proposal: "security spectrum scale" (SSS)

["Vladimir Z. Nuri" <vznuri@netcom.com>]

regarding the recent Markoff NYT article on NFS weaknesses, I agree
it seemed to be overblown. but in fact I have been betting that feeling
from *all* the recent articles on the netscape bugs etc (egad, am I
mistaken, or whas there front page NYT coverage for a *buffer*overflow*?
at least there was for a single *poorly generated random seed*!!). 
for example, in another, the fact that netscape had a buffer overflow in URLs
was translated by a reporter into "a similar bug was used by Robert
Morris in the infamous worm that infected the entire internet a few
years ago" or something similar.

it seems to me what is lacking in all this is a *security spectrum*.
unfortunately security experts sometimes have a tendency to equate
*any* security weakness with a catastrophic one. while this is a good
approach in general, i.e. to be as conservative as possible, in 
practice there can be no doubt that some security weaknesses are far
less severe than others.

if the security *experts* conflate the issue of the *severity* of
a security breach (and I see this happening all the time on this
list), there is little surprise that reporters aren't
figuring it out either. some of the really obvious example of the kinds of
differences in security that are being conflated: client vs. server
problems (server problems are far worse of course; the netscape bugs
were mostly *client* problems), subnet vs. overall network problems, bugs
that allow people to merely crash a system vs. submit arbitary
code, etc.

to aid this serious problem, I propose the creation of a 
UNIFIED SECURITY SPECTRUM RANKING.

this would be a list of all the different types of security weaknesses
a system can have, and their LEVEL OF SEVERITY. it would attempt to 
rank every type of security breach possible. then, when a new
security weakness is discovered, it could be ranked A1 or B5 or C6
or whatever. this would be a sort of technological "richter scale"
that would allow the novice to immediately understand that a given
bug that was recently discovered (say, the recent netscape bugs)
was, say, not really as potentially severe as the Morris worm.

a press article might say something like,  "the recent netscape
bug was ranked a B5 on the security scale by experts. this means that an 
unauthorized intruder could break client software. the bug could
potentially be as serious as A3, meaning that arbitrary code could
be submitted. the other bug was classed B3, because it allows the
detector to grab unauthorized data, but still be detected in 
doing so." 

etc!!

I think it is pretty obvious how much of a positive effect this could
have in quantifying and tracking and publicizing new bugs. it might
make it impossible for a reporter to give an improperly alarmist
position. for example, no one would take seriously an article that
gets excited about a 3.6 richter scale earthquake. similarly, the
reader might be able to draw his own conclusions if we came up with
a sufficiently universal scale and it is widely used in articles.

furthermore, this scale would tend to help the reporter/editor immediately know
if a given bug report is newsworthy (if they continue to enthusiastically
report bugs, although I wonder if this is a fad that may die out).
and ultimately it might really help the issue of "proper attention
to bugs". the public is getting a scare story for almost every new
bug, and this is just not appropriate. to use my tired analogy, it is
like the media putting every dinky earthquake item on page 1.

another idea behind the rating: it might be a sort of matrix format,
such as "a-6-alpha" where each of the elements indicates some kind
of independent factor. for example the "a" might mean "client side",
the "6" might mean "crash only", the "alpha" might mean "breach
cannot be detected after the fact". however it shouldn't be so
complicated that the novice can't immediately determine which of
two rankings is more severe.

now, I am really rather surprised that no such scale appears to 
exist currently. I highly suspect the NSA probably has a system for
this but unfortunately it is not being used by CERT or anyone else
that I know of. if anyone does know of this kind of "security spectrum",
I think our cause of trying to improve software security would be
furthered immensely if whenever reporters call about bugs, the scale
factor could be consistently and uniformly used in association with 
trying to describe the severity of the bug.

I am willing to work on a beta version of this "security spectrum"
if there is sufficient interest. it certainly seems like a far better and 
worthwhile investment of time than, say, "the geek code", the latter of which
is already highly developed!! I don't really consider myself the best 
qualified in terms of experience but sometimes if you want something done, you
have to do it yourself.

however, if we do this, I hope that a good scale that is pretty general
and doesn't need extensions can be done from the start, before its widespread
usage, so that later changes do not confuse users. there is already 
confusion in the media about two slightly different richter scales, this
is a pity. 

another neat perq: if the cypherpunks come up with a good scale, it
could be a tremendous positive publicity tool. "today experts discovered
a bug in -x- that rated a -y- on the CSSS (Cypherpunk Security Spectrum Scale)"

generally, regarding cypherpunk priorities, I think the "media can be made 
our friend", but we just have to learn how to be more meticulous and 
careful in our interactions with them. in general I don't really think
a lot of the misreporting going on is the fault of the reporters involved.
it's not surprising they get their stories mixed up, when, IMHO, even
the "experts" they quote aren't particularly polished and don't really have 
their act fully together (or at least, tend to misrepresent the problems
from the beginning).

(most of the last Markoff article imho can just be chalked up to, "two 
prestigious graduate students who discovered something significant recently 
wrote a message warning about another significant security problem."  it shows
how absolutely critical it is to be careful what you say once you have
built up a bit of a reputation.  these two grad students are now being
watched as the Chicken Little's of Cyberspace by the media, unfairly
or not. be careful about wishing about fame, or anything else!! you might
get it!! makes me a bit nervous about causes *I* have promoted in the 
distant past.)

--Vlad Nuri