The RISKS Digest
Volume 33 Issue 85

Tuesday, 19th September 2023

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy, Peter G. Neumann, moderator



Bots are Better than Humans at CAPTCHAs
Bruce Schneier
Cryptocurrency Startup Loses Encryption Key for Electronic Wallet
Schneier via Gabe Goldberg
What politicians are doing about the Internet, RIGHT NOW
Lauren Weinstein
Microsoft AI researchers accidentally exposed terabytes of internal sensitive data
In Risky Hunt for Secrets, U.S. and China Expand Global Spy Operations
Chinese hackers have unleashed a never-before-seen Linux backdoor
Ars Technica
Scientists warn entire branches of the ‘Tree of Life’ are going extinct
Yahoo! News
Can the free market ensure artificial intelligence won't wipe out human workers?
DHS Issues Privacy/Civil Liberties Guidelines, and DHS Spies Trouble in 2024 in election security
Old Google vs. New Google
Lauren Weinstein
Re: Pedestrian dies after Cruise cars block ambulance
Geoff Kuenning, Henry Baker
Re: Vintage Car prices
Joe Gwinn
Info on RISKS (comp.risks)

Bots are Better than Humans at CAPTCHAs

Bruce Schneier <>
Fri, 15 Sep 2023 11:06:31 +0000

Abstract: For nearly two decades, CAPTCHAS have been widely used as a means of protection against bots. Throughout the years, as their use grew, techniques to defeat or bypass CAPTCHAS have continued to improve. Meanwhile, CAPTCHAS have also evolved in terms of sophistication and diversity, becoming increasingly difficult to solve for both bots (machines) and humans. Given this long-standing and still-ongoing arms race, it is critical to investigate how long it takes legitimate users to solve modern CAPTCHAS, and how they are perceived by those users.

In this work, we explore CAPTCHAS in the wild by evaluating users' solving performance and perceptions of unmodified currently-deployed CAPTCHAS. We obtain this data through manual inspection of popular websites and user studies in which 1,400 participants collectively solved 14,000 CAPTCHAS. Results show significant differences between the most popular types of CAPTCHAS: surprisingly, solving time and user perception are not always correlated. We performed a comparative study to investigate the effect of experimental context, specifically the difference between solving CAPTCHAS directly versus solving them as part of a more natural task, such as account creation. Whilst there were several potential confounding factors, our results show that experimental context could have an impact on this task, and must be taken into account in future CAPTCHA studies. Finally, we investigate CAPTCHA-induced user task abandonment by analyzing participants who start and do not complete the task.

Slashdot thread.

And let's all rewatch this great ad from 2022.

Cryptocurrency Startup Loses Encryption Key for Electronic Wallet (Schneier on Security)

Gabe Goldberg <>
Sat, 16 Sep 2023 16:37:40 -0400

The cryptocurrency fintech startup Prime Trust lost the encryption key to its hardware wallet, and the recovery key, and therefore $38.9 million. It is now in bankruptcy.

I can’t understand why anyone thinks these technologies are a good idea.

I mean, nobody could have anticipated that happening… [!!!]

What politicians are doing about the Internet, RIGHT NOW

Lauren Weinstein <>
Sun, 10 Sep 2023 08:11:37 -0700

Keep in mind that right now, at this very moment, politicians in BOTH PARTIES are pushing legislation to require you to show a government ID to use most major Internet sites. Some of these laws have already been passed, and litigation all the way up to the Supreme Court is very likely. The goal of BOTH PARTIES is to create a Chinese-style Internet with everyone fully identified, all anonymity effectively lost (irrespective of the “safeguards” U.S. officials will promise), and all content tightly micromanaged by officials on the Left and Right not only to “protect the children” but to keep all Internet users firmly under the government's control. Yes, it's that bad. -L

Microsoft AI researchers accidentally exposed terabytes of internal sensitive data (TechCrunch)

Victor Miller <>
Mon, 18 Sep 2023 15:30:26 -0700

In Risky Hunt for Secrets, U.S. and China Expand Global Spy Operations (NYTimes)

Monty Solomon <>
Mon, 18 Sep 2023 10:34:42 -0400

The nations are taking bold steps in the espionage shadow war to try to collect intelligence on leadership thinking and military capabilities.

Chinese hackers have unleashed a never-before-seen Linux backdoor (Ars Technica)

Monty Solomon <>
Mon, 18 Sep 2023 19:55:29 -0400

Scientists warn entire branches of the ‘Tree of Life’ are going extinct (Yahoo! News)

geoff goodfellow <>
Tue, 19 Sep 2023 09:02:26 -0700

Humans are driving the loss of entire branches of the “Tree of Life,” according to a new study published on Monday which warns of the threat of a sixth mass extinction.

“The extinction crisis is as bad as the climate change crisis. It is not recognized,” said Gerardo Ceballos, professor at the National Autonomous University of Mexico, and co-author of the study published in Proceedings of the National Academy of Sciences (PNAS).

“What is at stake is the future of mankind,” he told AFP.

The study is unique because instead of merely examining the loss of a species, it examines the extinction of entire genera.

In the classification of living beings, the genus lies between the rank of species and that of family. For example, dogs are a species belonging to the genus canis—itself in the canid family.

“It is a really significant contribution, I think the first time anyone has attempted to assess modern extinction rates at a level above the species,” Robert Cowie, a biologist at the University of Hawaii who was not involved in the study, told AFP.

“As such it really demonstrates the loss of entire branches of the Tree of Life,” a representation of living things first developed by Charles Darwin.

The study shows that “we aren't just trimming terminal twigs, but rather are taking a chainsaw to get rid of big branches,” agreed Anthony Barnosky, professor emeritus at the University of California, Berkeley.

The researchers relied largely on species listed as extinct by the International Union for Conservation of Nature (IUCN). They focused on vertebrate species (excluding fish), for which more data are available.

Of some 5,400 genera (comprising 34,600 species), they concluded that 73 had become extinct in the last 500 years—most of them in the last two centuries.

The researchers then compared this with the extinction rate estimated from the fossil record over the very long term. […]

Can the free market ensure artificial intelligence won't wipe out human workers? (CBC)

Matthew Kruk <>
Mon, 18 Sep 2023 19:00:06 -0600

What will you be doing only a decade from now when advanced versions of the artificial intelligence program ChatGPT have wormed their way into the fabric of life?

According to some experts, you may be out of a job. Two current labour disputes involving autoworkers and screenwriters are at least partly about the future threat of AI.

When AI comes for the jobs, writers may be among the first to go, warn two respected technology mavens writing in Foreign Affairs magazine. And they are not alone in that view. Even current versions of the AI program ChatGPT can sketch clearer prose than most humans, they say. And those programs are getting better.

By 2035, as “white-collar workers lose their jobs en masse,” declare Ian Bremmer and Mustafa Suleyman, AI will be running hospitals and airlines and courtrooms. “A year ago, that scenario would have seemed purely fictional; today, it seems nearly inevitable.”

DHS Issues Privacy/Civil Liberties Guidelines, and DHS Spies Trouble in 2024 in election security (Politico)

Peter Neumann <>
Mon, 18 Sep 2023 10:41:08 PDT

DHS also joined the Washington emerging tech frenzy on Thursday by introducing new guidelines on responsible use of AI with a focus on privacy and civil liberties.

The move, the first of its kind for the agency, emphasizes the need for transparency and accountability in AI, while setting the stage for agencies to take steps to blunt bias in its systems.

The guidelines also give us a sneak peek on how the agency plans to prioritize AI, honing in on its use for decision-making, the collection and use of data, and the development and testing of AI systems.

[ALSO from the same source:]

DHS Spies Trouble in 2024 in election security
 [don't forget integrity!!! PGN]

Next year's election is shaping up to be a doozy—and the country has a toxic triad of foreign cyberthreats, increasingly powerful AI models and rising domestic extremism to thank for it, according to a new government report.

The Department of Homeland Security's 2024 threat assessment, which came out Thursday courtesy of its office of Intel and analysis, warns those three variables together will present significant risks to the integrity of the presidential election and the physical well-being of those involved in it.

Old Google vs. New Google

Lauren Weinstein <>
Mon, 18 Sep 2023 11:12:00 -0700

Re: Pedestrian dies after Cruise cars block ambulance (RISKS-33.83)

Geoff Kuenning <>
Fri, 15 Sep 2023 13:20:27 -0700

You'll note that I used the word “allege”.

Even if this case turns out to be not the fault of the Cruise cars, I think that it highlights an important point that has been repeatedly raised over the past year or so: driving is about more than safely staying within the lane (and the rules) and avoiding obstacles. Drivers have to deal with all sorts of unusual situations where the usual rules don't apply, such as police officers (or cones) directing them into the oncoming lane, turning around because a stuck semi has blocked the road, avoiding dangerously flooded intersections, etc. It's likely to be a long time before self-driving cars can handle all of those exceptions as well as a human can.

Re: Pedestrian dies after Cruise cars block ambulance (Lamont, RISKS-33.83)

Henry Baker <>
Fri, 15 Sep 2023 17:14:50 +0000

I think that we need to consider this incident a wakeup call re the risks of ‘smart’ vehicles.

The newest cars are literally computers that happen to have wheels attached, and nearly everything about these cars can be hacked via the Internet — either using the car's own radios or utilizing Bluetooth/Wifi connected smartphones provided by the car's passengers.

So here are some obvious hacking risks:

  1. EV's could be hacked to cause their batteries to melt down; catch fire — literally execute ‘HCF’—perhaps an entire city's worth of EV's at exactly the same time. Since a lot of EV's would be parked inside garages, an entire city could be burned to the ground via an organized hack.

    [No need for censorship; I'm certain that the Chinese have already thought of this. Oh wait, aren't most EV batteries built in China? What could possibly go wrong? ]

  2. Self-driving vehicles could be hacked to all drive to the same location at the same time to block all the main streets in a city. An optimized algorithm could block all of a city's streets with relatively few strategically placed ‘self’ driving vehicles.

    [Once again, I'm sure that Chinese/Russian/Iranian/NKorean hackers have already thought of this.]

  3. Another terrifying prospect: an AI-operated system of traffic lights that decides on its own how to ‘optimize’ traffic—e.g., to/from a major event like a football game—but gets too clever and cuts off access to hospitals. Programs like ‘Waze’ have already shown us how directed traffic can go wrong.

    Partial solution: we desperately need diversity in the HW/SW of our vehicles, so that no single attack vector can zombify all of our vehicles simultaneously.

    Partial solution: much, much stronger controls to make sure that vehicle SW can be updated to respond to newly discovered threats, and that the SW can be updated safely—i.e., the update channel itself cannot be compromised to provide an attack mechanism.

Re: Vintage Car prices (Thorn, RISKS-33.84)

Joe Gwinn <>
Thu, 14 Sep 2023 16:01:08 -0400

> NO data collection included.-)

And no unreliable electronics and dependence on the web and various servers working, or subscription fees.

Not to mention that the electronics may well have outlived its manufacturer, rendering the car scrap. See the Right-to-Repair topic for examples.
