Daily Dave

Syndicate content
This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Updated: 2 min 13 sec ago

Re: A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos

19 November, 2019 - 11:59

Posted by frank pound on Nov 19

Although not a 0-day buildroot[0] seems to use http to download its
tarballs. It would be interesting to see which of the many embedded devices
(like cubesats and rockets??) out there use buildroot or similar systems
akin to buildroot to construct their minimal linux kernel and linux
environments. Firmware updates etc. available as binary downloads might be
constructed with such a build system. I haven't done much research on this
other...

Re: A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos

1 November, 2019 - 20:10

Posted by Alex Stamos on Nov 01

Hi, Dave-

I'm glad you enjoyed the keynote, and I appreciate the risks from 0-day. I
would disagree with Nathan that I'm a naive empiricist. I learned something
really important when I took the CISO job at Yahoo, my first big-company VP
position under a very experienced Silicon Valley executive named Jay
Rossiter. Jay told me "Son, you are coming from a world where you could
focus on really specific and interesting challenges but...

Re: A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos

1 November, 2019 - 14:40

Posted by Arun Koshy on Nov 01

Another candidate for airport-ad that I must highlight on this thread.
The truth hurts but it does set one free. I just personally wish to
unsee some of the stuff we've seen in negative rings these past 18 or
so months.

Re: A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos

1 November, 2019 - 13:24

Posted by Nathan Landon on Nov 01

It’s naive empiricism, much like the discussions around terrorism:
https://www.youtube.com/watch?time_continue=33&v=9dKiLclupUM

What Dave is essentially saying (I think) and what Alex Stamos misses is that 0-days have fat tail risks.

-Nate

Re: A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos

1 November, 2019 - 11:07

Posted by Don A. Bailey on Nov 01

Alex is exceptional but this is a critical fact that is indeed overlooked by a vocal majority.

Re: A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos

1 November, 2019 - 10:35

Posted by Arun Koshy on Nov 01

Wish there were ads in airports just with the above statement -- in a
world that worked correctly, there would be. But this above, yes and
yes.

A KEYNOTE REVIEW: Bluehat 2019 Alex Stamos

1 November, 2019 - 10:18

Posted by Dave Aitel on Nov 01

Ok, so you can/should watch it here:
https://www.youtube.com/watch?v=uohyx7OIugY

Alex is a great keynote speaker and I really like a lot of his talk
(especially where he delves into how disintermediation has broken all
social systems without ever using the word disintermediation) but also I
think he's super wrong about something so I'm going to spam this at him
(and all of you) to annoy him, specifically in a section about priorities...

RootedCON 2020 Call For Papers is open!

31 October, 2019 - 20:12

Posted by omarbv on Oct 31

______ _ _ ____ ___ _ _
/ / _ \ ___ ___ | |_ ___ __| |/ ___/ _ \| \ | |
/ /| |_) / _ \ / _ \| __/ _ \/ _` | | | | | | \| |
/ / | _ < (_) | (_) | || __/ (_| | |__| |_| | |\ |
/_/ |_| \_\___/ \___/ \__\___|\__,_|\____\___/|_| \_|

*** /RootedCON'2020 - Main event ***

-=] About RootedCON

RootedCON is a technology congress that will be...

INFILTRATE 2020 Keynote Speaker Announcement!

31 October, 2019 - 19:57

Posted by Dave Aitel on Oct 31

So when I was 15 or something I read a poem in a Virginia Tech literary
magazine that changed everything. Looking back, the idea that something you
write can float like pixie dust across the world and eventually change the
course of a life was too powerful to ignore.

For a lot of people, that something was this thesis
<https://yurichev.com/mirrors/DCC_decompilation_thesis.pdf> by Dr.
Cifuentes on decompiler design. At INFILTRATE every year...

Re: INFILTRATE 2020 Keynote Speaker Announcement!

31 October, 2019 - 19:42

Posted by Jared DeMott on Oct 31

Excellent!

Re: INFILTRATE 2020 Keynote Speaker Announcement!

31 October, 2019 - 19:42

Posted by Edward Prevost on Oct 31

Impressive 

Edward Prevost | 509.254.7690 | @edwardprevost

Excellent!

So when I was 15 or something I read a poem in a Virginia Tech literary magazine that changed everything. Looking back,
the idea that something you write can float like pixie dust across the world and eventually change the course of a life
was too powerful to ignore. 

For a lot of people, that something was this thesis by Dr. Cifuentes on decompiler design. At...

"For the Glory of the State Machine"

25 September, 2019 - 08:43

Posted by Dave Aitel on Sep 25

So for the past while I've been obsessed with HTTP Desync Attacks
<https://www.youtube.com/watch?v=-y82LadA7N4>. A lot of people call this
"http request smuggling" which is a dumb name in a few ways, most
specifically because it restricts the bug class (and hence your mindset)
down to the smallest possible point. To be fair, in my head I call them
Parser State Mismatch bugs.

The way I look at this bugclass is that no two...