    Risks Digest 34.21

    From RISKS List Owner@21:1/5 to All on Sat Apr 27 21:56:14 2024
    RISKS-LIST: Risks-Forum Digest Saturday 27 April 2024 Volume 34 : Issue 21

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/34.21>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    AI deepfakes threaten to upend global elections. No one can stop them.
    (WashPost)
    Tesla's Autopilot and Full Self-Driving linked to hundreds of crashes,
    dozens of deaths (The Verge)
    Cisco Says Hackers Subverted Its Security Devices to Spy on Governments
    (Reuters)
    Hackers Use Developing Countries as Testing Ground for New Ransomware
    Attacks (Ellesheva Kissin)
    9 Disturbing Stories From People Who Say They Found Cameras in Their Airbnb
    (Gizmodo)
    Millions of IPs remain infected by USB worm years after its
    creators left it for dead (ArsTechnica)
    Chinese Firm Is America's Favorite Drone Maker, Except in Washington
    (NYTimes)
    Stop Using Your Face or Thumb to Unlock Your Phone (Gizmodo)
    How Google's SGE Could Destroy the Internet (Lauren Weinstein)
    FTC questions Amazon's use of disappearing messages on Signal
    (WashPost)
    FTC says Amazon executives destroyed potential evidence by using
    apps like Signal (The Verge)
    Tech brands are forcing AI into your gadgets, whether you asked for
    it or not (ArsTechnica)
    Health insurance giant Kaiser will notify millions of a data breach
    after sharing patients’ data with advertisers (TechCrunch)
    Chaturbate Owes Texas $675,000 for Not Verifying the Age of Users (Gizmodo)
    Android TV has access to your entire account, but Google is changing that
    (ArsTechnica)
    We're always fighting the last war (Henry Baker)
    Prescient Fiction: 'Forbidden Planet' & 21st C. AI (Henry Baker)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 27 Apr 2024 8:37:31 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: AI deepfakes threaten to upend global elections. No one
    can stop them. (WashPost)

    Pranshu Verma and Cat Zakrzewski, *The Washington Post*

    Elections from India to Europe have been assailed by AI deepfakes that
    spread quickly and are no longer easy to debunk -- leaving voters
    vulnerable.

    https://www.washingtonpost.com/technology/2024/04/23/ai-deepfake-election-2024-us-india/

    ------------------------------

    Date: Fri, 26 Apr 2024 19:31:09 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Tesla's Autopilot and Full Self-Driving linked to
    hundreds of crashes, dozens of deaths (The Verge)

    https://www.theverge.com/2024/4/26/24141361/tesla-autopilot-fsd-nhtsa-investigation-report-crash-death

    In March 2023, a North Carolina student was stepping off a school bus when
    he was struck by a Tesla Model Y traveling at “highway speeds,” according to
    a federal investigation that published today. The Tesla driver was using
    Autopilot, the automaker’s advanced driver-assist feature that Elon Musk
    insists will eventually lead to fully autonomous cars.

    The 17-year-old student who was struck was transported to a hospital by
    helicopter with life-threatening injuries. But what the investigation found
    after examining hundreds of similar crashes was a pattern of driver
    inattention, combined with the shortcomings of Tesla’s technology, resulting
    in hundreds of injuries and dozens of deaths.

    Drivers using Autopilot or the system’s more advanced sibling, Full
    Self-Driving, “were not sufficiently engaged in the driving task,” and
    Tesla’s technology “did not adequately ensure that drivers maintained their
    attention on the driving task,” NHTSA concluded.

    ------------------------------

    Date: Fri, 26 Apr 2024 11:40:26 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Cisco Says Hackers Subverted Its Security Devices to Spy on
    Governments (Reuters)

    Raphael Satter, *Reuters*, 24 Apr 2024, via ACM TechNews

    Cisco Systems on Wednesday said that hackers have subverted some of its
    digital security devices to break into government networks globally. In a
    blog post, Cisco said its Adaptive Security Appliances had previously
    unknown vulnerabilities that had been exploited by a group of hackers they
    dubbed "UAT4356." The company described the group as a "sophisticated
    state-sponsored actor." Cisco said the vulnerabilities have been patched.

