The RISKS Digest
Volume 34 Issue 12

Monday, 1st April 2024

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Two major losses
PGN
America's Nuclear War Plan in the 1960s Was Utter Madness. It Still Is.
Mother Jones
FDA Warning Links Heart Pump to Deaths (Christina Jewett)
NYTimes
Ransomware Attack Against UnitedHealth Shows Flaws in Cybersecurity Persist
NYTimes
Iowa fertilizer spill kills 750K fish in Iowa and Missouri over 60-mile stretch of rivers
NYTimes
Red Hat Fedora 41 hacked
Tom Van Vleck
Unpatchable vulnerability in Apple chip leaks secret encryption keys
ArsTechnica via Gabe Goldberg
The race between positive and negative applications of Generative AI is on — and not looking pretty
Gary Marcus via Gabe
U.S. Military's Investments into AI Skyrocket
Will Henshall
AI bots hallucinate software packages and devs download them
Steve Bacher via The Register
OpenAI Reveals but Will Not Release Human Voice Cloning Feature
WSJ
The Online Degradation of Women and Girls That We Meet With a Shrug
The New York Times
America's first biometric ‘smart gun’ is finally here. Will it work?
SmartGun
Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds
WiReD
AT&T Resets Millions of Passcodes After Customer Records Are Leaked
Jan Wolitzky
Time for Social Engineering Training
Kingfish1935 via Ben Moore
Internet Age Verification schemes—e.g., Florida's new law
Lauren Weinstein
Scientists aghast at bizarre AI rat with huge genitals in peer-reviewed article
ArsTechnica
Israel Deploys Expansive Facial Recognition Program in Gaza
NYTimes
Facebook snooped on users' Snapchat traffic in secret project, documents reveal
TechCrunch
Elon Musk's Starlink Terminals Are Falling Into the Wrong Hands?
Henry Baker
Explanations of Australian emergency phone number failure
John Colville
Info on RISKS (comp.risks)

Two major losses

Peter Neumann <neumann@csl.sri.com>
Sat, 30 Mar 2024 9:02:31 PDT

Ross Anderson https://twitter.com/duncan_2qq/status/1773752269395099774 https://alecmuffett.com/article/109513

From Ross's University of Cambridge: Ross pioneered the field of security engineering. Our students were very fortunate to learn from him over the last few years. In fact, he gave 2 seminars just last Wednesday. He researched many topics within computer science including cryptology, steganography, dependability, security economics, adversarial machine learning and more. Ross also used his position as a researcher to actively advocate for a more secure world. This included championing individual privacy rights, research into payments security in developing countries, and protecting vulnerable people from scams. On a personal level, he will be greatly missed by students and staff.

Dan Lynch https://www.nytimes.com/2024/03/31/technology/daniel-c-lynch-dead.html?unlocked_article_code=1.hE0.tCVR.8ASMr_sTSh3W&smid=url-share

Dan's era was long before Ross's. Lauren Weinstein had this note: Dan Lynch, one of the key people involved in building the Internet and ARPANET before it, has died. Dan was director of computing facilities at SRI International, where ARPANET node #2 was located. He worked on development of TCP/IP, and where the first packets were received from our site at UCLA node #1 to SRI, and later at USC-ISI led the team that made the transition from the original ARPANET NCP protocols to TCP/IP for the Internet. And much more. https://www.internethalloffame.org/inductee/dan-lynch/

Both of them were major figures in their respective eras, and wonderful friends, Ross much too young at 67, Dan at 82.


America's Nuclear War Plan in the 1960s Was Utter Madness. It Still Is. (Mother Jones)

Gabe Goldberg <gabe@gabegold.com>
Thu, 28 Mar 2024 13:11:21 -0400

We rarely consider the dangers these days, but our existence depends on it.

Nuclear war is the only scenario other than an asteroid strike that could end civilization in a matter of hours. The soot from burning cities and forests will blot out the sun and cause a nuclear winter. Agriculture will fail. State-of-the-art climate modeling predicts five billion humans will die. In the words of Nikita Khrushchev, “the survivors will envy the dead.”

https://www.motherjones.com/politics/2024/03/nuclear-war-scenario-book-siop-weapons-annie-jacobsen/


FDA Warning Links Heart Pump to Deaths (Christina Jewett)

Peter Neumann <neumann@csl.sri.com>
Sat, 30 Mar 2024 12:07:54 PDT

Christina Jewett, The New York Times, 30 Mar 2024

A troubled Impella heart pump that has now been linked to 49 deaths and dozens of injuries worldwide will be allowed to remain in use, despite the FDA's decision to issue an alert about the risk that it could puncture a wall of the heart.

The FDA said Abiomed (the manufacturer of the device) should have notified the agency more than two years ago, when the company first posted an update on its website about the perforation risk. [Abiomed was then acquired by Johnson and Johnson in 2022.] [Half-page article PGN-ed]

“To say that you're addressing 49 deaths by saying ‘be careful’ is not addressing the problem at all.” Rita Redberg, UCSF cardiologist and professor.


Ransomware Attack Against UnitedHealth Shows Flaws in Cybersecurity Persist (NYTimes)

Peter Neumann <neumann@csl.sri.com>
Sat, 30 Mar 2024 18:23:42 PDT

Reed Ableson and Margot Sanger-Katz, The New York Times, 30 Mar 2024

The recent cyberattack on the billing and payment colossus Change Healthcare (Making Change as well as Changing Healthcare?) revealed just how serious the vulnerabilities are throughout the U.S. healthcare system, and alerted industry leaders and policymakers to the urgent need for better digital security.


Iowa fertilizer spill kills 750K fish in Iowa and Missouri over 60-mile stretch of rivers (NYTimes)

Peter Neumann <neumann@csl.sri.com>
Sat, 30 Mar 2024 14:44:31 PDT

Mitch Smith and Catrin Einhorn (The New York Times, 30 Mar 2024)

Single valve left open over a weekend. Lessons from our RISKS community need to be practiced elsewhere. Flow control Systems? Probably none. Monitoring? Probably none. Diagnostics? Probably none. Risks to human and other lives? Rampant.


Red Hat Fedora 41 hacked

Tom Van Vleck <thvv@multicians.org>
Fri, 29 Mar 2024 15:16:48 -0400

Red Hat Fedora 41 had a backdoor installed. The latest version of the “xz” compression tools and libraries had malicious code inserted that appears to attack SSH authentication. CVE-2024-3094

Some details at https://www.openwall.com/lists/oss-security/2024/03/29/4


Unpatchable vulnerability in Apple chip leaks secret encryption keys (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Sun, 24 Mar 2024 18:18:12 -0400

Are these exotic/esoteric threats meaningful in the real non-high-value-target world?

How is it weaponized?

The attack, which the researchers have named GoFetch <https://gofetch.fail/>, uses an application that doesn't require root access, only the same user privileges needed by most third-party applications installed on a macOS system. M-series chips are divided into what are known as clusters. The M1, for example, has two clusters: one containing four efficiency cores and the other four performance cores. As long as the GoFetch app and the targeted cryptography app are running on the same performance cluster — even when on separate cores within that cluster — GoFetch can mine enough secrets to leak a secret key. […]

End users who are concerned should check for GoFetch mitigation updates that become available for macOS software that implements any of the four encryption protocols known to be vulnerable. Out of an abundance of caution, it's probably also wise to assume, at least for now, that other cryptographic protocols are likely also susceptible.

https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/

…so attacker must get malware installed, THEN it gathers data, THEN it exfiltrates it?


Unpatchable vulnerability in Apple chip leaks secret encryption keys

Gabe Goldberg <gabe@gabegold.com>
Sun, 24 Mar 2024 18:55:47 -0400

Well, friend answered:

Cloud is a big issue here, since you may be running on a CPU with other customers.

Lots of threats are relatively low-risk; the thing is, those risks can be additive. I forget who, but someone talks about a “Swiss cheese model”: you take a bunch of minor risks, each of which is a small hole in the cheese, and sometimes they line up, leaving a hole all the way through. Those of you who have read /Normal Accidents/ will recognize this failure chain concept.

