https://www.npr.org/2022/06/04/1103066205/taser-armed-drones-school-shootings "The product idea had been kicked around at Axon since at least 2019 and the company has been working to try to figure out whether a drone with a Taser was even a feasible idea. Over the last year, the company created computer-generated art renderings to mock up a product design and conducted an internal test to see if Taser darts—which transmit an immobilizing electric jolt—could be fired from a flying drone, Smith said. He added that he had discussed the possibility of developing such a product with the ethics board." Would Axon deploy this drone-tazerbot to patrol their corporate HQ and other facilities? Nuts!
The U.S. Food and Drug Administration (FDA) is informing laboratory personnel and health care providers about a cybersecurity vulnerability affecting software in the Illumina NextSeq 550Dx, the MiSeqDx, the NextSeq 500, NextSeq 550, MiSeq, iSeq, and MiniSeq next generation sequencing instruments. These instruments are medical devices that may be specified either for clinical diagnostic use in sequencing a person's DNA or testing for various genetic conditions, or for research use only (RUO). Some of these instruments have a dual boot mode that allows a user to operate them in either clinical diagnostic mode or RUO mode. Devices intended for RUO are typically in a development stage and must be labeled “For Research Use Only. Not for use in diagnostic procedures.”, though many laboratories may be using them with tests for clinical diagnostic use. The cybersecurity vulnerability affects the Local Run Manager (LRM) software. An unauthorized user could exploit the vulnerability by:
* taking control of the instrument remotely;
* operating the system to alter settings, configurations, software, or data on the instrument or a customer's network; or
* impacting patient test results in the instruments intended for clinical diagnosis, including causing the instruments to provide no results or incorrect results, altered results, or a potential data breach.
Illumina has developed a software patch to protect against the exploitation of this vulnerability and is working to provide a permanent software fix for current and future instruments. The FDA wants laboratory personnel and health care providers to be aware of the required actions to mitigate these cybersecurity risks. [...]
https://www.fda.gov/medical-devices/letters-health-care-providers/illumina-cybersecurity-vulnerability-may-present-risks-patient-results-and-customer-networks-letter
FBI Director Christopher Wray said the bureau and Boston Children's Hospital had worked closely together after a hacktivist attacked the hospital's computer network in 2014. https://www.nbcnews.com/tech/security/fbi-blocked-planned-cyberattack-childrens-hospital-director-says-rcna31456
How seriously do video gamers take the games' depictions of military hardware? Seriously enough that three times in the past year, players of "War Thunder" have leaked classified military documents on the game's online forums, either to settle arguments about their favorite tanks' capabilities or to get the game's designers to make them more true-to-life. https://kotaku.com/war-thunder-tank-classified-military-document-leak-chin-1849005359
Kate Brumback, Associated Press, 1 Jun 2022, via ACM TechNews, 1 Jun 2022 The U.S. Cybersecurity and Infrastructure Security Agency (CISA) warned state election officials that Dominion Voting Systems' electronic voting machines contain software flaws that could be exploited if left unpatched. Although there is no evidence the machines have been hacked to change election results, the advisory discloses nine vulnerabilities, and recommends safeguards to prevent or detect exploitation. Despite CISA executive director Brandon Wales' statement that "states' standard election security procedures would detect exploitation of these vulnerabilities, and in many cases would prevent attempts entirely," the advisory seems to suggest those efforts are inadequate. Advised mitigation strategies include application of continued and enhanced "defensive measures to reduce the risk of exploitation of these vulnerabilities" prior to every election. CISA also urged aggressive pre- and post-election testing on the machines, post-election audits, and having voters confirm the human-readable portion on printed ballots. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2eb70x2341a1x072730&
The nation's leading cybersecurity agency released a final version Friday of an advisory it previously sent state officials on voting machine vulnerabilities in Georgia and other states that voting integrity activists say weakens a security recommendation on using barcodes to tally votes. The advisory put out by the U.S. Cybersecurity and Infrastructure Security Agency, or CISA, has to do with vulnerabilities identified in Dominion Voting Systems' ImageCast X touchscreen voting machines, which produce a paper ballot or record votes electronically. The agency said that although the vulnerabilities should be quickly mitigated, the agency “has no evidence that these vulnerabilities have been exploited in any elections.'' Dominion's systems have been unjustifiably attacked since the 2020 election by people who embraced the false belief that the election was stolen from former President Donald Trump. The company has filed defamation lawsuits in response to incorrect and outrageous claims made by high-profile Trump allies.
Airlines are within their contractual rights to cancel booked flights and place passengers on less-convenient routes with hours-long layovers. Our columnist investigates whether travelers have any recourse. https://www.nytimes.com/2022/05/24/travel/airline-flight-itinerary.html
After the Log4j issue came to light [See RISKS-33.11,13,14] (https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance), I would have expected the industry to realize the problem wasn't just with Log4j, or even Java. It's unguarded user-submitted parameter expansion. https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html seems to indicate I was overly optimistic. Several templating engines exist with several parameter formats. Offhand, there is jsp with <jsp, <%, <c, ${, asp(x) with <%, smarty and freemarker with {$, Django, Mustache and Jinja with {{. Apache's Velocity templates have a list worthy of a BNF rule, but I don't know BNF, so how about "dollar-sign or hash optional bang optional bracket
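As an added example (mine, not code from the contributor above or from any of the engines he lists), here is a toy ${prefix:key} lookup expander in the Log4j/Velocity style. It shows the vulnerable path, where untrusted input is spliced into the pattern and the whole string is then expanded, beside the fixed one, where only the developer-controlled pattern is expanded and user data is spliced in afterwards and never re-expanded. The same separation of template from data is the fix for every engine in the list, whatever its delimiter. The %msg placeholder, the env and upper prefixes and the FAKE_ENV dictionary are assumptions for the demonstration, not any engine's real syntax.

```python
"""Toy ${prefix:key} lookup expander (Log4j/Velocity style).
Added example; the lookup syntax, prefixes and environment are invented."""
import re

# One lookup: ${prefix:key}. The key may not contain braces, so on nested
# input the innermost lookup matches first and the outer one on the re-scan.
LOOKUP_RE = re.compile(r"\$\{([a-z]+):([^{}]*)\}")

# Constructed stand-in for process environment / system properties (assumption).
FAKE_ENV = {"HOME": "/home/app", "API_TOKEN": "hunter2"}


def resolve(prefix, key):
    """Resolve one lookup; unknown prefixes expand to empty, as most engines do."""
    if prefix == "env":
        return FAKE_ENV.get(key, "")
    if prefix == "upper":
        return key.upper()
    return ""


def expand(text, max_depth=8):
    """Expand lookups and re-scan the result so nested lookups resolve.
    The re-scan is what turns data into code: whatever reaches this function
    is treated as template, regardless of where it came from."""
    for _ in range(max_depth):
        new = LOOKUP_RE.sub(lambda m: resolve(m.group(1), m.group(2)), text)
        if new == text:
            break
        text = new
    return text


def format_log_vulnerable(pattern, user_msg):
    """Bug: the untrusted message is spliced into the pattern first and the
    combined string is expanded, so ${env:API_TOKEN} in user input is honoured."""
    return expand(pattern.replace("%msg", user_msg))


def format_log_safe(pattern, user_msg):
    """Fix: expand only the developer-controlled pattern, then splice the
    untrusted message in verbatim. User data is never handed to the expander."""
    rendered = expand(pattern)
    return rendered.replace("%msg", user_msg)


if __name__ == "__main__":
    pattern = "[${env:HOME}] request: %msg"
    attack = "${env:API_TOKEN}"
    print("vulnerable:", format_log_vulnerable(pattern, attack))
    print("safe:      ", format_log_safe(pattern, attack))
```

Run as a script it prints the leaked token on the vulnerable path and the literal "${env:API_TOKEN}" on the safe one; the nested form ${upper:${env:HOME}} expands to /HOME/APP, which is the recursion that makes data-as-template dangerous.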
Let's abolish reading privacy policies. Here's how we can use the law and technology to give us real privacy choices. https://www.washingtonpost.com/technology/2022/05/31/abolish-privacy-policies/ [Also noted by Gabe Goldberg. PGN]
A traffic camera at this stop sign, which has proven lucrative for the District, is loathed by some residents who say it is overly sensitive and praised by others who say it promotes safe driving. https://www.washingtonpost.com/dc-md-va/2022/05/31/stop-sign-camera-northwest-washington/
https://www.cbc.ca/news/business/tim-hortons-app-report-1.6473584 The federal privacy commissioner's investigation into the Tim Hortons mobile app found that the app unnecessarily collected extensive amounts of data without obtaining adequate consent from users. The commissioner's report, which was published Wednesday morning, states that Tim Hortons collected granular location data for the purpose of targeted advertising and the promotion of its products but that the company never used the data for those purposes.
https://www.capecodtimes.com/story/news/2022/06/04/cape-cod-regional-transit-authority-ransomware-cyber-attack-fbi-investigating/7501982001/
The company continues to downplay the severity of the Follina vulnerability, which remains present in all supported versions of Windows. The Follina vulnerability in a Windows support tool can be easily exploited by a specially crafted Word document. The lure is outfitted with a remote template that can retrieve a malicious HTML file and ultimately allow an attacker to execute PowerShell commands within Windows. Researchers note that they would describe the bug as a "zero-day," or previously unknown vulnerability, but Microsoft has not classified it as such. [...] With all this real-world exploitation, the question is whether the guidance Microsoft has published so far is adequate and proportionate to the risk. "Security teams could view Microsoft's nonchalant approach as a sign that this is 'just another vulnerability,' which it most certainly is not," says Jake Williams, director of cyber threat intelligence at the security firm Scythe. "It's not clear why Microsoft continues to downplay this vulnerability, especially while it's being actively exploited in the wild." https://www.wired.com/story/microsoft-follina-vulnerability-windows-office-365
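As an added example (mine, not code from the Wired piece or from Microsoft), a scanner that flags the remote-template lure the article describes. It relies only on the standard OOXML layout: a .docx is a zip, and an attached template is declared as an attachedTemplate relationship in word/_rels/settings.xml.rels, with TargetMode="External" when the template lives outside the file. A target that is an http(s) URL or a UNC path makes Word fetch it from elsewhere when the document opens, which is the delivery step for this kind of lure. The sample documents are constructed in memory for the demonstration and the address 203.0.113.5 is a placeholder.

```python
"""Flag Word documents whose attached template is fetched from a remote host.
Added example; the sample documents it builds are constructed, not real."""
import io
import zipfile
import xml.etree.ElementTree as ET

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"
# Targets that make Word reach off the local disk: URLs and UNC paths.
REMOTE_PREFIXES = ("http://", "https://", "\\\\")


def remote_templates(docx_bytes):
    """Return every attachedTemplate target that points off-host.
    An empty list means no remote template is declared; it does not mean the
    document is otherwise safe."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as doc:
        if SETTINGS_RELS not in doc.namelist():
            return hits
        root = ET.fromstring(doc.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{RELS_NS}}}Relationship"):
            if rel.get("Type") != ATTACHED_TEMPLATE:
                continue
            if rel.get("TargetMode") != "External":
                continue
            target = rel.get("Target", "")
            if target.lower().startswith(REMOTE_PREFIXES):
                hits.append(target)
    return hits


def build_sample_docx(template_target=None):
    """Constructed, minimal docx-shaped zip for the demo (not a real document).
    With template_target set it carries the same relationship a remote-template
    lure carries; without it, it is a plain document with no template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as doc:
        doc.writestr("[Content_Types].xml", "<Types/>")
        doc.writestr("word/document.xml", "<document/>")
        if template_target is not None:
            doc.writestr("word/settings.xml",
                         '<settings><attachedTemplate r:id="rId1"/></settings>')
            doc.writestr(SETTINGS_RELS,
                         f'<Relationships xmlns="{RELS_NS}">'
                         f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                         f'Target="{template_target}" TargetMode="External"/>'
                         '</Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    samples = [("benign", None),
               ("local template", "file:///C:/Templates/Normal.dotm"),
               ("remote template", "http://203.0.113.5/tpl.html"),
               ("UNC template", "\\\\203.0.113.5\\share\\tpl.dotm")]
    for label, target in samples:
        print(f"{label:16s} -> {remote_templates(build_sample_docx(target))}")
```

A local template (file:///...) is normal for documents based on an organisational .dotm and is not flagged; anything http, https or UNC is reported so it can be blocked or sandboxed before Word ever parses the fetched file.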
It's not impossible that ultimately platforms will be required to moderate all UGC (User Generated Content) before it appears publicly. This would likely require a drastic cutback in UGC availability, with many ramifications. But the regulatory arrow is moving in this direction.
Technical University of Munich, Germany, 27 May 2022 via ACM TechNews, 1 Jun 2022 Scientists at Germany's Technical University of Munich (TUM) have developed a machine learning algorithm to extract subtypes of illnesses from molecular data. The Molecular Signatures using Biclustering (MoSBi) tool merges the results of existing algorithms to acquire stronger, more precise clinical subtype predictions, removing the need for time-consuming adjustment. "We have developed a Web-based tool that permits online analysis of molecular clinical data by practitioners without prior knowledge of bioinformatics," explained TUM's Josch Konstantin Pauling. Researchers can submit data to a website for automated analysis, and use the results to interpret their research. The team worked with colleagues at Germany's Max Planck Institute, Technical University of Dresden, and Kiel University Clinic to apply MoSBi to identify two potential biomarkers for progression to non-alcoholic fatty liver disease. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2eb70x2341a7x072730&
https://techcrunch.com/2022/06/01/2328459/ GOOD!
Scott Chipolina, *Financial Times*, 31 May 2022, via ACM TechNews, 1 Jun 2022 A coalition of 26 leading computer scientists and academics has submitted a letter to U.S. lawmakers urging a crackdown on cryptocurrency investments and blockchain technology. The letter calls on major Senate figures "to resist pressure from digital asset industry financiers, lobbyists, and boosters to create a regulatory safe haven for these risky, flawed, and unproven digital financial instruments." Signatory Bruce Schneier at Harvard University said blockchain, contrary to advocates' assurances, is insecure and not decentralized. Events like the recent implosion of the TerraUSD stablecoin have rekindled worries about crypto's financial stability, while letter signatory and former Microsoft engineer Miguel de Icaza argued, "The computational power [of blockchain] is equivalent to what you could do in a centralized way with a $100 computer." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2eb70x2341abx072730&
Molly White, a 28-year-old software engineer who edits Wikipedia pages in her spare time, has become an unlikely thorn in the side of the burgeoning cryptocurrency movement. As the tech and finance world largely embrace crypto tech, she's helping lead a band of skeptics pushing the other direction. https://www.washingtonpost.com/technology/2022/05/29/molly-white-crypto/
Tandon School of Engineering BROOKLYN, New York, 11 May 2022—Lightning-fast, low-latency wireless, from 5G to 6G and beyond, will enable such services as virtual and augmented reality streaming, near-zero latency vehicle-to-cloud communications to help self-driving cars navigate in real time, remote surgery, coordination of automated systems in factories and other facilities, and a plethora of futuristic consumer apps. But it will also open a Pandora's box of security vulnerabilities in the hardware serving as its backbone and software driving its networks. [...]
Despite some efforts by the largest tech companies to limit the spread of hateful content, it often remains only a click or two away. https://www.nytimes.com/2022/06/01/technology/fringe-mainstream-social-media.html
China has announced its first plans to search the stars for nearby habitable planets that could one day expand humanity's "living space" across the Milky Way. If it gets funding, the telescope could launch as soon as 2026. In the project, called Closeby Habitable Exoplanet Survey (CHES), officials propose launching a 3.9-foot-aperture (1.2 meters) space telescope roughly 930,000 miles (1.5 million kilometers) to a gravitationally stable Lagrange point between Earth and the Sun, according to the Chinese state-run news service CGTN. Lagrange points trek around the sun at exactly the same rate as Earth does, meaning a craft at one of those points will remain the same distance from our planet indefinitely. Once at the L2 Lagrange point (which is also home to NASA's James Webb Space Telescope), the CHES telescope will spend five years searching for habitable worlds across the roughly 100 sun-like stars within 33 light-years (10 parsecs) of Earth. From this data, astronomers hope to spot Earth-size *exoplanets* <https://www.livescience.com/what-are-exoplanets> that are moving around their stars in similar orbits to our own—a clue that these potential "Earth 2.0's" may harbor water, and possibly even life. "The discovery of the nearby habitable worlds will be a great breakthrough for humankind, and will also help humans visit those Earth twins and expand our living space in the future," Ji Jianghui, an astronomer at the Chinese Academy of Sciences and the principal investigator of the CHES mission, *told CGTN*, the website of the China Global Television Network. The scientists say they hope to find roughly 50 Earth-like or super-Earth exoplanets in their search. [...] <https://news.cgtn.com/news/2022-05-19/China-plans-world-s-first-habitable-planet-search-outside-solar-system-1a9W98DLA52/index.html>, https://www.livescience.com/china-is-looking-for-other-earths-to-colonize [What are the risks? It's likely to be hugely expensive.
It seems somewhat delusional and beyond rational thought, in light of needing mass transit over the light-years required for travel, although that would perhaps be limited to future government leaders wishing to escape. The use of the word "nearby" in the trans-galactic sense is particularly amusing. It's too late for an April Fool's posting, so perhaps it is actually being considered seriously. <I wonder what Bill Cheswick (widely known as "CHES") might think of it. He has always been a far-sighted thinker.> PGN]
https://www.youtube.com/watch?v=6VKpJeNoRlA Business Insider's Linette Lopez joins Morning Joe to discuss her latest piece on why the tech titans of Silicon Valley are in serious trouble.
https://www.nytimes.com/2022/06/01/arts/broadway-nudity-phone-cameras.html
This is an unusually poor piece for ProPublica, a lot of DC inside baseball but nothing on the key question of whether C band signals really will make airliners' radio altimeters fail. The answer for the most part turns out to be no. Harold Feld did a really good series on this last fall: https://wetmachine.com/tales-of-the-sausage-factory/what-the-eff-faa-my-insanely-long-field-guide-to-the-faa-fcc-5g-c-band-fight/