0day just means the day released; it's mostly a term used in the warez scene to qualify new apps/mp3s cracked each day, as exploits released each day ...

Gadi Evron wrote:
> Steven M. Christey wrote:
>
> Hey Steve! :)
>
>> It's not necessarily that 0-days are a myth, it's that people have
>> been using the term "0-day" to mean two separate things:
>
> 0days are not a myth on their own.
> They are live and kickin'! :)
>
>> - in-the-wild hacks of live systems using vulnerabilities previously
>> unknown to the public and the vendor;
>>
>> - release of exploit information for vulnerabilities previously
>> unknown to the public and the vendor, for which there are no known
>> in-the-wild hacks of live systems at the time of disclosure (though
>> such hacks seem to occur very soon afterward)
>
> I don't know, last year I read an article about 0days being released
> vulnerabilities where the patch is not applied yet. Uh huh.
>
>>> Does anyone still think bad guys don't exploit (to whatever goals) a
>>> 0day if it is out there?
>>
>> The answer seems obvious, but...
>>
>> It's not entirely clear to me how many in-the-wild 0-days exist and
>> are actively exploited. Just because some "white hat" finds something
>> does not mean that we should ALWAYS assume that the "black hats"
>> already know about it. The converse is also true, of course; see the
>
> On this point I disagree. We have to assume the worst, especially
> where we are specifically vulnerable. And as today we mostly rely on
> software security on top of software security for our defense - we
> HAVE to assume the worst... we just don't have to hype it, and
> possibly, we can call it what it really is.
>
>> recent WMF issue.
>
> The goal of said 0day may be for specific attacks against specific
> targets. I don't see why anyone would waste their secret & strong
> resource on the wild west of the net - we don't often find 0days,
> right? Microsoft's or SecurityFocus's sites don't go down that
> often, right?
>
> WMF was an exploit of opportunity, i.e.: what is our window of
> opportunity to infect users with spyware before we are found out?
> In this case it was about 2 weeks.
>
> This came to show that spyware manufacturers either did their own
> R&D or bought 0days. This is not the first time, either.
>
>> Certainly, at least a couple in-the-wild 0-days are publicized a year,
>> and maybe more in the coming year, given the precedents of the past 6
>> months or so, as the honeymonkeys project and Websense have shown.
>>
>> One would hope that there is some critical mass (i.e. number of
>> compromised systems) beyond which any in-the-wild 0-day would become
>> publicly known. This critical mass would depend on the diligence of
>> the incident response community and the amount of coordination -
>> direct or indirect - with the vulnerability research community.
>
> Critical mass could also be one well-placed machine. Point is we
> need to differentiate between, but not limited to:
> 1. Vulns that were already disclosed to the vendor or CC's.
> 2. Vulns that are publicly announced OR released by advisory or similar.
> and
> 3. Vulns that no one knows exist, whether being exploited wildly,
> kept in a bunker or used on special targets.
>
> It's time we stopped guessing and started regulating these terms,
> not because we can tell people how to use the term '0day' but rather
> what it might mean. Makes lives so much easier.
>
> In some of the above cases I will be proud to yell: "THERE ARE NO
> 0DAYS", while I know that's obviously false in other cases.
>
> The problem with this email, as well as any other to follow, is that
> they are all full of opinions. We have to stop being an opinion-led
> industry where opinions constitute 90% (didn't make any specific
> calculation, that's my opinion) of how we do things professionally.
>
>> - Steve
>
> I really hope this is not to become another long debate on religious
> terminology.. what have I done?!
>
> Gadi.
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/