Neal E. Boudette, The New York Times, 20 Aug 2021
GM said the move announced [on 20 Aug 2021] “would cost the company $1 billion on top of the $800M it had allocated for the previous Bolt recall.” This means that all 141,000 Bolts produced (since 2017) are under recall. The battery packs are made by LG Chem in South Korea. This is the third Bolt recall in a year. The National Highway Traffic Safety Administration is quoted on the November recall (an ‘offer’) to add software to address concerns that some of the high-voltage batteries “may pose a risk of fire when charged to full, or very close to full, capacity.” The NYTimes article says “Two fires occurred after that recall, including one in a Bolt that had the updated software.” [PGN-ed from the National print Edition.]
Something appears to be confusing a system that Tesla drivers frequently misuse.
On Monday, the National Highway Traffic Safety Administration opened an investigation <https://www.reuters.com/business/autos-transportation/us-opens-formal-safety-probe-into-tesla-autopilot-crashes-2021-08-16/> into Tesla. The agency claims that there have been 11 incidents since 2018 in which Tesla vehicles struck stationary first-responder vehicles attending to the scene of an emergency; there's allegedly <https://static.nhtsa.gov/odi/inv/2021/INOA-PE21020-1893.PDF> been 17 injuries and one fatality as a result. The NHTSA is narrowing in on the company's Autopilot system, noting that the Teslas in these incidents “were all confirmed to have been engaged in either Autopilot or Traffic Aware Cruise Control during the approach to the crashes.” The investigation will cover Tesla models Y, X, S, and 3 that were released between 2014 and 2021. Autopilot's difficulties with sensing firetrucks and other emergency vehicles have been a known problem for years <https://www.wired.com/story/tesla-autopilot-why-crash-radar/>, and the feature has also been criticized as encouraging drivers to rely on it as though it is a self-driving system when in fact it is only meant to assist an engaged driver. To better understand the issue, I spoke with Raj Rajkumar, an electrical and computer engineering professor at Carnegie Mellon University who specializes in self-driving vehicles. Our conversation has been condensed and edited for clarity.
Aaron Mak: Why might Teslas be having this issue with stationary emergency vehicles? […] https://slate.com/technology/2021/08/teslas-allegedly-hitting-emergency-vehicles-why-it-could-be-happening.html
Paul Lienert, Reuters, 18 Aug 2021, via ACM TechNews, 20 Aug 2021
Silicon Valley-based self-driving startup Aurora has unveiled what it describes as the industry's first tool for assessing the relative safety of autonomous vehicles. Aurora's Chris Urmson said the Safety Case Framework provides a “structured approach” to assessing the safety of autonomous vehicles on actual streets, featuring four levels of claims associated with the safe development, testing, and evaluation of the company's self-driving systems, as well as required supporting evidence. The framework supports a systematic approach to assessing the vehicles' safety, as well as metrics for measuring progress across their full development cycle. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c69cx22d045x073748&
It is about time the autopilot in Tesla and other vehicles is investigated properly. I have not been able to find any criminal prosecutions. Maybe your readers might be interested to know the only prosecution I am aware of, from Switzerland:
Case translation: Switzerland
Case citation: PEN 17 16 DIP, Regionalgericht Emmental-Oberaargau, Strafabteilung (Regional Court Emmental-Oberaargau, Criminal Division), 30 May 2018
Key words: Switzerland; criminal law; traffic violation; Autobahn; Tesla motor vehicle ‘Traffic-Aware Cruise Control’ and ‘Autosteer’ mode engaged; collision; driver failed to control vehicle; Convention on Road Traffic, Vienna; evidential value of report by Tesla Motors Switzerland GmbH
Citation in journal: Case translation from Switzerland, PEN 17 16 DIP, Regionalgericht Emmental-Oberaargau, Strafabteilung (Regional Court Emmental-Oberaargau, Criminal Division), 30 May 2018, 17 Digital Evidence and Electronic Signature Law Review (2020) 97-111
Might somebody alert the U.S. safety regulators who are undertaking the inquiry (whoever they are)?
Stephen Mason, https://ials.sas.ac.uk/about/about-us/people/stephen-mason
Open-source practitioner text for judges, lawyers and legal academics:
Stephen Mason and Daniel Seng, editors, Electronic Evidence and Electronic Signatures (5th edition, Institute of Advanced Legal Studies for the SAS Humanities Digital Library, School of Advanced Study, University of London, 2021) https://humanities-digital-library.org/index.php/hdl/catalog/book/electronic-evidence-and-electronic-signatures
Open source journal:
Digital Evidence and Electronic Signature Law Review https://journals.sas.ac.uk/index.php/deeslr (also available via the HeinOnline subscription service and British and Irish Legal Information Institute http://www.bailii.org/)
Amtrak and freight rail companies have long clashed over the use of railroad tracks, a dispute that is now playing out along the Gulf Coast, where the agency is seeking to restore service.
The risk? Aging infrastructure, and fingerpointing over responsibility and access …
Precipitation was so unexpected, scientists had no gauges to measure it, and it is a stark sign of the climate crisis.
Rain has fallen on the summit of Greenland's huge ice cap for the first time on record. Temperatures are normally well below freezing on the 3,216-metre (10,551ft) peak, and the precipitation is a stark sign of the climate crisis.
Scientists at the US National Science Foundation's summit station saw rain falling throughout 14 August, but had no gauges to measure the fall because the precipitation was so unexpected. Across Greenland, an estimated 7bn tonnes of water was released from the clouds. <https://nsidc.org/greenland-today/2021/08/rain-at-the-summit-of-greenland/>
The rain fell during an exceptionally hot three days in Greenland when temperatures were 18C higher than average in places. As a result, melting was seen in most of Greenland, across an area about four times the size of the UK.
The recent report from the Intergovernmental Panel on Climate Change concluded it was “unequivocal” that carbon emissions from human activities were heating the planet and causing impacts such as melting ice and rising sea level. <https://www.theguardian.com/environment/2021/aug/09/climate-crisis-unequivocally-caused-by-human-activities-says-ipcc-report>
In May, researchers reported that a significant part of the Greenland ice sheet was nearing a tipping point, after which accelerated melting would become inevitable even if global heating was halted. […] <https://www.theguardian.com/environment/2021/may/17/greenland-ice-sheet-on-brink-of-major-tipping-point-says-study>
“In trials, the AI was able to differentiate between healthy heartbeats from three common arrhythmias with an 88% accuracy rate. In the process, the polymer network consumed less energy than a pacemaker. The potential applications for implantable AI systems are manifold: For example, they could be used to monitor cardiac arrhythmias or complications after surgery and report them to both doctors and patients via smartphone, allowing for swift medical assistance.”
I could not locate statistics on heart attacks directly attributed to rhythm-specific conditions such as atrial fibrillation, ventricular fibrillation, tachycardia, etc. versus those arising from arteriosclerosis, pericarditis, etc.
The CDC estimates that ~805K US persons will experience a heart attack per year (See “Heart Disease Facts,” retrieved from https://www.cdc.gov/heartdisease/facts.htm on 22AUG2021).
By “accuracy,” I assume the essay means the technology correctly detects the anticipated/trained arrhythmia it was presented versus a false positive/negative detection outcome.
Assuming there's a 12% false negative/positive arrhythmia detection via this experimental implanted heart monitor technology, that implies 0.12*805K = 96.6K potential false negative/positive incidents per year in the US.
This false negative/positive detection rate implies: (1) For false negatives, it means the arrhythmia WAS NOT detected by the device, and the patient experienced the symptom, and no therapy was applied by a pacemaker or cardiodefibrillator; or, (2) for false positives, it means an unrecognized, possibly fictitious arrhythmia signal WAS detected and the pacemaker or cardiodefibrillator therapy (an electric shock) was inappropriately applied—meaning it was unnecessary/extraneous.
Consult https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfTPLC/tplc.cfm?id=1039&min_report_year=2016 for a summary of product code LWS, which documents a class of implanted cardiodefibrillator medical device report events between 01JAN2016-31JUL2021.
That TPLC summary contains this URL which documents over 10000 “inappropriate therapy” cardiodefibrillator events experienced by patients during the 01JAN2016 to 31JUL2021 period:
“Unfortunately, there is a tendency of criminologists and policymakers to attempt to reform the criminal justice system using strategies that don't consider community-led initiatives as viable solutions. The emphasis on BWCs [body-worn cameras] over other possibilities offers a similar case in point.”
Risk: Overtrust in technology as a law enforcement accountability measure.
Hospitals and Insurers Didn't Want You to See These Prices. Here's Why.
As remote work gets prolonged because of the delta variant, more companies are tracking what employees do at home
There are a lot of things your employer doesn't know right now — like the future of remote work or when the coronavirus pandemic might end.
But your activity during the workday is less of a mystery.
The pandemic pushed many into work-from-home setups, and companies turned to employee data to keep tabs on their workforces. Your company can get access to almost everything you do electronically, and monitoring software makes that data easy to collect and analyze.
As some employees see work-from-home time extended because of the delta variant spreading across the world, reliance on employee tracking is staying steady at lockdown-level highs, say executives at monitoring software firms.
Elizabeth Harz, chief executive of Connecticut-based employee monitoring software provider InterGuard, said one of her clients came to her convinced that remote work would mean “economic ruin” for his company. That was until the client saw what InterGuard could do for his newly dispersed workforce, Harz said. The software tracks employees' productivity, down to how long it takes to respond to emails. “They woke up in 2021 and said, ‘Half of our employees don't even work where we are anymore’.”
Eager to bring back their employees, companies are wrestling with how best to verify vaccination status, and some are using tech tools to help.
At a time when more people use voice assistants to retrieve the most basic information, Microsoft's Cortana doesn't provide even the basics about protecting against the coronavirus.
Asking a voice assistant to search the Internet for essential health information. What could go wrong?
A critical vulnerability in Cisco Small Business Routers will not be patched by the networking equipment giant, since the devices reached end-of-life in 2019.
Tracked as CVE-2021-34730 (CVSS score: 9.8), the issue resides in the routers' Universal Plug-and-Play (UPnP) service, enabling an unauthenticated, remote attacker to execute arbitrary code or cause an affected device to restart unexpectedly, resulting in a denial of service (DoS) condition.
The vulnerability, which the company said is due to improper validation of incoming UPnP traffic, could be abused to send a specially-crafted UPnP request to an affected device, resulting in remote code execution as the root user on the underlying operating system.
“Cisco has not released and will not release software updates to address the vulnerability,” the company noted in an advisory published Wednesday. “The Cisco Small Business RV110W, RV130, RV130W, and RV215W Routers have entered the end-of-life process. Customers are encouraged to migrate to the Cisco Small Business RV132W, RV160, or RV160W Routers.” <https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cisco-sb-rv-overflow-htpymMB5> <https://www.cisco.com/c/en/us/products/collateral/routers/small-business-rv-series-routers/eos-eol-notice-c51-742771.pdf>
The issue impacts the following products —
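The practical question for anyone running a small-office network after an advisory like this is whether any of the named end-of-life models are still answering UPnP on the LAN. The following is an added example, not Cisco's code and not part of the article: it takes SSDP discovery replies, reads the UPnP device-description document each reply's LOCATION header points to, and flags devices whose manufacturer is Cisco and whose model name is one of the four routers the advisory lists. The four model names come from the advisory quoted above; the addresses, SSDP replies and XML documents are constructed sample data, and the HTTP fetch of each LOCATION is replaced by an in-memory lookup so the code runs offline.

```python
"""Flag end-of-life Cisco RV routers that still advertise a UPnP service.

Added example (not Cisco's code). A live collector would send an SSDP M-SEARCH
to 239.255.255.250:1900 and GET each LOCATION URL; here both steps are replaced
by constructed data so the inventory logic can be run and checked offline.
"""
import xml.etree.ElementTree as ET

# Models the quoted advisory names as end-of-life with no fix forthcoming.
EOL_UNPATCHED = {"RV110W", "RV130", "RV130W", "RV215W"}

UPNP_NS = "{urn:schemas-upnp-org:device-1-0}"  # namespace used by UPnP device descriptions


def _description(manufacturer: str, model: str) -> str:
    """Build a minimal UPnP device-description document (constructed sample, not a real capture)."""
    return (
        '<root xmlns="urn:schemas-upnp-org:device-1-0"><device>'
        "<deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>"
        f"<friendlyName>{model}</friendlyName><manufacturer>{manufacturer}</manufacturer>"
        f"<modelName>{model}</modelName></device></root>"
    )


def _ssdp_reply(addr: str) -> str:
    """Constructed SSDP unicast reply; the real SERVER string of these devices is not assumed."""
    return (
        "HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\nST: upnp:rootdevice\r\n"
        f"LOCATION: http://{addr}:1900/rootDesc.xml\r\nSERVER: Linux UPnP/1.0\r\n\r\n"
    )


# Constructed replies; addresses come from the 192.0.2.0/24 documentation range.
SSDP_RESPONSES = [(a, _ssdp_reply(a)) for a in
                  ("192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5")]

# What fetching each LOCATION would return. 192.0.2.5 is deliberately absent (fetch failed).
DEVICE_DESCRIPTIONS = {
    "http://192.0.2.1:1900/rootDesc.xml": _description("Cisco", "RV130W"),
    "http://192.0.2.2:1900/rootDesc.xml": _description("Cisco", "RV160"),        # replacement model
    "http://192.0.2.3:1900/rootDesc.xml": _description("ExampleCorp", "RV130W"),  # same string, other vendor
    "http://192.0.2.4:1900/rootDesc.xml": _description("Cisco", "RV215W"),
}


def parse_ssdp_headers(raw: str) -> dict:
    """Parse the header block of an SSDP (HTTP-over-UDP) reply into a dict with lowercase keys."""
    headers = {}
    for line in raw.split("\r\n")[1:]:  # skip the status line
        if not line:
            break
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers


def device_model(description_xml: str) -> tuple:
    """Return (manufacturer, modelName) from a UPnP device-description document."""
    root = ET.fromstring(description_xml)
    device = root.find(f"{UPNP_NS}device")
    if device is None:
        return ("", "")
    manufacturer = device.findtext(f"{UPNP_NS}manufacturer", default="")
    model = device.findtext(f"{UPNP_NS}modelName", default="")
    return (manufacturer.strip(), model.strip())


def inventory(responses, descriptions) -> list:
    """One record per responding device; unreachable descriptions yield empty vendor/model."""
    records = []
    for addr, raw in responses:
        location = parse_ssdp_headers(raw).get("location", "")
        manufacturer, model = ("", "")
        if location in descriptions:
            manufacturer, model = device_model(descriptions[location])
        flagged = manufacturer.lower() == "cisco" and model.upper() in EOL_UNPATCHED
        records.append({"addr": addr, "location": location, "manufacturer": manufacturer,
                        "model": model, "eol_unpatched": flagged})
    return records


def flagged_addresses(responses=SSDP_RESPONSES, descriptions=DEVICE_DESCRIPTIONS) -> list:
    """Addresses of Cisco devices that match an end-of-life, unpatched model and still answer UPnP."""
    return sorted(r["addr"] for r in inventory(responses, descriptions) if r["eol_unpatched"])


if __name__ == "__main__":
    for record in inventory(SSDP_RESPONSES, DEVICE_DESCRIPTIONS):
        print(record)
    print("EoL routers still advertising UPnP:", flagged_addresses())
```

Two design points worth keeping in a real collector: the model string alone is not enough (another vendor could use the same label, so the manufacturer element is checked too), and a device whose description cannot be fetched is still listed rather than silently dropped, because "answers SSDP but hides its description" is itself something an operator wants to look at.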
A Nigerian threat actor has been observed attempting to recruit employees by offering to pay them $1 million in bitcoin to deploy Black Kingdom ransomware on companies' networks as part of an insider threat scheme.
“The sender tells the employee that if they're able to deploy ransomware on a company computer or Windows server, then they would be paid $1 million in bitcoin, or 40% of the presumed $2.5 million ransom,” Abnormal Security said in a report published Thursday. “The employee is told they can launch the ransomware physically or remotely. The sender provided two methods to contact them if the employee is interested: an Outlook email account and a Telegram username.” <https://abnormalsecurity.com/blog/nigerian-ransomware-soliciting-employees-demonware/>
Black Kingdom, also known as DemonWare and DEMON, attracted attention earlier this March when threat actors were found exploiting ProxyLogon flaws <https://thehackernews.com/2021/03/black-kingdom-ransomware-hunting.html> impacting Microsoft Exchange Servers to infect unpatched systems with the ransomware strain.
Abnormal Security, which detected and blocked the phishing emails on August 12, responded to the solicitation attempt by creating a fictitious persona and reached out to the actor on Telegram messenger, only to have the individual inadvertently spill the attack's modus operandi, which included two links for an executable ransomware payload that the “employee” could download from WeTransfer or Mega.nz. […] https://thehackernews.com/2021/08/cybercrime-group-asking-insiders-for.html
Criminal hackers will try almost anything to get inside a profitable enterprise and secure a million-dollar payday from a ransomware infection. Apparently now that includes emailing employees directly and asking them to unleash the malware inside their employer's network in exchange for a percentage of any ransom amount paid by the victim company.
Crane Hassold, director of threat intelligence at Abnormal Security, described what happened after he adopted a fake persona and responded to the proposal in the screenshot above. It offered to pay him 40 percent of a million-dollar ransom demand if he agreed to launch their malware inside his employer's network. <https://abnormalsecurity.com/blog/nigerian-ransomware-soliciting-employees-demonware/>
This particular scammer was fairly chatty, and over the course of five days it emerged that Hassold's correspondent was forced to change up his initial approach in planning to deploy the DemonWare ransomware strain, which is freely available on GitHub. <https://arstechnica.com/gadgets/2021/03/ransomware-operators-are-piling-on-already-hacked-exchange-servers/>
“According to this actor, he had originally intended to send his targets, all senior-level executives, phishing emails to compromise their accounts, but after that was unsuccessful, he pivoted to this ransomware pretext,” Hassold wrote.
Abnormal Security documented how it tied the email back to a young man in Nigeria who acknowledged he was trying to save up money to help fund a new social network he is building called Sociogram. […] https://krebsonsecurity.com/2021/08/wanted-disgruntled-employees-to-deploy-ransomware/
The NYTimes has another excellent podcast of interest, on “The Daily” for this past Friday, on Apple's new CSAM proposal:
Here's one more take on the situation that is worth reading, “This is not a slippery slope. It is a cliff.”, if you are confused by all of the ongoing back-and-forths.
“This is not a slippery slope. It is a cliff.”
He spent years inside the iPhone leaks and jailbreak community. He was also spying for Apple.
[via David Farber <email@example.com>]
The traditional landline phone will be consigned to the rubbish bin by 2025, at least as far as telephone companies in the United Kingdom are concerned.
The move comes as the telecommunications industry wants to no longer have to maintain the [copper] wires and switching gear required for landline phones, and also wants to be able to offer more robust Internet services.
Chris Stokel-Walker, New Scientist, 17 Aug 2021 via ACM TechNews, 23 Aug 2021
Arizona State University (ASU) researchers have found that hackers could exploit virtual private networks (VPNs) to strip users' anonymity and send them to bogus websites by tapping what ASU's William Tolley calls “a fundamental networking vulnerability.” The attack relies on observing the presence and size of the data packets routed along the VPN. Attackers first send different-sized packets to different entry/exit ports; if a packet is forwarded, that signals that the targeted port is the correct one. They can then send packets whose source address has been altered to seem as if they originate from one of the legitimate ends of the connection. The researchers say they have alerted a number of VPN providers to the attack, but it is unlikely that all currently used networks will be patched. Tolley said, “Our advice is to avoid VPNs if you're trying to keep your information private from government entities, or something like that.”
I received two notices like the one below, minutes apart.
Clicked link for not recognizing activity.
I'm left at a generic eBay page, nothing related to reporting suspicious activity.
Look around, click Contact link, taken to generic list of reasons to contact eBay.
Find “Suspicious activity” link; it takes me to generic advice—if you can still log on, change password. Do a couple other things. If that doesn't work, come back and try to reach us.
Since I had no stored payment method, plus I have 2FA turned on, I'm not sure what my exposure is. But if they actually WANTED to know about bogus attempts, they might make it easier to reach them. So this isn't even very convincing security theater.
Subject: Confirm it's you to access your eBay account - August 20, 2021
Date: Fri, 20 Aug 2021 11:11:33 -0700
From: eBay <eBay@ebay.com>
To: firstname.lastname@example.org
We need to confirm you have access to this account, Gabriel. eBay [horrible URL removed] Please confirm your identity to access your eBay account
Hi Gabriel, It looks like you're having trouble signing into your account.
Please select the ‘confirm’ button to verify your identity and access your account. (It's only good for 24 hours.)
If you don't recognize this activity, please contact us. Confirm [horrible URL removed] eBay is committed to your privacy. Read our user agreement [horrible URL removed] and privacy notice [horrible URL removed] Learn how to recognize fake (spoof) emails [horrible URL removed]
We don't check replies sent to this email. If you have questions, we want to help you find an answer [horrible URL removed]
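The notice above asks the recipient to click a “confirm” button whose URL the poster could not sensibly reproduce, which is exactly the situation in which a reader wants to know where the links go before clicking any of them. The following is an added example, not eBay's code and not part of the post: it parses a message of the same shape, pulls every link out of the HTML body, and reports whether each link's host belongs to the sender's domain, merely contains the sender's domain as a decoy (a lookalike), or points at an unrelated third party. The message is constructed, with the removed URLs replaced by invented ones under the reserved example.net/example.org documentation domains; the domain comparison uses a two-label simplification rather than a public-suffix list.

```python
"""Report where the links in a "confirm your account" e-mail actually lead.

Added example (not eBay's code). The sample message is constructed to mirror the
notice quoted in the post; a real message would be loaded from a file with
email.message_from_bytes instead of the inline string.
"""
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed message. example.net / example.org are reserved documentation domains.
SAMPLE_EMAIL = """From: eBay <eBay@ebay.com>
To: recipient@example.org
Subject: Confirm it's you to access your eBay account
Content-Type: text/html; charset=utf-8

<html><body>
<p>Hi, it looks like you're having trouble signing into your account.</p>
<a href="https://www.ebay.com/signin/verify?token=abc">Confirm</a>
<a href="https://ebay.com.account-check.example.net/confirm">If you don't recognize this activity, contact us</a>
<a href="http://click.mailer.example.net/r/9f8e?u=ebay">Read our user agreement</a>
<a href="https://pages.ebay.com/help/policies/privacy-policy.html">privacy notice</a>
</body></html>
"""


class LinkCollector(HTMLParser):
    """Collect the href and visible anchor text of every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # list of (href, anchor text)
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two DNS labels of a host. Simplification: multi-label public suffixes (co.uk) are not handled."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def audit_links(raw_message: str) -> list:
    """Return (anchor text, link host, verdict) for each link in the message body.

    Verdicts: "ok" when the link's registrable domain equals the From address's
    domain; "lookalike" when the sender's domain appears inside a different host;
    "third-party" otherwise (tracking redirectors land here).
    """
    msg = message_from_string(raw_message)
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rsplit("@", 1)[-1].lower()
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8")
    collector = LinkCollector()
    collector.feed(body)
    results = []
    for href, text in collector.links:
        host = urlsplit(href).hostname or ""
        if registrable_domain(host) == registrable_domain(sender_domain):
            verdict = "ok"
        elif sender_domain in host:
            verdict = "lookalike"
        else:
            verdict = "third-party"
        results.append((text, host, verdict))
    return results


if __name__ == "__main__":
    for text, host, verdict in audit_links(SAMPLE_EMAIL):
        print(f"{verdict:12} {host:40} {text}")
```

A "third-party" verdict is not proof of spoofing: legitimate mailers routinely route clicks through a tracking domain, which is part of why the removed URLs in the post were so long. The point of the check is that a link advertised as "contact us" should not need a decoy host to get there, and a reader who sees "lookalike" next to the confirm button has a concrete reason to type the site's address by hand instead of clicking.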