• Risks Digest 33.79

    From RISKS List Owner@21:1/5 to All on Sun Aug 20 00:26:47 2023
    RISKS-LIST: Risks-Forum Digest Saturday 19 August 2023 Volume 33 : Issue 79

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/33.79>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Voyager 2: NASA Loses Contact With Probe After Sending Wrong Command
    (Business Insider)
    American Airlines flight from Logan delayed Monday after close call with
    Spirit Airlines (The Boston Globe)
    Birds and fish competing with squirrels for power failures (Fox)
    Lahaina: single points of failure (Henry Baker)
    More than 134,000 Mass. residents part of data security breach
    (The Boston Globe)
    Windows feature that resets system clocks based on random data is wreaking
    havoc (Ars Technica)
    For the Good of Society, Hackers Prod AI to Be Bad (NYTimes)
    San Francisco robotaxi traffic jam is a warning to the world, says city
    official (CBC)
    CA DMV orders Cruise to reduce robotaxi fleet in SF by 50% after
    collision with fire truck, injuring passenger (TechCrunch)
    The rapid expansion of robotaxis in major cities MUST BE STOPPED
    (Lauren Weinstein)
    Potential NYT lawsuit could force OpenAI to wipe ChatGPT and start
    over (Ars Technica)
    An Iowa school district is using ChatGPT to decide which books to
    ban (The Verge)
    Not AI? (Cliff Kilby)
    Crypto smart contracts still stupid (Amy Castor)
    Attackers find new ways to deliver DDoSes with "alarming" sophistication
    (Ars Technica)
    `Bitcoin Bonnie and Clyde' plead guilty in `spy novel'-like laundering case
    (WashPost)
    Microsoft pulls article recommending Ottawa Food Bank to tourists (CBC)
    Cheese and chips: parmesan producers fight fakes with microtransponders
    (The Guardian)
    Ukraine busts bot farm spreading Russian infowar propaganda and frauds
    (The Register)
    Imposter scams are the top U.S. fraud (NPR)
    Good reason to keep BMC LAN connections on an isolated LAN
    (Ars Technica)
    Internet Archive's legal woes mount as record labels sue for $400M
    (Ars Technica)
    AI chatbot scares Snapchat users by posting mysterious video
    (Ars Technica)
    Re: Don't use our content to train AI systems (Amos Shapir)
    Re: Cellphone Radiation Is Harmful, but Few Want to Believe It (PGN)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 1 Aug 2023 23:53:27 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Voyager 2: NASA Loses Contact With Probe After Sending
    Wrong Command (Business Insider)

    NASA accidentally lost contact with its Voyager 2 probe after sending a
    wrong command. It could mean the end of its 46-year-old mission.

    [The requirements specifiers, designers, and programmers forgot about
    "undo"? or required confirmation of questionable inputs? Foresight,
    forsooth farsight, when it is that FAR AWAY? PGN]

    https://www.businessinsider.com/nasa-loses-contact-voyager-2-sent-wrong-command-mistake-space-2023-8

    ------------------------------

    Date: Wed, 16 Aug 2023 23:20:24 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: American Airlines flight from Logan delayed Monday after close
    call with Spirit Airlines (The Boston Globe)

    The close call was the fourth time this year aircraft at Logan have inadvertently flown close to one another, according to FAA records.

    https://www.bostonglobe.com/2023/08/16/metro/american-airlines-flight-logan-delayed-monday-after-close-call-with-spirit-airlines/

    ------------------------------

    Date: Wed, 16 Aug 2023 21:32:05 +0000
    From: danny burstein <dannyb@panix.com>
    Subject: Birds and fish competing with squirrels for power failures (Fox)

    https://www.foxnews.com/us/unlikely-animal-falls-from-sky-knocks-power-out-thousands-new-jersey-town

    A fish dropped out of the sky by its bird captor caused a power outage for
    a section of homes in a New Jersey town, officials say. "There is a large
    area of Lower Sayreville without power. [Jersey Central Power & Light] is
    reporting a [fish emoji] was found on a transformer."

    ------------------------------

    Date: Thu, 17 Aug 2023 20:03:34 +0000
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: Lahaina: single points of failure

    High winds => downed power lines => sparked fires =>
    melted water lines + pumping power loss => no way to fight the fires.

    Reminds me of the 'Useless Box' that Turns Itself Off: https://www.youtube.com/watch?v=3KTilOsXBmU

    Lahaina clearly demonstrates the Major Risk of *centralized electrical power systems*; to gain resilience, we *have* to move to *distributed electrical power systems*, aka 'microgrids':

    https://www.nrel.gov/grid/microgrids.html

    "Advanced microgrids enable local power generation assets -- including
    traditional generators, renewables, and storage -- to keep the local grid
    running even when the larger grid experiences interruptions or, for remote
    areas, where there is no connection to the larger grid."

    https://www.nytimes.com/2023/08/13/us/lahaina-water-failure.html

    As Inferno Grew, Lahaina's Water System Collapsed

    Firefighters who rushed to contain the Maui wildfire found that hydrants
    were running dry, forcing crews to embark instead on a perilous rescue
    mission.

    West Maui's water system relies on electrical power to pump water through
    the network and deliver it to fire hydrants, and officials at Hawaiian Electric, the state's main electrical utility, have said that the need to maintain this pumping capability has made it difficult to shut off power
    when high winds pose a fire risk.

    ``Pre-emptive, short-notice power shut-offs have to be coordinated with first-responders and in Lahaina, electricity powers the pumps that provide
    the water needed for firefighting,'' said Jim Kelly, a spokesman for the utility.

    [Re: the sirens, discussed in an earlier RISKS issue, I heard a news
    report faulting officials that the sirens were not used. The rebuttal
    justification seemed to be that their use was primarily for tsunamis, for
    which people are trained to move inland to higher altitudes as fast as
    possible -- which may not have been relevant here. PGN]

    ------------------------------

    Date: Wed, 16 Aug 2023 22:52:34 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: More than 134,000 Mass. residents part of data security breach
    (The Boston Globe)

    https://www.boston.com/news/crime/2023/08/16/massachusetts-data-security-breach-moveit-umass-chan-medical-school/

    ------------------------------

    Date: Thu, 17 Aug 2023 11:15:37 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Windows feature that resets system clocks based on random data is
    wreaking havoc (Ars Technica)

    Windows Secure Time Seeding resets clocks months or years off the correct
    time.

    A few months ago, an engineer in a data center in Norway encountered some perplexing errors that caused a Windows server to suddenly reset its system clock to 55 days in the future. The engineer relied on the server to
    maintain a routing table that tracked cell phone numbers in real time as
    they moved from one carrier to the other. A jump of eight weeks had dire consequences because it caused numbers that had yet to be transferred to be listed as having already been moved and numbers that had already been transferred to be reported as pending. [...]

    https://arstechnica.com/security/2023/08/windows-feature-that-resets-system-clocks-based-on-random-data-is-wreaking-havoc

    ------------------------------

    Date: Thu, 17 Aug 2023 12:07:34 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: For the Good of Society, Hackers Prod AI to Be Bad
    (NYTimes)

    Sarah Kessler and Tiffany Hsu, *The New York Times* business front
    page, 17 Aug 2023

    AI Village was part of a White-House endorsed contest to expose weak
    spots before the criminals can. [PGN-ed]

    [Instead of Biden' our time and waiting for rampant Zero-day misuses
    to emerge, RISKS readers should find pre-zero days (subzero?)
    salubrious. Although it clearly took a village, there were no
    bounties. However, two of the three top scores of the judges were
    attributed to Cody Ho, a Stanford CS student. PGN]

    ------------------------------

    Date: Thu, 17 Aug 2023 06:49:19 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: San Francisco robotaxi traffic jam is a warning to the
    world, says city official (CBC)

    https://www.cbc.ca/radio/asithappens/san-francisco-robotaxi-traffic-jam-1.6938440

    The day after California approved an expansion of driverless taxis, 10 of
    them came to a grinding halt on a busy San Francisco street, creating a gridlock that encompassed several blocks.

    The culprit? A music festival.

    "Cell phones were overwhelmed, and as a result, they were not able to take
    control of these cars -- which is a pretty frightening systemic defect,"
    Aaron Peskin, president of the San Francisco Board of Supervisors (SFBV),
    told As It Happens guest host Paul Hunter.

    Not only was there the 10-car back-up of Cruise-owned autonomous taxis in
    the city's North Shore neighbourhood on Friday, but on the other side of the
    city, closer to the Outside Lands music festival, Peskin said "there were
    also scores of them that came to a grinding halt."

