Digital Dopamine

Digital Dopamine
  • 5.0 (1)
  • NEWS
  • UPDATED WEEKLY

Tune in for a weekly dose of digital dopamine! Explore productivity apps, uncover tech trends, and dive into short coding tutorials tailored for new developers. Subscribe for insights that supercharge your tech journey! digitaldopaminellc.substack.com

Episodes

  1. Gimme More Gemma 4

    MAY 16

    Gimme More Gemma 4

    One Step Closer to Sustainable AI Today, we are going to give props where props are due, and that’s with Google’s new Gemma 4 models. The Gemma 4 models are open source with an Apache 2.0 license; Anyone can use this model commercially or personally with no restrictions, allowing folks to build and sell applications, embed the model in their product, or clone and build upon the core model code without needing permission from Google. That’s not the only cool thing about Gemma 4, the models are TINY and pretty damn powerful. As you can see in the image above, there are 4 models total: E2B, E4B, 26B, and 31B. E2B & E4B These models are best suited for mobile and IoT devices. There are no other models available that can run natively on the user’s device without an internet connection and using only the device’s processing power. The immediate benefit of this breakthrough is that populations with little to no internet access can begin using AI for their own learning. For personal use and coding, the intelligence of these 2 models is not strong enough to do any daunting task, coding, or deep thinking, but they are more than capable of providing quick 1-2 liner responses for learning and informational purposes (we’ll get into the exact details of the breakthrough later). This also benefits people who might get lost on long expeditions in unknown & uncivilized territories. For example, one might need to get foraging info to assist their survival tactics. Though they were engineered with a target audience in mind. These models were engineered from the ground up for maximum compute and memory efficiency, and in collaboration with Google Pixel, Qualcomm, and MediaTek, they can run completely offline with near-zero latency on phones, Raspberry Pi, and NVIDIA Jetson Orin Nano. 26B & 31B Here’s where things get pretty interesting. The 26B & 31B models are aimed at more coding assistants and agentic workflows, research, and enterprise production apps. The 26B works decently on a Mac Mini (M4), and you can easily downgrade to the smaller models for much greater performance, depending on the task and context provided. But for open source models that are so small with an open license, the 26B and 31B swing well above their weight class, outcompeting models with 20× more parameters. By total parameter count, Gemma 4 31B is 24× smaller than GLM-5 and 34× smaller than Kimi-K2.5-Thinking, delivering comparable performance at a fraction of the footprint. The more remarkable story is the 26B MoE: it achieves 97% of the 31B's quality at approximately 8× less compute per inference step, with the 26B MoE reaching 40+ tokens per second locally versus the 31B exceeding 10 tokens per second. The pure flexibility and power at these model sizes unlock so many possibilities in the open source space, especially for people looking for a free and frictionless way to get into using AI without needing massive compute power. Much better for the environment, too! Gemma The Winna Yes, I misspelled “winner” on purpose, relax. Gemma 4 is the clear winner when it comes to open models. At least in my. eyes. There are other open-source and free models, such as Kimi-K2.5 and Qwen 3.6, that beat Gemma 4 in almost every category, but the gap is not large, and with the other models, you pretty much will need a powerhouse of a home setup or the power of an actual enterprise server to run these on. So, for the everyday layman, Gemma 4 should be the model forced upon the people. Yup, I said it. If you aren’t using AI agents or AI in general for coding, deep thinking, research, or science, then you need to be forced to use a model that has very little impact on the environment and your wallet. There’s no reason for anyone to be paying $20/month for high-energy prompts about what to make for dinner or how to talk to women……there are people that do the latter and all I can do is pray for them lol. But below is a nice little graphic of the 4 different model variations, their use cases, and the min amount of compute needed to run (not necessarily smoothly). There are some cool facts to read into about the technical achievements of Gemma 4 and I urge anyone with a deeper interest in knowing the nitty-gritty to read into their official docs → https://ai.google.dev/gemma/docs/core/model_card_4 as well as peep the video below: Pairing With OpenCode and Ollama Now that we have a general sense of Gemma 4 and its capabilities, I wanted to test things out myself with a quick local project that uses the Gemma 4 Model to build out an API for an AI chat. I wanted to include a UI as well for screen recording purposes so I looked into ways to make this happen all without paying a single penny (locally of course). This led me to OpenCode and Ollama. OpenCode This is pretty much the open-source and free version of “Claude Code” with the added ability to use any free or paid model for your operations. To be more detailed, OpenCode is an AI-powered terminal coding agent that sits on top of whatever local model you point it at. It reads your codebase, writes and edits files, runs commands, and iterates — all from your terminal. Critically, it’s model-agnostic, so you can point it directly at your Ollama endpoint and it uses Gemma 4 as its brain instead of a paid cloud model. The local setup was very straightforward, and you can get it installed with curl, brew, or an installer: Curl curl -fsSL https://opencode.ai/install | bash Homebrew brew install anomalyco/tap/opencode Node (NPM, PNPM, BUN, YARN) # NPM npm install -g opencode-ai # PNPM pnpm install -g opencode-ai # Bun bun install -g opencode-ai # Yarn yarn global add opencode-ai Once installed, you are all set to start using OpenCode as your agent of choice, but you’ll still need a vehicle to download, manage, and serve open-weight models like Gemma 4 on your local machine. That's where Ollama comes in. Ollama Ollama is the runtime layer in which you can download and serve open-weight models and API dependent models on your local machine. In our case, it wraps the model in a local REST API (mimicking OpenAI's API format) so any app can talk to it at localhost:11434. With the command below: # The model i used is a custom 26b model. You can swap that out with gemma4:latest or any other model version ollama run gemma4:26b-32k you get your model running. Ollama handles quantization, GPU/CPU offloading, and model versioning under the hood. For our example project, it's the reason we have zero cloud dependency and zero API costs, which is DOPE AF!! Local AI API Example Now let’s dive into the example project itself. The goal was to build a Local AI assistant API using only OpenCode and Gemma 4 as the model. That turned into two rounds of attempting that, both having their fair share of difficulties when it came to some of the logic. Now this task was pretty hefty for Gemma 4 in my opinion but I wanted to see how well it would do with creating an AI itself. The Qwen flop This one kinda sucked because for the second run, I wanted to use Qwen since it’s supposed to be better when it comes to agentic coding. But long story short, as soon as I started using the qwen3.6:27b, which is supposed to be good on machines with at least 17 GB of RAM. I have 24GB, and while it’s running, my activity monitor says it’s using 22.5 GB of my 24 GB…. Not only is it using more GBs than the model apparently was supposed to use (or maybe it is, and there’s a lack of architectural knowledge on my end), but it just doesn’t work at all. No exaggeration when I say I let it run for about 1 hr on a simple question, and it never even got past the thinking step. Clearly, my Mac Mini was not up for the task with Qwen, but that’s exactly why Gemma 4 is so damn cool. There’s literally a model for every kind of device. API V1 & V2 So, as I mentioned earlier, I did two rounds of running this, and I will say there were successes and failures in both runs that made them about equal in output quality. V1 With V1, the UI is where we were lacking. Hell, the UI was the biggest struggle for both runs since it insisted it use Svelete and SvelteKit as the frontend framework 😂. I know most of these models have very little Svelte in their training data, so any chance I get, I make sure to use Svelte and help the AI build their Svelte chops lol. But considering this project is local, I’m not helping the big 3 (OpenAI, Anthropic, X) train their models this time around. The other issue with this build was that the scaffolding was a bit off, and that caused confusion when giving further directions. However, it seemed to pick up the pieces pretty quickly on the first round, and I got a working API + UI pushed up to GitHub. Below is a quick screenshot of a random question I asked the V1 chatbot: For additional context here, the first question was asked with nothing in the “System Prompt” section, but for the second question, I added “Make sure your responses are fantasy-themed”, and the response was adjusted accordingly. The System Prompt section itself is unique to this version’s build, as V2 did not feel the need to add that feature 😅. But it gives a bit more control of the output for the user by allowing them to add some constants into their chat flow. The UI uses Svelte and took a couple of prompts to fix the errors present. I was personally still impressed by how well it did with Svelte compared to other big-name models I’ve used in the past. V2 Now with V2, the first run through of the prompt gave it a good head start with the UI, since there were already structured files in the first version. There were only 2 main issues with the second run through: it initially built the frontend in a “UI” folder instead of a “Frontend” folder, and the button + POST request was broken. The UI design, though, was a bit more compact, and in my opinion, that was a better look. The System Prompt sec

    1h 11m
  2. Deepfake Disco

    MAY 6

    Deepfake Disco

    This Is Where We Are…… It pains me to see society slowly but predictably corrode. We’ve had scammers and thieves long before the age of technology, but there’s just something uniquely dark about Deepfake technology, where many people can’t decipher the difference between the deepfake and the real person. Visual deception was the limit with deepfakes for a while; it was possible to mimic a face with a near 1:1 accuracy but as soon as voice came into play, the jig was up. Now, with the vast improvement in AI models and audio generation, voice deception is more accurate than ever, and it’s extremely worrying. The Baby boomer generation was typically the demographic scammed by phone salesmen or offshore scammers via phone or email, but now, with deepfakes being able to mimic voices of your loved ones, that opens the door for many of the younger generations to be scammed as well. So I want to educate as many folks as I can to help them combat the rise of deepfake scams, as well as give a quick overview of what deepfakes are in general and the problems around the tech. What Are Deepfakes? Deepfakes are images, videos, or audio that have been edited or generated using artificial intelligence, AI-based tools, or audio-video editing software. They may depict real or fictional people and are considered a form of synthetic media, that is, media that is usually created by artificial intelligence systems by combining various media elements into a new media artifact. That’s a general definition and should give you an idea of where we are headed. The faster and more intelligent we make AI, the better these deepfakes and scams will get. For a bit of history, an early project called the "Video Rewrite" program was published in 1997. The program modified existing video footage of a person speaking to depict that person mouthing the words from a different audio track.[34] It was the first system to fully automate this kind of facial reanimation, and it did so using machine learning techniques to make connections between the sounds produced by a video's subject and the shape of the subject's face. Fast forward some years, the deepfakes we know today stem from generative adversarial networks (GANs). It was developed in 2014 and published in a research paper by researcher Ian Goodfellow and his colleagues. A GAN is a machine learning model designed to generate realistic data by learning patterns from existing training datasets. It operates within an unsupervised learning framework by using deep learning techniques, where two neural networks work in opposition—one generates data, while the other evaluates whether the data is real or generated. The “Generator” creates synthetic content, and the “Discriminator” evaluates whether the content is real. This back and forth eventually makes the fake content look as real as possible. Think of it like sharpening a sword against a steel block. Every time the sword (the Generator) is run against the steel block (the Discriminator), the sword gets sharper. Deepfakes entered the mainstream in 2018, with the release of accessible open-source deepfake tools like DeepFaceLab. In 2023, the deepfake tool market skyrocketed, with a 44% increase in the development of these tools. It’s Pretty Messed Up Tech Deepfakes are f’d up….. Not much more to elaborate on there lol. While deepfakes could be used to make appropriate parodies, 9 times out of 10 it’s used for things like creating synthetic media of world leaders or creating content combining copyrighted media, along with other nefarious purposes. There is a huge concern amongst academics around deepfakes promoting disinformation, violence, and hate speech. Unfortunately, the creation of non-consensual explicit content of women has served as a motivating factor for the rising popularization of deepfake tools. The problem is rampant, with Security Hero reporting that in 2023, approximately 98% of deepfake videos online are explicit in nature, and only 1% of targets in that category are male. Researchers have also shown that deepfakes are expanding into other domains such as medical imagery. In this work, it was shown how an attacker can automatically inject or remove lung cancer in a patient's 3D CT scan. The result was so convincing that it fooled three radiologists and a state-of-the-art lung cancer detection AI. To demonstrate the threat, the authors successfully performed the attack on a hospital in a white hat penetration test.[37] Another example is a sophisticated scam using AI-generated video and voice that nearly compromised a well-known crypto developer linked to the Cardano ecosystem. The attacker impersonated Pierre Kaklamanos, Head of Digital Assets Adoption at the Cardano Foundation, during what appeared to be a legitimate Microsoft Teams call. The target, developer Big Pey, said the scam almost succeeded after he followed instructions during the fake meeting. There are plenty of other domains that this can have a negative impact on, escpecially is we continue down the line of tokenization. We’d then be faced with deepfake contracts and deeds, getting people to sign away assets and funds to the attacker without even knowing it. How to Protect Yourself Protecting yourself is going to be the best way to avoid being scammed or caught up in a deepfake scheme. So it’s good to know a handful of the things to look out for and the best practices to follow to not be a victim of fraud. Verify Before You Trust If you receive an unexpected call, video, or message from someone claiming to be a family member, colleague, or authority figure — especially one asking for money or sensitive information — verify their identity through a separate channel. Call them back on a known number, or reach out via text/email independently. Example: If "your son" calls saying he's broke and needs some funds wired immediately, hang up and call his actual phone number before doing anything. Establish a Family Safe Word One of the most practical defenses against voice deepfakes is creating a secret code word with close family and friends. If someone calls claiming to be them in an emergency, ask for the safe word. No legitimate loved one will be offended. Example: A family could agree that the word "pineapple" must be said if any family member ever calls asking for urgent financial help. Slow Down — Urgency Is the Red Flag Deepfake scammers rely on panic and urgency to short-circuit your critical thinking. If any call, video, or message is pressuring you to act right now, that's your cue to pause. Scammers don't want you to have time to verify. Legitimate emergencies almost always have a moment to double-check. Use Multi-Factor Authentication (MFA) Everywhere Even if a scammer uses a deepfake to impersonate you to a bank or service provider, MFA adds a critical extra barrier. A voice or face alone shouldn't be enough to authorize anything sensitive — and if a service is relying solely on those for verification, that's a concern worth raising with them. Facing This Issue Head On Deepfakes are here and here to stay. The threat and its consequences are very real and present. Deepfakes today are at the point of undermining trust in the online identity verification process that many organizations, especially in the financial sector, have come to rely upon. With more people than ever authenticating themselves using biometrics across all their devices, the growth in the malicious use of deepfakes can lead to a dire need to rethink authentication security within the next five years, or sooner. As shown in the examples, the barrier to entry for creating realistic deepfakes has dramatically decreased. From cloned voices to full video impersonations, deepfakes empower scammers and fraudsters in ways that are harder to detect and defend against. Understanding the threat is the first step to defending against it. With more end-user security training and by leveraging emerging deepfake detection tools, organizations and individuals can begin to fight back against this new threat. We also have to help our elders and loved ones who aren’t tech-savvy get up to speed with this rising threat, so they too can be prepared to combat deepfakes. If you want to keep up with my work or want to connect as peers, check out my social links below and give me a follow! * 🦋 Bluesky * 📸 Instagram * ▶️ Youtube * 💻 Github * 👾 Discord Get full access to Digital Dopamine at digitaldopaminellc.substack.com/subscribe

