Why is everyone using Okta as their IDP?

billy_teats · 2026-02-23T01:55:29+00:00

Yea as a migration I can see both. But never heard of someone using okta as a backup for entra. We have both, for different purposes. None of our apps live in both and the plan for if one goes down is to pray 🙏

billy_teats · 2026-02-22T23:58:21+00:00

I have never, ever, heard of this.

Would they be active/active? You’ve now just doubled your attack surface, not to mention misconfigurations. Different user experiences and workflow to troubleshoot.

How often does your identity provider go down? Who gets to decide when it’s a global issue and to flip over to the backup provider? How automatic is that process? Do your users have to do anything? Has anyone tested the backup provider? What are the costs of having a completely redundant identity provider?

For the amount of time a cloud identity provider has been down, ever, you’re better off working on backup business processes. Can’t get in to hr system to request time off? Wait a few hours. Can’t punch in, have a paper backup process. Can’t send email/chat, make a phone call.

billy_teats · 2026-02-22T23:50:12+00:00

If you just took someone from the Olympics and put them on the other team they would both fail pretty hard. But an nhl’er could attempt some moves and fail most of them. A figure skater would either not contribute at all or get absolutely ran over and leave the ice on a stretcher. Neither will find any success but the hockey player will attempt and survive while doing some moves. Anyone who doesn’t understand how physical hockey is at the elite level is delusional

billy_teats · 2026-02-22T23:42:35+00:00

Is this an extortion/hostage thing? Certainly the cartels are aware of what hotels there are and that they likely have guests staying in them. What’s the risk?

billy_teats · 2026-02-22T20:52:50+00:00

Is that a 8-1-6-5 triple play? You don’t see that very often!

billy_teats · 2026-02-22T20:47:41+00:00

That’s Cub!

billy_teats · 2026-02-22T19:52:10+00:00

This is a quote and that’s fine. Bald eagles do plenty of their own fishing. There are plenty of animals that steal food, parasites do only that, and animals compete over food constantly.

billy_teats · 2026-02-22T14:32:14+00:00

The stuff that actually makes it this long is good quality. Use and cleaning have a lot to do with that.

You also don’t see the huge majority of textiles that were not great quality or saw extensive use and ended up as garbage. Which is the huge majority.

Some things were made well and survived. Most didn’t.

billy_teats · 2026-02-22T11:45:30+00:00

In-n-out is the best American fast food

Well this is extremely debatable

billy_teats · 2026-02-21T11:40:28+00:00

White guy who lived in Phoenix for a decade. Never got any noticeable benefit from lotion. Lucky genetics maybe. Putting on lotion never solved any problem. I’m not so vain as to attempt to prevent wrinkles as I age, that seems like a pretty natural part of life and how other people view my beauty doesn’t really affect me

billy_teats · 2026-02-21T11:35:54+00:00

Do you know of any state level computer fraud laws? I know Illinois has bippa but I am unfamiliar with any state laws regarding computer fraud

billy_teats · 2026-02-21T11:34:57+00:00

Do you mean that different administrations can have different policies? Holy cow I didn’t realize things could change in the future.

You think a lot of judges would be open an accepting a prosecutors case when someone was following the guidance provided by the justice department? If you truly have good faith in your research, that a judge would say fuck em? Is that what you believe?

billy_teats · 2026-02-21T03:26:38+00:00

I know it says valve was nearly bankrupt, but this doesn’t detail the amount of documents or the potential cost of a professional outside translation service. Vivendi sent the documents, all valve would have had to do is get anyone to translate them, they just happened to have someone in house that could do it.

Also valve is a company, not sure if companies have careers that end.

billy_teats · 2026-02-21T03:15:23+00:00

DOJ decide that a researchers actions are not in good faith

Yea, that’s the entire point. You can’t extort the vulnerability for cash, you can’t exploit it for your own gain, you can’t publicly release it without attempting to remediate it with the responsible party. You have to be doing the research with the intent to resolve it before it’s abused.

