The RISKS Digest
Volume 34 Issue 63

Saturday, 17th May 2025

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Contents

Newark's Air-Traffic Control Staffing Crisis Is Dire. It's Also Not Unique.
The New York Times
Exclusive: NSF faces radical shake-up as officials abolish its 37 divisions
Science
Rogue communication devices found in Chinese solar power inverters
PGN Ben Moore
EU Security Bug Database Fully Operational
Jessica Lyon
Researchers Discover New Security Vulnerability in Intel Processors
Daniel Meierhans
Investigation into false evacuation alerts sent during L.A. fires places blame, calls for more regulation
LA Times
Meta to Train AI on EU User Data From May 27 Without Consent; Noyb Threatens Lawsuit
The Hacker News
Young Americans are investing in crypto and meme coins as a path to wealth
The Washington Post
If AI is so good at coding, where are the open-source contributions
Pivot to AI
How Apple Created a Legal Mess When It Skirted a Judge’s Ruling
NYTimes
How to Secure Your Phone’s Data Before Traveling Abroad
NYTimes
Thumbprint on Cigarette Carton Cracks a 48-Year-Old California Murder Case
NY Times
Walgreens doubles down on prescription-filling robots to cut costs, free up pharmacists amid turnaround
CNBC
Smart Phones Finally Getting Expelled in Classes
New York Magazine
A VPN Company Canceled All Lifetime Subscriptions, Claiming It Didn't Know About Them
WiReD
Why We're Unlikely to Get Artificial General Intelligence Anytime Soon
NY Times
Attack Steals Cryptocurrency by Planting False Memories in Chatbots
Dan Goodin
His X Account Was Hijacked to Sell a Fake WIRED Memecoin. Then Came the Backlash
WiReD
CISA mutes own website, shifts routine cyber-alerts to Musk's RSS, email
The Register
Tragedy, Fools but no Iago in sight
Peter Bernard Ladkin
Riverside wants to become 'the new Detroit.' Can this self-driving electric bus get it there?
LA Times
IBM Vibe coding
Martin Ward
How to fix your code using OpenAI
Martin Ward
Case quacked: Flying duck caught by Swiss speed camera is repeat offender
BBC
We live in the tension between overestimating risks and ignoring them
Jim Geissman
RISKS-34.62 layout
Mark Brader
Re: FBI Says Cybercrime Costs Surpassed $16 Billion in 2024
Richard Marlon Stein
Re: New Zealand's prime minister proposes social media ban for under-16s
Steve Bacher
Re: After an Arizona man was shot, an AI video of him addresses his killer in court
Steve Bacher
Info on RISKS (comp.risks)

Newark's Air-Traffic Control Staffing Crisis Is Dire. It's Also Not Unique. (The New York Times)

"Jim" <jgeissman@socal.rr.com>
Fri, 16 May 2025 07:32:53 -0700
NY Times 16 May 2025

Ninety-nine percent of the air traffic control facilities in the United
States are operating below recommended staffing levels, a New York Times
analysis has found.

The ongoing crisis at Newark Liberty International Airport has put a
spotlight on the prolonged nationwide shortage of air traffic
controllers. As of 7 May 2025, only two of 313 facilities -- one in Akron,
Ohio, and another in Fort Lauderdale, Fla. -- met staffing targets set by
the Federal Aviation Administration and the union representing controllers,
according to union data obtained by The Times.

<https://www.nytimes.com/2025/05/07/us/politics/newark-airport-delays.html>
<https://www.nytimes.com/interactive/2025/05/08/nyregion/newark-airport-delays.html>

  [Even if you are flying from Akron to Fort Lauderdale, that is not good
  enough, because you have to cross undermanned ATC centers.  PGN]


Exclusive: NSF faces radical shake-up as officials abolish its 37 divisions (Science)

David Farber <farber@keio.jp>
Fri, 9 May 2025 20:21:24 +0900
https://www.science.org/content/article/exclusive-nsf-faces-radical-shake-officials-abolish-its-37-divisions

The National Science Foundation (NSF), already battered by White House
directives and staff reductions, is plunging into deeper turmoil. According
to sources who requested anonymity for fear of retribution, staff were told
today that the agency's 37 divisions -- across all eight NSF directorates --
are being abolished and the number of programs within those divisions will
be drastically reduced. The current directors and deputy directors will lose
their titles and might be reassigned to other positions at the agency or
elsewhere in the federal government.

The consolidation appears to be driven in part by President Donald Trump's
proposal to cut the agency's $9-billion budget by 55% for the 2026 fiscal
year that begins on 1 October. NSF's decision to abolish its divisions could
also be part of a larger restructuring of the agency's grant-making process
that involves adding a new layer of review. NSF watchers fear that a
smaller, restructured agency could be more vulnerable to pressure from the
White House to fund research that suits its ideological bent.


Rogue communication devices found in Chinese solar power inverters

"Peter G. Neumann" <peter.neumann@sri.com>
Thu, 15 May 2025 14:09:41 -0700
https://www.reuters.com/sustainability/climate-energy/ghost-machine-rogue-communication-devices-found-chinese-inverters-2025-05-14/

  [This resembles a cross between the DMA problem addressed by the
  Thunderclap paper, and planted Trojan horses.  PGN]


Rogue communication devices found in Chinese solar power inverter (MSN)

Ben Moore <ben.moore@juno.com>
Fri, 16 May 2025 09:37:13 -0500
As Bruce Schneier says "This is a weird story."

https://www.msn.com/en-us/news/world/ar-AA1EMfHP

But less so when you consider this story.

https://www.huschblackwell.com/newsandinsights/new-executive-order-prohibits-use-of-equipment-produced-by-foreign-adversaries-in-bulk-power-system


EU Security Bug Database Fully Operational (Jessica Lyon)

ACM TechNews <technews-editor@acm.org>
Fri, 16 May 2025 11:37:34 -0400 (EDT)
Jessica Lyon, *The Register* (UK) (05/13/25), via ACM TechNews

The European Union Agency for Cybersecurity has rolled out the European
Vulnerability Database (EUVD). Updated in real time and now fully
operational, the database identifies disclosed bugs with their U.S. Common
Vulnerabilities and Exposures (CVE)-assigned IDs and EUVD identifiers,
details their criticality and exploitation status, and provides links to
available advisories and patches.

  [The U.S. mothballing of the MITRE-NIST CVE collection was the
  result of an abominable showman.  The CVE repository may have been
  the wrong solution to the wrong problem, but it provided a very
  useful catalog of vulnerabilities against which to track progress
  (or the lack of it).  The deeper problem that is not being
  adequately confronted is that commercial-system security sucks,
  so-called best practices are dramatically incomplete, and the
  industry apparently does not want to bother avoiding even the most
  critical flaws, much less the way it develops new systems.  This has
  been going on during all of my 71 years as a computer professional,
  with very few exceptions, and shows few signs of changing (except
  for perhaps our SRI/Cambridge-UK CHERI clean-slate hardware-software
  approach, which earlier this week received this year's Test-of-Time
  award at the 46th IEEE Symposium on Security and Privacy for our
  2015 paper, CHERI: A Hybrid Capability-System Architecture for
  Scalable Software Compartmentalization).  I am delighted to see the
  European Union showing fortitude (although the letters VD in EUVD
  have a connotation that is symbolic of the self-infectious nature of
  system and network vulnerabilities).  PGN]


Researchers Discover New Security Vulnerability in Intel Processors (Daniel Meierhans)

ACM TechNews <technews-editor@acm.org>
Fri, 16 May 2025 11:37:34 -0400 (EDT)
Daniel Meierhans, ETH Zurich (Switzerland) (05/13/25)

A new class of vulnerabilities in all Intel processors identified by
computer scientists at Switzerland's ETH Zurich can be exploited to misuse
the central processing unit's (CPU) prediction calculations to gain access
to information from other users of the same CPU. The vulnerabilities enable
the incorrect assignment of privileges during the few nanoseconds when the
CPU switches between prediction calculations for two users with different
permissions. ETH Zurich's Sandro Ruegge said quickly repeating the attack
can result in a more than 5,000-bytes-per-second readout speed, allowing
attackers to read the entire memory over time.


