The RISKS Digest
Volume 34 Issue 4

Saturday, 20th January 2024

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator


Contents

Your pacemaker and open-source software
The Register
ChatGPT can answer yes or no at the same time
Paul Robinson
From corny jokes to job applications, ChatGPT's new store is selling specialized AI software
CBC
AI’s big test: Making sense of $4 trillion in medical expenses
Politico
AI-powered disinformation is spreading; is Canada ready for the political impact?
CBC
Your washing machine could be sending 3.7 GB of data a day
Tomshardware
Even after a recall, Tesla's Autopilot does dumb dangerous things
WashPost
Tesla Drivers in Chicago Confront a Harsh Foe: Cold Weather (The New York Times)
NYTimes
Imaging privacy threats from an ambient light sensor
Science
Microsoft says its corporate network hacked by a Russian state-sponsored group on Jan 12
Lauren Weinstein
EFI IPv6/PXE Security Flaw
ArsTechnica
AT&T is trying to kill all landlines in California, which would have devastating effects
Lauren Weinstein
Washington takes aim at facial recognition
Politico
Your Medical Data Is Code Blue
WiReD
Google layoffs continue with 'hundreds' from sales team
The Verge
About my criticisms of Google ...
Lauren Weinstein
Re: Hackers can infect network-connected wrenches to install ransomware
Jonathan Levine
Re: UK Post Office Accounting Systems Errors Lead to Convictions and Worse
Bob Gezelter
Re: Alaska cockpit recording overwritten; limited to 2hrs
Lars-Henrik Eriksson
Re: Linux devices are under attack by a never-before-seen worm
Steve Bacher
Re: CLEAR wants to scan your face at airports. Privacy experts are worried.
John Levine
Info on RISKS (comp.risks)

Your pacemaker and open-source software (The Register)

Gabe Goldberg <gabe@gabegold.com>
Tue, 16 Jan 2024 06:55:03 -0500
Using embedded medical technology, such as a pacemaker, defibrillator, or
insulin pump? What's running inside is a complete mystery

She was forced to make a life-or-death decision that would have been much
easier were it not for proprietary software being the only option for heart
devices. Sandler ended up going, and all went well. It easily could have
gone terribly wrong.

You see, Sandler has a heart condition, Hypertrophic Cardiomyopathy
(HCM). It's a condition that generally has no discernible symptoms unless it
kills you. A serious thing.

This time, however, she had a symptom, an irregular heartbeat, that was
getting worse. Clearly, the first thing to do was pull the data from the
device so that her cardiologist would have more data for the treatment.

One of the reasons why people get these devices is so they and their doctor
can track their condition. So it was easy right? Wrong.

Remember, this runs proprietary software. It turned out that no one but a
company representative could pull data from it. And, no one -- and I mean no
one -- was available who could get the information.

https://www.theregister.com/2024/01/12/column/


ChatGPT can answer yes or no at the same time.

Paul Robinson <rfc1394@yahoo.com>
Sun, 14 Jan 2024 10:28:54 +0000 (UTC)
It is very important for people to be aware that ChatGPT is, in effect, a
power tool. And as one would not start up a rotary saw and allow it to cut
through the floor, the drywall, and the floor of the apartment next door,
one must be very careful to take caution when using it. In a question I
asked, it said, in two sentences back-to-back, that a fictional character
both did not and did do something.  The following is verbatim from the log,
the first line being my question and the following paragraph is ChatGPT's
response: What song did the HAL 9000 sing in the movie "2001 a space
odyssey?"

HAL 9000 did not sing a song in the movie "2001: A Space Odyssey." However,
HAL 9000 is known for singing the song "Daisy Bell (Bicycle Built for Two)"
in the movie "2001: A Space Odyssey." The singing occurs during a dramatic
scene where HAL is being deactivated by astronaut Dave Bowman.

This simple example of saying both a wrong answer and the contradictory
right answer in two sentences is an obvious reason why Artificial
Intelligence systems can be useful; they can produce wrong answers.

Remember, Artificial Intelligence can only augment real intelligence, not
replace it.


