back to article CERT/CC: 'Sensational' bug names spark fear, hype – so we'll give flaws our own labels... like Suggestive Bunny

Many memorable events get named, whether they're hurricanes, political events, or security incidents like the Morris Worm, which surfaced 32 years ago yesterday. But named security incidents recently have editorialized their own importance with fear-mongering monikers like Heartbleed (2014), Meltdown, Spectre, and Foreshadow ( …

  1. Maelstorm Bronze badge

    Maybe CERT should take a clue from the military which uses codewords to obfuscate operations, places, people, and things. They are masters of it.

    1. DS999 Silver badge

      What they've come up with already sounds exactly like a list of SCI codewords.

      1. Yet Another Anonymous coward Silver badge

        Some are:

        Need to name the operation to secretly invade Russia? Name it after a famous German king that invaded Russia. Have a Radar system that uses a single dish - name it after a one-eyed God.

        Certain other world powers seem to base the names on what gives Generals a stiffy. You have to feel sorry for an officer who has to write to tell a mother that their child was killed in "Operation Thrusting Stallion"

      2. bombastic bob Silver badge
        Linux

        What they've come up with already sounds exactly like a list of SCI codewords.

        or Ubuntu releases

  2. IGotOut Silver badge

    Oh help us...

    Based on it's source, how long before

    Nazi Jew, Happy Slave or Vaccine Murderer.

  3. Beau
    Holmes

    Dung

    Mm, so now bugs will have to comply with political correctness. I'm thinking of the Dung Beetle?

  4. Alan J. Wylie

    Correct Horse

    I can't wait for the next password vulnerability to be called "Correct Horse".

    1. Kane
      Boffin

      Re: Correct Horse

      Obligatory

  5. Ken Moorhouse Silver badge

    Unfortunately...

    Unfortunately Dave Allen is no longer with us. He would have been good at evaluating names.

    (I am sure he did a sketch about "scuds" and "patriot missiles").

    1. Anonymous Coward
      Anonymous Coward

      Re: Unfortunately...

      >(I am sure he did a sketch about "scuds" and "patriot missiles").

      Ironic because one of the reasons for using names like "Scud" (NATO code names for Surface-Surface missiles begin with S) was to avoid the propaganda value of referring to Warsaw pact weapons with their original patriotic Soviet names.

  6. Pascal Monett Silver badge
    FAIL

    "there's a simple process to remove offensive names"

    And it should start by not drawing random words from a 3rd-party website.

    Create your vetted list in-house, do not include those scary words you have become so afraid of, avoid including potentially offensive words, and you won't have to have a process to remove anything afterwards.

    Of course, that requires a bit more work than just randomly calling on Wiktionary, but if you think about it, it would remove a lot of hassle in the long run.

    1. ThatOne Silver badge
      Joke

      Re: "there's a simple process to remove offensive names"

      > avoid including potentially offensive words, and you won't have to have a process to remove anything afterwards

      Not 100% foolproof. Example: "Middle Finger"...

    2. AdamWill

      Re: "there's a simple process to remove offensive names"

      "there's a simple process to remove offensive names"

      yes, it's called "use a standardized format based on essentially random numerical strings, which are almost impossibly unlikely to cause any such issues". Which is what we do already. So let's just ditch this whole nonsensical idea and stick with CVE-YYYY-NNNN...

      Cute names only work when there are only a few of them. Heck, Ubuntu's only up to what, 35 or so? And most non-ubuntu-fanatics can't remember most of those. No-one's going to use and remember "cute" names for *every* vuln.

      1. ThatOne Silver badge

        Re: "there's a simple process to remove offensive names"

        > No-one's going to use and remember "cute" names for *every* vuln

        While you're right of course, do we really need to remember them?

        It's (IMHO) more about the days/weeks after the initial publication, and the resulting floods of communications. I for one have a very bad memory for random numbers, so without a cheat sheet CVE numbers are gibberish to me, especially given they just keep coming. And I'm sure I'm not the only one. Giving them names should help keeping CVE-2020-1234 apart from CVE-2020-1235.

