[talk] OpenBSD Repremianded for Patching Krack Attacks Vunerability
Charles Sprickman
spork at bway.net
Wed Oct 18 16:01:28 EDT 2017
> On Oct 18, 2017, at 9:55 AM, Malcolm Matalka <mmatalka at gmail.com> wrote:
>
> Andy Kosela <akosela at andykosela.com> writes:
>
>> On Monday, October 16, 2017, Siobhan Lynch <slynch2112 at me.com> wrote:
>>
>>>
>>> On Oct 16, 2017, at 09:37 AM, Raul Cuza <raulcuza at gmail.com
>>> <javascript:_e(%7B%7D,'cvml','raulcuza at gmail.com');>> wrote
>>>
>>>
>>> From https://www.krackattacks.com/
>>> [quote]
>>>
>>> Why did OpenBSD silently release a patch before the embargo?
>>>
>>> OpenBSD was notified of the vulnerability on 15 July 2017, before
>>> CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt
>>> replied and critiqued the tentative disclosure deadline: “In the open
>>> source world, if a person writes a diff and has to sit on it for a
>>> month, that is very discouraging”. Note that I wrote and included a
>>> suggested diff for OpenBSD already, and that at the time the tentative
>>> disclosure deadline was around the end of August. As a compromise, I
>>> allowed them to silently patch the vulnerability. In hindsight this
>>> was a bad decision, since others might rediscover the vulnerability by
>>> inspecting their silent patch. To avoid this problem in the future,
>>> OpenBSD will now receive vulnerability notifications closer to the end
>>> of an embargo.
>>> [/quote]
>>>
>>> Because the OpenBSD project has quick turn around time on bug patches,
>>> they will now be given the information later so they will not release
>>> patches before other projects. Why does this remind of a story from
>>> Flash Boys by Michael Lewis?
>>>
>>> Raúl
>>>
>>> ------
>>>
>>> LOL, yeah I noticed that as well.... its been a minute since I was
>>> neck-deep in the BSD community, but my reaction was "wow .... some things
>>> never change" - it's nice to know Theo and the OpenBSD folx are pretty
>>> much exactly the same as they've always been. Some things will always
>>> remain constant.... OpenBSD's nature seems a constant. :)
>>>
>>> -Trish
>>>
>>>
>>>
>> A few months embargo?? You must be kidding me. It seems that only OpenBSD
>> project is taking seriously their userbase and their security.
>>
>> --Andy
>
> According to an OpenBSD dev, they agreed to the initial embargo
> reluctantly and then the rules around the embargo changed and they
> weren't willing to go along with it so they went by the original
> embargo:
>
> https://lobste.rs/s/dwzplh/krack_attacks_breaking_wpa2#c_pbhnfz <https://lobste.rs/s/dwzplh/krack_attacks_breaking_wpa2#c_pbhnfz>
Tangent: Ruckus, one of the best enterprise APs out there (on the RF side) STILL
does not have this patched and will not have it patched until at least 10/30. They
are on the list of companies that had access to the details in August. How sad
is that?
Charles
>
>
>> _______________________________________________
>> talk mailing list
>> talk at lists.nycbug.org
>> http://lists.nycbug.org/mailman/listinfo/talk
>
> _______________________________________________
> talk mailing list
> talk at lists.nycbug.org
> http://lists.nycbug.org/mailman/listinfo/talk
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.nycbug.org:8443/pipermail/talk/attachments/20171018/76f810ab/attachment.htm>
More information about the talk
mailing list