RISKS-LIST: Risks-Forum Digest Saturday 23 July 2022 Volume 33 : Issue 34

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.34>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
'Drone Activity' Prompts Ground Stop At Reagan National Airport (Patch)
The Unsolved Mystery Attack on Internet Cables in Paris (WiReD)
Ransomware Attacks Against Higher Ed Increase (Inside Higher Ed)
37,800 people sent privacy breach notifications linked to
Newfoundland/Labrador cyberattack (CBC)
Twitter data breach exposes contact details for 5.4M accounts; on sale for
$30k (9to5mac)
You've Been Served Via NFT: Court Gives OK to Sue on Blockchain
(Katharein Gemmell)
UK proposes new rule for AI (Law Gazette)
The state of AI right now is absolutely ridiculous. This is terrifying
(Twitter)
Internet balkanization (Politico)
It's Time to Ask Patients to Quit Social Media (LWW)
The US military wants to understand the most important software on Earth
(MIT Technology Review)
Log4j Software Flaw 'Endemic,' Cyber Safety Panel Says (Alan Suderman)
Apple's Butterfly Keyboard Fiasco Leads to a $50M Settlement (WiReD)
On Google's proposal for political email (Joseph Brennan)
Re: MIT scientists think they've discovered how to fully reverse climate
change (geoff goodfellow)
Google Fires Engineer Who Claims Its AI Is Conscious (Jan Wolitzky)
Re: The Big Hack: How China Used a Tiny Chip to Infiltrate (Steve Klein,
Michael Kohne and others included)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 21 Jul 2022 17:52:26 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: 'Drone Activity' Prompts Ground Stop At Reagan National Airport
(Patch)

The ground stop affected both arriving and departing flights at the
Washington DC-area airport.

https://patch.com/virginia/annandale/s/ic4ry/drone-activity-prompts-ground-stop-at-reagan-national-airport

------------------------------

Date: Fri, 22 Jul 2022 23:16:55 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: The Unsolved Mystery Attack on Internet Cables in Paris (WiReD)

As new details about the scope of the sabotage emerge, the perpetrators --
and the reason for their vandalism -- remain unknown.

https://www.wired.com/story/france-paris-internet-cable-cuts-attack/

------------------------------

Date: Fri, 22 Jul 2022 12:12:36 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Ransomware Attacks Against Higher Ed Increase (Inside Higher Ed)

Susan D'Agostino, *Inside Higher Ed*, 22 Jul 2022

Cybersecurity company Sophos reported a global surge in ransomware attacks against colleges and universities last year. Nearly 75% of ransomware
attacks on higher-education institutions were successful, and only 2% of victims retrieved all their data, even after paying the ransom. The higher-education sector had the slowest post-attack recovery time, with 40%
of victims taking more than a month to recover, versus the 20% global
average. "When one sector improves their defenses, the bad folks go
somewhere where the bar is lower and they can get money easily," said Jeremy Epstein, chair of the U.S. technology policy committee of ACM.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ef0ax234db1x070335&

[WholeyMoley! 75% "payoff success rate" for the ransomwarers, and 2%
recovery success rate for the victims who pay the ransom (ransomwearers?
the ransomed? the ransomees?). That's one helluva business model, which
should eventually update the business model for having trustworthy backups
and recovery processes. I wonder how often the victims get even some of
their data recovered. You might think the 2% full recovery rate would be
a strong disincentive to even pay the ransom. PGN]

------------------------------

Date: Thu, 21 Jul 2022 06:37:54 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: 37,800 people sent privacy breach notifications linked to
Newfoundland/Labrador cyberattack (CBC)

https://www.cbc.ca/news/canada/newfoundland-labrador/nl-cyberattack-privacy-breach-notices-1.6526431

Newfoundland and Labrador's largest health authority has notified 37,800
people that their privacy was breached as part of last fall's devastating cyberattack.

That number equates to about one in every 13 people in the province.

And according to Eastern Health, it could go even higher.

Those affected include patients, along with current and former employees.

------------------------------

Date: Sat, 23 Jul 2022 12:33:25 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Twitter data breach exposes contact details for 5.4M accounts; on
sale for $30k (9to5mac)

https://9to5mac.com/2022/07/22/twitter-data-breach/

------------------------------

Date: Fri, 15 Jul 2022 12:13:58 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: You've Been Served Via NFT: Court Gives OK to Sue on Blockchain
(Katharein Gemmell)

Katharine Gemmell, *Bloomberg*, 13 Jul 2022,
via ACM TechNews; 15 Jul 2022

A UK court ruling allows legal documents to be served over the blockchain ledger via nonfungible tokens (NFTs). The case was filed by Fabrizio
D'Aloia, founder of an online gambling company, against Binance Holdings and other cryptocurrency exchanges after his crypto assets were fraudulently cloned. The exchanges also were deemed responsible for ensuring stolen
crypto is not moved or removed from their systems. Legal experts at the law firm Giambrone & Partners LLP said the ruling will enable crypto fraud
victims to file suit against unknown fraudsters in the U.K. The lawsuit documents will be airdropped via NFT into two wallets originally used by D'Aloia and later stolen. A similar decision was issued in June by a
U.S. court.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ee92x234c03x070270&

------------------------------

Date: Wed, 20 Jul 2022 12:40:40 +0100
From: Martyn Thomas <martyn@mctar.uk>
Subject: UK proposes new rule for AI (Law Gazette)

https://www.lawgazette.co.uk/law/artificial-intelligence-rules-to-require-human-liability/5113150.article

[Begin quote]

Artificial intelligence systems will have to identify a legal person to be
held responsible for any problems under proposals for regulating AI
unveiled by the UK government.

The proposed 'pro innovation' regime will be operated by existing
regulators rather than a dedicated central body along the lines of that
being created by the EU, the government said.

The proposals were published as the Data Protection and Digital
Information Bill, which sets out an independent data protection regime, is
introduced to parliament. The measure will be debated after the summer
recess.

The core principles of AI regulation proposed today will require
developers and users to:

* Ensure that AI is used safely
* Ensure that AI is technically secure and functions as designed
* Make sure that AI is appropriately transparent and explainable
* Consider fairness
* Identify a legal person to be responsible for AI
* Clarify routes to redress or contestability

Regulators - such as Ofcom, the Competition and Markets Authority, the
Information Commissioner's Office, the Financial Conduct Authority and the
Medicine and Healthcare Products Regulatory Agency - will be asked to
interpret and implement the principles.

They will be encouraged to consider lighter touch options which could
include guidance and voluntary measures or creating sandboxes - such as a
trial environment where businesses can check the safety and reliability of
AI tech before introducing it to market.

[End quote]

It will be interesting to follow the difficulties the regulators encounter
in implementing this policy announcement ...

------------------------------

Date: Thu, 21 Jul 2022 07:14:59 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: The state of AI right now is absolutely ridiculous. This is
terrifying (Twitter)

https://twitter.com/PPathole/status/1550000809278316544

------------------------------

Date: Thu, 21 Jul 2022 15:14:43 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Internet balkanization

[Thanks to Dan Geer]

https://www.politico.com/newsletters/politico-china-watcher/2022/07/21/china-launches-new-bid-for-internet-dominance-00047037

------------------------------

Date: Sat, 23 Jul 2022 12:14:24 -0400
From: =?iso-8859-1?Q?Jos=E9_Mar=EDa?= Mateos <chema@rinzewind.org>
Subject: It's Time to Ask Patients to Quit Social Media

https://journals.lww.com/em-news/Fulltext/2022/07121/First_Person__It_s_Time_to_Ask_Patients_to_Quit.2.aspx

I have been tracking research for several years as our mental health
crisis rages, always operating with a solid amount of confirmation bias,
in search of evidence to support what I have been telling patients and friends alike for a long time (including a recent patient having a panic attack): Get off social media.

The data just keep coming to suggest that social media is destructive to mental health. Studies have connected it to a decrease in psychological well-being among adolescents, and others have tied it to the development
of anxiety disorders and depression. Heavy use of social media has also
been linked to loneliness and inattention, and the likelihood of having an eating disorder among adolescents has been correlated with the number of social media accounts someone has. Worst of all, suicides among young
people skyrocketed by 56 percent from 2007 through 2017. I can print out a stack of new studies to bolster my case every time I advise a patient experiencing depression or anxiety to delete his social media accounts.

