RISKS Forum mailing list archives
Risks Digest 33.13
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 9 Apr 2022 20:33:17 PDT
RISKS-LIST: Risks-Forum Digest Saturday 9 April 2022 Volume 33 : Issue 13 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/33.13> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: 'We Became Like a Big Startup.' How Kyiv Adapted Tech to Save Lives (Time) Microsoft reports disrupting hacking attempts on Ukrainian, EU, and U.S. targets (CBC) Russia Sees Tech Brain Drain, Other Nations Hope to Gain (AP) Apple Maps was sending me into Russian-controlled territory (Axios) Hackers' Path Eased as 600,000 U.S. Cybersecurity Jobs Sit Empty (Bloomberg) Researchers uncover a hardware security vulnerability on Android phones (techxplore.com) Chrome, Edge Hit with V8 Type Confusion Vulnerability with in-the-wild Exploit (ZDNet) D.C. Metro Fails To Meet Its Own Safety Requirements (Patch Watchdog Audit) Sports-Betting App Pays D.C. $500, 000 Over Super Bowl Mishap (DCist) Southwest apologizes for delays, cancellations, blames technology issues (FoxBusiness) JetBlue lacked staff to disembark stranded passengers off airplane: 'Embarrassing' (Fox Business) U.S. military wants AI to make battlefield medical decisions (WashPost) Machine learning and uncommon names (Arthur Flatau) The side effects of quantum error-correction and how to cope with them (phys.org) Squirrels and rats attacking AT&T fiber (PGN) Monash Develops Algorithm for Stronger Blockchains (Digital Nation) Improving software supply chain security with tamper-proofo builds (Google) Spreadsheets Are Hot -- and Cranking Out Complex Code (WiReD) Who's Behind the Okta Hack (WiReD) Hackers breach MailChimp's internal tools to target crypto customers (BleepingComputer) 'Trust No One: The Hunt for the Crypto King' Review: Coins and Misdemeanors (NYTimes) Who turned out the lights? (Cliff Kilby) Re: Hackers Steal About $600 Million in One of the Biggest... (Matthew Kruk) Re: Tesla Deaths and Apache Log4j instances unpatched (Andrew Duane) Re: NYC Skyscraper's Elevator Breakdowns Strand Tenants (John Murrell) Re: The never-stopping car (Andrew Duane0 'Trust No One: The Hunt for the Crypto King' Review: Coins and Misdemeanors (NYTimes) Review of Paul Van Oorschot's security book (Rik Farrow) The Internet Is Not What You Think It Is: A History, A Philosophy, A Warning (LA Review of Books) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 6 Apr 2022 11:51:43 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: 'We Became Like a Big Startup.' How Kyiv Adapted Tech to Save Lives (Time) Vera Bergengruen, *Time*, 4 Apr 2022, via ACM TechNews, 6 Apr 2022 Oleg Polovynko, IT director of Kyiv's city council, and Petro Olenych, Kyiv's deputy mayor and chief digital transformation officer, have been working to adapt and repurpose the Ukrainian capital's technology amid the war with Russia. They have enabled most Kyiv residents to connect to the Internet in underground bomb shelters using the city's mobile Wi-Fi hotspots and to receive phone alerts of incoming air raids. They also revamped the Kyiv Digital smartphone app--designed to help residents pay utility bills and parking tickets--to display maps of the nearest bomb shelters and places to obtain critical supplies. Said Polovynko, "I never imagined that I would develop software in 2022 to help people stay alive, to survive things like a missile attack. But of course, we can. And now we're using all of our IT minds in Ukraine to help our people and our soldiers." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e5f7x232ed4x072218&; ------------------------------ Date: Thu, 7 Apr 2022 18:33:49 -0600 From: "Matthew Kruk" <mkrukg () gmail com> Subject: Microsoft reports disrupting hacking attempts on Ukrainian, EU, and U.S. targets (CBC) https://www.cbc.ca/news/world/microsoft-russia-hack-attempts-ukraine-eu-us-1.6412697 Microsoft Corp. said on Thursday it had disrupted hacking attempts by Russian military spies aimed at breaking into Ukrainian, European Union, and American targets. In a blog post, the tech firm said a group it nicknamed "Strontium" was using seven Internet domains as part of an effort to spy on government bodies and think tanks in the EU and the United States, as well as Ukrainian institutions such as media organizations. Microsoft did not identify any of the targets by name. ------------------------------ Date: Fri, 1 Apr 2022 12:05:28 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: Russia Sees Tech Brain Drain, Other Nations Hope to Gain (AP) Liudas Dapkus, Associated Press, 31 Mar 2022, via ACM TechNews Some countries view the exodus of technology workers from Russia as an opportunity to refresh expertise in their own high-tech industries. One estimate suggested as many as 70,000 computer specialists have left Russia since the start of its invasion of Ukraine, departing for Latvia, Lithuania, Armenia, Georgia, and elsewhere. The Russian Association for Electronic Communications' Sergei Plugotarenko said another 100,000 tech workers might leave in April. Said Konstantin Siniushin at Latvian tech-focused venture capital fund Untitled Ventures, "The more talent that Europe or the U.S. can take away from Russia today, the more benefits these new innovators, whose potential will be fully realized abroad, will bring to other countries." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e572x232c41x074907&; ------------------------------ Date: Wed, 6 Apr 2022 10:21:37 -0600 From: Jim Reisert AD1C <jjreisert () alum mit edu> Subject: Apple Maps was sending me into Russian-controlled territory (Axios) Ina Fried, Axios Chef Jos=C3=A9 Andr=C3=A9s has relied heavily on technology as part of his humanitarian work in Ukraine, feeding thousands of people displaced by the Russian invasion. But he has a few gripes as well, including the fact that Apple Maps kept sending him to Russian-controlled areas. "Don't send people to enemy territory in a war," he told me in a brief interview after his appearance at the Axios What's Next Summit in Washington, D.C. https://www.axios.com/jose-andres-beef-apple-maps-8f47a198-b153-49fd-9e49-7= b1ca822e8fb.html ------------------------------ Date: Fri, 1 Apr 2022 12:05:28 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: Hackers' Path Eased as 600,000 U.S. Cybersecurity Jobs Sit Empty (Bloomberg) Olivia Rockeman, *Bloomberg*, 30 Mar 2022, via ACM TechNews Cybersecurity jobs search platform CyberSeek estimates roughly 600,000 vacant U.S. cybersecurity positions, including 560,000 private-sector jobs. The pandemic compounded a shortfall of cybersecurity professionals, while phishing and ransomware attacks escalated due to many employees using their home networks and computers. The Massachusetts Institute of Technology Sloan School of Management's Stuart Madnick cites a lack of qualified cybersecurity workers, while Bryan Palma at cybersecurity company Trellix said nations like Russia and China host better talent pipelines at the government level of people trained in cybersecurity. Max Shuftan at the SANS Institute cybersecurity training organization said the worker shortage especially impacts smaller organizations like civilian public agencies, most of which cannot match private companies' pay. As a result, Shuftan warned, "They're probably not going have the staff and that makes them more vulnerable to attacks." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e572x232c46x074907&; ------------------------------ Date: Wed, 6 Apr 2022 08:51:36 +0800 From: Richard Stein <rmstein () ieee org> Subject: Researchers uncover a hardware security vulnerability on Android phones (techxplore.com) https://techxplore.com/news/2022-04-uncover-hardware-vulnerability-android.html YASC -- yet another side-channel. ------------------------------ Date: Fri, 1 Apr 2022 12:05:28 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: Chrome, Edge Hit with V8 Type Confusion Vulnerability with in-the-wild Exploit (ZDNet) Chris Duckett, ZDNet, 27 Mar 2022, via ACM TechNews Google is calling on Windows, macOS, and Linux users to upgrade their Chrome browsers to version 99.0.4844.84, in order to patch a V8 Type Confusion vulnerability with an exploit in the wild. V8, Chrome's JavaScript engine also is used server-side in Node.js, but Google has not yet announced whether that is impacted. Google said bug details would be undisclosed until most users had updated their browsers. "We will also retain restrictions if the bug exists in a third-party library that other projects similarly depend on, but haven't yet fixed," according to Google's announcement. Microsoft published its own advisory, and said the issue has been corrected in the concurrently released Edge version 99.0.1150.55. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e572x232c4ax074907&; ------------------------------ Date: Thu, 7 Apr 2022 13:34:38 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: D.C. Metro Fails To Meet Its Own Safety Requirements (Patch Watchdog Audit) An audit by the Washington Metrorail Safety Commission revealed that the District's rail system is not meeting its own safety requirements. https://patch.com/virginia/annandale/s/i7a1m/metro-fails-to-meet-its-own-safety-requirements-watchdog-audit ------------------------------ Date: Fri, 8 Apr 2022 17:14:19 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Sports-Betting App Pays D.C. $500, 000 Over Super Bowl Mishap (DCist) The D.C. Lottery has received $500,000 in compensation from the operator of the city's official sports-betting app for lost revenue and reputation damage stemming from an embarrassing technical mishap that kept the app offline during the Super Bowl, typically the year's single-biggest day for sports betting. The payment comes from Intralot, the Greek lottery operator that runs the D.C. Lottery as well as GambetDC, the only sports-betting app that works citywide. In 2019 it received a controversial sole-source $215 million lottery contract from the D.C. Council that also gave it the right to develop the city's sole official sports-betting app; it launched in mid-2020. A mishandled software update by Intralot caused Apple to suspend GambetDC ahead of the Super Bowl, leaving anyone with an Apple phone or tablet unable to use the app to place a bet during the game. (There were 30,000 registered users in February, half of them using Apple phones or tablets.) Android users were still able to bet, and the Gambet website still worked. https://dcist.com/story/22/04/08/dc-get-compensation-for-sports-betting-app-mishap/ ------------------------------ Date: Sat, 2 Apr 2022 20:07:29 -0400 From: Monty Solomon <monty () roscom com> Subject: Southwest apologizes for delays, cancellations, blames technology issues (FoxBusiness) https://www.foxbusiness.com/economy/southwest-apologizes-delays-cancellations-technology-issues ------------------------------ Date: Sat, 2 Apr 2022 20:08:50 -0400 From: Monty Solomon <monty () roscom com> Subject: JetBlue lacked staff to disembark stranded passengers off airplane: 'Embarrassing' (Fox Business) https://www.foxbusiness.com/lifestyle/jetblue-massachusetts-sitting-plane-crew-left-for-night ------------------------------ Date: Sun, 3 Apr 2022 16:19:36 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: U.S. military wants AI to make battlefield medical decisions (WashPost) The development of a medical triage program raises a question: When lives are at stake, should artificial intelligence be involved? The Defense Advanced Research Projects Agency (DARPA) — the innovation arm of the U.S. military — is aiming to answer these thorny questions by outsourcing the decision-making process to artificial intelligence. Through a new program, called In the Moment, it wants to develop technology that would make quick decisions in stressful situations using algorithms and data, arguing that removing human biases may save lives, according to details from the program's launch this month. Though the program is in its infancy, it comes as other countries try to update a centuries-old system of medical triage, and as the U.S. military increasingly leans on technology to limit human error in war. But the solution raises red flags among some experts and ethicists who wonder if AI should be involved when lives are at stake. ``AI is great at counting things. But I think it could set a [bad] precedent by which the decision for someone's life is put in the hands of a machine.'' (Sally A. Applin, a research fellow and consultant who studies the intersection between people, algorithms and ethics, said in reference to the DARPA program.) ... To that end, DARPA's In the Moment program will create and evaluate algorithms that aid military decision-makers in two situations: small unit injuries, such as those faced by Special Operations units under fire, and mass casualty events, like the Kabul airport bombing. Later, they may develop algorithms to aid disaster relief situations such as earthquakes, agency officials said. The program, which will take roughly 3.5 years to complete, is soliciting private corporations to assist in its goals, a part of most early-stage DARPA research. Agency officials would not say which companies are interested, or how much money will be slated for the program. [...] Matt Turek, a program manager at DARPA in charge of shepherding the program, said the algorithms suggestions would model *highly trusted humans* who have expertise in triage. But they will be able to access information to make shrewd decisions in situations where even seasoned experts would be stumped. For example, he said, AI could help identify all the resources a nearby hospital has -- such as drug availability, blood supply and the availability of medical staff -- to aid in decision-making. ``That wouldn't fit within the brain of a single human decision-maker. Computer