies like Google to better protect our users by fixing vulnerabilities and resolving security concerns before they are brought to the attention of the bad guys. We strongly encourage anyone who is interested in researching and reporting security issues to observe the simple courtesies and protocols of responsible disclosure. Our Security team follows the same procedure when we discover and report security vulnerabilities to other companies.

… except when you don’t. Then Tavis puts a patch up on a domain that, no offense to Tavis, is more sketchy sounding than a lot of malware sites out there (http://lock.cmpxchg8b.com). Do you really expect a billion XP users to download and run that? (Non sequitur) There is evidence that it doesn’t even work in some cases, but it does appear to work against the one PoC Tavis put up in the test I ran. I don’t know, the whole thing just rubbed me the wrong way. But at least now no one has to pretend to do responsible disclosure with Google just because it’s the right thing to do - they don’t use it themselves. Even when MS finds a vuln in Google they do so responsibly. I don’t mean to say anything bad about Tavis, because he’s probably a good guy, with a lot of skill. But let’s stop pretending Google’s team is chivalrous, shall we? Let’s see what Google does when one of their own breaks their stated policies, whether the researcher is working in their own time or not.

40 Responses to “Windows Help Centre Vuln”

  1. anon Says:

    “Finally, a reminder that this documents contains my own opinions, I do not speak for or represent anyone but myself.”

  2. Mario Sun Says:

    I think 5 days is enough for the second-largest company in the world to fix a ridiculous XSS/input-validation vulnerability.

    Btw, no alerts and warnings for me on an XP SP3 machine without AV/IDS/etc.

  3. RSnake Says:

    @anon - Yes, I read that and promptly ignored it. That’s like me saying I don’t speak for my company. When a member of Google’s security team works with other members of Google’s security team and releases a security vulnerability, and they mention Google’s website in the post as a resource to understand the threat… I’m going to go out on a limb and say it’s Google. If it’s not sanctioned by Google, then I suppose they’ll be firing all those involved, since that’s completely against their stated public policy…. or something. I’m not holding my breath.

    Let me ask a question, if one of Microsoft’s researchers did the same thing, would you give them any slack? It’s hypocrisy.

    @Mario Sun - It’s not that easy to fix a problem if you have an ecosystem as complex as Microsoft. They don’t want to pull a McAfee move and break people’s computers accidentally. It takes time to test and deliver a patch - and yes, more than a weekend and two week days.

  4. Anony Says:

    Bit off topic, but you mind detailing your locked down XP?

  5. RSnake Says:

    @Anony - I wish I could tell you which setting(s) was/is causing all of the various popups and alerts warning me not to proceed. But I suspect it’s related to my IE settings, and not XP. Hard to say for sure without really digging in. Sorry.

  6. greg Says:

    You mentioned that Mozilla had backed down from the 10 day stance.

    Do you know of a list of target “time to fix” goals from various vendors/organizations?

  7. snxuev Says:

    how about change the url to..
    view-source:http://lock.cmpxchg8b.com

  8. cx Says:

    the old (polish|russian|african) proverb says: “if you don’t know what is something about, then you know it is about the money”

    does ms pay for 0days?

  9. Wladimir Palant Says:

    Robert, while I agree that the ethics of this disclosure are very questionable - you started this post with the wrong premise. Google is a company employing thousands of people. Why would you assume that the company policy is accepted by each and every employee? From what I can see there is no indication that Google endorsed this disclosure. Quite the opposite - Ormandy isn’t even using a Google email address which IMO indicates that he isn’t acting on behalf of his employer. The word “Google” is found twice in the text - once where he mentions Google Chrome along with Firefox and another time in a link where he thanks Michal Zalewski for his excellent Browser Security Handbook.

  10. RSnake Says:

    @Wladimir - that’s a fantastic question, and I’m glad you asked. Let me answer you by telling you a little story. Once upon a time I worked at eBay. I had access to tons of 0day, not just in eBay, but in companies like Google. Did I go out and smear them? No. I sat on it. Why? Because I was an eBay employee. Did I talk about it in my off time? No. Why? Because I was an eBay employee. Did I go off and do my own research? Of course. Did I talk about it publicly? No, because I was an eBay employee. There was no way to distinguish myself from my company, even though (almost) no one knew I was one and the same.

    But I could have very well, and probably correctly said that eBay never asked me to sign anything in terms of code of ethics that forbay’d me from talking about things unrelated to my desk job. But eBay didn’t have a web-page that specifically said that their policies include responsible disclosure either, like Google has. I knew better.

    Given that case, and knowing exactly how important that is to Google’s “ecosystem”, this is either a direct assault on Google’s stated policy by its rogue security expert, or it’s sanctioned. Given the fact that he told other security researchers inside Google and got help from one or more of them, I would have to conclude that this was sanctioned by Google - or there’s going to be a whole lot of people getting fired over at Google.

    Either way, using another email address doesn’t absolve an employee of their ethics contract. http://investor.google.com/corporate/code-of-conduct.html

  11. Dominic White Says:

    Tavis evidently believes he can research with his colleagues in his and their off time and release a bug, explicitly identifying it as his own and not his employers, using his personal e-mail address and website.

    Rsnake on the other hand thinks you represent your company 24hrs a day.

    There’s possible merit for both views, but RSnake certainly hasn’t provided a definitive case for why Tavis is clearly representing Google despite his explicit statements otherwise. Until he does, the claims of “Google’s hypocrisy” are just plain untrue.

    At most you can argue that Tavis’ personal disclosure method wasn’t great and he should have given MS more time. However, his statement that he believes this is being exploited in the wild, and that he would have been dismissed without a sploit are somewhat defensible. It certainly isn’t clear that he behaved unethically.

  12. Joshbw Says:

    @RSnake - you may not have had to sign a code of ethics at eBay once upon a time, but the last several enterprises I have worked at have all had policy regarding what an employee can publicly disclose about a competitor, whether on their own time or not. The last two enterprises I have worked at have also had me sign explicit restrictions on disclosure of “research”.

    Regardless, even if none of that was spelled out, either generally in the policies that all employees need to review or specifically in policy for security folks, you are absolutely right that someone expected to be as astute as an AppSec guy is should know what constitutes acceptable conduct given that they represent a company no matter how they obscure their trail.

    And at the very least Tavis has asserted that he does not share the values his company claims to, and not minor small values either, which doesn’t leave Google much option. They either look like hypocrites or they let him go.

  13. RSnake Says:

    @Dominic White - I loved being talked to in the third party on my own blog - are you talking to me or to everyone reading this site? Hmm… So you’re saying your ethical boundaries stop at 5PM? I hope your future employers don’t see this. Either way, that stance is awfully convenient. Tavis never said it was being exploited in the wild - he came up with it. This is his bug. I’m not sure where you came up with that - URL?

    When you are known as a researcher for a company (there are dozens of examples of his name being directly tied to Google) you cannot suddenly pretend like you don’t work there. You become a spokesperson. Ask Matt Cutts - he wasn’t given the title of unofficial spokesperson - he took it by virtue of having something to say. Like it or not, Tavis and the others involved are Google Security engineers dropping 0days on competitors.

    I’d be 100% fine with that if Google didn’t care about full vs. responsible disclosure. If they weren’t crying about external researchers finding vulns in their crappy products and telling the world about it, I’d have no issues. That’s just not the case. This is a double standard, and if Google sincerely cared about this problem, they wouldn’t fund it.

  14. RSnake Says:

    @Joshbw - Well put. Incidentally, one of the reasons I probably never saw an ethics document is I always managed to social engineer my way out of signing those documents upon getting hired. I always acted ethically, but I didn’t think a paper changes who I am. I told my boss that I’d never sign an NDA because there’s no point. If I decided to become bad and steal or compete there’s nothing that could stop me, let alone some piece of paper.

    I feel bad for Tavis, sincerely. From everything I’ve heard, he’s a good guy in person. He very well may not have known what he was doing or what it represents. There’s no way I could know for sure one way or another. But this was certainly not what his employer demands of everyone else in the ecosystem.

  15. Joshbw Says:

    @RSnake -

    When folks above point out his use of a personal account and how that mitigates the ties to Google I suspect very much that Tavis was thinking the same way, and his greatest crime (other than being kind of a bastard towards MS) is naivitivity. What I don’t think people see is that competitors, despite heated rhetoric between each other, usually have some professional lines that don’t get crossed. When an employee does something like this on their own time there will always be the question “Was this the employee acting alone and in poor judgement, or is it the company using that as a lie to generate plausible deniability about their own actions” That’s generally why companies frown a great deal on that behavior, because like it or not questions of conduct come back at the company.

