Tweet fixado
Insight财经
1.2K posts
Insight财经 retweetou
Insight财经 retweetou
Insight财经 retweetou
Insight财经 retweetou
Insight财经 retweetou
说点不中听的:现在的美国大厂,文化已经非常 toxic,恶心程度不亚于国内。
计算机行业发展了这么多年,藏污纳垢、劣币驱逐良币,脏东西都沉淀下来了。整个行业的发展空间也被 AI 挤到了墙角。
公司内部,到处都是empire building。领导最看重的,是能给他忽悠到headcount,其它能力都不重要,毕竟都是忽悠。
拉帮结派。不是自己人,干活可以,分好处没门,好处只会分给自己人。A 辛辛苦苦干的可以安到B头上,这些手段mgr们都新手拈来。
各级领导都只向上负责,visibility driven。manager不会manage,director不会direct。底下人干啥根本不管,只要能让我在上面领导那露脸出头,比我的peer强,就行。活干的再好,不能让老板脸上有光,都没有visibility。
干不了几年,我也该退休了。这个行业何去何从,跟我也没太大关系了。
中文
Insight财经 retweetou
🚨 警告: 尽快撤出 @Raydium 协议🚨
Raydium是Sol链上的最大的AMM swap协议, 目前tvl 1B美元.
他们的协议多签用的是 Squads V3, 2/3 多签, 协议可升级, 并且没有时间锁 timelock.
2022年12月就因为私钥被盗被黑了4百万美元.
现在有了Drift的前车之鉴 (2/5多签+0时间锁), 还这么干,我可以怀疑是故意的了.
这个多签直接掌握协议所有池子的管理员权限, 只要被攻破了, 瞬间就可以升级协议转走.
多签地址
solscan.io/account/EXZY7F…
另外, 今天多签钱包的协议 Squads刚好发文,说有一些安全隐患.
前几天说过, 整体来说目前链上defi已经是 风险 > 收益了. 完全不建议投入. 你看 Drift Raydium这种草台班子就知道了, 没被黑之前你都不知道有多垃圾.
Squads@multisig
We've identified an address poisoning attack targeting Squads users. We have no evidence of any users being impacted at this time. Attack vector: Since all public keys are visible onchain, attackers are programmatically creating new multisig accounts that include existing Squads users as members. These multisigs appear in the UI because the program indexes all accounts associated with your key. Additionally, attackers are grinding public keys that match the first and last characters of your real multisig addresses, making fake accounts look legitimate at a glance. Attacker goal: Get you to mistake a fake multisig for one of your real ones — either by copying its vault address (sending funds to an attacker-controlled account) or by signing a transaction you didn't initiate. Impact: None, if you don't interact. This is not a protocol vulnerability. The attacker cannot access your funds, execute transactions, or modify your existing multisigs. It is purely a UI-level social engineering attempt. Action required: — Ignore and do not interact with any multisig you did not create or weren't added to by your team — Do not rely on matching the first and last characters of an address to verify it — always verify the full address against your own records — If you're unsure whether a multisig is legitimate, check with your team before taking any action — Set your Squads accounts as default — this pins them to the top of your Squad list, making it easy to distinguish your real accounts from anything unfamiliar. We encourage everyone to do this now if you haven't already (click on ... next to your Squad in the Squad list). UI updates shipping in the next two hours: — A banner alerting users to this attack — An alert on any multisig you've never interacted with before In the next few days we are also shipping a whitelist logic where all new multisig accounts initially go to a pending state requiring you to manually add them to your Squad list. We'll follow up here with updates as we roll these out.
中文
Insight财经 retweetou
Insight财经 retweetou
Insight财经 retweetou
Insight财经 retweetou
어제 널 보았을 때
눈돌리던 날 잊어줘
내가 사랑하면 사랑한단 말 대신
차갑게 대하는걸 알잖아
오늘 널 멀리하며 혼자 있는 날
믿어줘
내가 차마 네게 할 수 없는 말 그건
사랑해 처음 느낌 그대로
처음 느낌 그대로
한국어
Insight财经 retweetou
Insight财经 retweetou
Insight财经 retweetou
我宣布:目前AI PPT最牛逼的不是Gamma,不是NotebookLM,而是Claude Cowork!!
为什么?
1、因为做出来的内容完全是可编辑的,文字是文字,图是图,不是靠Nano Banana这种模型生成的,是真的去做出来的。
2、速度很快,一个十几页的PPT,要不了2分钟就出稿了,你要是出图,这个效率会非常慢,没个一二十分钟,根本出不来,后面修改更费时间
3、审美也非常在线,这个在线指的是不花里胡哨,非常实用,不需要那些多余的图来点缀,把事情讲清楚就OK,有基础的配色和视觉辅助,层级清晰即可。
很多人肯定没有试过,你下载一个Claude桌面端你就能体验到了。
下载链接:claude.ai/downloads
中文
Insight财经 retweetou
国内有个搞开发的哥们儿,录了个两分钟的小教程,讲怎么配置 Claude Code 智能体的。他背后摆着三台显示器,桌上线乱得跟蜘蛛网似的。视频发到 B 站,他寻思着撑死一百来个人看,就没当回事。
结果西方那边还在吵 AI 会不会抢饭碗呢,咱们这儿公寓楼里已经有人把 AI 矿场搭起来了。这哥们儿本意是教大家怎么用,谁知道一个没留神,把底裤都给露了。
注意看,0 分 47 秒,按个暂停。右边那块屏幕。
那是不是真实余额?86.8 万美金???
