Security

Ukrainian Officials' Phones Targeted By Hackers (reuters.com) 34

The phones of Ukrainian officials have been targeted by hackers as Russia pursues its invasion of Ukraine, a senior cybersecurity official said Monday. Reuters: Victor Zhora, the deputy head of Ukraine's State Special Communications Service, said that phones being used by the country's public servants had come under sustained targeting. "We see a lot of attempts to hack Ukrainian officials' phones, mainly with the spreading of malware," Zhora told journalists at an online news conference meant to mark the 100 days since Russian forces poured across the border. Zhora said his service had, so far, not seen any evidence that Ukrainian devices had been compromised. The hacking of government leaders' devices crept up the international agenda following a cascade of revelations last year around how phones used by presidents, ministers, and other government officials had been targeted or compromised.
IT

Companies Are Having Trouble Enforcing Return-to-Office Policies (npr.org) 349

NPR reports: Just last month [Apple] decided to postpone its plan after more than 1,000 current and former employees signed an open letter that called the plan inefficient, inflexible and a waste of time. "Stop treating us like school kids who need to be told when to be where and what homework to do," they wrote. It was yet more evidence of the shift in the balance of power between management and rank and file, as demand for workers has hit record highs in the past year.

Companies are finding it hard to enforce unpopular policies and mandates when they fear their workers could just walk away.... Google Maps workers, who are employed by the tech company Cognizant, also decided to fight back. They connected with the Alphabet Workers Union and signed a petition citing COVID fears, the costs of commuting amid $5 gas, and the increase in productivity and morale that employees have experienced while working from home.... "Our first day back to the Bothell office full-time will now be September 6," the company said in a statement released on Thursday.

Even as some companies seek to bring back some semblance of office life, others are asking: What is the office for anyway?

In an iconic moment, NPR's reporter also visited a management consulting firm, where their new human resources worker (who started in May) admits that "It's hard to even fathom going into the office 100%. I don't think I could do it ever again."

Saturday the New York Times also reported that some corporate leaders "might find themselves fighting a culture shift beyond their control...." [Non-paywalled version here]

"If the pandemic's two-plus years of remote work experimentation have taught us anything, it's that many people can be productive outside the office, and quite a few are happier doing so." Even as the pandemic has changed course, there are signs that the work-from-home trend is actually accelerating. One recent survey published in the National Bureau of Economic Research found that employers are now saying they will allow employees to work from home an average of 2.3 days per week, up from 1.5 days in the summer of 2020.

It's not just the office — it's also the commute. The Wall Street Journal reported this week that almost all of the major cities with the biggest drops in office occupancy during the pandemic had an average one-way commute of more than 30 minutes; and most cities with the smallest drops had shorter commutes.

Microsoft

Microsoft Tries Collaborating with Unions to Avoid 'Public Disputes' (msn.com) 40

"Microsoft on Thursday announced a new strategy for dealing with organized labor..." reports the Washington Post (in a story republished on MSN.com): In a blog post shared with The Washington Post, Microsoft President Brad Smith wrote that the company will respect workers' rights to unionize and plans to work collaboratively with organized labor organizations to "make it simpler rather than more difficult" for employees to unionize if they so choose.

Microsoft is in the process of completing a $69 billion acquisition of Activision, a video game company where employees of a small subsidiary voted to unionize in March. That union, the Game Workers Alliance, is a division of the Communications Workers of America (CWA), which in a statement called Microsoft's announcement "encouraging and unique among the major tech companies." CWA Secretary-Treasurer Sara Steffens added that "to truly give workers a legally protected voice in decisions that affect them and their families, these principles must be put into action and incorporated into Microsoft's day-to-day operations and its expectations for its contractors...."

Rebecca Givan, a Rutgers University professor of labor relations, said Microsoft's announcement could mean the company is trying to smooth things over with employees interested in unionizing. "There's a lot of actual organizing or talk or desire in the video game sector, and that's a piece of what Microsoft does. That might be what they're trying to get out in front of," Givan said.

The article argues that Microsoft is "attempting to set itself apart from other Big Tech firms like Google and Amazon that have clashed publicly with employees seeking union representation." And it provides specific examples where other big tech companies have "gotten into trouble" with America's National Labor Relations Board:
  • "The labor board has repeatedly found that Amazon wrongfully terminated or retaliated against workers who were involved with union organizing."
  • "Google, too, has had to settle charges with workers who said the company fired them in response to union organizing."
  • "Workers at Apple told The Post in April that they were targeted by management for supporting the union and threatened with the loss of certain benefits and opportunities for promotion."

The president of America's largest federation of unions, the AFL-CIO, tells the Post in a statement that "Microsoft's collaborative approach to working with its employees who seek to organize is a best practice that we look forward to seeing implemented at Microsoft and other companies."


Bug

An Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch (wired.com) 38

"An actively exploited Microsoft zero-day flaw still has no patch," Wired wrote Friday (in an article they've designated as "free for a limited time only.")

Microsoft first received reports of the flaw on April 21st, the article points out, and researchers have now seen malicious Word documents exploiting Follina for targets in Russia, India, the Philippines, Belarus, and Nepal. Yet "The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows." Researchers warned last weekend that a flaw in Microsoft's Support Diagnostic Tool could be exploited using malicious Word documents to remotely take control of target devices. Microsoft released guidance on Monday, including temporary defense measures. By Tuesday, the United States Cybersecurity and Infrastructure Security Agency had warned that "a remote, unauthenticated attacker could exploit this vulnerability," known as Follina, "to take control of an affected system." But Microsoft would not say when or whether a patch is coming for the vulnerability, even though the company acknowledged that the flaw was being actively exploited by attackers in the wild. And the company still had no comment about the possibility of a patch when asked by WIRED [Thursday].

The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute PowerShell commands within Windows. Researchers note that they would describe the bug as a "zero-day," or previously unknown vulnerability, but Microsoft has not classified it as such. "After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it," says Tom Hegel, senior threat researcher at security firm SentinelOne. He adds that while attackers have primarily been observed exploiting the flaw through malicious documents thus far, researchers have discovered other methods as well, including the manipulation of HTML content in network traffic....

The vulnerability is present in all supported versions of Windows and can be exploited through Microsoft Office 365, Office 2013 through 2019, Office 2021, and Office ProPlus. Microsoft's main proposed mitigation involves disabling a specific protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block exploitation.
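The registry workaround Microsoft published for Follina is short enough to script. The PowerShell below is an added example, not code from the Wired article or from Microsoft's own advisory: it backs up and then removes the ms-msdt: URL protocol handler key (the "specific protocol" referred to above; the key name HKEY_CLASSES_ROOT\ms-msdt is the one named in Microsoft's published guidance), reports whether a host still has the handler registered, and keeps a restore function for use once a fix is installed. The backup path and the function names are this example's own choices, not Microsoft's.

```powershell
# Added example (not from Wired or Microsoft's advisory). Applies the
# registry workaround Microsoft published for Follina: removing the
# ms-msdt: protocol handler so a document can no longer launch the
# Support Diagnostic Tool through that URL scheme.
# Run from an elevated PowerShell session on the affected host.

$BackupPath = "$env:ProgramData\ms-msdt-backup.reg"   # assumed location, pick your own
$KeyPath    = 'Registry::HKEY_CLASSES_ROOT\ms-msdt'   # key named in Microsoft's guidance

function Test-MsdtHandlerPresent {
    # $true while the ms-msdt: handler is still registered, i.e. the
    # workaround has not yet been applied on this host. Useful as a
    # fleet-wide compliance check before and after rollout.
    Test-Path -Path $KeyPath
}

function Disable-MsdtHandler {
    if (-not (Test-MsdtHandlerPresent)) {
        Write-Output 'ms-msdt handler already absent; nothing to do.'
        return
    }
    # Export the key first so the change can be reverted once a patch ships.
    reg.exe export 'HKEY_CLASSES_ROOT\ms-msdt' $BackupPath /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup to $BackupPath failed; aborting without changes." }

    reg.exe delete 'HKEY_CLASSES_ROOT\ms-msdt' /f | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'Failed to delete HKEY_CLASSES_ROOT\ms-msdt.' }

    Write-Output "ms-msdt handler removed; backup written to $BackupPath"
}

function Restore-MsdtHandler {
    # Re-registers the handler from the backup taken by Disable-MsdtHandler.
    # Intended for after the vendor fix is installed, so diagnostics work again.
    if (-not (Test-Path -Path $BackupPath)) { throw "No backup found at $BackupPath" }
    reg.exe import $BackupPath | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Import of $BackupPath failed." }
    Write-Output 'ms-msdt handler restored.'
}

Disable-MsdtHandler
```

Removing the handler disables the ms-msdt: scheme for every application on the host, including the legitimate troubleshooters that use it, which is why the script refuses to delete the key unless the backup succeeded and keeps a restore path. Test-MsdtHandlerPresent can be run on its own, without elevation, to inventory which machines still expose the handler.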

But incident responders say that more action is needed, given how easy it is to exploit the vulnerability and how much malicious activity is being detected.

The Register adds that the flaw works in Microsoft Word even when macros are disabled. (Thanks to long-time Slashdot reader Z00L00K for sharing the story!)

Friday Microsoft went into the vulnerability's official CVE report and added this update.

"Microsoft is working on a resolution and will provide an update in an upcoming release."
EU

EU Deal on Single Mobile Charging Port Likely June 7 in Setback for Apple (reuters.com) 151

EU countries and EU lawmakers are set to agree on a common charging port for mobile phones, tablets and headphones on June 7 when they meet to discuss a proposal that has been fiercely criticised by Apple, Reuters reported Friday, citing people familiar with the matter. From the report: The proposal for a single mobile charging port was first broached by the European Commission more than a decade ago after iPhone and Android users complained about having to use different chargers for their phones. The former is charged from a Lightning cable while Android-based devices are powered using USB-C connectors. The trilogue next Tuesday will be the second and likely the final one between EU countries and EU lawmakers on the topic, an indication of a strong push to get a deal done, the people said.
Security

Russian Hacking Gang Evil Corp Shifts Its Extortion Strategy After Sanctions (bloomberg.com) 20

A notorious Russian cybercrime group has updated its attack methods in response to sanctions that prohibit US companies from paying it a ransom, according to cybersecurity researchers. From a report: The security firm Mandiant said Thursday it believes that the Evil Corp gang is now using a well-known ransomware tool named LockBit. Evil Corp has shifted to using LockBit, a form of ransomware used by numerous cybercrime groups, rather than its own brand of malicious software to hide evidence of the gang's involvement so that compromised organizations are more likely to pay an extortion fee, researchers said. The US Treasury Department in 2019 sanctioned the alleged leaders of the Evil Corp gang, creating legal liabilities for American companies that knowingly send ransom funds to the hackers. While cybersecurity firms have associated Evil Corp with two kinds of malware strains, known as Dridex and Hades, the group's use of LockBit could cause hacked organizations to believe that another hacking group, other than Evil Corp, was behind the breach. Evil Corp is believed to be behind some of the worst banking fraud and computer hacking schemes of the past decade, stealing more than $100 million from companies across 40 countries, according to the US government.
United States

Cyber Command Chief Confirms US Took Part in Offensive Cyber Operations (reuters.com) 69

U.S. Cyber Command Director Gen. Paul Nakasone confirmed for the first time that the U.S. had conducted offensive cyber operations in support of Ukraine. From a report: "We've conducted a series of operations across the full spectrum: offensive, defensive, [and] information operations," Nakasone said in an interview Wednesday with Sky News, a British television news channel. Although the general did not provide specifics, he said the operations were lawful and conducted with civilian oversight of the military. "My job is to provide a series of options to the secretary of Defense and the president, and so that's what I do," he told Sky News. Nakasone previously said his agency deployed a "hunt forward" team in December to help Ukraine shore up its cyber defenses and networks against active threats. But his latest remarks appear to be the first time that a U.S. official said publicly that the U.S. has been involved in offensive cyber operations in response to Russia's invasion of Ukraine.
The Internet

Connecticut Will Pay a Security Analyst 150K To Monitor Election Memes (popsci.com) 140

An anonymous reader quotes a report from Popular Science: Ahead of the upcoming midterm elections, Connecticut is hiring a "security analyst" tasked with monitoring and addressing online misinformation. The New York Times first reported this new position, saying the job description will include spending time on "fringe sites like 4chan, far-right social networks like Gettr and Rumble and mainstream social media sites." The goal is to identify election-related rumors and attempt to mitigate the damage they might cause by flagging them to platforms that have misinformation policies and promoting educational content that can counter those false narratives.

Connecticut Governor Ned Lamont's midterm budget (PDF), approved in early May, set aside more than $6 million to make improvements to the state's election system. That includes $4 million to upgrade the infrastructure used for voter registration and election management and $2 million for a "public information campaign" that will provide information on how to vote. The full-time security analyst role is recommended to receive $150,000. "Over the last few election cycles, malicious foreign actors have demonstrated the motivation and capability to significantly disrupt election activities, thus undermining public confidence in the fairness and accuracy of election results," the budget stated, as an explanation for the funding.

While the role is a first for Connecticut, the NYT noted that it's part of a growing nationwide trend. Colorado, for example, has a Rapid Response Election Security Cyber Unit tasked with monitoring online misinformation, as well as identifying "cyber-attacks, foreign interference, and disinformation campaigns." Originally created in anticipation of the 2020 presidential election, which proved to be fruitful ground for misinformation, the NYT says the unit is being "redeployed" this year. Other states, including Arizona, California, Idaho, and Oregon, are similarly funding election information initiatives in an attempt to counter misinformation, provide educational information, or do both.

Security

FBI Blocked Planned Cyberattack on Children's Hospital (apnews.com) 35

The FBI thwarted a planned cyberattack on a children's hospital in Boston that was to have been carried out by hackers sponsored by the Iranian government, FBI Director Christopher Wray said Wednesday. From a report: Wray told a Boston College cybersecurity conference that his agents learned of the planned digital attack from an unspecified intelligence partner and got Boston Children's Hospital the information it needed last summer to block what would have been "one of the most despicable cyberattacks I've seen."

"And quick actions by everyone involved, especially at the hospital, protected both the network and the sick kids who depended on it," Wray said. The FBI chief recounted that anecdote in a broader speech about ongoing cyber threats from Russia, China and Iran and the need for partnerships between the U.S. government and the private sector.

Programming

Should IT Professionals Be Liable for Ransomware Attacks? (acm.org) 250

Denmark-based Poul-Henning Kamp describes himself as the "author of a lot of FreeBSD, most of Varnish and tons of other Open Source Software." And he shares this message in June's Communications of the ACM.

"The software industry is still the problem." If any science fiction author, famous or obscure, had submitted a story where the plot was "modern IT is a bunch of crap that organized crime exploits for extortion," it would have gotten nowhere, because (A) that is just not credible, and (B) yawn!

And yet, here we are.... As I write this, 200-plus corporations, including many retail chains, have inoperative IT because extortionists found a hole in some niche, third-party software product most of us have never heard of.

But he's also proposing a solution. In Denmark, 129 jobs are regulated by law. There are good and obvious reasons why it is illegal for any random Ken, Brian, or Dennis to install toilets or natural-gas furnaces, perform brain surgery, or certify a building is strong enough to be left outside during winter. It may be less obvious why the state cares who runs pet shops, inseminates cattle, or performs zoological taxidermy, but if you read the applicable laws, you will learn that animal welfare and protection of endangered species have many and obscure corner cases.

Notably absent, as in totally absent, on that list are any and all jobs related to IT: IT architecture, computers, computer networks, computer security, or protection of privacy in computer systems. People who have been legally barred and delicensed from every other possible trade — be it for incompetence, fraud, or both — are entirely free to enter the IT profession and become responsible for the IT architecture or cybersecurity of the IT system that controls nearly half the hydrocarbons to the Eastern Seaboard of the U.S....

With respect to gas, water, electricity, sewers, or building stability, the regulations do not care if a company is hundreds of years old or just started this morning, the rules are always the same: Stuff should just work, and only people who are licensed — because they know how to — are allowed to make it work, and they can be sued if they fail to do so.

The time is way overdue for IT engineers to be subject to professional liability, like almost every other engineering profession. Before you tell me that is impossible, please study how the very same thing happened with electricity, planes, cranes, trains, ships, automobiles, lifts, food processing, buildings, and, for that matter, driving a car.

As with software product liability, the astute reader is apt to exclaim, "This will be the end of IT as we know it!" Again, my considered response is, "Yes, please, that is precisely my point!"

Crime

New Linux-Based Ransomware Targets VMware Servers (csoonline.com) 36

"Researchers at Trend Micro have discovered some new Linux-based ransomware that's being used to attack VMware ESXi servers," reports CSO Online. (They describe the ESXi servers as "a bare-metal hypervisor for creating and running several virtual machines that share the same hard drive storage.") Called Cheerscrypt, the bad app is following in the footsteps of other ransomware programs — such as LockBit, Hive and RansomEXX — that have found ESXi an efficient way to infect many computers at once with malicious payloads.

Roger Grimes, a defense evangelist with security awareness training provider KnowBe4, explains that most of the world's organizations operate using VMware virtual machines. "It makes the job of ransomware attackers far easier because they can encrypt one server — the VMware server — and then encrypt every guest VM it contains. One compromise and encryption command can easily encrypt dozens to hundreds of other virtually run computers all at once."

"Most VM shops use some sort of VM backup product to back up all guest servers, so finding and deleting or corrupting one backup repository kills the backup image for all the hosted guest servers all at once," Grimes adds....

The gang behind Cheerscrypt uses a "double extortion" technique to extract money from its targets, the researchers explain. "Security Alert!!!" the attackers' ransom message declares. "We hacked your company successfully. All files have been stolen and encrypted by us. If you want to restore your files or avoid file leaks, please contact us."

Chrome

Google is Rolling Out Chrome 102 with 32 Security Fixes, One Critical (zdnet.com) 10

This week Google began a rolling release for stable Chrome version 102 "with 32 security fixes for the browser on Windows, Mac and Linux," reports ZDNet: Chrome 102 for the desktop includes 32 security fixes reported to Google by external researchers. There's one critical flaw, while eight are high severity, nine are medium severity, and seven are low severity. Google also creates other fixes for issues found through internal testing...

The critical flaw, labelled as CVE-2022-1853, is a 'use after free in IndexedDB', an interface for applications to store data in a user's browser.... "My guess is that an attacker could construct a specially crafted website and take over the visitor's browser by manipulating the IndexedDB," says Pieter Arntz, a malware intelligence researcher at Malwarebytes. None of the flaws fixed in this Chrome 102 stable release were zero days, meaning flaws that were exploited before Google released a patch for them.

Google's Project Zero (GPZ) team last year counted 58 zero-day exploits for popular software in 2021. Twenty-five of these were in browsers, of which 14 affected Chrome. Google engineers argue zero-day counts are rising because vendors are improving detection, fixes and disclosure. However, GPZ researchers argue the industry as a whole is not making zero days hard enough for attackers, who often rely on tweaking existing flaws rather than being forced to conjure up entirely new exploitation methods.

Linux/Mac/Windows users of Chrome can check Help/About to see if the update has already rolled out to their system — or if they need to update manually.
Security

Omnipotent BMCs From Quanta Remain Vulnerable To Critical Pantsdown Threat (arstechnica.com) 14

"Quanta not patching vulnerable baseboard management controllers leaves data centers vulnerable," writes long-time Slashdot reader couchslug. "Pantsdown was disclosed in 2019..." Ars Technica reports: In January 2019, a researcher disclosed a devastating vulnerability in one of the most powerful and sensitive devices embedded into modern servers and workstations. With a severity rating of 9.8 out of 10, the vulnerability affected a wide range of baseboard management controllers (BMC) made by multiple manufacturers. These tiny computers soldered into the motherboard of servers allow cloud centers, and sometimes their customers, to streamline the remote management of vast fleets of computers. They enable administrators to remotely reinstall OSes, install and uninstall apps, and control just about every other aspect of the system -- even when it's turned off. Pantsdown, as the researcher dubbed the threat, allowed anyone who already had some access to the server an extraordinary opportunity. Exploiting the arbitrary read/write flaw, the hacker could become a super admin who persistently had the highest level of control for an entire data center.

Over the next few months, multiple BMC vendors issued patches and advisories that told customers why patching the vulnerability was critical. Now, researchers from security firm Eclypsium reported a disturbing finding: for reasons that remain unanswered, a widely used BMC from data center solutions provider Quanta Cloud Technology, better known as QCT, remained unpatched against the vulnerability as recently as last month. As if QCT's inaction wasn't enough, the company's current posture also remains baffling. After Eclypsium privately reported its findings to QCT, the solutions company responded that it had finally fixed the vulnerability. But rather than publish an advisory and make a patch public -- as just about every company does when fixing a critical vulnerability -- it told Eclypsium it was providing updates privately on a customer-by-customer basis. As this post was about to go live, "CVE-2019-6260," the industry's designation to track the vulnerability, didn't appear on QCT's website. [...]
"[T]hese types of attacks have remained possible on BMCs that were using firmware QCT provided as recently as last month," writes Ars' Dan Goodin in closing. "QCT's decision not to publish a patched version of its firmware or even an advisory, coupled with the radio silence with reporters asking legitimate questions, should be a red flag. Data centers or data center customers working with this company's BMCs should verify their firmware's integrity or contact QCT's support team for more information."
Security

GoodWill Ransomware Forces Victims To Donate To the Poor (cloudsek.com) 22

New submitter Grokew writes: "GoodWill ransomware group propagates very unusual demands in exchange for the decryption key," reports CloudSEK. "The Robin Hood-like group is forcing its victims to donate to the poor and provides financial assistance to the patients in need."

["Once infected, the GoodWill ransomware worm encrypts documents, photos, videos, databases, and other important files and renders them inaccessible without the decryption key," reports CloudSEK.] In order for the victims to obtain the decryption keys, they must provide proof of donating to the homeless, sharing a meal with the less fortunate, and paying a debt of someone who can't afford it. [The decryption kit includes the main decryption tool, password file and a video tutorial on how to recover all important files. It's only given to infected users after the three activities are verified by the ransomware operators, who appear to be operating out of India.]

Data Storage

Larger-than-30TB Hard Drives Are Coming Much Sooner Than Expected (techradar.com) 66

Inside hard disk drives are platters which hold all your data; these are all manufactured by one company in Japan called Showa Denko, which has announced it expects to "realize near-line HDD having storage capacity of more than 30TB" by the end of 2023. From a report: Deciphering that statement, we'd assume it will provide platters with a storage capacity of more than 3TB, sometime in 2023, to partners such as Toshiba, Seagate and Western Digital, who will then produce the hard disk drives, targeting hyperscalers and data center operators. We'd expect some of them to end up in NAS and 3.5-inch external hard drives, but those won't be the main target markets, as performance is likely to be optimized for nearline usage.

Showa Denko has now started shipment of the platters that will go into new 26TB Ultrastar DC HC670 UltraSMR hard disk drives announced by Western Digital only a few days ago. A 2.6TB platter -- which uses energy-assisted magnetic recording and shingled magnetic recording -- also marks an important milestone as it hits the symbolic 1TB/in^2 density. Showa Denko's announcement comes as a surprise as Toshiba recently suggested 30TB drives (rather than higher capacities) would not come until 2024. A 30TB model would comprise 11 platters of 2.73TB each, a slight improvement on the 2.6TB platters that are on the way. Given that 26TB HDDs have now been announced in the first half of 2022, there's a remote chance that we could see 30TB drives before the end of the year, or, as the saying goes, depending on market conditions.

Google

Google Opens Up Chrome and Chrome OS To Enterprise Security, Control Integrations (theverge.com) 10

Google is highlighting how Chromebooks can work in "zero trust" corporate environments with its new Chrome Enterprise Connectors Framework. From a report: The new integration system is designed to make the Chrome browser and Chrome OS devices easier for IT departments to implement with existing security, endpoint, and authentication solutions as well as other management solutions. Google Chrome OS exec John Solomon describes the new tools as a "plug and play" solution that lets other companies helm Chrome OS management functions like remote-wiping a Chromebook using BlackBerry Unified Endpoint Management or flagging malware downloads with Splunk. These types of management functions previously worked through the Google Admin console. Managing and enrolling Chrome OS devices in the enterprise will still rely on Google tools like Google Admin and Chrome Browser Cloud Management. But new tools like Chrome OS Data Controls give enterprises more options to allow or lock down actions like printing, screen capture, copy / paste, and other potential data loss situations. It might even give IT a better handle on buggy Chrome OS updates and is currently available through the Trusted Tester program.
Security

Senate Report Finds Government is Unprepared To Stop Ransomware Attacks (fastcompany.com) 48

In the past few years, ransomware attacks have crippled schools, hospitals, city governments, and pipelines. Yet, despite the heavy toll such incidents have on both the public and private sectors, government officials have only a limited understanding of ransomware attacks and how cryptocurrencies are being used to collect payment, according to a new report from the Senate Homeland Security and Governmental Affairs Committee. From a report: "Cryptocurrencies -- which allow criminals to quickly extort huge sums of money, can be anonymized, and do not have consistently enforced compliance with regulations, especially for foreign-based attackers -- have further enabled cybercriminals to commit disruptive ransomware attacks that threaten our national and economic security," said Michigan Senator Gary Peters, the committee's chair, in a statement. "My report shows that the federal government lacks the necessary information to deter and prevent these attacks, and to hold foreign adversaries and cybercriminals accountable for perpetrating them."

Part of the issue is in reporting: The federal government doesn't have a standardized place for victims to log ransomware attacks, which typically encrypt data until a ransom is paid in cryptocurrency. Both the Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have websites where victims can report incidents, and some people report the attacks directly to their local FBI field offices -- all of which can leave people unsure of where to turn and lead to different agencies having records of different incidents. Financial regulators, including the Treasury Department's Financial Crimes Enforcement Network, also gather some data on ransomware, particularly around payments, but it's also far from comprehensive. A new law passed by Congress in March, as part of a broad government funding bill, will soon require operators of "critical infrastructure" to report to CISA within 72 hours when they've been the victims of a "substantial cyber incident," and within 24 hours of paying a ransom, but the provision hasn't yet gone into effect, pending regulatory decisions by CISA.

Encryption

ProtonMail Unifies Encrypted Mail, Calendar, VPN, and Storage Services Under New 'Proton' Brand (macrumors.com) 37

Swiss-based encrypted email provider ProtonMail today announced a restructuring of its privacy-first services, bringing them under a new unifying brand name: Proton. "Today, we are undertaking our biggest step forward in the movement for an internet that respects your privacy. The new, updated Proton offers one account, many services, and one privacy-by-default ecosystem. You can now enjoy unified protection with a modernized look and feel. Evolving into a unified Proton reflects our growth from an end-to-end encrypted email provider to an entire privacy ecosystem, allowing us to deliver even more benefits to the Proton community and make privacy accessible to everyone," the company said. MacRumors adds: Previously, users could only subscribe to each service the company offered individually. Going forward, the new Proton offers one account to access all the services offered in the company's privacy-by-default ecosystem, including Proton Mail, Proton VPN, Proton Calendar, and Proton Drive, all of which can be accessed from proton.me. All Proton services remain available as a free tier, with more advanced features and more storage available via paid plans. The free Proton tier includes up to 1GB of storage and one Proton email address, as well as access to Proton's encrypted Calendar and VPN services. Further reading: Proton Is Trying to Become Google -- Without Your Data.
Security

Russian Hackers Are Linked To New Brexit Leak Website, Google Says (reuters.com) 68

A new website that published leaked emails from several leading proponents of Britain's exit from the European Union is tied to Russian hackers, according to a Google cybersecurity official and the former head of UK foreign intelligence. From a report: The website - titled "Very English Coop d'Etat" - says it has published private emails from former British spymaster Richard Dearlove, leading Brexit campaigner Gisela Stuart, pro-Brexit historian Robert Tombs, and other supporters of Britain's divorce from the EU, which was finalized in January 2020. The site contends that they are part of a group of hardline pro-Brexit figures secretly calling the shots in the United Kingdom. "I am well aware of a Russian operation against a Proton account which contained emails to and from me," said Dearlove, referring to the privacy-focused email service ProtonMail.
Security

'Tough To Forge' Digital Driver's License is Easy To Forge (arstechnica.com) 87

An anonymous reader shares a report: In late 2019, the government of New South Wales in Australia rolled out digital driver's licenses. The new licenses allowed people to use their iPhone or Android device to show proof of identity and age during roadside police checks or at bars, stores, hotels, and other venues. ServiceNSW, as the government body is usually referred to, promised it would "provide additional levels of security and protection against identity fraud, compared to the plastic [driver's license]" citizens had used for decades.

Now, 30 months later, security researchers have shown that it's trivial for just about anyone to forge fake identities using the digital driver's licenses, or DDLs. The technique allows people under drinking age to change their date of birth and for fraudsters to forge fake identities. The process takes well under an hour, doesn't require any special hardware or expensive software, and will generate fake IDs that pass inspection using the electronic verification system used by police and participating venues. All of this, despite assurances that security was a key priority for the newly created DDL system. "To be clear, we do believe that if the Digital Driver's Licence was improved by implementing a more secure design, then the above statement made on behalf of ServiceNSW would indeed be true, and we would agree that the Digital Driver's Licence would provide additional levels of security against fraud compared to the plastic driver's licence," Noah Farmer, the researcher who identified the flaws, wrote in a post published last week.
