HalesFall 🪽
680 posts

HalesFall 🪽
@HalesFall
Founder & Viceroy of The Holy Trinity BTC • ETH • USD | "Do Not Cast Your Pearls Before Swine"


💥One Check, One Laser, Every Card: The Tangem Immutability Trap. The @DonjonLedger just published research worth stating plainly. With a single laser pulse the Ledger Donjon team faults one conditional check in the firmware of a Tangem card and resets the password to a value of its choosing. No existing password, backup card, or recovery feature needed. Once reset, the attacker is able to sign anything and can potentially drain the user’s wallet. To be precise about the threat model: this attack requires physical possession of the card, invasive chip opening, lab-grade fault-injection equipment, our own setup costs roughly $250,000, and genuine technical expertise. That puts it well beyond the reach of an opportunistic thief, but comfortably within the capabilities of a serious lab. Both things can be true at the same time. Why one pulse is enough: the recovery path depends on a single yes/no check, “is this card in recovery state?”, and a pulse is simply a precisely timed electrical disturbance designed to make the chip misread that decision at the critical moment. Because there is no redundant check and no penalty for repeated SetPin attempts, one successful disturbance is enough. The chip’s countermeasures are formidable, but they cannot protect the one bit the firmware chose to trust. The uncomfortable part: it cannot be patched. Tangem cards have no firmware update mechanism. The vulnerability was disclosed on February 10th, 2026. There is no fix coming, because there is no channel to deliver one. Tangem presents immutable firmware as a security feature. Call it what it is: a trade-off. "We cannot change the firmware" is a strong story right up until the firmware is wrong. Then the same property that protected you guarantees you can never be protected again. This research did not create that reality. It made it visible. What a user can do, since there is no patch: this attack requires physical possession of the card and invasive lab work, so it cannot be done covertly. The practical risk is a lost or stolen card in the hands of a capable attacker. If the card stays in your possession, there is no reason to assume compromise. If you have doubt, or if your threat model requires a higher level of assurance, treat the funds as compromised and move them to a new secure set up. This was published in line with Ledger Donjon’s responsible disclosure process. When a vulnerability cannot be patched, the next responsibility is to inform users clearly and widely, so they can make their own informed decisions, especially here where the vulnerability can not be exploited remotely. The bigger lesson is not about one product. Security is never static, and systems should be designed with human error and future failure in mind. You should not have to blindly trust that yesterday’s assumptions still hold. You should be able to verify, adapt, and recover when they do not. Design for the day you are wrong, because eventually, you will be. Full write-up from Baptistin Boilot, Ledger Donjon. Stay safe. Stay honest about your trust assumptions. donjon.ledger.com/blog/bypassing…



Tropic Square disclosed a vulnerability in the TROPIC01 Secure Element chip used in Trezor Safe 7. It has been identified based on findings from the Ledger Donjon team's independent audit. Important: Your funds remain safe and secure. Trezor Safe 7 has not been hacked, and you don’t need to take any action. What you need to know: - This discovery cannot give an attacker access to your PIN, funds, or wallet backup in Trezor Safe 7. The vulnerability concerns only the TROPIC01 Secure Element chip, one of three physical, independent security layers, not the whole device. We’re releasing this news proactively because this is how open-source security should work. Transparency is non-negotiable. Collaborations like this raise the bar for the entire industry and make self-custody security stronger for everyone. Here is our response to the findings: trezor.io/blog/news/Trez…

‼️ Telegram's t[.]me domain is down with WHOIS now showing a "serverHold" status which is a registry-level suspension that stops the domain from resolving entirely. All t[.]me links are currently broken. The app itself still works, but link sharing is toast until this gets lifted. 🤣


this is an inconvenience to my life luckily, i live in switzerland, so i am unaffected by this homosexual rigamarole but here is the issue: even if my security and privacy is good, 50% of my friends are european so THEY are being supervised and if they don't take their privacy seriously, my chats with them are still compromised and i suffer from a policy that shouldn't affect me also, need some help on new setup: i assume insta, telegram, whatsapp and text messages are all affected. is signal still save? how should i communicate with europoors now

I don’t know why normies think traveling is some kind of ultra exclusive activity reserved for nepo babies I pay for everything for me and my girlfriend to travel for less than 100$ a day on average (under 70 dollars here in Albania for example) that’s like 35$ per person if you were to split costs We stay in perfectly good private rooms, eat out a fair bit, do lots of fun activities You can easily travel for way cheaper than that too Travelling full time is cheaper than living in a tier 1/2 city in America If you have a remote job you can very easily travel full time for cheaper than living in America The biggest cost of traveling is just the opportunity cost of your time Most people just have a slave mentality, you can literally just go places and do things. Nobody can stop you.



This would mean that the attacker somehow modifies your app's code. To counter this, the Tangem application includes built-in mechanisms that verify its code and content to detect any unauthorized changes. These checks ensure that the application is genuine and prevent the execution of potentially harmful or unauthorized versions. Integrity checks are a crucial part of Runtime Application Self-Protection (RASP) and are recommended by the OWASP MSTG as a key to maintaining application trust and security. In case of a clipboard highjack, even a "trusted display" won't save you if you don't double check the address yourself. In such cases, the Tangem app would display the modified address, but so will other hardware wallets.

‼️ BREAKING: The official SpaceX and Starlink accounts on X appear to have been compromised. According to multiple reports online, an account named "Sam Catman," carrying an official SpaceXAI-affiliated badge, posted a scam coin. The official SpaceX and Starlink accounts then reposted Sam Catman's posts. Needless to say, anyone who bought in was rug-pulled.



Because it IS a luxury. It means you have free time, money, and few responsibilities. A "digital nomad" is not the same thing. You're a Wagecuck on Wheels™ Mr. Shekelstein can summon you back to Zoom or cut off your livelihood at will. Then you'd have zero income to sustain "traveling". Vacation on the other hand, is LEISURE. And that's what people yearn for. People want to ENJOY the amusement park, they don't want to WORK at the amusement park. Working on a tourist visa is technically illegal and runs afoul of tax laws. It's just rarely enforced. Companies fire people once they find out because it's a massive liability. Most people cannot just go places and do things. Life stops them.



🚨@Ledger has achieved perfect mastery over their competitor @Trezor They have now disclosed vulnerabilities in the entire product lineup: Trezor One, Trezor T, Trezor Safe 3, Trezor Safe 5, Trezor Safe 7 >be Trezor >dunks on Ledger >??? >¿¿¿ Ledger is carrying Trezor. Complete dominance. Zero bias, I use Trezors myself for testing. But Ledger has the better approach. I don't care about referral links, I'm retired. Ledger sucks in their own ways too. Too many assume muh open source = muh secure, whilst ignoring the critical vulnerabilities that sit undiscovered for years in open-source projects. You're reading this tweet from a closed source SoC, on a closed source OS, on a closed source app, btw. I recall when people were crying about Ledger Recover, lol. All hardware wallet manufacturers possess the same capabilities. You simply trust them not to deliver malicious firmware updates. Hardware wallets are also not "cold storage", but they are useful tools with a strong product market fit. [Not meant to discourage anybody, ANY hardware wallet is far more secure than only a software wallet. I also believe that "security" is not a solo venture, but a collective of many brilliant minds coming together to improve safety for all users.]















