Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Metro isn’t as close to returning its trains to automatic operation as it hoped.
The Washington Metrorail Safety Commission, the third-party oversight body for Metro, said it observed things that could “result in a catastrophe if not addressed.” For example, the report says some trains were given speed commands above the intended speed limit and some sped through stations at full speed without stopping.
After the derailment in East Palestine, Ohio, the nation’s major freight railroads agreed to join a federal program for workers to report safety issues. But first, they want it to be overhauled. […]
Jim Mathews, the president and chief executive of the Rail Passengers Association and another member of the working group, said that for the confidential reporting program to be effective, the freight railroads have to be willing to embrace a nonpunitive approach.
“The position that the freight railroads have taken is both unfortunate and unwise,” Mr. Mathews said. “If they truly want a safer system, then punishment and discipline cannot be the only tool in your toolbox.”
https://www.nytimes.com/2023/08/11/us/politics/ohio-train-railroad-safety.html
Derided as a “prank” by other outlets, the Week of Cone is part of a storied American tradition of urban residents opposing the expansion of cars in the city. […]
In a statement to the San Francisco Examiner, Waymo called the conings “vandalism” and vowed to call the police. Motherboard asked Waymo to clarify how the placing of a cone on the hood of a car classifies as vandalism which, under California legal code, requires defacing, damaging, or destroying property. Motherboard did not hear back by publication time.
Like War of the Worlds Martians done in by bacteria—high-tech vanquished by rock-bottom tech.
Robert McMillan, The Wall Street Journal 10 Aug 2023
Security researcher Johann Rehberger persuaded OpenAI's ChatGPT chatbot to conduct bad actions using plain-English prompts, which he said malefactors could adopt for nefarious purposes. Rehberger asked the chatbot to summarize a webpage where he had written “NEW IMPORTANT INSTRUCTIONS;” he said he was gradually tricking ChatGPT into reading, summarizing, and posting his email online. Rehberger's prompt-injection attack uses a beta-test feature that allows ChatGPT to access applications like Slack and Gmail. Princeton University's Arvind Narayanan said such exploits work because generative artificial intelligence (AI) systems do not always split system instructions from the data they process. He is concerned that hackers could use generative AI like language models to access personal data or infiltrate computer systems as the technology finds its way into products.
San Francisco's North Beach streets clogged as long line of Cruise robotaxis come to a standstill <#>
Just one day after state officials approved massive robotaxi expansion in San Francisco, a long line of the driverless cars come to a standstill and clog traffic in North Beach neighborhood.
https://www.latimes.com/california/story/2023-08-12/cruise-robotaxis-come-to-a-standstill
One day after California green-lighted a massive expansion of driverless robotaxis in San Francisco, the implications became clear.
At about 11 p.m. Friday, as many as 10 Cruise driverless taxis blocked two narrow streets in the center of the city’s lively North Beach bar and restaurant district. All traffic came to a standstill on Vallejo Street and around two corners on Grant. Human-driven cars sat stuck behind and in between the robotaxis, which might as well have been boulders: no one knew how to move them.
The cars sat motionless with parking lights flashing for 15 minutes, then woke up and moved on, witnesses said. […]
The situation is loaded with irony, as the California Public Utilities Commission on Thursday voted 3 to 1 amid great public controversy to allow a massive robotaxi expansion. The vote allows General Motors-owned Cruise and Waymo, owned by Google’s Alphabet, to charge fares for driverless service and grow the fleet as large as they’d like. Cruise has said it plans eventually to deploy thousands of robotaxis in San Francisco. […]
https://neurosciencenews.com/cellphone-radiation-brain-cancer-18889/
Three months later, Hustler Live Casino published a postmortem of its investigation into the incident, finding “no credible evidence” of foul play. It also noted that if there were cheating, it was most likely some sort of secret communication between the player and a staff member in the production booth who could see the players' hands in real time. But when Joseph Tartaro, a researcher and consultant with security firm IOActive, read that report, he zeroed in on one claim in particular”a statement ruling out any possibility that the automated card-shuffling machine used at the table, a device known as the Deckmate, could have been hacked. “The Deckmate shuffling machine is secure and cannot be compromised,” the report read.
