Daily Dave

This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

Re: Deep down the certificate pinning rabbit hole of "Tor Browser Exposed"

19 September, 2016 - 12:09

Posted by Ryan Duff on Sep 19

Hey everyone,

I have posted a full technical writeup and wrap-up for this bug. Check it
out here:



Deep down the certificate pinning rabbit hole of "Tor Browser Exposed"

15 September, 2016 - 11:36

Posted by Ryan Duff on Sep 15

Hey everyone,

I spent a decent portion of my day looking into the claim by the Tor-Fork
developer that you could get cross-platform RCE on Tor Browser if you're
able to both MitM a connection and forge a single TLS certificate for
addons.mozilla.org. This is well within the capability of any decently
resourced nation-state. Definitely read @movrcx's write-up first to see his
claim. It's here:...

Re: The difference between block-based fuzzing and AFL

15 September, 2016 - 11:28

Posted by Michal Zalewski on Sep 15

I don't look at it this way.

To put it bluntly, the overriding principle behind AFL is that it
intentionally takes away choice and forces you to simplify problems
instead of complicating the test suite.

Quite often, that's the right thing to do, even if it *feels*
insulting or wrong to a pro. There are fuzzing frameworks that are
incredibly flexible and expressive, allowing you to create complex
protocol specs, fiddle with dozens...

Tor Browser Exposed: Anti-Privacy Implantation at Mass Scale

14 September, 2016 - 01:18

Posted by Joshua on Sep 13

Howdy folks,

An article was written on how a nation state could conduct an attack on all Tor Browser platforms. Enjoy!

Dailydave mailing list
Dailydave () lists immunityinc com

Re: iPhone Security

14 September, 2016 - 01:10

Posted by Kristian Erik Hermansen on Sep 13

Thanks to Apple for finally fixing the issues today with latest
updates and not crediting where credit is due. And, you should really
update to get the patches just released...

"CVE-2016-4741: Description: An issue existed in iOS updates, which
did not properly secure user communications. This issue was addressed
by using HTTPS for software updates."

Re: The difference between block-based fuzzing and AFL

14 September, 2016 - 01:00

Posted by Ryan Stortz on Sep 13

I don't think it's an apples-to-oranges comparison to compare these fuzzers
against the Cyber Grand Challenge test set (
https://github.com/trailofbits/cb-multios). In fact, the CGC test set is a
perfect shooting gallery. The test set is entirely comprised of network
services that implement protocols that represent real world software.
DECREE has no knowledge of file systems or files at all. The protocols are
frequently simplified, but...

Re: The difference between block-based fuzzing and AFL

14 September, 2016 - 00:41

Posted by Andrew Ruef on Sep 13

The benefit of a tool like AFL is that it’s black-box: you don’t need a grammar, you don’t need a complicated, rich and
deep specification of a protocol like RPC that encapsulates checksums, encryption, etc.

AFL (and fuzzers like it) have a strategy to work around their lack of knowledge/a deep specification, though: just
recompile your application to skip checksums and turn off encryption.

Augh! It’s so cheesy! The indignity! You...

The difference between block-based fuzzing and AFL

13 September, 2016 - 10:34

Posted by Dave Aitel on Sep 13

So let's take a quick break from thinking about how messed up Wassenaar is
or what random annoying thing the EFF or ACLU said about 0day today and
talk about fuzzers. AFL has everyone's mind share, but I have to point
out that it is still a VERY specialized tool.

The process of taking a file, sending it into some processing unit, and
then figuring out if it crashes, sounds easy and generic. But in practice
you have to carefully...
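
The thread above makes two concrete points: Andrew Ruef's "cheesy" workaround of recompiling the target to skip checksums so a format-unaware fuzzer can get past them, and Dave's description of the basic harness shape (take a file, push it through the processing unit, see if it crashes). The following is an added example written for this page, not code posted by anyone in the thread. The message format (type, big-endian length, payload, CRC-32 trailer) is constructed for illustration. The macro FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION is the name OSS-Fuzz builds conventionally define; with plain afl-gcc/afl-clang you pass -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION yourself. The production build checks the CRC and the fuzzing build compiles the check out, so the same source serves both.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Message layout (constructed for this example, not a real protocol):
 *   byte 0      type   (0..2 are valid)
 *   bytes 1-2   len    (big-endian payload length)
 *   bytes 3..   payload[len]
 *   4 bytes     CRC-32 (big-endian) over type||len||payload              */
#define HDR_LEN 3
#define CRC_LEN 4
#define MAX_TYPE 2

enum { MSG_OK = 0, MSG_SHORT = -1, MSG_BAD_CRC = -2, MSG_BAD_TYPE = -3 };

/* Reflected CRC-32 (IEEE 802.3 polynomial), bitwise, no lookup table. */
static uint32_t crc32_bytes(const uint8_t *p, size_t n) {
    uint32_t c = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        c ^= p[i];
        for (int k = 0; k < 8; k++)
            c = (c >> 1) ^ (0xEDB88320u & (0u - (c & 1u)));
    }
    return ~c;
}

static void put_be32(uint8_t *dst, uint32_t v) {
    dst[0] = (uint8_t)(v >> 24); dst[1] = (uint8_t)(v >> 16);
    dst[2] = (uint8_t)(v >> 8);  dst[3] = (uint8_t)v;
}

static uint32_t get_be32(const uint8_t *src) {
    return ((uint32_t)src[0] << 24) | ((uint32_t)src[1] << 16) |
           ((uint32_t)src[2] << 8)  |  (uint32_t)src[3];
}

/* 1 if this build verifies the CRC, 0 if the check was compiled out for fuzzing.
 * The macro name follows the OSS-Fuzz convention (assumption, see lead-in). */
int checksum_enforced(void) {
#ifdef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
    return 0;
#else
    return 1;
#endif
}

/* Serialize a well-formed message (valid CRC) into out; returns total size.
 * Useful for seeding the fuzzer's input corpus with something that parses. */
size_t build_message(uint8_t type, const uint8_t *payload, size_t len, uint8_t *out) {
    out[0] = type;
    out[1] = (uint8_t)(len >> 8);
    out[2] = (uint8_t)len;
    memcpy(out + HDR_LEN, payload, len);
    put_be32(out + HDR_LEN + len, crc32_bytes(out, HDR_LEN + len));
    return HDR_LEN + len + CRC_LEN;
}

/* Parse one message; on MSG_OK, *out_type and *out_len describe the payload. */
int parse_message(const uint8_t *buf, size_t n, uint8_t *out_type, size_t *out_len) {
    if (n < HDR_LEN + CRC_LEN) return MSG_SHORT;
    uint8_t type = buf[0];
    size_t len = ((size_t)buf[1] << 8) | buf[2];
    /* len is attacker-controlled: bound it against what we actually have
     * before reading buf[HDR_LEN + len ...] for the trailer. */
    if (n < HDR_LEN + len + CRC_LEN) return MSG_SHORT;

#ifndef FUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION
    /* Production path: a mutated input almost never carries a matching CRC,
     * so a format-unaware fuzzer is stopped here and never reaches the
     * type/payload handling below. The fuzzing build skips this block. */
    if (crc32_bytes(buf, HDR_LEN + len) != get_be32(buf + HDR_LEN + len))
        return MSG_BAD_CRC;
#endif
    if (type > MAX_TYPE) return MSG_BAD_TYPE;
    *out_type = type;
    *out_len = len;
    return MSG_OK;
}

/* AFL-style file harness:  afl-fuzz -i in -o out -- ./harness @@  */
int main(int argc, char **argv) {
    if (argc != 2) { fprintf(stderr, "usage: %s <input-file>\n", argv[0]); return 2; }
    FILE *f = fopen(argv[1], "rb");
    if (!f) { perror("fopen"); return 2; }
    uint8_t buf[1 << 16];
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    uint8_t type = 0; size_t len = 0;
    int rc = parse_message(buf, n, &type, &len);
    printf("rc=%d type=%u len=%zu crc_checked=%d\n", rc, type, len, checksum_enforced());
    return rc == MSG_OK ? 0 : 1;
}
```

Build once without the define for the real binary and once with it for the fuzzing target; only the second will let AFL's mutations reach the type check and whatever payload handling sits behind it. Bugs found in the fuzzing build still need to be confirmed reachable with a correct CRC before you call them exploitable, which is the cost of the shortcut Ruef is describing.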

Dealing with large colony sizes

13 September, 2016 - 06:50

Posted by dave aitel on Sep 13

https://vimeo.com/181992289 Tagging and Automation

https://vimeo.com/182118990 Web Powershell Channel

Ant colonies used to be very small. Some of the features Ants needed to
develop (specialized genes for controlling size in various castes of the
colony, for example) took eons to evolve. Likewise, the algorithms that
drive large ant colonies are hugely complex - they are quite
intelligent, in other words....

t2'16: Challenge to be released 2016-09-10 10:00 EEST

31 August, 2016 - 08:38

Posted by Tomi Tuominen on Aug 31

It is that time of the year again.

Unicorns attract competitors, copycats and charlatans. For a VC, the road to losing the principal is paved with poor
decisions, bad luck and ultimately betting on the wrong horse. One of the challengers in the unregulated
pay-per-hitchhike app industry, Astley Auto Association, has been trying to raise a C round. Its founder and CEO, a
controversial character, is claimed to represent the darker side of the...

Lawfareblog podcast on the VEP

30 August, 2016 - 07:57

Posted by dave aitel on Aug 30


You'll notice that there isn't really a pushback to the arguments in
this podcast from the usual suspects. Maybe that's because after they
listen to it, they kinda agree? My favorite question is when the editor
of Lawfare asks us "Why should anyone even listen to you guys anyways?"
I only tell one...

nullcon 8-bit Call for Papers is open

25 August, 2016 - 12:46

Posted by nullcon on Aug 25

Dear Hackers and Security Pros,

Welcome to nullcon 8-bit!
nullcon is an annual security conference held in Goa, India. The focus
of the conference is to showcase the next generation of offensive and
defensive security technology. We happily open doors to researchers
and hackers around the world and the universe, working on the next
big thing in security and request everyone to submit their new

What is 8-bit?
As a tradition of...

SAINTCON 2016 Details

23 August, 2016 - 10:59

Posted by Troy Jessup on Aug 23


SAINT CON (SAINT is an Acronym for "Security Advisory and Incident Network Team") is a moderate sized hacking
conference based in Utah. SAINTCON is a non-profit event where we provide a security conference focused on training,
discussion, and information sharing.

When you attend SAINTCON, you will experience one of the best information security conferences that combines
professional, casual, and social...

Re: Latency is a demogorgon

18 August, 2016 - 09:06

Posted by Parity on Aug 18

A fun question to ask is, *"why wasn't that Cisco ASA remote patched?"*

Because EQGRP didn't tell Cisco about it, duh.

But, wait, if you're EQ and suddenly a bunch of your vulns are in the wind,
you're bloody well going to rethink the equities there, right? Especially
knowing that an adversary was suddenly in possession of a bunch of your
unpatched vulnerabilities...

Unless, of course, you didn't know.


Re: Latency is a demogorgon (dave aitel)

18 August, 2016 - 08:56

Posted by Jeffrey Carr on Aug 18

Thanks for this post, Dave. I enjoyed reading it.

Regarding the EQ Group leak, I think that there's a good case to be made
that an insider or an ex-employee was responsible. I hope to have some
reasons posted on why that is in the next few days.

Jeff Carr

On Wed, Aug 17, 2016 at 9:00 AM, <dailydave-request () lists immunityinc com>

Latency is a demogorgon

17 August, 2016 - 10:24

Posted by dave aitel on Aug 17

So every remote access trojan framework has a high level interpreter
built into it these days. It brings you back to something from that Zero
Day movie (which we all watched drunk to make it bearable, admit it)
where a Kaspersky analyst talked about Stuxnet being "Big but amazingly
BUG FREE". Not having subtle bugs is something you can do much more
easily in Python/Lua/Ruby/etc than in C/C++. There are other good
reasons to have a high...

An anonymous posting

16 August, 2016 - 09:24

Posted by dave aitel on Aug 16

Note that the below is not from me. I know every time I do this ppl who
can't read are like "IT IS FROM YOU". But I have a strict personal rule
against pseudonyms; even my TF2 and Overwatch accounts are named

Regarding the supposed Cisco firewall tool leak from NSA that was
publicly disclosed recently:

At a recent briefing, somebody said...

Re: The Correct Amount

16 August, 2016 - 09:15

Posted by Moses Hernandez on Aug 16

PHP is … well it just is, and that happens to be the problem. There is no good way around it, it’s far too much in use
to quickly deprecate and back out of, and it’s also very far from being well designed, or just designed at all. If you
don’t believe anyone just Google “Why is PHP Such a horribly designed language” for all the fun references to the
developers just magically patching this thing in real time to cobble the language....


15 August, 2016 - 08:54

Posted by dave aitel on Aug 15

If you're looking for a conference to attend that has real return on
investment then hopefully you've considered INFILTRATE
You can and will get drunk with your friends at INFILTRATE, but we've
spent a lot of time optimizing the conference for getting you real face
to face contacts and technical knowledge. Sometimes, and I hate to say
it, this...

Data based policy making in our space?

5 August, 2016 - 11:02

Posted by dave aitel on Aug 05


If you have not read this, then feel free to heckle me here about it!
Nate Cardozo has lots to say about it, but since the EFF's current
position on these things is a ball of unsupportable spaghetti he might
save his heckling for Twitter. :)