Slashdot Mirror

← Back to Stories (view on slashdot.org)

The People Who Are Branding Vulnerabilities

Posted by Soulskill on from the it's-marketing-all-the-way-down dept.

antdude points out a story at ZDNet about how the naming of security vulnerabilities and exploits has evolved into branding and awareness campaigns. Heartbleed set the trend early this year, having a distinct name and logo to represent a serious security problem. It seemed to work; the underlying bug got massive exposure, even in the mainstream media. This raises a new set of issues — should the response to the disclosure of a vulnerability be dependent on how catchy its name is? No, but it probably will be. Heartbleed charmed the public, and in a way, it was designed to do so. By comparison Shellshock, POODLE (aka clumsy "Poodlebleed"), Sandworm, the secretively named Rootpipe, Winshock, and other vulns seem like proverbial "red headed stepchildren" — despite the fact that each of these vulns are critical issues, some are worse than Heartbleed, and all of which needed fast responses. The next "big bug" after Heartbleed was Shellshock — real name CVE-2014-6271. Shellshock didn't have a company's pocketbook or marketing team behind it. So, despite the fact that many said Shellshock was worse than Heartbleed (rated high on severity but low on complexity, making it easy for attackers), creating a celebrity out of Shellshock faced an uphill climb.

34 of 64 comments (clear)

  1. Fuck That Shit by sexconker · · Score: 1, Informative

    Fuck naming shit to appeal to the plebes and media. It's not a popularity contest. It's a fucking security vulnerability that needs to be patched. You don't get points for media mentions.

    If you want to think up shitty names for shit you have two options:
    1: Go work for some Congressman's lawyer's office and think up names for bills that mean the complete opposite or what the bill actually does.
    2: Go work for the restaurant industry and come up fresh and creative hits that can stand alongside "Awesome Blossom", "Crispy Honey-Chipotle Chicken Crispers", "Razz-Ma-Tazz Raspberry Iced Tea", and "Yummy Nummy Chicken Drummies".

    1. Re:Fuck That Shit by thegarbz · · Score: 3, Insightful

      You don't get points for media mentions.

      You're right. You don't get points. You get funding and awareness which is far more important.

    2. Re:Fuck That Shit by grcumb · · Score: 1

      You don't get points for media mentions.

      You're right. You don't get points. You get funding and awareness which is far more important.

      Not necessarily. If the vulnerability du jour is catching media attention the way Ebola did, then you're probably not doing work you should be doing because you've got a CEO who just publicly pronounced that not one of your customers ever is going to get $EBOLA because of you. And suddenly your entire development cycle is in ruins, every manager everywhere has to explain in voluminous detail why his business unit will not be the cause of the next $EBOLA crisis, consultants will be hired to waste your time confirming that you really never were going to contribute to the global $EBOLA scare anyway....

      ... and meanwhile, your maintenance cycle is fucked, you have no budget left to do the upgrades that you need to avoid good old-fashioned data loss due to hardware failure, your children have forgotten who you are, and your wife just accidentally emailed her entire carpool pictures of her naughty bits (instead of her little piece on side, as she intended).

      And your dog ran away.

      NOW how does all that funding and awareness feel, eh kid?

      --
      Crumb's Corollary: Never bring a knife to a bun fight.
    3. Re:Fuck That Shit by Charliemopps · · Score: 1

      Fuck naming shit to appeal to the plebes and media. It's not a popularity contest. It's a fucking security vulnerability that needs to be patched. You don't get points for media mentions.

      If you want to think up shitty names for shit you have two options:
      1: Go work for some Congressman's lawyer's office and think up names for bills that mean the complete opposite or what the bill actually does.
      2: Go work for the restaurant industry and come up fresh and creative hits that can stand alongside "Awesome Blossom", "Crispy Honey-Chipotle Chicken Crispers", "Razz-Ma-Tazz Raspberry Iced Tea", and "Yummy Nummy Chicken Drummies".

