security

security

Discussion on all things web3 security and auditing

Peter pfp

@silencedogood.eth

When a Valid Critical Goes Nowhere: Lessons from 14 Weeks in ImmuneFi Limbo https://medium.com/@sillencedogood/when-a-valid-critical-goes-nowhere-lessons-from-14-weeks-in-immunefi-limbo-7764039316a2

0 reply

0 recast

0 reaction

Max pfp

All engineering at Privy is security engineering We architect with zero trust assumptions, design for failure, and build secure-by-default systems that scale How @andrewmohawk and @0xasta lead us in securing billions of assets across hundreds of millions of txns 👇

0 reply

0 recast

7 reactions

Adam pfp

@adamhurwitz.eth

I discovered Aura today visiting my 95 year old aunt that her grand daughters set up. Someone needs to build digital picture frames /product where the data is securely stored and distributed on @ipfs | /arweave and you own your account with @safe https://x.com/verge/status/1912491974797717732

0 reply

0 recast

0 reaction

Adam pfp

@adamhurwitz.eth

I've been planning the great migration from Mac to Linux too 👨🏻‍💻🦅 My strategy is finding apps that work well on both operating systems so that I can test and become comfortable with these apps for when I'm ready to move to a Framework laptop. For example these should work well across each - /brave for web browsers - Bitwarden for password management - Signal for messaging - Proton VPN for VPNs - Hopefully soon Proton Drive for file storage I haven't researched screen management apps yet for moving windows around with hotkeys|shortcuts. I'm looking for suggestions for ones that are open source and well reviewed since these have high security risks given access to all of your screens. https://x.com/dhh/status/1940848946504782066

0 reply

0 recast

1 reaction

Adam pfp

@adamhurwitz.eth

Mullvad and WireGuard are the only VPNs that GrapheneOS recommends. I will compare Mullvad to Proton VPN since I have to frequently toggle Proton VPN on|off on desktop for sites I use on a daily basis. I'm also excited to test @gnosischain's Hopr's distributed product once it's more consumer ready. https://grapheneos.org/faq#vpn-support:~:text=The%20only%20apps%20we%20can%20recommend%20is%20the%20official%20WireGuard%20app%20and%20the%20official%20Mullvad%20app.

3 replies

1 recast

3 reactions

Adam pfp

@adamhurwitz.eth

Meanwhile on X... Wow Jenna, you look good. Almost too good. 🔥👀 I wonder what the angle of attack is using my profile picture?

0 reply

0 recast

1 reaction

Adam pfp

@adamhurwitz.eth

The latest @safe UX upgrade makes it easier to do multi factor verification MFV of important transactions txs - @openzeppelin Safe Utils to compare tx hashes across signers - Tenderly tx simulator to compare expected actions across devices https://x.com/rahulrumalla/status/1927987805361254629

0 reply

0 recast

0 reaction

Adam pfp

@adamhurwitz.eth

I'm observing Proton Drive desktop app not syncing changes again on macOS. (Ticket #3750568) https://x.com/adamshurwitz/status/1807839043092468109

1 reply

0 recast

1 reaction

Darryl Yeo 🛠️ pfp

Darryl Yeo 🛠️

https://farcaster.xyz/nickysap/0x7220e9ef

0 reply

0 recast

3 reactions

Adam pfp

@adamhurwitz.eth

Thanks again to everyone for letting myself and everyone else know and X for quickly suspending the impersonated account! Things to check to verify accounts 1. Spelling of the person's name from multiple sources, E.g. LinkedIn, web search citations, etc. 2. See if they already follow you 3. Check mutual followers Mutual followers is one indicator. However in this case the impersonated account had gained real existing mutual followers that thought I had potentially re-followed them. Steps 1 and 2 above would disqualify the impersonated account.

0 reply

0 recast

2 reactions

Adam pfp

@adamhurwitz.eth

Much appreciated for friends reaching out to me to quickly let me know [at]adamshurrwitz on X is impersonating me in case you've received a message from them. - Please report if you have 1 min. Thank you! - They added an extra "r" in my last name and bought close to the same amount of followers that I have - Moving to Texas does sound like fun though...

1 reply

0 recast

0 reaction

DepressiveHacks pfp

DepressiveHacks

@depressivehacks

Always check your token warnings on Rally. Stay safe out there!

0 reply

0 recast

0 reaction

Adam pfp

@adamhurwitz.eth

How is code written in China reviewed? Is there similar compliance in place that applies to tech companies @pmarca outlines?

0 reply

0 recast

0 reaction

Adam pfp

@adamhurwitz.eth

For @safe multi factor verification MFV generating the transaction tx hashes with @openzeppelin Safe Utils on both the device|UI where the tx is created and on separate devices|UIs signing the tx is essential. This way the tx hashes created between devices|UIs can be compared. Otherwise using Safe Utils with data from only 1 source would not detect if that source is showing bad info while displaying a correct tx hash. E.g. 1. Create tx on 1st device with Safe UI 2. Create tx hashes with Safe Utils and Safe UI data 3. Sign on 2nd device with software account, E.g. @metamask 4. Create tx hashes with Safe Utils and MetaMask data 5. Compare tx hashes created from both Safe UI and MetaMask to make sure they're the same Thank you to @so for talking through different tx signing scenarios!

0 reply

0 recast

3 reactions

Adam pfp

@adamhurwitz.eth

Can any Rabby users confirm if you can copy|paste @safe transaction tx data on the mobile app? There doesn't seem to be an immediate fix for this Rainbow issue so it could be good to use temporary alternatives as part of a diverse set of Safe signers. I know @metamask has copy|paste tx info on mobile too.

0 reply

0 recast

0 reaction