Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
Richard Kettlewell[_2_]
Default Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?

harry newton writes:
> I see you answered my fundamental confusion (see below).
>
> 1. Researcher finds bug on day 0 & plans to announce it 50 days later.
> 2. OpenSource community has to *wait* until the announcement to ship fixes.
> 3. Closed-source community can ship when? (any time or wait the 50 days?)
>
> If that's the rules, it seems like it's going to be difficult to *enforce*.


Policies like this can be maintained by requiring recipients of
vulnerability predisclosures to agree to maintain confidentiality prior
to embargo dates. An organization could choose to break that agreement,
but they shouldn't expect to be trusted with predisclosures in the
future if they do so.

> I see the moral conundrum which pits the visibility of open-source code
> against the obfuscation of proprietary code for the case of a knowledgeable
> bad guy...
>
> I. In open-source code, a bad guy can do a *diff* to see what changed.
> II. If something interesting changed, a bad guy can take advantage of it.
> III. In effect, they get to have their own personal 0-day vulnerability.


You can inspect object code to discover what the bugs were, too. A
high-profile example was the 2015 analysis of the Juniper RNG
vulnerability, where no source code was required.

--
https://www.greenend.org.uk/rjk/