Vulnerability Development mailing list archives

Recent "rumors"


From: gobbles () hushmail com
Date: Mon, 17 Jun 2002 12:46:14 -0700


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

First, we'd like to thank The Blue Boar for discussing this matter with us and explaining the criteria by which we must 
abide in order to have this message posted on his list.  We should probably make it clear that the posting of this 
message isn't indicative that GOBBLES Security posts will become regular to this list; we have been told that our 
general contributions are not up to par with the requirements for this list.

Having said that, we would like to say a few things.

First, GOBBLES Security does not share our private advisories with anyone, and we do not share any of the materials 
derived from our private research with anyone (exploits, tools, etc).  When we do share material, we share it with the 
community at large, and not just isolated groups.  Any allegation that other groups (including 7350) have developed 
tools/exploits based off our "private" materials is completely ludicrous.

We don't believe that this is a forum to discuss warez.  At some point in the future, those advisories may be made 
public, but at this time we're really not even sure how the vulnerability titles (Apache, sshd, pf) even made it 
public.  Our preauthentication hole in OpenSSH/SSH (discovered in October) was inadvertently discovered by another 
researcher, from redhat.com, who found the same zlib decompression bug, and realized that some other things might also 
be exploitable.  The Apache hole we've been playing with has also been made public, since it has recently been 
uncovered by other researchers in their own bugsquashing efforts.  The pf technique isn't entirely ours anyway; it's 
built off a concept invented by route (mike () stake com) and if we were to publish it, it'd be intruding upon his 
intellectual property.

We've talked the matter over with skyper, who assures us that these codes listed do not exist, and that no members of 
7350 have developed code based off of our private/unreleased advisories at this time.  His word is enough for us, and 
any efforts to slander him are extremely unacceptable.

Further, posting fake irc logs onto a mailing list is hardly acceptable behavior.  The person who started this thread is 
nothing more than a troll, and their post (in the collective opinion of GOBBLES Security Members) should never have 
appeared on this list.

And finally, to the allegation from The Great Pr0ix, where she claims that "GOBBLES is a deliberate joke played out by 
some otherwise avid fans of non-disclosure", this simply is not true.  GOBBLES Security supports full disclosure, not 
nondisclosure.

This is an attempt by a warez-guru to slander a respectable nonprofit security group.  Also, to add a 
little fuel to the fire, listening to someone like pr0ix, who makes a living off reselling the private research of 
individuals, is probably not the best practice for information on the latest vulnerabilities.  He is not a member of 
7350, nor is he a member of GOBBLES Security, and is not in a position to speak on the motivations of either group, nor 
is he in a position to state what does and does not exist.

Please keep this forum professional.

- -GOBBLES Security
-----BEGIN PGP SIGNATURE-----
Version: Hush 2.1
Note: This signature can be verified at https://www.hushtools.com

wlwEARECABwFAj0OPJMVHGdvYmJsZXNAaHVzaG1haWwuY29tAAoJEBzRp5chmbAPGlAA
oJoqFgdTEj/9I8T+Yaa9OW96fCaZAKCWsYZFGc/xEefs7L58CpxQQEnL0w==
=mxj0
-----END PGP SIGNATURE-----