    17 min
  3. Hack w/ Me Episode 3: Linux Basics + VMs

    APR 21

    Hack w/ Me Episode 3: Linux Basics + VMs

    Intro Sup folks, my last completed module was about the basics of Linux, so that’s what this episode will be about. However, I’ll be covering a bit more than we covered in the module. Within TryHackMe, we covered basic commands, working with the filesystem, shell operations, flags & switches, and automation, to name a few. But what I also want to cover is how to get a Virtual Machine booted up using “Kali Linux”, which is a Linux distribution designed for digital forensics and penetration testing. That will involve us getting familiar with UTM, a full-featured system emulator and virtual machine host for iOS and macOS (sorry, Windows users, it might not be a 1:1 comparison on how to start the VM locally). We’ll also go through the entire process of installation of the distribution and even try our hand at a fun lil script 😏. Before we get into the hands-on sections of this episode, let’s go over some Linux basics. Lil Linux Lore The name "Linux" is actually an umbrella term for multiple OS's that are based on UNIX (another operating system). Thanks to Linux being open-source, variants of Linux come in all shapes and sizes - suited best for what the system is being used for. For example, Ubuntu & Debian are some of the more commonplace distributions of Linux because they are so extensible. For example, you can run Ubuntu as a server (such as websites & web applications) or as a fully-fledged desktop. While the TryHackMe module uses Ubuntu, when we are setting up our own VM, we will be using Debian, since that’s what Kali Linux is based on. When it comes to the commands and execution, though, both distributions should function very similarly. "Linux" is often used to refer to the entire operating system, but in reality, Linux is the operating system kernel, which is started by the boot loader, which is itself started by the “Basic Input/Output System”/”Unified Extensible Firmware Interface” (BIOS/UEFI). The kernel assumes a role similar to that of a conductor in an orchestra—it ensures coordination between hardware and software. And no, I did not come up with that analogy myself lol. But enough of the technical jargon, let's get our VMS set up, then dive into some basics. Setting Up Your VM There are a handful of steps to properly set up both of the VMs we will be using in this episode, so I created a quick video to help walk through each step of the process while notating some of the known bugs when it comes to getting the “Kali Linux” VM set up. Quick Setup Summary UTM * We will need UTM as our emulator. Download and install it → https://mac.getutm.app Kali * Download the ISO image from their site → https://www.kali.org/get-kali/#kali-installer-images. Make sure you are downloading the right image for the architecture you’re on. * Follow their official guide once you have it downloaded → https://www.kali.org/docs/virtualization/install-utm-guest-vm/ ParrotOS * Download the pre-configured UTM from ParrotOS - Home → https://www.parrotsec.org/download/ * Follow their official installation guide → https://www.parrotsec.org/docs/virtualization/utm-configuration Once you have both of these VMs installed, we are ready for action! The Basics Commands Now, when it comes to commands, if you are familiar with macOS terminal commands, you should feel at home with Linux. Apple’s macOS is based on UNIX as well, so a lot of the commands for filesystem management, shell commands, and shortcuts should be identical. Let’s start with the very basic command echo. echo will output any text that we provide. Check out this screenshot below. You can see the simple command input and the output. There are various use cases for using echo from debugging to getting environment variables in a safe manner, and we will for sure be using some of them throughout this series. Another basic command is whoami to find out what user we're currently logged in as. That’s the only function there, lol, a one-and-done command. You can see in the screenshot above that I’m logged in as “mortaniel”. Next we have pwd which stands for “print working directory”, and this just prints out where you are currently in your filesystem within your terminal. The ls command prints out the contents of the directory you’re in. The last command I wanna mention here is cd, which lets you navigate into certain directories. Below you can see me navigate into “Desktop” and I used ls to list out the contents on my VM’s desktop, which is just a custom folder named “Best Folder”. There are TONS of other commands available to use, and we’d be here all day if I tried listing them out with their use cases. For instance, the find command is very useful and worth covering; I just have to spare the time to fit everything under an hour. It would be extremely boring too 😂, and besides, there are going to be commands I use later in this episode and will provide a quick definition of what it is when I reference/use them. So let’s move on to the next section, where I want to discuss SSH. Secure Shell: Operations & Deploy Secure Shell (SSH) is the common means of connecting to and interacting with the command line of a remote Linux machine. In TryHackMe, we deploy two machines: * The Linux machine * The TryHackMe AttackBox Where we go over common shell operations as well as how to use it to remotely log into the Linux Machine. So, what we’ll do is create 2 VMs locally to emulate what we’re doing in TryHackMe (or at least as close as possible). The main VM we will make should be a standard setup in terms of memory and storage allocation. This will be our “Attack Box”, and it will be using Kali Linux. The second VM we create will be our “Target Linux Machine”, and I’ll use ParrotOS for this one, to change it up a bit. You are more than welcome to use 2 Kali Linux VMs. Ubuntu, being the 2nd VM, is ideal if you can get it set up, but I’m having compatibility issues that I don’t feel like resolving, so I'm stuck with 2 different Debian-based distros. I’ll walk through how to set both up a bit later on, but our Attack Box will be where we get to test out some of these shell commands. I’m also going to walk through a cool and simple exploit to give an idea of what’s capable in the world of pen testing. A few of those operations are as follows: * &: This operator allows you to run commands in the background of your terminal. * &&: This operator allows you to combine multiple commands together in one line of your terminal. * >: This operator is a redirector - meaning that we can take the output from a command (such as using cat to output a file) and direct it elsewhere. * >>: This operator does the same function of the > operator but appends the output rather than replacing (meaning nothing is overwritten). If we want to get into more details on each operator: Operator “&” This operator allows us to execute commands in the background. For example, let’s say we want to copy a large file. This will obviously take quite a long time and will leave us unable to do anything else until the file is successfully copied. The “&” shell operator allows us to execute a command and have it run in the background (such as this file copy), allowing us to do other things! Operator “&&” This shell operator is a bit misleading in the sense of how familiar is to its partner “&”. Unlike the “&” operator, we can use “&&” to make a list of commands to run for example command1 && command2. However, it’s worth noting that command2 will only run if command1 was successful. Operator “>” This operator is what’s known as an output redirector. What this essentially means is that we take the output from a command we run and send that output to somewhere else. A great example of this is redirecting the output of the echo command that we learned in Task 4. Of course, running something such as echo wordsILoveToSay will return “wordsILoveToSay” back to our terminal — that isn’t super useful. What we can do instead is redirect “wordsILoveToSay” to something such as a new file! Let’s say we wanted to create a file, and I’ll name it newFile with the message “sup”. We can run echo sup > newFile where we want the file created with the contents “sup” like so: Now I personally don’t see much use of this other than allowing users to save command results directly to a file for later but I feel that’s something you’d just work on in whatever file you are writing code in. I could be missing the nice use case and maybe it’ll come to me in practice. That leads us to the “>>” operator. Operator “>>” This is pretty much an extension of the previous command. But instead of creating or replacing an entire file with the new command, this operator appends the output. These are just very basic Linux commands, and I’m sure I’ll find more use for them the more I dabble. There is a lot more basic knowledge that I feel is useful but to go into detail on each one would make this a very long episode. So in the next section, im just going to list the command, give a quick definition, and show an example screenshot if applicable. The File System Navigating the file system is extremely important, but can be summed up clearly, in which your file system is like your playing field in an RPG, table top, or digital. In that RPG’s playing field/world (the filesystem), there are many paths that you can take once you leave home (different paths like /Home/Desktop/Pictures & /Home/Downloads/cool_img.jpg). But you can always come back home and even further, go back to your root(s)…aka /~. I haven’t seen anyone make a similar analogy, so I’m gonna call dibs on that until further notice 😏. But you want to be able to navigate your file system(s) effortlessly, because sometimes time is not on your side when trying to execute an exploit or defend yourself from one. Termin

    1h 21m
  4. Tokenizing Private Credit, Real Estate, National Debt, and Everything Else

