Interesting People mailing list archives

Previous By Date Next
Previous By Thread Next

The Flawed System Behind the Krack Wi-Fi Meltdown

From: "Dave Farber" <farber () gmail com>
Date: Wed, 18 Oct 2017 18:20:26 -0400
Ain’t  that simple


Begin forwarded message:


From: the keyboard of geoff goodfellow <geoff () iconia com>
Date: October 18, 2017 at 4:16:37 PM EDT
To: "E-mail Pamphleteer Dave Farber's Interesting People list" <ip () listbox com>
Subject: The Flawed System Behind the Krack Wi-Fi Meltdown

The Flawed System Behind the Krack Wi-Fi Meltdown
By LILY HAY NEWMAN
Oct 17 2017
<https://www.wired.com/story/krack-wi-fi-meltdown-open-standards>

On Monday, the security community scrambled to unpack Krack, a fundamental vulnerability in the ubiquitous, secure 
Wi-Fi network standard known a WPA2. Though some of the most popular devices are mercifully already protected (like 
most of those that run Windows and iOS), a staggering population remains exposed to data theft and manipulation every 
time they connect to WPA2 Wi-Fi. But as another interminable patching process begins, a different conversation is 
picking up, too, about how to catch flaws in crucial standards more quickly, and make it easier to patch them.

No software is perfect. Bugs are inevitable now and then. But experts say that software standards that impact 
millions of devices are too often developed behind closed doors, making it difficult for the broader security 
community to assess potential flaws and vulnerabilities early on. They can lack full documentation even months or 
years after their release.

"If there is one thing to learn from this, it's that standards can't be closed off from security researchers," says 
Robert Graham, an analyst for the cybersecurity firm Erratasec. "The bug here is actually pretty easy to prevent, and 
pretty obvious. It's the fact that security researchers couldn't get their hands on the standards that meant that it 
was able to hide."

The WPA2 protocol was developed by the Wi-Fi Alliance and the Institute of Electrical and Electronics Engineers 
(IEEE), which acts as a standards body for numerous technical industries, including wireless security. But unlike, 
say, Transport Layer Security, the popular cryptographic protocol used in web encryption, WPA2 doesn't make its 
specifications widely available. IEEE wireless security standards carry a retail cost of hundreds of dollars to 
access, and costs to review multiple interoperable standards can quickly add up to thousands of dollars.

"There are quite a few other IEEE standards that shared the same fate as WPA2, from vehicular communications to 
healthcare IT, which are only available in a timely fashion for significant sums," says Emin Gun Sirer, a distributed 
systems and cryptography researcher at Cornell University. "There's an academic program, but it only makes standards 
available to academics six months after they have been published, which is far after they have been implemented and 
buried deep within devices."

Even open standards like TLS experience major, damaging bugs at times. Open standards have broad community oversight, 
but don't have the funding for deep, robust maintenance and vetting; researchers argue that you need both to catch 
the kind of ubiquitous bugs that can plague standards. And if open protocols still have frequent bugs even with 
crowdsourced vetting, more closed software logically runs runs a higher risk of oversights.

"Even TLS has been coughing up bugs through 2016, and that’s a 20-year old-protocol that’s had hundreds of people 
looking at it," says Matthew Green, a crypotgrapher at Johns Hopkins University, who analyzed the WPA2 vulnerability. 
"IEEE working groups are a closed industry process."

Researchers note that standards development processes are unwieldy and time-consuming, which can make working groups 
inflexible and unwilling to evolve once they've put significant effort into a certain approach. "I've seen this over 
and over," Matt Blaze, a security researcher at the University of Pennsylvania, wrote on Twitter on Tuesday. 
"Eventually, the most talented people stop showing up to the meetings and no one feels empowered to restart from 
scratch. Sunk cost fallacy. The people involved aren't dumb, and they're working hard to do a good job. But the 
process is effectively rigged to produce crap like this.”

[snip]
-- 
Geoff.Goodfellow () iconia com
living as The Truth is True
http://geoff.livejournal.com  

This message was sent to the list address and trashed, but can be found online.




-------------------------------------------
Archives: https://www.listbox.com/member/archive/247/=now
RSS Feed: https://www.listbox.com/member/archive/rss/247/18849915-ae8fa580
Modify Your Subscription: https://www.listbox.com/member/?member_id=18849915&id_secret=18849915-aa268125
Unsubscribe Now: 
https://www.listbox.com/unsubscribe/?member_id=18849915&id_secret=18849915-32545cb4&post_id=20171018182034:8D2873F0-B452-11E7-9EF0-DB6A7F51FCEA
Powered by Listbox: http://www.listbox.com
Previous By Date Next
Previous By Thread Next

Current thread: