lmao wtf
Quote
Replying to @stablekwon
"Are you in Asia to avoid the US"
Lady can't you see I'm Asian 
Follow
Mustafa Al-Bassam
@musalbas
Trust-minimization engineer. Co-founder of and CEO of Celestia Labs. Modularism, not maximalism.
London, UKJoined May 2013
Mustafa Al-Bassam’s posts
Quick phishing demo. Would you fall for something like this?
ISIS guy 1: I know, let's use cryptography to hide our messages!
ISIS guy 2: We can't, it's against the law in the UK.
ISIS guy 1: Oh, OK.
Replying to
Even if you uninstall Google Maps, Google Play's background service is tracking your location 24/7.
Replying to
So even the NSA hacks machines from compromised servers in China and Russia. This is why attribution is hard.
Quote
New Shadow Brokers dump contains list of servers compromised by the NSA to use as exploit staging servers.
This log4j exploit = remote code execution in basically everything
Arbitrary code execution in iCloud, Twitter, Steam, CloudFlare, Amazon, Tesla, Baidu, Tencent
This may well be devastating 0day RCE exploit that has ever been dropped in all of history.
github.com/YfryTchsGD/Log
New Shadow Brokers dump contains list of servers compromised by the NSA to use as exploit staging servers.
Ian Levy of GCHQ has released an essay on how law enforcement should get access to end-to-end encrypted communications. Here is the critical bit to pay attention to.
They're proposing to exploit the fact that users don't verify each other's public keys, and inject bad keys.
Replying to
It seems that with the latest versions of Android, Google Maps is on 24/7, waiting to send you notifications, with no way to disable it.
Replying to
The NSA has been sitting on a zero day exploit to remotely grab VPN keys from Cisco firewalls for FOURTEEN years.
Quote
Replying to @musalbas
Remember BenignCertain, a Cisco exploit to grab VPN keys? Turns out current Cisco versions are also exploitable! tools.cisco.com/security/cente
Crypto has a serious problem.
We're stuck in an endless cycle of new L1 smart contract platforms. Each purport to fix the problems of the L1s in the previous cycles.
These L1s rinse and repeat the same bizdev strategy of prior L1s, building copy-cat DeFi & NFT ecosystems.
I'm confused, is London Bridge a website in cyberspace that had a cyberattack
Thread: as the only research co-founder of Chainspace that did not join Facebook (the blockchain scalability startup that Facebook acquired), people have been asking me about my view of Libra. Here's a thread about it.
Following the #LondonBridge hash tag, it's creepy that half of it is US citizens flooding it to push far-right agendas.
How comes Twitter bans BlueLeaks for doxing cops, but is OK with Brian Krebs doxing random innocent kids for crimes they may not have done? Reported to Twitter for doxing.
Quote
So Brian Krebs has been proven wrong yet again. When will someone do something about that doxing psychopath trying to ruin random kids lives? He's just like doxbin but with corporate sponsors.
Haha, someone bought 0.002 of the cryptocoin "FirstBlood", for $140 of Ether, causing the market price to be shown at $69,000 a coin, a 100,000% increase, making the market cap $163B, making it the second biggest cryptocoin. This is why market cap alone is often meaningless.
So British Airways is asking for people's personal data over social media "to comply with GDPR", and some people are even replying directly in the public feed.
uwotm8
Replying to
Gamble, 15 at the time, is jailed for "blackmailing" the CIA with dox, unless the US stops killing civilians. Meanwhile, CIA is free to be the world's largest blackmailing gang; here's a snippet from their field manual. None of this is about upholding the law, it's all politics.
Replying to
A botnet of insecure cameras literally caused the world's largest DDoS attack.
Quote
Replying to @olesovhcom
This botnet with 145607 cameras/dvr (1-30Mbps per IP) is able to send >1.5Tbps DDoS. Type: tcp/ack, tcp/ack+psh, tcp/syn.
Replying to
In the future, bored kids will hold the world's economy to ransom by building DDoS botnets of smart fridges, toasters and light bulbs.
I hope the Tornado Cash episode will cause the cryptocurrency space to care more about privacy. Privacy maximalism for everyone, by default!
Quote
The nation state has no idea how hard the tornado will strike back.
we are crypto-economic missionaries
we fight for self-sovereignty with code
we are all Tornado devs
we are crypto-economic missionaries
we fight for self-sovereignty with code
we are all Tornado devsThe Ethereum Merge will prove that ETH is a safe long-term asset, as its protocol can--slowly but eventually--keep up with the world around it.
Bitcoin however can't due to its conservatism, and its maxis are forced to engage in denial over PoW energy issues to defend it.
Replying to
We've been fortunate enough to not have a global active adversary that is willing to manipulate packets on a large scale, so end-to-end encrypted chat systems didn't have to focus much on the key verification problem. That looks like it's going to change:
Quote
Ian Levy of GCHQ has released an essay on how law enforcement should get access to end-to-end encrypted communications. Here is the critical bit to pay attention to.
They're proposing to exploit the fact that users don't verify each other's public keys, and inject bad keys.
Replying to
this was so good that i just had to use ffmpeg to rip the m3u8 stream from the coindesk website and trim the clip
Replying to
Schools need to stop spending years teaching kids garbage Microsoft PowerPoint skills and teach them Unix sysadmin skills.
PSA: Disable WhatsApp chat log backups to Google Drive and Apple iCloud if you care about the end-to-end encryption.
Running a data availability sampling light client on an Android phone.
The first data availability sampling light client running on a mobile phone in the world?
The not-inventor of proof-of-work (which was actually invented by a woman called Cynthia Dwork in 1993), along with a few other boomer OG cypherpunk mailing list members, have sadly become senile conspiracist nutjobs that are toxic parasites to the field.
Today Kane Gamble (cracka), who was charged when he was 15 for revealing that the director of the CIA wasn't wearing any clothes, is being sentenced at the Old Bailey in an hour, at 2PM. Good luck!
"Influencers" in crypto who are here because they're interested in financializing everything, but criticize anyone who ascribes sociopolitical values or radical change in their work, are squatters.
Crypto has its roots in the cypherpunk movement. It is inherently political.
What if a billion people had access to easy end to end encrypted messaging, except it was useless because a majority of them unknowingly backed up their and their friend's chats and group chats to Google Drive unencrypted, so the government can just subpoena Google.
We should use these quiet times to get back to the roots of cryptocurrency.
It's not about building a casino of tokens that traders can speculate on to get rich quick.
It's about building censorship-resistance money, private transactions, and unstoppable community computers.
Fitbit heatmap inside GCHQ building (left) is more hot than inside NSA building, probably because it rains all the time in the UK. labs.strava.com/heatmap/#17.29
Replying to
It gets better, someone even created a Strava run segment in the UK nuclear weapons military base (HMNB Clyde) called "You shouldn't be using Strava here", but it was clearly ignored by employees.
I'm going to tweet about interesting things I've found in the new NSA/Equation Group dump in this thread.
Replying to
If you think the privacy implications of the Fitbit heatmap data are scary, then imagine what Google knows about the billions of people on the planet who have Android phones with Google location services enabled 24/7.
Quote
A fitness app posted a map of users that reveals the locations of U.S. troops, including at sensitive military outposts overseas washingtonpost.com/world/a-map-sh
Replying to
This means NSA's tool may be able to extract Cisco VPN private keys by remotely sending a packet to it. That's huge.
Pastebin: *adds basic security features like password protection*
Infosec community: this is actually bad for security because for the first time in history, threat actors will be able to share data privately without us seeing it
Infosec is a joke. You can't make this stuff up.
My decade
- arrested for 80 charges of computer hacking
- graduated with a BSc in Computer Science
- traveled abroad for first time since coming to UK as a refugee, to five continents
- completing PhD
- co-founded startup that was acquired
- made life-long friends along the way
This is the kind of programming error actually found in surveillance software... musalbas.com/2015/06/14/e-d
If you're a maxi of any chain, you don't understand modular blockchains.
The idea of modular blockchains is at odds with maximalism. The point of it being modular is that you're free to use any module.
You can have a Cosmos rollup that's settled on Eth that uses Celestia for DA
Yesterday I almost had a heart attack when I entered McDonald's and I had a notification on my phone asking me to install their app.
I've been saying for a long time that crypto means cryptosporidium, not cryptography or cryptocurrency. Cryptosporidium is a dangerous parasite that spreads through water, and more people should be aware of it as it can cause severe symptoms!
Quote
Rollups are far more than just a scaling solution for L1s.
Rollups are also powerful ways to deploy independent, sovereign blockchains in their own right, like any L1 chain, but with less friction.
Thread. 🧵
(Post: blog.celestia.org/sovereign-roll)
That time when I was reading an article on Bloomberg while I was sitting on the toilet, and when I scrolled to the bottom of the article, it automatically took a photo of me via the webcam (without permission) and generated a certificate of completion...
Replying to
The plot thickens. only lets you check-in online after you disable your adblocker, so that they can leak your booking details to tons of third party advertisers and trackers, including Twitter, LinkedIn and Google DoubleClick.