    MAR 23

    Tokenizing Private Credit, Real Estate, National Debt, and Everything Else

    Blockchain and Tokenization Popularity Boom Tokenization has become one of the new buzzwords in the world of finance. Your 401(k) may already be invested in assets you've never heard of, through technology you don't understand — and the people making those decisions didn't ask your permission.There are a lot of people who barely know much about blockchain, and it’s been around even before cryptocurrency was a thing, and tokenization is just an extension of digital assets. So I feel like I should go over both just a bit. Blockchain A blockchain is a digital ledger, which is a record-keeping system, that stores information across a network of computers rather than in a single centralized location. Think of it as a shared spreadsheet that thousands of computers maintain simultaneously, where every entry is permanent, time-stamped, and visible to participants on the network. Some key features and benefits are: * Decentralization: No single institution (no bank, no government, no company) controls the ledger. It’s maintained by a distributed network of computers (called “nodes”). * Immutability: Once a transaction is recorded, it cannot be altered or deleted. Every entry is cryptographically linked to the one before it, forming a “chain” of “blocks” — hence the name. * Transparency: On public blockchains, every transaction is visible to anyone who looks. This is a feature for accountability, but also a concern for privacy, since financial activity becomes traceable. * Smart contracts: Blockchains can execute automated agreements — code that says “if X happens, then do Y.” For example, a smart contract could automatically distribute rental income to token holders every month without a human intermediary. Tokenization Tokenization is the process of creating a digital token on a blockchain that represents ownership of real-world assets like real estate, art, or stocks, as well as intangible assets such as intellectual property or voting rights. Tokenization enables easier asset transfers, ownership verification, and fractional ownership. Imagine a commercial building worth $10 million. Traditionally, you'd need millions of dollars and a team of lawyers to buy it. With tokenization, the building's ownership can be divided into 10 million tokens worth $1 each. An investor could buy 100 tokens for $100 and own a tiny fraction of that building, receiving proportional rental income and being able to sell those tokens on a digital marketplace. Now this may sound like a scenario where the average Jamal has a seat at the big dawg table, but that fractional piece of ownership will never outweigh the millions or billions of dollars the elite will put in all at once, maybe even taking ownership of all available tokens for that digital asset themselves. How Tokenization Connects Real-World Assets to the Blockchain Let’s cover a bit on exactly how Tokenization Connects Real-World Assets to the Blockchain: * The asset exists in the real world — a piece of real estate, a corporate loan, a Treasury bond, shares in an ETF, etc. * A legal structure is created that ties the digital token to legal ownership rights over that asset. This is the critical (and often fragile) link, because the token is only as good as the legal framework backing it. * Tokens are then issued on a blockchain, where they can be bought, sold, held, or used as collateral — 24 hours a day, across borders, without traditional intermediaries like brokers or clearinghouses. But this presents its own issues with cyber criminals and hacking. * Last but not least, Smart contracts automate functions like interest payments, dividend distributions, compliance checks, and transfer restrictions. But what is being tokenized right now, you ask? * U.S. Treasuries and money market funds (~$12 billion tokenized) — led by BlackRock’s BUIDL fund and J.P. Morgan’s MONY fund * Private credit (~$9 billion tokenized) — corporate loans that were traditionally opaque and illiquid * Real estate — commercial and residential properties fractionalized for smaller investors * Commodities — tokenized gold and trade receivables * ETFs and fund shares — increasingly being explored for on-chain issuance Who Is Leading The Financial Tokenization Charge Like I just mentioned, tokenization converts ownership of physical or financial assets into digital tokens on a blockchain (real estate, loans, Treasury bonds, ETFs), and we have big players like BlackRock, J.P. Morgan, Goldman Sachs, Franklin Templeton, and Apollo Global Management, leading the charge. The tokenized real-world asset market surpassed a staggering $26 billion by early 2026, which is a fourfold increase from early 2025, with private credit and U.S. Treasuries dominating. The Private Credit Problem Large lenders, including BlackRock, Blue Owl, and J.P. Morgan, have restricted investor withdrawals from private credit funds amid rising interest rates and borrower distress. Businesses that took on these loans are struggling to service their debt, and what most people don’t know is that tokenization is being positioned as a solution. The plan is to create secondary markets for these illiquid loans, fractionalize them, and potentially offload the risk to a broader pool of investors. Some might call this a genuine innovation in the digital landscape of finance, but I call it transferring risk from institutional balance sheets to less sophisticated investors. The private credit market is sitting at a staggering $3 trillion, and investors want out, which could cause major ripple effects in the broader markets. Now I can go deep into a rabbit hole on the issues in the private credit market alone, but let’s stick to our focus on the tokenization of all these connected issues. The 401(k) Pipeline Back in August 2025, President Trump signed an executive order directing the Department of Labor to open 401(k) plans to alternative investments, including private equity, private credit, and digital assets. Essentially, just giving America’s $13.9 trillion in defined-contribution retirement plans to private-asset giants like Apollo, Blackstone, and BlackRock. Target Date Funds — where most workers’ 401(k) money sits by default — were designed for daily liquidity, transparency, and public markets. They were never built to house illiquid private equity or gated real estate. As one longtime fiduciary advisor put it: “This quiet push isn’t democratization. It’s risk transfer.” And a lot of workers typically have little or no say in how their plan providers allocate funds. The risks are substantial on multiple fronts: * You have higher fees than traditional index funds. * Your money is locked up for years. * It’s less transparent in terms of knowing which companies took out these risky loans. * And there’s no guarantee of performance. Legal experts warn that many plan committees lack the expertise to evaluate private market investments, and attorneys are already watching for ERISA fiduciary violations — ERISA being the 1974 federal law specifically designed to protect workers in retirement plans like these. The Security Problem No One Wants to Talk About Tokenization’s promise depends entirely on the security of the systems holding these assets. And right now, those systems are under siege from every direction — nation-states, organized crime, AI-powered scam operations, and even physical violence. State-Sponsored Theft: The North Korea Problem North Korean hackers, operating under the umbrella group known as Lazarus Group, stole $2.02 billion in cryptocurrency in 2025 alone — a 51% increase from the prior year and their all-time record. Their cumulative total now exceeds $6.75 billion. The single largest heist was the February 2025 Bybit hack: $1.5 billion in Ethereum stolen by compromising a third-party wallet provider’s developer through social engineering. The FBI formally attributed the attack to North Korea’s TraderTraitor unit. What makes this especially relevant to tokenization is that these hackers aren’t breaking the blockchain itself. They’re targeting the human and operational layers around it — the developers, the wallet software, and the interfaces people actually use. When real-world assets like Treasury bonds, real estate, and private credit are tokenized and held in similar infrastructure, the attack surface for nation-state hackers grows enormously. We’re no longer talking about stolen cryptocurrency; we’re talking about the potential theft or manipulation of tokenized deeds, loan obligations, and retirement fund shares. North Korea is the only country in the world known to use state-sponsored hacking primarily for financial gain, and the proceeds fund its nuclear and missile programs. A senior Biden administration official estimated that roughly 50% of North Korea’s foreign-currency earnings come from cybercrime. Now, just think about your 401(k) assets becoming tokenized on the same kind of infrastructure these hackers are already systematically exploiting; the risk is no longer theoretical. The AI-Powered Fraud Explosion AI is becoming embedded in everything and is becoming more of a security risk for our everyday lives today, without even considering tokenization. Crypto scam losses hit an estimated $17 billion in 2025, according to Chainalysis. These AI-powered scams — using deepfake video calls, cloned executive voices, and automated social engineering — extracted 4.5 times more money than traditional scams. Impersonation scams surged 1,400% year over year. One investor lost $284 million in a single phishing attack after scammers impersonated hardware wallet support staff. As tokenized assets become more mainstream, these same techniques will be weaponized against retail investors, plan administrators, and the platforms managing tokenized 401(k) assets. Imagine AI-generated deepfakes impersonating your retirement plan administrato

    44 min
  5. The Coruna iOS Exploit & The Major Issues With The Commercial Surveillance Industry

    MAR 10

    The Coruna iOS Exploit & The Major Issues With The Commercial Surveillance Industry

    So What Is the Coruna Exploit? The Coruna iOS exploit framework is a new and powerful exploit kit targeting Apple iPhone models running iOS 13.0 (released in September 2019) up to version 17.2.1 (released in December 2023). It was identified by Google Threat Intelligence Group (GTIG) and iVerify. The exploit contained five full iOS exploit chains and a total of 23 exploits. The core technical value of this exploit kit lies in its comprehensive collection of iOS exploits, with the most advanced ones using non-public exploitation techniques and mitigation bypasses. GTIG has been tracking this exploit since 2025, and at first, that threw me off a bit. Like, you mean to tell me this has just been out in the wild for a whole year without any major reporting on it? But that’s exactly what they do. There’s another report from 08-29-2024 from Google that states, “Today, we’re sharing that Google’s Threat Analysis Group (TAG) observed multiple in-the-wild exploit campaigns, between November 2023 and July 2024, delivered from a watering hole attack on Mongolian government websites.” Now I’m still new to cyber security and threat intelligence, so I don’t know if there are procedures around exploit discovery that require monitoring to understand them. To be honest, that kinda makes sense as I say it out loud, so maybe there’s some truth to that assumption. But these specific campaigns first delivered an iOS WebKit exploit affecting iOS versions older than 16.6.1 and then, later, a Chrome exploit chain against Android users running versions from m121 to m123. These were n-day exploits for which patches were available, but would still be effective against unpatched devices. They assessed that, “with moderate confidence, the campaigns were linked to the Russian government-backed actor APT29”. This leads me back to the Coruna exploit, because it seems like security vendors that are goverment backed have increasingly become more and more careless with who they sell the exploits to. That’s right folks, commercial spyware is sold to the government and other brokers. And it’s becoming more common that once spyware or an exploit capability is sold, control over the end customer is lost. Brokers can’t be trusted with these capabilities, and business-to-business transactions over the spyware market are highly unregulated. Now, this lack of control helped launch discussions about responsible use of spyware and aligning on a formal voluntary framework for its use called the Pall Mall Process. But those discussions are ongoing, and the economic pressures for spyware companies to return a profit mean these tools are being sold to a broader array of organizations. Some things just should’t be based on the constant need for a return on investment, and at the end of the day, Capitalism is to blame for this industry getting sloppy with its handling of exploits. Google is actually more on the forefront of reporting the slippery slope we are in when it comes to the unchecked commercial surveillance industry, and there is a great report you can read here → “Buying Spying”. I highly recommend the read regardless of your interest in CS, because whether you like it or not, these leaks or unethical sales of spyware affect all of us. So I want to elaborate on the definition of these attacks and exploits. 0-day Exploits A 0-day is a vulnerability or security hole in a computer system unknown to its developers or anyone capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit or zero-day attack. The term "zero-day" originally referred to the number of days since a new piece of software was released to the public, so "zero-day software" was obtained by hacking into a developer's computer before release. Eventually, the term was applied to the vulnerabilities that allowed this hacking, and to the number of days that the vendor has had to fix them. Vendors who discover the vulnerability may create patches or advise workarounds to mitigate it, though users need to deploy that mitigation to eliminate the vulnerability in their systems. Zero-day attacks are severe threats. Watering Hole Watering hole is a computer attack strategy in which an attacker guesses or observes which websites an organization's users frequently use and then uses one or more of the websites to distribute malware. Eventually, some member(s) of the targeted users will become infected. Attackers looking for specific information may only target users coming from a specific IP address. This also makes the attacks harder to detect and research. The name is derived from a strategy of predators in the natural world, who wait for an opportunity to attack their prey near watering holes. The attack strategy was named in an RSA blog in 2012. These are just 2 of many different types of attacks and exploits that threat actors use to gain confidential information or credentials from their targets. If you’re interested in learning about more common attacks, you can check out this article from Fortinet → https://www.fortinet.com/resources/cyberglossary/types-of-cyber-attacks, where they go over the 20 most common attacks and exploits. Initial Discovery: The Commercial Surveillance Vendor Role In February 2025, GTIG captured parts of an iOS exploit chain used by a customer of a surveillance company. The exploits were integrated into a previously unseen JavaScript framework that used simple but unique JavaScript obfuscation techniques. The framework starts a fingerprinting module, collecting a variety of data points to determine if the device is real and what specific iPhone model and iOS software version it is running. Based on the collected data, it loads the appropriate WebKit remote code execution (RCE) exploit, followed by a pointer authentication code (PAC) bypass as seen in Figure 2 from the deobfuscated JavaScript. At that time, GTIG recovered the WebKit RCE delivered to a device running iOS 17.2 and determined it was CVE-2024-23222, a vulnerability previously identified as a zero-day that was addressed by Apple on Jan. 22, 2024 in iOS 17.3 without crediting any external researchers. The image below shows the beginning of the RCE exploit, exactly how it was delivered in-the-wild with GTIG’s annotations. I’m gonna throw in a shameless plug from my Hack w/ Me Episode 2: Search Skills: Because I used one of the specialized databases I learned about, the Common Vulnerabilities and Exposures (CVE) database, to pull up the record of this exploit. As previously mentioned, the record is CVE-2024-23222, and as you can see below, this exploit was fixed with the iOS 17.3 and iPadOS 17.3, macOS Sonoma 14.3, and tvOS 17.3 updates. The last update on the record states 2024-06-12, so I’m not sure if that is when the OS updates came out or if that was the last fix forward from the initial releases of the OS patches. Either way, most people I can assume are safe from this attack moving forward. But there are apparently still many users within the US and outside of the country who still have an older OS version, for one reason or another. The Coruna Exploit Kit is In The Wild This is a huge issue, and the fact that these exploits that are being funded by and built for government entities should be concerning to all of us. Google’s report doesn’t explicitly mention the original CSV customer that deployed Coruna, but iVerify, which also analyzed a version of Coruna it obtained from one of the infected Chinese sites, suggests the code may well have started life as a hacking kit built for or purchased by the US government. Google and iVerify both note that Coruna contains multiple components previously used in a hacking operation known as “Triangulation” that was discovered targeting Russian cybersecurity firm Kaspersky in 2023, which the Russian government claimed was the work of the NSA. The US government didn’t respond to Russia’s claim and you can be damn sure that if they DIDN’T have any involvement in “Triangulation”, they would make it known. iVerify also noted that the code appears to have been originally written by English-speaking coders, saying “It's highly sophisticated, took millions of dollars to develop, and it bears the hallmarks of other modules that have been publicly attributed to the US government." Adding, “This is the first example we’ve seen of very likely US government tools—based on what the code is telling us—spinning out of control and being used by both our adversaries and cybercriminal groups.” So here we are again, another extremely sophisticated exploit, leaked by the US government. I say another because this isn’t the first time this has happened. Back in 2017, EternalBlue was a Windows-hacking tool stolen from the NSA (National Security Agency) and leaked to the world, leading to its use in catastrophic cyberattacks, including North Korea's WannaCry worm and Russia's NotPetya attack. We can most certainly expect something of the same caliber to be developed and deployed over the next couple of years. Even Google stated, “Beyond these identified exploits, multiple threat actors have now acquired advanced exploitation techniques that can be reused and modified with newly identified vulnerabilities.” The loosely regulated industry is a problem within itself. iVerify’s cofounder, Rocky Cole, points to the industry of brokers that may pay tens of millions of dollars for zero-day hacking techniques that they can resell for espionage, cybercrime, or cyberwar. Notably, Peter Williams, an executive of US government contractor Trenchant, was recently sentenced to seven years in prison for selling hacking tools to the Russian zero-day broker Operation Zero from 2022 to 2025. Williams’ sentencing memo notes that Trenchant sold hacking tools to the US intelligence community as well as others in the “Five Eyes” group of English-speaking governme

