RISKS Forum mailing list archives
Risks Digest 33.15
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 18 Apr 2022 15:25:29 PDT
RISKS-LIST: Risks-Forum Digest Monday 18 April 2022 Volume 33 : Issue 15 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/33.15> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: [Propaganda-ish items from multiple viewpoints rejected.] SoCal man says car computer on his new Tesla froze, causing vehicle to be stuck at 83 mph on freeway (ABC7) Driverless Cars Can Be Tricked into Seeing Red Traffic Lights as Green (New Scientist) Risks of locust swarms (PGN) FBI removing malware surreptitiously (The Conversation) What Can Hackers Do With Stolen Source Code? (WiReD) U.S. officials preparing for potential Russian cyberattacks (CBSNews) Feds Uncover a Swiss Army Knife for Hacking Industrial Control Systems (WiReD) Google Bans Apps With Hidden Data-Harvesting Software (WSJ) Inside the Bitcoin Bust That Took Down the Web's Biggest Child Abuse Site (WiReD) The Uncanny Future of Romance With Robots Is Already Here (Yahoo!) In Race to Build Quantum Computing Hardware, Silicon Begins to Shine (Princeton) You agreed to what? Tax sites want your data for more than filing (WashPost) Those robot dogs got their first real job -- guarding Pompeii (NPR+PGN) Squirrely maintenance (PGN) Re: Spreadsheets are hot (Henry Baker) Re: Squirrels and rats attacking AT&T fiber (Charles Cazabon) History of Internet Security and AI for Cybersecurity 20 Apr 2022 (DrM) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 15 Apr 2022 15:16:16 -1000 From: geoff goodfellow <geoff () iconia com> Subject: SoCal man says car computer on his new Tesla froze, causing vehicle to be stuck at 83 mph on freeway (ABC7) The owner of a new Tesla Model 3 was left in shock after the car's main features allegedly froze while he was driving on the freeway. Javier Rodriguez of Irvine spoke with Eyewitness News on Tuesday and said it happened last Thursday while he was heading westbound on the 10 Freeway through Cabazon. He said the car was stuck going 83 mph and the main screen was frozen. He said all of the buttons and switches - including turn signals and hazard lights - were not working. "I noticed that it started to get hot in the car and there started to be a weird scent coming," recalled Rodriguez. "I was nervous that if I were to brake a whole lot that I wouldn't be able to gain the speed again to keep up with traffic and get around cars. I was nervous somebody was going to slam into me." Even though the accelerator wasn't responding, fortunately Rodriguez said the brakes did work, but said that didn't make him any more comfortable when he was trying to stop. He was able to make it off the road, and a few minutes later, the car rebooted. That's when everything seemed normal. An officer with the California Highway Patrol helped Rodriguez get off the freeway, where he eventually had the car towed. He said Tesla later told him they fixed the vehicle, but all they would say about what happened was what he said they wrote in the report. "Diagnosed and found poor communication from charge port door causing power conversion system to shut off in order to protect on board components during drive," Rodriguez recalled. [...] https://abc7.com/tesla-model-3-car-freezes-while-driving-la-drivers-freezing/11743278/ ------------------------------ Date: Mon, 18 Apr 2022 11:43:11 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: Driverless Cars Can Be Tricked into Seeing Red Traffic Lights as Green (New Scientist) Matthew Sparkes, *New Scientist*, 16 Apr 2022 via ACM TechNews; Monday, April 18, 2022 Researchers at China's Zhejiang University found driverless cars could be fooled into seeing red traffic lights as green. The scientists directed a laser at the sensors of five camera models used by self-driving vehicles, with two open-source software packages reading the captured images. Lasers of a 650-nanometer and a 520-nanometer wavelength rendered the entire image red or green, respectively, while flickering the laser at high frequencies only induced this coloration in certain image segments. Adding a horizontal bar of green or red caused both software packages to incorrectly sense the traffic lights as green 30% of the time and red 86% of the time, on average, across the cameras. https://orange.hosting.lsoft.com/trk/click?ref=3Dznwrbbrs9_6-2e718x2332ecx073464&; ------------------------------ Date: Sun, 17 Apr 2022 10:12:19 PDT From: Peter G Neumann <neumann () csl sri com> Subject: Risks of locust swarms Vast swarms of locusts have decimated crops and grasslands across southern Namibia in recent weeks and contributed to a deadly traffic accident. A minibus driver lost control on a slippery stretch of highway where the ravenous pests were keeping warm on the pavement at night. Three of the 17 passengers died, with several more sustaining injuries. Officials say the slime from locusts crushed by traffic caused the accident. Please add just one more corner case in your automated-vehicle threat model. San Francisco Chronicle, Sunday 17 Apr 2022, Earthweek: a diary of the planet, which this week includes climate change, a new strain of avian flu, record droughts in Chile, second year of record-breaking methane surge, +117F in Senegal, -102F in Vostok, Antarctica, volcano eruption in Costa Rica with zero warning, ------------------------------ Date: Tue, 12 Apr 2022 19:23:50 PDT From: Peter Neumann <neumann () csl sri com> Subject: FBI removing malware surreptitiously (The Conversation) https://theconversation.com/the-fbi-is-breaking-into-corporate-computers-to-remove-malicious-code-smart-cyber-defense-or-government-overreach-159185 https://arstechnica.com/information-technology/2022/04/watchguard-failed-to-disclose-critical-flaw-exploited-by-russian-hackers/ ------------------------------ Date: Thu, 14 Apr 2022 12:21:40 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: What Can Hackers Do With Stolen Source Code? (WiReD) Lapsus$ hackers leaked Microsoft's Bing and Cortana source code. How bad is that, really? The Lapsus$ digital extortion group is the latest to mount a high-profile data-stealing rampage against major tech companies. And among other things, the group is known for grabbing and leaking source code at every opportunity, including from Samsung, Qualcomm, and Nvidia. At the end of March, alongside revelations that they had breached an Okta subprocessor, the hackers also dropped a trove of data containing portions of the source code for Microsoft's Bing, Bing Maps, and its Cortana virtual assistant. Sounds bad, right? Businesses, governments, and other institutions have been plagued by ransomware attacks, business email compromise, and an array other breaches in recent years. Researchers say, though, that while source code leaks may seem catastrophic, and certainly aren't good, they typically aren't the worst-case scenario of a criminal data breach. ``Some source code does represent trade secrets, some parts of source code may make it easier for people to abuse systems, but accounts and user data are typically the biggest things companies have to protect'' says Shane Huntley, director of Google's Threat Analysis Group. ``For a vulnerability hunter, it makes certain things easier, allowing them to skip a lot of steps. But it's not magic. Just because someone can see the source code doesn't mean they'll be able to exploit it right then.'' In other words, when attackers gain access to source code—and especially when they leak it for all to see, a company's intellectual property could be exposed in the process, and attackers may be able to spot vulnerabilities in their systems more quickly. But source code alone isn't a road map to find exploitable bugs. Attackers can't take over Cortana from Microsoft or access users' accounts simply because they have some of the source code for the platform. In fact, as open source software shows, it's possible for source code to be publicly available without making the software it underpins less secure. https://www.wired.com/story/source-code-leak-dangers/ Best comment somewhere was that news of Bing source compromised resulted in 4x increase in searches, "What is Bing?". ------------------------------ Date: Mon, 18 Apr 2022 11:24:01 -0700 From: "Peter G. Neumann" <Neumann () csl sri com> Subject: U.S. officials preparing for potential Russian cyberattacks (CBSNews) This 60 Minutes episode on Russian cyberattacks might be