this post was submitted on 16 Jan 2026

Cryptography @ Infosec.pub


I won't spoil the walkthrough of the appalling source code. But it does end like this:

If you’re using X_wallet, you need to move your assets Right. Fucking. Now. to a wallet that isn’t a steaming pile of dogshit.

As always, there's an XKCD to succinctly describe the situation: https://xkcd.com/221

top 3 comments
[–] Neptr@lemmy.blahaj.zone 2 points 2 weeks ago* (last edited 2 weeks ago) (1 children)

Very fun (horrifying) read. That fucking extension was probably coded with heavy use of LLM generated code.

[–] litchralee@sh.itjust.works 2 points 2 weeks ago (1 children)

This is an instance where I sincerely hope it was the work of an LLM, for the alternative is even more fearful: someone who knows just enough cryptography to be familiar with using primitives and is able to write code that compiles, but doesn't actually understand one iota of the theory behind modes and constructions.

The thought of this person being somewhere out there, inexorably writing awful code but unlike an LLM has the free will to keep going. It gives me chills.

[–] Neptr@lemmy.blahaj.zone 3 points 2 weeks ago* (last edited 2 weeks ago)

At the very least the source code was available to read. Much of the software world which is proprietary could (and does) have similar awful security. Proprietary code isn't necessarily insecure, just that it is much simpler to call people out on their bs code practices otherwise.