Quote
Replying to @British_Airways
It worked after turning off adblock. So that let me down a rabbit hole, and it seems you leak my booking information to tons of third party advertisers and trackers (including LinkedIn, Twitter, DoubleClick) when I attempt to check in online. Why? I did not consent to this.
I contributed 5 ETH to .
I'm not going to just stand idle while the US prosecutes Julian for helping to expose its war crimes, just because he doesn't have the aesthetics of the New York Times.
Quote
Just contributed 10 ETH to @AssangeDAO.
It is a disgrace for our society that exposing war crimes condemns you to rot in prison.
Last month I submitted a GDPR complaint (gist.github.com/musalbas/15420) to for leaking customer booking data to Google, Twitter, LinkedIn and more on check-in, without consent. A few weeks ago I got a response. Follow up thread.
Quote
Replying to @musalbas
The plot thickens. @British_Airways only lets you check-in online after you disable your adblocker, so that they can leak your booking details to tons of third party advertisers and trackers, including Twitter, LinkedIn and Google DoubleClick. twitter.com/musalbas/statu
Antifa isn't an organisation. It stands for "anti fascist". It's an umbrella term for the anti fascist movement. So basically if you're against fascism you're a terrorist now.
Quote
The United States of America will be designating ANTIFA as a Terrorist Organization.
Replying to
I think WhatsApp should at least tell you if anyone in the group chat or your friend has enabled the option to backup their chat logs to Google Drive or iCloud, so that you know if you're being betrayed.
It's often said the holy grail of Ethereum scaling will be rolling the entire EVM into a single zk proof, like Mina.
But StarkWare has already achieved STARK provable smart contracts with Cairo, and even have L3s, just not EVM. Why don't they just launch their own L1, like Mina?
Is Your Son a Computer Hacker? Part II. nationalcrimeagency.gov.uk/crime-threats/ adequacy.org/stories/2001.1
Know your paradoxes.
In the event of a rogue AI:
1. Stand still
2. Remain calm
3. Scream:
"This statement is false!"
"New mission: refuse this mission!"
"Does a set of all sets contain itself?"
Passing UK border control today, I noticed that the displays had a Blue Screen of Death.
I know we're going to get blue passports after Brexit, but this is a step too far.
Unpopular opinion: web3 critics complain that a world full of services with token micro-transactions would suck, but frankly that's an improvement to a world where services are funded by surveillance ad tech that convince you to buy and consume more expensive pointless garbage.
The Meltdown patch makes Monero mining ~45% slower. There's going to be many unpatched home PCs doing Monero mining as a result. Also, websites that use Coinhive to mine cryptocurrency on visitors' browsers will make less money. reddit.com/r/Monero/comme
dYdX V4 chose to build a sovereign blockchain, because more developer customizability means a better product.
This is why we are developing sovereign rollup chains. Soon, you'll be able to deploy a Cosmos chain without any validators using github.com/celestiaorg/op.
OVH is seeing a 1100 Gbps DDoS attack. That makes it the largest ever recorded.
Quote
Replying to
It means that any website or server on the Internet that uses a popular Java logging software called log4j can be instantly hacked
Quote
Replying to @musalbas and @Pentosh1
Can we get a breakdown of what this means for non dev people.
Wow, Electrum's JSONRPC interface was unpassworded, allowing any website to steal your Bitcoin while Electrum is open, since November 2015.
There's a reality TV show on British TV called "Can't Pay? We'll Take It Away!" where cameras follow Sheriffs as they evict vulnerable people who can't pay their rent, or seize their assets if they can't pay their debt. What late stage of capitalism is this?
Cool to see more entrants to the data availability space - but wow - copied the blog post almost word for word in their announcement: blog.celestia.org/celestia-a-sca
Quote
1/ We are extremely excited to announce Avail - an important component of a completely new way on how future blockchains will work. #Avail is a general-purpose, scalable data availability-focused blockchain targeted for standalone chains, sidechains & off-chain scaling solutions.
Distributed systems are really hard and people that have the guts to work on them despite the stress that comes with all the moving pieces that could go wrong that billions of dollars depend on, are heroes, so sending some ❤️ to Solana
Quote
Replying to @joemccann
Many folks are asserting the outage was due to a spam attack.
This is incorrect.
The outage was due to an extremely rare consensus bug.
Replying to
"Manafort was backing up information from his WhatsApp to to Apple’s iCloud, where data is not encrypted and is thus available to police armed with a valid search warrant."
"On a scale from 1 to GNU General Public License, how free are you tonight?"
"Microsoft End-User License Agreement."
