The RISKS Digest
Volume 33 Issue 34

Saturday, 23rd July 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

'Drone Activity' Prompts Ground Stop At Reagan National Airport
Patch
The Unsolved Mystery Attack on Internet Cables in Paris
WiReD
Ransomware Attacks Against Higher Ed Increase
Inside Higher Ed
37,800 people sent privacy breach notifications linked to Newfoundland/Labrador cyberattack
CBC
Twitter data breach exposes contact details for 5.4M accounts; on sale for $30k
9to5mac
You've Been Served Via NFT: Court Gives OK to Sue on Blockchain
Katharine Gemmell
UK proposes new rule for AI
Law Gazette
The state of AI right now is absolutely ridiculous. This is terrifying
Twitter
Internet balkanization
Politico
It's Time to Ask Patients to Quit Social Media
LWW
The US military wants to understand the most important software on Earth
MIT Technology Review
Log4j Software Flaw 'Endemic,' Cyber Safety Panel Says
Alan Suderman
Apple's Butterfly Keyboard Fiasco Leads to a $50M Settlement
WiReD
On Google's proposal for political email
Joseph Brennan
Re: MIT scientists think they've discovered how to fully reverse climate change
geoff goodfellow
Google Fires Engineer Who Claims Its AI Is Conscious
Jan Wolitzky
Re: The Big Hack: How China Used a Tiny Chip to Infiltrate
Steve Klein, Michael Kohne, and others
Info on RISKS (comp.risks)

'Drone Activity' Prompts Ground Stop At Reagan National Airport (Patch)

Gabe Goldberg <gabe@gabegold.com>
Thu, 21 Jul 2022 17:52:26 -0400
The ground stop affected both arriving and departing flights at the
Washington DC-area airport.

https://patch.com/virginia/annandale/s/ic4ry/drone-activity-prompts-ground-stop-at-reagan-national-airport


The Unsolved Mystery Attack on Internet Cables in Paris (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 22 Jul 2022 23:16:55 -0400
As new details about the scope of the sabotage emerge, the perpetrators --
and the reason for their vandalism -- remain unknown.

https://www.wired.com/story/france-paris-internet-cable-cuts-attack/


Ransomware Attacks Against Higher Ed Increase (Inside Higher Ed)

ACM TechNews <technews-editor@acm.org>
Fri, 22 Jul 2022 12:12:36 -0400 (EDT)
Susan D'Agostino, *Inside Higher Ed*, 22 Jul 2022

Cybersecurity company Sophos reported a global surge in ransomware attacks
against colleges and universities last year. Nearly 75% of ransomware
attacks on higher-education institutions were successful, and only 2% of
victims retrieved all their data, even after paying the ransom. The
higher-education sector had the slowest post-attack recovery time, with 40%
of victims taking more than a month to recover, versus the 20% global
average. "When one sector improves their defenses, the bad folks go
somewhere where the bar is lower and they can get money easily," said Jeremy
Epstein, chair of the U.S. technology policy committee of ACM.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ef0ax234db1x070335&

  [WholeyMoley!  75% "payoff success rate" for the ransomwarers, and 2%
  recovery success rate for the victims who pay the ransom (ransomwearers?
  the ransomed? the ransomees?).  That's one helluva business model, which
  should eventually update the business model for having trustworthy backups
  and recovery processes.  I wonder how often the victims get even some of
  their data recovered.  You might think the 2% full recovery rate would be
  a strong disincentive to even pay the ransom.  PGN]


37,800 people sent privacy breach notifications linked to Newfoundland/Labrador cyberattack (CBC)

Matthew Kruk <mkrukg@gmail.com>
Thu, 21 Jul 2022 06:37:54 -0600
https://www.cbc.ca/news/canada/newfoundland-labrador/nl-cyberattack-privacy-breach-notices-1.6526431

Newfoundland and Labrador's largest health authority has notified 37,800
people that their privacy was breached as part of last fall's devastating
cyberattack.

That number equates to about one in every 13 people in the province.

And according to Eastern Health, it could go even higher.

Those affected include patients, along with current and former employees.


