The RISKS Digest
Volume 33 Issue 11

Monday, 28th March 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

I'm the Operator—The Aftermath of a Self-Driving Tragedy
WiReD
Every Tesla Accident Resulting in Death
Tesla Deaths
How U.S. auto regulators played mind games with Tesla's Elon Musk
WashPost
Welcome to the Artificial Intelligence Incident Database
via Gabe Goldberg
Smart devices are watching you everywhere and violating your privacy, computer scientists warn
Study Finds
The fight over anonymity is about the future of the Internet
geoff goodfellow
Activist Publishes Redacted Version of Classified Military UFO Report
Vice
Hacker group Lapsus$ leaks 37GB of Microsoft source code for Bing and Cortana
XDA
Lapsus$ and Okta
Rob Slade
30% of Apache Log4j Security Holes Remain Unpatched
The New Stack
Supply-chain crisis data
WiReD
U.S. Accuses Russians of Hacking Infrastructure, Including Nuclear Plant
NYTimes
Is Yandex, Russia's Largest Tech Company, Too Big to Fail
WiReD
Corrupted Open Source Software Enters Russian Battlefield
NYTimes
Veeam and Backups
Cliff Kilby
Germany warns against using Kaspersky software citing ‘considerable’ cyberrisk after Russia's invasion
TechCrunch
Russian Anti-Virus Company Kaspersky Officially Branded as National Security Threat
ITechpost
FCC puts Kaspersky on security threat list, says it poses “unacceptable risk”
Ars Technica
Re: MMS spam?
Amos Shapir
The US Tried Permanent Daylight Saving Time in the '70s. People Hated It
WashPost
Re: One problem with permanent daylight saving time: Geography
John Levine
Senate vote for permanent daylight saving time wasn't supposed to pass
Lauren Weinstein
URL problem on the Doug Jones op-ed
Mark Brader
Info on RISKS (comp.risks)

I'm the Operator—The Aftermath of a Self-Driving Tragedy (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 27 Mar 2022 14:42:25 -0400

In 2018, an Uber autonomous vehicle fatally struck a pedestrian. In a WIRED exclusive, the human behind the wheel finally speaks.

https://www.wired.com/story/uber-self-driving-car-fatal-crash/


Every Tesla Accident Resulting in Death (Tesla Deaths)

Gabe Goldberg <gabe@gabegold.com>
Thu, 24 Mar 2022 01:53:39 -0400

We provide an updated record of Tesla fatalities and Tesla accident deaths that have been reported and as much related crash data as possible (e.g. location of crash, names of deceased, etc.). This sheet also tallies claimed and confirmed Tesla autopilot crashes, i.e. instances when Autopilot was activated during a Tesla crash that resulted in death. Read our other sheets for additional data and analysis on vehicle miles traveled, links and analysis comparing Musk's safety claims, and more.

Tesla Deaths Total as of 3/23/2022: 246. Tesla Autopilot Deaths Count: 12.

https://www.tesladeaths.com/


How U.S. auto regulators played mind games with Tesla's Elon Musk (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Sun, 27 Mar 2022 23:55:20 -0400

Officials have tried to appeal to Musk's ego and have upped threats to force Tesla into line

SAN FRANCISCO—The first time Washington regulators tried to investigate Tesla's Autopilot software, CEO Elon Musk was irate.

Weeks earlier, a Tesla using the company's advanced driver-assistance system had crashed into a tractor-trailer at about 70 mph, killing the driver. When National Highway Traffic Safety Administration officials called Tesla executives to say they were launching an investigation, Musk screamed, protested and threatened to sue, said a former safety official who spoke on the condition of anonymity to discuss sensitive matters.

The regulators knew Musk could be impulsive and stubborn; they would need to show some spine to win his cooperation. So they waited. And in a subsequent call, “when tempers were a little bit cool, Musk agreed to cooperate: He was a changed person.”

https://www.washingtonpost.com/technology/2022/03/27/tesla-elon-musk-regulation


Welcome to the Artificial Intelligence Incident Database

Gabe Goldberg <gabe@gabegold.com>
Thu, 24 Mar 2022 01:56:01 -0400

The AI Incident Database is the only collection of AI deployment harms or near harms across all disciplines, geographies, and use cases.

https://incidentdatabase.ai/?lang=en


Smart devices are watching you everywhere and violating your privacy, computer scientists warn (Study Finds)

geoff goodfellow <geoff@iconia.com>
Thu, 17 Mar 2022 08:46:00 -1000

Do you ever get the creepy feeling you're being watched? According to two computer scientists, you're probably right, only it's not someone watching you, it's something—and that thing is smart technology.

