Daily Dave

This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

Re: 0xC15A: Secure By Design and Secure by Default

26 January, 2024 - 10:05

Posted by Christian Heinrich via Dailydave on Jan 26

Telsh,

The CISA responded to their draft deliverable on 29 November 2023
(Page 15) and has agreed to implement its recommendations by 31
October 2024, 30 May 2025 (Page 12) and 30 September 2025 (Page 13).

The page numbers above refer to
https://www.oig.dhs.gov/sites/default/files/assets/2024-01/OIG-24-09-Jan24.pdf

Secure By Default Part 2

19 January, 2024 - 16:06

Posted by Dave Aitel via Dailydave on Jan 19

So I wrote a little draft essay on Secure By Default and opened it for
comment. I think one thing that we maybe forget in our community is that
some of the more fundamental bases of what we do never make it up to
policy-world. Langsec being the primary example. But also there's a huge
body of work in TAOSSA, Shellcoders, every offensive conference talk, etc.
that never gets put into context anywhere but in our clique.

Obviously feel free...

Re: 0xC15A: Secure By Design and Secure by Default

19 January, 2024 - 15:59

Posted by telsh via Dailydave on Jan 19

Hey everybody,

Please note the last sentence on page 3:
"The scope of our audit was efforts during fiscal years 2019 through 2022"

Not being a fanboy of CISA, I see that quite a lot of (positive) things
have happened in the last 2 years there.

And publishing a report for that timeframe in January 2024 puts the OIG
in a questionable light regarding agility and speed.

Just my 0.02 €...
telsh

Re: 0xC15A: Secure By Design and Secure by Default

19 January, 2024 - 10:18

Posted by Christian Heinrich via Dailydave on Jan 19

Dave,

https://www.oig.dhs.gov/sites/default/files/assets/2024-01/OIG-24-09-Jan24.pdf
reached a different conclusion.

0xC15A: Secure By Design and Secure by Default

12 January, 2024 - 16:40

Posted by Dave Aitel via Dailydave on Jan 12

So I have a ton of thoughts on the CISA Secure by Design and Secure by
Default push that is ongoing, as I am sure many of you do. And the first
thought is: This is not a bad way to go about business as a government
agency in general. I think it's easy to ignore how fast the USG has changed
its business practices, showing an agility that few large organizations can
match. In particular using Secure By Design as a case example.

1. Massive...

Re: Leverage

27 December, 2023 - 14:45

Posted by Jason Syversen via Dailydave on Dec 27

I’m in! I’ve spent a bunch of time on this topic, from the mechanical (donor advised funds, supporting organizations,
tax law, etc.), theoretical (“effective altruism”, 80,000 hours, books on giving strategy, etc.) and practical (served
at probably a dozen charities now in various roles, donor strategies, measuring impact, etc.) AMA!

It’s fun as a hacker to use that mindset to effect a different kind of system change. And much more...

Leverage

27 December, 2023 - 13:40

Posted by Dave Aitel via Dailydave on Dec 27

So we know a lot of people who've gone into Big Corpo or sold a company or
just worked hard and gotten lucky and happen to be richer than the average
bear. And while a lot of those people put their money into nice things,
nothing wrong with that, a lot of them also try to use that money to change
the world, and then they find out it's harder to change the world with
money than it is with an exploit. And I know a lot of people who say...

A holiday reflection on: Training.

19 December, 2023 - 13:33

Posted by Dave Aitel via Dailydave on Dec 19

I think one thing this community does really well, better than almost any
other community I've found, is training. It's amazing, in a way,
because this is a community of professional secret holders. And yet
everywhere you look, a hacker is putting their heart and soul into
iterating on lab exercises for their class in whatever sub-field they are
an expert in.

And giving training is hard. It's hard in the way consulting is hard,...

t2'24: Call For Papers 2024 (Helsinki, Finland)

19 December, 2023 - 13:27

Posted by Tomi Tuominen via Dailydave on Dec 19

Call for Papers 2024

t2 infosec has been pushing the boundaries of security research for two decades and it don't stop. We're back April
18-19, 2024 - Helsinki, Finland.

CFP and registration are both open.

This is an event for newcomers, established merchants of dual use computer code, beginners of vulndev, cyber vagabonds,
retired or redacted, and hackers of all sorts.

If you have new original security research targeting old,...