Comment by Reventlov
4 years ago
Mathy strikes again! This has been fixed in Linux and certain firmware / driver already: https://lore.kernel.org/linux-wireless/20210511180259.159598...
Only because they agreed to sit on the patches for an inordinate amount of time.
Theo de Raadt did the right thing for KRACK. Shame it would be his only chance to do so before getting kicked out of Mathy Vanhoef's secret club.
If you want up-to-the-second research results on Wi-Fi vulnerabilities, you are welcome to start your own research group, generate your own results, and share them however you'd like. You are not entitled to access to other people's results on your own terms.
I'm not a believer in coordinated disclosure and long embargoes (I think P0 does it just about right, though I'd make it 45 days instead of 90). But if I was offered information about a protocol vulnerability under a long embargo, accepted it, and then broke the embargo terms, I wouldn't whine about it next time when I wasn't included. Honestly: I wouldn't whine about it under any circumstances, even if I studiously complied with the embargo. Because we're not entitled to other people's work.
You have mischaracterized the original agreement.
I'm out of the loop. Expand?
From someone mostly out of the drama loop, here's my brief recollection:
Generally in the security sphere we consider it the most ethical and responsible to give vendors plenty of time to patch vulnerabilities, especially critical ones, before publishing details or anything that could lead to a working 0-day exploit.
Theo de Raadt was one of the people notified of a previous WiFi exploit, and there was a set length of time intended for the vulnerability to be made private, in order for the (inordinately slow) vendors to create and push/prepare patches. If the patches were released early, it'd be easy to determine what the original vulnerability was.
So, Theo de Raadt decided, in the interest of keeping OpenBSD secure, to push the patch early, effectively letting the whole cat out of the bag. I'm not going to get into the drama of whether that was right, wrong, foolish, wise, whatever, but because of that, he no longer receives these ahead-of-time notifications of vulnerabilities.
https://www.krackattacks.com/
Probably referring to the internet drama related to silent patching and disclosure embargo. There are some details here, and others on various mailing lists, including an airing of differences if you want to look for that sort of thing after making a bowl of popcorn.
So these patches are for “Linux IEEE 802.11 implementation (mac80211)” and ath10k/ath11k.