The RISKS Digest
Volume 33 Issue 57

Saturday, 10th December 2022

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site - however only a small number of sites are covered at the moment. The flashlight take you to an analysis of the various trackers etc. that the linked site delivers. Please let the website maintainer know if you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents

Dreams of a Future in Big Tech Dim for Computer Science Students
NYTimes via PGN Bruce DeBruhl
Metro May Resume Automatic Train Operation In 2023
DCist
Amnesty International Canada hit by cyberattack out of China
CBC
Data breach of Ontario's vaccine booking system affects hundreds of thousands, province says
CBC
How the Global Spyware Industry Spiraled Out of Control
Sundry
It's Not Science, Just Surveillance—and It's Under Your Desk
Techworker
Raspberry Pi hires a former cop, and responds poorly to the public response
Resetera
Apple to encrypt iCloud
The Washington Post
TSA argues for impunity for checkpoint staff who rape travelers
PaperPlease
Hertz to pay $168m for falsely accusing customers of theft
BBC
AI Learns To Write Computer Code In 'Stunning' Advance
Science
A Row Erupts Over Texas' Bold Bitcoin Battery Plan
WiReD
A Twitter data tracker inhabits tens of thousands of websites
WashPost
Sundry Musky Items
PGN-collected from Lauren Weinstein
Info on RISKS (comp.risks)

Dreams of a Future in Big Tech Dim for Computer Science Students (NYTimes)

Peter Neumann <neumann@csl.sri.com>
Thu, 8 Dec 2022 13:22:53 PST
Natasha Singer and Kalley Huang, *The New York Times* Business, 8 Dec 2022
After spending years laying the groundwork for lucrative careers, many
recent graduates are left scrambling as coveted jobs dry up.
https://www.nytimes.com/2022/12/06/technology/computer-students-tech-jobs-layoffs.html

[Thursday's print article and the online version from two days prior differ
in titling, but apparently not in content.  PGN]

  This article seems to have been written primarily in response to Meta
  laying off 11,000, and layoffs, hiring freezes, and slowdowns at Twitter,
  Alphabet, DoorDash, Luft, Snap, Stripe, and Amazon (which is contemplating
  cutting this year's 18,000 summer interns in more than 50% for next
  summer).  More than 400,000 new jobs are foreseen between 2021 and 2031,
  according to the Bureau of Labor Statistics, although “many of those are
  in areas like finance and the automotive industry.''  The article
  documents various personal cases, and suggests that graduate school is
  also an option to jobs (assuming one can afford it)...  PGN-ed

There seems to be a Catch-22 underlying undergraduate computer science,
which has been touted as a great source of future jobs.  My guess is that
being just a programming whiz is not enough, and that system-oriented
thinking and the experience that can result therefrom has not been popular
even in graduate programs for many years.  Perhaps CS has been
oversimplified in too many schools and colleges?  How many of them actually
teach the fundamental principles of total-system architectures, not to
mention formal methods as a basis for developing trustworthy systems?

  My CSL colleague Prashanth Mundkur sent me this comment:

  Given the reputational damage that Big Tech, Silicon Valley and tech in
  general have suffered in recent years, it might be worth including the
  ethical impacts of business models (e.g., on violations of privacy, spread
  of misinformation/disinformation) into the holistic analysis of
  total-system architectures.  I'm not sure if the ACM Code of Ethics is
  studied in undergraduate or graduate CS curricula.

Many years ago Deborah Johnson taught courses at RPI on the subject of
computer-related ethics, and wrote various books that are still in print.
Considerable effort at Yale was led by Terry Bynum (including a summer
workshop in 1991).  There have been numerous efforts to revisit this
subject.  I have no idea how many computer science curricula include
relevant courses today.  However, I suspect that most of the mentioned
companies are not paying much attention—where profits are generally
considered more important.  PGN


Dreams of a Future in Big Tech Dim for Computer Science Students (Re: PGN, RISKS-33.57)

Bruce DeBruhl <bruce.debruhl@sri.com>
Fri, 9 Dec 2022 21:43:04 +0000
This is something I have definitely considered a lot as a member of an
undergraduate curriculum committee for computer science and the chair of a
curriculum committee for computer engineering.  I think part of the issue is
the overall drift of the ACM/IEEE curricular recommendation for CS has been
moving away from complete system design guidelines are also used, in part,
to define what a program requires to get ABET accreditation - a target for
many CS programs.
(https://www.acm.org/binaries/content/assets/education/cs2013_web_final.pdf). These

For example, architecture and organization for a BS computer science degree
gets only 16 tier-2 hours. That is 1 semester-unit or 1.5 quarter units.
Similarly, a lot of system design topics get a similar small 1 or 2 unit
recommendation. This encourages teaching systematic thinking in a limited
number of survey courses if you want to follow the ACM recommendations and
not have all of your curriculum on specific system topics.

Many departments have to make hard decisions about what curriculum to focus
on also. It is difficult to hire in some specialties for non-R1
universities. Cybersecurity (formal methods or other) is difficult because
industrial demand is high and pay scale is hard to compete with. For
example, most CSUs and similar state schools have 0 or 1 person with formal
background in cybersecurity. Software engineering has similar issues.

In my experience, other domains are hard to hire because of supply side
issues. For example, compilers and programming languages are difficult
because there are fewer people getting PhDs in related fields—so some
schools have had to cut compilers as a required course because they just
can't staff enough sections. Schools can try to find creative solutions, for
example. cross-training across specialties, but this is a hard task to add
to an already busy job.


Metro May Resume Automatic Train Operation In 2023 (DCist)

Gabe Goldberg <gabe@gabegold.com>
Wed, 7 Dec 2022 01:10:29 -0500
If you've ever cursed your jerky Metro train as it comes into a station,
take comfort in the fact that those days may soon be over.

Metro is seeking to return its Red Line trains to automatic operation --
instead of manual human operation—by next spring, the transit agency
noted in a presentation Monday. The rest of the system could return to
automation by the end of 2023.

System shut down after 2009 crash

Metro was originally designed to be an automated system. And it operated
that way until 2009 when a sensor in the track malfunctioned, which led to a
train crashing into the back of another train near Fort Totten. The crash
killed nine people and injured 80 others. (The malfunctioning circuit meant
one of the trains involved in the collision was, in essence, invisible on
the system.)

https://dcist.com/story/22/12/06/metro-resume-automatic-train-operation-2009-crash-red-line


Amnesty International Canada hit by cyberattack out of China (CBC)

Matthew Kruk <mkrukg@gmail.com>
Mon, 5 Dec 2022 14:33:38 -0700
https://www.cbc.ca/news/politics/amnesty-international-canada-cyber-attack-china-1.6674788

The Canadian branch of Amnesty International was the target of a
sophisticated cyber-security breach this fall—an attack forensic
investigators believe originated in China with the blessing of the
government in Beijing.

The intrusion was first detected on October 5, the human rights group said
Monday.

The attack showed signs of being the work of what's known as an advanced
persistent-threat group (APT), according to the cyber security company that
conducted the forensic investigation.

Unlike a typical cybercrime attack, the attack on Amnesty involved
establishing covert surveillance of the operating system of Amnesty's
network, said the report prepared for Amnesty International Canada by the
U.K.-based cybersecurity firm Secureworks.

The hackers appeared to be attempting to obtain a list of Amnesty's contacts
and monitor its plans.


Data breach of Ontario's vaccine booking system affects hundreds of thousands, province says (CBC)

Matthew Kruk <mkrukg@gmail.com>
Fri, 9 Dec 2022 20:45:21 -0700
https://www.cbc.ca/news/canada/toronto/vaccine-data-breach-ontario-1.6680714

Hundreds of thousands of Ontarians' information may have been compromised in
a data breach of the province's vaccine management system last year.

Beginning Friday, some 360,000 people will receive notices that their
personal information was part of the November 2021 data breach of the COVAXX
system, the Ministry of Public and Business Service Delivery said in a
statement Friday.

The ministry said it had been working with the Ministry of Health, police
and the Ontario's privacy commissioner to determine the scale and impact of
the breach. The ministry's statement does not say how it occurred.

Two people were charged in connection with the breach last year.


How the Global Spyware Industry Spiraled Out of Control (Sundry)

geoff goodfellow <geoff@iconia.com>
Thu, 8 Dec 2022 11:09:08 -0700
The Biden administration took a public stand last year against the abuse of
spyware to target human-rights activists, dissidents and journalists: It
blacklisted the most notorious maker of the hacking tools, the Israeli firm
NSO Group.

But the global industry for commercial spyware—which allows governments
to invade mobile phones and vacuum up data—continues to boom. Even the
U.S. government is using it.

The Drug Enforcement Administration is secretly deploying spyware from a
different Israeli firm, according to five people familiar with the agency's
operations, in the first confirmed use of commercial spyware by the federal
government.

At the same time, the use of spyware continues to proliferate around the
world, with new firms—which employ former Israeli cyberintelligence
veterans, some of whom worked for NSO—stepping in to fill the void left
by the blacklisting. With this next generation of firms, technology that
once was in the hands of a small number of nations is now ubiquitous --
transforming the landscape of government spying.

One firm, selling a hacking tool called Predator and run by a former Israeli
general from offices in Greece, is at the center of a political scandal in
Athens over the spyware√Ęs use against politicians and journalists.  [...]

https://dnyuz.com/2022/12/08/how-the-global-spyware-industry-spiraled-out-of-control/

  [Also reported by Jan Wolitzky from The NYTimes, with the same caption:]

The market for commercial spyware—which allows governments to invade
mobile phones and vacuum up data—is booming. Even the U.S. government is
using it.

  [Includes a copy of a nine-page Intellexa pitch for Predator to a
  Ukrainian intelligence agency in 2021, the first full such commercial
  spyware proposal to be made public.]

https://www.nytimes.com/2022/12/08/us/politics/spyware-nso-pegasus-paragon.html


It's Not Science, Just Surveillance—and It's Under Your Desk (Techworker)

Jan Wolitzky <jan.wolitzky@gmail.com>
Thu, 8 Dec 2022 07:26:35 -0500
Northeastern University installed heat sensors under the desks of graduate
student workers, without their consent, allegedly to conduct a study on desk
usage.

<https://news.techworkerscoalition.org/2022/11/29/issue-19/>


Raspberry Pi hires a former cop, and responds poorly to the public response (Resetera)

Lauren Weinstein <lauren@vortex.com>
Thu, 8 Dec 2022 12:35:54 -0800
Raspberry Pi hires a former cop, and responds poorly to the public response
https://www.resetera.com/threads/raspberry-pi-hires-a-former-cop-and-responds-poorly-to-the-public-response.662539/


Apple to encrypt iCloud (The Washington Post)

Gabe Goldberg <gabe@gabegold.com>
Wed, 7 Dec 2022 14:55:41 -0500
Law enforcement has objected in the past to encrypting iCloud accounts

After years of delay under government pressure, Apple said Wednesday that it
will offer fully encrypted backups of photos, chat histories and most other
sensitive user data in its cloud storage system worldwide, putting them out
of reach of most hackers, spies and law enforcement.

https://www.washingtonpost.com/technology/2022/12/07/icloud-apple-encryption/


TSA argues for impunity for checkpoint staff who rape travelers (PaperPlease)

Lauren Weinstein <lauren@vortex.com>
Tue, 6 Dec 2022 18:12:08 -0800
https://papersplease.org/wp/2022/12/06/tsa-argues-for-impunity-for-checkpoint-staff-who-rape-travelers/

