QUESTION: Why did Tesla seemingly knowingly program their vehicles to operate illegally?
The recall shows that Tesla programmed its vehicles to violate the law in most states, where police will ticket drivers for disregarding stop signs. The Governors Highway Safety Association, which represents state highway safety offices, said it is not aware of any states that allow rolling stops.
Risks are many: Actually developing software that breaks the law. All-way stop signs, common on North American roads, require drivers to halt completely, before proceeding. Tesla's software drives the car over the stop line at 5mph. Misleading pseudo-technical marketing terms e.g., Full self-driving that isn't. Abusing well-known terms (e.g., that have long been used in aircraft as meaning just that). But in Tesla it is less sophisticated than full self-driving. Reliance on members of the public to do beta testing of sophisticated software with no knowledge of its design, functionality, failure modes etc. The delay in getting the feature removed. First discussed 20th Nov will be removed 28th March.
Tesla recalls more than 817,000 vehicles over seat-belt chime issue, which it will address remotely. For Tesla, it's the second recall in a matter of days after it said it would address the ‘rolling stop’ issue
https://www.washingtonpost.com/technology/2022/02/03/tesla-recall-seatbelt-chime/
Joel Khalili, TechRadar, 4 Feb 2022, via ACM TechNews, Wednesday, February 9, 2022
A report by enterprise software provider Micro Focus found that more than 800 billion lines of COBOL code are in daily use worldwide, about three times more than expected, despite a decline in the number of developers familiar with the 60-year-old programming language. Moreover, nearly half of developers surveyed predict an increase in the volume of COBOL used in their organization in the coming year, while a similar share said they expect COBOL applications to live on for at least another decade. The report found that 64% of companies reliant on COBOL prefer to modernize their apps rather than replace them, while 92% of respondents said COBOL will retain strategic importance to their business. Said Micro Focus' Ed Airey, “For IT leaders, supporting core business systems, COBOL application modernization lies at the heart of digital transformation.”
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e009x231452x073060&
[COBOL could be here forever. Thus, Y2K+N problems are likely to recur for all nonnegative integer values of N. Might RISKS still be around in perpetuity? All the evidence from the past suggests it would still be relevant. The year 3000 would certainly deserve a major celebration.
In the wake of a voter-approved law, Subaru and Kia dealers in Massachusetts have disabled systems that allow remote starts and send maintenance alerts.
https://www.wired.com/story/fight-right-repair-cars-turns-ugly/
As we see far too often, a fiber cut often has a disproportionate impact on communications, in this case taking out not only CenturyLink's service but also cellular service for providers who use CenturyLink's fiber as a backhaul.
This points out yet again how easy it is to take out a single link and disrupt communications across a wide area, whether accidentally or intentionally.
https://www.ouraynews.com/news/cell-phone-service-disrupted-cut-fiber-line
France 24, 3 Feb 2022 via ACM TechNews, 4 Feb 2022
Major oil terminals at some of Western Europe's biggest ports have been hit by a cyberattack, as energy prices in Europe soar amid tensions with gas supplier Russia. In Belgium, authorities are investigating the hacking of oil facilities in the country's maritime entryways, including Antwerp, Europe's second biggest port, while German prosecutors are investigating a cyberattack targeting oil facilities in what was described as a possible ransomware strike. German newspaper Handelsblatt said an initial report from German security services identifies the BlackCat ransomware as the tool used in the cyberattack in Germany. BlackCat emerged in mid-November 2021 as a software tool that allows hackers to seize control of target systems. Experts note that BlackCat is programmed in the Russian language.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2df35x231264x073765&
Proposals in Wyoming and Arizona to accept tax payments in Bitcoin and other cryptocurrencies would undermine the dollar's unique status.
The dreams of crypto enthusiasts inched closer to reality in recent days as lawmakers in Wyoming and Arizona put forward proposals that would allow those states to accept tax payments in the form of digital currencies.
The new proposals, and others like them around the United States, threaten to erode a key distinction upholding the supremacy of the U.S. dollar over its would-be digital competitors: Americans can use U.S. dollars, but not cryptocurrencies, to pay their taxes.
Under the Arizona proposal, the state would recognize the most popular cryptocurrency, Bitcoin, as legal tender. The Wyoming proposal, which is not limited to any specific cryptocurrency, would apply only to sales and use taxes.
Both proposals face potential legal and political hurdles. But Wyoming has gone further than any other state in passing laws to accommodate cryptocurrency adoption, and backers of the proposal there believe it will be the first state to take a significant step in the realm of tax payments. […]
https://www.politico.com/news/2022/01/31/crypto-wyoming-arizona-tax-payments-00003910
Virtual reality and artificial intelligence helped with the daunting task
Last November, at Fort Campbell, Tennessee, half a mile from the Kentucky border, a single human directed a swarm of 130 robots. The swarm, including uncrewed planes, quadcopters, and ground vehicles, scouted the mock buildings of the Cassidy Range Complex, creating and sharing information visible not just to the human operator but to other people on the same network. The exercise was part of DARPA's OFFensive Swarm-Enabled Tactics (OFFSET) program.
If the experiment can be replicated outside the controlled settings of a test environment, it suggests that managing swarms in war could be as easy as point and click for operators in the field.
“The operator of our swarm really was interacting with things as a collective, not as individuals,” says Shane Clark, of Raytheon BBN, who was the company's main lead for OFFSET. “We had done the work to establish the sort of baseline levels of autonomy to really support those many-to-one interactions in a natural way.”
Piloting even one drone can be so taxing that it’s not rare to see videos of first-time flights leading immediately to crashes. Getting to the point where a single human can control more than a hundred drones takes some skill, and a lot of artificial intelligence.
In total, the swarm operator directed 130 vehicles in the physical world, as well as 30 simulated drones operating in the virtual environment. These 30 virtual drones were integrated into the swarm's planning and appeared as indistinguishable from the others in the program to the human operator, and to the rest of the swarm. As apparitions of pure code, tracked by the swarm AI, these virtual drones flew in formation with the physical drones, and maneuvered around as though they really existed in physical space. […]
https://www.popsci.com/technology/drone-swarm-control-virtual-reality/
Patching operating systems and applications to remediate vulnerabilities is commonplace.
Far fewer pay as much attention to maintaining the firmware responsible for low-level system hardware maintenance.
Recent generations of processors use implementations of the Extensible Firmware standard, referred to as EFI, to manage processor hardware at a low level. BleepingComputer reports that a widely-used implementation of EFI has a number of exploitable vulnerabilities that can compromise systems. According to the article, several of the vulnerabilities affect “power management and hardware control” including secure bootstrap.
The article contains a list of the CVE entries describing the vulnerabilities.
The full article is at:
https://gizmodo.com/crypto-platform-wormhole-loses-325-million-in-apparent-1848470502
A controversial new program that uses facial recognition is part of a national effort to verify identities and reduce fraud.
In November, the Internal Revenue Service launched an online security system that uses face recognition to confirm a person's identity. Public attention to the project last week triggered an outcry. The ACLU called the project deeply troubling, saying face recognition “has been shown to be less accurate for people of color.”
Some IRS functions, like scheduling payments but not filing taxes, now require first-time users to verify their identity with Virginia startup ID.me, which also works with 27 state employment agencies and the Veterans Administration. The process involves photographing a government-issued ID and uploading a video selfie so algorithms can match face and document. […]
Goodman says that such programs need to provide offline options such as visiting a post office for people unable or unwilling to use phone apps or internet services. Making any digital service universally accessible in a large and varied nation like the US is a challenge. An agency like the IRS has to serve a user base similar in scale to that of a large tech company, but unlike a hot startup must also include society's least connected. Usable security is really, really hard, and government's track record on digital inclusion is mixed. ID.me says it has 650 locations where people can complete enrollment in person in a big country.
https://www.wired.com/story/irs-us-government-wants-selfies/
This process was like playing Simon Says with an evil/demented robot. For starters, there's no initial list of steps to take and what will be required. So it was multiple iterations finding what was necessary. Then facial recognition didn't like initial images I uploaded. And it took several identical attempts to get improved images recognized, which it did, after a while. None of this gives me faith in its reliability/scalability.
The GSA is now rejecting facial recognition for login.gov: https://www.washingtonpost.com/technology/2022/02/07/irs-gsa-id-facial-recognition/
A New York Times investigation reveals how Israel reaped diplomatic gains around the world from NSO's Pegasus spyware—a tool America itself purchased but is now trying to ban.
https://www.nytimes.com/2022/01/28/magazine/nso-group-israel-spyware.html
Twitter says it has quit taking action against lies about the 2020 election
https://www.cnn.com/2022/01/28/politics/twitter-lies-2020-election/index.html
Francisco Pires, Tom's Hardware, 4 Feb 2022, via ACM TechNews, Wednesday, February 9, 2022
Researchers at the U.S. Department of Energy's Argonne National Laboratory and the University of Chicago (UChicago) have realized 100 million quantum operations, hailed as a key step toward achieving quantum supremacy. The team added single electrons to quantum bits (qubits) with laser pulses. “[The] emitted light reflects the absence or presence of the electron, and with almost 10,000 times more signal,” said UChicago's Elena Glen. “By converting our fragile quantum state into stable electronic charges, we can measure our state much, much more easily. With this signal boost, we can get a reliable answer every time we check what state the qubit is in.” The single-shot readout method deletes all previously loaded errors, enabling coherent quantum states to “perpetuate” themselves.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e009x231451x073060&
The thing about this is that it's a battle Musk is almost certain to lose. The data involved is ADS-B aircraft transmissions that are easily received with the proper (relatively inexpensive) equipment.
The FAA recently established a voluntary program for the “masking” of actual plane ID data from ADS-B. The program involves substituting a “temporary” ID that doesn't map to any publicly available registration data, and could be changed no more frequently than once every 60 days (ultimately to be once every 20 days).
The flaw in this plan is obvious. Once an aircraft has been identified through some other means (such as knowing when someone leaves a specific airport and noting where they are headed or land based on the kind of information typically available regarding many public figures), that “temporary” ID can then be used (until it is changed) for tracking pretty much just as easily as the unmasked ID. And there are Internet sites where enthusiasts openly trade this information.
So even if Musk got this particular person to stop tweeting the location of his jet, it is extremely likely that another person (or persons) would take up where the original tweeter left off.
https://www.engadget.com/ftc-social-media-scammers-stole-770-million-in-2021-210022922.html
https://techcrunch.com/2022/01/27/lets-make-the-teen-tesla-hack-a-teachable-moment/
Israel used the NSO Group's software as a tool of diplomacy. The FBI wanted it for domestic surveillance. Then everything soured. Here are highlights of a New York Times Magazine investigation.
https://www.nytimes.com/2022/01/28/world/middleeast/israel-pegasus-spyware.html
The sudden hit Wordle, in which once a day players get six chances to guess a five-letter word, has been acquired by The New York Times Company.
The purchase, announced by The Times on Monday, reflects the growing importance of games, like crosswords and Spelling Bee, in the company's quest to increase digital subscriptions to 10 million by 2025.
Wordle was acquired from its creator, Josh Wardle, a software engineer in Brooklyn, for a price in the low seven figures. The company said the game would initially remain free to new and existing players.
https://www.nytimes.com/2022/01/31/business/media/new-york-times-wordle.html
Not sure that this represents a Risk to the Public, per se, unless one considers the tens of millions of lost productive person-hours spent on the game. But the HTML underlying the phenomenon is so trivial—it really is just a single static page of HTML—that it has already attracted malicious hackers (see, e.g., “A bot tried to ruin Wordle by posting the next day's answer. Twitter suspended the account”, https://www.washingtonpost.com/technology/2022/01/25/twitter-suspends-wordle-ruining-bot/).
Putting Wordle behind a paywall will only increase the incentive to develop malware.
https://www.tomshardware.com/news/windows-update-needs-eight-hours
Meanwhile, Chromebooks seem to update in about 5 minutes or so for me. -L
Microsoft this week revealed that it had fended off a record number of distributed denial-of-service (DDoS) attacks aimed at its customers in 2021, three of which surpassed 2.4 terabits per second (Tbps).
One of the DDoS attacks took place in November, targeting an unnamed Azure customer in Asia and lasted a total of 15 minutes. It hit a peak throughput of 3.47 Tbps and a packet rate of 340 million packets per second (pps), making it the largest attack ever reported in history.
“This was a distributed attack originating from approximately 10,000 sources and from multiple countries across the globe, including the United States, China, South Korea, Russia, Thailand, India, Vietnam, Iran, Indonesia, and Taiwan,” Alethea Toh, product manager of Azure Networking, said <https://azure.microsoft.com/en-us/blog/azure-ddos-protection-2021-q3-and-q4-ddos-attack-trends/>
DDoS attacks occur when several compromised devices are employed as a conduit to overwhelm a targeted server, service, or network with a flood of Internet traffic with the goal of overloading the systems and disrupting its regular services. […]
https://thehackernews.com/2022/01/microsoft-mitigated-record-breaking-347.html
I'm concerned by what's not being {explicitly} said by the parties engaged in this Musical Chairs of Blame.
From what I've been reading, but not seeing discussed:
Someone I chatted with who dealt with a parallel C-band co-channel issue on satellite downlinks saw/used a 7"-long waveguide filter, but that takes space and it added loss of 1.3 dB; neither desirable when in an aircraft seeking a reflected bounce of very low levels.
I can hazard a guess if the cellco's want this to go away soon, once and for all, they could just swap out all the iffy domestic radar altimeters for new ones that would fulfill the obviously upcoming TSO. That is maybe cheaper & faster than years of lobbying and legislation. And if there is a crash even suspected of being 5G related…
In conclusion I see:
Two agencies, both gutted by indifferent/hostile Congresses, lacking their technical expertise of decades past, rushing to a political ‘answer.’
Intense political/economic pressure to make this issue Just Go Away NOW.
But in aviation: Haste Makes Graves.
> In the Air France 447 and Boeing 737 Max crashes, the autonomous systems
> got confused by faulty sensor information and the pilots couldn't recover
This is correct for the 737 Max crashes, but not for AF447. The sensor failure did not cause the “autonomous systems” to do anything except turn themselves off. The problem was rather with the design of the human-computer interface which gave confusing information to the pilots. If the pilots had done literally nothing when the autopilot disconnected, except applying the very basic airmanship of maintaining aircraft attitude, the accident would not have happened.
Many households already have VOIP—a lot of them are cable, and most new-builds no longer get POTS, so we have quite a lot of experience over here.
Likewise, DECT is pretty much standard already. The problem is, all the phones you see in the shops are DECT-1 (analog line), and BT don't tell you your new phones are DECT-2 (VOIP). The switch is EASY PEASY so long as they don't leave you floundering for information!
Oh - and to make it clear exactly what is happening, the national rollout is FTTC - “Fibre to the Cabinet” (for people who don't know what that means, there are street boxes serving maybe 100 houses, that's the cabinet. Unless you choose, and pay, it'll still be copper from there into your house. So the phone connection in your house won't change at all unless, like us, you are too close to the exchange to have a cabinet.)

BUT: As somebody who has already been told “we are switching you over”
> The consequences include:
>
> 1. Householders having to re-arrange their domestic phone systems—to
> establish a connection to their router. Or replace their handsets with a
> Digital Voice compatible one.
That's pretty easy. Your old router plugged in to your phone socket. So unless they've wired your new cable router somewhere completely different from your phone line, you unplug your landline from the POTS socket, and plug it in to the router (or if you don't have broadband, the alternative box they provide).
> 2. However, BT Digital Voice appears to only work with the routers (Smart
> Hub 2) they provide!
This is (like with DECT-2) probably just lack of information - I don't know, I can't find any information!
> 3. BT state that if consumers have a monitored alarm that's connected to
> their landline (like a health pendant or monitored burglar alarm) they'll
> need to speak to their alarm provider before moving to Digital Voice.
> Apparently these systems will stop working.
>
> 4. Oh and if there's a power cut or your broadband fails, you'll be unable
> to make calls using Digital Voice, including calls to 999
No 3 is a direct consequence of No 4. Burglars used to cut phone lines - which is why modern alarms mostly use mobile SIMs nowadays - so that's a new manifestation of an old problem. Health alarms will just have to move too.
> 5. Some areas have no broadband services / or they fail often
You forget - some areas NEED broadband as backup for a poor mobile service!
(The whole point of this manoeuvre is to provide a modern, reliable broadband service. It won't fail (much) and will be available everywhere POTS currently is.)
> Risks: very limited news / announcements about the programme, issues over
> requiring householders to change their equipment / undertake technical
> re-configuration with limited / little support. Elderly / vulnerable
> residents a risk.
6. Short dialling no longer works. You have to use the long STD code every time. More of a nuisance than anything else, but again it's the elderly/vulnerable that are hardest hit.
We fall into the elderly/vulnerable category, and the biggest problem was the lack of information and unexpected side effects. I think it took us two or three months to realise what was going on, during which time people ringing us had a lot of difficulty making contact. And we didn't have a clue anything was wrong …
This is a rather gratuitous attack on the telecoms. In no way was this a technical problem or a commercial problem.
All other countries had no problems with the rollout, only the US botched it.
I looked up the technical reports from Canada, Japan, US. All the reports were completed in plenty of time. Japan did bench experiments as did US. All other countries proceeded to issue guidelines - don't be too close to glide path, don't point antenna up. For some reason, US FAA/FTC did nothing after the technical committee report.
Some say but the US frequency is closer:
If Japan can roll it out, it's hard to see how US has a harder problem.
… From the cited article:
A covid outbreak, a storm, a natural disaster, political instability, problem with equipment—really anything that disrupts a [chip-making] facility anywhere in the world, “we will feel the ramifications here in the United States of America,” Commerce Secretary Gina Raimondo said. “A covid outbreak in Malaysia has the potential to shut down a manufacturing facility in America.”
American semiconductor plants are not magically immune from covid outbreaks, storms, natural disasters, and problems with equipment. There might be good reasons for the U.S. government to give highly profitable companies $52 billion in taxpayer subsidies, but if such a reason exists, the Commerce Secretary is keeping it to herself.
Alexandria VA (suburb of Washington DC) is refunding nearly 5000 tickets / $200K in fines because of an error in the software: the problem was that the software didn't account for a half-second grace period (after the light turns red) written in the law. The company that operates the cameras found it — although I wonder how many other cameras have this problem (or similar problems) but there's no accountability.
My recollection is that these automated tickets aren't reported to insurance companies and don't incur points, so it (shouldn't) have increased anyone's rates or caused anyone to lose insurance.
[Incidentally, the Virginia law is explicit on this, so it's not a matter of whether the software designer came up with the rule: “All traffic light signal violation monitoring systems shall provide a minimum 0.5-second grace period between the time the signal turns red and the time the first violation is recorded.” https://law.lis.virginia.gov/vacode/title15.2/chapter9/section15.2-968.1/ ]
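The grace-period defect described above, shown as an added example (not code from the camera vendor or from the original item): the defective decision logic that records a violation the instant the signal is red, beside the logic the statute quoted above actually requires, and an audit that lists the tickets the defective logic would have issued wrongly. The plates, timestamps and the use of integer milliseconds are constructed assumptions for the example; the 0.5-second minimum is the figure quoted from the Virginia Code.

```python
from dataclasses import dataclass
from typing import List

# Minimum grace period from Va. Code 15.2-968.1 as quoted on the page, in
# integer milliseconds so that the exact-boundary case is not subject to
# floating-point rounding (a design choice of this example).
GRACE_PERIOD_MS = 500


@dataclass(frozen=True)
class Crossing:
    """One vehicle crossing the stop line, as a camera system would log it (constructed)."""
    plate: str
    red_onset_ms: int   # time the signal turned red
    crossed_at_ms: int  # time the vehicle crossed the stop line


def is_violation_no_grace(c: Crossing) -> bool:
    """The defective rule: any crossing after the red onset is a violation.

    This is the behaviour the item describes: the statutory grace period is
    simply not modelled, so crossings 1 ms into the red are ticketed.
    """
    return c.crossed_at_ms > c.red_onset_ms


def is_violation(c: Crossing, grace_ms: int = GRACE_PERIOD_MS) -> bool:
    """The compliant rule: a violation may only be recorded once the signal has
    been red for longer than the grace period. A crossing exactly at the
    boundary (dt == grace_ms) is still inside the grace period and not ticketed.
    """
    dt = c.crossed_at_ms - c.red_onset_ms
    return dt > grace_ms


def audit(crossings: List[Crossing], grace_ms: int = GRACE_PERIOD_MS) -> List[str]:
    """Return the plates that the defective rule ticketed but the compliant rule
    would not: exactly the population that is owed a refund."""
    return [
        c.plate
        for c in crossings
        if is_violation_no_grace(c) and not is_violation(c, grace_ms)
    ]


# Constructed sample log: one red onset at t=100.000 s, four crossings.
SAMPLE_CROSSINGS = [
    Crossing("A", 100_000, 100_200),  # 0.2 s into red: inside the grace period
    Crossing("B", 100_000, 100_500),  # exactly 0.5 s: boundary, still inside
    Crossing("C", 100_000, 101_300),  # 1.3 s into red: a genuine violation
    Crossing("D", 100_000, 99_800),   # crossed before the light turned red
]

if __name__ == "__main__":
    for c in SAMPLE_CROSSINGS:
        print(c.plate, "defective:", is_violation_no_grace(c), "compliant:", is_violation(c))
    print("refund owed to:", audit(SAMPLE_CROSSINGS))
```

The audit function is the check a camera operator (or an auditor) would want to run over historical logs once such a defect is found: it reproduces both decision rules side by side rather than trusting the stored verdicts, so the refund population is computed from the raw timestamps.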