      Ah... you're yet another person that would like to believe we should treat people how they should act, rather than treat them how they really act in the hopes they'll change as a result. Good luck with that.

    4. Re:Fuck That Shit by s.petry · · Score: 1

      The people doing the branding of these things are often vultures trying to scavenge money. (You could say garnering reputation, but the ultimate purpose is identical). Media latches on to anything that sounds catchy and pushes today's agenda. Fear mongering is a good thing to the authoritarians who offer us a rescue from the bogey man at every turn.

      We had the one guy this year claiming to have billions of email addresses and passwords he "stole" acquired from "Russian Hackers!!!11!!!ONE!!". To see if you were on the list you had to PAY HIM MONEY, in addition to providing him your credentials! Some of the vulnerabilities were valid and long overdue in terms of needing a fix, but others were mostly noise like the Bash scare.

      IT pros need to just boycott these people trying to maximize personal profit from a vulnerability. Don't use the names these clowns assign to them, and treat the bugs and exploits for what they really are. Again, sometimes valid and sometimes not. I would have much rather seen people posting fixes and tests for the SSL heartbeat bug than read people bickering about who they thought was the most important person in the world for finding the bug, or who the worst developer in the world was for not implementing the fix.

      .

      --

      -The wise argue that there are few absolutes, the fool argues that there are no probabilities.

    5. Re:Fuck That Shit by thegarbz · · Score: 1

      Wait. Are you saying that being able to justify why your programs don't relate or contain certain bugs is so hard that it is financially crippling for your project to go ahead? If that's the case maybe your project SHOULD be under this level of scrutiny, and your distracting dog put down for good measure.

      No the problem is that a lot of the bugs get glossed over. If something is serious and marketed in a way that people know it's serious it gets attention. CVEs get published all the time for systems we get from vendors and it's often like pulling teeth to get information out of vendors about the vulnerabilities. Heartbleed represented the first time the vendors came to us. It was refreshingly open, honest and quick.

      And if it takes some marketing nit with a funny logo to do it, then more power to him.

    6. Re:Fuck That Shit by tlhIngan · · Score: 1

      uck naming shit to appeal to the plebes and media. It's not a popularity contest. It's a fucking security vulnerability that needs to be patched. You don't get points for media mentions.

      I know, I mean, if they didn't call it "heartbleed" there would be millions of easily exploitable servers and security appliances out there to rip data from. instead they had to get media attention and force people to actually examine their systems and update them. After all, a few months later about 80% of vulnerable machines were patched.

      And stuff like OpenVPN would be much easier to break into if people didn't force updates to their VPN appliances and stuff.

    7. Re:Fuck That Shit by radarskiy · · Score: 1

      It is in your interest for everyone else to be prompted to respond to security issues, by whatever means is available, the same way it is in everyone else's interest for you to be prompted to respond to security issues. For example, how many people found all instances of the "Heartbleed" bug that affected them by code review? Did you?

      Self-righteousness is not a security protocol.

    8. Re:Fuck That Shit by HiThere · · Score: 1

      How do you explain to a nervous boss who doesn't program that your program isn't going to be affected? Some people won't be reassured, and also won't understand. And they can always find someone to justify their fears.

      My old boss came up through programming. I got a new boss. After a couple of years I decided to take early retirement. Some people you just can't explain things to...especially in areas they're ignorant of. (I'm willing to accept that he was a good accountant.)

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
    9. Re:Fuck That Shit by thegarbz · · Score: 1

      You can't, but not every boss is an idiot boss despite what Dilbert says.

      I don't blame you that you took early retirement if your boss thinks he's technical but isn't. The worst thing any boss can do is not know something and then not listen to the deferred advice for experts.

      So far I've been lucky. Either my boss has known more than me, or my boss has trusted my judgement to do what I was hired to do, and hasn't taken it upon himself to try and understand every technicality.

