“The History of CVE” and A Couple of Objections

I just read “The History of Common Vulnerabilities and Exposures (CVE)” by Ary Widdes from Tripwire and found it to be a great summary of the 20+ years of the program. I say that as an outspoken CVE and MITRE critic, even! I do have a couple of objections, however, with the conclusion, and then a fun bounty!

Widdes concludes the history by saying:

A lot has changed in the 21 years since the CVE List’s inception – both in terms of technology and vulnerabilities. Without the CVE List, it’s possible that security professionals would still be using multiple tools from multiple vendors just to ensure complete coverage. It’s also possible that someone else would have created a service similar to the CVE List. Either way, from idea to whitepaper to database, the CVE List has become a core part of vulnerability and patch management.

There’s a lot to unpack here so I will take it one sentence at a time, starting with the second.

“Without the CVE List, it’s possible that security professionals would still be using multiple tools from multiple vendors just to ensure complete coverage.”

No, there is no “possible” here. That is a simple reality with an important caveat. The reality is that teams of all types still use multiple tools from multiple vendors to do their job. The caveat, and more to the point of that sentence, is that CVE doesn’t offer “complete coverage” and many of the vulnerability scanners only cover a third of the issues in CVE for various reasons. Even using a combination of firewalls, vulnerability scanners, intrusion detection/prevention, audits, and a slew of other tools, organizations are likely seeing half of what CVE has to offer at best. Widdes’ conclusion here gives undue credit to CVE and the state of vulnerability coverage it offers.

“It’s also possible that someone else would have created a service similar to the CVE List.”

This is where the vulnerability historian in me wants to rage a bit. This statement is unequivocally false for the simple reason that vulnerability databases existed before CVE, both free (e.g. X-Force) and commercial (e.g. RSI), in 1997 alone [1]. The first vulnerability database was created in 1973, specific to Multics, but also when there weren’t that many other systems to catalog bugs or vulnerabilities in. In 1983 we saw the Mt Xinu Bug List and in 1985 Matt Bishop’s List of UNIX Holes, both of which were more comprehensive than one platform. If we consider a vulnerability database implemented via product, we had ISS, SATAN, Ballista, and Nessus between 1995 and the creation of CVE in 1999. Many of the hackers-turned-security-professionals may fondly remember Fyodor’s Exploit World (1996 – 1998) from both aspects of their lives. Those same folks probably also remember Packet Storm (1998), which is still running today.

“Either way, from idea to whitepaper to database, the CVE List has become a core part of vulnerability and patch management.”

This, unfortunately, is true. I say unfortunately because of my long-standing criticisms of CVE over the past decade, but I won’t go into them here.

Bug(s) Bounty:

If there is anyone at MITRE open to outright bribery, including all-you-can-eat sushi dinners, I will pay a bounty to get my hands on that list of 8,400 submissions! While I know there are likely a lot of duplicates, the vulnerability historian in me would love to audit that data to see if MITRE decided to skip any that would be considered vulnerabilities by today’s standards, or where someone else back then had more knowledge of a vulnerability than was submitted. That data is over twenty years old and was solicited, processed, and partially published with U.S. taxpayer funded money. There’s no reason not to make it public. =)

[1] The Repent Security Inc. (RSI) database existed in 1997 but may not have been offered as a commercial product until 1998.

A String of Charity Auctions…

Auction #1: Attrition.org 2020 Custom Swag Pack (limited edition)


Starting this week, I will post the first of several charity auctions to eBay. I don’t know how many there will be exactly, but these will be bigger than the typical Twitter-based single sticker pack charity drives I do on occasion. The goal is for each to be significant in both what you win as well as raising money to help good causes. Ming Chow and Lei have both generously donated a lot of great InfoSec swag for the cause, so keep an eye out for t-shirts, con badges, as well as some 0day Attrition swag.

With wildfires devastating California and Colorado, among other places, providing a bit of relief will be one goal. Expect to see another charity to help an animal cause and one for military veterans. Due to the way eBay works, I cannot give the winner a choice in where the money goes, so please choose the one you bid on wisely.

As auctions are created I will Tweet about them on @attritionorg and appreciate any sharing on your favorite platforms (e.g. Slack, Discord, Carrier Pigeon) to reach a broader audience. In addition to the original posted item, I will add more to the final box that gets sent out based on target amounts reached in the charity auction. But first, please read this disclaimer:

Bid on what you see listed and pictured in the auction, not on what might or might not be included later. The stuff that will be added is very much in the spirit of the original ‘box of shit’ I began sending out long ago. Generally fun or odd things that have no real value other than laughter or odd looks, I hope. Any value attributed to additional items that accompany the listing is your own.

This will finally be your first chance to have a shot at the slick new Attrition acrylic coins and another chance at a set of seven new Attrition stickers.

During this period of charity auctions there will be impromptu offers of one-off sticker packs or knock-off ‘Lolzo’ coins that don’t come in the nice black felt pouch (and typically don’t have all six coins). As I tend to do, they will be given out contingent on smaller charity donations. Please note that I do my best to make it so people donating are guaranteed what I offer, or make it clear that it is ‘first-come, first-served’ (FCFS) and that if you donate you may not necessarily receive what you hoped for. This is all done in good faith with the goal of helping non-profits out during a global pandemic, when many are seeing an understandable decrease in their usual funding.

Any questions? Tweet at me so the answers can be seen by all. Really want one of those pouches of coins or sticker packs? Feel free to message an offer that involves donating to a charity in good standing, that uses at least 80% of their money for program expenses and less than 10% for admin expenses. You can see those numbers for many charities using the wonderful Charity Navigator site. For smaller charities that may be local to you or have a more personal connection feel free to DM me their web site and let me look around first.

  • There will only be two auctions that involve slick custom-made Lazlo wooden trays.
  • There will be one super-mega-pack of stickers (InfoSec and not).
  • There will be one auction with a lot of con badges. In fact, they might be split up into a couple auctions.
  • There will be one auction with InfoSec t-shirts.
  • I’ll consider charity offers on ~ 20 of the black pouches with coins starting on September 18.
  • I’ll consider charity offers on ~ 10 of the knock-off Lolzo bags with coins after September 23.

All said and done, this year’s Attrition swag cost over $1,000 to do, but supported one artist and one American company. I had originally planned on selling half of what was made to recoup those costs and then give away the rest. Since the world is in bad shape I decided it would be better to try to raise as much for charity as possible instead. I share this in hopes that anyone receiving items will bear with me on shipping speed and turnaround time. I am doing this in my limited spare time, paying postage, braving the post office, and doing all of it in good faith.

Thanks,
Brian