The RISKS Digest
Volume 33 Issue 15

Monday, 18th April 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


SoCal man says car computer on his new Tesla froze, causing vehicle to be stuck at 83 mph on freeway
Driverless Cars Can Be Tricked into Seeing Red Traffic Lights as Green
New Scientist
Risks of locust swarms
FBI removing malware surreptitiously
The Conversation
What Can Hackers Do With Stolen Source Code?
U.S. officials preparing for potential Russian cyberattacks
Feds Uncover a Swiss Army Knife for Hacking Industrial Control Systems
Google Bans Apps With Hidden Data-Harvesting Software
Inside the Bitcoin Bust That Took Down the Web's Biggest Child Abuse Site
The Uncanny Future of Romance With Robots Is Already Here
In Race to Build Quantum Computing Hardware, Silicon Begins to Shine
You agreed to what? Tax sites want your data for more than filing
Those robot dogs got their first real job—guarding Pompeii
Squirrely maintenance
Re: Spreadsheets are hot
Henry Baker
Re: Squirrels and rats attacking AT&T fiber
Charles Cazabon
History of Internet Security and AI for Cybersecurity 20 Apr 2022
Info on RISKS (comp.risks)

SoCal man says car computer on his new Tesla froze, causing vehicle to be stuck at 83 mph on freeway (ABC7)

geoff goodfellow <>
Fri, 15 Apr 2022 15:16:16 -1000

The owner of a new Tesla Model 3 was left in shock after the car's main features allegedly froze while he was driving on the freeway.

Javier Rodriguez of Irvine spoke with Eyewitness News on Tuesday and said it happened last Thursday while he was heading westbound on the 10 Freeway through Cabazon.

He said the car was stuck going 83 mph and the main screen was frozen.

He said all of the buttons and switches - including turn signals and hazard lights - were not working.

“I noticed that it started to get hot in the car and there started to be a weird scent coming,” recalled Rodriguez. “I was nervous that if I were to brake a whole lot that I wouldn't be able to gain the speed again to keep up with traffic and get around cars. I was nervous somebody was going to slam into me.”

Even though the accelerator wasn't responding, fortunately Rodriguez said the brakes did work, but said that didn't make him any more comfortable when he was trying to stop. He was able to make it off the road, and a few minutes later, the car rebooted. That's when everything seemed normal.

An officer with the California Highway Patrol helped Rodriguez get off the freeway, where he eventually had the car towed. He said Tesla later told him they fixed the vehicle, but all they would say about what happened was what he said they wrote in the report.

“Diagnosed and found poor communication from charge port door causing power conversion system to shut off in order to protect on board components during drive,” Rodriguez recalled. […]

Driverless Cars Can Be Tricked into Seeing Red Traffic Lights as Green (New Scientist)

ACM TechNews <>
Mon, 18 Apr 2022 11:43:11 -0400 (EDT)

Matthew Sparkes, New Scientist, 16 Apr 2022 via ACM TechNews; Monday, April 18, 2022

Researchers at China's Zhejiang University found driverless cars could be fooled into seeing red traffic lights as green. The scientists directed a laser at the sensors of five camera models used by self-driving vehicles, with two open-source software packages reading the captured images. Lasers of a 650-nanometer and a 520-nanometer wavelength rendered the entire image red or green, respectively, while flickering the laser at high frequencies only induced this coloration in certain image segments. Adding a horizontal bar of green or red caused both software packages to incorrectly sense the traffic lights as green 30% of the time and red 86% of the time, on average, across the cameras.

Risks of locust swarms

Peter G Neumann <>
Sun, 17 Apr 2022 10:12:19 PDT

Vast swarms of locusts have decimated crops and grasslands across southern Namibia in recent weeks and contributed to a deadly traffic accident. A minibus driver lost control on a slippery stretch of highway where the ravenous pests were keeping warm on the pavement at night. Three of the 17 passengers died, with several more sustaining injuries. Officials say the slime from locusts crushed by traffic caused the accident.

Please add just one more corner case in your automated-vehicle threat model.

