- Dailydave - mm4.emwd.com

OpenAI Codex Security
by Dave Aitel 07 Mar '26

07 Mar '26

https://openai.com/index/codex-security-now-in-research-preview/ As you might have noticed we've released Codex Security and if you have a ChatGPT business or enterprise or edu or pro subscription (which is most of y'all) then you have access ! Just go to chatgpt.com/codex/security and hopefully it pulls up cleanly for you. If not, probably my fault in some way. If you do have access then I'd love it if you would: 1. Say what you think? You can just post your reasoned and informed analysis here. 2. Play my reverse ctf: can you construct a realistically exploitable human spottable vulnerability (as a commit to a repo monitored by codex security) that does not get detected ? Can be anything. Post your best result here and we can explore human vs AI together. Dave (I'll think of a prize at some point :) )

1 0

RE//verse, DistrictCon, an Anole Friend
by Dave Aitel 02 Feb '26

02 Feb '26

Last month was DistrictCon, a great conference that I did not attend because the sky decided to dump snow on Washington, DC. Anyone who has spent more than ten minutes in that city knows this is how you cancel every flight out of DCA and turn the roads into skating rinks filled with deeply furious government contractors. Life is short, so I remained in Miami where it was 80 degrees and everyone was pretending winter is a myth. Today it is somehow 30 degrees here, and the iguanas are scattered across the sidewalks, frozen mid-thought, like USB sticks someone yanked out without ejecting. Nature is resilient, but not emotionally prepared for Miami cold snaps. Yesterday I picked an anole off the ground and it tried to snuggle under my jacket, which in my opinion is a "no lizards" area no matter the weather. That said, next month on March 5th is RE//verse <https://re-verse.io/>. Everyone should come. It's in Orlando. It has great talks, and we are doing the hard but fun work of giving every talk a dry run before the conference. There should not be snow. But given recent events, no promises. -dave

1 0

feeling the air
by Dave Aitel 05 Jan '26

05 Jan '26

For reasons I still don’t fully understand, Miami Beach has enormous colonies of turkey vultures. You’ll see them circling over the city and the interstates, perched like huge awkward toddlers on lampposts, or standing motionless as a shadow in the strip of grass between the road and the blue water of the bay. If you look up at almost any moment, there’s a column of them somewhere overhead, wings spread wide, fingers splayed, feeling the air as they rise and fall until they’re just brown pinpricks against the sky. They’re not hunting in the way people imagine. They’re reading the environment. Thermals, pressure changes, subtle signals you don’t see from the ground. To understand the shape of the air, you have to spend a lot of time inside it. Lately, the hacking community looks exactly the same. Everyone is circling LLMs. Probing them. Stressing them. Flying the same invisible currents with different models, different agentic systems, different targets. Not because there’s a single exploit waiting up there, but because you only learn what’s possible by living in the flow and finding where lift suddenly appears. And it’s been a ridiculous year to do that. 2025 opened with SharePoint bugs, rolled straight into a design-level auth failure in Entra, delivered a steady drumbeat of humiliating appliance RCEs, and closed out with react2shell. An objectively unhinged year. One that made it hard to pretend we’re still in the old world where software is written one way and analyzed another. Something has shifted. Software is changing how it’s built, but just as importantly, how it’s *understood*. Analysis is no longer a static act. It’s dynamic, exploratory, and increasingly continuous. Tools aren’t just checking artifacts anymore, they’re moving through systems, adapting, accumulating intuition. That’s the environment AARDVARK grew out of. It’s not about a single clever trick. It’s about living in the air long enough to learn where the lift is, over and over again, across real systems at real scale. Which is why we’re hiring. If you know software engineers who want to work on systems that explore, adapt, and actually understand complex software in motion, we’re rapidly building that team now: https://openai.com/careers/software-engineer-security-products-san-francisc… – dave

1 0

Defense ?
by Dave Aitel 16 Nov '25

16 Nov '25

How would one actually move the actual bar in defense? A big part of me thinks that you're just not going to patch your way out of the problem. But the number of organizations that you can rely on to actually make a difference seems pretty small? Like even converting every Linux binary to rust would only make sense if you could find a team that could actually maintain and support that code base, which I don't know that you could. Like in a sense, what you have to do is completely rebuild how you're building software and have the large language model be the intermediary for everything? Dave

5 4

Re: Defense ?
by etojake＠10k.org 16 Nov '25

16 Nov '25

The content of this message was lost. It was probably cross-posted to multiple lists and previously handled on another list.

