Mark Mazzetti and Ronen Bergman, *The New York Times* front page, National Edition, 13 Nov 2022
https://www.nytimes.com/2022/11/12/us/politics/fbi-pegasus-spyware-phones-nso.html

During a closed-door session with lawmakers last December, Christopher A. Wray, the director of the FBI, was asked whether the bureau had ever purchased and used Pegasus, the hacking tool that penetrates mobile phones and extracts their contents. Mr. Wray acknowledged that the FBI had bought a license for Pegasus, but only for research and development. "To be able to figure out how bad guys could use it, for example," he told Senator Ron Wyden, Democrat of Oregon, according to a transcript of the hearing that was recently declassified. But dozens of internal FBI documents and court records tell a different story. The documents, produced in response to a Freedom of Information Act lawsuit brought by *The New York Times* against the bureau, show the FBI officials made a push in late 2020 and the first half of 2021 to deploy the hacking tools—made by the Israeli spyware firm NSO—in its own criminal investigations. The officials developed advanced plans to brief the bureau's leadership, and drew up guidelines for federal prosecutors about how the FBI's use of hacking tools would need to be disclosed during criminal proceedings. [...]
https://www.cbc.ca/newsinteractives/features/takedown-homegrown-ransomware-hacker An FBI investigation into a criminal ransomware gang believed to be tied to Russia led to a Canadian government employee in Gatineau, the largest cryptocurrency seizure in Canadian history and hundreds of victims around the world.
Kate Conger, Mike Isaac, Ryan Mac and Tiffany Hsu, For Staff, Two Weeks of Layoffs and Panic
Ryan Mac, Benjamin Mullin, Kate Conger and Mike Isaac, Users Make a Mockery of Musk's New Service
*The New York Times*, Business, 12 Nov 2022
Fake LeBron, Schefter tweets expose flaw in new paid verification system
https://www.audacy.com/wqam/sports/fake-lebron-schefter-tweets-expose-flaw-in-verification

Fake Twitter accounts flock to blue check chaos
https://techcrunch.com/2022/11/09/fake-twitter-blue-check-lebron-musk/

Twitter chief information security officer Lea Kissner departs: The resignation of Lea, one of the industry's most respected and experienced persons in our field, is yet another clear signal that Twitter is rapidly rotting from within, putting users and itself at risk. There are also not yet confirmed reports that Twitter's chief compliance officer resigned. -L
https://techcrunch.com/2022/11/10/twitter-lea-kissner-departs/

After fake Twitter claim that Northern Ireland secretary resigned, Musk makes a joke
https://www.theguardian.com/technology/2022/nov/10/twitter-elon-musk-tosh-northern-ireland-secretary

Twitter Lawyer Claims Elon Musk Has Put Company At Risk Of Billions In Fines
https://www.thegamer.com/twitter-lawyer-claims-elon-musk-has-put-company-at-risk-of-billions-in-fines/

Twitter's Security And Privacy Leaders Quit Amidst Musk's Chaotic Takeover
https://www.forbes.com/sites/thomasbrewster/2022/11/10/twitter-security-privacy-compliance-leads-quit-elon-musk-takeover/?sh=2b3e4b1c586f

Twitter's disaster for users: We're all (including me) getting some laughs out of Musk's Twitter situation, but I cannot possibly emphasize enough how incredibly dangerous the situation has become for Twitter's users. Infrastructure, privacy, security, are all affected by layoffs and resignations. Disastrous. -L

More on Musk's Twitter disaster: Additionally, the verification nightmare that Musk has callously imposed is putting users in intolerable positions and supercharging disinformation. Intolerable. -L

Elon Musk's Twitter Is a Scammer's Paradise
https://www.wired.com/story/twitter-blue-check-verification-buy-scams/

Twitter puts a "may be unsafe link" interstitial on a one-word article called "What Elon Musk Is Doing Right at Twitter"—the one word is "Nothing."
https://twitter.com/laurenweinstein/status/1591264511247327233

Musk blames "media elite" for Twitter's troubles
https://twitter.com/laurenweinstein/status/1591121628804440064

A Twitter manager says laid-off engineers he's rehired are 'weak, lazy, unmotivated'
https://www.businessinsider.com/twitter-manager-says-engineers-he-rehired-are-weak-lazy-unmotivated-2022-11

After Sen. Markey raises concerns about Twitter, Musk replies that Markey's account sounds like a parody. Markey is not amused, and Musk is behaving like an idiot. Musk could bring everything down. -L
David Yaffe-Bellany, *The New York Times*, front page, 12 Nov 2022
FTX, a Crypto Linchpin, Files for Bankruptcy: Chief Executive Exits, Ending Chaotic Week

Added bonus noted on the front page: Free Money—Why did investors hand over so much to FTX with so little oversight? p. B1 in the National Edition: Erin Griffith and David Yaffe-Bellany, Questions About Crash of FTX Rise for Investors

PREVIOUSLY: Kevin Roose, *The New York Times*, 10 Nov 2022, Business
https://www.nytimes.com/2022/11/12/us/politics/fbi-pegasus-spyware-phones-nso.html
Crypto[currency] faces a reckoning in FTX collapse ... it is already being referred to as a "Lehman moment"—a reference to the 2008 collapse of Lehman Brothers.

[Earlier item from LaurenW: Crypto giant Binance drops bid to save rival, stoking chaos in digital assets
https://www.cnn.com/2022/11/09/business/bitcoin-crypto-prices-fall-ftx-binance-ctrp/index.html PGN]

SUBSEQUENTLY: David Yaffe-Bellany, *The New York Times*, p.27, National Ed., 13 Nov 2022
Crypto Giant FTX Investigating $515 Million in Transfers After Collapses
https://www.nytimes.com/2022/11/12/business/ftx-cryptocurrency-hack.html
https://www.cbc.ca/news/canada/british-columbia/ftx-cryptocurrency-bailout-bankman-fried-1.6647478 Last week, California billionaire Sam Bankman-Fried was touted as a key figure in cryptocurrency—even a saviour. Today, amid a series of apologetic tweets, he said "I f--ked up" after his cryptocurrency exchange bled billions of dollars. His FTX exchange is now scrambling to raise $9.4 billion US from both investors and rivals, as customers rush to withdraw their funds.
"Google's Chrome, Apple's Safari, nonprofit Firefox and others allow the company, TrustCor Systems, to act as what's known as a root certificate authority, a powerful spot in the Internet's infrastructure that guarantees websites are not fake, guiding users to them seamlessly. The company's Panamanian registration records show that it has the identical slate of officers, agents and partners as a spyware maker identified this year as an affiliate of Arizona-based Packet Forensics, which public contracting records and company documents show has sold communication interception services to U.S. government agencies for more than a decade."
<https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/>

[David Rosenthal noted an earlier item on David Farber's IP distribution via Dewayne Hendricks, excerpted here:
Mysterious company with government ties plays key internet role
TrustCor Systems vouches for the legitimacy of websites. But its physical address is a UPS Store in Toronto.
Joseph Menn, WashPost, 8 Nov 2022
<https://www.washingtonpost.com/technology/2022/11/08/trustcor-internet-addresses-government-connections/> PGN]
A guide to contemporary doomsday scenarios, from the threats you know about to the ones you never think of
Author: A few days before NASA tried to crash a spacecraft into an asteroid as part of what it called the Double Asteroid Redirection Test, I talked to Lindley Johnson, the agency's planetary defense officer. I think we can all agree that this sounds like an important job.
https://www.washingtonpost.com/magazine/2022/11/07/doomsday-scenarios-asteroids/
Should be enough risks here for any riskophile.
250kW per rack! The average home uses 29kWh per day, for an average of 1.2kW, so a single rack would consume the power of 200 homes. A large data center can have 5,000 racks; hence might require *four* small nuclear reactors to power it! These are terrifying numbers. And we thought that cryptomining calculations were going to ruin the planet... The average human brain requires perhaps 0.1kW, so a single rack consumes the "brainpower" of 2500 people; a large datacenter consumes the "brainpower" of 12.5 million people—the population of greater Los Angeles. It's time we thought about moving these datacenters to remote places, e.g., in the middle of the Pacific Ocean, in outer space orbit, on the far side of the Moon.

Tobias Mann, Tue 8 Nov 2022 // 00:30 UTC
https://www.theregister.com/2022/11/08/colovore_liquidcooled_datacenter/
AI and HPC deployments means propping up 250kW densities per rack
The all liquid-cooled colo facility rush has begun. [Long item PGN-truncated.]
[Unauthored blog:] https://fibrecookery.blogspot.com/2022/11/peoplenet-or-populistnet.html I suppose that you can blame Telus for this, and, if they go out of business, it's their own fault. I did tell them: Do not annoy grieving widowers. They have lots of time to create and detail new ideas that may drive you out of business if you're not providing actual service to your customers. Ever since I've thought of this, I have felt that it would be a really good idea to drive the telephone and telecommunications companies (generally known as telcos) out of business. After all, they make tons of money, and make huge profit margins on, what is currently, very little outlay. The telecommunications companies have a near monopoly. They use this to ensure that they have large profits, for relatively little effort and expense. We do not need the telephone companies. Okay, there is the issue of long distance, but there are ways around that. Or, we can simply set up new long distance companies, and let them know that provision of service is not actually necessary to most of our communications. [Long but fascinating personal-experience-based Blog item PGN-truncated.]
I love Rust, but my love is tough love. The referenced Wired article focuses on Rust's guarantees of memory safety. Memory safety has been a solved problem since the 1950's, with the invention of reference counting and tracing garbage collection. With the development of *real-time* garbage collection in 1976, it has been theoretically possible to do system programming in a garbage-collected language for nearly half a century. I leave it to others to explain why it has taken so long for the CS industry to accept memory safety as a fundamental requirement. https://en.wikipedia.org/wiki/Garbage_collection_(computer_science)

The ubiquity of Javascript in every web page has now made memory safety an absolute must, and Javascript's garbage collector has taught new generations of software engineers about this solution to memory safety. However, Javascript (with the exception of WASM) is not a compiled system programming language like C/C++, and therefore not a suitable replacement for C/C++. Enter a number of new "safe" systems programming languages, including Rust. Rust inherits a more modern and far more powerful *type system* from so-called "functional" languages, which enables many of the overheads for memory safety to be moved to compile time. In particular, Rust's so-called "affine" types with their "move" and "borrow" semantics enable *some* of the overheads of reference counting to be moved to compile time. The interaction of *memory safety* with *multiple threads* and *crash consistency* required in a systems programming language places very severe requirements on the type system and runtime system of such a system, which remain open to significant criticism IMHO. Rust's "affine types" abandon the fundamental "object identity" axiom of computer SW (HW since the 1950s): "address IS identity". All of the datapaths, caches, speculations, etc., found in modern CPU architectures are dedicated to preserving this axiom.

Rust's "everything is movable (its address can change)" destroys this identity, and thus the fundamental mental models of millions of programmers and CPU designers. [A technical note: as the developer of a "copying garbage collector", where everything can (and eventually will) move, my criticism of Rust's affine types could be seen as hypocritical. Nevertheless, a copying garbage collector still needs to rely on "address IS identity" for "forwarding pointers" *during* an epoch of the CGC; Rust makes the implementation of a copying GC *inside safe Rust* essentially impossible.] An alternative (and more fundamental) typing model utilizes "linear" types and objects, where "linear" essentially means "refcount = 1". It is possible to implement "affine" types using "linear" types, but the reverse is apparently impossible. For example, so long as its "refcount = 1", *moving* a "small" object is safe, trivial, lockfree and inexpensive. Rust's interactions of multiple threads, memory safety and crash consistency are still not very clean. The specification of what is an "atomic" action (*indivisible* w.r.t. thread switches, interrupts, and crashes) is still not particularly perspicuous in Rust. We are not yet in an era where Rust is a result of ACID. https://en.wikipedia.org/wiki/ACID
Don't rain on the AI parade! AI is currently an infinite source of CS theses: develop/train an AI model to do X; then another student thesis pokes holes in that AI model in order to 'hack' it. The wonderful thing: the student/developer doesn't have to *think*; just find a sufficiently large database and use multiple bitcoins' worth of CPU/GPU cycles to do your thinking for you! Re: "Most AI systems are black box models" That's their *advantage*! You develop an AI model to determine who gets bail, who gets parole, who gets 911 service, who gets a loan, who gets admitted into your college, and *no person (or politician) is at fault*. We love AI not because of its superior performance, but because it is the ultimate scapegoat (scAIpegoat ??). My favorite AI example: train an AI to recognize a single 256-bit number chosen 'at random' (https://xkcd.com/221/). The chances of including that particular number in "randomly chosen" training samples is effectively zero, so my AI model gives you a constant function *no*. It's correct for nearly all universes, and therefore good enough for government work.

"... Computer scientists don't have to worry about the world. They don't have to develop theories of the world and then build tools to test it. Rather, they just build tools to satisfy their own worlds. Ask a computer science graduate student what his or her thesis is and the best they can answer is that the program or machine they are working on will be a good thing to have..." —Chuck Thacker, in "Fumbling the Future: How Xerox Invented, Then Ignored, the First Personal Computer" https://amzn.to/3EmrlH4
Getting the same five numbers twice in one day is described as a 1 in 330 billion chance, but the odds of guessing the five numbers correctly are given as 1 in 575,757. To get the same five numbers twice in one day simply requires that the machine doing the evening draw simply has to *win the lottery* for the midday draw: so the actual chance of getting the same numbers twice for a particular lottery on a particular day is simply 1 in 575,757. Given the number of city, state and national lotteries and the number of days in a year, such an event is likely to happen in a few years. For example, if there are 100 lotteries then there is around a 50% chance of duplicate numbers occurring some time within 10 years. Here's where it gets a bit more interesting: *The New York Post* article says "Thursday's drawing for the game amazingly yielded the numbers 18, 21, 30, 35, and 36 during both the midday and evening drawings--the odds of which experts put at more than 1 in 330 billion." Now, technically, this is correct: the odds of getting *that particular sequence of numbers* twice on that particular day with that particular lottery are indeed 330 billion to 1. But the first draw had to have *some* set of numbers: so drawing the same set of numbers twice in the same day is not the same as drawing a specified set of numbers twice in one day. Did the journalist knowingly mislead their readers by writing something technically correct, knowing that it would be interpreted as saying something about getting the same numbers twice in a row? Or did the journalist mis-calculate and not notice their absurdly inaccurate result because humans have difficulty in comprehending really large numbers? If there was a verified written prediction which read: "On Thursday 27th October the New York Lottery numbers will be 18, 21, 30, 35, 36 on both the midday and evening draw", then that prediction would have a 1 in 331 billion probability of being correct by chance.
But the chance of the evening drawing matching the midday drawing is the same as the chance of your numbers matching the midday drawing, which is the same as the chance of winning the jackpot. If the chance of winning the jackpot ($37,206 prize fund total for Thursday evening) was really 330 billion to 1, then it is extremely unlikely that anyone would ever win and I think most people would give up playing! So you don't need to know anything about how many numbers are drawn or what the range of numbers are in order to deduce that the *1 in 330 billion chance of duplicate numbers on the same day* just *cannot* be correct. [Amos Shapir came up with similar reasoning. PGN]
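The reasoning above, worked through in code as an added example that is not part of the original item. It assumes the game draws 5 distinct numbers from a pool of 39, which is the pool size that reproduces the quoted 1 in 575,757 single-draw odds; it then checks the three probabilities the item contrasts, including the birthday-style estimate for 100 lotteries over 10 years.

```python
from math import comb

# Assumed game: 5 distinct numbers out of 39. This is an assumption made for
# the example; it is the pool size that gives C(39, 5) = 575,757 draws.
POOL, PICK = 39, 5


def outcomes(pool: int = POOL, pick: int = PICK) -> int:
    """Number of equally likely draws: C(pool, pick)."""
    return comb(pool, pick)


def odds_named_set_twice(n: int = outcomes()) -> float:
    """P(a *pre-specified* set comes up in both the midday and evening draw).

    Both draws must hit the named set independently, so the probability is
    (1/n)^2. This is the "1 in 330 billion" figure the newspaper quoted.
    """
    return 1.0 / (n * n)


def odds_any_set_twice(n: int = outcomes()) -> float:
    """P(the evening draw equals whatever the midday draw produced).

    The midday draw fixes *some* set; the evening draw then has to match it,
    which is exactly the single-draw jackpot odds, 1/n. No second factor.
    """
    return 1.0 / n


def odds_duplicate_somewhere(lotteries: int, years: int, n: int = outcomes()) -> float:
    """P(at least one same-day duplicate across many lotteries and days).

    Each lottery-day is an independent trial with success probability 1/n.
    For k trials, P(no duplicate) = (1 - 1/n)^k, so P(at least one) is
    1 - (1 - 1/n)^k, which for large n is close to 1 - exp(-k/n).
    """
    trials = lotteries * 365 * years
    return 1.0 - (1.0 - 1.0 / n) ** trials


if __name__ == "__main__":
    print(f"possible draws:  {outcomes():,}")
    print(f"named set twice: 1 in {1 / odds_named_set_twice():,.0f}")
    print(f"any set twice:   1 in {1 / odds_any_set_twice():,.0f}")
    print(f"duplicate in 100 lotteries over 10 years: "
          f"{odds_duplicate_somewhere(100, 10):.0%}")
```

The last figure lands at roughly 47%, which is the "around 50% within 10 years" estimate in the item; the two "1 in ..." lines differ by a factor of 575,757, which is the whole dispute.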
Satellite monitors discovered two vessels with their trackers turned off in the area of the pipeline prior to the suspected sabotage in September. https://www.wired.com/story/nord-stream-pipeline-explosion-dark-ships/
Read the small print! I was delighted to read the Mashable item, telling me that I can delete Meta's contact information. (I am not a Meta user.) Sure enough Meta has my information. Well I *was* delighted *until* I read *Information for people who don't use Meta Products* (https://www.facebook.com/help/637205020878504), where I learned that: "We retain Non-User's personal information for as long as needed... *including after you ask us to erase it.* This includes for legal reasons ..." and for those of us living in the EU, and who assume some level of privacy protection: "*Non-Users'* information will be transferred or transmitted to, or stored and processed in, the United States or other third countries outside of where they live for the purposes described in this Data Notice." So there!
I tried that. I never gave Meta my contact info, but I'm suspicious that they might have found it other ways. But I did not use the Mashable link. I searched the help on FB. When I got to the removal tool, it asked for a number or email to send a confirmation code to verify my identity. I did that, but the code never arrived. No explanation or error appeared. Hmmm.

- Could Meta use this tool for phishing to collect your contact info if it doesn't already have it?
- Might two-factor confirmation codes on other sites be used for phishing?
- Could Meta be protecting us against bad guys who might trick Meta into sending messages to my contacts?
- Might it be that the tool doesn't work if Meta never had your contact info in the first place as a security measure? A code can't verify my identity if Meta doesn't know my number or email.

So, now I fear that I have been phished. Worse: I have never used my real name on FB, but now I fear that I just revealed a way to link my identity to my FB username. Resistance is futile. :-(