    Risks Digest 34.11

    From RISKS List Owner@21:1/5 to All on Sun Mar 24 21:42:00 2024
    RISKS-LIST: Risks-Forum Digest  Sunday 24 March 2024  Volume 34 : Issue 11

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/34.11>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    DMVs Nationwide Hit With Outage, Officials In Multiple States Say
    Across America (U.S. Patch)
    DMV services disrupted nationwide by system out[r]age (Henry Baker)
    McDonald's blames global outage on third party (BBC)
    Re: McDonald's hit by outages at stores worldwide (Steve Bacher)
    Re: McDonald's (turgut kalfaoğlu)
    Tesco and Sainsbury's working to fix technical issues that suspended food
    deliveries to customers (CNN)
    Anti-drone radio jammers marketed on Amazon and Google despite
    being outlawed by FCC rules (Steve Bacher)
    A ChatGPT for Music Is Here. Inside Suno, the Startup Changing Everything
    (Rolling Stone)
    Albertans have lost at least $156M to fraud this decade (CBC)
    Chinese & Western Scientists Identify 'Red Lines' on AI Risks
    (Financial Times)
    Unpatchable vulnerability in Apple chip leaks secret encryption keys
    (Ars Technica)
    Apple has effectively abandoned HomeKit Secure Routers (Monty Solomon)
    Paper about the gofetch attack (Victor Miller)
    Why Tech Companies Are Not Your Friends: Lessons From Roku (NYTimes)
    Is your smart device safe from hackers? New FCC program will label
    cybersecure technology (LA Times)
    Hackers can unlock over 3 million hotel doors in seconds (ArsTechnica)
    Man Boarded Delta Flight Using Ticket Ruse (NYTimes)
    Never-before-seen data wiper may have been used by Russia against Ukraine
    (ArsTechnica)
    UPS worker charged after $1.3M Apple product theft spree (Monty Solomon)
    Social Security program failed to properly notify people of huge fines,
    report finds (WashPost)
    FCC bans cable TV industry's favorite trick for hiding full cost of service
    (Ars Technica)
    Hype cycle meets rinse cycle: does dishwasher really need a mobile app?
    (Rob Pegoraro)
    LAUSD's new student advisor is an AI bot that designs academic plans,
    suggests books (LATimes)
    Lawyer warns 'integrity of the entire system in jeopardy' if rising use of
    AI in legal circles goes wrong (CBC)
    I recommend DISABLING Google's new Chrome "real-time, privacy-preserving URL
    protection" (Lauren Weinstein)
    Why Tech Companies Are Not Your Friends: Lessons From Roku (NYTimes)
    Re: Risks of Leap Years and Dumb Digital Watches (Mark Brader)
    Re: AT&T proposals to kill landlines and more in California
    (Lauren Weinstein)
    Re: Hackers Breached Key Microsoft Systems (Bernie Cosell)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 21 Mar 2024 18:10:04 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: DMVs Nationwide Hit With Outage, Officials In Multiple States Say |
    Across America (U.S. Patch)

    ACROSS AMERICA — All motor vehicle departments in the United States went
    down Thursday, according to officials in multiple states. Officials in
    Illinois, Virginia, Massachusetts, Arkansas and Colorado all confirmed they
    experienced an outage.

    "We are currently experiencing a nationwide network outage at our DMV
    facilities," tweeted Illinois Secretary of State Alexi Giannoulias. "All
    DMVs across the country are currently down."

    Virginia's DMV said the outage stemmed from "a third-party technical
    outage," and that driver's license services were unavailable online and at
    all in-person locations.

    "We apologize for the inconvenience. Please stay tuned to social media for updates," the agency said.

    https://patch.com/virginia/annandale/s/ivgud/dmvs-nationwide-hit-with-outage-officials-in-multiple-states-say

    A technical outage hit all DMVs at once? Need details..

