When you think of Mission: Impossible, the first thing you probably think about is the action that has defined the franchise since its inception. That’s become especially true in later installments, which have been defined by Tom Cruise doing increasingly insane things to entertain audiences. The Final Reckoning has arrived, and it may or may not be the last installment in this franchise. We’ve ranked the five best major action sequences in The Final Reckoning to commemorate this film and its memorable set pieces. Recommended Videos 5. The opening pursuit The Final Reckoning is less action-forward than some previous installments in the franchise. The movie’s opening pursuit is indicative of that, as Ethan and Grace try to hunt down Gabriel and the Entity following the events of Dead Reckoning. It’s not the most inspiring stuff, but seeing Benji, Paris, and Theo rescue Ethan and Grace is a lovely subversion of how the action in these movies usually goes. 4. The showdown at the bunker Paramount Pictures and Skydance This is a fairly conventional gunfight between the CIA and Gabriel’s forces, and one that Ethan only shows up for near the end. It’s followed by much more electrifying stuff, but even this relatively standard set piece is a reminder of Christopher McQuarrie’s unique flair for action, even if it’s not as inventive as some of what we’ve seen in previous installments. 3. The firefight with the Russians Paramount Pictures The best of the more minor action sequences in The Final Reckoning involves Grace and William Donloe’s wife exchanging fire with Russian special forces as they try to get the coordinates for the Sevastopol, which he has memorized. It’s yet another set piece that doesn’t feel all that inventive. However, it’s executed basically to perfection. It’s also an important reminder of how good Haley Atwell is at the action part of the Mission formula. 2. The biplane chase Paramount Pictures / Paramount Pictures Although the other entries on this list are notable, the two most important set pieces in The Final Reckoning occupy the top spots on this list. McQuarrie and Cruise have spent plenty of time discussing all the ways the actor’s work outside of the biplane was dangerous. Let me tell you, it looks spectacular. As Ethan and Gabriel battle while flying over South Africa, we get to see just how much danger Cruise was willing to put himself in for the sake of a good shot. It’s not quite as great as the helicopter fight at the end of Fallout, but it’s definitely covering similar terrain and might feel even more perilous. 1. The Sevastopol extraction Paramount Pictures One of the greatest set pieces in the history of this entire franchise. The underwater work done by Ethan, who travels to the bottom of the ocean to extract the rabbit’s foot from the Sevastopol, is simply stunning. Underwater cinematography is very easy to do wrong, but McQuarrie nails the ocean’s beauty and its perilous nature. There have only been a handful of water stunts in Mission: Impossible’s history. This is by far the best. Every obstacle Ethan encounters, right up until he’s forced to swim back up to the surface with nothing but his underwear to protect him, makes the sequence more tense and alive. Like all of the best action sequences, I have no idea how they pulled it off. Mission: Impossible — The Final Reckoning is now in theaters.

DanaBot Feds charge 16 Russians allegedly tied to botnets used in cyberattacks and spying An example of how a single malware operation can enable both criminal and state-sponsored hacking. Andy Greenberg, WIRED.com – May 23, 2025 3:56 pm | 0 Credit: Getty Images Credit: Getty Images Story text Size Small Standard Large Width * Standard Wide Links Standard Orange * Subscribers only   Learn more The hacker ecosystem in Russia, more than perhaps anywhere else in the world, has long blurred the lines between cybercrime, state-sponsored cyberwarfare, and espionage. Now an indictment of a group of Russian nationals and the takedown of their sprawling botnet offers the clearest example in years of how a single malware operation allegedly enabled hacking operations as varied as ransomware, wartime cyberattacks in Ukraine, and spying against foreign governments. The US Department of Justice today announced criminal charges today against 16 individuals law enforcement authorities have linked to a malware operation known as DanaBot, which according to a complaint infected at least 300,000 machines around the world. The DOJ’s announcement of the charges describes the group as “Russia-based,” and names two of the suspects, Aleksandr Stepanov and Artem Aleksandrovich Kalinkin, as living in Novosibirsk, Russia. Five other suspects are named in the indictment, while another nine are identified only by their pseudonyms. In addition to those charges, the Justice Department says the Defense Criminal Investigative Service (DCIS)—a criminal investigation arm of the Department of Defense—carried out seizures of DanaBot infrastructure around the world, including in the US. Aside from alleging how DanaBot was used in for-profit criminal hacking, the indictment also makes a rarer claim—it describes how a second variant of the malware it says was used in espionage against military, government, and NGO targets. “Pervasive malware like DanaBot harms hundreds of thousands of victims around the world, including sensitive military, diplomatic, and government entities, and causes many millions of dollars in losses,” US attorney Bill Essayli wrote in a statement. Since 2018, DanaBot—described in the criminal complaint as “incredibly invasive malware”—has infected millions of computers around the world, initially as a banking trojan designed to steal directly from those PCs' owners with modular features designed for credit card and cryptocurrency theft. Because its creators allegedly sold it in an “affiliate” model that made it available to other hacker groups for $3,000 to $4,000 a month, however, it was soon used as a tool to install different forms of malware in a broad array of operations, including ransomware. Its targets, too, quickly spread from initial victims in Ukraine, Poland, Italy, Germany, Austria, and Australia to US and Canadian financial institutions, according to an analysis of the operation by cybersecurity firm Crowdstrike. At one point in 2021, according to Crowdstrike, Danabot was used in a software supply-chain attack that hid the