Daniel Gruss
(Professor at Graz University of Technology) – Keynote
Keynote. Every Threat Model is Wrong
Abstract. Security is the tension between an adversary trying to break into a system and a defender trying to prevent this. This game is inherently
asymmetric, as the defender tries to anticipate what the adversary could do and the adversary tries to find anything the defender overlooked. Thus, it is at the core of security that threat models are time and again invalidated. In this keynote, we'll explore some historic examples including the change from isolated to interconnected systems, the change of the root
of trust with TEEs, and lastly the change from carbon-ignorant security to carbon-aware security. Finally, we will discuss why threat models are still relevant and how
they can guide security research in a constantly evolving landscape.
Biography. Daniel Gruss is a Professor at Graz University of Technology. He has a great passion for teaching, which he started doing in 2009. Daniel's
research focuses on microarchitectural security, covering both attacks as well as efficient and effective defenses. He implemented the first
remote fault attack running in a website, known as Rowhammer.js. His research team was one of the teams that found the Meltdown and Spectre
bugs published in early 2018. He frequently speaks at top international venues. In 2022, he was awarded an ERC Starting Grant to research how to make security more sustainable.
@lavados
@lavados@infosec.exchange
Ben Stock
(CISPA Helmholtz Center for Information Security) – Keynote
Keynote. Complexity Kills - Why Adding Layers of Security Doesn’t Solve Much
Abstract. Many of the technologies (e.g., email or the Web) we use today have been designed decades ago. Over the years, several additions have been made to these technologies to add security, be it in the form of transport encryption or security mechanisms supported by major browsers. However, the overwhelming evidence suggests that the addition of these mechanisms is only beneficial for a tiny fraction of affected operators. Indeed, merely adding security mechanisms leads to confusion about threat models and misunderstandings about the mechanisms. In this keynote, I'll underline this statement and identify what I believe are key issues to overcome to secure both the email and Web ecosystem.
Biography. Ben Stock is a tenured faculty at the CISPA Helmholtz Center for Information Security in Saarbrücken, Germany. Ben leads the Secure Web Application Group at CISPA, and his research focuses on various aspects of Web and network security, with a recent focus in particular on (un)usability of security mechanisms. His group regularly publishes at all major security conferences and Ben serves on the PC and in chair roles for various security conferences. Beyond the focus on academic output, together with his students, he regularly aims to bridge the gap between scientists and practitioners through talks at non-academic conferences like OWASP AppSec or Ruhrsec.
@kcotsneb
_ _ _ _ _ _ _ _ _ _ _ _ _ _
Fabian Bäumer
(Ruhr University Bochum) – Talk
Talk. Terrapin Attack: Breaking SSH Channel Integrity by Sequence Number Manipulation
Abstract. The SSH protocol provides secure access to network services, particularly remote terminal login and file transfer to millions of servers worldwide. SSH uses an authenticated key exchange to establish a secure channel between client and server, which protects the confidentiality and integrity of messages sent.
In this talk, we show that as new algorithms and mitigations were added to SSH, the protocol no longer establishes a secure channel: SSH channel integrity is broken for three widely used encryption modes. This allows prefix truncation where encrypted packets at the beginning of the SSH channel can be deleted without either peer noticing it.
We demonstrate real-world applications of this attack. We show that we can break SSH extension negotiation, such that an attacker can downgrade algorithms for user authentication or turn off a countermeasure against keystroke timing attacks. Further, we identify a flaw in AsyncSSH that, together with prefix truncation, allows an attacker to redirect the victim’s login into an attacker-controlled shell.
Biography. Fabian Bäumer completed his M.Sc. degree in IT security by the end of 2021. Since 2022, Fabian has been working as a PhD student at Ruhr University Bochum and is part of the Chair for Network and Data Security. Currently, he is researching the SSH (Secure Shell) network protocol from a security standpoint.
@TrueSkrillor
@Skrillor@infosec.exchange
Vaisha Bernard
(Eye Security) – Talk
Talk. Phishing for Tenants: All I Wanted was for Microsoft to Deliver my Phishing Simulation, but instead I kept Reeling in Bug Bounties and Admin Access to Random Tenants
Abstract. I just wanted to send out a phishing simulation. My first attempt with Microsoft's new Attack Simulation platform resulted in three bug bounties for the most trivial mistakes and no more faith in the product. Then I tried building it myself and the last thing I needed was only to allowlist my IP address. I ended up in a rabbit hole that took me from a Chinese company that wanted all my access tokens, to intercepting client-side requests made by the Security & Compliance Center with the goal of replaying these to a backend API, only to discover I could now access tenants that were not mine. Tenants which I could now completely turn upside down and extract every bit of information that was in there.
