The RISKS Digest
Volume 34 Issue 10

Saturday, 16th March 2024

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

SFO-bound flight returns to Australia
Jordan Parker PGN-ed
Latam flight event
Jim Geissman
Boeing tells pilots to check seats after Latam plane
BBC
Alaska Airlines Flight Was Scheduled for Safety Check on Day Panel Blew Off
NYTimes
Hackers Breached Key Microsoft Systems
Sean Lyngaas
Microsoft AI engineer warns FTC about Copilot Designer safety concerns
The Verge
Cut submarine cables cause web outages across Africa; 6 countries still affected
ArsTechnica
McDonald's hit by outages at stores worldwide
BBC
McDonald's blames global outage on third party
BBC
Phony Billionaires on Facebook Are Scamming Americans Out of Their Life Savings
WashPost
Amid explosive demand, America is running out of power
WashPost
CISA hacked
Sean Lyngaas
Even a security expert can get phished
Pluralistic
Microsoft says Kremlin-backed hackers accessed its source and internal systems
ArsTechnica
Spate of Mock News Sites With Russian Ties Pop Up in U.S.
NYTimes
Autos are spying on drivers, feeding the info to insurance companies
NYTimes
Aescape's Robot-Arm-Powered Massage Table
WiReD
ATT outage under FCC investigation
WashPost
The AI-generated hell of the 2024 election
The Verge
New Hampshire voters sue Biden deepfake robocall creators
NBCNews
Google Restricts Gemini Chatbot Election Answers
Peter Hoskins
Robot Ships Are Setting Sail
BBC
Your Doctor's Office Might Be Bugged
Jesse Pines
AI Is Being Built on Dated, Flawed Motion-Capture Data
Julianne Pepitone
Researchers Jailbreak Chatbots with ASCII Art
Mark Tyson
Nvidia sued over AI training data as copyright clashes continue
ArsTechnica
Reports of DJI data breach turn out to be false apparently
Lauren Weinstein
Pornhub disables website in Texas amid legal battle with attorney general's office
NBCNews
Massively Popular Safe Locks Have Secret Backdoor Codes
Victor Miller
D-Wave Says Its Quantum Computers Can Solve Otherwise Impossible Tasks
Matthew Sparkes
Re: End-to-End Encryption under attack in Nevada
John Levine
Re: A Vending Machine Error Revealed Secret Face Recognition Tech
Steve Bacher
Re: comp.risks via Panix?
Steve Bacher
Re: More than 2 Million Research Papers Have Disappeared from the Internet
Martin Ward
Re: Risks of Leap Years and Dumb Digital Watches
Amos Shapir
Re: Risks of hype, ‘Keytrap’ DNS bug threatens widespread
John Levine
Info on RISKS (comp.risks)

SFO-bound flight returns to Australia (Jordan Parker)

Peter Neumann <neumann@csl.sri.com>
Fri, 15 Mar 2024 11:14:04 PDT

Jordan Parker, The San Francisco Chronicle, 14 Mar 2024 (Pi Day) [PGN-ed]


Latam flight event

“Jim” <jgeissman@socal.rr.com>
Mon, 11 Mar 2024 18:38:56 -0700

Boeing plane drops suddenly injuring several. Crew member quoted as saying the instruments briefly went black.

https://www.nzherald.co.nz/nz/nz-passenger-on-latam-flight-saw-man-with-blood-streaming-down-his-face/EXGL5PBCD5E2NBIUDFQZ76MYSQ/


Boeing tells pilots to check seats after Latam plane incident (BBC)

Matthew Kruk <mkrukg@gmail.com>
Fri, 15 Mar 2024 22:36:34 -0600

https://www.bbc.com/news/business-68580950

Boeing has told airlines operating 787 Dreamliners that pilots need to check their seats as an investigation into an incident on a Latam flight continues.

It comes after 50 people were hurt this week when a 787 dropped suddenly during a Latam Airlines flight.

The Wall Street Journal reported that a flight attendant accidentally hit a switch on the pilot's seat, which pushed the pilot into the controls, forcing down the plane's nose.


Alaska Airlines Flight Was Scheduled for Safety Check on Day Panel Blew Off (NYTimes)

Monty Solomon <monty@roscom.com>
Wed, 13 Mar 2024 09:28:02 -0400

https://www.nytimes.com/2024/03/12/us/politics/alaska-airlines-flight-door.html


Hackers Breached Key Microsoft Systems (Sean Lyngaas)

ACM TechNews <technews-editor@acm.org>
Mon, 11 Mar 2024 11:08:00 -0400 (EDT)

Sean Lyngaas, CNN, 8 Mar 2024, via ACM TechNews

Microsoft revealed that a breach of its systems by Russian state-backed hackers was more extensive than previously thought when first disclosed in January. Microsoft believes the hackers have used information stolen from Microsoft's corporate email systems to access “some of the company's source code repositories and internal systems,” the company said in a filing with the U.S. Securities and Exchange Commission. An accompanying blog post said the hacker group may be using the information it stole “to accumulate a picture of areas to attack and enhance its ability to do so.”


Microsoft AI engineer warns FTC about Copilot Designer safety concerns (The Verge)

Monty Solomon <monty@roscom.com>
Fri, 8 Mar 2024 00:40:24 -0500

https://www.theverge.com/2024/3/6/24092191/microsoft-ai-engineer-copilot-designer-ftc-safety-concerns


Cut submarine cables cause web outages across Africa; 6 countries still affected (ArsTechnica)

Monty Solomon <monty@roscom.com>
Sat, 16 Mar 2024 15:33:59 -0400

https://arstechnica.com/?p=2010677


McDonald's hit by outages at stores worldwide

Matthew Kruk <mkrukg@gmail.com>
Fri, 15 Mar 2024 06:47:42 -0600

https://www.cbc.ca/news/business/mcdonalds-outage-1.7144768

Many McDonald's stores in Japan stopped taking in-person and mobile customer orders because of the system disruption, a spokesperson at McDonald's Holdings Company Japan said, adding that the company was working to restore operations soon.

A McDonald's Australia spokesperson said they were also aware of a technology outage impacting its restaurants nationwide and were working to resolve this issue.

The company operates nearly 3,000 stores across Japan and roughly 1,000 in Australia, its websites for the regions show.


McDonald's blames global outage on third party (BBC)

Matthew Kruk <mkrukg@gmail.com>
Fri, 15 Mar 2024 13:24:27 -0600

https://www.bbc.com/news/business-68573106

McDonald's has revealed the technical problems which brought much of its fast food chain to a standstill on Friday were caused by a third party provider.

The international restaurant said the global outage happened during a “configuration change” and stopped stores taking orders in the UK, Australia and Japan—amongst others.

McDonald's stressed the issue was not caused by a cyberattack.


Phony Billionaires on Facebook Are Scamming Americans Out of Their Life Savings (WashPost)

Monty Solomon <monty@roscom.com>
Fri, 15 Mar 2024 23:29:10 -0400

A fake Bill Ackman, a bogus Cathie Wood and a false Steve Cohen are among the impersonators luring victims on social media, and their real-life counterparts can't keep up. ‘It’s like a game of whack-a-mole.’

https://www.wsj.com/tech/fake-bill-ackman-cathie-wood-scam-a8df6ce7


Amid explosive demand, America is running out of power (WashPost)

“Jim” <jgeissman@socal.rr.com>
Thu, 7 Mar 2024 11:23:27 -0800

An interesting example: airports will need vast electricity to charge the rental cars!

Artificial intelligence, data centers and the boom in clean-tech manufacturing are pushing America's aging power grid to the brink. Utilities can't keep up.

https://wapo.st/3IqeK6P


CISA hacked (Sean Lyngaas)

“Peter G. Neumann” <peter.neumann@sri.com>
Sat, 9 Mar 2024 09:44:00 -0800

https://www.cnn.com/2024/03/08/politics/top-us-cybersecurity-agency-cisa-hacked/index.html

Top US cybersecurity agency hacked and forced to take some systems offline

Sean Lyngaas <https://www.cnn.com/profiles/sean-lyngaas>

A federal agency in charge of cybersecurity discovered it was hacked last month and was forced to take two key computer systems offline, an agency spokesperson and US officials familiar with the incident told CNN.

One of the US Cybersecurity and Infrastructure Security Agency’s affected systems runs a program that allows federal, state and local officials to share cyber and physical security assessment tools, according to the US officials briefed on the matter. The other holds information on security assessment of chemical facilities, the sources said.

A CISA spokesperson said in a statement that “there is no operational impact at this time” from the incident and that the agency continues to “upgrade and modernize our systems.”

“This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience,” the spokesperson said, adding that the impact from the hack “was limited to two systems, which we immediately took offline.”

The two systems run on older technology that was already set to be replaced, sources told CNN.

Part of the Department of Homeland Security, CISA investigates cyber intrusions at federal agencies and advises private critical infrastructure firms on how to bolster their security.

The Record first reported on the hack. <https://therecord.media/cisa-takes-two-systems-offline-following-ivanti-compromise> It was not immediately clear who was behind the hack, but it occurred through vulnerabilities in popular virtual private networking software made by Utah-based IT firm Ivanti. For several weeks, CISA has urged federal agencies and private firms to update their software or take other defensive measures in response to widespread exploitation of Ivanti vulnerabilities by hackers.

Among the hackers exploiting the flaws are a Chinese group focused on espionage, private researchers have previously told CNN. <https://www.cnn.com/2024/01/10/politics/chinese-hackers-research-organization/index.html>

While there is some irony in it, even cybersecurity agencies or officials can be victims of hacking. After all, they rely on the same technology that others do. The U.S.’s top cybersecurity diplomat Nate Fick said last year that his personal account on social media platform X was hacked, calling it part of the “perils of the job.” <https://www.cnn.com/2023/02/05/politics/nate-fick-twitter-hack-cybersecurity/index.html>


Even a security expert can get phished (Pluralistic)

Anthony Thorn <anthony.thorn@atss.ch>
Fri, 15 Mar 2024 09:15:22 +0100

First-person account of someone who fell for a phishing scam,

https://pluralistic.net/2024/02/05/cyber-dunning-kruger/

“The fact that the fraudsters knew where I banked, knew my name, and had my phone number had really caused me to let down my guard.”

You are NOT paranoid when they really are after you (well, your money).


Microsoft says Kremlin-backed hackers accessed its source and internal systems (ArsTechnica)

Victor Miller <victorsmiller@gmail.com>
Sat, 9 Mar 2024 14:25:49 +0000

https://arstechnica.com/security/2024/03/microsoft-says-kremlin-backed-hackers-accessed-its-source-and-internal-systems/


Spate of Mock News Sites With Russian Ties Pop Up in U.S (NYTimes)

Lauren Weinstein <lauren@vortex.com>
Thu, 7 Mar 2024 14:54:22 -0800

https://www.nytimes.com/2024/03/07/business/media/russia-us-news-sites.html?unlocked_article_code=1.a00.QkKu.YLemQ0Rxkj5X&smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb


Autos are spying on drivers, feeding the info to insurance companies (NYTimes)

Lauren Weinstein <lauren@vortex.com>
Fri, 15 Mar 2024 10:19:24 -0700

https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html?unlocked_article_code=1.c00.2coE.yOfXipHA21Jp&smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb


Aescape's Robot-Arm-Powered Massage Table (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 15 Mar 2024 18:38:14 -0400

The Aescape has robot arms designed to deliver a custom spa-like massage, all for $60.

https://www.wired.com/story/hands-on-aescape-automated-massage/

What could go … wrong?


ATT outage under FCC investigation (WashPost)

“Jim” <jgeissman@socal.rr.com>
Thu, 7 Mar 2024 07:16:49 -0800

The Federal Communications Commission has opened a formal investigation into last month's nationwide AT&T outage that left millions of people without cellphone service for hours.

https://www.washingtonpost.com/business/2024/03/07/fcc-att-outage-investigation/


The AI-generated hell of the 2024 election (The Verge)

Monty Solomon <monty@roscom.com>
Tue, 12 Mar 2024 20:38:13 -0400

https://www.theverge.com/policy/24098798/2024-election-ai-generated-disinformation


New Hampshire voters sue Biden deepfake robocall creators (NBCNews)

Monty Solomon <monty@roscom.com>
Sat, 16 Mar 2024 15:05:34 -0400

Based on NBC News reporting, the League of Women Voters is suing the creators of a deepfake robocall impersonating Joe Biden that told voters not to vote.

https://www.nbcnews.com/politics/2024-election/new-hampshire-voters-sue-biden-deepfake-robocall-creators-rcna143662


Google Restricts Gemini Chatbot Election Answers (Peter Hoskins)

ACM TechNews <technews-editor@acm.org>
Fri, 15 Mar 2024 11:17:45 -0400 (EDT)

Peter Hoskins, BBC, 13 Mar 2024, via ACM TechNews

Google announced in a blog post it is limiting the types of election-related questions its Gemini chatbot can be asked. The restriction has been implemented in India, where elections will be held next month. BBC staff asked the AI chatbot questions about the upcoming elections in the U.S., U.K., and South Africa, to which Gemini responded, “I'm still learning how to answer this question. In the meantime, try Google Search.” Gemini provided more detailed responses when asked follow-up questions about India's major parties.


Robot Ships Are Setting Sail (BBC)

ACM TechNews <technews-editor@acm.org>
Fri, 8 Mar 2024 11:53:00 -0500 (EST)

Jonathan Amos, Rebecca Morelle, Alison Francis et al., BBC, 6 Mar 2024, via ACM TechNews

In Norway, U.S. and U.K. researchers at Ocean Infinity are testing a robotic ship equipped with cameras, microphones, radar, GPS, and satellite technology that eventually will be part of a fleet of 23 such vessels used to assess the seabed for offshore wind farm operators and perform underwater infrastructure inspections for oil and gas companies. The 255-foot ship has just 16 crew members, and that figure ultimately could decline further as more roles are performed remotely using gaming-like controls and touch screens. Reducing the number of crew members can allow for smaller ships that use less fuel and have a smaller carbon footprint.


Your Doctor's Office Might Be Bugged (Jesse Pines)

ACM TechNews <technews-editor@acm.org>
Fri, 8 Mar 2024 11:53:00 -0500 (EST)

Jesse Pines, Forbes, 4 Mar 2024, via ACM TechNews

More physician practices are implementing ambient AI scribing, in which AI listens to patient visits and writes clinical notes summarizing them. In a recent study of the Permanente Medical Group in Northern California, more than 3,400 doctors have used ambient AI scribes in more than 300,000 patient encounters since October. Doctors reported that the technology reduced the amount of time spent on after-hours note writing and allowed for more meaningful patient interactions. However, its use raises concerns about security, privacy, and documentation errors.


AI Is Being Built on Dated, Flawed Motion-Capture Data (Julianne Pepitone)

ACM TechNews <technews-editor@acm.org>
Fri, 8 Mar 2024 11:53:00 -0500 (EST)

Julianne Pepitone, IEEE Spectrum, 1 Mar 2024, via ACM TechNews

A study by a University of Michigan-led research team found that the motion-capture data used to design some AI-based applications is flawed and could endanger users outside the parameters of the preconceived “typical” body type. The benchmarks and standards used by developers of fall detection algorithms for smartwatches and pedestrian-detection systems for self-driving vehicles, among other technologies, do not include representations of all body types. In a systemic literature review of 278 studies as far back as the 1930s, the researchers found that the data captured for most motion-capture systems were from white able-bodied men “of unremarkable weight.” Some studies used data from dismembered cadavers.


Researchers Jailbreak Chatbots with ASCII Art (Mark Tyson)

ACM TechNews <technews-editor@acm.org>
Mon, 11 Mar 2024 11:08:00 -0400 (EDT)

Mark Tyson, Tom's Hardware, 7 Mar 2024, via ACM TechNews

ArtPrompt, developed by researchers in Washington and Chicago, can bypass large language models' (LLMs) built-in security features. The tool generates ASCII art prompts to get AI chatbots to respond to queries they are supposed to reject, like those referencing hateful, violent, illegal, or harmful content. ArtPrompt replaces the “safety word” (the reason for rejecting the submission) with an ASCII art representation of the word, which does not trigger the ethical or security measures that would prevent a response from the LLM.


Nvidia sued over AI training data as copyright clashes continue (ArsTechnica)

Monty Solomon <monty@roscom.com>
Wed, 13 Mar 2024 01:49:15 -0400

https://arstechnica.com/?p=2009239


Reports of DJI data breach turn out to be false (apparently actually a scam)

Lauren Weinstein <lauren@vortex.com>
Fri, 8 Mar 2024 07:48:00 -0800

There were reports of a massive DJI data breach involving corporate and customer data. Apparently no such breach has occurred, and the original claims of stolen data were reportedly part of an effort to get ransom paid for a database of stolen data that did not actually exist. -L


Pornhub disables website in Texas amid legal battle with attorney general's office (NBCNews)

Monty Solomon <monty@roscom.com>
Sat, 16 Mar 2024 15:14:30 -0400

“Unfortunately, the Texas law for age verification is ineffective, haphazard, and dangerous,” a statement on Pornhub's website read.

https://www.nbcnews.com/tech/pornhub-disables-website-texas-rcna143502


Massively Popular Safe Locks Have Secret Backdoor Codes

Victor Miller <victorsmiller@gmail.com>
Wed, 13 Mar 2024 15:40:26 +0000

Not exactly computing related, but still of interest.

https://www.404media.co/massively-popular-safe-locks-have-secret-backdoor-codes/


D-Wave Says Its Quantum Computers Can Solve Otherwise Impossible Tasks (Matthew Sparkes)

ACM TechNews <technews-editor@acm.org>
Mon, 11 Mar 2024 11:08:00 -0400 (EDT)

Matthew Sparkes, New Scientist, 7 Mar 2024, via ACM TechNews

D-Wave is claiming its Advantage quantum computer and prototype Advantage2 achieved “computational supremacy” by calculating transverse field Ising model problems faster than the world's most powerful classical computer. D-Wave researchers contend it would take millions of years for the Frontier supercomputer to solve the same problems. D-Wave's “quantum annealing” computers differ from quantum computers produced by others, and have been criticized as only being able to solve certain classes of optimization problem.


Re: End-to-End Encryption under attack in Nevada (RISKS-34.09)

“John Levine” <johnl@iecc.com>
8 Mar 2024 19:18:58 -0400

It's more a failure of imagination. If your mental model of security is telephone wiretaps, asking for crypto backdoors seems like the same thing.

I blogged about this a few years ago: https://jl.ly/Internet/catastrophe.html

PS: bonus points to anyone who recognizes the reference in the title


Re: A Vending Machine Error Revealed Secret Face Recognition Tech (RISKS-34.09)

Steve Bacher <sebmb1@verizon.net>
Fri, 8 Mar 2024 10:49:50 -0800

> The risks? Error messages. Like airport displays, billboards, etc.
> showing fatal Windows errors.

Also, the risk of naming your software components too transparently.

These are risks to the perpetrators, not to the consumer population. Perhaps they should be considered blessings.


Re: comp.risks via Panix? (RISKS-34.09)

Steve Bacher <sebmb1@verizon.net>
Fri, 8 Mar 2024 09:03:17 -0800

You may also view the comp.risks newsgroup via the NovaBBS (RockSolid) web interface:

https://www.novabbs.com/computers/thread.php?group=comp.risks

Also note that if you replace http: with https: in the catless link, it will run into the expired cert problem. This is one case where the insecure version is to be preferred, at least for now.


Re: More than 2 Million Research Papers Have Disappeared from the Internet (RISKS-34.09)

Martin Ward <mwardgkc@gmail.com>
Sat, 9 Mar 2024 18:44:53 +0000

I am guessing that they do not count Sci-Hub as a “major digital archive” since Sci-Hub currently has 77.8% coverage of 51 million journal articles and 79.7% of 5 million proceedings articles:

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5832410/


Re: Risks of Leap Years and Dumb Digital Watches (RISKS-34.09)

Amos Shapir <amos083@gmail.com>
Thu, 14 Mar 2024 12:16:53 +0200

I don't know why those dumb watches were even made in the first place; I had a Seiko watch which had a year counter back in the late 1970's.

However, those less-dumb watches use only the last digits of the year to track Feb. 29 every four years, a formula which would break on March 1, 2100.
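The two-digit-year rule described above, stepped day by day against the Gregorian rule to locate the first disagreement. This is an added illustration, not code from the post or from any watch firmware; the watch model, function names and the 2024 start date are assumptions.

```python
"""Two-digit-year leap rule vs. the Gregorian rule (constructed example).

Added example, not code from the post. It models a watch that decides
Feb 29 by "year divisible by 4" (all that two year digits can tell it)
next to the real calendar rule, and finds the first day they disagree.
"""

MONTH_DAYS = [31, 28, 31, 30, 31, 30, 31, 31, 30, 31, 30, 31]


def watch_is_leap(year):
    # Only the last two digits are available to the watch: every fourth
    # year gets a Feb 29, with no century exception at all.
    return (year % 100) % 4 == 0


def gregorian_is_leap(year):
    # Century years are leap years only when divisible by 400.
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)


def next_day(ymd, is_leap):
    """Advance a (year, month, day) tuple by one day under a given leap rule."""
    year, month, day = ymd
    days = 29 if (month == 2 and is_leap(year)) else MONTH_DAYS[month - 1]
    if day < days:
        return (year, month, day + 1)
    if month < 12:
        return (year, month + 1, 1)
    return (year + 1, 1, 1)


def first_divergence(start=(2024, 1, 1), stop_year=2200):
    """Step both calendars one day at a time from `start` (assumed set date).

    Returns the first (watch_date, real_date) pair that disagrees, or None
    if the two still agree when the real calendar reaches stop_year.
    """
    watch = real = start
    while real[0] < stop_year:
        watch = next_day(watch, watch_is_leap)
        real = next_day(real, gregorian_is_leap)
        if watch != real:
            return watch, real
    return None


def drift_days(as_of_year, start_year=2024):
    """Days the watch is ahead of the real calendar on 1 Jan of as_of_year:
    one extra day for every century year it wrongly treated as leap."""
    return sum(1 for y in range(start_year, as_of_year)
               if watch_is_leap(y) != gregorian_is_leap(y))


if __name__ == "__main__":
    print("first disagreement (watch, real):", first_divergence())
    for year in (2101, 2201, 2301, 2401):
        print(f"drift on 1 Jan {year}: {drift_days(year)} day(s)")
```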


Re: Risks of hype, ‘Keytrap’ DNS bug threatens widespread Internet outages (RISKS-34.09)

“John Levine” <johnl@iecc.com>
9 Mar 2024 15:53:00 -0500

Keytrap is a real bug but it's been grossly overhyped. Yes, specially created DNS responses can cause a naive DNS cache to do a huge amount of work, but there's nothing new about that. A CNAME loop can do that, too.

This particular trick has been possible since the current version of DNSSEC was defined 20 years ago. The fact that nobody ever noticed it until late 2023 suggests that it was never that bad, and now that all of the widely used cache software has added it to the list of things to limit it's a non-issue.

ISC wrote a good blog post about keytrap and the general issue of DNS scalability: https://www.isc.org/blogs/2024-bind-security-release/
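The cost blowup described above, modelled as an added example: a naive validator trying every signature against every same-tag key, a looping CNAME chain, and the per-query work budget that caps both. This is constructed illustration code, not code from the post, from ISC or from any real resolver; the budget values, record names and the stand-in signature check are assumptions.

```python
"""Constructed resolver work-budget model for the Keytrap-style cost blowup.

Added example, not code from the post, from ISC or from any real resolver.
It models the two cases the post names: a crafted DNSKEY/RRSIG set that
makes a naive validator try every (signature, key) pair, and a CNAME loop.
Budgets, names and the stand-in verify function are assumptions; real
caches expose their own limits under their own option names.
"""


class WorkBudgetExceeded(Exception):
    """Raised when a single query would cost more than the cache allows."""


def verify_signature(sig: str, key: str) -> bool:
    # Stand-in for an RSA/ECDSA check, the expensive step in a real validator.
    # In this constructed data a signature validates against exactly one key.
    return sig == f"sig-for-{key}"


def validate_rrset(sigs, keys, max_checks=None):
    """Try each RRSIG against every candidate DNSKEY.

    In the Keytrap setting all keys carry the same key tag, so the tag
    filter prunes nothing and a naive validator performs
    len(sigs) * len(keys) signature checks before giving up.
    Returns (validated, checks_performed); raises once max_checks is exceeded.
    """
    checks = 0
    for sig in sigs:
        for key in keys:
            checks += 1
            if max_checks is not None and checks > max_checks:
                raise WorkBudgetExceeded(
                    f"{checks} signature checks for one RRset; answering SERVFAIL")
            if verify_signature(sig, key):
                return True, checks
    return False, checks


def within_budget(sigs, keys, max_checks):
    """True when the RRset is validated or rejected inside the budget."""
    try:
        validate_rrset(sigs, keys, max_checks)
        return True
    except WorkBudgetExceeded:
        return False


def resolve_cname(name, cname_records, max_hops=8):
    """Follow a CNAME chain to its final target, capping the hop count.

    cname_records maps owner name -> CNAME target. A loop (a -> b -> a)
    never terminates without the cap; a hop limit is the usual defence.
    """
    hops = 0
    while name in cname_records:
        hops += 1
        if hops > max_hops:
            raise WorkBudgetExceeded(f"CNAME chain longer than {max_hops} hops")
        name = cname_records[name]
    return name, hops


if __name__ == "__main__":
    # Constructed hostile DNSKEY RRset: 40 same-tag keys, 40 bogus signatures.
    keys = [f"key-{i}" for i in range(40)]
    bogus = [f"bogus-{i}" for i in range(40)]
    print("naive validator:", validate_rrset(bogus, keys))  # (False, 1600)
    print("within 16-check budget:", within_budget(bogus, keys, 16))
    loop = {"a.example.": "b.example.", "b.example.": "a.example."}
    try:
        resolve_cname("a.example.", loop)
    except WorkBudgetExceeded as err:
        print("capped:", err)
```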
