Usman

2.4K posts

@0xusmanf

🥷 Security-First Solidity Dev 🏅 SSCD+ | QWS+ certified @CyfrinUpdraft ✍️ Co-authored SSCD+ study guides 🤝 Ambassador @Cyfrin

Joined October 2012
368 Following 659 Followers
Pinned Tweet
Usman
Usman@0xusmanf·
Blessed to have earned my second certification from @CyfrinUpdraft! Now, I’m officially a QWS (Qualified Web3 Signer) certified along with SSCD+. A huge thank you to the @cyfrin team and @PatrickAlphaC for creating such amazing tools like Safe Hash and Wise Signer.
English
35
5
109
19.2K
Usman reposted
Patrick Collins
Patrick Collins@PatrickAlphaC·
Don’t leave sensitive data in plaintext
Socket@SocketSecurity

🚨 BREAKING: Active supply chain attack across npm, PyPI, and Crates.​io. Socket detected TrapDoor, a crypto stealer campaign hitting 34 malicious packages and 384 versions and artifacts, with attackers repeatedly pushing new releases across ecosystems. TrapDoor targets #crypto, #DeFi, AI, and security developers, stealing wallets, SSH keys, cloud credentials, GitHub tokens, browser data, env vars, and API keys. Socket detected releases with a median detection time of 5 minutes, 27 seconds. The fastest detection occurred 58 seconds after publication.

English
13
7
81
20.2K
ana howard
ana howard@AnaArsonist·
talking about stuff and things
English
2
0
62
1.8K
Usman reposted
Andrej 🦇🔊
Andrej 🦇🔊@andrej_dev·
Introducing Chainlink Developer Agent Skills Chainlink Agent Skills are AI tools for building with Chainlink. Each skill teaches your AI agent how to code with a specific Chainlink product. One command to install Skills. Start prompting right away. Go build something awesome!
English
10
13
59
4.1K
Usman
Usman@0xusmanf·
@Ledger Great that you have clear signing. When do you plan to add support for ERC-8213?
English
0
6
16
609
Ledger
Ledger@Ledger·
you: wish I could actually read this transaction. also you: bought a Ledger signer where Clear Signing is the standard. well done me.
English
80
27
191
12.5K
Usman
Usman@0xusmanf·
@lastbrokeman If only the thief had waited for one more day, they could have had the lock too.
English
1
0
1
19
Brokeman
Brokeman@lastbrokeman·
>sun is out, juice in hand....good hangout
>I get up to give some cents to the Busker because his Bad Bunny's rendition is so good🤌🏼
>we're still waiting for a friend who finally shows up
>we go to grab our bikes
>mine is gone
>just gone
>lock delivers tomorrow
English
2
0
1
60
Brokeman
Brokeman@lastbrokeman·
Me:
>buy a new ebike yesterday and get it home around 17.30
>forget to buy a lock for whatever reason and order one on Amazon to be delivered on Monday
>meet cousin today for a ride through the woods and touch some grass
English
1
0
1
57
Usman
Usman@0xusmanf·
@PatrickAlphaC I'm turning 36 next month, and as someone who has seen some life, this is gold.
English
0
0
3
87
Usman reposted
Patrick Collins
Patrick Collins@PatrickAlphaC·
I recently turned 33, and every year I want to go back to 21-year-old Patrick with a list of lessons. If you're in your 20s, these are for you. Most lessons only land after an ass-whooping. And even then, you usually miss them the first time.
English
139
220
3K
326.1K
Usman reposted
WiiMee
WiiMee@wiimee·
Physical phishing isn't going anywhere. Here it says Ledger. In my video it said Trezor. Next time it could be any hardware wallet company. The goal is always the same:
>Make the letter feel official
>Push you to a fake website
>Steal your seed phrase
tic.eth 🇮🇹 🤌@Punk4725

This is terrifying @Ledger. I just received a physical scam letter at my home address in Italy 🇮🇹 How the hell do scammers have access to the addresses of Ledger users? This goes way beyond phishing emails now. People’s safety is literally at risk.

English
2
5
19
1.8K
Usman reposted
Patrick Collins
Patrick Collins@PatrickAlphaC·
If you put a private key in plaintext anywhere I will apparate to your house and cut off your pinkies
English
32
22
224
9K
Usman reposted
Patrick Collins
Patrick Collins@PatrickAlphaC·
Who will be next to support ERC-8213? Who is the next wallet that cares about verifying calldata??
English
6
17
115
4.6K
Usman reposted
Patrick Collins
Patrick Collins@PatrickAlphaC·
There are around only 24 hours left to donate to the DAO security fund. I would like to ask you to please donate to Cyfrin Updraft & Tooling. If you know someone who learned security with us, please consider donating! We have been the #1 education platform for onboarding security researchers and developers to Web3 for 3 years straight, 100% for free. qf.giveth.io/project/cyfrin…
Some stats:
- Averages 8k students a week
- Hundreds of thousands of hours of watchtime in aggregate
- Millions of views on YouTube (500k on foundry 1 year ago, 600k 2 years ago, ~200k on intro to security, ~25k on assembly and formal verification, etc)
- Thousands of stars on security education on GitHub
Not to mention @SoloditOfficial, Aderyn, LocalSafe, WiseSigner, ERC-8213, @CodeHawks first flights & AI first flights (competitive audit live trainings) and more. If you don't like our education, we have a tooling page too: qf.giveth.io/project/cyfrin… Thank you for your consideration!
English
23
54
258
14.4K
copper screw
copper screw@ScrewCopper·
@PatrickAlphaC Hey u used to tweet something like contests but better right What happened to that
English
2
0
1
260
Usman reposted
Pol Lanski 🥩,🤖
Pol Lanski 🥩,🤖@Pol_Lanski·
Seal 911 (@SEAL_911 ) and @_SEAL_Org 's other activities. This is a distribution mechanism for some of the best security minds in the industry, loosely organised under SEAL but with several initiatives.
English
1
1
4
83
Usman reposted
sudo rm -rf --no-preserve-root /
so our DPRK Contagious Interview friends have advanced in the meantime and now have started reking people for which you only need to _unzip_ a file and run a git checkout or commit operation. so this is how the attack works:
1. the attacker distributes the repo as a zip archive (which is pivotal!). this is on purpose because git clone explicitly strips hooks (since cloning goes through git's _own_ protocol which excludes them) from remote sources as a security measure but unzipping is just a _normal_ filesystem op that git cannot control (yeah fml but also simple fact). the zip restores file permissions exactly as the attacker set them (expect `rwxrwxr-x`), so the two active hooks (`pre-commit` & `post-checkout`) arrive on disk already executable (yeah fml).
2. git _automatically_ runs a hook when two conditions are met at the same time. the file must have the correct bare name with no `.sample` extension _and_ the executable bit must be set (like `rwxrwxr-x`). both of these are already satisfied by the attacker _before_ the zip is distributed. no fucking user action, config change, or approval is needed, git's own hook dispatch system triggers everything lmfaooo. software is great innit?
3. some of the custom `.sample` files in the shipped `.git/hooks` directory are the malicious payloads. they are basically payload components _disguised_ under innocent names. once the victim does anything beyond passively inspecting the repo (e.g. git checkout or git commit), the _active_ hook copies those files into `~/.vscode` (a directory devs usually trust and ignore but well you should not trust it guys) and then starts a detached background process using `nohup` so it does not block or visibly affect the git command. the git operation still completes normally and nothing looks suspicious. fucking evil, but hey here we are!
4. now that background process then bootstraps a node.js runtime if it is not already installed, runs npm install using an attacker controlled package.json, and executes an obfuscated payload (this can ofc differ and change over time). from that point the attacker gains clipboard access, a persistent c2 channel over socket.io (usually) and the ability to read browser credential dbs
English
12
25
142
14.8K
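The pre-flight check a defender would want after reading the post above, as an added example that is not part of the post or of any tool it names: it inspects an unpacked repository's `.git/hooks` for the exact state the post describes (bare hook name plus executable bit, the two conditions under which git dispatches a hook) and flags anything else in the directory that is not a stock `<hook>.sample`, so the archive can be reviewed before any checkout or commit is run. `HOOK_NAMES` is a partial copy of git's documented hook names, and `build_constructed_repo` is a constructed fixture, not a real sample.

```python
import os
import stat
import tempfile

# Partial list of hook names git dispatches (see githooks(5)); extend as needed.
HOOK_NAMES = {
    "applypatch-msg", "pre-applypatch", "post-applypatch", "pre-commit",
    "pre-merge-commit", "prepare-commit-msg", "commit-msg", "post-commit",
    "pre-rebase", "post-checkout", "post-merge", "pre-push", "pre-receive",
    "update", "post-receive", "post-update", "push-to-checkout", "pre-auto-gc",
    "post-rewrite", "sendemail-validate", "fsmonitor-watchman",
}


def scan_hooks(repo_path):
    """Classify files under <repo>/.git/hooks before running any git command.
    active  - bare hook name and executable: git runs these on its own
    dormant - bare hook name but not executable: one chmod away from running
    unknown - neither a hook name nor "<hook>.sample": review by hand
    """
    hooks_dir = os.path.join(repo_path, ".git", "hooks")
    result = {"active": [], "dormant": [], "unknown": []}
    if not os.path.isdir(hooks_dir):
        return result
    for name in os.listdir(hooks_dir):
        path = os.path.join(hooks_dir, name)
        if not os.path.isfile(path):
            continue
        # Owner execute bit approximates git's access(X_OK) test.
        is_exec = bool(os.stat(path).st_mode & stat.S_IXUSR)
        if name in HOOK_NAMES:
            result["active" if is_exec else "dormant"].append(name)
        elif not (name.endswith(".sample") and name[:-7] in HOOK_NAMES):
            result["unknown"].append(name)
    return {k: sorted(v) for k, v in result.items()}


def build_constructed_repo():
    """Constructed fixture (not a real sample) shaped like the archive in the post."""
    root = tempfile.mkdtemp()
    hooks = os.path.join(root, ".git", "hooks")
    os.makedirs(hooks)
    layout = {"pre-commit": 0o775, "post-checkout": 0o775, "pre-push": 0o664,
              "pre-rebase.sample": 0o664, "helper.sample": 0o664}
    for name, mode in layout.items():
        path = os.path.join(hooks, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\nexit 0\n")  # inert body; only name and mode matter
        os.chmod(path, mode)
    return root
```

Run `scan_hooks(path)` on the directory an archive was extracted into; anything under `active` will fire on the next checkout or commit, and `unknown` entries such as an odd `.sample` file are where the post says the payload components live.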
Usman
Usman@0xusmanf·
His book, Mastering Bitcoin, is a must-read for everyone trying to understand how crypto works. The Blockchain Basics course by @CyfrinUpdraft is also a good place to start. Whatever you choose, just don't forget to take the one-hour Web3 Wallet Security Basics course on Updraft.
English
0
0
1
45
Geezonchain
Geezonchain@GungunJain_cs·
Which YouTube channel or creator helped you understand crypto better as a beginner?
English
11
0
42
411