Update: My response to J.J.’s comment below:
I think we need to protect our systems as much as is necessary to protect against real attacks. If there aren’t many, then we don’t need as much protection; if there are a lot, then we need a lot of protection. Above all, I believe people should be able to make their own choices and live with the consequences. (I think vuln researchers are increasing the likelihood of consequences and ultimately doing less to protect us against future 0days).
It appears that most folks in the security community believe there are a lot of attacks (I lean in this direction but am amazed by the lack of supporting evidence). If that is the case, then our current process is not helping (we claim that it significantly impacts the 0days) and we should absolutely be turning to more secure system design and any other method we can think of to protect ourselves against the unidentified threat that doesn’t require identifying new, distracting threats to begin with.
J.J. says, "Since you never see them, they don’t exist" regarding unexpected breaches. I say that first, it is possible to see them (for some reason, people think this is impossible) as is evidenced below by TQBF’s experience; second, that is absolutely where we should be spending our time; and third, if you never see them, they exist but they must not matter (to the person being compromised, this is self-defining human behavior).
—————————————————————————————————————
TQBF did me right. He found the references I was looking for and now will drink for free, though I am guessing not as much as he hoped. (C’mon now, when I said 50 beers I was thinking the ever-so-delicious Coors Light). Bass Ale (or the other stuff if you can find it) on me in Chicago all night on 9/26/05, somewhere near here. (I think you said you live in Chicago now). Rain dates acceptable if necessary.
And he didn’t even have to disclose anything secret or compromise any trust, etc… My total is now up to 3 in seven years.
[Btw, you can bring that guy with you who keeps talking to you in your blogs, unless he is your alternate personality. Then, leave him home.]
You’re on. I’m 5 minutes away from there.
=)
Or, for more examples:
o RealServer ../../../ overflow
o Any of the Immunity VSC releases (Mac OS X Kernel Local, anyone?)
o Samba bug that HDM got hacked with
The list goes on and on. Exploits being used as 0day is the rule, not the exception. If you were on DD you’d get to see a few more examples…
Why does the truth/myth of zero-days matter? The issue is merely academic. If we base any security design on the assumption that a given system is secure, then we have failed.
Whether through a sys admin not applying a patch/triage config quickly enough, carelessness in a configuration or the dancing pigs problem, every system has the potential to be compromised at some point once it’s deployed.
IDS detection of the attack has the same troubles.
Reference Matt Blaze’s whitepaper on safelocks. The best safe you can buy on the market can only be expected to deny a safecracker for 60 minutes. Blaze’s ultimate conclusion:
“Perhaps we would do better learning instead to design systems that recognize the inevitability of software errors, tolerating them as safe locks tolerate inevitable mechanical imperfections.”
Maybe I’m missing a larger picture, but if we’re not building systems that assume the inevitability of compromise, then we’re failing to secure the systems.
Of course, you won’t know that, because it’s a self-enforcing mindset. Since you’re not building systems that monitor secure systems for unexpected breaches, you’ll never see them. Since you never see them, they don’t exist – right?
J.J.
links:
dancing pigs: http://en.wikipedia.org/wiki/Dancing_pigs
matt blaze: http://www.crypto.com/papers/
If I buy a round, can I sit in for the floor show? After 25 beers apiece, I anticipate quite a barnburner.
0days don’t excite me, but beer always gets my attention.
There’s been a lot of back-and-forth between Pete Lindstrom, Adam Shostack, and TQBF regarding the benefits (or lack thereof) of vulnerability research and disclosure, culminating in Pete saying he’d buy beer…
C’mon, just poi…
http://www.securityfocus.com/news/11273/2
@David: that link is the honey monkey one that we discussed here: http://spiresecurity.typepad.com/spire_security_viewpoint/2005/08/thank_god_for_h.html. Bottom line: not a zero-day by my definition.
Where’s the Evidence?
Tom Ptacek offers up unsubstantiated rumors, and Lindstrom caves? Shoot. I did my chrooting DNS work when a customer’s DNS servers came under attack. Can I get beer without naming the customer? I thought Pete was demanding full details….
I’m with you on this issue. The underlying issue is that there is no data on which to separate out the truth from the fluff. The security community has grown up in so much of a secrecy environment that all claims are suspect, and all products are based on hype.
We need data, data, and more data. We need to unravel this attitude of not trusting anyone else with the things we’ve learnt. 50 beers is a cheap price to get the data.