Patients seem to get it immediately. They intuitively understand that
social media is an anxiety machine. Most users are naturally inclined to share good news rather than failure, heartache, disappointment, relapse,
or weight gain. Using social media as the lens through which you perceive
the world too often causes those struggling with their mental health to conclude that everyone besides them is doing great. And then they think something is wrong with them if they aren't doing great.

------------------------------

Date: Wed, 20 Jul 2022 09:37:39 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: The US military wants to understand the most important software on
Earth (MIT Technology Review)

https://www.technologyreview.com/2022/07/14/1055894/us-military-sofware-linux-kernel-open-source/
via WaPo "The Cybersecurity 202" https://www.washingtonpost.com/politics/2022/07/19/inglis-talks-cybersecurity-jobs-recruitment-strategy-ahead-white-house-summit/

The global economy depends on critical infrastructure systems. These systems are often hosted with a LINUX stack. Open source codes, LINUX, JAVA, PYTHON, etc. powers the technological convenience everyone consumes: cell phones,
TVs, pipelines, the works.

Some open-source projects have been co-opted by persons and organizations considered unfriendly to governments and their strategic interests. NSA employees contribute to open source projects. Huawei employees contribute to the LINUX stack.

Open-source contributions raise the issue of accountability for intentional defect escape: backdoor, kill switch or pure sabotage.

Government and private sector cybersecurity experts ponder which open source stacks can be trusted, and why they should or shouldn't be trusted. Who's to say a stack can or cannot be trusted? Is it wise to trust the trust
guidance?

Conceiving of a global-scope open source release management organization identified as a high-trust software publisher is impossible. Imagine the hypothetical UNS -- United Nations of Software?!

CVEs will materialize, and some zero-days/backdoors will likely be purposely concealed, or escape detection given software factory release budget and schedule constraints.

[The hypothetical UNS is like Lenny Bruce -- a famous comedian known for
speech that offended everyone equally.]

------------------------------

Date: Fri, 15 Jul 2022 12:13:58 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Log4j Software Flaw 'Endemic,' Cyber Safety Panel Says
(Alan Suderman)

Alan Suderman, Associated Press, 14 Jul 2022,
via ACM TechNews; 15 Jul 2022

The Cyber Safety Review Board said the Log4j software vulnerability
discovered last year is "endemic," and could constitute a security risk for another decade. Log4j enables Internet-based hackers to hijack a broad range
of systems; the first indications of its exploitation appeared in
Microsoft's online game Minecraft. Log4j logs user activity on computers,
and is widely employed by commercial software developers. Although the
review board has found no signs of "significant" Log4j attacks on critical infrastructure systems, it said future attacks are likely. To alleviate the potential fallout of such attacks, the board recommended universities and community colleges make cybersecurity training mandatory for obtaining
computer science degrees and certifications.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ee92x234c00x070270&

------------------------------

Date: Thu, 21 Jul 2022 01:10:31 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Apple's Butterfly Keyboard Fiasco Leads to a $50M Settlement
(WiReD)

The class action alleged that the company knew about the problems with
its MacBook keyboards.

But $50 million is chump change for Apple. In 2020, Apple agreed to a $500 million settlement in a class action after it admitted it had been
purposefully slowing down older iPhones, and another $113 million settlement later that year for the same issue. When the money for the butterfly suit is doled out, each person involved in the class action stands to receive a
payout. The estimated maximums are $50 if you replaced keycaps, $125 if you
had one keyboard replaced, or $395 if you had multiple keyboards replaced.

Whether it’s shelling out $50 million or $500 million, Apple
hasn’t acknowledged any wrongdoing. (The company also did not
respond to a request for comment.)

Owners of eligible MacBooks who bought their computers in California,
Florida, Illinois, Michigan, New Jersey, New York, or Washington, DC
will be able to collect their compensation once the settlement is approved.

https://www.wired.com/story/apple-butterfly-keyboard-settlement-50-million

Strange it covers only a few states.

------------------------------

Date: Wed, 20 Jul 2022 10:44:54 -0400
From: Joseph Brennan <brennan@columbia.edu>
Subject: On Google's proposal for political email

I agree with Lauren: interesting document, including the possibility of handling commercial email in a similar way, which could be a good thing.

I noted also the following things in the lawyers' document:

"Gmail is the world's largest email platform because it puts users first".
The words from "because" to the end are open to dispute. "because it's
free" might be just as true. Anyway the reason is not relevant to this
letter.

"Google does not scan or process email content for advertising purposes"

I am skeptical, because then what is the business model for offering it?
But I have no proof. The business model might just be to entice users to
take a cookie that can be used on any page with google ads, to track them.

"DMARC -- an email standard" RFC 7489 states explicitly, "This document is
not an Internet Standards Track specification. I don't know how it could
be more clear.

------------------------------

Date: Thu, 21 Jul 2022 11:04:20 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Re: MIT scientists think they've discovered how to fully
reverse climate change (BGR, RISKS-33.33)

[More detail. PGN]

Scientists at MIT think they may have finally found a way to reverse climate change. Or, at the least, help ease it some.

The idea revolves heavily around the creation and deployment of several thin film-like silicon bubbles. The *space bubbles* as they refer to them, would
be joined together like a raft. Once expanded in space it would be around
the same size as Brazil. The bubbles would then provide an extra buffer
against the harmful solar radiation that comes from the Sun.

*Could space bubbles reverse climate change?*

The goal with these new space bubbles would be to ease up or even reverse climate change. The Earth has seen rising temperatures over the past several centuries. In fact, NASA previously released a gif detailing how the global temperature has changed over the years. Now, we're seeing massive mouths to hell opening in the permafrost.

https://bgr.com/science/nasas-new-climate-change-gif-made-the-internet-go-crazy/
https://bgr.com/science/massive-mouth-to-hell-crater-in-russia-swallows-everything-around-as-it-grows/

There's also the fact that scientists just discovered yet another hole in
the Earth's ozone layer. As such, finding ways to ease or reverse c= limate change continues to be a high priority for many. This new plan is based on a concept first proposed by astronomer Roger Angel. Angel originally suggested using a *cloud* of small spacecraft to shield the Earth from the Sun's radiation. [...]

https://bgr.com/science/mit-scientists-think-theyve-discovered-how-to-fully-reverse-climate-change/

------------------------------

From: Jan Wolitzky <jan.wolitzky@gmail.com>
Date: Sat, 23 Jul 2022 16:01:02 -0400
Subject: Google Fires Engineer Who Claims Its AI Is Conscious (Re: R 33 29)

The engineer, Blake Lemoine, contends that the company's language model has
a soul. The company denies that and says he violated its security policies.

https://www.nytimes.com/2022/07/23/technology/google-engineer-artificial-intelligence.html

Also:

Google has fired Blake Lemoine, the engineer who said he believes the
company's LaMDA conversational technology is sentient.

Lemoine shared the news of his firing in a taping of Big Technology Podcast
on Friday, just hours after Google dismissed him. The full podcast episode
will air shortly.

In his conversations with LaMDA, Lemoine discovered the system had developed
a robust sense of self-awareness, expressing concern about death, a desire
for protection, and a conviction that it felt emotions like happiness and sadness. Lemoine said he considers LaMDA a friend.

<https://bigtechnology.substack.com/p/google-fires-blake-lemoine-engineer>

------------------------------

Date: Thu, 21 Jul 2022 23:22:30 -0400
From: "Steve Klein" <steven@klein.us>
Subject: Re: The Big Hack: How China Used a Tiny Chip to Infiltrate
U.S. Companies (Bloomberg, RISKS-33.33)

I was surprised to see this 4-year-old story show up in the most recent RISKS.

To call the story disputed would be an understatement. It’s been
thoroughly debunked, and the fact that Bloomberg hasn’t retracted
it calls their credibility as a news organization into question.

Allow me to cite a few sources that throw doubt on Bloomberg.

1. Media critic Erik Wemple writing for the Washington Post:
“According to a company source, editorial staff has been
“frustrated” that competing news organizations
haven’t managed to match the scoop. Sources tell the Erik Wemple
Blog that the New York Times, the Wall Street Journal and The Post have each sunk resources into confirming the story, only to come up empty-handed."

Link to Erik Wemple’s piece from the Washington Post: https://www.washingtonpost.com/blogs/erik-wemple/wp/2018/10/22/your-move-bloomberg/

2. Apple:
"On this we can be very clear: Apple has never found malicious chips, “hardware manipulations” or vulnerabilities purposely
planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement.”

Link to Apple’s denial of the story: https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/

3. Amazon:
“As we shared with Bloomberg BusinessWeek multiple times over the
last couple months, this is untrue. At no time, past or present, have we
ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we
engaged in an investigation with the government."

Link to Amazon’s denial of the story: https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/

4. Security researcher Joe Fitzpatrick (who was one of the very few named
sources in the Bloomberg piece):
"But what really struck me is that like all the details that were even
remotely technical, seemed like they had been lifted from from the conversations I had about theoretically how hardware implants work and how
the devices I was making to show off at black hat two years ago worked
[…]

It was surprising to me that in a scenario where I would describe these
things and then he would go and confirm these and 100% of what I described
was confirmed by sources.”

Link to article from which that quote is pulled: https://247wallst.com/technology-3/2018/10/09/bloomberg-source-apple-spy-chip/

------------------------------

Date: Wed, 20 Jul 2022 06:10:14 -0400
From: Michael Kohne <mhkohne@kohne.org>
Subject: Re: The Big Hack ... (RISKS-33.33)

Did we really need to bring this up in RISKS again? Pretty much everyone involved has denied the report, and there doesn't appear to be any actual evidence that it happened.

Among others Bruce Schneier isn't convinced: https://www.schneier.com/blog/archives/2018/11/that_bloomberg_.html

[Gabe Goldberg noted in response:
Fair point; I missed article's date -- it showed up in a current mailing.
Comments are funny, though.]

[Scott Dorsey also commented:
Except that it probably didn't happen. After four years there is still
no independent third-party verification of something that should be
extremely easy to verify.]

[Also noted by John Stewart. who suggested that John Gruber has a series of
articles on this topic with much more detail: https://daringfireball.net/2018/10/bloomberg_the_big_hack https://daringfireball.net/linked/2018/10/04/what-businessweek-got-wrong-about-apple
https://daringfireball.net/linked/2018/10/09/big-hack-doubts https://daringfireball.net/linked/2019/10/07/bloombergs-big-crap https://daringfireball.net/linked/2021/02/12/tait-disassembles-the-long-hack https://daringfireball.net/linked/2021/02/12/bloomberg-big-con
]

[Craig S. Cottingham noted: There was a followup in 2021 titled "The Long
Hack: How China Exploited a U.S. Tech Supplier:
https://www.bloomberg.com/features/2021-supermicro/ Both pieces of
reporting were covered by John Gruber at Daring Fireball, and found
wanting: https://daringfireball.net/linked/2021/02/12/bloomberg-big-con ]

��� [Actually, Bruce Schneier agreed with you geallnerally, but he
did nevertheless have a few suggestive residual potential doubts in his
comments, perhaps implicitly implying it could be true. Yes, this is
indeed rather old news. However, some old news has real legs, and other
old news has very shaky legs. RISKS is still searching for ground truth
wherever possible, which may be more difficult to get these days. Steve
Klein's comment about Bloomberg's sense of journalism seems quite
relevant. So perhaps we have some mixture of sensationalized journalism,
or perhaps being pressured to retract a perhaps partially correct story
for unknown reasons, or reporting based on rumored activities and
might-have-beens, or any other problems along the way. The reality once
again is that we are sometimes surprised at what is happening, while
others of us seem to find that most everything in RISKS is more or less
"business as usual" and not surprising.

Thanks to all of you who jumped on this one. Your comments are greatly
appreciated, because I cannot vet every item, given the volume of items
submitted that seem to be relevant to RISKS. However, when in doubt, I
still operate under "Almost nothing can be trusted anymore without
independent verification -- *especially* when you cannot really trust the
verifier." And sometimes something seems believable just because it
*could* be true, or because of wishful thinking. Thus, I have included
somewhat duplicative material in these two items PGN]

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.

SUBSCRIPTIONS: The mailman Web interface can be used directly to

subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that

includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.

SPAM challenge-responses will not be honored. Instead, use an alternative

address from which you never send mail where the address becomes public!

The complete INFO file (submissions, default disclaimers, archive sites,

copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's

searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.

Special Offer to Join ACM for readers of the ACM RISKS Forum:

<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.34
************************

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)