Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
A man has been crushed to death by a robot in South Korea after it failed to differentiate him from the boxes of food it was handling, reports say.
https://www.bbc.com/news/world-asia-67354709
Australia's second largest mobile and Internet service provider had a major outage across Australia today.
https://www.smh.com.au/technology/what-caused-the-optus-outage-20231108-p5eiep.html?btis https://www.abc.net.au/news/2023-11-08/optus-outage-mobile-phones-internet-what-happened/103077180
It was revealing how dependent our society is on the full functioning of our communication services.
This outage affected public transport, ‘000’ emergency calls (Australia's 911) for Ambulance-Police-Fire Brigades, Two-factor authentication of websites, Uber, Taxis, Hospitals and the list goes on. People are scrounging for other ways to connect as most of our digital life is dependent on communication.
In a hint at reducing the risk impact of NO communication services, Optus spokesperson said:
“We are aware of some mobile phones having issues connecting to triple-0. If Optus customers need to call emergency services, we suggest finding a family member or neighbour with an alternative device”! [emphasis added]. To Optus' credit they have returned systems to operation in just 8 hours.
Diversity is one of the key measures to improve reliability and resilience. I was lucky to continue on as my Internet was with a different provider to my mobile. As IoT, Cloud and 5G become the norm to “interconnectedness” we will experience more risks to our “normal” life. I just got to get a list of neighbours with an alternative device, just in case. ;-)
In the two years since an Israeli company first tried to thwart a Russian disinformation campaign in Burkina Faso, coups or rebels have removed the governments of five former French colonies, replacing them with pro-Russia leaders.
https://www.washingtonpost.com/technology/2023/10/21/percepto-africa-france-russia-disinformation/
MOSCOW ” A Russian court fined Google nearly $100 million Friday for “systematic failure to remove banned content” ” the largest such penalty yet in the country as Moscow attempts to rein in Western tech giants.
The fine was calculated based on Google’s annual revenue, the court said. Roskomnadzor, Russia’s Internet regulator, told the court that Google’s 2020 turnover in the country exceeded 85 billion rubles, or about $1.15 billion.
Meta Platforms, the parent company of Facebook and Instagram, was fined approximately $27 million, also for declining to remove banned content, several hours after the Google decision. Meta’s fine, like the one levied on Google, was tied to yearly revenue in Russia.
The fines represent an escalation in Russia’s push to pressure foreign tech firms to comply with its increasingly strict rules on what it deems illegal content ” particularly apps, websites, posts and videos related to jailed opposition leader Alexei Navalny’s network, which has been labeled as extremist in the country.
https://www.washingtonpost.com/world/2021/12/24/google-russia-fine-banned-content/
https://www.schneier.com/essays/archives/2023/11/decoupling-for-security.html
The military has been sending weapons and advisers to Israel, but the flights suggest a more active American role.
Approximate paths of American military drone flights over the Gaza Strip. Flights shown here are from Oct. 28 to Nov. 2, of which at least six flights were over Gaza.
Source: Flight path data from FlightRadar24. Paths are approximate based on each flight's reported position about every minute.
[Military drones are tracked by FlightRadar24? That doesn't seem like a good idea…]
Amazon’s much-hyped drone project is dropping small objects on driveways. Some customers are not sure what it delivers beyond minestrone.
Only one item can be delivered at a time. It can’t weigh over five pounds. It can’t be too big. It can’t be something breakable, since the drone drops it from 12 feet. The drones can’t fly when it is too hot or too windy or too rainy.
The Texas weather plays havoc with important deliveries. Mr. Lord, a 54-year-old professor of civil engineering at Texas A&M, ordered a medication through the mail. By the time he retrieved the package, the drug had melted. He’s hopeful that the drones can eventually handle problems like this.
“I still view this program positively knowing that it is in the experimental phase,” he said.
https://www.nytimes.com/2023/11/04/technology/amazon-drone-delivery.html
The risk? Bezos fortune? Nah. Looking stupid? We'll see…
https://arstechnica.com/?p=1982702
Scripting languages do not use compilers, but applications written in scripting languages, e.g., Python, often use compression and obfuscation tools both to reduce download volume and simultaneously increase the difficulty and effort of reverse engineering. Such tools have a long history, I remember a PL/I source compressor program back in the late-1970s.
I remember an item in ACM SIGPLAN from slightly later on the subject of can one trust a compiler to not insert malevolent object code.
Obfuscators and compressors in this regard, are effectively compilers. They have the potential to insert foreign logic into the processed scrips.
ArsTechnica has reported that the security firm Checkmarx has identified eight malevolent Python obfuscators have been in active circulation since January of this year, inserting code to activate cameras, steal passwords, download files, and other severely compromising actions.
Just because a script is not compiled, does not mean that it cannot be compromised.
The ArsTechnica article can be found at: https://arstechnica.com/security/2023/11/developers-targeted-with-malware-that-monitors-their-every-move/
https://www.cbc.ca/news/canada/windsor/hospital-cyber-update-data-1.7023826
Patients' information—including the reasons for their visits—going back three decades from Bluewater Health in Sarnia, Ont., and its predecessor hospitals is among the data confirmed stolen in the cyberattack on five southwestern Ontario hospitals.
Transform, the hospital's IT provider, now confirms a database report containing information on 267,000 patients was taken. The report includes details about “every patient” seen at Bluewater Health and its predecessors since Feb. 24, 1992.
3 Charged With Running Prostitution Service Used by Politicians and Others https://www.nytimes.com/2023/11/08/us/politics/justice-department-brothel.html
Prosecutors say brothel suspect also collected possibly fraudulent COVID funds. Investigators believe James Lee used several business and related bank accounts to “launder the proceeds of the prostitution business,” court documents show. https://www.boston.com/news/crime/2023/11/10/prosecutors-brothel-suspect-collected-possibly-fraudulent-covid-funds/
Exposure of brothels that catered to the elite spotlights how legal system treats buyers and sellers in sex trade https://www.bostonglobe.com/2023/11/10/metro/brothel-bust-massachusetts-legal-system/
Affidavit details how investigators discovered brothel ring that allegedly catered to wealthy in Boston area and Virginia https://www.bostonglobe.com/2023/11/09/metro/brothel-bust-boston/
Man vs. Musk: A Whistleblower Creates Headaches for Tesla. An employee who was fired after expressing safety concerns leaked personnel records and sensitive data about driver-assistance software.
A day after Lukasz Krupski put out a fire at a Tesla car delivery location in Norway, seriously burning his hands and preventing a disaster, he got an email from Elon Musk.
“Congratulations for saving the day!” Mr. Musk, Tesla’s chief executive, wrote in March 2019.
But what started as a story about a heroic employee and a grateful employer has devolved into an epic battle between the carmaker and Mr. Krupski, a service technician. The fight has spawned lawsuits in Norway and the United States and caught the attention of regulators in several countries.
After initially being hailed as a savior, Mr. Krupski said in an interview with The New York Times, he was harassed, threatened and eventually fired after complaining about what he considered grave safety problems at his workplace near Oslo. Mr. Krupski, originally from Poland, was part of a crew that helped prepare Teslas for buyers but became so frustrated with the company that last year he handed over reams of data from the carmaker’s computer system to Handelsblatt, a German business newspaper.
By Shira Ovide, The Washington Post, 7 Novan 2023
Two dangerous cases of mistaken identity using the Find My app showed that location-tracking technology can be useful -” but it cannot be trusted.
https://www.washingtonpost.com/technology/2023/11/07/tracking-find-my-apps-accuracy/
Prosecutors say that a teenager and two friends set fire to a Denver home where he believed Apple’s Find My app showed his stolen iPhone. The teen later realized that the location data pinpointed the wrong house, according to prosecutors. Two of the teens are facing murder charges.
Last year, a SWAT team in Denver looking for a truck with stolen guns and an iPhone mistakenly raided the home of a 77-year-old woman. A lawyer for the woman, Ruby Johnson, says police relied on location data from the Find My app that took them to the wrong house. (The Denver Police Department declined to comment.)
Location tracking information in Apple’s Find My technology and similar software for Android phones can be incredibly useful, as are location trackers such as Tile and Apple AirTags that can help find your keys buried in the sofa cushions.
But as the two cases in Denver show, those location identifying technologies are not always accurate and the consequences can be dire.
The bottom line: You shouldn’t entirely trust location identifying technology.
Surprised individuals and small-business owners can’t pay rent or make payroll, and no one ever explains what they did wrong.
https://www.nytimes.com/2023/11/05/business/banks-accounts-close-suddenly.html
Virginia is the only state in the U.S. where people who’ve committed any felony automatically lose their right to vote unless the governor restores it, according to the Brennan Center for Justice.
In September, VPM News reported on an Arlington County man who’d had his rights restored by former Gov. Ralph Northam, but had been stricken from the voter rolls after a probation violation.
State officials at ELECT and the Virginia State Police initially denied there was a systemic problem. The next week, they acknowledged the error; a spokesperson of Gov. Glenn Youngkin estimated it affected fewer than 300 people. But on 27 Oct 2023, ELECT said the total was more than 10 times that estimate.
Same-day registration on Election Day can only happen at a voter’s polling place, which can be found online or by calling a local election office. This is the second general election to take advantage of the process, which passed the then -“ Democrat controlled General Assembly along party lines in 2020.
https://dcist.com/story/23/11/07/virginia-voter-removal-2023-election-state-police-watch-team
CitySide Subaru, a car dealership in the Boston area, regularly loses potential customers for a surprising reason: Subaru has disabled some of its own software in a stalemate over control of data from your car.
That means no automatic emergency calls if the car crashes, no wireless notifications from the dealer about maintenance problems and no option to remotely start the car and fire up the heater. (Don’t judge. It’s cold in Massachusetts.)
Nathan White, CitySide’s general manager, said his staff warns car shoppers that features like those requiring wireless transmission don’t work on new Subaru models sold in the state.
The lack of those features is a “conversation we have to have with the customer,” White said. “To be honest with you, it’s a couple of percent a month” in lost vehicle sales. […]
“This all comes down to who owns the information,” White said. “Shouldn't the customer have some say?”
https://s2.washingtonpost.com/camp-rw/?trackId=596b22969bbc0f403f8bcc25&s=654e689d8c1e4d00e8e615
Perhaps we can try and collect all the reasons why a flying car that can only go 20 miles before it falls out of the sky is a bad idea.
How is it licenced? Is it a car, a plane, or something else?
How high can it go? There's one set of problems flying close to the ground (running into obstacles), a different set flying higher up (running into airplanes), etc.
I happen to live near a lake which is about 30 miles long and a mile wide, so something that let me go directly across the lake rather than around one end or the other might be useful, but I'm having trouble thinking of other scenarios for this thing.
Do you get bored driving your electric car with nothing to do but maintain your speed and direction and keep your attention on other road users and driving conditions?
Well, Toyota has added a computer game that you can play as you drive! (TOY-ota, get it?) Instead of a mouse and keyboard this game has an extra pedal and joystick as game interfaces for you to play with, and plays full volume game sound through the car's sound system. Best of all, if you mess up one of the moves in the game, the car will actually stop accelerating, or even suddenly stall!
I think that they should add a warning message for other road users (similar to those on driving instructor's cars): “Please keep your distance. Driver is playing a computer game while driving. Car may stall suddenly.”
Children used to stick cards in their bikes, so that they would make fake motorbike noises as the card flaps against the spokes of the wheels. I suppose this is the “grown ups” version, but with added danger to other road users. The, ahem, “young at heart” reporter at Ars Technica says that “it made things so much more fun”!
The Wired article makes a good read. It gives details on how one company cracked the encryption of the locked USB drive, in part by examining a sample of the drive.
It has been many years since I recall reading on this risks forum that security through obscurity was foolish and futile. The USS drive manufacturer should have been able to open source everything without compromising security. Here's a quote from Risks 12:25 “Within the Multics community, anything less than a complete willingness to hand critical code over to any hacker who asked for it was demeaningly referred to as ”security through obscurity,“ and was avoided at all cost.”
A year ago, I had to cancel my LastPass account because their obscure secrets were compromised.
Is the doctrine ridiculing security through obscurity dead?
Abridged comments, to remind us to scrutinize and be critical of the news we read, if you'll permit. Almost a 30-year reader of RISKS, this issue just hit all the right buttons for a reply to the entire thing, which is a first for me, a professional critic of sorts. —jericho
> Subject: Apple Disables Maps Features in Israel and Gaza
Meanwhile, doesn't disable in other conflict regions?
> Subject: California halts operations of Cruise self-driving robotaxis
Meanwhile, allows ex-DUI and elderly that cannot pass a current eye exam to drive.
> Subject: Oveview of the iLeakage Attack (Jason Kim et al.)
Eh.. Spectre-evolved? Or are you really claiming Apple ignored Spectre, Spectre v2, Spectre v3 / SPECTRE-NG, Spectre v4 / SPECTRE-NG, Spectre v5 / ret2spec, Spectre-BHB…
> Subject: AI Firms Must Be Held Responsible for Harm They Cause, > ‘Godfathers’ Say (Dan Milmo)
Sorry… “godfather” implies at least two generations, if not three. Modern so-called “AI” is still an infant. You already abused the term “AI”, you don't get to abuse more terms.
> Subject: President Biden Issues Executive Order one Safe, Secure, and > Trustworthy Artificial Intelligence (Whitehouse.gov)
“Trustworthy Artificial Intelligence” .. oxymoron.
> Subject: Executive Order on AI
> In an op-ed for Bloomberg Law, EPIC's Executive Director Alan Butler > argued for the need for an overriding federal privacy law.
But better than ECPA, COPPA, GLBA, HIPAA, FERPA… right?
> Subject: Humans Find AI-Generated Faces More Trustworthy > Than the Real Thing (Scientific American)
Big surprise here! As Joe Navarro tells us in his most basic of books, humans are trained to lie from a shockingly early age. AI isn't explicitly trained to, but it is programmed by the humans that are.
> Subject: AI Muddies Israel-Hamas War in Unexpected Way (NYTimes)
> Subject: AI generated allegations against Big Four consulting firms
Ibid.
> Subject: Meta Accused by States of Using Features to Lure Children to > Instagram and Facebook (NYTimes)
Eh, not like history has shown us they don't care. Now they are getting in on the game?
> Subject: FCC robocall enforcement does little to stop illegal calls, > Senate hears
Hundreds of millions could have testified a decade ago.
> Subject: Amazon, Microsoft, and India crack down on tech support scams
Meanwhile, many customers interfacing with the actual support channels still feel it is a scam.
> Date: Sun, 29 Oct 2023 11:40:02 -0400 > Subject: Top Philips Executive Approved Sale of Defective Breathing > Machines by Distributors, Despite Tests Showing Health Risks (ProPublica)
Pharmacom only cares about profit, news at 11.
> Subject: How a Big Pharma Company Stalled a Potentially Lifesaving > Vaccine in Pursuit of Bigger Profits (ProPublica)
Ibid.
> Subject: How a Lucrative Surgery Took Off Online and Disfigured Patients
If doctors fall for this crap, does society stand a chance?
I am in the market for employment again, and the job postings are amusing. I thought it might be helpful to discuss it a bit. I am a security professional, with a specialization in process management. I happen to also have a background in Linux operations, and development. I have even done networking (IPv4, and TIA 568A).
These were all separate jobs. I am bemused that the industry has seemed to move in the direction that professionals are expected to do all those at once, and somehow maintain proficiency in any of them.
The following are excerpts from job postings. Each job posting is for a single position.
This is two jobs: Remediation management (e.g., Vulnerability [Web, Database, OS] and Plan of Action and Milestones [POA&M]).
Vulnerability management should not include project management. If your security department is tracking milestones for deliverability of remediation, they are no longer performing security.
This is two jobs, and a ludicrous expectation: Cloud Security Essentials in at least 1 of AWS, GCP or Azure. Working knowledge of GCP and Azure.
Knowing the limitations and usages of a cloud platform is a job. Knowing two, is two jobs. Knowing two and being certified in a third is ludicrous.
This is at least four jobs
Build security tools and automation for critical corporate infrastructure protection, monitoring, and remediation. Develop DevOps pipelines and mature the SDLC process.
Security professionals do not develop security tools. Developers develop. Security professionals issue guidance and perform auditing and reporting on controls. Security is not DevOps, which was already more than two jobs. SDLC management is development, ensuring it works is operations, validating that it exists is security.
This one is my favorite. 19,000,005 jobs. The listing is for a SOC Incident Handler: Restores environment after an incident and ensures that the managed security service has thorough detection capabilities in place for emerging threats. Performs service requests from internal/external teams. Maintains an advanced understanding of cyber security threats, vulnerabilities, attacks, responsible groups, motivations and techniques.
SOC is an operations monitoring center. Restoring an environment is operations. Validating detection rules, that's reasonable. Service requests is helpdesk, maybe smart hands. If your operations monitoring center is performing operations, they are no longer monitoring. This is a violation of the Two-man rule (the language is older than I am). Gathering data to create security detections, that's a job. Analysis of security vulnerabilities, that's a job. Analysis of responsible groups, motivations and techniques, that's a government.
This is a [single!] job: Performs a combination of duties in accordance with departmental guidelines:
A complex one, but it has a single scope, presuming this company is only in 1 cloud. I am discounting on-premise as an ongoing job because it is a solved problem. The general guidance for operating on-premise has not changed in decades at this point. Use long term operating systems, document problem solving when implemented, patch when the vendor says to, it runs until you change it or the equipment gives up. This is in contrast to cloud providers which may not provide whatever specific feature you are using tomorrow, so you have to keep up with the provider. Or, my personal favorite, yesterday you were using 3 of their services, and today you are using 5. Scramble the security team to determine if the implementation is secure.
Job postings retrieved from indeed.com.
Keep juggling the shovels,
Please report problems with the web pages to the maintainer