RISKS-LIST: Risks-Forum Digest Tuesday 23 August 2022 Volume 33 : Issue 41
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <
http://www.risks.org> as
<
http://catless.ncl.ac.uk/Risks/33.41>
The current issue can also be found at
<
http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Peiter "Mudge" Zatko's journey from hacker to Twitter whistleblower
(WashPost with PGN comments)
FBI Warns of Zeppelin Ransomware Attacks Targeting Bay Area Companies
(SFStandard)
How Secret Tesla Crash Data Might Make the Roads Safer (Cade Metz)
Google Search Is Quietly Damaging Democracy (WiReD)
How Google Cloud blocked the largest Layer 7 DDoS attack at 46 million rps
(Google)
'Anti-Reflective' Coating Allows Wi-Fi Through Walls (Tech Radar)
HBO Max Crashes for Thousands in the Minutes After *House of the Dragon*
Premieres (WSJ)
A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as
a Criminal. (The New York Times)
Working from home has fueled a rise in porn addicts (Daily Mail)
AI Model Can Detect Parkinson's From Breathing Patterns (Slashdot)
Re: AI Model Can Detect Parkinson's From Breathing Patterns (Slashdot)
Startup uses AI to transform call center workers' accents into "white voice"
(BoingBoing)
Hackers Used Deepfake of Binance CCO to Perform Exchange Listing Scams
(Bitcoin.com)
Unix legend, who owes us nothing, keeps fixing foundational AWK code
(Ars Technica)
Software dev cracks Hyundai encryption with Google Search (The Register)
Re: Software dev cracks Hynudai encryption with Google Search (Steve Bacher) MS-DEFCON 3: Issues with bootloader patches @AskWoody (Susan Bradley)
How 40,000 people used a Lockport woman's SSN: 078-05-1120. (Gabe Goldberg)
Re: How 40,000 people used a Lockport woman's SSN (Li Gong)
Re: Voters in the UK Cast Ballots Online, in Test for Internet Voting,
(Alan Ralph)
Re: An Explosive New Report ... Alzheimer's (Peter Bernard Ladkin)
Re: A Janet Jackson Song Could Crash Windows XP Laptops (Martin Ward)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Tue, 23 Aug 2022 11:30:14 PDT
From: Peter Neumann <
neumann@csl.sri.com>
Subject: Peiter "Mudge" Zatko's journey from hacker to Twitter whistleblower
https://www.washingtonpost.com/technology/2022/08/23/peiter-mudge-zatko-twitter-whistleblower/
Full text of (redacted) whistleblower disclosure re Twitter (84 pages)
https://s3.documentcloud.org/documents/22186683/twitter-whistleblower-disclosure.pdf [From Lauren Weinstein]
[This item deserves some discussion here. Mudge and his L0pht folks
testified for the U.S. Senate Government Affairs Committee (as did
I just before them) on 19 May 1998 in a hearing about how everything
relating to computer and network security was badly broken.
There is a youtube of the L0pht testimony and subsequent discussion,
running 59 minutes:
https://www.youtube.com/watch?v=VVJldn_MmMY
The L0pht were remarkably insightful pro-bono whistleblowers even then.
The Russian state-sponsored hacker groups are now doing exactly what
was being discussed 24 years ago in the oral testimony at about 28
minutes into the hour. Senator Fred Thompson asked whether they could
actually make the Internet unusable in less than 30 minutes, and
the answer was that one of them could indeed do that with just a few
inserted packets. Another Senator (Lieberman?) returns to that around
49 minutes in. The L0pht written testimony is also on line:
https://nsarchive.gwu.edu/briefing-book/cyber-vault/2019-01-09/cybersecuritcy-when-hackers-went-hill-revisiting-l0pht-hearings-1998
Space-Rogue noted to me that a transcript of the original testimony is here:
https://www.spacerogue.net/wordpress/?p=602
However, much of what is fascinating here are the Senators' responses. All
of this is worth reviewing today, primarily illustrating how little
fundamental work has been done since then. It was very refreshing for me
to revisit this archival material. The good news might be that the L0pht
video has had almost a half-million views, and it is nice to know that our
RISKS readers seem to be much more aware than nonreaders. Incidentally,
my written testimony is on my website and in the searchable Congressional
Record, but I had looked for a video of my oral testimony, and i did not
find one. I am delighted I could find the L0pht's one so easily. PGN]
------------------------------
Date: Tue, 23 Aug 2022 11:55:55 -0700
From: Li Gong <
ligongsf@gmail.com>
Subject: FBI Warns of Zeppelin Ransomware Attacks Targeting Bay Area Companies
(SFStandard)
The evolution of ransomware business models: ransomware-as-a-service
https://sfstandard.com/business/fbi-warns-of-zeppelin-ransomware-attacks-targeting-bay-area-companies/
Two new trends raised alarm bells with law enforcement and cybersecurity professionals. One is a new focus on attacks on health care facilities and organizations already burdened by the pandemic. The other is an evolution in the business models around ransomware, with the Zeppelin software creating
an ecosystem of cybercrime-- whereby actors research at-risk organizations, conduct attacks, negotiate ransoms and launder payments -- that Chan dubbed *ransomware-as-a-service*.
