funsec mailing list archives
Re: CME: A Total Failure -- Throw in the Towel
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 13 Mar 2006 00:04:50 +1300
Alexander Sotirov to me:
I have not followed the AV industry very closely, ...
So we may expect your comments to be relevant how?
... but I use the CVE dictionary every day. ...
I'm sure that's nice for you.
... Its main achievement is that it provides a common identifier for each vulnerability, and this identifier can be used to cross-reference multiple vulnerability databases with otherwise incompatible naming schemes. It doesn't matter that Microsoft, ISS, OSVDB, CERT and everybody else out there uses their own identifiers (we at Determina do too), as long as they include the CVE id so that I know that they are talking about the same thing.
Yawn... Are you going to tell me something interesting about CVE I don't already know? Better yet, something I didn't know _years_ ago??
Of course, getting the media to adopt CME names is impossible, but who cares about what the media calls a virus? The important thing for the security professionals is to have a unique identifier that we can use to talk about these things.
In the trivial numbers the "vulnerability" world deals with, I agree that that is nice. But unlike vulnerabilities, malware is (mostly) very short-lived and the _main effect_ of the naming confusion surrounding any "topical" malware is experienced _very early_ in the "publicity cycle" of the malware. That is, before it is well-known that what Vendor A calls Grew.A and what Vendor B calls Blakmal.E and what Vendor C calls Blackmal.F and what seven other vendors call seven other things is all, actually, the same thing, it can be really useful to know that these are all the same because all vendors also cross-reference those 10+ names as CME-123. The trick in making this both useful _AND_ manageable is deciding what malware is "important enough" to warrant being given a CME identifier. But, as you openly admit, you have no idea what happens in the AV (virus, Trojans, etc.) world. We deal with as many new things a week as your industry segment deals with in three months (and that's a damn slow week for us and the busiest quarter in history for the vulnerability folk). Unlike CVE, if CME is to be anywhere near "complete" the folk running it will have to have much more than an acceptably broad knowledge of general computer security issues. They will have to have a well-tuned understanding of _all_ the finer workings of all manner of malware and associated issues. Long before enough of them develop those skills to be totally useful to CME, they will find much more highly rewarded, complex and challenging employment in the AV industry (or closely related areas).
Even if the AV vendors refuse to include the CME ids in their databases, CME would still provide a very valuable service. If you have a vendor-specific malware name, you can go to http://cme.mitre.org/data/list.html and search for that name. You will find the CME entry, which will list all other names of this malware, essentially providing a translation service.
Hahahahahahahaha... Seriously -- that comment alone shows so little idea of what the malware naming problem is, I am not going to waste my time trying to begin to explain to you the multiple, massive errors in the multiple, flawed assumptions hidden in it.

I was _very_ skeptical from the outset that "modelling" the "CME" name after "CVE" was a good idea. In fact, I thought it was a terrible mistake for _exactly_ the reasons that your comments above expose. I'll make it easy for you -- CME =/= "CVE for malware". Never was intended for that, never will be that no matter how much a few misguided souls at MITRE might think that it could be a possible goal for them to achieve.

_I_ am not being obstructive -- despite working _in_ the AV industry I honestly believe that the malware naming problem can (mostly) be "solved". Further, I'm fairly sure I know the only way it can happen any time soon (I can see all kinds of other solutions that will "work" after a fashion, but they depend on all kinds of other much less likely scenarios coming into effect than we already have) and CME is not only not it, but far, far, far from what is likely to have a chance (but that doesn't matter for CME's purposes as CME is not intended to fix the naming problem and, at least for now, is the only thing the major AV developers seem at all willing to cooperate with).

Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
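The "translation service" that the quoted message describes (vendor name in, common id and all other vendor names out), worked through as an added example. This is not code from the thread or from MITRE's CME project; the entry data is constructed from the example names used in the message (CME-123 with Grew.A, Blakmal.E and Blackmal.F), plus a hypothetical second entry that reuses one of those vendor names, so the resolver has to report an ambiguous alias instead of quietly picking one id. Names that are not in the list yet, which the reply argues is the normal state for fresh malware, come back empty rather than as a guess.

```python
"""Resolve vendor-specific malware names to a common (CME-style) identifier.

Added illustration, not code from the funsec thread or from MITRE's CME
project. CME_ENTRIES is constructed: CME-123 and its three vendor names are
the examples used in the thread; "CME-EXAMPLE-1" is a hypothetical placeholder
entry included only to exercise the ambiguous-alias path.
"""
from collections import defaultdict

# Constructed sample of a CME-style entry list: common id -> (vendor, vendor name).
CME_ENTRIES = {
    "CME-123": [
        ("Vendor A", "Grew.A"),
        ("Vendor B", "Blakmal.E"),
        ("Vendor C", "Blackmal.F"),
    ],
    "CME-EXAMPLE-1": [                 # hypothetical entry (placeholder id)
        ("Vendor A", "Grew.B"),
        ("Vendor B", "Blakmal.E"),     # same vendor name as CME-123: ambiguous
    ],
}


def normalize(name: str) -> str:
    """Case-fold and trim so lookups tolerate trivial spelling differences only."""
    return name.strip().casefold()


def build_index(entries):
    """Invert the entry list into normalized vendor name -> set of common ids.

    A set, not a single id, is stored on purpose: nothing guarantees that a
    vendor's name string is unique across entries, and a resolver that picked
    one silently would recreate the confusion the common id is meant to remove.
    """
    index = defaultdict(set)
    for cme_id, names in entries.items():
        for _vendor, vendor_name in names:
            index[normalize(vendor_name)].add(cme_id)
    return index


def resolve(vendor_name, entries=CME_ENTRIES):
    """Translate one vendor name into (matching common ids, all known aliases).

    Both lists are sorted for stable output. Two empty lists mean the name is
    not in the list at all; more than one id means the name is ambiguous and
    the caller must disambiguate by other means (sample hash, vendor, date).
    """
    index = build_index(entries)
    cme_ids = sorted(index.get(normalize(vendor_name), ()))
    aliases = sorted(alias for cid in cme_ids for alias in entries[cid])
    return cme_ids, aliases


def classify(vendor_name, entries=CME_ENTRIES):
    """Summarize a lookup as 'unknown', 'ok' or 'ambiguous' for reporting."""
    cme_ids, _ = resolve(vendor_name, entries)
    if not cme_ids:
        return "unknown"
    return "ok" if len(cme_ids) == 1 else "ambiguous"


if __name__ == "__main__":
    # "Example.Z" is a made-up name that is deliberately absent from the list.
    for query in ("blackmal.f", "Blakmal.E", "Example.Z"):
        ids, aliases = resolve(query)
        print(f"{query:12s} -> {ids} [{classify(query)}]")
        for vendor, name in aliases:
            print(f"    {vendor}: {name}")
```

The index is rebuilt on every call, which is fine for a list this small; a production lookup would build it once and refresh it when the upstream list changes. The important design point is the set-valued index: a cross-reference that can only return one id cannot tell you when the vendor name you were handed is itself overloaded.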