
Everyone Has Been Hacked. Now What? - jordhy
http://www.wired.com/threatlevel/2012/05/everyone-hacked/
======
comex
> On Apr. 7, 2011, five days before Microsoft patched a critical zero-day
> vulnerability in Internet Explorer that had been publicly disclosed three
> months earlier on a security mailing list

I don't think "zero-day" means what you think it means.

~~~
lawnchair_larry
zero day has always meant an unpatched vuln.

~~~
roc
Zero-day was coined to describe malware being found in the wild that exploits
a _previously unknown_ vulnerability. The terminology is literally referring
to there being zero days between discovery of a vulnerability and discovery of
malware in the wild that exploits it.

They are prized in the black hat community specifically _because_ they've
never been disclosed and thus no-one has had any chance to patch the
vulnerability.

In this case the vulnerability was known and unpatched for three months. It
was more like a 90-day exploit than a 0-day exploit.

~~~
lawnchair_larry
That's not correct. We found and traded 0day exploits (referring to them as
0day at the time) on irc long before malware was exploiting it. Malware using
0day is a very new thing, and the advent of that certainly isn't when the term
was coined. The term actually originates in the warez scene, referring to the
days prior to RTM of some software. It was adopted in the hacker scene in the
early 90s.

And that doesn't make sense anyway. It was obviously known to _someone_ if
malware was written. These aren't found and written by skynet. I've been
around since about as long as the term was used, and long before the media
used it, and it was universally understood to mean something that wasn't
patched. Over time, more and more people would know about the 0day. So what
number are you using for "unknown"? 1 person knows about it? A hacker group? 2
hacker groups, because one of them stole it from the other? Or is that
semi-0day?

The zero days is between when it exists and when it is patched, even if it
ends up on full disclosure or bugtraq. When it did hit a list, its status goes
from "private" to "public", but this is orthogonal to its 0day status.

Ask tptacek, he was around back then ;) According to that nytimes article,
comex is 20 +/- 1 year, so I forgive him ;)

~~~
roc
> _"The term actually originates in the warez scene"_

A full etymology would certainly be interesting, but I was trying to stick to
the subject matter at hand.

> _"It was obviously known to someone if malware was written."_

Again, in the context of security, 'known' -- at least as far as I've ever
heard it used -- is shorthand for known to the security-minded public and/or
to the vendor. It could be known to a million black-hats writing a million
exploits and that still counts as 'unknown' until the day someone discloses it
to the wider public and/or the vendor.

~~~
lawnchair_larry
"A full etymology would certainly be interesting, but I was trying to stick to
the subject matter at hand."

The point is that you said it was "coined" to describe malware usage. In fact
that was neither the first use of the term in this context, nor where the term
originated at all.

------
option_greek
If they are taking the 'drastic' step of bringing everything offline, how
about banning future internet explorer use in all sensitive areas. Chrome
would provide much better security thanks to its update mechanism. Any
workplace still using this abomination is just begging to be hacked.

~~~
dkokelley
Here's the thing, network security needs to be balanced against organizational
operations. Internet Explorer has been sold to organizations as a platform
where thin client applications can be deployed cheaply. Internet Explorer
doesn't update automatically because the last thing Microsoft wants to do to
their clients is break all of their web apps through an untested update.
Security updates also need to have backwards compatibility, or large firms
won't upgrade, since their web apps might break.

Security and usability are at odds. Large organizations (thus far) tend to
favor usability. It's a cost-benefit analysis, and the benefit of not
redeveloping their web apps outweighs the cost of increasing security.

~~~
fjarlq
Considering the type of work that goes on at Oak Ridge, I'm not so sure they
correctly calculated the true cost of using Windows and Internet Explorer....

~~~
peeters
I'm not sure they (or any other really high-risk security company) calculated
the true cost of connecting their network to the internet at all. A really
simple, effective way of protecting sensitive data is to say that the network
that hosts it will have absolutely no path outside. Then give your employee
another machine on the same desk which connects to the internet but is on a
completely separate network.

It's annoying at first, but it works pretty damned well.

------
scotty79
I find it comforting that no matter how much money you have someone still can
get the information you are trying to hide.

~~~
keithpeter
So another way of 'shortening the perimeter' that you are trying to defend
would be to simply decide that some information does not have to be hidden?

How much information does a commercial company selling a product or service
_have_ to keep secret?

* User details

* Future plans that might affect customers or employees

* 'Secret Sauce' stuff like code if it is closed source or plans &c

What else?

~~~
scotty79
I'm all for operating as publicly as you can while being prepared that things
that you have not made public can become public at any moment.

I think companies should put more effort into looking for ways to provide
service without gathering and storing user details.

Examples being lastpass and various storage services that can't access files
you keep at their machines.

------
lordlicorice
This reads like a thinly-veiled advocacy for CISPA.