San Francisco Chronicle, Sunday 17 Apr 2022, Earthweek: a diary of the planet, which this week includes climate change, a new strain of avian flu, record droughts in Chile, second year of record-breaking methane surge, +117F in Senegal, -102F in Vostok, Antarctica, volcano eruption in Costa Rica with zero warning,

FBI removing malware surreptitiously (The Conversation)

Peter Neumann <>
Tue, 12 Apr 2022 19:23:50 PDT

What Can Hackers Do With Stolen Source Code? (WiReD)

Gabe Goldberg <>
Thu, 14 Apr 2022 12:21:40 -0400

Lapsus$ hackers leaked Microsoft's Bing and Cortana source code. How bad is that, really?

The Lapsus$ digital extortion group is the latest to mount a high-profile data-stealing rampage against major tech companies. And among other things, the group is known for grabbing and leaking source code at every opportunity, including from Samsung, Qualcomm, and Nvidia. At the end of March, alongside revelations that they had breached an Okta subprocessor, the hackers also dropped a trove of data containing portions of the source code for Microsoft's Bing, Bing Maps, and its Cortana virtual assistant. Sounds bad, right?

Businesses, governments, and other institutions have been plagued by ransomware attacks, business email compromise, and an array other breaches in recent years. Researchers say, though, that while source code leaks may seem catastrophic, and certainly aren't good, they typically aren't the worst-case scenario of a criminal data breach.

“Some source code does represent trade secrets, some parts of source code may make it easier for people to abuse systems, but accounts and user data are typically the biggest things companies have to protect” says Shane Huntley, director of Google's Threat Analysis Group. “For a vulnerability hunter, it makes certain things easier, allowing them to skip a lot of steps. But it's not magic. Just because someone can see the source code doesn't mean they'll be able to exploit it right then.”

In other words, when attackers gain access to source code”and especially when they leak it for all to see, a company's intellectual property could be exposed in the process, and attackers may be able to spot vulnerabilities in their systems more quickly. But source code alone isn't a road map to find exploitable bugs. Attackers can't take over Cortana from Microsoft or access users' accounts simply because they have some of the source code for the platform. In fact, as open source software shows, it's possible for source code to be publicly available without making the software it underpins less secure.

Best comment somewhere was that news of Bing source compromised resulted in 4x increase in searches, “What is Bing?”.

U.S. officials preparing for potential Russian cyberattacks (CBSNews)

“Peter G. Neumann” <>
Mon, 18 Apr 2022 11:24:01 -0700

This 60 Minutes episode on Russian cyberattacks might be of interest.

Feds Uncover a Swiss Army Knife for Hacking Industrial Control Systems (WiReD)

Jim Reisert AD1C <>
Thu, 14 Apr 2022 15:42:37 -0600

Andy Greenberg, WiReD, 13 Apr 2022

On Wednesday, the Department of Energy, the Cybersecurity and Infrastructure Security Agency, the NSA, and the FBI jointly released an advisory about a new hacker toolset potentially capable of meddling with a wide range of industrial control system equipment. More than any previous industrial control system hacking toolkit, the malware contains an array of components designed to disrupt or take control of the functioning of devices, including programmable logic controllers (PLCs) that are sold by Schneider Electric and OMRON and are designed to serve as the interface between traditional computers and the actuators and sensors in industrial environments. Another component of the malware is designed to target Open Platform Communications Unified Architecture (OPC UA) servers—the computers that communicate with those controllers.
“This is the most expansive industrial control system attack tool that anyone has ever documented,” says Sergio Caltagirone, the vice president of threat intelligence at industrial-focused cybersecurity firm Dragos, which contributed research to the advisory and published its own report about the malware. Researchers at Mandiant, Palo Alto Networks, Microsoft, and Schneider Electric also contributed to the advisory. ”It’s like a Swiss Army knife with a huge number of pieces to it.”

