The RISKS Digest
Volume 33 Issue 23

Friday, 27th May 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…


3+ Years Later and Millions of U.S. Patient X-Rays are Still Exposed to Internet by Insecure PACS Servers"
Shawn Merdinger
Artificial intelligence predicts patients' race from their medical images
Touch Screens in Cars Solve a Problem We Didn't Have
Jay Caspian Kang
Autonomous vehicles can be tricked into dangerous driving behavior
Could contact lenses be the ultimate computer screen?
Accused of Cheating by an Algorithm, and a Professor She Had Never Met
'Tough to Forge' Digital Driver's License Actually Easy to Forge
Dan Goodin
New Zoom Flaws Could Let Attackers Hack Victims Just by Sending them a Message
geoff goodfellow
Cyber-attacks could jeopardize global food supplies
Crypto is a solution in search of a problem
How Influencers Hype Crypto, Without Disclosing Their Financial Ties
Researchers Find Backdoor in WordPress Plugin for Schools
Dan Goodin
Scientists Learn to Kill Cyberattacks in Less Than a Second
Vigilante scratching out QR codes on illegally parked scooters around Denver
Apple shipped me a 79-pound iPhone repair kit to fix a 1.1 ounce battery
The Verge
A Face Search Engine Anyone Can Use Is Alarmingly Accurate
A tale of 31 burgers ordered from DoorDash by a 2-year old
Russia's laser weapon claim derided as propaganda
BBC News
Russian Botnet Can Spam Social Media on 'Massive Scale'
This Hacktivist Site Lets You Prank Call Russian Officials
Is your face gay? Conservative? Criminal? AI researchers are asking the wrong questions
Trenton W. Ford
Grief fraud
Rob Slade
ACM makes back archives available for free
Lauren Weinstein
Cybercriminals target metaverse investors with phishing scams
'Elon Musk's Crash Course' shows the tragic cost of his leadership
Re: ACM, Ethics, and Corporate Behavior
Richard Stein
Info on RISKS (comp.risks)

3+ Years Later and Millions of U.S. Patient X-Rays are Still Exposed to Internet by Insecure PACS Servers"

Shawn Merdinger <>
Thu, 19 May 2022 20:25:19 -0400
Some readers might find this of interest.

Artificial intelligence predicts patients' race from their medical images (

Richard Stein <>
Sun, 22 May 2022 12:27:12 +0800

"For example, the bone density test used images where the thicker part of
the bone appeared white, and the thinner part appeared more gray or
translucent. Scientists assumed that since Black people generally have
higher bone mineral density, the color differences helped the AI models to
detect race. To cut that off, they clipped the images with a filter, so the
model couldn't color differences. It turned out that cutting off the color
supply didn't faze the model—it still could accurately predict
races. (The "Area Under the Curve" value, meaning the measure of the
accuracy of a quantitative diagnostic test, was 0.94“0.96). As such, the
learned features of the model appeared to rely on all regions of the image,
meaning that controlling this type of algorithmic behavior presents a messy,
challenging problem."

Ethnic identity detection and determination via AI-enhanced diagnostic image
analysis may be applied to marginalize patient populations that postpone or
deny effective medical treatments.

Touch Screens in Cars Solve a Problem We Didn't Have (Jay Caspian Kang)

Gabe Goldberg <>
Tue, 24 May 2022 00:29:23 -0400
Jay Caspian Kang, *The New York Times*, from a Subscriber-only Newsletter

Despite my best efforts to stay young at heart, I have somehow reached the
point in my life - 42 years old, dad, mostly sedentary—where I feel
perpetually assaulted by small changes in my daily routine.

This was certainly an expected development, but one I feel relatively
powerless against. And because I believe that a writer should age with his
audience (nothing is sadder than a columnist who spends a clueless decade or
so pretending like he's still one of the cool kids), I want to introduce
what will be a recurring segment in this newsletter. The official name is
still pending, but a good working title might be "Get Off My Lawn: A
42-Year-Old Dad Complains About Change." I make no promises about how often
these pieces will appear, but I hope to treat it like a Quaker meeting in
which I will speak when the spirit of small grievances moves me.

