Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
Some Polish trains were sent for routine maintenance, after which they would not run even though nothing was evidently wrong. As a last resort, the railway hired the Dragon Sector hacking group which analysed the trains' software and found code that made the trains fail if their GPS said they'd been in a list of locations that happened to match repair shops not run by the trains' manufacturer. NEWAG, the manufacturer, denies everything and has sued them for slander. https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/ https://www.404media.co/polish-hackers-repaired-trains-the-manufacturer-artificially-bricked-now-the-train-company-is-threatening-them/
www.washingtonpost.com Artificial intelligence is automating the creation of fake news, spurring an explosion of websites that can disseminate false information about wars and elections https://www.washingtonpost.com/technology/2023/12/17/ai-fake-news-misinformation/
On 19 Dec, the Daily Dot published my new investigative article digging into the mystery of the missing silver laptop that Coffee County, Georgia—home of the infamous January 2021 elections office breach captured on surveillance film—is going to the mat not to turn over, not to even find. This laptop was used extensively by Trump co-defendant and then-election supervisor Misty Hampton, charged for facilitating the MAGA-led intrusions. If found, the laptop's contents would likely impact two cases in Atlanta courthouses: Trump's criminal one over election interference, and the long-running federal civil suit *Curling v. Raffensperger*, in which plaintiffs seek to force the state to abandon mandatory electronic ballots and, in most circumstances, employ instead hand-marked paper ones. Here's the link for my investigative article: https://www.dailydot.com/news/missing-laptop-trump-case-georgia/ Also on 19 Dec, I self-published an accompanying blog post that includes several of the cut passages as well as, for the first time, four previously unreleased surveillance still. My blog pot has a ton of additional information, including a longtime area lawyer's proposal that the county adopt independent (not conflicted) and possibly pro bono counsel to aid the elections board and public with an internal inquiry into the breach and its aftermath. Here's the link for my blog post, the deleted scenes if you will: https://douglaslucas.com/blog/2023/12/19/extra-material-dailydot-investigative-article-laptop/ I worked on this for something like half a year. There's a lot of material that RISKS may be interested in. Mysteries surrounding the .ost file, the Microsoft Office 365 licenses, the county refusing to back up official files on the elections desktop computer, as required by law, when the Georgia Bureau of Investigation came knocking, they say because they feared accusations of tampering. One of the most interesting aspects is lawyers that are more powerful than the people they represesnt, the de jure vs de facto power landscape of the county, and how all this can fester and get worse when the underlying digital data, in full, headers, signatures, everything, is not out in the open. Theopacity allows the overpowered lawyers and county manager to run the show, merely claiming this, claiming that, until enough strength shows up to enforce, you know, Rules of Evidence.
*The New York Times*, 30 Dec 2023, Front-page story (PGN-ed) Benjamin Weiser and Jonah Bromwich Michael D. Cohen, the onetime fixer for former President Donald J. Trump, said in court papers unsealed on Friday that he had mistakenly given his lawyer bogus legal citations generated by the artificial intelligence program Google Bard. The fictitious citations were used by Mr. Cohen's lawyer in a motion submitted to a federal judge, Jesse M. Furman. Mr. Cohen, who pleaded guilty in 2018 to campaign finance violations and served time in prison, had asked the judge for an early end to the court's supervision of his case now that he is out of prison and has complied with the conditions of his release. In a sworn declaration made public on Friday, Mr. Cohen explained that he had not kept up with “emerging trends (and related risks) in legal technology and did not realize that Google Bard was a generative text service that, like ChatGPT, could show citations and descriptions that looked real but actually were not.'' https://www.nytimes.com/2023/12/29/nyregion/michael-cohen-ai-fake-cases.html [Lauren Weinstein had a note on this: Most ordinary folks do *not understand* what AI and Large Language Models are about. They don't read the AI company disclaimers that the firms know are basically there to try protect the firms—not the users. PGN] [But Michael Cohen was no ordinary person. Perhaps Google Bard also wrote all of “shakespeare'' (The Bard) retroactively? The illiterate Willem Shaksper certainly didn't. PGN] [Gabe Goldberg commented, When will they ever learn... PGN]
Jeremy Hsu, *New Scientist*, 15 Dec 2023, via ACM TechNews An AI system based on large language models (LLMs) developed by University of California, Irvine researchers can be used locally via smartphone, eliminating reliance on a cloud service's datacenters and permitting LLM queries without having to share sensitive personal information. The LinguaLinked system splits the LLM's computations among several smartphones based on the phones' available memory and network connectivity. The researchers used the system to run BLOOM LLMs on four commercial phones, with an average AI processing speed per token of 2 seconds on a small AI model with 1.1 billion parameters, and 4 seconds on a larger model with 3 billion parameters. [This could increase trustworthiness for oneself if one is very careful, but could also make it much more difficult for others who won't know anything about that trustworthiness—or the lack thereof. PGN]
Will Douglas Heaven, MIT Technology Reveiw, Jan/Feb 2024, pp. 30-37 1. Will we ever mitigate the bias problem? 2. How will AI change the way we apply copyright? 3. How will it change our jobs? 4. What misinformation will it make possible? 5. Will we come to grips with its costs? 6. Will doomerism continue to dominate policymaking?
