CVE fallout: The splintering of the standard vulnerability tracking system has begun

The splintering of the global system for identifying and tracking security bugs in technology products has begun. Earlier this week, the widely used Common Vulnerabilities and Exposures (CVE) program faced doom as the US government discontinued funding for MITRE, the non-profit that operates the program. Uncle Sam U-turned at …

  1. alain williams Silver badge

    Move MITRE & CVE to Europe

    Lock, stock & barrel - ie including staff, web presence, etc. Make it seamless so that no one really notices.

    The cost would be lost in EU spending, the UK should chip in as well. Others should be invited, eg China. The symbolism of multiple sources of funding would be more important than the cash.

    1. Anonymous Coward

      Re: Move MITRE & CVE to Europe

      Moving the whole of MITRE might be a problem, given its heavy involvement in US defense research. However, by analogy with ICANN we could imagine the creation of WECANT - a Worldwide Electronic Catalogue of Acknowledged and Numbered Threats - operating on a regionally-distributed basis.

      1. John Brown (no body) Silver badge

        Re: Move MITRE & CVE to Europe

        You can't call it WECANT. Need to drop the T or make it a ! symbol. It's the modern naming scheme. WECAN! The marketing team are in full agreement on the name. But don't go in there to check. It's like WW3 in there at the moment while they "discuss" which logo to use and the colour scheme. Especially the colour!

        1. Anonymous Coward

          Re: Move MITRE & CVE to Europe

          How about...

          !WECAN

          1. Snowy Silver badge
            Joke

            Re: Move MITRE & CVE to Europe

            Or WECANT!

        2. tekHedd

          Can't call it that because it might be funny

          It'll be vetoed by people with no sense of humor. Although I would assume we will even get pushback on that...

          "He didn’t have a sense of humour and, like most people without a sense of humour, prided himself on the sense of humour he hadn’t, in fact, got."

    2. Anonymous Coward

      Re: Move MITRE & CVE to Europe

      What part of this being a concerted effort by the likes of China & Russia to cripple impediments to their spying do you not understand?

    3. anothercynic Silver badge

      Re: Move MITRE & CVE to Europe

      100% this. If the US federal Government won't fund it, the rest of the world should step in. Move it to Bermuda. It's close to the US, but not in US jurisdiction.

      1. veti Silver badge

        Re: Move MITRE & CVE to Europe

        Why in the world would we want it to be close to the US? Move it to frickin' Afghanistan, then it might have a shot at real independence...

    4. UnknownUnknown Silver badge

      Re: Move MITRE & CVE to Europe

      Move it organisationally to the UN, and perhaps out of Geneva.

      If “You know who” does indeed pull US funding for the UN, I struggle to see why its Global HO will stay in New York - perhaps Trump could turn it into a Global Casino and Resort - unless the stance is to just wait out Trump until 2029 election, death, removal from office by Congress (inc The Caddy) or Civil War ….whichever comes sooner.

    5. steviebuk Silver badge

      Re: Move MITRE & CVE to Europe

      You don't want China involved. Look at what they did to the WHO. Convinced the head of the WHO, who they got elected, to say Covid was nothing to worry about.

    6. s. pam
      Headmaster

      Re: Move MITRE & CVE to Europe

      No way -- move it to Tuvalu! Given they're a cash economy it would also remove the bitcoin thieves as well as the meddlesome PeeYew and Gilead from tampering.

    7. Andrew Scott Bronze badge

      Re: Move MITRE & CVE to Europe

      Planning to move MIT also?

  2. EricM Silver badge

    Redundancy is a good thing

    I fully support a second system in EU available to all, paid for by my taxes.

    Global lack of trust in U.S. decision making is a thing.

    Especially in complex topics that cannot be described in 5 words or one short sentence to their Dear Leader.

    Especially in security.

    Who knows what the Trump administration, after knee-capping their own cyber defenses, will come up with next...

    Having redundancy under the control of governments of the EU, who are - despite all deserved criticism - acting at least completely rational, will help the industry and public maintain some oversight over security problems and their fixes.

    That way the U.S. can concentrate on solving their sanity problem in the White House.

    1. Doctor Syntax Silver badge

      Re: Redundancy is a good thing

      A single resource with multiple, mirrored servers works well in other circumstances. It could also have multiple coordinated maintainers so that if one gets funding dropped the work will continue. It would probably end up with the US leeching off other nations' work.

      1. Anonymous Coward

        Re: Redundancy is a good thing

        And that's fine, it just needs to work and everyone should be chipping in even when a big contributor catches an orange flu.

