mitre.org · Domains · Slashdot Mirror

Re:Summary: Too Little, Too Late by Thundersnatch · 2005-11-11 17:40 · Score: 1 · on Ignore Vista Until 2008

and get completely secure browsing for all sites

Completely secure, eh? Firefox has had 100 entires in the CVE database. The Foxie plug-in wouldn't have provided any additional protection against the majority of these vulnerabilities.

Not that IE is any better, but "completely secure"? Where can I get some of what you're smoking?

Re:an integer between 1 and 999 by Heinen · 2005-10-05 06:11 · Score: 1 · on Common Malware Enumeration Initiative

From the CME site:

B1. What is a CME identifier?

CME identifiers are assigned in the format 'CME-N' where N is an integer between 1 and 999, for example, "CME-123". To accommodate space-deprived anti-virus products, CME identifiers can be abbreviated (e.g., M123 or M-123), but the official format (i.e., CME-123) should be used in places such as Web pages, alerts, encyclopedias, etc. Additional digits will be added when the remaining unused identifier space becomes too small. For the sake of successful text-based comparisons, leading zeros will always be omitted in an identifier, e.g., CME-00123 will always be written as CME-123.

Re:an integer between 1 and 999 by starfishsystems · 2005-10-05 04:42 · Score: 1 · on Common Malware Enumeration Initiative

Considering that The number of known viruses surpassed 70,000 in January 2002 it does seem a bit strange to deliberately set this sort of limitation in the design.

It also seems to ignore the existing CVE numbering scheme which surely was designed with similar intent.

This all reminds me somewhat of the patch numbering schemes developed by different software vendors. The one that I've found best in practice comes from Sun Microsystems. Rather than being a plain integer or some equally cryptic enumerator, it's a pair of integers, one identifying the patch, and the other its version. This provides an explicit distinction between intent and implementation, very useful considering that patches themselves often undergo refinement over time, and may need to be reapplied to the same system.

We already know that a similar approach is needed for viruses as well, since many viruses are recognized as minor variants of the same code. The existing ad hoc virus naming scheme already takes this effect into account, though without the rigor that would potentially be available in a vendor-neutral format.

So there's no question that a common virus taxonomy is a great idea, and that CERT would be a natural candidate to be responsible for the virus database, as it has for the CVE list. But the scheme itself seems belated and remarkably toothless. Is this really offered as some kind of sop to the virus detection industry?

Re:Let the IE/FF comparisons begin by Mancat · 2005-09-30 13:35 · Score: 1 · on IE Flaw Exposes Users To Spoof-Based Attacks

And Firefox also had an exploit that was almost identical to the IE exploit this article centers around. It was just fixed in 1.0.7.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN- 2005-2703

Video of MITRE entry by eludom · 2005-09-29 04:10 · Score: 4, Informative · on DARPA Grand Challenge 2005

FYI there is a 5min introductory video clip of the the MITRE entry here:

http://www.mitre.org/tech/meteor/

I saw it a few months ago doing it's thing around the
parking lot. It will be interesting to see how they
do on a live course.

Much like Common Vulnerabilities & Exposures ( by Josh+Triplett · 2005-09-23 11:45 · Score: 1 · on Name That Worm

This project is likely intended to do for viruses, spyware, and other malicious programs what CERT's existing Common Vulnerabilities and Exposures (CVE) does for security issues. CVE has attained widespread acceptance for use in unique and unambiguous identification of security issues; hopefully this project will have the same level of success.

Re:Mac OS X is more secure, period. by pomo+monster · 2005-09-09 09:07 · Score: 1 · on Ready For the Big Mac Virus?

I disagree that the Mac world is mostly safe. Take a look at this recently patched OS X vulnerability:

Buffer overflow in AppKit for Mac OS X 10.3.9 and 10.4.2 allows external user-complicit attackers to execute arbitrary code via a crafted Rich Text Format (RTF) file.

Now remember that Mail.app uses AppKit to view RTF-formatted emails, and Safari uses it to view RTF documents. So if you so much as read your email, whether in Mail.app or Gmail, you could inadvertently infect yourself with a worm, and you wouldn't even know. And if this worm spreads via your Address Book email addresses--well, as a Mac user, you're likely to know a lot of other Mac users, aren't you? It could even use Spotlight to find every email address on your hard disk. The more the merrier, with very little extra effort for the worm.

