I wanted to support the Red Cross during Harvey… (but I can’t, so I need alternatives…)

File this under “blogs I didn’t expect to, or want to write tonight”.

With hurricane Harvey causing incredible damage and distress to Texas, many of us are looking for ways to help. I’d love to be down there in a boat rescuing animals or humans, bringing free bottled water (as opposed to the horrible alternative), or other forms of support. For those not able to make that commitment, we fall back to supporting charities that are on the ground helping. Tonight started out simple enough:

08-29-2017 21:43:38 Lyger: have you donated anything to any hurricane relief fund?
08-29-2017 21:44:09 jericho: not yet
08-29-2017 21:44:17 jericho: if i do, likely Red Cross
08-29-2017 21:44:38 jericho: may do ASPCA, looks like they are doing relief efforts specifically for animals
08-29-2017 21:44:50 Lyger: was wondering about both of those
08-29-2017 21:45:03 jericho: RC is kind of ‘old faithful’ in that regard
08-29-2017 21:45:03 Lyger: let me know if you do. if reasonable, i’ll match

First, know that I am not only one who donates to charity who is careful where we donate, but I have learned the hard way that not all charities are created equal. I’ve also pointed out how so many of them waste considerable money trying to solicit more donations. I’ve advocated for everyone who will listen to tap into Amazon’s excellent program for giving to charity via your own purchases. I’ve also considered this at a slightly more abstract levels, on smaller amounts, because I really believe that people in a position to help should do so. Please, before you come down on me for warning someone away from charity or Red Cross specifically, I have been very clear it is about supporting charities doing the work you support. In this case, I just wanted to find which charities are specifically helping hurricane Harvey victims, and how.

I started by showing Lyger what Red Cross looks like under Charity Navigator, which is a 501c3 that I support too. With 90% going to program expenses, that is excellent, despite a 3/4 star rating (the CN star rating is more nuanced).

However, things went downhill after that. Start by Googling for “red cross harvey” and you get somewhat expected results:

Follow the links and you get the Red Cross donation page for Harvey:

Unfortunately, this is basically “give us money” with no supporting evidence for what they are doing during Harvey specifically. On the side bar we get a video though! Ignoring the culturally insensitive message suggesting that Hispanic kids have to read a book to figure out who their mother is, we see a building with cots and displaced families, but not a single Red Cross volunteer (the person speaking is almost certainly not a volunteer, as is the person filming them). The blankets and shots are strategic showing a good mix of people, Red Cross branded blankets, and… not much else. The man they briefly interview, I personally don’t think he fully understands if the person that saved him or his family were affiliated with the Red Cross, just that he is grateful that his family was rescued.

At the end of the video, the nice lady encourages you to visit their web site (see screenshot above, that is all the info I could find), or call 1-800-RED-CROSS (800-733-2717). Ignoring the web site issue, and I didn’t pay attention to the number, I called the first number I found on their site: 1-800-HELP NOW (1-800-435-7669). Since I called the ‘Help Now’ number, it wasn’t the intended line to find out more information on how Red Cross is helping during Harvey, which is my fault. But I called, and the nice gentleman I talked to tonight was confused why I would ask about the Red Cross relief efforts (?!). Once I explained and he understood, he told me to call their ‘main line’, 1-800-733-2767 (RED-CROSS). I called that and got an interesting voicemail/routing lineup:

1. Opens with ‘call 911’ or call Houston coast guard if in life threatening situation
2. If experiencing flooding, they give advice to avoid attics, etc.
3. If calling from TX visit redcross.org/shelter or press 1
4. if calling from LA ..
5. To continue in español ..
6. Press 0 for all other inquiries
A. If you are calling about a blood donation, press 1
B. If inquiring on training and certification, press 2
C. To make a financial donation, press 3
a. For all other inquiries press 0 and you will be connected with to the next available representative, you can also visit redcross.org for more information
b. press 0
c. Options for Red Cross / Armed Forces liason
d. Disaster Assistance
e. Else, call back during regular hours

I spent the time trying to find out what the Red Cross is doing during hurricane Harvey, and I am left confused and wanting more information. Again, before you start telling me that of course they are good, wait a minute. The Red Cross took in over half a billion dollars in 2015 via “Contributions, Gifts & Grants“, and ultimately $2,726,672,619 dollars total. That is 2.7 with a B.

I am not saying the Red Cross doesn’t do amazing work, I know they do. I have done the same level of digging tonight in prior years for other disasters and been content they do good things. I have seen videos, first-hand accounts, and a wealth of information showing how they helped. What I am saying is that the Red Cross has completely failed in their social media campaign during Harvey. They are letting down the people they are helping, their countless volunteers who do wonderful work, and their supporters looking to make sure that money donated today goes to help the crisis we’re facing today.

My advice is that Red Cross continue helping during Harvey, but seriously re-evaluate their social media and fundraising efforts afterwards. Consider that my go-to charity to learn about charities, gave a pop-up about how to support during Harvey. And if you scroll down any given page, when the pop-up appears, it shows how you can help in their eyes based on data:

This is clever and helpful and I honestly wish this was a banner at the top of their site right now. That said, clicking on it is revealing in the context of the above. Consider the charities they recommend and where Red Cross places on that list. Of course, verify those other charities ranked higher are actually helping the crisis we face today, just as I tried to do with the Red Cross tonight. Please… make sure that if you donate, your money goes as far as possible. Doesn’t matter if it is $1 or $1,000, just make sure it counts. In the mean time, I am going to keep researching to find a charity I feel will deliver the most good during this incredible time of need, and look to donate tomorrow. Thank you.

