CPE telephone conference

I would like to host a telephone conference focused on the Microsoft
Windows names.  In an effort to move this discussion along and attempt
to put this to bed, are people available tomorrow (wed) at 11AM eastern
for this?  Please let me know off-line about your availability.  If too
many people can not make this time, I will reschedule for a different
day.

I will forward the exact date/time, along with call details before the
end of today.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

I'll be on a flight, but I'll reply to the list with my thoughts.

--------------------------
Sheldon Malm
Director
Security Research and Development
nCircle VERT

Sent from my BlackBerry Wireless Handheld


----- Original Message -----
From: Buttner, Drew <[hidden email]>
To: [hidden email] <[hidden email]>
Sent: Tue Oct 02 07:51:56 2007
Subject: [CPE-DISCUSSION-LIST] CPE telephone conference

I would like to host a telephone conference focused on the Microsoft
Windows names.  In an effort to move this discussion along and attempt
to put this to bed, are people available tomorrow (wed) at 11AM eastern
for this?  Please let me know off-line about your availability.  If too
many people can not make this time, I will reschedule for a different
day.

I will forward the exact date/time, along with call details before the
end of today.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

It turns out that noon (eastern time) tomorrow works best for everyone.
The agenda for this call is to talk about the CPE Name used for
Microsoft Windows operating systems.  Please read up on the thread
before the call.  I have included dial-in information below.

Date/Time:  October 03, 2007 at 12:00 PM America/New_York
Length:     60  (minutes)
Frequency:  once

Meeting ID: 1876
Meeting Password:

Phone Number: 703-983-6338 in Washington, DC
              781-271-6338 in Bedford, MA
              866-648-7367 Toll Free (866-MITRE-MP)

NOTE - Toll Free number is for North America callers only.  Other
countries must dial either the Washington or Bedford numbers to attend.

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Drew - unfortunately I will be unable to make it, but Dave Waltermire
will be on the call and will brief me on the results.

Thanks,
Doug

-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Tuesday, October 02, 2007 10:52 AM
To: [hidden email]
Subject: [CPE-DISCUSSION-LIST] CPE telephone conference

I would like to host a telephone conference focused on the Microsoft
Windows names.  In an effort to move this discussion along and attempt
to put this to bed, are people available tomorrow (wed) at 11AM eastern
for this?  Please let me know off-line about your availability.  If too
many people can not make this time, I will reschedule for a different
day.

I will forward the exact date/time, along with call details before the
end of today.

Thanks
Drew

---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Drew,

I would like to join the phone call tomorrow, can I assume the call is open to folks such as myself, recently discovered the CPE discussion list, and catching up on the threads? I did not see a password for the call, is one necessary? If so, can you please forward?

I have an Open Source perspective, and for me the naming & enumeration issues for Microsoft Windows pale in comparison. I understand the need to keep tomorrow's meeting focused, however a solution with larger scope may solve issues for Open Source too.

I look forward to a good discussion.

-Paul

--
Paul Whyman
[hidden email]
970.898.1101
Open Source Review Board (OSRB)
Open Source & Linux Organization R&D (OSLO)
Hewlett Packard Company
3404 East Harmony Road
Fort Collins, Colorado 80528

In prep for today's telcon I pulled the MS names from the asset tools I have
laying around in the DoD.  Here are three -- The AVTR OS Names list has the
Microsoft Names from the Army's "Asset and Vulnerability Tracking Resource"
-- Basically a patching compliance database; from the Remedy BMC Atrium CMDB
enumerations; and from our Joint CERT Database list of OS names.

I'll try to share the names used in VMS prior to noon.

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office

NSA/I71
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700


-----Original Message-----
From: Whyman, Paul Arthur [mailto:[hidden email]]
Sent: Tuesday, October 02, 2007 5:26 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE telephone conference


Drew,

I would like to join the phone call tomorrow, can I assume the call is open
to folks such as myself, recently discovered the CPE discussion list, and
catching up on the threads? I did not see a password for the call, is one
necessary? If so, can you please forward?

I have an Open Source perspective, and for me the naming & enumeration
issues for Microsoft Windows pale in comparison. I understand the need to
keep tomorrow's meeting focused, however a solution with larger scope may
solve issues for Open Source too.

I look forward to a good discussion.

-Paul

--
Paul Whyman
[hidden email]
970.898.1101
Open Source Review Board (OSRB)
Open Source & Linux Organization R&D (OSLO)
Hewlett Packard Company
3404 East Harmony Road
Fort Collins, Colorado 80528

>I would like to join the phone call tomorrow, can I assume the
>call is open to folks such as myself,

Absolutely!


>recently discovered the CPE discussion list

Welcome


>and catching up on the threads? I did not
>see a password for the call, is one necessary?

A password is not needed.


>I have an Open Source perspective, and for me the naming &
>enumeration issues for Microsoft Windows pale in comparison. I
>understand the need to keep tomorrow's meeting focused,
>however a solution with larger scope may solve issues for Open
>Source too.

I am excited to hear your views and your perspective will definitely
help augment the discussion.  Once you get caught up and have
formulated opinions about the bigger picture, maybe the best thing to
do would be to start a discussion thread.  We do want to keep the
telephone call focused, but we would love to hear your opinions.

Thanks
Drew

Thank you to all that attended the telephone call today.  I think we
got a lot accomplished and hopefully we can build off the conversation.
I have tried to capture a few of the major points that were discussed.


Attendees
------------
David Lamire - A&N Associates
Gary Newman - Belarc
Jim Ronayne - DOD
Niel Ziring - DOD
Joe Wolfkiel - DOD
Shane Shaffer - G2
Paul Whyman - HP
Ken Lassessen - Lumension
Kent Landfield - McAfee
Monty Ijzerman - McAfee
Andrew Buttner - MITRE
Steve Boczenowski - MITRE
Matthew Wojcik - MITRE
Jon Baker - MITRE
Jay Graver - nCircle
Tim Keanini - nCircle
Gary Gapinski - NASA
David Waltermire - NIST
John Banghart - NIST
Scott Carpenter - Secure Elements
Ben Greenbaum - Symantec
Vladimire Giszpenc - US Army
Ralph Lowenthal - US Army



Notes
------------

- One of the main concerns is that it is not possible to arrive at the
"windows-nt" product component based on the guidelines outlined in the
CPE Specification.  The only guidance given by the specification is to
replace spaces with underscores.

- CPE Matching is useful during the remediation process.  This is not a
requirement that we can remove.

- The above two statements brings us to the root of our problem, we are
trying to solve two different things:  1) create CPE Names that follow
the prefix property 2) develop a specification that allows CPE Names to
be created in a defined way.

- It was noted that although changes to the specification would require
a new version to be released, changes to the CPE Names in the CPE
Dictionary can be done easily by deprecating existing names.

- It was pointed out that as a community, the most important thing for
us to do is pick a naming convention and stick to it.  We all know that
it won't be perfect, but the benefits of us all using the same names
will outweigh any deficiencies.

- We need to be cognizant of 3rd party tools and how the specification
relates to them.  Specifically, we need to support alias names
somewhere so that adoption of CPE can be done over time.  It was noted
that it is probably better for individual tools to keep a mapping of
their names to CPE Names instead of having CPE maintain a mapping
between CPE and every tool on the market.

- We need to continue to ask for vendor help as they can help solve
most of the naming issues that we have.  The CPE Dictionary is being
set up to allow vendors to have control over their CPE Names.

- In the case of Microsoft Windows, we are having trouble since the
name the general public associates with the product actually contains
version information.  In one sense we want to support matching between
CPE Names and on the other we want CPE Names to be recognizable to
users.  It seems like we can't have both.



Conclusion
-------------

The call did a great job of reminding us that there is still a lot of
work to be done with CPE.  There are many issues that need to be
solved.  One of these issues just needs to be settled so we can move
on.  Since we have not secured Microsoft's help in defining the CPE
Name for their operating systems, the community needs to take a vote
regarding how to move forward.  A separate email will be sent out with
details and instructions about this vote.



---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

Thanks Drew.  Sorry I was in the air and not available for the call, but I will definitely participate in the vote.  I'm confident that Jay and TK represented my views in the call.

--------------------------
Sheldon Malm
Director
Security Research and Development
nCircle VERT

Sent from my BlackBerry Wireless Handheld


----- Original Message -----
From: Buttner, Drew <[hidden email]>
To: [hidden email] <[hidden email]>
Sent: Wed Oct 03 11:22:42 2007
Subject: Re: [CPE-DISCUSSION-LIST] CPE telephone conference

Thank you to all that attended the telephone call today.  I think we
got a lot accomplished and hopefully we can build off the conversation.
I have tried to capture a few of the major points that were discussed.


Attendees
------------
David Lamire - A&N Associates
Gary Newman - Belarc
Jim Ronayne - DOD
Niel Ziring - DOD
Joe Wolfkiel - DOD
Shane Shaffer - G2
Paul Whyman - HP
Ken Lassessen - Lumension
Kent Landfield - McAfee
Monty Ijzerman - McAfee
Andrew Buttner - MITRE
Steve Boczenowski - MITRE
Matthew Wojcik - MITRE
Jon Baker - MITRE
Jay Graver - nCircle
Tim Keanini - nCircle
Gary Gapinski - NASA
David Waltermire - NIST
John Banghart - NIST
Scott Carpenter - Secure Elements
Ben Greenbaum - Symantec
Vladimire Giszpenc - US Army
Ralph Lowenthal - US Army



Notes
------------

- One of the main concerns is that it is not possible to arrive at the
"windows-nt" product component based on the guidelines outlined in the
CPE Specification.  The only guidance given by the specification is to
replace spaces with underscores.

- CPE Matching is useful during the remediation process.  This is not a
requirement that we can remove.

- The above two statements brings us to the root of our problem, we are
trying to solve two different things:  1) create CPE Names that follow
the prefix property 2) develop a specification that allows CPE Names to
be created in a defined way.

- It was noted that although changes to the specification would require
a new version to be released, changes to the CPE Names in the CPE
Dictionary can be done easily by deprecating existing names.

- It was pointed out that as a community, the most important thing for
us to do is pick a naming convention and stick to it.  We all know that
it won't be perfect, but the benefits of us all using the same names
will outweigh any deficiencies.

- We need to be cognizant of 3rd party tools and how the specification
relates to them.  Specifically, we need to support alias names
somewhere so that adoption of CPE can be done over time.  It was noted
that it is probably better for individual tools to keep a mapping of
their names to CPE Names instead of having CPE maintain a mapping
between CPE and every tool on the market.

- We need to continue to ask for vendor help as they can help solve
most of the naming issues that we have.  The CPE Dictionary is being
set up to allow vendors to have control over their CPE Names.

- In the case of Microsoft Windows, we are having trouble since the
name the general public associates with the product actually contains
version information.  In one sense we want to support matching between
CPE Names and on the other we want CPE Names to be recognizable to
users.  It seems like we can't have both.



Conclusion
-------------

The call did a great job of reminding us that there is still a lot of
work to be done with CPE.  There are many issues that need to be
solved.  One of these issues just needs to be settled so we can move
on.  Since we have not secured Microsoft's help in defining the CPE
Name for their operating systems, the community needs to take a vote
regarding how to move forward.  A separate email will be sent out with
details and instructions about this vote.



---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515

The only item I disagree with in this summary is the conclusion about
aliases.  I think we really need to have a discussion on the value of having
a community maintained, wiki-like, alias list where vendors, content
producers, and users can go to post and cross-reference different text
strings used to identify the same software objects.

I think there is a great deal of value to having a community forum where
different people can post and discover that "windows XP" and "Windows NT
Workstation Version 5.1" and "[however you spell XP in chinese]" and "winXP"
and "OVAL object X" ...  are all the same thing as well as where these
objects are identified that way.  If NIST doesn't choose to host one for
community use, I think the DoD will have to stand up a separate one anyway.

Lt Col Joseph L. Wolfkiel

Director, Computer Network Defense Research & Technology (CND R&T) Program
Management Office

NSA/I71
9800 Savage Rd Ste 6767
Ft Meade, MD 20755-6767
Commercial 410-854-5401 DSN 244-5401
Fax 410-854-6700


-----Original Message-----
From: Buttner, Drew [mailto:[hidden email]]
Sent: Wednesday, October 03, 2007 2:23 PM
To: [hidden email]
Subject: Re: [CPE-DISCUSSION-LIST] CPE telephone conference


Thank you to all that attended the telephone call today.  I think we
got a lot accomplished and hopefully we can build off the conversation.
I have tried to capture a few of the major points that were discussed.


Attendees
------------
David Lamire - A&N Associates
Gary Newman - Belarc
Jim Ronayne - DOD
Niel Ziring - DOD
Joe Wolfkiel - DOD
Shane Shaffer - G2
Paul Whyman - HP
Ken Lassessen - Lumension
Kent Landfield - McAfee
Monty Ijzerman - McAfee
Andrew Buttner - MITRE
Steve Boczenowski - MITRE
Matthew Wojcik - MITRE
Jon Baker - MITRE
Jay Graver - nCircle
Tim Keanini - nCircle
Gary Gapinski - NASA
David Waltermire - NIST
John Banghart - NIST
Scott Carpenter - Secure Elements
Ben Greenbaum - Symantec
Vladimire Giszpenc - US Army
Ralph Lowenthal - US Army



Notes
------------

- One of the main concerns is that it is not possible to arrive at the
"windows-nt" product component based on the guidelines outlined in the
CPE Specification.  The only guidance given by the specification is to
replace spaces with underscores.

- CPE Matching is useful during the remediation process.  This is not a
requirement that we can remove.

- The above two statements brings us to the root of our problem, we are
trying to solve two different things:  1) create CPE Names that follow
the prefix property 2) develop a specification that allows CPE Names to
be created in a defined way.

- It was noted that although changes to the specification would require
a new version to be released, changes to the CPE Names in the CPE
Dictionary can be done easily by deprecating existing names.

- It was pointed out that as a community, the most important thing for
us to do is pick a naming convention and stick to it.  We all know that
it won't be perfect, but the benefits of us all using the same names
will outweigh any deficiencies.

- We need to be cognizant of 3rd party tools and how the specification
relates to them.  Specifically, we need to support alias names
somewhere so that adoption of CPE can be done over time.  It was noted
that it is probably better for individual tools to keep a mapping of
their names to CPE Names instead of having CPE maintain a mapping
between CPE and every tool on the market.

- We need to continue to ask for vendor help as they can help solve
most of the naming issues that we have.  The CPE Dictionary is being
set up to allow vendors to have control over their CPE Names.

- In the case of Microsoft Windows, we are having trouble since the
name the general public associates with the product actually contains
version information.  In one sense we want to support matching between
CPE Names and on the other we want CPE Names to be recognizable to
users.  It seems like we can't have both.



Conclusion
-------------

The call did a great job of reminding us that there is still a lot of
work to be done with CPE.  There are many issues that need to be
solved.  One of these issues just needs to be settled so we can move
on.  Since we have not secured Microsoft's help in defining the CPE
Name for their operating systems, the community needs to take a vote
regarding how to move forward.  A separate email will be sent out with
details and instructions about this vote.



---------

Andrew Buttner
The MITRE Corporation
[hidden email]
781-271-3515