RISKS Forum mailing list archives
Risks Digest 33.93
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 11 Nov 2023 20:43:27 PST
RISKS-LIST: Risks-Forum Digest  Saturday 11 November 2023  Volume 33 : Issue 93
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.93>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Man crushed to death by robot in South Korea (BBC News)
Risk of all your communication eggs in one basket (Sundry)
Recognizing Fake News Now a Required Subject in California Schools (IJPR)
How Russian disinformation toppled multiple governments in Africa (WashPost)
Russia fines Google $100 million, and Facebook parent company $27 million,
  for content violations (The Washington Post)
Cloudflare Outage: There's Plenty Of Blame To Go Around (Data Center Frontier)
Essays: Decoupling for Security (Schneier on Security)
U.S. Drones Are Flying Over Gaza to Aid in Hostage Recovery, Officials Say
  (The New York Times)
Look, Up in the Sky! Amazon's Drones Are Delivering Cans of Soup!
  (The New York Times)
Five big carmakers beat lawsuits alleging infotainment systems invade privacy
  (Ars Technica)
Multiple Python Obscuration Tools that are not trustable (Ars Technica)
Data on 267,000 Sarnia patients going back 3 decades among cyberattack thefts
  at 5 Ontario hospitals (CBC)
Brothel compromises (Sundry items from Monty Solomon)
Android 14's storage disaster gets patched, but your data might be gone
  (Ars Technica)
Man vs. Musk: A Whistleblower Creates Headaches for Tesla (NYTimes)
Don't trust *Find my apps* or location trackers like AirTags (WashPost)
Why Banks Are Suddenly Closing Down Customer Accounts (NYTimes)
Virginia State Police Prepares Team To Monitor Voter Removals (DCist)
The impasse over who controls your car data (WashPost)
This smart garage door controller is no longer very smart (The Verge)
Critical vulnerability in Atlassian Confluence server is under
  *mass exploitation* (Ars Technica)
Re: A $92,000 flying car can reach speeds of 63 miles (John Levine)
Re: Toyota has built an EV with a fake transmission, and we've driven it
  (Martin Ward)
Re: They Cracked the Code to a Locked USB Drive Worth $235 Million in Bitcoin.
  Then It Got Weird. (Dick Mills)
Re: Comments on RISKS-33.92 (Jericho)
Hiring: One Jamaican Bobsled Team -- and Weird Job Descriptions (Cliff Kilby)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 8 Nov 2023 18:19:37 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Man crushed to death by robot in South Korea (BBC News)

A man has been crushed to death by a robot in South Korea after it failed to differentiate him from the boxes of food it was handling, reports say.

https://www.bbc.com/news/world-asia-67354709

------------------------------

Date: Wed, 8 Nov 2023 16:55:45 +1100
From: Bruce Hunter <brucer.hunter () gmail com>
Subject: Risk of all your communication eggs in one basket

Australia's second largest mobile and Internet service provider had a major outage across Australia today.

https://www.smh.com.au/technology/what-caused-the-optus-outage-20231108-p5eiep.html?btis
https://www.abc.net.au/news/2023-11-08/optus-outage-mobile-phones-internet-what-happened/103077180

It was revealing how dependent our society is on the full functioning of our communication services.
This outage affected public transport, `000' emergency calls (Australia's 911) for Ambulance-Police-Fire Brigades, two-factor authentication of websites, Uber, taxis, hospitals, and the list goes on. People are scrounging for other ways to connect, as most of our digital life is dependent on communication.

In a hint at reducing the risk impact of NO communication services, an Optus spokesperson said: "We are aware of some mobile phones having issues connecting to triple-0. *If Optus customers need to call emergency services, we suggest finding a family member or neighbour with an alternative device"!* [emphasis added].

To Optus' credit they have returned systems to operation in just 8 hours.

Diversity is one of the key measures to improve reliability and resilience. I was lucky to continue on as my Internet was with a different provider to my mobile. As IoT, Cloud and 5G become the norm for "interconnectedness" we will experience more risks to our "normal" life.

