Home |
Search |
Today's Posts |
|
Electronics Repair (sci.electronics.repair) Discussion of repairing electronic equipment. Topics include requests for assistance, where to obtain servicing information and parts, techniques for diagnosis and repair, and annecdotes about success, failures and problems. |
Reply |
|
|
LinkBack | Thread Tools | Display Modes |
#1
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
https://www.krackattacks.com I reported it yesterday over here with links... https://groups.google.com/forum/#!forum/alt.internet.wireless They made it public a half hour ago: https://groups.google.com/d/msg/alt.internet.wireless/vn8yRnm7UF8/N89Wcd_OAAAJ Manufacturers apparently had 50 days to effect the fix: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 https://papers.mathyvanhoef.com/ccs2017.pdf -- No need to respond; this is just FYI... |
#2
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
The weaknesses are in the Wi-Fi standard itself, and not in individual
products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. If your device supports Wi-Fi, it is most likely affected. Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. The research behind the attack will be presented at the Computer and Communications Security (CCS) conference, and at the Black Hat Europe conference. Our detailed research paper can already be downloaded. DEMONSTRATION As a proof-of-concept we executed a key reinstallation attack against an Android smartphone. In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info). When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted. In any case, the following demonstration highlights the type of information that an attacker can obtain when performing key reinstallation attacks against protected Wi-Fi networks: Any data or information that the victim transmits can be decrypted. Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website). Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps. |
#3
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 16-Oct-17 2:59 PM, harry newton wrote:
The weaknesses are in the Wi-Fi standard itself, and not in individual products or implementations. Therefore, any correct implementation of WPA2 is likely affected. To prevent the attack, users must update affected products as soon as security updates become available. If your device supports Wi-Fi, it is most likely affected. Android, Linux, Apple, Windows, OpenBSD, MediaTek, Linksys, and others, are all affected by some variant of the attacks. The research behind the attack will be presented at the Computer and Communications Security (CCS) conference, and at the Black Hat Europe conference. Our detailed research paper can already be downloaded. DEMONSTRATION As a proof-of-concept we executed a key reinstallation attack against an Android smartphone. In this demonstration, the attacker is able to decrypt all data that the victim transmits. For an attacker this is easy to accomplish, because our key reinstallation attack is exceptionally devastating against Linux and Android 6.0 or higher. This is because Android and Linux can be tricked into (re)installing an all-zero encryption key (see below for more info). When attacking other devices, it is harder to decrypt all packets, although a large number of packets can nevertheless be decrypted. In any case, the following demonstration highlights the type of information that an attacker can obtain when performing key reinstallation attacks against protected Wi-Fi networks: Any data or information that the victim transmits can be decrypted. Additionally, depending on the device being used and the network setup, it is also possible to decrypt data sent towards the victim (e.g. the content of a website). Although websites or apps may use HTTPS as an additional layer of protection, we warn that this extra protection can (still) be bypassed in a worrying number of situations. For example, HTTPS was previously bypassed in non-browser software, in Apple's iOS and OS X, in Android apps, in Android apps again, in banking apps, and even in VPN apps. FYI https://www.krackattacks.com/ -- David B. |
#4
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
He who is David_B said on Mon, 16 Oct 2017 15:13:58 +0100:
FYI https://www.krackattacks.com/ That link was already in the original post. In cryptography, a nonce is a neologism for an arbitrary number that may only be used once, similar in spirit to the occasionalism lexeme "nonce word" (as are the headwords of any dictionary). Here is a related link to the Blackhat briefing that wasn't in the OP: https://www.blackhat.com/eu-17/briefings/schedule/#key-reinstallation-attacks-breaking-the-wpa2-protocol-8861 "We have discovered several key management vulnerabilities in the Wi-Fi Protected Access II (WPA2) security protocol. These can be exploited using so-called key reinstallation attacks. Because this is a protocol-level issue, most correct implementations of the standard are affected. Put differently, most protected Wi-Fi networks, including personal and enterprise WPA2 networks, are affected. All clients and access points that we tested in practice were vulnerable to some variant of the attack. The precise impact depends on the specific variant(s) of the attack that an implementation is vulnerable to." Bear in mind that the attacker has to be in close proximity to your device to effect the attack, and that no known variants are in the wild yet, so it's not something to worry about except to start looking for when the patches come out for all your devices that handle the WiFi WPA2/PSK protocol. -- See also en.wikipedia.org/wiki/Cryptographic_nonce |
#5
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 16/10/2017 8:46 PM, harry newton wrote:
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet? https://www.krackattacks.com I reported it yesterday over here with links... https://groups.google.com/forum/#!forum/alt.internet.wireless ... Did you notice that these hacks always happen BEFORE someone fixed it? Are they all security traps, planted into router firmware by design? -- @~@ Remain silent! Drink, Blink, Stretch! Live long and prosper!! / v \ Simplicity is Beauty! /( _ )\ May the Force and farces be with you! ^ ^ (x86_64 Ubuntu 9.10) Linux 2.6.39.3 不借貸! 不詐騙! 不援交! 不打交! 不打劫! 不自殺! 請考慮綜援 (CSSA): http://www.swd.gov.hk/tc/index/site_...sub_addressesa |
#6
Posted to sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On Monday, October 16, 2017 at 11:57:56 AM UTC-4, Mr. Man-wai Chang wrote:
Did you notice that these hacks always happen BEFORE someone fixed it? Are they all security traps, planted into router firmware by design? a) If the fix were in, then they could not happen. b) Otherwise, it would not be a Hack. You need to brush up on your logic. Peter Wieck Melrose Park, PA |
#7
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
He who is Mr. Man-wai Chang said on Mon, 16 Oct 2017 23:57:50 +0800:
Did you notice that these hacks always happen BEFORE someone fixed it? Are they all security traps, planted into router firmware by design? This nonce KRACK vulnerability is in *everything*, including smart phones (iOS & Android) and computers (Mac/Windows/Linux) and routers (Netgear/Cisco/TPLink) .... It even affects web sites (e.g., Match.com)... It's more than just routers, so it's *big* - but bear in mind a. Fixes will be out soon b. Nothing is known in the wild yet c. You have to be nearby to be vulnerable Still, since it affects *everything* using WPA2 (business and personal), it's a big deal nonetheless. All you can do is wait for the patch when it comes out for each of your devices that implement the affected encryption protocol. |
#8
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
It appears if you do not use or have WiFi and WPS enabled you should be
secure from this. Since I have both disabled I assume I am safe because I use neither. --- Bill Brought to you from Anchorage, Alaska "harry newton" wrote in message news Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet? https://www.krackattacks.com I reported it yesterday over here with links... https://groups.google.com/forum/#!forum/alt.internet.wireless They made it public a half hour ago: https://groups.google.com/d/msg/alt.internet.wireless/vn8yRnm7UF8/N89Wcd_OAAAJ Manufacturers apparently had 50 days to effect the fix: Key Reinstallation Attacks: Forcing Nonce Reuse in WPA2 https://papers.mathyvanhoef.com/ccs2017.pdf -- No need to respond; this is just FYI... |
#9
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
He who is Bill Bradshaw said on Mon, 16 Oct 2017 09:23:19 -0800:
It appears if you do not use or have WiFi and WPS enabled you should be secure from this. Since I have both disabled I assume I am safe because I use neither. More so than routers, mostly all known wifi "clients" are affected (e.g., all consumer smartphones and computers) that use either WPA or WPA2 (enterprise or personal), and even against networks that just use AES. Some encrypted web sites are also affected, such as Match.com (as shown in the aforementioned video). So you're right that it's not a big deal that there is no encryption in all these cases because the the man in the middle has to be nearby. |
#10
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
On Mon, 16 Oct 2017 12:46:08 +0000 (UTC), harry newton wrote:
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet? https://www.krackattacks.com Still waiting for an update for my TP-Link Archer C7 router. If I understand all this correctly, then I'll also need an update for my Nexus 5X? -- s|b |
#11
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 10/16/17 20:00, harry newton wrote:
He who is Bill Bradshaw said on Mon, 16 Oct 2017 09:23:19 -0800: It appears if you do not use or have WiFi and WPS enabled you should be secure from this.* Since I have both disabled I assume I am safe because I use neither. More so than routers, mostly all known wifi "clients" are affected (e.g., all consumer smartphones and computers) that use either WPA or WPA2 (enterprise or personal), and even against networks that just use AES. Some encrypted web sites are also affected, such as Match.com (as shown in the aforementioned video). They do use a tool commonly used in man-in-the-middle attacks, to strip away the tls and send the content to the client machine unencrypted. As they did explain in the video, many don't check in their mobile devices that they have tls communication or not and those they will be able to carry out the attack to see the the login credentials in this example. This has nothing to do with KRACK itself. So you're right that it's not a big deal that there is no encryption in all these cases because the the man in the middle has to be nearby. There are devices that can give an attacker quite long range to execute their attacks on, so you ain't safe just for you don't see anyone nearby. -- //Aho |
#12
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 10/16/17 20:55, s|b wrote:
On Mon, 16 Oct 2017 12:46:08 +0000 (UTC), harry newton wrote: Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet? https://www.krackattacks.com Still waiting for an update for my TP-Link Archer C7 router. If I understand all this correctly, then I'll also need an update for my Nexus 5X? It's more important to update the client than the server. |
#13
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 2017-10-16, s|b wrote:
On Mon, 16 Oct 2017 12:46:08 +0000 (UTC), harry newton wrote: Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet? https://www.krackattacks.com Still waiting for an update for my TP-Link Archer C7 router. If I understand all this correctly, then I'll also need an update for my Nexus 5X? I think, but do not know for sure, that the primary thing that needs to protected is the client not the Access point. Ie, your Android (do they use wpa_supplicant, since Android is based on Linux?) IOs , or your laptop. As far as I have seen, there is no fix out yet for wpa_supplicant. It seems that the reason Windows is more resistant is because they did not no impliment the full spec for WPA2. |
#14
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 2017-10-16, J.O. Aho wrote:
It's more important to update the client than the server. Is this something that MS can push an update out for to fix, or does the wifi chip vendor need to fix device firmware or device driver? -- ----------------------------------------------------------------------------- Roger Blake (Posts from Google Groups killfiled due to excess spam.) NSA sedition and treason -- http://www.DeathToNSAthugs.com Don't talk to cops! -- http://www.DontTalkToCops.com Badges don't grant extra rights -- http://www.CopBlock.org ----------------------------------------------------------------------------- |
#15
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
He who is J.O. Aho said on Mon, 16 Oct 2017 21:08:48 +0200:
They do use a tool commonly used in man-in-the-middle attacks, to strip away the tls and send the content to the client machine unencrypted. As they did explain in the video, many don't check in their mobile devices that they have tls communication or not and those they will be able to carry out the attack to see the the login credentials in this example. This has nothing to do with KRACK itself. Thanks for explaining *how* they manage to unencrypt *some* encrypted web sites but not others, as I wasn't sure how they did that. I was wrong in assuming it was the KRACK attack, which seems to be that they simply hijack the third of the four handshakes, usually from the client side, and force it to be resent where in some cases, it's resent as all zeroes where in other cases it's just resent as a known nonce. Is that a decent summary or can you summarize the attack mode better? |
#16
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
He who is William Unruh said on Mon, 16 Oct 2017 19:58:55 -0000 (UTC):
It seems that the reason Windows is more resistant is because they did not no impliment the full spec for WPA2. Thanks for explaining that as this nonce stuff has certain unexpected nuances. However, we have to be a bit careful with any early conclusions such as mine yesterday (before the paper came out) that routers were originally involved more so than clients, which turns out, as noted, to be not the case - the mobile device and desktop clients are the weak link here. However, all conclusions from the paper at the moment are preliminary because the paper was sent for review on the 19th May where the authors found out more information afterward that's not in the paper, but it *does* seem that some OS'es (e.g., MacOS & Android 6+ & Ubuntu, for example) are apparently far more acutely affected than are the Windows based WPA1 and WPA1 implementations (or the iOS implementation). |
#17
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
harry newton wrote:
He who is Bill Bradshaw said on Mon, 16 Oct 2017 09:23:19 -0800: It appears if you do not use or have WiFi and WPS enabled you should be secure from this. Since I have both disabled I assume I am safe because I use neither. More so than routers, mostly all known wifi "clients" are affected (e.g., all consumer smartphones and computers) that use either WPA or WPA2 (enterprise or personal), and even against networks that just use AES. Some encrypted web sites are also affected, such as Match.com (as shown in the aforementioned video). So you're right that it's not a big deal that there is no encryption in all these cases because the the man in the middle has to be nearby. Ubuntu just pushed out a patch today. sudo apt-get update && sudo apt-get -y upgrade and you are good to go. -- Take care, Jonathan ------------------- LITTLE WORKS STUDIO http://www.LittleWorksStudio.com |
#18
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
He who is Jonathan N. Little said on Mon, 16 Oct 2017 18:13:09 -0400:
Ubuntu just pushed out a patch today. sudo apt-get update && sudo apt-get -y upgrade and you are good to go. We have to be careful about "a patch" since there are actually multiple vulnerabilities, although perhaps one patch fixes all. Ubiquiti released this today for example...where my rooftop radios can pick up the signals from over a million people, so, that many people can attack me. "You are mostly covered if you are running v8.4.0 (AC series) or v6.0.7 (M series). We will fully resolve the issue with v8.4.2/v6.1.2 (betas aimed for the end of this week). Furthermore, our proprietary airMAX protocol makes simple attacks more difficult to carry out. Will be fully fixed with v8.4.2/v6.1.2: CVE-2017-13077: reinstallation of the pairwise key in the Four-way handshake CVE-2017-13078: reinstallation of the group key in the Four-way handshake CVE-2017-13079: reinstallation of the integrity group key in the Four-way handshake CVE-2017-13080: reinstallation of the group key in the Group Key handshake CVE-2017-13081: reinstallation of the integrity group key in the Group Key handshake Unaffected: CVE-2017-13082: accepting a retransmitted Fast BSS Transition Reassociation Request and reinstalling the pairwise key while processing it CVE-2017-13084: reinstallation of the STK key in the PeerKey handshake CVE-2017-13086: reinstallation of the Tunneled Direct-Link Setup (TDLS) PeerKey (TPK) key in the TDLS handshake CVE-2017-13087: reinstallation of the group key (GTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame CVE-2017-13088: reinstallation of the integrity group key (IGTK) when processing a Wireless Network Management (WNM) Sleep Mode Response frame" |
#19
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
Roger Blake wrote:
On 2017-10-16, J.O. Aho wrote: It's more important to update the client than the server. Is this something that MS can push an update out for to fix, or does the wifi chip vendor need to fix device firmware or device driver? Fixed on Patch Tuesday. Good luck collecting detailed proof though. https://social.technet.microsoft.com...0itprosecurity There's a Wifi architecture diagram here. This is so you can see the degrees of freedom allowed. https://docs.microsoft.com/en-us/win...e-architecture I'd wait for some "expert" opinion. I'd accept the opinion of the Microsoft staffer who wrote the patch :-) Anyone else, not so much. Paul |
#20
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
Paul wrote:
Roger Blake wrote: On 2017-10-16, J.O. Aho wrote: It's more important to update the client than the server. Is this something that MS can push an update out for to fix, or does the wifi chip vendor need to fix device firmware or device driver? Fixed on Patch Tuesday. Good luck collecting detailed proof though. https://social.technet.microsoft.com...0itprosecurity There's a Wifi architecture diagram here. This is so you can see the degrees of freedom allowed. https://docs.microsoft.com/en-us/win...e-architecture I'd wait for some "expert" opinion. I'd accept the opinion of the Microsoft staffer who wrote the patch :-) Anyone else, not so much. Paul Microsoft CVE Notice https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2017-13080 qpWhen did Microsoft release the security updates to address this vulnerability? Microsoft released security updates on October 10, 2017 as part of Update Tuesday to resolve this vulnerability in all affected editions of Windows. Customers who have Windows Update enabled and who applied the latest security updates are protected automatically. The Security Update Guide was updated on October 16, 2017 to provide full disclosure on this vulnerability in accordance with a multi-vendor coordinated disclosure. /qp Also, if using a NetGear router see.... https://kb.netgear.com/000049498/Security-Advisory-for-WPA-2-Vulnerabilities-PSV-2017-2826-PSV-2017-2836-PSV-2017-2837 /qp NETGEAR is aware of WPA-2 security vulnerabilities that affect NETGEAR products that connect to WiFi networks as clients. These vulnerabilities are potentially exploitable under the following conditions: Your devices are only vulnerable if an attacker is in physical proximity to and within wireless range of your network. ****Routers and gateways are only affected when in bridge mode**** (which is not enabled by default and not used by most customers). A WPA-2 handshake is initiated by a router in bridge mode only when connecting or reconnecting to a router /qp -- ...winston msft mvp windows experience 2007-2016, insider mvp 2016-2018 |
#21
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
He who is harry newton said on Mon, 16 Oct 2017 22:03:42 +-0000 (UTC):
Thanks for explaining that as this nonce stuff has certain unexpected nuances. Here's every patch for KRACK Wi-Fi vulnerability available right now http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/ Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in a software update in a few weeks. MORE SECURITY NEWS WPA2 security flaw puts almost every Wi-Fi device at risk of hijack, eavesdropping Homeland Security orders federal agencies to start encrypting sites, emails +IAs-OnePlus dials back data collection after users protest These fake tax documents spread jRAT malware Arris: a spokesperson said the company is "committed to the security of our devices and safeguarding the millions of subscribers who use them," and is "evaluating" its portfolio. The company did not say when it will release any patches. Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug. AVM: This company may not be taking the issue seriously enough, as due to its "limited attack vector," despite being aware of the issue, will not be issuing security fixes "unless necessary." Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities." "Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention. "Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available," the spokesperson said. In other words, some patches are available, but others are pending the investigation. Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix. Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected. FreeBSD Project: There is no official response at the time of writing. Google: Google told sister-site CNET that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks." HostAP: The Linux driver provider has issued several patches in response to the disclosure. Intel: Intel has released a security advisory listing updated Wi-Fi drives and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers. Linux: As noted on Charged, a patch is a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July. Netgear: Netgear has released fixes for some router hardware. The full list can be found here. Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates. MikroTik: The vendor has already released patches that fix the vulnerabilities. OpenBSD: Patches are now available. (The *******s allowed a diff to be performed by the bad guys!) Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack. Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and requires testing for the bug for new members. Wi-Fi Standard: A fix is available for vendors but not directly for end users. At the time of writing, neither Toshiba and Samsung responded to our requests for comment. If that changes, we will update the story. |
#22
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 2017-10-16, harry newton wrote:
This nonce KRACK vulnerability is in *everything*, including smart phones (iOS & Android) and computers (Mac/Windows/Linux) and routers (Netgear/Cisco/TPLink) .... Yet there are still people who think the "Internet of Things" is a good idea. Huge numbers of cheap wifi-connected devices, many poorly-designed, most of them likely never receiving security updates. What could possibly go wrong? -- ----------------------------------------------------------------------------- Roger Blake (Posts from Google Groups killfiled due to excess spam.) NSA sedition and treason -- http://www.DeathToNSAthugs.com Don't talk to cops! -- http://www.DontTalkToCops.com Badges don't grant extra rights -- http://www.CopBlock.org ----------------------------------------------------------------------------- |
#23
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
He who is Roger Blake said on Tue, 17 Oct 2017 01:03:46 -0000 (UTC):
Huge numbers of cheap wifi-connected devices, many poorly-designed, most of them likely never receiving security updates. What could possibly go wrong? Well, much more information is out today than yesterday, where it appears that this situation was handled well since May of this year. The one open-source fiasco was the anomaly of OpenBSD, which the authors vowed to never let happen again. Otherwise, the proprietary solutions were all fixed (or being fixed) in the way that'd you'd expect. The problem is in all WiFi WPA1 and WPA2 implementations, but mostly in Linux and Android "clients" and less so in iOS and Windows clients. Likewise less so in "routers" not set up as "bridges" (where, unfortunately, almost all the many routers in my home are almost all set up as bridges or as stations - all of which are vulnerable). I guess, when the smoke clears, the problem will be the unsupported devices, of which Android may be a significant set as may be some of the older routers and access points. |
#24
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 10/16/17 23:53, harry newton wrote:
He who is J.O. Aho said on Mon, 16 Oct 2017 21:08:48 +0200: They do use a tool commonly used in man-in-the-middle attacks, to strip away the tls and send the content to the client machine unencrypted. As they did explain in the video, many don't check in their mobile devices that they have tls communication or not and those they will be able to carry out the attack to see the the login credentials in this example. This has nothing to do with KRACK itself. Thanks for explaining *how* they manage to unencrypt *some* encrypted web sites but not others, as I wasn't sure how they did that. You can think of it like [client]-----[MITM HTTP-service]---[MITM client]---[HTTPS Site] or if you want to keep encryption [client]-----[MITM HTTPS-service]---[MITM client]---[HTTPS Site] In the first case the client connect to the Man-in-the-middle (MITM) over http, MITM then resends the data over HTTPS to the site the client tried to connect to. In the second example the MITM do allow the client to connect with HTTPS, the certificate which the MITM has will not be the same as on the site, so if the client don't verify the certificate, then the attack works. If you want to read more in detail and better explained how MITM works, please take a look at: https://www.owasp.org/index.php/Man-...-middle_attack I was wrong in assuming it was the KRACK attack, which seems to be that they simply hijack the third of the four handshakes, usually from the client side, and force it to be resent where in some cases, it's resent as all zeroes where in other cases it's just resent as a known nonce. Is that a decent summary or can you summarize the attack mode better? I wouldn't say it's hijacked, as you can resend the third request without knowing the first request. The request is sent to the client and on the client side, if you have followed the specification and cleared out the key already, then a zero-key used. I think they did explain this well on the video. -- //Aho |
#25
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 10/16/17 23:31, Roger Blake wrote:
On 2017-10-16, J.O. Aho wrote: It's more important to update the client than the server. Is this something that MS can push an update out for to fix, or does the wifi chip vendor need to fix device firmware or device driver? No, not the chip vendor, the manufacturer of the device, for example to get a fix for your phone, the phone manufacturer has to push out a fix, then your phone operator may have a custom firmware for your phone, then you may be vulnerable a lot longer. When it comes to your wifi, the Access point is usually not a client, so it's not as vulnerable to the issue. It's important to get updates to your devices that connects to wifi. |
#26
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 2017-10-17, J.O. Aho wrote:
On 10/16/17 23:31, Roger Blake wrote: On 2017-10-16, J.O. Aho wrote: It's more important to update the client than the server. Is this something that MS can push an update out for to fix, or does the wifi chip vendor need to fix device firmware or device driver? No, not the chip vendor, the manufacturer of the device, for example to get a fix for your phone, the phone manufacturer has to push out a fix, then your phone operator may have a custom firmware for your phone, then you may be vulnerable a lot longer. As I understand it on Android, it uses wpa_supplicant to make the WPA2 connection, and what is needed is to push an updated wpa_supplicant onto the phone (and presumably something similar for IOS). I do not think it has anything to do with the firmware. When it comes to your wifi, the Access point is usually not a client, so it's not as vulnerable to the issue. It's important to get updates to your devices that connects to wifi. |
#27
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 17-Oct-17 1:17 AM, harry newton wrote:
He who is harry newton said on Mon, 16 Oct 2017 22:03:42 +-0000 (UTC): Thanks for explaining that as this nonce stuff has certain unexpected nuances. Here's every patch for KRACK Wi-Fi vulnerability available right now http://www.zdnet.com/article/here-is-every-patch-for-krack-wi-fi-attack-available-right-now/ Apple: The iPhone and iPad maker confirmed to sister-site CNET that fixes for iOS, macOS, watchOS and tvOS are in beta, and will be rolling it out in a software update in a few weeks. MORE SECURITY NEWS WPA2 security flaw puts almost every Wi-Fi device at risk of hijack, eavesdropping Homeland Security orders federal agencies to start encrypting sites, emails +IAs-OnePlus dials back data collection after users protest These fake tax documents spread jRAT malware Arris: a spokesperson said the company is "committed to the security of our devices and safeguarding the millions of subscribers who use them," and is "evaluating" its portfolio. The company did not say when it will release any patches. Aruba: Aruba has been quick off the mark with a security advisory and patches available for download for ArubaOS, Aruba Instant, Clarity Engine and other software impacted by the bug. AVM: This company may not be taking the issue seriously enough, as due to its "limited attack vector," despite being aware of the issue, will not be issuing security fixes "unless necessary." Cisco: The company is currently investigating exactly which products are impacted by KRACK, but says that "multiple Cisco wireless products are affected by these vulnerabilities." "Cisco is aware of the industry-wide vulnerabilities affecting Wi-Fi Protected Access protocol standards," a Cisco spokesperson told ZDNet. "When issues such as this arise, we put the security of our customers first and ensure they have the information they need to best protect their networks. Cisco PSIRT has issued a security advisory to provide relevant detail about the issue, noting which Cisco products may be affected and subsequently may require customer attention. "Fixes are already available