Daily Dave

This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

A Peer Review of the Latest Bellovin Paper on Cyber Weapons

18 July, 2016 - 14:31

Posted by Dave Aitel on Jul 18

http://papers.ssrn.com/sol3/papers.cfm?abstract_id=2809463
Limiting the Undesired Impact of Cyber Weapons: Technical Requirements and
Policy Implications
Steven M. Bellovin, Susan Landau, and Herbert S. Lin
*Acknowledgements: We are grateful for comments from Thomas Berson, Joseph
Nye, and Michael Sulemeyer, which improved the paper.*

In case you're curious: This paper went off the rails in my opinion in a
couple areas. The first is that...

Re: Clique - a stillborn project

18 July, 2016 - 14:21

Posted by future on Jul 18

Another encrypted mailing list is schleuder.
It works. http://schleuder2.nadir.org/

If you want to have a serverless encrypted mailinglist Bitmessage works
too.
https://www.bitmessage.org/wiki/Main_Page
Some people don't like the interface. Someone I know reads Bitmessages
on his email client.

Find a list of pros and cons here:
http://7ywdkxkpi7kk55by.onion/trac/wiki/PromisingProjects/BitMessage
another contra: it lacks the...

New Deadline August 15: International Conference on Computing, Networking and Communication (ICNC 2017) - Silicon Valley, USA

18 July, 2016 - 14:12

Posted by Jaime Lloret Mauri on Jul 18

CALL FOR PAPERS

ICNC 2017
2017 International Conference on Computing, Networking and Communication
Silicon Valley, USA
January 26-29, 2017
http://www.conf-icnc.org/2017

New Deadline August 15

The 2017 International Conference on Computing, Networking and Communication (ICNC) is a premier conference in the
computer and communication fields, which is to be held in Silicon Valley, California during January 26-29, 2017. The
conference covers all...

Re: "I hunt Sys-Admins"

13 July, 2016 - 16:15

Posted by Dave Aitel on Jul 13

Just want to chime in with this bit from politico this morning:

http://www.politico.com/tipsheets/morning-cybersecurity

*DEFINING DIGITAL ACTS OF WAR* — Rep. Will Hurd fears ambiguity on
international norms for acts of war in cyberspace could fuel escalation and
deeper economic losses for the United States. So his House Oversight
Information Technology Subcommittee is *holding*
<...

Re: "I hunt Sys-Admins"

13 July, 2016 - 16:07

Posted by Mara Tam on Jul 13

1. ‘Critical infrastructure’ is contextually dependent. It encompasses the physical and non-physical systems and
services whose damage, interruption, or destruction would deleteriously impact national or economic security, public
health, or public safety. Because these systems and services are defined as critical by the consequences of their
absence, one can expect a degree of variation from one society to another. That does not make the...

Re: "I hunt Sys-Admins"

13 July, 2016 - 13:23

Posted by Alex Grigsby on Jul 13

If what you're saying is: There are some places you should not attack, I would point out that the translation into
cyber world is "There are some effects on systems you should try not to have".

*****

That’s a version of what I’m saying to a certain extent and probably what the UN folks are saying as well in the CERT
context. In their 2015 GGE report (http://www.un.org/ga/search/view_doc.asp?symbol=A/70/174), they recommend...

"I hunt Sys-Admins"

13 July, 2016 - 13:15

Posted by Konrads Smelkovs on Jul 13

Anything that fails a dodgy curry thought experiment (what if your entire
team went for lunch and ate a bad curry which made them sick for a week)
cannot be considered critical infrastructure because you've clearly shown
it isn't important to you that much.

The second part is that UN/Tallinn conference attendees are often working
at CERTs so there may be a certain conflict of interest there.

This is a very good point. CERTs are...

Re: "I hunt Sys-Admins"

13 July, 2016 - 13:08

Posted by Konrads Smelkovs on Jul 13

Anything that fails a dodgy curry thought experiment (what if your entire
team went for lunch and ate a bad curry which made them sick for a week)
cannot be considered critical infrastructure because you've clearly shown
it isn't important to you that much.

The second part is that UN/Tallinn conference attendees are often working
at CERTs so there may be a certain conflict of interest there.

This is a very good point. CERTs are...

Re: Clique - a stillborn project

13 July, 2016 - 13:00

Posted by Marco Ivaldi on Jul 13

Interesting idea. The venerable zeitgeist-ml by tcannon implemented a
similar functionality for the 0dd.com mailing list. If you wanted the
server to encrypt your message (and subsequent replies), you just needed
to put the [0dd-encrypted] keyword in the email subject and the server
would handle it for you.

Not sure if the code is available somewhere and can be reused, though.

