RISKS Forum mailing list archives
Risks Digest 34.19
From: RISKS List Owner <risko () csl sri com>
Date: Mon, 22 Apr 2024 11:14:04 PDT
RISKS-LIST: Risks-Forum Digest Monday 22 April 2024 Volume 34 : Issue 19

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.19>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Influential women's tech network shuts down unexpectedly (BBC)
Re: Women Who Code shut down today (Rebecca Mercuri)
Re: Women Who Code shut down today (Wendy Grossman)
‘We’re a dead ship’: Hundreds of cargo ships lost propulsion in U.S. waters in recent years (WashPost)
Tesla Cybertruck turns into world's most expensive brick after car wash (The Register)
Software upgrade error grounds all Alaska Airlines flights for 1 hour (Seattle Times)
San Francisco’s Train System Still Uses Floppy Disks -- and Will for Years (WiReD)
GPT-4 and CVE = exploit (Rik Farrow)
The invisible seafaring industry that keeps the Internet afloat (The Verge)
Microsoft’s VASA-1 can deepfake a person with one photo and one audio track (Ars Technica)
Hospital prices for the same emergency care vary up to 16-fold, a study finds (ArsTechnica)
Chirp mandates open-door policy -- in a bad way (Krebs)
Netflix doc accused of using AI to manipulate true crime story (ArsTechnica)
China orders Apple to remove Meta apps after “inflammatory” posts about president (ArsTechnica)
Roku forcing 2-factor authentication after 2 breaches of 600K accounts (ArsTechnica)
The GMO tooth microbe that is supposed to prevent cavities (Undark)
Virginia to become first state to allow online-only local news sites to publish legal notices (ARLnow)
Amazon is filled with garbage ebooks. Here’s how they get made. (Esquire)
Re: Palo Alto Zero Exploit (Martin Ward)
Re: AI chatbots spread falsehoods about the EU elections (Martin Ward)
Re: U.S. Air Force confirms first successful AI dogfight (Turgut Kalfaoglu)
Re: Wrong button clicked, wrong divorce cannot be undone (Henry Baker)
Abridged info on RISKS (comp.risks)

------------------------------

Date: Fri, 19 Apr 2024 15:38:32 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Influential women's tech network shuts down unexpectedly (BBC)

https://www.bbc.com/news/articles/cw0769446nyo

Women Who Code (WWC), a charity that supports women who work in the technology sector, has announced it is shutting down because of a lack of funding.

The U.S.-based organisation says it had 360,000 people in its community, across 145 countries.

  [The risks to many women who code around the world could be considerable. Are there any former members who are also RISKS readers who can share the back stories? To me this seems like a terrible loss -- even if there was management malpractice. The Atlanta Journal-Constitution in today's article by Mirtha Donastorg suggests that WWC had millions of dollars. However, this is the WWC statement quoted in the AJ-C on 19 Apr 2024, the day of the shut down:

  ``This decision has not been made lightly. It only comes after careful consideration of all options and is due to factors that have materially impacted our funding sources -- funds that were critical to continuing our programming and delivering on our mission,'' the organization said in a statement. It did not detail what factors impacted its finances.
  PGN]

------------------------------

Date: Sun, 21 Apr 2024 18:58:13 -0400
From: "DrM: Rebecca Mercuri" <notable () mindspring com>
Subject: Re: Women Who Code shut down today (RISKS-34.19)

I am not a member or supporter of either Women Who Code or Girls Who Code (separate non-profits that both started in 2011), but have been aware of the existence of these two groups.
Certainly, it is important for women and girls to feel comfortable learning how to code, and to be able to find work and equal pay in coding-related fields. Unfortunately, I feel that neither group has/had successfully addressed the problems of bias and harassment against girls and women who code. What has long been needed for all in the computing fields is to learn how to work side-by-side with people of all genders, where mutual respect and acknowledgment of everyone's contributions are encouraged and nurtured. Splitting into same-sex support groups has not and does not create healthy, safe, and fair workplaces. It is possible that these same-sex non-profits may have inadvertently reinforced the stereotype of "lesser than or different" while not appropriately addressing the very real biases and affronts that women and girls and others continue to battle in schools and the workplace.

While belated and often posthumous recognitions of female coders occasionally occur, such as for the Women of the ENIAC and Grace Murray Hopper, extreme bias in prizes continues to be blatant and overlooked. A very visible example of gender bias is exemplified by the Association for Computing Machinery's Turing Award. Over the 58 years of its issuance, there have only been 3 women, as compared to 74 men, given this esteemed prize. The last woman received her Turing in 2012. Since Google endowed it in 2014 with $1,000,000.00 for each award, precisely ZERO women have been selected for the honor. It is utterly appalling that Turing himself (wrongly convicted by the British government of sexual indecency, submitted to chemical castration, and possibly murdered) continues to be exploited with this highly biased award being presented annually, often to coders, in his name, without his permission. THIS NEEDS TO STOP.

In conclusion, we must see that new and better support groups are created that will expose and expunge wrongs and biases in workplaces, schools, governments, professional organizations, non-profits, and other entities that make decisions and set policies based on antiquated ideas of genders and sexualities. Those who code should help to create a level playing field, where all people can find ways to work together with egalitarianism and mutual respect.

Rebecca Mercuri, PhD

  [Rebecca should be well-known to long-time RISKS readers. It was her thesis at Penn a quarter-century ago that broke open how to overcome voting machines with no audit trails and no possible remediation of questionable results:
  <http://www.notablesoftware.com/Papers/mercuri-thesis.pdf>
  PGN]

------------------------------

Date: Sun, 21 Apr 2024 16:36:03 +0100
From: "Wendy M. Grossman" <wendyg () pelicancrossing net>
Subject: Re: Women Who Code shut down today (RISKS-34.19)

I remember in 1998 attending an event at which ACM had a session on the incredible(?) "shrinking pipeline", which had studied the reasons women were leaving computing. The choices included image (geeks), the hours (medicine was seen as eventually getting better, but computing not), etc. Not included, but widely written in: "sexual harassment".

Soon after I had dinner with a woman who sold large computer systems. I told her about the survey. She immediately said: "Did they mention sexual harassment?"

I know I wrote about it somewhere, but can't locate where.

------------------------------

Date: Wed, 17 Apr 2024 02:07:23 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: ‘We’re a dead ship’: Hundreds of cargo ships lost propulsion in U.S. waters in recent years (WashPost)

A *WashPost* examination found that losses of engine power, part of what the Dali experienced when it crashed into the Key Bridge in Baltimore, are not uncommon.
https://www.washingtonpost.com/investigations/2024/04/16/dead-ships-propulsion-loss/

  [Preventive maintenance seems to be less frequent here, in aviation, and perhaps even in driverless cars -- although that has other problems, such as a lack of trustworthiness in design and implementation. PGN]

------------------------------

Date: Sat, 20 Apr 2024 14:18:56 -0400
From: Monty Solomon <monty () roscom com>
Subject: Tesla Cybertruck turns into world's most expensive brick after car wash (The Register)

https://www.theregister.com/2024/04/20/cybertruck_car_wash_mode/

------------------------------

Date: Wed, 17 Apr 2024 12:12:01 -0700
From: Rob Wilcox <robwilcoxjr () gmail com>
Subject: Software upgrade error grounds all Alaska Airlines flights for 1 hour (Seattle Times)

Alaska Airlines briefly grounded all flights after an error was found in a software upgrade calculating the plane mass and balance.

"Alaska said it had experienced an issue 'while performing an upgrade to the system that calculates our weight and balance.'"

The airline had a similar problem in February 2023. In that case:

"To determine the thrust and speed settings for takeoff, Alaska’s pilots and others use a performance calculation tool supplied by a Swedish company called DynamicSource. It delivers a message to the cockpit with crucial weight and balance data, including how many people are on board, the jet’s empty and gross weight and the position of its center of gravity. In a cockpit check before takeoff, this data is entered into the flight computer to determine how much thrust the engines will provide and at what speed the jet will be ready to lift off."

https://www.seattletimes.com/business/boeing-aerospace/all-alaska-airline-flights-grounded/

------------------------------

Date: Mon, 15 Apr 2024 11:50:43 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: San Francisco’s Train System Still Uses Floppy Disks -- and Will for Years (WiReD)

Three 5.25-inch floppy disks help keep Muni running every morning. A tech upgrade could take until 2030.

https://www.wired.com/story/san-francisco-muni-trains-floppy-disks/

------------------------------

Date: Sun, 21 Apr 2024 16:20:54 -0700
From: Rik Farrow <rik () rikfarrow com>
Subject: GPT-4 and CVE = exploit

Interesting, a bit surprising, but still:
https://www.theregister.com/2024/04/17/gpt4_can_exploit_real_vulnerabilities/

OpenAI's GPT-4 large language model (LLM) can autonomously exploit vulnerabilities in real-world systems if given a CVE advisory describing the flaw.

