• Risks Digest 34.38

    From RISKS List Owner@21:1/5 to All on Tue Jul 30 00:08:30 2024
    RISKS-LIST: Risks-Forum Digest Monday 29 Jul 2024 Volume 34 : Issue 38

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/34.38>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Lithium Battery Fire Traps Drivers in Sweltering Heat on California Highway
     (The New York Times)
    Spy v spy v spy: Jamming home wifi's by crims & cops (Henry Baker)
    Lawmaker uses AI voice clone to address Congress (BBC via Matthew Kruk)
    AI May Save Us, or May Construct Viruses to Kill Us (NYTimes)
    Robots sacked, screenings shut down: a new movement of Luddites is rising up
     against AI (Ed Newton-Rex)
    Restrictions on AI training data (NYTimes via Jim Geissman)
    Apple signs on to Biden's responsible AI guidelines (Politico)
    Crypto fanatics flock to Trump, hoping to *make bitcoin great again*.
     (WashPost)
    Devastating ransomware attack shuts down L.A. County courts
     (LATimes)
    Proofpoint Email Routing Flaw Exploited to Send Millions
     of Spoofed Phishing Emails (The Hacker News)
    Prominent Short Seller Made Millions Off Bait-and-Switch Scheme,
     U.S. Says (NYTimes)
    Secure Boot is completely broken on 200+ models from 5 big device makers
     (Ars Technica)
    Hackers steal call records of 'nearly all' AT&T customers (BBC)
    Security Firm Discovers Remote Worker Is North Korean Hacker (Michael Kan)
    New Israeli Spyware (Israel News)
    Windows resiliency: Best practices and the path forward
     (MS via PGN)
    Google reverts TV YouTube app to original search history behavior
     (Lauren Weinstein)
    CrowdStrike and fuzz testing (Martin Ward)
    Re: U.S. Gender Care Is Ignoring ... (Julian Bradfield)
    Re: Switzerland now requires all government software to be open source
     (Amos Shapir)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 28 Jul 2024 01:29:04 -0400
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: Lithium Battery Fire Traps Drivers in Sweltering Heat on California Highway (The New York Times)

    Traffic was at a standstill for hours on a portion of I-15 near Baker,
    Calif., after a truck carrying lithium batteries overturned and caught
    fire. [...]

    Drivers were stuck in traffic in 109-degree heat on a California highway
    on Saturday for hours as the authorities struggled to extinguish a fire involving a truck carrying lithium ion batteries that had overturned on
    Friday.

    “Multiple attempts were made to move the container from the freeway
    shoulder to open land using heavy equipment,” the San Bernardino County
    Fire Protection District said on social media on Saturday. “However, the container’s weight, exceeding 75,000 pounds, has made these efforts unsuccessful so far.”

    https://www.nytimes.com/2024/07/27/us/battery-fire-traffic-nevada-california.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

    ------------------------------

    Date: Sun, 28 Jul 2024 22:07:16 +0000
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: Spy v spy v spy: Jamming home wifi's by crims & cops

    Those wifi cameras that you just installed to spy on your own home (and
    AirBnB guests?):

    Jammed by both crims and cops!

    FCC: "Yes, Wi-Fi devices that comply with FCC technical standards **must
    accept interference**, including interference that may cause undesired operation. This is because the FCC's Part 15 federal regulation limits the amount of electromagnetic interference that electronic devices can cause,
    and requires that they operate without interfering with authorized radio services."

    https://www.pcworld.com/article/2405434/burglars-are-jamming-wi-fi-security-cameras.html

    Burglars are jamming Wi-Fi security cameras -- here's what you can do

    Tech-savvy thieves are finding new ways to circumvent wireless networked security cameras like Ring and Nest.

    By Michael Crider Staff Writer, PCWorld Jul 22, 2024 9:24 am PDT

    https://www.404media.co/dhs-has-a-ddos-robot-to-disable-internet-of-things-booby-traps-inside-homes/

    DHS Has a DoS Robot to Disable Internet of Things 'Booby Traps' Inside
    Homes

    Jason Koebler Jul 22, 2024 at 9:50 AM

    "NEO carries an onboard computer and **antenna array** that will allow
    officers the ability to create a 'denial-of-service' event to disable
    'Internet of Things' devices that could potentially cause harm while
    entry is made."

    ... https://www.fcc.gov/document/consumer-alert-using-or-importing-jammers-illegal

    CONSUMER ALERT: Using or Importing Jammers is Illegal

    https://www.fcc.gov/general/jammer-enforcement "Local law enforcement
    agencies do ***not*** have independent authority to use jamming
    equipment; in certain limited exceptions use by Federal
    law-enforcement agencies is authorized in accordance with applicable
    statutes."

    ------------------------------

    Date: Thu, 25 Jul 2024 21:57:30 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Lawmaker uses AI voice clone to address Congress

    We talk about the risks of AI. Thought I'd pass along a non-risk, indeed a benefit. Let's hope for more.

    https://www.bbc.com/news/videos/c728q850e5do

    Virginia Congresswoman Jennifer Wexton used an artificial intelligence (AI) programme to address the House on Thursday. A year ago, the lawmaker was diagnosed with progressive supranuclear palsy, which makes it difficult for
    her to speak.

    The AI programme allowed Wexton to make a clone of her speaking voice using
    old recordings of appearances and speeches she made in Congress. Wexton
    appears to be the first person to speak on the House floor with a voice recreated by AI.

    [Indeed, a positive use for something that is so easily misused. PGN]

    ------------------------------

    Date: Sat, 27 Jul 2024 22:25:52 -0600
    From: "Matthew Kruk" <mkrukg@gmail.com>
    Subject: AI May Save Us, or May Construct Viruses to Kill Us
    (NYTimes)

    https://www.nytimes.com/2024/07/27/opinion/ai-advances-risks.html

    Here’s a bargain of the most horrifying kind: For less than $100,000,
    it may now be possible to use artificial intelligence to develop a
    virus that could kill millions of people.

    That’s the conclusion of Jason Matheny, the president of the RAND Corporation, a think tank that studies security matters and other
    issues.

    “It wouldn't cost more to create a pathogen that’s capable of killing hundreds of millions of people versus a pathogen that’s only capable
    of killing hundreds of thousands of people,” Matheny told me.

    In contrast, he noted, it could cost billions of dollars to produce a new vaccine or antiviral in response.

    ------------------------------

    Date: Mon, 29 Jul 2024 06:50:26 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Robots sacked, screenings shut down: a new movement of Luddites is
    rising up against AI (Ed Newton-Rex)

    Robots sacked, screenings shut down: a new movement of luddites is
    rising up against AI

    Earlier this month, a popular lifestyle magazine introduced a new “fashion and lifestyle editor” to its huge social media following. “Reem” <https://sheerluxe.com/fashion/meet-our-new-ai-enhanced-editor-reem>, who on first glance looked like a twentysomething woman who understood both fashion and lifestyle, was proudly announced as an “AI enhanced team member”. That is, a fake person, generated by artificial intelligence. Reem would be
    making product recommendations to SheerLuxe’s followers – or, to put it another way, doing what SheerLuxe would otherwise pay a person to do. The reaction was entirely predictable: outrage <https://www.bbc.com/news/articles/c3gw720vz3lo>, followed by a hastily
    issued apology. One suspects Reem may not become a staple of its editorial team.

    This is just the latest in a long line of walkbacks of “exciting AI projects” that have been met with fury by the people they’re meant to excite. The Prince Charles Cinema in Soho, London, canceled <https://www.bbc.co.uk/news/articles/cjll3w15j0yo.amp> a screening of an AI-written film in June, because its regulars vehemently objected. Lego was pressured <https://www.axios.com/2024/03/15/lego-ai-ninjago-images> to take down a series of AI-generated images it published on its website. Doctor Who started experimenting with generative AI, but quickly stopped after a wave
    of complaints. <https://gizmodo.com/doctor-who-ai-bbc-complaints-response-disney-plus-1851363443>
    A company swallows the AI hype, thinks jumping on board will paint it as innovative, and entirely fails to understand the growing anti-AI sentiment taking hold among many of its customers.

    Behind the backlash is a range of concerns about AI. Most visceral is its impact on human labour: the chief effect of using AI in many of these situations is that it deprives a person of the opportunity to do the same
    work. Then there is the fact that AI systems are built by exploiting the
    work <https://www.noemamag.com/the-exploited-labor-behind-artificial-intelligence/> of the very people they’re designed to replace, trained on their creative output and without paying them. The technology has a tendency to sexualise women <https://www.theguardian.com/technology/2023/feb/08/biased-ai-algorithms-racy-women-bodies>,
    is used to make deepfakes, has caused tech companies to miss climate targets <https://www.theguardian.com/business/article/2024/jul/04/can-the-climate-survive-the-insatiable-energy-demands-of-the-ai-arms-race>
    and is not nearly well enough understood for its many risks to be
    mitigated. This has understandably not led to universal adulation. As Hayao Miyazaki, the director of Studio Ghibli, the world-renowned animation
    studio, has said: “I am utterly disgusted … I strongly feel that [AI] is an insult to life itself.” [...]

    https://www.theguardian.com/commentisfree/article/2024/jul/27/harm-ai-artificial-intelligence-backlash-human-labour

    ------------------------------

    Date: Fri, 19 Jul 2024 09:00:13 -0700
    From: Jim Geissman <jgeissman@socal.rr.com>
    Subject: Restrictions on AI training data (NYTimes)

    But there's also a lesson here for big AI companies, who have treated the Internet as an all-you-can-eat data buffet for years, without giving the
    owners of that data much of value in return. Eventually, if you take
    advantage of the web, the web will start shutting its doors.

    https://www.nytimes.com/2024/07/19/technology/ai-data-restrictions.html

    ------------------------------

    Date: Sat, 27 Jul 2024 18:42:31 +0000 (UTC)
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Apple signs on to Biden's responsible AI guidelines (Politico)

    https://www.politico.com/news/2024/07/26/apple-biden-ai-00171502

    [Is there any hope that these guidelines are strong enough? PGN]

    ------------------------------

    Date: Mon, 29 Jul 2024 10:39:58 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Crypto fanatics flock to Trump, hoping to *make bitcoin great again*
    (WashPost)

    The crypto community is rallying behind Trump for the 2024 election, hoping
    to avoid regulation.

    https://www.washingtonpost.com/business/2024/07/27/trump-bitcoin-support-2024-cryptocurrency/

    ------------------------------

    Date: Mon, 22 Jul 2024 09:47:14 -0700
    From: Jim Geissman <jgeissman@socal.rr.com>
    Subject: Devastating ransomware attack shuts down L.A. County courts
    (LATimes)

    https://www.latimes.com/california/story/2024-07-22/la-county-court-ransomware

    ------------------------------

    Date: Mon, 29 Jul 2024 09:22:26 -0700
    From: "geoff goodfellow" <geoff@iconia.com>
    Subject: Proofpoint Email Routing Flaw Exploited to Send Millions
    of Spoofed Phishing Emails (The Hacker News)

    An unknown threat actor has been linked to a massive scam campaign that exploited an email routing misconfiguration in email security vendor Proofpoint's defenses to send millions of messages spoofing various popular companies like Best Buy, IBM, Nike, and Walt Disney, among others.

    "These emails echoed from official Proofpoint email relays with
    authenticated SPF and DKIM signatures <https://thehackernews.com/2024/02/8000-subdomains-of-trusted-brands.html>, thus bypassing major security protections — all to deceive recipients
    and steal funds and credit-card details," Guardio Labs researcher Nati
    Tal said <https://labs.guard.io/echospoofing-a-massive-phishing-campaign-exploiting-proofpoints-email-protection-to-dispatch-3dd6b5417db6>
    in a detailed report shared with The Hacker News.

    The cybersecurity company has given the campaign the name
    EchoSpoofing. The activity is believed to have commenced in January
    2024, with the threat actor exploiting the loophole to send as many as
    three million emails per day on average, a number that hit a peak of
    14 million in early June as Proofpoint began to enact countermeasures.

    "The most unique and powerful part of this domain is the spoofing method – leaving almost no chance to realize this is not a genuine email sent from
    those companies," Tal told the publication.

    "This EchoSpoofing concept is really powerful. It's kind of strange it
    is being used for large-scale phishing like this instead of a boutique spear-phishing campaign – where an attacker can swiftly take any real
    company team member's identity and send emails to other co-workers – eventually, through high-quality social engineering, get access to
    internal data or credentials and even compromise the entire company."

    The technique, which involves the threat actor sending the messages from an SMTP server on a virtual private server (VPS), is notable for the fact that
    it complies with authentication and security measures <https://today.ucsd.edu/story/forwarding_based_spoofing> such as SPF and
    DKIM, which are short for Sender Policy Framework and DomainKeys Identified Mail, respectively, and refer to authentication methods that are designed
    to prevent attackers from imitating a legitimate domain.

