[talk] OpenBSD Repremianded for Patching Krack Attacks Vunerability

Mark Saad mark.saad at ymail.com
Mon Oct 16 18:34:46 EDT 2017


All
I’ll keep it short; amazing work;  I can’t stand the nifty name game , a lot of researchers have adopted .
We should all try to get someone to name their newly found issue after a bit of Aztec mythology.

I want to see the Centzonmimixcoa exploit .

---
Mark Saad | mark.saad at ymail.com

> On Oct 16, 2017, at 5:30 PM, Andy Kosela <akosela at andykosela.com> wrote:
> 
> 
> 
>> On Monday, October 16, 2017, Siobhan Lynch <slynch2112 at me.com> wrote:
>> 
>> On Oct 16, 2017, at 09:37 AM, Raul Cuza <raulcuza at gmail.com> wrote
>> 
>> 
>> From https://www.krackattacks.com/
>> [quote]
>> 
>> Why did OpenBSD silently release a patch before the embargo?
>> 
>> OpenBSD was notified of the vulnerability on 15 July 2017, before
>> CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt
>> replied and critiqued the tentative disclosure deadline: “In the open
>> source world, if a person writes a diff and has to sit on it for a
>> month, that is very discouraging”. Note that I wrote and included a
>> suggested diff for OpenBSD already, and that at the time the tentative
>> disclosure deadline was around the end of August. As a compromise, I
>> allowed them to silently patch the vulnerability. In hindsight this
>> was a bad decision, since others might rediscover the vulnerability by
>> inspecting their silent patch. To avoid this problem in the future,
>> OpenBSD will now receive vulnerability notifications closer to the end
>> of an embargo.
>> [/quote]
>> 
>> Because the OpenBSD project has quick turn around time on bug patches,
>> they will now be given the information later so they will not release
>> patches before other projects. Why does this remind of a story from
>> Flash Boys by Michael Lewis?
>> 
>> Raúl
>> 
>> ------
>> 
>> LOL, yeah I noticed that as well.... its been a minute since I was neck-deep in the BSD community, but my reaction was "wow .... some things never change"  - it's nice to know Theo and the OpenBSD folx are pretty much exactly the same as they've always been. Some things will always remain constant..... OpenBSD's nature seems a constant. :)
>> 
>> -Trish
>> 
>> 
> 
> A few months embargo??  You must be kidding me.  It seems that only OpenBSD project is taking seriously their userbase and their security.
> 
> --Andy 
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20171016/589a7976/attachment.htm>


More information about the talk mailing list