    Incidentally, Microsoft doesn’t seem to make a distinction that it was some guy on his own time either: http://blogs.technet.com/b/msrc/archive/2010/06/10/windows-help-vulnerability-disclosure.aspx

  16. btilly Says:

    What kind of “hinky things” does Google do behind our backs that you’re mad about? In short why do you think that they deserve to be shamed in public at every possible turn?

  17. RSnake Says:

    @btilly - Given that you work at Google (66-102-14-1.google.com) and are asking me what they are doing behind “our” backs that’s hinky…. Do you mean like pretending not to work at Google…? I mean, come on. This is so blatant, it’s insane.

    66.102.14.1 - - [10/Jun/2010:19:48:36 -0500] “POST /blog/wp-comments-post.php HTTP/1.1″ 302 - “http://ha.ckers.org/blog/20100610/windows-help-centre-vuln/” “Mozilla/5.0 (X11; U; Linux x86_64; en-US) AppleWebKit/533.4 (KHTML, like Gecko) Chrome/5.0.375.70 Safari/533.4″

    This. This is precisely what YOU do that’s hinky. YOU pretend to be unrelated to Google but come from Google IP space. YOU talk behind security researcher’s backs and defame us to our own clients who have to set the story straight - thankfully because they know the real story. YOU say things aren’t vulnerabilities when your own customers are getting owned by those very same “features” so that you can keep monetizing them. YOU disclose issues left in strict confidence while you expect us to do the same for you. YOU treat the security community as if they are evil, while you let your own security researchers drop 0day as if it were no big deal. I could go on for hours!

    Stop the BS. Please. Doesn’t anyone at Google get PR training?! Serious!

  18. bob! Says:

    seriously? you do know that google has free wifi?

  19. RSnake Says:

    @bob! - Yes. And? Google employees don’t use it, I suppose.

  20. Sasha Says:

    I guess that happens when you employ hackers, still out for the fame…despite a 200K salary. ;)

  21. RSnake Says:

    @bob! @btilly http://bentilly.blogspot.com/2010/02/developing-on-head-scales-to-google.html Google employee extraordinaire. Let’s drop the “no, really, he’s not a Google employee” crap, okay?

  22. adi Says:

    hahaha!!!! Thanks RSnake, this made my day and my week too…..i’ll laugh all day:)

  23. bob! Says:

    bob mmk! you seem to be correct!
    All hail the anony google!

  24. RSnake Says:

    I think I should add a note here, because I think this is very important and people’s actual jobs are at stake.

    I really don’t think the entire Google security team who helped with this vuln should be canned. Tavis is probably a great guy, who is obviously tremendously skilled - as is lcamtuf (a man I personally admire more than most) and the rest of the people mentioned. But Google cannot treat inbound security research any different than it treats outbound security research. Google needs to start treating external researchers the same way they treat their own internal researchers. Yes, that probably does include fair payment for vulns in the case of people who try to make a living selling them. Incidentally that description doesn’t fit me or my company, but I know what it’s like to try to make a living in this industry. All I wanted was the beer, personally, which I never received. Shame on you, Google. *tsk*

    If Google is simply opposed to the concept of full disclosure, then yes, they’d have to go on a firing spree (sucks, but that would be Google’s decision). Or they could take the better of the two paths and start treating the industry right. And yes, that means fixing the holes we send you.

    Or there’s the middle road - neglect.

  25. Wladimir Palant Says:

    Robert, let’s just pretend that you are a responsible guy - regardless of who your employer is. That, and you worked at a company that is very restrictive. So while you feel like you have an obligation to represent your company 24 hours a day, Ormandy likely feels differently. Also, just because he got some help from Michal Zalewski (that’s the only one he thanks) doesn’t mean that Michal was in on this.

    Now the media designated him as a “Google security researcher”, so the thing with the private email address clearly didn’t work. Some companies would fire him on the spot because of that. Maybe Google will as well, though I would rather expect a stern warning. Either way, I don’t expect the whole affair to end without consequences for him. But we will probably never know unless Google decides to issue a press release to explicitly distance itself from his actions.

  26. RSnake Says:

    @Wladimir - I agree with everything you just said except the very last sentence. I will definitely find out what happens. There’s no question. This industry is too small.

  27. Dominic White Says:

    Hey RSnake, I can’t post my rebuttal, is it in your mod queue or something?

  28. RSnake Says:

    @Dominic - oddly I don’t see it. Sorry about that. Maybe one of the words hit the blog spam filter. Email it to me and I’ll throw it up for you & fix the blog filter at the same time if that’s the culprit.

  29. AppSec Says:

    First and foremost — full disclosure — I have not read everything about the vulnerability or how he discovered it.

    There are some things to consider, however:
    1) Did he use tools which were given to him by his employer (hardware or software)?
    2) Does he handle anything dealing with disclosing vulnerabilities found within Google?

    If the answer is yes, then you are even being too kind.

  30. Shoes Says:

    From his response on Full Disclosure it sounds like he was fully aware of the choice he was making.

    http://seclists.org/fulldisclosure/2010/Jun/236

    I’m not sure where he plants himself in the responsible disclosure “debate” but he obviously felt justified in releasing the way he did.

  31. thrill Says:

    I am amazed that no one has touched the obvious subject of “Why would a company like google, who have plenty of outstanding security issues themselves, spend ANY TIME AT ALL looking at other companies’ products for vulnerabilities??”

    This is the exact definition of “People in glass houses shouldn’t throw stones.”

    –thrill

  32. AppSec Says:

    @thrill

    To add to the marketing/negative image of their competitors.

    Sure, Google has issues, but what better way to avoid those than to use deflection.

  33. Tom T. Says:

    @ Anony: Firefox with NoScript add-on; in default mode, it prevents all executable content from running on sites other than your own trusted whitelist, unless you specifically allow it from the menu of code attempting to run. I went there, clicked the link, and nothing at all happened. Nada. Zip. Zilch. (Tip: Lock NS down completely: check *everything* on “Embeddings” page, including “Apply these restrictions to trusted sites too.”)

    They also have a surrogate script for Google-Analytics.com, which will allow sites that require you to run it, but send a dummy script that makes the page happy and tells Google nothing. (And other surrogates as well.)

    Throw in the RefControl and RequestPolicy add-ons, get a good Hosts file service, and then run it all in some sort of virtualized or sandboxed environment anyway. I’ve gone to the shadiest sites in the name of user tech support, and no problems.

    @ RSnake, in the first person :-) Allow me to present you with a new word, with my compliments: “Forbade” = past tense of “forbid”. (“Forbad” works, too, but it’s not common, and sounds like “for bad”, which was this guy: “for bad purposes” - confusing.) If there’s an auxiliary verb (was, have been, etc.), “forbidden”. “I was forbidden to disclose this; they forbade me from disclosure.”

    Re: Whether he “represented Google” — wrong question. He was acting as a hacker, and there are only two kinds: white-hat, who practice responsible disclosure regardless of what company and what their relationship is to it (employee, competitor, etc.), and black-hat, who do not use responsible disclosure. This person has just qualified himself as the latter, irrespective of everything else.

    Cheers, and it’s open season on attacking Google and their black-hat employees, and publishing to the world!

  34. kuza55 Says:

    Wow.

    Maybe it’s just me, but all my employment contracts in the past have clearly stated that what I do in my own time is owned by me and that my work has no right to tell me what to do with it.

    I think this whole thing is being blown a bit, but let me add some fuel to the fire.

    “YOU disclose issues left in strict confidence while you expect us to do the same for you.” - now I’m not going to say that you have done this (though if my memory is correct - which it might not be - you did post something someone sent you in confidence because you misunderstood that person’s intent), but your good friend Jeremiah did just this when he went to the press (I remember the register, but I don’t know if that was the original source of the leak) about the IE8 XSS Filter bug that sirdarckcat found (the one which would make normally not vulnerable sites vulnerable), that was being dealt with in confidence.

    I’d contend that Microsoft is the loudest proponent of responsible disclosure, and I really haven’t even seen Google espousing responsible disclosure anywhere (One obscure page on their corporate website doesn’t really count). Sure, they ask people to report vulnerabilities in their products, but I haven’t seen them brand it responsible disclosure like MS has.

