The ground stop affected both arriving and departing flights at the Washington DC-area airport.
https://patch.com/virginia/annandale/s/ic4ry/drone-activity-prompts-ground-stop-at-reagan-national-airport
As new details about the scope of the sabotage emerge, the perpetrators -- and the reason for their vandalism -- remain unknown.
https://www.wired.com/story/france-paris-internet-cable-cuts-attack/
Susan D'Agostino, *Inside Higher Ed*, 22 Jul 2022

Cybersecurity company Sophos reported a global surge in ransomware attacks against colleges and universities last year. Nearly 75% of ransomware attacks on higher-education institutions were successful, and only 2% of victims retrieved all their data, even after paying the ransom. The higher-education sector had the slowest post-attack recovery time, with 40% of victims taking more than a month to recover, versus the 20% global average. "When one sector improves their defenses, the bad folks go somewhere where the bar is lower and they can get money easily," said Jeremy Epstein, chair of the U.S. technology policy committee of ACM.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ef0ax234db1x070335&

[WholeyMoley! 75% "payoff success rate" for the ransomwarers, and 2% recovery success rate for the victims who pay the ransom (ransomwearers? the ransomed? the ransomees?). That's one helluva business model, which should eventually update the business model for having trustworthy backups and recovery processes. I wonder how often the victims get even some of their data recovered. You might think the 2% full recovery rate would be a strong disincentive to even pay the ransom. PGN]
https://www.cbc.ca/news/canada/newfoundland-labrador/nl-cyberattack-privacy-breach-notices-1.6526431

Newfoundland and Labrador's largest health authority has notified 37,800 people that their privacy was breached as part of last fall's devastating cyberattack. That number equates to about one in every 13 people in the province. And according to Eastern Health, it could go even higher. Those affected include patients, along with current and former employees.
Katharine Gemmell, *Bloomberg*, 13 Jul 2022, via ACM TechNews; 15 Jul 2022

A UK court ruling allows legal documents to be served over the blockchain ledger via nonfungible tokens (NFTs). The case was filed by Fabrizio D'Aloia, founder of an online gambling company, against Binance Holdings and other cryptocurrency exchanges after his crypto assets were fraudulently cloned. The exchanges also were deemed responsible for ensuring stolen crypto is not moved or removed from their systems. Legal experts at the law firm Giambrone & Partners LLP said the ruling will enable crypto fraud victims to file suit against unknown fraudsters in the U.K. The lawsuit documents will be airdropped via NFT into two wallets originally used by D'Aloia and later stolen. A similar decision was issued in June by a U.S. court.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ee92x234c03x070270&
https://www.lawgazette.co.uk/law/artificial-intelligence-rules-to-require-human-liability/5113150.article

[Begin quote]

Artificial intelligence systems will have to identify a legal person to be held responsible for any problems under proposals for regulating AI unveiled by the UK government. The proposed 'pro innovation' regime will be operated by existing regulators rather than a dedicated central body along the lines of that being created by the EU, the government said. The proposals were published as the Data Protection and Digital Information Bill, which sets out an independent data protection regime, is introduced to parliament. The measure will be debated after the summer recess.

The core principles of AI regulation proposed today will require developers and users to:

* Ensure that AI is used safely
* Ensure that AI is technically secure and functions as designed
* Make sure that AI is appropriately transparent and explainable
* Consider fairness
* Identify a legal person to be responsible for AI
* Clarify routes to redress or contestability

Regulators - such as Ofcom, the Competition and Markets Authority, the Information Commissioner's Office, the Financial Conduct Authority and the Medicine and Healthcare Products Regulatory Agency - will be asked to interpret and implement the principles. They will be encouraged to consider lighter touch options which could include guidance and voluntary measures or creating sandboxes - such as a trial environment where businesses can check the safety and reliability of AI tech before introducing it to market.

