科技回声 (Tech Echo)

A technology news platform built on Next.js, providing global tech news and discussion content.
© 2025 科技回声. All rights reserved.

What Heartbleed Can Teach The OSS Community About Marketing

362 points, by spatulon, about 11 years ago

23 comments

phillmv, about 11 years ago

Yes, entirely on name, visual identity and first three paragraphs. More like this for serious vulns, please.

Also, what a great name.

The remainder of the page is a loud reminder of the gap between the sec and dev communities, at least as practiced in lolstartupland. Or at least between offence and defence. The second paragraph tells you the sky is falling, and then it takes them 13 questions to tell you which openssl versions are vulnerable.

(Also, I wish the behind-the-scenes action was less messy; why not coordinate with Debian and RedHat patches? Why did Cloudflare get advance notice?)
tetha, about 11 years ago

I'm noticing this at work, too. Give things - even entire contexts - short, pronounceable names.

For example, at our place, "Munin" or recently "Graphite" have been established as the name for our monitoring systems. They describe a system spanning a couple hundred servers, including a handful of different daemons and configurations and, generally, a lot that's going on, so the term is inherently ambiguous and imprecise.

However, I've found that this takes a lot of pressure off the less involved people. They don't need to figure out what to call something precisely and correctly. They have an accepted, not entirely correct term that's precise enough to get the point across: "Munin on Server X broke" is all I need. Similarly, "Is our server X affected by Heartbleed?" might be a silly question because server X is no webserver, but it's easy to answer, because the question is precise enough and just on the right level.
nodata, about 11 years ago

"The Heartbleed announcement ... is masterful communication."

You have to be kidding me. It took so long to decipher what I wanted to know that I went elsewhere.

Edit: "masterful communication" this is not, since the reader doesn't know who the page is aimed at. Even a line at the top saying "Technical people go _here_", and then something aimed at technical people, would be better.
keithpeter, about 11 years ago

UK Offtopic: kalzumeus.com is being blocked under the category 'gambling' for me by the TalkTalk HomeSafe filter. First time I've _seen_ the filter. My ADSL over copper connection is provided by EE.

https://dl.dropboxusercontent.com/u/8403291/talktalk-blocking-bingo-card-creator.jpg

I can't change the settings as I am not a TalkTalk customer (to my knowledge; my connection has remained functional despite mergers: Freeserve -> Wanadoo -> Orange -> EE). I certainly don't have a 10 digit customer reference and my account email is 'unknown' to the filter.

Cameron's cyber-nanny can be circumvented for eminently respectable domains such as this by judicious use of ?oo?le Cache, of course.

Anyone else from the UK with _default_ filter settings seeing this? I'm about to write to my M.P. and some wider data points would be helpful.

I have used the 'report' button: perhaps they will unblock the domain when they realise it is about Bingo.
bhousel, about 11 years ago

Maybe MITRE should assign proper names to serious CVEs, kind of like hurricanes?
rbanffy, about 11 years ago

"Your bosses / stakeholders / customers / family / etc also cannot immediately understand, on hearing the words “Rails YAML deserialization vulnerability”, that large portions of the Internet nearly died in fire."

I watched my colleagues working around the clock (not as bad as it sounds - we are scattered around the planet for a reason) patching servers, testing and ensuring every hatch is properly shut. I can imagine other teams all over the world and all over the internet doing the same, literally saving our civilization from a threat only a tiny percentage of the population had any idea existed, and an even smaller group has any idea of how it threatened us.
danielweber, about 11 years ago

I remember when the antivirus companies would fight about who gets to name what. Didn't one try to name Slammer "Sapphire" after a stripper an engineer had seen the previous night?

I don't look fondly on those days.
IgorPartola, about 11 years ago

I don't have a problem with making fanfare around the bug, but I cannot help but feel that the Linux and BSD distro maintainers should have been notified before it went public, so that the patches would be available at the same time as the site goes up. Instead, Codenomicon caused them a roughly 16-24 hour delay in releasing patched versions, while doing a poor job of communicating which versions of libssl are vulnerable (1.0.1 a-f were vulnerable, yet most distros use 1.0.1e and they patched that version instead of upgrading to 1.0.1g, making things very confusing).

So while all the marketing has been great for Codenomicon, it caused most sysadmins and distro maintainers more headache than it should have.
rubiquity, about 11 years ago

I can't disagree with this post enough. Security exploitations shouldn't be about marketing. Security exploits should be handled first and then communicated to the public after the fact. The way Heartbleed was handled led to a media firestorm. Other than Codenomicon, who else benefitted from this?

> _Marketing Helps Accomplish Legitimate Goals_

Are you kidding me? The only goal of a security issue should be fixing it and getting everyone else to update to the fix. Heartbleed will be remembered forever because of the BS marketing.

OpenSSL isn't a startup, it's a security library that is used by over half of the internet.
jdubs, about 11 years ago

I just worry that next time a major incident occurs, the author will spend more time working on the design than just announcing the issue.
higherpurpose, about 11 years ago

The first thing I thought about this whole thing when I saw the name was "this is a great name for this bug, and will help ensure everyone hears about it - and panics, which is the goal". I think the logo helped amplify that, so great work by the people who thought this up.
zurn, about 11 years ago

Also, hats off to the heartbleed.com keepers, Codenomicon, for handling this very selflessly - despite this (fuzzing) being their core business and having found the bug itself. They could have made it a "company logo first" marketing campaign.
pmorici, about 11 years ago

Maybe they could start naming them like they name hurricanes, in addition to the CVE number.
larrys, about 11 years ago

Excellent writeup, but as long as the subject is marketing and memorability in names (and in particular domain names), kalzeumus (or is it kalzumeus) isn't the easiest name to remember for a blog or business.

And it lends itself to many typos, which is one of my areas of expertise along with branding. I can't easily tell someone "just go to kal zum e us dot com" like I can "heart bleed" (which, by the way, has a typo that would leak in high volume traffic to "blead" a bit).

Other than that I agree with what Patrick is saying, although I did find the use of "heartbleed" with something also referred to as "heartbeat" (which of course wouldn't be available as a domain name) a bit confusing at first.
bernardom, about 11 years ago

I agree with the principle; the logo even made the NYT, which had at least three stories on Heartbleed.

But: are there enough two-English-word combinations left as viable .com names, much less ones that accurately describe the vulnerability?
thu, about 11 years ago

Don't overdo it either. There are plenty of landing pages with non-existing services; no need for crazy project pages where the projects themselves will soon die out of interest or are just subpar.

In this specific case, I would prefer resources spent to make the OpenSSL library itself better instead of the https://www.openssl.org/ domain better.

That being said, I agree with the article and love how http://heartbleed.com/ was done.
Perseids, about 11 years ago

Talking about marketing: wouldn't this be a great time for one of the not-so-small IT companies to pull off a publicity stunt within the tech community and donate a few full time developers to improve the openssl codebase?

For example, I might not like Facebook, but if they'd actually make such a contribution to the public good I'd always have to include that counter-argument in my criticism.

Maybe someone here on hackernews might be able to pull some strings?
pasbesoin, about 11 years ago

> Man, would that have been an easier month if
> we had all been talking about DeserialKiller.

Cereal Thief (I like a bit of whimsy; and as a child, it was _serious_ :-)

Serial Killer (Yeah, drops the "De", but more people will associate with it, and it's easier to parse and pronounce.)
pseut, about 11 years ago

The one weak point of the landing page is that it didn't indicate who was _not_ affected. I read to the bottom of the announcement and had to think a while on whether I had to update my _laptop_ because, hey, this seems like a serious bug. Granted, I'm nontechnical... but that's kind of the point.

Edit: not sure why this was downvoted, but if it contains an error please add a comment pointing it out. If you just think it should be lower on the page, no worries.
digismack, about 11 years ago

Bugs should be named after shitty politicians. Especially those who oppose or act against net neutrality.
orkoden, about 11 years ago

Apple's GOTO FAIL certainly also had a catchy name.
personZ, about 11 years ago

I'm not sure how big a part the name and branding, per se, played in the wide reaction to this vulnerability. I would argue that people reacted because they knew it was incredibly serious, impacting almost every site out there. Further, a lot of the reaction was by security and infrastructure people and organizations who themselves were impacted and vulnerable, despite every best practice.

In contrast to OpenSSL, the YAML vulnerability was just a very minor blip of importance.
andy_ppp, about 11 years ago

Ironic that the blog talking about this is a rather boring-looking site that I've just navigated away from as soon as I got the gist. Not meaning to be harsh, but that's what I did...