Is it "automated"? It's close enough. Some of the best-known Windows worms of yore required you to open email attachments, and this hypothetical worm would require even less effort to spread.

What's more, I expect Mac virus authors to be more creative than their PC counterparts (it'd be a disgrace if they weren't, really). So maybe your worm does something ugly like grab a bunch of random documents from your home directory and send them to everyone in your address book. Financial projections, confidential company presentations, those steamy letters to your college roommate. SSNs and salaries of everyone in your department. Plans for the hydrogen bomb. This thing would be indiscriminate. Chaos reigns.

Anyway, there's a whole lot more vulnerabilities where that came from. It doesn't take a lot of imagination to figure out how to wreak havoc in the Mac-using world.

Re:Java had security from the start by XP-Cagey · 2005-08-27 06:56 · Score: 1 · on Comparison of Java and .NET security

If anything, Java was over-secure from the beginning, because you couldn't do anything. ;-)

Unless you exploited one of the security holes that the article talks about. You can say that there is effectively "no security" or "limited security" (your pick) in a sandbox system that can be defeated through known security flaws. That isn't, however, the point of the article.

You did read the article before getting belligerent about it, right? The article is making a value judgement between two systems and saying one is better relative to the other for a list of concrete reasons. Instead of debating the merits of its comparisons, you are twisting its words into a statement Java is inherently bad or should not be used--a judgement that doesn't appear anywhere in its conclusions--and then attacking that newly invented premise.

Several of the specific complexities that proved to be problematic in Java have been avoided in the .NET design, although .NET introduced new complexities of its own. Despite .NET's design certainly not being perfect, it does provide encouraging evidence that system designers can learn from past security vulnerabilities and develop more secure systems. We have no doubts, however, that system designers will continue to relearn from these principles for many years to come.
-- final sentences of the article.

This article isn't bashing Java for the sake of bashing Java, and where it discusses a problem gives detailed, concrete information about its complaints. If you're upset that your language of choice isn't perfect, I suggest adapting to reality--no virutal machine, OS, or application has a perfect design. If you need to persist in arguing that Java has never had "limited security" (what is "unlimited security", anyway?), you could start by telling CVE every past vulnerability they've documented is imaginary. As others have pointed out, 10 of the issues are due to the MS virtual machine, which leaves only 35 for you to argue.

Re:Not NY by Anonymous Coward · 2005-08-19 07:04 · Score: 0 · on Is Your Boss a Psychopath?

http://flrc.mitre.org/Tools/reports/product.pl?PID =3053
The guy on this page? Yes I am anonymous cause I AM a coward!

Enhancing Eschelon by mindpixel · 2005-08-01 02:32 · Score: 1 · on British Intel Shuts Down al-Qaeda Sites

From the Times article:

"Government-sponsored monitoring systems, such as Echelon, can track vast amounts of data but have so far proved of minimal benefit in preventing, or even warning, of attacks. And such systems are vulnerable to manipulation: low-ranking volunteers in terrorist organisations can create background chatter that ties up resources and maintains a threshold of anxiety. There are many tricks of the trade that give terrorists secure digital communication and leave no trace on the host computer."

Which is exactly where I come in. Mindpixel and my semantic spectrum technology can examine vast amounts of traffic and webpages and actually understand the intent of the messages, filtering out completely background chatter.

My GAC-80K based system is the only known automatic system that has actually made a terror prediction that seems to have been accurate. I released GAC-80K to the public for research purposes so that people could prove to themselves the value of the data for extracting meaning from text. All the right people currently have copies and I don't think it will be long before this technology is added to Escelon and Eshelon-like systems worldwide.

Re:BSD ? by Homology · 2005-07-31 04:49 · Score: 1 · on GNOME 2.12 Previewed

Your compiled lists includes programs that uses OpenSSL, so the same vulnerability is listed several times
CAN-2005-1247 . It's like counting each and every vulnerable application that uses a zlib with the recent security holes.