-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

What exactly constitutes a 0day? From my perspective naming a
vulnerability 0day have absolutely no value whatsoever, it just doesn't
make any sense. 0day for who? The person who release it, sure, but for
the security community as a whole... nah.

I'm also personally starting to question the whole idea behind public
disclosure and advisories. Do they actually mean anything these days?
What good is it to know about a vulnerability that was "discovered" 6
months ago? The important thing is to know what can be done BEFORE the
patch has been released.

Also a big portion of "advisories" seem to be related to the most
obscure softwares and home made PHP applications that most of us never
even care about anyway. These advisories clutter the ones that have even
the slightest validity.

One more thing about "advisories". I think it would be better to release
them immediately and let people know what they are facing. With public
dissemination of a vulnerability perhaps someone will release a 3rd
party patch or another inventive way of protecting oneself. Holding it
"secret" really doesn't help anyone. If anything it prevents people from
trying to find a way to fix the vulnerability.

Michael Zalewski is in my opinion someone who is using the bug-traq list
in a way that is meaningful. He brings up topics for discussion that
concern us all. More people should do that.

Anyways, enough ranting.

/ Chris

Gadi Evron wrote:
> On Sat, 14 Jul 2007, Dragos Ruiu wrote:
>> On Tuesday 10 July 2007 08:53, Gadi Evron wrote:
>>> To paraphrase Guninski, this is still not a 0day. It is a vulnerability
>>> being disclosed.
>>
>> You're being pedantic Gadi. :-)
>>
>> We have to accept the term "0day" has passed into
>> the realm of meaningless nebulousness along with
>> "hacker" and other misused terms.
>>
>> If we are to be pedantic, the original meaning of
>> 0day is new warez release :-).
>
> I think there is still hope for us buddy, at least when professionals
> make releases.
> For example, instead of saying I'm being pedantic on this (which I am),
> you could (also, in addition) reply and say "yep" or "nope", thus
> contributing to some discussion. Meaning, we would either make a stand
> for our profession or at the very least get educated as we go along.
>
> Some people believe the way to reach a "mature industry" is time, others
> believe it's training or in a more specific fashion, certifications. I
> don't know what the answer is, and I am sure it isn't terminology (or
> certifications, hehe).
>
> I do know though, what a 0day is, and don't intend to compromise it for
> the sake of what the press makes of it. It's a strong term and concept
> which shouldn't be abused. That or we can decide on a new term for what
> 0day used to mean. How about "blubla"?
>
> From professionals, we can expect good language and for their work to
> speak for them. We shouldn't compromise on silly things like what 0day
> means.
>
> Maybe I will give this up next year, but for now, advisories named
> "0day" have disapeared lately. Maybe peer pressure does have some effect.
>
> The above is over-thinking and some could consider it very silly, but
> for now, I believe in it. It's just like I resent those among
> consultants who conduct themselves in a fashion that makes me ashamed of
> my profession, as a far-off analogy.
>
>> cheers,
>> --dr
>>
>> --
>> World Security Pros. Cutting Edge Training, Tools, and Techniques
>> Tokyo, Japan November 29/30 - 2007 http://pacsec.jp
>> pgpkey http://dragos.com/ kyxpgp
>>

- --
Chris Stromblad (CEH)
Security Engineer
Outpost24 UK

90 Long Acre
Covent Garden
London, WC2 E9RZ

- -------------------------
Tel: +44 (0) 207 849 3097
Dir: +44 (0) 208 099 6595
Fax: +44 (0) 207 849 3140
- -------------------------
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.5 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGndEz+CG0a/ZJxn8RAoqVAJ9QslNRDXd4GF4+j3mtj6glb2PEhQCg29aG
Ui8dzHJGsqWaUQXFiXd+guA=
=s5J6
-----END PGP SIGNATURE-----

[ reply ]