Daily Dave Mailing List

This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

Latest Posts

Re: A summary of all the RSA Keynotes and the future we have to beat. Dominique Brezinski (Apr 18)
There is a way through the sticky issues you bring up. El Jefe is a right
approach, but only part of it. There are certain inalienable observables,
such as processes and their attributes, that an attacker can influence but
not completely avoid. If you pick correlating observables from different
observation points that don't have correlated failure from an attack, then
you are selecting good data sources for your analytics. Having talked to a...

VisualSploit 2.0 Dave Aitel (Apr 17)

I wanted to point out the above blog post - I'm a huge believer in
modern educational techniques and advantages (Khan Academy, etc.) and
the fact is that online "training" has really ruined the reputation that
modern computer assisted learning should have.

Above you can see a few screenshots that demonstrate the advantage a
custom web...

A summary of all the RSA Keynotes and the future we have to beat. Dave Aitel (Apr 16)
Links you should hit first:

One thing I noticed from watching all of the RSA keynotes is that they
all said the exact same things, often in the same words. For example, in
the HP keynote (above) you'll see the threads of "We're getting
outmatched" with we need to move to...

BJJ AT INFILTRATE 2014 Dave Aitel (Apr 14)
As you can see from the schedule
<http://www.infiltratecon.com/schedule.html> INFILTRATE is once again
having a friendly BJJ area. The plan is to keep it much the same as last
year, which is largely unstructured and a lot of fun.

FAQ as follows:
Q: Will Cyborg show up to throw Jeremiah around like a sack of twigs?
A: Unsure.

Q: Will Sean Heelan once again armbar me about 5 times in a row while
conducting an impromptu lecture on the...

NotSoSecure CTF Sumit Siddharth (Apr 11)
Hello all,

Just a gentle reminder; the next NotSoSecure CTF is scheduled for next week
(April 18-20th) 2014. Registration page and more details can be found here:

<http://www.notsosecure.com/>

Innuendo Demo #1 Dave Aitel (Apr 11)

This little movie shows a couple of the features in INNUENDO that I like
- although it probably does not emphasize enough the difference in
thinking that you have to do with INNUENDO as compared to other
commercial tools.

Still, it's a start. :>


Re: Nobody but us. Alfonso De Gregorio (Apr 09)

If the NOBUS appetite is high, it is possible to combine up even more

Two more kingdoms and the associated phyla -- à la carte.

8. Detection difficulty only we will bother with / Components only we
can tamper with (e.g., implementing hardware Trojans below the gate
level by changing the dopant polarity of existing transistors).

9. Information only we have access to (e.g., a virus using a
cryptocounter to trigger an...

Nobody but us. Dave Aitel (Apr 09)
I spent some time talking to various people lately about the concept of
"Nobody but us" (NOBUS) especially now that the DUAL_EC algorithm is
being researched more closely. People got confused because the papers
that came out didn't really stress that the "attacks" against Dual_EC
were in the case where they first corrupted it by replacing the magic
constants in the spec with their own.

So here's a list of seven ways...

Re: Some slides for a keynote Dave Aitel (Apr 09)
The goal of the next set of internet malware may very well be to enable
the kind of involuntary transparency that is so obviously powerful in
this day and age. All you really have to do is have your implant collect
anything that might be interesting along with some metadata, encrypt it
to your private key and then deposit these files all over the network
with a little header that says "Upload this file using Tor to...

Re: Some slides for a keynote Vitaly Osipov (Apr 09)
Here are some quotes about goals from a rather randomly selected, but
very fitting, psychology paper

"...it matters how people frame their good intentions or goals. For
instance, better performances are observed when people set themselves
challenging, specific goals as compared with challenging but vague
goals (so-called "do your best" goals)."


speech dan (Apr 08)
Perhaps of relevance here.

APT in a World of Rising Interdependence
invited address, NSA, 26 March 2014


Re: Some slides for a keynote Michal Zalewski (Apr 08)
Interesting. I have argued in favor of this position when it comes to
vulnerability research: people like to paint their motivations in a
variety of ways, but most of the actions they take are best explained
by just wanting to see the world acknowledge your skills. Being in the
headlines or in the limelight at a major conference can give you quite
a powerful fix. And because most journalists struggle to tell good
research from bad, it also...

Some slides for a keynote Richard Thieme (Apr 08)
great insights, as expected, and not merely "speculative." to add to
the theme, there are other reasons for the addictive behaviors too. I
recently read "Addiction By Design: Machine Gambling in Las Vegas" by
Natasha Dow Schull and it details in granular fashion the evolution of
slot machines as they have been designed to induce a trance, keep the
gambler in the seat, and reinforce behaviors by all sorts of means,...

Some slides for a keynote Halvar Flake (Apr 08)
Hey all,
on Dave's recommendation, here are some slides from a keynote I gave today at ISACA Nordic Security.
It is non-technical (as keynotes are prone to be), and full of vague speculation. Perhaps someone will
find the slides entertaining/useful/insightful:



Re: Shady headlines brian krebs (Apr 07)
Dave, you're entitled to your opinion, of course, which seems to be that
this is all overblown and the result of bloggers/reporters going for
sensational headlines and stories. I think that future reporting on this
(at least on my part) will show in a very concrete way that this negatively
affected a large number of people.

If you're interested in reading a fact-checked version of Experian's
talking points on this subject, please...

More Lists

Dozens of other network security lists are archived at SecLists.Org.
