https://www.nytimes.com/2023/03/08/opinion/noam-chomsky-chatgpt-ai.html Jorge Luis Borges once wrote that to live in a time of great peril and promise is to experience both tragedy and comedy, with “the imminence of a revelation” in understanding ourselves and the world. Today our supposedly revolutionary advancements in artificial intelligence are indeed cause for both concern and optimism. Optimism because intelligence is the means by which we solve problems. Concern because we fear that the most popular and fashionable strain of AI—machine learning—will degrade our science and debase our ethics by incorporating into our technology a fundamentally flawed conception of language and knowledge.
Tripp Mickle, Cade Metz, and Nico Grant, *The New York Times*, 9 Mar 2023 A scramble to assess the impact of AI. [It seems to be a nice enumeration of many of the problems created such as disrupting cloud providers, advertisers, and e-commerce sales (each discussed in considerable detail), questionable trustworthiness, legal implications, ownership, etc. “No one knows where the courts will draw the lines.”—quoting Bradley J. Hulbert. PGN-ed]
https://techxplore.com/news/2023-03-dataset-poisoning-corrupt-ai-results.html “The research team calls this type of attack split view poisoning. Testing showed that such an approach could be used to purchase enough URLs to poison a large portion of mainstream AI systems, for as little as $10,000. “There is another way that AI systems could be subverted—by manipulating data in well-known data repositories such as Wikipedia. This could be done, the researchers note, by modifying data just prior to regular data dumps, preventing monitors from spotting the changes before they are sent to and used by AI systems. They call this approach front-running poisoning.” As AI proliferates, overtrust—reliance on output—elevates the training dataset's provenance and bona fides to bound false positive/negative outcomes. If applied to image diagnosis (mammograms, CAT/MRI, etc.), a patient should be entitled to a traceable explanation to supplement the physician's review and concurrence or dispute of platform output.
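Split-view poisoning works because a dataset distributed as a list of URLs is re-fetched later, by which time the content behind a URL may have been replaced (the domain re-purchased, as the item describes, or the file swapped). The check a practitioner would want is a content hash pinned in the index at curation time and verified at fetch time. The script below is an added example, not code from the RISKS item or from the research it reports; the index format ("<url> <sha256-hex>" per line) and the local stand-in files for fetched content are assumptions so that it runs offline.

```bash
#!/bin/sh
# Added example (not from the RISKS item or the research it reports).
# Assumed index format: one "<url> <sha256-hex>" per line, where the hash is
# the SHA-256 of the content the curator saw. Fetched content is stood in for
# by local files named after the last path component of the URL.

# Print the SHA-256 of a file, using whichever tool the host provides.
hash_file() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# verify_index INDEX DIR: for each index entry, look for DIR/<basename of
# URL> and compare its hash with the pinned one. Prints one line per entry
# (OK, MISMATCH, MISSING) and returns 0 only if every entry is OK. A MISMATCH
# is exactly the split-view case: the bytes differ from what was curated.
verify_index() {
    index="$1"; dir="$2"; bad=0
    while read -r url want; do
        [ -n "$url" ] || continue
        name="${url##*/}"
        if [ ! -f "$dir/$name" ]; then
            echo "MISSING  $url"; bad=$((bad + 1)); continue
        fi
        have="$(hash_file "$dir/$name")"
        if [ "$have" = "$want" ]; then
            echo "OK       $url"
        else
            echo "MISMATCH $url"; bad=$((bad + 1))
        fi
    done < "$index"
    [ "$bad" -eq 0 ]
}

# Stand-alone demo with constructed data: one pinned entry that still
# matches, one whose content was swapped after curation, one never fetched.
demo() {
    d="$(mktemp -d)"
    mkdir "$d/fetched"
    printf 'hello\n' > "$d/fetched/a.txt"
    printf 'replaced\n' > "$d/fetched/b.txt"
    h="$(hash_file "$d/fetched/a.txt")"
    cat > "$d/index.txt" <<EOF
http://example.org/data/a.txt $h
http://example.org/data/b.txt $h
http://example.org/data/c.txt $h
EOF
    verify_index "$d/index.txt" "$d/fetched" || echo "index verification FAILED"
    rm -rf "$d"
}
demo
```

The hash must be recorded by whoever curated the dataset and distributed with the index; a hash computed by the fetcher itself proves nothing. Note that this bounds split-view poisoning only; front-running poisoning of a repository like Wikipedia happens before the curator's snapshot and so passes this check.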
Matthew Hutson, *IEEE Spectrum*, 6 Mar 2023, via ACM TechNews, March 8, 2023 Computer scientists are developing more advanced algorithms for generating synthetic content, at the same time they are creating counter-algorithms to detect such content. Intel's Real-Time Deepfake Detector, slated for release this spring, will include FakeCatcher, which can identify facial changes due to blood flow. Developed by researchers at Intel and Binghamton University, FakeCatcher cannot be reverse-engineered easily to train a generation algorithm to get better at fooling it. Among other detection tools, researchers at the University of Florida developed a system that models the human vocal tract and can determine if an audio recording is biologically plausible. When it comes to detecting synthetic text, the University of Maryland's Tom Goldstein said the diversity in how people use language and a dearth of signal means it likely will lag other forms of detection.
https://www.theverge.com/2023/3/8/23630358/tesla-steering-wheel-bolt-nhtsa-model-y
https://www.bloomberg.com/news/articles/2023-03-11/usd-coin-stablecoin-falls-further-from-peg-on-svb-exposure-risk?srnd=premium&sref=zVYYYI5e

Also: Roku, Roblox and others disclose their exposure to SVB in SEC filings (TechCrunch)
https://techcrunch.com/2023/03/11/roku-roblox-and-others-disclose-their-exposure-to-svb-in-sec-filings/

More than 85% of Silicon Valley Bank's Deposits Were Not Insured
https://time.com/6262009/silicon-valley-bank-deposit-insurance/

[Monty Solomon noted this relevant item: Here's how much of your bank deposits are FDIC protected: Michelle Singletary, *WashPost*
https://www.washingtonpost.com/business/2023/03/10/faq-fdic-insurance/ PGN]
Ryan Naraine, *Security Week*, 10 Mar 2023 https://www.securityweek.com/blackbaud-fined-3m-for-misleading-disclosures-about-2020-ransomware-attack/ [Among other things, Blackbaud had insisted there had been no leakage of customer information, which actually impacted 1300 customers. The original notice has since disappeared. PGN]
https://riskybiznews.substack.com/p/risky-biz-news-canadas-tax-revenue The Canada Revenue Agency (CRA), the tax department of Canada, recently updated its terms and conditions to force taxpayers to agree that CRA is not liable if their personal information is stolen while using the My Account online service portal—which, ironically, all Canadians must use when doing their taxes and/or running their business. The CRA's terms of use assert the agency is not liable because they have “taken all reasonable steps to ensure the security of this Web site.”
Ryan Nobles, Frank Thorp V, Zoë Richards and Kevin Collier, NBC News https://www.nbcnews.com/politics/congress/data-breach-hits-lawmakers-staff-capitol-hill-rcna74061 House Chief Administrative Officer Catherine L. Szpindor said the breach at the DC Health Exchange did not appear to target members of Congress. The Senate was also affected. The actual quote is somewhat less reassuring: “Currently, I do not know the size and scope of the breach, but have been informed by the Federal Bureau of Investigation (FBI) that account information and [personally identifiable information] of hundreds of Member and House staff were stolen.” Szpindor added that it did not appear that House lawmakers were “the specific target of the attack” on DC Health Link*. [PGN-ed] [* Just everyone using the Health Exchange used by Congress! PGN]
https://arstechnica.com/information-technology/2023/03/security-researchers-are-again-in-the-crosshairs-of-north-korean-hackers/
https://krebsonsecurity.com/2023/02/hackers-claim-they-breached-t-mobile-more-than-100-times-in-2022/
https://krebsonsecurity.com/2023/02/when-low-tech-hacks-cause-high-impact-breaches/
https://www.engadget.com/tiktok-whistleblower-claims-us-data-privacy-efforts-are-seriously-flawed-211255093.html
Payment apps and touch screens have made it easy for merchants to ask us for preset gratuity amounts. We don't need to succumb to the pressure. https://www.nytimes.com/2023/03/01/technology/personaltech/tipping-defaults-digital-payments.html
It seems that there are still a lot of businesses around who use systems (including industrial machinery and even passenger aircraft) which are 20-30 years old, and depend on floppy disks to get their data—and these are now running out. https://www.wired.co.uk/article/why-the-floppy-disk-just-wont-die
https://www.cbc.ca/news/business/indigo-workers-cyberattack-data-1.6776119 A union representing 200 employees of Indigo Books & Music Inc. is calling on the retailer to disclose more information about the scope of its recent data breach and offer additional support to staff affected. United Food and Commercial Workers International Union Local 1006A says it is *increasingly alarmed* by new information that has come to light about an 8 Feb 2023 cyberattack on Canada's biggest bookstore.
[Long item PGN-ed.]
https://www.wsj.com/articles/annoying-password-rules-actually-make-us-less-secure-a05edb70

Annoying Password Rules Actually Make Us Less Secure

Does your company network or a frequently visited website force you to come up with a new password because it has declared your old one is past its expiration date? If you find that annoying, you're not alone. What's worse: It's actually bad for cybersecurity, say researchers.

The scheduled-replacement policy is one of a number of poor or ineffective password practices that make logging into sites, apps and services more complicated and annoying than ever. We're not just talking about issues with government and corporate IT systems, though they can be among the worst offenders. Companies and services including Apple, Microsoft, Instagram and LinkedIn, among others, all have less-than-optimal password policies, according to a recent paper by researchers at Princeton University.

These password policies can increase the chance that individuals' accounts can be breached, especially if users aren't using additional means of securing their accounts, such as two-factor authentication, says Arvind Narayanan, a professor of computer science at Princeton and one of the authors of the paper on bad password policies.

Compelling routine password changes, for example, while a seemingly logical way to reset a password that may have been leaked, actually tends to make people more likely to choose weak passwords in the first place, according to numerous studies. Another flawed-but-common practice is to limit the combinations of characters one can use in a password, or compel users to include special characters in their passwords. It turns out those rules don't generally lead to more secure passwords, either. [...]

Making better security available isn't enough

Cybersecurity-savvy readers may, by now, be throwing up their hands in exasperation. Of course these are all bad password policies! But do they matter, if a person uses two-factor authentication on their most important accounts, and they're using a password manager to generate a unique and complicated password for everything they log into? (A password manager, which everyone should adopt, generates strong passwords, stores them and automatically enters them into apps and sites.) [...]

In sum, the key to making individuals and organizations more secure is to create cybersecurity policies that respect how people actually behave in the real world. “I think security has always been everybody's problem, but now we are realizing it. And I think a well-designed security system can help reduce the burden on the non-security experts on the team.”

[Dr. Lorrie Cranor, who is quoted heavily throughout the article. PGN] [WSJ article also noted by Monty Solomon. PGN]
Tim Arango and Jacey Fortin, *The New York Times*, 10 Mar 2023 https://www.nytimes.com/2023/03/10/us/car-thefts-kia-challenge-tiktok.html Violent crime is largely receding from pandemic highs, but cities face a surge in car thefts, driven in part by videos that show how to hot-wire models by Kia and Hyundai.
Essentially this bill turns the UK into Iran, North Korea, Russia, and China. And the U.S. is definitely next, with both the Left and Right on-board toward furthering their own ends. -L Also: Secure messaging apps line up to warn UK's Online Safety Bill risks web security https://techcrunch.com/2023/03/10/uk-osb-e2ee-warning/
I have mentioned that a number of people seem to think that my GMail email address, rslade@gmail.com, is theirs. I've received all kinds of email messages, over the years, from legitimate vendors and contacts, who have apparently been told to use rslade@gmail.com as the contact for a bunch of people who aren't me. Mostly I think it's just carelessness. I wonder, at times, if sometimes it could, partly, be part of a scam by someone who is hiding their own identity. I try to look at any of these messages from a variety of perspectives. Today I got a message from Eventbrite. It seems to be legitimately from Eventbrite. Someone bought tickets to *Terms of Endearment*--in Shanghai, China. (Ticket prices seem to be fairly steep in China: they are $23.17 each, according to the statement.) (Then again, it may be live theatre, rather than an old movie, so, in that case, it's pretty cheap.) Seven people seem to be going. The tickets are paid, by a MasterCard account that is not mine. The event seems to be about 22 hours from now, if the world clock Website that I use frequently is correct. I hope that they get in and enjoy the show. I'm pretty sure that there is no risk to me, and the only risk I can see is that they may not get in if they don't get the tickets. I do wonder why Eventbrite let them buy tickets on my account without knowing my password, but that is presumably Eventbrite's problem ...
https://madison.com/news/local/madison-city-council-looks-to-sue-kia-hyundai-for-making-it-too-easy-to-steal/article_3193e905-5ce7-51ef-a792-825df201cc00.html Madison City Council looks to sue Kia, Hyundai, for making it too easy to steal cars Since the article itself, dated 2023-03-07, is behind a paywall, I've copied it for you: The city of Madison [Wisconsin] is gearing up to sue car manufacturers Kia and Hyundai over the lack of anti-theft software in their vehicles after they accounted for nearly half of thefts of cars in the city last summer. City council members will take up a resolution Tuesday night over whether the city can retain outside counsel for a federal lawsuit for Kia and Hyundai's “role in creating a public nuisance,” a statement from the city said. Car thefts dropped by 5% <https://madison.com/news/local/crime-and-courts/we-do-have-a-safe-city-gunfire-car-thefts-down-in-madison-after-summertime-anti/article_efded0db-c166-57b4-8e8d-6cf6f3b76d62.html> in Madison last summer, compared to the prior year, but thefts of Kia and Hyundai cars increased by 270%, making up 45% of all stolen auto cases in July and August. Rates of Kia and Hyundai thefts are even higher in Milwaukee, where the two brands comprise 60% of all stolen autos. <https://www.jsonline.com/story/news/crime/2023/02/20/new-class-action-lawsuit-by-milwaukee-man-targets-kia-hyundai/69924626007/> The two brands are especially susceptible to theft because of a manufacturing flaw in less-expensive models that allows vehicles to be stolen even if a key isn't present. Viral TikTok challenges spearheaded by Milwaukee-based *Kia Boys* taught people how to take advantage of that flaw by starting the engine with a USB cable and a screwdriver. “Madison residents deserve better,” Mayor Satya Rhodes-Conway said in a statement. “These corporations cut corners and put people at risk. In their search for profits, they pushed the costs of keeping people safe off to cities like Madison. That's unacceptable.”
[IME, Mr. Dawkins's rant constitutes propaganda unworthy of RISKS. Nonetheless, I have a short response.] [It was worthy of RISKS precisely because it raised a lot of hackles -- with me as well, and I am delighted your zeurkous circus has chimed in. What worries me most is that you were the *only* one to respond. RISKS is *always* interested in smoking out falsehoods. PGN] In his rant, Mr. Dawkins falls into the common trap of defending science(tm) [insert Chester from the Bunnicula cartoons here] against political interference: from most scientists' point of view, science is supposed to dictate politics, not the other way around! Unsurprisingly, politicians often feel exactly the opposite, and this is thus a likely factor leading to Mr. Hipkins's intervention. Furthermore, I think it's very ironic of Mr. Dawkins to allege *special treatment* for the Maori when the colonists made themselves the exception from virtually the moment they arrived (and have been doing so ever since), at the near-total expense of the original human population! Now who needs *special treatment*, eh? The *forcing to learn* issue comes down to a discussion about unschooling and that, too, seems to be pretty off-topic for this list. Overall it would seem wise to move the discussion onwards from *how do we protect the institution of science against those barbarian politicians?* to *how can we be more empirical and less dogmatic?* If anything, science(tm) [insert Chester again] desperately needs the latter discussion, not the former. But the newspapers won't be interested. No shock value. I'm hoping better for this list.
I've been discussing this problem with Sylvestre Ledru, who has been *re-implementing* the so-called 'Core Utilities' in *Rust*. <sylvestre@debian.org> So far, he's been trying to implement compatibility with the Gnu Core Utils (but with fewer errors, of which there have been precious few for Gnu). But these Core Utilities form the basis of a computer *language* that is extensively used by Unix/Linux developers, and have never been completely systematized. For example, in the case of error conditions, one is never 100% sure what state the system will be left in. This isn't normally a problem for individual execution from an interactive user, but it becomes a serious problem in scripts. I have suggested that these *core utilities* have *clean composable semantics* with *predictable* results; including undoing any visible side-effects, when this makes sense. For example, one principle which might be helpful for *most* such utilities: either run to completion w/o errors, or reset the state to the situation prior to the start of execution. I.e., an *atomic* 'all-or-none' set of side-effects, along the lines of 'ACID' databases: https://en.wikipedia.org/wiki/ACID I realize this won't help when 'cd' errs out, but perhaps something like `cd foo && rm -rf` is the right solution? cd --help: Exit Status: Returns 0 if the directory is changed ... non-zero otherwise.
/set -euo pipefail/ That is a good idea and one I had not taken advantage of. However, one needs to be careful about the effects it may have on other parts of the script, including external scripts invoked from the script where you code the set command. Also, there are cases where you want to run a command and test its outcome (like access to a file or other resource) where continuation of the script is preferable at that point. Of course you can encase those sections of code inside a subshell with pipefail turned off. But care should still be taken with any global setting.
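The two messages above make three separate points: that `cd foo && rm -rf` is safe only because `cd` reports failure through its exit status; that `set -euo pipefail` changes what a failed pipeline means; and that a script sometimes needs to probe a command's outcome and carry on rather than abort. The script below is an added example (not code from either contributor) that exercises all three on a constructed scratch directory; the function names are mine.

```bash
#!/bin/bash
# Added example, not from either RISKS contributor. Bash is assumed because
# `pipefail` is a bash option. Runs against a constructed scratch directory.

# Point 1: cd returns non-zero when the directory is not changed, so the
# destructive command after && is skipped. The subshell also keeps the
# directory change from leaking into the caller. On failure the function
# returns cd's status and nothing has been removed.
safe_clean() {
    local dir="$1"
    ( cd -- "$dir" && rm -rf -- ./* )
}

# Point 2: without pipefail a pipeline's status is that of its last command,
# so `false | true` reads as success; with pipefail it is the status of the
# last command that failed. Each function prints that status. set +e inside
# the subshell lets the status be observed instead of aborting.
pipe_status_without_pipefail() {
    ( set +e; set +o pipefail; false | true; echo "$?" )
}
pipe_status_with_pipefail() {
    ( set +e; set -o pipefail; false | true; echo "$?" )
}

# Point 3: under set -e a bare failing command aborts the script, but a
# command tested by `if` (or followed by ||) does not, so a script can
# probe a resource and continue. Prints "readable" or "missing".
check_readable() {
    ( set -e
      if [ -r "$1" ]; then echo "readable"; else echo "missing"; fi )
}

# Stand-alone demo. The scratch directory and its files are constructed.
main() {
    local tmp
    tmp="$(mktemp -d)"
    touch "$tmp/a" "$tmp/b"
    safe_clean "$tmp" && echo "cleaned $tmp"
    safe_clean "$tmp/nope" 2>/dev/null || echo "cd failed, nothing removed"
    echo "false | true without pipefail: $(pipe_status_without_pipefail)"
    echo "false | true with pipefail:    $(pipe_status_with_pipefail)"
    echo "probe of absent file: $(check_readable "$tmp/absent")"
    rm -rf -- "$tmp"
}
main
```

Two caveats a practitioner should keep in mind. `set -e` is not inherited by functions or commands in a context where the status is being tested (the condition of an `if`, the left side of `&&`/`||`), which is exactly what makes point 3 work but also means a failure inside such a function is silently ignored. And the subshell form used above is the clean way to scope `set -o pipefail` or `set +e` to one section, as the second message suggests; a bare `set +o pipefail` in the middle of a script stays in force for everything after it, including sourced scripts.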
Vanguard uses whatever 2FA you have configured. If you don't like SMS (and you shouldn't), don't use it. I have my account configured to use a couple of FIDO keys and my phone as 2FA, no SMS. I wouldn't use BofA if they paid me, so no idea what their policy is.
There's nothing in this story relevant to this forum. It's not about a system problem; it's not about a computer issue. The clearance was proper, the readback was proper; the pilot just screwed up. [And that's not relevant? Isn't the TCAS technology supposed to prevent that? PGN]
>... So what's the weakness that might make me have to mess with 2FA? The obvious ones are that some piece of malware installs a keylogger on your computer, or you make an unfortunate typo and don't notice it in time, or your password vault has a bug and it leaks. (See messages about LastPass in recent RISKS digests.)
When this appeared in RISKS-33.64, the URL was omitted. https://www.politico.com/news/2023/03/07/privacy-loophole-ring-doorbell-0008497