Re: [Full-disclosure] 0-day vulnerability
LMAO!!

Regards;
w0lf
www.maestro-sec.com
-- sent from BlackBerry --

-Original Message-
From: Cal Leeming [Simplicity Media Ltd] cal.leem...@simplicitymedialtd.co.uk
Sender: full-disclosure-boun...@lists.grok.org.uk
Date: Fri, 29 Oct 2010 03:23:57
To: Josey Yelsefhg_expo...@yahoo.com
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] 0-day vulnerability

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Re: [Full-disclosure] 0-day vulnerability
I couldn't agree more.

On Fri, Oct 29, 2010 at 6:56 PM, Tyler Borland tborla...@gmail.com wrote:
> I think it's getting ridiculous. Who cares about bureaucratical terms? I find more and more 'researchers' trying to just be auditors and categorize exploits and try to follow some kind of universal naming convention for exploits that doesn't exist and shouldn't exist. I'd rather see information on exploits and interesting ways to use them than saying it's one type or the other. This 'scene' is not about politics and terminology for me.
>
> On Fri, Oct 29, 2010 at 2:01 AM, w0lfd...@gmail.com wrote:
> > LMAO!!

--
Cal Leeming
Operational Security Support Team
Out of Hours: +44 (07534) 971120 | Support Tickets: supp...@simplicitymedialtd.co.uk
Fax: +44 (02476) 578987 | Email: cal.leem...@simplicitymedialtd.co.uk
IM: AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved. Registered company number 7143564
Re: [Full-disclosure] 0-day vulnerability
On 10/29/2010 12:56 PM, Tyler Borland wrote:
> I think it's getting ridiculous. Who cares about bureaucratical terms?

I agree that the term 0-day does not have universal agreement on its meaning, so its use can be a sign of having too few sources of information. But still, I think it can be useful. For example: The Stuxnet developers clearly had resources at their disposal because they were willing to burn four Windows 0-days and two code signing certs for the attack.

In that case we know what 0-day means: an exploit the attacker can use at his option without any advance warning to the defender. A sneak attack, unfair to the defender (to the extent he was hoping the attacker to play fair).

> I find more and more 'researchers' trying to just be auditors and categorize exploits and try to follow some kind of universal naming convention for exploits that doesn't exist and shouldn't exist.

I find myself using the technical term pwned quite regularly in professional discussions. It conveys a certain meaning that I don't think is captured as well by any other terms. To me it conveys:

1. There is a significant vulnerability present in the target system
2. The attacker has already exploited this vulnerability, or is presumed to have the ability to exploit it
3. A successful exploit represents a near-total compromise of a critical protected resource, or it can likely be leveraged into it.
4. A successful exploit invalidates such fundamental assumptions of the system's security model that it's probably not useful to try to reason about distinctions in degrees of pwnage.
5. The fact that the spell-checker doesn't recognize the term, even though it has been in usage for many years now, should serve as a reminder that the attacker specializes in putting systems in ambiguous situations and causing them to fail in unanticipated ways.
6. The speaker is not going to sugar coat the truth in politically- (or even grammatically-) correct terminology.

> I'd rather see information on exploits and interesting ways to use them than saying it's one type or the other. This 'scene' is not about politics and terminology for me.

I think once you have more than a handful of different and interesting things, a terminology must emerge in order to be able to discuss them. But whether or not the terminology which emerges is descriptive, clearly-defined, agreed-upon, or the subject is becoming overly political, are all another matter!

- Marsh
[Full-disclosure] 0-day vulnerability
Sorry to rant, but I have seen this term used once too many times to sit idly by. And used today by what I once thought was a respectable infosec publication (that will remain nameless) while referring to the current Firefox vulnerability (that did, by the way, once have a 0-day sploit)

Also, by definition, a 0-day no longer exists the moment it is announced ;)

For once and for all: There is no such thing as a zero-day vulnerability (quoted), only a 0-day exploit...