of interest. https://www.cbsnews.com/news/russia-cyberattacks-60-minutes-2022-04-17/ [I found it quite thorough and convincing, as far as it went. PGN] ------------------------------ Date: Thu, 14 Apr 2022 15:42:37 -0600 From: Jim Reisert AD1C <jjreisert () alum mit edu> Subject: Feds Uncover a Swiss Army Knife for Hacking Industrial Control Systems (WiReD) Andy Greenberg, WiReD, 13 Apr 2022 https://www.wired.com/story/pipedream-ics-malware/ On Wednesday, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI jointly released an advisory about a new hacker toolset potentially capable of meddling with a wide range of industrial control system equipment. More than any previous industrial control system hacking toolkit, the malware contains an array of components designed to disrupt or take control of the functioning of devices, including programmable logic controllers (PLCs) that are sold by Schneider Electric and OMRON and are designed to serve as the interface between traditional computers and the actuators and sensors in industrial environments. Another component of the malware is designed to target Open Platform Communications Unified Architecture (OPC UA) servers -- the computers that communicate with those controllers. "This is the most expansive industrial control system attack tool that anyone has ever documented," says Sergio Caltagirone, the vice president of threat intelligence at industrial-focused cybersecurity firm Dragos, which contributed research to the advisory and published its own report about the malware. Researchers at Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric also contributed to the advisory. “It’s like a Swiss Army knife with a huge number of pieces to it." [The same item also noted by Gabe Goldberg as Pipedream Malware (with the rest of the above subject line. PGN] ------------------------------ Date: Wed, 13 Apr 2022 12:07:26 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: Google Bans Apps With Hidden Data-Harvesting Software (WSJ) Byron Tau and Robert McMillan, *The Wall Street Journal*, 6 Apr 2022, via ACM TechNews, Wednesday, April 13, 2022 Google has pulled dozens of applications from its Google Play store amid researchers' findings that they contain software that secretly harvests data. Serge Egelman at the University of California, Berkeley and Joel Reardon of Canada's University of Calgary found links between the code's developer, Panama-based Measurement Systems, and a Virginia defense contractor that conducts cyberintelligence and other work for U.S. national security agencies. They learned the code ran on millions of Android devices and could be found within a number of consumer apps. The researchers said Measurement Systems had paid developers to embed its data-harvesting software development kit into their apps, which "continues to underscore the importance of not accepting candy from strangers," according to Egelman. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e696x23314cx073061&; ------------------------------ Date: Sat, 16 Apr 2022 23:37:08 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Inside the Bitcoin Bust That Took Down the Web's Biggest Child Abuse Site (WiReD) They thought their payments were untraceable. They couldn't have been more wrong. The untold story of the case that shredded the myth of Bitcoin's anonymity. https://www.wired.com/story/tracers-in-the-dark-welcome-to-video-crypto-anonymity-myth/ ------------------------------ Date: Sun, 17 Apr 2022 12:17:17 -1000 From: geoff goodfellow <geoff () iconia com> Subject: The Uncanny Future of Romance With Robots Is Already Here (Yahoo!) In the late 2000s, a lifestyle reporter in Moscow named Eugenia Kuyda, then in her early twenties, decided to produce a cover story on Roman Mazurenko, the person at the center of Moscow's creative hipster scene at the time. Right from the start, Eugenia and Roman both felt they had a profound connection, and soon became close friends. A few years later, Kuyda moved to San Francisco to start a chatbot-based virtual assistant company. Shortly after, Mazurenko also moved and began his American life. They kept in touch continuously and exchanged endless text messages. But in late 2015 Mazurenko, then 34, was hit and killed by a car while crossing a street during a short visit in Moscow. Grieving Mazurenko, Kuyda read their messages over and over again. At some point, she realized that these messages had the potential to be more than just a memory. She took all the data she had and, with her team and using Google-based neural networks, built a chatbot version of Mazurenko. The result was surprisingly human-like. She could text with the chatbot on past and future events, and digital Mazurenko came to life and felt real. Digital Mazurenko was sad when she told him how much she missed him and joyful when she shared with him her recent achievements at her company. Kuyda and her team took this concept further and made a version that anyone could use. They named it Replika and users loved it instantly. Looking back at Replika’s success, Kuyda recounted, ``People started sending us emails asking us to build a bot for them.'' Some people wanted to build a replica of themselves, and some wanted to build a bot for a person that they loved but was gone. These positive reactions encouraged Kuyda and her team to go further—to create fictitious characters that accompany people around the world. Replika is now a companion chatbot app available on almost any operating system with the slogan: ``Always here to listen and talk. Always on your side.'' Millions have downloaded the app, and it boasts hundreds of thousands of reviews, most highly positive. [...] https://news.yahoo.com/uncanny-future-romance-robots-already-013111368.html ------------------------------ Date: Wed, 13 Apr 2022 12:07:26 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: In Race to Build Quantum Computing Hardware, Silicon Begins to Shine (Princeton) Tom Garlinghouse, Princeton University Department of Physics, 6 Apr 2022 Princeton University researchers achieved more than 99.8% fidelity using a two-qubit quantum device made from silicon. The researchers used a double quantum dot silicon device to capture and force two electrons to interact; the entangling operation achieved the highest fidelity achieved so far for a two-qubit gate in a semiconductor. Princeton's Jason Petta said, "This is the first demonstration of a semiconductor spin qubit system where we have integrated performance of the entire system--the state preparation, the readout, the single qubit control, the two-qubit control--all with performance metrics that exceed the threshold you need to make a larger-scale system work." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e696x233155x073061&; ------------------------------ Date: Wed, 13 Apr 2022 09:07:16 -0400 From: Monty Solomon <monty () roscom com> Subject: You agreed to what? Tax sites want your data for more than filing (WashPost) We investigate why Turbo Tax and H&R Block ask you to give up your return's basic federal privacy protections -- and explain how to demand your data back. https://www.washingtonpost.com/technology/2022/04/12/tax-prep-privacy/ ------------------------------ Date: Sun, 17 Apr 2022 11:11:39 +0800 From: Richard Stein <rmstein () ieee org> Subject: Those robot dogs got their first real job -- guarding Pompeii (npr.org) https://www.npr.org/2022/04/11/1092162972/boston-dynamics-robot-dogs-pompeii The robot doggie-breath patrol deters antiquities theft. No word if they are equipped with BD Entelodont jaw option. [Perhaps they are controlled by a real live but very well-trained Pompadour-styled Pomperanian in Pompeii? It might save Pompeii-ments for enlisting real dogs, but along the lines of Cave Canem, it also would avoid the canopy (cano-pee?) to cover up the mess of non-robo dogs. On the other hand, a new volcanic eruption might turn everything into the hardness of Pompegranite. {Please pardon my Pomp-ousness; without Pomp and Circumstance, the Pompandemic must be getting to me.