  [The cited full story is even scarier than its subject line, and is
  omitted here.  Note that this is a problem not just in foreign airports.
  Seems as if TSA absurdly wants to whitewash outright crimes, but perhaps
  it is something appealing to would-be molesters whom they might hire as
  more aggressive agents.  This item is either ridiculously bad PR for TSA,
  or ridiculously bad journalism—or perhaps both.  PGN]


Hertz to pay $168m for falsely accusing customers of theft (BBC)

Gabe Goldberg <gabe@gabegold.com>
Wed, 7 Dec 2022 01:12:30 -0500
Hertz said it will pay $168m (£137.4m) to customers who were wrongly accused
by the rental company of vehicle theft.  The pay-out will settle 364 claims
against the company, some from innocent customers who were falsely reported
to the authorities for stealing rental cars, Hertz announced on Monday.

Some customers said they were arrested or jailed over the accusations.

In a statement, Hertz CEO Stephen Scherr said his company "will not always
be perfect".

https://www.bbc.com/news/world-us-canada-63879250

  [It really hertz to be falsely arrested.  PGN]


AI Learns To Write Computer Code In 'Stunning' Advance (Science)

geoff goodfellow <geoff@iconia.com>
Sat, 10 Dec 2022 08:57:12 -0700
DeepMind's new artificial intelligence system called AlphaCode was able to
"achieve approximately human-level performance" in a programming competition
<https://www.science.org/content/article/ai-learns-write-computer-code-stunning-advance>.
The findings have been published in the journal Science
<https://www.science.org/doi/10.1126/science.abq1158?adobe_mc=MCORGID=242B6472541199F70A4C98A6%40AdobeOrg|TS=1670536877>.
Slashdot reader sciencehabit
<https://developers.slashdot.org/~sciencehabit> shares
a report from Science Magazine:AlphaCode's creators focused on solving
those difficult problems. Like the Codex researchers, they started by
feeding a large language model many gigabytes of code from GitHub, just to
familiarize it with coding syntax and conventions. Then, they trained it to
translate problem descriptions into code, using thousands of problems
collected from programming competitions. For example, a problem might ask
for a program to determine the number of binary strings (sequences of
zeroes and ones) of length n that don't have any consecutive zeroes. When
presented with a fresh problem, AlphaCode generates candidate code
solutions (in Python or C++) and filters out the bad ones. But whereas
researchers had previously used models like Codex to generate tens or
hundreds of candidates, DeepMind had AlphaCode generate up to more than 1
million.

To filter them, AlphaCode first keeps only the 1% of programs that pass
test cases that accompany problems. To further narrow the field, it
clusters the keepers based on the similarity of their outputs to made-up
inputs. Then, it submits programs from each cluster, one by one, starting
with the largest cluster, until it alights on a successful one or reaches
10 submissions (about the maximum that humans submit in the competitions).
Submitting from different clusters allows it to test a wide range of
programming tactics. That's the most innovative step in AlphaCode's
process, says Kevin Ellis, a computer scientist at Cornell University who
works AI coding.

After training, AlphaCode solved about 34% of assigned problems, DeepMind
reports this week in Science
<http://www.science.org/doi/10.1126/science.abq1158?adobe_mc=MCORGID=242B6472541199F70A4C98A6%40AdobeOrg|TS=1670536877>.
(On similar benchmarks, Codex achieved single-digit-percentage success.) To
further test its prowess, DeepMind entered AlphaCode into online coding
competitions. In contests with at least 5000 participants, the system
outperformed 45.7% of programmers. The researchers also compared its
programs with those in its training database and found it did not duplicate
large sections of code or logic. It generated something new—a creativity
that surprised Ellis. The study notes the long-term risk of software that
recursively improves itself. Some experts say such self-improvement could
lead to a superintelligent AI that takes over the world. Although that
scenario may seem remote, researchers still want the field of AI coding to
institute guardrails, built-in checks and balances.

https://developers.slashdot.org/story/22/12/08/226221/ai-learns-to-write-computer-code-in-stunning-advance


A Row Erupts Over Texas' Bold Bitcoin Battery Plan (WiReD)

Gabe Goldberg <gabe@gabegold.com>
Thu, 8 Dec 2022 00:53:34 -0500
Bitcoin miners say they can help stabilize a shaky power grid and prevent
blackouts. Experts say it will make the problem worse.

In Bratcher's terms, it works like this: In periods of low demand, big
crypto mines can plug into sources of renewable power that would otherwise
be wasted, thereby increasing the profitability of wind and solar and
encouraging new development. Then, when demand from the grid is high, miners
shut off their operations to allow power to be channeled toward regular
people.

Although Texas produces more renewable energy than any other U.S. state, its
grid is propped up by an aging fleet of fossil fuel plants, some of which
have been running without maintenance to keep pace with energy demand. At an
average age of 50 and 30 years, respectively, the state's coal and gas
plants are reaching the end of their useful lives.

Core to [Gov] Abbott's plan is the theory that the additional demand for
energy created by new bitcoin-mining facilities will establish *an
investment incentive* that brings new sources of power generation to
Texas. Then, when energy demand goes through the roof during a heat wave or
cold snap, the state will have more energy flowing through its grid and the
option to redirect power as a last resort.

The plan to use crypto mines as giant batteries is controversial, to say the
least. Ed Hirs, an energy fellow at the University of Houston, claims the
battery analogy is "nonsense" because miners don't store and release energy,
but rather only promise to stop consuming when it's urgently needed
elsewhere. And he disputes the idea that crypto mining will bring additional
energy generation to the grid, which he describes as misdirection designed
to distract from the price increases people will incur due to an overall
rise in energy demand.

Demand for energy in Texas is set to skyrocket as a result of Abbott's
plan. Miners in the state are currently using around 2 gigawatts (GW) of
energy, with peak capacity for the state topping out at 80 GW. By 2026 it's
estimated that Texas bitcoin miners will draw as much as 29 GWfour times as
much as the whole of New York City.

https://www.wired.com/story/bitcoin-texas-power-grid


A Twitter data tracker inhabits tens of thousands of websites (The Washington Post)

Gabe Goldberg <gabe@gabegold.com>
Fri, 9 Dec 2022 01:24:20 -0500
Tens of thousands of websites belonging to government agencies, Fortune 500
companies and other organizations host Twitter computer code that sends
visitor information to the social media giant, according to research first
reported by The Cybersecurity 202.

And virtually none of them have used a Twitter feature to put restrictions
on what the company can do with that data, said digital ad analysis firm
Adalytics, which conducted the study.

The presence of Twitter's code—known as the Twitter advertising pixel --
has grown more troublesome since Elon Musk purchased the platform.

That's because under the terms of Musk's purchase, large foreign investors
were granted special privileges. Anyone who invested $250 million or more is
entitled to receive information beyond what lower-level investors can
receive.

Among the higher-end investors include a Saudi prince[?] holding company and a
Qatari fund.

“Government agencies, hospitals, over half of all U.S. members of Congress,
media publishers, and brands may not be aware that they are sharing
terabytes of their visitors' and audience's data with Twitter,'' Adalytics
founder Krzysztof Franaszek wrote.


