undefined | Better HN

0 pointstptacek2y ago0 comments

It does not matter, because the signal was never there or meant to be there to begin with. CVEs solve a problem of multiple researchers and developers talking past each other about the same vulnerability (or vulnerable subsystem or line of code). It has never been a reliable enumeration of vulnerabilities. Organizations triaging CVEs line-by-line are abusing the system. The system should not bend itself to accommodate that abuse; that just harms everybody else who isn't abusing it.

0 comments

14 comments · 3 top-level

tsujamin2y ago· 5 in thread

you’re missing the CVSS aspect which is intrinsically tied to CVE issuance (atleast when issued through the CNA-LR). It’s not _just_ an identifier, it’s a entirely valid and useful tool of triage and classification

lokar2y ago

For me, CVSS and the people who use it lost all credibility when they asked my team for a urgent update to patch… a pcmcia bug in the kernel of our EC2 instances.

tptacekOP2y ago

It's so easy to come up with stories about this that you don't really even need examples. I think everybody just sort of understands that if you put CVSS to the test, it would be ludicrously easy to stack two 8.0+ vulnerabilities next to each other with wildly different severity.

tptacekOP2y ago

CVSS is a Ouija board. Nobody takes it seriously. It was also introduced long after CVEs were. And even if it was meaningful --- it isn't, but stipulate --- it wouldn't change the fundamental point of CVEs.

tsujamin2y ago

CVSS as practiced sucks sometimes, the rules around not chaining vulnerabilities to up a score are rarely followed, but as specified it’s actually a good system.

Undercutting my own point though, it doesn’t hurt to rerun a calculation if you think the public vectors is “lacking” or if temporal/environmental metrics matter in your context

1 more reply

worthless-trash2y ago

Where is upstreams CVSS score ?

arp2422y ago· 3 in thread

This reminds me a little bit of the people saying things like "actually, Java is not "True Object Oriented™* because it's not about messaging like in Smalltalk", and things like that. Well, okay, fine, but it seems undisputable that the phrase "Object Oriented" is used to describe OOP as implemented in Java. When millions of people understand a term "wrong", then that becomes "correct" on virtue of it being so widely used. I mean, modern English is just old English spoken badly by Vikings and Normans, right?

That's kind of how things work, and not much you or I can do about it.

So we need to think about "What is practical?" and "what is useful?", keeping these realities in mind, rather than insisting on "this is what it was meant to be".

Personally I think a good start would be to rethink the entire messaging and list them as "high impact bugs you probably want to get fixed ASAP", or something along those lines, rather than "security bugs". This should avoid the whole security wankery with memory issues that perhaps maybe possibly could perhaps someday lead a possible exploit maybe.

tptacekOP2y ago

CVEs are categorically not "high impact bugs you probably want to get fixed ASAP". If you want that, make a new enumeration.

gnfargbl2y ago

They're also, equally categorically, not "a list of every bug in every system." If you want that, make a new enumeration.

As 'arp242 says, we need to consider what is useful. Pretending that all CVEs are severe and must be addressed immediately is not useful. Spamming the CVE database with every bug in your tracker is not useful.

Replacing CVEs (and CPEs, which are equally terrible) with something new would be extremely helpful. My question is, who funds that work? NIST currently appear to have NVD resourcing issues, based on the banner on their website.

orf2y ago

> When millions of people understand a term "wrong", then that becomes "correct" on virtue of it being so widely used

1 more reply

gnfargbl2y ago· 3 in thread

Let's continue your reductive line of thinking. If the only purpose is to ensure that developers are talking about the same issue, then why does the kernel need need CVEs at all? Their existing bug tracking mechanisms should be entirely adequate, no?

pdonis2y ago

In the 2019 article that is linked to in the LWN article posted upthread, that's exactly what Greg Kroah-Hartman suggested: use the change ID that the Linux kernel is already using as a vulnerability identifier.

Unfortunately, it does not appear that that proposal gained traction, since it's not discussed at all in the more recent LWN article.

saagarjha2y ago

Some platforms do in fact do this. If you run the entire stack, more power to you. But the kernel is forked by a hundred different people and everyone has their own bug trackers for that, so having an identifier for a security bug is actually useful to unify those.

gnfargbl2y ago

I would have no problem at all with the kernel developers introducing the concept of a "universal bug identifier," and developing a system for cataloguing and managing those UBIDs. I would also have no issue with CVEs being replaced by a set of flags on those UBIDs, which people could take notice of or ignore as they saw fit.

I do have a problem with the kernel devs attempting to burn down the only system we presently have, however terrible it is, and with HN justifying the bonfire on the basis that CVEs were always broken anyway.

1 more reply

j / k navigate · click thread line to collapse

0 comments

14 comments · 3 top-level

tsujamin2y ago· 5 in thread

lokar2y ago

For me, CVSS and the people who use it lost all credibility when they asked my team for a urgent update to patch… a pcmcia bug in the kernel of our EC2 instances.

tptacekOP2y ago

tsujamin2y ago

CVSS as practiced sucks sometimes, the rules around not chaining vulnerabilities to up a score are rarely followed, but as specified it’s actually a good system.

Undercutting my own point though, it doesn’t hurt to rerun a calculation if you think the public vectors is “lacking” or if temporal/environmental metrics matter in your context

1 more reply

worthless-trash2y ago

Where is upstreams CVSS score ?

arp2422y ago· 3 in thread

That's kind of how things work, and not much you or I can do about it.

So we need to think about "What is practical?" and "what is useful?", keeping these realities in mind, rather than insisting on "this is what it was meant to be".

tptacekOP2y ago

CVEs are categorically not "high impact bugs you probably want to get fixed ASAP". If you want that, make a new enumeration.

gnfargbl2y ago

They're also, equally categorically, not "a list of every bug in every system." If you want that, make a new enumeration.

orf2y ago

> When millions of people understand a term "wrong", then that becomes "correct" on virtue of it being so widely used

1 more reply

gnfargbl2y ago· 3 in thread

pdonis2y ago

Unfortunately, it does not appear that that proposal gained traction, since it's not discussed at all in the more recent LWN article.

saagarjha2y ago

gnfargbl2y ago

1 more reply

j / k navigate · click thread line to collapse