Date: Tue Feb 14 13:02:36 2006
From: ad at heapoverflow.com (ad@...poverflow.com)
Subject: Re: On the "0-day" term

0day just means the day released, it's mostly a term used in the warez
scene to qualify new app/mp3 cracked each day, as exploits released
each day ...

Gadi Evron wrote:
> Steven M. Christey wrote:
>
> Hey Steve! :)
>
>> It's not necessarily that 0-days are a myth, it's that people have
>> been using the term "0-day" to mean two separate things:
>
> 0days are not a myth on their own.
> They are live and kickin`! :)
>
>>  - in-the-wild hacks of live systems using vulnerabilities previously
>>    unknown to the public and the vendor;
>>
>>  - release of exploit information for vulnerabilities previously
>>    unknown to the public and the vendor, for which there are no known
>>    in-the-wild hacks of live systems at the time of disclosure (though
>>    such hacks seem to occur very soon afterward)
>
> I don't know, last year I read an article about 0days being released
> vulnerabilities where the patch is not applied yet. Uh huh.
>
>>> Does anyone still think bad guys don't exploit (to whatever goals) a
>>> 0day if it is out there?
>>
>>
>> The answer seems obvious, but...
>>
>> It's not entirely clear to me how many in-the-wild 0-days exist and
>> are actively exploited.  Just because some "white hat" finds something
>> does not mean that we should ALWAYS assume that the "black hats"
>> already know about it.  The converse is also true, of course; see the
>
> On this point I disagree. We have to assume the worst, especially
> where we are specifically vulnerable. And as today we mostly rely on
> software security on-top of software security for our defense - we
> HAVE to assume the worst... we just don't have to hype it, and
> possibly, we can call it what it really is.
>
>> recent WMF issue.
>
> The goal of said 0day may be for specific attacks against specific
> targets. I don't see why anyone would waste their secret & strong
> resource on the wild west of the net - we don't often find 0days,
> right? Microsoft's or SecurityFocus's sites don't go down that
> often, right?
>
> WMF was an exploit of opportunity, i.e.: what is our window of
> opportunity to infect users with spyware before we are found out?
> In this case it was about 2 weeks.
>
> This came to show that spyware manufacturers either did their own
> R&D or bought 0days. This is not the first time, either.
>
>> Certainly, at least a couple in-the-wild 0-days are publicized a year,
>> and maybe more in the coming year, given the precedents of the past 6
>> months or so, as the honeymonkeys project and Websense have shown.
>>
>> One would hope that there is some critical mass (i.e. number of
>> compromised systems) beyond which any in-the-wild 0-day would become
>> publicly known.  This critical mass would depend on the diligence of
>> the incident response community and the amount of coordination -
>> direct or indirect - with the vulnerability research community.
>
> Critical mass could also be one well-placed machine. Point is we
> need to differentiate between, but not limited to:
> 1. Vulns that were already disclosed to the vendor or CC's.
> 2. Vulns that are publicly announced OR released by advisory or similar.
> and
> 3. Vulns that no one knows exist, whether being exploited wildly,
> kept in a bunker or used on special targets.
>
> It's time we stopped guessing and started regulating these terms,
> not because we can tell people how to use the term '0day' but rather
> what it might mean. Makes lives so much easier.
>
> In some of the above cases I will be proud to yell: "THERE ARE NO
> 0DAYS", while I know that's obviously false in other cases.
>
> The problem with this email, as well as any other to follow is that
> they are all full of opinions. We have to stop being an opinion-led
> industry where opinions constitute 90% (didn't make any specific
> calculation, that's my opinion) of how we do things professionally.
>
>> - Steve
>
> I really hope this is not to become another long debate on religious
> terminology.. what have I done?!
>
>     Gadi.
