The RISKS Digest
Volume 33 Issue 77

Friday, 11th August 2023

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Failed communications left Maui residents trapped by fire, unable to escape
LATimes
Firmware vulnerabilities in millions of computers could give hackers superuser status
Ars Technica
Cyberattack Sabotages Medical Sites in Four States
Rebecca Carballo
UK electoral register hacked in August 2021
The Guardian
New acoustic attack steals data from keystrokes with 95% accuracy
Bleeping Computer
Downfall Attacks on Intel CPUs Steal Encryption Keys, Data
Ionut Ilascu
California privacy regulator's first case: Probing Internet-connected cars
WashPost
Hackers Stole $6M from Connecticut public school system
Lola Fadulu
VR Headsets Are Vulnerable to Hackers
UC Riverside
Security and Human Behavior—SHB 2023
Bruce Schneier
Typo sends millions of U.S. military emails to Russian ally Mali
BBC
Bots and Spam attack Meta's Threads
TechCrunch
Facebook sent information on visitors to police *anonymous reporting* site
The Guardian
Tech companies acknowledge machine-learning algorithms can perpetuate discrimination and need improvement.
NYTimes
Wikipedia's Moment of Truth?
NYTimes
Why AI detectors think the U.S. Constitution was written by AI
Ars Technica
ChatGPT's Accuracy Has Gotten Worse
Andrew Paul
In the Age of AI, Tech's Little Guys Need Big Friends
NYTimes
OpenAI's trust and safety lead is leaving the company
Engadget
AI That Teaches Other AI
Greg Hardesty
Researchers Find Deliberate Backdoor in Police Radio Encryption Algorithm
Kim Zetter
Researchers Poke Holes in Safety Controls of ChatGPT, Other Chatbots
Cade Metz
Unpatchable AMD Chip Flaw Unlocks Paid Tesla Feature Upgrade
Brandon Hill
Eight-Months Pregnant Woman Arrested After False Facial Recognition Match
Kashmir Hill
MIT Makes Probability-Based Computing a Bit Brighter
IEEE Spectrum
Wikipedia's Moment of Truth
NYTimes
Possible Typo Leads to Actual Scam
Bob Smith
'Redacted Redactions' Strike Again
Henry Baker
Re: Defective train safety controls lead to bus rides for South Auckland commuters
George Neville-Neil
Re: Myth about innovation ...
Henry Baker, Martyn Thomas, John Levine
Internet censorship
Gene Spafford
Info on RISKS (comp.risks)

Failed communications left Maui residents trapped by fire, unable to escape (LATimes)

Monty Solomon <monty@roscom.com>
Fri, 11 Aug 2023 13:02:46 -0400
https://www.latimes.com/world-nation/story/2023-08-11/failed-communication-and-huge-death-toll-in-maui-fires


Firmware vulnerabilities in millions of computers could give hackers superuser status (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 21 Jul 2023 16:17:32 -0400
https://arstechnica.com/security/2023/07/millions-of-servers-inside-data-centers-imperiled-by-flaws-in-ami-bmc-firmware/


Cyberattack Sabotages Medical Sites in Four States (Rebecca Carballo)

Peter Neumann <neumann@csl.sri.com>
Mon, 7 Aug 2023 18:12:02 PDT
Rebecca Carballo, *The New York Times*, 7 Aug 2023
As hospitals go online, they become more vulnerable.

Ransomware.  Prospect Medical Holdings in CA/CT/PA/RI
16 Hospitals, over 176 clinics affected.  [PGN-ed in just
another demonstration of how untrustworthy this can be.]


UK electoral register hacked in August 2021 (The Guardian)

<"Robert N. M. Watson">
Tue, 8 Aug 2023 14:42:12 +0100
https://www.theguardian.com/technology/2023/aug/08/uk-electoral-commission-registers-targeted-by-hostile-hackers?CMP=Share_iOSApp_Other


New acoustic attack steals data from keystrokes with 95% accuracy (Bleeping Computer)

Victor Miller <victorsmiller@gmail.com>
Wed, 9 Aug 2023 06:45:13 -0700
https://www.bleepingcomputer.com/news/security/new-acoustic-attack-steals-data-from-keystrokes-with-95-percent-accuracy/


Downfall Attacks on Intel CPUs Steal Encryption Keys, Data (Ionut Ilascu)

ACM TechNews <technews-editor@acm.org>
Fri, 11 Aug 2023 11:23:58 -0400 (EDT)
Ionut Ilascu, *Bleeping Computer*, 8 Aug 2023

Google's Daniel Moghimi exploited the so-called "Downfall" bug in Intel
central processing units to steal passwords, encryption keys, and private
data from computers shared by multiple users. The transient execution
side-channel vulnerability affects multiple Intel microprocessor lines,
allowing hackers to exfiltrate Software Guard eXtensions-encrypted
information. Moghimi said Downfall attacks leverage the *gather*
instruction that "leaks the content of the internal vector register file
during speculative execution." He developed the Gather Data Sampling exploit
to extract AES 128-bit and 256-bit cryptographic keys on a separate virtual
machine from the controlled one, combining them to decrypt the information
in less than 10 seconds. Moghimi disclosed the flaw to Intel and worked with
the company on a microcode update to address it.


California privacy regulator's first case: Probing Internet-connected cars (WashPost)

Monty Solomon <monty@roscom.com>
Tue, 1 Aug 2023 18:24:07 -0400
Data collection in cars has surged in recent years, especially in cars that
encourage users to plug in their phones to play music, get spoken directions
and make hands-free calls.

https://www.washingtonpost.com/technology/2023/07/31/cppa-privacy-car-data/

  [If the Internet of Things has no appreciable trustworthiness, why should
  we be surprised when cars are just IoT things!  PGN]


Hackers Stole $6M from Connecticut public school system (Lola Fadulu)

Peter Neumann <neumann@csl.sri.com>
Fri, 11 Aug 2023 9:23:39 PDT
Lola Fadulu, *The New York Times*, 11 Aug 2023

New Haven CT has stopped the use of electronic transfers (except
payrolls).  $3.6M has been recovered.  (PGN-ed)


VR Headsets Are Vulnerable to Hackers (UC Riverside)

ACM TechNews <technews-editor@acm.org>
Fri, 11 Aug 2023 11:23:58 -0400 (EDT)
David Danelski, UC Riverside News, 8 Aug 2023

Computer scientists at the University of California, Riverside found hackers
can translate the movements of virtual reality (VR) and augmented reality
(AR) headset users into words using spyware and artificial intelligence. In
one example, spyware used a headset user's motions to record their Facebook
password as they air-typed it on a virtual keyboard. Spies also could
potentially access a user's actions during virtual meetings involving
confidential information by interpreting body movements. One exploit showed
hackers retrieving a target's hand gestures, voice commands, and keystrokes
on a virtual keyboard with over 90% accuracy. Researchers also developed a
system called TyPose that uses machine learning to extract AR/VR users' head
motions to deduce words or characters they are typing.


Security and Human Behavior—SHB 2023

Bruce Schneier <schneier@schneier.com>
Sat, 15 Jul 2023 08:27:20 +0000
For back issues, or to subscribe, visit Crypto-Gram's web page.
https://www.schneier.com/crypto-gram/
https://www.schneier.com/crypto-gram/archives/2023/0715.html

These same essays and news items appear in the Schneier on Security
[https://www.schneier.com/] blog, along with a lively and
intelligent comment section. An RSS feed is available.

[PGN-excerpted from Bruce Schneier's CRYPTO-GRAM, 15 Jul 2023, as both
timely and historically relevant to a topic that has been in RISKS
since the first issue.]

** SECURITY AND HUMAN BEHAVIOR (SHB) 2023

[2023.06.16]
[https://www.schneier.com/blog/archives/2023/06/security-and-human-behavior-shb-2023.html]
I'm just back from the sixteenth Workshop on Security and Human
Behavior [https://www.heinz.cmu.edu/~acquisti/SHB2023/index.htm]
hosted by Alessandro Acquisti at Carnegie Mellon University in
Pittsburgh.

SHB is a small annual invitational workshop of people studying various
aspects of the human side of security, organized each year by
Alessandro Acquisti, Ross Anderson, and myself. The fifty or so
attendees include psychologists, economists, computer security
researchers, criminologists, sociologists, political scientists,
designers, lawyers, philosophers, anthropologists, geographers,
neuroscientists, business-school professors, and a smattering of
others. It's not just an interdisciplinary event; most of the people
here are individually interdisciplinary.

Our goal is always to maximize discussion and interaction. We do that
by putting everyone on panels, and limiting talks to six to eight
minutes, with the rest of the time for open discussion. Short talks
limit presenters' ability to get into the boring details of their
work, and the interdisciplinary audience discourages jargon.

For the past decade and a half, this workshop has been the most
intellectually stimulating two days of my professional year. It
influences my thinking in different and sometimes surprising ways --
and has resulted in some unexpected collaborations.

And that's what's valuable. One of the most important outcomes of the
event is new collaborations.  Over the years, we have seen new
interdisciplinary research between people who met at the workshop, and
ideas and methodologies move from one field into another based on
connections made at the workshop. This is why some of us have been
coming back every year for over a decade.

This year's schedule is here
[https://www.heinz.cmu.edu/~acquisti/SHB2023/program.htm]. This page
[https://www.heinz.cmu.edu/~acquisti/SHB2023/participants.htm] lists
the participants and includes links to some of their work. As he does
every year, Ross Anderson is live blogging
[https://www.lightbluetouchpaper.org/2023/06/14/security-and-human-behaviour-2023/]
the talks. We are back 100% in-person after two years of fully remote
and one year of hybrid.

Here are my posts on the first
[http://www.schneier.com/blog/archives/2008/06/security_and_hu.html], second
[http://www.schneier.com/blog/archives/2009/06/second_shb_work.html], third
[http://www.schneier.com/blog/archives/2010/06/third_shb_works.html], fourth
[http://www.schneier.com/blog/archives/2011/06/fourth_shb_work.html], fifth
[https://www.schneier.com/blog/archives/2012/06/security_and_hu_1.html], sixth
[https://www.schneier.com/blog/archives/2013/06/security_and_hu_2.html], seventh
[https://www.schneier.com/blog/archives/2014/06/security_and_hu_3.html],
eighth
[https://www.schneier.com/blog/archives/2015/06/security_and_hu_4.html], ninth
[https://www.schneier.com/blog/archives/2016/06/security_and_hu_5.html], tenth
[https://www.schneier.com/blog/archives/2017/05/security_and_hu_6.html], eleventh
[https://www.schneier.com/blog/archives/2018/05/security_and_hu_7.html], twelfth
[https://www.schneier.com/blog/archives/2019/06/security_and_hu_8.html], thirteenth
[https://www.schneier.com/blog/archives/2020/06/security_and_hu_9.html],
fourteenth
[https://www.schneier.com/blog/archives/2021/06/security-and-human-behavior-shb-2021.html],
and fifteenth
[https://www.schneier.com/blog/archives/2022/05/security-and-human-behavior-shb-2022.html]
SHB workshops. Follow those links to find summaries, papers, and
occasionally audio/video recordings of the sessions. Ross also
maintains a good webpage [https://www.cl.cam.ac.uk/~rja14/psysec.html]
of psychology and security resources.

It's actually hard to believe that the workshop has been going on for
this long, and that it's still vibrant. We rotate [among] organizers,
so next year is my turn in Cambridge (the Massachusetts one).


Typo sends millions of U.S. military emails to Russian ally Mali (BBC)

Monty Solomon <monty@roscom.com>
Mon, 17 Jul 2023 16:23:45 -0400
Emails intended for the U.S. military's ".mil" domain have, for years, been
sent to the west African country which ends with the ".ml" suffix.  Some of
the emails reportedly contained sensitive information such as passwords,
medical records and the itineraries of top officers.
[...]

https://www.bbc.com/news/world-us-canada-66226873


Bots and Spam attack Meta's Threads (TechCrunch)

Lauren Weinstein <lauren@vortex.com>
Mon, 17 Jul 2023 13:31:56 -0700
https://techcrunch.com/2023/07/17/the-spam-bots-have-now-found-threads-as-company-announces-its-own-rate-limits/


Facebook sent information on visitors to police *anonymous reporting* site (The Guardian)

Anthony Thorn <anthony.thorn@atss.ch>
Sun, 16 Jul 2023 08:03:45 +0200
"Britain's biggest police force gathered sensitive data about people using
its website to report sexual offences, domestic abuse and other crimes and
shared it with Facebook for targeted advertising, the Observer has found."

https://www.theguardian.com/uk-news/2023/jul/15/revealed-metropolitan-police-shared-sensitive-data-about-victims-with-facebook

Facebook's Pixel tool was embedded in Metropolitan Police web page

The data was collected by a tracking tool embedded in the website of the
Metropolitan police and included records of browsing activity about people
using a *secure* online form for victims and witnesses to report offences.

In one case, Facebook received a parcel of data when someone clicked a link
to "securely and confidentially report rape or sexual assault" to the Met
online. This included the sexual nature of the offence being reported, the
time the page was viewed and a code denoting the person's Facebook account
ID.

The tracking tool, known as Meta Pixel, also sent details to Facebook about
content viewed and buttons clicked on webpages linked to contacting police,
accessing victim services, and advice pages for crimes including rape,
assaults, stalking and fraud."

What was the person who installed the tool thinking?

We must assume that almost(?) every web site reports our activity to
Facebook and Google.

I guess it's time for Tor.


Tech companies acknowledge machine-learning algorithms can perpetuate discrimination and need improvement. (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 18 Jul 2023 08:54:41 -0400
https://www.nytimes.com/2023/07/04/arts/design/black-artists-bias-ai.html


Wikipedia's Moment of Truth? (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 18 Jul 2023 08:38:49 -0400
Can the online encyclopedia help teach A.I. chatbots to get their facts
right -- without destroying itself in the process?

https://www.nytimes.com/2023/07/18/magazine/wikipedia-ai-chatgpt.html


Why AI detectors think the U.S. Constitution was written by AI (Ars Technica)

geoff goodfellow <geoff@iconia.com>
Tue, 18 Jul 2023 12:22:52 -0700
If you feed America's most important legal document—the US Constitution

<https://arstechnica.com/information-technology/2022/12/openai-invites-everyone-to-test-new-ai-powered-chatbot-with-amusing-results/>,
it will tell you that the document was almost certainly written by AI. But
unless James Madison was a time traveler, that can't be the case. Why do AI
writing detection tools give false positives? We spoke to several experts --
and the creator of AI writing detector GPTZero—to find out.

Among news stories of overzealous professors
<https://www.washingtonpost.com/technology/2023/05/18/texas-professor-threatened-fail-class-chatgpt-cheating/>
flunking an entire class due to the suspicion of AI writing tool use and
kids falsely accused
<https://www.reddit.com/r/ChatGPT/comments/132ikw3/teacher_accused_me_of_using_chatgpt/>
of using ChatGPT, generative AI has education in a tizzy. Some
think it represents an existential crisis
<https://www.theatlantic.com/technology/archive/2022/12/chatgpt-ai-writing-college-student-essays/672371/>.
Teachers relying on educational methods
developed over the past century have been scrambling for ways to keep
<https://www.reddit.com/r/Teachers/comments/zkguxg/my_frustrations_with_chatgpt/>
the status quo—the tradition of relying on the essay as a tool to gauge
student mastery of a topic.

As tempting as it is to rely on AI tools to detect AI-generated writing,
evidence so far has shown that they are not reliable
<https://techcrunch.com/2023/02/16/most-sites-claiming-to-catch-ai-written-text-fail-spectacularly/>.
Due to false positives, AI writing detectors such as GPTZero
<https://gptzero.me/>, ZeroGPT <https://www.zerogpt.com/>, and OpenAI's Text
Classifier <https://platform.openai.com/ai-text-classifier> cannot
<https://theconversation.com/we-pitted-chatgpt-against-tools-for-detecting-ai-written-text-and-the-results-are-troubling-199774>
be trusted to detect text composed by large language models (LLMs) like
ChatGPT.

If you feed GPTZero a section of the US Constitution, it says the text is
"likely to be written entirely by AI." Several times over the past six
months, screenshots of other AI detectors showing similar results have gone
viral <https://twitter.com/0xgaut/status/1648383977139363841?s=20> on
social media, inspiring confusion and plenty of jokes about the founding
fathers being robots. It turns out the same thing happens with selections
from The Bible, which also show up as being AI-generated.

To explain why these tools make such obvious mistakes (and otherwise often
return false positives), we first need to understand how they work.

*Understanding the concepts behind AI detection*.  [...]

https://arstechnica.com/information-technology/2023/07/why-ai-detectors-think-the-us-constitution-was-written-by-ai/


ChatGPT's Accuracy Has Gotten Worse (Andrew Paul)

ACM TechNews <technews-editor@acm.org>
Fri, 21 Jul 2023 11:44:53 -0400 (EDT)
Andrew Paul, *Popular Science*, 19 Jul 2023, via ACM TechNews

Stanford University and University of Southern California, Berkeley
(UC Berkeley) researchers demonstrated an apparent decline in the
reliability of OpenAI's ChatGPT large language model (LLM) over time
without any solid explanation. The researchers assessed the chatbot's
tendency to offer answers with varying degrees of accuracy and
quality, as well as how appropriately it follows instructions. In one
example, the researchers observed that GPT-4's nearly 98% accuracy in
identifying prime numbers fell to less than 3% between March and June
2023, while GPT-3.5's accuracy increased; both GPT-3.5 and GPT-4's
code-generation abilities worsened in that same interval. UC
Berkeley's Matei Zaharia suggested the decline may reflect a limit
reached by reinforcement learning from human feedback, or perhaps bugs
in the system.


In the Age of AI, Tech's Little Guys Need Big Friends (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 18 Jul 2023 08:49:59 -0400
Creating a new AI system requires lots of money and lots of computing power, which is controlled by the industry's giants.

https://www.nytimes.com/2023/07/05/business/artificial-intelligence-power-data-centers.html


OpenAI's trust and safety lead is leaving the company (Engadget)

Lauren Weinstein <lauren@vortex.com>
Fri, 21 Jul 2023 18:12:10 -0700
https://www.engadget.com/openais-trust-and-safety-lead-is-leaving-the-company-190049987.html?src=rss

  [He could not safely trust it?  PGN]


AI That Teaches Other AI (Greg Hardesty)

ACM TechNews <technews-editor@acm.org>
Mon, 24 Jul 2023 11:54:55 -0400 (EDT)
Greg Hardesty, USC Viterbi School of Engineering, 18 Jul 2023,
via ACM TechNews

Scientists at the University of Southern California (USC), Intel Labs, and
the Chinese Academy of Sciences demonstrated that robots can be trained to
train other robots by sharing their knowledge. The researchers developed the
Shared Knowledge Lifelong Learning (SKILL) tool to teach artificial
intelligence agents 102 unique tasks whose knowledge they then shared over a
decentralized communication network. The researchers said they found the
SKILL tool's algorithms speed up the learning process by allowing agents to
learn concurrently in parallel. The work indicated learning time shrinks by
a factor of 101.5 when 102 agents each learn one task and then share.

  [Speed is irrelevant if there are any flaws or vulnerabilities in the
  process.  This is a classic example of a serpent eating its own tail --
  ouroboros, which eventually is nonconvergent to a sound state.  PGN]


Researchers Find Deliberate Backdoor in Police Radio Encryption Algorithm (Kim Zetter)

ACM TechNews <technews-editor@acm.org>
Wed, 26 Jul 2023 11:46:32 -0400 (EDT)
Kim Zetter, *Ars Technica*, 25 Jul 2023

Researchers with Netherlands-based security consultancy Midnight Blue
have uncovered a secret backdoor in technology long used for critical
data and voice radio communications worldwide. The backdoor resides in
an algorithm embedded within commercially sold devices that transmit
encrypted data and commands, allowing users to eavesdrop on
communications and potentially hijack critical infrastructure. The
researchers found the backdoor and four other flaws in the European
Telecommunications Standards Institute's Terrestrial Trunked Radio
(TETRA) standard in 2021, but waited until radio manufacturers could
develop patches and mitigations before disclosing them. The
researchers also learned most police forces worldwide (excluding the
U.S.) use TETRA-based radio technology.


Researchers Poke Holes in Safety Controls of ChatGPT, Other Chatbots (Cade Metz)

ACM TechNews <technews-editor@acm.org>
Fri, 28 Jul 2023 11:05:55 -0400 (EDT)
Cade Metz, *The New York Times*, 27 Jul 2023, via ACM TechNews

Scientists at Carnegie Mellon University and the Center for AI Safety
demonstrated the ability to produce nearly infinite volumes of
destructive information by bypassing artificial intelligence (AI)
protections in any leading chatbot. The researchers found they could
exploit open source systems by appending a long suffix of characters
onto each English-language prompt inputted into the system. In this
manner, they were able to persuade chatbots to provide harmful
information and generate discriminatory, counterfeit, and otherwise
toxic data. The researchers found they could use this method to
circumvent the safeguards of OpenAI's ChatGPT, Google's Bard, and
Anthropic's Claude chatbots. While they concede that an obvious
countermeasure for preventing all such attacks does not exist, the
researchers suggest chatbot developers could block the suffixes they
identified.


Unpatchable AMD Chip Flaw Unlocks Paid Tesla Feature Upgrade (Brandon Hill)

ACM TechNews <technews-editor@acm.org>
Mon, 7 Aug 2023 13:51:39 -0400 (EDT)
Brandon Hill, *Tom's Hardware*, 3 Aug 2023

Security researchers at Germany's Technical University of Berlin have
cracked modern Tesla vehicles' Media Control Unit (MCU) to access paid
features through an unpatchable flaw in the MCU-controlling AMD
processor. The researchers said they launched a voltage fault injection
attack against the third-generation MCU-Z's Platform Security Processor,
allowing the decryption of objects stored in the Trusted Platform
Module. They explained, "Our gained root permissions enable arbitrary
changes to Linux that survive reboots and update. They allow an attacker to
decrypt the encrypted NVMe [Non-Volatile Memory Express] storage and access
private user data such as the phonebook, calendar entries, etc." The
researchers found hackers can access Tesla subsystems and even
paywall-locked optional content via the exploit.


Eight-Months Pregnant Woman Arrested After False Facial Recognition Match (Kashmir Hill)

ACM TechNews <technews-editor@acm.org>
Mon, 7 Aug 2023 13:51:39 -0400 (EDT)
Kashmir Hill, *The New York Times*, 6 Aug 2023

Detroit police recently arrested eight-months-pregnant African American
Porcha Woodruff for robbery and carjacking due to an erroneous offender
match by facial recognition technology. Woodruff is the sixth person to
report being wrongly accused of a crime through such a mismatch and the
third such wrongful arrest involving the Detroit Police Department. City
documents indicated the department uses a facial recognition vendor called
DataWorks Plus to run unknown faces against a database of mug shots,
returning matches ranked according to the probability of being the same
person. Crime analysts decide if any matches are potential suspects, and the
police report said a match for Woodruff's 2015 mug shot—which she said
was from an arrest for driving with an expired license—prompted the
analyst to give her name to the investigator.

  [Maybe the probability was something like 5%, but more than anyone else in
  the database?  PGN]


MIT Makes Probability-Based Computing a Bit Brighter (IEEE Spectrum)

ACM TechNews <technews-editor@acm.org>
Fri, 21 Jul 2023 11:44:53 -0400 (EDT)
Edd Gent and Margo Anderson, *IEEE Spectrum*, 19 Jul 2023,
via ACM TechNews

Massachusetts Institute of Technology (MIT) researchers have produced the
first probabilistic bit (p-bit) using photonics. The method's core component
is an optical parametric oscillator (OPO), which is basically two mirrors
reflecting light back and forth between them. The researchers can influence
the likelihood with which an oscillation's phase assumes a particular state
by injecting the OPO with extremely weak laser pulses. MIT's Charles
Roques-Carmes explained, "We can keep the random aspect that just comes from
using quantum physics, but in a way that we can control the probability
distribution that is generated by those quantum variables." The researchers
said they were able to generate 10,000 p-bits per second, which appear to
support the necessary behavior for building a probabilistic computer.


Wikipedia's Moment of Truth (NYTimes)

Monty Solomon <monty@roscom.com>
Tue, 18 Jul 2023 08:38:49 -0400
Can the online encyclopedia help teach AI chatbots to get their facts right
-- without destroying itself in the process?

https://www.nytimes.com/2023/07/18/magazine/wikipedia-ai-chatgpt.html


Possible Typo Leads to Actual Scam

Bob Smith <bsmith@sudleyplace.com>
Thu, 20 Jul 2023 22:01:00 -0400
I encountered an error message from my Frigidaire PCFI3668AF induction
range, which thankfully resolved itself.  But, before that resolution, I
called Frigidaire tech support for help, and as I was right there at the
oven, I lazily used the phone number printed on the tag inside the oven:
800-374-4472.  The phone was answered as if it were Frigidaire tech support,
but actually was a scam where they wanted to "give" me a $100 debit card if
only I would cover the USPS handling charge of $2.95; yes, that noise you
hear is the sound of your alarm bells.  At this point, I hung up.

Subsequently, I looked up the actual Frigidaire tech support number online
and found it to be 800-374-4432, not -4472, so perhaps the number printed
inside the oven is a typo; nonetheless, it leads to an actual scam with an
unusual set-up.

I was puzzled that someone thought it worthwhile to capitalize on this tiny
mistake, as who even *reads* the printed tag inside an oven, no less *calls*
the printed phone number?  On the other hand, once the typo is noticed by a
scammer, the cost to set up and manage the scam is negligible, which seems
to be the case.

I sent all this along with a photo of the printed tag to Frigidaire tech
support in May, but have not heard back.

This is such a rare and unusual basis for a scam that I'm unsure of what is
the takeaway lesson, if any.


'Redacted Redactions' Strike Again

Henry Baker <hbaker1@pipeline.com>
Thu, 20 Jul 2023 15:27:05 +0000
I'd like to coin the neologism "outcroppings" for these redacted redactions.

"An outcropping is rock formation, a place on the earth where
the bedrock underneath shows through."

Perhaps 'natural emergence' has come a cropper ?

Oops!

https://theintercept.com/2023/07/12/covid-documents-house-republicans/

HOUSE REPUBLICANS ACCIDENTALLY RELEASED A TROVE OF
DAMNING COVID DOCUMENTS

"According to the metadata in the PDF of the report, it was created
using 'Acrobat PDFMaker 23 for Word,' indicating that the report was
originally drafted as a Word document. Word, however, retains the
original image when an image is cropped, as do many other apps.
Microsoft's documentation cautions that 'Cropped parts of the picture
are not removed from the file, and can potentially be seen by others,'
going on to note: 'If there is sensitive information in the area you're
cropping out make sure you delete the cropped areas.'

"When this Word document was converted to a PDF, the original,
uncropped images were likewise carried over. The Intercept was able to
extract the original, complete images from the PDF using freely
available tools..."
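
A pre-release check for the failure mode The Intercept describes, as an added example that is not part of the original post or the digest: it lists pictures in a .docx whose crop rectangle (`a:srcRect`) still hides part of the stored original. The sample document is constructed in memory with simplified drawing markup, and the function names are hypothetical.

```python
import io
import posixpath
import xml.etree.ElementTree as ET
import zipfile

# OOXML namespaces used by Word for pictures and package relationships.
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
A = "http://schemas.openxmlformats.org/drawingml/2006/main"
PIC = "http://schemas.openxmlformats.org/drawingml/2006/picture"
R = "http://schemas.openxmlformats.org/officeDocument/2006/relationships"
PKG_REL = "http://schemas.openxmlformats.org/package/2006/relationships"
SIDES = ("l", "t", "r", "b")  # left, top, right, bottom


def _relationships(zf, part):
    """Map relationship id -> archive path for one part, e.g. word/document.xml."""
    folder, name = posixpath.split(part)
    rels_path = posixpath.join(folder, "_rels", name + ".rels")
    if rels_path not in zf.namelist():
        return {}
    mapping = {}
    for rel in ET.fromstring(zf.read(rels_path)).iter(f"{{{PKG_REL}}}Relationship"):
        if rel.get("TargetMode") == "External":
            continue  # linked, not embedded: nothing stored in the file
        target = rel.get("Target", "")
        if target.startswith("/"):
            mapping[rel.get("Id")] = target.lstrip("/")
        else:
            mapping[rel.get("Id")] = posixpath.normpath(posixpath.join(folder, target))
    return mapping


def find_cropped_images(docx_bytes):
    """Return one finding per picture that is displayed cropped.

    Meant for drafts you are about to publish; for untrusted files swap in a
    hardened XML parser. Assumes the transitional OOXML encoding, where crop
    values are integers in 1/1000 of a percent.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        parts = sorted(n for n in zf.namelist()
                       if n.startswith("word/") and n.endswith(".xml"))
        for part in parts:  # body, headers, footers, footnotes, ...
            rels = _relationships(zf, part)
            root = ET.fromstring(zf.read(part))
            for fill in root.iter(f"{{{PIC}}}blipFill"):
                blip = fill.find(f"{{{A}}}blip")
                rect = fill.find(f"{{{A}}}srcRect")
                if blip is None or rect is None:
                    continue
                hidden = {s: int(rect.get(s, "0")) / 1000 for s in SIDES}
                if not any(v > 0 for v in hidden.values()):
                    continue  # no side is cut away
                rid = blip.get(f"{{{R}}}embed")
                findings.append({
                    "part": part,
                    "media": rels.get(rid, "(unresolved)"),
                    "hidden_percent": hidden,
                })
    return findings


def build_sample_docx():
    """Constructed sample: one cropped picture, one uncropped (simplified markup)."""
    def picture(rid, src_rect=""):
        return ("<w:p><w:r><w:drawing><pic:pic><pic:blipFill>"
                f'<a:blip r:embed="{rid}"/>{src_rect}<a:stretch/>'
                "</pic:blipFill></pic:pic></w:drawing></w:r></w:p>")

    crop = '<a:srcRect r="40000" b="12500"/>'  # hides right 40% and bottom 12.5%
    document = (f'<w:document xmlns:w="{W}" xmlns:a="{A}" '
                f'xmlns:pic="{PIC}" xmlns:r="{R}"><w:body>'
                f'{picture("rId1", crop)}{picture("rId2")}'
                "</w:body></w:document>")
    rels = (f'<Relationships xmlns="{PKG_REL}">'
            f'<Relationship Id="rId1" Type="{R}/image" Target="media/image1.png"/>'
            f'<Relationship Id="rId2" Type="{R}/image" Target="media/image2.png"/>'
            "</Relationships>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document)
        zf.writestr("word/_rels/document.xml.rels", rels)
        zf.writestr("word/media/image1.png", b"placeholder bytes, not a real PNG")
        zf.writestr("word/media/image2.png", b"placeholder bytes, not a real PNG")
    return buf.getvalue()


if __name__ == "__main__":
    for f in find_cropped_images(build_sample_docx()):
        sides = ", ".join(f"{k}={v}%" for k, v in f["hidden_percent"].items() if v)
        print(f'{f["part"]}: {f["media"]} is shown cropped ({sides}); '
              "the stored file is still the full original")
```

A finding means the media file inside the document is still the uncropped original, so any export that carries embedded images over will carry the hidden area with it.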


Re: Defective train safety controls lead to bus rides for South Auckland commuters (Hinson. RISKS-33.76)

George Neville-Neil <gnn@neville-neil.com>
Mon, 17 Jul 2023 21:37:57 +0800
WRT the *Defective train safety controls*, it would seem that the controls
in question are the locomotive engineers.  Reviewing the rolling stock and
locomotives used on the KiwiRail service shows them to be common diesel
locomotives, without any form of positive train control or automatic braking
that would stop the train when it runs a red signal.  The issue is operator
error, rather than a fault in an automated system.  It's a risk, but it's an
old one, and not, it would seem, due to an automated system.


Re: Myth about innovation ... (RISKS-33.75)

Henry Baker <hbaker1@pipeline.com>
Sun, 16 Jul 2023 16:51:29 +0000
Be very careful what you wish for.

While I have also criticized OceanGate in this forum, I'm not about ready to
throw out the innovation baby with the (ocean?)  bathwater.

*Innovation* is *novelty* + *usefulness* + *cost-effectiveness* +
*right-timing*.

Exhibit #1 is Apple, as they have continually reshaped the
computer world from personal computers to desktop publishing
to smartphones to digital cameras.  At each step, the 'market
research' said that no one was interested in these devices; the
reason, of course, is that no one had had access to such devices,
so the intuition of the market research subjects was wrong.

There's a curious relationship between 'fake news' and
innovation: *the experts are always wrong*, because *experts*
(by definition) are *backwards-looking*. You can't be an expert
in a field that doesn't exist yet. Yet the 'expert' is the first to
call every new idea 'fake news'.

An American football analogy: so-called 'broken field running',
when all the planning and practice for a particular play goes
out the window, and the field is completely chaotic.  The best
broken field runners don't think—they utilize their *gut feel* to
know which way to run.

Entrepreneurs see the world differently from the rest of us.
Where the politicians, regulators and 'experts' decry the sad
state of the world, the entrepreneur sees *opportunity* and
*grabs it*.

For every single new idea there are a million naysayers and
censors.

It takes an extremely strong ego to withstand this withering
criticism. The vast majority of the population doesn't have the
constitution to go up against colleagues, friends, and family.

Exhibit #2 is Christopher Columbus.  More important than how
many people died is how many people survived and subsequently
took advantage of his innovation.  Look back at the famous
explorers—Magellan, etc.—quite a number of them and their
crew lived to tell the tale, and the rest is history.

I'm with Galileo: 'And yet it moves' !


Re: Myth about innovation ... (RISKS-33.75)

Martyn Thomas <martyn@mctar.uk>
Tue, 11 Jul 2023 10:57:50 +0100
We should challenge the myth that regulation stifles innovation.

Some of the most innovative industries are highly regulated.

Pharmaceuticals and children's toys, for example (in the EU and UK).


Re: Myth about innovation and regulation ... (RISKS-33.75) NOTSP (Thomas, RISKS-33.76)

"John Levine" <johnl@iecc.com>
16 Jul 2023 22:36:31 -0400
> We should challenge the myth that regulation stifles innovation. Some of
> the most innovative industries are highly regulated. Pharmaceuticals and
> children's toys, for example (in the EU and UK).

One could write entire books about the purposes, costs, and benefits
of regulation. (Someone probably has.)

The normal motivation is to protect the public from some direct harm, e.g.,
drugs that don't work or are harmful. But there is plenty of regulation
intended more to maintain the providers' business model.  That isn't
necessarily a bad idea.  When you have an 80,000 lb truck barreling down the
road, I would prefer that the operator have sufficient revenue to maintain
the truck, and to pay the driver enough that she doesn't feel forced to pop
pills and drive 16 hrs a day.

There is a reason that Uber et al. started in San Francisco—its taxi
regulation was uniquely bad due to a local law that limited taxis to
owner-drivers, with a cap way too small to handle the demand. That was swell
for the drivers, awful for everyone else. So there was a lot of sympathy for
a service, even an illegal one, that fixed the fact that there just weren't
taxis when you needed them.

Some of the innovation was plausibly a good idea, e.g., using an app to
match up drivers and passengers. Some was bad, e.g., Lyft's "sharing"
insurance fraud model taking paying passengers in personal cars with no
insurance in case of an accident. (Uber quickly copied it.) Some was
accidental, Uber's super cheap below-cost service subsidized by lots of
venture capital silly money.

The app also happened to be a regulatory innovation since it completely
blurred the distinction between taxis you could hail on the street and car
services you book ahead. In New York, those are different services with
different licenses. NYC had enough sense to force Uber to become a car
service, which meant among other things that Uber drivers in NYC are covered
by workers' comp if they're injured on the job; other places not so much.

Picking apart the beneficial parts of innovation from the harmful or
parasitic parts can be hard, but it is necessary.  As we saw with
OceanGate, what is always wrong is to insist that innovation for its own sake is
by definition good.


Internet censorship

"Eugene H. Spafford" <spaf@acm.org>
Thu, 20 Jul 2023 08:50:37 -0600
You might be interested in this Ph.D. dissertation by my most recent
student, Major Alexander Master.

Title: Modeling and Characterization of Internet Censorship Technologies

Abstract:

The proliferation of Internet access has enabled the rapid and widespread
exchange of information globally. The world wide web has become the primary
communications platform for many people and has surpassed other traditional
media outlets in terms of reach and influence. However, many nation-states
impose various levels of censorship on their citizens' Internet
communications. There is little consensus about what constitutes
*objectionable* online content deserving of censorship. Some people consider
the censor activities occurring in many nations to be violations of
international human rights (e.g., the rights to freedom of expression and
assembly). This multi-study dissertation explores Internet censorship
methods and systems. By using combinations of quantitative, qualitative, and
systematic literature review methods, this thesis provides an
interdisciplinary view of the domain of Internet censorship. The author
presents a reference model for Internet censorship technologies: an
abstraction to facilitate a conceptual understanding of the ways in which
Internet censorship occurs from a system design perspective. The author then
characterizes the technical threats to Internet communications, producing a
comprehensive taxonomy of Internet censorship methods as a result. Finally,
this work provides a novel research framework for revealing how nation-state
censors operate based on a globally representative sample. Of the 70 nations
analyzed, 62 used at least one Internet censorship method against their
citizens. The results reveal worldwide trends in Internet censorship based
on historical evidence and Internet measurement data.

https://www.doi.org/10.25394/PGS.23666784