malware in a JavaScript coding tool called NPM with millions of weekly downloads. Crowdstrike found victims of that compromised tool across the financial service, transportation, technology, and media industries. That scale and the wide variety of its criminal uses made DanaBot “a juggernaut of the e-crime landscape,” according to Selena Larson, a staff threat researcher at cybersecurity firm Proofpoint. More uniquely, though, DanaBot has also been used at times for hacking campaigns that appear to be state-sponsored or linked to Russian government agency interests. In 2019 and 2020, it was used to target a handful of Western government officials in apparent espionage operations, according to the DOJ's indictment. According to Proofpoint, the malware in those instances was delivered in phishing messages that impersonated the Organization for Security and Cooperation in Europe and a Kazakhstan government entity. Then, in the early weeks of Russia's full-scale invasion of Ukraine, which began in February 2022, DanaBot was used to install a distributed denial-of-service (DDoS) tool onto infected machines and launch attacks against the webmail server of the Ukrainian Ministry of Defense and National Security and Defense Council of Ukraine. All of that makes DanaBot a particularly clear example of how cybercriminal malware has allegedly been adopted by Russian state hackers, Proofpoint's Larson says. “There have been a lot of suggestions historically of cybercriminal operators palling around with Russian government entities, but there hasn't been a lot of public reporting on these increasingly blurred lines,” says Larson. The case of DanaBot, she says, “is pretty notable, because it's public evidence of this overlap where we see e-crime tooling used for espionage purposes.” In the criminal complaint, DCIS investigator Elliott Peterson—a former FBI agent known for his work on the investigation into the creators of the Mirai botnet—alleges that some members of the DanaBot operation were identified after they infected their own computers with the malware. Those infections may have been for the purposes of testing the trojan, or may have been accidental, according to Peterson. Either way, they resulted in identifying information about the alleged hackers ending up on DanaBot infrastructure that DCIS later seized. “The inadvertent infections often resulted in sensitive and compromising data being stolen from the actor's computer by the malware and stored on DanaBot servers, including data that helped identify members of the DanaBot organization,” Peterson writes. The operators of DanaBot remain at large, but the takedown of a large-scale tool in so many forms of Russian-origin hacking—both state-sponsored and criminal—represents a significant milestone, says Adam Meyers, who leads threat intelligence research at Crowdstrike. “Every time you disrupt a multiyear operation, you're impacting their ability to monetize it. It also creates a bit of a vacuum, and somebody else is going to step up and take that place,” Meyers says. “But the more we can disrupt them, the more we keep them on their back heels. We should rinse and repeat and go find the next target.” This story originally appeared at wired.com Andy Greenberg, WIRED.com Wired.com is your essential daily guide to what's next, delivering the most original and complete take you'll find anywhere on innovation's impact on technology, science, business and culture. 0 Comments

May 21, 202510 min readWhy Some Experts Call Trump’s ‘Golden Dome’ Missile Shield a Dangerous FantasyThe White House’s $175-billion plan to protect the U.S. from nuclear annihilation will probably cost much more—and deliver far less—than has been claimed, says nuclear arms expert Jeffrey LewisBy Lee Billings U.S. President Donald Trump speaks in the Oval Office of the White House on May 20, 2025, during a briefing announcing his administration’s plan for the “Golden Dome” missile defense shield. Jim Watson/AFP via Getty ImagesDuring a briefing from the Oval Office this week, President Donald Trump revealed his administration’s plan for “Golden Dome”—an ambitious high-tech system meant to shield the U.S. from ballistic, cruise and hypersonic missile attacks launched by foreign adversaries. Flanked by senior officials, including Secretary of Defense Pete Hegseth and the project’s newly selected leader, Gen. Michael Guetlein of the U.S. Space Force, Trump announced that Golden Dome will be completed within three years at a cost of $175 billion.The program, which was among Trump’s campaign promises, derives its name from the Iron Dome missile defense system of Israel—a nation that’s geographically 400 times smaller than the U.S. Protecting the vastness of the U.S. demands very different capabilities than those of Iron Dome, which has successfully shot down rockets and missiles using ground-based interceptors. Most notably, Trump’s Golden Dome would need to expand into space—making it a successor to the Strategic Defense Initiative (SDI) pursued by the Reagan administration in the 1980s. Better known by the mocking nickname “Star Wars,” SDI sought to neutralize the threat from the Soviet Union’s nuclear-warhead-tipped intercontinental ballistic missiles by using space-based interceptors that could shoot them down midflight. But fearsome technical challenges kept SDI from getting anywhere close to that goal, despite tens of billions of dollars of federal expenditures.“We will truly be completing the job that President Reagan started 40 years ago, forever ending the missile threat to the American homeland,” Trump said during the briefing. Although the announcement was short on technical details, Trump also said Golden Dome “will deploy next-generation technologies across the land, sea and space, including space-based sensors and interceptors.” The program, which Guetlein has compared to the scale of the Manhattan Project in past remarks, has been allotted $25 billion in a Republican spending bill that has yet to pass in Congress. But Golden Dome may ultimately cost much more than Trump’s staggering $175-billion sum. An independent assessment by the Congressional Budget Office estimates its price tag could be as high as $542 billion, and the program has drawn domestic and international outcries that it risks sparking a new, globe-destabilizing arms race and weaponizing Earth’s fragile orbital environment.On supporting science journalismIf you're enjoying this article, consider supporting our award-winning journalism by subscribing. By purchasing a subscription you are helping to ensure the future of impactful stories about the discoveries and ideas shaping our world today.To get a better sense of what’s at stake—and whether Golden Dome has a better chance of success than its failed forebears—Scientific American spoke with Jeffrey Lewis, an expert on the geopolitics of nuclear weaponry at the James Martin Center for Nonproliferation Studies at the Middlebury Institute of International Studies.