------------------------------
Date: Mon, 22 Aug 2022 16:36:58 PDT
From: Peter Neumann <
neumann@csl.sri.com>
Subject: How Secret Tesla Crash Data Might Make the Roads Safer (Cade Metz)
Data and video recorded by Tesla and other automakers to hone
driver-assistance systems can also be an investigative tool for
regulators and lawyers.
[On the other hand, the article discusses someone ``whose startup is
trying to monetize performance data.'' We seem to be entering an era
where *almost everything* can be monetized. PGN]
------------------------------
Date: Mon, 22 Aug 2022 01:31:20 -0400
From: Gabe Goldberg <
gabe@gabegold.com>
Subject: Google Search Is Quietly Damaging Democracy (WiReD)
A series of incremental changes over the years has transformed the tool from
an explorative search function to one that is ripe for deception.
https://www.wired.com/story/google-search-quietly-damaging-democracy
------------------------------
Date: Sun, 21 Aug 2022 09:57:03 -0700
From: Lauren Weinstein <
lauren@vortex.com>
Subject: How Google Cloud blocked the largest Layer 7 DDoS attack at 46
million rps
https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps
------------------------------
Date: Mon, 22 Aug 2022 13:03:12 -0400 (EDT)
From: ACM TechNews <
technews-editor@acm.org>
Subject: 'Anti-Reflective' Coating Allows Wi-Fi Through Walls
Steve McCaskill, *TechRadar*, 18 Aug 2022,
via From: ACM TechNews
Scientists at Austria's Vienna University of Technology (TU Wien) and
France's University of Rennes have enabled Wi-Fi signals to pass through
walls more effectively. The method calculates an anti-reflective invisible structure to a wall, which TU Wien's Stefan Rotter likened to "the anti-reflective coating on your pair of glasses." The researchers
transmitted microwaves through a labyrinth of obstacles, then calculated a matching anti-reflective structure that almost completely removed the
signals' reflection. "We were able to show that this information can be used
to calculate a corresponding compensating structure for any medium that scatters waves in a complex way, so that the combination of both media
allows waves to pass through completely," explained TU Wien's Michael Horodynski.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f12cx2356a9x069966&
------------------------------
Date: Mon, 22 Aug 2022 08:42:59 -0700
From: geoff goodfellow <
geoff@iconia.com>
Subject: HBO Max Crashes for Thousands in the Minutes After *House of the
Dragon* Premieres (WSJ)
*The wait for the *Game of Thrones* prequel lasted a little longer for some;
HBO Max says the show had millions of viewers*
Some users said they were close to a breakdown!
https://www.wsj.com/articles/hbo-max-crashes-house-of-the-dragon-game-of-thrones-prequel-11661172989
[Unnecessarily long item truncated for RISKS. PGN]
------------------------------
Date: Sun, 21 Aug 2022 14:05:12 -0400
From: Gabe Goldberg <
gabe@gabegold.com>
Subject: A Dad Took Photos of His Naked Toddler for the Doctor.
Google Flagged Him as a Criminal. (The New York Times)
Google has an automated tool to detect abusive images of children. But the system can get it wrong, and the consequences are serious.
A Google spokeswoman said the company stands by its decisions, even though
law enforcement cleared the two men.
https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html
[Long explicit version for those who wish to dig into this story:
https://dnyuz.com/2022/08/21/a-dad-took-photos-of-his-naked-toddler-for-the-doctor-google-flagged-him-as-a-criminal/
PGN]
------------------------------
Date: Mon, 22 Aug 2022 09:01:45 -0700
From: geoff goodfellow <
geoff@iconia.com>
Subject: Working from home has fueled a rise in porn addicts (Daily Mail
Clinics reveal record number of Brits are seeking help after flexible
working put ``temptation at [their] fingertips.' [...]
https://www.dailymail.co.uk/health/article-11127351/EXCL-WFH-fuelled-rise-extreme-porn-addiction.html
------------------------------
Date: Tue, 23 Aug 2022 13:39:57 -0400
From: Tom Van Vleck <
thvv@multicians.org>
Subject: AI Model Can Detect Parkinson's From Breathing Patterns (Slashdot)
https://science.slashdot.org/story/22/08/22/2215255/ai-model-can-detect-parkinsons-from-breathing-patterns
"The team developed a device with the appearance of a home Wi-Fi router,
but instead of providing Internet access, the device emits radio signals,
analyzes their reflections off the surrounding environment, and extracts
the subject's breathing patterns without any bodily contact. The
breathing signal is then fed to the neural network to assess Parkinson's
in a passive manner, and there is zero effort needed from the patient and
caregiver."
Could they adapt this technology to make a stealth contactless lie detector? Put one of these in a waiting room and play various ads, see how people respond. Play patriotic music and see whose anthem folks like best. THVV
------------------------------
From: Ross Anderson <
Ross.Anderson@cl.cam.ac.uk>
Date: Tue, 23 Aug 2022 23:19:31 +0100
Subject: Re: AI Model Can Detect Parkinson's From Breathing Patterns (THVV)
When we did this work:
https://www.lightbluetouchpaper.org/2015/01/04/to-freeze-or-not-to-freeze/
we experimented with radar as well as time-difference-of-arrival cameras and body motion-capture suits. Radar didn' work at all. Motion capture worked best. But the main signals come from fidgeting especially in the upper arms
and hands. A smart watch can give you away!
------------------------------
Date: Tue, 23 Aug 2022 10:10:51 -0700
From: Lauren Weinstein <
lauren@vortex.com>
Subject: Startup uses AI to transform call center workers' accents into
"white voice" (BoingBoing)
https://boingboing.net/2022/08/23/startup-uses-ai-to-transform-call-center-workers-accents-into-white-voice.html
------------------------------
Date: Tue, 23 Aug 2022 11:26:52 -0400
From: =?iso-8859-1?Q?Jos=E9_Mar=EDa?= Mateos <
chema@rinzewind.org>
Subject: Hackers Used Deepfake of Binance CCO to Perform Exchange Listing
Scams (Bitcoin.com)
https://news.bitcoin.com/hackers-used-deepfake-of-binance-cco-to-perform-exchange-listing-scams/
A set of hackers managed to impersonate Binance chief communications officer (CCO) Patrick Hillmann in a series of video calls with several
representatives of cryptocurrency projects. The attackers used what Hillman described as an AI hologram, a deepfake of his image for this objective, and managed to fool some representatives of these projects, making them think Hillmann was helping them get listed on the exchange.
------------------------------
Date: Tue, 23 Aug 2022 12:08:16 -0700
From: Lauren Weinstein <
lauren@vortex.com>
Subject: Unix legend, who owes us nothing, keeps fixing foundational AWK
code -- Thanks Brian!
https://arstechnica.com/gadgets/2022/08/unix-legend-who-owes-us-nothing-keeps-fixing-foundational-awk-code/
------------------------------
Date: Wed, 17 Aug 2022 20:57:01 -0700
From: Li Gong <
ligongsf@gmail.com>
Subject: Software dev cracks Hyundai encryption with Google Search
(The Register)
Fun reading -- using public/private keys copied from a public tutorial to
sign real-world software in Hyundai cars
https://www.theregister.com/2022/08/17/software_developer_cracks_hyundai_encryption/
------------------------------
Date: Sun, 21 Aug 2022 09:09:18 -0700
From: Steve Bacher <
sebmb1@verizon.net>
Subject: Re: Software dev cracks Hynudai encryption with Google Search
What I fear is that the wrong lesson will be learned, and Google will be
urged to suppress search results for general encryption tutorials, rather
than addressing the ill-advised behavior of Hyundai programmers in lazily copying keys from an online example.
------------------------------
Date: Tue, 23 Aug 2022 13:51:11 -0400
From: Gabe Goldberg <
gabe@gabegold.com>
Subject: MS-DEFCON 3: Issues with bootloader patches @AskWoody
(Susan Bradley)
This month's updates are a great example of why my patching advice
differs for consumers and businesses.
For consumer patchers, whether using Windows 10 Home or Professional, I'm
not convinced that you need to install KB5012170, Microsoft's security
update for Secure Boot DBX (the Secure Boot Forbidden Signature Database). Unless, that is, you think you will be targeted by an overseas attacker with
a malicious bootloader installer. If your computer holds the keys to the nuclear codes, then by all means install this update instantly. The fact
that this isn't clear-cut is the reason I can lower the MS-DEFCON only to 3 this time around.
https://www.askwoody.com/newsletter/ms-defcon-3-issues-with-bootloader-patches/
------------------------------
Date: Sat, 20 Aug 2022 22:22:58 -0400
From: Gabe Goldberg <
gabe@gabegold.com>
Subject: How 40,000 people used a Lockport woman's SSN: 078-05-1120.
Proving there's nothing new under the sun:
That's the most used -- or misused -- Social Security number in history, and
it belonged to a woman from Lockport.
The federal government originally issued that number to Hilda Schrader
Whitcher in the 1930s. But over the next four decades more than 40,000
people mistakenly claimed it for themselves.
https://buffalonews.com/news/local/history/how-40-000-people-used-a-lockport-womans-social-security-number/article_9e74f603-25b9-5d06-9efa-eab3697369a3.html
And: Social Security Cards Issued by Woolworth
The most misused SSN of all time was (078-05-1120). In 1938, wallet manufacturer the E. H. Ferree company in Lockport, New York decided to
promote its product by showing how a Social Security card would fit into its wallets. A sample card, used for display purposes, was inserted in each
wallet. Company Vice President and Treasurer Douglas Patterson thought it
would be a clever idea to use the actual SSN of his secretary, Mrs. Hilda Schrader Whitcher.
https://www.ssa.gov/history/ssn/misused.html
------------------------------
Date: Sat, 20 Aug 2022 22:39:28 -0700
From: Li Gong <
ligongsf@gmail.com>
Subject: Re: How 40,000 people used a Lockport woman's SSN
(Goldberg, RISKS-33.41)
"They started using the number," Whitcher told The News. "They thought it
was their own. I can't understand how people can be so stupid. I can't understand that."
One has to sigh -- how true is that today across a whole range of issues/things, political and otherwise, even in the so-called *greatest
country on earth*.
Oh well -- and I guess one has to be careful even to utter that sentence
in fear of being accused of politically incorrect.
------------------------------
From: Alan Ralph <
alan@alanralph.co.uk>
To:
risks@csl.sri.com
Date: Sun, 21 Aug 2022 09:41:16 +0100
Subject: Re: Voters in the UK Cast Ballots Online, in Test for Internet
Voting, (WSJ, RISKS-33.40)
Given that this is the Conservative party we're talking about, I think the biggest security threat is inside the tent. Use the postal strikes (which they've done nothing about because it feeds their anti-union plans) to get
most party members to vote online, then 'fix' the result to the one the
party itself wants.
Yes, I'm being very cynical, but 12+ years of Conservative (mis)government
will do that to you. The Russians don't need to hack us anymore, we (or
rather the Conservatives) can do that work for them now.
------------------------------
Date: Sun, 21 Aug 2022 12:35:24 +0200
From: Peter Bernard Ladkin <
ladkin@causalis.com>
Subject: Re: An Explosive New Report ... Alzheimer's (RISKS-33.40)
Charles Piller's reports for Science are available at
(On the questions surrounding the Lesné-Ashe Nature 2006 paper)
Piller, C., Blots on a Field? Science 337 6604 dated 2022-07-21 on-line,
https://www.science.org/content/article/potential-fabrication-research-images-threatens-key-theory-alzheimers-disease
which includes the analysis of a particular Western-blot image, to show how (some of) the analysis is done. We have heard a lot about image analysis in scientific papers in the biomedical/biochemical/biowhatever fields lately,
and it is very helpful to see an example.
(On Cassava Sciences and its studies on its drug Simulfilam)
Piller, C., Research backing experimental Alzheimer's drug was first target
of suspicion, Science 337 6604 dated 2022-07-21 on-line,
https://www.science.org/doi/10.1126/science.ade0181
------------------------------
Date: Sun, 21 Aug 2022 13:38:54 +0100
From: Martin Ward <
martin@gkc.org.uk>
Subject: Re: A Janet Jackson Song Could Crash Windows XP Laptops
(PC Magazine, RISKS-33.40)
Chen said the laptop manufacturer put a custom filter... around the hard drive to prevent it being affected by sound waves or to dampen the
resonance frequency?
No:
the laptop manufacturer put a custom filter in the device's audio
system that could eliminate the resonant frequency during audio
playback.
So their solution was to severely degrade the quality of audio playback to
try and stop the laptop from crashing when certain sound frequencies were playing near the laptop? Never mind that laptop would still crash if a
laptop nearby (or just about any other audio device) happened to play those frequencies!
------------------------------
Date: Mon, 1 Aug 2020 11:11:11 -0800
From:
RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<
http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also,
ftp://ftp.sri.com/risks for the current volume/previous directories
or
ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES:
http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
Special Offer to Join ACM for readers of the ACM RISKS Forum:
<
http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 33.41
************************
--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)