We've only scratched the surface of how bad the crypto crime wave has gotten https://news.yahoo.com/weve-only-scratched-surface-bad-221758213.html
David Pan and Olga Kharif, Bloomberg, 16 Jun 2022, via ACM TechNews; Monday, 20 Jun 2022 Ethereum mining could end soon due to "the Merge," leaving as many as 1 million miners out of a source of income. The Merge (expected to occur in August, though it has been pushed back several times already) involves a shift from the proof-of-work model, which uses a significant amount of computing power and energy, to the proof-of-stake model to record transactions. The alternative model will slash the Ethereum network's power consumption by about 99%, but also will put miners out of work. Following The Merge, some Ethereum miners plan to mine other coins that require graphics processing units, like Ethereum Classic or Ravencoin, or to use their equipment for rendering (an aspect of digital video production) or machine learning tasks. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ecdcx23467ax071600&
A "dangerous piece of functionality" has been discovered in Microsoft 365 suite that could be potentially abused by a malicious actor to ransom files stored on SharePoint and OneDrive and launch attacks on cloud infrastructure. The cloud ransomware attack makes it possible to launch file-encrypting malware to "encrypt files stored on SharePoint and OneDrive in a way that makes them unrecoverable without dedicated backups or a decryption key from the attacker," Proofpoint said in a report published today. <https://www.proofpoint.com/us/blog/cloud-security/proofpoint-discovers-potentially-dangerous-microsoft-office-365-functionality> The infection sequence can be carried out using a combination of Microsoft APIs, command-line interface (CLI) scripts, and PowerShell scripts, the enterprise security firm added. The attack, at its core, hinges on a Microsoft 365 feature called AutoSave that creates copies of older file versions as and when users make edits to a file stored on OneDrive or SharePoint Online. <https://support.microsoft.com/en-us/office/what-is-autosave-6d6bd723-ebfd-4e40-b5f6-ae6e8088f7a5> It commences with gaining unauthorized access to a target user's SharePoint Online or OneDrive account, followed by abusing the access to exfiltrate and encrypt files. The three most common avenues to obtain the initial foothold involve directly breaching the account via phishing or brute-force attacks, tricking a user into authorizing a rogue third-party OAuth application, or taking over the web session of a logged-in user. But where this attack stands apart from traditional endpoint ransomware activity is that the encryption phase requires locking each file on SharePoint Online or OneDrive more than the permitted versioning limit. [...] <https://support.microsoft.com/en-us/office/how-versioning-works-in-lists-and-libraries-0f6cd105-974f-44a4-aadb-43ac5bdfd247> https://thehackernews.com/2022/06/a-microsoft-office-365-feature-could.html
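As an added illustration, not code from the Proofpoint report or The Hacker News article, here is a small Python detection routine over constructed audit events. It flags the pattern the article describes from the defender's side: a document-library version limit lowered to a small value, followed within a short window by a burst of modifications to many distinct files by the same account on the same site. The event fields and operation names are assumptions for this example, not the real Microsoft 365 audit log schema.

```python
from datetime import datetime, timedelta

# Constructed sample events, loosely modelled on Microsoft 365 unified audit
# log records. Field and operation names are assumptions for this example.
def make_events():
    base = datetime(2022, 6, 20, 9, 0)
    events = [{"time": base, "user": "alice@example.test", "site": "/sites/finance",
               "op": "VersionLimitChanged", "old_limit": 500, "new_limit": 1}]
    for i in range(60):  # burst of rewrites right after the limit drop
        events.append({"time": base + timedelta(minutes=1 + i // 10),
                       "user": "alice@example.test", "site": "/sites/finance",
                       "op": "FileModified", "file": f"report{i}.xlsx"})
    # Benign: an admin moderately lowers a limit on another site, no burst follows.
    events.append({"time": base, "user": "admin@example.test", "site": "/sites/hr",
                   "op": "VersionLimitChanged", "old_limit": 500, "new_limit": 100})
    events.append({"time": base + timedelta(minutes=5), "user": "admin@example.test",
                   "site": "/sites/hr", "op": "FileModified", "file": "policy.docx"})
    return events

def detect_version_limit_abuse(events, window=timedelta(minutes=30),
                               max_new_limit=10, min_files=25):
    """Return one alert per version-limit drop to <= max_new_limit that is
    followed, within `window`, by modifications to >= min_files distinct files
    on the same site by the same user. Thresholds are tuning assumptions."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for e in events:
        if e["op"] != "VersionLimitChanged" or e["new_limit"] > max_new_limit:
            continue
        touched = set()
        for f in events:
            if (f["op"] == "FileModified" and f["user"] == e["user"]
                    and f["site"] == e["site"]
                    and e["time"] <= f["time"] <= e["time"] + window):
                touched.add(f["file"])
        if len(touched) >= min_files:
            alerts.append({"user": e["user"], "site": e["site"],
                           "new_limit": e["new_limit"], "files": len(touched)})
    return alerts

if __name__ == "__main__":
    for alert in detect_version_limit_abuse(make_events()):
        print("possible versioning-limit abuse:", alert)
```

The same pattern can be fed from exported audit records once the field names are mapped to the real schema; the threshold values are starting points, not tuned figures.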
People who are running computers with a lot of old and buggy software are being wooed by services that will apply binary patches to their code while it is running. If a site is running an old down-rev version and can't afford the time, cost, and effort to upgrade to a later version, the micropatching service can apply fixes on the fly. [No flies are injured in the process. PGN] They patch in storage to avoid verification of code signatures. Sometimes they extract patches from later versions of the code and back-port them to older code. There is a DARPA/I2O program that is awarding ways to patch IoT appliances and heavy truck engines: https://www.darpa.mil/program/assured-micropatching What could possibly go wrong? THVV [Risks? This reminds me of Doug McIlroy and Bob Morris patching the live object code of their EPL compiler (early PL/I, starkly subset for Multics) at the same time Molly Wagner was compiling Multics memory-management code in 1967. What a mess. (Tom, Thanks for this item.) Note for younger RISKS readers: Tom dates back to pre-Multics on CTSS, with what appears to be the very first e-mail system, which he and Noel Morris developed at MIT. PGN]
One of the most-used tools on the Internet is not what it used to be. https://www.theatlantic.com/ideas/archive/2022/06/google-search-algorithm-internet/661325/
*... This will have unprecedented consequences and require drastic water restrictions never seen before...* https://twitter.com/US_Stormwatch/status/1536912734297526272
Adam Zewe, *MIT News*, 14 Jun 2022, via ACM TechNews, 17 Jun 2022 Massachusetts Institute of Technology researchers demonstrated two security techniques that block power and electromagnetic side-channel attacks targeting analog-to-digital converters (ADCs) in smart devices. The countermeasures involve adding randomization to ADC conversion, which in one case uses a random number generator to decide when each capacitor switches, complicating the correlation of power supplies with output data. That method also keeps the comparator in constant operation, preventing hackers from ascertaining when each conversion stage begins and ends. The second technique employs two comparators and an algorithm to randomly establish two thresholds rather than one, creating millions of ways an ADC could reach a digital output. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ecc8x234601x071624&
Annie Gowan, WashPost, 17 Jun 2022 https://www.washingtonpost.com/politics/2022/06/17/new-mexico-county-weighs-defying-order-certify-election-results/ New Mexico county certifies election results, bowing to court order. Otero County commissioners voted 2 to 1 to accept results in this month's primary, reversing an earlier decision driven by unfounded concerns about fraud. Couy Griffin is quoted in the article: “My vote to remain a no isn't based on any evidence, it's not based on any facts, it's only based on my gut feeling and my own intuition, and that's all I need,” Griffin said.
A harbinger of the AI future? [Excerpted from a note by Dan Geer. PGN] A Language Model Trained to Mimic 4chan Might Portend AI's Grim Future https://cset.georgetown.edu/newsletter/june-16-2022/ A machine learning researcher trained a language model on three and a half years' worth of 4chan posts to create what he dubbed "the most horrible model on the Internet," raising concerns about the public availability of language models and sparking debate about their ethical use. Yannic Kilcher, a Swiss ML expert who covers AI and ML advances on his popular YouTube channel, fine-tuned an existing open-source language model -- EleutherAI's GPT-J-6B—using a dataset of more than 130 million posts from 4chan's "Politically Incorrect" board, an online forum with a longstanding reputation for toxicity and offensiveness. As Kilcher described in a video documenting the process, he then programmed a team of bots to post on the board as often as they could. According to Kilcher, the bots posted approximately 30,000 times during two separate 24-hour periods. While 4chan users were able to identify some of the bots for what they were, this appeared to be due less to the model's shortcomings and more to the bots' superhuman indefatigability—they posted round-the-clock, as frequently as the site allowed. Kilcher's experiment was criticized by a number of experts and observers, who called it irresponsible and unethical. While Kilcher made it possible for anyone to use his "GPT-4chan" by uploading it to Hugging Face, an online repository for AI and ML code, the site quickly restricted access. But the cat could be out of the bag: as Kilcher's experiment shows, currently available open-source models and datasets can be used to create surprisingly effective language models with relative ease.
Kilcher emphasized the result that GPT-4chan slightly outperformed other existing language models on the TruthfulQA Benchmark, which involves picking the most truthful answer to a multiple choice question
I recently relocated to Gibraltar and looked to open a local bank account. With one of the banks I contacted, communication was difficult - it turned out their email server refused to accept or to make TLS connections, and my email server mandates the use of TLS; their emails to me were not being delivered (and their staff were either not receiving, or not understanding, or not acting upon any error reports) and as I discovered when I tried to email them, my server's connections were rejected. I - from a web-based email account which allows unencrypted connections - emailed the bank about this, pointing out the possibility, given that they are a bank, of people unwittingly or thoughtlessly emailing sensitive information, and the simplicity and ease of allowing TLS connections. This email went unanswered. I discussed the matter directly with a member of their staff, who relayed the issue to their IT team; I was informed the IT team did not consider it a security risk, and in addition (although very likely this chap was only speaking as himself, and not in any way reflecting bank policy), when I indicated the bank had three months to act before I would discuss the matter in public, he informed me if I did so the bank might well not wish to do business with me in the future. We all behave rationally given the incentives placed upon us in the situation we are in.
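The check the contributor describes can be scripted. The following is an added example, not the contributor's code: it connects to a mail exchanger, sends EHLO, reports whether STARTTLS is advertised and, if so, whether a certificate-verified TLS handshake completes. The host name and client identity used are placeholders; the network function needs outbound port 25 access, while the EHLO parser runs offline.

```python
import smtplib
import ssl

def ehlo_offers_starttls(ehlo_message: bytes) -> bool:
    """True if an EHLO reply body lists the STARTTLS extension.
    smtplib hands back the reply body as bytes, one extension keyword per line."""
    return any(line.strip().upper().split()[:1] == [b"STARTTLS"]
               for line in ehlo_message.splitlines() if line.strip())

def check_mx_starttls(host: str, port: int = 25, timeout: float = 10.0) -> dict:
    """Probe one MX host: did it accept the connection, advertise STARTTLS,
    and complete a TLS handshake with certificate verification?"""
    result = {"host": host, "connected": False,
              "starttls_offered": False, "tls_ok": False}
    try:
        with smtplib.SMTP(host, port, timeout=timeout) as smtp:
            result["connected"] = True
            code, msg = smtp.ehlo("probe.example.test")  # placeholder client name
            result["starttls_offered"] = code == 250 and ehlo_offers_starttls(msg)
            if result["starttls_offered"]:
                # Explicit default context so the peer certificate is verified,
                # which is what a mandatory-TLS sender like the contributor's
                # server would typically require.
                code, _ = smtp.starttls(context=ssl.create_default_context())
                result["tls_ok"] = code == 220
    except (smtplib.SMTPException, OSError) as exc:
        result["error"] = str(exc)
    return result

if __name__ == "__main__":
    print(check_mx_starttls("mx.example.test"))  # placeholder MX host
```

A "connected" result with "starttls_offered" false is the situation described in the post: the server speaks plain SMTP but gives a TLS-only sender no way to deliver.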
Gmail is the world's most popular email service, it is also known as one of the most secure. But a dangerous exploit might make you rethink how you want to use the service in future. In an eye-opening *blog post* <https://ysamm.com/?p=763>, security researcher Youssef Sammouda has revealed that Gmail's OAuth authentication code enabled him to exploit vulnerabilities in Facebook to hijack Facebook accounts when Gmail credentials are used to sign in to the service. And the wider implications of this are significant. Speaking to *The Daily Swig* <https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit>, Sammouda explained that he was able to exploit redirects in Google OAuth and chain it with elements of Facebook's logout, checkpoint and sandbox systems to break into accounts. Google OAuth is part of the '*Open Authorization* <https://en.wikipedia.org/wiki/OAuth>' standard used by Amazon, Microsoft, Twitter and others which allows users to link accounts to third-party sites by signing into them with the existing usernames and passwords they have already registered with these tech giants. Sammouda reports no vulnerabilities using other email accounts. He does stress that it could potentially be applied more widely "but that was more complicated to develop an exploit for." He states Facebook paid him a $44,625 'bug bounty' for its role in this vulnerability. Facebook has subsequently patched the vulnerability from their side. I have contacted Google for a response on the role of Google OAuth in the exploit and will update this post when/if I receive a reply.
Commenting on Sammouda's findings, security provider *Malwarebytes Labs* <https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/gmail-linked-facebook-accounts-vulnerable-to-attack-using-a-chain-of-bugs-now-fixed/> issued a warning to anyone using linked accounts: "Linked accounts were invented to make logging in easier," writes Pieter Arntz, the company's Malware Intelligence Researcher. "You can use one account to log in to other apps, sites and services... All you need to do to access the account is confirm that the account is yours." [...] https://www.forbes.com/sites/gordonkelly/2022/05/21/google-gmail-security-facebook-oauth-login-warning/
Java is abnormally stable. I have code I wrote in early 2000s, some of it rather messy and not exactly what I'd call robust design (there's a reason for that of course), and it's still working fine in production now. By today's "agile standards", this just can't be right.
I think if we remove the technobabble, this is saying that it's a stablecoin backed by electricity commodity futures rather than by money. Electricity futures are an arcane corner of the futures market, mostly of interest to utilities and large industrial customers, but they do exist. Putting them on a blockchain adds that magic pixie dust that makes it possible to do, well, I have no idea but I am sure it is wonderful. If you wanted you could do pork belly or nickel trades on a blockchain with exactly the same benefits. The claim that you can somehow take the energy used to mine cryptocurrency and somehow turn it back into electricity is idiotically stupid, but what else is new in crypto land?