Taylor Hornby 🛡❤️

20.6K posts

Taylor Hornby 🛡❤️ banner
Taylor Hornby 🛡❤️

Taylor Hornby 🛡❤️

@DefuseSec

Security research (https://t.co/xrmvhFVPtv), EDM (https://t.co/Ynq2DNWQa1), & board member @ Zcash Foundation.

Calgary, Canada Katılım Şubat 2012
1.4K Takip Edilen9.4K Takipçiler
Taylor Hornby 🛡❤️ retweetledi
Zcash Open Development Lab
zcashd will reach its end-of-life service halt on July 18, as scheduled, completing the Zcash ecosystem's migration to Rust-based, next-generation Zcash client software. zcashd will not support NU6.3 (Ironwood). Node operators will need to complete their transition to Zebra and the ZODL-maintained Zallet wallet prior July 18. Only Zebra nodes will be on the peer-to-peer network from that time onward. We've successfully worked with and continue to assist partners in their migrations to bring the ecosystem forward. Zcash is upgrading.
English
21
43
129
12K
Taylor Hornby 🛡❤️ retweetledi
vitalik.eth
vitalik.eth@VitalikButerin·
And ... we have a winner! My method when writing the post in 2024 was: I wrote it in Chinese, used qwen2.5 locally to translate it to English, then manually fixed all the bugs in the translation. Notice that the stylistic hints that his AI picked up on were intellectual habits and style of math and algorithm explanation, which bypassed my obfuscation strategy (which only covered prose) completely. firefly.social/post/x/2074176…
English
344
148
1.9K
635K
Taylor Hornby 🛡❤️
Taylor Hornby 🛡❤️@DefuseSec·
Can someone please make a security issue severity grading bechmark so that AIs can get better at it?
English
0
0
11
727
Taylor Hornby 🛡❤️ retweetledi
Halvar Flake
Halvar Flake@halvarflake·
I wish I could get Fable to help me reason through my old PhD research, but because it involves cryptanalysis of a block cipher, I'm nerfed to Opus 4.8 immediately just explaining the problem. Sigh.
English
11
8
114
14.1K
Taylor Hornby 🛡❤️ retweetledi
Matthew Green
Matthew Green@matthew_d_green·
The next big bug class is going to be vulnerabilities in formal verification systems and harnesses. Proving the wrong theorem, axiom smuggling, etc. It’s going to be a wild year.
Zellic@zellic_io

Note that all of our proofs are valid proofs for the statements they claim to prove. The issue lies in those statements not meaning what they were intended to mean. While our circuits were still sound and complete, the flaw in the spec for mainCost allowed us to break the larger protocol functionality – ranking circuits by cost – and place our circuit #1 on the leaderboard. We look forward to following how this competition develops, and all the cool new optimised circuits that will come out of it, once all the kinks are ironed out. Takeaway: Formally verified code is only as secure as the spec it was proved against!

English
9
18
137
19.5K
Taylor Hornby 🛡❤️ retweetledi
cts🌸
cts🌸@gf_256·
Perfect example of when and how formal verification can fail. Why code golf when you can just find bugs in the contest itself? (Contest here is "make a SHA256 circuit along with a Lean 4 proof of correctness. We found a bug in the way the circuit cost is scored)
Zellic@zellic_io

You "win" zk.golf – ZKSecurity’s FV contest – by writing the most optimized formally verified circuit for cryptographic primitives. But how does the best SHA256 circuit have a cost of 0? Here's how we exploited the FV spec for the top score on all circuits.👇

English
4
12
285
30.6K
Taylor Hornby 🛡❤️ retweetledi
Roman Storm 🇺🇸 🌪️
The gov't theory in my case isn't about me. It's a template. Under US v. Storm, "money transmitting" no longer requires custody or control of funds. Publishing code that others use is enough. Who's in danger: → Every maintainer of open-source privacy, messaging, or crypto tools that any bad actor ever touches → Every operator of a financial service — DeFi or not — who learns some % of users are illicit and keeps operating. Knowledge alone becomes the crime → Every dev of immutable, self-custodial software, held to a duty to "stop" what is technically unstoppable It's already working as designed. Michael Lewellen finished lawful crowdfunding software and can't publish it. He asked DOJ if he'd be prosecuted. Their answer, in federal court: we "cannot disclaim an intent to prosecute." Finished code, sitting on a shelf. You don't need to be charged to be silenced. And SDNY isn't done with me. Prosecutors want to retry me regardless — regardless of the hung counts, regardless of Van Loon, regardless of FinCEN's own guidance. I've been fighting this for 3+ years. Legal defense at this level costs millions, and I can't do it alone. If you write code, use privacy tools, or believe publishing software isn't a crime — this is your fight too. Donate: freeromanstorm.com Every retweet helps. Every dollar goes to the defense.
Peter Van Valkenburgh@valkenburgh