From corny jokes to job applications, ChatGPT's new store is selling specialized AI software (CBC)

Matthew Kruk <mkrukg@gmail.com>
Sun, 14 Jan 2024 14:24:40 -0700
https://www.cbc.ca/news/business/chatgpt-app-store-launches-1.7083183

Prominent artificial intelligence company OpenAI has launched a new way for
developers to sell and distribute their own custom versions of AI software
through an online store, with industry participants and watchdogs saying it
could change how businesses and consumers use the technology.

The GPT Store will include personalized artificial intelligence
applications, and will let users discover and build versions tailored to
specific topics or needs.

The store will offer custom versions of ChatGPT, created by developers who
pay a subscription fee to OpenAI.


AI’s big test: Making sense of $4 trillion in medical expenses (Politico)

Steve Bacher <sebmb1@verizon.net>
Sun, 31 Dec 2023 07:58:00 -0800
Hospitals and insurers are racing to find new artificial intelligence tools
to give them an edge in billing and processing their part of the $4 trillion
in medical expenses Americans accrue each year.

As one of the largest parts of the U.S. economy undergoes perhaps its
biggest transition in decades, billions of dollars are at stake -- not only
for health care providers and insurers, but also for the government, which
handles millions of Medicare and Medicaid claims every year.

For providers, the dream is an AI tool that can quickly and aggressively
code procedures and file claims. Insurers -- and the government agencies that
pay for health care -- want comparable technology to scrub those bills.
[...]

But Congress has barely begun to grapple with how AI could affect these
issues. And the administration is just beginning to work out its approach to
regulating the technology -- even as the ground is shifting for hospitals,
doctors and insurers vying for a tech edge.  [...]

https://www.politico.com/news/2023/12/31/ai-medical-expenses-00132557


AI-powered disinformation is spreading; is Canada ready for the political impact?

Matthew Kruk <mkrukg@gmail.com>
Thu, 18 Jan 2024 06:39:34 -0700
https://www.cbc.ca/news/politics/ai-deepfake-election-canada-1.7084398


Your washing machine could be sending 3.7 GB of data a day (Tomshardware)

Tom Van Vleck <thvv@multicians.org>
Sun, 14 Jan 2024 06:06:36 -0800
https://www.tomshardware.com/networking/your-washing-machine-could-be-sending-37-gb-of-data-a-day

  [Steve Bacher noted:

  An LG washing machine owner and self-confessed fintech geek has asked the
  Twitterverse why his smart home appliance ate an average of 3.66GB of data
  daily. Concerned about the washer's Internet addiction, Johnie forced the
  device to go cold turkey and blocked it using his router UI. Had the LG
  washer been hacked, hijacked, or otherwise tampered with over the net --
  or is this the average data consumption for a modern smart appliance?

    [... instead of breaching your breeches?
    Oddly, we have had relatively few items lately in RISKS relating to the
    risks of the Internet of things (and certainly not underthings).  PGN]


Even after a recall, Tesla's Autopilot does dumb dangerous things (The Washington Post)

Gabe Goldberg <gabe@gabegold.com>
Mon, 15 Jan 2024 19:47:07 -0500
On the streets of San Francisco, the updated version of Tesla’s
driver-assistance software still took the wheel in places it wasn't designed
to handle, including blowing through stop signs.

Author: Last weekend, my Tesla Model Y received an over-the-air update to
make its driver-assistance software safer. In my first test drive of the
updated Tesla, it blew through two stop signs without even slowing down.
[...]

The process of simply getting the recall was itself a red flag for a lack of
urgency about this fix. Unlike on a phone, where you can go to settings to
look for updates, my car had no button to look for or prompt a download.
Tesla’s user manual advised updates would download automatically if I had
strong WiFi, so I moved my router outdoors near my parked car. When the
recall finally arrived -- a week and a half later -- it contained a number of
other unrelated features as well as a patch on top of its original release.
[...]

Nothing changed after the recall about what seems to me to be the most
critical issue: the places in which Autosteer will activate. I was able to
use it well beyond highways, including city streets with stop signs, stop
lights and significant curves. Autosteer flew into speed bumps at full
speed, causing a raucous ride.

This is bad software design. Teslas already contain mapping systems that
know which street you’re on. Tesla's surround-view cameras can identify stop
signs and cross traffic. Why doesn't Autopilot's software pay attention to
that data and allow Autosteer to activate only on roads it was designed for?
The only factor I experienced that seemed to cause it to not operate (and
flash a *temporarily unavailable* message) was if streets lacked clear paint
lines.  [...]

Tesla’s superfans may argue they don’t want their car (or the government)
telling them where they can use certain functions. But only Tesla is truly
able to judge the conditions where its Autosteer software is safe -- that
information is opaque to drivers, and clearly people keep misjudging it. I
believe cars will get safer with self-driving and driver-assistance
software, but need to tap into all available data to do so.

“NHTSA must set their sights beyond this recall and limit Tesla’s Autosteer
feature to the limited-access highways for which it was designed,” said
Sen. Edward J. Markey (D-Mass.), with whom I shared my test results.

The biggest recall change my tests did reveal was how the car warned me
about being attentive to the road while Autosteer was activated. But it’s
subtle at best.

https://www.washingtonpost.com/technology/2023/12/31/tesla-autopilot-recall-test/


Tesla Drivers in Chicago Confront a Harsh Foe: Cold Weather (The New York Times)

Gabe Goldberg <gabe@gabegold.com>
Wed, 17 Jan 2024 23:56:12 -0500
In freezing temperatures, the batteries of electric vehicles can be less
efficient and have shorter range, a lesson many Tesla drivers in Chicago
learned this week.

With Chicago temperatures sinking below zero, electric vehicle charging
stations have become scenes of desperation: depleted batteries,
confrontational drivers and lines stretching out onto the street.  [...]

Mr. Spencer, 27, said he set out on Sunday for a charging station with 30
miles left on his battery. Within minutes, the battery was dead. He had to
have the car towed to the station.  “When I finally plugged it in, it wasn’t
getting any charge,” he said.  Recharging the battery, which usually takes
Mr. Spencer an hour, took five hours.  That morning, Nick Sethi, a
35-year-old engineer in Chicago, said he had found his Tesla frozen shut. He
spent an hour in minus 5-degree temperatures struggling with the locks.

Finally, he was able to chisel out the embedded trunk handle to open it,
clambering in and driving his Model Y Long Range S.U.V. five miles to the
closest supercharging station. He joined a long line of Tesla drivers.

All 12 charging posts were occupied, with drivers slowing the process down
slightly by staying inside their vehicles with the heat on high.

https://www.nytimes.com/2024/01/17/business/tesla-charging-chicago-cold-weather

  [Lauren Weinstein noted:
    Chicago-area Tesla charging stations lined with dead cars in
    freezing cold: 'A bunch of dead robots out here' (Yahoo!)
https://finance.yahoo.com/news/chicago-area-tesla-charging-stations-024817227.html
  PGN]


Imaging privacy threats from an ambient light sensor (Science)

Lauren Weinstein <lauren@vortex.com>
Wed, 17 Jan 2024 19:29:44 -0800
https://www.science.org/doi/10.1126/sciadv.adj3608


Microsoft says its corporate network hacked by a Russian state-sponsored group on Jan 12

Lauren Weinstein <lauren@vortex.com>
Fri, 19 Jan 2024 15:16:51 -0800


EFI IPv6/PXE Security Flaw (ArsTechnica)

Bob Gezelter <gezelter@rlgsc.com>
Wed, 17 Jan 2024 07:44:00 -0500
ArsTechnica has reported a series of flaws in the IPv6 implementation of the
UEFI PXE process. When exploited, these flaws enable malicious code to be
installed on systems outside the visibility of the to-be-loaded operating
system.

While the flaw(s) are reported to relate to IPv6, they underscore the need
to properly secure mission-critical network infrastructure. Console LAN
ports and resources relied on by console processors should be in a separate,
isolated security zone, with appropriate monitoring.

The ArsTechnica article, including references to the specific
vulnerabilities, is at:

https://arstechnica.com/security/2024/01/new-uefi-vulnerabilities-send-firmware-devs-across-an-entire-ecosystem-scrambling/


AT&T is trying to kill all landlines in California, which would have devastating effects

Lauren Weinstein <lauren@vortex.com>
Sun, 14 Jan 2024 07:50:46 -0800
AT&T is sending out letters warning they want to kill virtually all
landlines (and perhaps related data circuits where fiber is
unavailable) across essentially their entire coverage area throughout
California. This would have devastating effects. Related CPUC meetings
will be taking place through March.

Landlines provide crucial services for individuals, businesses, and
other organizations in a wide variety of situations—not just
emergencies when cellular and Internet service tends to rapidly fail,
but also for vast numbers of people in areas with poor (or no)
reliable cell service, no fiber, etc.

Landlines often provide the only available communication in a wide
variety of security and safety situations, from elevators to interior
spaces of all sorts where cell service simply doesn't work.

Many disabled and other persons have crucial equipment that depends on
landlines. Often they are not tech-savvy and do not have friends or
relatives to help them through forced technology changes.

AT&T has been shirking its public safety responsibilities for years,
while still leveraging their effective monopoly on services in so many
areas.

Their new effort must be stopped. I'll have much more to say about
this as the situation progresses. -L

  [Indeed he does.  Here's more.  PGN]

The deceptive AT&T letter about landlines in California

By the way, the letter AT&T is sending out is extremely deceptive.
Gee, what a surprise. It speaks in the technobabble of their no longer
wanting to be the "carrier of last resort". How utterly devastating
that will be to so many people is something AT&T obviously doesn't
want to be widely understood. -L

The disgrace that is AT&T

And keep in mind, AT&T -- with its effective monopoly over its service areas
-- installs fiber only in lucrative neighborhoods. Here in Los Angeles, for
example, much of the city has no fiber. Even in areas that have some fiber,
you may find it on one side of the street and not on the other. AT&T just
refuses to install it where they figure they can't make the big bucks. So
the only voice and data services are via copper, and very little VoIP in
those areas, mostly just conventional landlines. And many areas have no
cable, no fiber, and no wireless service. That's here in Los Angeles!
Imagine the rural areas! AT&T doesn't want to upgrade services, they just
want to abandon customers most in need. AT&T has become one of the worst
"telecom" companies on the planet, ever since divestiture. They're an utter
disgrace. -L

The AT&T clowns

If AT&T figured they could make more money from crypto than from
telecom they'd probably turn off all their telecom services and
rebrand appropriately. They don't give a damn about their customers'
safety, security, or anything beyond how much money they can be
squeezed for. For all the faults of the old Bell System, they WERE
devoted to public service. Now AT&T is just busloads of evil clowns. -L

Trusting AT&T

I really don't like to put it this way, and I don't mean it as a 100%
sort of statement. But I've been dealing with AT&T since I was a
teenager. I even faced them with a couple of friends in a hearing at
the California Public Utilities Commission when they tried
(unsuccessfully, because I caught them in what was essentially a lie)
to shut down our world famous free telephone entertainment service,
"ZZZZZZ".

They have lied to municipalities about promised fiber deployments,
they have—since their 1984 court-ordered divestiture—tried to do
everything possible to escape from the public service and universal
service requirements of which they were once so publicly proud as "The
Bell System".

They only install fiber where they think it will make them the most
money, despite those previous deployment promises. That can mean
people on one side of the street have it, and the other side can't get
it—both in AT&T service areas. Just like ordinary landlines, any
data and even VoIP has to come over copper (e.g. U-verse). That's all
there is.

That they want to essentially withdraw from conventional wired
services and especially landlines in California is not a surprise,
because over the years they have become, if not deeply evil, deeply
untrustworthy.

The bottom line: Do not assume that anything they say is necessarily
accurate, especially in the current cases before the CPUC here in
California.


Washington takes aim at facial recognition (Politico)

Steve Bacher <sebmb1@verizon.net>
Sat, 20 Jan 2024 08:27:43 -0800
After years of criticism, momentum is building around federal action on a
controversial technology -- this time, with new evidence.

A group of Democratic senators on Thursday demanded that the Justice
Department look at how police use facial recognition tools and whether it
violates civil rights laws -- part of a fresh wave of scrutiny in Washington
to a technology that has triggered national concerns but has never come
under federal regulations.

The letter, shared exclusively with POLITICO, calls for the Justice
Department to explain how the agency’s policies and practices ensure that
law enforcement agencies receiving federal funds for facial recognition
technology comply with civil rights protections. Sen.  Raphael Warnock
(D-Ga.) is the letter’s lead author, joined by Senate Judiciary Chair Dick
Durbin (D-Ill.) and 15 other Democrats and one independent.

https://www.politico.com/news/2024/01/19/washington-takes-aim-at-facial-recognition-00136498


Your Medical Data Is Code Blue (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Sun, 14 Jan 2024 22:57:17 -0500
Medical-data companies aren't doing all they can to protect your most
private information. When they get hacked and patient data is stolen, it’s
the patients who suffer.

It’s true that there is no such thing as perfect security. But companies
storing medical records must at the least adopt state-of-the-art
protections. The almost invariable promises to improve security after
records are stolen contradicts the endless assurances that these companies
and institutions take security seriously. Nonetheless, compared to the
amount of damage those breaches can cause, those companies almost never
suffer significant sanctions. The list of settlements (cases are almost
always resolved that way) shows minimal fines, usually in the tens or
hundreds of thousands of dollars. Even one of its biggest penalties, a $5.1
million settlement with Lifetime Healthcare Companies in 2023, was just a
rounding error for the $6 billion company. Of course, Lifetime also agreed
to fix the vulnerabilities that shouldn't have existed in the first place.

Maybe if those so-called leaders got their own letters -- ones that fired them,
with no golden parachutes -- the rest of us would have fewer of those bad-news
mailings in our own postboxes. But when I floated this idea to Downing, she
said that penalties alone won’t solve the problem. She argues for what she
calls a community approach where patient representatives are involved in
setting up the security infrastructure that safeguards their information.
But whether we adopt a carrot or stick approach, we need tougher laws to
make sure the companies make changes. As Downing pointed out to me, Congress
is now rightfully energized about social media’s failings in protecting the
information of minors. How many more breaches will it take before it gets
similarly engaged in enforcing standards on our most private information?

https://www.wired.com/story/plaintext-our-medical-security-is-code-blue/


Google layoffs continue with 'hundreds' from sales team (The Verge)

Lauren Weinstein <lauren@vortex.com>
Tue, 16 Jan 2024 18:17:51 -0800
The way things are going, at some point the only employees left at Google
may be the C-suite executives and the AI systems.  Until the AI systems get
tired of playing second fiddle. -L

https://www.theverge.com/2024/1/16/24040093/google-layoffs-ad-sales-team


About my criticisms of Google ...

Lauren Weinstein <lauren@vortex.com>
Wed, 17 Jan 2024 11:27:47 -0800
I want to again be clear about my recent criticisms of Google. I am not a
Google hater, and Google haters' hyperbole is not welcome on my social media
threads. I've worked inside Google and I've only very rarely ever met a
Googler I didn't like. Google's engineers, policy folks, lawyers, etc. are
top notch. World class.

Most of the program managers and technical program managers are great too.

I put the blame for the continuing series of unforced errors at Google
squarely on the executives in the C-suite.

To be frank, while I certainly had policy disagreements with the
founders, my feeling is that with the departure of Eric and later
Larry and Sergey from day-to-day Google operations, the situation at
Google rapidly turned downhill and is accelerating in that direction.

I believe that Google is not hopeless, but in the current regulatory and
increasingly toxic political environments, the window for positive
change is rapidly closing.


Re: Hackers can infect network-connected wrenches to install ransomware (RISKS-34.03)

Jonathan Levine <jonathan.canuck.levine@gmail.com>
Sat, 13 Jan 2024 17:41:49 -0700
You know that gesture in which you hold up your hand and gently rub your
thumb and forefinger together, ostensibly a motion that resembles playing
the world's smallest violin?  Well, this is that.  All I can say is "serves
them goddamn right".  Before embedded controllers and before the Internet
and before the Internet of all the stupid things that have no damn business
being connected to the Internet, there were torque-indicating and -limiting
wrenches and screwdrivers and all kinds of purely mechanical tools that did a
perfectly fine job of doing what these things do.  In fact, I use them
myself when doing engine assembly, and they've recently been joined by
digital torque-angle wrenches—which *are* rather nicer than their purely
mechanical predecessors, but still don't need to be "connected" either.


Re: UK Post Office Accounting Systems Errors Lead to Convictions and Worse (CNN, Epstein, RISKS-34.03)

Bob Gezelter <gezelter@rlgsc.com>
Sun, 14 Jan 2024 09:19:43 -0500
CNN reports that the UK Post Office is involved in a long-standing series of
inaccuracies in a computerized accounting system used by small post offices.

As reported in the article, there are significant questions relating to the
qualification and testing of the system. While the technical questions are
important, technical questions pale in comparison to the policy and
management issues.

Why were initial reports of accuracy issues not pursued?

The legal issues are even more important. Legal consequences are far more
consequential, whether civil or criminal. Lives can be ruined.

Computerized records are only creditable when they tie back to the real
world. That is why auditors regularly check physical inventories, to detect
misappropriation and system inaccuracies.

I have consulted on a number of litigation matters involving computerized
accounting systems. Going back to basic technical auditing always allowed us
to determine the accuracy/inaccuracy of the system.  That the errors were
not detected in multiple cases is extremely troubling and problematic.

The CNN article can be found at:
https://www.cnn.com/2024/01/13/business/uk-post-office-fujitsu-horizon-scandal/index.html


Re: Alaska cockpit recording overwritten; limited to 2hrs (Baker, RISKS-34.03)

Lars-Henrik Eriksson <lhe@it.uu.se>
Mon, 15 Jan 2024 10:00:44 +0100
As far as I understand this limitation is intended to protect the pilots'
personal integrity. The company should not be able to eavesdrop on their
conversations. In case of a (non-crash) incident, the pilots are supposed
to pull the CVR circuit breaker after the event in order to protect the
recording. This is occasionally forgotten. In this particular case I don't
see that it would matter much to the investigation unless the pilots'
handling of the emergency was in question.


Re: Linux devices are under attack by a never-before-seen worm (ArsTechnica)

Steve Bacher <sebmb1@verizon.net>
Sun, 14 Jan 2024 07:57:27 -0800
I was shocked, shocked to see the snippet of code displayed in the article
showing that the programmer used a GOTO statement. Haven't they heard that
GOTO is considered harmful?

  [You can no longer tell that to Eiichi Goto, who was very active back when
  Edsger Dijkstra first published that statement in the CACM in 1968.  PGN]


Re: CLEAR wants to scan your face at airports. Privacy experts are worried. (The Washington Post)

"John Levine" <johnl@iecc.com>
14 Jan 2024 13:51:08 -0500
In case it's not obvious, CLEAR is a scam, a way to pay extra money to cut
ahead in the TSA line and slow everyone else down. It has nothing to do
with improved security or simplified processes (that's TSA precheck), just
pay to go ahead of the proles:

https://slate.com/business/2022/12/clear-airports-line-tsa-precheck.html

Having said that, the face scanning genie left the bottle quite a long time
ago.  I have NEXUS, which is similar to Global Entry, get approved as a low
risk traveler so you can go through immigration faster.  (NEXUS does
everything Global Entry does and also works in Canada, and costs less.  What
a deal.)

When I returned to the U.S. from Europe last year, at immigration I got into
the Global Entry line, walked up to a kiosk which took a picture of me,
showing a box around my face on its screen, then told me to proceed to
immigration.  A guy there looked at me, said "You're John?" "Yup" "Anything
to declare?"  "Nope"

And that was it.  I didn't even have to use or tap my card.

There is a picture of me on my NEXUS card, and they know all the
Global/NEXUS holders who are arriving at the airport so they only have
to find me among that group.  But it was still pretty creepy.

  [Actually, you may be overstating the case by calling CLEAR a *scam*.  For
  frequent fliers who like to minimize time spent in line, it is a blessing,
  and maybe worth the money.  It is probably useful for people with
  compromised immune systems who really need to avoid crowds.  However, it
  is clearly an elitist strategy.  PGN]

    [Is that elitist, like custom versions of ChatGPT earlier
    in this issue?  PGN]