    ------------------------------

    Date: Fri, 26 Apr 2024 11:40:26 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Hackers Use Developing Countries as Testing Ground for New
    Ransomware Attacks (Ellesheva Kissin)

    Ellesheva Kissin, *Financial Times*, 24 Apr 2024, via ACM TechNews

    Cybersecurity firm Performanta reported that businesses in Africa, Asia, and
    South America increasingly are being used by hackers as testing grounds for
    their latest ransomware before they turn to higher-value targets in North
    America and Europe. Recent dry runs in developing countries focused on a
    Senegalese bank, a Chilean financial services company, a Colombian tax firm,
    and a government economic agency in Argentina.

    ------------------------------

    Date: Fri, 26 Apr 2024 19:47:27 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: 9 Disturbing Stories From People Who Say They Found Cameras in
    Their Airbnb (Gizmodo)

    https://gizmodo.com/airbnb-hidden-cameras-shocking-stories-bedroom-night-1851433108

    Airbnb announced in March that all indoor security cameras would be banned
    at its properties worldwide starting April 30. And if you read through
    online complaints about cameras that were discovered during Airbnb stays
    over the years, it’s easy to understand why it’s been such a controversial issue.

    Gizmodo filed a Freedom of Information Act request with the FTC for any
    consumer complaints filed about Airbnb that involved cameras. Some of the
    complaints are fairly mundane, and simply mention how cameras may have been
    used to prove things that break the rules at Airbnb properties. But others
    are pretty horrifying and involve hidden cameras in places where people
    expect privacy.

    ------------------------------

    Date: Fri, 26 Apr 2024 19:57:18 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Millions of IPs remain infected by USB worm years after its
    creators left it for dead (ArsTechnica)

    https://arstechnica.com/?p=2020055

    ------------------------------

    Date: Fri, 26 Apr 2024 11:40:26 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Chinese Firm Is America's Favorite Drone Maker, Except in Washington
    (NYTimes)

    Kate Kelly and Julian E. Barnes, *The New York Times*, 25 Apr 2024,
    via ACM TechNews

    The Countering CCP Drones Act, under consideration by the U.S. Congress,
    would threaten the commercial business of DJI, a Chinese drone manufacturer
    that dominates sales among U.S. law enforcement agencies and hobbyists. The
    legislation would put the company on a Federal Communications Commission
    roster that would prevent it from running on U.S. communications
    infrastructure. Researchers found vulnerabilities in an app that controls
    DJI's drones could be used to access personal data (a U.S. official said all
    known vulnerabilities currently have been patched).

    ------------------------------

    Date: Fri, 26 Apr 2024 19:47:58 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Stop Using Your Face or Thumb to Unlock Your Phone (Gizmodo)

    Last week, the 9th Circuit Court of Appeals in California released a ruling
    that concluded state highway police were acting lawfully when they forcibly
    unlocked a suspect's phone using their fingerprint. You probably didn’t hear
    about it. The case didn’t get a lot of coverage, especially because the
    courts weren’t giving a blanket green light for every cop to shove your
    thumb to your screen during an arrest. But it’s another toll of the warning
    bell that reminds you to not trust biometrics to keep your phone’s
    sensitive info private. In many cases, especially if you think you might
    interact with the police (at a protest, for example), you should seriously
    consider turning off biometrics on your phone entirely.

    https://gizmodo.com/stop-using-your-face-or-thumb-to-unlock-your-phone-1851438205

    ------------------------------

    Date: Sat, 27 Apr 2024 09:26:18 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: How Google's SGE Could Destroy the Internet (Lauren Weinstein)

    Google's LLM AI SGE ("Search Generative Experience") could effectively
    destroy the Internet for all but the largest sites -- the same
    Internet that #Google so effectively helped to build.

    This is becoming clear as SGE rolls out to most users, with SGE
    "answers" now appearing on a vast number of Google queries. Leaving
    aside the serious questions around the accuracy of such responses and
    everything associated with that, the mere presence of the responses
    could be devastating to most sites.

    These SGE answers are frequently verbose and can take up much of the
    entire first screen -- or more -- of the results pages. This means you
    may have to scroll down to even FIND the first organic "blue link"
    results. Devastating.

    To be clear, many of the SGE responses are themselves showing links to
    the answers' source materials (e.g., in colored boxes) -- but the
    obvious question is, why the hell would most users bother to click on
    those links once they already have the answers that Google's LLM has
    provided, based on the information that Google sucked without
    compensation into their LLM from those sites? It's impossible to
    imagine that click through rates to those sites won't be crushed.

