Daily Dave

Syndicate content
This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Updated: 14 min 19 sec ago

Re: The dream of the LISP machine is alive in the 90ies

18 February, 2019 - 11:41

Posted by the grugq on Feb 18


I like to think I'm as good an armchair philosopher as anyone else that

Attacking information processing systems is what I’ve been researching for
the last few years. The only way to create propaganda or implement
deceptions is if you have a model of how the entity processes data. Once
you have that model you can craft information that will force the entity to
respond in the manner you chose. This is the theory anyway. There...

The dream of the LISP machine is alive in the 90ies

15 February, 2019 - 11:23

Posted by Bas Alberts on Feb 15

I ate some bad chicken last night.

Really it all started a few days ago when I saw a chick-fil-a
commercial about their heart shaped 30pc nugget Valentines day
special. That's where that particular piece of data first entered my

I didn't think much of it at the time.

If you're wondering how I could let delicious chicken trump my ethics
I would counter that, if you're reading this, you are probably an

0days Post

13 February, 2019 - 13:51

Posted by Dave Aitel on Feb 13

When in the course of human events, it becomes necessary for one person to
communicate information about an unknown vulnerability to the public, they
often do not do so in the manner to which you might expect: With all due
pomp and circumstance, a ringing of the sacred bells, a phone call to Kim
Zetter, and that sort of thing.

Instead, they announce their talk title as "TBD LOL!", put a code fragment
into their Keynote slidepack with...

Re: Static and Dynamic Analysis

13 February, 2019 - 12:03

Posted by Jared DeMott on Feb 13

We use and have access to a number of both types of tools when we do dev
training and pentesting. We find them fairly useful both for dev and for
red teaming.

Static and Dynamic Analysis

11 February, 2019 - 14:00

Posted by Dave Aitel on Feb 11

So one thing I often find weird about our industry is how it gets taken
over by marketing language and the utility of entire classes of products
gets clouded over. For example, part of any SDLC is going to be static and
dynamic analysis. However, if you ask a normal security manager what kinds
of bugs these sorts of products find or don't find, and what the false
positive levels are, they find it hard to answer, even assuming they use

Web Hacking and CVSS

6 February, 2019 - 09:57

Posted by Dave Aitel on Feb 06

A lot of the trainings at INFILTRATE<http://infiltratecon.com/training/> have sold out (and we are going to be sold out
of Tier 2 Tickets soon as well), but one that is not sold out, and yet is my favorite, is the Web Hacking class. The
thing we realized a million years ago when we started doing trainings, is that the only thing that works is hands on
exercises, so the whole class is basically a guided CTF.

This brings me to CVSS. You...


28 January, 2019 - 14:42

Posted by Dave Aitel on Jan 28

We've announced all but one of the INFILTRATE 2019 speakers!

Probably the hardest question to answer about a CFP I've found is "Why
wasn't this particular great talk chosen?" and I've gotten a few of these
since the announcement letters went out. Part of the answer sometimes is
balance. You don't want an entire conference of Heap Overflows or Fuzzing
or Mobile attacks any of...

Make your stack executable!

25 January, 2019 - 09:42

Posted by Dave Aitel on Jan 25

So in case you missed it, we announced last week that we've teamed up with
Azeria and Vector35 to do two extra classes at INFILTRATE this year. They
are already filling up, so I wanted to make sure that everyone knew about
them and I didn't have to deal with last minute complaining about lack of
seats. :)

[image: image.png]


Modern Meanness

24 January, 2019 - 15:23

Posted by Dave Aitel on Jan 24

"Every man loves what he is good at", said Thomas Shadwell, poet laureate
of England, a few hundred years ago. Coincidentally, a few years ago I was
on a TF2 server with a different Thomas Shadwell. I actually grew up with
Team Fortress Classic, and then when I had kids I got back into TF2 because
its advanced level of whimsey is oddly addictive, not just to meet British

Zoom forward to today and Thomas <https://zemn.me/...

INFILTRATE talk announcement: Marco Ivaldi, The Story of a Solaris 0day

22 January, 2019 - 13:05

Posted by Dave Aitel on Jan 22


I don't want to talk too much about the talk, but I do want to talk a bit about INFILTRATE and what it was like in the
2000's to be a Unix hacker. Because almost everyone wrote _some_ exploits. These days, the supply chain is as vertical
as a glowworm's saliva lure, and equally sticky. You could specialize in blockchain security and literally never even
venture off the particular...