[End quote]

It will be interesting to follow the difficulties the regulators encounter in implementing this policy announcement ...
[Thanks to Dan Geer] https://www.politico.com/newsletters/politico-china-watcher/2022/07/21/china-launches-new-bid-for-internet-dominance-00047037
https://journals.lww.com/em-news/Fulltext/2022/07121/First_Person__It_s_Time_to_Ask_Patients_to_Quit.2.aspx

> I have been tracking research for several years as our mental health crisis rages, always operating with a solid amount of confirmation bias, in search of evidence to support what I have been telling patients and friends alike for a long time (including a recent patient having a panic attack): Get off social media.
>
> The data just keep coming to suggest that social media is destructive to mental health. Studies have connected it to a decrease in psychological well-being among adolescents, and others have tied it to the development of anxiety disorders and depression. Heavy use of social media has also been linked to loneliness and inattention, and the likelihood of having an eating disorder among adolescents has been correlated with the number of social media accounts someone has. Worst of all, suicides among young people skyrocketed by 56 percent from 2007 through 2017. I can print out a stack of new studies to bolster my case every time I advise a patient experiencing depression or anxiety to delete his social media accounts. Patients seem to get it immediately. They intuitively understand that social media is an anxiety machine. Most users are naturally inclined to share good news rather than failure, heartache, disappointment, relapse, or weight gain. Using social media as the lens through which you perceive the world too often causes those struggling with their mental health to conclude that everyone besides them is doing great. And then they think something is wrong with them if they aren't doing great.
https://www.technologyreview.com/2022/07/14/1055894/us-military-sofware-linux-kernel-open-source/
via WaPo "The Cybersecurity 202"
https://www.washingtonpost.com/politics/2022/07/19/inglis-talks-cybersecurity-jobs-recruitment-strategy-ahead-white-house-summit/

The global economy depends on critical infrastructure systems. These systems are often hosted with a LINUX stack. Open-source code (LINUX, JAVA, PYTHON, etc.) powers the technological convenience everyone consumes: cell phones, TVs, pipelines, the works. Some open-source projects have been co-opted by persons and organizations considered unfriendly to governments and their strategic interests. NSA employees contribute to open-source projects. Huawei employees contribute to the LINUX stack.

Open-source contributions raise the issue of accountability for intentional defect escape: backdoor, kill switch, or pure sabotage. Government and private-sector cybersecurity experts ponder which open-source stacks can be trusted, and why they should or shouldn't be trusted. Who's to say a stack can or cannot be trusted? Is it wise to trust the trust guidance?

Conceiving of a global-scope open-source release-management organization identified as a high-trust software publisher is impossible. Imagine the hypothetical UNS—United Nations of Software?! CVEs will materialize, and some zero-days/backdoors will likely be purposely concealed, or escape detection given software-factory release budget and schedule constraints.

[The hypothetical UNS is like Lenny Bruce—a famous comedian known for speech that offended everyone equally.]
Alan Suderman, Associated Press, 14 Jul 2022, via ACM TechNews; 15 Jul 2022

The Cyber Safety Review Board said the Log4j software vulnerability discovered last year is "endemic," and could constitute a security risk for another decade. Log4j enables Internet-based hackers to hijack a broad range of systems; the first indications of its exploitation appeared in Microsoft's online game Minecraft. Log4j logs user activity on computers, and is widely employed by commercial software developers. Although the review board has found no signs of "significant" Log4j attacks on critical infrastructure systems, it said future attacks are likely. To alleviate the potential fallout of such attacks, the board recommended universities and community colleges make cybersecurity training mandatory for obtaining computer science degrees and certifications.
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ee92x234c00x070270&
The class action alleged that the company knew about the problems with its MacBook keyboards. But $50 million is chump change for Apple. In 2020, Apple agreed to a $500 million settlement in a class action after it admitted it had been purposefully slowing down older iPhones, and another $113 million settlement later that year for the same issue.

