RISKS Forum mailing list archives
Risks Digest 33.19
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 7 May 2022 15:36:39 PDT
RISKS-LIST: Risks-Forum Digest  Saturday 7 May 2022  Volume 33 : Issue 19

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.19>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Japan Says It Needs Nuclear Power. Can Host Towns Ever Trust It Again? (NYTimes)
AI goes to war in Ukraine (Fortune)
The Information War in Ukraine is Far from Over (NYTimes)
Russia struggles under unprecedented wave of hacking (WashPost)
Microsoft Finds Linux Desktop Flaw That Gives Root to Untrusted Users
  (Dan Goodin)
Google Docs crashed when fed 'And. And. And. And. And (The Register)
Ordinary Copper Telephone Wire Could Carry Gigabit Broadband Speeds
  (Matthew Sparkes)
The Weapon that Mistook a School Bus for an Ostrich
  (Science Diplomacy via Diego Latella)
Smart Office Buildings Are Vulnerable to Hacks (Konrad Putzier)
Every ISP in the US Must Block These 3 Pirate Streaming Services (WiReD)
Problems with Elon Musk's Plan to Open-Source the Twitter Algorithm
  (MIT Tech Review)
Elon Musk wants to 'authenticate all real humans' on Twitter.
  Here's what that could mean (CNN)
Why is the U.S. still probing foreign visitors' social media accounts?
  (WashPost)
Is your social network accurately reporting where you are? (Reddit)
Can computers write product reviews with a human touch?
  (Techxplore.com)
DeFi ponzinomics, Grayscale ETF comments, Binance and Russia, El Salvador --
  Attack of the 50-Foot Blockchain (Sam Bankman-Fried)
The Tale of a Crypto Executive Who Wasn't Who He Said He Was (NYTimes)
What Is Happening to the People Falling for Crypto and NFTs (NYTimes)
Wikimedia Foundation announces it will no longer accept cryptocurrency
  donations (Lauren Weinstein)
Re: Bitcoin Is Unlikely to Go Green (Andrew Waugh, John Beattie)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 5 May 2022 15:44:48 -0400
From: "Gabe Goldberg" <gabe () gabegold com>
Subject: Japan Says It Needs Nuclear Power. Can Host Towns Ever Trust It
  Again? (NYTimes)

The Ukraine war has shown the fragility of Japan's energy supplies. But the decision to restart plants after the Fukushima disaster is fraught with emotions and political calculation.

https://www.nytimes.com/2022/05/04/world/asia/japan-nuclear-power.html

The risk? No perfect solutions.

------------------------------

Date: Fri, 6 May 2022 16:18:03 -0400
From: "Gabe Goldberg" <gabe () gabegold com>
Subject: AI goes to war in Ukraine (Fortune)

War is terrible. But it has often played a pivotal role in advancing technology. And Russia's invasion of Ukraine is shaping up to be a key proving ground for artificial intelligence, for ill and, perhaps in a few instances, for good, too.

Civil society groups and AI researchers have been increasingly alarmed in recent years about the advent of lethal autonomous weapons systems -- AI-enabled weapons with the ability to select targets and kill people without human oversight. This has led to a concerted effort at the United Nations to try to ban or at least restrict the use of such systems. But those talks have so far not resulted in much progress.
https://fortune.com/2022/03/01/russia-ukraine-invasion-war-a-i-artificial-intelligence/

------------------------------

Date: Fri, 6 May 2022 12:06:04 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: The Information War in Ukraine is Far from Over (NYTimes)

Serge Schmemann, *The New York Times*, lead op-ed, 6 May 2022

If the first casualty of war is truth, then the corollary in Ukraine is that information is the first battlefield. On the battlefield, lies are ammunition in Putin's struggle to stay in power.

  [Pithy article. I first mistyped it as *babblefield*. That somewho seems
  appropriate. PGN]

------------------------------

Date: Sun, 1 May 2022 17:27:34 +0000
From: The Washington Post <email () washingtonpost com>
Subject: Russia struggles under unprecedented wave of hacking (WashPost)

... puncturing the myth of Moscow's unassailable cyber-superiority

  [Thanks to Richard Thieme. PGN]

Prolific Russian ransomware groups had pledged to step up attacks on American infrastructure if Russian technology was hobbled in retribution for the invasion of Ukraine. But in the third month of the war, Russia, not the United States, is dealing with a cyber-assault involving government activity, political voluntarism and criminal action.

<https://s2.washingtonpost.com/36b9790/>

------------------------------

Date: Fri, 29 Apr 2022 12:26:34 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Microsoft Finds Linux Desktop Flaw That Gives Root to Untrusted
  Users (Dan Goodin)

Dan Goodin, *Ars Technica*, 26 Apr 2022, via ACM TechNews; 29 Apr 2022

Microsoft discovered an elevation of privileges flaw in Linux incorporating two vulnerabilities that can grant root system rights to untrusted users. The Nimbuspwn exploit, which Microsoft calls "the EoP threat," resides in the networkd-dispatcher, a component in many Linux distributions that dispatches network status changes and can process various scripts to respond to a new status.
Networkd-dispatcher runs as root when a desktop boots up, and the flaws blend threats including directory traversal, symlink race, and time-of-check time-of-use race condition, permitting hackers with minimal access to a desktop to link exploits for these vulnerabilities and gain full root access. The flaw has been patched, and users of vulnerable versions of Linux are advised to implement the patch as soon as possible.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e86bx23379bx073897&

------------------------------

Date: Sat, 7 May 2022 08:41:01 -0400
From: Tom Van Vleck <thvv () multicians org>
Subject: Google Docs crashed when fed 'And. And. And. And. And (The Register)

https://www.theregister.com/2022/05/06/google_docs_crash/

------------------------------

Date: Mon, 2 May 2022 12:00:44 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Ordinary Copper Telephone Wire Could Carry Gigabit Broadband Speeds
  (Matthew Sparkes)

Matthew Sparkes, *New Scientist*, 26 Apr 2022 via ACM TechNews, 2 May 2022

Ergin Dinc and colleagues at the U.K.'s University of Cambridge claim copper telephone wire already deployed across Britain can carry data at rates three times higher than fiber-optic cable at much less cost, over short distances. The researchers say twisted pairs of copper wire can bear a frequency five times higher than is currently employed, which may enable houses near fiber-optic cables to realize higher speeds than currently possible, without threading fiber all the way to their homes. In addition, the researchers learned that copper broadband connections' operating frequency of less than 1 gigahertz can theoretically be increased to 5 gigahertz through the use of an electrical device called a balun.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e891x233851x071263&

------------------------------

Date: Thu, 05 May 2022 21:53:55 +0200
From: "Diego.Latella" <diego.latella () isti cnr it>
Subject: The Weapon that Mistook a School Bus for an Ostrich

D. Amoroso, D. Garcia, and G. Tamburrini - Science & Diplomacy

An interesting article on autonomous weapons
https://www.sciencediplomacy.org/article/2022/weapon-mistook-school-bus-for-ostrich

  [de BUStigus NON DISPUTANDUM oESTrich? PGN]

------------------------------

Date: Wed, 4 May 2022 12:40:45 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Smart Office Buildings Are Vulnerable to Hacks (Konrad Putzier)

Konrad Putzier, *The Wall Street Journal*, 03 May 2022

Smart office buildings in the U.S. raise concerns about privacy and cybersecurity. Cybersecurity consultants warn that building managers devote little attention to digital security, and the interconnection of smart building systems means accessing a single Internet-connected door can potentially enable hijacking, extortion, or data theft. Lucian Niemeyer at smart-building safety nonprofit Building Cyber Security worries that more criminals will target smart buildings as protections for mobile phones and databases are strengthened. Said Dave Tyson of cybersecurity company Apollo Information Systems Corp., "The bad guys only need to find one way in, and whatever you've connected to is now on the table."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e8e7x23395bx071938&

------------------------------

Date: Thu, 5 May 2022 20:05:09 -0400
From: "Gabe Goldberg" <gabe () gabegold com>
Subject: Every ISP in the US Must Block These 3 Pirate Streaming Services
  (WiReD)

The 96 Internet service providers were told to enforce the orders "by any technological means available".
https://www.wired.com/story/streaming-services-piracy-blocked-isps-united-states

------------------------------

Date: Fri, 6 May 2022 12:10:16 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Problems with Elon Musk's Plan to Open-Source the Twitter Algorithm
  (MIT Tech Review)

Chris Stokel-Walker, *MIT Technology Review*, 27 Apr 2022, via ACM TechNews, 6 May 2022

Elon Musk's announced plans for the Twitter social network include open-sourcing its algorithms, which experts say would do little to boost transparency without access to their training data. Said Jennifer Cobbe of the U.K.'s University of Cambridge, "Most of the time when people talk about algorithmic accountability these days, we recognize that the algorithms themselves aren't necessarily what we want to see--what we really want is information about how they were developed." There also are concerns open-sourcing Twitter's algorithms would enable bad actors to identify vulnerabilities to exploit and could make it more difficult to defeat spam bots.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e929x2339f9x071309&

------------------------------

Date: April 30, 2022 at 18:05:03 GMT+9
From: Dewayne Hendricks <dewayne () warpspeed com>
Subject: Elon Musk wants to 'authenticate all real humans' on Twitter.
  Here's what that could mean (CNN)

[Note: This item comes from friend Mike Nelson. DLH]

Brian Fung, CNN, 28 Apr 2022
<https://www.cnn.com/2022/04/28/tech/elon-musk-authenticate-all-real-humans/iundex.html>

Elon Musk wants to 'authenticate all real humans' on Twitter. Here's what that could mean:

As the public combs through Elon Musk's Twitter (TWTR) feed for clues on how the billionaire entrepreneur intends to run the social media platform he's buying for $44 billion, one mysterious line stands out: "authenticate all real humans."
That cryptic proposal is vague enough to keep people guessing about what Musk has in mind but specific enough that it offers several possible paths as he looks to shape Twitter more to his liking. For example, Musk could seek to require real names on accounts. Or perhaps he may continue to allow pseudonyms but require photo identification, or integration with third-party services where users are already known. Depending on the outcome, the plan could have big ramifications for Twitter's hundreds of millions of users.

Musk's drive to "authenticate" Twitter users stems from one of his biggest pet peeves with the platform's spam accounts, particularly those that push cryptocurrency scams. It's often not hard to find these accounts lurking in the replies to Musk's tweets; many even attempt to trade on his celebrity and lure the unsuspecting by impersonating him. It didn't help that in the summer of 2020, Musk's verified account was affected by a widespread Twitter hack that led to users including former President Barack Obama and Kanye West unwittingly spreading a bitcoin scam.

Cryptocurrency spam bots, Musk has said, represent Twitter's ``single most annoying problem.'' Musk's diagnosis may reflect the experiences of a very particular type of user, but it so happens that this user will soon control the design of the platform.

As part of his solution for battling cryptocurrency bots, Musk wants to make it easier to separate real from fake accounts under his proposal to ``authenticate all real humans.'' If the goal is to ensure that every account is tied to a flesh-and-blood person, the platform will need some way to verify they are real.

One possibility is an expansion of Twitter's existing verification program. Currently, to receive a blue check on their accounts, users have to supply a link to an official website that they're affiliated with, an official email address or a government-issued form of identification.
Musk could stop short of requiring identification but require that users use their real names. He could explore other methods too, such as linking accounts to credit cards or relying more on CAPTCHAs to defeat bots, said Jillian York, director for international freedom of expression at the digital rights group Electronic Frontier Foundation. (CAPTCHAs aren't a cure-all, however; as bots have grown more sophisticated, CAPTCHAs have had to become more and more difficult for humans to solve in what could be described as a technological arms race.)

Whatever method he chooses, York and other experts said Musk is likely to run into challenges that fall into two main categories: access and privacy.

Access is about ensuring that all people who wish to use Twitter can get on the platform. With a system that ties accounts to credit cards, for example, York said Twitter would risk excluding all those who don't have them. Maybe they're too young to have a credit card or they have poor credit and can't get approved. Maybe they don't like having their credit card transactions traded to data brokers or they just prefer using cash for cultural reasons. Tying authentication to consumer credit would "exclude millions of people," said York.

Then there's the issue of privacy. While many users may feel they have nothing to hide, a system that forces users to submit their personally identifiable information creates a single point of failure. Not only would more users have to trust Twitter not to abuse their personal information, but Twitter itself would become a much larger target for repressive governments (who could use legal demands to compel Twitter to hand over the information) or cybercriminals motivated by identity theft. Cybercriminals have even reportedly posed as real law enforcement agents to serve fraudulent government requests for tech company data. Twitter could promise to delete the records, but it would merely be mitigating a risk it created for itself.
The privacy issue is particularly worrisome to human rights groups, said Natalia Krapiva, an attorney at the digital rights group Access Now, "especially for people in countries like Russia and others where individuals get severely persecuted for criticizing the government or covering important political events like the protests, corruption, or the war in Ukraine.''

Even a real-names policy could prove challenging. Facebook has some experience with this; the company was forced to make changes to its names policy in 2015 after critics pointed out that abuse victims and other vulnerable groups had good reasons to use pseudonyms. The changes at Facebook raised the bar for reporting a fake name and allowed users to provide reasons to the company why they avoid using their real names.

------------------------------

Date: Mon, 2 May 2022 16:05:57 -0400
From: "Gabe Goldberg" <gabe () gabegold com>
Subject: Why is the U.S. still probing foreign visitors' social media
  accounts? (WashPost)

Many people expected the Biden administration to end a Trump-era policy. Instead, the administration is expanding it.

https://www.washingtonpost.com/outlook/2022/04/26/social-media-surveillance-us-visas-state/

------------------------------

Date: Sun, 1 May 2022 17:39:31 -0400
From: Jeremy Epstein <jeremy.j.epstein () gmail com>
Subject: Is your social network accurately reporting where you are? (Reddit)

Seems that some social networks try to guess where you are based on things other than geolocation, so if you're using a VPN it might not get the right location. My daughter told me that ProtonVPN started reporting that she's in Russia (the VPN endpoint is actually in the Netherlands). Seems that this is a Known Problem:

https://www.reddit.com/r/ProtonVPN/comments/uchwzr/fastest_profile_sent_me_to_russia/

As a moderator described it (I have no idea if this is accurate, but it seems plausible):

  No, your IP is not changing.
  The problem is that often, instead of using GeoIP services, social media companies with lots of big data (like facebook, instagram, and google) use location on cell devices to match IPs to locations. Currently, there are a lot of Russian users on ProtonVPN servers, hence causing this issue. This has been discussed as an example in those threads:

  https://www.reddit.com/r/ProtonVPN/comments/tfoko3/anyone_else_getting_this_on_instagram_i_am_on_a/
  https://www.reddit.com/r/ProtonVPN/comments/tuj9ne/always_connects_to_russia/

------------------------------

Date: Tue, 3 May 2022 12:23:03 +0800
From: Richard Stein <rmstein () ieee org>
Subject: Can computers write product reviews with a human touch?
  (Techxplore.com)

https://techxplore.com/news/2022-04-product-human.html

"Review writing is challenging for humans and computers, in part, because of the overwhelming number of distinct products," said Keith Carlson, a doctoral research fellow at the Tuck School of Business. "We wanted to see how artificial intelligence can be used to help people that produce and use these reviews."

One means to prevent AI-hype from self-reinforced review feedback would be to introduce product test plans, test results, and defect tracking metrics into the review. Assuming the test and defect content is not faked, then real metrics exist for comparison and contrast with equivalent product feature sets. Interpreting test plan content for context presents a modest problem to surmount.

------------------------------

Date: Thu, 5 May 2022 00:11:19 -0400
From: "Gabe Goldberg" <gabe () gabegold com>
Subject: DeFi ponzinomics, Grayscale ETF comments, Binance and Russia,
  El Salvador -- Attack of the 50-Foot Blockchain (Sam Bankman-Fried)

The cry of the cryptocurrency evangelist is: ``you just don't understand the technology.'' When you ask them a technical question, you discover that 100% of crypto bros who say you just don't understand the technology, don't understand any technology.
https://davidgerard.co.uk/blockchain/2022/04/26/news-sam-bankman-fried-on-defi-ponzinomics-grayscale-etf-comments-binance-and-russia-el-salvador/

------------------------------

Date: Wed, 4 May 2022 13:33:09 -0400
From: "Gabe Goldberg" <gabe () gabegold com>
Subject: The Tale of a Crypto Executive Who Wasn't Who He Said He Was
  (NYTimes)

The Tale of a Crypto Executive Who Wasn't Who He Said He Was

The chief operating officer of ZenLedger, a software company, boasted of work for Goldman Sachs and Larry King. Did anyone check to see if it was true?

https://www.nytimes.com/2022/05/03/your-money/zenledger-dan-hannum.html

Someone scamming a cryptocurrency company, I'm shocked.

------------------------------

Date: Sat, 7 May 2022 12:42:06 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: What Is Happening to the People Falling for Crypto and NFTs (NYTimes)

  [Warning: As usual, "crypto" does not mean cryptography. PGN]

https://www.nytimes.com/2022/05/05/opinion/crypto-nfts-web3.html

OpenSea, the world's hottest NFT startup, gained 500,000 users in 1 year. Its founders went from broke to billionaires in that same time. Now they're struggling to keep it from going off the rails.

https://fortune.com/longform/opensea-nfts-eth-ethereum-crypto-marketplace-founders/

He became as rich as Mark Zuckerberg virtually overnight. How Binance founder Zhao became a $74 billion man while moving fast-breaking things in crypto. Binance handled $34.1 trillion in trading last year, even while wrangling with regulators.

https://fortune.com/longform/binance-changpeng-cz-zhao-net-worth-crypto-exchange-trading/

Why OpenSea's NFT Marketplace Can't Win. Security issues and endless copycat listings are rife, but the platform's attempt to stop them is angering everyone.

https://www.wired.com/story/opensea-nfts-twitter/

The fun never stops...
------------------------------

Date: Sun, 1 May 2022 10:22:05 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Wikimedia Foundation announces it will no longer accept
  cryptocurrency donations

... following a push by users worried about the climate impact of mining and the foundation's reputation. The foundation had accepted donations in bitcoin, bitcoin cash and ether since 2014.

  [Noted in multiple URLs. PGN]

------------------------------

Date: Sun, 1 May 2022 11:29:11 +1000
From: Andrew Waugh <andrew.waugh () gmail com>
Subject: Re: Bitcoin Is Unlikely to Go Green (RISKS-33.18)

Blockchain is unlikely to move to Proof of Stake simply because Proof of Stake is nonsense at a fundamental level.

The idea behind Proof of Stake is simple enough. If the group running a blockchain has sufficient stake in it, they can be trusted to run it carefully and without fraud, because to do otherwise will destroy their own stake.

The problem with this idea is that it is completely wrong. Centuries of business history have shown that proof of stake doesn't protect against either fraud or failure.

Every single business failure has been controlled by management satisfying the proof of stake test. Some of them failed, of course, because of technology or economic change, but many failed because of management hubris, greed, foolishness, or simply not being good enough. Proof of stake is absolutely no protection against failure due to these reasons.

Proof of Stake's protection against fraud is even worse. A fraud depends on controlling the organisation; that is, satisfying the proof of stake test. The control is critical to hiding what the fraudsters are doing. In particular, note that a fraudster is not concerned with how much money is left on the table (usually a purely notional stake), but in how much they can skim off into their pocket along the way or at the end.
It should also be noted that business history has shown that many frauds start off as business failures in which the owners slip into fraud in a desperate attempt to avoid losing their stake.

The most illuminating aspect of Proof of Stake is that it shows that many blockchain technologists/boosters are entirely innocent of any knowledge of business, or, at least, the history of business failures and frauds. And yet they feel confident to design and promote systems that are intended to protect against failures and frauds.

------------------------------

Date: Tue, 3 May 2022 10:41:56 +0100
From: John Beattie <jkb () jkbsc co uk>
Subject: Re: Bitcoin Is Unlikely to Go Green (RISKS-33.18)

Bitcoin can be made to go green by action at nation-state level. It is super-easy to detect a mining operation by the flows of energy if not by the major infrastructure. The Chinese managed it.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.19
************************