• Risks Digest 33.87

    From RISKS List Owner@21:1/5 to All on Sat Sep 30 02:36:52 2023
    RISKS-LIST: Risks-Forum Digest Friday 29 September 2023 Volume 33 : Issue 87

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/33.87>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Cal. Gov. vetoes autonomous trucking bill (TechCrunch)
    Search for phone signal caused oil spill, say Japanese investigators
    (The Register)
    The UK passes massive online safety bill (The Verge)
    Egyptian presidential hopeful targeted by Predator spyware (WashPost)
    Web3 Firm Mixin Network Hacked, $200 Million Stolen in Centralised
    Exploit: All Details (MIT Technology News)
    Cryptocurrency's First Year After the FTX Blowup: `It’s Been Miserable’
    (Bloomberg)
    The FTX trial is bigger than Sam Bankman-Fried (The Verge)
    The risks of machine learning psychotherapy with voice interfaces (Gizmodo)
    Artificial intelligence poses 'risk of extinction,' tech execs and experts
    warn (CBC)
    AI adapters and opponents debate the future of work (CBC)
    AI will soon be able to cover public meetings. But should it?
    (Nieman Lab)
    GPUs from all major suppliers are vulnerable to new pixel-stealing attack
    (Ars Technica)
    Nigerian Hacktivists Are Taking on Big Oil (Lucas Laursen)
    MGM and Caesars casino hacks point to an alliance of teens and ransomware
    gangs (WashPost)
    A food delivery robot's footage led to a criminal conviction in LA
    (Engadget)
    Apple warns Russian journalists of Pegasus iPhone infections
    (Monty Solomon)
    Is there really an information security jobs crisis? (Ben Rothke)
    Metaverse: What happened to Mark Zuckerberg's next big thing? (BBC)
    New York Bans Facial Recognition in Schools (AP)
    Re: Misinformation research is buckling under GOP
    legal attacks (Amos Shapir)
    Re: Google accused of directing motorist to drive off collapsed
    bridge (David Landgren)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 27 Sep 2023 16:51:39 +0000
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: Cal. Gov. vetoes autonomous trucking bill (TechCrunch)

    Governor Gavin Newsom just vetoed a bill banning fully driverless AV trucks.

    https://techcrunch.com/2023/09/24/california-governor-vetoes-bill-to-ban-driverless-av-trucks/

    California governor vetoes bill to ban driverless AV trucks
    Rebecca Bellan@rebeccabellan, 24 Sep 2023

    "California Gov. Gavin Newsom vetoed a bill Friday that would have
    required a human safety operator to be present any time a self-driving
    truck operated on public roads in the state."

    https://legiscan.com/CA/text/AB316/id/2789644

    I'm very concerned that the risks associated with driverless trucks have not been fully vetted, e.g., Timothy McVeigh.

    For those of you who weren't born yet, Timothy McVeigh blew up the Alfred
    P. Murrah Federal Building in Oklahoma City in 1995, killing 168 people,
    using a rental truck full of an improvised fertilizer bomb.

    https://en.wikipedia.org/wiki/Timothy_McVeigh

    It's not clear whether forcing AV's to also have human drivers ('featherbedders'?) would have stopped a McVeigh-type attack, but it would
    have thrown up an additional barrier.

    California (and most other states) have severe penalties for driving while 'impaired' -- e.g., under the influence of alcohol or marijuana. Truck
    drivers have substantial additional requirements in training, licensing and records keeping -- e.g., number of continuous hours on the roads, etc.

    How do you even test an AI driver for `impairment'? Do you use a
    `hackalyzer'? Does the AI have to get out of the vehicle and walk a
    straight line? Is AI impairment even decidable?

    How does a patrol car even `pull over' an AV?

    At least for the moment, AI's have no 4th and 5th amendment rights, so there are no civil rights to violate when asking ``Ihre Papiere, bitte?'', but apparently there are no mechanisms to actually check the credentials of AI truck drivers before they enter the Yerba Buena Tunnel or the Holland
    Tunnel?

    Many tunnels don't want RV's with propane tanks, but zombie AV's are OK?

    Starlink now offers high-speed Internet for vehicles, including trucks. Yet Elon Musk was roundly criticized for prohibiting Ukraine's use of Starlink
    for AV weapons. Perhaps Elon's worries about weaponized AV's shouldn't be dismissed out of hand?

    https://tuckstruck.net/truck-and-kit/geekery/starlink-mobile-roaming/

    https://apnews.com/article/spacex-ukraine-starlink-russia-air-force-fde93d9a69d7dbd1326022ecfdbc53c2

    Elon Musk's refusal to have Starlink support Ukraine attack in Crimea raises questions for Pentagon

    Tara Copp, Updated 3:42 PM PDT, 11 Sep 2023

    https://www.reuters.com/technology/musk-experts-urge-pause-training-ai-systems-that-can-outperform-gpt-4-2023-03-29/

    I hate to sound like a Luddite, but I don't think that these breathless AV
    aficionados have completely thought all of these risks through.

    ------------------------------

    Date: Fri, 29 Sep 2023 15:57:49 -0600
    From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
    Subject: Search for phone signal caused oil spill, say Japanese
    investigators (The Register)

    Laura Dobberstein, *The Register*, 29 Sep 2023

    Japan’s Transport Safety Board on Thursday judged that a cargo ship that spilled 1,000 tons of fuel oil into a pristine marine environment off the
    coast of Mauritius in 2020 was traveling off course in search of a cell
    phone signal.

    https://www.theregister.com/2023/09/29/signal_search_caused_oil_spill/

    ------------------------------

    Date: Wed, 20 Sep 2023 02:29:35 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: The UK passes massive online safety bill (The Verge)

    https://www.theverge.com/2023/9/19/23880919/uk-passes-massive-online-safety-bill

    ------------------------------

    Date: Wed, 27 Sep 2023 13:32:17 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: New Green Line extension already so defective that trains are
    forced to move at walking pace (The Boston Globe)

    https://www.bostonglobe.com/2023/09/26/metro/mbta-green-line-extension-new-slow-zones/

    [Walking is appropriate for Green Parties. PGN]

    ------------------------------

    Date: Fri, 29 Sep 2023 19:31:40 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Egyptian presidential hopeful targeted by Predator spyware
    (*The Washington Post*)

    Rare ‘zero-day’ exploit used in failed hacking attempt that researchers say was probably conducted by the Egyptian government

    https://www.washingtonpost.com/investigations/2023/09/23/predator-egypt-hack-spyware-iphone/

    ------------------------------

    Date: Mon, 25 Sep 2023 09:18:37 -0700
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: Web3 Firm Mixin Network Hacked, $200 Million Stolen in Centralised
    Exploit: All Details (MIT Technology News)

    https://www.gadgets360.com/cryptocurrency/news/web3-firm-mixin-network-hacked-usd-200-million-stolen-centralised-exploit-4422486

    [Monty Solomon noted this:
    Hackers steal $200M from crypto company Mixin
    https://techcrunch.com/2023/09/25/hackers-steal-200-million-from-crypto-company-mixin/ ]

    ------------------------------

    Date: Fri, 29 Sep 2023 19:02:34 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Cryptocurrency's First Year After the FTX Blowup:
    `It’s Been Miserable’ (Bloomberg)

    As Sam Bankman-Fried heads to trial, many digital-asset players remain in survival mode.

    https://www.bloomberg.com/news/features/2023-09-29/sam-bankman-fried-trial-crypto-s-first-year-after-ftx-blowup-miserable

    ------------------------------

    Date: Thu, 28 Sep 2023 20:46:27 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: The FTX trial is bigger than Sam Bankman-Fried
    (The Verge)

    https://www.theverge.com/2023/9/28/23893269/ftx-sam-bankman-fried-trial-evidence-crypto

    ------------------------------

    Date: Thu, 28 Sep 2023 13:29:50 -0700
    From: Rob Wilcox <robwilcoxjr@gmail.com>
    Subject: The risks of machine learning psychotherapy with voice
    interfaces (Gizmodo)

    OpenAI Employee Discovers Eliza Effect, Gets Emotional

    ChatGPT's new text-to-voice feature has OpenAI's head of safety
    systems feeling *heard & warm*, while other experiments with AI therapy have been a disaster.

    Designing a program in such a way that it can truly convince someone that another human is on the other side of the screen has been a goal of AI developers since the concept took its first steps toward reality. Research company OpenAI recently announced that its flagship product ChatGPT would be getting eyes, ears, and a voice in its quest to appear more human. Now, an
    AI safety engineer at OpenAI says she got “quite emotional” after using the chatbot’s voice mode to have an impromptu therapy session.

    https://gizmodo.com/openai-employee-discovers-eliza-effect-gets-emotional-1850877739

    ------------------------------

    Date: Tue, 26 Sep 2023 18:22:45 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Artificial intelligence poses 'risk of extinction,' tech execs and
    experts warn (CBC)

    https://www.cbc.ca/news/world/artificial-intelligence-extinction-risk-1.6859118

    ------------------------------

    Date: Wed, 27 Sep 2023 14:39:25 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: AI adapters and opponents debate the future of work (CBC)

    Artificial intelligence is becoming a major part of our world and has the potential to change work forever, but is it a threat or an opportunity? The National brings together people using AI to improve their work or workplace
    and others who see it as a hazard to their jobs.

    http://www.cbc.ca/player/play/2267202115683

    ------------------------------

    Date: Tue, 26 Sep 2023 11:33:23 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: AI will soon be able to cover public meetings. But should it?
    (Nieman Lab)

    AI will soon be able to cover public meetings. But should it?

