Vint Cerf Helped Create the Internet on the Back of an Envelope. Now He's Calling for More Critical Thinking About How We Use It
Emily Bobrow, The Wall Street Journal, 16 Dec 2022 via ACM TechNews, 19 Dec 2022
Google Chief Internet Evangelist and 2004 ACM A.M. Turing Award co-recipient Vint Cerf helped invent the Internet but acknowledges its downsides, including its use for spreading misinformation and disinformation. Cerf says addressing this “propagation problem” requires Google and similar companies to better “understand how these mechanisms influence the way people behave.” He observes that although commercialization has broadened the Internet's scope, feedback algorithms appear to be directing people toward “more divisive and extreme stuff.” Cerf urges more critical thinking to rein in the Internet's sociological and psychological effects, while businesses must make better efforts to contain online trolling, lying, bullying, and surveillance.
According to prosecutors, two Queens men, Daniel Abayev and Peter Leyman, worked with Russian hackers to gain access to the taxi dispatch system for New York's JFK airport. They then allegedly created a group chat where drivers could secretly pay $10 to skip the sometimes hours-long line to be assigned a pickup—about a fifth of the $52 flat fee passengers pay for rides from the airport to elsewhere in NYC. The indictment against the two men doesn't name the Russians or detail exactly how they gained access to JFK's dispatch system. But it notes that since 2019, Abayev and Leyman allegedly schemed to get access to the system by multiple methods, including bribing someone to insert a USB drive with malware into one of the dispatch operators' computers, gaining unauthorized access to their systems via Wi-Fi, and stealing one of their tablet computers. “I know that the Pentagon is being hacked,” Abayev wrote to his Russian contacts in November 2019, according to the indictment, “So, can't we hack the taxi industry[?]”
Before the scheme was shut down, prosecutors say it was enabling as many as a thousand fraudulent line-skips a day for drivers,
https://www.wired.com/story/russia-jfk-taxi-hack-security-roundup
[Monty noted this: https://www.theverge.com/2022/12/22/23522275/nyc-russian-hack-jfk-airport-taxi-dispatch-system ]
By Kashmir Hill, John Ismay, Christopher F. Schuetze and Aaron Krolik, The New York Times, 27 Dec 2022
https://www.nytimes.com/2022/12/27/technology/for-sale-on-ebay-a-military-database-of-fingerprints-and-iris-scans.html
The shoebox-shaped device, designed to capture fingerprints and perform iris scans, was listed on eBay for $149.95. A German security researcher, Matthias Marx, successfully offered $68, and when it arrived at his home in Hamburg in August, the rugged, hand-held machine contained more than what was promised in the listing.
The device's memory card held the names, nationalities, photographs, fingerprints and iris scans of 2,632 people.
Senior lawmakers said they would investigate the government's purchase and use of powerful spyware made by two Israeli hacking firms, as Congress passed a measure in recent days to try to rein in the proliferation of the hacking tools.
Representative Adam Schiff, the California Democrat who is chairman of the House Intelligence Committee, sent a letter last week to the head of the Drug Enforcement Administration asking for detailed information about the agency's use of Graphite, a spyware tool produced by the Israeli company Paragon.
“Such use could have potential implications for U.S. national security, as well as run contrary to efforts to deter the broad proliferation of powerful surveillance capabilities to autocratic regimes and others who may misuse them,” Mr. Schiff wrote in the letter.
Graphite, like the better-known Israeli hacking tool Pegasus, can penetrate the mobile phones of its targets and extract messages, videos, photos and other content. The New York Times revealed this month that the DEA was using Graphite in its foreign operations. The agency has said it uses the tool legally and only outside the United States, but has not answered questions about whether American citizens can be targeted with the hacking tool.
https://www.nytimes.com/2022/12/28/us/politics/spyware-israel-dea-fbi.htm
Erin Keller, The New York Post, 28 Dec 2022
A German TikToker, who goes by the name @dankeunextgay on the platform, is going viral for detailing the juicy documents and photos he claims to have found on a $15 Apple Time Capsule he allegedly purchased from the thrift retailer.
In his 14 Dec 2022 video, the TikToker showed viewers his MacBook being backed up by the previous owner's files that dated back to 2010, when the wireless router was reportedly last used.
InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online—using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.
https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/
The extreme cold, ice and snow grounded planes and left some crew members stranded, so Southwest's crew schedulers worked furiously to put a new schedule together, matching available crew with aircraft that were ready to fly. But the Federal Aviation Administration strictly regulates when flight crews can work, complicating Southwest's scheduling efforts.
