RISKS Forum mailing list archives
Risks Digest 33.47
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 7 Oct 2022 20:39:06 PDT
RISKS-LIST: Risks-Forum Digest  Friday 7 October 2022  Volume 33 : Issue 47

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.47>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Shut-Off Switch Was Supposed to Prevent 99% of Generator-Related Deaths.
  It Failed a Family of Three. (TexasTribune)
Crash of Air France 447 redux (Jagan Jagannathan)
Automatic emergency braking is not great at preventing crashes at normal
  speeds (The Verge)
Chinese supply-chain tampering (Reuters)
Nordstream Explosion: Robotic Sabotage from *Inside*? (Henry Baker)
The Thorny Problem of Keeping the Internet's Time (David Mills)
The Securities and Exchange Commission Obstructs National Security
  (Ari Schwartz)
NY SBOE is buying ES&S barcoding voting machines (Rebecca Mercuri)
Conspiracy theories muddy Louisiana voting machine debate (AP item)
WashDC Metro system looking for solutions to fare evasion (WashPost)
I wouldn't get on that DC-area bus (Gabe Goldberg)
Microsoft Exchange 0-Day Attack Threatens 220,000 Servers (Dan Goodin)
In the Battle With Robots, Human Workers Are Winning (NYTimes)
A data-sharing agreement between the US and UK is now in effect (Engadget)
More Bosses Spy on Quiet Quitters. It Could Backfire (WSJ)
Canadian ransomware hacker sentenced to 20 years in U.S. prison (CBC)
Few Customers Get Refunds for Rampant Zelle Fraud (Senator Warren)
Are You a Victim of Crypto Crime? Good Luck Getting Help (WiReD)
El_Salvador's Bitcoin Law -- one year on, with the World's Coolest Dictator:
  Attack of the 50-Foot Blockchain (David Gerard)
SEC charges Kim Kardashian for allegedly not disclosing crypto promotion
  payday (WashPost)
Sorry, But Your Boss Is Pretty Hyped About Today's Most Annoying Tech Trends
  (PCMag)
Joe Sullivan guilty in Uber hacking case (WashPost)
I Make Video Games. I Won't Let My Daughters Play Them. (NYTimes)
AI can now create any image in seconds, bringing wonder and danger (WashPost)
Rethinking the Computer Chip in the Age of AI (Devorah Fischler)
Leading Makers Pledge Not to Weaponize Their Robots (Joe Hernandez)
Optus criticized for massive breach (Reuters)
Re: Optus' breach exposes 9.8M customers' data (John Colville)
Re: Wegmans Discontinues Self-Checkout App, Citing Losses (John Levine)
Re: Egypt's submarine cable stranglehold (Amos Shapir)
Re: Automakers are ignoring the simple solution to the rise of traffic deaths
  (Scott Dorsey)
Castiglioncello 2022: Nuclear Weapons: New Risks (Diego Latella)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 4 Oct 2022 09:59:09 -0400
From: Monty Solomon <monty () roscom com>
Subject: Shut-Off Switch Was Supposed to Prevent 99% of Generator-Related
  Deaths. It Failed a Family of Three. (TexasTribune)

A Shut-Off Switch Was Supposed to Prevent 99% of Generator-Related Deaths.
It Failed a Family of Three.

The generator industry has touted automatic shut-off switches as a
lifesaving fix for carbon monoxide poisoning. But the voluntary standard
falls short of what federal regulators say is necessary to eliminate deaths.
https://www.texastribune.org/2022/09/21/generators-carbon-monoxide-shutoff-switch-texas-cpsc

------------------------------

Date: Mon, 3 Oct 2022 07:59:16 -0700
From: Jagan Jagannathan <jagan () ahista com>
Subject: Crash of Air France 447 redux

https://admiralcloudberg.medium.com/the-long-way-down-the-crash-of-air-france-flight-447-8a7678c37982

------------------------------

Date: Fri, 30 Sep 2022 14:09:16 -0400
From: Monty Solomon <monty () roscom com>
Subject: Automatic emergency braking is not great at preventing crashes at
  normal speeds (The Verge)

https://www.theverge.com/2022/9/29/23377376/automatic-emergency-braking-average-speed-study-aaa

------------------------------

Date: Sun, 2 Oct 2022 03:33:35 -0400
From: "Steven J. Greenwald" <greenwald.steve () gmail com>
Subject: Chinese supply-chain tampering (Reuters)

Suspected Chinese hackers tampered with widely used software distributed by
a small Canadian customer service company, another example of a "supply
chain compromise" made infamous by the hack on U.S. networking company
SolarWinds.

Via Reuters:
https://www.reuters.com/technology/exclusive-suspected-chinese-hackers-tampered-with-widely-used-canadian-chat-2022-09-30/

------------------------------

Date: Fri, 30 Sep 2022 16:11:15 +0000
From: Henry Baker <hbaker1 () pipeline com>
Subject: Nordstream Explosion: Robotic Sabotage from *Inside*?

An intriguing possibility is that the Nordstream LNG pipelines were
sabotaged by robots *from the inside*!

This type of sabotage would not require submarines (robotic or otherwise),
frogmen, etc., but would only require the ability to insert a modern 'pig'
(inspection robot) into the pipeline from the Russian end controlled by
Gazprom.

This type of sabotage could have been performed during the recent
*maintenance shutdowns* over the past several months, and the explosions
later set off by remote control.
https://www.dw.com/en/denmark-sweden-view-nord-stream-pipeline-leaks-as-deliberate-actions/a-63251217
Denmark, Sweden view Nord Stream pipeline leaks as 'deliberate actions'
27 Sep 2022

Mikhail Krutikhin, an energy analyst from the RusEnergy consultancy, told DW
that initial evidence clearly pointed to sabotage, and said that a key
question going forward would be whether the damage originated inside or
outside the pipe. He said the shape of the damaged segments of pipe should
indicate this.

https://oilprice.com/Energy/Energy-General/Oil-Pipelines-To-Be-Inspected-By-Robots.html

------------------------------

Date: Mon, 03 Oct 2022 09:59:20 -0400
From: scs () eskimo com (Steve Summit)
Subject: The Thorny Problem of Keeping the Internet's Time (David Mills)

David Mills, TNY on NTP
https://www.newyorker.com/tech/annals-of-technology/the-thorny-problem-of-keeping-the-internets-time

There are a few bobbles: the author seems a bit confused over whether NTP is
an Internet RFC or a piece of software, and whether NTP is the IETF's only
concern. *The New Yorker*'s predilection for diereses in English is rather
comically distracting when ritually applied to the phrase "Coordinated
Universal Time".

Nevertheless, it's a nice read, covering both the technical issues and the
people involved, with a particularly touching portrait of Mills himself.

And the RISKS relevance is the points made -- not for the first time, but
not badly -- about the difficulties involved in placing the maintenance of
core protocols, upon which millions of computers depend, in the
decentralized hands of nearly anonymous, unpaid volunteers who can't always
even agree on who's in charge, let alone how the protocols should evolve.
------------------------------

Date: Fri, 30 Sep 2022 09:11:48 -0400
From: dan () geer org
Subject: The Securities and Exchange Commission Obstructs National Security
  (Ari Schwartz)

Editorial: The Securities and Exchange Commission Obstructs National Security
Public disclosure of cyber attacks shows weakness to enemies.
Ari Schwartz, https://www.wsj.com, 29 September 2022

The Securities and Exchange Commission seems to have missed a key principle
of fighting crime: Investigators don't release all the details of an
incident before it's solved because it would make it harder to catch the
criminal. This is true in cybersecurity too. You don't want hackers to know
they've been discovered or to highlight a company's weakness to other bad
actors. Yet a new rule from the SEC would require public disclosure of an
incident within four days of discovery, even if the hack is still under
investigation and hasn't been remedied.

Those of us who have dealt with actual cyber incidents know that a fix is
unlikely to materialize in four days. These reporting requirements will
place a spotlight on the vulnerability in the hacked company's
cybersecurity, putting the business at greater risk of suffering successive
attacks before the exploited weakness can be fixed.

That comes with a national security risk too, as nation states often engage
in or aid cyberattacks against companies. The SEC's new rule will help
states cover their tracks by alerting them to any discovery. And it'll make
it easier for them to find targets by highlighting what businesses are
vulnerable and how.

The goal of the SEC's new rule is to inform investors about attacks, which
is a fine idea in principle. Investors should be informed about firms'
cybersecurity risks and sharing information about attacks can help other
businesses optimize their own cyber defenses. Reporting is important, but
companies should be allowed to resolve an incident before making it public.

