RISKS Forum mailing list archives

Risks Digest 34.01


From: RISKS List Owner <risko () csl sri com>
Date: Sat, 30 Dec 2023 21:18:15 PST

RISKS-LIST: Risks-Forum Digest  Saturday 30 December 2023  Volume 34 : Issue 01

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.01>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: Apologies for hiatus.  Network outage in a real shutdown.
DRM bricks Polish trains (404media)
Rise of AI fake news is creating a misinformation superspreader (WashPost)
Coffee Cty, GA missing laptop may impact Trump, Curling cases
 (Douglas Lucas)
Michael Cohen Used Artificial Intelligence in Feeding Lawyer Bogus Cases
 (NYTimes)
Splitting a Large AI Across Several Devices Lets You Run It in Private
 (New Scientist)
The Times Sues OpenAI and Microsoft Over AI Use of Copyrighted Work
 (NYTimes)
Six Big Questions for Generative AI (Tech Review)
FTC slams Rite Aid for misuse of facial recognition technology in stores
 (The Washington Post)
More people at risk as Ontario public bodies face growing wave of
 cyberattacks, experts say (CBC)
New AI model can predict human lifespan, researchers say.
 They want to make sure it's used for good (phys.org)
BBC has the miraculous report of an AI that is capable of learning. (BBC)
A New Kind of AI Copy Can Fully Replicate Famous People (Politico)
AI in the Machine Internet (Dana F. Blankenhorn)
Chinese Spy Agency Rising to Challenge the CIA (NYTimes)
Open-Source Chip Design Takes Hold in Silicon Valley (WSJ)
Operation Triangulation: The last 'hardware' mystery (Securelist)
TERRAPIN: SSH protects the world's most sensitive networks. It just got a
 lot weaker (Ars Technica)
TERRAPIN and SSH Prefix Truncation Attack (Bob Gezelte)
GTA 6 hacker handed indefinite hospital order (Lapsus$)
Xfinity waited to patch critical Citrix Bleed 0-day. Now it's paying the
 price (Ars Technica)
The 2010 Census Confidentiality Protections Failed, Here's How and Why
 (Arxiv)
Quantum Computing's Hard, Cold Reality Check* (IEEE)
It's easier to convince kids than adults about quantum mechanics
 (Physicist Bob Coecke)
FCPD Combats Crypto-Related Scams: How to Avoid Falling Victim to Fraud
 (Fairfax County Police Department News)
Israeli hackers shut down 70% of Iran's gas stations (Times of Israel)
Blog post on CSAE and E2EE (Susan Landau)
The Disturbing Impact of the Cyberattack at the British Library
 (The New Yorker)
Data for nearly 36 million Comcast customers leaked to hackers
 (Ars Technica)
Online searches to evaluate misinformation can increase its perceived
 veracity (Nature)
The 2023 Good Tech Awards (The NYTimes)
Do you need git or Subversion? (Cliff Kilby)
iPhone Thief Explains How He Breaks Into Your Phone (WSJ)
Former White House scientist was scammed out of $650K and must pay taxes
 (The Washington Post)
Re: Ex-Amazon security engineer admits to stealing over $12M in crypto
 (Gabe Goldberg)
Re: What to do when receiving unprompted MFA OTP codes (Joseph Gwinn)
Re: WeWork has failed, leaving damage in its wake (Martin Ward)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: 17 Dec 2023 23:09:02 -0500
From: "John Levine" <johnl () iecc com>
Subject: DRM bricks Polish trains (404media)

Some Polish trains were sent for routine maintenance, after which they would
not run even though nothing was evidently wrong. As a last resort, the
railway hired the Dragon Sector hacking group which analysed the trains'
software and found code that made the trains fail if their GPS said they'd
been in a list of locations that happened to match repair shops not run by
the trains' manufacturer.

NEWAG, the manufacturer, denies everything and has sued them for slander.

https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/

https://www.404media.co/polish-hackers-repaired-trains-the-manufacturer-artificially-bricked-now-the-train-company-is-threatening-them/

------------------------------

Date: Sun, 17 Dec 2023 22:29:07 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: Rise of AI fake news is creating a misinformation superspreader
 (WashPost)

www.washingtonpost.com

Artificial intelligence is automating the creation of fake news, spurring an
explosion of websites that can disseminate false information about wars and
elections

https://www.washingtonpost.com/technology/2023/12/17/ai-fake-news-misinformation/

------------------------------

Date: Tue, 19 Dec 2023 13:31:53 -0800
From: Douglas Lucas <dal () riseup net>
Subject: Coffee Cty, GA missing laptop may impact Trump, Curling cases

On 19 Dec, the Daily Dot published my new investigative article digging into
the mystery of the missing silver laptop that Coffee County, Georgia -- home
of the infamous January 2021 elections office breach captured on
surveillance film -- is going to the mat not to turn over, not to even
find. This laptop was used extensively by Trump co-defendant and
then-election supervisor Misty Hampton, charged for facilitating the
MAGA-led intrusions. If found, the laptop's contents would likely impact two
cases in Atlanta courthouses: Trump's criminal one over election
interference, and the long-running federal civil suit *Curling v.
Raffensperger*, in which plaintiffs seek to force the state to abandon
mandatory electronic ballots and, in most circumstances, employ instead
hand-marked paper ones.

Here's the link for my investigative article:
https://www.dailydot.com/news/missing-laptop-trump-case-georgia/

Also on 19 Dec, I self-published an accompanying blog post that includes
several of the cut passages as well as, for the first time, four previously
unreleased surveillance stills. My blog post has a ton of additional
information, including a longtime area lawyer's proposal that the county
adopt independent (not conflicted) and possibly pro bono counsel to aid the
elections board and public with an internal inquiry into the breach and its
aftermath.

Here's the link for my blog post, the deleted scenes if you will:
https://douglaslucas.com/blog/2023/12/19/extra-material-dailydot-investigative-article-laptop/

I worked on this for something like half a year. There's a lot of material
that RISKS may be interested in. Mysteries surrounding the .ost file, the
Microsoft Office 365 licenses, the county refusing to back up official files
on the elections desktop computer, as required by law, when the Georgia
Bureau of Investigation came knocking, they say because they feared
accusations of tampering. One of the most interesting aspects is lawyers
that are more powerful than the people they represent, the de jure vs de
facto power landscape of the county, and how all this can fester and get
worse when the underlying digital data, in full, headers, signatures,
everything, is not out in the open. The opacity allows the overpowered
lawyers and county manager to run the show, merely claiming this, claiming
that, until enough strength shows up to enforce, you know, Rules of
Evidence.

------------------------------

Date: Fri, 29 Dec 2023 12:05:03 -0800
From: Jan Wolitzky <jan.wolitzky () gmail com>
Subject: Michael Cohen Used Artificial Intelligence in Feeding Lawyer
 Bogus Cases (NYTimes)

*The New York Times*, 30 Dec 2023, Front-page story (PGN-ed)
Benjamin Weiser and Jonah Bromwich

Michael D. Cohen, the onetime fixer for former President Donald J. Trump,
said in court papers unsealed on Friday that he had mistakenly given his
lawyer bogus legal citations generated by the artificial intelligence
program Google Bard.

The fictitious citations were used by Mr. Cohen's lawyer in a motion
submitted to a federal judge, Jesse M. Furman. Mr. Cohen, who pleaded guilty
in 2018 to campaign finance violations and served time in prison, had asked
the judge for an early end to the court's supervision of his case now that
he is out of prison and has complied with the conditions of his release.

In a sworn declaration made public on Friday, Mr. Cohen explained that he
had not kept up with ``emerging trends (and related risks) in legal
technology and did not realize that Google Bard was a generative text
service that, like ChatGPT, could show citations and descriptions that
looked real but actually were not.''

https://www.nytimes.com/2023/12/29/nyregion/michael-cohen-ai-fake-cases.html

  [Lauren Weinstein had a note on this:   Most ordinary folks do *not
  understand* what AI and Large Language Models are about. They don't read
  the AI company disclaimers that the firms know are basically there to try to
  protect the firms -- not the users.  PGN]

    [But Michael Cohen was no ordinary person.  Perhaps Google Bard also
    wrote all of ``shakespeare'' (The Bard) retroactively?  The illiterate
    Willem Shaksper certainly didn't.  PGN]

  [Gabe Goldberg commented, When will they ever learn...  PGN]

------------------------------

Date: Fri, 22 Dec 2023 11:35:51 -0500 (EST)
From: ACM TechNews <technews-editor () acm org>
Subject: Splitting a Large AI Across Several Devices Lets You Run It
 in Private (New Scientist)

Jeremy Hsu, *New Scientist*, 15 Dec 2023, via ACM TechNews

An AI system based on large language models (LLMs) developed by University
of California, Irvine researchers can be used locally via smartphone,
eliminating reliance on a cloud service's datacenters and permitting LLM
queries without having to share sensitive personal information. The
LinguaLinked system splits the LLM's computations among several smartphones
based on the phones' available memory and network connectivity. The
researchers used the system to run BLOOM LLMs on four commercial phones,
with an average AI processing speed per token of 2 seconds on a small AI
model with 1.1 billion parameters, and 4 seconds on a larger model with 3
billion parameters.

  [This could increase trustworthiness for oneself if one is very careful,
  but could also make it much more difficult for others who won't know
  anything about that trustworthiness -- or the lack thereof.  PGN]

------------------------------

Date:   Thu, 28 Dec 2023 08:13:43 +0900
From:   David Farber <farber () keio jp>
Subject: The Times Sues OpenAI and Microsoft Over AI Use of Copyrighted Work
 (NYTimes)

https://www.nytimes.com/2023/12/27/business/media/new-york-times-open-ai-microsoft-lawsuit.html?smid=nytcore-ios-share&referringSource=articleShare

------------------------------

Date: Sat, 23 Dec 2023 13:44:36 PST
From: Peter Neumann <neumann () csl sri com>
Subject: Six Big Questions for Generative AI (Tech Review)

Will Douglas Heaven, MIT Technology Review, Jan/Feb 2024, pp. 30-37

1. Will we ever mitigate the bias problem?
2. How will AI change the way we apply copyright?
3. How will it change our jobs?
4. What misinformation will it make possible?
5. Will we come to grips with its costs?
6. Will doomerism continue to dominate policymaking?

------------------------------

Date: Wed, 20 Dec 2023 00:04:20 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: FTC slams Rite Aid for misuse of facial recognition technology in
 stores (The Washington Post)

A landmark settlement over the pharmacy chain's use of the surveillance
technology could raise further doubts about facial recognition's use in
stores, airports and other venues

The FTC said huge errors were commonplace. Between December 2019 and July
2020, the system generated more than 2,000 *Match Alerts* for the same
person in faraway stores around the same time, even though the scenarios
were *impossible or implausible*, the FTC said.

In one case, Rite Aid's system generated more than 900 *match alerts* for a
single person over a five-day period across 130 different stores, including
in Seattle, Detroit and Norfolk, regulators said.

The system generated thousands of false matches, and many of them involved
the faces of women, Black people and Latinos, the FTC said.  Federal and
independent researchers in recent years have found that those groups are
more likely to be misidentified by facial-recognition software, though the
technology's boosters say the systems have since improved.

https://www.washingtonpost.com/technology/2023/12/19/ftc-rite-aid-facial-recognition

------------------------------

Date: Sat, 23 Dec 2023 09:53:18 -0700
From: Matthew Kruk <mkrukg () gmail com>
Subject: More people at risk as Ontario public bodies face growing wave of
 cyberattacks, experts say (CBC)

https://www.cbc.ca/news/canada/toronto/cybersecurity-ontario-incidents-2023-1.7048495

------------------------------

Date: Sun, 24 Dec 2023 13:11:30 +0000
From: Richard Marlon Stein <rmstein () protonmail com>
Subject: New AI model can predict human lifespan, researchers say.
 They want to make sure it's used for good (phys.org)

https://phys.org/news/2023-12-ai-human-lifespan-good.html

"Even though we're using prediction to evaluate how good these models are,
the tool shouldn't be used for prediction on real people."

Ripe for commercial exploitation. Hospitals and insurance companies might
find this model enables cherry picking of patients (ER patient dumping) and
policy price schedules.

  [The old dual-use problem: Anything that can be used for good can be used
  for bad.  That should have been a corollary of Murphy's Law. PGN]

------------------------------

Date: Fri, 22 Dec 2023 18:38:21 -0500
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: BBC has the miraculous report of an AI that is capable of learning.
 (BBC)

https://www.bbc.com/news/business-67748255

In other slightly less miraculous news, generative modeling is now capable
of doing what used to be done by hand faster than when it was done by hand.
This is improving flood hazard prediction.  I would add to that prediction:
flood insurance premiums are likely to rise.  Umbrella disclaimer,

------------------------------

Date: Sat, 30 Dec 2023 09:16:40 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: A New Kind of AI Copy Can Fully Replicate Famous People (Politico)

The Law Is Powerless.

New AI-generated digital replicas of real experts expose an unnerving policy
gray zone. Washington wants to fix it, but it’s not clear how.

Martin Seligman, the influential American psychologist, found himself
pondering his legacy at a dinner party in San Francisco one late February
evening. The guest list was shorter than it used to be: Seligman is 81, and
six of his colleagues had died in the early Covid years. His thinking had
already left a profound mark on the field of positive psychology, but the
closer he came to his own death, the more compelled he felt to help his work
survive.

The next morning he received an unexpected email from an old graduate
student, Yukun Zhao. His message was as simple as it was astonishing: Zhao's
team had created a *virtual Seligman*.

Zhao wasn't just bragging. Over two months, by feeding every word Seligman
had ever written into cutting-edge AI software, he and his team had built an
eerily accurate version of Seligman himself -- a talking chatbot whose
answers drew deeply from Seligman’s ideas, whose prose sounded like a
folksier version of Seligman’s own speech, and whose wisdom anyone could
access.

Impressed, Seligman circulated the chatbot to his closest friends and family
to check whether the AI actually dispensed advice as well as he did. “I gave
it to my wife and she was blown away by it,” Seligman said.

The bot, cheerfully nicknamed “Ask Martin,” had been built by researchers
based in Beijing and Wuhan — originally without Seligman’s permission, or
even awareness.

The Chinese-built virtual Seligman is part of a broader wave of AI chatbots
modeled on real humans, using the powerful new systems known as large
language models to simulate their personalities online. Meta is
experimenting with licensed AI celebrity avatars
<https://www.theverge.com/2023/9/27/23891128/meta-ai-assistant-characters-whatsapp-instagram-connect>;
you can already find internet chatbots trained on publicly available
material about dead historical figures <https://www.hellohistory.ai>.

But Seligman’s situation is also different, and in a way more unsettling. It
has cousins in a small handful of projects that have effectively replicated
living people without their consent. In Southern California, tech
entrepreneur Alex Furmansky created a chatbot version of Belgian celebrity
psychotherapist Esther Perel by scraping her podcasts off the internet. He
used the bot to counsel himself through a recent heartbreak, documenting his
journey in a blog post
<https://magneticgrowth.substack.com/p/esther-perel-generative-ai-bot> that
a friend eventually forwarded to Perel herself.  [...]

https://www.politico.com/news/magazine/2023/12/30/ai-psychologist-chatbot-00132682

------------------------------

Date: Wed, 27 Dec 2023 17:19:05 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: AI in the Machine Internet (Dana F. Blankenhorn)

Everything is a System. Every system can be more efficient with AI

https://danafblankenhorn.substack.com/p/ai-in-the-machine-internet

  [Everything is indeed a system.  Every system can also be less
  trustworthy with AI.  Cassandra-PGN]

------------------------------

Date: Sat, 30 Dec 2023 00:58:02 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Chinese Spy Agency Rising to Challenge the CIA (NYTimes)

The ambitious Ministry of State Security is deploying AI and other advanced
technology to go toe-to-toe with the United States, even as the two nations
try to pilfer each other's scientific secrets.

https://www.nytimes.com/2023/12/27/us/politics/china-cia-spy-mss.html?smid=nytcore-ios-share&referringSource=articleShare

------------------------------

Date: Wed, 20 Dec 2023 11:47:32 -0500 (EST)
From: ACM TechNews <technews-editor () acm org>
Subject: Open-Source Chip Design Takes Hold in Silicon Valley (WSJ)

Belle Lin, The Wall Street Journal (12/14/23), via ACM TechNews

Because RISC-V, the open-source standard developed in 2010 for designing
semiconductors, is free, it allows for the development of lower-cost,
potentially more efficient processors for artificial intelligence and mobile
devices. Google and Meta have said the open standard enables greater
customization. Forrester Research's Glenn O'Donnell said RISC-V is
particularly attractive for companies because it does not require upfront
licensing fees. However, Dell's John Roese said the "middleware" software
supporting RISC-V has not been fully developed for datacenters and other
high-performance applications. Roese explained, "Until you have enough of a
software and developer ecosystem, these things stay very niche."

------------------------------

Date: Thu, 28 Dec 2023 02:49:07 +0000
From: Victor Miller <victorsmiller () gmail com>
Subject: Operation Triangulation: The last 'hardware' mystery
 (Securelist)

https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/

------------------------------

Date: Tue, 19 Dec 2023 10:39:14 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: TERRAPIN: SSH protects the world's most sensitive networks. It just
 got a lot weaker (Ars Technica)

TERRAPIN: SSH protects the world's most sensitive networks. It just
got a lot weaker

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

  [Also noted by Victor Miller.  PGN]

------------------------------

Date: Thu, 21 Dec 2023 00:26:32 -0500
From: Bob Gezelter <gezelter () rlgsc com>
Subject: TERRAPIN and SSH Prefix Truncation Attack

ArsTechnica reported that Terrapin, a man-in-the-middle attack against the
widely used SSH protocol, is feasible in combination with widely used
"ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC" encryption modes.

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
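
A defender reading the item above will want to know whether their own
servers still offer the two modes it names. The following is an added
example, not code from the Ars Technica article or from the Terrapin
researchers: it reads an sshd_config and reports whether
ChaCha20-Poly1305 or a CBC cipher combined with an Encrypt-then-MAC MAC is
on offer. It assumes OpenSSH's spelling of the algorithm names, the default
Ciphers and MACs lists of recent OpenSSH releases (listed in the code and
to be adjusted for the version actually deployed), no Match blocks and no
wildcard patterns in '-' removals; the three sample configurations are
constructed.

```python
"""Added example: flag an sshd_config that still offers ChaCha20-Poly1305
or CBC ciphers together with Encrypt-then-MAC MACs.

Assumptions: OpenSSH algorithm-name spellings, the assumed default lists
below, no Match blocks, no wildcard patterns in '-' removals."""
import re

CHACHA = "chacha20-poly1305@openssh.com"

# Assumed defaults of a recent OpenSSH server (what applies when the
# keyword is absent). Adjust to the version actually deployed.
DEFAULT_CIPHERS = [
    CHACHA, "aes128-ctr", "aes192-ctr", "aes256-ctr",
    "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
]
DEFAULT_MACS = [
    "umac-64-etm@openssh.com", "umac-128-etm@openssh.com",
    "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com",
    "hmac-sha1-etm@openssh.com", "umac-64@openssh.com",
    "umac-128@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1",
]


def parse_sshd_config(text):
    """Map lower-cased keyword -> value. sshd honours the first occurrence
    of a keyword, so later duplicates are ignored here as well."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings


def effective_list(value, default):
    """Resolve an algorithm list the way OpenSSH does: a plain list
    replaces the default, '+' appends to it, '^' prepends to it and
    '-' removes from it."""
    if value is None:
        return list(default)
    marker = value[0] if value and value[0] in "+-^" else ""
    algos = [a.strip().lower() for a in value[len(marker):].split(",") if a.strip()]
    if marker == "+":
        return list(default) + algos
    if marker == "^":
        return algos + list(default)
    if marker == "-":
        return [a for a in default if a not in algos]
    return algos


def terrapin_exposure(config_text):
    """Return a list of human-readable findings; an empty list means
    neither affected mode is offered."""
    settings = parse_sshd_config(config_text)
    ciphers = effective_list(settings.get("ciphers"), DEFAULT_CIPHERS)
    macs = effective_list(settings.get("macs"), DEFAULT_MACS)
    findings = []
    if CHACHA in ciphers:
        findings.append(f"offers {CHACHA}")
    cbc = [c for c in ciphers if c.endswith("-cbc")]
    etm = [m for m in macs if m.endswith("-etm@openssh.com")]
    if cbc and etm:
        findings.append(
            f"offers CBC ciphers {cbc} together with Encrypt-then-MAC MACs {etm}")
    return findings


# Constructed sample configurations.
DEFAULT_CONFIG = "Port 22\nPasswordAuthentication no\n# Ciphers and MACs left at defaults\n"
CBC_ETM_CONFIG = "Ciphers aes256-cbc,aes256-ctr\nMACs hmac-sha2-256-etm@openssh.com,hmac-sha2-256\n"
HARDENED_CONFIG = "Ciphers aes256-gcm@openssh.com,aes128-ctr\nMACs hmac-sha2-256,hmac-sha2-512\n"

if __name__ == "__main__":
    for name, text in [("default", DEFAULT_CONFIG), ("cbc+etm", CBC_ETM_CONFIG),
                       ("hardened", HARDENED_CONFIG)]:
        print(name, terrapin_exposure(text) or ["no affected mode offered"])
```

The point of the default-list handling is that an sshd_config with no
Ciphers line at all is the common case, and it is exactly the case where
the ChaCha20-Poly1305 finding applies; a '-' removal of that one name is
enough to change the result, which the check reports correctly.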

------------------------------

Date: Fri, 22 Dec 2023 09:44:58 +0000
From: Victor Miller <victorsmiller () gmail com>
Subject: GTA 6 hacker handed indefinite hospital order (Lapsus$)

https://www.bbc.com/news/technology-67663128

------------------------------

Date: Thu, 21 Dec 2023 03:37:32 +0000
From: Victor Miller <victorsmiller () gmail com>
Subject: Xfinity waited to patch critical Citrix Bleed 0-day. Now it's
 paying the price (Ars Technica)

https://arstechnica.com/security/2023/12/hack-of-unpatched-comcast-servers-results-in-stolen-personal-data-including-passwords/

------------------------------

Date: Thu, 21 Dec 2023 13:42:06 +0000
From: Victor Miller <victorsmiller () gmail com>
Subject: The 2010 Census Confidentiality Protections Failed, Here's How and
 Why (Arxiv)

https://arxiv.org/abs/2312.11283

------------------------------

Date: December 27, 2023 10:38:40 JST
From: Rod Van Meter <rdv () sfc wide ad jp>
Subject: Quantum Computing's Hard, Cold Reality Check* (IEEE)

  [Victor Miller noted this item:
  https://spectrum.ieee.org/quantum-computing-skeptics
  Rod replied to a separate posting from Dave Farber.  PGN]

Just a few comments on the overall thrust rather than detailed comments, so
rather than top-posting I just deleted the content. You may both post this
to your lists if you like.

As a confirmed optimist but realist who has now invested twenty years in
this field, by and large I endorse this. We are moving from analog through
digital to quantum information; in my opinion, quantum represents a fully
fundamental change in processing methods, but we still have a long ways to
go to realize the full impact.

For the most part, unlike many "hit pieces" on quantum, they have talked to
the right people. Le Cun is a known skeptic, and Meta is probably the most
important tech company in the world that is deliberately *NOT* doing
quantum. I don't really know how much he does or doesn't know about quantum,
but his opinion carries weight and I don't think he is simply knee-jerk
opposed. Troyer and Aaronson are both well known and respected researchers
(though Aaronson may be getting a little over-exposed in the media these
days; he's eminently quotable and is the field's most prominent blogger, so
he is the go-to guy for many media, it seems). (Please, PLEASE do not listen
to Michio Kaku on quantum; his explanations of how these things work are far
too garbled to be useful, regardless of what you think about the gauzier
musings about quantum computing and the Universe.)

My own favorite of Troyer's papers is this:
https://www.science.org/doi/abs/10.1126/science.1252319
https://arxiv.org/abs/1401.2910
talking about how to quantify a true quantum speedup.

Oskar Painter is also a professor at a little school called Caltech, which
the article didn't mention. (It's hard to overstate Tech's influence in
quantum. A list of prominent people would take a half a page, with Preskill,
Kitaev, Shor, Bacon, Raussendorf, Wehner, Kimble, Northup, Vuckovic,
Gottesman, Leung, Mabuchi, Brun, Hsin-Yuang Huang, Furusawa, Lloyd, etc. as
undergrads, grads, postdocs and faculty. And me, let's not forget me. Oh,
and some guy named Feynman, who gets a share of the credit for originating
the idea in the first place.)

Anyway, back to the topic...

This year saw huge advances toward effective error correction. The month of
December alone produced several juicy papers. One that is getting a lot of
attention is https://www.nature.com/articles/s41586-023-06927-3 which shows
logical operations using quantum error detection (not really quite
correction yet) on a large number of individual neutral atoms in a trapped
array. Personally, I have to issue a mea culpa here, because in the
mid-2010s I didn't see a path to solid control of neutral systems that
allowed for the individual control and programmability necessary. The
QuEra-Harvard-MIT team has done amazing work.

I could type for an hour about interesting results from this year, but I
don't have time this morning.

Everybody agrees that NISQ (noisy, intermediate-scale quantum) won't
scale. The biggest question on the table is whether NISQ becomes useful
before it stops scaling. I think right now a slim majority of people are on the
side of "no", though personally I think the jury is still out.

So, the hardware is progressing; software tools, including compilers,
debuggers, etc. still have a long ways to go.

And it's fair to say that the breadth of applications has not advanced as
much as I might have hoped two decades ago, but our depth of understanding
of what is and isn't possible has continued to grow. I'm optimistic that
when we put these machines in the hands of the next generation of Knuths,
Lamports and Torvaldses, that amazing things will happen.

And we are going to have to continue to rethink education for the
#QuantumNative generation; quantum algorithms require a very different way
of thinking. (And yes, unlike some people, I think the interdisciplinary
skills such students will learn will stand them in good stead throughout
their careers, whether they actually focus on quantum or not.) Assuming
quantum succeeds, we are going to need a LOT of programmers, and not all of
them need to understand the low-level physics of the devices, just as most
software engineers today have a moderate-to-completely-nonexistent
understanding of semiconductor physics.

------------------------------

Date: Tue, 19 Dec 2023 14:14:02 +0000
From: Victor Miller <victorsmiller () gmail com>
Subject: It's easier to convince kids than adults about quantum mechanics
 (Physicist Bob Coecke)

https://www.theguardian.com/science/2023/dec/16/physicist-bob-coecke-its-easier-to-convince-kids-than-adults-about-quantum-mechanics?CMP=Share_iOSApp_Other

------------------------------

Date: Thu, 28 Dec 2023 15:49:04 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: FCPD Combats Crypto-Related Scams: How to Avoid Falling Victim to
 Fraud (Fairfax County Police Department News)

Damn. All too common crypto use case. In spite of years-long ongoing
publicity and warnings.

https://fcpdnews.wordpress.com/2023/12/28/fcpd-combats-crypto-related-scams-how-to-avoid-falling-victim-to-fraud/

------------------------------

Date: Sat, 23 Dec 2023 10:40:57 +0200
From: Amos Shapir <amos083 () gmail com>
Subject: Israeli hackers shut down 70% of Iran's gas stations
 (Times of Israel)

No details were released, but it seems that the hackers had targeted a
central payment system.

Full story at:
https://www.timesofisrael.com/israel-linked-group-claims-cyberattack-that-shuts-down-70-of-irans-gas-stations/

------------------------------

Date: Wed, 20 Dec 2023 14:40:44 -0500
From: Susan Landau <susan.landau () privacyink org>
Subject: Blog post on CSAE and E2EE

I have a short blog post that may be of interest to some of you:
https://www.lawfaremedia.org/article/write-the-laws-for-the-world-in-which-we-live-not-the-one-we-imagine.

------------------------------

Date: Mon, 25 Dec 2023 08:57:03 -0500
From: Jan Wolitzky <jan.wolitzky () gmail com>
Subject: The Disturbing Impact of the Cyberattack at the British Library
 (The New Yorker)

The library has been incapacitated since October, and the effects have
spread beyond researchers and book lovers.

https://www.newyorker.com/news/letter-from-the-uk/the-disturbing-impact-of-the-cyberattack-at-the-british-library

------------------------------

Date: Wed, 20 Dec 2023 10:43:07 -0800
From: Lauren Weinstein <lauren () vortex com>
To: nnsquad-dist () vortex com
Subject: Data for nearly 36 million Comcast customers leaked to hackers
 (Ars Technica)

Data for nearly 36 million Comcast customers leaked to hackers
https://arstechnica.com/security/2023/12/hack-of-unpatched-comcast-servers-results-in-stolen-personal-data-including-passwords/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

------------------------------

Date: Wed, 20 Dec 2023 23:46:08 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Online searches to evaluate misinformation can increase
 its perceived veracity (Nature)

Considerable scholarly attention has been paid to understanding belief in
online misinformation, with a particular focus on social networks.  However,
the dominant role of search engines in the information environment remains
underexplored, even though the use of online search to evaluate the veracity
of information is a central component of media literacy interventions.
Although conventional wisdom suggests that searching online when evaluating
misinformation would reduce belief in it, there is little empirical evidence
to evaluate this claim. Here, across five experiments, we present consistent
evidence that online search to evaluate the truthfulness of false news
articles actually increases the probability of believing them.

https://www.nature.com/articles/s41586-023-06883-y

  [See the full article for the footnotes not available here.  PGN]

------------------------------

Date: Tue, 26 Dec 2023 14:51:10 +0000 (UTC)
From: Steve Bacher <sebmb1 () verizon net>
Subject: The 2023 Good Tech Awards (The NYTimes)

A positive look back at this year's tech developments, from one journalist's
viewpoint.  Perhaps a refreshing change from the usual RISKS negativity.

  [I.e., our positive focus on reducing risks!  But we are always looking
  for items that minimize the risks.  Thanks, Steve.  Happy New Year with
  fewer risks.  PGN].

https://www.nytimes.com/2023/12/25/technology/the-2023-good-tech-awards.html

------------------------------

Date: Sat, 30 Dec 2023 11:51:28 -0500
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Do you need git or Subversion?

You do not need either one specifically. A software development company
should have a version control system (VCS). DVCS (distributed) is very
popular with developers as they are less likely to complain about slow
transfers, or merge problems. The slow transfer problem is specific to
Subversion's storage and transfer model, which operates at the document
level. Git operates on a mixed model of objects and archives. Mercurial uses
a similar DVC model. Developers don't complain about merges in git because
they tend to make that the problem for the person processing pull
requests. Subversion and Team Foundation are CVCS (centralized).  Subversion
distributed merge conflicts to the developers, and they don't like it. You
cannot commit a merge conflict in Subversion. I have not personally worked
with Team Foundation, but it is my understanding you cannot commit merge
conflicts in that system either.

Merge conflicts arise from multiple developers working on the same
document/object at the same time. If you have merge conflicts on a regular
basis, your developers are working on a crappy codebase. Moving to DVCS
won't fix that.

Git was developed by the hardest working man in IT to deal with a project
that was intentionally designed to be mostly monolithic as it was the
source for a kernel, which is monolithic.

Are you developing a monolithic kernel? No? Then you do not need git nor
DVCS. You need to fix your codebase.

Are you developing open-source software? No? Then you do not need git nor
DVCS.

Are you developing software which has a GRC mandate to be tracked? Yes?
Then you need CVCS. Unless you take a lot of extra time to ensure that your
git is set up for signed commits and that your developers are using signing
by whoever the developer said their email address was at the time.

Subversion only operates in two modes, anonymous and authenticated. If you
set authentication up, every commit is authenticated. Developers cannot
attempt a commit without authentication.

Are you working on a codebase which needs additional restrictions on
branches or specific files? DVCS pushes the whole codebase to everyone. If
you can see the project, you can see everything in it. And the file that
was deleted because it had a raw key in it? Hope you pruned your history,
otherwise, it's still there.

What do you mean you moved to git to stop having to deal with
administrative issues with the Subversion repository? Git still needs
things like historical pruning, backups, dead branch deletion. You can kick
the can down the road a bit longer with git because its model is smaller on
disk, but those 200 dead branches are going to prevent any new developers
from being able to onboard rapidly.

If you are using Subversion, the historical-key-file problem still exists,
if the developer can see the file, they can roll the history back on it.
However, as Subversion requires each revision checkout to be a separate
request, your inside threat is going to leave some very blatant log
activity.

What do you mean that Bitbucket Cloud doesn't provide access logs for
repos? How does your security team review potential internal threats or
access control misconfigurations? GitHub Cloud does. Maybe if you were
running your VCS internally you could use the server logs? Also if your VCS
was internal, those access logs would be a little smaller as the whole
world couldn't attempt bulk logins. Oh, your access log doesn't have
attempts. Only successes. Cool. How do you know if someone is prodding your
publicly-accessible private repo more or less than usual?

You're not that concerned because you're using VCS to host your
documentation? Why? Are you going to merge your old documents and your new
documents? Oh, so you didn't have to set up a CMS (content management system).

I am also fond of using the electrician's hammer.

Does that screw look like a nail to you,

  [Cliff, In defense of Subversion and github, you may have overstated your
  case a bit.  Both take a bit of learning to cover certain corner cases,
  and they do have benefits in highly distributed team efforts.  PGN]
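Two of the checks the post above is arguing about (are commits actually signed by an accepted key, and is the "deleted" key file still sitting in history) can be scripted against ordinary `git log` output. The following is an added example, not code from the post or from any of the tools it names; it parses constructed samples of `git log --all --format='%H %G? %ae %s'` and `git log --all -p` output that are embedded inline, so the commit hashes, addresses and key values are placeholders, not real data.

```python
import re

# Constructed sample of `git log --all --format='%H %G? %ae %s'` output.
# git's %G? signature status codes: G good, U good but untrusted key,
# N no signature, B bad signature, E cannot check, X/Y expired, R revoked.
SAMPLE_LOG = """\
a1b2c3d4e5f6 G alice@example.com Add config loader
f6e5d4c3b2a1 N bob@example.com Remove deploy key from repo
0011223344ff U carol@example.com Rotate build script
deadbeef0000 B mallory@example.com Fix typo
"""

# Constructed sample of `git log --all -p` output. The key file was deleted
# in f6e5d4c3b2a1, but the deletion hunk still reproduces its contents.
# AKIAIOSFODNN7EXAMPLE is AWS's documented placeholder key id, not a live key.
SAMPLE_PATCH = """\
commit f6e5d4c3b2a1
diff --git a/deploy_key b/deploy_key
deleted file mode 100644
--- a/deploy_key
+++ /dev/null
@@ -1,3 +0,0 @@
------BEGIN OPENSSH PRIVATE KEY-----
-b3BlbnNzaC1rZXktdjEAAAAAZm9vYmFy
------END OPENSSH PRIVATE KEY-----
commit 0011223344ff
diff --git a/build.sh b/build.sh
--- a/build.sh
+++ b/build.sh
@@ -1,2 +1,3 @@
 #!/bin/sh
+export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
 make release
"""

# Patterns for material that should never be in a repository at all.
KEY_PATTERNS = {
    "private-key-block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "aws-access-key-id": re.compile(r"AKIA[0-9A-Z]{16}"),
}


def unsigned_commits(log_text, accept=frozenset({"G"})):
    """Return (hash, status, email) for every commit whose %G? status is
    not in `accept`. The default accepts only signatures from keys git
    already trusts; pass {"G", "U"} to tolerate untrusted-but-valid keys."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split(" ", 3)
        if len(parts) < 3:
            continue
        sha, status, email = parts[0], parts[1], parts[2]
        if status not in accept:
            flagged.append((sha, status, email))
    return flagged


def secrets_in_history(patch_text):
    """Walk `git log -p` output and report (commit, path, pattern_name) for
    every added OR removed hunk line that matches a secret pattern. Removed
    lines count too: deleting the file only hides it from the working tree,
    not from history."""
    findings = []
    commit = path = None
    for line in patch_text.splitlines():
        if line.startswith("commit "):
            commit = line.split()[1]
        elif line.startswith("diff --git "):
            path = line.split()[-1][2:]          # "b/deploy_key" -> "deploy_key"
        elif line.startswith(("--- ", "+++ ")):
            continue                             # file headers, not content
        elif line and line[0] in "+-":
            for name, pattern in KEY_PATTERNS.items():
                if pattern.search(line):
                    findings.append((commit, path, name))
    return findings


if __name__ == "__main__":
    for sha, status, email in unsigned_commits(SAMPLE_LOG):
        print(f"unsigned/untrusted: {sha} status={status} author={email}")
    for sha, path, name in secrets_in_history(SAMPLE_PATCH):
        print(f"secret still in history: {sha} {path} ({name})")
```

The signature check is only meaningful if the verifying host's keyring is restricted to the keys the organisation actually issued; a `U` status means git found a valid signature but has no trust path to the key, which is exactly the "whoever the developer said their email address was" situation the post describes. The history scan is the reason deleting a key file is not remediation: the key has to be rotated, and the history rewritten and force-pushed if the repository is to stop serving it.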

------------------------------

Date: Sun, 24 Dec 2023 20:13:56 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: iPhone Thief Explains How He Breaks Into Your Phone (WSJ)

Thieves are stealing Apple iPhones, passcodes and thousands of dollars from
their victims' bank accounts.

WSJ's Joanna Stern sat down with a convicted thief in a high-security prison
to find how—and how you can protect yourself.

https://www.youtube.com/watch?v=gi96HKr2vo8

  [High-security has (at least) TWO meanings here.  I wonder if Joanna
  came out with her phone intact.  PGN]

------------------------------

Date: Fri, 22 Dec 2023 01:08:59 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Former White House scientist was scammed out of $650K and
 must pay taxes (The Washington Post)

The government that Frances Sharples served for more than four decades
considers the money to be income, compounding her pain

Frances Sharples walked through the glass doors of her credit union, ready
to make the worst decision of her life.

She had a script from the man promising to save the retirement account she
built over decades as a science adviser to the U.S. government, including in
the White House.

He told her to transfer more than $600,000 — and to keep her cellphone on so
he could listen to her. If anyone asked whether she was put up to it, she
was to reply: “No, absolutely not,” according to her hand-scrawled notes. No
one did. She handed the clerk the routing number, walked back to her dented
2005 Honda and returned home.

“Now I'm good,” she told herself. “Now, I'm safe.”  [...]

Billings started small, saying Sharples first needed to protect the $25,000
in her savings account at Commerce Federal. Williams would keep her on the
line from 7 a.m. until bedtime — claiming to be removing malicious software
from her computer but mostly lingering silently — for more than two weeks.

Finally, a document appeared on her screen with a list of account names and
numbers. Print it out, Billings told her. Drive to your credit union.

She did.

According to the script he gave her, if asked, she should say she was moving
the money to her investment account, something she does frequently.  [...]

At that point, a precaution set up to backstop bad customer decisions kicked
in. After Sharples asked TIAA — which managed the retirement account — to
transfer her money, a senior fraud investigator with the company called to
question her decision.

“Is someone else telling you to do this?” he asked.

“No, it’s my idea,” she said, following the script. “I’ve decided I want to
invest in a different way.” [...]

As she prepared her taxes online, Sharples was sickened by what she saw on
her Form 1040, which showed the fraud raising her taxes by hundreds of
thousands of dollars. She was then drawn through an excruciating education
in the nation's sprawling tax code.

https://www.washingtonpost.com/dc-md-va/2023/12/14/cyber-crime-scams-irs-taxes/

------------------------------

Date: Mon, 18 Dec 2023 17:08:11 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Re: Ex-Amazon security engineer admits to stealing over $12M in
 crypto (ReadWrite)

Ahmed's first target was the undisclosed crypto exchange on the Solana
blockchain. He manipulated a smart contract to introduce false pricing data,
which led to the generation of approximately $9 million in inflated
fees. After withdrawing these funds, Ahmed brazenly offered to return the
stolen amount, minus $1.5 million, on the condition that the exchange would
not involve law enforcement. This attack closely resembles the breach that
impacted the Crema Finance decentralized finance platform in July 2022.

Following this initial hack, Ahmed turned his attention to Nirvana
Finance. He exploited a loophole in the DeFi protocol's smart contract,
taking a flash loan of ANA cryptocurrency tokens at a low price and selling
them back at a higher rate. This maneuver netted him around $3.6
million. Despite being offered a $300,000 bounty to return the stolen
assets, Ahmed refused, demanding $1.4 million and ultimately leading to the
shutdown of Nirvana Finance after no agreement was reached.

https://readwrite.com/ex-amazon-security-engineer-admits-to-stealing-over-12m-in-crypto/

If those are smart contracts, what would dumb ones be?

------------------------------

Date: Mon, 18 Dec 2023 18:07:43 -0500
From: Joseph Gwinn <joegwinn () comcast net>
Subject: Re: What to do when receiving unprompted MFA OTP codes (RISKS-33.97)

The BleepingComputer article misses the distinction between TFA (two-factor
authentication) and TSA (two-step authentication), TFA being far more secure
than TSA.

With TFA, one must possess a physical crypto token (like an RSA SecurID
token) plus a password, the factors being something one possesses (token)
and something one knows (password).  The computer is not providing
authentication.

With TSA, no physical token is used; it's something one knows (a
password) provided to a computer, and it is done in two steps.  If malware
has managed to sufficiently infect the computer, the malware can perform
both steps.

In the story of unsolicited OTP codes, the malware had not gained sufficient
control and was thwarted.  But the whole drama would not have happened if
true TFA had been implemented.

Amazon certainly knows the difference, which is why they call what they do
TSA, not TFA.

------------------------------

Date: Sat, 23 Dec 2023 11:25:56 +0000
From: Martin Ward <mwardgkc () gmail com>
Subject: Re: WeWork has failed, leaving damage in its wake (Kilby and Ward)

Is capitalism an efficient economic system?  It depends on what you want to
optimise for: if the purpose of your economic system is to transfer wealth
from everyone else to a handful of billionaires, then capitalism is already
very efficient and becoming ever more efficient.  If the purpose is the long
term thriving of the human race, then capitalism is a terrible system: the
thing you are optimising for (called "profit") is actually a form of
friction and *loss* to the system as stores of value (money) get extracted
from the economic cycle and stashed away unproductively.  Whole industries,
such as advertising and banking, are purely destructive of value.

A better economic system would eliminate the concept of "profit" as
something extracted by shareholders and board members.  Activities that are
most efficient when nationalised, such as fire service, police, army, energy
distribution, transport, and of course, the health service, should never be
allowed to fall into private hands or should be taken out of private hands.
Each of these activities gets a budget to do a certain thing and should be
laser focused on doing that thing.  The post office delivers letters and
parcels, the railway network runs railways, the health service keeps the
population healthy, the universities generate knowledge and so on. This
leads to a lot of difficult discussions about how much each service needs in
order to ensure human thriving without a negative impact on other
services. But the current approach where everything is reduced to profit is
once again, optimising for the wrong thing.

For private industry, small family businesses and small to medium
cooperatives will ensure that any "profit" is recycled back into the
economy.

In conclusion: The reason that poverty and homelessness exist is not because
capitalism is not working properly, but because that is the way it works.

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.01
************************