regarding the recent Markoff NYT article on NFS weaknesses, I agree it seemed to be overblown. but in fact I have been getting that feeling from *all* the recent articles on the netscape bugs etc (egad, am I mistaken, or was there front page NYT coverage for a *buffer overflow*? at least there was for a single *poorly generated random seed*!!). for example, in another, the fact that netscape had a buffer overflow in URLs was translated by a reporter into "a similar bug was used by Robert Morris in the infamous worm that infected the entire internet a few years ago" or something similar.

it seems to me what is lacking in all this is a *security spectrum*. unfortunately security experts sometimes have a tendency to equate *any* security weakness with a catastrophic one. while this is a good approach in general, i.e. to be as conservative as possible, in practice there can be no doubt that some security weaknesses are far less severe than others. if the security *experts* conflate the issue of the *severity* of a security breach (and I see this happening all the time on this list), there is little surprise that reporters aren't figuring it out either. some of the really obvious examples of the kinds of differences in security that are being conflated: client vs. server problems (server problems are far worse of course; the netscape bugs were mostly *client* problems), subnet vs. overall network problems, bugs that allow people to merely crash a system vs. submit arbitrary code, etc.

to aid this serious problem, I propose the creation of a UNIFIED SECURITY SPECTRUM RANKING. this would be a list of all the different types of security weaknesses a system can have, and their LEVEL OF SEVERITY. it would attempt to rank every type of security breach possible. then, when a new security weakness is discovered, it could be ranked A1 or B5 or C6 or whatever.
this would be a sort of technological "richter scale" that would allow the novice to immediately understand that a given bug that was recently discovered (say, the recent netscape bugs) was, say, not really as potentially severe as the Morris worm. a press article might say something like, "the recent netscape bug was ranked a B5 on the security scale by experts. this means that an unauthorized intruder could break client software. the bug could potentially be as serious as A3, meaning that arbitrary code could be submitted. the other bug was classed B3, because it allows the detector to grab unauthorized data, but still be detected in doing so." etc!!

I think it is pretty obvious how much of a positive effect this could have in quantifying and tracking and publicizing new bugs. it might make it impossible for a reporter to give an improperly alarmist position. for example, no one would take seriously an article that gets excited about a 3.6 richter scale earthquake. similarly, the reader might be able to draw his own conclusions if we came up with a sufficiently universal scale and it is widely used in articles. furthermore, this scale would tend to help the reporter/editor immediately know if a given bug report is newsworthy (if they continue to enthusiastically report bugs, although I wonder if this is a fad that may die out). and ultimately it might really help the issue of "proper attention to bugs". the public is getting a scare story for almost every new bug, and this is just not appropriate. to use my tired analogy, it is like the media putting every dinky earthquake item on page 1.

another idea behind the rating: it might be a sort of matrix format, such as "a-6-alpha" where each of the elements indicates some kind of independent factor. for example the "a" might mean "client side", the "6" might mean "crash only", the "alpha" might mean "breach cannot be detected after the fact".
however it shouldn't be so complicated that the novice can't immediately determine which of two rankings is more severe. now, I am really rather surprised that no such scale appears to exist currently. I highly suspect the NSA probably has a system for this but unfortunately it is not being used by CERT or anyone else that I know of. if anyone does know of this kind of "security spectrum", I think our cause of trying to improve software security would be furthered immensely if whenever reporters call about bugs, the scale factor could be consistently and uniformly used in association with trying to describe the severity of the bug.

I am willing to work on a beta version of this "security spectrum" if there is sufficient interest. it certainly seems like a far better and worthwhile investment of time than, say, "the geek code", the latter of which is already highly developed!! I don't really consider myself the best qualified in terms of experience but sometimes if you want something done, you have to do it yourself. however, if we do this, I hope that a good scale that is pretty general and doesn't need extensions can be done from the start, before its widespread usage, so that later changes do not confuse users. there is already confusion in the media about two slightly different richter scales; this is a pity.

another neat perq: if the cypherpunks come up with a good scale, it could be a tremendous positive publicity tool. "today experts discovered a bug in -x- that rated a -y- on the CSSS (Cypherpunk Security Spectrum Scale)".

generally, regarding cypherpunk priorities, I think the "media can be made our friend", but we just have to learn how to be more meticulous and careful in our interactions with them. in general I don't really think a lot of the misreporting going on is the fault of the reporters involved.
it's not surprising they get their stories mixed up, when, IMHO, even the "experts" they quote aren't particularly polished and don't really have their act fully together (or at least, tend to misrepresent the problems from the beginning).

(most of the last Markoff article imho can just be chalked up to, "two prestigious graduate students who discovered something significant recently wrote a message warning about another significant security problem." it shows how absolutely critical it is to be careful what you say once you have built up a bit of a reputation. these two grad students are now being watched as the Chicken Littles of Cyberspace by the media, unfairly or not. be careful about wishing for fame, or anything else!! you might get it!! makes me a bit nervous about causes *I* have promoted in the distant past.)

--Vlad Nuri
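As an added illustration of the "a-6-alpha" matrix rating sketched in the post above (this is example code written for this page, not anything the poster or the cypherpunks list produced), the block below encodes a rating as three independent factors, checks that a rating string is well formed, and gives the factors an explicit precedence so that any two ratings can be compared. The factor names, the codes (`a`/`b`/`c`, `6`/`4`/`1`, `alpha`/`beta`), their labels and their weights are all constructed for this example and are not a real standard; the post only fixes the meaning of `a`, `6` and `alpha`. The point the code makes is that a vector notation alone does not tell a novice which of two ratings is worse: the scale needs a stated precedence among its factors, and a single "richter" number can then be derived that preserves that ordering.

```python
# Added example (not from the original post): a toy implementation of the
# "a-6-alpha" style severity vector the post sketches. Every code, label and
# weight below is constructed for illustration and is not a real standard.
import re
from typing import Optional, Tuple

# Each factor is independent. Codes map to (label, weight); larger weight = worse.
# The order of FACTORS is the precedence used when two ratings are compared:
# impact first, then exposure, then detectability. (Assumed precedence.)
FACTORS = (
    ("impact", {
        "6": ("crash only (denial of service)", 1),
        "4": ("unauthorized data can be read", 2),
        "1": ("arbitrary code can be submitted", 3),
    }),
    ("exposure", {
        "a": ("client side", 1),
        "b": ("single subnet", 2),
        "c": ("server / whole network", 3),
    }),
    ("detect", {
        "beta": ("breach is detectable after the fact", 1),
        "alpha": ("breach cannot be detected after the fact", 2),
    }),
)

# Written form keeps the post's order exposure-impact-detect, e.g. "a-6-alpha".
VECTOR_RE = re.compile(r"^([a-c])-([146])-(alpha|beta)$")


class Rating:
    """One severity vector, parsed and validated against the factor tables."""

    def __init__(self, exposure: str, impact: str, detect: str) -> None:
        self.codes = {"exposure": exposure, "impact": impact, "detect": detect}

    @classmethod
    def parse(cls, text: str) -> "Rating":
        # Reject anything that is not exactly three known codes; a scale that
        # accepts malformed vectors cannot be compared reliably.
        m = VECTOR_RE.match(text.strip().lower())
        if not m:
            raise ValueError(f"malformed severity vector: {text!r}")
        return cls(exposure=m.group(1), impact=m.group(2), detect=m.group(3))

    def weights(self) -> Tuple[int, ...]:
        """Factor weights in precedence order (impact, exposure, detect)."""
        return tuple(table[self.codes[name]][1] for name, table in FACTORS)

    def score(self) -> int:
        """Single number that preserves the precedence order of weights().

        Mixed-radix (Horner) encoding: each factor's digit is (weight - 1) and
        its radix is that factor's largest weight, so comparing two scores
        gives the same answer as comparing the weight tuples lexicographically.
        Range here is 0 (a-6-beta) to 17 (c-1-alpha).
        """
        total = 0
        for (_, table), w in zip(FACTORS, self.weights()):
            radix = max(weight for _, weight in table.values())
            total = total * radix + (w - 1)
        return total

    def describe(self) -> str:
        """Plain-language reading of the vector, most important factor first."""
        return "; ".join(table[self.codes[name]][0] for name, table in FACTORS)


def more_severe(a: str, b: str) -> Optional[str]:
    """Return whichever of two vector strings is more severe, or None on a tie."""
    ra, rb = Rating.parse(a), Rating.parse(b)
    if ra.weights() == rb.weights():
        return None
    return a if ra.weights() > rb.weights() else b


if __name__ == "__main__":
    for v in ("a-6-alpha", "b-4-alpha", "a-1-beta", "c-1-beta"):
        r = Rating.parse(v)
        print(f"{v:10} score={r.score():2}  {r.describe()}")
    print("more severe:", more_severe("a-6-alpha", "c-1-beta"))
```

Under the assumed precedence, a client-side crash that is undetectable afterwards (`a-6-alpha`) still ranks below a detectable arbitrary-code bug on a single client (`a-1-beta`), which is the kind of judgement the post wants a reader to be able to make at a glance; changing the order of `FACTORS` changes every such answer, which is why the precedence has to be fixed before the scale is published.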