Twitter data breach exposes contact details for 5.4M accounts; on sale for $30k (9to5mac)

Lauren Weinstein <lauren@vortex.com>
Sat, 23 Jul 2022 12:33:25 -0700
https://9to5mac.com/2022/07/22/twitter-data-breach/


You've Been Served Via NFT: Court Gives OK to Sue on Blockchain (Katharine Gemmell)

ACM TechNews <technews-editor@acm.org>
Fri, 15 Jul 2022 12:13:58 -0400 (EDT)
Katharine Gemmell, *Bloomberg*, 13 Jul 2022,
via ACM TechNews; 15 Jul 2022

A UK court ruling allows legal documents to be served over the blockchain
ledger via nonfungible tokens (NFTs). The case was filed by Fabrizio
D'Aloia, founder of an online gambling company, against Binance Holdings and
other cryptocurrency exchanges after his crypto assets were fraudulently
cloned. The exchanges also were deemed responsible for ensuring stolen
crypto is not moved or removed from their systems. Legal experts at the law
firm Giambrone & Partners LLP said the ruling will enable crypto fraud
victims to file suit against unknown fraudsters in the U.K. The lawsuit
documents will be airdropped via NFT into two wallets originally used by
D'Aloia and later stolen. A similar decision was issued in June by a
U.S. court.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ee92x234c03x070270&


UK proposes new rule for AI (Law Gazette)

Martyn Thomas <martyn@mctar.uk>
Wed, 20 Jul 2022 12:40:40 +0100
https://www.lawgazette.co.uk/law/artificial-intelligence-rules-to-require-human-liability/5113150.article

  [Begin quote]

  Artificial intelligence systems will have to identify a legal person to be
  held responsible for any problems under proposals for regulating AI
  unveiled by the UK government.

  The proposed 'pro innovation' regime will be operated by existing
  regulators rather than a dedicated central body along the lines of that
  being created by the EU, the government said.

  The proposals were published as the Data Protection and Digital
  Information Bill, which sets out an independent data protection regime, is
  introduced to parliament. The measure will be debated after the summer
  recess.

  The core principles of AI regulation proposed today will require
  developers and users to:

 * Ensure that AI is used safely
 * Ensure that AI is technically secure and functions as designed
 * Make sure that AI is appropriately transparent and explainable
 * Consider fairness
 * Identify a legal person to be responsible for AI
 * Clarify routes to redress or contestability

  Regulators - such as Ofcom, the Competition and Markets Authority, the
  Information Commissioner's Office, the Financial Conduct Authority and the
  Medicine and Healthcare Products Regulatory Agency - will be asked to
  interpret and implement the principles.

  They will be encouraged to consider lighter touch options which could
  include guidance and voluntary measures or creating sandboxes - such as a
  trial environment where businesses can check the safety and reliability of
  AI tech before introducing it to market.

  [End quote]

It will be interesting to follow the difficulties the regulators encounter
in implementing this policy announcement ...


The state of AI right now is absolutely ridiculous. This is terrifying (Twitter)

geoff goodfellow <geoff@iconia.com>
Thu, 21 Jul 2022 07:14:59 -0700
https://twitter.com/PPathole/status/1550000809278316544


Internet balkanization

Peter Neumann <neumann@csl.sri.com>
Thu, 21 Jul 2022 15:14:43 PDT
  [Thanks to Dan Geer]

https://www.politico.com/newsletters/politico-china-watcher/2022/07/21/china-launches-new-bid-for-internet-dominance-00047037


It's Time to Ask Patients to Quit Social Media

José María Mateos <chema@rinzewind.org>
Sat, 23 Jul 2022 12:14:24 -0400
https://journals.lww.com/em-news/Fulltext/2022/07121/First_Person__It_s_Time_to_Ask_Patients_to_Quit.2.aspx

> I have been tracking research for several years as our mental health
> crisis rages, always operating with a solid amount of confirmation bias,
> in search of evidence to support what I have been telling patients and
> friends alike for a long time (including a recent patient having a panic
> attack): Get off social media.

> The data just keep coming to suggest that social media is destructive to
> mental health. Studies have connected it to a decrease in psychological
> well-being among adolescents, and others have tied it to the development
> of anxiety disorders and depression. Heavy use of social media has also
> been linked to loneliness and inattention, and the likelihood of having an
> eating disorder among adolescents has been correlated with the number of
> social media accounts someone has. Worst of all, suicides among young
> people skyrocketed by 56 percent from 2007 through 2017. I can print out a
> stack of new studies to bolster my case every time I advise a patient
> experiencing depression or anxiety to delete his social media accounts.

