Readers of RISKS are quite aware that most photos taken these days have embedded GPS data. I learned yesterday about geospy.ai <http://geospy.ai/>, which claims to identify where a photo was taken using AI and computer vision—implying that it is not relying on the GPS data. Playing with it, I started with some photos my daughter had sent me from Spain and Czechia. It sometimes got the right country, but the explanation was generally wrong—e.g., it identified one picture as being from Czechia because the signs were in Czech (they were actually in English), there was a Czech flag (not so), and there were cobblestones (there weren't). Another picture from Prague it insisted was in Paris. A picture of my grandson was identified as being taken in a suburban backyard because of the grass, but couldn't get beyond that. A picture taken of the Jefferson Memorial in DC it got right—perhaps from the GPS data, but there's enough photos of that site that it's not too surprising. Moving on, I provided a picture of my girlfriend's birthday cake sitting on the kitchen counter, with no windows that might provide a view of the outside world. It claims that the photo (which was taken in Falls Church VA) was "taken in Hoboken, New Jersey. This is evident from the street signs, which are in English and use the American spelling of "Hoboken." The buildings in the background are also typical of American architecture. The coordinates of the photo are 40°43'N 74°02'W". I ran it again, and it gave a specific address (1100 Maxwell Lane, Hoboken NJ).
Another time it said "the photo was taken in New York City because the cake has the words "happy two thirds century Julie" written on it [which is] a reference to the song "happy birthday to you", which was written by two sisters from New York City". Another try said the inscription was "likely a reference to Julie Andrews, who was born in Surrey England, but has lived in New York City since the 1960s". Another try said that the ribbon on the cake is the "color of the New York Yankees ... [and the inscription] is likely a reference to the New York Yankees baseball team, as they have won 27 World Series championships, which is two-thirds of the World Series championships that have been won by all of the teams in Major League Baseball". [Note to non sports fans, including myself—Wikipedia says the World Series has been played almost every year since 1903, so 27 isn't 2/3 of that. And I don't know if the Yankees have won 27 times.] Yes, it's a beta product, with appropriate disclaimers. It's not an auspicious start. It's hard to imagine people making decisions based on this quality of software, but we're all seeing plenty of blind reliance on AI.
Sébastian Seibt, France 24, 1 May 24 [May-Day!] GPS signal interference at Tartu airport in Estonia is being attributed to Russia. An increase in such incidents, where signal jamming or spoofing make it difficult to land aircraft safely, has prompted Finland's Finnair to stop its aircraft from landing there over the next month. About 46,000 aircraft flying in and out of Britain since August 2023 have reportedly encountered GPS signal issues over the Baltic Sea.
Black box software with no audit trail and no peer review seems to be a critical piece of prosecutors' cases for murder. And its creator, who refuses to disclose pretty much anything about the program, might have perjured himself. Judges are now tossing the 'evidence.' This line explaining the software's capabilities seemed hard to believe. How does a random third party get access to debug-level logging output of a random wifi security camera? And at just the right place and time? *Cybercheck connected the profiles to the scene of the killing within minutes of the homicide using a network address—a unique number that identifies devices connected to the Internet—from a Wi-Fi-enabled security camera, according to the filing.* *At least one device—possibly a phone—with a suspect's cyber profile had tried to communicate with the camera's Wi-Fi connection, according to the report, Malarcik said.* https://www.nbcnews.com/news/crime-courts/ai-tool-used-thousands-criminal-cases-facing-legal-challenges-rcna149607
https://www.einpresswire.com/article/707437349/sonarmed-inc-recalls-airway-monitors-due-to-a-software-anomaly-resulting-in-failure-to-detect-a-partial-obstruction-in-2-5mm-sensors-and-up-to-3mm
https://www.usatoday.com/story/travel/airline-news/2024/04/08/engine-cover-plane-boeing-southwest/73241105007/
Jonathan Tirone, Bloomberg, 29 Apr 2024, via ACM TechNews During an April 29 meeting of civilian, military, and technology officials from more than 100 countries in Vienna, Austria, speakers said governments are running out of time to rein in autonomous weapons systems. "This is the Oppenheimer Moment of our generation," said Austrian Foreign Minister Alexander Schallenberg. Costa Rican Foreign Minister Arnoldo André Tinoco said new rules will be required once non-state actors and terrorists have access to the technology.
