Google Engineer Aiding Hackers.... Wait, What?

Something very bizarre going on here, but it appears that Google engineer Tavis Ormandy is publishing exploits and releasing details of code weaknesses in competing products (specifically Microsoft's, for now anyway) and he's doing it with the blessing of Google.

Business Insider has the full story here, but in brief it appears that Tavis has been upset by the speed at which Microsoft addresses weaknesses in its software and, rather than follow the white hacker ethics code, which would mean that companies would be given a 30-60 head start before the weakness was published in the wild, Tavis has reduced this timeline to seven days.

I'm struggling to see how this behaviour can be seen as anything but evil on Google and Tavis's part. Certainly it goes against the grain for a white hacker to effectively blackmail a company in this way. Google's employment and support in this very much brings into question the motives for doing this too.

Ultimately Microsoft is responsible for it weaknesses and failings and putting them right is an important part of Microsoft's system update services.

But with an installed use base and software catalogue the size of Microsoft's its unrealistic to expect everything to be totally watertight or for vulnerabilities to be addresses in seven scant days.

The actions of Google and Tavis Ormandy specifically hurt Microsoft's customers, many of whom are also Google's customers and won't be hugely appreciative of these sorts of actions.

If your bank account was wiped because of a Windows security failing you'll be rightly annoyed at Microsoft. If it was wiped because a Google engineer published an exploit which allowed any script kiddie to use an obscure weakness to empty your account I suspect that you'll reserve the largest part of your wrath for them.

All things considered not a particularly sensible move.

0 comments: