Risks Digest 32.92


From: RISKS List Owner <risko () csl sri com>
Date: Sat, 6 Nov 2021 20:18:40 PDT

RISKS-LIST: Risks-Forum Digest  Saturday 6 November 2021  Volume 32 : Issue 92

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.92>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
SpaceX Under Fire After Autonomous Rocket Hits Pedestrian (The Onion)
9-year-old unlocks unconscious father's iPhone with his face to call 911
 (Apple Insider via Monty Solomon)
AI Is Not A-OK (NY Times)
Fake Polls and Tabloid Coverage on Demand: The Dark Side of Sebastian Kurz
 (NYTimes)
Trojan Source Bug Threatens the Security of All Code (KrebsonSecurity)
Hackers are stealing data today so quantum computers can crack it in a
 decade (MIT Tech Review)
Using Google search to deliver customers or worse (Mike)
Credit-card PINs can be guessed even when covering the ATM pad
 (BleepingComputer)
CoVID dream, risk, and the Newfoundland "cyberattack" (Rob Slade)
Will there be vehicle safety tricks or treats this Halloween?
 (Gabe Goldberg)
Re: I *really* hate Hopin ... (John Stewart)
Re: Lettering on clothes mistaken for license plate (Andy Walker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 31 Oct 2021 16:13:59 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: SpaceX Under Fire After Autonomous Rocket Hits Pedestrian
 (The Onion)

AUSTIN, TX—Calling it a terrible tragedy that could and should have easily
been avoided, investigators slammed SpaceX Thursday after an autonomous
rocket veered off course and struck a pedestrian. “At approximately 11
a.m. CST, a SpaceX Falcon9 rocket launched itself into traffic at 17,000
mph, hitting and subsequently killing a man who was crossing the street,”
read a statement from the National Transportation Safety Board, adding that
despite being programmed with the latest self-guiding software, the rocket
entered traffic, ignored several red lights, and failed to disengage several
high-speed booster rockets at the time of impact. “After striking and
killing the pedestrian, the spaceship continued to accelerate, until it
ultimately flew off of a cliff and collided with a tree, creating an
enormous mushroom cloud visible from the entire city. Sadly, until we can
enter the several hundred foot crater and find the rocket’s data logs, we
may never know what truly happened.” At press time, SpaceX responded that
while they were sorry for the loss of life, they were proud that no cars
were harmed in the accident.

https://www.theonion.com/spacex-under-fire-after-autonomous-rocket-hits-pedestri-1847946787

------------------------------

Date: Thu, 4 Nov 2021 00:50:26 -0400
From: Monty Solomon <monty () roscom com>
Subject: 9-year-old unlocks unconscious father's iPhone with his face to
 call 911 (Apple Insider)

https://appleinsider.com/articles/21/11/03/9-year-old-unlocks-fathers-iphone-with-his-face-calls-911-as-carbon-monoxide-fills-home

------------------------------

Date: Sun, 31 Oct 2021 14:15:48 -0400
From: "George Sherwood" <sherwood () transedge com>
Subject: AI Is Not A-OK (NY Times)

Maureen Dowd interviews Eric Schmidt about the future of artificial
intelligence.

  The first time I interviewed Eric Schmidt
  <https://www.nytimes.com/2009/04/15/opinion/15dowd.html?timespastHighlight=eric,schmidt,maureen,dowd>,
  a dozen years ago when he was the C.E.O. of Google, I had a simple question
  about the technology that has grown capable of spying on and monetizing all
  our movements, opinions, relationships and tastes.

  "Friend or foe?" I asked.

  "We claim we're friends," Schmidt replied coolly.

  Now that the former Google executive has a book out Tuesday on "The Age of
  AI" <https://www.littlebrown.com/titles/henry-a-kissinger/the-age-of-ai/9780316273800/>,
  written with Henry Kissinger and Daniel Huttenlocher, I wanted to ask him
  the same question about A.I.: "Friend or foe?"

  https://www.nytimes.com/2021/10/30/opinion/eric-schmidt-ai.html

------------------------------

Date: Sat, 6 Nov 2021 13:49:18 -0400
From: Monty Solomon <monty () roscom com>
Subject: Fake Polls and Tabloid Coverage on Demand: The Dark Side of
 Sebastian Kurz (NYTimes)

Fake Polls and Tabloid Coverage on Demand: The Dark Side of Sebastian Kurz

The downfall of Austria’s onetime political Wunderkind put a spotlight on
the cozy, sometimes corrupt, relationship between right-wing populists and
parts of the news media.

https://www.nytimes.com/2021/10/17/world/europe/austria-sebastian-kurz-scandal-chancellor.html

------------------------------

Date: Mon, 1 Nov 2021 10:19:16 -0700
From: Tom Van Vleck <thvv () multicians org>
Subject: Trojan Source Bug Threatens the Security of All Code
 (KrebsonSecurity)

https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/

Normally a scare headline like this would lead me to ignore it.  But this
has Ross Anderson's name on it.