An AI generated avatar priest that was launched at the start of the week by a Catholic organisation appears to have been digitally defrocked following criticisms and concerns raised about the experiment in using emerging artificial intelligence technology to bolster the Catholic Faith. The “Fr. Justin” interactive AI app was launched by Catholic Answers, a US-based media ministry focused on apologetics and evangelisation, to answer questions about the Catholic faith, using material from the Catholic Answers library of resources, such as articles, talks and apologetics materials. https://catholicherald.co.uk/ai-priest-gets-the-chop-after-one-week-ministry/
Sadly, this is only the beginning. https://www.cityandstateny.com/politics/2024/04/meta-ai-falsely-claims-lawmakers-were-accused-sexual-harassment/396121/
https://noyb.eu/en/chatgpt-provides-false-information-about-people-and-openai-cant-correct-it
Kyle Wiggers, TechCrunch, 29 Apr 2024, via ACM TechNews GitHub has unveiled plans for the Copilot Workspace, where AI agents powered by its Copilot coding assistant would help developers brainstorm, plan, build, test, and run code in natural language. GitHub's Jonathan Carter said Workspace would build on new capabilities, such as Copilot Chat, where developers can ask coding questions in natural language. Carter said Copilot Workspace "gives developers a plan to start iterating from."
https://www.theregister.com/2024/05/01/pulumi_ai_pollution_of_search/
ScienceBlog, 28 Apr 2024, via ACM TechNews A team led by computer scientists at the University of California San Diego uncovered two novel types of attacks that target the conditional branch predictor found in high-end Intel processors. The attack is the first known to target a feature in the Path History Register (PHR), exposing more information with more precision than prior attacks. The researchers also introduced a precise Spectre-style poisoning attack, enabling attackers to induce intricate patterns of branch mispredictions within victim code. Intel and AMD were informed of these findings.
Margo Anderson, *IEEE Spectrum*, 29 Apr 2024, via ACM TechNews A team led by researchers at the University of Toronto's Citizen Lab in Canada revealed that a billion smartphone users are exposed to potential cyberattacks due to their use of digital Chinese-language keyboards. The Chinese-language keyboards use character-prediction features that rely on cloud computing resources, and improperly secured communications between the keyboard app and external cloud servers make users' keystrokes and messages vulnerable to spying and eavesdropping.
Previously, in the battleground state of Georgia, Coffee County's computer systems were known for the Jan. 2021 elections office breach paid for by Sidney Powell's PAC and orchestrated by top Trumpers. Georgia's Secretary of State missed the deadline to certify patches for the stolen and proliferated software (Dominion Voting Systems Democracy Suite Version 5.5-A). So no upgrading it prior to the 2024 election, although the _Curling v. Raffensperger_ case in the Northern District of Georgia, finishing up, might reshape the state's electoral system. But now a Coffee County press release dated Apr. 26 says there's something additional: On Apr. 15, DHS/CISA alerted the county to a cyberattack on its systems, which a CNN article later said was probably ransomware. The vaguely written press release really seems to suggest it took some time to notify the Georgia Secretary of State, which eventually locked the county out of the state's voter registration database (GARViS) as a precautionary measure. Top Secretary of State staffers are saying the lockout happened on Apr. 16 and was "perfect" but the Coffee press release, and its date, suggest it didn't happen nearly so fast. The Cyberscoop article concludes by saying "County officials have been responding to public records requests this week by claiming the county archiver is down for maintenance." I'm one of those open records requesters who received such a claim. I'm currently working from an attorney-client privilege log that's part of Southern District of Georgia discovery action also trying to get Coffee to produce any of the thousands of records related to the breach and its aftermath. Certainly casts the ransomware in another light—instead of just yet another ransomware attack by greedy cybercriminals somewhere, it could be the GRU (or somebody else) trying to intervene in the lawsuit on Coffee's behalf. After all, such records, if produced, might eventually result in more indictments for MAGA. 
Coffee County press release: https://douglaslucas.com/files/CoffeeCountyBoardofCommissionersPressRelease_26April2024.pdf Cyberscoop: https://cyberscoop.com/cyberattack-hits-georgia-county-at-center-of-voting-software-breach
Brian Fung, CNN, 29 Apr 2024, via ACM TechNews Meta is being investigated by EU officials over concerns it is not doing enough to safeguard upcoming EU elections or curtail foreign disinformation on Facebook and Instagram.
Evidence emerging in the Tesla Autopilot cases—including dash-cam video obtained by The Washington Post—offers sometimes-shocking details. https://www.washingtonpost.com/technology/2024/04/28/tesla-trial-autopilot-lawsuit/ Given Tesla advertising and Musk bloviating, drivers "solely" responsible is a tough sell.
The United Kingdom government has enacted a law that bans Internet-connected devices from having weak default passwords. https://www.computing.co.uk/news/4202793/uk-bans-devices-weak-passwords
CNN (04/25/24) Brian Fung, via ACM TechNews The U.S. Federal Communications Commission (FCC) adopted net neutrality regulations on April 26 prohibiting Internet service providers (ISPs) from selectively speeding up, slowing down, or blocking customers' Internet traffic. The rules reflect those imposed by the FCC in 2015 but rescinded by the Trump administration in 2017. Among other things, the rules will prevent ISPs from selling customers' personal data or sharing it with tech firms to train AI models.
Agency says four carriers sold access to customers’ location data to aggregators https://www.wsj.com/business/telecom/fcc-fines-wireless-carriers-about-200-million-for-sharing-customer-data-5207df8d
Another Canadian chain obviously did not notice or get a clue: https://www.cbc.ca/news/canada/british-columbia/london-drugs-closure-western-canada-1.7187615 ... after Indigo online went down and stores could only handle cash last year, and the troubles of U.S. pharmacies or UK Boots the Chemist!
