[Dailydave] 0days Post

Dave Aitel dave.aitel at gmail.com
Wed Feb 13 18:51:15 UTC 2019


When in the course of human events, it becomes necessary for one person to
communicate information about an unknown vulnerability to the public, they
often do not do so in the manner which you might expect: With all due
pomp and circumstance, a ringing of the sacred bells, a phone call to Kim
Zetter, and that sort of thing.

Instead, they announce their talk title as "TBD LOL!", put a code fragment
into their Keynote slidepack with the subtitle, "Could be interesting, who
knows!" or publish a slight update to their GitHub repo with targets that
date back to SunOS4.

A friend of mine said recently "Hey, so I told someone that this particular
talk at INFILTRATE isn't going to have any 0day in it." But wait. For a lot
of people, just knowing what is exploitable and what might not be is worthy
of the title. Maybe the talk doesn't give out "the bug" but it gives out a
class of bugs. It gives out a bug that looks a bit like the bug. It gives
out the roughshod cadence of government employees dancing to 90's techno at
Nations after having read the source code of the bug earlier in the day.

What I mean to say is this: what is and is not a mirror depends on your own
eyes. 0day is most often about the thing Rumsfeld
<https://en.wikipedia.org/wiki/There_are_known_knowns> forgot: The unknown
knowns.

-dave