RISKS Forum mailing list archives
Risks Digest 33.25
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 4 Jun 2022 15:13:33 PDT
RISKS-LIST: Risks-Forum Digest  Saturday 4 June 2022  Volume 33 : Issue 35
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.35>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Firm proposes using Taser-armed drones to stop school shootings (NPR.ORG)
Illumina Cybersecurity Vulnerability May Present Risks for Patient Results
  and Customer Networks: Letter to Health Care Providers (FDA)
FBI blocked planned cyberattack on children's hospital (NBC)
Three times in one year, gamers release classified military documents
  on game forum (Kotaku)
Voting Software Vulnerable in Some States (Kate Brumback)
Activists say cyber agency weakens voting tech advisory (AP News)
The Airline Changed My Flight Itinerary -- for the Worse (NYTimes)
Parameter Expansion Considered Dangerous (The Hacker News)
I tried to read all my app privacy policies. It was 1 million words.
  (Geoffrey A. Fowler)
D.C. stop-sign camera brought in $1.3 million in tickets in 2 years (WashPost)
Tim Hortons app tracked too much personal information without adequate
  consent, investigation finds (CBC)
Cape Cod Regional Transit Authority hit by ransomware attack (CapeCodTimes)
Microsoft Follina Vulnerability in Windows Can Be Exploited Through
  Office 365 (WiReD)
User Generated Content moderation? (Lauren Weinstein)
Same Symptom -- Different Cause? (TUMunich)
Google bans deepfake-generating AI from Colab (Techcrunch)
Tech Experts Urge WashDC to Resist Cryptocurrency Industry's Influence
  (Scott Chipolina)
She documented the alt-right. Now she's coming for cryptocurrency. (WashPost)
Three NYU Tandon teams win $2.5 million from an NSF partnership to ensure
  resiliency is part of next-G wireless telecommunications (NYU)
Racist and Violent Ideas Jump From Web's Fringes to Mainstream Sites (NYTimes)
China is looking for 'other Earths' to colonize (CGTN)
Why Silicon Valley's Tech Titans Are In 'Serious Trouble' (YouTube)
With Cameras on Every Phone, Will Broadway's Nude Scenes Survive? (NYTimes)
Re: Inside the Government Fiasco That Nearly Closed the U.S. Air System
  (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 4 Jun 2022 22:31:15 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Firm proposes using Taser-armed drones to stop school shootings
  (NPR.ORG)

https://www.npr.org/2022/06/04/1103066205/taser-armed-drones-school-shootings

"The product idea had been kicked around at Axon since at least 2019 and the
company has been working to try to figure out whether a drone with a Taser
was even a feasible idea. Over the last year, the company created
computer-generated art renderings to mock up a product design and conducted
an internal test to see if Taser darts -- which transmit an immobilizing
electric jolt -- could be fired from a flying drone, Smith said. He added
that he had discussed the possibility of developing such a product with the
ethics board."

Would Axon deploy this drone-tazerbot to patrol their corporate HQ and other
facilities? Nuts!

------------------------------

Date: Thu, 2 Jun 2022 16:26:28 -0400
From: Monty Solomon <monty () roscom com>
Subject: Illumina Cybersecurity Vulnerability May Present Risks for Patient
  Results and Customer Networks: Letter to Health Care Providers (FDA)

The U.S.
Food and Drug Administration (FDA) is informing laboratory personnel and
health care providers about a cybersecurity vulnerability affecting software
in the Illumina NextSeq 550Dx, the MiSeqDx, the NextSeq 500, NextSeq 550,
MiSeq, iSeq, and MiniSeq, next generation sequencing instruments. These
instruments are medical devices that may be specified either for clinical
diagnostic use in sequencing a person's DNA or testing for various genetic
conditions, or for research use only (RUO). Some of these instruments have a
dual boot mode that allows a user to operate them in either clinical
diagnostic mode or RUO mode. Devices intended for RUO are typically in a
development stage and must be labeled "For Research Use Only. Not for use in
diagnostic procedures." -- though many laboratories may be using them with
tests for clinical diagnostic use.