I just got to get a list of neighbours with an *alternative device*, just in case. ;-)

  [John Colville noted this item: More than 10 million customers were affected by the Optus outage (ABC): Service failed at 4am AEDT and took 14 hours to be close to completely recovered. No explanation yet as to cause.
  https://www.abc.net.au/news/2023-11-09/how-the-optus-outage-played-out/103079768
  PGN]

------------------------------

Date: Sat, 11 Nov 2023 14:08:16 -0500
From: Monty Solomon <monty () roscom com>
Subject: Recognizing Fake News Now a Required Subject in California Schools (IJPR)

https://www.ijpr.org/media-society/2023-11-10/recognizing-fake-news-now-a-required-subject-in-california-schools

------------------------------

Date: Sun, 5 Nov 2023 13:48:29 -0500
From: Monty Solomon <monty () roscom com>
Subject: How Russian disinformation toppled multiple governments in Africa (WashPost)

In the two years since an Israeli company first tried to thwart a Russian disinformation campaign in Burkina Faso, coups or rebels have removed the governments of five former French colonies, replacing them with pro-Russia leaders.

https://www.washingtonpost.com/technology/2023/10/21/percepto-africa-france-russia-disinformation/

------------------------------

Date: Sun, 26 Dec 2021 15:04:00 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Russia fines Google $100 million, and Facebook parent company $27 million, for content violations (The Washington Post)

MOSCOW — A Russian court fined Google nearly $100 million Friday for “systematic failure to remove banned content” — the largest such penalty yet in the country as Moscow attempts to rein in Western tech giants.

The fine was calculated based on Google’s annual revenue, the court said. Roskomnadzor, Russia’s Internet regulator, told the court that Google’s 2020 turnover in the country exceeded 85 billion rubles, or about $1.15 billion.

Meta Platforms, the parent company of Facebook and Instagram, was fined approximately $27 million, also for declining to remove banned content, several hours after the Google decision. Meta’s fine, like the one levied on Google, was tied to yearly revenue in Russia.
The fines represent an escalation in Russia’s push to pressure foreign tech firms to comply with its increasingly strict rules on what it deems illegal content — particularly apps, websites, posts and videos related to jailed opposition leader Alexei Navalny’s network, which has been labeled as extremist in the country.

https://www.washingtonpost.com/world/2021/12/24/google-russia-fine-banned-content/

------------------------------

Date: Wed, 8 Nov 2023 14:56:29 +0000
From: Victor Miller <victorsmiller () gmail com>
Subject: Cloudflare Outage: There's Plenty Of Blame To Go Around (Data Center Frontier)

https://www.datacenterfrontier.com/cloud/article/33014487/cloudflare-outage-theres-plenty-of-blame-to-go-around

------------------------------

Date: Wed, 8 Nov 2023 14:43:54 +0000
From: Victor Miller <victorsmiller () gmail com>
Subject: Essays: Decoupling for Security (Schneier on Security)

https://www.schneier.com/essays/archives/2023/11/decoupling-for-security.html

------------------------------

Date: Sun, 5 Nov 2023 22:25:32 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: U.S. Drones Are Flying Over Gaza to Aid in Hostage Recovery, Officials Say (The New York Times)

The military has been sending weapons and advisers to Israel, but the flights suggest a more active American role.

Approximate paths of American military drone flights over the Gaza Strip. Flights shown here are from Oct. 28 to Nov. 2, of which at least six flights were over Gaza. Source: Flight path data from FlightRadar24. Paths are approximate based on each flight's reported position about every minute.

https://www.nytimes.com/2023/11/02/world/middleeast/israel-hamas-gaza-hostages-us.html?smid=nytcore-ios-share&referringSource=articleShare

  [Military drones are tracked by FlightRadar24? That doesn't seem like a good idea...]

------------------------------

Date: Sat, 4 Nov 2023 19:26:46 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Look, Up in the Sky! Amazon's Drones Are Delivering Cans of Soup! (The New York Times)

Amazon’s much-hyped drone project is dropping small objects on driveways. Some customers are not sure what it delivers beyond minestrone.

Only one item can be delivered at a time. It can’t weigh over five pounds. It can’t be too big. It can’t be something breakable, since the drone drops it from 12 feet. The drones can’t fly when it is too hot or too windy or too rainy. The Texas weather plays havoc with important deliveries.

Mr. Lord, a 54-year-old professor of civil engineering at Texas A&M, ordered a medication through the mail. By the time he retrieved the package, the drug had melted. He’s hopeful that the drones can eventually handle problems like this. “I still view this program positively knowing that it is in the experimental phase,” he said.

https://www.nytimes.com/2023/11/04/technology/amazon-drone-delivery.html

The risk? Bezos fortune? Nah. Looking stupid? We'll see...

  [Who gets sued if the 5-pound can of soup happens to kill the house owner? What if a poor homeless person is stealing deliveries? What about reports of thieves who are tracking delivery vehicles? PGN]

------------------------------

Date: Fri, 10 Nov 2023 01:14:09 -0500
From: Monty Solomon <monty () roscom com>
Subject: Five big carmakers beat lawsuits alleging infotainment systems invade privacy (Ars Technica)

https://arstechnica.com/?p=1982702

------------------------------

Date: Thu, 9 Nov 2023 06:19:25 -0500
From: Bob Gezelter <gezelter () rlgsc com>
Subject: Multiple Python Obscuration Tools that are not trustable (Ars Technica)

Scripting languages do not use compilers, but applications written in scripting languages, e.g., Python, often use compression and obfuscation tools both to reduce download volume and simultaneously increase the difficulty and effort of reverse engineering. Such tools have a long history; I remember a PL/I source compressor program back in the late 1970s.
I remember an item in ACM SIGPLAN from slightly later on the subject of whether one can trust a compiler to not insert malevolent object code. Obfuscators and compressors, in this regard, are effectively compilers. They have the potential to insert foreign logic into the processed scripts.

Ars Technica has reported that the security firm Checkmarx has identified eight malevolent Python obfuscators that have been in active circulation since January of this year, inserting code to activate cameras, steal passwords, download files, and perform other severely compromising actions.

Just because a script is not compiled does not mean that it cannot be compromised.

The Ars Technica article can be found at:
https://arstechnica.com/security/2023/11/developers-targeted-with-malware-that-monitors-their-every-move/

------------------------------

Date: Thu, 9 Nov 2023 12:24:50 -0700
From: Matthew Kruk <mkrukg () gmail com>
Subject: Data on 267,000 Sarnia patients going back 3 decades among cyberattack thefts at 5 Ontario hospitals (CBC)

https://www.cbc.ca/news/canada/windsor/hospital-cyber-update-data-1.7023826

Patients' information -- including the reasons for their visits -- going back three decades from Bluewater Health in Sarnia, Ont., and its predecessor hospitals is among the data confirmed stolen in the cyberattack on five southwestern Ontario hospitals.

Transform, the hospital's IT provider, now confirms a database report containing information on 267,000 patients was taken. The report includes details about "every patient" seen at Bluewater Health and its predecessors since Feb. 24, 1992.

------------------------------

Date: Fri, 10 Nov 2023 16:54:11 -0500
From: Monty Solomon <monty () roscom com>
Subject: Brothel compromises (Sundry items)

3 Charged With Running Prostitution Service Used by Politicians and Others
https://www.nytimes.com/2023/11/08/us/politics/justice-department-brothel.html

Prosecutors say brothel suspect also collected possibly fraudulent COVID funds.
Investigators believe James Lee used several business and related bank accounts to “launder the proceeds of the prostitution business,” court documents show.
https://www.boston.com/news/crime/2023/11/10/prosecutors-brothel-suspect-collected-possibly-fraudulent-covid-funds/

Exposure of brothels that catered to the elite spotlights how legal system treats buyers and sellers in sex trade
https://www.bostonglobe.com/2023/11/10/metro/brothel-bust-massachusetts-legal-system/

Affidavit details how investigators discovered brothel ring that allegedly catered to wealthy in Boston area and Virginia
https://www.bostonglobe.com/2023/11/09/metro/brothel-bust-boston/

------------------------------

Date: Tue, 7 Nov 2023 10:42:39 -0800
From: Lauren Weinstein <lauren () vortex com>
Subject: Android 14's storage disaster gets patched, but your data might be gone (Ars Technica)

https://arstechnica.com/gadgets/2023/11/android-14-patches-ransomware-storage-bug-but-some-users-will-lose-data/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=sociald

------------------------------

Date: Fri, 10 Nov 2023 14:50:02 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Man vs. Musk: A Whistleblower Creates Headaches for Tesla (The New York Times)

An employee who was fired after expressing safety concerns leaked personnel records and sensitive data about driver-assistance software.

