http://avi-rubin.blogspot.com/2006/11/krugman-way-off-base-on-alec-yasinsac.html (from late November)
The Security and Assurance in Information Technology Laboratory (SAIT) at Florida State is the best security research group in the state of Florida if not the Southeast. I'm quite familiar with their research. The professors there include Breno de Medeiros, a recent Ph.D. alumnus of our program at Johns Hopkins, Mike Bermester, a famous Cryptographer, and of course Alec Yasinsac. I have known Alec for about 12 years. He is an extremely talented researcher and well respected security expert. The state of Florida contacted SAIT because they are the top computer security research group in the state....
Hearing a high profile columnist such as Krugman refer to my friend Alec Yasinsac as a partisan hack really stings, and it causes me to now question every time I see someone painted with such a brush in the media. Furthermore, Krugman writes his pieces as though Alec would be performing the audit alone. What a difference it makes to actually know the people involved very well. Krugman would have done well to interview some computer scientists about Alec and SAIT before dismissing this audit out of hand.
Read the whole thing, and then read the whole report. Like the part where they say that the source code is flawed because it assumes that PEB data can be trusted, and it would need to be extensively rewritten to fix this architectural flaw.
I will certainly defer to Avi Rubin on this one. Academics tend to be pretty intense about respecting people who do good work, and disrespecting people who don't, without regard to politics. There are some limitations in the audit that need to be talked up (and I assume that people who know more about computer security than I do will spot more), but don't shoot the messengers.