Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
harry newton harry newton is offline
Default Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?

He who is William Unruh said on Wed, 18 Oct 2017 02:25:28 -0000 (UTC):

> And the closed source community has a problem with never actually fixing
> the problems (see most of the wireless router manufacturers).


Hi William,
I'm not sure what you mean, but I guess what you're saying is that firmware
is only available for the newest routers, which I would agree with. Is that
what you're saying?

> As can be seen from the debate that occurred re Krack and OpenBSD.
> Theodore felt that leaving his users hanging completely exposed was not
> a good idea, and eventually the Krack finder agreed (only to regret it
> later).


Thanks William for understanding what I was talking about. I do see the
conundrum, which is the following, put bluntly:
1. Researcher finds vulnerability on day 0 & secretly informs vendors
2. Proprietary-code vendors fix & release code & nobody is the wiser
3. Open-source vendors fix & release code & anyone can do a "diff"

The problem is that the bad guys can do the diff and then get a jump in the
wild on building an attack vector.

I don't know *how* to solve this, and I don't understand what the Krack
Attack researcher proposed for what Theodore should have done.

> It is a real moral conundrum. Did anyone actually notice that
> OpenBSD could be used to reveal the bug?


William,
Can you help me understand what the researcher prefers for next time?

He used the words "sit on a diff", which I took to mean that someone *knew*
what the changes were and had to "sit on it" (and not tell anyone). (Yes,
I'm well aware of what a "diff" is in the Bash world anyway, which is just
a command revealing what's different.)

I'm confused about one of two events, as to what the researcher wanted:
1. Did he want Theodore to just *sit* on the fix & wait?
2. Or did he propose not giving Theodore enough info to fix it next time?

> Ofttimes fear makes one think
> that everyone in the world can see right through you and see what you
> are trying to hide, while actually no one does.
> So it was not a problem, but a true moral conundrum where no answer is
> right.


But what is the *standard* approach in this situation for open-source code?
What did the researcher propose for open-source code vendors?
1. Did he propose that they not release the code until it's public?
2. Or did he propose not *telling* the open-source community early?

I'm confused what the suggested "solution" by the researcher was.