The case of Tavis Ormandy; and when does a blogger become a journalist?

From a journalist we expect facts. We use those facts to inform our opinions and define how we interact with the world. From a blogger we expect entertainment; a voyeuristic view into somebody else’s opinions. We tend not to define our day based on the blogs we read.

Both of these statements are generalisations. We allow our journalists to have some opinions and we expect bloggers to justify theirs with some facts. Nevertheless it is a broadly accurate distinction. And problems can arise when bloggers stray into journalism; and to a lesser degree when journalists become bloggers.

There is an example current today. On 10 June 2010, Tavis Ormandy, an English-born security researcher based in Switzerland, disclosed a hitherto unknown vulnerability in Windows XP and Server 2003. He waited five days from the time he reported the vulnerability until the time he invoked full disclosure. Those are the basic facts. We’re going to have a look at how those facts have been treated by three separate bloggers:

  • Brian Krebs, one-time journalist with the Wall Street Journal, now mainstream blogger
  • Graham Cluley, award-winning security blogger
  • Roman Kenke, blogger

Brian Krebs wrote

Last week, Google researcher Tavis Ormandy disclosed the details of a flaw in the Microsoft Help & Support Center on Windows XP and Server 2003 systems that he showed could be used to remotely compromise affected systems. Today, experts at security firm Sophos reported that they’re seeing the first malicious and/or hacked sites beginning to exploit the bug.

These are facts – blogged by a journalist. I have a slight concern over tagging Ormandy as a ‘Google researcher’ because it is not relevant to the facts – but nevertheless of interest to the reader.

Graham Cluley wrote

A Google security engineer, Tavis Ormandy, sent details of a zero-day vulnerability he had discovered in Windows XP to Microsoft on Saturday June 5th… In the early hours of Thursday (June 10th), just five days after informing Microsoft of the security hole, the Google researcher decided to make his findings public – posting details of the vulnerability and proof-of-concept code to the Full Disclosure mailing list.

There are facts included here; but note the concentration on ‘Google’. Note also the tone (which is clearly very negative towards Ormandy), and the semantically less stringent use of language. The implication is that Ormandy woke up on Thursday morning and decided on the spur of the moment to release his findings. I see no evidence for this; and strongly suspect that the events of the previous five days were implicit in Thursday’s actions.

Roman Kenke wrote

Tavis Ormandy: Asshole at work… Just some weeks ago this so called security expert (and Google employee) disclosed security problems in Java Webstart, today he disclosed security problem in Windows Help. The problem is not so much that he discloses security issues, but the way he does it. The pattern seems to be similar in both cases. He notifies the company of the security issue, giving them some time (in Java’s case it was at least a month) and then goes on to publish the full disclosure just a couple of days later for idiotic reasons.

This is a blogger. It is stronger on personal opinions and emotive language than facts; and some of these opinions are presented as facts (‘so called security expert’; well, Tavis Ormandy genuinely is a security expert). The language is contradictory: ‘The pattern seems to be similar’ when one is disclosed ‘a couple of days later’ while ‘in Java’s case it was at least a month’.

So what should we make of these three different treatments of the Ormandy story? I’m going to take the Kenke publication out of the argument because it is a blog and we know it is a blog. We’re not looking for facts; we’re looking either to enjoy the entry or to reinforce or upset our existing prejudices. It is true to its genre.

The Krebs story is a journalist at work. He states the facts without imposing his own opinions. If I want to know what happened, I would read Krebs.

The problem comes with Cluley. Don’t get me wrong; I read and enjoy Graham Cluley’s blog. But here is a blogger who has been so successful that he is beginning to be treated as a journalist. People read Graham Cluley’s blog for facts. He has become a journalist. This is not his fault – it is the outcome of his own success.

But journalists have different responsibilities. Opinions must be justified, and counter opinions given space. Emotive language should be excluded.

Here’s an example. Twice in this extract Cluley links Ormandy to Google. The reader has to assume that this is relevant. So what is this relevance? A reasonable inference is that Cluley is associating Google with outing Microsoft. But a journalist cannot make such suggestions without evidence; and nowhere, in these or any other accounts, have I come across any proof that Google is at all involved.

So, first of all I apologise to these three authors. I have used their writing somewhat out of context to illustrate my own concern: when does a blogger become a journalist? There’s no easy answer. Krebs shows that a journalist is always a journalist; Kenke shows that a blogger is always a blogger. The difficulty comes with Graham Cluley: a blogger who is so successful that he is treated as a journalist; a source of facts. When this happens, the honorary journalist is honour-bound to relinquish his opinions and deal in facts. Or at least make it very clear that his writing reflects his own prejudiced (as all opinions are by definition) opinions. And as readers it is incumbent upon us to be aware of whether we are reading opinions or facts.

Categories: All, General Rants
  1. July 9, 2010 at 6:27 pm

    So.. are you saying I need to find a way to stop people treating me like a journalist? Or that I need to start acting more like a journalist?

    I’m not sure I know how to accomplish the former, and I’m not sure I want to do the latter.


    By the way, I don’t believe that Google were in any way involved in the disclosure, I think it’s more a case of Tavis Ormandy doing his thing and them turning a blind eye to what their employees get up to. It’s been a while since I wrote that blog post, but I expect I was trying to find a way of describing Ormandy other than using his name all the time!


    • July 9, 2010 at 10:04 pm

      Truth be told, the opposite is happening as well. Once upon a time we used to have journalist/reporters: writers who reported the facts in newspapers. There are very few left – we all, sorry, they all think they’re columnists paid to give their opinions rather than state the facts. OK, that’s too extreme; let’s just say it’s a trend.

      And it’s not fair of me to suggest you need to keep to the bare facts. You didn’t start as a journalist; and one of your strengths is your personal expertise. It’s personal. That means it includes your personal opinions. But I do think you need to bear in mind that you have a huge audience and can sway their opinions – and if you do that on purpose, that’s social engineering! (Incidentally, you probably guessed, my own sympathies tend to lie with Tavis Ormandy. In the overall sweep of things, I think he does more good than bad.)

      But it worries me. Where can we go just to get the facts these days?

