RISKS Forum mailing list archives
Risks Digest 33.49
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 25 Oct 2022 21:17:15 PDT
RISKS-LIST: Risks-Forum Digest Tuesday 25 October 2022 Volume 33 : Issue 49 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/33.49> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Nuclear War Simulator Creator Says Public Must Know Potential Destruction (Aristos Georgiou) Climate Change Threatens Supercomputers (Jacklin Kwan) The computer errors from outer space (bbc.com) NYC's Emerg. Med. Svc ("911") system was crippled 'cuz ... (danny burstein) AI Language Models Show Bias Against People with Disabilities, Study Finds (Penn State) A new AI model can accurately predict human response to novel drug compounds (phys.org) We Should Try to Prevent Another Alex Jones (Zeynep Tufekci) Alternatives to Twitter (Lauren Weinstein) A prudent approach to Musk and Twitter (Lauren Weinstein) Twitter reportedly has a user retention problem (Lauren Weinstein) TikTok and Facebook fail to detect election disinformation in the U.S., while YouTube succeeds (Global Witness) Behind TikTok's Boom: A legion of traumatised, $10-a-day content moderators (The Bureau Investigates) ACM Highlights Underuse of Risk-Limiting Audits in Confirming Accuracy of Election Results (ACM) Iran Hackers Behind Attempt on US Election Are Still Active (GovInfoSecurity) Internet Of Dangerous Things (Henry Baker) In the ultimate Amazon smart home, each device collects your data (WashPost) GPS interference caused the FAA to reroute Texas air traffic. Experts stumped (Ars Technica) Cuban Defector Flies Stolen An-2 To Florida (AVweb) How to miss potentially important Google Chat notifications (LW) Police Are Using DNA to Generate 3D Images of Suspects They've Never Seen (Vice) Even After $100 Billion, Self-Driving Cars Are Going Nowhere (Bloomberg) Eleven more crash deaths are linked to automated-tech vehicles (The Center for Auto Safety) High-Tech Cars Are Killing the Auto Repair Shop (WiReD) Heat from fingertips can be used to crack passwords, researchers find (Yahoo! News) Zillow bug (Jan Woliltzky) Real Estate Phish Swallows 1,000s of Microsoft 365 Credentials (Dark Reading) Google drops Chrome support for Windows 7 (Lauren Weinstein) Too Many Drivers with Advanced Tech Expect Cars to Drive for Them (Car and Driver) Planned cuts at Twitter likely to hurt content moderation, user security (WashPost) Devastating Report: Twitter may fire 75% of workers, gut content moderation and decimate infrastructure (WashPost) The vulnerability of transformers-based malware detectors to adversarial attacks (techxplore.com) Thousands of GitHub Repositories Deliver Fake PoC Exploits with Malware (Bill Toulas) How a Microsoft blunder opened millions of PCs to potent malware attacks (Ars Technica) Microsoft Office 365 email encryption could expose message content (Bleeping Computer) Google's "passkey" effort (Twitter) How Your Shadow Credit Score Could Decide Whether You Get an Apartment (ProPublica) U.S. Chip Sanctions Kneecap China's Tech Industry (WiReD) The danger of advanced artificial intelligence controlling its own feedback (techxplore.com) Toyota exposed 300,000 customer email addresses for 5 years (Techcrunch) Parler leaked email addresses for Ivanka Trump, other 'VIPs' in Kanye West announcement (Mashable) Humans Beat DeepMind AI in Creating Algorithm to Multiply Numbers (Matthew Sparkes) Deception Detection (RAND) Re: AI-driven 'thermal attack' system reveals computer and smartphone passwords in seconds (Steve Bacher) Re: Lufthansa Says Apple AirTags Are Once Again Allowed in Checked Bags (Jan Wolitzky) Re: Not a physical DDoS attack on the Australian Postal system (John Levine) Re: Automatic emergency braking is not great at preventing crashes. at normal speeds (Martin Ward) Article about CHERI (Rik Farrow) U.S. National Security Strategy report (The White House) Book on Digital Ethics (Christian Fuchs) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Mon, 24 Oct 2022 11:59:06 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: Nuclear War Simulator Creator Says Public Must Know Potential Destruction (Aristos Georgiou) Aristos Georgiou, *Newsweek*, 19 0ct 2022, via ACM TechNews, 24 Oct 2022 A computer scientist created a nuclear war simulator to demonstrate atomic weapons' destructive potential to the public. Christopher Minson said Russia's war in Ukraine has elevated traffic to his website, which hosts a map tool for modeling an attack on the U.S. involving approximately 1,200 nuclear warheads. Minson based the tool on databases of warhead yields and targets derived from declassified information; he then compiled a database of census data, and mapped populations to target sites. Minson said the system correlates this data and executes a two-hour attack, calculating casualties from known impact and population size, and modeling the spread of fallout. "It is critical that the public understands this threat," he said. "They need to see, clearly and viscerally, just how universal and destructive a nuclear war would be." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f78bx23708fx072432& ------------------------------ Date: Wed, 12 Oct 2022 15:16:14 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: Climate Change Threatens Supercomputers (Jacklin Kwan) Jacklin Kwan, *Science*, 11 Oct 2022, via ACM TechNews, 12 Oct 2022 Climate change is jeopardizing the operation of high-performance computing (HPC) facilities. Natalie Bates at the U.S. Department of Energy's Lawrence Livermore National Laboratory (LLNL) said such facilities, which include supercomputers and data centers, are vulnerable due to their high cooling demands and massive energy use. Increased humidity driven by climate change can reduce the efficiency of the evaporative coolers many HPC centers depend on, and also can threaten the systems with blowouts. Hewlett Packard Enterprise's Nicolas Dub=C8 said the high cost of upgrades to adapt to such changes has driven some HPC centers to cooler and drier locations like Canada and Finland. LLNL's Anna-Maria Bailey said the cost of relocation may be unaffordable, so the California facility is considering moving its computers underground. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f638x236c48x071990& ------------------------------ Date: Thu, 13 Oct 2022 00:26:49 +0000 From: Richard Marlon Stein <rmstein () protonmail com> Subject: The computer errors from outer space (bbc.com) https://www.bbc.com/future/article/20221011-how-space-weather-causes-computer-errors "When computers go wrong, we tend to assume it's just some software hiccup, a bit of bad programming. But ionising radiation, including rays of protons blasted towards us by the sun, can also be the cause. These incidents, called single-event upsets, are rare and it can be impossible to be sure that cosmic rays were involved in a specific malfunction because they leave no trace behind them." As silicon features reduce to near atomic dimensions (approaching 1 nanometer == 10), these events are likely increase their frequency. The biggest supercomputers contain very high-density physical memory pools. Administrators and reliability engineers battle with row-level memory failures constantly. See https://catless.ncl.ac.uk/Risks/30/15#subj6.1. There are at least 10 prior comp.risks posts containing the term "cosmic ray." ------------------------------ Date: Sat, 15 Oct 2022 23:25:02 +0000 () From: danny burstein <dannyb () panix com> Subject: NYC's Emerg. Med. Svc ("911") system was crippled 'cuz ... In NYC, the "911" calls come into a central "public safety answering position" ("psap"). If the emergency required EMS or fire response, it's transferred to the fire dep't center and then dispatched from there. The FDNY dispatch and control system was crippled for half a day earlier this week because... ... a contractor, thinking he was pushing an "open the door, Hal", button, lifted the cover on a button labeled "EPO"... Which stood for... "emergency power off". Ok, everyone, start cringing... Including asking why, in addition to not having a secondary "hot standby" system, it took *hours* to bring this back up. [NY Post] Oops! FDNY contractor presses wrong button, shuts down NYC's emergency dispatch system An outside contractor making repairs at the FDNY's emergency dispatch center in downtown Brooklyn pressed the wrong button to open a door -- and shut down the agency's communications system, triggering an hours-long citywide crisis. Wednesday's snafu at the FDNY's MetroTech Center facility forced staffers to rely on ancient methods - pens, paper and telephones rather than digital systems -- to gather facts and get word to first responders as 911 calls came in, officials for unions representing the agency's dispatchers and medics told The Post. Delays responding to emergency calls ranged from a few minutes to more than an hour, said Oren Barzilay, president of Local 2507, which represents city EMTs and paramedics. [...] The shutdown occurred around 11 a.m. when a repairman from communications company Lightpath responded to a report of an earlier glitch at the data center. [...] The repairman mistook a glass-enclosed button, marked "EPO" for "emergency power off," for an electronic door release button, so he opened the lid and accidentally shut down the system, workers recalled. [...[ The agency's radio systems were down until 2:30 p.m., and mobile data terminals out in the field weren't fully operational until 6 p.m., Smyth and Barzilay said. https://nypost.com/2022/10/15/fdny-contractor-presses-wrong-button-shuts-down-emergency-dispatch-system/ ------------------------------ Date: Wed, 19 Oct 2022 12:21:15 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: AI Language Models Show Bias Against People with Disabilities, Study Finds (Penn State) Jessica Hallman, Penn State News, 13 Oct 2022, via ACM TechNews, 19 Oct 2022 Pennsylvania State University (Penn State) researchers found that natural language processing models often are biased against people with disabilities. The researchers studied 13 popular machine learning models trained to generate sequences of words, and tested over 15,000 unique sentences on each model to produce word associations for over 600 adjectives that could be associated with individuals with or without disabilities. The researchers assessed the sentiment of each adjective generated as positive, negative, or neutral, finding that sentences with disability-related words scored more negatively than sentences lacking them. Penn State's Pranav Venkit said the work demonstrates "that people need to care about what sort of models they are using and what the repercussions are that could affect real people in their everyday lives." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f706x236eaex072403& ------------------------------ Date: Tue, 18 Oct 2022 12:39:57 +0000 From: Richard Marlon Stein <rmstein () protonmail com> Subject: A new AI model can accurately predict human response to novel drug compounds (phys.org) https://phys.org/news/2022-10-ai-accurately-human-response-drug.html "The journey between identifying a potential therapeutic compound and Food and Drug Administration approval of a new drug can take well over a decade and cost upward of a billion dollars. A research team at the CUNY Graduate Center has created an artificial intelligence model that could significantly improve the accuracy and reduce the time and cost of the drug development process." The AI yields a number that supposedly determines the outcome from swallowing a pill or undergoing IV infusion. Reduce pharmaceutical company operating and R&D expenses for drug approval: substitute machine decisions for double-blind random control trials and other FDA-mandated processes. Regulatory processes safeguard public health and safety. [Heuristic, perhaps nondeterministic, no need for testing, expensive controlled trials, long delays, and regulation, what could possibly go wrong? PGN] ------------------------------ Date: Sun, 16 Oct 2022 12:32:40 -0400 From: Monty Solomon <monty () roscom com> Subject: We Should Try to Prevent Another Alex Jones (Zeynep Tufekci) Zeynep Tufekci, The New York Times, 16 Oct 2022 We Should Try to Prevent Another Alex Jones https://www.nytimes.com/2022/10/16/opinion/alex-jones-sandy-hook.html PGN notes: Zeynep comments on her own article: On the Alex Jones Verdict: The Very, Very Lucrative World of Lying https://www.theinsight.org/p/on-the-alex-jones-verdict-the-very My latest piece for *The New York Times* returns to a key question: how should we grapple with the current historic transformation of the public sphere? I focus on the Alex Jones trial and verdict, but my question is about the future: what can we do, what should we do, to prevent future cases? I suggest that we take a closer look at money as an incentive, and also focus on friction as an answer. [...] ZT ------------------------------ Date: Fri, 21 Oct 2022 15:42:41 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Alternatives to Twitter Starting to see articles pushing for the creation of an alternative to Twitter for people who aren't horrible. Not a new idea. Let's see if anyone with money puts it where their mouths are. Not holding my breath. -L ------------------------------ Date: Sun, 23 Oct 2022 17:13:33 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: A prudent approach to Musk and Twitter It would be prudent for @Twitter users *right now* to start planning how they would deal with a return of mass hate speech and disinformation to TWitter, and how they will hold @Twitter, @Apple, @Google and other related ecosystem stakeholders responsible. -L ------------------------------ Date: Tue, 25 Oct 2022 15:05:08 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Twitter reportedly has a user retention problem So apparently @Twitter has a problem with retaining "power users". Could be. ProTip: Flooding Twitter with hate speech and disinformation a la Musk's Twitter isn't likely to help those retention metrics at all. Quite the opposite. And creating a firestorm of negative media and regulator (e.g., EU) attention by embracing hate speech and disinformation isn't gonna help the business stuff either. All the oxygen will be sucked out of the room. -L ------------------------------ Date: Fri, 21 Oct 2022 10:36:23 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: TikTok and Facebook fail to detect election disinformation in the U.S., while YouTube succeeds (Global Witness) https://www.globalwitness.org/en/campaigns/digital-threats/tiktok-and-facebook-f ail-detect-election-disinformation-us-while-youtube-succeeds/ ------------------------------ Date: Sun, 23 Oct 2022 20:34:23 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Behind TikTok's Boom: A legion of traumatised, $10-a-day content moderators (The Bureau Investigates) https://www.thebureauinvestigates.com/stories/2022-10-20/behind-tiktoks-boom-a-legion-of-traumatised-10-a-day-content-moderators ------------------------------ Date: Fri, 14 Oct 2022 12:10:42 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: ACM Highlights Underuse of Risk-Limiting Audits in Confirming Accuracy of Election Results Association for Computing Machinery, 13 Oct 2022, via ACM TechNews, October 14, 2022 Despite their efficiency in confirming the accuracy of election results, risk-limiting audits (RLAs) are underused, according to a new TechBrief from ACM's global Technology Policy Council. The authors found only five U.S. states will require then in the upcoming November elections, while just 10 additional states either have RLA pilot programs or allow their use. Meanwhile, Denmark is the only other country to have performed an RLA of an election. "RLAs give us the best of both worlds: a high degree of accuracy and transparency without the enormous undertaking that is counting every contest on every ballot by hand," said TechBrief co-lead author Matthew Bernhard. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f684x236d1fx072707& [Risks? If you don't believe in science and technology, you most likely won't believe in RLAs. See the CACM Inside Risks article: Rebecca T. Mercuri and Peter G. Neumann, The Risks of Election Believability (or Lack Thereof), CACM June 2021: http://www.csl.sri.com/neumann/cacm251.pdf What can be done to get more people understanding science and tech? PGN] ------------------------------ Date: Sat, 22 Oct 2022 21:12:52 PDT From: Peter Neumann <neumann () csl sri com> Subject: Iran Hackers Behind Attempt on US Election Are Still Active (GovInfoSecurity) Emennet Pasargad, the Iranian cyberthreat actors behind an attempt to disrupt the U.S. presidential election in 2020, remain active, warns the FBI. https://www.govinfosecurity.com/iran-hackers-behind-attempt-on-us-election-are-still-active-a-20310 www.govinfosecurity.com ------------------------------ Date: Thu, 20 Oct 2022 18:51:16 +0000 From: Henry Baker <hbaker1 () pipeline com> Subject: Internet Of Dangerous Things -- IoDT I recently stayed in a brand new hotel in the Bay Area, and it had a *Bluetooth Mirror* in the bathroom. For the life of me, I can't imagine what geek's bright idea this Bluetooth-enabled mirror was, but it's right up there with 'smart rocks' (wifi-enabled boulders???). The *misuses* of this idea far exceed the *uses*, by many orders of magnitude. [NOT] Attached is a screenshot of my phone after pairing with this dumbest of all ideas. The mirror apparently has the same SW as a BT boombox, so you can call your phone on the throne? [Hone alone?] Notice that I didn't allow this mirror to access my *contacts*, but if I had, it would have downloaded all 2000+ of them, I presume. I don't think that this mirror had a camera, but in today's world, I wouldn't be too sure. [I understand that some hotel rooms now come complete with either Amazon's *Alexa* or Google's *OK Google*, so you're now under 24x7 surveillance.] ------------------------------ Date: Tue, 18 Oct 2022 17:20:18 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: In the ultimate Amazon smart home, each device collects your data (WashPost) Here's everything Amazon learns about your family, your home and you. https://www.washingtonpost.com/technology/interactive/2022/amazon-smart-home Toilet, garage, car, doorbell, Roomba, TV, lights/switches/shades, exercise band, router, soap dispenser (!), medicines, pantry, Whole Foods, air quality, thermostat, more. ------------------------------ Date: Fri, 21 Oct 2022 10:31:23 -0400 From: Monty Solomon <monty () roscom com> Subject: GPS interference caused the FAA to reroute Texas air traffic. Experts stumped (Ars Technica) Episode lasting almost 2 days prompted the closure of a runway at Dallas airport. The Federal Aviation Administration is investigating the cause of mysterious GPS interference that, over the past few days, has closed one runway at the Dallas-Fort Worth International Airport and prompted some aircraft in the region to be rerouted to areas where signals were working properly. The interference first came to light on Monday afternoon when the FAA issued an advisory over ATIS (Automatic Terminal Information Service). It warned flight personnel and air traffic controllers of GPS interference over a 40-mile swath of airspace near the Dallas-Fort Worth airport. The advisory read in part: ATTN ALL AIRCRAFT. GPS REPORTED UNRELIABLE WITHIN 40 NM OF DFW. [...] https://arstechnica.com/information-technology/2022/10/cause-is-unknown-for-mysterious-gps-outage-that-rerouted-texas-air-traffic/ "This week's event appears similar to one that, according to GPSWorld, played out in Denver last January. In the January episode, aircraft in a 50-nautical-mile swath of airspace around the airport reported unreliable GPS for more than 33 hours." https://www.gpsworld.com/what-happened-to-gps-in-denver/ ------------------------------ Date: Mon, 24 Oct 2022 14:49:05 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Cuban Defector Flies Stolen An-2 To Florida (AVweb) A Cuban pilot defected to Florida on Friday but there won't be much intelligence to be gleaned from the government aircraft he stole. The pilot, identified by a Spanish publication as Ruben Martinez, flew an ancient Antonov An-2 single-engine biplane at wavetop level before landing at Dade-Collier Training and Transition Airport in the Everglades. The TSA and Customs and Border Protection are, of course, interested in how the school-bus sized relic of the Soviet era was able to sneak through one of the most surveilled coastlines in the country. https://www.avweb.com/aviation-news/cuban-defector-flies-stolen-an-2-to-florida/ ------------------------------ Date: Thu, 20 Oct 2022 12:46:56 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: How to miss potentially important Google Chat notifications There appears to be a significant flaw in the Google Chat notification model that can easily cause desktop users to be unaware of important chat replies for hours, days -- or indefinitely. It happened to me. These notification issues may relate to the hangouts->chat migration. On (linux) desktops, there's no longer a native official Google Chat app, so if Chrome isn't running there are apparently no related desktop notifications. The desktop notification that Chrome throws when running (even when not showing Gmail) is momentary, if you're not around at the moment it pops you won't see or hear it. ------------------------------ Date: Thu, 13 Oct 2022 11:55:30 -0700 From: geoff goodfellow <geoff () iconia com> Subject: Police Are Using DNA to Generate 3D Images of Suspects They've Never Seen (Vice) Releasing one of these Parabon images to the public like the Edmonton Police did recently, is dangerous and irresponsible, especially when that image implicates a Black person and an immigrant. On Tuesday, the Edmonton Police Service (EPS) shared a computer generated image of a suspect <https://www.edmontonpolice.ca/News/MediaReleases/DNAPhenotypeOct4> they created with DNA phenotyping, which it used for the first time in hopes of identifying a suspect from a 2019 sexual assault case. Using DNA evidence from the case, a company called Parabon NanoLabs created the image of a young Black man. The composite image did not factor in the suspect's age, BMI, or environmental factors, such as facial hair, tattoos, and scars. The EPS then released this image to the public, both on its website and on social media platforms including its Twitter, claiming it to be ``a last resort after all investigative avenues have been exhausted.'' The EPS's decision to produce and share this image is extremely harmful, according to privacy experts, raising questions about the racial biases in DNA phenotyping for forensic investigations and the privacy violations of DNA databases that investigators are able to search through. In response to the EPS's tweet of the image, many privacy and criminal justice experts replied with indignation at the irresponsibility of the police department. Callie Schroeder, the Global Privacy Counsel at the Electronic Privacy Information Center, retweeted the tweet, questioning the usefulness of the image: ``Even if it is a new piece of information, what are you going to do with this? Question every approximately 5'4" black man you see? ...that is not a suggestion, absolutely do not do that.'' [...] https://www.vice.com/en/article/pkgma8/police-are-using-dna-to-generate-3d-images-of-suspects-theyve-never-seen ------------------------------ Date: Thu, 13 Oct 2022 00:23:25 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Even After $100 Billion, Self-Driving Cars Are Going Nowhere (Bloomberg) They were supposed to be the future. But prominent detractors -- including Anthony Levandowski, who pioneered the industry -- are getting louder as the losses get bigger. https://www.bloomberg.com/news/features/2022-10-06/even-after-100-billion-self-driving-cars-are-going-nowhere ------------------------------ Date: Tue, 25 Oct 2022 13:46:03 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Eleven more crash deaths are linked to automated-tech vehicles (The Center for Auto Safety) Eleven people were killed in U.S. crashes involving vehicles that were using automated driving systems during a four-month period earlier this year, according to newly released government data, part of an alarming pattern of incidents linked to the technology. https://www.autosafety.org/11-more-crash-deaths-are-linked-to-automated-tech-vehicles 11 people in four months? Out of how many total killed on roads in that time? More meaningful would be deaths/miles driven with and without automated technologies. ------------------------------ Date: Sat, 22 Oct 2022 10:15:48 +0900 From: David Farber <farber () keio jp> Subject: High-Tech Cars Are Killing the Auto Repair Shop (WiReD) https://www.wired.com/story/high-tech-cars-killing-the-traditional-auto-repair-shop/ [PGN Note: This reminds me of the wonderful old Alex Guiness film: The Man in The White Suit, 1951 Sidney ("Sid") Stratton, a brilliant young research chemist and former Cambridge scholarship recipient, has been dismissed from jobs at several textile mills in the north of England because of his demands for expensive facilities and his obsession with inventing an everlasting fibre. Whilst working as a labourer at the Birnley Mills, he accidentally becomes an unpaid researcher and invents an incredibly strong fibre which repels dirt and never wears out. From this fabric, a suit is made-which is brilliant white because it cannot absorb dye and slightly luminous because it includes radioactive elements. Stratton is lauded as a genius until both management and the trade unions realise the consequence of his invention; once consumers have purchased enough cloth, demand will drop precipitously and put the textile industry out of business. The managers try to trick and bribe Stratton into signing away the rights to his invention but he refuses. Managers and workers each try to shut him away, but he escapes. Wikipedia] [Perhaps fortunately for the mechanics, self-driving cars are still a long way from trustworthy. The diagnostic tools are good enough that they can quickly identify which chip to replace, the tools are presumably proprietary so it is more difficult for you to do your own maintenance, and mechanics can probably charge you large rates for maintenance even though it becomes trivial to change the part. Furthermore, there still seems to be business for mechanics and body shops (legal or otherwise), from accidents. Also, in that California's Governor Newsom has made it illegal in California to buy a stolen/stripped catalyic convertor, that has apparently not stopped the thieves and the blackmarket for precious metals. PGN] ------------------------------ Date: Thu, 13 Oct 2022 11:51:37 -0700 From: geoff goodfellow <geoff () iconia com> Subject: Heat from fingertips can be used to crack passwords, researchers find (Yahoo! News) Heat-detecting cameras can help crack passwords up to a minute after typing them, researchers have found, as they warn similar systems could be developed by criminals to break into computers and smartphones. Heat from people's fingertips can be detected on recently-used keyboards and, when thermal images were combined with the help of artificial intelligence, informed guesses of what the password could be were made by a tool developed by researchers at the University of Glasgow. Some 86% of passwords were cracked when thermal images were taken within 20 seconds of typing in the secret code and put through their ThermoSecure system, and 76% when within 30 seconds. Success dropped to 62% after 60 seconds of entry. They also found within 20 seconds, the system was capable of successfully attacking even long passwords of 16 characters, with a rate of up to 67% correct attempts. It's important that computer security research keeps pace with these developments to find new ways to mitigate risk, and we will continue to develop our technology to try to stay one step ahead of attackers. [...] https://news.yahoo.com/heat-fingertips-used-crack-passwords-102357016.html ------------------------------ Date: Wed, 19 Oct 2022 08:56:47 -0400 From: Jan Wolitzky <jan.wolitzky () gmail com> Subject: Zillow bug Q: What's wrong with these Cambridge, MA, listings? https://www.zillow.com/homedetails/21-Day-St-Cambridge-MA-02140/2061016351_zpid/ https://www.zillow.com/homedetails/3-Jarvis-St-Cambridge-MA-02138/2061087683_zpid/ https://www.zillow.com/homedetails/6607-Bellis-Ct-Cambridge-MA-02140/2061083868_zpid/ https://www.zillow.com/homedetails/56-Scott-St-Cambridge-MA-02138/2061087954_zpid/ https://www.zillow.com/homedetails/14-Alpine-St-Cambridge-MA-02138/2061083680_zp id/ A: They're all really in Cambridge ON (Ontario), Canada. (In some cases, the street names are a bit off. Usually, "street" instead of "road", but "Bellis" is actually "Ellis".) I don't know what's gotten into Zillow, but they seem to have a problem! ------------------------------ Date: Thu, 13 Oct 2022 12:04:38 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Real Estate Phish Swallows 1,000s of Microsoft 365 Credentials (Dark Reading) The attacks showcase broader security concerns as phishing grows in volume and sophistication, especially given that Windows Defender's Safe Links feature for identifying malicious links in emails completely failed in the campaign. https://www.darkreading.com/attacks-breaches/real-estate-phish-1000s-credentials-escalating-cyber-risk ------------------------------ Date: Tue, 25 Oct 2022 12:34:07 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Google drops Chrome support for Windows 7 So @googlechrome is apparently dropping updates for Windows 7 early next year. From a purely logical standpoint for @Google this makes complete and utter sense. However, given the VERY high number of people still using Windows 7 for important applications, there's a real risk. -L ------------------------------ Date: Thu, 20 Oct 2022 16:33:10 -0400 From: Monty Solomon <monty () roscom com> Subject: Too Many Drivers with Advanced Tech Expect Cars to Drive for Them https://www.caranddriver.com/news/a41710516/driver-safety-abuse-semi-autonomous-technology-insurance-institute/ [But not if they have been reading RISKS? PGN] ------------------------------ Date: Thu, 20 Oct 2022 19:38:39 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Planned cuts at Twitter likely to hurt content moderation, user security (WashPost) Previously unreported details shed new light on Twitter's motivations for selling the company -- and Elon Musk's plans to transform it. Twitter's workforce is likely to be hit with massive cuts in the coming months, no matter who owns the company, interviews and documents obtained by *The Washington Post* show, a change likely to have major impact on its ability to control harmful content and prevent data security crises. Elon Musk told prospective investors in his deal to buy the company that he planned to get rid of nearly 75 percent of Twitter's 7,500 workers, whittling the company down to a skeleton staff of just over 2,000. ------------------------------ Date: Thu, 20 Oct 2022 14:57:22 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Devastating Report: Twitter may fire 75% of workers, gut content moderation and decimate infrastructure (WashPost) https://www.washingtonpost.com/technology/2022/10/20/musk-twitter-acquisition-staff-cuts/ ------------------------------ Date: Wed, 19 Oct 2022 00:25:20 +0000 From: Richard Marlon Stein <rmstein () protonmail com> Subject: The vulnerability of transformers-based malware detectors to adversarial attacks (techxplore.com) https://techxplore.com/news/2022-10-vulnerability-transformers-based-malware-detectors-adversarial.html Malware detection techniques are challenged by hackers, APTs, etc. who adjust payload signatures that avoid detection. The arms race continues. ------------------------------ Date: Mon, 24 Oct 2022 11:59:06 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: Thousands of GitHub Repositories Deliver Fake PoC Exploits with Malware (Bill Toulas) Bill Toulas, *BleepingComputer*, 23 Oct 2022, via ACM TechNews, 24 Oct 2022 Researchers at the Leiden Institute of Advanced Computer Science in the Netherlands discovered thousands of GitHub repositories offering fake proof-of-concept (PoC) exploits for various vulnerabilities, including malware. The researchers analyzed slightly more than 47,300 repositories promoting exploits for vulnerabilities disclosed between 2017 and 2021 using Internet Protocol (IP) address analysis, binary analysis, and hexadecimal and Base64 analysis. Over 2,800 of 150,734 unique IPs extracted matched blocklist entries, 1,522 were labeled malicious in antivirus scans on Virus Total, and 1,069 of them were in the AbuseIPDB database. The researchers designated 4,893 of 47,313 tested repositories malicious, with most focusing on vulnerabilities from 2020. The researchers advised software testers to thoroughly vet the PoCs they download, and to run as many checks as possible before execution. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f78bx237093x072432& ------------------------------ Date: Tue, 18 Oct 2022 01:20:05 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: How a Microsoft blunder opened millions of PCs to potent malware attacks (Ars Technica) https://arstechnica.com/information-technology/2022/10/how-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks/ https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity#windows-security-app ------------------------------ Date: Fri, 14 Oct 2022 10:39:13 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Microsoft Office 365 email encryption could expose message content (Bleeping Computer) Doing encryption well ain't easy. -L https://www.bleepingcomputer.com/news/security/microsoft-office-365-email-encryp tion-could-expose-message-content/ ------------------------------ Date: Sat, 15 Oct 2022 09:52:42 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Google's "passkey" effort https://twitter.com/laurenweinstein/status/1581325271810027523 I have long advocated for FIDO U2F security keys as the preferred multiple factor authentication model, and have suggested explicitly that "passwords must die". So it's natural that I'm being asked about the @google "passkey" initiative. There are multiple aspects to this. An obvious one is how rapidly sites will implement this method. Given the glacial speed with which many financial institutions have implemented crude 2-factor like text messaging and have delayed U2F key implementations, I am not optimistic. Of even more concern is the sense that the methodology of passkeys will appeal mainly to the tech-savvy, and will be understandably resisted by many everyday users, who will find the model overly complex and difficult to trust for that reason. This presents a familiar dilemma: persons who already are careful with their authentication security will benefit but the users most in need of improved security and who are most vulnerable largely will not -- especially if they don't use multiple devices and 24/7 smartphones. The upshot isn't that passkeys won't have a place -- they will -- but that I suspect they will not be accepted by a significant proportion of sites and users, keeping in mind that many people even refuse to use ordinary autofill, especially for passwords or payment methods. I have pointed out this problem with @google outreach to users many times over the years, and again, while there have been some improvements, many users are still being left behind, and that's very unfortunate indeed. ------------------------------ Date: Sun, 16 Oct 2022 22:27:03 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: How Your Shadow Credit Score Could Decide Whether You Get an Apartment (ProPublica) Fuller learned her rental application had been screened by RentGrow, one of more than a dozen companies that mine consumer databases to perform background checks on tenants. A form emailed to her said RentGrow determined she didn't meet applicant screening requirements, highlighting in yellow the box labeled *credit history*. The letter provided no further explanation. A RentGrow representative, through an executive at its parent company, declined to comment. Habitat America declined to respond to questions about Fuller's application from ProPublica, citing privacy concerns. You don't know why you got denied or if you were ever considered. It's really murky out there. ------------------------------ Date: Thu, 13 Oct 2022 23:53:32 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: U.S. Chip Sanctions Kneecap China's Tech Industry (WiReD) The toughest export restrictions yet cut off AI hardware and chip-making tools crucial to China's commercial and military ambitions. https://www.wired.com/story/us-chip-sanctions-kneecap-chinas-tech-industry ------------------------------ Date: Tue, 25 Oct 2022 06:41:49 +0000 From: Richard Marlon Stein <rmstein () protonmail com> Subject: The danger of advanced artificial intelligence controlling its own feedback (techxplore.com) https://techxplore.com/news/2022-10-danger-advanced-artificial-intelligence-feed back.html "What we now call the reinforcement learning problem was first considered in 1933 by the pathologist William Thompson. He wondered: if I have two untested treatments and a population of patients, how should I assign treatments in succession to cure the most patients? "More generally, the reinforcement learning problem is about how to plan your actions to best accrue rewards over the long term. The hitch is that, to begin with, you're not sure how your actions affect rewards, but over time you can observe the dependence. For Thompson, an action was the selection of a treatment, and a reward corresponded to a patient being cured." Without human oversight, a generalized superintelligence might be a "no brainer" waiting to happen. Good script kiddie experiment. ------------------------------ Date: Wed, 12 Oct 2022 14:17:30 -0400 From: Monty Solomon <monty () roscom com> Subject: Toyota exposed 300,000 customer email addresses for 5 years (Techcrunch) https://techcrunch.com/2022/10/12/toyota-customer-email-addresses-exposed/ ------------------------------ Date: Tue, 18 Oct 2022 21:13:10 -0400 From: Monty Solomon <monty () roscom com> Subject: Parler leaked email addresses for Ivanka Trump, other 'VIPs' in Kanye West announcement (Mashable) https://mashable.com/article/parler-leaks-vip-emails-kanye-west-ivanka-trump ------------------------------ Date: Mon, 17 Oct 2022 11:55:31 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: Humans Beat DeepMind AI in Creating Algorithm to Multiply Numbers (Matthew Sparkes) Matthew Sparkes, *New Scientist*, 13 Oct 2022, via ACM TechNews, 17 Oct 2022 Jakob Moosbauer and Manuel Kauers at Austria's Johannes Kepler University Linz bested an algorithm developed by artificial intelligence company DeepMind with a program that can perform matrix multiplication more efficiently. Earlier this month, DeepMind unveiled a method for multiplying two five-by-five matrices in just 96 multiplications, out-performing a more-than-50-year-old record. Moosbauer and Kauers reduced the process to 95 multiplications by testing multiple steps in multiplication algorithms to see if they could be combined. Said Moosbauer, "We take an existing algorithm and apply a sequence of transformations that at some point can lead to an improvement. Our technique works for any known algorithm, and if we are lucky, then [the results] need one multiplication less than before." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f6b4x236dbax072760& ------------------------------ Date: Thu, 20 Oct 2022 16:31:43 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Deception Detection (RAND) A group of RAND Corporation researchers found that machine-learning (ML) models can identify signs of deception during national security background check interviews. The most accurate approach for detecting deception is an ML model that counts the number of times that interviewees use common words. https://www.rand.org/pubs/research_briefs/RBA873-1.html [The? Er? Um? You-know? Well? PGN] ------------------------------ Date: Thu, 13 Oct 2022 15:28:45 -0700 From: Steve Bacher <sebmb1 () verizon net> Subject: Re: AI-driven 'thermal attack' system reveals computer and smartphone passwords in seconds (Techxplore) This suggests to me that a good strategy to confound the thermal detectors would be to use repeated characters in passwords. I doubt that the thermal detection would be able to tell how many times a key was pressed, rather than just the recency of a given key press. That would go against the common assumption that repeated characters in passwords are a Bad Thing. ------------------------------ Date: Wed, 12 Oct 2022 17:49:13 -0400 From: Jan Wolitzky <jan.wolitzky () gmail com> Subject: Re: Lufthansa Says Apple AirTags Are Once Again Allowed in Checked Bags (RISKS-33.48) Never mind! The airline reversed itself Wednesday, saying it had consulted with German aviation authorities, who agreed that Bluetooth trackers were safe for passengers to use. https://www.nytimes.com/2022/10/12/travel/lufthansa-apple-airtags-luggage.html ------------------------------ Date: 12 Oct 2022 18:10:15 -0400 From: "John Levine" <johnl () iecc com> Subject: Re: Not a physical DDoS attack on the Australian Postal system (Auspost) If you read the reasons they give, I wouldn't call it a DoS attack but rather yet another fragile supply chain. COVID caused a lot of mail that would have normally been sent by air to be sent by sea, and it appears that the places they inspect airmail are not the ones where they inspect sea mail, what with airports and seaports being different. It's like the Great Toilet Paper Shortage which turned out not to be that there wasn't enough, but that there are different kinds for homes and institutions. When everyone started staying home, it was not easy to repackage and redirect the institutional kind for home use. ------------------------------ Date: Thu, 13 Oct 2022 10:41:00 +0100 From: Martin Ward <martin () gkc org uk> Subject: Re: Automatic emergency braking is not great at preventing crashes. at normal speeds (RISKS-33.48) Naturally, I would like more research into why so many cars are crashing into the chicane (a large, clearly marked, immobile structure): but this is not necessarily a bad thing. Crashing into a chicane is better than mowing down a child. The chicane is, presumably, better signposted and more visible than any small child, so any driver who crashed into the chicane is presumably a risk to children, not just in the road but also on the pavement: since the chicane hitter obviously has difficulty in keeping to the road! Perhaps it is just as well that they are taken out of action before they can do more serious harm? ------------------------------ Date: Thu, 13 Oct 2022 14:06:52 -0700 From: Rik Farrow <rik () rikfarrow com> Subject: Article about CHERI I have long been interested in technology that might make computers more secure, and have been watching one such project for over a decade. CHERI, a combined software and hardware project, has now reached the implemented-in-silicon stage: https://www.arm.com/architecture/cpu/morello. I have written an article explaining the thinking behind CHERI and how Microsoft engineers using CHERI believe that they can eliminate as much two thirds of vulnerabilities in software that uses C or C++: https://www.usenix.org/publications/loginonline/redesigning-hardware-support-sec urity-cheri CHERI provides hardware support for limiting the range of pointers as well as support for mechanisms to prevent use-after-free bugs. CHERI provides scalable compartmentalization, meaning that operating systems themselves can be partitioned on memory boundaries without the performance expense of changing context or flushing page caches. Overall, CHERI is a project that may prove to be the most significant change in architecture in decades. [Rik Farrow is the Editor of ;login: PGN] ------------------------------ Date: Thu, 13 Oct 2022 10:22:43 PDT From: Peter Neumann <neumann () csl sri com> Subject: U.S. National Security Strategy report The White House has released its National Security Strategy report, The full report is at https://www.whitehouse.gov/wp-content/uploads/2022/10/Biden-Harris-Administrations-National-Security-Strategy-10.2022.pdf A summary is at https://www.whitehouse.gov/briefing-room/speeches-remarks/2022/10/13/remarks-by-national-security-advisor-jake-sullivan-on-the-biden-harris-administrations-national-security-strategy/ ------------------------------ Date: Fri, 21 Oct 2022 10:42:15 +0200 From: Christian Fuchs via iacap-announce <iacap-announce () iacap org> Subject: Book on Digital Ethics (Christian Fuchs) Christian Fuchs. 2023/. //Digital Ethics. Media, Communication and Society Volume Five//. /New York: Routledge. ISBN 9781032246161. More infos and sample chapter: https://fuchsc.uti.at/books/digital-ethics/ This fifth volume in Christian Fuchs, Media, Communication and Society series, presents an approach to critical digital ethics. It develops foundations and applications of digital ethics based on critical theory. It applies a critical approach to ethics within the realm of digital technology. Based on the notions of alienation, communication (in)justice, media (in)justice, and digital (in)justice, it analyses ethics in the context of digital labour and the surveillance-industrial complex; social media research ethics; privacy on Facebook; participation, co-operation, and sustainability in the information society; the digital commons; the digital public sphere; and digital democracy. The book consists of three arts. Part I presents some of the philosophical foundations of critical, humanist digital ethics. Part II applies these foundations to concrete digital ethics case studies. Part III presents broad conclusions about how to advance the digital commons, the digital public sphere, and digital democracy, which is the ultimate goal of critical digital ethics. [...] ------------------------------ Date: Mon, 1 Aug 2020 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 33.49 ************************
Current thread:
- Risks Digest 33.49 RISKS List Owner (Oct 25)