 This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Latest Posts
D2Sec's Elliot
Dave Aitel (May 06)
http://www.d2sec.com/news/driving_d2_elliot_with_immunity_canvas.html
There's a lot of different kinds of exploits - and many people ignore
the web exploits that are not for Wordpress. This is usually a mistake
because, especially as we look at #OpUSA and #OpIsreal and the like, a
lot of people are running all sorts of web applications with all sorts
of esoteric web vulnerabilities on them. Which is why our close and
continuing friends over...
SyScan 2013
Dave Aitel (May 02)
It's really only after you finish writing a keynote that you know what
it's about. In a sense, everyone around you writes it with you as you
talk through it with people. The one I delivered at SyScan itself was
funnier. . . although even so, not very funny. Not everything is funny!
Even things that include Buffy.
"Things Buffy the Vampire Slayer Taught Me About CyberWar - SyScan 2013
Keynote)"...
Yet Another Java Security Warning Bypass
Esteban Guillardoy (Apr 25)
Hi everyone!
I wrote a blog post about another Java Security Warning Bypass that
you may find interesting ;)
Just go to the Immunity blog and enjoy:
http://immunityproducts.blogspot.com/2013/04/yet-another-java-security-warning-bypass.html
Cheers
Esteban
Answering Lurene's Question
Dave Aitel (Apr 21)
So the kids are in NY so I've gotten a full night's sleep for the first
time in about a while, and parts of my brain I didn't realize were
malfunctioning now have blood and oxygen and whatever soupy hormones
they need to start sparking back up. I'm working on my SyScan talk,
which is due next week, so I wanted to warm up by answering a question
for Lurene.
----
Imagine it's 2030 and we finally understand a few things...
Students teaching trainers
Alex McGeorge (Apr 17)
Aloha list,
We do a lot of teaching at Immunity and it's something I think we've
gotten pretty good at over the years. Part of improving your teaching
offerings is doing some hard reflection on what did and didn't work for
the most recent class which is what we're in the process of doing for
web hacking right now. Most of those lessons only make sense from an
internal perspective but there are some things that other people...
Re: Linux Hangman Rules
Michal Zalewski (Apr 17)
[lcamtuf () raccoon ~]$ gdb
(gdb) shell id
uid=500(lcamtuf) gid=500(lcamtuf) groups=100(users),500(lcamtuf)
Oh no!
/mz
Linux Hangman Rules
Dave Aitel (Apr 17)
http://blog.ioactive.com/2013/04/can-gdbs-list-source-code-be-used-for.html
So reading the above blog is amusing for many reasons. But it did make a
lot of people sit around looking at the funniest games you could play on
modern Linux. For example, Linux Hangman.
Linux Hangman Rules
You take turns putting setuid root onto files in /usr/bin /usr/sbin/,
etc. and if your opponent can use that to get root, even via a
convoluted scenario, then you...
Re: Recent experiences with ZDI?
Jim Manico (Apr 17)
Here is a pretty comprehensive list of bug bounty programs to help kick
start the conversation.
http://bugcrowd.com/list-of-bug-bounty-programs/
- Jim
Recent experiences with ZDI?
patrick patrick (Apr 15)
Hi guys,
I haven't had dealings with ZDI in years, but I've heard some rumors of
people getting screwed over by them recently.
Can somebody confirm or deny this?
Is there currently a safe&legal alternative to get rewarded for bughunting?
Thanks
P
Android Application (Dalvik) Memory Analysis & the Chuli Malware
Joe Sylve (Apr 15)
Hello,
We wanted to take the opportunity to point you to a blog post which gives a
preview of some of the research we've been working on at 504ENSICS Labs in
the area of Android memory analysis. We think our results will be of great
interest to the DFIR community and look forward to your feedback.
The blog post can be found here:
http://www.504ensics.com/android-application-dalvik-memory-analysis-the-chuli-malware/
---
Joe T. Sylve,...
top game
Dave Aitel (Mar 22)
In some parallel universe you can hear Yoda say to a younger Disciple,
"How are you going to control EIP if you can't even control your own anger?"
Perhaps not Yoda. Perhaps Halvar.
Regardless, if for whatever reason you wanted to hear more about
Brazilian Jiu Jitsu or INFILTRATE, then you can hit up the podcast I did
this morning with Ryan Naraine
here:...
Gifts
Dave Aitel (Mar 21)
Angel <http://en.wikipedia.org/wiki/Angel_%28Buffyverse%29>: And
Buffy, be careful with this gift. A lot of things that seem strong
and good and powerful, they can be painful.
Buffy <http://en.wikipedia.org/wiki/Buffy_Summers>: Like, say...
immortality?
Angel: Exactly. I'm dying to get rid of that.
We put the 32 bit (or we will shortly) version of the PTRACE exploit
into CANVAS Early Updates. I know there...
Re: RSA
Shawn (Mar 21)
I put these slides into one tar file:
http://hfg-resources.googlecode.com/files/RSA-US-2013.tar.bz2
"Seeing is believing"
Dave Aitel (Mar 19)
So a while back I asked what the point of PWN2OWN was, and Mark Dowd
said that of course many people have never SEEN a modern exploit, and
hence it has some strategic value. I think for Google it's also useful
to see what new bugclasses exist in their products that people have not
otherwise publicly told them about, as well. The main bugclass is being
arrogant enough to believe they can write something memory safe in C++,
but we'll get...
Re: The Truth of TrueType
Justin Seitz (Mar 11)
Sometimes Dave fails at pasting things, that's why the rest of us are here:
http://immunityproducts.blogspot.com.ar/2013/03/infiltrate-preview-truetype-font.html