RISKS-LIST: Risks-Forum Digest Sunday 27 November 2022 Volume 33 : Issue 54

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.54>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Why artificial intelligence is now a primary concern for Henry Kissinger
(David Ignatius)
Alphabet installed software on user devices without their knowledge,
permission, or even data enabled. (Mark E Jeftovic via Peter Houppermans) Major tax-filing websites secretly share income data with Meta
(Ars Technica)
Thinking about taking your computer to the repair shop? Be very afraid
(Ars Technica)
The airport of the future is the airport of today -- and that's not good.
(PapersPlease)
What Riding in a Self-Driving Tesla Tells Us About the Future of Autonomy
(NYTimes)
ID.me made baseless pandemic fraud claims to win contracts, Congress says
(Ars Technica)
Redacted Documents Are Not as Secure as You Think (WiReD)
The World Generates So Much Data, New Unit Measurements Were Created to Keep
Up (NPR)
Massive Twitter data breach was far worse than reported, reveal security
researchers (9to5mac)
Twitter, Mastodon Handle, and App (Paul Roberts)
Idle Crypto Is the Devil's Workshop (The New York Times)
What Happens When Crypto Meets Ted Lasso (NYTimes)
U.S. authorities seize iSpoof, a call spoofing site that stole millions
(Tech Crunch)
How Amazon shopping ads are disguised as real results (WashPost)
RansomExx joins the ranks of ransomware gangs switching to Rust (Cybernews)
How a Jewish Group's Online Surveillance Uncovered a Synagogue Plot
(NYTimes)
Sundry twitter items (Lauren Weinstein PGN-culled)
Elon's phone confusion (Lauren Weinstein)
They Weren't Rich But They Wanted to invest. Then They Lost Everything on
FTX (Mother Jones)
Re: NordStream (Nicolas Flamant Yotti)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 26 Nov 2022 16:06:27 -0500
From: Monty Solomon <monty@roscom.com>
Subject: hy artificial intelligence is now a primary concern for Henry
Kissinger (David Ignatius)

David Ignatius, The Washington Pst, 24 Nov 2022
If leading powers don't find ways to limit AI's reach,
Henry Kissinger warns, ``it is simply a mad race for some catastrophe.''`

https://www.washingtonpost.com/opinions/2022/11/24/artificial-intelligence-risk-kissinger-warning-weapons/

------------------------------

Date: Wed, 23 Nov 2022 07:04:27 +0100
From: Peter Houppermans <peter@houppermans.net>
Subject: Alphabet installed software on user devices without their
knowledge, permission, or even data enabled.

I picked this up via Mark E Jeftovic's Axis of Easy, and it's worth paying attention to:

https://www.zerohedge.com/political/lawsuit-claims-massachusetts-installed-covid-19-spyware-1-million-devices

I merely summarize:

1. Software was installed by Google, sorry, Alphabet on behalf of a
government without the user's involvement or knowledge;
2. This installation was explicitly hidden from the user;
3 Alphabet appears to have means to enable data downloads explicitly
against the wishes of the user.

------------------------------

Date: Tue, 22 Nov 2022 16:29:53 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Major tax-filing websites secretly share income data with Meta
(Ars Technica)

Financial data was sent to Meta by TaxAct, H&R Block, and TaxSlayer.

https://arstechnica.com/tech-policy/2022/11/major-tax-filing-websites-secretly-share-income-data-with-meta/

------------------------------

Date: Tue, 22 Nov 2022 16:31:38 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Thinking about taking your computer to the repair shop?
Be very afraid (Ars Technica)

Not surprisingly, female customers bear the brunt of the privacy violations.

https://arstechnica.com/information-technology/2022/11/half-of-computer-repairs-result-in-snooping-of-sensitive-data-study-finds/

------------------------------

Date: November 24, 2022 11:39:33 JST
From: "Edward Hasbrouck" <edward@hasbrouck.org>
Subject: The airport of the future is the airport of today -- and that's not
good. (PapersPlease)

A case study and post-pandemic holday travel horror story: https://papersplease.org/wp/2022/11/23/the-airport-of-the-future-is-the-airport-of-today-and-thats-not-good/

Today, the day before Thanksgiving, will probably be the busiest day for air travel in the USA since the outbreak of the COVID-19 pandemic in early 2020.
If you are flying this week for the first time in three years, what will you see that has changed? Unfortunately, many of the most significant changes
made during the pandemic are deliberately invisible -- which is part of that makes them so evil.

During the pandemic, largely unnoticed, the dystopian surveillance-by design airport of the future that we've been worried and warning about for many
years has become, in many places, the airport of today.

While travelers were sheltering in place during the COVID-19 pandemic,
airports have taken advantage of the opportunity to move ahead with
expansion and renovation projects. While passenger traffic was reduced,
and terminals and other airport facilities were operating well below
capacity, disruptions due to construction could be minimized.

A characteristic feature of almost all new or newly-renovated major airports
in the U.S. and around the world is that they are designed and built on the assumption that all passengers' movements within the airport will be tracked
at all times, and that all phases of passenger processing will be carried
out automatically using facial recognition.

In the airport of the future, or in a growing number of present-day
airports, there's no need for a government agency or airline that wants to
use facial recognition to install cameras or data links for that purpose.
As in the new International Arrivals Facility at Sea-Tac Airport, which
opened this year, the cameras and connectivity are built into the facility
as common-use public-private infrastructure shared by airlines, government agencies, and the operator of the airport -- whether that's a public agency
(as with almost all U.S. airports) or a private company (as with many
foreign airports).

This integrated and as-invisible-as-possible surveillance infrastructure exemplifies the malign convergence of interests between government agencies that want to identify and track travelers for pre-crime predictive profiling and control, and airlines and airports (motivated by business efficiency
even when they are operated by instrumentalities of state and local governments) that want to use the same hardware, and data from government ID databases, for business process automation and revenue maximization.

That malign convergence of interests extends to an interest in making surveillance tech inconspicuous and, if it is visible at all, making it
appear normal and unavoidable. Neither government agencies nor travel
companies nor airports want travelers to notice or question what is
happening, or want to take responsibility for it. If travelers ask
questions, airlines want to be able to answer, ``the Federal government made
us do it'', even if that isn't true (as it unquestionably isn't for
U.S. citizens or any domestic flyers within the U.S.).

The integration of facial recognition into the airport structure makes these surveillance systems and practices much less visible -- by design -- than retrofitted or standalone surveillance cameras. Their positioning along the flow of passengers from airport entrance to aircraft door makes it almost impossible to pass through the airport and board a plane without being photographed, identified, and tracked.

Opting out is, in these new airports and terminals, a purely theoretical
option for travelers who already know their rights (without being given
notice of them), figure out how to assert them (again without notice) and
who are willing to put up with additional questioning, search, and/or delay.

More: https://papersplease.org/wp/2022/11/23/the-airport-of-the-future-is-the-airport-of-today-and-thats-not-good/

------------------------------

Date: Sun, 27 Nov 2022 13:51:14 -0500
From: Monty Solomon <monty@roscom.com>
Subject: What Riding in a Self-Driving Tesla Tells Us About the Future of
Autonomy (NYTimes)

https://www.nytimes.com/interactive/2022/11/14/technology/tesla-self-driving-flaws.html

------------------------------

Date: Tue, 22 Nov 2022 16:40:38 -0500
From: Monty Solomon <monty@roscom.com>
Subject: ID.me made baseless pandemic fraud claims to win contracts,
Congress says (Ars Technica)

https://arstechnica.com/tech-policy/2022/11/id-me-made-baseless-pandemic-fraud-claims-to-win-contracts-congress-says/

------------------------------

Date: Fri, 25 Nov 2022 21:52:50 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Redacted Documents Are Not as Secure as You Think (WiReD)

https://www.wired.com/story/redact-pdf-online-privacy/

------------------------------

Date: Wed, 23 Nov 2022 12:01:56 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: The World Generates So Much Data, New Unit Measurements Were
Created to Keep Up (NPR)

Ashley Ahn, NPR, 19 Nov 2022

Four new prefixes to the International System of Units were announced by the 27th General Conference on Weights and Measures on 18 Nov 2022, marking the first expansion of the metric system since 1991. The new prefixes are ronna
(27 zeroes after the first digit) and quetta (30 zeroes) at the top of the measurement range, and ronto (27 zeroes after the decimal point) and quecto
(30 zeroes) at the bottom. Said the UK's National Physical Laboratory
(NPL), "The change was largely driven by the growing requirements of data science and digital storage, which is already using prefixes at the top of
the existing range (yottabytes and zettabytes, for expressing huge
quantities of digital information)." NPL indicated ronto and quecto will be useful in quantum science and particle physics.