Other regulators are racing to require companies to report problems even
faster, creating the possibility of confusion of whom to report to and
when. Following the European Union requirement of three days, Congress has
charged the U.S. Department of Homeland Security to create rules that would
also require reporting within three days of an incident, except for
ransomware payments, which must be reported in one day. The New York State
Department of Financial Services is also asking for a report in three
days. The Office of the Comptroller of the Currency, Board of Governors of
the Federal Reserve System and the Federal Deposit Insurance Corp. have
required notification no later than 36 hours after a banking organization
determines that an incident has occurred. India has skipped a time frame
altogether, requiring immediate reporting to the government.

Unlike the SEC rules, most of these allow for companies to investigate and
remediate the incident. But it would be better if the U.S. agencies worked
together to create common rules that give businesses a reasonable delay
before they report. It would go a long way toward simplifying reporting
standards if they clarified what information needs to be reported and when.

The key is to balance national security with other concerns, including the
investor's right to be informed. This balance can be achieved, but it will
require agencies to look past their own narrow priorities and put the
public interest, including national security, first.

Mr. Schwartz served as special assistant to the president for cybersecurity
policy, 2013-15. He coordinates the Cybersecurity Coalition.
------------------------------

Date: Sun, 2 Oct 2022 19:57:04 -0400
From: Rebecca Mercuri <notable () mindspring com>
Subject: NY SBOE is buying ES&S barcoding voting machines

Unfortunately, it appears that the New York State Board of Elections has
been convinced (by ES&S and Dominion and others) to purchase new voting
machines that can add votes without the voters' consent. This will be
engineered by the fact that votes will not be counted from the verified
choices that the voters made, rather there will be a barcode (generated by
the voting system) that will be used to tally the results. It doesn't take a
rocket scientist to know that this is a big mistake.

Basically this purchase, if it goes through, will wind back all of the good
work that we [DrM--Rebecca Mercuri, PGN, and Ronnie Dugger] did, with
enormous inspiration from Mae Churchill, when [the first two of us testified
for the NYBoE in 1988] some 3 decades ago. Doug Kellner had spearheaded the
effort to thwart the DRE purchase in NYC when he was on the City board then,
and later, in his position on the State BOE, worked hard to ensure that NY
State regulations provided plenty of checks and balances, including being
the ONLY state in the country that REQUIRES escrow of voting system source
code (not that it'll ever be looked at, but at least they have it). I ran
into Doug a few years ago (pre-COVID) and it seemed that he had grown tired
of fighting the good fight, and these recent procurement decisions appear to
be evidence of that. Hence there are various current protest letters from
advocates (familiar folks who have been also fighting for 30+ years, but
haven't given up) against these new voting systems.

  [This is slightly edited from a private message for RISKS, with
  permission. Among other things, Rebecca seems to have some concerns about
  the letters' use of the term *voter-verifiable*, which was the focus of
  her PhD thesis 21 years ago. If you are interested in joining in on this
  old battle that never seems to go away, please contact her for more
  information. PGN]

------------------------------

Date: Sat, 1 Oct 2022 11:13:12 -0700
From: Peter G Neumann <neumann () csl sri com>
Subject: Conspiracy theories muddy Louisiana voting machine debate (AP item)

Sara Cline and Christina A. Cassidy, AP, *The Times Picayune*, 14 Aug 2022
  [With thanks to Sevilla Finley]

The need for Louisiana to replace its voting machines dating from 2006 is
not in dispute. What to do about them is another story. The machines' main
problem is that votes are recorded electronically without a paper record of
each voter's selections. However, "The problem in Louisiana is that if
someone were to allege the voting machines had been hacked, there would be
no conclusive evidence to rebut that." [or even to prove it!] [PGN-ed]

  [2006 is a very long time, but the situation is continually getting worse
  in many respects. See my most recent Inside Risks article in the
  Communications of the ACM: http://www.csl.sri.com/neumann/cacm252.pdf
  PGN]

------------------------------

Date: Wed, 5 Oct 2022 16:19:37 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: WashDC Metro system looking for solutions to fare evasion (WashPost)

Evasion has proliferated during the pandemic and is a visible reminder to
many riders of revenue Metro is not collecting

The issue has put a spotlight on Metro's recent $70 million replacement of
more than 1,200 fare gates at its 91 stations. The new gates are touch-free,
process mobile payments, display SmarTrip balances and improve Metro's
ability to collect ridership data, but do little to deter evasion of fares.
The gates predate the arrival of Clarke, who acknowledges Metro may have
erred in their design and has asked his staff to research possible
modifications.
But transit officials note they couldn't have foreseen the pandemic or its
effects, which some say has exacerbated fare evasion alongside higher gas
prices, inflation, and fewer passengers in buses or stations to discourage
evasions. They also say societal norms increasingly have been ignored during
the pandemic, a problem that extends to airlines battling passenger
disruptions, rising pedestrian deaths from reckless drivers and elevated
crime rates.

https://www.washingtonpost.com/transportation/2022/10/01/dc-metro-fare-evasion/

  [Right, after 100+ years of public transit, who could know people might
  evade fares?]

------------------------------

Date: Fri, 30 Sep 2022 00:47:40 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: I wouldn't get on that DC-area bus

...with front identification panel display alternating between these
designations in large friendly letters:

  Invalid code
  Please enter new code

------------------------------

Date: Wed, 5 Oct 2022 12:21:07 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Microsoft Exchange 0-Day Attack Threatens 220,000 Servers (Dan Goodin)

Dan Goodin, Ars Technica, 30 Sep 2022,
via ACM TechNews; Wednesday, October 5, 2022

Microsoft researchers said numerous servers have been compromised and
approximately 220,000 additional servers worldwide are threatened by two
critical vulnerabilities in its Exchange application. One is a server-side
request forgery vulnerability, and the other enables remote code execution
via PowerShell. The unpatched flaws were identified in August by researchers
at the Vietnamese security firm GTSC, who found that an Exchange
vulnerability was exploited to infect customer networks with malicious
webshells. The GTSC researchers said, "After successfully mastering the
exploit, we recorded attacks to collect information and create a foothold
in the victim's system.
The attack team also used various techniques to create backdoors on the
affected system and perform lateral movements to other servers in the
system." Microsoft is working on a patch for the new vulnerabilities.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f590x236956x070749&

------------------------------

From: Matthew Kruk <mkrukg () gmail com>
Date: Fri, 7 Oct 2022 12:09:44 -0600
Subject: In the Battle With Robots, Human Workers Are Winning (NYTimes)

https://www.nytimes.com/2022/10/07/opinion/machines-ai-employment.html

It's 2022, and computers keep stunning us with their achievements.
Artificial intelligence systems are writing, drawing, creating interactive
videos, diagnosing diseases, dreaming up new molecules for medicine, and
doing much else to make their parents very proud. Yet somehow we sacks of
meat -- though prone to exhaustion, distraction, injury and sometimes
spectacular error -- remain in high demand.

How did this happen? Weren't humans supposed to have been replaced by now
-- or at least severely undermined by the indefatigable go-getter robots
who were said to be gunning for our jobs?

  [See the NYTimes online version for oodles of URLs. PGN]

------------------------------

Date: Mon, 3 Oct 2022 15:21:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: A data-sharing agreement between the US and UK is now in effect
  (Engadget)

https://www.engadget.com/us-uk-data-sharing-agreement-in-effect-171316794.html

------------------------------

Date: Fri, 30 Sep 2022 13:43:44 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: More Bosses Spy on Quiet Quitters. It Could Backfire (WSJ)

Christopher Mims, *The Wall Street Journal*, 17 Sep 2022,
via ACM TechNews <technews-editor () acm org>

More companies are using technology to monitor virtually everything workers
do on their devices, with Gartner reporting that one in three
medium-to-large companies in the U.S. implemented a worker surveillance
system since the pandemic started, and that two out of three such companies
currently use these systems. The technology can screenshot a worker's
computer every 10 minutes, record the apps and websites they visit, and
document how long was spent on each site, among other things. However,
critics are concerned such "bossware" can be counterproductive. Teramind's
Isaac Kohn said, "Realistically, the vast majority of customers don't find
the need to enable full monitoring on all users all the time." However,
Kohn acknowledged that "the system can be abused if placed in the wrong
hands."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f4fdx236761x071689&

------------------------------

Date: Tue, 4 Oct 2022 20:15:30 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Canadian ransomware hacker sentenced to 20 years in U.S. prison (CBC)

https://www.cbc.ca/news/canada/ottawa/ransomeware-hacker-vachon-desjardins-sentenced-1.6606274

Sebastien Vachon-Desjardins pleaded guilty to ransomware crimes, $28 million
in bitcoin seized

