RISKS Forum mailing list archives

Risks Digest 34.12


From: RISKS List Owner <risko () csl sri com>
Date: Mon, 1 Apr 2024 18:51:11 PDT

RISKS-LIST: Risks-Forum Digest  Monday 1 April 2024  Volume 34 : Issue 12

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.12>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: somewhat backlogged, but No Fooling yet today!
Two major losses (PGN)
America's Nuclear War Plan in the 1960s Was Utter Madness.
 It Still Is. (Mother Jones)
FDA Warning Links Heart Pump to Deaths (Christina Jewett)
 Persist (NYTimes)
Ransomware Attack Against UnitedHealth Shows Flaws in Cybersecurity
Iowa fertilizer spill kills 750K fish in Iowa and Missouri over
 60-mile stretch of rivers (NYTimes)
Red Hat Fedora 41 hacked (Tom Van Vleck)
Unpatchable vulnerability in Apple chip leaks secret encryption keys
 (ArsTechnica via Gabe Goldberg, Gabe Goldberg)
The race between positive and negative applications of Generative
 AI is on -- and not looking pretty (Gary Marcus via Gabe)
U.S. Military's Investments into AI Skyrocket (Will Henshall)
AI bots hallucinate software packages and devs download them
 (Steve Bacher via The Register)
OpenAI Reveals but Will Not Release Human Voice Cloning Feature (WSJ)
The Online Degradation of Women and Girls That We Meet With a Shrug
 (The New York Times)
America's first biometric 'smart gun' is finally here. Will it work?
 (SmartGun)
Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds
 (WiReD)
AT&T Resets Millions of Passcodes After Customer Records Are Leaked
 (Jan Wolitzky)
Time for Social Engineering Training (Kingfish1935 via Ben Moore)
Internet Age Verification schemes -- e.g., Florida's new law
 (Lauren Weinstein)
Scientists aghast at bizarre AI rat with huge genitals in peer-reviewed
 article (ArsTechnica)
Israel Deploys Expansive Facial Recognition Program in Gaza (NYTimes)
Facebook snooped on users' Snapchat traffic in secret project,
 documents reveal (TechCrunch)
Elon Musk's Starlink Terminals Are Falling Into the Wrong Hands?
 (Henry Baker)
Explanations of Australian emergency phone number failure (John Colville)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 30 Mar 2024 9:02:31 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: Two major losses

Ross Anderson 
https://twitter.com/duncan_2qq/status/1773752269395099774
https://alecmuffett.com/article/109513

  From Ross's University of Cambridge:
  Ross pioneered the field of security engineering. Our students were very
  fortunate to learn from him over the last few years. In fact, he gave 2
  seminars just last Wednesday. He researched many topics within computer
  science including cryptology, steganography, dependability, security
  economics, adversarial machine learning and more. Ross also used his
  position as a researcher to actively advocate for a more secure
  world. This included championing individual privacy rights, research into
  payments security in developing countries, and protecting vulnerable
  people from scams. On a personal level, he will be greatly missed by
  students and staff.

Dan Lynch
https://www.nytimes.com/2024/03/31/technology/daniel-c-lynch-dead.html?unlocked_article_code=1.hE0.tCVR.8ASMr_sTSh3W&smid=url-share

  Dan's era was long before Ross's.  Lauren Weinstein had this note: Dan
  Lynch, one of the key people involved in building the Internet and ARPANET
  before it, has died.  Dan was director of computing facilities at SRI
  International, where ARPANET node #2 was located.  He worked on
  development of TCP/IP, and where the first packets were received from our
  site at UCLA node #1 to SRI, and later at USC-ISI led the team that made
  the transition from the original ARPANET NCP protocols to TCP/IP for the
  Internet. And much more.
  https://www.internethalloffame.org/inductee/dan-lynch/

Both of them were major figures in their respective eras, and wonderful
friends, Ross much too young at 56, Dan at 82.

------------------------------

Date: Thu, 28 Mar 2024 13:11:21 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: America's Nuclear War Plan in the 1960s Was Utter Madness.
 It Still Is. (Mother Jones)

We rarely consider the dangers these days, but our existence depends on it.

Nuclear war is the only scenario other than an asteroid strike that could
end civilization in a matter of hours. The soot from burning cities and
forests will blot out the sun and cause a nuclear winter.  Agriculture will
fail. State-of-the-art climate modeling predicts five billion humans will
die.  In the words of Nikita Khrushchev, ``the survivors will envy the dead.''

https://www.motherjones.com/politics/2024/03/nuclear-war-scenario-book-siop-weapons-annie-jacobsen/ 

------------------------------

Date: Sat, 30 Mar 2024 12:07:54 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: FDA Warning Links Heart Pump to Deaths (Christina Jewett)

Christina Jewett, *The New York Times*, 30 Mar 2024

A troubled Impella heart pump that has now been linked to 49 deaths
and dozens of injuries worldwide will be allowed to remain in use,
despite the FDA's decision to issue an alert about the risk that it
could puncture a wall of the heart.

The FDA said Abiomed (the manufacturer of the device) should have
notified the agency more than two years ago, when the company first
posted an update on its website about the perforation risk.  [Abiomed
was then acquired by Johnson and Johnson in 2022.]  [Half-page article
PGN-ed]

``To say that you're addressing 49 deaths by saying `be careful' is not
addressing the problem at all.''  Rita Redberg, UCSF cardiologist and
professor.

------------------------------

Date: Sat, 30 Mar 2024 18:23:42 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: Ransomware Attack Against UnitedHealth Shows Flaws in Cybersecurity
 Persist (NYTimes)

Reed Ableson and Margot Sanger-Katz, *The New York Times*, 30 Mar 2024

The recent cyberattack on the billing and payment colossus Change Healthcare
(Making Change as well as Changing Healthcare?) revealed just how serious
the vulnerabilities are throughout the U.S. healthcare system, and alerted
industry leaders and policymakers to the urgent need for better digital
security.

  [They clearly have not been reading RISKS for any of the past 38 years!
  And this is on top of HIPAA, where none of the systems are secure enough
  to begin with and privacy is a huge problem already.  PGN]

------------------------------

Date: Sat, 30 Mar 2024 14:44:31 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: Iowa fertilizer spill kills 750K fish in Iowa and Missouri over
 60-mile stretch of rivers (NYTimes)

Mitch Smith and Catrin Einhorn, *The New York Times*, 30 Mar 2024

Single valve left open over a weekend.
Lessons from our RISKS community need to be practiced elsewhere.
Flow control Systems?  Probably none.
Monitoring?  Probably none.
Diagnostics?  Probably none.
Risks to human and other lives?  Rampant.

  [Einhorn is Unicorn in German.  I am delighted Einhorns are not totally
  extinct, with two in the same issue.  Catrin and Bruce (below) need to
  work together -- if they are not already.  PGN]

------------------------------

Date: Fri, 29 Mar 2024 15:16:48 -0400
From: Tom Van Vleck <thvv () multicians org>
Subject: Red Hat Fedora 41 hacked

Red Hat Fedora 41 had a backdoor installed.
The latest version of the "xz" compression tools and libraries had 
malicious code inserted that appears to attack SSH authentication.
CVE-2024-3094

Some details at
https://www.openwall.com/lists/oss-security/2024/03/29/4

  [Hassen Saidi remarked on the fascinating story:
  https://boehs.org/node/everything-i-know-about-the-xz-backdoor

  Victor Miller noted
  https://infosec.exchange/@tinker/112181161329268317
  and Technologist vs spy: the xz backdoor debate
  https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
  PGN]

------------------------------

Date: Sun, 24 Mar 2024 18:18:12 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Unpatchable vulnerability in Apple chip leaks secret encryption
 keys (Ars Technica)

Are these exotic/esoteric threats meaningful in the real 
non-high-value-target world?

