
What Heartbleed Can Teach The OSS Community About Marketing - spatulon
http://www.kalzumeus.com/2014/04/09/what-heartbleed-can-teach-the-oss-community-about-marketing/
======
phillmv
Yes entirely on name, visual identity and first three paragraphs. More like
this for serious vulns, please.

Also, what a great name.

The remainder of the page is a loud reminder of the gap between the sec and
dev communities, at least as practiced in lolstartupland. Or at least between
offence and defence. The second paragraph tells you the sky is falling, and
then it takes them 13 questions to tell you which openssl versions are
vulnerable.

(Also, I wish the behind-the-scenes action was less messy; why not coordinate
with Debian and RedHat patches? Why did Cloudflare get advance notice?)

~~~
mschuster91
Because Cloudflare is possibly the biggest and most vulnerable target due to
the enormous number of websites and businesses relying on it. I would not be
surprised if at least FB and Twitter also had early access.

It was clear from the beginning that as soon as the details became public, a
race would begin for the script-kiddy-friendliest tool to own sites/users. And
the most likely targets of script kiddies should be warned in advance.

~~~
ef4
> Because Cloudflare is possibly the biggest and most vulnerable target due to
> the enormous number of websites and businesses relying on it.

AWS is at least as important, as is Akamai.

My point being, it's not enough to hand-wave about who's the biggest and most
important. A good system would give anyone with enough at risk a clear path to
earn a seat at the table.

Major providers could create an "early warning disclosure club", each
contributing some money annually, and the money can be used to pay bounties to
anyone who gives them advance warning of a zero day. Of course you'd want some
safeguards to make sure nobody blackhat joins the club to use the
vulnerabilities for offense.

~~~
tptacek
Software security used to work this way, in the early 90s. Disclosures went to
vendor cabals. They leaked like sieves and were a running joke on #hack.

It's hard to argue: yes, the world would be better if only the people who were
going to mitigate the bug had the information until everyone had mitigated.
But a repeal of the CAP theorem would be nice too. Meanwhile, we have to work
with the world we have, not the one we want.

Early disclosure club isn't a terrible idea, but good luck getting it funded
in a serious way. The correlation between "most impacted" and "most clueful"
isn't particularly strong.

~~~
patio11
Indeed, if one posits a channel for transmitting secrets among a vendor cabal
which never leaks to people not authorized to receive the secrets, we should
abandon SSL and use that for our secure communication needs instead.

------
tetha
I'm noticing this at work, too. Give things - even entire contexts - short,
pronounceable names.

For example, at our place, "Munin" or recently "Graphite" have been
established as the name for our monitoring systems. They describe a system
spanning a couple hundred servers, including a handful of different daemons and
configurations and generally, a lot that's going on, so the term is inherently
ambiguous and imprecise.

However, I've found that this takes a lot of pressure off the less involved
people. They don't need to figure out how to call something precisely and
correctly. They have an accepted, not entirely correct term that's precise
enough to get the point across: "Munin on Server X broke" is all I need.
Similarly, "Is our server X affected by Heartbleed?" might be a silly question
because server X is no webserver, but it's easy to answer, because the
question is precise enough and just on the right level.

~~~
keithpeter
I read that as Moomin at first.

As a teacher, I give silly names to maths topics and it seems to help the
students organise their 'big picture' a bit.

------
nodata
"The Heartbleed announcement ... is masterful communication."

You have to be kidding me. It took so long to decipher what I wanted to know
that I went elsewhere.

Edit: "masterful communication" this is not, since the reader doesn't know who
the page is aimed at. Even a line at the top saying "Technical people go
_here_", and then something aimed at technical people would be better.

~~~
jmathai
But you did. What the communication accomplished was getting others who
otherwise might not have heard about or cared enough to do something to take
measures in fixing it.

That's an enormous win.

~~~
computer
He did because this is the worst internet bug in the past 10 years, not
because the page was so masterfully written. Private keys and user
passwords/data being disclosed will be cared about by systems administrators
even without such a fancy page.

~~~
tptacek
It is not the worst Internet bug in the past 10 years.

It's among the most widespread Internet bugs, but:

* An identical bug impacted nginx a few years ago

* A far worse bug impacted Debian (when they commented out the randomness in their CSPRNG), which coughed up code execution on tens of thousands of machines; lots of companies that didn't officially deploy on Debian still had a Debian box somewhere vulnerable

* The Rails YAML bug was perniciously exposed in lots of places for months after the initial disclosure, and also coughed up code execution

Losing authenticators for "live" users and TLS private keys is bad, but it's
not the kind of bad where you invariably need to nuke your servers from orbit
and rebuild. Other widespread bugs were actually like that.

~~~
cdelsolar
This bug is on 70% of systems and ANYONE can run a python script and pull out
plaintext Paypal or bank passwords. It is the worst Internet bug perhaps ever.

~~~
tptacek
I don't know a single vulnerability researcher who agrees with that statement.
But you also didn't marshal any evidence; you restated the first thing I said
about the bug, and then effectively said "no, you're wrong".

------
keithpeter
UK Offtopic: kalzumeus.com is being blocked under the category 'gambling' for
me by the TalkTalk HomeSafe filter. First time I've _seen_ the filter. My ADSL
over copper connection is provided by EE.

[https://dl.dropboxusercontent.com/u/8403291/talktalk-blockin...](https://dl.dropboxusercontent.com/u/8403291/talktalk-blocking-bingo-card-creator.jpg)

I can't change the settings as I am not a TalkTalk customer (to my knowledge,
my connection has remained functional despite mergers: Freeserve -> Wanadoo ->
Orange -> EE). I certainly don't have a 10 digit customer reference and my
account email is 'unknown' to the filter.

Cameron's cyber-nanny can be circumvented for eminently respectable domains
such as this by judicious use of ?oo?le Cache of course.

Anyone else from the UK with _default_ filter settings seeing this? I'm about
to write to my M.P. and some wider data points would be helpful.

I have used the 'report' button: perhaps they will unblock the domain when
they realise it is about Bingo.

------
bhousel
Maybe MITRE should assign proper names to serious CVEs, kind of like
hurricanes?

~~~
rubiquity
Oh, great. Then in a few years we can have minor security issues given names,
too. Like how winter storms this past winter were called "Polar Vortexes."
This world needs less media sensationalism, not more.

~~~
danohuiginn
They can just use NSA-style semi-random codenames. Every CVE can be
automatically assigned a pair of words out of a hat. It'll be particularly
beautiful when combined with already-silly software names. I want to have to
tell my boss that Raring Ringtail has been affected by Nevada Horseshoe or
somesuch.

~~~
keithpeter
Please don't joke about this kind of stuff.

MOODLE is an eminently useful free software course management system. A PHB I
used to work for got very worried about the 'silly name' and the lack of an
0845 number for when anything went wrong. Took ages to convince him that it
was a sensible alternative to another well known course management system that
cost a couple of teacher salaries per year.

We got there.

------
rbanffy
"Your bosses / stakeholders / customers / family / etc also cannot immediately
understand, on hearing the words “Rails YAML deserialization vulnerability”,
that large portions of the Internet nearly died in fire."

I watched my colleagues working around the clock (not as bad as it sounds -
we are scattered around the planet for a reason) patching servers, testing and
ensuring every hatch is properly shut. I can imagine other teams all over the
world and all over the internet doing the same, literally saving our
civilization from a threat only a tiny percentage of the population had any
idea existed and an even smaller group had any idea of how it threatened us.

~~~
rubiquity
You don't think for a second that the reason you were all working so hard to
fix this is entirely because of the marketing? The intense marketing of
Heartbleed alerted legit crackers (who would have found out anyway), and a
thousand times worse, it alerted _wannabe crackers_ of low hanging security
exploit fruit.

Marketing works both ways, you know.

~~~
teacup50
My apologies, I accidentally downvoted this. I strongly agree -- this should
have _NOT_ been publicly marketed in this way until vendors had _some_ time to
assemble updates, and possibly not even then.

Serious security vulnerabilities do their own marketing for the people that
need to know about them.

This is just lowering security to the tabloid level for mass consumption by
users who can't fix the issue anyway.

~~~
eridius
The moment it was made public information, there was absolutely no reason
whatsoever to hold back on marketing it. Even if your chosen Linux
distribution isn't quite ready to go with an easy fix, by being aware of the
problem you're a lot more prepared to deploy a fix the moment it becomes
available.