      2. John Brown (no body) Silver badge

        Re: Redundancy is a good thing

        "It would probably end up with the US leeching off other nations' work."

        Only if they can afford the tariffs on importing all that foreign "not made in America" data.

    2. GBE

      Global lack of trust in U.S. decision making is a thing.

      Global lack of trust in U.S. decision making is a thing.

      Good dog, I should hope so! There's certainly no trust in U.S. decision making here in the U.S.

      Nor is there any reason there should be.

      1. Roland6 Silver badge

        Re: Global lack of trust in U.S. decision making is a thing.

        But the rest of the world stole our (US) made vulnerabilities, -reduced at tremendous cost to America….

        1. Roland6 Silver badge

          Re: Global lack of trust in U.S. decision making is a thing.

          R/“Reduced”/“produced”

          I’m beginning to hate the seemingly unavoidable AI grammar correctors that due to lag seem to work after you have clicked on “submit”.

      2. drankinatty

        Re: Global lack of trust in U.S. decision making is a thing.

        Not with the orang-in-chief and doggy boys running around. They continually demonstrate how they can fsck up a shot-put with a rubber hammer. (and that takes some effort) There should be an award for monumental incompetence of that level...

    3. Anonymous Coward

      Re: Redundancy is a good thing

      It is, but that allows it to be wood-chipped in 11 months time.

      1. Rich 2 Silver badge

        Re: Redundancy is a good thing

        By “woods chipped” I assume you mean thrown away? If so, then why would it be thrown away? Even if sanity is ever restored to the US (and it’s all relative, I know) then that’s no reason to “wood chip” anything

        1. Skull Issue

          Re: Redundancy is a good thing

          The AC above is alluding to Elon Musk's shoving parts of the US government "into the wood chipper." I wouldn't assume they think the wood-chipping is a good thing; it's just what Musk and his people are doing, in Musk's own words. The way I parse the comment is, "Redundancy is a good thing, but it doesn't do anything to keep MITRE going after the 11 months of funding are up." (Apologies to the AC in question if I'm misunderstanding.)

          It seems like you're approaching decision-making from the perspective of what would be good. That's laudable, but it will get in the way of your understanding what the US government does, especially under this administration.

          These people don't want their opponents to ever have power again, of course, but as insurance, they also want to make it hard for their opponents to reinstate anything if they do get back into power. That is, the purpose of the wood-chipping is to make it harder to bring back the institutions they're destroying. Musk's so-called "department" is not merely tearing down offices and agencies; it's doing so in a way that makes them difficult or impossible to reconstitute as they were. First, scare away as many staffers as possible by making the jobs so stressful and insecure that no one who leaves will ever want to come back; offer buyouts to ease their way out the door. Then, find reasons to fire the ones you can't scare off. (Make sure they're marked ineligible for rehire, of course.) After that, reshuffle whoever is left so that they're not working where their competencies are. By this point, you've already destroyed much of the institutional knowledge, so nobody will be standing the agency back up in its old form. Still, steal copies of all the sensitive data, too, just to be sure. That way, you can use the information against whoever it's about and keep yourself plenty busy for the next phase.

          Dreadful stuff.

          1. Rich 2 Silver badge

            Re: Redundancy is a good thing

            Right. Genuine thanks for enlightening me.

            As for “…get in the way of your understanding what the US government does, especially under this administration”

            You’re right - I have no fucking understanding at all what the Orange Fuckwit and Co are doing. But neither do they

          2. Roland6 Silver badge

            Re: Redundancy is a good thing

            >” steal copies of all the sensitive data”

            Why steal when you can simply contract with agencies such as Palantir…

            It also avoids the potential for the home server controversy…

  3. Anonymous Coward

    Coordination between USA and EU

    "While it's likely that there will be coordination between the US NVD and the EUVD such that records available in one database mirror those in the other ...."

    Tim Mackey, head of software supply chain risk strategy at app security firm Black Duck

    "International coordination" has become a four letter curse word for the DEI hires in the Orange utan's administration. Also, the Orange utan wants to dismember the EU as he must be Number One and cannot endure another entity that might challenge his supremacy.

    So I think any such coordination extremely unlikely.

    I rather expect that Mitre and hence the CVE database will fall prey to the wholesale destruction of the federal level of the USA.

    1. Yet Another Anonymous coward Silver badge

      Re: Coordination between USA and EU

      It's a big advantage to corporations to have a fractured system.

