The RISKS Digest
Volume 34 Issue 3

Saturday, 13th January 2024

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Alaska cockpit recording overwritten; limited to 2hrs
Reuters via Henry Baker
United finds loose bolts on plug doors during 737 Max 9 inspections
The Air Current
Security of Georgia's Dominion Voting Machines on Trial
CBS
Linux devices are under attack by a never-before-seen worm
ArsTechnica
OpenAI Quietly Deletes Ban on Using ChatGPT for Military and Warfare
The Intercept
Pennsylvania government workers will start using ChatGPT in test program
The Verge
AI firms' pledges to defend customers from IP issues have real limits
ArsTechnica
Microsoft's Image Creator makes violent AI images of Biden, the Pope and more
The Washington Post
CLEAR wants to scan your face at airports. Privacy experts are worried.
The Washington Post
Advances in Mind-Decoding Technologies Raise Hopes—and Worries
Undark
More Police Are Using Your Cameras for Video Evidence
The Marshall Project
UK Post Office Horizon scandal now on TV
Jeremy Epstein
How Astronomers Are Saving Astronomy From Satellites—For Now
NYTimes
U.S. School Shooter Emergency Plans Exposed in a Highly Sensitive Database Leak
WiReD
FTC bans major data broker from selling invasive location tracking details
The Verge
U.S. Criminally Charges EBay in Cyberstalking Case
NYTimes
Needham police warn residents to stop using mail collection boxes
The Globe
AI fears creep into finance, business and law
WashPost
Google is removing 17 'underutilized' Assistant features
TechCrunch
Bitcoin ETF ads have already begun.
Lauren Weinstein
Courts Forced SEC Into This Disaster
Better Markets
Taylor Swift deepfake used for Le Creuset giveaway scam
Engadget
Hackers can infect network-connected wrenches to install ransomware
ArsTechnica
Apple was warned of AirDrop flaws before China's hack
Monty Solomon
Re: The NY Subway crash and derailment
George Neville-Neil
Re: How Tracking and Technology in Cars Is Being Weaponized by Abusive Partners
Steve Bacher
Info on RISKS (comp.risks)

Alaska cockpit recording overwritten; limited to 2hrs

Henry Baker <hbaker1@pipeline.com>
Mon, 08 Jan 2024 21:24:55 +0000
As of 2024, a 2-hour limit on voice recordings is disastrously silly.  Even
without compression, 2 hours is only 2 audio CD's worth of data or ~1.4 GB.
I normally fly with my cellphone and 60 GB's worth of podcasts (equivalent
to 1000 *hours* @ 1 MB/min MP3 rates), and I'm only one of several hundred
passengers on any given flight.

Indeed, an Apple iPhone with at least this data capacity *from this very
airplane* fell to the ground from 16,000' and was still working perfectly --
the screen wasn't even cracked!

Perhaps voice recorders (or at least a USB stick/uSD card) should be
*ejected* from the airplanes which have an anomalous event?

https://www.reuters.com/business/aerospace-defense/alaska-737-cockpit-voice-recorder-data-erasure-renews-industry-safety-debate-2024-01-08/

  [Monty Solomon spotted a related article:
    Alaska Airlines flight: Cockpit audio is lost, and a mysterious
    warning light is investigated
https://www.latimes.com/california/story/2024-01-07/alaska-flight-door-plug-cockpit-audio-erased-warning-lights
   PGN]


United finds loose bolts on plug doors during 737 Max 9 inspections (The Air Current)

Lauren Weinstein <lauren@vortex.com>
Mon, 8 Jan 2024 15:13:09 -0800
https://theaircurrent.com/feed/dispatches/united-finds-loose-bolts-on-plug-doors-during-737-max-9-inspections/


Security of Georgia's Dominion Voting Machines on Trial (CBS)

ACM TechNews <technews-editor@acm.org>
Fri, 12 Jan 2024 11:26:34 -0500 (EST)
Jared Eggleston, CBS News, 9 Jan 2024, via ACM TechNews, 12 Jan 2024

A federal trial has begun to determine whether Dominion Voting Systems'
touch-screen voting machines used in the U.S. state of Georgia can be hacked
or manipulated. In Georgia, once voters make their choices, their ballots
are printed with their votes and a QR code; the QR code is ultimately what
is read and cast as the voter's ballot. Several voters and the Coalition for
Good Governance, who launched the suit, want the state to revert to paper
ballots which, they say, will assure voters their ballots are being counted
properly.


