Risks Digest 33.15

Skip to first unread message

RISKS List Owner

Apr 18, 2022, 6:41:04 PMApr 18
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Monday 18 April 2022 Volume 33 : Issue 15

Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
The current issue can also be found at

Contents: [Propaganda-ish items from multiple viewpoints rejected.]
SoCal man says car computer on his new Tesla froze, causing vehicle to be
stuck at 83 mph on freeway (ABC7)
Driverless Cars Can Be Tricked into Seeing Red Traffic Lights as Green
(New Scientist)
Risks of locust swarms (PGN)
FBI removing malware surreptitiously (The Conversation)
What Can Hackers Do With Stolen Source Code? (WiReD)
U.S. officials preparing for potential Russian cyberattacks (CBSNews)
Feds Uncover a Swiss Army Knife for Hacking Industrial Control Systems
Google Bans Apps With Hidden Data-Harvesting Software (WSJ)
Inside the Bitcoin Bust That Took Down the Web's Biggest Child Abuse Site
The Uncanny Future of Romance With Robots Is Already Here (Yahoo!)
In Race to Build Quantum Computing Hardware, Silicon Begins to Shine
You agreed to what? Tax sites want your data for more than filing (WashPost)
Those robot dogs got their first real job -- guarding Pompeii (NPR+PGN)
Squirrely maintenance (PGN)
Re: Spreadsheets are hot (Henry Baker)
Re: Squirrels and rats attacking AT&T fiber (Charles Cazabon)
History of Internet Security and AI for Cybersecurity 20 Apr 2022 (DrM)
Abridged info on RISKS (comp.risks)


Date: Fri, 15 Apr 2022 15:16:16 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: SoCal man says car computer on his new Tesla froze, causing vehicle
to be stuck at 83 mph on freeway (ABC7)

The owner of a new Tesla Model 3 was left in shock after the car's main
features allegedly froze while he was driving on the freeway.

Javier Rodriguez of Irvine spoke with Eyewitness News on Tuesday and said it
happened last Thursday while he was heading westbound on the 10 Freeway
through Cabazon.

He said the car was stuck going 83 mph and the main screen was frozen.

He said all of the buttons and switches - including turn signals and hazard
lights - were not working.

"I noticed that it started to get hot in the car and there started to be a
weird scent coming," recalled Rodriguez. "I was nervous that if I were to
brake a whole lot that I wouldn't be able to gain the speed again to keep up
with traffic and get around cars. I was nervous somebody was going to slam
into me."

Even though the accelerator wasn't responding, fortunately Rodriguez said
the brakes did work, but said that didn't make him any more comfortable when
he was trying to stop. He was able to make it off the road, and a few
minutes later, the car rebooted. That's when everything seemed normal.

An officer with the California Highway Patrol helped Rodriguez get off the
freeway, where he eventually had the car towed. He said Tesla later told
him they fixed the vehicle, but all they would say about what happened was
what he said they wrote in the report.

"Diagnosed and found poor communication from charge port door causing power
conversion system to shut off in order to protect on board components
during drive," Rodriguez recalled. [...]



Date: Mon, 18 Apr 2022 11:43:11 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Driverless Cars Can Be Tricked into Seeing Red Traffic Lights
as Green (New Scientist)

Matthew Sparkes, *New Scientist*, 16 Apr 2022
via ACM TechNews; Monday, April 18, 2022

Researchers at China's Zhejiang University found driverless cars could be
fooled into seeing red traffic lights as green. The scientists directed a
laser at the sensors of five camera models used by self-driving vehicles,
with two open-source software packages reading the captured images. Lasers
of a 650-nanometer and a 520-nanometer wavelength rendered the entire image
red or green, respectively, while flickering the laser at high frequencies
only induced this coloration in certain image segments. Adding a horizontal
bar of green or red caused both software packages to incorrectly sense the
traffic lights as green 30% of the time and red 86% of the time, on average,
across the cameras.



Date: Sun, 17 Apr 2022 10:12:19 PDT
From: Peter G Neumann <neu...@csl.sri.com>
Subject: Risks of locust swarms

Vast swarms of locusts have decimated crops and grasslands across southern
Namibia in recent weeks and contributed to a deadly traffic accident. A
minibus driver lost control on a slippery stretch of highway where the
ravenous pests were keeping warm on the pavement at night. Three of the 17
passengers died, with several more sustaining injuries. Officials say the
slime from locusts crushed by traffic caused the accident.

