
Arbitrary Albatross: Neutral Names for Vulnerabilities at Volume

BSides Las Vegas · 2018 · 51:03 · Published 2018-09
About this talk
Art Manion and Leigh Metcalf from CERT/CC explore systematic, algorithm-generated naming schemes for vulnerabilities as an alternative to manual or researcher-driven names. The talk examines whether neutral, randomly assigned names—like those given to hurricanes—could standardize vulnerability communication across technical and non-technical audiences while reducing the implicit importance signaling of manually crafted names.
Arbitrary Albatross: Neutral Names for Vulnerabilities at Volume - Art Manion & Leigh Metcalf Ground Truth BSidesLV 2018 - Tuscany Hotel - Aug 08, 2018
Transcript (en)

I'd like to introduce Arbitrary Albatross with Art Manion and Leigh Metcalf. Great, thank you for the intro. This has got a good signal, okay, for recording, right? So yeah, Leigh and I work at the CERT Coordination Center, which is part of the Carnegie Mellon University Software Engineering Institute; I do all the organizational names in there. I do a lot of coordinated vulnerability disclosure, been doing it for a long, long time. Leigh is my helpful math PhD assistant who does the important work when I don't know what I'm talking about. Leigh is also one of the co-editors of this ACM Digital Threats journal, which is up here, which I encourage everyone to consider submitting to. It is how far

from a first edition? Hopefully by the end of the year. Okay. I try to ride my bike in all kinds of weather, and you can't tell if there's no cross section here, but those are those triple-layer brownies that have the chocolate chips and the other stuff in the bottom, which Leigh brings in, and I say, what would you like, what new computer would you like today, or something like that. I'll just say food bribery works with me super well. So we're gonna basically talk about the idea that, you know, vulnerabilities get names, right? Mostly it's a researcher selection, there's some branding element to that, and it crossed our minds, I

forget how long ago: what if we just had a computer name them all? And what is that, what would that mean, would that be useful? And this presentation is basically our experiment to date in chasing down that line of thinking. We really, really, really need vulnerability identification. We have to have a name on the abstract thing that we're trying to talk about. This is important for disclosure and for doing vulnerability management; all of this hinges off of knowing what you're talking about. We already have IDs, which is a good thing, except we have a lot of them. Here are just four different sets of IDs that are used. There's a nice talk here from, I

think, a Black Hat or a DEF CON many years ago, a few years ago, about all the IDs and counting them as well, and if you want to read more about that, that's a great, great talk I often point to. So we have, you know, we have phone numbers, we have CVE identifiers, and we have this idea about words and named vulnerabilities. Professionals who are in a field have jargon; usually they're okay with the numbers and the code words, and, you know, nerds about vulnerabilities are okay with code words. The rest of the planet really doesn't know what you're talking about, and they shouldn't have to know what you're talking about. On occasion they might need to, and it's

something big and they have to take some kind of action. Fairly recently a couple of different congressional committees were interested in this problem, and the Senate Commerce Committee had a hearing which I was invited to testify at, and I felt very proud, and it was a bit of a challenge to do that. CVE was not mentioned at all during that hearing; no one talked about CVE-whatever, they talked about the words Meltdown and Spectre. So regular people need words. And I was very proud to go testify, but I did note that the next week they were talking about sharks, and it may have been Shark Week, so I don't know

maybe what this committee is up to half the time. But there's some very serious talks, and then there's, well, maybe that's, I don't want to say it's not serious, but yes, sir, I actually looked at some of the speakers and it looked like an actually interesting thing, but I just had to capture this because there's really something there. Right, people remember words pretty well, and they'll remember clusters of words pretty well, and when you talk about sort of coordinates like latitude and longitude, and this may be an alphanumeric code for latitude and longitude I'm not familiar with, their recall and memory drop off basically quite quickly in this graph. It comes

from a 1957 paper talking about this sort of thing, but I more recently stole it from these people. So we name other things. We name storms. I'm gonna claim that they're easier to measure than vulnerabilities because they're physical: you can measure wind speed and pressure and temperature and things. They're conceptually easier to measure, maybe not physically easier to measure, but physical properties have an objective measure. It's a tropical storm, it gets a name; it's a hurricane, it gets a name; maybe typhoons get names. I believe NOAA in the U.S. does this; I don't know what happens internationally, but I notice the Weather Channel names things as well, just for probably promotional purposes. So, you know, you

want authority, a central authority, talking about objective measurements. This is something interesting we came across: this company covers the globe in three-meter squares with a three-word phrase, and this, to the best of my ability, is where we're standing. Well, maybe not all of us, because this room is bigger than that. We are in model head spine, or somewhere in this room is probably that quadrant. So, you know, three-meter squares, I don't know the math, or surely you do, this is actually a different kind of math, right: how much surface area of the globe is there, and there's enough three-word combinations to cover the entire thing? I