    30 min

  6. FEB 25

    Hack w/ Me Episode 2: Search Skills

    Intro Sup folks! Today, we will be discussing what was learned after finishing the Search Skills room in TryHackMe. Honestly, I went into this room thinking, “This is gonna be a bunch of filler that I already know, I should just skim through it.” But I quickly realized that there were plenty of VERY useful tips, tricks, and resources that I never knew. So with that, here’s a quick overview of the learning material within this room: * Evaluation of information sources * The use of search engines efficiently * Exploring specialized search engines * Reading technical documentation * Making use of social media * Checking news outlets Most of these topics are things I do regularly, especially reading technical documentation, considering that’s a required skill as a software engineer. But others, like the use of specialized search engines, were topics I’ve never really touched (or maybe I have in the past and didn’t realize it). Even some of the tips and tricks with search queries for the typical search engines like Google or DuckDuckGo were new to me, so I definitely learned a good amount from this section, aka “room”. I’ll try to make this article a quick read and sum up everything I went over and learned. Evaluation of Search Results For this task, we just went over how to effectively evaluate the information we ingest from our searches. Here are a handful of things to consider when evaluating information: * Source: Identify the author or organization publishing the information. Consider whether they are reputable and authoritative on the subject matter. Publishing a blog post does not make one an authority on the subject. * Evidence and reasoning: Check whether the claims are backed by credible evidence and logical reasoning. We are seeking hard facts and solid arguments. * Objectivity and bias: Evaluate whether the information is presented impartially and rationally, reflecting multiple perspectives. We are not interested in authors pushing shady agendas, whether to promote a product or attack a rival. * Corroboration and consistency: Validate the presented information by corroboration from multiple independent sources. Check whether multiple reliable and reputable sources agree on the central claim Search Engines Most people reading this will be familiar with Google or Bing, and some will be keen on DuckDuckGo, like myself. However, I found out about the many search operators that you can use to refine your search results. Each browser has its own set of operators, and some do overlap. It’s not isolated only to browsers either; many operating systems have their own subset of search operators as well. Here is a GitHub repo that has collected a ton of direct links to platform documentation of their respective search operators → https://github.com/cipher387/Advanced-search-operators-list. Since I use DuckDuckGo, let’s take a peek at a screenshot of that one: Here, you can see a variety of search operators that may come in handy for searching for specific items. One I find particularly useful is the filetype parameter. This will be extremely useful when trying to search for research papers and whitepapers. This actually partially disproves a statement I made in my latest article/podcast, which was that search queries these days were starting to produce less and less valuable results. Now that I’m no longer ingnorant to more advanced ways to search for information, I might be able to limit the trash articles I get in my queries 😅. I encourage people to play around with some of these search operators and confirm if your results are more refined and useful for what you’re searching for. Specialized Search Engines Completing this task was my “oh, word?!” moment when completing the room. There are SO many very specific search engines that provide fantastic information and context depending on what you’re looking for. I find that this is more useful for IT and Cyber Security engineers/enthusiasts, though. The example engines presented seem to be focused that way, at least. The first one we cover is Shodan. Shodan Shodan is a search engine for devices connected to the Internet. It allows you to search for specific types and versions of servers, networking equipment, industrial control systems, and IoT devices. For example, you may want to see how many servers are still running Apache 2.4.1 and the distribution across countries. To find the answer, we can search for apache 2.4.1, which will return the list of servers with the string “apache 2.4.1” in their headers. Censys Next up is Cynsys. Cynsys is similar to Shodan but focuses on Internet-connected hosts, websites, certificates, and other Internet assets. Some of its use cases include enumerating domains in use, auditing open ports and services, and discovering rogue assets within a network. They have a good doc on Introductory Use Cases that’s worth checking out. Some key use cases are: * Investigate indicators of compromise (IoCs): Find and track threat actors on the internet via the infrastructure they set up. * Enrich internal threat feeds with host and certificate data: Augment network logs with the most accurate, up-to-date public profile of the entities within and connecting to your network. * Create a timeline of adversary infrastructure: Investigate how and when an adversary weaponized infrastructure. See the history of a compromised or suspicious host. * Understand the global impact of vulnerabilities across the Internet: Conduct security research to understand the global impact of vulnerabilities across the Internet from CVEs to zero-days like SolarWinds or Microsoft Exchange. * Map your external attack surface: Investigate and view your attack surface from an external perspective by finding your Internet-facing assets and evaluating them for vulnerabilities. The Introductory Use Cases doc goes into deeper detail of the key use cases with some examples as well, but I won’t go over that in this article. I’m sure we will be utilizing this tool in the future for assignments. VirusTotal VirusTotal is a website that provides a virus-scanning service for files using multiple antivirus engines. It allows users to upload files or provide URLs to scan them against numerous antivirus engines and website scanners in a single operation. They can even input file hashes to check the results of previously uploaded files. The screenshot above shows the result of checking the submitted file against 67 antivirus engines. Moreover, one can check the community's comments for additional insights. From time to time, a file might be flagged as a virus or a Trojan; however, this might not be accurate for various reasons, and that's when community members can provide a more in-depth explanation. Have I Been Pwned Last but certainly not least, is “Have I Been Pwned” (HIBP). HIBP does one thing: it tells you if an email address has appeared in a leaked data breach. I’ve used this a couple of times over the past couple of years due to the increased data breach reports that have been sprouting up with apps I used, like Discord and the National Data Breach that exposed 3 BILLION PEOPLE!! Finding one’s email within leaked data indicates leaked private information and, more importantly, passwords. Many users use the same password across multiple platforms; if one platform is breached, their password on other platforms is also exposed. So please, for the love of god start using a password generator and manager lol. While passwords are usually stored in an encrypted format, many passwords are not that complex and can be recovered using a variety of attacks. Vulnerabilities & Exploits This task was pretty damn cool. We went over 2 main tools/databases: The Common Vulnerabilities and Exposures (CVE) program and the Exploit Database. Common Vulnerabilities and Exposures (CVE) It’s said to think of CVE as a dictionary of vulnerabilities. It provides a standardized identifier for vulnerabilities and security issues in software and hardware products. Each vulnerability is assigned a CVE ID with a standardized format like CVE-2024-29988. This unique identifier (CVE ID) ensures that everyone from security researchers to vendors and IT professionals is referring to the same vulnerability, CVE-2024-29988 in this case. The MITRE Corporation maintains the CVE system. For more information and to search for existing CVEs, we can visit the CVE Program website. Alternatively, we can visit the National Vulnerability Database (NVD) website. The screenshot below shows CVE-2014-0160, also known as Heartbleed. The Heartbleed bug is a critical security vulnerability in the OpenSSL cryptographic software library that allows attackers to exploit improperly implemented TLS heartbeat functions to access sensitive data in memory, such as private keys and passwords. This vulnerability was publicly disclosed in April 2014 and has since been patched in newer versions of OpenSSL. Exploit Database There are many reasons why you would want to exploit a vulnerable application; one would be assessing a company’s security as part of its red team. Needless to say, we should not try to exploit a vulnerable system unless we are given permission, usually via a legally binding agreement. Once we have permission to exploit a vulnerable system *wink wink*, we might need to find a working exploit code. One resource is the Exploit Database. The Exploit Database lists exploit codes from various authors; some of these exploit codes are tested and marked as verified. Technical Documentation & Social Media I want to combine these two tasks as they are pretty straightforward Technical Docs From coding languages & Framework docs like Python and Svelte to hardware ecosystem docs for Apple hardware, you will find well-organized documentation of its software or hardware. These official docs provide a reliable source of information about the software or product features and funct

    23 min

  7. FEB 18

    Open Season on OpenAI & The Crumbling AI Pillar Our Society Sits On

    Let's dive into how OpenAI and AI in general is hemorrhaging money, our environment, and the economy. Check out my Substack for the full video & full written article that contains all of the sources: https://open.substack.com/pub/digitaldopaminellc/p/open-season-on-openai-and-the-crumbling Follow Me on IG: https://www.instagram.com/digital_dopamine_llc Peep the Linktree for all other socials: https://linktr.ee/digital_dopamine If YouTube is your preference for watching, catch me over there and give me a subscribe: https://www.youtube.com/@DigitalDopamineLLC Get full access to Digital Dopamine at digitaldopaminellc.substack.com/subscribe

