What do you guys think about the "krack" wpa2 breaker?

What do you guys think about the "krack" wpa2 breaker?
> Key Reinstallation Attacks
Seems to be quite bad, however patchable and has already been patched on linux, and should be pushed to the disyros shortly, so mainly Android is in danger for this (in theory also windows and Iso to some degree)
All the info you need:
krackattacks.com/

Other urls found in this thread:

ftp.uk.debian.org/debian
twitter.com/NSFWRedditVideo

Pushed to distros*

No one cares about WiFi security being literally broken? Aight keep talking about Gentoo I guess

Why did OpenBSD silently release a patch before the embargo?

OpenBSD was notified of the vulnerability on 15 July 2017, before CERT/CC was involved in the coordination. Quite quickly, Theo de Raadt replied and critiqued the tentative disclosure deadline: In the open source world, if a person writes a diff and has to sit on it for a month, that is very discouraging. (...) To avoid this problem in the future, OpenBSD will now receive vulnerability notifications closer to the end of an embargo.


kek

i want to test this on my modem, any tools yet?

you just missed the previous thread, and apparently the threads about it since yesterday

here too

"our key reinstallation attack is exceptionally devastating against Linux"

linux fanbois btfo

"HTTPS was previously bypassed in non-browser software"

implying https web access via browser remains good

>no poc
>can't get the wifi password without a phishing site

Researcher didn't get the memo that Theo de Raadt thinks embargoes, even when well-intentioned, are things for the little people. Not the first time it's happened, he should've delayed giving them the patch.

Give me one good reason for embargoes to exist.

herp@derp:~$ sudo apt-get update && sudo apt-get upgrade
[sudo] password for herp:
Ign:1 ftp.uk.debian.org/debian stretch InRelease
...
The following packages will be upgraded:
wpasupplicant
1 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

Buy previous year's Samsung flagship, stop getting security updates before 2 year term is done.
Ordered iphone yesterday, then came home and read about krack on my GNU+linux (desktop).
Maybe I should have went back to a land line.

...

It is against wpa_supplicant, therefore it is as devastating on linux, as it is on haiku, openbsd, netbsd and microshaft wonblows.

The CLI user. You make me so wet user.

Thanks for the (You)s. Jerks.

theres no reason we need a faster phone every year at this point in tech, just release new model every 3 years and keep them up to date for 6

The reason is the profit.

Gives devs the time to create updates before the attack becomes known to everyone so the issue is less devastating.

Usually, but this time it was a clusterfuck.

>cheapo tp-link router is 3 years old
There's basically no chance I'm getting a firmware update, the last one was in 2015, and it's a suspicious "US only" update, I suspect it has to do with radio power output.

i know, but at some point normies just stop consuming the new stuff (internet+phone is something novel to them now)
and try to buy something that lasts more than year

>android is completely fucked with it's release schedule and people running outdated shit
We should be able to manually patch it, right? Just flash the armhf binary?

But then the attack is known to a select few devs, and not to you: you basically justify closed-source software this way.

Isn't that how responsible disclosure works anyway? I believe you should first notify the organisations involved to give them ample time to patch their stuff. I don't like pushing updates silently because of that, but pushing them on the date of disclosure seems very acceptable to me. Unless it becomes evident an organisation clearly doesn't care about patching... then I think vulnerabilities should be disclosed anyway.

>tfw finally have t change my 15 year old router

aaaaaaa