RISKS Forum mailing list archives
Risks Digest 33.83
From: RISKS List Owner <risko () csl sri com>
Date: Sun, 10 Sep 2023 21:22:00 PDT
RISKS-LIST: Risks-Forum Digest Sunday 10 September 2023 Volume 33 : Issue 83 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/33.83> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Pedestrian dies after Cruise cars block ambulance (San Francisco Chronicle) Ryanair boss calls air traffic chaos report rubbish (BBC News) WHAT COULD GO WRONG? - Pipeline safety agency's proposed pilot for ChatGPT in rulemaking raises questions (Lauren Weinstein) A Rube Goldberg chain of failures led to breach of Microsoft-hosted government emails (The Verge) Update your iPhone: Apple just pushed out a significant security update (APNews) Active North Korean campaign targeting security researchers (Google) The NYPD will police Labor Day parties with surveillance drones (The Verge) Porn age verification law is unconstitutional, says judge (The Verge) Over 100 Connecticut state troopers accused of faking traffic stops (The Boston Globe) Sourcegraph Administrator Access compromised by Credentials in Publicly Available Code (Ars Technica) Don't fall for firms pushing "voice verification" bypasses (Lauren Weinstein) Silicon Valley vs. Old People (NYTimes) Crypto Collapse Winners? The Lawyers (NYTimes) Cyberprofessionals say industry urgently needs to confront mental health crisis (Cyberscoop) Another AI Mess: growing reliance on language apps jeopardizes some asylum applications (The Guardian) U.S.-China Competition and Military AI. How Washington Can Manage Strategic Risks amid Rivalry with Beijing (CNAS) An update on Squares outage (danny burstein) San Franciscans Are Having Sex in Robotaxis, and Nobody Is Talking About It (SFStandard) Your car wants to know about your sex life (Politico) FCC proceedings on encrypted over the air TV -- how too comment (Lauren Weinstein) Re: Kia and Hyundai Helped Enable a Crime Wave. They Should Pay for It (Mike Smith) Re: Electric cars catch fire in Florida after flooding (Henry Baker) Re: A battery catches fire on an Air France flight, the staff reacts in a few minutes (Steve Bacher) Re: Eversource Notice of Data Security Incident (Steve Bacher) Re: Saudi man sentenced to death for tweets in harshest verdict yet for online critics (Steve Bacher) Re: UK ATC outage (Jim Geissman) Re: Lahaina: single points of failure (Steve Bacher) Re: The Titan's Submersible Disaster Was Years in the Making (Martin Ward) Magic (Rob Slade) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Tue, 05 Sep 2023 17:50:54 -0700 From: Geoff Kuenning <geoff () cs hmc edu> Subject: Pedestrian dies after Cruise cars block ambulance (San Francisco Chronicle) A pedestrian injured in a traffic collision in San Francisco died; EMTs allege that they would have survived had two Cruise cars and an unoccupied police car not prevented the ambulance from leaving promptly. https://www.sfgate.com/bayarea/article/cruise-cars-reportedly-block-first-responders-18343475.php ------------------------------ Date: Thu, 7 Sep 2023 16:36:41 -0400 From: Gabe Goldberg <gabe () gabegold com> Subject: Ryanair boss calls air traffic chaos report rubbish (BBC News) How did airport chaos unfold? In its initial report published on Wednesday, Nats said that at 08:32 on 28 August, its system received details of a flight which was due to cross UK airspace later that day. Airlines submit every flight path to the national control centre; these should automatically be shared with Nats controllers, who oversee UK airspace. The system detected that two markers along the planned route had the same name - even though they were in different places. As a result, it could not understand the UK portion of the flight plan. This triggered the system to automatically stop working for safety reasons, so that no incorrect information was passed to Nats' air-traffic controllers. The backup system then did the same thing. https://www.bbc.com/news/business-66723586 Fault tolerance? What's that? One bad flight plan craters the system? ------------------------------ Date: Tue, 5 Sep 2023 12:35:26 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: WHAT COULD GO WRONG? - Pipeline safety agency's proposed pilot for ChatGPT in rulemaking raises questions https://fedscoop.com/pipeline-safety-agencys-proposed-pilot-for-chatgpt-in-rulemaking-raises-questions/ [Gabe Goldberg gave me the entire article. I try not to beat dead horses in AI misuse, when you can simply click it. PGN] ------------------------------ Date: Wed, 6 Sep 2023 22:45:12 -0400 From: Monty Solomon <monty () roscom com> Subject: A Rube Goldberg chain of failures led to breach of Microsoft-hosted government emails https://www.theverge.com/2023/9/6/23861890/microsoft-azure-data-breach-investigation-failures-outlook ------------------------------ Date: Thu, 7 Sep 2023 22:49:17 -0400 From: Monty Solomon <monty () roscom com> Subject: Update your iPhone: Apple just pushed out a significant security update (APNews) https://apnews.com/article/apple-iphone-security-update-0964e8bd5264e5b66c3908d4 9fdf404a https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/ Apple security updates macOS Ventura 13.5.2 https://support.apple.com/kb/HT213906 iOS 16.6.1 and iPadOS 16.6.1 https://support.apple.com/kb/HT213905 watchOS 9.6.2 https://support.apple.com/kb/HT213907 ------------------------------ Date: Fri, 8 Sep 2023 08:56:44 -0400 From: Monty Solomon <monty () roscom com> Subject: Active North Korean campaign targeting security researchers (Google) https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/ ------------------------------ Date: Mon, 4 Sep 2023 00:49:55 -0400 From: Monty Solomon <monty () roscom com> Subject: The NYPD will police Labor Day parties with surveillance drones (The Verge) https://www.theverge.com/2023/8/31/23318832/nypd-drones-parties-jouvert-west-indian-labor-day-weekend ------------------------------ Date: Mon, 4 Sep 2023 00:52:04 -0400 From: Monty Solomon <monty () roscom com> Subject: Porn age verification law is unconstitutional, says judge (The Verge) https://www.theverge.com/2023/8/31/23854369/texas-porn-age-verification-law-blocked-judge ------------------------------ Date: Mon, 4 Sep 2023 14:04:05 -0400 From: Monty Solomon <monty () roscom com> Subject: Over 100 Connecticut state troopers accused of faking traffic stops (The Boston Globe) Auditors found tens of thousands of apparently falsified traffic stop records, many of white drivers. They suspect the officers were trying to appear more productive. https://www.boston.com/news/national-news/2023/09/04/over-100-connecticut-state-troopers-accused-of-faking-traffic-stops/ ------------------------------ Date: Mon, 4 Sep 2023 23:57:12 -0400 From: Bob Gezelter <gezelter () rlgsc com> Subject: Sourcegraph Administrator Access compromised by Credentials in Publicly Available Code (Ars Technica) ArsTechnica reports that a recent security breach at Sourcegraph was facilitated by credentials embedded in publicly-available source code. Credentials visible in source or executable code is an obviously bad practice. Besides the fact that it is obviously dangerous, it has been on the OWASP list for many years. The tragedy is that this class of security breach is completely preventable. There is no reason for putting credentials in source or executable code. The ArsTechnica article can be found at: https://arstechnica.com/security/2023/09/pii-leaked-after-sourcegraph-an-ai-driv en-service-for-code-development-is-hacked/ ------------------------------ Date: Fri, 8 Sep 2023 08:37:19 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Don't fall for firms pushing "voice verification" bypasses A suggestion. If a firm you deal with offers to sign you up for a *voice verification* service that bypasses PINs, passwords, etc., you would be wise to decline. There are increasing reports of online AI voice generators being used to defraud customers via these systems. And the situation is likely to be getting only worse. -L ------------------------------ Date: Sat, 9 Sep 2023 14:33:04 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Silicon Valley vs. Old People What Mark Zuckerberg Doesn't Understand About Old People https://www.nytimes.com/2023/09/06/opinion/seniors-tech-silicon-valley.html ------------------------------ Date: Wed, 6 Sep 2023 16:22:44 PDT From: Peter Neumann <neumann () csl sri com> Subject: Crypto Collapse Winners? The Lawyers (NYTimes) David Yaffe-Bellany and Yiwen Lu *The New York Times* Business front page, National Edition, 6 Sep 2023 Profiting while billing over $700M in fees since last year to untangle bankruptcies of 5 industrial firms [including the FTX exchange -- RISKS-33.75] ------------------------------ Date: Thu, 07 Sep 2023 13:52:48 +0000 From: Richard Marlon Stein <rmstein () protonmail com> Subject: Cyberprofessionals say