for select Cisco products, and we will continue publishing additional software fixes for affected products as they become available," the spokesperson said. In other words, some patches are available, but others are pending the investigation. Espressif Systems: The Chinese vendor has begun patching its chipsets, namely ESP-IDF and ESP8266 versions, with Arduino ESP32 next on the cards for a fix. Fortinet: At the time of writing there was no official advisory, but based on Fortinet's support forum, it appears that FortiAP 5.6.1 is no longer vulnerable to most of the CVEs linked to the attack, but the latest branch, 5.4.3, may still be impacted. Firmware updates are expected. FreeBSD Project: There is no official response at the time of writing. Google: Google told sister-site CNET that the company is "aware of the issue, and we will be patching any affected devices in the coming weeks." HostAP: The Linux driver provider has issued several patches in response to the disclosure. Intel: Intel has released a security advisory listing updated Wi-Fi drives and patches for affected chipsets, as well as Intel Active Management Technology, which is used by system manufacturers. Linux: As noted on Charged, a patch is a patch is already available and Debian builds can patch now, while OpenBSD was fixed back in July. Netgear: Netgear has released fixes for some router hardware. The full list can be found here. Microsoft: While Windows machines are generally considered safe, the Redmond giant isn't taking any chances and has released a security fix available through automatic updates. MikroTik: The vendor has already released patches that fix the vulnerabilities. OpenBSD: Patches are now available. (The *******s allowed a diff to be performed by the bad guys!) Ubiquiti Networks: A new firmware release, version 3.9.3.7537, protects users against the attack. Wi-Fi Alliance: The group is offering a tool to detect KRACK for members and requires testing for the bug for new members. Wi-Fi Standard: A fix is available for vendors but not directly for end users. At the time of writing, neither Toshiba and Samsung responded to our requests for comment. If that changes, we will update the story. Thanks, Harry. Have you read/watched here? http://www.techrepublic.com/article/...-whos-at-risk/ -- David B. |
#28
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
He who is David_B said on Tue, 17 Oct 2017 09:04:31 +0100:
Have you read/watched here? http://www.techrepublic.com/article/...-whos-at-risk/ Nice find. http://www.techrepublic.com/article/krack-wpa2-protocol-wi-fi-attack-how-it-works-and-whos-at-risk/ KRACK WPA2 protocol Wi-Fi attack: How it works and who's at risk Salient points: .. There are 10 CVE identifiers .. All WPA is likely affected especially Android 6.0+ & Linux/MacOS clients .. https://www.kb.cert.org/vuls/byvendor?searchview&Query=FIELD+Reference=228519&S earchOrder=4 .. Lynchpin is the 4-way handshake to join a WPA network .. wpa_supplicant is the Wi-Fi library that handles the 4-way handshake .. The SSID passphrase is verified & an encryption key is negotiated .. The client waits for the access point to acknowledge the encryption key .. The client will receive the encryption key multiple times in that case .. The client is expected to reinstall that rebroadcast encryption key .. The client is expected to reset the incremental packet transit nonce .. The result is a blank (all zero) encryption key |
#29
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 17/10/2017 1:05 AM, harry newton wrote:
It's more than just routers, so it's *big* - but bear in mind a. Fixes will be out soon b. Nothing is known in the wild yet c. You have to be nearby to be vulnerable So are these "fixes" really fixing the problem, or are they merely moving the trap-doors to somewhere? That is, the trap-doors or maybe "portals" are always opened. -- @~@ Remain silent! Drink, Blink, Stretch! Live long and prosper!! / v \ Simplicity is Beauty! /( _ )\ May the Force and farces be with you! ^ ^ (x86_64 Ubuntu 9.10) Linux 2.6.39.3 不借貸! 不詐騙! 不援交! 不打交! 不打劫! 不自殺! 請考慮綜援 (CSSA): http://www.swd.gov.hk/tc/index/site_...sub_addressesa |
#30
Posted to sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On Tuesday, October 17, 2017 at 8:11:36 AM UTC-4, Mr. Man-wai Chang wrote:
So are these "fixes" really fixing the problem, or are they merely moving the trap-doors to somewhere? That is, the trap-doors or maybe "portals" are always opened. Logical fallacy - you cannot know what you do not know. Peter Wieck Melrose Park, PA |
#31
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
He who is Mr. Man-wai Chang said on Tue, 17 Oct 2017 20:11:31 +0800:
So are these "fixes" really fixing the problem, or are they merely moving the trap-doors to somewhere? That is, the trap-doors or maybe "portals" are always opened. The author of the KRACK attack pleonasm says that he would expect other protocols to be similarly afflicted. |
#32
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 10/17/17 07:25, William Unruh wrote:
On 2017-10-17, J.O. Aho wrote: On 10/16/17 23:31, Roger Blake wrote: On 2017-10-16, J.O. Aho wrote: It's more important to update the client than the server. Is this something that MS can push an update out for to fix, or does the wifi chip vendor need to fix device firmware or device driver? No, not the chip vendor, the manufacturer of the device, for example to get a fix for your phone, the phone manufacturer has to push out a fix, then your phone operator may have a custom firmware for your phone, then you may be vulnerable a lot longer. As I understand it on Android, it uses wpa_supplicant to make the WPA2 connection, and what is needed is to push an updated wpa_supplicant onto the phone (and presumably something similar for IOS). I do not think it has anything to do with the firmware. The wps_supplicant ain't delivered as APK, so you will need a firmware update. On most GNU/Linux phones it's a package (rpm/deb), so that could be pushed out without a firmware update. |
#33
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 2017-10-17, J.O. Aho wrote:
