The RISKS Digest
Volume 33 Issue 47

Friday, 7th October 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

Shut-Off Switch Was Supposed to Prevent 99% of Generator-Related Deaths. It Failed a Family of Three.
TexasTribune
Crash of Air France 447 redux
Jagan Jagannathan
Automatic emergency braking is not great at preventing crashes at normal speeds
The Verge
Chinese supply-chain tampering
Reuters
Nordstream Explosion: Robotic Sabotage from *Inside*?
Henry Baker
The Thorny Problem of Keeping the Internet's Time
David Mills
The Securities and Exchange Commission Obstructs National Security
Ari Schwartz
NY SBOE is buying ES&S barcoding voting machines
Rebecca Mercuri
Conspiracy theories muddy Louisiana voting machine debate
AP item
WashDC Metro system looking for solutions to fare evasion
WashPost
I wouldn't get on that DC-area bus
Gabe Goldberg
Microsoft Exchange 0-Day Attack Threatens 220,000 Servers
Dan Goodin
In the Battle With Robots, Human Workers Are Winning
NYTimes
A data-sharing agreement between the US and UK is now in effect
Engadget
More Bosses Spy on Quiet Quitters. It Could Backfire
WSJ
Canadian ransomware hacker sentenced to 20 years in U.S. prison
CBC
Few Customers Get Refunds for Rampant Zelle Fraud
Senator Warren
Are You a Victim of Crypto Crime? Good Luck Getting Help
WiReD
El_Salvador's Bitcoin Law—one year on, with the World's Coolest Dictator: Attack of the 50-Foot Blockchain
David Gerard
SEC charges Kim Kardashian for allegedly not disclosing crypto promotion payday
WashPost
Sorry, But Your Boss Is Pretty Hyped About Today's Most Annoying Tech Trends
PCMag
Joe Sullivan guilty in Uber hacking case
WashPost
I Make Video Games. I Won't Let My Daughters Play Them.
NYTimes
AI can now create any image in seconds, bringing wonder and danger
WashPost
Rethinking the Computer Chip in the Age of AI
Devorah Fischler
Leading Makers Pledge Not to Weaponize Their Robots
Joe Hernandez
Optus criticized for massive breach
Reuters
Re: Optus' breach exposes 9.8M customers' data
John Colville
Re: Wegmans Discontinues Self-Checkout App, Citing Losses
John Levine
Re: Egypt's submarine cable stranglehold
Amos Shapir
Re: Automakers are ignoring the simple solution to the rise of traffic deaths
Scott Dorsey
Castiglioncello 2022: Nuclear Weapons: New Risks
Diego Latella
Info on RISKS (comp.risks)

Shut-Off Switch Was Supposed to Prevent 99% of Generator-Related Deaths. It Failed a Family of Three. (TexasTribune)

Monty Solomon <monty@roscom.com>
Tue, 4 Oct 2022 09:59:09 -0400
A Shut-Off Switch Was Supposed to Prevent 99% of Generator-Related
Deaths. It Failed a Family of Three.

The generator industry has touted automatic shut-off switches as a
lifesaving fix for carbon monoxide poisoning. But the voluntary standard
falls short of what federal regulators say is necessary to eliminate deaths.

https://www.texastribune.org/2022/09/21/generators-carbon-monoxide-shutoff-switch-texas-cpsc


Crash of Air France 447 redux

Jagan Jagannathan <jagan@ahista.com>
Mon, 3 Oct 2022 07:59:16 -0700
https://admiralcloudberg.medium.com/the-long-way-down-the-crash-of-air-france-flight-447-8a7678c37982


Automatic emergency braking is not great at preventing crashes at normal speeds (The Verge)

Monty Solomon <monty@roscom.com>
Fri, 30 Sep 2022 14:09:16 -0400
https://www.theverge.com/2022/9/29/23377376/automatic-emergency-braking-average-speed-study-aaa


Chinese supply-chain tampering (Reuters)

"Steven J. Greenwald" <greenwald.steve@gmail.com>
Sun, 2 Oct 2022 03:33:35 -0400
Suspected Chinese hackers tampered with widely used software distributed
by a small Canadian customer service company, another example of a "supply
chain compromise" made infamous by the hack on U.S. networking company
SolarWinds.

