Home page logo
dailydave logo
Daily Dave Mailing List

This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

List Archives


Latest Posts

Re: The monetization of information insecurity Parity (Sep 12)
Returning to the original proposition -

Everyone here who has ever filled out an application for business insurance
may recall where the questionnaire asked whether they ran AV software. No
doubt there was a time when the actuarial data showed a definite inverse
correlation between AV utilization and real, actual losses.

A couple of decades later, insurers still hold customers negligent when
they don't run AV.

Point #1 being, there...

Re: Karsten Nohl + Jakob Lell are pretty damn smart Kristian Erik Hermansen (Sep 12)
And if you missed it, his talk at CCC 2013 on pwning phones via
Over-The-Air SMS / SIM card firmware exploits is highly interesting as
well...and very scary. SMS as a control channel for mobile networks to
your phones should really frighten you...

30C3: Mobile network attack evolution (EN)


Karsten Nohl + Jakob Lell are pretty damn smart Dave Aitel (Sep 11)

I have to admit they did a bang up job on this work and this talk. I
watch a lot of talks (and hence everyone in the office gets to watch a
lot of talks) because once you work through the accent issues, some of
them are great, and this talk is an amazing example of when a talk goes
absolutely right. Lots of innovative ideas and actual out of the box


Re: The monetization of information insecurity Dominique Brezinski (Sep 11)
Michal, I think you give fantastic counter-points with regard to liability
and doing everything possible to prevent incidents. My gut tells me it is
foolish to rely on third parties for your own security, and that extends to
software you purchase and run. To extend stupid physical world analogies,
think of a modern warrior -- though firearms are relatively simple
mechanical devices, even the best engineered ones fail, and any good
operator does...

Re: The monetization of information insecurity Dan Guido (Sep 11)
Someone I know wrote this for an essay contest at NYU-Poly CSAW in
2007 to answer whether the security industry was a lemon market. I
thought her analysis was incredibly lucid for an undergraduate student
with relatively little exposure to the security industry at the time.

In the future, I hope that education efforts in designing secure
systems (http://blog.trailofbits.com/2014/07/30/education-initiative-spotlight-build-it-break-it/)

Three new videos showing off Volatility 2.4 features Andrew Case (Sep 10)
We (the Volatility team) have published three videos showing off new
features in the recently released Volatility 2.4 version. These videos
were originally shown at Black Hat Arsenal this past summer.

The first video shows how to locate and extract rootkit components from
process and kernel memory and then gather context for IDA:


The second shows how to uncover a number of artifacts of OS X user...

Re: The monetization of information insecurity Michal Zalewski (Sep 10)
It's a fairly persistent argument, but there is also a range of
counterpoints. Perhaps most importantly, liability for damages puts
the open source community and small, emerging companies at a distinct
disadvantage, whereas large businesses would be likely to just factor
it in as a cost of doing business.

In that context, it may be also informative to look at the credit card
& banking industry; liability for fraudulent charges...

Re: The monetization of information insecurity John Strand (Sep 10)
Our problem may not be one of better AV/IDS/IPS, but rather an inherent
inability to think of new defensive tactics and technologies.

It is very hard to think beyond the toolsets we currently have and develop
new ideas.

It is even harder to sell it to investors.


Re: The monetization of information insecurity Dennis Groves (Sep 10)
With all due respect,

can be improved in some way (while still remaining non-optimum)

Donald Knuth states perfectly why bug bounties do not work. And our industry
is filled with security people finding clever ways to *improve* non-optimal
solutions, while they still remain non-optimum! Do nothing and profit!!! I
believe that AV has already been mentioned, however, we all know they are
not the only security vendors who make their livings this...

Re: The monetization of information insecurity Michal Zalewski (Sep 09)
The prehistory of anti-virus software is probably of note. In essence,
they served as a pretty reasonable solution to a nuisance problem of
slowly-evolving, long-lived viruses piggybacking on top of legitimate
executables carried around on floppy disks. There was no pretense of
providing any security boundaries, and the unique properties of this
distribution channel meant that you could actually offer users fairly
clear benefits when exchanging...

Re: The monetization of information insecurity Andreas Lindh (Sep 09)
Hi all,

I won't claim to have a definite answer, but here is one concrete example of something that I believe should definitely
be avoided.

Back in 2001, a whole bunch of people in the antivirus industry signed a petition against teaching how to create
computer viruses. The reasoning behind this was, and I quote:

"It is not necessary and it is not useful to write computer viruses to learn how to protect against them."...

Re: The monetization of information insecurity J. Oquendo (Sep 09)
This is/was one of the main reasons why I choose to avoid
doing static malware analysis. Once upon a 4-6 years ago, I
was tasked to analyze a sample (Qakbot/Qbot/YourNameHere).
Initially, I was able to pick this little needle out of
a haystack pretty easy. As time went on, those responsible
for it made some heavy duty modifications. To the point
where, every 15 minutes of so, another iteration was sent
(via C&C) and the whole structure...

Re: The monetization of information insecurity Brad Spengler (Sep 09)
Hi Dave,

How to avoid repeating the mistake of AV: this is a difficult problem.
I don't have much experience in defense, so if I were to ponder a
solution to this problem, I would look toward the paradigm-shifters in
the infosec industry. Being an avid reader of Wired and other such
online magazines, my immediate thought was Google's Project Zero.

We've learned from the failure of AV that ex post facto detection
and remediation...

The monetization of information insecurity dave aitel (Sep 08)
So I'm heading to a conference shortly and I was going to promote them
in this email but they're apparently not a public conference. I'm on a
panel called "Identification of Emerging and Evolving Threats" with some
non-US Government people who seem pretty nice.

Anyways, now that I've guaranteed myself an exciting visit from security
services, I wanted to point out the one question everyone should be
asking when...

t2’14 Challenge to be released 2014 -09-13 10:00 EEST Tomi Tuominen (Sep 08)
Running assets is always difficult, however this year has been excruciating for t2 infosec. We lost one of our most
prized and well placed deep cover operatives in a foreign three letter agency. Shortly after the CFP, communications
stopped and we have to assume her new assignment is a permanent placement at a black site somewhere in Eastern Europe.

Luckily for us, the person was able to exfiltrate a key piece of an intelligence analysis...

More Lists

Dozens of other network security lists are archived at SecLists.Org.

[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]