1 0

Offensive AI Con
by Dave Aitel 08 Oct '25

08 Oct '25

So I just got back from "Offensive AI Conference" in San Diego and it was a great event - for a first time conference it ran especially smoothly, the attendees were an amazing crowd, and many of the talks were extremely strong. There's something about a conference that is not recording the talks that gets people to actually sit and listen to them via the magic of FOMO, but also, when a conference is "invite only" then you just in general get less shenanigans - people are invested in being there. On the other hand, I worry that the glut of more "invite only" conferences actually locks out people who are underrepresented or not established in the industry, which is perhaps not ideal? Two talks I thought went particularly well were: - Ruikai Peng and Olivier Laflamme's talk on a methodology for binary analysis using LLMs they constructed (wrapping binja) - which they demoed finding an a 0day on a popular consumer firmware or two. Ruikai is apparently....16 years old? Insane. - Jason Garman and Aaron Brown's talk on Cyber Auto-Agent, which has a lot of interesting innovation in it but also is available <https://github.com/westonbrown/Cyber-AutoAgent> on GitHub. It's a web application assessment tool that (they claim) meets or exceeds XBOW's published number on the XBOW eval set (although I'm sure that's very out of date). Worth an install, for sure! When I took my kids to Defcon this year it was not really for business - it was vibe hacking in the strictest sense. These are trying times and I wanted to feel the community around me, even if that community was busy kicking an inflatable beach ball around in the lobby, or soldering badges together, or awkwardly dancing to nerdcore played at unreasonable volumes. In some ways, hearing the beating of the wings of the fifty thousand strong locust swarm of hackers that descends on Vegas every summer is very reassuring. In that sense, Defcon has always been more about pure distilled hacker vibe than anything else. But Offensive AI Conference was a business and technical meet up - much in the way Infiltrate used to be - where the DJ is actually told to turn down the volume of the music at the initial party because people are trying to have 50 different little meetings, where you attend the talks because the talks do actually matter. In any case, I assume next year they will grow, but also, still be annoyingly hard to get into. :) -dave

1 0

On becoming a carpenter
by Dave Aitel 12 Jun '25

12 Jun '25

[image: image.png] Every so often I poke my head out, gopher-like, from the tunnels where I am furiously vibe-coding, or as it's going to be known a couple years from now, coding. I think it's probably true that coding used to be a high octane sport for concentration freaks as deep in the zone as a sperm whale hunting giant squid by listening to the faint echoes of pings off squishy bodies leagues away. But coding is now a juggling competition where the winners are over-caffeinated ADHD insectivorous bats tracking the results of five different queries into as many LLM-based coding systems and context switching, running tests, and re-querying at a rate that would drive most people bananas. In other words, to compete in this day and age you do have to know your LeetCode, but you have to do it in parallel, using Codex, or Windsurf, or Codex-CLI, or cutting and pasting bits of code into o1-pro, but all at once, choosing which LLM-assistant-coder depending on what exact kind of programming issue you're trying to solve. On one hand, these tools are very much junior engineers, and make simple mistakes, and on the other hand, collectively they are better than you will ever be and realizing that as soon as possible is a big advantage. I spent some time, while contemplating obscure and bespoke flavors of obsolescence, to listen to Halvar's most recent talk. Everyone should. It is here: https://www.youtube.com/watch?v=qllU_B_Rmis . [image: image.png] "Cyber-espionage does not easily translate into industrial capability, particularly in fast moving industries. You don't become a carpenter by stealing his invoices" - Halvar And of course not? But that's not what hackers do. As we learned from listening to Grugq's keynote <https://conference.hitb.org/hitbsecconf2023hkt/speaker/the-grugq/> the most likely scenario is that hackers attack the carpentry problem as a system - use the invoices and outgoing quotes to drive all the business to yourself, along with stealing all their best people by offering them exactly 2X their salary. Going active sometimes means DoSing the supplier of some company so it misses a key deadline with its customer-base, which then moves to your more reliable, cheaper, product, built by their former head of engineering. And I firmly believe that few scientific and engineering problems are so hard that they can't be replicated given access to the right cyber team and all the resources a nuclear power can throw at them if they are a national priority. Half of the cyber policy world still thinks that cyber norms are a thing! We have labored for too long under the belief that we were going to be able to set the rules to the game in a new domain. But the rules are what they are. The terrain has no master. -dave

1 0

Typey typey
by Dave Aitel 30 May '25

30 May '25

https://www.linkedin.com/mwlite/feed/posts/daveaitel_for-the-offensive-info… <https://www.linkedin.com/mwlite/feed/posts/daveaitel_for-the-offensive-info…> yRnO So I wanted to point this contracting gig out because I think it's a good opportunity for someone who can do quick vulnerability triage and either replicate or disprove that a vulnerability exists. Obviously you need to be very good at c and c++ and every other language to do this and have familiarity with vulnerability development....and also be located in the US , although you do not need a clearance. Dave

2 2

Announcing the Parity Release of Volatility 3 and the Deprecation of Volatility 2
by Andrew Case 16 May '25

16 May '25

The Volatility Team is very excited to announce the official Parity Release of Volatility 3! This release is not only capable of fully replacing all of Volatility 2’s features, but it also incorporates support for all the latest operating system versions plus all the latest memory forensics research. With this release, Volatility 2 is now deprecated, and its GitHub project has been archived. Our announcement blog post details the new features, many of the new plugins, and tells you how to get started with Volatility 3. https://volatilityfoundation.org/announcing-the-official-parity-release-of-… Our team is incredibly grateful for the continued support from our community, and we hope that you all enjoy Volatility 3 for many years to come. -- The Volatility Team

1 0

OpenAI Security Research
by Dave Aitel 28 Mar '25

28 Mar '25

So a few things: 1. https://openai.com/index/security-on-the-path-to-agi/ I feel like this blog is worth reading. :) 2. We're throwing a post-RSAC conference in SanFran to talk about AI and Security (in particular, securing cybery things with AI) and if I'm very lucky I'll even get to do a quick demo of the software I've been working on, not that it will surprise anyone on this list! We have a few tickets left I think and if you're interested and one of the people who should be attending I made you a form <https://docs.google.com/forms/d/e/1FAIpQLSe64yhyrTW7LYwY3qxOyOpaVqbrKgdZayq…> to fill out! Thanks, Dave Aitel

1 0

2026

2025

2024

2023

2022

2021

2020

Dailydave