whittling the company down to a skeleton staff of just over 2,000.
------------------------------
Date: Thu, 20 Oct 2022 14:57:22 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Devastating Report: Twitter may fire 75% of workers, gut content
moderation and decimate infrastructure (WashPost)
https://www.washingtonpost.com/technology/2022/10/20/musk-twitter-acquisition-staff-cuts/
------------------------------
Date: Wed, 19 Oct 2022 00:25:20 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: The vulnerability of transformers-based malware detectors to
adversarial attacks (techxplore.com)
https://techxplore.com/news/2022-10-vulnerability-transformers-based-malware-detectors-adversarial.html
Malware detection techniques are challenged by hackers, APTs, etc. who
adjust payload signatures that avoid detection. The arms race continues.
------------------------------
Date: Mon, 24 Oct 2022 11:59:06 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Thousands of GitHub Repositories Deliver Fake PoC Exploits
with Malware (Bill Toulas)
Bill Toulas, *BleepingComputer*, 23 Oct 2022,
via ACM TechNews, 24 Oct 2022
Researchers at the Leiden Institute of Advanced Computer Science in the Netherlands discovered thousands of GitHub repositories offering fake proof-of-concept (PoC) exploits for various vulnerabilities, including
malware. The researchers analyzed slightly more than 47,300 repositories promoting exploits for vulnerabilities disclosed between 2017 and 2021 using Internet Protocol (IP) address analysis, binary analysis, and hexadecimal
and Base64 analysis. Over 2,800 of 150,734 unique IPs extracted matched blocklist entries, 1,522 were labeled malicious in antivirus scans on Virus Total, and 1,069 of them were in the AbuseIPDB database. The researchers designated 4,893 of 47,313 tested repositories malicious, with most focusing
on vulnerabilities from 2020. The researchers advised software testers to thoroughly vet the PoCs they download, and to run as many checks as possible before execution.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f78bx237093x072432&
------------------------------
Date: Tue, 18 Oct 2022 01:20:05 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: How a Microsoft blunder opened millions of PCs to potent malware
attacks (Ars Technica)
https://arstechnica.com/information-technology/2022/10/how-a-microsoft-blunder-opened-millions-of-pcs-to-potent-malware-attacks/
https://learn.microsoft.com/en-us/windows/security/threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity#windows-security-app
------------------------------
Date: Fri, 14 Oct 2022 10:39:13 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Microsoft Office 365 email encryption could expose message content
(Bleeping Computer)
Doing encryption well ain't easy. -L
https://www.bleepingcomputer.com/news/security/microsoft-office-365-email-encryption-could-expose-message-content/
------------------------------
Date: Sat, 15 Oct 2022 09:52:42 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Google's "passkey" effort
https://twitter.com/laurenweinstein/status/1581325271810027523
I have long advocated for FIDO U2F security keys as the preferred multiple factor authentication model, and have suggested explicitly that "passwords
must die". So it's natural that I'm being asked about the @google "passkey" initiative.
There are multiple aspects to this. An obvious one is how rapidly sites will implement this method. Given the glacial speed with which many financial institutions have implemented crude 2-factor like text messaging and have delayed U2F key implementations, I am not optimistic.
Of even more concern is the sense that the methodology of passkeys will
appeal mainly to the tech-savvy, and will be understandably resisted by many everyday users, who will find the model overly complex and difficult to
trust for that reason.
This presents a familiar dilemma: persons who already are careful with their authentication security will benefit but the users most in need of improved security and who are most vulnerable largely will not -- especially if they don't use multiple devices and 24/7 smartphones.
The upshot isn't that passkeys won't have a place -- they will -- but that I suspect they will not be accepted by a significant proportion of sites and users, keeping in mind that many people even refuse to use ordinary
autofill, especially for passwords or payment methods.
I have pointed out this problem with @google outreach to users many times
over the years, and again, while there have been some improvements, many
users are still being left behind, and that's very unfortunate indeed.
------------------------------
Date: Sun, 16 Oct 2022 22:27:03 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: How Your Shadow Credit Score Could Decide Whether You Get an
Apartment (ProPublica)
Fuller learned her rental application had been screened by RentGrow, one of more than a dozen companies that mine consumer databases to perform
background checks on tenants. A form emailed to her said RentGrow determined she didn't meet applicant screening requirements, highlighting in yellow the box labeled *credit history*.
The letter provided no further explanation. A RentGrow representative,
through an executive at its parent company, declined to comment. Habitat America declined to respond to questions about Fuller's application from ProPublica, citing privacy concerns.
You don't know why you got denied or if you were ever considered. It's
really murky out there.
------------------------------
Date: Thu, 13 Oct 2022 23:53:32 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: U.S. Chip Sanctions Kneecap China's Tech Industry (WiReD)
The toughest export restrictions yet cut off AI hardware and chip-making
tools crucial to China's commercial and military ambitions.
https://www.wired.com/story/us-chip-sanctions-kneecap-chinas-tech-industry
------------------------------
Date: Tue, 25 Oct 2022 06:41:49 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: The danger of advanced artificial intelligence controlling its own
feedback (techxplore.com)
https://techxplore.com/news/2022-10-danger-advanced-artificial-intelligence-feedback.html
"What we now call the reinforcement learning problem was first considered in 1933 by the pathologist William Thompson. He wondered: if I have two
untested treatments and a population of patients, how should I assign treatments in succession to cure the most patients?
"More generally, the reinforcement learning problem is about how to plan
your actions to best accrue rewards over the long term. The hitch is that,
to begin with, you're not sure how your actions affect rewards, but over
time you can observe the dependence. For Thompson, an action was the
selection of a treatment, and a reward corresponded to a patient being
cured."
Without human oversight, a generalized superintelligence might be a "no brainer" waiting to happen. Good script kiddie experiment.
------------------------------
Date: Wed, 12 Oct 2022 14:17:30 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Toyota exposed 300,000 customer email addresses for 5 years
(Techcrunch)
https://techcrunch.com/2022/10/12/toyota-customer-email-addresses-exposed/
------------------------------
Date: Tue, 18 Oct 2022 21:13:10 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Parler leaked email addresses for Ivanka Trump, other 'VIPs' in
Kanye West announcement (Mashable)
https://mashable.com/article/parler-leaks-vip-emails-kanye-west-ivanka-trump
------------------------------
Date: Mon, 17 Oct 2022 11:55:31 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Humans Beat DeepMind AI in Creating Algorithm to Multiply Numbers
(Matthew Sparkes)
Matthew Sparkes, *New Scientist*, 13 Oct 2022, via ACM TechNews, 17 Oct 2022
Jakob Moosbauer and Manuel Kauers at Austria's Johannes Kepler University
Linz bested an algorithm developed by artificial intelligence company
DeepMind with a program that can perform matrix multiplication more efficiently. Earlier this month, DeepMind unveiled a method for multiplying
two five-by-five matrices in just 96 multiplications, out-performing a more-than-50-year-old record. Moosbauer and Kauers reduced the process to 95 multiplications by testing multiple steps in multiplication algorithms to
see if they could be combined. Said Moosbauer, "We take an existing
algorithm and apply a sequence of transformations that at some point can
lead to an improvement. Our technique works for any known algorithm, and if
we are lucky, then [the results] need one multiplication less than before."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f6b4x236dbax072760&
------------------------------
Date: Thu, 20 Oct 2022 16:31:43 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Deception Detection (RAND)
A group of RAND Corporation researchers found that machine-learning (ML)
models can identify signs of deception during national security background check interviews. The most accurate approach for detecting deception is an
ML model that counts the number of times that interviewees use common words.
https://www.rand.org/pubs/research_briefs/RBA873-1.html
[The? Er? Um? You-know? Well? PGN]
------------------------------
Date: Thu, 13 Oct 2022 15:28:45 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Re: AI-driven 'thermal attack' system reveals computer and
smartphone passwords in seconds (Techxplore)
This suggests to me that a good strategy to confound the thermal detectors would be to use repeated characters in passwords. I doubt that the thermal detection would be able to tell how many times a key was pressed, rather
than just the recency of a given key press. That would go against the common assumption that repeated characters in passwords are a Bad Thing.
------------------------------
Date: Wed, 12 Oct 2022 17:49:13 -0400
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Subject: Re: Lufthansa Says Apple AirTags Are Once Again Allowed in Checked
Bags (RISKS-33.48)
Never mind!
The airline reversed itself Wednesday, saying it had consulted with German aviation authorities, who agreed that Bluetooth trackers were safe for passengers to use.
https://www.nytimes.com/2022/10/12/travel/lufthansa-apple-airtags-luggage.html
------------------------------
Date: 12 Oct 2022 18:10:15 -0400
From: "John Levine" <johnl@iecc.com>
Subject: Re: Not a physical DDoS attack on the Australian Postal system
(Auspost)
If you read the reasons they give, I wouldn't call it a DoS attack but
rather yet another fragile supply chain. COVID caused a lot of mail that
would have normally been sent by air to be sent by sea, and it appears that
the places they inspect airmail are not the ones where they inspect sea
mail, what with airports and seaports being different.
It's like the Great Toilet Paper Shortage which turned out not to be that
there wasn't enough, but that there are different kinds for homes and institutions. When everyone started staying home, it was not easy to
repackage and redirect the institutional kind for home use.
------------------------------
Date: Thu, 13 Oct 2022 10:41:00 +0100
From: Martin Ward <martin@gkc.org.uk>
Subject: Re: Automatic emergency braking is not great at preventing crashes
at normal speeds (RISKS-33.48)
Naturally, I would like more research into why so many cars are crashing
into the chicane (a large, clearly marked, immobile structure): but this is
not necessarily a bad thing. Crashing into a chicane is better than mowing
down a child. The chicane is, presumably, better signposted and more visible than any small child, so any driver who crashed into the chicane is
presumably a risk to children, not just in the road but also on the
pavement: since the chicane hitter obviously has difficulty in keeping to
the road! Perhaps it is just as well that they are taken out of action
before they can do more serious harm?
------------------------------
Date: Thu, 13 Oct 2022 14:06:52 -0700
From: Rik Farrow <rik@rikfarrow.com>
Subject: Article about CHERI
I have long been interested in technology that might make computers more secure, and have been watching one such project for over a decade. CHERI, a combined software and hardware project, has now reached the implemented-in-silicon stage:
https://www.arm.com/architecture/cpu/morello.
I have written an article explaining the thinking behind CHERI and how Microsoft engineers using CHERI believe that they can eliminate as much as two thirds of vulnerabilities in software that uses C or C++:
https://www.usenix.org/publications/loginonline/redesigning-hardware-support-security-cheri
CHERI provides hardware support for limiting the range of pointers as well
as support for mechanisms to prevent use-after-free bugs. CHERI provides scalable compartmentalization, meaning that operating systems themselves can
be partitioned on memory boundaries without the performance expense of
changing context or flushing page caches. Overall, CHERI is a project that
may prove to be the most significant change in architecture in decades.
[Rik Farrow is the Editor of ;login: PGN]
------------------------------
Date: Thu, 13 Oct 2022 10:22:43 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: U.S. National Security Strategy report
The White House has released its National Security Strategy report.
The full report is at
https://www.whitehouse.gov/wp-content/uploads/2022/10/Biden-Harris-Administrations-National-Security-Strategy-10.2022.pdf
A summary is at
https://www.whitehouse.gov/briefing-room/speeches-remarks/2022/10/13/remarks-by-national-security-advisor-jake-sullivan-on-the-biden-harris-administrations-national-security-strategy/
------------------------------
Date: Fri, 21 Oct 2022 10:42:15 +0200
From: Christian Fuchs via iacap-announce <iacap-announce@iacap.org>
Subject: Book on Digital Ethics (Christian Fuchs)
Christian Fuchs. 2023. Digital Ethics. Media, Communication and
Society Volume Five. New York: Routledge. ISBN 9781032246161.
More info and sample chapter:
https://fuchsc.uti.at/books/digital-ethics/
This fifth volume in Christian Fuchs, Media, Communication and Society
series, presents an approach to critical digital ethics. It develops foundations and applications of digital ethics based on critical theory. It applies a critical approach to ethics within the realm of digital
technology.
Based on the notions of alienation, communication (in)justice, media (in)justice, and digital (in)justice, it analyses ethics in the context of digital labour and the surveillance-industrial complex; social media
research ethics; privacy on Facebook; participation, co-operation, and sustainability in the information society; the digital commons; the digital public sphere; and digital democracy. The book consists of three parts. Part
I presents some of the philosophical foundations of critical, humanist
digital ethics. Part II applies these foundations to concrete digital ethics case studies. Part III presents broad conclusions about how to advance the digital commons, the digital public sphere, and digital democracy, which is
the ultimate goal of critical digital ethics. [...]
------------------------------
Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also,
ftp://ftp.sri.com/risks for the current volume/previous directories
or
ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES:
http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 33.49
************************