    Having said that, sure, lets agree that Google’s team is not chivalrous, does anyone care if they are?

    P.S. Sure, lock.cmpexch8b sounds scaaaaaaaary to anyone who can’t read assembly, but I think it was targeted at sysadmins, not end-users, and most end-users are screwed anyway.

  35. RSnake Says:

    @kuza55 - I’m not sure what you’re referencing by the quote, but if I did post something in that context, it sounds like I did it as an accident, not intentionally (it’s hard to comment when I have no idea what you’re talking about). Quite a different scenario than what I’m describing though, it sounds like. I can’t speak to Jeremiah’s scenario either - I don’t know anything about the details.

    Maybe you haven’t seen Google speaking about responsible disclosure, but I have. Dozens of personal emails, several phone calls, a handful of in face meetings, etc… over the last 4-5 years - all encouraging responsible disclosure. I even fell for it several times and gave them vulns directly without ever posting about it anywhere else before or after, some of which were fixed quickly, some weren’t. Typical stuff.

    I think a lot of people care though. I think a lot of people seemingly believe Google is somehow better than any other large company, more ethical, etc… They’re not. I’m trying to spread awareness. If you were already aware, this message was not meant for you.

    And lastly, there is one thing you and I completely agree on - this has all gotten way out of hand. I’m over it.

  36. RSnake Says:

    Dominic White’s post that got nuked by the spam filter (the filter caught the term “differin” as part of “differing” whoops):

    A couple of responses:

    I loved being talked to in the third party on my own blog - are you talking to me or to everyone reading this site?

    Both, sorry if it offended.

    Hmm… So you’re saying your ethical boundaries stop at 5PM? I hope your future employers don’t see this.

    There’s two problems. First, you’re presupposing what he did was unethical, you haven’t shown that and he could argue that, in fact, he had an ethical obligation to disclose. Second, while I live my job, I see no problem with some people who feel what they do in their own time is theirs. That’s a legally supported view AFAIK.

    Either way, that stance is awfully convenient. Tavis never said it was being exploited in the wild - he came up with it. This is his bug. I’m not sure where you came up with that - URL?

    Sorry, I should have been more clear: Tavis believes it could be exploited in the wild. From his mail to FD: “Protocol handlers are a popular source of vulnerabilities, and hcp:// itself has been the target of attacks multiple times in the past. I’ve concluded that there’s a significant possibility that attackers have studied this component, and releasing this information rapidly is in the best interest of security.”

    When you are known as a researcher for a company (there are dozens of examples of his name being directly tied to Google) you cannot suddenly pretend like you don’t work there. You become a spokesperson. Ask Matt Cutts - he wasn’t given the title of unofficial spokesperson - he took it by virtue of having something to say. Like it or not, Tavis and the others involved are Google Security engineers dropping 0days on competitors.

    You left out “in their own time” from the end of that sentence, and that really makes all the difference. Sure, you could claim that Tavis & Google have differing disclosure ethics, but that’s not the same as hypocrisy. Especially in a large corporate like Google, you’re going to see a lot of personal differences with the company line. At best you could say the corporate PR machine has a right to be miffed. However, it’s a huge reach to claim that all of Tavis’ actions represent official moves by Google.

    That aside, if Google hiring Tavis meant his vast skills were no longer applied on anything but Google’s stuff, then we’d have a much bigger problem. Tavis found a serious vuln, it will get patched, we’re safer. Thanks Tavis. There’s certainly scope to say he could’ve worked with MS to better come up with a fix, but that’s not what you’ve been arguing.

    I’d be 100% fine with that if Google didn’t care about full vs. responsible disclosure. If they weren’t crying about external researchers finding vulns in their crappy products and telling the world about it, I’d have no issues. That’s just not the case. This is a double standard, and if Google sincerely cared about this problem, they wouldn’t fund it.

    This is your main point, and it’s the exact fallacy. You’re claiming hypocrisy on Google, when Tavis’ explicit statement is that this doesn’t represent Google. You’ve tried to say he has a de facto Google hat even if stating otherwise, but both the law and common sense say otherwise.