How is it weaponized?

The attack, which the researchers have named GoFetch
<https://gofetch.fail/>, uses an application that doesn't require root
access, only the same user privileges needed by most third-party
applications installed on a macOS system. M-series chips are divided into
what are known as clusters. The M1, for example, has two clusters: one
containing four efficiency cores and the other four performance cores. As
long as the GoFetch app and the targeted cryptography app are running on the
same performance cluster -- even when on separate cores within that
cluster -- GoFetch can mine enough secrets to leak a secret key.  [...]

End users who are concerned should check for GoFetch mitigation updates that
become available for macOS software that implements any of the four
encryption protocols known to be vulnerable. Out of an abundance of caution,
it's probably also wise to assume, at least for now, that other
cryptographic protocols are likely also susceptible.

https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/

  ...so attacker must get malware installed, THEN it gathers data, THEN it 
  exfiltrates it?

------------------------------

Date: Sun, 24 Mar 2024 18:55:47 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Unpatchable vulnerability in Apple chip leaks secret
 encryption keys

Well, a friend answered:

Cloud is a big issue here, since you may be running on a CPU with other 
customers.

Lots of threats are relatively low-risk; the thing is, those risks can 
be additive. I forget who, but someone talks about a ``Swiss cheese
model'': you take a bunch of minor risks, each of which is a small hole
in the cheese, and sometimes they line up, leaving a hole all the way 
through. Those of you who have read /Normal Accidents/ will recognize 
this failure chain concept.

So yeah, MY machines aren't running other folks' stuff, or unvetted 
applications, so I probably don't care. But your bank might be (yes, 
banks are doing cloud too, more fools they. ...)

------------------------------

Date: Fri, 29 Mar 2024 16:13:02 -0400
From: "Gabe Goldberg" <gabe () gabegold com>
Subject: The race between positive and negative applications of Generative
 AI is on -- and not looking pretty

Let's look at the race itself first. Opinions could vary, but in my
opinion, the race is not going great. On the one hand, we have big
promises for AI helping in domains like medicine, and computer
programming, but the inherent unreliability in these systems is deeply
worrisome. An example in a story I just saw that could unravel some of
the gains in programming is this: [...]

  From a security perspective, that's terrifying. If lots of code gets
  written, fast, but that code is riddled with security problems, the net
  advantage on the positive side of the ledger may be less than anticipated.
  As noted here before, one study indicates that code quality is going down.

https://garymarcus.substack.com/p/the-race-between-positive-and-negative

------------------------------

Date: Mon, 1 Apr 2024 11:09:41 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: U.S. Military's Investments into AI Skyrocket (Will Henshall)

Will Henshall, *Time*, 29 Mar 2024, via ACM TechNews

The Brookings Institution reported a nearly 1,200% surge in the potential
value of AI-related U.S. government contracts, from $355 million in the year
ending in August 2022 to $4.6 billion in the year ending in August 2023. The
U.S. Department of Defense accounted for the majority of the total, with
$557 million committed by the agency to AI-related contracts, rising to $4.3
billion if each contract were extended to its fullest terms.

  [How much of that will be devoted to evidence-based assurance of low-risk
  AI's total-system trustworthiness?  Close to ZERO, if past experience is
  any guide.  This fantastic AI splurge sounds like the definition of a
  sailboat -- a hole in the ocean into which you pour money.  PGN]

------------------------------

Date: Sat, 30 Mar 2024 06:57:29 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: AI bots hallucinate software packages and devs download them

Simply look out for libraries imagined by ML and make them real, with 
actual malicious code. No wait, don't do that.