      One of the other departments at my current employer .... well let's just say he seems to be advertising for a new systems engineer every other week.

  2. Go to know which hole to cover! by EzInKy · · Score: 1

    Look, we all know we all are vulnerable. Naming helps people determine how much armor we need to deploy. Vulnerabilities that aim to fuck us up the ass need especially thick armor.

    --
    Time is what keeps everything from happening all at once.
  3. Make a Name Contest! by AlejandroTejadaC · · Score: 1

    Why every bug should be named by the same people? Make a Name Contest for each bug and raise public awareness still more, about their real danger!!!

  4. Name them like hurricanes by davydagger · · Score: 3, Interesting
    I think they are similar to hurricanes in many regards, and I propose we name them as such.

    Start alphabetically, and with a long list of random names (take randomly from US+other census data, or other large pools), and each successive vulernbility gets the next name from the list, no exceptions.

    Not only did this work for hurricanes, this is actually how the US Government has decided on operation names for a while:
    How the US Army choses operation names

    1. Re:Name them like hurricanes by the_other_chewey · · Score: 2

      Start alphabetically, and with a long list of random names (take randomly from US+other census data, or other large pools), and each successive vulernbility gets the next name from the list, no exceptions.

      Not only did this work for hurricanes, this is actually how the US Government has decided on operation names for a while: How the US Army choses operation names

      You should read the articles you link to. They used to use random names, but they don't anymore, for PR reasons.

      "Just Cause", "Desert Shield", "Provide Comfort", "Northern Watch", "Desert Fox", "Desert Freedom", "Desert Storm", "Iraqi Freedom", "Enduring Freedom", ...

      Really not that random.

    2. Re:Name them like hurricanes by radarskiy · · Score: 1

      The point of those naming regimes is specifically to a) carry no implicit information and to be a pure identifier while b) still being pronounceable and memorable. What are advantageous of a) in the case of security vulnerabilities?

    3. Re:Name them like hurricanes by HiThere · · Score: 1

      The main advantage is that most of them are too complex to be explained, or even pointed to, in a couple of words. And more than once the understanding of the bug and its effects has changed after the name was assigned.

      --

      I think we've pushed this "anyone can grow up to be president" thing too far.
  5. WAGTD by sinij · · Score: 2

    Next vulnerability name - WAGTD (We all going to die!!!)

  6. Vulns? by tompaulco · · Score: 1

    noun: vuln; plural noun: vulns
    a vulnerability, especially one associated with computer security.

    According to Google, this usage of the word vuln has not been used much since the 1840s. Get with the times people!
    Apparently, computer viruses were a big thing back then.

    --
    If you are not allowed to question your government then the government has answered your question.
    1. Re:Vulns? by Hognoxious · · Score: 1

      The only usage I'm aware of is as a verb, and that's only used in heraldry, and even then only when referring to pelicans. Slightly obscure.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
  7. Red headed step children by Anonymous Coward · · Score: 1

    Sorry but this term is quite offensive, and they way it's being used with the author's poor attempt to be cool is worrying. For those who think it's amusing, replace "red headed" with "black" in the same phrase, see what kind of uproar you get from the community.

  8. Re:is Microsoft behind it? by GuB-42 · · Score: 1

    - Linux has a greater market share in critical systems
    - Linux is expected to be more secure than Windows
    - Being a closed system, there isn't much you can do in Windows beside waiting the patch from MS. Linux is community based and more attention results in faster response.
    - Vulnerabilities like heartbleed are not linux-specific. OpenSSL may be used on many OSes including Windows.

  9. richter scale needed by e**(i+pi)-1 · · Score: 1

    Giving names is often part of propaganda. This is common in politics. No surprise that this happens in industries where lots of money is. Giving catchy names to vulnerabilities certainly was effective to raise awareness but once the storm is over people care even less or become immune. Especially if propaganda is evident, it does not work any more. Heartbleed was serious, but totally over hyped by the media, with poodle it worked less, with shellshock it was already pathetic Its best to keep being informed by trusted sources like Cert. What would be nice to know is a scale analogue to a Richter scale in earthquakes with a well defined gauge, taking into account how much damage the bug or malware has created, how many systems were affected in total, taking into account also a relative number.