Curt Purdy
CISSP, GSNA, GSEC, MCSE+I, CCNA
Re: [Full-disclosure] 0-day vulnerability
The term 0-day vulnerability usually refers to a currently unpatched security issue in some specific product. The availability of an exploit, public or not, is optional in this case. That's why both terms have the right to exist.

On Thu, Oct 28, 2010 at 17:18, Curt Purdy infosy...@gmail.com wrote:
> Sorry to rant, but I have seen this term used once too many times to sit idly by. And used today by what I once thought was a respectable infosec publication (that will remain nameless) while referring to the current Firefox vulnerability (that did, by the way, once have a 0-day sploit)
>
> Also, by definition, a 0-day no longer exists the moment it is announced ;)
>
> For once and for all: There is no such thing as a zero-day vulnerability (quoted), only a 0-day exploit...
>
> Curt Purdy
> CISSP, GSNA, GSEC, MCSE+I, CCNA
Re: [Full-disclosure] 0-day vulnerability
Yep. Totally agree. Vulnerability exists in the system since it has been developed. It is just the matter when it has been disclosed or being exploited. I would suggest 0 day disclosure instead of 0 day vulnerability :)

--Original Message--
From: Curt Purdy
Sender: full-disclosure-boun...@lists.grok.org.uk
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] 0-day vulnerability
Sent: Oct 28, 2010 8:48 PM

> Sorry to rant, but I have seen this term used once too many times to sit idly by. And used today by what I once thought was a respectable infosec publication (that will remain nameless) while referring to the current Firefox vulnerability (that did, by the way, once have a 0-day sploit)
>
> Also, by definition, a 0-day no longer exists the moment it is announced ;)
>
> For once and for all: There is no such thing as a zero-day vulnerability (quoted), only a 0-day exploit...
>
> Curt Purdy
> CISSP, GSNA, GSEC, MCSE+I, CCNA

Sent from BlackBerry® on Airtel
Re: [Full-disclosure] 0-day vulnerability
OK, good points. And since my mac dictionary widget doesn't have the term yet, I vote for 0day dis

It has a nice ring to it ;)

Curt

On Thu, Oct 28, 2010 at 12:24 PM, w0lfd...@gmail.com wrote:
> Yep. Totally agree. Vulnerability exists in the system since it has been developed. It is just the matter when it has been disclosed or being exploited. I would suggest 0 day disclosure instead of 0 day vulnerability :)
Re: [Full-disclosure] 0-day vulnerability
None of this really matters. People will call it whatever they want to. Generally, all software has some sort of vulnerability. If they want to call the process of that vulnerability being communicated for the first time 0 day vulnerability then so what. The industry can't (and won't) even come up with what Remote Code Execution really means, so trying to standardize disclosure nomenclature is a waste of time IMO.

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of w0lfd...@gmail.com
Sent: Thursday, October 28, 2010 9:25 AM
To: Curt Purdy; full-disclosure-boun...@lists.grok.org.uk; full-disclos...@lists.grok.org.uk
Subject: Re: [Full-disclosure] 0-day vulnerability

> Yep. Totally agree. Vulnerability exists in the system since it has been developed. It is just the matter when it has been disclosed or being exploited. I would suggest 0 day disclosure instead of 0 day vulnerability :)
Re: [Full-disclosure] 0-day vulnerability
Even my dictionary doesn't have it but if it suits the most, we have to include it ;)

--Original Message--
From: Curt Purdy
To: w0lfd...@gmail.com
Cc: full-disclosure-boun...@lists.grok.org.uk
Cc: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] 0-day vulnerability
Sent: Oct 28, 2010 10:01 PM

> OK, good points. And since my mac dictionary widget doesn't have the term yet, I vote for 0day dis
>
> It has a nice ring to it ;)
>
> Curt

Sent from BlackBerry® on Airtel
Re: [Full-disclosure] 0-day vulnerability
Right as usual t-man, but while we are doing FWs job for them, Remote code execution is: any program you can run on a machine you can't touch (for further explanation, man touch).

Curt

On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
> None of this really matters. People will call it whatever they want to. Generally, all software has some sort of vulnerability. If they want to call the process of that vulnerability being communicated for the first time 0 day vulnerability then so what. The industry can't (and won't) even come up with what Remote Code Execution really means, so trying to standardize disclosure nomenclature is a waste of time IMO.
>
> t
Re: [Full-disclosure] 0-day vulnerability
Yup. We arguing here on fine tuning industry accepted terms would hardly make any difference. But here we are just trying to argue what should have been the terminology. You can say that just cutting out time when there is really no work ;) :P

Regards;
w0lf
-- sent from BlackBerry --

-Original Message-
From: Thor (Hammer of God) t...@hammerofgod.com
Date: Thu, 28 Oct 2010 16:35:33
To: w0lfd...@gmail.com <w0lfd...@gmail.com>; Curt Purdy <infosy...@gmail.com>; full-disclosure-boun...@lists.grok.org.uk <full-disclosure-boun...@lists.grok.org.uk>; full-disclosure@lists.grok.org.uk <full-disclosure@lists.grok.org.uk>
Subject: RE: [Full-disclosure] 0-day vulnerability

> None of this really matters. People will call it whatever they want to. Generally, all software has some sort of vulnerability. If they want to call the process of that vulnerability being communicated for the first time 0 day vulnerability then so what. The industry can't (and won't) even come up with what Remote Code Execution really means, so trying to standardize disclosure nomenclature is a waste of time IMO.
>
> t
Re: [Full-disclosure] 0-day vulnerability
I would further define it as code that can be run on a machine remotely without any human interaction.

What I think would be ultimately effective is if researchers and those who make disclosure announcements quit trying to make their discoveries or processes cool and just stick to the facts. Vendors want to downplay vulnerabilities, disclosures want it to sound as bad as it can be. That's why we have people describing a user following a link in an email to download something from their site to be subsequently executed as Remote Code Execution that is Moderately Critical as if there are actually varying degrees of Critical. The same holds true for quantifying likelihood of exploitation as high based on what researchers call extremely common deployment environments in many businesses when they are actually inferring what they THINK is common based on what two of their 5-10 workstation clients are doing with XP peer-to-peer configurations.

I think that the only people really paying any attention to this are other researchers, who basically ignore what other people call something - this doesn't really benefit the user. People want the vulnerability they discover to be awesome and cool and critical because it substantiates their egos. For now, preceding anything with 0-day is a way of invoking fear and urgency as if it represents some imminent disaster, but soon people will become desensitized to that as well.

t

-Original Message-
From: Curt Purdy [mailto:infosy...@gmail.com]
Sent: Thursday, October 28, 2010 9:51 AM
To: Thor (Hammer of God)
Cc: w0lfd...@gmail.com; full-disclosure-boun...@lists.grok.org.uk; full-disclos...@lists.grok.org.uk
Subject: Re: [Full-disclosure] 0-day vulnerability

> Right as usual t-man, but while we are doing FWs job for them, Remote code execution is: any program you can run on a machine you can't touch (for further explanation, man touch).
>
> Curt
Re: [Full-disclosure] 0-day vulnerability
Along the same lines, from DHS to Symantec, the threat level is always Elevated. So yellow is now the new green. I think ISS (IBM now) is one of the few that leave their alert level at 1 until there is really a 2-4 situation to deal with. I don't need more stress in my day than the crackers already provide...

Of course, I know keeping things in perspective is hard these days, i.e. I was reading the Washington Post on the Metro this morning, looking at a map of the four stations that al-Qaeda planned to bomb, as I passed all four of them. I would say my PTL (Personal Threat Level) is red.