A landmark settlement over the pharmacy chain's use of the surveillance technology could raise further doubts about facial recognition's use in stores, airports and other venues The FTC said huge errors were commonplace. Between December 2019 and July 2020, the system generated more than 2,000 *Match Alerts* for the same person in faraway stores around the same time, even though the scenarios were *impossible or implausible*, the FTC said. In one case, Rite Aid's system generated more than 900 *match alerts* for a single person over a five-day period across 130 different stores, including in Seattle, Detroit and Norfolk, regulators said. The system generated thousands of false matches, and many of them involved the faces of women, Black people and Latinos, the FTC said. Federal and independent researchers in recent years have found that those groups are more likely to be misidentified by facial-recognition software, though the technology's boosters say the systems have since improved. https://www.washingtonpost.com/technology/2023/12/19/ftc-rite-aid-facial-recognition
https://phys.org/news/2023-12-ai-human-lifespan-good.html "Even though we're using prediction to evaluate how good these models are, the tool shouldn't be used for prediction on real people." Ripe for commercial exploitation. Hospitals and insurance companies might find this model enables cherry picking of patients (ER patient dumping) and policy price schedules. [The old dual-use problem: Anything that can be used for good can be used for bad. That should have been a corollary of Murphy's Law. PGN]
https://www.bbc.com/news/business-67748255 In other slightly less miraculous news, generative modeling is now capable of doing what used to be done by hand faster than when it was done by hand. This is improving flood hazard prediction. I would add to that prediction: flood insurance premiums are likely to rise. Umbrella disclaimer,
The Law Is Powerless. <about:blank?compose#> New AI-generated digital replicas of real experts expose an unnerving policy gray zone. Washington wants to fix it, but it’s not clear how. Martin Seligman, the influential American psychologist, found himself pondering his legacy at a dinner party in San Francisco one late February evening. The guest list was shorter than it used to be: Seligman is 81, and six of his colleagues had died in the early Covid years. His thinking had already left a profound mark on the field of positive psychology, but the closer he came to his own death, the more compelled he felt to help his work survive. The next morning he received an unexpected email from an old graduate student, Yukun Zhao. His message was as simple as it was astonishing: Zhao's team had created a *virtual Seligman*. Zhao wasn't just bragging. Over two months, by feeding every word Seligman had ever written into cutting-edge AI software, he and his team had built an eerily accurate version of Seligman himself—a talking chatbot whose answers drew deeply from Seligman’s ideas, whose prose sounded like a folksier version of Seligman’s own speech, and whose wisdom anyone could access. Impressed, Seligman circulated the chatbot to his closest friends and family to check whether the AI actually dispensed advice as well as he did. “I gave it to my wife and she was blown away by it,” Seligman said. The bot, cheerfully nicknamed “Ask Martin,” had been built by researchers based in Beijing and Wuhan ” originally without Seligman’s permission, or even awareness. The Chinese-built virtual Seligman is part of a broader wave of AI chatbots modeled on real humans, using the powerful new systems known as large language models to simulate their personalities online. Meta is experimenting with licensed AI celebrity avatars <https://www.theverge.com/2023/9/27/23891128/meta-ai-assistant-characters-whatsapp-instagram-connect>; you can already find internet chatbots trained on publicly available material about dead historical figures <https://www.hellohistory.ai>. But Seligman’s situation is also different, and in a way more unsettling. It has cousins in a small handful of projects that have effectively replicated living people without their consent. In Southern California, tech entrepreneur Alex Furmansky created a chatbot version of Belgian celebrity psychotherapist Esther Perel by scraping her podcasts off the internet. He used the bot to counsel himself through a recent heartbreak, documenting his journey in a blog post <https://magneticgrowth.substack.com/p/esther-perel-generative-ai-bot> that a friend eventually forwarded to Perel herself. [...] https://www.politico.com/news/magazine/2023/12/30/ai-psychologist-chatbot-00132682