Biography. Vaisha Bernard is a principal cybersecurity specialist at Eye Security, a rapidly growing MSSP based in The Netherlands, Germany, and Belgium. Although he has a formal background in Astrophysics and Artificial Intelligence, he already became an offensive cybersecurity enthusiast at age 12. After graduating it was this expertise that landed him a job at the Dutch government. In 2020 he joined Eye Security as principal cybersecurity specialist, where he splits his time between research, high profile incident response cases and cracking attack surfaces.
@the1bernard
Vaisha Bernard
Márton Bognár
(KU Leuven) – Talk
Talk. Breaking and Securing Memory Isolation in Texas Instruments Microcontrollers
Abstract. Texas Instruments has shipped millions of new-generation MSP430 microcontrollers featuring an advanced security feature (Intellectual Property Encapsulation, IPE) that isolates selected code and data from attackers. We first adapt attack techniques from higher-end systems to leak or inject data and extract side-channel information from IPE. Then we demonstrate controlled call corruption, a novel attack which completely bypasses the IPE protections by performing a simple function call.
In the second part of the talk, we first demonstrate a software-only mitigation for existing devices which repurposes the memory protection unit to recover most of IPE’s security guarantees. We then introduce openIPE, our research prototype implementing IPE’s specification extended with a flexible firmware layer to enable rapid prototyping of security primitives more closely aligned with industry practices.
Biography. Márton is a graduating PhD student at the DistriNet research group of KU Leuven. His interest lies at the intersection of hardware design, microarchitectural attacks, and formal verification. He is active in both offensive and defensive research with contributions ranging from performing side-channel attacks on web browsers and microcontrollers to building hardware extensions on RISC-V to mitigate transient execution vulnerabilities.
@martonbognar
Bluesky – @mici.hu
www.mici.hu
Jo Van Bulck
(KU Leuven) – Talk
Talk. Breaking and Securing Memory Isolation in Texas Instruments Microcontrollers
Abstract. Texas Instruments has shipped millions of new-generation MSP430 microcontrollers featuring an advanced security feature (Intellectual Property Encapsulation, IPE) that isolates selected code and data from attackers. We first adapt attack techniques from higher-end systems to leak or inject data and extract side-channel information from IPE. Then we demonstrate controlled call corruption, a novel attack which completely bypasses the IPE protections by performing a simple function call.
In the second part of the talk, we first demonstrate a software-only mitigation for existing devices which repurposes the memory protection unit to recover most of IPE’s security guarantees. We then introduce openIPE, our research prototype implementing IPE’s specification extended with a flexible firmware layer to enable rapid prototyping of security primitives more closely aligned with industry practices.
Biography. Jo Van Bulck is a professor in the DistriNet lab at the Department of Computer Science of KU Leuven, Belgium. His research explores microarchitectural security limitations along the hardware-software boundary, with a particular attention for privileged side-channel attacks on trusted execution environments. Jo's research has uncovered several innovative attack vectors in commodity Intel x86 processors. Key results include Foreshadow, LVI, ZombieLoad, Plundervolt, and SGX-Step.
@jovanbulck
www.vanbulck.net
Jessa Gegax
(Surescripts LLC) – Talk
Talk. Salesforce Snafus: Unveiling and Exploiting Security Misconfigurations Using Commonly Used Widgets
Abstract. This talk explores how to leverage the nooks of Salesforce to find and abuse misconfigurations that chain together and create vulnerabilities that leak data to adversaries.
It highlights that security concerns still exist on applications built on a well-known CRM tool with declarative or "point and click" development, where to discover them, and how they can be remediated.
It provides a real-world scenario of using various Salesforce widgets to find security vulnerabilities like Insecure Direct Object References (IDORs) and Broken Authorization as a means of stealing sensitive information. It offers solutions for detection and prevention for these attacks that relate to common security best practices. At the end of this discussion, you will walk away with better awareness of the vulnerabilities existing in Salesforce, how they can be discovered, remediated, then prevented.
