[talk] OpenBSD Reprimanded for Patching Krack Attacks Vulnerability

Siobhan Lynch slynch2112 at me.com
Mon Oct 16 11:53:01 EDT 2017

On Oct 16, 2017, at 09:37 AM, Raul Cuza <raulcuza at gmail.com> wrote:

From https://www.krackattacks.com/

Why did OpenBSD silently release a patch before the embargo?

OpenBSD was notified of the vulnerability on 15 July 2017, before
CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt
replied and critiqued the tentative disclosure deadline: “In the open
source world, if a person writes a diff and has to sit on it for a
month, that is very discouraging”. Note that I wrote and included a
suggested diff for OpenBSD already, and that at the time the tentative
disclosure deadline was around the end of August. As a compromise, I
allowed them to silently patch the vulnerability. In hindsight this
was a bad decision, since others might rediscover the vulnerability by
inspecting their silent patch. To avoid this problem in the future,
OpenBSD will now receive vulnerability notifications closer to the end
of an embargo.

Because the OpenBSD project has a quick turnaround time on bug patches,
they will now be given the information later so they will not release
patches before other projects. Why does this remind me of a story from
Flash Boys by Michael Lewis?
LOL, yeah, I noticed that as well.... It's been a minute since I was neck-deep in the BSD community, but my reaction was "wow .... some things never change" - it's nice to know Theo and the OpenBSD folx are pretty much exactly the same as they've always been. Some things will always remain constant.... OpenBSD's nature seems a constant. :)


Siobhan P. Lynch
slynch2112 at me.com
trish at secopsunlimited.com 