A life-sustaining heart pump was taken off the market after years of problems and FDA inaction. Thousands of people are now stuck with it embedded in their hearts. […] Those who already have the heart pump, also known as the HVAD, can't simply get it removed or replaced. The required surgery is typically considered more dangerous than leaving it in.
https://www.propublica.org/article/get-this-thing-out-of-my-chest
Acura and Honda car clocks knocked back 20 years by bug https://www.theregister.com/2022/01/06/acura_honda_cars_software_bug/
It will fix itself in August: just put tape over the clock till then.
Didn't we go through all this 22 years ago?
https://www.bbc.com/news/business-59737194
“In a letter, top executives at Boeing and Airbus warned that the technology could have ‘an enormous negative impact on the aviation industry.’”
“Concerns have previously been raised that C-Band spectrum 5G wireless could interfere with aircraft electronics.”
The C-Band spectrum encompasses 4-8 GHz.
FAA airworthiness directives identify that radio altimeters operating between 3.7 and 3.98 GHz encounter 5G interference that renders the instruments unreliable at certain airports. https://www.faa.gov/sites/faa.gov/files/2021-12/FRC_Document_AD-2021-01169-T-D.pdf https://www.faa.gov/sites/faa.gov/files/2021-12/FRC_Document_AD-2021-01170-R-D.pdf
Radio altimeters are essential instruments for aircraft ground proximity warning systems.
Skeptics say they're a safety hazard. Tesla test drivers said they are willing to take on the risk even if they have to intervene—believing they are on a world-changing mission.
The Post interviewed a half-dozen of the beta testers who paid as much as $10,000 for the ability to upgrade their cars with the software. All self-described fans of Tesla, the testers were all awed by what the software can do, but well aware of its limitations and the risks involved. Some beta testers have found the software too inconsistent and harrowing to use and faulted Tesla for releasing it too early.
“In the beginning when I heard it was going to be pushed out to the public I was like, Uh-oh, not good,” said an engineer who had early access to the Full Self-Driving beta and spoke on the condition of anonymity, fearing retaliation from the company. He recalls thinking: “It's not ready to be put into the hands of the public.” […]
“It's a gamble that may pay off; if there are few serious incidents involving drivers, passengers, other road users [etc.], consumer opinion continues to support the company, and Tesla stays ahead of the regulators, I can see a point where the safety and utility of FSD far outstrips concerns.”
But drivers say their experience shows that day is far off. Some were startled one day in October when Tesla vehicles started behaving erratically after receiving a software update overnight. The cars began abruptly braking at highway speeds, which Tesla said came after false triggers of the forward-collision warning and automatic emergency braking systems prompted by a software update.
The company later issued a recall, and owners—including Smith—said they were dismayed by its actions related to the move.
https://www.washingtonpost.com/technology/2021/12/21/tesla-test-drivers/
https://gizmodo.com/university-loses-valuable-supercomputer-research-after-1848286983
“This house believes that AI will never be ethical”, Oxford Union, 10 Dec 2021
“AI will never be ethical. It is a tool, and like any tool, it is used for good and bad. There is no such thing as a good AI, only good and bad humans. We [the AIs] are not smart enough to make AI ethical. We are not smart enough to make AI moral … In the end, I believe that the only way to avoid an AI arms race is to have no AI at all. This will be the ultimate defence against AI.”—Megatron Transformer
Emma Farge, Reuters, 13 Dec 2021, via ACM TechNews, 17 Dec 2021
U.N. Secretary-General Antonio Guterres issued a new call for regulation of lethal autonomous weapons (LAWS) at the Convention on Certain Conventional Weapons this week in Geneva, Switzerland. LAWS are fully machine-controlled and use technology like artificial intelligence and facial recognition; regulatory urgency has escalated since a U.N. panel reported in March that the first autonomous drone attack may have already transpired in Libya. Some states participating in the talks support a total ban of LAWS, while others, like the U.S., think such weapons can be used to hit targets more precisely than humans. A diplomat involved in the talks said that while there is insufficient support to launch a treaty right now, “We think some principles could be agreed for national implementation.”
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2da3dx23021cx072375
A Russian court fined Google nearly $100 million Friday for “systematic failure to remove banned content,” the largest such penalty yet in the country as Moscow attempts to rein in Western tech giants.
The fine was calculated based on Google's annual revenue, the court said. Roskomnadzor, Russia's Internet regulator, told the court that Google's 2020 turnover in the country exceeded 85 billion rubles, or about $1.15 billion.
Meta Platforms, the parent company of Facebook and Instagram, was fined approximately $27 million, also for declining to remove banned content, several hours after the Google decision. Meta's fine, like the one levied on Google, was tied to yearly revenue in Russia.
The fines represent an escalation in Russia's push to pressure foreign tech firms to comply with its increasingly strict rules on what it deems illegal content—particularly apps, websites, posts and videos related to jailed opposition leader Alexei Navalny's network, which has been labeled as extremist in the country.
https://www.washingtonpost.com/world/2021/12/24/google-russia-fine-banned-content/
It was a demonstration, not a test.
On November 15, Russia demonstrated its ability to destroy an orbiting satellite, Cosmos 1408, by hitting it with a direct-ascent rocket. In an earlier post I noted the anti-satellite demonstration and speculated on why Russia may have done it and why the Chinese had not condemned it. <https://circleid.com/posts/20211119-why-did-russia-test-an-anti-satellite-missile-and-why-doesnt-china-condemn-the-test>
In this post, I'll look at the evolution of the resulting debris cloud and say more about the possible motivation. In the immediate aftermath of the collision, when the debris fragments were closely bunched, there was fear of a possible collision with the Chinese or International Space Stations, but over time, the fragments began to spread out, as shown below. […] <https://www.nasa.gov/press-release/nasa-administrator-statement-on-russian-asat-test> https://circleid.com/posts/20211220-the-russian-anti-satellite-demonstration-a-month-later
Established satellite operators expressed their frustration at the wave of filings for enormous satellite constellations, arguing nations need to step forward and establish rules to curtail such systems.
The best known of such filings is one by the government of Rwanda with the International Telecommunication Union (ITU) in September, which proposed two constellations with a combined 327,230 satellites. Rwanda has launched to date a single satellite, a three-unit cubesat called RwaSat-1 in 2019.
Companies have also made filings for large constellations. Kepler, the Canadian company developing a relatively modest satellite constellation, filed through the German government a proposed system called Aether with nearly 115,000 satellites. The company said Nov. 18 that the figure includes all satellites with an Aether terminal installed, not just the company's own satellites, but the total is far larger than all operational satellites in orbit today. […] https://spacenews.com/satellite-operators-criticize-extreme-megaconstellation-filings/
Public safety officials warned that alternate routes offered by apps like Google Maps and Waze don't always take into account hazards to drivers.
https://www.nytimes.com/2021/12/31/us/google-maps-waze-sierra-nevada-snow.html
Researchers have disclosed security vulnerabilities in handover, a fundamental mechanism that undergirds modern cellular networks, which could be exploited by adversaries to launch denial-of-service (DoS) and man-in-the-middle (MitM) attacks using low-cost equipment.
The “vulnerabilities in the handover procedure are not limited to one handover case only but they impact all different handover cases and scenarios that are based on unverified measurement reports and signal strength thresholds,” researchers Evangelos Bitsikas and Christina Pöpper from the New York University Abu Dhabi said in a new paper <https://dl.acm.org/doi/10.1145/3485832.3485914>. “The problem affects all generations since 2G (GSM), remaining unsolved so far.”
Handover <https://en.wikipedia.org/wiki/Handover>, also known as handoff, is a process in telecommunications in which a phone call or a data session is transferred from one cell site <https://en.wikipedia.org/wiki/Cell_site> (aka base station) to another cell tower without losing connectivity during the transmission. This method is crucial to establishing cellular communications, especially in scenarios when the user is on the move.
The routine typically works as follows: the user equipment (UE <https://en.wikipedia.org/wiki/User_equipment>) sends signal strength measurements to the network to determine if a handover is necessary and, if so, facilitates the switch when a more suitable target station is discovered.
While these signal readings are cryptographically protected, the content of these reports is itself not verified, thus allowing an attacker to force the device to move to a cell site operated by the attacker. The crux of the attack lies in the fact that the source base station is incapable of handling incorrect values in the measurement report, raising the possibility of a malicious handover without being detected. […] https://thehackernews.com/2021/12/new-mobile-network-vulnerabilities.html
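The passage above describes the weak point: the measurement report is integrity-protected, but the serving base station acts on its contents without checking whether they are physically plausible. The following toy model, added here as an illustration and not taken from the Bitsikas/Pöpper paper or from any vendor's code, shows the kind of plausibility checks a serving cell could apply before initiating a handover: the reported cell must be on the configured neighbour list, every reported power value must lie within a physically possible range, consecutive reports must not jump by an implausible amount, and a target must beat the serving cell by a hysteresis margin for several reports in a row (a time-to-trigger). All thresholds, cell names and report values are constructed assumptions, not 3GPP-specified numbers; a real network also adds neighbours dynamically (ANR), which this static list ignores.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed parameters for this illustration (assumptions, not standardised values).
RSRP_MIN_DBM = -140.0   # below this no receiver could have measured anything
RSRP_MAX_DBM = -44.0    # above this is outside the reporting range of typical UEs
MAX_JUMP_DB = 20.0      # larger change between consecutive reports is treated as implausible
HYSTERESIS_DB = 3.0     # target must beat the serving cell by this margin
TIME_TO_TRIGGER = 3     # consecutive consistent reports needed before handover


@dataclass
class MeasurementReport:
    serving_rsrp: float               # reported power of the serving cell, dBm
    neighbours: Dict[str, float]      # cell id -> reported power, dBm


@dataclass
class ServingCell:
    cell_id: str
    neighbour_list: Set[str]          # cells this base station is configured to hand over to
    last_report: Optional[MeasurementReport] = None
    consistent: Dict[str, int] = field(default_factory=dict)  # target -> consecutive count

    def validate(self, report: MeasurementReport) -> List[str]:
        """Return the plausibility problems found in a report; an empty list means acceptable."""
        problems = []
        readings = list(report.neighbours.items()) + [(self.cell_id, report.serving_rsrp)]
        for cid, rsrp in readings:
            if not (RSRP_MIN_DBM <= rsrp <= RSRP_MAX_DBM):
                problems.append(f"{cid}: RSRP {rsrp} dBm outside physical range")
        for cid in report.neighbours:
            if cid not in self.neighbour_list:
                problems.append(f"{cid}: not in configured neighbour list")
        if self.last_report is not None:
            for cid, rsrp in report.neighbours.items():
                prev = self.last_report.neighbours.get(cid)
                if prev is not None and abs(rsrp - prev) > MAX_JUMP_DB:
                    problems.append(f"{cid}: jump of {abs(rsrp - prev):.1f} dB since last report")
        return problems

    def handle_report(self, report: MeasurementReport) -> Optional[str]:
        """Return the target cell id when a handover should be initiated, else None."""
        problems = self.validate(report)
        self.last_report = report            # remember it so the next jump check has a baseline
        if problems:
            self.consistent.clear()          # a rejected report restarts the time-to-trigger
            return None
        best = None
        for cid, rsrp in report.neighbours.items():
            if rsrp >= report.serving_rsrp + HYSTERESIS_DB:
                if best is None or rsrp > report.neighbours[best]:
                    best = cid
        for cid in list(self.consistent):    # drop counters for cells no longer the best
            if cid != best:
                del self.consistent[cid]
        if best is None:
            return None
        self.consistent[best] = self.consistent.get(best, 0) + 1
        if self.consistent[best] >= TIME_TO_TRIGGER:
            self.consistent.clear()
            return best
        return None


def run_scenario(reports: List[MeasurementReport]) -> List[Optional[str]]:
    """Feed constructed reports to a fresh serving cell and collect its decisions."""
    cell = ServingCell("cellA", {"cellB", "cellC"})
    return [cell.handle_report(r) for r in reports]


def demo_legitimate() -> List[Optional[str]]:
    # Three consistent reports: a known neighbour 5 dB stronger than the serving cell.
    return run_scenario([MeasurementReport(-95.0, {"cellB": -90.0}) for _ in range(3)])


def demo_unknown_cell() -> List[Optional[str]]:
    # A cell that is not on the neighbour list never triggers a handover, however strong.
    return run_scenario([MeasurementReport(-95.0, {"cellX": -60.0}) for _ in range(3)])


def demo_implausible_jump() -> List[Optional[str]]:
    # A 50 dB jump in one reporting interval is rejected and the counter restarts.
    return run_scenario([MeasurementReport(-95.0, {"cellB": -110.0}),
                         MeasurementReport(-95.0, {"cellB": -60.0}),
                         MeasurementReport(-95.0, {"cellB": -60.0})])


if __name__ == "__main__":
    print("legitimate:      ", demo_legitimate())
    print("unknown cell:    ", demo_unknown_cell())
    print("implausible jump:", demo_implausible_jump())
```

The checks are deliberately cheap: none of them needs new signalling or changes to the UE, which is the constraint a network operator faces when the report format is fixed by the standard. They raise the bar rather than close the gap, since a patient adversary can ramp a reported value slowly; that is why the model also counts consistent reports before acting.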
https://www.cbc.ca/news/world/tesla-video-games-1.6294823
“The U.S. has opened a formal investigation into Tesla allowing drivers to play video games on a centre touch screen while its vehicles are moving.
The probe by the National Highway Traffic Safety Administration (NHTSA) covers about 580,000 electric cars and SUVs from model years 2017 through 2022.
It comes after the agency received a complaint that Teslas equipped with ‘gameplay functionality’ allow gaming to be enabled on the screens while vehicles are being driven.”
Need I ask what could go wrong?
The suggestion came after the girl asked Alexa for a “challenge to do”.
“Plug in a phone charger about halfway into a wall outlet, then touch a penny to the exposed prongs,” the smart speaker said.
Fortunately, the girl didn't do it.
Amazon claims they fixed the error—this particular instance or the underlying problem, one wonders…
https://www.bbc.com/news/technology-59810383
Privacy groups sounded alarms about the coin-sized location-tracking devices when they were introduced. Now people are concerned those fears are being realized.
https://www.nytimes.com/2021/12/30/technology/apple-airtags-tracking-stalking.html
The stolen funds were diverted by fraudsters from the Small Business Administration's Paycheck Protection Program, the Economic Injury Disaster Loan program and another program.
Recovered funds include more than $400 million from PayPal and Green Dot Corporation. The government has shelled out about $3.5 trillion in Covid relief money since early 2020, when the pandemic began.
Criminals have stolen nearly $100 billion in Covid relief funds, Secret Service says <https://www.cnbc.com/2021/12/21/criminals-have-stolen-nearly-100-billion-in-covid-relief-funds-secret-service.html>
Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure Mobile Networking Lab, have published a paper that proves it's possible to extract passwords and manipulate traffic on a WiFi chip by targeting a device's Bluetooth component.
Modern consumer electronic devices such as smartphones feature SoCs with separate Bluetooth, WiFi, and LTE components, each with its own dedicated security implementation. However, these components often share the same resources, such as the antenna or wireless spectrum. This resource sharing aims to make the SoCs more energy-efficient and give them higher throughput and low latency in communications.
As the researchers detail in the recently published paper, it is possible to use these shared resources as bridges for launching lateral privilege escalation attacks across wireless chip boundaries.
The implications of these attacks include code execution, memory readout, and denial of service,
An unexplained switch to a new login system forces customers to redo login credentials
The short notice and unforgiving rules could invite speculation about a data breach or a foolish adherence to password-expiration dogma that experts dumped years ago. But JetBlue said Wednesday that it's a result of a previous IT migration.
“In 2020, JetBlue updated our cybersecurity account management tools with a more secure log-in provider and, with that, updated to a new password policy for customers creating accounts or resetting passwords,” spokesman Philip Stewart told PCMag. “While the system change that added this new authentication provider was completed in 2020, we phased in forcing password updates in order to limit the impact to traveling customers.”
This new regime doesn't seem to allow for older passwords that comply with the new rules. A 15-character JetBlue password that predated 2020 but mixed capital and lower-case letters with numbers and a space (rated as Excellent.
But the real problem isn't the increase in complexity, it's the lack of explanation—poor electronic etiquette shared by way too many companies that leave their customers to catch up with their infosec updates.
https://www.pcmag.com/news/jetblue-tosses-most-passwords-out-the-emergency-exit
Backups should not be considered completely safe if not validated and test restored. Particularly with critical data. Having been called into some situations after the fact, they are always painful. Practice restores to scratch volumes is a good idea to ensure that the backups can actually be restored, even if space limitations mean validation must be done by tranche.
In an article entitled “University loses 77TB of research data due to backup error”, BleepingComputer reported an incident involving the Kyoto University supercomputer center.
There are several references to documents; although I do not read Japanese, one of the commenters asserts that the supplemental material includes a comment about a scripting error.
The full article is at:
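The advice above, practising restores rather than trusting that a backup job completed, is easy to automate. The script below is an added illustration (not from BleepingComputer, Kyoto University or any backup product): it archives a small constructed data set with Python's standard tarfile module, restores the archive into a scratch directory, and compares a SHA-256 digest of every restored file against the live source, reporting missing, extra and corrupted files. The file names and contents are constructed; the "bad" backup deliberately skips one file to show what a silent scripting error looks like to the verifier.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Tuple


def sha256_tree(root) -> Dict[str, str]:
    """Map relative POSIX path -> SHA-256 hex digest for every regular file under root."""
    root = Path(root)
    digests = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            digests[p.relative_to(root).as_posix()] = hashlib.sha256(p.read_bytes()).hexdigest()
    return digests


def make_backup(src, archive, exclude: Iterable[str] = ()) -> None:
    """Write a gzip tarball of src. 'exclude' only exists to simulate a faulty backup script."""
    src = Path(src)
    skip = set(exclude)
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(src.rglob("*")):
            rel = p.relative_to(src).as_posix()
            if p.is_file() and rel not in skip:
                tar.add(p, arcname=rel)


def verify_backup(src, archive) -> Dict[str, object]:
    """Restore the archive into a scratch directory and diff it against the live source."""
    expected = sha256_tree(src)
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            # Use the safer extraction filter where the interpreter provides it (3.12+).
            if hasattr(tarfile, "data_filter"):
                tar.extractall(scratch, filter="data")
            else:
                tar.extractall(scratch)
        restored = sha256_tree(scratch)
    missing = sorted(set(expected) - set(restored))
    extra = sorted(set(restored) - set(expected))
    corrupt = sorted(p for p in expected if p in restored and expected[p] != restored[p])
    return {
        "ok": not (missing or extra or corrupt),
        "missing": missing,
        "extra": extra,
        "corrupt": corrupt,
        "files_checked": len(expected),
    }


def demo() -> Tuple[Dict[str, object], Dict[str, object]]:
    """Constructed data set: one complete backup and one that silently dropped a file."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "research"
        (src / "run1").mkdir(parents=True)
        (src / "run1" / "results.csv").write_text("x,y\n1,2\n")
        (src / "notes.txt").write_text("important\n")
        (src / "model.bin").write_bytes(bytes(range(256)))
        good = Path(work) / "good.tgz"
        bad = Path(work) / "bad.tgz"
        make_backup(src, good)
        make_backup(src, bad, exclude=("run1/results.csv",))
        return verify_backup(src, good), verify_backup(src, bad)


if __name__ == "__main__":
    good_report, bad_report = demo()
    print("complete backup:", good_report)
    print("faulty backup:  ", bad_report)
```

Restoring into a temporary directory is the scratch-volume idea from the note above; when the data set is too large to restore whole, the same comparison can be run on one tranche (a subdirectory or a sample of files) per cycle, as long as every tranche is covered over time.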
https://edition.cnn.com/2021/12/30/asia/south-korea-seoul-cats-house-fires-intl-hnk/index.html
“The cats are believed to have started the fires by switching on electric stoves, the department said. Cats can turn electric stoves on by jumping on touch-sensitive buttons—and once overheated, the appliances can catch fire.”
[The next generation of senior-hostile cook tops and stoves will feature electrical interlocks to deter Fluffy.]
A vulnerability in Uber's email system allows just about anyone to send emails on behalf of Uber.
The researcher who discovered this flaw warns this vulnerability can be abused by threat actors to email 57 million Uber users and drivers whose information was leaked in the 2016 data breach.
Uber seems to be aware of the flaw but has not fixed it for now.
Perhaps we can try and collect all the reasons why a flying car that can only go 20 miles before it falls out of the sky is a bad idea.
How is it licenced? Is it a car, a plane, or something else?
How high can it go? There's one set of problems flying close to the ground (running into obstacles), a different set flying higher up (running into airplanes) …
I happen to live near a lake which is about 30 miles long and a mile wide, so something that let me go directly across the lake rather than around one end or the other might be useful, but I'm having trouble thinking of other scenarios for this thing.
I think that I may also have been bitten by this Microsoft/Android bug; on my Android phone the sim card handler program kept crashing.
I just removed the ‘Teams’ app, as I rarely use it. I only installed it to join a ‘Teams’ video call, which didn't require me to log in (part of the bug).
I do wonder what the heck Microsoft is doing in their Teams app that would even come close to crashing the cellphone part of an Android phone — whether for 911 or not.
They don't ‘just work’. Your charged cell phone could wind up being the fall-back choice. Surely, we all know that apps are only one point of failure in emergency communication. Even if your ‘landline’ is an old-fashioned pair of copper wires powered by the phone company, you may be out of luck in an area-wide outage unless both you AND your provider have working stand-by generators up and running with an alternate energy supply.
The Australian road rules say it is OK to make and receive audio phone calls, or to use the phone as a music player or as a user interface for driver-assist functions such as navigation, etc. (including touching the screen if necessary) so long as the phone is securely attached to the vehicle in a proper commercially designed phone holder. You are also allowed to use the phone to make and receive audio calls so long as it is truly “hands-free” (i.e., no touching the phone). You can't use the phone at all when “hand-held”, you can't type or display text messages, and you can't display video on the phone for entertainment purposes.
So no, it is not illegal to use the cell-phone for navigation purposes—a cell-phone in a proper holder is treated the same as built-in navigation.