RISKS Forum mailing list archives
Risks Digest 33.80
From: RISKS List Owner <risko () csl sri com>
Date: Wed, 23 Aug 2023 19:26:38 PDT
RISKS-LIST: Risks-Forum Digest Wednesday 23 August 2023 Volume 33 : Issue 80 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/33.80> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: 'Near Collisions' of Commercial Jets Happen All the Time, Horrifying FAA Records Show (Gizmodo plus NYTimes) Cruise Agrees to Reduce Driverless Car Fleet in San Francisco After Crash (NYTimes) How a hacking crew overtook a satellite from inside a Las Vegas convention center and won $50,000 (Cyberscoop) Fifty minutes to hack ChatGPT: Inside the DEF CON competition to break AI (Cyberscoop) Hackers exploit WinRAR zero-day bug to steal funds from broker accounts (TechCrunch) Grieving widow sues Tesla over deadly Model 3 crash and explosion (TechCrunch) The Case of the Internet Archive vs. Book Publishers (NYTimes) Google announces new algorithm that makes FIDO encryption safe from quantum computers (Ars Technica) Google and YouTube are trying to have it both ways with AI and copyright (The Verge) ICANN warns UN may sideline tech community from future Internet governance (The Register) ``We can always turn off bad AI's'': *NOT* (Henry Baker) Researchers Demo Fake Airplane Mode Exploit That Trickse iPhone Users (Alex Scroxton) American Airlines sues a travel site to crack down on consumers who use this travel hack to save money (APNews) Research Hack Reveals Call Security Risk in Smartphones (Texas A&M) Our health care system may soon receive a much-needed cybersecurity boost (Lily Hay Newman) Tesla points to insider wrongdoing as cause of massive employee data leak (The Verge) Wegmans Double Charging Affects Credit Card Customers In VA, DC (Old Town Alexandria VA Patch) Buyers of Bored Ape NFTs sue after digital apes turn out to be bad investment (Ars Technica) Wi-Fi sniffers strapped to drones -- Mike Lindell's odd plan to stop election fraud (Ars Technica) How X Is Suing Its Way Out of Accountability (WiReD) Re: Voyager 2: NASA Didn't Lose Contact With Probe After Sending Wrong Command (John Levine, Lars-Henrik Eriksson) Re: Cellphone Radiation Is Harmful, but Few Want to Believe It Martin Ward) Re: Lahaina: single points of failure (John Levine, Henry Baker, Dick Mills_ Re: Google/AI -- sundry items PGN-ed (Lauren Weinsteain) Unpacking Cyber Capacity-Building Needs (via Diego Latella) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Wed, 23 Aug 2023 09:32:44 -0400 From: Monty Solomon <monty () roscom com> Subject: 'Near Collisions' of Commercial Jets Happen All the Time, Horrifying FAA Records Show (Gizmodo) https://gizmodo.com/plane-crashes-almost-happen-a-lot-faa-records-1850760132 [Almost half of today's front page of *The New York Times* is devoted to a graphic and lead: Air Disasters Are Rare in the U.S. Close Calls Are a Different Story -- Multiple Incidents Each Month Reveal a Safety Net Under Stress. PGN] ------------------------------ Date: Sun, 20 Aug 2023 18:15:56 -0400 From: Monty Solomon <monty () roscom com> Subject: Cruise Agrees to Reduce Driverless Car Fleet in San Francisco After Crash (NYTimes) https://www.nytimes.com/2023/08/18/technology/cruise-crash-driverless-car-san-francisco.html ------------------------------ Date: Wed, 23 Aug 2023 10:17:45 -0400 From: Monty Solomon <monty () roscom com> Subject: How a hacking crew overtook a satellite from inside a Las Vegas convention center and won $50,000 (Cyberscoop) https://cyberscoop.com/mhackeroni-hackasat-space-def-con/ ------------------------------ Date: Wed, 23 Aug 2023 10:23:40 -0400 From: Monty Solomon <monty () roscom com> Subject: Fifty minutes to hack ChatGPT: Inside the DEF CON competition to break AI (Cyberscoop) Fifty minutes to hack ChatGPT: Inside the DEF CON competition to break AI More than 2,000 hackers attacked cutting-edge chatbots to discover vulnerabilities — and demonstrated the challenges for red-teaming AI. https://cyberscoop.com/def-con-ai-hacking-red-team/ ------------------------------ Date: Wed, 23 Aug 2023 09:15:10 -0400 From: Monty Solomon <monty () roscom com> Subject: Hackers exploit WinRAR zero-day bug to steal funds from broker accounts (TechCrunch) https://techcrunch.com/2023/08/23/winrar-zero-day-funds-brokers/ ------------------------------ Date: Wed, 23 Aug 2023 09:21:58 -0400 From: Monty Solomon <monty () roscom com> Subject: Grieving widow sues Tesla over deadly Model 3 crash and explosion (TechCrunch) https://techcrunch.com/2023/08/22/grieving-widow-sues-tesla-over-deadly-model-3-crash-and-explosion/ ------------------------------ Date: Sun, 20 Aug 2023 02:29:17 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: The Case of the Internet Archive vs. Book Publishers (The New York Times) The Dream Was Universal Access to Knowledge. The Result Was a Fiasco. In the pandemic emergency, Brewster