Risks Digest 33.85

    RISKS-LIST: Risks-Forum Digest Tuesday 19 September 2023 Volume 33 : Issue 85

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    <http://catless.ncl.ac.uk/Risks/33.85>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Bots are Better than Humans at CAPTCHAS (Bruce Schneier)
    Cryptocurrency Startup Loses Encryption Key for Electronic
    Wallet (Schneier via Gabe Goldberg)
    What politicians are doing about the Internet, RIGHT NOW
    (Lauren Weinstein)
    Microsoft AI researchers accidentally exposed terabytes of internal
    sensitive data (TechCrunch)
    In Risky Hunt for Secrets, U.S. and China Expand Global Spy Operations
    (NYTimes)
    Chinese hackers have unleashed a never-before-seen Linux backdoor
    (Ars Technica)
    Scientists warn entire branches of the 'Tree of Life' are going extinct
    (Yahoo! News)
    Can the free market ensure artificial intelligence won't wipe out human
    workers? (CBC)
    DHS Issues Privacy/Civil Liberties Guidelines, *and* DHS Spies
    Trouble in 2024 in election security (Politico)
    Old Google vs. New Google (Lauren Weinstein)
    Re: Pedestrian dies after Cruise cars block ambulance
    (Geoff Kuenning, Henry Baker)
    Re: Vintage Car prices (Joe Gwinn)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 15 Sep 2023 11:06:31 +0000
    From: Bruce Schneier <schneier@schneier.com>
    Subject: Bots are Better than Humans at CAPTCHAS

    [PGN-Excerpted from Bruce's latest issue. But why does Bruce have to
    encode commas as "=2C"???? What is so special for Bruce's computer? As
    Gertrude Stein might have written, a comma is a comma is a comma. PGN]

    Abstract: For nearly two decades, CAPTCHAS have been widely used as a means
    of protection against bots. Throughout the years, as their use grew,
    techniques to defeat or bypass CAPTCHAS have continued to improve.
    Meanwhile, CAPTCHAS have also evolved in terms of sophistication and
    diversity, becoming increasingly difficult to solve for both bots
    (machines) and humans. Given this long-standing and still-ongoing arms
    race, it is critical to investigate how long it takes legitimate users to
    solve modern CAPTCHAS, and how they are perceived by those users.

    In this work, we explore CAPTCHAS *in the wild* by evaluating users'
    solving performance and perceptions of *unmodified currently-deployed*
    CAPTCHAS. We obtain this data through manual inspection of popular
    websites and user studies in which 1,400 participants collectively solved
    14,000 CAPTCHAS. Results show significant differences between the most
    popular types of CAPTCHAS: surprisingly, solving time and user perception
    are not always correlated. We performed a comparative study to
    investigate the effect of experimental context, specifically the
    difference between solving CAPTCHAS directly versus solving them as part
    of a more natural task, such as account creation. Whilst there were
    several potential confounding factors, our results show that
    *experimental context* could have an impact on this task, and must be
    taken into account in future CAPTCHA studies. Finally, we investigate
    CAPTCHA-induced user task *abandonment* by analyzing participants who
    start and do not complete the task.

    Slashdot thread [https://hardware.slashdot.org/story/23/08/10/0439241/bots-are-better-than-humans-at-cracking-are-you-a-robot-captcha-tests-study-finds].

    And let's all rewatch this great ad [https://www.youtube.com/watch?v=lhUuzWbrCgU] from 2022.

    ------------------------------

    Date: Sat, 16 Sep 2023 16:37:40 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Cryptocurrency Startup Loses Encryption Key for Electronic
    Wallet (Schneier on Security)

    The cryptocurrency fintech startup Prime Trust lost the encryption key to
    its hardware wallet—and the recovery key—and therefore $38.9 million. It is
    now in bankruptcy.

    I can’t understand why anyone thinks these technologies are a good idea.

    https://www.schneier.com/blog/archives/2023/09/cryptocurrency-startup-loses-encryption-key-for-electronic-wallet.html

    I mean, nobody could have anticipated that happening... [!!!]