On 10/17/17 07:25, William Unruh wrote: On 2017-10-17, J.O. Aho wrote: On 10/16/17 23:31, Roger Blake wrote: On 2017-10-16, J.O. Aho wrote: It's more important to update the client than the server. Is this something that MS can push an update out for to fix, or does the wifi chip vendor need to fix device firmware or device driver? No, not the chip vendor, the manufacturer of the device, for example to get a fix for your phone, the phone manufacturer has to push out a fix, then your phone operator may have a custom firmware for your phone, then you may be vulnerable a lot longer. As I understand it on Android, it uses wpa_supplicant to make the WPA2 connection, and what is needed is to push an updated wpa_supplicant onto the phone (and presumably something similar for IOS). I do not think it has anything to do with the firmware. The wps_supplicant ain't delivered as APK, so you will need a firmware update. On most GNU/Linux phones it's a package (rpm/deb), so that could be pushed out without a firmware update. I am pretty sure it is not firmware, but it is part of the Android package, if that is what you mean. Ie, it is a system program/daemon. How to replace it I have no idea, esp since it is probably altered by either Google or by the phone manufacturer. So you are probably right that it requires them to ship a replacement. |
#34
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
On Mon, 16 Oct 2017 20:55:25 +0200, s|b wrote:
Still waiting for an update for my TP-Link Archer C7 router. If I understand all this correctly, then I'll also need an update for my Nexus 5X? TP-Link is waking up, so it seems: [Security Flaws] Severe flaws called "KRACK" are discovered in the WPA2 protocol http://forum.tp-link.com/showthread.php?101094-Security-Flaws-Severe-flaws-called-quot-KRACK-quot-are-discovered-in-the-WPA2-protocol Microsoft announces they patched the leak(s) on October 10. Microsoft releases statement on KRACK Wi-Fi vulnerability https://www.windowscentral.com/microsoft-releases-statement-krack-wi-fi-vulnerability -- s|b |
#35
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
He who is s|b said on Tue, 17 Oct 2017 22:36:45 +0200:
Microsoft releases statement on KRACK Wi-Fi vulnerability https://www.windowscentral.com/microsoft-releases-statement-krack-wi-fi-vulnerability What's interesting is that the open-source community has a problem with diffs letting the cat out of the bag too soon (witness openbsd). |
#36
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 2017-10-17, harry newton wrote:
He who is s|b said on Tue, 17 Oct 2017 22:36:45 +0200: Microsoft releases statement on KRACK Wi-Fi vulnerability https://www.windowscentral.com/microsoft-releases-statement-krack-wi-fi-vulnerability What's interesting is that the open-source community has a problem with diffs letting the cat out of the bag too soon (witness openbsd). And the closed source community has a problem with never actually fixing the problems (see most of the wireless router manufacturers). As can be seen from the debate that occured re Krack and OpenBSD. Theodore felt that leaving his users hanging completely exposed was not a good idea, and eventually the Krack finder agreed (only to regret it later). It is a real moral connundrum. Did anyone actually notice that OpenBSD could be used to reveal the bug? Ofttimes fear makes one think that everyone in the world can see right through you and see what you are trying to hide, while actually noone does. So it was not a problem, but a true moral connundrum where no answer is right. |
#37
Posted to sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
Bill Bradshaw wrote:
It appears if you do not use or have WiFi and enabled you should be secure from this. Since I have both disabled I assume I am safe because I use neither. Is a hard wired connection safer (at all distances)? |
#38
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
He who is William Unruh said on Wed, 18 Oct 2017 02:25:28 -0000 (UTC):
And the closed source community has a problem with never actually fixing the problems (see most of the wireless router manufacturers). Hi William, I'm not sure what you mean, but I guess what you're saying is that firmware is only available for the newest routers, which I would agree with. Is that what you're saying? As can be seen from the debate that occured re Krack and OpenBSD. Theodore felt that leaving his users hanging completely exposed was not a good idea, and eventually the Krack finder agreed (only to regret it later). Thanks William for understanding what I was talking about. I do see the conundrum, which is the following, put bluntly: 1. Researcher finds vulnerability on day 0 & secretly informs vendors 2. Proprietary-code vendors fix & release code & nobody is the wiser 3. Open-source vendors fix & release code & anyone can do a "diff" The problem is that the bad guys can do the diff and then get a jump in the wild on building an attack vector. I don't know *how* to solve this, and I don't understand what the Krack Attack researcher proposed for what Theordore should have done. It is a real moral connundrum. Did anyone actually notice that OpenBSD could be used to reveal the bug? William, Can you help me understand what the researcher prefers for next time? He used the words "sit on a diff", which I took to mean that someone *knew* what the changes were and had to "sit on it" (and not tell anyone). (Yes, I'm well aware of what a "diff" is in the Bash world anyway, which is just a command revealing what's different.) I'm confused about one of two events, as to what the researcher wanted: 1. Did he want Theordore to just *sit* on the fix & wait? 2. Or did he propose not giving Theordore enough info to fix it next time? Ofttimes fear makes one think that everyone in the world can see right through you and see what you are trying to hide, while actually noone does. So it was not a problem, but a true moral connundrum where no answer is right. But what is the *standard* approach in this situation for open-source code? What did the researcher propose for open-source code vendors? 1. Did he propose that they not release the code until it's public? 2. Or did he propose not *telling* the open-source community early? I'm confused what the suggested "solution" by the researcher was. |
#39
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-useattack yet?
