RISKS Forum mailing list archives
Risks Digest 32.92
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 6 Nov 2021 20:18:40 PDT
RISKS-LIST: Risks-Forum Digest Saturday 6 November 2021 Volume 32 : Issue 92 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/32.92> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: SpaceX Under Fire After Autonomous Rocket Hits Pedestrian (The Onion) 9-year-old unlocks unconscious father's iPhone with his face to call 911 (Apple Insider via Monty Solomon) AI Is Not A-OK (NY Times) Fake Polls and Tabloid Coverage on Demand: The Dark Side of Sebastian Kurz (NYTimes) Trojan Source Bug Threatens the Security of All Code (KrebsonSecurity) Hackers are stealing data today so quantum computers can crack it in a decade (MIT Tech Review) Using Google search to deliver customers or worse (Mike) Credit-card PINs can be guessed even when covering the ATM pad (BleepingComputer) CoVID dream, risk, and the Newfoundland "cyberattack" (Rob Slade) Will there be vehicle safety tricks or treats this Halloween? (Gabe Goldberg) Re: I *really* hate Hopin ... (John Stewart) Re: Lettering on clothes mistaken for license plate (Andy Walker) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sun, 31 Oct 2021 16:13:59 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: SpaceX Under Fire After Autonomous Rocket Hits Pedestrian (The Onion) AUSTIN, TX—Calling it a terrible tragedy that could and should have easily been avoided, investigators slammed SpaceX Thursday after an autonomous rocket veered off course and struck a pedestrian. “At approximately 11 a.m. CST, a SpaceX Falcon9 rocket launched itself into traffic at 17,000 mph, hitting and subsequently killing a man who was crossing the street,” read a statement from the National Transportation Safety Board, adding that despite being programmed with the latest self-guiding software, the rocket entered traffic, ignored several red lights, and failed to disengage several high-speed booster rockets at the time of impact. “After striking and killing the pedestrian, the spaceship continued to accelerate, until it ultimately flew off of a cliff and collided with a tree, creating an enormous mushroom cloud visible from the entire city. Sadly, until we can enter the several hundred foot crater and find the rocket’s data logs, we may never know what truly happened.” At press time, SpaceX responded that while they were sorry for the loss of life, they were proud that no cars were harmed in the accident. https://www.theonion.com/spacex-under-fire-after-autonomous-rocket-hits-pedestri-1847946787 ------------------------------ Date: Thu, 4 Nov 2021 00:50:26 -0400 From: Monty Solomon <monty () roscom com> Subject: 9-year-old unlocks unconscious father's iPhone with his face to call 911 (Apple Insider) https://appleinsider.com/articles/21/11/03/9-year-old-unlocks-fathers-iphone-with-his-face-calls-911-as-carbon-monoxide-fills-home ------------------------------ Date: Sun, 31 Oct 2021 14:15:48 -0400 From: "George Sherwood" <sherwood () transedge com> Subject: AI Is Not A-OK (NY Times) Maureen Dowd interviews Eric Schmidt about the future of artificial intelligence. The first time I interviewed Eric Schmidt <https://www.nytimes.com/2009/04/15/opinion/15dowd.html?timespastHighlight=e ric,schmidt,maureen,dowd> , a dozen years ago when he was the C.E.O. of Google, I had a simple question about the technology that has grown capable of spying on and monetizing all our movements, opinions, relationships and tastes. "Friend or foe?" I asked. "We claim we're friends," Schmidt replied coolly. Now that the former Google executive has a book out Tuesday on "The Age of AI <https://www.littlebrown.com/titles/henry-a-kissinger/the-age-of-ai/97803162 73800/> ," written with Henry Kissinger and Daniel Huttenlocher, I wanted to ask him the same question about A.I.: "Friend or foe?" https://www.nytimes.com/2021/10/30/opinion/eric-schmidt-ai.html ------------------------------ Date: Sat, 6 Nov 2021 13:49:18 -0400 From: Monty Solomon <monty () roscom com> Subject: Fake Polls and Tabloid Coverage on Demand: The Dark Side of Sebastian Kurz (NYTimes) Fake Polls and Tabloid Coverage on Demand: The Dark Side of Sebastian Kurz The downfall of Austria’s onetime political Wunderkind put a spotlight on the cozy, sometimes corrupt, relationship between right-wing populists and parts of the news media. https://www.nytimes.com/2021/10/17/world/europe/austria-sebastian-kurz-scandal-chancellor.html ------------------------------ Date: Mon, 1 Nov 2021 10:19:16 -0700 From: Tom Van Vleck <thvv () multicians org> Subject: Trojan Source Bug Threatens the Security of All Code (KrebsonSecurity) https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/ Normally a scare headline like this would lead me to ignore it. But this has Ross Anderson's name on it. https://www.trojansource.codes/ ------------------------------ Date: Thu, 4 Nov 2021 00:47:58 -0400 From: Monty Solomon <monty () roscom com> Subject: Hackers are stealing data today so quantum computers can crack it in a decade (MIT Tech Review) https://www.technologyreview.com/2021/11/03/1039171/hackers-quantum-computers-us-homeland-security-cryptography/ ------------------------------ Date: Tue, 2 Nov 2021 03:13:11 +0000 From: "mike smith" <mike1234z () hotmail com> Subject: Using Google search to deliver customers or worse I've run across an interesting way some websites have found to deliver traffic to themselves. I was searching for a recipe and one of the Google search results appeared to have what I needed. However when I clicked on the link to ckbk.com<https://app.ckbk.com/> I found that while it was indeed the recipe I wanted, the actual contents were behind a paywall and I had to subscribe to see the actual recipe. It appears the website has found a way to