Slashdot Mirror


The People Who Are Branding Vulnerabilities

antdude points out a story at ZDNet about how the naming of security vulnerabilities and exploits has evolved into branding and awareness campaigns. Heartbleed set the trend early this year, having a distinct name and logo to represent a serious security problem. It seemed to work; the underlying bug got massive exposure, even in the mainstream media. This raises a new set of issues — should the response to the disclosure of a vulnerability be dependent on how catchy its name is? No, but it probably will be. Heartbleed charmed the public, and in a way, it was designed to do so. By comparison, Shellshock, POODLE (aka the clumsy "Poodlebleed"), Sandworm, the secretively named Rootpipe, Winshock, and other vulns seem like proverbial "red headed stepchildren" — despite the fact that each of these vulns is a critical issue, some are worse than Heartbleed, and all of them needed fast responses. The next "big bug" after Heartbleed was Shellshock — real name CVE-2014-6271. Shellshock didn't have a company's pocketbook or marketing team behind it. So, despite the fact that many said Shellshock was worse than Heartbleed (rated high on severity but low on complexity, making it easy for attackers), creating a celebrity out of Shellshock faced an uphill climb.

64 comments

  1. Fuck That Shit by sexconker · · Score: 1, Informative

    Fuck naming shit to appeal to the plebes and media. It's not a popularity contest. It's a fucking security vulnerability that needs to be patched. You don't get points for media mentions.

    If you want to think up shitty names for shit you have two options:
    1: Go work for some Congressman's lawyer's office and think up names for bills that mean the complete opposite of what the bill actually does.
    2: Go work for the restaurant industry and come up with fresh and creative hits that can stand alongside "Awesome Blossom", "Crispy Honey-Chipotle Chicken Crispers", "Razz-Ma-Tazz Raspberry Iced Tea", and "Yummy Nummy Chicken Drummies".

    1. Re:Fuck That Shit by thegarbz · · Score: 3, Insightful

      You don't get points for media mentions.

      You're right. You don't get points. You get funding and awareness which is far more important.

    2. Re:Fuck That Shit by Anonymous Coward · · Score: 0

      "Yummy Nummy Chicken Drummies" LOL

    3. Re:Fuck That Shit by grcumb · · Score: 1

      You don't get points for media mentions.

      You're right. You don't get points. You get funding and awareness which is far more important.

      Not necessarily. If the vulnerability du jour is catching media attention the way Ebola did, then you're probably not doing work you should be doing because you've got a CEO who just publicly pronounced that not one of your customers ever is going to get $EBOLA because of you. And suddenly your entire development cycle is in ruins, every manager everywhere has to explain in voluminous detail why his business unit will not be the cause of the next $EBOLA crisis, consultants will be hired to waste your time confirming that you really never were going to contribute to the global $EBOLA scare anyway....

      ... and meanwhile, your maintenance cycle is fucked, you have no budget left to do the upgrades that you need to avoid good old-fashioned data loss due to hardware failure, your children have forgotten who you are, and your wife just accidentally emailed her entire carpool pictures of her naughty bits (instead of her little piece on side, as she intended).

      And your dog ran away.

      NOW how does all that funding and awareness feel, eh kid?

      --
      Crumb's Corollary: Never bring a knife to a bun fight.

    4. Re:Fuck That Shit by Charliemopps · · Score: 1

      Fuck naming shit to appeal to the plebes and media. It's not a popularity contest. It's a fucking security vulnerability that needs to be patched. You don't get points for media mentions.

      If you want to think up shitty names for shit you have two options:
      1: Go work for some Congressman's lawyer's office and think up names for bills that mean the complete opposite of what the bill actually does.
      2: Go work for the restaurant industry and come up with fresh and creative hits that can stand alongside "Awesome Blossom", "Crispy Honey-Chipotle Chicken Crispers", "Razz-Ma-Tazz Raspberry Iced Tea", and "Yummy Nummy Chicken Drummies".

      Ah... you're yet another person that would like to believe we should treat people how they should act, rather than treat them how they really act in the hopes they'll change as a result. Good luck with that.

    5. Re:Fuck That Shit by Anonymous Coward · · Score: 0

      Sounds like your year went as well as mine.

    6. Re:Fuck That Shit by s.petry · · Score: 1

      The people doing the branding of these things are often vultures trying to scavenge money. (You could say garnering reputation, but the ultimate purpose is identical). Media latches on to anything that sounds catchy and pushes today's agenda. Fear mongering is a good thing to the authoritarians who offer us a rescue from the bogey man at every turn.

      We had the one guy this year claiming to have billions of email addresses and passwords he "stole" acquired from "Russian Hackers!!!11!!!ONE!!". To see if you were on the list you had to PAY HIM MONEY, in addition to providing him your credentials! Some of the vulnerabilities were valid and long overdue in terms of needing a fix, but others were mostly noise like the Bash scare.

      IT pros need to just boycott these people trying to maximize personal profit from a vulnerability. Don't use the names these clowns assign to them, and treat the bugs and exploits for what they really are. Again, sometimes valid and sometimes not. I would have much rather seen people posting fixes and tests for the SSL heartbeat bug than read people bickering about who they thought was the most important person in the world for finding the bug, or who the worst developer in the world was for not implementing the fix.

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    7. Re:Fuck That Shit by thegarbz · · Score: 1

      Wait. Are you saying that being able to justify why your programs don't relate or contain certain bugs is so hard that it is financially crippling for your project to go ahead? If that's the case maybe your project SHOULD be under this level of scrutiny, and your distracting dog put down for good measure.

      No the problem is that a lot of the bugs get glossed over. If something is serious and marketed in a way that people know it's serious it gets attention. CVEs get published all the time for systems we get from vendors and it's often like pulling teeth to get information out of vendors about the vulnerabilities. Heartbleed represented the first time the vendors came to us. It was refreshingly open, honest and quick.

      And if it takes some marketing nit with a funny logo to do it, then more power to him.

    8. Re:Fuck That Shit by tlhIngan · · Score: 1

      Fuck naming shit to appeal to the plebes and media. It's not a popularity contest. It's a fucking security vulnerability that needs to be patched. You don't get points for media mentions.

      I know, I mean, if they didn't call it "heartbleed" there would be millions of easily exploitable servers and security appliances out there to rip data from. Instead they had to get media attention and force people to actually examine their systems and update them. After all, a few months later about 80% of vulnerable machines were patched.

      And stuff like OpenVPN would be much easier to break into if people didn't force updates to their VPN appliances and stuff.

    9. Re:Fuck That Shit by radarskiy · · Score: 1

      It is in your interest for everyone else to be prompted to respond to security issues, by whatever means is available, the same way it is in everyone else's interest for you to be prompted to respond to security issues. For example, how many people found all instances of the "Heartbleed" bug that affected them by code review? Did you?

      Self-righteousness is not a security protocol.

    10. Re:Fuck That Shit by HiThere · · Score: 1

      How do you explain to a nervous boss who doesn't program that your program isn't going to be affected? Some people won't be reassured, and also won't understand. And they can always find someone to justify their fears.

      My old boss came up through programming. I got a new boss. After a couple of years I decided to take early retirement. Some people you just can't explain things to...especially in areas they're ignorant of. (I'm willing to accept that he was a good accountant.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.

    11. Re:Fuck That Shit by thegarbz · · Score: 1

      You can't, but not every boss is an idiot boss despite what Dilbert says.

      I don't blame you that you took early retirement if your boss thinks he's technical but isn't. The worst thing any boss can do is not know something and then not listen to the deferred advice for experts.

      So far I've been lucky. Either my boss has known more than me, or my boss has trusted my judgement to do what I was hired to do, and hasn't taken it upon himself to try and understand every technicality.

      One of the other departments at my current employer .... well let's just say he seems to be advertising for a new systems engineer every other week.

  2. Good to know which hole to cover! by EzInKy · · Score: 1

    Look, we all know we all are vulnerable. Naming helps people determine how much armor we need to deploy. Vulnerabilities that aim to fuck us up the ass need especially thick armor.

    --
    Time is what keeps everything from happening all at once.

  3. been that way for years by Anonymous Coward · · Score: 0

    Exploit programs and attacks have had clever names since the days of win nuke. Land, smurf, jizz, papa smurf just to name a few of the oldies.

  4. Make a Name Contest! by AlejandroTejadaC · · Score: 1

    Why should every bug be named by the same people? Make a Name Contest for each bug and raise public awareness still more about their real danger!!!

  5. Name them like hurricanes by davydagger · · Score: 3, Interesting

    I think they are similar to hurricanes in many regards, and I propose we name them as such.

    Start alphabetically, and with a long list of random names (take randomly from US+other census data, or other large pools), and each successive vulnerability gets the next name from the list, no exceptions.

    Not only did this work for hurricanes, this is actually how the US Government has decided on operation names for a while:
    How the US Army chooses operation names

    1. Re:Name them like hurricanes by the_other_chewey · · Score: 2

      Start alphabetically, and with a long list of random names (take randomly from US+other census data, or other large pools), and each successive vulnerability gets the next name from the list, no exceptions.

      Not only did this work for hurricanes, this is actually how the US Government has decided on operation names for a while: How the US Army chooses operation names

      You should read the articles you link to. They used to use random names, but they don't anymore, for PR reasons.

      "Just Cause", "Desert Shield", "Provide Comfort", "Northern Watch", "Desert Fox", "Desert Freedom", "Desert Storm", "Iraqi Freedom", "Enduring Freedom", ...

      Really not that random.

    2. Re:Name them like hurricanes by radarskiy · · Score: 1

      The point of those naming regimes is specifically to a) carry no implicit information and be a pure identifier while b) still being pronounceable and memorable. What are the advantages of a) in the case of security vulnerabilities?

    3. Re:Name them like hurricanes by HiThere · · Score: 1

      The main advantage is that most of them are too complex to be explained, or even pointed to, in a couple of words. And more than once the understanding of the bug and its effects has changed after the name was assigned.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.

  6. WAGTD by sinij · · Score: 2

    Next vulnerability name - WAGTD (We all going to die!!!)

  7. What's the point? by Anonymous Coward · · Score: 0

    What's the point in making all vulnerabilities get so much mainstream exposure? Heartbleed was special because it was important that people generate new certificates for their services despite the fact that the machines themselves were not compromised by malicious code. But apart from some special cases, what can regular users do against attacks? The answer is mostly nothing. They just have to wait for a patch and then apply it. So what is the point in all the scaremongering? I think promoting these vulnerabilities to people with no real interest in them does more harm than good.

    For example, look at how the OpenSSL developers faced some rather personal attacks by some people in the media who have no clue of software vulnerabilities nor even know what OpenSSL really is. Errors happen, and the developers still did a great service to all internet users, all for free in their spare time. They don't care about recognition or money - they don't deserve to be put in a spotlight like this. It was disgusting really. They didn't force anyone to use their software, after all.

    1. Re:What's the point? by Anonymous Coward · · Score: 0

      Bull. Heartbleed was a new function that transmitted data out to the internet checked into a critical security suite at 7:00 pm on New Year's Eve with no code review. It was obviously a planted vulnerability.

    2. Re:What's the point? by Lunix+Nutcase · · Score: 1

      Most OpenSSL developers are FIPS contractors. Working for free in their spare time? Hardly.

  8. I'm not sure where you work by Anonymous Coward · · Score: 0

    Where I work, Shellshock and POODLE definitely got the same level of attention Heartbleed did, if your IT department needs marketing to understand the issues you need a new IT department.

    1. Re: I'm not sure where you work by Anonymous Coward · · Score: 0

      Same here, in fact so is the Adobe Flash Player CVE that dropped on my RSS feed this morning. Heartbleed being so public actually worked against other bugs, as my boss had me ring around hosting providers to check it was patched when I already knew they weren't running vulnerable versions of OpenSSL in the first place.

  9. Re:I have HIV by Anonymous Coward · · Score: 0

    See? If HIV had a catchier name perhaps you would have patched your vulnerability.

  10. funny by Anonymous Coward · · Score: 0

    I've discovered and authored some vulnerabilities, and the names attributed to some of these vulnerabilities are downright funny.

  11. More nefarious reasons? by Anonymous Coward · · Score: 0

    I wondered why a vulnerability in a non-MS product like Heartbleed got its own catchy name and logo, ditto Shellshock, but the _shit ton_ of vulnerabilities in MS Windows in November alone, with some much much worse* and no media coverage, no catchy name, no logo.

    The MS Windows SSL vulnerability didn't just leak private information like Heartbleed, it allows arbitrary code execution, at which point you can get anything you could get from Heartbleed, directly, since you own the box.

    The MS windows KDC vulnerability allows any unpriv user to get admin privs in any organization running MS Domains. Seems quite a bit worse than a few _rare_ websites running bash scripts as CGIs.

    Seems curious-- especially the media blitz on non-MS vulnerabilities.

    Even Apple's goto fail got more attention than the terrible bugs patched in Windows this month.

  12. is Microsoft behind it? by Anonymous Coward · · Score: 0

    The recent vulnerabilities that affect Linux got names and attention. Yet a 19 year old vulnerability got far less visibility. Why? Posting as AC because of the likely karma hit from the MS fanboys with modpoints.

    1. Re:is Microsoft behind it? by GuB-42 · · Score: 1

      - Linux has a greater market share in critical systems
      - Linux is expected to be more secure than Windows
      - Being a closed system, there isn't much you can do in Windows besides waiting for the patch from MS. Linux is community based and more attention results in faster response.
      - Vulnerabilities like heartbleed are not linux-specific. OpenSSL may be used on many OSes including Windows.

    2. Re:is Microsoft behind it? by jones_supa · · Score: 1

      Linux is community based and more attention results in faster response.

      Hah hah! That is no guarantee. Very often the "response" is just crickets chirping. The actual benefit of Linux is that you can hire your own engineers to write code to the kernel or other open source components.

  13. Vulns? by tompaulco · · Score: 1

    noun: vuln; plural noun: vulns
    a vulnerability, especially one associated with computer security.

    According to Google, this usage of the word vuln has not been used much since the 1840s. Get with the times people!
    Apparently, computer viruses were a big thing back then.

    --
    If you are not allowed to question your government then the government has answered your question.

    1. Re:Vulns? by Hognoxious · · Score: 1

      The only usage I'm aware of is as a verb, and that's only used in heraldry, and even then only when referring to pelicans. Slightly obscure.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."

  14. Red headed step children by Anonymous Coward · · Score: 1

    Sorry but this term is quite offensive, and the way it's being used with the author's poor attempt to be cool is worrying. For those who think it's amusing, replace "red headed" with "black" in the same phrase, see what kind of uproar you get from the community.

    1. Re:Red headed step children by Anonymous Coward · · Score: 0

      "Black" is offensive! The politically correct word is "Obama".

    2. Re:Red headed step children by Anonymous Coward · · Score: 0

      You're wrong about the author attempting to be "cool." It's an ancient term, and I'd be willing to bet that the author disagrees with you that the term is offensive.
      It probably also means the author is over 40 and/or writing for an over-40 audience. (i.e. Not for cool/hipster tweens thru twenty-somethings.)

    3. Re:Red headed step children by Anonymous Coward · · Score: 0

      I happen to be a red-headed stepchild, so it's OK for me to use this term.

    4. Re:Red headed step children by Anonymous Coward · · Score: 0

      I happen to be a red-headed stepchild, so it's OK for me to use this term.

      Only a ginger can call another ginger "ginger".

    5. Re:Red headed step children by Anonymous Coward · · Score: 0

      Turns out this term is offensive, too. I tried addressing some of the Obama children in my neighborhood as such and I got a pretty nasty look, if you know what I mean.

    6. Re:Red headed step children by Anonymous Coward · · Score: 0

      If you can't use the term in front of someone with red hair without them punching you in the face, it's offensive.

  15. richter scale needed by e**(i+pi)-1 · · Score: 1

    Giving names is often part of propaganda. This is common in politics. No surprise that this happens in industries where lots of money is. Giving catchy names to vulnerabilities certainly was effective to raise awareness, but once the storm is over people care even less or become immune. Especially if propaganda is evident, it does not work any more. Heartbleed was serious, but totally over-hyped by the media; with POODLE it worked less, with Shellshock it was already pathetic. It's best to keep being informed by trusted sources like CERT. What would be nice to know is a scale analogous to the Richter scale for earthquakes, with a well-defined gauge taking into account how much damage the bug or malware has created and how many systems were affected in total, taking into account also a relative number.

  16. NEW? by darkain · · Score: 1

    "Heartbleed set the trend early this year"

    Wait, this is NEW!? http://en.wikipedia.org/wiki/B...

    1. Re:NEW? by darkain · · Score: 1

      And to go beyond my computing age, let's have something a little older: http://en.wikipedia.org/wiki/B...

    2. Re:NEW? by SeaFox · · Score: 1

      This is a ZDNet article. Their average reader doesn't have the attention span to remember back that far.

    3. Re:NEW? by Dutch+Gun · · Score: 1

      Viruses and trojans have been named for a long time. This is naming the actual vulnerability, not the exploiting/malicious code, so yes, it's actually different.

      --
      Irony: Agile development has too much inertia to be abandoned now.

  17. "vuln" by Anonymous Coward · · Score: 0

    "Vuln", seriously. What kind of pseudo geek speak is this. Sounds like some MTV/syfy made for TV movie goof jargon.

  18. Shellshock doesn't make sense. by steelfood · · Score: 1

    Shellshock was a terrible name. Not all shells were vulnerable (especially not non-unix shells), only bash. The vulnerability's name should've had "bash" in it at least.

    Heartbleed actually sounds physiologically dangerous. Shellshock (and some of the other names) sounds unfortunate. In fact, Poodle actually sounds cute...

    --
    "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."

    1. Re:Shellshock doesn't make sense. by Anonymous Coward · · Score: 0

      Shellshock was a terrible name. Not all shells were vulnerable (especially not non-unix shells), only bash. The vulnerability's name should've had "bash" in it at least.

      I've got it! We'll name the vulnerability Bashshell!

  19. Re:I have HIV by davester666 · · Score: 1

    putting a patch over that vulnerability results in a lot of other problems.

    --
    Sleep your way to a whiter smile...date a dentist!

  20. Stop sensationalizing them by Anonymous Coward · · Score: 0

    Before, I patched problems and that was all. Now I walk through the office and for weeks and months I get to explain how, yes, we're now protected against the new SUPERDEATH exploit, and then get asked to explain it to people who pretend to listen but then quickly realize how unexciting the technical details of exploits are and tune out, but still try to ask follow-up questions based on more sensationalist media crap rather than anything that was said when actually explaining it.

  21. Demote 99% of the vulnerabilities by Burz · · Score: 1

    Keep all the complex interfaces and code if you need them, but put them behind a very small paravirtualization codebase ingrained into the OS which keeps them isolated -- from the core system, and from each other. Really, even your devices like USB controllers and NICs can be treated as untrusted in this way if you have an IOMMU. And you can have it in a normal desktop GUI.

    Kernel-implemented security is a failure; it's ridiculous to go through continued years & decades of pain by relying on it and worrying about breakouts from its weak sandboxing tactics.

  22. Re:I have HIV by Anonymous Coward · · Score: 0

    I've used Slashdot Deals to find a sex partner--several, in fact! Do I qualify for membership?

  23. Branding disasters by Taco+Cowboy · · Score: 1

    Nowadays they do assign names to typhoons / hurricanes, and TFA gives me an idea ... why stop at branding vulnerabilities when we can brand disasters?

    All we need to do is to supply a meme, a logo, a theme song, ... and we can even throw in a new aerobic dance step as a bonus!

    Anyone think such a venture might sell? How about we crowdsource our funding @ www.kickstarter.com?

    --
    Muchas Gracias, Señor Edward Snowden !

  24. Only the incompetent need the media to inform them by uolamer · · Score: 1

    A lot of people have no business being in charge of the security of a server. Those are the same people who need the media to bring an exploit to their attention. They might fix Heartbleed but they never fix CVE-2014-wxyz and others and their server is probably already compromised or could be anyway. Some of the hackers will help keep your system up to date, since they don't want some other hacker taking one of "their" servers.

    I found Heartbleed very simplistic and how it went unnoticed for so long is impressive. Why the hell did it let you specify the number of characters to send back and never check that? https://xkcd.com/1354/

    --
    s/©//g

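
    The question above, why the heartbeat handler let the sender specify a reply length it never checked, is the whole of the Heartbleed bug. The following is an added example, not code from the post, from OpenSSL or from the ZDNet article: a small parser for the TLS heartbeat message layout defined in RFC 6520 (one type byte, a two-byte big-endian payload_length, the payload, then at least 16 bytes of padding) that performs the bounds check the vulnerable code lacked, discarding any message whose declared length does not fit inside the bytes actually received. The function names and the sample messages are constructed for this illustration.

```python
import struct

HEARTBEAT_REQUEST = 1    # HeartbeatMessageType values from RFC 6520
HEARTBEAT_RESPONSE = 2
MIN_PADDING = 16         # RFC 6520 requires at least 16 bytes of padding
HEADER_LEN = 1 + 2       # type byte + 16-bit payload_length


def parse_heartbeat(record: bytes):
    """Parse one heartbeat message body (RFC 6520 section 4).

    Returns (type, payload) or None when the message must be silently
    discarded. The length comparison is the check that was missing before
    the Heartbleed fix: the declared payload_length must fit inside the
    record, with room for the mandatory padding, before any byte is used.
    """
    if len(record) < HEADER_LEN + MIN_PADDING:
        return None                      # too short even for an empty payload
    hb_type = record[0]
    if hb_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        return None
    (payload_length,) = struct.unpack("!H", record[1:3])
    if HEADER_LEN + payload_length + MIN_PADDING > len(record):
        return None                      # sender claimed more than it sent
    payload = record[HEADER_LEN:HEADER_LEN + payload_length]
    return hb_type, payload


def build_heartbeat(hb_type: int, payload: bytes) -> bytes:
    """Encode a well-formed heartbeat message with the minimum padding."""
    return bytes([hb_type]) + struct.pack("!H", len(payload)) + payload + b"\x00" * MIN_PADDING


def heartbeat_response(request: bytes):
    """Build the echo reply a server should send, or None to drop the request.

    The reply is sized from the payload actually received, never from the
    length field alone, so a short record can never produce a long answer.
    """
    parsed = parse_heartbeat(request)
    if parsed is None or parsed[0] != HEARTBEAT_REQUEST:
        return None
    return build_heartbeat(HEARTBEAT_RESPONSE, parsed[1])


# Constructed sample input: a valid request carrying a 5-byte payload.
GOOD_REQUEST = build_heartbeat(HEARTBEAT_REQUEST, b"hello")

# Constructed malformed input: same 5-byte payload, but the length field
# claims 0xFFFF bytes. A checked parser must discard this message.
MALFORMED_REQUEST = b"\x01\xff\xff" + b"hello" + b"\x00" * MIN_PADDING

if __name__ == "__main__":
    print("good   ->", heartbeat_response(GOOD_REQUEST))
    print("claims ->", heartbeat_response(MALFORMED_REQUEST))
```

    The same comparison doubles as a detection rule: a heartbeat record whose declared payload_length exceeds the record length is never legitimate, so a network sensor that parses TLS records can flag it on that condition alone without needing a signature for any particular tool.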
  25. Re:I have HIV by jones_supa · · Score: 1

    A content-aware firewall made of rubber is the professional solution.

  26. spl. by Anonymous Coward · · Score: 0

    'vulns' Seriously?

  27. Some "worse than Heartbleed"? by Anonymous Coward · · Score: 0

    Heartbleed allowed unauthenticated remote attackers to steal server keys without being logged. Some huge percentage of the Internet was vulnerable for the better part of 2 years. How were any of the others even close to the impact and criticality of Heartbleed?

  28. So, Shellshock is more significant, hah. by Anonymous Coward · · Score: 0

    It is only an issue at all if you have web-facing services that fail. And they fall back to using bash if nobody bothered to put together a proper system.

    All of which can be addressed easily without a patch. Don't open services to the web arbitrarily. Don't use bash for the web facing system. Wow! That was so hard to fix that massive security alert with the scary name.

    Security holes, back doors, work arounds, failures are becoming mostly hype. The security teams are trying to push their brand forward. Buyer beware.

  29. It's quite simple. by Anonymous Coward · · Score: 0

    Nobody who actually works with security issues should really give a rat's ass about its name. On the other hand it's good that we have these shocking cool names every once in a while for the awareness of the general public. And with any luck some of those old computers might be patched. Most people have no clue, even in important positions who actually have the resources. And just the awareness for those key people is sometimes enough. It might not be that specific exploit they're thinking about. It's about not getting too lax on security.

  30. Re:Only the incompetent need the media to inform t by Anonymous Coward · · Score: 0

    What about the people in charge of hiring or budgeting?