BTW Hammer, I think of is an OK middle name, but I think your last name is a little presumptuous ;)

Curt

On Thu, Oct 28, 2010 at 1:14 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:
> I would further define it as code that can be run on a machine remotely without any human interaction.
>
> What I think would be ultimately effective is if researchers and those who make disclosure announcements quit trying to make their discoveries or processes cool and just stick to the facts. Vendors want to downplay vulnerabilities, disclosures want it to sound as bad as it can be. That's why we have people describing a user following a link in an email to download something from their site to be subsequently executed as Remote Code Execution that is Moderately Critical as if there are actually varying degrees of Critical. The same holds true for quantifying likelihood of exploitation as high based on what researchers call extremely common deployment environments in many businesses when they are actually inferring what they THINK is common based on what two of their 5-10 workstation clients are doing with XP peer-to-peer configurations.
>
> I think that the only people really paying any attention to this are other researchers, who basically ignore what other people call something - this doesn't really benefit the user. People want the vulnerability they discover to be awesome and cool and critical because it substantiates their egos. For now, preceding anything with 0-day is a way of invoking fear and urgency as if it represents some imminent disaster, but soon people will become desensitized to that as well.
>
> t
Re: [Full-disclosure] 0-day vulnerability
Well, you know how it is, we all love calling bugs information security vulnerability exploits (pick any combo). It just there's a new one in the club, 0day. They're as much realistic as flying elephants can get. The good thing is, their use (in mail subjects) is often an indication of (a lack of) seriousness...making emails easier to ignore. Anywho, it really ain't unexpected social behavior, they're all hackers/pwners, no? Complaining won't do much! Cheers, Chris. On Thu, Oct 28, 2010 at 8:05 PM, Curt Purdy infosy...@gmail.com wrote: Along the same lines, from DHS to Symantec, the threat level is always Elevated. So yellow is now the new green. I think ISS (IBM now) is one of the few that leave their alert level at 1 until there is really a 2-4 situation to deal with. I don't need more stress in my day than the crackers already provide... Of course, I know keeping things in perspective are hard these days, i.e. I was reading the Washington Post on the Metro this morning, looking at a map of the four stations that al-Qaeda planned to bomb, as I passed all four of them. I would say my PTL (Personal Threat Level) is red. BTW Hammer, I think of is an OK middle name, but I think your last name is a little presumptuous ;) Curt On Thu, Oct 28, 2010 at 1:14 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: I would further define it as code that can be run on a machine remotely without any human interaction. What I think would be ultimately effective is if researches and those who make disclosure announcements quit trying to make their discoveries or processes cool and just stick to the facts. Vendors want to downplay vulnerabilities, disclosures want it to sound as bad as it can be. That's why we have people describing a user following a link in an email to download something from their site to be subsequently executed as Remote Code Execution that is Moderately Critical as if there are actually varying degrees of Critical. 
The same holds true for quantifying likelihood of exploitation as high based on what researchers call extremely common deployment environments in many businesses when they are actually inferring what they THINK is common based on what two of their 5-10 workstation clients are doing with XP peer-to-peer configurations. I think that the only people really paying any attention to this are other researchers, who basically ignore what other people call something - this doesn't really benefit the user. People want the vulnerability they discover to be awesome and cool and critical because it substantiates their egos. For now, preceding anything with 0-day is a way of invoking fear and urgency as if it represents some immanent disaster, but soon people will become desensitized to that as well. t -Original Message- From: Curt Purdy [mailto:infosy...@gmail.com] Sent: Thursday, October 28, 2010 9:51 AM To: Thor (Hammer of God) Cc: w0lfd...@gmail.com; full-disclosure-boun...@lists.grok.org.uk; full- disclos...@lists.grok.org.uk Subject: Re: [Full-disclosure] 0-day vulnerability Right as usual t-man, but while we are doing FWs job for them, Remote code execution is: any program you can run on a machine you can't touch (for further explanation, man touch). Curt On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God) t...@hammerofgod.com wrote: None of this really matters. People will call it whatever they want to. Generally, all software has some sort of vulnerability. If they want to call the process of that vulnerability being communicated for the first time 0 day vulnerability then so what. The industry can't (and won't) even come up with what Remote Code Execution really means, so trying to standardize disclosure nomenclature is a waste of time IMO. 
t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of w0lfd...@gmail.com
Sent: Thursday, October 28, 2010 9:25 AM
To: Curt Purdy; full-disclosure-boun...@lists.grok.org.uk; full-disclos...@lists.grok.org.uk
Subject: Re: [Full-disclosure] 0-day vulnerability

