| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 23 Dec 2004 00:16:55 -0800 From: Crispin Cowan <crispin@...unix.com> To: "Steven M. Christey" <coley@...re.org> Cc: bugtraq@...urityfocus.com Subject: Re: DJB's students release 44 *nix software vulnerability advisories Steven M. Christey wrote: >In addition to modeling the level of authentication needed, I've been >thinking that it might also be important to note how much user/victim >participation is required for activation of the exploit, i.e. whether >the issue can be automatically exploited by normal user activity >(e.g. by simply reading an email message) or whether there's some >social engineering involved. However, I haven't put much thought into >terminology for this besides: > > - automatic: exploit is automatically activated as a result of > normal usage of the product > > I call this class "worms", or more grammatically a class of remote vulnerabilities subject to worm attack. where the malware can propagate unassisted. > - complicit: requires some victim participation or inaction > > I call this class "viruses, same grammar hack as above. These require the victim to click on something, or such like, before the malware can propagate. > - opportunistic: can not really control when, or if, the victim > activates the exploit > > I'm having a hard time seeing the difference between "complicit" and "opportunistic". Crispin -- Crispin Cowan, Ph.D. http://immunix.com/~crispin/ CTO, Immunix http://immunix.com
Powered by blists - more mailing lists