Via Reuters:
https://www.reuters.com/technology/exclusive-suspected-chinese-hackers-tampered-with-widely-used-canadian-chat-2022-09-30/


Nordstream Explosion: Robotic Sabotage from *Inside*?

Henry Baker <hbaker1@pipeline.com>
Fri, 30 Sep 2022 16:11:15 +0000
An intriguing possibility is that the Nordstream LNG pipelines were
sabotaged by robots *from the inside* !

This type of sabotage would not require submarines (robotic or otherwise),
frogmen, etc., but would only require the ability to insert a modern 'pig'
(inspection robot) into the pipeline from the Russian end controlled by
Gazprom.

This type of sabotage could have been performed during the recent
*maintenance shutdowns* over the past several months, and the explosions
later set off by remote control.

https://www.dw.com/en/denmark-sweden-view-nord-stream-pipeline-leaks-as-deliberate-actions/a-63251217

Denmark, Sweden view Nord Stream pipeline leaks as 'deliberate actions'
27 Sep 2022

Mikhail Krutikhin, an energy analyst from the RusEnergy consultancy, told DW
that initial evidence clearly pointed to sabotage, and said that a key
question going forward would be whether the damage originated inside or
outside the pipe. He said the shape of the damaged segments of pipe should
indicate this.

https://oilprice.com/Energy/Energy-General/Oil-Pipelines-To-Be-Inspected-By-Robots.html


The Thorny Problem of Keeping the Internet's Time (David Mills)

Steve Summit
Mon, 03 Oct 2022 09:59:20 -0400
David Mills, TNY on NTP

https://www.newyorker.com/tech/annals-of-technology/the-thorny-problem-of-keeping-the-internets-time

There are a few bobbles: the author seems a bit confused over whether NTP is
an Internet RFC or a piece of software, and whether NTP is the IETF's only
concern.  *The New Yorker*'s predilection for diereses in English is rather
comically distracting when ritually applied to the phrase "Coordinated
Universal Time".  Nevertheless, it's a nice read, covering both the
technical issues and the people involved, with a particularly touching
portrait of Mills himself.  And the RISKS relevance is the points made --
not for the first time, but not badly -- about the difficulties involved in
placing the maintenance of core protocols, upon which millions of computers
depend, in the decentralized hands of nearly anonymous, unpaid volunteers
who can't always even agree on who's in charge, let alone how the protocols
should evolve.


The Securities and Exchange Commission Obstructs National Security (Ari Schwartz)

<dan@geer.org>
Fri, 30 Sep 2022 09:11:48 -0400
Editorial:

  The Securities and Exchange Commission Obstructs National Security
  Public disclosure of cyber attacks shows weakness to enemies.
  Ari Schwartz, https://www.wsj.com, 29 September 2022

The Securities and Exchange Commission seems to have missed a key principle
of fighting crime: Investigators don't release all the details of an
incident before it's solved because it would make it harder to catch the
criminal. This is true in cybersecurity too.  You don't want hackers to know
they've been discovered or to highlight a company's weakness to other bad
actors. Yet a new rule from the SEC would require public disclosure of an
incident within four days of discovery, even if the hack is still under
investigation and hasn't been remedied.

Those of us who have dealt with actual cyber incidents know that a fix is
unlikely to materialize in four days. These reporting requirements will
place a spotlight on the vulnerability in the hacked company's
cybersecurity, putting the business at greater risk of suffering successive
attacks before the exploited weakness can be fixed.  That comes with a
national security risk too, as nation states often engage in or aid
cyberattacks against companies.  The SEC's new rule will help states cover
their tracks by alerting them to any discovery. And it'll make it easier for
them to find targets by highlighting what businesses are vulnerable and how.

The goal of the SEC's new rule is to inform investors about attacks, which
is a fine idea in principle. Investors should be informed about firms'
cybersecurity risks and sharing information about attacks can help other
businesses optimize their own cyber defenses.  Reporting is important, but
companies should be allowed to resolve an incident before making it public.

Other regulators are racing to require companies to report problems even
faster, creating the possibility of confusion of whom to report to and
when. Following the European Union requirement of three days, Congress has
charged the U.S. Department of Homeland Security to create rules that would
also require reporting within three days of an incident, except for
ransomware payments, which must be reported in one day. The New York State
Department of Financial Services is also asking for a report in three
days. The Office of the Comptroller of the Currency, Board of Governors of
the Federal Reserve System and the Federal Deposit Insurance Corp. have
required notification no later than 36 hours after a banking organization
determines that an incident has occurred. India has skipped a time frame
altogether, requiring immediate reporting to the government.

