In that way, law is not a science so much as engineering. Not to pick on any particular lawyer, but I want to quote some brief Twitter exchanges to help illustrate the concept.
|My analysis of how OPSEC decisions are made is entirely aligned with everyone else in the field, but we don't usually let lawyers in on it because we have to start our discussion from scratch, is what I read from that. :)|
|I enjoyed her responses a lot more knowing she had no idea what my background was. Someday Susan and I will have a beer and a good laugh about it.|
Let's talk about a better mental model for lawyers to use when they are talking about the wild and wonderful world of vulnerabilities! It may help them understand why the concept of "0day" is so slippery in real life, and why even "exploit" and "vulnerability" are slippery too. (cf. this Phrack paper for some historical details on the terminology, dating to 2002, which was already widely used within the world of security engineers.)
Here are some key concepts:
- A single code flaw is often used to build multiple primitives, and multiple primitives are combined to build the exploit logic. You can combine them in lots of exciting ways, like when you bake cookies.
- "0day" is a label about what other people are assumed not to know. It is a model of someone's state of mind, not a scientific property you can hang a regulation on.
- Exploit engineers don't generally use the term "payload", while incident response people use it to mean "trojan stage" or "dropper", which is confusing.
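To make the first two points concrete, here is a small added model (my own illustration, not code from the original post) of flaws, primitives and exploit chains, with a "0day" label computed relative to what a given observer knows. All flaw names, primitives and observers are constructed placeholders. It shows two things a regulation keyed on "0day" has to cope with: patching one flaw does not necessarily kill an exploit that has an alternative primitive chain, and the same exploit is "0day" to one party and not to another at the same moment.

```python
from dataclasses import dataclass

# A code flaw is identified only by a constructed label such as "flaw-A".
# A primitive (e.g. "arbitrary-write") is built from one or more flaws;
# an exploit is a list of alternative chains, any one of which suffices.


@dataclass(frozen=True)
class Primitive:
    name: str
    flaws: frozenset  # labels of the code flaws this primitive depends on


@dataclass
class Exploit:
    name: str
    chains: list  # list of lists of Primitive; alternatives, not steps


def chain_flaws(chain):
    """All flaw labels a single primitive chain depends on."""
    return {flaw for prim in chain for flaw in prim.flaws}


def chain_works(chain, patched):
    """A chain keeps working only while none of its flaws is patched."""
    return not (chain_flaws(chain) & patched)


def exploit_works(exploit, patched):
    """Patching one flaw is not enough if another chain survives."""
    return any(chain_works(c, patched) for c in exploit.chains)


def is_zero_day(exploit, known_to, patched):
    """One defensible definition of '0day', relative to an observer:
    the exploit still works, and at least one working chain relies on a
    flaw the observer does not know about.  Other definitions are just as
    defensible, which is exactly why the label is slippery."""
    for chain in exploit.chains:
        if chain_works(chain, patched) and not chain_flaws(chain) <= known_to:
            return True
    return False


def labels_by_observer(exploit, observers, patched):
    """Map each observer name to whether the exploit is 0day *for them*."""
    return {name: is_zero_day(exploit, known, patched)
            for name, known in observers.items()}


# Constructed sample data: two flaws that each yield a write primitive,
# and a third flaw needed for the address leak that both chains require.
LEAK = Primitive("address-leak", frozenset({"flaw-C"}))
WRITE_A = Primitive("arbitrary-write", frozenset({"flaw-A"}))
WRITE_B = Primitive("arbitrary-write", frozenset({"flaw-B"}))
DEMO = Exploit("demo", chains=[[LEAK, WRITE_A], [LEAK, WRITE_B]])

# Constructed observers with different knowledge of the flaws.
OBSERVERS = {
    "vendor": {"flaw-A", "flaw-C"},               # got one bug report
    "researcher": {"flaw-A", "flaw-B", "flaw-C"},  # wrote the exploit
    "public": set(),
}


if __name__ == "__main__":
    print("unpatched:", labels_by_observer(DEMO, OBSERVERS, set()))
    print("flaw-A patched, still works:", exploit_works(DEMO, {"flaw-A"}))
    print("flaw-C patched, still works:", exploit_works(DEMO, {"flaw-C"}))
    print("flaw-B patched:", labels_by_observer(DEMO, OBSERVERS, {"flaw-B"}))
```

Running it shows the vendor, who already knows about flaw-A and flaw-C, still faces a "0day" because the second chain rides on flaw-B, while the researcher sees no 0day at all; and patching flaw-A alone leaves the exploit working, whereas patching flaw-C, which both chains share, kills it.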