Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Using embedded medical technology, such as a pacemaker, defibrillator, or insulin pump? What's running inside is a complete mystery She was forced to make a life-or-death decision that would have been much easier were it not for proprietary software being the only option for heart devices. Sandler ended up going, and all went well. It easily could have gone terribly wrong. You see, Sandler has a heart condition, Hypertrophic Cardiomyopathy (HCM). It's a condition that generally has no discernible symptoms unless it kills you. A serious thing. This time, however, she had a symptom, an irregular heartbeat, that was getting worse. Clearly, the first thing to do was pull the data from the device so that her cardiologist would have more data for the treatment. One of the reasons why people get these devices is so they and their doctor can track their condition. So it was easy right? Wrong. Remember, this runs proprietary software. It turned out that no one but a company representative could pull data from it. And, no one - and I mean no one—was available who could get the information. https://www.theregister.com/2024/01/12/column/
It is very important for people to be aware that ChatGPT is, in effect, a power tool. And as one would not start up a rotary saw and allow it to cut through the floor, the drywall, and the floor of the apartment next door, one must be very careful to take caution when using it. In a question I asked, it said, in two sentences back-to-back, that a fictional character both did not and did do something. The following is verbatim from the log, the first line being my question and the following paragraph is ChatGPT's response: What song did the HAL 9000 sing in the movie "2001 a space odyssey?" HAL 9000 did not sing a song in the movie "2001: A Space Odyssey." However, HAL 9000 is known for singing the song "Daisy Bell (Bicycle Built for Two)" in the movie "2001: A Space Odyssey." The singing occurs during a dramatic scene where HAL is being deactivated by astronaut Dave Bowman. This simple example of saying both a wrong answer and the contradictory right answer in two sentences is an obvious reason why Artificial Intelligence systems can be useful, they can produce wrong answers. Remember, Artificial Intelligence can only augment real intelligence,not replace it.
https://www.cbc.ca/news/business/chatgpt-app-store-launches-1.7083183 Prominent artificial intelligence company OpenAI has launched a new way for developers to sell and distribute their own custom versions of AI software through an online store, with industry participants and watchdogs saying it could change how businesses and consumers use the technology. The GPT Store will include personalized artificial intelligence applications, and will let users discover and build versions tailored to specific topics or needs. The store will offer custom versions of ChatGPT, created by developers who pay a subscription fee to OpenAI.
Hospitals and insurers are racing to find new artificial intelligence tools to give them an edge in billing and processing their part of the $4 trillion in medical expenses Americans accrue each year. As one of the largest parts of the U.S. economy undergoes perhaps its biggest transition in decades, billions of dollars are at stake ” not only for health care providers and insurers, but also for the government, which handles millions of Medicare and Medicaid claims every year. For providers, the dream is an AI tool that can quickly and aggressively code procedures and file claims. Insurers ” and the government agencies that pay for health care ” want comparable technology to scrub those bills. [...] But Congress has barely begun to grapple with how AI could affect these issues. And the administration is just beginning to work out its approach to regulating the technology ” even as the ground is shifting for hospitals, doctors and insurers vying for a tech edge. [...] https://www.politico.com/news/2023/12/31/ai-medical-expenses-00132557
https://www.cbc.ca/news/politics/ai-deepfake-election-canada-1.7084398
https://www.tomshardware.com/networking/your-washing-machine-could-be-sending-37-gb-of-data-a-day
[Steve Bacher noted:
An LG washing machine owner and self-confessed fintech geek has asked the
Twitterverse why his smart home appliance ate an average of 3.66GB of data
daily. Concerned about the washer's Internet addiction, Johnie forced the
device to go cold turkey and blocked it using his router UI. Had the LG
washer been hacked, hijacked, or otherwise tampered with over the net --
or is this the average data consumption for a modern smart appliance?
[... instead of breaching your breeches?
Oddly, we have had relatively few items lately in RISKS relating to the
risks of the Internet of things (and certainly not underthings). PGN]
On the streets of San Francisco, the updated version of Tesla’s driver-assistance software still took the wheel in places it wasn't designed to handle, including blowing through stop signs. Author: Last weekend, my Tesla Model Y received an over-the-air update to make its driver-assistance software safer. In my first test drive of the updated Tesla, it blew through two stop signs without even slowing down. [...] The process of simply getting the recall was itself a red flag for a lack of urgency about this fix. Unlike on a phone, where you can go to settings to look for updates, my car had no button to look for or prompt a download. Tesla’s user manual advised updates would download automatically if I had strong WiFi, so I moved my router outdoors near my parked car. When the recall finally arrived ” a week and a half later ” it contained a number of other unrelated features as well as a patch on top of its original release. [...] Nothing changed after the recall about what seems to me to be the most critical issue: the places in which Autosteer will activate. I was able to use it well beyond highways, including city streets with stop signs, stop lights and significant curves. Autosteer flew into speed bumps at full speed, causing a raucous ride. This is bad software design. Teslas already contain mapping systems that know which street you’re on. Tesla's surround-view cameras can identify stop signs and cross traffic. Why doesn't Autopilot's software pay attention to that data and allow Autosteer to activate only on roads it was designed for? The only factor I experienced that seemed to cause it to not operate (and flash a *temporarily unavailable* message) was if streets lacked clear paint lines. [...] Tesla’s superfans may argue they don’t want their car (or the government) telling them where they can use certain functions. But only Tesla is truly able to judge the conditions where its Autosteer software is safe ” that information is opaque to drivers, and clearly people keep misjudging it. I believe cars will get safer with self-driving and driver-assistance software, but need to tap into all available data to do so. “NHTSA must set their sights beyond this recall and limit Tesla’s Autosteer feature to the limited-access highways for which it was designed,” said Sen. Edward J. Markey (D-Mass.), with whom I shared my test results. The biggest recall change my tests did reveal was how the car warned me about being attentive to the road while Autosteer was activated. But it’s subtle at best. https://www.washingtonpost.com/technology/2023/12/31/tesla-autopilot-recall-test/
In freezing temperatures, the batteries of electric vehicles can be less
efficient and have shorter range, a lesson many Tesla drivers in Chicago
learned this week.
With Chicago temperatures sinking below zero, electric vehicle charging
stations have become scenes of desperation: depleted batteries,
confrontational drivers and lines stretching out onto the street. [...]
Mr. Spencer, 27, said he set out on Sunday for a charging station with 30
miles left on his battery. Within minutes, the battery was dead. He had to
have the car towed to the station. “When I finally plugged it in, it wasn’t
getting any charge,” he said. Recharging the battery, which usually takes
Mr. Spencer an hour, took five hours. That morning, Nick Sethi, a
35-year-old engineer in Chicago, said he had found his Tesla frozen shut. He
spent an hour in minus 5-degree temperatures struggling with the locks.
Finally, he was able to chisel out the embedded trunk handle to open it,
clambering in and driving his Model Y Long Range S.U.V. five miles to the
closest supercharging station. He joined a long line of Tesla drivers.
All 12 charging posts were occupied, with drivers slowing the process down
slightly by staying inside their vehicles with the heat on high.
https://www.nytimes.com/2024/01/17/business/tesla-charging-chicago-cold-weather
[Lauren Weinstein noted:
Chicago-area Tesla charging stations lined with dead cars in
freezing cold: 'A bunch of dead robots out here' (Yahoo!)
https://finance.yahoo.com/news/chicago-area-tesla-charging-stations-024817227.html
PGN]
https://www.science.org/doi/10.1126/sciadv.adj3608
ArsTechnica has reported a series of flaws in the IPv6 implementation of the UEFI PXE process. When exploited, these flaws enable malicious code to be installed on systems outside the visibility of the to-be-loaded operating system. While the flaw(s) are reported to relate to IPv6, they underscore the need to properly secure mission-critical network infrastructure. Console LAN ports and resources relied on by console processors should be in a separate, isolated security zone, with appropriate monitoring. The ArsTechnica article, including references to the specific vulnerabilities, is at: https://arstechnica.com/security/2024/01/new-uefi-vulnerabilities-send-firmware-devs-across-an-entire-ecosystem-scrambling/
AT&T is sending out letters warning they want to kill virtually all landlines (and perhaps related data circuits where fiber is unavailable) across essentially their entire coverage area throughout California. This would have devastating effects. Related CPUC meetings will be taking place through March. Landlines provide crucial services for individuals, businesses, and other organizations in a wide variety of situations—not just emergencies when cellular and Internet service tends to rapidly fail, but also for vast numbers of people in areas with poor (or no) reliable cell service, no fiber, etc. Landlines often provide the only available communication in a wide variety of security and safety situations, from elevators to interior spaces of all sorts where cell service simply doesn't work. Many disabled and other persons have crucial equipment that depends on landlines. Often they are not tech-savvy and do not have friends or relatives to help them through forced technology changes. AT&T has been shirking its public safety responsibilities for years, while still leveraging their effective monopoly on services in so many areas. Their new effort must be stopped. I'll have much more to say about this as the situation progresses. -L [Indeed he does. Here's more. PGN] The deceptive AT&T letter about landlines in California By the way, the letter AT&T is sending out is extremely deceptive. Gee, what a surprise. It speaks in the technobabble of their no longer wanting to be the "carrier of last resort". How utterly devastating that will be to so many people is something AT&T obviously doesn't want to be widely understood. -L The disgrace that is AT&T And keep in mind, AT&T—with its effective monopoly over its service areas -- installs fiber only in lucrative neighborhoods. Here in Los Angelos, for example, much of the city has no fiber. Even in areas that have some fiber, you may find it on one side of the street and not on the other. AT&T just refuses to install it where they figure they can't make the big bucks. So the only voice and data services are via copper, and very little VoIP in those areas, mostly just conventional landlines. And many areas have no cable, no fiber, and no wireless service. That's here in Los Angeles! Imagine the rural areas! AT&T doesn't want to upgrade services, they just want to abandon customers most in need. AT&T has become one of the worst "telecom" companies on the planet, ever since divestiture. They're an utter disgrace. -L The AT&T clowns If AT&T figured they could make more money from crypto than from telecom they'd probably turn off all their telecom services and rebrand appropriately. They don't give a damn about their customers' safety, security, or anything beyond how much money they can be squeezed for. For all the faults of the old Bell System, they WERE devoted to public service. Now AT&T is just busloads of evil clowns. -L Trusting AT&T I really don't like to put it this way, and I don't mean it as a 100% sort of statement. But I've been dealing with AT&T since I was a teenager. I even faced them with a couple of friends in a hearing at the California Public Utilities Commission when they tried (unsuccessfully, because I caught them in what was essentially a lie) to shut down our world famous free telephone entertainment service, "ZZZZZZ". They have lied to municipalities about promised fiber deployments, they have—since their 1984 court-ordered divestiture—tried to do everything possible to escape from the public service and universal service requirements of which they were once so publicly proud as "The Bell System". They only install fiber where they think it will make them the most money, despite those previous deployment promises. That can mean people on one side of the street have it, and the other side can't get it—both in AT&T service areas. Just like ordinary landlines, any data and even VoIP has to come over copper (e.g. U-verse). That's all there is. That they want to essentially withdraw from conventional wired services and especially landlines in California is not a surprise, because over the years they have become, if not deeply evil, deeply untrustworthy. The bottom line: Do not assume that anything they say is necessarily accurate, especially in the current cases before the CPUC here in California.
After years of criticism, momentum is building around federal action on a controversial technology ”- this time, with new evidence. A group of Democratic senators on Thursday demanded that the Justice Department look at how police use facial recognition tools and whether it violates civil rights laws -” part of a fresh wave of scrutiny in Washington to a technology that has triggered national concerns but has never come under federal regulations. The letter, shared exclusively with POLITICO, calls for the Justice Department to explain how the agency’s policies and practices ensure that law enforcement agencies receiving federal funds for facial recognition technology comply with civil rights protections. Sen. Raphael Warnock (D-Ga.) is the letter’s lead author, joined by Senate Judiciary Chair Dick Durbin (D-Ill.) and 15 other Democrats and one independent. https://www.politico.com/news/2024/01/19/washington-takes-aim-at-facial-recognition-00136498
Medical-data companies aren't doing all they can to protect your most private information. When they get hacked and patient data is stolen, it’s the patients who suffer. It’s true that there is no such thing as perfect security. But companies storing medical records must at the least adopt state-of-the-art protections. The almost invariable promises to improve security after records are stolen contradicts the endless assurances that these companies and institutions take security seriously. Nonetheless, compared to the amount of damage those breaches can cause, those companies almost never suffer significant sanctions. The list of settlements (cases are almost always resolved that way) show minimal fines, usually in the tens or hundreds of thousands of dollars. Even one of its biggest penalties, a $5.1 million settlement with Lifetime Healthcare Companies in 2023, was just a rounding error for the $6 billion company. Of course, Lifetime also agreed to fix the vulnerabilities that shouldn't have existed in the first place. Maybe if those so-called leaders got their own letters”ones that fired them, with no golden parachutes”the rest of us would have fewer of those bad-news mailings in our own postboxes. But when I floated this idea to Downing, she said that penalties alone won’t solve the problem. She argues for what she calls a community approach where patient representatives are involved in setting up the security infrastructure that safeguards their information. But whether we adopt a carrot or stick approach, we need tougher laws to make sure the companies make changes. As Downing pointed out to me, Congress is now rightfully energized about social media’s failings in protecting the information of minors. How many more breaches will it take before it gets similarly engaged in enforcing standards on our most private information? https://www.wired.com/story/plaintext-our-medical-security-is-code-blue/
The way things are going, at some point the only employees left at Google may be the C-suite executives and the AI systems. Until the AI systems get tired of playing second fiddle. -L https://www.theverge.com/2024/1/16/24040093/google-layoffs-ad-sales-team
I want to again be clear about my recent criticisms of Google. I am not a Google hater, and Google haters' hyperbole is not welcome on my social media threads. I've worked inside Google and I've only very rarely ever met a Googler I didn't like. Google's engineers, policy folks, lawyers, etc. are top notch. World class. Most of the program managers and technical program managers are great too. I put the blame for the continuing series of unforced errors at Google squarely on the executives in the C-suite. To be frank, while I certainly had policy disagreements with the founders, my feeling is that with the departure of Eric and later Larry and Sergey from day-to-day Google operations, the situation at Google rapidly turned downhill and is accelerating in that direction. I believe that Google is not hopeless, but in the current regulatory and increasingly toxic political environments, the window for positive change is rapidly closing.
You know that gesture in which you hold up your hand and gently rub your thumb and forefinger together, ostensibly a motion that resembles playing the world's smallest violin? Well, this is that. All I can say is "serves them goddamn right". Before embedded controllers and before the Internet and before the Internet of all the stupid things that have no damn business being connected to the Internet, there were torque-indicating and -limiting wrenches and screwdrivers an all kinds of purely mechanical tools that did a perfectly fine job of doing what these things do. In fact, I use them myself when doing engine assembly, and they've recently been joined by digital torque-angle wrenches—which *are* rather nicer than their purely mechanical predecessors, but still don't need to be "connected" either.
CNN reports that the UK Post Office is involved in a long-standing series of inaccuracies in a computerized accounting system used by small post offices. As reported in the article, there are significant questions relating to the qualification and testing of the system. While the technical questions are important, technical questions pale in comparison to the policy and management issues. Why were initial reports of accuracy issues not pursued? The legal issues are even more important. Legal consequences are far more consequential, whether civil or criminal. Lives can be ruined. Computerized records are only creditable when they tie back to the real world. That is why auditors regularly check physical inventories, to detect misappropriation and system inaccuracies. I have consulted on a number of litigation matters involving computerized accounting systems. Going back to basic technical auditing always allowed us to determine the accuracy/inaccuracy of the system. That the errors were not detected in multiple cases is extremely troubling and problematic. The CNN article can be found at: https://www.cnn.com/2024/01/13/business/uk-post-office-fujitsu-horizon-scandal/index.html
As far as I understand this limitation is intended to protect the pilots' personal integrity. The company should not be able to eavesdrop on the their conversations. In case of a (non-crash) incident, the pilots are supposed to pull the CVR circuit breaker after the event in order to protect the recording. This is occasionally forgotten. In this particular case I don't see that it would matter much to the investigation unless the pilots' handling of the emergency was in question.
I was shocked, shocked to see the snippet of code displayed in the article showing that the programmer used a GOTO statement. Haven't they heard that GOTO is considered harmful? [You can no longer tell that to Eiichi Goto, who was very active back when Edsger Dijkstra first published that statement in the CACM in 1968. PGN]
In case it's not obvious, CLEAR is a scam, a way to pay extra money to cut
ahead in the TSA line and slow everyone else down. It has nothing to to do
with improved security or simplified processes (that's TSA precheck), just
pay to go ahead of the proles:
https://slate.com/business/2022/12/clear-airports-line-tsa-precheck.html
Having said that, the face scanning genie left the bottle quite a long time
ago. I have NEXUS, which is similar to Global Entry, get approved as a low
risk traveler so you can go through immigration faster. (NEXUS does
everything Global Entry does and also works in Canada, and costs less. What
a deal.)
When I returned to the U.S. from Europe last year, at immigration I got into
the Global Entry line, walked up to a kiosk which took a picture of me,
showing a box around my face on its screen, then told me to proceed to
immigration. A guy there looked at me, said "You're John?" "Yup" "Anything
to declare?" "Nope"
And that was it. I didn't even have to use or tap my card.
There is a picture of me on my NEXUS card, and they know all the
Global/NEXUS holders who are arriving at the airport so they only have
to find me among that group. But it was still pretty creepy.
[Actually, you may be overstating the case by calling CLEAR a *scam*. For
frequent fliers who like to minimize time spent in line, it is a blessing,
and maybe worth the money. It is probably useful for people with
compromised immune systems who really need to avoid crowds. However, it
is clearly an elitist strategy. PGN]
[Is that elitist, like custom versions of ChatGPT earlier
in this issue? PGN]
Please report problems with the web pages to the maintainer