In a paper by University of Maryland, Baltimore County's Roberto Yus and Penn State's Primal Pappachan, the team warns that billions of digital devices are scanning and sensing your movements every day. Some of them are sitting right in front of you—inside televisions, cars, offices, and even your refrigerator.

In 2007, few people could have imagined the countless apps which society now uses on their smartphones each day. However, Yus and Pappachan say this technological revolution has come with a high price to our privacy as Internet connectivity now reaches people in more places than ever before.

For all these smart devices to do their job, they need a connection to the Internet so they can correlate all the data they're gathering on you. For example, a smart thermostat in your house spends its day collecting information on you and your preferences. However, without an Internet connection to see a weather forecast, the thermostat can't decide how to properly set the temperature in your home.

This is just the tip of the iceberg though, as the researchers say devices which gather data on everything people do are infiltrating our workspaces <https://www.studyfinds.org/americans-security-cameras-study/>, malls, and cities.

“In fact, the Internet of Things (IoT) is already widely used in transport and logistics, agriculture and farming, and industry automation. There were around 22 billion Internet-connected devices in use around the world in 2018, and the number is projected to grow to over 50 billion by 2030,” the team explains in an article published in The Conversation <https://theconversation.com/smart-devices-spy-on-you-2-computer-scientists-explain-how-the-internet-of-things-can-violate-your-privacy-174579>

The problem of privacy

So, what are all these smart devices doing? A lot depends on what the device does. Smart security cameras and home assistants like Alexa are basically just cameras and microphones which record you and your activities <https://www.studyfinds.org/mobile-phones-tracking-location/> all day. […] https://www.studyfinds.org/smart-devices-violating-privacy/


The fight over anonymity is about the future of the Internet

geoff goodfellow <geoff@iconia.com>
Mon, 21 Mar 2022 09:51:14 -1000

Jeff Kosseff's last book turned out to be pretty prescient. He published The Twenty-Six Words That Created The Internet, a deep look at the history and future of Section 230, right as those 26 words became central to the regulatory fight over the future of the Internet.

With his next book, Kosseff, a professor at the Naval Academy, may have done the same thing. The book is titled The United States of Anonymous, and it deals with the centuries-old argument about whether people should be allowed to say things without having to identify themselves. In the U.S., courts have given a lot of leeway and protection to anonymous speakers, but the Internet has changed the equation, and companies and governments alike are still figuring out what to do. […]

https://www.protocol.com/anonymous-internet-jeff-koseff


Activist Publishes Redacted Version of Classified Military UFO Report (Vice)

geoff goodfellow <geoff@iconia.com>
Thu, 24 Mar 2022 09:39:59 -1000

The classified version of the much-hyped UFO report describes the shapes of UFOs, is far more interesting than the one released to the public. […]

https://www.vice.com/en/article/v7dnex/activist-publishes-redacted-version-of-classified-military-ufo-report


Hacker group Lapsus$ leaks 37GB of Microsoft source code for Bing and Cortana (XDA)

Lauren Weinstein <lauren@vortex.com>
Tue, 22 Mar 2022 20:16:33 -0700

Such a leak is not funny of course. But the joke going around is that Microsoft probably saw a five-fold traffic increase from everyone googling “what is Bing?”. -L

https://www.xda-developers.com/microsoft-lapsus-leak-37gb-soure-code/


Lapsus$ and Okta

Rob Slade <rslade@gmail.com>
Wed, 23 Mar 2022 05:44:55 -0700

A number of people have been concerned about reports from the hacking group LAPSUS$ that they compromised a system protected by Okta. Since Okta is a widely used access-control and single-sign-on product, a number of experts have surmised that it may portend a larger problem.

Okta has responded in some detail: https://www.okta.com/blog/2022/03/oktas-investigation-of-the-january-2022-compromise/

The way I read it, it's basically, “the system is working as designed, but what happens if you access it with a machine that is already breached in a different way?” When I was doing reviews of antivirus products, in the olden days, I used to make this part of the tests I would do: what would happen if you used/installed this on an already infected system?

So, in the same way here, what seems to have happened is that someone at Sitel was either under remote control when they did a job that required access to an Okta-managed system, or that while they were accessing the Okta-managed system, they did something that allowed someone else remote access to their system. (Okta's product is, I understand, more about access control and single sign-on: I have no idea if they have any endpoint security functions built in.)

This points out one of the basic points that we have to keep drilling into people: you have to consider the totality of security. It's a kind of layered security or defence in depth in a different way. You may have good individual security tools, but you don't have security if you don't manage them, and the entire environment, properly.


