[3 items PGN-merged]

NHTSA: 'Self-driving' cars were linked to 392 crashes in 10 months
https://www.engadget.com/self-driving-car-technology-crash-data-172606258.html

NHTSA report shows Tesla Autopilot led the pack in crashes, but the data has gaps (TechCrunch)
https://techcrunch.com/2022/06/15/tesla-autopilot-nhtsa-crashes-fatalities/

NHTSA data shows Teslas using Autopilot crashed 273 times in less than a year
https://arstechnica.com/cars/2022/06/teslas-using-autopilot-crashed-273-times-in-less-than-a-year/
[PGN retitled with German grunt-pun, combining several contributions from Lauren into a single RISKS item. PGN]

* More Musk

Musk essentially told Twitter employees that it's OK for Twitter to become a cesspool of hate speech and disinformation, so long as Twitter doesn't promote it and individuals can block any given sender. This would still turn Twitter into a hellhole. Hate campaigns could drive individuals off the platform, unable to block so many senders. Crazies would spread hate amongst themselves. And all of this conflicts with the push to monitor social media for law enforcement purposes. A total mess.

* Musk vs. the EU

Twitter operates internationally. Any given tweet thread may have participants from anywhere in the world. The EU is rapidly ramping up prohibitions on hate speech and disinformation. Think about it.

* Elon Musk, Tesla and SpaceX Hit With $258 Billion Dogecoin Lawsuit
https://decrypt.co/103089/elon-musk-tesla-spacex-dogecoin-lawsuit
State prosecutors charge a reserve soldier and a service soldier of the Intelligence Corps, and a teenager, with publishing classified military information online. According to charges, one of the soldiers used his access to secret information to share it with the other, who shared it with the teenager, who posted it on social media. https://www.haaretz.com/israel-news/2022-06-13/ty-article/.premium/israeli-intel-soldier-minor-accused-of-posting-secrets-on-social-media/00000181-5ccd-d8b6-abdd-dccf0a990000
David Yaffe-Bellany and Erin Griffith, *The New York Times*, 15 Jun 2022, National Edition front page + A13

A global industry worth hundreds of billions of dollars rose up practically overnight. Now it is crashing down. For years [cryptocurrencies] have been marketed as a hedge against inflation caused by central banks flooding the economy with money. ... But now, with stocks crashing, interest rates soaring and inflation high, cryptocurrency prices are also collapsing, showing they have become tied to the overall market.

p.A13 summary fragment: Companies are laying off staff and freezing withdrawals.

[Coinbase layoffs were noted briefly in RISKS-33.28, and extensively in this *Times* article. PGN]
Anne M. Stark, Lawrence Livermore National Laboratory, 13 Jun 2022, via ACM TechNews, 15 Jun 2022

Researchers at the U.S. Department of Energy's Lawrence Livermore National Laboratory (LLNL) have developed E-Stablecoin, a physics-based cryptocurrency that connects electrical energy with blockchain technology. LLNL's Maxwell Murialdo and Jon Belof said the energy-information link supports the generation of a cryptocurrency token directly backed by and convertible into one kilowatt-hour of electricity, making E-Stablecoin the first digital token to be collateralized by a physical asset. Said Belof, "Through thermodynamic reversibility—to the extent that it is allowed by a modern understanding of statistical mechanics—we envision a future blockchain that is not only rooted in real-life assets like energy usage, but also is a more responsible steward of our natural resources in support of the economy."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ec97x2345b0x070443&

[Tom Berson's reaction to this item was helpful: I was surprised to be told that a kWh of electricity is a physical asset. It is 3.6 megajoules of energy. I suppose it is convertible to mass by Einstein's equation. I was also surprised that the cost of generating a kWh is somehow stable. These cryptocurrency folk will stop at nothing. TB]

[What could possibly go wrong? We need more stewards who are actually responsible, but today's stewards are running everything into the ground, particularly with respect to climate change. How much energy is wasted in trying to make this link? Also, we may need a Skewered Steward to assuredly pin the blockchain to statistical mechanics. We may also need an E-Stable to house the blockchained E-horses that E-touts are betting will win the race (overseen by trusted racing E-stewards) for the best and most stable cryptocurrency, once they are let free from their blockchains and converted to real-world constraints.

But this LLNL item seems seriously overhyped, way beyond the inherent limitations of already overhyped cryptocurrencies. Hyperbolic in the over-the-top sense, or on a nonconverging infinite hyperbolic geometry curve? PGN]
Excerpt from CRYPTO-GRAM, 15 Jun 2022 https://www.schneier.com/crypto-gram/
Bruce Schneier, Fellow and Lecturer, Harvard Kennedy School
schneier@schneier.com, https://www.schneier.com

NSA says there are no known flaws in NIST's quantum-resistant algorithms
16 May 2022
https://www.schneier.com/blog/archives/2022/05/the-nsa-says-that-there-are-no-known-flaws-in-nists-quantum-resistant-algorithms.html

Rob Joyce, the director of cybersecurity at the NSA, said so in an interview:
https://www.bloomberg.com/news/articles/2022-05-13/nsa-says-no-backdoor-in-new-encryption-scheme-for-us-tech

“The NSA already has classified quantum-resistant algorithms of its own that it developed over many years. But it didn't enter any of its own in the contest. However, the agency's mathematicians worked with NIST to support the process, trying to crack the algorithms in order to test their merit.

“Those candidate algorithms that NIST is running the competitions on all appear strong, secure, and what we need for quantum resistance. We've worked against all of them to make sure they are solid. The purpose of the open public international scrutiny of the separate NIST algorithms is to build trust and confidence.”

I believe him. This is what the NSA did with NIST's candidate algorithms for AES and then for SHA-3. NIST's Post-Quantum Cryptography Standardization Process looks good.
<https://csrc.nist.gov/Projects/post-quantum-cryptography/post-quantum-cryptography-standardization>

I still worry about the long-term security of the submissions, though. In 2018 in an essay titled Cryptography After the Aliens Land <https://www.schneier.com/essays/archives/2018/09/cryptography_after_t.html> I wrote:

...there is always the possibility that those algorithms will fall to aliens with better quantum techniques. I am less worried about symmetric cryptography (where Grover's algorithm is basically an upper limit on quantum improvements) than I am about public-key algorithms based on number theory, which feel more fragile. It's possible that quantum computers will someday break all of them, even those that today are quantum resistant. It took us a couple of decades to fully understand von Neumann computer architecture. I'm sure it will take years of working with a functional quantum computer to fully understand the limits of that architecture. And some things that we think of as computationally hard today will turn out not to be.

EDITED TO ADD (6/14): Since I wrote this, flaws were found in at least four candidates.
<https://english.elpais.com/science-tech/2022-03-24/using-just-a-laptop-an-encryption-code-designed-to-prevent-a-quantum-computer-attack-was-cracked-in-just-53-hours.html>
<https://www.idquantique.com/new-vulnerability-threatens-three-finalists-nist-pqc-contest/>
My email load is now significantly people asking me about the "Sentient Google AI" story. I have boilerplate now to explain in lay terms why there's no sentience involved, but it's clear that corporate comms around AI in general leave much to be desired. -L
After reading about the M1 speculation issue in ARM (RISKS-33.28) I was reminded I had read something similar previously. My recollection was wrong, but it did eventually get to a point.

https://www.hertzbleed.com/ demonstrated a side channel attack against most popular x86 chips. I don't specialize in chipsets, and tend towards having to believe when I ask the silicon for (1 | 0) it will almost never answer 2, or give my private key to someone strolling by.

Seems like the industry was already aware there were some side channel issues in DVFS, as CLKSCREW demonstrated as early as 2017.
https://www.bleepingcomputer.com/news/security/clkscrew-attack-can-hack-modern-chipsets-via-their-power-management-features/

So is Hertzbleed new? I'd ask my computer but it seems to be saying "We've been trying to reach you about your auto warranty."
https://themarkup.org/pixel-hunt/2022/06/16/facebook-is-receiving-sensitive-medical-information-from-hospital-websites
https://www.theverge.com/2022/6/15/23168887/facebook-discovery-engine-redesign-tiktok What could go wrong?
[via Lauren Weinstein's Network Neutrality Squad distribution]

EU top telecom regulator BEREC just issued new net neutrality guidelines <https://berec.europa.eu/eng/document_register/subject_matter/berec/regulatory_best_practices/guidelines/10280-berec-guidelines-on-the-implementation-of-the-open-internet-regulation> that ban zero-rating plans that exempt specific apps or categories of apps from people's monthly data caps. This is a big deal. The decision revolutionizes the treatment of zero-rating in Europe and affects millions of Europeans. I haven't seen a lot of reporting yet, so thought I would share. Links to two blog posts and two Twitter threads below.

As I explain here <https://cyberlaw.stanford.edu/blog/2022/06/european-regulators-just-stopped-facebook-google-and-big-telecoms-net-neutrality>, the new guidelines are a huge win for Europeans and for the open Internet, and for the consumer groups, civil society groups, and academics that have fought so long for these changes.

The new guidelines respond to three 2021 decisions by Europe's top court, which had found that discriminatory zero-rating violates Europe's net neutrality law. Big carriers & platforms such as Facebook & Google had pressured BEREC to ignore the rulings or interpret them narrowly. That's not surprising. Discriminatory zero-rating plans disproportionately benefited big platforms like Apple, Google & Facebook, while small companies & European startups were left out.

Following the recommendation of ETNO, the large telecom companies' trade association, BEREC's earlier draft guidelines had not clearly prohibited three kinds of harmful zero-rating practices, including carriers zero-rating their own apps & requiring apps to pay for zero-rating. That was a problem because: (1) in the past carriers have only stopped bad practices when they were unequivocally prohibited; and (2) these practices are even more harmful than the ones that were clearly prohibited.

The new net neutrality guidelines close this loophole. They unequivocally prohibit all zero-rating offers that exempt select apps or categories of apps from people's monthly data caps. The ban applies whether the app pays to be included or not. (See the quote from para. 40b below.) BEREC also rejected all other attempts by the large telecom companies to water down the draft guidelines. (For details, see BEREC's report on the outcome of the consultation <https://berec.europa.eu/eng/document_register/subject_matter/berec/reports/10278-report-on-the-outcome-of-public-consultation-on-the-update-to-the-berec-guidelines-on-the-implementation-of-the-open-internet-regulation>.)

Read more:

More on the new guidelines (also copied below):
https://cyberlaw.stanford.edu/blog/2022/06/european-regulators-just-stopped-facebook-google-and-big-telecoms-net-neutrality

How we got here and why it matters:
https://cyberlaw.stanford.edu/blog/2022/05/facebook-google-big-telecoms-want-keep-violating-net-neutrality-europe-regulators

Two Twitter threads:
https://twitter.com/vanschewick/status/1537046411186798598 (on the new guidelines and why they matter)
https://twitter.com/vanschewick/status/1537181737582665729 (how BEREC closed the loopholes in the draft guidelines despite intense pressure by large carriers and platforms)

European Regulators Just Stopped Facebook, Google and Big Telecoms' Net Neutrality Violations
By Barbara van Schewick on June 15, 2022 <https://cyberlaw.stanford.edu/about/people/barbara-van-schewick>
URL: https://cyberlaw.stanford.edu/blog/2022/06/european-regulators-just-stopped-facebook-google-and-big-telecoms-net-neutrality

On Wednesday, European top telecom regulator BEREC, which consists of the national telecom regulators from across the EU, published its revised net neutrality guidelines <https://berec.europa.eu/eng/document_register/subject_matter/berec/regulatory_best_practices/guidelines/10280-berec-guidelines-on-the-implementation-of-the-open-internet-regulation>. The guidelines now prohibit broadband providers' zero-rating offers that benefit select apps or categories of apps, whether they do so for free or require apps to pay to be included.

Zero-rating is a practice where a carrier does not count some online activity against a customer's monthly data cap. For example, many European carriers offer plans that don't count the data you use on Facebook or WhatsApp against your data cap. BEREC's previous net neutrality guidelines did not categorically ban selective zero-rating programs or category-based ones that, e.g., offer to zero-rate all music or video apps. So carriers across the EU took advantage and collectively launched hundreds of zero-rating programs <https://epicenter.works/document/1522>. These often exempted the carriers' own services and disproportionately benefited big platforms <https://cyberlaw.stanford.edu/blog/2022/05/facebook-google-big-telecoms-want-keep-violating-net-neutrality-europe-regulators> like Apple, Google, and Facebook, while small companies and European startups were left out. BEREC has now banned those.

Here is my statement:

"BEREC's new net neutrality guidelines are a great win for Europeans who will get more data to use as they choose, and they give a big, much-needed boost to online competition. Despite intense lobbying from big carriers and giant platforms, BEREC voted to clearly ban zero-rating offers that benefit select apps or categories of apps by exempting them from people's monthly data caps. The ban applies whether the app pays to be included or not, closing a loophole in the draft guidelines <https://cyberlaw.stanford.edu/blog/2022/05/facebook-google-big-telecoms-want-keep-violating-net-neutrality-europe-regulators>. This is good news for Internet users.

When harmful zero-rating plans are banned, users get much more data for the same price. Carriers are no longer able to limit how people can use their data or push them to use apps from the dominant platforms. We just saw this in Germany. After the German regulator banned <https://www.bundesnetzagentur.de/SharedDocs/Pressemitteilungen/EN/2022/20220228_streaming.html> Deutsche Telekom's and Vodafone's discriminatory zero-rating plans, Vodafone gave affected customers up to 25% more data for the same price <https://www.computerbild.de/artikel/cb-News-Handy-Vodafone-GigaMobil-Tarife-32649151.html>. Earlier this month, Deutsche Telekom boosted some affected customers' monthly data volume from 24GB to 40GB for the same price <https://www.teltarif.de/telekom-tarife/news/88362.html>. Additionally, smaller apps and websites no longer have to fight to be included in these kinds of zero-rating plans and can compete with the giant platforms on an equal footing.

BEREC revised its guidelines after the European Court of Justice held <https://curia.europa.eu/jcms/upload/docs/application/pdf/2021-09/cp210145en.pdf> in September 2021 that discriminatory zero-rating plans violated net neutrality. The court ruled that such plans violated the net neutrality law's requirement to treat all data equally, and that it did not matter whether the different treatment was technical, such as a fast lane, or economic, like selective zero-rating.

The guidelines wisely allow carriers to offer non-discriminatory zero-rating programs that treat all data the same. Your carrier can still not count data usage against your cap at certain times of day or as a promotion; it just can't force you to use that data on a specific site. Carriers in other countries that have banned discriminatory zero-rating have innovated <https://cyberlaw.stanford.edu/blog/2022/05/facebook-google-big-telecoms-want-keep-violating-net-neutrality-europe-regulators> with offers such as unmetered data from midnight to 6 a.m. or letting users choose hours per month where their data usage is uncounted <https://www.fido.ca/why-fido/extra-data>. I expect that carriers across the EU will soon end their discriminatory zero-rating plans and offer customers of those plans significantly more data for the same price."

Barbara van Schewick is one of the world's leading experts on net neutrality, a professor at Stanford Law School, and the director of Stanford Law School's Center for Internet and Society.

Background:

* You can read more on how we got here and why it matters in my earlier blog post: Facebook, Google & Big Telecoms Want To Keep Violating Net Neutrality In Europe. Regulators Should Stop Them. <https://cyberlaw.stanford.edu/blog/2022/05/facebook-google-big-telecoms-want-keep-violating-net-neutrality-europe-regulators>
* BEREC's report on its decision <https://berec.europa.eu/eng/document_register/subject_matter/berec/reports/10278-report-on-the-outcome-of-public-consultation-on-the-update-to-the-berec-guidelines-on-the-implementation-of-the-open-internet-regulation>.
* BEREC's new guidelines <https://berec.europa.eu/eng/document_register/subject_matter/berec/regulatory_best_practices/guidelines/10280-berec-guidelines-on-the-implementation-of-the-open-internet-regulation> (Para. 40b. "BEREC considers any differentiated pricing practices which are not application-agnostic to be inadmissible for IAS offers, such as applying a zero price to ISPs' own applications or CAPs subsidizing their own data.")

Barbara van Schewick, M. Elizabeth Magill Professor of Law
Professor, by Courtesy, of Electrical Engineering
Director, Center for Internet and Society, Stanford Law School
Author of "Internet Architecture and Innovation," MIT Press 2010
URL: http://cyberlaw.stanford.edu/about/people/barbara-van-schewick
Twitter: @vanschewick <https://twitter.com/vanschewick>
E-Mail: schewick@stanford.edu
Phone: 650-723 8340
https://www.cbc.ca/news/politics/privacy-bill-artificial-intelligence-1.6490665 The federal Liberals plan to introduce privacy legislation today to give Canadians more control over their personal data and introduce new rules for the use of artificial intelligence. The bill, to be presented by Innovation Minister Francois-Philippe Champagne, aims to fulfill his mandate to advance the federal digital charter, strengthen privacy protections for consumers and provide clear rules for fair competition in the online marketplace. The digital charter spells out 10 principles that range from ensuring control over information to meaningful penalties for misuse of data.
Java is a popular middleware/backend programming language. It does not include a native library for SSH. This drives developers who use secure file transfer like sftp or scp to use a library to provide this function. There are only 3 main libraries for this available to the general public: jSCH, Jscape, and MINA.
http://www.jcraft.com/jsch/
https://files.jscape.com/sshfactory/docs/javadoc/overview-summary.html
https://mina.apache.org/

MINA is not well accepted, and Jscape has recently undergone an acquisition and now has a burdensome license, driving users away from that project. jSCH is the direction most developers end up taking. This is evident in Apache's own file transfer library, vfs2. It does not use MINA as an SSH client; it links to jSCH.
https://commons.apache.org/proper/commons-vfs/commons-vfs2/dependencies.html

Jcraft's implementation of jSCH was written for Java 1.2 and has seen few updates since. The last release was 4 years ago. I believe this represents the existence of a widely distributed, but either abandoned, or poorly supported library that is in wide use for critical middleware/backend systems. There is a chance that this software is just abnormally stable, but I have yet to find any such indications with the associated projects. Per EO 14028, this software may meet the definition for "critical to trust".
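The practical question the item above raises is whether your own build pulls in jsch, directly or through something like commons-vfs2. The following is an added example, not code from jsch, Apache or any project named above; it assumes the text layout printed by `mvn dependency:tree` and uses a constructed sample tree with placeholder versions and a placeholder last-release date.

```python
"""Find how a Java build pulls in the jsch SSH library.

Added example, not code from any project named above. It assumes the
text format printed by `mvn dependency:tree`: one artifact per line,
nested three characters deeper per level with "+- " / "\\- " connectors
and "|  " fillers, coordinates as groupId:artifactId:packaging:version:scope.
"""
import re
from datetime import date

# Constructed sample in the style of `mvn dependency:tree`. Versions are
# placeholders; only the coordinates (com.jcraft:jsch, commons-vfs2,
# Apache MINA's sshd-core, commons-logging) are real artifact names.
SAMPLE_TREE = """\
com.example:backend:jar:1.0.0
+- org.apache.commons:commons-vfs2:jar:X.Y.Z:compile
|  +- com.jcraft:jsch:jar:X.Y.Z:compile
|  \\- commons-logging:commons-logging:jar:X.Y.Z:compile
+- org.apache.sshd:sshd-core:jar:X.Y.Z:compile
\\- com.jcraft:jsch:jar:X.Y.Z:compile
"""

# Placeholder dates: the text above only says the last jsch release was
# "4 years ago" as of June 2022, so these are assumptions, not facts.
LAST_RELEASE_PLACEHOLDER = date(2018, 6, 1)
AS_OF = date(2022, 6, 17)

JSCH = "com.jcraft:jsch"

# Leading tree-drawing characters, then group:artifact, then the rest.
LINE_RE = re.compile(r"^([ |+\\-]*)([^\s:]+:[^\s:]+)(?::\S*)?$")


def dependency_paths(tree_text, target_ga):
    """Return every root-to-target path as a list of group:artifact ids."""
    paths, stack = [], []
    for line in tree_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        prefix, ga = m.groups()
        depth = len(prefix) // 3          # three characters per nesting level
        del stack[depth:]                 # pop back to this node's parent
        stack.append(ga)
        if ga == target_ga:
            paths.append(list(stack))
    return paths


def years_unmaintained(last_release, as_of):
    """Whole years since the library's last release, as of a given date."""
    return (as_of - last_release).days // 365


def report(tree_text, last_release, as_of, target_ga=JSCH):
    """One finding per path: 'direct' when the root project declares the
    library itself, otherwise the artifact that drags it in."""
    findings = []
    for path in dependency_paths(tree_text, target_ga):
        via = "direct" if len(path) == 2 else "via " + path[-2]
        findings.append({"target": target_ga, "via": via,
                         "years_unmaintained": years_unmaintained(last_release, as_of)})
    return findings


if __name__ == "__main__":
    for finding in report(SAMPLE_TREE, LAST_RELEASE_PLACEHOLDER, AS_OF):
        print(finding)
```

Run it against the real output of `mvn dependency:tree` for a project and it lists each route by which jsch enters the build, which is the inventory an EO 14028 "critical software" review starts from.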
The trouble is that since deregulation, stock values are decoupled from the true value of companies. Many companies made more money out of trading their stocks than of actual production. Companies are no longer committed to their product, not even committed to their customers, but only committed to their shareholders; and in this environment, those shareholders expect to get ever increasing returns on their investments, or else they take their money elsewhere. The result is that IBM is no longer a computer company, and Ford is no longer a car company; both are stock traders who use computers or cars as an excuse. It's difficult to make any improvement on production (or produce anything at all) in such an environment.
The long-term view of climate and other finite resource problems is that overpopulation is the root cause. The green/brown behavior of the populace is secondary. Banning fossil fuels results from short-term thinking. Population reduction is the only possible long-term solution.
The trouble is, for politicians "long term planning" means this evening's 8pm TV news.
I think this is not at all the best example of problems with outsourcing. The costs of developing new process technology are huge. Developing leading edge process technology is very difficult; look at the example of Intel, which has fallen behind. With the exceptions of Samsung and Intel, most companies do not have the resources to be able to develop new process technology in a timely fashion, if at all. No doubt, it should have been obvious that putting most of the high end fabs on an island that is not that geologically stable and is subject to political disputes was not the best idea.
Variations on a Theme!!!

Microsoft is in the news for allowing users to query internal coordination software, as noted in RISKS-33.28.
https://orca.security/resources/blog/synlapse-critical-azure-synapse-analytics-service-vulnerability/

Root cause? According to NIST:
https://nvd.nist.gov/vuln/detail/CVE-2022-29972
"Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')"

I guess that Microsoft is probably a little salty about that.
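The weakness class NIST names above (CWE-88) is easy to reproduce in miniature. What follows is an added example, not Microsoft's code and not a reproduction of the Synapse bug: a hypothetical "archive-tool" parser shows how an untrusted value becomes an option when it is glued into a command string or passed where an option can appear, and how the usual fix (an argv list plus a `--` separator) neutralizes it.

```python
"""Argument injection (CWE-88) in miniature: an untrusted value placed
next to a command is reinterpreted as an option.

Added example; the "archive-tool" parser is hypothetical and stands in
for any CLI with a dangerous flag, not for any real Azure component.
"""
import argparse
import shlex


def make_parser():
    """Hypothetical tool: positional targets plus a destructive option."""
    p = argparse.ArgumentParser(prog="archive-tool", add_help=False)
    p.add_argument("--delete-after", action="store_true")
    p.add_argument("targets", nargs="*")
    return p


def run(argv):
    """Parse argv exactly as the tool would; return (delete_after, targets)."""
    ns = make_parser().parse_args(argv)
    return ns.delete_after, ns.targets


def argv_from_shell_string(user_value):
    """Weak form 1: the value is concatenated into a command string, so
    the shell's whitespace delimiter splits it into extra arguments.
    shlex.split reproduces the shell's tokenizing without spawning one."""
    return shlex.split("archive-tool " + user_value)[1:]


def argv_unsafe_list(user_values):
    """Weak form 2: an argv list avoids the shell, but a value that starts
    with '-' still lands where the parser expects an option."""
    return list(user_values)


def argv_hardened(user_values):
    """Fix: argv list (no shell) and a '--' delimiter before every
    user-controlled value, so the parser treats them all as positional."""
    return ["--"] + list(user_values)


if __name__ == "__main__":
    # Constructed attacker-style inputs, shown only to contrast the outcomes.
    print("shell string:", run(argv_from_shell_string("report.txt --delete-after")))
    print("bare list:   ", run(argv_unsafe_list(["--delete-after"])))
    print("hardened:    ", run(argv_hardened(["--delete-after"])))
```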