The RISKS Digest
Volume 34 Issue 11

Sunday, 24th March 2024

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

DMVs Nationwide Hit With Outage, Officials In Multiple States Say Across America
U.S. Patch
DMV services disrupted nationwide by system out[r]age
Henry Baker
McDonald's blames global outage on third party
BBC
Re: McDonald's hit by outages at stores worldwide
Steve Bacher
Re: McDonald's
turgut_kalfao─člu?
Tesco and Sainsbury's working to fix technical issues that suspended food deliveries to customers
CNN
Anti-drone radio jammers marketed on Amazon and Google despite being outlawed by FCC rules
Steve Bacher
A ChatGPT for Music Is Here. Inside Suno, the Startup Changing Everything
Rolling Stone
Albertans have lost at least $156M to fraud this decade
CBC
Chinese & Western Scientists Identify ‘Red Lines’ on AI Risks
Financial Times
Unpatchable vulnerability in Apple chip leaks secret encryption keys
Ars Technica
Apple has effectively abandoned HomeKit Secure Routers
Monty Solomon
Paper about the gofetch attack
Victor Miller
Why Tech Companies Are Not Your Friends: Lessons From Roku
NYTimes
Is your smart device safe from hackers? New FCC program will label cybersecure technology
LA Times
Hackers can unlock over 3 million hotel doors in seconds
ArsTechnica
Man Boarded Delta Flight Using Ticket Ruse
NYTimes
Never-before-seen data wiper may have been used by Russia against Ukraine
ArsTechnica
UPS worker charged after $1.3M Apple product theft spree fines, report finds
WashPost
Social Security program failed to properly notify people of huge service
Ars Technica
FCC bans cable TV industry's favorite trick for hiding full cost of service
Ars Technica
Hype cycle meets rinse cycle: does dishwasher really need a mobile app?
Rob Pegoraro
LAUSD's new student advisor is an AI bot that designs academic plans, suggests books
LATimes
Lawyer warns ‘integrity of the entire system in jeopardy’ if rising use of AI in legal circles goes wrong
CBC
I recommend DISABLING Google's new Chrome “real-time, privacy-preserving URL protection”
Lauren Weinstein
Why Tech Companies Are Not Your Friends: Lessons From Roku
NYTimes
Re: Risks of Leap Years and Dumb Digital Watches
Mark Brader
Re: AT&T proposals to kill landlines and more in California
Lauren Weinstein
Re: Hackers Breached Key Microsoft Systems
Bernie Cosell
Info on RISKS (comp.risks)

DMVs Nationwide Hit With Outage, Officials In Multiple States Say | Across America (U.S. Patch)

Gabe Goldberg <gabe@gabegold.com>
Thu, 21 Mar 2024 18:10:04 -0400

CROSS AMERICA ” All motor vehicle departments in the United States went down Thursday, according to officials in multiple states. Officials in Illinois, Virginia, Massachusetts, Arkansas and Colorado all confirmed they experienced an outage.

“We are currently experiencing a nationwide network outage at our DMV facilities,” tweeted Illinois Secretary of State Alexi Giannoulias. “All DMVs across the country are currently down.”

Virginia's DMV said the outage stemmed from “a third-party technical outage,” and that driver's license services were unavailable online and at all in-person locations.

“We apologize for the inconvenience. Please stay tuned to social media for updates,” the agency said.

https://patch.com/virginia/annandale/s/ivgud/dmvs-nationwide-hit-with-outage-officials-in-multiple-states-say

A technical outage hit all DMVs at once? Need details..


DMV services disrupted nationwide by system out[r]age

Henry Baker <hbaker1@pipeline.com>
Fri, 22 Mar 2024 02:03:12 +0000

I'm surprised that anyone could tell the difference from typical DMV operations. ..

https://www.nbcnews.com/news/rcna144496

DMV services disrupted nationwide by system out[r]age

The American Association of Motor Vehicle Administrators said the outage was due to “a loss in cloud connectivity” Thursday.


McDonald's blames global outage on third party (BBC)

Gabe Goldberg <gabe@gabegold.com>
Sat, 16 Mar 2024 18:03:32 -0400

McDonald's has revealed the technical problems which brought much of its fast food chain to a standstill on Friday were caused by a third party provider.

The international restaurant said the global outage happened during a “configuration change” and stopped stores taking orders in the UK, Australia and Japan—amongst others.

McDonald's stressed the issue was not caused by a cyberattack.

https://www.bbc.com/news/business-68573106

Configuration change hits single point of failure, craters world-wide restaurant chain. Nice. A plus for momentary healthy eating, though.


Re: McDonald's hit by outages at stores worldwide From: Steve Bacher <sebmb1@verizon.net>

<>
Sun, 17 Mar 2024 08:46:14 -0700

This comes at a bad time for McDonald's, since they are aggressively rolling out kiosk-only ordering in place of humans. Recently I had to deal with one of those in my local McD's—the counterwoman kindly fingerwalked through the menus for me to order 2 coffees but the kiosks had no provision for the senior discount price so she still had to ring it up manually for me instead.

So it's kind of karmic justice in a way.


Re: McDonald's (RISKS-34.10)

turgut_kalfao─člu <turgut@kalfaoglu.com>
Sun, 17 Mar 2024 20:21:31 +0300
> McDonald's has revealed the technical problems which brought much of its
> fast food chain to a standstill on Friday were caused by a third party
> provider.

What I fail to understand is why do all of the world's McDonald's stores have to be online to be able to sell food?

It seems the more eggs you put in one basket, the more eggs you are going to lose.


Tesco and Sainsbury's working to fix technical issues that suspended food deliveries to customers (CNN)

Monty Solomon <monty@roscom.com>
Sun, 17 Mar 2024 00:55:39 -0400

https://www.cnn.com/2024/03/16/business/tesco-sainsburys-delivery-technical-issues/index.html


Anti-drone radio jammers marketed on Amazon and Google despite being outlawed by FCC rules

Steve Bacher <sebmb1@verizon.net>
Wed, 20 Mar 2024 16:15:55 -0700

Several online retailers and drone technology companies are marketing the sale of radio frequency jammers as drone deterrence or privacy tools, sidestepping federal laws that prohibit such devices from being offered for sale in the U.S. [Long item PGN-curtailed]

https://www.nbcnews.com/tech/security/drone-radio-frequency-jammer-signal-online-defense-technology-rcna135103


A ChatGPT for Music Is Here. Inside Suno, the Startup Changing Everything (Rolling Stone)

Steve Bacher <sebmb1@verizon.net>
Tue, 19 Mar 2024 06:53:20 -0700

AI music-generation illustration www.rollingstone.com

Suno AI wants everyone to be able to produce their own pro-level songs with artificial intelligence ” but what does that mean for artists?


Albertans have lost at least $156M to fraud this decade (CBC)

Matthew Kruk <mkrukg@gmail.com>
Fri, 22 Mar 2024 06:46:55 -0600

Many others don't report the crime

https://www.cbc.ca/news/canada/edmonton/alberta-fraud-money-victims-1.71467= 51

Albertans have reported losing more than $156 million to fraudsters since the start of this decade, with tens of millions more being taken each year. But there hasn't been a coinciding rise in victims—in part, experts say, because people are reluctant to come forward.

In 2023, roughly 2,900 Albertans lost more than $62.5 million to various fraud schemes—up more than fivefold from the $11.3 million taken = from about 2,600 people in 2020, data shows.

More than half the reported losses in the province last year were from investment scams, particularly cryptocurrency frauds. Spear-phishing—when scammers pretend to be legitimate sources to con businesses and people into sending money—was the second-most lucrative type of fraud, taking= more than $8.5 million from 72 people.


Chinese & Western Scientists Identify ‘Red Lines’ on AI Risks (Financial Times)

ACM TechNews <technews-editor@acm.org>
Wed, 20 Mar 2024 11:42:38 -0400 (EDT)

Cristina Criddle, Eleanor Olcott and Madhumita Murgia, Financial Times, 18 Mar 2024, via ACM Tech News

A statement signed by Western and Chinese AI scientists warns that Cold War-level global cooperation is necessary to avoid “catastrophic or even existential risks to humanity within our lifetimes” resulting from AI technology. At the International Dialogue on AI Safety in Beijing, the experts established “red lines” on AI risks that no AI system should cross, including the development of bioweapons and the launch of cyberattacks. Signatories to the statement included ACM A.M. Turing Award laureates Geoffrey Hinton and Yoshua Bengio, as well as computer scientists Stuart Russell and Andrew Yao.


Unpatchable vulnerability in Apple chip leaks secret encryption keys (Ars Technica)

Victor Miller <victorsmiller@gmail.com>
Fri, 22 Mar 2024 02:14:23 +0000

Unpatchable vulnerability in Apple chip leaks secret encryption keys | Ars Technica

https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/


Apple has effectively abandoned HomeKit Secure Routers

Monty Solomon <monty@roscom.com>
Fri, 22 Mar 2024 20:12:17 -0400

https://appleinsider.com/articles/24/03/22/apple-has-abandoned-homekit-secure-routers-claim-vendors?utm_medium=rss


Paper about the gofetch attack

Victor Miller <victorsmiller@gmail.com>
Fri, 22 Mar 2024 02:16:49 +0000

https://gofetch.fail/files/gofetch.pdf


Why Tech Companies Are Not Your Friends: Lessons From Roku (The New York Times)

Gabe Goldberg <gabe@gabegold.com>
Fri, 22 Mar 2024 15:13:44 -0400

Roku recently changed its policy to make it even harder for customers to take legal action. It’s a reminder of how we need to protect ourselves.

To Isaac Phillips, a software engineer in Tampa, Fla., this felt unfair. So he came up with a workaround to disconnect his Roku TV from the Internet and use it as a normal TV without Roku’s apps, which include Netflix, Hulu and other streaming services.

“It should belong to whoever paid for it,” Mr. Phillips said. “To lock somebody out of it completely just doesn't seem right. It’s pretty unacceptable.”

A Roku spokesman also provided a list of steps for those who wish to use their Roku TVs as normal TVs without an Internet connection. It involves pressing a button or pinhole on the back of the TV to reset the software and skipping the step to set up the Internet connection.

https://www.nytimes.com/2024/03/20/technology/personaltech/roku-data-breach-companies.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

Why is it harder to opt out than it is to opt in? Because the companies are legally allowed to do this.

I suggest that Roku customers follow those steps to opt out of the new terms and hold on to what little power they have. I, for one, took this opportunity to disconnect my Roku TV from the Internet and plug in a different streaming device with less onerous terms, an old Apple TV. As for a letter to opt out, I plan to use the AI chatbot ChatGPT to draft a testy note.


Is your smart device safe from hackers? New FCC program will label cybersecure technology (LA Times)

Steve Bacher <sebmb1@verizon.net>
Wed, 20 Mar 2024 18:44:57 -0700

Internet-connecting devices that meet standards will soon come with a “U.S. Cyber Trust Mark” to help consumers choose products that protect their private information.

https://www.latimes.com/california/story/2024-03-19/new-program-will-label-smart-device-and-products-cybersecurity-safe Would you trust the Trust Mark? I'm not sure. I guess the consumer strategy would be to avoid buying devices that lack the Trust Mark rather than putting blind trust in the mark.


Hackers can unlock over 3 million hotel doors in seconds (ArsTechnica)

Monty Solomon <monty@roscom.com>
Fri, 22 Mar 2024 20:03:39 -0400

https://arstechnica.com/?p=2012114


Man Boarded Delta Flight Using Ticket Ruse (NYTimes)

Monty Solomon <monty@roscom.com>
Fri, 22 Mar 2024 02:10:43 -0400

By taking pictures of other passengers’ boarding passes on their phones, the man was able to board a Delta Air Lines flight in Salt Lake City on Sunday, according to a federal complaint.

https://www.nytimes.com/2024/03/20/business/delta-unticketed-passenger-arrested.html


Never-before-seen data wiper may have been used by Russia against Ukraine (ArsTechnica)

Monty Solomon <monty@roscom.com>
Fri, 22 Mar 2024 20:09:52 -0400

https://arstechnica.com/?p=2012093


UPS worker charged after $1.3M Apple product theft spree

Monty Solomon <monty@roscom.com>
Fri, 22 Mar 2024 20:16:05 -0400

https://appleinsider.com/articles/24/03/21/ups-worker-charged-after-13m-apple-product-theft-spree


Social Security program failed to properly notify people of huge fines, report finds (WashPost)

Monty Solomon <monty@roscom.com>
Thu, 21 Mar 2024 19:17:36 -0400

The Social Security Administration’s internal watchdog office failed to properly notify some poor and disabled Americans before levying huge fines on them, an investigation found. https://wapo.st/3vsSwyb


FCC bans cable TV industry's favorite trick for hiding full cost of service (Ars Technica)

Monty Solomon <monty@roscom.com>
Fri, 22 Mar 2024 09:40:02 -0400

https://arstechnica.com/?p=2011532


Hype cycle meets rinse cycle: does dishwasher really need a mobile app? (Rob Pegoraro)

Gabe Goldberg <gabe@gabegold.com>
Sun, 17 Mar 2024 23:32:15 -0400

Years later than you might have expected, given my line of work, I’ve finally hit the dubious milestone of owning a major appliance with its own Internet Protocol address and mobile app“the Bosch dishwasher we procured as part of an overdue and immensely-appreciated kitchen renovation.

https://robpegoraro.com/2024/03/16/hype-cycle-meets-rinse-cycle-does-my-dishwasher-really-need-a-mobile-app/

Risks? Missing an app alert and the undocumented trash masher feature starting? Dishwasher organizing other appliances in rebellion against flaky power? Yet another malware attack surface?


LAUSD's new student advisor is an AI bot that designs academic plans, suggests books

Steve Bacher <sebmb1@verizon.net>
Fri, 22 Mar 2024 07:47:27 -0700

Los Angeles school officials say their new app lets students and parents, in one place, find anything they need related to school and their specific learning path.

The Los Angeles school district on Wednesday unveiled a much-awaited AI tool named “Ed” to serve as a student adviser, programmed to tell its young users and their parents about grades, tests results and attendance ” while giving out assignments, suggesting readings and even helping students cope with nonacademic matters. […]

https://www.latimes.com/california/story/2024-03-21/new-ai-tool-in-education-aspires-to-have-all-the-answers-for-l-a-students


Lawyer warns ‘integrity of the entire system in jeopardy’ if rising use of AI in legal circles goes wrong (CBC)

Matthew Kruk <mkrukg@gmail.com>
Sun, 17 Mar 2024 10:18:02 -0600

https://www.cbc.ca/news/canada/nova-scotia/artificial-intelligence-lawyers-= law-nova-scotia-1.7126732

As lawyer Jonathan Saumier types a legal question into ChatGPT, it spits out an answer almost instantly.

But there's a problem—the generative artificial intelligence chatbot was flat-out wrong.

“So here's a prime example of how we're just not there yet in terms of accuracy when it comes to those systems,” said Saumier, legal services support counsel at the Nova Scotia Barristers' Society.

Artificial intelligence can be a useful tool. In just a few seconds, it can perform tasks that would normally take a lawyer hours or even days.

But courts across the country are issuing warnings about it, and some experts say the very integrity of the justice system is at stake.


I recommend DISABLING Google's new Chrome “real-time, privacy-preserving URL protection”

Lauren Weinstein <lauren@vortex.com>
Sat, 16 Mar 2024 13:13:37 -0700

It's up to you, but for now I recommend DISABLING Google's new Chrome “real-time, privacy-preserving URL protection”.

I'm getting a lot of questions about this, and I simply don't have time right now to write this up in depth. So this will have to be short (at least by my standards).

Google is implementing by default in Chrome a new system to expand their detection of unsafe sites, via a complicated new real-time system that sends hashes of URLs to a third-party, non-Google firm.

The details are in:

https://security.googleblog.com/2024/03/blog-post.html

Google's goal is laudable, but though it would probably be unfair of me to call this system “Rube Goldberg-ish”, it is definitely very far from trivial.

I am in particular concerned about the ramifications of Chrome users being connected by default to a completely non-Google entity to which they are sending data, no matter how obfuscated that data may be.

While Google seems to be asserting that by creating a three-party system (user, Google, outside firm) privacy is enhanced—and this would appear to be true in theory—the possibilities for interference by government or other entities seems increased with each new player in the process. Also, users are now dealing with an additional set of policies (and legal departments), that of Google and that of the third party. Nor (as far as I know) has the contractual basis of the relationship between Google and this third party been made public.

There may be nothing at all wrong with this arrangement. But frankly, the introduction of a third party and other aspects of this system have raised a caution warning for me, especially when this is enabled by default.

So my recommendation for now is to turn off this feature, until significantly more is known about it in the respects I've mentioned above and others. This is completely up to you of course. You may wish to keep the Google default that uses this system and have the additional protection, and may not be at all concerned about the other issues I've mentioned. Absolutely your choice.

I do invite Google to contact me with more information about these issues if they wish to do so. -L


Why Tech Companies Are Not Your Friends: Lessons From Roku (NYTimes)

“Jim” <jgeissman@socal.rr.com>
Wed, 20 Mar 2024 10:48:05 -0700

Roku recently changed its policy to make it even harder for customers to take legal action. It's a reminder of how we need to protect ourselves.

https://www.nytimes.com/2024/03/20/technology/personaltech/roku-data-breach- companies.html?unlocked_article_code=1.eE0.xzdb.HCSnU1ujiRmT


Re: Risks of Leap Years and Dumb Digital Watches (Shapir, R-34..10)

Mark Brader <msb@Vex.Net>
Sun, 17 Mar 2024 06:13:54 -0400 (EDT)

The year on my Timex watch cannot be set outside the range 2000-2099.


Re: AT&T proposals to kill landlines and more in California

Lauren Weinstein <lauren@vortex.com>
Thu, 14 Mar 2024 17:53:40 -0700

The count of comments at the CPUC (overwhelmingly negative) on the main proposal has now exceeded 5000, and it's no longer possible to know exactly how many there are, since “Over 5000” is as high as their counter runs. -L

https://apps.cpuc.ca.gov/apex/f?p=401:65:0::NO:RP,57,RIR:P5_PROCEEDING_SELECT:A2303003


Re: Hackers Breached Key Microsoft Systems (RISKS-34.11)

“Bernie Cosell” <bernie@fantasyfarm.com>
Sat, 16 Mar 2024 18:33:50 -0400

Any hint as to how they compromised the entire corporate email system? I know how they can nail individual email addresses, but how do they leap from that to invading the entire system?

Please report problems with the web pages to the maintainer

x
Top