Interesting People mailing list archives
The Flawed System Behind the Krack Wi-Fi Meltdown
From: "Dave Farber" <farber () gmail com>
Date: Wed, 18 Oct 2017 18:20:26 -0400
Ain’t that simple Begin forwarded message:
From: the keyboard of geoff goodfellow <geoff () iconia com> Date: October 18, 2017 at 4:16:37 PM EDT To: "E-mail Pamphleteer Dave Farber's Interesting People list" <ip () listbox com> Subject: The Flawed System Behind the Krack Wi-Fi Meltdown The Flawed System Behind the Krack Wi-Fi Meltdown By LILY HAY NEWMAN Oct 17 2017 <https://www.wired.com/story/krack-wi-fi-meltdown-open-standards> On Monday, the security community scrambled to unpack Krack, a fundamental vulnerability in the ubiquitous, secure Wi-Fi network standard known a WPA2. Though some of the most popular devices are mercifully already protected (like most of those that run Windows and iOS), a staggering population remains exposed to data theft and manipulation every time they connect to WPA2 Wi-Fi. But as another interminable patching process begins, a different conversation is picking up, too, about how to catch flaws in crucial standards more quickly, and make it easier to patch them. No software is perfect. Bugs are inevitable now and then. But experts say that software standards that impact millions of devices are too often developed behind closed doors, making it difficult for the broader security community to assess potential flaws and vulnerabilities early on. They can lack full documentation even months or years after their release. "If there is one thing to learn from this, it's that standards can't be closed off from security researchers," says Robert Graham, an analyst for the cybersecurity firm Erratasec. "The bug here is actually pretty easy to prevent, and pretty obvious. It's the fact that security researchers couldn't get their hands on the standards that meant that it was able to hide." The WPA2 protocol was developed by the Wi-Fi Alliance and the Institute of Electrical and Electronics Engineers (IEEE), which acts as a standards body for numerous technical industries, including wireless security. But unlike, say, Transport Layer Security, the popular cryptographic protocol used in web encryption, WPA2 doesn't make its specifications widely available. IEEE wireless security standards carry a retail cost of hundreds of dollars to access, and costs to review multiple interoperable standards can quickly add up to thousands of dollars. "There are quite a few other IEEE standards that shared the same fate as WPA2, from vehicular communications to healthcare IT, which are only available in a timely fashion for significant sums," says Emin Gun Sirer, a distributed systems and cryptography researcher at Cornell University. "There's an academic program, but it only makes standards available to academics six months after they have been published, which is far after they have been implemented and buried deep within devices." Even open standards like TLS experience major, damaging bugs at times. Open standards have broad community oversight, but don't have the funding for deep, robust maintenance and vetting; researchers argue that you need both to catch the kind of ubiquitous bugs that can plague standards. And if open protocols still have frequent bugs even with crowdsourced vetting, more closed software logically runs runs a higher risk of oversights. "Even TLS has been coughing up bugs through 2016, and that’s a 20-year old-protocol that’s had hundreds of people looking at it," says Matthew Green, a crypotgrapher at Johns Hopkins University, who analyzed the WPA2 vulnerability. "IEEE working groups are a closed industry process." Researchers note that standards development processes are unwieldy and time-consuming, which can make working groups inflexible and unwilling to evolve once they've put significant effort into a certain approach. "I've seen this over and over," Matt Blaze, a security researcher at the University of Pennsylvania, wrote on Twitter on Tuesday. "Eventually, the most talented people stop showing up to the meetings and no one feels empowered to restart from scratch. Sunk cost fallacy. The people involved aren't dumb, and they're working hard to do a good job. But the process is effectively rigged to produce crap like this.” [snip] -- Geoff.Goodfellow () iconia com living as The Truth is True http://geoff.livejournal.com This message was sent to the list address and trashed, but can be found online.
------------------------------------------- Archives: https://www.listbox.com/member/archive/247/=now RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580 Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125 Unsubscribe Now: https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20171018182034:8D2873F0-B452-11E7-9EF0-DB6A7F51FCEA Powered by Listbox: http://www.listbox.com
Current thread:
- The Flawed System Behind the Krack Wi-Fi Meltdown Dave Farber (Oct 18)