Along the same lines, from DHS to Symantec, the threat level is always
"Elevated". So yellow is now the new green. I think ISS (IBM now) is
one of the few that leave their alert level at "1" until there is
really a "2-4" situation to deal with. I don't need more stress in my
day than the crackers already provide...

Of course, I know keeping things in perspective is hard these days,
i.e. I was reading the Washington Post on the Metro this morning,
looking at a map of the four stations that al-Qaeda planned to bomb,
as I passed all four of them. I would say my PTL (Personal Threat
Level) is red.

BTW Hammer, I think "of" is an OK middle name, but I think your last
name is a little presumptuous ;)

Curt



On Thu, Oct 28, 2010 at 1:14 PM, Thor (Hammer of God)
<t...@hammerofgod.com> wrote:
> I would further define it as "code that can be run on a machine remotely 
> without any human interaction."   What I think would be ultimately effective 
> is if researchers and those who make disclosure announcements quit trying to 
> make their discoveries or processes "cool" and just stick to the facts.  
> Vendors want to downplay vulnerabilities, disclosers want it to sound as bad 
> as it can be.  That's why we have people describing a user following a link 
> in an email to download something from their site to be subsequently executed 
> as "Remote Code Execution" that is "Moderately Critical" as if there are 
> actually varying degrees of "Critical."
>
> The same holds true for quantifying "likelihood of exploitation" as "high" 
> based on what researchers call "extremely common deployment environments in 
> many businesses" when they are actually inferring what they THINK is common 
> based on what two of their 5-10 workstation clients are doing with XP 
> peer-to-peer configurations.
>
> I think that the only people really paying any attention to this are other 
> researchers, who basically ignore what other people call something - this 
> doesn't really benefit the "user."  People want the "vulnerability" they 
> "discover" to be awesome and cool and critical because it substantiates their 
> egos.  For now, preceding anything with "0-day" is a way of invoking fear and 
> urgency as if it represents some imminent disaster, but soon people will 
> become desensitized to that as well.
>
> t
>
>>-----Original Message-----
>>From: Curt Purdy [mailto:infosy...@gmail.com]
>>Sent: Thursday, October 28, 2010 9:51 AM
>>To: Thor (Hammer of God)
>>Cc: w0lfd...@gmail.com; full-disclosure-boun...@lists.grok.org.uk; full-
>>disclos...@lists.grok.org.uk
>>Subject: Re: [Full-disclosure] 0-day "vulnerability"
>>
>>Right as usual t-man, but while we are doing F&Ws job for them, "Remote
>>code execution" is: any program you can run on a machine you can't touch (for
>>further explanation, "man touch").
>>
>>Curt
>>
>>
>>
>>On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God)
>><t...@hammerofgod.com> wrote:
>>> None of this really matters.  People will call it whatever they want
>>> to.  Generally, all software has some sort of vulnerability.  If they want to
>>> call the process of that vulnerability being communicated for the first time
>>> "0 day vulnerability" then so what.
>>>
>>> The industry can't (and won't) even come up with what "Remote Code
>>> Execution" really means, so trying to standardize disclosure nomenclature is a
>>> waste of time IMO.
>>> t
>>>
>>>>-----Original Message-----
>>>>From: full-disclosure-boun...@lists.grok.org.uk
>>>>[mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of
>>>>w0lfd...@gmail.com
>>>>Sent: Thursday, October 28, 2010 9:25 AM
>>>>To: Curt Purdy; full-disclosure-boun...@lists.grok.org.uk; full-
>>>>disclos...@lists.grok.org.uk
>>>>Subject: Re: [Full-disclosure] 0-day "vulnerability"
>>>>
>>>>Yep. Totally agree. Vulnerability exists in the system since it has
>>>>been developed. It is just the matter when it has been disclosed or being
>>>>exploited.
>>>>
>>>>I would suggest " 0 day disclosure" instead of "0 day vulnerability"
>>>>:)
>>>>
>>>>
>>>>------Original Message------
>>>>From: Curt Purdy
>>>>Sender: full-disclosure-boun...@lists.grok.org.uk
>>>>To: full-disclosure@lists.grok.org.uk
>>>>Subject: [Full-disclosure] 0-day "vulnerability"
>>>>Sent: Oct 28, 2010 8:48 PM
>>>>
>>>>Sorry to rant, but I have seen this term used once too many times to
>>>>sit idly by. And used today by what I once thought was a respectable
>>>>infosec publication (that will remain nameless) while referring to the
>>>>current Firefox vulnerability (that did, by the way, once have a 0-day
>>>>sploit). Also, by definition, a 0-day no longer exists the moment it
>>>>is announced ;)
>>>>
>>>>For once and for all: There is no such thing as a "zero-day vulnerability"
>>>>(quoted), only a 0-day exploit...
>>>>
>>>>Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
>>>>
>>>>_______________________________________________
>>>>Full-Disclosure - We believe in it.
>>>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>Hosted and sponsored by Secunia - http://secunia.com/
>>>
>