Read more and find the full brief: coincenter.org/non-prosecutio…

English
29
177
542
220.8K
Matthew Green
Matthew Green@matthew_d_green·
The upper bound on the number of vulnerabilities in a piece of software of length n bits is:
English
24
5
27
12.5K
Taylor Hornby 🛡❤️ retweetledi
Palmar 🎧
Palmar 🎧@palmarzk·
I have a rule: I only use AI after thinking deeply for a while with my own brain.
English
0
2
5
426
Taylor Hornby 🛡❤️ retweetledi
Ian Miers
Ian Miers@secparam·
Once the camera is inside your car or the client side scanning bot is in your phone, you no longer control what gets reported. One overnight update and the rules change. You have to watch what you say. And the consequences for speech are much worse than a speeding ticket.
English
1
2
13
900
Taylor Hornby 🛡❤️ retweetledi
Juliano Rizzo
Juliano Rizzo@julianor·
With AI, the reversing barrier is gone for many attackers. Finding tooling, decode/encode niche serialization formats, implementing known crypto attacks, and optimizing them is mostly prompting now. This is obvious to some of you, but we still see a pre-AI mindset: trying to censor or hide bug details. That is ineffective. The real answer is moving faster than attackers. It is more than patching: defend, protect. Reduce impact in every possible way, and use AI to do it faster.
English
0
15
30
5.4K
Taylor Hornby 🛡❤️ retweetledi
Paul Graham
Paul Graham@paulg·
Not using LLMs to write for you won't be like not using Google Maps in a new city. It will be like choosing to run and lift weights, even though we now have machines that can transport us and lift weights for us.
English
49
112
1.3K
62.5K
Taylor Hornby 🛡❤️ retweetledi
Trail of Bits
Trail of Bits@trailofbits·
Patch the Planet is our joint initiative with @OpenAI to help maintainers strengthen critical open-source software. In one week, we used Codex and GPT-5.5-Cyber to find hundreds of bugs inside OSS like cURL, Python, and the Go project. 37 patches merged, with more in flight. 🧵
OpenAI@OpenAI

Patch the Planet is our effort to help open source maintainers move from security findings to merged fixes. We’re working with Trail of Bits, HackerOne, Calif, researchers, and maintainers to bring Codex Security and advanced models into the remediation process, with human review at the center.

English
4
36
188
40.6K
Taylor Hornby 🛡❤️ retweetledi
Ivan Bogatyy
Ivan Bogatyy@ivanbogatyy·
⁨I tested my LLM audit pipeline on Aztec 2.0: could it rediscover the vulnerability that drained the vault? It did, and then found a SECOND, unreported critical: prove a deposit, tag it "not a deposit", L1 skips the debit, withdrawal works. Harmless now, vault's already empty.
Ivan Bogatyy tweet media
Aztec Labs@AztecLabs_

We are investigating a potential exploit affecting a deprecated Aztec payments product from 2021. ~$2m was transferred from the immutable smart contract in transaction: etherscan.io/tx/0xab306cd21… The deprecated product is an immutable stage 2 rollup that was sunset in 2022. Aztec Labs holds no admin keys or control over the system; it cannot be paused or upgraded by us. This is a separate incident from the exploit on the depreciated Aztec Connect product that occurred on June 14, 2026. We will share further updates in due course.

English
9
9
100
14.1K
Taylor Hornby 🛡❤️ retweetledi
Matthew Green
Matthew Green@matthew_d_green·
I’m watching how quickly age verification is becoming a part of every policy proposal. None of this is about age, it’s all ultimately about identity.
Matthew Green tweet media
English
76
1.3K
3.5K
227.2K
Namada
Namada@namada·
There's been an exploit in the Namada protocol. We are investigating the issue and are involving the relevant parties. If you are the white hat hacker behind this exploit, please get in touch with us.
English
20
9
52
16K
Taylor Hornby 🛡❤️ retweetledi
Sarah McLaughlin
Sarah McLaughlin@sarahemclaugh·
4) Yes, there are real challenges that come from grappling with how we can best communicate with one another today, online or off. That does not mean you are justified in demanding deeply authoritarian “solutions” that would not even do what you think they would.
English
2
29
424
7K
Taylor Hornby 🛡❤️ retweetledi
Sarah McLaughlin
Sarah McLaughlin@sarahemclaugh·
3) People have reasons other than politics to speak anonymously. There are lots of people who want to seek advice or community privately — maybe a woman dealing with an abusive spouse, someone struggling with addiction, or another person facing an uncomfortable medical diagnosis.
English
2
41
584
7.9K