sudo rm -rf --no-preserve-root / (pcaversaccio)

so, hmm, we rely on firmware we can't inspect, compilers we don't build, closed-source LLMs, proprietary enclaves, remote updates etc. Each of these layers is a target and more will join in the coming years/decades. In a world this complex (and guys this complexity is our own making!), how do we even verify that we're safe? If you ask me, verification has never been more critical or more impossible.

• 3 replies
• 2 recasts
• 28 reactions

Had a fun convo recently where some dude was talking about Uber and ride-sharing. I told him I've never used any of those services in my life (I'm being serious here). He looked confused and asked how I get around usually. Well it's pretty simple: I always take a taxi & pay in local cash. I don't like being tracked. Look people forget that physical cash is one of the last forms of everyday privacy we still have. Cash is cypherpunk. Cash is freedom.

• 2 replies
• 2 recasts
• 38 reactions

if someone ever managed to breach all _private_ GitHub repos (I mean it's insanely difficult but not impossible) it would be one of the most catastrophic events in the security history, and if I were a state-level actor that's exactly the kind of target I'd prioritise rn. I was thinking about this scenario since this morning I wanted to push something (more or less sensitive) to a private repo but ended up rolling it back purely out of paranoia. I guess the right threat model for private repos is that it can be assumed to be leaked one day.

• 10 replies
• 7 recasts
• 64 reactions

In light of the recent incident at Radiant and the clear challenges of verifying multisig transactions on a Ledger device, I've built a simple Bash script designed to simplify the process. This script generates the domain, message, and Safe transaction hashes, making it easier to cross-check them with the values displayed on your Ledger hardware wallet. All you need to provide are the network name, multisig address, and transaction nonce. It supports all Safe networks, and I hope it will serve as a useful tool to temporarily ease the burden of blind signing verification for multisig transactions. Eventually, make sure to check out the trust assumptions laid out in the README for this script. https://github.com/pcaversaccio/safe-tx-hashes-util

• 17 replies
• 45 recasts
• 82 reactions

We've fucking lost it. Nobody in their right mind wants over 50 rollups and endless layers that take days to bridge back. What the world wants is one goddamn chain that just works, and that should be Ethereum. No one with a shred of sanity wants to switch networks in M***Mask. No one wants the headache of adding a token manually on another chain because the contract address isn't the same. Bridging is a pain in the ass. What people want is to transact value simply and directly, without all this convoluted bullshit!

• 23 replies
• 18 recasts
• 102 reactions

This morning I've been reviewing our last months' SEAL 911 tickets. Guys, it's clear that soon (probably sooner than you think) a large portion of our ecosystem will be running on compromised devices. I mean, man, infostealers are probably the _biggest_ ecosystem problem right now. However, and that's what I want to address here, is that OS design choices like weak data compartmentalisation & permissive default trust models are the _major enablers_, especially on macOS and Windows. Please remember: these OSes weren't built with the strict sandboxing, strong application isolation, or zero-trust principles needed to defend against these today's threats! I understand that shifting most of the space to something like QubesOS isn't realistic, but we must start prioritising security-first OS choices in our ecosystem, not just UX. Honestly, fancy features won't stop your device from being compromised.

• 3 replies
• 7 recasts
• 64 reactions