      You are required to disclose any attacks or vulnerabilities publicly.

      But we did. We posted to the (checks notes) Azerbaijan ZX81 User Group Vulnerabilities list server

      It's like the local newspapers in Bumfuck-Nowhere USA which are full of small print ad announcements of requests-for-tender which have to be "published" before you give the contract to your favourite political donor and only bidder

      1. Anonymous Coward

        Re: Coordination between USA and EU

        At the present rate, very shortly the whole of America is going to be known as "Bumfuck-Nowhere USA"

  4. Pascal Monett Silver badge

    "a global lack of trust in the US government"

    Yup.

    Another part of that endless "winning" from the orange baboon. He should be happy. He wanted a wall around the USA and he's going to get one : a wall of indifference.

    1. Snake Silver badge

      Re: "a global lack of trust in the US government"

      I await the de-reserving of the dollar worldwide due to Herr Cheeto's stupidity. He arrogantly believes that when the U.S. says "Jump!" that the rest of the world will gladly say "How high, me Masta?"; the moron is used to playing a boss in the little leagues and fails to understand that he is now in a field of equals, equals who have their own domains and can say "Stuff off, we don't need your [building contracts / business / approval]", the 3 things he is used to getting from his (paid) subordinates.

      He's a tiny, local punk now playing in the Big City and he thinks his rules still apply. People should have expected this...but they're in denial, the infatuation of wealth.

  5. Anonymous Coward

    China

    The biggest economy and most technically advanced country with the strictest laws should run the Vulnerability tracking - China. The EU does not have the funds or tech to run this as well as China. EU is a weak power that can't even defend itself on its own, it has no business managing IT risk of other countries.

    1. Blazde Silver badge

      Re: China

      About that.. https://cyberscoop.com/china-national-vulnerability-database-mss-recorded-future/

      Last year, publication of the Microsoft Office vulnerability CVE-2017-0199 came out 57 days late on the Chinese database. In the meantime, a Chinese advanced persistent threat group exploited the vulnerability in cyber operations against Russian and Central Asian financial firms.

    2. cookiecutter

      Re: China

      ha ha ha! If the EU truly wanted to secure its virtual borders, it would block all incoming access from China & ideally throw out all Chinese companies.

      Can you name 1 product China has made, essentially EVER, that wasn't stolen from someone else's work, design or idea?

      1. Anonymous Coward

        Re: China, some suggestions

        "Can you name 1 product China has made, essentially EVER, that wasn't stolen from someone else's work, design or idea?"

        Gunpowder, movable type, pasta (spaghetti), magnetic compass.

        1. Eclectic Man Silver badge

          Re: China, some suggestions

          paper money: https://en.wikipedia.org/wiki/Paper_money#:~:text=The%20first%20known%20paper%20money,dynasty%20(618–907) , and Silk.

          1. Anonymous Coward

            Re: China, some suggestions

            Indeed, I forgot paper money.

            But also paper itself was invented in China.

            1. Blazde Silver badge

              Re: China, some suggestions

              Tea. Which the Indians stole and made stronger. Then the British stole it and added milk and occasionally weird things like bergamot. Then the Yanks stole it and added ice, and used it as gimmicky flavour in various baked goods, many of which they stole from the Germans.

              1. Anonymous Coward

                Re: China, some suggestions

                Nobody invented tea, it's just a plant. Lots of cultures made various teas from water and plants.

                1. Anonymous Coward

                  Re: China, some suggestions

                  By the same measure, silk comes from the cocoon of the silk worm (larva of silk moth). What was invented was a process for using it.

              2. H_M

                Re: China, some suggestions

                Actually, successful tea in India was a result of Britain stealing the know-how from China, specifically Robert Fortune working for the East India Company.

                There's a good book about this by Sarah Rose: "For All the Tea in China: Espionage, Empire and the Secret Formula for the World's Favourite Drink".

                The East India Company had tried to grow (black) tea in India but always failed to get the plants to grow successfully. At the time, no westerners were allowed inside China except for port cities, not inland. Robert Fortune managed to get into China (in disguise) and find out how the tea was grown, then smuggled samples to India which became Indian tea.

                In retrospect, China had reason at the time not to allow foreign spies into their country, but Fortune got around this.

                https://www.goodreads.com/book/show/3081255-for-all-the-tea-in-china

                1. Blazde Silver badge

                  Re: China, some suggestions

                  Yea I started just saying the Brits stole it from the Chinese, but it improved the narrative to include India especially given their huge role in actually growing it. It seems unknown but perhaps non-commercial tea use in India provided some of the motivation for the East India Company to try to grow it there? And it is the native Indian varieties which generally remain strongest to this day (enjoying some good Assam as I type).

