Daily Dave Mailing List

This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

Latest Posts

GDB Dances and the Moon Dave Aitel via Dailydave (Jun 08)
People occasionally read my blogposts
<https://cybersecpolitics.blogspot.com/2024/04/what-open-source-projects-are.html> on
Jia Tan
<https://cybersecpolitics.blogspot.com/2024/04/the-open-source-problem.html> and
then ask me about open source development in general, and you can only, in
your darkest heart of hearts (your only heart) laugh.

The other day I was contributing to a project that I am one of several
developers on. In...

Re: What a failure of Secure by Design looks like: Web Browsers Tom Ritter via Dailydave (Jun 04)
Speaking about (but not for - this is just how I interpreted it) Firefox -
mostly sausage making and org pains. Fennec (the old mobile architecture)
supported extensions, although I don't remember to what extent/how well. In
2016 it got WebExtension support - before that it was supporting extensions
in the old style of "Just let them do whatever they want in the browser,
I'm sure it will be fine.[0]" And in late 2017 we...

Re: What a failure of Secure by Design looks like: Web Browsers Andre Gironda via Dailydave (Jun 04)
The problem of ads or things-in things is in a poor state. It's bad on
every stack, every ecosystem. Ads or SEO poisoning bubbled up this
crimeware-to ransomware via "Bing AI Chat" --
https://www.bleepingcomputer.com/news/security/bing-chat-responses-infiltrated-by-ads-pushing-malware/
Try asking your AI buddy a download link for Advanced IP Scanner

and there's been other strange stories such as this one --...

Re: What a failure of Secure by Design looks like: Web Browsers Michal Zalewski via Dailydave (Jun 03)
The security argument is fairly good in the sense that the extension
security model is broken. It's not even about ad blockers: far too many
extensions request overly broad permissions and then either do sneaky
things (e.g., "monetizing" users by stealing browsing histories) or put
users at risk. It doesn't help that if you pop a developer's account, you
can essentially deploy a backdoored extension to all users...

Re: What a failure of Secure by Design looks like: Web Browsers Dave Aitel via Dailydave (Jun 03)
So on one hand, a net completely controlled by Facebook and Apple and every
other walled off application "garden" would be a terrible thing. And yet,
did we not get just that in a manner of speaking? How healthy would we say
the net is right now?

Also, I find the security argument against extensions
<...

Re: What a failure of Secure by Design looks like: Web Browsers Michal Zalewski via Dailydave (May 16)
As you note, the list is much longer than JIT - web fonts, WebGL, and so on.

But I was there, and many of these decisions weren't about not
grasping the risk, or prioritizing performance for the sake of it.

Rather, they came from a place of terror: look at mobile applications
cannibalizing the browser market share! If we don't give people the
ability to build applications with as much flexibility as they have
natively, the web will...

What a failure of Secure by Design looks like: Web Browsers Dave Aitel via Dailydave (May 16)
I know it's in vogue to pick on enterprise hardware marketed to "Secure
your OT Environment" but actually written in crayon in a language made of
all sharp edges like C or PHP, with some modules in Cobol for spice. This
is the "Critical Infrastructure" risk du jour, on a thousand podcasts and
panels, with *Volt Typhoon* in the canary seat, where once only the
"sophisticated threat" Mirai had root permissions....

Re: Excellent piece by Chris Rohlf - " No, LLM Agents can not Autonomously Exploit One-day Vulnerabilities " Arun Koshy via Dailydave (Apr 24)
This is probably an independent issue ( imvho ).

Re LLMs and present AI / ML regime, my only public comment is that
we're in the Hindenburg [1] era .. caveat emptor. Another insightful
paper that probably will be ignored this summer:

https://arxiv.org/abs/2308.03762 ( author :
https://people.csail.mit.edu/kostas/ )

[1] - https://en.wikipedia.org/wiki/LZ_129_Hindenburg

Excellent piece by Chris Rohlf - " No, LLM Agents can not Autonomously Exploit One-day Vulnerabilities " Arun Koshy via Dailydave (Apr 24)
check:

https://struct.github.io/auto_agents_1_day.html

A Familiar World of Chaos Dave Aitel via Dailydave (Apr 21)
After spending some time looking at "Secure by Design/Default" I have no
doubt many of you feel like something is missing - something that's hard to
put your finger on. So you go back to the treadmill of reading about bugs
in Palo Alto devices, or the latest Project Zero blogpost, or something the
Microsoft Threat Team is naming RidonculousBreeze, or whatever.

For those of you who chose to read the latest Project Zero post, one...

Sophia D'Antoine Dave Aitel via Dailydave (Apr 17)
On Monday, I and 400 other people, including many on this mailing list,
attended Sophia's funeral in a huge church in the upper east side of NYC.
Although I grew up in a Jewish household, I am not religious, and the last
time I went to a church was also with Sophia, in Jerusalem, where we
wandered through various landmarks until we ended up at the Church of the
Holy Sepulcher, one of the holiest sites for Christianity.

We waited in a line...

do androids dream of electric sheep in JSON or XML? Dave Aitel via Dailydave (Apr 02)
Like everyone I know, I've been spending a lot of time neck deep in LLMs.
As released, they are fascinating and useless toys. I feel like actually
using an LLM to do anything real is your basic nightmare still. At the very
minimum, you need structured output, and OpenAI has led the way in offering
a JSON-based calling format which allows you to extend it with functions
that cover the things an LLM can't really do...

Bugdoor vs Backdoor Dave Aitel via Dailydave (Apr 01)
The security community (aka, all of us on this list) still rages with the
impact of Jia Tan putting a sophisticated backdoor into the XV package, and
all of the associated HUMINT effort that went into it. And I realized from
talking to people, especially people in the cyber policy realm but also
technical experts, about it that there's a pretty big gap when it comes to
understanding why someone would put in a backdoor at...

t2'24: Last Dance Tomi Tuominen via Dailydave (Mar 28)
Dear Daily Dave,

For a hacker conference, twenty years is a huge achievement — for a small conference, even more so. Over these years
we’ve enjoyed speakers showcasing results from cutting-edge research, seen thought-provoking keynotes and bonded with
other like-minded people from all over the world.

If we had to summarize the experience with one word, it would be gratitude. The speakers, repeat speakers, first timers
or regular...

while True: Dave Aitel via Dailydave (Mar 24)
There seem to be a lot of people who think the problem with cyber security
is we aren't paying lawyers enough. This results in the current push for
software liabilities, or the need to click accept on cookies before we use
every website. It is natural for lawyers to want to feed the
next generation of associates, by regurgitating legal koans into their
mouths. These vomitous truisms pass for thought leadership when you go high
enough into...

More Lists

Dozens of other network security lists are archived at SecLists.Org.