Sundry Musky Items (PGN-collected)

Lauren Weinstein <lauren@vortex.com>
Thu, 8 Dec 2022 18:56:17 -0800
Twitter to Charge $11 Per Month for Twitter Blue on iPhone, $7 on Website
 (MacRumors)

ProTip: Elon's hate speech site isn't worth 11 cents per month -L
https://www.macrumors.com/2022/12/07/twitter-blue-relaunch-subscription-fees/

https://dnyuz.com/2022/12/08/how-the-global-spyware-industry-spiraled-out-of-control/

Musk's Neuralink faces federal probe, employee backlash over animal tests
https://news.yahoo.com/exclusive-musk-neuralink-faces-federal-221949094.html

Musk and Direct Messages: It seems absolutely clear from Musk's behavior
over the last few days that he cannot be trusted with the massive #Twitter
stockpile of Direct Messages (DMs), which include a vast variety of
sensitive materials including major firms' account-verified support
interactions with customers and much more.  QED -L

Elon Musk slams San Francisco for probe of bedrooms at Twitter HQ
https://www.redlandsdailyfacts.com/2022/12/07/musk-slams-san-francisco-for-probe-of-bedrooms-at-twitter-hq/

New Letter from Congressmen Schiff and Takano re hate speech on Twitter
https://schiff.house.gov/imo/media/doc/letter_to_twitter.pdf

Elton John leaves Twitter Due to Misinformation, Musk begs him to come back
https://deadline.com/2022/12/elton-john-quits-twitter-elon-musk-responds-1235195130/

More Twitter and DMs:
#Twitter could easily release a statement saying that user DMs are safe from
snooping by Musk or anyone else without specific legal process. Twitter has
so far chosen not to issue such an assurance.  Why? -L

Musk's Devious Plan Is Obvious"
Musk is attempting to leverage the public's lack of knowledge about the
complex tasks of moderating social media content to prevent spam, hate
speech, crime, terrorism, child abuse, and many more horrors—at enormous
scale—to portray Twitter as engaging in a grand conspiracy where none
exists.
He's smart enough to realize this, but he's devious enough to play this all
for maximal personal advantage, just as tyrants and authoritarians have done
in their own contexts throughout history. -L

How Twitter saved lives by blocking:
It was completely appropriate and admirable for the former #Twitter
management to block and/or not amplify tweets/accounts spouting COVID
disinformation or other harmful lies, irrespective of the political
affiliations of the senders. The fact that by far most of this
disinformation came (and still comes) from right-wing accounts does not
indicate a bias against the right, but a healthy bias against
disinformation. While the process wasn't perfect, it probably saved many
innocent lives. -L

Twitter claims reporters they're permitting to rummage around internal
messages don't have access to user DMs—but says nothing about Musk or
others' access. -L

Why disinformation needs to be stopped BEFORE it spreads:
Let's be super clear about why you need to stop disinformation *before* it
is widely amplified. Every study looking at this that I've seen shows
clearly that misinformation and disinformation—usually by virtue of their
alarmist natures—have vastly greater reach than any attempts to correct
the falsehoods after the fact.
Efforts to use accurate information to "answer" misinformation and
purposeful lies are either disbelieved, ignored, and shared to a
dramatically lessor extent. Meanwhile, the liars and conspiracy promoters
move on to their next topics, and their next victims. -L

Twitter Blue returns, 3 Trust and Safety Council members resign, and
Twitter goes silent when asked key questions.
  Any advertisers touching Twitter with a 10 foot pole are insane. -L
https://arstechnica.com/tech-policy/2022/12/twitter-blue-is-coming-back-with-more-colors-and-assurances-from-musk/

#Twitter Direct Messages and Musk:
As far as I know, Musk has still not made a statement regarding the privacy
and sanctity of the enormous collection of Direct Messages (DM) data that
#Twitter presumably has maintained possibly since the feature was originally
deployed many years ago.
This contains the personal discussions of individuals, firms, companies, and
probably government agencies providing customer support via account numbers
and other personal data, and much more.
Do we have any assurance whatsoever that Musk would not feel free to go
rummaging through that mass of data and use and/or publicly expose anything
and everything that he felt would be beneficial to his personal goals?
Given Musk's ongoing behavior, the question would be laughable if it wasn't
so serious. -L

Please report problems with the web pages to the maintainer

x
Top