[An edited transcript of the interview follows.]It’s been a while, but when last I checked, most experts considered this sort of plan a nonstarter because the U.S. is simply too big of a target. Has something changed?Well, yes and no. The killer argument against space-based interceptors in the 1980s was that it would take thousands of them, and there was just no way to put up that many satellites. Today that’s no longer true. SpaceX alone has put up more than 7,000 Starlink satellites. Launch costs are much cheaper now, and there are more launch vehicles available. So, for the first time, you can say, “Oh, well, I could have a 7,000-satellite constellation. Do I want to do that?” Whereas, when the Reagan administration was talking about this, it was just la-la land.But let’s be clear: this does not solve all the other problems with the general idea—or the Golden Dome version in particular.What are some of those other problems?Just talking about space-based interceptors, there are a couple [of issues that] my colleagues and I have pointed out. We ran some numbers using the old SDI-era calculation from [SDI physicists] Ed Teller and Greg Canavan—so we couldn’t be accused of using some hippie version of the calculation, right? And what this and other independent assessments show is that the number of interceptors you need is super-duper sensitive to lots of things. For instance, it’s not like this is a “one satellite to one missile” situation—because the physics demands that these satellites ... have to be in low-Earth orbit, and that means they’re going to be constantly moving over different parts of the planet.So if you want to defend against just one missile, you still need a whole constellation. And if you want to defend against two missiles, then you basically need twice as many interceptors, and so on.You probably have to shoot down missiles during the boost phase, when the warheads are still attached. For SDI, the U.S. was dealing with Soviet liquid-fueled missiles that would boost, or burn, for about four minutes. Well, modern ones burn for less than three—that’s a whole minute that you no longer have. This is actually much worse than it sounds because you’re probably unable to shoot for the first minute or so. Even with modern detectors [that are] much better than [those] we had in the 1980s, you may not see the missile until it rises above the clouds. And once it does, your sensors, your computers, still have to say, “Aha! That is a missile!” And then you have to ensure that you’re not shooting down some ordinary space launch—so the system says, “I see a missile. May I shoot at it, please?” And someone or something has to give the go-ahead. So let’s just say you’ll have a good minute to shoot it down; this means your space-based interceptor has to be right there, ready to go, right? But by the time you’re getting permission to shoot, the satellite that was overhead to do that is now too far away, and so the next satellite has to be coming there. This scales up really, really fast.Presumably artificial intelligence and other technologies could be leveraged to make that sort of command and control more agile and responsive. But clearly there are still limits here—AI can’t be some sort of panacea.Sure, that’s right. But technological progress overall hasn’t made the threat environment better. Instead it’s gotten much worse.Let’s get back to the sheer physics-induced numbers for a moment, which AI can’t really do much about. That daunting scaling I mentioned also depends on the quality of your interceptors, your kill vehicles—which, by the way, are still going to be grotesquely expensive even if launch costs are low. If your interceptors can rapidly accelerate to eight or 10 kilometers per second (km/s), your constellation can be smaller. If they only reach 4 km/s, your constellation has to be huge.The point is: any claim that you can do this with relatively low numbers—let’s say 2,000 interceptors—assumes a series of improbable miracles occurring in quick succession to deliver the very best outcome that could possibly happen. So it’s not going to happen that way, even if, in principle, it could.So you’re telling me there’s a chance! No, seriously, I see what you mean. The arguments in favor of this working seem rather contrived. No system is perfect, and just one missile getting through can still have catastrophic results. And we haven’t even talked about adversarial countermeasures yet.There’s a joke that’s sometimes made about this: “We play chess, and they don’t move their pieces.” That seems to be the operative assumption here: that other nations will sit idly by as we build a complex, vulnerable system to nullify any strategic nuclear capability they have. And of course, it’s not valid at all. Why do you think the Chinese are building massive fields of missile silos? It’s to counteract or overwhelm this sort of thing. Why do you think the Russians are making moves to put a nuclear weapon in orbit? It’s to mass kill any satellite constellation that would shoot down their missiles.Golden Dome proponents may say, “Oh, we’ll shoot that down, too, before it goes off.” Well, good luck. You put a high-yield nuclear weapon on a booster, and the split second it gets above the clouds, sure, you might see it—but now it sees you, too, before you can shoot. All it has to do at that point is detonate to blow a giant hole in your defenses, and that’s game over. And by the way, this rosy scenario assumes your adversaries don’t interfere with all your satellites passing over their territory in peacetime. We know that won’t be the case—they’ll light them up with sensor-dazzling lasers, at minimum!You’ve compared any feasible space-based system to Starlink and noted that, similar to Starlink, these interceptors will need to be in low-Earth orbit. That means their orbits will rapidly decay from