RISKS-LIST: Risks-Forum Digest Wednesday 5 Jun 2024 Volume 34 : Issue 29

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.29>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
NYSE technical error sends stocks tumbling (The Register)
NYSE says bizarre glitch that showed Berkshire Hathaway down
99.97% has been resolved (CNN)
London Hospitals Face Major Disruptions After Cyberattack (NYTimes)
Harvard grad who went off script to address Gaza protests said
she quietly revised her speech last minute (NBC News)
A New Bone of Contention: Trigger Warnings in Archaeology Class (WSJ)
How Researchers Cracked an 11-Year-Old Password to a $3 Million Crypto
Wallet (WiReD)
361 million stolen accounts leaked on Telegram added to HIBP (SecureClick) Digital surveillance and customer isolation are individualizing the
prices we pay (Prospect)
A Pacific Island With Ties to Taiwan Was Hacked. Was It Political?
(The NY Times)
Deepfake of U.S. Official Appears After Shift on Ukraine Attacks
in Russia (The NY Times)
Fake News Reports and Videos Seek to Undermine the Paris Olympics
(The NY Times)
They Spent Their Life Savings on Life Coaching (NYTimes)
How a Samsung Washing Machine Chime Triggered a YouTube Copyright Fiasco
(WiReD)
Don't You Dare Call Me Without Texting First (WSJ)
Miracle AI Weapons (Background Briefing)
Oral-B bricking Alexa toothbrush is cautionary tale against buzzy tech (
(Ars Technica)
New technique can automate data curation for self-supervised pre-
training of AI datasets (techxplore.com)
Artists threaten to leave Instagram in droves over AI art training
(Creative Blog)
Today's Funny Pages (Indeed via Cliff Kilby)
Re: PGN on Ethics (Jan Wolitzky, Henry Baker, Monty Solomon)
Twilight Zone predicted robot CEO (Jeff Jonas)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 04 Jun 2024 01:45:47 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: NYSE technical error sends stocks tumbling (The Register)

Apparently, the LU-LD bands snapped...

My speculation: real-time SW updates to handle speculative meme trading apparently went horribly wrong, actually *causing* the very problem the fix
was attempting to stop.

Note to self: real-time SW updates to real-time systems are very, very dangerous. Perhaps waiting until trading stops for the day might be a
better update policy?

I wonder if this SW problem had any interactions with the new 'T+1'
settlement scheme?

https://www.theregister.com/2024/06/03/nyse_technical_error/

------------------------------

Date: Mon, 3 Jun 2024 17:55:33 -0400
From: Monty Solomon <monty@roscom.com>
Subject: NYSE says bizarre glitch that showed Berkshire Hathaway down
99.97% has been resolved (CNN)

https://www.cnn.com/2024/06/03/investing/new-york-stock-exchange-technical-issue/index.html

[Also noted by Chuck Weinstock. PGN]

------------------------------

Date: Wed, 5 Jun 2024 14:48:42 -0400
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Subject: London Hospitals Face Major Disruptions After Cyberattack
(NYTimes)

Several major hospitals in London have been crippled by a cyberattack, Britain's National Health Service said, causing surgical procedures to be canceled, disrupting blood transfusions and forcing patients to be diverted.

A ransomware cyberattack on Synnovis, an organization that manages blood transfusions and other services, on Monday had significantly disrupted the delivery of services at King's College and Guy's and St. Thomas' hospital trusts, which run several major hospitals. The attack has also caused disruptions to primary care offices in southeast London.

https://www.nytimes.com/2024/06/05/world/europe/london-hospitals-cyberattac= k.html

------------------------------

Date: Fri, 31 May 2024 20:02:46 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Harvard grad who went off script to address Gaza protests said
she quietly revised her speech last minute (NBC News)

Harvard grad who went off script to address Gaza protests said she quietly revised her speech last minute

Shruthi Kumar, 22, said she felt like she had to speak about her 13 peers barred from graduating. Now, her message is reaching millions online.

https://www.nbcnews.com/news/asian-america/harvard-speech-gaza-war-commencement-rcna154899

[*The New York Times* Sunday Opinion on 2 Jun 2024 has a piece by Noah
Feldman and Alison Simmons, Harvard Should Say Less. Maybe All Schools
Should: Let's spare universities from having to make statements on world
events. PGN says Harvard seems to have mostly honored free speech in the
past. Why stop now? Donors seem to be very unhappy one way or the other.
My Class of 1954 just had its 70th class reunion last Thursday with a
panel on this subject. (This is the first reunion I have ever missed.)
But it definitely seems like a lose-lose issue for Harvard, barring
students' graduations if they had spoken out on a life-critical matter.
It smells bad, and DRACONIAN. Sorry if I am oversimplifying what seems to
me like a no-brainer in a place noted for brains. PGN]

