
RE: [CVEPRI] CVE accuracy, consistency, stability, and timeliness

> So, I propose that we create a new T-shirt.  The CVE logo with
> the following:  "Name 'em all and let the taxonomists sort 'em out."

Agreed. Being more specific helps all communities; the more exacting
communities could have a method for organizing or excluding what they
believe is spurious, but you can never reference what's not there. A
Doctrine of Inclusion, in a manner of speaking.

So Steve, will we be able to purchase these T-shirts from the MITRE store on
the web? I understand that creating the MITRE/CVE store has greater priority
than the voting forms. :-)

(Whatever you do, try and avoid the shopping carts mentioned in those 11
CANs.) :-) :-)


> -----Original Message-----
> From: Dave Mann [mailto:dmann@BINDVIEW.COM]
> Sent: Monday, June 26, 2000 5:00 PM
> To: CVE
> Subject: Re: [CVEPRI] CVE accuracy, consistency, stability, and
> timeliness
>
> Well now!
>
> "Steven M. Christey" wrote:
> > Pascal Meunier asked:
> > Bill Fithen added:
>
> [Dave, fresh from vacation, tips the soap box up on its side and
> steps up...]
>
> I am strongly in favor of MITRE relaxing its analysis with regards
> to the formation of candidates.  I also propose vastly streamlining
> the entire set of Content Decisions to a small set (no more than
> 6) guidelines.  Finally, I propose that when in doubt, CVE err on
> the side of greater specificity.  There are several reasons.
>
> I will open with a thoroughly offensive joke. Rant follows.
>
> Seen on a T-shirt with the US Marines' Logo on it: "Kill 'em
> all and let God sort 'em out."
>
> 1) CVE was founded on the belief that we, as a community, do not
> know enough about this space to formalize it to the point of agreeing
> on a taxonomy or a database.  While I applaud the desire to achieve
> consistency with respect to enumeration issues, I think it is
> crystal clear that consistency is only achievable if we know enough
> to formalize things properly.  And if we understood things to
> that level, we wouldn't be involved in CVE -- we would be involved
> in a joint database effort instead.   The most important thing for us
> to do from an academic standpoint is to admit the limitations of
> our knowledge.
>
> Given how immature our field is, I think it is overreaching to
> believe that any decisions we make now will hold up to scrutiny
> in the long run.  I reject the assertion that we can achieve greater
> consistency by being more careful because I don't believe that
> anybody knows enough to decide on consistency in a rational manner.
> I think we have only 2 rational choices.  Either we accept that CVE
> will contain (possibly annoying) inconsistencies or we give up.
>
> 2) Our recent experience with the SANS Priority One Top Ten list
> gives us a concrete example of why CVE should put a higher priority
> on completeness than on consistency.  The Top Ten list, to which many
> of us provided input, was written at such a high level that it was
> terribly ambiguous.  For example, when the SANS list identified
> cgi sample files, the expected follow-on question on many lips
> was certainly, "Which cgi sample files?"  More clarity and meaning
> was added to the SANS list as soon as they incorporated CVE
> names.
>
> "Oh. These cgi files."
>
> But all is not perfect.  CVE falls short, literally, with respect
> to the SANS list because it does not adequately cover all of the
> known issues identified by the SANS list.  Witness the large number
> of CAN numbers instead of CVE numbers that are referred to by the
> SANS list.  I draw two immediate conclusions from the SANS Priority
> One exercise with regards to CVE.
>
>   a) CVE must put a higher priority on timeliness and completeness,
>      even at the price of less consistency.
>   b) When in doubt, CVE should strive for greater specificity
>      and avoid high level generalization.
>
> 3) Speaking as a vendor, CVE has greater value to me the more coverage
> it has.  I do not expect one to one mappings to my peers.  CVE is
> an enabling technology that makes life easier.  I do not expect, nor do
> I need consistency.  Again, our internal experience with CVE here at
> BindView is that the more precision or specificity, the better.
>
> So, I propose that we create a new T-shirt.  The CVE logo with
> the following:  "Name 'em all and let the taxonomists sort 'em out."
>
> Dave
>
> --
> ==============================================================
> Dave Mann                ||   e-mail:  dmann@bos.bindview.com
> Senior Security Analyst  ||    phone:  508-485-7737   x254
> BindView Corporation     ||      fax:  508-485-0737

Page Last Updated or Reviewed: May 22, 2007