30% of Apache Log4j Security Holes Remain Unpatched (The New Stack)

Gabe Goldberg <gabe@gabegold.com>
Wed, 23 Mar 2022 14:22:13 -0400

It sounds like a bad joke. I mean we all knew that the open source Java logging library Apache Log4j was nasty with a capital N. The National Vulnerability Database (NVD) rated it a 10.0 CVSSv3, which is the worst possible. Last, but not least, Log4j is also used all over the place. So months later how many instances of this security hole have been fixed? All of them? Far from it! According to cloud security company Qualys, only 70% has been patched. “30% of Log4j instances remain vulnerable to exploitation.”

https://thenewstack.io/30-of-apache-log4j-security-holes-remain-unpatched/


Supply-chain crisis data (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 28 Mar 2022 15:42:43 -0400

A seemingly endless supply chain crunch has fueled interest in tech that promises to track problems or predict where new ones might occur.

The supply chain is in chaos, and it's getting worse. Air freight warehouses at Shanghai Pudong Airport are log-jammed as a result of strict Covid testing protocols imposed on China's biggest city following a local outbreak. At the city's port, Shanghai-Ningbo, more than 120 container vessels are stuck on hold. In Shenzhen, a major manufacturing hub in the country's south, trucking costs have shot up 300 percent due to a backlog of orders and a shortage of drivers following the introduction of similar Covid restrictions. Major ports the world over, which used to operate like clockwork, are now beset by delays, with container ships queuing for days in some of the worst congestion ever recorded. The list goes on.

More than a million containers due to travel to Europe from China by train—on a route that goes through Russia—must now make their journey by sea as sanctions bite. Russia's invasion of Ukraine has also severed key supply lines for nickel, aluminum, wheat, and sunflower oil, causing commodity prices to skyrocket. Countries in the Middle East and Africa that rely on produce from Ukraine are likely to experience serious food shortages in the coming weeks and months. Some European automotive production lines have cut their output due to a shortage of wiring normally sourced from factories in Ukraine. If the pandemic, which triggered a surge in purchasing of goods, caused the global supply chain to buckle, Russia's invasion of Ukraine and China's continuing zero-Covid policy risk breaking it completely.

https://www.wired.com/story/supply-chain-crisis-data/


U.S. Accuses Russians of Hacking Infrastructure, Including Nuclear Plant (NYTimes)

Peter Neumann <neumann@csl.sri.com>
Fri, 25 Mar 2022 13:31:09 PDT

Katie Benner and Kate Conger, The New York Times, 25 Mar 2022

Indictments serve as a warning of Moscow's cyberattack prowess.

Four Russian officials are accused of carrying out a series of cyberattacks on U.S. critical infrastructure including a nuclear-power plant in Kansas, as well as compromising a petrochemical facility in Saudi Arabia during 2012 to 2018, and breaching hundreds of energy companies around the world. Among others, Evgeny V. Gladkikh is accused of using Triton malware that led to two emergency shutdowns of a nuclear power plant (implicitly seeming to be the one in Saudi Arabia). [Long item PGN-ed for RISKS]


Is Yandex, Russia's Largest Tech Company, Too Big to Fail (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Thu, 24 Mar 2022 02:27:34 -0400

It took 20 years for Arkady Volozh to build Yandex into Russia's Google, Uber, Spotify, and Amazon combined. It took 20 days for everything to crumble.

https://www.wired.com/story/yandex-arkady-volozh-russia-largest-tech-company


Corrupted Open Source Software Enters Russian Battlefield (NYTimes)

Peter Neumann <neumann@csl.sri.com>
Fri, 25 Mar 2022 12:45:48 PDT

Steven Vaughan-Nichols, ZDNet, 21 Mar 2022

https://www.zdnet.com/article/corrupted-open-source-software-enters-the-russian-battlefield/

JavaScript programmer Brandon Nozaki Miller's innocent attempt to protest Russia's invasion of Ukraine by crafting the peacenotwar open-source npm source-code package has been used to delete the file systems of Russian or Belorussian computers. Miller inserted code in the package to delete the hard drive, then added the module as a dependency to the node-ipc module. Miller encoded his code revisions in base-64 to thwart detection via code reading. Developer security company Snyk has classified the software as malicious. Such “protestware” creates a dangerous precedent; as one GitHub programmer wrote, “What's going to happen with this is that security teams in Western corporations that have absolutely nothing to do with Russia or politics are going to start seeing free and open source software as an avenue for supply chain attacks (which this totally is) and simply start banning free and open source software—all free and open source software—within their companies.”


Veeam and Backups

<Cliff Kilby>
Mon, 21 Mar 2022 21:46:05 -0400

If your ransomware protection includes Veeam, you may not be as protected as you think.

https://www.veeam.com/kb4288

The default configuration of an internal API allows access to unauthenticated users, providing a high value target for lateral movement. Patch and ensure your network segmentation plan isolates backups from general connectivity.