guess, yeah, the middle of the ocean is covered, I think. So you can really pick anywhere, right. You know, numbers can be unique; if you have enough words you can be unique about things. Recognition is not great for humans for numbers; meaning is not great for numbers unless it spells out "leader" or it's your old phone number or something. Computers like numbers and cataloging, but, you know, they have to do NLP processing and things to deal with words. Names are one thing, branding is something else, so we get a lot of researchers branding things. There's often marketing involved: logos, websites, press releases, press language as opposed to advisory or technical

language. Anybody remember this one? You could get a CERT sticker if you get any of these right. You already have a CERT sticker. Good though. Misfortune Cookie, I forget what it was about, I can't remember, I thought my head... Very, very likely anyone remembers that one? That one was, actually, this animal is meaningful: RAMpage, and I forget what the problem was. It's not Rowhammer, it's something else. Anyway, that one I totally did not notice at all. You want to know this one? It's VENOM, but again, I have it somewhere in the notes, but I don't know what VENOM was about. So great, we have, you know, we have

a name for things. You kind of guess this is about a cookie; it may not have been a browser cookie, it may have been like an SMB cookie or something, or not, I'm not sure. Something about RAM, I have no idea what that was about. So I got a name, but I'm lacking the back connection to it. So, you know, what if we named all the vulnerabilities? Or what if we named just some of them, right? If you want to pick some, how do we decide which ones rise to the level of getting a name, right? I don't name a random thunderstorm, I name

a tropical storm. Severity is a nice idea, and this is the CVSS, but maybe better would be existence in Metasploit, all right, a little threat likelihood might be a better way to measure something. Even the attention, people talking about things a lot: so count the number of references in an NVD or a CVE entry, and if it has more than ten, the thing needs to be talked about by humans, you know, put a name on it. We talked about naming things neutrally, just to have a cover on it, like the three words covering the planet: so, no, names you recognize, but they don't have any extra special meaning. Arbitrary Albatross is, you know,

kind of in that department. Or we might want to be not neutral; we might want to actually apply some meaning based on one of those dimensions, so, you know, do we encode that severity, threat or attention, or similarity means something. So if it's Angry Bear or Angry Lion or Angry Tiger, the fact that it's angry is a, you know, a high CVSS score, friends, something like that. [Applause] We have languages; use actual, you know, which language are we talking about? We picked English, of course, because that's what we speak and it's the de facto sort of technical language; it just happens to be that way. There's nothing stopping someone from using a different set of word lists,

right, absolutely. You've got to get the grammar right. We thought we're gonna, one of our, we only think, we don't think we only do adjective-noun, right; we talked about noun-noun or multiple nouns, like the three words, if it's called three words, whatever the three words website talks about. If you do pick a different language, you have to get your grammar right. So we have, you know, there's Red Dog; in French they say it dog red, dog that is red, I guess. Basically, I'm sure there are many more language combinations to deal with if you want to change it in your native language. Scale: we need enough names to cover the number of

vulnerabilities there are in the world, future, universe. A hundred thousand currently; I don't know how many in the future. Leigh's slides are going to cover the part where there are enough names, we probably think. Right, many people have said that and been wrong. Sorry, some of the word-expert sort of terms here. If you want to have meaning and less neutrality, but more pulling out meanings, you can talk about sort of common things, commonly well-known things that evoke some meaning, or are a little bit taboo or not taboo if you want to kind of create a feeling in someone. Rhyming and alliteration: Arbitrary Albatross, and my stupid title has like triple alliteration in it.

Creative swear words, right: I take a normal-sounding thing and add, you know, F in front of it, now it's something you kind of notice and remember. Opposite words, similar words, and again, part of, if you're gonna try to have non-neutrality here, what emotions do you want to pull out and evoke? You could do similarity: so what if all of the Shellshock vulnerabilities had the same, you know, the same partial word, like a last name? So, you know, Manion One, Manion Two, Manion Three. That requires you to know similarity, which may be a human problem, it might be a machine learning problem, but you can't just

have a random empty word list; you have to have some way to say these are all Shellshock, these are all Spectre variants. Conversely, if you don't want to imply that there's similarity, if I'm trying to be neutral and I have the word dog show up in two vulnerabilities, I have to be clear that that does not mean that they're related in any way, and I don't want words to get reused, right. Yes, but not in the same combination, is the idea. Okay, so, you know, given all these things, we don't have a solid solution we've chosen as the right thing yet, but we've explored a lot of this space, and Leigh's done all of the

