Dimitris Glynos

1.5K posts

@dfunc

Cybersecurity | Product Security Expert | Founder of https://t.co/G7a2pmP8WP

Proxima Centauri · Joined September 2010
811 Following · 1.1K Followers
Dimitris Glynos retweeted
Nadim Kobeissi@kaepora·
I'm hiring a research intern for summer 2026 to work with me on applied cryptography research projects. This is a paid, three-month, fully remote position. Check it out, and please spread the word! symbolic.software/blog/2026-03-1…
Dimitris Glynos@dfunc·
intWave intern Sifis Bampionitakis found that Portainer came with default settings allowing regular users to perform a host takeover. If you're sharing your #Portainer installation with other users it's best to update to 2.39.0 LTS. For the details see: intwave.com/blog/2026/02/2…
Dimitris Glynos retweeted
Peter Girnus 🦅@gothburz·
My CISO called me at 3 AM last Tuesday. "We caught someone." I asked, "Caught them doing what?" He said, "Typing." Let me explain. We have an employee in IT. Great worker. Always online. Never complained. Perfect Slack etiquette. One problem. His keystrokes were arriving 110 milliseconds late. One hundred and ten milliseconds. That's 0.11 seconds. The average American remote worker has 20-40ms of latency. This guy? 110ms. Every. Single. Keystroke. My security team ran the numbers. That latency doesn't come from a bad router in Ohio. That latency comes from Pyongyang. Our "Senior DevOps Engineer" was a North Korean operative. Running his work laptop through a laptop farm. In America. While he worked from a government building. In North Korea. He passed the interview. He passed the background check. He passed the vibe check. He did not pass the speed of light. Here's what people don't understand about physics: Light travels 186,000 miles per second. But it still has to go through China. And China adds latency. Since April, Amazon has caught 1,800 of these attempts. Eighteen hundred. I called an emergency meeting with my board. I said, "We need to implement Keystroke Velocity Auditing across all remote employees." They said, "That sounds invasive." I said, "You know what else is invasive? The Democratic People's Republic of Korea in your Jira tickets." They approved the budget. We now monitor keystroke timing to the microsecond. If your latency exceeds 60ms, you get a call from HR. If it exceeds 100ms, you get a call from the FBI. We've already flagged 47 employees. Turns out 44 of them just have bad Wi-Fi. 3 of them are "still under investigation." The lesson? You can fake a resume. You can fake a background check. You can fake an American accent on Zoom. But you cannot fake the speed of light. Physics is the ultimate background check. Hire accordingly.
Dimitris Glynos retweeted
Proteas@ProteasWang·
Top researchers do their best to exploit bugs. "Something from Nothing - Exploiting Memory Zeroing in XNU": objectivebythesea.org/v8/talks/OBTS_…
Dimitris Glynos@dfunc·
Off to #hw_ioNL2025 in Amsterdam; if you're around, catch me in the hallways. Happy to exchange notes on CRA, supplier/vendor conformance and everything product security!
Dimitris Glynos retweeted
Lupin@0xLupin·
Apparently the maintainer ~qix has been compromised affecting billions of installations on @npmjs
Here are the top 20 packages that qix contributed to with the number of installations per month:
1.6B --> ansi-styles
1.5B --> debug
1.3B --> chalk
1.2B --> supports-color
1.1B --> strip-ansi
1.0B --> ansi-regex
828.4M --> color-convert
823.1M --> wrap-ansi
820.8M --> color-name
310.9M --> is-arrayish
245.6M --> slice-ansi
202.5M --> error-ex
133.7M --> color
118.9M --> color-string
111.5M --> simple-swizzle
50.9M --> has-ansi
17.2M --> chalk-template
1.1M --> backslash
408.2K --> handler-agent
25.1K --> strip-ansi-stream
Source of claim: github.com/Qix-/node-erro… #issue-3394431258
Dimitris Glynos@dfunc·
@ProferoSec In the blog post the authors mention "a well-known attack on AES-128-CBC first block, if ~50 bits or more are known". Could you share a reference to the attack? Thank you.
Profero@ProferoSec·
This isn't a drill - this is reality! See real-world proof that creative incident response can outmaneuver ransomware math in our latest blogpost. Walk through our investigation workflow, cryptographic analysis, and end-to-end data-recovery strategy, proving that "encrypted" doesn't always mean "unrecoverable." Read more: profero.io/blog/from-dron…
Dimitris Glynos retweeted
Alexander Wei@alexwei_·
1/N I’m excited to share that our latest @OpenAI experimental reasoning LLM has achieved a longstanding grand challenge in AI: gold medal-level performance on the world’s most prestigious math competition—the International Math Olympiad (IMO).
Nicolas Grégoire@Agarri_FR·
@dfunc The "Watch it now" link on the conference website doesn't work. Are the slides publicly available?
Dimitris Glynos@dfunc·
On Saturday I'll be at BSides Athens, presenting "From SSRF to sustained server engagement". Don't be shy, come and say hi. Happy to discuss anything related to product security. #infosec #appsec #productsecurity
Dimitris Glynos retweeted
Scott Piper@0xdabbad00·
I had a lot of fun making this challenge. I wanted to do a cloud security challenge where the cloud infrastructure is secure (IMDSv2, data perimeters), but something still allows it to be hackable and you need to know some advanced AWS security tricks to abuse it. 🤫 Try it out!
Wiz@wiz_io

🚨THE ULTIMATE CLOUD SECURITY CHAMPIONSHIP begins today! 🥊 12 monthly challenges. One leaderboard. Challenge #1 is LIVE now, created by @0xdabbad00. Think you've got what it takes? → cloudsecuritychampionship.com

Dimitris Glynos@dfunc·
Tomorrow Wednesday that is :-)
Dimitris Glynos@dfunc·
We'll also have a stand on the mid-floor. Don't be shy, come and say hi.