------------------------------

Date: Mon, 3 Jun 2024 08:24:31 -0400
From: Monty Solomon <monty@roscom.com>
Subject: A New Bone of Contention: Trigger Warnings in Archaeology Class
(WSJ)


Professors from Harvard to Cambridge feel obliged to caution students
before displaying ancient human remains; drawings and plastic
skeletons fill the void.

https://www.wsj.com/world/trigger-warning-bones-archaeology-class-f20dcb65?st=o8dh4d5xd6jffv9

------------------------------

Date: Tue, 4 Jun 2024 14:38:20 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: How Researchers Cracked an 11-Year-Old Password to a $3 Million Crypto
Wallet (WiReD)

Thanks to a flaw in a decade-old version of the RoboForm password manager
and a bit of luck, researchers were able to unearth the password to a crypto wallet containing a fortune.

https://www.wired.com/story/roboform-password-3-million-dollar-crypto-wallet/

------------------------------

Date: Tue, 04 Jun 2024 14:17:25 +0000
From: Presale1
Subject: 361 million stolen accounts leaked on Telegram added to HIBP
(SecureClick)

A massive trove of 361 million email addresses from credentials stolen by password-stealing malware, in credential stuffing attacks, and from data breaches was added to the Have I Been Pwned data breach notification
serv. ...

<https://email.cloud2.secureclick.net/c/10688?id=1546099.3979.1.49f533d26394a01aaac7a79a61ef2c7a>

------------------------------

Date: Wed, 5 Jun 2024 08:38:40 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Digital surveillance and customer isolation are individualizing the
prices we pay (Prospect)

https://prospect.org/economy/2024-06-04-one-person-one-price/

The RISK?  E-commerce and the Internet.

Businesses have always wanted to maximize what they can induce people to
pay, trying to walk right up to the limit before a customer says no. But everyone has a different pain point, and companies were deterred from purely individualizing what they charge, because of publicly posted prices and consumer anger over the unfairness of being charged differently for the same product.

Today, the fine-graining of data and the isolation of consumers has changed
the game. The old idiom is that every man has his price. But that’s
literally true now, much more than you know, and it’s certainly the plan for the future.

“The idea of being able to charge every individual person based on their individual willingness to pay has for the most part been a thought experiment,” said Lina Khan, chairwoman of the Federal Trade Commission. “And now … through the enormous amount of behavioral and individualized data
that these data brokers and other firms have been collecting, we’re now in
an environment that technologically it actually is much more possible to be serving every individual person an individual price based on everything they know about you.”

Economists soft-pedal this emerging trend by calling it “personalized” pricing, which reflects their view that tying price to individual characteristics adds value for consumers. But Zephyr Teachout, who helped
write anti-price-gouging rules in the New York attorney general’s office,
has a different name for it: surveillance pricing. [...]

*THERE HAVE BEEN TWO BINDING CONSTRAINTS* for true personalization: the
quality and quantity of data collected, and the mechanism for giving
individual prices to people who shop where price tags are publicly
displayed. Step by step, these constraints are being defeated, and a new frontier on pricing is becoming available.

E-commerce really served both ends. Instead of being out in the world,
people shop from home, unaware of any uniform price. And data that can be grabbed over the Internet dwarfs what’s available on a loyalty card. It includes your IP address, the devices you use, your phone number, email, pinpoint demographics, and a comprehensive graph of everything you’ve ever done on the Internet, from purchases to searches to websites visited to
emails to social media posts and much, much more. And if the retailer
doesn't get all that information, they could always buy it.

