The RISKS Digest
Volume 34 Issue 18

Friday, 19th April 2024

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Texas Hack May Be First Disruption of U.S. Water System by Russia
WashPost
A chunk of metal that tore through a Florida home definitely came from the ISS
Ars Technica
FAA investigating after Boston-bound JetBlue flight involved in near collision
The Boston Globe
A Paris Olympics' Sure Thing: Cyberattacks
Tariq Panja
PuTTY vulnerability vuln-p521-bias
sgtatham via Victor Miller
Multistate 911 outage shows fragility of systems, experts say
NBC News
Police bust global cyber-gang accused of industrial-scale fraud
BBC
U.S. Air Force confirms first successful AI dogfight
The Verge
Feds expand investigation into Honda's automatic emergency braking system
ArsTechnica
LastPass users targeted in phishing attacks good enough to trick even the savvy
ArsTechnica
Wrong button clicked, wrong divorce cannot be undone
The Guardian
Big Tech can’t hoard brainwave data for ad targeting, Colorado law says
ArsTechnica
Cops can force suspect to unlock phone with thumbprint, U.S. court rules
ArsTechnica
Alleged cryptojacking scheme consumed $3.5M of stolen computing to make just $1M
ArsTechnica
Tech Friend: Fire at 35,000 feet
WashPost
Are Flying Cars Finally Here?
Gideon Lewis-Kraus
Rust Flaw Enables Windows Command Injection Attacks
Sergiu Gatlan
AI Made These Movies Sharper. Critics Say It Ruined Them.
NYTimes
Will AI transform baseball forever?
The Washington Post
Senate advances vote on reauthorizing warrantless surveillance program
The Verge
Crypto trader Avi Eisenberg convicted of fraud in $110M trade scheme
Axios
At Kernel, your veggie burger will be served by a robot
The Verge
Author granted copyright over book with AI-generated text—with a twist
Ars Technica
Re: AI on Wall Street
Henry Baker
Re: AI chatbots spread falsehoods about the EU elections, report finds
Amos Shapir
Re: Palo Alto Zero Exploit
Steve Bacher, Cliff Kilby
Info on RISKS (comp.risks)

Texas Hack May Be First Disruption of U.S. Water System by Russia (WashPost)

ACM TechNews <technews-editor@acm.org>
Fri, 19 Apr 2024 11:25:28 -0400 (EDT)
Ellen Nakashima and Aaron Schaffer, *The Washington Post*, 17 Apr
2024, via ACM TechNews

A water tower serving the town of Muleshoe, TX, overflowed after the system
controlling it was hacked, releasing tens of thousands of gallons of
water. The hackers, who called themselves the Cyber Army of Russia Reborn
(CARR), posted a video online of the town's water-control system and that of
a nearby town being manipulated, showing how they reset the controls. CARR
is believed to be a front for Russia's military spy agency.


A chunk of metal that tore through a Florida home definitely came from the ISS (Ars Technica)

Gabe Goldberg <gabe@gabegold.com>
Fri, 19 Apr 2024 14:39:13 -0400
But a series of delays meant the final cargo pallet of old batteries missed
its ride back to Earth, so NASA jettisoned the batteries from the space
station in 2021 to head for an unguided reentry. Ars published details of
the circumstances that led to this in a previous story.

This isn't the way NASA prefers to get rid of space debris, but managers
decided they couldn't keep the pallet at the space station, where it took up
a storage location needed for other purposes. NASA expected the roughly
5,800-pound (2.6-metric ton) battery pallet to fully burn up during reentry.

https://arstechnica.com/space/2024/04/florida-man-tells-ars-about-his-encounter-with-something-that-fell-from-space/


FAA investigating after Boston-bound JetBlue flight involved in near collision (The Boston Globe)

Monty Solomon <monty@roscom.com>
Fri, 19 Apr 2024 09:12:02 -0400
The JetBlue flight was aborted at take-off after another plane was cleared
to cross the runway at the same time.

https://www.boston.com/news/transportation/2024/04/18/faa-investigating-after-boston-bound-jetblue-flight-involved-in-near-collision/


A Paris Olympics' Sure Thing: Cyberattacks (Tariq Panja)

ACM TechNews <technews-editor@acm.org>
Fri, 19 Apr 2024 11:25:28 -0400 (EDT)
Tariq Panja, The New York Times, 17 Apr 2024, via ACM TechNews

Cybersecurity experts with the organizing committee of the Summer Olympic
Games in Paris are preparing for cyberattacks. There were 450 million
attempted "security events" at the Tokyo Summer Games in 2021, a number
expected to surge by eight to 12 times for the Paris Summer Games. The Paris
organizers joined with the International Olympic Committee and official
technology partner Atos to conduct "war games," offering "bug bounties" to
ethical hackers who identify vulnerabilities in the Games' systems.


PuTTY vulnerability vuln-p521-bias (sgtatham)

Victor Miller <victorsmiller@gmail.com>
Tue, 16 Apr 2024 17:33:20 PDT
https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html

summary: NIST P521 private keys are exposed by biased signature generation
class: vulnerability: This is a security vulnerability.
priority: high: This should be fixed in the next release.
absent-in: 0.67
present-in: 0.68 0.69 0.70 0.71 0.72 0.73 0.74 0.75 0.76 0.77 0.78 0.79 0.80
fixed-in: c193fe9848f50a88a4089aac647fecc31ae96d27 (0.81)

Every version of the PuTTY tools from 0.68 to 0.80 inclusive has a critical
vulnerability in the code that generates signatures from ECDSA private keys
which use the NIST P521 curve. (PuTTY, or Pageant, generates a signature
from a key when using it to authenticate you to an SSH server.)

This vulnerability has been assigned CVE-2024-31497. It was discovered by
Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum; see their
write-up on the oss-security mailing list.

The bad news: the effect of the vulnerability is to compromise the private
key. An attacker in possession of a few dozen signed messages and the public
key has enough information to recover the private key, and then forge
signatures as if they were from you, allowing them to (for instance) log in
to any servers you use that key for. To obtain these signatures, an attacker
need only briefly compromise any server you use the key to authenticate to,
or momentarily gain access to a copy of Pageant holding the key. (However,
these signatures are not exposed to passive eavesdroppers of SSH
connections.)

Therefore, if you have a key of this type, we recommend you revoke it
immediately: remove the old public key from all OpenSSH authorized_keys
files, and the equivalent in other SSH servers, so that a signature from the
compromised key has no value any more. Then generate a new key pair to
replace it.

(The problem is not with how the key was originally generated; it doesn't
matter whether it came from PuTTYgen or somewhere else. What matters is
whether it was ever used with PuTTY or Pageant.)

The good news: the only affected key type is 521-bit ECDSA. That is, a key
that appears in Windows PuTTYgen with ecdsa-sha2-nistp521 at the start of
the 'Key fingerprint' box, or is described as 'NIST p521' when loaded into
Windows Pageant, or has an id starting ecdsa-sha2-nistp521 in the SSH
protocol or the key file. Other sizes of ECDSA, and other key algorithms,
are unaffected. In particular, Ed25519 is not affected.

Details of the error: [...]
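
As an added example (not PuTTY's or the advisory's own code), a Python scan of an OpenSSH authorized_keys file that flags the one affected key type for the revocation the advisory recommends; it reads the key type out of the decoded public-key blob instead of trusting the text label alone. The sample file, its fake key blobs and the user names in it are constructed for the example.

```python
# Added example (not PuTTY's or the advisory's code): scan OpenSSH authorized_keys
# text for the key type the advisory says to revoke, reading the type from the blob.
import base64
import shlex
import struct

AFFECTED_TYPE = "ecdsa-sha2-nistp521"  # the only key type the advisory names

def ssh_string(data: bytes) -> bytes:
    """Encode bytes as one SSH wire-format string (uint32 BE length + body)."""
    return struct.pack(">I", len(data)) + data

def read_ssh_string(buf: bytes, offset: int):
    """Decode the SSH string at offset; return (body, offset after it)."""
    if offset + 4 > len(buf):
        raise ValueError("truncated length field")
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    end = offset + 4 + length
    if end > len(buf):
        raise ValueError("truncated string body")
    return buf[offset + 4:end], end

def decode_key_blob(blob: bytes) -> dict:
    """First string is the key type; ecdsa-sha2-* blobs then carry the curve name."""
    type_bytes, off = read_ssh_string(blob, 0)
    key_type, curve = type_bytes.decode("ascii"), None
    if key_type.startswith("ecdsa-sha2-"):
        curve = read_ssh_string(blob, off)[0].decode("ascii")
        if key_type != "ecdsa-sha2-" + curve:  # label and blob must agree
            raise ValueError(f"type {key_type} disagrees with curve {curve}")
    return {"type": key_type, "curve": curve}

def parse_authorized_keys_line(line: str):
    """Parse '[options] key-type base64-blob [comment]'; None for blank/comment
    lines.  The key is the first field whose successor decodes to a blob naming
    that same type, so a leading options field (quoted spaces and all) is
    skipped without having to enumerate option names."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = shlex.split(stripped)
    for i in range(len(fields) - 1):
        try:  # binascii.Error and UnicodeDecodeError are ValueError subclasses
            info = decode_key_blob(base64.b64decode(fields[i + 1], validate=True))
        except ValueError:
            continue
        if info["type"] == fields[i]:
            info["options"], info["comment"] = " ".join(fields[:i]), " ".join(fields[i + 2:])
            return info
    raise ValueError(f"no valid public key in line {stripped[:30]!r}")

def find_affected_keys(text: str):
    """Return (affected, malformed): [(line_no, comment)] for AFFECTED_TYPE keys
    and [(line_no, reason)] for lines that could not be parsed."""
    affected, malformed = [], []
    for n, line in enumerate(text.splitlines(), 1):
        try:
            info = parse_authorized_keys_line(line)
        except ValueError as exc:
            malformed.append((n, str(exc)))
            continue
        if info and info["type"] == AFFECTED_TYPE:
            affected.append((n, info["comment"]))
    return affected, malformed

def make_fake_blob(key_type: str, *parts: bytes) -> str:
    """Base64 blob from constructed parts, for the sample below (NOT a real key)."""
    raw = ssh_string(key_type.encode()) + b"".join(ssh_string(p) for p in parts)
    return base64.b64encode(raw).decode("ascii")

# Constructed sample file: point bytes are dummies, not real public keys.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# deploy keys (constructed sample)",
    "ssh-ed25519 " + make_fake_blob("ssh-ed25519", b"\x01" * 32) + " alice@laptop",
    "ecdsa-sha2-nistp256 " + make_fake_blob("ecdsa-sha2-nistp256", b"nistp256", b"\x04" + b"\x02" * 64) + " bob@desk",
    'command="/usr/local/bin/backup --quiet",no-pty ecdsa-sha2-nistp521 '
    + make_fake_blob("ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x03" * 132) + " backup@nas",
    "ecdsa-sha2-nistp521 " + make_fake_blob("ecdsa-sha2-nistp521", b"nistp521", b"\x04" + b"\x05" * 132) + " carol@putty-win",
    "ssh-rsa not-base64!! broken@line",
])

if __name__ == "__main__":
    for n, comment in find_affected_keys(SAMPLE_AUTHORIZED_KEYS)[0]:
        print(f"line {n}: {AFFECTED_TYPE} key '{comment}': revoke and replace")
```

Lines that fail to parse are reported rather than skipped, so a scan cannot silently miss a key hidden behind a malformed or unusually formatted entry.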


Multistate 911 outage shows fragility of systems, experts say (NBC News)

Steve Bacher <sebmb1@verizon.net>
Fri, 19 Apr 2024 06:51:15 -0700

<https://www.nbcnews.com/news/us-news/major-911-outages-4-states-leave-millions-way-contact-local-authoritie-rcna148345>
A major 911 outage Wednesday showed the urgent need for increased
modernization and regulation of the emergency system, experts in
telecommunications and public safety told NBC News.

On Thursday, Lumen Technologies, a telecommunications company based in
Louisiana, said in a statement that "some customers in Nevada, South Dakota,
and Nebraska experienced an outage due to a third-party company installing a
light pole—unrelated to our services."

The outage left millions in multiple states without emergency access to
authorities for about 2½ hours.  [...]

Key paragraphs at the end:

The current system is “missing resilient backups” that could prevent outages
on several levels, Simpson said, like having more cables for path diversity
and multiple telecommunications carriers, updated equipment and multiple
routers.

“Engineers will tell you you don’t assume everything is going to be fine,”
Feld said. “When you build a system like this, you assume things are going
to go wrong, and you build it in a way so that things can go wrong without
taking down the whole system.”

https://www.nbcnews.com/tech/tech-news/multistate-911-outage-shows-fragility-systems-experts-say-rcna148475


Police bust global cyber-gang accused of industrial-scale fraud (BBC)

Matthew Kruk <mkrukg@gmail.com>
Thu, 18 Apr 2024 07:27:11 -0600
https://www.bbc.com/news/uk-68838977

Police have taken down a gang accused of using a technology service that
helped criminals use fraudulent text messages to steal from victims.

They have arrested 37 people worldwide and are contacting victims.

Officers say younger people who grew up with the internet were the most
likely to fall for the "phishing" scam.

The technology allowed scammers without technical skills to bombard victims
with messages designed to trick them into making payments online.

Police targeted the gang's site, LabHost, which helped criminals send the
messages and direct victims to fake websites appearing to be legitimate
online payment or shopping services.

It had enabled the criminals to steal identity information, including
480,000 card numbers and 64,000 Pin codes, known in criminal slang as
"fullz data", the police said.


U.S. Air Force confirms first successful AI dogfight (The Verge)

Monty Solomon <monty@roscom.com>
Thu, 18 Apr 2024 18:11:22 -0400
The U.S. Air Force is putting AI in the pilot’s seat. In an update on
Thursday, the Defense Advanced Research Projects Agency (DARPA) revealed
that an AI-controlled jet successfully faced a human pilot during an in-air
dogfight test carried out last year.

DARPA began experimenting with AI applications in December 2022 as part of
its Air Combat Evolution (ACE) program. It worked to develop an AI system
capable of autonomously flying a fighter jet, while also adhering to the Air
Force’s safety protocols.  [...]

https://www.theverge.com/2024/4/18/24133870/us-air-force-ai-dogfight-test-x-62a


Feds expand investigation into Honda's automatic emergency braking system (ArsTechnica)

Monty Solomon <monty@roscom.com>
Thu, 18 Apr 2024 18:52:34 -0400
https://arstechnica.com/?p=2017732


LastPass users targeted in phishing attacks good enough to trick even the savvy (ArsTechnica)

Monty Solomon <monty@roscom.com>
Thu, 18 Apr 2024 18:45:07 -0400
Password-manager LastPass users were recently targeted by a convincing
phishing campaign that used a combination of email, SMS, and voice calls to
trick targets into divulging their master passwords, company officials said.

The attackers used an advanced phishing-as-a-service kit discovered in
February by researchers from mobile security firm Lookout. Dubbed
CryptoChameleon for its focus on cryptocurrency accounts, the kit provides
all the resources needed to trick even relatively savvy people into
believing the communications are legitimate. Elements include high-quality
URLs, a counterfeit single sign-on page for the service the target is using,
and everything needed to make voice calls or send emails or texts in real
time as targets are visiting a fake site. The end-to-end service can also
bypass multi-factor authentication in the event a target is using the
protection.  [...]

https://arstechnica.com/?p=2018339


Wrong button clicked, wrong divorce cannot be undone (The Guardian)

"Wendy M. Grossman" <wendyg@pelicancrossing.net>
Mon, 15 Apr 2024 14:58:17 +0100
A London solicitor clicked the wrong button and applied for a final divorce
order for the wrong couple. The court says the final order cannot be
overturned.

https://www.theguardian.com/lifeandstyle/2024/apr/15/wrong-couple-divorced-solicitor-clicks-wrong-button


Big Tech can’t hoard brainwave data for ad targeting, Colorado law says (ArsTechnica)

Monty Solomon <monty@roscom.com>
Thu, 18 Apr 2024 18:48:12 -0400
On Wednesday, Colorado expanded the scope of its privacy law initially
designed to protect biometric data like fingerprints or face images to
become first in the nation to also shield sensitive neural data.

That could stop companies from hoarding brain activity data without
residents realizing the risks. The New York Times reported that neural data
is increasingly being collected and sold nationwide. And after a market
analysis showed that investments in neurotechnology leapt by 60 percent
globally from 2019 to 2020—and were valued at $30 billion in 2021—Big Tech
companies have significantly intensified plans to develop their own products
to rake in potentially billions.  [...]

https://arstechnica.com/?p=2018276


Cops can force suspect to unlock phone with thumbprint, U.S. court rules (ArsTechnica)

Monty Solomon <monty@roscom.com>
Thu, 18 Apr 2024 18:42:27 -0400
The U.S. Constitution's Fifth Amendment protection against
self-incrimination does not prohibit police officers from forcing a suspect
to unlock a phone with a thumbprint scan, a federal appeals court ruled
yesterday. The ruling does not apply to all cases in which biometrics are
used to unlock an electronic device but is a significant decision in an
unsettled area of the law.

The U.S. Court of Appeals for the 9th Circuit had to grapple with the
question of "whether the compelled use of Payne's thumb to unlock his phone
was testimonial," the ruling in United States v. Jeremy Travis Payne
said. "To date, neither the Supreme Court nor any of our sister circuits
have addressed whether the compelled use of a biometric to unlock an
electronic device is testimonial."

A three-judge panel at the 9th Circuit ruled unanimously against Payne,
affirming a US District Court's denial of Payne's motion to suppress
evidence. Payne was a California parolee who was arrested by California
Highway Patrol (CHP) after a 2021 traffic stop and charged with possession
with intent to distribute fentanyl, fluorofentanyl, and cocaine.  [...]

https://arstechnica.com/tech-policy/2024/04/cops-can-force-suspect-to-unlock-phone-with-thumbprint-us-court-rules/


Alleged cryptojacking scheme consumed $3.5M of stolen computing to make just $1M (ArsTechnica)

Monty Solomon <monty@roscom.com>
Tue, 16 Apr 2024 21:42:37 -0400
https://arstechnica.com/?p=2017285


Tech Friend: Fire at 35,000 feet

Gabe Goldberg <gabe@gabegold.com>
Fri, 19 Apr 2024 15:40:25 -0400
When we fly, there’s a small risk that a battery powering our phones or
laptops could start a dangerous fire on board.

But the most common source of battery-related fires in airplane travel is
surprising: vape pens.

A safety organization that tracks airline battery incidents grew so
concerned that it recently flagged the vaping fire trend to the Food and
Drug Administration, which oversees electronic smoking devices.

On average in the United States, there are more than two reports each week
of battery-related fires, smoke or similar incidents on planes or at
airports, according to voluntary reporting by passenger and cargo lines.

How to reduce the risk of in-flight battery fires

Don’t pack e-cigarettes or other battery-powered devices in your checked
luggage. Airlines tell you this, but people may not know the rules or forget
that they packed a vape pen or portable battery in a suitcase that gets
gate-checked.

The risk is that no one will see a fire that starts in the baggage hold
before it grows out of control.

Don’t charge vape pens on board the plane. It’s not allowed. Take that rule
seriously. There’s typically a higher fire risk when a battery is charging.

Last year, a Spirit Airlines flight to Orlando made an emergency landing
because of a fire from a vape pen that was charging in an overhead bin.

A reminder: You’re not allowed to smoke on planes. That includes
e-cigarettes.

Tell a flight attendant or other personnel immediately if you see smoke or
fire. Airline crews have special training and fire containment bags for
battery-powered gadgets.

https://s2.washingtonpost.com/camp-rw/?trackId=596b22969bbc0f403f8bcc25&s=66229c2c847347087352364b&linknum=2&linktot=37


Are Flying Cars Finally Here? (Gideon Lewis-Kraus)

Steve Bacher <sebmb1@verizon.net>
Tue, 16 Apr 2024 14:22:53 -0700
Long article in *The New Yorker*, 22-29 Apr 2024

They have long been a symbol of a future that never came. Now a variety of
companies are building them—or something close.

By 2030, customers could have access to self-driving, electric air taxis
that travel between neighborhood “vertiports.” One company promises a
seven-minute trip from Manhattan to the airport for the price of a
rideshare.

Gideon Lewis-Kraus writes about the BlackFly, a flying vehicle developed by
Pivotal, and companies developing other eVTOL aircraft, including Wisk and
Beta.


Rust Flaw Enables Windows Command Injection Attacks (Sergiu Gatlan)

ACM TechNews <technews-editor@acm.org>
Mon, 15 Apr 2024 11:08:08 -0400 (EDT)
Sergiu Gatlan, *BleepingComputer*, 9 Apr 2024

A security flaw in the Rust standard library could be used by hackers
to launch command injection attacks targeting Windows systems. The
vulnerability stems from OS command and argument injection weaknesses.
The Rust Security Response Working Group said it was notified that the
Rust standard library did not properly escape arguments when invoking
batch files on Windows using the Command API. Flatt Security engineer
RyotaK, who discovered the vulnerability, said it also impacts other
major programming languages.


AI Made These Movies Sharper. Critics Say It Ruined Them. (NYTimes)

Monty Solomon <monty@roscom.com>
Sun, 14 Apr 2024 19:37:50 -0400
Machine-learning technologies are being used in film restoration for new
home video releases. But some viewers strongly dislike the results.

https://www.nytimes.com/2024/04/13/movies/ai-blu-ray-true-lies.html


Will AI transform baseball forever? (The Washington Post)

Gabe Goldberg <gabe@gabegold.com>
Thu, 18 Apr 2024 17:14:38 -0400
Boddy immediately bought an Edgertronic on eBay. He also had a crucial
insight about how to use it. Camera data could help players experiment with
new pitch grips and refine their swings, and the avalanche of statistical
data could confirm the outcomes. But to revolutionize player performance—to
get athletes to really understand what they needed to do—the two had to
converge in simple and elegant software. And the means of that convergence
was artificial intelligence.

I’ve spoken to a lot of people about AI, and there’s an awkward point in
almost every conversation where we both admit we don’t know exactly what AI
is. In fairness, it can be a lot of things. There’s no fixed definition. But
people are pretty assertive about the money they expect to make from it, and
I’m an AI columnist, so it’d be nice not to have to talk about the benefits
of this technology in the vague way people talk about, I dunno, Herbalife?

All of which is to say, Boddy has the most practical definition of AI I’ve
heard. “It’s the best translator ever,” he says. “In the literal sense, we
communicate with our athletes in Japanese and Korean and Spanish with a
ChatGPT plug-in that translates baseball slang flawlessly in real time.”

https://www.washingtonpost.com/opinions/2024/04/10/op-moneyballai/

“It’s the best translator ever,” he says.

What could go wrong?


Senate advances vote on reauthorizing warrantless surveillance program (The Verge)

Monty Solomon <monty@roscom.com>
Thu, 18 Apr 2024 18:14:42 -0400
https://www.theverge.com/2024/4/18/24134196/senate-cloture-vote-fisa-section-702-surveillance

  [Senator, be careful what you ask for.  We've been around this issue
  in all of the previous crypto wars.  The slippery slope is immense.  PGN]


Crypto trader Avi Eisenberg convicted of fraud in $110M trade scheme (Axios)

Monty Solomon <monty@roscom.com>
Thu, 18 Apr 2024 17:54:58 -0400
https://www.axios.com/2024/04/18/avi-eisenberg-convicted-crypto-defi-mango-markets


At Kernel, your veggie burger will be served by a robot (The Verge)

Monty Solomon <monty@roscom.com>
Thu, 18 Apr 2024 18:17:52 -0400
Its robotic arm heats vegan burgers and crispy potatoes while relegating
humans to assembly line jobs.

In many ways, Kernel resembles other restaurants catering to office workers.
It [is] a vegan fast-casual joint sitting in an unassuming block of Manhattan,
nestled between outposts of Paris Baguette and Just Salad. It has sandwiches.
It has sides. It has a smartphone app. It has scheduled pickups. It has a
robotic arm.

Kernel, the brainchild of Chipotle co-founder Steve Ells, has been called a
possible reinvention of lunch. The menu was designed by former Eleven
Madison Park chef and Kernel chief culinary officer Andrew Black. Unlike
other restaurants serving Manhattan’s office workers, Kernel only has three
human employees on-site at all times, which Black tells The Verge is the
point.

https://www.theverge.com/2024/4/18/24130997/kernel-ai-robot-vegan-burgers-potatoes

  [Somewhat gibberished item PGN-ed.]


Author granted copyright over book with AI-generated text—with a twist (Ars Technica)

Monty Solomon <monty@roscom.com>
Thu, 18 Apr 2024 18:38:07 -0400
https://arstechnica.com/?p=201815


Re: AI on Wall Street (NYTimes, RISKS-34.17)

Henry Baker <hbaker1@pipeline.com>
Mon, 15 Apr 2024 21:23:35 +0000
Having known Wall Street analysts, I would imagine that their jobs are
threatened not just by AI, but also by 'high frequency trading'. The
combination of AI/HFT will completely revolutionize Wall Street, because an
AI/HFT 'analyst' can respond within micro- or milli-seconds, rather than
within days.

You may recall that AlphaGo revolutionized the game of Go, by playing with
itself thousands upon thousands of games, enabling the creation of new
strategies never before known to human Go players.

Similarly, an AI/HFT (legal) 'person' could learn about trading patterns,
first as a completely passive study of past trading activity, followed by a
gentle introduction to active trading in small volumes, completely hedged by
the SPX/QQQ indices, followed by an acceleration of volume into large scale
activities.

With risk minimized by constant hedging, such an AI/HFT bot could eventually
figure out non- (in-?) human strategies that might make very little on each
transaction, but could coordinate the transactions over a large number of
stocks/bonds/commodities and world-wide exchanges in every time zone to
beat most—if not all—human traders.

At some point, the 'coupon clip machine' would no longer have any need for
outside investors, but would have accumulated enough capital to trade only
for its own account. If it were part of a non-profit, e.g., a university
endowment fund (Harvard??), then it wouldn't even have to worry about taxes.

Bostrom's 'paper clip machine' would then be outclassed by this 'coupon clip
machine', which cared nothing about humans but only about 'shareholders'
such as itself.

I suspect that such coupon clip machine(s) are already in training
(Simons??), and may already be making outsized profits—at least enough to
pay a larger premium for whatever nVidia boxes they need than anyone else
can afford to pay.


Re: AI chatbots spread falsehoods about the EU elections, report finds (RISKS-34.17)

Amos Shapir <amos083@gmail.com>
Wed, 17 Apr 2024 09:50:51 +0300
For an application whose main job is gathering and presenting information,
results which are factually false should be considered a serious bug.  Don't
these companies have QA departments?  Such applications are obviously not
yet ready for public distribution, and should be recalled.

The solution suggested by Google's spokesperson—to use Google Search to
verify results—is not feasible where large amounts of data are presented;
users cannot be expected to sift through all of it to check which results
are false.  Maybe we need another AI application for that...


Re: Palo Alto Zero Exploit (Kilby, RISKS-34.17)

Steve Bacher <sebmb1@verizon.net>
Mon, 15 Apr 2024 11:19:40 -0700
"Perhaps avoid the use of dynamic scripting languages in what should be a
secure context? Or, why does my firewall have python?"

Perhaps, but does that mean the choice for developers comes down to this:
have your programmers code in a compiled language that makes code
susceptible to buffer-overflow and use-after-free style bugs, or code in a
scripting language whose behavior is dependent on the resident interpreter
libraries?

Is there a happy medium?

  [No, most mediums today are likely to be very unhappy because they tend to
  be more trustworthy than AI, even if professionally as a group they tend
  to be less trusted by the general public!  PGN]


Re: Palo Alto Zero Exploit (Bacher, RISKS-34.18)

Cliff Kilby <cliffjkilby@gmail.com>
Mon, 15 Apr 2024 14:45:50 -0400
I'm not against scriptable languages; I've written in a few and they are
extremely useful for last-mile extensibility.

My complaint is more along the lines of why is it a full interpreter, and
not restricted like the F5 or A10 Tcl interpreter, or even the pfSense PHP
interpreter (to a lesser extent). AWS already very publicly learned the
lesson about interpreter escapes in Python with its RDS Python adoption.
You can use-after-free, or buffer-overflow, or off-by-one in any language. The
features that prevent it in dynamic languages are as good as the
interpreter. The features that prevent it in compiled languages are as good
as the libraries.

When crashing isn't an option, behavior becomes undefined.
