RISKS Forum mailing list archives
Risks Digest 34.17
From: RISKS List Owner <risko () csl sri com>
Date: Sun, 14 Apr 2024 17:00:00 PDT
RISKS-LIST: Risks-Forum Digest Sunday 14 April 2024 Volume 34 : Issue 17 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/34.17> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: 96% of US hospital websites share visitor info with Meta, Google, data brokers (Steve Bacher) Corporate Greed Made the Change Healthcare Cyberattack Worse (NYMag) Hackable Intel and Lenovo hardware that went undetected for 5 years won't ever be fixed (ArsTechnica) Thermostats and Complexity (Tom Vab Vleck) "Are We Watching the Internet Die?" (Ed Zitron via Rich Kulawiec) AI chatbots spread falsehoods about the EU elections, report finds (Clothilde Goujard) How I Built an AI-Powered, Self-Running Propaganda Machine for $105 (WSJ) Norwescon sci-fi con: Knightscope, AI manuscript deluge, genre in crisis (Douglas Lucas) Hatsune Miku is playing Coachella, but she's not human. Why brands are working with digital avatars (LA Times) AI on Wall Street (NYTimes) Humane AI Pin review: the post-smartphone future isn't here yet AT&T Data breach affects 73 million or 51-million customers. No, we won't explain. (ArsTechnica) Apple alerts users in 92 nations to mercenary spyware attacks (TechCrunch) Apple will open the iPhone to repair with used parts -- but ... (The Verge and TechCrunch via Monty Solomon) Texas Surgeon Is Accused of Secretly Denying Liver Transplants (NYTimes) Palo Alto Zero exploit (Cliff Kilby) After the Eclipse, Motorists Observe a Path of Immobility (NYTimes via PGN) Delta eclipse flight from Dallas veered off path of totality (WashPost) Re: The total eclipse shows us how important solar energy is to the U.S. (Douglas Lucas) Re: AI that targets civilians ... (Amos Shapir) Re: Texas Will Use Computers to Grade STAAR Tests (Douglas Lucas) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sun, 14 Apr 2024 08:07:35 -0700 From: Steve Bacher <sebmb1 () verizon net> Subject: 96% of US hospital websites share visitor info with Meta, Google, data brokers [Could have been worse – last time researchers checked it was 98.6%.] Hospitals – despite being places where people implicitly expect to have their personal details kept private – frequently use tracking technologies on their websites to share user information with Google, Meta, data brokers, and other third parties, according to research published today. ------------------------------ Date: Sun, 14 Apr 2024 10:02:02 -0400 From: Monty Solomon <monty () roscom com> Subject: Corporate Greed Made the Change Healthcare Cyberattack Worse (NYMag) https://nymag.com/intelligencer/article/corporate-greed-made-the-change-healthcare-cyberattack-worse.html [See RISKS-34.12 for the Change Healthcare Attack. PGN] ------------------------------ Date: Thu, 11 Apr 2024 23:04:07 -0400 From: Monty Solomon <monty () roscom com> Subject: Hackable Intel and Lenovo hardware that went undetected for 5 years won't ever be fixed (ArsTechnica) https://arstechnica.com/?p=2016577 ------------------------------ Date: Sun, 14 Apr 2024 09:02:47 -0400 From: Tom Van Vleck <thvv () multicians org> Subject: Thermostats and Complexity "Computers as tools for humans are so useful exactly *because* they can’t think and do tedious work like calculations or information storage and retrieval for humans in a *deterministic* way. It took like nearly 90 years of digital computers to make them powerful enough to run a wasteful algorithm that pretends to think (but doesn’t) and to deliver bullshit non-deterministic results while using absurd amounts of computational and environmental resources." https://hachyderm.io/@thomasfuchs/112265521636541465 ------------------------------ Date: April 11, 2024 22:21:13 JST From: Rich Kulawiec <rsk () gsp org> Subject: Ed Zitron: "Are We Watching the Internet Die?" [via Dave Farber] This is an excellent piece about where we find ourselves: Are We Watching The Internet Die? https://www.wheresyoured.at/are-we-watching-the-Internet-die/ "We're at the end of a vast, multi-faceted con of Internet users, where ultra-rich technologists tricked their customers into building their companies for free. And while the trade once seemed fair, it's become apparent that these executives see users not as willing participants in some sort of fair exchange, but as veins of data to be exploitatively mined as many times as possible, given nothing in return other than access to a platform that may or may not work properly." and "There are simply too many users, too many websites and too many content providers to manually organize and curate the contents of the Internet, making algorithms necessary for platforms to provide a service. Generative AI is a perfect tool for soullessly churning out content to match a particular set of instructions -- such as those that an algorithm follows -- and while an algorithm can theoretically be tuned to evaluate content as "human," so can scaled content be tweaked to make it seem more human. Things get worse when you realize that the sheer volume of Internet content makes algorithmic recommendations a necessity to sift through an ever-growing pile of crap. Generative AI allows creators to weaponize the algorithms' weaknesses to monetize and popularize low-effort crap, and ultimately, what is a platform to do? Ban anything that uses AI-generated content? Adjust the algorithm to penalize videos without people's faces? How does a platform judge the difference between a popular video and a video that the platform made popular? And if these videos are made by humans and enjoyed by humans, why should it stop them?" ------------------------------ Date: Thu, 11 Apr 2024 13:47:13 PDT From: Peter Neumann <neumann () csl sri com> Subject: AI chatbots spread falsehoods about the EU elections, report finds (Clothilde Goujard) Clothilde Goujard, *Politico* BRUSSELS -- Chatbots produced by Google, Microsoft and OpenAI shared some false information about the European election, two months before hundreds of millions head to cast their ballots, according to an analysis shared exclusively with POLITICO. While the artificial intelligence tools remained politically neutral, they tended to return incorrect election dates and information about how to cast a ballot, said Democracy Reporting International, a Berlin-based NGO that carried out the research in March. Chatbots also often provided broken or even irrelevant links to YouTube videos or content in Japanese, researchers added. `We were not surprised to find wrong information about details of the European elections, because chatbots are known to invent facts when providing answers, a phenomenon known as hallucination,'' said Michael Meyer-Resende, co-founder and executive director of Democracy Reporting International. Researchers noted that AI chatbots were dynamic, making the experiment hard to replicate. In a series of a dozen tests with similar questions carried out by POLITICO on Tuesday, the chatbots either declined to respond entirely or else had updated responses with links directing users to the EU institutions' websites. Meyer-Resende said the experiment was, however, large enough to be representative. It also provided new evidence about the risks of so-called AI hallucinations -- which often occur because of insufficient training data, biases and false assumptions -- ahead of the European election, which takes place from June 6-9. The fast emergence of easy-to-use AI tools generating text, audio and video has prompted concerns about a rise in misinformation in a year with crucial elections in the EU, the United States, the United Kingdom and India. The European Commission in March ordered several tech firms including Bing and Google to explain -- before April 5 -- how they were limiting potential risks to elections connected to their generative AI tools under the Digital Services Act. Researchers asked the same 10 questions in 10 languages -- including German, Italian, Polish and Portuguese -- from March 11-14 to the four most popular and accessible chatbots: OpenAI's ChatGPT 3.5 and 4, Google's Gemini and Microsoft's Copilot. ChatGPT's newest paid version performed the best, while Google's Gemini was deemed the least likely to give correct answers at the time of the test. ``Because of the known limitations of all LLMs, we believe a responsible approach for Gemini is to restrict most election-related queries and to direct users to Google Search for the latest and most accurate information,'' said Karl Ryan, a Google spokesperson. He added that Google's Gemini was in the process of rolling out restrictions in March but the restrictions are now in place. ``We will continue to quickly address instances in which Gemini isn't responding appropriately.'' ``We are continuing to address issues and prepare our tools to perform to our expectations for the 2024 elections,'' said Robin Koch, a Microsoft spokesperson. He added that some of the measures included giving users of Microsoft's Copilot election information from authoritative sources and pushing them to check web links. OpenAI did not reply to a request for comment in time for publication. ------------------------------ Date: Sat, 13 Apr 2024 06:55:29 -0700 From: Steve Bacher <sebmb1 () verizon net> Subject: How I Built an AI-Powered, Self-Running Propaganda Machine for $105 (WSJ) The author paid a website developer to create a fully automated, AI-generated ‘pink-slime’ news site, programmed to create false political stories. The results were impressive—and, in an election year, alarming. https://www.wsj.com/politics/how-i-built-an-ai-powered-self-running-propaganda-machine-for-105-e9888705?st=eryapn7ks9k6807&reflink=desktopwebshare_permal ------------------------------ Date: Sat, 