The cybersecurity vulnerability affects the Local Run Manager (LRM) software.
An unauthorized user could exploit the vulnerability by:

* taking control of the instrument remotely;
* operating the system to alter settings, configurations, software, or data
  on the instrument or a customer's network; or
* impacting patient test results in the instruments intended for clinical
  diagnosis, including causing the instruments to provide no results or
  incorrect results, altered results, or a potential data breach.

Illumina has developed a software patch to protect against the exploitation
of this vulnerability and is working to provide a permanent software fix for
current and future instruments. The FDA wants laboratory personnel and health
care providers to be aware of the required actions to mitigate these
cybersecurity risks. [...]

https://www.fda.gov/medical-devices/letters-health-care-providers/illumina-cybersecurity-vulnerability-may-present-risks-patient-results-and-customer-networks-letter

------------------------------

Date: Wed, 1 Jun 2022 14:00:17 -0400
From: Monty Solomon <monty () roscom com>
Subject: FBI blocked planned cyberattack on children's hospital (NBC)

FBI Director Christopher Wray said the bureau and Boston Children's Hospital
had worked closely together after a hacktivist attacked the hospital's
computer network in 2014.

https://www.nbcnews.com/tech/security/fbi-blocked-planned-cyberattack-childrens-hospital-director-says-rcna31456

------------------------------

Date: Fri, 3 Jun 2022 14:03:00 -0400
From: Jan Wolitzky <jan.wolitzky () gmail com>
Subject: Three times in one year, gamers release classified military
  documents on game forum (Kotaku)

How seriously do video gamers take the games' depictions of military
hardware? Seriously enough that three times in the past year, players of
"War Thunder" have leaked classified military documents on the game's online
forums, either to settle arguments about their favorite tanks' capabilities
or to get the games' designers to make them more true-to-life.

https://kotaku.com/war-thunder-tank-classified-military-document-leak-chin-1849005359

------------------------------

Date: Wed, 1 Jun 2022 11:59:47 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Voting Software Vulnerable in Some States (Kate Brumback)

Kate Brumback, Associated Press, 1 Jun 2022, via ACM TechNews, 1 Jun 2022

The U.S. Cybersecurity and Infrastructure Agency (CISA) warned state election
officials that Dominion Voting Systems' electronic voting machines contain
software flaws that could be exploited if left unpatched. Although there is
no evidence the machines have been hacked to change election results, the
advisory discloses nine vulnerabilities, and recommends safeguards to prevent
or detect exploitation.
Despite CISA executive director Brandon Wales' statement that "states'
standard election security procedures would detect exploitation of these
vulnerabilities, and in many cases would prevent attempts entirely," the
advisory seems to suggest those efforts are inadequate. Advised mitigation
strategies include application of continued and enhanced "defensive measures
to reduce the risk of exploitation of these vulnerabilities" prior to every
election. CISA also urged aggressive pre- and post-election testing on the
machines, post-election audits, and having voters confirm the human-readable
portion on printed ballots.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2eb70x2341a1x072730&

------------------------------

Date: Sun, 5 Jun 2022 01:33:15 +0900
From: Dave Farber <farber () gmail com>
Subject: Activists say cyber agency weakens voting tech advisory (AP News)

The nation's leading cybersecurity agency released a final version Friday of
an advisory it previously sent state officials on voting machine
vulnerabilities in Georgia and other states that voting integrity activists
say weakens a security recommendation on using barcodes to tally votes.

The advisory put out by the U.S. Cybersecurity and Infrastructure Security
Agency, or CISA, has to do with vulnerabilities identified in Dominion Voting
Systems' ImageCast X touchscreen voting machines, which produce a paper
ballot or record votes electronically. The agency said that although the
vulnerabilities should be quickly mitigated, the agency ``has no evidence
that these vulnerabilities have been exploited in any elections.''