work, for the most part. What does a solution look like? We need words, we need enough words to cover all the vulnerabilities and all the combinations we would need. We need to turn those words, we need to turn the input, you know, the catalog number, the CVE number, into the words, and we need something to do that, an algorithm or a method to do that. And, you know, Leigh does work for me, but I know she knows math and she is a co-author on that math book, so I thought, gee, I'll ask Leigh to look into this, and she did. So I'm going to hand it over to you, and that's the forward button. This

has been one of the most entertaining projects I've ever worked on, seriously. So I started with the problem of, well, let's forget the math for a moment. I need some words; I gotta have some words in order to name things. So I started by scraping the Wiktionary, because that has, excuse me, all the words. I got a lot of words doing this: I got over half a million adjectives, I got over a million nouns. Right, yeah, that's enough, that's enough vulnerabilities, yes. I think if we have more than that, well, at that point I really don't care anymore; hopefully I'm not around to deal with that problem, that's somebody else's problem. That way, you know, there's the problem with using

the Wiktionary: it's all the words. Like I said, all the words. Microsoft Word likes to declare like half of these misspellings. Yeah, I know what like two of those mean, in maybe three, so it's like, yeah, I got nothing for that one, don't know what it is. It's in the Wiktionary, so you can look it up, but I got nothing as to whether it's a good word, it's a bad word; I'm not even sure I can pronounce the thing. So I said, okay, let's see what other words I can find out there. So I went to word list two. I said let's look at some natural language processing, because these people set up corpuses where they tagged what all the

words are, and luckily I found a website that actually had a corpus I could download. A lot of people want you to pay for it, and I'm pretty sure I had no money for this project. No, you might have a little bit. So I created two word lists of singular adjectives and nouns. Went down quite a bit on how many words I got: 7,500 adjectives and 30,000 nouns, and we're still a pretty good number of vulnerabilities to tag. We don't have that many, right? Yeah, yeah, okay, okay. In testing I ran into some interesting combinations, though. Would you like to name a vulnerability Gelatinous Whitehead? And that's the nice one; I totally had to take the nasty one out.

Yeah, for a second choice. So it was suggested to me by one of my statisticians, you know, maybe you should filter out all words in the Urban Dictionary, that might make things better. But I said, hey, I'm having fun with this, let's go find a third list. So this time I went to a list of common nouns and adjectives. I just searched Google and said, give me a list of common nouns, give me a list of common adjectives, and this time I got quite a few less again, and we're down to six million vulnerabilities, and we're not there yet. No, okay, so at least not till Microsoft releases a new operating system. I don't know, I'm sorry, I

came up through XP in the day. It was great fun. On the plus side, nothing too offensive, so no more Gelatinous Whitehead. Darn. I mean, show no more. Yeah, you've said it enough times now, I think I get the point. Hey, I can do worse than that, just watch me. So you get lovely names like Apologetic Alligator, Corrupt Birdbath, Tickled Allegro. These are not bad. The problem is, like, corrupt kind of has a negative connotation to the word, and I'm like, okay, so negative is not a good thing, let's find happy words. And I tell you, I was having fun with this, I really had a lot of fun with it. So I found a paper

that looks at the emotional content of words, and they had a word list, and I even give you the URL so you can get a lovely word list and download it for yourselves. And in there is a column of the emotional impact of a word, and so it rates from low, as in bad words, to higher values, which are happier words. So using this I made that list using a truly scientific method, hey, I'm a mathematician, not a scientist, I had fun with this. So I basically said anything above here looks like a happy word, so we'll go there. That's a nice cutoff for us. All right, so yeah, you had them ranked, like they're ranked from

happy to, yes, I'd like you to do positive to negative, concept: negative is a bad one, and then you drew a line somewhere. I drew a line somewhere and said everything above here is more or less positive. I did not read the paper to figure out what they said was positive; I said I'm having fun with this. Hey, you want the vulnerability Yummy Nudity? Because according to this, yummy's a happy word, nudity's a happy word. I just can't wait for someone to talk about the Yummy Nudity vulnerability in Congress; it will totally make my career worthwhile. So I had some constraints, so my function, this is where the math gets in. There's going to be math formulas; there will be no

integration, there's gonna be no questions to the crowd to ask you to integrate anything, so please stop flashing back to your horrible calculus teacher. The function must be surjective and injective. That means everything is mappable to something else, and you can do it backwards, so that if I give you the phrase Yummy Nudity you can figure out what CVE that came from, or Apologetic Alligator, or Arbitrary Albatross. You must be able to figure it out the other way around, and it must only map to one thing each way. And randomness is out, guys, sorry, no randomness, because you have to be able to take the function and your CVE, if you

