The People Who Are Branding Vulnerabilities

antdude points out a story at ZDNet about how the naming of security vulnerabilities and exploits has evolved into branding and awareness campaigns. Heartbleed set the trend early this year, having a distinct name and logo to represent a serious security problem. It seemed to work; the underlying bug got massive exposure, even in the mainstream media. This raises a new set of issues — should the response to the disclosure of a vulnerability be dependent on how catchy its name is? No, but it probably will be. Heartbleed charmed the public, and in a way, it was designed to do so. By comparison Shellshock, POODLE (aka the clumsy "Poodlebleed"), Sandworm, the secretively named Rootpipe, Winshock, and other vulns seem like proverbial "red headed stepchildren" — despite the fact that each of these vulns is a critical issue, some are worse than Heartbleed, and all needed fast responses. The next "big bug" after Heartbleed was Shellshock — real name CVE-2014-6271. Shellshock didn't have a company's pocketbook or marketing team behind it. So, despite the fact that many said Shellshock was worse than Heartbleed (rated high on severity but low on complexity, making it easy for attackers), creating a celebrity out of Shellshock faced an uphill climb.
  • Fuck That Shit (Score:2, Informative)

    by sexconker ( 1179573 )

    Fuck naming shit to appeal to the plebes and media. It's not a popularity contest. It's a fucking security vulnerability that needs to be patched. You don't get points for media mentions.

    If you want to think up shitty names for shit you have two options:
    1: Go work for some Congressman's lawyer's office and think up names for bills that mean the complete opposite of what the bill actually does.
    2: Go work for the restaurant industry and come up with fresh and creative hits that can stand alongside "Awesome Bl

    • Re:Fuck That Shit (Score:4, Insightful)

      by thegarbz ( 1787294 ) on Tuesday November 25, 2014 @10:14PM (#48464039)

      You don't get points for media mentions.

      You're right. You don't get points. You get funding and awareness which is far more important.

      • by grcumb ( 781340 )

        You don't get points for media mentions.

        You're right. You don't get points. You get funding and awareness which is far more important.

        Not necessarily. If the vulnerability du jour is catching media attention the way Ebola did, then you're probably not doing work you should be doing because you've got a CEO who just publicly pronounced that not one of your customers ever is going to get $EBOLA because of you. And suddenly your entire development cycle is in ruins, every manager everywhere has to explain in voluminous detail why his business unit will not be the cause of the next $EBOLA crisis, consultants will be hired to waste your time c

        • by s.petry ( 762400 )

          The people doing the branding of these things are often vultures trying to scavenge money. (You could say garnering reputation, but the ultimate purpose is identical). Media latches on to anything that sounds catchy and pushes today's agenda. Fear mongering is a good thing to the authoritarians who offer us a rescue from the bogey man at every turn.

          We had the one guy this year claiming to have billions of email addresses and passwords he "stole" acquired from "Russian Hackers!!!11!!!ONE!!". To see if yo

        • Wait. Are you saying that being able to justify why your programs don't relate or contain certain bugs is so hard that it is financially crippling for your project to go ahead? If that's the case maybe your project SHOULD be under this level of scrutiny, and your distracting dog put down for good measure.

          No the problem is that a lot of the bugs get glossed over. If something is serious and marketed in a way that people know it's serious it gets attention. CVEs get published all the time for systems we get f

          • by HiThere ( 15173 )

            How do you explain to a nervous boss who doesn't program that your program isn't going to be affected? Some people won't be reassured, and also won't understand. And they can always find someone to justify their fears.

            My old boss came up through programming. I got a new boss. After a couple of years I decided to take early retirement. Some people you just can't explain things to...especially in areas they're ignorant of. (I'm willing to accept that he was a good accountant.)

            • You can't, but not every boss is an idiot boss despite what Dilbert says.

              I don't blame you that you took early retirement if your boss thinks he's technical but isn't. The worst thing any boss can do is not know something and then not listen to the deferred advice for experts.

              So far I've been lucky. Either my boss has known more than me, or my boss has trusted my judgement to do what I was hired to do, and hasn't taken it upon himself to try and understand every technicality.

              One of the other departments at

    • Fuck naming shit to appeal to the plebes and media. It's not a popularity contest. It's a fucking security vulnerability that needs to be patched. You don't get points for media mentions.

      If you want to think up shitty names for shit you have two options:
      1: Go work for some Congressman's lawyer's office and think up names for bills that mean the complete opposite of what the bill actually does.
      2: Go work for the restaurant industry and come up with fresh and creative hits that can stand alongside "Awesome Blossom", "Crispy Honey-Chipotle Chicken Crispers", "Razz-Ma-Tazz Raspberry Iced Tea", and "Yummy Nummy Chicken Drummies".

      Ah... you're yet another person that would like to believe we should treat people how they should act, rather than treat them how they really act in the hopes they'll change as a result. Good luck with that.