Unlike the SEC rules, most of these allow for companies to investigate and
remediate the incident. But it would be better if the U.S. agencies worked
together to create common rules that give businesses a reasonable delay
before they report. It would go a long way toward simplifying reporting
standards if they clarified what information needs to be reported and when.

The key is to balance national security with other concerns, including
the investor's right to be informed. This balance can be achieved,
but it will require agencies to look past their own narrow priorities
and put the public interest, including national security, first.

Mr. Schwartz served as special assistant to the president for cybersecurity
policy, 2013-15. He coordinates the Cybersecurity Coalition.


NY SBOE is buying ES&S barcoding voting machines

Rebecca Mercuri <notable@mindspring.com>
Sun, 2 Oct 2022 19:57:04 -0400
Unfortunately, it appears that the New York State Board of Elections has
been convinced (by ES&S and Dominion and others) to purchase new voting
machines that can add votes without the voters' consent. This will be
engineered by the fact that votes will not be counted from the verified
choices that the voters made, rather there will be a barcode (generated by
the voting system) that will be used to tally the results. It doesn't take a
rocket scientist to know that this is a big mistake.

Basically this purchase, if it goes through, will wind back all of the good
work that we [DrM--Rebecca Mercuri, PGN, and Ronnie Dugger] did, with enormous
inspiration from Mae Churchill, when [the first two of us testified for the
NYBoE in 1988] some 3 decades ago. Doug Kellner had spearheaded the effort
to thwart the DRE purchase in NYC when he was on the City board then, and
later, in his position on the State BOE, worked hard to ensure that NY State
regulations provided plenty of checks and balances, including being the ONLY
state in the country that REQUIRES escrow of voting system source code (not
that it'll ever be looked at, but at least they have it). I ran into Doug a
few years ago (pre-COVID) and it seemed that he had grown tired of fighting
the good fight, and these recent procurement decisions appear to be evidence
of that. Hence there are various current protest letters from advocates
(familiar folks who have been also fighting for 30+ years, but haven't given
up) against these new voting systems.

  [This is slightly edited from a private message for RISKS, with
  permission. Among other things, Rebecca seems to have some concerns about
  the letters' use of the term *voter-verifiable*, which was the focus of
  her PhD thesis 21 years ago.  If you are interested in joining in on
  this old battle that never seems to go away, please contact her for more
  information.  PGN]


Conspiracy theories muddy Louisiana voting machine debate (AP item)

Peter G Neumann <neumann@csl.sri.com>
Sat, 1 Oct 2022 11:13:12 -0700
Sara Cline and Christina A. Cassidy, AP, *The Times Picayune*, 14 Aug 2022

  [With thanks to Sevilla Finley]

The need for Louisiana to replace its voting machines dating from 2006 is
not in dispute.  What to do about them is another story.  The machines' main
problem is that votes are recorded electronically without a paper record of
each voter's selections.  However, "The problem in Louisiana is that if
someone were to allege the voting machines had been hacked, there would be
no conclusive evidence to rebut that."  [or even to prove it!]   [PGN-ed]

  [2006 is a very long time, but the situation is continually getting
  worse in many respects.  See my most recent Inside Risks article in
  the Communications of the ACM:
    http://www.csl.sri.com/neumann/cacm252.pdf
  PGN]


WashDC Metro system looking for solutions to fare evasion (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Wed, 5 Oct 2022 16:19:37 -0400
Evasion has proliferated during the pandemic and is a visible reminder to
many riders of revenue Metro is not collecting

The issue has put a spotlight on Metro's recent $70 million replacement of
more than 1,200 fare gates at its 91 stations. The new gates are touch-free,
process mobile payments, display SmarTrip balances and improve Metro's
ability to collect ridership data, but do little to deter evasion of
fares. The gates predate the arrival of Clarke, who acknowledges Metro may
have erred in their design and has asked his staff to research possible
modifications.

