
    From RISKS List Owner@21:1/5 to All on Wed Aug 24 00:20:09 2022
    RISKS-LIST: Risks-Forum Digest Tuesday 23 August 2022 Volume 33 : Issue 41

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/33.41>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Peiter "Mudge" Zatko's journey from hacker to Twitter whistleblower
    (WashPost with PGN comments)
    FBI Warns of Zeppelin Ransomware Attacks Targeting Bay Area Companies
    (SFStandard)
    How Secret Tesla Crash Data Might Make the Roads Safer (Cade Metz)
    Google Search Is Quietly Damaging Democracy (WiReD)
    How Google Cloud blocked the largest Layer 7 DDoS attack at 46 million rps
    (Google)
    'Anti-Reflective' Coating Allows Wi-Fi Through Walls (Tech Radar)
    HBO Max Crashes for Thousands in the Minutes After *House of the Dragon*
    Premieres (WSJ)
    A Dad Took Photos of His Naked Toddler for the Doctor. Google Flagged Him as
    a Criminal. (The New York Times)
    Working from home has fueled a rise in porn addicts (Daily Mail)
    AI Model Can Detect Parkinson's From Breathing Patterns (Slashdot)
    Re: AI Model Can Detect Parkinson's From Breathing Patterns (Slashdot)
    Startup uses AI to transform call center workers' accents into "white voice"
    (BoingBoing)
    Hackers Used Deepfake of Binance CCO to Perform Exchange Listing Scams
    (Bitcoin.com)
    Unix legend, who owes us nothing, keeps fixing foundational AWK code
    (Ars Technica)
    Software dev cracks Hyundai encryption with Google Search (The Register)
    Re: Software dev cracks Hyundai encryption with Google Search (Steve Bacher)
    MS-DEFCON 3: Issues with bootloader patches @AskWoody (Susan Bradley)
    How 40,000 people used a Lockport woman's SSN: 078-05-1120. (Gabe Goldberg)
    Re: How 40,000 people used a Lockport woman's SSN (Li Gong)
    Re: Voters in the UK Cast Ballots Online, in Test for Internet Voting,
    (Alan Ralph)
    Re: An Explosive New Report ... Alzheimer's (Peter Bernard Ladkin)
    Re: A Janet Jackson Song Could Crash Windows XP Laptops (Martin Ward)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 23 Aug 2022 11:30:14 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Peiter "Mudge" Zatko's journey from hacker to Twitter whistleblower

    https://www.washingtonpost.com/technology/2022/08/23/peiter-mudge-zatko-twitter-whistleblower/
    Full text of (redacted) whistleblower disclosure re Twitter (84 pages):
    https://s3.documentcloud.org/documents/22186683/twitter-whistleblower-disclosure.pdf
    [From Lauren Weinstein]

    [This item deserves some discussion here. Mudge and his L0pht folks
    testified for the U.S. Senate Government Affairs Committee (as did
    I just before them) on 19 May 1998 in a hearing about how everything
    relating to computer and network security was badly broken.
    There is a youtube of the L0pht testimony and subsequent discussion,
    running 59 minutes: https://www.youtube.com/watch?v=VVJldn_MmMY
    The L0pht were remarkably insightful pro-bono whistleblowers even then.
    The Russian state-sponsored hacker groups are now doing exactly what
    was being discussed 24 years ago in the oral testimony at about 28
    minutes into the hour. Senator Fred Thompson asked whether they could
    actually make the Internet unusable in less than 30 minutes, and
    the answer was that one of them could indeed do that with just a few
    inserted packets. Another Senator (Lieberman?) returns to that around
    49 minutes in. The L0pht written testimony is also on line:
    https://nsarchive.gwu.edu/briefing-book/cyber-vault/2019-01-09/cybersecuritcy-when-hackers-went-hill-revisiting-l0pht-hearings-1998
    Space-Rogue noted to me that a transcript of the original testimony is here:
    https://www.spacerogue.net/wordpress/?p=602
    However, much of what is fascinating here are the Senators' responses. All
    of this is worth reviewing today, primarily illustrating how little
    fundamental work has been done since then. It was very refreshing for me
    to revisit this archival material. The good news might be that the L0pht
    video has had almost a half-million views, and it is nice to know that our
    RISKS readers seem to be much more aware than nonreaders. Incidentally,
    my written testimony is on my website and in the searchable Congressional
    Record, but I had looked for a video of my oral testimony, and I did not
    find one. I am delighted I could find the L0pht's one so easily. PGN]

    ------------------------------

    Date: Tue, 23 Aug 2022 11:55:55 -0700
    From: Li Gong <ligongsf@gmail.com>
    Subject: FBI Warns of Zeppelin Ransomware Attacks Targeting Bay Area Companies
    (SFStandard)

    The evolution of ransomware business models: ransomware-as-a-service

    https://sfstandard.com/business/fbi-warns-of-zeppelin-ransomware-attacks-targeting-bay-area-companies/

    Two new trends raised alarm bells with law enforcement and cybersecurity
    professionals. One is a new focus on attacks on health care facilities and
    organizations already burdened by the pandemic. The other is an evolution in
    the business models around ransomware, with the Zeppelin software creating
    an ecosystem of cybercrime -- whereby actors research at-risk organizations,
    conduct attacks, negotiate ransoms and launder payments -- that Chan dubbed
    *ransomware-as-a-service*.

    ------------------------------

    Date: Mon, 22 Aug 2022 16:36:58 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: How Secret Tesla Crash Data Might Make the Roads Safer (Cade Metz)

    Data and video recorded by Tesla and other automakers to hone
    driver-assistance systems can also be an investigative tool for
    regulators and lawyers.

    [On the other hand, the article discusses someone ``whose startup is
    trying to monetize performance data.'' We seem to be entering an era
    where *almost everything* can be monetized. PGN]

    ------------------------------

    Date: Mon, 22 Aug 2022 01:31:20 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Google Search Is Quietly Damaging Democracy (WiReD)

    A series of incremental changes over the years has transformed the tool from
    an explorative search function to one that is ripe for deception.

    https://www.wired.com/story/google-search-quietly-damaging-democracy

    ------------------------------

    Date: Sun, 21 Aug 2022 09:57:03 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: How Google Cloud blocked the largest Layer 7 DDoS attack at 46
    million rps

    https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps

    ------------------------------

    Date: Mon, 22 Aug 2022 13:03:12 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: 'Anti-Reflective' Coating Allows Wi-Fi Through Walls

    Steve McCaskill, *TechRadar*, 18 Aug 2022, via ACM TechNews

    Scientists at Austria's Vienna University of Technology (TU Wien) and
    France's University of Rennes have enabled Wi-Fi signals to pass through
    walls more effectively. The method calculates an anti-reflective invisible
    structure to a wall, which TU Wien's Stefan Rotter likened to "the
    anti-reflective coating on your pair of glasses." The researchers
    transmitted microwaves through a labyrinth of obstacles, then calculated a
    matching anti-reflective structure that almost completely removed the
    signals' reflection. "We were able to show that this information can be used
    to calculate a corresponding compensating structure for any medium that
    scatters waves in a complex way, so that the combination of both media
    allows waves to pass through completely," explained TU Wien's Michael
    Horodynski.
    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f12cx2356a9x069966&

    ------------------------------

    Date: Mon, 22 Aug 2022 08:42:59 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: HBO Max Crashes for Thousands in the Minutes After *House of the
    Dragon* Premieres (WSJ)

    *The wait for the *Game of Thrones* prequel lasted a little longer for some;
    HBO Max says the show had millions of viewers*

    Some users said they were close to a breakdown!

    https://www.wsj.com/articles/hbo-max-crashes-house-of-the-dragon-game-of-thrones-prequel-11661172989

    [Unnecessarily long item truncated for RISKS. PGN]

    ------------------------------

    Date: Sun, 21 Aug 2022 14:05:12 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: A Dad Took Photos of His Naked Toddler for the Doctor.
    Google Flagged Him as a Criminal. (The New York Times)

    Google has an automated tool to detect abusive images of children. But the system can get it wrong, and the consequences are serious.

    A Google spokeswoman said the company stands by its decisions, even though
    law enforcement cleared the two men.

    https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html

    [Long explicit version for those who wish to dig into this story: https://dnyuz.com/2022/08/21/a-dad-took-photos-of-his-naked-toddler-for-the-doctor-google-flagged-him-as-a-criminal/
    PGN]

    ------------------------------

    Date: Mon, 22 Aug 2022 09:01:45 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Working from home has fueled a rise in porn addicts (Daily Mail)

    Clinics reveal record number of Brits are seeking help after flexible
    working put ``temptation at [their] fingertips.'' [...]

    https://www.dailymail.co.uk/health/article-11127351/EXCL-WFH-fuelled-rise-extreme-porn-addiction.html

    ------------------------------

    Date: Tue, 23 Aug 2022 13:39:57 -0400
    From: Tom Van Vleck <thvv@multicians.org>
    Subject: AI Model Can Detect Parkinson's From Breathing Patterns (Slashdot)

    https://science.slashdot.org/story/22/08/22/2215255/ai-model-can-detect-parkinsons-from-breathing-patterns

    "The team developed a device with the appearance of a home Wi-Fi router,
    but instead of providing Internet access, the device emits radio signals,
    analyzes their reflections off the surrounding environment, and extracts
    the subject's breathing patterns without any bodily contact. The
    breathing signal is then fed to the neural network to assess Parkinson's
    in a passive manner, and there is zero effort needed from the patient and
    caregiver."

    Could they adapt this technology to make a stealth contactless lie detector?
    Put one of these in a waiting room and play various ads, see how people
    respond. Play patriotic music and see whose anthem folks like best. THVV

    ------------------------------

    From: Ross Anderson <Ross.Anderson@cl.cam.ac.uk>
    Date: Tue, 23 Aug 2022 23:19:31 +0100
    Subject: Re: AI Model Can Detect Parkinson's From Breathing Patterns (THVV)

    When we did this work:
    https://www.lightbluetouchpaper.org/2015/01/04/to-freeze-or-not-to-freeze/
    we experimented with radar as well as time-difference-of-arrival cameras and
    body motion-capture suits. Radar didn't work at all. Motion capture worked
    best. But the main signals come from fidgeting especially in the upper arms
    and hands. A smart watch can give you away!

    ------------------------------

    Date: Tue, 23 Aug 2022 10:10:51 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Startup uses AI to transform call center workers' accents into
    "white voice" (BoingBoing)

    https://boingboing.net/2022/08/23/startup-uses-ai-to-transform-call-center-workers-accents-into-white-voice.html

    ------------------------------

    Date: Tue, 23 Aug 2022 11:26:52 -0400
    From: José María Mateos <chema@rinzewind.org>
    Subject: Hackers Used Deepfake of Binance CCO to Perform Exchange Listing
    Scams (Bitcoin.com)

    https://news.bitcoin.com/hackers-used-deepfake-of-binance-cco-to-perform-exchange-listing-scams/

    A set of hackers managed to impersonate Binance chief communications officer
    (CCO) Patrick Hillmann in a series of video calls with several
    representatives of cryptocurrency projects. The attackers used what Hillmann
    described as an AI hologram, a deepfake of his image, for this objective, and
    managed to fool some representatives of these projects, making them think
    Hillmann was helping them get listed on the exchange.

    ------------------------------

    Date: Tue, 23 Aug 2022 12:08:16 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Unix legend, who owes us nothing, keeps fixing foundational AWK
    code -- Thanks Brian!

    https://arstechnica.com/gadgets/2022/08/unix-legend-who-owes-us-nothing-keeps-fixing-foundational-awk-code/

    ------------------------------

    Date: Wed, 17 Aug 2022 20:57:01 -0700
    From: Li Gong <ligongsf@gmail.com>
    Subject: Software dev cracks Hyundai encryption with Google Search
    (The Register)

    Fun reading -- using public/private keys copied from a public tutorial to
    sign real-world software in Hyundai cars

    https://www.theregister.com/2022/08/17/software_developer_cracks_hyundai_encryption/

    ------------------------------

    Date: Sun, 21 Aug 2022 09:09:18 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Re: Software dev cracks Hyundai encryption with Google Search

    What I fear is that the wrong lesson will be learned, and Google will be
    urged to suppress search results for general encryption tutorials, rather
    than addressing the ill-advised behavior of Hyundai programmers in lazily
    copying keys from an online example.

    ------------------------------

    Date: Tue, 23 Aug 2022 13:51:11 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: MS-DEFCON 3: Issues with bootloader patches @AskWoody
    (Susan Bradley)

    This month's updates are a great example of why my patching advice
    differs for consumers and businesses.

    For consumer patchers, whether using Windows 10 Home or Professional, I'm
    not convinced that you need to install KB5012170, Microsoft's security
    update for Secure Boot DBX (the Secure Boot Forbidden Signature Database).
    Unless, that is, you think you will be targeted by an overseas attacker with
    a malicious bootloader installer. If your computer holds the keys to the
    nuclear codes, then by all means install this update instantly. The fact
    that this isn't clear-cut is the reason I can lower the MS-DEFCON only to 3
    this time around.

    https://www.askwoody.com/newsletter/ms-defcon-3-issues-with-bootloader-patches/
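    As an added example (not code from the AskWoody post or from the digest), the
    following shows what the Secure Boot DBX that KB5012170 updates actually
    contains: a sequence of EFI_SIGNATURE_LIST records whose SHA-256 entries are
    the Authenticode hashes of forbidden bootloaders. It parses a DBX blob and
    checks whether a given image hash is revoked; the signature-type GUIDs are
    from the UEFI specification, while the sample owner GUID and hashes are
    constructed for illustration.

```python
# Added example: parse a UEFI Secure Boot DBX (forbidden signature database)
# blob and check whether a bootloader's Authenticode SHA-256 hash is revoked.
import struct
import uuid
from typing import Dict, List, Set

# Signature-type GUIDs from the UEFI specification.
EFI_CERT_SHA256_GUID = uuid.UUID("c1c41626-504c-4092-aca9-41f936934328")
EFI_CERT_X509_GUID = uuid.UUID("a5c059a1-94e4-4aa7-87b5-ab155c2bf072")

# EFI_SIGNATURE_LIST header: SignatureType (16-byte GUID), SignatureListSize,
# SignatureHeaderSize, SignatureSize (all little-endian uint32).
_LIST_HDR = struct.Struct("<16sIII")
_OWNER_LEN = 16  # each EFI_SIGNATURE_DATA starts with a SignatureOwner GUID


def parse_dbx(blob: bytes) -> Dict[str, List[bytes]]:
    """Return {signature type name: [signature payloads]} for every list in blob."""
    out: Dict[str, List[bytes]] = {}
    off = 0
    while off < len(blob):
        if len(blob) - off < _LIST_HDR.size:
            raise ValueError(f"truncated EFI_SIGNATURE_LIST header at offset {off}")
        sig_type, list_size, hdr_size, sig_size = _LIST_HDR.unpack_from(blob, off)
        if list_size < _LIST_HDR.size + hdr_size or off + list_size > len(blob):
            raise ValueError(f"bad SignatureListSize {list_size} at offset {off}")
        if sig_size <= _OWNER_LEN:
            raise ValueError(f"bad SignatureSize {sig_size} at offset {off}")
        type_name = {
            EFI_CERT_SHA256_GUID.bytes_le: "sha256",
            EFI_CERT_X509_GUID.bytes_le: "x509",
        }.get(sig_type, uuid.UUID(bytes_le=sig_type).hex)
        data_off = off + _LIST_HDR.size + hdr_size
        data_end = off + list_size
        if (data_end - data_off) % sig_size:
            raise ValueError(f"signature data not a multiple of SignatureSize at {off}")
        for pos in range(data_off, data_end, sig_size):
            # Drop the 16-byte SignatureOwner GUID; keep the hash/certificate bytes.
            out.setdefault(type_name, []).append(blob[pos + _OWNER_LEN:pos + sig_size])
        off = data_end
    return out


def revoked_sha256(blob: bytes) -> Set[str]:
    """Hex digests of every SHA-256 entry in the DBX."""
    return {h.hex() for h in parse_dbx(blob).get("sha256", [])}


def is_revoked(blob: bytes, image_hash_hex: str) -> bool:
    """True if the image's Authenticode SHA-256 hash is forbidden by this DBX."""
    return image_hash_hex.lower() in revoked_sha256(blob)


def build_sha256_list(hashes: List[bytes], owner: uuid.UUID) -> bytes:
    """Encode one EFI_SIGNATURE_LIST of SHA-256 entries (used to build the sample)."""
    sig_size = _OWNER_LEN + 32
    body = b"".join(owner.bytes_le + h for h in hashes)
    hdr = _LIST_HDR.pack(EFI_CERT_SHA256_GUID.bytes_le,
                         _LIST_HDR.size + len(body), 0, sig_size)
    return hdr + body


# Constructed sample DBX: two made-up revoked hashes under a made-up owner GUID.
SAMPLE_OWNER = uuid.UUID("12345678-1234-5678-1234-567812345678")
SAMPLE_HASHES = [bytes([0xAA]) * 32, bytes(range(32))]
SAMPLE_DBX = build_sha256_list(SAMPLE_HASHES, SAMPLE_OWNER)
```

    On a real machine the blob to feed `parse_dbx` is the contents of the `dbx`
    UEFI variable, and the image hash to check is the Authenticode SHA-256 of
    the bootloader in the EFI system partition.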

    ------------------------------

    Date: Sat, 20 Aug 2022 22:22:58 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: How 40,000 people used a Lockport woman's SSN: 078-05-1120.

    Proving there's nothing new under the sun:

    That's the most used -- or misused -- Social Security number in history, and
    it belonged to a woman from Lockport.

    The federal government originally issued that number to Hilda Schrader
    Whitcher in the 1930s. But over the next four decades more than 40,000
    people mistakenly claimed it for themselves.

    https://buffalonews.com/news/local/history/how-40-000-people-used-a-lockport-womans-social-security-number/article_9e74f603-25b9-5d06-9efa-eab3697369a3.html

    And: Social Security Cards Issued by Woolworth

    The most misused SSN of all time was (078-05-1120). In 1938, wallet
    manufacturer the E. H. Ferree company in Lockport, New York decided to
    promote its product by showing how a Social Security card would fit into its
    wallets. A sample card, used for display purposes, was inserted in each
    wallet. Company Vice President and Treasurer Douglas Patterson thought it
    would be a clever idea to use the actual SSN of his secretary, Mrs. Hilda
    Schrader Whitcher.

    https://www.ssa.gov/history/ssn/misused.html

    ------------------------------

    Date: Sat, 20 Aug 2022 22:39:28 -0700
    From: Li Gong <ligongsf@gmail.com>
    Subject: Re: How 40,000 people used a Lockport woman's SSN
    (Goldberg, RISKS-33.41)

    "They started using the number," Whitcher told The News. "They thought it
    was their own. I can't understand how people can be so stupid. I can't
    understand that."

    One has to sigh -- how true is that today across a whole range of
    issues/things, political and otherwise, even in the so-called *greatest
    country on earth*.

    Oh well -- and I guess one has to be careful even to utter that sentence
    in fear of being accused of being politically incorrect.

    ------------------------------

    From: Alan Ralph <alan@alanralph.co.uk>
    To: risks@csl.sri.com
    Date: Sun, 21 Aug 2022 09:41:16 +0100
    Subject: Re: Voters in the UK Cast Ballots Online, in Test for Internet
    Voting, (WSJ, RISKS-33.40)

    Given that this is the Conservative party we're talking about, I think the
    biggest security threat is inside the tent. Use the postal strikes (which
    they've done nothing about because it feeds their anti-union plans) to get
    most party members to vote online, then 'fix' the result to the one the
    party itself wants.

    Yes, I'm being very cynical, but 12+ years of Conservative (mis)government
    will do that to you. The Russians don't need to hack us anymore, we (or
    rather the Conservatives) can do that work for them now.

    ------------------------------

    Date: Sun, 21 Aug 2022 12:35:24 +0200
    From: Peter Bernard Ladkin <ladkin@causalis.com>
    Subject: Re: An Explosive New Report ... Alzheimer's (RISKS-33.40)

    Charles Piller's reports for Science are available at

    (On the questions surrounding the Lesné-Ashe Nature 2006 paper)
    Piller, C., Blots on a Field? Science 337 6604 dated 2022-07-21 on-line,
    https://www.science.org/content/article/potential-fabrication-research-images-threatens-key-theory-alzheimers-disease

    which includes the analysis of a particular Western-blot image, to show how
    (some of) the analysis is done. We have heard a lot about image analysis in
    scientific papers in the biomedical/biochemical/biowhatever fields lately,
    and it is very helpful to see an example.

    (On Cassava Sciences and its studies on its drug Simufilam)
    Piller, C., Research backing experimental Alzheimer's drug was first target
    of suspicion, Science 337 6604 dated 2022-07-21 on-line,
    https://www.science.org/doi/10.1126/science.ade0181

    ------------------------------

    Date: Sun, 21 Aug 2022 13:38:54 +0100
    From: Martin Ward <martin@gkc.org.uk>
    Subject: Re: A Janet Jackson Song Could Crash Windows XP Laptops
    (PC Magazine, RISKS-33.40)

    Chen said the laptop manufacturer put a custom filter... around the hard
    drive to prevent it being affected by sound waves or to dampen the
    resonance frequency?

    No:

    the laptop manufacturer put a custom filter in the device's audio
    system that could eliminate the resonant frequency during audio
    playback.

    So their solution was to severely degrade the quality of audio playback to
    try and stop the laptop from crashing when certain sound frequencies were
    playing near the laptop? Never mind that the laptop would still crash if a
    laptop nearby (or just about any other audio device) happened to play those
    frequencies!

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 33.41
    ************************
