Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
William Unruh
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?

On 2017-10-18, Doomsdrzej wrote:
On Wed, 18 Oct 2017 02:25:28 -0000 (UTC), William Unruh wrote:

On 2017-10-17, harry newton wrote:
He who is s|b said on Tue, 17 Oct 2017 22:36:45 +0200:

Microsoft releases statement on KRACK Wi-Fi vulnerability
https://www.windowscentral.com/microsoft-releases-statement-krack-wi-fi-vulnerability

What's interesting is that the open-source community has a problem with
diffs letting the cat out of the bag too soon (witness openbsd).


And the closed source community has a problem with never actually fixing
the problems (see most of the wireless router manufacturers).

As can be seen from the debate that occurred re Krack and OpenBSD.
Theodore felt that leaving his users hanging completely exposed was not
a good idea, and eventually the Krack finder agreed (only to regret it
later). It is a real moral conundrum. Did anyone actually notice that
OpenBSD could be used to reveal the bug? Ofttimes fear makes one think
that everyone in the world can see right through you and see what you
are trying to hide, while actually no one does.
So it was not a problem, but a true moral conundrum where no answer is
right.


I have to disagree with the first statement. The open-source community
does fix bugs which are very well-known and widespread. That is why


Note that the fix for Krack was not a fix in the distributions, but a
fix to wpa_supplicant, an external program. So the key person who
should be notified was the developer of wpa_supplicant.
Note that the "zero password" problem, probably the worst of the lot,
could have been fixed privately as if it were a minor improvement (e.g.
instead of zeroing the password, it could have been filled with random
characters and released without inciting much suspicion). Of course making
sure that users actually upgraded would have been a challenge without
the urgency of it being a major flaw that could be attacked.


Krack already has a fix. It's the smaller issues, like graphical
glitches that only affect about 25% of their users which they might
not actually fix. They only prioritize whatever they know they can't
get away without fixing.


Who are you talking about here? There is a big difference between a bug
which only annoys and a bug which is a security issue.