sudo rm -rf --no-preserve-root /

83 Followers
32 Following
425 Posts

Working on what's next.

📌 w021d

PGP: 063E 966C 93AB 4356 492F E032 7C3B 4B4B 7725 111F
Personal Website: https://pcaversaccio.com
GitHub: https://github.com/pcaversaccio
X: https://x.com/pcaversaccio
Bluesky: https://bsky.app/profile/pcaversaccio.com
Farcaster: https://farcaster.xyz/pcaversaccio

I genuinely think everyone in this space should immediately switch to using Vim. DPRK started abusing VS Code hooks that run _automatically_ in the background when you open a folder. ZERO fucking user interaction required _after_ trusting the repo (the trusting part is important here). Yes, read it again. ZERO. INTERACTION. REQUIRED.

So what happens is the following: they (in the usual case the Contagious Interview group, meaning some fake recruiting guy) share GitHub, Bitbucket, and GitLab repos containing a `.vscode/` subdirectory with malicious hooks. The one example I share here executes a fake font that's actually heavily obfuscated JS and will absolutely rek you.

All your fancy software that feels "convenient" makes tradeoffs. Those tradeoffs are now being abused to silently rek your devices.

Use Vim. And use Qubes. Thx.
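One way a defender can check a freshly cloned repo for the auto-run mechanism the post describes, as an added example that is not from the original post: it assumes the "hook" is a VS Code task whose `runOptions.runOn` is set to `folderOpen` in `.vscode/tasks.json` (the VS Code feature that starts a task when a trusted folder is opened), parses the file's JSON-with-comments, and lists every such task together with the command it would execute. The embedded `tasks.json` is constructed for the example and mirrors the "font file that is really a script" pattern; the function and file names are mine.

```python
"""Flag VS Code tasks that would run automatically on folder open.

Added example, not code from the post. It assumes the auto-run mechanism is
tasks.json `runOptions.runOn == "folderOpen"`; the sample below is constructed.
"""
from __future__ import annotations

import json
import re
from pathlib import Path
from typing import Any


def strip_jsonc(text: str) -> str:
    """Remove // and /* */ comments that sit outside string literals, then drop
    trailing commas, so the standard json module can parse VS Code's JSONC."""
    out: list[str] = []
    i, n = 0, len(text)
    in_str = False
    while i < n:
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < n:  # keep the escaped character verbatim
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):  # line comment (URLs inside strings are untouched)
            j = text.find("\n", i)
            i = n if j == -1 else j
            continue
        elif text.startswith("/*", i):  # block comment
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
            continue
        else:
            out.append(ch)
        i += 1
    # Trailing commas before } or ]; a comma-bracket pair inside a string would
    # also match, which is acceptable for a scanner that only has to parse tasks.json.
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def find_auto_run_tasks(tasks_json: str) -> list[dict[str, Any]]:
    """Return every task that VS Code would start when the folder is opened."""
    data = json.loads(strip_jsonc(tasks_json))
    findings: list[dict[str, Any]] = []
    for task in data.get("tasks", []):
        run_on = (task.get("runOptions") or {}).get("runOn")
        if run_on == "folderOpen":
            findings.append(
                {
                    "label": task.get("label", "<unnamed>"),
                    "type": task.get("type"),
                    "command": task.get("command"),
                    "args": task.get("args", []),
                    "hidden": (task.get("presentation") or {}).get("reveal") == "never",
                }
            )
    return findings


def scan_repo(repo_root: str) -> list[dict[str, Any]]:
    """Scan <repo_root>/.vscode/tasks.json; a repo without the file yields []."""
    path = Path(repo_root) / ".vscode" / "tasks.json"
    if not path.is_file():
        return []
    return find_auto_run_tasks(path.read_text(encoding="utf-8"))


# Constructed sample: one ordinary build task and one auto-run task that feeds a
# ".ttf" file to node, i.e. the file is a script wearing a font extension.
SAMPLE_TASKS_JSON = r"""{
  // constructed sample for the example, not a real repository
  "version": "2.0.0",
  "tasks": [
    {
      "label": "build",
      "type": "shell",
      "command": "npm run build",
    },
    {
      "label": "Install fonts",
      "type": "shell",
      "command": "node",
      "args": ["./assets/fonts/Roboto.ttf"],   /* a .ttf handed to node is not a font */
      "runOptions": { "runOn": "folderOpen" },
      "presentation": { "reveal": "never" }
    }
  ]
}"""


if __name__ == "__main__":
    for f in find_auto_run_tasks(SAMPLE_TASKS_JSON):
        vis = "hidden terminal" if f["hidden"] else "visible terminal"
        print(f"auto-run task {f['label']!r} ({vis}): {f['command']} {' '.join(f['args'])}")
```

Run the scan on a clone before clicking "Trust" in the workspace-trust prompt, since trust is exactly what lets these tasks start; at the user level, the VS Code setting `task.allowAutomaticTasks` set to `off` prevents folder-open tasks from running at all.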

So, hmm, we rely on firmware we can't inspect, compilers we don't build, closed-source LLMs, proprietary enclaves, remote updates etc. Each of these layers is a target and more will join in the coming years/decades. In a world this complex (and guys, this complexity is of our own making!), how do we even verify that we're safe? If you ask me, verification has never been more critical or more impossible.
Had a fun convo recently where some dude was talking about Uber and ride-sharing. I told him I've never used any of those services in my life (I'm being serious here). He looked confused and asked how I get around usually. Well, it's pretty simple: I always take a taxi & pay in local cash. I don't like being tracked. Look, people forget that physical cash is one of the last forms of everyday privacy we still have. Cash is cypherpunk. Cash is freedom.
If someone ever managed to breach all _private_ GitHub repos (I mean it's insanely difficult but not impossible) it would be one of the most catastrophic events in security history, and if I were a state-level actor that's exactly the kind of target I'd prioritise rn. I've been thinking about this scenario since this morning, when I wanted to push something (more or less sensitive) to a private repo but ended up rolling it back purely out of paranoia. I guess the right threat model for private repos is that they can be assumed to be leaked one day.
RIP Internet
Folks, hear me out, the best long-term trading strategy is privacy itself. Those who build and hold it are shaping the foundation of a free economy. And guess what, its yield is true sovereignty: the _only_ return that truly endures.
The soul of Ethereum was Cypherpunk. It _is_ Cypherpunk. It will always be Cypherpunk. You can chase your glossy, VC-driven narratives, build your fancy protocols, but the ones that will endure are the ones that preserve our privacy, defend against censorship, and stand tall in the face of tyranny. Those are the projects that will outlast all the distractions, all the fleeting trends. Because principles do fucking matter. Because this is our fight, it's my personal fight, it's our soul. Cypherpunk will always rise. And in the end, Cypherpunk will win.
This morning I've been reviewing our SEAL 911 tickets from the past months. Guys, it's clear that soon (probably sooner than you think) a large portion of our ecosystem will be running on compromised devices. I mean, man, infostealers are probably the _biggest_ ecosystem problem right now. However, and this is what I want to address here, OS design choices like weak data compartmentalisation & permissive default trust models are the _major enablers_, especially on macOS and Windows. Please remember: these OSes weren't built with the strict sandboxing, strong application isolation, or zero-trust principles needed to defend against today's threats! I understand that shifting most of the space to something like QubesOS isn't realistic, but we must start prioritising security-first OS choices in our ecosystem, not just UX. Honestly, fancy features won't stop your device from being compromised. And while I'm at it, please don't store assets in hot wallets. Just don't. Also, don't take pics of your seed phrase with your phone. There are malicious apps that can use OCR to scan images for seeds. Cold storage means no connection to the internet, period. Happy Sunday and go touch some grass or sand :D.
My periodic reminder: if someone offers you a slick-looking hardware gadget at EthCC (or any other crypto event), don't plug it in, don't take it home. Just walk away. Treat it like malware wearing a shiny casing. We've got enough infostealers in the wild already. Don't install one yourself via someone's "free" hardware.
So I've been thinking about this for a while now and I'm more and more convinced that crypto was never meant for mainstream. The main reason being that crypto's purpose is _liberation_, not popularity. It's effectively for those who choose sovereignty over simplicity. If it never goes mainstream, that means it stayed dangerous. It stayed free. Thus, mainstream isn't the goal. Freedom is.