🚨 We recently discovered that an unauthorized party obtained a token with access to the Grafana Labs GitHub environment, enabling the threat actor to download our codebase. (1/6)
Trump had one of his worst mental health episodes yet last night, posting over 55 times in 3 hours. Here is the list:
10:15 PM - Accuses Obama of attempting a coup in 2016
10:15 PM - Says Obama worked with CIA to overthrow Trump
10:15 PM - Reposts tweet saying Obama is a “traitor” and that he should be arrested
10:22 PM - Attacks Dominion Voting Systems for 2020 election saying they switched votes
10:22 PM - Says Fulton County, GA had their 2020 fraud exposed (there was none)
10:23 PM - Accuses Obama of personally making $120 million from Obamacare (wtf?)
10:23 PM - Cites quack lawyer Sidney Powell on the 2020 election
10:24 PM - Posts fake JFK Jr account that says Obama wiretapped Trump Tower
10:27 PM - Demands Senator Mark Kelly resign
10:29 PM - Claims neither Biden nor Harris were in charge of the Biden admin
10:29 PM - Attacks Fulton County, GA again
10:29 PM - Posts Fox News clip of Rep Ro Khanna
10:30 PM - Demands Jack Smith be arrested
10:30 PM - Accuses Obama, Clinton, and Comey of treason
10:39 PM - Reposts a tweet from a MAGA account saying they have secret intel proving Clinton and Obama committed crimes
10:39 PM - Reposts a MAGA tweet saying Hillary Clinton should be sent to Haiti
10:40 PM - Says the DOJ is “working hard” to arrest his enemies for treason
10:40 PM - Reposts a tweet attacking his own DOJ and Todd Blanche for no arrests of political enemies
10:40 PM - Posts a TikTok video of people stealing from a convenience store
10:41 PM - Posts a TikTok of someone taking a Door Dash order
10:41 PM - Accuses Obama, John Brennan, and Clinton of sedition and treason again
10:42 PM - Posts a video of a man on CCTV footage knocking over food a waiter was carrying
10:47 PM - Calls Obama the “most DEMONIC FORCE” in American politics
10:47 PM - Posts a tweet from Mike Flynn saying 2020 election wasn’t fair
10:49 PM - Attacks Dominion again claiming they stole the 2020 election (it wasn’t)
10:51 PM - Reposts a fake Charlie Kirk account that claimed Obama blocked Hillary Clinton from being prosecuted
10:53 PM - Claims Obama was part of Hillary Clinton’s emails in some way
11:28 PM - Claims a senior Democrat just testified under oath that Senator Adam Schiff leaked classified information
1:13 AM - Attacks the New York Times for reporting on the reflecting pool
This man is clearly not well.
Google is rolling out Android “Intrusion Logging” for high-risk users.
It stores encrypted forensic logs in the user’s Google account, making it harder for spyware or forensic tools to erase traces after compromise
Very useful shift for Android spyware investigations
https://t.co/73inIGBwUt
(Reuters) - Chicago Board of Trade wheat and K.C. wheat futures climbed by their daily trading limits on Tuesday after the U.S. Department of Agriculture projected the nation's harvest will drop to the lowest level since 1972.
If insurance companies can deny care and call it "medically unnecessary", why aren't they required to have malpractice insurance too when they get it wrong and someone gets sicker or tragically dies?
‼️🚨 One of the world's largest Certificate Authorities, DigiCert, was compromised by a malicious screensaver file sent through a customer support chat. Their antivirus blocked the malware four times. The agent kept clicking. The fifth try got through.
27 code signing certificates were stolen and used to sign malware.
DigiCert ultimately revoked 60 certificates.
Per DigiCert's incident report, filed in Mozilla's CA compliance tracker as Bug 2033170, here is how it unfolded:
April 2: an attacker contacted a DigiCert helpdesk agent through the company's customer support chat channel, posing as a customer. The lure was a zip file pitched as a screenshot. Inside the zip was a .scr file. On Windows, .scr files are executables, and this one carried a malicious payload.