Dominion's systems have been unjustifiably attacked since the 2020 election
by people who embraced the false belief that the election was stolen from
former President Donald Trump. The company has filed defamation lawsuits in
response to incorrect and outrageous claims made by high-profile Trump
allies.
------------------------------

Date: Thu, 2 Jun 2022 10:17:49 -0400
From: Monty Solomon <monty () roscom com>
Subject: The Airline Changed My Flight Itinerary -- for the Worse (NYTimes)

Airlines are within their contractual rights to cancel booked flights and
place passengers on less-convenient routes with hours-long layovers. Our
columnist investigates whether travelers have any recourse.

https://www.nytimes.com/2022/05/24/travel/airline-flight-itinerary.html

------------------------------

Date: Fri, 3 Jun 2022 13:30:15 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Parameter Expansion Considered Dangerous (The Hacker News)

After the Log4j issue came to light [See RISKS-33.11,13,14]
(https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance), I would
have expected the industry to realize the problem wasn't just with Log4j, or
even Java. It's unguarded user submitted parameter expansion.

https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html

Seems to indicate I was overly optimistic.

Several templating engines exist with several parameter formats. Offhand,
there is jsp with <jsp, <%, <c, ${, asp(x) with <%, smarty and freemarker
with {$, Django, Mustache and Jinja with {{. Apache's Velocity templates have
a list worthy of a BNF rule, but I don't know BNF, so how about "dollar-sign
or hash optional bang optional bracket

------------------------------

Date: Wed, 1 Jun 2022 14:19:02 -0400
From: Monty Solomon <monty () roscom com>
Subject: I tried to read all my app privacy policies. It was 1 million words.
  (Geoffrey A. Fowler)

Let's abolish reading privacy policies. Here's how we can use the law and
technology to give us real privacy choices.

https://www.washingtonpost.com/technology/2022/05/31/abolish-privacy-policies/

  [Also noted by Gabe Goldberg.  PGN]

------------------------------

Date: Wed, 1 Jun 2022 02:10:10 -0400
From: Monty Solomon <monty () roscom com>
Subject: D.C. stop-sign camera brought in $1.3 million in tickets in 2 years
  (WashPost)

A traffic camera at this stop sign, which has proven lucrative for the
District, is loathed by some residents who say it is overly sensitive and
praised by others who say it promotes safe driving.

https://www.washingtonpost.com/dc-md-va/2022/05/31/stop-sign-camera-northwest-washington/

------------------------------

Date: Wed, 1 Jun 2022 20:43:26 -0600
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: Tim Hortons app tracked too much personal information without
  adequate consent, investigation finds (CBC)

https://www.cbc.ca/news/business/tim-hortons-app-report-1.6473584

The federal privacy commissioner's investigation into the Tim Hortons mobile
app found that the app unnecessarily collected extensive amounts of data
without obtaining adequate consent from users.

The commissioner's report, which was published Wednesday morning, states
that Tim Hortons collected granular location data for the purpose of
targeted advertising and the promotion of its products but that the company
never used the data for those purposes.

------------------------------

Date: Sat, 4 Jun 2022 10:18:23 -0400
From: Monty Solomon <monty () roscom com>
Subject: Cape Cod Regional Transit Authority hit by ransomware attack

https://www.capecodtimes.com/story/news/2022/06/04/cape-cod-regional-transit-authority-ransomware-cyber-attack-fbi-investigating/7501982001/

------------------------------

Date: Sat, 4 Jun 2022 00:47:42 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Microsoft Follina Vulnerability in Windows Can Be Exploited Through
  Office 365 (WiReD)

The company continues to downplay the severity of the Follina vulnerability,
which remains present in all supported versions of Windows.

The Follina vulnerability in a Windows support tool can be easily exploited
by a specially crafted Word document.
The lure is outfitted with a remote template that can retrieve a malicious
HTML file and ultimately allow an attacker to execute Powershell commands
within Windows. Researchers note that they would describe the bug as a
"zero-day," or previously unknown vulnerability, but Microsoft has not
classified it as such. [...]

With all this real-world exploitation, the question is whether the guidance
Microsoft has published so far is adequate and proportionate to the risk.

"Security teams could view Microsoft's nonchalant approach as a sign that
this is 'just another vulnerability,' which it most certainly is not," says
Jake Williams, director of cyber threat intelligence at the security firm
Scythe. "It's not clear why Microsoft continues to downplay this
vulnerability, especially while it's being actively exploited in the wild."

https://www.wired.com/story/microsoft-follina-vulnerability-windows-office-365

------------------------------

Date: Wed, 1 Jun 2022 09:26:22 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: User Generated Content moderation?

