- Nearly 40% of validators are running with serious misconfigurations: open SSH, CVEs, default services, no firewalls.
- The majority expose the exact Ubuntu version. They didn't give a sausage.
- I flagged multiple validators with default Apache landing pages on 80, all with a CVE. They said, "that's by design!"
- They cannot tell the difference between RPC & HTTP.
- Port 2375 (usually Docker) was open - they actually just denied this.
For context: I was CTO of a crypto exchange for 4 years, and have spent 20 years in security. It's not my first rodeo as they say.
When I disclosed responsibly, their response was bizarre:
'A CVE is only exploitable if you know how to exploit it.'
They brushed it off as a "bug bounty". I was not looking for a quick buck, I was looking to help them.
After I spoke to a journalist, their comms team even told my contact not to discuss it further.
I eventually wrote up a simulated attack doc:
Full report (technical): https://github.com/pgdn-network/sui-network-report-250819
Blog (overview): https://paragraph.com/@pgdn/40percent-of-sui-validators-exposed
To me, this shows a systemic lack of security hygiene in a network securing billions of $$$. Given the right tools, an organised group could easily take Sui offline. (I am personally selling all my Sui because of this.)
So my question: is this lack of secops understanding, lack of genuine concern, or something else? I have really struggled to get this out there with my limited public "followers". Would appreciate any input!
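As an added example (not from the post or the linked report), here is the kind of self-audit a validator operator could run to catch the listeners the post calls out: it parses `ss -tlnp` output and flags anything bound to all interfaces that is not on an allowlist. The sample output and the allowed port 8080 are constructed assumptions, not values from the report.

```python
import re

# Constructed sample `ss -tlnp` output for a hypothetical host; not data from the report.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80          0.0.0.0:*         users:(("apache2",pid=1402,fd=4))
LISTEN 0      4096   0.0.0.0:2375        0.0.0.0:*         users:(("dockerd",pid=955,fd=9))
LISTEN 0      4096   0.0.0.0:8080        0.0.0.0:*         users:(("sui-node",pid=1200,fd=20))
LISTEN 0      4096   127.0.0.1:9184      0.0.0.0:*         users:(("sui-node",pid=1200,fd=21))
"""

PUBLIC_BINDS = {"0.0.0.0", "*", "[::]", "::"}
# Ports the node legitimately serves to peers. Assumed for this example; take from the real node config.
ALLOWED_PUBLIC = {8080}
# Why a public listener on these ports matters (the three issues named in the post) and the fix.
RISKY = {
    22: "SSH reachable from the internet; restrict to a management network or VPN",
    80: "default Apache landing page; disable or firewall the web server",
    2375: "Docker remote API (unauthenticated by default); bind to localhost or require TLS",
}


def parse_ss(text):
    """Yield (addr, port, process) for each LISTEN line of `ss -tlnp` output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        match = re.search(r'\(\("([^"]+)"', line)
        yield addr, int(port), match.group(1) if match else "?"


def audit(text):
    """Return (port, process, reason) for listeners on all interfaces not in the allowlist."""
    findings = []
    for addr, port, proc in parse_ss(text):
        if addr not in PUBLIC_BINDS or port in ALLOWED_PUBLIC:
            continue
        reason = RISKY.get(port, "unexpected public listener; verify it is needed and firewalled")
        findings.append((port, proc, reason))
    return sorted(findings)


if __name__ == "__main__":
    for port, proc, reason in audit(SAMPLE_SS):
        print(f"port {port:<5} {proc:<10} {reason}")
```

The loopback-only metrics listener on 9184 is correctly ignored; only the three all-interface listeners are reported.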
Yesterday, someone asked me to try an AI coaching platform. It felt buggy so I started looking at the requests.
Minutes later I was able to view customer emails, DoBs, photos and location. Thousands of them.
Fortunately I used the apple private email feature.
As someone legitimately into privacy, I’d like to know what others would do to report this.
The company is US based, a startup - too small for a data officer. Raised 250k.
I see this a lot still - it’s not 2010 anymore and sloppy engineering should be a thing of the past!
Thoughts…
Us lot at Cucumber WiFi have put together a precompiled version so you can carry on cloud-managing it.
Currently we support the MR12 and MR16. MR18 coming soon.
Here's the guide:
http://docs.cucumberwifi.io/article/213-installing-cucumber-on-cisco-meraki
Let me know how you get on!