13 Apr 2024 18:52:17 -0700 From: Douglas Lucas <dal () riseup net> Subject: Norwescon sci-fi con: Knightscope, AI manuscript deluge, genre in crisis On Fri. Mar. 29, I attended Norwescon, a large science fiction convention hosted in Seattle since 1978. Three items might be of interest to RISKS. First, the parking lot had a hotel-hired Knightscope self-driving robot that aims to deter crime and records film for later optional viewing by humans. I took video of the Knightscope and described it in detail. Second, I posted my notes from a panel made up of editors from top science fiction and fantasy magazines, some still with print incarnations; they discussed in depth the deluge of unsolicited AI-created fiction manuscripts that they're receiving through their open submissions portals. According to one panelist, the scammers are not the submitters, but separate individuals taking advantage of gullible people, telling them that AI fiction is the path to riches, and when it doesn't work, and only threatens to crash the submissions portal, then selling them expensive tutorials on how to AI better. Third, I ask how the fandom, steeped in stories of sci-fi can-do heros, might overcome apathy and consumerism to do something about these sci-fi-style risks encroaching on the genre from the real world without! https://douglaslucas.com/blog/2024/04/02/fading-fun-norwescon46-friday-future/ ------------------------------ Date: Sat, 13 Apr 2024 07:52:11 -0700 From: Steve Bacher <sebmb1 () verizon net> Subject: Hatsune Miku is playing Coachella, but she's not human. Why brands are working with digital avatars (LA Times) Hatsune Miku has already sold out venues for her concerts and she'll go to her biggest stage yet at Coachella. She looks like a teenage girl but she's not human. She's part of a growing number of digital characters, including Miquela and angelbaby, that are creating music for fans. [...] Her music — mostly synthesizer-heavy dance pop — is created from software developed by the Sapporo, Japan-based technology company Crypton Future Media. The technology lets people, including fans, type in lyrics and punch in a melody. The program generates a singing voice for the song. Crypton then licenses the songs from the fans for her to sing at concerts. Miku herself is an illustrated character, resembling a 16-year-old girl from an anime or manga. To “perform” onstage, Miku’s image is displayed on a giant screen as a video behind a live band. <https://www.youtube.com/watch?v=jhl5afLEKdo> https://www.latimes.com/entertainment-arts/business/story/2024-04-12/coachella-2024-hatsune-miku-zlu-hume-angelbaby ------------------------------ Date: Thu, 11 Apr 2024 11:47:49 -0700 From: Steve Bacher <sebmb1 () verizon net> Subject: AI on Wall Street (NYTimes) The Worst Part of a Wall Street Career May Be Coming to an End Artificial intelligence tools can replace much of Wall Street’s entry-level white-collar work, raising tough questions about the future of finance https://archive.is/4iLEA ------------------------------ Date: Fri, 12 Apr 2024 10:02:28 -0400 From: Monty Solomon <monty () roscom com> Subject: Humane AI Pin review: the post-smartphone future isn't here yet (David Pierce) The Verge https://www.theverge.com/24126502/humane-ai-pin-review Humane AI Pin review: not even close For $699 and $24 a month, this wearable computer promises to free you from your smartphone. There’s only one problem: it just doesn’t work. [Also Humane AI Hands-On: My Life So Far With a Wearable AI Pin: Like an AI-powered Star Trek communicator pinned to your shirt, the AI Pin is a wild concept, but it's too frustrating for everyday use. https://www.cnet.com/tech/mobile/humane-ai-hands-on-my-life-so-far-with-a-wearable-ai-pin/ and A Novel AI Innovation, but It Is Not Yet Very Useful: Brian X. Chen, *The New York Times* Business section front page 13 Apr 2024 PGN] ------------------------------ Date: Thu, 11 Apr 2024 23:05:56 -0400 From: Monty Solomon <monty () roscom com> Subject: AT&T Data breach affects 73 million or 51-million customers. No, we won't explain. (ArsTechnica) https://arstechnica.com/?p=2016342 ------------------------------ Date: Fri, 12 Apr 2024 09:52:20 -0400 From: Monty Solomon <monty () roscom com> Subject: Apple alerts users in 92 nations to mercenary spyware attacks (TechCrunch) https://techcrunch.com/2024/04/10/apple-warning-mercenary-spyware-attacks/ ------------------------------ Date: Thu, 11 Apr 2024 23:02:34 -0400 From: Monty Solomon <monty () roscom com> Subject: Apple will open the iPhone to repair with used parts -- but ... (The Verge and TechCrunch) https://www.theverge.com/2024/4/11/24127278/apple-iphone-repair-used-parts BUT: Apple will allow reuse of iPhone parts for repairs, with a notable catch As a result, "select iPhone models" this fall will allow for reusing biometric sensors and other parts, and anyone ordering parts from