RISKS Forum mailing list archives
Risks Digest 33.79
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 19 Aug 2023 17:23:35 PDT
RISKS-LIST: Risks-Forum Digest  Saturday 19 August 2023  Volume 33 : Issue 79

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.79>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Voyager 2: NASA Loses Contact With Probe After Sending Wrong Command
  (Business Insider)
American Airlines flight from Logan delayed Monday after close call with
  Spirit Airlines (The Boston Globe)
Birds and fish competing with squirrels for power failures (Fox)
Lahaina: single points of failure (Henry Baker)
More than 134,000 Mass. residents part of data security breach
  (The Boston Globe)
Windows feature that resets system clocks based on random data is wreaking
  havoc (Ars Technica)
For the Good of Society, Hackers Prod AI to Be Bad (NYTimes)
San Francisco robotaxi traffic jam is a warning to the world, says city
  official (CBC)
CA DMV orders Cruise to reduce robotaxi fleet in SF by 50% after collision
  with fire truck, injuring passenger (TechCrunch)
The rapid expansion of robotaxis in major cities MUST BE STOPPED
  (Lauren Weinstein)
Potential NYT lawsuit could force OpenAI to wipe ChatGPT and start over
  (Ars Technica)
An Iowa school district is using ChatGPT to decide which books to ban
  (The Verge)
Not AI? (Cliff Kilby)
Crypto smart contracts still stupid (Amy Castor)
Attackers find new ways to deliver DDoSes with "alarming" sophistication
  (Ars Technica)
`Bitcoin Bonnie and Clyde' plead guilty in `spy novel'-like laundering case
  (WashPost)
Microsoft pulls article recommending Ottawa Food Bank to tourists (CBC)
Cheese and chips: parmesan producers fight fakes with microtransponders
  (The Guardian)
Ukraine busts bot farm spreading Russian infowar propaganda and frauds
  (The Register)
Imposter scams are the top U.S. fraud (NPR)
Good reason to keep BMC LAN connections on an isolated LAN (Ars Technica)
Internet Archive's legal woes mount as record labels sue for $400M
  (Ars Technica)
AI chatbot scares Snapchat users by posting mysterious video (Ars Technica)
Re: Don't use our content to train AI systems (Amos Shapir)
Re: Cellphone Radiation Is Harmful, but Few Want to Believe It (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 1 Aug 2023 23:53:27 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Voyager 2: NASA Loses Contact With Probe After Sending Wrong Command (Business Insider)

NASA accidentally lost contact with its Voyager 2 probe after sending a wrong command. It could mean the end of its 46-year-old mission.

  [The requirements specifiers, designers, and programmers forgot about "undo"? or required confirmation of questionable inputs? Foresight, forsooth farsight, when it is that FAR AWAY? PGN]

https://www.businessinsider.com/nasa-loses-contact-voyager-2-sent-wrong-command-mistake-space-2023-8

------------------------------

Date: Wed, 16 Aug 2023 23:20:24 -0400
From: Monty Solomon <monty () roscom com>
Subject: American Airlines flight from Logan delayed Monday after close call with Spirit Airlines (The Boston Globe)

The close call was the fourth time this year aircraft at Logan have inadvertently flown close to one another, according to FAA records.

https://www.bostonglobe.com/2023/08/16/metro/american-airlines-flight-logan-delayed-monday-after-close-call-with-spirit-airlines/

------------------------------

Date: Wed, 16 Aug 2023 21:32:05 +0000
From: danny burstein <dannyb () panix com>
Subject: Birds and fish competing with squirrels for power failures (Fox)

https://www.foxnews.com/us/unlikely-animal-falls-from-sky-knocks-power-out-thousands-new-jersey-town

A fish dropped out of the sky by its bird captor caused a power outage for a section of homes in a New Jersey town, officials say.

"There is a large area of Lower Sayreville without power. [Jersey Central Power & Light] is reporting a [fish emoji] was found on a transformer.

------------------------------

Date: Thu, 17 Aug 2023 20:03:34 +0000
From: Henry Baker <hbaker1 () pipeline com>
Subject: Lahaina: single points of failure

High winds => downed power lines => sparked fires => melted water lines + pumping power loss => no way to fight the fires.

Reminds me of the 'Useless Box' that Turns Itself Off:
https://www.youtube.com/watch?v=3KTilOsXBmU

Lahaina clearly demonstrates the Major Risk of *centralized electrical power systems*; to gain resilience, we *have* to move to *distributed electrical power systems*, aka 'microgrids':

https://www.nrel.gov/grid/microgrids.html

"Advanced microgrids enable local power generation assets—including traditional generators, renewables, and storage—to keep the local grid running even when the larger grid experiences interruptions or, for remote areas, where there is no connection to the larger grid."

https://www.nytimes.com/2023/08/13/us/lahaina-water-failure.html

As Inferno Grew, Lahaina's Water System Collapsed

Firefighters who rushed to contain the Maui wildfire found that hydrants were running dry, forcing crews to embark instead on a perilous rescue mission.

West Maui's water system relies on electrical power to pump water through the network and deliver it to fire hydrants, and officials at Hawaiian Electric, the state's main electrical utility, have said that the need to maintain this pumping capability has made it difficult to shut off power when high winds pose a fire risk.

``Pre-emptive, short-notice power shut-offs have to be coordinated with first-responders and in Lahaina, electricity powers the pumps that provide the water needed for firefighting,'' said Jim Kelly, a spokesman for the utility.

  [Re: the sirens, discussed in an earlier RISKS issue, I heard a news report faulting officials that the sirens were not used. The rebuttal justification seemed to be that their use was primarily for tsunamis, for which people are trained to move inland higher altitudes as fast as possible -- which may not have been relevant here. PGN]

------------------------------

Date: Wed, 16 Aug 2023 22:52:34 -0400
From: Monty Solomon <monty () roscom com>
Subject: More than 134,000 Mass. residents part of data security breach (The Boston Globe)

https://www.boston.com/news/crime/2023/08/16/massachusetts-data-security-breach-moveit-umass-chan-medical-school/

------------------------------

Date: Thu, 17 Aug 2023 11:15:37 -0400
From: Monty Solomon <monty () roscom com>
Subject: Windows feature that resets system clocks based on random data is wreaking havoc (Ars Technica)

Windows Secure Time Seeding resets clocks months or years off the correct time.

A few months ago, an engineer in a data center in Norway encountered some perplexing errors that caused a Windows server to suddenly reset its system clock to 55 days in the future. The engineer relied on the server to maintain a routing table that tracked cell phone numbers in real time as they moved from one carrier to the other. A jump of eight weeks had dire consequences because it caused numbers that had yet to be transferred to be listed as having already been moved and numbers that had already been transferred to be reported as pending. [...]

https://arstechnica.com/security/2023/08/windows-feature-that-resets-system-clocks-based-on-random-data-is-wreaking-havoc

------------------------------

Date: Thu, 17 Aug 2023 12:07:34 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: For the Good of Society, Hackers Prod AI to Be Bad (NYTimes)

Sarah Kessler and Tiffany Hsu, *The New York Times* business front page, 17 Aug 2023

AI Village was part of a White-House endorsed contest to expose weak spots before the criminals can. [PGN-ed]

  [Instead of Biden' our time and waiting for rampant Zero-day misuses to emerge, RISKS readers should find pre-zero days (subzero?) salubrious. Although it clearly took a village, there were no bounties. However, two of the three top scores of the judges were attributed to Cody Ho, a Stanford CS student. PGN]

------------------------------

Date: Thu, 17 Aug 2023 06:49:19 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: San Francisco robotaxi traffic jam is a warning to the world, says city official (CBC)

https://www.cbc.ca/radio/asithappens/san-francisco-robotaxi-traffic-jam-1.6938440

The day after California approved an expansion of driverless taxis, 10 of them came to a grinding halt on a busy San Francisco street, creating a gridlock that encompassed several blocks. The culprit? A music festival.

"Cell phones were overwhelmed, and as a result, they were not able to take control of these cars -- which is a pretty frightening systemic defect," Aaron Peskin, president of the San Francisco Board of Supervisors (SFBV), told As It Happens guest host Paul Hunter.

Not only was there the 10-car back-up of Cruise-owned autonomous taxis in city's North Shore neighbourhood on Friday, but on the other side of the city, closer to the Outside Lands music festival, Peskin said "there were also scores of them that came to a grinding halt."

------------------------------

Date: Fri, 18 Aug 2023 18:57:24 -0700
From: PRIVACY Forum mailing list <privacy () vortex com>
Subject: CA DMV orders Cruise to reduce robotaxi fleet in SF by 50% after collision with fire truck, injuring passenger [on 17 Aug] (TechCrunch)

https://techcrunch.com/2023/08/18/cruise-told-by-regulators-to-immediately-reduce-robotaxi-fleet-50-following-crash/

Of course, just a handful of days ago the CPUC said Waymo and Cruise could vastly expand their fleets in SF. At least the DMV has some sense about this half-baked tech. -L

------------------------------

Date: Thu, 17 Aug 2023 12:01:09 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: The rapid expansion of robotaxis in major cities MUST BE STOPPED (The Verge and KTVU)

The technology is not ready. The alarms are blinking RED. It's beyond irresponsible to push out this half-baked tech this way. -L

https://www.theverge.com/2023/8/15/23831170/robotaxi-cpuc-sf-waymo-cruise-traffic-halt

  [Die Verge-ntly? Deja(kt) Vu? PGN]

https://www.ktvu.com/news/san-francisco-asks-regulators-to-stop-approval-of-robotaxi-expansion-after-recent-blunders

------------------------------

Date: Thu, 17 Aug 2023 11:39:09 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Potential NYT lawsuit could force OpenAI to wipe ChatGPT and start over (Ars Technica)

https://arstechnica.com/tech-policy/2023/08/report-potential-nyt-lawsuit-could-force-openai-to-wipe-chatgpt-and-start-over/

------------------------------

Date: Tue, 15 Aug 2023 23:37:00 -0400
From: Monty Solomon <monty () roscom com>
Subject: An Iowa school district is using ChatGPT to decide which books to ban (The Verge)

https://www.theverge.com/2023/8/15/23833167/iowa-book-ban-chatgpt-mason-city-community-school-district-removal

------------------------------

Date: Thu, 17 Aug 2023 14:29:32 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Not AI?

I know it's difficult to stop a media trend once it has begun but there is no current functionally complete AI available. I propose the counter inflammatory term *Dijkstra's demon*.

The underlying algorithms that drive LLMs are essentially pathfinders. Instead of connecting points for paths, they connect glyphs to form new glyphs (to borrow a term from Hofstadter). Comparing a LLM to a less than ideal way of connecting two subjects is a more accurate model to work from than the popular construction of a "thinking" machine.

Also, in my non-legal opinion, start reserving derivative works in any of your statement of work negotiations. ChatGPT is almost entirely unusable now because it doesn't have a provenance for what it's spitting out.

Now that you ask, yes, I am in fact in an armchair.

  [Why did the bot run off the glyph? It didn't see the other glyph. PGN parodizing the old joke -- Why did the RAM run off the cliff? (He didn't see the EWE-turn.)]

------------------------------

Date: Fri, 4 Aug 2023 14:06:42 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Crypto smart contracts still stupid (Amy Castor)

Curve: smart contracts, stupid humans

"Smart contracts" are small programs that run right there inside a blockchain. In enterprise computing, these would be called "database triggers" or "stored procedures." You never use triggers or stored procedures unless you absolutely have to, because they're very easy to get wrong and a pain in the backside to debug. In the real world, you keep your financial data and the programs working on it separate.

So, of course, crypto uses programs embedded in the database for everything and touts the difficulty in working with them as a feature and not evidence of the idea's incredible stupidity.

A smart contract full of crypto can reasonably be treated as a piñata, just waiting for you to whack it in the right spot and get the candy.

Today's piñata is Curve Finance, a DeFi exchange used for trading stablecoins and other tokens. Curve was hacked on July 30 due to a bug in the Vyper language compiler. Smart contracts that were using Vyper versions 0.2.15, 0.2.16, and 0.3.0 were vulnerable. About $70 million in funds was drained from liquidity pools whose smart contracts used these versions. [Twitter, archive; Twitter, archive]

Vyper, which is inspired by Python, was supposed to have been an improvement over the hilariously awful Solidity -- a.k.a. "JavaScript with a concussion" -- that most Ethereum Virtual Machine smart contracts are written in. Unfortunately, the Vyper compiler had a bug that meant compiled code was exploitable. So you could mathematically prove your smart contract program was correct -- and the compiled version could still be exploited. This could hit any Vyper smart contract using vulnerable versions. [Twitter, archive]

https://amycastor.com/2023/08/03/crypto-collapse-terra-judge-repudiates-ripple-finding-razzlekhan-cops-a-plea-binances-fdusd-stablecoin-coindesk-sold-smart-contracts-still-stupid/

------------------------------

Date: Tue, 25 Jul 2023 08:01:02 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Attackers find new ways to deliver DDoSes with "alarming" sophistication (Ars Technica)

Once crude and unsophisticated, DDoSes are now on par with those by nation-states.

The protracted arms race between criminals who wage Distributed Denial-of-Service attacks and the defenders who attempt to stop them continues, as the former embraces *alarming* new methods to make their online offensives more powerful and destructive, researchers from content-delivery network Cloudflare reported Wednesday.

With a global network spanning more than 300 cities in more than 100 countries around the world, Cloudflare has visibility into these types of attacks that's shared by only a handful of other companies. The company said it delivers more than 63 million network requests per second and more than 2 trillion domain lookups per day during peak times. Among the services that Cloudflare provides is mitigation for the[se] attacks.

  [... LONG and rather repetitive text PGN-truncated]

https://arstechnica.com/security/2023/07/attackers-find-new-ways-to-deliver-ddoses-with-alarming-sophistication/

------------------------------

Date: Fri, 4 Aug 2023 18:22:48 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: `Bitcoin Bonnie and Clyde' plead guilty in `spy novel'-like laundering case (WashPost)

María Luisa Paúl
https://www.washingtonpost.com/nation/2023/08/04/bitfinex-hack-guilty-plea/

Heather Morgan and Ilya Lichtenstein hadn't been implicated in the 2016 Bitfinex hack itself - until Lichtenstein delivered a bombshell revelation Thursday.

------------------------------

Date: Fri, 18 Aug 2023 21:06:02 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Microsoft pulls article recommending Ottawa Food Bank to tourists (CBC)

https://www.cbc.ca/news/canada/ottawa/artificial-intelligence-microsoft-travel-ottawa-food-bank-1.6940356

Microsoft has removed an article that advised tourists to visit the "beautiful" Ottawa Food Bank on an empty stomach, after facing ridicule about the company's reliance on artificial intelligence for news.

But an unnamed Microsoft spokesperson later blamed the article's publication on "human error," rather than "unsupervised AI."

------------------------------

Date: Sat, 19 Aug 2023 14:31:55 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Cheese and chips: parmesan producers fight fakes with micro-transponders (The Guardian)

https://www.theguardian.com/food/2023/aug/18/parmesan-producers-fight-fakes-microtransponders-chips-rind

Counterfeits are the bane of the Parmigiano Reggiano Consortium, which is now trialling tech in the rind

------------------------------

Date: Thu, 20 Jul 2023 12:52:24 +0200
From: Peter Houppermans <peter () houppermans net>
Subject: Ukraine busts bot farm spreading Russian infowar propaganda and fraud (The Register)

https://www.theregister.com/2023/07/20/ukraine_busts_russian_bot_farm/

"Ukrainian cops have disrupted a massive bot farm with more than 100 operators allegedly spreading fake news about the Russian invasion, leaking personal information belonging to Ukrainian citizens, and instigating fraud schemes. After conducting 21 searches, the country's cyber and national police seized computer equipment, mobile phones, more than 250 GSM gateways, and about 150,000 SIM cards.

"The Cyber Police established that the attackers used special equipment and software to register thousands of bot accounts in various social networks and subsequently launch advertisements that violated the norms and legislation of Ukraine," according to machine translation of the news alert issued by the police. Insiders in Vinnytsia, Zaporizhzhia, and Lviv were involved in the bot farm, we're told.

I'm guessing that will also take some of the load problems from Twitter..

------------------------------

Date: Wed, 16 Aug 2023 01:17:34 -0400
From: Monty Solomon <monty () roscom com>
Subject: Imposter scams are the top U.S. fraud (NPR)

A 3-hour phone call that brought her to tears: Imposter scams cost Americans billions

Valeria Haedo, a visual artist based in New York City, was caught off guard when she was targeted in a complex phone scam.

It was a Monday in the middle of the day when Valeria Haedo got a phone call from a number she didn't recognize. She doesn't normally pick those up, but she did that day.

The caller said his name was Officer Robert Daniels from U.S. Customs and Border Protection and he had a warrant for her arrest. He told Haedo she could verify him by Googling his name and department. She did, and it checked out.

But what Haedo didn't realize in that moment is she'd just been targeted in an intricate scam. She was kept on the phone for more than three hours and eventually brought to tears.

The scam is known as an imposter scam and is the top fraud in the U.S. right now. It involves the perpetrator impersonating an authority figure and using scare tactics to reel in victims.

While these scams have been around forever, they've become more believable because con artists use real names of law enforcement officers that show up with caller ID from an actual office and even local accents. [...]

https://www.npr.org/2023/06/19/1182464826/scammer-phone-calls-imposter-fraud

------------------------------

Date: Fri, 21 Jul 2023 00:52:47 -0400
From: Bob Gezelter <gezelter () rlgsc com>
Subject: good reason to keep BMC LAN connections on an isolated LAN (Ars Technica)

A 2021 ransomware breach at Gigabyte reportedly compromised more than 112 gigabytes of data including code and other information related to widely-used baseboard management controllers (BMC) processors on system boards. The exposed defects reportedly include zero-day and code execution vulnerabilities. An update is being prepared to address known issues.

I have long advocated connecting to BMC and similar control interfaces using a physically separate LAN. Remote access is necessary, but access to the isolated "walled garden" should be through a separate gateway portal.

The Ars Technica article:
https://arstechnica.com/security/2023/07/millions-of-servers-inside-data-centers-imperiled-by-flaws-in-ami-bmc-firmware/

------------------------------

Date: Wed, 16 Aug 2023 00:17:09 -0400
From: Monty Solomon <monty () roscom com>
Subject: Internet Archive's legal woes mount as record labels sue for $400M (Ars Technica)

The Internet Archive also reached a confidential settlement with book publishers.

Major record labels are suing the Internet Archive, accusing the nonprofit of "massive" and "blatant" copyright infringement "of works by some of the greatest artists of the Twentieth Century."

The lawsuit was filed Friday in a US district court in New York by UMG Recordings, Capitol Records, Concord Bicycle Assets, CMGI, Sony Music Entertainment, and Arista Music. It targets the Internet Archive's "Great 78 Project," which was launched in 2006. [...]

https://arstechnica.com/tech-policy/2023/08/record-labels-sue-internet-archive-for-digitizing-obsolete-vintage-records/

------------------------------

Date: Fri, 18 Aug 2023 02:36:39 -0400
From: Monty Solomon <monty () roscom com>
Subject: AI chatbot scares Snapchat users by posting mysterious video (Ars Technica)

https://arstechnica.com/?p=1961146

------------------------------

Date: Fri, 18 Aug 2023 11:32:33 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Don't use our content to train AI systems (NYTimes, RISKS-33.78)

There's a simple and inexpensive way to fight back: The NYT could surround the real text of their sites by a thick wall of AI-generated nonsense, invisible to regular users but accessible to parasitic AI's crawlers. This way, their sites would quickly become detrimental to the parasite's contents.

------------------------------

Date: Thu, 17 Aug 2023 12:59:12 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: Re: Cellphone Radiation Is Harmful, but Few Want to Believe It (Neuroscience News, RISKS-33.78)

https://neurosciencenews.com/cellphone-radiation-brain-cancer-18889/

It has come to my attention that the same publication published the exactly opposite results in 2022:
https://neurosciencenews.com/cell-phone-brain-tumor-20314/

  [It's the old story. Whom should you trust on the Internet? Neuroscience News or Neuroscience News? Or has the neuroscience simply changed that much? Or are they both right, in some quantum-theoretical sense? PGN]

------------------------------

Date: Sat, 1 Jul 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.79
************************