Please add just one more corner case in your automated-vehicle threat model.

San Francisco Chronicle, Sunday 17 Apr 2022, Earthweek: a diary of the
planet, which this week includes climate change, a new strain of avian
flu, record droughts in Chile, second year of record-breaking methane
surge, +117F in Senegal, -102F in Vostok, Antarctica, volcano eruption in
Costa Rica with zero warning,


Date: Tue, 12 Apr 2022 19:23:50 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: FBI removing malware surreptitiously (The Conversation)




Date: Thu, 14 Apr 2022 12:21:40 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: What Can Hackers Do With Stolen Source Code? (WiReD)

Lapsus$ hackers leaked Microsoft's Bing and Cortana source code. How bad is
that, really?

The Lapsus$ digital extortion group is the latest to mount a high-profile
data-stealing rampage against major tech companies. And among other things,
the group is known for grabbing and leaking source code at every
opportunity, including from Samsung, Qualcomm, and Nvidia. At the end of
March, alongside revelations that they had breached an Okta subprocessor,
the hackers also dropped a trove of data containing portions of the source
code for Microsoft's Bing, Bing Maps, and its Cortana virtual
assistant. Sounds bad, right?

Businesses, governments, and other institutions have been plagued by
ransomware attacks, business email compromise, and an array other breaches
in recent years. Researchers say, though, that while source code leaks may
seem catastrophic, and certainly aren't good, they typically aren't the
worst-case scenario of a criminal data breach.

``Some source code does represent trade secrets, some parts of source code
may make it easier for people to abuse systems, but accounts and user data
are typically the biggest things companies have to protect'' says Shane
Huntley, director of Google's Threat Analysis Group. ``For a vulnerability
hunter, it makes certain things easier, allowing them to skip a lot of
steps. But it's not magic. Just because someone can see the source code
doesn't mean they'll be able to exploit it right then.''

In other words, when attackers gain access to source code—and especially
when they leak it for all to see, a company's intellectual property could be
exposed in the process, and attackers may be able to spot vulnerabilities in
their systems more quickly. But source code alone isn't a road map to find
exploitable bugs. Attackers can't take over Cortana from Microsoft or access
users' accounts simply because they have some of the source code for the
platform. In fact, as open source software shows, it's possible for source
code to be publicly available without making the software it underpins less


Best comment somewhere was that news of Bing source compromised resulted in
4x increase in searches, "What is Bing?".


Date: Mon, 18 Apr 2022 11:24:01 -0700
From: "Peter G. Neumann" <Neu...@csl.sri.com>
Subject: U.S. officials preparing for potential Russian cyberattacks

This 60 Minutes episode on Russian cyberattacks might be of interest.

[I found it quite thorough and convincing, as far as it went. PGN]


Date: Thu, 14 Apr 2022 15:42:37 -0600
From: Jim Reisert AD1C <jjre...@alum.mit.edu>
Subject: Feds Uncover a Swiss Army Knife for Hacking Industrial Control
Systems (WiReD)

Andy Greenberg, WiReD, 13 Apr 2022

On Wednesday, the Department of Energy, the Cybersecurity and
Infrastructure Security Agency, the NSA, and the FBI jointly released an
advisory about a new hacker toolset potentially capable of meddling with a
wide range of industrial control system equipment. More than any previous
industrial control system hacking toolkit, the malware contains an array
of components designed to disrupt or take control of the functioning of
devices, including programmable logic controllers (PLCs) that are sold by
Schneider Electric and OMRON and are designed to serve as the interface
between traditional computers and the actuators and sensors in industrial
environments. Another component of the malware is designed to target Open
Platform Communications Unified Architecture (OPC UA) servers -- the
computers that communicate with those controllers.

"This is the most expansive industrial control system attack tool that
anyone has ever documented," says Sergio Caltagirone, the vice president
of threat intelligence at industrial-focused cybersecurity firm Dragos,
which contributed research to the advisory and published its own report
about the malware. Researchers at Mandiant, Palo Alto Networks, Microsoft,
and Schneider Electric also contributed to the advisory. “It’s like a
Swiss Army knife with a huge number of pieces to it."