名字:gabagool22。利润:868,862 美元。预测次数:28,620 次。2025 年 10 月进的场。
他钱包地址在这→ @gabagool22?r=PM888" target="_blank" rel="nofollow noopener">polymarket.com/zh/@gabagool22…
本来是教人搭 AI 智能体的,结果忘了第二个屏幕还亮着钱包页面。28,620 个头寸,清一色押 BTC,全是 15 分钟的短窗口,满屏全是绿的,全在赚钱。
评论区直接变侦探破案现场。有人把视频放慢到 0.25 倍速,只要第二个屏露出来一丁点画面,立刻截图。最后愣是把那 4 秒钟的背景碎片拼一起,完整还原了整个钱包界面。
进场价全在两美分到十美分之间,赔付金额成百上千地往上蹦。两万八千多条记录,愣是一条红的都没有。
那不是一台电脑,那是个矿场。好几台机器同时扫着不同的 15 分钟窗口,二十四小时连轴转,所有时间段全覆盖,一个缝儿都不给市场留。
他三小时后就把视频删了。但晚了。早有人录了屏。录像先是在 Discord 里传,然后上 Telegram,最后推特上炸了锅。
教程本身播放量才两百。可他第二块屏那几秒画面,播放量已经干到四十万了。
现在有七十万零七千人盯着那个钱包看。他之后再没发过任何东西。显示器还亮着,钱包还在跑,矿场还在转。
他本来想教大家怎么搭 AI 智能体,结果一不小心让全世界看见了他的智能体已经干到啥程度了。
要是你也想跟着这类操作走一遭,哪怕就拿五十美金试试水,最省心的办法就是挂个跟单工具,躺着就行:
t.me/PolyCop_BOT?st…
省得自己搭矿场,人家吃肉,咱跟着喝口汤就得了。
中文
Insight财经 retweetou
Insight财经 retweetou
Insight财经 retweetou
中文
看完这个攻击文档叙事,进一步觉得大多数项目方的链上安全防范意识,甚至不如普通散户。
黑客通过线下量化团队的身份接触了 @DriftProtocol ,然后,通过以远程测试的名义,就把后门安装在了 DRIFT 员工的工作电脑中。
然后, DRIFT 员工就用这台运行着恶意软件的工作电脑,签署了协议多签,唯一的安全就是他们觉得签名用了冷钱包。
太可笑了,连最基本的签名设备独立隔离,杜绝一切下载和插件安装的意识都没有,管理着 5亿 规模TVL 的 DEFI 协议,舍不得花 800 美金买一台专门的签名 MACBOOK。
而这个协议,就被这么一群外行管理者,还要花这么多时间来解释,他们被朝鲜黑客准备了 6个月 “才” 黑掉的。
按照这个逻辑,传统金融有这么多业务接触, 不是早该被朝鲜黑客翻个底朝天了吗?
为什么没有,大概因为传统金融出了问题了,是真的要进去吃牢饭的,所以他们把安全思维刻在骨子里,权限分离,独立设备,时间锁、大额审批。
而 DEFI 这些草台项目方,只有那么几个业余的管理人,用着充满恶意代码的电脑,管理着 5亿协议的安全层,最后,出事了,只会有一句“对不起,我么们失败了。”屁事没有的去干下一个项目。
shame on you all guys, 你们应该承担刑事过失的责任。 @cindyleowtt @davijlu
——
After reading this attack narrative, I am further convinced that the on-chain security awareness of most project teams is actually inferior to that of an average retail investor.
The hacker approached @DriftProtocol under the guise of an offline quantitative trading team. Then, using the pretext of "remote testing," they managed to install a backdoor directly onto a DRIFT employee's workstation.
Subsequently, the DRIFT employee used this malware-infected computer to sign protocol multi-sig transactions. Their only sense of "security" stemmed from the fact that they were using a cold wallet for the signatures.
It’s laughable. They lack even the most basic awareness of hardware isolation—the concept of using a dedicated signing device and prohibiting all downloads or plugin installations. They are managing a DeFi protocol with a $500M TVL, yet they couldn't be bothered to spend $800 on a dedicated MacBook just for signing.
And yet, this protocol is run by such a group of amateurs who then spend so much time explaining how it took North Korean hackers six months of preparation "just" to breach them.
By that logic, shouldn't traditional finance—with its vast array of business interactions—have been turned upside down by North Korean hackers long ago?
Why hasn't it happened? Likely because in traditional finance, if things go wrong, people actually go to prison. Consequently, they have security mindsets ingrained in their DNA: separation of privileges, independent devices, time locks, and multi-level approvals for large transactions.
In contrast, these "shoddy" DeFi project teams consist of just a few amateur managers using computers riddled with malicious code to oversee the security layer of a $500M protocol. In the end, when disaster strikes, they simply say, "Sorry, we failed," and move on to their next project without facing any consequences.
Shame on you all. You should be held criminally liable for such gross negligence. @cindyleowtt @davijlu
Drift@DriftProtocol
中文
Insight财经 retweetou