Biography. Jessa Gegax is an Information Security Testing Analyst at Surescripts LLC in Minneapolis, Minnesota.
Jessa holds an undergraduate degree in Computer Science with research interests in offensive cloud security, networking, and web application/API penetration testing.
Jessa Gegax
Paul Gerste
(SonarSource SA) – Talk
Talk. SQL Injection Isn’t Dead: Smuggling Queries at the Protocol Level
Abstract. SQL injections seem to be a solved problem; databases even have built-in support for prepared statements, leaving no room for injections. In this session, we will go a level deeper: instead of attacking the query syntax, we will explore smuggling attacks against database wire protocols, through which remote, unauthenticated attackers can inject entire (No)SQL statements into an application's database connection.
Using vulnerable database driver libraries as case studies, we will bring the concept of HTTP request smuggling to binary protocols. By corrupting the boundaries between protocol messages, we desynchronize an application and its database, allowing the insertion of malicious messages that lead to authentication bypasses, data leakage, and remote code execution.
Biography. Paul Gerste is a vulnerability researcher on Sonar's R&D team. He has a proven talent for finding security issues, demonstrated by his two successful Pwn2Own participations and discoveries in popular applications like Proton Mail, Visual Studio Code, and Rocket.Chat. When Paul is not at work, he enjoys playing and organizing CTFs with team FluxFingers.
@pspaul95
@pspaul@infosec.exchange
Christoph Heine
(RADIX SECURITY) – Talk
Talk. 5G Security (And Why You Should Care About It
Abstract. The security of cellular networks is still frequently associated with the security of phone networks and personal communication. Attacks discussed in popular media mostly focus on the privacy aspect of phone calls and text messages, e.g. attacks involving eavesdropping or location tracking. However, with the introduction of the 5th Generation technology standard (5G) in 2016, the possible practical applications of cellular network technology have increased significantly beyond usage in phone networks. 5G introduces several new provisions that allow it to be deployed in advanced machine-to-machine communication contexts such as IoT devices, autonomous driving, or aviation. Furthermore, 5G’s new modular design makes it much easier to run a small-scale, dedicated 5G network by placing a greater emphasis on scalability, interoperability, and usage of more “classic” web technologies, e.g. TLS, OAuth2, and HTTP[1].
While these applications offer exciting new opportunities and use cases from a consumer’s point of view, they also have the potential to significantly increase the attack surface and introduce new threats in the fields of mobile security. In our talk, we want to shine a light on the current state of 5G and security threats that have been observed or may arise in the future as the standard is being rolled out all over the world. In this context, we explain which lessons can be learned from related fields of security research, e.g. web security, and how researchers in these fields may apply their findings in the context of 5G. We also discuss the current challenges we face in both 5G security research and practical testing of 5G networks based on our experience on working with the BSI to refine Germany's national 5G certification scheme.
[1] //www.3gpp.org/technologies/5g-system-overview
Biography. Christoph Heine is an independent security researcher and developer of pentesting tools for Radix Security. Christoph is best known for designing and building tools with a high degree of automation, particularly in the field of REST security and testing common vulnerabilities in APIs. His current main focus is the analysis and enhancement of the REST APIs used in the 5G network standards. In this context, he is currently working with a team at Radix Security to create a dedicated security suite for enhancing the testing of 5G networks. In addition to his security related interests, Christoph is also an avid free software advocate and is a frequent collaborator on various open source projects.
Jonas Kaspereit
(FH Münster) – Talk
Talk. LanDscAPe: Exploring LDAP Weaknesses and Data Leaks at Internet Scale
Abstract. The Lightweight Directory Access Protocol (LDAP) is the standard technology to query information stored in directories. These directories can contain sensitive personal data such as usernames, email addresses, and passwords. LDAP is also used as a central, organization-wide storage of configuration data for other services. Hence, it is important to the security posture of many organizations, not least because it is also at the core of Microsoft's Active Directory, and other identity management and authentication services.
We report on a large-scale security analysis of deployed LDAP servers on the Internet. We developed LanDscAPe, a scanning tool that analyzes security-relevant misconfigurations of LDAP servers and the security of their TLS configurations. Our Internet-wide analysis revealed more than 10k servers that appear susceptible to a range of threats, including insecure configurations, deprecated software with known vulnerabilities, and insecure TLS setups. 4.9k LDAP servers host personal data, and 1.8k even leak passwords. We document, classify, and discuss these and briefly describe our notification campaign to address these concerning issues.
