Heartbleed and the Power of Names

Great marketing perspective on the recent OpenSSL exploit:

Remember CVE-2013-0156?  Man, those were dark days, right?

Of course you don’t remember CVE-2013-0156.

The security community refers to vulnerabilities by numbers, not names.  This does have some advantages, like precision and the ability to Google them and get meaningful results all of the time, but it makes it very difficult for actual humans to communicate about the issues.

CVE-2013-0156 was the Rails YAML deserialization vulnerability.  ”Oh!  I remember that one!”, said the technologists in the room.  Your bosses don’t.  Your bosses / stakeholders / customers / family / etc also cannot immediately understand, on hearing the words “Rails YAML deserialization vulnerability”, thatlarge portions of the Internet nearly died in fire.  After I wrote a post about that vulnerability I was told for weeks by frustrated technologists about e.g. VPs nixing remediation efforts due to not understanding how critical it was.  That’s a failure of marketing.

Compare “Heartbleed” to CVE-2014-0160, which is apparently the official classification for the bug.  (I say “apparently” because I *cannot bring myself to care enough *to spend a minute verifying that.)  Crikey, what a great name that is.

  • It references the factual underlying technical reality of the vulnerability, which is data leakage during a heartbeat protocol.
  • It is very emotionally evocative.  Think of your associations — “my heart bleeds for you”, the Sacred Heart and associated iconography, etc.
  • It sounds serious and/or fatal.

Geeks sometimes do not like when technical facts are described in emotionally evocative fashion.  I would agree if it were for the purpose of distortion, but “If you use OpenSSL 1.0.1a-f you could be leaking server memory” actually is serious and/or fatal, so describing it as such has the benefit of making people seek immediate resolution, which should be our goal as technologists.

Unique names (and “Heartbleed” is unique, given that you’d be hard pressed to find any mention of it which predates the vulnerability) are useful for communicating shared concepts between people.  My Twitter stream for the last few days is people sensibly discussing e.g. “Don’t forget, you can be heartbled in a client context”, “How do you fix Heartbleed on Ubuntu?”  ”Depends — older versions aren’t vulnerable, newer versions can just apt-get update & upgrade”  ”Thanks!”

(via Hacker News)