[talk] OpenBSD Reprimanded for Patching Krack Attacks Vulnerability
Mark Saad
mark.saad at ymail.com
Mon Oct 16 18:34:46 EDT 2017
All
I’ll keep it short: amazing work. I can’t stand the nifty name game a lot of researchers have adopted.
We should all try to get someone to name their newly found issue after a bit of Aztec mythology.
I want to see the Centzonmimixcoa exploit.
---
Mark Saad | mark.saad at ymail.com
> On Oct 16, 2017, at 5:30 PM, Andy Kosela <akosela at andykosela.com> wrote:
>
>
>
>> On Monday, October 16, 2017, Siobhan Lynch <slynch2112 at me.com> wrote:
>>
>> On Oct 16, 2017, at 09:37 AM, Raul Cuza <raulcuza at gmail.com> wrote:
>>
>>
>> From https://www.krackattacks.com/
>> [quote]
>>
>> Why did OpenBSD silently release a patch before the embargo?
>>
>> OpenBSD was notified of the vulnerability on 15 July 2017, before
>> CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt
>> replied and critiqued the tentative disclosure deadline: “In the open
>> source world, if a person writes a diff and has to sit on it for a
>> month, that is very discouraging”. Note that I wrote and included a
>> suggested diff for OpenBSD already, and that at the time the tentative
>> disclosure deadline was around the end of August. As a compromise, I
>> allowed them to silently patch the vulnerability. In hindsight this
>> was a bad decision, since others might rediscover the vulnerability by
>> inspecting their silent patch. To avoid this problem in the future,
>> OpenBSD will now receive vulnerability notifications closer to the end
>> of an embargo.
>> [/quote]
>>
>> Because the OpenBSD project has a quick turnaround time on bug patches,
>> they will now be given the information later so they will not release
>> patches before other projects. Why does this remind me of a story from
>> Flash Boys by Michael Lewis?
>>
>> Raúl
>>
>> ------
>>
>> LOL, yeah I noticed that as well.... it's been a minute since I was neck-deep in the BSD community, but my reaction was "wow .... some things never change" - it's nice to know Theo and the OpenBSD folx are pretty much exactly the same as they've always been. Some things will always remain constant..... OpenBSD's nature seems a constant. :)
>>
>> -Trish
>>
>>
>
> A few months' embargo?? You must be kidding me. It seems that only the OpenBSD project is taking their userbase and their security seriously.
>
> --Andy
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk