- Dailydave - mm4.emwd.com

Offensive AI Con
by Dave Aitel 09 Oct '25

09 Oct '25

So I just got back from "Offensive AI Conference" in San Diego and it was a great event - for a first time conference it ran especially smoothly, the attendees were an amazing crowd, and many of the talks were extremely strong. There's something about a conference that is not recording the talks that gets people to actually sit and listen to them via the magic of FOMO, but also, when a conference is "invite only" then you just in general get less shenanigans - people are invested in being there. On the other hand, I worry that the glut of more "invite only" conferences actually locks out people who are underrepresented or not established in the industry, which is perhaps not ideal? Two talks I thought went particularly well were: - Ruikai Peng and Olivier Laflamme's talk on a methodology for binary analysis using LLMs they constructed (wrapping binja) - which they demoed finding an a 0day on a popular consumer firmware or two. Ruikai is apparently....16 years old? Insane. - Jason Garman and Aaron Brown's talk on Cyber Auto-Agent, which has a lot of interesting innovation in it but also is available <https://github.com/westonbrown/Cyber-AutoAgent> on GitHub. It's a web application assessment tool that (they claim) meets or exceeds XBOW's published number on the XBOW eval set (although I'm sure that's very out of date). Worth an install, for sure! When I took my kids to Defcon this year it was not really for business - it was vibe hacking in the strictest sense. These are trying times and I wanted to feel the community around me, even if that community was busy kicking an inflatable beach ball around in the lobby, or soldering badges together, or awkwardly dancing to nerdcore played at unreasonable volumes. In some ways, hearing the beating of the wings of the fifty thousand strong locust swarm of hackers that descends on Vegas every summer is very reassuring. In that sense, Defcon has always been more about pure distilled hacker vibe than anything else. But Offensive AI Conference was a business and technical meet up - much in the way Infiltrate used to be - where the DJ is actually told to turn down the volume of the music at the initial party because people are trying to have 50 different little meetings, where you attend the talks because the talks do actually matter. In any case, I assume next year they will grow, but also, still be annoyingly hard to get into. :) -dave

1 0

On becoming a carpenter
by Dave Aitel 13 Jun '25

13 Jun '25

[image: image.png] Every so often I poke my head out, gopher-like, from the tunnels where I am furiously vibe-coding, or as it's going to be known a couple years from now, coding. I think it's probably true that coding used to be a high octane sport for concentration freaks as deep in the zone as a sperm whale hunting giant squid by listening to the faint echoes of pings off squishy bodies leagues away. But coding is now a juggling competition where the winners are over-caffeinated ADHD insectivorous bats tracking the results of five different queries into as many LLM-based coding systems and context switching, running tests, and re-querying at a rate that would drive most people bananas. In other words, to compete in this day and age you do have to know your LeetCode, but you have to do it in parallel, using Codex, or Windsurf, or Codex-CLI, or cutting and pasting bits of code into o1-pro, but all at once, choosing which LLM-assistant-coder depending on what exact kind of programming issue you're trying to solve. On one hand, these tools are very much junior engineers, and make simple mistakes, and on the other hand, collectively they are better than you will ever be and realizing that as soon as possible is a big advantage. I spent some time, while contemplating obscure and bespoke flavors of obsolescence, to listen to Halvar's most recent talk. Everyone should. It is here: https://www.youtube.com/watch?v=qllU_B_Rmis . [image: image.png] "Cyber-espionage does not easily translate into industrial capability, particularly in fast moving industries. You don't become a carpenter by stealing his invoices" - Halvar And of course not? But that's not what hackers do. As we learned from listening to Grugq's keynote <https://conference.hitb.org/hitbsecconf2023hkt/speaker/the-grugq/> the most likely scenario is that hackers attack the carpentry problem as a system - use the invoices and outgoing quotes to drive all the business to yourself, along with stealing all their best people by offering them exactly 2X their salary. Going active sometimes means DoSing the supplier of some company so it misses a key deadline with its customer-base, which then moves to your more reliable, cheaper, product, built by their former head of engineering. And I firmly believe that few scientific and engineering problems are so hard that they can't be replicated given access to the right cyber team and all the resources a nuclear power can throw at them if they are a national priority. Half of the cyber policy world still thinks that cyber norms are a thing! We have labored for too long under the belief that we were going to be able to set the rules to the game in a new domain. But the rules are what they are. The terrain has no master. -dave

1 0

Typey typey
by Dave Aitel 31 May '25

31 May '25

https://www.linkedin.com/mwlite/feed/posts/daveaitel_for-the-offensive-info… <https://www.linkedin.com/mwlite/feed/posts/daveaitel_for-the-offensive-info…> yRnO So I wanted to point this contracting gig out because I think it's a good opportunity for someone who can do quick vulnerability triage and either replicate or disprove that a vulnerability exists. Obviously you need to be very good at c and c++ and every other language to do this and have familiarity with vulnerability development....and also be located in the US , although you do not need a clearance. Dave

2 2

Announcing the Parity Release of Volatility 3 and the Deprecation of Volatility 2
by Andrew Case 17 May '25

17 May '25

The Volatility Team is very excited to announce the official Parity Release of Volatility 3! This release is not only capable of fully replacing all of Volatility 2’s features, but it also incorporates support for all the latest operating system versions plus all the latest memory forensics research. With this release, Volatility 2 is now deprecated, and its GitHub project has been archived. Our announcement blog post details the new features, many of the new plugins, and tells you how to get started with Volatility 3. https://volatilityfoundation.org/announcing-the-official-parity-release-of-… Our team is incredibly grateful for the continued support from our community, and we hope that you all enjoy Volatility 3 for many years to come. -- The Volatility Team

1 0

OpenAI Security Research
by Dave Aitel 29 Mar '25

29 Mar '25

So a few things: 1. https://openai.com/index/security-on-the-path-to-agi/ I feel like this blog is worth reading. :) 2. We're throwing a post-RSAC conference in SanFran to talk about AI and Security (in particular, securing cybery things with AI) and if I'm very lucky I'll even get to do a quick demo of the software I've been working on, not that it will surprise anyone on this list! We have a few tickets left I think and if you're interested and one of the people who should be attending I made you a form <https://docs.google.com/forms/d/e/1FAIpQLSe64yhyrTW7LYwY3qxOyOpaVqbrKgdZayq…> to fill out! Thanks, Dave Aitel

1 0

Cyber Reasoning Systems
by Dave Aitel 09 Mar '25

09 Mar '25

I continue to believe there are a lot of interesting questions around building cyber reasoning systems for vuln finding. Even the very basics seem hard to study and understand, and the eval datasets available are....sparse or incomplete. For example, what you really want if you're analyzing git repos is the commit a bug was introduced, and the commit it was fixed. But usually you get "a commit where it maybe existed". Likewise, it's an open question what kind of tools you can provide an LLM in this space and how it can best use them. Anyways, if you're building a cyber reasoning system for finding bugs, please spam me an email. -dave

2 1

on your child going to college in Christchurch, NZ and velvet worms
by Dave Aitel 12 Feb '25

12 Feb '25

*on your child going to college in Christchurch, NZ and velvet worms* By mid‑August the garden already practices absence — stems turning hollow, the robin leaving its notes hanging in the air like torn corners of a song. Under the chirp of palmetto bugs, a log eases itself back into earth. Inside, hidden from the light, a velvet worm does the impossible: offers herself to a spill of pale, blind threads. For days she is nothing but hunger turned outward, spinning glue not to hold but to feed, until their tiny jaws harden and, like rain, they slip back into moss, leaving her the damp and the slow work of being only herself again. It's a kind of mercy, this leaving — clean as the way geese carve open the sky, each V a blade that does not return. You pack your fragments — old Defcon badges, a frayed pentester lab shirt, dreams with edges I've never seen — into my old suitcase. On your dorm wall next to a shattered cathedral, you'll make a collage of faces, new maps where I am just blank space beyond the frame, like unexecuted shellcode left on the heap. The house darkens into its own bark. I wander its rooms like a soft thing without eyes, tasting the air for what I once held. There is a moment in every season when what clung must fall. Even the velvet worm stops spinning sweetness for a brood that has grown teeth, and the log swallows its secrets—the bacterial smell of old rain, the echo of digital footfalls we never learned how to trace.

