Pentester with a hero complex.๐
Penetration Testing | Ethical Hacking | Web3 Security
I explore things so you don't have to find out the hard way. โ๏ธ
Veil is finally live end-to-end:
propose โ sign โ threshold โ execute
A private team treasury on @0xMiden, built on Private Multisig.
Full loop in the video below. Create a payout, collect signatures, and watch it execute. All private by default.
Mainnet is days out.
Code's public: https://t.co/doz5vcKYHb
Privacy as a feature is already here.
Privacy as infrastructure is being built.
Privacy as a fundamental property of computation itself -- where even the logic of a program can be hidden from the people running it -- is what Vitalik is pointing toward.
You do not have to choose between privacy and compliance.
Our cofounder @schmiddominik1 takes the Main Stage at #ETHis to make the case.
๐ Deutsches Museum, Munich
๐ Friday 03 July,
๐ง 15:05 โ 15:25 CET
Started building Veil, a private team treasury + payroll app on @0xMiden.
Foundation's up: live devnet connection, dark institutional UI, real typography. No templates, no shortcuts.
Mainnet's days out. Building in public from here.
Stage 3 of the Ubuntu Bridge Initiative cybersecurity internship: done. DFIR this time.
Handed a compromised finance workstation and 72h of forensic artefacts. Reconstructed the whole intrusion: stolen SSH key, login to root in 79 seconds, three persistence hooks, customer data exfiltrated.
The hardest lesson wasn't technical. I reached a correct conclusion but backed it with an evidence line that wasn't in the pack. In IR the report is legally discoverable, so every sentence has to trace to real evidence.
Trust the evidence, never fill a gap.
Stage 4 next. Ikuzo
Catching up on a couple of posts.
Ubuntu Bridge Initiative cybersecurity internship, two stages down.
Stage 1, Applied Cryptography: 98/100.
Decrypted five artefacts off an attacker's abandoned server.
Lesson: none of the algorithms were broken, AES held, signatures held. Every failure was in how the crypto was used. Couldn't crack a JWT secret with hashcat, so I forged admin access via alg:none instead.
Stage 2, web app pentest: 98/100.
Found 10 findings in a forgotten 2019 admin panel and chained them into a 16-minute breach.
No single bug did it. SQLi got me in, a token with no expiry meant access never lapsed, stored XSS meant I didn't even need to come back.
Stage 3 starts tomorrow. Ikuzo
I found zero day bugs which was fixed that same day, which enabled @iamnotshifu
to be able to ship the WishArena be shipped in time for the World Cup, and he had this to say
https://t.co/64YtYpoHvs
What's one flow on your product that's never been stress-tested by a real user?
Reply with a link. I'll personally go through it today and DM you specific feedback.
(If you want a permanent home for this kind of thing: https://t.co/eOHquf2Sxr)
#buildinginpublic#indiedevs
Someone I've never met just sent a very detailed feedback on a flow in my product.
There wasn't any bugs observed but they made a suggestion about the flow that I didn't even think off.
Took them 8 minutes. Cost me nothing.
This is what I built Twnhall for.
Second day of Twnhall release
Launched Sunday afternoon. 48 hours later: 2 projects submitted, 2 missions live, 2 pieces of feedback exchanged between developers who'd never met.
I know the number seem small, but its a start to the dream of twnhall. Devs testing each other works
I built a thing that solves a problem I hit every single project: no budget for QA, no time to find testers, so features ship broken.
It's called TwnHall โ a community where developers test each other's apps.
Here's how it works ๐งต
88/100 on my cybersecurity Stage 0 capstone.
Spent the week thinking like a threat actor to catch one. Decoded hidden payloads, traced a 4-day breach through SSH logs, and had to decide what to do when my manager told me to bury the evidence.
The last part wasn't hypothetical.
Stage 1 (Applied Cryptography) is next.
Ikuzo!