------------------------------

Date: Mon, 3 Oct 2022 23:25:40 -0400
From: Monty Solomon <monty () roscom com>
Subject: Few Customers Get Refunds for Rampant Zelle Fraud (Senator Warren)

Elizabeth Warren's analysis of fraud and scam complaints on the payment
network found that banks at times violate a federal consumer protection law.

https://www.nytimes.com/2022/10/03/business/zelle-fraud-warren.html

------------------------------

Date: Sun, 2 Oct 2022 19:17:56 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Are You a Victim of Crypto Crime? Good Luck Getting Help (WiReD)

Local law enforcement isn't ready to deal with this new type of fraud, even
with shady scams on the rise.
As platforms overwhelmed by fraud and theft begin looking to traditional law
enforcement to assist with crypto crime-fighting efforts, victims may have
no choice but to throw themselves at the mercy of the police, and it's
difficult to imagine the crypto crime wave subsiding any time soon if the
police prove unequal to the task.

https://www.wired.com/story/cryptocurrency-cybercrime-law-enforcement

------------------------------

Date: Thu, 29 Sep 2022 23:56:43 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: El_Salvador's Bitcoin Law -- one year on, with the World's Coolest
  Dictator: Attack of the 50-Foot Blockchain (David Gerard)

El Salvador's Bitcoin Law came into force on 7 September 2021 -- and what a
day it was!

Bitcoin is yet another failed initiative from President Nayib Bukele -- a
huge splashy announcement, a lot of money set on fire, and not much to show
for it. [...]

"No one really talks about Bitcoin here anymore. It's kind of been
forgotten," says former Banco Central de Reserva president Carlos Acevedo.
"I don't know if you'd call that a failure, but it certainly hasn't been a
success."

The bitcoin infrastructure seems to have been paid for out of previous
borrowing. The State Financial Management Report for 2021, chapter 3, says
the bitcoin project was financed from $375.9 million of loans previously
taken out by the government.

https://davidgerard.co.uk/blockchain/2022/09/24/el-salvadors-bitcoin-law-one-year-on-with-the-worlds-coolest-dictator/

------------------------------

Date: Mon, 3 Oct 2022 16:12:01 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: SEC charges Kim Kardashian for allegedly not disclosing crypto
  promotion payday (WashPost)

Kim Kardashian to pay $1.26 million in SEC crypto case

The Securities and Exchange Commission is charging the reality star and
entrepreneur with allegedly promoting a cryptocurrency on her Instagram
account without disclosing how much she was paid to do so, the agency
announced.
https://www.washingtonpost.com/business/2022/10/03/sec-kardashian-crypto

The risks? Reality stars (whatever that means), people who believe/follow
them, and crypto-anything.

------------------------------

Date: Sun, 2 Oct 2022 22:52:14 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Sorry, But Your Boss Is Pretty Hyped About Today's Most Annoying
  Tech Trends (PCMag)

Think you can escape the metaverse? KPMG's 'Digital to the core' report
shows a high state of buzzword compliance among surveyed execs.

Many of those concepts have drawn a fair amount of skepticism if not
outright scorn. For example, in June Bill Gates ridiculed cryptocurrencies
and non-fungible tokens as examples of "the Greater Fool Theory." And
ambitions to build the metaverse -- what we used to call immersive virtual
words before Facebook founder and CEO Mark Zuckerberg leaped on the term as
he renamed Facebook to Meta -- assume a level of consumer interest that may
not be there.

https://www.pcmag.com/news/sorry-but-your-boss-is-pretty-hyped-about-todays-most-annoying-tech-trends

The risks? Buzzwords and execs

------------------------------

Date: Wed, 5 Oct 2022 18:16:49 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Joe Sullivan guilty in Uber hacking case (WashPost)

Surprise verdict on charges that predated rampant ransomware and extortion
payoffs in more recent hacking cases

A former chief security officer for Uber was convicted Wednesday of federal
charges stemming from payments he quietly authorized to hackers who
breached the ride-hailing company in 2016.

Joe Sullivan was found guilty of obstructing justice for keeping the breach
from the Federal Trade Commission, which had been probing Uber's privacy
protections at the time, and of actively hiding a felony.