Google Bans Apps With Hidden Data-Harvesting Software (WSJ)

ACM TechNews <>
Wed, 13 Apr 2022 12:07:26 -0400 (EDT)

Byron Tau and Robert McMillan, The Wall Street Journal, 6 Apr 2022, via ACM TechNews, Wednesday, April 13, 2022

Google has pulled dozens of applications from its Google Play store amid researchers' findings that they contain software that secretly harvests data. Serge Egelman at the University of California, Berkeley and Joel Reardon of Canada's University of Calgary found links between the code's developer, Panama-based Measurement Systems, and a Virginia defense contractor that conducts cyberintelligence and other work for U.S. national security agencies. They learned the code ran on millions of Android devices and could be found within a number of consumer apps. The researchers said Measurement Systems had paid developers to embed its data-harvesting software development kit into their apps, which “continues to underscore the importance of not accepting candy from strangers,” according to Egelman.

Inside the Bitcoin Bust That Took Down the Web's Biggest Child Abuse Site (WiReD)

Gabe Goldberg <>
Sat, 16 Apr 2022 23:37:08 -0400

They thought their payments were untraceable. They couldn't have been more wrong. The untold story of the case that shredded the myth of Bitcoin's anonymity.

The Uncanny Future of Romance With Robots Is Already Here (Yahoo!)

geoff goodfellow <>
Sun, 17 Apr 2022 12:17:17 -1000

In the late 2000s, a lifestyle reporter in Moscow named Eugenia Kuyda, then in her early twenties, decided to produce a cover story on Roman Mazurenko, the person at the center of Moscow's creative hipster scene at the time. Right from the start, Eugenia and Roman both felt they had a profound connection, and soon became close friends.

A few years later, Kuyda moved to San Francisco to start a chatbot-based virtual assistant company. Shortly after, Mazurenko also moved and began his American life. They kept in touch continuously and exchanged endless text messages. But in late 2015 Mazurenko, then 34, was hit and killed by a car while crossing a street during a short visit in Moscow.

Grieving Mazurenko, Kuyda read their messages over and over again. At some point, she realized that these messages had the potential to be more than just a memory. She took all the data she had and, with her team and using Google-based neural networks, built a chatbot version of Mazurenko. The result was surprisingly human-like. She could text with the chatbot on past and future events, and digital Mazurenko came to life and felt real. Digital Mazurenko was sad when she told him how much she missed him and joyful when she shared with him her recent achievements at her company.

Kuyda and her team took this concept further and made a version that anyone could use. They named it Replika and users loved it instantly. Looking back at Replika’s success, Kuyda recounted, “People started sending us emails asking us to build a bot for them.”

Some people wanted to build a replica of themselves, and some wanted to build a bot for a person that they loved but was gone. These positive reactions encouraged Kuyda and her team to go further”to create fictitious characters that accompany people around the world. Replika is now a companion chatbot app available on almost any operating system with the slogan: “Always here to listen and talk. Always on your side.” Millions have downloaded the app, and it boasts hundreds of thousands of reviews, most highly positive. […]

In Race to Build Quantum Computing Hardware, Silicon Begins to Shine (Princeton)

ACM TechNews <>
Wed, 13 Apr 2022 12:07:26 -0400 (EDT)

Tom Garlinghouse, Princeton University Department of Physics, 6 Apr 2022

Princeton University researchers achieved more than 99.8% fidelity using a two-qubit quantum device made from silicon. The researchers used a double quantum dot silicon device to capture and force two electrons to interact; the entangling operation achieved the highest fidelity achieved so far for a two-qubit gate in a semiconductor. Princeton's Jason Petta said, “This is the first demonstration of a semiconductor spin qubit system where we have integrated performance of the entire system—the state preparation, the readout, the single qubit control, the two-qubit control—all with performance metrics that exceed the threshold you need to make a larger-scale system work.”

You agreed to what? Tax sites want your data for more than filing (WashPost)

Monty Solomon <>
Wed, 13 Apr 2022 09:07:16 -0400

We investigate why Turbo Tax and H&R Block ask you to give up your return's basic federal privacy protections—and explain how to demand your data back.

