Pet Stores Should Be Subject to Stricter Laws

in the world of pets, there is obviously a wide variety of animals. if i were to break it down into two major types off hand, it would be ‘most pets’ and ‘exotic pets’. some regular pets exhibit many of the same mannerisms as exotics, and they can even share some food, treats, litter and living supplies. most cats and dogs are pretty straightforward, with some being a little more exotic than others. moving into the world of rodentia (and probably reptiles and others that i am less familiar with), it is a different story.

hamsters, mice and other small rodents are more quirky than most people realize. while care is pretty straightforward, taking care of them properly may involve a little more than imagined. forgoing this proper treatment doesn’t jeopardize the animal so most don’t realize it and it works out. guinea pigs, rabbits and some other animals require even more care and just throwing them generic small mammal food isn’t good for them. moving to the truly exotic, like a chinchilla, and improper care for a month or two will kill the animal.

pet stores in shopping malls are notorious for not giving their animals the proper care. small cages, poor ventilation and poor food/water conditions are the tip of the iceberg. fortunately for the stores, many pets get purchased before serious harm can occur and the pets go on to lead a better life. unfortunately for pet stores, people buying pets from them support the store which leads to other animals getting poor treatment and possibly living miserable lives.

pet stores cater to families that aren’t ready to adopt a pet. the local pet shelter and adoption facility (Denver Dumb Friends League) will not adopt a pet to just anyone. they briefly interview you and try to get some assurance that the pet will be given a good home. there is a reason they do this! when you see rabbits in pet stores shortly before easter, most get adopted by little kids who want a rabbit for easter, then promptly lose interest a week later. these rabbits are often out of sight, out of mind, or resold/rehomed without consideration.

today, we saw a female chinchilla at the pet store in FlatIron Crossing. being recently exposed to the world of chinchillas via spudlet, i have a decent bit of knowledge about the little creatures, proper care and what not to do. we both dread seeing a chinchilla in a pet store because they are invariably treated very poorly, usually at serious risk of killing them within months. today was no exception. the cage was big (good), very well lit (bad), had no circulation/ventilation (very bad), a plastic home (very bad to deadly), was too warm (very bad), had decent food (good), sitting water (bad), a dust bath left in there full time (bad) and nothing to chew on, other than the plastic house (deadly). the pet store wanted $249 dollars for the little creature which is cost prohibitive to most people and ensures the chinchilla will live in those bad conditions for a longer time.

when i say “deadly”, it isn’t a joke. chinchillas must have something to chew constantly. pumice stones, pieces of wood (not flavored/treated) and other materials are a good start. if a chinchilla doesn’t chew, their front two teeth keep growing and eventually it will require a vet to file the teeth down. while this sounds annoying but hardly deadly, consider that the teeth don’t only grow down, they grow up, and keep growing up into the base of their skull, into their eyes and eventually their brain. this condition falls under Malocclusion and can happen in months if the chinchilla is not given the proper living environment and things to chew.

so we have a pet store that has a chinchilla living in very bad conditions and priced to the point where most people will not buy it. this is essentially a guarantee that the chinchilla will not live a moderate life and will possibly die in months. the chinchilla was already chewing her own fur, had some form of ear injury and had overly red ears, all signs that the chinchilla is on a quick road downhill. the sad part about this is not only that it is very common, but that a well-bred chinchilla sold by a responsible and knowledgeable breeder goes for less than half the cost of that poor chinchilla.

pet stores should be required to certify before selling a given type of pet. there should be stricter laws that help guarantee exotic pets are not being treated poorly. there should be random inspections of these stores to stop them from housing and selling sick guinea pigs like one of the four this store had. improper care should equate to stiff fines and revocation of the certification, preventing them from selling more.

there is a loose collection of chinchilla owners and breeders that rescue chinchillas being kept in poor conditions, or being given up by people that can’t take care of them. such chinchillas are known as “rescue chins” and often end up in great homes and get the proper care by people who appreciate and know about the exotic creatures. while spudlet has the room to take in a chinchilla or two, we can’t afford to take in every one we see at pet stores like this (and you can’t just take any two chins and make them live together). worse, buying such a rescue chin only motivates the store to keep selling them. failing rescue, we did purchase three huge chew sticks (that should last for months) and get permission to give them to the little chinchilla. it should be enough to keep her teeth in better shape until someone can adopt her. hopefully, it is someone that has read up on chinchillas as they are excellent pets; high maintenance, not cheap but very much worth it.

like, man, know what i’m sayin?!

There are certain social oddities that have been around for a while. One of them is the prevalent use of certain phrases, often with ridiculous frequency. For the last few years, many friends and I noticed and commented on it. Just a few days ago, Kay and I were at the local Panera Bread listening to a lady (early 20’s) talk to someone and use “like” in every sentence. Watching episodes of COPS from the very early 90’s reminded me this trend went way back, just with different social/racial circles. Add in a dash of booze and strong desire to procrastinate work, and time to write about it.

Many many years ago, it was using words like “man” at the end of each sentence. “man” in the context of looking for understanding and empathy. This one episode of COPS had a suspect that was a perfect example. Here is his dialogue, and only his dialogue, as said to a police officer asking him about a physical confrontation:
– they shouldn’t be jumping me man, im with my baby’s mother man
– im gonna get sent up for two and a half years right?
– already gave me a chance man
– yah man!
– come on man, ya’ll want me to go away right?
– do you see me around here no more? i dont be around here, i was walking home with my baby’s mother man
– they jumped me man
– i dont mess with nobody around here man, i dont wanna play around man, i walk to my house man
– [mumble] crying man
– im walking around man, they were like ‘wassup’, im like ‘nothing man‘, they comin up pushing me man, im telling them leave me alone man,
– yeah man, he punched me in my face, im like man i dont care about none of you no more
cause im saying i dont care about them no more man, they say ‘what’, ‘oh you aint down no more?’ im like no man, my own boys man
– and that hurts man, thats why i stabbed him man

Many years ago, I noticed that a lot of rappers and other (mostly) black males on TV (celebrity or COPS, and i hate to stereotype but it’s true) would frequently say “you know what i’m saying?“. I wish I could find and quote one interview with a rapper from a few years back, who ended every single sentence with “you know what i’m saying?“, even if the sentence was three words.

Jump to the present, and the stereotypical ditzy girls who use ‘like’ too often. It isn’t just ditzy girls, even many professionals regardless of gender in the workplace have started using it, possibly due to ‘celebrity’ influence. If you listen carefully and try to observe the speech patterns, you will notice they use ‘like’ almost every sentence, sometimes several times. For the more extreme, you literally hear them interject ‘like’ two or three times a sentence, every single sentence.

Twenty years, the social/racial circles and wording change.. the pattern does not.

VDB Searching Headache: Apache

[This was originally published on the OSVDB blog.]

I had the need to search for Apache vulnerabilities today for the pesky day job. One word, one search and four hours later I realized just how bad our Apache entries were. Enter headache #1. Unfortunately, the rest of the VDBs were no better. What did I want a concise list of?

  • Apache web server vulnerabilities
  • Apache Tomcat vulnerabilities

Seems straightforward, and the second search is relatively easy to get at any VDB as “Apache Tomcat” is a consistently used name for the product and distinct enough not to catch other products. So why isn’t the first? Many moons ago, Apache was just “Apache” and everyone knew it was the web server. Eventually Apache branched out and currently maintains an incredible number of projects. The old “Apache” we all know is really “Apache HTTP Server” which VDBs don’t consistently use, especially the older ones. This is understandable because when CVE added an Apache vulnerability in 1999, that was all there was. These days, just using “Apache” to describe any of their projects is overly vague and irresponsible. Thus, four hours later I’d like to think that OSVDB’s entries are a lot better off for many reasons, that being the first and most simple.

Searching OSVDB by title for “Apache HTTP Server” will now list all vulnerabilities related to the classic web server. One thing you will notice is the difference in naming convention for modules. Enter headache #2! Apache modules are not created equal. According to the Apache documentation, module status is labeled according to one of four values:

  • Base – modules that are compiled and loaded into the server by default
  • Extension – modules that are not normally compiled by default, but must be selected during compilation/installation
  • Experimental – modules that are available as part of the apache kit; not necessarily supported
  • External – modules that are not included with the base Apache distribution; not supported by Apache

Modules like mod_include and mod_imap are ‘base’ modules and are part of the Apache web server for most installations. Vulnerabilities in these modules will impact most Apache users. Modules like mod_rewrite are extension modules and must be specifically selected during the configure/make process.

Modules like mod_perl are .. what? Hello Headache #3. If you check the mod_perl homepage, you don’t see the easy to spot designation if it is ‘base’ vs ‘extension’, even though it is part of the Apache project. This is more understandable with mod_ssl since it’s an extension and maintained on a non-Apache web page. Apache module authors: please make this clear! Before you fire up your e-mail client to send me obnoxious mails, consider that these are “some” of the supported modules Apache offers, and there are 443 more modules that aren’t supported but definitely useful to many folks. What about mod_digest_apple and others? Not fun for those who are tasked with tracking vulnerabilities.

As a result of all this, OSVDB is now using consistent titles to help distinguish all of the above. Here are a few guidelines to help better understand it, and we hope that other VDBs will follow suit to assist their users.

  • “Apache HTTP Server” is used for the Apache web server (httpd).
  • If the module is ‘base’, ‘extension’ or ‘experimental’, meaning it is part of the Apache distribution, we use “Apache HTTP Server mod_whatever”
  • If the module is ‘external’, meaning it is not part of the Apache distribution, we use “mod_whatever for Apache HTTP Server”.

This will help our users more easily distinguish if the vulnerability affects them, assist in searches with more concise results and generally make me feel better about the VDB world.
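The three title rules above, applied to legacy titles, as an added sketch (not OSVDB's own code). The sample titles and the status table are constructed; treating mod_digest_apple as ‘external’ is an assumption, and a module with no known status (the mod_perl case) is flagged for manual review rather than guessed.

```python
import re

PRODUCT = "Apache HTTP Server"
BUNDLED = {"base", "extension", "experimental"}  # part of the Apache distribution

# Constructed status table. The first three values are stated in the post;
# mod_digest_apple as "external" is an assumption made for this example.
MODULE_STATUS = {
    "mod_include": "base",
    "mod_imap": "base",
    "mod_rewrite": "extension",
    "mod_digest_apple": "external",
}

MODULE_RE = re.compile(r"\bmod_\w+", re.I)
# Names older entries used for the web server, with an optional leading "for".
HTTPD_RE = re.compile(
    r"(?:\bfor\s+)?\bApache\s+(?:HTTP\s+Server|httpd|Web\s+Server)\b", re.I)
TOMCAT_RE = re.compile(r"\s*Apache\s+Tomcat\b", re.I)
BARE_RE = re.compile(r"\s*Apache\b", re.I)


def _description(title, module=None):
    """Strip product and module names, leaving only the issue description."""
    text = HTTPD_RE.sub("", title)
    if module:
        text = re.sub(re.escape(module), "", text, flags=re.I)
        # A bare "Apache" (or "for Apache") left over next to the module name.
        text = re.sub(r"^\s*(?:for\s+)?Apache\b", "", text, flags=re.I)
    return " ".join(text.split())


def normalize_title(title, statuses=MODULE_STATUS):
    """Return (title, note); note is 'ok', 'unchanged' or 'review'."""
    found = MODULE_RE.search(title)
    if found:
        module = found.group(0).lower()
        status = statuses.get(module)
        if status is None:
            return title, "review"        # status unknown: do not guess
        desc = _description(title, found.group(0))
        if status in BUNDLED:
            return f"{PRODUCT} {module} {desc}", "ok"
        return f"{module} for {PRODUCT} {desc}", "ok"
    if HTTPD_RE.search(title):
        return f"{PRODUCT} {_description(title)}", "ok"
    if TOMCAT_RE.match(title):
        return title, "unchanged"         # already a distinct product name
    if BARE_RE.match(title):
        return title, "review"            # bare "Apache" is ambiguous
    return title, "unchanged"
```
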

Month of Search Engines Bugs (MOSEB)

[This was originally published on the OSVDB blog.]

It was bound to happen, now we get to see a Month of Search Engine Bugs. It would be nice if this effort included some bugs with meat rather than relatively obscure cross-site scripting issues.

The time has come for announcement of my new project – Month of Search Engines Bugs. This project will be in the next month. So June is a month of bugs in search engines. Purpose of this Month of Bugs is a demonstration of real state with security in search engines, which are the most popular sites in Internet. To let users of search engines and web community as a whole to understand all risks, which search engines bring to them. And also to draw attention of search engines’ owners to security issues of their sites. During the month everyday will be publish vulnerabilities in most popular search engines of the world. Cross-Site Scripting vulnerabilities in particular. Everyday will be publish vulnerabilities in different engines (minimum one publication at a time, but there will be bonus publications also).

Not Local.. Not Remote..

[This was originally published on the OSVDB blog.]

Several of us working on VDBs have debated over the years how best to handle vulnerabilities that aren’t necessarily remote or local. These are issues like image or archive handling vulnerabilities, where the program processing a malformed file is prone to an overflow, traversal or denial of service. One may argue they are ‘remote’ in the sense that if I e-mail you the file, the attack is definitely remote. But if the malformed file is loaded via a floppy disk, the attack certainly isn’t ‘local’ or ‘requires physical access’ necessarily. So we need something that covers the grey area between vectors. A while back Steven Christey at CVE began using “context-dependent attacker” to describe such vulnerabilities. OSVDB tried to come up with another term for this but after some time, we couldn’t. So, from here on out, you will start noticing the use of “context-dependent attacker” in our vulnerability descriptions more frequently, and eventually when the classification scheme is overhauled it will appear there too.

The Real Animals

The Denver Zoo is a great place and has nice exhibits along with a wide variety of denizens. As on most summer weekends, it gets really crowded and the amount of sprogs and fat oblivious people is almost unbearable.

Kids will be kids, but parents simply don’t care about the results of the kid’s actions and don’t seem to feel any responsibility for them. If a kid breaks something or offends someone or gets in my way, it’s ok for the parents, they see it as ‘just how kids are’.

When that crosses the line and endangers animals being held in a zoo, a sanctuary, that isn’t ok. Today we saw an ignorant kid swinging a necklace with a piece of metal around, dangling it in the mongoose exhibit. Of course the kid drops it, a dozen mongooses converge and run off with it, happy as can be. The parents just stand there watching, oblivious to the fact that the item may be dangerous to the animals. They don’t scold the kid, don’t think to notify zoo employees or do anything other than watch the animals. I told them to notify someone immediately, but at that point they should have been banned from the zoo for life.

Further along, an Asian family is watching their little kid chase two peacocks around. The kid is poking at the birds, stepping on the dragging tail feathers and scaring them. The dad happily takes more and more video, the mom waves her hat trying to get the peacocks to look away from the threatening kid and at the video camera. People look on, not realizing the trauma it causes the birds. These people need to stay away from zoos the rest of their lives.

Veterinary Detachment

Some doctors seem detached from reality at times. They don’t quite get how the real world and life’s obligations can get in the way of always thinking about the ideal way to live.

Veterinarians are worse, especially when it comes to applying medicine. Yes, they can apply the most obnoxious treatment to an animal at their office with grace and ease. First, the animal is at the vet’s office and they know it. Fear and a slight case of petrification are strategic advantages to the vet who is about to squirt pink liquid down the throat of a cat. Second, they handle animals all day. Worse, they handle scared animals who see the vet as some sort of Gitmo interrogation officer and are used to learning all the tricks. Third, they have backup during the application of said torture. If the pet’s owner can’t help, there are assistants available to come in and hold the flailing beast down.

Invariably, they send you and your scruffy beast home with a bottle of pink stuff and an eye dropper, or a tube of goo and your own finger. “Administer three times a day” doesn’t seem too bad until the first time you try to do it on your own, and have a newfound appreciation for what “holy war” really means.

Squirting an eye dropper of pink stuff into the wild toadblock or smearing goo on the underside of an Okra eye (Chinchilla) just doesn’t happen without a full on melee breaking out. When two of us held the toadblock down and finally got a nice squirt of pink junk in him, He promptly spit once, shook his head wildly and ran off leaving us looking like Hello Kitty met Bukake Champions of 2007. When goo was finally smeared under the eye of a struggling chinchilla being held by the tail upside down, the poor thing ran in her cage and began rubbing her cheek on every surface she could find including the cage, wood ledge, pumice stone, grassy mat, luffa, floor, water bottle nozzle, wood chunk, cuddle buddy, cardboard tube, chew carrot, and wall. We’re pretty sure she ended up with a lot less goo on her cheek than every inanimate object in her cage.

Vets, remember that we’re pet owners. We spoil our pets, we love our pets, but we simply are not equipped to engage in outright sparring to force feed the creatures the medicine they so desperately need, but so passionately hate.

Month of ActiveX Bugs…

[This was originally published on the OSVDB blog.]

Yet another “Month of..” bug campaign. This time, the Month of ActiveX Bugs (MoAxB) will focus on vulnerable ActiveX controls. Do a quick title search for “activex” and you will see a healthy history of vulnerabilities related to ActiveX controls. There is already a debate on the Full-Disclosure list regarding if this will be a month of annoying Denial of Service issues, or something more severe.