Re: "I hunt Sys-Admins"

13 July, 2016 - 12:51

Posted by future on Jul 13

I've put in some links, underpinning my sad perception that your idea of
values and borders is desirable but not the status quo.
-dmos

On 2016-07-12 18:16, Alex Grigsby wrote:

https://www.theguardian.com/world/2015/oct/08/doctors-without-borders-bombing-hospital-war-crime-analysis

It is also not allowed to bomb helpers. People that rescue wounded....

Re: Clique - a stillborn project

13 July, 2016 - 12:42

Posted by future on Jul 13

Five Eyes and other adequately equipped will know your identity. Still
there is no metadata obfuscation integrated in SpiderOak.
Hacking the server will probably help reveal people's social graph.
Such a social graph sensitive service should be dispersed over the whole
net. It's a nice business model on the broken Internet though. The
website is nice!

-dmos

On 2016-07-12 17:33, Thomas Quinlan wrote:

Re: "I hunt Sys-Admins"

12 July, 2016 - 16:54

Posted by Dave Aitel on Jul 12

I wrote a slightly longer piece on this today here:
http://cybersecpolitics.blogspot.com/2016/07/when-is-cyber-attack-act-of-war.html

But to address the CERT question directly, I will pose a few distinct
arguments as to how Cyber is a special snowflake and CERTS are clearly
legitimate targets.

First, the things I've read coming out of the UN/Tallinn have made few
inroads into defining the difference between CNE and CNA. From an espionage...

Re: "I hunt Sys-Admins"

12 July, 2016 - 13:59

Posted by Alex Grigsby on Jul 12

I agree with most of the points you raise (esp. with respect to the vagueness of "critical infrastructure") but I'll
push back a bit on your CERT point.

You're right that a CERT would likely be a prime target during a conflict, but just because a country would want to pwn
a CERT doesn't necessarily mean that it should. Over the last 100+ years, countries have agreed to not deliberately
target certain installations in...

Re: Clique - a stillborn project

12 July, 2016 - 13:34

Posted by Thomas Quinlan on Jul 12

Nothing says you have to use your real identity with something like
this:

https://spideroak.com/solutions/semaphor

Support Classes

12 July, 2016 - 11:52

Posted by dave aitel on Jul 12

https://www.josipfranjkovic.com/blog/race-conditions-on-web

Everyone read that post because it's some good shit. Unrelated to the
rest of this post, but still great.

Ok, now that you are done: Lately, like all of you I have been playing
Overwatch. Usually I play with people in infosec because that's more fun
for some reason, or I'm tribal, or whatever. (My ID is: DaveAitel#1794
if you want to play).

Anyways, last night, while...

Clique - a stillborn project

12 July, 2016 - 11:35

Posted by Ben Nagy on Jul 12

I just spent a while talking myself out of spending my holiday writing
code. Instead I am going to be doing elementary Ancient Greek,
finishing up the calculus sections of khanacademy and working through
Malory's epic Morte D'Arthur.

Here's the pitch: Clique is a standalone app that operates a gmail
account. If you're registered, you can send PGP encrypted emails to it
(but if you're using ancient ciphers they'll...

Re: "I hunt Sys-Admins"

12 July, 2016 - 11:26

Posted by J.M. Porup on Jul 12

Your analysis fails to include journalists like myself. Because if you hunt
sysadmins, then I hunt you.

jmp

"I hunt Sys-Admins"

11 July, 2016 - 14:21

Posted by dave aitel on Jul 11

Occasionally I like to reflect, as you all do, on the various things
that have mis-shaped our understanding of cyber war.

For example, take this Intercept article based on the Snowden leaks:
https://theintercept.com/2014/03/20/inside-nsa-secret-efforts-hunt-hack-system-administrators/

Viewed in hindsight, this article points very closely at something I'm
going to support in depth in an article coming out shortly, which is
that *the term...

Global Commission On Internet Governance report

30 June, 2016 - 08:16

Posted by Matthieu Suiche on Jun 30

https://www.ourinternet.org/report

Global Commission On Internet Governance, chaired by former Swedish PM Carl
Bildt, just released their report.

Given its first audience, and the fact they highlight issues related to
internet security and privacy - I thought it would be worth sharing for
open-comments.

"*Recommendations:* Consistent with the International Covenant on Civil and
Political Rights, no one should be subject to arbitrary...

Regulating Systemic Risk

23 June, 2016 - 10:10

Posted by dave aitel on Jun 23

People keep wanting to regulate vulnerabilities, which I find really
funny. Comedic-tragic really. Yet you never hear any mention of
regulation of online advertising networks, which is how the botnets are
getting built in the first place. Unless maybe you do? Perhaps someone
on this list knows of an effort to do that?

-dave