Everything is a System. Every system can be more efficient with AI https://danafblankenhorn.substack.com/p/ai-in-the-machine-internet [Everything is indeed a system. Every system can also be less trustworthy with AI. Cassandra-PGN]
The ambitious Ministry of State Security is deploying AI and other advanced technology to go toe-to-toe with the United States, even as the two nations try to pilfer each other's scientific secrets. https://www.nytimes.com/2023/12/27/us/politics/china-cia-spy-mss.html?smid=nytcore-ios-share&referringSource=articleShare
Belle Lin, The Wall Street Journal (12/14/23), via ACM TechNews Because RISC-V, the open-source standard developed in 2010 for designing semiconductors, is free, it allows for the development of lower-cost, potentially more efficient processors for artificial intelligence and mobile devices. Google and Meta have said the open standard enables greater customization. Forrester Research's Glenn O'Donnell said RISC-V is particularly attractive for companies because it does not require upfront licensing fees. However, Dell's John Roese said the "middleware" software supporting RISC-V has not been fully developed for datacenters and other high-performance applications. Roese explained, "Until you have enough of a software and developerecosystem, these things stay very niche."
TERRAPIN: SSH protects the world's most sensitive networks. It just got a lot weaker https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/ [Also noted by Victor Miller. PGN]
ArsTechnica reported that Terrapin, a man-in-the-middle attack against the widely used SSH protocol, is feasible in combination with widely used "ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC" encryption modes. https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/
[Victor Miller noted this item: https://spectrum.ieee.org/quantum-computing-skeptics Rod replied to a separate posting from Dave Farber. PGN[ Just a few comments on the overall thrust rather than detailed comments, so rather than top-posting I just deleted the content. You may both post this to your lists if like. As a confirmed optimist but realist who has now invested twenty years in this field, by and large I endorse this. We are moving from analog through digital to quantum information; in my opinion, quantum represents a fully fundamental change in processing methods, but we still have a long ways to go to realize the full impact. For the most part, unlike many "hit pieces" on quantum, they have talked to the right people. Le Cun is a known skeptic, and Meta is probably the most important tech company in the world that is deliberately *NOT* doing quantum. I don't really know how much he does or doesn't know about quantum, but his opinion carries weight and I don't think he is simply knee-jerk opposed. Troyer and Aaronson are both well known and respected researchers (though Aaronson may be getting a little over-exposed in the media these days; he's eminently quotable and is the field's most prominent blogger, so he is the go-to guy for many media, it seems). (Please, PLEASE do not listen to Michio Kaku on quantum; his explanations of how these things work are far too garbled to be useful, regardless of what you think about the gauzier musings about quantum computing and the Universe.) My own favorite of Troyer's papers is this: https://www.science.org/doi/abs/10.1126/science.1252319 https://arxiv.org/abs/1401.2910 talking about how to quantify a true quantum speedup. Oskar Painter is also a professor at a little school called Caltech, which the article didn't mention. (It's hard to overstate Tech's influence in quantum. A list of prominent people would take a half a page, with Preskill, Kitaev, Shor, Bacon, Raussendorf, Wehner, Kimble, Northup, Vuckovic, Gottesman, Leung, Mabuchi, Brun, Hsin-Yuang Huang, Furusawa, Lloyd, etc. as undergrads, grads, postdocs and faculty. And me, let's not forget me. Oh, and some guy named Feynman, who gets a share of the credit for originating the idea in the first place.) Anyway, back to the topic... This year saw huge advances toward effective error correction. The month of December alone produced several juicy papers. One that is getting a lot of attention is https://www.nature.com/articles/s41586-023-06927-3 which shows logical operations using quantum error detection (not really quite correction yet) on a large number of individual neutral atoms in a trapped array. Personally, I have to issue a mea culpa here, because in the mid-2010s I didn't see a path to solid control of neutral systems that allowed for the individual control and programmability necessary. the QuEra-Harvard-MIT team has done amazing work. I could type for an hour about interesting results from this year, but I don't have time this morning. Everybody agrees that NISQ (noisy, intermediate-scale quantum) won't scale. The biggest question on the table is whether NISQ becomes useful before it stops scaling. I think right now a slim majority people are on the side of "no", though personally I think the jury is still out. So, the hardware is progressing; software tools, including compilers, debuggers, etc. still have a long ways to go. And it's fair to say that the breadth of applications has not advanced as much as I might have hoped two decades ago, but our depth of understanding of what is and isn't possible has continued to grow. I'm optimistic that when we put these machines in the hands of the next generation of Knuths, Lamports and Torvaldses, that amazing things will happen. And we are going to have to continue to rethink education for the #QuantumNative generation; quantum algorithms require a very different way of thinking. (And yes, unlike some people, I think the interdisciplinary skills such students will learn will stand them in good stead throughout their careers, whether they actually focus on quantum or not.) Assuming quantum succeeds, we are going to need a LOT of programmers, and not all of them need to understand the low-level physics of the devices, just as most software engineers today have a moderate-to-completely-nonexistent understanding of semiconductor physics.
Damn. All too common crypto use case. In spite of years-long ongoing publicity and warnings. https://fcpdnews.wordpress.com/2023/12/28/fcpd-combats-crypto-related-scams-how-to-avoid-falling-victim-to-fraud/
No details were released, but it seems that the hackers had targeted a central payment system. Full story at: https://www.timesofisrael.com/israel-linked-group-claims-cyberattack-that-shuts-down-70-of-irans-gas-stations/
I have a short blog post that may be of interest to some of you: https://www.lawfaremedia.org/article/write-the-laws-for-the-world-in-which-we-live-not-the-one-we-imagine.
The library has been incapacitated since October, and the effects have spread beyond researchers and book lovers. https://www.newyorker.com/news/letter-from-the-uk/the-disturbing-impact-of-the-cyberattack-at-the-british-library
Data for nearly 36 million Comcast customers leaked to hackers https://arstechnica.com/security/2023/12/hack-of-unpatched-comcast-servers-results-in-stolen-personal-data-including-passwords/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social
Considerable scholarly attention has been paid to understanding belief in online misinformation, with a particular focus on social networks. However, the dominant role of search engines in the information environment remains underexplored, even though the use of online search to evaluate the veracity of information is a central component of media literacy interventions. Although conventional wisdom suggests that searching online when evaluating misinformation would reduce belief in it, there is little empirical evidence to evaluate this claim. Here, across five experiments, we present consistent evidence that online search to evaluate the truthfulness of false news articles actually increases the probability of believing them. https://www.nature.com/articles/s41586-023-06883-y [See the full article for the footnotes not available here. PGN]
A positive look back at this year's tech developments, from one journalist's viewpoint. Perhaps a refreshing change from the usual RISKS negativity. [I.e., our positive focus on reducing risks! But we are always looking for items that minimize the risks. Thanks, Steve. Happy New Year with fewer risks. PGN]. https://www.nytimes.com/2023/12/25/technology/the-2023-good-tech-awards.html
You do not need either one specifically. A software development company should have a version control system (VCS). DVCS (distributed) is very popular with developers as they are less likely to complain about slow transfers, or merge problems. The slow transfer problem is specific to Subversion's storage and transfer model, which operates at the document level. Git operates on a mixed model of objects and archives. Mercurial uses a similar DVC model. Developers don't complain about merges in git because they tend to make that the problem for the person processing pull requests. Subversion and Team Foundation are CVCS (centralized). Subversion distributed merge conflicts to the developers, and they don't like You cannot commit a merge conflict in Subversion. I have not personally worked with Team Foundation, but it is my understanding you cannot commit merge conflicts in that system either. Merge conflicts arise from multiple developers working on the same document/object at the same time. If you have merge conflicts on a regular basis, your developers are working on a crappy codebase. Moving to DVCS won't fix that. Git was developed by the hardest working man in IT to deal with a project that was intentionally designed to be mostly monolithic as it was the source for a kernel, which is monolithic. Are you developing a monolithic kernel? No? Then you do not need git nor DVCS. You need to fix your codebase. Are you developing open-source software? No? Then you do not need git nor DVCS. Are you developing software which has a GRC mandate to be tracked? Yes? Then you need CVCS. Unless you take a lot of extra time to ensure that your git is setup for signed commits and that your developers are using signing by whoever the developer said their email address was at the time. Subversion only operates in two modes, anonymous and authenticated. If you set authentication up, every commit is authenticated. Developers cannot attempt a commit without authentication. Are you working on a codebase which needs additional restrictions on branches or specific files? DVCS pushes the whole codebase to everyone. If you can see the project, you can see everything in it. And the file that was deleted because it had a raw key in it? Hope you pruned your history, otherwise, it's still there. What do you mean you moved to git to stop having to deal with administrative issues with the Subversion repository? Git still needs things like historical pruning, backups, dead branch deletion. You can kick the can down the road a bit longer with git because its model is smaller on disk, but those 200 dead branches are going to prevent any new developers from being able to onboard rapidly. If you are using Subversion, the historical-key-file problem still exists, if the developer can see the file, they can roll the history back on it. However, as Subversion requires each revision checkout to be a separate request, your inside threat is going to leave some very blatant log activity. What do you mean that Bitbucket Cloud doesn't provide access logs for repos? How does your security team review potential internal threats or access control misconfigurations? GitHub Cloud does. Maybe if you were running your VCS internally you could use the server logs? Also if your VCS was internal, those access logs would be a little smaller as the whole world couldn't attempt bulk logins. Oh, your access log doesn't have attempts. Only successes. Cool. How do you know if someone is prodding your publicly-accessible private repo more or less than usual? You're not that concerned because you're using VCS to host your documentation? Why? Are you going to merge your old documents and your new documents? Oh, so you didn't have to setup a CMS (content management system). I am also fond of using the electrician's hammer. Does that screw look like a nail to you, [Cliff, In defense of Subversion and github, you may have overstated your case a bit. Both take a bit of learning to cover certaub corner cases, and they do have benefits in highly distributed team efforts. PGN]
Thieves are stealing Apple iPhones, passcodes and thousands of dollars from their victims' bank accounts. WSJ's Joanna Stern sat down with a convicted thief in a high-security prison to find how”and how you can protect yourself. https://www.youtube.com/watch?v=gi96HKr2vo8 [High-security has (at least) TWO meanings here. I wonder if Joanna came out with her phone intact. PGN]
The government that Frances Sharples served for more than four decades considers the money to be income, compounding her pain Frances Sharples walked through the glass doors of her credit union, ready to make the worst decision of her life. She had a script from the man promising to save the retirement account she built over decades as a science adviser to the U.S. government, including in the White House. He told her to transfer more than $600,000 ” and to keep her cellphone on so he could listen to her. If anyone asked whether she was put up to it, she was to reply: “No, absolutely not,” according to her hand-scrawled notes. No one did. She handed the clerk the routing number, walked back to her dented 2005 Honda and returned home. “Now I'm good,” she told herself. “Now, I'm safe.” [...] Billings started small, saying Sharples first needed to protect the $25,000 in her savings account at Commerce Federal. Williams would keep her on the line from 7 a.m. until bedtime ” claiming to be removing malicious software from her computer but mostly lingering silently ” for more than two weeks. Finally, a document appeared on her screen with a list of account names and numbers. Print it out, Billings told her. Drive to your credit union. She did. According to the script he gave her, if asked, she should say she was moving the money to her investment account, something she