are a CNA, and give me the nice little phrase. You don't need to come to me and hope I pull something out of a hat, or out of my computer, or whatever it does. And I don't want to tie it to a specific set of words, so I had four sets of words up there. I'm not saying any of them is the perfect set of words, but I did tell you that each one of them has their own little bits of problems. So the first method, I said this is fairly easy: I will use modulus, because I have N adjectives and M nouns, and I'm a mathematician, so I like to write M and N instead of

adjectives and nouns; we're a lazy bunch. The adjective will be the number I'm trying to map modulo N, and the noun will be the number I'm trying to map modulo M. Well, this fails for collisions. It's very easy to run into collisions, as this simple example shows. Now everyone's flashing back to calculus again. I'm going to run into collisions using just plain modulus, so okay, method one is out. Let's go to method... everyone good with method one? Good. Method two is where the actual kind of math comes into play. It's based on number theory, and I want to solve this equation right here to get a unique a and b that I can map to an adjective and a noun. The problem is this equation

is only solvable by a unique a and b pair if m and n are relatively prime. That means they share no common divisors, like 4 and 9: each has divisors, but they're not in common with each other, except for one, and one doesn't count in number theory. So if I fiddled with my word list I might be able to get there, except this is actually a hard problem. The hard problem is: starting with two integers m and n, how much fiddling can you do within a reasonable amount to get to relatively prime numbers? It's on my list of things to solve; I have no solution yet, and by the way, I'm not a number theorist, so that might take me a

while. So my method two is out, because I want unique solutions. So then here's a nice little math equation here. Everyone runs screaming yet? No? Okay, good. And the function should have an inverse. So I did what mathematicians do and stared at it. You see the movies where the mathematicians stare at a whiteboard or a chalkboard or even a window, and they stand there and they write equations like mad; that's not even close to what mathematicians do. Mathematicians stare at walls a lot, and then we might write something down, and then we stare at that, and then we ball it up and throw it across the room, and then we go

back to staring at walls. You can't exactly make a really cool movie out of doing that. So I went back to my wall and I stared at the wall, and I literally stared at the wall for a while thinking about this problem, and then it hit me: the Hilbert curve. The Hilbert curve is a space-filling curve; there's a nice pretty picture of it, and it wraps around itself and it gets tighter and tighter each iteration you do, so that it's trying to fill up that box without crossing itself. And since it doesn't cross itself, then there's no collision that's going to happen. Yay for no crossing. You may have seen it in this xkcd,

and if you buy my book you'll see how to make this xkcd cartoon. Not in my book, but I also talk about why it's actually not a great visualization in my book. So there I go selling my book again; hey, it's an awesome book, I know, I wrote it. So I guess I need two functions, though: if I know the length of the curve, then I know the point (x, y) that it ends up in, and conversely, if I know x and y, then I know the length of the curve. So now I can take my integer and map it to two integers and happy things happen, except we're not done, yeah, because there are constraints. With the whole curve there's

always constraints; that's math, there's always a constraint. This only works for curves up to length M squared minus 1, where M is my number of nouns. Right, right, I confused the heck out of them because I kept calling N adjectives and M nouns. Sorry, it's all right, we reviewed carefully. And it also requires that N equals M, where N is the number of adjectives. So I just kind of cheated and used modulus and hoped it worked out for now, because I'm not declaring this as the be-all and end-all and great solution; I'm declaring this is a great start. And if I use two sets of nouns, if I'm calling it the Alligator Albatross vulnerability, then this works absolutely

fine. And so now I have words, I have methods, and then you see the CVE people just screw things up totally. I mean, I shouldn't put it that way, I think that's not polite. Are there any in here? For no good, okay, really, okay. So the CVE people totally screwed me up. I said okay, I'll just take the CVE-YYYY-NNNN, and last time I looked at CVEs they only went up to like 10,000 or so, or yes, yeah, four or five digits, and I'm good and everything works out. And then I started looking at CVEs, and may have said some profanity, I'm sorry, good thing my office has a door on it, because you guys made that go up to

infinity, especially if you assign things to CNAs. So life sucks for me now, because that number's probably going to be bigger, and well, it's not gonna be bigger than the Wiktionary, maybe it could be, though, it could be infinity, I think, right. How much you guys messed this up for me; I had a great thing going, and then like maybe 64-bit reality went to it. I don't know how big numbers are these days. So I have options: I can do modulus again and take the CVE modulo the number of potential word combinations, which is actually what I did for the examples, but I can also run into collisions with that, so that's not

actually a great solution. I can take the top CVE and subtract off the minimum CVE so that I'm starting at zero for counting. The problem with that is that the first one was 1999-0001, four zeros, three zeros on the one, yeah, yeah, that's a small number. I know, I'm saying it's a small number, but compared to these guys with, you know, six or seven digits afterwards, it's not enough to actually really affect things. So there, I want that one. So now I'm like, I shall use math! By the power of math I shall solve this, and everyone's looking at me, just leave it, believing me, you know, I'm used to that.