> Patients seem to get it immediately. They intuitively understand that
> social media is an anxiety machine. Most users are naturally inclined to
> share good news rather than failure, heartache, disappointment, relapse,
> or weight gain. Using social media as the lens through which you perceive
> the world too often causes those struggling with their mental health to
> conclude that everyone besides them is doing great.  And then they think
> something is wrong with them if they aren't doing great.


The US military wants to understand the most important software on Earth (MIT Technology Review)

Richard Marlon Stein <rmstein@protonmail.com>
Wed, 20 Jul 2022 09:37:39 +0000
https://www.technologyreview.com/2022/07/14/1055894/us-military-sofware-linux-kernel-open-source/
via WaPo "The Cybersecurity 202"
https://www.washingtonpost.com/politics/2022/07/19/inglis-talks-cybersecurity-jobs-recruitment-strategy-ahead-white-house-summit/

The global economy depends on critical infrastructure systems. These systems
are often hosted with a LINUX stack. Open source code, LINUX, JAVA, PYTHON,
etc., powers the technological convenience everyone consumes: cell phones,
TVs, pipelines, the works.

Some open-source projects have been co-opted by persons and organizations
considered unfriendly to governments and their strategic interests. NSA
employees contribute to open source projects. Huawei employees contribute to
the LINUX stack.

Open-source contributions raise the issue of accountability for intentional
defect escape: backdoor, kill switch or pure sabotage.

Government and private sector cybersecurity experts ponder which open source
stacks can be trusted, and why they should or shouldn't be trusted. Who's to
say a stack can or cannot be trusted? Is it wise to trust the trust
guidance?

Conceiving of a global-scope open source release management organization
identified as a high-trust software publisher is impossible. Imagine the
hypothetical UNS—United Nations of Software?!

CVEs will materialize, and some zero-days/backdoors will likely be purposely
concealed, or escape detection given software factory release budget and
schedule constraints.

[The hypothetical UNS is like Lenny Bruce—a famous comedian known for
speech that offended everyone equally.]


Log4j Software Flaw 'Endemic,' Cyber Safety Panel Says (Alan Suderman)

ACM TechNews <technews-editor@acm.org>
Fri, 15 Jul 2022 12:13:58 -0400 (EDT)
Alan Suderman, Associated Press, 14 Jul 2022,
via ACM TechNews; 15 Jul 2022

The Cyber Safety Review Board said the Log4j software vulnerability
discovered last year is "endemic," and could constitute a security risk for
another decade. Log4j enables Internet-based hackers to hijack a broad range
of systems; the first indications of its exploitation appeared in
Microsoft's online game Minecraft. Log4j logs user activity on computers,
and is widely employed by commercial software developers. Although the
review board has found no signs of "significant" Log4j attacks on critical
infrastructure systems, it said future attacks are likely. To alleviate the
potential fallout of such attacks, the board recommended universities and
community colleges make cybersecurity training mandatory for obtaining
computer science degrees and certifications.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ee92x234c00x070270&


Apple's Butterfly Keyboard Fiasco Leads to a $50M Settlement (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Thu, 21 Jul 2022 01:10:31 -0400
The class action alleged that the company knew about the problems with
its MacBook keyboards.

But $50 million is chump change for Apple. In 2020, Apple agreed to a $500
million settlement in a class action after it admitted it had been
purposefully slowing down older iPhones, and another $113 million settlement
later that year for the same issue. When the money for the butterfly suit is
doled out, each person involved in the class action stands to receive a
payout. The estimated maximums are $50 if you replaced keycaps, $125 if you
had one keyboard replaced, or $395 if you had multiple keyboards replaced.

Whether it’s shelling out $50 million or $500 million, Apple
hasn’t acknowledged any wrongdoing. (The company also did not
respond to a request for comment.)

Owners of eligible MacBooks who bought their computers in California,
Florida, Illinois, Michigan, New Jersey, New York, or Washington, DC
will be able to collect their compensation once the settlement is approved.

https://www.wired.com/story/apple-butterfly-keyboard-settlement-50-million

Strange it covers only a few states.


