
Risks Digest 32.66


RISKS List Owner

RISKS-LIST: Risks-Forum Digest Wednesday 12 May 2021 Volume 32 : Issue 66

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.66>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
The Pentagon Inches Toward Letting AI Control Weapons (WiReD)
DarkSide hacking group responsible for the Colonial Pipeline shutdown
(CNBC and Bloomberg via geoff goodfellow)
U.S. Declares Emergency in 17 States Over Fuel Pipeline Cyberattack
(The Hacker News)
What the U.S. Colonial pipeline cyberattack means for Europe
(Politico Europe)
ISPs Funded 8.5 Million Fake Comments Opposing Net Neutrality (WiReD)
Tesla backseat driver was arrested then released; now he says he is back at
it (Electrek)
Nearly All Wi-Fi Devices Are Vulnerable to New FragAttacks (The Hacker News)
U.S. Intelligence Agencies Warn About 5G Network Weaknesses (The Hacker News)
Pro tip for the "but how do we protect ourselves?" folks (Brian Krebs)
Twitter's Tip Jar Privacy Fiasco Was Entirely Avoidable (WiReD)
I have been pwned! -- but not really (Rob Slade)
Marvin Minsky hacked? (Tom Van Vleck)
That reminds me of Bob Fenichel's Turing Hack (Tom Van Vleck)
96% of U.S. Users Opt Out of App Tracking in iOS 14.5, Analytics Find
(Samuel Axon)
FaceApp misrepresentation (WashPost)
A risk of computerizing what worked fine without the computer
(NotAlwaysRight)
Apple's new Airtags can be easily abused by stalkers (WashPost)
Michigan GOP lawmaker floats bill to register, fine 'fact checkers'
(Lauren Weinstein)
Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob Popsicles
(Amos Shapir)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 11 May 2021 00:51:30 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: The Pentagon Inches Toward Letting AI Control Weapons (WiReD)

But as the drone demonstrations highlight, more widespread use of AI will
sometimes make it more difficult to keep a human in the loop. This might
prove problematic, because AI technology can harbor biases or behave
unpredictably
<https://www.wired.com/story/foundations-ai-riddled-errors/>. A vision
algorithm trained to recognize a particular uniform might mistakenly target
someone wearing similar clothing. Chung says the swarm project presumes that
AI algorithms will improve to a point where they can identify enemies with
enough reliability to be trusted.

https://www.wired.com/story/pentagon-inches-toward-letting-ai-control-weapons/

Presumes... what could go wrong?

------------------------------

Date: Mon, 10 May 2021 09:22:38 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: DarkSide hacking group responsible for the Colonial Pipeline shutdown

- A hacker group called DarkSide is behind the cyberattack on Colonial
Pipeline that shut down a major oil pipeline over the weekend.
- DarkSide makes ransomware hacking tools, but only largely goes after
for-profit companies from English-speaking countries.

The DarkSide hacker gang that is responsible for the devastating Colonial
Pipeline attack this weekend is a relatively new group, but cybersecurity
analysts already know enough about them to determine just how dangerous they
are.
<https://www.cnbc.com/2021/05/09/gasoline-futures-jump-as-much-of-vital-pipeline-remains-shutdown-following-cyberattack.html>

According to Boston-based Cybereason, DarkSide is an organized group of
hackers set up along the *ransomware as a service* business model, meaning
the DarkSide hackers develop and market ransomware hacking tools, and sell
them to other criminals who then carry out attacks. Think of it as the evil
twin of a Silicon Valley software start-up.

Bloomberg first reported
<https://www.bloomberg.com/news/articles/2021-05-09/colonial-hackers-stole-data-thursday-ahead-of-pipeline-shutdown>
that DarkSide may be involved in the attack on Colonial Pipeline. The FBI
confirmed Monday that DarkSide was behind the attack.

On Monday, Cybereason provided CNBC with a new statement from DarkSide's
website that appears to address the Colonial Pipeline shutdown.

Under a heading, *About the latest news*, DarkSide claimed it's not
political and only wants to make money without causing problems for society

``We are apolitical, we do not participate in geopolitics, do not need to
tie us with a defined government and look for our motives,'' the statement
said. ``Our goal is to make money, and not creating problems for society.
From today we introduce moderation and check each company that our partners
want to encrypt to avoid social consequences in the future.''

Cybereason reports that DarkSide has a perverse desire to appear ethical,
even posting its own code of conduct for its customers telling them who and
what targets are acceptable to attack. Protected organizations not to be
harmed include hospitals, hospices, schools, universities, nonprofit
organizations, and government agencies. Also apparently protected are
entities based in former Soviet countries. Fair game, then, are all
for-profit companies in English speaking countries. [...]

https://www.cnbc.com/2021/05/10/hacking-group-darkside-reportedly-responsiblee-for-colonial-pipeline-shutdown.html

[See also David Sanger and Nicole Perlroth, FBI Identifies Group Behind
Pipeline Hack, *The New York Times*, 11 May 2021.]

------------------------------

Date: Tue, 11 May 2021 12:36:14 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: U.S. Declares Emergency in 17 States Over Fuel Pipeline Cyber-Attack
(The Hacker News)

The ransomware attack
<https://thehackernews.com/2021/05/ransomware-cyber-attack-forced-largest.html>
against Colonial Pipeline's networks has prompted the U.S. Federal Motor
Carrier Safety Administration (FMCSA) to issue a regional emergency
declaration
<https://www.fmcsa.dot.gov/sites/fmcsa.dot.gov/files/2021-05/ESC-SSC-WSC%20-%20Regional%20Emergency%20Declaration%202021-002%20-%2005-09-2021.pdf>
in 17 states and the District of Columbia (D.C.).

The declaration provides a temporary exemption to Parts 390 through 399 of
the Federal Motor Carrier Safety Regulations (FMCSRs
<https://www.fmcsa.dot.gov/regulations>), allowing alternate transportation
of gasoline, diesel, and refined petroleum products to address supply
shortages stemming from the attack.

"Such [an] emergency is in response to the unanticipated shutdown of the
Colonial pipeline system due to network issues that affect the supply of
gasoline, diesel, jet fuel, and other refined petroleum products throughout
the Affected States," the directive said. "This Declaration addresses the
emergency conditions creating a need for immediate transportation of
gasoline, diesel, jet fuel, and other refined petroleum products and
provides necessary relief."

The states and jurisdictions affected by the pipeline shut down and
included in the Emergency Declaration are Alabama, Arkansas, District of
Columbia, Delaware, Florida, Georgia, Kentucky, Louisiana, Maryland,
Mississippi, New Jersey, New York, North Carolina, Pennsylvania, South
Carolina, Tennessee, Texas, and Virginia.

The exemptions, which aim to alleviate any supply disruptions that may
arise as a result of Colonial halting its pipeline operations, are expected
to be in effect until the end of the emergency or June 8, 2021, 11:59 p.m.,
whichever is earlier.
FBI Confirms DarkSide Ransomware. [...]
https://thehackernews.com/2021/05/us-declares-emergency-in-17-states-over.html

------------------------------

Date: Tue, 11 May 2021 11:16:19 PDT
From: Peter G Neumann <neu...@csl.sri.com>
Subject: What the U.S. Colonial pipeline cyberattack means for Europe
(Politico Europe)

America Hernandez and Laurens Cerulus, Politico Europe, 11 May 2021

The shutdown of a major fuel pipeline in the U.S. is a cybersecurity wakeup
call for EU energy operators.

Preliminary investigations indicate that a group of Russian criminal hackers
known as Darkside were likely behind the ransomware attack that shut down
the nearly 9,000-kilometer Colonial Pipeline -- which transports almost half
the jet fuel, diesel, gasoline and heating fuel used on the East Coast of
the United States.

Similar incidents have happened in Europe.

Russia-based cyberattacks on critical energy infrastructure have put the EU
on high alert since 2014, when the annexation of Crimea and war in the
Donbas led to Ukraine being hit with a series of attacks crippling
everything from power grids to election systems.

Those infiltrations culminated in the 2017 NotPetya attack, which paralyzed
multinationals like the Danish shipping giant Maersk, logistics giant FedEx,
pharma company Merck and other major corporations, and cost an estimated $10
billion to clean up.

Since then, the EU has moved to strengthen its energy system resilience --
but the work is far from over.

``The attack on Colonial just screams out for new regulation on critical
infrastructure companies,'' said Bart Groothuis, a Dutch member of the
European Parliament who leads negotiations on draft EU rules for
cybersecurity of networks and IT systems.

According to the European Union's Cybersecurity Agency (ENISA), the sector
reported roughly 100 significant cybersecurity incidents in 2020 -- half of
which were ransomware attacks.

Assessing the vulnerabilities

Energy system operators in Europe have so far faced only limited
requirements under the bloc's first-ever 2016 cybersecurity legislation, the
Networks and Information Security (NIS) Directive
<https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2013/0027(COD)&l=en>
-- as well as some sectoral legislation.
<https://ec.europa.eu/info/news/tackling-cybersecurity-challenges-energy-commission-adopts-recommendation-cybersecurity-energy-sector-2019-apr-03_en>

Those include applying minimum cybersecurity standards and promptly
reporting incidents as they happen.

According to the EU Agency for the Cooperation of Energy Regulators (ACER),
the most exposed elements of the bloc's pipeline systems are so-called
SCADAs -- supervisory control and data acquisition systems that govern
hardware such as pressure-reducing stations, valves and compressor stations.

``These are typically not linked to any other network, precisely to reduce
the exposure to cyberattacks,'' said ACER spokesperson Una Shortall.

The Colonial attack, however, didn't directly hit the infrastructure.
Instead, it targeted the business-side computer systems of the private
operator, which shut down the pipeline as a precaution.

``In a case like this, the company itself is the first line of defense and
the first line of response to crisis,'' Shortall added.

Planning for the worst

The bloc has several measures in place to ensure it can weather emergency
shutdowns.

To avoid the kind of fuel shortages and gasoline price increases currently
being experienced in parts of the U.S., all EU countries are required under
the Oil Stocks Directive to keep at least 90 days' worth of crude oil or
petroleum product imports on hand, or 61 days' worth of consumption --
whichever is greater.

But it's not always respected. In December, the European Commission
chastised Bulgaria, Romania and the Czech Republic for repeatedly failing to
keep the minimum supplies on hand, in some cases going as far back as 2013.

The good news is that upwards of 80 percent of the bloc's crude imports
arrive on oil tankers and trucks, according to the International Association
of Oil and Gas Producers (IOGP). Refined products like gasoline and diesel
are also transported through the EU by truck and rail, rather than through
fixed pipelines -- vastly upping flexibility.

``The EU crude oil pipeline network is a lot less dense -- pipe imports of
crude are a very small share,'' said Nareg Terzian, EU spokesperson for
IOGP. ``It actually makes sense if you think about it: Historically, the
oil market has been more liquid and open than the gas one, also because oil
is simply much easier to store and transport than gas.''

Natural gas is a bigger worry for the EU.

Following the 2006 and 2009 gas crises, Europe's network of gas
transmission system operators has conducted regular simulations of supply
interruptions on all EU import pipelines -- and prepared rerouting plans
using the Continent's system of cross-border interconnectors, underground
storage reserves and liquefied natural gas (LNG) terminals.

The most recent analysis
<https://entsog.eu/sites/default/files/2020-10/INV0332-20%20Addendum%20to%20the%20SoS%202017%20-%20for%20publication.pdf>,
published in October, simulated winter gas cutoffs of up to two months on
three major Russian supply routes: via Finland and down to the Baltic
States; via Ukraine; and along the Trans-Balkan pipeline flowing to Romania,
Bulgaria and Greece.

In the Finnish case, the response would be ramping up LNG imports in
Lithuania to maximum capacity and tapping Latvia's storage reserves to
supply the region. The Baltic connector pipeline -- which launched in
December 2019 and links Estonia to Finland -- would send flows north.

Should the Trans-Balkan pipeline shut down, flows destined for Bulgaria
could be sent through the second line of TurkStream, at the
Turkish-Bulgarian border.

But if the Ukrainian route to the EU is hit with a long-term outage in the
dead of winter, Romania could be left stranded -- even if Russian gas flows
are maintained through Belarus and through Germany's Nord Stream pipeline.

``Romania has no other possibilities to import gas'' after its storage
stocks are used up, the analysis warns.

The scenarios don't account for countries dialing down usage. They also
focus more on accidents on individual routes, rather than deliberate
shutdowns on multiple routes by a single supplier like Russia.

``The EU must think long and hard about energy diversification and consider
once again the risks of Nord Stream 2
<https://politico.us8.list-manage.com/track/click?u=e26c1a1c392386a968d02fdbc&id=c65a90dc4e&e=b93961e7ed>,
which, if built, will concentrate 80 percent of all Russian gas
supplies to Europe to one submarine pipeline system,'' said Sergiy
Makogon, CEO of Ukraine's gas grid operator.

``Digital threats have just come to the fore, but they can't overshadow
physical security,'' Makogon added. ``We have seen mysterious accidents
reshape the European energy landscape in 2009, when an unexplained blast
<https://politico.us8.list-manage.com/track/click?u=e26c1a1c392386a968d02fdbc&id=20db2acd86&e=b93961e7ed>
destroyed a portion of the Turkmenistan-Russia pipeline, ending exports of
Turkmen gas to Europe. Or the 2006 pipeline explosion
<https://politico.us8.list-manage.com/track/click?u=e26c1a1c392386a968d02fdbc&id=b3b63382f8&e=b93961e7ed>
that left Georgia and Armenia without gas in the middle of winter.''

The rise of digital attacks could change the way those scenarios are modeled.

``Cyber has introduced in the energy sector a new way to think about
threats and risks: Better to simulate and stimulate a reaction and to derive
a preventive strategy than to have a scenario that will rarely repeat twice
on large scale infrastructures,'' ACER's Shortall said.

Policies in the pipeline

European companies could soon face tougher cybersecurity rules, when EU
legislators pass a proposal
<https://oeil.secure.europarl.europa.eu/oeil/popups/ficheprocedure.do?reference=2020/0359(COD)&l=en>
by the European Commission to strengthen the NIS regime.

In the draft law, energy firms risk being fined up to 2 percent of their
annual turnover if they don't put in place security audits, have incident
response policies and check the security of their suppliers. The proposal
also added a range of subsectors of the energy market to the scope of the
law, including hydrogen production, district heating, electricity production
and central oil stockholding.

The EU is also working on a ``network code'' on cybersecurity for
electricity firms that would be adopted next year; a similar code for gas is
also in the works. And the sector is already working with public authorities
to share information on attacks and incidents within a European Energy
Information Sharing and Analysis Center.

``The sector is catching up in terms of cybersecurity,'' said Evangelos
Ouzounis, head of secure infrastructure and services at ENISA, adding that
more investments and continuous information sharing were needed to rule out
incidents like the Colonial catastrophe.

------------------------------

Date: Sun, 9 May 2021 16:10:02 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: ISPs Funded 8.5 Million Fake Comments Opposing Net Neutrality
(WiReD)

The secret campaign, backed by major broadband companies, used real people's
names without their consent.

The largest Internet providers in the US funded a campaign that generated
`8.5 million fake comments' to the Federal Communications Commission as part
of their fight against net neutrality rules during the Trump administration,
according to a report issued Thursday by New York state attorney general
Letitia James.

Nearly 18 million out of 22 million comments were fabricated, including both
pro- and anti-net-neutrality submissions, the report said. One 19-year-old
submitted 7.7 million comments supporting net neutrality under fake,
randomly generated names. But the astroturfing effort by the broadband
industry stood out because it used real people's names without their
consent, with third-party firms hired by the industry faking consent
records, the report said.

The New York Attorney General's Office began its investigation in 2017 and
said it faced stonewalling from then FCC chair Ajit Pai, who refused
requests for evidence. But after a years-long process of obtaining and
analyzing "tens of thousands of internal emails, planning documents, bank
records, invoices, and data comprising hundreds of millions of records," the
office said it "found that millions of fake comments were submitted through
a secret campaign, funded by the country's largest broadband companies, to
manufacture support for the repeal of existing net neutrality rules using
lead generators."

It was clear before Pai completed the repeal in December 2017 that millions
of people—including dead people—were impersonated in net neutrality
comments. Even industry-funded research found that 98.5 percent of genuine
comments opposed Pai's deregulatory plan. But Thursday's report reveals more
details about how many comments were fake and how the broadband industry was
involved.

https://www.wired.com/story/isps-funded-85-million-fake-comments-opposing-net-neutrality/

Hey, there's a bright side -- 4+ million comments were real. Nice work, Pai
-- suppressing evidence.

------------------------------

Date: Wed, 12 May 2021 09:30:03 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Tesla backseat driver was arrested then released; now he says he is
back at it (Electrek)

https://electrek.co/2021/05/12/tesla-backseat-driver-arrested-releases-back-at-it/

Why does this person still have a driver's license?

If Elon Musk had an ounce of integrity, @Tesla would shut down all driver
assist and self-drive capabilities of anyone found to be abusing those
systems, including of course back seat drivers.

------------------------------

Date: Wed, 12 May 2021 07:58:48 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Nearly All Wi-Fi Devices Are Vulnerable to New FragAttacks
(The Hacker News)

Three design and multiple implementation flaws have been disclosed in IEEE
802.11 technical standard that undergirds Wi-Fi, potentially enabling an
adversary to take control over a system and plunder confidential data.

Called FragAttacks <https://www.fragattacks.com/> (short for FRagmentation
and AGgregation attacks), the weaknesses impact all Wi-Fi security
protocols, from Wired Equivalent Privacy (WEP) all the way to Wi-Fi
Protected Access 3 (WPA3), thus virtually putting almost every
wireless-enabled device at risk of attack.

"An adversary that is within radio range of a victim can abuse these
vulnerabilities to steal user information or attack devices," Mathy Vanhoef,
a security academic at New York University Abu Dhabi, said. "Experiments
indicate that every Wi-Fi product is affected by at least one vulnerability
and that most products are affected by several vulnerabilities."

IEEE 802.11 provides the basis for all modern devices using the Wi-Fi family
of network protocols, allowing laptops, tablets, printers, smartphones,
smart speakers, and other devices to communicate with each other and access
the Internet via a wireless router.

Introduced in January 2018, WPA3
<https://www.wi-fi.org/discover-wi-fi/security> is a third-generation
security protocol that's at the heart of most Wi-Fi devices with several
enhancements such as robust authentication and increased cryptographic
strength to safeguard wireless computer networks.

According to Vanhoef, the issues <https://github.com/vanhoefm/fragattacks>
stem from "widespread" programming mistakes encoded in the implementation of
the standard, with some flaws dating all the way back to 1997. The
vulnerabilities have to do with the way the standard fragments and
aggregates frames, allowing threat actors to inject arbitrary packets and
trick a victim into using a malicious DNS server, or forge the frames to
siphon data.

The list of 12 flaws
<https://github.com/vanhoefm/fragattacks/blob/master/SUMMARY.md>
[...]

https://thehackernews.com/2021/05/nearly-all-wifi-devices-are-vulnerable.html

------------------------------

Date: Tue, 11 May 2021 12:27:29 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: U.S. Intelligence Agencies Warn About 5G Network Weaknesses
(The Hacker News)

Inadequate implementation of telecom standards, supply chain threats, and
weaknesses in systems architecture could pose major cybersecurity risks to
5G networks, potentially making them a lucrative target for cybercriminals
and nation-state adversaries to exploit for valuable intelligence.

The analysis, which aims to identify and assess risks and vulnerabilities
introduced by 5G adoption, was published on Monday by the U.S. National
Security Agency (NSA), in partnership with the Office of the Director of
National Intelligence (ODNI) and the Department of Homeland Security's
(DHS) Cybersecurity and Infrastructure Security Agency (CISA).

``As new 5G policies and standards are released, there remains the potential
for threats that impact the end-user. For example, nation states may
attempt to exert undue influence on standards that benefit their proprietary
technologies and limit customers' choices to use other equipment or
software.''

Specifically, the report cites undue influence from adversarial nations on
the development of technical standards, which may pave the way for adopting
untrusted proprietary technologies and equipment that could be difficult to
update, repair, and replace. Also of concern, per the report, are the
optional security controls baked into telecommunication protocols, which,
if not implemented by network operators, could leave the door open to
malicious attacks.

A second area of concern highlighted by the NSA, ODNI, and CISA is the
supply chain. Components procured from third-party suppliers, vendors, and
service providers could either be counterfeit or compromised, with security
flaws and malware injected during the early development process, enabling
threat actors to exploit the vulnerabilities at a later stage.
[...]
https://thehackernews.com/2021/05/us-intelligence-agencies-warn-about-5g.html

------------------------------

Date: Tue, 11 May 2021 12:09:50 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Pro tip for the "but how do we protect ourselves?" folks
(Brian Krebs)

Pro tip for the "but how do we protect ourselves?" folks. DarkSide
ransomware, like many other strains, will not install on systems where
certain Cyrillic keyboard and other scripts are already installed. So,
install the Russian keyboard. You don't have to use it.

https://twitter.com/briankrebs/status/1392163072970829830
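One way to apply this tip on a Windows workstation, as an added example that is not from the RISKS post or from Brian Krebs: a PowerShell script that adds the standard Russian keyboard layout to the current user's input-method list and prints the result so the change can be verified. It assumes Windows 8 or later with the built-in International module (Get-WinUserLanguageList / Set-WinUserLanguageList); the identifier 0419:00000419 is the stock Russian layout, and attaching it to the user's existing primary language entry instead of adding ru-RU as a display language is an assumption that this is enough for the kind of check the post describes.

```powershell
# Added example (not from the RISKS post or from Brian Krebs): install the
# standard Russian keyboard layout for the current user without changing the
# display language or the default input method. Assumes Windows 8+ and the
# built-in International module.

$RussianTip = "0419:00000419"   # LANGID:KLID of the stock Russian layout (assumed)

function Test-CyrillicLayoutPresent {
    # True if any language entry already carries a Russian keyboard layout
    $list = Get-WinUserLanguageList
    foreach ($lang in $list) {
        foreach ($tip in $lang.InputMethodTips) {
            if ($tip -like "*:00000419") { return $true }
        }
    }
    return $false
}

function Add-RussianLayout {
    if (Test-CyrillicLayoutPresent) {
        Write-Output "Russian keyboard layout already present; nothing to do."
        return
    }
    $list = Get-WinUserLanguageList
    # Append the layout to the user's primary language entry. Appending (not
    # inserting at index 0) keeps the existing default input method.
    $list[0].InputMethodTips.Add($RussianTip)
    Set-WinUserLanguageList -LanguageList $list -Force
    Write-Output "Added Russian keyboard layout to $($list[0].LanguageTag)."
}

Add-RussianLayout

# Show every language entry with its input methods so the result can be checked
Get-WinUserLanguageList | ForEach-Object {
    "{0}: {1}" -f $_.LanguageTag, ($_.InputMethodTips -join ", ")
}
```

Run it in an ordinary (non-elevated) PowerShell session, since it only edits the current user's profile; a deployment would have to repeat it per user or per image. Treat it as a cheap tripwire rather than a control: it relies on the malware still performing the check the post describes, and patching, tested backups and strong authentication remain the measures that actually limit a ransomware incident.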

------------------------------

Date: Sun, 9 May 2021 16:05:43 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Twitter's Tip Jar Privacy Fiasco Was Entirely Avoidable (WiReD)

Sending its users to PayPal has created all sorts of problems that Twitter
should have caught ahead of time.

On Thursday, Twitter continued its grand tradition of embracing features
users had unofficially pioneered (see also: the @-reply, the retweet, the
hashtag) by instituting a Tip Jar. Enjoy someone's tweet? Send them some
money straight from the app, via the online payment processor of their
choice. Simple enough. And yet, predictably, not so simple, especially for
those who value their anonymity online.

Within a few hours of Twitter's Tip Jar announcement, security researcher
Rachel Tobac found an unfortunate wrinkle: Sending someone money via PayPal
revealed to them her home address. Not long after, former Federal Trade
Commission chief technologist Ashkan Soltani discovered that using PayPal
for the Tip Jar could reveal a user's email address, even if no transaction
took place.

https://www.wired.com/story/twitter-tip-jar-privacy-fiasco-entirely-avoidable/

The risk? Good intentions.

------------------------------

Date: Mon, 10 May 2021 12:05:56 -0700
From: Rob Slade <rsl...@gmail.com>
Subject: I have been pwned! -- but not really

Today I received a notification from haveibeenpwned.com, informing that I
was "pwned" in the DriveSure data breach.

The notification lists my email address, the breach, the date (December of
2020), the number of accounts, the compromised data (email addresses, names,
passwords, phone numbers, physical addresses, and vehicle details), and a
description of the breach.

The thing is, I don't recall dealing with DriveSure.

And the email address given was my rsl...@gmail.com address.

Aha!

I get *lots* of email through that account that isn't for me. It isn't
exactly spam, either. It is directed at someone, and, although some of it
is marketing bumpf, some of it is quite personal. A lot of people think
that rsl...@gmail.com is *their* email address, and provide it to friends
and business contacts.

The upside is that, no, my password and personal details probably haven't
been pwned.

The downside is that there is a risk in using a very popular email platform.

------------------------------

Date: Tue, 11 May 2021 08:15:30 -0700
From: Tom Van Vleck <th...@multicians.org>
Subject: Marvin Minsky hacked?

Compsci boffin publishes proof-of-concept code for 54-year-old zero-day in
Universal Turing Machine

The Register
https://www.theregister.com/2021/05/11/turing_machine_0day_no_patch_available/

[Marvin Minsky taught my 2nd computer course at MIT. THVV]

------------------------------

Date: Tue, 11 May 2021 17:25:27 -0700
From: Tom Van Vleck <th...@multicians.org>
Subject: That reminds me of Bob Fenichel's Turing Hack

Bob Fenichel was an assistant professor at MIT in 1965. He wrote a set of
FAP macros to simulate a Turing machine. As the macros were expanded, they
defined other macros with temporary names. You invoked the top-level macro
something like TURING A,B,C where A was the tape, B the initial position, C
the transition table.

The macro-assembler assembled the macros, simulating the operation of the
specified machine, and eventually assembled either PZE 1 or PZE 0 depending
if the machine stopped on a 1 or 0 on the tape.

So all the "computation" was done in (conditional) macro expansion. This
was a practical demonstration that a macro language that allowed macros to
define other macros is able to compute anything computable. Of course, the
FAP simulation was in practice limited by the storage available on the
assembler's macro expansion tape, but the cost of 7094 time was an even more
practical limit on these experiments. It is still one of the neatest hacks
I've seen.

------------------------------

Date: Wed, 12 May 2021 12:25:21 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: 96% of U.S. Users Opt Out of App Tracking in iOS 14.5, Analytics
Find (Samuel Axon)

Samuel Axon, Ars Technica, 7 May 2021, via ACM TechNews, 12 May 2021

U.S. users have opted out of application tracking nearly all (96%) of the
time following Apple's release of iOS 14.5 in April, according to mobile app
analysis platform Flurry Analytics. That release was accompanied by Apple's
launch of enforcement of the App Tracking Transparency policy, which
requires iPhone, iPad, and Apple TV apps to request user consent to monitor
their activity across multiple apps for data collection and ad targeting.
Based on data from roughly 1 million mobile apps, Flurry Analytics said U.S.
users agree to be tracked only 4% of the time; globally, the firm found that
number reaching 12%.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2af34x22b1c8x069859&

------------------------------

Date: Wed, 12 May 2021 09:53:55 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: FaceApp misrepresentation (WashPost)

A beautiful female biker was actually a 50-year-old man using FaceApp. After
he confessed, his followers liked him even more.

The middle-aged father's big reveal sparked a debate over identity in the
Internet age: ``The only thing I'm creating is my appearance. Everything
else is me.''

https://www.washingtonpost.com/technology/2021/05/11/japan-biker-faceapp-soya-azusagakuyuki/

------------------------------

Date: Tue, 11 May 2021 22:42:45 -0400
From: "Mark Lutton" <mlu...@rcn.com>
Subject: A risk of computerizing what worked fine without the computer
(NotAlwaysRight)

https://notalwaysright.com/gordon-was-their-glue/233352/

This story comes from the web site "Not Always Right."

Gordon was a janitor, odd-job man, and general get-things-done man at a
care facility for vulnerable adults and the elderly. He was happy,
friendly, cheerful, and competent, kept the infrastructure running well,
and kept the place spick and span. Basically, he was really good at his
job and went above and beyond as the necessity presented itself.

Come the day when the place was computerised. The requirement was now that
he book all his activities on a computerised timesheet, for which he had
to have a computer of his own or a mobile phone. Gordon did not have a
computer and didn't have the most up-to-date phone; all he needed to do
was to take phone calls, which he managed perfectly well with his old
model.

This latest requirement gave him a lot of trouble. He managed to get
around it by being allowed to use one of the computers in the office,
which was not part of his domain, and he felt socially awkward in
there. Not only was it a complicated, fiddly, and awkwardly buggy piece of
software - it used to crash when you didn't enter the operations in the
correct order - but Gordon did not take easily to learning how to use a
computer. Equally unfortunately, there was nobody in the facility who was
skilled in training a technological newcomer, and he was getting shouted
at plenty, so of course, he found himself shouting back.

It didn't end well. He was given an ultimatum: shape up or ship out. He
was close to retirement anyway, so he took that early retirement and
shipped out before the facility had even begun to think about getting his
replacement trained up. They were forced to rely completely on the agency
staff who had been used on a temporary basis on the occasions when Gordon
was on leave. While competent enough at general janitorial duties, such
temporary staff were nowhere near familiar enough with the facility to
know how to keep it running properly, and things started progressively
breaking down and not getting properly repaired, and of course, it turned
out that Gordon had contacts in the trade where he would call specific
people to get various repairs done. Without Gordon's happy smiling
presence, coupled with the increasingly shabby and ill-maintained
infrastructure, morale plummeted, and staff started to drift away. Hence,
they started failing inspections, and in due course, the facility
closed. I'm not sure what happened to the residents; I believe they were
shunted off to other establishments.

Original story is from Not Always Right at the link above. Submitted to
RISKS by Mark Lutton, mlu...@rcn.com

------------------------------

Date: Wed, 5 May 2021 18:35:47 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Apple's new Airtags can be easily abused by stalkers (WashPost)

https://www.washingtonpost.com/technology/2021/05/05/apple-airtags-stalking/

------------------------------

Date: Wed, 12 May 2021 08:34:30 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Michigan GOP lawmaker floats bill to register, fine 'fact checkers'

Only if there's an equivalent fine for anyone who purposely promotes
misinformation, idiots!

https://www.detroitnews.com/story/news/politics/2021/05/11/michigan-gop-lawmaker-floats-bill-register-and-fine-fact-checkers/5043399001/

------------------------------

Date: Mon, 10 May 2021 16:32:59 +0300
From: Amos Shapir <amo...@gmail.com>
Subject: Re: A mom panicked when her 4-year-old bought $2,600 in SpongeBob
Popsicles (RISKS-32.65)

I'd love to find out how it was possible for a 4-year old boy to do that;
Unfortunately, *The Washington Post* site requires subscription.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.66
************************
