RISKS Forum mailing list archives
Risks Digest 33.67
From: RISKS List Owner <risko () csl sri com>
Date: Thu, 6 Apr 2023 17:35:47 PDT
RISKS-LIST: Risks-Forum Digest  Saturday 1* April 2023  Volume 33 : Issue 67

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.67>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
BACKLOGGED with pre-1Apr unread messages.  Will get to it.
Speculative out-of-order execution on my part? (PGN)
Airline baggage drops (JSX)
How space storms miscue train signals (phys.org)
Why Long Trains Keep Derailing (ProPublica)
Trojanized Windows and Mac apps rain down on 3CX users in massive supply
  chain attack (Sentinel One)
Chinese fraudsters: evading detection and monetizing stolen credit-card
  information (ATT)
A Front Company and a Fake Identity: How the U.S. Came to Use Spyware It
  Was Trying to Kill. (NYTimes)
It's like children turned loose on a jungle gym (CBC)
AI application ChatGPT temporarily banned in Italy over data collection
  concerns (CBC)
Even More on Trust & Safety and AI (Lauren Weinstein)
Australian mayor prepares world's first defamation lawsuit over ChatGPT
  content (The Guardian)
Pausing AI Developments Isn't Enough. We Need to Shut It All Down
  (Eliezer Yudkowsky)
Forgive or Forget: What Happens When Robots Lie? (Catherine Barzler)
I am not afraid of robots. I am afraid of people. (Gary Marcus)
Are robot waiters the future? Some restaurants think so. (AP News)
It's Their Content, You're Just Licensing It. (NYTimes)
Stupid physical risk (Nextdoor via Phil Smith III)
Re: DC Metro Will Retrofit Faregates To Cut Down On Fare Evasion (Stan Brown)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 06 Apr 2023 16:57:44 PDT
From: Peter G Neumann <neumann () csl sri com>
Subject: Speculative out-of-order execution on my part?

* In that I somehow managed to put out the 1 April issue as RISKS-33.68 one
day early, an off-by-one error in the issue number, so I now figure that I
should backdate this RISKS-33.67 issue five days to April Fools' Day, to
balance off my previous *post*-dated issue.  It seems only natural, but was
actually *not* an April-Fools prank.

------------------------------

Date: Sat, 01 Apr 2023 18:07:01 +0000
From: Henry Baker <hbaker1 () pipeline com>
Subject: Airline baggage drops (JSX)

I just received this *April Fool's* email from JSX, a startup airline
serving California.

The amazing thing is that I suggested something eerily similar about a
decade ago.  My non-April-Fool's suggestion was to have Fedex/UPS simply
dump all their packages from ~10,000' altitude, and have them GPS-guided to
their destinations, JDAM-style:

https://en.wikipedia.org/wiki/Joint_Direct_Attack_Munition

"The JDAM is not a stand-alone weapon; rather it is a 'bolt-on' guidance
package that converts unguided gravity bombs into precision-guided munitions
(PGMs)."

I figured that UPS/Fedex could deliver packages with the same precision as
JDAM bombs.  Beating swords into plowshares...

  [In RISKS-26.78, I noted from my Bell Labs days that Vic Vyssotsky had a
  wonderful piece on a Cable-laying Satellite, programmed to drop a cable
  between two specified points, carefully engineered to avoid snap-back and
  collateral damage.  PGN]

------------------------------

Date: Sun, 02 Apr 2023 02:55:48 +0000
From: Richard Marlon Stein <rmstein () protonmail com>
Subject: How space storms miscue train signals (phys.org)

  [Re: Over 1,000 Trains Derail Each Year in America (NYTimes, RISKS-33.63).
  PGN]

https://phys.org/news/2023-03-space-storms-miscue.html

"Train track disruptions are particularly troublesome because space storms
can interfere with detection systems that prevent collisions.  Railways
detect trains using electrical currents and send stop signals to others to
avoid crashes.  But when Earth's magnetic field is disrupted, they might
send false signals to stop or go, affecting operations and potentially
endangering the freight and passengers on board."

Recent train derailings across the U.S. are being investigated.  Certain
trains (in the U.S.) with HazMat cargoes are remotely piloted by joystick --
virtually crewed.  They are currently exempt from certain safety
regulations.

https://www.nbcnews.com/politics/congress/remote-hazmat-trains-fall-congress-push-rail-regulation-rcna77667

------------------------------

Date: Mon, 3 Apr 2023 14:59:12 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Why Long Trains Keep Derailing (ProPublica)

Before that morning in Hyndman in August 2017, regulators had already
investigated seven long-train accidents in which the length was a culprit,
and the nation's largest rail-worker union had sounded alarms about a
pattern of problems.  None of this caused the Federal Railroad
Administration, the agency in charge of train safety, to intercede -- even
as more long trains crashed in the years after the Hyndman derailment,
sending cars spilling into other communities.

Today, the rail administration says it lacks enough evidence that long
trains pose a particular risk.  But ProPublica discovered it is a quandary
of the agency's own making: It doesn't require companies to provide certain
basic information after accidents -- notably, the length of the train --
that would allow it to assess once and for all the extent of the danger.
...

  [More on Hunter Harrison PGN-truncated]

https://www.propublica.org/article/train-derailment-long-trains

------------------------------

Date: Fri, 31 Mar 2023 20:19:13 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Trojanized Windows and Mac apps rain down on 3CX users in massive
  supply chain attack (Sentinel One)

Remember SolarWinds?  A similar attack is playing out now against a new
software supplier.

Hackers working on behalf of the North Korean government have pulled off a
massive supply chain attack on Windows and macOS users of 3CX, a widely
used voice and video calling desktop client, researchers from multiple
security firms said.

Through means that aren't yet clear, the attack managed to distribute
Windows and macOS versions of the app, which provides both VoIP and PBX
services to 600,000+ customers <https://www.3cx.com/company/customers/>,
including American Express, Mercedes-Benz, and Price Waterhouse Cooper.
The attackers somehow gained the ability to hide malware inside 3CX apps
that were digitally signed using the company's official signing key.  The
macOS version, according to <https://objective-see.org/blog/blog_0x73.html>
macOS security expert Patrick Wardle, was also notarized by Apple,
indicating that the company analyzed the app and detected no malicious
functionality.

In the making since 2022

``This is a classic supply chain attack, designed to exploit trust
relationships between an organization and external parties,'' Lotem
Finkelstein, Director of Threat Intelligence & Research at Check Point
Software, said in an email.  ``This includes partnerships with vendors or
the use of a third-party software which most businesses are reliant on in
some way.  This incident is a reminder of just how critical it is that we
do our due diligence in terms of scrutinizing who we conduct business
with.''

Security firm CrowdStrike said the infrastructure and an encryption key
used in the attack match those seen in a March 7 campaign carried out by
Labyrinth Chollima, the tracking name for a threat actor aligned with the
North Korean government.

The attack came to light late on Wednesday, when products from various
security companies began detecting malicious activity coming from
legitimately signed binaries for 3CX desktop apps.  Preparations for the
sophisticated operation began no later than February 2022, when the threat
actor registered a sprawling set of domains used to communicate with
infected devices.  By 22 Mar 2023, security firm Sentinel One saw a spike
in behavioral detections

<https://www.sentinelone.com/blog/smoothoperator-ongoing-campaign-trojanizes-3cx-software-in-software-supply-chain-attack/>

------------------------------

Date: Wed, 5 Apr 2023 07:37:52 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Chinese fraudsters: evading detection and monetizing stolen
  credit-card information (ATT)

Cyber-attacks are common occurrences that often make headlines, but the
leakage of personal information, particularly credit-card data, can have
severe consequences for individuals.  It is essential to understand the
techniques employed by cyber-criminals to steal this sensitive information.
Credit-card fraud in the United States has been on the rise, with total
losses reaching approximately $12.16 billion in 2021, according to Insider
Intelligence.  Card-Not-Present (CNP) fraud constituted 72% of these
losses, with a substantial portion attributed to Chinese fraudsters.  This
article discusses the tactics employed by Chinese cyber-actors in
committing CNP fraud and their value chain.

Chinese fraudsters primarily target the United States for two reasons: the
large population makes phishing attacks more effective, and credit-card
limits in the country are higher compared to other nations.  These factors
make the U.S. an attractive market for card fraudsters.  Common methods for
acquiring card information include phishing, JavaScript injection through
website tampering, and stealing data via Trojan horse infections.  Phishing
is the most prevalent method, and this analysis will focus on phishing
tactics and the monetization value chain of stolen credit-card
information.  [...]

https://cybersecurity.att.com/blogs/security-essentials/chinese-fraudsters-evading-detection-and-monetizing-stolen-credit-card-information

------------------------------

Date: Sun, 2 Apr 2023 20:00:24 -0400
From: Jan Wolitzky <jan.wolitzky () gmail com>
Subject: A Front Company and a Fake Identity: How the U.S. Came to Use
  Spyware It Was Trying to Kill. (NYTimes)

The Biden administration has been trying to choke off use of hacking tools
made by the Israeli firm NSO.  It turns out that not every part of the
government has gotten the message.

<https://www.nytimes.com/2023/04/02/us/politics/nso-contract-us-spy.html>

------------------------------

Date: Sat, 1 Apr 2023 14:39:49 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: It's like children turned loose on a jungle gym (CBC)

https://www.cbc.ca/news/business/chatgpt-intelligence-ownership-column-don-pittis-1.6739025

In some ways the surprising thing about ChatGPT is how it caught not just
the general public, but even artificial intelligence experts by surprise.

People like Karina Vold, a philosopher of cognitive science and artificial
intelligence at the University of Toronto, knew this kind of thing was
around the corner, but the user-friendly accessibility that allowed almost
anyone with a few computer skills to try it out has been transformative.
She thinks even its creators were surprised.

``They are learning, I think, a lot from our own human feedback as we play
with the system, kind of like building a jungle gym and then releasing a
bunch of children onto it,'' said Vold.
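Returning to the 3CX item earlier in this issue: the malicious builds carried a valid signature made with the vendor's own key, and the macOS build was notarized as well, so a client that only asked "is this signed by 3CX?" had no reason to refuse them. The script below is an added example from the editor, not code from the digest, from Ars Technica, from 3CX or from any contributor. It models the defensive pattern that does catch this case: require both a valid vendor signature and a match against a release hash pinned from an independent source (a reproducible build, a transparency log, or a hash the vendor published over a separate channel). The builds, the key and the hashes are constructed stand-ins, and HMAC-SHA256 stands in for real asymmetric code signing so the script runs with the standard library alone.

```python
"""Release verification with two independent checks: vendor signature + pinned hash.

Added illustration, not 3CX's or any vendor's code.  A valid vendor signature
proves who signed a build, not that the build is what the vendor meant to
ship; a stolen or misused signing key satisfies the signature check alone.
An independently pinned SHA-256 of the expected release is a second check
the attacker cannot satisfy by signing.

Simplification: real code signing uses asymmetric keys and a certificate
chain; HMAC-SHA256 stands in for "signed with the vendor's key" here.
"""
import hashlib
import hmac

# Constructed sample data, not real 3CX artifacts or keys.
VENDOR_SIGNING_KEY = b"vendor-signing-key-constructed-for-this-example"
GENUINE_BUILD = b"desktop-app-installer version X: genuine bytes (constructed)"
# A build with extra code injected before signing, as in a supply chain compromise.
TROJANIZED_BUILD = GENUINE_BUILD + b"\n[injected payload placeholder, constructed]"


def sign(key: bytes, artifact: bytes) -> str:
    """Stand-in for vendor code signing: HMAC-SHA256 over the artifact bytes."""
    return hmac.new(key, artifact, hashlib.sha256).hexdigest()


def signature_valid(key: bytes, artifact: bytes, signature: str) -> bool:
    """Verify the stand-in signature with a constant-time comparison."""
    return hmac.compare_digest(sign(key, artifact), signature)


def sha256_hex(artifact: bytes) -> str:
    """Hash used for the independent release pin."""
    return hashlib.sha256(artifact).hexdigest()


def verify_release(artifact: bytes, signature: str, key: bytes, pinned_hashes: set) -> dict:
    """Run both checks and return them with the overall decision.

    The build is accepted only when the signature verifies AND its hash
    matches a hash pinned from a source independent of the vendor's key.
    """
    sig_ok = signature_valid(key, artifact, signature)
    pin_ok = sha256_hex(artifact) in pinned_hashes
    return {"signature_ok": sig_ok, "hash_pinned": pin_ok, "accept": sig_ok and pin_ok}


def demo() -> dict:
    """Compare the genuine and trojanized builds under the combined policy."""
    # The defender pinned the genuine build's hash from an independent channel
    # before a trojanized, vendor-signed replacement was distributed.
    pinned = {sha256_hex(GENUINE_BUILD)}

    # Both builds carry a valid vendor signature: the attacker had the key.
    genuine_sig = sign(VENDOR_SIGNING_KEY, GENUINE_BUILD)
    trojan_sig = sign(VENDOR_SIGNING_KEY, TROJANIZED_BUILD)

    return {
        "genuine": verify_release(GENUINE_BUILD, genuine_sig, VENDOR_SIGNING_KEY, pinned),
        "trojanized": verify_release(TROJANIZED_BUILD, trojan_sig, VENDOR_SIGNING_KEY, pinned),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:10s} signature_ok={result['signature_ok']} "
              f"hash_pinned={result['hash_pinned']} accept={result['accept']}")
```

The interesting row in the output is the trojanized build: `signature_ok=True` but `accept=False`. A build that carries a valid vendor signature yet does not match any pinned hash is exactly the condition that should raise an alert rather than be silently installed, since it means either the pin list is stale or the vendor's key has signed something the organisation never vetted.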
------------------------------

Date: Fri, 31 Mar 2023 19:47:13 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: AI application ChatGPT temporarily banned in Italy over
  data-collection concerns (CBC)

https://www.cbc.ca/news/world/italy-openai-chatgpt-ban-1.6797963

Italy's Data Protection Authority on Friday temporarily banned OpenAI's
ChatGPT chatbot and launched a probe over a suspected breach of the
artificial intelligence application's data-collection rules.

The agency, also known as Garante, accused Microsoft Corp-backed ChatGPT of
failing to check the age of its users who are supposed to be 13 and up.

  [This item even made it to the Palo Alto local Daily Post on 3 Apr.  PGN]

------------------------------

Date: Thu, 6 Apr 2023 10:38:28 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Even More on Trust & Safety and AI

In answer to some questions I've received, let me put it this way.  The
firms pushing out these AI chat systems seem to lack an understanding of
how ordinary persons exposed to them would react and use them.  This is not
altogether surprising, we've seen this pattern in tech repeatedly for many
years, especially (but not exclusively) on the Internet.

While the firms have generally had disclaimers present on these AI chat
systems, to expect them to be fully understood in context by random users
of these systems is both unreasonable and potentially dangerous.

Attempting to pause or stop AI training or other related research is not
practical nor desirable.  But better communication with the public is
absolutely necessary.  These systems need to be explained in ways that
non-technical, busy persons will appreciate in the context of their own
lives and experiences.

The technologists designing these systems need to realize that if
sufficient resources are not dedicated to these direct public communication
and education needs, the firms will be ever more targeted by
politically-motivated attacks, and risk their work being ever more
mis-characterized by entities with political motives of their own, to the
detriment of the firms, their users, and the community at large.

This must be understood and acted upon immediately, or the benefits of AI
will be consumed by false narratives and it will be too late for much more
than painful regrets.

------------------------------

Date: Thu, 6 Apr 2023 09:21:46 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Australian mayor prepares world's first defamation lawsuit over
  ChatGPT content

https://www.theguardian.com/technology/2023/apr/06/australian-mayor-prepares-worlds-first-defamation-lawsuit-over-chatgpt-content

------------------------------

Date: Sun, 2 Apr 2023 11:07:55 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Pausing AI Developments Isn't Enough. We Need to Shut It All Down
  (Eliezer Yudkowsky)

https://time.com/6266923/ai-eliezer-yudkowsky-open-letter-not-enough/

AI Labs Urged to Pump the Brakes in Open Letter
<https://time.com/6266679/musk-ai-open-letter/>

------------------------------

Date: Wed, 5 Apr 2023 11:44:07 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Forgive or Forget: What Happens When Robots Lie? (Catherine Barzler)

Catherine Barzler, Georgia Institute of Technology, 30 Mar 2023,
via ACM Tech News

Georgia Institute of Technology (Georgia Tech) researchers aimed to
determine whether a robot could apologize after lying to rebuild trust.
The study involved 341 online and 20 in-person participants in a game-like
simulation in which they were tasked with driving a robot-assisted car to
rush their friend to the hospital.  The robot assistant warned that there
were police ahead and to stay under the speed limit, but after arriving at
the hospital, participants were informed that there had been no police.
The robot assistant then randomly provided one of five responses, three of
which admitted to deception and two that did not.  Forty-five percent of
in-person participants did not speed, mainly because they believed the
robot knew more about the situation.  The researchers found that
apologizing without admitting deception outperformed the other apologies,
but when told about the deception, the apology most effective in repairing
trust involved an explanation.

------------------------------

Date: Mon, 3 Apr 2023 00:04:05 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: I am not afraid of robots. I am afraid of people. (Gary Marcus)

Some thoughts on AI risks, near-term and long-term, some recent
controversies in AI, and why we are in trouble if we can't find a way to
work together

https://garymarcus.substack.com/p/i-am-not-afraid-of-robots-i-am-afraid

With this great illustration of not-problem-solving:
https://twitter.com/razorbelle/status/1642000591802204162

------------------------------

Date: Thu, 6 Apr 2023 09:08:47 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Are robot waiters the future? Some restaurants think so. (AP News)

You may have already seen them in restaurants: waist-high machines that can
greet guests, lead them to their tables, deliver food and drinks and ferry
dirty dishes to the kitchen.  Some have cat-like faces and even purr when
you scratch their heads.

But are robot waiters the future?  It's a question the restaurant industry
is increasingly trying to answer.

Many think robot waiters are the solution to the industry's labor
shortages.  Sales of them have been growing rapidly in recent years, with
tens of thousands now gliding through dining rooms worldwide.

``There's no doubt in my mind that this is where the world is going,'' said
Dennis Reynolds, dean of the Hilton College of Global Hospitality
Leadership at the University of Houston.  The school's restaurant began
using a robot in December, and Reynolds says it has eased the workload for
human staff and made service more efficient.  [...]

  [Long article truncated for RISKS.  PGN]

https://apnews.com/article/robots-waiters-restaurants-84336d32667219776d4d0942c28caa46

------------------------------

Date: Tue, 4 Apr 2023 23:08:06 -0400
From: Monty Solomon <monty () roscom com>
Subject: It's Their Content, You're Just Licensing It. (NYTimes)

Recent automatic updates to e-book editions of works by Roald Dahl,
R.L. Stine and Agatha Christie are a reminder of who really owns your
digital media.

https://www.nytimes.com/2023/04/04/arts/dahl-christie-stine-kindle-edited.html

  [Sticking pins in the Dahl with widespread implications?  PGN]

------------------------------

Date: Mon, 3 Apr 2023 10:45:14 -0400
From: "Phil Smith III" <phsiii () gmail com>
Subject: Stupid physical risk

*Nextdoor* reports that some apartment complex of multiple buildings nearby
has identical keys for unit n in each building.  Someone found out when she
woke up to find a stranger *in her apartment*, holding a key: he was a
prospective renter, was given key to check out unit, went to wrong
building.  After some arguing with management, they sent locksmith to
change at least *her* locks.  She got a few neighbors to verify that this
was true for their keys, too (presumably they knocked on other door,
explained, then demonstrated).

  [I wonder how common this is.  Sure would make it easier for management
  to keep track of keys!  /s]

------------------------------

Date: Sat, 1 Apr 2023 07:07:03 -0700
From: Stan Brown <the_stan_brown () fastmail fm>
Subject: Re: DC Metro Will Retrofit Faregates To Cut Down On Fare Evasion
  (RISKS-33.68)

My calculations come up with a different answer:

  40,000 evasions per weekday
  365*5/7 = about 261 weekdays per year (ignoring holidays)
  40,000 * 261 = 10,440,000 evasions per year
  Using your $5/fare(*) estimate, that's $52.2 million per year
  Payback period, 70/52.2 = 1.34 years, or 1 year 4 months.

I'm sure there are plenty of shortsighted actions for which the Metro board
can be criticized, but a payback period of 16 months doesn't sound like one
of them.

  [Also noted by Martin Ward.  Oops.  Sorry.  I misread that as 40,000 each
  week...  BAD.  PGN]

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.67
************************