Security News > 2004 > January > Researcher for whom exploit code means freedom of speech
Forwarded from: William Knowles http://www.smh.com.au/articles/2004/01/14/1073877889610.html By Sam Varghese January 15, 2004 Georgi Guninski is a man who is respected on vulnerability mailing lists. The Bulgarian security expert - and this is one instance when the word can be safely used - has spread himself wide when it comes to security but all of his vulnerability posts merit attention. From kernel bugs to browser holes, Guninski has found them all. His advisories are terse and to the point but cause a predictable degree of consternation when they are put out. His own favourite discovery is a race condition in the OpenBSD kernel. While many formerly independent researchers are slowly going over to the corporates, and in the process losing their ability to freely reveal details about flaws in proprietary software, Guninski has kept the faith. Indeed, his advice to other researchers is precisely that: "Keep the faith." He is passionate about full disclosure and the posting of exploit code; he feels this is often the only way to get software vendors to patch buggy programs. There is logic behind his rationale - according to him, some vendors wait six months before issuing a patch when a flaw is reported to them; on the other hand, in one case when an exploit was released in the wild (without the bug which it was exploiting being reported to the vendor), and military computers got broken into, the same vendor issued a patch in double quick time. Guninski is often accused of being a publicity seeker but dismisses such talk by saying that it is merely put out by companies "and their puppies" who do not like him. To his credit, he does not favour this side or that - his own site has a long list of the vulnerabilities he's found and be it in open source or proprietary software, he sticks to his principles of disclosing things in full. To those who try to offer the excuse that software will always be buggy, Guninski has one piece of advice - go and get a job at McDonald's. He was interviewed by email. How did you come to be interested in computer security? Was it in the family or were you one of those little nerdy boys who's always dying to find out how things work? Not the family. I have always had an unexplainable passion for computers. And I am more interested to find how things don't work or work in "strange" ways than to find out how just things work ;). How is Bulgaria in terms of technology, compared to countries in the west? There are talented people in Bulgaria, but the country is poor and people migrate. What led to your first IT job? Karma. See below.
News URL
http://www.smh.com.au/articles/2004/01/14/1073877889610.html