1. 5

  2. 2

    We need a better classification and naming for these SgxSpectre/MeltdownPrime/SpectrePrime/BranchScope/Meltdown/Spectre-like branch prediction vulnerabilities as using arbitrary names is a mess. What was wrong with simply referring to these vulnerabilities by their CVE numbers? Do we really need a logo and marketing glossy for each new variant? I blame the Heartbleed people.

    1. 3

      Six months from now, you’ll remember the difference between CVE-2017-2345 and CVE-2017-2435?

      1. 3

        What about naming them from a rotating list of names, à la tropical storms? Particularly devastating ones could have their names retired. That or using some other arbitrary naming scheme that could complement the CVE numbers.

        1. 3

          We’re at number CVE-2018-9105 for this year, and it’s not even the end of March.


          1. 2

            How about a combination system, something similar to a set of DiceWare-style wordlists?

            You’d likely need at least 5 lists to make enough phrases, and new wordlists can be chosen each year - maybe by some ridiculous contest system which could be used to promote computer security. A [proper-name’s adjective noun adjective verb] system might be fun; the first thing I randomly generated with such a system was:

            “Merlin’s Automatic Priesthood Relevant Chat” and MAPRC for short.

            When you discover a vulnerability and it’s assigned a CVE number, you’ll be given the opportunity to choose a new name from a set of random rolls, and then for major vulnerabilities, the words used will be retired, and the system can exclude future rolls of the same acronym.

            Interesting note: This might be impossible because of politics. I’m in Florida, and can tell you first-hand the ridiculousness that goes into naming. After protests by women and allegations of sexism, they started adding men’s and women’s names to the lists. The system has to be continually tweaked by an international committee at the World Meteorological Organization. In recent times, after some very destructive hurricanes (Katrina, etc.), some women have protested that attributing destructive and deadly forces to women is inappropriate, and that such ‘negative’ violence and destruction is the realm of men. Then, in regard to the names themselves, they now include popular French, Spanish, Dutch and English names because they don’t want to use names from only one culture or appear exclusionary, but now in recent times some other people are complaining they don’t want “their” culture or country associated with these terrible things. I believe the list was determined by allowing for names and cultures from anywhere the storms hit.

            Anyway, this is why we can’t have nice things.

        2. 2

          Probably not, but I’m not going to remember the difference between all these names anymore either! Perhaps something similar to the CARO/virus scanner industry solution, of a somewhat descriptive and roughly hierarchical name that’s hopefully self-describing … however, this still breaks in implementation with different scanners giving an identification of the same threat very differently.