Comment by DanAtC
4 years ago
Only because they agreed to sit on the patches for an inordinate amount of time.
Theo de Raadt did the right thing for KRACK. Shame it would be his only chance to do so before getting kicked out of Mathy Vanhoef's secret club.
If you want up-to-the-second research results on Wi-Fi vulnerabilities, you are welcome to start your own research group, generate your own results, and share them however you'd like. You are not entitled to access to other people's results on your own terms.
I'm not a believer in coordinated disclosure and long embargoes (I think P0 does it just about right, though I'd make it 45 days instead of 90). But if I was offered information about a protocol vulnerability under a long embargo, accepted it, and then broke the embargo terms, I wouldn't whine about it next time when I wasn't included. Honestly: I wouldn't whine about it under any circumstances, even if I studiously complied with the embargo. Because we're not entitled to other people's work.
You have mischaracterized the original agreement.
I read the email thread, and stsp's comments on Lobsters. I get that there's a grudging agreement on both sides that OpenBSD can't abide by long embargoes, and will simply get notified later in the process when those are expected. That seems like a fine outcome, and not a cause to dunk on a researcher for having a "secret club".
2 replies →
I'm out of the loop. Expand?
From someone mostly out of the drama loop, here's my brief recollection:
Generally in the security sphere we consider it the most ethical and responsible to give vendors plenty of time to patch vulnerabilities, especially critical ones, before publishing details or anything that could lead to a working 0-day exploit.
Theo de Raadt was one of the people notified of a previous WiFi exploit, and there was a set length of time intended for the vulnerability to be made private, in order for the (inordinately slow) vendors to create and push/prepare patches. If the patches were released early, it'd be easy to determine what the original vulnerability was.
So, Theo de Raadt decided, in the interest of keeping OpenBSD secure, to push the patch early, effectively letting the whole cat out of the bag. I'm not going to get into the drama of whether that was right, wrong, foolish, wise, whatever, but because of that, he no longer receives these ahead-of-time notifications of vulnerabilities.
There are at least two things wrong with this comment. First, OpenBSD did not push the patch earlier than agreed. Second, OpenBSD did not push the patch without permission.
Mathy originally reported the vulnerability to OpenBSD on July 15 under embargo, and estimated it would be lifted by the end of August (1.5 months after disclosure). Theo argued that 1.5 months was too long, but didn’t push the patch. Then on August 14, Mathy said the final public disclosure date would be October 16 (three months after initial disclosure), but agreed to allow OpenBSD to patch early. Although he didn’t like it, and has since said he would not give such permission again, he agrees that OpenBSD did commit with his permission.
Direct quote from Mathy: “From my point of view, I sent one mail on 14 August where I mentioned the new disclosure date of 16 Oct. In that same mail I also gave the OK to quietly commit a fix.” https://marc.info/?l=openbsd-tech&m=152909822107104&w=2
People portray OpenBSD as a project that ignores embargoes, and point to KRACK as an example. But Theo didn’t ignore the KRACK embargo. Rather, Theo successfully persuaded Mathy to allow OpenBSD to patch the vulnerability a full month and a half after all vendors had been informed.
I’m commenting on this because I think simply pushing back against the length of an embargo should not be characterized as breaking an embargo.
There were a lot of vendors in the KRACK embargo. The risk of the vulnerability leaking to the black market or malicious governments is real. As the length of the embargo increases, this risk increases dramatically. Big vendors are incentivized to pressure researchers to extend the embargo as long as possible. Open source projects are forced to hold off on committing bugfixes, leaving their users potentially vulnerable. If a project pushes back against a long embargo, or through persuasion manages to finagle permission to release an unobtrusive fix “early,” that project is characterized as an untrustworthy embargo breaker and left out of future embargoes. So open source projects are incentivized to sit down, shut up, ignore the threat to their users, and let the big vendors dawdle in their bugfixes.
6 replies →
> Generally in the security sphere we consider it the most ethical and responsible to give vendors plenty of time to patch vulnerabilities
Can you provide more context for this point? As somebody with some experience in infosec, I don’t think that’s actually so clear cut. There are people who believe coordinating with vendors is the right course, and people who believe embargoes compromise users’ ability to make safe choices. There are also people who think the right course depends on the individual vuln/system.
2 replies →
>Generally in the security sphere we consider it the most ethical and responsible
I would reword this to say
>Generally in the security sphere we consider it the most obedient
The earlier wording severely disadvantages the end-user of the opportunity to know that they are working with broken software and to find an alternative.
1 reply →
https://www.krackattacks.com/
Probably referring to the internet drama related to silent patching and disclosure embargo. There are some details here, and others on various mailing lists, including an airing of differences if you want to look for that sort of thing after making a bowl of popcorn.