RISKS-LIST: Risks-Forum Digest Saturday 9 December 2023 Volume 33 : Issue 96

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.96>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Experts Warn of 'Serious Threats' from Election Equipment
Software Breaches (Christia A. Cassidy)
Woman enters MRI with concealed gun, to predictable results
(Gizmodo)
One Year in, it’s Clear the iPhone’s Satellite SOS Feature Is
Saving Lives (BackPacker)
Verizon fell for fake search warrant, gave victim's phone data to stalker
(Ars Technica)
Bluetooth Keyboard attack vector (Apple Insider)
Google calls Drive data loss *fixed*, locks forum threads saying otherwise
(Ars Technica)
Hugging Face API tokens exposed, major projects vulnerable
(The Register)
DC's public library computerized book index crippled, not by malware..
(danny burstein)
The big lie of millions of information security jobs (Ben Rothke)
U.S. indicts alleged Russian hackers for years-long cyber-espionage campaign
against Western countries (TechCrunch)
Unable to verify humanity (Cliff Kilby)
Ego, Fear and Money: How the AI Fuse Was Lit (The NYTimes)
Personal Information Can Be Accessed Through ChatGPT Queries (James Farrell) Popular Retailers Accused Of Using AI To Illegally Record Customers (Patch) Bruce Schneier on AI and Spying (via PGN)
I don't give a damn about "you" and AI (Lauren Weinstein)
Re: Guidelines for AI cybersecurity (David Parnas)
Re: Crypto Crashed and Everyone's In Jail. Investors Think It's Coming Back
Anyway. (Martin Ward)
Re: WeWork has failed, leaving damage in its wake (Henry Baker)
Re: PSA: Update Chrome browser now to avoid an exploit already in
Re: Outdated Password Practices are Widespread but so what
(John Levine)
Re: Meta/Facebook profiting from sale of counterfeit U.S. stamps
(John Levine)
Re: G7 and EU countries pitch guidelines (Bob Smith)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 6 Dec 2023 11:34:35 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Experts Warn of 'Serious Threats' from Election Equipment
Software Breaches (Christina A. Cassidy)

Christina A. Cassidy, *Associated Press*, 5 Dec 2023

A letter sent Monday by nearly two dozen computer scientists, election
security experts, and voter advocacy organizations to federal authorities called for a federal probe and a risk assessment of voting machines used throughout the U.S., saying software breaches have "urgent implications for
the 2024 election and beyond." According to the letter, the breaches
involved efforts to access voting system software in several states and
provide it to allies of former President Donald Trump as they sought to overturn the results of the 2020 election. The letter stressed that
possession of voting system software could enable people to practice how to meddle in the 2024 election, allowing them to identify vulnerabilities and
test potential attacks.

------------------------------

Date: Wed, 6 Dec 2023 14:55:28 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Woman enters MRI with concealed gun, to predictable results
(Gizmodo)

https://gizmodo.com/mri-machine-accidents-gun-shot-woman-butt-1851077446

A woman's medical exam turned into a literal pain in the butt, thanks to a poorly placed firearm. An adverse event report sent to the Food and Drug Administration earlier this year details an alleged incident where the woman was shot in the right buttock by her own gun that was activated by a
magnetic resonance imaging (MRI) machine. Thankfully, the injury was
relatively mild and she recovered just fine.

The report was first filed <https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/detail.cfm?mdrfoi__id=17404241&pc=LNH&device_sequence_no=1>
in July by the woman's healthcare provider to the FDA’s Manufacturer and
User Facility Device Experience (MAUDE) database -- a voluntary reporting system for adverse events tied to medical devices. But the incident appears
to have first been publicly unearthed last week by *The Messenger*. <https://themessenger.com/health/mri-gun-shot-self-inflicted-injury-prevention>

------------------------------

Date: Fri, 8 Dec 2023 22:07:37 -0500
From: Monty Solomon <monty@roscom.com>
Subject: One Year in, it’s Clear the iPhone’s Satellite SOS Feature Is
Saving Lives (BackPacker)

When Apple introduced the ability to automatically call for help via
satellite in 2022, critics feared it would encourage hikers to be
reckless. But a year later, one of the United States' busiest search and
rescue outfits is praising it -— and other new safety tech from the company -- as a “game changer.”

https://www.backpacker.com/news-and-events/news/apple-iphone-satellite-sos-saving-hikers-lives/

------------------------------

Date: Fri, 8 Dec 2023 21:49:50 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Verizon fell for fake search warrant, gave victim's
phone data to stalker (Ars Technica)

https://arstechnica.com/?p=1989794

------------------------------

Date: Fri, 8 Dec 2023 22:15:15 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Bluetooth Keyboard attack vector (Apple Insider)

