1. 42
  2. 15

    Also note the last part of Theo’s reply to that mail: “ps. Disable Intel Hyper-Threading where not needed, until we all know more.”

    1. 8

      After Spectre/Meltdown were disclosed we made a similar decision. Not uniformly: we haven’t disabled it on every one of our physical hosts; we’ve done it where we could. Given the significant chance of further CPU vulnerabilities it seemed like a reasonable decision. Time will tell.

    2. 5

      I can’t follow this at all the way it’s presented.

      1. 4

        No worries, you are not the only one who is having trouble following it.

        This is not an editorialized piece of writing trying to guide you towards a particular point of view. It just shows unredacted facts. The intent is to allow anyone to be a bystander in the discussion that actually occurred and make up their own minds about related questions if they have an interest in doing so. And it is only happening in public because interpretations of what happened contradicting the facts were circulated in public (most recently at BSDcan).

        There are no easy answers to the questions raised by the full- vs coordinated-disclosure debate in general. If you are involved in the disclosure process of a security problem and fix, whatever you do, one way or another someone else might potentially be put at risk as a consequence of your actions. And not every risk assessment will lead to the same conclusions.

        1. 1

          Near as I can figure, there was a bunch of back-channel communications about the issue in the OpenBSD community until the guy who found the issue contacted CERT because he figured out the issue went way beyond OBSD. The OpenBSD folks apparently don’t trust CERT and decided to push a fix to protect OBSD users possibly at the expense of, well, everyone else because…I don’t know…screw them, I guess.

          You put us in a conundrum. We knew there was a problem and how to fix it. And when you got CERT involved, we had to assume that information about the problem was now leaking beyond your control into government agencies and private companies, and that some of those “in the know” would have had 2 months of extended embargo time to use an exploit against OpenBSD users. I don’t see any reason to trust every single person in those parts of the security community and in these institutions to act responsibly.

        2. 3

          wouldn’t you have to agree to an embargo in order to break it?

          also: How about blaming the people who created the flaw instead of the people trying to fix it?

          1. 8

            Oh believe me, I would like to blame Damien Bergamini for lots of things :) But that wouldn’t do the overall great results of his work justice.

            KRACK was a common flaw across many independent WPA implementations. Which was quite surprising. It has been argued that it’s an 802.11 standard flaw because the standard authors didn’t alert anyone that the state machines described in the documents were incomplete and didn’t account for this issue. But of course the standard authors didn’t notice the problem either at the time.

            1. 7

              “because the standard authors didn’t alert anyone that the state machines described in the documents were incomplete and didn’t account for this issue.”

              Another example where formal specification of a standard might have caught a problem. Especially if it involved state machines.

            2. 2

              wouldn’t you have to agree to an embargo in order to break it?

              Yes, but if you don’t agree to it, don’t complain if you aren’t given disclosure.

              How about blaming the people who created the flaw instead of the people trying to fix it?

              Because that’s not a mutually exclusive position, and a transparent attempt to create a moral high ground where none exists. You can blame both the people who created the flaw and the people who are trying to fix it if they act in bad faith.

              1. 4

                Yes, but if you don’t agree to it, don’t complain if you aren’t given disclosure.

                It’s rather hard to agree to an embargo if you’re not notified of it or offered a chance to agree.

                1. 0

                  Since the OBSD folks are talking about the embargo and their participation (or not) in it in all of the emails cited, I assume you’re speaking of the general case and not this specific one. I agree that, in the general case, if you aren’t notified it’s hard to agree to an embargo. That’s not the case here, of course.

                  1. 8

                    The OBSD people were talking about how they heard rumors of an embargo, and could not get a response from anyone relevant. They were absolutely clear that if they had been able to agree to the embargo, they would have. They were not offered the option.

                    The best they got was “You didn’t get a response because you asked the wrong people”. When asked who the right people were – crickets.