    Risks Digest 33.83

    From RISKS List Owner@21:1/5 to All on Mon Sep 11 04:26:50 2023
    RISKS-LIST: Risks-Forum Digest Sunday 10 September 2023 Volume 33 : Issue 83

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/33.83>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Pedestrian dies after Cruise cars block ambulance
    (San Francisco Chronicle)
    Ryanair boss calls air traffic chaos report rubbish (BBC News)
    WHAT COULD GO WRONG? - Pipeline safety agency's proposed pilot for
    ChatGPT in rulemaking raises questions (Lauren Weinstein)
    A Rube Goldberg chain of failures led to breach of Microsoft-hosted
    government emails (The Verge)
    Update your iPhone: Apple just pushed out a significant security update
    (APNews)
    Active North Korean campaign targeting security researchers (Google)
    The NYPD will police Labor Day parties with surveillance drones
    (The Verge)
    Porn age verification law is unconstitutional, says judge (The Verge)
    Over 100 Connecticut state troopers accused of faking traffic stops
    (The Boston Globe)
    Sourcegraph Administrator Access compromised by Credentials in
    Publicly Available Code (Ars Technica)
    Don't fall for firms pushing "voice verification" bypasses
    (Lauren Weinstein)
    Silicon Valley vs. Old People (NYTimes)
    Crypto Collapse Winners? The Lawyers (NYTimes)
    Cyberprofessionals say industry urgently needs to confront mental health
    crisis (Cyberscoop)
    Another AI Mess: growing reliance on language apps jeopardizes
    some asylum applications (The Guardian)
    U.S.-China Competition and Military AI. How Washington Can Manage Strategic
    Risks amid Rivalry with Beijing (CNAS)
    An update on Squares outage (danny burstein)
    San Franciscans Are Having Sex in Robotaxis, and Nobody Is Talking About It
    (SFStandard)
    Your car wants to know about your sex life (Politico)
    FCC proceedings on encrypted over the air TV -- how to comment
    (Lauren Weinstein)
    Re: Kia and Hyundai Helped Enable a Crime Wave. They Should Pay for It
    (Mike Smith)
    Re: Electric cars catch fire in Florida after flooding (Henry Baker)
    Re: A battery catches fire on an Air France flight, the staff
    reacts in a few minutes (Steve Bacher)
    Re: Eversource Notice of Data Security Incident (Steve Bacher)
    Re: Saudi man sentenced to death for tweets in harshest verdict yet
    for online critics (Steve Bacher)
    Re: UK ATC outage (Jim Geissman)
    Re: Lahaina: single points of failure (Steve Bacher)
    Re: The Titan's Submersible Disaster Was Years in the Making
    (Martin Ward)
    Magic (Rob Slade)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 05 Sep 2023 17:50:54 -0700
    From: Geoff Kuenning <geoff@cs.hmc.edu>
    Subject: Pedestrian dies after Cruise cars block ambulance
    (San Francisco Chronicle)

    A pedestrian injured in a traffic collision in San Francisco died; EMTs
    allege that they would have survived had two Cruise cars and an unoccupied police car not prevented the ambulance from leaving promptly.

    https://www.sfgate.com/bayarea/article/cruise-cars-reportedly-block-first-responders-18343475.php

    ------------------------------

    Date: Thu, 7 Sep 2023 16:36:41 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Ryanair boss calls air traffic chaos report rubbish (BBC News)

    How did airport chaos unfold?

    In its initial report published on Wednesday, Nats said that at 08:32 on 28 August, its system received details of a flight which was due to cross UK airspace later that day.

    Airlines submit every flight path to the national control centre; these
    should automatically be shared with Nats controllers, who oversee UK
    airspace.

    The system detected that two markers along the planned route had the same
    name - even though they were in different places. As a result, it could not understand the UK portion of the flight plan.

    This triggered the system to automatically stop working for safety reasons,
    so that no incorrect information was passed to Nats' air-traffic
    controllers. The backup system then did the same thing.

    https://www.bbc.com/news/business-66723586

    Fault tolerance? What's that? One bad flight plan craters the system?

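    As an added illustration (not code from the digest, the BBC report or Nats), the following shows the failure mode described above, two markers with the same name, handled at the level of a single flight plan: same-name fixes are disambiguated by route geometry, and a plan that still cannot be interpreted is quarantined while the queue keeps running. The navigation database, waypoint names, plan identifiers and the 800 km plausibility radius are all constructed assumptions.

```python
# Added example (not from the digest, the BBC report or Nats): a route resolver
# that tolerates same-name waypoints and a queue that isolates one bad plan.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt


@dataclass(frozen=True)
class Waypoint:
    ident: str
    lat: float
    lon: float


# Constructed navigation database. "ALPHA" is deliberately defined twice, at
# locations far apart, mirroring the two same-name markers in the incident.
NAV_DB = [
    Waypoint("ENTRY", 51.0, -5.0),
    Waypoint("ALPHA", 52.0, -2.0),   # the ALPHA that lies on the UK route
    Waypoint("ALPHA", 40.0, 60.0),   # distant namesake, thousands of km away
    Waypoint("BRAVO", 52.5, -1.0),
    Waypoint("EXIT", 53.0, 1.0),
]


class PlanRejected(Exception):
    """One flight plan could not be interpreted; the plan is bad, not the system."""


def great_circle_km(a, b):
    """Haversine distance between two waypoints in kilometres."""
    earth_radius_km = 6371.0
    dphi = radians(b.lat - a.lat)
    dlam = radians(b.lon - a.lon)
    h = sin(dphi / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlam / 2) ** 2
    return 2 * earth_radius_km * asin(sqrt(h))


def resolve_route(names, nav_db, max_leg_km=800.0):
    """Map route identifiers to waypoints. A duplicated identifier is
    disambiguated by geometry: only the candidate within max_leg_km of the
    previously resolved fix is accepted; zero or several raise PlanRejected."""
    resolved = []
    for name in names:
        candidates = [w for w in nav_db if w.ident == name]
        if not candidates:
            raise PlanRejected(f"unknown waypoint {name!r}")
        if not resolved:
            if len(candidates) > 1:
                raise PlanRejected(f"first fix {name!r} is ambiguous")
            resolved.append(candidates[0])
            continue
        prev = resolved[-1]
        plausible = [c for c in candidates if great_circle_km(prev, c) <= max_leg_km]
        if len(plausible) != 1:
            raise PlanRejected(
                f"{name!r} after {prev.ident!r}: {len(plausible)} plausible of "
                f"{len(candidates)} candidates"
            )
        resolved.append(plausible[0])
    return resolved


def process_queue(plans, nav_db):
    """Process every plan; a rejected plan is quarantined with its diagnostic
    and processing continues, instead of halting the whole system."""
    accepted, rejected = {}, {}
    for plan_id, names in plans.items():
        try:
            accepted[plan_id] = resolve_route(names, nav_db)
        except PlanRejected as exc:
            rejected[plan_id] = str(exc)
    return accepted, rejected


if __name__ == "__main__":
    queue = {
        "A1": ["ENTRY", "ALPHA", "EXIT"],   # same-name fix, resolved by geometry
        "B2": ["ALPHA", "BRAVO"],           # starts on an ambiguous fix
        "C3": ["ENTRY", "BRAVO", "EXIT"],   # unaffected plan queued behind it
    }
    ok, bad = process_queue(queue, NAV_DB)
    print("accepted:", sorted(ok), "rejected:", bad)
```
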
    ------------------------------

    Date: Tue, 5 Sep 2023 12:35:26 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: WHAT COULD GO WRONG? - Pipeline safety agency's proposed pilot for
    ChatGPT in rulemaking raises questions

    https://fedscoop.com/pipeline-safety-agencys-proposed-pilot-for-chatgpt-in-rulemaking-raises-questions/

    [Gabe Goldberg gave me the entire article. I try not to beat dead horses
    in AI misuse, when you can simply click it. PGN]

    ------------------------------

    Date: Wed, 6 Sep 2023 22:45:12 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: A Rube Goldberg chain of failures led to breach of
    Microsoft-hosted government emails

    https://www.theverge.com/2023/9/6/23861890/microsoft-azure-data-breach-investigation-failures-outlook

    ------------------------------

    Date: Thu, 7 Sep 2023 22:49:17 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Update your iPhone: Apple just pushed out a significant
    security update (APNews)

    https://apnews.com/article/apple-iphone-security-update-0964e8bd5264e5b66c3908d49fdf404a

    https://citizenlab.ca/2023/09/blastpass-nso-group-iphone-zero-click-zero-day-exploit-captured-in-the-wild/

    Apple security updates

    macOS Ventura 13.5.2
    https://support.apple.com/kb/HT213906

    iOS 16.6.1 and iPadOS 16.6.1
    https://support.apple.com/kb/HT213905

    watchOS 9.6.2
    https://support.apple.com/kb/HT213907

    ------------------------------

    Date: Fri, 8 Sep 2023 08:56:44 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Active North Korean campaign targeting security researchers
    (Google)

    https://blog.google/threat-analysis-group/active-north-korean-campaign-targeting-security-researchers/

    ------------------------------

    Date: Mon, 4 Sep 2023 00:49:55 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: The NYPD will police Labor Day parties with surveillance drones
    (The Verge)

    https://www.theverge.com/2023/8/31/23318832/nypd-drones-parties-jouvert-west-indian-labor-day-weekend

    ------------------------------

    Date: Mon, 4 Sep 2023 00:52:04 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Porn age verification law is unconstitutional, says judge
    (The Verge)

    https://www.theverge.com/2023/8/31/23854369/texas-porn-age-verification-law-blocked-judge

    ------------------------------

    Date: Mon, 4 Sep 2023 14:04:05 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Over 100 Connecticut state troopers accused of faking traffic
    stops (The Boston Globe)

    Auditors found tens of thousands of apparently falsified traffic stop
    records, many of white drivers. They suspect the officers were trying to
    appear more productive.

    https://www.boston.com/news/national-news/2023/09/04/over-100-connecticut-state-troopers-accused-of-faking-traffic-stops/

    ------------------------------

    Date: Mon, 4 Sep 2023 23:57:12 -0400
    From: Bob Gezelter <gezelter@rlgsc.com>
    Subject: Sourcegraph Administrator Access compromised by Credentials in
    Publicly Available Code (Ars Technica)

    ArsTechnica reports that a recent security breach at Sourcegraph was facilitated by credentials embedded in publicly-available source code.

    Credentials visible in source or executable code are an obviously bad
    practice. Besides the fact that it is obviously dangerous, it has been on
    the OWASP list for many years.

    The tragedy is that this class of security breach is completely
    preventable. There is no reason for putting credentials in source or
    executable code.

    The ArsTechnica article can be found at:

    https://arstechnica.com/security/2023/09/pii-leaked-after-sourcegraph-an-ai-driven-service-for-code-development-is-hacked/

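    As an added example (not code from the digest, Ars Technica or Sourcegraph), the check below is the kind of pre-commit or CI gate that catches the practice the post describes: a credential-looking variable assigned a quoted literal, filtered by a character-entropy threshold so that placeholders and environment lookups are not flagged. The list of variable names, the 3.0 bits/character threshold and the scanned source file are all constructed assumptions.

```python
# Added example (not from the digest or from Sourcegraph): a minimal check
# that flags credentials assigned as string literals in source before commit.
import math
import re

# Names that commonly carry credentials (assumption). Only assignment to a
# quoted literal is flagged; reading from the environment or a vault is not.
_NAMES = r"(?:password|passwd|pwd|secret|token|api[_-]?key|access[_-]?key|private[_-]?key)"
_ASSIGN = re.compile(
    r"(?P<name>[A-Za-z0-9_]*" + _NAMES + r"[A-Za-z0-9_]*)\s*[:=]\s*"
    r"(?P<quote>[\"'])(?P<value>[^\"']{8,})(?P=quote)",
    re.IGNORECASE,
)
MIN_ENTROPY_BITS = 3.0  # per character; random tokens score higher, words lower


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for a single repeated character."""
    n = len(text)
    return -sum(text.count(c) / n * math.log2(text.count(c) / n) for c in set(text))


def redact(value):
    """Keep a short prefix for triage; never echo the whole secret in a report."""
    return value[:3] + "*" * (len(value) - 3)


def scan_source(text, min_entropy=MIN_ENTROPY_BITS):
    """Return (line_no, variable, redacted_value) for each suspicious literal."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for match in _ASSIGN.finditer(line):
            value = match.group("value")
            if shannon_entropy(value) < min_entropy:
                continue  # low-entropy values such as "changeme" are placeholders
            findings.append((line_no, match.group("name"), redact(value)))
    return findings


# Constructed sample file: two secret-looking literals, one environment lookup
# (correct practice, not flagged) and one low-entropy placeholder (not flagged).
SAMPLE_SOURCE = """\
import os
DB_PASSWORD = "S3cr3t-P@ssw0rd!2023"
api_token = os.environ["API_TOKEN"]
password_hint = "changeme"
AWS_SECRET_ACCESS_KEY="aB3dE6fG9hJ2kL5mN8pQ1rS4tU7vW0xY"
"""


if __name__ == "__main__":
    for line_no, name, shown in scan_source(SAMPLE_SOURCE):
        print(f"line {line_no}: {name} = {shown}")
```

A real gate would also run over the whole git history, since a secret removed in a later commit is still visible in a public repository.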
    ------------------------------

    Date: Fri, 8 Sep 2023 08:37:19 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Don't fall for firms pushing "voice verification" bypasses

    A suggestion. If a firm you deal with offers to sign you up for a *voice verification* service that bypasses PINs, passwords, etc., you would be wise
    to decline. There are increasing reports of online AI voice generators being used to defraud customers via these systems. And the situation is likely to
    be getting only worse. -L

    ------------------------------

    Date: Sat, 9 Sep 2023 14:33:04 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Silicon Valley vs. Old People

    What Mark Zuckerberg Doesn't Understand About Old People

    https://www.nytimes.com/2023/09/06/opinion/seniors-tech-silicon-valley.html

    ------------------------------

    Date: Wed, 6 Sep 2023 16:22:44 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Crypto Collapse Winners? The Lawyers (NYTimes)

    David Yaffe-Bellany and Yiwen Lu
    *The New York Times* Business front page, National Edition, 6 Sep 2023

    Profiting while billing over $700M in fees since last year to untangle bankruptcies of 5 industrial firms [including the FTX exchange --
    RISKS-33.75]

    ------------------------------

    Date: Thu, 07 Sep 2023 13:52:48 +0000
    From: Richard Marlon Stein <rmstein@protonmail.com>
    Subject: Cyberprofessionals say industry urgently needs to
    confront mental health crisis (Cyberscoop)

    https://cyberscoop.com/cyber-professionals-mental-health/

    Despite a growing awareness of mental health struggles within the industry, sources said there still aren't enough resources inside companies or across
    the broader cybersecurity community for professionals dealing with burnout, stress and the intense anxiety of working in a high-pressure environment.

    ------------------------------

    Date: Thu, 7 Sep 2023 13:22:20 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Another AI Mess: growing reliance on language apps jeopardizes
    some asylum applications (The Guardian)

    https://www.theguardian.com/us-news/2023/sep/07/asylum-seekers-ai-translation-apps

    ------------------------------

    Date: Thu, 07 Sep 2023 15:22:23 +0200
    From: "Diego.Latella" <diego.latella@isti.cnr.it>
    Subject: U.S.-China Competition and Military AI. How Washington Can
    Manage Strategic Risks amid Rivalry with Beijing

    Jacob Stokes, Alexander Sullivan and Noah Greene
    Center for a New American Security, 25 Jul 2023

    https://www.cnas.org/publications/reports/u-s-china-competition-and-military-ai

    ------------------------------

    Date: Fri, 8 Sep 2023 15:52:06 +0000 ()
    From: danny burstein <dannyb@panix.com>
    Subject: An update on Squares outage (fwd)

    ---------- Forwarded message ----------
    Date: Fri, 8 Sep 2023 14:10:25 +0000
    From: Square <noreply@messaging.squareup.com>
    Subject: An update on Squares outage

    [ID snipped]

    We are writing to apologize.

    Due to a systems outage within Square, sellers have been unable to log into their accounts or process payments since around noon Pacific Time on
    Thursday. We know that you trust us with your business, and these types of situations add challenges to running your operations. For that, we are truly sorry.

    Our services are now starting to come back online. As a reminder, you can
    use offline mode to continue accepting payments during these types of
    outages.

    Once the outage has been fully investigated, we plan to publish a full
    review of this issue and determine what steps we can take to prevent it from happening again. In the meantime, we will continue to keep you up to date on the status of the outage and next steps via email, as well as through our social media channels and on issquareup.com.

    Thank you for bearing with us and for your continued partnership.

    ------------------------------

    Date: Thu, 7 Sep 2023 22:53:21 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: San Franciscans Are Having Sex in Robotaxis, and Nobody Is
    Talking About It (SFStandard)

    https://sfstandard.com/2023/08/11/san-francisco-robotaxi-cruise-debauchery/

    ------------------------------

    Date: Thu, 7 Sep 2023 09:27:09 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Your car wants to know about your sex life

    Cars are increasingly filming, recording and tracking drivers and
    passengers, new report finds.

    https://www.politico.eu/article/car-manufacturer-data-privacy-driver-passenger-sexual-activity-report/

    Car manufacturers are collecting troves of data on drivers and passengers -- some even tracking drivers' sexual activity -- according to a new report.

    In a review <https://foundation.mozilla.org/privacynotincluded/categories/cars/>
    of 25 car brands and 15 car companies published by Mozilla Foundation on
    Wednesday, researchers found that Japanese car manufacturer Nissan said it
    could sell information about drivers and passengers' sexual activity,
    intelligence and health diagnosis to data brokers, law enforcement agencies
    and other companies. German manufacturer Volkswagen said it could record
    drivers' voices to profile them for targeted ads.

    “The amount of data that these car companies blatantly said that they could collect was shocking,” said Jen Caltrider, lead researcher at Mozilla Foundation, the nonprofit owner of the company running the Firefox
    Browser. “It's like nobody's ever challenged them or asked them questions about privacy, and so they just include everything.” [...]

    Caltrider and other researchers looked at car companies’ privacy policies
    and downloaded their apps in Germany, France, the U.S., Japan and South
    Korea. They found that the industry hoovered up massive amounts of data
    through dozens of sensors and technology built into newer car models that calculate people's weight as they sit down, filmed the car inside and
    outside with cameras, listened to conversations through microphones and
    tracked users via connected apps on smartphones.

    ------------------------------

    Date: Mon, 4 Sep 2023 19:08:18 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: FCC proceedings on encrypted over the air TV -- how to comment

    It's important to realize that even if you never watch over the air TV, many people depend on it due to the unavailability of other options in their locations, or due to cost issues. The broadcasting industry has been
    making inane excuses for encryption of free channels, including (get this!) blaming *deep fake* AI. Uh huh.

    This article explains how to comment to the FCC. NOTE that everything
    entered there becomes public record, including names, addresses, etc.

    https://www.tvtechnology.com/news/pearl-tv-responds-to-critics-of-30-encryption

    ------------------------------

    Date: Fri, 8 Sep 2023 17:03:41 +0000 (UTC)
    From: Mike Smith <jmikesmith@yahoo.com>
    Subject: Re: Kia and Hyundai Helped Enable a Crime Wave. They Should
    Pay for It (RISKS-33.82)

    Increased car theft is happening in Canada, too. CBC reports many of them
    are being shipped to overseas markets within days or even hours of being stolen: https://www.cbc.ca/news/world/auto-theft-canada-1.6953242

    "Police sources tell CBC News that large, established organized criminal
    gangs based in Montreal are behind most of the thefts, though it's become so lucrative, other groups with less technical skill are becoming
    involved. This partially explains what the police sources say is an increase
    in home invasions and violent attacks to obtain a vehicle and its
    keys. ... Small teams sometimes mark cars in mall parking lots during the
    day by using GPS trackers similar to the ones people can buy and place in
    their luggage or on key chains to track lost items. Then, typically at
    night, they use the trackers to follow the marked vehicles and take them
    from streets and driveways, quickly cramming multiple vehicles into shipping containers, which are then moved by truck or train to the Port of Montreal
    and loaded onto ships.

    "Most thieves use one of three methods of attack. The first type is a relay attack, which involves "capturing" the signal of a key fob, then replicating
    it to enter and start a vehicle. Thieves used to hold a large antenna in
    front of a house door, scanning for keys left inside, but the technology has advanced in the past year, becoming smaller and easier to use at a
    distance. Then there is the onboard diagnostic port, accessible via a small door under the steering wheel in all vehicles. Typically used by a mechanic
    to connect a handheld computer that can diagnose a problem, the access point
    is being used by thieves to reprogram the car to understand a new key
    they've made for it. The latest attack method involves the Controller Area Network (CAN bus), which acts similar to a nervous system for vehicles, enabling communication between various components of the car. Thieves
    connect to one of multiple nodes from the exterior of the vehicle,
    commanding it to unlock and start the engine. The process may take only seconds."

    ------------------------------

    Date: Mon, 04 Sep 2023 20:24:01 +0000
    From: Henry Baker <hbaker1@pipeline.com>
    Subject: Re: Electric cars catch fire in Florida after flooding
    (RISKS-33.82)

    I don't want to minimize the risk of EV's catching fire during/after floods/accidents/recharging/shipping/aging/parking..., but let's
    keep things in perspective.

    It's taken well over 100 years to deal with gasoline-powered vehicles
    exploding during/after refueling/accidents/shipping/parking...

    Have a gander at newspapers and *movies* from 1920's, 1930's,
    1940's, etc., to see how many of these problems there were, and
    how long it took society to design gas tanks, filling stations,
    tankers, etc., to minimize these risks.

    https://www.latimes.com/archives/la-xpm-1992-09-21-mn-832-story.html

    Gasoline is perhaps the *worst* possible choice for a retail
    fuel, due to its quick vaporization and subsequent tendency
    to explode. Better choices would have been diesel and alcohol.

    Indeed, some gasoline-powered racing cars were replaced
    in 1965 by alcohol-powered racing cars due to the inherent risks
    of gasoline.

    https://www.motortrend.com/how-to/ctrp-1201-alcohol-fuel-basics/

    From the 20/20 perspective of hindsight, one can only marvel
    at the politics and economics that enabled such an inherently
    dangerous fuel like gasoline to become ubiquitous.

    There is an inherent risk of *any* energy-storage mechanism
    powerful enough to propel a 5000 lb vehicle 500 miles at 70 mph;
    e.g., Lucid's new 113kwh battery:

    https://www.caranddriver.com/news/a33797162/2021-lucid-air-517-mile-range-113-kwh-battery/

    Let's put this Lucid battery in perspective. A small fireplace might
    generate perhaps 1.5 kwatts, so a Lucid battery fire might burn for
    *three 24-hour days* with heat equivalent to a small fireplace.

    The inherent risks of large quantities of energy storage were
    already being explored in 1940's/1950's scifi -- e.g., the use of short-circuited 'blaster' handguns as 'IED' bombs.

    ------------------------------

    Date: Tue, 5 Sep 2023 13:26:38 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Re: A battery catches fire on an Air France flight, the staff
    reacts in a few minutes (Euro)

    Definitely badly translated.  ChatGPT would never write in such a way.  (Still wondering what the Figaro could be.)

    The article recommends keeping your devices charged to no more than 30%
    and/or not charging during flight.  With all due respect, that is not going
    to happen unless you want to see a long line at the airport filled with departing passengers looking for a phone recharging spot (which is almost certainly going to be poisoned with malware anyway).

    ------------------------------

    Date: Tue, 5 Sep 2023 13:37:37 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Re: Eversource Notice of Data Security Incident (RISKS-33.82)

    We've received similar notices from two financial companies with which we
    have significant dealings.  It's pretty widespread due to the exposure from
    MOVEit.  If everyone is relying on boilerplate to send out the notices, I
    don't have a problem with that.  It doesn't necessarily mean they're using
    AI.

    ------------------------------

    Date: Tue, 5 Sep 2023 13:44:14 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Re: Saudi man sentenced to death for tweets in harshest verdict yet
    for online critics (RISKS-33.82)

    But... Elon promised free speech for everybody ...

    ------------------------------

    Date: Wed, 6 Sep 2023 08:06:02 -0700
    From: "Jim" <jgeissman@socal.rr.com>
    Subject: Re: UK ATC outage

    A flight plan has two different waypoints mistakenly given the same ID.
    Equals invalid flight plan. Response? Crash the entire ATC system. No
    comment would seem to be necessary.

    [Tell that to the ATC system folks. PGN]

    ------------------------------

    Date: Tue, 5 Sep 2023 14:01:35 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Re: Lahaina: single points of failure (RISKS-33.81)

    Looks like the article is N/A at *The NY Times*, but it's available at the Seattle Times:

    https://www.seattletimes.com/nation-world/maui-evacuation-alert-shows-limits-of-a-warning-system-dependent-on-cellphones/

    ------------------------------

    Date: Tue, 5 Sep 2023 10:58:31 +0100
    From: Martin Ward <mwardgkc@gmail.com>
    Subject: Re: The Titan's Submersible Disaster Was Years in the Making

    In the late 1970's I joined a diving club. In the first training session we were taught the meaning of the saying:

    ``There are old divers and there are bold divers, but there are no old
    bold divers.''

    ------------------------------

    Date: Tue, 5 Sep 2023 09:49:11 -0700
    From: Rob Slade <rslade@gmail.com>
    Subject: Magic

    Abstract (aka tl:dr)

    Life is unpredictable (so eat dessert first). Our modern world is unpredictable, and uncertain. The increasing uncertainty drives fatalism, which various political actors use to increase their own power and reduce
    the possibility of opposition. Information technology, based upon logical computers, could provide more certainty. Unfortunately, marketing
    decisions frequently make the use of computers, and the results from
    computers, more uncertain. We, in information technology, should address
    these issues, and work towards greater knowledge and certainty.
    https://fibrecookery.blogspot.com/2023/09/magic.html

    ------------------------------

    Date: Sat, 1 Jul 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 33.83
    ************************
