On Wed, Oct 18, 2017 at 04:30:43PM +0000, John Nash wrote:
> Via ACM, I came across

That's an odd place to get such notices. Unfortunately, due to embargoes, you're unlikely to get advance notice of all issues to your liking. You can try and parse the flood of CVEs every day, or subscribe to your distro security mailing list:

https://lists.archlinux.org/pipermail/arch-security/2017-October/001043.html

Or check out your local bug tracker, which is always only a subset of all possible issues:

> https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/

Here's the upstream link: https://www.krackattacks.com/

> I'm wondering if anyone would give a lightning talk about this for the November meeting.

What exactly? Vulgarization? There are likely lots of people on this list who don't really understand basic crypto, and there probably are one or two who show up at the meetings who have more than enough knowledge to take a nuanced view of the claims on the website above, and anywhere in between. Who are you targeting? How long? What level of detail? What level of preparation? Do you want some nice diagrams? Those who have the requisite background material will just read the upstream articles or papers, in full or in part. But might you just want some related issue discussion instead?

> Also if anyone has done any patching because of this yet. I'm looking around
> for patches and updates.

What OS?

For Linux, the patches are either already upstream, or being upstreamed in wpa_supplicant and hostapd. Your distro may choose to take the risk and manually patch packages until they are merged upstream:

- https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/wpa_supplicant&id=9c1bda00a846ff3b60e7c4b4f60b28ff4a8f7768
- https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/hostapd&id=d31735a09b4c25eaa69fb13b1031910ca3c29ee5
- https://security.archlinux.org/AVG-447

Conveniently, there's a bunch of links to other distros, mailing lists, etc., below:

https://security.archlinux.org/CVE-2017-13077

> Such information certainly would be a good thing to appear on the oclug
> website/wiki and if we have solid and useful information, to publicize the
> group.

Yes, it's an important vulnerability. Yes, it affects just about everybody. I don't believe it should be on the website or the wiki, unless you can really convince people it'll make a difference and they won't have heard of it elsewhere. Time should be spent educating people how to stay up to date, on what, and why it's important, rather than make them dependent on services OCLUG doesn't have time to properly provide. Distribute or push the burden upstream.