-----BEGIN PGP SIGNED MESSAGE-----

There was a post on Slashdot recently [1] about a trojan in tcpdump and libpcap. The post referred to two web pages, [2] and [3], which describe the trojan. Unfortunately, the web pages at this time say nothing about whether or not the maintainers of tcpdump were contacted. The Slashdot post claims that the discoverers of this vulnerability have "notified the maintainers of tcpdump.org.", but does NOT mention where that notification was sent.

While I am not one of the tcpdump maintainers, I have been in contact with the host of tcpdump.org, and he has not, as yet, found any such notification which is immediately obvious.

The date on the web pages describing the vulnerability is "Wed Nov 13 03:44:08 CST 2002". Tcpdump is hosted in the EST time zone, and the host of tcpdump.org has been out of touch for much of the day, due to travelling via airline to a conference. So the time between any alleged notification and action would have been unfortunately larger than usual.

The release of the vulnerability information appears to have been ill-timed, at best. At worst, I find it surprising that the vulnerability was posted at 3am, and that the host and maintainers of tcpdump.org were not aware of this issue late last night. It appears that the time between any alleged "notification" and the release of the vulnerability information was disappointingly small.

After consulting with the host of tcpdump.org, I took the machine off-line late this morning. I'm disappointed that the discoverers of this problem did not give adequate time to respond to this issue, and to correct it.

As to how the files were trojaned, that topic is still being investigated. I took a NetBSD security officer along with me to investigate the problem, while I was removing the machine from the net. A cursory investigation yielded nothing obvious, other than that the machine was running an older version of NetBSD.

The NetBSD project may, or may not, issue an official statement later. I cannot speak for them.

The tcpdump maintainers may, or may not, issue an official statement later. I cannot speak for them.

In summary, the people who found these vulnerabilities did NOT follow reasonable notification methods or timings. Many of the people involved only discovered the problem through Slashdot, or through being contacted by a friend who had seen the post on Slashdot.

This message is meant mainly to stop any speculation or confusion (as seen in the Slashdot comments), and to start the process of setting the record straight about the events under discussion. I welcome comments from the originators of the report, and/or people listed on the web pages in [2] and [3]. I especially welcome information as to:

  a) WHO they notified
  b) WHEN they sent that notification
  c) WHEN they discovered the vulnerability

Answers to these questions would go a long way to furthering openness and good-will on this issue.

Alan DeKok.

- ------
[1] http://slashdot.org/articles/02/11/13/1255243.shtml?tid=172
[2] http://hlug.fscker.com/
[3] http://151.164.128.17/def-con/

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Processed by Mailcrypt 3.5.6, an Emacs/PGP interface

iQCVAwUBPdKvjakul4vkAkl9AQG/GAQAiLRIAh0sgYdWSsMB6U1WRycO3D3drrKX
JKz85TJUTa+jEE9CeyIdEFy+HzEwAqV0r9fYzUX0OlnBdWzDaYOTmII0RSFV/1Nk
BhgL1hp5fHu/+h6bo4co9pR8k2f4P+StSSShlCrIcQ3KPnZIhrTuxP/7EZbDyAHQ
1wU2MONkKbw=
=UP8B
-----END PGP SIGNATURE-----