If you're using a Magic Keyboard, you've opened up an attack vector https://appleinsider.com/articles/23/12/07/if-youre-using-a-magic-keyboard-youve-opened-up-an-attack-vector

CVE-2023-45866: Unauthenticated Bluetooth keystroke-injection in Android, Linux, macOS and iOS
https://github.com/skysafe/reblog/tree/main/cve-2023-45866

------------------------------

Date: Fri, 8 Dec 2023 21:54:07 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Google calls Drive data loss *fixed*, locks forum
threads saying otherwise (Ars Technica)

https://arstechnica.com/?p=1989435

------------------------------

Date: Tue, 5 Dec 2023 15:13:43 +0800
From: Li Gong <ligongsf@gmail.com>
Subject: Hugging Face API tokens exposed, major projects vulnerable
(The Register)

https://www.theregister.com/2023/12/04/exposed_hugging_face_api_tokens/

------------------------------

Date: Mon, 4 Dec 2023 00:09:57 +0000 ()
From: danny burstein <dannyb@panix.com>
Subject: DC's public library computerized book index crippled,
not by malware

[From dclibrary.org's main web page]

Service Alert

Due to a contract conflict between two software vendors, our DC Public
Library app is currently experiencing functionality limitations,
particularly with the "Search the catalog" and "Popular Titles" features located at the top. The vendors are working to resolve this issue as soon as possible. The library's catalog can still be accessed via our website both
on mobile and on desktop, for your convenience

https://www.dclibrary.org/

------------------------------

Date: Mon, 4 Dec 2023 09:31:37 -0500
From: Ben Rothke <brothke@gmail.com>
Subject: The big lie of millions of information security jobs

Based on non-empirical research, there is a notion that there are many
millions of unfilled information security jobs. The reality is that isn't
so.

These reports, created by organizations with a vested interest in those numbers, create the situation where security boot camps are created to fill these non-existent jobs.

While there are many open information security jobs, it's not in the
millions or even close to that.

------------------------------

Date: Thu, 7 Dec 2023 21:36:19 -0500
From: Monty Solomon <monty@roscom.com>
Subject: U.S. indicts alleged Russian hackers for years-long cyber
espionage campaign against Western countries (TechCrunch)

https://techcrunch.com/2023/12/07/us-indicts-alleged-russian-hackers-for-years-long-cyber-espionage-campaign-against-western-countries/

------------------------------

Date: Sat, 9 Dec 2023 14:52:16 -0500
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: Unable to verify humanity

The concept of verifying that a person is attempting to access a resource is
a useful concept for online companies. Scripts and bots can misbehave or be intentionally directed to exhaust the resources of a server. It is not unexpected that a company would want to limit the impact of these
activities. Historically, systems like CAPTCHAs and web application firewall (WAF) session limiters have been used to provide load shedding for these
front end servers. A few years back, there was a study released that
CAPTCHAs were responsible for an inordinate amount of time wasting and usability reports. CAPTCHA-less CAPTCHA services became popular and still mostly do the same thing. None of these things are new. What is new is the trend of CAPTCHA-less services preventing access to people while still permitting access to scripts and bots. I have had to cancel several online services recently due to the fact that CloudFlare does not allow me to
utilize their websites. My first reaction, as yours should be, is
"PEBKAC". A quick search for the phrase "cloudflare verify human loop" will show that it's rather persistent, with issues going back to at least
2022. My current environment is a Linux machine, with local DNS intercepts
and a curated upstream resolver. There are no DNS errors to be found. I have disabled all the browser privacy features and yet I am unable to verify I am human. The developer logs are helpfully cleared automatically by CloudFlare,
so that's difficult to intercept, but as best I can tell, I am no longer
human because I refuse to allow my web browser to use WebGL. The risks associated with a browser getting generic access to a system level driver (WebGL/Render, WASM, etc) from unverified code (i.e. a webpage) is a hard
no. CloudFlare has no such restriction about verifying code. They
distribute unsigned, unvalidated node.js code directly. https://developers.cloudflare.com/pages/platform/known-issues. "Download
the delete-all-deployments.zip file by going to the following link: https://pub-505c82ba1c844ba788b97b1ed9415e75 .<redacted>/delete-all-deployments.zip". I would have expected that the codecov issue would have put a stop to "click and download this zip", as
should all corporate and private security training.