There's this thing called the Cantor pairing and unpairing function. The Cantor pairing function, what it does is it takes two numbers and creates a unique third out of it, and you can go backwards from it: you can take the unique third and create the unique pair that created that. The problem with doing that is we're gonna end up with some vulnerabilities with two words, some vulnerabilities with three words; it totally depends on the actual CVE number. I haven't solved this one yet; I'm still working on a solution. So now we have some examples. Would you like to, sure, oh, control the clicker. Yeah, no, so yeah, a little game again; these might be easier than the one before, and again your prize

is a lovely CERT sticker. These are so illegal, so don't tell anyone that I gave them out; I didn't ask first, I just had them made, because I knew what the answer was gonna be: it's gonna be a six-month drawn-out no, or not an answer, so I've learned. It's just a sticker, it is, actually. Anyway, yeah, so a little PowerPoint game. Who knows what, when this is closed... ghost-like, synonym for ghost, I'm sure there's a technical difference. Spectre. Spectre it is. Here you go, you're welcome. Did anyone know this, the CVE, was that one off the top of their head? Didn't remember that CVE? Yes? No? Okay, because there's more than one, right, variant of

Spectre. Does anyone know which variant the CVE, or that ghost, means, or anything? Yeah, this is v2, but again, all this stuff is just, you don't create a table for yourself somewhere, it's just lost, right. So the common word list calls it Deputy Consideration; the happy words list is Genetic Paradise; we've got Starched Amplify, and Abdominal Vesicle, Area Physics. Yeah, I should get myself a sticker for that. All right, now as an experiment, we talked about sort of, you know, neutral names versus names that have some meaning. As an experiment we're gonna try with severity, so stop me if I get this one wrong. So we've got,

we've taken the CVE, the integer part of the CVE, turned it into adjective-noun, right. What I did is I took the 4.2... right, first, before we added the severity, right, we're just taking the CVE, generic, and we're adding an entire separate number as an input, a third, second, whatever you want. I took the CVSS score, multiplied it by 10 to get me a nice integer, and then just mapped that to the 47th adjective in my list. Right, so basically as CVSS scores go, you don't actually get all 100 anyway, but anytime you see a 4.7 you get the word abundant in the happy words and accustomed in the

NLP list. So basically, if you had a 4.7 for a different vuln you would get abundant, you know, abdominal, whatever, but the point is you could encode meaning here if you wanted to add a word to it. CVSS was easy for an experiment here, but again we would try to pick something else, again sort of most-talked-about, popular perhaps, higher threat rating of some kind. But again, you don't just get that for free; you've got to have that data ahead of time also. So let's see what our next one is here. Anybody want to guess what this one is? Heartbleed, he said first, good guess. This was it, this was gonna be the

first one. Nice, a sticker for you, here you go, thanks. Who knows the CVE? Anybody want to guess the CVE? I don't get anyone, I guess. The year, come and get the year, someone knows the year, 2014, whoa, 0160, which I had memorized for like a month, and then I forgot until I looked it up again. Yeah, I know. So right, professionals and nerds can remember the phone number and the code number, but I'm, right, let's see. Oh yeah, Heartbleed: Drawbridge Clam, Economic Freedom, Submembranous Help, and then the long run-together Acclimate Acclimatize Apple Adolescent. See, I think we got that syllable limit somewhere, two or something. These do not, these do not

roll off the tongue, right. That might be the fluency property, perhaps; there are the more common things people can say more easily, and we're already being jerks about doing this in English, so, you know, when you start giving out really hard multi-syllable words with L's and things, it gets silly, so we should be polite to others. Okay, we have at least one more here. Anybody want to guess this one? Dirty COW, very good, get a sticker. That one's pretty self-explanatory, but yeah, there you go. Oh, who wants to guess the CVE ID? Anybody? Why can you humans not remember the CVE IDs for these things? It's so easy, it's so

