An overhyped GHOST (lwn.net)
96 points by sciurus on Feb 5, 2015 | 28 comments



Funny, I wrote a blog post about this as well.[1]

Vulnerabilities do not need PR, especially not on the scale of picking a sexy name and making a cool logo. I'll repeat what I said in my blog post here.

Branding vulnerabilities accomplishes two things, both of which are bad for the security community and the broader tech community:

1. It implicitly establishes vulnerabilities as severe if they are widely reported on. Getting media attention does not necessarily mean a vulnerability is serious. It means you have content that will generate views. I’ve been in the press twice for vulnerabilities found in widely used web applications – neither I nor anyone who is even remotely familiar with security would claim that media attention elevates a vulnerability to the same level as Heartbleed. But the broader public doesn’t know this, and the media capitalizes on it.

2. It implicitly rates a vulnerability’s severity by how much attention and “buzz” it generates, not by how severe it is according to an objective scale. Yes, Heartbleed and Shellshock were severe. Did you know that all the vulnerabilities that received bounties from The Internet Bug Bounty Program were also severe? They didn’t receive media attention. They didn’t need to receive media attention – the normal process of responsible and coordinated disclosure is enough (and I’m willing to say that for extremely high-severity cases like Heartbleed, a brand may be warranted – but not for anything less).

Having widespread press attention via a logo and a name is just another noisy metric that will soon be added to the list of necessities for a vulnerability to have any credibility. Michal Zalewski and Project Zero find vulnerabilities on the scale of the so-called "GHOST" weekly. They are resolved without the need for panic or self-promotion.

This activity, like all fame seeking in the infosec industry, is encouraging a race to the bottom where people focus on the wrong things to decide if a vulnerability warrants attention. For every legitimate Heartbleed and Shellshock, there are the 20 vulnerabilities people try to brand and put on the front page of Hacker News and /r/netsec.

[1]: http://breakingbits.net/2015/01/27/your-vuln-does-not-need-a...


While I can agree about over-hyping things, I've seen a lot of really, really ancient crap finally getting much-needed upgrades due to some of the hype, like Debian Lenny, which hasn't had security updates for 3 years now.

Marketing vulnerabilities doesn't really sit well with me, but at least there's something of a silver lining. More people are actually paying attention to security and at work I've been helping clue people into better security practices. The status quo is pretty sad.

Though I grant I've seen some nonsense, too, likely generated by some sort of hype. For reasons I cannot explain, a lot of people suddenly want to do mutual auth against any old public CA-issued cert. It's not as if anyone can run s_client, find all the trusted issuers listed in the ServerHello (and possibly other random certs, because some people put the whole chain in there), and pay the CA a few bucks for a cert to auth with.


Lenny didn't get a security update for GHOST. What you're thinking of is the LTS support effort [1] for a limited set of packages. It is maintained by a team of volunteers and is not an official project. Libc6 has had a few security upgrades by the LTS team in 2014. See both the squeeze and LTS changelogs [2] for a comparison. It is important to note that if people still run squeeze they will NOT have LTS support out of the box; it has to be configured manually.

[1] https://wiki.debian.org/LTS

[2] http://metadata.ftp-master.debian.org/changelogs//main/e/egl... http://metadata.ftp-master.debian.org/changelogs//main/e/egl...


Sorry, I'm not being clear here. I mean they were upgrading the OS to something newer, I'm not saying that Debian is (or should be) updating Lenny.

That aside, it seems like you can use the squeeze-lts packages on Lenny.


I feel this is way too optimistic. Who doesn't own a few devices (especially routers and cellphones) that probably aren't ever going to get much-needed security updates from the manufacturer? I'm very for any PR about how not-okay this type of situation is.


I feel the opposite, or that your optimism about exploiting the GHOST vulnerability is silly. PR firms aren't paid for good judgement. Let's see your cellphone and router exploits for GHOST, and then worry. Since you bring up cellphones, how about these vulnerabilities: http://www.extremetech.com/computing/170874-the-secret-secon... These sound much worse. You can brick a phone etc.


Yes, cellphones and routers are not affected, but this is only because they use BusyBox etc not glibc.


That's a non-sequitur -- busybox isn't a replacement for glibc. In fact, the busybox package included with Debian is linked against glibc, and I would assume the same is true for most other distributions.


Sorry, I should have mentioned uclibc instead.


What's more frustrating is that after the disclosure of Heartbleed, a lot of commentators have been talking about how it demonstrates a colossal blow on free software in general, and that it is now horribly insecure.

Of course, anyone who is subscribed to a relevant mailing list knows that security bugs are discovered constantly, are promptly addressed and most never see much grace beyond being buried in the archives of some taxonomy.

All these marketing campaigns that are about making infomercials out of security vulnerabilities backfire by causing panic, exacerbating ignorance and creating talking points for uninformed pundits ("But Heartbleed this, Shellshock that..."), and I'd wager they skew the infosec community even further towards self-promotion and ephemerality.


As an example, there recently has been a publicly disclosed IE11 zero day that allows universal XSS that IMO is more severe and easier to exploit than GHOST.


This one, I'm guessing, which sounds pretty bad: http://seclists.org/fulldisclosure/2015/Feb/0

Apparently Microsoft was notified in October but it's still not patched.


Wait a minute... back up, you can hire a PR firm for a bug report. WTF.


You can hire a PR firm for anything: a bug, yourself, a dog... anything.

The main reason people engage PR firms is to strengthen their brand or to attain money/reputation somehow.

Which is what Qualys was doing.


For a contrary, and I think, more informed opinion, see http://www.kalzumeus.com/2014/04/09/what-heartbleed-can-teac...


Everything is overhyped; including this very website.


PR is absolutely essential for a major vulnerability. They are events that affect real people's lives.


But then it becomes a shouting match and many critical bugs not backed by companies looking to profit from them go without notice.

Such as the ASLR/PIE bypass in the Linux kernel on Jan 9, 2015 which never had a brand name:

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-95...

Or the critical Firefox media plugin sandbox escape from Jan 13, 2015:

https://www.mozilla.org/en-US/security/advisories/mfsa2015-0...

Not to mention the other countless flash exploits that come out each year allowing drive-bys to happen.

This seems to be a communication problem, for example most platforms don't have systems to automatically notify us based on which software we use. Relying on marketing/branding for bugs to reach us seem highly inefficient, considering we're in the business of software.
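The notification gap described above (knowing which advisories apply to the software you actually run) is a mechanical matching problem. As an added example that is not part of the original thread, here is a small Python matcher that compares a package inventory against an advisory feed using dpkg-style version comparison (epoch, then upstream, then Debian revision; `~` sorts before everything, including the end of the string, which is what makes a `~bpo` backport count as older than the release it precedes). All package names, versions and advisory IDs below are constructed placeholders, not real advisories or fixed versions.

```python
# Added example: match an installed-package inventory against an advisory feed.
# Everything below (package names, versions, advisory IDs) is constructed sample
# data; the matching logic and the dpkg-style comparison are the point.


def _order(c: str) -> int:
    """Weight of one character for dpkg-style comparison: digits are handled
    separately, letters sort before other symbols, and '~' sorts before
    everything, even the end of the string."""
    if c.isdigit():
        return 0
    if c.isalpha():
        return ord(c)
    if c == "~":
        return -1
    if c:
        return ord(c) + 256
    return 0  # end of string


def _verrevcmp(a: str, b: str) -> int:
    """Compare two version fragments the way dpkg does: alternate between
    non-digit runs (compared with _order) and digit runs (compared numerically)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac = _order(a[i] if i < len(a) else "")
            bc = _order(b[j] if j < len(b) else "")
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros, then compare digit by digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and a[i].isdigit() and j < len(b) and b[j].isdigit():
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and a[i].isdigit():
            return 1  # a has more digits left, so its number is larger
        if j < len(b) and b[j].isdigit():
            return -1
        if first_diff:
            return first_diff
    return 0


def _split(version: str):
    """Split 'epoch:upstream-revision' into its three parts (epoch and revision optional)."""
    epoch, sep, rest = version.partition(":")
    if not sep:
        epoch, rest = "0", version
    upstream, sep, revision = rest.rpartition("-")
    if not sep:
        upstream, revision = rest, ""
    return int(epoch), upstream, revision


def dpkg_compare(v1: str, v2: str) -> int:
    """Return <0, 0 or >0 as v1 is older than, equal to, or newer than v2."""
    e1, u1, r1 = _split(v1)
    e2, u2, r2 = _split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    c = _verrevcmp(u1, u2)
    if c:
        return c
    return _verrevcmp(r1, r2)


def affected(installed: dict, advisories: list) -> list:
    """Return the advisories whose package is installed at a version older than the fix."""
    hits = []
    for adv in advisories:
        have = installed.get(adv["package"])
        if have is not None and dpkg_compare(have, adv["fixed"]) < 0:
            hits.append({"id": adv["id"], "package": adv["package"],
                         "installed": have, "fixed": adv["fixed"]})
    return hits


# Constructed inventory, as it might be scraped from `dpkg-query -W`; the
# versions are made up and do not describe any real host.
INSTALLED = {
    "libc6": "2.13-38+deb7u3",
    "openssl": "1.0.1e-2+deb7u5",
    "bash": "4.2+dfsg-0.1+deb7u2~bpo70+1",  # a backport: older than the plain u2 release
}

# Constructed advisory feed with placeholder IDs; "fixed" is the first safe version.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "libc6", "fixed": "2.13-38+deb7u4"},
    {"id": "ADV-EXAMPLE-0002", "package": "openssl", "fixed": "1.0.1e-2+deb7u5"},   # already fixed
    {"id": "ADV-EXAMPLE-0003", "package": "nginx", "fixed": "1.2.1-2.2+wheezy3"},   # not installed
    {"id": "ADV-EXAMPLE-0004", "package": "bash", "fixed": "4.2+dfsg-0.1+deb7u2"},  # ~bpo sorts below
]

if __name__ == "__main__":
    for hit in affected(INSTALLED, ADVISORIES):
        print(f'{hit["id"]}: {hit["package"]} {hit["installed"]} < {hit["fixed"]}')
```

Run as a script it lists the two advisories that still apply; the OpenSSL entry is skipped because the installed version equals the fixed one, and the nginx entry because the package is not installed. The same shape works for any feed that states a fixed version per package, which is the data a vendor advisory already carries and a press release never does.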


What makes the Firefox sandbox escape "critical"? It requires at least one other, unknown bug to exploit. Seems like a pretty run-of-the-mill issue that will get fixed in the next Firefox update. The fact that most Firefox users won't ever know about it doesn't matter.


I mostly agree with you here, most browsers would take multiple exploits combined together to be effective. And the update process is fairly rapid with Firefox these days - especially compared to glibc and (often) Linux kernel rollouts. So this would exclude the script-kiddies unlike Heartbleed which was quite accessible to newbs who could use a single PoC.

Browser sandbox escapes are less common than higher level bugs so they have some FUD-appeal. But my point isn't to say that these are worse than any other bugs, or more exploitable for that matter. Merely that they are similarly bad but not as well covered. Both are definitely in the same class as Shellshock or Ghost.

I'm not saying particularly bad ones aren't in need of special attention, merely that playing the branding game as a security strategy is mostly non-productive when countless relatively unknown me-too's exist at all times.


There is no inherent correlation between the severity of the find and the PR budget available to the discoverer.

On top of this, some types of security claims attract considerably greater attention than others for reasons unrelated to their actual impact or merit. If you mention privacy, Internet of Things, malware, and rooting in a single sentence, you will get headlines out of it, no matter how bogus the underlying claims may be.

You need a reliable way of finding out about the vulnerabilities that affect you, even if they are discovered by a teenager in Romania and a PR agency is not involved.


Breathlessly panicking about vulnerabilities is worse than no PR at all. There are well-established avenues for keeping up with vulnerabilities, and anyone operating an Internet-addressable computer who is not familiar with any of them is incompetent.

Speaking of incompetence, it was Qualys' desire for fame which caused them to retain a PR firm, which is why this vulnerability was announced as such before major vendors had patches available. If Qualys had stuck to the normal avenues, there would not have been any need for the ridiculous panic felt by half-informed administrators.

The vast majority of people who read about security vulnerabilities primarily via press releases are almost certainly not in a position to fix them. What, then, is the motivation for presenting them with a goddamned logo?


> anyone operating an Internet-addressable computer who is not familiar with any of them is incompetent

Sorry but I just can't take such a statement seriously. There are millions of people who are in this situation. Calling them incompetent is just ridiculous. Perhaps you were around for the big worms but vulnerable internet facing systems are purely reality. Making people more aware is not some kind of problem.


Yes, and the vast majority of those millions of people have an arrangement with their OS vendor to receive updates, including security-related updates.

The ones who don't rely on Windows Update, Red Hat alerts, or similar services from various vendors are the ones who have presumably chosen an operating system deliberately outside of those with curated update procedures -- and please note that even relatively small projects tend to have security notification lists.

That leaves a vastly outnumbered, tiny minority of people who are either willfully ignoring crucial information or are constitutionally unable to consume it, and neither group is doing humanity any great service in the process.

In short, retaining a PR firm does nothing to enhance the overall internet's security posture, and just leads to a lot of half-informed worry on the part of people who can't take any action anyway.


I expect the actual number is billions, not millions.


Well, there are 4 billion addresses but the definition of internet addressable is a bit odd with attack vectors through email and web outbound access.


PR, as it's being used here, doesn't increase awareness of security in general, it only increases awareness of a single, specific issue. There are many more major security issues that don't get branded and hyped up, they just get solved.

Would you have all major vulns receive the same level of PR? If so, there would be a C-SPAN style, 24-hour channel constantly discussing the latest issues. This channel would not be commercially viable as the majority of people would ignore it. No amount of PR for individual issues will increase the public's awareness of the real problems. The media coverage of Heartbleed was particularly useless, as it didn't tell anyone what they should, or could, do. The sysadmins updated their systems, the developers patched their libraries, the general populace just worried non-specifically about something they couldn't do much about.

I would also like to point out that the human race survived without PR for thousands of years. It's not "absolutely essential" for anything.


> the human race survived without PR for thousands of years

Human perception management is an ancient tradition, dating to the earliest religions, merchants, philosophers and government.

If we can't get rid of it, we may as well make it widely accessible, if only for defensive purposes.

PR is psychological malware. Perfect company for the other kind.