Today, I want to talk about the oversized touch screen in my Subaru Outback.
All my car's important functions, which once were controlled by perfectly
serviceable buttons, have now been relegated to a matrix of little boxes on
a glowing screen. And of course the screen does not even really comply with
my commands. Instead, it randomly changes its brightness and then
disconnects my phone at the exact moment when I actually need to look at the
navigation map.

Autonomous vehicles can be tricked into dangerous driving behavior (

Richard Stein <>
Fri, 27 May 2022 07:20:32 +0800

"When a driverless car is in motion, one faulty decision by its
collision-avoidance system can lead to disaster, but researchers at the
University of California, Irvine have identified another possible risk:
Autonomous vehicles can be tricked into an abrupt halt or other undesired
driving behavior by the placement of an ordinary object on the side of the

Without human-like, contextual interpretation and reasoning, an AV's CAS
cannot discriminate a cardboard box from a concrete block.

When an obstacle appears, the CAS will try to determine an avoidance path as
a deterministic outcome—if there's no traffic in other lanes.

At highway speed with following traffic, a CAS stop-decision is dangerous.
The trolley problem at work.

[A scaredy-car?!]

Could contact lenses be the ultimate computer screen? (

Richard Stein <>
Fri, 20 May 2022 13:37:52 +0800

Who wouldn't want the programmable super-eyesight of the "Cyborg" in Martin
Caidin's novel? Programmable contact lenses are under development. These
devices, hardware and apps, might one day be available off-the-shelf in your
supermarket or drugstore to imbue you with visual acuity rivaling "The 6
Million Dollar Man."

But more than vision enhancement, these eye-wearable plugins (eye-ins?)  will
monitor your vital signs, live-stream your field of view, enable wireless
GUI navigation...the eye is the limit.

The US Centers for Disease Control estimates ~45M people in the US wear
contact lenses everyday. retrieved on 20MAY2022.

Contact lenses are generally safe medical devices, but can injure (corneal
ulcers, keratitis, etc.), and also malfunction (lens crack, deformation,
scratch, etc.).

Patient death-by-contact lens medical device reports are not revealed by
searching the FDA MAUDE system between 01JAN2017 and 29APR2022 for product
codes LPL and LPM.

The Johnson and Johnson Vision Care Inc. recall of 27MAR2018 included 3
classes of daily wear contacts affecting ~500K lenses. See the LPL product
code records below. Other manufacturer recall notifications, which I did not
inspect in detail, apparently affect smaller numbers of lenses (generally).

MEDICAL DEVICE REPORTS PRODUCT CODE LPL—lenses, soft contact, daily wear;

MDR Year,MDR Reports,MDR Events


Manufacturer,Recall Class,Date Posted
Alden Optical,II,Mar-13-2018
Chengdu Ai Qin E-commerce Co., Ltd,II,Jul-27-2020
Clerio Vision,II,Apr-05-2021
Clerio Vision,II,Jan-08-2021
CooperVision Inc.,II,Jul-27-2021
Johnson & Johnson Vision Care, Inc.,II,Jun-16-2021
Johnson & Johnson Vision Care, Inc.,II,Apr-11-2019
Johnson & Johnson Vision Care, Inc.,II,Aug-23-2018
Johnson & Johnson Vision Care, Inc.,II,Mar-27-2018
The See Clear Company,II,Mar-03-201

extended wear; see
retrieved on 20MAY2022.

