[talk] OpenBSD Repremianded for Patching Krack Attacks Vunerability

Andy Kosela akosela at andykosela.com
Mon Oct 16 17:30:03 EDT 2017


On Monday, October 16, 2017, Siobhan Lynch <slynch2112 at me.com> wrote:

>
> On Oct 16, 2017, at 09:37 AM, Raul Cuza <raulcuza at gmail.com
> <javascript:_e(%7B%7D,'cvml','raulcuza at gmail.com');>> wrote
>
>
> From https://www.krackattacks.com/
> [quote]
>
> Why did OpenBSD silently release a patch before the embargo?
>
> OpenBSD was notified of the vulnerability on 15 July 2017, before
> CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt
> replied and critiqued the tentative disclosure deadline: “In the open
> source world, if a person writes a diff and has to sit on it for a
> month, that is very discouraging”. Note that I wrote and included a
> suggested diff for OpenBSD already, and that at the time the tentative
> disclosure deadline was around the end of August. As a compromise, I
> allowed them to silently patch the vulnerability. In hindsight this
> was a bad decision, since others might rediscover the vulnerability by
> inspecting their silent patch. To avoid this problem in the future,
> OpenBSD will now receive vulnerability notifications closer to the end
> of an embargo.
> [/quote]
>
> Because the OpenBSD project has quick turn around time on bug patches,
> they will now be given the information later so they will not release
> patches before other projects. Why does this remind of a story from
> Flash Boys by Michael Lewis?
>
> Raúl
>
> ------
>
> LOL, yeah I noticed that as well.... its been a minute since I was
> neck-deep in the BSD community, but my reaction was "wow .... some things
> never change"  - it's nice to know Theo and the OpenBSD folx are pretty
> much exactly the same as they've always been. Some things will always
> remain constant.... OpenBSD's nature seems a constant. :)
>
> -Trish
>
>
>
A few months embargo??  You must be kidding me.  It seems that only OpenBSD
project is taking seriously their userbase and their security.

--Andy
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.nycbug.org/pipermail/talk/attachments/20171016/7a3c3973/attachment.html>


More information about the talk mailing list