AT2k Design BBS Message Area
Message area: Computer Support/Help/Discussion [1856 / 1862]

From: Sean Rima
To: All
Subject: CRYPTO-GRAM, June 15, 2025 Part4
Date: June 15, 2025 12:02 PM

don't take that pause and don't make those better decisions, then
they're to blame when the attack occurs.

That's simply not true, and its blame-the-user message is one of the worst
mistakes our industry makes. Stop trying to fix the user. It's not the
user's fault if they click on a link and it infects their system. It's not
their fault if they plug in a strange USB drive or ignore a warning message that
they can't understand. It's not even their fault if they get fooled by a
look-alike bank website and lose their money. The problem is that we've
designed these systems to be so insecure that regular, nontechnical people
can't use them with confidence. We're using security awareness campaigns to
cover up bad system design. Or, as security researcher Angela Sasse first said
in 1999: "Users are not the enemy."

We wouldn't accept that in other parts of our lives. Imagine Take9 in other
contexts. Food service: "Before sitting down at a restaurant, take nine
seconds: Look in the kitchen, maybe check the temperature of the cooler, or if
the cooks' hands are clean." Aviation: "Before boarding a plane, take nine
seconds: Look at the engine and cockpit, glance at the plane's maintenance
log, ask the pilots if they feel rested." This is obviously ridiculous advice.
The average person doesn't have the training or expertise to evaluate
restaurant or aircraft safety -- and we don't expect them to. We have laws and
regulations in place that allow people to eat at a restaurant or board a plane
without worry.

But -- we get it -- the government isn't going to step in and regulate the
Internet. These insecure systems are what we have. Security awareness training,
and the blame-the-user mentality that comes with it, are all we have. So if we
want meaningful behavioral change, it needs a lot more than just a pause. It
needs cognitive scaffolding and system designs that account for all the dynamic
interactions that go into a decision to click, download, or share. And that
takes real work -- more work than just an ad campaign and a slick video.

This essay was written with Arun Vishwanath, and originally appeared in Dark
Reading.

** *** ***** ******* *********** *************

Australia Requires Ransomware Victims to Declare Payments

[2025.06.02] A new Australian law requires larger companies to declare any
ransomware payments they have made.

** *** ***** ******* *********** *************

New Linux Vulnerabilities

[2025.06.03] They're interesting:

Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race
condition bugs that could enable a local attacker to obtain access to
sensitive information. Tools like Apport and systemd-coredump are designed to
handle crash reporting and core dumps in Linux systems.

[...]

"This means that if a local attacker manages to induce a crash in a privileged
process and quickly replaces it with another one with the same process ID that
resides inside a mount and pid namespace, apport will attempt to forward the
core dump (which might contain sensitive information belonging to the original,
privileged process) into the namespace."

Moderate severity, but definitely worth fixing.

Slashdot thread.

** *** ***** ******* *********** *************

The Ramifications of Ukraine's Drone Attack

[2025.06.04] You can read the details of Operation Spiderweb elsewhere. What
interests me are the implications for future warfare:

If the Ukrainians could sneak drones so close to major air bases in a police
state such as Russia, what is to prevent the Chinese from doing the same with
U.S. air bases? Or the Pakistanis with Indian air bases? Or the North Koreans
with South Korean air bases? Militaries that thought they had secured their air
bases with electrified fences and guard posts will now have to reckon with the
threat from the skies posed by cheap, ubiquitous drones that can be easily
modified for military use. This will necessitate a massive investment in
counter-drone systems. Money spent on conventional manned weapons systems
increasingly looks to be as wasted as spending on the cavalry in the 1930s.

The Atlantic makes similar points.

There's a balance between the cost of the thing, and the cost to destroy the
thing, and that balance is changing dramatically. This isn't new, of course.
Here's an article from last year about the cost of drones versus the cost of
top-of-the-line fighter jets. If $35K in drones (117 drones times an estimated
$300 per drone) can destroy $7B in Russian bombers and other long-range
aircraft, why would anyone build more of those planes? And we can have this
discussion about ships, or tanks, or pretty much every other military vehicle.
And then we can add in drone-coordinating technologies like swarming.

Clearly we need more research on remotely and automatically disabling drones.

** *** ***** ******* *********** *************

Report on the Malicious Uses of AI

[2025.06.06] OpenAI just published its annual report on malicious uses of AI.

By using AI as a force multiplier for our expert investigative teams, in the
three months since our last report we've been able to detect, disrupt and
expose abusive activity including social engineering, cyber espionage, deceptive
employment schemes, covert influence operations and scams.

These operations originated in many parts of the world, acted in many different
ways, and focused on many different targets. A significant number appeared to
originate in China: Four of the 10 cases in this report, spanning social
engineering, covert influence operations and cyber threats, likely had a Chinese
origin. But we've disrupted abuses from many other countries too: this report
includes case studies of a likely task scam from Cambodia, comment spamming
apparently from the Philippines, covert influence attempts potentially linked
with Russia and Iran, and deceptive employment schemes.

Reports like these give a brief window into the ways AI is being used by
malicious actors around the world. I say "brief" because last year the
models weren't good enough for these sorts of things, and next year the threat
actors will run their AI models locally -- and we won't have this kind of
visibility.

Wall Street Journal article (also here). Slashdot thread.

** *** ***** ******* *********** *************

Hearing on the Federal Government and AI

[2025.06.06] On Thursday I testified before the House Committee on Oversight and
Government Reform at a hearing titled "The Federal Government in the Age of
Artificial Intelligence."

The other speakers mostly talked about how cool AI was -- and sometimes about
how cool their own company was -- but I was asked by the Democrats to
specifically talk about DOGE and the risks of exfiltrating our data from
government agencies and feeding it into AIs.

My written testimony is here. Video of the hearing is here.

** *** ***** ******* *********** *************

New Way to Covertly Track Android Users

[2025.06.09] Researchers have discovered a new way to covertly track Android
users. Both Meta and Yandex were using it, but have suddenly

--- BBBS/LiR v4.10 Toy-7
 * Origin: TCOB1: https/binkd/telnet binkd.rima.ie (618:500/1)
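A check to go with the Linux core-dump item in the message above (CVE-2025-5054 in Apport, CVE-2025-4598 in systemd-coredump). This is example code added here, not code from Crypto-Gram, Qualys, Apport or systemd, and the function names are its own. It reports which helper the kernel pipes core dumps to (the quoted scenario only matters if that helper is Apport or systemd-coredump) and whether fs.suid_dumpable allows privileged processes to be dumped at all. The classification assumes the stock core_pattern strings that Ubuntu and systemd install; the suid_dumpable=0 hardening is general advice that the quoted item does not itself state.

```sh
#!/bin/sh
# Added example (not from the Crypto-Gram item): inspect how a Linux host
# routes core dumps, because CVE-2025-5054 (Apport) and CVE-2025-4598
# (systemd-coredump) are races in the user-space helper that receives a
# privileged process's core. Function names below are this example's own.

# Classify a kernel.core_pattern value. A leading '|' means the kernel pipes
# the dump to a user-space helper; anything else is a file path template.
classify_core_handler() {
    pattern=$1
    case "$pattern" in
        "|"*apport*)            echo apport ;;
        "|"*systemd-coredump*)  echo systemd-coredump ;;
        "|"*)                   echo other-pipe-handler ;;
        *)                      echo file ;;
    esac
}

# Combine the handler class with fs.suid_dumpable. With suid_dumpable=0 the
# kernel never dumps setuid or otherwise privileged processes, so no
# privileged core reaches the helper (general hardening, assumed here).
dump_exposure() {
    handler=$1
    suid_dumpable=$2
    case "$handler:$suid_dumpable" in
        apport:0|systemd-coredump:0) echo affected-handler-no-privileged-dumps ;;
        apport:*|systemd-coredump:*) echo affected-handler-privileged-dumps-allowed ;;
        *:0)                         echo unaffected-handler-no-privileged-dumps ;;
        *)                           echo unaffected-handler ;;
    esac
}

# Read the live kernel settings when running on Linux; otherwise fall back to
# constructed sample values (an Ubuntu-style apport pattern, suid_dumpable=2)
# so the script still runs and shows the output format.
main() {
    if [ -r /proc/sys/kernel/core_pattern ] && [ -r /proc/sys/fs/suid_dumpable ]; then
        pat=$(cat /proc/sys/kernel/core_pattern)
        sd=$(cat /proc/sys/fs/suid_dumpable)
    else
        pat='|/usr/share/apport/apport -p%p -s%s -c%c -d%d -P%P -u%u -g%g -- %E'  # constructed
        sd=2                                                                         # constructed
    fi
    h=$(classify_core_handler "$pat")
    echo "core_pattern handler: $h"
    echo "fs.suid_dumpable:     $sd"
    echo "exposure:             $(dump_exposure "$h" "$sd")"
}

main
```

Both /proc files are world-readable, so any local user can run this. If the result is an affected handler with privileged dumps allowed, the fix is the vendor update for Apport or systemd; `sysctl -w fs.suid_dumpable=0` is the stopgap that stops privileged cores from reaching the helper at all, at the cost of losing crash dumps for those processes.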