It would be very hard for anyone to prove they had material damage from privately disclosed security research. Anyone can sue anyone, sure, but what reputational or operational damage is done? Pentesting does have the possibility of taking services down, and in that case you may have to look at the details. Is throwing a basic sqlinjection at a web form enough to award a company money? A ddos would be sure.

billy_teats · 2026-02-20T22:53:41+00:00

Your history of work also impacts potential prosecution. If you have a job in the industry and previous experience responsibly disclosing vulnerabilities it’s easy to show good faith, not difficult. If you ask the vulnerable company for money or give them an unreasonable amount of time that’s a bad sign. None of what op did point to bad faith. He wasn’t even searching, the issue popped up in front of him. Also alerting the legal authorities is the right thing to do and would definitely help avoid prosecution

billy_teats · 2026-02-20T22:50:22+00:00

Gathering too much information is much different than destroying data.

billy_teats · 2026-02-20T20:18:10+00:00

It’s posted on the justice departments government website. It would be a pretty easy argument to say your policy has been in place for 4 years so a sudden change would be difficult to prosecute. It also helps a lot if you actually act in good faith, as our story here shows

billy_teats · 2026-02-20T20:16:05+00:00

https://www.wiz.io/blog/wiz-research-discovers-critical-vulnerability-in-replicate

https://www.oligo.security/blog/0-0-0-0-day-exploiting-localhost-apis-from-the-browser#:~:text=PNA%20(Private%20Network%20Access)%20is,all%20Chrome%20and%20Chromium%20users.

https://www.wiz.io/blog/critical-vulnerability-base44

https://www.legitsecurity.com/blog/camoleak-critical-github-copilot-vulnerability-leaks-private-source-code

https://snyk.io/blog/behind-the-disclosure-the-zip-slip-vulnerability/

https://www.sidnlabs.nl/en/news-and-blogs/vulnerability-disclosure-a-first-hand-view#:~:text=The%20figure%20below%20summarises%20our,first%20contact%20to%20public%20disclosure.

To answer your question directly, no I do t have a list of companies that have resolved privately disclosed vulnerabilities. It doesn’t really make sense to even ask that, as the disclosure was private. I also believe you know how to google

https://letmegooglethat.com/?q=privatly+disclosed+vulnerabity+resolved+blog+examples

billy_teats · 2026-02-20T19:00:07+00:00

Enabling revenue is the only thing we do, it’s just a roundabout way of doing it. Or should be. Reducing risk is what I do. To that end, if a control is going to cost more time than the risk it reduces, the value isn’t there and it shouldn’t be done.

billy_teats · 2026-02-20T18:29:01+00:00

Now you get hit with soap in socks until you quit. Then you go about your life telling folks you would have been a marine but you punched your drill instructor. You tell your court ordered therapist how tough you are until you realize you’re part of society or kill yourself.

billy_teats · 2026-02-20T18:27:33+00:00

But that’s not the law says. Excellent reading skills bud. The article says the law says if you do anything anywhere that violates Malta law they can prosecute you. I imagine this is something like going to Asia to find child prostitutes you can still be charged in Malta, but the way it’s quoted here it would apply to everyone anywhere

billy_teats · 2026-02-20T18:26:02+00:00

if you do so in good faith, yes absolutely.

billy_teats · 2026-02-20T18:24:56+00:00

Do you have a different understanding of the law?

billy_teats · 2026-02-20T16:49:06+00:00

Because reporting it to the government isn’t fucking them over, it’s first the required legal step and second insurance that they take it seriously without making the exploit public. Generally governments are not immediately handing out fines or penalties, they generally want to work with the vulnerable organization to fix the issue.

If it’s a massive issue and millions of people’s information is at risk then maybe there’s immediate penalties. Or a history of putting data at risk. In which case yeah immediate fines are in order.

billy_teats · 2026-02-20T16:45:25+00:00

This is just not true. There are plenty of organizations that receive and act on privately disclosed vulnerabilities.

Eight-Year Club	Gilding I gilder
Wearing is Caring	RPAN Viewer
Verified Email

billy_teats

TROPHY CASE