The verdict ended a dramatic case that pitted Sullivan, a prominent security
expert who was an early prosecutor of cybercrimes for the San Francisco
U.S. attorney's office, against his former government office.
In between prosecuting hackers and being prosecuted, Sullivan served as the
top security executive at Facebook, Uber and Cloudflare.

https://www.washingtonpost.com/technology/2022/10/05/uber-obstruction-sullivan-hacking

------------------------------

Date: Mon, 03 Oct 2022 03:00:05 +0000
From: Richard Marlon Stein <rmstein () protonmail com>
Subject: I Make Video Games. I Won't Let My Daughters Play Them. (NYTimes)

https://www.nytimes.com/2022/10/02/opinion/video-game-addiction.html

"The over-the-top experiences and rewards built into video games can
stimulate our brains to release dopamine. Dopamine, the powerful 'feel good'
neurotransmitter, motivates us to seek more of these pleasurable
activities. This is what can lead to addictive behavior.

"...a significant minority, 10 percent, developed pathological tendencies
related to video games, including having difficulty stopping play. Compared
with the other group in the study, these players displayed higher levels of
depression, aggression, shyness, problematic phone use and anxiety by the
time they were emerging into adulthood."

------------------------------

Date: Sun, 2 Oct 2022 21:14:45 -0400
From: Monty Solomon <monty () roscom com>
Subject: AI can now create any image in seconds, bringing wonder and danger
  (WashPost)

https://www.washingtonpost.com/technology/interactive/2022/artificial-intelligence-images-dall-e/

------------------------------

Date: Fri, 7 Oct 2022 12:55:17 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Rethinking the Computer Chip in the Age of AI (Devorah Fischler)

Devorah Fischler, Penn Engineering Today, 29 Sep 2022,
via ACM TechNews, 7 Oct 2022

A team of researchers from the University of Pennsylvania (Penn), Sandia
National Laboratories, and Brookhaven National Laboratory has unveiled a
computing architecture suited for artificial intelligence (AI). The
researchers developed a transistor-free compute-in-memory (CIM) architecture
where processing and storage happen in the same place, removing transfer
time and minimizing energy consumption. The architecture, which builds on
earlier work on a ferroelectric switching scandium-alloyed aluminum nitride
semiconductor, could potentially perform up to 100 times faster than a
conventional computing architecture. The design also performs on-chip
storage, parallel search, and matrix multiplication acceleration. Penn's
Xiwen Liu said the work "proves that we can rely on memory technology to
develop chips that integrate multiple AI data applications in a way that
truly challenges conventional computing technologies."

https://blog.seas.upenn.edu/rethinking-the-computer-chip-in-the-age-of-ai/

------------------------------

Date: Fri, 7 Oct 2022 12:55:17 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Leading Makers Pledge Not to Weaponize Their Robots (Joe Hernandez)

Joe Hernandez, NPR, 6 Oct 2022, via ACM TechNews, 7 Oct 2022

Six major robot manufacturers have signed a letter promising not to
weaponize their products.
Boston Dynamics, Agility Robotics, ANYbotics, Clearpath Robotics, Open
Robotics, and Unitree pledged against weaponizing their "advanced-mobility
general-purpose robots" or their underlying software, while also vowing to
ensure their customers do not weaponize them either. The companies also said
they do not oppose "existing technologies" used by governments to "defend
themselves and uphold their laws." Boston Dynamics says police and fire
departments are using the company's canine-like robot Spot to assess
hazardous situations, but the firm notes Spot is not designed for
surveillance or as a substitute for police officers.

https://www.npr.org/2022/10/06/1127227605/boston-dynamics-robots-pledge-against-weapons

------------------------------

Date: Sun, 2 Oct 2022 03:34:34 -0400
From: "Steven J. Greenwald" <greenwald.steve () gmail com>
Subject: Optus criticized for massive breach (Reuters)

"The Australian government on Sunday leveled its harshest criticism yet
against Optus, the second-biggest telecoms company, for a cybersecurity
breach that affected the equivalent of 40% of the country's population."

Via Reuters:
https://www.reuters.com/business/media-telecom/australian-government-slams-optus-cybersecurity-breach-2022-10-02/

------------------------------

Date: Fri, 30 Sep 2022 01:40:39 +0000
From: John Colville <John.Colville () uts edu au>
Subject: Re: Optus' breach exposes 9.8M customers' data (RISKS-33.46)

It now appears that Optus's access controls were (very) weak.

A lot of debate about how much of people's data is being stored by various
organizations -- and for how long. However, Optus have continued to store
information like driver's licence IDs and passport details which had
originally been used to identify customers.

