home | list info | list archive | date index | thread index

Re: [OCLUG-Tech] WPA2 vulnerability

On Wed, Oct 18, 2017 at 04:30:43PM +0000, John Nash wrote:
> Via ACM, I came across

That's an odd place to get such notices. Unfortunately, due to embargoes,
you're unlikely to get advance notice of all issues to your liking. You can try
and parse the flood of CVEs every day, or subscribe to your distro security
mailing list.


Or check out your local bug tracker, which is always only a subset of all
possible issues:

> https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Here's the upstream link:


> I'm wondering if anyone would give a lightning talk about this for the November meeting.

What exactly? Vulgarization? There are likely lots of people in this list who
don't really understand basic crypto, and there probably are one or two who
show up at the meetings who have more than enough knowledge to take a nuanced
view of the claims in the website above, and anywhere in between.

Who are you targeting?
How long?
What level of detail?
What level of preparation? Do you want some nice diagrams?

Those who the requisite background material will just read the upstream
articles or papers, in full or in part. But might you just want some related
issue discussion instead?

> Also if anyone has done any patching because of this yet. I'm looking around
> for patches and updates.

What OS? For Linux, the patches are either already upstream, or being
upstreamed in wpa_supplicant and hostapd:

Your distro may choose to take the risk and manually patch packages until they
are merged upstream:
- https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/wpa_supplicant&id=9c1bda00a846ff3b60e7c4b4f60b28ff4a8f7768
- https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/hostapd&id=d31735a09b4c25eaa69fb13b1031910ca3c29ee5
- https://security.archlinux.org/AVG-447

Conveniently, there's a bunch of links to other distros, mailing lists, etc., below:


> Such information certainly would be a good thing to appear on the oclug
> website/wiki and if we have solid and useful information, to publicize the
> group.

Yes it's an important vulnerability. Yes, it affects just about everybody.

I don't believe it should be on the website or the wiki, unless you can really
convince people it'll make a difference and they won't have heard of it

Time should be spent educating people how to stay up to date, on what, and why
it's important, rather than make them dependent on services OCLUG doesn't have
time to properly provide. Distribute or push the burden upstream.