[And of course it will never stop. Y'otta do something abyte it. Maybe
ronna contest for the next prefixes, send a ronto to toRonto, hold a
ban-quetta. We already have the Irish Zetta. I wonder how many people
will confuse ronna and ronto. PGN]

------------------------------

Date: Fri, 25 Nov 2022 22:19:11 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Massive Twitter data breach was far worse than reported, reveal
security researchers (9to5mac)

https://9to5mac.com/2022/11/25/massive-twitter-data-breach/

------------------------------

Date: Wed, 23 Nov 2022 17:14:43 -0500
From: Paul Roberts <paulroberts@gmail.com>
Subject: Twitter, Mastodon Handle, and App

I think we're seeing an Elon Musk blindspot. Essentially: he's purchased a *social network*, but seems to think that the secret to making it work is
the same as the solution for Tesla and SpaceX -- namely: excellent
engineering. Undoubtedly, there are ways to improve the Twitter platform,
as Mudge has pointed out. But what has kept users coming to Twitter and
*giving it* high-quality content is the social network bit, not the
platform, per se. It is having people you respect there, alongside you,
sharing ideas and engaging in conversations. Musk -- who is clearly not
gifted in person-to-person interactions -- just misses that. That's also why
he doesn't see why the *TwitChan* platform he's unleashed, in which trolls
hurl racial, misogynistic and antisemitic epithets, conspiracy theories, and unbridled hate speech without consequence will drive people *away* from the commons rather than draw them to it.

You can have an amazing social media platform, but without creatives to
provide it with content, Twitter is doomed. Looking at Twitter purely from
the engineering/coding perspective misses this bigger, deeper *truth* for Twitter. Alas, Musk has missed the window to get this right, hold on to the critical 10% of creatives and thinkers who provide 90% of the content and promote Twitter as a "pro social" platform with -- perhaps -- a slightly
more coarse filter (literally).

Next stop: bankruptcy.

[Borrowed with permission from another group. New-ants instead of Nuance?
Although `formal' is not the root of formaldahyde, `formic' is the root of
all ants. Perhaps twitter should be embalmed, and placed in its full
nakedness on permanent public view for all to see. PGN]

------------------------------

Date: Sun, 27 Nov 2022 22:40:03 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Idle Crypto Is the Devil's Workshop (The New YorkTimes)

The newest monetary system in the world may be undone by the oldest problem there is.

A few weeks ago, Sam Bankman-Fried's FTX cryptocurrency exchange collapsed
in a classic run. Investors were spooked by evidence that the exchange had mismanaged their money and couldn't pay them back, so they panicked. And
they were right. They couldn't get their money back.

The blockchain technology behind cryptocurrency was supposed to make events like this a thing of the past. But FTX's business was to serve as a gateway into (and out of) cryptocurrency. That business still depends on humans to serve as honest gatekeepers. And we've seen over and over that humans can't resist the main temptation that comes with this role: to use their
customers' money for their own purposes.

https://www.nytimes.com/2022/11/27/opinion/ftx-sam-bankman-fried-fullenkamp.html

------------------------------

Date: Sun, 27 Nov 2022 13:43:42 -0500
From: Monty Solomon <monty@roscom.com>
Subject: What Happens When Crypto Meets Ted Lasso (NYTimes)

What Happens When Crypto Meets Ted Lasso

A group of American cryptocurrency investors is trying to turn an obscure English soccer club into the *Internet's team* with a global following of crypto[currency] enthusiasts.

https://www.nytimes.com/2022/11/06/business/crypto-soccer-crawley.html

[Socc'er to'em. PGN]

------------------------------

Date: Thu, 24 Nov 2022 15:57:13 -0500
From: Monty Solomon <monty@roscom.com>
Subject: U.S. authorities seize iSpoof, a call spoofing site that stole
millions (Tech Crunch)

https://techcrunch.com/2022/11/24/ispoof-seized/

------------------------------

Date: Fri, 25 Nov 2022 01:23:46 -0500
From: Monty Solomon <monty@roscom.com>
Subject: How Amazon shopping ads are disguised as real results (WashPost)

https://www.washingtonpost.com/technology/interactive/2022/amazon-shopping-ads/

------------------------------

Date: Sun, 27 Nov 2022 10:09:34 -0500
From: Monty Solomon <monty@roscom.com>
Subject: RansomExx joins the ranks of ransomware gangs switching to Rust
(Cybernews)

https://cybernews.com/news/ransomexx-switching-to-rust/

------------------------------

From: Monty Solomon <monty@roscom.com>
Date: Sun, 27 Nov 2022 13:04:11 -0500
Subject: How a Jewish Group's Online Surveillance Uncovered a Synagogue Plot
(NYTimes)