    Google executives appear to be thrilled with how well this is going --
    FOR THEM. For the sites providing the data that is now powering
    Google's SGE encroaching, destructive storm, it's likely going to be a
    disaster, unless Google and other AI firms make major changes in their
    deployment models -- whether voluntarily or under the force of new
    regulatory models. -L

    ------------------------------

    Date: Fri, 26 Apr 2024 14:44:21 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: FTC questions Amazon's use of disappearing messages on Signal
    (WashPost)

    *The Washington Post*, 26 Apr 2024
    https://www.washingtonpost.com/technology/2024/04/26/amazon-ftc-messages-deleted-bezos/

    The Federal Trade Commission is accusing Amazon founder Jeff Bezos and
    other top company executives of using disappearing messaging apps such
    as Signal to conceal potential evidence in the agency's ongoing
    antitrust case against the e-commerce behemoth.

    ``For years, Amazon's top executives, including founder and former CEO
    Jeff Bezos, discuss[ed] sensitive business matters, including antitrust,
    over the Signal encrypted-messaging app instead of email,'' the FTC
    alleged in a document filed Thursday evening. ``These executives turned
    on Signal's *disappearing message* feature, which irrevocably destroys
    messages, even after Amazon was on notice that Plaintiffs were
    investigating its conduct.''

    The agency, which first accused Amazon of intentionally deleting messages
    in its original antitrust complaint last fall, is now asking a U.S.
    District Court judge to order the company to turn over documents related
    to its handling of data. It's the latest salvo in a landmark case in which
    the FTC is arguing that Amazon abused its dominance of e-commerce to
    squeeze merchants and bury rivals, leading to higher prices for consumers.
    (Bezos owns The Washington Post.)

    ``The FTC's contentions are baseless,'' Amazon spokesman Tim Doyle said in
    a statement, responding to the filing alleging destruction of evidence.
    ``Amazon voluntarily disclosed employees' limited Signal use to the FTC
    years ago, thoroughly collected Signal conversations from its employees'
    phones, and allowed agency staff to inspect those conversations even when
    they had nothing to do with the FTC's investigation. The FTC has a
    complete picture of Amazon's decision-making in this case, including 1.7
    million documents from sources like email, internal messaging
    applications, and laptops (among other sources), and over 100 terabytes of
    data.'' [..]

    ------------------------------

    Date: Fri, 26 Apr 2024 19:32:39 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: FTC says Amazon executives destroyed potential evidence by using
    apps like Signal (The Verge)

    https://www.theverge.com/2024/4/26/24141801/ftc-amazon-antitrust-signal-ephemeral-messaging-evidence

    ------------------------------

    Date: Fri, 26 Apr 2024 19:54:32 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Tech brands are forcing AI into your gadgets, whether you asked for
    it or not (ArsTechnica)

    https://arstechnica.com/gadgets/2024/04/ai-marketing-hype-is-coming-for-your-favorite-gadgets

    ------------------------------

    Date: Fri, 26 Apr 2024 19:43:32 -0400
    From: "Monty Solomon" <monty@roscom.com>
    Subject: Health insurance giant Kaiser will notify millions of a data breach
    after sharing patients’ data with advertisers (TechCrunch)

    https://techcrunch.com/2024/04/25/kaiser-permanente-health-plan-millions-data-breach/

    ------------------------------

    Date: Fri, 26 Apr 2024 19:45:49 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Chaturbate Owes Texas $675,000 for Not Verifying the Age of
    Users (Gizmodo)

    https://gizmodo.com/chaturbate-porn-age-verification-law-ken-paxton-pornhub-1851439770

    ------------------------------

    Date: Fri, 26 Apr 2024 19:51:57 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Android TV has access to your entire account, but Google is
    changing that (ArsTechnica)

    https://arstechnica.com/?p=2020252

    ------------------------------

    Date: Sat, 27 Apr 2024 03:34:57 +0000
    From: "Henry Baker" <hbaker1@pipeline.com>
    Subject: We're always fighting the last war

    The first few minutes of the Pearl Harbor attack which caused the U.S. entry
    into WWII sadly proved Billy Mitchell 100% correct. The good news re
    Dec. 7th -- if there was any -- was that no U.S. aircraft carriers were in
    Pearl Harbor that day.

    Ditto with the 'Millennium Challenge 2002' wargames, in which essentially
    the entire U.S. Mediterranean fleet was 'virtually' sunk within days using
    'asymmetric warfare'.

    Ditto with 'cheap drones' in the current Ukraine war; they have rebalanced
    the battle between infantry -- now equipped with cheap drones for
    surveillance and attack -- and tanks -- a balance which has existed for a
    century since the battle tank appeared near the end of WWI.

