Tuesday, February 16, 2016

Why 0day is a nebulous concept, part 1!

There is an inherent problem with taking things that come out of the technical community as slang and then attaching legal meanings to them. But of course, the law profession is not without its hubris and thinks that it can pretty much define anything. Sometimes they even try to redefine mathematical constants such as Pi.

In that way, law is not so much a science as an engineering discipline. So, not to pick on any particular lawyer, I want to quote some brief Twitter exchanges to help illustrate the concept.

My analysis of how OPSEC decisions are made is entirely aligned with everyone else in the field, but we don't usually let lawyers in on it because we have to start our discussion from scratch, is what I read from that. :)

I enjoyed her responses a lot more knowing she had no idea what my background was. Someday Susan and I will have a beer and a good laugh about it.

Let's talk about a better mental model for lawyers to use when they are talking about the wild and wonderful world of vulnerabilities! It may help them understand why the concept of "0day" is so slippery in real life, and even "exploit" and "vulnerability". (cf. this Phrack paper for some historical details on terminology dating to 2002, which was already widely used within the world of security engineers.)

Here are some key concepts:

  1. Code flaws are often used to create multiple primitives. Multiple primitives are used to create exploit logic - and you can combine them in lots of exciting ways, like when you create cookies.
  2. 0day is a label that assumes what other people don't know. It is a model of the mind, not a scientific principle you can hang regulation on.
  3. Exploit engineers don't generally use the term "payload" - and incident response people use it to mean "trojan stage" or "dropper", which is confusing.

So in this sense, when lawyers say they handle the term "vulnerability" just fine, never you mind, what they mean is "We don't know if it means code flaw, exploit primitive, use of that exploit primitive in an exploit, or what?" and when they say "0day" they are expecting you to be omniscient, which is optimistic, at best.

  1. You can imagine how an auto engineer might scoff at lawyers trying to pen some traffic regulation: "that is not how engineers talk about cars", "this ignores that I can attach an engine to a box and make it move", "we don't use the term 'tires', we say 'rotational discs'"... etc. Those laws still kinda seem to work though, right?

  2. I don't share your optimism about that analogy. The repercussions for failure here are huge, and are clearly demonstrated by the Wassenaar Arrangement, among others.