policy, feelings, and the reality (was Re: nomination for ...)


policy, feelings, and the reality (was Re: nomination for ...)

jericho
On Wed, 14 Oct 2015, Pascal Meunier wrote:

: as a repudiation of Brian's methods, and an unwillingness to respond to
: trolling;  it should not be interpreted as apathy.

Yet, that is exactly what it is. You may not like my methods, but very
few people are doing anything to change CVE and try to motivate MITRE to
improve.

I am curious if you/Purdue and Andy/Cisco want to also speak up as to why
it is so crucial we follow this documented procedure, when the board has
gone 15 years without many other procedures that should have been
documented, and never were? Would you also like to give your respective
organization's official opinion on MITRE not following their own
documented policy in several regards in the last 90 days? Perhaps Steve
Christey can explain why it was more important to quote that policy to me
than work on the extensive backlog of CVE requests in their queue, some
older than 50 days now.

For those who know me, they know I am pretty keen on following documented
policy and standards. I also recognize when they should be lobbied for
change, or ignored. However, since many other requests (most polite even!)
have fallen on deaf (apathetic?) ears, this is a testament to my method.
My second email prompted a few people to reply, and it prompted MITRE to
start the discussion per their policy. Oh, by the way, the idea of
bringing Kurt on the board was brought up privately at least twice to
MITRE, to at least two people, in the last few years. That didn't work,
but per policy, shouldn't it have started the process?

Meanwhile, other policies that should have existed a decade ago still
don't exist, legitimate questions aimed at trying to better understand the
MITRE process are unanswered, CNAs are still issuing advisories that do
not follow CVE procedures unchecked, one CNA is selectively issuing CVEs
for some vulnerabilities and not assigning for others (Andy, want to look
into that for us?), and more.

I'm really sorry I hurt your feelings, but personally I would rather see
things change for the better first. When MITRE is back to operating at the
previous capacity they were 9 months ago, or even better, 3 years ago,
then I vote we have a group hug and worry about the rest. The entire
industry has been going downhill quickly as evident by the number of
organizations compromised every day that we hear about. Vulnerabilities
are not slowing down, despite claims otherwise based on some horrible
analysis of CVE numbers in recent years, and a significant chunk of our
industry is using security products that are based on the CVE dataset and
compete to see which of them has the 'best' coverage of one of the worst
vulnerability databases. Is it any wonder our industry can't protect
clients? Personally, I joined this board with some hesitation because I
read the archives first, and saw what I was getting into. But I joined to
try to make a difference and help CVE improve as a whole. The archives,
and dialogue since joining, make it very clear I am in the minority.

If you feel differently, I would love to get your opinion on why CVE has
just over 4,100 live IDs for 2015 compared to the 10,743 disclosed
vulnerabilities I am aware of. Do you feel that MITRE is doing a
sufficient job? Do you feel the board is doing a good job in helping guide
MITRE, give valuable input, ask questions to learn more about the process,
and generally improve how things are going?

Honest questions.

Re: policy, feelings, and the reality (was Re: nomination for ...)

Pascal Meunier
On 10/17/2015 01:21 AM, jericho wrote:
>
> On Wed, 14 Oct 2015, Pascal Meunier wrote:
>
> : as a repudiation of Brian's methods, and an unwillingness to respond to
> : trolling;  it should not be interpreted as apathy.
>
> Yet, that is exactly what it is. You may not like my methods, but very
> few people are doing anything to change CVE and try to motivate MITRE to
> improve.

The end does not justify the means. I admire how you noticed many things I didn't, but the way you communicated with the board on this particular issue was over-the-top. Simply reminding the board and MITRE that you wanted him nominated 2 years ago, for reasons you explained then, and would like this revisited, should have sufficed and should have been effective.

>
> I am curious if you/Purdue and Andy/Cisco want to also speak up as to why
> it is so crucial we follow this documented procedure, when the board has
> gone 15 years without many other procedures that should have been
> documented, and never were?

As a justification for ignoring procedures on purpose, this sounds to me like shooting your good foot because your other leg is amputated. I provided a reasoning of why I thought it mattered.

>Would you also like to give your respective
> organization's official opinion on MITRE not following their own
> documented policy in several regards in the last 90 days?

If you want an "official" statement that will take time, and I'm not sure how useful that will be. Policies exist in part so that failures to follow them can be pointed out clearly and corrections made. I thought Steve's email from 9/24 ("Upcoming changes for CVE") was very promising. Issues with the public archives seem to have been solved with Nabble; your monitoring certainly made the need for improvement clear. Are there specific policies for which you believe the above insufficient?


>Perhaps Steve
> Christey can explain why it was more important to quote that policy to me
> than work on the extensive backlog of CVE requests in their queue, some
> older than 50 days now.

Probably because what you wrote was excessive and too disruptive to be ignored, which was by your design. However, you interest me in the state of the backlog and if perhaps MITRE could regularly provide us with very succinct status data, e.g., how many issues are waiting assignment, and what is the longest wait time. Not too often and detailed to be a significant burden, but often enough that the board could discuss it and make appropriate suggestions.

