Softpedia
 

July 5th, 2010, 13:25 GMT · By

Upset Security Researchers Start Releasing Microsoft 0Days

A group of security researchers promises to release Microsoft vulnerabilities as zero-days
A group of security researchers has released full details and exploit code for an unpatched Windows local privilege escalation vulnerability. The researchers openly stated that they will continue to do so in response to how Microsoft treated Tavis Ormandy, the Google engineer blamed for publicly disclosing a critical Windows bug last month.

The advisory for a new zero-day vulnerability affecting Windows Vista and Windows Server 2008 contains an interesting manifesto which reads: "Due to hostility toward security researchers, the most recent example being of Tavis Ormandy, a number of us from the industry (and some not from the industry) have come together to form MSRC: the Microsoft-Spurned Researcher Collective. MSRC will fully disclose vulnerability information discovered in our free time, free from retaliation against us or any inferred employer."

The name is clearly a pun directed at Microsoft's Security Response Center (MSRC), while Tavis Ormandy is the Google engineer who disclosed the Windows XP Help Center vulnerability that is currently being exploited in the wild. Ormandy has taken a lot of heat from both Microsoft and from others in the security community for publishing details about an unpatched critical vulnerability in the public domain.

According to Security Focus, the bug exposed by the so-called "Microsoft-Spurned Researcher Collective" can lead to local privilege escalation. "An attacker may exploit this issue to execute arbitrary code with kernel-level privileges, however, this has not been confirmed. Successful exploits will result in the complete compromise of affected computers," the Security Focus advisory reads.

The upset security researchers poke more fun at Microsoft in their disclosure. For example, the workaround section tells the company to locate the HKCU\Microsoft\Windows\CurrentVersion\Security registry key and change the "OurJob" boolean value to FALSE. They even include an email address that others willing to join the cause can use to make contact.

In related news, two other Microsoft zero-day vulnerabilities have been disclosed in the past week. One is located in mshtml.dll, and exploiting it leads to a memory leak condition. According to Ruben Santamarta, the security researcher who discovered it, the flaw affects Internet Explorer 8 on Windows XP, Vista and 7 (32- and 64-bit), and can potentially be leveraged to circumvent ASLR and DEP.

The second bug affects Internet Information Services (IIS) 5.1 and can be used to bypass the server's security restrictions remotely. A security researcher named Soroush Dalili is credited with discovering this vulnerability. Complete exploitation details are available on his blog.

You can follow the editor on Twitter @lconstantin
TAGS: Microsoft | full disclosure | 0day vulnerability | Microsoft-Spurned Researcher Collective | CVE-2010-2549

READER COMMENTS:


Comment #1 by: n3td3v on 05 Jul 2010, 21:01 GMT

What Tavis Ormandy did was cyber terrorism and what these people are doing in support of him is cyber terrorism.

The government has to take a stand and arrest Ormandy and the people supporting him before this gets out of control.

Andrew

http://sites.google.com/site/n3td3v/

Comment #1.1 by: corcodell on 06 Jul 2010, 08:37 GMT

That is indeed true. It's got nothing to do with MS; it affects the users. Ormandy and others might say, then don't use MS products. Well, that's for me to decide, and I expect a responsible 'security researcher' not to do things that put me in danger. Or else they are simply with the 'other side'.

Comment #1.2 by: Nick on 06 Jul 2010, 18:50 GMT

I actually agree with what they're doing. Do not forget that the reason Microsoft has "patch Tuesday" and has taken up MOST of their security maintenance on their software is because of open source software being more forthcoming with their security vulnerabilities.

By releasing these proof-of-concept security bulletins they will successfully force Microsoft's hand and also protect their own identity (which is obviously important because this world seems to run on fear, uncertainty, and doubt). Also, the code released is not enough for mere 'crackers' to use - you'd have to REALLY know what you're doing to make this actually DO anything.

So, the next time you open your mouth to call them terrorists, please consider that YOU are the people that f***** up the country that we now live in: the United States. DMCA, PATRIOT Act, and soon ACTA - YOU people are the ones that made this happen because you let other people threaten you. You responded in fear and took away the civil liberties that many law-abiding citizens once enjoyed while making our country none the safer than before. Congrats.

Comment #1.3 by: Rob on 06 Jul 2010, 18:51 GMT

Microsoft didn't think it was important, therefore he released the code.

If you want Tavis arrested, then MS needs to be charged with gross negligence for ignoring reports.

Comment #1.4 by: Vaduva on 06 Jul 2010, 20:34 GMT

Wow...terrorism? That's a really idiotic accusation.