Kahle’s Internet Archive freely lent out digital scans of its library. Publishers sued. Owning a book means something different now. Information wants to be free. That observation, first made in 1984, anticipated the Internet and the world to come. It cost nothing to digitally reproduce data and words, and so we have them in numbing abundance. Information also wants to be expensive. The right information at the right time can save a life, make a fortune, topple a government. Good information takes time and effort and money to produce. https://www.nytimes.com/2023/08/13/business/media/internet-archive-emergency-len ding-library.html ------------------------------ Date: Tue, 22 Aug 2023 08:30:49 -0400 From: Monty Solomon <monty () roscom com> Subject: Google announces new algorithm that makes FIDO encryption safe from quantum computers (Ars Technica) https://arstechnica.com/?p=1961906 ------------------------------ From: Monty Solomon <monty () roscom com> Date: Wed, 23 Aug 2023 09:04:40 -0400 Subject: Google and YouTube are trying to have it both ways with AI and copyright (The Verge) Google and YouTube are trying to have it both ways with AI and copyright https://www.theverge.com/2023/8/22/23841822/google-youtube-ai-copyright-umg-scraping-universal ------------------------------ Date: Tue, 22 Aug 2023 10:55:40 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: ICANN warns UN may sideline tech community from future Internet governance (The Register) https://www.theregister.com/2023/08/22/icann_un_digital_compact_warning/ ------------------------------ Date: Mon, 21 Aug 2023 16:32:20 +0000 From: Henry Baker <hbaker1 () pipeline com> Subject: ``We can always turn off bad AI's'': *NOT!* Let's examine this conceit carefully. The very *definition* of *war* is the existential struggle to flip the 'power switch' of your enemy into the 'off' position. If it were so simple to just flip a power switch, the Ukraine war would have been long since over. Those whose very *survival* is at stake won't hesitate to use every means at their disposal -- including AI's -- in order to win their wars. Since preserving one's own power while attacking your enemy's power switch is essential, AI's will be deployed to protect our own (and hence the AI's own) power. What did you think all of this research into using AI's for cyber activities is all about ? What did you think all of this research into using AI's to 'protect the grid' is all about? The highest priority in AI research today is *already* the task of keeping any enemies from turning off our AI's own power. Let's stop being delusional! ------------------------------ Date: Mon, 21 Aug 2023 11:16:51 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: Researchers Demo Fake Airplane Mode Exploit That Tricks iPhone Users (Alex Scroxton) Alex Scroxton, *Computer Weekly*, 17 Aug 2023 Jamf Threat Labs researchers demonstrated an exploit chain that allows attackers to use an artificial 'airplane mode' to remain connected to exposed devices that users believe are offline. The researchers created a fake airplane mode by identifying a specific string in the device's console log, "#N User airplane mode preference changing from kFalse to KTrue," accessing the device's code, and replacing the function with an empty or 'do nothing' function. They also accessed the user interface to add a small piece of code to dim the mobile connectivity icon and highlight the airplane mode icon, then exploited the CommCentre to block mobile data access for certain apps so the user received a "turn off airplane mode" notification. The researchers believe the technique is most likely to be used in a targeted attack. ------------------------------ Date: Sun, 20 Aug 2023 08:56:01 -0400 From: Monty Solomon <monty () roscom com> Subject: American Airlines sues a travel site to crack down on consumers who use this travel hack to save money (APNews) https://apnews.com/article/american-airlines-lawsuit-skiplagging-tickets-905acda8ac5fe302238cefd63ac864e3 ------------------------------ Date: Wed, 23 Aug 2023 11:32:32 -0400 (EDT) From: ACM TechNews <technews-editor () acm org> Subject: Research Hack Reveals Call Security Risk in Smartphones (Texas A&M) Nancy Luedke, Texas A&M Engineering News, 17 Aug 2023 via ACM TechNews, 23 Aug 2023 A multi-institutional team of researchers developed malware to extract caller information by screening vibration data from ear speakers recorded by a smartphone's accelerometers. The researchers used two newer Android phones whose motion-sensor data is retrievable without users' consent. The models' larger speakers also provided more caller information than older models, allowing a machine learning algorithm to infer 45% to 90% of the word regions from their accelerometer data. The researchers learned their EarSpy malware could identify repeat callers with 91.6% accuracy, determine