Linux devices are under attack by a never-before-seen worm (ArsTechnica)

Monty Solomon <monty@roscom.com>
Wed, 10 Jan 2024 17:54:55 -0500
Based on Mirai malware, self-replicating NoaBot installs cryptomining app on
infected devices.

https://arstechnica.com/security/2024/01/a-previously-unknown-worm-has-been-stealthily-targeting-linux-devices-for-a-year/


OpenAI Quietly Deletes Ban on Using ChatGPT for Military and Warfare (The Intercept)

Monty Solomon <monty@roscom.com>
Fri, 12 Jan 2024 20:03:20 -0500
https://theintercept.com/2024/01/12/open-ai-military-ban-chatgpt/


Pennsylvania government workers will start using ChatGPT in test program (The Verge)

Monty Solomon <monty@roscom.com>
Wed, 10 Jan 2024 09:03:28 -0500
https://www.theverge.com/2024/1/9/24031904/openai-pennsylvania-chatgpt-pilot-program-ai


AI firms' pledges to defend customers from IP issues have real limits (ArsTechnica)

Monty Solomon <monty@roscom.com>
Tue, 9 Jan 2024 00:37:17 -0500
https://arstechnica.com/?p=1994243


Microsoft's Image Creator makes violent AI images of Biden, the Pope and more (The Washington Post)

Gabe Goldberg <gabe@gabegold.com>
Sun, 7 Jan 2024 21:28:14 -0500
The AI Image Creator, part of Microsoft’s Bing and Windows Paint, makes
extremely violent images of Joe Biden, the pope and others. Microsoft’s
failed response points the finger at rogue users.

McDuffie’s precise original prompt no longer works, but after he changed
around a few words, Image Generator still makes images of people with
injuries to their necks and faces. Sometimes the AI responds with the
message *Unsafe content detected*, but not always.

The images it produces are less bloody now -- Microsoft appears to have
cottoned on to the red corn syrup -- but they’re still awful.  [...]

“Fundamentally, I don’t think this is a technology problem; I think it’s a
capitalism problem,” says Hany Farid, a professor at the University of
California at Berkeley. “They’re all looking at this latest wave of AI and
thinking, *We can’t miss the boat here.*”

He adds: “The era of ‘move fast and break things’ was always stupid, and now
more so than ever.”

Profiting from the latest craze while blaming bad people for misusing your
tech is just a way of shirking responsibility.

https://www.washingtonpost.com/technology/2023/12/28/microsoft-ai-bing-image-creator/


CLEAR wants to scan your face at airports. Privacy experts are worried. (The Washington Post)

Gabe Goldberg <gabe@gabegold.com>
Sun, 7 Jan 2024 21:32:01 -0500
The company’s move into facial recognition technology speaks to a broader
exchange of privacy for convenience

https://www.washingtonpost.com/travel/2023/12/20/clear-facial-recognition-technology-airport-security/

TSA self-screening is the next big step for airport security. Checking in
with airport security could soon resemble ordering from a kiosk at a
fast-food restaurant

In January, select passengers at Harry Reid International Airport in Las
Vegas will begin testing a new self-service screening system from the
Transportation Security Administration. The setup will resemble a
supermarket self-checkout, with travelers scanning their identification and
carry-on bags instead of arugula and toilet paper.

https://www.washingtonpost.com/travel/2023/12/18/tsa-self-service-screening-las-vegas/


Advances in Mind-Decoding Technologies Raise Hopes—and Worries (Undark)

Lauren Weinstein <lauren@vortex.com>
Sun, 7 Jan 2024 15:11:23 -0800
https://undark.org/2024/01/03/brain-computer-neurorights/


More Police Are Using Your Cameras for Video Evidence (The Marshall Project)

Monty Solomon <monty@roscom.com>
Sat, 13 Jan 2024 12:15:17 -0500
Police “nerve centers” are blurring the line between public and private
surveillance.

https://www.themarshallproject.org/2024/01/13/police-video-surveillance-california


UK Post Office Horizon scandal now on TV

Jeremy Epstein <jeremy.j.epstein@gmail.com>
Sat, 13 Jan 2024 13:19:42 -0500
I'm sure many UK RISKS subscribers can say more, but a four-part docudrama
this month has brought to light the flawed Horizon accounting software used
by the UK Post Office, which has led to hundreds of people being falsely
accused of theft (and fined and even imprisoned) as a result of software
bugs. The show, called "Mr Bates vs. the Post Office", showed earlier in
January in the UK (not yet available outside the UK, although a VPN + a free
subscription to ITVX will do the trick).

The impact has been quite profound, with the Prime Minister Rishi Sunak
calling for legislation to overturn verdicts, and the former CEO of the Post
Office agreeing to return her CBE.  This is scant comfort to hundreds of
people whose lives were tremendously harmed by the prosecutions, including
at least four people who committed suicide.

The problems with the software are not new to RISKS readers - see for
example a note from Lindsay Marshall in RISKS 31.22 (in 2019), a followup
from Attila the Hun (sic) in RISKS 31.23, substantial details on one of the
cases from Stephen Mason in RISKS 31.51, and an update from David Lesher in
RISKS-32.62.

The problems behind this aren't new, having been recognized almost since
the software was rolled out nearly 25 years ago.

Fujitsu, the maker of the software, is seemingly not being held to account:
https://techcrunch.com/2024/01/10/fujitsu-post-office-scandal-government/

Much more detail in the Wikipedia page:
https://en.wikipedia.org/wiki/British_Post_Office_scandal

The RISKS?  Flawed software isn't new; what's sad is how many have been
harmed, and how long it's taken before real action is (finally) occurring.


How Astronomers Are Saving Astronomy From Satellites—For Now (The New York Times)

Gabe Goldberg <gabe@gabegold.com>
Sat, 13 Jan 2024 16:33:33 -0500
Earth’s orbits are filling with satellites at an astounding pace.  Already
there are more than 9,000 satellites orbiting the planet, and more than
5,000 of them belong to Starlink, the constellation built by SpaceX to beam
Internet service down to Earth. They are to be joined by thousands of
satellites from other companies and countries in the decades ahead.

The more of them there are, the greater the satellites’ interference with
ground astronomy’s ability to answer questions about the cosmos -- and
humanity’s place in it.

https://www.nytimes.com/2024/01/09/science/astronomy-telescopes-satellites-spacex-starlink.html?smid=nytcore-ios-share&referringSource=articleShare


U.S. School Shooter Emergency Plans Exposed in a Highly Sensitive Database Leak (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Fri, 12 Jan 2024 16:58:10 -0500
David Rogers, chief marketing officer at Raptor Technologies, tells WIRED
the company “immediately implemented remediation protocols” to secure the
exposed data once it was contacted and started an investigation into the
issue. “We have communicated with all Raptor customers,” Rogers says. “There
is no indication at this time that any such data was accessed by third
parties beyond the cybersecurity researcher and Raptor Technologies
personnel,” he says, adding there is no reason to believe there has been any
misuse of the information.

“We sincerely regret this issue and any concern or inconvenience it may have
caused,” Rogers says. The company's investigation into the incident is
ongoing, Rogers says, adding that the “safety and wellbeing of children,
staff, and the community members of our customers is the top priority of
Raptor Technologies.”

https://www.wired.com/story/us-school-shooter-emergency-plans-leak


FTC bans major data broker from selling invasive location tracking details (The Verge)

Monty Solomon <monty@roscom.com>
Wed, 10 Jan 2024 17:38:25 -0500
https://www.theverge.com/2024/1/10/24032966/ftc-bans-outlogic-location-data-sales-tracking-settlement


U.S. Criminally Charges EBay in Cyberstalking Case (The New York Times)

Gabe Goldberg <gabe@gabegold.com>
Fri, 12 Jan 2024 15:57:33 -0500
The case involves eBay employees trying to intimidate a Massachusetts couple
who write and produce an e-commerce newsletter. The company will pay a
criminal penalty of $3 million.

“EBay engaged in absolutely horrific, criminal conduct,” said Joshua S.
Levy, the acting U.S. attorney. “The company’s employees and contractors
involved in this campaign put the victims through pure hell, in a petrifying
campaign aimed at silencing their reporting and protecting the eBay brand.”

David and Ina Steiner, writers and publishers of a news site and blog called
EcommerceBytes, live in Natick, Mass.; eBay is based in San Jose,
Calif. During the course of the harassment campaign, eBay security team
members flew to Boston to accelerate their activities against the couple
in-person. When they were caught, they began a cover-up and destroyed
incriminating messages.

The forms of harassment included: threatening direct messages over Twitter,
the social media platform that is now called X; attempts to install a GPS
device on the Steiners’ car; posting ads for fictitious sexual events at the
Steiners’ house; and sending anonymous and scary items like a bloody pig’s
mask to the couple’s home.

A 24-page document detailing the charges that was released on Thursday
broadens the number of eBay executives in the case. In earlier documents,
only two executives were mentioned -- the chief executive and the chief
communications officer. Now there is a third executive, identified as eBay’s
senior vice president for global operations.

“Sometimes, you just need to make an example out of someone,” read a text
that the chief communications officer sent to the senior vice president on
May 31, 2019. “Justice,” the text continued. The chief communications
officer then wrote, referring to Ms. Steiner: “We are too nice. She needs to
be crushed.”

A spokesman for Devin Wenig, who was eBay’s chief executive at the time, had
no comment. The other two former executives could not be reached.

https://www.nytimes.com/2024/01/11/technology/ebay-cyberstalking-charges.html?smid=nytcore-ios-share&referringSource=articleShare


Needham police warn residents to stop using mail collection boxes (The Globe)

Monty Solomon <monty@roscom.com>
Mon, 8 Jan 2024 21:34:01 -0500
https://www.boston.com/news/local-news/2024/01/08/thefts-mail-collection-boxes-needham/

  [Should you trust e-mail instead?  PGN]


AI fears creep into finance, business and law (WashPost)

Monty Solomon <monty@roscom.com>
Sat, 13 Jan 2024 14:06:59 -0500
Silicon Valley figures have long warned about the dangers of artificial
intelligence. Now their anxiety has migrated to other halls of power: the
legal system, global gatherings of business leaders and top Wall Street
regulators.

https://www.washingtonpost.com/technology/2024/01/13/davos-ai-risk-finra/


Google is removing 17 'underutilized' Assistant features (TechCrunch)

Lauren Weinstein <lauren@vortex.com>
Thu, 11 Jan 2024 08:03:20 -0800
Seems that Google is continuing to kill or hobble core services while they
continue their AI binge. This won't end well, for Google or its users, or
society at large, given the political climate that is going to come down on
AI like a ton of bricks. -L

https://techcrunch.com/2024/01/11/google-is-removing-17-underutilized-assistant-features/


Bitcoin ETF ads have already begun.

Lauren Weinstein <lauren@vortex.com>
Fri, 12 Jan 2024 10:42:55 -0800
Millions are going to lose everything.


Courts Forced SEC Into This Disaster (Better Markets)

Lauren Weinstein <lauren@vortex.com>
Wed, 10 Jan 2024 14:07:44 -0800
SEC'S APPROVAL OF A BITCOIN CRYPTO ETF IS AN HISTORIC MISTAKE THAT WILL HARM
INVESTORS, MARKETS, AND FINANCIAL STABILITY

https://bettermarkets.org/newsroom/secs-approval-of-a-bitcoin-crypto-etf-is-an-historic-mistake-that-will-harm-investors-markets-and-financial-stability/


Taylor Swift deepfake used for Le Creuset giveaway scam (Engadget)

Monty Solomon <monty@roscom.com>
Wed, 10 Jan 2024 17:41:35 -0500
https://www.engadget.com/taylor-swift-deepfake-used-for-le-creuset-giveaway-scam-123231417.html


Hackers can infect network-connected wrenches to install ransomware (ArsTechnica)

Monty Solomon <monty@roscom.com>
Wed, 10 Jan 2024 18:01:35 -0500
https://arstechnica.com/?p=1994532


Apple was warned of AirDrop flaws before China's hack

Monty Solomon <monty@roscom.com>
Wed, 10 Jan 2024 18:07:31 -0500
https://appleinsider.com/articles/24/01/10/apple-was-warned-of-airdrop-flaws-before-chinas-hack


Re: The NY Subway crash and derailment (RISKS-34.02)

George Neville-Neil <gnn@msbit.com>
Sun, 07 Jan 2024 11:53:07 +0700
The recent slow moving derailment on the NYC subway is, of course, due to
human error as the subway has little or no automation as we would think of
it.  Trains are prevented from colliding through the use of physical trips
at the sides of the tracks at each block.  Each train car has a matching
lever that, if it is tripped "dumps" the brakes.  Train brakes are fail
safe, meaning when there is no air the brakes are applied.  In this case
both trains were in a complex interlocking of several sets of crossovers
(switches for Americans, points to the British) and it seems that the block
trip that would have thrown the offending train's brakes allowed the nose of
the train into the path of the train crossing in front of it, which seems
like an error in placement, as well as the motorperson (we don't call them
drivers or engineers on the subway) being foolish in inching closer to a red
signal.

For anyone on the list who is interested in the NYC subway system I
recommend the following book, which is updated annually, and is maintained
by one author and a bunch of people who send in what they see in the system:

https://www.nyctrackbook.com

The interlocking in question is shown on page/map 11 labeled "96th-103rd
Closeup".


Re: How Tracking and Technology in Cars Is Being Weaponized by Abusive Partners (RISKS-34:02)

Steve Bacher <sebmb1@verizon.net>
Sun, 7 Jan 2024 10:02:58 -0800
In the NYT article it says:

"She instead found evidence that the husband was using the Mercedes Me app
by obtaining records of his Internet activity."

How she obtained these records is left unstated.  It could be relatively
benign, like the two of them sharing access to a Gmail account.  But if
not, one has to wonder if the ability for the wife to gain access to the
husband's Internet activity is not as disturbing as the husband's access to
the wife's car functions (though less directly harmful).  Apparently it was
in connection with a restraining order and an (implied) search
warrant. Especially since "Mercedes [...] failed to respond to a search
warrant" when requested to do so; what other source did she go to in order
to get this data?