Yep. Totally agree. Vulnerability exists in the system since it has been developed. It is just the matter when it has been disclosed or being exploited. I would suggest 0 day disclosure instead of 0 day vulnerability :)

--Original Message--
From: Curt Purdy
Sender: full-disclosure-boun...@lists.grok.org.uk
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] 0-day vulnerability
Sent: Oct 28, 2010 8:48 PM

Sorry to rant, but I have seen this term used once too many times to sit idly by. And used today by what I once thought was a respectable infosec publication (that will remain nameless) while referring to the current Firefox vulnerability (that did, by the way, once have a 0-day sploit)

Also, by definition, a 0-day no longer exists the moment it is announced ;)

For once and for all
Re: [Full-disclosure] 0-day vulnerability
For once and for all: There is no such thing as a zero-day vulnerability (quoted), only a 0-day exploit...

Cool story, bro. Any thoughts on the use of the term hacker?

/mz
Re: [Full-disclosure] 0-day vulnerability
I lol'd at this thread.

On Thu, Oct 28, 2010 at 11:02 PM, Michal Zalewski lcam...@coredump.cx wrote:

For once and for all: There is no such thing as a zero-day vulnerability (quoted), only a 0-day exploit...

Cool story, bro. Any thoughts on the use of the term hacker?

/mz

--
Cal Leeming
Operational Security Support Team
Out of Hours: +44 (07534) 971120 | Support Tickets: supp...@simplicitymedialtd.co.uk
Fax: +44 (02476) 578987 | Email: cal.leem...@simplicitymedialtd.co.uk
IM: AIM / ICQ / MSN / Skype (available upon request)
Simplicity Media Ltd. All rights reserved. Registered company number 7143564
Re: [Full-disclosure] 0-day vulnerability
Great way to split hairs. Fumbling between metaphors, you're better off contacting Merriam-Webster.

--- On Thu, 10/28/10, Michal Zalewski lcam...@coredump.cx wrote:

From: Michal Zalewski lcam...@coredump.cx
Subject: Re: [Full-disclosure] 0-day vulnerability
To: Curt Purdy infosy...@gmail.com
Cc: full-disclosure@lists.grok.org.uk
Date: Thursday, October 28, 2010, 10:02 PM

For once and for all: There is no such thing as a zero-day vulnerability (quoted), only a 0-day exploit...

Cool story, bro. Any thoughts on the use of the term hacker?

/mz
Re: [Full-disclosure] 0-day vulnerability
zero day can happen to anyone.

--
ciao
JT
Re: [Full-disclosure] 0-day vulnerability
0-day is a scene word. Connotations are inferred, your more precise definition is pretty much what people already assume. Desensitization to security is a serious issue also. Look at homeland security's warning level system. Look at the news of deaths in Iraq and Afghanistan. It's boring as looking up at the blue sky.

--- On Thu, 10/28/10, Thor (Hammer of God) t...@hammerofgod.com wrote:

From: Thor (Hammer of God) t...@hammerofgod.com
Subject: Re: [Full-disclosure] 0-day vulnerability
To: Curt Purdy infosy...@gmail.com, Thor (Hammer of God) t...@hammerofgod.com
Cc: full-disclosure@lists.grok.org.uk full-disclosure@lists.grok.org.uk, full-disclosure-boun...@lists.grok.org.uk full-disclosure-boun...@lists.grok.org.uk
Date: Thursday, October 28, 2010, 5:14 PM

I would further define it as code that can be run on a machine remotely without any human interaction.