It's not impossible that ultimately platforms will be required to moderate
all UGC (User Generated Content) before it appears publicly. This would
likely require a drastic cutback in UGC availability, with many
ramifications. But the regulatory arrow is moving in this direction.

------------------------------

Date: Wed, 1 Jun 2022 11:59:47 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Same Symptom -- Different Cause? (TUMunich)

Technical University of Munich, Germany, 27 May 2022 via ACM TechNews,
1 Jun 2022

Scientists at Germany's Technical University of Munich (TUM) have developed a
machine learning algorithm to extract subtypes of illnesses from molecular
data. The Molecular Signatures using Biclustering (MoSBi) tool merges the
results of existing algorithms to acquire stronger, more precise clinical
subtype predictions, removing the need for time-consuming adjustment.
"We have developed a Web-based tool that permits online analysis of
molecular clinical data by practitioners without prior knowledge of
bioinformatics," explained TUM's Josch Konstantin Pauling. Researchers can
submit data to a website for automated analysis, and use the results to
interpret their research. The team worked with colleagues at Germany's Max
Planck Institute, Technical University of Dresden, and Kiel University Clinic
to apply MoSBi to identify two potential biomarkers for progression to
non-alcoholic fatty liver disease.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2eb70x2341a7x072730&

------------------------------

Date: Wed, 1 Jun 2022 14:58:49 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Google bans deepfake-generating AI from Colab (Techcrunch)

https://techcrunch.com/2022/06/01/2328459/

GOOD!

------------------------------

Date: Wed, 1 Jun 2022 11:59:47 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Tech Experts Urge WashDC to Resist Cryptocurrency Industry's
  Influence (Scott Chipolina)

Scott Chipolina, *Financial Times*, 31 May 2022, via ACM TechNews, 1 Jun 2022

A coalition of 26 leading computer scientists and academics has submitted a
letter to U.S. lawmakers urging a crackdown on cryptocurrency investments
and blockchain technology. The letter calls on major Senate figures "to
resist pressure from digital asset industry financiers, lobbyists, and
boosters to create a regulatory safe haven for these risky, flawed, and
unproven digital financial instruments." Signatory Bruce Schneier at Harvard
University said blockchain, contrary to advocates' assurances, is insecure
and not decentralized.
Events like the recent implosion of the TerraUSD stablecoin have rekindled
worries about crypto's financial stability, while letter signatory and former
Microsoft engineer Miguel de Icaza argued, "The computational power [of
blockchain] is equivalent to what you could do in a centralized way with a
$100 computer."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2eb70x2341abx072730&

------------------------------

Date: Sat, 4 Jun 2022 09:46:28 -0400
From: Monty Solomon <monty () roscom com>
Subject: She documented the alt-right. Now she's coming for cryptocurrency.
  (WashPost)

Molly White, a 28-year-old software engineer who edits Wikipedia pages in
her spare time, has become an unlikely thorn in the side of the burgeoning
cryptocurrency movement. As the tech and finance world largely embrace
crypto tech, she's helping lead a band of skeptics pushing the other
direction.

https://www.washingtonpost.com/technology/2022/05/29/molly-white-crypto/

------------------------------

Date: Thu, 2 Jun 2022 16:14:15 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Three NYU Tandon teams win $2.5 million from an NSF partnership to
  ensure resiliency is part of next-G wireless telecommunications (NYU)

Tandon School of Engineering
BROOKLYN, New York, 11 May 2022 -- Lightning-fast, low-latency wireless,
from 5G to 6G and beyond, will enable such services as virtual and augmented
reality streaming, near-zero latency vehicle-to-cloud communications to help
self-driving cars navigate in real time, remote surgery, coordination of
automated systems in factories and other facilities, and a plethora of
futuristic consumer apps. But it will also open a Pandora's box of security
vulnerabilities in the hardware serving as its backbone and software driving
its networks. [...]

------------------------------

Date: Thu, 2 Jun 2022 11:00:46 -0400
From: Monty Solomon <monty () roscom com>
Subject: Racist and Violent Ideas Jump From Web's Fringes to Mainstream Sites
  (NYTimes)

Despite some efforts by the largest tech companies to limit the spread of
hateful content, it often remains only a click or two away.

https://www.nytimes.com/2022/06/01/technology/fringe-mainstream-social-media.html

------------------------------

Date: Mon, 30 May 2022 19:19:31 -1000
From: geoff goodfellow <geoff () iconia com>
Subject: China is looking for 'other Earths' to colonize (CGTN)

China has announced its first plans to search the stars for nearby habitable
planets that could one day expand humanity's "living space" across the Milky
Way. If it gets funding, the telescope could launch as soon as 2026.

In the project, called Closeby Habitable Exoplanet Survey (CHES), officials
propose launching a 3.9-foot-aperture (1.2 meters) space telescope roughly
930,000 miles (1.5 million kilometers) to a gravitationally stable Lagrange
point between Earth and the Sun, according to the Chinese state-run news
service CGTN. Lagrange points trek around the sun at exactly the same rate
as Earth does, meaning a craft at one of those points will remain the same
distance from our planet indefinitely.

Once at the L2 Lagrange point (which is also home to NASA's James Webb Space
Telescope), the CHES telescope will spend five years searching for habitable
worlds across the roughly 100 sun-like stars within 33 light-years (10
parsecs) of Earth. From this data, astronomers hope to spot Earth-size
*exoplanets* <https://www.livescience.com/what-are-exoplanets> that are
moving around their stars in similar orbits to our own -- a clue that these
potential "Earth 2.0's" may harbor water, and possibly even life.
"The discovery of the nearby habitable worlds will be a great breakthrough
for humankind, and will also help humans visit those Earth twins and expand
our living space in the future," Ji Jianghui, an astronomer at the Chinese
Academy of Sciences and the principal investigator of the CHES mission,
*told CGTN*, the website of the China Global Television Network.

The scientists say they hope to find roughly 50 Earth-like or super-Earth
exoplanets in their search. [...]

<https://news.cgtn.com/news/2022-05-19/China-plans-world-s-first-habitable-planet-search-outside-solar-system-1a9W98DLA52/index.html>,
https://www.livescience.com/china-is-looking-for-other-earths-to-colonize

  [What are risks? It's likely to be hugely expensive. It seems somewhat
  delusional and beyond rational thought, in light of needing mass transit
  over the light-years required for travel, although that would perhaps be
  limited to future government leaders wishing to escape. The use of the
  word "nearby" in the trans-galactic sense is particularly amusing. It's
  too late for an April Fool's posting, so perhaps it is actually being
  considered seriously. <I wonder what Bill Cheswick (widely known as
  "CHES") might think of it. He has always been a far-sighted thinker.> PGN]

------------------------------

Date: Sat, 4 Jun 2022 00:27:25 -0600
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: Why Silicon Valley's Tech Titans Are In 'Serious Trouble' (YouTube)

https://www.youtube.com/watch?v=6VKpJeNoRlA

Business Insider's Linette Lopez joins Morning Joe to discuss her latest
piece on why the tech titans of Silicon Valley are in serious trouble.

------------------------------

Date: Thu, 2 Jun 2022 09:41:33 -0400
From: Monty Solomon <monty () roscom com>
Subject: With Cameras on Every Phone, Will Broadway's Nude Scenes Survive?
  (NYTimes)

https://www.nytimes.com/2022/06/01/arts/broadway-nudity-phone-cameras.html

------------------------------

Date: 31 May 2022 22:48:12 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: Inside the Government Fiasco That Nearly Closed the U.S. Air
  System (ProPublica, RISKS-33.24)

This is an unusually poor piece for ProPublica, a lot of DC inside baseball
but nothing on the key question of whether C band signals really will make
airliners' radio altimeters fail. The answer for the most part turns out to
be no. Harold Feld did a really good series on this last fall:

https://wetmachine.com/tales-of-the-sausage-factory/what-the-eff-faa-my-insanely-long-field-guide-to-the-faa-fcc-5g-c-band-fight/

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.25
************************