Biography. Jonas Kaspereit is currently pursuing a Ph.D. in Computer Science at FH Münster.
Jonas Kaspereit
David Klein
(Technische Universität Braunschweig) – Talk
Talk. Parse Me, Baby, One More Time: Bypassing HTML Sanitizer via Parsing Differentials
Abstract. In this talk, we will delve into why this is the case. To remove XSS payloads, an HTML sanitizer must first parse its input. Then, it determines which parts of the input are dangerous and removes or rewrites them. Lastly, it serializes the transformed input back to its textual form and returns it.
This process means a sanitizer is only as strong as the employed HTML parser. Despite HTML looking deceptively simple, implementing an HTML parser is surprisingly complex. While officially specified, parsing HTML has tons of edge cases and quirks. Sanitizers have to implement all of them, effectively mimicking the exact behavior of a browser. Even if a developer pulls off this nontrivial feat, additional pitfalls lie in the differences in behavior between browsers.This talk will show how sanitizers deployed by millions of people fall well short of these goals and are easily bypassable.
We will present MutaGen, a framework that generates HTML fragments prone to abuse parsing implementation differences, so-called parsing differentials. When evaluating the generated fragments on 11 server-side HTML sanitizers, we found that all use deficient parsers. In benign cases, this means the sanitizer mangles harmless input. However, by abusing such parsing differentials we could automatically bypass all but two of them.
Biography. David is a PhD candidate at the Institute for Application Security at Technische Universität Braunschweig under the supervision of Martin Johns. His research focus mainly lies in the area of Web Security. However, he's also passionate about privacy and making applications more private and secure through runtime enforcement techniques. He's actively participating in the open source community, maintaining the research browser "Project Foxhound" and the JVM taint engine "Project Fontus".
His works have been presented at leading academic conferences (IEEE S&P, Usenix Security, ACM CCS, IEEE EuroS&P, ACSAC, PETS, ...) as well as non-academic venues, e.g., Black Hat EU, RuhrSec, IT Defense, OWASP AppSec SFO, German OWASP Day.
@ncd_leen
David Klein
@leeN@chaos.social
leeN
Daniel Klischies
(Ruhr University Bochum) – Talk
Talk. Behind Closed Curtains - Insights on Security Vulnerabilities in Smartphone Basebands
Abstract. In an era where smartphones are integral to our daily lives, securing them against vulnerabilities is crucial to protect our overall digital privacy. Consequently, mobile operating systems have been hardened, prompting exploits to become increasingly sophisticated and costly. Threat actors are, therefore, exploring cellular basebands as an alternative and more attractive avenue to compromise the security of smartphones.
In this talk, I provide new insights on the security of modern smartphone basebands. I will outline several vulnerabilities in commercial basebands, affecting thousands of different smartphone models. Besides concrete vulnerabilities, you will learn about the systemic issues in the cellular protocol specifications and firmware lifecycle, promoting the likelihood and longevity of such vulnerabilities.
Biography. Daniel Klischies is a final-year PhD student at the Chair for Security and Privacy of Ubiquitous Systems at Ruhr University Bochum. His main research objective is to understand and improve the security properties of firmware, currently focusing on cellular devices. He prefers to employ a diverse range of methodologies in problem-solving, such as binary analysis, formal methods, and empirical studies.
Prior to his PhD studies, Daniel was a software engineer for data analytics solutions in the automotive industry.
@danielklischies
www.danielklischies.net
Niclas Kühnapfel
(Technische Universität Berlin) – Talk
Talk. Glitching AP4: A Technical Deep Dive Into Tesla’s Autopilot Computer
Abstract. Tesla has become known not only for its electric vehicles but also for its advanced computer platform, featuring an infotainment system, remote services, and the prominent Autopilot driving assistant. While Autopilot’s platform security protects its code, machine learning models, and data from competitors, it also hinders third parties from accessing crucial user data, such as camera and sensor recordings, which could aid in e.g. crash investigations.
In this presentation, we demonstrate how we rooted Tesla Autopilot HW4 using voltage glitching, enabling the extraction of arbitrary code and user data. We will dive deeper into Autopilot’s security architecture, exploring the flash filesystem, full disk encryption, and model weight encryption. Additionally, we will compare this attack with the previously published attack on Autopilot HW3.