        Now, one could argue that IT professionals should be able to put up with the abstraction, but I think that reducing the chances of confusion is always a good thing, and who cares if you don't remember 3 years later what "Prosthetic Signifier" stood for, chances are you've patched it since.

  7. Anonymous Coward
    Anonymous Coward

    moist fanny flaps

    1. Anonymous Coward
      Anonymous Coward

      That's three words, so doesn't count!

      1. bombastic bob Silver badge
        Coat

        how about "naughty bits" ?

  8. Santa from Exeter

    Funky Gibbon anyone?

    1. Steve K

      Jive Bunny

      Jive Bunny

  9. Arthur the cat Silver badge

    randomized adjective noun combinations

    I suggest random adjective and politicians' names combinations for more fun.

    Squamous Gove, Pastinaceous(*) Corbyn.

    (*) Today's OED word of the day. "Of the nature of or resembling that of a parsnip." Appropriate for an allotment lover.

  10. TimMaher Silver badge
    Coat

    Morris Worm

    What a great name.

    Did it dance around, outside a country pub, while clacking some sticks together and tinkling some bells?

    Until somebody walked on it.

    Mine’s the one with fancy neckerchief and leg straps in the pocket.

    1. Brian Miller

      Re: Morris Worm

      Robert Morris wrote a worm to have some fun with a vulnerability he reported. Yes, I remember that, grey hairs and all.

      Now, I would think that vulnerabilities should be hyped, just like any serial killer, axe murderer, or wanton vegetarian. Calamitous Cthulhu should be right up there for a good vulnerability name.

    2. Citizen99

      Re: Morris Worm

      Cloggies Fracas.

      Morris dancing with extreme violence.

  11. Bitsminer Silver badge

    edits

    Is frumious bandersnatch taken?

  12. JavaJester
    Thumb Down

    Might as well use Newspeak

    You could have names like "Doubleplusungood CVE #", "Plusungood CVE #", "Ungood CVE #", or just the CVE # depending on how severe the finding is. This scheme would actually impart more information than the proposed naming scheme: you would have a good idea of how bad the vulnerability is by the name.

  13. razorfishsl

    Be prepared for bugs called

    "fuck me" , "fuck you",

    which might make congress a WAY more interesting place to watch.......

  14. Claptrap314 Silver badge

    Let me get this straight

    1) The number of vulnerabilities each year is climbing.

    2) The dependency of our daily lives on properly functioning software is climbing.

    3) There are entire industries seeking to put our physical lives at the mercy of said software (motor vehicles, drug administration, medical equipment).

    4) It is almost impossible to get managers to focus the needed resources to avoid these issues.

    And the problem is that the names are TOO alarming? "Heartbleed" was not just a masterful name because it got attention. It was a masterful name because it enabled the techies to convince management, "No, really, we MUST do this..." We need more alarm on software vulnerabilities, not less.

    As I believe you right-pondians put it, "muppets".

    1. Ken Moorhouse Silver badge

      Re: As I believe you right-pondians put it, "muppets".

      Us right-pondian's would ramp up the urgency by referring to a "Kermit in a Blender" event.

  15. This post has been deleted by its author

  16. SotarrTheWizard
    Trollface

    Many years ago. . . .

    . . . I ran a SOC team, and we were constantly seeing indicators of possible, or failed attacks. And, by contract, were supposed to report each and every one on initial detection. Which generally resulted in manglement reacting in typical spring-loaded fashion.

    We ended up designating "possibles" as FLUFFY BUNNY incidents, and the disposition went to two categories: Actual attempts with any degree of success became WASCAWWY WABBITS, and all FLUFFY BUNNY incidents proven to be false alarms or unsuccessful were listed in the daily FUDD report.

    In the 15 months I ran that shop, only one mangler realized that we were doing it, because they went all Looney Toons over the slightest issue. . . (Grin)

  17. Crypto Monad Silver badge

    Presumably the "three words" geolocation app has already had to deal with this issue.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like