Don't worry - I won't.
I won't tell a human soul other than those in a position to fix it; however, it's a systemic weakness, and cannot be fixed by issuing patches. This problem won't get fixed until the IETF issues some future RFCs - more than one of them - and even then, not until those new standards are _widely_ implemented.
I've never mentioned this in a public way - this is the very _first_ time I've done so - and I've only told one other person that I know how, but not how it would be done.
If you're in a position to implement new RFCs at your company, or in your contributions to a Free Software or Open Source codebase that you are a _committer_ to, please fetch my OpenPGP key from a keyserver. If your key isn't already there, please submit it, then _email_ your key fingerprint - I think that's 16 digits of hex or so - then I'll add it to my keyring.
$ gpg --keyserver pgp.mit.edu --list-keys 69297A03F84E2022
pub rsa4096 2018-11-18 [SC] [expires: 2023-11-17]
87741D160E80D4F860A192FE69297A03F84E2022
uid [ultimate] Michael David Crawford
sub rsa4096 2018-11-18 [E] [expires: 2023-11-17]
Note that I do not yet have a key for mike@soggywizards.com.
$ gpg --keyserver pgp.mit.edu --receive-key 69297A03F84E2022
Please do _not_ sign my key - nor anyone else's - unless I show you my _passport_ in your direct presence. That my technical articles are so popular led a few complete strangers who I'd never met to sign my old key. The key I've got now is _only_ self-signed.
Please keep it that way until we meet for coffee. But not a beer; I only get drunk when a close friend has been unlucky in love. Then we both Pray To The Porcelain God.
I must be purposefully oblique about the details I provide until I can feel certain not just that those who I share this with will keep a lid on it but also until I've found enough RFC-implementors that once I do provide the details, they'll be able to apply the fixes expeditiously.
It happens that I know some primary developers of some stacks. I also know some leading security experts. I'll explain this to a few of them first. I'm on good terms with some vendors' security people; I'll explain it to them as well.
(Score: -1, Spam) by Anonymous Coward on Tuesday December 04 2018, @12:02PM (3 children)
Why does the internet still exist, you lying turd?
Why have you not destroyed the internet yet, you lying turd?
"Famed Security Researcher Michael David Crawford Demonstrates Design Flaw By Breaking Entire Internet"
Why are you not headline news yet, you lying turd?
"Greatest Genius Of Our Time Michael David Crawford Receives Michael David Crawford Award In His Own Honor"
Why have you not received the attention and prestige you so richly deserve, you lying turd?
Why are you a lying turd, Crawford?
Fuck MDC
(Score: 2) by MichaelDavidCrawford on Tuesday December 04 2018, @12:27PM (2 children)
I'm quite certain there are some others who know about the underlying problems, but having spent some time watching the news - mostly here at Soylent, also Tech News like Ars Technica - has convinced me that I'm the only one who knows how to create this particular exploit.
I'm not even remotely seeking credit, rather, I want the problem _fixed_.
Yes I Have No Bananas. [gofundme.com]
(Score: -1, Spam) by Anonymous Coward on Tuesday December 04 2018, @01:51PM (1 child)
Prove it. Shut down the internet.
Fuck MDC
(Score: 0) by Anonymous Coward on Wednesday December 05 2018, @10:46AM
But if MDC does shut down the intertubes you won't be able to post here to tell him that he was right and you were wrong. See the dichotomy?