• Risks Digest 34.25 (2/2)

    From RISKS List Owner@21:1/5 to All on Mon May 20 04:46:46 2024
    [continued from previous message]

    says he’s also grabbed a bunch more.

    https://securityboulevard.com/2024/05/dell-hell-redux-menelik-richixbw

    ------------------------------

    Date: Sun, 19 May 2024 07:39:20 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Link Rot and Digital Decay on Government, News and Other Webpages
    (Pew Research Center)

    When Online Content Disappears

    A quarter of all webpages that existed at one point between 2013 and 2023
    are no longer accessible.

    https://www.pewresearch.org/data-labs/2024/05/17/when-online-content-disappears/

    [Cf More than 2 Million Research Papers Have Disappeared from the
    Internet (R 34 09)]

    ------------------------------

    Date: Wed, 15 May 2024 12:49:55 -0400
    From: Tom Van Vleck <thvv@multicians.org>
    Subject: The Rise of Large-Language-Model Optimization
    (Schneier on Security)

    This is very good.

    https://www.schneier.com/blog/archives/2024/04/the-rise-of-large.html

    ------------------------------

    Date: Sat, 18 May 2024 06:36:47 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Unprecedented Google Cloud event wipes out customer account and
    its backups (ArsTechnica)

    Bringing new meaning to "Killed By Google" --

    UniSuper, a $135 billion pension account, details its cloud compute
    nightmare.

    Buried under the news from Google I/O this week is one of Google Cloud's
    biggest blunders ever: Google's Amazon Web Services competitor accidentally
    deleted a giant customer account for no reason. UniSuper, an Australian
    pension fund that manages $135 billion worth of funds and has 647,000
    members, had its entire account wiped out at Google Cloud, including all
    its backups that were stored on the service. UniSuper thankfully had some
    backups with a different provider and was able to recover its data, but
    according to UniSuper's incident log, downtime started May 2, and a full
    restoration of services didn't happen until May 15. [...]

    https://arstechnica.com/gadgets/2024/05/google-cloud-accidentally-nukes-customer-account-causes-two-weeks-of-downtime

    [Also noted by Victor Miller,
    Google Accidentally Deleted $125 Billion Pension Fund's Account
    https://gizmodo.com/google-cloud-pension-fund-unisuper-1851476649
    What's 10 Billion here or there between the two items? PGN]

    ------------------------------

    Date: Mon, 13 May 2024 10:57:37 -0700
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: A horrifying software bug (trofi)

    I don't expect you to read this in detail, but you can skip to the end to
    find the final (?) diagnosis. I find this pretty horrifying. I liken this
    to a heroic firefighter going into a burning building. I'm afraid that our
    software chain has gotten so baroque that it may be impossible to certify
    anything with high confidence.

    https://trofi.github.io/posts/312-the-sagemath-saga.html

    ------------------------------

    Date: Thu, 16 May 2024 10:10:43 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: New Wi-Fi Vulnerability Enables Network Eavesdropping via Downgrade
    Attacks (The Hacker News)

    Researchers have discovered a new security vulnerability stemming from a
    design flaw in the IEEE 802.11 Wi-Fi standard that tricks victims into
    connecting to a less secure wireless network and eavesdrops on their
    network traffic.

    The SSID Confusion attack, tracked as CVE-2023-52424, impacts all operating
    systems and Wi-Fi clients, including home and mesh networks that are based
    on WEP, WPA3, 802.11X/EAP, and AMPE protocols.

    The method "involves downgrading victims to a less secure network by
    spoofing a trusted network name (SSID) so they can intercept their traffic
    or carry out further attacks," said Top10VPN, which collaborated with KU
    Leuven professor and researcher Mathy Vanhoef.
    <https://www.top10vpn.com/research/wifi-vulnerability-ssid/>

    "A successful SSID Confusion attack also causes any VPN with the
    functionality to auto-disable on trusted networks to turn itself off,
    leaving the victim's traffic exposed."

    The issue underpinning the attack is the fact that the Wi-Fi standard does
    not require the network name (SSID or the service set identifier) to always
    be authenticated and that security measures are only required when a device
    opts to join a particular network.

    The net effect of this behavior is that an attacker could deceive a client
    into connecting to an untrusted Wi-Fi network other than the one it intended
    to connect to by staging an adversary-in-the-middle (AitM) attack. [...]

    https://thehackernews.com/2024/05/new-wi-fi-vulnerability-enabling.html

    [Victor Miller noted New Wifi vulnerability:
    https://www.top10vpn.com/research/wifi-vulnerability-ssid/
    PGN]

    ------------------------------

    Date: Sat, 18 May 2024 02:03:14 +0000
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: Deleted photos of former owners reappearing on sold iPad
    -- and probably iPhones (PhoneArena)

    Deleted photos of former owners reappearing on sold iPads (and probably iPhones) - PhoneArena

    https://www.phonearena.com/news/Deleted-photos-of-former-owners-reappearing-on-sold-iPads-and-probably-iPhones_id158441

    ------------------------------

    Date: Wed, 15 May 2024 06:38:29 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: As AI becomes more human-like, experts warn users must
    think more critically about its responses (CBC)

    https://www.cbc.ca/news/business/google-openai-search-1.7204014

    Tech giant Google has announced upgrades to its artificial intelligence
    technologies, just a day after rival OpenAI announced similar changes to
    its offerings, with both companies trying to dominate the quickly emerging
    market where human beings can ask questions of computer systems -- and get
    answers in the style of a human response. [...]

    But researchers in the technology and artificial intelligence sector warn
    that as people get information from AI systems in more user-friendly ways,
    they also have to be careful to watch for inaccurate or misleading responses
    to their queries.

    ------------------------------

    Date: Wed, 15 May 2024 13:52:28 +0100
    From: Julia Segal <julia@flydiem.com>
    Subject: AI turned a Ukrainian into Russian propaganda (BBC)

    https://www.bbc.co.uk/news/articles/c25rre8ww57o

    ------------------------------

    Date: Thu, 16 May 2024 10:36:28 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Two unlikely U.S. states are leading the charge on regulating AI
    (Politico)

    Connecticut’s ambitious legislation regulating the emerging industry got
    derailed. Now, the tech industry is trying to kill Colorado’s bill. [...]

    In the absence of federal legislation, more than 40 states — including the
    AI epicenter of California — are considering some 400 bills related to
    artificial intelligence, as the emerging technology has potential to remake
    vast swaths of the economy. But the struggles in Connecticut and Colorado
    highlight the perils of trying to put guardrails around the rapidly
    evolving industry with powerful lobbying forces. [...]

    https://www.politico.com/news/2024/05/15/ai-tech-regulations-lobbying-00157676

    ------------------------------

    Date: Fri, 17 May 2024 06:59:14 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Google tests AI to detect scam phone calls. Privacy advocates are
    terrified. (NBCNews)

    Some privacy advocates say they’re terrified by Google’s announcement this
    week that it’s testing a way to scan people’s phone calls in real time for
    signs of financial scams.

    Google unveiled the idea Tuesday at Google I/O, its conference for software
    developers. Dave Burke, a Google vice president for engineering, said the
    company is trying out a feature that uses artificial intelligence to detect
    patterns associated with scams and then alert Android phone users when
    suspected scams are in progress.

    Burke described the idea as a security feature and provided an example.
    Onstage, he got a demonstration call from someone impersonating a bank who
    suggested that he move his savings to a new account to keep it safe.
    Burke’s phone flashed a notification: “Likely scam: Banks will never ask you
    to move your money to keep it safe,” with an option to end the call.

    “Gemini Nano alerts me the second it detects suspicious activity,” Burke
    said, using the name of a Google-developed AI model. He didn’t specify what
    signals the software uses to determine a conversation is suspicious. [...]

    https://www.nbcnews.com/tech/security/google-io-phone-ai-scan-privacy-signal-android-rcna152426

    ------------------------------

    Date: Wed, 15 May 2024 09:59:52 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Flood of Fake Science Forces Multiple Journal Closures
    (WSJ)

    Wiley to shutter 19 more journals, some tainted by fraud

    Fake academic studies are turning the publishing industry on its head —
    forcing publishers to issue retractions and close journals. They are losing
    millions of dollars.

    https://www.wsj.com/science/academic-studies-research-paper-mills-journals-publishing-f5a3d4bc

    FOLLOWED BY

    The Business of Scientific Publishing
    https://www.science.org/content/blog-post/business-scientific-publishing

    ------------------------------

    Date: Sun, 12 May 2024 11:29:59 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Newspaper groups warn Apple over ad-blocking plans

    UK press says proposed *web eraser* tool in next iOS update threatens
    journalism's financial sustainability.

    British newspaper groups have warned Apple that any move to impose a
    so-called *web eraser* tool to block advertisements would put the
    financial sustainability of journalism at risk.

    Apple is preparing to include an AI-based privacy feature in the Safari
    browser in the next iOS 18 software update that will remove ads or other
    unwanted website content, according to reports.

    In a letter sent on Friday to Apple's government affairs chief in the UK,
    the News Media Association, which represents 900 national, regional and
    local titles, raised concerns about how this would affect digital revenues
    in the industry.

    The letter, seen by the Financial Times, said professional journalism
    required funding ``and advertising is a key revenue stream for many
    publishers''. Members of the NMA include The Times, The Guardian and The
    Daily Telegraph.

    Online platforms such as web browsers and social networks are important
    routes for the public to access journalism, the NMA argues, but also for
    publishers to ``monetise their content in the digital marketplace.''

    The prospect of an automatic block on online ads has caused considerable
    alarm among publishers, which are already facing a squeeze on revenues
    given separate moves by tech groups that have throttled news traffic and a
    broader slowdown in spending in many parts of the market. Apple declined to
    comment.

    https://on.ft.com/3QGg5eq

    ------------------------------

    Date: Sat, 18 May 2024 11:25:21 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Slack users horrified to discover messages used for AI training
    (ArsTechnica)

    *Slack says policy changes are imminent amid backlash.*

    After launching Slack AI <https://slack.com/blog/news/slack-ai-has-arrived>
    in February, Slack appears to be digging its heels in, defending its vague
    policy that by default sucks up customers' data -- including messages,
    content, and files -- to train Slack's global AI models. [...]
    <https://slack.com/intl/en-gb/trust/data-management/privacy-principles>

    https://arstechnica.com/tech-policy/2024/05/slack-defends-default-opt-in-for-ai-training-on-chats-amid-user-outrage/ [...]
    https://on.ft.com/3QGg5eq

    ------------------------------

    Date: 12 May 2024 15:34:39 -0400
    From: "John Levine" <johnl@iecc.com>
    Subject: Tractors that don't know where they are

    [The almost unprecedented Friday evening Solar Flares caused some very
    spectacular Northern Lights much farther south, as predicted. I wonder
    if fires or power outages were related. PGN]

    Well, since you asked: tractors use GPS to get precise locations so they
    can plant with an accuracy of a few cm and come back later knowing exactly
    where the crops are.

    Except that if there's a huge solar storm the week you need to plant
    your corn, which screws up the GPS signal so the tractors' locations
    are several feet off, you have a big problem:

    https://www.404media.co/solar-storm-knocks-out-tractor-gps-systems-during-peak-planting-season/

    [Also noted by geoff goodfellow and Jan Wolitzky:
    Solar Storm Fried GPS Systems Used by Some Farmers, Stalling Planting
    https://www.nytimes.com/2024/05/13/us/solar-storm-tractor-break-nebraska.html
    PGN]

    ------------------------------

    Date: Thu, 16 May 2024 08:20:16 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: She was accused of faking an incriminating video of teenage
    cheerleaders. The problem? Nothing was fake after all (The Guardian)

    She was accused of faking an incriminating video of teenage cheerleaders.
    She was arrested, outcast and condemned. The problem? Nothing was fake
    after all.

    The moral panic following Raffaella Spone’s ‘deepfake’ video spread around
    the world. She talks for the first time about being the centre of a story
    in which nothing was as it seemed.

    https://www.theguardian.com/technology/article/2024/may/11/she-was-accused-of-faking-an-incriminating-video-of-teenage-cheerleaders-she-was-arrested-outcast-and-condemned-the-problem-nothing-was-fake-after-all

    ------------------------------

    Date: Sat, 28 Oct 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 34.25
    ************************
