[talk] OpenBSD Reprimanded for Patching Krack Attacks Vulnerability
raulcuza at gmail.com
Mon Oct 16 09:37:49 EDT 2017
While researching the Wi-Fi vulnerability announced today [
] I discovered a BSD related slant on the news.

Why did OpenBSD silently release a patch before the embargo?
OpenBSD was notified of the vulnerability on 15 July 2017, before
CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt
replied and critiqued the tentative disclosure deadline: “In the open
source world, if a person writes a diff and has to sit on it for a
month, that is very discouraging”. Note that I wrote and included a
suggested diff for OpenBSD already, and that at the time the tentative
disclosure deadline was around the end of August. As a compromise, I
allowed them to silently patch the vulnerability. In hindsight this
was a bad decision, since others might rediscover the vulnerability by
inspecting their silent patch. To avoid this problem in the future,
OpenBSD will now receive vulnerability notifications closer to the end
of an embargo.

Because the OpenBSD project has a quick turnaround time on bug patches,
they will now be given the information later so they will not release
patches before other projects. Why does this remind me of a story from
Flash Boys by Michael Lewis?