RISKS-LIST: Risks-Forum Digest Wednesday 1 September 2021 Volume 32 : Issue 85

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.85>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Tesla on autopilot smashes into police car helping motorist at side of road
(CNN)
Toyota suspends use of self-driving vehicle in Olympic Village after
collision with Paralympic athlete (CNN)
'Copilot' "highly likely" to introduce bugs and vulnerabilities (Techradar) Keeping Your Family Safe From Vehicle Rollaways (NBC4 WashDC)
Lights Flickered in New York City. Why Did the Subways Grind to a Halt?
(NYTimes)
Fraud Alert: Malicious QR Codes Now Used by Online Scammers
(Washington Consumers' Checkbook)
A Fix for Ransomeware Attacks (Paul Rosenzweig)
Falsehoods diminish trust in Califonia recall vote (Kaylee Fagan)
Manned Mars mission viable if it doesn't exceed four years, concludes
international research team (phys.org)
Lying with statistics (Ars Technica)
Iceland has reported more cases in the past month than they had in the
previous 9 months combined (ianmSC)
T-Mobile Hacker Who Stole Data on 50 Million Customers: ‘Their Security Is
Awful’ (WSJ)
Reddit CEO rejects call for a crackdown on coronavirus misinformation
(Engadget)
Australian preprint ban in grant applications deemed ‘plain ludicrous’
(Nature)
One more position on the Apple Appleplexy (Susan Landau)
Re: UK to SORT-OF Hang Up on Landline Phones in 2025
(Lindsay Marshall, John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 30 Aug 2021 13:52:16 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Tesla on autopilot smashes into police car helping motorist at side
of road (CNN)

The feds should order "autopilot" shut down completely while these investigations continue. -L

https://www.cnn.com/2021/08/30/business/tesla-crash-police-car/index.html

------------------------------

Date: Sat, 28 Aug 2021 18:41:21 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Toyota suspends use of self-driving vehicle in Olympic Village
after collision with Paralympic athlete (CNN)

https://www.cnn.com/2021/08/27/cars/toyota-self-driving-vehicle-paralympics-accident/index.html

------------------------------

Date: Sun, 29 Aug 2021 18:53:35 +0000
From: "Henry Baker" <hbaker1@pipeline.com>
Subject: 'Copilot' "highly likely" to introduce bugs and vulnerabilities
(Techradar)

'AI' proves once again that BS in == BS out. There is no free lunch.

GitHub autopilot "highly likely" to introduce bugs and vulnerabilities

https://www.techradar.com/news/github-autopilot-highly-likely-to-introduce-bugs-and-vulnerabilities-report-claims

Academic researchers discover that nearly 40% of the code suggestions by GitHub&rsquo;s Copilot tool are erroneous, from a security point of view.

Since Copilot draws on publicly available code in GitHub repositories, the researchers theorize that the generated vulnerable code could perhaps just
be the result of the system mimicking the behavior of buggy code in the repositories.

https://arxiv.org/pdf/2108.09293.pdf

An Empirical Cybersecurity Evaluation of GitHub Copilot&rsquo;s Code Contributions

------------------------------

Date: Sun, 29 Aug 2021 18:49:34 -0400
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: Keeping Your Family Safe From Vehicle Rollaways (NBC4 WashDC)

Families across the country are raising safety questions involving deadly vehicle rollaway accidents that kill nearly 150 people every year.

https://www.nbcwashington.com/news/local/keeping-your-family-safe-from-vehicle-rollaways/2756126/

Novel implementation of familiar gearshift technology, uninformed dealers,
lack of instruction/practice, inattentive drivers, massive manuals nobody
reads burying critical safety information.

ALWAYS set parking brake. I didn't, once, and my stick-shift car went for an adventure -- made sharp right turn in reverse, crossed a street, killed a neighbor's mailbox.

------------------------------

Date: Tue, 31 Aug 2021 00:26:30 -0400
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: Lights Flickered in New York City. Why Did the Subways Grind to a
Halt? (NYTimes)

https://www.nytimes.com/2021/08/30/nyregion/power-outage-nyc.html

...because one thing led to another.

------------------------------

Date: Wed, 1 Sep 2021 14:58:33 -0400
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: Fraud Alert: Malicious QR Codes Now Used by Online Scammers
(Washington Consumers' Checkbook)

A couple lost $1,600 trying to rent a vacation house. The “rental agent” said to use his QR code to pay the deposit using a Bitcoin ATM machine.

A caller, who claimed to be with the power company, threatened to turn off
the electricity in 20 minutes because of an outstanding bill of $973. The homeowners were sent a QR code and told to use it at a nearby kiosk. It
turned out to be the QR code to download the bitcoin app. Thankfully, the transaction was not completed.

A consumer in Hawaii sent $1,000 via QR code to an investment company that
made contact via Instagram. After the trading period ended, the scammer demanded a fee of $4,102 to withdraw the supposed $20,500 profit in the account. Again, the money was sent via a bitcoin machine to the address in
the QR Code. Total loss: $5,102.

https://www.checkbook.org/washington-area/consumers-notebook/articles/Fraud-Alert-Malicious-QR-Codes-Now-Used-by-Online-Scammers-7587

Well, yes. But don't be an idiot.

------------------------------

Date: Wed, 1 Sep 2021 13:30:39 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: A Fix for Ransomeware Attacks (Paul Rosenzweig)

Paul Rosenzweig, *The New York Times*, 1 Sep 2021

Tighter cryptocurrency rules would interfere with criminals' toll collection

The last paragraph is this: The U.S. ``does not have a ransomware problem so much as it has an anonymous ransom problem. If we can change the payment system to make the kidnapping less profitable, we will go a long way to a solution.''

------------------------------

Date: Mon, 30 Aug 2021 20:07:27 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Falsehoods diminish trust in Califonia recall vote (Kaylee Fagan)

Kaylee Fagan, *The San Francisco Chronicle*, 29 Aug 2021 [Or not? PGN]

``The campaign to recall Califonia Governor Gavin Newsome has a conspiracy theory problem, and it just might siphon off votes that aid its cause.''

[The disinformation campaign is running rampant, complicating a crazy law
that provides an up-or-down yes-no vote to recall the Governor, and 46
candidates to replace him if the first vote is yes. Thus, an elected
replacement Governor could win with as little as three or four percent of
the votes from those who bother to vote, and maybe half of that if half of
the eligible voters don't even bother to vote . This is democracy at
work? PGN]

------------------------------

Date: Fri, 27 Aug 2021 11:25:39 +0800
From: "Richard Stein" <rmstein@ieee.org>
Subject: Manned Mars mission viable if it doesn't exceed four years,
concludes international research team (phys.org)

https://phys.org/news/2021-08-mars-mission-viable-doesnt-years.html

"Shprits and colleagues from UCLA, MIT, Moscow's Skolkovo Institute of
Science and Technology and GFZ Potsdam combined geophysical models of
particle radiation for a solar cycle with models for how radiation would
affect both human passengers—including its varying effects on different bodily organs—and a spacecraft. The modeling determined that having a spacecraft's shell built out of a relatively thick material could help
protect astronauts from radiation, but that if the shielding is too thick,
it could actually increase the amount of secondary radiation to which they
are exposed."

For the curious, and those inclined to "Boldly go where no one has gone before," see "How bad is the radiation on Mars?" from https://phys.org/news/2016-11-bad-mars.html to discover the hard facts about Martian Surface radiation: ~22 rads per day (~0.22 Sv per day from https://www.unitsconverters.com/en/Rad-To-Sievert/Unittounit-3966-3988?MeasurementId=33&From=3966&To=3988&textBoxBufferedValue=0)
which is ~220 chest x-rays.

In space, timing is everything. If the cosmic radiation doesn't 'get
you,' the Sun's (and/or secondary/shield-induced) radiation will.

------------------------------

Date: Sat, 28 Aug 2021 01:23:39 -0400
From: "Arthur T." <risks202108.6.atsjbt@xoxy.net>
Subject: Lying with statistics (Ars Technica)

'Microsoft says that Insider Program PCs that didn't meet Windows 11's
minimum requirements "had 52% more kernel-mode crashes" than PCs that did,
and that "devices that do meet the system requirements had a 99.8%
crash-free experience."'

This is from an Ars Technica story, and the writer didn't do the math. An
52% increased probability of crash yields barely under a 99.7% crash-free experience. When expressed in the same terms (probability of not crashing),
it shows that there's not really a big difference.

Risk: Blithely quoting a company's statistics without questioning them.

https://arstechnica.com:443/gadgets/2021/08/why-windows-11-has-such-strict-hardware-requirements-according-to-microsoft/

(Yes, I know that total crashes might be more than just kernel-mode crashes. But I think that would make the crash-free percentages even less different.)

------------------------------

Date: Thu, 26 Aug 2021 09:07:05 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Iceland has reported more cases in the past month than they had in
the previous 9 months combined (ianmSC)

Iceland has reported more cases in the past month than they had in the
previous 9 months combined 91.2% of their adult population is at least partially vaccinated, 86.5% are fully vaccinated Fauci said with 50% vaccinated, we wouldn’t see surges like those in the past. Whoops!

https://twitter.com/ianmSC/status/1428407830093041664

------------------------------

Date: Thu, 26 Aug 2021 11:22:40 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: T-Mobile Hacker Who Stole Data on 50 Million Customers: ‘Their
Security Is Awful’

A 21-year-old American said he used an unprotected router to access millions
of customer records in the mobile carrier’s latest breach

The hacker who is taking responsibility for breaking into T-Mobile US Inc.’s systems said the wireless company’s lax security eased his path into a cache of records with personal details on more than 50 million people and
counting.

John Binns, a 21-year-old American who moved to Turkey a few years ago, told *The Wall Street Journal* he was behind the security breach. Mr. Binns, who since 2017 has used several online aliases, communicated with the Journal in Telegram messages from an account that discussed details of the hack before they were widely known.

The August intrusion was the latest in a string of high-profile breaches at U.S. companies that have allowed thieves to walk away with troves of
personal details on consumers. A booming industry of cybersecurity
consultants, software suppliers and incident-response teams have so far
failed to turn the tide against hackers and identity thieves who fuel their businesses by tapping these deep reservoirs of stolen corporate data.

The breach is the third major customer data leak that T-Mobile has disclosed
in the past two years. The Bellevue, Wash., company is the second-largest
U.S. mobile carrier with roughly 90 million cellphones connecting to its networks.

The Seattle office of the Federal Bureau of Investigation is investigating
the T-Mobile hack, according to a person familiar with the matter. “The FBI is aware of the incident and does not have any additional information at
this time,” the Seattle office said in a statement Wednesday.

In messages with the Journal, Mr. Binns said he managed to pierce T-Mobile’s defenses after discovering in July an unprotected router exposed on the internet. He said he had been scanning T-Mobile’s known internet addresses for weak spots using a simple tool available to the public.

The young hacker said he did it to gain attention. “Generating noise was one goal,” he wrote. He declined to say whether he had sold any of the stolen data or whether he was paid to breach T-Mobile.

*The 21-year-old hacker shared a screenshot of internal T-Mobile servers
with warnings against unauthorized access.*

Several cybersecurity experts said the public details of the hack and
reports of previous T-Mobile breaches show the carrier’s defenses need improvement. Many of the records reported stolen were from prospective
clients or former customers long gone. “That to me does not sound like good data management practices,” said Glenn Gerstell, a former general counsel
for the National Security Agency.

Mr. Binns said he used that entry point to hack into the cellphone carrier’s data center outside East Wenatchee, Wash., where stored credentials allowed
him to access more than 100 servers. “I was panicking because I had access to something big,” he wrote. “Their security is awful.” He said it took about a week to burrow into the servers that contained personal data about
the carrier’s tens of millions of former and current customers, adding that the hack lifted troves of data around Aug. 4.

On Aug 13 2021, the security research firm Unit221B LLC reported to T-Mobile that an account was attempting to sell T-Mobile customer data, according to
the security firm. Two days later, T-Mobile publicly acknowledged it was investigating a potential breach.

T-Mobile confirmed that more than 50 million customer records have been
stolen. The wireless carrier said it had repaired the security hole that enabled the breach. “We are confident that we have closed off the access and egress points the bad actor used in the attack,” it said in a statement. A T-Mobile spokeswoman declined to comment on specific claims by Mr. Binns or
by cybersecurity experts.

For Mr. Binns, who uses the online names IRDev and v0rtex, among others, the T-Mobile hack represents a major development in a track record that has featured various exploits and—four years ago—peripheral involvement in the creation of a massive network of hacked devices that was used for online attacks.

Mr. Binns showed the Journal that he could access accounts linked to the
IRDev online personality, which shared screenshots depicting access into T-Mobile’s network. He declined to be photographed but answered personal questions to confirm his identity as John Binns. [...] https://www.wsj.com/articles/t-mobile-hacker-who-stole-data-on-50-million-customers-their-security-is-awful-11629985105?st=4nh9nfpmp3o2293

[ADDED LATER from geoff:]

... Mike Benjamin, vice president of security for network operator Lumen Technologies Inc., said U.S. prosecutions in past years have limited the
threat from these botnets, though network attacks have started growing in recent months. He said *many young people, especially in the U.S. and
Europe, first learn basic hacking techniques by sharing tricks and tactics
with fellow gamers online.

“Online video-gaming drives a natural competitiveness,” Mr. Benjamin said. ”Everybody’s looking for that edge. That can reach into this area of outside
of the videogame,” where tactics end up “breaking the internet instead of just inside the rules of the game.”

------------------------------

Date: Thu, 26 Aug 2021 14:28:42 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Reddit CEO rejects call for a crackdown on coronavirus misinformation (Engadget)

https://www.engadget.com/reddit-211856313.html?src=rss

------------------------------

Date: Thu, 2 Sep 2021 03:36:33 +0900
From: "ファーバーデイビッド Ｊ" <farber@keio.jp>
Subject: Australian preprint ban in grant applications deemed ‘plain
ludicrous’ (Nature)

https://www.nature.com/articles/d41586-021-02318-8

------------------------------

Date: Mon, 30 Aug 2021 9:02:41 PDT
From: Peter G Neumann <neumann@csl.sri.com>
Subject: One more position on the Apple Appleplexy (Susan Landau)

https://www.lawfareblog.com/normalizing-surveillance

------------------------------

Date: Fri, 27 Aug 2021 07:25:03 +0000
From: Lindsay Marshall <Lindsay.Marshall@newcastle.ac.uk>
Subject: Re: UK to SORT-OF Hang Up on Landline Phones in 2025 (RISKS-32.84)

This is not true. The move is to an IP-based system, not no landlines.

https://www.ofcom.org.uk/phones-telecoms-and-internet/information-for-industry/telecoms-competition-regulation/future-fixed-telephone-services

------------------------------

Date: 27 Aug 2021 14:20:10 -0400
From: "John Levine" <johnl@iecc.com>
Subject: Re: UK to SORT-OF Hang Up on Landline Phones in 2025 (RISKS-32.84)

This story suffers from bad reporting. What's actually going away is the legacy SS7/TDM signaling, known in the UK as C7, presumably in favor of SIP.

The physical networks in the UK are a mix of fiber and copper, with a lot
of FTTN with copper loops which is migrating at some rate to FTTP with fiber the whole way.

PS: We can have a metaphysical discussion about what counts as a landline phone. I have fiber running into the house, which connects to a
telco-provided battery-backed modem, which is connected to the copper wire
in my house into which I plug a genuine American Bell Mickey Mouse phone.
Is that a landline? Sure seems like it when the phone rings, and I mean *rings*.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.

SUBSCRIPTIONS: The mailman Web interface can be used directly to

subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that

includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.

SPAM challenge-responses will not be honored. Instead, use an alternative

address from which you never send mail where the address becomes public!

The complete INFO file (submissions, default disclaimers, archive sites,

copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's

searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.

Special Offer to Join ACM for readers of the ACM RISKS Forum:

<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.85
************************

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)