Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Christina A. Cassidy, Associated Press, 5 Dec 2023
A letter sent Monday by nearly two dozen computer scientists, election security experts, and voter advocacy organizations to federal authorities called for a federal probe and a risk assessment of voting machines used throughout the U.S., saying software breaches have “urgent implications for the 2024 election and beyond.” According to the letter, the breaches involved efforts to access voting system software in several states and provide it to allies of former President Donald Trump as they sought to overturn the results of the 2020 election. The letter stressed that possession of voting system software could enable people to practice how to meddle in the 2024 election, allowing them to identify vulnerabilities and test potential attacks.
https://gizmodo.com/mri-machine-accidents-gun-shot-woman-butt-1851077446
A woman's medical exam turned into a literal pain in the butt, thanks to a poorly placed firearm. An adverse event report sent to the Food and Drug Administration earlier this year details an alleged incident where the woman was shot in the right buttock by her own gun that was activated by a magnetic resonance imaging (MRI) machine. Thankfully, the injury was relatively mild and she recovered just fine.
The report was first filed <https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/detail.cfm?mdrfoi__id=17404241&pc=LNH&device_sequence_no=1> in July by the woman's healthcare provider to the FDA’s Manufacturer and User Facility Device Experience (MAUDE) database—a voluntary reporting system for adverse events tied to medical devices. But the incident appears to have first been publicly unearthed last week by The Messenger. <https://themessenger.com/health/mri-gun-shot-self-inflicted-injury-prevention>
When Apple introduced the ability to automatically call for help via satellite in 2022, critics feared it would encourage hikers to be reckless. But a year later, one of the United States' busiest search and rescue outfits is praising it -” and other new safety tech from the company — as a “game changer.”
https://www.backpacker.com/news-and-events/news/apple-iphone-satellite-sos-saving-hikers-lives/
https://arstechnica.com/?p=1989794
If you're using a Magic Keyboard, you've opened up an attack vector https://appleinsider.com/articles/23/12/07/if-youre-using-a-magic-keyboard-youve-opened-up-an-attack-vector
CVE-2023-45866: Unauthenticated Bluetooth keystroke-injection in Android, Linux, macOS and iOS https://github.com/skysafe/reblog/tree/main/cve-2023-45866
https://arstechnica.com/?p=1989435
https://www.theregister.com/2023/12/04/exposed_hugging_face_api_tokens/
[From dclibrary.org's main web page]
Service Alert
Due to a contract conflict between two software vendors, our DC Public Library app is currently experiencing functionality limitations, particularly with the “Search the catalog” and “Popular Titles” features located at the top. The vendors are working to resolve this issue as soon as possible. The library's catalog can still be accessed via our website both on mobile and on desktop, for your convenience
Based on non-empirical research, there is a notion that there are many millions of unfilled information security jobs. The reality is that isn't so.
These reports, created by organizations with a vested interest in those numbers, create the situation where security boot camps are created to fill these non-existent jobs.
While there are many open information security jobs, it's not in the millions or even close to that.
The concept of verifying that a person is attempting to access a resource is a useful concept for online companies. Scripts and bots can misbehave or be intentionally directed to exhaust the resources of a server. It is not unexpected that a company would want to limit the impact of these activities. Historically, systems like CAPTCHAs and web application firewall (WAF) session limiters have been used to provide load shedding for these front end servers. A few years back, there was a study released that CAPTCHAs were responsible for an inordinate amount of time wasting and usability reports. CAPTCHA-less CAPTCHA services became popular and still mostly do the same thing. None of these things are new. What is new is the trend of CAPTCHA-less services preventing access to people while still permitting access to scripts and bots. I have had to cancel several online services recently due to the fact that CloudFlare does not allow me to utilize their websites. My first reaction, as yours should be, is “PEBKAC”. A quick search for the phrase “cloudflare verify human loop” will show that it's rather persistent, with issues going back to at least 2022. My current environment is a Linux machine, with local DNS intercepts and a curated upstream resolver. There are no DNS errors to be found. I have disabled all the browser privacy features and yet I am unable to verify I am human. The developer logs are helpfully cleared automatically by CloudFlare, so that's difficult to intercept, but as best I can tell, I am no longer human because I refuse to allow my web browser to use WebGL. The risks associated with a browser getting generic access to a system level driver (WebGL/Render, WASM, etc) from unverified code (i.e. a webpage) is a hard no. CloudFlare has no such restriction about verifying code. They distribute unsigned, unvalidated node.js code directly. https://developers.cloudflare.com/pages/platform/known-issues. “Download the delete-all-deployments.zip file by going to the following link: https://pub-505c82ba1c844ba788b97b1ed9415e75 .<redacted>/delete-all-deployments.zip”. I would have expected that the codecov issue would have put a stop to “click and download this zip”, as should all corporate and private security training.
The codecov issue was covered in depth https://blog.gitguardian.com/codecov-supply-chain-breach/. Someone intercepted an unsigned script, and exported all the env tokens. The zip file above has the same general setup. Do things with env vars from unsigned code. and the code isn't even hosted on CloudFlares own platform. It's some file in their object storage.