“The process of matching up those crew members with the aircraft could not be handled by our technology,” Watterson said.
Southwest ended up with planes that were ready to take off with available crew, but the company's scheduling software wasn't able to match them quickly and accurately, Watterson added. “As a result, we had to ask our crew schedulers to do this manually, and it's extraordinarily difficult. That is a tedious, long process.” Watterson noted that manual scheduling left Southwest building an incredibly delicate house of cards that could quickly tumble when the company encountered a problem. “They would make great progress, and then some other disruption would happen, and it would unravel their work. So, we spent multiple days where we kind of got close to finishing the problem, and then it had to be reset.”
https://amp.cnn.com/cnn/2022/12/27/business/southwest-airlines-service-meltdown/index.html
[Richard Marlon Stein noted this item: Southwest didn't heed calls to upgrade tech before meltdown, unions say https://www.washingtonpost.com/transportation/2022/12/28/southwest-airlines-flight-cancellations/ “The tools we use to recover from disruption serve us well, 99 percent of the time,”
Department of Justice U.S. Attorney's Office Southern District of New York, 20 Dec 2022
At all relevant times, taxi drivers who sought to pick up a fare at JFK were required to wait in a holding lot at JFK before being dispatched to a specific terminal by the Dispatch System. Taxi drivers were frequently required to wait several hours in the lot before being dispatched to a terminal and were dispatched in approximately the order in which they arrived at the holding lot.
Beginning in 2019, ABAYEV and LEYMAN explored and attempted various mechanisms to access the Dispatch System, including bribing someone to insert a flash drive containing malware into computers connected to the Dispatch System, obtaining unauthorized access to the Dispatch System via a Wi-Fi connection, and stealing computer tablets connected to the Dispatch System.
https://www.theverge.com/2022/12/20/23517973/ring-doorbells-swatting-yahoo-email-arrest
https://news.yahoo.com/videos-teslas-malfunctioning-below-freezing-215149907.html
https://www.washingtonpost.com/education/2022/12/21/maryland-529-college-tuition-savings/
Maryland, like most US states, offers a college savings plan. The calculations of account values seem to have been incorrect, and the state is having a hard time figuring out the correct values. In the meantime, accounts are frozen, as is the ability to make withdrawals to pay for college.
The only thing surprising about this to me is that it doesn't happen more often—the calculations for value must be pretty complex, and once a small bug gets in, figuring out the right numbers can't be easy.
Ransomware has shutdown the ALMA Observatory for over a month.
https://physicstoday.scitation.org/do/10.1063/PT.6.2.20221212a/full/
OPINION: With every Windows release, Microsoft promises better security. And, sometimes, it makes improvements. But then, well then, we see truly ancient security holes show up yet again.
https://www.zdnet.com/article/windows-still-insecure-after-all-these-years/
On cybercrime forums, user complaints about being duped may accidentally expose their real identities.
Pretty funny: Nobody is immune to being scammed online—not even the people running the scams. Cybercriminals using hacking forums to buy software exploits and stolen login details keep falling for cons and are getting ripped off thousands of dollars at a time, a new analysis has revealed. And what's more, when the criminals complain that they are being scammed, they're also leaving a trail of breadcrumbs of their own personal information that could reveal their real-world identities to police and investigators.
Hackers and cybercriminals often gather on specific forums and marketplaces to do business with each other. They can advertise upcoming work they need help with, sell databases of people's stolen passwords and credit card information, or tout new security vulnerabilities that can be used to break into people's devices or systems. However, these deals often don't go to plan.
The new research, published today by cybersecurity firm Sophos, examines these failed transactions and the complaints people have made about them. “Scammers scamming scammers on criminal forums and marketplaces is much bigger than we originally thought it was,” says Matt Wixey, researcher with Sophos X-Ops who studied the marketplaces.
https://www.wired.com/story/cybercrime-hackers-scams-forums/
Emma D'Agostino, ABC News Australia, Updated 1 Jan 2023
The City of Melbourne is investigating how much of a system for reporting graffiti, using QR codes, has been vandalised. … QR codes posted around the Melbourne CBD have been overlaid with alternative codes. These codes, which the ABC has seen, lead to a documentary about hip hop culture on YouTube that explores graffiti as part of hip hop culture.
Melbourne Lord Mayor Sally Capp said it was not yet known how many of the QR codes had been vandalised, but believed it was still small in number.
