Re: Rant: Common Malware Enumeration (CME) gets mixed recepti on

["Fergie (Paul Ferguson)" <fergdawg () netzero net>]

Completely agreed -- as I mentioned earlier, it will be nice
to have common naming convention cross-reference ability.

The problem here (and perhaps not really a big problem) is the
target audiences are hugely different.

The CVE audience is a much smaller, specialized group of people.

The CME audience is a huge, public consumer audience, that is
trying to make sense of the security scare tactics. ;-)

Or perhaps I'm wrong, and that isn't the target audience.... :-)

- ferg


-- Florian Weimer <fw () deneb enyo de> wrote:

> For example, F-Secure mentioned that one of the newest Sober
> variants this morning had been assigned CME-151. Meanwhile,
> McAFee makes an AVERT announcement about a similar Sober variant
> that they feel warrants alerting their AVERT subscribers. However,
> if you go to the CME webpage, there is no listing for it, or any
> number of others.

Just like CVE, and it's not a real problem.  I don't think malware
life cycles are significantly shorter than vulnerability life cycles,
and you can always provide local description/cross references in your
own application, until the official ones are ready (the Debian testing
security team does this for CVE).

The real benefit is not the data MITRE provides, but the naming
service.  With CVE or CME, you can join information from completely
different databases.  For example, if you assign CVE names to your
security bugs, you can automatically tell your users if they are
remotely exploitable, simply by fetching the data from NVD (the NIST
iCAT successor).


--
"Fergie", a.k.a. Paul Ferguson
 Engineering Architecture for the Internet
 fergdawg () netzero net or fergdawg () sbcglobal net
 ferg's tech blog: http://fergdawg.blogspot.com/

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.