But transit officials note they couldn't have foreseen the pandemic or its
effects, which some say has exacerbated fare evasion alongside higher gas
prices, inflation, and fewer passengers in buses or stations to discourage
evasions. They also say societal norms increasingly have been ignored during
the pandemic, a problem that extends to airlines battling passenger
disruptions, rising pedestrian deaths from reckless drivers and elevated
crime rates.

https://www.washingtonpost.com/transportation/2022/10/01/dc-metro-fare-evasion/

  [Right, after 100+ years of public transit, who could know people might
  evade fares?]


I wouldn't get on that DC-area bus

Gabe Goldberg <gabe@gabegold.com>
Fri, 30 Sep 2022 00:47:40 -0400
...with front identification panel display alternating between these
designations in large friendly letters:

  Invalid code

  Please enter new code


Microsoft Exchange 0-Day Attack Threatens 220,000 Servers (Dan Goodin)

ACM TechNews <technews-editor@acm.org>
Wed, 5 Oct 2022 12:21:07 -0400 (EDT)
Dan Goodin, Ars Technica, 30 Sep 2022,
via ACM TechNews; Wednesday, October 5, 2022

Microsoft researchers said numerous servers have been compromised and
approximately 220,000 additional servers worldwide are threatened by two
critical vulnerabilities in its Exchange application. One is a server-side
request forgery vulnerability, and the other enables remote code execution
via PowerShell. The unpatched flaws were identified in August by researchers
at the Vietnamese security firm GTSC, who found that an Exchange
vulnerability was exploited to infect customer networks with malicious
webshells. The GTSC researchers said, "After successfully mastering the
exploit, we recorded attacks to collect information and create a foothold in
the victim's system. The attack team also used various techniques to create
backdoors on the affected system and perform lateral movements to other
servers in the system."  Microsoft is working on a patch for the new
vulnerabilities.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f590x236956x070749&


In the Battle With Robots, Human Workers Are Winning (NYTimes)

Matthew Kruk <mkrukg@gmail.com>
Fri, 7 Oct 2022 12:09:44 -0600
https://www.nytimes.com/2022/10/07/opinion/machines-ai-employment.html

It's 2022, and computers keep stunning us with their achievements.
Artificial intelligence systems are writing, drawing, creating videos,
interactive, diagnosing diseases, dreaming up new molecules for medicine,
and doing much else to make their parents very proud. Yet somehow we sacks
of meat—though prone to exhaustion, distraction, injury and sometimes
spectacular error—remain in high demand.  How did this happen? Weren't
humans supposed to have been replaced by now—or at least severely
undermined by the indefatigable go-getter robots who were said to be gunning
for our jobs?

  [See the NYTimes online version for oodles of URLs.  PGN]


A data-sharing agreement between the US and UK is now in effect (Engadget)

Monty Solomon <monty@roscom.com>
Mon, 3 Oct 2022 15:21:40 -0400
https://www.engadget.com/us-uk-data-sharing-agreement-in-effect-171316794.html


More Bosses Spy on Quiet Quitters. It Could Backfire (WSJ)

ACM TechNews <technews-editor@acm.org>
Fri, 30 Sep 2022 13:43:44 -0400 (EDT)
Christopher Mims, *The Wall Street Journal*, 17 Sep 2022,
via ACM TechNews <technews-editor@acm.org>

More companies are using technology to monitor virtually everything workers
do on their devices, with Gartner reporting that one in three
medium-to-large companies in the U.S. implemented a worker surveillance
system since the pandemic started, and that two out of three such companies
currently use these systems. The technology can screenshot a worker's
computer every 10 minutes, record the apps and websites they visit, and
document how long was spent on each site, among other things. However,
critics are concerned such "bossware" can be counterproductive. Teramind's
Isaac Kohn said, "Realistically, the vast majority of customers don't find
the need to enable full monitoring on all users all the time." However, Kohn
acknowledged that "the system can be abused if placed in the wrong hands."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f4fdx236761x071689&


Canadian ransomware hacker sentenced to 20 years in U.S. prison (CBC)

Matthew Kruk <mkrukg@gmail.com>
Tue, 4 Oct 2022 20:15:30 -0600
https://www.cbc.ca/news/canada/ottawa/ransomeware-hacker-vachon-desjardins-sentenced-1.6606274

Sebastien Vachon-Desjardins pleaded guilty to ransomware crimes, $28 million
in bitcoin seized


Few Customers Get Refunds for Rampant Zelle Fraud (Senator Warren)

Monty Solomon <monty@roscom.com>
Mon, 3 Oct 2022 23:25:40 -0400
Elizabeth Warren's analysis of fraud and scam complaints on the payment
network found that banks at times violate a federal consumer protection law.

https://www.nytimes.com/2022/10/03/business/zelle-fraud-warren.html


Are You a Victim of Crypto Crime? Good Luck Getting Help (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 2 Oct 2022 19:17:56 -0400
Local law enforcement isn't ready to deal with this new type of fraud, even
with shady scams on the rise.