  37. RSnake Says:

    @Dominic White - the major thing I’m arguing is that Google shouldn’t hire/support people who work contrary to their own stated policy of responsible disclosure. Whether they knew about it before or not is an interesting topic to debate but somewhat irrelevant. The point is that they know about it now. So what are they going to do about it?

    Yes, he should have given MS more time, OR he should have just gone full disclosure (perhaps oddly, I don’t care which). But if he’s the type that likes full disclosure why is he working for a company who doesn’t? It doesn’t make sense. If he’s the type who is trying to make sure that people are safe, why is he linking to the metasploit module on his twitter acct giving attackers the easiest way to exploit it on their own? It all doesn’t add up. I don’t know why no one else thinks this is odd, either.

    The other thing that strikes me as strange is how everyone believes a few lines in a text file as God’s truth and that he did all this work on his own time without any help on the clock - just because he said something, doesn’t mean it’s true or accurate (just like his patch didn’t work). There’s no way for me or anyone else to know one way or another what was really going on in his head. All we can do is see what happened - a Google employee released an 0day in a competitor 5 days after telling them and released a broken patch. Those are the only facts we have, the rest is speculation.

    I concur, the world would be a worse place if Tavis and the rest of the Googlers weren’t finding vulns, but there’s no reason it has to be contrary to Google’s own stated policy, and if he and his employer can’t reconcile, then he shouldn’t be working for them. If your whole life is spent finding vulns, why would you want to work for a company who hates vuln full-disclosure - and why would that company want him to work there? That’s the hypocrisy - or at least it strikes me as extremely odd. So Google has got to change, or the employees. I don’t care which, but something does need to change. I know I won’t ever take Google’s disclosure policy on face value again, personally, not that I ever advocated responsible disclosure with Google in the first place, but still.

    But anyway, like I said, this thread has gotten completely over the top. If I knew everyone was going to get this upset over this post, I’d probably never have said anything. For the first time ever on this blog, I’m closing the thread. I’ll leave the post here for posterity, but really, I’m over it. Google can do what they want. So can Tavis and the rest of Google’s staff. Even if they can’t agree with one another. Applaud them or hate their tactics, either way… I don’t care enough to argue anymore. Back to work.

    – Thread Closed –

  38. RSnake Says:

    Okay, I’m re-opening comments. I wish I could put this one to bed, but there’s still a lot of controversy. Last night I was called out on Daily Dave mailing list:

    http://lists.immunitysec.com/pipermail/dailydave/2010-June/006130.html

    I was going to send this as an email but I don’t actually subscribe to Dave’s list, and this is kind of a better place for this conversation anyway. I’m not going to comment on the majority of the post, because it’s too long and covers a lot. But I am accountable for what I said and I felt I owed it to Tavis and everyone in the community to explain myself. So here goes:

    Finally we have the turd wrapped up in an enigma that is
    Robert Hansen/”RSnake”, CEO of SecTheory
    Reading his post:
    http://threatpost.com/en_us/blogs/does-google-have-double-standard-full-disclosure-061010
    http://ha.ckers.org/blog/20100610/windows-help-centre-vuln/
    it’s clear that he has an axe to grind with Tavis’ employer.

    You hit the nail on the head regarding Google. This is absolutely true; I have had a very long standing negative history with Google and a number of its employees. I freely admit this, and I regularly tell anyone who asks. This is actually very important as to why I posted this at all in the first place. I’ll explain below.

    He creates the false, repeated claim that Tavis only gave Microsoft 5 days to create a fix (not only that, he assigns this fault to Tavis’ employer, not Tavis himself).

    My understanding is that Tavis gave MS an opportunity to release a patch in 60 days after they reproduced it, but when he was unable to get a quick answer from them about a time frame (they said they would get back to him by the end of that week) he released his exploit shortly thereafter. I’m actually not clear on what happened at that point but certainly something about that conversation bothered him. His actions may or may not be justified, I simply don’t know, I’m not in his brain - he’d have to weigh in there. But either way, we got what we got in 5 days from his initial contact. I’m sorry if I mis-stated there. It’s a fair point you make and I could have done a much better job of word-smithing that. I updated my post to reflect that.

    He then, again falsely, claims that Tavis wasn’t doing this in his own time, simply because some other individuals with the same employer appear in his greets section. Maybe they don’t teach this in clickjacking training, an extensive 5 week course, but “greets” is short for “greetings” — I’ve been mentioned in the list before, but it didn’t mean I had anything to do with the vulnerability discovery or released exploit.