                  Sounds like an interesting book, I shall endeavour to check it out.

        2. druck Silver badge

          Re: China, some suggestions

          I suspect that is "EVER" in the millennial sense of nothing worthwhile existing before the year 2000.

          1. Roj Blake Silver badge

            Re: China, some suggestions

            Or in the football pundit sense of no worthwhile games being played before the advent of the Premier League

        3. Anonymous Coward

          Re: China, some suggestions

          Moveable type was not a local invention, sorry. You are thinking of wood block printing, which they did independently invent, but then so did many others. Noodles are similar, once you have certain types of ground grain it is discovered right away, sometimes even with other products.

          Gunpowder is different but their metallurgy was not advanced enough to make it as useful as it might have been. This is initially confusing, as cursed metallurgy was quite advanced in certain ways, but once you look into the difficulties they had with high temperature furnace construction and the political wars over workshop rights it starts to make sense.

          The compass was independently invented, actually multiple times for similar proprietary reasons. This led to it being far less available than it should have been.

          Are you seeing a pattern here? Chinese companies will gladly sabotage each other and the rest of the world regardless of the intent of the government or population.

          1. Anonymous Coward

            Re: China, some suggestions

            "You are thinking of wood block printing, which they did independently invent, but then so did many others."

            No, printing with movable characters.

            Wikipedia: Movable type

            "The world's first movable type printing technology for paper books was made of porcelain materials and was invented around 1040 AD in China during the Northern Song dynasty by the inventor Bi Sheng (990–1051).[1] The earliest printed paper money with movable metal type to print the identifying code of the money was made in 1161 during the Song dynasty.[2] In 1193, a book in the Song dynasty documented how to use the copper movable type.[3]"

            We also forgot porcelain (china) in the list of Chinese inventions.

        4. John Brown (no body) Silver badge

          Re: China, some suggestions

          "Can you name 1 product China has made, essentially EVER, that wasn't stolen from someone else's work, design or idea?"

          Could say the same about the USA in past generations when they didn't honour non-USA copyright *at all* and pretty much ignored other nations' patent systems while making hay with their products. Until relatively recently, the US was a "rogue nation" in that respect. But like all converts, they then took their conversion beliefs to the extreme.

          1. simkin

            Re: China, some suggestions

            It's not rogue. All laws are local. Anything you're not willing or able to impose on other nations via force is up to them to allow or disallow for their population.

            Your choice is whether you allow them to exploit those decisions in trade with you.

        5. Anonymous Coward

          Re: China, some suggestions

          … iPhone, iPad, MacBook, AirPods, Watches, iPod, HomePod, iMac.

          Take a look at the integrated supply chain that Steve and Tim built …..By positive choice.

          https://www.bbc.co.uk/news/articles/czx17361pw1o.amp

      2. that one in the corner Silver badge

        Re: China

        > Can you name 1 product China has made, essentially EVER, that wasn't stolen from someone else's work, design or idea?

        As you seem to have been asleep in junior school political geography, there is a whole Wikipedia page on the subject.

        Aka "Have you tried looking things up before opening your mouth?"

        1. Anonymous Coward

          Re: China

          "there is a whole Wikipedia page on the subject."

          If you rather read it from paper to get more in-depth, there is the 7 volumes (27 books) of Science and Civilisation in China.

      3. Anonymous Coward

        Re: China

        Well, they actually made Thorium reactors work. They're the only nation with a whole University dedicated to the very idea. And I think we've passed the point where Chinese EVs are mere knock offs of what's on the market.

        Yes, there's still too much of that going on, but suggesting they don't have the ability to produce original work is the sort of tunnel vision the US would dearly continue to propagate, and I am old enough to recall Microsoft pretty much freezing development by acquiring anything that moved, with only Stack having a long enough breath to at least make it hurt. Briefly.

        At this point I would not trust anything from the US either, because their legal system is history. Not a surprise, someone with 34 indictments cannot afford to keep that operable.

        1. veti Silver badge

          Re: China

          We still don't know whether thorium reactors work, in China or anywhere else, because nobody who doesn't work for the Chinese government is allowed to see them. Sure we get the occasional triumphal announcement, but whether there's any actual there there, I don't know and nor do you.

          1. Anonymous Coward

            Re: China

            I didn't upvote your post because I agree with it, but because it does ask for proof.

            Now for the good news: I suspect you will start to see the evidence you're looking for as of this, latest next year.

            Very much the only grip the US may have on this development is through Kirk Sorensen's Flibe company which has focused on developing the best salt mix to use in Thorium based reactors. To be honest, I suspect that the whole SMR push will also go the Thorium route because you can't do the "small" in SMR if you have to build a huge dome around the whole show for in case your overpressurised water escapes. Liquid salt is a far better approach. Add to that a 200x better use of fuel (99.5% vs 0.5%) and I really don't see any argument to remain with the "traditional" approach to nuclear energy.

            Unless you want plutonium for bombs, of course, but I think we already have more than enough of that.

        2. heyrick Silver badge

          Re: China

          "is the sort of tunnel vision the US would dearly continue to propagate"

          I rather imagine that all this butthurt is happening precisely because China has moved from low wage labour making our stuff to innovating with their own designs. And that terrifies the administration because if China isn't beholden and starts doing stuff for itself, what's America's role?

      4. veti Silver badge

        Re: China

        Can you name one product the USA has made, essentially EVER, that wasn't stolen from someone else's work, design or idea?

        That's how technology works. People take what's already around and figure out ways to improve it and new things to do with it. It's what we used to call "progress". Every, and I mean every technology developed in the USA was built on top of knowledge it (by modern standards) "stole" from previous developments in other countries.

        1. the Jim bloke

          Re: China

          Let's also include stealing scientists,

          The American space program was mostly ex-German rocket scientists...

          https://xkcd.com/984/

          1. CowHorseFrog Silver badge

            Re: China

            And the Germans got Apollo to the moon and back with only 2 failures out of 8, unlike Starship.

      5. Roland6 Silver badge

        Re: China

        Opium?

        Ie. The identification, refinement etc.

    3. CA Dave

      Re: China

      If China is the "most technologically advanced country", why does Huawei have to steal chips via Singapore et al?

      Oh, because they can't even make 4nm yet with an acceptable yield.

      The only thing China is advanced in is causing CVE issues to be exploited in the wild.

      1. Anonymous Coward

        Re: China

        "If China is the "most technologically advanced country", why does Huawei have to steal chips via Singapore et al?"

        Because the US prevents them from buying the Dutch machinery to make them.

        A Taiwanese company, co-founded by the Dutch Philips company produces them. Even the US produced 4nm chips are made by a Taiwanese company. Oh, and they too use the Dutch machinery.

        Summary, the USA is equally unable to produce 4nm chips without foreign companies.

      2. Anonymous Coward

        Re: China

        If China is the "most technologically advanced country", why does Huawei have to steal chips via Singapore et al?

        So you're admitting they had the tech know-how to develop the chips, just not to produce them. And I suspect that is likely to change as well at some point.

        Many appear to be under the delusion that China does not have smart people itself. Even from a statistical perspective that is seriously unrealistic.

    4. Anonymous Coward

      Re: China

      This is a terrible idea and you should know better. Their laws aren't strict in the way that makes CVE reporting reliable, but others, often unethical. They are not more advanced in most fields, I don't know where you get that idea. Not that Chinese science is bad, but they are still catching up in most areas.

      And the EU is not that weak, nor does funding this kind of operation cost much.

    5. Anonymous Coward

      Re: China

      sorry, but educational due to replies, my best troll post.

      1. HMcG

        Re: China

        It wasn't a troll post, you are just genuinely ignorant about many, many things. Little point in trying to cover that up now.

    6. Roland6 Silver badge

      Re: China

      Maintaining the CVE register - basically a record keeping job, is a very different activity to managing IT risk whether it be for a business or a nation.

    7. SAdams

      Re: China

      I’m of course familiar with Putin-bots, but we have Xi-bots now?

  6. Nameless Dread

    We've been here before

    "Having a standardized system for identifying vulnerabilities is extremely important, and helps keep everyone — companies, vulnerability researchers, developers, governments — on the same page. "

    It's already done by biologists so what's the problem?

    Having a standardized system for identifying SPECIES is extremely important, and helps keep biologists —and everyone— on the same page.

    1. that one in the corner Silver badge

      Re: We've been here before

      Because, as the tech bros know, IT is A Special Thing and has to have everything done for it from scratch. Sigh.