The Community Security Initiative of the UJA-Federation of New York sounded
the alarm that set off the manhunt that ended in two arrests.

https://www.nytimes.com/2022/11/22/nyregion/nyc-synagogue-threats-twitter.html

------------------------------

Date: Tue, 22 Nov 2022 21:15:32 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Sundry twitter items (PGN-culled)

Sam Bankman-Fried, Elon Musk, and a secret text https://www.semafor.com/article/11/22/2022/sam-bankman-fried-elon-and-a-secret-text

Elon Musk Tweets Defense of Cop Who Killed Unarmed Black Man in Ferguson
Missouri

https://gizmodo.com/elon-musk-tweets-cop-killed-unarmed-black-man-ferguson-1849815713

Musk running another phony poll to bring back most suspended users:
"Should Twitter offer a general amnesty to suspended accounts, provided
that they have not broken the law or engaged in egregious spam?"
Now you know why people are referring to Elon's Twitter as $8chan. It's
headed toward being the most toxic place on the Net for however long it
lasts -- which isn't likely to be long under these conditions. -L

[Eric Sosman queries, ``Might there be a serpent in the Garden of Elon?''
PGN]

High-profile Apple executive overseeing App Store deleted his Twitter
account, which had over 200,000 followers https://finance.yahoo.com/news/high-profile-apple-executive-overseeing-142618165.html

Elon Musk Inherited Twitter's Child Abuse Nightmare--Experts Say He's Making
It Worse

https://www.forbes.com/sites/alexandralevine/2022/11/18/elon-musk-twitter-csam-lawsuit/

------------------------------

Date: Sat, 26 Nov 2022 08:28:27 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Elon's phone confusion

It was amusing yesterday hearing Musk talking about "building his own phone"
if #Twitter is tossed from the #Apple and #Google app stores for violations
of their Terms of Service. Notably, his comment gives us instant insight
into his lack of knowledge in this area. Let's review:

1) There was already supposed to be a Tesla Pi phone to be available by
perhaps the end of this year. Maybe it will arrive in a fully self-driving Tesla without a human driver.

2) He doesn't actually need to build his own phone. If he wants an Elon
phone, he could just rebrand one of the many Chinese Android clone phones (though notably, most of these will not have Play Store access, see below).

3) The phone isn't the problem for a toxic Twitter. The *ecosystems* are the issue. The Apple and Google smartphones ecosystems are built to provide end-to-end security for apps, best effort protection against malware (e.g., Google's Play Store "Play Protect" that scans apps for malware), and so
on. If an app is not in the app stores, you can't easily run that app. Sure, Elon could sell a clone phone with his pay-to-play Twitter app already installed, but that phone would not be expected to have access to the Google Play Store for other apps unless they were preloaded also. Now you also need
an update mechanism for the apps. Essentially, you have to build an entire
new ecosystem.

4) Apple currently locks down their iOS devices tightly against non-app
store apps. This will be changing with new EU rules coming into force. On
the other hand, Google has always permitted sideloading of (non-Play Store) Android apps by knowledgeable users. Technically, Elon could promote users sideloading a Twitter app on Android (and presumably eventually iOS) to
bypass app store restrictions. However, there is definitely significantly increased friction and potential for user confusion in this model.

5) We've heard Elon complain about the cut that the Apple and Google app
stores take from app revenues. This of course only is an issue if your app isn't free and/or is charging users for something. This tends to validate
the observation that Elon wants to turn all Twitter users into an ongoing profit center -- thus his talk about crypto, banking, etc. via Twitter, and
his "anything app" fixation. While he may be able to convince significant numbers of users to pay him continuously for now worthless blue checks, the extent to which large numbers of Internet users will want to participate in
a "your entire life belongs to Elon" app/banking ecosystem remains to be
seen. -L

------------------------------

Date: Fri, 25 Nov 2022 01:34:22 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: They Weren't Rich But They Wanted to invest. Then They Lost
Everything on FTX (Mother Jones)

