Re:High level languages vs. assembly on Beginning Ruby · Score: 1
Absolutely.
Thanks for pointing those things out:)
Personally, about the only call I've had to hand code assembly in the last 5 years wasn't for speed, but rather to do some hinky things that the compiler wouldn't/couldn't do (basically, linking at runtime).
Re:When you step back and consider history on Beginning Ruby · Score: 1
Mainly, the argument was that you didn't know what kind of code the compiler was going to emit. The thought was that with assembly you could be sure that you got tight fast code.
Even though overblown IMO, the footnote in my comment above concedes that for a period of time optimizing compilers weren't that great. That changed though, optimizers became, and are now, quite good.
Re:When you step back and consider history on Beginning Ruby · Score: 1, Insightful
"...svelte compiled language..."
What is that even supposed to mean? Especially vis-a-vis C++; the next round of standardization is considering adding GC and threading.
Let's even go a bit further, what is "compiled"?
Does a VM count? How about JIT'd code?
No, just native you say?
Then how about the fact that the IA-32 instruction set ain't exactly native anymore?
This old canard that dynamic runtime-based languages are somehow intrinsically inferior to native binaries is ridiculous. It's the same tired "I am t3h 1337 and need 100% control" argument that was wrong when it was used for arguing about assembler vs C*.
*OK, before optimizing compilers got decent it was true...but only for a little while.
How does a national ID standard limit liberty any more that the existing standard set by the state of Maine or any of the other 49 states? How does an ID database with your name prevent you from doing anything that you can do today. (not to mention that you are already in a Federal database, probably several like Social Security, IRS and so on)
You've answered your own question. Those examples are merely indicative that we've gone too far already. How does it limit you? The simple fact you can't conduct your personal affairs privately and without authorization.
Because it will be harder for Abu Mohammed to fake.
Bullshit. We're supposed to believe that the enemies you allude to have vast resources and total commitment. Such pedestrian measures as standardized ID are not going to be an effective protection. The only people that this sort of ID affects are the citizenry.
Uh, yeah it is. We have speed limits to keep me safe. I have to wear a seatbelt to keep me safe. I can't drink and drive to keep me (and you) safe... How is this any different?
Speed limits are anonymous. The seatbelt thing is also ridiculous, you should not be compelled to be cautious.
Lastly, cowardice is the natural enemy of liberty. Living in a free society is a dangerous proposition. If you don't accept that, fine, say so.
We're supposed to be an independent people distrustful of government. The people who founded this country overthrew their own government for fuck's sake.
"Why not?" should never be the standard for anything that enhances government power and/or limits individual liberty.
The standard should be "Why should we?".
And no, "We have to keep you safe." is not an adequate reason.
And why, exactly, should anyone take your word over his?
Those aren't minus signs...just dashes; i.e., "Day One"/"Day Zero".
No. It wasn't.
The whole "day thing" is about the time between disclosure and patch/signature release. Disclosure starts the clock: Day-1. Day-0 is for talking about the day before disclosure.
That's what the term seems to have mutated into, but it wasn't its original intent.
The whole point of coining the term in the first place was to be able to discuss the unknown; i.e., to be able to assess the potential danger of currently unknown threats. Day-1 refers to disclosure; as such, there's no way to talk about a specific 0-day, because if you know what it is then it has to be at least day-1.
Sure it's abstract, but it's an important concept for developing security technologies and security procedures.
Between product buzzwords and the abstract nature of the term it's almost lost all meaning.
Perhaps then they could continue, and expand, the legacy of the TouchStream; i.e., the tech they bought, for the iPhone, from FingerWorks.
It probably turned into the primary breeding ground for Godzilla.
I think you might have misinterpreted what I meant, or perhaps I didn't make it clear in my original comment. It's not just that I no longer want to give the RIAA money, I want to actively take it away from them.
As a matter of principle I pay for music. I've spent thousands of dollars over the years and that was OK with me. This was mostly to support the artists, but also because I make my money in a similar fashion.