Opening a file a customer sent through the official support channel is what an agent is supposed to do. Support staff are the one role designed to accept files from strangers.
DigiCert's endpoint security blocked four infection attempts. On the fifth, the support analyst's machine was infected.
DigiCert detected the infection, ran an investigation, and concluded the incident was contained.
Eleven days later, an external researcher tipped DigiCert off about misuse of DigiCert-issued code signing certificates in the wild. That tip led to the discovery of a second compromised machine, belonging to a different support analyst, infected through the same vector. The EDR on that machine had not been functioning correctly, so the original investigation missed it.
The second machine gave the attacker access to DigiCert's internal support portal. That portal lets support staff reach limited views of customer accounts, including initialization codes for ordered but not-yet-issued code signing certificates. Combining a stolen initialization code with an approved order let the attacker pull a real, validly issued code signing certificate. They did this 27 times.
DigiCert's own list of what went wrong:
- File-type filtering on the customer support chat channel did not catch the .scr
- EDR coverage was inconsistent and incomplete, creating a blind spot
- Initialization codes for code signing certificates were not adequately protected
DigiCert says it got lucky. An outside researcher found the malware abuse before DigiCert did. Without that tip, the second machine and the active certificate theft might still be running today.
🦔 A Cast AI analysis of roughly 23,000 Kubernetes clusters found average GPU utilization across enterprises sits at 5%, meaning 95% of provisioned GPU capacity is idle. CPU utilization averages 8% and memory 20%. Companies are overprovisioning out of fear of missing allocations rather than sustained demand. The CEO of Cast AI described it plainly: companies are overbuying GPUs out of fear of missing out.
My Take
Last night Meta, Amazon, Microsoft, and Alphabet all reported earnings beating expectations while simultaneously raising AI infrastructure spend. Meta alone raised its 2026 capex guidance to $125-145 billion. GPU spot prices are up 48% in two months. CoreWeave raised rates 20%. The narrative driving all of that is insatiable AI demand that companies cannot afford to miss.
Against that backdrop, 95% of provisioned enterprise GPU capacity sitting idle is a figure I find genuinely difficult to square with the shortage narrative. The price increases and multi-year infrastructure commitments are being driven by demand signals from companies that purchased GPUs on the same fear-of-missing-out logic and are now leaving 95% of that capacity unused.
Companies are paying for GPUs they aren't running while bidding up the price of GPUs they claim they urgently need. The hyperscalers booking record backlogs last night are counting commitments from the same enterprises sitting on idle infrastructure, which is a different thing from collected revenue, and the distinction is important when the bill for all of it eventually comes due.
Hedgie🤗
This one will require a stiff drink.
In the early 1990s, the government came up with a clever idea. Instead of borrowing money cheaply to build hospitals, schools, and roads, it would get the private sector to build them and then pay the private sector back over 25 to 30 years. The Private Finance Initiative. PFI.
The attraction was obvious. You got a shiny new hospital today. The bill didn't show up on the government's books. The cost was deferred into the future. Politicians got ribbon-cutting ceremonies without the awkward conversation about borrowing.
It was, in effect, the nation's credit card. Buy now, pay later. Except the interest rate was extraordinary.
The total capital value of everything built under PFI was around £50 billion. As of March 2024, there were 665 PFI contracts still running across the UK, with roughly £136 billion in remaining payments stretching out to the early 2050s. These are payments public bodies are contractually locked into. Hospitals, schools, councils, government departments. Paying for buildings that in many cases were constructed twenty or thirty years ago.
And the terms are extraordinary.
PFI contracts were structured so the private sector would not just build the facility but manage its services. Cleaning. Maintenance. Catering. Portering. These services are bundled into long-term contracts with built-in inflation increases that the public sector cannot renegotiate, cannot exit without paying massive penalties, and often cannot even fully scrutinise because of commercial confidentiality clauses.
In one case raised in Parliament, a hospital was charged £333 to change a lightbulb. That isn't an urban myth. It was cited in Hansard.
The NHS has been hit hardest.
According to parliamentary analysis, the capital cost of NHS PFI projects was around £13 billion. The total repayments are estimated at around £80 billion. And the peak of NHS PFI annual repayments isn't even here yet. It arrives in 2029. The bills are still going up.
In 2020-21, NHS trusts paid £457 million purely in interest charges on PFI contracts. Not services. Not maintenance. Interest. In the last five years, NHS trusts have handed over more than £1.8 billion in PFI interest alone. We Own It calculates that money would have covered the starting salaries of over 50,000 new doctors.
One NHS trust, Essex Partnership, has reportedly paid back 27 times what was originally borrowed. Some hospitals are spending more on PFI repayments than on medicines for patients. And remember, these repayments come out of the same NHS budget that's supposed to fund patient care, staff, and equipment.
Scotland got it just as badly. Audit Scotland reported that Scottish taxpayers will pay a cumulative £40 billion for PFI assets worth just £9 billion. North Ayrshire Council will have paid £440 million by 2038 for four schools that cost £83 million to build.
Now here's what makes this worse.
Many of these contracts are starting to expire. The buildings are being handed back to the public sector. And the NAO has warned of significant risks around the handback process, including cases where public bodies were dissatisfied with the condition of assets being returned to them. Decades of payments. And some of these buildings may come back needing significant further investment.
So what actually happened?
The government could have borrowed money at significantly lower rates to build these hospitals and schools itself. Sovereign borrowing has always been cheaper than private finance. Instead, it paid the private sector to borrow at a premium and passed the inflated cost on to the taxpayer. The private sector took the profit. The taxpayer took the risk. The buildings are now ageing. The debts are still being paid. And the services that were supposed to benefit are being squeezed partly because so much of their budget is locked into contractual obligations they cannot escape.
PFI wasn't investment. It was an accounting trick. A way for governments to build things without the borrowing showing up in the national debt figures. It made politicians look fiscally responsible while loading future generations with obligations they had no say in and no ability to renegotiate.
Both parties did this. The Conservatives created PFI in 1992. Labour massively expanded it after 1997. More than 700 projects were signed. The coalition eventually wound it down. The current government scrapped the latest version. But the contracts remain. The payments continue. And the damage is already done.
This is what it looks like when a country chooses to buy its infrastructure on hire purchase instead of investing properly. You lock in above-market rates for decades. You lose control of the assets. You tie the hands of future governments. And when the bill keeps coming due, you're told there's no money for doctors, teachers, or social care.
There was always money. It just went somewhere else.
As wealth concentrates, so does power — the power to influence elections, shape policy, tilt markets and define the terms of public debate.
That’s why we’ve been told for far too long that tax reform is politically infeasible, too complex, and too radical.
Taxing billionaires is not radical.
What is radical is allowing a system where extreme wealth exists alongside widespread hardship — and where billionaires can in effect opt out of contributing to the society that made their success possible.
https://t.co/0YCVZJk7ib
Young people are being coerced into performing violent acts on themselves, family members or their pets, with vision of these crimes often shared online. @XantheMallett @RaquelPeel @CQU @Swinburne https://t.co/cXn3eWrqhh
Before a protest, be sure to review our Surveillance Self Defense guide to ensure that you’ve locked down your phone and have plans for communication with others. https://t.co/Hihtxp6hMh. (2/7)
The Trump administration is buying your location data and spying on you without a warrant.
Congress can stop this surveillance and support stronger privacy protection.
Tell your lawmakers to pass my bill closing loopholes that let the government buy our location data.
I'm happy to announce this new paper — we compile evidence on the extraordinary harms caused by IMF and World Bank structural adjustment programmes in the global South since the 1980s.
The empirical record is devastating: documented negative impacts on wages, poverty, inequality, maternal mortality, infant mortality, healthcare access, etc.
SAPs inflicted misery on the periphery in order to curtail their consumption, scupper independent development, and make labour and resources more cheaply available for the core.
https://t.co/21awBtifPu
A company that sells cybersecurity risk intelligence to 91% of Fortune 100 companies just got breached through an unpatched React app and a single overprivileged AWS role.