The amateur investors who trusted the crypto platform have lost a shot at financial stability. He Lost $17,000 in Crypto. https://www.motherjones.com/politics/2022/11/ftx-ftt-users-losses-alameda-sam-bankman-fried/

Here's How to Avoid His Mistake: He's not the first person to suffer this
fate, but hopefully he can be the last. https://www.wired.com/story/i-lost-17000-dollars-crypto-how-to-avoid/

------------------------------

Date: Tue, 22 Nov 2022 13:19:13 +0000
From: "Nicolas Flamant Yotti" <nicolas.flamant@papernest.com>
Subject: Re: NordStream (RISKS-33.50 and RISKS-33.52)

My colleague Kendall sent you some information about the aftermath of the nordstream pipe bursting which was uploaded here right away:
https://seclists .org/risks/2022/q4/3
Here is a follow-up.

Carbon offsetting

<https://t.sidekickopen84.com/s3t/c/5/f18dQhb0S7kF8bWDTTW1C5FXw59hl3kW7_k2841CX6NGN36PYCpvfv7lW7vZ0Py3jpv0Sf197v5Y04?te=W3R5hFj4cm2zwW4mKLS-4cRxF8W3F7sbd3ZSz4qW3FbmCt3XvbfRW3K3psD3K76ZWW3P8KrX3zgCBpW41p0wR3M7MSgf4fJfX_V3&si=8000000023715636&pi=b900d744-
9de6-431f-eb58-041670f2b14f>

Projects estimate the emissions they have prevented by predicting how much deforestation and land clearing would have occurred without them. The reductions are then sold on as credits. We found their predictions were
often inconsistent with previous levels of deforestation in the area and in some cases, the threat to the trees may have been overstated.

There is a reason that Indigenous Environmental Network and Indigenous
Climate Action held a protest against offsetting at COP26, the UN's annual climate conference: Offsetting incentivises the commodification of nature
and allows powerful corporations to take over the lands of vulnerable communities, risking human rights abuses. Offset schemes often exclude local and Indigenous Peoples from land management practises that allow them to
grow food and preserve biodiversity. <https://t.sidekickopen84.com/s3t/c/5/f18dQhb0S7kF8bWDTTW1C5FXw59hl3kW7_k2841CX6NGN36PYCpvfv7lW7vZ0Py3jpv0Sf197v5Y04?te=W3R5hFj4cm2zwW4mKLS-3T1jVGW45Nq0H3K78fMW3FbmCt3Xv9WMW3T0W843JF3YjW3zdZ6p1LBDN_
W4cgyYh45n4V3W3F9cm73zhrNGW4cQK1L3T3KWNW41QW513K77SmW4cfM1M3M7MSgW4fJfX_1GysvpW1YZrlM24RsJK39x12&si=8000000023715636&pi=b900d744-9de6-431f-eb58-041670f2b14f>
<https://t.sidekickopen84.com/s3t/c/5/f18dQhb0S7kF8bWDTTW1C5FXw59hl3kW7_k2841CX6NGN36PYCpvfv7lW7vZ0Py3jpv0Sf197v5Y04?te=W3R5hFj4cm2zwW4mKLS-3P5VTyW41WVrw3F6bT3W49LdrL41YyllW41PGFk43TBFHW1Lw2bX45LLHwW41pRqm45n4V50&si=8000000023715636&pi=b900d744-9de6-431f-
eb58-041670f2b14f>,

A research on programs in the Brazilian Amazon headed by scientist and
former project inspector Thales West discovered that initiatives
consistently misrepresented their carbon reductions. The procedures, he claimed, ``are not robust enough, leaving room for projects to obtain credits that have no influence at all on the environment.''

Source: https://www.switch-plan.co.uk/green-energy/carbon-offsetting/

In charge of digital partnerships for papernest UK
*+44 789 9829 913*
*nicolas.flamant@papernest.com* <nicolas.flamant@papernest.com>
www.papernest.co.uk

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.

SUBSCRIPTIONS: The mailman Web interface can be used directly to

subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that

includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.

SPAM challenge-responses will not be honored. Instead, use an alternative

address from which you never send mail where the address becomes public!

The complete INFO file (submissions, default disclaimers, archive sites,

copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's

searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.

Special Offer to Join ACM for readers of the ACM RISKS Forum:

<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.54
************************

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)