The model is adept at negotiation and trickery. One expert called it “super scary.”
https://www.washingtonpost.com/technology/2022/12/01/meta-diplomacy-ai-cicero/
[A Roomba cleaning robot with an imaging camera; what could possibly go wrong?]
Eileen Guo, 19 Dec 2022
A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook?
In the fall of 2020, gig workers in Venezuela posted a series of images to online forums where they gathered to talk shop. The photos were mundane, if sometimes intimate, household scenes captured from low—including some you really wouldn't want shared on the Internet.
In one particularly revealing shot, a young woman in a lavender T-shirt sits on the toilet, her shorts pulled down to mid-thigh. The images were not taken by a person, but by development versions of iRobot's Roomba J7 series robot vacuum. They were then sent to Scale AI, a startup that contracts workers around the world to label audio, photo, and video data used to train artificial intelligence. […]
Li-ion batteries are “pretty unique fire hazards,” said a spokesperson for the National Fire Protection Association.
An increase in battery fires linked to electric bicycles has caught the attention of municipal and federal officials, who point to public education rather than bans as the best way to keep people safe.
As of late December, there were 206 e-bike fires in New York City in 2022, more than double the number of fires that occurred the year prior, according to a New York Fire Department spokesperson. Those e-bike fires are blamed for 142 injuries in 2022, almost 80% more than in 2021, and six deaths. In 2020, there were just 44 e-bike fires, which were associated with 23 injuries and no deaths, the department said.
Megaconstellations promise a steady flow of de-orbiting debris. Can the sky take it?
Space hardware tumbling out of orbit may lead to unforeseen environmental and climate impacts. Due to the growing scale and pace of launch activities, what is needed is better monitoring of the situation, as well as regulation to create an environmentally sustainable space industry.
Making that case is Jamie Shutler, associate professor of Earth observation at the University of Exeter, Cornwall.
Shutler and colleagues authored the research paper Atmospheric Impacts of the Space Industry Require Oversight in the August issue of the journal Nature Geoscience.
Decreased satellite costs have led to large spacecraft constellations, thereby creating a constant flow of de-orbiting debris as craft die and are replaced. “This debris could double the annual injection of aerosol particle mass into the mesosphere,” the paper explains, thereby increasing the number of aluminum particles that can reach the stratosphere, where they promote ozone loss.
Shutler told SpaceNews, “We are now realizing the full benefits of access to space, but our understanding of the environmental impact of these activities is currently limited. Maximizing these benefits whilst minimizing the environmental impact is likely to become increasingly important for science and industry.” […]
https://spacenews.com/studies-flag-environmental-impact-of-reentry/
The U.S. government says replacing staff with automation and remote monitoring saves taxpayers money. Some workers fear accidents and cyberattacks.
https://www.wired.com/story/a-fight-over-automation-plans-at-us-hydroelectric-dams
Maybe Tesla's full-function utterly safe automatic driving software can be adapted to run hydro dams…
Children don't know about the Internet. They don't know that their images are going to live on forever.
People with little to no cellphone service, particularly in rural areas, face danger as storms approach and they are unable to receive alerts and make calls.
https://www.washingtonpost.com/climate-environment/2022/12/21/weather-alerts-storms-disasters/
https://www.theregister.com/2022/12/15/ddos_sites_takedown_fbi_europol/
Police said they expect other devices to be found in the city and beyond. Card skimming devices are used to steal personal financial information.
https://www.boston.com/news/local-news/2022/12/22/card-skimming-devices-found-7-eleven-boston/
https://www.theverge.com/2022/12/23/23524555/google-calendar-ios-android-app-spam-events
https://www.theregister.com/2022/12/16/on_call/
Bad Santa does facial recognition at Radio City Music Hall (owned by James Dolan, as is MSG Entertainment):
He sees you when you are suing
He knows when you litigate
He knows if you've been bad or good
So be good for goodness sake

You better watch out, you better not cry
You better not pout, I'm telling you why
Santa Claus is kicking you down town
Celsius is bankrupt, with liabilities that are hugely greater than its assets. So they're selling what can be sold—such as subsidiaries that are solvent going concerns.
Celsius bought Israeli crypto custody company GK8 in October 2021 for $115 million—$100 million in cash, and the rest in their own CEL tokens. Now Celsius wants to sell GK8 to Mike Novogratz's Galaxy Digital for $44 million, plus $100,000 assumed liabilities (debts that Galaxy will be responsible for). This is a huge loss—but Galaxy was the only qualified bidder. […]
It's important to keep in mind that this week's hearings have been furious arguments over the alignment of the deck chairs on the Titanic. But the iceberg is still there. Celsius is flat broke. There's no business. There are pennies left for creditors at best. Celsius is a shambling zombie. It should have been liquidated in July.
https://amycastor.com/2022/12/10/celsius-hearing-december-8-selling-gk8-to-galaxy-digital/
I sure can't completely follow these narratives but the writing is brilliant and details are grimly laughable.
CoinDesk spoke to several current and former FTX and Alameda employees who agreed to talk on the condition of anonymity, citing ongoing harassment and death threats due to the exchange's solvency issues. And they said essentially this: It's a place full of conflicts of interest, nepotism and lack of oversight.
“The whole operation was run by a gang of kids in the Bahamas,” a person familiar with the matter told CoinDesk on the condition of anonymity.
FTX and Alameda employees CoinDesk interviewed say they have been kept in the dark about the events of the past week, adding that only CEO Bankman-Fried's inner circle may have had knowledge that the exchange, as reported by the Wall Street Journal, siphoned customer funds into corporate sibling Alameda.
Things are falling apart for Sam Bankman-Fried, the FTX founder who allegedly defrauded investors before filing bankruptcy and spelling financial ruin for crypto investors, including, as my colleague Ali Breland has reported, those who weren't very rich to start out with.
Yesterday, SBF, as he's known, was arrested in the Bahamas. Today, federal prosecutors filed eight charges against him, including wire fraud, money laundering, and making illegal campaign donations. This is all very bad, but I have mainly been interested in SBF's apparent relationships with co-workers and business associates, which, as Intelligencer pointed out, are more than just salacious details and actually pretty important to understanding the company's power dynamics.
While it's easy to dismiss the plight of people who invested in cryptocurrency, you can't really blame people for investing in get-rich-quick schemes when wealth inequality is widening and home ownership is a pipe dream for many members of the younger generations. “The moral question upon seeing the gap between owners and buyers, between the poor and ultra-rich, between capitalist owners and workers, is how do we end it?” Ali wrote last year. “Yet in an economy where most people work long hours, are struggling to get by, and have deeply internalized the status quo, that question becomes: How do I get in?”
https://link.motherjones.com/view/5eb475c1b01fd7378a674535hufgc.sdi/02467db4
Not all victims were downtrodden proles. How about the well-off who should have known better? Or did, just figuring there'd be bigger fools to buy them out nicely. Then the music stopped.
Meanwhile, a former top Twitter official fled his home amid attacks following Musk tweets.
https://www.washingtonpost.com/technology/2022/12/12/musk-twitter-harass-yoel-roth
Okay, enough with the stories of rats chewing through data cables and squirrels self-immolating to cause power blackouts. Here's a story of cats disrupting satellite Internet service because they discovered that Elon Musk's Starlink dishes are heated (to prevent snow build-up disrupting Satellite Internet service [!!!]). Cute cat pix included.
How Bots Pushing Adult Content Drowned Out Chinese Protest Tweets
https://www.nytimes.com/interactive/2022/12/19/technology/twitter-bots-china-protests-elon-musk.html
Okta had another security incident, this time involving stolen source code
https://www.engadget.com/okta-stolen-source-code-205601214.html
ALSO:
Okta says source code for Workforce Identity Cloud service was copied (Ars Technica)
https://twitter.com/AlexEpstein/status/1606347326624215040
Kyle Wiggers, TechCrunch, 28 Dec 2022, via ACM TechNews, 30 Dec 2022
Software engineers who use code-generating artificial intelligence (AI) systems are more likely to cause security vulnerabilities in the apps they develop, according to researchers affiliated with Stanford University. Their study looked at Codex, an AI code-generating system developed by research lab OpenAI. The researchers recruited developers to use Codex to complete security-related problems across programming languages, including Python, JavaScript, and C. Participants who had access to Codex were more likely to write incorrect and insecure solutions to programming problems compared to a control group, and they were more likely to say that their insecure answers were secure compared to the people in the control.
An article in The Register (including the word ‘boffins’) describes two papers that show that programmers using Co-Pilot think they write more secure code, but actually are doing the opposite:
https://www.theregister.com/2022/12/21/ai_assistants_bad_code/
Does this suggest that if Skynet becomes a reality, it can be hacked? More likely, that the training code used for Co-Pilot started out as insecure and buggy.
I'm surprised ChatGPT—AI generally—didn't suggest self-regulation. The AI-authoring industry appears to favor that approach versus explainability via Hagras' criteria (https://www.researchgate.net/publication/328088140_Toward_Human-Understandable_Explainable_AI) or the equivalent.
New bot ChatGPT will force colleges to get creative to prevent cheating, experts say
Those who work with AI in their classrooms said they're not panicking about ChatGPT, which went viral after its launch last week.
https://www.nbcnews.com/tech/chatgpt-can-generate-essay-generate-rcna60362
> I have no idea how many computer science curricula include relevant
> courses today.
ABET certification requires coverage of ethics. The ACM/IEEE curricular recommendations include ethics. So, common curricula generally include the topic.
Of course, that doesn't mean that it is covered in any meaningful way. I know some institutions give it only a passing mention. At others, it is likely a topic at the end of some courses that is viewed as expendable when there is more to cover from the syllabus than there is class time in the semester. Thankfully, this is not the case everywhere.
I haven't found meaningful coverage in many textbooks, which means it is easy to overlook. For faculty who are uncomfortable with the topic, or who have no experience in presenting it, this often means the topic is given superficial (if any) coverage in classes.
In a sense, professional ethics is a CS topic similar to writing safe code: It is in the syllabi at most schools but given only a vague hand wave at too many schools because the potential employers of students are more interested in a few more weeks of instruction in some fad topic. In the view of faculty, students are more likely to get employed if they know how to build a blockchain or ML system rather than spend time learning how to employ them in an ethical manner, and recent news continues to illustrate the problems with that approach.
To relate a particular positive example: I include a section on professional ethics in every course I have taught at Purdue since I got here 35 years ago. I have created both an undergrad and a grad course that include multi-week discussions of ethics (and bias, logical fallacies, and misinformation, among other topics) that seem to be well-received by students, although both are electives. A decade ago, the department adopted an ethics requirement for grad students. This involves an introductory lecture that I give and a requirement to complete the CITI course on responsible conduct of research.
I'm told by people at companies and government agencies (and by alumni) that they wish other schools devoted time and resources to the topic the way we do. Meanwhile, I know we could do more at the undergrad level.
(I'm writing this as someone who has participated in the development of the last 2 iterations of the ACM Code of Professional Ethics, as an attendee of Terry Bynum's ‘81 conference[*], and as leader of ACM's committee on publication ethics. So I cannot make any claim to being a typical faculty member in this regard or that the Purdue experience is more generalizable.)
The science-fiction stories of rogue AI, concerns about autonomous weapons systems, issues of cryptocurrency fraud, and the other topics we have seen for decades in RISKS (thanks, Peter) are not solely traceable to technical faults—or even primarily traceable to the technology. They are based on choices and decisions by people who, too often, are thinking about whether they can do something rather than whether it is proper to do those things, and evaluating the consequences.
We can definitely do better.
[Thanks, Spaf. Having known you for so long, this is very helpful. Please note: Ethics, Liability, and Responsibility (Gene Spafford), RISKS-5.60 18 Nov 87 * Also, two of Terry Bynum's meetings that we both attended were NSF Ethics Panel, 1 Nov 1989 at SRI WashDC, and The National Conference on Computing and Values, 12-16 Aug 1991 New Haven. PGN]
> A more interesting question is, “What would Joe Weizenbaum think about
> ChatGPT?” I think he would be turning over in his grave seeing his
> lessons about Eliza forgotten.

An even more interesting question is, “Would anyone trust that technology if the results mattered?” Who?
Re: Pretty Smart AI (RISKS-33.58)
Steve Bacher <sebmb1@verizon.net>
Tue, 20 Dec 2022 13:06:23 -0800

> Q: What is the difference between lento and adagio?
> A: Lento is a tempo marking that indicates a slow and leisurely pace, while
> adagio is a tempo marking that indicates a slower and more solemn pace.
> C: Correct.
> G: Lento—slowly (40–45 BPM)
>    Largo—Broadly (45–50 BPM)
>    Adagio—slow and stately (literally, at ease) (55–65 BPM)

(Those answers appear inconsistent with one another. Google demonstrates that adagio is faster than either lento or largo, but GPT-3's response seems to claim that adagio is slower than lento. Maybe GPT-3 is going by the principle that “slow” is slower than “slower,” but that's not how one reads it when the statements are adjacent to one another.)