algorithms may find solutions that humans can't.'' Sohrab Dalal, a colonel and head of the medical branch for NATO's Supreme Allied Command Transformation, said the triage process, whereby clinicians go to each soldier and assess how urgent their care needs are, is nearly 200 years old and could use refreshing. https://www.washingtonpost.com/technology/2022/03/29/darpa-artificial-intelligence-battlefield-medical-decisions/ So much here. They know it will take roughly 3.5 years? AI will triage wounded *without* going to each soldier? It will somehow identify nearby hospital resources? ------------------------------ Date: Tue, 5 Apr 2022 15:15:38 -0500 From: Arthur Flatau <flataua () acm org> Subject: Machine learning and uncommon names I am a long time leukemia and bone marrow transplant survivor and a patient advocate. As such I worked with a number of medical professionals on a relatively recent review article on late effects for stem cell survivors (Male-Specific Late Effects in Adult Hematopoietic Cell Transplantation Recipients: A Systematic Review from the Late Effects and Quality of Life Working Committee of the Center for International Blood and Marrow Transplant Research and Transplant Complications Working Party of the European Society of Blood and Marrow Transplantation, https://www.astctjournal.org/article/S2666-6367(21)01329-4/fulltext). Enough tooting my horn. There are not that many Flataus in the world and even fewer Arthur Flataus. However there is another one who is a surgeon ( https://www.medstarhealth.org/doctors/arthur-flatau-iii-md) and is, as far as I know, not related to me This site https://www.medifind.com/doctors/arthur-flatau/19605475, which is one of the top ten hits if you google, "Arthur Flatau MD", for instance) lists him as a co-author of the paper. (IAt least it did when I wrote this, I have requested they remove the mention of the publication, and perhaps they will). Their information is apparently scraped from other sites. According to the "How Medifind works" page (https://www.medifind.com/how-medifind-works) they "[use] cutting-edge machine learning techniques [...] to sift through this mass of information and identify those findings that could help you learn about a new treatment or make a better-informed decision about which treatment option to choose". It seems their algorithm might need a little tweaking. ------------------------------ Date: Thu, 7 Apr 2022 20:05:53 +0800 From: Richard Stein <rmstein () ieee org> Subject: The side effects of quantum error-correction and how to cope with them (phys.org) https://phys.org/news/2022-04-side-effects-quantum-error-cope.html "In applying QEC to quantum sensing, errors are repeatedly corrected as the sensor acquires information about the target quantity. As an analogy, imagine a car that keeps departing from the center of the lane it travels in. In the ideal case, the drift is corrected by constant counter-steering. In the equivalent scenario for quantum sensing, it has been shown that by constant -- or very frequent -- error correction, the detrimental effects of noise can be suppressed completely, at least in principle. The story is rather different when for practical reasons, the driver can perform correcting interventions with the steering wheel only at specific points in time. Then, as experience tells us, the sequence of driving ahead and making corrective movements has to be finely tuned. If the sequence did not matter, then the motorist could simply perform all steering maneuvers at home in the garage and then confidently put their foot down on the accelerator. The reason why this does not work is that rotation and translation are not commutative -- the order in which the actions of one type or the other are executed changes the outcome." The last paragraph contains this fragment: "these results are set to provide an import contribution to tweaking out the highest precision from a broad range..." Where would the world be without a good quantum tweak now and then? ------------------------------ Date: Fri, 8 Apr 2022 20:33:00 PDT From: Peter Neumann <neumann () csl sri com> Subject: Squirrels and rats attacking AT&T fiber For the past few weeks, numerous AT&T trucks have been seen daily in our neighborhood, which has been plagued by squirrels and rats chewing through Internet fiber -- with lengthy outages even up to an entire week. AT&T is attributing the problem to the fact that they (as opposed to other carriers) is using environmentally friendly soy-based encapsulation for fiber. In this case, it appears that "environmentally friendly" also means very