<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
<p align="center"><img
src="http://0x74696d.com/slides/images/20130618/firehose.png"></p>
<p>So for a while it was like being on a treadmill trying to keep
up with the security community's technical advances. These days,
it's like being a guy on a skateboard while several firemen shoot
you with firehoses from different directions. Even staying current
on one platform seems impossible for super-experts.
</p>
<p>I say this because I noted someone pointing out that the
DirtyCow patch maybe didn't work, and maybe didn't work in an
exploitable way. Look, I'll be honest, I haven't even had time to
read the analysis yet, and when I'm doing dishes I've even got the
phone propped up so I can watch whatever videos HITB released that
week. But nobody can keep up, which is a somewhat new phenomenon
really.
</p>
<p>I saw people on the Steptoe podcast pointing at this report:
<a class="moz-txt-link-freetext" href="https://www.recordedfuture.com/chinese-vulnerability-reporting/">https://www.recordedfuture.com/chinese-vulnerability-reporting/</a>
which "shows" that the Chinese have their own version of
the VEP, because for some bugs they were demonstrably a lot later
than for every other bug.
</p>
<p>Here's my point as it relates to policy wonks and the VEP: nobody
has the number of vulnerability researchers on hand who could tell
them whether THEIR version of DirtyCow was or was not properly
patched by the publicly reported vuln and its patch. The workload for
knowing whether any two bugs are the same bug, or whether any patch
actually worked, is so much higher than is publicly discussed. I mean,
half of Twitter is just Stefan Esser pointing and laughing at Apple's
security engineers these days.
</p>
<p>-dave</p>
</body>
</html>