Anti-virus industry's bête noire Tavis Ormandy to enter the lion's den

Well, this could be interesting…

The anti-virus industry's bête noire to speak at the anti-virus industry conference

The Virus Bulletin conference is being held in Denver, Colorado, next month.

Here's the sneak peek at some of the highlights:

  • an interview with the notable and controversial Tavis Ormandy in a session called "Anti-Virus: Help or Hindrance?" The Google Project Zero researcher has uncovered and disclosed several explosive security vulnerabilities over the years, some of which severely impacted normal business operation for affected vendors;
  • a live drone demo from HPE showing how existing vulnerabilities in today’s GPS navigation systems can be exploited by attackers;
  • an overview of recent high-profile watering hole attacks by top APT actors from Kaspersky Lab’s Costin Raiu;
  • a snapshot of how to decrypt recent families of ransomware from Malwarebytes;
  • a closing keynote from well-known security researcher and journalist Morgan Marquis-Boire.

Woah! Rewind...

Google vulnerability researcher Tavis Ormandy, the bête noire of the anti-virus industry, is going to be there.

Ormandy, you may recall, is an incredibly talented bug hunter. He can read hexadecimal code the way mere mortals read assembly language. He has an impressively long history of uncovering security holes, and in recent years has turned his attention to finding flaws in anti-virus products and (most recently) password managers.

However, Ormandy is also a highly controversial figure. In the past he has been accused of disclosing flaws in software products, and publishing exploit code that could be used by malicious hackers, without giving vendors a decent chance at fixing the problem.

For instance, in 2010 Ormandy gave Microsoft only five days to fix a security vulnerability before going public with details of how hackers could write malicious code to exploit it.

Sure enough, malicious hackers then took advantage of Ormandy's disclosure to spread an attack which infected users.

In my opinion, Ormandy's actions were irresponsible and I found it shocking that a Google employee would do such a thing. Of course, some folks disagreed with me (including Tavis himself).

There's no doubt that Tavis Ormandy has proven himself capable of finding security holes in software that should have been found by the vendors themselves, and that it is better that such flaws get fixed than ignored. To that extent, he provides a valuable service.

But I also know that there are some who feel that the way he handles the disclosures is unprofessional, and in some cases could panic users unnecessarily or even put them at risk.

Tavis's session at the Virus Bulletin conference will be packed, I have no doubt about that.

But I wonder if there will be any representatives of security companies brave enough to put up their hands and ask him some awkward questions about how he has operated in the past?

My guess is that most of the anti-virus vendors will pussy-foot around for fear of earning his attention next time he decides to rip a product to shreds.

Learn more about the Virus Bulletin 2016 conference.



4 Responses

  1. no one

    September 19, 2016 at 4:42 pm

    What a bunch of pussies, afraid of a bug finder…

  2. David L

    September 19, 2016 at 4:53 pm

    Well Graham, you straddled the fence nicely.
    I am a fan of Ormandy, but agree with you that he could be more responsible, and has been, over time. But I find it unconscionable for SECURITY vendors to have such glaring holes in their software that it truly makes me smile when the little guy embarrasses the vendors.

    A couple of years back, at Black Hat Asia, another researcher named Koret took 14 different AV products to task, and he was a whole lot more unmerciful than Tavis is/was. Back then, Avast was one of only a few who had a bug bounty program to reward researchers, and actually paid Koret about $115k if I remember correctly. It's because Avast is proactive in this regard, and has the most features for Android, that I am satisfied with their products. Even if that means they put a few respectable ads inside the free Android app. Which I will view on purpose, just to help pay my way.

  3. Jim

    September 22, 2016 at 1:12 pm

    "accused of disclosing flaws". I'm wondering if there are malicious hackers looking for flaws in software products who don't work to a timeline but exploit the flaw as soon as they find it.

  4. Graham Cluley

    January 17, 2017 at 5:32 pm

    Update: Apparently Tavis ended up not attending the conference.

    Which is a shame.