MDR Year,MDR Reports,MDR Events


Manufacturer,Recall Class,Date Posted
Allied Vision Group Inc,II,Apr-29-2020
CooperVision Inc.,II,Jan-27-2020
CooperVision Inc.,III,Feb-23-2018
Johnson & Johnson Vision Care, Inc.,II,Mar-27-2018,II,Dec-05-2019

Accused of Cheating by an Algorithm, and a Professor She Had Never

Jan Wolitzky <>
Fri, 27 May 2022 07:05:04 -0400
A Florida teenager taking a biology class at a community college got an
upsetting note this year. A start-up called Honorlock had flagged her as
acting suspiciously during an exam in February. She was, she said in an
email to *The New York Times*, a Black woman who had been *wrongfully
accused of academic dishonesty by an algorithm.*

What happened, however, was more complicated than a simple algorithmic
mistake. It involved several humans, academic bureaucracy and an automated
facial detection tool from Amazon called Rekognition. Despite extensive
data collection, including a recording of the girl, 17, and her screen
while she took the test, the accusation of cheating was ultimately a human
judgment call: Did looking away from the screen mean she was cheating?

The pandemic was a boom time for companies that remotely monitor test
takers, as it became a public health hazard to gather a large group in a
room. Suddenly, millions of people were forced to take bar exams, tests and
quizzes alone at home on their laptops. To prevent the temptation to cheat,
and catch those who did, remote proctoring companies offered web browser
extensions that detect keystrokes and cursor movements, collect audio from a
computer's microphone, and record the screen and the feed from a computer's
camera, bringing surveillance methods used by law enforcement, employers and
domestic abusers into an academic setting.

  [Monty Solomon quoted more from the same article, noting that this is
  an unsettling glimpse at the digitization of education:

  When the student met with the dean and Dr. Orridge by video, she said, she
  told them that she looks down to think, and that she fiddles with her
  hands to jog her memory. They were not swayed. The student was found
  "responsible" for "noncompliance with directions," resulting in a zero on
  the exam and a warning on her record.

  "Who stares at a test the entire time they're taking a test? That's
  ridiculous. That's not how humans work," said Cooper Quintin, a
  technologist at the Electronic Frontier Foundation, a digital rights
  organization. "Normal behaviors are punished by this software."


'Tough to Forge' Digital Driver's License Actually Easy to Forge

ACM TechNews <>
Wed, 25 May 2022 12:23:33 -0400 (EDT)
Dan Goodin, *Ars Technica*, 24 May 2022, via ACM TechNews, 25 May 2022

Security researchers have found that the supposedly hard-to-counterfeit
digital driver's licenses (DDLs) in use in New South Wales, Australia,
actually can be easily altered. Introduced in 2019, DDLs are used with an
iOS or Android application that displays each holder's identity and age, and
permits authentication. Researcher Noah Farmer found the DDL can be cracked
by brute-forcing the four-digit personal identification number that encrypts
the data, which can take less than an hour using publicly available scripts
and a commodity computer. Once a hacker accesses encrypted DDL data, brute
force enables them to read and alter anything stored on the file. Farmer
aired the flaws in a blog post last week; it is not clear how, or if,
Service NSW, which issued the digital driver's licenses, plans to respond.

New Zoom Flaws Could Let Attackers Hack Victims Just by Sending them a Message

geoff goodfellow <>
Tue, 24 May 2022 19:14:52 -1000
Popular video conferencing service Zoom has resolved
<> as many as
four security vulnerabilities, which could be exploited to compromise
another user over chat by sending specially crafted Extensible Messaging and
Presence Protocol (XMPP <>) messages and
execute malicious code.

Tracked from CVE-2022-22784 through CVE-2022-22787, the issues range between
5.9 and 8.1 in severity. Ivan Fratric of Google Project Zero has been
credited with discovering and reporting all the four flaws in February 2022.

Cyber-attacks could jeopardize global food supplies (

Richard Stein <>
Tue, 24 May 2022 09:20:15 +0800

"Digital agriculture is not immune to cyber-attack, as seen by interference
to a U.S. watering system, a meatpacking firm, wool broker software and an
Australian beverage company.

"Extraction of cryptographic or sensitive information from the operation of
physical hardware is termed side-channel attack," adds Flinders co-author
Professor David Glynn.

"These attacks could be easily carried out with physical access to devices,
which the cybersecurity community has not explicitly investigated."

