Talks Archives

Talks Archives

  • June 2026 · fwd:cloudsec 2026 Sub:jugation – Hijacking Cloud Identities by Recycling Namespaces in Global OIDC Issuers A vulnerability class in global OIDC issuers (GitHub Actions, GitLab CI, Terraform Cloud) that lets attackers reclaim deleted namespaces and mint tokens matching cloud IAM trust policies.  Watch
  • December 2025 · AI Hacking Village · BSides TLV 2025 The Invisible Identities Behind AI Agents Research on the Non-Human Identities behind AI agents — new attack vectors on agent identities, findings from analyzing thousands of MCP server implementations, and impacts on OWASP's NHI and Agentic Apps Top 10s.  Details
  • October 2025 · LASCON 2025 Exposing the OWASP Non-Human Identity Top 10: Risks, Realities, and AI Impacts How the OWASP Non-Human Identity Top 10 was built — methodology, rankings, and live demos of the top risks. With Tomer Yahalom.  Watch
  • October 2025 · Reversim Summit 2025 Breakin' 'Em All – Overcoming Pokémon GO's Anti-Cheat Mechanism Reverse-engineering Pokémon GO's anti-cheat and network protocol (the Reversim Summit talk).  Watch
  • August 2025 · DEF CON 33 Breakin' 'Em All – Overcoming Pokémon GO's Anti-Cheat Mechanism Reverse-engineering Pokémon GO's anti-cheat and network protocol from scratch.  Watch
  • April 2025 · RSAC 2025 Non-Human Identity Security: Insights from 800 Security Professionals Findings on non-human identity security drawn from a survey of 800 security professionals.  Details
  • March 2025 · CyberWire Daily (podcast) Non-Human Identity Top 10 — guest segment Guest on CyberWire Daily (ep. 2274) discussing the OWASP NHI Top 10.  Details
  • March 2025 · SnowFROC 2025 OWASP Non-Human Identity Top 10 The OWASP NHI Top 10 talk (same as LASCON). No recording available.
  • May 2024 · N2K Networks (podcast) Google's Not Being Ghosted from Vulnerabilities Podcast appearance discussing the GhostToken 0-day.  Watch
  • September 2023 · The Hacker Mind (podcast) Ghost Token (Ep. 80) The Hacker Mind episode on the GhostToken 0-day.  Details
  • August 2023 · DEF CON 31 GhostToken: Exploiting GCP Application Infrastructure to Create Invisible, Unremovable Trojan Apps A 0-day in Google Cloud Platform that turned OAuth apps into unremovable trojans on any Google account.  Watch
  • January 2023 · Simons Institute · ITCS 2023 On Interactive Proofs of Proximity with Proof-Oblivious Queries My theoretical-CS research on interactive proofs of proximity (ITCS 2023).  Watch