

Subject: Re: [cti-stix] Kill Chains in STIX


I highly encourage everyone to read the link I just sent on Turkish on why "lower case everything" is not a panacea to compare strings. It actually does not help.. it makes problems worse.

-
Jason Keirstead
STSM, Product Architect, Security Intelligence, IBM Security Systems
www.ibm.com/security | www.securityintelligence.com

Without data, all you are is just another person with an opinion - Unknown



From: "Jordan, Bret" <bret.jordan@bluecoat.com>
To: Mark Davidson <mdavidson@soltra.com>
Cc: Allan Thomson <athomson@lookingglasscyber.com>, John-Mark Gurney <jmg@newcontext.com>, Jason Keirstead/CanEast/IBM@IBMCA, "Wunder, John A." <jwunder@mitre.org>, Terry MacDonald <terry.macdonald@cosive.com>, "Piazza, Rich" <rpiazza@mitre.org>, "cti-stix@lists.oasis-open.org" <cti-stix@lists.oasis-open.org>, "Ted Bedwell (tebedwel)" <tebedwel@cisco.com>, "Katz, Gary CTR DC3/DCCI" <Gary.Katz.ctr@dc3.mil>
Date: 06/08/2016 03:41 PM
Subject: Re: [cti-stix] Kill Chains in STIX





I had this discussion today, and sometimes I think people believe that STIX is a product.  It is not.  STIX is there to make sure two products developed by two different groups can share threat intelligence.  

For this specific example I think everything over the wire should be lower-case for these properties.  There is no need for anything else.  If a product wants to display it in camel case they can.  

Bret

Sent from my Commodore 64

> On Jun 8, 2016, at 2:14 PM, Mark Davidson <mdavidson@soltra.com> wrote:
>
> Agreed. A product could just store the .lower() of whatever the user entered, and optionally keep around a case-sensitive display name if needed. What is displayed to the user and stored in the product’s database is an implementation and/or process detail. What is exchanged over the wire is what will drive interoperability.
>
> I think the more concretely we can specify what is exchanged, the easier interoperability will be.
>
> Thank you.
> -Mark
>
>> On 6/8/16, 1:31 AM, "cti-stix@lists.oasis-open.org on behalf of Jordan, Bret" <cti-stix@lists.oasis-open.org on behalf of bret.jordan@bluecoat.com> wrote:
>>
>> I would greatly prefer that all vocabs are case sensitive and that they MUST be lower-case.  That makes it very simple all the way around.  
>>
>> Bret
>>
>> Sent from my Commodore 64
>>
>>> On Jun 8, 2016, at 1:41 AM, Allan Thomson <athomson@lookingglasscyber.com> wrote:
>>>
>>> I think we are discussing trade-offs that impact products creating or using STIX.
>>>
>>> I personally much prefer lower case for all terms but that’s not the point of deciding case sensitive or not.
>>>
>>> I think you should also consider the users of our products in this.
>>>
>>> A user will not know which case the STIX spec defined the terms in and products that expose these terms in their UI will have to support case insensitive searching/use.
>>>
>>> Users will just type what they think the term is without regard to uppercase, lowercase, camel-case ….etc.
>>>
>>> By making terms case sensitive in the protocol exchange you are forcing products to know what the exact case was used in the spec, and then products will have to know how to map from what users do to the underlying protocol uses.
>>>
>>> For me, not having to care about case sensitivity if a user enters a term of an open vocab in all CAPS when the spec was defined in lowercase then that would be a good thing.
>>>
>>> I also think for open vocabs products will have to support the option to extend the vocab and therefore unless you are careful you could end up with multiple versions of the same term just because the users entered the term using different cases.
>>>
>>> For example, all of the following are clearly the same term:
>>>
>>> THREAT-BLAH
>>> Threat-Blah
>>> threat-blah
>>> threat-Blah
>>> threat-BLAH
>>>
>>> ….etc.
>>>
>>> Allan
>>>
>>>> On 6/7/16, 4:53 PM, "John-Mark Gurney" <jmg@newcontext.com> wrote:
>>>>
>>>> Jason Keirstead wrote this message on Tue, Jun 07, 2016 at 09:04 -0300:
>>>>> I would vastly prefer that the standard declares that vocabularies are
>>>>> case-sensitive. If vocabularies are case-insensitive it is a headache. Note
>>>>> that I am *not* saying that I think that we should mandate that entries all
>>>>> be lower-case - I am saying that we should mandate that the vocabulary is
>>>>> case-sensitive and compares should be done that way.
>>>>
>>>> I agree...  Trying to do case insensitive compares introduces complexities
>>>> that case sensitive does not..  Simple ==/strcmp for most uses...
>>>>
>>>> --
>>>> John-Mark
>>
>
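
An added example, not part of the original thread or of the STIX specification: it shows in Python why "lower-case, then compare" gives different answers depending on whose case rules do the folding, while an exact comparison against a lower-case wire form does not. The vocabulary entries, the ASCII-only pattern and the simulated Turkish mapping are assumptions made for the illustration.

```python
import re

# Constructed vocabulary; "threat-blah" is the placeholder term used in the thread.
VOCAB = frozenset({"threat-blah", "kill-chain-phase"})

# Wire rule discussed in the thread: exact comparison, terms in lower-case.
# Restricting terms to ASCII is an assumption added here to keep the rule locale-free.
WIRE_TERM = re.compile(r"[a-z0-9]+(?:-[a-z0-9]+)*")

# Simulation of Turkish case rules, which differ from the default Unicode mapping:
# 'I' lowers to dotless U+0131 and U+0130 (dotted capital I) lowers to plain 'i'.
_TR_LOWER = str.maketrans({"I": "\u0131", "\u0130": "i"})


def lower_default(s):
    """Locale-independent lower-casing, which is what Python's str.lower() does."""
    return s.lower()


def lower_turkish(s):
    """What a locale-aware lower-casing routine returns under Turkish rules."""
    return s.translate(_TR_LOWER).lower()


def is_valid_wire_term(term):
    """True only for terms already in the lower-case ASCII wire form."""
    return WIRE_TERM.fullmatch(term) is not None


def lookup_exact(term):
    """Case-sensitive lookup: non-conforming input is rejected, never folded."""
    return term if is_valid_wire_term(term) and term in VOCAB else None


def fold_disagreements(terms):
    """Inputs whose lower-cased form depends on the folding rules applied."""
    return [t for t in terms if lower_default(t) != lower_turkish(t)]


if __name__ == "__main__":
    for raw in ["threat-blah", "THREAT-BLAH", "KILL-CHAIN-PHASE", "\u212aill-chain-phase"]:
        print(ascii(raw), "default:", ascii(lower_default(raw)),
              "turkish:", ascii(lower_turkish(raw)), "exact:", lookup_exact(raw))
```

A producer that folds `KILL-CHAIN-PHASE` under Turkish rules emits a term no other consumer will match, and the Kelvin sign (U+212A) variant folds onto a valid term even though it is a different string on the wire; the exact check rejects both instead of guessing.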