recognize the Google spider and allow it to index their site but then lock out those using the search link from Google. Risks here start with persuading people to give credit card info for information that was seemingly provided openly on the web. Who knows what happens once they have that info. And if this website can give the spider one view of their website and the public something else, putting the promised content behind a paywall is going to be child's play compared to the other exploits possible. [Mike Smith alias Mike Thompson?] ------------------------------ Date: Thu, 4 Nov 2021 15:35:57 -0400 From: "Gabe Goldberg" <gabe () gabegold com> Subject: Credit-card PINs can be guessed even when covering the ATM pad (BleepingComputer) https://www.bleepingcomputer.com/news/security/credit-card-pins-can-be-guessed-even-when-covering-the-atm-pad/ [I did not dig this one up, but it is obvious to me that hand motions of one-finger keyers can be a big giveaway, requiring only one try in certain cases of geometric PINs on the standard keypad. PGN] ------------------------------ Date: Thu, 4 Nov 2021 11:36:58 -0800 From: Rob Slade <rmslade () shaw ca> Subject: CoVID dream, risk, and the Newfoundland "cyberattack" I've had another of my (infrequent) CoVID dreams. (I don't remember a lot of details, but the gist is there.) Somebody (possibly me) is supplying cleansers, unguents, and potions to the Royal Family. They are full of random ingredients, none of them particularly effective. So, somebody (possibly me) suddenly, and without warning, insists upon changing the formulations of the cleansers, unguents, and potion so that they *are*, at least minimally, effective. (High- handed, I know, but probably useful.) In recent days the IT systems underlying the Newfoundland and Labrador health ministry, and hospitals, and diagnostic services, have ceased to work. This, particularly in the middle of a pandemic, could be a problem, since nothing of a health nature, aside from direct emergency services, is happening. Nobody is saying much about it. The relevant minister, and law enforcement leaders, have, after more than a day of pretty much useless pronouncements, finally admitted that the situation is a result of a "cyberattack." This is a singularly unhelpful piece of information, given that it could describe almost anything. "Sources" are wildly speculating that it might be "ransomware," with no indication that any of those "sources" actually knows what "ransomware" *is*, beyond "something that's recently made problems for a lot of enterprises." (Similar "sources" are now saying that the "cyberattack" is the worst in Canadian history, despite not knowing what it is or how bad.) The lack of information *may* result from embarrassment (if, in *this* day and age, *I* had to admit that I'd suffered a ransomware attack and didn't know how to recover within a day or so, *I'd* certainly be embarrassed), or, probably more likely, a complete lack of understanding of what happened. My mother died recently. (No, I'm not changing the topic.) (Yes, thank you; it was not unexpected; she'd been going downhill; it was a relief; she'd had a "good innings.") Lots of people were very grateful to my mother, for a number of things. And she gave me one very great gift. Many years ago, I read an article from someone who said that *everyone*, these days, insisted that they worked in "high tech." And, not everyone could. So, he provided a guideline for determining whether you actually worked in high tech. If your mother understood what you did, you *didn't* work in high tech. My mother, very definitively, never, *EVER*, understood what I did. In fact, most of my *bosses* never understood what I did. I think I have this in common with most of you in information security. Most of us work for managers, supervisors, directors, and ministers who have only the vaguest notion of what we actually do, and the principles that drive us. Since information, and information processing, now basically drives almost all of the world, this creates a dangerous situation. There are many threats to that information, and that processing, and if you don't understand the threats, you can't take precautions. Take my original field of research. The fact that malware has exploded into myriad different forms makes it *more* important to know and define the various forms, not less. Different precautions and controls are effective against different types of malware. Some are best handled by security awareness training of staff (and, sometimes, customers). Some are addressed by very specific types of application level proxy firewalls. Some are addressed by having a backup. (Remember backups?) You need to know, specifically, what the threats are in order to protect against them. We, in information security, have always been faced with the problem of "training up." We are managed, and our budgets and resources are controlled, by those above us, in the org chart, who do not understand what we do. We need to take every opportunity (often when the metaphorical building next door metaphorically catches fire) to explain the risks facing the enterprise, and the precautions that need to be taken against those many risks. (And why "cloud" or "blockchain" is not the answer to every security question.) (I have a great problem understanding why senior management does not understand risk management. After all, if you are a manager, at any level, of whatever type, you manage two things: people and risk. But, then again, the pandemic has demonstrated, over and over again, with a huge number of illustrations, that we, as a species, are really and utterly terrible at assessing and managing risk. It's a wonder we've survived as long as we have.) We, in information security, need to step up our efforts to train