    It all goes back to the fact that these messages are routed from
    various adversary-controlled Microsoft 365 tenants, which are then
    relayed through Proofpoint enterprise customers' email infrastructures
    to reach users of free email providers such as Yahoo!, Gmail, and GMX.

    This is the result of what Guardio described as a "super-permissive misconfiguration flaw" in Proofpoint servers ("pphosted.com") that
    essentially allowed spammers to take advantage of the email
    infrastructure to send the messages. [...]

    https://thehackernews.com/2024/07/proofpoint-email-routing-flaw-exploited.html

    ------------------------------

    Date: Mon, 29 Jul 2024 10:44:32 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Prominent Short Seller Made Millions Off Bait-and-Switch Scheme,
    U.S. Says (NYTimes)

    Federal authorities filed charges against Andrew Left, founder of Citron Research, who they said made at least $16 million from a multiyear scheme to manipulate market prices.

    https://www.nytimes.com/2024/07/26/business/andrew-left-short-seller-fraud.html

    ------------------------------

    Date: Sat, 27 Jul 2024 01:59:54 +0000
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: Secure Boot is completely broken on 200+ models from 5 big device
    makers (Ars Technica)

    [Also noted by Monty Solomon]

    https://arstechnica.com/security/2024/07/secure-boot-is-completely-compromised-on-200-models-from-5-big-device-makers/

    On Thursday, researchers from security firm Binarly revealed that Secure
    Boot is completely compromised on more than 200 device models sold by Acer, Dell, Gigabyte, Intel, and Supermicro. The cause: a cryptographic key underpinning Secure Boot on those models that was compromised in 2022.

    Report https://www.binarly.io/blog/pkfail-untrusted-platform-keys-undermine-secure-boot-on-uefi-ecosystem

    ------------------------------

    Date: Sat, 13 Jul 2024 16:11:45 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Hackers steal call records of 'nearly all' AT&T customers (BBC)

    https://www.bbc.com/news/articles/c51yemmmg9mo

    Hackers stole call and text records data from "nearly all" of 109 million
    AT&T Wireless customers, the telecommunications company disclosed on Friday.

    The firm said one suspect had been arrested after the records - from May to October 2022 - were illegally downloaded and copied to a third-party
    platform this April.

    The stolen data did not contain the content of calls or texts, but did
    record the numbers contacted, as well as the number and lengths of interactions, the company said.

    ------------------------------

    Date: Fri, 26 Jul 2024 11:00:06 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Security Firm Discovers Remote Worker Is North Korean Hacker
    (Michael Kan)

    Michael Kan, *PC Magazine*, 23 Jul 2024

    KnowBe4, a U.S. security training firm, disclosed that it had unknowingly
    hired a remote software engineer who turned out to be a North Korean hacker. The firm revealed in a blog post that as soon as the employee received a company-issued Mac, it began to load malware. The Mac's onboard security software detected the malware, however, and the company was able to prevent
    the hacker from using the device to compromise its internal systems.

    ------------------------------

    Date: Sat, 27 Jul 2024 08:22:11 -0700
    From: "Peter G. Neumann" <peter.neumann@sri.com>
    Subject: New Israeli Spyware (Ha'aretz)

    Israeli Cyber Firms Have Developed an 'Insane' New Spyware Tool. No Defense Exists - Israel News (Ha'aretz)
    https://www.haaretz.com › Israel News

    According to a September 2023 Haaretz magazine article, the Israeli
    cyberfirm Insanet has developed a new spyware tool called Sherlock that uses ads for tracking and infection. The company was founded by well-known entrepreneurs in offensive cyber and digital intelligence, and is owned by former defense establishment members, including Dani Arditi, a former head
    of the National Security Council.

    ------------------------------

    Date: Fri, 26 Jul 2024 08:14:43 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Windows resiliency: Best practices and the path forward

    https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-resiliency-best-practices-and-the-path-forward/ba-p/4201550

    [Please remember that *best practices* are generally a minimal set of
    practices that is seriously incomplete and sometimes inappropriate,
    particularly in systems with critical requirements. PGN]

    ------------------------------

    Date: Sat, 27 Jul 2024 10:09:21 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Google reverts TV YouTube app to original search history behavior

    On 21 July I noted that the TV app for YouTube (e.g. Android TV, Chromecast with Google TV) had become much harder to use since user-specific search history was no longer being shown, replaced with a list of (as far as I'm concerned) utterly useless "hot, trending" topics. This meant that users had
    to manually reenter their common searches with every use. Extremely bad user experience. I made my concerns about this change known to Google. I'm sure I wasn't the only one.

