-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
Hello We've had private correspondence with Solar Designer and his group who seem to be a little taken aback by the release of this remote hole, but really, we care so much about full disclosure that it needed to be fixed ASAP. Other correspondence pretty much deal with issues we mentioned in advisory... 1. Yes, K2/antisec discover and disclose this before GOBBLES, but after this disclosure, many other vendor talkd still vulnerable to hack attacks by blackhat hackers. Since we're ethical whitehats like K2 and his antisec, we thought public should be notified that bug is still alive and hasn't been killed yet. 2. NGSec made discovery of same hole in Solaris talkd a very long time ago, but did not inform Sun. Really, GOBBLES not understand why this not occur, since parallel disclosure would not be issue if they found it long before GOBBLES. They had plenty of time to inform Sun, which is the right thing to do. We have and are working with Sun and they are very cooperative in dealing with holes of this nature. We were mad that rwalld took a little long to fix, but there is rapid progress on current holes in two other default rpc services. 3. Chris Evans in email... > Not a new discovery: > http://security-archive.merton.ox.ac.uk/bugtraq-200010/0065.html True. GOBBLES acknowledge research of past researchers and not try to claim ownership of bug. > Could you elaborate on why KDE is vulnerable? Have they copied this buggy > code for their "ktalkd"? Indeed yes. KDE developers are to be commended on rapid circulation of advisory. They really considered this hole serious and took appropriate action to patch ktalkd immediately. "A patch for this has been in KDE CVS since 5pm EDT 05/21/02. Thanks to Waldo Bastian for the quick work. It is patched in the KDE_2_2_BRANCH, KDE_3_0_BRANCH and HEAD branch. There are other problems with this code and we recommend not using it. In particular, users of older KDE versions should disable ktalkd entirely. " The just-released KDE 3.0.1 does not contain this fix since we were unaware of it when we sent the source out to the packagers." We are becoming very close with the infosec community. GOBBLES will begin disclosing remote vulnerabilities of a very serious kind in the near future. GOBBLES will become the paragon of popularity and fameseeking, drinking dr pepper on the fringe of the infosec scene, and fully disclosing ALL bugs we find to make the Internet a safer place. The rejection of ideas concerning disclosure can be a two-way street. GOBBLES recommend close study of 1978 Karpov - Korchnoi match to appreciate higher level forces that are now at work in infosec world... Hush provide the worlds most secure, easy to use online applications - which solution is right for you? HushMail Secure Email http://www.hushmail.com/ HushDrive Secure Online Storage http://www.hushmail.com/hushdrive/ Hush Business - security for your Business http://www.hush.com/ Hush Enterprise - Secure Solutions for your Enterprise http://www.hush.com/ Looking for a good deal on a domain name? http://www.hush.com/partners/offers.cgi?id=domainpeople -----BEGIN PGP SIGNATURE----- Version: Hush 2.1 Note: This signature can be verified at https://www.hushtools.com wlwEARECABwFAjztw+sVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPjgwA oI9nT4T9/Dukmg1CtljY+GM/Nl/rAKC6Tfn4U4OkB+5NkPHrMfYeb5bwCA== =CY5K -----END PGP SIGNATURE-----
