[talk] OpenBSD Repremianded for Patching Krack Attacks Vunerability

Malcolm Matalka mmatalka at gmail.com
Wed Oct 18 09:55:05 EDT 2017


Andy Kosela <akosela at andykosela.com> writes:

> On Monday, October 16, 2017, Siobhan Lynch <slynch2112 at me.com> wrote:
>
>>
>> On Oct 16, 2017, at 09:37 AM, Raul Cuza <raulcuza at gmail.com
>> <javascript:_e(%7B%7D,'cvml','raulcuza at gmail.com');>> wrote
>>
>>
>> From https://www.krackattacks.com/
>> [quote]
>>
>> Why did OpenBSD silently release a patch before the embargo?
>>
>> OpenBSD was notified of the vulnerability on 15 July 2017, before
>> CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt
>> replied and critiqued the tentative disclosure deadline: “In the open
>> source world, if a person writes a diff and has to sit on it for a
>> month, that is very discouraging”. Note that I wrote and included a
>> suggested diff for OpenBSD already, and that at the time the tentative
>> disclosure deadline was around the end of August. As a compromise, I
>> allowed them to silently patch the vulnerability. In hindsight this
>> was a bad decision, since others might rediscover the vulnerability by
>> inspecting their silent patch. To avoid this problem in the future,
>> OpenBSD will now receive vulnerability notifications closer to the end
>> of an embargo.
>> [/quote]
>>
>> Because the OpenBSD project has quick turn around time on bug patches,
>> they will now be given the information later so they will not release
>> patches before other projects. Why does this remind of a story from
>> Flash Boys by Michael Lewis?
>>
>> Raúl
>>
>> ------
>>
>> LOL, yeah I noticed that as well.... its been a minute since I was
>> neck-deep in the BSD community, but my reaction was "wow .... some things
>> never change"  - it's nice to know Theo and the OpenBSD folx are pretty
>> much exactly the same as they've always been. Some things will always
>> remain constant.... OpenBSD's nature seems a constant. :)
>>
>> -Trish
>>
>>
>>
> A few months embargo??  You must be kidding me.  It seems that only OpenBSD
> project is taking seriously their userbase and their security.
>
> --Andy

According to an OpenBSD dev, they agreed to the initial embargo
reluctantly and then the rules around the embargo changed and they
weren't willing to go along with it so they went by the original
embargo:

https://lobste.rs/s/dwzplh/krack_attacks_breaking_wpa2#c_pbhnfz


> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk




More information about the talk mailing list