https://www.trojansource.codes/

------------------------------

Date: Thu, 4 Nov 2021 00:47:58 -0400
From: Monty Solomon <monty () roscom com>
Subject: Hackers are stealing data today so quantum computers can crack it
 in a decade (MIT Tech Review)

https://www.technologyreview.com/2021/11/03/1039171/hackers-quantum-computers-us-homeland-security-cryptography/

------------------------------

Date: Tue, 2 Nov 2021 03:13:11 +0000
From: "mike smith" <mike1234z () hotmail com>
Subject: Using Google search to deliver customers or worse

I've run across an interesting way some websites have found to deliver
traffic to themselves.  I was searching for a recipe and one of the Google
search results appeared to have what I needed.  However, when I clicked on
the link to ckbk.com <https://app.ckbk.com/>, I found that while it was
indeed the recipe I wanted, the actual contents were behind a paywall and I
had to subscribe to see the actual recipe.  It appears the website has found
a way to recognize the Google spider and allow it to index their site but
then lock out those using the search link from Google.

Risks here start with persuading people to give credit card info for
information that was seemingly provided openly on the web.  Who knows what
happens once they have that info.  And if this website can give the spider
one view of their website and the public something else, putting the
promised content behind a paywall is going to be child's play compared to
the other exploits possible.

  [Mike Smith alias Mike Thompson?]

------------------------------

Date: Thu, 4 Nov 2021 15:35:57 -0400
From: "Gabe Goldberg" <gabe () gabegold com>
Subject: Credit-card PINs can be guessed even when covering the ATM pad
 (BleepingComputer)

https://www.bleepingcomputer.com/news/security/credit-card-pins-can-be-guessed-even-when-covering-the-atm-pad/

  [I did not dig this one up, but it is obvious to me that hand motions of
  one-finger keyers can be a big giveaway, requiring only one try in certain
  cases of geometric PINs on the standard keypad.  PGN]

------------------------------

Date: Thu, 4 Nov 2021 11:36:58 -0800
From: Rob Slade <rmslade () shaw ca>
Subject: CoVID dream, risk, and the Newfoundland "cyberattack"

I've had another of my (infrequent) CoVID dreams.  (I don't remember a lot
of details, but the gist is there.)  Somebody (possibly me) is supplying
cleansers, unguents, and potions to the Royal Family.  They are full of
random ingredients, none of them particularly effective.  So, somebody
(possibly me) suddenly, and without warning, insists upon changing the
formulations of the cleansers, unguents, and potions so that they *are*, at
least minimally, effective.  (High-handed, I know, but probably useful.)

In recent days the IT systems underlying the Newfoundland and Labrador
health ministry, and hospitals, and diagnostic services, have ceased to
work.  This, particularly in the middle of a pandemic, could be a problem,
since nothing of a health nature, aside from direct emergency services, is
happening.  Nobody is saying much about it.  The relevant minister, and law
enforcement leaders, have, after more than a day of pretty much useless
pronouncements, finally admitted that the situation is a result of a
"cyberattack."  This is a singularly unhelpful piece of information, given
that it could describe almost anything.  "Sources" are wildly speculating
that it might be "ransomware," with no indication that any of those
"sources" actually knows what "ransomware" *is*, beyond "something that's
recently made problems for a lot of enterprises."  (Similar "sources" are
now saying that the "cyberattack" is the worst in Canadian history, despite
not knowing what it is or how bad.)  The lack of information *may* result
from embarrassment (if, in *this* day and age, *I* had to admit that I'd
suffered a ransomware attack and didn't know how to recover within a day or
so, *I'd* certainly be embarrassed), or, probably more likely, a complete
lack of understanding of what happened.

My mother died recently.  (No, I'm not changing the topic.)  (Yes, thank
you; it was not unexpected; she'd been going downhill; it was a relief;
she'd had a "good innings.")  Lots of people were very grateful to my
mother, for a number of things.  And she gave me one very great gift.  Many
years ago, I read an article from someone who said that *everyone*, these
days, insisted that they worked in "high tech."  And, not everyone could.
So, he provided a guideline for determining whether you actually worked in
high tech.  If your mother understood what you did, you *didn't* work in
high tech.  My mother, very definitively, never, *EVER*, understood what I
did.  In fact, most of my *bosses* never understood what I did.

I think I have this in common with most of you in information security.
Most of us work for managers, supervisors, directors, and ministers who have
only the vaguest notion of what we actually do, and the principles that
drive us.

Since information, and information processing, now basically drives almost
all of the world, this creates a dangerous situation.  There are many
threats to that information, and that processing, and if you don't
understand the threats, you can't take precautions.

Take my original field of research.  The fact that malware has exploded into
myriad different forms makes it *more* important to know and define the
various forms, not less.  Different precautions and controls are effective
against different types of malware.  Some are best handled by security
awareness training of staff (and, sometimes, customers).  Some are addressed
by very specific types of application level proxy firewalls.  Some are
addressed by having a backup.  (Remember backups?)  You need to know,
specifically, what the threats are in order to protect against them.