easy. Yeah, whatever, 2016, copy-on-write, that's why Dirty COW. All right, let's see what we came up with: Division Craw, Heady Convenience, Subtle Endear, Ismole Endear, Original. The way I can throw Karpis after comer... Wiktionary has got to be out. I mean, I think we're crossing that one out. Why do you think I chose this? I chose them at random, and that was kind of a great illustration. No, no, I mean, this is, we got, you know, basically we reduced this down to four word lists we're still playing with, and yes, at the moment one sort of preferred way to convert things over, but again, not, you

know, not really a finished thing yet. I think we have another one here, so just as a counterexample, here's something with no branding. That black thought means there's no branding, but this is a good one; this was a doozy back in the day, because it was remote O&I, and it might still be, if anyone's running Windows 2000. Anyway, and this game is out: Flax Bugle, Vogel, Google, Manageable Fidelity, Tonometric Aggregate, and Adventuresome Wiktionary acro... Estiva Neuroses. You do that, that means it's gonna get you a sticker if you can answer it correctly. Oh, all right, yeah, all right. Yeah, so again, Leigh's run the CVE corpus through all

four word lists, and kind of the questions we have to pose, you know, post this presentation, and once we, you know, guess what, these slides will be posted; I think they'll post them if they aren't posted here. But does anybody care? Is this useful, right? There's an eternal debate about, you know, what problem are you trying to solve, which I'll basically summarize to be: sometimes humans need to talk about these things and they're just not gonna use the CVE number, and yet we need the CVE number or the equivalent; we have to have that for informational purposes. Without that, some people can't go talk about it, the press can't write about it, Congress can't ask questions about it,

non-professional nerds can't have that conversation. I don't think we care about sort of preventing, there's the branding element and the hype element, right. So trying to remember, there've been a couple of branded ones that were sort of flops and were panned as being well overhyped for their relative severity. The bash one, Shellshock. Shellshock, yeah. I was in my sysadmin days at that time, and I looked at Shellshock and went, I don't care, because I realized to get root using it you had to have root. So, but it had a cool name. Yeah, so I don't think we're trying to put, you know,

researchers out of business in terms of their marketing and their PR and gaining attention for vulnerabilities. Maybe if such a system were common and everyday and, you know, every CVE entry just had the words in it, maybe that would deter brand name creation; I don't know that it would, and I don't know that we particularly care. It might be more for the other, you know, what, 20,000 a year, the 2005 a year that get a brand name, you know, how do you talk about those? Might be the case. And again we're not, you know, we're not done with the idea that maybe you only need names for the top whatever 10 percent

severity, threat, popular ones. You mean I need names for absolutely everything? Although I guess it's relatively trivial to just name them all. Relatively trivial, they all just... don't name them all. But I think if you had the CVSS, or whatever, excuse me, not CVSS, I apologize, but whatever threat type of score with it, that would actually really... so the happy words have scores with them, and they map from low numbers, meaning they're emotionally bad, to higher numbers like yummy, which is an emotionally happy word. So it's very easy to map whatever score we use and figure out what are the adjectives that are like, this is horrible, to yummy. Okay, I won't use something, it's like a

funny one, but horrible to nice. So it's fairly easy to do something like that. Yeah, which would also give an idea to people, as opposed to going to look up the CVSS score, not understanding it, and, whoa, oh this is horrible happy bugle, excuse me, horrible flex bugle, and so therefore that's a scarier thing than just CVE whatever, CVE whatever the heck the number was that I still don't remember. There's actually one other problem with word lists: I did not filter out computer terms. So when you see the word lists and things maps, there will probably be something called happy computer or vulnerabilities, happy firmware vulnerability. I think that's probably something you should consider removing, unless you a

terminal doesn't... a fool doesn't go there. Why not? One second while I mess with my display, that's the slides. So we'll pause for questions. I'm gonna grab a terminal and I can grab some CVEs, everyone's got a favorite, and we can play a couple more games as to what comes out there. So Lee, you handle questions please. Excellent, thank you. They're gonna be mafic stoves anyway from him for sure. Yeah, yeah, no, no, not anymore. Okay, so have you considered lemmatizing the terms, since it seemed like some of the more complex words were derivative of a more common base, where it's lemmatizing and using the root as the term instead of using the more

complex form. I know I had not considered that, and that's a great idea. Sorry, oh, what did he mean by that? No, really, I was not paying attention at all, so yeah, please. So like acrobatic is a derivative of, say, we'll pretend this because I'm not a linguist either, a derivative of acrobatics, and so we'd use acrobatics, not the words derived from it. Okay, and that was a horrible example, but

