Protip: academic board observed secret and so did vendors. The OpenBSD patch went unnoticed. It was the Infosec community that screwed up. https://twitter.com/marcan42/status/919972354947796993 …
Typical does not make it right, and most (good) academic security papers aren't about software bugs but about deeper protocol/crypto breaks.
You get the bug fixed *first*, then you publish the paper about your sweet way of exploiting it for maximum fun and profit.
Which is precisely what happened, given that the paper was NOT published before the fix deadline agreed (I suppose) w/ the vendors and CERT.
Not true. And typical, since it does not do any harm, makes it reasonable and not “irresponsible”.
It does harm - it adds 2+ months to the vulnerability window. At the very least you should be sending drafts of the paper out to vendors.