Maybe CERT should take a clue from the military, which uses codewords to obfuscate operations, places, people, and things. They are masters of it.
CERT/CC: 'Sensational' bug names spark fear, hype – so we'll give flaws our own labels... like Suggestive Bunny
Many memorable events get named, whether they're hurricanes, political events, or security incidents like the Morris Worm, which surfaced 32 years ago yesterday. But named security incidents recently have editorialized their own importance with fear-mongering monikers like Heartbleed (2014), Meltdown, Spectre, and Foreshadow ( …
COMMENTS
Tuesday 3rd November 2020 20:15 GMT Yet Another Anonymous coward
Some are:
Need to name the operation to secretly invade Russia? Name it after a famous German king who invaded Russia. Have a radar system that uses a single dish? Name it after a one-eyed god.
Certain other world powers seem to base the names on what gives generals a stiffy. You have to feel sorry for an officer who has to write to tell a mother that their child was killed in "Operation Thrusting Stallion".
Tuesday 3rd November 2020 20:21 GMT Anonymous Coward
Re: Unfortunately...
>(I am sure he did a sketch about "scuds" and "patriot missiles").
Ironic, because one of the reasons for using names like "Scud" (NATO code names for surface-to-surface missiles begin with S) was to avoid the propaganda value of referring to Warsaw Pact weapons by their original patriotic Soviet names.
Tuesday 3rd November 2020 10:09 GMT Pascal Monett
"there's a simple process to remove offensive names"
And it should start by not drawing random words from a third-party website.
Create your vetted list in-house, do not include those scary words you have become so afraid of, avoid including potentially offensive words, and you won't have to have a process to remove anything afterwards.
Of course, that requires a bit more work than just randomly calling on Wiktionary, but if you think about it, it would remove a lot of hassle in the long run.
Tuesday 3rd November 2020 19:06 GMT AdamWill
Re: "there's a simple process to remove offensive names"
"there's a simple process to remove offensive names"
yes, it's called "use a standardized format based on essentially random numerical strings, which are almost impossibly unlikely to cause any such issues". Which is what we do already. So let's just ditch this whole nonsensical idea and stick with CVE-YYYY-NNNN...
Cute names only work when there are only a few of them. Heck, Ubuntu's only up to what, 35 or so? And most non-ubuntu-fanatics can't remember most of those. No-one's going to use and remember "cute" names for *every* vuln.
Wednesday 4th November 2020 13:29 GMT ThatOne
Re: "there's a simple process to remove offensive names"
> No-one's going to use and remember "cute" names for *every* vuln
While you're right of course, do we really need to remember them?
It's (IMHO) more about the days/weeks after the initial publication, and the resulting floods of communications. I for one have a very bad memory for random numbers, so without a cheat sheet CVE numbers are gibberish to me, especially given they just keep coming. And I'm sure I'm not the only one. Giving them names should help keep CVE-2020-1234 apart from CVE-2020-1235.
Now, one could argue that IT professionals should be able to put up with the abstraction, but I think that reducing the chances of confusion is always a good thing, and who cares if you don't remember 3 years later what "Prosthetic Signifier" stood for, chances are you've patched it since.
Tuesday 3rd November 2020 21:11 GMT Brian Miller
Re: Morris Worm
Robert Morris wrote a worm to have some fun with a vulnerability he reported. Yes, I remember that, grey hairs and all.
Now, I would think that vulnerabilities should be hyped, just like any serial killer, axe murderer, or wanton vegetarian. Calamitous Cthulhu should be right up there for a good vulnerability name.
Tuesday 3rd November 2020 20:34 GMT JavaJester
Might as well use Newspeak
You could have names like "Doubleplusungood CVE #", "Plusungood CVE #", "Ungood CVE #", or just the CVE # depending on how severe the finding is. This scheme would actually impart more information than the proposed naming scheme: you would have a good idea of how bad the vulnerability is by the name.
Wednesday 4th November 2020 00:59 GMT Claptrap314
Let me get this straight
1) The number of vulnerabilities each year is climbing.
2) The dependency of our daily lives on properly functioning software is climbing.
3) There are entire industries seeking to put our physical lives at the mercy of said software (motor vehicles, drug administration, medical equipment).
4) It is almost impossible to get managers to focus the needed resources to avoid these issues.
And the problem is that the names are TOO alarming? "Heartbleed" was not just a masterful name because it got attention. It was a masterful name because it enabled the techies to convince management, "No, really, we MUST do this..." We need more alarm on software vulnerabilities, not less.
As I believe you right-pondians put it, "muppets".
Wednesday 4th November 2020 17:27 GMT SotarrTheWizard
Many years ago...
...I ran a SOC team, and we were constantly seeing indicators of possible or failed attacks. And, by contract, we were supposed to report each and every one on initial detection. Which generally resulted in manglement reacting in typical spring-loaded fashion.
We ended up designating "possibles" as FLUFFY BUNNY incidents, and the disposition went to two categories: Actual attempts with any degree of success became WASCAWWY WABBITS, and all FLUFFY BUNNY incidents proven to be false alarms or unsuccessful were listed in the daily FUDD report.
In the 15 months I ran that shop, only one mangler realized that we were doing it, because they went all Looney Tunes over the slightest issue... (Grin)