Investigation into false evacuation alerts sent during L.A. fires places blame, calls for more regulation (LA Times)

Steve Bacher <sebmb1@verizon.net>
Mon, 12 May 2025 09:14:07 -0700
The alerts were intended for a small group of residents near Calabasas, but
stoked panic and confusion as they were blasted out repeatedly to a much
larger area.  [...]

In “Sounding the Alarm: Lessons From the Kenneth Fire False Alerts,”
Garcia’s office reports that Genasys, the software company contracted with
the county to issue wireless emergency alerts, said a technical error caused
the faulty alert to ping across the sprawling metro region.  [...]

https://www.latimes.com/california/story/2025-05-12/report-on-faulty-fire-alert-calls-for-more-federal-regulation-of-private-tech-companies-issuing-alerts


Meta to Train AI on EU User Data From May 27 Without Consent; Noyb Threatens Lawsuit (The Hacker News)

geoff goodfellow <geoff@iconia.com>
Fri, 16 May 2025 10:38:05 -0700
Austrian privacy non-profit noyb (none of your business) has sent Meta's
Irish headquarters a cease-and-desist letter, threatening the company with
a class action lawsuit if it proceeds with its plans to train users' data
for training its artificial intelligence (AI) models without an explicit
opt-in.

The move comes weeks after the social media behemoth announced
<https://thehackernews.com/2025/04/meta-resumes-eu-ai-training-using.html>
its plans to train its AI models using public data shared by adults across
Facebook and Instagram in the European Union (EU) starting May 27, 2025,
after it paused the efforts in June 2024 following concerns raised by Irish
data protection authorities.

"Instead of asking consumers for opt-in consent, Meta relies on an alleged
'legitimate interest' to just suck up all user data," noyb said
<https://noyb.eu/en/noyb-sends-meta-cease-and-desist-letter-over-ai-trainin-european-class-action-potential-next-step>. "Meta may face massive legal
risks—just because it relies on an 'opt-out' instead of an 'opt-in'
system for AI training."

The advocacy group further noted that Meta AI is not compliant with the
General Data Protection Regulation (GDPR) in the region, and that, besides
claiming that it has a "legitimate interest" in taking user data for AI
training, the company is also limiting the right to opt-out before the
training has started.
<https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/>


Young Americans are investing in crypto and meme coins as a path to wealth (The Washington Post)

Gabe Goldberg <gabe@gabegold.com>
Mon, 12 May 2025 12:58:06 -0400
These young people see meme coins as their best shot at the American Dream

When traditional routes to wealth feel out of reach, jokey cryptocurrencies
can look more attractive.

“Financial nihilism” is driving some members of Gen Z to crypto, said Joe
McCann, founder and CEO of Asymmetric, a crypto hedge fund that counts
itself as one of the first institutional investors in meme coins.  Young
people with high levels of student debt, who are more likely to live with
their parents than prior generations, are less inclined to stash money into
a 401(k), he said. They’d rather wager a few hundred bucks on a meme coin,
McCann added, because they feel they don’t have other good options.  [...]

Several conference attendees told *The Washington Post* they expected crypto
to thrive during President Donald Trump’s administration in part because he
has a personal stake in meme coins.

The president has been promoting two coins launched in January called $TRUMP
and $MELANIA that were created by a firm affiliated with the Trump
Organization. His association with the coins, including a recent offer to
host a dinner for top investors, has been criticized for creating a conflict
of interest.

Trump has also overseen a pullback in regulatory scrutiny of crypto
firms. In February, the U.S. Securities and Exchange Commission ruled that
meme coins are collectibles, not securities. Industry players say that could
lead to a bumper crop of newly minted meme coins.  [...]

Following the meme coin market’s moves requires dedication as the Internet
cycles from one punch line to the next. “I always have my phone in my hand,”
said Jeff Matthews, who estimates that he notches 14 to 17 hours of screen
time daily, mostly spent trading meme coins.