https://www.theregister.com/2024/03/28/ai_bots_hallucinate_software_packages/ 

------------------------------

Date: Mon, 1 Apr 2024 08:42:23 -0700
From: "Peter G. Neumann" <peter.neumann () sri com>
Subject: OpenAI Reveals but Will Not Release Human Voice Cloning Feature

https://www.wsj.com/tech/ai/openai-reveals-audio-feature-that-clones-human-voices-30f066ea?st=765urbqcxvhpuxs&reflink=desktopwebshare_permalink

------------------------------

Date: Sat, 23 Mar 2024 11:20:13 -0400
From: Monty Solomon <monty () roscom com>
Subject: The Online Degradation of Women and Girls That We Meet With a Shrug

https://www.nytimes.com/2024/03/23/opinion/deepfake-sex-videos.html

------------------------------

Date: Sat, 23 Mar 2024 16:00:52 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: America's first biometric 'smart gun' is finally here. Will it work?
 (SmartGun)

*Biofire says its gun will be in people's hands this month. The company 
has walked a careful line to avoid blowback from the gun-rights movement*

The company behind America's first biometric ``smart gun'' -- one that
fires only when gripped by authorized users -- will face a crucial test
in the coming weeks.

After decades of failed attempts by other manufacturers to bring a reliable
smart gun to market, Biofire, a Colorado-based startup, says it's shipping
its first batch of 9 mm handguns equipped with fingerprint and
facial-recognition technology by the end of the month. The company's smart
gun is designed to serve a very specific purpose: a weapon that can be
quickly accessed to defend against a home intruder, but that can't be used
by anyone unauthorized, particularly children.

As Biofire markets its gun to firearm enthusiasts and skeptics alike, the
company is walking a careful line to avoid the massive blowback from the
gun-rights movement that derailed previous iterations of smart guns.

Gun control advocates have long seen biometric technology as a game changer
for reducing gun violence, and Biofire has drawn their praise by emphasizing
safety and the need to prevent children from accessing guns.  At the same
time, the company has built ties with the gun industry and opposes any
government mandates
<https://smartgun.com/explore/videos/biofire-s-stance-on-mandates> to
require biometric features in guns, trying to head off fears that the
technology is a Trojan horse for gun control.

So far, Biofire's approach has been received with a mix of cautious
optimism, curiosity and distrust. But the most important question won't be
fully answered until the gun is in people's hands: Does it really work?
[...]

https://www.nbcnews.com/news/us-news/biofire-smart-gun-biometric-safety-rcna143637

------------------------------

Date: Sun, 24 Mar 2024 01:40:37 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Hackers Found a Way to Open Any of 3 Million Hotel Keycard
 Locks in Seconds (WiReD)

The company behind the Saflok-brand door locks is offering a fix, but it 
may take months or years to reach some hotels.

https://www.wired.com/story/saflok-hotel-lock-unsaflok-hack-technique

------------------------------

Date: Sat, 30 Mar 2024 19:49:43 -0400
From: Jan Wolitzky <jan.wolitzky () gmail com>
Subject: AT&T Resets Millions of Passcodes After Customer Records Are
 Leaked

The telecommunications giant AT&T announced on Saturday that it had reset
the passcodes of 7.6 million customers after it determined that compromised
customer data was *released on the dark web*.  ``Our internal teams are
working with external cybersecurity experts to analyze the situation.  To
the best of our knowledge, the compromised data appears to be from 2019 or
earlier and does not contain personal financial information or call
history.''  [...]

https://www.nytimes.com/2024/03/30/business/att-passcodes-reset-data-breach.html

  [Also noted by Gabe Goldberg and Matthew Kruk.  Thanks!  PGN]

------------------------------

From: Ben Moore <ben.moore () juno com>
Date: Tue, 26 Mar 2024 21:55:34 -0500
Subject: Time for Social Engineering Training

Based on a spoofed e-mail, a county comptroller paid $2.7 million to a man
with a thick Middle-Eastern accent in Germany. I think it's time for a
little social engineering training.

https://kingfish1935.blogspot.com/2024/03/madison-county-scammed-out-of-27-million.html

------------------------------

Date: Mon, 25 Mar 2024 17:35:54 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Internet Age Verification schemes -- e.g., Florida's new law

It's important to understand that "age verification" schemes being
passed by states, ostensibly to "protect the children", won't do that
and will bring about incredible abuses.

