w2c

programming

Today we disclose Dark Skippy - a powerful new method for a malicious signing device to leak secret keys. With a modified signing function, a device can efficiently and covertly exfiltrate a master secret seed by embedding it within transaction signatures If an attacker manages to corrupt a signing device, Dark Skippy can deliberately use weak & low entropy secret nonces to embed chunks of the seed words into transaction signatures. It takes just two input signatures to leak a 12 word seedphrase onto the Bitcoin blockchain. The attacker can watch on-chain until they spot an affected transaction, unblind and invert the low entropy nonces using an algorithm like Pollard's Kangaroo algorithm to learn the master secret seed. Then the attacker can wait and steal the funds whenever they decide best. Despite this attack vector not being new, we believe that Dark Skippy is now the best-in-class attack for malicious signing devices. - The attack is impractical to detect - Requires no additional communication channels - Effective on stateless devices - Exfils master secret Beyond ensuring your device firmware is genuine and honest (opensource), mitigations include anti-exfil signing protocols and we present some new ideas for additions to PSBT specifications to disrupt this attack. We encourage mitigation discussion and implementation exploration. This attack highlights the importance of verifying and securing your device's firmware, and the danger of sharing stateless signing devices with other people. We will be publicly releasing our code later this year. Authors: @Zero-Knowledge Goof (follow him so he gets onto nostr), Robin Linus, and myself. If you have any concerns or questions we recommend checking out the FAQ page on our website:

Dark Skippy Disclosure - A Powerful Method For Key Exfil Attacks

A powerful method for a malicious hardware wallet to leak its secret keys.

Check out our latest prototypes for the next generation of Bitcoin self-custody!

Frostsnap - Bitcoin Security

Take Bitcoin Saving Seriously.

Why shouldn't I eat a complimentary biscuit?

toxic trait: adding target="_blank" to absolutely every link on a website

testing reckless nostr apps goodluck to my npub

cool post from @conduition

Conduition

Reverse Engineering TicketMaster's Rotating Barcodes (SafeTix)

"Screenshots won't get you in", but Chrome DevTools will.

My friend sent to me, "Wait I know this person, they wrote some incredible FROST posts and are on nostr!"

I scored 0 in the snake game! #snakegame

all accounts are fake unless NIP05d or otherwise attested

Update your bitcoin nodes! sudo apt update && sudo apt upgrade A recently disclosed SSH exploit is actively being attempted!

Qualys

OpenSSH CVE-2024-6387 RCE Vulnerability: Risk & Mitigation | Qualys

CVE-2024-6387 exploit in OpenSSH poses remote unauthenticated code execution risks. Find out which versions are vulnerable and how to pro...

Hacking private raffles into ecash (whjo is asking for this): Imagine you own a rarity that you want to privately raffle, You place the item in a box protected behind a locked door, a door that only unlocks after a payment to a displayed QR invoice. You create an ecash mint and allow people to exchange sats for ecash tickets. Ticket holders continually self pay to improve group privacy. To draw a winner, you draw a single note at random and make that note the only redeemable note which can pay the invoice to unlock the door.

it's completely insane that FOSS Android OSs only work on pixels

Unveiling the latest frostsnap devices sometime this week 🔜 A small step in our radical shift for bitcoin self-custody tech. Nostr gets to see it first

Someone in the apartment above decided to start hammering out their seedphrase at 6am

Why is the encoding for [note.., npub..., nsec...] in NIP-19 bech32 instead of bech32m?

GitHub

nips/19.md at master · nostr-protocol/nips

Nostr Implementation Possibilities. Contribute to nostr-protocol/nips development by creating an account on GitHub.

If you want to clear up space on your linux btw machine, run ncdu /

really wish i made a vanity npub before i got started with nostr