Coding while watching documentaries about Polish organized crime groups.
Bugs show up everywhere:
This is a full disclosure of a 4 byte stack overwrite in GNU ghostscript 9.07.
Though perhaps I should have sat on it for 4 months, and registered a domain first? How does ghostsmash.com sound?
reminder @ me and anyone else who is essentially self-employed: take a break. don't work all weekend, don't run urself down, it will never be worth it (and it'll come back to bite you, hard)
Astonishing how anyone could think this is anything BUT toxic..
"Mailed you a diff, please sit on it for 3 or 4 months while I pass it around to various government and private institutions."
So #OpenBSD is getting flak for #KRACK early patch, yet a silent patch a week before release from Mikrotik is OK? https://forum.mikrotik.com/viewtopic.php?f=21&t=126695
I said on many occasions that I don't trust my phone. So why do I bother with signal?
Because no matter the endpoint security, making in flight messages easier to read should not be a global default - each bit counts and not all attackers are sophisticated.
You can't hack my servers/mail/ssh/gpg by getting into my phone - you can however read my texts about grocery shopping if you're willing to blow an exploit on it.
@pierre The basic idea is that vendors hold fixes back, and cooperate to release their fixes concurrently.
On the surface, this looks reasonable.
But end-user security falls apart when information leaks, or when government agencies get involved which happens if someone requests a CVE. So in this WPA case, US gov agencies knew about the bug for at least as of the second embargo.
Does such an embargo serve your interests? Not really. As an end user, you are interested in getting a patch ASAP.
As #OpenBSD's de-facto wifi maintainer, I first learned about this WPA problem in June. A simple patch was provided which I could commit with slight modifications.
The original embargo was already 2 months long, and then extended again for 2 months.
The generall public (you) were left in the dark about this for at least 4 months.
This is a very sad state of affairs. It takes the industry much too long to apply a simple patch.