Today's worst person in the (infosecurity) world

Summary: Borrowing a page from Keith Olbermann's Countdown playbook, I nominate security researcher Michal Zalewski as today's worst person in the world (of info security) for releasing details of a zero-day exploit of Internet Explorer as what he calls an act of "civil disobedience". For some reason, Zalewski thinks it's OK to put millions of IE users at risk to make a public statement about his issues with how Microsoft works with the security community.

As we used to say in my neighborhood growing up, "What a yutz!"

eWEEK has details concerning the exploit and Zalewski's "unapologetic" posture regarding his unilateral decision to go public with the exploit without sharing his findings with Microsoft. If you want the technical details, read their coverage. What has me shaking my head in disbelief is the unmitigated arrogance and complete lack of concern for consequences his grandstanding displays. The eWEEK article quotes Zalewski as saying,

"I didn't give an advance notification to Microsoft, because I strongly oppose their handling of the vulnerability patching process. Although I can't make a difference, it's the tiny bit of civil disobedience I can afford whenever I can reasonably believe that no immediate harm would be done to third parties."

I surely hope his "reasonable belief" is correct. If he's wrong, millions of people will potentially pay the price for this bonehead stunt. I'm in no mood to debate the merits of his justifications for taking this approach. It's a bad decision.

Talkback

7 comments
  • "Unmitigated Arrogance"?

    If you understood the technical details of the vulnerability, you'd understand why it's virtually impossible to exploit. Accordingly, it's more than likely that Zalewski is correct.

    Further, it is more-than-likely in everyone's long term interests if Microsoft gets its arms twisted around sooner, rather than later. Their patch process continues to put customers at risk simply because it is grossly mismanaged and unforgivably slow.

    I've had the, erm... pleasure... of dealing with it on occasion, and I can certainly say that I don't blame Zalewski a bit.
    SecurityGeek_z
    • Absolutely - this is not how to solve the problem

      Before you get all uber-geek arrogant on me - I do understand the technical details. I do understand that this is not an especially easy exploit vector to take advantage of. I also know that there are terribly clever people with no scruples who you simply do not provide this kind of information to in this fashion.

      If you want to arm wrestle Microsoft into compliance this is not the way to do it. A unilateral power play like this sets an extraordinarily bad precedent and it is inexcusable for that reason alone. What happens when someone else with fewer scruples decides to follow Zalewski's example and reveals something easier to exploit?

      Get involved with a group of people - air your grievances in public - try to bring Microsoft to the table if you really think they are as bad as Zalewski describes them. But do not, under any circumstances, put the public at risk making bonehead grandstand plays for attention. It's unprofessional. It's irresponsible. It's indefensible.

      Period.
      morchant
  • Agreed.

    Should he be convicted of a criminal offense?
    The laws against exploits might be sufficient.

    The case in favor of putting him in jail would be even less ambiguous if his contribution were used to create malware that was spread.

    I wonder, too, if the report of his actions in the press has started an investigation. If not, I wonder why not.

    A sentence of, say, 20 years would demonstrate an appropriate concern for such actions.
    Anton Philidor
    • 20 years?

      Not THAT bad, was it? He SHOULD HAVE contacted M$ and given them 30 days to respond. That is the compromise between the two camps.
      Roger Ramjet
      • Absolutely right Roger

        That's my point. Give them a reasonable amount of time to respond (regardless of what you think about their past performance). If they blow you off, then you are at least on the middle, if not the high road when you take your discovery public.
        morchant
        • Screw that

          Political posturing about the high road?

          Screw that! I'll tell you what. I'm sure this guy, at some point, tried to get through to them. I'm sure at some point, he attempted to do things the right way, and in fact they probably disregarded him.

          It may not have been with regards to this issue-- but let's face it, motivation doesn't appear out of thin air!

          ...and anarchists are made, not born that way.

          Also, his "unapologetic posture" is, IMHO, exactly the response that Microsoft deserves. Speaking of "unapologetic posture," I can think of a great deal of the IT community that would apply those words to Microsoft.

          And as for the legal ramifications fellas, it is one thing to say something, and another to materially contribute to it. Think of the authors of books about how to build bombs-- thanks to our laws, they're not liable without materially contributing.
          kckn4fun
          • Why are you so sure?

            Because you have an attitude about Microsoft that makes you sympathetic to anyone who pokes a stick in their eye?

            Microsoft isn't the issue here. I could care less whether this causes them embarrassment or pain. They're a big, insanely profitable company and they can (and do) look after themselves.

            The high road is to think about the innocent victims in all of this because, if there are to be any, it's your family, friends, and neighbors who will be the losers as a result of what this man has done.

            So stop skirting the issue by making this about whether his lame justification is more or less lame. And spare me the moral relativism of that tired old "guns don't kill people" philosophical babble.

            I repeat... there is NO justification for what Zalewski did.
            morchant