Monthly Archives: March, 2007

OS Security, Old Debate, New Info

Check out this article/report by OmniNerd, which tested various operating systems for security. They performed a base line vulnerability scan during installation, after installation and after patches had been applied. Each installation was done to mimick as close to a ‘default install’ by clicking ‘next’ when possible. While one can argue various points of this test, they did a good job defining the operating system, configuration and resulting open ports, along with corresponding vulnerabilities. The only questions that immediately come to mind are if the Solaris install included Update 3 and why they didn’t have any charts or graphs summarizing the information.

This is hands down one of the most fair and unbiased tests I have seen in a while, based on the information in the article.

English is a Funny Language

NVD announced this week that they are now going to expand and provide vulnerability information in Spanish. I found this a bit amusing since OSVDB once thought that translating the database was a critical feature that needed to be delivered back in 2002. In fact, all of the language support was in the original OSVDB database schema and the backend code was created to handle it as we truly thought this would be implemented.

However, we quickly realized there were several issues with this concept including finding people to perform the translations! Additional concerns were raised as we spoke to more people in the security industry which included many conversations with non-US based security professionals (including a long ranting conversation with FX at Defcon). The critical concern was that much of the true meaning of the vulnerabilty is lost when the information is translated. The bottom line is that it was strongly believed that the vulnerability information in OSVDB should remain only in English.

OSVDB decided that we would not proceed any further with official plans to to translate the database, however, we have been contacted from other people that have wanted to translate OSVDB and we have provided permission to do so…

Here is a copy of the NVD announcement:

The National Vulnerability Database (NVD) is expanding to provide vulnerability translations. The first translation data feed is in Spanish and is being provided in cooperation with Inteco (, an entity of the Spanish government’s Ministry of Industry, Tourism, and Commerce ( Inteco is providing the translations and is solely responsible for the translation content. NVD is providing the translation infrastructure. The result of this cooperative effort is that NVD now contains an XML feed with 7,858 Spanish translations for the Common Vulnerabilities and Exposures (CVE) dictionary of security related software flaws. This feed will be maintained with translations for all new CVE vulnerabilities and, as with the other NVD data feeds, the data can be incorporated into commercial products and services with no licensing fees or restrictions. The translations are available through translation XML feeds at

We would love to hear any further thoughts (good and bad) on the value of translating vulnerability information into other languages.

OSVDB Chosen for Google Summer of Code 2007

For the second year now, OSVDB has been selected to participate in the Google Summer of Code program. It’s pretty neat to be in this program along with other relatively unheard of projects like Debian, FreeBSD, GNU, KDE, NetBSD, OpenSolaris, PHP, PostgreSQL, Python, Samba, Apache, EFF, Fedora and =)

As always, Google continues to give back to the community in ways most companies will never understand or appreciate.

How Apple Orchestrated Web Attack on Researchers

How Apple orchestrated web attack on researchers

Last summer when I wrote “Vicious orchestrated assault on MacBook wireless researchers”, it set off a long chain of heated debated and blogs. I had hoped to release the information on who orchestrated the vicious assault but threats of lawsuits and a spineless company that refused to defend itself meant I couldn’t disclose the details. Well a lot has changed since then and researcher David Maynor is no longer working for SecureWorks and he’s finally given me permission to publish the details.


Apple is a mega corporation that nearly smashed the reputation of two individuals with bogus claims of fraud. It didn’t matter they weren’t the one’s pulling the trigger because they were pulling all the strings. David Chartier should be ashamed of himself and his blog. Jim Dalrymple of Macworld and his colleagues that jumped on the bandwagon should be ashamed of their reporting. Frank Hayes was the only one of Dalrymple’s colleagues that had the decency and honor to apologize. Most of all, shame on Apple.

Month of MySpace Bugs (MOMSB)

Yes, the trend continues and gets more .. odd.

The Washington Post decided to cover this story giving it more attention than it probably deserves. From the home page of the effort:

The purpose of the exercise is not so much to expose Myspace as a hive of spam and villainy (since everyone knows that already), but to highlight the monoculture-style danger of extremely popular websites populated by users of various levels of sophistication. We could have just as easily gone after Google or Yahoo or MSN or ZDNet or whatever. Myspace is just more fun, and is becoming notoriously dickish about responding to security issues.

I’m not exactly sure how MySpace deserves a “monoculture-style” designation since it is a single social web site and the vulnerabilities (presumably) aren’t specific to one web browser or operating system.

Month of PHP Bugs

Hell hath no fury like a PHP developer scorned…

During the last months there have been the Month of the Browser bugs and the Month of the Kernel bugs projects that tried to raise awareness for security vulnerabilities in browsers and kernels.

After thinking a bit about this I started to wonder if I should not start a Month of PHP bugs somewhen in the first half of 2007. At the PHP conference it was once again claimed that it is not PHP that is insecure but the applications written by novice programmers. While it is true that many PHP applications are written by people with no clue about security it is absolutely not true that PHP is a secure programming language.

I think it is necessary to make ALL people aware of this. The plan is therefore to choose one of the 31 day months after January and release everyday a vulnerability in PHP itself. I would like to hear comments from the PHP community about this plan. (Be warned that anonymous rants will be deleted)

To check out the bugs, visit I will also be adding comments to this entry pointing out some of the interesting commentary and underlying message behind this effort.