cp (@0xfffffffa)
602 posts
Joined February 2010
1.4K Following, 537 Followers

cp (@0xfffffffa):
@SecurityGuyPhil Hi Phil I’m working on this through @bitcoinqs and have also co-authored a BIP candidate (BIP361) with Jameson Lopp @lopp would be good to add us both.

Philip Martin (@SecurityGuyPhil):
The latest quantum papers from Google and Caltech are an important signal for the industry. Timelines are still debated, but the time to act is now. The good news: post-quantum cryptography exists. This is a solvable problem, and many chains already have roadmaps. Bitcoin needs to catch up though. The bad news: post-quantum cryptography is relatively new and it would be fairly easy to create new security risks if implementation is rushed. The industry needs to align on what happens to wallets that fail to migrate before a CRQC appears. At Coinbase, we’ve been working on this for a while, auditing and upgrading our internal infrastructure, researching post-quantum cryptography and establishing a Quantum Advisory Council. It’s clear Bitcoin needs to make some fast progress here, so Coinbase is taking the role of rallying the troops and getting the right people in the room - Bitcoin core devs and the broader community - so they can start tackling this. But no one developer or company can do this alone. Real progress will require coordinated action across the ecosystem. If you’re working on post-quantum approaches for Bitcoin, we want to support you, and connect you with others that are working on it too. Please DM me directly and I’ll get you added to the working group. Bitcoin can and will upgrade, but it will take the entire community working together.

cp (@0xfffffffa):
@elonmusk Had dinner with someone building something wild: 1M AI agents, each with detailed socioeconomic profiles (education, income, commute, background), dropped into a simulated city to model how populations react to real-world events. Maybe we ARE in someone's simulation…

cp (@0xfffffffa):
I was asked to conduct a blockchain investigation into stolen funds for my employer. Using Claude Code, I built Python tooling to recursively trace fund flows, identify pooling (many-to-one) accounts, and generate the full investigation report. Impressive leverage.
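The two operations the post names, recursive outflow tracing and pooling (many-to-one) detection, as an added Python example; this is not the author's tooling. The ledger is constructed with hypothetical labels rather than real chain data, and the hop limit, the three-sender threshold and the report layout are choices of the example:

```python
from collections import defaultdict

# Constructed sample ledger for the example: (sender, receiver, amount).
# Hypothetical labels, not real chain data.
TRANSFERS = [
    ("victim", "hop1", 100.0),
    ("hop1", "hop2a", 60.0),
    ("hop1", "hop2b", 40.0),
    ("hop2a", "pool", 60.0),
    ("hop2b", "pool", 40.0),
    ("mule3", "pool", 25.0),       # unrelated inflows that make "pool" many-to-one
    ("mule4", "pool", 10.0),
    ("pool", "exchange_deposit", 135.0),
    ("unrelated", "hop2b", 5.0),   # second sender into hop2b, still below threshold
]


def build_graph(transfers):
    """Adjacency for outflows plus the set of distinct senders per receiver."""
    out_edges = defaultdict(list)
    in_senders = defaultdict(set)
    for src, dst, amt in transfers:
        out_edges[src].append((dst, amt))
        in_senders[dst].add(src)
    return out_edges, in_senders


def trace_outflows(out_edges, start, max_hops=6):
    """Depth-first trace of where funds from `start` went.

    Returns {address: shortest hop count from start}.  The visited check keeps
    cycles (A -> B -> A) and repeated fan-in from recursing forever.
    """
    reached = {}

    def walk(addr, depth):
        if depth > max_hops:
            return
        if addr in reached and reached[addr] <= depth:
            return
        reached[addr] = depth
        for nxt, _amt in out_edges.get(addr, []):
            walk(nxt, depth + 1)

    walk(start, 0)
    return reached


def pooling_accounts(in_senders, reached, min_senders=3):
    """Traced addresses that collect from >= min_senders distinct senders."""
    return {
        addr: sorted(in_senders[addr])
        for addr in reached
        if len(in_senders[addr]) >= min_senders
    }


def inflow_summary(transfers, reached):
    """Per traced address: (inflow from other traced addresses, total inflow)."""
    traced = defaultdict(float)
    total = defaultdict(float)
    for src, dst, amt in transfers:
        if dst not in reached:
            continue
        total[dst] += amt
        if src in reached:
            traced[dst] += amt
    return {addr: (traced[addr], total[addr]) for addr in reached if total[addr]}


def investigation_report(transfers, start):
    """Plain-text report lines: one header, then one line per address by hop."""
    out_edges, in_senders = build_graph(transfers)
    reached = trace_outflows(out_edges, start)
    pools = pooling_accounts(in_senders, reached)
    flows = inflow_summary(transfers, reached)
    lines = [f"Trace from {start}: {len(reached)} addresses reached"]
    for addr, depth in sorted(reached.items(), key=lambda kv: (kv[1], kv[0])):
        traced, total = flows.get(addr, (0.0, 0.0))
        tag = f" [POOLING: {len(in_senders[addr])} senders]" if addr in pools else ""
        lines.append(f"  hop {depth}: {addr} traced-in={traced:.2f} total-in={total:.2f}{tag}")
    return lines


if __name__ == "__main__":
    print("\n".join(investigation_report(TRANSFERS, "victim")))
```

On real data the transfer list comes from an indexer or node RPC; the traced-in versus total-in split is what shows where the stolen funds were commingled with other inflows, and the pooling flag marks the consolidation point an exchange can be asked about.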

fidexCode (@fidexcode):
In what language did you write your first "Hello world"?

cp (@0xfffffffa):
@gothburz Stand your ground. I’m a 3x CISO. You never asked for this or invited it.

Peter Girnus 🦅 (@gothburz):
Someone found an RCE on my website yesterday. CVE-2025-55182. React2Shell.

I don't have a bug bounty program. I never asked for a security assessment.

I woke up to a DM: "Hey I found a critical vulnerability in your site. I only ran the exploit to verify it worked. Here's my PayPal for the bounty."

Bounty?

I checked my logs. Forty-seven requests to my RSC endpoint. Something, something ... Prototype pollution payloads. They used the GitHub script. The one with 2,000 stars. The one that runs id automatically "for verification purposes."

They spawned a shell on my production server. uid=1001(nextjs) gid=65533(nogroup)

They took a screenshot. They posted it on Twitter. "Popped a Shell on a Live Website 🚀💀 #BugBounty #CVE-2025-55182 #YOLO" They got 84781 likes.

My customers' data was on that server.

I asked them to delete the screenshots. They said "I removed the domain name, you should be thanking me."

Thanking them. For unauthorized access to my production infrastructure. For running arbitrary commands on systems I own. For posting proof of exploitation for clout.

They called it "responsible disclosure." I called my lawyer. They called me "ungrateful." I called the FBI.

Now they're in my DMs explaining that "this is how the industry works" and I "don't understand pen testing."

A pen what? I understand it perfectly. I understand that running react2shell-ultimate.py against random websites isn't research. I understand that "I removed the identifying info" doesn't undo the unauthorized access. I understand that #BugBounty doesn't apply when there's no bounty program. I understand that finding my site on Shodan doesn't constitute authorization.

Their followers are defending them now. "Presumption of innocence." "You don't know if it was authorized." "The screenshots were redacted." Three hundred people are calling me a bootlicker for reporting a crime. Someone said I should be grateful they didn't deploy a cryptominer. The bar is underground.

I just wanted to run a small Next.js app. I didn't ask to be someone's proof-of-concept. I didn't consent to being their "first". I didn't sign up for an unscheduled penetration test from a stranger with a GitHub account.

There is no safe harbor for spraying public exploits at random websites. There is no legal protection for "I was just verifying the vulnerability." There is no ethical framework where unauthorized prototype pollution is a favor.

But sure. Thank you for your service. You found a CVE that was already public. Using a tool someone else wrote. Against a target that never authorized you. And you posted about it on main. For likes. Hero.

SHERLOCK (@sherlockdefi):
"Having a blockchain that is so secure that nothing can break it, not a nation state, not a quantum computer, that is the dream that we have" Episode 9 of The Web3 Security Podcast with @jack__sanford and @drakefjustin, senior researcher at the @ethereumfndn, is now live!

Josef Tětek (@JosefTetek):
These are the Quantum-ready algorithms in the new TS7.
[image attached]

cp (@0xfffffffa):
Today we are launching a Bitcoin Improvement Proposal that I co-authored with @lopp. It addresses incentive & safety issues for migrating the ecosystem to post quantum cryptography. Anyone who cares about the value of their BTC should support this proposal.
Quoting Jameson Lopp (@lopp):
  Today we publish a Bitcoin Improvement Proposal addressing incentive & safety issues for migrating the ecosystem to post quantum cryptography. BIP timeframes are relative to a future point at which quantum computers are deemed a significant threat. github.com/jlopp/bips/blo…

cp (@0xfffffffa):
@StackUpYourSats @bitcoinqs @BarryBuddon31 @StackUpYourSats Trust-minimised MPC / SSS bridge: we are architecting a solution which has 0 trust at all layers. MPC bridges usually fail if nodes collude or the centralised coordinator is hacked or colludes; ours assumes 0 trust at all layers.

cp (@0xfffffffa):
Stealth no more: I’ve been building qBTC — a quantum-safe Bitcoin sidechain with 1:1 BTC backing. Live on testnet. BlueWallet forked + fully integrated. Post-quantum wallets. Bitcoin compatibility. Zero L1 changes. This is Bitcoin’s quantum contingency plan @bitcoinqs
[image attached]

CoinDesk (@CoinDesk):
Kraken uncovered a North Korean hacker trying to land a job at the crypto exchange. It started with a resume -- and turned into a full-blown intelligence op. 🔦 @krakenfx CSO @c7five tells @jennsanasie how they identified the threat. 👇

cp (@0xfffffffa):
@PortaltoBitcoin You seem to not realise / forget / not know that Taproot addresses are vulnerable to quantum attack by default, as the public key is not hashed when creating the address. So anything on Taproot is vulnerable by default.
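The claim in the reply above can be checked from the address string alone. The following added Python example (not code from anyone on this page) implements BIP-173/BIP-350 bech32 and bech32m decoding and encoding and classifies what an address reveals: a P2TR (bc1p) witness program is the 32-byte x-only output key itself, while a P2WPKH (bc1q) program is HASH160 of the key. The sample addresses are the public BIP test vectors; the Taproot one has the secp256k1 generator's x-coordinate as its output key.

```python
"""Does the address itself expose a public key?  (added example, BIP-173/BIP-350)

P2WPKH (bc1q..., witness v0, 20-byte program) commits to HASH160(pubkey); the key
only becomes public when the output is spent.  P2TR (bc1p..., witness v1, 32-byte
program) puts the x-only output key in the address, so the key is public from the
moment the address is shared.
"""
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
BECH32_CONST = 1            # checksum constant for witness v0 (BIP-173)
BECH32M_CONST = 0x2BC830A3  # checksum constant for witness v1+ (BIP-350)


def _polymod(values):
    gen = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= gen[i]
    return chk


def _hrp_expand(hrp):
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def _convertbits(data, frombits, tobits, pad):
    """Regroup a bit string (5-bit <-> 8-bit); rejects non-zero padding when pad=False."""
    acc = bits = 0
    out = []
    maxv = (1 << tobits) - 1
    for v in data:
        acc = (acc << frombits) | v
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        raise ValueError("invalid padding")
    return out


def decode_segwit(addr):
    """Return (hrp, witness_version, program bytes); raise ValueError if invalid."""
    if addr.lower() != addr and addr.upper() != addr:
        raise ValueError("mixed-case address")
    addr = addr.lower()
    pos = addr.rfind("1")
    if pos < 1 or pos + 7 > len(addr) or len(addr) > 90:
        raise ValueError("bad separator position or length")
    hrp, body = addr[:pos], addr[pos + 1:]
    if any(c not in CHARSET for c in body):
        raise ValueError("character outside bech32 charset")
    data = [CHARSET.index(c) for c in body]
    version = data[0]
    # v0 must verify as bech32, v1+ as bech32m; the wrong one is an invalid address.
    want = BECH32_CONST if version == 0 else BECH32M_CONST
    if _polymod(_hrp_expand(hrp) + data) != want:
        raise ValueError("checksum failure or wrong encoding for witness version")
    program = bytes(_convertbits(data[1:-6], 5, 8, pad=False))
    if version > 16 or not 2 <= len(program) <= 40:
        raise ValueError("bad witness version or program length")
    if version == 0 and len(program) not in (20, 32):
        raise ValueError("v0 program must be 20 or 32 bytes")
    return hrp, version, program


def is_valid_segwit(addr):
    try:
        decode_segwit(addr)
        return True
    except ValueError:
        return False


def encode_segwit(hrp, version, program):
    """Inverse of decode_segwit: turns a 32-byte x-only key into a bc1p... address."""
    data = [version] + _convertbits(list(program), 8, 5, pad=True)
    const = BECH32_CONST if version == 0 else BECH32M_CONST
    poly = _polymod(_hrp_expand(hrp) + data + [0] * 6) ^ const
    checksum = [(poly >> 5 * (5 - i)) & 31 for i in range(6)]
    return hrp + "1" + "".join(CHARSET[d] for d in data + checksum)


def key_exposure(addr):
    """What the address string alone hands to an attacker who can solve discrete logs."""
    _hrp, version, program = decode_segwit(addr)
    if version == 1 and len(program) == 32:
        return "P2TR: x-only public key is in the address"
    if version == 0 and len(program) == 20:
        return "P2WPKH: only HASH160(pubkey); key appears on first spend"
    if version == 0 and len(program) == 32:
        return "P2WSH: only SHA256(script); keys appear on first spend"
    return f"witness v{version}, {len(program)}-byte program"


if __name__ == "__main__":
    # Public BIP-173 / BIP-350 test vectors; the bc1p one has the secp256k1
    # generator's x-coordinate as its output key.
    for a in ("bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4",
              "bc1p0xlxvlhemja6c4dqv22uapctqupfhlxm9h8z3k2e72q4k9hcz7vqzk5jj0"):
        _, v, prog = decode_segwit(a)
        print(f"{a}\n  v{v} program={prog.hex()}\n  {key_exposure(a)}")
```

One caveat to keep alongside the classification: hashing only delays exposure. A P2WPKH key is revealed in the witness when the output is spent, so reused v0 addresses, and any spend sitting unconfirmed in the mempool, are exposed as well; the Taproot point is that the key is public from the start, with nothing to wait for.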

Portal (@PortaltoBitcoin):
Portal Wallet will safeguard you with hidden post-quantum keys that quantum computers can't crack, utilizing hash-based signatures once OP_HASHBASEDSIG is implemented. Multisig adds another layer, multiple keys needed, no single point of failure. Non-custodial means you control it all. No third parties, no risks. Just pure, future-proof Bitcoin security. ✅ 5/5 🧵

Portal (@PortaltoBitcoin):
Quantum computing is coming... 😱 How safe is YOUR Bitcoin when it does? We’re thrilled to announce that once OP_HASHBASEDSIG is live, Portal Wallet will launch with cutting-edge, hidden post-quantum keys + multisig support. No wrappers. No bridges. No custodians. Just real BTC. Future-ready from Day 1. 1/5 🧵
[image attached]

Craig Rowland - Agentless Linux Security (@CraigHRowland):
You people can believe what you want, I'm just telling you that without significantly more controls than just firing up a VPN app, you can get your IP leaked and I don't care what Guy Fawkes LARPing you are being sold by vendors.

Craig Rowland - Agentless Linux Security (@CraigHRowland):
Let me state it more clearly: I personally developed methods to de-cloak Tor and VPN users for anti-fraud vendor iovation for some time. None of this mixing of IP, multi-hop stuff matters. Other than the fact I did it for a living, what could I possibly know on the subject?
Quoting Apis (@binarp21):
  @CraigHRowland Basically ignored that your traffic mixes with other traffic which eliminates a huge number, not all, adversaries. Amateurish opinion.

cp (@0xfffffffa):
🚨 Bitcoin will be broken by quantum computers way before 2035. NIST is already urging a move away from quantum-unsafe crypto. I’ve launched @bitcoinqs — Quantum Safe Wrapped Bitcoin (like WBTC but quantum-resistant). We must act now. Follow & DM if you want to help. #bitcoin

cp (@0xfffffffa):
@elonmusk I assure you Elon that Greece still lives in antiquity and little has been developed in the country. One seriously questions where these funds really go. We need a DOGE department too. Once finished in the US you have a role waiting for you here too.

Elon Musk (@elonmusk):
Wow, Germany carries a lot of the cost of the EU!
[image attached]

cp (@0xfffffffa):
@SvetskiWrites @Wise Our business bank account (cyber security company) was also immediately shut down by @Wise - our clients were companies like @NYSE and our books were audited. To get our own money back we had to appeal, threaten legal action, fight with the ombudsmen, etc. etc. “Wise” 🤡🤡🤡

Svetski (@SvetskiWrites):
The morons at @Wise are hands down the dumbest company I’ve ever dealt with. Debanked out of nowhere, right in the middle of travelling, after they asked me to KYC myself for the 7th time in 6 years (as if I’ve somehow morphed into someone else). Submit latest docs. Get told via email account verified, then 10 days later, debanked. And sorry, “we can’t tell you why” 🤡🤡🤡🤡 Oh, and if you want your OWN money back, you have to submit an appeal??? This whole banking system needs to burn to the ground.
[image attached]

Samuel Hess (@LessEgoMoreData):
This supplement brand was acquired by Nestlé for $2 billion. Why? Partly because their online shop is an incredible acquisition machine. Big, old enterprises often lack this direct-to-consumer relationship and the skill to convert shoppers. I broke down Vital Proteins’ online shop to show how simple it can be to create a shop that can be sold for billions. Of course, it’s still hard work. I want you to learn from this funnel and apply some of the strategies that made Vital Proteins successful for yourself.

This breakdown includes:
→ Landing pages that convert (details included)
→ Review psychology analysis
→ Advanced AOV & CRO strategies
→ Traffic data insights
→ Tools & tech stack
→ Customer personas
→ Editable Figma templates
…and much more!

If you want it:
1. Like this post
2. Comment “Sharing is Caring” or tag a friend (must be following)
And I’ll DM the file to the first 200 people. (So be quick) ✨

P.S. Repost for priority access (sometimes the comments can get crazy!)
[image attached]