What I think would be ultimately effective is if researchers and those who make disclosure announcements quit trying to make their discoveries or processes cool and just stick to the facts. Vendors want to downplay vulnerabilities, disclosures want it to sound as bad as it can be. That's why we have people describing a user following a link in an email to download something from their site to be subsequently executed as Remote Code Execution that is Moderately Critical as if there are actually varying degrees of Critical. The same holds true for quantifying likelihood of exploitation as high based on what researchers call extremely common deployment environments in many businesses when they are actually inferring what they THINK is common based on what two of their 5-10 workstation clients are doing with XP peer-to-peer configurations.

I think that the only people really paying any attention to this are other researchers, who basically ignore what other people call something - this doesn't really benefit the user.
People want the vulnerability they discover to be awesome and cool and critical because it substantiates their egos. For now, preceding anything with 0-day is a way of invoking fear and urgency as if it represents some imminent disaster, but soon people will become desensitized to that as well.

t

-Original Message-
From: Curt Purdy [mailto:infosy...@gmail.com]
Sent: Thursday, October 28, 2010 9:51 AM
To: Thor (Hammer of God)
Cc: w0lfd...@gmail.com; full-disclosure-boun...@lists.grok.org.uk; full-disclos...@lists.grok.org.uk
Subject: Re: [Full-disclosure] 0-day vulnerability

Right as usual t-man, but while we are doing FWs job for them, Remote code execution is: any program you can run on a machine you can't touch (for further explanation, man touch).

Curt

On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

None of this really matters. People will call it whatever they want to. Generally, all software has some sort of vulnerability. If they want to call the process of that vulnerability being communicated for the first time 0 day vulnerability then so what. The industry can't (and won't) even come up with what Remote Code Execution really means, so trying to standardize disclosure nomenclature is a waste of time IMO.

t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of w0lfd...@gmail.com
Sent: Thursday, October 28, 2010 9:25 AM
To: Curt Purdy; full-disclosure-boun...@lists.grok.org.uk; full-disclos...@lists.grok.org.uk
Subject: Re: [Full-disclosure] 0-day vulnerability

Yep. Totally agree. Vulnerability exists in the system since it has been developed. It is just the matter when it has been disclosed or being exploited.
I would suggest 0 day disclosure instead of 0 day vulnerability :)

--Original Message--
From: Curt Purdy
Sender: full-disclosure-boun...@lists.grok.org.uk
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] 0-day vulnerability
Sent: Oct 28, 2010 8:48 PM

Sorry to rant, but I have seen this term used once too many times to sit idly by. And used today by what I once thought was a respectable infosec publication (that will remain nameless) while referring to the current Firefox vulnerability (that did, by the way, once have a 0-day sploit)

Also, by definition, a 0-day no longer exists the moment it is announced ;)

For once and for all: There is no such thing as a zero-day vulnerability (quoted), only a 0-day exploit...

Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA

Sent from BlackBerry(r) on Airtel
Re: [Full-disclosure] 0-day vulnerability
Are you threatening the internet?

--- On Fri, 10/29/10, Jubei Trippataka vpn.1.fana...@gmail.com wrote:

From: Jubei Trippataka vpn.1.fana...@gmail.com
Subject: Re: [Full-disclosure] 0-day vulnerability
To: Curt Purdy infosy...@gmail.com
Cc: full-disclosure@lists.grok.org.uk
Date: Friday, October 29, 2010, 1:03 AM

zero day can happen to anyone.

--
ciao
JT
Re: [Full-disclosure] 0-day vulnerability
clearly sir, you are uneducated.

http://www.youtube.com/watch?v=L74o9RQbkUA

On Fri, Oct 29, 2010 at 2:18 AM, Josey Yelsef hg_expo...@yahoo.com wrote:

Are you threatening the internet?

--- On Fri, 10/29/10, Jubei Trippataka vpn.1.fana...@gmail.com wrote:

From: Jubei Trippataka vpn.1.fana...@gmail.com
Subject: Re: [Full-disclosure] 0-day vulnerability
To: Curt Purdy infosy...@gmail.com
Cc: full-disclosure@lists.grok.org.uk
Date: Friday, October 29, 2010, 1:03 AM

zero day can happen to anyone.

--
ciao
JT
Re: [Full-disclosure] 0-day vulnerability
Yeah, just for the record, this thread is now hitting google spam filters :S

On Fri, Oct 29, 2010 at 2:03 AM, Josey Yelsef hg_expo...@yahoo.com wrote:

0-day is a scene word. Connotations are inferred, your more precise definition is pretty much what people already assume. Desensitization to security is a serious issue also. Look at homeland security's warning level system. Look at the news of deaths in Iraq and Afghanistan. It's boring as looking up at the blue sky.

--- On Thu, 10/28/10, Thor (Hammer of God) t...@hammerofgod.com wrote:

From: Thor (Hammer of God) t...@hammerofgod.com
Subject: Re: [Full-disclosure] 0-day vulnerability
To: Curt Purdy infosy...@gmail.com, Thor (Hammer of God) t...@hammerofgod.com
Cc: full-disclosure@lists.grok.org.uk full-disclosure@lists.grok.org.uk, full-disclosure-boun...@lists.grok.org.uk full-disclosure-boun...@lists.grok.org.uk
Date: Thursday, October 28, 2010, 5:14 PM

I would further define it as code that can be run on a machine remotely without any human interaction.

What I think would be ultimately effective is if researchers and those who make disclosure announcements quit trying to make their discoveries or processes cool and just stick to the facts. Vendors want to downplay vulnerabilities, disclosures want it to sound as bad as it can be. That's why we have people describing a user following a link in an email to download something from their site to be subsequently executed as Remote Code Execution that is Moderately Critical as if there are actually varying degrees of Critical. The same holds true for quantifying likelihood of exploitation as high based on what researchers call extremely common deployment environments in many businesses when they are actually inferring what they THINK is common based on what two of their 5-10 workstation clients are doing with XP peer-to-peer configurations.
I think that the only people really paying any attention to this are other researchers, who basically ignore what other people call something - this doesn't really benefit the user. People want the vulnerability they discover to be awesome and cool and critical because it substantiates their egos. For now, preceding anything with 0-day is a way of invoking fear and urgency as if it represents some imminent disaster, but soon people will become desensitized to that as well.

t

-Original Message-
From: Curt Purdy [mailto:infosy...@gmail.com]
Sent: Thursday, October 28, 2010 9:51 AM
To: Thor (Hammer of God)
Cc: w0lfd...@gmail.com; full-disclosure-boun...@lists.grok.org.uk; full-disclos...@lists.grok.org.uk
Subject: Re: [Full-disclosure] 0-day vulnerability

Right as usual t-man, but while we are doing FWs job for them, Remote code execution is: any program you can run on a machine you can't touch (for further explanation, man touch).

Curt

On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God) t...@hammerofgod.com wrote:

None of this really matters. People will call it whatever they want to. Generally, all software has some sort of vulnerability. If they want to call the process of that vulnerability being communicated for the first time 0 day vulnerability then so what. The industry can't (and won't) even come up with what Remote Code Execution really means, so trying to standardize disclosure nomenclature is a waste of time IMO.
t

-Original Message-
From: full-disclosure-boun...@lists.grok.org.uk [mailto:full-disclosure-boun...@lists.grok.org.uk] On Behalf Of w0lfd...@gmail.com
Sent: Thursday, October 28, 2010 9:25 AM
To: Curt Purdy; full-disclosure-boun...@lists.grok.org.uk; full-disclos...@lists.grok.org.uk
Subject: Re: [Full-disclosure] 0-day vulnerability

Yep. Totally agree. Vulnerability exists in the system since it has been developed. It is just the matter when it has been disclosed or being exploited. I would suggest 0 day disclosure instead of 0 day vulnerability :)

--Original Message--
From: Curt Purdy
Sender: full-disclosure-boun...@lists.grok.org.uk
To: full-disclosure@lists.grok.org.uk
Subject: [Full-disclosure] 0-day vulnerability
Sent: Oct 28, 2010 8:48 PM

Sorry to rant, but I have seen this term used once too many times to sit idly by. And used today by what I once thought