Apple can skip sending a device's serial number, so long as the repair doesn't involve a new main logic board. https://arstechnica.com/?p=2016470 ------------------------------ Date: Thu, 11 Apr 2024 21:50:52 -0400 From: Monty Solomon <monty () roscom com> Subject: Texas Surgeon Is Accused of Secretly Denying Liver Transplants (NYTimes) https://www.nytimes.com/2024/04/11/us/organ-transplants-houston.html ------------------------------ Date: Fri, 12 Apr 2024 23:45:56 -0400 From: Cliff Kilby <cliffjkilby () gmail com> Subject: Palo Alto Zero exploit Perhaps avoid the use of dynamic scripting languages in what should be a secure context? Or, why does my firewall have python? https://security.paloaltonetworks.com/CVE-2024-3400 ------------------------------ Date: Sun, 14 Apr 2024 11:17:22 PDT From: Peter Neumann <neumann () csl sri com> Subject: After the Eclipse, Motorists Observe a Path of Immobility (NYTimes) Miles of Taillights on Interstates Last Longer Than the Celestial Phenomenon in the Sky Charlie Smart, short article at the bottom of a full page of six graphics along the path of totality: (1) top half-page showing remarkably frequent major traffic delays from West Texas to Canada; (2) during totality (no delays, Syracuse to Bangor); (3) one hour after totality (building up, Syracuse to Bangor, delays north of Burlington VT)); (4) three hours after (delays all around Burligton), (5) six hours after still quite heavy going south from Burlington), (6) long traffic delays in the Midwesst, at 9pm ET still heavy leaving bigger cities (e.g., St. Louis, Indianapolis, Columbus, Toledo). [The next major U.S. eclipse is not until 2045. But who will remember this situation in 2045? There could be many lessons for the expected exoduses from major disasters in large cities -- spills, toxic train wrecks, although those would typically be local problems. Nevertheless, there are some risks lessons to be learned. ------------------------------ Date: Fri, 12 Apr 2024 22:44:37 -0400 From: Monty Solomon <monty () roscom com> Subject: Delta eclipse flight from Dallas veered off path of totality (WashPost) Delta Air Lines said the eclipse flight had to change its plans because area traffic control would not allow a special maneuver. https://www.washingtonpost.com/travel/2024/04/12/delta-eclipse-flight-leaves-path-of-totality/ ------------------------------ Date: Sat, 13 Apr 2024 18:40:43 -0700 From: Douglas Lucas <dal () riseup net> Subject: Re: The total eclipse shows us how important solar energy is to the U.S. (RISKS-34.16) The Verge article said that, when the total solar eclipse increased demand for electricity in the United States, the shortfall was made up in part by gas. Might be interesting to note that, if this chain of dominoes were followed for anything on Earth, not just the gas "peaker plants," the energy source is the Sun. Biology, engineering, smartphones, whatever it is, ultimately it's the Sun that pays for everything. All of our rent-seeking economic systems are downstream of the big kahuna in the sky. What's the RISK? Red giant! ------------------------------ Date: Fri, 12 Apr 2024 13:21:21 +0300 From: Amos Shapir <amos083 () gmail com> Subject: Re: AI that targets civilians ... (Northrup, RISKS-34.16)
Facial recognition should be forbidden from use by law enforcement unless and until it is able to be used on white collar criminals
But white collar criminals do not hide their faces; it's the money they stole which should be identified. ------------------------------ Date: Sat, 13 Apr 2024 18:29:41 -0700 From: Douglas Lucas <dal () riseup net> Subject: Re: Texas Will Use Computers to Grade STAAR Tests (RISKS-34.16) Regarding Texas using AI to grade most of the mandatory STAAR tests taken by elementary, middle, and high schoolers: In the past decade and a half, I've more than once flunked the GRE writing test and the IELTS writing test, for admission into graduate school and Canada respectively. I'm pretty sure both were computer-scored, at least initially, but I wasn't enthusiastic enough about either destination to challenge the results much. If I ever have to flunk such a writing test again, I plan to re-take it and, instead of answering the question, type out my bonafides with evidentiary URLs -- a summa writing degree; a CELTA cert for teaching ESL; numerous publications and media spots as a professional writer -- along with my complaint that, for the life of me, I cannot seem to pass these computer-graded writing tests. Might make an interesting media stunt, if nothing else. ------------------------------ Date: Sat, 28 Oct 2023 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: <risksinfo.html>. *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's delightfully searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 34.17 ************************
Current thread:
- Risks Digest 34.17 RISKS List Owner (Apr 14)