The only people that holding back (after the vulnerability becomes public
knowledge) helps are the attackers.

~~~
teacup50
> _The moment it was made public information, there was absolutely no reason
> whatsoever to hold back on marketing it._

There's a lot of different kinds of public. "Possibly in the wild" is _very_
different than "available to every script kiddie under the sun".

------
danielweber
I remember when the antivirus companies would fight about who gets to name
what. Didn't one try to name Slammer "Sapphire" after a stripper an engineer
had seen the previous night?

I don't look fondly on those days.

------
IgorPartola
I don't have a problem with making fanfare around the bug, but I cannot help
but feel that the Linux and BSD distro maintainers should have been notified
before it went public so that the patches would be available at the same time
as the site goes up. Instead, Codenomicon caused them to have a roughly 16-24
hour delay in releasing patched versions, while doing a poor job of
communicating which versions of libssl are vulnerable (1.0.1 a-f were
vulnerable, yet most distros use 1.0.1e and they patched that version instead
of upgrading to 1.0.1g, making things very confusing).

So while all the marketing has been great for Codenomicon, it caused most
sysadmins and distro maintainers more headache than it should have.

~~~
throwaway7767
Yes, not notifying at least the big linux distros and BSD projects was quite
irresponsible. Everyone except for a few chosen service providers like
cloudflare was thrown under a bus here.

------
rubiquity
I can't disagree with this post enough. Security exploitations shouldn't be
about marketing. Security exploits should be handled first and then
communicated to the public after the fact. The way Heartbleed was handled led
to a media firestorm. Other than Codenomicon, who else benefitted from this?

> _Marketing Helps Accomplish Legitimate Goals_

Are you kidding me? The only goal of a security issue should be fixing it and
getting everyone else to update to the fix. Heartbleed will be remembered
forever because of the BS marketing.

OpenSSL isn't a startup, it's a security library that is used by over half of
the internet.

~~~
teacup50
Yes, a thousand times yes. The point isn't to _market_ a vulnerability, the
point is to get a fix out there.

Forcing the entire world to scramble is great marketing, but poor security.
Vendors needed time to prep releases and communications; there's _tons_ of
confusion flying around out there.

Likewise, patio11's trying to capitalize on the awareness to market himself
may also be great marketing, but it's bad advice.

I don't know why parent is being downvoted, either. This is simply not how you
keep people secure. This is how you grandstand to promote yourself at the cost
of other people's security.

~~~
rmc
Wait, surely getting everyone to scramble is a good way to get the fix
released soon?

~~~
forgottenpass
Marketing is entirely the wrong way to get the people who release fixes to
scramble. At least at the top few tiers (package developers and distribution
maintainers) you know the organizations necessary to contact, and how to
contact them. If the orgs are worth their salt, a descriptive email to their
security contacts is faster and easier than a marketing campaign.

Marketing is useful to get sysadmins too lazy to subscribe to security
announcement mailing lists to apply the already-released patches or take other
mitigation.

~~~
smacktoward
_> Marketing is useful to get sysadmins too lazy to subscribe to security
announcement mailing lists to apply the already-released patches_

Which, let's be honest, is the vast majority of people who admin servers these
days.

With cloud servers, VPSes, etc., anyone can become a "sysadmin," and lots of
people do who don't really understand what they are signing up for. These are
the people running the unpatched boxes that Ars Technica recently called "the
slum houses of the Internet."
([http://arstechnica.com/security/2014/03/ancient-linux-server...](http://arstechnica.com/security/2014/03/ancient-linux-servers-the-blighted-slum-houses-of-the-internet/))

Those people aren't going to patch their system just because a CVE was issued.
They don't know what a CVE is. So marketing the problem is critical to reach
them and get them off their duffs.

------
jdubs
I just worry next time when a major incident occurs the author will spend more
time working on the design than just announcing the issue.

~~~
ef4
At that point, speed isn't really the issue yet. Heartbleed was in the wild
for _two years_. Would a day or two have made much difference? Highly
unlikely.

Speed matters _after_ the disclosure, when every petty criminal and script
kiddy in the world is suddenly empowered.

