Re: [CVEPRI] Handling new vulnerabilities discovered by Steve Christey
Wow. Such the fire storm. I'll try to stay close to Steve's original specific concerns and I'll toss in my 2 cents on one of the larger issues only at the end.

Steve Christey wrote:

> However, candidate reservation will be available to anyone
> who asks, including individuals who may not trust me. If such an
> event were to theoretically happen, it would be my word against
> theirs.

Welcome to the club. Hypothetically, MITRE and, say, BindView could be accused of collusion by somebody if

1) BindView requests a CAN number
2) MITRE reserves the CAN number for BindView
3) Subsequently a third party requests a CAN for the same issue
4) MITRE denies the request (on behalf of BindView)

So, trust is an issue regardless of whether or not MITRE is producing advisories. As you correctly noted, the real problem here is the lack of trust in MITRE by the third party.

"Steven M. Christey" wrote:

> 2) Diligence Level 1 for CVE candidate reservation allows the
> assignment of 1 CVE candidate number to an unknown party. (See
> http://cve.mitre.org/board/archives/2000-05/msg00179.html).

At the risk of reviving discussions from past Editorial Board meetings, I would assert that the "trust" issue is deeply compounded if and when MITRE begins to reserve CAN numbers for folks not on the CVE board. Let me explain...

David LeBlanc wrote:

> Academia (and I can speak from experience on this one, as my name can
> properly be followed by B.S.A.E, M.S.A.E, Ph.D) is easily one of the most

Allow me to finish this sentence to suit my own needs! Academia is easily one of the most experienced in dealing with these sorts of issues. We should borrow heavily from them if it helps.

Typically, academic journals will only consider submissions from people with the proper credentials. And note, they do so at the risk of complaints by the non-credentialed that in so doing, the journals are denying a voice to dissenting views and serve only to protect the dominant orthodoxy or meta-narrative [insert stock, post-modern deconstructionist rant here if you want ;^].

Applying this observation to the CVE process, I would suggest that it makes sense to only accept CAN requests from those who have the peer-accepted credentials of Editorial Board membership. This will go a long way to take care of any concerns about MITRE's handling of these matters as it would guarantee a certain level of professionalism for all involved and thus, a higher level of trust.

If we are concerned with the CVE process becoming too closed to the general public, then we can rely on certain identified Board Members to be the publicly identified "gatekeepers" who can request CANs in proxy for those outside of the Board. It also makes sense to me to separate this gatekeeping function from the CAN assignment function played by MITRE. That is, I would suggest that MITRE NOT directly assign CANs to people or orgs not on the Editorial Board.

NOTE: Presently, *any* Editorial Board member can request a CAN number in proxy for somebody outside of the board! Consider, as a board member I could request a CAN number and nobody on the board, including MITRE, really needs to know where or how I got the info or who did the initial discovery. The discoverer, if different from me, is trusting me with the info and I, as her proxy, am trusting MITRE and the Editorial Board to handle the info appropriately.

My point here is that currently, all board members could, at this very moment, be requesting CAN numbers in proxy for outsiders and none of us have the ability to know the difference, one way or another. This is fully appropriate, imo. I trust my fellow board members and as long as they feel the issue warrants a CAN number, they are entitled to request the CAN number from MITRE.

Going back to the academic journal example, an academic journal may not even consider a paper from David LeBlanc's mom, but they might from her son because he has the peer-accepted credentials of a terminal degree in his field. More importantly to my point, they would consider the paper even if it contained his mom's ideas. David would merely be her proxy.

[FWIW: A Budget Of A Trisection from the Springer-Verlag library makes a great read on the subject of non-credentialed mathematical crack-pots. It may shed some light on the noise we see in mailing lists.]

============= TANGENTIAL COMMENTARY BEGINS HERE ================

For those debating the relative merits of security advisories, I offer up the following snippets from an article recently written by Al Berg and published by ICSA in Information Security Magazine.

"When you buy a vulnerability scanner, you are buying expertise... Hence, before choosing a vulnerability-scanning product, you should take a careful look at the team supporting it... A good indicator of the technical savvy of a vendor's team is the number and quality of papers, advisories and tools it has authored."

One could challenge Mr. Berg's assertion by citing a chicken-and-egg paradox. To wit, has Mr. Berg merely bought into the marketing hype of vendor advisories hook, line and sinker? Or, are advisories, the quality of the research team and the quality of the tools directly related? It's an interesting question but it is totally missing the point. Whether or not they have real technical merit, security advisories are an established feature in the marketplace. To deny this is to ignore market realities. Until that reality changes, they have value.

'best,
Dave

--
==============================================================
Dave Mann                || e-mail: dmann@bos.bindview.com
Senior Security Analyst  || phone:  508-485-7737 x254
RAZOR Security Team      || cell:   617-968-2697
BindView Corporation     || fax:    508-485-0737