https://www.washingtonpost.com/technology/2022/08/23/peiter-mudge-zatko-twitter-whistleblower/

Full text of (redacted) whistleblower disclosure re Twitter (84 pages)
https://s3.documentcloud.org/documents/22186683/twitter-whistleblower-disclosure.pdf

[From Lauren Weinstein]

[This item deserves some discussion here. Mudge and his L0pht folks testified for the U.S. Senate Government Affairs Committee (as did I just before them) on 19 May 1998 in a hearing about how everything relating to computer and network security was badly broken. There is a YouTube of the L0pht testimony and subsequent discussion, running 59 minutes: https://www.youtube.com/watch?v=VVJldn_MmMY

The L0pht were remarkably insightful pro-bono whistleblowers even then. The Russian state-sponsored hacker groups are now doing exactly what was being discussed 24 years ago in the oral testimony at about 28 minutes into the hour. Senator Fred Thompson asked whether they could actually make the Internet unusable in less than 30 minutes, and the answer was that one of them could indeed do that with just a few inserted packets. Another Senator (Lieberman?) returns to that around 49 minutes in.

The L0pht written testimony is also on line: https://nsarchive.gwu.edu/briefing-book/cyber-vault/2019-01-09/cybersecuritcy-when-hackers-went-hill-revisiting-l0pht-hearings-1998

Space-Rogue noted to me that a transcript of the original testimony is here: https://www.spacerogue.net/wordpress/?p=602

However, much of what is fascinating here are the Senators' responses. All of this is worth reviewing today, primarily illustrating how little fundamental work has been done since then. It was very refreshing for me to revisit this archival material. The good news might be that the L0pht video has had almost a half-million views, and it is nice to know that our RISKS readers seem to be much more aware than nonreaders.

Incidentally, my written testimony is on my website and in the searchable Congressional Record, but I had looked for a video of my oral testimony, and I did not find one. I am delighted I could find the L0pht's one so easily. PGN]
The evolution of ransomware business models: ransomware-as-a-service https://sfstandard.com/business/fbi-warns-of-zeppelin-ransomware-attacks-targeting-bay-area-companies/ Two new trends raised alarm bells with law enforcement and cybersecurity professionals. One is a new focus on attacks on health care facilities and organizations already burdened by the pandemic. The other is an evolution in the business models around ransomware, with the Zeppelin software creating an ecosystem of cybercrime -- whereby actors research at-risk organizations, conduct attacks, negotiate ransoms and launder payments -- that Chan dubbed *ransomware-as-a-service*.
Data and video recorded by Tesla and other automakers to hone driver-assistance systems can also be an investigative tool for regulators and lawyers. [On the other hand, the article discusses someone "whose startup is trying to monetize performance data." We seem to be entering an era where *almost everything* can be monetized. PGN]
A series of incremental changes over the years has transformed the tool from an explorative search function to one that is ripe for deception. https://www.wired.com/story/google-search-quietly-damaging-democracy
https://cloud.google.com/blog/products/identity-security/how-google-cloud-blocked-largest-layer-7-ddos-attack-at-46-million-rps
Steve McCaskill, *TechRadar*, 18 Aug 2022, via ACM TechNews Scientists at Austria's Vienna University of Technology (TU Wien) and France's University of Rennes have enabled Wi-Fi signals to pass through walls more effectively. The method calculates an anti-reflective invisible structure to a wall, which TU Wien's Stefan Rotter likened to "the anti-reflective coating on your pair of glasses." The researchers transmitted microwaves through a labyrinth of obstacles, then calculated a matching anti-reflective structure that almost completely removed the signals' reflection. "We were able to show that this information can be used to calculate a corresponding compensating structure for any medium that scatters waves in a complex way, so that the combination of both media allows waves to pass through completely," explained TU Wien's Michael Horodynski. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f12cx2356a9x069966&
*The wait for the *Game of Thrones* prequel lasted a little longer for some; HBO Max says the show had millions of viewers* Some users said they were close to a breakdown! https://www.wsj.com/articles/hbo-max-crashes-house-of-the-dragon-game-of-thrones-prequel-11661172989 [Unnecessarily long item truncated for RISKS. PGN]
Google has an automated tool to detect abusive images of children. But the system can get it wrong, and the consequences are serious. A Google spokeswoman said the company stands by its decisions, even though law enforcement cleared the two men. https://www.nytimes.com/2022/08/21/technology/google-surveillance-toddler-photo.html [Long explicit version for those who wish to dig into this story: https://dnyuz.com/2022/08/21/a-dad-took-photos-of-his-naked-toddler-for-the-doctor-google-flagged-him-as-a-criminal/ PGN]
Clinics reveal record number of Brits are seeking help after flexible working put "temptation at [their] fingertips." [...] https://www.dailymail.co.uk/health/article-11127351/EXCL-WFH-fuelled-rise-extreme-porn-addiction.html
https://science.slashdot.org/story/22/08/22/2215255/ai-model-can-detect-parkinsons-from-breathing-patterns "The team developed a device with the appearance of a home Wi-Fi router, but instead of providing Internet access, the device emits radio signals, analyzes their reflections off the surrounding environment, and extracts the subject's breathing patterns without any bodily contact. The breathing signal is then fed to the neural network to assess Parkinson's in a passive manner, and there is zero effort needed from the patient and caregiver." Could they adapt this technology to make a stealth contactless lie detector? Put one of these in a waiting room and play various ads, see how people respond. Play patriotic music and see whose anthem folks like best. THVV
When we did this work: https://www.lightbluetouchpaper.org/2015/01/04/to-freeze-or-not-to-freeze/ we experimented with radar as well as time-difference-of-arrival cameras and body motion-capture suits. Radar didn't work at all. Motion capture worked best. But the main signals come from fidgeting, especially in the upper arms and hands. A smart watch can give you away!
https://boingboing.net/2022/08/23/startup-uses-ai-to-transform-call-center-workers-accents-into-white-voice.html
https://news.bitcoin.com/hackers-used-deepfake-of-binance-cco-to-perform-exchange-listing-scams/ A set of hackers managed to impersonate Binance chief communications officer (CCO) Patrick Hillmann in a series of video calls with several representatives of cryptocurrency projects. The attackers used what Hillmann described as an AI hologram, a deepfake of his image for this objective, and managed to fool some representatives of these projects, making them think Hillmann was helping them get listed on the exchange.
https://arstechnica.com/gadgets/2022/08/unix-legend-who-owes-us-nothing-keeps-fixing-foundational-awk-code/
Fun reading—using public/private keys copied from a public tutorial to sign real-world software in Hyundai cars https://www.theregister.com/2022/08/17/software_developer_cracks_hyundai_encryption/
What I fear is that the wrong lesson will be learned, and Google will be urged to suppress search results for general encryption tutorials, rather than addressing the ill-advised behavior of Hyundai programmers in lazily copying keys from an online example.
This month's updates are a great example of why my patching advice differs for consumers and businesses. For consumer patchers, whether using Windows 10 Home or Professional, I'm not convinced that you need to install KB5012170, Microsoft's security update for Secure Boot DBX (the Secure Boot Forbidden Signature Database). Unless, that is, you think you will be targeted by an overseas attacker with a malicious bootloader installer. If your computer holds the keys to the nuclear codes, then by all means install this update instantly. The fact that this isn't clear-cut is the reason I can lower the MS-DEFCON only to 3 this time around. https://www.askwoody.com/newsletter/ms-defcon-3-issues-with-bootloader-patches/
Proving there's nothing new under the sun: That's the most used—or misused—Social Security number in history, and it belonged to a woman from Lockport. The federal government originally issued that number to Hilda Schrader Whitcher in the 1930s. But over the next four decades more than 40,000 people mistakenly claimed it for themselves. https://buffalonews.com/news/local/history/how-40-000-people-used-a-lockport-womans-social-security-number/article_9e74f603-25b9-5d06-9efa-eab3697369a3.html And: Social Security Cards Issued by Woolworth The most misused SSN of all time was (078-05-1120). In 1938, wallet manufacturer the E. H. Ferree company in Lockport, New York decided to promote its product by showing how a Social Security card would fit into its wallets. A sample card, used for display purposes, was inserted in each wallet. Company Vice President and Treasurer Douglas Patterson thought it would be a clever idea to use the actual SSN of his secretary, Mrs. Hilda Schrader Whitcher. https://www.ssa.gov/history/ssn/misused.html
> "They started using the number," Whitcher told The News. "They thought it
> was their own. I can't understand how people can be so stupid. I can't
> understand that."

One has to sigh—how true is that today across a whole range of issues/things, political and otherwise, even in the so-called *greatest country on earth*. Oh well—and I guess one has to be careful even to utter that sentence in fear of being accused of being politically incorrect.
Given that this is the Conservative party we're talking about, I think the biggest security threat is inside the tent. Use the postal strikes (which they've done nothing about because it feeds their anti-union plans) to get most party members to vote online, then 'fix' the result to the one the party itself wants. Yes, I'm being very cynical, but 12+ years of Conservative (mis)government will do that to you. The Russians don't need to hack us anymore, we (or rather the Conservatives) can do that work for them now.
Charles Piller's reports for Science are available at (On the questions surrounding the Lesné-Ashe Nature 2006 paper) Piller, C., Blots on a Field? Science 337 6604 dated 2022-07-21 on-line, https://www.science.org/content/article/potential-fabrication-research-images-threatens-key-theory-alzheimers-disease which includes the analysis of a particular Western-blot image, to show how (some of) the analysis is done. We have heard a lot about image analysis in scientific papers in the biomedical/biochemical/biowhatever fields lately, and it is very helpful to see an example. (On Cassava Sciences and its studies on its drug Simufilam) Piller, C., Research backing experimental Alzheimer's drug was first target of suspicion, Science 337 6604 dated 2022-07-21 on-line, https://www.science.org/doi/10.1126/science.ade0181
> Chen said the laptop manufacturer put a custom filter... around the hard
> drive to prevent it being affected by sound waves or to dampen the
> resonance frequency?

No:

> the laptop manufacturer put a custom filter in the device's audio
> system that could eliminate the resonant frequency during audio
> playback.

So their solution was to severely degrade the quality of audio playback to try and stop the laptop from crashing when certain sound frequencies were playing near the laptop? Never mind that laptop would still crash if a laptop nearby (or just about any other audio device) happened to play those frequencies!