Welcome

Dear Reader,

Once it was announced to the public, the news of the KRACK attack spread quickly over the Internet – a flaw in the handshake system for wireless devices that allows an attacker to compromise encryption. According to reports, the attack puts almost all devices that engage in WPA2-encrypted wireless networking at risk. Early warnings said Android was most vulnerable, but later updates reported that Windows, iOS, macOS, and OpenBSD were also at risk. Linux wasn't safe either, with several versions of the wpa_supplicant utility marked as vulnerable. Although the problem was publicly announced in October, vendors were warned privately in May, and many are already well along finding solutions.

The KRACK attack is particularly significant because everybody is using wireless networking. Many people younger than 21 just look bewildered if you show them a Cat 5 networking cable. Such things don't exist in their world, because wireless is everywhere – at the library, at the malt shop, in the home. One of the reasons for the recent explosion in wireless networking is that everybody trusts it now, and they trust it because they have this general sense that the glaring security issues that made everyone nervous about wireless in the first place have somehow been resolved. If you asked many security experts in the past couple years, they would say wireless networking is fine as long as you:

• use WPA2 wireless encryption
• use a strong password

But actually, it turns out those experts were overconfident.

By the time you read this, I hope word of the KRACK attack has already reached you and updates are available for all your wireless devices, including your phone, your tablet, your computer, and your wireless router.

If you haven't heard about KRACK, check with your OS or hardware vendor as soon as you can. The word is that this attack has not appeared in the wild so far, but now that the description is out there, someone is going to implement it, so you'd better hurry.

I hesitate to make this the main subject of the essay, because I often muse about this kind of thing, but I really do need to mention: Shouldn't we have expended a little more time and energy up front to explore this issue before the whole planet went wireless? I know, these kinds of problems are hard to spot, but seriously, this sudden discovery that a tool we depend on is not as secure as we thought it was yesterday seems to be happening a lot.

As for wireless networking, first we had WEP, which we said was secure at first, then we said, "uh … never mind, here's WPA, which we also said was secure, and then we said, "never mind, here's WPA2." Now it's …"uh, yeah, but we gotta fix WPA2."

"Well of course!" you impatiently inform me. "What's the problem? That's what always happens. Developers develop some software, then they tell you its safe and tested, then someone figures out it isn't safe, then the developers create a patch and tell you to install the patch and it will really be safe this time, then you go out and install the patch before some nefarious actor operating with anonymity uses the attack to steal your secrets, then the whole process starts over. What could be more obvious?"

And you're right, that is what always happens, but all I'm saying is, it's really weird if you look at it from a distance. If you believe in Everett's theory of multiple branching universes, you'd have to believe there's a version of us out there somewhere that has figured out a better way to develop software.

But until our universe catches up … INSTALL THE PATCH!