RISKS Forum mailing list archives

Risks Digest 33.81


From: RISKS List Owner <risko () csl sri com>
Date: Sat, 26 Aug 2023 17:50:12 PDT

RISKS-LIST: Risks-Forum Digest  Saturday 26 August 2023  Volume 33 : Issue 81

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.81>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
'Pibot' Better Than Human Pilots Say Researchers (AVweb)
WinRAR 0-day that uses poisoned JPG and TXT files under exploit since April
 (Ars Technica)
Windows 11 has made the *clean Windows* install an oxymoron (Ars Technica)
A Right-to-Repair Car Law Makes a Surprising U-Turn in Massachusetts (WiReD)
How NightOwl for Mac Added a Botnet (Gizmodo)
Whoops: DEA Falls for Crypto Scam, Hands Fraudster $55,000 in Stolen Funds
 (Gizmodo)
Feds Charge Tornado Cash Crypto Mixer Devs With Money Laundering (Gizmodo)
TSA slows push to require additional ID checks for some travelers (WashPost)
The College Board Tells TikTok and Facebook Your SAT Scores (Gizmodo)
Google Passkeys Weakness (Lauren Weinstein)
AI brings researchers one step closer to restoring speech in people with
 paralysis (CBC)
Internet Archiving and Radiocarbon dating (Martin Ward)
Re: Hawaii needs better siren codes (Clive Page)
Re: Buyers of Bored Ape NFTs sue after digital apes turn out to be bad
 investment (Gabe Goldberg)
More detail on Lindell wants to fly drones near polling places to monitor
 voting machines (Gabe Goldberg)
Re: Wegmans Double Charging Affects Credit Card Customers In VA,DC
  (John Levine, Gabe Goldberg, Phil Smith III)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 24 Aug 2023 15:42:02 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: 'Pibot' Better Than Human Pilots Say Researchers (AVweb)

Korean researchers are developing a humanoid “pibot” that looks like a
character from a 1960s science fiction sitcom but unlike most autonomous
flight systems, this one can literally fill in for pilots in any
aircraft. The team at the Korea Advanced Institute of Science and Technology
(KAIST) say their creation can fly a plane without any modifications to the
flight deck. “Pibot is a humanoid robot that can fly an [airplane] just like
a human pilot by manipulating all the single controls in the cockpit, which
is designed for humans,” David Shim, an associate professor of electrical
engineering at KAIST, told Euronews Next.

Pibot has arms and hands with enough dexterity to manipulate controls as
accurately in turbulence as a human, but the team says it has other
capabilities that far outstrip those of mere mortals. For instance, the full
library of Jeppesen charts is stored in memory as are any relevant manuals
and reference material. It also gets real-time video from cameras mounted
inside and outside the flight deck. The data for the aircraft it’s flying is
loaded into that memory without bias learned from other platforms.
Artificial intelligence allows it to understand all that information,
including emergency procedures, and apply it to the mission at hand. “With
the pilot robot, if we teach individual aeroplane configuration, then you
can fly the aeroplane by simply clicking the aeroplane’s type,” Shim told
Euronews Next.

https://www.avweb.com/aviation-news/pibot-better-than-human-pilots-say-researchers/

 [A Pibot might also crank out the digits of pi=3.14... while it was at it.
 PGN]

------------------------------

Date: Fri, 25 Aug 2023 02:16:35 -0400
From: Monty Solomon <monty () roscom com>
Subject: WinRAR 0-day that uses poisoned JPG and TXT files under exploit
 since April (Ars Technica)

https://arstechnica.com/?p=1962625

------------------------------

Date: Thu, 24 Aug 2023 15:35:07 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Windows 11 has made the *clean Windows* install an oxymoron
 (Ars Technica)

Op-ed: PC makers used to need to bring their own add-on bloatware—no longer.

The "out-of-box experience" (OOBE, in Microsoft parlance) for Windows 7
walked users through the process of creating a local user account, naming
their computer, entering a product key, creating a "Homegroup" (a
since-discontinued local file- and media-sharing mechanism), and determining
how Windows Update worked. Once Windows booted to the desktop, you'd find
apps like Internet Explorer and the typical in-box Windows apps (Notepad,
Paint, Calculator, Media Player, Wordpad, and a few other things) installed.

Keeping that baseline in mind, here's everything that happens during the
OOBE stage in a clean install of Windows 11 22H2 (either Home or Pro) if you
don't have active Microsoft 365/OneDrive/Game Pass subscriptions tied to
your Microsoft account:

     * (Mostly) mandatory Microsoft account sign-in.
     * Setup screen asking you about data collection and telemetry settings.
     * (skippable) screen asking you to "customize your experience."
     * prompt to pair your phone with your PC.
     * Microsoft 365 trial offer.
     * 100GB OneDrive offer.
     * $1 introductory PC Game Pass offer.

This process is annoying enough the first time, but at some point down the
line, you'll also be offered what Microsoft calls the "second chance
out-of-box experience," or SCOOBE (not a joke), which will try to get you to
do all of this stuff again if you skipped some of it the first time. This
also doesn't account for the numerous one-off post-install notification
messages you'll see on the desktop for OneDrive and Microsoft 365. (And it's
not just new installs; I have seen these notifications appear on systems
that have been running for months even if they're not signed in to a
Microsoft account, so no one is safe).

And the Windows desktop, taskbar, and Start menu are no longer the pristine
places they once were. Due to the Microsoft Store, you'll find several
third-party apps taking up a ton of space in your Start menu by default,
even if they aren't technically downloaded and installed until you run them
for the first time. Spotify, Disney+, Prime Video, Netflix, and Facebook
Messenger all need to be removed if you don't want them (this list can vary
a bit over time).

https://arstechnica.com/gadgets/2023/08/windows-11-has-made-the-clean-windows-install-an-oxymoron/

------------------------------

Date: Fri, 25 Aug 2023 17:59:18 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: A Right-to-Repair Car Law Makes a Surprising U-Turn in
 Massachusetts (WiReD)

The Biden administration has changed its mind about a Massachusetts state
law giving mechanics and car owners access to more diagnostic data.

https://www.wired.com/story/nhtsa-massachusetts-right-to-repair-letter/

  [Now it will be a Left-Right-to-Repair law?  PGN]

------------------------------

Date: Sat, 26 Aug 2023 10:13:36 -0400
From: Monty Solomon <monty () roscom com>
Subject: How NightOwl for Mac Added a Botnet (Gizmodo)

How a Well-Regarded Mac App Became a Trojan Horse

NightOwl was supposed to make Macs work in dark mode. After a recent update,
one developer discovered it was siphoning users’ data through a botnet.

https://gizmodo.com/how-nightowl-for-mac-added-a-botnet-1850740785

------------------------------

Date: Fri, 25 Aug 2023 02:08:55 -0400
From: Monty Solomon <monty () roscom com>
Subject: Whoops: DEA Falls for Crypto Scam, Hands Fraudster $55,000 in
 Stolen Funds (Gizmodo)

https://gizmodo.com/dea-falls-for-crypto-scam-55-000-dollars-stolen-funds-1850771607

------------------------------

Date: Fri, 25 Aug 2023 02:12:12 -040
From: Monty Solomon <monty () roscom com>
Subject: Feds Charge Tornado Cash Crypto Mixer Devs With Money Laundering
 (Gizmodo)

https://gizmodo.com/tornado-cash-money-laundering-charges-1850767649

------------------------------

Date: Fri, 25 Aug 2023 12:24:10 -0400
From: Monty Solomon <monty () roscom com>
Subject: TSA slows push to require additional ID checks for some travelers
 (WashPost)

Recent reports of new security incidents involving Clear have some lawmakers
concerned that TSA isn't doing enough to keep airports safe.

https://www.washingtonpost.com/transportation/2023/08/10/tsa-clear-enhanced-id-checks/

------------------------------

Date: Sat, 26 Aug 2023 10:08:38 -0400
From: Monty Solomon <monty () roscom com>
Subject: The College Board Tells TikTok and Facebook Your SAT Scores
 (Gizmodo)

Gizmodo’s tests found the higher-ed gatekeeper shares GPAs, SAT scores, and
other data with big tech.

https://gizmodo.com/sat-college-board-tells-facebook-tiktok-your-scores-gpa-1850768077

------------------------------

Date: Sat, 26 Aug 2023 10:50:04 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Google Passkeys Weakness

[...] I'll note here the fundamental issue. In their promotion of passkeys,
Google attempts to gloss over a key weakness (no pun intended) in their
passkey implementation, and in my discussions with them to try to "minimize"
the importance of this problem.

Google's current passkey implementation is completely dependent on the
device security on which passkeys have been deployed. Google has not
provided any mechanism for secondary passwords or other authentication
methods to specifically protect passkeys if a device is compromised.

Every day, many devices are stolen and their access authentication bypassed,
sometimes by thieves who see the actual authentication sequence before
stealing phones, etc., sometimes since the user has set relatively weak
authentication in the first place.

This means that once access is gained to the phone past the device
security level, there is no additional protection available for the
passkeys that can give access to every user account that is passkey
protected via that device.

That's the executive summary. The details are lengthy.

------------------------------

Date: Sat, 26 Aug 2023 09:07:54 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: AI brings researchers one step closer to restoring speech in people
 with paralysis (CBC)

https://www.cbc.ca/news/health/paralysis-brain-speech-1.6943743

New technology is 'big advance' in interpreting brain signals to let
someone speak, say researchers

  [``Close is for horseshoes.''  If it is as unreliable as ChatBots, it may
  be useful only for horses' asses.  In this and other potentially
  life-critical applications, we desperately need evidence-based AI. PGN]

------------------------------

Date: Thu, 24 Aug 2023 11:16:09 +0100
From: Martin Ward <mwardgkc () gmail com>
Subject: Internet Archiving and Radiocarbon dating

Radiocarbon dates are defined as the number of years BP "before present"
meaning the number of years before 1 Jan 1950.  This is partly because soon
after 1950, large scale atmospheric testing of nuclear weapons altered the
global ratio of carbon-14 to carbon-12.

A similar epoch is currently occurring with the Internet as vast
quantities of AI generated information, and misinformation,
are being poured into web sites and message boards with no reliable
way to distinguish AI generated and human generated content.

This means that The Internet Archive is now a priceless resource:
it contains a copy of the last remaining version of the Internet
consisting of text almost entirely generated by humans and not
tainted by AI language models. Any future AI large language models
which make use of current or later Internet content, will be unable
to avoid the vicious feedback caused by training an AI on AI
generated content.

------------------------------

Date: Thu, 24 Aug 2023 15:24:58 +0100
From: Clive Page <clivegpage () gmail com>
Subject: Re: Hawaii needs better siren codes

You note in RISKS-33.79 that the warning sirens in Lahaina might not have
been activated because they were just designed to warn of a tsunami which
might have prompted a dangerous response.  Clearly a range of siren codes
ought to have been set up and widely advertised, besides just 'tsunami' and
(I assume) an 'all clear'.

When I first visited Hawaii some years ago, I stayed in a hotel in Hilo
where there were prominent warning posters explaining the four possible
emergency warnings and what to do about them:

1. A tsunami: run to high ground well away from the coast.

2. A volcanic eruption: get as far from the volcano as possible, i.e. the
   exact opposite.

3. An earthquake: get out of the building fast as the main risk is from
   falling masonry.

4. A severe storm or hurricane: get well inside the building away from
   windows.

I concluded that Hawaii was a dangerous place and that nowhere was safe. 
But notably the risk of wild fires was not on that list.

------------------------------

Date: Thu, 24 Aug 2023 14:19:39 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Re: Buyers of Bored Ape NFTs sue after digital apes turn out to be
 bad investment (Ars Technica, RISKS-33.80)

Lawsuit: Sotheby's $24M sale to FTX gave Bored Ape NFTs "an air of
legitimacy."

The Sotheby's auction house has been named as a defendant in a lawsuit filed
by investors who regret buying Bored Ape Yacht Club NFTs that sold for
highly inflated prices during the NFT craze in 2021. A Sotheby's auction
duped investors by giving the Bored Ape NFTs "an air of legitimacy... to
generate investors' interest and hype around the Bored Ape brand," the
class-action lawsuit claims.

The boost to Bored Ape NFT prices provided by the auction "was rooted in
deception," said the lawsuit filed in US District Court for the Central
District of California. It wasn't revealed at the time of the auction that
the buyer was the now-disgraced FTX, the lawsuit said.

"Sotheby's representations that the undisclosed buyer was a 'traditional'
collector had misleadingly created the impression that the market for BAYC
NFTs had crossed over to a mainstream audience," the lawsuit
claimed. Lawsuit plaintiffs say that harmed investors bought the NFTs "with
a reasonable expectation of profit from owning them."

Sotheby's sold a lot of 101 Bored Ape NFTs for $24.4 million at its "Ape
In!" auction in September 2021, well above the pre-auction estimates of $12
million to $18 million. That's an average price of over $241,000, but Bored
Ape NFTs now sell for a floor price of about $50,000 worth of ether
cryptocurrency, according to CoinGecko data accessed today.

https://arstechnica.com/tech-policy/2023/08/buyers-of-bored-ape-nfts-sue-after-digital-apes-turn-out-to-be-bad-investment/

------------------------------

Date: Thu, 24 Aug 2023 15:05:56 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: More detail on Lindell wants to fly drones near polling places to
 monitor voting machines (RISKS-33.80)

Election conspiracy theorist Mike Lindell claims he's going to stop voting
fraud by flying drones near polling places to determine whether voting
machines are connected to the Internet.

Lindell, the My Pillow CEO who helped finance Donald Trump's baseless
election protests, "demonstrated" the technology at an event he hosted in
Missouri this week (see video). Lindell's innovation appears to be a
wireless sniffing device mounted on a drone, apparently attached with
velcro.

"This was the lie that's been told to every person in our country...  these
electronic voting machines—from routers to printers to polling books—they're
not online. Well, what if I told you there was a device that's been made for
the first time in history that can tell you that that machine was online?"

The drone flew into the building and onto the stage, with Lindell pulling
the device off the drone and telling the audience, "This wireless monitoring
device, it just grabbed all of your cell phones, everybody in this room,
every device that's on the Internet right now."

The flying wireless monitor may have impressed Lindell's audience, but there
doesn't appear to be any major advance in network monitoring technology
here. Lindell said the gadget, which he calls a "WMD" for "Wireless
Monitoring Device," detects nearby Wi-Fi networks and MAC addresses.

"Now we've got a way to monitor; we've never had this before in history.
They can't lie to us anymore," Lindell said. "For this fall's election, we
want to get every single parish in Louisiana covered, we're doing this right
now." A Daily Beast article said Lindell's plan might violate Louisiana
state laws on criminal trespassing and the use of unmanned aircraft to
conduct surveillance. Lindell claimed he's already used the device in
Florida.

https://arstechnica.com/tech-policy/2023/08/wi-fi-sniffers-strapped-to-drones-mike-lindells-odd-plan-to-stop-election-fraud/

  The risk? A stomach ache from laughing at wonderful/scathing comments,
  like:

  There's a lot of stupidity to parse here, but did anyone think to tell him
  that the acronym WMD has some ... shall we say, historical baggage to
  consider?

------------------------------

Date: 24 Aug 2023 11:48:03 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: Wegmans Double Charging Affects Credit Card Customers In VA,
 DC (RISKS-33.80)

The article said that Wegmans notified the customers when they could
(presumably when the sale was tied to a frequent shopper account) and
reversed all of the dup charges. What else would you expect them to do?

Given how much duct tape and baling wire there is in the way credit cards
are processed, it's surprising it doesn't happen more often.  Double posting
is a well known database problem that gets harder to avoid as the
transaction rate increases, since the customers don't want to wait for a
full three-way handshake.

------------------------------

Date: Thu, 24 Aug 2023 14:16:37 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Re: Wegmans Double Charging Affects Credit Card Customers In
 VA, DC (RISKS-33.81)

They handled it correctly, but blaming a "glitch" makes it sound like -- oh
well, stuff happens. Nothing to see here, move along. No, someone made a
mistake or a system failed. "Glitch" is weasel language disclaiming
responsibility.

I was just double charged by a restaurant -- amounts before and after
tip. That wasn't a "glitch", someone made a mistake or a system failed.

------------------------------

Date: Thu, 24 Aug 2023 14:29:15 -0400
From: "Phil Smith III" <phs3 () akphs com>
Subject: Re: Wegmans Double Charging Affects Credit Card Customers In
 VA, DC (RISKS-33.80)

The way charge settlement works, there's no "wait for three-way
handshake". It's:
- auth request, approved or denied in real time
- settlement hours later

What this probably means is that they did double settlement for some reason,
in both cases. Now that might be because their processor screwed up and gave
a failure indicator when it actually worked; we'll never know.

The scary/sad part is that in days of yore, there would be logs *and someone
tasked with giving a **** about them* so when this happens, there would be a
way to track it down and figure it out. That's assuming the bogus failure
indicator case, not just human error -- but if it happens often enough, it
would be worth the processor's while to do things like compare batches and
say "Hey, these are the same".

Actually, now that I think more on it, the settlement includes the approval,
so this is arguably 100% the processor's fault: they should have said "BTDT, not
gonna run this one again".

Or if the Wegmans back-end system (which they'll have, unlike Gabe's small
restaurant) did double approvals, the processor could have heuristics that
say "This type business is hella unlikely to produce identical amounts for
the same card, flag it" (unlike, say, McDonald's, where a large drink might
get ordered repeatedly.)
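
Added example, not part of the original post and not any processor's actual code: a sketch of the three processor-side checks discussed in this thread (reject a resubmitted batch, refuse to settle the same approval twice, and flag identical card/amount pairs at a business type where repeats are unlikely). The record fields, category names, 10-minute window and hold-for-review behavior are all assumptions.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta

REPEAT_PRONE = {"fast_food"}      # assumed categories where repeats are normal
WINDOW = timedelta(minutes=10)    # assumed look-back for the heuristic

@dataclass(frozen=True)
class Settlement:
    auth_id: str          # approval reference from the real-time auth step
    card_token: str       # constructed token, not a card number
    amount_cents: int
    merchant: str
    category: str
    approved_at: datetime

def batch_fingerprint(batch):
    """Order-independent digest, so a resubmitted copy of a batch matches."""
    rows = sorted((s.auth_id, s.card_token, s.amount_cents, s.merchant) for s in batch)
    return hashlib.sha256(repr(rows).encode()).hexdigest()

class Processor:
    def __init__(self):
        self.seen_batches = set()   # fingerprints of batches already run
        self.settled_auths = set()  # approvals that have already settled
        self.recent = {}            # (card, merchant, amount) -> approval time

    def settle(self, batch):
        """Return (posted, rejected, flagged) lists of auth_ids."""
        fp = batch_fingerprint(batch)
        if fp in self.seen_batches:              # "Hey, these are the same"
            return [], [s.auth_id for s in batch], []
        self.seen_batches.add(fp)
        posted, rejected, flagged = [], [], []
        for s in batch:
            if s.auth_id in self.settled_auths:  # approval already settled once
                rejected.append(s.auth_id)
                continue
            key = (s.card_token, s.merchant, s.amount_cents)
            prev = self.recent.get(key)
            if (prev is not None and s.category not in REPEAT_PRONE
                    and abs(s.approved_at - prev) <= WINDOW):
                flagged.append(s.auth_id)        # possible double approval: hold
                continue
            self.settled_auths.add(s.auth_id)
            self.recent[key] = s.approved_at
            posted.append(s.auth_id)
        return posted, rejected, flagged

def demo():
    t0 = datetime(2023, 8, 20, 12, 0)            # constructed sample data
    batch1 = [
        Settlement("A1", "tok_1", 8412, "grocer-17", "grocery", t0),
        Settlement("A2", "tok_2", 2350, "grocer-17", "grocery", t0),
        Settlement("A3", "tok_1", 8412, "grocer-17", "grocery", t0 + timedelta(minutes=2)),
        Settlement("B1", "tok_3", 199, "burger-04", "fast_food", t0),
        Settlement("B2", "tok_3", 199, "burger-04", "fast_food", t0 + timedelta(minutes=1)),
    ]
    batch2 = [batch1[1], Settlement("A4", "tok_4", 990, "grocer-17", "grocery", t0)]
    p = Processor()
    return p.settle(batch1), p.settle(list(reversed(batch1))), p.settle(batch2)

if __name__ == "__main__":
    print(demo())
```

In the constructed data, A3 is a second approval for the same card and amount at the grocer and is held for review, while the repeated fast-food charge B2 posts normally; the reordered copy of the first batch is rejected whole, and A2 is refused when it reappears in a later batch.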

------------------------------

Date: Sat, 1 Jul 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.81
************************

