lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 29 Oct 2010 14:25:44 -0500
From: Marsh Ray <marsh@...endedsubset.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: 0-day "vulnerability"

On 10/29/2010 12:56 PM, Tyler Borland wrote:
> I think it's getting ridiculous.  Who cares about bureaucratical terms?

I agree that the term "0-day" does not have universal agreement on its 
meaning, so its use can be a sign of having too few sources of 
information. But still, I think it can be useful. For example:

"The Stuxnet developers clearly had resources at their disposal because 
they were willing to burn four Windows 0-days and two code signing certs 
for the attack."

In that case we know what "0-day" means: an exploit the attacker can use 
at his option without any advance warning to the defender. A sneak 
attack, "unfair" to the defender (to the extent he was hoping the 
attacker to play fair).

> I find more and more 'researchers' trying to just be auditors and
> categorize exploits and try to follow some kind of universal naming
> convention for exploits that doesn't exist and shouldn't exist.

I find myself using the technical term "pwned" quite regularly in 
professional discussions. It conveys a certain meaning that I don't is 
captured as well by any other terms.

To me it conveys:

1. There is a significant vulnerability present in the target system

2. The attacker has already exploited this vulnerability, or is presumed 
to have the ability to exploit it

3. A successful exploit represents a near-total compromise of a critical 
protected resource, or it can likely be leveraged into it.

4. A successful exploit invalidates such fundamental assumptions of the 
system's security model that it's probably not useful to try to reason 
about distinctions in "degrees of pwnage".

5. The fact that the spell-checker doesn't recognize the term, even 
though it has been in usage for many years now, should serve as a 
reminder that the attacker specializes in putting systems in ambiguous 
situations and causing them fail in unanticipated ways.

6. The speaker is not going to sugar coat the truth in politically-
(or even grammatically-) correct terminology.

> I'd
> rather see information on exploits and interesting ways to use them than
> saying it's one type or the other.
>
> This 'scene' is not about politics and terminology for me.

I think once you have more than a handful of different and interesting 
things, a terminology must emerge in order to be able to discuss them.

But whether or not the terminology which emerges is descriptive, 
clearly-defined, agreed-upon, or the subject is becoming overly 
political, are all another matter!

- Marsh

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists