Chad Perrin wrote:
> On Sat, Sep 22, 2007 at 10:34:07PM -0700, Crispin Cowan wrote:
>
>> A "private 0day exploit" (the case I was concerned with) would be where
>> someone develops an exploit, but does not deploy or publish it, holding
>> it in reserve to attack others at the time of their choosing. Presumably
>> if such a person wanted to keep it for very long, they would have to
>> base it on a vulnerability that they themselves discovered, and did not
>> publish.
>>
> In the case of that "private zero day exploit", then, nobody will ever
> know about it except the person that has it waiting in reserve -- and if
> someone else discovers and patches the vulnerability before the exploit
> is ever used, it never becomes a "public" zero day exploit. In other
> words, you can always posit that there's sort of a Heisenbergian state of
> potential private zero day exploitedness, but in real, practical terms
> there's no zero day anything unless it's public.
>
> The moment you have an opportunity to measure it, the waveforms collapse.
>
It's a little less abstract than that. Consider that the United States
government might want to worry about whether some foreign nation is banking
a large pool of private 0day exploits in preparation for war. Such a nation
might farm these private 0day exploits by employing a pool of vulnerability
researchers and exploit developers, and just not publishing the results.
This is a perfectly viable way to produce what amounts to Internet
munitions. The recent incident of Estonia Under *Russian Cyber Attack*?
<http://www.internetnews.com/security/article.php/3678606> is an example of
such a network brush war in which possession of such an arsenal would be
very useful.

Crispin

-- 
Crispin Cowan, Ph.D.               http://crispincowan.com/~crispin/
Director of Software Engineering   http://novell.com
AppArmor Chat: irc.oftc.net/#apparmor