RISKS Forum mailing list archives
Risks Digest 33.29
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 16 Jun 2022 16:18:45 PDT
RISKS-LIST: Risks-Forum Digest  Thursday 16 June 2022  Volume 33 : Issue 29

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.29>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Self-driving car crashes (NHTSA via Monty Solomon)
Musk Achs: Twitter, Tesla, and SpaceX (Lauren Weinstein via PGN)
Two Israeli intel soldiers and a teenager charged with exposing classified
  information online (Haaretz)
Crypto's Price Plunge Exposes Industry's Unstable Roots (NYTimes)
Physics-Based Cryptocurrency Transmits Energy Through Blockchain (LLNL)
The NSA Says that There are No Known Flaws in NIST's Quantum-Resistant
  Algorithms (Bruce Schneier)
The "Sentient AI" story (Lauren Weinstein)
DVFS and Hertzbleed (Cliff Kilby)
Facebook Is Receiving Sensitive Medical Information from Hospital Websites
  (The Markup)
Facebook plans to show content mainly from strangers (The Verge)
BEREC network neutrality guidelines (Barbara van Schewick via LW)
Privacy bill would set out rules on use of personal data, artificial
  intelligence (CBC)
Executive Order 14028 and the death knell of jSCH (Cliff Kilby)
Re: How Henry Ford Would Deal With Today's Supply Chain Upheaval (Amos Shapir)
Re: Long-term planning and Optimization (Dick Mills, Amos Shapir)
Re: The Billionaires Seeking a U.S. Chip-Making Revival (Arthur Flatau)
Re: 5GSec Convergence Accelerator Proposal (Cliff Kilby)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 15 Jun 2022 22:04:32 -0400
From: Monty Solomon <monty () roscom com>
Subject: Self-driving car crashes (NHTSA)

  [3 items PGN-merged]

NHTSA: 'Self-driving' cars were linked to 392 crashes in 10 months
https://www.engadget.com/self-driving-car-technology-crash-data-172606258.html

NHTSA report shows Tesla Autopilot led the pack in crashes, but the data
has gaps (TechCrunch)
https://techcrunch.com/2022/06/15/tesla-autopilot-nhtsa-crashes-fatalities/

NHTSA data shows Teslas using Autopilot crashed 273 times in less than a year
https://arstechnica.com/cars/2022/06/teslas-using-autopilot-crashed-273-times-in-less-than-a-year/

------------------------------

Date: Thu, 16 Jun 2022 11:04:18 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Musk Achs: Twitter, Tesla, and SpaceX

  [PGN retitled with German grunt-pun, combining several contributions
  from Lauren into a single RISKS item.  PGN]

* More Musk

Musk essentially told Twitter employees that it's OK for Twitter to become
a cesspool of hate speech and disinformation, so long as Twitter doesn't
promote it and individuals can block any given sender.  This would still
turn Twitter into a hellhole.  Hate campaigns could drive individuals off
the platform, unable to block so many senders.  Crazies would spread hate
amongst themselves.  And all of this conflicts with the push to monitor
social media for law enforcement purposes.  A total mess.

* Musk vs. the EU

Twitter operates internationally.  Any given tweet thread may have
participants from anywhere in the world.  The EU is rapidly ramping up
prohibitions on hate speech and disinformation.  Think about it.

* Elon Musk, Tesla and SpaceX Hit With $258 Billion Dogecoin Lawsuit
https://decrypt.co/103089/elon-musk-tesla-spacex-dogecoin-lawsuit

------------------------------

Date: Wed, 15 Jun 2022 18:14:15 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Two Israeli intel soldiers and a teenager charged with exposing
  classified information online (Haaretz)

State prosecutors charge a reserve soldier and a service soldier of the
Intelligence Corps, and a teenager, with publishing classified military
information online.  According to charges, one of the soldiers used his
access to secret information to share it with the other, who shared it with
the teenager, who posted it on social media.

https://www.haaretz.com/israel-news/2022-06-13/ty-article/.premium/israeli-intel-soldier-minor-accused-of-posting-secrets-on-social-media/00000181-5ccd-d8b6-abdd-dccf0a990000

------------------------------

Date: Wed, 15 Jun 2022 11:37:24 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: Crypto's Price Plunge Exposes Industry's Unstable Roots (NYTimes)

David Yaffe-Bellany and Erin Griffith, *The New York Times*, 15 Jun 2022,
National Edition front page + A13

  A global industry worth hundreds of billions of dollars rose up
  practically overnight.  Now it is crashing down.

  For years [cryptocurrencies] have been marketed as a hedge against
  inflation caused by central banks flooding the economy with money.  ...
  But now, with stocks crashing, interest rates soaring and inflation high,
  cryptocurrency prices are also collapsing, showing they have become tied
  to the overall market.

p.A13 summary fragment: Companies are laying off staff and freezing
withdrawals.

  [Coinbase layoffs were noted briefly in RISKS-33.28, and extensively in
  this *Times* article.  PGN]

------------------------------

Date: Wed, 15 Jun 2022 12:01:04 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Physics-Based Cryptocurrency Transmits Energy Through Blockchain (LLNL)

Anne M. Stark, Lawrence Livermore National Laboratory, 13 Jun 2022,
via ACM TechNews, 15 Jun 2022

Researchers at the U.S. Department of Energy's Lawrence Livermore National
Laboratory (LLNL) have developed E-Stablecoin, a physics-based
cryptocurrency that connects electrical energy with blockchain technology.
LLNL's Maxwell Murialdo and Jon Belof said the energy-information link
supports the generation of a cryptocurrency token directly backed by and
convertible into one kilowatt-hour of electricity, making E-Stablecoin the
first digital token to be collateralized by a physical asset.  Said Belof,
"Through thermodynamic reversibility -- to the extent that it is allowed by
a modern understanding of statistical mechanics -- we envision a future
blockchain that is not only rooted in real-life assets like energy usage,
but also is a more responsible steward of our natural resources in support
of the economy."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ec97x2345b0x070443&

  [Tom Berson's reaction to this item was helpful:
    I was surprised to be told that a kWh of electricity is a physical
    asset.  It is 3.6 megajoules of energy.  I suppose it is convertible to
    mass by Einstein's equation.  I was also surprised that the cost of
    generating a kWh is somehow stable.  These cryptocurrency folk will stop
    at nothing.  TB]

  [What could possibly go wrong?  We need more stewards who are actually
  responsible, but today's stewards are running everything into the ground,
  particularly with respect to climate change.  How much energy is wasted in
  trying to make this link?  Also, we may need a Skewered Steward to
  assuredly pin the blockchain to statistical mechanics.  We may also need
  an E-Stable to house the blockchained E-horses that E-touts are betting
  will win the race (overseen by trusted racing E-stewards) for the best and
  most stable cryptocurrency, once they are let free from their blockchains
  and converted to real-world constraints.  But this LLNL item seems
  seriously overhyped, way beyond the inherent limitations of already
  overhyped cryptocurrencies.  Hyperbolic in the over-the-top sense, or on a
  nonconverging infinite hyperbolic geometry curve?  PGN]

------------------------------

Date: Wed, 15 Jun 2022 06:25:17 +0000
From: Bruce Schneier <schneier () schneier com>
Subject: The NSA Says that There are No Known Flaws in NIST's
  Quantum-Resistant Algorithms

Excerpt from CRYPTO-GRAM, 15 Jun 2022
https://www.schneier.com/crypto-gram/
Bruce Schneier, Fellow and Lecturer, Harvard Kennedy School
schneier () schneier com, https://www.schneier.com

NSA says there are no known flaws in NIST's quantum-resistant algorithms
16 May 2022
https://www.schneier.com/blog/archives/2022/05/the-nsa-says-that-there-are-no-known-flaws-in-nists-quantum-resistant-algorithms.html

Rob Joyce, the director of cybersecurity at the NSA, said so in an
interview:
https://www.bloomberg.com/news/articles/2022-05-13/nsa-says-no-backdoor-in-new-encryption-scheme-for-us-tech

  ``The NSA already has classified quantum-resistant algorithms of its own
  that it developed over many years.  But it didn't enter any of its own in
  the contest.  However, the agency's mathematicians worked with NIST to
  support the process, trying to crack the algorithms in order to test
  their merit.

  ``Those candidate algorithms that NIST is running the competitions on all
  appear strong, secure, and what we need for quantum resistance.  We've
  worked against all of them to make sure they are solid.  The purpose of
  the open public international scrutiny of the separate NIST algorithms is
  to build trust and confidence.''

I believe him.  This is what the NSA did with NIST's candidate algorithms
for AES and then for SHA-3.  NIST's Post-Quantum Cryptography
Standardization Process looks good.
<https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization>

I still worry about the long-term security of the submissions, though.  In
2018 in an essay titled Cryptography After the Aliens Land
<https://www.schneier.com/essays/archives/2018/09/cryptography_after_t.html>
I wrote:

  ...there is always the possibility that those algorithms will fall to
  aliens with better quantum techniques.  I am less worried about symmetric
  cryptography (where Grover's algorithm is basically an upper limit on
  quantum improvements) than I am about public-key algorithms based on
  number theory, which feel more fragile.  It's possible that quantum
  computers will someday break all of them, even those that today are
  quantum resistant.

  It took us a couple of decades to fully understand von Neumann computer
  architecture.  I'm sure it will take years of working with a functional
  quantum computer to fully understand the limits of that architecture.
  And some things that we think of as computationally hard today will turn
  out not to be.

EDITED TO ADD (6/14): Since I wrote this, flaws were found in at least four
candidates.
<https://english.elpais.com/science-tech/2022-03-24/using-just-a-laptop-an-encryption-code-designed-to-prevent-a-quantum-computer-attack-was-cracked-in-just-53-hours.html>
<https://www.idquantique.com/new-vulnerability-threatens-three-finalists-nist-pqc-contest/>

------------------------------

Date: Tue, 14 Jun 2022 20:35:54 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: The "Sentient AI" story

My email load is now significantly people asking me about the "Sentient
Google AI" story.  I have boilerplate now to explain in lay terms why
there's no sentience involved, but it's clear that corporate comms around
AI in general leave much to be desired.  -L

------------------------------

Date: Wed, 15 Jun 2022 16:57:05 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: DVFS and Hertzbleed

After reading about the M1 speculation issue in ARM (Risks 33.28) I was
reminded I had read something similar previously.  My recollection was
wrong, but it did eventually get to a point.
https://www.hertzbleed.com/ demonstrated a side channel attack against most
popular x86 chips.

I don't specialize in chipsets, and tend towards having to believe when I
ask the silicon for (1 | 0) it will almost never answer 2, or give my
private key to someone strolling by.

Seems like the industry was already aware there were some side channel
issues in DVFS, as CLKSCREW demonstrated as early as 2017.
https://www.bleepingcomputer.com/news/security/clkscrew-attack-can-hack-modern-chipsets-via-their-power-management-features/

So is Hertzbleed new?  I'd ask my computer but it seems to be saying "We've
been trying to reach you about your auto warranty."

------------------------------

Date: Thu, 16 Jun 2022 07:16:25 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Facebook Is Receiving Sensitive Medical Information from Hospital
  Websites (The Markup)

https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites

------------------------------

Date: Wed, 15 Jun 2022 16:32:11 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Facebook plans to show content mainly from strangers (The Verge)

https://www.theverge.com/2022/6/15/23168887/facebook-discovery-engine-redesign-tiktok

What could go wrong?

------------------------------

Date: Wed, 15 Jun 2022 23:04:31 +0000
From: Barbara van Schewick <schewick () stanford edu>
Subject: BEREC network neutrality guidelines

  [via Lauren Weinstein's Network Neutrality Squad distribution]

EU top telecom regulator BEREC just issued new net neutrality guidelines
<https://berec.europa.eu/eng/document_register/subject_matter/berec/regulatory_best_practices/guidelines/10280-berec-guidelines-on-the-implementation-of-the-open-internet-regulation>
that ban zero-rating plans that exempt specific apps or categories of apps
from people's monthly data caps.

This is a big deal.  The decision revolutionizes the treatment of
zero-rating in Europe and affects millions of Europeans.  I haven't seen a
lot of reporting yet, so thought I would share.  Links to two blog posts and
two Twitter threads below.

As I explain here
<https://cyberlaw.stanford.edu/blog/2022/06/european-regulators-just-stopped-facebook-google-and-big-telecoms-net-neutrality>,
the new guidelines are a huge win for Europeans and for the open Internet,
and for the consumer groups, civil society groups, and academics that have
fought so long for these changes.

The new guidelines respond to three 2021 decisions by Europe's top court,
which had found that discriminatory zero-rating violates Europe's net
neutrality law.  Big carriers & platforms such as Facebook & Google had
pressured BEREC to ignore the rulings or interpret them narrowly.  That's
not surprising.  Discriminatory zero-rating plans disproportionately
benefited big platforms like Apple, Google & Facebook, while small companies
& European startups were left out.

Following the recommendation of ETNO, the large telecom companies' trade
association, BEREC's earlier draft guidelines had not clearly prohibited
three kinds of harmful zero-rating practices, including carriers zero-rating
their own apps & requiring apps to pay for zero-rating.  That was a problem
because: (1) in the past carriers have only stopped bad practices when they
were unequivocally prohibited; and (2) these practices are even more harmful
than the ones that were clearly prohibited.

The new net neutrality guidelines close this loophole.  They unequivocally
prohibit all zero-rating offers that exempt select apps or categories of
apps from people's monthly data caps.  The ban applies whether the app pays
to be included or not.  (See the quote from para. 40b below.)

BEREC also rejected all other attempts by the large telecom companies to
water down the draft guidelines.  (For details, see BEREC's report on the
outcome of the consultation
<https://berec.europa.eu/eng/document_register/subject_matter/berec/reports/10278-report-on-the-outcome-of-public-consultation-on-the-update-to-the-berec-guidelines-on-the-implementation-of-the-open-internet-regulation>.)

Read more:

More on the new guidelines (also copied below):
https://cyberlaw.stanford.edu/blog/2022/06/european-regulators-just-stopped-facebook-google-and-big-telecoms-net-neutrality

How we got here and why it matters:
https://cyberlaw.stanford.edu/blog/2022/05/facebook-google-big-telecoms-want-keep-violating-net-neutrality-europe-regulators

Two Twitter threads:
https://twitter.com/vanschewick/status/1537046411186798598
  (on the new guidelines and why they matter)
https://twitter.com/vanschewick/status/1537181737582665729
  (how BEREC closed the loopholes in the draft guidelines despite intense
  pressure by large carriers and platforms)

European Regulators Just Stopped Facebook, Google and Big Telecoms' Net
Neutrality Violations
By Barbara van Schewick on June 15, 2022
<https://cyberlaw.stanford.edu/about/people/barbara-van-schewick>
URL: https://cyberlaw.stanford.edu/blog/2022/06/european-regulators-just-stopped-facebook-google-and-big-telecoms-net-neutrality

On Wednesday, European top telecom regulator BEREC, which consists of the
national telecom regulators from across the EU, published its revised net
neutrality guidelines
<https://berec.europa.eu/eng/document_register/subject_matter/berec/regulatory_best_practices/guidelines/10280-berec-guidelines-on-the-implementation-of-the-open-internet-regulation>.
The guidelines now prohibit broadband providers' zero-rating offers that
benefit select apps or categories of apps, whether they do so for free or
require apps to pay to be included.

Zero-rating is a practice where a carrier does not count some online
activity against a customer's monthly data cap.  For example, many European
carriers offer plans that don't count the data you use on Facebook or
WhatsApp against your data cap.

BEREC's previous net neutrality guidelines did not categorically ban
selective zero-rating programs or category-based ones that, e.g., offer to
zero-rate all music or video apps.  So carriers across the EU took advantage
and collectively launched hundreds of zero-rating programs
<https://epicenter.works/document/1522>.  These often exempted the carriers'
own services and disproportionately benefited big platforms
<https://cyberlaw.stanford.edu/blog/2022/05/facebook-google-big-telecoms-want-keep-violating-net-neutrality-europe-regulators>
like Apple, Google, and Facebook, while small companies and European
startups were left out.  BEREC has now banned those.

Here is my statement:

  "BEREC's new net neutrality guidelines are a great win for Europeans who
  will get more data to use as they choose, and they give a big,
  much-needed boost to online competition.  Despite intense lobbying from
  big carriers and giant platforms, BEREC voted to clearly ban zero-rating
  offers that benefit select apps or categories of apps by exempting them
  from people's monthly data caps.  The ban applies whether the app pays to
  be included or not, closing a loophole in the draft guidelines
  <https://cyberlaw.stanford.edu/blog/2022/05/facebook-google-big-telecoms-want-keep-violating-net-neutrality-europe-regulators>.

  This is good news for Internet users.  When harmful zero-rating plans are
  banned, users get much more data for the same price.  Carriers are no
  longer able to limit how people can use their data or push them to use
  apps from the dominant platforms.  We just saw this in Germany.  After the
  German regulator banned
  <https://www.bundesnetzagentur.de/SharedDocs/Pressemitteilungen/EN/2022/20220228_streaming.html>
  Deutsche Telekom's and Vodafone's discriminatory zero-rating plans,
  Vodafone gave affected customers up to 25% more data for the same price
  <https://www.computerbild.de/artikel/cb-News-Handy-Vodafone-GigaMobil-Tarife-32649151.html>.
  Earlier this month, Deutsche Telekom boosted some affected customers'
  monthly data volume from 24GB to 40GB for the same price
  <https://www.teltarif.de/telekom-tarife/news/88362.html>.  Additionally,
  smaller apps and websites no longer have to fight to be included in these
  kinds of zero-rating plans and can compete with the giant platforms on an
  equal footing.

  BEREC revised its guidelines after the European Court of Justice held
  <https://curia.europa.eu/jcms/upload/docs/application/pdf/2021-09/cp210145en.pdf>
  in September 2021 that discriminatory zero-rating plans violated net
  neutrality.  The court ruled that such plans violated the net neutrality
  law's requirement to treat all data equally, and that it did not matter
  whether the different treatment was technical, such as a fast lane, or
  economic, like selective zero-rating.

  The guidelines wisely allow carriers to offer non-discriminatory
  zero-rating programs that treat all data the same.  Your carrier can
  still not count data usage against your cap at certain times of day or as
  a promotion; it just can't force you to use that data on a specific site.
  Carriers in other countries that have banned discriminatory zero-rating
  have innovated
  <https://cyberlaw.stanford.edu/blog/2022/05/facebook-google-big-telecoms-want-keep-violating-net-neutrality-europe-regulators>
  with offers such as unmetered data from midnight to 6 a.m. or letting
  users choose hours per month where their data usage is uncounted
  <https://www.fido.ca/why-fido/extra-data>.

  I expect that carriers across the EU will soon end their discriminatory
  zero-rating plans and offer customers of those plans significantly more
  data for the same price."

Barbara van Schewick is one of the world's leading experts on net
neutrality, a professor at Stanford Law School, and the director of Stanford
Law School's Center for Internet and Society.

Background:

* You can read more on how we got here and why it matters in my earlier
  blog post: Facebook, Google & Big Telecoms Want To Keep Violating Net
  Neutrality In Europe.  Regulators Should Stop Them.
  <https://cyberlaw.stanford.edu/blog/2022/05/facebook-google-big-telecoms-want-keep-violating-net-neutrality-europe-regulators>

* BEREC's report on its decision
  <https://berec.europa.eu/eng/document_register/subject_matter/berec/reports/10278-report-on-the-outcome-of-public-consultation-on-the-update-to-the-berec-guidelines-on-the-implementation-of-the-open-internet-regulation>.

* BEREC's new guidelines
  <https://berec.europa.eu/eng/document_register/subject_matter/berec/regulatory_best_practices/guidelines/10280-berec-guidelines-on-the-implementation-of-the-open-internet-regulation>
  (Para. 40b: "BEREC considers any differentiated pricing practices which
  are not application-agnostic to be inadmissible for IAS offers, such as
  applying a zero price to ISPs' own applications or CAPs subsidizing their
  own data.")

Barbara van Schewick, M. Elizabeth Magill Professor of Law
Professor, by Courtesy, of Electrical Engineering
Director, Center for Internet and Society, Stanford Law School
Author of "Internet Architecture and Innovation," MIT Press 2010
URL: http://cyberlaw.stanford.edu/about/people/barbara-van-schewick
Twitter: @vanschewick <https://twitter.com/vanschewick>
E-Mail: schewick () stanford edu
Phone: 650-723 8340

------------------------------

Date: Thu, 16 Jun 2022 06:56:20 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Privacy bill would set out rules on use of personal data,
  artificial intelligence (CBC)

https://www.cbc.ca/news/politics/privacy-bill-artificial-intelligence-1.6490665

The federal Liberals plan to introduce privacy legislation today to give
Canadians more control over their personal data and introduce new rules for
the use of artificial intelligence.

The bill, to be presented by Innovation Minister Francois-Philippe
Champagne, aims to fulfill his mandate to advance the federal digital
charter, strengthen privacy protections for consumers and provide clear
rules for fair competition in the online marketplace.

The digital charter spells out 10 principles that range from ensuring
control over information to meaningful penalties for misuse of data.

------------------------------

Date: Thu, 16 Jun 2022 12:11:25 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Executive Order 14028 and the death knell of jSCH

Java is a popular middleware/backend programming language.  It does not
include a native library for SSH.  This drives developers who use secure
file transfer like sftp or scp to use a library to provide this function.
There are only 3 main libraries for this available to the general public:
jSCH, Jscape, and MINA.
http://www.jcraft.com/jsch/
https://files.jscape.com/sshfactory/docs/javadoc/overview-summary.html
https://mina.apache.org/

MINA is not well accepted, and Jscape has recently undergone an acquisition
and now has a burdensome license, driving users away from that project.
jSCH is the direction most developers end up taking.  This is evident in
Apache's own file transfer library, vfs2.  It does not use MINA as an SSH
client, it links to jSCH.
https://commons.apache.org/proper/commons-vfs/commons-vfs2/dependencies.html

Jcraft's implementation of jSCH was written for Java 1.2 and has seen few
updates since.  The last release was 4 years ago.

I believe this represents the existence of a widely distributed, but either
abandoned, or poorly supported library that is in wide use for critical
middleware/backend systems.  There is a chance that this software is just
abnormally stable, but I have yet to find any such indications with the
associated projects.  Per EO 14028, this software may meet the definition
for "critical to trust".

------------------------------

Date: Wed, 15 Jun 2022 18:26:55 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: How Henry Ford Would Deal With Today's Supply Chain Upheaval
  (RISKS-33.28)

The trouble is that since deregulation, stock values are decoupled from the
true value of companies.  Many companies made more money out of trading
their stocks than out of actual production.  Companies are no longer
committed to their product, not even committed to their customers, but only
committed to their shareholders; and in this environment, those
shareholders expect to get ever increasing returns on their investments, or
else they take their money elsewhere.

The result is that IBM is no longer a computer company, and Ford is no
longer a car company; both are stock traders who use computers or cars as
an excuse.  It's difficult to make any improvement on production (or
produce anything at all) in such an environment.

------------------------------

Date: Wed, 15 Jun 2022 17:38:22 -0400
From: Dick Mills <dickandlibbymills () gmail com>
Subject: Re: Long-term planning and Optimization (RISKS-33.28)

The long-term view of climate and other finite resource problems is that
overpopulation is the root cause.  The green/brown behavior of the populace
is secondary.  Banning fossil fuels results from short-term thinking.
Population reduction is the only possible long-term solution.

------------------------------

Date: Wed, 15 Jun 2022 18:16:30 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Long-term planning and optimization (RISKS-33.28)

The trouble is, for politicians "long term planning" means this evening's
8pm TV news.

------------------------------

Date: Wed, 15 Jun 2022 10:46:17 -0500
From: Arthur Flatau <flataua () acm org>
Subject: Re: The Billionaires Seeking a U.S. Chip-Making Revival (RISKS-33.28)

I think this is not at all the best example of problems with outsourcing.
The costs of developing new process technology are huge.  Developing
leading-edge process technology is very difficult; look at the example of
Intel, which has fallen behind.  With the exceptions of Samsung and Intel,
most companies do not have the resources to be able to develop new process
technology in a timely fashion, if at all.

No doubt, it should have been obvious that putting most of the high-end fabs
on an island that is not that geologically stable and is subject to
political disputes was not the best idea.

------------------------------

Date: Wed, 15 Jun 2022 11:40:34 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Re: 5GSec Convergence Accelerator Proposal (RISKS-33.28)

Variations on a Theme!!!

Microsoft is in the news for allowing users to query internal coordination
software, as noted in RISKS-33.28.
https://orca.security/resources/blog/synlapse-critical-azure-synapse-analytics-service-vulnerability/

Root cause?  According to NIST:
https://nvd.nist.gov/vuln/detail/CVE-2022-29972
  "Improper Neutralization of Argument Delimiters in a Command ('Argument
  Injection')"

I guess that Microsoft is probably a little salty about that.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
       <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.29
************************
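Editor's added example (not part of the digest or of any contributor's message), illustrating the weakness class that the CVE-2022-29972 item above quotes from NIST, CWE-88 "Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')". It is a generic illustration of the class, not a description of how the Azure Synapse issue itself worked. The idea: a wrapper passes an attacker-chosen value as a single argv element (so there is no shell and no shell injection), but the invoked command's own option parser still treats a value that begins with `-` as an option. The invoked "tool" is a hypothetical stand-in implemented with argparse; the `--output report.txt` default, the `--` separator fix and the leading-dash validation are the editor's choices, as is the constructed attacker value.

```python
"""Argument injection (CWE-88), shown against a stand-in for the invoked command.

Added example, not from the digest: the 'tool' parser, the wrappers and the
sample attacker value are all constructed for illustration.
"""
import argparse
from typing import Dict, List


def tool_parse(argv: List[str]) -> argparse.Namespace:
    """Hypothetical command-line tool: `tool [--output FILE] [NAME ...]`.

    It stands in for the real program a wrapper would exec.  Like most
    getopt/argparse-style programs it treats any argv element starting with
    '-' as an option unless that element appears after a literal '--'.
    """
    parser = argparse.ArgumentParser(prog="tool", add_help=False)
    parser.add_argument("--output", default=None)
    parser.add_argument("names", nargs="*")
    return parser.parse_args(argv)


def build_argv_vulnerable(user_value: str) -> List[str]:
    """Wrapper that splices untrusted input straight into argv.

    Using a list (not a shell string) rules out shell metacharacter
    injection, but the tool's own parser still sees user_value as a
    possible option: that is the 'argument delimiter' CWE-88 refers to.
    """
    return ["--output", "report.txt", user_value]


def build_argv_hardened(user_value: str) -> List[str]:
    """Wrapper that terminates option parsing with '--' before untrusted values.

    Everything after '--' is positional, whatever it starts with.  This is
    the idiomatic fix where the target honours '--' (POSIX getopt, argparse
    and most GNU tools do).
    """
    return ["--output", "report.txt", "--", user_value]


def reject_option_like(user_value: str) -> str:
    """Defence in depth for tools that do not honour '--': refuse values that
    look like options rather than trying to escape them."""
    if user_value.startswith("-"):
        raise ValueError(f"refusing option-like argument: {user_value!r}")
    return user_value


def run(argv: List[str]) -> Dict[str, object]:
    """Simulate exec'ing the tool and report what it would have done."""
    ns = tool_parse(argv)
    return {"output": ns.output, "names": list(ns.names)}


def run_vulnerable(user_value: str) -> Dict[str, object]:
    return run(build_argv_vulnerable(user_value))


def run_hardened(user_value: str) -> Dict[str, object]:
    return run(build_argv_hardened(user_value))


if __name__ == "__main__":
    # Constructed attacker-controlled value: a single argv element with no
    # shell metacharacters, yet it redirects where the tool writes.
    evil = "--output=/etc/cron.d/backdoor"
    print("vulnerable:", run_vulnerable(evil))  # output -> /etc/cron.d/backdoor
    print("hardened:  ", run_hardened(evil))    # output stays report.txt
    try:
        reject_option_like(evil)
    except ValueError as exc:
        print("validation:", exc)
```

The same pattern applies to any wrapper around `git`, `tar`, `curl`, `ssh` or similar where a filename, hostname or identifier from a request ends up in argv: put `--` before untrusted positionals where the tool supports it, and reject leading-dash values where it does not.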