opsek

154 posts

opsek banner
opsek

opsek

@opsek_io

Operational security audits and training for web3 organizations and HNWIs. We train your team and harden your stack, so you don't get hacked.

127.0.0.1 Katılım Eylül 2024
43 Takip Edilen786 Takipçiler
opsek
opsek@opsek_io·
Our founder, @PabloSabbatella is joining the Review Committee for the Defi Security Summit 2026. Expect the operational side of security to be a lot harder to ignore this year. 👇 Why this matters to us, and what we'll be pushing for
Defi Security Summit@summit_defi

Welcome @PabloSabbatella to the DSS 2026 Review Committee. Thank you for helping shape this year's technical program. DSS 2026 | Mumbai, India

English
1
7
16
1.9K
opsek retweetledi
souilos
souilos@theSouilos·
🛡️ At @opsek_io , our main goal is to make the ecosystem a safer place, securing organizations and end users. Here are some of our initiatives:
English
1
5
8
552
opsek retweetledi
Pablo Sabbatella
Pablo Sabbatella@PabloSabbatella·
At @opsek_io we're hiring a Head of Security to build and lead the security function for one of the most established protocols in DeFi. Onchain is already strong. The work is everything around it. 👇
English
4
8
41
6.3K
opsek
opsek@opsek_io·
Shai-Hulud 2.0 cleanup, step by step: how to check if you're hit, what to rotate, and why ignore-scripts is the single biggest guardrail going forward
souilos@theSouilos

x.com/i/article/2064…

English
0
2
8
1.7K
opsek
opsek@opsek_io·
We built a social engineering game. A "verified" account slides into your DMs with a job opportunity. You follow the steps. At the end, you have to report every red flag you caught. The more you catch, the higher your score. Can you get them all? game.opsek.io
opsek tweet media
English
2
5
13
1.6K
opsek retweetledi
souilos
souilos@theSouilos·
KeePassXC is my favorite LOCAL password manager, and you can protect it with YubiKeys. 🔐 It's open source and one of the only non cloud based options out there. If you want to actually own your passwords, don't hand them to a cloud service.
English
2
2
7
455
opsek
opsek@opsek_io·
Opsek's @PabloSabbatella is in NYC for ETHConf! Your opsec has no excuses now. Come find him before the scammers find you.
opsek tweet media
English
1
2
19
4.2K
opsek
opsek@opsek_io·
Google Fi is harder to SIM swap than a standard carrier but requires personal data and US-based activation. AT&T is the worst option here: personal data required, high SIM swap exposure. Hushed is the only virtual number on the list. Useful in specific contexts, but most services flag it immediately.
English
0
0
2
182
opsek
opsek@opsek_io·
Efani and Silent SIM sit at opposite ends. Efani is non-virtual with strong protections but expensive and US/Canada/Mexico only. Silent SIM requires no personal data and accepts crypto, but some of its stealth features are illegal in certain jurisdictions. If you're outside North America, Silentlink is the cleanest option: no KYC, crypto payments, worldwide coverage. Limitation: data and inbound SMS only.
English
2
0
3
164
opsek
opsek@opsek_io·
Not all phone numbers are created equal. A SIM swap attacker doesn't care how strong your password is. They need one thing: your number. Which provider you're on determines how easy that is. We compared six options across coverage, privacy requirements, and SIM swap resistance.
opsek tweet media
English
1
0
6
362
opsek retweetledi
souilos
souilos@theSouilos·
Just updated our open-source YubiKey cheatsheet with a new section: encrypting files with GPG so they can only be opened when your YubiKey is physically present and touched. Infostealers grab files off disk and brute-force them offline. A touch-gated key kills that: the stolen copy is just inert ciphertext. 🔑🧵
English
2
2
5
222
opsek
opsek@opsek_io·
@safetyth1rd This is what we do: Operational security for Web3. OpSec before it was cool.
opsek tweet media
English
0
0
1
64
𝕯𝖆𝖓𝖌𝖊𝖗
𝕯𝖆𝖓𝖌𝖊𝖗@safetyth1rd·
Not that running a DeFi project in 2026 isn’t expensive enough But these days if you’re running serious TVL you should either have a security guy on staff, or do regular opsec/overall security audits. Many recent hacks are not SC hacks but web2/opsec related.
English
11
0
46
7K
opsek
opsek@opsek_io·
Update or not? What's safer ?
Pablo Sabbatella@PabloSabbatella

Update or not? That's the question. Here's the answer 👇 - Update everything the second it drops? → You risk pulling in a compromised library or dependency (a supply chain attack). - Never update? → You leave hundreds of known vulnerabilities sitting unpatched and getting exploited in the wild. The way out: it depends on WHAT you're updating. I split it into two groups: - 🟢 Group 1: Software from large orgs with real review processes and release pipelines. Treat their updates as safe by default, so patch FAST: macOS, Windows, Android, iOS, and browsers (Chrome, Safari, Firefox, Brave, etc). - 🟡 Group 2: Packages, libraries and tools with deep dependency trees, often maintained by tiny teams with little to no OpSec or release controls. Here you slow down and verify before bumping. For Group 2 I like the approach Dan Guido (@dguido, co-founder & CEO of Trail of Bits) shared in a recent talk: on top of disabling install scripts in NPM, they enforce a mandatory package cooldown: nobody installs a package version less than 7 days old, across any package manager, company-wide, enforced through MDM (Jamf). This works because most npm/PyPI compromises get caught and pulled within hours to a few days. A 7-day cooldown closes that window before the bad version ever lands on your machine. Summary: patch trusted vendors fast, pin untrusted dependencies and review before you bump.

English
0
0
1
350
opsek
opsek@opsek_io·
Operational security audits and training for Web3 Organizations (DeFi, L1s, L2s, VCs, Centralized exchanges, service providers) and HNWIs. We perform Threat modeling, Security training, OSINT investigations, Company infra hardening, Team full setup hardening, Treasury and multisig audits, Physical security, and Red teaming. After the initial assessment, we become the Security lead for the organization until they hire a CISO.
English
0
0
3
36
Pablo Sabbatella
Pablo Sabbatella@PabloSabbatella·
You choose it or not, your organization is gonna be OpSec audited either way. Choose wisely
Pablo Sabbatella tweet media
English
5
5
46
3.6K
opsek
opsek@opsek_io·
Priority order if you only do this once: — Remove from X and LinkedIn first (lowest friction, highest exposure) — Gmail next, after you've moved 2FA off SMS and onto a TOTP app or hardware key — Telegram and Signal last, since it's a visibility setting not a removal
English
1
0
4
182
opsek
opsek@opsek_io·
A SIM swap doesn't start with your phone. It starts with your phone number being publicly tied to accounts that matter. Every app where your number is attached is a path back to you. Some you can sever. Some you can't.
opsek tweet media
English
1
3
10
1.4K