LexisNexis. 3.9 million records. 400,000 user profiles. 53 secrets extracted in plaintext from AWS Secrets Manager. Including credentials for production databases, Salesforce, Oracle, and analytics platforms.
The password "Lexis1234" was reused across five different internal systems.
This is a company that describes itself as "one of the largest protectors of private and confidential data in the world." They provide risk intelligence to 7,500 US government agencies, nine out of ten banks, and major insurers globally. They sell cybersecurity assessments to their customers.
And they couldn't secure their own AWS account.
Here's what makes this worse than a typical breach:
- The compromised data includes accounts tied to 118 .gov email domains. Three US federal judges. Four Department of Justice attorneys. SEC staff. Probation officers. Federal court law clerks. The attackers published doxxed profiles of federal officials tied to courts and regulatory agencies across the country.
- These aren't random consumer records. These are the digital identities of people whose exposure carries national security implications. A compromised federal judge's profile doesn't just enable identity theft - it enables targeted influence operations, blackmail, and intelligence gathering.
The attack path is textbook and that's the problem:
→ Unpatched React application - the front door
→ Single ECS task role with read access to every secret in the account - the keys to everything
→ 536 Redshift tables, 430+ database tables, full VPC infrastructure mapping - complete visibility
→ 53 secrets in plaintext including database credentials, API tokens, and development access keys
No zero-day. No advanced persistent threat. No nation-state capability required. Basic hygiene failures — unpatched app, overprivileged IAM role, password reuse, plaintext secrets.
This is LexisNexis's second confirmed breach in two years. The December 2024 incident exposed 364,000 individuals through a compromised corporate account on a third-party development platform.
Data brokers and analytics providers are not peripheral players - they're deeply embedded in today's risk landscape.
That's the pattern we keep seeing. Attack the aggregator, not the individual. BPO providers. Cloud platforms. Legal data giants. The organisations that hold everyone else's data are the highest-value targets - and often the weakest links.
For every enterprise that uses LexisNexis services:
→ Assume your metadata, contract details, and product usage history are exposed
→ Watch for targeted phishing using the exposed business relationship data
→ If your staff have LexisNexis accounts, reset credentials immediately
→ Ask your vendor risk team: when was the last time we assessed LexisNexis's actual security posture - not their marketing, their controls?
The company that indexes the world's legal information couldn't index its own IAM policies. And they're not the exception. They're the pattern.
More info: https://t.co/lzgKNNraWf
If you want demonstrable proof that you’re immersed in the most powerful propaganda system in human history, just realize literally nobody can afford anything, which in previous eras woulda created revolutionary conditions but in this era is barely a topic of public conversation.
🦔 Identity protection company Aura confirmed a breach exposing 900,000 records after a voice phishing attack on an employee. ShinyHunters claimed credit and leaked the data after Aura refused to pay. The exposed information includes names, email addresses, home addresses, phone numbers, customer service comments, and IP addresses. Aura says no SSNs, passwords, or financial data were compromised. Have I Been Pwned added the data to its database and noted 90% of the emails were already in there from previous breaches.
My Take
An identity protection company getting breached by a phishing attack is the kind of thing that writes itself. Aura sells services to protect people from exactly what just happened to Aura. The 90% figure from HIBP is almost worse than the breach itself. Nine out of ten people in this leak were already exposed somewhere else, which says something about how much of everyone's data is already out there.
Aura is blaming a marketing tool from an acquisition five years ago. Acquire a company, inherit their technical debt, don't clean it up, act surprised when it bites you. Voice phishing isn't sophisticated. Someone picked up the phone and got social engineered. If your business is telling people you'll protect their identity, you should probably have that one locked down.
Hedgie🤗
This tweet got over 1M views so we made it a video:
How much money does Meta make by enabling crimes?
"Internal docs leaked to Reuters show:
• 10% of all Meta revenue comes from ads for scams & banned goods ($16B/year)
• Meta estimates it's involved in 1/3 of all successful scams in the US
• That suggests they drive $50B in scam losses for US consumers alone each year
• Meta earns ~$3B annually from scam/banned goods ads run by Chinese operations alone..."