This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Dave Aitel (May 06)
There's a lot of different kinds of exploits - and many people ignore
the web exploits that are not for Wordpress. This is usually a mistake
because, especially as we look at #OpUSA and #OpIsreal and the like, a
lot of people are running all sorts of web applications with all sorts
of esoteric web vulnerabilities on them. Which is why our close and
continuing friends over...
Dave Aitel (May 02)
It's really only after you finish writing a keynote that you know what
it's about. In a sense, everyone around you writes it with you as you
talk through it with people. The one I delivered at SyScan itself was
funnier. . . although even so, not very funny. Not everything is funny!
Even things that include Buffy.
"Things Buffy the Vampire Slayer Taught Me About CyberWar - SyScan 2013
Yet Another Java Security Warning Bypass
Esteban Guillardoy (Apr 25)
I wrote a blog post about another Java Security Warning Bypass that
you may find interesting ;)
Just go to the Immunity blog and enjoy:
Answering Lurene's Question
Dave Aitel (Apr 21)
So the kids are in NY so I've gotten a full night's sleep for the first
time in about a while, and parts of my brain I didn't realize were
malfunctioning now have blood and oxygen and whatever soupy hormones
they need to start sparking back up. I'm working on my SyScan talk,
which is due next week, so I wanted to warm up by answering a question
Imagine it's 2030 and we finally understand a few things...
Students teaching trainers
Alex McGeorge (Apr 17)
We do a lot of teaching at Immunity and it's something I think we've
gotten pretty good at over the years. Part of improving your teaching
offerings is doing some hard reflection on what did and didn't work for
the most recent class which is what we're in the process of doing for
web hacking right now. Most of those lessons only make sense from an
internal perspective but there are some things that other people...
Re: Linux Hangman Rules
Michal Zalewski (Apr 17)
[lcamtuf () raccoon ~]$ gdb
(gdb) shell id
uid=500(lcamtuf) gid=500(lcamtuf) groups=100(users),500(lcamtuf)
Linux Hangman Rules
Dave Aitel (Apr 17)
So reading the above blog is amusing for many reasons. But it did make a
lot of people sit around looking at the funniest games you could play on
modern Linux. For example, Linux Hangman.
Linux Hangman Rules
You take turns putting setuid root onto files in /usr/bin /usr/sbin/,
etc. and if your opponent can use that to get root, even via a
convoluted scenario, then you...
Re: Recent experiences with ZDI?
Jim Manico (Apr 17)
Here is a pretty comprehensive list of bug bounty programs to help kick
start the conversation.
Recent experiences with ZDI?
patrick patrick (Apr 15)
I haven't had dealings with ZDI in years, but I've heard some rumors of
people getting screwed over by them recently.
Can somebody confirm or deny this?
Is there currently a safe&legal alternative to get rewarded for bughunting?
Android Application (Dalvik) Memory Analysis & the Chuli Malware
Joe Sylve (Apr 15)
We wanted to take the opportunity to point you to a blog post which gives a
preview of some of the research we've been working on at 504ENSICS Labs in
the area of Android memory analysis. We think our results will be of great
interest to the DFIR community and look forward to your feedback.
The blog post can be found here:
Joe T. Sylve,...
Dave Aitel (Mar 22)
In some parallel universe you can hear Yoda say to a younger Disciple,
"How are you going to control EIP if you can't even control your own anger?"
Perhaps not Yoda. Perhaps Halvar.
Regardless, if for whatever reason you wanted to hear more about
Brazilian Jiu Jitsu or INFILTRATE, then you can hit up the podcast I did
this morning with Ryan Naraine
Dave Aitel (Mar 21)
Angel <http://en.wikipedia.org/wiki/Angel_%28Buffyverse%29>: And
Buffy, be careful with this gift. A lot of things that seem strong
and good and powerful, they can be painful.
Buffy <http://en.wikipedia.org/wiki/Buffy_Summers>: Like, say...
Angel: Exactly. I'm dying to get rid of that.
We put the 32 bit (or we will shortly) version of the PTRACE exploit
into CANVAS Early Updates. I know there...
Shawn (Mar 21)
I put these slides into one tar file:
"Seeing is believing"
Dave Aitel (Mar 19)
So a while back I asked what the point of PWN2OWN was, and Mark Dowd
said that of course many people have never SEEN a modern exploit, and
hence it has some strategic value. I think for Google it's also useful
to see what new bugclasses exist in their products that people have not
otherwise publicly told them about, as well. The main bugclass is being
arrogant enough to believe they can write something memory safe in C++,
but we'll get...
Re: The Truth of TrueType
Justin Seitz (Mar 11)
Sometimes Dave fails at pasting things, that's why the rest of us are here: