Subj : CRYPTO-GRAM, June 15, 2025 Part4
To : All
From : Sean Rima
Date : Sun Jun 15 2025 12:02:48

don't take that pause and don't make those better decisions, then they're to blame when the attack occurs. That's simply not true, and its blame-the-user message is one of the worst mistakes our industry makes.

Stop trying to fix the user. It's not the user's fault if they click on a link and it infects their system. It's not their fault if they plug in a strange USB drive or ignore a warning message that they can't understand. It's not even their fault if they get fooled by a look-alike bank website and lose their money. The problem is that we've designed these systems to be so insecure that regular, nontechnical people can't use them with confidence. We're using security awareness campaigns to cover up bad system design. Or, as security researcher Angela Sasse first said in 1999: "Users are not the enemy."

We wouldn't accept that in other parts of our lives. Imagine Take9 in other contexts. Food service: "Before sitting down at a restaurant, take nine seconds: Look in the kitchen, maybe check the temperature of the cooler, or if the cooks' hands are clean." Aviation: "Before boarding a plane, take nine seconds: Look at the engine and cockpit, glance at the plane's maintenance log, ask the pilots if they feel rested."

This is obviously ridiculous advice. The average person doesn't have the training or expertise to evaluate restaurant or aircraft safety -- and we don't expect them to. We have laws and regulations in place that allow people to eat at a restaurant or board a plane without worry.

But -- we get it -- the government isn't going to step in and regulate the Internet. These insecure systems are what we have. Security awareness training, and the blame-the-user mentality that comes with it, are all we have. So if we want meaningful behavioral change, it needs a lot more than just a pause.
It needs cognitive scaffolding and system designs that account for all the dynamic interactions that go into a decision to click, download, or share. And that takes real work -- more work than just an ad campaign and a slick video.

This essay was written with Arun Vishwanath, and originally appeared in Dark Reading.

** *** ***** ******* *********** *************

Australia Requires Ransomware Victims to Declare Payments

[2025.06.02] A new Australian law requires larger companies to declare any ransomware payments they have made.

** *** ***** ******* *********** *************

New Linux Vulnerabilities

[2025.06.03] They're interesting:

Tracked as CVE-2025-5054 and CVE-2025-4598, both vulnerabilities are race condition bugs that could enable a local attacker to obtain access to sensitive information. Tools like Apport and systemd-coredump are designed to handle crash reporting and core dumps in Linux systems.

[...]

"This means that if a local attacker manages to induce a crash in a privileged process and quickly replaces it with another one with the same process ID that resides inside a mount and pid namespace, apport will attempt to forward the core dump (which might contain sensitive information belonging to the original, privileged process) into the namespace."

Moderate severity, but definitely worth fixing.

Slashdot thread.

** *** ***** ******* *********** *************

The Ramifications of Ukraine's Drone Attack

[2025.06.04] You can read the details of Operation Spiderweb elsewhere. What interests me are the implications for future warfare:

If the Ukrainians could sneak drones so close to major air bases in a police state such as Russia, what is to prevent the Chinese from doing the same with U.S. air bases? Or the Pakistanis with Indian air bases? Or the North Koreans with South Korean air bases?
Militaries that thought they had secured their air bases with electrified fences and guard posts will now have to reckon with the threat from the skies posed by cheap, ubiquitous drones that can be easily modified for military use. This will necessitate a massive investment in counter-drone systems. Money spent on conventional manned weapons systems increasingly looks to be as wasted as spending on the cavalry in the 1930s.

The Atlantic makes similar points.

There's a balance between the cost of the thing, and the cost to destroy the thing, and that balance is changing dramatically. This isn't new, of course. Here's an article from last year about the cost of drones versus the cost of top-of-the-line fighter jets.

If $35K in drones (117 drones times an estimated $300 per drone) can destroy $7B in Russian bombers and other long-range aircraft, why would anyone build more of those planes? And we can have this discussion about ships, or tanks, or pretty much every other military vehicle. And then we can add in drone-coordinating technologies like swarming.

Clearly we need more research on remotely and automatically disabling drones.

** *** ***** ******* *********** *************

Report on the Malicious Uses of AI

[2025.06.06] OpenAI just published its annual report on malicious uses of AI.

By using AI as a force multiplier for our expert investigative teams, in the three months since our last report we've been able to detect, disrupt and expose abusive activity including social engineering, cyber espionage, deceptive employment schemes, covert influence operations and scams. These operations originated in many parts of the world, acted in many different ways, and focused on many different targets. A significant number appeared to originate in China: Four of the 10 cases in this report, spanning social engineering, covert influence operations and cyber threats, likely had a Chinese origin.
But we've disrupted abuses from many other countries too: this report includes case studies of a likely task scam from Cambodia, comment spamming apparently from the Philippines, covert influence attempts potentially linked with Russia and Iran, and deceptive employment schemes.

Reports like these give a brief window into the ways AI is being used by malicious actors around the world. I say "brief" because last year the models weren't good enough for these sorts of things, and next year the threat actors will run their AI models locally -- and we won't have this kind of visibility.

Wall Street Journal article (also here). Slashdot thread.

** *** ***** ******* *********** *************

Hearing on the Federal Government and AI

[2025.06.06] On Thursday I testified before the House Committee on Oversight and Government Reform at a hearing titled "The Federal Government in the Age of Artificial Intelligence." The other speakers mostly talked about how cool AI was -- and sometimes about how cool their own company was -- but I was asked by the Democrats to specifically talk about DOGE and the risks of exfiltrating our data from government agencies and feeding it into AIs.

My written testimony is here. Video of the hearing is here.

** *** ***** ******* *********** *************

New Way to Covertly Track Android Users

[2025.06.09] Researchers have discovered a new way to covertly track Android users. Both Meta and Yandex were using it, but have suddenly

--- BBBS/LiR v4.10 Toy-7
 * Origin: TCOB1: https/binkd/telnet binkd.rima.ie (618:500/1)