managers, media, and the general public about the real risks that we, as a society, face every day. Now go make a backup. (Maybe more than one.) (Maybe more than one type.) It'll keep you safe from "ransomware" "cyberattacks." (Although not from breachstortion. But that's another story. Or attack.) ------------------------------ Date: Sun, 31 Oct 2021 16:32:50 -0400 From: "Gabe Goldberg" <gabe () gabegold com> Subject: Will there be vehicle safety tricks or treats this Halloween? Happy Halloween! Remember to drive carefully in your neighborhood tonight. With all the kids out in their costumes, hurrying for that next piece of candy, it is amongst the deadliest days of the year for younger pedestrians. And that’s true even if no one is testing self-driving car technology in your community. We recently sat down with National Public Radio’s Marketplace to discuss what the status of self-driving car regulations are, and how the current testing set-up works. As we noted, manufacturers are “just putting vehicles out on public roads, public highways, neighborhood streets, across the country, and collecting data and seeing how it goes. That is obviously something that most people aren’t aware of, and no one really signed up for.” Happy Halloween! Remember to drive carefully in your neighborhood tonight. With all the kids out in their costumes, hurrying for that next piece of candy, it is amongst the deadliest days of the year for younger pedestrians. And that’s true even if no one is testing self-driving car technology in your community. We recently sat down with National Public Radio’s Marketplace <https://www.autosafety.org/the-road-ahead-what-about-regulation-for-self-driving-cars/> to discuss what the status of self-driving car regulations are, and how the current testing set-up works. As we noted, manufacturers are *“just putting vehicles out on public roads, public highways, neighborhood streets, across the country, and collecting data and seeing how it goes. That is obviously something that most people aren’t aware of, and no one really signed up for.”* https://mailchi.mp/autosafety.org/october-safety-update?e=91e5c03d94 Check out the full interview here: The road ahead: What about regulation for self-driving cars? <https://www.autosafety.org/the-road-ahead-what-about-regulation-for-self-driving-cars/> [Also noted by Mark Brader, George Sigut, and Andy Walker. I am delighted that you follow up on such stories. However, I have a quibble. I sometimes run items that have nothing but a catchy URL. Sometimes when I am curious, I try to PGN-ed it. But this one was convoluted enough that I did not have enough time to verify my own interpretation. I would greatly appreciate submissions with your own version of what is in the URL story, to share with RISKS readers. PGN] ------------------------------ Date: Mon, 1 Nov 2021 11:45:50 -0400 From: John Stewart <thompsonstevenssoftware () gmail com> Subject: Re: I *really* hate Hopin ... It's always interesting what goes on. Like Rob Slade, the organization I worked for for quite a while (Communications Research Centre, Ottawa) "did" Internet stuff. Way back in the mid '90s, us Canadians could participate in EU FP projects. Could not claim funds, but could participate. One fun one was the UCL-led MICE and MECCANO projects, "doing" Multicast Audio/Video conferencing, amongst other things. Two things came to light: 1) There was no way for two or three researchers to go off into a corner to quickly discuss some point, without disrupting the audio channel. A shared text-based white board was the saviour here. It worked really well. 2) Video was ok, but (other than sharing a slide deck) one did not need to see the face of the current speaker; it did not change that much, and none of us participants were anywhere near movie-star quality. I can remember Roy Bennett, the UCL-based facilitator asking on Audio "I see lots of conversations on the white board, but does anyone want to *say* anything?" I did have fun, as a side project, creating a VRML-based 3D front end to the audio tool, proximity based, so one could group with like minded people (Avatars) and talk, could see and hear other groups walk by, audio if they were close, just like real life. I led a little group doing fun things like that - I think we all enjoyed creating 3D interfaces for all sorts of things. Now, in 2021, it appears that: With Video; the main feature is to have a background (preferably animated, and of zero relevance) going in the background, which is imperfect at stitching the user onto the background; Audio - people are getting better, but the mute button gets ignored too much, so focus often changes to the coffee-slurpers (like me!) from the main presenter. Saying that, the video quality is definitely better than we had back in the mid 90s but the whole experience has not really progressed much. ------------------------------ Date: Sun, 31 Oct 2021 23:45:07 +0000 From: Andy Walker <anw () cuboid me uk> Subject: Re: Lettering on clothes mistaken for license plate (BBC) Point of order! Paula and Dave Knight, who received the fine, had nothing at all to do with sweater lady, and in particular Mr Knight is not her husband. Readers may also have noted the rather feeble attempt at a personalised number plate, approximating to KNigT.., which is pretty much as good as it gets for most UK car owners, given the rules by which our plates are assigned. [Similar comments from Mark Brader and George Sigut. I would be delighted if those of you who submit items with only the URL that spells out a catchy phrase would provide your own summaries. PGN] ------------------------------ Date: Mon, 1 Aug 2020 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 32.92 ************************
Current thread:
- Risks Digest 32.92 RISKS List Owner (Nov 06)