Stefan Sperling @stsp

As 's de-facto wifi maintainer, I first learned about this WPA problem in June. A simple patch was provided which I could commit with slight modifications.

The original embargo was already 2 months long, and then extended again for 2 months.

The general public (you) was left in the dark about this for at least 4 months.

This is a very sad state of affairs. It takes the industry much too long to apply a simple patch.


@stsp How does this kind of embargo work? Open source software projects are asked not to publish a fix to avoid revealing the flaw?

@pierre The basic idea is that vendors hold fixes back, and cooperate to release their fixes concurrently.

On the surface, this looks reasonable.

But end-user security falls apart when information leaks, or when government agencies get involved, which happens if someone requests a CVE. So in this WPA case, US gov agencies knew about the bug at least as of the second embargo.

Does such an embargo serve your interests? Not really. As an end user, you are interested in getting a patch ASAP.

@stsp Ok, that's frustrating... Thanks for the work and the information.

@stsp When in June did you get word? How long have they been sitting on this?

@david Sorry, "June" was incorrect. I should have said "July" or "too long ago to accurately remember"...

@stsp Question.

As a consumer, and as someone who has done infra work professionally - I want so bad for full disclosure to be the norm.

@stsp Ok, that wasn't a question. That was a rant.

My butt, personally and professionally, was waving in the breeze for months. This is not really OK.