RISKS Forum mailing list archives
Risks Digest 33.54
From: RISKS List Owner <risko () csl sri com>
Date: Sun, 27 Nov 2022 20:26:09 PST
RISKS-LIST: Risks-Forum Digest  Sunday 27 November 2022  Volume 33 : Issue 54

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.54>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Why artificial intelligence is now a primary concern for Henry Kissinger
  (David Ignatius)
Alphabet installed software on user devices without their knowledge,
  permission, or even data enabled (Mark E Jeftovic via Peter Houppermans)
Major tax-filing websites secretly share income data with Meta (Ars Technica)
Thinking about taking your computer to the repair shop? Be very afraid
  (Ars Technica)
The airport of the future is the airport of today -- and that's not good
  (PapersPlease)
What Riding in a Self-Driving Tesla Tells Us About the Future of Autonomy
  (NYTimes)
ID.me made baseless pandemic fraud claims to win contracts, Congress says
  (Ars Technica)
Redacted Documents Are Not as Secure as You Think (WiReD)
The World Generates So Much Data, New Unit Measurements Were Created to
  Keep Up (NPR)
Massive Twitter data breach was far worse than reported, reveal security
  researchers (9to5mac)
Twitter, Mastodon Handle, and App (Paul Roberts)
Idle Crypto Is the Devil's Workshop (The New York Times)
What Happens When Crypto Meets Ted Lasso (NYTimes)
U.S. authorities seize iSpoof, a call spoofing site that stole millions
  (Tech Crunch)
How Amazon shopping ads are disguised as real results (WashPost)
RansomExx joins the ranks of ransomware gangs switching to Rust (Cybernews)
How a Jewish Group's Online Surveillance Uncovered a Synagogue Plot (NYTimes)
Sundry twitter items (Lauren Weinstein PGN-culled)
Elon's phone confusion (Lauren Weinstein)
They Weren't Rich But They Wanted to invest.
  Then They Lost Everything on FTX (Mother Jones)
Re: NordStream (Nicolas Flamant Yotti)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 26 Nov 2022 16:06:27 -0500
From: Monty Solomon <monty () roscom com>
Subject: Why artificial intelligence is now a primary concern for Henry
  Kissinger (David Ignatius)

David Ignatius, The Washington Post, 24 Nov 2022

If leading powers don't find ways to limit AI's reach, Henry Kissinger warns,
``it is simply a mad race for some catastrophe.''

https://www.washingtonpost.com/opinions/2022/11/24/artificial-intelligence-risk-kissinger-warning-weapons/

------------------------------

Date: Wed, 23 Nov 2022 07:04:27 +0100
From: Peter Houppermans <peter () houppermans net>
Subject: Alphabet installed software on user devices without their knowledge,
  permission, or even data enabled.

I picked this up via Mark E Jeftovic's Axis of Easy, and it's worth paying
attention to:
https://www.zerohedge.com/political/lawsuit-claims-massachusetts-installed-covid-19-spyware-1-million-devices

I merely summarize:

1. Software was installed by Google, sorry, Alphabet on behalf of a
   government without the user's involvement or knowledge;
2. This installation was explicitly hidden from the user;
3. Alphabet appears to have means to enable data downloads explicitly
   against the wishes of the user.

------------------------------

Date: Tue, 22 Nov 2022 16:29:53 -0500
From: Monty Solomon <monty () roscom com>
Subject: Major tax-filing websites secretly share income data with Meta
  (Ars Technica)

Financial data was sent to Meta by TaxAct, H&R Block, and TaxSlayer.

https://arstechnica.com/tech-policy/2022/11/major-tax-filing-websites-secretly-share-income-data-with-meta/

------------------------------

Date: Tue, 22 Nov 2022 16:31:38 -0500
From: Monty Solomon <monty () roscom com>
Subject: Thinking about taking your computer to the repair shop?
  Be very afraid (Ars Technica)

Not surprisingly, female customers bear the brunt of the privacy violations.

https://arstechnica.com/information-technology/2022/11/half-of-computer-repairs-result-in-snooping-of-sensitive-data-study-finds/

------------------------------

Date: November 24, 2022 11:39:33 JST
From: "Edward Hasbrouck" <edward () hasbrouck org>
Subject: The airport of the future is the airport of today -- and that's
  not good. (PapersPlease)

A case study and post-pandemic holiday travel horror story:
https://papersplease.org/wp/2022/11/23/the-airport-of-the-future-is-the-airport-of-today-and-thats-not-good/

Today, the day before Thanksgiving, will probably be the busiest day for air
travel in the USA since the outbreak of the COVID-19 pandemic in early 2020.
If you are flying this week for the first time in three years, what will you
see that has changed?

Unfortunately, many of the most significant changes made during the pandemic
are deliberately invisible -- which is part of what makes them so evil.

During the pandemic, largely unnoticed, the dystopian surveillance-by-design
airport of the future that we've been worried and warning about for many
years has become, in many places, the airport of today.

While travelers were sheltering in place during the COVID-19 pandemic,
airports have taken advantage of the opportunity to move ahead with expansion
and renovation projects. While passenger traffic was reduced, and terminals
and other airport facilities were operating well below capacity, disruptions
due to construction could be minimized.

A characteristic feature of almost all new or newly-renovated major airports
in the U.S. and around the world is that they are designed and built on the
assumption that all passengers' movements within the airport will be tracked
at all times, and that all phases of passenger processing will be carried out
automatically using facial recognition.

In the airport of the future, or in a growing number of present-day airports,
there's no need for a government agency or airline that wants to use facial
recognition to install cameras or data links for that purpose. As in the new
International Arrivals Facility at Sea-Tac Airport, which opened this year,
the cameras and connectivity are built into the facility as common-use
public-private infrastructure shared by airlines, government agencies, and
the operator of the airport -- whether that's a public agency (as with almost
all U.S. airports) or a private company (as with many foreign airports).

This integrated and as-invisible-as-possible surveillance infrastructure
exemplifies the malign convergence of interests between government agencies
that want to identify and track travelers for pre-crime predictive profiling
and control, and airlines and airports (motivated by business efficiency even
when they are operated by instrumentalities of state and local governments)
that want to use the same hardware, and data from government ID databases,
for business process automation and revenue maximization.

That malign convergence of interests extends to an interest in making
surveillance tech inconspicuous and, if it is visible at all, making it
appear normal and unavoidable. Neither government agencies nor travel
companies nor airports want travelers to notice or question what is
happening, or want to take responsibility for it. If travelers ask questions,
airlines want to be able to answer, ``the Federal government made us do it'',
even if that isn't true (as it unquestionably isn't for U.S. citizens or any
domestic flyers within the U.S.).

The integration of facial recognition into the airport structure makes these
surveillance systems and practices much less visible -- by design -- than
retrofitted or standalone surveillance cameras. Their positioning along the
flow of passengers from airport entrance to aircraft door makes it almost
impossible to pass through the airport and board a plane without being
photographed, identified, and tracked. Opting out is, in these new airports
and terminals, a purely theoretical option for travelers who already know
their rights (without being given notice of them), figure out how to assert
them (again without notice) and who are willing to put up with additional
questioning, search, and/or delay.

More:
https://papersplease.org/wp/2022/11/23/the-airport-of-the-future-is-the-airport-of-today-and-thats-not-good/

------------------------------

Date: Sun, 27 Nov 2022 13:51:14 -0500
From: Monty Solomon <monty () roscom com>
Subject: What Riding in a Self-Driving Tesla Tells Us About the Future of
  Autonomy (NYTimes)

https://www.nytimes.com/interactive/2022/11/14/technology/tesla-self-driving-flaws.html

------------------------------

Date: Tue, 22 Nov 2022 16:40:38 -0500
From: Monty Solomon <monty () roscom com>
Subject: ID.me made baseless pandemic fraud claims to win contracts,
  Congress says (Ars Technica)

https://arstechnica.com/tech-policy/2022/11/id-me-made-baseless-pandemic-fraud-claims-to-win-contracts-congress-says/

------------------------------

Date: Fri, 25 Nov 2022 21:52:50 -0500
From: Monty Solomon <monty () roscom com>
Subject: Redacted Documents Are Not as Secure as You Think (WiReD)

https://www.wired.com/story/redact-pdf-online-privacy/

------------------------------

Date: Wed, 23 Nov 2022 12:01:56 -0500 (EST)
From: ACM TechNews <technews-editor () acm org>
Subject: The World Generates So Much Data, New Unit Measurements Were
  Created to Keep Up (NPR)

Ashley Ahn, NPR, 19 Nov 2022

Four new prefixes to the International System of Units were announced by the
27th General Conference on Weights and Measures on 18 Nov 2022, marking the
first expansion of the metric system since 1991.
The new prefixes are ronna (27 zeroes after the first digit) and quetta (30
zeroes) at the top of the measurement range, and ronto (27 zeroes after the
decimal point) and quecto (30 zeroes) at the bottom. Said the UK's National
Physical Laboratory (NPL), "The change was largely driven by the growing
requirements of data science and digital storage, which is already using
prefixes at the top of the existing range (yottabytes and zettabytes, for
expressing huge quantities of digital information)." NPL indicated ronto and
quecto will be useful in quantum science and particle physics.

  [And of course it will never stop. Y'otta do something abyte it. Maybe
  ronna contest for the next prefixes, send a ronto to toRonto, hold a
  ban-quetta. We already have the Irish Zetta. I wonder how many people will
  confuse ronna and ronto. PGN]

------------------------------

Date: Fri, 25 Nov 2022 22:19:11 -0500
From: Monty Solomon <monty () roscom com>
Subject: Massive Twitter data breach was far worse than reported, reveal
  security researchers (9to5mac)

https://9to5mac.com/2022/11/25/massive-twitter-data-breach/

------------------------------

Date: Wed, 23 Nov 2022 17:14:43 -0500
From: Paul Roberts <paulroberts () gmail com>
Subject: Twitter, Mastodon Handle, and App

I think we're seeing an Elon Musk blindspot. Essentially: he's purchased a
*social network*, but seems to think that the secret to making it work is
the same as the solution for Tesla and SpaceX -- namely: excellent
engineering.

Undoubtedly, there are ways to improve the Twitter platform, as Mudge has
pointed out. But what has kept users coming to Twitter and *giving it*
high-quality content is the social network bit, not the platform, per se.
It is having people you respect there, alongside you, sharing ideas and
engaging in conversations. Musk -- who is clearly not gifted in
person-to-person interactions -- just misses that.

That's also why he doesn't see why the *TwitChan* platform he's unleashed,
in which trolls hurl racial, misogynistic and antisemitic epithets,
conspiracy theories, and unbridled hate speech without consequence will
drive people *away* from the commons rather than draw them to it. You can
have an amazing social media platform, but without creatives to provide it
with content, Twitter is doomed. Looking at Twitter purely from the
engineering/coding perspective misses this bigger, deeper *truth* for
Twitter.

Alas, Musk has missed the window to get this right, hold on to the critical
10% of creatives and thinkers who provide 90% of the content and promote
Twitter as a "pro social" platform with -- perhaps -- a slightly more coarse
filter (literally). Next stop: bankruptcy.

  [Borrowed with permission from another group. New-ants instead of Nuance?
  Although `formal' is not the root of formaldehyde, `formic' is the root of
  all ants. Perhaps twitter should be embalmed, and placed in its full
  nakedness on permanent public view for all to see. PGN]

------------------------------

Date: Sun, 27 Nov 2022 22:40:03 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Idle Crypto Is the Devil's Workshop (The New York Times)

The newest monetary system in the world may be undone by the oldest problem
there is.

A few weeks ago, Sam Bankman-Fried's FTX cryptocurrency exchange collapsed in
a classic run. Investors were spooked by evidence that the exchange had
mismanaged their money and couldn't pay them back, so they panicked. And they
were right. They couldn't get their money back.

The blockchain technology behind cryptocurrency was supposed to make events
like this a thing of the past. But FTX's business was to serve as a gateway
into (and out of) cryptocurrency. That business still depends on humans to
serve as honest gatekeepers. And we've seen over and over that humans can't
resist the main temptation that comes with this role: to use their
customers' money for their own purposes.

https://www.nytimes.com/2022/11/27/opinion/ftx-sam-bankman-fried-fullenkamp.html

------------------------------

Date: Sun, 27 Nov 2022 13:43:42 -0500
From: Monty Solomon <monty () roscom com>
Subject: What Happens When Crypto Meets Ted Lasso (NYTimes)

A group of American cryptocurrency investors is trying to turn an obscure
English soccer club into the *Internet's team* with a global following of
crypto[currency] enthusiasts.

https://www.nytimes.com/2022/11/06/business/crypto-soccer-crawley.html

  [Socc'er to'em. PGN]

------------------------------

Date: Thu, 24 Nov 2022 15:57:13 -0500
From: Monty Solomon <monty () roscom com>
Subject: U.S. authorities seize iSpoof, a call spoofing site that stole
  millions (Tech Crunch)

https://techcrunch.com/2022/11/24/ispoof-seized/

------------------------------

Date: Fri, 25 Nov 2022 01:23:46 -0500
From: Monty Solomon <monty () roscom com>
Subject: How Amazon shopping ads are disguised as real results (WashPost)

https://www.washingtonpost.com/technology/interactive/2022/amazon-shopping-ads/

------------------------------

Date: Sun, 27 Nov 2022 10:09:34 -0500
From: Monty Solomon <monty () roscom com>
Subject: RansomExx joins the ranks of ransomware gangs switching to Rust
  (Cybernews)

https://cybernews.com/news/ransomexx-switching-to-rust/

------------------------------

From: Monty Solomon <monty () roscom com>
Date: Sun, 27 Nov 2022 13:04:11 -0500
Subject: How a Jewish Group's Online Surveillance Uncovered a Synagogue Plot
  (NYTimes)

The Community Security Initiative of the UJA-Federation of New York sounded
the alarm that set off the manhunt that ended in two arrests.
https://www.nytimes.com/2022/11/22/nyregion/nyc-synagogue-threats-twitter.html

------------------------------

Date: Tue, 22 Nov 2022 21:15:32 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Sundry twitter items (PGN-culled)

Sam Bankman-Fried, Elon Musk, and a secret text
https://www.semafor.com/article/11/22/2022/sam-bankman-fried-elon-and-a-secret-text

Elon Musk Tweets Defense of Cop Who Killed Unarmed Black Man in Ferguson
Missouri
https://gizmodo.com/elon-musk-tweets-cop-killed-unarmed-black-man-ferguson-1849815713

Musk running another phony poll to bring back most suspended users: "Should
Twitter offer a general amnesty to suspended accounts, provided that they
have not broken the law or engaged in egregious spam?"

Now you know why people are referring to Elon's Twitter as $8chan. It's
headed toward being the most toxic place on the Net for however long it
lasts -- which isn't likely to be long under these conditions. -L

  [Eric Sosman queries, ``Might there be a serpent in the Garden of Elon?''
  PGN]

High-profile Apple executive overseeing App Store deleted his Twitter
account, which had over 200,000 followers
https://finance.yahoo.com/news/high-profile-apple-executive-overseeing-142618165.html

Elon Musk Inherited Twitter's Child Abuse Nightmare--Experts Say He's Making
It Worse
https://www.forbes.com/sites/alexandralevine/2022/11/18/elon-musk-twitter-csam-lawsuit/

------------------------------

Date: Sat, 26 Nov 2022 08:28:27 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Elon's phone confusion

It was amusing yesterday hearing Musk talking about "building his own phone"
if #Twitter is tossed from the #Apple and #Google app stores for violations
of their Terms of Service. Notably, his comment gives us instant insight into
his lack of knowledge in this area. Let's review:

1) There was already supposed to be a Tesla Pi phone to be available by
perhaps the end of this year. Maybe it will arrive in a fully self-driving
Tesla without a human driver.

2) He doesn't actually need to build his own phone. If he wants an Elon
phone, he could just rebrand one of the many Chinese Android clone phones
(though notably, most of these will not have Play Store access, see below).

3) The phone isn't the problem for a toxic Twitter. The *ecosystems* are the
issue. The Apple and Google smartphone ecosystems are built to provide
end-to-end security for apps, best effort protection against malware (e.g.,
Google's Play Store "Play Protect" that scans apps for malware), and so on.
If an app is not in the app stores, you can't easily run that app. Sure,
Elon could sell a clone phone with his pay-to-play Twitter app already
installed, but that phone would not be expected to have access to the Google
Play Store for other apps unless they were preloaded also. Now you also need
an update mechanism for the apps. Essentially, you have to build an entire
new ecosystem.

4) Apple currently locks down their iOS devices tightly against non-app
store apps. This will be changing with new EU rules coming into force. On
the other hand, Google has always permitted sideloading of (non-Play Store)
Android apps by knowledgeable users. Technically, Elon could promote users
sideloading a Twitter app on Android (and presumably eventually iOS) to
bypass app store restrictions. However, there is definitely significantly
increased friction and potential for user confusion in this model.

5) We've heard Elon complain about the cut that the Apple and Google app
stores take from app revenues. This of course only is an issue if your app
isn't free and/or is charging users for something. This tends to validate
the observation that Elon wants to turn all Twitter users into an ongoing
profit center -- thus his talk about crypto, banking, etc. via Twitter, and
his "anything app" fixation. While he may be able to convince significant
numbers of users to pay him continuously for now worthless blue checks, the
extent to which large numbers of Internet users will want to participate in
a "your entire life belongs to Elon" app/banking ecosystem remains to be
seen. -L

------------------------------

Date: Fri, 25 Nov 2022 01:34:22 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: They Weren't Rich But They Wanted to invest. Then They Lost
  Everything on FTX (Mother Jones)

The amateur investors who trusted the crypto platform have lost a shot at
financial stability.

He Lost $17,000 in Crypto.
https://www.motherjones.com/politics/2022/11/ftx-ftt-users-losses-alameda-sam-bankman-fried/

Here's How to Avoid His Mistake: He's not the first person to suffer this
fate, but hopefully he can be the last.
https://www.wired.com/story/i-lost-17000-dollars-crypto-how-to-avoid/

------------------------------

Date: Tue, 22 Nov 2022 13:19:13 +0000
From: "Nicolas Flamant Yotti" <nicolas.flamant () papernest com>
Subject: Re: NordStream (RISKS-33.50 and RISKS-33.52)

My colleague Kendall sent you some information about the aftermath of the
NordStream pipe bursting, which was uploaded here right away:
https://seclists.org/risks/2022/q4/3

Here is a follow-up.

Carbon offsetting projects estimate the emissions they have prevented by
predicting how much deforestation and land clearing would have occurred
without them. The reductions are then sold on as credits. We found their
predictions were often inconsistent with previous levels of deforestation
in the area and in some cases, the threat to the trees may have been
overstated.
There is a reason that Indigenous Environmental Network and Indigenous
Climate Action held a protest against offsetting at COP26, the UN's annual
climate conference: Offsetting incentivises the commodification of nature
and allows powerful corporations to take over the lands of vulnerable
communities, risking human rights abuses. Offset schemes often exclude local
and Indigenous Peoples from land management practices that allow them to
grow food and preserve biodiversity.

Research on programs in the Brazilian Amazon headed by scientist and former
project inspector Thales West discovered that initiatives consistently
misrepresented their carbon reductions. The procedures, he claimed, ``are
not robust enough, leaving room for projects to obtain credits that have no
influence at all on the environment.''

Source: https://www.switch-plan.co.uk/green-energy/carbon-offsetting/

In charge of digital partnerships for papernest UK
www.papernest.co.uk

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.54
************************