• Risks Digest 33.16

    From RISKS List Owner@21:1/5 to All on Wed Apr 20 00:36:14 2022
    RISKS-LIST: Risks-Forum Digest Tuesday 19 April 2022 Volume 33 : Issue 16

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/33.16>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    NASA Will Roll Back Its SLS Rocket for Repairs (WiReD)
    CatalanGate: Extensive Mercenary Spyware Operation against Catalans Using
    Pegasus and Candiru (CitizenLab)
    Insteon is down and may not be coming back (Stacey on IoT)
    Creating an Information Security Program from Scratch (Walter Williams)
    Hundreds of Brockton drivers failed exam after getting licenses with no test
    (The Boston Globe)
    Why I deleted the ACM election email (Cliff Kilby)
    Crypto Is Poised to Reshape Taxes -- and Cities (WiReD)
    Beanstalk DAO falls to a corporate raid, funded by flash loan junk bonds:
    Attack of the 50-foot Blockchain (David Gerard)
    Re: recent NYT slips on tech coverage (Prashanth Mundkur)
    Re: The Uncanny Future of Romance With Robots Is Already Here
    (Rob Slade, Craig Cottingham)
    Re: What Can Hackers Do With Stolen Source Code? (Bernie Cosell)
    Re: Hackers Steal About $600 Million in One of the Biggest Crypto
    (Kevin Kostolo)
    Re: Driverless Cars Can Be Tricked into Seeing Red Traffic Lights as Green
    (Jan Wolitzky)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 19 Apr 2022 18:51:29 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: NASA Will Roll Back Its SLS Rocket for Repairs (WiReD)

    After three attempts to run through a test of the Space Launch System, engineers spotted a leak and a faulty valve. The fixes may delay the first Artemis moon mission.

    NASA engineers hope to have their massive moon-bound Space Launch System
    ready for liftoff in a couple of months, but so far they've encountered some bumps in the road. On March 17, NASA rolled the world's most powerful rocket out onto the launchpad at Kennedy Space Center in Florida to ready it for
    the Artemis program's inaugural lunar mission later this year. Since then, technicians have completed a raft of checks on the huge rocket's systems,
    but after three tries they haven't been able to make it through the final
    test, a practice countdown called the ``wet dress rehearsal test.''

    The key problems have been a faulty helium check valve and a liquid hydrogen leak, which led to several pushbacks of the test countdown. Finally, NASA officials decided over the weekend to disconnect the rocket and, starting
    next Tuesday, carefully roll the SLS and Orion crew capsule back to the
    Vehicle Assembly Building, a facility with the equipment needed for them to perform rocket surgery. They hope to have a quick turnaround, returning to
    the pad soon afterward to complete the countdown test, but the first Artemis mission around the moon -- originally planned for early June -- might be delayed.

    ``The mega moon rocket is still doing very well. The one check valve is literally the only real issue we've seen so far. We're very proud of the rocket,'' said Tom Whitmeyer, a deputy associate administrator at NASA headquarters in Washington, at a press conference this afternoon. ``But we
    have a little bit more work in front of us.''

    https://www.wired.com/story/nasa-rolls-back-its-sls-rocket-for-repairs

    Aside from that one thing, Mrs. Lincoln...

    ------------------------------

    Date: Mon, 18 Apr 2022 11:11:55 -0400
    From: José María Mateos <chema@rinzewind.org>
    Subject: CatalanGate: Extensive Mercenary Spyware Operation against
    Catalans Using Pegasus and Candiru (CitizenLab)

    https://citizenlab.ca/2022/04/catalangate-extensive-mercenary-spyware-operation-against-catalans-using-pegasus-candiru/

    Summary of the findings:

    - The Citizen Lab, in collaboration with Catalan civil society groups, has
    identified at least 65 individuals targeted or infected with mercenary
    spyware.

    - At least 63 were targeted or infected with Pegasus, and four others with
    Candiru. At least two were targeted or infected with both.

    - Victims included Members of the European Parliament, Catalan Presidents,
    legislators, jurists, and members of civil society organisations. Family
    members were also infected in some cases.

    - We identified evidence of HOMAGE, a previously-undisclosed iOS zero-click
    vulnerability used by NSO Group that was effective against some versions
    prior to 13.2.

    - The Citizen Lab is not conclusively attributing the operations to a
    specific entity, but strong circumstantial evidence suggests a nexus with
    Spanish authorities.

    - We shared a selection of Pegasus cases with Amnesty International's Tech
    Lab, which independently validated our forensic methodology.

    ------------------------------

    Date: Sun, 17 Apr 2022 23:52:16 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Insteon is down and may not be coming back (Stacey on IoT)

    Internet of Things news and analysis

    Author writes: Is your Insteon smart home system down? I'm getting reports
    from dozens of Insteon users that as of Friday their smart home hubs have stopped working. So far, none of them have heard from the company, and Insteon's Twitter account hasn't been updated since June 2021. I reached out
    to Rob Lilleness, the president and chairman of Smartlabs, the company that owns Insteon and have not yet heard back.

    https://staceyoniot.com/insteon-is-down-and-may-not-be-coming-back/

    A friend commented:

    I have probably four or five Insteon devices plus a hub. Their technology
    has been pretty decent and their support was excellent. They suddenly disappeared last Friday without a trace. No explanation, no apology. The
    woman who wrote the article above did some digging and it sure looks like they're gone.

    What I'd like to do (aside from replacing my now-useless Insteon devices) is follow the careers of the perps named in the article and write scathing
    reviews of any company that hires any of them, pointing to this article, to
    let customers know that the same thing could happen to them with such disrespectful people in management.

    One of the comments made the excellent point that incidents like this are
    going to erode consumer trust in IoT, especially products that require
    Internet access to a server somewhere in order to function at all.

    ------------------------------

    Date: Mon, 18 Apr 2022 08:58:03 -0700
    From: "Rob Slade, greatgrandpa and widower" <rslade@gmail.com>
    Subject: Creating an Information Security Program from Scratch
    (Walter Williams)

    There are plenty of tools we could talk about for those who already have a security program in place. What have we got if you don't?

    (There are, of course, those long in the field, who seriously wish that they could start over from scratch. This book might act as a reminder that might get them out of the weeds long enough to see an approach or tool they might have overlooked.)

    Walter Williams has taken on that task. What happens when you, as possibly
    the crack firewall expert on the tech team, are suddenly noticed by the
    boss, who, out of the blue, decides that the company needs a CISO, and
    you're it. You've got the whole corporate infosec world in your hands, and you'd better not drop it.

    Chapter one correctly states that you can start with either risk assessment
    or compliance, and lists, in detail, the tools available to you for both. Williams includes the top level security frameworks that can act as your
    guides into the labyrinth that is information security, and notes the strengths, and areas of emphasis, of each. This provides you with not only
    a starting point, but resources that will aid you throughout your security career.

    From there, Williams moves into policy, and the supporting documentation around it. Without policy you can have no security, because you don't know
    what it is you are protecting, and why. Included in this chapter is an
    initial foray into the importance of planning, which will come back in
    myriad forms as you move deeper into security processes.

    Asset management jumps from the high level viewpoint down into the weeds
    and details. However, that is a jump that you frequently have to make in security. You have no security without an overall vision, but you have no protection without having the correct controls in place and working.
    Assets, and the controls meant to protect them, have vulnerabilities, and
    so managing those is vital as well.

    Overall planning is important, but very soon you are going to be putting
    out fires, known in the trade as incidents. Note that Williams does not,
    at this point, give you a full guide to business continuity or disaster recovery planning, which would require an entire book of its own. He does, however, point you to yet more frameworks in the fields, which will get you started in that direction.

    Then it's back to assets, in this case the "endpoint," or what the user
    tends to interact with. The author provides an overview of both the
    various problems which you will likely encounter in this realm, and a
    variety of protections you may wish to choose, depending upon your specific security posture. From there Williams moves to email security, an issue
    common to pretty much any end user these days.

    From the user, it is back to the technical team, and the issues with your networking and telecommunications. Note that I say *issues*: the full range
    of every possible detail that you need to know would need a very fat book indeed, and several of those are available when you want to go there.
    Somewhat more detail, or at least the structures and processes that you will need, are addressed in the chapter on software development.

    After the introduction to incidents, earlier in the work, Williams now turns
    to disasters, and disaster recovery. This is addressed from the disaster recovery, rather than the business continuity, angle, which is probably
    wise, as a company in the first round of a security program probably has neither the maturity, nor the resources, to prepare a full business
    continuity plan.

    In the chapter on access control, Williams spends a good deal of time
    outlining some of the formal theories and models behind the controls. This
    is far from a waste of time. Tuning an access control system in terms of details can waste a good deal of effort and resources if those controls do
    not protect in the way you think or assume that they will. Looking at the formal models should get you used to understanding what a system will, and won't, do for you.

    Spend a lot of time with chapter twelve, Human Issues. As the author notes
    up front, too many security specialists take it for granted that people are
    the problem. People are your greatest weakness, in security, but they are, paradoxically and at the same time, your greatest security asset. Make your people aware, and get them onside.

    Williams finishes with the concept of organizational maturity. This is an important concept, but readers may be distracted by the accompanying
    material on metrics and data presentation.

    This is a solid, and comprehensive, guide for those who have to start
    securing an enterprise from square one. It may appear to jump around from topic to topic, and from the overall view to the details. Get used to it. That's what security is like.

    ------------------------------

    Date: Tue, 19 Apr 2022 17:06:00 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Hundreds of Brockton drivers failed exam after getting licenses
    with no test (The Boston Globe)

    https://www.boston.com/news/local-news/2022/04/19/brockton-rmv-road-tests-failures-suspensions/

    [An unanswerable question unlike Who Shaves the Barber is Who is going to
    test the drivers in the driverless cars? PGN]

    ------------------------------

    Date: Mon, 18 Apr 2022 11:04:38 -0400
    From: Cliff Kilby <cliffjkilby@gmail.com>
    Subject: Why I deleted the ACM election email

    And why you should have too.

    They used my name, isn't that enough?
    Nope. Purchasing email-to-name services (legal and/or questionable) is
    cheap and readily available.

    They said ACM.
    I am proud of my membership in the ACM, this is just a public fact.

    They pointed a URL to the ACM website.
    Even marginally good phishers refer to their target website. Sometimes even loading their CSS or images directly.

    They bounced between several domains that aren't associated with ACM in the email.
    This alone is sufficient to reject an email at a glance.

    They referred to a URL shortener.
    URL shorteners are notorious for being used to plaster over a suspicious reference to another domain, and cannot be easily tested. Another reason to delete on sight.

    acmhelp@mg.electionservicescorp.com authenticated the email.

    That's nice. I don't know who they are, and if they really had permission
    to pretend to be ACM, why isn't this email on ACM's domain (DKIM auth
    grant)?

    There is something that looks like a password in this email.

    They call it a PIN so it may be a username, but an email with an
    unsolicited authenticator in it goes straight to garbage.

    In other news, it's time for ACM general elections.

    https://www.acm.org/elections/acm-vote

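    The red flags Cliff Kilby lists above (a DKIM signer and From: domain that do not belong to the organization the mail claims to speak for, links that bounce across unrelated domains, a URL shortener, and an unsolicited PIN) can be checked mechanically before anyone clicks. The script below is an added example, not part of this digest or of any contributor's post. The message it inspects is constructed to mirror the pattern described, mg.electionservicescorp.example is a placeholder domain, and the organizational-domain reduction (keep the last two labels) is a simplifying assumption in place of a public-suffix lookup.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample, NOT the real election e-mail: it only reproduces the
# shape of the indicators (third-party signer, shortener, PIN in the body).
SAMPLE_EMAIL = """\
Return-Path: <bounce@mg.electionservicescorp.example>
DKIM-Signature: v=1; a=rsa-sha256; d=mg.electionservicescorp.example; s=k1;
  h=from:to:subject; bh=AAAA; b=BBBB
From: "ACM Elections" <acmhelp@mg.electionservicescorp.example>
To: member@example.org
Subject: ACM 2022 General Election - your ballot
Content-Type: text/plain

Dear Member,
Vote at https://www.acm.org/elections/acm-vote or use the quick link
https://bit.ly/3xAMPLE to reach https://vote.electionservicescorp.example/ballot
Your PIN: 48213977
"""

# Well-known public shorteners; extend for your own environment.
KNOWN_SHORTENERS = {"bit.ly", "tinyurl.com", "t.co", "goo.gl", "ow.ly", "is.gd"}


def registrable_domain(host):
    """Crude organizational-domain reduction: keep the last two labels.
    Assumption: no public-suffix list, so co.uk-style hosts are mis-grouped."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def extract_urls(text):
    """Pull http(s) URLs out of a plain-text body."""
    return re.findall(r"https?://[^\s<>\"')]+", text)


def analyze(raw_message, claimed_org_domain):
    """Return (indicator, detail) pairs for each red flag found.

    claimed_org_domain is the organization the mail says it represents
    (here acm.org); every domain in the message is compared against it."""
    msg = message_from_string(raw_message)
    org = registrable_domain(claimed_org_domain)
    flags = []

    # 1. Who signed it? A DKIM d= outside the claimed org means someone else
    #    vouches for the mail, not the org itself.
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", msg.get("DKIM-Signature", ""))
    signer = m.group(1).lower() if m else ""
    if signer and registrable_domain(signer) != org:
        flags.append(("dkim_misaligned", f"signed by {signer}, not {claimed_org_domain}"))

    # 2. Is the visible From: address even on the org's domain?
    _, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rsplit("@", 1)[-1].lower() if "@" in from_addr else ""
    if from_domain and registrable_domain(from_domain) != org:
        flags.append(("from_misaligned", from_domain))

    # 3. Links: shorteners hide the destination; other domains are unrelated hops.
    body = msg.get_payload(decode=True) or b""
    if isinstance(body, bytes):
        body = body.decode("utf-8", "replace")
    hosts = {urlparse(u).hostname or "" for u in extract_urls(body)}
    shorteners = sorted(h for h in hosts if h in KNOWN_SHORTENERS)
    if shorteners:
        flags.append(("url_shortener", ", ".join(shorteners)))
    unrelated = sorted({registrable_domain(h) for h in hosts
                        if h and h not in KNOWN_SHORTENERS and registrable_domain(h) != org})
    if unrelated:
        flags.append(("unrelated_link_domains", ", ".join(unrelated)))

    # 4. An authenticator nobody asked for, delivered in clear text.
    if re.search(r"\b(PIN|password|passcode)\b\s*[:=]\s*\S+", body, re.IGNORECASE):
        flags.append(("credential_in_body", "PIN/password-like token present"))
    return flags


if __name__ == "__main__":
    for indicator, detail in analyze(SAMPLE_EMAIL, "acm.org"):
        print(f"{indicator:24s} {detail}")
```

    Run against the constructed sample with "acm.org" as the claimed organization, every one of the five indicators fires; a message signed by and linking only to acm.org, with no PIN in the body, returns an empty list. The point is that each check is cheap and needs no threat intelligence: alignment between the signer, the From: domain and the link targets is something a mail gateway or a user-facing "why was this flagged" rule can compute from the headers alone.
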
    ------------------------------

    Date: Mon, 18 Apr 2022 19:32:35 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Crypto Is Poised to Reshape Taxes -- and Cities (WiReD)

    Taxes, CityCoins founder Patrick Stanley says, can stop being a mind-numbing civic ritual and become an exercise in freedom -- if we tokenize and
    calibrate them the right way. Stanley's crypto-based invention is what he
    calls *an opt-in tax of opportunity, as opposed to obligation,* wherein boosters tithe a particular city with crypto because they have faith in the municipality and its mission. [...]

    Within the CityCoins matrix, miners receive a city-specific coin, like MiamiCoin or NYCCoin, by trading in STX, the token for Stacks, a protocol
    that operates on top of the Bitcoin network. [...]

    Beyond CityCoins' undetermined future, it remains to be seen whether crypto writ large will usher in a technocratic nirvana, wither the way of Dutch tulips, collapse like an audited Ponzi scheme, or lead to unforeseen
    outcomes. Regardless, the capitalist urge to turn a civic tradition into a financial instrument will survive whether CityCoins fizzles out or
    not. TurboTax has already done this for its shareholders; CityCoins or some future avatar will lead the charge in *democratizing* those gains for
    others. But the civic tradition of birthing political movements by
    confronting unjust financial tools remains alive and well, too. Whatever
    comes next, we can all agree the IRS leaves ample room for improvement.

    https://www.wired.com/story/crypto-reshape-taxes-cities

    Tokenize? Calibrate? Tithe? Tulips/Ponzi, yes.

    ------------------------------

    Date: Mon, 18 Apr 2022 20:41:55 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Beanstalk DAO falls to a corporate raid, funded by flash loan
    junk bonds: Attack of the 50-foot Blockchain (David Gerard)

    Beanstalk DAO is a DeFi lender running on the Ethereum blockchain. It was raided just before 12:30 UTC on Sunday 17 April for 24,830 ETH.

    Smart contracts are famously prone to hacks. But this wasn't a hack at all
    -- this was a corporate raid. Even the project concedes that everything
    worked according to the rules of the project.

    The story of the Beanstalk raid is the end of a long chain of slapdash and incompetent financial engineering, by people who just found out why
    regulations evolved. [...]

    The aftermath

    Beanstalk is probably screwed, and BEAN's dollar peg has been broken
    utterly.

    The Beanstalk project has gone to exchanges asking them to block the ether
    from the transaction -- and even to the FBI. The project's anonymous
    founder, Publius, did not clarify to CoinTelegraph under just what law the
    FBI would have recourse to help them. [CoinTelegraph]

    This was an outrageous shenanigan. But it's not clear that it was any more illegal than the securities law violations that Beanstalk was already committing. The raider completely obeyed the project's rules.

    Publius [Beanstalk founders] said on the project Discord: ``It's unfortunate that the same governance procedure that put beanstalk in a position to
    succeed was ultimately its undoing.''

    https://davidgerard.co.uk/blockchain/2022/04/18/beanstalk-dao-falls-to-a-corporate-raid-funded-by-flash-loan-junk-bonds/

    ------------------------------

    Date: Tue, 19 Apr 2022 14:05:50 -0400
    From: Prashanth Mundkur <prashanth.mundkur@sri.com>
    Subject: Re: recent NYT slips on tech coverage

    Some correctives to recent NYT tech coverage:

    1. The (Edited) Latecomer's Guide to Crypto
    by Molly White et al., March 25, 2022.
    https://www.mollywhite.net/annotations/latecomers-guide-to-crypto

    On March 20, 2022, the New York Times published a 14,000-word puff piece
    on cryptocurrencies, both online and as an entire section of the Sunday
    print edition. Though its author, Kevin Roose, wrote that it aimed to be
    a "sober, dispassionate explanation of what crypto actually is", it was a
    thinly-veiled advertisement for cryptocurrency that appeared to have
    received little in the way of fact-checking or critical editorial
    scrutiny. It uncritically repeated many questionable or entirely
    fallacious arguments from cryptocurrency advocates, and it appears that
    no experts on the topic were consulted, or even anyone with a
    less-than-rosy view on crypto. This is grossly irresponsible.

    Here, a group of around fifteen cryptocurrency researchers and critics
    have done what *The New York Times* apparently won't.

    2. On NYT Magazine on AI: Resist the Urge to be Impressed
    by Emily M. Bender, April 17, 2022
    https://medium.com/@emilymenonbender/on-nyt-magazine-on-ai-resist-the-urge-to-be-impressed-3d92fd9a0edd

    On April 15, 2022, Steven Johnson published a piece in the New York Times
    Magazine entitled AI Is Mastering Language. Should We Trust What It Says?
    I knew this piece was coming, because I had been interviewed for it, over
    email, a couple of weeks ago. I read it with some trepidation, because I
    had the sense that Johnson's question and goals going into the article
    did not maintain sufficient skepticism of the claims of AI boosters. At
    the same time, I was also fairly confident my words weren't going to be
    taken out of context because I'd been contacted by a fact checker who was
    verifying the quotes they intended to use. On reading the article, my
    expectations were met on both counts. Ordinarily, when I encounter AI
    hype in media coverage of research/products that claim to be AI, I get
    inspired to write tweet threads aiming to educate folks on how to spot
    and thus resist such hype. (Here's a recent example.) Johnson's article
    is ~10k words long, though, and so I've decided to try to do the same in
    blog form, rather than as a tweet thread.

    ------------------------------

    Date: Mon, 18 Apr 2022 19:13:25 -0700
    From: Rob Slade <rslade@gmail.com>
    Subject: Re: The Uncanny Future of Romance With Robots Is Already Here
    (RISKS-33.15)


    Some people wanted to build a replica of themselves, ...

    As a grieving widower, I am more than a little freaked out by the
    implications of this. Being able to build a "perfect" friend is one level
    of self delusion. But the bereaved are already in danger from inappropriate relationships. The bereaved suffer extreme and desperate loneliness, not
    just from the loss of a loved one, but from social isolation, because most
    of their friends and family do not understand the depth of real grief.
    Couple that with the existing tendency to "converse" with the dead loved one (which can be healthy at some point in the grieving process, but can become
    an obsession), and the temptation to recreate a "Markov chain" replica (Replika?) can create a really (psychologically) dangerous situation.

    (I've got a whole bunch of Gloria's email messages, going back possibly
    thirty years. Should I try it out? Would the "uncanny valley" freak me
    out? Would I become obsessed if it was too good?)

    ------------------------------

    Date: Tue, 19 Apr 2022 09:57:24 -0500
    From: Craig Cottingham <craig.cottingham@gmail.com>
    Subject: Re: The Uncanny Future of Romance With Robots Is Already Here
    (RISKS-33.15)

    This is more-or-less the plot of the Black Mirror episode *Be Right Back* https://www.imdb.com/title/tt2290780/

    Art may imitate life, but life also imitates art.

    ------------------------------

    Date: Mon, 18 Apr 2022 19:25:18 -0400
    From: "Bernie Cosell" <bernie@fantasyfarm.com>
    Subject: Re: What Can Hackers Do With Stolen Source Code? (RISKS-33.15)

    Considering that MS patches scores of bugs, many of them serious, it isn't
    so difficult to suspect that some group getting the source code could,
    perhaps, find next month's bugs and the month after that's bugs and
    ... before MS does.

    ------------------------------

    Date: Tue, 19 Apr 2022 10:35:01 -0500
    From: Kevin Kostolo <kevinkostolo2005@gmail.com>
    Subject: Re: Hackers Steal About $600 Million in One of the
    Biggest Crypto (RISKS-33.15)

    [Incidentally, I received a copy of the full text from Gabe Goldberg, but
    for some reason it came in as rampant gibberish, so I decided not to try
    to unscramble the rest of it after what I have added here. PGN]

    I read elsewhere there was an msn version of the link floated about with
    the same gibberish.

    ------------------------------

    Date: Tue, 19 Apr 2022 06:48:37 -0400
    From: Jan Wolitzky <jan.wolitzky@gmail.com>
    Subject: Re: Driverless Cars Can Be Tricked into Seeing Red Traffic Lights
    as Green (JW)

    A racing car driver, Eugene,
    Had the swiftest machine on the scene.
    Nearly faster than light,
    With no cops in sight,
    He'd blue-shift the red lights to green.

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 33.16
    ************************
