| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 26 Sep 2007 07:03:57 -0400 From: <full-disclosure@...hmail.com> To: <full-disclosure@...ts.grok.org.uk>,<redhowlingwolves@...lsouth.net> Subject: Re: defining 0day What gives any of you the right to define 0day? Let's leave defining 0day to those who can produce 0day. This is not you, Gadi and fat jewman cheerleaders. WMF, ANI, etc. On Tue, 25 Sep 2007 23:38:41 -0400 scott <redhowlingwolves@...lsouth.net> wrote: >This make sense,but if we can't even agree on what the public >perceives >as a threat that they know nothing about,until a patch comes out >or a >full blown exploit shows up ITW (such trivial bullshit),how can we >even >say that we agree on the terms like >disclosure,vulnerability,etc,etc,etc. > >How about we all agree that certain things can have different >terms that >mean the same thing.It's all semantics,really.I'm not going to go >to New >Orleans and tell them they speak English all wrong,although an >English >professor might try. > >Would he get anywhere?Very doubtful.Same thing applies here. > >Cheers, Scott > > > > >Gadi Evron wrote: >> On Wed, 26 Sep 2007, Charles Miller wrote: >>> On 26/09/2007, at 5:02 AM, Gadi Evron wrote: >>> >>>> Okay. I think we exhausted the different views, and maybe we >are now >>>> able to come to a conlusion on what we WANT 0day to mean. >>>> >>>> What do you, as professional, believe 0day should mean, >regardless >>>> of previous definitions? >>> >>> As a professional, I would be happy to see terms like '0day' >banished >>> from the lexicon entirely. It's an essentially meaningless -- >all >>> third-party exploits are zero-day to _somebody_ -- term of >boast >>> co-opted from the warez scene, and we can do perfectly well >without it. >>> >>> Quibbling over its precise definition seems a ridiculous waste >of bytes. >>> >> >> It would if we are to stay stuck in our niche, but you need to >> remember - security is about niches, we are all experts -- but >in very >> specific fields. >> >> These past 2 years we faced multiple targeted attacks with >previously >> unknown vulnerabilities. We experience MASSIVE exploitation of >users >> with 0days used on web sites and ine mail, etc. >> >> As an industry, as professionals, it is time to get our act >together >> on the basics. >> >> I am operations manager for ZERT, and for me, this is indeed at >the >> very heart of the matter. How you define this silliness is >directly >> linked to how you do two of the most essential parts of >security: >> >> 1. Vulnerability disclosure - for researchers. >> >> 2. Incident response - for.. responders. >> >> If a vulnerabiliy is fully disclosed, unpatched, being actively >> exploited, etc. caused real confusion, and non of us, or any of >the >> written material, can agree on the basics. >> >> It's not about fighting on what 0day means as much as it is >about how >> we as an industry, a community, conduct ourselves and can reach >a >> common language, which directly impacts operations. >> >> So, if WMF was disclosed today after being actively exploited >itw for >> a while, what would you call it? How would you respond to it? >How long >> would it stay unpatched and when will you realize its >importance? >> >>> C >> >> Gadi. >> > >_______________________________________________ >Full-Disclosure - We believe in it. >Charter: http://lists.grok.org.uk/full-disclosure-charter.html >Hosted and sponsored by Secunia - http://secunia.com/ -- See the stunning beauty of Europe via rail. Click now for more info! http://tagline.hushmail.com/fc/Ioyw6h4ePdgpQ0gi2SdQYv2g15h5odGclgmE3zKiwgw13bfagoeaxC/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists