funsec mailing list archives

Re: CME: A Total Failure -- Throw in the Towel


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 13 Mar 2006 00:04:49 +1300

Blue Boar (to me, if you believe "References: 
<44141D51.14049.55218607 () nick virus-l demon co uk>"):

> So what is the failure exactly?  ...

I didn't say that _CME_ was a failure (the AV industry's incessant 
rebellion against even thinking about how it could try to fix the 
naming problem _IS_ a failure, but CME hasn't a hope in hell of 
addressing that, and the MITRE folk are now pretty much painfully aware 
of that...).

> ...  Were you expecting the CME numbers to be 
> a substitute for the existing naming conventions?  ...

Me -- no, not at all.

_I_ reckoned that _perhaps_ what CME was aiming for might be achievable 
_AND_ probably that might be (just) enough for most AV (corporate) 
customers (most of the time).  (I also saw trouble in getting proper 
media understanding of the intent, objective and expected outcome, but 
that had little to do with the intended/hoped for outcomes per se, and 
much to do with dealing with the media...).

> ...  I can't speak for the 
> CME guys, ...

Neither, directly, can I, but I am on the "advisory board" and arguably 
one of the more "experienced" advisors to the CME effort.

> ... but I think that wasn't a goal.  ...

And, as I thought I was communicating in my message, you'd be right.  
As _I_ understand it, CME does not intend, and was not expected, by its 
backers, to "fix" the "naming problem".

> ...  If I am able to determine 
> that two malware names refer to the same thing because they have the 
> same CME number, then it's a success as far as I'm concerned.  ...

And _that_ was, pretty much, the expected "major usefulness" of CME, so 
according to your testimony, CME is a success, despite Ferg's, Lemos', 
etc suggestion to the contrary...

> ...  I get the 
> impression that they haven't kept up with the volume well; that would be 
> the only failure I could see.

Ahhh -- well, there is some tension between those that would like to 
see CME cover "everything, or at least 'everything important'" and 
those who have a grasp on the pragmatics.

The problem is, of course, that _anything_ some arbitrary Jo[e] Bloggs' 
(or his/her client) considers "everything important" quickly adds up to 
so much of "everything" that CME would have to cover so close to 
"everything" that it would not be manageable or useful (as it is, CME 
certainly will not scale to anything within a couple of orders of 
magnitude of "everything").

Yes, CME can deal with more than it currently does, but working out 
what _most usefully_ comprises that "more" is _really_ tricky...


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