industry urgently needs to confront mental health crisis (Cyberscoop) https://cyberscoop.com/cyber-professionals-mental-health/ Despite a growing awareness of mental health struggles within the industry, sources said there still aren't enough resources inside companies or across the broader cybersecurity community for professionals dealing with burnout, stress and the intense anxiety of working in a high-pressure environment. ------------------------------ Date: Thu, 7 Sep 2023 13:22:20 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: Another AI Mess: growing reliance on language apps jeopardizes some asylum applications (The Guardian) https://www.theguardian.com/us-news/2023/sep/07/asylum-seekers-ai-translation-ap ps ------------------------------ Date: Thu, 07 Sep 2023 15:22:23 +0200 From: "Diego.Latella" <diego.latella () isti cnr it> Subject: U.S.-China Competition and Military AI. How Washington Can Manage Strategic Risks amid Rivalry with Beijing Jacob Stokes, Alexander Sullivan and Noah Greene Center for a New American Security, 25 Jul 2023 https://www.cnas.org/publications/reports/u-s-china-competition-and-military-ai ------------------------------ Date: Fri, 8 Sep 2023 15:52:06 +0000 () From: danny burstein <dannyb () panix com> Subject: An update on Squares outage (fwd)
---------- Forwarded message ---------- Date: Fri, 8 Sep 2023 14:10:25 +0000 From: Square <noreply () messaging squareup com> Subject: An update on Squares outage
[ID snipped] We are writing to apologize. Due to a systems outage within Square, sellers have been unable to log into their accounts or process payments since around noon Pacific Time on Thursday. We know that you trust us with your business, and these types of situations add challenges to running your operations. For that, we are truly sorry. Our services are now starting to come back online. As a reminder, you can use offline mode to continue accepting payments during these types of outages. =A0 Once the outage has been fully investigated, we plan to publish a full review of this issue and determine what steps we can take to prevent it from happening again. In the meantime, we will continue to keep you up to date on the status of the outage and next steps via email, as well as through our social media channels and on issquareup.com. Thank you for bearing with us and for your continued partnership. ------------------------------ Date: Thu, 7 Sep 2023 22:53:21 -0400 From: Monty Solomon <monty () roscom com> Subject: San Franciscans Are Having Sex in Robotaxis, and Nobody Is Talking About It (SFStandard) https://sfstandard.com/2023/08/11/san-francisco-robotaxi-cruise-debauchery/ ------------------------------ Date: Thu, 7 Sep 2023 09:27:09 -0700 From: Steve Bacher <sebmb1 () verizon net> Subject: Your car wants to know about your sex life Cars are increasingly filming, recording and tracking drivers and passengers, new report finds. https://www.politico.eu/article/car-manufacturer-data-privacy-driver-passenger-sexual-activity-report/ Car manufacturers are collecting troves of data on drivers and passengers —- some even tracking drivers' sexual activity -— according to a new report. In a review <https://linklock.titanhq.com/analyse?url=https%3A%2F%2Ffoundation.mozilla.org%2Fprivacynotincluded%2Fcategories%2Fcars%2F&data=eJxNTLsKwjAU_Zpks1RtAw4ZXArd1MU53sR4Nc0NeRT0603FoXDgcJ4gRde3AL2-iUO35VoGcpgRqDGFT_I6nDbi3LeXeRQ8yZeZ0bOuneiDzqk7Fa9VRvINRcujBEvlqaKulfVPkY-cQ2L7I9sNFavd_2nZ1yBEnBW8PWX04Io2upqgsrEU0aSfiAt9AYRVQBg%> of 25 car brands and 15 car companies published by Mozilla Foundation on Wednesday, researchers found that Japanese car manufacturer Nissan said it could sell information about drivers and passengers’ sexual activity, intelligence and health diagnosis to data brokers, law enforcement agencies and other companies. German manufacturer Volkswagen said it could record drivers’ voices to profile them for targeted ads. “The amount of data that these car companies blatantly said that they could collect was shocking,” said Jen Caltrider, lead researcher at Mozilla Foundation, the nonprofit owner of the company running the Firefox Browser. “It's like nobody's ever challenged them or asked them questions about privacy, and so they just include everything.” [...] Caltrider and other researchers looked at car companies’ privacy policies and downloaded their apps in Germany, France, the U.S., Japan and South Korea. They found that the industry hoovered up massive amounts of data through dozens of sensors and technology built into newer car models that calculate people's weight as they sit down, filmed the car inside and outside with cameras, listened to conversations through microphones and tracked users via connected apps on smartphones. ------------------------------ Date: Mon, 4 Sep 2023 19:08:18 -0700 From: Lauren Weinstein <lauren () vortex com> Subject: FCC proceedings on encrypted over the air TV -- how to comment It's important to realize that even if you never watch over the air TV, many people depend on it due to the unavailability of other options in their locations, or due to cost issues. The broadcasting industry has been making inane excuses for encryption of free channels, including (get this!) blaming *deep fake* AI. Uh huh. This article explains how to comment to the FCC. NOTE that everything entered there become public record, including names, addresses, etc. https://www.tvtechnology.com/news/pearl-tv-responds-to-critics-of-30-encryption ------------------------------ Date: Fri, 8 Sep 2023 17:03:41 +0000 (UTC) From: Mike Smith <jmikesmith () yahoo com> Subject: Re: Kia and Hyundai Helped Enable a Crime Wave. They Should Pay for It (RISKS-33.82) Increased car theft is happening in Canada, too. CBC reports many of them are being shipped to overseas markets within days or even hours of being stolen: https://www.cbc.ca/news/world/auto-theft-canada-1.6953242 "Police sources tell CBC News that large, established organized criminal gangs based in Montreal are behind most of the thefts, though it's become so lucrative, other groups with less technical skill are becoming involved. This partially explains what the police sources say is an increase in home invasions and violent attacks to obtain a vehicle and its keys. ... Small teams sometimes mark cars in mall parking lots during the day by using GPS trackers similar to the ones people can buy and place in their luggage or on key chains to track lost items. Then, typically at night, they use the trackers to follow the marked vehicles and take them from streets and driveways, quickly cramming multiple vehicles into shipping containers, which are then moved by truck or train to the Port of Montreal and loaded onto ships. "Most thieves use one of three methods of attack. The first type is a relay attack, which involves "capturing" the signal of a key fob, then replicating it to enter and start a vehicle. Thieves used to hold a large antenna in front of a house door, scanning for keys left inside, but the technology has advanced in the past year, becoming smaller and easier to use at a distance. Then there is the onboard diagnostic port, accessible via a small door under the steering wheel in all vehicles. Typically used by a mechanic to connect a handheld computer that can diagnose a problem, the access point is being used by thieves to reprogram the car to understand a new key they've made for it. The latest attack method involves the Controller Area Network (CAN bus), which acts similar to a nervous system for vehicles, enabling communication between various components of the car. Thieves connect to one of multiple nodes from the exterior of the vehicle, commanding it to unlock and start the engine. The process may take only seconds." ------------------------------ Date: Mon, 04 Sep 2023 20:24:01 +0000 From: Henry Baker <hbaker1 () pipeline com> Subject: Re: Electric cars catch fire in Florida after flooding (RISKS-33.82) I don't want to minimize the risk of EV's catching fire during/after floods/accidents/recharging/shipping/aging/parking..., but let's keep things in perspective. It's taken well over 100 years to deal with gasoline-powered vehicles exploding during/after refueling/accidents/shipping/parking... Have a gander at newpapers and *movies* from 1920's, 1930's, 1940's, etc., to see how many of these problems there were, and how long it took society to design gas tanks, filling stations, tankers, etc., to minimize these risks. https://www.latimes.com/archives/la-xpm-1992-09-21-mn-832-story.html Gasoline is perhaps the *worst* possible choice for a retail fuel, due to its quick vaporization and subsequent tendency to explode. Better choices would have been diesel and alcohol. Indeed, some gasoline-powered racing cars were replaced in 1965 by alcohol-powered racing cars due to the inherent risks of gasoline. https://www.motortrend.com/how-to/ctrp-1201-alcohol-fuel-basics/
From the 20/20 perspective of hindsight, one can only marvel
at the politics and economics that enabled such an inherently dangerous fuel like gasoline to become ubiquitous. There is an inherent risk of *any* energy-storage mechanism powerful enough to propel a 5000 lb vehicle 500 miles at 70 mph; e.g., Lucid's new 113kwh battery: https://www.caranddriver.com/news/a33797162/2021-lucid-air-517-mile-range-113-kw h-battery/ Let's put this Lucid battery in perspective. A small fireplace might generate perhaps 1.5 kwatts, so a Lucid battery fire might burn for *three 24-hour days* with heat equivalent to a small fireplace. The inherent risks of large quantities of energy storage were already being explored in 1940's/1950's scifi -- e.g., the use of short-circuited 'blaster' handguns as 'IED' bombs. ------------------------------ Date: Tue, 5 Sep 2023 13:26:38 -0700 From: Steve Bacher <sebmb1 () verizon net> Subject: Re: A battery catches fire on an Air France flight, the staff reacts in a few minutes (Euro) Definitely badly translated. ChatGPT would never write in such a way. (Still wondering what the Figaro could be.) The article recommends keeping your devices charged to no more than 30% and/or not charging during flight. With all due respect, that is not going to happen unless you want to see a long line at the airport filled with departing passengers looking for a phone recharging spot (which is almost certainly going to be poisoned with malware anyway). ------------------------------ Date: Tue, 5 Sep 2023 13:37:37 -0700 From: Steve Bacher <sebmb1 () verizon net> Subject: Re: Eversource Notice of Data Security Incident (RISKS-33.82) We've received similar notices from two financial companies with which we have significant dealings. It's pretty widespread due to the exposure from MOVEit. If everyone is relying on boilerplate to send out the notices, I don't have a problem with that. It doesn't necessarily mean they're using AI. ------------------------------ Date: Tue, 5 Sep 2023 13:44:14 -0700 From: Steve Bacher <sebmb1 () verizon net> Subject: Re: Saudi man sentenced to death for tweets in harshest verdict yet for online critics (RISKS-33.82) But... Elon promised free speech for everybody ... ------------------------------ Date: Wed, 6 Sep 2023 08:06:02 -0700 From: "Jim" <jgeissman () socal rr com> Subject: Re: UK ATC outage A flight plan has two different waypoints mistakenly given the same ID. Equals invalid flight plan. Response? Crash the entire ATC system. No comment would seem to be necessary. [Tell that to the ATC system folks. PGN] ------------------------------ Date: Tue, 5 Sep 2023 14:01:35 -0700 From: Steve Bacher <sebmb1 () verizon net> Subject: Re: Lahaina: single points of failure (RISKS-33.81) Looks like the article is N/A at *The NY Times*, but it's available at the Seattle Times: https://www.seattletimes.com/nation-world/maui-evacuation-alert-shows-limits-of-a-warning-system-dependent-on-cellphones/ ------------------------------ Date: Tue, 5 Sep 2023 10:58:31 +0100 From: Martin Ward <mwardgkc () gmail com> Subject: Re: The Titan's Submersible Disaster Was Years in the Making In the late 1970's I joined a diving club. In the first training session we were taught the meaning of the saying: ``There are old divers and there are bold divers, but there are no old bold divers.'' ------------------------------ Date: Tue, 5 Sep 2023 09:49:11 -0700 From: Rob Slade <rslade () gmail com> Subject: Magic Abstract (aka tl:dr) Life is unpredictable (so eat dessert first). Our modern world is unpredictable, and uncertain. The increasing uncertainty drives fatalism, which various political actors use to increase their own power and reduce the possibility of opposition. Information technology, based upon logical computers, could provide more certainty. Unfortunately, marketing decisions frequently make the use of computers, and the results from computers, more uncertain. We, in information technology, should address these issues, and work towards greater knowledge and certainty. https://fibrecookery.blogspot.com/2023/09/magic.html ------------------------------ Date: Sat, 1 Jul 2023 11:11:11 -0800 From: RISKS-request () csl sri com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: <risksinfo.html>. *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 33.83 ************************
Current thread:
- Risks Digest 33.83 RISKS List Owner (Sep 10)