[The same item also noted by Gabe Goldberg as Pipedream Malware (with the
rest of the above subject line. PGN]


Date: Wed, 13 Apr 2022 12:07:26 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Google Bans Apps With Hidden Data-Harvesting Software (WSJ)

Byron Tau and Robert McMillan, *The Wall Street Journal*, 6 Apr 2022,
via ACM TechNews, Wednesday, April 13, 2022

Google has pulled dozens of applications from its Google Play store amid
researchers' findings that they contain software that secretly harvests
data. Serge Egelman at the University of California, Berkeley and Joel
Reardon of Canada's University of Calgary found links between the code's
developer, Panama-based Measurement Systems, and a Virginia defense
contractor that conducts cyberintelligence and other work for U.S. national
security agencies. They learned the code ran on millions of Android devices
and could be found within a number of consumer apps. The researchers said
Measurement Systems had paid developers to embed its data-harvesting
software development kit into their apps, which "continues to underscore the
importance of not accepting candy from strangers," according to Egelman.



Date: Sat, 16 Apr 2022 23:37:08 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Inside the Bitcoin Bust That Took Down the Web's Biggest Child
Abuse Site (WiReD)

They thought their payments were untraceable. They couldn't have been more
wrong. The untold story of the case that shredded the myth of Bitcoin's



Date: Sun, 17 Apr 2022 12:17:17 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: The Uncanny Future of Romance With Robots Is Already Here (Yahoo!)

In the late 2000s, a lifestyle reporter in Moscow named Eugenia Kuyda, then
in her early twenties, decided to produce a cover story on Roman Mazurenko,
the person at the center of Moscow's creative hipster scene at the time.
Right from the start, Eugenia and Roman both felt they had a profound
connection, and soon became close friends.

A few years later, Kuyda moved to San Francisco to start a chatbot-based
virtual assistant company. Shortly after, Mazurenko also moved and began
his American life. They kept in touch continuously and exchanged endless
text messages. But in late 2015 Mazurenko, then 34, was hit and killed by a
car while crossing a street during a short visit in Moscow.

Grieving Mazurenko, Kuyda read their messages over and over again. At some
point, she realized that these messages had the potential to be more than
just a memory. She took all the data she had and, with her team and using
Google-based neural networks, built a chatbot version of Mazurenko. The
result was surprisingly human-like. She could text with the chatbot on past
and future events, and digital Mazurenko came to life and felt real.
Digital Mazurenko was sad when she told him how much she missed him and
joyful when she shared with him her recent achievements at her company.

Kuyda and her team took this concept further and made a version that anyone
could use. They named it Replika and users loved it instantly. Looking back
at Replika’s success, Kuyda recounted, ``People started sending us emails
asking us to build a bot for them.''

Some people wanted to build a replica of themselves, and some wanted to
build a bot for a person that they loved but was gone. These positive
reactions encouraged Kuyda and her team to go further—to create fictitious
characters that accompany people around the world. Replika is now a
companion chatbot app available on almost any operating system with the
slogan: ``Always here to listen and talk. Always on your side.'' Millions
have downloaded the app, and it boasts hundreds of thousands of reviews,
most highly positive. [...]



Date: Wed, 13 Apr 2022 12:07:26 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: In Race to Build Quantum Computing Hardware, Silicon Begins
to Shine (Princeton)

Tom Garlinghouse, Princeton University Department of Physics, 6 Apr 2022

Princeton University researchers achieved more than 99.8% fidelity using a
two-qubit quantum device made from silicon. The researchers used a double
quantum dot silicon device to capture and force two electrons to interact;
the entangling operation achieved the highest fidelity achieved so far for a
two-qubit gate in a semiconductor. Princeton's Jason Petta said, "This is
the first demonstration of a semiconductor spin qubit system where we have
integrated performance of the entire system--the state preparation, the
readout, the single qubit control, the two-qubit control--all with
performance metrics that exceed the threshold you need to make a
larger-scale system work."


Date: Wed, 13 Apr 2022 09:07:16 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: You agreed to what? Tax sites want your data for more than filing

We investigate why Turbo Tax and H&R Block ask you to give up your return's
basic federal privacy protections -- and explain how to demand your data



Date: Sun, 17 Apr 2022 11:11:39 +0800
From: Richard Stein <rms...@ieee.org>
Subject: Those robot dogs got their first real job -- guarding Pompeii


The robot doggie-breath patrol deters antiquities theft. No word if they are
equipped with BD Entelodont jaw option.

