Daily Dave

This technical discussion list covers vulnerability research, exploit development, and security events/gossip. It was started by ImmunitySec founder Dave Aitel and many security luminaries participate. Many posts simply advertise Immunity products, but you can't really fault Dave for being self-promotional on a list named DailyDave.

Felt Vampires in Policy World And You

12 June, 2024 - 14:36

Posted by Dave Aitel via Dailydave on Jun 12

Can a hamster do interprocedural analysis? What size of hamster can turn a
tier-2 geopolitical adversary's cyber force into a tier-1 adversary? Is the
best use of a hamster finding 0day or orchestrating the offensive
operations themselves? These are all great questions for policy teams to
ponder and they pontificate over how to properly regulate AI.

On one hand, as a technologist, your tendency will be to try to explain to
policy teams what...

GDB Dances and the Moon

8 June, 2024 - 10:39

Posted by Dave Aitel via Dailydave on Jun 08

People occasionally read my blogposts
<https://cybersecpolitics.blogspot.com/2024/04/what-open-source-projects-are.html> on
Jia Tan
<https://cybersecpolitics.blogspot.com/2024/04/the-open-source-problem.html> and
then ask me about open source development in general, and you can only, in
your darkest heart of hearts (your only heart) laugh.

The other day I was contributing to a project that I am one of several
developers on. In...

Re: What a failure of Secure by Design looks like: Web Browsers

4 June, 2024 - 14:36

Posted by Tom Ritter via Dailydave on Jun 04

Speaking about (but not for - this is just how I interpreted it) Firefox -
mostly sausage making and org pains. Fennec (the old mobile architecture)
supported extensions, although I don't remember to what extent/how well. In
2016 it got WebExtension support - before that it was supporting extensions
in the old style of "Just let them do whatever they want in the browser,
I'm sure it will be fine.[0]" And in late 2017 we...

Re: What a failure of Secure by Design looks like: Web Browsers

4 June, 2024 - 09:35

Posted by Andre Gironda via Dailydave on Jun 04

The problem of ads or things-in things is in a poor state. It's bad on
every stack, every ecosystem. Ads or SEO poisoning bubbled up this
crimeware-to ransomware via "Bing AI Chat" --
https://www.bleepingcomputer.com/news/security/bing-chat-responses-infiltrated-by-ads-pushing-malware/
Try asking your AI buddy a download link for Advanced IP Scanner

and there's been other strange stories such as this one --...

Re: What a failure of Secure by Design looks like: Web Browsers

3 June, 2024 - 22:26

Posted by Michal Zalewski via Dailydave on Jun 03

The security argument is fairly good in the sense that the extension
security model is broken. It's not even about ad blockers: far too many
extensions request overly broad permissions and then either do sneaky
things (e.g., "monetizing" users by stealing browsing histories) or put
users at risk. It doesn't help that if you pop a developer's account, you
can essentially deploy a backdoored extension to all users...

Re: What a failure of Secure by Design looks like: Web Browsers

3 June, 2024 - 22:18

Posted by Dave Aitel via Dailydave on Jun 03

So on one hand, a net completely controlled by Facebook and Apple and every
other walled off application "garden" would be a terrible thing. And yet,
did we not get just that in a manner of speaking? How healthy would we say
the net is right now?

Also, I find the security argument against extensions
<...

Re: What a failure of Secure by Design looks like: Web Browsers

16 May, 2024 - 10:28

Posted by Michal Zalewski via Dailydave on May 16

As you note, the list is much longer than JIT - web fonts, WebGL, and so on.

But I was there, and many of these decisions weren't about not
grasping the risk, or prioritizing performance for the sake of it.

Rather, they came from a place of terror: look at mobile applications
cannibalizing the browser market share! If we don't give people the
ability to build applications with as much flexibility as they have
natively, the web will...

What a failure of Secure by Design looks like: Web Browsers

16 May, 2024 - 09:52

Posted by Dave Aitel via Dailydave on May 16

I know it's in vogue to pick on enterprise hardware marketed to "Secure
your OT Environment" but actually written in crayon in a language made of
all sharp edges like C or PHP, with some modules in Cobol for spice. This
is the "Critical Infrastructure" risk du jour, on a thousand podcasts and
panels, with *Volt Typhoon* in the canary seat, where once only the
"sophisticated threat" Mirai had root permissions....

Re: Excellent piece by Chris Rohlf - " No, LLM Agents can not Autonomously Exploit One-day Vulnerabilities "

24 April, 2024 - 13:50

Posted by Arun Koshy via Dailydave on Apr 24

This is probably an independent issue ( imvho ).

Re LLMs and present AI / ML regime, my only public comment is that
we're in the Hindenburg [1] era .. caveat emptor. Another insightful
paper that probably will be ignored this summer:

https://arxiv.org/abs/2308.03762 ( author :
https://people.csail.mit.edu/kostas/ )

[1] - https://en.wikipedia.org/wiki/LZ_129_Hindenburg

A Familiar World of Chaos

21 April, 2024 - 11:08

Posted by Dave Aitel via Dailydave on Apr 21

After spending some time looking at "Secure by Design/Default" I have no
doubt many of you feel like something is missing - something that's hard to
put your finger on. So you go back to the treadmill of reading about bugs
in Palo Alto devices, or the latest Project Zero blogpost, or something the
Microsoft Threat Team is naming RidonculousBreeze, or whatever.

For those of you who chose to read the latest Project Zero post, one...