Bugtraq mailing list archives

[GOBBLES] reflections on talkd hole


From: gobbles () hushmail com
Date: Thu, 23 May 2002 21:31:33 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello

We've had private correspondence with Solar Designer and his group who seem to be a little taken aback by the release 
of this remote hole, but really, we care so much about full disclosure that it needed to be fixed ASAP.

Other correspondence pretty much deals with issues we mentioned in advisory...

1. Yes, K2/antisec discover and disclose this before GOBBLES, but after this disclosure, many other vendor talkd still 
vulnerable to hack attacks by blackhat hackers. Since we're ethical whitehats like K2 and his antisec, we thought 
public should be notified that bug is still alive and hasn't been killed yet.

2. NGSec made discovery of same hole in Solaris talkd a very long time ago, but did not inform Sun. Really, GOBBLES not 
understand why this not occur, since parallel disclosure would not be issue if they found it long before GOBBLES. They 
had plenty of time to inform Sun, which is the right thing to do. We have and are working with Sun and they are very 
cooperative in dealing with holes of this nature. We were mad that rwalld took a little long to fix, but there is rapid 
progress on current holes in two other default rpc services.

3. Chris Evans in email...

Not a new discovery:
http://security-archive.merton.ox.ac.uk/bugtraq-200010/0065.html

True. GOBBLES acknowledge research of past researchers and not try to claim ownership of bug.

Could you elaborate on why KDE is vulnerable? Have they copied this buggy
code for their "ktalkd"?

Indeed yes. KDE developers are to be commended on rapid circulation of advisory. They really considered this hole 
serious and took appropriate action to patch ktalkd immediately.

"A patch for this has been in KDE CVS since 5pm EDT 05/21/02.  Thanks to
Waldo Bastian for the quick work.  It is patched in the KDE_2_2_BRANCH,
KDE_3_0_BRANCH and HEAD branch.  There are other problems with this code and
we recommend not using it.  In particular, users of older KDE versions should
disable ktalkd entirely.

"    The just-released KDE 3.0.1 does not contain this fix since we were
unaware of it when we sent the source out to the packagers."


We are becoming very close with the infosec community. GOBBLES will begin disclosing remote vulnerabilities of a very 
serious kind in the near future. GOBBLES will become the paragon of popularity and fameseeking, drinking dr pepper on 
the fringe of the infosec scene, and fully disclosing ALL bugs we find to make the Internet a safer place.

The rejection of ideas concerning disclosure can be a two-way street.

GOBBLES recommend close study of 1978 Karpov - Korchnoi match to appreciate higher level forces that are now at work in 
infosec world...


-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAjztw+sVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPjgwA
oI9nT4T9/Dukmg1CtljY+GM/Nl/rAKC6Tfn4U4OkB+5NkPHrMfYeb5bwCA==
=CY5K
-----END PGP SIGNATURE-----