Comment #1.5 by: Older on 07 Jul 2010, 08:13 GMT

“Disclosing vulnerabilities to the public before informing the vendor for a fix must be treated as cyber-terrorism”

Hmm… and what if disclosed vulnerabilities to the vendor remain unpatched during years?

Shouldn’t the vendor be sanctioned for exposing its end-users so carelessly?

And, what about a vendor who injects more security holes in patches than the patches were supposed to close?

Shouldn’t this behavior be considered as irresponsible and be sanctioned?

Your comments are short of any insight about the nature of the problem.


Comment #2 by: DavidN on 06 Jul 2010, 12:10 GMT

Despicable. Utterly. They obviously can't make an impact by being responsible, so they'll be irresponsible.
Hmm. Sounds like a lot of other criminal activity.


Comment #3 by: K. Mitnick on 06 Jul 2010, 12:43 GMT

Terrorism? Give me a break - that's the word that's used by people trying to make a mountain out of a molehill basically, to make a situation or event seem way more serious than it actually is. You two need to unknot your panties and leave the analysis to people who actually have some idea of what they're talking about.

The Government will not arrest any researcher - simply because they are not acting against any current legislation.

The fact is you have no idea whether these exploits were previously discovered by criminals and have been used for years. You don't think they publish the exploits they're using, do you? No one is monitoring for exploits that are not publicly known. So for MS to leave them unpatched once they do know about them is grossly negligent.

Grow up, stop crying and bleating and leave the analysis to others thanks.

Comment #3.1 by: D. Tracy on 06 Jul 2010, 18:41 GMT

Well said Kevin.


Comment #4 by: Eric on 06 Jul 2010, 19:35 GMT

I agree that this is nothing even close to terrorism, a word that should be used with far more care. The "Microsoft-Spurned Researcher Collective" is perhaps an over-reaction, or at least a very immature reaction, to a very serious issue.

I think that the most responsible action for a security researcher is to disclose the exploit to the company only, wait a reasonable amount of time, and then disclose it publicly. That said, it is ultimately up to the researcher and circumstances.

The whole point of public disclosure is to force a company to fix something. Companies often need to be pushed into taking security seriously, and these public disclosures are an embarrassment companies want to avoid.

There's a big difference between exposing a security hole for criminals to exploit and reporting on a hole criminals are already actively using.

No matter what security researchers do, systems will be compromised. If they keep their mouth shut, hackers can continue their pillage in secret, with an oblivious, incompetent, or apathetic Microsoft never implementing a fix. If the criminals haven't figured it out yet, they will eventually. Or, they can bring the issue to the light of day, which means more hackers might exploit it in the short term, but the flaw will be repaired, potentially protecting thousands of users.

Terrorism is defined as "the calculated use of violence (or the threat of violence) against civilians in order to attain goals that are political or religious or ideological in nature; this is done through intimidation or coercion or instilling fear".

Just because politicians throw around the word Terrorism without much thought doesn't mean you can too...


Comment #5 by: FT on 06 Jul 2010, 19:42 GMT

Not terrorism. These are nothing more than public bug reports.

So let me get your argument straight: suppose I find a security bug in the course of my work or my hobby or whatever. If you work with software a lot, you know that when you find a bug you initially don't know if it's a security flaw or not. All you know is that your program is not working right. So the natural (and correct) instinct is to seek help and advice from others. We all are aware that Microsoft just completely ignores communication about such things from individuals, so one is forced to ask the Internet. I don't blame Microsoft for this, all big companies behave this way.

So anyway HOW THE HECK are we software developers supposed to do our jobs if we are not "allowed" to discuss things that we don't even understand and only wish to understand further.


Comment #6 by: Fabrizia on 06 Jul 2010, 22:30 GMT

Good job, guys!
More public vulns = less private vulns, that can be exploited by criminals/government against us. Forza Hackers!


Comment #7 by: Hawk on 07 Jul 2010, 15:13 GMT

Yes! You are absolutely correct. Microsoft was utterly despicable in ignoring reports of a flaw and not repairing it, and was thus acting totally irresponsibly. And I agree they could make more of an impact by being responsible!

I guess you folks don't get the fundamental philosophical differences between white, gray & white hat security people.

Let's say that one person knows about a vuln and reports it and the company does nothing to fix it. Another person discovers it independently and hacks another company's database, whereby your credit information is now out there and you're having to now fight identity theft.

If said initial discoverer had released said exploit, a patch would have come because the company is being forced to address it. At the same time companies (if they are doing their job) can then take action to mitigate the intrusions since they now know about it, apply the patch and move forward instead of sitting vulnerable with no clue.

Would you rather someone who finds a problem with your car sit on it because the manufacturer doesn't want to address it and you smack into a semi truck because your brakes failed? Or would you rather them go public so your brakes/accelerator/whatever get fixed?
