Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Vuln-Dev
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: [Full-disclosure] 0day: PDF pwns Windows

from [Michael Bitow] Network Security [Permanent Link]
Subject: RE: [Full-disclosure] 0day: PDF pwns Windows
Date: Fri, 21 Sep 2007 09:25:59 -0700 

 Name calling and arguing about semantics is about as useful and
enjoyable as a fart in an elevator.

Sheesh.  I thought it was just the Quake players that got in to e-peen
pissing contests.

And yes, I'm top-posting!



-----Original Message-----
From: Chad Perrin [mailto:perrin@apotheon.com] 
Sent: Thursday, September 20, 2007 11:10 AM
To: bugtraq@securityfocus.com
Subject: Re: [Full-disclosure] 0day: PDF pwns Windows

On Thu, Sep 20, 2007 at 06:34:03PM -0400, Joey Mengele wrote:

Dear Fatboy,

Let's put aside for a minute the fact that you have no idea what you 
are talking about and let's also, for the benefit of this very 
valuable debate, assume your definition is correct. First, please 
prove this bug was never used in the wild. After that, please prove 
your credibility in the realm of defining words related to illegal 
computer hacking. Thanks.


Tell me something -- what do *you* think "zero day" means that
differentiates it from "not zero day"?  I keep seeing people use the
term "zero day" (or "0day" or however you want to spell it) without any
regard for how this is meant to differentiate it from some alternative
to "zero day", and I have to wonder what these people think the term
means.  Do you just regard it as a way to make discovery of a
vulnerability as more "important" or "exciting"?  Why exactly use the
term if it has no meaning other than "look at this!"?

There is no such thing as a "zero day vulnerability".  A "zero day
exploit" is an exploit that has been used to compromise systems by the
"bad guys" before the "good guys" discovered it or, arguably, an exploit
being used by the "bad guys" before the "good guys" have developed a
patch for it.  It's not a proof of concept that no "bad guy" has any use
for, and it's not a vulnerability that someone outside of a vendor
discovered before the vendor announced its discovery.  If you have a
definition of the term "zero day" in a computer security context that
contradicts mine, I'd love to read your reasoning and see your sources.
After all, I can't learn anything new if I ignore things that I don't
already know.

--
CCD CopyWrite Chad Perrin [ http://ccd.apotheon.org ] MacUser, Nov.
1990: "There comes a time in the history of any project when it becomes
necessary to shoot the engineers and begin production."
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: [Full-disclosure] 0day: PDF pwns Windows, Chad Perrin
Next by Date:  Re: [Full-disclosure] 0day: PDF pwns Windows, Wayne D. Hoxsie Jr.
Previous by Thread:  Re: [Full-disclosure] 0day: PDF pwns Windows, Chad Perrin
Next by Thread:  RE: [Full-disclosure] 0day: PDF pwns Windows, Jeff Wells (jmwells)
Indexes:  [Date] [Thread] [Top] [All Lists]