~~~
jdubs
I agree with you, but what about the people that knew about this beforehand?
The article references Cloudflare; on their blog it says that they knew about
this before the rest of us, who is to say those individuals are not bad guys??

------
higherpurpose
The first thing I thought about this whole thing when I saw the name was "this
is a great name for this bug, and will help ensure everyone hears about it -
and panics, which is the goal". I think the logo helped amplify that, so great
work by the people who thought this up.

------
zurn
Also, hats off to the heartbleed.com keepers, Codenomicon, for handling this
very selflessly - despite this (fuzzing) being their core business and having
found the bug itself. They could have made it a "company logo first" marketing
campaign.

------
pmorici
Maybe they could start naming them like they name hurricanes in addition to
the CVE number.

------
larrys
Excellent writeup but as long as the subject is marketing and memorability in
names (and in particular domain names) kalzeumus (or is it kalzumeus) isn't
the easiest name to remember for a blog or business.

And it lends itself to many typos which is one of my areas of expertise along
with branding. I can't easily tell someone "just go to kal zum e us dot com"
like I can "heart bleed" (which by the way has a typo that would leak in high
volume traffic to "blead" a bit).

Other than that I agree with what Patrick is saying, although I did find the
use of "heartbleed" with something also referred to as "heartbeat" (which of
course wouldn't be available as a domain name) a bit confusing at first.

------
bernardom
I agree with the principle; the logo even made the NYT, which had at least
three stories on Heartbleed.

But: are there enough two-English-word combinations left as viable .com names,
much less ones that accurately describe the vulnerability?

~~~
ereckers
A .bug TLD may actually work here.

~~~
squidsoup
Why not, we already have .coffee .florist and .dating - we should just
enumerate the OED for TLDs.

------
thu
Don't overdo it either. There are plenty of landing pages with non-existing
services, no need for crazy project pages where the projects themselves will
die soon out of interest or are just subpar.

In this specific case, I would prefer resources spent to make the OpenSSL
library itself better instead of the
[https://www.openssl.org/](https://www.openssl.org/) domain better.

That being said I agree with the article and love how
[http://heartbleed.com/](http://heartbleed.com/) was done.

------
Perseids
Talking about marketing: Wouldn't this be a great time for one of the not so
small IT companies to pull off a publicity stunt within the tech community and
donate a few full time developers to improve the openssl codebase?

For example I might not like Facebook, but if they'd actually make such a
contribution to the public good I'd always have to include that counter
argument in my criticism.

Maybe someone here on hackernews might be able to pull some strings?

------
pasbesoin
> _Man, would that have been an easier month if
> we had all been talking about DeserialKiller._

Cereal Thief (I like a bit of whimsy; and as a child, it was _serious_ :-)

Serial Killer (Yeah, drops the "De", but more people will associate with it,
and it's easier to parse and pronounce.)

------
pseut
The one weak point of the landing page is that it didn't indicate who was
_not_ affected. I read to the bottom of the announcement and had to think a
while on whether I had to update my _laptop_ because, hey, this seems like a
serious bug. Granted, I'm nontechnical... but that's kind of the point.

Edit: not sure why this was downvoted, but if it contains an error please add
a comment pointing it out. If you just think it should be lower on the page,
no worries.

------
digismack
Bugs should be named after shitty politicians. Especially those which oppose
or act against net neutrality.

------
orkoden
Apple's GOTO FAIL certainly also had a catchy name.

------
personZ
I'm not sure how big a part the name and branding, per se, played in the wide
reaction to this vulnerability. I would argue that people reacted because they
knew it was incredibly serious, impacting almost every site out there. Further
a lot of the reaction was by security and infrastructure people and
organizations who themselves were impacted and vulnerable, despite every best
practice.

In contrast to OpenSSL, the YAML vulnerability was just a very minor blip of
importance.

------
andy_ppp
Ironic that the blog talking about this is a rather boring looking site that
I've just navigated away from as soon as I got the gist. Not meaning to be
harsh but that's what I did...

~~~
munger
Not really sure how it's possible to hang out on HN and not know who
patio11/Patrick/Kalzumeus is...

~~~
pseut
I've seen people not know who "pg" is, so...