    Lcamtuf was explicitly mentioned elsewhere in the FD article as having helped or even solved the critical technical problems associated with this bug. Lcamtuf (Michal Zalewski) works for Google as well. He is who I was referring to, not anyone in the greets section. I’m sorry if that was unclear, not everyone knows the handles of people working for these companies and perhaps I should have explicitly mentioned it. Honestly, I didn’t want to drag Michal into this any more than he always was at the time, out of respect (because as much as I dislike Google, I respect some of the people working there quite a lot).

    Not to mention that there’s nothing wrong with two employees of the same company collaborating on projects (or in this case, specific smaller aspects of a larger project) outside of work — being friends with others in the community, many of whom work for the same large companies, is nothing unusual.

    Correct, there is nothing wrong with that if that single fact stood on its own.

    “RSnake” then complains about the hostname Tavis chose to use for links in his advisory.

    It wasn’t really a complaint, it’s just an observation that it would be unwise to expect a billion people to patch themselves on that URL, given that it wasn’t a “trustworthy” looking URL (especially given the malware issues users already face with fake AV products and so on). I apologize for the observation if it was out of school, but mostly I wish I hadn’t said it because it distracted people from what I had intended when writing the post.

    Finally, after an entire article focusing on Tavis’ motives and ethics, he ends it with “I don’t mean to say anything bad about Tavis”

    Because I don’t, beyond the obvious that he doesn’t follow his employer’s policies. I don’t care about Tavis in the grand scheme of things. I think he’s an amazing researcher and it was an amazing find. I’m not out to lynch him. For me this is almost entirely about Google, and not Tavis, although he’s certainly been the catalyst for this debate. I’ll explain more below.

    – he means it so much he made a blog post trashing him, reposted to another site,

    Threatpost emailed me and asked if they could re-post it. Not the other way around. Semantics, but still.

    and repeated the same lies to any reporter that would listen to him.

    Greg Keizer called me out of the blue. I didn’t contact him or any other reporters. He is the only reporter who talked to me, although unfortunately, some of my points weren’t completely clear - as will happen sometimes in an interview. I don’t blame Greg for not properly conveying my point, a lot of people didn’t get it, even though I did attempt to re-explain myself in the comments of this post. I’ll explain more below.

    Towards the end of his comments on his ha.ckers.org blog, before locking it from additional comments because people didn’t agree with him, he states: “I’m over it.”

    That’s not why I closed comments. I closed comments because I didn’t want to continue a conversation I wasn’t actually interested in - the full vs. responsible disclosure debate and other unrelated issues. I frankly don’t care much about that topic although my words unfortunately were attributed to it. I’ll explain below.

    After calling for one of the most well-known and respected researchers to be fired and repeating those comments to reporters,

    It was one reporter, not multiple (again, semantics, but still), but unfortunately, my message was missed. I’m not claiming that Greg misquoted me, because he didn’t. But the theme of what I was saying to him was not accurately portrayed - or I didn’t do a good job of explaining myself, or both. Here is one unfortunate thing: I actually do not want Tavis to be fired. I emailed Dino about this the day everything was hitting the fan - I have no interest in getting Tavis canned, and Dino was right to push back on that idea wholesale, because I do too. Our conversation prompted some of my follow-on comments explaining as much. Tavis was only helping frame a discussion. I was calling on Google to make a decision. Google has a stated policy that says that they and their employees abide by responsible disclosure. If their employees no longer follow that stated public policy, why is he working there? Either they should fire him (yes, this is where the quote came from) because they are so firm in their views on this matter or he should quit because he is. Especially because that’s a pretty fundamental and important difference of opinion given that Tavis’ professional career is dedicated to finding vulns at work and in his spare time. Or, and incidentally my actual preference, Google should start working with us when we find issues in their products - especially after not having fixed some of them in half a decade.