the speaker's gender with 98.6% accuracy, and identify spoken numbers from zero to nine with 56% accuracy. Texas A&M University's Ahmed Tanvir Mahdad said. ------------------------------ Date: Tue, 22 Aug 2023 08:34:12 -0400 From: Monty Solomon <monty () roscom com> Subject: Our health care system may soon receive a much-needed cybersecurity boost (Lily Hay Newman) Lily Hay Newman, *WiReD*, 18 Aug 2023 https://arstechnica.com/?p=1961745 The Advanced Research Projects Agency for Health (Arpa-H), a research support agency within the United States Department of Health and Human Services, said today that it is launching an initiative to find and help fund the development of cybersecurity technologies that can specifically improve defenses for digital infrastructure in US health care. Dubbed the Digital Health Security project, also known as Digiheals, the effort will allow researchers and technologists to submit proposals beginning today through September 7 for cybersecurity tools geared specifically to health care systems, hospitals and clinics, and health-related devices. [...] ------------------------------ Date: Tue, 22 Aug 2023 08:14:47 -0400 From: Monty Solomon <monty () roscom com> Subject: Tesla points to insider wrongdoing as cause of massive employee data leak (The Verge) https://www.theverge.com/2023/8/21/23839940/tesla-data-leak-inside-job-handelsblatt ------------------------------ Date: Mon, 21 Aug 2023 16:58:20 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Wegmans Double Charging Affects Credit Card Customers In VA, DC (Old Town Alexandria VA Patch) A glitch in the Wegmans system one day in August impacted both in-store and online orders, the company said. https://patch.com/virginia/annandale/s/ir98x/wegmans-double-charging-affects-credit-card-customers-in-va-dc Oh, a glitch. OK, then -- that's nobody's fault. ------------------------------ Date: Tue, 22 Aug 2023 08:34:48 -0400 From: Monty Solomon <monty () roscom com> Subject: Buyers of Bored Ape NFTs sue after digital apes turn out to be bad investment (Ars Technica) https://arstechnica.com/?p=1961571 ------------------------------ Date: Tue, 22 Aug 2023 08:32:34 -0400 From: Monty Solomon <monty () roscom com> Subject: Wi-Fi sniffers strapped to drones -- Mike Lindell's odd plan to stop election fraud (Ars Technica) https://arstechnica.com/?p=1961867 [What could possibly go wrong here? My moderator-self decided this was simply the wrong solution to the wrong problem. PGN] ------------------------------ Date: Sun, 20 Aug 2023 18:16:54 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: How X Is Suing Its Way Out of Accountability (WiReD) The social media giant filed a lawsuit against a nonprofit that researches hate speech online. It’s the latest effort to cut off the data needed to expose online platforms’ failings. “The Center for Countering Digital Hate’s research shows that hate and disinformation is spreading like wildfire on the platform under Musk’s ownership, and this lawsuit is a direct attempt to silence those efforts,” says Imran Ahmed, CEO of the CCDH. Experts who spoke to WIRED see the legal action as the latest move by social media platforms to shrink access to their data by researchers and civil society organizations that seek to hold them accountable. “We're talking about access not just for researchers or academics, but it could also potentially be extended to advocates and journalists and even policymakers,” says Liz Woolery, digital policy lead at PEN America, a nonprofit that advocates for free expression. “Without that kind of access, it is really difficult for us to engage in the research necessary to better understand the scope and scale of the problem that we face, of how social media is affecting our daily life, and make it better.” In 2021, Meta blocked researchers at New York University’s Ad Observatory from collecting data about political ads and Covid-19 misinformation. Last year, the company said it would wind down its monitoring tool CrowdTangle, which has been instrumental in allowing researchers and journalists to monitor Facebook. Both Meta and Twitter are suing Bright Data, an Israeli data collection firm, for scraping their sites. (Meta had previously contracted Bright Data to scrape other sites on its behalf.) Musk announced in March that the company would begin charging $42,000 per month for its API, pricing out the vast majority of researchers and academics who have used it to study issues like disinformation and hate speech in more than 17,000 academic studies. https://www.wired.com/story/twitter-x-ccdh-lawsuit-data-crackdown/ ------------------------------ Date: 19 Aug 2023 21:03:11 -0400 From: "John Levine" <johnl () iecc com> Subject: Re: Voyager 2: NASA Didn't Lose Contact With Probe After Sending Wrong Command (Business Insider via Goldberg)
It could mean the end of its 46-year-old mission.
Not really. The command pointed the antenna slightly in the wrong direction, which, since it is so far away, made it lose contact. Fortunately, the people who designed the Voyager probes anticipated that people might make mistakes, and it automatically reorients itself twice a year, which would have put it back in contact in October. A few days later they got a weak carrier signal, which told them that nothing else was wrong. Since the antenna was only slightly off center, they tried yelling at it, sending a command using very high power from one of the earth stations. After waiting 37 hours for the speed of light round trip, Voyager responded -- it had worked and it's back in contact. The Voyager probes were launched 45 years ago, are still operating, and will most likely keep working for a few more years until their radioactive power supplies run down. If you are very careful and have a large budget, you can make extremely reliable equipment. [The non-demise was apparently old news, as noted by Gabe Goldberg Old news: August 4, 2023 https://arstechnica.com/space/2023/08/voyager-2-phones-home-and-says-everything- is-cool/ PGN] ------------------------------ Date: Sun, 20 Aug 2023 10:40:03 +0200 From: Lars-Henrik Eriksson <lhe () it uu se> Subject: Re: Voyager 2: NASA Loses Contact With Probe After ...
[The requirements specifiers, designers, and programmers forgot about "undo"? or required confirmation of questionable inputs? Foresight, forsooth farsight, when it is that FAR AWAY? PGN]
It is difficult to have an undo for something that breaks your communications. Anyway they DID have such foresight, as the probe has a failsafe function that will automatically attempt to restore communications if the probe has been out of touch long enough. (Which was mentioned in the article.) Fortunately, NASA managed to restore communication without waiting for the failsafe function. ------------------------------ Date: Sun, 20 Aug 2023 14:47:31 +0100 From: Martin Ward <mwardgkc () gmail com> Subject: Re: Cellphone Radiation Is Harmful, but Few Want to Believe It
PGN wrote:> Or are they both right, in some quantum-theoretical sense? PGN They could both be "right" in the sense that both results are supported by the data, depending on the interpretation.
There is no known mechanism by which cellphone radiation can cause cancer,
so researchers can look only for correlations between cellphone usage and
increased occurrence of cancer. Some research projects find correlations
and others do not.
But correlation does not imply causation: there are a number of other
factors that might correlate with cellphone usage: e.g., wealth, lifestyle,
diet, age and so on. Some of these factors might also correlate with cancer
risk. So, depending on which factors are accounted for in the analysis, a
correlation between cellphone use and cancer risk could appear or disappear.
------------------------------
Date: 19 Aug 2023 21:19:08 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: Lahaina: single points of failure (RISKS-33.79)
Maui has a population about the same as Salinas CA. Most of its power
comes from diesel generators, but it also has two substantial wind
farms, three small solar farms, two old hydro plants, and two battery
storage plants. It's a small island, there is no "larger grid."
As is usually the case, better management of existing facilities would
have made a great deal of difference. In particular, the power company
had no plan to turn the power off when high winds caused arcing that
started multiple fires. You'd hope that they'd have taken the hint
when exactly the same thing started fires in California last year,
but nope.
If they're going to spend money, burying the lines would be a lot
better use of it than fooling around with microgrids.
------------------------------
Date: Sun, 20 Aug 2023 03:09:30 +0000
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: Lahaina: single points of failure (Levine, RISKS-33.80)
John Levine raises the issue of so-called 'undergrounding' of electrical
power lines.
I'm no apologist for the electrical monopolies, but as an electrical
engineer, I can understand some of the problems that they point out with
underground electrical power transmission installations.
[Levine: Good point. Some of the news reports say that they were planning
to make the power poles stronger, which had they actually done it, would
have provided many of the same benefits at much lower cost.]
Briefly, the issues are:
* Installation costs > 10X overhead cables
* Voltage perhaps 1/10 of overhead cable voltage
* Underground cables require expensive cooling and
insulation
* Trees still cause headaches, only this time it's their
*roots* rather than their *branches & leaves* !
* Underground cables take perhaps 25X as long to fix
* Lifespan of underground cables still only about the
same as that of overhead cables.
Bottom line: distributed *generation*, distributed *storage*,
and microgridding are far superior to long (or short) distance
power *transmission*. Whenever possible, use the shortest
physical distance between generator (solar/wind/nuclear),
storage (battery/pneumatic/water head), and the energy
consumer ('load'). Position datacenters and bitcoin miners
adjacent to the power source & transmit data over fiber
rather than transmit power over expensive cables.
[Levine: Maui is an island 48 miles long and 26 wide at the widest point.
All of the distances are short, all of the fuel is tanked in. While I can
believe there are places that microgrids would make a difference, small
islands aren't them since they're microgrids whether they want to be or
not.]
Computer engineers have long known this: regulators and capacitors on every
bay, every board, every chip. *Distributed* power systems win the day.
Here's a link to a good report:
https://electrical-engineering-portal.com/res3/Undergrounding-high-voltage-electricity-transmission-lines.pdf
"Undergrounding high voltage electricity transmission lines -- The
technical issues"
"Overhead lines are insulated by air, while underground cable conductors
are wrapped in layers of insulating material. Air is the simplest and
cheapest insulation and the heat produced by the electricity flowing
through the bare overhead conductors is removed by the flow of air over
the conductors. When conductors are buried underground, robust insulation
is needed to withstand the very high voltage."
"To compensate for this, underground cables are generally bigger to reduce
their electrical resistance and heat produced."
"For direct buried cables each cable needs to be well-spaced from others
for good heat dissipation. To match overhead line thermal performance for
a 400kV double circuit, as many as 12 separate cables in four separate
trenches may be needed, resulting in a work area up to 65m wide. In
addition, water cooling may be used (see section on Components of
underground cable systems). For cables installed in deep bore tunnels,
cable cooling is provided by forced air ventilation or water cooling."
"If a fault occurs on a 400kV underground cable, it is on average out of
service for a period ***25 times longer*** than 400kV overhead lines.
This is due principally to the long time taken to locate, excavate and
undertake technically involved repairs. These maintenance and repairs also
cost significantly more."
------------------------------
Date: Sun, 20 Aug 2023 13:50:29 -0400
From: Dick Mills <dickandlibbymills () gmail com>
Subject: Re: Lahaina: single points of failure
[Similar comments omitted, but two of Dick's paras are particularly
relevant: PGN]
Underground transmission avoids much of the fire risks, but the per-mile
cost is roughly 600% higher, and they bring other risks. In 1998, Auckland
NZ was dark for 15 weeks because of underground power cables.
https://en.wikipedia.org/wiki/1998_Auckland_power_crisis
If you want to study the reliability of independent microgrids, refer to
archipelagos where each island makes its own power without connections to
other islands. The experience in most cases is that they wish that they
could be interconnected for reliability reasons.
------------------------------
Date: Mon, 21 Aug 2023 13:27:29 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Re: Google/AI -- sundry items PGN-ed
1. Simply by flipping a generative AI switch, #Google has gone from being
THE PLACE to find correct information and useful answers, to being the
place to find potentially dangerous misinformation as well.
Impressive. Most impressive. -L
2.'Benefits of Slavery:' Google's AI Search Gives Ridiculous and Wrong
Answers
3. Also advantages of genocide and how to cook poisonous mushrooms. -L
https://gizmodo.com/google-search-ai-answers-slavery-benefits-1850758631
4. Artificial intelligence is ineffective and potentially harmful for fact
checking https://arxiv.org/abs/2308.10800
------------------------------
Date: Tue, 22 Aug 2023 11:16:12 +0200
From: "Diego.Latella" <diego.latella () isti cnr it>
Subject: Unpacking Cyber Capacity-Building Needs
(S. Dominioni, G. Persi Paoli - UNIDIR)
Published recently:
S. Dominioni - G. Persi Paoli
Unpacking Cyber Capacity-Building Needs - Part I. Mapping the
Foundational Cyber Capabilities
UNIDIR
https://unidir.org/publication/unpacking-cyber-capacity-building-needs-part-i-mapping-foundational-cyber-capabilities
S. Dominioni - G. Persi Paoli
Unpacking Cyber Capacity-Building Needs - Part II. Introducing a
Threat-Based Approach
UNIDIR
https://unidir.org/publication/unpacking-cyber-capacity-building-needs-part-ii-introducing-threat-based-approach
------------------------------
Date: Sat, 1 Jul 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 33.80
************************
Current thread:
- Risks Digest 33.80 RISKS List Owner (Aug 23)