Box of Shit: The Revenge

At some point around 2008 I put together a box with a bunch of random shit laying around. Nothing of value, all stuff you question why you even kept it in the first place basically. Off it went to an unsuspecting victim/friend. From there, the box-of-shit was born. Since then, I have sent out hundreds of boxes or envelopes of shit. On occasion, people document what they receive with comedic flair. This is one of the boxes I received and wrote about. This was originally published on attrition.org.


First, I need to defend myself here after the unfair and ungrateful D2D blasted my shower of kindness in the form of a box of shit. D2D does many things around here, most notably sending ascii drawings of male genitalia, randomly running kill -HUP on the web server to make Lyger ask “why did the server crash earlier”, and sending inappropriate instant messages after a heavy night of drinking rubbing alcohol. Once in a while, he also pretends to be a developer for the OSVDB.org project. By that I mean he acts like a Ruby on Rails evangelist, constantly saying how it is superior to SNOBOL and PHP. He may be right there though.

It’s for this last thing that I opted to send him a cherished box of shit, to reward him for fixing a bug I opened up seven months ago. After fixing the typo on a web page, he closed the ticket and sent me 69 copies of the ascii version of the goatse.cx image. What an ass! Despite this virtual abuse, a box of shit was sent out priority mail. He received it and promptly blogged (fag) about it, suggesting my generous gifts were a slight of some kind.

Shortly after this, Lyger decided to betray my generosity by posting his rant about the box of shit I sent to him. Before you read that hurtful link in detail, take note that he carries around a Crackberry (fag) like the good little metrosexual he is. On top of the wonderful stuff, I accidentally sent him the Ansel Adams books that were meant for my color-blind friend in Juarez.

After a spate of e-mails from attrition staff, I found a surprise box of my own (and a cheeseburger wrapper) in the mailbox. I assume that Apacid sent the box and my mailman left the wrapper, but who knows. The first thing that came to mind was that Apacid thought I needed to re-learn material from previous conventions.

I ignored this obvious insult at my memory, as if I’d forget those wonderful conventions in Dallas and Chicago! He also included his hotel key card from last year, probably as a sign that he wants drunken convention sex next year. What a sweet offer.

Among the ‘treasures’ he sent were a book for Half-Life and some satanic Tarot cards that supposedly tell your future. Hah, like I’d heed the mumbo-jumbo sorcery of these cards (the pale horse says I will feast at midnight). Like I would be bothered to waste time on any of these childish games. He even sent me the map to EverQuest’s Ruins of Kunark.

Can you imagine me training Gorenair to Karnor’s Castle or dealing with mobs on the way to Chardok? Please! Sebilis, filled with strange froglok creatures that froooak at you and guard the lair of Trakanon, is of no interest to a powerful wizard like me. Uh, I mean, never mind.

Also included were various instruments of Apacid’s sick perversion. I can only imagine what he had in mind... what he wanted to put where, how he wanted to restrain whoever.

The box of shit came with two other pieces of literature: something that perplexes me, and a book of the O’Reilly animals (which is better than some of their technical books). Squido eagerly grabbed the O’Reilly book to brush up on obscure animal knowledge and was immediately disappointed that the book covers do not have pigeons, guinea pigs or chinchillas. Before the animals, let’s ponder what the hell Apacid was doing with “Your Guide to Sleeping Comfort” and where he got it. Ok, that scares me, moving on.

Finally, he sent me a toll token in the hope that I will drive to his place and some patriotic stickers of demented snowmen to put on the car.

All said and done, Apacid has serious issues. What kind of asshole freak sends a box of shit like this to someone?!

“0-day Can Happen to Anyone”

[This was originally published on the OSVDB blog.]

This time, it happened to the OSVDB blog. Unfortunately, WordPress doesn’t have a very good track record on security. During the migration from the old OSVDB to 2.0, we noticed a problem with the blog and several ‘spam’ posts appearing. We attributed it to one of the many previous WordPress bugs. We cleaned out the tainted posts, upgraded to the latest WordPress, and went on our merry way.

Shortly after, a blog reader contacted us to point out that existing posts we made had “noscript” advertisements embedded in them. Our expansive development team (the overworked Dave) looked into it. He started looking through the files for any obvious signs of a compromise – checked the plugins, etc. All seemed normal. Next he checked the web logs and noticed Chinese addresses POSTing to xmlrpc.php at various times throughout the day, most often at night. He then enabled XML-RPC logging inside of the script, cleaned out the database again, and noticed lots of entries with empty input, like this:

2008-01-31 04:04:00 Input:
2008-01-31 05:01:43 Input:
2008-01-31 19:29:01 Input:

Posts continued to be altered during his investigation. Suspecting user account compromise, he checked the WordPress users and noticed a good chunk of new users had been added in recent months, almost all of them obvious spam users. Spam users aren’t uncommon, but they are usually a small percentage. In the past few months, the vast majority of new users were spam users.
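As an added illustration of the web-log step described above (not code from OSVDB or the original post), here is a small Python script that parses Apache-style access log lines, tallies POSTs to xmlrpc.php per source address, and flags sources that only ever hit it outside business hours; the log lines, addresses and hours are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of Apache combined-format log lines (not real OSVDB logs).
SAMPLE_LOG = """\
203.0.113.7 - - [31/Jan/2008:04:04:00 -0500] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.2 - - [31/Jan/2008:10:15:21 -0500] "GET /blog/ HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2008:05:01:43 -0500] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
198.51.100.2 - - [31/Jan/2008:11:02:05 -0500] "POST /wp-admin/post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [31/Jan/2008:19:29:01 -0500] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "Mozilla/4.0"
192.0.2.9 - - [31/Jan/2008:23:40:12 -0500] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "curl/7.18"
"""

# Client IP, bracketed timestamp, request line (method + path), status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": m.group("path"), "status": int(m.group("status"))}


def xmlrpc_posts_by_source(log_text):
    """Map each source IP to the hours (0-23) at which it POSTed to xmlrpc.php."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/xmlrpc.php"):
            hits[rec["ip"]].append(rec["ts"].hour)
    return dict(hits)


def off_hours_sources(log_text, start=8, end=18):
    """IPs whose xmlrpc.php POSTs all fall outside the business hours [start, end)."""
    return sorted(ip for ip, hours in xmlrpc_posts_by_source(log_text).items()
                  if all(h < start or h >= end for h in hours))


if __name__ == "__main__":
    for ip, hours in xmlrpc_posts_by_source(SAMPLE_LOG).items():
        print(ip, "xmlrpc.php POSTs at hours", hours)
    print("off-hours only:", off_hours_sources(SAMPLE_LOG))
```

Sources that only touch xmlrpc.php, and only at night, are the ones worth checking against the user table and the post revision history next.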

When OSVDB 41136 came out, it all became clear. Since fixing the vulnerability, no posts have been edited.

I know this post is late, but we wanted to clear up any confusion and set the record straight on what occurred. We can definitely say this vulnerability was discovered in the wild.

New Classification: Discovered In the Wild

[This was originally published on the OSVDB blog.]

[October 24, 2020 Update: Since creating this flag, VulnDB now has 629 entries flagged as such.]

In a recent discussion on the security metrics mailing list, Pete Lindstrom put forth a rough formula to estimate the number of vulnerabilities that have been discovered versus undiscovered. One of the data points that he cited led me to his page on “undercover vulnerabilities”, his term for “0-day” in a certain context. Since the term “0-day” has been perverted to mean many things, he clearly defines his term as:

Undercover Vulnerability: A vulnerability that was generally unknown (e.g. not published on any lists, not discussed by “above ground” security folks) until it was actively exploited in the wild. The vulnerability was discovered through evidence of tampering or other means, not through the usual bugfinding ritual.

In my reply challenging some of his numbers, I specifically said that “if we consider that your number 20 is off by at least half, and I would personally guess it’s more like a small fraction, how does this change your numbers?” Pete took this in stride and offered to buy me a case of beer if I could find half a dozen that he didn’t have. Not one to pass up free booze and vulnerability research (yes, I’m weird), I spent several hours Friday doing just that. I ended up with 24 vulnerabilities that seemed to match his definition, roughly half of them in his time frame (“in the last two years”).

Pete’s page got me wondering just how many vulnerabilities could be classified as ‘undercover’ by his definition. Further, I thought about another question he asked on his page:

I am open to suggestions on an easy way to do this with TypePad (TypeLists, maybe?). Else, I’ll just periodically update as new vulns become available.

I cornered our lead developer Dave and said “make it so” while I mailed Pete asking if OSVDB could help in this effort. As a result, we now have a new classification that we call “Discovered In the Wild” that means the same thing as Pete’s “undercover vulnerability”. I have updated the 20 vulnerabilities listed on his page and added the flag to the ones I researched. This now shows 43 results, which is good progress.

Not content with that, I asked a fellow geek who has a world more experience with IDS, NOC management and various devices that would be prone to catching such vulnerabilities, “how many do you think were found this way last year?”, to which she replied “at least 50”. So vulnerability researchers and OSVDB contributors, it’s up to you to help out! We’re looking for more instances of vulnerabilities being discovered “in the wild”, being exploited and subsequently disclosed (to a mailing list, the vendor, whatever). Please cite your source as best as possible.

To see what we have so far:

  1. http://osvdb.org/search/advsearch
  2. Under “Vulnerability Classification” and “Disclosure”
  3. Check “Discovered in the Wild”
  4. Search

Thanks to Pete Lindstrom and the Security Metrics mailing list for the input and great idea for a new classification!