Message-ID: <4CCB1FB8.8020201@extendedsubset.com>
Date: Fri, 29 Oct 2010 14:25:44 -0500
From: Marsh Ray <marsh@...endedsubset.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: 0-day "vulnerability"

On 10/29/2010 12:56 PM, Tyler Borland wrote:
> I think it's getting ridiculous. Who cares about bureaucratical terms?

I agree that the term "0-day" does not have universal agreement on its
meaning, so its use can be a sign of having too few sources of
information. But still, I think it can be useful. For example:

"The Stuxnet developers clearly had resources at their disposal because
they were willing to burn four Windows 0-days and two code signing certs
for the attack."

In that case we know what "0-day" means: an exploit the attacker can use
at his option without any advance warning to the defender. A sneak
attack, "unfair" to the defender (to the extent he was hoping the
attacker would play fair).

> I find more and more 'researchers' trying to just be auditors and
> categorize exploits and try to follow some kind of universal naming
> convention for exploits that doesn't exist and shouldn't exist.

I find myself using the technical term "pwned" quite regularly in
professional discussions. It conveys a certain meaning that I don't think is
captured as well by any other terms.

To me it conveys:

1. There is a significant vulnerability present in the target system
2. The attacker has already exploited this vulnerability, or is presumed
to have the ability to exploit it
3. A successful exploit represents a near-total compromise of a critical
protected resource, or it can likely be leveraged into it.
4. A successful exploit invalidates such fundamental assumptions of the
system's security model that it's probably not useful to try to reason
about distinctions in "degrees of pwnage".
5. The fact that the spell-checker doesn't recognize the term, even
though it has been in usage for many years now, should serve as a
reminder that the attacker specializes in putting systems in ambiguous
situations and causing them to fail in unanticipated ways.
6. The speaker is not going to sugar coat the truth in politically-
(or even grammatically-) correct terminology.

> I'd
> rather see information on exploits and interesting ways to use them than
> saying it's one type or the other.
>
> This 'scene' is not about politics and terminology for me.

I think once you have more than a handful of different and interesting
things, a terminology must emerge in order to be able to discuss them.
But whether or not the terminology which emerges is descriptive,
clearly-defined, agreed-upon, or the subject is becoming overly
political, are all another matter!

- Marsh
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/