Dave Aitel
2017-12-04 20:08:16 UTC
So for a while it was like being on a treadmill trying to keep up with
the security communities technical advances. These days, it's like being
a guy on a skateboard while several fireman shoot you with firehoses
from different directions. Even staying current on one platform seems
impossible for super-experts.
I say this, because I noted someone pointing out that the DirtyCow patch
maybe didn't work, and maybe didn't work in an exploitable way. Look,
I'll be honest, I didn't even have time to read the analysis yet, and
when I'm doing dishes even I've got the phone propped up so I can watch
whatever videos HITB released that week. But nobody can keep up. Which
is a somewhat new phenomenon really.
I saw people on the Steptoe podcast pointing at this:
https://www.recordedfuture.com/chinese-vulnerability-reporting/ report
which "shows" that the Chinese have their own version of the VEP, as for
some bugs they were demonstrably a lot later than for every other bug.
Here's my point as it relates to policy wonks and the VEP: Nobody has
the number of vulnerability researches on hand who could tell them that
THEIR version of DirtyCow was or was not properly patched by the
publicly reported patch/vuln. The workload for knowing if any two bugs
are the same bug or if any patch actually worked is so much higher than
is publicly discussed. I mean, half of twitter is just Steffan Esser
pointing and laughing at Apple's security engineers these days.
-dave
the security communities technical advances. These days, it's like being
a guy on a skateboard while several fireman shoot you with firehoses
from different directions. Even staying current on one platform seems
impossible for super-experts.
I say this, because I noted someone pointing out that the DirtyCow patch
maybe didn't work, and maybe didn't work in an exploitable way. Look,
I'll be honest, I didn't even have time to read the analysis yet, and
when I'm doing dishes even I've got the phone propped up so I can watch
whatever videos HITB released that week. But nobody can keep up. Which
is a somewhat new phenomenon really.
I saw people on the Steptoe podcast pointing at this:
https://www.recordedfuture.com/chinese-vulnerability-reporting/ report
which "shows" that the Chinese have their own version of the VEP, as for
some bugs they were demonstrably a lot later than for every other bug.
Here's my point as it relates to policy wonks and the VEP: Nobody has
the number of vulnerability researches on hand who could tell them that
THEIR version of DirtyCow was or was not properly patched by the
publicly reported patch/vuln. The workload for knowing if any two bugs
are the same bug or if any patch actually worked is so much higher than
is publicly discussed. I mean, half of twitter is just Steffan Esser
pointing and laughing at Apple's security engineers these days.
-dave