[talk] OpenBSD Reprimanded for Patching Krack Attacks Vulnerability
mark.saad at ymail.com
Mon Oct 16 18:34:46 EDT 2017
I’ll keep it short; amazing work; I can’t stand the nifty name game a lot of researchers have adopted.
We should all try to get someone to name their newly found issue after a bit of Aztec mythology.
I want to see the Centzonmimixcoa exploit.
Mark Saad | mark.saad at ymail.com
> On Oct 16, 2017, at 5:30 PM, Andy Kosela <akosela at andykosela.com> wrote:
>> On Monday, October 16, 2017, Siobhan Lynch <slynch2112 at me.com> wrote:
>>> On Oct 16, 2017, at 09:37 AM, Raul Cuza <raulcuza at gmail.com> wrote:
>>> From https://www.krackattacks.com/
>>> Why did OpenBSD silently release a patch before the embargo?
>>> OpenBSD was notified of the vulnerability on 15 July 2017, before
>>> CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt
>>> replied and critiqued the tentative disclosure deadline: “In the open
>>> source world, if a person writes a diff and has to sit on it for a
>>> month, that is very discouraging”. Note that I wrote and included a
>>> suggested diff for OpenBSD already, and that at the time the tentative
>>> disclosure deadline was around the end of August. As a compromise, I
>>> allowed them to silently patch the vulnerability. In hindsight this
>>> was a bad decision, since others might rediscover the vulnerability by
>>> inspecting their silent patch. To avoid this problem in the future,
>>> OpenBSD will now receive vulnerability notifications closer to the end
>>> of an embargo.
>>> Because the OpenBSD project has a quick turnaround time on bug patches,
>>> they will now be given the information later so they will not release
>>> patches before other projects. Why does this remind me of a story from
>>> Flash Boys by Michael Lewis?
>> LOL, yeah I noticed that as well.... it's been a minute since I was neck-deep in the BSD community, but my reaction was "wow.... some things never change" - it's nice to know Theo and the OpenBSD folx are pretty much exactly the same as they've always been. Some things will always remain constant..... OpenBSD's nature seems a constant. :)
> A few months' embargo?? You must be kidding me. It seems that only the OpenBSD project is taking their userbase and their security seriously.
> talk mailing list
> talk at lists.nycbug.org