Biography. Niclas Kühnapfel is a Ph.D. candidate at TU Berlin’s Chair for Security in Telecommunications (SecT). His research spans hardware, embedded, and platform security. He studied Computer and Communication Systems Engineering (B.Sc., TU Braunschweig) and Computer Engineering (M.Sc., TU Berlin). Niclas has presented on covert channels (ACSAC) and fault injection attacks on AMD-ASP (IEEE PAINE). Recently, he published voltage glitching attacks on Tesla’s infotainment system (Black Hat) and Autopilot HW3 (37C3).
Sarah Mader
(NVISO GmbH) – Talk
Talk. Red Team Operations in OT: A Peek Behind the Curtains of Hacking Industrial Systems
Abstract. In an era where industrial systems are increasingly targeted by sophisticated cyber threats, understanding how these attacks take place and how to defend against these attacks is crucial. This presentation will provide an in-depth look at Red Team operations within Operational Technology (OT) environments, such as factories and power plants.
We will begin by outlining the fundamental differences between OT and IT security, highlighting the unique challenges and vulnerabilities present in OT systems. This foundational knowledge sets the stage for a deeper exploration of the current threat landscape within OT environments.
The core of the presentation will focus on real-world case studies from our Red Team assessments. We will walk you through the methodologies we use to simulate real attacker behaviours, from initial infiltration to identifying critical vulnerabilities, all while ensuring minimal disruption to operational processes.
Agenda:
- Introduction: Overview of Operational Technology (OT) and Red Teaming
- Distinguishing IT from OT: Key Differences and Implications
- Current Threat Landscape: Emerging Threats and Vulnerabilities in OT
- Red Team Operations in OT Environments: Strategies, Tools, and Techniques
- Case Studies: Real-world Examples and Lessons Learned
Biography. Sarah is a Senior Consultant at NVISO, with a focus on Red Team Assessments. Complementing her cybersecurity experience, she has developed proficiency in Operational Technology (OT) assessments and continues to specialize further in this area.
She possesses a Master's degree in Applied IT Security, which has been enriched by her diverse experiences in cybersecurity roles across various companies.
In addition to her professional work, Sarah is dedicated to contributing to the community by leading workshops and delivering presentations at industry conferences.
David Rupprecht
(RADIX SECURITY) – Talk
Talk. 5G Security (And Why You Should Care About It
Abstract. The security of cellular networks is still frequently associated with the security of phone networks and personal communication. Attacks discussed in popular media mostly focus on the privacy aspect of phone calls and text messages, e.g. attacks involving eavesdropping or location tracking. However, with the introduction of the 5th Generation technology standard (5G) in 2016, the possible practical applications of cellular network technology have increased significantly beyond usage in phone networks. 5G introduces several new provisions that allow it to be deployed in advanced machine-to-machine communication contexts such as IoT devices, autonomous driving, or aviation. Furthermore, 5G’s new modular design makes it much easier to run a small-scale, dedicated 5G network by placing a greater emphasis on scalability, interoperability, and usage of more “classic” web technologies, e.g. TLS, OAuth2, and HTTP[1].
While these applications offer exciting new opportunities and use cases from a consumer’s point of view, they also have the potential to significantly increase the attack surface and introduce new threats in the fields of mobile security. In our talk, we want to shine a light on the current state of 5G and security threats that have been observed or may arise in the future as the standard is being rolled out all over the world. In this context, we explain which lessons can be learned from related fields of security research, e.g. web security, and how researchers in these fields may apply their findings in the context of 5G. We also discuss the current challenges we face in both 5G security research and practical testing of 5G networks based on our experience on working with the BSI to refine Germany's national 5G certification scheme.
[1] //www.3gpp.org/technologies/5g-system-overview
Biography. David Rupprecht is a security researcher at the Ruhr University of Bochum in the field of mobile security. Since finishing his PhD in 2020, David has dedicated a significant amount of his attention to the development of official security requirements for the 5G network standards published by the 3GPP working group. In this context, David also works closely with the German Federal Office for Information Security (BSI) to prepare the rollout of the German national certification program for public 5G networks. In 2022, David founded Radix Security together with Katharina Kohls to pursue these efforts further with a dedicated team of like-minded individuals. As of 2025, their company has grown to the size of 12 people.
