funsec mailing list archives

Re: CME: A Total Failure -- Throw in the Towel


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 13 Mar 2006 00:04:50 +1300

Alexander Sotirov to me:

> I have not followed the AV industry very closely, ...

So we may expect your comments to be relevant how?

> ... but I use the CVE dictionary
> every day.  ...

I'm sure that's nice for you.

> ...  Its main achievement is that it provides a common identifier for each
> vulnerability, and this identifier can be used to cross-reference multiple
> vulnerability databases with otherwise incompatible naming schemes. It doesn't
> matter that Microsoft, ISS, OSVDB, CERT and everybody else out there uses their
> own identifiers (we at Determina do too), as long as they include the CVE id so
> that I know that they are talking about the same thing.

Yawn...

Are you going to tell me something interesting about CVE I don't 
already know?

Better yet, something I didn't know _years_ ago??

> Of course, getting the media to adopt CME names is impossible, but who cares
> about what the media calls a virus? The important thing for the security
> professionals is to have a unique identifier that we can use to talk about these
> things.

In the trivial numbers the "vulnerability" world deals with, I agree 
that that is nice.

But unlike vulnerabilities, malware is (mostly) very short-lived and the 
_main effect_ of the naming confusion surrounding any "topical" malware 
is experienced _very early_ in the "publicity cycle" of the malware.  That 
is, before it is well-known that what Vendor A calls Grew.A and what 
vendor B calls Blakmal.E and what vendor C calls Blackmal.F and what 
seven other vendors call seven other things is all, actually, the same 
thing, it can be really useful to know that these are all the same 
because all vendors also cross-reference those 10+ names as CME-123.

The trick in making this both useful _AND_ manageable is deciding what 
malware is "important enough" to warrant being given a CME identifier.

But, as you openly admit, you have no idea what happens in the AV 
(virus, Trojans, etc) world.  We deal with as many new things a week as 
your industry segment deals with in three months (and that's a damn 
slow week for us and the busiest quarter in history for the 
vulnerability folk).

Unlike CVE, if CME is to be anywhere near "complete" the folk running 
it will have to have much more than an acceptably broad knowledge of 
general computer security issues.  They will have to have well-tuned 
understanding of _all_ the finer workings of all manner of malware and 
associated issues.  Long before enough of them develop those skills to 
be totally useful to CME, they will find much more highly rewarded, 
complex and challenging employment in the AV industry (or closely 
related areas).

> Even if the AV vendors refuse to include the CME ids in their databases, CME would
> still provide a very valuable service. If you have a vendor specific malware
> name, you can go to http://cme.mitre.org/data/list.html and search for that
> name. You will find the CME entry, which will list all other names of this
> malware, essentially providing a translation service.

Hahahahahahahaha...

Seriously -- that comment alone shows so little idea of what the 
malware naming problem is, I am not going to waste my time trying to 
begin to explain to you the multiple, massive errors in multiple, 
flawed assumptions hidden in it.

I was _very_ skeptical from the outset that "modelling" the "CME" name 
after "CVE" was a good idea.  In fact, I thought it was a terrible 
mistake for _exactly_ the reasons that your comments above expose.

I'll make it easy for you -- CME =/= "CVE for malware".  Never was 
intended for that, never will be that no matter how much a few 
misguided souls at MITRE might think that it could be a possible goal 
for them to achieve.

_I_ am not being obstructive -- despite working _in_ the AV industry I 
honestly believe that the malware naming problem can (mostly) be 
"solved".  Further, I'm fairly sure I know the only way it can happen 
any time soon (I can see all kinds of other solutions that will "work" 
after a fashion, but they depend on all kinds of other much less likely 
scenarios coming into effect than we already have) and CME is not only 
not it, but far, far, far from what is likely to have a chance (but 
that doesn't matter for CME's purposes as CME is not intended to fix 
the naming problem and, at least for now, is the only thing the major 
AV developers seem at all willing to cooperate with).


Regards,

Nick FitzGerald

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.