Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The feds should order “autopilot” shut down completely while these investigations continue. -L
‘AI’ proves once again that BS in == BS out. There is no free lunch.
GitHub autopilot “highly likely” to introduce bugs and vulnerabilities
Academic researchers discover that nearly 40% of the code suggestions by GitHub’s Copilot tool are erroneous, from a security point of view.
Since Copilot draws on publicly available code in GitHub repositories, the researchers theorize that the generated vulnerable code could perhaps just be the result of the system mimicking the behavior of buggy code in the repositories.
An Empirical Cybersecurity Evaluation of GitHub Copilot’s Code Contributions
Families across the country are raising safety questions involving deadly vehicle rollaway accidents that kill nearly 150 people every year.
Novel implementation of familiar gearshift technology, uninformed dealers, lack of instruction/practice, inattentive drivers, massive manuals nobody reads burying critical safety information.
ALWAYS set parking brake. I didn't, once, and my stick-shift car went for an adventure—made sharp right turn in reverse, crossed a street, killed a neighbor's mailbox.
…because one thing led to another.
A couple lost $1,600 trying to rent a vacation house. The “rental agent” said to use his QR code to pay the deposit using a Bitcoin ATM machine.
A caller, who claimed to be with the power company, threatened to turn off the electricity in 20 minutes because of an outstanding bill of $973. The homeowners were sent a QR code and told to use it at a nearby kiosk. It turned out to be the QR code to download the bitcoin app. Thankfully, the transaction was not completed.
A consumer in Hawaii sent $1,000 via QR code to an investment company that made contact via Instagram. After the trading period ended, the scammer demanded a fee of $4,102 to withdraw the supposed $20,500 profit in the account. Again, the money was sent via a bitcoin machine to the address in the QR Code. Total loss: $5,102.
Well, yes. But don't be an idiot.
Paul Rosenzweig, The New York Times, 1 Sep 2021
Tighter cryptocurrency rules would interfere with criminals' toll collection
The last paragraph is this: The U.S. “does not have a ransomware problem so much as it has an anonymous ransom problem. If we can change the payment system to make the kidnapping less profitable, we will go a long way to a solution.''
Kaylee Fagan, The San Francisco Chronicle, 29 Aug 2021 [Or not? PGN]
“The campaign to recall Califonia Governor Gavin Newsome has a conspiracy theory problem, and it just might siphon off votes that aid its cause.''
“Shprits and colleagues from UCLA, MIT, Moscow's Skolkovo Institute of Science and Technology and GFZ Potsdam combined geophysical models of particle radiation for a solar cycle with models for how radiation would affect both human passengers‘including its varying effects on different bodily organs’ and a spacecraft. The modeling determined that having a spacecraft's shell built out of a relatively thick material could help protect astronauts from radiation, but that if the shielding is too thick, it could actually increase the amount of secondary radiation to which they are exposed.”
For the curious, and those inclined to “Boldly go where no one has gone before,” see “How bad is the radiation on Mars?” from https://phys.org/news/2016-11-bad-mars.html to discover the hard facts about Martian Surface radiation: ~22 rads per day (~0.22 Sv per day from https://www.unitsconverters.com/en/Rad-To-Sievert/Unittounit-3966-3988?MeasurementId=33&From=3966&To=3988&textBoxBufferedValue=0) which is ~220 chest x-rays.
In space, timing is everything. If the cosmic radiation doesn't ‘get you,’ the Sun's (and/or secondary/shield-induced) radiation will.
‘Microsoft says that Insider Program PCs that didn't meet Windows 11's minimum requirements “had 52% more kernel-mode crashes” than PCs that did, and that “devices that do meet the system requirements had a 99.8% crash-free experience.”’
This is from an Ars Technica story, and the writer didn't do the math. An 52% increased probability of crash yields barely under a 99.7% crash-free experience. When expressed in the same terms (probability of not crashing), it shows that there's not really a big difference.
Risk: Blithely quoting a company's statistics without questioning them.
(Yes, I know that total crashes might be more than just kernel-mode crashes. But I think that would make the crash-free percentages even less different.)
Iceland has reported more cases in the past month than they had in the previous 9 months combined 91.2% of their adult population is at least partially vaccinated, 86.5% are fully vaccinated Fauci said with 50% vaccinated, we wouldn't see surges like those in the past. Whoops!
A 21-year-old American said he used an unprotected router to access millions of customer records in the mobile carrier's latest breach
The hacker who is taking responsibility for breaking into T-Mobile US Inc.'s systems said the wireless company's lax security eased his path into a cache of records with personal details on more than 50 million people and counting.
