Is the Phoney War now over?
Well, now. Things just get interestinger and interestinger. Tavis Ormandy recently disclosed a Microsoft zero-day bug on the Full Disclosure mailing list. This caused a bit of a stir. Much of the anti-malware industry was aghast. The anti-malware industry, in general, is not over-keen on what is called ‘full disclosure’. It prefers what it terms ‘responsible disclosure’, cleverly implying that anything that does not fall within the definition of ‘responsible disclosure’ is ‘irresponsible disclosure’.

Tavis was criticised on two counts: firstly, that he was irresponsible, and secondly, that he was Google trying to score points against Microsoft. Let’s look at these.

Irresponsible

From Kurt Wismer:

I’m a little too late to the party to bother with vilifying him, but the arguments used to support him could stand and be reused in the future and those need to be addressed… (full disclosure as disarmament)

and from Graham Cluley:

In my opinion, Ormandy irresponsibly disclosed the vulnerability before Mi