That Vulnerability is “Theoretical”!

[This was originally published on the OSVDB blog.]

A few days ago, while writing a draft of a different blog, I made reference to and said “we’re well aware of the pitfalls around calling a vulnerability ‘theoretical’“! I wanted to link off to what I was referencing, a case where security researchers found a vulnerability in a big vendor’s products and were told it was “theoretical”. Of course, they in turn provided a working exploit for the vulnerability proving it wasn’t just theory. Thus, around 1995, the researchers took on the slogan “L0pht, Making the theoretical practical since 1992.” After digging, I couldn’t find a concise story of the details around that event, so I took to Twitter. Over the course of a couple hours, with input from many people, including some involved with the story, I collected the details. I told those in the conversation that if I had the information I would blog about it to better preserve that slice of history.

My bad memory had me believing the vulnerability was in Sendmail, and that Eric Allman said it to Mudge. Royce Williams dug up the Sendmail exploit i was thinking of, and the header text from Mudge suggested I was on the right track.

*NIX Sendmail (8.7.5) – Buffer Overflow – Newest sendmail exploit
:
# Hrm… and Eric Allman told me to my face that there were *no* buffer
# overflows in 8.7.5 — .mudge
# This works on systems that have the chpass program runable by
# users. Tested on FreeBSD, though the vulnerability exists in all
# Sendmail8.7.5. Granted you need to be able to change your gecos field 😉
#
# The problem is in buildfnam() which lives in util.c – it treats
# the static allocated array nbuf[MAXSIZE+1], from recipient.c, in
# an unbounded fashion.

Next, Royce reminded me that I had actually referenced that vulnerability in a prior blog post from 2006… oops! Mark Dowd was the first to challenge me on that, saying he believed it was related to a vulnerability in Microsoft’s products, related to RAS or CHAP, and he was right about the vendor (which vuln it was specifically is still not confirmed). Next, Space Rogue, an original L0pht member chimed in saying he thought it referred to Microsoft and the NT/Lanman vulnerability, and that the 1992 part of the slogan simply referred to when L0pht was formed. DKP further confirmed this by digging into the wonderful Internet Archive, finding the slogan and quote on the L0pht’s page.

“That vulnerability is completely theoretical.” — Microsoft
L0pht, Making the theoretical practical since 1992.

From here, Weld Pond and Mudge, original members of the L0pht joined the conversation. First, Weld said it might be a RAS or CHAP vulnerability but he wasn’t certain, but that the slogan came from a response from a Microsoft spokesperson who was quoted saying “that vulnerability is theoretical“, and that resulted in the exploit being written to prove otherwise. Weld further confirmed what Space Rogue had said, that the “slogan was coined in 95 or so but made retrospective to the founding of the L0pht.

DKP continued digging and found the quoted in Bruce Schneier’s “Secrets and Lies”, and pointed out Schneier worked with Mudge on a MS-CHAPv2 vulnerability. The paper on that vuln is from 1999 though, suggesting it wasn’t the “theoretical” vuln.

With that, the “theoretical” vulnerability is mostly uncovered. It would be great if anyone could confirm exactly which vulnerability it was that prompted the response from Microsoft. If anyone else recalls details about this, please share!

In the mean time, we also get to wonder about the Sendmail story, where this saga started, that also apparently is interesting. Space Rogue mentioned there was a separate story around that, but couldn’t remember details. Mudge jumped in confirming it was a Sendmail 8.6.9 exploit, “in response to in-person ‘discussion’ w/ [Eric] Allman at a Usenix Security in Texas. Witnesses, but no writeup.Mudge added that “a very similar ‘quote’ happened in person with Allman quite some time prior to the MS issue. It wasn’t a throw away quote. I/we lived it 🙂

August 14, 2017 Update:

Mudge provided more insight into another issue, also a ‘theoretical’ risk. During the Twitter thread, there were questions about L0phtcrack. Mudge saysIn a nutshell – a MSFT PR article in NT magazine said l0phtcrack was a theoretical risk but not an actual one. I responded with LC rant. Soon after we coined the phrase to describe the PoCs I felt it was crucial to write and release“. DKP dug up a Wired article that better illustrates how vendors can dismiss security researchers:

20 Seconds to Comply; 17+ Years to Get It Wrong. From “Roboguard” to “Steve”!

Recently, news broke of a robot security guard lovingly nicknamed “Steve” who drowned in a fountain in the lobby of the building he was sworn to protect. The various Tweets and news articles jumped all over it, with articles anthropomorphizing Steve and headlines such as “Security guard robot ends it all by throwing itself into a watery grave“.

No surprise, but workers in the building set up a “touching” memorial for Steve on his charging plate, further anthropomorphizing him. It’s hard not to care for and feel sorry for poor Steve, who likely roamed an empty building with modern access controls and no real threat, other than a wayward janitor who lost his RFID badge.

While the Internet is enjoying and mourning poor Steve, everyone seems to forget about old ‘Roboguard’! Unfortunately, like most media outlets, even “New Scientist” doesn’t preserve links and evidence like a scientist would. These asshats don’t even clearly list a date on their articles (posted to ISN on Aug 31, 2000). Thanks to the Internet Archive, if we go back far enough we see the article but without pictures, likely because “New Scientist” didn’t want to preserve anything back then, like they don’t today. I don’t think “science” means what they think it means.

Not sure if Asimov would be laughing or rolling in his grave.