I was just gonna ask how you dealt with, like, words, or if like words would be frequent in the database, so you know plurals or, you know, other... Well, I did restrict myself to singular nouns, so that was one thing I definitely restricted myself to, and singular adjectives. I didn't want to run into computer and computers and going, oh well, yeah, pick one. That is one thing I did. Right, other than that, now it's actually a good question, is you should probably, we should probably just use Levenshtein distance, remove the ones that are just really too close to each other. Any other questions as he goes looking through things? Oh, can we get you guys to

sponsor a PowerPoint karaoke next time, and like he'll name, explain the CVE, you know? Yeah, yeah, well, you know, our boss's boss actually wanted us to do t-shirts. No, yeah, that we were gonna do more of the PowerPoint karaoke basically, or the, you know, play that, yeah, play the name-the-vulnerability games. Um, it works, it's a great PowerPoint game, I mean it just lends itself perfectly. Yeah, is this PowerPoint karaoke an actual thing that happens at these sites? Okay, no, nice. Alright, as a separate competition, or you just, someone just observes all weekend slides, get a set of slides from someone else and you have to give someone else's slides with, like, five minutes perhaps,

maybe, okay, something like that. Another thing is, if you could build this into a badge, I'm sure the DEF CON people would love, you know, I just spit stuff out, but an engine... This was like the most fun project ever. I mean, I was sitting in my office going, I named a vulnerability erotic nakedness, this is an awesome job, I love this job. So I'm actually making it... I could, I wasn't, uh, I was, I was doing it the other way. Fishnets chauvinists, that might be the one we had as a horrible example we took out. If you looked at it on paper, or write it, or read it very slowly, it was fine,

but if you kind of read it, the consequence, when we put it together in a way, it was a little bit of a... we don't want to put it on a public presentation, basically. But um, so there's a bunch of weird things that could still sneak up that I don't actually know how to exclude, all of the possible weird combinations, and that'll be language dependent too. So I mean, one way to do it, here's, like I said, remove everything in the Urban Dictionary, and I actually did download the Urban Dictionary and scrape it, so I can do that, but I haven't done it yet because I was having too much fun. No, what CVEs, I only got heavy, I don't

think I have it the other way, sorry. So the fun thing would be the name meaning something in a different country. Yeah, and you bring it up, you know, fairytale cauliflower could be something different than that in a different country, and it could be a... that's not what I really want to say, let's just say it could be something, gonna be in their urban dictionary. [Laughter] Yeah, I asked the ball team, I'm like, give me your favorite CVEs, and one of them came out with that because apparently, is that, that was one of the ones we... yeah, how do you sit in jail, yeah, I was like, oh, enterprising donation. So any other questions, and also opinions? I

mean, this is a relatively, you know, low-cost-to-date experiment for us, and we're gonna play a little bit further. I think the only thing it cost was my time. Well, right, but uh, usefulness of something like this, I mean, it's fun and we're gonna keep playing with it anyway, but, you know, imagine a world where, let me just imagine, you know, there is a CVE in a timely way for every single public disclosure, and along with the CVE is a, you know, two-word or three-word combo. It's just there all the time, and never... it just, everyone all wakes up one morning and accepts that that exists. Is that better, worse, the same, not

that meaningful? I, from my opinion, I like it. In one, in a haunted by, yeah, sure. One of the things I find really interesting is this may normalize the idea of giving vulnerabilities names. So right now, if a vulnerability has a name, it is implicit it is more important, no matter what the name... yeah, no matter what the name is. And so if you gave them all names, they're kind of in the same region of namespace, you know, when people see a vulnerability with a name, they wouldn't automatically think this is one that I have to spend budget to act on, you know, and if it has the more threatening name because it was named manually,

maybe that brings it a little more in the thought presence, but it starts being accepted that vulnerabilities just have names, and some of them feel very random and some of them are purposefully more intentional. Yeah, and again there's the idea that we might only want to name the important, quote-unquote important, ones, that that's possible to agree on, which is difficult in itself, but then we could leave the idea that the name does mean something. But like the storms, there'd be some slightly more objective measure that the ones, those names, the implication is true, right, they are more important for some reason. Yeah, a couple back years, right. Yeah, the only analogy I can think of is like

hurricanes. You know, we have a naming system for that. Thankfully we don't have as many hurricanes as CVE numbers, but I think that's, you know, it makes, definitely makes it easier to, you know, cross-talk about as compared to a random set of numbers. Yeah, I mean, I imagine within NOAA somewhere they've got serial numbers, something tracks the storms, you know, before they get a name, I guess. The computer's got one or the database has something, right. Sorry, Domon. So I think it's problematic to get rid of the year beacon at all. Yeah, I think the year needs to stay, and like I would like a year and a name, because that's very valid and that's very

