Dailydave June 2022

dailydave@lists.aitelfoundation.org

1 participants
2 discussions

The top of the whale
by Dave Aitel 24 Jun '22

24 Jun '22

People think that finding vulnerabilities is about finding holes in code. But at some level it's not really about that. It's about understanding that the code itself is a hole in the swirling chaos of the world and just letting a little bit of that chaos in allows you to illuminate the whole thing. Spending time in Seattle is a little bit like buying a pair of high-powered binoculars to look down the train tracks at that weird light that's heading towards you. Seattle is a city perpetually timeless and jet lagged - as far away as a giraffe's head from the country's dual beating hearts of New York City and DC. The city rests on an absolute bedrock of code. Code that feeds on lives everywhere as voraciously and implacably as a blue whale gulping krill. In that sense, the inhabitants of Seattle are those who have realized it's better to be on top of the whale than inside it. It is perhaps why all the architecture is as boxy as an early software package. If you pulled the lid of any of the buildings next to the water you might see the packaging for a Windows 95 CD ROM, or a bunch of floppies with a forgotten database. When you go running past all these horribly efficient buildings down to the water on the lone sunny day, you will be surprised with a bunch of naked people, stripping down next to an old industrial park turned into a playground, covering themselves in body paint before some eldritch streaking ritual for the parade over the hill. Around them buzz photographers immortalizing the moment. Memes infecting other memes like an endless series of smaller wasp larvae. Flying back to Miami, amongst the bridal parties and vacationers, over an endless survey of drying rivers and lakes, the ravages of unchecked climate change exposing raw pale edges the exact beige color of army pants. The whole country - a patchwork tinderbox of exposed nerves. With the right kind of eyes you can see a little bit of chaos being let in. -dave

1 0

Using microarchitecture bugs to beat authenticated pointers.
by Dave Aitel 11 Jun '22

11 Jun '22

If you've walked through the Underworld long enough, you've run into demons. Or maybe it's the other way around - by running into enough demons, you might realize you are walking through the Underworld. And by making friends with them, if you are lucky, you might realize you are a demon yourself. [image: image.png] My brother in Zeus - this is just tempting the Fates. Every so often an exploit from the Underworld is found. Maybe one or two a year is dragged screaming curses in a long-dead language out into the sunlight, pinned against a Kaspersky GReaT blogpost, and vivasected for the world. Sometimes these are simple bugs, with complex exploitation chains. Sometimes these are complex bugs, but with reliable simple exploit chains. Occasionally you see a host of bugs, all linked together like fire ants fording a stream. If you've walked through the Underworld enough you'll simply nod in recognition of them, perhaps stop to admire the artwork of the Runes carved into their skins by some unknown spellcrafter. My point is this: it doesn't matter what the real-world utility is for an exploit, because demons don't care. They operate partially in the future, perhaps. Or maybe ignoring real-world utility evolved as a sense of necessity of staying ahead of the eyes hunting for them. I'm not sure. But my rule - a core axiom of persistent engagement - is that if it can be done, it is being done already. -dave

1 0

2024

2023

2022

2021

2020

Dailydave June 2022