The RISKS Digest
Volume 32 Issue 92

Saturday, 6th November 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

SpaceX Under Fire After Autonomous Rocket Hits Pedestrian
The Onion
9-year-old unlocks unconscious father's iPhone with his face to call 911
Apple Insider via Monty Solomon
AI Is Not A-OK
NY Times
Fake Polls and Tabloid Coverage on Demand: The Dark Side of Sebastian Kurz
NYTimes
Trojan Source Bug Threatens the Security of All Code
KrebsonSecurity
Hackers are stealing data today so quantum computers can crack it in a decade
MIT Tech Review
Using Google search to deliver customers or worse
Mike
Credit-card PINs can be guessed even when covering the ATM pad
BleepingComputer
CoVID dream, risk, and the Newfoundland “cyberattack”
Rob Slade
Will there be vehicle safety tricks or treats this Halloween?
Gabe Goldberg
Re: I really hate Hopin …
John Stewart
Re: Lettering on clothes mistaken for license plate
Andy Walker
Info on RISKS (comp.risks)

SpaceX Under Fire After Autonomous Rocket Hits Pedestrian (The Onion)

Gabe Goldberg <gabe@gabegold.com>
Sun, 31 Oct 2021 16:13:59 -0400

AUSTIN, TX — Calling it a terrible tragedy that could and should have easily been avoided, investigators slammed SpaceX Thursday after an autonomous rocket veered off course and struck a pedestrian. “At approximately 11 a.m. CST, a SpaceX Falcon9 rocket launched itself into traffic at 17,000 mph, hitting and subsequently killing a man who was crossing the street,” read a statement from the National Transportation Safety Board, adding that despite being programmed with the latest self-guiding software, the rocket entered traffic, ignored several red lights, and failed to disengage several high-speed booster rockets at the time of impact. “After striking and killing the pedestrian, the spaceship continued to accelerate, until it ultimately flew off of a cliff and collided with a tree, creating an enormous mushroom cloud visible from the entire city. Sadly, until we can enter the several hundred foot crater and find the rocket’s data logs, we may never know what truly happened.” At press time, SpaceX responded that while they were sorry for the loss of life, they were proud that no cars were harmed in the accident.

https://www.theonion.com/spacex-under-fire-after-autonomous-rocket-hits-pedestri-1847946787


9-year-old unlocks unconscious father's iPhone with his face to call 911 (Apple Insider)

Monty Solomon <monty@roscom.com>
Thu, 4 Nov 2021 00:50:26 -0400

https://appleinsider.com/articles/21/11/03/9-year-old-unlocks-fathers-iphone-with-his-face-calls-911-as-carbon-monoxide-fills-home


AI Is Not A-OK (NY Times)

“George Sherwood” <sherwood@transedge.com>
Sun, 31 Oct 2021 14:15:48 -0400

Maureen Dowd interviews Eric Schmidt about the future of artificial intelligence.

The first time I interviewed Eric Schmidt <https://www.nytimes.com/2009/04/15/opinion/15dowd.html?timespastHighlight=eric,schmidt,maureen,dowd>, a dozen years ago when he was the C.E.O. of Google, I had a simple question about the technology that has grown capable of spying on and monetizing all our movements, opinions, relationships and tastes.

“Friend or foe?” I asked.

“We claim we're friends,” Schmidt replied coolly.

Now that the former Google executive has a book out Tuesday on “The Age of AI <https://www.littlebrown.com/titles/henry-a-kissinger/the-age-of-ai/9780316273800/>,” written with Henry Kissinger and Daniel Huttenlocher, I wanted to ask him the same question about A.I.: “Friend or foe?”

https://www.nytimes.com/2021/10/30/opinion/eric-schmidt-ai.html


Fake Polls and Tabloid Coverage on Demand: The Dark Side of Sebastian Kurz (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 6 Nov 2021 13:49:18 -0400

Fake Polls and Tabloid Coverage on Demand: The Dark Side of Sebastian Kurz

The downfall of Austria’s onetime political Wunderkind put a spotlight on the cozy, sometimes corrupt, relationship between right-wing populists and parts of the news media.

https://www.nytimes.com/2021/10/17/world/europe/austria-sebastian-kurz-scandal-chancellor.html


Trojan Source Bug Threatens the Security of All Code (KrebsonSecurity)

Tom Van Vleck <thvv@multicians.org>
Mon, 1 Nov 2021 10:19:16 -0700

https://krebsonsecurity.com/2021/11/trojan-source-bug-threatens-the-security-of-all-code/

Normally a scare headline like this would lead me to ignore it. But this has Ross Anderson's name on it.

https://www.trojansource.codes/
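The Trojan Source technique described at the linked site relies on Unicode bidirectional control characters (embeddings, overrides and isolates) that make an editor render a line in a different order from the one a compiler or interpreter tokenises. The scanner below is an added example, not code from the Krebs article or from the trojansource.codes project: it reports every such character with its line and column, and rewrites the text with visible markers so a reviewer sees the real token order. The sample source string is constructed for this example and does not come from any real project; it covers the bidi-control variant only, not the separate homoglyph variant.

```python
"""Find Unicode bidirectional control characters in source text.

Added example: these characters can make an editor render a line
differently from how a compiler or interpreter tokenises it, which is
the basis of the Trojan Source technique.
"""
import sys

# Bidi formatting characters that reorder rendered text: embeddings,
# overrides, isolates and the characters that terminate them.
BIDI_CONTROLS = {
    "\u202a": "LRE", "\u202b": "RLE", "\u202c": "PDF",
    "\u202d": "LRO", "\u202e": "RLO",
    "\u2066": "LRI", "\u2067": "RLI", "\u2068": "FSI", "\u2069": "PDI",
}


def find_bidi_controls(source):
    """Return a list of (line, column, name) for each bidi control.

    Lines and columns are 1-based and counted in code points, so the
    positions match what an editor that shows control characters reports.
    """
    hits = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for col_no, ch in enumerate(line, start=1):
            name = BIDI_CONTROLS.get(ch)
            if name is not None:
                hits.append((line_no, col_no, name))
    return hits


def reveal(source):
    """Replace each bidi control with a visible <NAME> marker.

    The result contains no bidi controls, so it renders in logical order
    and shows where a string or comment really begins and ends.
    """
    return "".join("<%s>" % BIDI_CONTROLS[ch] if ch in BIDI_CONTROLS else ch
                   for ch in source)


def scan_file(path):
    """Scan one file; returns the list of hits (empty if the file is clean)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return find_bidi_controls(fh.read())


# Constructed sample (not from any real project): a string literal that
# contains an RLO and isolates, so what the editor displays need not
# match the string the interpreter actually compares against.
SAMPLE = (
    "def is_admin(access_level):\n"
    "    if access_level != \"user\u202e \u2066# only admins\u2069 \u2066\":\n"
    "        return True\n"
    "    return False\n"
)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:
        # No files given: demonstrate on the constructed sample.
        for line_no, col_no, name in find_bidi_controls(SAMPLE):
            print("sample:%d:%d: %s" % (line_no, col_no, name))
        print(reveal(SAMPLE))
    else:
        dirty = 0
        for path in paths:
            for line_no, col_no, name in scan_file(path):
                print("%s:%d:%d: %s" % (path, line_no, col_no, name))
                dirty += 1
        sys.exit(1 if dirty else 0)
```

Run with no arguments to see the sample's four hits and its revealed form; run with file paths (for example from a pre-commit hook) and it exits non-zero when any file contains a bidi control, which is the simplest policy for most code bases, since legitimate uses of these characters in source are rare and can be allow-listed per file.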


Hackers are stealing data today so quantum computers can crack it in a decade (MIT Tech Review)

Monty Solomon <monty@roscom.com>
Thu, 4 Nov 2021 00:47:58 -0400

https://www.technologyreview.com/2021/11/03/1039171/hackers-quantum-computers-us-homeland-security-cryptography/


Using Google search to deliver customers or worse

“mike smith” <mike1234z@hotmail.com>
Tue, 2 Nov 2021 03:13:11 +0000

I've run across an interesting way some websites have found to deliver traffic to themselves. I was searching for a recipe and one of the Google search results appeared to have what I needed. However when I clicked on the link to ckbk.com <https://app.ckbk.com/> I found that while it was indeed the recipe I wanted, the actual contents were behind a paywall and I had to subscribe to see the actual recipe. It appears the website has found a way to recognize the Google spider and allow it to index their site but then lock out those using the search link from Google.

Risks here start with persuading people to give credit card info for information that was seemingly provided openly on the web. Who knows what happens once they have that info. And if this website can give the spider one view of their website and the public something else, putting the promised content behind a paywall is going to be child's play compared to the other exploits possible.

[Mike Smith alias Mike Thompson?]


Credit-card PINs can be guessed even when covering the ATM pad (BleepingComputer)

“Gabe Goldberg” <gabe@gabegold.com>
Thu, 4 Nov 2021 15:35:57 -0400

https://www.bleepingcomputer.com/news/security/credit-card-pins-can-be-guessed-even-when-covering-the-atm-pad/


CoVID dream, risk, and the Newfoundland “cyberattack”

Rob Slade <rmslade@shaw.ca>
Thu, 4 Nov 2021 11:36:58 -0800

I've had another of my (infrequent) CoVID dreams. (I don't remember a lot of details, but the gist is there.) Somebody (possibly me) is supplying cleansers, unguents, and potions to the Royal Family. They are full of random ingredients, none of them particularly effective. So, somebody (possibly me) suddenly, and without warning, insists upon changing the formulations of the cleansers, unguents, and potions so that they are, at least minimally, effective. (High-handed, I know, but probably useful.)

In recent days the IT systems underlying the Newfoundland and Labrador health ministry, and hospitals, and diagnostic services, have ceased to work. This, particularly in the middle of a pandemic, could be a problem, since nothing of a health nature, aside from direct emergency services, is happening. Nobody is saying much about it. The relevant minister, and law enforcement leaders, have, after more than a day of pretty much useless pronouncements, finally admitted that the situation is a result of a “cyberattack.” This is a singularly unhelpful piece of information, given that it could describe almost anything. “Sources” are wildly speculating that it might be “ransomware,” with no indication that any of those “sources” actually knows what “ransomware” is, beyond “something that's recently made problems for a lot of enterprises.” (Similar “sources” are now saying that the “cyberattack” is the worst in Canadian history, despite not knowing what it is or how bad.) The lack of information may result from embarrassment (if, in this day and age, I had to admit that I'd suffered a ransomware attack and didn't know how to recover within a day or so, I'd certainly be embarrassed), or, probably more likely, a complete lack of understanding of what happened.

My mother died recently. (No, I'm not changing the topic.) (Yes, thank you; it was not unexpected; she'd been going downhill; it was a relief; she'd had a “good innings.”) Lots of people were very grateful to my mother, for a number of things. And she gave me one very great gift. Many years ago, I read an article from someone who said that everyone, these days, insisted that they worked in “high tech.” And, not everyone could. So, he provided a guideline for determining whether you actually worked in high tech. If your mother understood what you did, you didn't work in high tech. My mother, very definitively, never, EVER, understood what I did. In fact, most of my bosses never understood what I did.

I think I have this in common with most of you in information security. Most of us work for managers, supervisors, directors, and ministers who have only the vaguest notion of what we actually do, and the principles that drive us.

Since information, and information processing, now basically drives almost all of the world, this creates a dangerous situation. There are many threats to that information, and that processing, and if you don't understand the threats, you can't take precautions.

Take my original field of research. The fact that malware has exploded into myriad different forms makes it more important to know and define the various forms, not less. Different precautions and controls are effective against different types of malware. Some are best handled by security awareness training of staff (and, sometimes, customers). Some are addressed by very specific types of application level proxy firewalls. Some are addressed by having a backup. (Remember backups?) You need to know, specifically, what the threats are in order to protect against them.

We, in information security, have always been faced with the problem of “training up.” We are managed, and our budgets and resources are controlled, by those above us, in the org chart, who do not understand what we do. We need to take every opportunity (often when the metaphorical building next door metaphorically catches fire) to explain the risks facing the enterprise, and the precautions that need to be taken against those many risks. (And why “cloud” or “blockchain” is not the answer to every security question.)

(I have a great problem understanding why senior management does not understand risk management. After all, if you are a manager, at any level, of whatever type, you manage two things: people and risk. But, then again, the pandemic has demonstrated, over and over again, with a huge number of illustrations, that we, as a species, are really and utterly terrible at assessing and managing risk. It's a wonder we've survived as long as we have.)

We, in information security, need to step up our efforts to train managers, media, and the general public about the real risks that we, as a society, face every day.

Now go make a backup. (Maybe more than one.) (Maybe more than one type.) It'll keep you safe from “ransomware” “cyberattacks.”

(Although not from breachstortion. But that's another story. Or attack.)


Will there be vehicle safety tricks or treats this Halloween?

“Gabe Goldberg” <gabe@gabegold.com>
Sun, 31 Oct 2021 16:32:50 -0400

Happy Halloween! Remember to drive carefully in your neighborhood tonight. With all the kids out in their costumes, hurrying for that next piece of candy, it is amongst the deadliest days of the year for younger pedestrians. And that’s true even if no one is testing self-driving car technology in your community.

We recently sat down with National Public Radio’s Marketplace <https://www.autosafety.org/the-road-ahead-what-about-regulation-for-self-driving-cars/> to discuss what the status of self-driving car regulations are, and how the current testing set-up works. As we noted, manufacturers are “just putting vehicles out on public roads, public highways, neighborhood streets, across the country, and collecting data and seeing how it goes. That is obviously something that most people aren’t aware of, and no one really signed up for.”

https://mailchi.mp/autosafety.org/october-safety-update?e=91e5c03d94

Check out the full interview here: The road ahead: What about regulation for self-driving cars? <https://www.autosafety.org/the-road-ahead-what-about-regulation-for-self-driving-cars/>


Re: I really hate Hopin …

John Stewart <thompsonstevenssoftware@gmail.com>
Mon, 1 Nov 2021 11:45:50 -0400

It's always interesting what goes on. Like Rob Slade, the organization I worked for, for quite a while (Communications Research Centre, Ottawa), “did” Internet stuff.

Way back in the mid '90s, we Canadians could participate in EU FP projects. Could not claim funds, but could participate. One fun one was the UCL-led MICE and MECCANO projects, “doing” Multicast Audio/Video conferencing, amongst other things.

Two things came to light:

  1. There was no way for two or three researchers to go off into a corner to quickly discuss some point, without disrupting the audio channel. A shared text-based white board was the saviour here. It worked really well.

  2. Video was ok, but (other than sharing a slide deck) one did not need to see the face of the current speaker; it did not change that much, and none of us participants were anywhere near movie-star quality.

I can remember Roy Bennett, the UCL-based facilitator asking on Audio “I see lots of conversations on the white board, but does anyone want to say anything?”

I did have fun, as a side project, creating a VRML-based 3D front end to the audio tool, proximity based, so one could group with like minded people (Avatars) and talk, could see and hear other groups walk by, audio if they were close, just like real life. I led a little group doing fun things like that - I think we all enjoyed creating 3D interfaces for all sorts of things.

Now, in 2021, it appears that:

Video: the main feature is to have a background (preferably animated, and of zero relevance) going in the background, which is imperfect at stitching the user onto the background;

Audio: people are getting better, but the mute button gets ignored too much, so focus often changes to the coffee-slurpers (like me!) from the main presenter.

Saying that, the video quality is definitely better than we had back in the mid 90s but the whole experience has not really progressed much.


Re: Lettering on clothes mistaken for license plate (BBC)

Andy Walker <anw@cuboid.me.uk>
Sun, 31 Oct 2021 23:45:07 +0000

Point of order! Paula and Dave Knight, who received the fine, had nothing at all to do with sweater lady, and in particular Mr Knight is not her husband. Readers may also have noted the rather feeble attempt at a personalised number plate, approximating to KNigT.., which is pretty much as good as it gets for most UK car owners, given the rules by which our plates are assigned.
