The Name is the Thing!


Some films age well.


An example is the classic The Day the Earth Stood Still, which was fairly successful when it was originally released in 1951, and has steadily gained in popularity over the years. (I will refrain from comment on the 2008 remake of this film, except to say that they tried...) I’ve seen it a number of times, and it’s a wonderful film – even the special effects seem plausible (though simple by modern standards), and they don’t “take you out” of the story. And, of course, it included the immortal line “Klaatu Barada Nikto”, which was made even more memorable by its inclusion in Army of Darkness.

The Thing was a great film. Though it was not really appreciated when it was released, it has gained a cult following over the years. It is quite an interesting look at the psychology of fear, how people behave in isolation, and how truly different an alien species might be. Sadly, though, it did not age well – at least in terms of the special effects. On re-watching a few months ago, the special effects seemed dreadfully dated and cheesy – they inspired laughter, rather than fear. It really changed my experience in watching the film.

These two films are immediately recognizable, and I found that just thinking about the names carried a lot of associations. I’ve commented on the importance of names before, and it made me think a bit about the way the security industry names things.

Take threat actors as an example. Different groups categorize threat actors in different ways, and use different criteria for grouping them. CrowdStrike, as an example, generally uses animal names, and associates them with nation-states – bears for Russia, pandas for China, kittens for Iran, and so on. In contrast, Mandiant generally uses an “APT” (Advanced Persistent Threat) number, while Microsoft generally uses “metal” names.

So, the threat actor Fancy Bear (thought to be associated with Russian military intelligence) is also known as “APT28” and “STRONTIUM”, along with a number of other names. Do these names all refer to the same group? Possibly, in some cases, but maybe not, as different researchers have access to different types of information. A standard may emerge at some point, but until then researchers will use their own names initially, and mappings will be determined later. As in the case of APT28, someone will usually eventually rationalize the overlapping names.

And then we come to vulnerabilities, which can be both more and less complicated. Less complicated in one way, as they will generally be associated with a CVE (Common Vulnerabilities and Exposures) number, but more complicated in that some will have (theoretically) memorable names associated with them.

Most will not remember something like CVE-2021-44228, so researchers, journalists, marketers, or others will often try to come up with a name for a “famous” vulnerability. “Log4Shell” is much more memorable, though not necessarily so technically precise. And then you have attempts to find a better way, such as the Vulnonym Twitter Bot, which selected “Stolen Bustard” as a name for Log4Shell.


The idea, as I understand it, was to avoid unnecessary FUD (Fear, Uncertainty, Doubt) where people come up with menacing-sounding names such as “Heartbleed”, “Meltdown”, or “Spectre”, by providing neutral names. It really did not go well. When I heard about this, most people were either annoyed that people were trying to impose names, or laughing at the silliness of some of the names. In fact, it appears that the industry has largely ignored these proposed names, except to note them from time to time as a joke. In the case of Log4Shell, I only learned that the “official” name was “Stolen Bustard” when I went searching for it – everyone is calling it “Log4Shell” or “Log4j” depending on their familiarity with the details of the vulnerability.

Maybe there’s a better way, but it doesn’t appear as if we’ve found it yet.

Cheers!