    53 min

  8. JAN 28

    The AT Protocol & Why You Should Drop Centralized Social Apps

    Intro (2 minutes) [Music Intro] What’s up, folks, and welcome to the second episode of the Digital Dopamine podcast! One of these days, I’m gonna get a sponsor lol and have a quick standard intro for everyone. In due time, in due time 😂. But people who follow me on IG have already seen what today’s episode is gonna be about, and that’s the AT Protocol, or Authenticated Transfer Protocol, atproto. All names are used in the space of decentralized digital identities. Alright, so we will be covering: * What the AT Protocol is at a basic-intermediate level so that developers and, more importantly, non-devs can understand what it is and how it works. * The key features of the AT Protocol and its benefits. * The Challenges and Limitations of the AT Protocol as of today. * Why apps built on the architecture (Bluesky, Flashes, and Pinksky) are superior to centralized social apps like IG, TikTok, and X, and what is capable within those apps. * Discussing a bit about Fanbase and UpScrolled. * Then, ending the show with a new project I’m starting up related to these apps and content distribution. After more research on the core tech and architecture of Bluesky, there are some concerns that I actually learned about and will give my honest frustration with it, but they pale in comparison to the issues I have with the likes of IG, TikTok, and X, and I personally see more benefits of using these apps over the others. So let’s get right into it. Main Story The At Protocol Overview *Skip to minute 30:00 if you want to skip the technical deep dive* So I’ll just start with a quick definition of the AT Protocol: “is a protocol and open standard for distributed social networking services.[3] It is under development by Bluesky Social PBC, a public benefit corporation created as an independent research group within [Twitter, Inc.](https://en.wikipedia.org/wiki/Twitter,_Inc.) to investigate the possibility of decentralizing the service.[4] A distributed social network (not to be confused with a decentralized or federated social network) is a network wherein all participating social networking services can communicate with each other through a unified communication protocol, and all participants are equal. Okay, technical definitions are over. What is the purpose of switching, and why should you care? depending on what you’re looking for in your social apps and identity will determine if any of this is of interest to you. So far, monetization is the only frustrating challenge I see with these apps, and in a world where influencers are the biggest proponents for people who might want to switch. If they don’t have a way to make money on these new platforms, it’s gonna be hard to get people to transition. That being said, creators can take the extra step and use external revenue channels like Substack, Patreon, or Fanbase in order to generate income from the traffic they get through the platforms. But Bluesky IS planning to add revenue streams to the platform, like a tipping system as well as subscriptions in future feature releases, so hopefully that comes sooner than later. AT Protocol also doesn’t support private content yet. If you need a private account or encrypted DMs, this isn’t your platform yet. But it’s coming. For public discourse and community building, it’s great. Now this next section is about to get a bit technical and into the weeds so if any of this starts to confuse you or you don’t really care about the good and the bad of the protocol, I’ll try to have a timestamp of where you can skip to and we talk about the apps that stand to be a 1:1 alternative and what they offer. AT Protocol’s Key Features The “Speech vs. Reach” Framework So the core concept of apps built on ATP is “Speech vs. Reach”. This is the heart of what makes AT Protocol different, and it’s the fundamental architectural philosophy of its creation. AT Protocol deliberately separates two layers: “speech” and “reach” and explains both in detail. * Speech Layer = permissive, distributed authority. It’s the data repository level where everyone has a voice. Your posts, data, and identity are all stored in signed repositories that you control. * Reach Layer = moderation and algorithmic curation. This is where platforms decide what you see. It’s about limiting the visibility/reach of content based on preferences, algorithms, moderation policies, etc. You are basically able to curate what you see on your feed without a central algorithm showing you what it thinks you might like, or force-feeding you rage bait or thirst traps because it tracked how long you paused on the “Suggested Reels” section…Which, for some reason, always has something you’ve clearly stated “See Less” or “Not Interested” multiple times. You’re able to literally choose moderation services and custom feed algorithms built by community developers. For instance, I have a handful of coding feed algorithms I’ve subscribed to, and my feed rarely shows posts that I wasn’t interested in. IfIi start to see a trend in the wrong direction, I can search for a new algorithm to swap to OR use none if my followers and likes are vast enough for the standard algorithm to know what I actually like. And for context, there are over 50,000 custom feeds that exist on Bluesky. So there’s bound to be a feed that fits your preferences. Moderation Dive To dive a bit deeper, Bluesky uses a two-tier moderation system: baseline protections (violence, exploitation, fraud) that everyone follows, then user choice on top. What this means: Bluesky maintains community standards, but you decide which additional moderation filters you subscribe to. Community-run labelers create custom labels (”Spoilers,” “Political Content,” etc.), and you choose which ones affect what you see. This is fundamentally different from Instagram, X, and TikTok: * Instagram bans you with no explanation or appeal * X’s moderation is inconsistent and unilateral under Musk * TikTok’s algorithm removes content opaquely Bluesky gives you transparency—you know why you were flagged, can appeal, and can choose your own moderation standards. The key insight: Moderation is part of the “reach” layer (who sees what), not the “speech” layer (whether content exists). This means if you block someone on one AT Protocol app, that block carries across all apps. Your moderation rules work at the protocol level, not just one platform. You’re not at the mercy of one company’s moderation philosophy, and you set your own standards. DIDs (Decentralized Identifiers) Another awesome feature is DID, or Decentralized Identifiers. Instead of your identity being @username.instagram.com, which is tied to Meta’s servers, your identity on AT Protocol is a cryptographic DID that looks like a hash. Example: did:plc:7iza6de2dwap2sbkpav7c6c6 I’ll explain did:plc a bit later. This DID can have multiple human-readable handles (@alice.example.com, @alice.bsky.social), but the DID stays the same and is portable. And I think this is one of the most, if not THE most important features within this ecosystem. And that’s the fact that you can’t get banned or straight-up deleted from the devs/company that built the app. With Instagram, your account exists at the pleasure of Meta. And we have seen how they’ve been moving on IG recently. I’ve experienced it myself, and I’m a nobody on that platform lol. If they ban you, you lose everything—followers, posts, history, pretty much your whole digital identity. With AT Protocol, your DID (your actual identity) is cryptographically yours. Your posts are signed by you. If Bluesky shuts down, you move to another AT Protocol app and bring everything with you: all followers see your posts, your history is intact, and your identity persists. Now, how this works is: Your DID contains your public cryptographic keys, and your posts are signed with your private key. This means you can prove ownership of your account without asking permission from any company, and if it comes to it, you can migrate servers without the old server’s involvement. So imagine if a big name like IShowSpeed could leave Instagram, take 100% of his followers and posts him to Snapchat or TikTok (if they were on AT Protocol), and his username and followers would be transferred as well and they would still be able to verify it’s him AND he would still be able to have his own verified status come along too. That’s what the AT Protocol enables. So getting control and freedom of your digital identity would be a great thing for us as a society to do, in my opinion. But that leads us back to some of the major drawbacks and bottlenecks I discovered while researching this. The Challenges and Limitations So, currently, the most common DID method is did:plc “Public Ledger of Credential,” and Bluesky runs the single directory service that manages it. There’s no redundancy or independent backup, so if the directory goes down, critical network functions break. Which then raises the theoretical concern of you being banned at the protocol level by Bluesky if they really wanted to be petty 😩 cause that wouldn’t only ban you from Bluesky, it would ban your DID from all apps you’re using with DID. It also contradicts the whole decentralization narrative. But I’m not too concerned about this for a few reasons: * That would ruin the reputation of Bluesky and the Protocol they built,t which will encourage people to go back to the mainstream apps or switch to a different, more raw decentralized protocol, like Nostr. I won’t dive into Nostr, but I will leave links to the Wiki (https://en.wikipedia.org/wiki/Nostr), the white-paper it released in 2020 (https://fiatjaf.com/nostr.html), and it’s Github README (https://github.com/nostr-protocol/nostr/) in the script. Also. Very cool protocol, but not as feature-rich to build on as AT Protocol. * They are already