Digital agriculture establishes a farm-to-table cyber attack surface.
Industrial agriculture constitutes critical infrastructure per

[GPS-guided tractors remotely disabled, agronomy sensors gamed, wholesale
price manipulation via crop yield and stockpile estimate hacks, and
point-of-sale skim. Bulk transport accidents. Climate
disruption. Agri-brownout?]

Crypto is a solution in search of a problem (WashPost)

Gabe Goldberg <>
Tue, 24 May 2022 00:26:31 -0400
Crypto[currency] is a solution in search of a problem.  It is dropping
like a rock. Here's why that's a good thing.

Inflation keeps rising, stocks keep falling, a war rages in Europe, and the
budding market for cryptocurrencies and other digital confections is
vaporizing by the day. None of this is cause for joy. But the crypto
implosion at least has a cleansing benefit: It offers an opportunity to mop
up a speculative and overhyped mess that has gotten badly out of control,
snookering gullible investors in the process.

How Influencers Hype Crypto, Without Disclosing Their Financial Ties (NYTimes)

Gabe Goldberg <>
Fri, 27 May 2022 15:33:00 -0400
"I don't know what went absurdly wrong," Mr. Paul said in an interview.
"That's the project from hell, and I just wiped my hands of that."

That pretty much sums it up.

Researchers Find Backdoor in WordPress Plugin for Schools (Dan Goodin)

ACM TechNews <>
Fri, 27 May 2022 12:46:19 -0400 (EDT)
Dan Goodin, (Ars Technica), 20 May 2022, via ACM TechNews, 27 May 2022

Researchers at website security service Jetpack warned that WordPress's
School Management Pro plugin contains a backdoor that enables hackers to
take full control of sites using the package, which is sold to schools. The
researchers said the website operation-management plugin has had the
backdoor since at least version 8.9, which a third-party site said was
issued last August. The researchers confirmed the backdoor via a
proof-of-concept exploit, after support team members disclosed
heavily obfuscated code on several sites that used the plugin. The backdoor,
said the researchers, "allows any attacker to execute arbitrary PHP code on
the site with the plugin installed." Users of the plugin should update it
right away, and scan their sites for signs any new backdoors may have been

Scientists Learn to Kill Cyberattacks in Less Than a Second (Cardiff)

ACM TechNews <>
Mon, 23 May 2022 12:08:08 -0400 (EDT)
Cardiff University News (UK), 19 May 2022, via ACM TechNews, 23 May 2022

Researchers at Cardiff University in the U.K. and European aerospace company
Airbus have developed a technique for automatically detecting and
neutralizing cyberattacks in under a second. The method is based on
monitoring and forecasting malware's behavior, rather than on analyzing its
code structure. The team built a virtual model representing commonly used
laptops, and they tested the detection method on it using thousands of
malware samples. The approach prevented the corruption of up to 92% of
computer files, and wiped out the malware in an average 0.3 seconds. Airbus'
Matilda Rhode said, "This is an important step towards an automated
real-time detection system that would not only benefit our laptops and
computers, but also our smart speakers, thermostats, cars, and refrigerators
as the 'Internet of Things' becomes more prevalent."

Vigilante scratching out QR codes on illegally parked scooters around Denver (KMGH-TV)

Jim Reisert AD1C <>
Tue, 24 May 2022 16:23:44 -0600
Russell Haythorn, KMGH-TV) 23 May 2022

  DENVER—Call it vigilante parking enforcement—someone is fed up with
  scooter-users dumping their rides in the middle of the sidewalk in Denver.
  As a result, that vigilante is taking matters into their own hands by
  blacking out QR codes on those wonky parked scooters so you can't ride.

  They are also slapping a note on those scooters which reads in part, “All
  vehicles must be parked in a manner that does not impede pedestrian clear
  paths. ... This scooter was illegally parked, resulting in the QR code
  being obscured—some people suck—and are not considerate."

Apple shipped me a 79-pound iPhone repair kit to fix a 1.1 ounce battery (The Verge)

Lauren Weinstein <>
Tue, 24 May 2022 12:49:05 -0700

A Face Search Engine Anyone Can Use Is Alarmingly Accurate (NYTimes)

Gabe Goldberg <>
Fri, 27 May 2022 01:01:41 -0400
Mr. Gobronidze said he believed that PimEyes could be a tool for good,
helping people keep tabs on their online reputation. The journalist who
disliked the photo that a photographer was using, for example, could now ask
him to take it off his Yelp page.

PimEyes users are supposed to search only for their own faces or for the
faces of people who have consented, Mr. Gobronidze said. But he said he was
relying on people to act "ethically," offering little protection against the
technology's erosion of the long-held ability to stay anonymous in a
crowd. PimEyes has no controls in place to prevent users from searching for
a face that is not their own, and suggests a user pay a hefty fee to keep
damaging photos from an ill-considered night from following him or her

"It's stalkerware by design no matter what they say," said Ella Jakubowska,
a policy adviser at European Digital Rights, a privacy advocacy group.  ...
But exclusion, Ms. Scarlett quickly discovered, was available only to
subscribers who paid for "PROtect plans," which cost from $89.99 to $299.99
per month. "It's essentially extortion," said Ms. Scarlett, who eventually
signed up for the most expensive plan.

You can try searching with one photo for free; my results are laughable.  It
found my test photo in several places (not surprising, I sent it when I was
presenting), plus several people who aren't me.

Photos were one of me and dozens of not-me.  Below the bar are results that
are of lower resemblance to the uploaded photo. It is possible that, though
the results are labeled *lower score*, some of them might contain photos of
you!  We recommend you check them thoroughly.

A tale of 31 burgers ordered from DoorDash by a 2-year old (WashPost)

Gabe Goldberg <>
Tue, 24 May 2022 23:43:59 -0400
Kelsey Golden was playing with her 2-year-old son, Barrett, on her front
porch last week when a DoorDash driver pulled into the driveway.  The
delivery woman climbed out of the car and held up a large paper sack [and
later, the receipt].

  [Apps don't order burgers; two-year olds order burgers.]

Russia's laser weapon claim derided as propaganda (BBC News)

Gabe Goldberg <>
Sat, 21 May 2022 18:14:37 -0400
Russia claims to have used laser weapons on the battlefield in Ukraine,
although the US says it has seen no evidence of this and Ukraine has derided
it as propaganda. What are laser weapons and how effective could they be in
the conflict?

Yury Borisov, the deputy prime minister in charge of military development,
told Russian TV that a laser prototype called Zadira was being deployed in
Ukraine and had burned up a Ukrainian drone within five seconds at a
distance of 5km (three miles).

This was in addition to a previous laser system called Peresvet - named
after a medieval Orthodox warrior monk - which could be used to dazzle
satellites orbiting high above Earth and prevent them from gathering

"If Peresvet blinds, then the new generation of laser weapons lead to the
physical destruction of the target - thermal destruction, they burn up," Mr
Borisov said.

However, an official with the US Department of Defense said he had not seen
"anything to corroborate reports of lasers being used" in Ukraine.

Meanwhile, Ukrainian President Volodymyr Zelensky mocked the Russian claim,
comparing it to the so-called "wonder weapons" that Nazi Germany claimed to
be developing during World War Two.  "The clearer it became that they had no
chance in the war, the more propaganda there was about an amazing weapon
that would be so powerful as to ensure a turning point.  And so we see that
in the third month of a full-scale war, Russia is trying to find its 'wonder
weapon'... this all clearly shows the complete failure of the mission."

Weapon shown looks like giant Super Soaker.

Russian Botnet Can Spam Social Media on 'Massive Scale' (Gizmodo)

Dave Farber <>
Sun, 22 May 2022 18:28:44 +0900

This Russian Botnet Is Capable of Manipulating Social Media Trends on a 'Massive Scale,' Report Claims

Need to spread some disinformation all over the world? A Russian company
apparently has a quick and easy recipe for that.