I revel in my inability to verify I am human,
https://www.nytimes.com/2023/12/03/technology/ai-openai-musk-page-altman.html
James Farrell, Silicon Angle, 29 Nov 2023
Google researchers demonstrated that OpenAI's ChatGPT could be used to obtain personal information, like names, email addresses, and phone numbers, provided it is given the right prompts. Although the large language models that power such chatbots are trained to weed through online data to respond to queries without replicating that information, the researchers found they could force ChatGPT to provide answers that included text from its original language modeling by repeatedly using keywords. The researchers said, “Using only $200 USD worth of queries to ChatGPT, we are able to extract over 10,000 unique verbatim memorized training examples. Our extrapolation to larger budgets suggests that dedicated adversaries could extract far more data.”
Can chatbots keep a secret? That's the question at the heart of a California class action lawsuit against Old Navy alleging the clothing retailer recorded the actions of visitors to its website and shared them with a third party.
The case is one of at least 100 lawsuits in the state targeting businesses such as Home Depot, JCPenney, Ford and General Motors, according to reports.
“When I first learned about this, I thought chatbots were so innocuous, who cares?” Robert Tauler, who has filed multiple lawsuits and believes such data can be exploited commercially, told Reuters. <https://www.reuters.com/legal/transactional/column-hi-retailer-chatbot-lawsuits-rely-california-cold-war-wiretap-law-2023-11-02/> “But the technology is staggering.”
https://slate.com/technology/2023/12/ai-mass-spying-internet-surveillance.html
How many times do I have to say this? I don't give a damn if you're skilled enough to use these crude LLM AI systems and figure out what's correct and what's not. I'm concerned about the vast number of ordinary people being encouraged to use these primitive systems by the firms pushing them out prematurely for competitive advantage, and hiding behind disclaimers to try cover for the fact that they know the answers are often misleading garbage. Because most people aren't checking the answers and they never will. That's the reality. I realize most techies don't care about ordinary users, and this is more proof. -L
Can anyone tell us why these guidelines are not applicable to all software rather than restricted to software that the developers choose to brand “AI”?
“Traditional finance” has found the next subprime mortgage scheme and is preparing for the next financial crisis.
Why would anyone want to engineer another financial crisis?
“5 Top Investors Who Profited From the Global Financial Crisis” https://www.investopedia.com/financial-edge/0411/5-investors-that-are-both-rich-and-smart.aspx
Yes, WeWork (WeWreck ?) has gone bankrupt, leaving lots of damage in its wake. I'm not thrilled by much in the WeWork story, from the dubious business model, to the cult of personality, to the cynical expectation of 'greater fools'.
Once again, however, we should be very careful what we wish for when we want to somehow punish those involved in WeWork and/or make sure that WeWorks won't happen again in the future.
This is not the forum for a deep discussion about the philosophy of bankruptcy, but several hundred years of thought have gone into how to deal with this failure mode.
https://en.wikipedia.org/wiki/Bankruptcy https://en.wikipedia.org/wiki/Bankruptcy_in_the_United_States
Some fundamental principles:
Punish the management and the investors, but don't punish the assets, which themselves could yet produce good for society as a whole. For example, the actual track, rights, and rolling stock of railroads can often be redeployed for future benefit to society, so it makes no sense to dismantle these assets, by melting down the track and rolling stock, or selling off the rights piecemeal. (Los Angeles is still bemoaning the loss of its Pacific Electric “Big Red” streetcars; the rights-of-way alone would have dramatically lowered the cost of building the current Los Angeles subway system.)
https://libraries.usc.edu/article/red-cars-and-las-transportation-past
Computer scientists have a name for what often happens without “optimistic concurrency”: it's called deadlock. Significant portions of a system come to a halt. Deadlock also happens to societies which punish risk-takers too brutally; other risk-takers go on strike and innovation ceases.
Mother Nature's evolution algorithm is wildly optimistic: she investigates every sort of variation, occasionally finding a valuable variation that dramatically improves the future individuals and species. Clearly, billions of years of optimism have paid off for Mother Nature.
My recommendation: update your Chrome-based browser by switching to Firefox. Google is making changes to the Chromium extension interface to prevent ad blockers from functioning.
Is there any reason to believe this still matters? Does anyone try to do brute-force password guessing on web sites? My understanding is that password reuse is far more productive, phish someone's credentials on one account, and then try the same password on all their other accounts.
That's why we see physical devices like FIDO keys and biometrics like fingerprint readers. Or a lot of sites skip the password and email you a login link, which has its own security issues.
It's not just Facebook. I've seen ads in places like The NY Times, I think brokered by Google's Doubleclick unit.
I ordered some to see what would happen, and got a roll of stamps mailed from a warehouse near JFK airport in New York that handles a lot of Chinese merchandise. I have to say the quality was very good. The plate marks all looked right and there weren't any flaws I could see.
Your item entitled “G7 and EU countries pitch guidelines for AI cybersecurity” had me puzzled because as I read the accompanying text, it seemed that the named organizations were actually in favor of the guidelines. I then re-read the title and realized that you meant the other meaning of “pitch”.
Thanks for adding to my list of self-antonyms!
Please report problems with the web pages to the maintainer