Those robot dogs got their first real job—guarding Pompeii (

Richard Stein <>
Sun, 17 Apr 2022 11:11:39 +0800

The robot doggie-breath patrol deters antiquities theft. No word if they are equipped with BD Entelodont jaw option.

Squirrely maintenance

“Peter G, Neumann” <>
Tue, 12 Apr 2022 19:15:03 PDT

One of my neighbors who has recently experienced long AT&T home Internet outages reports that the maintenance folks cannot see the big picture of how the entire neighborhood is offline, as their diagnostic screens show only the house that is being remediated, with a different truck each day — apparently with no carryover from one customer to another or oone day to the next.

“He told me he didn't even have a way to be aware of it, and he couldn't look it up anywhere. He said he could see only the call for my particular house and didn't have access to a bigger picture anywhere. The supervisor who came out said the same. In fact, they both said they had never heard of a squirrel problem. Go figure.”

[At least five AT&T trucks in the neighborhood again. PGN]

Re: Spreadsheets are hot (Levine, RISKS-33.14)

Henry Baker <>
Wed, 13 Apr 2022 00:15:39 +0000

What's Going On Under the (Spread) Sheets Re: ‘We also found that people Did Not Care’

In the daze before IEEE-754 Floating Point Arithmetic[1], the ‘same’ program run on computers from different vendors would often produce different results—sometimes very different results.

Since this was embarrassing—perhaps the original “Replication Crisis”[2] ?—IEEE-754 standard arithmetic caught on extremely quickly.

Now—thanks to standardization—everyone gets the same erroneous answers! :-)



Re: Squirrels and rats attacking AT&T fiber (Jha, RISKS-33.14)

Charles Cazabon <>
Tue, 12 Apr 2022 17:28:14 -0600
> It appears Honda thinks chili-flavored wire might work, though there is a
> concern that habituation would decrease long-term effectiveness:

Honda may be assuming too much from a study on a few lab rats. Different species react to capsaicin very differently, as I found inadvertently.

I've had pet rabbits for many years. Once, when we were fostering a litter of young (~3 week old) abandoned bunnies, they jumped onto a kitchen table (they're like deer; you need a really tall fence to keep them out…) and ate a paper bag full of Thai Dragon peppers I was drying. It was my entire harvest for the year—several dozen peppers, stems, seeds, and all. Also the paper bag, most of a pillar candle, half a bunch of bananas, with skins, and part of a lead candle holder.

They weren't phased in the slightest by the capsaicin, though the peppers were far too hot for me in any quantity.

I don't know how squirrels or other wire-destroying animals might handle capsaicin, but if I were a company looking at solutions, I would make sure I had a study of the particular animals of interest, and not try to generalize from a lab-rat study.

History of Internet Security and AI for Cybersecurity 20 Apr 2022 (Hybrid ACM Baltimore Chapter Seminar)

Rebecca Mercuri <>
Wed, 13 Apr 2022 08:42:16 -0400
> From: Ashutosh Dutta, Ph.D., Chair ACM Baltimore Chapter
> <>


ACM Baltimore Chapter 2nd Seminar (In-Person and Online) Wednesday, April 20, 2022, 5:00 PM—8:00 PM EST [Heavily PGN-ed]

Agenda: (Talks will be Streamed Live/All Times are US Eastern Time)

5:50 PM—6:40 PM EST Invited Talk: “35 Years of Protecting the Internet, a historical retrospective” (Prof. Steven M. Bellovin, Columbia University)

6:50 PM—7:40 PM EST Invited Talk: AI for Cybersecurity (Dr. Anupam Joshi, University of Maryland Baltimore County (UMBC))

7:40 PM—8:00 PM EST Future Events and Vote of Thank

FREE Zoom link: Tiny URL: <>

[TINY? You must be kidding. I deleted the full-length one, which was almost twice as long. PGN]

ID: 160 781 8310 Password: 468284

Johns Hopkins University Applied Physics Lab, USA (Online and in-person)

Please report problems with the web pages to the maintainer