>
> For those who know me, they know I am pretty keen on following documented
> policy and standards. I also recognize when they should be lobbied for
> change, or ignored. However, since many other requests (most polite even!)
> have fallen on deaf (apathetic?) ears, this is a testament to my method.
> My second email prompted a few people to reply, and it prompted MITRE to
> start the discussion per their policy.

Only if any response is better than none. However, this email you just wrote helps me understand your frustration and it brings up issues we can discuss and act upon. Thank you.

>Oh, by the way, the idea of
> bringing Kurt on the board was brought up privately at least twice to
> MITRE, to at least two people, in the last few years. That didn't work,
> but per policy, shouldn't it have started the process?

I am only aware of the one public time in July 2013. According to the policy there are many reasons why the process might not have reached stage 3. I wonder if nothing at all was started on those occasions, or if the process didn't reach stage 3 for some reason. The two would appear the same to me.

>
> Meanwhile, other policies that should have existed a decade ago still
> don't exist, legitimate questions aimed at trying to better understand the
> MITRE process are unanswered, CNAs are still issuing advisories that do
> not follow CVE procedures unchecked, one CNA is selectively issuing CVEs
> for some vulnerabilities and not assigning for others (Andy, want to look
> into that for us?), and more.
>
> I'm really sorry I hurt your feelings, but personally I would rather see
> things change for the better first. When MITRE is back to operating at the
> previous capacity they were 9 months ago, or even better, 3 years ago,
> then I vote we have a group hug and worry about the rest.

Thanks, and I understand your motivation better now.

>The entire
> industry has been going downhill quickly as evident by the number of
> organizations compromised every day that we hear about. Vulnerabilities
> are not slowing down,

That particular point is a source of bewilderment to me. New vulnerability types are rare and most vulnerabilities seem like a repeat of the same mistakes over and over by a horrible zombie horde. Is there not enough accessible secure programming material (BTW, I like the OWASP secure coding cheat sheets)? Is it not good enough? Do we not have better tools available? Doesn't Coverity offer free scans of open-source projects in Java, C/C++, C# or JavaScript? Did we not integrate secure programming into classes? Are the wrong or insufficient incentives in place? Why is it that U.S. hospital IP addresses are so often listed on Spamhaus as having botnet infections, despite HIPAA (this is anecdotal and not a systematic survey, yet what I observed was disturbing)?

>despite claims otherwise based on some horrible
> analysis of CVE numbers in recent years, and a significant chunk of our
> industry is using security products that are based on the CVE dataset and
> compete to see which of them has the 'best' coverage of one of the worst
> vulnerability databases. Is it any wonder our industry can't protect
> clients? Personally, I joined this board with some hesitation because I
> read the archives first, and saw what I was getting into. But I joined to
> try to make a difference and help CVE improve as a whole. The archives,
> and dialogue since joining, make it very clear I am in the minority.
>
> If you feel differently, I would love to get your opinion on why CVE has
> just over 4,100 live IDs for 2015 compared to the 10,743 disclosed
> vulnerabilities I am aware of.

You have a point there.

>Do you feel that MITRE is doing a
> sufficient job? Do you feel the board is doing a good job in helping guide
> MITRE, give valuable input, ask questions to learn more about the process,
> and generally improve how things are going?

I admit having been reactive instead of proactive for the CVE, and relying on MITRE (and CERIAS) to bring up issues they wanted to discuss. It's why I thought I was here and what was expected. Asking "is it enough?" is interesting and requires looking at it as a committed stakeholder. I am looking forward to Julie Connolly's email. However, I feel I don't have much to contribute to the CNA issue and discussion, as I (and CERIAS) have little involvement in that process.

> Honest questions.

Good questions too.

Pascal

Re: policy, feelings, and the reality (was Re: nomination for ...)

Andy Balinsky (balinsky)
I think there are some good questions for the board to consider here. I think the reason the board has not taken these up is that we do not meet regularly, and do not regularly bring up and discuss issues. The board has mainly been reactive to Mitre prompting. This is probably historical, as the board was originally an advisory body designed to review content of the CVE candidates. That role has moved to Mitre, and the board mainly tends to act as a consultant when asked. It could stand to become more proactive.

Probably the most interesting things we should take up are:
1. Is CVE providing adequate coverage of vulnerabilities? Are all of the 10K+ vulnerabilities that Brian has identified ones that the CVE should cover? If some portion of them are, then how should the coverage be changed to include them? We have had these discussions in the past, and have decided that there are limits to what should be covered (i.e. software that few people use, apps, scripts, games). I'm not saying that the limits we decided on are the right ones. It is worth discussing again. It would be interesting to see some categorization of the vulnerabilities that Brian has identified that are not in the 4K issued CVE IDs. Then we can see what types of gaps in coverage we may be lacking.

2. Are CNAs living up to their responsibilities? This is probably more of an executive function (rather than a board function), but if we don't have clear responsibilities laid out, and if MITRE needs peers or industry voices to pressure these CNAs into doing the right thing, then the board has a role.

Andy
