Risks Digest 33.16

[RISKS List Owner <risko () csl sri com>]

RISKS-LIST: Risks-Forum Digest  Tuesday 19 April 2022  Volume 33 : Issue 16

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.16>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
NASA Will Roll Back Its SLS Rocket for Repairs (WiReD)
CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using
 Pegasus and Candiru (CitizenLab)
Insteon is down and may not be coming back (Stacey on IoT)
Creating an Information Security Program from Scratch (Walter Williams)
Hundreds of Brockton drivers failed exam after getting licenses with no test
 (The Boston Globe)
Why I deleted the ACM election email (Cliff Kilby)
Crypto Is Poised to Reshape Taxes -- and Cities (WiReD)
Beanstalk DAO falls to a corporate raid, funded by flash loan junk bonds:
 Attack of the 50-foot Blockchain (David Gerard)
Re: recent NYT slips on tech coverage (Prashanth Mundkur)
Re: The Uncanny Future of Romance With Robots Is Already Here
 (Rob Slade. Craig Cottingham)
Re: What Can Hackers Do With Stolen Source Code? (Bernie Cosell)
Re: Hackers Steal About $600 Million in One of the Biggest Crypto
 (Kevin Kostolo)
Re: Driverless Cars Can Be Tricked into Seeing Red Traffic Lights as Green
 (Jan Wolitzky)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 19 Apr 2022 18:51:29 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: NASA Will Roll Back Its SLS Rocket for Repairs (WiReD)

After three attempts to run through a test of the Space Launch System,
engineers spotted a leak and a faulty valve. The fixes may delay the first
Artemis moon mission.

NASA engineers hope to have their massive moon-bound Space Launch System
ready for liftoff in a couple of months, but so far they've encountered some
bumps in the road. On March 17, NASA rolled the world's most powerful rocket
out onto the launchpad at Kennedy Space Center in Florida to ready it for
the Artemis program's inaugural lunar mission later this year. Since then,
technicians have completed a raft of checks on the huge rocket's systems,
but after three tries they haven't been able to make it through the final
test, a practice countdown called the ``wet dress rehearsal test.''

The key problems have been a faulty helium check valve and a liquid hydrogen
leak, which led to several pushbacks of the test countdown.  Finally, NASA
officials decided over the weekend to disconnect the rocket and, starting
next Tuesday, carefully roll the SLS and Orion crew capsule back to the
Vehicle Assembly Building, a facility with the equipment needed for them to
perform rocket surgery. They hope to have a quick turnaround, returning to
the pad soon afterward to complete the countdown test, but the first Artemis
mission around the moon -- originally planned for early June -- might be
delayed.

``The mega moon rocket is still doing very well. The one check valve is
literally the only real issue we've seen so far. We're very proud of the
rocket,'' said Tom Whitmeyer, a deputy associate administrator at NASA
headquarters in Washington, at a press conference this afternoon. ``But we
have a little bit more work in front of us.''

https://www.wired.com/story/nasa-rolls-back-its-sls-rocket-for-repairs

Aside from that one thing, Mrs. Lincoln...

------------------------------

Date: Mon, 18 Apr 2022 11:11:55 -0400
From: =?iso-8859-1?Q?Jos=E9_Mar=EDa?= Mateos <chema () rinzewind org>
Subject: CatalanGate: Extensive Mercenary Spyware Operation against
 Catalans Using Pegasus and Candiru (CitizenLab)

https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/

Summary of the findings:

- The Citizen Lab, in collaboration with Catalan civil society groups, has
  identified at least 65 individuals targeted or infected with mercenary
  spyware.

- At least 63 were targeted or infected with Pegasus, and four others with
  Candiru. At least two were targeted or infected with both.

- Victims included Members of the European Parliament, Catalan Presidents,
  legislators, jurists, and members of civil society organisations. Family
  members were also infected in some cases.

- We identified evidence of HOMAGE, a previously-undisclosed iOS zero-click
  vulnerability used by NSO Group that was effective against some versions
  prior to 13.2.

- The Citizen Lab is not conclusively attributing the operations to a
  specific entity, but strong circumstantial evidence suggests a nexus with
  Spanish authorities.

- We shared a selection of Pegasus cases with Amnesty International's Tech
  Lab, which independently validated our forensic methodology.

------------------------------

Date: Sun, 17 Apr 2022 23:52:16 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Insteon is down and may not be coming back (Stacey on IoT)

 Internet of Things news and analysis

Author writes: Is your Insteon smart home system down? I'm getting reports
from dozens of Insteon users that as of Friday their smart home hubs have
stopped working. So far, none of them have heard from the company, and
Insteon's Twitter account hasn't been updated since June 2021. I reached out
to Rob Lilleness, the president and chairman of Smartlabs, the company that
owns Insteon and have not yet heard back.

https://staceyoniot.com/insteon-is-down-and-may-not-be-coming-back/

A friend commented:

I have probably four or five Insteon devices plus a hub. Their technology
has been pretty decent and their support was excellent. They suddenly
disappeared last Friday without a trace. No explanation, no apology. The
woman who wrote the article above did some digging and it sure looks like
they're gone.

What I'd like to do (aside from replacing my now-useless Insteon devices) is
follow the careers of the perps named in the article and write scathing
reviews of any company that hires any of them, pointing to this article, to
let customers know that the same thing could happen to them with such
disrespectful people in management.

One of the comments made the excellent point that incidents like this are
going to erode consumer trust in IoT, especially products that require
Internet access to a server somewhere in order to function at all.

------------------------------

Date: Mon, 18 Apr 2022 08:58:03 -0700
From: "Rob Slade, greatgrandpa and widower" <rslade () gmail com>
Subject: Creating an Information Security Program from Scratch
  (Walter Williams)

There are plenty of tools we could talk about for those who already have a
security program in place.  What have we got if you don't?

(There are, of course, those long in the field, who seriously wish that they
could start over from scratch.  This book might act as a reminder that might
get them out of the weeds long enough to see an approach or tool they might
have overlooked.)

Walter Williams has taken on that task.  What happens when you, as possibly
the crack firewall expert on the tech team, are suddenly noticed by the
boss, who, out of the blue, decides that the company needs a CISO, and
you're it.  You've got the whole corporate infosec world in= your hands, and
you'd better not drop it.

Chapter one correctly states that you can start with either risk assessment
or compliance, and lists, in detail, that tools available to you for both.
Williams includes the top level security frameworks that can act as your
guides into the labyrinth that is information security, and notes the
strengths, and areas of emphasis, of each.  This provides you with not only
a starting point, but resources that will aid your throughout your security
career.

> From there, Williams moves into policy, and the supporting documentation
around it.  Without policy you can have no security, because you don' know
what it is you are protecting, and why.  Included in this chapter is an
initial foray into the importance of planning, which will come back in
myriad forms as you move deeper into security processes.

Asset management jumps from the high level viewpoint down into the weeds
and details.  However, that is a jump that you frequently have to make in
security.  You have no security without an overall vision, but you have no
protection without having the correct controls in place and working.
Assets, and the controls meant to protect them, have vulnerabilities, and
so managing those is vital as well.

Overall planning is important, but very soon you are going to be putting
out fires, known in the trade as incidents.  Note that Williams does not,
at this point, give you a full guide to business continuity or disaster
recovery planning, which would require an entire book of its own.  He does,
however, point you to yet more frameworks in the fields, which will get you
started in that direction.

Then it's back to assets, in this case the =E2=80=9Cendpoint,=E2=80=
=9D or what the user
tends to interact with.  The author provides an overview of both the
various problems which you will likely encounter in this realm, and a
variety of protections you may wish to choose, depending upon your specific
security posture.  From there Williams moves to email security, an issue
common to pretty much any end user these days.

> From the user, it is back to the technical team, and the issues with your
networking and telecommunications.  Note that I say *issues*: the full range
of every possible detail that you need to know would need a very fat book
indeed, and several of those are available when you want to go there.
Somewhat more detail, or at least the structures and processes that you will
need, are addressed in the chapter on software development.

After the introduction to incidents, earlier in the work, Williams now turns
to disasters, and disaster recovery.  This is addressed from the disaster
recovery, rather than the business continuity, angle, which is probably
wise, as a company in the first round of a security program probably has
neither the maturity, nor the resources, to prepare a full business
continuity plan.

In the chapter on access control, Williams spends a good deal of time
outlining some of the formal theories and models behind the controls.  This
is far from a waste of time.  Tuning an access control system in terms of
details can waste a good deal of effort and resources if those controls do
not protect in the way you think or assume that they will.  Looking at the
formal models should get you used to understanding what a system will, and
won't, do for you.

Spend a lot of time with chapter twelve, Human Issues.  As the author notes
up front, too many security specialists take it for granted that people are
the problem.  People are your greatest weakness, in security, but they are,
paradoxically and at the same time, your greatest security asset.  Make your
people aware, and get them onside.

Williams finishes with the concept of organizational maturity.  This is an
important concept, but readers may be distracted by the accompanying
material on metrics and data presentation.

This is a solid, and comprehensive, guide for those who have to start
securing an enterprise from square one.  It may appear to jump around from
topic to topic, and from the overall view to the details.  Get used to it.
That's what security is like.

------------------------------

Date: Tue, 19 Apr 2022 17:06:00 -0400
From: Monty Solomon <monty () roscom com>
Subject: Hundreds of Brockton drivers failed exam after getting licenses
 with no test (The Boston Globe)

https://www.boston.com/news/local-news/2022/04/19/brockton-rmv-road-tests-failures-suspensions/

  [An unanswerable question unlike Who Shaves the Barber is Who is going to
  test the drivers in the driverless cars?  PGN]

------------------------------

Date: Mon, 18 Apr 2022 11:04:38 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Why I deleted the ACM election email

And why you should have too.

They used my name, isn't that enough?
Nope. Purchasing email-to-name services (legal and/or questionable) is
cheap and readily available.

They said ACM.
I am proud of my membership in the ACM, this is just a public fact.

They pointed a URL to the ACM website.
Even marginally good phishers refer to their target website. Sometimes even
loading their CSS or images directly.

They bounced between several domains that aren't associated with ACM in the
email.
This alone is sufficient to reject an email at a glance.

They referred to a URL shortener.
URL shorteners are notorious for being used to plaster over a suspicious
reference to another domain, and cannot be easily tested. Another reason to
delete on sight.

acmhelp () mg electionservicescorp com authenticated the email.

That's nice. I don't know who they are, and if they really had permission
to pretend to be ACM, why isn't this email on ACM's domain (DKIM auth
grant)?

There is something that looks like a password in this email.

They call it a PIN so it may be a username, but an email with an
unsolicited authenticator in it goes straight to garbage.

In other news, it's time for ACM general elections.

https://www.acm.org/elections/acm-vote

------------------------------

Date: Mon, 18 Apr 2022 19:32:35 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Crypto Is Poised to Reshape Taxes -- and Cities (WiReD)

Taxes, CityCoins founder Patrick Stanley says, can stop being a mind-numbing
civic ritual and become an exercise in freedom -- if we tokenize and
calibrate them the right way. Stanley's crypto-based invention is what he
calls *an opt-in tax of opportunity, as opposed to obligation,* wherein
boosters tithe a particular city with crypto because they have faith in the
municipality and its mission.  [...]

Within the CityCoins matrix, miners receive a city-specific coin, like
MiamiCoin or NYCCoin, by trading in STX, the token for Stacks, a protocol
that operates on top of the Bitcoin network.  [...]

Beyond CityCoins' undetermined future, it remains to be seen whether crypto
writ large will usher in a technocratic nirvana, wither the way of Dutch
tulips, collapse like an audited Ponzi scheme, or lead to unforeseen
outcomes. Regardless, the capitalist urge to turn a civic tradition into a
financial instrument will survive whether CityCoins fizzles out or
not. TurboTax has already done this for its shareholders; CityCoins or some
future avatar will lead the charge in *democratizing* those gains for
others. But the civic tradition of birthing political movements by
confronting unjust financial tools remains alive and well, too. Whatever
comes next, we can all agree the IRS leaves ample room for improvement.

https://www.wired.com/story/crypto-reshape-taxes-cities

Tokenize? Calibrate? Tithe? Tulips/Ponzi, yes.

------------------------------

Date: Mon, 18 Apr 2022 20:41:55 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Beanstalk DAO falls to a corporate raid, funded by flash loan
 junk bonds: Attack of the 50-foot Blockchain (David Gerard)

Beanstalk DAO is a DeFi lender running on the Ethereum blockchain. It was
raided just before 12:30 UTC on Sunday 17 April for 24,830 ETH.

Smart contracts are famously prone to hacks. But this wasn't a hack at all
-- this was a corporate raid. Even the project concedes that everything
worked according to the rules of the project.

The story of the Beanstalk raid is the end of a long chain of slapdash and
incompetent financial engineering, by people who just found out why
regulations evolved.  [...]

The aftermath

Beanstalk is probably screwed, and BEAN's dollar peg has been broken
utterly.

The Beanstalk project has gone to exchanges asking them to block the ether
from the transaction -- and even to the FBI. The project's anonymous
founder, Publius, did not clarify to CoinTelegraph under just what law the
FBI would have recourse to help them. [CoinTelegraph]

This was an outrageous shenanigan. But it's not clear that it was any more
illegal than the securities law violations that Beanstalk was already
committing. The raider completely obeyed the project's rules.

Publius [Beanstalk founders] said on the project Discord: ``It's unfortunate
that the same governance procedure that put beanstalk in a position to
succeed was ultimately its undoing.''

https://davidgerard.co.uk/blockchain/2022/04/18/beanstalk-dao-falls-to-a-corporate-raid-funded-by-flash-loan-junk-bonds/

------------------------------

Date: Tue, 19 Apr 2022 14:05:50 -0400
From: Prashanth Mundkur <prashanth.mundkur () sri com>
Subject: Re: recent NYT slips on tech coverage

Some correctives to recent NYT tech coverage:

1. The (Edited) Latecomer's Guide to Crypto
   by Molly White et al., March 25, 2022.
   https://www.mollywhite.net/annotations/latecomers-guide-to-crypto

   On March 20, 2022, the New York Times published a 14,000-word puff piece
   on cryptocurrencies, both online and as an entire section of the Sunday
   print edition. Though its author, Kevin Roose, wrote that it aimed to be
   a "sober, dispassionate explanation of what crypto actually is", it was a
   thinly-veiled advertisement for cryptocurrency that appeared to have
   received little in the way of fact-checking or critical editorial
   scrutiny. It uncritically repeated many questionable or entirely
   fallacious arguments from cryptocurrency advocates, and it appears that
   no experts on the topic were consulted, or even anyone with a
   less-than-rosy view on crypto. This is grossly irresponsible.

   Here, a group of around fifteen cryptocurrency researchers and critics
   have done what *The New York Times* apparently won't.

2. On NYT Magazine on AI: Resist the Urge to be Impressed
   by Emily M. Bender, April 17, 2022
   https://medium.com/@emilymenonbender/on-nyt-magazine-on-ai-resist-the-urge-to-be-impressed-3d92fd9a0edd

   On April 15, 2022, Steven Johnson published a piece in the New York Times
   Magazine entitled AI Is Mastering Language. Should We Trust What It Says?
   I knew this piece was coming, because I had been interviewed for it, over
   email, a couple of weeks ago. I read it with some trepidation, because I
   had the sense that Johnson's question and goals going into the article
   did not maintain sufficient skepticism of the claims of AI boosters. At
   the same time, I was also fairly confident my words weren't going to be
   taken out of context because I'd been contacted by a fact checker who was
   verifying the quotes they intended to use.  On reading the article, my
   expectations were met on both counts. Ordinarily, when I encounter AI
   hype in media coverage of research/products that claim to be AI, I get
   inspired to write tweet threads aiming to educate folks on how to spot
   and thus resist such hype. (Here's a recent example.) Johnson's article
   is ~10k words long, though, and so I've decided to try to do the same in
   blog form, rather than as a tweet thread.

------------------------------

Date: Mon, 18 Apr 2022 19:13:25 -0700
From: Rob Slade <rslade () gmail com>
Subject: Re: The Uncanny Future of Romance With Robots Is Already Here
 (RISKS-33.15)


> Some people wanted to build a replica of themselves, ...

As a grieving widower, I am more than a little freaked out by the
implications of this.  Being able to build a "perfect" friend is one level
of self delusion.  But the bereaved are already in danger from inappropriate
relationships.  The bereaved suffer extreme and desperate loneliness, not
just from the loss of a loved one, but from social isolation, because most
of their friends and family do not understand the depth of real grief.
Couple that with the existing tendency to "converse" with the dead loved one
(which can be healthy at some point in the grieving process, but can become
an obsession), and the temptation to recreate a "Markov chain" replica
(Replika?) can create a really (psychologically) dangerous situation.

(I've got a whole bunch of Gloria's email messages, going back possibly
thirty years.  Should I try it out?  Would the "uncanny valley" freak me
out?  Would I become obsessed if it was too good?)

------------------------------

Date: Tue, 19 Apr 2022 09:57:24 -0500
From: Craig Cottingham <craig.cottingham () gmail com>
Subject: Re: The Uncanny Future of Romance With Robots Is Already Here
 (RISKS-33.15)

This is more-or-less the plot of the Black Mirror episode *Be Right Back*
https://www.imdb.com/title/tt2290780/

Art may imitate life, but life also imitates art.

------------------------------

Date: Mon, 18 Apr 2022 19:25:18 -0400
From: "Bernie Cosell" <bernie () fantasyfarm com>
Subject: Re: What Can Hackers Do With Stolen Source Code? (RISKS-33.15)

Considering that MS patches scores of bugs, many of them serious, it isn't
so difficult to suspect that some group getting the source code could,
perhaps, find next month's bugs and the month after that's bugs and
... before MS does.

------------------------------

Date: Tue, 19 Apr 2022 10:35:01 -0500
From: Kevin Kostolo <kevinkostolo2005 () gmail com>
Subject: Re: Subject: Hackers Steal About $600 Million in One of the
 Biggest Crypto (RISKS-33.15)

> [Incidentally, I received a copy of the full text from Gabe Goldberg, but
> for some reason it came in as rampant gibberish, so I decided not to try
> to unscramble the rest of it after what I hav added here.  PGN]

I read elsewhere there was an msn version of the link floated about with
the same gibberish.

------------------------------

Date: Tue, 19 Apr 2022 06:48:37 -0400
From: Jan Wolitzky <jan.wolitzky () gmail com>
Subject: Re: Driverless Cars Can Be Tricked into Seeing Red Traffic Lights
 as Green (JW)

A racing car driver, Eugene,
Had the swiftest machine on the scene.
  Nearly faster than light,
  With no cops in sight,
He'd blue-shift the red lights to green.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.16
************************