So yeah, MY machines aren't running other folks' stuff, or unvetted applications, so I probably don't care. But your bank might be (yes, banks are doing cloud too, more fools they. …)


The race between positive and negative applications of Generative AI is on — and not looking pretty

“Gabe Goldberg” <gabe@gabegold.com>
Fri, 29 Mar 2024 16:13:02 -0400

Let's look at the race itself first. Opinions could vary, but in my opinion, the race is not going great. On the one hand, we have big promises for AI helping in domains like medicine, and computer programming, but the inherent unreliability in these systems is deeply worrisome. An example in a story I just saw that could unravel some of the gains in programming is this: […]

From a security perspective, that's terrifying. If lots of code gets written, fast, but that code is riddled with security problems, the net advantage on the positive side of the ledger may be less than anticipated. As noted here before, one study indicates that code quality is going down.

https://garymarcus.substack.com/p/the-race-between-positive-and-negative


U.S. Military's Investments into AI Skyrocket (Will Henshall)

ACM TechNews <technews-editor@acm.org>
Mon, 1 Apr 2024 11:09:41 -0400 (EDT)

Will Henshall, Time, 29 Mar 2024, via ACM TechNews

The Brookings Institution reported a nearly 1,200% surge in the potential value of AI-related U.S. government contracts, from $355 million in the year ending in August 2022 to $4.6 billion in the year ending in August 2023. The U.S. Department of Defense accounted for the majority of the total, with $557 million committed by the agency to AI-related contracts, rising to $4.3 billion if each contract were extended to its fullest terms.


AI bots hallucinate software packages and devs download them

Steve Bacher <sebmb1@verizon.net>
Sat, 30 Mar 2024 06:57:29 -0700

Simply look out for libraries imagined by ML and make them real, with actual malicious code. No wait, don't do that.

https://www.theregister.com/2024/03/28/ai_bots_hallucinate_software_packages/


OpenAI Reveals but Will Not Release Human Voice Cloning Feature

“Peter G. Neumann” <peter.neumann@sri.com>
Mon, 1 Apr 2024 08:42:23 -0700

https://www.wsj.com/tech/ai/openai-reveals-audio-feature-that-clones-human-voices-30f066ea?st=765urbqcxvhpuxs&reflink=desktopwebshare_permalink


The Online Degradation of Women and Girls That We Meet With a Shrug

Monty Solomon <monty@roscom.com>
Sat, 23 Mar 2024 11:20:13 -0400

https://www.nytimes.com/2024/03/23/opinion/deepfake-sex-videos.html


America's first biometric ‘smart gun’ is finally here. Will it work?

Steve Bacher <sebmb1@verizon.net>
Sat, 23 Mar 2024 16:00:52 -0700

*Biofire says its gun will be in people's hands this month. The company has walked a careful line to avoid blowback from the gun-rights movement*

The company behind America's first biometric “smart gun” — one that fires only when gripped by authorized users — will face a crucial test in the coming weeks.

After decades of failed attempts by other manufacturers to bring a reliable smart gun to market, Biofire, a Colorado-based startup, says it's shipping its first batch of 9 mm handguns equipped with fingerprint and facial-recognition technology by the end of the month. The company's smart gun is designed to serve a very specific purpose: a weapon that can be quickly accessed to defend against a home intruder, but that can't be used by anyone unauthorized, particularly children.

As Biofire markets its gun to firearm enthusiasts and skeptics alike, the company is walking a careful line to avoid the massive blowback from the gun-rights movement that derailed previous iterations of smart guns.

Gun control advocates have long seen biometric technology as a game changer for reducing gun violence, and Biofire has drawn their praise by emphasizing safety and the need to prevent children from accessing guns. At the same time, the company has built ties with the gun industry and opposes any government mandates <https://smartgun.com/explore/videos/biofire-s-stance-on-mandates> to require biometric features in guns, trying to head off fears that the technology is a Trojan horse for gun control.

So far, Biofire's approach has been received with a mix of cautious optimism, curiosity and distrust. But the most important question won't be fully answered until the gun is in people's hands: Does it really work? […]

https://www.nbcnews.com/news/us-news/biofire-smart-gun-biometric-safety-rcna143637


Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 24 Mar 2024 01:40:37 -0400

The company behind the Saflok-brand door locks is offering a fix, but it may take months or years to reach some hotels.

https://www.wired.com/story/saflok-hotel-lock-unsaflok-hack-technique


AT&T Resets Millions of Passcodes After Customer Records Are Leaked

Jan Wolitzky <jan.wolitzky@gmail.com>
Sat, 30 Mar 2024 19:49:43 -0400

The telecommunications giant AT&T announced on Saturday that it had reset the passcodes of 7.6 million customers after it determined that compromised customer data was released on the dark web. “Our internal teams are working with external cybersecurity experts to analyze the situation. To the best of our knowledge, the compromised data appears to be from 2019 or earlier and does not contain personal financial information or call history.” […]

https://www.nytimes.com/2024/03/30/business/att-passcodes-reset-data-breach.html


Time for Social Engineering Training

Ben Moore <ben.moore@juno.com>
Tue, 26 Mar 2024 21:55:34 -0500

Based on a spoofed e-mail, a county comptroller paid $2.7 million to a man with a thick Middle-Eastern accent in Germany. I think it's time for a little social engineering training.

https://kingfish1935.blogspot.com/2024/03/madison-county-scammed-out-of-27-million.html


Internet Age Verification schemes—e.g., Florida's new law

Lauren Weinstein <lauren@vortex.com>
Mon, 25 Mar 2024 17:35:54 -0700

It's important to understand that “age verification” schemes being passed by states, ostensibly to “protect the children”, won't do that and will bring about incredible abuses.

In order to age verify children, obviously EVERYBODY of any age must be verified, for every account, under every name or pseudonym, ultimately on every site no matter how public or private the topic, and before downloading any apps.

Children will find ways to work around this. They'll use the accounts of adults, which will be openly traded. But because these age verification systems must by definition be based on government IDs, the verification process creates a linkage between your account names and your actual identity, subjecting you to all manner of leaked personal information, government abuses (think MAGA in charge), and worse. Firms will claim their systems either don't keep this data or can't be abused. History strongly suggests otherwise, and when courts step in, those firms will have to do what the courts say, often in secret, when it comes to collecting data.

Age verification is in actuality a massive Chinese-style Internet identity tracking project—nothing less—and there are many politicians in the U.S. who look with envy at how China controls their Internet and keeps their Internet users under police state controls. -L


Scientists aghast at bizarre AI rat with huge genitals in peer-reviewed article

Steve Bacher <sebmb1@verizon.net>
Sun, 31 Mar 2024 06:55:02 -0700

It's unclear how such egregiously bad images made it through peer-review.

https://arstechnica.com/science/2024/02/scientists-aghast-at-bizarre-ai-rat-with-huge-genitals-in-peer-reviewed-article/


Israel Deploys Expansive Facial Recognition Program in Gaza (The New York Times)

Jan Wolitzky <jan.wolitzky@gmail.com>
Wed, 27 Mar 2024 07:14:27 -0400

The experimental effort, which has not been disclosed, is being used to conduct mass surveillance of Palestinians in Gaza, according to military officials and others.

The facial recognition program, which is run by Israel's military intelligence unit, including the cyber-intelligence division Unit 8200, relies on technology from Corsight, a private Israeli company, four intelligence officers said. It also uses Google Photos, they said. Combined, the technologies enable Israel to pick faces out of crowds and grainy drone footage.

https://www.nytimes.com/2024/03/27/technology/israel-facial-recognition-gaza.html?unlocked_article_code=1.f00.UuRb.B3-bbKoxaWrf&smid=url-share


Facebook snooped on users' Snapchat traffic in secret project, documents reveal (TechCrunch)

Lauren Weinstein <lauren@vortex.com>
Tue, 26 Mar 2024 14:24:10 -0700

https://techcrunch.com/2024/03/26/facebook-secret-project-snooped-snapchat-user-traffic/


Elon Musk's Starlink Terminals Are Falling Into the Wrong Hands?

Henry Baker <hbaker1@pipeline.com>
Tue, 26 Mar 2024 14:34:52 +0000

For many years in the 1970's, a (physical) bulletin board at MIT's AI Lab had an article posted with the headline ‘ARPAnet accused of transmitting data’.

I'm sure that there must have been many articles in the 1920's with the headline ‘Henry Ford's Automobiles are Falling into Criminal Hands’, and many articles in the 1700's with the headline ‘Johannes Gutenberg's Printing Presses are falling into Papist Hands’.

https://www.freep.com/story/money/cars/ford/2019/02/09/bonnie-clyde-chestnut-barrow-ford/2812888002/

“I have drove Fords exclusively when I could get away with one.” signed “Yours truly Clyde Champion Barrow.” [of ‘Bonnie & Clyde’ fame]

Criminals breathe air, drink water, eat food, use the telephone, drive the roads, etc.,—in short—they utilize everything that non-criminals do in order to commit their crimes. But restricting access to air, water, food, etc., hurts everyone a lot more than it hurts criminals—we cut off our nose to spite our face.

Once again, be very, very, very careful what you wish for when you start to regulate technology that everyone wants (and needs) to use.

https://www.yahoo.com/news/elon-musk-starlink-terminals-falling-210028713.html

Elon Musk's Starlink Terminals Are Falling Into the Wrong Hands

Bruce Einhorn, Loni Prinsloo, Marissa Newman and Simon Marks
Mon, March 25, 2024 at 2:00 PM PDT

(Bloomberg)—SpaceX's Starlink touts its high-speed internet as “available almost anywhere on Earth.” In the real world, its reach extends to countries where Elon Musk's satellite-enabled service has no agreement to operate, including territories ruled by repressive regimes.

A Bloomberg News investigation identified wide-spanning examples of Starlink kits being traded and activated illegally. How they are smuggled and the sheer availability of Starlink on the black market suggests that its misuse is a systemic global problem, raising questions about the company's control of a system with clear national security dimensions.

In Yemen, which is in the throes of a decade-long civil war, a government official conceded that Starlink is in widespread use. Many people are prepared to defy competing warring factions, including Houthi rebels, to secure terminals for business and personal communications, and evade the slow, often censored internet service that's currently available.

Or take Sudan, where a year-long civil war has led to accusations of genocide, crimes against humanity and millions of people fleeing their homes. With the regular internet down for months, soldiers of the paramilitary Rapid Support Forces are among those using the system for their logistics, according to Western diplomats.

“It is deeply concerning because it's unregulated and headed by a private company,” Emma Shortis, a senior researcher in international and security affairs at the Australia Institute, an independent think tank in Canberra, said of the Starlink system. “There's no accountability on who has access to it and how it's being used.”

Starlink delivers broadband Internet beamed down from a network of roughly 5,500 satellites that SpaceX started deploying in 2019. With some 2.6 million customers already, Starlink has the potential to become a major moneymaker for SpaceX, a company that began as Musk's way to fulfill his dream of exploring Mars and has now become the most important private-sector contractor to the US government's space program and a dominant force in national security.

Musk, until recently the world's richest person, has said there will be a cap to how much money SpaceX's launch services business will make, while Starlink could eventually reach revenue of $30 billion a year. Starlink plans to launch tens of thousands of additional satellites to connect places that are too remote for ground-based broadband or that have been cut off by natural disasters or conflict.

But given the security concerns around a private American company controlling Internet service, SpaceX first needs to strike agreements with governments in each territory. Where there are none, people are “proceeding to use Starlink without the proper coverage—that is quite illegal and of course should not be allowed, but it's difficult to control and manage,” said Manuel Ntumba, an Africa geospatial, governance and risk expert based in New York.

In central Asia, where Starlink deals are rare, a government crackdown on illicit terminals in Kazakhstan this year has barely made a dent on its use. All it did was lead to higher prices on the black market, according to a trader who imports the gear and who didn't want to speak publicly for fear of retribution. Prior to the government intervention, customers were able to buy the company's equipment and have it shipped via the local postal service, the trader said.

SpaceX didn't respond when asked to comment on a written list of questions submitted on Thursday. “If SpaceX obtains knowledge that a Starlink terminal is being used by a sanctioned or unauthorized party, we investigate the claim and take actions to deactivate the terminal if confirmed,” the company said in a post on X in February.

The growing black market for Starlink has emerged in regions with patchy connectivity, where the allure of high speed, dependable Internet in an easy-to-use package is strong for businesses and consumers alike.

In many ways, it's Starlink's effectiveness as a communications tool that has made it such a sensitive matter. The US military is a customer: The Air Force has been testing terminals in the Arctic, calling them *reliable and high-performance*.

Those same properties made it vital to Ukraine's military in its defense against invading Russian forces. SpaceX provided the technology to Kyiv in the early days of Russia's invasion, and Starlink has since become crucial to the Ukrainian communications infrastructure. The US Department of Defense later struck a deal with Starlink to supply Ukraine with equipment, the terms of which were not made public.

Then in February of this year, Ukraine said that Russia was deploying Starlink in its own war efforts, while unverified posts on X, Musk's social network, appeared to show Russian soldiers unpacking kits. Two House Democrats wrote a letter to SpaceX President Gwynne Shotwell pressing her on Ukraine's claims. “To the best of our knowledge, no Starlinks have been sold directly or indirectly to Russia,” Musk wrote on X.

It's the uncertainty about where the satellite dishes are landing that has security officials around the world concerned.

Starlink kits are being sold for use in Venezuela, where individuals and entities have been subject to US sanctions for almost a decade, most recently under President Nicolas Maduro's authoritarian rule. A map of coverage areas on Starlink's website shows the South American nation blacked out. Yet social media ads promote package deals for Starlink equipment, which is widely available and admired for its reliability and portability in a country of isolated cattle ranches and gold mines.

SpaceX should be able to prevent Russian use of Starlink in occupied Ukraine, since “basically every single transmitter can be identified,” said Candace Johnson, director at NorthStar Earth & Space Inc., a Montreal company that in January successfully launched four satellites—on a rocket from SpaceX competitor Rocket Lab USA Inc.—to identify and track objects in space.

“There needs to be more accountability: to your country, to your company, to your shareholders, to your stakeholders,” said Johnson, who is also a partner with Seraphim Capital, a venture-capital firm that invests in space startups.

In North Africa, Starlink's use in Sudan shows how terminals arrive in a country subject to international sanctions. There has been no Internet in Sudan since early February. Both the Sudanese Armed Forces and Rapid Support Forces have blamed each other for cutting the service while the CEO of Zain Sudan, a mobile operator, said his company's engineers had been prevented from reaching parts of the country to reconnect the network due to insecurity and a lack of fuel.

To bypass the blackout, members of the RSF and local business owners have smuggled Starlink devices into Sudan's Darfur region using an organized network that registered the units in Dubai before transporting them into Uganda by airplane and then by road to Sudan via South Sudan, according to interviews with Western diplomats and business owners using the devices.

Gold miners in remote areas along the borders of South Sudan and the Central African Republic were provided with Starlink services even prior to the war by traders working in South Darfur's Nyala City. Starlink says on its website that a “service date is unknown at this time” for Sudan.

Haroun Mohamed, a trader in Nyala who transports goods across the border to Chad and South Sudan, said the use of Starlink by RSF soldiers and civilians was widespread. “Ever since the eruption of war in Darfur, a lot of people are bringing in Starlink devices and use it for business. People are paying between $2 or $3 per hour, so it's very good business.”

In South Africa, where Musk was born, the government hasn't yet approved Starlink's application to operate. But that hasn't prevented a flourishing trade in terminals there. Facebook groups feature providers that offer to buy and activate the kits in Mozambique, where it is licensed, and then deliver them over the border to South African customers.

There were enough users of the service in the country as of Nov. 28 that the regulator felt the need to issue a statement reminding people that Starlink has no license for South Africa. Unlawful use could result in fines of as much as 5 million rand ($265,000), or 10% of annual turnover.

Regulators in other countries in Africa have issued similar warnings. Ghana's National Communications Authority in December released a statement demanding that anyone involved in selling or operating Starlink services in the country “cease and desist immediately.”

In Zimbabwe, authorities threatened raids in response to online advertising for Starlink equipment, H-Metro newspaper reported in January. Prices for Starlink gear on the black market ranged from $700 to $2,000, according to local technology blog Techzim. Government officials in Ghana and Zimbabwe have recently said they hope to allow licensed service.

Countries have different reasons for declining to cooperate with Starlink, including stipulations that it have a local partner and concerns around data use.

Starlink service is currently available—legally—in eight countries in sub-Saharan Africa, and the US company has big plans to build its user base. It is working with local marketing partners such as Jumia Technologies AG, an e-commerce company backed by Pernod Ricard SA that has an agreement to sell Starlink equipment for residential use in Nigeria and Kenya. There has been significant demand, with the first shipment to Nigeria selling out in a few hours, according to Chief Commercial Officer Hisham El Gabry.

“Jumia is aware that there are some unofficial distributors of these kits,” El Gabry said in an interview. While the number of devices is not yet at an alarming level, “it is a point of discussion between us and Starlink that this needs to be brought under control,” he said. Jumia verifies customers, and cancels orders if they are going to traders or unverified sources, according to El Gabry. While “that device could eventually end up with bad actors,” Starlink can monitor where these devices are connecting from. “If they pick up it's connecting from a particular militant group for instance, they can enforce that control,” he said.

One Facebook group of people complaining they've been cut off suggests that Starlink has recently de-activated some of the equipment smuggled into South Africa. Still, social media groups point to a workaround, with terminals re-registered in a country like Malawi and reactivated. Customers can then make use of Starlink's roaming services, with a subscription paid through the website. The company offers a global roaming service with a monthly charge of $200. Customers in South Africa can expect to pay about 12,000 rand ($630) for a kit.

In Venezuela, customers similarly get around the ban by paying for the global service plan using an international credit card, according to people familiar with the market, who said its use is now “normalized.”

President Joe Biden's administration could tighten the export controls that apply to Starlink to keep them out of the hands of American adversaries, according to a former US government official. A security consultant who provides training to companies on the restrictions said the real key is trying to geolocate kits when they are turned on and blocking the ones that are in violation of US export controls. That would require the company to cooperate, the person said, asking not to be named discussing commercially sensitive matters of national security.

A State Department spokesperson said that satellite constellations like Starlink are a key tool for providing connectivity and bridging digital divides. “We encourage companies to take appropriate measures to seek licenses for operating in nations around the world,” they said.

Meanwhile, SpaceX is providing assurance to some countries that it will work with them to keep its Starlink services out of certain areas. SpaceX has reassured Israel that it can geolocate and turn off individual terminals when it detects illegal use, according to an Israeli government official.

In Yemen, meanwhile, Starlink kits are openly for sale on social media, bought in countries such as Singapore or Malaysia, then activated on roaming. Customers pay via bank transfers in other countries or at the port of arrival. Prices are higher in Houthi-controlled areas, said one seller who asked not be named for safety reasons. That's because telecoms are controlled by the Houthis, who profit from the revenues, and have warned of severe actions against those caught using Starlink. Facebook and WhatsApp groups offer the equipment regardless—along with tips on how to conceal the dish.

—With assistance from Fabiola Zerpa, Daniel Flatley, Mohammed Alamin, Mohammed Hatem, Andreina Itriago Acosta, Nariman Gizitdinov, Ray Ndlovu, Eric Johnson and Jake Rudnitsky.


Explanations of Australian emergency phone number failure

“John Colville” <John.Colville@uts.edu.au>
Wed, 27 Mar 2024 06:07:35 +0000

Follow-up to failure of emergency call systems on 1 March 2024:

https://www.thenewdaily.com.au/news/national/2024/03/27/errors-telstra-triple-zero-outage