For telcos the length of the period that data has to be stored is more
complicated because of worries that they may be asked for communication
histories in connection with authorities' enquiries into activities like
drug importation or terrorism.

------------------------------

Date: 30 Sep 2022 00:31:35 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: Wegmans Discontinues Self-Checkout App, Citing Losses
  (NYTimes, RISKS-33.46)

I am scratching my head about this one. The thing they stopped was a phone
app that you could use to scan items as you shopped and put them in your
bags. Then when you get to the self-check kiosk, you scanned a code on the
kiosk screen, it transferred the list of items to the kiosk and then you
paid and left. It was great, I used it every time I shopped there for the
past year.

They are not getting rid of the self-check kiosks, just the app. I suppose
that since there is usually a staff person watching the kiosks it is
somewhat harder to sneak stuff, but the kiosks no longer annoyingly insist
that you immediately put every item in a bag so it can weigh them and match
the weight on the scale to what you've bought. (Now that most people bring
their own bags, I suspect there's no way to handle the variable weight of
the bags that isn't even more annoying.)

The Waitrose grocery chain in the UK has had a similar self-scan scheme for
over a decade, originally with hand-held scanners they provided, now also
with a phone app:

https://www.waitrose.com/ecom/help-information/shopping-with-waitrose/shopping-instore/quick-check

Waitrose say they may rescan the contents of your bag at the till but when I
was there they never did. I wonder why they haven't had similar problems.
Waitrose caters to an upper middle class demographic but anyone can shop
there and I would think that if it were easy to cheat, some people would.
------------------------------

Date: Fri, 30 Sep 2022 19:33:37 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Egypt's submarine cable stranglehold (RISKS-33.46)

The part of the DCD article posted here contains the quote "It's not like
there's another Egypt you can go to."; but the truncated part does contain a
survey of alternative routes. Some of them have failed, but at least one
succeeds: Google's Raman-Blue line from India via Saudi Arabia, Jordan and
Israel. Also note that the posted map shows yet another alternative route,
from the Red Sea via Israel.

If Egypt tries to squeeze this resource too tight, it wouldn't be hard for
users to switch.

------------------------------

Date: Fri, 30 Sep 2022 09:41:58 -0400 (EDT)
From: kludge () panix com (Scott Dorsey)
Subject: Re: Automakers are ignoring the simple solution to the rise of
  traffic deaths (RISKS-33.46)

Making vehicles go slower is likely to reduce the number of deaths and that
is not a bad thing, but it doesn't solve the real problem. What needs to be
done is to reduce the number of accidents in the first place, and that means
doing things that permit drivers to see where they are going and force them
to pay attention to their driving. This likely does require technical
solutions but not expensive ones, and in many cases it requires removing
technology rather than adding it.

------------------------------

Date: Tue, 04 Oct 2022 08:53:13 +0200
From: "Diego.Latella" <diego.latella () isti cnr it>
Subject: Castiglioncello 2022: Nuclear Weapons: New Risks

The next Castiglioncello International Conference (Oct. 21-22) will be
focused on "Nuclear Weapons: New Risks". The conference is organized by the
Pugwash Conferences on Science and World Affairs and the Union of Scientists
for Disarmament (USPID).
The Municipality of Rosignano Marittimo, the Interdisciplinary Center of Sciences for Peace of the University of Pisa, the Interdepartmental Research Center for Peace of the University of Bari and the Interdisciplinary Group on Science, Technology and Society of the CNR Pisa Research Area collaborate in the organization of the event.

For additional information, program and registration, please refer to the conference website:

  https://uspid.org/cast2022/

[I don't quite know whether it is especially computer science or its subdiscipline Artificial Intelligence that has such an enormous affection for euphemism. We speak so spectacularly and so readily of computer systems that understand, that see, decide, make judgments, and so on, without ourselves recognizing our own superficiality and immeasurable naivete with respect to these concepts. And, in the process of so speaking, we anesthetise our ability to evaluate the quality of our work and, what is more important, to identify and become conscious of its end use. One can't escape this state without asking, again and again: "What do I actually do? What is the final application and use of the products of my work?" and ultimately, "Am I content or ashamed to have contributed to this use?"
  Prof. Joseph Weizenbaum ["Not without us", ACM SIGCAS 16(2-3) 2--7, Aug. 1986]]

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.47
************************