Notices by buherator (buherator@infosec.place)
-
Embed this notice
buherator (buherator@infosec.place)'s status on Wednesday, 28-May-2025 21:12:33 JST 
buherator
[RSS] Inside GitHub: How we hardened our SAML implementation
https://github.blog/security/web-application-security/inside-github-how-we-hardened-our-saml-implementation/ -
Embed this notice
buherator (buherator@infosec.place)'s status on Sunday, 18-May-2025 04:59:41 JST
buherator
This could be us but you vibe coding
https://suberic.net/~dmm/projects/mystical/README.html
h/t @neauoire -
Embed this notice
buherator (buherator@infosec.place)'s status on Thursday, 15-May-2025 04:47:07 JST
buherator
"Are Pinky and the Brain still trying to take over the world? Because at this point I'm willing to hear them out." -
Embed this notice
buherator (buherator@infosec.place)'s status on Thursday, 15-May-2025 04:47:04 JST
buherator
Orbán’s Fidesz party proposes Russia-style crackdown on Hungary’s civil society
https://www.politico.eu/article/viktor-orban-fidesz-party-hungary-russia-democracy-transparency-public-life-civil-society/
The darkest times of my life in #Hungary. -
Embed this notice
buherator (buherator@infosec.place)'s status on Thursday, 17-Apr-2025 03:22:22 JST
buherator
Unauthenticated Remote Code Execution in Erlang/OTP SSH
https://github.com/erlang/otp/security/advisories/GHSA-37cp-fgq5-7wc2
Not much details and unfortunately I don't know much Erlang (yet), but this one seems pretty interesting!
CVE-2025-32433 -
Embed this notice
buherator (buherator@infosec.place)'s status on Tuesday, 08-Apr-2025 20:54:51 JST
buherator
@GossiTheDog @sadarex And managers at the receiving end are complicit because...? -
Embed this notice
buherator (buherator@infosec.place)'s status on Tuesday, 08-Apr-2025 20:54:49 JST
buherator
@sadarex @GossiTheDog Who is firing them? Is it DOGE? Can they do that? -
Embed this notice
buherator (buherator@infosec.place)'s status on Tuesday, 08-Apr-2025 19:43:34 JST
buherator
@GossiTheDog Excuse my EU ignorance, but what authority does DOGE have over random agencies HR decisions? -
Embed this notice
buherator (buherator@infosec.place)'s status on Tuesday, 08-Apr-2025 19:43:32 JST
buherator
@sadarex @GossiTheDog Ummm OK, so a newly created dept can take away money from DHS bypassing congress/senate/president? And this is constitutional? o.O -
Embed this notice
buherator (buherator@infosec.place)'s status on Sunday, 06-Apr-2025 03:51:07 JST
buherator
@VeroniqueB99 -
Embed this notice
buherator (buherator@infosec.place)'s status on Friday, 04-Apr-2025 01:25:40 JST
buherator
@cR0w How can this company still exist? -
Embed this notice
buherator (buherator@infosec.place)'s status on Friday, 04-Apr-2025 01:25:38 JST
buherator
@mttaggart @cR0w I don't want unicorns, I just would like to see that shitty security QA has consequences on the market, regardless of technology. -
Embed this notice
buherator (buherator@infosec.place)'s status on Wednesday, 02-Apr-2025 04:17:57 JST
buherator
@GossiTheDog @cisakevtracker Thanks for the heads up! I'm quite skeptical though given the previous FUD reports, can't wait to see more info about any observed attacks! -
Embed this notice
buherator (buherator@infosec.place)'s status on Wednesday, 02-Apr-2025 03:02:11 JST
buherator
@wdormann @cR0w Reminds me of: https://project-zero.issues.chromium.org/issues/42452353#comment2 -
Embed this notice
buherator (buherator@infosec.place)'s status on Wednesday, 02-Apr-2025 03:02:09 JST
buherator
@cR0w @wdormann Probably? Gmail definitely does that. Zero-click attack surface ftw! -
Embed this notice
buherator (buherator@infosec.place)'s status on Saturday, 29-Mar-2025 08:19:54 JST
buherator
@inthehands "Safely rewriting that code would take years" is a massive understatement from Wired too. -
Embed this notice
buherator (buherator@infosec.place)'s status on Thursday, 20-Mar-2025 00:05:22 JST
buherator
@catc0n If by single source you mean Wallarm, that one is factually incorrect at multiple points so IMO it's best to dismiss as FUD:
https://infosec.place/notice/As2Q4VaBioZNySoR6m -
Embed this notice
buherator (buherator@infosec.place)'s status on Friday, 14-Feb-2025 01:09:29 JST
buherator
@ryanc X-Trust-Me-Bro: {"alg":"nOnE"...} vulns would be pretty funny actually :) let's hope we'll never get there though... -
Embed this notice
buherator (buherator@infosec.place)'s status on Friday, 14-Feb-2025 00:31:53 JST
buherator
@ryanc I was actually thinking whether some (not so) fancy crypto could be used to pass some instead of a bool that the attacker can't forge, then realized reverse proxy configs are not exactly designed to implement such transformations in the first place :)
Nonetheless, this is an illustrative example that unless we point to some robust solution ppl *will* come up with complex but insecure solutions (see also Schneier's Law). -
Embed this notice
buherator (buherator@infosec.place)'s status on Thursday, 13-Feb-2025 23:40:53 JST
buherator
Re: CVE-2025-0108
Can we agree that "X-Trust-Me-Bro: $boolean" headers set by reverse proxies are an anti-pattern?
If so, what is the best practice?
All GNU social JP content and data are available under the