My opinions are my own and may not represent those of my employer.


Germany warns against using Kaspersky software citing ‘considerable’ cyberrisk after Russia's invasion (TechCrunch)

Lauren Weinstein <lauren@vortex.com>
Tue, 15 Mar 2022 09:26:45 -0700

https://techcrunch.com/2022/03/15/germany-kaspersky-risk-invasion/


Russian Anti-Virus Company Kaspersky Officially Branded as National Security Threat (ITechpost)

Jan Wolitzky <jan.wolitzky@gmail.com>
Sun, 27 Mar 2022 12:40:22 -0400

Russian cybersecurity firm, Kaspersky, has been added to the Federal Communications Commission's (FCC) Covered List with the agency stating that it poses unacceptable risks to national security in the United States.

https://www.itechpost.com/articles/109734/20220326/russian-anti-virus-company-kaspersky-officially-branded-national-security-threat.htm


FCC puts Kaspersky on security threat list, says it poses “unacceptable risk” (Ars Technica)

Lauren Weinstein <lauren@vortex.com>
Sat, 26 Mar 2022 08:41:51 -0700

https://arstechnica.com/information-technology/2022/03/fcc-puts-kaspersky-on-security-threat-list-says-it-poses-unacceptable-risk/


Re: MMS spam? (Rob Slade, RISKS-33.10)

Amos Shapir <amos083@gmail.com>
Tue, 22 Mar 2022 12:14:41 +0200

According to Eugene Kaspersky, the recently publicized Pegasus malware employs zero-click unsolicited SMS and MMS messages to infect iPhone devices.

https://twitter.com/e_kaspersky/status/849306559796699136


The US Tried Permanent Daylight Saving Time in the '70s. People Hated It (WashPost)

Lauren Weinstein <lauren@vortex.com>
Tue, 15 Mar 2022 12:21:51 -0700

https://www.washingtonian.com/2022/03/15/the-us-tried-permanent-daylight-saving-time-in-the-70s-people-hated-it/


Re: One problem with permanent daylight saving time: Geography

“John Levine” <johnl@iecc.com>
21 Mar 2022 16:36:14 -0400

>It's pretty much always the case that anything Congress does in a hurry
>hasn't been thought out. …

Hi from the frozen north. (Well, not so frozen this week.) We know that the sun rises late in the winter, and even on standard time, the school bus sometimes runs before dawn. On the other hand, the sun sets at 4:30 EST and some of us would be pleased if it set at 5:30 EDT instead.

Where this bill really screwed up is in the parts of the US that have never used daylight time. The bill moves Hawaii from UTC-10 to UTC-9, which would be awful since the solar time in Honolulu is about UTC-10:40. Or they have the option of keeping their current time which will be renamed Samoa Standard time.

Farther west in American Samoa, Guam, and Saipan, they have an even stranger choice: get moved to a zone an hour too far ahead, or keep their current time, which will be in zones with no name at all. Well, no U.S. name. The time zone for Guam and Saipan is also called Vladivostok Time.


Senate vote for permanent daylight saving time wasn't supposed to pass

Lauren Weinstein <lauren@vortex.com>
Mon, 21 Mar 2022 10:35:29 -0700

Turns out this was a Marx Brothers type mess. No offense to the Marx Brothers. Luckily, it appears almost certain the House will sit on this indefinitely.

https://www.electoral-vote.com/evp2022/Senate/Maps/Mar18.html#item-2


URL problem on the Doug Jones op-ed

Mark Brader <msb@Vex.Net>
Mon, 21 Mar 2022 16:02:36 -0400 (EDT)

> My long-time colleague (Prof.) Doug Jones (not the politician) has
> published an op-ed relating to recent attempts to abandon ballot
> scanners in favor of hand-counting ballots.  It is in The Des Moines
> Register.  This is worth reading.  [PGN]
> https://www.msn.com/en-us/news/politics/opinion-we-shouldnt-abandon-machine-counted-election-ballots/ar-AAVhCzE

When I tried to open this URL in Firefox, I got a blank page. The NoScript icon indicated 2 sources blocked, but when I pulled it down it only showed msn.com. I temporarily enabled JavaScript from that source, but the page was still blank and the icon indicated one source blocked. I don't understand what that means in NoScript.

However, I found what is presumably the same piece at:

https://www.desmoinesregister.com/story/opinion/columnists/iowa-view/2022/03/20/elections-vote-counting-keep-machine-counted-ballots/7048488001/

Why bring msn.com into it?