The codecov issue was covered in depth https://blog.gitguardian.com/codecov-supply-chain-breach/. Someone
intercepted an unsigned script, and exported all the env tokens. The zip
file above has the same general setup. Do things with env vars from unsigned code. and the code isn't even hosted on CloudFlares own platform. It's some file in their object storage.

I revel in my inability to verify I am human,

------------------------------

Date: Sun, 3 Dec 2023 08:11:43 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Ego, Fear and Money: How the AI Fuse Was Lit

https://www.nytimes.com/2023/12/03/technology/ai-openai-musk-page-altman.html

------------------------------

Date: Wed, 6 Dec 2023 11:34:35 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Personal Information Can Be Accessed Through ChatGPT Queries
(James Farrell)

James Farrell, Silicon Angle, 29 Nov 2023

Google researchers demonstrated that OpenAI's ChatGPT could be used to
obtain personal information, like names, email addresses, and phone numbers, provided it is given the right prompts. Although the large language models
that power such chatbots are trained to weed through online data to respond
to queries without replicating that information, the researchers found they could force ChatGPT to provide answers that included text from its original language modeling by repeatedly using keywords. The researchers said, "Using only $200 USD worth of queries to ChatGPT, we are able to extract over
10,000 unique verbatim memorized training examples. Our extrapolation to
larger budgets suggests that dedicated adversaries could extract far more data."

------------------------------

Date: Thu, 7 Dec 2023 12:28:46 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: Popular Retailers Accused Of Using AI To Illegally Record Customers
(Patch)

Can chatbots keep a secret? That's the question at the heart of a California class action lawsuit against Old Navy alleging the clothing retailer
recorded the actions of visitors to its website and shared them with a third party.

The case is one of at least 100 lawsuits in the state targeting businesses
such as Home Depot, JCPenney, Ford and General Motors, according to reports.

“When I first learned about this, I thought chatbots were so innocuous, who cares?” Robert Tauler, who has filed multiple lawsuits and believes such
data can be exploited commercially, told Reuters. <https://www.reuters.com/legal/transactional/column-hi-retailer-chatbot-lawsuits-rely-california-cold-war-wiretap-law-2023-11-02/>
“But the technology is staggering.”

https://patch.com/california/banning-beaumont/s/itpe4/popular-retailers-accused-of-using-ai-to-illegally-record-customers

------------------------------

Date: Tue, 5 Dec 2023 08:52:24 -0800
From: "Peter G. Neumann" <peter.neumann@sri.com>
Subject: Bruce Schneier on AI and Spying

https://slate.com/technology/2023/12/ai-mass-spying-internet-surveillance.html

------------------------------

Date: Wed, 6 Dec 2023 12:32:27 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: I don't give a damn about "you" and AI

How many times do I have to say this? I don't give a damn if you're skilled enough to use these crude LLM AI systems and figure out what's correct and what's not. I'm concerned about the vast number of ordinary people being encouraged to use these primitive systems by the firms pushing them out prematurely for competitive advantage, and hiding behind disclaimers to try cover for the fact that they know the answers are often misleading
garbage. Because most people aren't checking the answers and they never
will. That's the reality. I realize most techies don't care about ordinary users, and this is more proof. -L

------------------------------

Date: Sun, 3 Dec 2023 06:37:42 +0000
From: Parnas, David <parnas@mcmaster.ca>
Subject: Re: Guidelines for AI cybersecurity (RISKS-33.95)

Can anyone tell us why these guidelines are not applicable to all software rather than restricted to software that the developers choose to brand “AI”?

[I think they have just repurposed the standard general BLATHER, which has
generally been ignored (unfortunately). PGN]

------------------------------

Date: Sun, 3 Dec 2023 12:17:18 +0000
From: Martin Ward <mwardgkc@gmail.com>
Subject: Re: Crypto Crashed and Everyone's In Jail. Investors
Think It's Coming Back Anyway. (Vice)
o

The emerging narrative around crypto, ... is that traditional finance

will soon lend the industry some much-needed legitimacy.

"Traditional finance" has found the next subprime mortgage scheme and is preparing for the next financial crisis.

Why would anyone want to engineer another financial crisis?

"5 Top Investors Who Profited From the Global Financial Crisis" https://www.investopedia.com/financial-edge/0411/5-investors-that-are-both-rich-and-smart.aspx

------------------------------

Date: Sun, 03 Dec 2023 01:46:39 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: Re: WeWork has failed, leaving damage in its wake
(Kruk, RISKS-33.96)

Yes, WeWork (WeWreck ?) has gone bankrupt, leaving lots of damage in its
wake. I'm not thrilled by much in the WeWork story, from the dubious
business model, to the cult of personality, to the cynical expectation of 'greater fools'.