On 2017-10-18, harry newton wrote:
He who is William Unruh said on Wed, 18 Oct 2017 02:25:28 -0000 (UTC): And the closed source community has a problem with never actually fixing the problems (see most of the wireless router manufacturers). Hi William, I'm not sure what you mean, but I guess what you're saying is that firmware is only available for the newest routers, which I would agree with. Is that what you're saying? As can be seen from the debate that occured re Krack and OpenBSD. Theodore felt that leaving his users hanging completely exposed was not a good idea, and eventually the Krack finder agreed (only to regret it later). Thanks William for understanding what I was talking about. I do see the conundrum, which is the following, put bluntly: 1. Researcher finds vulnerability on day 0 & secretly informs vendors 2. Proprietary-code vendors fix & release code & nobody is the wiser 3. Open-source vendors fix & release code & anyone can do a "diff" The problem is that the bad guys can do the diff and then get a jump in the wild on building an attack vector. I don't know *how* to solve this, and I don't understand what the Krack Attack researcher proposed for what Theordore should have done. It is a real moral connundrum. Did anyone actually notice that OpenBSD could be used to reveal the bug? William, Can you help me understand what the researcher prefers for next time? He used the words "sit on a diff", which I took to mean that someone *knew* what the changes were and had to "sit on it" (and not tell anyone). (Yes, I'm well aware of what a "diff" is in the Bash world anyway, which is just a command revealing what's different.) I'm confused about one of two events, as to what the researcher wanted: 1. Did he want Theordore to just *sit* on the fix & wait? 2. Or did he propose not giving Theordore enough info to fix it next time? Ofttimes fear makes one think that everyone in the world can see right through you and see what you are trying to hide, while actually noone does. So it was not a problem, but a true moral connundrum where no answer is right. But what is the *standard* approach in this situation for open-source code? What did the researcher propose for open-source code vendors? 1. Did he propose that they not release the code until it's public? 2. Or did he propose not *telling* the open-source community early? I'm confused what the suggested "solution" by the researcher was. The standard approach is to give a short waiting period in which the researcher who discovers the bug sits on the bug. Meaning that the researcher does not announce to the world the existence of the found bug. Instead the researcher notifies vendors and publishers, such as a distribution or a vendor for a router such as NetGear. The idea is that they have 60 days in which to patch before the news goes fully public. The idea here is that sometimes they need to be shamed publicly for not patching their hardware or software. In those 60 days all vendors and users of affected software have time to perform a standard update which should fix the discovered issue before the issue is revealed after the 60 days. With open source software since development is out in the open it is possible to discover the bug before 60 days are up. Development is in the open after all. Sometimes if it is a really bad one many distros might agree to release on the same day. And then you have smaller distros based on larger distros that may lag. rhel is typically incredibly fast to fix any known issue. Sometimes in just an hour of it being discovered depending on what it is. In my opinion this is where Open Source really shines. Something like a pFsense firewall will get updates very quickly and you can bank on it. A good distribution like RHEL, Fedora, Debian, Ubuntu, and Suse will get updates on any particular bug very quickly. -- Marek Novotny https://github.com/marek-novotny |
#40
Posted to alt.comp.os.windows-10,alt.os.linux,sci.electronics.repair
|
|||
|
|||
Did you update your router for the WPA2/PSK KRACK nonce re-use attack yet?
On Wed, 18 Oct 2017 02:25:28 -0000 (UTC), William Unruh
wrote: On 2017-10-17, harry newton wrote: He who is s|b said on Tue, 17 Oct 2017 22:36:45 +0200: Microsoft releases statement on KRACK Wi-Fi vulnerability https://www.windowscentral.com/microsoft-releases-statement-krack-wi-fi-vulnerability What's interesting is that the open-source community has a problem with diffs letting the cat out of the bag too soon (witness openbsd). And the closed source community has a problem with never actually fixing the problems (see most of the wireless router manufacturers). As can be seen from the debate that occured re Krack and OpenBSD. Theodore felt that leaving his users hanging completely exposed was not a good idea, and eventually the Krack finder agreed (only to regret it later). It is a real moral connundrum. Did anyone actually notice that OpenBSD could be used to reveal the bug? Ofttimes fear makes one think that everyone in the world can see right through you and see what you are trying to hide, while actually noone does. So it was not a problem, but a true moral connundrum where no answer is right. I have to disagree with the first statement. The open-source community does fix bugs which are very well-known and widespread. That is why Krack already has a fix. It's the smaller issues, like graphical glitches that only affect about 25% of their users which they might not actually fix. They only prioritize whatever they know they can't get away without fixing. |
Reply |
|
Thread Tools | Search this Thread |
Display Modes | |
|
|