    Cheap drones put into serious question most -- if not almost all -- of the
    'prevailing wisdom' re strategy/tactics/weapons of modern warfare. These
    put big '?' marks next to *every* 'big ticket' asset in modern warfare --
    from $billion ships/aircraft carriers, to $100m fighters, to $10m battle
    tanks, to $billion spy satellites. In chess terminology, coordinated pawns
    beat rare expensive bishops, rooks, and queens.

    https://nationalinterest.org/blog/reboot/exact-day-navy-battleships-became-obsolete-clear-209558

    "In 1921, General Billy Mitchell, a vocal advocate of airpower, staged a
    controversial exercise sinking obsolete battleship with bombers. This
    foreshadowed the dominance of aircraft carriers in World War II despite
    Mitchell's goal of a separate air force. The Navy initially dismissed his
    claims, but the sinking of the 'unsinkable' German battleship Ostfriesland
    proved the vulnerability of battleships."

    "Mitchell believed that aviation -- which could respond to both air and
    naval threats -- much better suited to protecting the country's coastline
    than battleships. Mitchell was fond of stating that a thousand bombers could
    be purchased for the cost of a single battleship, and told a House
    subcommittee that properly equipped, an Air Service could sink any
    battleship in existence."

    https://www.msn.com/en-us/news/world/ar-AA1nIxGp

    "Cheap Russian drones overwhelm US-made Abrams tanks, taken out of action"

    "Ukrainian forces are withdrawing US-provided Abrams M1A1 main battle tanks
    from the front lines after at least five have been destroyed by cheap
    Russian drones, according to the AP."

    "The failure of the Abrams to make a difference is a costly miscalculation.
    The export cost of an Abrams tank can be around $10mn, while Col. Markus
    Reisner, an Austrian military trainer who follows the weapons being used in
    Ukraine, told the Euromaidan Press that the Russian suicide drones being
    used to destroy them can be as cheap as $500 each (a ratio of 20,000:1)."

    https://en.wikipedia.org/wiki/Millennium_Challenge_2002

    "In a preemptive strike, Red launched a massive salvo of cruise missiles
    that overwhelmed the Blue forces' electronic sensors and destroyed sixteen warships: one aircraft carrier, ten cruisers and five of Blue's six
    amphibious ships. An equivalent success in a real conflict would have
    resulted in the deaths of over 20,000 service personnel. Soon after the
    cruise missile offensive, another significant portion of Blue's navy was
    "sunk" by an armada of small Red boats, which carried out both conventional
    and suicide attacks that capitalized on Blue's inability to detect them as
    well as expected."

    https://www.theguardian.com/world/2002/sep/06/usa.iraq

    "In the first few days of the [Millennium Challenge] exercise, using
    surprise and unorthodox tactics, the wily 64-year-old Vietnam veteran sank
    most of the US expeditionary fleet in the Persian Gulf, bringing the US
    assault to a halt."

    ------------------------------

    Date: Fri, 26 Apr 2024 00:44:55 +0000
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: Prescient Fiction: 'Forbidden Planet' & 21st C. AI

    All of the recent discussions of the risks of AI bring to mind the
    incredibly prescient movie (& radio play) 'Forbidden Planet':

    https://en.wikipedia.org/wiki/Forbidden_Planet

    In addition to being a pretty decent takeoff on Shakespeare's 'The Tempest',
    the movie version of 'Forbidden Planet' introduces us to talking robots (now
    almost passé!), and incredibly power-hungry planet-sized data centers
    capable of turning human thoughts into reality.

    Amazingly, this 1956 movie still holds up for modern viewers, thanks to the
    supplanting of typical cheesy 1950's scifi effects in favor of laserlike
    animations and electronic music.

    The risks of AI, according to this movie: be very careful what you wish for,
    because an AI with access to planet-sized energy capabilities can fulfill
    even your worst nightmare.

    Your choice: watch it again (safely) in movie form, or watch it play out in
    real life.

    BTW, I listened as a young boy to a radio serial version of Forbidden Planet during the summer of either 1955 or 1956; but after extensive Google
    searching, I have been unable to find a reference to this radio play
    version. I know exactly where I was while listening to it on my
    grandmother's huge radio with quite decent fidelity; perhaps someone else
    here also heard it at the same time?

    ------------------------------

    Date: Sat, 28 Oct 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 34.21
    ************************

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)