Now I think I should stop. I like the convenience of iTunes, so this might be difficult. But an organization like the RIAA is wholly without merit and needs to be opposed; even though for me it means changing my principles.
What about the artist's cut? I could take the easy way out and figure that it was small anyway and they were mostly getting screwed, but I think that's a facile argument. I'll simply adopt the viewpoint that you get involved with cretins like the RIAA at your own risk and by so doing I'll have no qualms stealing from you.
No. They don't.
This is just a tired old canard. It's the same nonsense as "t3h AV companies write the VIRUSES!!1!".
Communism is all about having an all-powerful government...
No, it isn't. That would be Socialism. In theory, Socialism gives way to Communism; i.e., where the means of production are owned and controlled collectively. A government is supposed to be unnecessary.
All those Soviet, Chinese, Cuban, etc Communist parties you hear about aren't actually practicing Communism. Pretty much in the same way the US doesn't actually practice Laissez-Faire Capitalism.
Bullshit.
Complete and utter bullshit.
The anti-virus/security industry has bent over backwards for over a decade to avoid even the appearance of impropriety. Recollect the public and nasty castigation of the University of Calgary over virus-writing courses to "train" antivirus researchers. After this and other efforts there are still large numbers of people who think antivirus companies write viruses. Offering bounties on vulnerabilities is no different from employing malware authors. This does nothing but harm to the reputation of the industry.
Further, selling vulnerabilities underground takes a hell of a lot more than cracking code with time and tools. It's a *goddamn* criminal endeavor that comes with the associated risks and effort. For the security industry to openly encourage and reward this sort of activity is a horrendous idea from both an ethical and practical standpoint.
The ethical standpoint should be obvious: activity threatening to the public should not be encouraged and rewarded.
The practical standpoint shouldn't be difficult to grasp either: how to prevent the black-market resale of bountied exploits, how to contain the information so as not to inspire related exploits, how not to provide cover for black-market exploit purveyors who send in a few to pretend to legitimacy?
The idea that this could in any way be good or effective is at best ridiculously naive and at worst criminally negligent.
Actually, the FA doesn't mention an email.
Yeah I RTFA...and the email virus was just a vector for keylogging trojan it dropped.
"...a hidden software virus that recorded his every keystroke."
Yeah I know, everybody files all malware under 'virus'; but since the article comes off as somewhat technical it would be nice if this detail was correct. Keyloggers are almost always* trojans, not viruses.
*The only reason I say "almost always" is because it would technically be possible to put keylogging functionality in a virus.
No, it doesn't. There seems to be a lot of confusion about this, probably due to bad marketing campaigns. The basic situation is this: if you know about it, it's not a zero-day (unless, of course, you're the one who found it).
What more reason do you need?
Not necessarily, it depends how the product is implemented. That said, email, IRC, and IM are all common malware vectors.
Tubes as a metaphor wouldn't be problematic in and of itself. However, after saying "it's a series of tubes" he elaborated by saying "it's not a truck". Whilst babbling in this manner he said his staff sent him "an internet" and it took 2 days to get to him because the tubes were full. He basically has no understanding of the subject and butchered what could have been an ok metaphor.
"...with enough soap you can blow up just about anything."
They aren't liable. This has been going on forever. I'll grant that they do get bad PR; e.g., most BSODs (fatal exception in ring 0) tend to come from third-party drivers but MS gets gigged for it. As far as taking a risk "by getting into the business", this is irrelevant. Again, utility and security products are a special case in software. For years, Redmond has worked closely to assist these companies with whatever kernel hackery was needed. Now they're getting into the game themselves and restricting what the vendors can do. They'll find a way around the restrictions, but being heavy-handed with the security community is an arrogant move.
No, it's not that simple. They're pissed because MS is dictating how they should design their products. Furthermore, they're doing it with an attitude of "yeah, you used to do this directly, but now you'll have to trust us to give it to you....maybe." You can still have a robust kernel and have third parties able to interact with and extend it; take Linux or BSD for example.