Clowns

A few days ago, a presentation at the previously obscure Toorcon security conference featured a pair of self-styled hackers who claimed they had discovered a zero-day exploit in Firefox. On a scale of 1 to 10, this is about a 13, especially with the added detail that devising a patch might be difficult or even impossible.

I chose not to write about it here or at ZDNet, because something just didn’t feel right about this story.

Now, it turns out, one of the two presenters admits they were just clowning around:

[Mischa] Spiegelmock, a developer at Six Apart, a blog software company in San Francisco, now says the ToorCon talk was meant “to be humorous” and insists the code presented at the conference cannot result in code execution.

If these two really were just clowns, it wouldn’t be a big deal. But one of the two works for Six Apart, which runs the TypePad and LiveJournal blogging services and sells the Movable Type blogging platform. Having a heavyweight name on his business card probably has at least something to do with why these guys were selected to speak, and why the security community took them seriously. Pulling a fire alarm isn’t funny, and it no doubt sent a lot of security professionals scrambling to perform work that wasn’t necessary. They have every right to be pissed off.

eWeek’s Ryan Naraine and Brian Krebs of the Washington Post are both excellent reporters. I hope the folks at Six Apart turn over every rock to find the real story. If Naraine and Krebs are reporting accurately, someone needs to be fired – or sent to work night shifts on the Clueless Newbies support desk.