John Binns, a 21-year-old American who moved to Turkey a few years ago, told The Wall Street Journal he was behind the security breach. Mr. Binns, who since 2017 has used several online aliases, communicated with the Journal in Telegram messages from an account that discussed details of the hack before they were widely known.
The August intrusion was the latest in a string of high-profile breaches at U.S. companies that have allowed thieves to walk away with troves of personal details on consumers. A booming industry of cybersecurity consultants, software suppliers and incident-response teams have so far failed to turn the tide against hackers and identity thieves who fuel their businesses by tapping these deep reservoirs of stolen corporate data.
The breach is the third major customer data leak that T-Mobile has disclosed in the past two years. The Bellevue, Wash., company is the second-largest U.S. mobile carrier with roughly 90 million cellphones connecting to its networks.
The Seattle office of the Federal Bureau of Investigation is investigating the T-Mobile hack, according to a person familiar with the matter. “The FBI is aware of the incident and does not have any additional information at this time,” the Seattle office said in a statement Wednesday.
In messages with the Journal, Mr. Binns said he managed to pierce T-Mobile's defenses after discovering in July an unprotected router exposed on the internet. He said he had been scanning T-Mobile's known internet addresses for weak spots using a simple tool available to the public.
The young hacker said he did it to gain attention. “Generating noise was one goal,” he wrote. He declined to say whether he had sold any of the stolen data or whether he was paid to breach T-Mobile.
The 21-year-old hacker shared a screenshot of internal T-Mobile servers with warnings against unauthorized access.
Several cybersecurity experts said the public details of the hack and reports of previous T-Mobile breaches show the carrier's defenses need improvement. Many of the records reported stolen were from prospective clients or former customers long gone. “That to me does not sound like good data management practices,” said Glenn Gerstell, a former general counsel for the National Security Agency.
Mr. Binns said he used that entry point to hack into the cellphone carrier's data center outside East Wenatchee, Wash., where stored credentials allowed him to access more than 100 servers. “I was panicking because I had access to something big,” he wrote. “Their security is awful.” He said it took about a week to burrow into the servers that contained personal data about the carrier's tens of millions of former and current customers, adding that the hack lifted troves of data around Aug. 4.
On Aug 13 2021, the security research firm Unit221B LLC reported to T-Mobile that an account was attempting to sell T-Mobile customer data, according to the security firm. Two days later, T-Mobile publicly acknowledged it was investigating a potential breach.
T-Mobile confirmed that more than 50 million customer records have been stolen. The wireless carrier said it had repaired the security hole that enabled the breach. “We are confident that we have closed off the access and egress points the bad actor used in the attack,” it said in a statement. A T-Mobile spokeswoman declined to comment on specific claims by Mr. Binns or by cybersecurity experts.
For Mr. Binns, who uses the online names IRDev and v0rtex, among others, the T-Mobile hack represents a major development in a track record that has featured various exploits and”four years ago”peripheral involvement in the creation of a massive network of hacked devices that was used for online attacks.
Mr. Binns showed the Journal that he could access accounts linked to the IRDev online personality, which shared screenshots depicting access into T-Mobile's network. He declined to be photographed but answered personal questions to confirm his identity as John Binns. […] https://www.wsj.com/articles/t-mobile-hacker-who-stole-data-on-50-million-customers-their-security-is-awful-11629985105?st=4nh9nfpmp3o2293
[ADDED LATER from geoff:]
… Mike Benjamin, vice president of security for network operator Lumen Technologies Inc., said U.S. prosecutions in past years have limited the threat from these botnets, though network attacks have started growing in recent months. He said many young people, especially in the U.S. and Europe, first learn basic hacking techniques by sharing tricks and tactics with fellow gamers online.
“Online video-gaming drives a natural competitiveness,” Mr. Benjamin said. ”Everybody's looking for that edge. That can reach into this area of outside of the videogame,” where tactics end up “breaking the internet instead of just inside the rules of the game.”
This is not true. The move is to an IP-based system, not no landlines.
This story suffers from bad reporting. What's actually going away is the legacy SS7/TDM signaling, known in the UK as C7, presumably in favor of SIP.
The physical networks in the UK are a mix of fiber and copper, with a lot of FTTN with copper loops which is migrating at some rate to FTTP with fiber the whole way.
PS: We can have a metaphysical discussion about what counts as a landline phone. I have fiber running into the house, which connects to a telco-provided battery-backed modem, which is connected to the copper wire in my house into which I plug a genuine American Bell Mickey Mouse phone. Is that a landline? Sure seems like it when the phone rings, and I mean rings.
Please report problems with the web pages to the maintainer