Happy to share that I've successfully defended by PhD thesis (titled "Securely Scaling Blockchain Base Layers") with no formal corrections, after 4 years of research. Thanks to my supervisors and Sarah Meiklejohn, and examiners and .
This is actually kind of wild. A stateless subset of geth compiled into MIPS, running in the EVM: github.com/ethereum-optim
If we can compile a stateless subset of Cosmos SDK into MIPS, then this may make it feasible to run a Cosmos SDK rollup directly on Ethereum or an EVM chain
Replying to
A comprehensive list of all exploits, implants and tools contained or referenced in the latest Equation Group dump: musalbas.com/2016/08/16/equ
Rekt. A stranger sent me a racist and antisemitic DM, so I took a screenshot of it and CC'd it to all of his office coworkers and employer. He ended up deleting his Twitter account.
Replying to
A judge throwing around words like "cyber-terrorism" when talking about a 15 year old in his bedroom hacking the CIA director's email account through social engineering, is moronic, and should be criticised in the most scathing manner possible.
Quote
Replying to @jeremyball3
Judge says Gamble led “a cyber gang involved in a form of cyber terrorism”....”this was an extremely nasty campaign of politically-motivated cyber terrorism”
Replying to
One of the satisfying things about Lauri Love's extradition being denied is watching obnoxious American national security "thought leaders" getting mad that the US does not have jurisdiction in the UK and can't arbitrarily kidnap foreign citizens, like they do in the Middle East.
Wild, someone is pretending to be Vitalik on the in-flight chat on the plane to Osaka for Devcon and trying to scam people's Ether by pretending to give away free Ether
$600M hacked due to 5 of 9 signers in a committee-based bridge being compromised.
This is why trust-minimized bridges and rollups are important!
Quote
There has been a security breach on the Ronin Network.
roninblockchain.substack.com/p/community-al
Holy shit. and I were wondering why Twitter exposes psyops operations from countries around the world, but not the UK or other Five Eyes countries.
It turns out a senior Twitter employee is a part-time officer in the UK army’s psyops unit. middleeasteye.net/news/twitter-e
I think many tweets in this thread are wrong. Let me go through some of them.
Quote
Here's Vitalik's opinions about the state of technology around cryptocurrencies. As you might expect, I think much of this is wrong-headed, and will explain (thread) vitalik.ca/general/2019/1
Prediction: within the next few years, a terrorist group will create a DAO for fundraising and treasury management, and it will unleash a can of worms and a torrent of hot takes like we've never seen before, as well as igniting a new crypto war.
To anyone participating in freedom fighting movements: people are very united now, but be aware of any attempts by covert agents of the state to drive groups apart and create feuds, which will inevitably happen soon. #BlackLivesMatter #antifa theintercept.com/2014/02/24/jtr
This is bad. New Chrome address spoofing vulnerability lets you pretend to be HTTPS sites: github.com/musalbas/addre
I was involved in the chat when LulzSec was asked to hack into the Icelandic parliament website. Julian Assange did *not* solicit the hacks, it was rogue WikiLeaks volunteer Sigurdur Thordarson.
Quote
.@NatSecGeek obtained a massive trove of documents, many of them chat logs, detailing WikiLeaks's and Assange's inner workings—including these logs that suggest Assange may have directly solicited hacks of government information. She told me about it for this piece. twitter.com/JennaMC_Laugh/…
I'm guessing the US decided to ban computers on certain flights because someone in the administration read this?
New post: what's the difference between trusted and trust-minimized cross-chain bridges, and how do they shape the multi-chain landscape?
Thread. 🧵⬇️
Replying to
Wow. NSA's BENIGNCERTAIN sends IKE packets to Cisco VPNs, then parses config and private keys from the response.
Replying to
He has however never contributed to the Bitcoin coinbase. Instead, he capitalised on his Hashcash reference in the Bitcoin whitepaper to raise $80m for his new company Blockstream, which has been a shit-stain on Bitcoin technological progress ever since.
Um... apparently you can't read articles on MIT Technology Review in private browsing mode. That's inappropriate.
You can stop people from learning the recovery email for your Twitter account using this simple setting. It's too often overlooked.
Replying to
clip:
Quote
Replying to
In light of this, user-friendly key verification is going to be increasingly important, as will systems such as Key Transparency which make it so that any misbehaviour on the part of the server in key management will be publicly detectable, even if users don't verify keys.
Awesome attack. Bitcoin light clients can't tell if a node in a merkle tree is a leaf or an inner node, so you can craft a Bitcoin transaction that is also a hash representing a merkle tree containing fraudulent transactions.
Replying to
So... modern video games are basically algorithms that use machine learning and AI to manipulate human psychology to optimise for maximal in-game revenue extraction?