  10. NEW? by darkain · · Score: 1

    "Heartbleed set the trend early this year"

    Wait, this is NEW!? http://en.wikipedia.org/wiki/B...

    1. Re:NEW? by darkain · · Score: 1

      And to go beyond my computing age, let's have something a little older: http://en.wikipedia.org/wiki/B...

    2. Re:NEW? by SeaFox · · Score: 1

      This is a ZDNet article. Their average reader doesn't have the attention span to remember back that far.

    3. Re:NEW? by Dutch+Gun · · Score: 1

      Viruses and trojans have been named for a long time. This is naming the actual vulnerability, not the exploiting/malicious code, so yes, it's actually different.

      --
      Irony: Agile development has too much intertia to be abandoned now.
  11. Shellshock doesn't make sense. by steelfood · · Score: 1

    Shellshock was a terrible name. Not all shells were vulnerable (especially not non-unix shells), only bash. The name for the vulnerability's name should've had "bash" in it at least.

    Heartbleed actually sounds physiologically dangerous. Shellshock (and some of the other names) sounds unfortunate. In fact, Poodle actually sounds cute...

    --
    "If a nation expects to be ignorant and free in a state of civilization, it expects what never was and never will be."
  12. Re:What's the point? by Lunix+Nutcase · · Score: 1

    Most OpenSSL developers are FIPS contractors. Working for free in their spare time? Hardly.

  13. Re:I have HIV by davester666 · · Score: 1

    putting a patch over that vulnerability results in a lot of other problems.

    --
    Sleep your way to a whiter smile...date a dentist!
  14. Demote 99% of the vulnerabilities by Burz · · Score: 1

    Keep all the complex interfaces and code if you need them, but put them behind very small paravirtualization codebase ingrained into the OS which keeps them isolated -- from the core system, and from each other. Really, even your devices like USB controllers and NICs can be treated as untrusted in this way if you have an IOMMU. And you can have it in a normal desktop GUI.

    Kernel-implemented security is a failure; Its ridiculous to go through continued years & decades of pain by relying on it and worrying about breakouts from its weak sandboxing tactics.

  15. Branding disasters by Taco+Cowboy · · Score: 1

    Nowadays they do assign names to typhoons / hurricanes, and TFA gives me an idea ... why stop at branding vulnerabilities when we can branding disasters?

    All we need to do is to supply a meme, a logo, a theme song, ... and we can even throw in a new aerobic dance step as a bonus!

    Anyone thinks such a venture might sell? How about we crowdsource our funding @ www.kickstarter.com?

    --
    Muchas Gracias, Señor Edward Snowden !
  16. Only the incompetent need the media to inform them by uolamer · · Score: 1

    A lot of people have no business being in charge of the security of a server. Those are the same people who need the media to bring an exploit to their attention. They might fix Heartbleed but they never fix CVE-2014-wxyz and others and their server is probably already compromised or could be anyway. Some of the hackers will help keep your system up to date, since they don't want some other hacker taking one of "their" servers.

    I found Heartbleed very simplistic and how it went unnoticed for so long is impressive. Why the hell did it let you specify the number of characters to send back and never check that? https://xkcd.com/1354/

    --
    s/©//g
  17. Re:I have HIV by jones_supa · · Score: 1

    A content-aware firewall made of rubber is the professional solution.

  18. Re:is Microsoft behind it? by jones_supa · · Score: 1

    Linux is community based and more attention results in faster response.

    Hah hah! That is no guarantee. Very often the "response" is just crickets chirping. The actual benefit of Linux is that you can hire your own engineers to write code to the kernel or other open source components.