Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…
The malware was revealed as Russian troops remain massed at the Ukrainian border, and after Ukrainian government agencies had their websites defaced. https://www.nytimes.com/2022/01/16/us/politics/microsoft-ukraine-cyberattack.html https://www.microsoft.com/security/blog/2022/01/15/destructive-malware-targeting-ukrainian-organizations/
Sue Halpern, *The New Yorker*, 17 Jan 2022 Artificial intelligence is being taught to fly warplanes. Can the technology be trusted? https://www.newyorker.com/magazine/2022/01/24/the-rise-of-ai-fighter-pilots
Erin Mulvaney, *Bloomberg Law*, 29 Dec 2021, via ACM TechNews, 10 Jan 2022 Artificial intelligence (AI)-related hiring discrimination has prompted regulatory action, with New York City banning employers from using automated employment decision tools for screening job applicants in lieu of a bias audit. Meanwhile, District of Columbia Attorney General Karl Racine has announced proposed legislation to address algorithmic discrimination by mandating annual corporate technology audits. The U.S. Equal Employment Opportunity Commission's Charlotte Burrows said up to 83% of employers, and as many as 90% of Fortune 500 companies, use automated tools to screen or rank job candidates; she warned these technologies "could be used to mask or even perpetuate existing discrimination and create new discriminatory barriers to jobs." Civil rights groups like the Surveillance Technology Oversight Project (STOP) worry that New York's measure could enable more AI bias, and have proposed banning biased technology altogether. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2dbd4x23061ex072805&
Allison Murray, *ZDNet*, 20 Jan 2022, via ACM TechNews, 21 Jan 2022 Medical cybersecurity platform Cynerio's 2022 State of Healthcare IoT Device Security Report estimates 53% of connected medical devices in hospitals have critical flaws, including a third of bedside devices. Cynerio analyzed more than 10 million medical devices at over 300 global hospitals and medical facilities and found, among other things, that 73% of infusion pumps, constituting 38% of hospital Internet of Things (IoT) inventory, possess some type of vulnerability. Cynerio warns hacked medical devices would affect hospital service availability, data confidentiality, and patient safety. Said Cynerio's Daniel Brodie, "Hospitals and health systems don't need more data--they need advanced solutions that mitigate risks and empower them to fight back against cyberattacks, and as medical device security it's time for all of us to step up." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2dd2ex230a3fx074115&
Rachel Gordon, MIT Computer Science and Artificial Intelligence Laboratory, 14 Jan 2022, via ACM TechNews, 21 Jan 2022 The Twist programming language created by researchers in the Massachusetts Institute of Technology (MIT) Computer Science and Artificial Intelligence Laboratory is designed to codify quantum computing. Twist can characterize and verify which pieces of data are entangled in a quantum algorithm, and applies the concept of purity, which enforces the absence of quantum entanglement, to produce intuitive programs with fewer flaws. MIT's Charles Yuan said, "Because understanding quantum programs requires understanding entanglement, we hope that Twist paves the way to languages that make the unique challenges of quantum computing more accessible to programmers." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2dd2ex230a40x074115&
Data of European citizens may not be stored in the USA without further considerations. This is stated in a ruling by the European Court of Justice (ECJ) from the summer of 2020. However, many companies violate this requirement on a daily basis, as does the European Parliament. Parliament had installed cookies from Google Analytics and the payment service provider Stripe on its website. European Data Protection Supervisor Wojciech Wiewiorowski investigated the cookies and has now concluded that they should not have been used. He issued a cease-and-desist order. https://www.handelsblatt.com/politik/international/dsgvo-europaparlament-missachtet-datenschutz-warnung-an-unternehmen/27964838.html
The 2020 Olympics are coming up. I have more reason than normal to ignore them this year, but I noted a news story about the "My 2020" app, and its security problems. All athletes, coaches, officials, and the vanishingly small number of "guests" that are allowed at this year's Olympics, are to use the "My 2020" app, which is provided by China. It seems to provide information and schedules, but it also collects detailed information about all attendees, including CoVID test status (on a very regular basis). The thing is, it's insecure. As most such apps do, it connects to a central server to collect and dump data. Most apps do a bit of verification of that server. My 2020 does not. So, of course, it would be relatively trivial to set up a fake server, collect all kinds of data and personal information (for example, loads of names, birthdates, and passport numbers, as well as the aforementioned CoVID results), and give out misinformation or Disinformation about schedules, events, locations, and generally mess with the games. I think I'll have a heart attack and die from *NOT* being surprised that the Chinese government failed to take this simple security precaution. You have to understand that there is a difference in mindset. Here in "the West" (being from BC, I tend to think of myself as being from the far, far east), the computer security field started with an interest in confidentiality. It was only later that we, in information security, expanded our interest to include integrity and availability. But the Chinese government has never been interested in confidentiality and privacy. (At least, not for their citizens.) The Chinese government always wants to know everything there is to know about anyone in China. (Or anyone outside of China, for that matter.) Privacy is a non-issue. (To the government.) This is why encryption is almost unheard of in China. Even most government and military personnel and officials (with the exception of a very, very few) do not have their communications protected by encryption. (Other governments therefore find it trivially easy to snoop on the bulk of military and government communications traffic in China.) So, since the government of China is primarily interested in availability (of the opportunity to snoop on visitors), the lack of server authentication is unsurprising. It may not have occurred to anyone that it might be a problem. It may even be a design feature, from the Chinese perspective, rather than a flaw. After all, if anyone can set up a fake server, collect information, and provide disinformation, so can the Chinese government. With impunity and total deniability. [Lauren Weinstein suggests visiting this item: China's Olympic app contains 'simple but devastating' flaw (CTVnews) https://www.ctvnews.ca/sci-tech/china-s-olympic-app-contains-simple-but-devastating-flaw-1.5744221 PGN]
The FBI is seeing so much activity around malicious Google Voice activity, where victims are associated with fraudulent virtual phone numbers, that it sent out an alert this week. https://threatpost.com/google-voice-authentication-scam/177421/
Anybody else getting lots of Media Message Service messages, ostensibly from twelve digit phone numbers? I have no idea what they are trying to get me to do, since this phone doesn't have a data plan, and, regardless of what the cell companies tell you when they sell you the plan, without buying extra data you cannot receive MMS messages. (I'm also getting lots of robot phone calls warning me about extraneous charges on my Visa. Which, presumably, they can catch and fix as long as I wire money somewhere for some reason ...)
Re: Boeing and Airbus warn US over 5 G safety concerns (bbc.com) This is a long running fight between the FAA and FCC. Neither side has covered itself in glory but the FAA has been a lot worse. For 15 years we have known that old cruddy radio altimeters are subject to interference from adjacent bands including the new 5G C-band. The sensible approach would have been for the FAA and FCC to work together on a combination of finding and replacing the old altimeters perhaps with subsidies from the telcos, and power limits on C-band cells near runways. Instead we get dueling press releases. Forty other countries have worked this out with the same altimeters and same 5G band. What do they know that we don't?
Following on from the risk highlighted after Christmas (RISKS-33.01), it now appears that the airline / mobile ( cellular) operator deal was only a temporary halt. The risk still remains—in the U.S. the frequencies used by 5G overlap with those used by critical safety devices fitted to aircraft. Aircraft systems are built to an international standard and hence can't be changed. https://www.theguardian.com/technology/2022/jan/17/us-airline-officials-crisis-5 Airlines have identified 50+ airports that could be impacted and Bloomberg has identified that medevac helicopters could also be impacted. https://www.bloomberg.com/news/articles/2022-01-13/medevac-helicopter-flights-risk-grounding-with-5g-deadline-ahead
https://techxplore.com/news/2022-01-faa-boeing-5g.html Federal safety officials are directing operators of some Boeing planes to adopt extra procedures when landing on wet or snowy runways near impending 5G service because, they say, interference from the wireless networks could mean that the planes need more room to land. The Federal Aviation Administration said Friday that interference could delay systems like thrust reversers on Boeing 787s from kicking in, leaving only the brakes to slow the plane. That 'could prevent an aircraft from stopping on the runway,' the FAA said."
https://phys.org/news/2022-01-palomar-survey-instrument-impact-starlink.html “In 2019, 0.5 percent of twilight images were affected, and now almost 20 percent are affected,'' says Przemek Mróz, study lead author and a former Caltech postdoctoral scholar who is now at the University of Warsaw in Poland. ... There is a small chance that we would miss an asteroid or another event hidden behind a satellite streak, but compared to the impact of weather, such as a cloudy sky, these are rather small effects for ZTF [Zwicky Transient Facility]. Private satellite constellations pollute Earth-based astronomical observations.
https://www.bbc.com/news/uk-england-cambridgeshire-60084347 Like a page from Asimov's "I, Robot." The article notes that "Nature abhors a vacuum." [RS] [HOO-VERy-likely other than the BBC might have thought of that? PGN]
Not surprising, but that doesn't mean it is okay: https://citizenlab.ca/2022/01/cross-country-exposure-analysis-my2022-olymp= ics-app/
Key Findings The Citizen Lab and Access Now have conducted a joint investigation into Pegasus hacking in El Salvador in collaboration with Frontline Defenders, SocialTIC, and Fundación Acceso. We confirmed 35 cases of journalists and members of civil society whose phones were successfully infected with NSOâs Pegasus spyware between July 2020 and November 2021. We shared a sample of forensic data with Amnesty International's Security Lab which independently confirms the findings. Targets included journalists at El Faro, GatoEncerrado, La Prensa Gráfica, Revista Digital Disruptiva, Diario El Mundo, El Diario de Hoy, and two independent journalists. Civil society targets included Fundación DTJ, Cristosal, and another NGO.
Aren't these so-called smart speakers really driven by humans in the back room, pretending to be AI? Which is why I don't use them, both to avoid being an unpaid tester to make some co rich, and because it's pathetic that they are nowhere near to having real AI, and so it's a huge privacy violation to have dopey humans listening in, and in this case issuing dopey ideas to kids. My take, no AI would have made that suggestion. That was a phony AI, like a chess player with a midget inside! A chess player who should be fired.
> ... one way to do that is to require a subscription for some pretty basic > services What next? "Subscribe to the basic steering wheel package (right turns only) for just $5 a month, or opt for the delux package (includes both left *and* right turns) for only $8 a month!!!"
I warned about this class of attacks a few months back (RISKS 32.93). Although I must admit the attackers took the next step. I was concerned about attackers replacing legitimate QR codes (e.g., on menus) with their own versions. In this attack, however, Austin doesn't actually put QR codes on meters." The attackers just added their own. People have no become so accustomed to scanning QRcodes that they don't question even their presence. This opens the attack surface wide. How about a "scan for hours and menu" QR code on the outside glass of a restaurant? If they are closed on Monday, how many passers-by will it catch if placed there early Monday morning -- with no one from the store even being present to notice until Tuesday? Similar attacks work all over the place. Any store window. The doors of cars on a dealer lot—"Scan for our best price on this beauty!" At the entrance to a Mall: "Scan for a map." Or at an office building: "Scan for a tenant list." The commuter rail lines around NY have an app that allows you to pay for your ticket; you then show your phone to the conductor when he checks for tickets. For those who don't have the app ... imagine a QR code that says "Beat the rush! Scan here to buy an eTicket." The important thing to realize is that an "addition" attack—unlike a "replacement" attack—leaves the owner of the physical object where the code is presented entirely out of the loop. A restaurant using QR codes for menus, say, could in principle have a sign on the wall with a picture to be matched to the presented menu. It could change very day—or, if presented on a screen, every 10 minutes. How effective this would be—how often people would actually look and compare—is questionable, but it's at least a way to provide some degree of authentication. But what's Austin to do: Post signs everywhere telling people "we don't use QR codes"? How effective is that likely to be. We've spent decades (mainly unsuccessfully) teaching people not to click on links in unsolicited emails. QR codes are even worse. Since they are essentially * never* solicited in any meaningful sense ... "intent" is no longer a meaningful distinction. They are completely unparseable to human beings. Even if a QR code reader showed the URL on the phone's screen with a "click if this is OK" ... given that the whole purpose of the code is provide a quick, frictionless interface, what are the odds people will read the incomprehensible—even the legitimate ones are not intended for human comprehension - URL's that result? QR codes. Just say no.
The mathematical relationship "more than" does not need further interpretation. It is the measurement itself that needs interpreting. If the displacement is measured at precisely 1/32 of an inch, then the actual measurement is 1/32 of an inch plus or minus the error in the reading. This error is very unlikely to be precisely zero. So the probability of the actual measurement being *more than* 1/32 of an inch is very close to 50%. So the question is: should a car be taken out of service if there is close to a 50% chance that it is out of spec? Put this way, I think it is reasonable to err on the side of safety.
To be fair, the technicians may well understand both the meaning of "More than" and that small length measurements need to be specified as a function of their environment. The metro specification requires a measurement accuracy of at least 1/32 of an inch. But steel expands approximately .07% per 100 degrees F. For a measurement of 53 5/16 of inches, a 100 degree difference works out to be .037 inches > 1/32 inch. Working backwards, an 85 degree F difference could result in a greater than 1/32 inch expansion. It seems to me that the real risk is in a specification of an absolute length deviation without ALSO specifying the temperature at which the measurement must be made. FWIW: Coincidentally, Adam Savage (of Myth Busters) recently produced a wonderful video (https://youtu.be/qE7dYhpI_bI) on why all sufficiently precise measurements are a function of their environment. Perhaps the technicians are Adam Savage fans.
Please report problems with the web pages to the maintainer