} PGN] ------------------------------ Date: Tue, 12 Apr 2022 19:15:03 PDT From: "Peter G, Neumann" <neumann () csl sri com> Subject: Squirrely maintenance One of my neighbors who has recently experienced long AT&T home Internet outages reports that the maintenance folks cannot see the big picture of how the entire neighborhood is offline, as their diagnostic screens show only the house that is being remediated, with a different truck each day -- apparently with no carryover from one customer to another or oone day to the next. ``He told me he didn't even have a way to be aware of it, and he couldn't look it up anywhere. He said he could see only the call for my particular house and didn't have access to a bigger picture anywhere. The supervisor who came out said the same. In fact, they both said they had never heard of a squirrel problem. Go figure.'' [At least five AT&T trucks in the neighborhood again. PGN] ------------------------------ Date: Wed, 13 Apr 2022 00:15:39 +0000 From: Henry Baker <hbaker1 () pipeline com> Subject: Re: Spreadsheets are hot (Levine, RISKS-33.14) What's Going On Under the (Spread) Sheets Re: 'We also found that people Did Not Care' In the daze before IEEE-754 Floating Point Arithmetic[1], the 'same' program run on computers from different vendors would often produce different results -- sometimes *very* different results. Since this was embarrassing -- perhaps the original "Replication Crisis"[2] ? -- IEEE-754 standard arithmetic caught on extremely quickly. Now -- thanks to standardization -- everyone gets the same erroneous answers! :-) [1] https://en.wikipedia.org/wiki/IEEE_754 [2] https://en.wikipedia.org/wiki/Replication_crisis ------------------------------ Date: Tue, 12 Apr 2022 17:28:14 -0600 From: Charles Cazabon <charlesc-risks-digest () pyropus ca> Subject: Re: Squirrels and rats attacking AT&T fiber (Jha, RISKS-33.14)
It appears Honda thinks chili-flavored wire might work, though there is a concern that habituation would decrease long-term effectiveness:
Honda may be assuming too much from a study on a few lab rats. Different species react to capsaicin very differently, as I found inadvertently. I've had pet rabbits for many years. Once, when we were fostering a litter of young (~3 week old) abandoned bunnies, they jumped onto a kitchen table (they're like deer; you need a *really* tall fence to keep them out...) and ate a paper bag full of Thai Dragon peppers I was drying. It was my entire harvest for the year -- several dozen peppers, stems, seeds, and all. Also the paper bag, most of a pillar candle, half a bunch of bananas, with skins, and part of a lead candle holder. They weren't phased in the slightest by the capsaicin, though the peppers were far too hot for me in any quantity. I don't know how squirrels or other wire-destroying animals might handle capsaicin, but if I were a company looking at solutions, I would make sure I had a study of the particular animals of interest, and not try to generalize from a lab-rat study. ------------------------------ Date: Wed, 13 Apr 2022 08:42:16 -0400 From: Rebecca Mercuri <notable () mindspring com> Subject: History of Internet Security and AI for Cybersecurity 20 Apr 2022 (Hybrid ACM Baltimore Chapter Seminar)
From: Ashutosh Dutta, Ph.D., Chair ACM Baltimore Chapter <ashutosh.dutta () ieee org>
<https://r20.rs6.net/tn.jsp> ACM Baltimore Chapter 2nd Seminar (In-Person and Online) Wednesday, April 20, 2022, 5:00 PM -- 8:00 PM EST [Heavily PGN-ed] Agenda: (Talks will be Streamed Live/All Times are US Eastern Time) 5:50 PM -- 6:40 PM EST Invited Talk: “35 Years of Protecting the Internet, a historical retrospective (Prof. Steven M. Bellovin, Columbia University) 6:50 PM -- 7:40 PM EST Invited Talk: AI for Cybersecurity (Dr. Anupam Joshi, University of Maryland Baltimore County (UMBC)) 7:40 PM -- 8:00 PM EST Future Events and Vote of Thank FREE Zoom link: Tiny URL: bit.ly/ACM-Baltimore-20April <https://r20.rs6.net/tn.jsp?f=001ugrl-R-Nj9TAxqD8Tw8HWBr0746NepLvPxkTLFeGRdIvoN-yukpTAJuOxpq8aDlEmyb3aeZ7F65bGnX2TN41KI9WAqzW7tU_JeCjSOAQASkZIDnW4TInzvLeEK9TgeoFIAEh3oxqmny11ehTfrY-0OfzOGZI_plk&c=nPt7z5BlUR8jb4PjlmSKp446dMpl1wMqJ1-YfDrNiBmn2Q2xhqf0Wg==&ch=ivwzGJ9LdPeJtvzvVScCuBSPAO8pQ01M4DQ_QPnknSSvTdOtcnpe8g==> [TINY? You must be kidding. I deleted the full-length one, which was almost twice as long. PGN] ID: 160 781 8310 Password: 468284 Johns Hopkins University Applied Physics Lab, USA (Online and in-person) ------------------------------ Date: Mon, 1 Aug 2020 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 33.15 ************************
Current thread:
- Risks Digest 33.15 RISKS List Owner (Apr 18)