RISKS Forum mailing list archives
Risks Digest 33.85
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 19 Sep 2023 20:39:53 PDT
RISKS-LIST: Risks-Forum Digest Tuesday 19 September 2023 Volume 33 : Issue 85
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
<http://catless.ncl.ac.uk/Risks/33.85>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Bots are Better than Humans at CAPTCHAs (Bruce Schneier)
Cryptocurrency Startup Loses Encryption Key for Electronic Wallet (Schneier via Gabe Goldberg)
What politicians are doing about the Internet, RIGHT NOW (Lauren Weinstein)
Microsoft AI researchers accidentally exposed terabytes of internal sensitive data (TechCrunch)
In Risky Hunt for Secrets, U.S. and China Expand Global Spy Operations (NYTimes)
Chinese hackers have unleashed a never-before-seen Linux backdoor (Ars Technica)
Scientists warn entire branches of the 'Tree of Life' are going extinct (Yahoo! News)
Can the free market ensure artificial intelligence won't wipe out human workers? (CBC)
DHS Issues Privacy/Civil Liberties Guidelines, *and* DHS Spies Trouble in 2024 in election security (Politico)
Old Google vs. New Google (Lauren Weinstein)
Re: Pedestrian dies after Cruise cars block ambulance (Geoff Kuenning, Henry Baker)
Re: Vintage Car prices (Joe Gwinn)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 15 Sep 2023 11:06:31 +0000
From: Bruce Schneier <schneier () schneier com>
Subject: Bots are Better than Humans at CAPTCHAs

[PGN-Excerpted from Bruce's latest issue. But why does Bruce have to encode commas as "=2C"???? What is so special for Bruce's computer? As Gertrude Stein might have written, a comma is a comma is a comma. PGN]

Abstract: For nearly two decades, CAPTCHAs have been widely used as a means of protection against bots. Throughout the years, as their use grew, techniques to defeat or bypass CAPTCHAs have continued to improve.
Meanwhile, CAPTCHAs have also evolved in terms of sophistication and diversity, becoming increasingly difficult to solve for both bots (machines) and humans. Given this long-standing and still-ongoing arms race, it is critical to investigate how long it takes legitimate users to solve modern CAPTCHAs, and how they are perceived by those users. In this work, we explore CAPTCHAs *in the wild* by evaluating users' solving performance and perceptions of *unmodified currently-deployed* CAPTCHAs. We obtain this data through manual inspection of popular websites and user studies in which 1,400 participants collectively solved 14,000 CAPTCHAs. Results show significant differences between the most popular types of CAPTCHAs: surprisingly, solving time and user perception are not always correlated. We performed a comparative study to investigate the effect of experimental context, specifically the difference between solving CAPTCHAs directly versus solving them as part of a more natural task, such as account creation. Whilst there were several potential confounding factors, our results show that *experimental context* could have an impact on this task, and must be taken into account in future CAPTCHA studies. Finally, we investigate CAPTCHA-induced user task *abandonment* by analyzing participants who start and do not complete the task.

Slashdot thread:
https://hardware.slashdot.org/story/23/08/10/0439241/bots-are-better-than-humans-at-cracking-are-you-a-robot-captcha-tests-study-finds

And let's all rewatch this great ad from 2022:
https://www.youtube.com/watch?v=lhUuzWbrCgU

------------------------------

Date: Sat, 16 Sep 2023 16:37:40 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Cryptocurrency Startup Loses Encryption Key for Electronic Wallet (Schneier on Security)

The cryptocurrency fintech startup Prime Trust lost the encryption key to its hardware wallet—and the recovery key—and therefore $38.9 million. It is now in bankruptcy.
I can’t understand why anyone thinks these technologies are a good idea.

https://www.schneier.com/blog/archives/2023/09/cryptocurrency-startup-loses-encryption-key-for-electronic-wallet.html

I mean, nobody could have anticipated that happening... [!!!]

------------------------------

Date: Sun, 10 Sep 2023 08:11:37 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: What politicians are doing about the Internet, RIGHT NOW

Keep in mind that right now, at this very moment, politicians in BOTH PARTIES are pushing legislation to require you to show a government ID to use most major Internet sites. Some of these laws have already been passed, and litigation all the way up to the Supreme Court is very likely.

The goal of BOTH PARTIES is to create a Chinese-style Internet with everyone fully identified, all anonymity effectively lost (irrespective of the "safeguards" U.S. officials will promise), and all content tightly micromanaged by officials on the Left and Right not only to "protect the children" but to keep all Internet users firmly under the government's control.

Yes, it's that bad. -L

------------------------------

Date: Mon, 18 Sep 2023 15:30:26 -0700
From: Victor Miller <victorsmiller () gmail com>
Subject: Microsoft AI researchers accidentally exposed terabytes of internal sensitive data (TechCrunch)

https://techcrunch.com/2023/09/18/microsoft-ai-researchers-accidentally-exposed-terabytes-of-internal-sensitive-data/

[Monty Solomon spotted the above and also found this:
Microsoft AI team accidentally leaks 38TB of private company data:
https://mashable.com/article/microsoft-ai-researchers-leaked-private-data-azure-link-github
PGN]

------------------------------

Date: Mon, 18 Sep 2023 10:34:42 -0400
From: Monty Solomon <monty () roscom com>
Subject: In Risky Hunt for Secrets, U.S. and China Expand Global Spy Operations (NYTimes)

The nations are taking bold steps in the espionage shadow war to try to collect intelligence on leadership thinking and military capabilities.

https://www.nytimes.com/2023/09/17/us/politics/us-china-global-spy-operations.html

------------------------------

Date: Mon, 18 Sep 2023 19:55:29 -0400
From: Monty Solomon <monty () roscom com>
Subject: Chinese hackers have unleashed a never-before-seen Linux backdoor (Ars Technica)

https://arstechnica.com/?p=1969201

------------------------------

Date: Tue, 19 Sep 2023 09:02:26 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Scientists warn entire branches of the 'Tree of Life' are going extinct (Yahoo! News)

Humans are driving the loss of entire branches of the "Tree of Life," according to a new study published on Monday which warns of the threat of a sixth mass extinction.

"The extinction crisis is as bad as the climate change crisis. It is not recognized," said Gerardo Ceballos, professor at the National Autonomous University of Mexico, and co-author of the study published in Proceedings of the National Academy of Sciences (PNAS). "What is at stake is the future of mankind," he told AFP.

The study is unique because instead of merely examining the loss of a species, it examines the extinction of entire genera. In the classification of living beings, the genus lies between the rank of species and that of family. For example, dogs are a species belonging to the genus canis -- itself in the canid family.

"It is a really significant contribution, I think the first time anyone has attempted to assess modern extinction rates at a level above the species," Robert Cowie, a biologist at the University of Hawaii who was not involved in the study, told AFP. "As such it really demonstrates the loss of entire branches of the Tree of Life," a representation of living things first developed by Charles Darwin.
The study shows that "we aren't just trimming terminal twigs, but rather are taking a chainsaw to get rid of big branches," agreed Anthony Barnosky, professor emeritus at the University of California, Berkeley.

The researchers relied largely on species listed as extinct by the International Union for Conservation of Nature (IUCN). They focused on vertebrate species (excluding fish), for which more data are available. Of some 5,400 genera (comprising 34,600 species), they concluded that 73 had become extinct in the last 500 years -- most of them in the last two centuries. The researchers then compared this with the extinction rate estimated from the fossil record over the very long term. [...]

https://news.yahoo.com/scientists-warn-entire-branches-tree-011943508.html

[If the skunks don't prevail, they will become Ex-Stinked. PGN]

------------------------------

Date: Mon, 18 Sep 2023 19:00:06 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Can the free market ensure artificial intelligence won't wipe out human workers? (CBC)

https://www.cbc.ca/news/business/post-ai-jobs-column-don-pittis-1.6962905

What will you be doing only a decade from now when advanced versions of the artificial intelligence program ChatGPT have wormed their way into the fabric of life? According to some experts, you may be out of a job.

Two current labour disputes involving autoworkers and screenwriters are at least partly about the future threat of AI.

When AI comes for the jobs, writers may be among the first to go, warn two respected technology mavens writing in Foreign Affairs magazine. And they are not alone in that view. Even current versions of the AI program ChatGPT can sketch clearer prose than most humans, they say. And those programs are getting better.

By 2035, as "white-collar workers lose their jobs en masse," declare Ian Bremmer and Mustafa Suleyman, AI will be running hospitals and airlines and courtrooms. "A year ago, that scenario would have seemed purely fictional; today, it seems nearly inevitable."

------------------------------

Date: Mon, 18 Sep 2023 10:41:08 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: DHS Issues Privacy/Civil Liberties Guidelines, *and* DHS Spies Trouble in 2024 in election security (Politico)

DHS also joined the Washington emerging tech frenzy on Thursday by introducing new guidelines on responsible use of AI with a focus on privacy and civil liberties. The move, the first of its kind for the agency, emphasizes the need for transparency and accountability in AI, while setting the stage for agencies to take steps to blunt bias in its systems. The guidelines also give us a sneak peek on how the agency plans to prioritize AI, honing in on its use for decision-making, the collection and use of data, and the development and testing of AI systems.

[ALSO from the same source:]

DHS Spies Trouble in 2024 in election security [don't forget integrity!!! PGN]

Next year's election is shaping up to be a doozy -- and the country has a toxic triad of foreign cyberthreats, increasingly powerful AI models and rising domestic extremism to thank for it, according to a new government report:
https://www.dhs.gov/news/2023/09/14/dhs-continues-see-high-risk-foreign-and-domestic-terrorism-2024-homeland-threat

The Department of Homeland Security's 2024 threat assessment, which came out Thursday courtesy of its office of Intel and analysis, warns those three variables together will present significant risks to the integrity of the presidential election and the physical well-being of those involved in it.

------------------------------

Date: Mon, 18 Sep 2023 11:12:00 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Old Google vs. New Google

* OLD GOOGLE: We prefer websites be written by people, for people. QUALITY MATTERS!

* NEW GOOGLE: AI writing trash is OK. It's the clicks that count!
  Never mind about that people writing for people quality stuff. Ancient history.

------------------------------

Date: Fri, 15 Sep 2023 13:20:27 -0700
From: Geoff Kuenning <geoff () cs hmc edu>
Subject: Re: Pedestrian dies after Cruise cars block ambulance (RISKS-33.83)

You'll note that I used the word "allege". Even if this case turns out to be not the fault of the Cruise cars, I think that it highlights an important point that has been repeatedly raised over the past year or so: driving is about more than safely staying within the lane (and the rules) and avoiding obstacles. Drivers have to deal with all sorts of unusual situations where the usual rules don't apply, such as police officers (or cones) directing them into the oncoming lane, turning around because a stuck semi has blocked the road, avoiding dangerously flooded intersections, etc. It's likely to be a long time before self-driving cars can handle all of those exceptions as well as a human can.

------------------------------

Date: Fri, 15 Sep 2023 17:14:50 +0000
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: Pedestrian dies after Cruise cars block ambulance (Lamont, RISKS-33.83)

I think that we need to consider this incident a *wakeup call* re the risks of 'smart' vehicles. The newest cars are literally computers that happen to have wheels attached, and nearly everything about these cars can be hacked via the Internet -- either using the car's own radios or utilizing Bluetooth/Wifi connected smartphones provided by the car's passengers.

So here are some obvious hacking risks:

1. EVs could be hacked to cause their batteries to melt down; catch fire -- literally execute 'HCF' -- perhaps an entire city's worth of EVs at exactly the same time. Since a lot of EVs would be parked *inside garages*, an entire city could be burned to the ground via an organized hack. [No need for censorship; I'm certain that the Chinese have already thought of this. Oh wait, aren't most EV batteries built in China?
What could possibly go wrong? ]

2. Self-driving vehicles could be hacked to all drive to the same location at the same time to block all the main streets in a city. An optimized algorithm could block all of a city's streets with relatively few strategically placed 'self' driving vehicles. [Once again, I'm sure that Chinese/Russian/Iranian/NKorean hackers have already thought of this.]

3. Another terrifying prospect: an AI-operated system of traffic lights that decides on its own how to 'optimize' traffic -- e.g., to/from a major event like a football game -- but gets too clever and cuts off access to hospitals. Programs like 'Waze' have already shown us how directed traffic can go wrong.

Partial solution: we desperately need *diversity* in the HW/SW of our vehicles, so that no *single* attack vector can zombify *all* of our vehicles simultaneously.

Partial solution: much, much stronger controls to make sure that vehicle SW can be updated to respond to newly discovered threats, and that the SW can be updated *safely* -- i.e., the update channel itself cannot be compromised to provide an attack mechanism.

------------------------------

Date: Thu, 14 Sep 2023 16:01:08 -0400
From: Joe Gwinn <joegwinn () comcast net>
Subject: Re: Vintage Car prices (Thorn, RISKS-33.84)
NO data collection included.-)
And no unreliable electronics and dependence on the web and various servers working, or subscription fees. Not to mention that the electronics may well have outlived its manufacturer, rendering the car scrap. See the Right-to-Repair topic for examples.

------------------------------

Date: Sat, 1 Jul 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
   *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: <risksinfo.html>.
   *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
   *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.85
************************