Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
William Unruh
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?

On 2017-10-18, harry newton wrote:
He who is William Unruh said on Wed, 18 Oct 2017 18:25:42 -0000 (UTC):

The problem is less than you would expect since it requires that the bad
guys actually do the diff. I doubt that there are many who take each
update of kernel/programs, diff them and try to figure out whether it
was a security update they could use, or some other update which is
of no use to them. I.e., unless the code or the press point direct fingers
at it, they have no particular reason to zero in on the changes.


Thanks William (and Marek), for explaining what the problem is, but what
did the researcher propose as the *solution* for open-source code?

Did he propose that OpenBSD *wait* until the announcement 50 days later?
How is the researcher going to *enforce* that 50-day waiting period?


Yes, wait.
Enforcement is a non-issue. He cannot force compliance. He can however
let it be known what they did which will then cause others not to tell
OpenBSD anything when the next problem arises. The people doing open
source distros are responsible people and their intention is not to make
it easy for the bad guys to do nasty things.


I don't know *how* to solve this, and I don't understand what the Krack
Attack researcher proposed for what Theodore should have done.


Their position now seems to be that Theodore should have waited until
Oct 16 when they announced it, and immediately rolled out the fixes on
that date (as for example Debian did).


I see you answered my fundamental confusion (see below).

1. Researcher finds bug on day 0 & plans to announce it 50 days later.
2. OpenSource community has to *wait* until the announcement to ship fixes.
3. Closed-source community can ship when? (any time or wait the 50 days?)

If that's the rules, it seems like it's going to be difficult to *enforce*.

He used the words "sit on a diff",

Make the fix, but do not release it until the embargo is over.


Thank you for confirming he wanted OpenBSD to sit and wait before releasing


And that made Theo uncomfortable, so he asked permission to ship early.
He did not simply go ahead and do it.

the code. I was worried that some *other* researcher ran a diff and had to
"sit on his discovery of that diff" which would have revealed to the
second researcher what the flaw in wpa_supplicant was.

What you're telling me is that nobody did that manual third-party "diff" of
the source code so it wasn't revealed in the wild to a third party to our
knowledge before the 50-day waiting period was up.


We will never know for sure of course. But there was apparently no
evidence that this crack was actually used in the wild. Of course NSA may
have discovered it 5 years ago, or perhaps ISIS did.


(Note Marek said 60 days but I think the researchers mentioned only 50 days
but let's not quibble if either one of us is wrong as it's close enough.)

I'm confused about one of two events, as to what the researcher wanted:
1. Did he want Theodore to just *sit* on the fix & wait?


He wanted him to sit on the fix until the bug was announced and everyone
could release the fix at the same time.


That would mean *every* open-source vendor would have to "sit on the fix"
until the announcement. That's fine if the researcher can enforce that.


What is your hang up about "enforce"?



I guess that is what the standard *should* be but who decides such things?


Again you are hung up on an "enforce"/central authority thing. People can
behave well all on their own, without legal sanctions or centralized
laws.


Note that Theo asked him for permission to release the fix arguing that
it was important for his users not to be open to attack. But he asked
permission. That permission was given, but regretted.


Ah. THANK YOU FOR EXPLAINING. I *knew* there was regret, but to me, a
"diff" is something a third party does of the open-source code to figure
out what's different. The guy who wrote the code doesn't have to run a
"diff" because he *knows* what he wrote.


The permission was to release a patch for the problem. The bad guys
could then run a diff on the released new code to see what was changed.
That is where the diff comes in.



So I thought a third party who accidentally found out about the bug by
doing a "diff" on the open-source code had to "sit" on it. But that didn't
make sense given the rest of the conversation.


The worry was that by releasing a patched system, it made it easier for
some bad guy to discover there was a problem and what it was.



So THANK YOU for explaining that:
A. Researcher finds bug on day 0 & gives all vendors 50 days to fix.
B. OpenBSD fixes it early and asks for permission to ship the code.
C. Researcher provides permission but then regrets that decision.

In the future, I guess, researcher wishes to deny *permission* of
open-source code to ship the fix early, which is a moral conundrum indeed.

And how does the researcher *enforce* this denial of permission to ship
open-source code?


And again. Note that thousands of security holes have been found and
announcement embargoed in the past. So there is a history of the open
source community acting responsibly.


2. Or did he propose not giving Theodore enough info to fix it next time?


No, "all" vendors were notified of the problem in August. So everyone
had the opportunity to fix it. The request was to hold off on the
implementation until a certain date so everyone could fix it at the same
time without warning the bad guys beforehand.


I see the moral conundrum which pits the visibility of open-source code
against the obfuscation of proprietary code for the case of a knowledgeable
bad guy...

I. In open-source code, a bad guy can do a *diff* to see what changed.
II. If something interesting changed, a bad guy can take advantage of it.
III. In effect, they get to have their own personal 0-day vulnerability.

For the price of a "diff", the bad guy gets his own 0-day vulnerability.
It's a moral conundrum I had never even thought about until today.


Yes, but many many others have thought about it.