  [... if GPT-4 handles the CVE correctly and the CVE is adequately defined, which is usually totally unassured. Thus, the claim seems highly overblown. I think this claim is very suspect and over-hyped. PGN]

------------------------------

Date: Sat, 20 Apr 2024 08:10:11 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: The invisible seafaring industry that keeps the Internet afloat (The Verge)

[Long article PGN-ed]

The global Internet relies on 800,000 miles of undersea cables that are constantly breaking. This is the story of the 22 aging ships that fix them.

The world’s emails, TikToks, classified memos, bank transfers, satellite surveillance, and FaceTime calls travel on cables that are about as thin as a garden hose. There are about 800,000 miles of these skinny tubes crisscrossing the Earth’s oceans, representing nearly 600 different systems, according to the industry tracking organization TeleGeography.
The cables are buried near shore, but for the vast majority of their length, they just sit amid the gray ooze and alien creatures of the ocean floor, the hair-thin strands of glass at their center glowing with lasers encoding the world’s data.

If, hypothetically, all these cables were to simultaneously break, modern civilization would cease to function. The financial system would immediately freeze. Currency trading would stop; stock exchanges would close. Banks and governments would be unable to move funds between countries because the Swift and U.S. interbank systems both rely on submarine cables to settle over $10 trillion in transactions each day. In large swaths of the world, people would discover their credit cards no longer worked and ATMs would dispense no cash. As U.S. Federal Reserve staff director Steve Malphrus said at a 2009 cable security conference, “When communications networks go down, the financial services sector does not grind to a halt. It snaps to a halt.”

Corporations would lose the ability to coordinate overseas manufacturing and logistics. Seemingly local institutions would be paralyzed as outsourced accounting, personnel, and customer service departments went dark. Governments, which rely on the same cables as everyone else for the vast majority of their communications, would be largely cut off from their overseas outposts and each other. Satellites would not be able to pick up even half a percent of the traffic. Contemplating the prospect of a mass cable cut to the UK, then-MP Rishi Sunak concluded, “Short of nuclear or biological warfare, it is difficult to think of a threat that could be more justifiably described as existential.”

Fortunately, there is enough redundancy in the world’s cables to make it nearly impossible for a well-connected country to be cut off, but cable breaks do happen. On average, they happen every other day, about 200 times a year.

The reason websites continue to load, bank transfers go through, and civilization persists is because of the thousand or so people living aboard 20-some ships stationed around the world, who race to fix each cable as soon as it breaks.

https://www.theverge.com/c/24070570/internet-cables-undersea-deep-repair-ships

------------------------------

Date: Sat, 20 Apr 2024 14:38:44 -0400
From: Monty Solomon <monty () roscom com>
Subject: Microsoft’s VASA-1 can deepfake a person with one photo and one audio track (Ars Technica)

YouTube videos of 6K celebrities helped train AI model to animate photos in real time.

On Tuesday, Microsoft Research Asia unveiled VASA-1, an AI model that can create a synchronized animated video of a person talking or singing from a single photo and an existing audio track. In the future, it could power virtual avatars that render locally and don't require video feeds—or allow anyone with similar tools to take a photo of a person found online and make them appear to say whatever they want.

https://arstechnica.com/information-technology/2024/04/microsofts-vasa-1-can-deepfake-a-person-with-one-photo-and-one-audio-track/

------------------------------

Date: Sat, 20 Apr 2024 14:41:23 -0400
From: Monty Solomon <monty () roscom com>
Subject: Hospital prices for the same emergency care vary up to 16-fold, a study finds (ArsTechnica)

Hospitals' *trauma activation fees* are unregulated and extremely variable.

Since 2021, federal law has required hospitals to publicly post their prices, allowing Americans to easily anticipate costs and shop around for affordable care -- as they would for any other marketed service or product. But hospitals have mostly failed miserably at complying with the law.
A 2023 KFF analysis on compliance found that the pricing information hospitals provided is ``messy, inconsistent, and confusing, making it challenging, if not impossible, for patients or researchers to use them for their intended purpose.'' A February 2024 report from the nonprofit organization Patient Rights Advocate found that only 35 percent of 2,000 US hospitals surveyed were in full compliance with the 2021 rule.

But even if hospitals dramatically improved their price transparency, it likely wouldn't help when patients need emergency trauma care. After an unexpected, major injury, people are sent to the closest hospital and aren't likely to be shopping around for the best price from the back of an ambulance. If they did, though, they might also need to be treated for shock. According to a study published Wednesday in JAMA Surgery, hospitals around the country charge wildly different prices for trauma care. Prices for the same care can be up to 16-fold different between hospitals, and cash prices are sometimes significantly cheaper than the negotiated prices that insurance companies pay.

https://arstechnica.com/science/2024/04/hospital-prices-for-the-same-emergency-care-vary-up-to-16x-study-finds/

------------------------------

Date: Mon, 15 Apr 2024 21:12:20 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Chirp mandates open-door policy -- in a bad way (Krebs)

[This has been known since Mar 2021.]

If you have a Chirp lock, someone else could have already been home by now.

https://krebsonsecurity.com/2024/04/crickets-from-chirp-systems-in-smart-lock-key-leak/

------------------------------

Date: Sat, 20 Apr 2024 14:37:24 -0400
From: Monty Solomon <monty () roscom com>
Subject: Netflix doc accused of using AI to manipulate true crime story (ArsTechnica)

Producer remained vague about whether AI was used to edit photos.

An executive producer of the Netflix hit *What Jennifer Did* has responded to accusations that the true crime documentary used AI images when depicting Jennifer Pan, a woman currently imprisoned in Canada for orchestrating a murder-for-hire scheme targeting her parents.

*What Jennifer Did* shot to the top spot in Netflix's global top 10 when it debuted in early April, attracting swarms of true crime fans who wanted to know more about why Pan paid hitmen $10,000 to murder her parents. But quickly the documentary became a source of controversy, as fans started noticing glaring flaws in images used in the movie, from weirdly mismatched earrings to her nose appearing to lack nostrils, the Daily Mail reported, in a post showing a plethora of examples of images from the film.

https://arstechnica.com/tech-policy/2024/04/netflix-doc-accused-of-using-ai-to-manipulate-true-crime-story/

------------------------------

Date: Sat, 20 Apr 2024 14:32:42 -0400
From: Monty Solomon <monty () roscom com>
Subject: China orders Apple to remove Meta apps after “inflammatory” posts about president (ArsTechnica)

Apple said it complied with orders from the Chinese government to remove the Meta-owned WhatsApp and Threads from its App Store in China. Apple also removed Telegram and Signal from China.

https://arstechnica.com/tech-policy/2024/04/china-orders-apple-to-remove-meta-apps-after-inflammatory-posts-about-president/

  [The NYTimes has a similar story on the front page of today's National Edition Business section. PGN]

------------------------------

Date: Sat, 20 Apr 2024 14:31:37 -0400
From: Monty Solomon <monty () roscom com>
Subject: Roku forcing 2-factor authentication after 2 breaches of 600K accounts (ArsTechnica)

Accounts with stored payment information went for as little as $0.50 each.
Everyone with a Roku TV or streaming device will eventually be forced to enable two-factor authentication after the company disclosed two separate incidents in which roughly 600,000 customers had their accounts accessed through credential stuffing.

Credential stuffing is an attack in which usernames and passwords exposed in one leak are tried out against other accounts, typically using automated scripts. When people reuse usernames and passwords across services or make small, easily intuited changes between them, actors can gain access to accounts with even more identifying information and access.

https://arstechnica.com/security/2024/04/roku-forcing-2-factor-authentication-after-breach-of-600k-accounts/

------------------------------

Date: Sat, 20 Apr 2024 14:28:18 -0400
From: Monty Solomon <monty () roscom com>
Subject: The GMO tooth microbe that is supposed to prevent cavities (Undark)

Christina Szalinski, Undark Magazine, 29 Apr 2024

Some experts have concerns over the safety of the genetically modified bacteria.

https://arstechnica.com/health/2024/04/the-gmo-tooth-microbe-that-is-supposed-to-prevent-cavities/

------------------------------

Date: Mon, 22 Apr 2024 09:16:09 -0400
From: Monty Solomon <monty () roscom com>
Subject: Virginia to become first state to allow online-only local news sites to publish legal notices (ARLnow)

https://www.arlnow.com/2024/04/05/virginia-to-become-first-state-to-allow-online-only-local-news-sites-to-publish-legal-notices/

------------------------------

Date: Sun, 21 Apr 2024 08:07:59 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Amazon is filled with garbage ebooks. Here’s how they get made. (Esquire)

How AI Publishing Academy works.

https://www.esquire.com/entertainment/books/a45751827/make-a-living-as-a-writer/

It’s so difficult for most authors to make a living from their writing that we sometimes lose track of how much money there is to be made from books, if only we could save costs on the laborious, time-consuming process of writing them. The Internet, though, has always been a safe harbor for those with plans to innovate that pesky writing part out of the actual book publishing. On the Internet, it’s possible to copy text from one platform <https://www.poetryfoundation.org/harriet-books/2010/04/retyping-an-entire-book-is-one-thing-cutting-pasting-an-entire-book-is-another> and paste it into another seamlessly, to share text files <https://bookriot.com/how-easy-is-it-to-pirate-books/>, to build vast databases of stolen books <https://www.theatlantic.com/technology/archive/2023/08/books3-ai-meta-llama-pirated-books/675063/>. If you wanted to design a place specifically to pirate and sleazily monetize books, it would be hard to do better than the Internet as it has long existed. Now, generative AI has made it possible to create cover images, outlines, and even text at the click of a button.

https://www.vox.com/culture/24128560/amazon-trash-ebooks-mikkelsen-twins-ai-publishing-academy-scam

------------------------------

Date: Sat, 20 Apr 2024 10:34:32 +0100
From: Martin Ward <mwardgkc () gmail com>
Subject: Re: Palo Alto Zero Exploit (Ward/Kilby, RISKS-34.18)

The answer has been known for many decades: for any safety-critical software you develop the software using formal methods to prove that it is correct. You implement it in a compiled language that is designed from the start to have no undefined behavior, to check for and prevent array index overflow and to handle all memory management. The language is compiled using a provably correct compiler. And you also have extensive unit and system tests.

  [Martin, Thanks for channeling Edsger Dijkstra.
  When he was working for Burroughs long ago, I asked him walking back from lunch one day at a WG2.3 meeting in Santa Cruz what he was teaching the Burroughs programmers about writing operating systems. He said that if he couldn't get them to write a simple program on the back of an envelope and prove that it was correct with respect to its specifications, it was utterly pointless to teach them anything about operating systems. His wisdom must not be forgotten, along with that of his colleagues Tony Hoare, Niklaus Wirth, David Parnas, Brian Randell, and others from that wonderfully seminal era. PGN]

------------------------------

Date: Sat, 20 Apr 2024 10:50:43 +0100
From: Martin Ward <mwardgkc () gmail com>
Subject: Re: AI chatbots spread falsehoods about the EU elections, report finds (RISKS-34.17)

Another possibility is that the very wealthy companies who produce these chatbots have an interest in influencing the outcome of the elections, and that the factually false information they are spreading may be a feature, not a bug. The companies certainly do have QA departments, but maybe the department's job is to ensure that the correct biases are being promulgated by the chatbots.

Just as Microsoft's QA department was tasked to ensure that Windows would not work properly with DR-DOS. Brad Silverberg wrote to Jim Allchin ``DR-DOS has problems running windows today, and I assume will have more problems in the future.'' Allchin replied: ``You should make sure it has problems in the future. :-)''

https://www.theregister.com/1999/11/05/how_ms_played_the_incompatibility/

------------------------------

Date: Mon, 22 Apr 2024 12:28:48 +0300
From: turgut kalfaoğlu <turgut () kalfaoglu com>
Subject: Re: U.S. Air Force confirms first successful AI dogfight (RISKS-34.18)

The U.S. Air Force is putting AI in the pilot’s seat.
After the use of drones to kill enemies halfway around and thus avoid the guilt and the possibility of getting the killers arrested and prosecuted, this is the second bad idea that the Pentagon had. If a weapon can be used remotely, it can also be hacked remotely.

  [Once again, dual-use rears its head, especially with AI. PGN]

------------------------------

Date: Sat, 20 Apr 2024 00:43:56 +0000
From: Henry Baker <hbaker1 () pipeline com>
Subject: Re: Wrong button clicked, wrong divorce cannot be undone

A real-life 'Azdak' judge !!

Bertolt Brecht's play *The Caucasian Chalk Circle* includes a character named *Azdak* who is an idiot, but who inadvertently becomes a judge in the middle of political chaos. Apparently, Brecht's feeling was that a completely *random* judge is fairer than a judge who judiciously applies the law in a universally biased fashion.

https://www.litcharts.com/lit/the-caucasian-chalk-circle/act-5-the-chalk-circle

``Azdak removes his judge's gown, stating that it has gotten too hot for him to wear it any longer -- he signs the elderly couple's divorce papers and leaves the chambers, inviting all present to join him outside for a dance. When Shauwa checks the divorce document, he sees that ***Azdak has divorced the wrong couple*** -- he has divorced Grusha from Jussup rather than divorcing the elderly couple.''

  [Grushan Groulette? Wassup, Jussup? There really needs to be an UNDO here. Controlled revocation and do-overs are an important part of life when something goes awry. It's common in banking, credit card fraud, golf mulligans, and many other areas. Why not here, especially when AI misuses are rampant. PGN]

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.

=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!

=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's delightfully searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume/previous directories
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs.

==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.19
************************