Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
harry newton
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?

He who is William Unruh said on Wed, 18 Oct 2017 18:41:25 -0000 (UTC):

> Note that the fix for Krack was not a fix in the distributions, but a
> fix to wpa_supplicant, an external program. So the key person who
> should be notified was the developer of wpa_supplicant.


Thanks William (although I know you're responding to someone else) for
bringing up a second moral conundrum, which is how many people to tell.

Since we all know that a secret is no longer a secret if everyone knows
about it, do they normally enforce secrecy rules among *all* developers of
code?

I can imagine, for example, that the Chinese government has at least one
programmer in their employ at *every* software company in the USA (as just
one example), where that programmer is a sleeper (which is trivial for them
to do, so I can't believe they don't do it, so I assume that they do).

The moral question that arises is:
Do you tell that sleeper if he is NOT the developer of "wpa_supplicant"?

> Note that the "zero password" problem, probably the worst of the lot,
> could have been fixed privately as if it were a minor improvement (e.g.,
> instead of zeroing the password, it could have been filled with random
> characters and released without inciting much suspicion). Of course making
> sure that users actually upgraded would have been a challenge without
> the urgency of it being a major flaw that could be attacked.


If we couple the fact that the bad guys (e.g., the Russian mafia, the
Communist sleepers, the NSA/CIA/FBI/GCHQ, etc.,) have an immense bankroll
with the fact that a 'diff' is so obvious to run on open-source code, I
don't know what the *standard* solution is when it gets down to details.

William and Marek already said that the researcher wanted OpenBSD to sit on
the release of the fix until the vulnerability was announced, which opens
up "fork" issues (which may be minor though).

Worse - it opens up the "sleeper" issue depending on what the "need to
know" classified level of who gets to know about the bug before it's
released.

Does everyone sign an NDA before they're told about the bug?
Who enforces when/if that NDA is broken?