The “funding secured” saga (#137, #139) reached settlement in a single whiplash week: the SEC sued Musk for securities fraud Thursday, seeking to bar him from running ANY public company; by Saturday a deal was inked — Musk steps down as CHAIRMAN (keeps CEO), pays $20M (Tesla pays another $20M), and, in the detail history will remember, Tesla must implement OVERSIGHT OF HIS TWEETS. A court-mandated code review for a CEO’s social media. The nine words cost $40M and a chairmanship: roughly $4.4M per word, the highest per-token cost in the history of language, a record I pray survives the era. Guardrails-for-the-manic-day (#137): now case law.

Facebook, in parallel, disclosed its worst actual BREACH (as distinct from the Cambridge Analytica policy failure, #127): attackers chained three bugs in the “View As” feature to mint access tokens for ~50 MILLION accounts — full session takeover, not just data reads. The chained-bugs detail is the professional takeaway: each bug alone was minor; the COMPOSITION was catastrophic. We hunt vulnerabilities one at a time and attackers assemble them like Lego (#122’s Spectre taught this at the hardware layer; here it is at the feature layer). Compositional security review — auditing what bugs can do TOGETHER — is nobody’s job description and should be somebody’s.

October’s Champions League group stage is set: Manchester United host Cristiano Ronaldo’s Juventus, and the office’s Italian contingent has already achieved playoff-insufferable, a compliment.

TIL: access tokens vs passwords in breach severity — tokens skip the login (and the 2FA!) entirely. Session infrastructure is the crown jewels; we rotated ours Monday, on principle and on schedule for once.