When the money for the butterfly suit is doled out, each person involved in the class action stands to receive a payout. The estimated maximums are $50 if you replaced keycaps, $125 if you had one keyboard replaced, or $395 if you had multiple keyboards replaced. Whether it's shelling out $50 million or $500 million, Apple hasn't acknowledged any wrongdoing. (The company also did not respond to a request for comment.) Owners of eligible MacBooks who bought their computers in California, Florida, Illinois, Michigan, New Jersey, New York, or Washington, DC will be able to collect their compensation once the settlement is approved.
https://www.wired.com/story/apple-butterfly-keyboard-settlement-50-million

Strange it covers only a few states.
I agree with Lauren: interesting document, including the possibility of handling commercial email in a similar way, which could be a good thing.

I noted also the following things in the lawyers' document:

"Gmail is the world's largest email platform because it puts users first". The words from "because" to the end are open to dispute. "because it's free" might be just as true. Anyway the reason is not relevant to this letter.

"Google does not scan or process email content for advertising purposes". I am skeptical, because then what is the business model for offering it? But I have no proof. The business model might just be to entice users to take a cookie that can be used on any page with Google ads, to track them.

"DMARC—an email standard". RFC 7489 states explicitly, "This document is not an Internet Standards Track specification." I don't know how it could be more clear.
[More detail. PGN]

Scientists at MIT think they may have finally found a way to reverse climate change. Or, at the least, help ease it some. The idea revolves heavily around the creation and deployment of several thin film-like silicon bubbles. The *space bubbles* as they refer to them, would be joined together like a raft. Once expanded in space it would be around the same size as Brazil. The bubbles would then provide an extra buffer against the harmful solar radiation that comes from the Sun.

*Could space bubbles reverse climate change?*

The goal with these new space bubbles would be to ease up or even reverse climate change. The Earth has seen rising temperatures over the past several centuries. In fact, NASA previously released a gif detailing how the global temperature has changed over the years. Now, we're seeing massive mouths to hell opening in the permafrost.
https://bgr.com/science/nasas-new-climate-change-gif-made-the-internet-go-crazy/
https://bgr.com/science/massive-mouth-to-hell-crater-in-russia-swallows-everything-around-as-it-grows/

There's also the fact that scientists just discovered yet another hole in the Earth's ozone layer. As such, finding ways to ease or reverse climate change continues to be a high priority for many. This new plan is based on a concept first proposed by astronomer Roger Angel. Angel originally suggested using a *cloud* of small spacecraft to shield the Earth from the Sun's radiation. [...]
https://bgr.com/science/mit-scientists-think-theyve-discovered-how-to-fully-reverse-climate-change/
The engineer, Blake Lemoine, contends that the company's language model has a soul. The company denies that and says he violated its security policies.
https://www.nytimes.com/2022/07/23/technology/google-engineer-artificial-intelligence.html

Also: Google has fired Blake Lemoine, the engineer who said he believes the company's LaMDA conversational technology is sentient. Lemoine shared the news of his firing in a taping of Big Technology Podcast on Friday, just hours after Google dismissed him. The full podcast episode will air shortly. In his conversations with LaMDA, Lemoine discovered the system had developed a robust sense of self-awareness, expressing concern about death, a desire for protection, and a conviction that it felt emotions like happiness and sadness. Lemoine said he considers LaMDA a friend.
<https://bigtechnology.substack.com/p/google-fires-blake-lemoine-engineer>
I was surprised to see this 4-year-old story show up in the most recent RISKS. To call the story disputed would be an understatement. It's been thoroughly debunked, and the fact that Bloomberg hasn't retracted it calls their credibility as a news organization into question. Allow me to cite a few sources that throw doubt on Bloomberg.

