Re: [Full-disclosure] 0-day "vulnerability"
- To: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
- Subject: Re: [Full-disclosure] 0-day "vulnerability"
- From: Curt Purdy <infosysec@xxxxxxxxx>
- Date: Thu, 28 Oct 2010 14:05:47 -0400
Along the same lines, from DHS to Symantec, the threat level is always
"Elevated". So yellow is now the new green. I think ISS (IBM now) is
one of the few that leave their alert level at "1" until there is
really a "2-4" situation to deal with. I don't need more stress in my
day than the crackers already provide...
Of course, I know keeping things in perspective is hard these days,
i.e. I was reading the Washington Post on the Metro this morning,
looking at a map of the four stations that al-Qaeda planned to bomb,
as I passed all four of them. I would say my PTL (Personal Threat
Level) is red.
BTW Hammer, I think "of" is an OK middle name, but I think your last
name is a little presumptuous ;)
Curt
On Thu, Oct 28, 2010 at 1:14 PM, Thor (Hammer of God)
<thor@xxxxxxxxxxxxxxx> wrote:
> I would further define it as "code that can be run on a machine remotely
> without any human interaction." What I think would be ultimately effective
> is if researchers and those who make disclosure announcements quit trying to
> make their discoveries or processes "cool" and just stick to the facts.
> Vendors want to downplay vulnerabilities, disclosures want it to sound as
> bad as it can be. That's why we have people describing a user following a
> link in an email to download something from their site to be subsequently
> executed as "Remote Code Execution" that is "Moderately Critical" as if there
> are actually varying degrees of "Critical."
>
> The same holds true for quantifying "likelihood of exploitation" as "high"
> based on what researchers call "extremely common deployment environments in
> many businesses" when they are actually inferring what they THINK is common
> based on what two of their 5-10 workstation clients are doing with XP
> peer-to-peer configurations.
>
> I think that the only people really paying any attention to this are other
> researchers, who basically ignore what other people call something - this
> doesn't really benefit the "user." People want the "vulnerability" they
> "discover" to be awesome and cool and critical because it substantiates their
> egos. For now, preceding anything with "0-day" is a way of invoking fear and
> urgency as if it represents some imminent disaster, but soon people will
> become desensitized to that as well.
>
> t
>
>>-----Original Message-----
>>From: Curt Purdy [mailto:infosysec@xxxxxxxxx]
>>Sent: Thursday, October 28, 2010 9:51 AM
>>To: Thor (Hammer of God)
>>Cc: w0lfd33m@xxxxxxxxx; full-disclosure-bounces@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
>>Subject: Re: [Full-disclosure] 0-day "vulnerability"
>>
>>Right as usual t-man, but while we are doing F&Ws job for them, "Remote
>>code execution" is: any program you can run on a machine you can't touch (for
>>further explanation, "man touch").
>>
>>Curt
>>
>>
>>
>>On Thu, Oct 28, 2010 at 12:35 PM, Thor (Hammer of God)
>><thor@xxxxxxxxxxxxxxx> wrote:
>>> None of this really matters. People will call it whatever they want
>>> to. Generally, all software has some sort of vulnerability. If they want to
>>> call the process of that vulnerability being communicated for the first time
>>> "0 day vulnerability" then so what.
>>>
>>> The industry can't (and won't) even come up with what "Remote Code
>>> Execution" really means, so trying to standardize disclosure nomenclature is a
>>> waste of time IMO.
>>> t
>>>
>>>>-----Original Message-----
>>>>From: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
>>>>[mailto:full-disclosure-bounces@xxxxxxxxxxxxxxxxx] On Behalf Of
>>>>w0lfd33m@xxxxxxxxx
>>>>Sent: Thursday, October 28, 2010 9:25 AM
>>>>To: Curt Purdy; full-disclosure-bounces@xxxxxxxxxxxxxxxxx; full-disclosure@xxxxxxxxxxxxxxxxx
>>>>Subject: Re: [Full-disclosure] 0-day "vulnerability"
>>>>
>>>>Yep. Totally agree. A vulnerability exists in the system since it was
>>>>developed. It is just a matter of when it is disclosed or exploited.
>>>>
>>>>I would suggest "0 day disclosure" instead of "0 day vulnerability" :)
>>>>
>>>>
>>>>------Original Message------
>>>>From: Curt Purdy
>>>>Sender: full-disclosure-bounces@xxxxxxxxxxxxxxxxx
>>>>To: full-disclosure@xxxxxxxxxxxxxxxxx
>>>>Subject: [Full-disclosure] 0-day "vulnerability"
>>>>Sent: Oct 28, 2010 8:48 PM
>>>>
>>>>Sorry to rant, but I have seen this term used once too many times to
>>>>sit idly by. And used today by what I once thought was a respectable
>>>>infosec publication (that will remain nameless) while referring to the
>>>>current Firefox vulnerability (that did, by the way, once have a 0-day
>>>>sploit). Also, by definition, a 0-day no longer exists the moment it
>>>>is announced ;)
>>>>
>>>>Once and for all: There is no such thing as a "zero-day vulnerability"
>>>>(quoted), only a 0-day exploit...
>>>>
>>>>Curt Purdy CISSP, GSNA, GSEC, MCSE+I, CCNA
>>>>
>>>>_______________________________________________
>>>>Full-Disclosure - We believe in it.
>>>>Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>Hosted and sponsored by Secunia - http://secunia.com/
>>>>Sent from BlackBerry(r) on Airtel