    “Is it ready for primetime, ready to be released to the masses? Absolutely not...But can it be done? Can you design an AI system that attends a city meeting and generates a story? Yeah, I did it.”

    https://www.niemanlab.org/2023/06/ai-will-soon-be-able-to-cover-public-meetings-but-should-it/

    ------------------------------

    Date: Tue, 26 Sep 2023 19:44:01 -0700
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: GPUs from all major suppliers are vulnerable to new pixel-stealing
    attack (Ars Technica)

    https://arstechnica.com/security/2023/09/gpus-from-all-major-suppliers-are-vulnerable-to-new-pixel-stealing-attack/

    ------------------------------

    Date: Fri, 29 Sep 2023 11:26:54 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Nigerian Hacktivists Are Taking on Big Oil (Lucas Laursen)

    Lucas Laursen, *IEEE Spectrum*, 27 Sep 2023,
    via ACM TechNews, 29 Sep 2023

    A group of Nigerian hacker-activists aims to collect and share data to
    increase public awareness of pollution caused by oil spills. The Media Awareness and Justice Initiative (MAJI) is organizing a low-cost air
    pollution monitoring network, and last year the group began installing
    the first of 15 air quality sensors in and around the city of Port
    Harcourt. The sensors monitor particulate matter, temperature,
    humidity, and atmospheric pressure to test for air pollution and
    hopefully determine its origin. MAJI has deployed two community
    networks to provide Internet access. MAJI's Okoro Onyekachi said the organization releases its data through a Web portal, radio, and social
    and print media in the hope of having a greater impact on polluters.

    ------------------------------

    Date: Sat, 23 Sep 2023 22:03:22 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: MGM and Caesars casino hacks point to an alliance of teens
    and ransomware gangs (WashPost)

    Security experts worry a group of English-speaking hackers has allied
    itself with forces responsible for the Colonial Pipeline ransomware attack.

    https://www.washingtonpost.com/technology/2023/09/22/mgm-hack-laid-to-star-fraud/

    ------------------------------

    Date: Thu, 28 Sep 2023 20:55:16 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: A food delivery robot's footage led to a criminal conviction in LA
    (Engadget)

    https://www.engadget.com/a-food-delivery-robots-footage-led-to-a-criminal-conviction-in-la-190854339.html

    ------------------------------

    Date: Wed, 20 Sep 2023 02:25:35 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Apple warns Russian journalists of Pegasus iPhone infections

    https://appleinsider.com/articles/23/09/16/apple-warns-russian-journalists-of-pegasus-iphone-infections

    ------------------------------

    Date: Sun, 24 Sep 2023 10:28:23 -0400
    From: Ben Rothke <brothke@gmail.com>
    Subject: Is there really an information security jobs crisis?

    There are countless reports that there are millions of open information security jobs.

    My take on the situation is that the numbers being touted are way, way off.

    https://brothke.medium.com/is-there-really-an-information-security-jobs-crisis-a492665f6823?sk=9dfae4d5614a4ad4681bbfb8e58a99dc

    ------------------------------

    Date: Mon, 25 Sep 2023 19:48:27 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Metaverse: What happened to Mark Zuckerberg's next big thing?
    (BBC)

    https://www.bbc.com/news/technology-66913551

    "Reality Labs -- which as the name suggests is Meta's virtual and augmented reality branch -- has lost a staggering $21 billion since last year."

    ------------------------------

    Date: Fri, 29 Sep 2023 11:26:54 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: New York Bans Facial Recognition in Schools (AP)

    Carolyn Thompson, *Associated Press*, 27 Sep 2023,
    via ACM TechNews, 29 Sep 2023

    New York State has prohibited facial recognition in schools, following
    last month's report by the state's Office of Information Technology
    Services acknowledging that the risks of the technology's use may
    outweigh its security benefits. The analysis cited facial
    recognition's "potentially higher rate of false positives for people
    of color, non-binary and transgender people, women, the elderly, and
    children." The report added that biotechnology would not prevent
    students from entering schools "unless an administrator or staff
    member first noticed that the student was in crisis, had made some
    sort of threat, or indicated in some other way that they could be a
    threat to school security." Decisions on digital fingerprinting and
    other biometric solutions are left up to local districts, per New York Education Commissioner Betty Rosa's directive.

    ------------------------------

    Date: Sun, 24 Sep 2023 12:49:52 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: Misinformation research is buckling under GOP
    legal attacks (RISKS-33.86)

    "... they had planned to use the grants to fund projects on noncontroversial topics such as nutritional guidelines..." -- Sorry, too late!

    See for example: https://www.theguardian.com/environment/2023/aug/18/gigantic-power-of-meat-industry-blocking-green-alternatives-study-finds

    Nothing is non-political any more...

    ------------------------------

    Date: Mon, 25 Sep 2023 14:00:57 +0200
    From: David Landgren <david@landgren.net>
    Subject: Re: Google accused of directing motorist to drive off collapsed bridge
    (Kruk, RISKS-33.86)

    The obvious question to ask is what happens to a driver who *wasn't* using a Google app and drove off the collapsed bridge and died? The only third party who could be held responsible is the municipality that failed to block off
    the access in a way that no car could get through. And that would still
    hold true regardless of what method of navigation the person was using. A couple of large blocks of concrete would do the job.

    Can't really fault Google here.

    ------------------------------

    Date: Sat, 1 Jul 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 33.87
    ************************