    54 min
  9. Billionaires' Takeover Attempt in Greenland

    JAN 23

    Billionaires' Takeover Attempt in Greenland

    Intro (2 minutes) * *[Music Intro] Welcome everyone, to the first podcast of Digital Dopamine! Where I’ll be delivering a weekly dose of tech news, app demos, tips, and tricks, tailored to tech enthusiasts and developers of all levels. On today’s Episode we’re gonna focus on the Tech Billionaire’s wet dream…” Greenland”. As a lot of you probably know by now, there’s this feverish push to “buy” Greenland, which is pretty much another invasion, and they want to make it seem like it’s for national security. While that claim may be partially true. I’m gonna dive into the real culprits behind this push, and that’s all the tech billionaires, specifically the “PayPal” Mafia. Main Story Who’s the PayPal Mafia, you ask? Well i’ll get into that in a bit, but first, let’s go back to 2016, where a man named Ronald Lauder made the first move of this long game plan. I’ll keep this briefing quick, Lauder, in 2016, made a huge investment in , a luxury water bottling company founded by Svend Hardenberg and Jørgen Wæver Johansen, both of whom are well-connected in the political sphere. Now Ronald is the person who floated the idea during Trump’s first term to make Greenland part of the US (Source-1, Source-2), with some analysts describing his investments in Greenlandic businesses asa political strategy rather than purely commercial (Source). Ronald’s business partner, Jørgen, is married to Greenland’s current foreign minister, which is for sure a conflict of interest, but that’s never stopped the ultra-wealthy from doing business. But the same individuals negotiating foreign investment policy are also investment recipients. Now that’s just a bit of context for how this all started, and I recommend diving deeper into Ronald Lauder when you get some free time. But let’s hop ahead a few years to talk about some other Billionaires that didn’t wanna miss out on the exploitation. In 2019, when traction started to pick up on the “idea” of buying Greenland, Jeff Bezos, Bill Gates, and Michael Bloomberg all invested in a company called KoBold Metals through Breakthrough Energy, an organization founded by Bill Gates himself (Source). KoBold Metals is a company that explores and develops mineral resources essential for clean energy technologies, which consists of Ev Vehicle wind turbines, etc, and the minerals they are in search of include lithium, nickel, copper, and cobalt, which are critical for batteries and other renewable energy solutions. How they search for these rare earths is through AI-powered exploration of the island. And in 2022, guess who decided to join the party, Sam Altman, and since then, more and more investments have poured into KoBold Metals, valuing the company today at around 2.96 billion dollars. Speaking of muddied interests, Howard Nutlick….I mean, Lutnick… has been investing in a different Greenland Mining company called Critical Metals Corp……..for over 3 decades through Cantor Fitzgerald. He’s since divested in cantor but his stake was just handed over to his children……and I’m SUREEEE they will have a moral compass and not be a conflict of interest in the area moving forward. (Forbes) And then we have Ken Howery, a former venture capitalist and associate of Peter Thiel, who Trump appointed as US ambassador to Denmark…..like how is no major outlet reporting about this?!?!…. That’s rhetorical, of course. There are a couple more folks in the weeds of all of this, but for the sake of time, I’m gonna now get to the PayPal Mafia, and how they plan to create a “Freedom City”…which in reality will be an internet-native/technocratic nation, testing AI surveillance tech before bringing it back home here in the US. Let’s start at Praxis, which is a company founded by Dryden Brown and Charlie Callinan, with Howard Hughes Corporation founder David Weinreb, who is the current vice chairman. Praxis describes itself as an “internet-native nation” [1] and has stated plans to create a 10,000-person city in the Mediterranean. Brown is designing a theoretical “city-state” aiming to “restore Western Civilization,” and has had his sights on Greenland specifically. Who backs this concept???? PayPal Mafia members, including Peter Thiel and Ken Howery, Trump’s pick for Denmark ambassador So how do they play to test surveillance?? Praxis plans include “AI-augmented governance” and will feature “employer-friendly labor laws” described as “Elon-compatible.” The company’s manifesto describes creating all infrastructure—contracts, governance—on blockchain, creating a “tax-free enclave, governed by free-market principles and managed by a king-CEO leading citizen-shareholders.” (Source) The argument for why they are desperate for Greenland is that it’s a small, contained population (Greenland has under 57,000 people) where these billionaires with their shady political connections could experiment with governance, AI integration, and surveillance systems. All while being free from existing regulatory frameworks and the consequences that come with breaking them. These tech billionaires envision unregulated “freedom cities” in Greenland, free from democratic oversight, environmental laws, and labor protections. La Voce di New York Greenland’s cool climate is ideal for hosting massive AI data centers. Wikipedia—combining computational power with a controlled population creates something like a real-world laboratory. The PayPal Mafia’s collective vision is “a state stripped down to its bare bones, with only one objective: maximize shareholder value.”(Source: New Arab). These people include Elon Musk, Thiel’s minion JD Vance, Ken Howery, and other members across Trump’s executive branch, like David Sacks, who is Trump’s advisor on AI and cryptocurrencies. This group has unprecedented political access and, from their past actions, will surely stop at nothing until they get their greasy, greedy hands on Greenland. Peter Thiel and Elon Musk see Greenland not just as a source of rare earths, but as a laboratory for their libertarian economic and social experiments. ( The Irish Times ) The crazy part is, this is all being experimented with NOW in Próspera. “What’s Próspera?” you ask…..well, Próspera is a charter city on the island of Roatán in Honduras, operating as one of three Zones for Employment and Economic Development (ZEDEs) with autonomy from the national government. It’s backed by venture capitalists, including none other than Peter F*****G Thiel, Marc Andreessen, and Balaji Srinivasan (buh-LAH-jee sree-nee-VAH-sun)…I literally had to add how to pronounce his name in the script lol. But the investment is through Pronomos Capital, and has recently attracted Coinbase CEO Brian Armstrong as an additional investor. So this is pretty much a libertarian experimental zone designed to test free-market principles at scale. According to historian Quinn Slobodian, Próspera is part of a broader trend of projects aimed at implementing these theories in practice. The model features: * Minimal taxation: Tax rates are 1% on business revenue, 5% on wages, and 2.5% sales tax, with 5% personal income tax as of 2025. * Corporate governance: Honduras Próspera Inc. has veto power over the governing council’s nine-member body, with four members appointed by the company itself. * Crypto integration: Bitcoin is recognized as legal tender within the city. * Private arbitration and custom law: Businesses can select regulations from approved foreign jurisdictions or propose custom regulations subject to Próspera’s approval. (The Irish Times) And this is already negatively affecting the local populations of neighboring villages. The village of Crawfish Rock expressed fears about land expropriation, and funds earmarked for Honduras development haven’t reached nearby communities, while Próspera uses the island’s infrastructure (electricity, airports, garbage) with inequities. Honduras’ leftist President Xiomara Castro repealed the ZEDE law in 2022, citing sovereignty concerns, but Próspera didn’t stop operations…….they instead decided to sue Honduras for $10.7 billion—equivalent to one-third of the country’s GDP. (The Irish Times) This is the atrocity: create a private city with minimal regulation, extract wealth from the land and locals while ignoring their communities, and use international legal mechanisms to override national sovereignty if a government tries to stop it. Greenland would be where this model scales globally. Outro So really quick: we have mining companies searching for rare earth minerals (Bezos, Gates, Bloomberg via KoBold), water extraction (Lauder), and a libertarian city-state with AI governance (Thiel, Howery, Altman via Praxis), an ongoing experiment in Próspera testing these theories of libertarianism, minimal income and business revenue tax while at the same time, horrid wages for workers & being a haven for crypto fraud and laundering by the GOV—all connecting to the same island, all connected to PayPal alumni, all with Trump administration alignment. Editors Note All sources in the article are bolded with links. Feel free to correct any of my sources in the comments. Get full access to Digital Dopamine at digitaldopaminellc.substack.com/subscribe

    19 min
  • 9 Episodes

About

Tune in for a weekly dose of digital dopamine! Explore productivity apps, uncover tech trends, and dive into short coding tutorials tailored for new developers. Subscribe for insights that supercharge your tech journey! digitaldopaminellc.substack.com

Information

  • Creator
    Digital Dopamine
  • Years Active
    2K
  • Episodes
    9
  • Rating
    Explicit
  • Copyright
    © Kyle Leonard
  • Show Website
    Digital Dopamine