Moody's Ratings #DigitalEconomy team had the opportunity to host a thought-provoking roundtable discussion on #smartcontracts, bringing together industry participants and experts. It was a privilege to engage with Yuval Rooz, Dan Guido, Michael Lewellen, Renee Berman, Otto Nino, Thomas Sullivan, Wee Kee Toh, Miren Aparicio, Stephen Aschettino, Nikos Andrikogiannopoulos, Roy Ben-Hur, Altin Hoxha, Andrew Stakiwicz, CFA, Charlie You, John Motzel who shared their insights on the evolving landscape of smart contracts and their associated risks. The dialogue underscored the importance of #collaboration and #knowledgeexchange in navigating the opportunities and challenges presented by this technology. We’re grateful for the diverse perspectives shared and the actionable takeaways that emerged from this engaging discussion. Looking forward to continued engagement and collective progress in unlocking the potential of #digitalfinance! Fabian Astic Rohan Shende Cristiano Ventricelli Prasad G. Tiphany Lee-Allen Charlotte Murray
About us
Since 2012, Trail of Bits has been the premier place for security experts to boldly advance security and address technology’s newest and most challenging risks.
- Website
- https://www.trailofbits.com
- Industry
- Computer and Network Security
- Company size
- 51-200 employees
- Headquarters
- Brooklyn, New York
- Type
- Privately Held
- Founded
- 2012
- Specialties
- software security, reverse engineering, cryptography, blockchain, osquery, machine learning, binary analysis, blockchain, and Application Security
Locations
- Primary
497 Carroll St
US, New York, Brooklyn, 11215
Employees at Trail of Bits
Updates
-
tl;dr sec 257 Autonomous AI Hacking, Buying us-east-1, macOS Security

Highlights

AppSec
- Easily run Burp Collaborator Server in Docker - Jonathan Conesa
- Paved Roads? Secure-by-Design?? More Buzzwords? - Srajan Gupta

Apple
- Reverse Engineering iOS 18 Inactivity Reboot - Jiska
- Pishi: Coverage guided macOS KEXT fuzzing - Meysam
- A New Era of macOS Sandbox Escapes - Mickey Jin

Cloud Security
- A better AWS SSM Session manager CLI client - Adam Števko
- The IAM Guide to Managing and Updating Encryption for AWS Resources - Jason Kao
- I bought us-east-1.com: A Look at Security, DNS Traffic, and Protecting AWS Users - Gabriel Koo
- Wiz CMO & VP Product Raaz Herzberg on Lenny's Podcast - How Wiz became the fastest company to hit $500M - Francis Odum

Container Security
- pinniped: an easy, secure way to log in to Kubernetes clusters - VMware Tanzu
- Kubernetes Initial Access Vectors: Control & Data Plane - Shay Berkovich

Supply Chain
- Repo swatting attack deletes GitHub and GitLab accounts - Paul McCarty
- Attestations: A new generation of signatures on PyPI - Trail of Bits
- Release-Drafter To google/accompanist Compromise - Adnan Khan

AI + Security
- Examining ChatGPT’s execution environment - Daniel Wood, Marco Figueroa
- Predictable IDs & PII Leakages: Using AI to Mass leak data - Shlomie Liberow
- How XBOW found a Scoold authentication bypass - Nico Waisman, Brendan Dolan-Gavitt

https://lnkd.in/g_RwwvWc #cybersecurity #infosec #security #ciso #ai
-
Popular AI coding assistants didn’t support Solidity...so we fixed them. We also tested 10+ models with our new evaluation tool, CompChomper, to see which model is best for Solidity completion. But code completion != code generation. AI-generated Solidity has subtle bugs. We’ve seen them. AI is not a substitute for rigorous testing and audits.
-
Fall Tribune: We uncovered security pitfalls in AWS Nitro Enclaves, published our audit of Hugging Face's Gradio library, and expanded our Testing Handbook with cryptographic testing guidance. https://hubs.la/Q02YG6xQ0
Trail of Bits Tribune—Discord E2E, Nitro Enclaves, and Cryptographic Testing!
-
Big news for Python supply chain security: PyPI now supports Sigstore-based attestations that let you verify the source of packages. Read the blog: https://hubs.la/Q02Yb3bf0

Unlike traditional PGP signatures, these attestations provide key improvements:
- Better usability - works automatically with Trusted Publishing
- Index verifiability - cryptographic proof of package origins
- Strong provenance - clear link between source and published package

The best part? If you're using Trusted Publishing with PyPI (like 19,000+ projects already do), you get attestations automatically with the official GitHub Action for publishing. No configuration needed.

We're also working on bringing verification directly to package installers like pip, so users can automatically check these attestations when installing packages.

Want to see how many of the top Python packages have attestations? Check out our tracking tool: Are We PEP 740 Yet? https://hubs.la/Q02Yb2Zh0
-
Don't use signed integers for blockchain node array indices. We found a vulnerability in Lotus and Venus Filecoin nodes where incorrect index validation let attackers remotely crash nodes. Read the blog: https://hubs.la/Q02Y477Y0
Killing Filecoin nodes
-
What’s next for PyPI? Join William Woodruff from Trail of Bits at #SigstoreCon as he explores the future of supply chain security in the Python ecosystem. From binary transparency to TOFU-style identity locking, discover the innovations that could shape the next 5 years! #KubeCon
-
NYU | Cybersecurity Enthusiast | OSIRIS | CaptureTheFlag | HackTheSite | NGO Volunteering | Former Intern V4web cybersecurity | Cultural Secretary TPoly - 2020
Day 1 at NYU Tandon School of Engineering's CSAW (Cybersecurity Awareness Worldwide) Event! Today was nothing short of amazing at CSAW, NYU’s flagship cybersecurity event and one of the largest student-run cybersecurity conferences in the world! It’s an incredible feeling to be surrounded by innovators and leaders, learning about the latest in cybersecurity. At the career fair, I had the opportunity to connect with recruiters from Metropolitan Transportation Authority, Trail of Bits, Con Edison and more. Every conversation added new insights, making me even more excited about the future of the field. Chintan Patel, Riley Dugan, Cayden Liao: thank you so much for the insights. Throughout the event, I made connections with people from across North America and Canada, each interaction adding to a valuable network of knowledge and support. Truly grateful for this experience! #CSAW2024 #NYUCSAW #Cybersecurity #Networking #CSAWDay1 #CyberSecCommunity #NYUTandon
-
Hacking isn’t without its challenges—especially when it comes to AI bias. Check out Keith Hoodlet and Casey Ellis' take on what AI bias means for hackers: https://lnkd.in/gBurTXHd
-
We're thrilled to announce Trail of Bits' continued sponsorship of CSAW—the world's leading student-run cybersecurity competition! This is my third straight year attending, and given the various challenges students compete in and the industry talks, it is one of my favorite conferences. If you're unfamiliar with CSAW, it stands as a cornerstone in cybersecurity education, bringing together the brightest minds to provide hands-on learning experiences and inspire the next generation of security professionals. From its humble beginnings at NYU Tandon in 2003, it has grown into a global event hosted across 5 academic centers, continuously adapting to address emerging security challenges in AI, cloud computing, and advanced manufacturing. At this year's event, our CEO Dan Guido will deliver a compelling industry presentation on "Securing AI Systems" by providing an overview of 3 key discrepancies in the ML field. Come check out our booth if you would like to learn more about the work we are currently doing at Trail of Bits and get some SWAG! I'll be there all day! https://www.csaw.io/
Home | CSAW
csaw.io