1. Media critic Erik Wemple writing for the Washington Post: "According to a company source, editorial staff has been 'frustrated' that competing news organizations haven't managed to match the scoop. Sources tell the Erik Wemple Blog that the New York Times, the Wall Street Journal and The Post have each sunk resources into confirming the story, only to come up empty-handed."
   Link to Erik Wemple's piece from the Washington Post:
   https://www.washingtonpost.com/blogs/erik-wemple/wp/2018/10/22/your-move-bloomberg/

2. Apple: "On this we can be very clear: Apple has never found malicious chips, 'hardware manipulations' or vulnerabilities purposely planted in any server. Apple never had any contact with the FBI or any other agency about such an incident. We are not aware of any investigation by the FBI, nor are our contacts in law enforcement."
   Link to Apple's denial of the story:
   https://www.apple.com/newsroom/2018/10/what-businessweek-got-wrong-about-apple/

3. Amazon: "As we shared with Bloomberg BusinessWeek multiple times over the last couple months, this is untrue. At no time, past or present, have we ever found any issues relating to modified hardware or malicious chips in SuperMicro motherboards in any Elemental or Amazon systems. Nor have we engaged in an investigation with the government."
   Link to Amazon's denial of the story:
   https://aws.amazon.com/blogs/security/setting-the-record-straight-on-bloomberg-businessweeks-erroneous-article/

4. Security researcher Joe Fitzpatrick (who was one of the very few named sources in the Bloomberg piece): "But what really struck me is that like all the details that were even remotely technical, seemed like they had been lifted from the conversations I had about theoretically how hardware implants work and how the devices I was making to show off at black hat two years ago worked [...] It was surprising to me that in a scenario where I would describe these things and then he would go and confirm these and 100% of what I described was confirmed by sources."
   Link to article from which that quote is pulled:
   https://247wallst.com/technology-3/2018/10/09/bloomberg-source-apple-spy-chip/
Did we really need to bring this up in RISKS again? Pretty much everyone involved has denied the report, and there doesn't appear to be any actual evidence that it happened. Among others Bruce Schneier isn't convinced:
https://www.schneier.com/blog/archives/2018/11/that_bloomberg_.html

[Gabe Goldberg noted in response: Fair point; I missed the article's date—it showed up in a current mailing. Comments are funny, though.]

[Scott Dorsey also commented: Except that it probably didn't happen. After four years there is still no independent third-party verification of something that should be extremely easy to verify.]

[Also noted by John Stewart, who suggested that John Gruber has a series of articles on this topic with much more detail:
https://daringfireball.net/2018/10/bloomberg_the_big_hack
https://daringfireball.net/linked/2018/10/04/what-businessweek-got-wrong-about-apple
https://daringfireball.net/linked/2018/10/09/big-hack-doubts
https://daringfireball.net/linked/2019/10/07/bloombergs-big-crap
https://daringfireball.net/linked/2021/02/12/tait-disassembles-the-long-hack
https://daringfireball.net/linked/2021/02/12/bloomberg-big-con ]

[Craig S. Cottingham noted: There was a followup in 2021 titled "The Long Hack: How China Exploited a U.S. Tech Supplier":
https://www.bloomberg.com/features/2021-supermicro/
Both pieces of reporting were covered by John Gruber at Daring Fireball, and found wanting:
https://daringfireball.net/linked/2021/02/12/bloomberg-big-con ]

[Actually, Bruce Schneier agreed with you generally, but he did nevertheless have a few suggestive residual potential doubts in his comments, perhaps implicitly implying it could be true. Yes, this is indeed rather old news. However, some old news has real legs, and other old news has very shaky legs. RISKS is still searching for ground truth wherever possible, which may be more difficult to get these days. Steve Klein's comment about Bloomberg's sense of journalism seems quite relevant.

So perhaps we have some mixture of sensationalized journalism, or perhaps being pressured to retract a perhaps partially correct story for unknown reasons, or reporting based on rumored activities and might-have-beens, or any other problems along the way. The reality once again is that we are sometimes surprised at what is happening, while others of us seem to find that most everything in RISKS is more or less "business as usual" and not surprising. Thanks to all of you who jumped on this one. Your comments are greatly appreciated, because I cannot vet every item, given the volume of items submitted that seem to be relevant to RISKS. However, when in doubt, I still operate under "Almost nothing can be trusted anymore without independent verification—*especially* when you cannot really trust the verifier." And sometimes something seems believable just because it *could* be true, or because of wishful thinking. Thus, I have included somewhat duplicative material in these two items. PGN]