[talk] OpenBSD Reprimanded for Patching Krack Attacks Vulnerability

Charles Sprickman spork at bway.net
Wed Oct 18 16:01:28 EDT 2017

> On Oct 18, 2017, at 9:55 AM, Malcolm Matalka <mmatalka at gmail.com> wrote:
> Andy Kosela <akosela at andykosela.com> writes:
>> On Monday, October 16, 2017, Siobhan Lynch <slynch2112 at me.com> wrote:
>>> On Oct 16, 2017, at 09:37 AM, Raul Cuza <raulcuza at gmail.com> wrote
>>> From https://www.krackattacks.com/
>>> [quote]
>>> Why did OpenBSD silently release a patch before the embargo?
>>> OpenBSD was notified of the vulnerability on 15 July 2017, before
>>> CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt
>>> replied and critiqued the tentative disclosure deadline: “In the open
>>> source world, if a person writes a diff and has to sit on it for a
>>> month, that is very discouraging”. Note that I wrote and included a
>>> suggested diff for OpenBSD already, and that at the time the tentative
>>> disclosure deadline was around the end of August. As a compromise, I
>>> allowed them to silently patch the vulnerability. In hindsight this
>>> was a bad decision, since others might rediscover the vulnerability by
>>> inspecting their silent patch. To avoid this problem in the future,
>>> OpenBSD will now receive vulnerability notifications closer to the end
>>> of an embargo.
>>> [/quote]
>>> Because the OpenBSD project has quick turn around time on bug patches,
>>> they will now be given the information later so they will not release
>>> patches before other projects. Why does this remind of a story from
>>> Flash Boys by Michael Lewis?
>>> Raúl
>>> ------
>>> LOL, yeah I noticed that as well.... it's been a minute since I was
>>> neck-deep in the BSD community, but my reaction was "wow .... some things
>>> never change" - it's nice to know Theo and the OpenBSD folx are pretty
>>> much exactly the same as they've always been. Some things will always
>>> remain constant.... OpenBSD's nature seems a constant. :)
>>> -Trish
>> A few months embargo?? You must be kidding me. It seems that only the OpenBSD
>> project is taking their userbase and their security seriously.
>> --Andy
> According to an OpenBSD dev, they agreed to the initial embargo
> reluctantly and then the rules around the embargo changed and they
> weren't willing to go along with it so they went by the original
> embargo:
> https://lobste.rs/s/dwzplh/krack_attacks_breaking_wpa2#c_pbhnfz

Tangent: Ruckus, one of the best enterprise APs out there (on the RF side) STILL
does not have this patched and will not have it patched until at least 10/30. They
are on the list of companies that had access to the details in August. How sad
is that?


>> _______________________________________________
>> talk mailing list
>> talk at lists.nycbug.org
>> http://lists.nycbug.org/mailman/listinfo/talk
