You are right that the audience needs to be identified. My view is that a lightning talk could present an overview of the exploit and the measures that have been taken to address it. Possibly particular places that might remain vulnerable (here I'm thinking of my 10 year old Linksys WRT54GL -- lots of them about still I think). Similarly for OCLUG wiki -- as a 1 pager with links. The link https://security.archlinux.org/CVE-2017-13077 seems particularly helpful. I'm also thinking that OCLUG site is local, and may give some of our participants a chance to let their expertise be known to potential local clients/employers. While some of oclug members are part of the "upstream", overall we're far too low on the visibility scale. And often not nearly good enough at translating the technical issues into short, cogent messages. Would you (or anyone else reading this) be up for a 5-10 minute talk? Scott and I had early thought also of the BlueBorne exploit for BlueTooth. Cheers, JN On 2017-10-18 01:28 PM, Alex Pilon wrote: > On Wed, Oct 18, 2017 at 04:30:43PM +0000, John Nash wrote: >> Via ACM, I came across > > That's an odd place to get such notices. Unfortunately, due to embargoes, > you're unlikely to get advance notice of all issues to your liking. You can try > and parse the flood of CVEs every day, or subscribe to your distro security > mailing list. > > https://lists.archlinux.org/pipermail/arch-security/2017-October/001043.html > > Or check out your local bug tracker, which is always only a subset of all > possible issues: > >> https://arstechnica.com/information-technology/2017/10/severe-flaw-in-wpa2-protocol-leaves-wi-fi-traffic-open-to-eavesdropping/ > > Here's the upstream link: > > https://www.krackattacks.com/ > >> I'm wondering if anyone would give a lightning talk about this for the November meeting. > > What exactly? Vulgarization? There are likely lots of people in this list who > don't really understand basic crypto, and there probably are one or two who > show up at the meetings who have more than enough knowledge to take a nuanced > view of the claims in the website above, and anywhere in between. > > Who are you targeting? > How long? > What level of detail? > What level of preparation? Do you want some nice diagrams? > > Those who the requisite background material will just read the upstream > articles or papers, in full or in part. But might you just want some related > issue discussion instead? > >> Also if anyone has done any patching because of this yet. I'm looking around >> for patches and updates. > > What OS? For Linux, the patches are either already upstream, or being > upstreamed in wpa_supplicant and hostapd: > > Your distro may choose to take the risk and manually patch packages until they > are merged upstream: > - https://git.archlinux.org/svntogit/packages.git/commit/trunk?h=packages/wpa_supplicant&id=9c1bda00a846ff3b60e7c4b4f60b28ff4a8f7768 > - https://git.archlinux.org/svntogit/community.git/commit/trunk?h=packages/hostapd&id=d31735a09b4c25eaa69fb13b1031910ca3c29ee5 > - https://security.archlinux.org/AVG-447 > > Conveniently, there's a bunch of links to other distros, mailing lists, etc., below: > > https://security.archlinux.org/CVE-2017-13077 > >> Such information certainly would be a good thing to appear on the oclug >> website/wiki and if we have solid and useful information, to publicize the >> group. > > Yes it's an important vulnerability. Yes, it affects just about everybody. > > I don't believe it should be on the website or the wiki, unless you can really > convince people it'll make a difference and they won't have heard of it > elsewhere. > > Time should be spent educating people how to stay up to date, on what, and why > it's important, rather than make them dependent on services OCLUG doesn't have > time to properly provide. Distribute or push the burden upstream. > _______________________________________________ > Linux mailing list > Linux [ at ] lists [ dot ] oclug [ dot ] on [ dot ] ca > http://oclug.on.ca/mailman/listinfo/linux >