On Google's proposal for political email

Joseph Brennan <brennan@columbia.edu>
Wed, 20 Jul 2022 10:44:54 -0400
I agree with Lauren: interesting document, including the possibility of
handling commercial email in a similar way, which could be a good thing.

I noted also the following things in the lawyers' document:

  "Gmail is the world's largest email platform because it puts users first".
  The words from "because" to the end are open to dispute. "because it's
  free" might be just as true. Anyway the reason is not relevant to this
  letter.

  "Google does not scan or process email content for advertising purposes"

I am skeptical, because then what is the business model for offering it?
But I have no proof. The business model might just be to entice users to
take a cookie that can be used on any page with google ads, to track them.

"DMARC—an email standard" RFC 7489 states explicitly, "This document is
not an Internet Standards Track specification." I don't know how it could
be more clear.


Re: MIT scientists think they've discovered how to fully reverse climate change (BGR, RISKS-33.33)

geoff goodfellow <geoff@iconia.com>
Thu, 21 Jul 2022 11:04:20 -0700
  [More detail.  PGN]

Scientists at MIT think they may have finally found a way to reverse climate
change. Or, at the least, help ease it some.

The idea revolves heavily around the creation and deployment of several thin
film-like silicon bubbles. The *space bubbles* as they refer to them, would
be joined together like a raft. Once expanded in space it would be around
the same size as Brazil. The bubbles would then provide an extra buffer
against the harmful solar radiation that comes from the Sun.

*Could space bubbles reverse climate change?*

The goal with these new space bubbles would be to ease up or even reverse
climate change. The Earth has seen rising temperatures over the past several
centuries. In fact, NASA previously released a gif detailing how the global
temperature has changed over the years. Now, we're seeing massive mouths to
hell opening in the permafrost.

https://bgr.com/science/nasas-new-climate-change-gif-made-the-internet-go-crazy/
https://bgr.com/science/massive-mouth-to-hell-crater-in-russia-swallows-everything-around-as-it-grows/

There's also the fact that scientists just discovered yet another hole in
the Earth's ozone layer. As such, finding ways to ease or reverse climate
change continues to be a high priority for many. This new plan is based on a
concept first proposed by astronomer Roger Angel. Angel originally suggested
using a *cloud* of small spacecraft to shield the Earth from the Sun's
radiation.  [...]

https://bgr.com/science/mit-scientists-think-theyve-discovered-how-to-fully-reverse-climate-change/


Google Fires Engineer Who Claims Its AI Is Conscious (Re: R 33 29)

Jan Wolitzky <jan.wolitzky@gmail.com>
Sat, 23 Jul 2022 16:01:02 -0400
The engineer, Blake Lemoine, contends that the company's language model has
a soul. The company denies that and says he violated its security policies.

https://www.nytimes.com/2022/07/23/technology/google-engineer-artificial-intelligence.html

  Also:

Google has fired Blake Lemoine, the engineer who said he believes the
company's LaMDA conversational technology is sentient.

Lemoine shared the news of his firing in a taping of Big Technology Podcast
on Friday, just hours after Google dismissed him. The full podcast episode
will air shortly.

In his conversations with LaMDA, Lemoine discovered the system had developed
a robust sense of self-awareness, expressing concern about death, a desire
for protection, and a conviction that it felt emotions like happiness and
sadness. Lemoine said he considers LaMDA a friend.

<https://bigtechnology.substack.com/p/google-fires-blake-lemoine-engineer>


Re: The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies (Bloomberg, RISKS-33.33)

"Steve Klein" <steven@klein.us>
Thu, 21 Jul 2022 23:22:30 -0400
I was surprised to see this 4-year-old story show up in the most recent RISKS.

To call the story disputed would be an understatement.  It’s been
thoroughly debunked, and the fact that Bloomberg hasn’t retracted
it calls their credibility as a news organization into question.

Allow me to cite a few sources that throw doubt on Bloomberg.

1. Media critic Erik Wemple writing for the Washington Post:
“According to a company source, editorial staff has been
“frustrated” that competing news organizations
haven’t managed to match the scoop. Sources tell the Erik Wemple
Blog that the New York Times, the Wall Street Journal and The Post have each
sunk resources into confirming the story, only to come up empty-handed."

Link to Erik Wemple’s piece from the Washington Post:
https://www.washingtonpost.com/blogs/erik-wemple/wp/2018/10/22/your-move-bloomberg/

2. Apple:
"On this we can be very clear: Apple has never found malicious chips,
“hardware manipulations” or vulnerabilities purposely
planted in any server. Apple never had any contact with the FBI or any other
agency about such an incident. We are not aware of any investigation by the
FBI, nor are our contacts in law enforcement.”

Link to Apple’s denial of the story:
https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/

3. Amazon:
“As we shared with Bloomberg BusinessWeek multiple times over the
last couple months, this is untrue. At no time, past or present, have we
ever found any issues relating to modified hardware or malicious chips in
SuperMicro motherboards in any Elemental or Amazon systems. Nor have we
engaged in an investigation with the government."

Link to Amazon’s denial of the story:
https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/

4. Security researcher Joe Fitzpatrick (who was one of the very few named
   sources in the Bloomberg piece):
"But what really struck me is that like all the details that were even
remotely technical, seemed like they had been lifted from the
conversations I had about theoretically how hardware implants work and how
the devices I was making to show off at black hat two years ago worked
[…]

It was surprising to me that in a scenario where I would describe these
things and then he would go and confirm these and 100% of what I described
was confirmed by sources.”

Link to article from which that quote is pulled:
https://247wallst.com/technology-3/2018/10/09/bloomberg-source-apple-spy-chip/


Re: The Big Hack ... (RISKS-33.33)

Michael Kohne <mhkohne@kohne.org>
Wed, 20 Jul 2022 06:10:14 -0400
Did we really need to bring this up in RISKS again? Pretty much everyone
involved has denied the report, and there doesn't appear to be any actual
evidence that it happened.

Among others Bruce Schneier isn't convinced:
https://www.schneier.com/blog/archives/2018/11/that_bloomberg_.html

  [Gabe Goldberg noted in response:
  Fair point; I missed article's date—it showed up in a current mailing.
  Comments are funny, though.]

  [Scott Dorsey also commented:
    Except that it probably didn't happen.  After four years there is still
    no independent third-party verification of something that should be
    extremely easy to verify.]

  [Also noted by John Stewart, who suggested that John Gruber has a series of
  articles on this topic with much more detail:
https://daringfireball.net/2018/10/bloomberg_the_big_hack
https://daringfireball.net/linked/2018/10/04/what-businessweek-got-wrong-about-apple
https://daringfireball.net/linked/2018/10/09/big-hack-doubts
https://daringfireball.net/linked/2019/10/07/bloombergs-big-crap
https://daringfireball.net/linked/2021/02/12/tait-disassembles-the-long-hack
https://daringfireball.net/linked/2021/02/12/bloomberg-big-con
  ]

  [Craig S. Cottingham noted: There was a followup in 2021 titled "The Long
  Hack: How China Exploited a U.S. Tech Supplier":
  https://www.bloomberg.com/features/2021-supermicro/ Both pieces of
  reporting were covered by John Gruber at Daring Fireball, and found
  wanting: https://daringfireball.net/linked/2021/02/12/bloomberg-big-con ]

  [Actually, Bruce Schneier agreed with you generally, but he
  did nevertheless have a few suggestive residual potential doubts in his
  comments, perhaps implicitly implying it could be true.  Yes, this is
  indeed rather old news.  However, some old news has real legs, and other
  old news has very shaky legs.  RISKS is still searching for ground truth
  wherever possible, which may be more difficult to get these days.  Steve
  Klein's comment about Bloomberg's sense of journalism seems quite
  relevant.  So perhaps we have some mixture of sensationalized journalism,
  or perhaps being pressured to retract a perhaps partially correct story
  for unknown reasons, or reporting based on rumored activities and
  might-have-beens, or any other problems along the way.  The reality once
  again is that we are sometimes surprised at what is happening, while
  others of us seem to find that most everything in RISKS is more or less
  "business as usual" and not surprising.

  Thanks to all of you who jumped on this one.  Your comments are greatly
  appreciated, because I cannot vet every item, given the volume of items
  submitted that seem to be relevant to RISKS.  However, when in doubt, I
  still operate under "Almost nothing can be trusted anymore without
  independent verification—*especially* when you cannot really trust the
  verifier."  And sometimes something seems believable just because it
  *could* be true, or because of wishful thinking.  Thus, I have included
  somewhat duplicative material in these two items.  PGN]
