The RISKS Digest
Volume 33 Issue 66

Thursday, 16th March 2023

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

The EU's chat-control legislation is the most alarming proposal I've ever read
Matthew Green
Authors risk losing copyright if AI content is not disclosed, U.S. guidance says
Ars Technica
AI to act as doctor's second pair of eyes to spot nearly invisible colon cancer growths
The Straits Times
BlackMamba
Dark Reading
Welcome to the Big Blur
The Atlantic
Chat GPT4: Is the world prepared for the coming AI storm?
BBC
Botnet that knows your name and quotes your email is back with new tricks
Ars Technica
Personal info from data breach affecting lawmakers posted on hacker site
NBC News
A Spy Wants to Connect With You on LinkedIn
WiReD
Microsoft lays off an ethical AI team as it doubles down on OpenAI
TechCrunch
Tesla Model 3 unlocked and driven by the wrong owner
Autoblog
Ransomware Attacks Have Entered a Heinous New Phase
WiReD
Ransomware Group Claims Hack of Amazon's Ring
Vice
Samsung caught faking zoom photos of the Moon
The Verge
Cerebral admits to sharing patient data with Meta, TikTok, Google
The Verge
Vanishing phone customer support is driving us all insane
WashPost
Verizon Copies T-Mobile's Popular Offer—With Two Big Catches
The Street
Noncompete clauses are everywhere, even for dancers and hair stylists
WashPost
Quebec residents can now freeze their credit files
Jose Maria Mateos
Re: Why I'm sticking up for science
elizabeth Jurek Kirakowski 3daygoaty
Re: Everyone is special, SMS-Based Multi-Factor Authentication
Jay Libove Alzina
Re: Why the Floppy Disk Just Won't Die
Steve Bacher
Re: rm -rf
Dan Astoorian Steve Bacher Henry Baker dmitri maziuk
Re: Terms of enscamment?
John Levine
Info on RISKS (comp.risks)

The EU's chat-control legislation is the most alarming proposal I've ever read (Matthew Green)

geoff goodfellow <geoff@iconia.com>
Sun, 12 Mar 2023 09:00:49 -0700
Taken in context, it is essentially a design for the most powerful text and
image-based mass surveillance system the free world has ever seen.

This legislation, which is initially targeted at child abuse applications,
creates the infrastructure to build in mandatory automated scanning tools
that will search for *known* media, *unknown* media matching certain
descriptions, and textual conversations.

The legislation is vague about how this will be accomplished, but the
*impact assessment* it cites is not. The assessment makes clear that
mandatory scanning of images and text, especially in encrypted data, is the
only solution the Commission will consider.  [...]

https://twitter.com/matthew_d_green/status/1634252397919739921


Authors risk losing copyright if AI content is not disclosed, U.S. guidance says (Ars Technica)

Monty Solomon <monty@roscom.com>
Thu, 16 Mar 2023 17:21:16 -0400
Copyright Office will field public input during listening sessions this
spring.

https://arstechnica.com/tech-policy/2023/03/us-issues-guidance-on-copyrighting-ai-assisted-artwork/


AI to act as doctor's second pair of eyes to spot nearly invisible colon cancer growths (The Straits Times)

Richard Marlon Stein <rmstein@protonmail.com>
Wed, 15 Mar 2023 10:49:30 +0000
https://www.straitstimes.com/tech/ai-to-act-as-doctor-s-second-pair-of-eyes-to-spot-nearly-invisible-colon-cancer-growths

  Developed with the help of biomedical company Medtronic, the tool is able
  to detect roughly 20% more growths—or polyps—that doctors would
  otherwise miss with the human eye, according to studies by SKH.

  Endoscope image processing by AI to discern near invisible (to the naked
  eye) polyps during a gastroscopy.

  FDA's TPLC platform identifies, to date, 4 separate devices under Product
  Code QNP (gastrointestinal lesion software detection system). See
  https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=2260&min_report_year=2018
  for device approval information. The polyp detector stack is defined as,
  “A gastrointestinal lesion software detection system is a
  computer-assisted detection device used in conjunction with endoscopy for
  the detection of abnormal lesions in the gastrointestinal tract. This
  device with advanced software algorithms brings attention to images to aid
  in the detection of lesions. The device may contain hardware to support
  interfacing with an endoscope.”

No medical device reports for device or patient problems. Stay tuned to this
space.

Among the many procedural risks (e.g., an unsterilized endoscope) for
gastroscopy is perforation—the endoscope, via the gastroenterologist,
pokes a hole through your intestine.

Need to wonder if the polyp detector false negative/positive outcome might
advise over-aggressive polyp biopsy frequency that elevates perforation
risk.


BlackMamba (Dark Reading)

Dan Geer <dan@geer.org>
Mon, 13 Mar 2023 00:14:59 -0400
https://www.darkreading.com/endpoint/ai-blackmamba-keylogging-edr-security

AI-Powered 'BlackMamba' Keylogging Attack Evades Modern EDR Security

Researchers warn that polymorphic malware created with ChatGPT and other
LLMs will force a reinvention of security automation.

Researchers from HYAS Labs demonstrated the proof-of-concept attack, which
they call BlackMamba, which exploits a large language model (LLM)—the
technology on which ChatGPT is based—to synthesize a polymorphic
keylogger functionality on the fly. The attack is "truly polymorphic" in
that every time BlackMamba executes, it resynthesizes its keylogging
capability, the researchers wrote.

The BlackMamba attack, outlined in a blog post, demonstrates how AI can
allow the malware to dynamically modify benign code at runtime without any
command-and-control (C2) infrastructure, allowing it to slip past current
automated security systems that are attuned to look out for this type of
behavior to detect attacks.


Welcome to the Big Blur (The Atlantic)

Monty Solomon <monty@roscom.com>
Wed, 15 Mar 2023 08:21:30 -0400
Thanks to AI, every written word now comes with a question.

https://www.theatlantic.com/technology/archive/2023/03/gpt4-arrival-human-artificial-intelligence-blur/673399/


Chat GPT4: Is the world prepared for the coming AI storm? (BBC)

Matthew Kruk <mkrukg@gmail.com>
Thu, 16 Mar 2023 07:24:45 -0600
Artificial intelligence has the awesome power to change the way we live our
lives, in both good and dangerous ways. Experts have little confidence that
those in power are prepared for what's coming.

https://www.bbc.com/news/world-us-canada-64967627


Botnet that knows your name and quotes your email is back with new tricks (Ars Technica)

Monty Solomon <monty@roscom.com>
Tue, 14 Mar 2023 23:04:37 -0400
Quoting Herman Melville is only one of Emotet's latest innovations.

https://arstechnica.com/information-technology/2023/03/botnet-that-knows-your-name-and-quotes-your-email-is-back-with-new-tricks/


Personal info from data breach affecting lawmakers posted on hacker site (NBC News)

Monty Solomon <monty@roscom.com>
Wed, 15 Mar 2023 22:08:19 -0400
Senate staffers were sent an email warning that data from the DC Health Link
breach, including users' birthdates and Social Security numbers, can be
found online.

https://www.nbcnews.com/politics/congress/info-data-breach-affecting-lawmakers-posted-hacker-site-rcna75140


A Spy Wants to Connect With You on LinkedIn (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Thu, 16 Mar 2023 02:12:47 -0400
Russia, North Korea, Iran, and China have been caught using fake profiles to
gather information. But the platform's tools to weed them out only go so
far.

https://www.wired.com/story/linkedin-fake-profiles-state-actors-scams


Microsoft lays off an ethical AI team as it doubles down on OpenAI (TechCrunch)

Gabe Goldberg <gabe@gabegold.com>
Tue, 14 Mar 2023 01:19:42 -0400
Microsoft laid off an entire team dedicated to guiding AI innovation that
leads to ethical, responsible and sustainable outcomes. The cutting of the
ethics and society team, as reported by Platformer, is part of a recent
spate of layoffs that affected 10,000 employees across the company.

https://techcrunch.com/2023/03/13/microsoft-lays-off-an-ethical-ai-team-as-it-doubles-down-on-openai/


Tesla Model 3 unlocked and driven by the wrong owner (Autoblog)

Gabe Goldberg <gabe@gabegold.com>
Tue, 14 Mar 2023 18:18:21 -0400
A Tesla Model 3 unlocked and driven by the wrong owner. The man was able to
drive off, stop, and pick his children up from school without issue.

https://www.autoblog.com/2023/03/13/tesla-model-3-unlocked-driven-by-wrong-owner/

  [Monty Solomon noted
https://www.washingtonpost.com/nation/2023/03/14/tesla-app-unlock-strangers-car
  PGN]


Ransomware Attacks Have Entered a Heinous New Phase (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Tue, 14 Mar 2023 01:22:40 -0400
With victims refusing to pay, cybercriminal gangs are now releasing stolen
photos of cancer patients and sensitive student records.

https://www.wired.com/story/ransomware-tactics-cancer-photos-student-records


Ransomware Group Claims Hack of Amazon's Ring (Vice)

Monty Solomon <monty@roscom.com>
Tue, 14 Mar 2023 17:15:40 -0400
https://www.vice.com/en/article/qjvd9q/ransomware-group-claims-hack-of-amazons-ring


Samsung caught faking zoom photos of the Moon (The Verge)

Monty Solomon <monty@roscom.com>
Mon, 13 Mar 2023 18:26:59 -0400
https://www.theverge.com/2023/3/13/23637401/samsung-fake-moon-photos-ai-galaxy-s21-s23-ultra


Cerebral admits to sharing patient data with Meta, TikTok, Google (The Verge)

Monty Solomon <monty@roscom.com>
Mon, 13 Mar 2023 18:34:23 -0400
https://www.theverge.com/2023/3/11/23635518/cerebral-patient-data-meta-tiktok-google-pixel


Vanishing phone customer support is driving us all insane (WashPost)

Monty Solomon <monty@roscom.com>
Tue, 14 Mar 2023 09:47:53 -0400
Vanishing phone customer support is driving us all insane: Why it's
increasingly hard to reach customer support by phone—if it's possible at
all.

https://www.washingtonpost.com/opinions/2023/03/07/phone-customer-support-disappearing/


Verizon Copies T-Mobile's Popular Offer—With Two Big Catches (The Street)

Monty Solomon <monty@roscom.com>
Wed, 15 Mar 2023 22:38:10 -0400
The No. 1 wireless carrier wants to look as if it's giving customers
something for nothing. It's not and customers should be wary.

https://www.thestreet.com/travel/verizon-botches-its-take-on-t-mobiles-netflix-deal


Noncompete clauses are everywhere, even for dancers and hair stylists (WashPost)

Monty Solomon <monty@roscom.com>
Tue, 14 Mar 2023 09:50:01 -0400
As regulators take aim at noncompete agreements, people in five states talk
about how they've been hampered in their attempts to change employers.

https://www.washingtonpost.com/business/2023/03/10/noncompete-agreements-ftc/


Quebec residents can now freeze their credit files

José María Mateos <chema@rinzewind.org>
Sun, 12 Mar 2023 09:16:23 -0400
Public service announcement: Quebec residents can now freeze their credit
files with the two credit bureaus operating in Canada: Equifax and
TransUnion.

I wrote an oped about this issue that got published by the Montreal Gazette
a month ago:
https://montrealgazette.com/opinion/opinion-quebecers-act-now-to-freeze-your-credit-file

Also, early this year I started https://idtheftreform.ca/, which is an
effort to bring together people to push for legislative changes in Canada
regarding ID theft laws, which to my mind (coming from Europe) place a heavy
burden on the victims to defend themselves, when most of the time the cause
is a banking / credit institution not checking documentation as thoroughly
as they should.


Re: Why I'm sticking up for science (RISKS-33.64-65)

"elizabeth135095@gmail.com" <elizabeth135095@gmail.com>
Sat, 11 Mar 2023 21:42:36 -0500
While I also consider the Dawkins editorial to be a rant whose aim,
poorly-circumscribed as it may be, is not fully on topic for RISKS, I find
that zeurkous' response highlights the RISK that the original submission
highlighted.

There is risk to society at large when relativism is placed on equal
standing with empiricism. The "special treatment" afforded to "Western"
science is earned by the fact that all people can, in fact, access and
verify it. There is no special belief system or ancestral qualification
required. It is important to point out that there are traditional beliefs
that are not evaluated by the world at large (yet another RISK!), but when
they are they also become part of this shared science, this consensus
reality that scientists and observers everywhere participate in.

Advocating for the promulgation of beliefs and systems of belief that are
not to be questioned or verified, simply because they have also been held by
some people at some time, erodes solidarity. It erodes the trust that any
person can have in the mass of people, because there is now this doubt about
whether everyone is willing to perceive the same reality.  Unfortunately,
signs point to us all *living* in the same reality—whether colonized,
colonizer, independent, or uncontacted—and we cannot play together nicely
if some of us insist on playing another game altogether.


Re: Why I'm sticking up for science (RISKS-33.64-65)

Jurek Kirakowski <jzk@uxp.ie>
Mon, 13 Mar 2023 16:01:59 +0000
I suppose I didn't bother to make any response to the post by Geoff
Goodfellow citing in detail a Spectator article by Richard Dawkins because,
as a scientist and a Roman Catholic, I am always astounded by the sheer
ignorance of Dawkins and his ilk about what religion is and - amazingly -
about how science proceeds. This was just more of the same, no doubt causing
eyes of many a reader to glaze over and pass on to the next item.

If I may put this into a way of talking that is actually relevant to the
objectives of this list, the RISK is that the boundaries between religion
and science get deliberately blurred by people who have a naive world view
of both and who promote these world views with sophistical rhetoric and
cheap knock-down arguments against a parody of what religious belief is.

The article cited by Geoff Goodfellow is a good example of how irrational
emotions may be stirred by those peddling this RISKY behaviour, leading to
untenable positions on both topics.


Re: Why I'm sticking up for science (RISKS-33.64-65)

3daygoaty <threedaygoaty@gmail.com>
Sun, 12 Mar 2023 19:26:03 +1100
Dr Dick Dawkins goes too far.  It's one thing to argue when pseudo science
gets in the door, but another thing entirely to argue cultural values need
to be kept at arms length.  He does it in The God Delusion—he undoes his
own arguments with cloying appeals to science as the great reset against
humanist encroachment.  New Zealand has a river and a mountain with
personhood.  It's wonderful progress.  Science will be brought forward and
made stronger.  Does Dawkins still oppose the chiropractic as anti-science?
TDG


Re: Everyone is special, SMS-Based Multi-Factor Authentication

Jay Libove Alzina <libove@felines.org>
Sun, 12 Mar 2023 10:23:50 +0000
(John and I chatted a little offline about some of this) Unfortunately, at
least insofar as I can see wandering around within my Vanguard account and
talking with Vanguard support, Vanguard does NOT use ONLY whatever 2FA you
have configured; Vanguard REQUIRES a mobile phone, and literally says at the
security key login prompt page "If you don't have your security key, you can
always request a security code".  In other words, as I said initially,
Vanguard (like BoA) lets you buy and set up a physical security token, but
also always allows you to bypass it - making the physical security token of
exactly zero real security value.

I checked in with John about it and he also found the "would you like to
bypass the real user's strong security and use weak security that you can
attack?"  prompt by Vanguard. (eyeroll)

John then observed: >Ugh, you're right.  Vanguard are pretty sophisticated
so I would guess they think that it is a lot more people who forget their
passwords than who get SIM swapped.

Undoubtedly true, though the fallibility of the average user shouldn't mean
that we godlike security people have to accept less security than we're
willing to hamstring ourselves with ... (insert "eye roll" emoji here,
again)

John continued:
>I also wonder if they have different security for different sizes of
>accounts.

Sadly, nope. My parents have one of those "bigger size" accounts, and I've
spoken directly with their named Vanguard representative, who couldn't come
up with anything else/better (and, when pressed, never responded at all...
very disappointing). (Though, as John also noted, maybe in the millions and
millions and ... size accounts? Dunno. Shouldn't have to be in the top 1% to
have adequate security !)

Lastly, in response to the newer comments about why 2FA really is necessary,
about the recent hacks of LastPass, while those hacks are serious, they
don't in the near-term make a secured-with-a-strong-unique-password account
directly vulnerable (the vaults that were stolen remained encrypted, so if
the LastPass master password was good, there's still a practically safe
amount of time before a vault could be brute forced). But, yes, still - 2FA
is unfortunately NEEDED now for ... basically everything.  (And, then, yes,
adequate, at least as safe recoverability for when 2FA fails, is also
needed).


Re: Why the Floppy Disk Just Won't Die (RISKS 33.65)

Steve Bacher <sebmb1@verizon.net>
Mon, 13 Mar 2023 10:52:58 -0700
Of course, most of the "floppy disks" as referenced in the WIRED article are
not floppy at all. They are mainly the 3.5" diskettes that supplanted the
earlier 5-1/4" disks that were truly floppy, whence the appellation. The
sobriquet was carried forward to their replacement, even though floppiness
ceased to be an attribute. (The WIRED article alludes only to the 3.5" and
much earlier 8" disks without mentioning the once-commonplace 5-1/4" ones at
all.)

I tried to adopt the practice of referring to the 3.5" disks as *stiffs*,
but it never caught on.


Re: rm -rf (Bacher, RISKS-33.66)

Dan Astoorian <djast@ecf.utoronto.ca>
Sun, 12 Mar 2023 11:46:26 -0400
In response to Steve Bacher's comment:

It's not typically necessary to use subshells with -e or pipefail turned
off: the -e option in bash already has mechanisms to prevent the shell from
terminating when _anticipated_ commands return a nonzero exit status:

  The shell does not exit if the command that fails is part of the command
  list immediately following a while or until keyword, part of the test
  following the if or elif reserved words, part of any command executed in a
  && or || list except the command following the final && or ||, any command
  in a pipeline but the last, or if the command's return value is being
  inverted with !.

The common idiom is to append "&& true" or "|| true" to commands or
pipelines you don't want to trigger the behaviour of -e if they fail, e.g.:

    set -e
    grep pattern "$FILENAME" | wc -l || true

will not cause the shell to exit even if the grep command returns a non-zero
exit status (whether this is because the pattern is not found in the named
file, because the named file does not exist or is not readable, because the
FILENAME variable is not set and "set -u" is in effect, or for any other
reason--so caution is still needed in permitting the script to continue in
not making unwarranted assumptions about the reason the pipeline failed).

Using "|| true" makes the intention of ignoring the success or failure of
the command or pipeline apparent; using "&& true" is perhaps slightly less
intuitive, but has the advantage of allowing the script to evaluate the
return status of the pipeline; e.g., "case $? in 1) [...]".


Re: rm -rf (Bacher, RISKS-33.63)

Steve Bacher <sebmb1@verizon.net>
Mon, 13 Mar 2023 09:39:53 -0700
I know you meant to write

        cd foo && rm -rf ...

but it got munged on the way to the RISKS web page.  [PGN usually strips
the html crap from a strictly UTF-8 digest.  Sorry when i don't.]

Yes, that's another approach; I would go further and encase it in a
subshell:

        (cd foo && rm -rf ...)

to ensure that the cd does not affect the remainder of the script.  In that
way you get the same outcome, in terms of the environment, following the
execution of the cd and rm whether the cd "takes" or not.

If you actually want to change the current working directory for the
remainder of the script, this doesn't apply.
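As an added example (not from any of the posts above), a POSIX sh script that puts Dan Astoorian's `|| true` and `&& true` idioms under `set -e` next to the subshell `cd` guard from the reply above; the function names `count_matches`, `classify_grep` and `remove_sub` are assumed for illustration.

```shell
#!/bin/sh
# Added example, not from the digest: the `|| true` / `&& true` idioms
# under `set -e`, and the subshell `cd` guard for `rm -rf`.
set -eu

# Count lines matching $1 in file $2. Under `set -e` a failing command
# would normally end the script; `|| true` marks the failure as expected.
# (Without pipefail a pipeline's status is its last command's, so in
# `grep ... | wc -l` grep's own status is hidden anyway; `grep -c` avoids
# the pipe and reports the count itself.)
count_matches() {
    if [ ! -r "$2" ]; then
        printf '0\n'      # missing or unreadable file: report zero, keep going
        return 0
    fi
    grep -c -- "$1" "$2" || true
}

# `&& true` also keeps -e from firing, but leaves grep's own status in $?,
# so the script can tell "no match" (1) from "could not read file" (2).
classify_grep() {
    grep -q -- "$1" "$2" 2>/dev/null && true
    case $? in
        0) echo found ;;
        1) echo none ;;
        *) echo error ;;
    esac
}

# Remove subpath $2 inside directory $1. The subshell keeps the cd local,
# so the caller's working directory is unchanged whether or not the cd
# "takes"; the && guard means a failed cd never lets rm run in the
# caller's own directory. The function's status is the subshell's status.
remove_sub() {
    ( cd -- "$1" && rm -rf -- "$2" )
}
```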


Re: rm -rf (Levine, RISKS-33.65)

Henry Baker <hbaker1@pipeline.com>
Sun, 12 Mar 2023 17:27:51 +0000
  "IEEE 1003.2 is the shell command part of POSIX. I'm not sure I could call
  it complete, but it is thorough and detailed, and they were acutely aware
  that the commands are all used in shell scripts."

Based upon this comment, I'd say that Planck's Principle is alive and well
in the computer science community. It's amazing that we ever made the
transition from decimal to binary arithmetic!

https://en.wikipedia.org/wiki/Planck's_principle

  I just Google'd "bash" "euo" and got 489,000 results.

  Clearly, Unix/Linux error handling in shell scripts is a massive mess that
  will require a new generation of computer scientists to fix.


Re: rm -rf (RISKS-33.65)

dmitri maziuk <dmitri.maziuk@gmail.com>
Sun, 12 Mar 2023 18:29:39 -0500
I think what's missing from all these is that snafus like `rm -rf /` or
`killall` (on not Linux) have long been considered a rite of passage among
certain unix sysadmins. Dealing with the consequences of your mistake is a
valuable learning experience; if one wants to be forever shielded from the
consequences, one should consider politics, not unix.


Re: Terms of enscamment? (Slade, RISKS-33.65)

"John Levine" <johnl@iecc.com>
12 Mar 2023 14:21:46 -0500
Yup, I have the same problem.

Password? What password? Eventbrite lets you enter a mail address
that they don't verify. As you just discovered, if you give Eventbrite
the wrong address, you don't get the tickets so there is a strong
incentive to provide a real address. (Unless, I suppose, the tickets
are delivered in the web transaction and the mail is just a copy. I
haven't bought tix from them for a very long time and don't remember.)

I suppose they could verify the address by sending a test message you have
to click on, but there is a tradeoff: some fraction of people would give up
and not complete the transaction, so I can't really blame them.
