Bugtraq mailing list archives

Unofficial statement re: tcpdump and libpcap


From: "Alan DeKok" <aland () freeradius org>
Date: Wed, 13 Nov 2002 15:01:28 -0500

-----BEGIN PGP SIGNED MESSAGE-----

  There was a post on Slashdot recently [1] about a trojan in tcpdump
and libpcap.  The post referred to two web pages [2], and [3], which
describe the trojan.

  Unfortunately, the web pages at this time say nothing about whether
or not the maintainers of tcpdump were contacted.  The Slashdot post
claims that the discoverers of this vulnerability have "notified
the maintainers of tcpdump.org.", but does NOT mention where that
notification was sent.

  While I am not one of the tcpdump maintainers, I have been in
contact with the host of tcpdump.org, and he has not, as yet, found
any such notification which is immediately obvious.


  The date on the web pages describing the vulnerability is "Wed Nov
13 03:44:08 CST 2002".  Tcpdump is hosted in the EST time zone, and
the host of tcpdump.org has been out of touch for much of the day, due
to travelling via airline to a conference.  So the time between any
alleged notification and action would have been unfortunately larger
than usual.


  The release of the vulnerability information appears to have been
ill-timed, at best.  At worst, I find it surprising that the
vulnerability was posted at 3am, and that the host and maintainers of
tcpdump.org were not aware of this issue late last night.

  It appears that the time between any alleged "notification", and the
release of the vulnerability information was disappointingly small.

  After consulting with the host of tcpdump.org, I took the machine
off-line late this morning.  I'm disappointed that the discoverers of
this problem did not give adequate time to respond to this issue, and
to correct it.


  As to how the files were trojaned, that topic is still being
investigated.  I took a NetBSD security officer along with me to
investigate the problem, while I was removing the machine from the
net.  A cursory investigation yielded nothing obvious, other than that
the machine was running an older version of NetBSD.


  The NetBSD project may, or may not, issue an official statement
later.  I cannot speak for them.

  The TCPDump maintainers may, or may not, issue an official statement
later.  I cannot speak for them.


  In summary, the people who found these vulnerabilities did NOT
follow reasonable notification methods or timings.  Many of the people
involved only discovered the problem through Slashdot, or through
being contacted by a friend who had seen the post on Slashdot.

  This message is meant mainly to stop any speculation or confusion,
(as seen in the Slashdot comments), and to start the process of
setting the record straight about the events under discussion.

  I welcome comments from the originators of the report, and/or people
listed on the web pages in [2], and [3].  I especially welcome
information as to:

  a) WHO they notified
  b) WHEN they sent that notification
  c) WHEN they discovered the vulnerability


  Answers to these questions would go a long way to furthering
openness and good-will on this issue.

  Alan DeKok.
- ------
[1] http://slashdot.org/articles/02/11/13/1255243.shtml?tid=172
[2] http://hlug.fscker.com/
[3] http://151.164.128.17/def-con/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.5.6, an Emacs/PGP interface

iQCVAwUBPdKvjakul4vkAkl9AQG/GAQAiLRIAh0sgYdWSsMB6U1WRycO3D3drrKX
JKz85TJUTa+jEE9CeyIdEFy+HzEwAqV0r9fYzUX0OlnBdWzDaYOTmII0RSFV/1Nk
BhgL1hp5fHu/+h6bo4co9pR8k2f4P+StSSShlCrIcQ3KPnZIhrTuxP/7EZbDyAHQ
1wU2MONkKbw=
=UP8B
-----END PGP SIGNATURE-----