Why does Stripe require OAuth tokens to pass through a third party server?

Can someone who understands OAuth better than me explain to me why Stripe REQUIRES that their OAuth Access Keys get shared with a third party?

I've tried RTFM, but my biggest hangup is that the OAuth docs appear describe a very different situation than mine. They usually describe a user agent (web browser) as the client. And they talk about "your users" as if I have a bunch of users that I'm going to be fetching access keys for.

Nah, this is server <--> server. I have a server. Stripe has a server. I am one user. All I need is ONE API key for ONE account. But I'm forced to use OAuth. It doesn't seem appropriate, and it's especially concerning that the "flow" requires the (non-expiring!) Access Token to be shared with a third party server. Why?!?

I recently learned that Stripe has been pushing OAuth (branded as "Stripe Connect") to its integration apps as the "more secure" solution, compared to Restricted API

Hi, could some one explain how are seedphrases considered to be super secure? If it’s just a random string of words from a well-known list of words, what stops someone with a simple python script generating random phrases and trying to open wallets with them?

AI - the ultimate social engineer... like for real

link provides story bypassing paywall

im aiming to make a chat app secure as theorhetically possible as a webapp. for transparency its open source. id like the experience to be as close to possible to a regular chat app. its important to note; there are limitation with p2p and webapps such that messages cant be sent if the peer isnt connected.

to keep this post brief, please take a look at the readme. it has all the information and links.

i dont think its ready to replace any app or service, but id love to get feedback on what you think would make it so you would use it more than once.

Samy Kamkar's latest at Defcon.

Archive link: https://archive.ph/UtTtp

3TOFU: Verifying Unsigned Releases

By Michael Altfield
License: CC BY-SA 4.0
https://tech.michaelaltfield.net/

This article introduces the concept of 3TOFU - a harm-reduction process when downloading software that cannot be verified cryptographically.

Verifying Unsigned Releases with 3TOFU

⚠ NOTE: This article is about harm reduction.

It is dangerous to download and run binaries (or code) whose authenticity you cannot verify (using a cryptographic signature from a key stored offline). However, sometimes we cannot avoid it. If youre going to proceed with running untrusted code, then following the steps outlined in this guide may reduce your risk.

TOFU

Just finished up a new post. Hope someone finds it helpful!

Release 1.3.0 (26-07-2024)

Improvements

• Vulnerability Details Page Enhancements: We've significantly enhanced the vulnerabilities details page. It now presents more relevant information and the layout has been substantially improved for a better user experience.
• API Enhancements: Various improvements have been made to the API for better performance and functionality.
• UI Enhancements: Edition/action buttons are now hidden when not logged in (#57).
• Importer Improvements: Enhancements have been made to various importers (37d3a6d).

Fixes

• Custom Vulnerability Display Bug: Fixed an issue where custom vulnerabilities were not displayed correctly (#58).
• New Vulnerability Creation Issue: Resolved the problem where new vulnerabilities couldn't be creat

Media coverage largely sucked

When I just looked at my phone, the headlines were about an unfolding Microsoft global IT outage. My first thought, ransomware. So I logged in and started looking around at what was happening — I’m a CrowdStrike customer — and quickly realised two different, separate things had happened:

• Microsoft Azure had an outage earlier in the day. This was resolved before I got up. Azure has frequent outages (don’t kill me, Microsoft) — this isn’t abnormal.
• CrowdStrike had made a boo-boo and pushed out a channel update that had borked a decent percentage of customers.

The media connected these two events together and conflated them. They weren’t connected.

Vulnerability Lookup facilitates quick correlation of vulnerabilities from various sources (NIST, GitHub, CSAF-Siemens, CSAF-CISCO, CSAF-CERT-Bund, PySec, VARIoT, etc.), independent of vulnerability IDs, and streamlines the management of Coordinated Vulnerability Disclosure (CVD). Vulnerability Lookup is also a collaborative platform where users can comment on security advisories and create bundles.

A Vulnerability Lookup instance operated by CIRCL is available at https://vulnerability.circl.lu/.

cross-posted from: https://programming.dev/post/16106778

Contrary to what is stated on the polyfill.io website, Cloudflare has never recommended the polyfill.io service or authorized their use of Cloudflare’s name on their website. We have asked them to remove the false statement, and they have, so far, ignored our requests. This is yet another warning sign that they cannot be trusted.

Wall Street Journal (paywalled) The digital payments company plans to build an ad sales business around the reams of data it generates from tracking the purchases as well as the broader spending behaviors of millions of consumers who use its services, which include the more socially-enabled Venmo app.

PayPal has hired Mark Grether, who formerly led Uber’s advertising business, to lead the effort as senior vice president and general manager of its newly-created PayPal Ads division.

So, yeah. Other than stated, Spotify does not provide 2FA (shame on them!), so I use a strong password and since years nothing happened.

This early morning I got multiple mails that my account was logged in from Brazil, from the USA, from India, and some other countries. There were songs liked and playlists created so it wasn’t a malicious e-mail but some people actually were able to log on to my Spotify account.

I of course changed the password and logged out all accounts and checked allowed apps, etc. and everything looks fine.

But I wonder … was there something that happened recently? The common sites to check such things do not list my old Spotify password, and a quick web research does not bring anything up.

Any clue what could have happened here?

Infomaniak claims to use TLS, but

The first link in the TLS chain is executed via a purely internal network by the webmail and Smtp servers and is not available in TLS for performance reasons.

is this normal, acceptable, irrelevant, standard, a red flag?

they are the biggest hosting provider of Switzerland, so I somehow have a hard time believing, they lack resources to implement TLS right.

The reporting methodology employed should yield valuable insights, spanning both technical details and high-level strategic considerations.

I wrote about my perception of what risks AI brings to society in 2024. And it's not all about cybersecurity 😉