Daily Dave

Syndicate content
This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.
Updated: 7 min 25 sec ago


19 March, 2019 - 10:02

Posted by Dave Aitel on Mar 19

It's almost INFILTRATE dry-run time! Some part of me prefers the slow pace
of two talks a day to the firehose that is a one-track focused conference
where each speaker has been told to not walk us through the basics. This is
the balance of "We liked a ton more talks than we have slots" and "my brain

Because there's about a thousand conferences now, there's also so many
talks you could do nothing but...

(no subject)

27 February, 2019 - 13:53

Posted by Steve Lord on Feb 27

44CON is the UK's premier annual technical security conference and
training event. From the evening of the
11th of September till the 13th of September 2019, expect a top-tier
international technical conference
with fast wifi, loose 0day, a village pub and of course, Gin O'Clock.

__ __ __ __ __________ _ __
/ // / / // / / ____/ __ \/ | / / | "You can hack us
/ // /_/ // /_/ / / / / / |/ / | You can...

Re: The dream of the LISP machine is alive in the 90ies

18 February, 2019 - 11:41

Posted by the grugq on Feb 18


I like to think I'm as good an armchair philosopher as anyone else that

Attacking information processing systems is what I’ve been researching for
the last few years. The only way to create propaganda or implement
deceptions is if you have a model of how the entity processes data. Once
you have that model you can craft information that will force the entity to
respond in the manner you chose. This is the theory anyway. There...

The dream of the LISP machine is alive in the 90ies

15 February, 2019 - 11:23

Posted by Bas Alberts on Feb 15

I ate some bad chicken last night.

Really it all started a few days ago when I saw a chick-fil-a
commercial about their heart shaped 30pc nugget Valentines day
special. That's where that particular piece of data first entered my

I didn't think much of it at the time.

If you're wondering how I could let delicious chicken trump my ethics
I would counter that, if you're reading this, you are probably an

0days Post

13 February, 2019 - 13:51

Posted by Dave Aitel on Feb 13

When in the course of human events, it becomes necessary for one person to
communicate information about an unknown vulnerability to the public, they
often do not do so in the manner to which you might expect: With all due
pomp and circumstance, a ringing of the sacred bells, a phone call to Kim
Zetter, and that sort of thing.

Instead, they announce their talk title as "TBD LOL!", put a code fragment
into their Keynote slidepack with...

Re: Static and Dynamic Analysis

13 February, 2019 - 12:03

Posted by Jared DeMott on Feb 13

We use and have access to a number of both types of tools when we do dev
training and pentesting. We find them fairly useful both for dev and for
red teaming.

Static and Dynamic Analysis

11 February, 2019 - 14:00

Posted by Dave Aitel on Feb 11

So one thing I often find weird about our industry is how it gets taken
over by marketing language and the utility of entire classes of products
gets clouded over. For example, part of any SDLC is going to be static and
dynamic analysis. However, if you ask a normal security manager what kinds
of bugs these sorts of products find or don't find, and what the false
positive levels are, they find it hard to answer, even assuming they use

Web Hacking and CVSS

6 February, 2019 - 09:57

Posted by Dave Aitel on Feb 06

A lot of the trainings at INFILTRATE<http://infiltratecon.com/training/> have sold out (and we are going to be sold out
of Tier 2 Tickets soon as well), but one that is not sold out, and yet is my favorite, is the Web Hacking class. The
thing we realized a million years ago when we started doing trainings, is that the only thing that works is hands on
exercises, so the whole class is basically a guided CTF.

This brings me to CVSS. You...


28 January, 2019 - 14:42

Posted by Dave Aitel on Jan 28

We've announced all but one of the INFILTRATE 2019 speakers!

Probably the hardest question to answer about a CFP I've found is "Why
wasn't this particular great talk chosen?" and I've gotten a few of these
since the announcement letters went out. Part of the answer sometimes is
balance. You don't want an entire conference of Heap Overflows or Fuzzing
or Mobile attacks any of...

Make your stack executable!

25 January, 2019 - 09:42

Posted by Dave Aitel on Jan 25

So in case you missed it, we announced last week that we've teamed up with
Azeria and Vector35 to do two extra classes at INFILTRATE this year. They
are already filling up, so I wanted to make sure that everyone knew about
them and I didn't have to deal with last minute complaining about lack of
seats. :)

[image: image.png]


Modern Meanness

24 January, 2019 - 15:23

Posted by Dave Aitel on Jan 24

"Every man loves what he is good at", said Thomas Shadwell, poet laureate
of England, a few hundred years ago. Coincidentally, a few years ago I was
on a TF2 server with a different Thomas Shadwell. I actually grew up with
Team Fortress Classic, and then when I had kids I got back into TF2 because
its advanced level of whimsey is oddly addictive, not just to meet British

Zoom forward to today and Thomas <https://zemn.me/...

INFILTRATE talk announcement: Marco Ivaldi, The Story of a Solaris 0day

22 January, 2019 - 13:05

Posted by Dave Aitel on Jan 22


I don't want to talk too much about the talk, but I do want to talk a bit about INFILTRATE and what it was like in the
2000's to be a Unix hacker. Because almost everyone wrote _some_ exploits. These days, the supply chain is as vertical
as a glowworm's saliva lure, and equally sticky. You could specialize in blockchain security and literally never even
venture off the particular...