by slome 1053 days ago
OpenBSD only implemented loading AMD firmware two days after AMD published updated microcode to fix Zenbleed, which makes me believe they were not among the "major kernels", vendors or other entities that got a heads-up on this vulnerability, which happened over two months prior.

Whether they were last to be in the know or not, I applaud them for being one of the first to have patches out for their latest two stable releases (7.2 and 7.3).


Don't know if it's still the case, but OpenBSD would not get early vuln info because they wouldn't sit on embargoes and would patch right away.

This is untrue. OpenBSD pushes to release as early as possible, but if they're on an embargo, they've respected it.
Technically correct I suppose - https://isopenbsdsecu.re/mitigations/embargoes_handling/

But they do have a relatively difficult history with embargoes. This isn't criticising them BTW - although I don't use OpenBSD any more I still have a soft spot for them and respect for everything they've achieved.

Rather difficult, in the sense that people continue spreading falsehoods about their relationship with embargoes, which makes it difficult to participate in responsible disclosure.

See this thread for examples.

Eh, it's more or less true. OpenBSD violated the KRACK embargo in 2018. They decided to publish for the benefit of their users, and fuck everyone else.

Incorrect. They had explicit permission from the researcher involved to commit when they did. Here's the full discussion, if you want to read it yourself.

https://marc.info/?l=openbsd-tech&m=152909822107104&w=2

More directly, from the KRACK FAQ: As a compromise, I allowed them to silently patch the vulnerability.

https://www.krackattacks.com/#openbsd

It's also worth noting that Microsoft violated the embargo as well: "On this topic, it is also worthwhile to mention that Microsoft pushed their fixes on patch Tuesday on 10 October 2016 [1]. That's before the agreed disclosure deadline, albeit quite close in time."

Quite rightly, nobody is suggesting that nearly a decade later, we should be keeping Microsoft off responsible disclosures as a consequence.

I mean, I just disagree with that interpretation of 2018 events. The embargo deadline was extended, OpenBSD violated that. They refused to play ball with the coordinated extension. The researcher is orthogonal to that. Their actions in 2018 are certainly not universally celebrated as a good way to participate in an embargo.

You don't get to extend an embargo unilaterally. Now that there's a new uniform 90 days the conversation looks different.

They asked for permission from the coordinator and got it. It's that simple. There's nothing open to interpretation here.

The next time you coordinate a disclosure, you can run it differently.

It's possible they knew just enough to know that they needed to implement firmware loading, without knowing the full details of the vulnerability.