by jascii 2309 days ago
Less sensationalist and more informative link: https://nvd.nist.gov/vuln/detail/CVE-2019-15126 (CVSS Severity Base Score: 3.1 Low)

Eh yeah, you shouldn't use WPA2 as your sole defence against data exfiltration. Nice way to drive traffic to your website though.


To summarize the mechanism: the affected chips will transmit packets that are waiting in the Tx buffer even after the station was disassociated, and because the station is disassociated (and thus the encryption key was zeroized), these packets are going to be transmitted encrypted with an all-zero key.
Not that I think this is an especially scary vulnerability, but I wouldn't use CVSS scores as a basis for evaluating any kind of bug. CVSS is a ouija metric without any real merit.

The underlying work here is good and interesting. If companies are going to hype bugs, let it be for stuff like this!
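An added illustration of the Tx-buffer mechanism summarized above (example code written for this page, not from the researchers, the vendor or any poster): a toy station model in which disassociation zeroizes the temporal key; the unpatched variant still flushes its queued frames, so a passive observer recovers them with the all-zero key, while the patched variant discards the queue. The hash-based keystream is a stand-in for CCMP and is an assumption of the demo, not real 802.11 crypto.

```python
import hashlib
from dataclasses import dataclass, field

ZERO_TK = bytes(16)  # the all-zero temporal key left behind after disassociation


def keystream(tk: bytes, pn: int, n: int) -> bytes:
    """Constructed stand-in for CCMP: keystream from key + packet number (not AES-CCM)."""
    out = b""
    block = 0
    while len(out) < n:
        out += hashlib.sha256(tk + pn.to_bytes(6, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return out[:n]


def encrypt(tk: bytes, pn: int, data: bytes) -> bytes:
    """Stream-cipher XOR; encrypt and decrypt are the same operation."""
    return bytes(a ^ b for a, b in zip(data, keystream(tk, pn, len(data))))


@dataclass
class Station:
    tk: bytes                    # current temporal key
    patched: bool                # True = firmware drops pending frames on disassociation
    pn: int = 0                  # packet number
    tx_buffer: list = field(default_factory=list)
    air: list = field(default_factory=list)   # (pn, ciphertext) frames seen over the air

    def queue(self, payload: bytes) -> None:
        self.tx_buffer.append(payload)

    def disassociate(self) -> None:
        self.tk = ZERO_TK                 # key zeroized on disassociation
        if self.patched:
            self.tx_buffer.clear()        # fix: nothing queued may be sent with the zero key

    def flush_tx(self) -> None:
        # Vulnerable firmware keeps transmitting whatever is still queued, with the current key.
        while self.tx_buffer:
            self.pn += 1
            self.air.append((self.pn, encrypt(self.tk, self.pn, self.tx_buffer.pop(0))))


def leaked_frames(patched: bool) -> list:
    """Queue a frame, force disassociation, flush, then decrypt the air with the zero key."""
    sta = Station(tk=hashlib.sha256(b"constructed PTK seed").digest()[:16], patched=patched)
    sta.queue(b"GET /secret HTTP/1.1")   # constructed sample payload
    sta.disassociate()
    sta.flush_tx()
    return [encrypt(ZERO_TK, pn, ct) for pn, ct in sta.air]
```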

> CVSS is a ouija metric without any real merit.

Tell that to the hard-working folks that define the standard, I'm sure they'll appreciate it.

Like any such metric, CVSS is far from perfect, however, in the real world you are sometimes called upon to express things in a quantitative manner even if they are better expressed in a qualitative manner, for instance when you need to justify security spending in a corporate environment, or in the context of compliance reporting. Do you know of a better tool/standard?

> If companies are going to hype bugs, let it be for stuff like this!

That's a bit like crying wolf though, isn't it? It desensitises people to actual issues and takes focus and funds away from them. This kind of fear-based marketing might be useful if your goal is to suck a naive client dry for a year or so; if you are actually trying to make the world a safer place it does more harm than good.

Steve Christey? I have. Many times. He's fine with it. (I assume he disagrees! He's wrong!) Sorry, you'll have to find someone else to take vicarious offense for.

CVSS doesn't work, for the reasons I gave, and have given other times on HN; the search bar will help you if you want to dig in.

> CVSS doesn't work, for the reasons I gave

You didn't give any reasons. If you want to have a civil discourse, at least try to justify your opinions.

I never see Temporal Score and Environmental Score being used. I wonder if it could add nuance where needed.