atmospheric drag, so just like Starlink’s satellites, they’d need to be constantly replaced, too, right?Ha, yes, that’s right. With Starlink, you’re looking at a three-to-five-year life cycle, which means annually replacing one third to one fifth of a constellation.So let’s say Golden Dome is 10,000 satellites; this would mean the best-case scenario is that you’re replacing 2,000 per year. Now, let’s just go along with what the Trump administration is saying, that they can get these things really cheap. I’m going to guess a “really cheap” mass-produced kill vehicle would still run you $20 million a pop, easily. Just multiply $20 million by 2,000, and your answer is $40 billion. So under these assumptions, we’d be spending $40 billion per year just to maintain the constellation. That’s not even factoring in operations.And that’s not to mention associated indirect costs from potentially nasty effects on the upper atmosphere and the orbital environment from all the launches and reentries.That, yes—among many other costly things.I have to ask: If fundamental physics makes this extremely expensive idea blatantly incapable of delivering on its promises, what’s really going on when the U.S. president and the secretary of defense announce their intention to pump $175 billion into it for a three-year crash program? Some critics claim this kind of thing is really about transferring taxpayer dollars to a few big aerospace companies and other defense contractors.Well, I wouldn’t say it’s quite that simple.Ballistic missile defense is incredibly appealing to some people for reasons besides money. In technical terms, it’s an elegant solution to the problem of nuclear annihilation—even though it’s not really feasible. For some people, it’s just cool, right? And at a deeper level, many people just don’t like the concept of deterrence—mutual assured destruction and all that—because, remember, the status quo is this: If Russia launches 1,000 nuclear weapons at us—or 100 or 10 or even just one—then we are going to murder every single person in Russia with an immediate nuclear counterattack. That’s how deterrence works. We’re not going to wait for those missiles to land so we can count up our dead to calibrate a more nuanced response. That’s official U.S. policy, and I don’t think anyone wants it to be this way forever. But it’s arguably what’s prevented any nuclear exchange from occurring to date.But not everyone believes in the power of deterrence, and so they’re looking for some kind of technological escape. I don’t think this fantasy is that different from Elon Musk thinking he’s going to go live on Mars when climate change ruins Earth: In both cases, instead of doing the really hard things that seem necessary to actually make this planet better, we’re talking about people who think they can just buy their way out of the problem. A lot of people—a lot of men, especially—really hate vulnerability, and this idea that you can just tech your way out of it is very appealing to them. You know, “Oh, what vulnerability? Yeah, there’s an app for that.”You’re saying this isn’t about money?Well, I imagine this is going to be good for at least a couple of SpaceX Falcon Heavy or Starship launches per year for Elon Musk. And you don’t have to do too many of those launches for the value proposition to work out: You build and run Starlink, you put up another constellation of space-based missile defense interceptors, and suddenly you’ve got a viable business model for these fancy huge rockets that can also take you to Mars, right?Given your knowledge of science history—of how dispassionate physics keeps showing space-based ballistic missile defense is essentially unworkable, yet the idea just keeps coming back—how does this latest resurgence make you feel?When I was younger, I would have been frustrated, but now I just accept human beings don’t learn. We make the same mistakes over and over again. You have to laugh at human folly because I do think most of these people are sincere, you know. They’re trying to get rich, sure, but they’re also trying to protect the country, and they’re doing it through ways they think about the world—which admittedly are stupid. But, hey, they’re trying. It’s very disappointing, but if you just laugh at them, they’re quite amusing.I think most people would have trouble laughing about something as devastating as nuclear war—or about an ultraexpensive plan to protect against it that’s doomed to failure and could spark a new arms race.I guess if you’re looking for a hopeful thought, it’s that we’ve tried this before, and it didn’t really work, and that’s likely to happen again.So how do you think it will actually play out this time around?I think this will be a gigantic waste of money that collapses under its own weight.They’ll put up a couple of interceptors, and they’ll test those against a boosting ballistic missile, and they’ll eventually get a hit. And they’ll use that to justify putting up more, and they’ll probably even manage to make a thin constellation—with the downside, of course, being that the Russians and the Chinese and the North Koreans and everybody else will make corresponding investments in ways to kill this system.And then it will start to really feel expensive, in part because it will be complicating and compromising things like Starlink and other commercial satellite constellations—which, I’d like to point out, are almost certainly uninsured in orbit because you can’t insure against acts of war. So think about that: if the Russians or anyone else detonate a nuclear weapon in orbit because of something like Golden Dome, Elon Musk’s entire constellation is dead, and he’s probably just out the cash.The fact is: these days we rely on space-based assets much more than most people realize, yet Earth orbit is such a fragile environment that we could muck it up in many different ways that carry really nasty long-term consequences. I worry about that a lot. Space used to be a benign environment, even throughout the entire cold war, but having an arms race there will make it malign. So Golden Dome is probably going to make everyone’s life a little bit more dangerous—at least until we, hopefully, come to our senses and decide to try something different.

A new US indictment against a group of Russian nationals offers a clear example of how, authorities say, a single malware operation can enable both criminal and state-sponsored hacking.

A video of the 425th Separate Assault Regiment's motorcycle company shows how Ukrainian soldiers plan to fight atop the light vehicles. 425th Separate Assault Regiment/Screenshot 2025-05-22T06:22:04Z Save Saved Read in app This story is available exclusively to Business Insider subscribers. Become an Insider and start reading now. Have an account? It's Ukraine's turn to adopt an unusual battle tactic from Russia: motorcycle assaults. One unit has formed its first motorcycle attack company for storming Russian positions quickly. It said its troops have trained "hundreds of hours" to shoot assault rifles from off-road bikes. As the battle with drones continues, motorcycles have become a rising star in Ukraine's war.The Ukrainian military's 425th separate assault regiment, nicknamed "Skala," announced on Tuesday that it had officially formed the country's first motorcycle attack company."As a result, we now have a modern 'cavalry' whose main task is to rapidly break through to enemy positions, conduct assault operations, and quickly shift the direction of attack," it said on its Telegram channel. The motorbike assault company appears to run a paired configuration with one driver and one gunman. 425th Separate Assault Regiment/Screenshot The use of motorcycles to carry troops into battle is well-documented in Ukraine. Since early last year, Russian troops have been increasingly seen riding on light vehicles such as ATVs and motorbikes as both a means of transport and a way to attack Ukrainian positions rapidly.Their rise is largely viewed as a direct consequence of drone warfare, since armored vehicles are often vulnerable to exploding drones on Ukraine's flat terrain.While motorbikes leave the rider more exposed, they're faster, nimbler, and smaller, which makes them better able to evade attacks from small drones."Russia's increased use of motorcycles is an adaptation in response to pervasive Ukrainian drone strikes against Russian armored vehicles and the unsustainable armored vehicle losses that Russian forces suffered in late 2023 and 2024," the Institute for the Study of War wrote in early May.Ukraine's troops initially balked at the attack method, which the Russians used in suicide assaults to wear down Ukrainian defenses and munitions.But the 425th's announcement on Tuesday means that some Ukrainians are now adopting the same tactic.In its statement, the 425th said its motorbike-riding troops had trained for "hundreds of hours" to shoot while on the move. The statement did not indicate whether the unit has started fighting or when its motorcycle troops will hit the front lines.The 425th released a video of about two dozen soldiers riding tandem on off-road motorbikes, with each pair involving one driver and an infantryman wielding an assault rifle."The goal is to ride in, strike quickly at enemy positions, dismount, storm in, secure a foothold, and complete the mission successfully," a Ukrainian soldier says in the video.Deploying motorbikes in a direct assault is an unusual tactic for modern war, where such vehicles are typically used for reconnaissance or infiltration. US special forces, for example, have used commercial bikes to navigate difficult terrain or traverse deserts in the Middle East. Ukrainian troops in the company said motorbikes offer them a swifter way to attack Russian positions, improving their safety. 425th Separate Assault Regiment/Screenshot But in Ukraine, the number of motorbikes sighted on the front lines has grown dramatically. In April, Ukrainian troops said they repelled a Russian assault on Pokrovsk that involved over 100 motorcycles.Several Russian motorized attacks last month were also reported to be comprised wholly of motorcycles and civilian vehicles. The latter have been increasingly appearing in the warzone, with Moscow's troops often sighted traveling in sedans and tractors at the rear — a likely sign of strain on Russian logistics and resources.Analysts from the ISW said in late April that it's likely Russia will start further incorporating motorcycles into its tactics for future attacks.Lt. Col. Pavlo Shamshyn, spokesperson of Ukraine's ground forces in Kharkiv, told local media that week that Kyiv believed the same."Our intelligence records the fact that in training centers on the territory of the Russian Federation and in the units themselves, active training of motorcycle drivers is taking place, and all this indicates that the assault operations of spring-summer 2025 will be carried out on motorcycles," Shamshyn told Ukrainian outlet Suspilne.

Eight years ago, Simon Whittaker, head of cyber security at Belfast-based consultancy Instil, narrowly avoided having his front door smashed in by the Police Service of Northern Ireland (PSNI) (see photo of warrant below) and was only saved from an expensive repair job because a relative was home at the time. Whittaker was the innocent victim of a misunderstanding that arose when his work as a cyber security professional butted heads with legislation contained in the UK’s Computer Misuse Act (CMA) of 1990 that at first glance seems sensible. “What happened to me is that we were working with a client who was working with an NHS Trust, demonstrating some of their software,” he explains. “Their software picked up information from various dark web sources and posted this information on Pastebin.” This post was made on Tuesday 9 May 2017 (remember this date – it’s important) and the information contained several keywords, including “NHS” and “ransomware” (see screenshot of Pastebin page below). This accidental act was enough to trip alarm bells somewhere in the depths of Britain’s intelligence apparatus. The National Crime Agency (NCA) got involved, emails whizzed back and forth over the Atlantic to the Americans. Unbeknownst to Whittaker and his family, a crisis was developing. “We ended up with eight coppers at our door and a lot of people very upset,” says Whittaker. “It cost us about £3,000 in legal fees, when all that had happened was a few words had been posted on Pastebin. “We talk about using a sledgehammer to crack a nut, but it’s quite accurate, inasmuch as they had identified the smallest amount of evidence – that wasn’t even evidence because nothing happened – but it was enough.” And the punchline? It just so happens that the posts were identified on Friday 12 May as part of the investigation into the WannaCry attack, which caused chaos across the NHS. Whittaker’s home was raided the following Monday. So, what is the CMA, and how did it almost land Whittaker in the nick? It’s a big question that speaks not only to his unpleasant experience, but to wider issues of legal overreach, government inertia and, ultimately, the ability of Britain’s burgeoning cyber security economy to function to its full potential. Indeed, the CyberUp campaign for CMA reform estimates that the UK’s security firms lose billions every year because the CMA effectively binds them. In a nutshell, it defines the broad offence of Unauthorised Access to a Computer. At face value, this is hard to argue with because it appears to make cyber crime illegal. However, in its broad application, what the offence actually does is to make all hacking illegal. As such, it is now woefully outdated because it completely fails to account for the fact that, from time to time, legitimate security professionals and ethical hackers must access a computer without authorisation if they are to do their jobs. “It’s so frustrating, the idea that there’s a piece of legislation that’s been around for so long that was originally brought in because they didn’t have any legislation,” says Whittaker. “Somebody broke into Prince Philip’s email account, a BT account, and they didn’t have any legislation to do them under, so they got them under the Forgery and Counterfeiting Act.” Whittaker is referring to a 1985 incident in which security writer and educator Robert Schifreen hacked the BT Prestel service – an early email precursor – and accessed the Duke of Edinburgh’s mailbox. Schifreen’s archive, preserved at the National Museum of Computing, reveals how he hacked Prestel to raise awareness of potential vulnerabilities in such systems. In a 2016 interview, Schifreen told Ars Technica that he waited until after 6pm on the day of the hack to be sure that the IT team had gone home for the evening and couldn’t interfere. He even tried to tell BT what he was doing. The CMA was the Thatcher government’s response to this, and 35 years on, the offence of Unauthorised Access to a Computer is now at the core of a five-year-plus campaign led by the CyberUp group and backed in Parliament by, among others, Lord Chris Holmes. Whittaker says it is very clear that in 1990, it was impossible to predict that research would fall into the information security domain.  “Nobody expected there would be people open to bug bounties or to having their IT researched and investigated. I don’t think anybody back then realised that this was going to be a thing – and if you look at the underlying message of the CMA, which is, ‘Don’t touch other people’s stuff’, there is some sense to that,” he says. “But what the CMA doesn’t do is put any kind of allowance for research or understanding that there are cyber professionals out there whose job it is to try to break things, to try to keep the nation secure and organisations safe,” he adds. “The CMA was a piece of legislation that was very broad, and the idea that it’s still there after this amount of time, and hasn’t been adapted in accordance with the changes we’ve seen over the last 20, 25 years that I’ve been in the industry, is quite bizarre,” says Whittaker. “The legislation around murder hasn’t changed since 1861 in the Offences Against the Person Act. It’s not like the offence of murder has changed hugely since 1861, whereas the computing world has changed dramatically since 1990.” Cutting to the core of the problem, what the CMA does in practice is force security professionals in the UK to operate with one eye on the letter of the law and one hand tied behind their backs. Whittaker recounts another story from Instil’s archives. “We had a look on Shodan, and identified there was an open Elasticsearch bucket that was dropping credentials for a very large mobile phone and fixed-line provider in Spain. “Every time a new order came in, it dropped their data into this bucket, which then provided names, addresses, telephone numbers, bank details, lots of really interesting stuff,” he says. “We were very concerned about reporting this. Because we had found it, we were concerned there was going to be blame associated with us. Why were you looking? What were you doing? What was happening here? We engaged our lawyers to help us do that responsible disclosure to them. “We did it privately – we’ve never spoken about it to anybody, but we spoke with the organisation and they were ultimately very grateful. Their CISO was very understanding, but it still cost us about two grand in legal fees to be able to do it.” Whittaker can recount many other stories of how people who are just trying to do some public-spirited research into similar issues have had to either stop and not do it, or travel to another jurisdiction to do it, because of the CMA. To more deeply understand how the CMA hamstrings the UK’s cyber professionals, let’s go back in time again, this time to the early 2000s, when Whittaker, then working in software development, caught the cyber bug after a job took him to Russia following an acquisition. “One of the first things the Russians asked us was, “Have you ever had a security or pen test?’ We said, ‘No, but don’t worry, we’re really good at this stuff’, and within 20 seconds, they had torn us to pieces and broken us in multiple different ways. I was watching the test and I said, ‘That’s so cool, how do I work out how to do that?’” If the amendment comes, it will enable us to be able to compete and to protect ourselves and our citizens in a much better way Simon Whittaker, Instil About 20 years down the line, Whittaker’s company, founded as Vertical Structure, but now merging into InstilCrest-accredited penetration tester, and certified by the National Cyber Security Centre (NCSC) as a Cyber Essentials certifying body and an assured service provider for the Cyber Essentials programme. “We teach people how to break things. We teach people how to break into their own systems. We teach people how to break into their own cloud infrastructure, how to do threat modelling, so they can start to understand how to think about threats,” he explains. But in practice, this means Whittaker and his team are teaching people to do things that a court could argue is against the CMA in some way, shape or form, so in addition to the technicalities, he is also very careful to teach his clients all about the law and how to operate within its confines when brushing up against hard limits. “The pieces of paper have to be signed, the scope has to be agreed on,” says Whittaker. “When we’re teaching juniors, we spend probably half a day going through the CMA and detailing to them exactly how nervous they have to be about this stuff, making sure they are aware of it. “It is definitely at the forefront of our minds. And if there is a breach in scope, you stop. You contact the client and say, ‘Listen, we’ve scanned too many IPs, we’ve done this, we’ve done that’. You speak to the client regularly about making sure that doesn’t happen. “In all of our considerations, we would rather pull back on the project rather than risk hitting a third party when we’re pen testing,” says Whittaker. He looks, maybe a little wistfully, to the work of security researchers at larger US or Israeli security organisations that have a little leeway in such things, or to the work of those in more lenient jurisdictions, such as the Baltics, where the cyber research wings of prominent virtual private network providers churn out large volumes of research, often on big flaws in consumer technology. “You hear, for instance, stories about broadband provider X that sent this box that is rubbish and can be accessed remotely. I can hack all of those things, but I can’t go and do the research in a responsible, formal way, because if I do, I run the risk of being arrested or sued,” he says. “It’s really frustrating for smaller organisations like ourselves. We want to be able to do this research. We want to be able to help. We want to be able to provide this information. But it’s very complicated.” The Computer Misuse Act is currently up for reform as part of a wider Home Office review of the act, but progress has been shaky and stalled out several times thanks to the Covid-19 pandemic and the successive collapses of Boris Johnson’s and Liz Truss’s governments. It’s frustrating for smaller organisations like ourselves. We want to be able to do this research. We want to be able to help. We want to be able to provide this information. But [the law makes it] very complicated Simon Whittaker, Instil Cut to 2024 and a new Labour government, and things seemed to be moving again. But then in December 2024, attempts by Lord Holmes and other peers to have the Data (Access and Use) Bill amended to introduce a statutory defence for cyber professionals were rebuffed by the government, with under-secretary of state at the Department for Science, Innovation and Technology (DSIT) Baroness Margaret Jones saying reform was a complex issue. The government is considering improved defences through engagement with the security community, but Jones claims that to date, there is no consensus on how to do this within the industry, which is holding matters back. More recently, science minister Patrick Vallance weighed in after police highlighted their concerns that allowing unauthorised access to systems under the pretext of identifying vulnerabilities could be exploited by cyber criminals. He said: “The introduction of these specific amendments could unintentionally pose more risk to the UK’s cyber security, not least by inadvertently creating a loophole for cyber criminals to exploit to defend themselves against a prosecution.” But after many years and frequent engagement with the government, the campaigners, while keeping things civil, are clearly frustrated – and understandably so. They want things to be moving faster. Whittaker says reform would be the difference between night and day for his security practice. “It would allow us to be more secure in our research. I’d love to be able to just look at things in more detail and help people secure themselves. It would allow us to focus on our jobs instead of being worried that we’re going to breach something or that something else is going to go wrong. It would be a step change from what we currently see – that ability to perform in a useful way,” he says. “All we are trying to do is give our teams, these experts that we have right here in Belfast and around the country, the ability to be able to compete on a global scale. If the amendment comes, it will enable us to be able to compete and to protect ourselves and our citizens in a much better way,” he concludes. And when all is said and done, isn’t keeping the UK safe in the ever-changing, ever-expanding threat landscape more important than enforcing a blanket definition of hacking as an illegal act when cyber criminals around the world know full well they’re breaking the law and simply don’t give a damn? Timeline: Computer Misuse Act reform January 2020: A group of campaigners says the Computer Misuse Act 1990 risks criminalising cyber security professionals and needs reforming. June 2020: The CyberUp coalition writes to Boris Johnson to urge him to reform the UK’s 30-year-old cyber crime laws. November 2020: CyberUp, a group of campaigners who want to reform the Computer Misuse Act, finds 80% of security professionals are concerned that they may be prosecuted just for doing their jobs. May 2021: Home secretary Priti Patel announces plans to explore reforming the Computer Misuse Act as calls mount for the 31-year-old law to be updated to reflect the changed online world. June 2022: A cross-party group in the House of Lords has proposed an amendment to the Product Security and Telecommunications Infrastructure Bill that would address concerns about security researchers or ethical hackers being prosecuted in the course of their work. August 2022: A study produced by the CyberUp Campaign reveals broad alignment among security professionals on questions around the Computer Misuse Act, which it hopes will give confidence to policymakers as they explore its reform. September 2022: The CyberUp coalition, a campaign to reform the Computer Misuse Act, has called on Liz Truss to push ahead with needed changes to protect cyber professionals from potential prosecution. January 2023: Cyber accreditation association Crest International lends its support to the CyberUp Campaign for reform to the Computer Misuse Act 1990. February 2023: Westminster opens a new consultation on proposed reforms to the Computer Misuse Act 1990, but campaigners who want the law changed to protect cyber professionals have been left disappointed. March 2023: The deadline for submissions to the government’s consultation on reform of the Computer Misuse Act is fast approaching, and cyber professionals need to make their voices heard, say Bugcrowd’s ethical hackers. November 2023: A group of activists who want to reform the UK’s computer misuse laws to protect bona fide cyber professionals from prosecution have been left frustrated by a lack of legislative progress. July 2024: In the Cyber Security and Resilience Bill introduced in the King’s Speech, the UK’s new government pledges to give regulators more teeth to ensure compliance with security best practice and to mandate incident reporting. July 2024: The CyberUp Campaign for reform of the 1990 Computer Misuse Act launches an industry survey inviting cyber experts to share their views on how the outdated law hinders legitimate work. December 2024: An amendment to the proposed Data (Access and Use) Bill that will right a 35-year-old wrong and protect security professionals from criminalisation is to be debated at Westminster. December 2024: Amendments to the Data Bill that would have given the UK cyber industry a boost by updating restrictive elements of the Computer Misuse Act have failed to progress beyond a Lords committee. January 2025: Science minister Patrick Vallance rejects proposed amendments to the Computer Misuse Act, arguing that they could create a loophole for cyber criminals to exploit.