    ------------------------------

    Date: Fri, 18 Aug 2023 18:57:24 -0700
    From: PRIVACY Forum mailing list <privacy@vortex.com>
    Subject: CA DMV orders Cruise to reduce robotaxi fleet in SF by 50% after
    collision with fire truck, injuring passenger [on 17 Aug] (TechCrunch)

    https://techcrunch.com/2023/08/18/cruise-told-by-regulators-to-immediately-reduce-robotaxi-fleet-50-following-crash/

    Of course, just a handful of days ago the CPUC said Waymo and Cruise could
    vastly expand their fleets in SF. At least the DMV has some sense about
    this half-baked tech. -L

    ------------------------------

    Date: Thu, 17 Aug 2023 12:01:09 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: The rapid expansion of robotaxis in major cities
    MUST BE STOPPED (The Verge and KTVU)

    The technology is not ready. The alarms are blinking RED. It's beyond irresponsible to push out this half-baked tech this way. -L

    https://www.theverge.com/2023/8/15/23831170/robotaxi-cpuc-sf-waymo-cruise-traffic-halt

    [Die Verge-ntly? Deja(kt) Vu? PGN]

    https://www.ktvu.com/news/san-francisco-asks-regulators-to-stop-approval-of-robotaxi-expansion-after-recent-blunders

    ------------------------------

    Date: Thu, 17 Aug 2023 11:39:09 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Potential NYT lawsuit could force OpenAI to wipe ChatGPT and start
    over (Ars Technica)

    https://arstechnica.com/tech-policy/2023/08/report-potential-nyt-lawsuit-could-force-openai-to-wipe-chatgpt-and-start-over/

    ------------------------------

    Date: Tue, 15 Aug 2023 23:37:00 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: An Iowa school district is using ChatGPT to decide which books to
    ban (The Verge)

    https://www.theverge.com/2023/8/15/23833167/iowa-book-ban-chatgpt-mason-city-community-school-district-removal

    ------------------------------

    Date: Thu, 17 Aug 2023 14:29:32 -0400
    From: Cliff Kilby <cliffjkilby@gmail.com>
    Subject: Not AI?

    I know it's difficult to stop a media trend once it has begun but there is
    no current functionally complete AI available. I propose the counter
    inflammatory term *Dijkstra's demon*. The underlying algorithms that drive
    LLMs are essentially pathfinders. Instead of connecting points for paths,
    they connect glyphs to form new glyphs (to borrow a term from Hofstadter).
    Comparing an LLM to a less than ideal way of connecting two subjects is a
    more accurate model to work from than the popular construction of a
    "thinking" machine.

    Also, in my non-legal opinion, start reserving derivative works in any of
    your statement of work negotiations. ChatGPT is almost entirely unusable
    now because it doesn't have a provenance for what it's spitting out.
    Now that you ask, yes, I am in fact in an armchair.

    [Why did the bot run off the glyph? It didn't see the other glyph. PGN
    parodizing the old joke -- Why did the RAM run off the cliff? (He didn't
    see the EWE-turn.)]

    ------------------------------


    Date: Fri, 4 Aug 2023 14:06:42 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Crypto smart contracts still stupid (Amy Castor)

    Curve: smart contracts, stupid humans

    "Smart contracts" are small programs that run right there inside a
    blockchain. In enterprise computing, these would be called "database
    triggers" or "stored procedures."

    You never use triggers or stored procedures unless you absolutely have to, because they're very easy to get wrong and a pain in the backside to
    debug. In the real world, you keep your financial data and the programs
    working on it separate.

    So, of course, crypto uses programs embedded in the database for everything
    and touts the difficulty in working with them as a feature and not evidence
    of the idea's incredible stupidity.

    A smart contract full of crypto can reasonably be treated as a piñata, just
    waiting for you to whack it in the right spot and get the candy.