    • by tlhIngan ( 30335 )

      Fuck naming shit to appeal to the plebes and media. It's not a popularity contest. It's a fucking security vulnerability that needs to be patched. You don't get points for media mentions.

      I know, I mean, if they didn't call it "heartbleed" there would be millions of easily exploitable servers and security appliances out there to rip data from. instead they had to get media attention and force people to actually examine their systems and update them. After all, a few months later about 80% of vulnerable machin

    • It is in your interest for everyone else to be prompted to respond to security issues, by whatever means is available, the same way it is in everyone else's interest for you to be prompted to respond to security issues. For example, how many people found all instances of the "Heartbleed" bug that affected them by code review? Did you?

      Self-righteousness is not a security protocol.

  • Look, we all know we all are vulnerable. Naming helps people determine how much armor we need to deploy. Vulnerabilities that aim to fuck us up the ass need especially thick armor.

  • Why should every bug be named by the same people? Make a Name Contest for each bug and raise public awareness still more, about their real danger!!!
  • by davydagger ( 2566757 ) on Tuesday November 25, 2014 @09:01PM (#48463683)
    I think they are similar to hurricanes in many regards, and I propose we name them as such.

    Start alphabetically, and with a long list of random names (taken randomly from US+other census data, or other large pools), and each successive vulnerability gets the next name from the list, no exceptions.

    Not only did this work for hurricanes, this is actually how the US Government has decided on operation names for a while:
    How the US Army chooses operation names [wisegeek.com]

    • Start alphabetically, and with a long list of random names (taken randomly from US+other census data, or other large pools), and each successive vulnerability gets the next name from the list, no exceptions.

      Not only did this work for hurricanes, this is actually how the US Government has decided on operation names for a while: How the US Army chooses operation names [wisegeek.com]

      You should read the articles you link to. They used to use random names, but they don't anymore, for PR reasons.

      "Just Cause", "Desert Shield", "Provide Comfort", "Northern Watch", "Desert Fox", "Desert Freedom", "Desert Storm", "Iraqi Freedom", "Enduring Freedom", ...

      Really not that random.

    • The point of those naming regimes is specifically to a) carry no implicit information and be a pure identifier while b) still being pronounceable and memorable. What are the advantages of a) in the case of security vulnerabilities?

      • by HiThere ( 15173 )

        The main advantage is that most of them are too complex to be explained, or even pointed to, in a couple of words. And more than once the understanding of the bug and its effects has changed after the name was assigned.

  • by sinij ( 911942 ) on Tuesday November 25, 2014 @09:12PM (#48463737)
    Next vulnerability name - WAGTD (We all going to die!!!)
  • noun: vuln; plural noun: vulns
    a vulnerability, especially one associated with computer security.

    According to Google, this usage of the word vuln has not been used much since the 1840s. Get with the times people!
    Apparently, computer viruses were a big thing back then.
    • The only usage I'm aware of is as a verb, and that's only used in heraldry, and even then only when referring to pelicans. Slightly obscure.

  • by Anonymous Coward

    Sorry but this term is quite offensive, and the way it's being used with the author's poor attempt to be cool is worrying. For those who think it's amusing, replace "red headed" with "black" in the same phrase, see what kind of uproar you get from the community.

  • Giving names is often part of propaganda. This is common in politics. No surprise that this happens in industries where lots of money is. Giving catchy names to vulnerabilities certainly was effective to raise awareness, but once the storm is over people care even less or become immune. Especially if propaganda is evident, it does not work any more. Heartbleed was serious, but totally over hyped by the media; with POODLE it worked less, with Shellshock it was already pathetic. It's best to keep being informed
  • "Heartbleed set the trend early this year"

    Wait, this is NEW!? http://en.wikipedia.org/wiki/B... [wikipedia.org]

  • Shellshock was a terrible name. Not all shells were vulnerable (especially not non-unix shells), only bash. The vulnerability's name should've had "bash" in it at least.

    Heartbleed actually sounds physiologically dangerous. Shellshock (and some of the other names) sounds unfortunate. In fact, Poodle actually sounds cute...

  • Keep all the complex interfaces and code if you need them, but put them behind a very small paravirtualization codebase [qubes-os.org] ingrained into the OS which keeps them isolated -- from the core system, and from each other. Really, even your devices like USB controllers and NICs can be treated as untrusted in this way if you have an IOMMU. And you can have it in a normal desktop GUI.

    Kernel-implemented security is a failure; it's ridiculous to go through continued years & decades of pain by relying on it and worrying

  • A lot of people have no business being in charge of the security of a server. Those are the same people who need the media to bring an exploit to their attention. They might fix Heartbleed but they never fix CVE-2014-wxyz and others and their server is probably already compromised or could be anyway. Some of the hackers will help keep your system up to date, since they don't want some other hacker taking one of "their" servers.

    I found Heartbleed very simplistic and how it went unnoticed for so long is impre
