Don't worry - I won't.
I won't tell a human soul other than those in a position to fix it; however, it's a systemic weakness, and cannot be fixed by issuing patches. This problem won't get fixed until the IETF issues some future RFCs - more than one of them - and even then, not until those new standards are _widely_ implemented.
I've never mentioned this in a public way - this is the very _first_ time I've done so - and I've only told one other person that I know how, but not how it would be done.
If you're in a position to implement new RFCs at your company, or in your contributions to a Free Software or Open Source codebase that you are a _committer_ to, please fetch my OpenPGP key from a keyserver. If your key isn't already there, please submit it, then _email_ your key fingerprint - I think that's 16 digits of hex or so - then I'll add it to my keyring.
$ gpg --keyserver pgp.mit.edu --list-keys 69297A03F84E2022
pub rsa4096 2018-11-18 [SC] [expires: 2023-11-17]
87741D160E80D4F860A192FE69297A03F84E2022
uid [ultimate] Michael David Crawford
sub rsa4096 2018-11-18 [E] [expires: 2023-11-17]
Note that I do not yet have a key for mike@soggywizards.com.
$ gpg --keyserver pgp.mit.edu --receive-key 69297A03F84E2022
Please do _not_ sign my key - nor anyone else's - unless I show you my _passport_ in your direct presence. That my technical articles are so popular led a few complete strangers who I'd never met to sign my old key. The key I've got now is _only_ self-signed.
Please keep it that way until we meet for coffee. But not a beer; I only get drunk when a close friend has been unlucky in love. Then we both Pray To The Porcelain God.
I must be purposefully oblique about the details I provide until I can feel certain not just that those who I share this with will keep a lid on it but also until I've found enough RFC-implementors that once I do provide the details, they'll be able to apply the fixes expeditiously.
It happens that I know some primary developers of some stacks. I also know some leading security experts. I'll explain this to a few of them first. I'm on good terms with some vendors' security people; I'll explain it to them as well.
(Score: 0) by Anonymous Coward on Tuesday December 04 2018, @05:46PM
Hey Michael,
I think you need to take a step back and look at things from an outside perspective:
1. You have a friend who has a history of delusional episodes.
2. Your friend has had a recent health issue that was very severe.
3. Less than a week after suffering from some neurological symptoms (possibly related to #2), this friend has become convinced that they have, single-handedly, identified a severe security weakness in a key piece of infrastructure that has gone unnoticed by everyone else who has interacted with it.
4. This friend has also made similar (in magnitude) claims in the past that did not turn out to be realistic or actionable.
What should you say to this friend?
Should you tell them to be patient, recover fully from their health problems, and then look at the problem at least a week later? If the problem has been around for a long time, then surely it could be present for a little while longer (importance: high, but urgency: low).