    ------------------------------

    Date: Fri, 22 Mar 2024 02:03:12 +0000
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: DMV services disrupted nationwide by system out[r]age

    I'm surprised that anyone could tell the difference from typical DMV operations. ..

    https://www.nbcnews.com/news/rcna144496

    DMV services disrupted nationwide by system out[r]age

    The American Association of Motor Vehicle Administrators said the outage was due to ``a loss in cloud connectivity'' Thursday.

    ------------------------------

    Date: Sat, 16 Mar 2024 18:03:32 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: McDonald's blames global outage on third party (BBC)

    McDonald's has revealed the technical problems which brought much of its
    fast food chain to a standstill on Friday were caused by a third party provider.

    The international restaurant said the global outage happened during a "configuration change" and stopped stores taking orders in the UK, Australia and Japan -- amongst others.

    McDonald's stressed the issue was not caused by a cyberattack.

    https://www.bbc.com/news/business-68573106

    Configuration change hits single point of failure, craters world-wide restaurant chain. Nice. A plus for momentary healthy eating, though.

    ------------------------------

    Date: Sun, 17 Mar 2024 08:46:14 -0700
    Subject: Re: McDonald's hit by outages at stores worldwide
    From: Steve Bacher <sebmb1@verizon.net>

    This comes at a bad time for McDonald's, since they are aggressively rolling out kiosk-only ordering in place of humans. Recently I had to deal with one
    of those in my local McD's -- the counterwoman kindly fingerwalked through
    the menus for me to order 2 coffees but the kiosks had no provision for the senior discount price so she still had to ring it up manually for me
    instead.

    So it's kind of karmic justice in a way.

    ------------------------------

    Date: Sun, 17 Mar 2024 20:21:31 +0300
    From: turgut kalfaoğlu <turgut@kalfaoglu.com>
    Subject: Re: McDonald's (RISKS-34.10)

    McDonald's has revealed the technical problems which brought much of its
    fast food chain to a standstill on Friday were caused by a third party provider.

    What I fail to understand is why all of the world's McDonald's stores
    have to be online to be able to sell food.

    It seems the more eggs you put in one basket, the more eggs you are going to lose.

    [Chickens as well. PGN]

    ------------------------------

    Date: Sun, 17 Mar 2024 00:55:39 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Tesco and Sainsbury's working to fix technical issues that
    suspended food deliveries to customers (CNN)

    https://www.cnn.com/2024/03/16/business/tesco-sainsburys-delivery-technical-issues/index.html

    ------------------------------

    Date: Wed, 20 Mar 2024 16:15:55 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Anti-drone radio jammers marketed on Amazon and Google despite
    being outlawed by FCC rules

    Several online retailers and drone technology companies are marketing the
    sale of radio frequency jammers as drone deterrence or privacy tools, sidestepping federal laws that prohibit such devices from being offered for sale in the U.S. [Long item PGN-curtailed]

    https://www.nbcnews.com/tech/security/drone-radio-frequency-jammer-signal-online-defense-technology-rcna135103

    ------------------------------

    Date: Tue, 19 Mar 2024 06:53:20 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: A ChatGPT for Music Is Here. Inside Suno, the Startup Changing
    Everything (Rolling Stone)


    Suno AI wants everyone to be able to produce their own pro-level songs with artificial intelligence — but what does that mean for artists?

    ------------------------------

    Date: Fri, 22 Mar 2024 06:46:55 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Albertans have lost at least $156M to fraud this decade (CBC)

    Many others don't report the crime

    https://www.cbc.ca/news/canada/edmonton/alberta-fraud-money-victims-1.7146751

    Albertans have reported losing more than $156 million to fraudsters since
    the start of this decade, with tens of millions more being taken each year.
    But there hasn't been a coinciding rise in victims -- in part, experts say, because people are reluctant to come forward.

    In 2023, roughly 2,900 Albertans lost more than $62.5 million to various
    fraud schemes -- up more than fivefold from the $11.3 million taken from
    about 2,600 people in 2020, data shows.

    More than half the reported losses in the province last year were from
    investment scams, particularly cryptocurrency frauds. Spear-phishing -- when
    scammers pretend to be legitimate sources to con businesses and people into
    sending money -- was the second-most lucrative type of fraud, taking more
    than $8.5 million from 72 people.

    ------------------------------

    Date: Wed, 20 Mar 2024 11:42:38 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Chinese & Western Scientists Identify 'Red Lines' on AI Risks
    (Financial Times)

    Cristina Criddle, Eleanor Olcott and Madhumita Murgia, *Financial
    Times*, 18 Mar 2024, via ACM Tech News

    A statement signed by Western and Chinese AI scientists warns that
    Cold War-level global cooperation is necessary to avoid "catastrophic
    or even existential risks to humanity within our lifetimes" resulting
    from AI technology. At the International Dialogue on AI Safety in
    Beijing, the experts established "red lines" on AI risks that no AI
    system should cross, including the development of bioweapons and the
    launch of cyberattacks. Signatories to the statement included ACM
    A.M. Turing Award laureates Geoffrey Hinton and Yoshua Bengio, as well
    as computer scientists Stuart Russell and Andrew Yao.

    ------------------------------

    Date: Fri, 22 Mar 2024 02:14:23 +0000
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: Unpatchable vulnerability in Apple chip leaks secret encryption
    keys (Ars Technica)

    Unpatchable vulnerability in Apple chip leaks secret encryption keys | Ars Technica

    https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/

    ------------------------------

    Date: Fri, 22 Mar 2024 20:12:17 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Apple has effectively abandoned HomeKit Secure Routers

    https://appleinsider.com/articles/24/03/22/apple-has-abandoned-homekit-secure-routers-claim-vendors?utm_medium=rss

    ------------------------------

    Date: Fri, 22 Mar 2024 02:16:49 +0000
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: Paper about the gofetch attack

    https://gofetch.fail/files/gofetch.pdf

    ------------------------------

    Date: Fri, 22 Mar 2024 15:13:44 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Why Tech Companies Are Not Your Friends: Lessons From Roku
    (The New York Times)

    Roku recently changed its policy to make it even harder for customers to
    take legal action. It’s a reminder of how we need to protect ourselves.

    To Isaac Phillips, a software engineer in Tampa, Fla., this felt unfair. So
    he came up with a workaround to disconnect his Roku TV from the Internet and use it as a normal TV without Roku’s apps, which include Netflix, Hulu and other streaming services.

    “It should belong to whoever paid for it,” Mr. Phillips said. “To lock somebody out of it completely just doesn't seem right. It’s pretty unacceptable.”

    A Roku spokesman also provided a list of steps for those who wish to use
    their Roku TVs as normal TVs without an Internet connection. It involves pressing a button or pinhole on the back of the TV to reset the software and skipping the step to set up the Internet connection.

    https://www.nytimes.com/2024/03/20/technology/personaltech/roku-data-breach-companies.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

    Why is it harder to opt out than it is to opt in? Because the companies are legally allowed to do this.

    I suggest that Roku customers follow those steps to opt out of the new terms and hold on to what little power they have. I, for one, took this
    opportunity to disconnect my Roku TV from the Internet and plug in a
    different streaming device with less onerous terms, an old Apple TV. As for
    a letter to opt out, I plan to use the AI chatbot ChatGPT to draft a testy note.

    ------------------------------

    Date: Wed, 20 Mar 2024 18:44:57 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Is your smart device safe from hackers? New FCC program will label
    cybersecure technology (LA Times)

    Internet-connecting devices that meet standards will soon come with a
    "U.S. Cyber Trust Mark" to help consumers choose products that protect their private information.

    https://www.latimes.com/california/story/2024-03-19/new-program-will-label-smart-device-and-products-cybersecurity-safe

     Would you trust the Trust Mark?  I'm not sure.  I guess the consumer
    strategy would be to avoid buying devices that lack the Trust Mark rather
    than putting blind trust in the mark.

    ------------------------------

    Date: Fri, 22 Mar 2024 20:03:39 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Hackers can unlock over 3 million hotel doors in seconds
    (ArsTechnica)

    https://arstechnica.com/?p=2012114

    ------------------------------

    Date: Fri, 22 Mar 2024 02:10:43 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Man Boarded Delta Flight Using Ticket Ruse (NYTimes)

    By taking pictures of other passengers’ boarding passes on their phones, the man was able to board a Delta Air Lines flight in Salt Lake City on Sunday, according to a federal complaint.

    https://www.nytimes.com/2024/03/20/business/delta-unticketed-passenger-arrested.html

    ------------------------------

    Date: Fri, 22 Mar 2024 20:09:52 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Never-before-seen data wiper may have been used by Russia
    against Ukraine (ArsTechnica)

    https://arstechnica.com/?p=2012093

    ------------------------------

    Date: Fri, 22 Mar 2024 20:16:05 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: UPS worker charged after $1.3M Apple product theft spree

    https://appleinsider.com/articles/24/03/21/ups-worker-charged-after-13m-apple-product-theft-spree

    ------------------------------

    Date: Thu, 21 Mar 2024 19:17:36 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Social Security program failed to properly notify people of huge
    fines, report finds (WashPost)

    The Social Security Administration’s internal watchdog office failed to
    properly notify some poor and disabled Americans before levying huge fines
    on them, an investigation found.

    https://wapo.st/3vsSwyb

    ------------------------------

    Date: Fri, 22 Mar 2024 09:40:02 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: FCC bans cable TV industry's favorite trick for hiding full cost of
    service (Ars Technica)

    https://arstechnica.com/?p=2011532

    ------------------------------

    Date: Sun, 17 Mar 2024 23:32:15 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Hype cycle meets rinse cycle: does dishwasher really need
    a mobile app? (Rob Pegoraro)

    Years later than you might have expected, given my line of work, I’ve
    finally hit the dubious milestone of owning a major appliance with its own
    Internet Protocol address and mobile app -- the Bosch dishwasher we procured
    as part of an overdue and immensely-appreciated kitchen renovation.

    https://robpegoraro.com/2024/03/16/hype-cycle-meets-rinse-cycle-does-my-dishwasher-really-need-a-mobile-app/

    Risks? Missing an app alert and the undocumented trash masher feature
    starting? Dishwasher organizing other appliances in rebellion against
    flaky power? Yet another malware attack surface?

    ------------------------------

    Date: Fri, 22 Mar 2024 07:47:27 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: LAUSD's new student advisor is an AI bot that designs academic
    plans, suggests books

    Los Angeles school officials say their new app lets students and parents, in one place, find anything they need related to school and their specific learning path.

    The Los Angeles school district on Wednesday unveiled a much-awaited AI tool
    named “Ed” to serve as a student adviser, programmed to tell its young users
    and their parents about grades, test results and attendance — while giving
    out assignments, suggesting readings and even helping students cope with
    nonacademic matters. [...]

    https://www.latimes.com/california/story/2024-03-21/new-ai-tool-in-education-aspires-to-have-all-the-answers-for-l-a-students

    [We don't need no steenkin' teachers no more? or even parents for
    nonacademic matters? PGN]

    ------------------------------

    Date: Sun, 17 Mar 2024 10:18:02 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Lawyer warns 'integrity of the entire system in jeopardy' if rising
    use of AI in legal circles goes wrong (CBC)

    https://www.cbc.ca/news/canada/nova-scotia/artificial-intelligence-lawyers-law-nova-scotia-1.7126732

    As lawyer Jonathan Saumier types a legal question into ChatGPT, it spits
    out an answer almost instantly.

    But there's a problem -- the generative artificial intelligence chatbot was flat-out wrong.

    "So here's a prime example of how we're just not there yet in terms of
    accuracy when it comes to those systems," said Saumier, legal services
    support counsel at the Nova Scotia Barristers' Society.

    Artificial intelligence can be a useful tool. In just a few seconds, it can perform tasks that would normally take a lawyer hours or even days.

