Cisco Vulnerability - 😾😾😾 (Thrangrycat)

Infosec_SamInfosec_Sam Security+, CCENT, ITIL Foundation, A+Madison, WIPosts: 360Admin Admin
So, Cisco was hit with a pretty big vulnerability this week, dubbed "ThrAngryCat." It's a secure boot bypass vulnerability that affects millions of Cisco devices around the world. According to thrangrycat.com, "by chaining the 😾😾😾 and remote command injection vulnerabilities, an attacker can remotely and persistently bypass Cisco’s secure boot mechanism and lock out all future software updates to the TAm." Since these flaws exist within the hardware design, we're probably not going to see a software patch that completely resolves the vulnerability.

Yeah, the vulnerability is a pretty big deal, but can we discuss the use of emojis in vulnerability names real quick? The thrangrycat website justifies their reasoning as follows:

"We chose to communicate 😾😾😾 through a visual representation of symbols, rather than “words.” Naming vulnerabilities using emoji sequences instead of other pronounceable natural languages have several advantages. First, emoji sequences are universally understood across nearly all natural languages. Choosing 😾😾😾 instead of a name rooted in any one language ensures that the technical contents of our research can be discussed democratically and without latent cultural or linguistic bias. Second, emojis are indexical to the digital age. Third, clear communication is the foundation of friendship, and such a foundation must begin with proper ontological agreement. Just as the universal language of mathematics is largely expressed through interlinguistic symbology, so too is 😾😾😾."

Do you think there's any validity to that, or should we keep using names like Spectre/Meltdown/WannaCry to describe vulnerabilities and attacks? I think they make a pretty convincing case as to why we would use symbols instead of English words - what do you think?

Full Article Here »
Thrangrycat Website Here »
Community Manager at Infosec!
Who we are | What we do

Comments

  • PC509PC509 CISSP, CEH, CCNA: Security/CyberOps, Sec+, CHFI, A+, Proj+, Server+, MCITP Win7, Vista, MCP Server 2 Oregon, USPosts: 771Member ■■■■■□□□□□
    edited May 14
    Personally, I don't like the idea of emojis. We know it's ThrAngryCat because they use that as well. Without that reference, it would have a dozen possible way to decipher it. What would you call it with zero context? ThreeCats? CatsEmoji? Something more illicit? NaughtyP...?

    It may not be language specific, but we don't have a reference for those emoji names. Without knowing ThrAngryCat, would you have been able to come up with that name? 
  • Infosec_SamInfosec_Sam Security+, CCENT, ITIL Foundation, A+ Madison, WIPosts: 360Admin Admin
    PC509 said:
    Personally, I don't like the idea of emojis. We know it's ThrAngryCat because they use that as well. Without that reference, it would have a dozen possible way to decipher it. What would you call it with zero context? ThreeCats? CatsEmoji? Something more illicit? NaughtyP...?

    It may not be language specific, but we don't have a reference for those emoji names. Without knowing ThrAngryCat, would you have been able to come up with that name? 
    I see where you're coming from, and that's a good point. Do you think we could say the same about something like WannaCry? Without knowing it's a ransomware attack, we would just have to speculate as to what it means.

    I think my big hangup with using emojis is the difficulty to remember what attack they actually are. Like in the future if we have multiple emoji vulnerabilities, we would have to remember the difference between three angry cats and two surprised dogs, or something like that. I suppose WannaCry is actually a pretty good example of a memorable yet descriptive name for the encryption attack.
    Community Manager at Infosec!
    Who we are | What we do
  • clarsonclarson ■■■■□□□□□□ Posts: 897Member ■■■■□□□□□□
    and cisco's cli only comes in English.  So, while the emojis probably enhances its ability to inform people in multiple languages, it is only people that can read english that work on cisco equipment.  Therefore, I'm of the opinion that using the emojis only confuses the delivery of the message to the community most effected by it.  And, is only being used to enhance its branding.

    But, if it is found out that other hardware in multiple nations that use multiple languages, then a common terminology would be useful.  but, mathematics (and its subsets, chemistry, nuclear physics, etc) is the most universal of all languages.  Do we really need a universal symbol to represent a security vulnerability?  Fifty years from now is anyone other than historians going to care what the three cat emoji meant.  I'm sure that over time the three cat emoji will mean something else, with a security vulnerability being way down the list of possible meanings.

    Also, emojis are an iconic/picture language created to say more with fewer characters then the written language, ie, one picture is worth a thousand words.  But, what are the thousand words associated with 3 cats?  its historically significance, how it works, how to recognize it, how to defend against it, etc.?  I think your message is more precise when delivered via the written language.  May take more time to read, but your point is made.

    with there being 1800 emojis, how does anyone know them all.  And, including all the subsets of emojis created by branding.  Emoji is the fastest growing language, but does anyone know more than or use more than a 1000 emojis combinations.  emojis might be an exploding language, but it is understood by few.
  • shochanshochan Senior Member Posts: 866Member ■■■■■■□□□□
    2019 goals -> CySA+ (b4 end of 2019)
    "It's not good when it's done, it's done when it's good" ~ Danny Carey
Sign In or Register to comment.