A video posted to Reddit this week appears to show a Tesla vehicle driving into a jet while using one of its self-driving functions.
Uploaded on Thursday by u/smiteme, the footage, reportedly taken at an event held by the aircraft manufacturer Cirrus, shows the vehicle running into what's known as a Vision Jet.
The vehicle is said to have struck the aircraft, reportedly valued at around $3.5 million, after the owner activated Tesla's Smart Summon feature. The Vision Jet can be seen rotating as the Tesla attempts to drive through it. […]
https://www.dailydot.com/debug/tesla-crash-vision-jet-autpilot-video/
Derrick Monet and his wife, Jenna, were driving on an Indiana interstate in 2019 when their Tesla Model 3 sedan operating on Autopilot crashed into a parked fire truck. Derrick, then 25, sustained spine, neck, shoulder, rib and leg fractures. Jenna, 23, died at the hospital.
The incident was one of a dozen in the last four years in which Teslas using this driver-assistance system collided with first-responder vehicles, raising questions about the safety of technology the world's most valuable car company considers one of its crown jewels.
Now, U.S. regulators are applying greater scrutiny to Autopilot than ever before. The National Highway Traffic Safety Administration, which has the authority to force recalls, has opened two formal defect investigations that could ultimately lead Tesla Inc. to have to retrofit cars and restrict use of Autopilot in situations it still can't safely handle.
A clampdown on Autopilot could tarnish Tesla's reputation with consumers and spook investors whose belief in the company's self-driving bona fides have helped make Tesla Chief Executive Officer Elon Musk the world's wealthiest person. It could damage confidence in technology other auto and software companies are spending billions to develop in hope of reversing a troubling trend of soaring U.S. traffic fatalities. […]
https://www.msn.com/en-us/autos/news/tesla-autopilot-stirs-us-alarm-as-disaster-waiting-to-happen/ar-AAWkGtE
“The team ran MegaSyn overnight and came up with 40,000 substances, including not only VX but other known chemical weapons, as well as many completely new potentially toxic substances. All it took was a bit of programming, open-source data, a 2015 Mac computer and less than six hours of machine time. ‘It just felt a little surreal,’ Urbina says, remarking on how the software's output was similar to the company's commercial drug-development process. ‘It wasn't any different from something we had done before: use these generative models to generate hopeful new drugs.’”
An AI drug discovery platform cooks new CW formulations. They may be easy to prepare in a binary form for dispersal, a possibly convenient deployment composition. Frightening to imagine this situation.
AI drug discovery applications are not new. Their possible exploitation as eventual open-source instruments that can enable CW preparation is alarming.
The Risks Forum lists ~20 prior submissions on chemical weapons.
This looks like a serious bug for Java, which enables one to forge signatures.
Twenty-some years ago, someone at what was then Sun did not understand the importance of proper use of nonces. They hard-coded the nonce in Java's DSA implementation.
https://www.theregister.com/2022/04/20/java_authentication_bug/
https://arstechnica.com/information-technology/2022/04/major-crypto-blunder-in-java-enables-psychic-paper-forgeries/
[Drew suggests this bug may be Snoracle's Strike Two implementing DSA?]
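The nonce-handling failure the comment above refers to, as an added, constructed example that is not from the digest, from Java, or from any of the linked articles: it implements textbook DSA over toy parameters (P, Q, G, the messages and keys are all made up here) and shows the general property that two signatures issued under one fixed nonce let anyone holding them compute the signer's private key, which is why a nonce mistake is a forgery bug. It illustrates the general DSA property, not the specific Java code.

```python
import hashlib
# Toy DSA parameters, constructed for illustration only (far too small for real use);
# Q is a prime factor of P - 1 and G generates the subgroup of order Q mod P.
P = 283                        # prime, P - 1 = 2 * 3 * 47
Q = 47
G = pow(2, (P - 1) // Q, P)    # 64, an element of order Q

def hash_mod_q(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % Q

def sign(x, msg, k):
    """DSA signing with a caller-supplied nonce k. A sound signer draws a fresh,
    unpredictable k in [1, Q-1] per signature (or derives it per RFC 6979)."""
    r = pow(G, k, P) % Q
    s = (pow(k, -1, Q) * (hash_mod_q(msg) + x * r)) % Q
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, retry with a fresh nonce")
    return r, s

def verify(y, msg, sig):
    r, s = sig
    if not (0 < r < Q and 0 < s < Q):   # reject out-of-range components
        return False
    w = pow(s, -1, Q)
    u1, u2 = (hash_mod_q(msg) * w) % Q, (r * w) % Q
    return (pow(G, u1, P) * pow(y, u2, P) % P) % Q == r

def recover_private_key(msg1, sig1, msg2, sig2):
    """Signatures made with the same nonce share r; then
    k = (h1 - h2) / (s1 - s2) mod Q and x = (s1 * k - h1) / r mod Q."""
    (r1, s1), (r2, s2) = sig1, sig2
    h1, h2 = hash_mod_q(msg1), hash_mod_q(msg2)
    if r1 != r2 or (s1 - s2) % Q == 0:
        return None                    # different nonces: nothing leaks
    k = ((h1 - h2) * pow(s1 - s2, -1, Q)) % Q
    return ((s1 * k - h1) * pow(r1, -1, Q)) % Q

def nonce_reuse_demo(x, k):
    """Sign messages under one fixed k; recover x from any two of them."""
    pairs = []                         # (msg, sig) with distinct message hashes
    for i in range(64):
        msg = b"constructed message %d" % i
        try:
            sig = sign(x, msg, k)
        except ValueError:
            continue
        if all(hash_mod_q(msg) != hash_mod_q(m) for m, _ in pairs):
            pairs.append((msg, sig))
        if len(pairs) == 2:
            return recover_private_key(*pairs[0], *pairs[1])
```

`nonce_reuse_demo(17, 5)` returns the private key 17 from signatures alone; the defensive checks are the fresh-nonce requirement in `sign` and the range check in `verify`.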
Hackers can infect >100 Lenovo models with unremovable malware. Are you patched?
Lenovo has released security updates for more than 100 laptop models to fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that can be next to impossible to remove or, in some cases, to detect.
All three of the Lenovo vulnerabilities discovered by ESET require local access, meaning that the attacker must already have control over the vulnerable machine with unfettered privileges. The bar for that kind of access is high and would likely require exploiting one or more other critical vulnerabilities elsewhere that would already put a user at considerable risk.
Charlie Osborne, ZDNet, 19 Apr 2022, via ACM TechNews, Friday, April 22, 2022
Lenovo Patches UEFI Firmware Vulnerabilities Impacting Millions of Users
Chinese multinational technology company Lenovo has patched three Unified Extensible Firmware Interface (UEFI) vulnerabilities discovered by Martin Smolár at Slovak Internet security firm ESET. The bugs reportedly could be leveraged to “deploy and successfully execute UEFI malware either in the form of SPI [Serial Peripheral Interface] flash implants like LoJax, or ESP implants like ESPecter” in the Lenovo Notebook BIOS. ESET said the bugs, caused by drivers only intended for use during product development, affected “more than 100 different consumer laptop models with millions of users worldwide.” ESET advised using Trusted Platform Module-aware full-disk encryption software to block access to information, if UEFI Secure Boot configurations are meddled with in out-of-support devices.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e7b9x2334c3x072707&
The inside story of the world's most notorious commercial spyware and the big tech companies waging war against it.
https://www.newyorker.com/magazine/2022/04/25/how-democracies-spy-on-their-citizens
https://www.theverge.com/2022/4/19/23032776/brave-de-amp-google-browser
New parent company, Warner Bros. Discovery, decided to pull the plug on the streaming service after a slow first month.
https://www.washingtonpost.com/media/2022/04/21/cnn-plus-streaming-shut-down-warner-bros/
The risk? Doing anything new? Planting a seed and being insanely impatient for it to bear fruit? Looking ridiculous?
When Carey Gartner ordered a TV remote on Amazon in 2017, it arrived promptly at his home in Texas, most likely in one of those standard brown boxes with the company's logo: an arrow tilting up in a half-smile. A year later, the battery cover popped off the remote, exposing a lithium battery, and Gartner's 19-month-old swallowed it, severely burning and permanently damaging her esophagus, according to allegations in a court filing. His wife, Morgan McMillan, sued Amazon on their daughter’s behalf.
Last June, the Supreme Court of Texas ruled that Amazon was not liable for her injuries, because even if the company had listed, warehoused and delivered the remote control, it had not sold it. The seller was a third-party merchant with an address in China, who had registered an account with Amazon under the name Hu Xi Jie. Ms. McMillan subpoenaed Mr. Hu through Texas’ secretary of state, but he did not respond to the subpoena, if it ever reached him, or to a request from Amazon for information.
“It's like whack-a-mole,” Jeff Meyerson, the Gartner-McMillan family's attorney, told The Times. “You can't find these entities when it's time for them to compensate anybody.” Amazon removed the product from its website, but the family was out of luck. (An Amazon representative told The Times, “Amazon invests heavily in the safety and authenticity of all products offered in our store, including proactively vetting sellers and products before being listed and continuously monitoring our store for signals of a concern.”)
But a series of product safety cases that have been brought against Amazon over the past few years makes clear that its rewiring of retail poses risks to customers as well. Above all, the cases highlight a significant gap between how most people understand the world's largest e-commerce company and what that company actually does.
https://www.nytimes.com/2022/04/21/opinion/amazon-product-liability.html
The former president has embarked on a campaign to warn that the scourge of online falsehoods has eroded the foundations of democracy.
https://www.nytimes.com/2022/04/20/technology/barack-obama-disinformation.html
Cars with drivers can also be caused to stop by shining a laser into the windscreen.
The Financial Times Alphaville section has a reasonable and very sceptical take on it:
There are reasons that laws are interpreted by people rather than by software. You can't write either complex software or complex laws without errors. When there are poorly drafted laws, judges have rules of construction to try and find the most sensible interpretation, and above that some overriding principles. If a badly drafted law somehow said that you were allowed to kill people without consequence, a court would observe that laws can't say that and ignore the law. We are a long, long, way from software that works like that.
It's not that simple. Having source MAY make it a little bit easier to find an exploit in a system, but it's not like you can look at a piece of code and easily spot the problems. If you could, they'd have been spotted by the people who wrote the code! Most exploitable vulnerabilities are the result of strange interactions between various portions of a system, and looking at the source doesn't necessarily give you the slightest clue as to how they happen.
Being afraid of the release of source code is like being afraid of the release of a cryptographic algorithm—if that's what gives the bad guy a leg up, then you've always had a problem, and you were just hiding it.
The problem is motivation. An attacker with source code will double-check each strcmp for a buffer overflow. The author, who has seen the code dozens of times, often can't see the trees for the forest. Another problem is skill set: it takes different skills to analyze code for weaknesses than it does to write the code so that it seems to operate correctly.
I don't think RISKS is the right forum to discuss/argue this, but this does give me a chance to plug the book “This Is How They Tell Me the World Ends: The Cyberweapons Arms Race” by Nicole Perlroth, which is eye-opening on how attackers can analyze systems for vulnerabilities without having the source code. There's actually a marketplace for zero-day vulnerabilities… who knew?
[See RISKS-32.48]