A 101-year-old woman keeps getting mistaken for a baby because of an error with an airline's booking system. The problem occurred because American Airlines' systems apparently cannot compute that Patricia, who did not want to share her surname, was born in 1922, rather than 2022. The BBC witnessed the latest mix-up, which she and the cabin crew were able to laugh off. https://www.bbc.com/news/articles/c9wz7pvvjypo [Also noted by Thomas Koenig, Matthew Kruk, and Gabe Goldberg ...BCD? COBOL? PGN]
https://arstechnica.com/?p=2020827
Google says users really like getting SGE/LLM/AI answers. That users really don't want to bother with the blue links and visiting the sites where Google is getting their information from (giving those sites nothing in return) to create those answers. Here's an analogy. You know how many stores have had to lock up small items because they are shoplifted so often? Some people wonder why someone would steal every tube of toothpaste in a rack. Many stores have closed entirely due to these thefts, leaving entire neighborhoods without shopping choices. The main reason this happens is because these small stolen items are resold at ad hoc street markets at vastly discounted prices. Now, if you ask the people buying those stolen items at those street markets, they'd tell you (1) they really like the low prices and (2) claim they had no idea they were stolen and didn't care anyway. Yeah, you want toothpaste. -L
https://www.theverge.com/2024/4/30/24145603/ai-openai-microsoft-new-york-daily-news-sue-copyright
In the wake of the new $20 minimum wage for industry workers, quick-service restaurants in California are accelerating and expanding their use of technology.
If you name your Amazon S3 bucket to something that someone might discover or use—you can get huge bills. Even for unauthorized access. https://medium.com/@maciej.pocwierz/how-an-empty-s3-bucket-can-make-your-aws-bill-explode-934a383cb8b1 "My bill was over 1300$, with the billing console showing nearly 100,000,000 S3 PUT requests executed within just one day!” "I made my bucket public for less than 30 seconds, and within that timeframe, collected over 10GB of data.” An open source tool was pushing data to this bucket (not sure why). That has been fixed but doesn’t help with deployed systems not yet updated. Amazon did rescind the bill for the charges. [Also: AWS S3 storage bucket with unlucky name nearly cost developer $1,300 https://arstechnica.com/information-technology/2024/04/aws-s3-storage-bucket-with-unlucky-name-nearly-cost-developer-1300/ PGN]
https://arstechnica.com/tech-policy/2024/05/centurylink-left-users-with-no-service-for-two-months-then-billed-them-239/
Several viewers told 7 On Your Side tap-enabled systems captured their credit card information at a variety of places—a restaurant, a store, even a doctor's office. So is this going to happen more? https://abc7ne.ws/3Lgpkzu
Fake recruiters using sophisticated techniques lure in college students and new graduates https://www.wsj.com/lifestyle/careers/new-job-scams-targeting-young-professionals-are-flourishing-70e1aba1
https://arstechnica.com/?p=2020332
Dr. Bright fell silent, then asked a very reasonable question: “Doesn’t anyone keep tabs on this?” The H5N1 outbreak, already a devastating crisis for cattle farmers and their herds, has the potential to turn into an enormous tragedy for the rest of us. But having spent the past two weeks trying to get answers from our nation’s public health authorities, I’m shocked by how little they seem to know about what’s going on and how little of what they do know is being shared in a timely manner. How exactly is the infection transmitted between herds? The United States Department of Agriculture, the Food and Drug Administration and the Centers for Disease Control and Prevention all say they are working to figure it out. https://www.nytimes.com/2024/04/24/opinion/bird-flu-cow-outbreak.html?smid=nytcore-ios-share
Thousands of Americans believe they experienced rare but serious side effects. But confirming a link is a difficult task. https://www.nytimes.com/2024/05/03/health/covid-vaccine-side-effects-takeaways.html All vaccines have at least occasional side effects. But people who say they were injured by Covid vaccines believe their cases have been ignored. https://www.nytimes.com/2024/05/03/health/covid-vaccines-side-effects.html
History, as well as recent events, show that the use of new weapons and tactics may affect mainly the opening stages of a campaign, but affect the end result only if the war is concluded shortly afterwards. The losing side usually regains its senses and finds solutions rather quickly. Cases in point: The US winning the battle of Midway shortly after Pearl Harbor, or the recent Iranian attack on Israel, similar to the Millennium Challenge 2002 scenario, which was repelled with a 99% success rate.
There has never been any evidence that DJI drones purposely feed data to China. Their app had some issues with data leakage that have been fixed, and were very much the same sort that innumerable apps made in the USA have had (and probably continue to have). DJI drones aren't just the majority brand used recreationally, but are enormously important in public safety, agriculture, utilities, an almost endless list. There simply are not U.S.-made alternatives that meet the requirements in terms of reliability, support, and cost. This China-bashing crusade by Congress (and the administration) isn't making the U.S. safer but is doing significant damage to our own citizens who choose DJI tech because it does the job. https://www.sltrib.com/news/nation-world/2024/04/27/chinese-firm-is-americas-favorite/