Date: Fri, 21 Sep 2007 09:25:59 -0700
From: "Michael Bitow" <michaelb@...f.org>
To: <bugtraq@...urityfocus.com>
Subject: RE: [Full-disclosure] 0day: PDF pwns Windows


Name calling and arguing about semantics is about as useful and
enjoyable as a fart in an elevator.

Sheesh.  I thought it was just the Quake players that got into e-peen
pissing contests.

And yes, I'm top-posting!



-----Original Message-----
From: Chad Perrin [mailto:perrin@...theon.com] 
Sent: Thursday, September 20, 2007 11:10 AM
To: bugtraq@...urityfocus.com
Subject: Re: [Full-disclosure] 0day: PDF pwns Windows

On Thu, Sep 20, 2007 at 06:34:03PM -0400, Joey Mengele wrote:
> Dear Fatboy,
> 
> Let's put aside for a minute the fact that you have no idea what you 
> are talking about and let's also, for the benefit of this very 
> valuable debate, assume your definition is correct. First, please 
> prove this bug was never used in the wild. After that, please prove 
> your credibility in the realm of defining words related to illegal 
> computer hacking. Thanks.

Tell me something -- what do *you* think "zero day" means that
differentiates it from "not zero day"?  I keep seeing people use the
term "zero day" (or "0day" or however you want to spell it) without any
regard for how this is meant to differentiate it from some alternative
to "zero day", and I have to wonder what these people think the term
means.  Do you just regard it as a way to make discovery of a
vulnerability as more "important" or "exciting"?  Why exactly use the
term if it has no meaning other than "look at this!"?

There is no such thing as a "zero day vulnerability".  A "zero day
exploit" is an exploit that has been used to compromise systems by the
"bad guys" before the "good guys" discovered it or, arguably, an exploit
being used by the "bad guys" before the "good guys" have developed a
patch for it.  It's not a proof of concept that no "bad guy" has any use
for, and it's not a vulnerability that someone outside of a vendor
discovered before the vendor announced its discovery.  If you have a
definition of the term "zero day" in a computer security context that
contradicts mine, I'd love to read your reasoning and see your sources.
After all, I can't learn anything new if I ignore things that I don't
already know.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ] MacUser, Nov.
1990: "There comes a time in the history of any project when it becomes
necessary to shoot the engineers and begin production."