    See, the irony here is that Tavis and I actually agree on the methods for full disclosure as a method of last resort - it’s a tactic I’ve been forced to use with Google many times in the past. That was entirely my point. Given how many bad experiences I’ve had with Google, I am directly impacted by their stance. It really kills me to see Google’s own engineers doing exactly the opposite of what their company demands of the rest of us whether those employees are acting in their spare time or not. So yes, you were absolutely right in your initial statements about me. I do have an axe to grind with Google. Tavis is just an example of the problems that Google has relating to me and the dozen or so other researchers who have complained to me about similar problems that they have had with Google in the past - lying about vulns, not fixing them and so on. No, I don’t want Tavis fired. In fact, quite the opposite. I want Google to wake up and realize that even their own engineers don’t agree with their stance on vuln disclosure. I know, I’m an idealist… but a guy can try!

    I’m glad you had the empathy to finally conclude that everything is ok now and that you’re over it, because surely Tavis hasn’t been affected at all by your reckless, idiotic statements.

    I didn’t say everything is okay and I know it’s not. To be clear, I have absolutely nothing against Tavis or Michal. I’m sure they’re both really great guys and I have a lot of respect for their talents. I bet we would have been friends had circumstances been different. I said I was over “it” and by “it” I meant the fact that a) no one seemed to understand my point b) the unrelated conversations about industry-wide full vs responsible disclosure and other side tangents and c) the Google employees pretending not to be which seemed to appear in this thread out of nowhere. Incidentally, I actually agree that Tavis should go full disclosure if he’s not getting the results he feels are working best. But I don’t think he should be doing it while he works for Google - at least until their policies change. For what it’s worth I emailed an apology to Tavis’ lonestar account, explaining as much; this is about much more than him and his vuln (at least to me). I have not heard back from him. I don’t blame him for being upset with me if he is, but I have to stress, for me this is almost entirely about Google, not him. Google may not have known about this, it could have been Tavis and Michal alone who knew - I don’t know. But now Google does know and it flies in the face of their public facing disclosure policy. So what are they going to do about it?

    You stay classy out there, scumbag.

    I’m sorry if I came across as an asshole or otherwise. I really had no idea how controversial this would be. Most of the time people pretty much ignore my Google rants, so I had no reason to believe this would get any more attention than the dozens of other Google posts in the past. As much as I do think the evil advertising giant needed a wakeup call, if I had to do it over things would be different. I would have kept my mouth shut. So yes, I was reckless, and for that I am sorry to Tavis.

    But through all of this I do hope my actual point regarding Google’s policies got through to some people, otherwise all this truly will have been for nothing.

  39. Robert A. Says:

    I had to post something about this because it just isn’t dying.

    http://www.cgisecurity.com/2010/06/why-publishing-exploit-code-is-generally-a-bad-idea-if-youre-paid-to-protect.html

  40. TheLightCosine Says:

    Does anyone else see the hypocrisy in the daily dave post? He slams RSnake repeatedly throughout the post, and consistently reaches for ad hominem attacks. Calling RSnake a ‘scumbag’ and a ‘turd’ etc. The main thrust of his argument however, seems to be that RSnake was reckless and irresponsible because he said inflammatory things that were harmful to Tavis Ormandy. How can anyone take such a posting seriously? Honestly I have a hard time taking anyone seriously when their writing includes the use of the word ‘turd’. Are we in grade school here?

    I believe, and correct me if I am wrong here, that RSnake was not trying to rehash the Responsible Disclosure argument. I would suspect that many of us are done with that argument. The point RSnake was trying to make was in regards to the inconsistency that Google appears to have in this issue. It is a nebulous issue as to whether or not it is fair to associate Tavis in this capacity to his employer. The fact is that Tavis is very well known in the Industry and that association is nearly impossible to break. I would use some examples here, but I can’t think of any good ones that people would not find insulting to the involved parties. Just imagine somebody who is so famous that their name is synonymous with their organisation. If they do something controversial, their org will not be able to remove themselves from that event without direct action. Google could easily have issued a disclaimer “The actions of Tavis Ormandy in this matter, in no way reflect the positions or policies of Google” or some such.

    One final note of hypocrisy. The author of the daily dave post tries to discredit RSnake’s post by pointing out that he has a long standing negative history with Google. I seem to recall that this is not Mr Ormandy’s first full disclosure flap with Microsoft.

    And before anyone verbally lashes me, I will make the disclaimer that Rsnake, Tavis, and lcamtuf are three people I respect a great deal, and in no way are my remarks meant to impugn upon them.