    ------------------------------

    Date: Sun, 10 Sep 2023 08:11:37 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: What politicians are doing about the Internet, RIGHT NOW

    Keep in mind that right now, at this very moment, politicians in BOTH
    PARTIES are pushing legislation to require you to show a government ID to
    use most major Internet sites. Some of these laws have already been
    passed, and litigation all the way up to the Supreme Court is very likely.
    The goal of BOTH PARTIES is to create a Chinese-style Internet with
    everyone fully identified, all anonymity effectively lost (irrespective of
    the "safeguards" U.S. officials will promise), and all content tightly
    micromanaged by officials on the Left and Right not only to "protect the
    children" but to keep all Internet users firmly under the government's
    control. Yes, it's that bad. -L

    ------------------------------

    Date: Mon, 18 Sep 2023 15:30:26 -0700
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: Microsoft AI researchers accidentally exposed terabytes of internal
    sensitive data (TechCrunch)

    https://techcrunch.com/2023/09/18/microsoft-ai-researchers-accidentally-exposed-terabytes-of-internal-sensitive-data/

    [Monty Solomon spotted the above and also found this:
    Microsoft AI team accidentally leaks 38TB of private company data: https://mashable.com/article/microsoft-ai-researchers-leaked-private-data-azure-link-github
    PGN]

    ------------------------------

    Date: Mon, 18 Sep 2023 10:34:42 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: In Risky Hunt for Secrets, U.S. and China Expand Global Spy Operations
    (NYTimes)

    The nations are taking bold steps in the espionage shadow war to try to
    collect intelligence on leadership thinking and military capabilities.

    https://www.nytimes.com/2023/09/17/us/politics/us-china-global-spy-operations.html

    ------------------------------

    Date: Mon, 18 Sep 2023 19:55:29 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Chinese hackers have unleashed a never-before-seen Linux backdoor
    (Ars Technica)

    https://arstechnica.com/?p=1969201

    ------------------------------

    Date: Tue, 19 Sep 2023 09:02:26 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Scientists warn entire branches of the 'Tree of Life'
    are going extinct (Yahoo! News)

    Humans are driving the loss of entire branches of the "Tree of Life,"
    according to a new study published on Monday which warns of the threat of
    a sixth mass extinction.

    "The extinction crisis is as bad as the climate change crisis. It is not
    recognized," said Gerardo Ceballos, professor at the National Autonomous
    University of Mexico, and co-author of the study published in Proceedings
    of the National Academy of Sciences (PNAS).

    "What is at stake is the future of mankind," he told AFP.

    The study is unique because instead of merely examining the loss of a
    species, it examines the extinction of entire genera.

    In the classification of living beings, the genus lies between the rank of
    species and that of family. For example, dogs are a species belonging to
    the genus Canis -- itself in the canid family.

    "It is a really significant contribution, I think the first time anyone
    has attempted to assess modern extinction rates at a level above the
    species," Robert Cowie, a biologist at the University of Hawaii who was
    not involved in the study, told AFP.

    "As such it really demonstrates the loss of entire branches of the Tree of
    Life," a representation of living things first developed by Charles
    Darwin.

    The study shows that "we aren't just trimming terminal twigs, but rather
    are taking a chainsaw to get rid of big branches," agreed Anthony
    Barnosky, professor emeritus at the University of California, Berkeley.

    The researchers relied largely on species listed as extinct by the
    International Union for Conservation of Nature (IUCN). They focused on
    vertebrate species (excluding fish), for which more data are available.

    Of some 5,400 genera (comprising 34,600 species), they concluded that 73
    had become extinct in the last 500 years -- most of them in the last two
    centuries.

    The researchers then compared this with the extinction rate estimated from
    the fossil record over the very long term. [...]

    https://news.yahoo.com/scientists-warn-entire-branches-tree-011943508.html

    [If the skunks don't prevail, they will become Ex-Stinked. PGN]

    ------------------------------

    Date: Mon, 18 Sep 2023 19:00:06 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Can the free market ensure artificial intelligence
    won't wipe out human workers? (CBC)

    https://www.cbc.ca/news/business/post-ai-jobs-column-don-pittis-1.6962905

    What will you be doing only a decade from now when advanced versions of
    the artificial intelligence program ChatGPT have wormed their way into the
    fabric of life?

    According to some experts, you may be out of a job. Two current labour
    disputes involving autoworkers and screenwriters are at least partly about
    the future threat of AI.

    When AI comes for the jobs, writers may be among the first to go, warn two
    respected technology mavens writing in Foreign Affairs magazine. And they
    are not alone in that view. Even current versions of the AI program
    ChatGPT can sketch clearer prose than most humans, they say. And those
    programs are getting better.

    By 2035, as "white-collar workers lose their jobs en masse," declare Ian
    Bremmer and Mustafa Suleyman, AI will be running hospitals and airlines
    and courtrooms. "A year ago, that scenario would have seemed purely
    fictional; today, it seems nearly inevitable."

    ------------------------------

    Date: Mon, 18 Sep 2023 10:41:08 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: DHS Issues Privacy/Civil Liberties Guidelines, *and* DHS Spies
    Trouble in 2024 in election security (Politico)

    DHS also joined the Washington emerging tech frenzy on Thursday by
    introducing new guidelines on responsible use of AI with a focus on privacy
    and civil liberties.

    The move, the first of its kind for the agency, emphasizes the need for
    transparency and accountability in AI, while setting the stage for
    agencies to take steps to blunt bias in its systems.

    The guidelines also give us a sneak peek on how the agency plans to
    prioritize AI, honing in on its use for decision-making, the collection and
    use of data, and the development and testing of AI systems.

    [ALSO from the same source:]

    DHS Spies Trouble in 2024 in election security
    [don't forget integrity!!! PGN]

    Next year's election is shaping up to be a doozy -- and the country has a
    toxic triad of foreign cyberthreats, increasingly powerful AI models and
    rising domestic extremism to thank for it, according to a new government
    report <https://www.dhs.gov/news/2023/09/14/dhs-continues-see-high-risk-foreign-and-domestic-terrorism-2024-homeland-threat>.

    The Department of Homeland Security's 2024 threat assessment, which came
    out Thursday courtesy of its office of Intel and analysis, warns those
    three variables together will present significant risks to the integrity
    of the presidential election and the physical well-being of those
    involved in it.

    ------------------------------

    Date: Mon, 18 Sep 2023 11:12:00 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Old Google vs. New Google

    * OLD GOOGLE: We prefer websites be written by people, for people. QUALITY
    MATTERS!

    * NEW GOOGLE: AI writing trash is OK. It's the clicks that count! Never mind
    about that people writing for people quality stuff. Ancient history.

    ------------------------------

    Date: Fri, 15 Sep 2023 13:20:27 -0700
    From: Geoff Kuenning <geoff@cs.hmc.edu>
    Subject: Re: Pedestrian dies after Cruise cars block ambulance
    (RISKS-33.83)

    You'll note that I used the word "allege".

    Even if this case turns out to be not the fault of the Cruise cars, I
    think that it highlights an important point that has been repeatedly
    raised over the past year or so: driving is about more than safely
    staying within the lane (and the rules) and avoiding obstacles. Drivers
    have to deal with all sorts of unusual situations where the usual rules
    don't apply, such as police officers (or cones) directing them into the
    oncoming lane, turning around because a stuck semi has blocked the road,
    avoiding dangerously flooded intersections, etc. It's likely to be a long
    time before self-driving cars can handle all of those exceptions as well
    as a human can.

    ------------------------------

    Date: Fri, 15 Sep 2023 17:14:50 +0000
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: Re: Pedestrian dies after Cruise cars block ambulance
    (Lamont, RISKS-33.83)

    I think that we need to consider this incident a *wakeup call* re the risks
    of 'smart' vehicles.

    The newest cars are literally computers that happen to have wheels
    attached, and nearly everything about these cars can be hacked via the
    Internet -- either using the car's own radios or utilizing Bluetooth/Wi-Fi
    connected smartphones provided by the car's passengers.

    So here are some obvious hacking risks:

    1. EVs could be hacked to cause their batteries to melt down; catch fire
    -- literally execute 'HCF' -- perhaps an entire city's worth of EVs at
    exactly the same time. Since a lot of EVs would be parked *inside
    garages*, an entire city could be burned to the ground via an organized
    hack.

    [No need for censorship; I'm certain that the Chinese have already thought
    of this. Oh wait, aren't most EV batteries built in China? What could
    possibly go wrong?]

    2. Self-driving vehicles could be hacked to all drive to the same location
    at the same time to block all the main streets in a city. An optimized
    algorithm could block all of a city's streets with relatively few
    strategically placed 'self' driving vehicles.

    [Once again, I'm sure that Chinese/Russian/Iranian/NKorean hackers have
    already thought of this.]

    3. Another terrifying prospect: an AI-operated system of traffic lights
    that decides on its own how to 'optimize' traffic -- e.g., to/from a major
    event like a football game -- but gets too clever and cuts off access to
    hospitals. Programs like 'Waze' have already shown us how directed traffic
    can go wrong.

    Partial solution: we desperately need *diversity* in the HW/SW of our
    vehicles, so that no *single* attack vector can zombify *all* of our
    vehicles simultaneously.

    Partial solution: much, much stronger controls to make sure that vehicle SW
    can be updated to respond to newly discovered threats, and that the SW can
    be updated *safely* -- i.e., the update channel itself cannot be compromised
    to provide an attack mechanism.

    ------------------------------

    Date: Thu, 14 Sep 2023 16:01:08 -0400
    From: Joe Gwinn <joegwinn@comcast.net>
    Subject: Re: Vintage Car prices (Thorn, RISKS-33.84)

    NO data collection included.-)

    And no unreliable electronics and dependence on the web and various
    servers working, or subscription fees.

    Not to mention that the electronics may well have outlived its
    manufacturer, rendering the car scrap. See the Right-to-Repair topic for
    examples.

    ------------------------------

    Date: Sat, 1 Jul 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 33.85
    ************************