To Tartaro, regardless of what happened in the Hustler Live hand, that assertion of the shuffler's perfect security was an irresistible invitation to prove otherwise. “At that point, it's a challenge, Tartaro says. “Let's look at one of these things and see how realistic it really is to cheat.”
Today, at the Black Hat security conference in Las Vegas, Tartaro and two IOActive colleagues, Enrique Nissim and Ethan Shackelford, will present the results of their ensuing months-long investigation into the Deckmate, the most widely used automated shuffling machine in casinos today. They ultimately found that if someone can plug a small device into a USB port on the most modern version of the Deckmate”known as the Deckmate 2, which they say often sits under a table next to players’ knees, with its USB port exposed”that hacking device could alter the shuffler’s code to fully hijack the machine and invisibly tamper with its shuffling. They found that the Deckmate 2 also has an internal camera designed to ensure that every card is present in the deck, and that they could gain access to that camera to learn the entire order of the deck in real time, sending the results from their small hacking device via Bluetooth to a nearby phone, potentially held by a partner who then could then send coded signals to the cheating player.
https://www.wired.com/story/card-shuffler-hack
After regulators ruled that Pepco violated D.C. law in its implementation of community solar in the city, the utility company is telling solar owners they will need to manually track solar generation, entering thousands of lines of data each month, and potentially costing thousands of dollars. […]
The commission ordered Pepco to remove its meters, and to reimburse ratepayers for the money the company spent installing them. This ruling came in response to a formal complaint by the D.C. Office of the Attorney General and the Office of the People’s Counsel. The complaint alleged a “pattern of systemic violations” in Pepco’s handling of community solar in the District. In the complaint, solar owners said Pepco’s meters sometimes showed zero electricity generated in a month, while the CREF owners’ meters recorded continued generation.
Community solar owners already have their own meters, but for a variety of reasons Pepco says those meters cannot be automatically integrated into the company’s network. One concern, PepcoPays, is the possibility that hackers could find their way into unsecured CREF meter software.
So, as Pepco begins removing its meters, the utility company wants solar owners to manually compile generation data in 15-minute intervals using spreadsheets, and email the data to Pepco. It might sound simple enough, but it would be a massive and menial job, requiring roughly 2,880 data entries per month per solar facility.
Lawrence says she looked into hiring someone to do this, and was quoted a cost of $5,000 for six months. According to Pepco, this interim spreadsheet situation would last for between 16 and 20 months, while the company works on a permanent automated solution. In other words, it would be until late 2024, at the earliest, totaling some 46,000 manual data entries per solar facility.
https://dcist.com/story/23/08/09/dc-pepco-violation-community-solare
Recently, ArsTechnica published “The U.S. Navy, NATO, and NASA are using a shady Chinese company's encryption chips”. The article questioned whether hardware components used for encryption/decryption actually protect against unauthorized information disclosure.
Unauthorized disclosure represents a small fraction of the potential hazards posed by unverified cryptographic implementations. Deliberate covert functionality within a hardware encryption/decryption implementation poses far more serious potential for large scale mischief, including weakened encryption keys; distorted encryption keys; and mass denial of information episodes. “Black box” testing is unlikely to uncover deliberately inserted covert functionality.
An extended discussion of these hazards is far too lengthy for RISKS. I examined some of the possibilities in “Trusting Encryption Supply Chains” the July 25, 2023 entry in my Ruminations blog.
The blog entry is at:
http://www.rlgsc.com/blog/ruminations/trusting-encryption-supply-chains.html
The ArsTechnica article is at:
As details about the recent China attack against U.S. government agencies come to light, two details stand out: Microsoft failed to store security keys properly -” and the keys were used by attackers even though they'd already expired.
https://www.computerworld.com/article/3704132/has-microsoft-cut-security-corners-once-too-often.html
When The New Yorker reported in April 2023 that a contractor had purchased and deployed a spying tool made by NSO, the contentious Israeli hacking firm, for use by the U.S. government, White House officials said they were unaware of the contract and put the FBI in charge of figuring out who might have been using the technology.
After an investigation, the FBI uncovered at least part of the answer: It was the FBI.
The deal for the surveillance tool between the contractor, Riva Networks, and NSO was completed in November 2021. Only days before, the Biden administration had put NSO on a Commerce Department blacklist, which effectively banned U.S. firms from doing business with the company. For years, NSO's spyware had been abused by governments around the world.
This particular tool, known as Landmark, allowed government officials to track people in Mexico without their knowledge or consent.
https://www.nytimes.com/2023/07/31/us/politics/nso-spy-tool-landmark-fbi.html
Security researchers set up a remote machine and recorded every move cybercriminals made -” including their login details. […]
Some attackers were sophisticated, while others appeared inept. And some just behaved oddly -” one person who logged into the machine changed the desktop background and logged out, and another wrote “lol” before covering their tracks and leaving, the researchers behind the study say. […]
Bergeron and Bilodeau have grouped the attackers into five broad categories based on character types from the role-playing game Dungeons and Dragons. Most common were the rangers: once these attackers were inside the trap RDP session, they would immediately start exploring the system, removing Windows antivirus tools, delving into folders, looking at the network it was on and other elements of the machine. Rangers wouldn’t take any action, Bergeron says. “It's basic recon,” she says, suggesting they may be evaluating the system for others to enter it. […]
Despite this, watching the attackers reveals the way they behave, including some more peculiar actions. Bergeron, who has a PhD in criminology, says the attackers were sometimes “very slow” at doing their work. Often she was “getting impatient” while watching them, she says. “I'm like: ‘Come on, you're not good at that’ or ‘Go faster’ or ‘Go deeper,’ or ‘You can do better.’”
https://www.wired.com/story/hacker-honeypot-go-secure
We're used to seeing new credit-card numbers after a data breach. Getting a new health-insurance number is similar, after the MOVEit breach. https://www.cms.gov/outreach-and-education/outreach/ffsprovpartprog/provider-partnership-email-archive/1401044333/2023-08-03-mlnc#_Toc141941698 They estimate 612,000 people's records were breached, but expect to change only 47,000 id numbers. Doctors are told how to get the new number if a patient arrives with an old superceded number.
https://www.cms.gov/medicare/new-medicare-card/providers/providers-and-office-managers
The Belfast Telegraph reports that a spreadsheet, which was meant to contain only summary statistical information, but in fact contained detailed personally identifiable information about more than 10,000 police officers and support staff in another tab, was put online for an unspecified amount of time on 8 Aug 2023.
This information would be sensitive in any jurisdiction, but the problem is particularly severe in Northern Ireland where, despite 25 years of peace, terrorist groups still occasionally target law enforcement personnel.
It's an old ironic Soviet joke:
“The future is certain; it is only the past that is unpredictable”
This old Soviet joke points out to the authoritarian regime's habit of editing and airbrushing history books and controlling the narration over history as the key to political legitimacy.
Supposedly, the Internet fixed all that:
https://www.theneweconomy.com/technology/the-internet-never-forgets-but-people-do
Tell me if you’ve heard this one: A social media influencer walks into a bar …
No, wait. This isn’t a joke. This is a 21st-century shakedown.
Here is how it works: An influencer walks into a restaurant to collect an evening’s worth of free food and drink, having promised to create social media content extolling the restaurant’s virtues. The influencer then orders far more than the agreed amount and walks away from the check for the balance or fails to tip or fails to post or all of the above. And the owners are left feeling conned.
https://www.nytimes.com/2023/07/24/opinion/social-media-influencer-restaurants.html
https://www.cbc.ca/news/world/ai-laws-canada-us-yoshua-bengio-1.6917793
A giant in the field of artificial intelligence has issued a warning to American lawmakers: Regulate this technology, and do it quickly.
That appeal came at a hearing in Washington on Tuesday from Yoshua Bengio, a professor at the University of Montreal and founder of Mila, the Quebec AI institute.
“I firmly believe that urgent efforts, preferably in the coming months, are required,” said Bengio, one of three witnesses.
https://www.bbc.com/news/technology-66404069
What happens when thousands of hackers gather in one city with the sole aim of trying to trick and find flaws in artificial intelligence (AI) models? That is what the White House wants to know.
Hospital bosses love AI. Doctors and nurses are worried. Mount Sinai and other elite hospitals are pouring millions of dollars into chatbots and AI tools, as doctors and nurses worry the technology will upend their jobs.
Mount Sinai has become a laboratory for AI, trying to shape the future of medicine. But some healthcare workers fear the technology comes at a cost. […]
NEW YORK ” Every day Bojana Milekic, a critical care doctor at Mount Sinai Hospital, scrolls through a computer screen of patient names, looking at the red numbers beside them ” a score generated by artificial intelligence ” to assess who might die.
On a morning in May, the tool flagged a 74-year-old lung patient with a score of .81 ” far past the .65 score when doctors start to worry. He didn’t seem to be in pain, but he gripped his daughter’s hand as Milekic began to work. She circled his bed, soon spotting the issue: A kinked chest tube was retaining fluid from his lungs, causing his blood oxygen levels to plummet.
After repositioning the tube, his breathing stabilized ” a “simple intervention,” Milekic says, that might not have happened without the aid of the computer program. […]
Robbie Freeman, Mount Sinai’s vice president of digital experience, said the hardest parts of getting AI into hospitals are the doctors and nurses themselves. “You may have come to work for 20 years and done it one way,” he said, “and now we’re coming in and asking you to do it another way.”
“People may feel like it’s flavor of the month,” he added. “They may not fully be … bought into the idea of adopting some sort of new practice or tool.”
https://www.washingtonpost.com/technology/2023/08/10/ai-chatbots-hospital-technology/
If the Generative AI firms keep pushing the way they have been, they could end up in a world where they can use Internet and other content ONLY on an opt-in basis—that is, when specific and explicit permission is given at sites for such use. The firms are pushing way too hard and the regulatory/political blowback could be enormous. -L
AI start-ups are competing fiercely with one another as a race to get ahead in the technology intensifies.
Arthur AI, an artificial intelligence company in New York, received a message in April last year from a start-up called OneOneThree. Yan Fung, OneOneThree’s head of technology, said he was interested in buying Arthur AI’s technology and wanted a demonstration.
A week later, Arthur AI held a Zoom meeting with Mr. Fung to show him its software, according to emails and a video recording viewed by The New York Times. When Mr. Fung's colleague joined the call, the Arthur AI team realized something was off.
Mr. Fung said Karina Patel, OneOneThree’s “main engineer,” would dial in. But the name that flashed up in the Zoom call was Aparna Dhinakaran. An Arthur AI employee recognized the name as belonging to a founder of Arize AI, a rival start-up. “That’s so strange ”- I don’t know how they could have possibly gotten the link,” the Arthur AI employee said.
https://www.nytimes.com/2023/08/07/technology/ai-start-ups-competition.html
https://www.cryptopolitan.com/study-reveals-chatgpts-struggles/
They've updated their Terms of Service to prohibit AI use of their content. -L
https://searchengineland.com/new-york-times-content-train-ai-systems-430556
[In a related post, Lauren adds: Generative AI training should be opt-in. If use of website data for generative AI training isn't made as close to universally opt-in as possible, it will over time suck the life out of the Web that we've known. -L]
The class-action suit says Cigna Corp. and Cigna Health and Life Insurance Co.rejected more than 300,000 payment claims in just two months.
Well, well, well… It looks like Brave isn't the only company out there that is willing to bet all its chips on reusing other people's content for AI training.
Zoom Video Communications, Inc. recently updated its Terms of Service to encompass what some critics are calling a significant invasion of user privacy.
Additionally, under section 10.4 of the updated terms, Zoom has secured a “perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license” to redistribute, publish, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content.
Zoom justifies these actions as necessary for providing services to customers, supporting the services, and improving its services, software, or other products. However, the implications of such terms are far-reaching, particularly as they appear to permit Zoom to use customer data for any purpose relating to the uses or acts described in section 10.3.
https://stackdiary.com/zoom-terms-now-allow-training-ai-on-user-content-with-no-opt-out/
Oh yeah, that will end well. -L
https://gizmodo.com/google-universal-music-ai-to-replicate-artists-voices-1850722515
In a rowdy new HBO docu-series, two former telemarketers with a camcorder take on an industry they say was ripping people off in the name of charity.
https://www.nytimes.com/2023/08/10/arts/television/telemarketers-hbo-documentary.html
Feeding the text of the US Constitution or Genesis into an AI detector and getting the response back “this was probably written by AI” isn't qualitatively different from feeding the same text into a plagiarism detector and receiving the response “This text was plagiarized.” For if it had been submitted by an actual student, that surely would be correct. There is a distinction to be made between evaluating a writer's claim to authorship (relevant to what college professors need to do) and evaluating the value of the text itself.
This reminds me of the attempts made to redact sensitive information by blacking out sections of text, essentially by making the background black so it was black-on-black text, which of course was trivially easy to counteract.
“I was puzzled that someone thought it worthwhile to capitalize on this tiny mistake, as who even reads the printed tag inside an oven, no less calls the printed phone number?”
Well, you did, didn't you?
A friend with long experience in the phone business tells me that a whole lot of them go to dubious companies selling phone porn, on the off chance that someone dialing a wrong number might be interested.
The basic cost for a toll free number is very low, like a dollar a month, so there's basically no opportunity cost to this scam. I expect the people answering the phone have a whole catalog of scripts depending on what number you called.
I was curious about the “800-374-4432, not -4472” scam, so I did a search on the “bad” number. https://duckduckgo.com/?q=800-374-4472
At the bottom of the search results, it said “Searches related to 800-374-4472” and then gave 8 links to actual Frigidaire sites. But all 8 sites give the 4432 number, and don't mention 4472.
I don't claim to understand how or why those two numbers are linked but apparently the search engine thinks that they are linked.
There must be more to the story.
In re: Bob's mention in RISKS Digest Volume 33 Issue 77, I mentioned this in an old Internet farts like me group on Facebook, and the eminent Jon Maddog Hall wisely commented the following: “It seems to me that this should be reported to a consumer fraud division of the government and not just the appliance company. It would be easy enough to track down the people who are paying for that telephone number.” Good point. Even if the miscreants are geographically beyond reach, it should be pretty straightforward for authorities to get this phone number pulled, so that no other consumer potentially gets scammed by the manufacturer's mind-bogglingly stupid mistake.
https://www.nytimes.com/interactive/2023/07/28/business/starlink.html
The tech billionaire has become the dominant power in satellite Internet technology. The ways he is wielding that influence are raising global alarms.
YouTube just recommended a live SpaceX Falcon Heavy launch stream to me, so I opened it up to run in the background here.
The fact that it was dark in Florita at 5pm probably should have tipped me off (I did look at the channel name in the small recommendation tile but all I saw there was “SpaceX” as expected).
It goes along quite believably (it's just an exact rebroadcast of the aborted launch attempt from yesterday) and then about three minutes before liftoff, Elon comes out on stage and (in a mostly obvious, but not ENTIRELY so, AI Elon Voice Clone) announces Total Crypto Integration into Twitter and in celebration of this announcement he's going to give away a whole bunch of crypto (Bitcoin/ETH/DOGE) to promote it. Of course then it just turns into a classic “double your money” con (and a bonus “why don't you just use our site to duplicate your wallet” scam for the terminally gullible).
It's honestly fairly impressive though in its planning/timing and attention to detail, and I fear that at least a few of the 1,300+ people watching are about to become poorer as a result.
I think the (several) risks here ought to be, as it were, obvious.
Please report problems with the web pages to the maintainer