friendly to squirrels and rats. There are also some reports that this may also be a problem with fiber in certain automobile models, including Teslas. It'Soy veh! I sent this short tale of long tails out to various colleagues and friends. I summarize briefly two responses: * Susmit Jha suggested this is Very interesting .. would be good to have quantitative numbers on marginal gain in fiber chewing due to introduction of environmentally friendly encapsulations because the baseline appears to be high too: https://www.tomsguide.com/us/cyberwar-squirrels-shmoocon,news-24283.html , https://circleid.com/posts/20190606_squirrels_number_one_culprit_for_animal_damage_to_aerial_fiber It appears rodents do not view most wiring as food instead. In 2001, a repairman suggested it was the grease used in the sheathing. A 1989 patent suggests "chewing on objects which are tough in composition is necessary to prevent [rodents] ever-growing incisor teeth from overgrowing." <http://www.techrepublic.com/article/get-it-done-maintaining-fiber-optic-connections-takes-a-creative-approach/1041526> <http://www.google.com/patents?id=qRY-AAAAEBAJ&zoom=4&dq=squirrel%20fiber%20cable%20damage&pg=PA6#v=onepage&q=squirrel%20fiber%20cable%20damage&f=false> Some researchers are already on the problem: https://www.scientific.net/KEM.818.1 * Dan Eakins suggested this involved an engineering choice made -- small decision with good intentions -- that led to unexpected failures. Like the rumor that auto manufacturers use peanut oil rather than petroleum to make it easier to put wire harnesses through bulkheads -- and that smell lasts years -- rodents are attracted to it for a long time and chew through them. No one thought that would be an outcome I imagine for such a clever solution. Or I had a car catch on fire from a small rodent nest in the heater box next to the heating coils. Perfect place for a mouse to make a home -- first time it got cold it started a fire I couldn't put out in the mountains and I almost started a forest fire -- and it burned the car up as interiors are highly flammable. Well, whose great idea was it to make a fire starter in a mouse house? But it is not considered a manufacturing fault I expect, and they don't investigate or change designs like they would if it were a plane or an auto crash. They say you are what you eat -- so those squirrels and rats are now Cyber-rodents. [They also might have a need for RoDentalFloss. PGN] ------------------------------ Date: Wed, 6 Apr 2022 11:51:43 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: Monash Develops Algorithm for Stronger Blockchains (Digital Nation) Digital Nation (Australia), 5 Apr 2022, via ACM TechNews, 6 Apr 2022 An international team of researchers has developed an algorithm to enable faster, stronger, more efficient blockchains. Researchers at Australia's Monash University, automation technology company ABB Zurich, and the U.K.'s University of Birmingham designed the Damysus Byzantine Fault Tolerance (BFT) consensus protocol to surmount faults and evade system failures in blockchain applications, adding more resilience as fault tolerance increases. Monash's Jiangshan Yu said the algorithm can be implemented simply for constructing scalable blockchains. He added that Damysus boosted the number of blockchain transactions per second by 87.5%, compared to the state-of-the-art HotStuff BFT consensus protocol. Said David Kozhaya at ABB Zurich, "Given the plethora of devices that inherently embed some form of trusted hardware nowadays, our results in Damysus, pragmatically speaking, make BFT protocols more appealing to use in real-world systems." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e5f7x232ed9x072218&; ------------------------------ Date: Thu, 7 Apr 2022 20:33:57 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Improving software supply chain security with tamper-proof builds (Google) https://security.googleblog.com/2022/04/improving-software-supply-chain.html ------------------------------ Date: Thu, 7 Apr 2022 13:33:21 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Spreadsheets Are Hot -- and Cranking Out Complex Code (WiReD) The venerable (and yes, super dull) piece of officeware is getting reinvented as a tool for non-coders to automate and simplify their lives. https://www.wired.com/story/spreadsheets-are-hot-and-cranking-out-complex-code/ Not a word about black-box/opaque "programming" being difficult to verify, modify, debug. Computer results/actions, mist be correct. ------------------------------ Date: Sat, 2 Apr 2022 09:22:56 +0900 From: Dave Farber <farber () gmail com> Subject: Who's Behind the Okta Hack (WiReD) Even if you aren't familiar with Okta, you've probably used it. The digital login system is used by thousands of companies across the world to manage employee logins to various cloud services. Which makes it a real problem when that system, and all that login info, gets hacked. This week on Gadget Lab, WIRED senior writer Lily Hay Newman joins the show to tell us about the group behind the recent Okta hack, how the hackers took control of such a vast system, and what happened in the aftermath. https://www.wired.com/story/gadget-lab-podcast-544 ------------------------------ Date: Tue, 5 Apr 2022 13:48:35 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Hackers breach MailChimp's internal tools to target crypto customers (BleepingComputer) Email marketing firm MailChimp disclosed on Sunday that they had been hit by hackers who gained access to internal customer support and account management tools to steal audience data and conduct phishing attacks. Sunday morning, Twitter was abuzz with reports from owners of Trezor hardware cryptocurrency wallets who received phishing notifications claiming that the company suffered a data breach. [...] According to MailChimp, some of their employees fell for a social engineering attack that led to the theft of their credentials. https://www.bleepingcomputer.com/news/security/hackers-breach-mailchimps-internal-tools-to-target-crypto-customers/ [Monty Solomon noted Hackers breached MailChimp to phish cryptocurrency wallets (The Verge) https://www.theverge.com/2022/4/4/23010317/hackers-mailchimp-trezor-cryptocurrency-phishing ------------------------------ Date: Mon, 4 Apr 2022 09:30:05 -0400 From: Andrew Duane <e91.waggin () gmail com> Subject: Re: The never-stopping car (RISKS-33.13) This reminds me of a (not at the time) amusing anecdote about my first car: a 1980 VW Rabbit Diesel. Driving along the highway one day, I noticed the car went from 48 HP to about 300 HP without me touching the gas pedal. Simultaneously, a huge cloud of black smoke was coming out of the tailpipe. I immediately put the car in neutral and turned off the ignition key. That did little to stop the engine. Diesels don't use spark to ignite the fuel, they use the heat of compression inside the cylinder. Turning off the key only turns off the fuel pump which is supposed to stop fuel flowing to the cylinders. But it turns out that when the air filter gets clogged enough, the vacuum created starts pulling oil around the piston rings, and engine oil is 100 octane racing gas for diesels. So turning off the fuel pump does not stop the engine from running; it runs until the engine oil is gone (then seizes). Luckily I got mine turned off before it switched to 100% engine oil, and the engine did spool down over 10 or 20 seconds. ------------------------------ Date: Mon, 4 Apr 2022 07:17:09 -0600 From: "Matthew Kruk" <mkrukg () gmail com> Subject: 'Trust No One: The Hunt for the Crypto King' Review: Coins and Misdemeanors (NYTimes) In this sensationalist Netflix documentary, aggrieved users of a defunct cryptocurrency exchange grow convinced that the company's head absconded with their money. https://www.nytimes.com/2022/03/30/movies/trust-no-one-the-hunt-for-the-crypto-king-review.html ------------------------------ Date: Tue, 5 Apr 2022 10:59:55 -0400 From: Cliff Kilby <cliffjkilby () gmail com> Subject: Who turned out the lights? Part of the joy of running a data center is configuring the data center to allow you to run it without having to stand at a crash cart in the cold isle. Unfortunately, this also means there are devices sitting on your network that have unusually high value for lateral attack movement. Dell has recently addressed a series of issues with their branded lights-out manager, iDRAC. https://www.dell.com/support/kbdoc/en-us/000196401/dsa-2022-043 This lights-out manager happens to be included in their storage systems. https://www.dell.com/support/kbdoc/en-us/000197962/dsa-2022-078-dell-technologies-powerprotect-dd-security-update-for-idrac9-and-bios-vulnerabilities Patch and ensure your network segmentation plan prevents general connectivity to lights-out managers. ------------------------------ Date: Fri, 1 Apr 2022 22:09:14 -0600 From: "Matthew Kruk" <mkrukg () gmail com> Subject: Re: Hackers Steal About $600 Million in One of the Biggest... Why people bother with craptocurrency is beyond me. Hello people, repeat after me: Electronic Ponzi. Madoff would be proud. I have other comments but this is a PG(N) family digest. [TNX for your thoughtfulness. PGN] ------------------------------ Date: Fri, 