[Perhaps they are controlled by a real live but very well-trained
Pompadour-styled Pomperanian in Pompeii? It might save Pompeii-ments for
enlisting real dogs, but along the lines of Cave Canem, it also would
avoid the canopy (cano-pee?) to cover up the mess of non-robo dogs. On
the other hand, a new volcanic eruption might turn everything into the
hardness of Pompegranite. {Please pardon my Pomp-ousness; without Pomp
and Circumstance, the Pompandemic must be getting to me.} PGN]


Date: Tue, 12 Apr 2022 19:15:03 PDT
From: "Peter G, Neumann" <neu...@csl.sri.com>
Subject: Squirrely maintenance

One of my neighbors who has recently experienced long AT&T home Internet
outages reports that the maintenance folks cannot see the big picture of how
the entire neighborhood is offline, as their diagnostic screens show only
the house that is being remediated, with a different truck each day --
apparently with no carryover from one customer to another or oone day to the

``He told me he didn't even have a way to be aware of it, and he couldn't
look it up anywhere. He said he could see only the call for my particular
house and didn't have access to a bigger picture anywhere. The supervisor
who came out said the same. In fact, they both said they had never heard
of a squirrel problem. Go figure.''

[At least five AT&T trucks in the neighborhood again. PGN]


Date: Wed, 13 Apr 2022 00:15:39 +0000
From: Henry Baker <hba...@pipeline.com>
Subject: Re: Spreadsheets are hot (Levine, RISKS-33.14)

What's Going On Under the (Spread) Sheets
Re: 'We also found that people Did Not Care'

In the daze before IEEE-754 Floating Point Arithmetic[1], the 'same' program
run on computers from different vendors would often produce different
results -- sometimes *very* different results.

Since this was embarrassing -- perhaps the original "Replication Crisis"[2]
? -- IEEE-754 standard arithmetic caught on extremely quickly.

Now -- thanks to standardization -- everyone gets the same erroneous
answers! :-)

[1] https://en.wikipedia.org/wiki/IEEE_754

[2] https://en.wikipedia.org/wiki/Replication_crisis


Date: Tue, 12 Apr 2022 17:28:14 -0600
From: Charles Cazabon <charlesc-r...@pyropus.ca>
Subject: Re: Squirrels and rats attacking AT&T fiber (Jha, RISKS-33.14)

> It appears Honda thinks chili-flavored wire might work, though there is a
> concern that habituation would decrease long-term effectiveness:

Honda may be assuming too much from a study on a few lab rats. Different
species react to capsaicin very differently, as I found inadvertently.

I've had pet rabbits for many years. Once, when we were fostering a litter
of young (~3 week old) abandoned bunnies, they jumped onto a kitchen table
(they're like deer; you need a *really* tall fence to keep them out...) and
ate a paper bag full of Thai Dragon peppers I was drying. It was my entire
harvest for the year -- several dozen peppers, stems, seeds, and all. Also
the paper bag, most of a pillar candle, half a bunch of bananas, with skins,
and part of a lead candle holder.

They weren't phased in the slightest by the capsaicin, though the peppers
were far too hot for me in any quantity.

I don't know how squirrels or other wire-destroying animals might handle
capsaicin, but if I were a company looking at solutions, I would make sure I
had a study of the particular animals of interest, and not try to generalize
from a lab-rat study.


Date: Wed, 13 Apr 2022 08:42:16 -0400
From: Rebecca Mercuri <not...@mindspring.com>
Subject: History of Internet Security and AI for Cybersecurity 20 Apr 2022
(Hybrid ACM Baltimore Chapter Seminar)

> From: Ashutosh Dutta, Ph.D., Chair ACM Baltimore Chapter
> <ashutos...@ieee.org>


ACM Baltimore Chapter 2nd Seminar (In-Person and Online)
Wednesday, April 20, 2022, 5:00 PM -- 8:00 PM EST [Heavily PGN-ed]

Agenda: (Talks will be Streamed Live/All Times are US Eastern Time)

5:50 PM -- 6:40 PM EST Invited Talk: “35 Years of Protecting the
Internet, a historical retrospective (Prof. Steven M. Bellovin,
Columbia University)
6:50 PM -- 7:40 PM EST Invited Talk: AI for Cybersecurity (Dr. Anupam
Joshi, University of Maryland Baltimore County (UMBC))
7:40 PM -- 8:00 PM EST Future Events and Vote of Thank

FREE Zoom link:
Tiny URL: bit.ly/ACM-Baltimore-20April

[TINY? You must be kidding. I deleted the full-length one, which was
almost twice as long. PGN]

ID: 160 781 8310 Password: 468284

Johns Hopkins University Applied Physics Lab, USA (Online and in-person)


Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:


End of RISKS-FORUM Digest 33.15

Reply all
Reply to author
0 new messages