The Trump administration's plan to accept a luxury jet donated by the Qatari government to use as Air Force One raises significant security concerns, intelligence experts and government officials say, as President Donald Trump said it would be "stupid" not to accept a free plane.Trump on Monday defended the administration's plans to receive a luxury jet donated by the Qatari government during remarks at the White House, calling the donation a "very nice gesture.""I would never be one to turn down that kind of an offer. I mean, I could be a stupid person and say, 'No, we don't want a free, very expensive airplane.' But it was, I thought it was a great gesture," he said.MORE: Trump admin live updatesRhode Island Sen. Jack Reed, the top Democrat on the Senate Armed Services Committee, slammed the move, arguing that using the plane as Air Force One would "pose immense counterintelligence risks by granting a foreign nation potential access to sensitive systems and communications.""This reckless disregard for national security and diplomatic propriety signals a dangerous willingness to barter American interests for personal gain," Reed said in a statement Monday. "It is an affront to the office of the presidency and a betrayal of the trust placed in any U.S. leader to safeguard the nation's sovereignty."Air Force One a 'high-value target'Air Force One sits on the tarmac, May 12, 2025, at Joint Base Andrews, Maryland.Win McNamee/Getty ImagesThe primary aircraft used in the current Air Force One fleet includes two aging Boeing 747-200 jumbo jets that have been operational since 1990. Despite flying for more than 35 years, the current pair of Air Force One jets are considered some of the safest and secure aircraft in the world.Many of the security features on the plane remain classified. It has anti-missile defenses or countermeasure systems to protect against surface-to-air and air-to-air missiles, and the communication devices can also withstand the pulse of a nuclear blast. It is also outfitted with sophisticated communications capability to allow the president to securely run the country from the plane and protect him from cyberattacks."It's designed to transport the president in a safe way and be able to withstand physical attacks, but to also ensure that the president maintains communication with military, his cabinet, other government leaders in a safe and secure manner," said John Cohen, an ABC News contributor and former acting Homeland Security official. "Any building or vehicle or airplane that the president is located is a high-value target for foreign intelligence services who want to gather as much information about the president."Air Force One can also remain in the air for several days due to its ability to refuel in midair. The plane also houses a small medical facility where doctors could perform surgery if needed.All of these systems would likely need to be installed on the Boeing 747-8 that Trump would receive as a gift from Qatar.MORE: Trump defends Qatar jumbo jet offer, says it would be 'stupid' to turn away free planeA jet donated by Qatar would also be a "counterintelligence nightmare," ABC News contributor Darrell Blocker, a former CIA field operative, said."If you go back to almost anything that is given by a foreign government, there are regulations and restrictions and guidelines for ensuring that they're not being bugged, and a plane would be an absolute nightmare to be able to confirm that it's not," Blocker told ABC News Live on Monday. "From an intelligence perspective, it's not the brightest move."Blocker cited that when the U.S. embassy was being built in Moscow in the 1980s, the U.S. had to "take it down to its bare bones" because the Russians "put bugs through every room, every facility.""I think the people of Troy, when they accepted that horse, regretted it after the fact also," he said.The complexity and time needed to retrofit and inspect the plane raise questions on cost and a timeline."Even under the best of circumstances, it's going to take a significant effort for the military to be satisfied that the aircraft is constructed safely, that it's not compromised from the standpoint of intelligence collection capabilities being planted on it, and that it is built in a way that it will be able to assimilate the sensitive communications and countermeasure capabilities that are that are present on any plane that's Air Force One," Cohen said. "To be done right, it's not going to happen quickly.""In order to adequately ensure that this airplane -- which was operated by a foreign government that happens to have a relationship with Iran and China and Russia -- in order to ensure that that plane has not had collection capabilities introduced into it when it was constructed, they're gonna have to basically tear it down to the airframe," he added.White House working on 'legal details'Both the U.S. Air Force and the Department of Defense referred questions to the White House when asked about the possible transfer of the Qatari-owned Boeing 747 to the Department of Defense."The plane will be donated to the Department of Defense, and as with any foreign gift given to the United States Government, all proper safety and security protocols will be followed," White House spokesperson Anna Kelly told ABC News.House Speaker Mike Johnson said Monday he would not comment on Trump preparing to receive the jet from Qatar because he hasn't seen the "details."The White House is working on the "legal details" of the Qatari government's donation to the Defense Department, press secretary Karoline Leavitt said Monday in an appearance on Fox News."But, of course, any donation to this government is always done in full compliance with the law. And we commit ourselves to the utmost transparency and we will continue to do that," Leavitt added.President Donald Trump boards Air Force One at Joint Base Andrews, Md., on his way to Riyadh, Saudi Arabia, May 12, 2025.Manuel Balce Ceneta/APTrump said during remarks at the White House on Monday that he doesn't plan to use the plane after he leaves office. Pressed by ABC News Senior Political Correspondent Rachel Scott on what he would say to people who view the luxury plane as a personal gift to him, Trump said it was not a gift to him but "a gift to the Department of Defense."Sources familiar with the proposed arrangement told ABC News that the plane would be a gift that is to be available for use by Trump as the new Air Force One until shortly before he leaves office, at which time ownership of the plane will be transferred to the Trump presidential library foundation.If a private contractor were able to complete the modifications needed to the donated plane before the end of Trump's presidency, many of the systems installed would then need to be removed should the Trump presidential library foundation take possession of the plane upon Trump leaving office due to the sensitive nature of the technology.Ultimately, Cohen said he suspects that members of the intelligence community and the military will assess the risk to national security and "the level of effort to minimize the risk to national security.""If they're doing their job, the president's national security team will explain to him the level of risk that exists if a foreign intelligence service were able to introduce collection capabilities that could intercept face-to-face communications on the plane, electronic communications coming from the plane," Cohen said. "They should also be explaining to him the level of effort that it will involve in order for that risk to be mitigated. And with that information, he can then make an informed decision on whether and under what conditions to accept the airplane."