------------------------------

Date: Mon, 3 Jun 2024 01:03:30 -0400
From: Monty Solomon <monty@roscom.com>
Subject: A Pacific Island With Ties to Taiwan Was Hacked. Was It Political?
(The NY Times)

Palau’s claims that China orchestrated the attack remain unproven. But
it’s clear that the breach presents a danger for another ally of
Palau: the United States.

https://www.nytimes.com/2024/06/02/world/asia/palau-taiwan-china-hack.html

------------------------------

Date: Fri, 31 May 2024 22:16:40 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Deepfake of U.S. Official Appears After Shift on Ukraine Attacks
in Russia (The NY Times)

A manufactured video fabricated comments by the State Department spokesman, Matthew Miller.

https://www.nytimes.com/2024/05/31/us/politics/deepfake-us-official-russia.html

------------------------------

Date: Mon, 3 Jun 2024 01:02:17 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Fake News Reports and Videos Seek to Undermine the Paris Olympics
(The NY Times)

Russian propagandists are spoofing broadcasters and mimicking French
and U.S. intelligence agencies to stoke fear about security at the
Games.

https://www.nytimes.com/2024/06/03/us/politics/russia-disinformation-olympics-paris.html

------------------------------

Date: Mon, 3 Jun 2024 01:01:25 -0400
From: Monty Solomon <monty@roscom.com>
Subject: They Spent Their Life Savings on Life Coaching (NYTimes)

Some people who wanted to improve their lives and careers through
coaching found themselves trapped in what they described as a pyramid
scheme.

https://www.nytimes.com/2024/06/02/business/life-coach-debt-savings.html

------------------------------

Date: Sun, 2 Jun 2024 19:05:03 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: How a Samsung Washing Machine Chime Triggered a YouTube Copyright
Fiasco (WiReD)

When YouTube’s Content ID system goes wrong, it goes very, very wrong.

YouTube’s Content ID system—which automatically detects content registered by rights holders—is “completely fucking broken,” a YouTuber called “Albino”
declared in a rant on the social media site X that has been viewed more than 950,000 times.

Albino, who is also a popular Twitch streamer, complained that his YouTube video playing through Fallout was demonetized because a Samsung washing
machine randomly chimed to signal a laundry cycle had finished while he was streaming.

Apparently, YouTube had automatically scanned Albino's video and detected
the washing machine chime as a song called “Done”—which Albino quickly saw
was uploaded to YouTube by a musician known as Audego nine years ago.

But when Albino hit Play on Audego's song, the only thing that he heard was
a 30-second clip of the washing machine chime. To Albino it was obvious that Audego didn't have any rights to the jingle, which Dexerto reported actually comes from the song "Die Forelle" (“The Trout”) from Austrian composer Franz
Schubert.

The song was composed in 1817 and is in the public domain. Samsung has used
it to signal the end of a wash cycle for years, sparking debate over whether it's the catchiest washing machine song and inspiring at least one violinist
to perform a duet with her machine. It's been a source of delight for many Samsung customers, but for Albino, hearing the jingle appropriated on
YouTube only inspired ire.

"A guy recorded his fucking washing machine and uploaded it to YouTube with Content ID," Albino said in a video on X. "And now I'm getting copyright claims" while "my money" is "going into the toilet and being given to this fucking slime."

Albino suggested that YouTube had potentially allowed Audego to make invalid copyright claims for years without detecting the seemingly obvious abuse.

"How is this still here?" Albino asked. "It took me one Google search to
figure this out," and "now I'm sharing revenue with this? That's insane."
...

Widespread Abuse of Content ID Continues

YouTubers have complained about abuse of Content ID for years. Techdirt's Timothy Geigner agreed with Albino's assessment that the YouTube system is "hopelessly broken," noting that sometimes content is flagged by
mistake. But just as easily, bad actors can abuse the system to claim
"content that simply isn't theirs" and seize sometimes as much as millions
in ad revenue.

In 2021, YouTube announced that it had invested "hundreds of millions of dollars" to create content management tools, of which Content ID quickly emerged as the platform's go-to solution to detect and remove copyrighted materials.

https://www.wired.com/story/youtube-content-id-samsung-washing-machine-chime-demonetize

------------------------------

Date: Mon, 3 Jun 2024 08:21:02 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Don't You Dare Call Me Without Texting First (WSJ)

Extremely annoyed. The etiquette of unexpected phone calls divides
friends, families and co-workers.

https://www.wsj.com/lifestyle/phone-etiquette-text-before-calling-6015145b

------------------------------

Date: Tue, 4 Jun 2024 19:15:42 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: Miracle AI Weapons (Background Briefing)

Today's https://www.backgroundbriefing.org/

Following the CIA, The Pentagon Falls For Silicon Valley's Promise of AI Miracle Weapons

Then finally we speak with <https://history.yale.edu/people/michael-brenes> Michael Brenes, Interim Director of the Brady-Johnson Program in Grand
Strategy and Lecturer in History at Yale University. He is the author of <https://www.umasspress.com/9781625345219/for-might-and-right/> For Might
and Right: Cold War Defense Spending and the Remaking of American Democracy.
We discuss his article at The New Republic, " <https://newrepublic.com/article/182145/ai-weapons-make-venture-capitalists- palantir-richer> AI Won't Transform War. It'll Only Make Venture Capitalists Richer" and how the big five defense contractors, Lockheed Martin, RTX,
Boeing, General Dynamics and Northrop Grumman are being challenged by
Silicon Valley players like Thiel and Musk who are promising AI miracle weapons.

