AT2k Design BBS Message Area
| From | To | Subject | Date/Time |
|---|---|---|---|
| Sean Rima | All | CRYPTO-GRAM, June 15, 2025 Part3 | June 15, 2025 12:02 PM |
we’ve seen this. Qatar did it in 2022 around the World Cup:

“After accepting the terms of these apps, moderators will have complete control of users’ devices,” he continued. “All personal content, the ability to edit it, share it, extract it as well as data from other apps on your device is in their hands. Moderators will even have the power to unlock users’ devices remotely.”

** *** ***** ******* *********** *************

Surveillance Via Smart Toothbrush

[2025.05.29] The only links are from The Daily Mail and The Mirror, but a marital affair was discovered because the cheater was recorded using his smart toothbrush at home when he was supposed to be at work.

** *** ***** ******* *********** *************

Why Take9 Won’t Improve Cybersecurity

[2025.05.30] There’s a new cybersecurity awareness campaign: Take9. The idea is that people -- you, me, everyone -- should just pause for nine seconds and think more about the link they are planning to click on, the file they are planning to download, or whatever it is they are planning to share.

There’s a website -- of course -- and a video, well-produced and scary. But the campaign won’t do much to improve cybersecurity. The advice isn’t reasonable, it won’t make either individuals or nations appreciably safer, and it deflects blame from the real causes of our cyberspace insecurities.

First, the advice is not realistic. A nine-second pause is an eternity in something as routine as using your computer or phone. Try it; use a timer. Then think about how many links you click on and how many things you forward or reply to. Are we pausing for nine seconds after every text message? Every Slack ping? Does the clock reset if someone replies midpause? What about browsing -- do we pause before clicking each link, or after every page loads? The logistics quickly become impossible. I doubt they tested the idea on actual users.

Second, it largely won’t help.
The industry should know because we tried it a decade ago. “Stop. Think. Connect.” was an awareness campaign from 2016, by the Department of Homeland Security -- this was before CISA -- and the National Cybersecurity Alliance. The message was basically the same: Stop and think before doing anything online. It didn’t work then, either.

Take9’s website says, “Science says: In stressful situations, wait 10 seconds before responding.” The problem with that is that clicking on a link is not a stressful situation. It’s normal, one that happens hundreds of times a day. Maybe you can train a person to count to 10 before punching someone in a bar but not before opening an attachment.

And there is no basis in science for it. It’s a folk belief, all over the Internet but with no actual research behind it -- like the five-second rule when you drop food on the floor. In emotionally charged contexts, most people are already overwhelmed, cognitively taxed, and not functioning in a space where rational interruption works as neatly as this advice suggests.

Pausing Adds Little

Pauses help us break habits. If we are clicking, sharing, linking, downloading, and connecting out of habit, a pause to break that habit works. But the problem here isn’t habit alone. The problem is that people aren’t able to differentiate between something legitimate and an attack.

The Take9 website says that nine seconds is “time enough to make a better decision,” but there’s no use telling people to stop and think if they don’t know what to think about after they’ve stopped. Pause for nine seconds and... do what? Take9 offers no guidance. It presumes people have the cognitive tools to understand the myriad potential attacks and figure out which one of the thousands of Internet actions they take is harmful. If people don’t have the right knowledge, pausing for longer -- even a minute -- will do nothing to add knowledge.
The three-part suspicion, cognition, and automaticity model (SCAM) is one way to think about this. The first is lack of knowledge -- not knowing what’s risky and what isn’t. The second is habits: people doing what they always do. And third, using flawed mental shortcuts, like believing PDFs to be safer than Microsoft Word documents, or that mobile devices are safer than computers for opening suspicious emails.

These pathways don’t always occur in isolation; sometimes they happen together or sequentially. They can influence each other or cancel each other out. For example, a lack of knowledge can lead someone to rely on flawed mental shortcuts, while those same shortcuts can reinforce that lack of knowledge. That’s why meaningful behavioral change requires more than just a pause; it needs cognitive scaffolding and system designs that account for these dynamic interactions.

A successful awareness campaign would do more than tell people to pause. It would guide them through a two-step process. First trigger suspicion, motivating them to look more closely. Then, direct their attention by telling them what to look at and how to evaluate it. When both happen, the person is far more likely to make a better decision.

This means that pauses need to be context specific. Think about email readers that embed warnings like “EXTERNAL: This email is from an address outside your organization” or “You have not received an email from this person before.” Those are specifics, and useful. We could imagine an AI plug-in that warns: “This isn’t how Bruce normally writes.” But of course, there’s an arms race in play; the bad guys will use these systems to figure out how to bypass them.

This is all hard. The old cues aren’t there anymore. Current phishing attacks have evolved from those older Nigerian scams filled with grammar mistakes and typos. Text message, voice, or video scams are even harder to detect.
There isn’t enough context in a text message for the system to flag. In voice or video, it’s much harder to trigger suspicion without disrupting the ongoing conversation. And all the false positives, when the system flags a legitimate conversation as a potential scam, work against people’s own intuition. People will just start ignoring their own suspicions, just as most people ignore all sorts of warnings that their computer puts in their way.

Even if we do this all well and correctly, we can’t make people immune to social engineering. Recently, both cyberspace activist Cory Doctorow and security researcher Troy Hunt -- two people who you’d expect to be excellent scam detectors -- got phished. In both cases, it was just the right message at just the right time.

It’s even worse if you’re a large organization. Security isn’t based on the average employee’s ability to detect a malicious email; it’s based on the worst person’s inability -- the weakest link. Even if awareness raises the average, it won’t help enough.

Don’t Place Blame Where It Doesn’t Belong

Finally, all of this is bad public policy. The Take9 campaign tells people that they can stop cyberattacks by taking a pause and making a better decision. What’s not said, but certainly implied, is that if they

--- BBBS/LiR v4.10 Toy-7
 * Origin: TCOB1: https/binkd/telnet binkd.rima.ie (618:500/1)