• Risks Digest 34.01 (1/2)

    From RISKS List Owner@21:1/5 to All on Sun Dec 31 05:24:33 2023
    RISKS-LIST: Risks-Forum Digest Saturday 30 December 2023 Volume 34 : Issue 01

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/34.01>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: Apologies for hiatus. Network outage in a real shutdown.
    DRM bricks Polish trains (404media)
    Rise of AI fake news is creating a misinformation superspreader (WashPost)
    Coffee Cty, GA missing laptop may impact Trump, Curling cases
    (Douglas Lucas)
    Michael Cohen Used Artificial Intelligence in Feeding Lawyer Bogus Cases
    (NYTimes)
    Splitting a Large AI Across Several Devices Lets You Run It in Private
    (New Scientist)
    The Times Sues OpenAI and Microsoft Over AI Use of Copyrighted Work
    (NYTimes)
    Six Big Questions for Generative AI (Tech Review)
    FTC slams Rite Aid for misuse of facial recognition technology in stores
    (The Washington Post)
    More people at risk as Ontario public bodies face growing wave of
    cyberattacks, experts say (CBC)
    New AI model can predict human lifespan, researchers say.
    They want to make sure it's used for good (phys.org)
    BBC has the miraculous report of an AI that is capable of learning. (BBC)
    A New Kind of AI Copy Can Fully Replicate Famous People (Politico)
    AI in the Machine Internet (Dana F. Blankenhorn)
    Chinese Spy Agency Rising to Challenge the CIA (NYTimes)
    Open-Source Chip Design Takes Hold in Silicon Valley (WSJ)
    Operation Triangulation: The last 'hardware' mystery (Securelist)
    TERRAPIN: SSH protects the world's most sensitive networks. It just got a
    lot weaker (Ars Technica)
    TERRAPIN and SSH Prefix Truncation Attack (Bob Gezelte)
    GTA 6 hacker handed indefinite hospital order (Lapsus$)
    Xfinity waited to patch critical Citrix Bleed 0-day. Now it's paying the
    price (Ars Technica)
    The 2010 Census Confidentiality Protections Failed, Here's How and Why
    (Arxiv)
    Quantum Computing's Hard, Cold Reality Check* (IEEE)
    It's easier to convince kids than adults about quantum mechanics
    (Physicist Bob Coecke)
    FCPD Combats Crypto-Related Scams: How to Avoid Falling Victim to Fraud
    (Fairfax County Police Department News)
    Israeli hackers shut down 70% of Iran's gas stations (Times of Israel)
    Blog post on CSAE and E2EE (Susan Landau)
    The Disturbing Impact of the Cyberattack at the British Library
    (The New Yorker)
    Data for nearly 36 million Comcast customers leaked to hackers
    (Ars Technica)
    Online searches to evaluate misinformation can increase its perceived
    veracity (Nature)
    The 2023 Good Tech Awards (The NYTimes)
    Do you need git or Subversion? (Cliff Kilby)
    iPhone Thief Explains How He Breaks Into Your Phone (WSJ)
    Former White House scientist was scammed out of $650K and must pay taxes
    (The Washington Post)
    Re: Ex-Amazon security engineer admits to stealing over $12M in crypto
    (Gabe Goldberg)
    Re: What to do when receiving unprompted MFA OTP codes (Joseph Gwinn)
    Re: WeWork has failed, leaving damage in its wake (Martin Ward)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: 17 Dec 2023 23:09:02 -0500
    From: "John Levine" <johnl@iecc.com>
    Subject: DRM bricks Polish trains (404media)

    Some Polish trains were sent for routine maintenance, after which they would not run even though nothing was evidently wrong. As a last resort, the
    railway hired the Dragon Sector hacking group which analysed the trains' software and found code that made the trains fail if their GPS said they'd
    been in a list of locations that happened to match repair shops not run by
    the trains' manufacturer.

    NEWAG, the manufacturer, denies everything and has sued them for slander.

    https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/

    https://www.404media.co/polish-hackers-repaired-trains-the-manufacturer-artificially-bricked-now-the-train-company-is-threatening-them/

    ------------------------------

    Date: Sun, 17 Dec 2023 22:29:07 -0800
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Rise of AI fake news is creating a misinformation superspreader
    (WashPost)

    www.washingtonpost.com

    Artificial intelligence is automating the creation of fake news, spurring an explosion of websites that can disseminate false information about wars and elections

    https://www.washingtonpost.com/technology/2023/12/17/ai-fake-news-misinformation/

    ------------------------------

    Date: Tue, 19 Dec 2023 13:31:53 -0800
    From: Douglas Lucas <dal@riseup.net>
    Subject: Coffee Cty, GA missing laptop may impact Trump, Curling cases

    On 19 Dec, the Daily Dot published my new investigative article digging into the mystery of the missing silver laptop that Coffee County, Georgia -- home
    of the infamous January 2021 elections office breach captured on
    surveillance film -- is going to the mat not to turn over, not to even
    find. This laptop was used extensively by Trump co-defendant and
    then-election supervisor Misty Hampton, charged for facilitating the
    MAGA-led intrusions. If found, the laptop's contents would likely impact two cases in Atlanta courthouses: Trump's criminal one over election
    interference, and the long-running federal civil suit *Curling v. Raffensperger*, in which plaintiffs seek to force the state to abandon mandatory electronic ballots and, in most circumstances, employ instead hand-marked paper ones.

    Here's the link for my investigative article: https://www.dailydot.com/news/missing-laptop-trump-case-georgia/

    Also on 19 Dec, I self-published an accompanying blog post that includes several of the cut passages as well as, for the first time, four previously unreleased surveillance stills. My blog post has a ton of additional
    information, including a longtime area lawyer's proposal that the county
    adopt independent (not conflicted) and possibly pro bono counsel to aid the elections board and public with an internal inquiry into the breach and its aftermath.

    Here's the link for my blog post, the deleted scenes if you will: https://douglaslucas.com/blog/2023/12/19/extra-material-dailydot-investigative-article-laptop/

    I worked on this for something like half a year. There's a lot of material
    that RISKS may be interested in. Mysteries surrounding the .ost file, the Microsoft Office 365 licenses, the county refusing to back up official files
    on the elections desktop computer, as required by law, when the Georgia
    Bureau of Investigation came knocking, they say because they feared
    accusations of tampering. One of the most interesting aspects is lawyers
    that are more powerful than the people they represent, the de jure vs de
    facto power landscape of the county, and how all this can fester and get
    worse when the underlying digital data, in full, headers, signatures, everything, is not out in the open. The opacity allows the overpowered
    lawyers and county manager to run the show, merely claiming this, claiming that, until enough strength shows up to enforce, you know, Rules of
    Evidence.

    ------------------------------

    Date: Fri, 29 Dec 2023 12:05:03 -0800
    From: Jan Wolitzky <jan.wolitzky@gmail.com>
    Subject: Michael Cohen Used Artificial Intelligence in Feeding Lawyer
    Bogus Cases (NYTimes)

    *The New York Times*, 30 Dec 2023, Front-page story (PGN-ed)
    Benjamin Weiser and Jonah Bromwich

    Michael D. Cohen, the onetime fixer for former President Donald J. Trump,
    said in court papers unsealed on Friday that he had mistakenly given his
    lawyer bogus legal citations generated by the artificial intelligence
    program Google Bard.

    The fictitious citations were used by Mr. Cohen's lawyer in a motion
    submitted to a federal judge, Jesse M. Furman. Mr. Cohen, who pleaded guilty
    in 2018 to campaign finance violations and served time in prison, had asked
    the judge for an early end to the court's supervision of his case now that
    he is out of prison and has complied with the conditions of his release.

    In a sworn declaration made public on Friday, Mr. Cohen explained that he
    had not kept up with ``emerging trends (and related risks) in legal
    technology and did not realize that Google Bard was a generative text
    service that, like ChatGPT, could show citations and descriptions that
    looked real but actually were not.''

    https://www.nytimes.com/2023/12/29/nyregion/michael-cohen-ai-fake-cases.html

    [Lauren Weinstein had a note on this:   Most ordinary folks do *not
    understand* what AI and Large Language Models are about. They don't read
    the AI company disclaimers that the firms know are basically there to try
    protect the firms -- not the users. PGN]

    [But Michael Cohen was no ordinary person. Perhaps Google Bard also
    wrote all of ``shakespeare'' (The Bard) retroactively? The illiterate
    Willem Shaksper certainly didn't. PGN]

    [Gabe Goldberg commented, When will they ever learn... PGN]

    ------------------------------

    Date: Fri, 22 Dec 2023 11:35:51 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Splitting a Large AI Across Several Devices Lets You Run It
    in Private (New Scientist)

    Jeremy Hsu, *New Scientist*, 15 Dec 2023, via ACM TechNews

    An AI system based on large language models (LLMs) developed by University
    of California, Irvine researchers can be used locally via smartphone, eliminating reliance on a cloud service's datacenters and permitting LLM queries without having to share sensitive personal information. The LinguaLinked system splits the LLM's computations among several smartphones based on the phones' available memory and network connectivity. The
    researchers used the system to run BLOOM LLMs on four commercial phones,
    with an average AI processing speed per token of 2 seconds on a small AI
    model with 1.1 billion parameters, and 4 seconds on a larger model with 3 billion parameters.

    [This could increase trustworthiness for oneself if one is very careful,
    but could also make it much more difficult for others who won't know
    anything about that trustworthiness -- or the lack thereof. PGN]

    ------------------------------

    Date: Thu, 28 Dec 2023 08:13:43 +0900
    From: David Farber <farber@keio.jp>
    Subject: The Times Sues OpenAI and Microsoft Over AI Use of Copyrighted Work
    (NYTimes)

    https://www.nytimes.com/2023/12/27/business/media/new-york-times-open-ai-microsoft-lawsuit.html?smid=nytcore-ios-share&referringSource=articleShare

    ------------------------------

    Date: Sat, 23 Dec 2023 13:44:36 PST
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Six Big Questions for Generative AI (Tech Review)

    Will Douglas Heaven, MIT Technology Review, Jan/Feb 2024, pp. 30-37

    1. Will we ever mitigate the bias problem?
    2. How will AI change the way we apply copyright?
    3. How will it change our jobs?
    4. What misinformation will it make possible?
    5. Will we come to grips with its costs?
    6. Will doomerism continue to dominate policymaking?

    ------------------------------

    Date: Wed, 20 Dec 2023 00:04:20 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: FTC slams Rite Aid for misuse of facial recognition technology in
    stores (The Washington Post)

    A landmark settlement over the pharmacy chain's use of the surveillance technology could raise further doubts about facial recognition's use in
    stores, airports and other venues

    The FTC said huge errors were commonplace. Between December 2019 and July
    2020, the system generated more than 2,000 *Match Alerts* for the same
    person in faraway stores around the same time, even though the scenarios
    were *impossible or implausible*, the FTC said.

    In one case, Rite Aid's system generated more than 900 *match alerts* for a single person over a five-day period across 130 different stores, including
    in Seattle, Detroit and Norfolk, regulators said.

    The system generated thousands of false matches, and many of them involved
    the faces of women, Black people and Latinos, the FTC said. Federal and independent researchers in recent years have found that those groups are
    more likely to be misidentified by facial-recognition software, though the technology's boosters say the systems have since improved.

    https://www.washingtonpost.com/technology/2023/12/19/ftc-rite-aid-facial-recognition

    ------------------------------

    Date: Sat, 23 Dec 2023 09:53:18 -0700
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: More people at risk as Ontario public bodies face growing wave of
    cyberattacks, experts say (CBC)

    https://www.cbc.ca/news/canada/toronto/cybersecurity-ontario-incidents-2023-1.7048495

    ------------------------------

    Date: Sun, 24 Dec 2023 13:11:30 +0000
    From: Richard Marlon Stein <rmstein@protonmail.com>
    Subject: New AI model can predict human lifespan, researchers say.
    They want to make sure it's used for good (phys.org)

    https://phys.org/news/2023-12-ai-human-lifespan-good.html

    "Even though we're using prediction to evaluate how good these models are,
    the tool shouldn't be used for prediction on real people."

    Ripe for commercial exploitation. Hospitals and insurance companies might
    find this model enables cherry picking of patients (ER patient dumping) and policy price schedules.

    [The old dual-use problem: Anything that can be used for good can be used
    for bad. That should have been a corollary of Murphy's Law. PGN]

    ------------------------------

    Date: Fri, 22 Dec 2023 18:38:21 -0500
    From: Cliff Kilby <cliffjkilby@gmail.com>
    Subject: BBC has the miraculous report of an AI that is capable of learning.
    (BBC)

    https://www.bbc.com/news/business-67748255

    In other slightly less miraculous news, generative modeling is now capable
    of doing what used to be done by hand faster than when it was done by hand. This is improving flood hazard prediction. I would add to that prediction: flood insurance premiums are likely to rise. Umbrella disclaimer,

    ------------------------------

    Date: Sat, 30 Dec 2023 09:16:40 -0800
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: A New Kind of AI Copy Can Fully Replicate Famous People (Politico)

    The Law Is Powerless.

    New AI-generated digital replicas of real experts expose an unnerving policy gray zone. Washington wants to fix it, but it’s not clear how.

    Martin Seligman, the influential American psychologist, found himself
    pondering his legacy at a dinner party in San Francisco one late February evening. The guest list was shorter than it used to be: Seligman is 81, and
    six of his colleagues had died in the early Covid years. His thinking had already left a profound mark on the field of positive psychology, but the closer he came to his own death, the more compelled he felt to help his work survive.

    The next morning he received an unexpected email from an old graduate
    student, Yukun Zhao. His message was as simple as it was astonishing: Zhao's team had created a *virtual Seligman*.

    Zhao wasn't just bragging. Over two months, by feeding every word Seligman
    had ever written into cutting-edge AI software, he and his team had built an eerily accurate version of Seligman himself -- a talking chatbot whose
    answers drew deeply from Seligman’s ideas, whose prose sounded like a folksier version of Seligman’s own speech, and whose wisdom anyone could access.

    Impressed, Seligman circulated the chatbot to his closest friends and family
    to check whether the AI actually dispensed advice as well as he did. “I gave it to my wife and she was blown away by it,” Seligman said.

    The bot, cheerfully nicknamed “Ask Martin,” had been built by researchers based in Beijing and Wuhan — originally without Seligman’s permission, or even awareness.

    The Chinese-built virtual Seligman is part of a broader wave of AI chatbots modeled on real humans, using the powerful new systems known as large
    language models to simulate their personalities online. Meta is
    experimenting with licensed AI celebrity avatars <https://www.theverge.com/2023/9/27/23891128/meta-ai-assistant-characters-whatsapp-instagram-connect>;
    you can already find internet chatbots trained on publicly available
    material about dead historical figures <https://www.hellohistory.ai>.

    But Seligman’s situation is also different, and in a way more unsettling. It has cousins in a small handful of projects that have effectively replicated living people without their consent. In Southern California, tech
    entrepreneur Alex Furmansky created a chatbot version of Belgian celebrity psychotherapist Esther Perel by scraping her podcasts off the internet. He
    used the bot to counsel himself through a recent heartbreak, documenting his journey in a blog post <https://magneticgrowth.substack.com/p/esther-perel-generative-ai-bot> that
    a friend eventually forwarded to Perel herself. [...]

    https://www.politico.com/news/magazine/2023/12/30/ai-psychologist-chatbot-00132682

    ------------------------------

    Date: Wed, 27 Dec 2023 17:19:05 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: AI in the Machine Internet (Dana F. Blankenhorn)

    Everything is a System. Every system can be more efficient with AI

    https://danafblankenhorn.substack.com/p/ai-in-the-machine-internet

    [Everything is indeed a system. Every system can also be less
    trustworthy with AI. Cassandra-PGN]

    ------------------------------

    Date: Sat, 30 Dec 2023 00:58:02 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Chinese Spy Agency Rising to Challenge the CIA (NYTimes)

    The ambitious Ministry of State Security is deploying AI and other advanced technology to go toe-to-toe with the United States, even as the two nations
    try to pilfer each other's scientific secrets.

    https://www.nytimes.com/2023/12/27/us/politics/china-cia-spy-mss.html?smid=nytcore-ios-share&referringSource=articleShare

    ------------------------------

    Date: Wed, 20 Dec 2023 11:47:32 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Open-Source Chip Design Takes Hold in Silicon Valley (WSJ)

    Belle Lin, The Wall Street Journal (12/14/23), via ACM TechNews

    Because RISC-V, the open-source standard developed in 2010 for designing semiconductors, is free, it allows for the development of lower-cost, potentially more efficient processors for artificial intelligence and mobile devices. Google and Meta have said the open standard enables greater customization. Forrester Research's Glenn O'Donnell said RISC-V is
    particularly attractive for companies because it does not require upfront licensing fees. However, Dell's John Roese said the "middleware" software supporting RISC-V has not been fully developed for datacenters and other high-performance applications. Roese explained, "Until you have enough of a software and developer ecosystem, these things stay very niche."

    ------------------------------

    Date: Thu, 28 Dec 2023 02:49:07 +0000
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: Operation Triangulation: The last 'hardware' mystery
    (Securelist)

    https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/

    ------------------------------

    Date: Tue, 19 Dec 2023 10:39:14 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: TERRAPIN: SSH protects the world's most sensitive networks. It just
    got a lot weaker (Ars Technica)

    https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

    [Also noted by Victor Miller. PGN]

    ------------------------------

    Date: Thu, 21 Dec 2023 00:26:32 -0500
    From: Bob Gezelter <gezelter@rlgsc.com>
    Subject: TERRAPIN and SSH Prefix Truncation Attack

    ArsTechnica reported that Terrapin, a man-in-the-middle attack against the widely used SSH protocol, is feasible in combination with widely used "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC" encryption modes.

    https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
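
    As an added example (not code from Bob Gezelter's post, the Ars Technica article, or the Terrapin authors' own scanner), here is a Python check over the algorithm lists two SSH peers exchange in SSH_MSG_KEXINIT (RFC 4253, section 7.1). It applies the conditions just described: a session is exposed when it negotiates chacha20-poly1305@openssh.com, or a CBC cipher together with an Encrypt-then-MAC MAC, and the OpenSSH "strict kex" countermeasure only helps when both peers advertise it (kex-strict-s-v00@openssh.com from the server, kex-strict-c-v00@openssh.com from the client). The KEXINIT messages below are constructed samples, not captures of real hosts:

```python
"""Terrapin exposure check over SSH_MSG_KEXINIT (RFC 4253, section 7.1). Added example."""
import struct

SSH_MSG_KEXINIT = 20
CHACHA = "chacha20-poly1305@openssh.com"
STRICT_KEX_SERVER = "kex-strict-s-v00@openssh.com"  # server advertises strict kex
STRICT_KEX_CLIENT = "kex-strict-c-v00@openssh.com"  # client advertises strict kex
DIRECTIONS = ("client_to_server", "server_to_client")

# The ten name-lists of SSH_MSG_KEXINIT, in wire order.
NAME_LISTS = ("kex_algorithms", "server_host_key_algorithms",
              "encryption_algorithms_client_to_server", "encryption_algorithms_server_to_client",
              "mac_algorithms_client_to_server", "mac_algorithms_server_to_client",
              "compression_algorithms_client_to_server", "compression_algorithms_server_to_client",
              "languages_client_to_server", "languages_server_to_client")


def parse_kexinit(payload: bytes) -> dict:
    """Decode a KEXINIT payload: type byte, 16-byte cookie, ten name-lists, bool, uint32."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    pos, fields = 17, {}
    for name in NAME_LISTS:
        if pos + 4 > len(payload):
            raise ValueError(f"truncated before {name}")
        (length,) = struct.unpack(">I", payload[pos:pos + 4])
        pos += 4
        if pos + length > len(payload):
            raise ValueError(f"truncated inside {name}")
        raw = payload[pos:pos + length].decode("ascii")
        pos += length
        fields[name] = [alg for alg in raw.split(",") if alg]
    if pos + 5 > len(payload):
        raise ValueError("truncated trailer")
    fields["first_kex_packet_follows"] = bool(payload[pos])
    return fields


def build_kexinit(**lists) -> bytes:
    """Encode a KEXINIT payload (zero cookie); used here only to construct sample input."""
    out = bytes([SSH_MSG_KEXINIT]) + bytes(16)
    for name in NAME_LISTS:
        raw = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(raw)) + raw
    return out + b"\x00" + bytes(4)  # first_kex_packet_follows = false, reserved = 0


def negotiate(client_list, server_list):
    """RFC 4253 7.1: the first algorithm in the client's list that the server also lists."""
    return next((alg for alg in client_list if alg in server_list), None)


def affected_mode(cipher, mac) -> bool:
    """Terrapin needs ChaCha20-Poly1305, or a CBC cipher paired with an Encrypt-then-MAC MAC."""
    if cipher == CHACHA:
        return True  # AEAD mode: the MAC list is not used
    return bool(cipher and mac and cipher.endswith("-cbc") and mac.endswith("-etm@openssh.com"))


def terrapin_exposure(server: dict, client: dict) -> dict:
    """Simulate negotiation for both directions and decide whether this pairing is attackable."""
    strict = STRICT_KEX_SERVER in server["kex_algorithms"] and STRICT_KEX_CLIENT in client["kex_algorithms"]
    report = {"strict_kex": strict}
    for d in DIRECTIONS:
        cipher = negotiate(client[f"encryption_algorithms_{d}"], server[f"encryption_algorithms_{d}"])
        mac = negotiate(client[f"mac_algorithms_{d}"], server[f"mac_algorithms_{d}"])
        report[d] = {"cipher": cipher, "mac": mac, "affected": affected_mode(cipher, mac)}
    # Strict kex only helps when BOTH peers advertise it; a patched server with an old client stays exposed.
    report["vulnerable"] = not strict and any(report[d]["affected"] for d in DIRECTIONS)
    return report


def kexinit(kex, ciphers, macs) -> dict:
    """Constructed sample peer: same cipher/MAC lists in both directions."""
    return parse_kexinit(build_kexinit(
        kex_algorithms=kex, server_host_key_algorithms=["ssh-ed25519"],
        encryption_algorithms_client_to_server=ciphers, encryption_algorithms_server_to_client=ciphers,
        mac_algorithms_client_to_server=macs, mac_algorithms_server_to_client=macs,
        compression_algorithms_client_to_server=["none"], compression_algorithms_server_to_client=["none"]))


# Constructed peers (not captures of real hosts). Preference order matters: the client's list wins.
KEX = ["curve25519-sha256"]
CLIENT = kexinit(KEX, [CHACHA, "aes256-gcm@openssh.com", "aes256-cbc"],
                 ["hmac-sha2-256-etm@openssh.com", "hmac-sha2-256"])
STRICT_CLIENT = kexinit(KEX + [STRICT_KEX_CLIENT], CLIENT["encryption_algorithms_client_to_server"],
                        CLIENT["mac_algorithms_client_to_server"])
UNPATCHED_SERVER = kexinit(KEX, [CHACHA, "aes256-gcm@openssh.com"], ["hmac-sha2-256-etm@openssh.com"])
PATCHED_SERVER = kexinit(KEX + [STRICT_KEX_SERVER], [CHACHA, "aes256-gcm@openssh.com"],
                         ["hmac-sha2-256-etm@openssh.com"])
CBC_ETM_SERVER = kexinit(KEX, ["aes256-cbc"], ["hmac-sha2-256-etm@openssh.com"])
HARDENED_SERVER = kexinit(KEX, ["aes256-gcm@openssh.com"], ["hmac-sha2-256"])

if __name__ == "__main__":
    for label, srv, cli in (("unpatched server / old client", UNPATCHED_SERVER, CLIENT),
                            ("patched server / old client", PATCHED_SERVER, CLIENT),
                            ("patched server / patched client", PATCHED_SERVER, STRICT_CLIENT),
                            ("CBC+EtM server / old client", CBC_ETM_SERVER, CLIENT),
                            ("GCM-only server / old client", HARDENED_SERVER, CLIENT)):
        r = terrapin_exposure(srv, cli)
        print(f"{label:34} cipher={str(r['server_to_client']['cipher']):32} vulnerable={r['vulnerable']}")
```

    To run this against a real server, feed parse_kexinit the payload of the server's KEXINIT taken from a packet capture (ssh -vv also prints the same lists as the "peer server KEXINIT proposal"). Terrapin is tracked as CVE-2023-48795; the fix has to land on both ends: upgrade both peers to a release that implements strict kex (OpenSSH 9.6 and later), or remove chacha20-poly1305@openssh.com and every *-cbc cipher from Ciphers so that neither affected mode can be negotiated at all. The AES-GCM ciphers (aes128-gcm@openssh.com, aes256-gcm@openssh.com) are not an affected mode, which is what the last sample shows.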

    ------------------------------

    Date: Fri, 22 Dec 2023 09:44:58 +0000
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: GTA 6 hacker handed indefinite hospital order (Lapsus$)

    https://www.bbc.com/news/technology-67663128

    ------------------------------

    Date: Thu, 21 Dec 2023 03:37:32 +0000
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: Xfinity waited to patch critical Citrix Bleed 0-day. Now it's
    paying the price (Ars Technica)

    https://arstechnica.com/security/2023/12/hack-of-unpatched-comcast-servers-results-in-stolen-personal-data-including-passwords/

    ------------------------------

    Date: Thu, 21 Dec 2023 13:42:06 +0000
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: The 2010 Census Confidentiality Protections Failed, Here's How and
    Why (Arxiv)

    https://arxiv.org/abs/2312.11283

    ------------------------------

    Date: December 27, 2023 10:38:40 JST
    From: Rod Van Meter <rdv@sfc.wide.ad.jp>
    Subject: Quantum Computing's Hard, Cold Reality Check* (IEEE)

    [Victor Miller noted this item: https://spectrum.ieee.org/quantum-computing-skeptics
    Rod replied to a separate posting from Dave Farber. PGN]

    Just a few comments on the overall thrust rather than detailed comments, so rather than top-posting I just deleted the content. You may both post this
    to your lists if you like.

    As a confirmed optimist but realist who has now invested twenty years in
    this field, by and large I endorse this. We are moving from analog through digital to quantum information; in my opinion, quantum represents a fully fundamental change in processing methods, but we still have a long ways to
    go to realize the full impact.

    For the most part, unlike many "hit pieces" on quantum, they have talked to
    the right people. LeCun is a known skeptic, and Meta is probably the most important tech company in the world that is deliberately *NOT* doing
    quantum. I don't really know how much he does or doesn't know about quantum, but his opinion carries weight and I don't think he is simply knee-jerk opposed. Troyer and Aaronson are both well known and respected researchers (though Aaronson may be getting a little over-exposed in the media these
    days; he's eminently quotable and is the field's most prominent blogger, so
    he is the go-to guy for many media, it seems). (Please, PLEASE do not listen
    to Michio Kaku on quantum; his explanations of how these things work are far too garbled to be useful, regardless of what you think about the gauzier musings about quantum computing and the Universe.)

    My own favorite of Troyer's papers is this: https://www.science.org/doi/abs/10.1126/science.1252319 https://arxiv.org/abs/1401.2910
    talking about how to quantify a true quantum speedup.

    Oskar Painter is also a professor at a little school called Caltech, which
    the article didn't mention. (It's hard to overstate Tech's influence in quantum. A list of prominent people would take a half a page, with Preskill, Kitaev, Shor, Bacon, Raussendorf, Wehner, Kimble, Northup, Vuckovic,
    Gottesman, Leung, Mabuchi, Brun, Hsin-Yuan Huang, Furusawa, Lloyd, etc. as undergrads, grads, postdocs and faculty. And me, let's not forget me. Oh,
    and some guy named Feynman, who gets a share of the credit for originating
    the idea in the first place.)

    Anyway, back to the topic...

    This year saw huge advances toward effective error correction. The month of December alone produced several juicy papers. One that is getting a lot of attention is https://www.nature.com/articles/s41586-023-06927-3 which shows logical operations using quantum error detection (not really quite
    correction yet) on a large number of individual neutral atoms in a trapped array. Personally, I have to issue a mea culpa here, because in the
    mid-2010s I didn't see a path to solid control of neutral systems that
    allowed for the individual control and programmability necessary. The QuEra-Harvard-MIT team has done amazing work.

    I could type for an hour about interesting results from this year, but I
    don't have time this morning.

    Everybody agrees that NISQ (noisy, intermediate-scale quantum) won't
    scale. The biggest question on the table is whether NISQ becomes useful
    before it stops scaling. I think right now a slim majority of people are on the side of "no", though personally I think the jury is still out.

    So, the hardware is progressing; software tools, including compilers, debuggers, etc. still have a long ways to go.

    And it's fair to say that the breadth of applications has not advanced as
    much as I might have hoped two decades ago, but our depth of understanding
    of what is and isn't possible has continued to grow. I'm optimistic that
    when we put these machines in the hands of the next generation of Knuths, Lamports and Torvaldses, that amazing things will happen.

    And we are going to have to continue to rethink education for the #QuantumNative generation; quantum algorithms require a very different way
    of thinking. (And yes, unlike some people, I think the interdisciplinary
    skills such students will learn will stand them in good stead throughout
    their careers, whether they actually focus on quantum or not.) Assuming
    quantum succeeds, we are going to need a LOT of programmers, and not all of them need to understand the low-level physics of the devices, just as most software engineers today have a moderate-to-completely-nonexistent understanding of semiconductor physics.

    ------------------------------

    Date: Tue, 19 Dec 2023 14:14:02 +0000
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: It's easier to convince kids than adults about quantum mechanics
    (Physicist Bob Coecke)

    https://www.theguardian.com/science/2023/dec/16/physicist-bob-coecke-its-easier-to-convince-kids-than-adults-about-quantum-mechanics?CMP=Share_iOSApp_Other

    ------------------------------

    Date: Thu, 28 Dec 2023 15:49:04 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: FCPD Combats Crypto-Related Scams: How to Avoid Falling Victim to
    Fraud (Fairfax County Police Department News)

    Damn. All too common crypto use case. In spite of years-long ongoing
    publicity and warnings.

    https://fcpdnews.wordpress.com/2023/12/28/fcpd-combats-crypto-related-scams-how-to-avoid-falling-victim-to-fraud/

    ------------------------------

    Date: Sat, 23 Dec 2023 10:40:57 +0200
    From: Amos Shapir <amos083@gmail.com>
    Subject: Israeli hackers shut down 70% of Iran's gas stations
    (Times of Israel)

    No details were released, but it seems that the hackers had targeted a
    central payment system.

    Full story at: https://www.timesofisrael.com/israel-linked-group-claims-cyberattack-that-shuts-down-70-of-irans-gas-stations/

    ------------------------------

    Date: Wed, 20 Dec 2023 14:40:44 -0500
    From: Susan Landau <susan.landau@privacyink.org>
    Subject: Blog post on CSAE and E2EE

    I have a short blog post that may be of interest to some of you: https://www.lawfaremedia.org/article/write-the-laws-for-the-world-in-which-we-live-not-the-one-we-imagine.

    ------------------------------

    Date: Mon, 25 Dec 2023 08:57:03 -0500
    From: Jan Wolitzky <jan.wolitzky@gmail.com>
    Subject: The Disturbing Impact of the Cyberattack at the British Library
    (The New Yorker)

    The library has been incapacitated since October, and the effects have
    spread beyond researchers and book lovers.

    https://www.newyorker.com/news/letter-from-the-uk/the-disturbing-impact-of-the-cyberattack-at-the-british-library

    ------------------------------

    Date: Wed, 20 Dec 2023 10:43:07 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    To: nnsquad-dist@vortex.com
    Subject: Data for nearly 36 million Comcast customers leaked to hackers
    (Ars Technica)

    Data for nearly 36 million Comcast customers leaked to hackers
    https://arstechnica.com/security/2023/12/hack-of-unpatched-comcast-servers-results-in-stolen-personal-data-including-passwords/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social

    ------------------------------

    Date: Wed, 20 Dec 2023 23:46:08 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Online searches to evaluate misinformation can increase
    its perceived veracity (Nature)

    Considerable scholarly attention has been paid to understanding belief in online misinformation, with a particular focus on social networks. However, the dominant role of search engines in the information environment remains underexplored, even though the use of online search to evaluate the veracity
    of information is a central component of media literacy interventions.
    Although conventional wisdom suggests that searching online when evaluating misinformation would reduce belief in it, there is little empirical evidence
    to evaluate this claim. Here, across five experiments, we present consistent evidence that online search to evaluate the truthfulness of false news
    articles actually increases the probability of believing them.

    https://www.nature.com/articles/s41586-023-06883-y

    [See the full article for the footnotes not available here. PGN]

    ------------------------------

    Date: Tue, 26 Dec 2023 14:51:10 +0000 (UTC)
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: The 2023 Good Tech Awards (The NYTimes)

    A positive look back at this year's tech developments, from one journalist's viewpoint. Perhaps a refreshing change from the usual RISKS negativity.

    [I.e., our positive focus on reducing risks! But we are always looking
    for items that minimize the risks. Thanks, Steve. Happy New Year with
    fewer risks. PGN].

    https://www.nytimes.com/2023/12/25/technology/the-2023-good-tech-awards.html

    ------------------------------

    Date: Sat, 30 Dec 2023 11:51:28 -0500
    From: Cliff Kilby <cliffjkilby@gmail.com>
    Subject: Do you need git or Subversion?

    You do not need either one specifically. A software development company
    should have a version control system (VCS). DVCS (distributed) is very
    popular with developers as they are less likely to complain about slow transfers, or merge problems. The slow transfer problem is specific to Subversion's storage and transfer model, which operates at the document
    level. Git operates on a mixed model of objects and archives. Mercurial uses
    a similar DVC model. Developers don't complain about merges in git because
    they tend to make that the problem for the person processing pull
    requests. Subversion and Team Foundation are CVCS (centralized). Subversion distributed merge conflicts to the developers, and they don't like that. You
    cannot commit a merge conflict in Subversion. I have not personally worked
    with Team Foundation, but it is my understanding you cannot commit merge conflicts in that system either.

    Merge conflicts arise from multiple developers working on the same document/object at the same time. If you have merge conflicts on a regular basis, your developers are working on a crappy codebase. Moving to DVCS
    won't fix that.

    Git was developed by the hardest working man in IT to deal with a project
    that was intentionally designed to be mostly monolithic as it was the
    source for a kernel, which is monolithic.

    Are you developing a monolithic kernel? No? Then you do not need git nor
    DVCS. You need to fix your codebase.

    Are you developing open-source software? No? Then you do not need git nor
    DVCS.

    Are you developing software which has a GRC mandate to be tracked? Yes?
    Then you need CVCS. Unless you take a lot of extra time to ensure that your
    git is setup for signed commits and that your developers are using signing
    by whoever the developer said their email address was at the time.

    Subversion only operates in two modes, anonymous and authenticated. If you
    set authentication up, every commit is authenticated. Developers cannot
    attempt a commit without authentication.

    Are you working on a codebase which needs additional restrictions on
    branches or specific files? DVCS pushes the whole codebase to everyone. If
    you can see the project, you can see everything in it. And the file that
    was deleted because it had a raw key in it? Hope you pruned your history, otherwise, it's still there.

    What do you mean you moved to git to stop having to deal with

    [continued in next message]
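
    As an added example (not code from Cliff Kilby's post), the following Python script, which needs the git command on PATH, reproduces two of the points made above in a throwaway repository with a constructed, non-functional credential: a file deleted because it held a key is still recoverable from any commit that contained it, and an unsigned commit records whatever author e-mail the committer claims. The file name config.env and the example.invalid addresses are invented for the demonstration:

```python
"""What git history keeps after a secret-bearing file is deleted. Added example.

Requires the `git` command. The repository is temporary and the credential is a
constructed placeholder, not a real key.
"""
import subprocess
import tempfile
from pathlib import Path

FAKE_SECRET = "CONSTRUCTED-EXAMPLE-KEY-0000-NOT-REAL"  # placeholder, never a live credential


def git(repo: Path, *args: str) -> str:
    """Run one git command inside `repo` and return its stdout."""
    return subprocess.run(["git", "-C", str(repo), *args], check=True,
                          capture_output=True, text=True).stdout


def commits_containing(repo: Path, needle: str) -> list:
    """Commits reachable from any ref whose tree still contains `needle`.

    This is the whole-history search a reviewer (or anyone holding a clone) can run;
    it does not depend on the file existing in the current checkout.
    """
    hits = []
    for rev in git(repo, "rev-list", "--all").split():
        # `git grep <pattern> <tree>` exits 1 when nothing matches, so no check=True here.
        done = subprocess.run(["git", "-C", str(repo), "grep", "-q", "-F", "-e", needle, rev],
                              capture_output=True)
        if done.returncode == 0:
            hits.append(rev)
    return hits


def demo() -> dict:
    """Commit a key, delete it in the next commit, then ask the history what it still exposes."""
    with tempfile.TemporaryDirectory() as tmp:
        repo = Path(tmp) / "app"
        subprocess.run(["git", "-c", "init.defaultBranch=main", "init", "-q", str(repo)], check=True)
        git(repo, "config", "user.email", "dev@example.invalid")
        git(repo, "config", "user.name", "Example Dev")

        (repo / "config.env").write_text(f"API_KEY={FAKE_SECRET}\n")  # hypothetical file name
        git(repo, "add", "config.env")
        git(repo, "commit", "-q", "-m", "add config")
        git(repo, "rm", "-q", "config.env")
        git(repo, "commit", "-q", "-m", "remove config.env (it held a key)")

        # Unsigned commits record whatever identity the committer asserts on the command line.
        git(repo, "-c", "user.email=someone-else@example.invalid", "commit", "-q",
            "--allow-empty", "-m", "commit with a claimed identity")

        return {
            "in_working_tree": (repo / "config.env").exists(),
            "commits_with_secret": len(commits_containing(repo, FAKE_SECRET)),
            "total_commits": len(git(repo, "rev-list", "--all").split()),
            "last_author_email": git(repo, "log", "-1", "--format=%ae").strip(),
        }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The checkout no longer has the file, yet one of the three commits still carries the key, and every clone that fetched before the deletion carries it too; rewriting history (git filter-repo or similar) cleans only the copies you control, so a committed key has to be rotated. The last field is the identity point behind the post's GRC remark: git log -1 --format=%ae simply reports the address the committer claimed, and only signing (commit.gpgsign on the author side) plus signature verification on the receiving side binds a commit to a person.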