    I'm pleased to report that as of this morning, the original behavior has returned to the TV app, with user search history now appearing as it did before. Since this was not the case last night, and the app version is now dated 24 July, this clearly is an update.

    ------------------------------

    Date: Mon, 29 Jul 2024 13:03:24 +0100
    From: Martin Ward <mwardgkc@gmail.com>
    Subject: CrowdStrike and fuzz testing

    CrowdStrike were using a *signed* *verified* kernel driver that crashed and caused a blue screen when given a data file consisting of all binary zeros.

    Testing programs with random inputs dates back to the 1950s when data was
    still stored on punched cards. Programmers would use punched cards that were pulled from the trash or card decks of random numbers as input to computer programs. If an execution revealed undesired behavior, a bug had been
    detected.

    In the late 1980's, Prof Barton Miller uncovered bugs in Unix (user mode) utilities by feeding them with random data, a testing method for which he coined the term "fuzz testing".

    In April 2012, Google announced ClusterFuzz, a cloud-based fuzzing infrastructure for security-critical components of the Chromium web browser.

    In September 2014, Shellshock was disclosed as a family of security bugs in
    the widely used UNIX Bash shell; most vulnerabilities of Shellshock were
    found using the fuzzer AFL.

    In April 2015, Hanno Böck showed how the fuzzer AFL could have found
    the 2014 Heartbleed vulnerability.

    In September 2016, Microsoft announced Project Springfield, a cloud-based
    fuzz testing service for finding security critical bugs in software.

    In September 2020, Microsoft released OneFuzz, a self-hosted fuzzing-as-a-service platform that automates the detection of software bugs.

    And yet, despite all of this, Microsoft
    signed the CrowdStrike kernel mode driver *without* doing *any* fuzz
    testing!

    Then, CrowdStrike released a data file without testing it.

    Then, all the purchasers of CrowdStrike software installed the update
    on their live systems the moment it was released, without testing
    it first.

    Then, the systems running critical infrastructure bluescreened and could
    not be fixed remotely, despite the fact that they (1) were controlling
    critical infrastructure and (2) were running MicroSoft software
    which is infamous for bluescreening. (They could have used virtual
    machines or KVM switches to enable remote access at the hardware level).

    MicroSoft's greatest contribution to the computer industry has been to
    convince people that computer errors are just "glitches": a force of nature that we just have to put up with and cannot do anything about. According to Microsoft, CrowdStrike affected *only* 8.5 million machines ("less than 1%
    of all Windows computers"), so canceling 6.5% of all air flights worldwide, stopping hospitals from doing anything but emergency operations, preventing
    911 calls from going through and so on and so on, is just not a big
    deal. Nobody needs to lose their job, or stop using MicroSoft software
    because of it!

    [Nevertheless, it was a big deal for a lot of people
    who were personally affected. PGN]

    ------------------------------

    Date: Fri, 26 Jul 2024 10:59:22 +0100
    From: Julian Bradfield <jcb@inf.ed.ac.uk>
    Subject: Re: U.S. Gender Care Is Ignoring ... (Ward, RISKS-34.37)

    The so-called "comprehensive review" is the UK Cass Report which has been widely criticised for ignoring 98% of the published science: because these studies did not use double-blind testing. But in a medical environment
    where a treatment is already known to be effective, double-blind testing
    is unethical and evil.

    This is itself gross misrepresentation.

    The Cass Review considered 103 papers, of which 2% were considered "high-quality", and 56% "moderate quality", and all these were
    included in the analysis.

    Responses to this and some other misrepresentations can be seen
    here:

    https://cass.independent-review.uk/home/publications/final-report/final-report-faqs/

    ------------------------------

    Date: Sat, 27 Jul 2024 12:43:55 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: Switzerland now requires all government software to
    be open source (RISKS-34.37)

    I suspect that this law is not going to achieve what legislators hope for.

    Companies who wish to keep their code hidden can do it while still formally complying with the law. E.g., they can post code in assembly (which can be generated automatically by tools like "cc -S") if regulations allow it.
    There are also shrouding tools which remove comments and change all
    statements to something like "felicity = commandment + serenity".

    Such practices may adhere to the letter of the law, but make "public" code virtually unusable for any practical purpose.

    ------------------------------

    Date: Sat, 28 Oct 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 34.38
    ************************