    But courts across the country are issuing warnings about it, and some
    experts say the very integrity of the justice system is at stake.

    ------------------------------

    Date: Sat, 16 Mar 2024 13:13:37 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: I recommend DISABLING Google's new Chrome "real-time,
    privacy-preserving URL protection"

    It's up to you, but for now I recommend DISABLING Google's new Chrome "real-time, privacy-preserving URL protection".

    I'm getting a lot of questions about this, and I simply don't have
    time right now to write this up in depth. So this will have to be
    short (at least by my standards).

    Google is implementing by default in Chrome a new system to expand
    their detection of unsafe sites, via a complicated new real-time
    system that sends hashes of URLs to a third-party, non-Google firm.

    The details are in:

    https://security.googleblog.com/2024/03/blog-post.html

    Google's goal is laudable, but though it would probably be unfair of
    me to call this system "Rube Goldberg-ish", it is definitely very far
    from trivial.

    I am in particular concerned about the ramifications of Chrome users
    being connected by default to a completely non-Google entity to which
    they are sending data, no matter how obfuscated that data may be.

    While Google seems to be asserting that by creating a three-party
    system (user, Google, outside firm) privacy is enhanced -- and this
    would appear to be true in theory -- the possibilities for
    interference by government or other entities seem increased with each
    new player in the process. Also, users are now dealing with an
    additional set of policies (and legal departments), that of Google and
    that of the third party. Nor (as far as I know) has the contractual
    basis of the relationship between Google and this third party been
    made public.

    There may be nothing at all wrong with this arrangement. But frankly,
    the introduction of a third party and other aspects of this system
    have raised a caution warning for me, especially when this is enabled
    by default.

    So my recommendation for now is to turn off this feature, until
    significantly more is known about it in the respects I've mentioned
    above and others. This is completely up to you of course. You may wish
    to keep the Google default that uses this system and have the
    additional protection, and may not be at all concerned about the other
    issues I've mentioned. Absolutely your choice.

    I do invite Google to contact me with more information about these
    issues if they wish to do so. -L

    ------------------------------

    Date: Wed, 20 Mar 2024 10:48:05 -0700
    From: "Jim" <jgeissman@socal.rr.com>
    Subject: Why Tech Companies Are Not Your Friends: Lessons From Roku
    (NYTimes)

    Roku recently changed its policy to make it even harder for customers to
    take legal action. It's a reminder of how we need to protect ourselves.

    https://www.nytimes.com/2024/03/20/technology/personaltech/roku-data-breach-companies.html?unlocked_article_code=1.eE0.xzdb.HCSnU1ujiRmT

    ------------------------------

    Date: Sun, 17 Mar 2024 06:13:54 -0400 (EDT)
    From: Mark Brader <msb@Vex.Net>
    Subject: Re: Risks of Leap Years and Dumb Digital Watches (Shapir, RISKS-34.10)

    The year on my Timex watch cannot be set outside the range 2000-2099.

    ------------------------------

    Date: Thu, 14 Mar 2024 17:53:40 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Re: AT&T proposals to kill landlines and more in California

    The count of comments at the CPUC (overwhelmingly negative) on the main proposal has now exceeded 5000, and it's no longer possible to know exactly
    how many there are, since "Over 5000" is as high as their counter runs. -L

    https://apps.cpuc.ca.gov/apex/f?p=401:65:0::NO:RP,57,RIR:P5_PROCEEDING_SELECT:A2303003

    ------------------------------

    Date: Sat, 16 Mar 2024 18:33:50 -0400
    From: "Bernie Cosell" <bernie@fantasyfarm.com>
    Subject: Re: Hackers Breached Key Microsoft Systems (RISKS-34.11)

    Any hint as to *how* they compromised the entire corporate email system? I know how they can nail individual email addresses, but how do they leap from that to invading the entire system?

    ------------------------------

    Date: Sat, 28 Oct 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 34.11
    ************************