valuable information when you're talking about stuff that doesn't get patched for very long, or just knowing, like, we're discussing the timeframe of when something was actually shipped, yeah, or at least coordination began, like it did with Spectre and Meltdown. I think there is value in this just for the fact that, you know, people can say these words. So if you are, you know, if you are on a blue team or doing, you know, like doing other remediation or assessment and you find stuff, this is easier, it's easier to talk about these, I think. Well, not all of them obviously, that Wiktionary is not gonna be something that people can just say, drop in conversation, but I mean that

that's valuable for any number of things, from just like, seeds like, conversations over a phone or teleconference, or just yelling down the hallway what it is you found on something. I think this, so that's all valuable for this. I do like the idea of naming everything and having, like, a repeatable process so that people can find stuff and name it, so long as they have a CVE. And that's one issue, where we know that in some cases coordination takes place and people are reserving the CVEs, or holding, or not getting the CVEs until they're ready to lift embargo, which means that this becomes moot, sadly, which is really... it's just more like people can practice

better CVE-getting practices. So one thing we have considered is naming a year. Oh yes, so you'd have a family name, basically, a family name for the year, and I'm personally fond of the... so, you know, I think Chinese New Year style. No, that's exactly what I was gonna say, give a name for the year. I think that's important, but I think two names is maybe a little bit too much, because one name is probably more memorable. There's, like, a lot of storms that you have, it has maybe like one name, Hurricane Katrina, Hurricane that... it just has one name, and then, you know, you, the name is tied to a year, so the year has a

name, and then you have your whole dictionary to use for that year, and then you can repeat that for next year, because then you'll have two different names. I love the animal ones, like, I'd, arbitrary albatross, so like red dog and unstoppable dolphin. Er, we have a... I don't think we know elixir bucket, but I do kind of like a, I don't know, like, some be more important, like, like Spectre or Meltdown, it has a name, right, it's easy to talk about, but that's what tells me, I'm glad it has a name, because it is important. Right, right, yeah, right, exactly, exactly. So it's, but it's useful, so even if they're all named, and maybe just

fall out naturally, but like, you know, the Dalek, we like the dolphin one that becomes super popular, we need to talk about it, you're fixing it lots of different places, people are worried about it, so dolphin becomes an important name that you use. But maybe you want to name it something that's relative to what that vuln is, you know, like the cow one, right, yeah, it's named cow because it has a cow, right? There's a couple, I just, I can see it both ways. Yeah, well, that's actually an NLP problem we've kicked around, but as I'm not an NLP expert, but I know some... oh, you got some around? We're gonna be, we have a

couple of linguists, actually, one of them helped us with this. Fried burrito, easy emergency bus, which one, emergency, yeah, but we need, we need, you know, broken computer shouldn't be one of the ones, right, yeah, serious exploits should not be one of them, right, yeah. And that's the part of, there's no... what, the happy words, because you don't really want to put the emergency, although we now have the fried burrito instead, so sounds good to me. Any other questions? Which, I think, is the reason... the thing, the Hilbert map, oops, right, and that's just my current solution. Like I said, there's another solution that uses the Cantor pairing, so sorry, that's because of

your mod, modular, singly adjectives? I know, actually, that is because of the way the Hilbert curve works, okay, the way it wraps around. Just please ask again in the mic, sorry, I'm not sure we've been good about the question. So is there an issue with modern-day CVEs after the, you know, CNA program and the new numbering scheme? Is there an issue where, like, basically a CNA, because all their stuff is gonna start with a certain set of numbers, are they gonna get, oh yeah, like are they gonna get, like, the same three words for all the vulnerabilities they do that year, and then if they get one they don't like, then the CNA is going to

complain about the program? I see. I don't... three words, but it's gonna be words in the same sort of neighborhood, but it also depends on, you know, how I actually solve that problem. The fact that, you know, they have a CNA with how many zeros is that, okay, that one, so these are, these are DWF space, right, probably, because they're in the 1 million, I'm just guessing, I think those are the DWF ones. And I see, you know, stable repeats and unintentional repeats, but I think, I think lentil block you could still get that first, add you to the change, yeah, and again we can, I don't know, yeah, I mean it's stable

freedom. So stable freedom has a... I feel good about stable freedom. What's a note of gerak, oh, Caracas? Yo, my guess is the dictionary will not know. Nope, alright, yeah, I don't know, it was found in that, you know, P had it, so yeah, probably. I'm Wiktionary, so yeah. Um, I think we're at time, so um, thank you for your input and your questions. Um, anyone want a sticker, just stop up and grab one. So I wanted to make a game out of it, but not everybody got one, so it's one of those games where you just get one, I waited by sitting through the whole talk. Thanks everyone. Thank you, Lee. It's Gabe, dude, BSides.