ikakavas at infosec dot exchange

DON'T roll your own SAML.

@asanso Just bought this literally 1hr ago too :) Hope all is well Antonio

Sorry Netflix. Can’t wait

@mperedim @hellenicpolice Είμαστε και εμείς που είχαμε κλείσει ραντεβού πριν 4 μήνες και όταν τελικά ζυγωνε η ώρα δεν μπορούσαμε να πάμε αλλά δεν είχαμε και επιλογή να ακυρώσουμε για να ανοίξει το slot

@nikosfertakis I loved it. A deepness in the sky is great too

I’m 75 pages into A Fire Upon the Deep and it already has god-level AIs, faster than light travel, middle-age worlds with telepathic creatures, tree-like animals with speech, and a red-bearded barbarian. It’s like Asimov and Tolkien had a child.

Come for the multi-CSP multi-region cloud platform design , stay for the GIFs and puns!

I’ll be speaking at KubeCon next week about how we’ve redesigned our multi-CSP multi-region Cloud platform at Elastic to embrace Kubernetes. Come learn about unusual ways to build K8s controllers!

@frozzipies @xeraa @elastic Apologies for the delay @frozzipies , we will get back to you shortly - not sure what happened with these reports but we will sort it out :) Thanks for reaching out !

@xeraa @elastic Actually i have another bug report on elastic assets with a high severity. This report status is not on triaged or waiting an action from the internal team. It still on validation phase from h1 analyst. But the problem is, the analyst is not responding my report for about 10 days

@elastic Check your hackerone please. I have two reports that have been abandoned for almost 3 weeks. The status of my report is triaged, and Im still waiting for the Elastic internal team to make a decision to my report :(

@InsecureNature email claim as a unique ID is a badly misconfigured oAuth2/OIDC implementation and the burden _is_ on the RP to get it right. Moving to SAML for instance, has the same risks. Email will be released as a SAML attribute too and if SPs decide to use it.. same issue.

@InsecureNature :wave: given that it is (should be) a well known property of the email scope (the oidc spec describes it in #ClaimStability" target="_blank" rel="nofollow noopener">openid.net/specs/openid-c… and as you pointed out, Google mentions it in the docs - as did MS ), why do you consider this an issue in the OP and not in the RP side ? Using 1/2

🎥I did a much deeper breakdown of Google's Oauth problems on YouTube if anyone's interested youtu.be/r-2OjL8u9VI

My best explanation of parallel lines:

@raTxMole Thanks! Έχω δει και εγώ κανα δυο US αλλά έλεγα μήπως γλυτωσω το πήγαινε έλα του κινητού αν υπάρχει κάτι αξιόπιστο εδώ

@ilektrojohn Αν θέλεις τα data σου, δεν θα σου πρότεινα κανέναν Ελλάδα... Δες STS Telecom ststele.com/mail-in/ Και ipadrehab.com Είναι US αλλά κάνουν θαύματα

#gr έχει κανείς εμπειρία από κάποια εταιρεία που κάνει data recovery από κινητα στην Ελλάδα ; iPhone που κάνει bootloop (βλάβη από νερό). Έχω δοκιμάσει τα τυπικά μαγαζιά επισκευών κλπ

Being old : In an arctic monkeys show dancing by myself with Teddy Picker while the crowd discusses “it’s one of the old ones huh?”

Δείτε την "Ανακοίνωση ΕΔΥΤΕ σχετικά με τις επιθέσεις στην Τράπεζα Θεμάτων" εδώ: grnet.gr/2023/06/03/ann…

Gets me every time , evergreen tweet : twitter.com/ilektrojohn/st… @KimZetter there is no such thing as a “golden SAML” attack :(

Which begs the question: Wouldn’t it be in Oracle’s best interest (it’s within its capabilities for sure) to release this information alongside the CPU? cc @seanjmullan

- TLS 1.3 mentions bad handling of Key Updates can lead to msg trunc attacks (End of S4.6.3 of RFC 8446) - Relevant commit fixing this github.com/openjdk/jdk/co… The benefit of having really clever folks in your engineering teams (hat tip @TimVernum) :) 2/2

TL;DR CVE-2023-21930 seems to be about TLS truncation attacks against TLS1.3 - Oracle credits Ben Smyth - Ben Smyth, A. Pironti have published about this type of attacks linkedin.com/pulse/what-tls… 1/2

Hey Oracle can you be a little more vague with the CVEs you release in your CPUs ? oracle.com/security-alert… Boilerplate statements every quarter.. Anyone has additional info on CVE-2023-21930 ?

We're accepting applications through April 25th for a remote, paid, 12-week summer mentorship through the brand new Alpha-Omega Security Research Mentorship Program. Apply at: mentorship.lfx.linuxfoundation.org/project/4df8fa…