Date: Fri, 29 Oct 2010 03:23:57 +0100
From: "Cal Leeming [Simplicity Media Ltd]"
	<cal.leeming@...plicitymedialtd.co.uk>
To: Josey Yelsef <hg_exposed@...oo.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: 0-day "vulnerability"

Yeah, just for the record, this thread is now hitting Google spam filters :S

On Fri, Oct 29, 2010 at 2:03 AM, Josey Yelsef <hg_exposed@...oo.com> wrote:

> 0-day is a scene word. Connotations are inferred; your more precise
> definition is pretty much what people already assume.
>
> Desensitization to security is a serious issue also. Look at homeland
> security's warning level system. Look at the news of deaths in Iraq and
> Afghanistan. It's as boring as looking up at the blue sky.
>
> --- On Thu, 10/28/10, Thor (Hammer of God) <thor@...merofgod.com> wrote:
>
>
> From: Thor (Hammer of God) <thor@...merofgod.com>
> Subject: Re: [Full-disclosure] 0-day "vulnerability"
> To: "Curt Purdy" <infosysec@...il.com>, "Thor (Hammer of God)" <
> thor@...merofgod.com>
> Cc: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>,
> "full-disclosure-bounces@...ts.grok.org.uk" <
> full-disclosure-bounces@...ts.grok.org.uk>
> Date: Thursday, October 28, 2010, 5:14 PM
>
> I would further define it as "code that can be run on a machine remotely
> without any human interaction."  What I think would be ultimately effective
> is if researchers and those who make disclosure announcements quit trying to
> make their discoveries or processes "cool" and just stick to the facts.
> Vendors want to downplay vulnerabilities, disclosures want it to sound as
> bad as it can be.  That's why we have people describing a user following a
> link in an email to download something from their site to be subsequently
> executed as "Remote Code Execution" that is "Moderately Critical" as if
> there are actually varying degrees of "Critical."
>
> The same holds true for quantifying "likelihood of exploitation" as "high"
> based on what researchers call "extremely common deployment environments in
> many businesses" when they are actually inferring what they THINK is common
> based on what two of their 5-10 workstation clients are doing with XP
> peer-to-peer configurations.
>
> I think that the only people really paying any attention to this are other
> researchers, who basically ignore what other people call something - this
> doesn't really benefit the "user."  People want the "vulnerability" they
> "discover" to be awesome and cool and critical because it substantiates
> their egos.  For now, preceding anything with "0-day" is a way of invoking
> fear and urgency as if it represents some imminent disaster, but soon people
> will become desensitized to that as well.
>
> t
>
> >-----Original Message-----
> >From: Curt Purdy [mailto:infosysec@...il.com]
> >Sent: Thursday, October 28, 2010 9:51 AM
> >To: Thor (Hammer of God)
> >Cc: w0lfd33m@...il.com; full-disclosure-bounces@...ts.grok.org.uk;
> >full-disclosure@...ts.grok.org.uk
> >Subject: Re: [Full-disclosure] 0-day "vulnerability"
> >
> >Right as usual t-man, but while we are doing F&Ws job for them, "Remote
> >code execution" is: any program you can run on a machine you can't touch
> >(for further explanation, "man touch").
> >
> >Curt
> >
> >
> >
> >On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God)
> ><thor@...merofgod.com> wrote:
> >> None of this really matters.  People will call it whatever they want
> >> to.  Generally, all software has some sort of vulnerability.  If they want
> >> to call the process of that vulnerability being communicated for the first
> >> time "0 day vulnerability" then so what.
> >>
> >> The industry can't (and won't) even come up with what "Remote Code
> >> Execution" really means, so trying to standardize disclosure nomenclature
> >> is a waste of time IMO.
> >> t
> >>
> >>>-----Original Message-----
> >>>From: full-disclosure-bounces@...ts.grok.org.uk
> >>>[mailto:full-disclosure-bounces@...ts.grok.org.uk] On Behalf Of
> >>>w0lfd33m@...il.com
> >>>Sent: Thursday, October 28, 2010 9:25 AM
> >>>To: Curt Purdy; full-disclosure-bounces@...ts.grok.org.uk;
> >>>full-disclosure@...ts.grok.org.uk
> >>>Subject: Re: [Full-disclosure] 0-day "vulnerability"
> >>>
> >>>Yep. Totally agree. A vulnerability exists in the system from the time it
> >>>is developed. It is just a matter of when it is disclosed or exploited.
> >>>
> >>>I would suggest "0-day disclosure" instead of "0-day vulnerability" :)
> >>>
> >>>
> >>>------Original Message------
> >>>From: Curt Purdy
> >>>Sender: full-disclosure-bounces@...ts.grok.org.uk
> >>>To: full-disclosure@...ts.grok.org.uk
> >>>Subject: [Full-disclosure] 0-day "vulnerability"
> >>>Sent: Oct 28, 2010 8:48 PM
> >>>
> >>>Sorry to rant, but I have seen this term used once too many times to
> >>>sit idly by. And used today by what I once thought was a respectable
> >>>infosec publication (that will remain nameless) while referring to the
> >>>current Firefox vulnerability (that did, by the way, once have a 0-day
> >>>sploit). Also, by definition, a 0-day no longer exists the moment it
> >>>is announced ;)
> >>>
> >>>Once and for all: there is no such thing as a "zero-day vulnerability"
> >>>(quoted), only a 0-day exploit...
> >>>
> >>>Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
> >>>
> >>>_______________________________________________
> >>>Full-Disclosure - We believe in it.
> >>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> >>>Hosted and sponsored by Secunia - http://secunia.com/
> >>>
> >>>
> >>
>



-- 

Cal Leeming

Operational Security & Support Team

Out of Hours: +44 (07534) 971120 | Support Tickets: support@...plicitymedialtd.co.uk
Fax: +44 (02476) 578987 | Email: cal.leeming@...plicitymedialtd.co.uk
IM: AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved.
Registered company number 7143564