In order to age verify children, obviously EVERYBODY of any age must
be verified, for every account, under every name or pseudonym,
ultimately on every site no matter how public or private the topic,
and before downloading any apps.

Children will find ways to work around this. They'll use the accounts
of adults, which will be openly traded. But because these age
verification systems must by definition be based on government IDs,
the verification process creates a linkage between your account names
and your actual identity, subjecting you to all manner of leaked
personal information, government abuses (think MAGA in charge), and
worse. Firms will claim their systems either don't keep this data or
can't be abused. History strongly suggests otherwise, and when courts
step in, those firms will have to do what the courts say, often in
secret, when it comes to collecting data.

Age verification is in actuality a massive Chinese-style Internet
identity tracking project -- nothing less -- and there are many
politicians in the U.S. who look with envy at how China controls their
Internet and keeps their Internet users under police state controls. -L

------------------------------

Date: Sun, 31 Mar 2024 06:55:02 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Scientists aghast at bizarre AI rat with huge genitals in
 peer-reviewed article

It's unclear how such egregiously bad images made it through peer-review.

https://arstechnica.com/science/2024/02/scientists-aghast-at-bizarre-ai-rat-with-huge-genitals-in-peer-reviewed-article/

  [Maybe it was pier-reviewed as the rats were leaving the ship.  PGN]

------------------------------

From: Jan Wolitzky <jan.wolitzky () gmail com>
Date: Wed, 27 Mar 2024 07:14:27 -0400
Subject: Israel Deploys Expansive Facial Recognition Program in Gaza
 (The New York Times)

The experimental effort, which has not been disclosed, is being used to
conduct mass surveillance of Palestinians in Gaza, according to military
officials and others.

The facial recognition program, which is run by Israel's military
intelligence unit, including the cyber-intelligence division Unit 8200,
relies on technology from Corsight, a private Israeli company, four
intelligence officers said. It also uses Google Photos, they said.
Combined, the technologies enable Israel to pick faces out of crowds and
grainy drone footage.

https://www.nytimes.com/2024/03/27/technology/israel-facial-recognition-gaza.html?unlocked_article_code=1.f00.UuRb.B3-bbKoxaWrf&smid=url-share

  [False positives? negatives? undecideds?  Basically unreliable?  PGN]

------------------------------

Date: Tue, 26 Mar 2024 14:24:10 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Facebook snooped on users' Snapchat traffic in secret project,
 documents reveal (TechCrunch)

https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic/

------------------------------

Date: Tue, 26 Mar 2024 14:34:52 +0000
From: Henry Baker <hbaker1 () pipeline com>
Subject: Elon Musk's Starlink Terminals Are Falling Into the Wrong Hands?

For many years in the 1970's, a (physical) bulletin board at MIT's AI Lab had
an article posted with the headline 'ARPAnet accused of transmitting data'.

I'm sure that there must have been many articles in the 1920's with the
headline 'Henry Ford's Automobiles are Falling into Criminal Hands', and
many articles in the 1700's with the headline 'Johannes Gutenberg's Printing
Presses are falling into Papist Hands'.

https://www.freep.com/story/money/cars/ford/2019/02/09/bonnie-clyde-chestnut-barrow-ford/2812888002/

"I have drove Fords exclusively when I could get away with one."  signed
 "Yours truly Clyde Champion Barrow." [of 'Bonnie & Clyde' fame]

Criminals breathe air, drink water, eat food, use the telephone, drive the
roads, etc., -- in short -- they utilize everything that non-criminals do in
order to commit their crimes. But restricting access to air, water, food,
etc., hurts everyone a lot more than it hurts criminals -- we cut off our
nose to spite our face.

Once again, be very, very, very careful what you wish for when you start to
regulate technology that everyone wants (and needs) to use.

https://www.yahoo.com/news/elon-musk-starlink-terminals-falling-210028713.html

Elon Musk's Starlink Terminals Are Falling Into the Wrong Hands

Bruce Einhorn, Loni Prinsloo, Marissa Newman and Simon Marks
Mon, March 25, 2024 at 2:00 PM PDT

(Bloomberg) -- SpaceX's Starlink touts its high-speed internet as
``available almost anywhere on Earth.''  In the real world, its reach
extends to countries where Elon Musk's satellite-enabled service has no
agreement to operate, including territories ruled by repressive regimes.

A Bloomberg News investigation identified wide-spanning examples of Starlink
kits being traded and activated illegally. How they are smuggled and the
sheer availability of Starlink on the black market suggests that its misuse
is a systemic global problem, raising questions about the company's control
of a system with clear national security dimensions.

In Yemen, which is in the throes of a decade-long civil war, a government
official conceded that Starlink is in widespread use. Many people are
prepared to defy competing warring factions, including Houthi rebels, to
secure terminals for business and personal communications, and evade the
slow, often censored internet service that's currently available.

Or take Sudan, where a year-long civil war has led to accusations of
genocide, crimes against humanity and millions of people fleeing their
homes. With the regular internet down for months, soldiers of the
paramilitary Rapid Support Forces are among those using the system for their
logistics, according to Western diplomats.

``It is deeply concerning because it's unregulated and headed by a private
company,'' Emma Shortis, a senior researcher in international and security
affairs at the Australia Institute, an independent think tank in Canberra,
said of the Starlink system. ``There's no accountability on who has access
to it and how it's being used.''

Starlink delivers broadband Internet beamed down from a network of roughly
5,500 satellites that SpaceX started deploying in 2019. With some 2.6
million customers already, Starlink has the potential to become a major
moneymaker for SpaceX, a company that began as Musk's way to fulfill his
dream of exploring Mars and has now become the most important private-sector
contractor to the US government's space program and a dominant force in
national security.

Musk, until recently the world's richest person, has said there will be a
cap to how much money SpaceX's launch services business will make, while
Starlink could eventually reach revenue of $30 billion a year. Starlink
plans to launch tens of thousands of additional satellites to connect places
that are too remote for ground-based broadband or that have been cut off by
natural disasters or conflict.

But given the security concerns around a private American company
controlling Internet service, SpaceX first needs to strike agreements with
governments in each territory. Where there are none, people are
``proceeding to use Starlink without the proper coverage that is quite
illegal and of course should not be allowed, but it's difficult to control
and manage,'' said Manuel Ntumba, an Africa geospatial, governance and risk
expert based in New York.

In central Asia, where Starlink deals are rare, a government crackdown on
illicit terminals in Kazakhstan this year has barely made a dent on its
use. All it did was lead to higher prices on the black market, according to
a trader who imports the gear and who didn't want to speak publicly for fear
of retribution. Prior to the government intervention, customers were able to
buy the company's equipment and have it shipped via the local postal
service, the trader said.

SpaceX didn't respond when asked to comment on a written list of questions
submitted on Thursday.  ``If SpaceX obtains knowledge that a Starlink
terminal is being used by a sanctioned or unauthorized party, we investigate
the claim and take actions to deactivate the terminal if confirmed,'' the
company said in a post on X in February.

The growing black market for Starlink has emerged in regions with patchy
connectivity, where the allure of high speed, dependable Internet in an
easy-to-use package is strong for businesses and consumers alike.

In many ways, it's Starlink's effectiveness as a communications tool that
has made it such a sensitive matter. The US military is a customer: The Air
Force has been testing terminals in the Arctic, calling them *reliable and
high-performance*. Those same properties made it vital to Ukraine's military
in its defense against invading Russian forces. SpaceX provided the
technology to Kyiv in the early days of Russia's invasion, and Starlink has
since become crucial to the Ukrainian communications infrastructure. The US
Department of Defense later struck a deal with Starlink to supply Ukraine
with equipment, the terms of which were not made public.

Then in February of this year, Ukraine said that Russia was deploying
Starlink in its own war efforts, while unverified posts on X, Musk's social
network, appeared to show Russian soldiers unpacking kits. Two House
Democrats wrote a letter to SpaceX President Gwynne Shotwell pressing her on
Ukraine's claims.  ``To the best of our knowledge, no Starlinks have been
sold directly or indirectly to Russia,'' Musk wrote on X.

It's the uncertainty about where the satellite dishes are landing that has
security officials around the world concerned.

Starlink kits are being sold for use in Venezuela, where individuals and
entities have been subject to US sanctions for almost a decade, most
recently under President Nicolas Maduro's authoritarian rule. A map of
coverage areas on Starlink's website shows the South American nation blacked
out. Yet social media ads promote package deals for Starlink equipment,
which is widely available and admired for its reliability and portability in
a country of isolated cattle ranches and gold mines.

SpaceX should be able to prevent Russian use of Starlink in occupied
Ukraine, since ``basically every single transmitter can be identified,''
said Candace Johnson, director at NorthStar Earth & Space Inc., a Montreal
company that in January successfully launched four satellites -- on a rocket
from SpaceX competitor Rocket Lab USA Inc. -- to identify and track objects
in space.

``There needs to be more accountability: to your country, to your company,
to your shareholders, to your stakeholders,'' said Johnson, who is also a
partner with Seraphim Capital, a venture-capital firm that invests in space
startups.

In North Africa, Starlink's use in Sudan shows how terminals arrive in a
country subject to international sanctions.

There has been no Internet in Sudan since early February. Both the Sudanese
Armed Forces and Rapid Support Forces have blamed each other for cutting the
service while the CEO of Zain Sudan, a mobile operator, said his company's
engineers had been prevented from reaching parts of the country to reconnect
the network due to insecurity and a lack of fuel.

To bypass the blackout, members of the RSF and local business owners have
smuggled Starlink devices into Sudan's Darfur region using an organized
network that registered the units in Dubai before transporting them into
Uganda by airplane and then by road to Sudan via South Sudan, according to
interviews with Western diplomats and business owners using the devices.

Gold miners in remote areas along the borders of South Sudan and the Central
African Republic were provided with Starlink services even prior to the war
by traders working in South Darfur's Nyala City. Starlink says on its
website that a ``service date is unknown at this time'' for Sudan.

Haroun Mohamed, a trader in Nyala who transports goods across the border to
Chad and South Sudan, said the use of Starlink by RSF soldiers and civilians
was widespread. ``Ever since the eruption of war in Darfur, a lot of people
are bringing in Starlink devices and use it for business.  People are paying
between $2 or $3 per hour, so it's very good business.''

In South Africa, where Musk was born, the government hasn't yet approved
Starlink's application to operate. But that hasn't prevented a flourishing
trade in terminals there. Facebook groups feature providers that offer to
buy and activate the kits in Mozambique, where it is licensed, and then
deliver them over the border to South African customers.

There were enough users of the service in the country as of Nov. 28 that the
regulator felt the need to issue a statement reminding people that Starlink
has no license for South Africa. Unlawful use could result in fines of as
much as 5 million rand ($265,000), or 10% of annual turnover.

Regulators in other countries in Africa have issued similar
warnings. Ghana's National Communications Authority in December released a
statement demanding that anyone involved in selling or operating Starlink
services in the country ``cease and desist immediately.''

In Zimbabwe, authorities threatened raids in response to online advertising
for Starlink equipment, H-Metro newspaper reported in January. Prices for
Starlink gear on the black market ranged from $700 to $2,000, according to
local technology blog Techzim. Government officials in Ghana and Zimbabwe
have recently said they hope to allow licensed service.

Countries have different reasons for declining to cooperate with Starlink,
including stipulations that it have a local partner and concerns around data
use.

Starlink service is currently available -- legally -- in eight countries in
sub-Saharan Africa, and the US company has big plans to build its user
base. It is working with local marketing partners such as Jumia Technologies
AG, an e-commerce company backed by Pernod Ricard SA that has an agreement
to sell Starlink equipment for residential use in Nigeria and Kenya. There
has been significant demand, with the first shipment to Nigeria selling out
in a few hours, according to Chief Commercial Officer Hisham El Gabry.

``Jumia is aware that there are some unofficial distributors of these
kits,'' El Gabry said in an interview. While the number of devices is not
yet at an alarming level, ``it is a point of discussion between us and
Starlink that this needs to be brought under control,'' he said.  Jumia
verifies customers, and cancels orders if they are going to traders or
unverified sources, according to El Gabry. While ``that device could
eventually end up with bad actors,'' Starlink can monitor where these
devices are connecting from.  ``If they pick up it connecting from a
particular militant group for instance, they can enforce that control,'' he
said.

One Facebook group of people complaining they've been cut off suggests that
Starlink has recently de-activated some of the equipment smuggled into South
Africa. Still, social media groups point to a workaround, with terminals
re-registered in a country like Malawi and reactivated. Customers can then
make use of Starlink's roaming services, with a subscription paid through
the website.  The company offers a global roaming service with a monthly
charge of $200. Customers in South Africa can expect to pay about 12,000
rand ($630) for a kit.

In Venezuela, customers similarly get around the ban by paying for the
global service plan using an international credit card, according to people
familiar with the market, who said its use is now ``normalized.''

President Joe Biden's administration could tighten the export controls that
apply to Starlink to keep them out of the hands of American adversaries,
according to a former US government official. A security consultant who
provides training to companies on the restrictions said the real key is
trying to geolocate kits when they are turned on and blocking the ones that
are in violation of US export controls. That would require the company to
cooperate, the person said, asking not to be named discussing commercially
sensitive matters of national security.

A State Department spokesperson said that satellite constellations like
Starlink are a key tool for providing connectivity and bridging digital
divides. ``We encourage companies to take appropriate measures to seek
licenses for operating in nations around the world,'' they said.

Meanwhile, SpaceX is providing assurance to some countries that it will work
with them to keep its Starlink services out of certain areas.  SpaceX has
reassured Israel that it can geolocate and turn off individual terminals
when it detects illegal use, according to an Israeli government official.
In Yemen, meanwhile, Starlink kits are openly for sale on social media,
bought in countries such as Singapore or Malaysia, then activated on
roaming. Customers pay via bank transfers in other countries or at the port
of arrival. Prices are higher in Houthi-controlled areas, said one seller
who asked not be named for safety reasons. That's because telecoms are
controlled by the Houthis, who profit from the revenues, and have warned of
severe actions against those caught using Starlink.  Facebook and WhatsApp
groups offer the equipment regardless -- along with tips on how to
conceal the dish.

--With assistance from Fabiola Zerpa, Daniel Flatley, Mohammed Alamin,
Mohammed Hatem, Andreina Itriago Acosta, Nariman Gizitdinov, Ray Ndlovu,
Eric Johnson and Jake Rudnitsky.

------------------------------

Date: Wed, 27 Mar 2024 06:07:35 +0000
From: "John Colville" <John.Colville () uts edu au>
Subject: Explanations of Australian emergency phone number failure

Follow-up to failure of emergency call systems on 1 March 2024:

https://www.thenewdaily.com.au/news/national/2024/03/27/errors-telstra-triple-zero-outage

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.12
************************