The case of Tavis Ormandy; and when does a blogger become a journalist?
From a journalist we expect facts. We use those facts to inform our opinions and define how we interact with the world. From a blogger we expect entertainment; a voyeuristic view into somebody else’s opinions. We tend not to define our day based on the blogs we read.
Both of these statements are generalisations. We allow our journalists to have some opinions and we expect bloggers to justify theirs with some facts. Nevertheless it is a broadly accurate distinction. And problems can arise when bloggers stray into journalism; and to a lesser degree when journalists become bloggers.
There is a current example. On 10 June 2010, Tavis Ormandy, an English-born security researcher based in Switzerland, disclosed a previously unknown vulnerability in the Help and Support Center of Windows XP and Server 2003. He waited five days from the time he reported the vulnerability to Microsoft until the time he invoked full disclosure. Those are the basic facts. We're going to have a look at how those facts have been treated by three separate bloggers:
- Brian Krebs, one-time journalist with the Washington Post, now mainstream blogger
- Graham Cluley, award-winning security blogger
- Roman Kenke, blogger
Last week, Google researcher Tavis Ormandy disclosed the details of a flaw in the Microsoft Help & Support Center on Windows XP and Server 2003 systems that he showed could be used to remotely compromise affected systems. Today, experts at security firm Sophos reported that they’re seeing the first malicious and/or hacked sites beginning to exploit the bug.
These are facts – blogged by a journalist. I have a slight concern over tagging Ormandy as a ‘Google researcher’ because it is not relevant to the facts – but nevertheless of interest to the reader.
A Google security engineer, Tavis Ormandy, sent details of a zero-day vulnerability he had discovered in Windows XP to Microsoft on Saturday June 5th… In the early hours of Thursday (June 10th), just five days after informing Microsoft of the security hole, the Google researcher decided to make his findings public – posting details of the vulnerability and proof-of-concept code to the Full Disclosure mailing list.
There are facts included here; but note the concentration on 'Google'. Note also the tone (which is clearly very negative towards Ormandy) and the looser, less precise use of language. The implication is that Ormandy woke up on Thursday morning and decided on the spur of the moment to release his findings. I see no evidence for this; and I strongly suspect that Thursday's action followed from what did, or did not, happen during the previous five days.
Tavis Ormandy: Asshole at work… Just some weeks ago this so-called security expert (and Google employee) disclosed security problems in Java Web Start; today he disclosed a security problem in Windows Help. The problem is not so much that he discloses security issues, but the way he does it. The pattern seems to be similar in both cases. He notifies the company of the security issue, giving them some time (in Java's case it was at least a month) and then goes on to publish the full disclosure just a couple of days later for idiotic reasons.
This is a blogger. It is stronger on personal opinions and emotive language than on facts; and some of these opinions are presented as facts ('so-called security expert'; well, Tavis Ormandy genuinely is a security expert). The language is contradictory: 'The pattern seems to be similar' when one issue is disclosed 'a couple of days later' while 'in Java's case it was at least a month'.
So what should we make of these three different treatments of the Ormandy story? I’m going to take the Kenke publication out of the argument because it is a blog and we know it is a blog. We’re not looking for facts; we’re looking either to enjoy the entry or to reinforce or upset our existing prejudices. It is true to its genre.
The Krebs story is a journalist at work. He states the facts without imposing his own opinions. If I want to know what happened, I would read Krebs.
The problem comes with Cluley. Don't get me wrong; I read and enjoy Graham Cluley's blog. But here is a blogger who has been so successful that he is beginning to be treated as a journalist. People read Graham Cluley's blog for facts. He has become a journalist. This is not his fault – it is the outcome of his own success.
But journalists have different responsibilities. Opinions must be justified, and counter opinions given space. Emotive language should be excluded.
Here's an example. Twice in this extract Cluley links Ormandy to Google. The reader has to assume that this is relevant. So what is the relevance? A reasonable inference is that Cluley is associating Google with outing Microsoft. But a journalist cannot make such a suggestion without evidence; and nowhere, in these or any other accounts, have I come across any proof that Google as a company was involved at all.
So, first of all I apologise to these three authors. I have used their writing somewhat out of context to illustrate my own concern: when does a blogger become a journalist? There’s no easy answer. Krebs shows that a journalist is always a journalist; Kenke shows that a blogger is always a blogger. The difficulty comes with Graham Cluley: a blogger who is so successful that he is treated as a journalist; a source of facts. When this happens, the honorary journalist is honour-bound to relinquish his opinions and deal in facts. Or at least make it very clear that his writing is his own prejudiced (as all opinions are by definition) opinions. And as readers it is incumbent upon us to be aware of whether we are reading opinions or facts.