From: RISKS List Owner <risko () csl sri com>
Date: Sat, 4 Jun 2022 15:13:33 PDT

RISKS-LIST: Risks-Forum Digest  Saturday 4 June 2022  Volume 33 : Issue 35

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.35>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Firm proposes using Taser-armed drones to stop school shootings (NPR.ORG)
Illumina Cybersecurity Vulnerability May Present Risks for Patient Results
 and Customer Networks: Letter to Health Care Providers (FDA)
FBI blocked planned cyberattack on children's hospital (NBC)
Three times in one year, gamers release classified military documents on
 game forum (Kotaku)
Voting Software Vulnerable in Some States (Kate Brumback)
Activists say cyber agency weakens voting tech advisory (AP News)
The Airline Changed My Flight Itinerary -- for the Worse (NYTimes)
Parameter Expansion Considered Dangerous (The Hacker News)
I tried to read all my app privacy policies. It was 1 million words.
 (Geoffrey A. Fowler)
D.C. stop-sign camera brought in $1.3 million in tickets in 2 years
 (WashPost)
Tim Hortons app tracked too much personal information without adequate
 consent, investigation finds (CBC)
Cape Cod Regional Transit Authority hit by ransomware attack (CapeCodTimes)
Microsoft Follina Vulnerability in Windows Can Be Exploited Through Office
 365 (WiReD)
User Generated Content moderation? (Lauren Weinstein)
Same Symptom -- Different Cause? (TUMunich)
Google bans deepfake-generating AI from Colab (Techcrunch)
Tech Experts Urge WashDC to Resist Cryptocurrency Industry's Influence
 (Scott Chipolina)
She documented the alt-right. Now she's coming for cryptocurrency.
 (WashPost)
Three NYU Tandon teams win $2.5 million from an NSF partnership to ensure
 resiliency is part of next-G wireless telecommunications (NYU)
Racist and Violent Ideas Jump From Web's Fringes to Mainstream Sites
 (NYTimes)
China is looking for 'other Earths' to colonize (CGTN)
Why Silicon Valley's Tech Titans Are In 'Serious Trouble' (YouTube)
With Cameras on Every Phone, Will Broadway's Nude Scenes Survive? (NYTimes)
Re: Inside the Government Fiasco That Nearly Closed the U.S. Air System
 (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 4 Jun 2022 22:31:15 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Firm proposes using Taser-armed drones to stop school shootings
 (NPR.ORG)

https://www.npr.org/2022/06/04/1103066205/taser-armed-drones-school-shootings

"The product idea had been kicked around at Axon since at least 2019 and the
company has been working to try to figure out whether a drone with a Taser
was even a feasible idea. Over the last year, the company created
computer-generated art renderings to mock up a product design and conducted
an internal test to see if Taser darts -- which transmit an immobilizing
electric jolt -- could be fired from a flying drone, Smith said. He added
that he had discussed the possibility of developing such a product with the
ethics board."

Would Axon deploy this drone-tazerbot to patrol their corporate HQ and
other facilities? Nuts!

------------------------------

Date: Thu, 2 Jun 2022 16:26:28 -0400
From: Monty Solomon <monty () roscom com>
Subject: Illumina Cybersecurity Vulnerability May Present Risks for Patient
 Results and Customer Networks: Letter to Health Care Providers (FDA)

The U.S. Food and Drug Administration (FDA) is informing laboratory
personnel and health care providers about a cybersecurity vulnerability
affecting software in the Illumina NextSeq 550Dx, the MiSeqDx, the NextSeq
500, NextSeq 550, MiSeq, iSeq, and MiniSeq, next generation sequencing
instruments. These instruments are medical devices that may be specified
either for clinical diagnostic use in sequencing a person's DNA or testing
for various genetic conditions, or for research use only (RUO). Some of
these instruments have a dual boot mode that allows a user to operate them
in either clinical diagnostic mode or RUO mode. Devices intended for RUO are
typically in a development stage and must be labeled “For Research Use
Only. Not for use in diagnostic procedures.” – though many laboratories may
be using them with tests for clinical diagnostic use.

The cybersecurity vulnerability affects the Local Run Manager (LRM)
software. An unauthorized user could exploit the vulnerability by:

* taking control of the instrument remotely;

* operating the system to alter settings, configurations, software, or data
  on the instrument or a customer's network; or

* impacting patient test results in the instruments intended for clinical
  diagnosis, including causing the instruments to provide no results or
  incorrect results, altered results, or a potential data breach.

Illumina has developed a software patch to protect against the exploitation
of this vulnerability and is working to provide a permanent software fix for
current and future instruments. The FDA wants laboratory personnel and
health care providers to be aware of the required actions to mitigate these
cybersecurity risks.  [...]

https://www.fda.gov/medical-devices/letters-health-care-providers/illumina-cybersecurity-vulnerability-may-present-risks-patient-results-and-customer-networks-letter

------------------------------

Date: Wed, 1 Jun 2022 14:00:17 -0400
From: Monty Solomon <monty () roscom com>
Subject: FBI blocked planned cyberattack on children's hospital (NBC)

FBI Director Christopher Wray said the bureau and Boston Children's Hospital
had worked closely together after a hacktivist attacked the hospital's
computer network in 2014.

https://www.nbcnews.com/tech/security/fbi-blocked-planned-cyberattack-childrens-hospital-director-says-rcna31456

------------------------------

Date: Fri, 3 Jun 2022 14:03:00 -0400
From: Jan Wolitzky <jan.wolitzky () gmail com>
Subject: Three times in one year, gamers release classified military
 documents on game forum (Kotaku)

How seriously do video gamers take the games' depictions of military
hardware?  Seriously enough that three times in the past year, players of
"War Thunder" have leaked classified military documents on the game's online
forums, either to settle arguments about their favorite tanks' capabilities
or to get the games' designers to make them more true-to-life.

https://kotaku.com/war-thunder-tank-classified-military-document-leak-chin-1849005359

------------------------------

Date: Wed, 1 Jun 2022 11:59:47 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Voting Software Vulnerable in Some States (Kate Brumback)

Kate Brumback, Associated Press, 1 Jun 2022, via ACM TechNews, 1 Jun 2022

The U.S. Cybersecurity and Infrastructure Agency (CISA) warned state
election officials that Dominion Voting Systems' electronic voting machines
contain software flaws that could be exploited if left unpatched. Although
there is no evidence the machines have been hacked to change election
results, the advisory discloses nine vulnerabilities, and recommends
safeguards to prevent or detect exploitation. Despite CISA executive
director Brandon Wales' statement that "states' standard election security
procedures would detect exploitation of these vulnerabilities, and in many
cases would prevent attempts entirely," the advisory seems to suggest those
efforts are inadequate. Advised mitigation strategies include application of
continued and enhanced "defensive measures to reduce the risk of
exploitation of these vulnerabilities" prior to every election. CISA also
urged aggressive pre- and post-election testing on the machines,
post-election audits, and having voters confirm the human-readable portion
on printed ballots.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2eb70x2341a1x072730&;

------------------------------

Date: Sun, 5 Jun 2022 01:33:15 +0900
From: Dave Farber <farber () gmail com>
Subject: Activists say cyber agency weakens voting tech advisory (AP News)

The nation's leading cybersecurity agency released a final version Friday of
an advisory it previously sent state officials on voting machine
vulnerabilities in Georgia and other states that voting integrity activists
say weakens a security recommendation on using barcodes to tally votes.

The advisory put out by the U.S. Cybersecurity and Infrastructure Security
Agency, or CISA, has to do with vulnerabilities identified in Dominion
Voting Systems' ImageCast X touchscreen voting machines, which produce a
paper ballot or record votes electronically. The agency said that although
the vulnerabilities should be quickly mitigated, the agency ``has no
evidence that these vulnerabilities have been exploited in any elections.''

Dominion's systems have been unjustifiably attacked since the 2020 election
by people who embraced the false belief that the election was stolen from
former President Donald Trump. The company has filed defamation lawsuits in
response to incorrect and outrageous claims made by high-profile Trump
allies.

------------------------------

Date: Thu, 2 Jun 2022 10:17:49 -0400
From: Monty Solomon <monty () roscom com>
Subject: The Airline Changed My Flight Itinerary -- for the Worse
 (NYTimes)

Airlines are within their contractual rights to cancel booked flights and
place passengers on less-convenient routes with hours-long layovers. Our
columnist investigates whether travelers have any recourse.

https://www.nytimes.com/2022/05/24/travel/airline-flight-itinerary.html

------------------------------

Date: Fri, 3 Jun 2022 13:30:15 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Parameter Expansion Considered Dangerous (The Hacker News)

After the Log4j issue came to light [See RISKS-33.11,13,14]
(https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance), I would
have expected the industry to realize the problem wasn't just with Log4j, or
even Java. It's unguarded user-submitted parameter expansion.

https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html
Seems to indicate I was overly optimistic.

Several templating engines exist with several parameter formats. Offhand,
there is jsp with <jsp, <%, <c, ${, asp(x) with <%, smarty and freemarker
with {$, Django, Mustache and Jinja with {{. Apache's Velocity templates
have a list worthy of a BNF rule, but I don't know BNF, so how about
"dollar-sign or hash optional bang optional bracket
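
  [The following is an added illustration, not code from Cliff Kilby or
  from any of the engines he names. It uses only Python's standard-library
  string.Template, whose ${name} / $name syntax is one of the formats listed
  above, to show the difference between letting request data become the
  template (the Log4j-shaped mistake) and passing it as a value. The
  CONTEXT dictionary, the api_key placeholder and the probe string are
  constructed for the example; the delimiter regex is a log-triage
  heuristic built from the delimiters listed in the post, not a sanitizer.]

```python
"""Unguarded parameter expansion, in miniature.

Constructed example using only the standard library's string.Template.
"""
import re
from string import Template

# Constructed server-side context: values a request must never be able to
# read back by supplying template syntax (placeholder, not a real key).
CONTEXT = {"user": "alice", "api_key": "EXAMPLE-KEY-NOT-REAL"}


def render_vulnerable(user_supplied: str, context: dict = CONTEXT) -> str:
    """Anti-pattern: the user's text *is* the template, so any $-expansion
    in it is evaluated against the server-side context."""
    return Template(user_supplied).safe_substitute(context)


# The template is a fixed string owned by the application; only the
# values come from the request.
GREETING = Template("Hello, $name!")


def render_safe(user_supplied: str) -> str:
    """Hardened form: user text is passed as a value. Template performs a
    single pass, so delimiters inside the value are emitted literally and
    are never re-expanded."""
    return GREETING.safe_substitute(name=user_supplied)


# Delimiters the post lists for common engines (JSP/JSTL, ASP, Smarty,
# FreeMarker, Django/Mustache/Jinja, Velocity's "$ or # optional ! optional {").
# Useful for flagging suspicious fields in request logs; it is a detection
# heuristic, not a substitute for keeping user data out of the template.
TEMPLATE_MARKERS = re.compile(r"\$!?\{|#\{|\{\{|\{\$|<%|<jsp:|<c:")


def looks_like_template_syntax(value: str) -> bool:
    """True when the value contains a delimiter some engine might expand."""
    return TEMPLATE_MARKERS.search(value) is not None


if __name__ == "__main__":
    probe = "${api_key}"  # constructed: a request field carrying template syntax
    print("vulnerable:", render_vulnerable(probe))   # the context value leaks
    print("safe:      ", render_safe(probe))         # emitted literally
    print("flagged:   ", looks_like_template_syntax(probe))
```

  The design point is that the fix is structural, not a filter: render_safe
  needs no knowledge of which delimiters are dangerous because user data
  never reaches the expander as a template. The regex only helps an
  operator spot, in logs, where such data is arriving.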

------------------------------

Date: Wed, 1 Jun 2022 14:19:02 -0400
From: Monty Solomon <monty () roscom com>
Subject: I tried to read all my app privacy policies. It was 1 million
 words.  (Geoffrey A. Fowler)

Let's abolish reading privacy policies. Here's how we can use the law and
technology to give us real privacy choices.

https://www.washingtonpost.com/technology/2022/05/31/abolish-privacy-policies/

  [Also noted by Gabe Goldberg.  PGN]

------------------------------

Date: Wed, 1 Jun 2022 02:10:10 -0400
From: Monty Solomon <monty () roscom com>
Subject: D.C. stop-sign camera brought in $1.3 million in tickets in 2 years
 (WashPost)

A traffic camera at this stop sign, which has proven lucrative for the
District, is loathed by some residents who say it is overly sensitive and
praised by others who say it promotes safe driving.

https://www.washingtonpost.com/dc-md-va/2022/05/31/stop-sign-camera-northwest-washington/

------------------------------

Date: Wed, 1 Jun 2022 20:43:26 -0600
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: Tim Hortons app tracked too much personal information without
 adequate consent, investigation finds (CBC)

https://www.cbc.ca/news/business/tim-hortons-app-report-1.6473584

The federal privacy commissioner's investigation into the Tim Hortons mobile
app found that the app unnecessarily collected extensive amounts of data
without obtaining adequate consent from users.

The commissioner's report, which was published Wednesday morning, states
that Tim Hortons collected granular location data for the purpose of
targeted advertising and the promotion of its products but that the company
never used the data for those purposes.

------------------------------

Date: Sat, 4 Jun 2022 10:18:23 -0400
From: Monty Solomon <monty () roscom com>
Subject: Cape Cod Regional Transit Authority hit by ransomware attack

https://www.capecodtimes.com/story/news/2022/06/04/cape-cod-regional-transit-authority-ransomware-cyber-attack-fbi-investigating/7501982001/

------------------------------

Date: Sat, 4 Jun 2022 00:47:42 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Microsoft Follina Vulnerability in Windows Can Be Exploited Through
 Office 365 (WiReD)

The company continues to downplay the severity of the Follina vulnerability,
which remains present in all supported versions of Windows.

The Follina vulnerability in a Windows support tool can be easily exploited
by a specially crafted Word document. The lure is outfitted with a remote
template that can retrieve a malicious HTML file and ultimately allow an
attacker to execute Powershell commands within Windows. Researchers note
that they would describe the bug as a "zero-day," or previously unknown
vulnerability, but Microsoft has not classified it as such.  [...]

With all this real-world exploitation, the question is whether the guidance
Microsoft has published so far is adequate and proportionate to the risk.

"Security teams could view Microsoft's nonchalant approach as a sign that
this is 'just another vulnerability,' which it most certainly is not," says
Jake Williams, director of cyber threat intelligence at the security firm
Scythe. "It's not clear why Microsoft continues to downplay this
vulnerability, especially while it's being actively exploited in the wild."

https://www.wired.com/story/microsoft-follina-vulnerability-windows-office-365

------------------------------

Date: Wed, 1 Jun 2022 09:26:22 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: User Generated Content moderation?

It's not impossible that ultimately platforms will be required to moderate
all UGC (User Generated Content) before it appears publicly.  This would
likely require a drastic cutback in UGC availability, with many
ramifications. But the regulatory arrow is moving in this direction.

------------------------------

Date: Wed, 1 Jun 2022 11:59:47 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Same Symptom -- Different Cause? (TUMunich)

Technical University of Munich, Germany, 27 May 2022
via ACM TechNews, 1 Jun 2022

Scientists at Germany's Technical University of Munich (TUM) have developed
a machine learning algorithm to extract subtypes of illnesses from molecular
data. The Molecular Signatures using Biclustering (MoSBi) tool merges the
results of existing algorithms to acquire stronger, more precise clinical
subtype predictions, removing the need for time-consuming adjustment. "We
have developed a Web-based tool that permits online analysis of molecular
clinical data by practitioners without prior knowledge of bioinformatics,"
explained TUM's Josch Konstantin Pauling. Researchers can submit data to a
website for automated analysis, and use the results to interpret their
research. The team worked with colleagues at Germany's Max Planck Institute,
Technical University of Dresden, and Kiel University Clinic to apply MoSBi
to identify two potential biomarkers for progression to non-alcoholic fatty
liver disease.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2eb70x2341a7x072730&;

------------------------------

Date: Wed, 1 Jun 2022 14:58:49 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Google bans deepfake-generating AI from Colab (Techcrunch)

https://techcrunch.com/2022/06/01/2328459/

  GOOD!

------------------------------

Date: Wed, 1 Jun 2022 11:59:47 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Tech Experts Urge WashDC to Resist Cryptocurrency Industry's
 Influence (Scott Chipolina)

Scott Chipolina, *Financial Times*, 31 May 2022,
via ACM TechNews, 1 Jun 2022

A coalition of 26 leading computer scientists and academics has submitted a
letter to U.S. lawmakers urging a crackdown on cryptocurrency investments
and blockchain technology. The letter calls on major Senate figures "to
resist pressure from digital asset industry financiers, lobbyists, and
boosters to create a regulatory safe haven for these risky, flawed, and
unproven digital financial instruments." Signatory Bruce Schneier at Harvard
University said blockchain, contrary to advocates' assurances, is insecure
and not decentralized. Events like the recent implosion of the TerraUSD
stablecoin have rekindled worries about crypto's financial stability, while
letter signatory and former Microsoft engineer Miguel de Icaza argued, "The
computational power [of blockchain] is equivalent to what you could do in a
centralized way with a $100 computer."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2eb70x2341abx072730&;

------------------------------

Date: Sat, 4 Jun 2022 09:46:28 -0400
From: Monty Solomon <monty () roscom com>
Subject: She documented the alt-right. Now she's coming for cryptocurrency.
 (WashPost)

Molly White, a 28-year-old software engineer who edits Wikipedia pages in
her spare time, has become an unlikely thorn in the side of the burgeoning
cryptocurrency movement. As the tech and finance world largely embrace
crypto tech, she's helping lead a band of skeptics pushing the other
direction.

https://www.washingtonpost.com/technology/2022/05/29/molly-white-crypto/

------------------------------

Date: Thu, 2 Jun 2022 16:14:15 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Three NYU Tandon teams win $2.5 million from an NSF partnership to
 ensure resiliency is part of next-G wireless telecommunications (NYU)

Tandon School of Engineering

BROOKLYN, New York, 11 May 2022 -- Lightning-fast, low-latency wireless,
from 5G to 6G and beyond, will enable such services as virtual and augmented
reality streaming, near-zero latency vehicle-to-cloud communications to help
self-driving cars navigate in real time, remote surgery, coordination of
automated systems in factories and other facilities, and a plethora of
futuristic consumer apps. But it will also open a Pandora's box of security
vulnerabilities in the hardware serving as its backbone and software driving
its networks.  [...]

------------------------------

Date: Thu, 2 Jun 2022 11:00:46 -0400
From: Monty Solomon <monty () roscom com>
Subject: Racist and Violent Ideas Jump From Web's Fringes to Mainstream
 Sites (NYTimes)

Despite some efforts by the largest tech companies to limit the spread of
hateful content, it often remains only a click or two away.

https://www.nytimes.com/2022/06/01/technology/fringe-mainstream-social-media.html

------------------------------

Date: Mon, 30 May 2022 19:19:31 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: China is looking for 'other Earths' to colonize (CGTN)

China has announced its first plans to search the stars for nearby habitable
planets that could one day expand humanity's "living space" across the Milky
Way.  If it gets funding, the telescope could launch as soon as 2026.

In the project, called Closeby Habitable Exoplanet Survey (CHES), officials
propose launching a 3.9-foot-aperture (1.2 meters) space telescope roughly
930,000 miles (1.5 million kilometers) to a gravitationally stable Lagrange
point between Earth and the Sun, according to the Chinese state-run news
service CGTN.  Lagrange points trek around the sun at exactly the same rate
as Earth does, meaning a craft at one of those points will remain the same
distance from our planet indefinitely.

Once at the L2 Lagrange point (which is also home to NASA's James Webb Space
Telescope), the CHES telescope will spend five years searching for habitable
worlds across the roughly 100 sun-like stars within 33 light-years (10
parsecs) of Earth. From this data, astronomers hope to spot Earth-size
*exoplanets* <https://www.livescience.com/what-are-exoplanets> that are
moving around their stars in similar orbits to our own -- a clue that these
potential "Earth 2.0's" may harbor water, and possibly even life.

"The discovery of the nearby habitable worlds will be a great breakthrough
for humankind, and will also help humans visit those Earth twins and expand
our living space in the future," Ji Jianghui, an astronomer at the Chinese
Academy of Sciences and the principal investigator of the CHES mission,
*told CGTN*, the website of the China Global Television Network. The
scientists say they hope to find roughly 50 Earth-like or super-Earth
exoplanets in their search.  [...]

<https://news.cgtn.com/news/2022-05-19/China-plans-world-s-first-habitable-planet-search-outside-solar-system-1a9W98DLA52/index.html>,

https://www.livescience.com/china-is-looking-for-other-earths-to-colonize

  [What are risks?  It's likely to be hugely expensive.  It seems somewhat
  delusional and beyond rational thought, in light of needing mass transit
  over the light-years required for travel, although that would perhaps be
  limited to future government leaders wishing to escape.  The use of the
  word "nearby" in the trans-galactic sense is particularly amusing.  It's
  too late for an April Fool's posting, so perhaps it is actually being
  considered seriously.  <I wonder what Bill Cheswick (widely known as
  "CHES") might think of it.  He has always been a far-sighted thinker.>
  PGN]

------------------------------

Date: Sat, 4 Jun 2022 00:27:25 -0600
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: Why Silicon Valley's Tech Titans Are In 'Serious Trouble' (YouTube)

https://www.youtube.com/watch?v=6VKpJeNoRlA

Business Insider's Linette Lopez joins Morning Joe to discuss her latest
piece on why the tech titans of Silicon Valley are in serious trouble.

------------------------------

Date: Thu, 2 Jun 2022 09:41:33 -0400
From: Monty Solomon <monty () roscom com>
Subject: With Cameras on Every Phone, Will Broadway's Nude Scenes Survive?
 (NYTimes)

https://www.nytimes.com/2022/06/01/arts/broadway-nudity-phone-cameras.html

------------------------------

Date: 31 May 2022 22:48:12 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: Inside the Government Fiasco That Nearly Closed the U.S. Air
  System (ProPublica, RISKS-33.24)

This is an unusually poor piece for ProPublica, a lot of DC inside baseball
but nothing on the key question of whether C band signals really will make
airliners' radio altimeters fail. The answer for the most part turns out to
be no.

Harold Feld did a really good series on this last fall:

https://wetmachine.com/tales-of-the-sausage-factory/what-the-eff-faa-my-insanely-long-field-guide-to-the-faa-fcc-5g-c-band-fight/

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.25
************************
