
Re: policy, feelings, and the reality (was Re: nomination for ...)



On 10/17/2015 01:21 AM, jericho wrote:
>
> On Wed, 14 Oct 2015, Pascal Meunier wrote:
>
> : as a repudiation of Brian's methods, and an unwillingness to respond to
> : trolling;  it should not be interpreted as apathy.
>
> Yet, that is exactly what it is. You may not like my methods, but very
> few people are doing anything to change CVE and try to motivate MITRE to
> improve.

The end does not justify the means.  I admire how you noticed many things I didn't,
but the way you communicated with the board on this particular issue was
over-the-top.  Simply reminding the board and MITRE that you wanted him
nominated 2 years ago, for reasons you explained then, and would like this
revisited, should have sufficed and should have been effective.

>
> I am curious if you/Purdue and Andy/Cisco want to also speak up as to why
> it is so crucial we follow this documented procedure, when the board has
> gone 15 years without many other procedures that should have been
> documented, and never were?

As a justification for ignoring procedures on purpose, this sounds to me
like shooting your good foot because your other leg is amputated.  I provided
a reasoning of why I thought it mattered.

> Would you also like to give your respective
> organization's official opinion on MITRE not following their own
> documented policy in several regards in the last 90 days?

If you want an "official" statement that will take time, and I'm not
sure how useful that will be.  Policies exist in part so that failures to
follow them can be pointed out clearly and corrections made.  I thought
Steve's email from 9/24 ("Upcoming changes for CVE") was very promising.
Issues with the public archives seem to have been solved with Nabble;  your
monitoring certainly made the need for improvement clear.  Are there specific
policies for which you believe the above insufficient?


> Perhaps Steve
> Christey can explain why it was more important to quote that policy to me
> than work on the extensive backlog of CVE requests in their queue, some
> older than 50 days now.

Probably because what you wrote was excessive and too disruptive to be
ignored, which was by your design.  However, you interest me in the state
of the backlog and if perhaps MITRE could regularly provide us with very
succinct status data, e.g., how many issues are waiting assignment, and
what is the longest wait time.  Not too often and detailed to be a
significant burden, but often enough that the board could discuss it and
make appropriate suggestions.

>
> For those who know me, they know I am pretty keen on following documented
> policy and standards. I also recognize when they should be lobbied for
> change, or ignored. However, since many other requests (most polite even!)
> have fallen on deaf (apathetic?) ears, this is a testament to my method.
> My second email prompted a few people to reply, and it prompted MITRE to
> start the discussion per their policy.

Only if any response is better than none.  However, this email you
just wrote helps me understand your frustration and it brings
up issues we can discuss and act upon.  Thank you.

> Oh, by the way, the idea of
> bringing Kurt on the board was brought up privately at least twice to
> MITRE, to at least two people, in the last few years. That didn't work,
> but per policy, shouldn't it have started the process?

I am only aware of the one public time in July 2013.  According to the
policy there are many reasons why the process might not have reached
stage 3.  I wonder if nothing at all was started on those occasions, or
if the process didn't reach stage 3 for some reason.  The two would
appear the same to me.

>
> Meanwhile, other policies that should have existed a decade ago still
> don't exist, legitimate questions aimed at trying to better understand the
> MITRE process are unanswered, CNAs are still issuing advisories that do
> not follow CVE procedures unchecked, one CNA is selectively issuing CVEs
> for some vulnerabilities and not assigning for others (Andy, want to look
> into that for us?), and more.
>
> I'm really sorry I hurt your feelings, but personally I would rather see
> things change for the better first. When MITRE is back to operating at the
> previous capacity they were 9 months ago, or even better, 3 years ago,
> then I vote we have a group hug and worry about the rest.

Thanks, and I understand your motivation better now.

> The entire
> industry has been going downhill quickly as evident by the number of
> organizations compromised every day that we hear about. Vulnerabilities
> are not slowing down,

That particular point is a source of bewilderment to me.  New
vulnerability types are rare and most vulnerabilities seem like a repeat
of the same mistakes over and over by a horrible zombie horde.  Is there
not enough accessible secure programming material (BTW, I like the OWASP
secure coding cheat sheets)?  Is it not good enough?  Do we not have
better tools available?  Doesn't Coverity offer free scans of open-source
projects in Java, C/C++, C# or JavaScript?  Did we not integrate secure
programming into classes?  Are the wrong or insufficient incentives in
place?  Why is it that U.S. hospital IP addresses are so often listed on
Spamhaus as having botnet infections, despite HIPAA (this is anecdotal
and not a systematic survey, yet what I observed was disturbing)?

> despite claims otherwise based on some horrible
> analysis of CVE numbers in recent years, and a significant chunk of our
> industry is using security products that are based on the CVE dataset and
> compete to see which of them has the 'best' coverage of one of the worst
> vulnerability databases. Is it any wonder our industry can't protect
> clients? Personally, I joined this board with some hesitation because I
> read the archives first, and saw what I was getting into. But I joined to
> try to make a difference and help CVE improve as a whole. The archives,
> and dialogue since joining, make it very clear I am in the minority.
>
> If you feel differently, I would love to get your opinion on why CVE has
> just over 4,100 live IDs for 2015 compared to the 10,743 disclosed
> vulnerabilities I am aware of.

You have a point there.

> Do you feel that MITRE is doing a
> sufficient job? Do you feel the board is doing a good job in helping guide
> MITRE, give valuable input, ask questions to learn more about the process,
> and generally improve how things are going?

I admit having been reactive instead of proactive for the CVE, and
relying on MITRE (and CERIAS) to bring up issues they wanted to discuss.
It's why I thought I was here and what was expected.  Asking "is it
enough?" is interesting and requires looking at it as a committed
stakeholder.  I am looking forward to Julie Connolly's email.  However, I
feel I don't have much to contribute to the CNA issue and discussion, as
I (and CERIAS) have little involvement in that process.

> Honest questions.

Good questions too.

Pascal


Page Last Updated or Reviewed: October 26, 2015