As platforms overwhelmed by fraud and theft begin looking to traditional law
enforcement to assist with crypto crime-fighting efforts, victims may have
no choice but to throw themselves at the mercy of the police, and it's
difficult to imagine the crypto crime wave subsiding any time soon if the
police prove unequal to the task.

https://www.wired.com/story/cryptocurrency-cybercrime-law-enforcement


El_Salvador's Bitcoin Law—one year on, with the World's Coolest Dictator: Attack of the 50-Foot Blockchain (David Gerard)

Gabe Goldberg <gabe@gabegold.com>
Thu, 29 Sep 2022 23:56:43 -0400
El Salvador's Bitcoin Law came into force on 7 September 2021—and what a
day it was!

Bitcoin is yet another failed initiative from President Nayib Bukele—a
huge splashy announcement, a lot of money set on fire, and not much to show
for it.  [...]  "No one really talks about Bitcoin here anymore. It's kind
of been forgotten," says former Banco Central de Reserva president Carlos
Acevedo. "I don't know if you'd call that a failure, but it certainly hasn't
been a success."

The bitcoin infrastructure seems to have been paid for out of previous
borrowing. The State Financial Management Report for 2021, chapter 3, says
the bitcoin project was financed from $375.9 million of loans previously
taken out by the government.

https://davidgerard.co.uk/blockchain/2022/09/24/el-salvadors-bitcoin-law-one-year-on-with-the-worlds-coolest-dictator/


SEC charges Kim Kardashian for allegedly not disclosing crypto promotion payday (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Mon, 3 Oct 2022 16:12:01 -0400
Kim Kardashian to pay $1.26 million in SEC crypto case

The Securities and Exchange Commission is charging the reality star and
entrepreneur with allegedly promoting a cryptocurrency on her Instagram
account without disclosing how much she was paid to do so, the agency
announced.

https://www.washingtonpost.com/business/2022/10/03/sec-kardashian-crypto

The risks? Reality stars (whatever that means), people who believe/follow
them, and crypto-anything.


Sorry, But Your Boss Is Pretty Hyped About Today's Most Annoying Tech Trends (PCMag)

Gabe Goldberg <gabe@gabegold.com>
Sun, 2 Oct 2022 22:52:14 -0400
Think you can escape the metaverse? KPMG's 'Digital to the core' report
shows a high state of buzzword compliance among surveyed execs.

Many of those concepts have drawn a fair amount of skepticism if not
outright scorn. For example, in June Bill Gates ridiculed cryptocurrencies
and non-fungible tokens as examples of "the Greater Fool Theory." And
ambitions to build the metaverse—what we used to call immersive virtual
words before Facebook founder and CEO Mark Zuckerberg leaped on the term as
he renamed Facebook to Meta—assume a level of consumer interest that may
not be there.

https://www.pcmag.com/news/sorry-but-your-boss-is-pretty-hyped-about-todays-most-annoying-tech-trends

  The risks? Buzzwords and execs


Joe Sullivan guilty in Uber hacking case (WashPost)

Gabe Goldberg <gabe@gabegold.com>
Wed, 5 Oct 2022 18:16:49 -0400
Surprise verdict on charges that predated rampant ransomware and extortion
payoffs in more recent hacking cases

A former chief security officer for Uber was convicted Wednesday of federal
charges stemming from payments he quietly authorized to hackers who breached
the ride-hailing company in 2016.

Joe Sullivan was found guilty of obstructing justice for keeping the breach
from the Federal Trade Commission, which had been probing Uber's privacy
protections at the time, and of actively hiding a felony.

The verdict ended a dramatic case that pitted Sullivan, a prominent security
expert who was an early prosecutor of cybercrimes for the San Francisco
U.S. attorney's office, against his former government office.  In between
prosecuting hackers and being prosecuted, Sullivan served as the top
security executive at Facebook, Uber and Cloudflare.

https://www.washingtonpost.com/technology/2022/10/05/uber-obstruction-sullivan-hacking


I Make Video Games. I Won't Let My Daughters Play Them. (NYTimes)

Richard Marlon Stein <rmstein@protonmail.com>
Mon, 03 Oct 2022 03:00:05 +0000
https://www.nytimes.com/2022/10/02/opinion/video-game-addiction.html

"The over-the-top experiences and rewards built into video games can
stimulate our brains to release dopamine. Dopamine, the powerful 'feel good'
neurotransmitter, motivates us to seek more of these pleasurable activities.
This is what can lead to addictive behavior.

"...a significant minority, 10 percent, developed pathological tendencies
related to video games, including having difficulty stopping play. Compared
with the other group in the study, these players displayed higher levels of
depression, aggression, shyness, problematic phone use and anxiety by the
time they were emerging into adulthood."


AI can now create any image in seconds, bringing wonder and danger (WashPost)

Monty Solomon <monty@roscom.com>
Sun, 2 Oct 2022 21:14:45 -0400

https://www.washingtonpost.com/technology/interactive/2022/artificial-intelligence-images-dall-e/


Rethinking the Computer Chip in the Age of AI (Devorah Fischler)

ACM TechNews <technews-editor@acm.org>
Fri, 7 Oct 2022 12:55:17 -0400 (EDT)
Devorah Fischler, Penn Engineering Today, 29 Sep 2022,
via ACM TechNews, 7 Oct 2022

A team of researchers from the University of Pennsylvania (Penn), Sandia
National Laboratories, and Brookhaven National Laboratory has unveiled a
computing architecture suited for artificial intelligence (AI). The
researchers developed a transistor-free compute-in-memory (CIM) architecture
where processing and storage happen in the same place, removing transfer
time and minimizing energy consumption. The architecture, which builds on
earlier work on a ferroelectric switching scandium-alloyed aluminum nitride
semiconductor, could potentially perform up to 100 times faster than a
conventional computing architecture. The design also performs on-chip
storage, parallel search, and matrix multiplication acceleration. Penn's
Xiwen Liu said the work "proves that we can rely on memory technology to
develop chips that integrate multiple AI data applications in a way that
truly challenges conventional computing technologies."

https://blog.seas.upenn.edu/rethinking-the-computer-chip-in-the-age-of-ai/


Leading Makers Pledge Not to Weaponize Their Robots (Joe Hernandez)

ACM TechNews <technews-editor@acm.org>
Fri, 7 Oct 2022 12:55:17 -0400 (EDT)
Joe Hernandez, NPR, 6 Oct 2022, via ACM TechNews, 7 Oct 2022

Six major robot manufacturers have signed a letter promising not to
weaponize their products. Boston Dynamics, Agility Robotics, ANYbotics,
Clearpath Robotics, Open Robotics, and Unitree pledged against weaponizing
their "advanced-mobility general-purpose robots" or their underlying
software, while also vowing to ensure their customers do not weaponize them
either. The companies also said they do not oppose "existing technologies"
used by governments to "defend themselves and uphold their laws." Boston
Dynamics says police and fire departments are using the company's
canine-like robot Spot to assess hazardous situations, but the firm notes
Spot is not designed for surveillance or as a substitute for police
officers.

https://www.npr.org/2022/10/06/1127227605/boston-dynamics-robots-pledge-against-weapons


Optus criticized for massive breach (Reuters)

"Steven J. Greenwald" <greenwald.steve@gmail.com>
Sun, 2 Oct 2022 03:34:34 -0400
"The Australian government on Sunday leveled its harshest criticism yet
against Optus, the second-biggest telecoms company, for a cybersecurity
breach that affected the equivalent of 40% of the country's population."

Via Reuters:
https://www.reuters.com/business/media-telecom/australian-government-slams-optus-cybersecurity-breach-2022-10-02/


Re: Optus' breach exposes 9.8M customers' data (RISKS-33.46)

John Colville <John.Colville@uts.edu.au>
Fri, 30 Sep 2022 01:40:39 +0000
It now appears that Optus's access controls were (very) weak.  A lot of
debate about how much of peoples' data is being stored by various
organizations—and for how long. However Optus have continued to store
information like drivers licence ids and passport detail which have
originally been used to identify customers.  For telcos the length of the
period that data has to be stored is more complicated because of worries
that they may be asked for communication histories in connection with
authorities' enquiries into activities like drug importation or terrorism.


Re: Wegmans Discontinues Self-Checkout App, Citing Losses (NYTimes, RISKS-33.46)

"John Levine" <johnl@iecc.com>
30 Sep 2022 00:31:35 -0400
I am scratching my head about this one. The thing they stopped was a phone
app that you could use to scan items as you shopped and put them in your
bags. Then when you get to the self-check kiosk, you scanned a code on the
kiosk screen, it transferred the list of items to the kiosk and then you
paid and left. It was great, I used it every time I shopped there for the
past year.

They are not getting rid of the self-check kiosks, just the app. I suppose
that since there is usually a staff person watching the kiosks it is
somewhat harder to sneak stuff, but the kiosks no longer annoyingly insist
that you immediately put every item in a bag so it can weigh them and match
the weight on the scale to what you've bought. (Now that most people bring
their own bags, I suspect there's no way to handle the variable weight of
the bags that isn't even more annoying.)

The Waitrose grocery chain in the UK has had a similar self-scan scheme for
over a decade, originally with hand-held scanners they provided, now also
with a phone app:

https://www.waitrose.com/ecom/help-information/shopping-with-waitrose/shopping-instore/quick-check

Waitrose say they may rescan the contents of your bag at the till but when I
was there they never did. I wonder why they haven't had similar problems.
Waitrose caters to an upper middle class demographic but anyone can shop
there and I would think that if it were easy to cheat, some people would.


Re: Egypt's submarine cable stranglehold (RISKS-33.46)

Amos Shapir <amos083@gmail.com>
Fri, 30 Sep 2022 19:33:37 +0300
The part of the DCD article posted here contains the quote "It's not like
there's another Egypt you can go to."; but the truncated part does contain a
survey of alternative routes.  Some of them have failed, but at least one
succeeds: Google's Raman-Blue line from India via Saudi Arabia, Jordan and
Israel.

Also note that the posted map shows yet another alternative route, from the
Red Sea via Israel.  If Egypt tries to squeeze this resource too tight, it
wouldn't be hard for users to switch.


Re: Automakers are ignoring the simple solution to the rise of traffic deaths (RISKS-33.46)

Scott Dorsey
Fri, 30 Sep 2022 09:41:58 -0400 (EDT)
Making vehicles go slower is likely to reduce the number of deaths and that
is not a bad thing, but it doesn't solve the real problem.  What needs to be
done is to reduce the number of accidents in the first place, and that means
doing things that permit drivers to see where they are going and force them
to pay attention to their driving.  This likely does require technical
solutions but not expensive ones, and in many cases it requires removing
technology rather than adding it.


Castiglioncello 2022: Nuclear Weapons: New Risks

"Diego.Latella" <diego.latella@isti.cnr.it>
Tue, 04 Oct 2022 08:53:13 +0200
The next Castiglioncello International Conference (Oct. 21-22) will be
focused on "Nuclear Weapons: New Risks".  The conference is organized by the
Pugwash Conferences on Science and World Affairs and the Union of Scientists
for Disarmament (USPID).

The Municipality of Rosignano Marittimo, the Interdisciplinary Center of
Sciences for Peace of the University of Pisa, the Interdepartmental Research
Center for Peace of the University of Bari and the Interdisciplinary Group
on Science Technology and Society of the CNR Pisa Research Area collaborate
for the organization of the event.

For additional information, program and registration, please refer to the
conference website: https://uspid.org/cast2022/

  [I don't quite know whether it is especially computer science or its
  subdiscipline Artificial Intelligence that has such an enormous affection
  for euphemism. We speak so spectacularly and so readily of computer
  systems that understand, that see, decide, make judgments, and so on,
  without ourselves recognizing our own superficiality and immeasurable
  naivete with respect to these concepts. And, in the process of so
  speaking, we anesthetise our ability to evaluate the quality of our work
  and, what is more important, to identify and become conscious of its end
  use.  One can't escape this state without asking, again and again: "What do
  I actually do? What is the final application and use of the products of my
  work?" and ultimately, "am I content or ashamed to have contributed to
  this use?"  Prof. Joseph Weizenbaum ["Not without us", ACM SIGCAS 16(2-3)
  2--7 Aug. 1986]]