Bring a question, and sunblock.

14 January, 2019 - 14:46

Posted by Dave Aitel on Jan 14


Project Zero released about five different bugs today in Windows:

This is my favorite bit:
*Ultimately I warned you after cases 36544 and 37954 that you should be
fixing the root cause of normal user’s being able to use the Session
Moniker not playing whack-a-mole with COM objects. Of course you didn’t...

EuskalHack Security Congress Call For Papers

14 January, 2019 - 13:34

Posted by Joxean Koret on Jan 14

      _____          _         _ _   _            _          
     | ____|   _ ___| | ____ _| | | | | __ _  ___| | __      
     |  _|| | | / __| |/ / _` | | |_| |/ _` |/ __| |/ /      
     | |__| |_| \__ \   < (_| | |  _  | (_| | (__|   <       ...

Re: CVSS is the worst compression algorithm ever

11 January, 2019 - 09:50

Posted by Nathaniel Ferguson on Jan 11

Well that's not entirely true, a significant percentage of work comes from vendors seeking to acquire or utilize
another product or an institution going through some sort of audit wherein both cases the client is someone that
doesn't really even want to be going through it and it's something being forced on them. Those are the instances I've
encountered where the sort of negotiating down or into entire absence findings are...

Re: CVSS is the worst compression algorithm ever

11 January, 2019 - 09:49

Posted by Adrian Sanabria on Jan 11

Everywhere I've ever pentested, we've used a low/medium/high or
low/medium/high/critical scale - this is my first encounter with DREAD.
What you describe though - clients attempting to negotiate down the
severity of vulns on the report - was common regardless of the scoring
system used. I don't see DREAD being unique in that respect.

Reflecting, it's probably what pushed me towards the binary system I ended
up using. No score...

Re: CVSS is the worst compression algorithm ever

11 January, 2019 - 09:47

Posted by Adam Shostack on Jan 11

Okay, I'll respond generally about DREAD. The issue comes up when
people say "We'll treat a DREAD rating of >= 8 as critical." Then
someone looks at your discoverability of 7, and says "hmm, if this
were a 6, then DREAD would be 7.9...can we change it?" Lacking any
guidance on the difference, it's hard to say no.

Really, it's often "You're being unreasonable by making
discoverability a 7...

Re: CVSS is the worst compression algorithm ever

11 January, 2019 - 09:46

Posted by Adrian Sanabria on Jan 11

I probably shouldn't have brought it up - I'm not involved much on the
pentesting side. I know we've discussed replacing it, but finding little
out there to replace it with.

In my own work, I find most of my pentesting results come down to a binary
value (hackable, not hackable) and some sense of likelihood of it getting
exploited by a malicious party. Highs/mediums/lows all seem pointless when
emulating the attacker perspective....

Re: CVSS is the worst compression algorithm ever

11 January, 2019 - 09:44

Posted by Adrian Sanabria on Jan 11

I understand the limitations and challenges of CVSS. We already do a lot of
what you mentioned to come up with a risk score. Some of it, I'm still
trying to figure out how to do. The bottom line though, is that we find the
factors that go into the score (CIA, exploitability, exploit availability,
attack vector, etc) to be useful. The score *itself*, is what I was talking
about not being terribly useful, though it does go into our model also....

Re: CVSS is the worst compression algorithm ever

10 January, 2019 - 14:24

Posted by Dennis Groves on Jan 10

+1 Wim. You covered that perfectly.

Re: CVSS is the worst compression algorithm ever

10 January, 2019 - 14:21

Posted by Adam Shostack on Jan 10

I'm sorry, but I need to rant a little.

A decade back, I wrote a "DREAD is DEAD, please stop" blog post for
Microsoft. If you are getting consistent scoring out of DREAD, you
are not using DREAD (as described in Writing Secure Code 1, which I
think is the first public description).

You are using some derivitive that adds tools to provide for
that consistency. Those tools may be as simple as a set of examples
of each of the...

Re: CVSS is the worst compression algorithm ever

10 January, 2019 - 14:13

Posted by Monroe, Bruce on Jan 10

Uh no. CVSS scores a vulnerability and if it’s a vendor we’re scoring that without knowing how you have the vulnerable
software/firmware/hardware/ect deployed in your environment. It’s why the CVSS Base Score is worst case. The resulting
CVSS V3 vulnerability score is one element you can then calculate into your overall risk factoring. It’s the orgs job
consuming the CVSS V3x vulnerability score to determine their risk and set their...