      1. Anonymous Coward

        NIH syndrome

        Not Invented Here

      2. doublelayer Silver badge

        Re: We've been here before

        What's your proposal? Because it seems the IT people didn't do anything from scratch. They formed an organization to assign codes to things, the same way that biologists created the International Commission on Zoological Nomenclature. The two organizations issued codes governing how things could be assigned, then outsourced the process of actually assigning those codes to the people who do it. The two processes seem to work in very similar ways.

        1. Blazde Silver badge

          Re: We've been here before

          The two processes seem to work in very similar ways

          Right up to and including the funding crisis the ICZN endured back in 2013.

          1. PaulVD

            Re: We've been here before

            The ICZN crisis was resolved by funding from Singapore, and the ICZN now operates out of the Lee Kong Chian Natural History Museum in Singapore.

            Perhaps the Singaporeans could be asked to manage vulnerability record-keeping for us? They would be far more trustworthy custodians than the US, China, or the EU.

        2. Anonymous Coward

          Re: We've been here before

          Heck, biologists even worked on virus infections long before IT did..

    2. Roland6 Silver badge

      Re: We've been here before

      It’s IT, given the business interests the resulting system if left to the vested interests will owe more to the international patents/trademarking system than scientific taxonomies.

  7. Anonymous Coward

    Trust

    "all naming and tracking vulnerabilities independently of each other. And if that's the case: Who to trust?"

    Trust no one.

  8. CA Dave
    Mushroom

    Stupid, but not shocking.

    Killing off MITRE and CVEs would just lay the groundwork for the Cult Leader Orange Muppet to claim more "election fraud" and "stolen victories" by a hopeful blue wave that kicks Mike Johnson and John Thune out of power in '26 so we can sack Musk and his dog Orange.

    1. John Brown (no body) Silver badge

      Re: Stupid, but not shocking.

      Hasn't Musk already passed the limited time he's allowed to be a "special Government employee" and has to quit or become an actual government employee, along with all the rules that entails? Or has the Orange One also changed that too?

  9. coderguy
    Holmes

    You're missing the obvious solution.

    This is the kind of thing that should be the responsibility of a Global Organisation.

    A Gathering of Nations, A League? Nations United perhaps? (I don't know, I'm not good at naming things)

    1. ecofeco Silver badge
      Windows

      Re: You're missing the obvious solution.

      Federation? Confederacy?

      I know! How about an Idiocracy of Specifications! To be known as IOS 9000. Because all our base are belong to them!

      1. Anonymous Coward

        Re: You're missing the obvious solution.

        Might I suggest instead,

        > Idiotic Specification Organization?

  10. Anonymous Coward

    So Trump is again helping Putin?

    Let's harm the security of US IT at a fundamental level. Probably no longer for the voting machines, though, there may not be a next election.

  11. Anonymous Coward

    Someone like IBM will offer a full security service for other corporates that can afford it. It's small companies and startups that will suffer. But that seems to be the way at the moment; the small guys being snuffed out. I'm not sure it's all accident.

  12. Anonymous Coward

    What’s “CVD” in Russian?

    Asking for a friend

    1. ecofeco Silver badge

      Re: What’s “CVD” in Russian?

      NYET!

  13. Alistair
    Windows

    Considering that we're dealing with a lot of other stupid US issues:

    I'm thinking that perhaps Mitre should be moved to Canuckistan in May or June. We're gonna have to route around a ton of other idiocy south of our border, might as well fix that issue for the IT world.

  14. ecofeco Silver badge
    FAIL

    Enshittification intensifies

    ...and it all fell gloriously to bits!

  15. the Jim bloke
    Trollface

    Like imperial versus metric, only worse.

    Imperial ?, Trump wishes, but he is barely a robber baron...

  16. Anonymous Coward

    So What?

    Who really cares? Maybe the listed list - security researchers.

    The simple fact is: patch your shit. If there's a patch available, that's a patch that needs patching. How do you know if this patch needs to be applied? -> Does it have a higher version number than your current version? Then it needs to be applied.

    The only value that I've ever gotten from CVEs is looking up privilege elevation exploits for a particular version of software - the CVE reference is very direct and helpful, as opposed to .... it's hard to search for "exploits for SOFTWARE version X". They seem to be assistance for the attackers alone - otherwise, it's additional security by obscurity (what version does this apply to? what holes are in this version? hmm. -> If you don't believe Security by Obscurity[secrecy] is actual security, then leave your password in a follow-up comment. It should never be the *only* security.)

    The kernel states it: every bug is a security bug. I.e. every patch is a security patch. If you're skipping them, you have security vulnerabilities, CVE tag be damned.
