Neither Google nor Googler can wash hands of Windows bug disclosure

Google security engineer may have acted on his own, but both parties own the results

Google security engineer Tavis Ormandy is either naïve or disingenuous when he protests that his controversial disclosure of an unpatched Microsoft bug reflects solely on him and not at all on his employer.

Google is simply attempting damage control when it makes the same claim.

The real world doesn't work that way.


This IDG News Service story has details of the vulnerability, which affects Windows XP and Windows Server 2003. Microsoft issued an advisory yesterday and is working on a patch. From the news story:

The advisory was prompted by the bug's disclosure early Thursday, and the release of proof-of-concept attack code. Tavis Ormandy, a security engineer who works for Google in Switzerland, defended the decision to reveal the flaw only five days after reporting it to Microsoft. But Microsoft and other researchers questioned the quick publication.

Microsoft made no distinction between Ormandy and his employer in a blog post Thursday.

"This issue was reported to us on June 5, 2010 by a Google security researcher and then made public less than four days later, on June 9, 2010," said Mike Reavey, the director of the Microsoft Security Response Center (MSRC). "Public disclosure of the details of this vulnerability and how to exploit it, without giving us time to resolve the issue for our potentially affected customers, makes broad attacks more likely and puts customers at risk."

Microsoft may be milking the Google connection for more than it's worth, but not without justification. Google's position on responsible disclosure is clear, and its employee in this case clearly did not adhere to that position.

Ormandy's attempt to separate the two rings hollow, as with this message from his Twitter account. "The HelpCtr bug today was intended as a personal project. It sucks that work has been dragged into it."

It may suck, but Ormandy did the dragging. He's a Google security researcher who conducted security research about a Google competitor's product. What he wants is to be able to don a separate persona when making public the fruits of that labor.

Google says publicly it wants the same thing, telling CNet in a statement: "Tavis acted independently using research conducted in his own time. Tavis' personal views on disclosure don't necessarily reflect the views of his colleagues at Google or Google as a whole."

Not good enough.

What you do on your own time reflects upon your employer whether you or your employer wants it to or not; this has been true since the beginning of time. The closer the connection between your personal activities and your employer's business, the brighter that reflection will become. When, as is the case here, your personal and business activities overlap, your choices are almost always to toe the company line or start polishing the resume.  

It won't shock me if Ormandy soon has a lot more time for personal projects.



Copyright © 2010 IDG Communications, Inc.