So, when are people going to start praising Musk for opposing Trump's Big Ugly Bill and Trump taking revenge on him?
https://www.nbcnews.com/business/business-news/trump-musk-contracts-subsidies-budget-cuts-rcna211288
@FediThing @lauren @baldur These wrong answers lead me to the right answer faster than a google search, for instance, so yes, it's beneficial since it saves me time. As long as you've learned not to trust it blindly - which is why I said that we should teach how to use it properly.
@lauren @FediThing @baldur I am not talking about teaching them how AI tech works. We don't teach everybody how the internals of the computer work. I am talking about teaching them how to *use* AI properly - just like we teach kids how to use computers.
What is the alternative? Not teach them how to use AI properly and let them try to figure it out themselves and fall for hallucinations and other bullshit?
Oh, and you just blamed the users, BTW, by saying that they can't use security properly. Which they indeed can't - but it's our fault, not theirs, because so far we have failed to figure out how to make computer use for sensitive stuff both secure and intuitive.
@GossiTheDog At least they have the option to pay. Can you imagine if paying the ransom had been made illegal?
@GossiTheDog
In case you missed it in the actual article:
"The hacker was able to access data that the app captured intermittently for debugging purposes, and would not have been able to capture every single message or piece of data that passes through TeleMessage’s service."
That is, this was only debug data, not actual logged messages. As far as I understand, the actual logs are encrypted with a password - although that probably doesn't amount to much, since the password seems to be hard-coded in the app.
Also, you have to pick one:
- Trump's government is bad because they use Signal's disappearing messages to avoid scrutiny
or
- Trump's government is bad because they complied with a judge's order to log Signal messages.
You can't criticize them for both simultaneously and still have any credibility that your reasoning isn't obscured by your politics.
Oh, and Telemessage was procured by the Biden administration - it is not a Trump thing. They just used it to comply with the judge's order.
OK, here is some additional info about the Telemessage thing found by somebody on BlueSky:
- The hard-coded credentials are used to encrypt the collected logs.
- They seem to be "encrypted" in a passworded archive (ZIP?). Not sure; I'm not familiar with Kotlin.
- They are uploaded to a PostgreSQL database on a server in Israel.
- The database is accessed by subscriber e-mail and PIN.
- The site has been purged, which probably means that at least until the app is updated, the US government communications via Signal are no longer logged, as required by law.
I still wouldn't call this a "backdoor" but definitely poor security practices:
- Hard-coded credentials, duh.
- ZIP legacy encryption is vulnerable to known-plaintext attacks.
- Storing sensitive info on a server in a foreign country is bad - not because you can't trust the company but because you have no control of its security. What if an employee runs an info stealer and the admin password to the database gets leaked? The US government has a secure cloud, why not use that?
Link to my conversation with the person who found this:
https://bsky.app/profile/vure.bsky.social/post/3loe5irieck22
@GossiTheDog I agree with most of your arguments. (In fact, the only one I take exception with is comparing ransomware with climate change. Ransomware is a much more real and urgent problem.) Those are pretty much arguments I've used myself when advising customers hit by ransomware not to pay.
But, ultimately, it's the company's decision. Even if the company makes the wrong decision, the government shouldn't be the one who decides for them.
See also this:
"Decryption tools are worse than they’ve ever been."
"Woman killed in Greece after bomb explodes in her hands":
https://edition.cnn.com/2025/05/03/europe/woman-killed-carrying-bomb-in-greece-intl
Infosec advice: Don't carry a bomb in your hands.
@GossiTheDog Oh, we've misunderstood each other. "Jan" is a program - a GUI for running various LLMs, not "January".
@GossiTheDog Yes, that's what I tried. Said it couldn't start the server.
@GossiTheDog Most of the energy is spent on training the models - not on using them.
That said, I tried using this thing in Jan and it didn't even start. (DeepSeek runs fine.)
@GossiTheDog But were they Russian teenagers?
@urwumpe @GossiTheDog As I said, I don't know enough genetics to determine by myself how unusual this is, but my dentist's sister, who is a geneticist, reached that same conclusion all by herself after looking at the genome of the virus, so it must be pretty obvious to a geneticist. It might look unrealistic and black magic to us - but then me telling somebody what a new computer virus does after just looking at a hex dump of it looked like black magic to that person, too.
Anyway, my point is, it is fine to criticize Trump for stating this as a fact, while it is only an unproven (albeit likely) theory based on some insufficient evidence. But it's definitely not correct to call it a "conspiracy theory". It's a perfectly legitimate theory, there is evidence supporting it, it's just not sufficient to prove it.
@mmasnick @davidbcohen @briankrebs In the ruling, he seems to be saying that the White House *can* exclude journalists from the briefing - just not based on their opinions (which the government has explicitly stated was the reason)? I still don't understand how he makes the jump from "not abridging the freedom to print anything" to "not abridging their access to government briefings"...
He seems to be basing it on some rulings "Cornelius, 473 U.S. at 806; see also Forbes, 523 U.S. at 682"; I'd have to dig up those.
@briankrebs @mmasnick Banning AP for refusing to comply with the "Gulf of America" name is silly, nasty, and petty - but how exactly is it an infringement on their 1st Amendment rights? Trump isn't forbidding them from printing whatever they want; he's just denying them access to a gathering in his home. (They can probably get what was said there via a FOIA, but that would be pretty useless to them, because other outlets would have already printed the information by that time.)
@davidbcohen @briankrebs @mmasnick But why? What was his argumentation? Clearly, there is nothing in the 1st Amendment that mentions these places or excluding journalists from them. It mentions "not abridging the freedom of the press" and "the right to peacefully assemble" - but it seems pretty obvious to me that this means not preventing the press from printing anything they want - not preventing it from assembling in the White House...
Make Python Great Again! Impose tariffs on its imports!
A report on ransomware from a cybercrime specialist at the Dutch police. Sadly, in Dutch, but Google Translate makes it reasonably understandable:
Some highlights:
- Companies with cyber insurance are asked higher ransoms. Not clear who pays it - the victims or the insurance company.
- Trade, construction, and the ICT sector (whatever that is) are targeted most often.
- Most companies have no option but to pay. In 5% of the cases the company could recover by other means but chose to pay nevertheless, because it was faster and cheaper. In the remaining 95% the only alternative to not paying was bankruptcy. But sure, let's make ransom payments illegal...
@GossiTheDog They will be, if they speak out. Krebs has worked in a bunch of infosec companies - their clearances will be suspended in a snap if they speak out.
Anti-virus, malware and infosec expert, crypto amateur, privacy advocate and general annoyance. PGP keyID: 0x365697c632dd98d9