There is a broadly held belief that digitally signed software objects are more trustworthy than unsigned ones. There is an element of truth in this, but be careful: a signature only proves that some holder of the signing key signed the object, not that the object is safe, and the belief can produce a false sense of security. It can lead you to install a "digitally signed" software object that does serious damage to your digital ecosystem, and to your finances as you try to recover from a cybercrime-induced disruption to "life as usual". I am going to describe an actual case that I recently encountered with a software installation package provided by one of the four-letter-acronym U.S. government agencies that we all look to as experts for cyber security guidance. I won't mention the name, but suffice it to say, they should know better! For this article, I'll refer to the government entity using these poor and insecure practices in its software supply chain as ZZZZ.