Ron McKown

124 posts

@ronmckown

California, USA. Joined May 2008
132 Following, 961 Followers
Ron McKown@ronmckown·
@j4hangir @EowynChen @TrustWallet Even if they were using this feature, it's only as good as the security of the signing private key. Perhaps that was compromised as well. Either their key management is weak or they have an insider threat problem.
ʝㄐ🔆 🇮🇷@j4hangir·
Your statement implies that you lack multisig for binary uploads. Otherwise, regardless of the number of leaked API keys, the binary simply couldn't have been signed to be deployed. You should've implemented an internal multisig process or, ideally, adopted Google's from over six months ago. This clearly shows security-the one thing that you must prioritize over all-is not your first and foremost concern. Honestly, embarrassing; and highly concerning. developer.chrome.com/blog/verified-…
Eowyn@EowynChen·
I want to share a transparent update on the @TrustWallet Browser Extension v2.68 security incident, and what we know so far ~24 hours of the attack. This is an ongoing investigation, so I’ll focus on confirmed facts and updates, highly likely hypothesis, and what we’re doing to stop loss for users.
Nostalgia Nerd@nostalnerd·
Name a better logo. I'll wait.
Ross Ulbricht@RealRossU·
Oops...the first thing I try to do on X and I screw it up! I accidentally deleted my last post about taking over the account: 6.5 years ago my wife created this X account to give me my voice back. All this time, she relayed my messages to you word for word. Starting now, MY fingertips are on the keyboard! Here we are, one week after my release, our prayers finally answered.
Ron McKown@ronmckown·
👋🏼 Ron here, Head of Security @phantom. First of all, I want to reassure everyone that security is our top priority at Phantom and that there is no vulnerability that puts user funds at risk.

The issue @CloakdDev is referring to involves being able to freeze a user’s Phantom app by sending it thousands of tokens. This issue has never been exploited and is now completely remediated, but at various points this was the case for both fungible and non-fungible tokens.

In the case of non-fungible tokens, it was possible to crash the collectibles tab, but not affect the rest of the app, and certainly not affect user private keys or secret recovery phrases. In the case of fungible tokens, it was possible to crash the app, and make it difficult for users to access their wallet without the help of Phantom support. Both these issues were promptly remediated and never exploited. At no point were funds at risk of being compromised.

@CloakdDev had been in touch with our security team, and other members of the Phantom team, claiming that it had been possible to wipe private keys and secret recovery phrases from user devices using similar methods. Despite multiple outreaches from our team, he was not able to provide reproducible steps, and we have also not been able to reproduce this despite our best efforts. Based on this, the finding was triaged to score CVSS 3.7, rated Low, and valued at $3,000.

@CloakdDev if you can provide reproducible steps to your claims, we are happy to work with you and increase the size of the bounty offered.
Cloakd ⌛@CloakdDev·
I've been waiting for over 28 days for a large vulnerability to be fixed in one of the largest apps on SOL. At this point, it's becoming a joke - I can't even get a response from their security team at this point in terms of update.
Ron McKown@ronmckown·
@lopp The word "kindly" is always a giveaway.
Jameson Lopp@lopp·
Social engineering prevention 101:
1. Never trust ANY unsolicited incoming communications be it via email, phone, chat, social media, etc.
2. Any message you receive that conveys FEAR and a sense of URGENCY should be regarded as highly suspicious.
3. No crypto exchange, hardware, or software provider is going to call you out of the blue and ask you to make changes to your security setup.
4. Never install software, especially remote desktop software like AnyDesk or TeamViewer, at the instruction of an unsolicited message.
5. Slow down, take a breath, and reach out to someone you trust to provide a second opinion if you find yourself in a weird situation.
Ron McKown@ronmckown·
@lopp Always verify calls to action out of band.
Petter Solberg@Petter_Solberg·
That young man on the left couldn't even imagine turning 50, but here we are...! 😂🎈 Big thanks to everyone for all the birthday wishes, and to my family for the lovely gifts and excellent day so far! 👌🥊
Magic Eden 🪄@MagicEden·
If Bitcoin hits $70k, Solana hits $170 and ETH hits $2,700 this week, we’re following everyone who replies to this.
Ron McKown@ronmckown·
@mikealfred Beware of people with wrenches, saying something like this makes you an easy target.
Ron McKown@ronmckown·
I just received some new toys!
FreeBSD Frau@freebsdfrau·
I didn't want to write this, but I felt like I had to. Put this in your .bash_profile and get notifications whenever someone impersonates you, hijacks your credentials, or nefariously attaches to your forwarded ssh-agent to gain access to machines they cannot without your user
Ron McKown@ronmckown·
@BitcoinMagazine We needed someone like Linus Torvalds. We got Gavin. The rest is history.
Bitcoin Magazine@BitcoinMagazine·
FUN FACT: 13 years ago today, Satoshi Nakamoto announced he "moved on to other things", stepping away from #Bitcoin
Ron McKown@ronmckown·
@ndgoHODL It should be required reading in high school.
Ron McKown@ronmckown·
@cybersecmeg Since 100% prevention is impossible, detection is paramount.
meg west@cybersecmeg·
is it better to detect the breach, or to prevent the breach?
Ron McKown@ronmckown·
Taken in my backyard with a phone
Ron McKown@ronmckown·
@lopp @RealRossU Eagle scout, Masters degree and clean record - his punishment is much too severe.
Jameson Lopp@lopp·
Wishing as happy a 40th birthday as possible, given the circumstances, to @RealRossU. A decade in prison for facilitating free trade is unconscionable.
mason@masonic_tweets·
I'm telling you - Satoshi talks like he was born, raised and worked in Mountain View, CA.
Ron McKown@ronmckown·
@DaDrunkDragon This did nothing to stop piracy, it only inconvenienced people who actually bought the game.
80s Kidz@80s_Kidz·
What's the first game you can think of when you see this? Turrican for me.