The RISKS Digest
Volume 33 Issue 13

Saturday, 9th April 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

'We Became Like a Big Startup.' How Kyiv Adapted Tech to Save Lives
Time
Microsoft reports disrupting hacking attempts on Ukrainian, EU, and U.S. targets
CBC
Russia Sees Tech Brain Drain, Other Nations Hope to Gain
AP
Apple Maps was sending me into Russian-controlled territory
Axios
Hackers' Path Eased as 600,000 U.S. Cybersecurity Jobs Sit Empty
Bloomberg
Researchers uncover a hardware security vulnerability on Android phones
techxplore.com
Chrome, Edge Hit with V8 Type Confusion Vulnerability with in-the-wild Exploit
ZDNet
D.C. Metro Fails To Meet Its Own Safety Requirements
Patch Watchdog Audit
Sports-Betting App Pays D.C. $500,000 Over Super Bowl Mishap
DCist
Southwest apologizes for delays, cancellations, blames technology issues
FoxBusiness
JetBlue lacked staff to disembark stranded passengers off airplane: 'Embarrassing'
Fox Business
U.S. military wants AI to make battlefield medical decisions
WashPost
Machine learning and uncommon names
Arthur Flatau
The side effects of quantum error-correction and how to cope with them
phys.org
Squirrels and rats attacking AT&T fiber
PGN
Monash Develops Algorithm for Stronger Blockchains
Digital Nation
Improving software supply chain security with tamper-proof builds
Google
Spreadsheets Are Hot—and Cranking Out Complex Code
WiReD
Who's Behind the Okta Hack
WiReD
Hackers breach MailChimp's internal tools to target crypto customers
BleepingComputer
'Trust No One: The Hunt for the Crypto King' Review: Coins and Misdemeanors
NYTimes
Who turned out the lights?
Cliff Kilby
Re: Hackers Steal About $600 Million in One of the Biggest...
Matthew Kruk
Re: Tesla Deaths and Apache Log4j instances unpatched
Andrew Duane
Re: NYC Skyscraper's Elevator Breakdowns Strand Tenants
John Murrell
Re: The never-stopping car
Andrew Duane
Review of Paul Van Oorschot's security book
Rik Farrow
The Internet Is Not What You Think It Is: A History, A Philosophy, A Warning
LA Review of Books
Info on RISKS (comp.risks)

'We Became Like a Big Startup.' How Kyiv Adapted Tech to Save Lives (Time)

ACM TechNews <technews-editor@acm.org>
Wed, 6 Apr 2022 11:51:43 -0400 (EDT)
Vera Bergengruen, *Time*, 4 Apr 2022, via ACM TechNews, 6 Apr 2022

Oleg Polovynko, IT director of Kyiv's city council, and Petro Olenych,
Kyiv's deputy mayor and chief digital transformation officer, have been
working to adapt and repurpose the Ukrainian capital's technology amid the
war with Russia. They have enabled most Kyiv residents to connect to the
Internet in underground bomb shelters using the city's mobile Wi-Fi hotspots
and to receive phone alerts of incoming air raids. They also revamped the
Kyiv Digital smartphone app--designed to help residents pay utility bills
and parking tickets--to display maps of the nearest bomb shelters and places
to obtain critical supplies. Said Polovynko, "I never imagined that I would
develop software in 2022 to help people stay alive, to survive things like a
missile attack. But of course, we can. And now we're using all of our IT
minds in Ukraine to help our people and our soldiers."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e5f7x232ed4x072218&


Microsoft reports disrupting hacking attempts on Ukrainian, EU, and U.S. targets (CBC)

"Matthew Kruk" <mkrukg@gmail.com>
Thu, 7 Apr 2022 18:33:49 -0600
https://www.cbc.ca/news/world/microsoft-russia-hack-attempts-ukraine-eu-us-1.6412697

Microsoft Corp. said on Thursday it had disrupted hacking attempts by
Russian military spies aimed at breaking into Ukrainian, European Union, and
American targets.

In a blog post, the tech firm said a group it nicknamed "Strontium" was
using seven Internet domains as part of an effort to spy on government
bodies and think tanks in the EU and the United States, as well as Ukrainian
institutions such as media organizations.

Microsoft did not identify any of the targets by name.


Russia Sees Tech Brain Drain, Other Nations Hope to Gain (AP)

ACM TechNews <technews-editor@acm.org>
Fri, 1 Apr 2022 12:05:28 -0400 (EDT)
Liudas Dapkus, Associated Press, 31 Mar 2022, via ACM TechNews

Some countries view the exodus of technology workers from Russia as an
opportunity to refresh expertise in their own high-tech industries. One
estimate suggested as many as 70,000 computer specialists have left Russia
since the start of its invasion of Ukraine, departing for Latvia, Lithuania,
Armenia, Georgia, and elsewhere. The Russian Association for Electronic
Communications' Sergei Plugotarenko said another 100,000 tech workers might
leave in April. Said Konstantin Siniushin at Latvian tech-focused venture
capital fund Untitled Ventures, "The more talent that Europe or the U.S. can
take away from Russia today, the more benefits these new innovators, whose
potential will be fully realized abroad, will bring to other countries."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e572x232c41x074907&


Apple Maps was sending me into Russian-controlled territory (Axios)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Wed, 6 Apr 2022 10:21:37 -0600
Ina Fried, Axios

  Chef José Andrés has relied heavily on technology as part of his
  humanitarian work in Ukraine, feeding thousands of people displaced by the
  Russian invasion. But he has a few gripes as well, including the fact that
  Apple Maps kept sending him to Russian-controlled areas.

  "Don't send people to enemy territory in a war," he told me in a brief
  interview after his appearance at the Axios What's Next Summit in
  Washington, D.C.

https://www.axios.com/jose-andres-beef-apple-maps-8f47a198-b153-49fd-9e49-7b1ca822e8fb.html


Hackers' Path Eased as 600,000 U.S. Cybersecurity Jobs Sit Empty (Bloomberg)

ACM TechNews <technews-editor@acm.org>
Fri, 1 Apr 2022 12:05:28 -0400 (EDT)
Olivia Rockeman, *Bloomberg*, 30 Mar 2022, via ACM TechNews

Cybersecurity jobs search platform CyberSeek estimates roughly 600,000
vacant U.S. cybersecurity positions, including 560,000 private-sector
jobs. The pandemic compounded a shortfall of cybersecurity professionals,
while phishing and ransomware attacks escalated due to many employees using
their home networks and computers. The Massachusetts Institute of Technology
Sloan School of Management's Stuart Madnick cites a lack of qualified
cybersecurity workers, while Bryan Palma at cybersecurity company Trellix
said nations like Russia and China host better talent pipelines at the
government level of people trained in cybersecurity. Max Shuftan at the SANS
Institute cybersecurity training organization said the worker shortage
especially impacts smaller organizations like civilian public agencies, most
of which cannot match private companies' pay. As a result, Shuftan warned,
"They're probably not going have the staff and that makes them more
vulnerable to attacks."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e572x232c46x074907&


Researchers uncover a hardware security vulnerability on Android phones (techxplore.com)

Richard Stein <rmstein@ieee.org>
Wed, 6 Apr 2022 08:51:36 +0800
https://techxplore.com/news/2022-04-uncover-hardware-vulnerability-android.html

YASC—yet another side-channel.


Chrome, Edge Hit with V8 Type Confusion Vulnerability with in-the-wild Exploit (ZDNet)

ACM TechNews <technews-editor@acm.org>
Fri, 1 Apr 2022 12:05:28 -0400 (EDT)
Chris Duckett, ZDNet, 27 Mar 2022, via ACM TechNews

Google is calling on Windows, macOS, and Linux users to upgrade their Chrome
browsers to version 99.0.4844.84, in order to patch a V8 Type Confusion
vulnerability with an exploit in the wild. V8, Chrome's JavaScript engine,
also is used server-side in Node.js, but Google has not yet announced
whether that is impacted. Google said bug details would be undisclosed until
most users had updated their browsers. "We will also retain restrictions if
the bug exists in a third-party library that other projects similarly depend
on, but haven't yet fixed," according to Google's announcement. Microsoft
published its own advisory, and said the issue has been corrected in the
concurrently released Edge version 99.0.1150.55.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e572x232c4ax074907&


D.C. Metro Fails To Meet Its Own Safety Requirements (Patch Watchdog Audit)

Gabe Goldberg <gabe@gabegold.com>
Thu, 7 Apr 2022 13:34:38 -0400
An audit by the Washington Metrorail Safety Commission revealed that the
District's rail system is not meeting its own safety requirements.

https://patch.com/virginia/annandale/s/i7a1m/metro-fails-to-meet-its-own-safety-requirements-watchdog-audit


Sports-Betting App Pays D.C. $500,000 Over Super Bowl Mishap (DCist)

Gabe Goldberg <gabe@gabegold.com>
Fri, 8 Apr 2022 17:14:19 -0400
The D.C. Lottery has received $500,000 in compensation from the operator of
the city's official sports-betting app for lost revenue and reputation
damage stemming from an embarrassing technical mishap that kept the app
offline during the Super Bowl, typically the year's single-biggest day for
sports betting.

The payment comes from Intralot, the Greek lottery operator that runs the
D.C. Lottery as well as GambetDC, the only sports-betting app that works
citywide. In 2019 it received a controversial sole-source $215 million
lottery contract from the D.C. Council that also gave it the right to
develop the city's sole official sports-betting app; it launched in
mid-2020.

A mishandled software update by Intralot caused Apple to suspend GambetDC
ahead of the Super Bowl, leaving anyone with an Apple phone or tablet unable
to use the app to place a bet during the game. (There were 30,000 registered
users in February, half of them using Apple phones or tablets.) Android
users were still able to bet, and the Gambet website still worked.

https://dcist.com/story/22/04/08/dc-get-compensation-for-sports-betting-app-mishap/


Southwest apologizes for delays, cancellations, blames technology issues (FoxBusiness)

Monty Solomon <monty@roscom.com>
Sat, 2 Apr 2022 20:07:29 -0400
https://www.foxbusiness.com/economy/southwest-apologizes-delays-cancellations-technology-issues


JetBlue lacked staff to disembark stranded passengers off airplane: 'Embarrassing' (Fox Business)

Monty Solomon <monty@roscom.com>
Sat, 2 Apr 2022 20:08:50 -0400
https://www.foxbusiness.com/lifestyle/jetblue-massachusetts-sitting-plane-crew-left-for-night


U.S. military wants AI to make battlefield medical decisions (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Sun, 3 Apr 2022 16:19:36 -0400
The development of a medical triage program raises a question: When lives
are at stake, should artificial intelligence be involved?

The Defense Advanced Research Projects Agency (DARPA) -- the innovation arm
of the U.S. military -- is aiming to answer these thorny questions by
outsourcing the decision-making process to artificial intelligence.  Through
a new program, called In the Moment, it wants to develop technology that
would make quick decisions in stressful situations using algorithms and
data, arguing that removing human biases may save lives, according to
details from the program's launch this month.

Though the program is in its infancy, it comes as other countries try to
update a centuries-old system of medical triage, and as the U.S. military
increasingly leans on technology to limit human error in war.  But the
solution raises red flags among some experts and ethicists who wonder if AI
should be involved when lives are at stake.

"AI is great at counting things.  But I think it could set a [bad]
precedent by which the decision for someone's life is put in the hands of a
machine."  (Sally A. Applin, a research fellow and consultant who studies
the intersection between people, algorithms and ethics, said in reference to
the DARPA program.)  ...

To that end, DARPA's In the Moment program will create and evaluate
algorithms that aid military decision-makers in two situations: small unit
injuries, such as those faced by Special Operations units under fire, and
mass casualty events, like the Kabul airport bombing. Later, they may
develop algorithms to aid disaster relief situations such as earthquakes,
agency officials said.

The program, which will take roughly 3.5 years to complete, is soliciting
private corporations to assist in its goals, a part of most early-stage
DARPA research. Agency officials would not say which companies are
interested, or how much money will be slated for the program.  [...]

Matt Turek, a program manager at DARPA in charge of shepherding the program,
said the algorithms suggestions would model *highly trusted humans* who
have expertise in triage. But they will be able to access information to
make shrewd decisions in situations where even seasoned experts would be
stumped.

For example, he said, AI could help identify all the resources a nearby
hospital has—such as drug availability, blood supply and the availability
of medical staff—to aid in decision-making.

"That wouldn't fit within the brain of a single human decision-maker.
Computer algorithms may find solutions that humans can't."  Sohrab Dalal, a
colonel and head of the medical branch for NATO's Supreme Allied Command
Transformation, said the triage process, whereby clinicians go to each
soldier and assess how urgent their care needs are, is nearly 200 years old
and could use refreshing.

https://www.washingtonpost.com/technology/2022/03/29/darpa-artificial-intelligence-battlefield-medical-decisions/

So much here. They know it will take roughly 3.5 years? AI will triage
wounded *without* going to each soldier? It will somehow identify nearby
hospital resources?


Machine learning and uncommon names

Arthur Flatau <flataua@acm.org>
Tue, 5 Apr 2022 15:15:38 -0500
I am a long time leukemia and bone marrow transplant survivor and a patient
advocate.  As such I worked with a number of medical professionals on a
relatively recent review article on late effects for stem cell survivors
(Male-Specific Late Effects in Adult Hematopoietic Cell Transplantation
Recipients: A Systematic Review from the Late Effects and Quality of Life
Working Committee of the Center for International Blood and Marrow
Transplant Research and Transplant Complications Working Party of the
European Society of Blood and Marrow Transplantation,
https://www.astctjournal.org/article/S2666-6367(21)01329-4/fulltext).

Enough tooting my horn.  There are not that many Flataus in the world and
even fewer Arthur Flataus.  However, there is another one who is a surgeon
(https://www.medstarhealth.org/doctors/arthur-flatau-iii-md) and is, as far
as I know, not related to me.  This site
(https://www.medifind.com/doctors/arthur-flatau/19605475, which is one of the
top ten hits if you google "Arthur Flatau MD", for instance) lists him as a
co-author of the paper.  (At least it did when I wrote this; I have
requested they remove the mention of the publication, and perhaps they
will.)  Their information is apparently scraped from other sites.  According
to the "How Medifind works" page
(https://www.medifind.com/how-medifind-works) they "[use] cutting-edge
machine learning techniques [...] to sift through this mass of information
and identify those findings that could help you learn about a new treatment
or make a better-informed decision about which treatment option to choose".
It seems their algorithm might need a little tweaking.


The side effects of quantum error-correction and how to cope with them (phys.org)

Richard Stein <rmstein@ieee.org>
Thu, 7 Apr 2022 20:05:53 +0800
https://phys.org/news/2022-04-side-effects-quantum-error-cope.html

"In applying QEC to quantum sensing, errors are repeatedly corrected as the
sensor acquires information about the target quantity. As an analogy,
imagine a car that keeps departing from the center of the lane it travels
in. In the ideal case, the drift is corrected by constant counter-steering.
In the equivalent scenario for quantum sensing, it has been shown that by
constant—or very frequent—error correction, the detrimental effects of
noise can be suppressed completely, at least in principle. The story is
rather different when for practical reasons, the driver can perform
correcting interventions with the steering wheel only at specific points in
time. Then, as experience tells us, the sequence of driving ahead and making
corrective movements has to be finely tuned.  If the sequence did not
matter, then the motorist could simply perform all steering maneuvers at
home in the garage and then confidently put their foot down on the
accelerator. The reason why this does not work is that rotation and
translation are not commutative—the order in which the actions of one
type or the other are executed changes the outcome."

The last paragraph contains this fragment: "these results are set to provide
an import contribution to tweaking out the highest precision from a broad
range..."

Where would the world be without a good quantum tweak now and then?


Squirrels and rats attacking AT&T fiber

Peter Neumann <neumann@csl.sri.com>
Fri, 8 Apr 2022 20:33:00 PDT
For the past few weeks, numerous AT&T trucks have been seen daily in our
neighborhood, which has been plagued by squirrels and rats chewing through
Internet fiber—with lengthy outages even up to an entire week.  AT&T is
attributing the problem to the fact that they (as opposed to other carriers)
are using environmentally friendly soy-based encapsulation for fiber.  In
this case, it appears that "environmentally friendly" also means very
friendly to squirrels and rats.

There are also some reports that this may also be a problem with fiber
in certain automobile models, including Teslas.  It'Soy veh!

I sent this short tale of long tails out to various colleagues and friends.
I summarize briefly two responses:

* Susmit Jha suggested this is

  Very interesting .. would be good to have quantitative numbers on marginal
  gain in fiber chewing due to introduction of environmentally friendly
  encapsulations because the baseline appears to be high too:
  https://www.tomsguide.com/us/cyberwar-squirrels-shmoocon,news-24283.html ,
  https://circleid.com/posts/20190606_squirrels_number_one_culprit_for_animal_damage_to_aerial_fiber

  It appears rodents do not view most wiring as food instead.

  In 2001, a repairman suggested it was the grease used in the sheathing.  A
  1989 patent suggests "chewing on objects which are tough in composition is
  necessary to prevent [rodents] ever-growing incisor teeth from overgrowing."
  <http://www.techrepublic.com/article/get-it-done-maintaining-fiber-optic-connections-takes-a-creative-approach/1041526>
  <http://www.google.com/patents?id=qRY-AAAAEBAJ&zoom=4&dq=squirrel fiber cable damage&pg=PA6#v=onepage&q=squirrel fiber cable damage&f=false>

  Some researchers are already on the problem:
  https://www.scientific.net/KEM.818.1

* Dan Eakins suggested this involved an engineering choice made—small
  decision with good intentions—that led to unexpected failures.  Like
  the rumor that auto manufacturers use peanut oil rather than petroleum to
  make it easier to put wire harnesses through bulkheads—and that smell
  lasts years—rodents are attracted to it for a long time and chew
  through them.  No one thought that would be an outcome I imagine for such
  a clever solution.

  Or I had a car catch on fire from a small rodent nest in the heater box
  next to the heating coils. Perfect place for a mouse to make a home --
  first time it got cold it started a fire I couldn't put out in the
  mountains and I almost started a forest fire—and it burned the car up
  as interiors are highly flammable.  Well, whose great idea was it to make
  a fire starter in a mouse house?

  But it is not considered a manufacturing fault I expect, and they don't
  investigate or change designs like they would if it were a plane or an
  auto crash.

  They say you are what you eat—so those squirrels and rats are now
  Cyber-rodents.

    [They also might have a need for RoDentalFloss.  PGN]


Monash Develops Algorithm for Stronger Blockchains (Digital Nation)

ACM TechNews <technews-editor@acm.org>
Wed, 6 Apr 2022 11:51:43 -0400 (EDT)
Digital Nation (Australia), 5 Apr 2022, via ACM TechNews, 6 Apr 2022

An international team of researchers has developed an algorithm to enable
faster, stronger, more efficient blockchains. Researchers at Australia's
Monash University, automation technology company ABB Zurich, and the U.K.'s
University of Birmingham designed the Damysus Byzantine Fault Tolerance
(BFT) consensus protocol to surmount faults and evade system failures in
blockchain applications, adding more resilience as fault tolerance
increases. Monash's Jiangshan Yu said the algorithm can be implemented
simply for constructing scalable blockchains. He added that Damysus boosted
the number of blockchain transactions per second by 87.5%, compared to the
state-of-the-art HotStuff BFT consensus protocol. Said David Kozhaya at ABB
Zurich, "Given the plethora of devices that inherently embed some form of
trusted hardware nowadays, our results in Damysus, pragmatically speaking,
make BFT protocols more appealing to use in real-world systems."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e5f7x232ed9x072218&


Improving software supply chain security with tamper-proof builds (Google)

Lauren Weinstein <lauren@vortex.com>
Thu, 7 Apr 2022 20:33:57 -0700
https://security.googleblog.com/2022/04/improving-software-supply-chain.html


Spreadsheets Are Hot—and Cranking Out Complex Code (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Thu, 7 Apr 2022 13:33:21 -0400
The venerable (and yes, super dull) piece of officeware is getting
reinvented as a tool for non-coders to automate and simplify their lives.

https://www.wired.com/story/spreadsheets-are-hot-and-cranking-out-complex-code/

Not a word about black-box/opaque "programming" being difficult to verify,
modify, or debug. Computer results/actions must be correct.


Who's Behind the Okta Hack (WiReD)

Dave Farber <farber@gmail.com>
Sat, 2 Apr 2022 09:22:56 +0900
Even if you aren't familiar with Okta, you've probably used it. The digital
login system is used by thousands of companies across the world to manage
employee logins to various cloud services. Which makes it a real problem
when that system, and all that login info, gets hacked.

This week on Gadget Lab, WIRED senior writer Lily Hay Newman joins the show
to tell us about the group behind the recent Okta hack, how the hackers took
control of such a vast system, and what happened in the aftermath.

https://www.wired.com/story/gadget-lab-podcast-544


Hackers breach MailChimp's internal tools to target crypto customers (BleepingComputer)

Gabe Goldberg <gabe@gabegold.com>
Tue, 5 Apr 2022 13:48:35 -0400
Email marketing firm MailChimp disclosed on Sunday that they had been hit by
hackers who gained access to internal customer support and account
management tools to steal audience data and conduct phishing attacks.

Sunday morning, Twitter was abuzz with reports from owners of Trezor
hardware cryptocurrency wallets who received phishing notifications claiming
that the company suffered a data breach.  [...]

According to MailChimp, some of their employees fell for a social
engineering attack that led to the theft of their credentials.

https://www.bleepingcomputer.com/news/security/hackers-breach-mailchimps-internal-tools-to-target-crypto-customers/

  [Monty Solomon noted
    Hackers breached MailChimp to phish cryptocurrency wallets (The Verge)
    https://www.theverge.com/2022/4/4/23010317/hackers-mailchimp-trezor-cryptocurrency-phishing
  PGN]


'Trust No One: The Hunt for the Crypto King' Review: Coins and Misdemeanors (NYTimes)

"Matthew Kruk" <mkrukg@gmail.com>
Mon, 4 Apr 2022 07:17:09 -0600
In this sensationalist Netflix documentary, aggrieved users of a defunct
cryptocurrency exchange grow convinced that the company's head absconded
with their money.

https://www.nytimes.com/2022/03/30/movies/trust-no-one-the-hunt-for-the-crypto-king-review.html


Who turned out the lights?

Cliff Kilby <cliffjkilby@gmail.com>
Tue, 5 Apr 2022 10:59:55 -0400
Part of the joy of running a data center is configuring the data center to
allow you to run it without having to stand at a crash cart in the cold
aisle. Unfortunately, this also means there are devices sitting on your
network that have unusually high value for lateral attack movement.

Dell has recently addressed a series of issues with their branded
lights-out manager, iDRAC.

https://www.dell.com/support/kbdoc/en-us/000196401/dsa-2022-043

This lights-out manager happens to be included in their storage systems.

https://www.dell.com/support/kbdoc/en-us/000197962/dsa-2022-078-dell-technologies-powerprotect-dd-security-update-for-idrac9-and-bios-vulnerabilities

Patch and ensure your network segmentation plan prevents general
connectivity to lights-out managers.
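As an added illustration of the segmentation check Cliff recommends (this is example code, not from the post or from Dell), the script below audits constructed flow-log lines against a policy that says only designated jump hosts may reach the management (iDRAC/BMC) network on its service ports. The network ranges, the log format and the port list are assumptions for the example; the ports are the ones such managers commonly expose (SSH 22, HTTPS 443, IPMI/RMCP 623/udp, virtual console 5900), not taken from the advisories.

```python
"""Audit network flows against a lights-out-manager segmentation policy.

Added example for the RISKS item above; the CIDRs, flow-log format and
service-port list are constructed assumptions, not Dell's or the poster's.
"""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

# Service ports a BMC such as iDRAC commonly exposes (assumed for this example):
# 22 SSH, 443 HTTPS web UI / Redfish, 623/udp IPMI over RMCP, 5900 virtual console.
BMC_SERVICE_PORTS = {("tcp", 22), ("tcp", 443), ("udp", 623), ("tcp", 5900)}

# Constructed flow-log line shape: "<src> -> <dst> <proto>/<dport>"; '#' starts a comment.
FLOW_RE = re.compile(r"^(\S+) -> (\S+) (tcp|udp)/(\d+)$")


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_flow(line):
    """Parse one flow-log line; raises ValueError on anything malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow line: {line!r}")
    return Flow(ipaddress.ip_address(m[1]), ipaddress.ip_address(m[2]),
                m[3], int(m[4]))


def load_flows(text):
    """Turn a block of log text into Flow records, skipping blanks and comments."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            flows.append(parse_flow(line))
    return flows


class SegmentationPolicy:
    """Only sources inside allowed_sources may reach BMC service ports in bmc_networks."""

    def __init__(self, bmc_networks, allowed_sources):
        self.bmc_networks = [ipaddress.ip_network(n) for n in bmc_networks]
        self.allowed_sources = [ipaddress.ip_network(n) for n in allowed_sources]

    def is_bmc(self, addr):
        return any(addr in n for n in self.bmc_networks)

    def source_allowed(self, addr):
        return any(addr in n for n in self.allowed_sources)

    def violations(self, flows):
        """Flows that hit a BMC management port from a non-management source."""
        bad = []
        for f in flows:
            if not self.is_bmc(f.dst):
                continue                      # not a lights-out manager
            if (f.proto, f.dport) not in BMC_SERVICE_PORTS:
                continue                      # not a management service; out of scope here
            if not self.source_allowed(f.src):
                bad.append(f)
        return bad


def sources_by_reach(violations):
    """Count distinct BMCs each offending source touched: one host reaching many
    managers is the lateral-movement pattern the post warns about."""
    reach = defaultdict(set)
    for f in violations:
        reach[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in reach.items()}


# Constructed sample: 10.99.0.0/24 is the BMC network, 10.50.1.0/24 the jump hosts.
SAMPLE_FLOWS = """
10.50.1.7 -> 10.99.0.11 tcp/443     # jump host to iDRAC web UI: allowed
10.50.1.7 -> 10.99.0.12 udp/623     # jump host IPMI: allowed
10.20.3.44 -> 10.99.0.11 tcp/443    # user workstation to iDRAC web UI: violation
10.20.3.44 -> 10.99.0.12 tcp/5900   # same workstation, virtual console: violation
10.20.3.44 -> 10.99.0.13 udp/623    # same workstation, IPMI: violation
10.20.3.44 -> 10.30.0.5 tcp/443     # workstation to an app server: not a BMC
10.20.9.8 -> 10.99.0.11 tcp/8080    # non-management port on the BMC net: ignored
"""

POLICY = SegmentationPolicy(bmc_networks=["10.99.0.0/24"],
                            allowed_sources=["10.50.1.0/24"])


def audit(text=SAMPLE_FLOWS, policy=POLICY):
    """Return (violating flows, per-source reach count) for a log block."""
    bad = policy.violations(load_flows(text))
    return bad, sources_by_reach(bad)


if __name__ == "__main__":
    bad, reach = audit()
    for f in bad:
        print(f"VIOLATION {f.src} -> {f.dst} {f.proto}/{f.dport}")
    for src, n in reach.items():
        print(f"{src} reached {n} distinct lights-out managers")
```

Point the same check at real flow or firewall logs by adapting FLOW_RE and the CIDRs; any non-empty result means the segmentation plan is not what you think it is.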


Re: Hackers Steal About $600 Million in One of the Biggest...

"Matthew Kruk" <mkrukg@gmail.com>
Fri, 1 Apr 2022 22:09:14 -0600
Why people bother with craptocurrency is beyond me. Hello people, repeat
after me: Electronic Ponzi. Madoff would be proud. I have other comments
but this is a PG(N) family digest.

  [TNX for your thoughtfulness.  PGN]


Re: Tesla Deaths and Apache Log4j instances unpatched

Andrew Duane <e91.waggin@gmail.com>
Fri, 1 Apr 2022 16:19:45 -0400
Both of these entries are good data to collect, but they both lack context.

For the Tesla deaths, how does 246 deaths compare to non-autonomous
vehicles? How many cars, how many miles were driven? Is 246 deaths a 50%
drop from historical trends, or a 50%?

For the log4j vulnerabilities (which I spent weeks on), what does that 30%
unpatched figure represent? An instance could mean anything. Is it a Fortune
100 company's business database? Or Aunt Winnie's knitting blog with 14
subscribers?

Many of us here live for numbers, but numbers without context don't give
the complete or correct picture.


Re: NYC Skyscraper's Elevator Breakdowns Strand Tenants (RISKS-33.12)

John Murrell <mail@JohnMurrell.org.uk>
Wed, 06 Apr 2022 09:56:07 +0100
Lifts use regenerative braking to stop the car at the destination floor and
to control the speed.  This results in the local supply voltage increasing
which can cause problems both to the other lifts on the same supply as well
as other equipment. The direction of travel when the lift regenerates
depends on which is heavier, the counterweight or the car.  It is a common
fallacy that the lift brakes are used to stop the car, they are only used in
an emergency and to hold the car at a floor when the doors are open.

The problem will be intermittent as it depends on how many lifts are
regenerating at the same time as well as how much power is consumed by the
rest of the building.

I know of one London Underground Station where the lifts cause the
brightness of nearby shop lights to change. Also another where the old style
rotating disc electricity meter failed as the regenerative current was
trying to rotate the disc in the 'wrong' direction.


Re: The never-stopping car (RISKS-33.13)

Andrew Duane <e91.waggin@gmail.com>
Mon, 4 Apr 2022 09:30:05 -0400
This reminds me of a (not at the time) amusing anecdote about my first car:
a 1980 VW Rabbit Diesel. Driving along the highway one day, I noticed the
car went from 48 HP to about 300 HP without me touching the gas pedal.
Simultaneously, a huge cloud of black smoke was coming out of the tailpipe.
I immediately put the car in neutral and turned off the ignition key. That
did little to stop the engine.

Diesels don't use spark to ignite the fuel, they use the heat of compression
inside the cylinder. Turning off the key only turns off the fuel pump which
is supposed to stop fuel flowing to the cylinders. But it turns out that
when the air filter gets clogged enough, the vacuum created starts pulling
oil around the piston rings, and engine oil is 100 octane racing gas for
diesels. So turning off the fuel pump does not stop the engine from running;
it runs until the engine oil is gone (then seizes).  Luckily I got mine
turned off before it switched to 100% engine oil, and the engine did spool
down over 10 or 20 seconds.



Review of Paul Van Oorschot's security book

Rik Farrow <rik@rikfarrow.com>
Fri, 8 Apr 2022 20:11:37 -0700
I've just published a review of Paul Van Oorschot's second edition of his
book, Computer Security and the Internet. You can find my review here:

https://www.usenix.org/publications/loginonline/computer-security-and-internet

Briefly, very concise coverage in textbook form of computer security, quite
up to date. A good choice for people with experience programming or
managing computers who want to learn about security.


The Internet Is Not What You Think It Is: A History, A Philosophy, A Warning (LA Review of Books)

Jim Reisert AD1C <jjreisert@alum.mit.edu>
Sun, 3 Apr 2022 09:16:31 -0600
Julien Crockett, March 22, 2022

https://lareviewofbooks.org/article/the-internet-is-not-what-you-think-it-is-a-history-a-philosophy-a-warning/

  THE INTERNET HAS lost its way and taken society with it. Since the
  mid-2010s, we hear warnings of "dis/misinformation." We hear about the
  loss of trust in our institutions and the need to reinvent them for the
  Internet age. In short, we are living in a "crisis moment"—one
  ironically experienced by many of us while stuck at home.

  Many have diagnosed these symptoms and proposed policy solutions, but few
  have done the hard work of rummaging around in the Internet's history to
  find the roots of the problems—and almost none have taken a truly long
  view. In "The Internet Is Not What You Think It Is", Justin E. H. Smith, a
  philosopher and historian of science, argues that we've been much too
  narrow-minded in our understanding of the Internet. In presenting a longue
  durée history, he challenges our assumptions about what the Internet is
  and what we're doing when we're on it. Only by understanding the
  Internet's long history—by understanding the circumstances in which the
  Internet's many parts were conceived—can we, he claims, take back
  control of our lives and shape the Internet in a way more conducive to
  human flourishing.