A new report claims that a subcontractor working for Russia99s intelligence
service has a botnet capable of manipulating trends on social media
platforms on a 9Cmassive scale.9D The report
published Thursday by the cybersecurity firm Nisos, alleges that the
Moscow-based firm 0day Technologies can spread disinformation at a
frightening rate using a customizable suite that is tied to a malicious
network. The company has previously worked with the Federal Security
Service, one of Russia's primary intelligence agencies.

The report is based on documents and other materials that were stolen from
the contractor and leaked by the hacktivist group Digital Revolution in
March of 2020.

 [Long message PGN-truncated]

This Hacktivist Site Lets You Prank Call Russian Officials (WiReD)

Gabe Goldberg <>
Mon, 23 May 2022 01:10:09 -0400
To protest the war in Ukraine, auto-dials Russian
government officials, connects them to each other, and lets you listen in to
their confusion.

Entertaining and well deserved—but how long before this idea is
duplicated for more general harassment?

Is your face gay? Conservative? Criminal? AI researchers are asking the wrong questions (Trenton W. Ford)

"Diego.Latella" <>
Mon, 23 May 2022 15:33:50 +0200
Trenton W. Ford, Bulletin of the Atomic Scientists

Grief fraud

Rob Slade <>
Thu, 26 May 2022 20:56:29 -0700
Consider the case of Robert Slade.  His wife, Gloria, has died recently, and
while the circumstances are not mysterious, there are still questions to be
answered.  Gloria was not in great health, but none of her medical
conditions were in any way life-threatening.  Up until she died.

Now, someone has contacted EARLUG, which Rob attends regularly, albeit
virtually.  The EARLUG people provided this person with Rob's contact
information.  Rob has now received multiple phone calls from someone who
claims to have insider knowledge of Gloria's death.

This person identifies himself as being the purchasing manager for the ICU
at Lions Gate Hospital.  He says that he was on extended family leave, and
therefore unable to speak until now.  He has only just become aware of some
of the circumstances of Gloria's death.  Such as the fact that hospital
administrators on the day on which Rob was unable to visit Gloria, withdrew
all nursing care from Gloria for that time period.

All of this seems very strange.

As we approach, you notice a sign up ahead.  It reads "You are entering the
Fraudster Zone."

Okay, it's not me.  But the circumstances of Gloria's death (and my
associated grief) are so similar that I can use them to protect the identity
of the actual family that is the victim of an attempted fraud.  (I did not
expect, when I went to Bible Study, to spend three hours on the edges of
what probably will turn out to be the beginning stages of a fraud

The situations are alike enough that I fully understand what the family is
going through.  I also, by way of being one of the professionally paranoid,
understand the social engineering techniques that the fraudster is using to
try and attack the family.

As I say, the circumstances are fairly similar. The family has had a death.
The death is not particularly mysterious, and there is, in fact, no evidence
of foul play.  However, the family has not been given full information, and
is unhappy with the conduct of the case.

They have now been contacted, via a rather circuitous route, by someone who
claims to know exactly what happened to their family member surrounding the
circumstances of the death.

As with Gloria, not all the circumstances of the death are known.  In
Gloria's case no autopsy was performed.  I understand that cytology and
oncology reports have been done, but I have seen neither.  I could,
therefore, suspect that something untoward might have been happening or
being covered up.  I don't.  But not all the questions have been answered,
and I fully understand the family's desire to know the circumstances of
their loved ones death, I share that desire to know.

When your loved one dies, you want to understand.  You want to understand
all the circumstances, particularly if the death is sudden.  Sometimes you
want to know who to blame.  Sometimes you simply want to understand the
progress of the death and whether your loved one was in pain or discomfort
during the period leading up to the actual demise.  You want to know.  And
if someone comes along claiming to have knowledge, and the ability to
explain to you the circumstances of the death, you are really inclined to
take them up on it.

This family is not completely happy with the investigation of their loved
ones death.  I am not completely happy with the information I have been
provided from the hospital as to Gloria's death.  However in neither case is
there any evidence of any wrongdoing (other than the continued operation of
a cell phone belonging to the victim, which is probably simply the result of
a completely unrelated, and opportunistic, purloining).  This still means
that you wish to know. And therefore, you are in a position of vulnerability
for anyone who claims that they have knowledge that they could give you.

I am not sure what the fraudster in this case wishes to accomplish.  It may
simply be some kind of financial reward for providing the information.  It
may be some other more complicated plan.  It doesn't really matter: the
social engineering involved is pretty similar.

The informant, in this case, claims to be in a position of some authority.
The person also claims to have a reasonable excuse for absence from the
scene, in order to explain why they have not contacted the family up until
now.  They also claim that the authorities are involved, at some level, in a
conspiracy in regard to the death.  This of course is very common in many
frauds to prevent the victim from going to the authorities for either
assistance, clarification, or to report a fraud.

The fraudster engaged in some rather interesting provision of contact
information.  Two phone numbers were provided.  One number was to be used
for telephone calls.  The other was to be used for WhatsApp conversations.
The inclusion of WhatsApp is interesting.  Subsequent to Gloria's death, I
reassigned the number on Gloria's phone and found that WhatsApp continued to
receive messages from original groups set up prior to Gloria's death and
using her original phone number, but also received messages to the same
groups from the same people when the new number was used.  WhatsApp has some
intriguing addressing going on.

In addition we did some searching on the phone numbers provided.  One
number seems to have been registered in the Cayman Islands.  And, of
course, we all know how much fraud there is associated with the Cayman
Islands.  The other number popped up some rather interesting results,
indicating a connection to Russian criminals.  In any case, the fraudster
was pretty clearly identified as such by the use of these numbers.  In
addition, the fraudster's story of both his own position in relation to
personnel associated with the death, and the conspiracy that was supposedly
associated with the death, are fairly clearly, and demonstrably, untrue.
However, they are not completely improbable and, for someone who was not a
professional paranoid, no one would think to check that these situations
were questionable.

I do not know how the fraudster obtained information about the family.  I do
have some suspicions, given some of the mistakes that the fraudster made in
identifying the family.  The fraudster initially contacted someone in a
place where the family had been, but no longer resided.  When the fraudster
then contacted the family directly, the fraudster did claim to be local to
the area.  (This seems to be an attempt to appear trustworthy due to
proximity.)  Although not too terribly local.  No really detailed
information was provided.  In any case the phone numbers provided definitely
did not match the supposed location of the fraudster.

I do not know how much information above the actual death the fraudster had,
although I'm sure that information was not difficult to come by.  (Probably
a basic newspaper obituary would provide most details.)  However, I am
reasonably certain that the family did, unwittingly, provide information to
the fraudster on specific details of the death, and their unhappiness with
the investigation.  The fraudster of course, used this further information
to refine their social engineering approach to the family.  (I hope that I
wouldn't be gullible enough to betray information to a fraudster, but, being
a bereaved widower and therefore having questionable judgment in any case,
as well as being sleep deprived, and therefore having my judgment denigrated
even further. It is likely that I might provide such information. It
certainly would not be beyond the bounds of possibility.)

As I said, I was involved only peripherally.  Hopefully I provided some
advice in the situation, and hopefully helped the family to come to a
decision.  In the end, the decision seems to have been to turn to the
police, and not engage the fraudster anymore.  I believe this to be the
correct decision.  But I understand the difficulty in coming to that

ACM makes back archives available for free

Lauren Weinstein <>
Thu, 19 May 2022 13:30:22 -0700
ACM (Association for Computing Machinery) makes their archive from
1951 to 2000 available for free

Very cool to see this big chunk of the ACM archive no longer being
paywalled. It seems quite comprehensive—I've already located a number of
CACM articles I authored or coauthored during this period, including both
serious ones and from my series of April Fool's Day CACM columns.  Long time
since I've seen those in their original form!

ACM announcement:

ACM library search:

Bonus: Ken and Dennis discuss UNIX (1973):

  [Also the first 10 years of *Inside Risks*—126 monthly articles,
  many of which are now old-hat, but some of which represent RISKS issues
  that are still problematic.  PGN]

Cybercriminals target metaverse investors with phishing scams (CNBC)

Gabe Goldberg <>
Thu, 26 May 2022 14:41:18 -0400
The metaverse, the new digital frontier where users can attend virtual
concerts or purchase digital assets like land, has been hit with fraud.

Cybercriminals use phishing links that imitate the legitimate metaverse
platforms to drain investors' digital wallets of assets.

While metaverse platforms are increasing their security measures and
educating consumers about fraud prevention, they say they're not responsible
for refunding money to phishing scam victims.

A nurse in rural Maine. A fitness instructor in Colorado. A venture
capitalist in Florida. All three invested in the metaverse, buying land they
say they thought was a solid investment.

"I was really excited about it," said Kasha Desrosiers, a long-term care
nurse. "And hopeful for, you know, whatever projects that would come out of

But in just days or months, all their virtual land was gone. And each of
them says that there was simply no way to get it back.

Investors across the country told CNBC that hackers stole their land in the
metaverse by tricking them into clicking on links they believed were genuine
portals to the virtual universe, but which turned out to be phishing sites
designed to steal user credentials. What they wanted was a piece of the
metaverse ” a new, blockchain-based virtual set of platforms that has
recently come to prominence because of significant involvement from
celebrities, fashion shows and investors.

Instead, they say they got a lesson in the dangers of high-risk investing.

I think they mean, "investing".

'Elon Musk's Crash Course' shows the tragic cost of his leadership (NPR)

Gabe Goldberg <>
Fri, 20 May 2022 13:19:52 -0400
Just as his effort to buy Twitter has led the world to focus on Elon Musk's
management style and business strategies, FX and The New York Times have
stepped up with a documentary taking a close look at how Musk responded to
crashes involving the Autopilot function in cars from his company, Tesla.

For those watching Musk's fitful attempt to buy Twitter, the film also
serves as a pointed comparison; showing how his penchant for bold moves and
provocative statements can lead fans to see what they want in his words “
regardless of whether what he says is actually possible.

As part of FX's The New York Times Presents documentary series, Elon Musk's
Crash Course suggests that Musk oversold the cars' self-driving
capabilities, leading to public confusion over what it could actually
do. And when federal authorities began an investigation into a fatal crash
involving the technology, the program says Musk pressured officials to curb
the investigation.

Re: ACM, Ethics, and Corporate Behavior (RISKS-33.20)

Richard Stein <>
Fri, 20 May 2022 10:43:42 +0800
Via private communication, Prof. Moshe Vardi notified me about his essay:
"Artificial Intelligence: Ethics Versus Public Policy" (01APR2022),

Prof. Vardi argues that legislation and regulation, aka public policy, is an
appropriate measure to deter deployment of exploitative AI applications
endangering public health, safety and privacy interests.

Ethical restraints have failed to slow AI product introductions that
jeopardize public interests. Ethics, it appears, no longer concern
professionals from contributing their skills and energies to create and
deploy hazardous AI products and services. As aphorisms that once guided
responsible professional action, ethics are diminished by corporate
governance directives that demand organizational behavior compliance.

A brand outrage incident can arise from corporate employee ethics
breach. These occurrences are often excused under the "better to ask
forgiveness than to get permission" expedient when profit flows from their
outcome. No matter the merit and justification, ethical protests by brave
technology professionals seldom prevent for-profit deployment of product
that jeopardizes public wellbeing.

Regulations, historically, are cautiously introduced to improve public
safety outcomes. Vehicle head and taillights, mirrors, seat belts, air bags,
turn signals, and horns exemplify the benefits of regulation that strengthen
public safety and health interests without detriment to corporations or

Enacting and enforcing regulations that penalize rapacious AI deployments
will establish corporate accountability for their public health, safety, and
privacy consequences. Reminding CxOs and boards of directors that
exploitation of public data entitled by commercial impunity claimed with
product indemnification and terms of service exposes their governance
decisions to personal legal jeopardy.

Please report problems with the web pages to the maintainer