David Rupprecht
Sebastian Schinzel
(FH Münster) – Talk
Talk. LanDscAPe: Exploring LDAP Weaknesses and Data Leaks at Internet Scale
Abstract. The Lightweight Directory Access Protocol (LDAP) is the standard technology to query information stored in directories. These directories can contain sensitive personal data such as usernames, email addresses, and passwords. LDAP is also used as a central, organization-wide storage of configuration data for other services. Hence, it is important to the security posture of many organizations, not least because it is also at the core of Microsoft's Active Directory, and other identity management and authentication services.
We report on a large-scale security analysis of deployed LDAP servers on the Internet. We developed LanDscAPe, a scanning tool that analyzes security-relevant misconfigurations of LDAP servers and the security of their TLS configurations. Our Internet-wide analysis revealed more than 10k servers that appear susceptible to a range of threats, including insecure configurations, deprecated software with known vulnerabilities, and insecure TLS setups. 4.9k LDAP servers host personal data, and 1.8k even leak passwords. We document, classify, and discuss these and briefly describe our notification campaign to address these concerning issues.
Biography. Prof. Dr. Schinzel teaches and researches applied cryptography, cyber security and medical IT security. He heads the research group of the Laboratory for IT Security and the “Applied Cryptography and Medical IT Security (ACM)” department at the Münster site of the Fraunhofer Institute for Secure Information Technology SIT. He is a founding member of the Institute for Society and Digitality (GUD) at the UAS. He is also a professorial member of the NRW doctoral college.
Sebastian Schinzel
Leon Trampert
(CISPA Helmholtz Center for Information Security) – Talk
Talk. Beauty at a Cost: Privacy Implications of CSS on the Web and in Emails
Abstract. Modern browsers are increasingly restricting traditional tracking methods like third-party cookies to enhance user privacy. However, browser fingerprinting remains a powerful tool for tracking users across websites, even in privacy-conscious scenarios. It is typically associated with JavaScript-based methods, which have been the primary focus of tracking and mitigation efforts.
This talk highlights how Cascading Style Sheets (CSS), often considered harmless and enabled by default in email clients, enable third-party profiling without cookies or JavaScript. Furthermore, modern browser engines facilitate these techniques in HTML emails, making email fingerprinting a capable vector for tracking, targeted phishing, and spam campaigns. These findings reveal gaps in current JavaScript-centric privacy protections and emphasize the need for broader mitigations.
Biography. Leon Trampert is a PhD student at Saarland University working for the CISPA Helmholtz Center for Information Security under the supervision of Dr. Michael Schwarz and Prof. Christian Rossow. He works on unintended security and privacy implications introduced by new Web technologies. As such, he regularly plays around with up-and-coming Web technologies such as WebAssembly, WebUSB, or new CSS features. Before his doctoral studies, he obtained his Bachelor's degree in Cybersecurity from Saarland University.
@LTrampert
leon.trampert.me
Daniel Weber
(CISPA Helmholtz Center for Information Security) – Talk
Talk. Beauty at a Cost: Privacy Implications of CSS on the Web and in Emails
Abstract. Modern browsers are increasingly restricting traditional tracking methods like third-party cookies to enhance user privacy. However, browser fingerprinting remains a powerful tool for tracking users across websites, even in privacy-conscious scenarios. It is typically associated with JavaScript-based methods, which have been the primary focus of tracking and mitigation efforts.
This talk highlights how Cascading Style Sheets (CSS), often considered harmless and enabled by default in email clients, enable third-party profiling without cookies or JavaScript. Furthermore, modern browser engines facilitate these techniques in HTML emails, making email fingerprinting a capable vector for tracking, targeted phishing, and spam campaigns. These findings reveal gaps in current JavaScript-centric privacy protections and emphasize the need for broader mitigations.
Biography. Daniel Weber is a PhD student researching in the field of microarchitectural attacks, such as side-channel and transient-execution attacks. His work focuses on improving the process of finding such attacks via automation. He is part of Michael Schwarz' research group at the CISPA Helmholtz Center for Information Security. Before that, he obtained a Bachelor's degree in Cybersecurity from Saarland University. In his free time, Daniel regularly participates in Capture the Flag competitions as part of the team saarsec.
@weber_daniel
roots.ec
