
Was the Efail disclosure horribly screwed up? - tptacek
https://blog.cryptographyengineering.com/2018/05/17/was-the-efail-disclosure-horribly-screwed-up/
======
tptacek
A fair bit of the blame here goes to HN, where the PGP cheering section
uncritically repeated statements by members of the Enigmail and GnuPG teams
that turned out to be contradicted by the public record. In one case, someone
posted a mailing list post by Werner Koch from GnuPG that established the
November 2017 timeline, and HN found a way to argue that it might be evidence
_in favor of_ the position that the researchers had botched the disclosure.

More evidence could come to light, but from what we have now, it looks pretty
clear that what happened was the Efail researchers made an unusually strong
effort to notify and coordinate, and were thwarted by the judgement of the
GnuPG project members that the vulnerability was "boring" and not worth
liaising over.

~~~
pvg
Was there some other, weirder discussion on HN that made this worse? The one
linked in the article has a total of 26 comments. Even if you assume, for the
sake of argument, that every single one of them is nuts, 26 nutty HN comments
on a given popular topic seems hardly worth mentioning. Especially compared to
the torrent of bananas tweets about this particular one.

~~~
tptacek
I don't know about the one in the article, but the front page story had almost
300 comments:

[https://news.ycombinator.com/item?id=17064129](https://news.ycombinator.com/item?id=17064129)

~~~
pvg
Ah, that makes more sense.

------
tedunangst
I like the congruence of lives are at stake and this is not a bug. There's a
warning. If you don't read it, you deserve to die. What else could possibly be
done?