does frequently. [...] At that point, a precaution set up to backstop bad customer decisions kicked in. After Sharples asked TIAA ” which managed the retirement account ” to transfer her money, a senior fraud investigator with the company called to question her decision. “Is someone else telling you to do this?” he asked. “No, it’s my idea,” she said, following the script. “I’ve decided I want to invest in a different way.” [...] As she prepared her taxes online, Sharples was sickened by what she saw on her Form 1040, which showed the fraud raising her taxes by hundreds of thousands of dollars. She was then drawn through an excruciating education in the nation's sprawling tax code. https://www.washingtonpost.com/dc-md-va/2023/12/14/cyber-crime-scams-irs-taxes/
Ahmed's first target was the undisclosed crypto exchange on the Solana blockchain. He manipulated a smart contract to introduce false pricing data, which led to the generation of approximately $9 million in inflated fees. After withdrawing these funds, Ahmed brazenly offered to return the stolen amount, minus $1.5 million, on the condition that the exchange would not involve law enforcement. This attack closely resembles the breach that impacted the Crema Finance decentralized finance platform in July 2022. Following this initial hack, Ahmed turned his attention to Nirvana Finance. He exploited a loophole in the DeFi protocol's smart contract, taking a flash loan of ANA cryptocurrency tokens at a low price and selling them back at a higher rate. This maneuver netted him around $3.6 million. Despite being offered a $300,000 bounty to return the stolen assets, Ahmed refused, demanding $1.4 million and ultimately leading to the shutdown of Nirvana Finance after no agreement was reached. https://readwrite.com/ex-amazon-security-engineer-admits-to-stealing-over-12m-in-crypto/ If those are smart contracts, what would dumb ones be?
The bleeping computer article misses the distinction between TFA (two-factor authentication) and TSA (two-step authentication), TFA being far more secure than TSA. With TFA, one must possess a physical crypto token (like an RSA SecureID token) plus a password, the factors being something one possesses (token) and something one knows (password). The computer is not providing authentication. With the TSA, no physical token is used, it's something one knows (a password) provided to a computer, and it is done in two steps. If malware has managed to sufficiently infect the computer, the malware can perform both steps. In the story of unsolicited OTP codes, the malware had not gained sufficient control and was thwarted. But the whole drama would not have happened if true TFA had been implemented. Amazon certainly knows the difference, which is why they call what they do TSA, not TFA.
Is capitalism an efficient economic system? It depends on what you want to optimise for: if the purpose of your economic system is to transfer wealth from everyone else to a handful of billionaires, then capitalism is already very efficient and becoming ever more efficient. If the purpose is the long term thriving of the human race, then capitalism is a terrible system: the thing you are optimisimg for (called "profit") is actually a form of friction and *loss* to the system as stores of value (money) get extracted from the economic cycle and stashed away unproductively. Whole industries, such as advertising and banking, are purely destructive of value. A better economic system would eliminate the concept of "profit" as something extracted by shareholders and board members. Activities that are most efficient when nationalised, such as fire service, police, army, energy distribution, transport, and of course, the health service, should never be allowed to fall into private hands or should be taken out of private hands. Each of these activities gets a budget to do a certain thing and should be laser focused on doing that thing. The post office delivers letters and parcels, the railway network runs railways, the health service keeps the population healthy, the universities generate knowledge and so on. This leads to a lot of difficult discussions about how much each service needs in order to ensure human thriving without a negative impact on other services. But the current approach where everything is reduced to profit is once again, optimising for the wrong thing. For private industry, small family businesses and small to medium cooperatives will ensure that any "profit" is recycled back into the economy. In conclusion: The reason that poverty and homelessness exist is not because capitalism is not working properly, but because that is the way it works.poappp
Please report problems with the web pages to the maintainer