------------------------------

Date: Wed, 5 Jun 2024 16:42:22 -0600
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: Oral-B bricking Alexa toothbrush is cautionary tale
against buzzy tech (Ars Technica)

Scharon Harding, Ars Technica, 6/5/2024, 2:09 PM

Oral-B discontinued Alexa toothbrush in 2022, now sells $400 "AI"
toothbrush.

On 15 Feb 2024, Oral-B bricked the Guide's ability to set up Alexa by discontinuing the Oral-B Connect app required to complete the process.
Guide owners can still use the Oral-B App for other features; however, the ability to use the charging base like an Alexa smart speaker—a big draw in the product’s announcement and advertising—is seriously limited.

The device should still work with Alexa if users set it up before
Oral-B shuttered Connect, but setting up a new Wi-Fi connection or reestablishing a lost one doesn't work without Connect.

https://arstechnica.com/gadgets/2024/06/oral-b-bricks-ability-to-set-up-alexa-on-230-smart-toothbrush/

------------------------------

Date: Mon, 03 Jun 2024 23:23:30 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: New technique can automate data curation for self-supervised pre-
training of AI datasets (techxplore.com)

https://techxplore.com/news/2024-06-technique-automate-curation-pre-ai.html

"As developers and users alike have been learning over the past year,
the quality of the data that is used to train AI systems is tied very
closely to the accuracy of results. Currently, the best results are
obtained with systems that use manually curated data and the worst are
obtained from systems that are uncurated."

With AI datasets pushing past petabytes into exabytes, automation must
be applied. Pre-training curation can cull extraneous training
stimulus, but will it reduce false-positive/negative AI results that equivalence human curation?

------------------------------

Date: Tue, 4 Jun 2024 06:44:20 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Artists threaten to leave Instagram in droves over AI art training

Meta's making it almost impossible to opt out.

AI art is mired controversy, so it should be no surprise that Meta's confirmation that it trains its AI image generator using public Instagram <https://www.creativebloq.com/tag/instagram> images has upset a lot of
people.

The revelation could be the straw that broke the camel's back for many users
of the social media platform. Already frustrated by the decrease in reach
that their posts receive these days on a platform increasingly saturated
with paid ads, many users, and particularly artists, are wondering if
there's any point to Instagram anymore. [...]

https://www.creativebloq.com/news/instagram-ai-training

------------------------------

Date: Mon, 3 Jun 2024 19:43:14 +0000
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: Today's Funny Pages

"As a Cloud Security Operations Lead in Deloitte's Cyber Risk
Services, you will lead team prioritization based on client
requirements, coordinate with key stakeholders to refine
requirements, and lead team workflow."

You cannot rely on client requirements for prioritization of security mitigation and remediation efforts. Cart before the horse, security as
an afterthought?

"Work with security application teams to develop cloud architecture
solutions which meet client CTSO's unique cloud requirements (note:
CTSO routinely requires nonstandard patterns). "

No, no. You don't get "Security" and "Does not follow industry guidance".

Of course, Deloitte failed to define which of the CTSO's they were
mentioning here, so I presumed they meant Chief Trust and Security
Officer. Which for some reason isn't part of Chief Information
Security Officer (CISO), or Chief Security Officer (CSO)?

I am concerned that Deloitte's approach to Cyber Risk may be
lassiez-faire, which is disconcerting.

Job post courtesy of Deloitte, via Indeed.

https://www.indeed.com/?from=gnav-notifcenter&vjk=6cfb557f93651fd3&advn=8876452989351355

Laissez les bons temps rouler! Cliff
[Let the wild rumpus roar. PGN]

------------------------------

Date: Fri, 31 May 2024 20:39:59 -0400
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Subject: Re: PGN on Ethics (Robbins, RISKS-34.28)

When I returned as a guest lecturer for a class on technology and society
in the 90s, ethics didn't seem to be taught. So unless something happened between 2000 and 2020, it's never been taught.

Ridiculous! A casual perusal of the online MIT course catalog turns up:

CC.117[J] Humane Warfare: Ancient and Medieval Perspectives on Ethics in War NS.42 Leadership and Ethics
11.133[J] Dilemmas in Biomedical Ethics: Playing God or Doing Good?
11.238[J] Ethics of Intervention
MAS.630 Advanced Seminar: Affective Computing and Ethics
1.082 Ethics for Engineers
6.9321 Ethics for Engineers - Independent Inquiry
10.06 Advanced Topics in Ethics for Engineers
17.055 Just Code: The Ethical Lifecycle of Machine Learning
21A.301 Disease and Health: Culture, Society, and Ethics
21A.508 Culture and Ethics in Science Fiction Worlds
24.03 Good Food: The Ethics and Politics of Food
24.130 Ethics (24.231)
24.131 Ethics of Technology
24.132 Workshop in Ethical Engineering
24.133 Experiential Ethics
24.230 Meta-ethics
24.233 The Ethics of Climate Change (24.07)
24.191 Being, Thinking, Doing (or Not): Ethics in Your Life
24.502 Topics in Metaphysics and Ethics
WGS.183 Feminist Data Ethics
15.269 Leadership Stories: Literature, Ethics, and Authority
15.270 Ethical Practice: Leading Through Professionalism, Social Responsibility, and System Design
15.410 Finance Ethics & Regulation
15.630 Law, Ethics, and Data Privacy

------------------------------

Date: Sat, 01 Jun 2024 00:46:24 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: Re: PGN on Ethics (Robbins, RISKS-34.28)

Having to learn ethics in college is a little late in the day; the horse has already left the barn.

Exhibit #1: Sam Bankman-Fried
https://en.wikipedia.org/wiki/Sam_Bankman-Fried

Exhibits #2-N: most of the output of a graduate school a tad further
up the Charles River.

(D)effective Altruism in action.

------------------------------

Date: Fri, 31 May 2024 19:56:52 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Re: PGN on Ethics (Robbins, RISKS-34.28)

Ethics for Engineers
https://e4e.mit.edu/

Ethics of Technology
Linguistics and Philosophy
MIT OpenCourseWare https://ocw.mit.edu/courses/24-131-ethics-of-technology-spring-2023/

Ethics
Linguistics and Philosophy
MIT OpenCourseWare
https://ocw.mit.edu/courses/24-231-ethics-fall-2009/

Ethical AI by Design
Interview with Abby Everett Jaques https://shass.mit.edu/news/news-2019-ethical-ai-design-interview-abby-everett-jaques

Ethics Computing and AI
Perspectives from MIT https://shass.mit.edu/news/news-2019-ethics-computing-and-ai-perspectives-mit

------------------------------

Date: Mon, 3 Jun 2024 05:50:13 +0000 ()
From: Jeff Jonas <jeffj@panix.com>
Subject: Twilight Zone predicted robot CEO

Re: "If AI Can Do Your Job, Maybe It Can Also Replace Your CEO (NYTimes)'

1) I say if businesses/companies/corporations outsource everything
else (manufacturing, design, programming, service, maintenance) then
turnabout is fair play. It's time to outsource the president/CEO
and board. Look at any proxy and they say how board members from
other companies "bring in experience and new ideas". So does AI,
machine learning, etc. Or an outsourcing company with a more
experienced staff.

2) The Twilight Zone predicted this in 1964 with
"The Brain Center at Whipple's"

- the president's message about factory automation and mass layoffs
was given by film instead of in person, predicting the impersonal &
demoralizing use of Zoom/tele-conferences for "downsizing".

- the "dark factory": no people anywhere

- even the repair technician quit. It's too darned lonely.

- eventually the one person left (the president) was replaced by a
robot with his same nervous habit (swinging his keychain) and
perhaps the same neurosis?

https://en.wikipedia.org/wiki/The_Brain_Center_at_Whipple%27s

"The Brain Center at Whipple's" is episode 153
of the American television series The Twilight Zone.
It originally aired on May 15, 1964 on CBS.

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.

SUBSCRIPTIONS: The mailman Web interface can be used directly to

subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that

includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.

SPAM challenge-responses will not be honored. Instead, use an alternative

address from which you never send mail where the address becomes public!

The complete INFO file (submissions, default disclaimers, archive sites,

copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!

OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's

delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.

Special Offer to Join ACM for readers of the ACM RISKS Forum:

<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.29
************************

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)