    Today's piñata is Curve Finance, a DeFi exchange used for trading
    stablecoins and other tokens. Curve was hacked on July 30 due to a bug in
    the Vyper language compiler. Smart contracts that were using Vyper versions 0.2.15, 0.2.16, and 0.3.0 were vulnerable. About $70 million in funds was drained from liquidity pools whose smart contracts used these
    versions. [Twitter, archive; Twitter, archive]

    Vyper, which is inspired by Python, was supposed to have been an improvement over the hilariously awful Solidity -- a.k.a. "JavaScript with a concussion"
    -- that most Ethereum Virtual Machine smart contracts are written
    in. Unfortunately, the Vyper compiler had a bug that meant compiled code was exploitable. So you could mathematically prove your smart contract program
    was correct -- and the compiled version could still be exploited. This could
    hit any Vyper smart contract using vulnerable versions. [Twitter, archive]

    https://amycastor.com/2023/08/03/crypto-collapse-terra-judge-repudiates-ripple-finding-razzlekhan-cops-a-plea-binances-fdusd-stablecoin-coindesk-sold-smart-contracts-still-stupid/

    ------------------------------

    Date: Tue, 25 Jul 2023 08:01:02 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Attackers find new ways to deliver DDoSes with "alarming"
    sophistication (Ars Technica)

    Once crude and unsophisticated, DDoSes are now on par with those by nation-states.

    The protracted arms race between criminals who wage Distributed
    Denial-of-Service attacks and the defenders who attempt to stop them continues, as
    the former embraces *alarming* new methods to make their online offensives
    more powerful and destructive, researchers from content-delivery network Cloudflare reported Wednesday. With a global network spanning more than 300 cities in more than 100 countries around the world, Cloudflare has
    visibility into these types of attacks that's shared by only a handful of
    other companies. The company said it delivers more than 63 million network requests per second and more than 2 trillion domain lookups per day during
    peak times. Among the services that Cloudflare provides is mitigation for the[se] attacks. [... LONG and rather repetitive text PGN-truncated]

    https://arstechnica.com/security/2023/07/attackers-find-new-ways-to-deliver-ddoses-with-alarming-sophistication/

    ------------------------------

    Date: Fri, 4 Aug 2023 18:22:48 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: `Bitcoin Bonnie and Clyde' plead guilty in `spy novel'-like
    laundering case (WashPost)

    María Luisa Paúl https://www.washingtonpost.com/nation/2023/08/04/bitfinex-hack-guilty-plea/

    Heather Morgan and Ilya Lichtenstein hadn't been implicated in the 2016 Bitfinex hack itself - until Lichtenstein delivered a bombshell revelation Thursday.

    ------------------------------

    Date: Fri, 18 Aug 2023 21:06:02 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Microsoft pulls article recommending Ottawa Food Bank to tourists
    (CBC)

    https://www.cbc.ca/news/canada/ottawa/artificial-intelligence-microsoft-travel-ottawa-food-bank-1.6940356

    Microsoft has removed an article that advised tourists to visit the
    "beautiful" Ottawa Food Bank on an empty stomach, after facing ridicule
    about the company's reliance on artificial intelligence for news.

    But an unnamed Microsoft spokesperson later blamed the article's
    publication on "human error," rather than "unsupervised AI."

    ------------------------------

    Date: Sat, 19 Aug 2023 14:31:55 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Cheese and chips: parmesan producers fight fakes with
    micro-transponders (The Guardian)

    https://www.theguardian.com/food/2023/aug/18/parmesan-producers-fight-fakes-microtransponders-chips-rind

    Counterfeits are the bane of the Parmigiano Reggiano Consortium, which is
    now trialling tech in the rind

    ------------------------------

    Date: Thu, 20 Jul 2023 12:52:24 +0200
    From: Peter Houppermans <peter@houppermans.net>
    Subject: Ukraine busts bot farm spreading Russian infowar propaganda
    and fraud (The Register)

    https://www.theregister.com/2023/07/20/ukraine_busts_russian_bot_farm/

    "Ukrainian cops have disrupted a massive bot farm with more than 100
    operators allegedly spreading fake news about the Russian invasion, leaking personal information belonging to Ukrainian citizens, and instigating fraud schemes.

    After conducting 21 searches, the country's cyber and national police seized computer equipment, mobile phones, more than 250 GSM gateways, and about 150,000 SIM cards.

    "The Cyber Police established that the attackers used special equipment and software to register thousands of bot accounts in various social networks
    and subsequently launch advertisements that violated the norms and
    legislation of Ukraine," according to machine translation of the news alert issued by the police.

    Insiders in Vinnytsia, Zaporizhzhia, and Lviv were involved in the bot farm, we're told.

