• Risks Digest 33.72 (2/2)

    From RISKS List Owner@21:1/5 to All on Mon Jun 5 01:19:44 2023
    [continued from previous message]

    The lawsuit began like so many others: A man named Roberto Mata sued the airline Avianca, saying he was injured when a metal serving cart struck his knee during a flight to Kennedy International Airport in New York.

    When Avianca asked a Manhattan federal judge to toss out the case, Mr.
    Mata's lawyers vehemently objected, submitting a 10-page brief that cited
    more than half a dozen relevant court decisions. There was Martinez v.
    Delta Air Lines, Zicherman v. Korean Air Lines and, of course, Varghese v. China Southern Airlines, with its learned discussion of federal law and
    ``the tolling effect of the automatic stay on a statute of limitations.''

    There was just one hitch: No one -- not the airline's lawyers, not even the judge himself -- could find the decisions or the quotations cited and summarized in the brief.

    That was because ChatGPT had invented everything.

    https://www.nytimes.com/2023/05/27/nyregion/avianca-airline-lawsuit-chatgpt.html

    [Gabe Goldberg noted this item, and commented:
    I guess hallucinations aren't admissible...
    Matthew Kruk found another report in the BBC:
    https://www.bbc.com/news/world-us-canada-65735769
    Amos Shapir noted that one as well, with this line;
    The lawyer claimed that it was the first time he had used AI,
    and was ``unaware that its content could be false.''
    PGN]

    ------------------------------

    Date: Sun, 28 May 2023 16:38:03 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Anger over airports' passport e-gates not working (BBC News)

    Passengers flying into the UK faced hours of delays at airports across the country where passport e-gates were not working.

    Travelers told of their anger at being stuck in queues at airports including Heathrow, Manchester and Gatwick.

    The Home Office said on Saturday evening that all e-gates were now operating
    as normal.

    The disruption, which began on Friday night, had been due to an IT issue, a source told the BBC.

    All airports across the country using the technology were affected.

    The e-gate system speeds up passport control by allowing some passengers to scan their own passports. It uses facial recognition to verify identity and captures the traveler's image.

    https://www.bbc.com/news/uk-65731795

    ------------------------------

    Date: Sat, 27 May 2023 16:26:37 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Longer and longer trains are blocking emergency services and
    killing people (WashPost)

    https://www.washingtonpost.com/nation/interactive/2023/long-trains-block-intersections-paramedics/

    ------------------------------

    Date: Wed, 17 May 2023 22:29:47 +0000
    From: Richard Marlon Stein <rmstein@protonmail.com>
    Subject: Denials of health-insurance claims are rising and getting weirder
    (WashPost)

    https://www.washingtonpost.com/opinions/2023/05/17/health-insurance-denial-claims-reasons/

    ``ProPublica's investigation, published in March, found that an automated system, called PXDX, allowed Cigna medical reviewers to sign off on 50
    charts in 10 seconds presumably without even examining the patients'
    records.''

    Another electronic health record advantage.

    ------------------------------

    Date: Sun, 4 Jun 2023 15:12:01 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Small plane crashes after jet fighter chase in WashDC area
    (WashPost)

    A small plane (Cessna Citation) -- apparently on autopilot with unresponsive pilot -- crashes in mountainous Virginia terrain after chase by jet fighters causing sonic boom across DC, after plane violated DC airspace. -L

    [I was just on a zoom call with folks in the DC area. The boom
    was heard quite widely. PGN]

    ------------------------------

    Date: Sat, 20 May 2023 15:18:11 -0400
    From: "Steven J. Greenwald" <greenwald.steve@gmail.com>
    Subject: Response from American Airlines for delay

    For my flight out of DFW the other day, American Airlines had a major issue with a bugged up Airbus 321. They couldn't debug it, so they had to change
    the plane/gate.

    I found it unusual enough to ask for confirmation from American Airlines
    (they gave it, included below).

    Date: Sat, May 20, 2023 at 2:46 PM
    From: <AmericanAirlinesCustomerRelations@aa.com>
    Subject: Your Response From American Airlines

    Thank you for contacting Customer Relations. I am happy to respond to your inquiry regarding the reason for the delay of AA2206.

    Our records indicate that your flight was delayed due to an aircraft
    change caused by a moth infestation. [...]

    [And it was not even Moth-ers' Day. PGN]

    ------------------------------

    Date: Fri, 2 Jun 2023 11:53:10 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Microsoft Finds macOS Bug That Lets Hackers Bypass SIP Root
    Restrictions (Sergiu Gatlan)

    Sergiu Gatlan, *BleepingComputer, 30 May 2023 via ACM Tech News

    Apple has patched a vulnerability discovered by Microsoft security
    researchers, dubbed Migraine, that would have allowed attackers with root privileges to install *undeletable* malware and access the victim's private data. The researchers said, ``By focusing on system processes that are
    signed by Apple and have the com.apple.rootless.install.heritable
    entitlement, we found two child processes that could be tampered with to
    gain arbitrary code execution in a security context that bypasses SIP
    [System Integrity Protection] checks.'' Bypassing SIP also would allow attackers to circumvent Transparency, Consent, and Control (TCC) policies to gain access to the victim's private data. The vulnerability was patched in
    Apple's May 18 security updates for macOS Ventura 13.4, macOS Monterey
    12.6.6, and macOS Big Sur 11.7.7.
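
    The quoted description keys on Apple-signed processes that carry the
    com.apple.rootless.install.heritable entitlement. The following is an
    added example, not code from the article or from Microsoft's research,
    showing how an administrator could list which binaries on a Mac carry
    that entitlement. It assumes that `codesign -d --entitlements :- FILE`
    prints the entitlements as an XML plist (the older codesign syntax; newer
    releases may require `--entitlements - --xml`); the two sample plists are
    constructed for offline checking and were not dumped from any real binary.

```shell
#!/bin/sh
# Added example: audit Mach-O binaries for the SIP-relevant entitlement
# com.apple.rootless.install.heritable. Assumes `codesign -d --entitlements :-`
# emits an XML plist on the macOS release in use.

ENT='com.apple.rootless.install.heritable'

# has_heritable_install PLIST_TEXT
# Returns 0 when the plist grants the entitlement (<true/>), 1 otherwise.
# Whitespace is stripped first so the key and its value may sit on
# separate lines, as codesign prints them.
has_heritable_install() {
    printf '%s' "$1" | tr -d ' \t\n\r' \
        | grep -q "<key>$ENT</key><true/>"
}

# audit_binary FILE
# 0 = entitlement present, 1 = absent, 2 = unsigned or not a Mach-O.
audit_binary() {
    ents=$(codesign -d --entitlements :- "$1" 2>/dev/null) || return 2
    has_heritable_install "$ents"
}

# Constructed sample plists (not taken from any real binary).
SAMPLE_HERITABLE='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install.heritable</key>
    <true/>
</dict>
</plist>'

# Grants the non-heritable variant only; the heritable key is explicitly false.
SAMPLE_PLAIN='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
    <key>com.apple.rootless.install</key>
    <true/>
    <key>com.apple.rootless.install.heritable</key>
    <false/>
</dict>
</plist>'

# Usage on macOS: sh audit_heritable.sh /System/Library/CoreServices/*
# Each path whose signature grants the heritable entitlement is printed.
for bin in "$@"; do
    if audit_binary "$bin"; then
        echo "HERITABLE  $bin"
    fi
done
```

    The point of distinguishing the two sample plists is that the plain
    com.apple.rootless.install entitlement only lets the holder itself write
    to SIP-protected locations; the heritable variant passes that privilege
    to child processes, which is why a tamperable child of such a process
    matters.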

    ------------------------------

    Date: Wed, 24 May 2023 11:23:31 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Apps for Older Adults Contain Security Vulnerabilities
    (Patrick Lejtenyi)

    Patrick Lejtenyi, Concordia University, Canada, 23 May 2023

    Researchers at Canada's Concordia University found security bugs in 95 of
    146 popular Android applications designed for older adults. The researchers discovered that many apps failed to properly authenticate server application programming interface endpoints, which attackers could exploit to access sensitive personal data. Other apps had easily penetrable accounts, with
    some sending unencrypted information to either client-side servers or third-party domains. The researchers found multiple other flaws in dozens of other apps. Only seven of the 35 app developers the team contacted about the bugs responded, while Concordia's Pranay Kapoor said the vulnerabilities
    could be remedied by following best practices for basic security.

    ------------------------------

    Date: Fri, 26 May 2023 21:09:12 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: India official drains entire dam to retrieve phone (BBC)

    https://www.bbc.com/news/world-asia-india-65726193

    A government official in India has been suspended after he ordered a
    reservoir to be drained to retrieve his phone.

    It took three days to pump millions of litres of water out of the dam, after Rajesh Vishwas dropped the device while taking a selfie.

    By the time it was found, the phone was too water-logged to work.

    [Jim Reisert found that here: https://www.cnn.com/2023/05/28/india/india-reservoir-drained-selfie-photo-intl-hnk/
    PGN]

    [Out, Out, Dammed Drought. PGN]

    ------------------------------

    Date: Thu, 18 May 2023 08:31:26 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Google's Privacy Sandbox

    I believe the big Achilles heel of Google's Privacy Sandbox, their
    continuing effort rolling out in trials already, is Ad Topics, which replaces third party cookies with an advertising API involving local device modeling
    of your browsing history into predefined categories (about 350), with sites able to receive up to three of them most highly ranked.

    Google asserts that this will maintain or increase the value of targeted ads while increasing individual user privacy by moving away from third party cookies and ad hoc techniques used by sites to try to target individual users.

    Google is moving to default the various aspects of Privacy Sandbox to ON,
    based on the usual hope that users won't bother to change the defaults.

    I think the two words that spell the main trouble for this plan are
    "browsing history." Most people are quite sensitive about this and assume it
    is private. Even if shared with Google for enhanced services, they don't
    really want advertisers to know anything about it.

    Hell, even I feel an emotional punch when I think about advertisers being handed information about my browsing, no matter how carefully categorized, anonymized, and sanitized. And I know how this stuff actually works. I even agree that in theory it's better than the status quo with third party
    cookies, etc.

    Is this really going to fly in the long run? It seems unlikely as currently defined. Most people aren't going to understand it, just like they don't understand that Google doesn't sell user data to advertisers -- a widely
    held false belief that Google has never really been able to dispel. And
    Privacy Sandbox is even more complicated to explain to the average
    nontechnical person.

    Politicians from both parties are going to jump all over this. The fine
    points of privacy balance will be lost in the noise.

    This is unlikely to end well for anyone.

    ------------------------------

    Date: Sat, 20 May 2023 12:59:55 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: WebKit Under Attack: Apple Issues Emergency Patches for 3 New
    Zero-Day Vulnerabilities (Apple)

    Apple on Thursday rolled out security updates <https://support.apple.com/en-us/HT201222> to iOS, iPadOS, macOS, tvOS, watchOS, and the Safari web browser to address three new zero-day flaws
    that it said are being actively exploited in the wild.

    The three security shortcomings are listed below --

    - CVE-2023-32409 - A WebKit flaw that could be exploited by a malicious
    actor to break out of the Web Content sandbox. It was addressed with
    improved bounds checks.
    - CVE-2023-28204 - An out-of-bounds read issue in WebKit that could be
    abused to disclose sensitive information when processing web content. It
    was addressed with improved input validation.
    - CVE-2023-32373 - A use-after-free bug in WebKit that could lead to
    arbitrary code execution when processing maliciously crafted web content.
    It was addressed with improved memory management. [...]

    ------------------------------

    Date: Tue, 23 May 2023 03:36:59 +0000
    From: Richard Marlon Stein <rmstein@protonmail.com>
    Subject: Q&A: Why is there so much hype about the quantum computer?
    (phys.org)

    https://phys.org/news/2023-05-qa-hype-quantum.html

    ``Calculations show that it takes a quantum computer of 10^20M quantum bits [qubits *] to break an RSA encryption. Right now, the largest quantum
    computer is in the region of 430 quantum bits. So there is still some way to go. So, at the risk of becoming a laughing stock for posterity, I would
    guess that it will take another 20 years before we have a quantum computer
    that meets these expectations.''

    Four orders of magnitude to scale in the qubit space represents a mighty
    tall order to achieve. Government funding essential to back innovation on
    this turf.

    [*And that's without the massive error-correction that is required for a
    huge-qubit quantum computer -- and let's not forget out-put(t)s on the
    turf. PGN]

    ------------------------------

    Date: Tue, 23 May 2023 12:12:00 +0000
    From: Richard Marlon Stein <rmstein@protonmail.com>
    Subject: Report Estimates Trillions in Indirect Losses Would Follow Quantum
    Computer Hack (nextgov.com)

    https://www.nextgov.com/cybersecurity/2023/05/report-estimates-trillions-indirect-losses-would-follow-quantum-computer-hack/386653/

    ``An analysis projects the hypothetical disruption a cyberattack from a
    quantum computer could have on global financial markets.''

    The original report from the Hudson Institute is https://www.hudson.org/events/prosperity-risk-quantum-computer-threat-us-financial-system.

    [Same old financial chaos with a quantum twist.]

    ------------------------------

    Date: Sat, 3 Jun 2023 13:32:00 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Don't Store Your Money on Venmo, U.S. Govt Agency Warns (Gizmodo)

    https://gizmodo.com/venmo-paypal-digital-payments-cashapp-1850500772

    ------------------------------

    Date: Sat, 20 May 2023 10:13:19 -0700
    From: Steve Lamont <spl@tirebiter.org>
    Subject: Re: An EFF Investigation: Mystery GPS Tracker

    The device in question sounds very similar to the better known LoJack stolen vehicle recovery service, though generally they're better hidden than just under the driver's seat.

    I had one put in a used car I bought and the installer wouldn't even let me watch. (I suspect it was placed under the rear seat but never bothered to
    poke around to look.)

    I've had one in each in my last three new vehicles. The dealer installs
    them by default and the one time fee is included in the purchase price.

    According to the brochure, at least, the device tracking is only activated if/when the vehicle is reported stolen.

    ------------------------------

    Date: 16 May 2023 20:12:51 -0400
    From: "John Levine" <johnl@iecc.com>
    Subject: Re: Three Companies Supplied Fake Comments to FCC (NY AG), but
    John Oliver didn't (RISKS-33.71)

    I suppose this is not nearly on the same level as what those companies
    did, however.

    It's not even slightly the same. Oliver was encouraging his viewers to send their own messages to the FCC. Real messages from actual people are fine,
    so fine that the last clause of the First Amendment specifically allows it:

    Congress shall make no law respecting an establishment of religion,
    or prohibiting the free exercise thereof; or abridging the freedom of
    speech, or of the press; or the right of the people peaceably to
    assemble, and to petition the Government for a redress of grievances.

    Sure, a lot of the messages will say the same thing, but that's
    nothing new. Back in the day people set up card tables with postcards
    with preprinted messages you could write your name under and mail to
    your representatives. So long as each postcard was from the real
    person whose name was on it, no problem.

    These guys were sending fake comments using names of people who had no
    idea that messages were being sent using their names. I hope the
    difference is not hard to see.

    ------------------------------

    Date: Wed, 17 May 2023 10:57:47 -0400
    From: Michael Kohne <mhkohne@kohne.org>
    Subject: Re: Near collision embarrasses Navy, so they order public San Diego
    webcams taken down (Bacher, RISKS-33.71)

    I think you're wrong. Most of what the Navy does is pretty much out in the open. There's no way to prevent people watching what the Navy is doing
    anywhere near shore. It's just the nature of the beast -- you can't stop
    people taking pictures of the ocean, guys! And anyone competent in the Navy
    is aware of that, but frankly it never hurts for them to be publicly
    reminded of that fact -- which is why I also tend to believe this is more
    about embarrassment, rather than any actual purpose.

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 33.72
    ************************