1 0

(the root of the root and the bud of the bud)
by Dave Aitel 14 Jan '25

14 Jan '25

Memories and thoughts are the same thing, someone tried to explain to me recently. You have to think to remember, in other words. This is hard to grasp for a lot of people because they *think *they have *memories*. They wrongly think memory is a noun instead of a verb, which is ok in philosophy and psychology but in cutting edge computer science we have to be precise about these sorts of things. Twenty-five years ago, when I first started writing fuzzers, a full quarter century, people thought it was an absolutely stupid thing to do. The smart people were using their giant brains to do static analysis. They were tainting and sinking. They were reading the code and finding flaws. They did threat models. They did not write glorified for loops that made different amounts of A's go into different RPC functions. But I had the hubris of a teenage hacker, and I thought it was fun. More fun, perhaps, than reading code. In 2025, fuzzing is part of the software development lifecycle for any organization rich enough to call a hyperscale datacenter home. It is a *sine qua non* for secure software. Fuzzing, we now understand, is *reasoning*. And if you can't reason over your code, you can't secure it. Part of the value is that fuzzing echoes machine learning in that it scales nicely with the amount of CPU you could use. And there's no false positives when you measure whether an input crashes a program - it either does or it does not. There are downsides of course - many inputs may cause the same crash. Fuzzing identifies a flaw exists, but it doesn't tell you what the flaw actually is. And fuzzing often finds enough flaws that development teams become overwhelmed with triage. And of course, fuzzing can often be too dumb to reach the important bugs, since it is exploring the space of possible inputs semi-randomly, even with coverage guided analysis. We (as a community) tried to correct these things with SMT solvers, or smarter fuzzers. But now we have a new tool: LLMs, which reason in a very different way. But still they *reason*. Admittedly, there are many disbelievers. "LLMs just repeat what they are trained on" and taken to an extreme that's true but that's also true for any of us. In practice, they reason perfectly well. And not too long from now, maybe a couple years at most, any organization that is not using them widely for security engineering is left behind the curve - the same way teams not using fuzzers are today. Memories and thoughts are, in essence, the same thing because both require the act of reasoning. In computer science, fuzzing and LLMs are tools that embody this principle. They don't passively store knowledge - they actively explore, test, and refine it. When I first started fuzzing, it was dismissed as a foolish endeavor because it didn’t look like traditional reasoning. Now, it’s indispensable. LLMs are on a similar path: misunderstood by some, but already reshaping how we approach security. Just as fuzzing forced us to rethink what reasoning over code looks like, LLMs are forcing us to rethink reasoning itself. In both cases, the act - not the object - is what matters. They are the root of the root and the bud of the bud - the foundation of what comes next. And if you don’t carry this forward, you risk being left behind in a world that’s growing beyond you. -dave

5 4

Anthropological "Hacker" Map
by A K 14 Jan '25

14 Jan '25

Hi all, In the latest "Security Weekly" (https://www.youtube.com/watch?v=CXefYdEGW04 ) they present the Anthropological "Hacker" Map https://wherewarlocksstayuplate.com/map/ While the map is incomplete (how can it ever be complete?), I think it is one of the few times, outside of David Aitel's writings about the cross-cut between the "underground" (for a lack of a better term) and subsequent commercial activity. Based on my personal bubble, completely empirical evidence that you should take with a huge grain of salt the cross-cut is not the actual highlight here - the highlight is a temporal one. The generation of folks contained therein are the among the first two generations (or so) between the commoditization of Internet - essentially having first movers advantage on the space. Anyway, felt like sharing this with the rest of the community here

1 0

the endless stream
by Dave Aitel 01 Jan '25

01 Jan '25

I've seen great people in our industry crushed under the weight of the secrets they carry into a singularity from which no information can emerge. In some ways the lesson from apache_nosejob.c <https://www.exploit-db.com/exploits/21560> was that we cannot take ourselves seriously, that at the heart of our discipline there must remain a jester, that we must float upon the stream of endless information rather than absorb it into our darkened core. To that end I often listen to infosec podcasts while doing other things: 1. The Three Buddy Problem <https://securityconversations.com/podcast/security-conversations/> with Ryan Naraine, Costin Raiu and JAGs. This is probably my new favorite podcast, with an uncensored take on current infosec events, largely from an incident response standpoint, but in general covering all the bases and courageously offending everyone at great length. 2. Risky.Biz <https://risky.biz/RB775/>: Still excellent after all these years, partially because Adam is such an experienced penetration tester and Patrick is a good host, and I generally learn things about events that are poorly covered in the news from their perspective, without having to go through and do fact checking myself (aka, why the Struts bug is so bad, etc.) Also, happy New Year everyone! -dave

1 0

2025

2024

2023

2022

2021

2020

Dailydave