• Risks Digest 33.31 (1/2)

    From RISKS List Owner@21:1/5 to All on Sat Jul 2 16:08:44 2022
    RISKS-LIST: Risks-Forum Digest Saturday 2 July 2022 Volume 33 : Issue 31

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/33.31>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    The Wheels Have Come Off Electric Vehicles (Bloomberg)
    Who Is Liable when AI Kills? (Scientific American)
    Four Takeaways From a Times Investigation Into China's Expanding
    Surveillance State (NYTimes)
    An Invisible Cage: How China Is Policing the Future (NYTimes)
    China lured graduate jobseekers into digital espionage (ArsTechnica)
    Internet Explorer Shutdown to Cause Japan Problems 'For Months'
    (Financial Times)
    School Surveillance Will Never Protect Kids From Shootings (WiReD)
    UK plan to scrap cookie consent boxes will make it easier to spy on web
    users (The Guardian)
    "Whoops. That Feeling When the AG of the most populous state publishes a
    list of where all the handguns are... (twitter viz geoff goodfellow)
    Supercookies Have Privacy Experts Sounding the Alarm (WiReD)
    Police sweep Google searches to find suspects. The tactic is facing its
    first legal challenge. (NBC News)
    DARPA report exposes blockchain vulnerabilities (exodus)
    'Mystery rocket' that crashed into the Moon baffles NASA scientists (Chron)
    Mega says it can't decrypt your files. New POC exploit shows otherwise.
    (ArsTechnica)
    The Assessments of the Swiss Post E-Voting System (Andrew Appel)
    2022 Zero-day in-the-wild exploitation (Maddie Stone)
    Ocean Freight Shipping Costs Are Driving Goods Prices Higher (ProPublica)
    ZuoRAT Trojan (WiReD)
    Sophisticated attacks against range of SOHO routers (ArsTechnica)
    Microsoft Plans to Eliminate Face Analysis Tools in Push for `Responsible AI'
    (NYTimes)
    The Race to Hide Your Voice (WiReD)
    Amazon demonstrates Alexa mimicking the voice of a deceased relative (CNBC)
    South Carolina mom says baby monitor was hacked; Experts say many devices
    are vulnerable (NPR)
    St. John's woman loses home after Phoenix pay fiasco (CBC)
    "These Period Tracker Apps Say They Put Privacy First. Here's What We Found.
    (Consumer Reports)
    FCC asks Google, Apple to remove TikTok due to data privacy concerns at
    Chinese-owned company TikTok (CBC)
    Lost and Found: USB Sticks With Data on 460,000 People (NYTimes)
    Some Crypto Exchanges Already Secretly Insolvent (Forbes)
    Unintended Centralities in Distributed [Blockchain] Ledgers (via Lauren W.)
    Crypto Crash Widens Divide Between Rich and Amateur Traders (NYTimes)
    Cryptocurrency Titan Coinbase providing "Geo Tracking Data" to ICE
    (The Intercept)
    Crypto traceability and market rules agreed by EU lawmakers (TechCrunch)
    Crypto investors' hot streak ends as harsh 'winter' descends (Boston Globe)
    Alex Mashinky's Celsius crypto bank draws probe by five states (WashPost)
    LOL Headline of the Day (LW)
    When customers say their money was stolen on Zelle, banks often refuse to
    pay (NYTimes)
    Planned Parenthood Privacy (WashPost)
    Re: Micropatching on the fly (John Levine)
    Re: A Periodic Issue (Steven J. Greenwald)
    Re: Long-term planning and Optimization (Martin Ward, Martin Ward)
    Re: It is 2022. My coffee mug wants me to log in, wants to know my location,
    and if it can send me promotional emails... (geoff goodfellow)
    AT&T Fiber Optic outage update (PGN)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 30 Jun 2022 16:51:19 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: The Wheels Have Come Off Electric Vehicles (Bloomberg)

    *If Toyota's cars can't keep their tires on, what good is its $35 billion
    EV pledge?*

    The world's biggest car company, Toyota Motor Corp., reluctantly released
    an electric vehicle in May <https://global.toyota/en/newsroom/toyota/37135919.html#:~:text=Toyota%20City%2C%20Japan%2C%20April%2012,BEV*1%20on%20May%2012.>.
    Weeks later, it recalled 2,700 of them because there was a risk their
    wheels -- the most fundamental component -- would fall off. If that's the
    level of quality and safety traditional auto giants are willing to commit
    to, then investors and regulators should increase their scrutiny.

    Getting it right on battery technology and electric motors is one thing,
    but bolting the wheels on properly? It shouldn't even be a question.
    Billions of dollars have been invested, huge promises have been made and
    every major car manufacturer in the world has committed to go electric and clean. What's more, cars are selling at record high prices.

    Toyota's statement was alarming <https://pressroom.toyota.com/toyota-is-conducting-a-safety-recall-involving-2023-model-year-bz4x-vehicles/>.
    ``After low-mileage use, all of the hub bolts on the wheel can loosen to the point where the wheel can detach from the vehicle. If a wheel detaches from
    the vehicle while driving, it could result in a loss of vehicle control, increasing the risk of a crash,'' the company said as it recalled its first electric car release. Long a leader in hybrid or gasoline-electric
    technology, the Japanese firm has been dragging its feet on EVs as
    competitors like Volkswagen AG have raced ahead. Toyota president Akio
    Toyoda has in the past commented on the excessive hype around green cars and pointed out the downsides. <https://www.wsj.com/articles/toyotas-chief-says-electric-vehicles-are-overhyped-11608196665>

    Meanwhile, Subaru Corp., in which Toyota holds a 20.02% stake, also recalled the Solterra, a related electric vehicle model jointly developed that shares parts with the latter's bZ4x.

    Recalls are par for the course in the auto industry -- every year, millions
    of vehicles are affected. Last year, more than 21 million were accounted for
    in recalls mandated by the U.S. National Highway Traffic Safety
    Administration, according to third-party data provider Recall Master <https://www.recallmasters.com/sor/>. In addition, several million more are part of so-called voluntary campaigns that aren't formally recognized by the authority. [...]

    https://www.bloomberg.com/opinion/articles/2022-06-29/the-wheels-come-off-toyota-s-electric-vehicles

    ------------------------------

    Date: Thu, 30 Jun 2022 01:57:16 +0000
    From: Richard Marlon Stein <rmstein@protonmail.com>
    Subject: Who Is Liable when AI Kills? (Scientific American)

    George Maliha and Ravi B. Parikh, Scientific American, 29 Jun 2022 https://www.scientificamerican.com/article/who-is-liable-when-ai-kills/

    "The key is to ensure that all stakeholders, users, developers and everyone else along the chain from product development to use—bear enough liability
    to ensure AI safety and effectiveness -- but not so much that they give up on AI."

    Organizations that build and deploy AI must be held accountable for usage incidents, be they benign or injurious. Changing the rules -- regulations
    --  means that stakeholders negotiate proposed regulations which are
    approved by lawmakers, and enforced by regulators. Two of the stakeholders
    -- law makers and regulators -- are often captured, or wholly compromised
    by, deep pockets or political interests.

    Product liability laws are outdated -- they were written for industry conditions that assumed only humans and their parent organizations held responsibility for product faults and the incidents or damage they
    cause. There was no anticipation of AI product deployment, and how
    autonomous products alter the liability landscape.

    Product terms of service for virtually every business or institution
    (including governments) invoke indemnification to shield them (their organizations and their employees) against liability save for acts of wanton negligence.

    The terms assert commercial impunity: The consumer purchases a product, and
    via the license terms of use granted therein, agrees to indemnify (hold without fault) the producing organization (and its employees) for any untoward
    outcome, including injury or fatality.

    Occasionally, where there's a question of guilt attributed to said product
    or organization, a negotiated settlement ensues, one that includes non-disclosure of the settlement terms, and a non-admission of guilt to
    resolve the law suit.

    A liability law rewrite, with AI-in-the-loop, will subject organizations to newly defined accountability IF there are sufficient representative consumer interests at the negotiating table to balance the corporate lobby's litigiousness.

    The essay identifies 3 areas of liability regulation revision. The 3rd item
    of the author's liability reform addresses revised standards that might establish a regulatory liability basis for AI.

    The revised standards should include mandatory explainability requirements
    for any deployed AI-product to assist and simplify incident
    triage. Explainability can elevate visibility into autonomous product fault
    and accelerate the incorporation of lessons learned that prevent
    recurrence. Data and voice recorders deployed in aircraft and trains help
    earn and sustain capriciously volatile public trust by teaching mistakes. An equivalent capability will benefit public health and safety exposed to AI-enabled product deployments.

    [As RISKS readers well know, blame can also be spread around flawed
    hardware, operating systems, applications, requirements, etc....... PGN]

    ------------------------------

    Date: Tue, 21 Jun 2022 08:47:14 -0400
    From: Jan Wolitzky <jan.wolitzky@gmail.com>
    Subject: Four Takeaways From a Times Investigation Into China's Expanding
    Surveillance State (NYTimes)

    *The Times* reporters spent over a year combing through government bidding documents that reveal the country's technological road map to ensure the longevity of its authoritarian rule:

    Chinese police analyze human behaviors to ensure facial recognition
    cameras capture as much activity as possible.

    Authorities are using phone trackers to link people's digital lives to their physical movements.

    DNA, iris scan samples, and voice prints are being collected indiscriminately from people with no connection to crime.

    The government wants to connect all of these data points to build
    comprehensive profiles for citizens -- which are accessible throughout the government.

    https://www.nytimes.com/2022/06/21/world/asia/china-surveillance-investigation.html

    ------------------------------

    Date: Sun, 26 Jun 2022 10:38:20 -0400
    From: Jan Wolitzky <jan.wolitzky@gmail.com>
    Subject: An Invisible Cage: How China Is Policing the Future (NYTimes)

    The more than 1.4 billion people living in China are constantly watched.
    They are recorded by police cameras that are everywhere, on street corners
    and subway ceilings, in hotel lobbies and apartment buildings. Their phones
    are tracked, their purchases are monitored, and their online chats are censored.

    Now, even their future is under surveillance.

    The latest generation of technology digs through the vast amounts of data collected on their daily activities to find patterns and aberrations,
    promising to predict crimes or protests before they happen. They target potential troublemakers in the eyes of the Chinese government -- not only
    those with a criminal past but also vulnerable groups, including ethnic minorities, migrant workers and those with a history of mental illness.

    https://www.nytimes.com/2022/06/25/technology/china-surveillance-police.html

    ------------------------------

    Date: Fri, 1 Jul 2022 12:19:04 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: China lured graduate jobseekers into digital espionage
    (ArsTechnica)

    https://arstechnica.com/information-technology/2022/06/china-lured-graduate-jobseekers-into-digital-espionage/

    https://www.ft.com/content/2e4359e4-c0ca-4428-bc7e-456bf3060f45

    ------------------------------

    Date: Mon, 27 Jun 2022 12:08:59 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Internet Explorer Shutdown to Cause Japan Problems 'For Months'
    (Financial Times)

    Masaharu Ban and Kosuke Toshi. *Financial Times*, 24 Jun 2022

    Microsoft's recent termination of the Internet Explorer (IE) browser has sparked panic among businesses and government agencies in Japan that had delayed updating their Websites. Tokyo-based software developer Computer Engineering & Consulting (CEC) has been flooded with help requests since
    April, mainly from government agencies, financial institutions, and manufacturing and logistics companies that operate sites that only work with IE. In a March poll by IT resource provider Keyman's Net, almost half of respondents said they used the IE browser for work, and more than 20% of
    those respondents said they did not know how to transition to another
    browser.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9 6-2ed5ex23482ex071085&

    ------------------------------

    Date: Thu, 30 Jun 2022 23:47:21 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: School Surveillance Will Never Protect Kids From Shootings (WiReD)

    If we are to believe the purveyors of school surveillance systems, K-12
    schools will soon operate in a manner akin to some agglomeration of Minority Report, Person of Interest, and Robocop. "Military grade" systems would
    slurp up student data, picking up on the mere hint of harmful ideations, and dispatch officers before the would-be perpetrators could carry out their
    vile acts. In the unlikely event that someone were able to evade the
    predictive systems, they would inevitably be stopped by next-generation weapon-detection systems and biometric sensors that interpret the gait or
    tone of a person, warning authorities of impending danger. The final layer might be the most technologically advanced—some form of drone or maybe even
    a robot dog, which would be able to disarm, distract, or disable the
    dangerous individual before any real damage is done. If we invest in these systems, the line of thought goes, our children will finally be safe.

    https://www.wired.com/story/school-surveillance-never-protect-kids-shootings

    ------------------------------

    Date: Thu, 30 Jun 2022 09:33:52 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: UK plan to scrap cookie consent boxes will make it easier to
    spy on web users (The Guardian)

    *Privacy campaign group warns against government's proposals to move to an *opt-out* model*

    Proposals to scrap pop-up cookie consent boxes on websites will make it
    easier to spy on web users, a privacy campaign group has warned.

    Cookie banners are a common feature for web users, who are asked to give
    their consent for websites as well as marketing and advertising businesses
    to gather information about their browsing activity. Ministers announced proposals on Friday to move to an opt-out model for cookie consent. <https://www.theguardian.com/technology/2022/feb/02/techscape-google-chrome-cookies>

    ``In the future, the government intends to move to an opt-out model of
    consent for cookies placed by websites,'' said the Department for Digital, Culture, Media and Sport (DCMS). ``This would mean cookies could be set without seeking consent, but the website must give the web user clear information about how to opt out.''

    Open Rights Group (ORG), which campaigns for privacy and free speech online, said the proposal would make spying on people's activities the *default option*. [...] https://www.theguardian.com/technology/2022/jun/17/uk-plan-to-scrap-cookie-consent-boxes-will-make-it-easier-to-spy-on-web-users

    ------------------------------

    Date: Thu, 30 Jun 2022 09:46:45 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: "Whoops. That Feeling When the AG of the most populous state
    publishes a list of where all the handguns are... (

    https://twitter.com/briankrebs/status/1542233920204324866

    ------------------------------

    Date: Thu, 30 Jun 2022 15:14:44 -0400
    From: Gabe Goldberg
    Subject: Supercookies Have Privacy Experts Sounding the Alarm (WiReD)

    A German ad-tech trial features what Vodafone calls "digital tokens."
    Should you be worried?

    https://www.wired.com/story/trustpid-digital-token-supercookie

    ------------------------------

    Date: Thu, 30 Jun 2022 19:00:55 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Police sweep Google searches to find suspects. The tactic is facing
    its first legal challenge. (NBC News)

    Privacy advocates are watching the case closely, concerned that police could use reverse keyword searches to investigate people who seek information
    about abortions.

    https://www.nbcnews.com/news/us-news/police-google-reverse-keyword-searches-rcna35749

    [Gabe Goldberg noted in the same article:
    Is there reasonable expectation of privacy for search data? No.
    Can it be misused? Yes

    Police sweep Google searches to find suspects. The tactic is facing its
    first legal challenge. PGN]

    ------------------------------

    Date: Thu, 23 Jun 2022 15:35:56 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: DARPA report exposes blockchain vulnerabilities (exodus)

    <https://www.exodus.com/news/how-secure-is-ethereum/>

    How secure are Bitcoin and Ethereum, really? We often hear that
    Proof-of-Stake blockchains could theoretically become centralized in the
    hands of a few rich players, while Bitcoin and Ethereum (for now) are relatively immune. <https://www.exodus.com/news/proof-of-work-vs-proof-of-stake/#head4>

    Now, a new Defense Department-sponsored study <https://assets-global.website-files.com/5fd11235b3950c2c1a3b6df4/62af6c641a672b3329b9a480_Unintended_Centralities_in_Distributed_Ledgers.pdf>
    reveals that most blockchains are more centralized (and thus less secure)
    than we're led to believe.

    *An uncomfortable report*

    Trail of Bits <https://www.trailofbits.com/>, a cybersecurity research and consulting firm whose clients include Google, Microsoft and Meta, released
    an important study on June 21 entitled *Are Blockchains Decentralized?* It concludes that many blockchains are more vulnerable to centralization
    dangers than previously thought. <https://cointelegraph.com/blockchain-for-beginners/how-does-blockchain-work-everything-there-is-to-know>

    The report was produced for the U.S. Defense Advanced Research Projects
    Agency (DARPA <https://www.darpa.mil/>), an agency founded in 1958 to manage the development of emerging technologies for use by the Department of
    Defense. The agency developed and furthered much of the conceptual basis for ARPANET, the prototypical communications network that became today's
    Internet.

    Research focused mainly on Bitcoin, revealing several security weaknesses
    that could be exploited by bad actors to gain greater control of the
    network.

    *Bitcoin nodes* [...] https://www.exodus.com/news/report-exposes-blockchain-vulnerabilities/

    ------------------------------

    Date: Wed, 29 Jun 2022 19:35:49 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: 'Mystery rocket' that crashed into the Moon baffles NASA scientists
    (Chron)

    *So far, no space exploring nations have claimed responsibility for the rocket.*

    NASA has discovered the crash site of a "mystery rocket body" that collided with the Moon's surface earlier this year. The impact left behind a
    widespread "double crater," meaning it wasn't the average rocket.

    However, since its crash landing, none of Earth's space-exploring nations
    have claimed responsibility for the mysterious projectile, leaving NASA scientists baffled as to who was behind its launch. New images shared on
    June 24 by NASA's Lunar Reconnaissance Orbiter show the unusual impact site.

    After a rocket body impacted the Moon last year, NASA's Lunar Reconnaissance Orbiter was able to snap a surprising view of the impact site. Unexpectedly, the crater is actually two craters and may indicate that the rocket body had large masses at each end: https://t.co/WtMAFrNkUw pic.twitter.com/hcoYPxlm8z

    NASA 360 (@NASA360) 27 Jun 2022

    "Surprisingly the crater is actually two craters, an eastern crater
    (18-meter diameter, about 19.5 yards) superimposed on a western crater (16-meter diameter, about 17.5 yards)," NASA reported <https://www.nasa.gov/feature/goddard/2022/nasas-lunar-reconnaissance-orbiter-spots-rocket-impact-site-on-moon>. "The double crater was
    unexpected...No other rocket body impacts on the Moon created double
    craters." [...] https://www.chron.com/news/houston-texas/article/mystery-rocket-NASA-moon-crash-country-origin-17273903.php

    ------------------------------

    Date: Tue, 21 Jun 2022 15:47:06 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Mega says it can't decrypt your files.
    New POC exploit shows otherwise. (ArsTechnica)

    https://arstechnica.com/information-technology/2022/06/mega-says-it-cant-decrypt-your-files-new-poc-exploit-shows-otherwise/

    ------------------------------

    Date: Fri, 1 Jul 2022 10:01:00 -0400 (DT)
    From: Andrew Appel <appel@cs.princeton.edu>
    Subject: The Assessments of the Swiss Post E-Voting System

    We have just published a 5-part series on Freedom-to-Tinker about the expert assessments Switzerland commissioned of its E-voting system. https://freedom-to-tinker.com/2022/06/27/how-to-assess-an-e-voting-system/

    Andrew Appel, How to Assess an E-voting System

    After small-scale pilots of an Internet voting system for citizens living abroad, Switzerland commissioned expert studies of all aspects of its
    e-voting system: cryptographic protocol security and privacy, systems
    security, infrastructure and operation, network infrastructure security.
    These are the most thorough and expert studies ever commissioned of a
    deployed Internet voting system. Based on these studies, the Swiss
    government put a pause on further use of the system.

    [ https://freedom-to-tinker.com/2022/06/28/how-not-to-assess-an-e-voting-system/ | How NOT to Assess an E-voting System ], by Vanessa Teague
    The Australian state of New South Wales used an Internet voting system very similar to the Swiss one. Not only did they whitewash findings by outside experts that the system was insecure, but on election day the system simply didn't work: the Electoral Commission estimated that 20,000 people registered to use iVote
    but did not receive a voting credential in time to vote; as a consequence,
    the Supreme Court of NSW voided the results in three local elections. The
    NSW government has been careless about driver's license security, health
    data privacy, and covid-tracing records, too: there's a pattern.

    [ https://freedom-to-tinker.com/2022/06/29/how-the-swiss-post-e-voting-system-addresses-client-side-vulnerabilities/ | How the Swiss Post E-voting system addresses client-side vulnerabilities ] , by Appel
    The two biggest vulnerabilities in any Internet voting system are:
    server-side (from insiders or attackers who penetrate the server), and client-side (from attackers who manage to install a fake voting-app on
    voters' computers or phones). We explain how the Swiss system protects
    against client-side attacks, based on a sheet of paper mailed to the voter containing special codes for the voter to enter and check.

    [ https://freedom-to-tinker.com/2022/06/30/what-the-assessments-say-about-the-swiss-e-voting-system/ | What the Assessments Say About the Swiss E-voting System ] , by Appel
    The assessments were commissioned in 2021-22 after independent experts (not commissioned by the government) had found serious security flaws in the cryptographic protocol. The vendor of the system, the Swiss Post, cooperated
    by documenting the protocol and the computer code in great detail. The assessors found that "the clarity of the protocol and documentation is much improved [which] has exposed many issues that were already present but not visible in the earlier versions of the system; this is progress. ... [but] Several issues that we found require structural changes..."

    The glass-half-empty cryptographic protocol experts concluded ``We encourage the stakeholders in Swiss e-voting to allow adequate time for the system to be thoroughly reviewed before restarting the use of e-voting,'' while the glass-half-full system-security expert concluded ``as imperfect as the
    current system might be when judged against a nonexistent ideal, the current system generally appears to achieve its stated goals, under the
    corresponding assumptions and the specific threat model around which it was designed.''

    [ https://freedom-to-tinker.com/2022/07/01/switzerlands-e-voting-the-threat-model | Switzerland's E-voting: The Threat Model ], by Appel

    As the system-security expert pointed out, there is a danger in limiting a security assessment to a specific threat model. That expert pointed out that the printing company, that sends paper credentials to voters before each election, can corrupt the election if hacked or dishonest, but was excluded from the threat model that he was asked to consider. Here we identify a new threat model: it's a real security risk, if voters use smartphone cameras to speed the process of entering code numbers from the paper credential
    document.

    ------------------------------

    Date: Thu, 30 Jun 2022 13:01:21 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: 2022 Zero-day in-the-wild exploitation (Maddie Stone)

    Maddie Stone, Google Project Zero

    For the last three years, we've published annual year-in-review reports of 0-days found exploited in the wild. The most recent of these reports is the 2021 Year in Review report <https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html>,
    which we published just a few months ago in April. While we plan to stick
    with that annual cadence, we're publishing a little bonus report today
    looking at the in-the-wild 0-days detected and disclosed in the first half
    of 2022.

    As of 15 Jun 2022, there have been 18 0-days detected and disclosed as exploited in-the-wild in 2022. When we analyzed those 0-days, we found that
    at least nine of the 0-days are variants of previously patched
    vulnerabilities. At least half of the 0-days we've seen in the first six
    months of 2022 could have been prevented with more comprehensive patching
    and regression tests. On top of that, four of the 2022 0-days are variants
    of 2021 in-the-wild 0-days. Just 12 months from the original in-the-wild
    0-day being patched, attackers came back with a variant of the original bug.

    So, what does this mean?

    When people think of 0-day exploits, they often think that these exploits
    are so technologically advanced that there's no hope to catch and prevent
    them. The data paints a different picture. At least half of the 0-days we've seen so far this year are closely related to bugs we've seen before. Our conclusion and findings in the 2020 year-in-review report were very similar. <https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>

    Many of the 2022 in-the-wild 0-days are due to the previous vulnerability
    not being fully patched. In the case of the Windows win32k and the Chromium property access interceptor bugs, the execution flow that the
    proof-of-concept exploits took were patched, but the root cause issue was
    not addressed: attackers were able to come back and trigger the original vulnerability through a different path. And in the case of the WebKit and Windows PetitPotam issues, the original vulnerability had previously been patched, but at some point regressed so that attackers could exploit the
    same vulnerability again. In the iOS IOMobileFrameBuffer bug, a buffer
    overflow was addressed by checking that a size was less than a certain
    number, but it didn't check a minimum bound on that size. For more detailed explanations of three of the 0-days and how they relate to their variants, please see the slides from the talk. [...]

    <https://github.com/maddiestone/ConPresentations/blob/master/FIRST2022.2022_0days_so_far.pdf>
    https://googleprojectzero.blogspot.com/2022/06/2022-0-day-in-wild-exploitationso-far.html
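    The IOMobileFrameBuffer pattern described above (a size checked against an upper bound only, with no minimum bound) is easy to see in a few lines of C. The block below is an added example for this digest; it is not code from the Project Zero post or from any Apple component. The frame buffer, its size, and the function names are assumptions for illustration. It places the incomplete check beside the complete one and shows what a negative length turns into once it reaches a `size_t` parameter.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed for illustration: a fixed-size frame buffer in a driver-like
 * component. Names and sizes here are hypothetical, not Apple's. */
#define FRAME_MAX 256
static uint8_t frame_buf[FRAME_MAX];

/* The incomplete check described in the post: the size is compared only
 * against an upper bound. With a signed length, any negative value passes. */
static int accept_len_upper_only(int32_t len)
{
    if (len > FRAME_MAX)
        return 0;           /* rejected */
    return 1;               /* accepted, including len < 0 */
}

/* The complete check: reject both ends of the valid range. */
static int accept_len_both_bounds(int32_t len)
{
    if (len < 0 || len > FRAME_MAX)
        return 0;
    return 1;
}

/* Why the missing lower bound matters: once a negative length reaches a
 * size_t parameter (memcpy, copy-in/copy-out routines), the conversion
 * yields a huge unsigned value, so the copy would run far past the buffer. */
static size_t bytes_memcpy_would_copy(int32_t len)
{
    return (size_t)len;
}

/* Copy guarded by the complete check. Returns bytes copied, or -1 when the
 * length is rejected. */
static int copy_frame(uint8_t *dst, const uint8_t *src, int32_t len)
{
    if (!accept_len_both_bounds(len))
        return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

/* Exercise copy_frame against a constructed FRAME_MAX-byte source, so every
 * length the check accepts fits inside both buffers. */
static int demo_copy(int32_t len)
{
    static uint8_t src[FRAME_MAX];
    for (int i = 0; i < FRAME_MAX; i++)
        src[i] = (uint8_t)i;        /* constructed sample data */
    return copy_frame(frame_buf, src, len);
}

int main(void)
{
    const int32_t probes[] = { 16, 300, -1 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int32_t len = probes[i];
        printf("len=%4d  upper-only:%-6s  both-bounds:%-6s  as size_t:%zu\n",
               len,
               accept_len_upper_only(len) ? "accept" : "reject",
               accept_len_both_bounds(len) ? "accept" : "reject",
               bytes_memcpy_would_copy(len));
    }
    printf("copy_frame(16) -> %d, copy_frame(-1) -> %d\n",
           demo_copy(16), demo_copy(-1));
    return 0;
}
```

    The point for reviewers and regression tests is the middle function: a bounds check on a signed size needs both comparisons, and a test suite for the original fix should include a negative length alongside the oversized one, which is exactly the kind of variant coverage the post calls for.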

    ------------------------------

    Date: Sun, 26 Jun 2022 00:59:32 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Ocean Freight Shipping Costs Are Driving Goods Prices Higher
    (ProPublica)

    The Hidden Fees Making Your Bananas, and Everything Else, Cost More

    The story you're about to read is bananas, and it's also about bananas.

    Last fall, a company called One Banana loaded 600,000 pounds of the fruit
    from its plantations in Guatemala and Ecuador onto ships bound for the Port
    of Long Beach in California. Once they arrived, the bananas, packed in refrigerated containers, were offloaded by cranes for trucking to a nearby warehouse, where the fruit would be sent to supermarkets nationwide.

    But in the midst of a global supply chain crisis, none of the trucking companies the importer normally worked with were willing to come and get the containers.

    As the bananas sat at the marine terminal, a logistics specialist for One Banana scrambled, contacting more than a dozen trucking firms.

    With each passing hour, the bananas grew closer to spoiling.

    https://www.propublica.org/article/ocean-freight-shipping-costs-inflation

    ------------------------------

    Date: Thu, 30 Jun 2022 15:14:44 -0400
    From: Gabe Goldberg
    Subject: ZuoRAT Trojan (WiReD)

    Researchers say the remote-access Trojan ZuoRAT is likely the work of a nation-state and has infected at least 80 different targets.

    The discovery of this ongoing campaign is the most important one affecting
    SOHO routers since VPNFilter, the router malware created and deployed by the Russian government that was discovered in 2018. Routers are often
    overlooked, particularly in the work-from-home era. While organizations
    often have strict requirements for what devices are allowed to connect, few mandate patching or other safeguards for the devices' routers.

    Like most router malware, ZuoRAT can't survive a reboot. Simply restarting
    an infected device will remove the initial ZuoRAT exploit, consisting of
    files stored in a temporary directory. To fully recover, however, infected devices should be factory reset. Unfortunately, in the event connected
    devices have been infected with the other malware, they can't be disinfected
    so easily.

    https://www.wired.com/story/zuorat-trojan-malware-hacking-routers

    ------------------------------

    Date: Wed, 29 Jun 2022 08:32:05 -0400
    From: Bob Gezelter <gezelter@rlgsc.com>
    Subject: Sophisticated attacks against range of SOHO routers (ArsTechnica)

    ArsTechnica has reported that there is a sophisticated attack campaign
    against SOHO routers, which in turn infects and compromises attached
    devices. In "A wide range of routers are under attack by new, unusually sophisticated malware", the high-level details of the attack are described, including the somewhat unavoidable conclusion that Work from Home (WFH)
    makes systems used for remote work a potential target.

    The ArsTechnica article is at:

    https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/

    ------------------------------

    Date: Tue, 21 Jun 2022 09:57:04 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Microsoft Plans to Eliminate Face Analysis Tools in Push for `Responsible AI' (NYTimes)

    https://www.nytimes.com/2022/06/21/technology/microsoft-facial-recognition.html

    ------------------------------

    Date: Sat, 25 Jun 2022 23:49:59 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: The Race to Hide Your Voice (WiReD)

    Voice recognition and data collection have boomed in recent years.
    Researchers are figuring out how to protect your privacy.

    https://www.wired.com/story/voice-recognition-privacy-speech-changer/

    ------------------------------

    Date: Thu, 23 Jun 2022 07:36:35 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Amazon demonstrates Alexa mimicking the voice of a deceased
    relative (CNBC)

    Amazon is devising a way for users to speak to their family members through
    its Alexa voice assistant, even after they've died.

    At Amazon's Re:Mars conference in Las Vegas on Wednesday, Rohit Prasad,

    [continued in next message]

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)