    I'm guessing that will also take some of the load problems from Twitter.

    ------------------------------

    Date: Wed, 16 Aug 2023 01:17:34 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Imposter scams are the top U.S. fraud (NPR)

    A 3-hour phone call that brought her to tears: Imposter scams cost Americans billions

    Valeria Haedo, a visual artist based in New York City, was caught off guard when she was targeted in a complex phone scam.

    It was a Monday in the middle of the day when Valeria Haedo got a phone call from a number she didn't recognize. She doesn't normally pick those up, but
    she did that day. The caller said his name was Officer Robert Daniels from
    U.S. Customs and Border Protection and he had a warrant for her arrest.

    He told Haedo she could verify him by Googling his name and department. She did, and it checked out. But what Haedo didn't realize in that moment is
    she'd just been targeted in an intricate scam. She was kept on the phone for more than three hours and eventually brought to tears.

    The scam is known as an imposter scam and is the top fraud in the U.S. right now. It involves the perpetrator impersonating an authority figure and using scare tactics to reel in victims. While these scams have been around
    forever, they've become more believable because con artists use real names
    of law enforcement officers that show up with caller ID from an actual
    office and even local accents. [...]

    https://www.npr.org/2023/06/19/1182464826/scammer-phone-calls-imposter-fraud

    ------------------------------

    Date: Fri, 21 Jul 2023 00:52:47 -0400
    From: Bob Gezelter <gezelter@rlgsc.com>
    Subject: good reason to keep BMC LAN connections on an isolated LAN
    (Ars Technica)

    A 2021 ransomware breach at Gigabyte reportedly compromised more than 112 gigabytes of data including code and other information related to
    widely-used baseboard management controllers (BMC) processors on system
    boards.

    The exposed defects reportedly include zero-day and code execution vulnerabilities. An update is being prepared to address known issues.

    I have long advocated connecting to BMC and similar control interfaces
    using a physically separate LAN. Remote access is necessary, but access to
    the isolated "walled garden" should be through a separate gateway portal.

    The Ars Technica article:

    https://arstechnica.com/security/2023/07/millions-of-servers-inside-data-centers-imperiled-by-flaws-in-ami-bmc-firmware/

    ------------------------------

    Date: Wed, 16 Aug 2023 00:17:09 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Internet Archive's legal woes mount as record labels sue for $400M
    (Ars Technica)

    The Internet Archive also reached a confidential settlement with book publishers.

    Major record labels are suing the Internet Archive, accusing the nonprofit
    of "massive" and "blatant" copyright infringement "of works by some of the greatest artists of the Twentieth Century."

    The lawsuit was filed Friday in a US district court in New York by UMG Recordings, Capitol Records, Concord Bicycle Assets, CMGI, Sony Music Entertainment, and Arista Music. It targets the Internet Archive's "Great 78 Project," which was launched in 2006. [...]

    https://arstechnica.com/tech-policy/2023/08/record-labels-sue-internet-archive-for-digitizing-obsolete-vintage-records/

    ------------------------------

    Date: Fri, 18 Aug 2023 02:36:39 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: AI chatbot scares Snapchat users by posting mysterious video
    (Ars Technica)

    https://arstechnica.com/?p=1961146

    ------------------------------

    Date: Fri, 18 Aug 2023 11:32:33 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: Don't use our content to train AI systems (NYTimes, R 33 78)

    There's a simple and inexpensive way to fight back: The NYT could surround
    the real text of their sites by a thick wall of AI-generated nonsense, invisible to regular users but accessible to parasitic AI's crawlers.

    This way, their sites would quickly become detrimental to the parasite's contents.

    ------------------------------

    Date: Thu, 17 Aug 2023 12:59:12 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Re: Cellphone Radiation Is Harmful, but Few Want to Believe It
    (Neuroscience News, RISKS-33.78)

    https://neurosciencenews.com/cellphone-radiation-brain-cancer-18889/

    It has come to my attention that the same publication published the exactly opposite results in 2022:

    https://neurosciencenews.com/cell-phone-brain-tumor-20314/

    [It's the old story. Whom should you trust on the Internet? Neuroscience
    News or Neuroscience News? Or has the neuroscience simply changed that
    much? Or are they both right, in some quantum-theoretical sense? PGN]

    ------------------------------

    Date: Sat, 1 Jul 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 33.79
    ************************