If AI is so good at coding, where are the open-source contributions (Pivot to AI)

Gabe Goldberg <gabe@gabegold.com>
Tue, 13 May 2025 17:53:56 -0400
It’s true that a lot of open source projects really hate AI code.  There’s
several objections, but the biggest one is that users who don't understand
their own lack of competence spam the projects with time-wasting AI
garbage. The Curl project banned AI-generated security reports because they
were getting flooded with automated AI-generated “bug bounty” requests.
[LinkedIn]

More broadly, the very hardest problem in open source is not code, it’s
people -- how to work with others. Some AI users just don’t understand the
level they simply aren't working at.

One user of the LLVM compiler complained that his AI-generated pull requests
were not being taken seriously -- by a compiler project, where correct
computer science and knowing precisely what the heck you’re doing is
profoundly important.

The user considered it was the unpaid volunteer coders’ “job” to take his AI
submissions seriously. He even filed a code of conduct complaint with the
project against the developers. This was not upheld. So he proclaimed the
project corrupt. [GitHub; Seylaw, archive]

This is an actual comment that this user left on another project: [GitLab]

  As a non-programmer, I have zero understanding of the code and the
  analysis and fully rely on AI and even reviewed that AI analysis with a
  different AI to get the best possible solution (which was not good enough
  in this case).

  You can see why people don’t really want to deal with this sort of
  contribution. But maybe we’ll get a flood of obviously excellent AI code
  -- and AI code submitters -- next year.

https://pivot-to-ai.com/2025/05/13/if-ai-is-so-good-at-coding-where-are-the-open-source-contributions/


How Apple Created a Legal Mess When It Skirted a Judge’s Ruling

Monty Solomon <monty@roscom.com>
Sat, 10 May 2025 21:31:38 -0400
Court documents show the company commissioned a sham report and lied on the
stand to justify its actions, which will cast a shadow over future lawsuits.

https://www.nytimes.com/2025/05/09/technology/apple-app-store-antitrust.html


How to Secure Your Phone’s Data Before Traveling Abroad (NYTimes)

Monty Solomon <monty@roscom.com>
Sat, 10 May 2025 21:39:32 -0400
Here are some best practices for safeguarding sensitive personal data.

https://www.nytimes.com/2025/04/30/technology/personaltech/travel-burner-phone-cbp.html


Thumbprint on Cigarette Carton Cracks a 48-Year-Old California Murder Case (NY Times)

Monty Solomon <monty@roscom.com>
Sat, 10 May 2025 22:54:46 -0400
A young mother told friends that she’d be “back in 10 minutes.” She never
returned, and the police in San Jose have now charged a man in her death.

https://www.nytimes.com/2025/05/10/us/jeanette-ralston-cold-case-murder-suspect.html


Walgreens doubles down on prescription-filling robots to cut costs, free up pharmacists amid turnaround (CNBC)

Steve Bacher <sebmb1@verizon.net>
Sun, 11 May 2025 07:00:32 -0700
Walgreens is expanding the number of its retail stores served by its
micro-fulfillment centers as it works to turn itself around and prepares to
go private.

As struggling drugstore chains work to regain their footing, Walgreens is
doubling down on automation.

The company is expanding the number of retail stores served by its
micro-fulfillment centers, which use robots to fill thousands of
prescriptions for patients who take medications to manage or treat diabetes,
high blood pressure and other conditions.

Walgreens aims to free up time for pharmacy staff, reducing their routine
tasks and eliminating inventory waste. Fewer prescription fills would allow
employees to interact directly with patients and perform more clinical
services such as vaccinations and testing.  [...]

https://www.cnbc.com/2025/05/11/walgreens-doubles-down-on-robots-to-fill-prescriptions-amid-turnaround.html


Smart Phones Finally Getting Expelled in Classes (New York Magazine)

Peter Neumann <neumann@csl.sri.com>
Fri, 9 May 2025 10:12:25 PDT
NY Magazine, 8 May 2025

Starting at the beginning of the 2025-26 school year, New York public and
charter schools will be implementing plans for “bell-to-bell” smartphone
bans, which prohibit the “unsanctioned use of smartphones and other
Internet-enabled personal devices on school grounds in K-12 schools for the
entire school day.”

Yes, there is a growing trend of schools and states banning or restricting
student smartphone use, particularly during class time. This is driven by
concerns about student distraction, mental health, and the potential for
bullying and negative social behaviors. Many states, including Florida,
Indiana, and New York, have already implemented or are planning to implement
such bans.


A VPN Company Canceled All Lifetime Subscriptions, Claiming It Didn't Know About Them (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Wed, 14 May 2025 22:46:42 -0400
In March, complaints started appearing online about lifetime subscriptions
to VPNSecure no longer working.

The new owners of VPN provider VPNSecure have drawn ire after canceling
lifetime subscriptions. The owners told customers that they didn’t know
about the lifetime subscriptions when they bought VPNSecure, and they cannot
honor the purchases.

The first public response Ars Technica found came on April 28, when lifetime
subscription holders reported receiving an email from the VPN provider
saying: “To continue providing a secure and high-quality experience for all
users, Lifetime Deal accounts have now been deactivated as of April 28th,
2025.”

A copy of the email from “The VPN Secure Team” and posted on Reddit notes
that VPNSecure had previously deactivated accounts with lifetime
subscriptions that it said hadn’t been used in “over 6 months.” The message
noted that VPNSecure was acquired in 2023, “including the technology,
domain, and customer database -- but not the liabilities.” The email continues:

  Unfortunately, the previous owner did not disclose that thousands of
  Lifetime Deals (LTDs) had been sold through platforms like StackSocial. We
  discovered this only months later -- when a large portion of our resources
  were strained by these LTD accounts and high support volume from users,
  who through part of the database, provided no sustaining income to help us
  improve and maintain the service.

https://www.wired.com/story/vpnsecure-canceled-all-lifetime-subscriptions-claiming-it-didnt-know-about-them


Why We're Unlikely to Get Artificial General Intelligence Anytime Soon (NY Times)

Gabe Goldberg <gabe@gabegold.com>
Sat, 17 May 2025 11:32:33 -0400
The titans of the tech industry say artificial intelligence will soon match
the powers of humans’ brains. Are they underestimating us?

  [(No) surprise]

https://www.nytimes.com/2025/05/16/technology/what-is-agi.html?smid=nytcore-ios-share&referringSource=articleShare


Attack Steals Cryptocurrency by Planting False Memories in Chatbots (Dan Goodin)

ACM TechNews <technews-editor@acm.org>
Fri, 16 May 2025 11:37:34 -0400 (EDT)
Dan Goodin, *Ars Technica* (05/13/25), via ACM TechNews

A "context manipulation" exploit developed by Princeton University
researchers leverages prompt injection attacks against the open source
framework ElizaOS to steal cryptocurrency. ElizaOS uses large language
models to undertake blockchain-based transactions for users based on
predefined rules. The attacks depend on a feature of ElizaOS in which past
conversations are stored in an external database, which allows anyone
authorized to transact with an agent to create a false memory that triggers
an override of security defenses.


His X Account Was Hijacked to Sell a Fake WIRED Memecoin. Then Came the Backlash (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Mon, 12 May 2025 12:55:31 -0400
Earlier this year, a hacker used his X account to hawk a fraudulent
WIRED-branded crypto coin. After they pulled the rug on investors, he faced
the aftermath.

https://www.wired.com/story/wired-memecoin-scam-hacked-x-account/


CISA mutes own website, shifts routine cyber-alerts to Musk's RSS, email (The Register)

"Jim" <jgeissman@socal.rr.com>
Tue, 13 May 2025 08:12:00 -0700
Cripes, we were only joking when we called Elon's social network the new
state media

Iain Thomson  <https://www.theregister.com/Author/Iain-Thomson>


Tragedy, Fools but no Iago in sight

"Prof. Dr. Peter Bernard Ladkin" <ladkin@causalis.com>
Mon, 12 May 2025 14:05:28 +0200
On Friday, 2 May, at about 17.50 local time, the driver of a Mercedes SUV
ran into pedestrians on a busy street near the centre of the city of
Stuttgart in Germany. One died; seven others were injured. It seems to have
all the indications of a tragic accident. The car is (very) expensive; the
owner was driving; his young son was sitting in the passenger seat. The
most-read newspaper in Germany is the "tabloid" Bild-Zeitung. Bild reported
the accident, as well as that the driver is a "Selfmade-Millionär" (which is
German for "selfmade millionaire") with an Internet portal on which he sells
stuff. Bild also invented a pseudonym for him, "Markus S." (German law
prevents reporting full last names in potential criminal cases, in this case
a possible charge of "causing death by negligence", fahrlässige Tötung).

There is, however, a real Markus S., last name "Schön", who is an Internet
entrepreneur in Detmold, a city some 450+km north of the accident site in
Stuttgart. Herr Schön's site sells office and school supplies. He started
receiving hate mails and death threats almost immediately, it seems, and
sales on his site went precipitously down.

Sunday 4 May he posted on LinkedIn to say it wasn't him. The editor of Bild
got in touch. Bild amended its story to make it clear that it wasn't him,
and offered him space to do so himself (which he didn't take).

By Friday 9 May it seems things were back to "normal" for Herr Schön and his
business.

All this courtesy of a story in my local paper at the weekend (10-11 May) by
Silke Buhrmester entitled "Detmolder Unternehmer bedroht" ("Detmold
businessman threatened").

   [PDL, Danke Schön.  PGN]


Riverside wants to become 'the new Detroit.' Can this self-driving electric bus get it there? (LA Times)

Steve Bacher <sebmb1@verizon.net>
Fri, 16 May 2025 07:50:00 -0700
In 2023, the Riverside (CA) City Council approved a two-year pilot program
to have the Riverside Transit Agency operate, staff and maintain three
automated, fully electric shuttle buses. The first bus began serving the
Riverside Municipal Airport this week.

There is a little shuttle bus in the Inland Empire that’s fueled with big
aspirations.

It’s electric, tops out at 25 mph, and can only go on a pre-designated route
set up by the Riverside Transit Agency.

But here’s a catch -- it also drives itself.

As of Monday, commuters in Riverside are the first in the country to ride a
fully self-driving, publicly accessible bus that is deployed by a city
transit agency.  [...]

https://www.latimes.com/california/story/2025-05-15/riverside-self-driving-buses


IBM Vibe coding

Martin Ward <martin@gkc.org.uk>
Thu, 15 May 2025 12:56:54 +0100
IBM is really into the new vibe of "vibe coding":

https://www.ibm.com/think/topics/vibe-coding

There are just a few, really minor, limitations:
"for real world applications ... vibe coding becomes challenging."
"Code generated by AI is challenging to debug because it's dynamic
and lacks architectural structure."
"Applications built using AI generated code face maintenance
and update challenges"
"This can cause developers to struggle to understand the underlying logic"
"Security concerns ... unseen vulnerabilities that can go unnoticed
and be exploited"

But hey, as long as your application isn't a real world application,
does not need optimisation, you don't care about bugs, you don't
need to maintain it or understand the underlying logic,
and you don't care about security, then vibe coding is for you!


How to fix your code using OpenAI

Martin Ward <martin@gkc.org.uk>
Thu, 15 May 2025 12:56:18 +0100
You write a try/catch and in the catch send a message to OpenAI: "Fix this
error but return only the code" and then you eval the result!

https://www.youtube.com/watch?v=TZt6thN7AU8


Case quacked: Flying duck caught by Swiss speed camera is repeat offender (BBC)

Matthew Kruk <mkrukg@gmail.com>
Tue, 13 May 2025 21:47:44 -0600
https://www.bbc.com/news/articles/c1ldnedvde9o

A duck has been caught speeding on traffic cameras in the town of Koeniz in
central Switzerland.

Local police said the mallard—a wild duck—was snapped on radar images
on 13 April clocking in at 52km (32 miles per hour) in a 30km zone.

Adding to the mystery, authorities said the duck was likely a repeat
offender and shared an image of a similar looking duck traveling in the
same spot, at the same speed and on the same date in 2018.

  [Perhaps the duck thought the zone was 30mph?  There's a somewhat tortured
  German pun here: Gans Gut!  However, Gans is a Goose not a duck (Ente),
  and Ganz is German for more-or-less.  So, since it might be the same duck,
  it might be flying until Die Ente Time.  PGN]


We live in the tension between overestimating risks and ignoring them

"Jim" <jgeissman@socal.rr.com>
Fri, 16 May 2025 07:13:49 -0700
http://enewspaper.latimes.com/infinity/article_share.aspx?guid=80b7df93-cfb5-4ba3-a2b2-0a87bb7cd025

  [I wish it were so simple.  Lately, I have been unable to keep up with the
  huge pile of e-mail, which suggests that our readers are more tuned to the
  middle ground—some sort of huge area in between, in which veteran RISKS
  readers are not overestimating the risks.  However, I have had to ignore a
  few items because of the huge pile of potentially fascinating items
  submitted that I cannot always read.  If you ever submit something really
  germane that I seem to have overlooked, please RESUBMIT with a subject
  line that says perhaps I UNDERLOOKED it and ask me to consider it.  That
  would make me feel much better about not missing a superb item.  PGN]


RISKS-34.62 layout

Mark Brader <msb@Vex.Net>
Wed, 14 May 2025 03:35:23 -0400 (EDT)
As seen in comp.risks, RISKS-34.62 contains 12 items that are second or
third occurrences of earlier items in the same issue.  (That was based
on the table of contents, but I think the body was the same way.)

  [Mark, My apologies to all readers.  I had a series of EMACS accidents
  after having completed an earlier version of the issue and then tried to
  add lots more items to try to catch up.  I think there were actually some
  dupes that were not duped in the ToC but duped in the text.  I won't try
  that again—as it evidently created unneeded risks!  I usually keep a
  backup once I get a stable version, but did not do so this time.  And I
  don't have time to try to fix it now after it was immediately discovered
  by Lindsay Marshall in Newcastle... PGN]


Re: FBI Says Cybercrime Cost Surpassed $16 Billion in 2024 (Raphael Satter, RISKS 34.62)

Richard Marlon Stein <rmstein@protonmail.com>
Mon, 12 May 2025 06:19:30 +0000
 >The Internet Crime Complaint Center of the U.S. Federal Bureau of
 >Investigation (FBI) said global cybercrime costs topped $16 billion in
 >2024, up a third from the prior year.

US$ 16B is apparently hot-dog money and chump change.

The "60 Minutes" episode from 11MAY2025 entitled, "Fraud costing
U.S. government hundreds of billions a year as crime rings use stolen
identities" (see https://www.cbsnews.com/news/fraud-costing-us-government-as-crime-rings-use-stolen-identities-60-minutes-transcript/)
reports APTs—state sponsored gangs of hackers in the PRC, DPRK, Russian
Federation, Iran, etc.—liberate between US$ 500B to 750B per year using
the snowballing dark-web trove of breached PII from US citizens to commit
disaster claim fraud.

FEMA recovery funds from fires, hurricanes, and floods, and COVID-19
pandemic monies fall from cyberspace into criminals' pockets like radial
tires shed micro/nano-plastics.


Re: New Zealand's prime minister proposes social media ban for under-16s (RISKS-34.62)

Steve Bacher <sebmb1@verizon.net>
Mon, 12 May 2025 11:08:13 -0700
As usual, the most contentious issue is not whether under-16s should have
their access controlled, but the proposed mechanism for verifying age, which
generally involves a scheme that impacts on the privacy rights of over-16s. 
I don't know enough about New Zealand's legal or Constitutional system to
know how much of a concern that is, but I'd guess it's not zero.  On the
positive side, at least it's not porn being talked about here.


Re: After an Arizona man was shot, an AI video of him addresses his killer in court (RISKS-34.62)

Steve Bacher <sebmb1@verizon.net>
Mon, 12 May 2025 11:10:49 -0700
I'm satisfied that the question of juries and evidence is addressed in the
article.  But more generally, how much weight should be attached to how well
a victim impact statement is produced?  Is it a greater crime to murder a
super nice person than an average jerk?  I don't think so.
