Date: Sun, 20 Apr 2008 01:02:15 +0100
From: n3td3v <xploitable@...il.com>
To: coderman <coderman@...il.com>
Cc: n3td3v <n3td3v@...glegroups.com>, full-disclosure@...ts.grok.org.uk,
	Gadi Evron <ge@...uxbox.org>
Subject: Re: defining 0day

On Sun, Apr 20, 2008 at 12:44 AM, coderman <coderman@...il.com> wrote:
> On Sat, Apr 19, 2008 at 3:44 PM, n3td3v <xploitable@...il.com> wrote:
>  > ...
>
> >  I just caught a news article that summed up nicely what 0day means...
>  >
>  >  "A zero-day flaw is a software vulnerability that has become public
>  >  knowledge but for which no patch is available. It is particularly
>  >  dangerous since users are exposed from day zero until the day a vendor
>  >  prepares a patch and notifies users it is ready."
>
>  this is still incorrect.
>
>  as discussed previously: 0day is a perspective.
>
>  if it comes from out of nowhere and pwns your ass, it is 0day.
>
>  where you are on the vulnerability disclosure time-line determines
>  your perspective.  one man's 0day is another man's old news.
>

It doesn't matter how old it is, as long as no patch is available, it
will always come out of nowhere and pwn your ass.

Just because the human is psychologically aware of the unpatched
vulnerability and that it exists, to the vulnerable computer it is
still a 0-day and can come out of nowhere and pwn your ass.

0-day is about computers, it's not meant to be a reference to a human
perspective. The term 0-day is used to determine a threat against a
computer, not a human state of mind on how early the computer user was
alerted to a no patch available computer vulnerability.

The problem that arises is, people think 0day is a stage in human
psychology of becoming aware of a computer threat, when it's actually
used to reference the threat level to a computer system, the human
mind is irrelevant to how pwnable your system is from public
disclosure until patch release day.

If the computer is vulnerable, the computer is vulnerable, the human
mind is irrelevant.

Regards,

n3td3v