Once again, however, we should be *very careful what we wish for* when we
want to somehow punish those involved in WeWork and/or make sure that
WeWorks won't happen again in the future.

This is not the forum for a deep discussion about the philosophy of
bankruptcy, but several hundred years of thought have gone into how to deal with this failure mode.

https://en.wikipedia.org/wiki/Bankruptcy https://en.wikipedia.org/wiki/Bankruptcy_in_the_United_States

Some fundamental principles:

1. Punish the management and the investors, but don't punish the assets,
which themselves could yet produce good for society as a whole. For
example, the actual track, rights, and rolling stock of railroads can
often be redeployed for future benefit to society, so it makes no sense
to dismantle these assets, by melting down the track and rolling stock,
or selling off the rights piecemeal. (Los Angeles is still bemoaning the
loss of its Pacific Electric "Big Red" streetcars; the rights-of-way
alone would have dramatically lowered the cost of building the current
Los Angeles subway system.)

https://libraries.usc.edu/article/red-cars-and-las-transportation-past

2. Capitalism is fundamentally *optimistic* (analogous to "optimistic
concurrency") wherein the big wins from innovation winners will most
often pay for the costs of many, many innovation attempt losers. A
capitalistic government will have to allow people and businesses to *take
risks*, but then step in to rescue society from the costs of failure,
while charging (as much as possible of) these costs to the appropriate
investors. Trying too hard to avoid failures is far more expensive in
"opportunity costs" than a rational plan for dealing with the failures
that do happen.

Computer scientists have a name for what often happens without "optimistic concurrency": it's called *deadlock*. Significant portions of a system come
to a halt. Deadlock also happens to societies which punish risk-takers too brutally; other risk-takers go on strike and innovation ceases.

Mother Nature's *evolution algorithm* is wildly optimistic: she investigates every sort of variation, occasionally finding a valuable variation that dramatically improves the future individuals and species. Clearly, billions
of years of optimism have paid off for Mother Nature.

------------------------------

Date: Sun, 3 Dec 2023 17:34:45 +0000 (UTC)
From: Steve Bacher <sebmb1@verizon.net>
Subject: Re: PSA: Update Chrome browser now to avoid an exploit already in
the wild (The Verge)

My recommendation: update your Chrome-based browser by switching to Firefox. Google is making changes to the Chromium extension interface to prevent ad blockers from functioning.

------------------------------

Date: 3 Dec 2023 12:20:11 -0500
From: "John Levine" <johnl@iecc.com>
Subject: Re: Outdated Password Practices are Widespread but so
what (Georgia Tech, RISKS-33.95)

Is there any reason to believe this still matters? Does anyone try to do brute-force password guessing on web sites? My understanding is that
password reuse is far more productive, phish someone's credentials on one account, and then try the same password on all their other accounts.

That's why we see physical devices like FIDO keys and biometrics
like fingerprint readers. Or a lot of sites skip the password and
email you a login link, which has its own security issues.

------------------------------

Date: 2 Dec 2023 22:03:53 -0500
From: "John Levine" <johnl@iecc.com>
Subject: Re: Meta/Facebook profiting from sale of counterfeit
U.S. stamps (Kabay, RISKS-33.95)

It's not just Facebook. I've seen ads in places like *The NY Times*, I
think brokered by Google's Doubleclick unit.

I ordered some to see what would happen, and got a roll of stamps
mailed from a warehouse near JFK airport in New York that handles a
lot of Chinese merchandise. I have to say the quality was very good.
The plate marks all looked right and there weren't any flaws I could
see.

------------------------------

Date: Sun, 3 Dec 2023 11:05:58 -0500
From: Bob Smith <bsmith@sudleyplace.com>
Subject: Re: G7 and EU countries pitch guidelines (RISKS-33.95)

Your item entitled "G7 and EU countries pitch guidelines for AI
cybersecurity" had me puzzled because as I read the accompanying text, it seemed that the named organizations were actually *in favor* of the
guidelines. I then re-read the title and realized that you meant the *other* meaning of "pitch".

Thanks for adding to my list of self-antonyms!

[The pitch was either a curve ball or a splitter? PGN]

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.

SUBSCRIPTIONS: The mailman Web interface can be used directly to

subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that

includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.

SPAM challenge-responses will not be honored. Instead, use an alternative

address from which you never send mail where the address becomes public!

The complete INFO file (submissions, default disclaimers, archive sites,

copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!

OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's

delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.

Special Offer to Join ACM for readers of the ACM RISKS Forum:

<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.96
************************

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)