oss-sec mailing list archives
Re: Concerns about CVE coverage shrinking - direct impact to researchers/companies
From: "op7ic \x00" <op7ica () gmail com>
Date: Sun, 6 Mar 2016 15:47:19 +0000
Agree, the vanity hunting is going to be there, but I suppose as with any bug ID that is going to happen. But beyond that I don't think it matters as much. At the end of the day, if somebody can use OVI or OVE to identify their bug, then at least we've got some level of reference to look it up on Google. I was toying with 4-digit IDs that would be random enough; that's a possibility too. The only problem is that there is an overhead of doing DB sorting and lookups to make sure they don't clash. That's why OVI uses sequential numbers - it's just easier to manage.

Cheers,

On Sun, Mar 6, 2016 at 3:09 PM, Solar Designer <solar () openwall com> wrote:
> On Sun, Mar 06, 2016 at 12:39:46PM +0000, op7ic x00 wrote:
> > www.freeovi.com -> it does have a big `blue' button.
>
> Oh, I wasn't aware of it, and a Google search for "freeovi" or "ovi id" finds only irrelevant stuff now. I think it was not publicized enough. Also, there's a name clash of "freeovi" with some old Nokia maps stuff.
>
> As to the button (non-)issue, I brought it to a Twitter poll. Of course, it's not the same crowd as oss-security, but I want to get an overall picture of how strongly people feel in favor of not wasting IDs, without spamming this list with "+1" replies:
>
> https://twitter.com/solardiz/status/706488297242140672
>
> In fact, there are pretty strong results after a few minutes already.
>
> One of my concerns was that people would be hunting for vanity OVE IDs. I didn't want to encourage waste of time on that, nor attempts to increase the counter up to a pretty-looking number. The latter is one of the reasons why I chose to include the full date rather than just the year - this makes numbers like 7777 less valuable, since there's one of each of those every day. (Another reason to include the full date is that it may sometimes provide some insight into disclosure timelines, even if not reliably. I suspect some people won't like that, though.) I think OVI, if it gains popularity and is not adjusted, is far more "vulnerable" to such vanity ID hunting.
>
> Also, having the IDs increase up to a few thousand on each normal day may discourage deliberate/malicious attempts to do so, and people trying to skip IDs on such days and come back for lower IDs tomorrow. However, there appears to be a psychological aspect with spilling unrequested IDs on the page. It makes many people feel sorry. I think I underestimated that. (Another workaround would be to use randomized yet 4-digit IDs, but being able to get some sequential IDs is very nice for assigning them to related vulnerabilities. This is why the page currently spills 10 IDs at once on a second page load from the same IP address, and a few times more, as long as the current ID is sufficiently below 9999 to allow for this generosity.)
>
> Alexander
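The two allocation strategies weighed in this exchange (a per-day sequential counter that can hand out runs of related IDs, versus random 4-digit IDs that need a clash check on every draw) are easy to compare in code. The block below is an added illustration, not code from OVE, OVI or anyone in this thread; the ID layout `PREFIX-YYYYMMDD-NNNN` is an assumption modelled on the "full date plus a number up to 9999" described above, and the `OVE` prefix is used only as a label.

```python
import datetime
import random
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed layout (illustrative, not taken from the OVE/OVI sites): PREFIX-YYYYMMDD-NNNN
ID_MAX = 9999  # four-digit space that is reset every day, as discussed in the thread
ID_RE = re.compile(r"^([A-Z]+)-(\d{8})-(\d{4})$")


def _stamp(day: Optional[datetime.date]) -> str:
    """Render the date component; defaults to today for a live allocator."""
    return (day or datetime.date.today()).strftime("%Y%m%d")


@dataclass
class SequentialAllocator:
    """Per-day counter: cheap to manage and able to hand out consecutive runs."""
    prefix: str = "OVE"
    _day: str = ""      # date component of the day currently being served
    _next: int = 1      # next unused number on that day

    def allocate(self, count: int = 1, day: Optional[datetime.date] = None) -> List[str]:
        """Return `count` consecutive IDs, rolling the counter over on a new day.

        Refuses rather than wrapping when the day's 1..9999 space would overflow,
        so an allocator never silently re-issues an ID.
        """
        stamp = _stamp(day)
        if stamp != self._day:
            self._day, self._next = stamp, 1
        if count < 1 or self._next + count - 1 > ID_MAX:
            left = ID_MAX - self._next + 1
            raise ValueError(f"cannot allocate {count} IDs; {left} left on {stamp}")
        ids = [f"{self.prefix}-{stamp}-{n:04d}" for n in range(self._next, self._next + count)]
        self._next += count
        return ids


@dataclass
class RandomAllocator:
    """Random 4-digit IDs: no vanity counter to chase, but every draw needs a clash lookup."""
    prefix: str = "OVE"
    rng: random.Random = field(default_factory=random.Random)
    _used: Dict[str, Set[int]] = field(default_factory=dict)  # stands in for the DB index

    def allocate(self, day: Optional[datetime.date] = None) -> str:
        """Draw numbers until one is unused for the day; refuse once the day is exhausted."""
        stamp = _stamp(day)
        used = self._used.setdefault(stamp, set())
        if len(used) >= ID_MAX:
            raise ValueError(f"ID space for {stamp} exhausted")
        while True:  # this loop is the "make sure they don't clash" overhead
            n = self.rng.randint(1, ID_MAX)
            if n not in used:
                used.add(n)
                return f"{self.prefix}-{stamp}-{n:04d}"


def parse_id(text: str) -> Optional[Tuple[datetime.date, int]]:
    """Validate an ID and return (date, number), or None if it is malformed.

    The date component is what lets a reader reconstruct a rough disclosure
    timeline from the identifier alone.
    """
    m = ID_RE.match(text)
    if not m:
        return None
    try:
        day = datetime.datetime.strptime(m.group(2), "%Y%m%d").date()
    except ValueError:
        return None
    n = int(m.group(3))
    if not 1 <= n <= ID_MAX:
        return None
    return day, n


if __name__ == "__main__":
    d = datetime.date(2016, 3, 6)
    seq = SequentialAllocator()
    print(seq.allocate(3, d))                 # three related IDs in one run
    rnd = RandomAllocator(rng=random.Random(1))
    print([rnd.allocate(d) for _ in range(3)])
    print(parse_id("OVE-20160306-0042"))
```

Note how `RandomAllocator` keeps a per-day set purely to reject duplicates; with a real database that is an indexed lookup per draw, which is the management cost the sequential scheme avoids, and the sequential scheme is also the only one that can satisfy a request for several consecutive IDs for related issues.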