<div dir="ltr">I make this point a lot also - to folks feeling overwhelmed - keeping pace with info overload is new. It's a very interesting challenge. :)</div><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Dec 4, 2017 at 3:08 PM, Dave Aitel <span dir="ltr"><<a href="mailto:dave@immunityinc.com" target="_blank">dave@immunityinc.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div text="#000000" bgcolor="#FFFFFF">
<p align="center"><img src="http://0x74696d.com/slides/images/20130618/firehose.png"></p>
<p>So for a while it was like being on a treadmill trying to keep
up with the security community's technical advances. These days,
it's like being a guy on a skateboard while several firemen shoot
you with firehoses from different directions. Even staying current
on one platform seems impossible for super-experts. <br>
</p>
<p>I say this because I noted someone pointing out that the
DirtyCow patch maybe didn't work, and maybe didn't work in an
exploitable way. Look, I'll be honest, I didn't even have time to
read the analysis yet, and when I'm doing dishes even I've got the
phone propped up so I can watch whatever videos HITB released that
week. But nobody can keep up. Which is a somewhat new phenomenon
really. <br>
</p>
<p>I saw people on the Steptoe podcast pointing at this:
<a class="m_-3185521921324830260moz-txt-link-freetext" href="https://www.recordedfuture.com/chinese-vulnerability-reporting/" target="_blank">https://www.recordedfuture.com/chinese-vulnerability-reporting/</a>
report which "shows" that the Chinese have their own version of
the VEP, as for some bugs they were demonstrably a lot later than
for every other bug.<br>
</p>
<p>Here's my point as it relates to policy wonks and the VEP: Nobody
has the number of vulnerability researchers on hand who could tell
them that THEIR version of DirtyCow was or was not properly
patched by the publicly reported patch/vuln. The workload for
knowing if any two bugs are the same bug or if any patch actually
worked is so much higher than is publicly discussed. I mean, half
of Twitter is just Stefan Esser pointing and laughing at Apple's
security engineers these days. <br><span class="HOEnZb"><font color="#888888">
</font></span></p><span class="HOEnZb"><font color="#888888">
<p>-dave</p>
<p><br>
</p>
</font></span></div>
<br>_______________________________________________<br>
Dailydave mailing list<br>
<a href="mailto:Dailydave@lists.immunityinc.com">Dailydave@lists.immunityinc.com</a><br>
<a href="https://lists.immunityinc.com/mailman/listinfo/dailydave" rel="noreferrer" target="_blank">https://lists.immunityinc.com/mailman/listinfo/dailydave</a><br>
<br></blockquote></div><br><br clear="all"><div><br></div>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr">Thanks,<div><br></div><div>Dr. Jared DeMott</div><div>Founder, VDA Labs</div><div><a href="http://www.vdalabs.com" target="_blank">www.vdalabs.com</a></div><div><img src="http://vdalabs.com/VDA_TEXT_VERY_SMALL.png" width="96" height="22"><br></div></div></div>
</div>