A day after Lukasz Krupski put out a fire at a Tesla car delivery location in Norway, seriously burning his hands and preventing a disaster, he got an email from Elon Musk.

“Congratulations for saving the day!” Mr. Musk, Tesla’s chief executive, wrote in March 2019.

But what started as a story about a heroic employee and a grateful employer has devolved into an epic battle between the carmaker and Mr. Krupski, a service technician.
The fight has spawned lawsuits in Norway and the United States and caught the attention of regulators in several countries. After initially being hailed as a savior, Mr. Krupski said in an interview with The New York Times, he was harassed, threatened and eventually fired after complaining about what he considered grave safety problems at his workplace near Oslo.

Mr. Krupski, originally from Poland, was part of a crew that helped prepare Teslas for buyers but became so frustrated with the company that last year he handed over reams of data from the carmaker’s computer system to Handelsblatt, a German business newspaper.

https://www.nytimes.com/2023/11/10/business/tesla-whistleblower-elon-musk.html?smid=nytcore-ios-share&referringSource=articleShare

------------------------------

Date: Wed, 8 Nov 2023 06:51:35 -0700
From: Jim Reisert AD1C <jjreisert () alum mit edu>
Subject: Don't trust *Find my apps* or location trackers like AirTags (WashPost)

By Shira Ovide, *The Washington Post*, 7 Nov 2023

Two dangerous cases of mistaken identity using the Find My app showed that location-tracking technology can be useful -- but it cannot be trusted.

https://www.washingtonpost.com/technology/2023/11/07/tracking-find-my-apps-accuracy/

Prosecutors say that a teenager and two friends set fire to a Denver home where he believed Apple’s Find My app showed his stolen iPhone. The teen later realized that the location data pinpointed the wrong house, according to prosecutors. Two of the teens are facing murder charges.

Last year, a SWAT team in Denver looking for a truck with stolen guns and an iPhone mistakenly raided the home of a 77-year-old woman. A lawyer for the woman, Ruby Johnson, says police relied on location data from the Find My app that took them to the wrong house. (The Denver Police Department declined to comment.)

Location tracking information in Apple’s Find My technology and similar software for Android phones can be incredibly useful, as are location trackers such as Tile and Apple AirTags that can help find your keys buried in the sofa cushions. But as the two cases in Denver show, those location identifying technologies are not always accurate and the consequences can be dire.

The bottom line: You shouldn’t entirely trust location identifying technology.

------------------------------

Date: Sun, 5 Nov 2023 22:23:56 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Why Banks Are Suddenly Closing Down Customer Accounts (The New York Times)

Surprised individuals and small-business owners can’t pay rent or make payroll, and no one ever explains what they did wrong.

https://www.nytimes.com/2023/11/05/business/banks-accounts-close-suddenly.html

------------------------------

Date: Tue, 7 Nov 2023 17:35:25 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Virginia State Police Prepares Team To Monitor Voter Removals (DCist)

Virginia is the only state in the U.S. where people who’ve committed any felony automatically lose their right to vote unless the governor restores it, according to the Brennan Center for Justice.

In September, VPM News reported on an Arlington County man who’d had his rights restored by former Gov. Ralph Northam, but had been stricken from the voter rolls after a probation violation. State officials at ELECT and the Virginia State Police initially denied there was a systemic problem. The next week, they acknowledged the error; a spokesperson of Gov. Glenn Youngkin estimated it affected fewer than 300 people. But on 27 Oct 2023, ELECT said the total was more than 10 times that estimate.

Same-day registration on Election Day can only happen at a voter’s polling place, which can be found online or by calling a local election office.
This is the second general election to take advantage of the process, which passed the then Democrat-controlled General Assembly along party lines in 2020.

https://dcist.com/story/23/11/07/virginia-voter-removal-2023-election-state-police-watch-team

------------------------------

Date: Fri, 10 Nov 2023 14:01:17 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: The impasse over who controls your car data (WashPost)

CitySide Subaru, a car dealership in the Boston area, regularly loses potential customers for a surprising reason: Subaru has disabled some of its own software in a stalemate over control of data from your car.

That means no automatic emergency calls if the car crashes, no wireless notifications from the dealer about maintenance problems and no option to remotely start the car and fire up the heater. (Don’t judge. It’s cold in Massachusetts.)

Nathan White, CitySide’s general manager, said his staff warns car shoppers that features like those requiring wireless transmission don’t work on new Subaru models sold in the state. The lack of those features is a “conversation we have to have with the customer,” White said. “To be honest with you, it’s a couple of percent a month” in lost vehicle sales. [...]

“This all comes down to who owns the information,” White said. “Shouldn't the customer have some say?”

https://s2.washingtonpost.com/camp-rw/?trackId=596b22969bbc0f403f8bcc25&s=654e689d8c1e4d00e8e615

------------------------------

Date: Wed, 8 Nov 2023 00:22:29 -0500
From: Monty Solomon <monty () roscom com>
Subject: This smart garage door controller is no longer very smart (The Verge)

https://www.theverge.com/23949612/chamberlain-myq-smart-garage-door-controller-homebridge-integrations

------------------------------

Date: Wed, 8 Nov 2023 00:46:04 -0500
From: Monty Solomon <monty () roscom com>
Subject: Critical vulnerability in Atlassian Confluence server is under *mass exploitation* (Ars Technica)

https://arstechnica.com/security/2023/11/critical-vulnerability-in-atlassian-confluence-server-is-under-mass-exploitation/

------------------------------

Date: 29 Dec 2021 19:26:32 -0500
From: "John Levine" <johnl () iecc com>
Subject: Re: A $92,000 flying car can reach speeds of 63 miles per hour (Business Insider, RISKS-33.92)

Perhaps we can try and collect all the reasons why a flying car that can only go 20 miles before it falls out of the sky is a bad idea.

How is it licenced? Is it a car, a plane, or something else?

How high can it go? There's one set of problems flying close to the ground (running into obstacles), a different set flying higher up (running into airplanes), etc.

I happen to live near a lake which is about 30 miles long and a mile wide, so something that let me go directly across the lake rather than around one end or the other might be useful, but I'm having trouble thinking of other scenarios for this thing.

------------------------------

Date: Mon, 6 Nov 2023 13:02:10 +0000
From: Martin Ward <mwardgkc () gmail com>
Subject: Re: Toyota has built an EV with a fake transmission, and we've driven it (Ars Technica)

Do you get bored driving your electric car with nothing to do but maintain your speed and direction and keep your attention on other road users and driving conditions?
Well, Toyota has added a computer game that you can play as you drive! (TOY-ota, get it?) Instead of a mouse and keyboard this game has an extra pedal and joystick as game interfaces for you to play with, and plays full volume game sound through the car's sound system. Best of all, if you mess up one of the moves in the game, the car will actually stop accelerating, or even suddenly stall!

I think that they should add a warning message for other road users (similar to those on driving instructors' cars): "Please keep your distance. Driver is playing a computer game while driving. Car may stall suddenly."

Children used to stick cards in their bikes, so that they would make fake motorbike noises as the card flaps against the spokes of the wheels. I suppose this is the "grown ups" version, but with added danger to other road users.

The, ahem, "young at heart" reporter at Ars Technica says that "it made things so much more fun"!

------------------------------

Date: Mon, 6 Nov 2023 17:14:52 -0500
From: Dick Mills <dickandlibbymills () gmail com>
Subject: Re: They Cracked the Code to a Locked USB Drive Worth $235 Million in Bitcoin. Then It Got Weird. (RISKS-33.92)

The *Wired* article makes a good read. It gives details on how one company cracked the encryption of the locked USB drive, in part by examining a sample of the drive.

It has been many years since I recall reading on this risks forum that security through obscurity was foolish and futile. The USB drive manufacturer should have been able to open source everything without compromising security.

Here's a quote from Risks 12:25

  "Within the Multics community, anything less than a complete willingness to hand critical code over to any hacker who asked for it was demeaningly referred to as "security through obscurity," and was avoided at all cost."

A year ago, I had to cancel my LastPass account because their obscure secrets were compromised.

Is the doctrine ridiculing security through obscurity dead?

  [Nice reminder. Yes, it is widely ignored today. Dick, Tom Van Vleck, and I are among the few remaining early Multicians who still contribute to RISKS. And I am the pain-in-the-ass Multician who keeps reminding RISKS readers that the Multics hardware and operating system completely resolved the stack buffer-overflow problem in 1965 -- a wonderful visionary leap into the future that has been almost completely ignored by almost everyone else. But I believe that Multicians never forget (like elephants?), because the principled development was so pervasive. PGN]

------------------------------

Date: Sun, 5 Nov 2023 23:11:29 -0700
From: "Jared E. Richo" <jericho () attrition org>
Subject: Re: Comments on RISKS-33.92

Abridged comments, to remind us to scrutinize and be critical of the news we read, if you'll permit. Almost a 30-year reader of RISKS, this issue just hit all the right buttons for a reply to the entire thing, which is a first for me, a professional critic of sorts. -- jericho

  [Jericho, Thanks for your comments. I decided to run most of them, as a reminder to myself. Everything is indeed tumbling down.. PGN]
Subject: Apple Disables Maps Features in Israel and Gaza
Meanwhile, doesn't disable in other conflict regions?
Subject: California halts operations of Cruise self-driving robotaxis
Meanwhile, allows ex-DUI and elderly that cannot pass a current eye exam to drive.
Subject: Overview of the iLeakage Attack (Jason Kim et al.)
Eh.. Spectre-evolved? Or are you really claiming Apple ignored Spectre, Spectre v2, Spectre v3 / SPECTRE-NG, Spectre v4 / SPECTRE-NG, Spectre v5 / ret2spec, Spectre-BHB...
Subject: AI Firms Must Be Held Responsible for Harm They Cause, 'Godfathers' Say (Dan Milmo)
Sorry... "godfather" implies at least two generations, if not three. Modern so-called "AI" is still an infant. You already abused the term "AI", you don't get to abuse more terms.
Subject: President Biden Issues Executive Order one Safe, Secure, and Trustworthy Artificial Intelligence (Whitehouse.gov)
"Trustworthy Artificial Intelligence" .. oxymoron.
Subject: Executive Order on AI
In an op-ed for Bloomberg Law, EPIC's Executive Director Alan Butler argued for the need for an overriding federal privacy law.
But better than ECPA, COPPA, GLBA, HIPAA, FERPA... right?
Subject: Humans Find AI-Generated Faces More Trustworthy Than the Real Thing (Scientific American)
Big surprise here! As Joe Navarro tells us in his most basic of books, humans are -trained- to lie from a shockingly early age. AI isn't explicitly trained to, but it is programmed by the humans that are.
Subject: AI Muddies Israel-Hamas War in Unexpected Way (NYTimes)
Subject: AI generated allegations against Big Four consulting firms
Ibid.
Subject: Meta Accused by States of Using Features to Lure Children to Instagram and Facebook (NYTimes)
Eh, not like history has shown us they don't care. Now they are getting in on the game?
Subject: FCC robocall enforcement does little to stop illegal calls, Senate hears
Hundreds of millions could have testified a decade ago.
Subject: Amazon, Microsoft, and India crack down on tech support scams
Meanwhile, many customers interfacing with the actual support channels still feel it is a scam.
Date: Sun, 29 Oct 2023 11:40:02 -0400
Subject: Top Philips Executive Approved Sale of Defective Breathing Machines by Distributors, Despite Tests Showing Health Risks (ProPublica)
Pharmacom only cares about profit, news at 11.
Subject: How a Big Pharma Company Stalled a Potentially Lifesaving Vaccine in Pursuit of Bigger Profits (ProPublica)
Ibid.
Subject: How a Lucrative Surgery Took Off Online and Disfigured Patients
If doctors fall for this crap, does society stand a chance?

------------------------------

Date: Sat, 11 Nov 2023 15:42:13 -0500
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Hiring: One Jamaican Bobsled Team -- and Weird Job Descriptions

I am in the market for employment again, and the job postings are amusing. I thought it might be helpful to discuss it a bit.

I am a security professional, with a specialization in process management. I happen to also have a background in Linux operations, and development. I have even done networking (IPv4, and TIA 568A). These were all separate jobs. I am bemused that the industry has seemed to move in the direction that professionals are expected to do all those at once, and somehow maintain proficiency in any of them.

The following are excerpts from job postings. Each job posting is for a single position.

This is two jobs:

  Remediation management (e.g., Vulnerability [Web, Database, OS] and Plan of Action and Milestones [POA&M]).

Vulnerability management should not include project management. If your security department is tracking milestones for deliverability of remediation, they are no longer performing security.

This is two jobs, and a ludicrous expectation:

  *Cloud Security* Essentials in at least 1 of *AWS, GCP or Azure*. Working knowledge of GCP and Azure.

Knowing the limitations and usages of a cloud platform is a job. Knowing two is two jobs. Knowing two and being certified in a third is ludicrous.

This is at least four jobs:

  Build security tools and automation for critical corporate infrastructure protection, monitoring, and remediation. Develop DevOps pipelines and mature the SDLC process.

Security professionals do not develop security tools. Developers develop. Security professionals issue guidance and perform auditing and reporting on controls. Security is not DevOps, which was already more than two jobs. SDLC management is development, ensuring it works is operations, validating that it exists is security.
This one is my favorite. 19,000,005 jobs. The listing is for a SOC Incident Handler:

  Restores environment after an incident and ensures that the managed security service has thorough detection capabilities in place for emerging threats. Performs service requests from internal/external teams. Maintains an advanced understanding of cyber security threats, vulnerabilities, attacks, responsible groups, motivations and techniques.

SOC is an operations monitoring center. Restoring an environment is operations. Validating detection rules, that's reasonable. Service requests is helpdesk, maybe smart hands. If your operations monitoring center is performing operations, they are no longer monitoring. This is a violation of the Two-man rule (the language is older than I am). Gathering data to create security detections, that's a job. Analysis of security vulnerabilities, that's a job. Analysis of *responsible groups, motivations and techniques*, that's a government.

This is *a* [single!] job:

  *Performs a combination of duties in accordance with departmental guidelines:*
  - Leads the development of data security strategies and designs data security architecture for CNA IT systems that aligns with CNA Secure Data Strategy, embedding security into the overall approach and vision for data across the enterprise.
  - Participates in the creation, update and review of corporate security policies and technology standards for data security.
  - Creates and maintains the information security technology standards to align with corporate data security policies and standards.
  - Develops and maintains data security solution and technology roadmaps for structured and unstructured data discovery, classification, protection and data rights management on premise and in the Cloud.
  - Develops, maintains and governs the reusable data security framework and design patterns.
  - Develops the enterprise security solutions that deliver Secure Data Analytics, collecting and analyzing business and event data to drive security value and enabling the utilization of data as a business asset.
  - In collaboration with Information Security and Legal, design solutions and processes to resolve current and potential legal and regulatory issues affecting information security and assesses their impact on CNA's security and technology teams.
  - Contributes to general enterprise architecture framework and strategy development and enhancements.

A complex one, but it has a single scope, presuming this company is only in 1 cloud.

I am discounting on-premise as an ongoing job because it is a solved problem. The general guidance for operating on-premise has not changed in decades at this point. Use long term operating systems, document problem solving when implemented, patch when the vendor says to, it runs until you change it or the equipment gives up. This is in contrast to cloud providers which may not provide whatever specific feature you are using tomorrow, so you have to keep up with the provider. Or, my personal favorite, yesterday you were using 3 of their services, and today you are using 5. Scramble the security team to determine if the implementation is secure.

Job postings retrieved from indeed.com.

Keep juggling the shovels,

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.93
************************