Conversation

pinheadmz
Contributor

bitcoin-eats-pigeon

Co-authored-by: Stacie W <1823216+satsie@users.noreply.github.com>
@pinheadmz pinheadmz merged commit a9bb9f5 into master Sep 22, 2025
@SidepocketNeo

We provide the first in-depth security analysis of Nostr, an open-source, distributed SNS protocol developed in 2019 with more than 1.1 million registered users.

We investigate the specification of Nostr and the client implementations and present a number of practical attacks allowing forgeries on various objects, such as encrypted direct messages (DMs), by a malicious user or a malicious server. Even more, we show a confidentiality attack against encrypted DMs by a malicious user exploiting a flaw in the link preview mechanism and the CBC malleability.

Our attacks are due to cryptographic flaws in the protocol specification and client implementation, some of which in combination elevate the forgery attack to a violation of confidentiality.

Key-replacement impersonation caused by missing public-key authenticity checks.

Event forgery attacks where several clients omit signature verification.

Full DM forgery that combines AES-CBC without a MAC and poor key separation.

Plain-text recovery of encrypted DMs by chaining CBC malleability with link previews.

Inadequate cache search (Client cache poisoning) that hijacks Bitcoin tips or alters profile data.

https://crypto-sec-n.github.io/

https://eprint.iacr.org/2025/1459

@SidepocketNeo

Ledger Donjon discovered a new online brute-force attack against Tangem cards that exploits vulnerabilities in their secure channel implementation leveraging a “tearing” technique. This allows attackers to bypass the card’s security delay mechanism after failed authentication attempts, enabling them to try approximately 2.5 passwords per second, significantly accelerating the time to crack passwords, especially weak ones. The vulnerabilities cannot be patched on existing cards because they’re not upgradable. Users are advised to use strong passwords (at least 8 characters with a mix of digits, letters, and symbols).

All findings have been disclosed responsibly with a delay of 90 days. Tangem's assessment of the Donjon's report concluded that it won't be classified as a vulnerability. In their opinion, the proposed attack scenario does not pose a significant risk.

This article details the Donjon’s research process behind Tangem’s card security delay feature, examining its protection, introducing tearing attacks, and outlining our failed attempts as well as the discovery of the final vulnerability.

https://www.ledger.com/blog-brute-force-attack-tangem

@SidepocketNeo

Bitcoin Knots Node Ban Script

A plug-and-play script to automatically ban/disconnect Bitcoin Knots nodes from any Bitcoin Core node. Features easy one-command cron installation for continuous protection.

https://github.com/noosphere888/Ban-Knots

@SidepocketNeo

Cashu Version 0.13.0 marks a major milestone for mobile development with the introduction of comprehensive native mobile bindings that enable building Cashu wallets for iOS and Android using Swift and Kotlin. The release introduces cdk-ffi, a new Foreign Function Interface crate that provides UniFFI-based bindings for Swift and Kotlin, with full wallet functionality including multi-mint support, BOLT12 payments, BIP-353 address resolution, and advanced features like P2PK conditions and authentication. Mobile bindings are distributed through dedicated repositories at https://github.com/cashubtc/cdk-kotlin and https://github.com/cashubtc/cdk-swift that provide native package management for Android/JVM and iOS/macOS platforms respectively. The release also delivers significant infrastructure improvements including an event-driven payment architecture with real-time notifications, enhanced database layer with generic key-value storage, improved HTTP transport with proxy support and BIP-353 DNS resolution, and new operational features like Prometheus metrics collection and dedicated authentication database support.

https://github.com/cashubtc/cdk/releases/tag/v0.13.0

@SidepocketNeo

Memecoiners Erect a 12-foot Golden Trump Bitcoin Statue near US Capitol, We All Die Of Cringe

https://cointelegraph.com/news/memecoiners-golden-trump-bitcoin-statue-us-capitol

https://x.com/defcon201nj/status/1969276338763612654

@SidepocketNeo

Shilld: Visible PAID SHILL Badges on X/Twitter

A price sheet of 200+ crypto influencers and their wallet addresses from a project they were recently contacted by to promote.

From 160+ accounts who accepted the deal I only saw <5 accounts actually disclose the promotional posts as an advertisement.

After zachxbt published the latest list of leaked shillers, swadler turned it into a simple Chrome extension that flags the shillers, and a website where the community can add more (with proof).

https://x.com/zachxbt/status/1962485396597776468

https://x.com/_swader_/status/1963005761836949755

https://shilld.xyz/

@SidepocketNeo

Cake Wallet Updates

Cupcake Launched. Similar to AirGap Knox, a separate app that turns a second device (like an old smartphone or tablet) into an air-gapped cold storage device.

Pay Anywhere Launched. Got Monero but need to pay a Bitcoin address? Just paste the address and hit send. Cake Wallet automatically offers to swap your Monero to Bitcoin and complete the payment in one flow. No wallet switching, no manual swapping, no awkward "can you give me your Monero address instead?"

Native Tor Launches on iOS

Under the hood, we've enhanced Silent Payments functionality for better Bitcoin privacy, improved overall wallet stability, and squashed numerous bugs that were causing crashes and performance issues.

https://x.com/cakewallet/status/1965815562812149851

https://blog.cakewallet.com/cake-wallet-releases-pay-anything-making-crypto-work-the-way-you-think-it-should/