We, in information security, have always been faced with the problem of
"training up."  We are managed, and our budgets and resources are
controlled, by those above us, in the org chart, who do not understand what
we do.  We need to take every opportunity (often when the metaphorical
building next door metaphorically catches fire) to explain the risks facing
the enterprise, and the precautions that need to be taken against those many
risks.  (And why "cloud" or "blockchain" is not the answer to every security
question.)

(I have a great problem understanding why senior management does not
understand risk management.  After all, if you are a manager, at any level,
of whatever type, you manage two things: people and risk.  But, then again,
the pandemic has demonstrated, over and over again, with a huge number of
illustrations, that we, as a species, are really and utterly terrible at
assessing and managing risk.  It's a wonder we've survived as long as we
have.)

We, in information security, need to step up our efforts to train managers,
media, and the general public about the real risks that we, as a society,
face every day.

Now go make a backup.  (Maybe more than one.)  (Maybe more than one type.)
It'll keep you safe from "ransomware" "cyberattacks."

(Although not from breachstortion.  But that's another story.  Or attack.)

------------------------------

Date: Sun, 31 Oct 2021 16:32:50 -0400
From: "Gabe Goldberg" <gabe () gabegold com>
Subject: Will there be vehicle safety tricks or treats this Halloween?

Happy Halloween! Remember to drive carefully in your neighborhood
tonight. With all the kids out in their costumes, hurrying for that next
piece of candy, it is amongst the deadliest days of the year for younger
pedestrians. And that’s true even if no one is testing self-driving car
technology in your community.

We recently sat down with National Public Radio’s Marketplace to discuss
what the status of self-driving car regulations are, and how the current
testing set-up works. As we noted, manufacturers are “just putting
vehicles out on public roads, public highways, neighborhood streets,
across the country, and collecting data and seeing how it goes. That is
obviously something that most people aren’t aware of, and no one really
signed up for.”

https://mailchi.mp/autosafety.org/october-safety-update?e=91e5c03d94

Check out the full interview here: The road ahead: What about regulation
for self-driving cars?
<https://www.autosafety.org/the-road-ahead-what-about-regulation-for-self-driving-cars/>

  [Also noted by Mark Brader, George Sigut, and Andy Walker.  I am delighted
  that you follow up on such stories.  However, I have a quibble.  I
  sometimes run items that have nothing but a catchy URL.  Sometimes when I
  am curious, I try to PGN-ed it.  But this one was convoluted enough that I
  did not have enough time to verify my own interpretation.  I would greatly
  appreciate submissions with your own version of what is in the URL story,
  to share with RISKS readers.  PGN]

------------------------------

Date: Mon, 1 Nov 2021 11:45:50 -0400
From: John Stewart <thompsonstevenssoftware () gmail com>
Subject: Re: I *really* hate Hopin ...

It's always interesting what goes on. Like Rob Slade, the organization I
worked for for quite a while (Communications Research Centre, Ottawa) "did"
Internet stuff.

Way back in the mid '90s, we Canadians could participate in EU FP projects.
Could not claim funds, but could participate. One fun one was the UCL-led
MICE and MECCANO projects, "doing" Multicast Audio/Video conferencing,
amongst other things.

Two things came to light:

1) There was no way for two or three researchers to go off into a corner to
quickly discuss some point, without disrupting the audio channel. A shared
text-based white board was the saviour here. It worked really well.

2) Video was ok, but (other than sharing a slide deck) one did not need to
see the face of the current speaker; it did not change that much, and none
of us participants were anywhere near movie-star quality.

I can remember Roy Bennett, the UCL-based facilitator asking on Audio "I
see lots of conversations on the white board, but does anyone want to *say*
anything?"

I did have fun, as a side project, creating a VRML-based 3D front end to
the audio tool, proximity based, so one could group with like minded people
(Avatars) and talk, could see and hear other groups walk by, audio if they
were close, just like real life. I led a little group doing fun things like
that - I think we all enjoyed creating 3D interfaces for all sorts of
things.

Now, in 2021, it appears that:

With video: the main feature is to have a background (preferably animated,
and of zero relevance) going in the background, which is imperfect at
stitching the user onto the background;

Audio: people are getting better, but the mute button gets ignored too
much, so focus often changes to the coffee-slurpers (like me!) from the
main presenter.

Saying that, the video quality is definitely better than we had back in the
mid 90s but the whole experience has not really progressed much.

------------------------------

Date: Sun, 31 Oct 2021 23:45:07 +0000
From: Andy Walker <anw () cuboid me uk>
Subject: Re: Lettering on clothes mistaken for license plate (BBC)

Point of order!  Paula and Dave Knight, who received the fine, had nothing
at all to do with sweater lady, and in particular Mr Knight is not her
husband.  Readers may also have noted the rather feeble attempt at a
personalised number plate, approximating to KNigT.., which is pretty much as
good as it gets for most UK car owners, given the rules by which our plates
are assigned.

  [Similar comments from Mark Brader and George Sigut.  I would be delighted
  if those of you who submit items with only the URL that spells out a
  catchy phrase would provide your own summaries.  PGN]

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.92
************************