MarkMaunder dot com

Where the term "Zero Day" comes from

June 16, 2014 | mark | Startups

After seeing a FOIA request earlier today that someone created asking for FBI training documents that teach staff how to understand/communicate using hacker leet-speak, I was reminded about something I’ve wanted to put in virtual ink for a while.

Leet speak or 133+ sp34k or hacker speak did not actually originate with hackers. Neither did the term “zero day”. Back in the late 80’s and early 90’s the Internet was but a pup and most of us communicated via BBS – a dialup modem (often a bank of modems on popular BBS’s) attached to an individual’s PC that members dialed into to connect. [We also used something called Prestel or Beltel which was essentially a big government run BBS]

Phone calls were expensive in those days so if you wanted to connect to BBS’s far away – and at the time I lived in South Africa and the best BBS’s were in the USA – then you needed to become a phone phreak. So I’d fire up a piece of DOS software called Bluebeep (created by the venerable Onkel Dietelmeyer), hold a headphone to a phone mouthpiece, generate CCITT5 tones and take control of international phone trunks to get free overseas phone calls. [I’d also hack into the Post Office X.25 network to get access to an overseas modem (a DTE) which I could then control with AT commands. X.25 was a precursor to the TCP/IP Internet]

Then once you’re connected to the BBS you could upload, download, send email via fidonet and talk to anyone else online. My favorite hacker BBS was in Orange County, Californa called Digital Decay and run by a chap called Arclight. Little did I know that my future wife was also in Orange County busy being a college kid.

At the time underground BBS’s were divided into two types: Those that were hacking and phreaking related and those run by the warez crowd. The hacker/phreak BBS’s would distribute exploits, tools like Bluebeep to hack the phone lines, copies of phrack and so on.

The warez crowd would distribute pirated software and they took their job very seriously. 133+ speak originated with the warez crowd and the hacking/phreaking crowd hated it.

The term Zero Day also originated in the warez scene. On warez BBS’s software would be divided into zero day, 1 to 7 day, 8 to 14 day and so on with the lower ‘day’ being the most elite and hardest to come by. The number of ‘days’ was the days since the software was released to the public and Zero Day was software that was not commercially released yet. So someone had hacked into the company servers to grab their commercial software before they released it.

The relationship between the warez crowd and the hacking/phreaking scene was that the hackers would invent the means to get zero day warez (exploits used to hack into a company), the phreaks invented and continually reinvented the means for ‘warez couriers’ distribute the warez among BBS’s (ways to circumvent trunk seize tone filters the phone companies were using for example). Hackers and phreaks looked down on the warez crowd – even though we’d get software from them – which was a little hypocritical.

This was all around 25 years ago. At some point ‘zero day’ became something applied to vulnerabilities and the number of days a vendor has had to fix them. And at some point ‘133t sp34k’ became something hackers use. I have no idea why or when this transition occurred. 133t sp34k used to be scorned by hackers as something warez ‘pups’ did.

Times change. Like hashtags originating on Twitter where they indicated subject, which originated on IRC where they were channels – and which syntactically may have been inspired by C preprocessor directives.

Edit: Very cool discussion thread on HN about this – including some other old-schoolers checking in.

18 Comments

    Not likely

    ParmasterX75 Gawd – I kinda remember some of that.

    Commented on June 16, 2014 at 11:11 pm

    slipstream

    and of course, the warez scene still uses the term “0day” today.

    Commented on June 17, 2014 at 1:24 am

    anonymous

    There was a THIRD set of BBSes… those dedicated to personal computer hardware (before IBM PCs and Apples) and free open source software to run on them.

    Commented on June 17, 2014 at 2:44 am

      Johnc

      I was just thinking the same thing, very few bbs’s were dedicated to warez and hacking, maybe this author hung out on them but they were the minority. I ran a BBS for years and mostly people used it to communicate via fidonet and relaynet and to play “door” games that were turn based games against other bbs users.

      Commented on June 17, 2014 at 8:32 am

    PaX Team

    the transition occured when the 0-day term got applied to *exploits* (and not vulnerabilities) meaning that such a 0-day exploit was just as fresh (=unknown to the rest of the world) as a 0-day warez release. this happened in the 90’s and later its meaning got diluted somewhat as the common press (as clueless as always) began to use it to refer to related but still different things. note also that a 0-day exploit is not the same thing as a 0-day vulnerability (this is what probably confused the ‘outsiders’ most), exploits can stay 0-day even after the underlying vulnerability becomes public and fixed.

    Commented on June 17, 2014 at 3:09 am

      Ilya

      Could you elaborate on the last sentence? Having trouble getting it 🙁

      Commented on June 17, 2014 at 6:24 am

        PaX Team

        which part in particular? the distinction between exploit/vulnerability?

        Commented on June 17, 2014 at 9:27 am

        afekz

        I’m guessing that he’s referring to the distinction between zero day vulnerabilities and zero exploits, the former referring to when the vulnerability itself is not yet known publicly, whereas the latter only means that the exploit is not public. The latter often used to be traded on e.g. #darknet and the like.

        Commented on June 17, 2014 at 12:15 pm

    AlkQubit

    Makes me feel very old… o_O

    Commented on June 17, 2014 at 6:41 am

    J L

    “X.25 was a precursor to the TCP/IP Internet” is an incorrect statement.

    Commented on June 17, 2014 at 7:27 am

    afekz

    I do find this post quite amusing-it has been rather a long time.

    I’d suggest though that “zero day” was usually measured from the warez scene release date, so RISC trading 0-12 hour warez would be measured from scene release time, else theoretically you could upload pre-released warez to 0-3 day boards without getting your upload nuked for ages.

    Secondly, I’d suggest that little of the pre-released warez was obtained via hacks. “Suppliers” for pre-release (non-store pick-up) warez could range from guys who got the product into physical software stores before the public release date, magazine reviewers, guys at CD (well, originally disk) duplicating facilities, members of private beta test programmes and, probably most prized, industry insiders at software houses.

    A fellow slightly old skewl ZA’er…

    Commented on June 17, 2014 at 8:28 am

      Scott

      I agree with afekz. I seriously doubt there were any game companies that were so well tied to the internet that their source code would have been available to any kind of hackers. At the time TCP/IP was mostly for government agencies, colleges, and laboratories.

      Also I always thought ‘0 day’ generally meant ‘0 days since this hit store shelves’ although as the scene (d)evolved it began to include unreleased software as well. (In earlier times it would have been considered inferior and clearly marked but later on speed became the only thing that mattered.)

      Commented on June 17, 2014 at 10:05 am

    ch

    1337 5p34k, there is no plus sign.

    Commented on June 17, 2014 at 8:30 am

    noid

    Awesome read. I’d always wondered what happened to you ZA folks. I used to look forward to your (semi-)monthly connection to DNANet and thought it was so cool that I could call a local BBS and interact with hackers on the other side of the planet.

    Nowadays with the Internet I can interact with hackers from all over the globe in real time to find out that they’ve all had sex with my mother and that I am a ‘gayfag’. Yay future!

    P.S. I saw in the ycombinator post you also knew Maelstrom. Small world. Him and TDK spent a month living in my house prior to DEFCON one year. They’re both still around, btw.

    -noid

    Commented on June 17, 2014 at 9:40 am

    adam

    so the l33t speak in h/p culture came from the LoD/MoD war I’m pretty sure … as MoD just acted super crazy and kind of made it ‘ok’ to use it because they knew the LoD people (current hacker power base) hated it.
    It’s like a comedian using the word nigger or faggot in ways to make the words less ‘hurtful’.
    they were making fun of the h/ph pretentiousness and was trying to gel the crows (MoD was).
    You can see it in the MoD diaries you can find on textfiles.com
    good times those were.

    Commented on June 17, 2014 at 9:59 pm

Leave a Comment

Your email address will not be published. Required fields are marked *

My name is Mark Maunder. I've been blogging since around 2003 when I started on Movable Type and ended up on WordPress which is what I use to publish today. With my wife Kerry, I'm the co-founder of Wordfence which protects over 5 million WordPress sites from hackers and is run by a talented team of 36 people. I'm an instrument rated pilot and I fly a Cessna 206 along with a 1964 Cessna 172 in the Pacific Northwest and Colorado. I'm originally from Cape Town, South Africa but live in the US these days. I code in a bunch of languages and am quite excited about our emerging AI overlords and how they're going to be putting us to work for them.