init4_tech

Today I did the hardest thing I’ve ever had to do. My wife and I took our 5 year old son on a road trip to Disney. What we didn’t tell him was that we actually lost the house. We didn’t know what we were going to feed him or where we were going to live. The drawdown on BTC destroyed my families finances. I invested everything we had in BTC. I packed up the car with what items we had left after selling all our other worldly belongings on FB marketplace, and we hit the road. The plan is to stay with my wife’s parents until we can get back on our feet. About 7 hours into our trip, I pulled over to a gas station in just about the middle of nowhere. I pushed my son out of the car behind the gas station near the dumpster riddled with mice. “That’s Mickey and his family” I told my son, he’s going to take care of you. My wife didn’t protest. She knew we didn’t need the burden of another mouth. We drove away with tears in our eyes as the rodents over took my infant son. I wish I’d never touched crypto.

It's official. MicroStrategy, $MSTR, is now facing its biggest unrealized loss in history, at -$10.8 billion. In other words, after 6 years of buying Bitcoin, the company is now down -17% on its position. By comparison, the S&P 500 is up +116% over this same timeframe. Since MicroStrategy sold 32 Bitcoin at $77,135 per coin, their positions has lost -$11.8 billion in value. This puts MicroStrategy's stock, $MSTR, down -77% since its record high. Bear market is an understatement.

‼️🚨 A new npm supply-chain attack compromised 57 packages across over 286 malicious versions in under 2 hours. The attackers used self-replicating malware, a new version of the Miasma worm, which also used evasion techniques to stay under the radar. The payload targets CI/CD and developer credentials, including GitHub Actions secrets, cloud credentials, Vault tokens, SSH keys, npm and GitHub tokens, and password-manager stores. This variant also injects AI coding assistant config files at `.claude`, `.cursor`, `.gemini`, and `.vscode` paths, a separate persistence and repo-poisoning angle.

Our HR department just migrated all our mandatory compliance training to a new gamified learning management system. I received an automated email stating I had 48 hours to complete a module on data privacy or my badge would be deactivated. I logged into the portal and was greeted by a cartoon badger named Barnaby. Barnaby told me I was about to embark on a security quest. I'm 44 years old. I don't want to go on a quest. The first module was a video about phishing scams produced like a high-budget daytime soap opera. The actors were inappropriately attractive for a simulated accounts payable department. The main character, Chad, left his laptop open at a coffee shop while he ordered a matcha latte. A guy in a black hoodie immediately sat down and downloaded the entire corporate mainframe to a USB drive in four seconds. Then the video paused and asked me to identify Chad's critical mistake. The multiple choice options were leaving the device unsecured, using public Wi-Fi, or failing to foster a culture of vigilance. I clicked the first one. Barnaby the badger popped up and told me I was technically correct, but I lacked a holistic security mindset. He deducted 10 "synergy tokens" from my digital wallet. I didn't even know I had a digital wallet. The next scenario involved a complex ethical dilemma about accepting gifts from vendors. A supplier offered the protagonist a branded corporate fleece. The video framed this as the first step toward international corporate espionage. I was asked if accepting the fleece was a violation of the anti-bribery statutes. I clicked yes. Barnaby congratulated me and awarded me a bronze digital badge of integrity. I tried to fast-forward through the next video because it was 45 minutes long. The player immediately froze and a warning message appeared saying Barnaby notices you are rushing. The video restarted from the very beginning. I sat there for 45 minutes watching a dramatization of password hygiene while staring blankly at my monitor. At the end of the quest, I had to take a 50-question final exam. One question asked how long a visitor badge is valid under the new global security matrix. I guessed 24 hours. Barnaby appeared with a sad face and told me it was 12 hours. I failed the module with an 84 percent. The passing grade was 85 percent. Barnaby informed me that my quest must start over. I considered throwing my company-issued laptop out the window. Instead, I sent an email to HR asking for an extension. I got an automated reply saying the HR representative was out of the office on a corporate wellness retreat. I clicked replay on the video. Chad is about to leave his laptop at the coffee shop again. This time I hope the hacker deletes my employee profile entirely.

‼️🚨 REMARKABLE: A man calling himself "Noah Doe" walked into the NYPD with a USB drive of 39,069 dormant Bitcoin wallets, filed it as "lost property," and got a receipt. He's now suing in New York to be declared the legal owner of all of it: ~3.8M BTC (~$286B). He says he built an algorithm to find them and is invoking a 1958 NY finders law to claim title. Wallet #1 is the Mt. Gox hacker's address: ~80,000 BTC stolen in 2011, untouched for 15 years, worth ~$6B today. Every on-chain analyst on earth watches it.

‼�� After the MSRC blog post about Nightmare-Eclipse, researchers are coming forward with their own MSRC horror stories. The response from the security community isn't going Microsoft's way. As they’re not backing Microsoft. Gabriel Landau, a well-known Windows security researcher, says he reported a Device Guard bypass with a 90-day window. MSRC told him it met their bar and they'd fix it, then asked him to hold disclosure for extra months. He agreed on the condition they issue a CVE. They patched it silently, decided after the fact it "didn't meet the bar," and never issued the CVE. In his words: "MSRC strung me along for a few extra months to keep me quiet, then broke their word." Another researcher, rootsecdev, says he responsibly disclosed a legacy-auth flaw that allowed password spraying while avoiding smart lockout. Five months later, MSRC replied that it "doesn't meet the bar for servicing," silently fixed it, and closed the case. Microsoft's post was meant to defend their coordinated disclosure policy. Instead it became a thread of researchers explaining why they've stopped trusting their process.