1 Apr 2022 16:19:45 -0400 From: Andrew Duane <e91.waggin () gmail com> Subject: Re: Tesla Deaths and Apache Log4j instances unpatched Both of these entries are good data to collect, but they both lack context. For the Tesla deaths, how does 246 deaths compare to non-autonomous vehicles? How many cars, how many miles were driven? Is 246 deaths a 50% drop from historical trends, or a 50%? For the log4j vulnerabilities (which I spent weeks on), what does that 30% unpatched figure represent? An instance could mean anything. Is it a Fortune 100 company's business database? Or Aunt Winnie's knitting blog with 14 subscribers? Many of us here live for numbers, but numbers without context don't give the complete or correct picture. ------------------------------ Date: Wed, 06 Apr 2022 09:56:07 +0100 From: John Murrell <mail () JohnMurrell org uk> Subject: Re: NYC Skyscraper's Elevator Breakdowns Strand Tenants (RISKS-33.12) Lifts use regenerative braking to stop the car at the destination floor and to control the speed. This results in the local supply voltage increasing which can cause problems both to the other lifts on the same supply as well as other equipment. The direction of travel when the lift regenerates depends on which is heavier, the counterweight or the car. It is a common fallacy that the lift brakes are used to stop the car, they are only used in an emergency and to hold the car at a floor when the doors are open. The problem will be intermittent as it depends on how many lifts are regenerating at the same time as well as how much power is consumed by the rest of the building. I know of one London Underground Station where the lifts cause the brightness of nearby shop lights to change. Also another where the old style rotating disc electricity meter failed as the regenerative current was trying to rotate the disc in the 'wrong' direction. ------------------------------ Date: Mon, 4 Apr 2022 07:17:09 -0600 From: "Matthew Kruk" <mkrukg () gmail com> Subject: 'Trust No One: The Hunt for the Crypto King' Review: Coins and Misdemeanors (NYTimes) In this sensationalist Netflix documentary, aggrieved users of a defunct cryptocurrency exchange grow convinced that the company's head absconded with their money. https://www.nytimes.com/2022/03/30/movies/trust-no-one-the-hunt-for-the-crypto-king-review.html ------------------------------ Date: Fri, 8 Apr 2022 20:11:37 -0700 From: Rik Farrow <rik () rikfarrow com> Subject: Review of Paul Van Oorschot's security book I've just published a review of Paul Van Oorschot's second edition of his book, Computer Security and the Internet. You can find my review here: https://www.usenix.org/publications/loginonline/computer-security-and-internet Briefly, very concise coverage in textbook form of computer security, quite up to date. A good choice for people with experience programming or managing computers who want to learn about security. ------------------------------ Date: Sun, 3 Apr 2022 09:16:31 -0600 From: Jim Reisert AD1C <jjreisert () alum mit edu> Subject: The Internet Is Not What You Think It Is: A History, A Philosophy, A Warning (LA Review of Books) Julien Crockett, March 22, 2022 https://lareviewofbooks.org/article/the-internet-is-not-what-you-think-it-is-a-history-a-philosophy-a-warning/ THE INTERNET HAS lost its way and taken society with it. Since the mid-2010s, we hear warnings of "dis/misinformation." We hear about the loss of trust in our institutions and the need to reinvent them for the Internet age. In short, we are living in a "crisis moment" -- one ironically experienced by many of us while stuck at home. Many have diagnosed these symptoms and proposed policy solutions, but few have done the hard work of rummaging around in the Internet's history to find the roots of the problems -- and almost none have taken a truly long view. In "The Internet Is Not What You Think It Is", Justin E. H. Smith, a philosopher and historian of science, argues that we've been much too narrow-minded in our understanding of the Internet. In presenting a longue durée history, he challenges our assumptions about what the Internet is and what we're doing when we're on it. Only by understanding the Internet's long history -- by understanding the circumstances in which the Internet's many parts were conceived -- can we, he claims, take back control of our lives and shape the Internet in a way more conducive to human flourishing. ------------------------------ Date: Mon, 1 Aug 2020 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 33.13 ************************
Current thread:
- Risks Digest 33.13 RISKS List Owner (Apr 09)