Dailydave mailing list archives

Re: RE: funny comments from Hack IIS6 contest admin


From: Dave Aitel <dave () immunitysec com>
Date: Wed, 18 May 2005 22:24:03 -0400

So last night I went to see Hitchhiker's Guide to the Galaxy and they had a Star Wars preview. I think my favorite scene was the evil guy getting up from his desk, asking if the Jedi "were threatening him". Mayhem ensues! How cool is that? The Darth Vader weblog is awesome - totally puts another side to the story. (http://darthside.blogspot.com/) Anyways, it reminded me that whenever I do exploitation, I always hum the evil theme from Star Wars first. Does everyone do that? Maybe everyone gets their own song, like anorexic Bostonian lawyers.

Anyways, I think I wanted to note that I've never heard anyone refer to 0days other than as "bugs that are not public". Immunity's VSC at one point had a #86 value, as far as Mike Schiffman's "the value of vulnerabilities" matrix goes and we're not special in this regard - lots of people can use IDA and Ollydbg. So 0days do exist, after all. It's like those cave dwelling crocodiles in Madagascar. You wouldn't think they could hide in caves for years eating bats and lemurs, but it turns out they can. Even if they LIKE the sun, they don't need it to survive. Ever noticed how lots of exploits become public and seem to have about 10 years of QA on them - thousands of target types don't come cheap!

Or, as Clausewitz said, to follow doctrine is to ignore the power of individual genius. He said something like that. My German is non-existent. It's possible he was going over some minor point in German tax law, and the translator got confused.

One of the things I love about "hacking" contests is that...if someone gets in but doesn't want an Xbox, then you have a neat false negative. In fact, if someone gets in, and can prove they got in, but doesn't get caught, I will buy you either an Xbox, or a copy of BinDiff (a 999 value!). Of course, like most artists, exploit writers tend to barter art for art, rather than getting paid in money. Art is invaluable, and artists live cheap enough not to need money. Not that anyone is going to get in. These sorts of contests invariably end with a neat article in some magazine detailing the 100000s of attempts made, and then how unsuccessful people were.

I still think any corporate lawyer would cough out their skull if you suggested playing in a contest like that without a signed Hold Harmless. And doing legal negotiations costs more than an Xbox. :>

-dave


Roger A. Grimes wrote:

Well, I add the descriptor widespread because it's mostly believed that many professional hackers and the armed services have plenty of unannounced hacks in their arsenal. The military in particular probably has dozens of vulnerabilities they know about that they keep in their computer ops quiver to use in the event they need them. That's particularly what I mean in that many professional hackers don't make a lot of money discovering bugs. The armed services hackers probably discover lots of bugs, and for some low salary a year. And there are probably dozens of bugs that the vendor knows about in their product that haven't been widely exploited that are in the development queue to fix. None of those vulnerabilities do I consider 0-day exploits...they are...but they will probably never be known to us...and hence aren't 0-day attacks in the conventional sense.
-----Original Message-----
From: I)ruid [mailto:druid () caughq org] Sent: Tuesday, May 17, 2005 11:18 PM
To: Roger A. Grimes
Cc: dave () immunitysec com; dailydave () lists immunitysec com
Subject: RE: [Dailydave] RE: funny comments from Hack IIS6 contest admin

On Tue, 2005-05-17 at 16:52 -0400, Roger A. Grimes wrote:
When I say 0-day, I mean public 0-day attacks...like everyone traditionally means...which is [when] a widespread 
exploit happens using a previously undisclosed vulnerability.  The exploit is noticed and then the vulnerability found.

I'm not sure what traditions you subscribe to, but in any context I've ever heard the term '0-day' used, it has had 
nothing to do with the scope or severity of the impact it causes, but rather the nature of the public or community awareness of it.  The 
types of conditions that you describe above (among other things, like advisories) are precisely what cause a vulnerability or exploit to 
/no longer/ be 0-day.

But I digress, now we're just arguing Symantecs.

--
I)ruid, C²ISSP
druid () caughq org
http://druid.caughq.org

_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
