Anti-virus industry’s bête noire Tavis Ormandy to enter the lion’s den

Well, this could be interesting…

Graham Cluley

The anti-virus industry's bête noire to speak at the anti-virus industry conference

The Virus Bulletin conference is being held in Denver, Colorado, next month.

Here’s the sneak peek at some of the highlights:

  • an interview with the notable and controversial Tavis Ormandy in a session called “Anti-Virus: Help or Hindrance?” The Google Project Zero researcher has uncovered and disclosed several explosive security vulnerabilities over the years, some of which severely impacted normal business operation for affected vendors;
  • a live drone demo from HPE showing how existing vulnerabilities in today’s GPS navigation systems can be exploited by attackers;
  • an overview of recent high-profile watering hole attacks by top APT actors from Kaspersky Lab’s Costin Raiu;
  • a snapshot of how to decrypt recent families of ransomware from Malwarebytes;
  • a closing keynote from well-known security researcher and journalist Morgan Marquis-Boire.

Woah! Rewind…


Google vulnerability researcher Tavis Ormandy, the bête noire of the anti-virus industry, is going to be there.

Ormandy, you may recall, is an incredibly talented bug hunter. He can read hexadecimal code like mere mortals read assembly language. He has an impressively long history of uncovering security holes, and in recent years has turned his attention to finding flaws in anti-virus products and (most recently) password managers.

However, Ormandy is also a highly controversial figure. In the past he has been accused of disclosing flaws in software products, and publishing exploit code that could be used by malicious hackers, without giving vendors a decent chance at fixing the problem.

For instance, in 2010 Ormandy gave Microsoft only five days to fix a security vulnerability before going public with details of how hackers could write malicious code to exploit it.

Sure enough, malicious hackers then took advantage of Ormandy’s disclosure to spread an attack which infected users.

In my opinion, Ormandy’s actions were irresponsible and I found it shocking that a Google employee would do such a thing. Of course, some folks disagreed with me (including Tavis himself).

There’s no doubt that Tavis Ormandy has proven himself capable of finding security holes in software that should have been found by the vendors themselves, and that it is better that such flaws get fixed than ignored. To that extent, he provides a valuable service.

But I also know that there are some who feel that the way he handles the disclosures is unprofessional, and in some cases could panic users unnecessarily or even put them at risk.

Tavis’s session at the Virus Bulletin conference will be packed, I have no doubt about that.

But I wonder if there will be any representatives of security companies brave enough to put up their hands and ask him some awkward questions about how he has operated in the past?

My guess is that most of the anti-virus vendors will pussy-foot around for fear of earning his attention next time he decides to rip a product to shreds.

Learn more about the Virus Bulletin 2016 conference.


Graham Cluley is an award-winning keynote speaker who has given presentations around the world about cybersecurity, hackers, and online privacy. A veteran of the computer security industry since the early 1990s, he wrote the first ever version of Dr Solomon's Anti-Virus Toolkit for Windows, makes regular media appearances, and is the co-host of the popular "The AI Fix" and "Smashing Security" podcasts. Follow him on Bluesky, Mastodon, and Threads, or drop him an email.

4 comments on “Anti-virus industry’s bête noire Tavis Ormandy to enter the lion’s den”

  1. no one

    What a bunch of pussies, afraid of a bug finder…

  2. David L

    Well Graham, you straddled the fence nicely.
    I am a fan of Ormandy, but agree with you that he could be more responsible, and has been, over time. But I find it unconscionable for SECURITY vendors to have such glaring holes in their software that it truly makes me smile when the little guy embarrasses the vendors.

    A couple years back, at Blackhat Asia, another researcher named Koret took 14 different AV products to task, and he was a whole lot more unmerciful than Tavis is/was. Back then, Avast was one of only a few who had a bug bounty program to reward researchers, and actually paid Koret about (115 k) if I remember correctly. It's because Avast is proactive in this regard, and has the most features for Android, that I am satisfied with their products. Even if that means, they put a few respectable ads shown inside the Free Android app. Which I will view on purpose, just to help pay my way.

  3. Jim

    "accused of disclosing flaws". I'm wondering if there are malicious hackers looking for flaws in software products who don't work to a timeline but exploit the flaw as soon as they find it.

  4. Graham Cluley

    Update: Apparently Tavis ended up not attending the conference.

    Which is a shame.
