Daily Dave Mailing List

This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

Latest Posts

Re: Excellent piece by Chris Rohlf - " No, LLM Agents can not Autonomously Exploit One-day Vulnerabilities " Arun Koshy via Dailydave (Apr 24)
This is probably an independent issue ( imvho ).

Re LLMs and present AI / ML regime, my only public comment is that
we're in the Hindenburg [1] era .. caveat emptor. Another insightful
paper that probably will be ignored this summer:

https://arxiv.org/abs/2308.03762 ( author :
https://people.csail.mit.edu/kostas/ )

[1] - https://en.wikipedia.org/wiki/LZ_129_Hindenburg

Excellent piece by Chris Rohlf - " No, LLM Agents can not Autonomously Exploit One-day Vulnerabilities " Arun Koshy via Dailydave (Apr 24)
check:

https://struct.github.io/auto_agents_1_day.html

A Familiar World of Chaos Dave Aitel via Dailydave (Apr 21)
After spending some time looking at "Secure by Design/Default" I have no
doubt many of you feel like something is missing - something that's hard to
put your finger on. So you go back to the treadmill of reading about bugs
in Palo Alto devices, or the latest Project Zero blogpost, or something the
Microsoft Threat Team is naming RidonculousBreeze, or whatever.

For those of you who chose to read the latest Project Zero post, one...

Sophia D'Antoine Dave Aitel via Dailydave (Apr 17)
On Monday, I and 400 other people, including many on this mailing list,
attended Sophia's funeral in a huge church in the upper east side of NYC.
Although I grew up in a Jewish household, I am not religious, and the last
time I went to a church was also with Sophia, in Jerusalem, where we
wandered through various landmarks until we ended up at the Church of the
Holy Sepulcher, one of the holiest sites for Christianity.

We waited in a line...

do androids dream of electric sheep in JSON or XML? Dave Aitel via Dailydave (Apr 02)
Like everyone I know, I've been spending a lot of time neck deep in LLMs.
As released, they are fascinating and useless toys. I feel like actually
using an LLM to do anything real is your basic nightmare still. At the very
minimum, you need structured output, and OpenAI has led the way in offering
a JSON-based calling format which allows you to extend it with functions
that cover the things an LLM can't really do...

Bugdoor vs Backdoor Dave Aitel via Dailydave (Apr 01)
The security community (aka, all of us on this list) still rages with the
impact of Jia Tan putting a sophisticated backdoor into the XZ package, and
all of the associated HUMINT effort that went into it. And I realized from
talking to people, especially people in the cyber policy realm but also
technical experts, about it that there's a pretty big gap when it comes to
understanding why someone would put in a backdoor at...

t2'24: Last Dance Tomi Tuominen via Dailydave (Mar 28)
Dear Daily Dave,

For a hacker conference, twenty years is a huge achievement — for a small conference, even more so. Over these years
we’ve enjoyed speakers showcasing results from cutting-edge research, seen thought-provoking keynotes and bonded with
other like-minded people from all over the world.

If we had to summarize the experience with one word, it would be gratitude. The speakers, repeat speakers, first timers
or regular...

while True: Dave Aitel via Dailydave (Mar 24)
There seem to be a lot of people who think the problem with cyber security
is we aren't paying lawyers enough. This results in the current push for
software liabilities, or the need to click accept on cookies before we use
every website. It is natural for lawyers to want to feed the
next generation of associates, by regurgitating legal koans into their
mouths. These vomitous truisms pass for thought leadership when you go high
enough into...

Re: Value of the [leaked] Windows source Michal Zalewski via Dailydave (Mar 06)
Not really different from prototyping on the Linux kernel or the
Chromium codebase - pick an old version if you want known bugs... you
don't see a whole lot of that either, and in contrast to Windows, that
wouldn't lead to all kinds of icky questions about ethics, IP, etc.

The thing about most of these tools is that they don't fare well in
large and exotic codebases. What makes sense for a web app is seldom
applicable to a kernel,...

Value of the [leaked] Windows source Konrads Klints via Dailydave (Mar 06)
Windows XP and Windows 2003 partial source code is out there on github. With such a rich corpus of known
vulnerabilities in those OS'es and source code availability, surely there should be an amazing amount of
SAST/semgrep/codeql rules that take as input existing known exploits and then do rules that find similar things, yet I
don't seem to be able to find such projects

Surely, these two code bases should be the foundation of most...

Re: 0xC15A: Secure By Design and Secure by Default Christian Heinrich via Dailydave (Jan 26)
Telsh,

The CISA responded to their draft deliverable on 29 November 2023
(Page 15) and have agreed to implement its recommendations by 31
October 2024, 30 May 2025 (Page 12) and 30 September 2025 (Page 13)

The page numbers above of
https://www.oig.dhs.gov/sites/default/files/assets/2024-01/OIG-24-09-Jan24.pdf

Secure By Default Part 2 Dave Aitel via Dailydave (Jan 19)
So I wrote a little draft essay on Secure By Default and opened it for
comment. I think one thing that we maybe forget in our community is that
some of the more fundamental bases of what we do never make it up to
policy-world. Langsec being the primary example. But also there's a huge
body of work in TAOSSA, Shellcoders, every offensive conference talk, etc.
that never gets put into context anywhere but in our clique.

Obviously feel free...

Re: 0xC15A: Secure By Design and Secure by Default telsh via Dailydave (Jan 19)
Hey everybody,

Please note the last sentence on page 3:
"The scope of our audit was efforts during fiscal years 2019 through 2022"

Not being a fanboy of CISA, I see that quite a lot of (positive) things
have happened in the last 2 years there.

And publishing a report for that timeframe in January 2024 puts the OIG
in a questionable light regarding agility and speed.

Just my 0.02 €...
telsh

Re: 0xC15A: Secure By Design and Secure by Default Christian Heinrich via Dailydave (Jan 19)
Dave,

https://www.oig.dhs.gov/sites/default/files/assets/2024-01/OIG-24-09-Jan24.pdf
reached a different conclusion.

0xC15A: Secure By Design and Secure by Default Dave Aitel via Dailydave (Jan 12)
So I have a ton of thoughts on the CISA Secure by Design and Secure by
Default push that is ongoing, as I am sure many of you do. And the first
thought is: This is not a bad way to go about business as a government
agency in general. I think it's easy to ignore how fast the USG has changed
its business practices, showing an agility that few large organizations can
match. In particular using Secure By Design as a case example.

1. Massive...
