
Posts by Cem πa

Meta didn't remove scam ads for half a decade, even if you reported them 10 times/day

1 week ago

To paraphrase Cardinal Richelieu:

"If you give me six lines written by the hand of the most honest of men, I will find something in them to prove he is Satoshi"

1 week ago

Preview: ScreenConnect: “unauthenticated attributes” are not authenticated (Lessons from the ScreenConnect certificate-revocation episode) An earlier blog post recounted the discovery of threat actors leveraging the ScreenConnect remote assistance application in the wild,…

Now that the cat is out of the bag:
Write-up on how ConnectWise misused Microsoft Authenticode signatures, creating the ideal platform for threat actors to modify ScreenConnect installers into initial payloads (previously disclosed to vendor & DigiCert)

blog.randomoracle.io/2025/06/26/s...

9 months ago

Preview: The story behind ScreenConnect certificate revocation An unusual phishing site In late May, the River security team received a notification about a new fraudulent website impersonating our service. Phishing is a routine occurrence that every industry …

Recent work from the River security team and UnmitigateRisk: how the discovery of a bogus "River desktop app" in the wild led to DigiCert revoking ConnectWise's code-signing certificate and invalidating all existing ScreenConnect binaries for Windows

blog.randomoracle.io/2025/06/16/t...

10 months ago

Ledger inventing a non-existent category of transaction review called "Clear Signing" when plenty of existing hardware wallets (such as Grid+ Lattice1) already have the capability to parse Ethereum calldata and present human-readable explanation of contract calls.

3/3

1 year ago

Fireblocks shilling for MPC over multisig. MPC has exactly the same threat model: if a quorum of shard-holders are tricked into signing the wrong transaction (as multiple key holders were in the Bybit incident) the attacker still wins.

2/N

1 year ago

Periodic reminder:
Every security incident is an opportunity for vendors to shill for their particular product, whether or not it could have made any difference (and clueless journalists to repackage that as free marketing)

Two examples from the #Bybit fiasco
🧵

1 year ago

Preview: U.S. Government Disclosed 39 Zero-Day Vulnerabilities in 2023, Per First-Ever Report The number of zero-day vulnerabilities the government disclosed to vendors to be fixed, rather than keep them secret to exploit, comes out to about three a month. But the figure could rise dramaticall...

In 2023, per a first-ever report from the intel community, the US gov disclosed 39 zero-day vulns to vendors/public to be patched rather than retaining them for use in hacking ops by NSA/CIA/FBI. Ten of these, however, were zero days the gov withheld for an unknown number of yrs to exploit before disclosing them

1 year ago