Risks Digest 33.92

RISKS-LIST: Risks-Forum Digest Saturday 4 November 2023 Volume 33 : Issue 92

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.92>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
2 Jets Collide at Houston Airport After One Took Off Without Permission
(NYTimes)
Apple Disables Maps Features in Israel and Gaza (Gizmodo)
California halts operations of Cruise self-driving robotaxis (NBC News)
Porsche is adding Google to its cars as VW's software problems worsen?
(The Verge)
Toyota has built an EV with a fake transmission, and we've driven it
(Ars Technica)
Overview of the iLeakage Attack (Jason Kim et al.)
The Internet Worm at 35 (Gene Spafford)
AI Firms Must Be Held Responsible for Harm They Cause, 'Godfathers' Say
(Dan Milmo)
President Biden Issues Executive Order on Safe, Secure, and
Trustworthy Artificial Intelligence (Whitehouse.gov)
Executive Order on AI (Alan Butler)
Humans Find AI-Generated Faces More Trustworthy Than the Real Thing
(Scientific American)
AI Muddies Israel-Hamas War in Unexpected Way (NYTimes)
AI generated allegations against Big Four consulting firms
(The Guardian)
AI voice clones mimic politicians and celebrities, reshaping reality
(WashPost)
AI has arrived in your doctor's office. Washington doesn't know what to do
about it. (Politico)
The AI-Generated Child Abuse Nightmare Is Here (WiReD)
Small outtakes from a big war (Amos Shapir)
Cybercriminal group claims responsibility for ransomware attack as
hospital CEO says recovery will take weeks (CBC)
Meta Accused by States of Using Features to Lure Children to
Instagram and Facebook (NYTimes)
IRA accounts drained of $36 million in cryptocurrency (CoinDesk)
A Year of Musk (a trifecta in *The NYTimes*)
Gannett takes down Reviewed articles after outcry from staff
(Angela Fu)
Reddit finally takes its API war where it belongs: to AI companies
(Ars Technica)
They Cracked the Code to a Locked USB Drive Worth $235
Million in Bitcoin. Then It Got Weird. (WiReD)
FCC robocall enforcement does little to stop illegal calls, Senate hears
(Ars Technica)
Pervasive North Korean programmers in U.S.? (Kim Zetter
via Paul Burke)
Amazon, Microsoft, and India crack down on tech support scams (The Verge)
U.S. House Republicans Had Their Phones Confiscated to Stop Leaks (WiReD)
Top Philips Executive Approved Sale of Defective Breathing
Machines by Distributors, Despite Tests Showing Health Risks (ProPublica)
How a Big Pharma Company Stalled a Potentially Lifesaving
Vaccine in Pursuit of Bigger Profits (ProPublica)
Education Department penalizes Missouri lender for error that
made 800,000 student loan borrowers delinquent (CNBC)
How a Lucrative Surgery Took Off Online and Disfigured Patients
(NYTimes)
Citrix Bleed: Leaking Session Tokens with CVE-2023-4966 (AssetNote)
YouTube fumbles NFL Sunday Ticket streaming (Ars Technica)
Google promises a rescue patch for Android 14's ransomware bug
(Ars Technica)
This Florida School District Banned Cellphones. Here's What Happened.
(NYTimes)
New Laws on Kids and Social Media Are Stymied by Industry Lawsuits
(NYTimes)
Tesla Wins Suit That Blamed Its Software for Deadly Crash
(NYTimes)
The Telegram app has been a key platform for Hamas. Now it's
being restricted there (NPR)
Gaza's 34-hour phone and Internet blackout, as told in voice memos
(NPR)
YouTube's NFL Sunday Ticket streams are failing today?
(The Verge)
Re: Zoom vulnerability (Victor Miller)
Re: The origin of hacking attempts (Lars-Henrik Eriksson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 27 Oct 2023 00:00:44 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: 2 Jets Collide at Houston Airport After One Took Off Without
Permission (NYTimes)

https://www.nytimes.com/2023/10/25/us/jets-collision-hobby-airport-houston.html

------------------------------

Date: Wed, 25 Oct 2023 09:18:49 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Apple Disables Maps Features in Israel and Gaza
(Gizmodo)

https://gizmodo.com/apple-disables-maps-features-in-israel-and-gaza-1850953585

------------------------------

Date: Tue, 24 Oct 2023 21:38:44 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: California halts operations of Cruise self-driving robotaxis
(NBC News)

The California DMV suspended the company's driverless permits, citing public
safety. Cruise may apply to reinstate them, but the DMV gave no timeline.

https://www.nbcnews.com/tech/tech-news/cruise-california-halts-operations-cruise-self-driving-robotaxis-rcna121964
https://www.washingtonpost.com/technology/2023/10/28/robotaxi-cruise-crash-driverless-car-san-francisco/

------------------------------

Date: Tue, 31 Oct 2023 09:05:13 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Porsche is adding Google to its cars as VW's software problems
worsen? (The Verge)

https://www.theverge.com/2023/10/30/23938741/porsche-google-built-in-vw-cariad-layoffs

------------------------------

Date: Tue, 31 Oct 2023 09:21:40 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Toyota has built an EV with a fake transmission, and
we've driven it (Ars Technica)

https://arstechnica.com/?p=1980015

------------------------------

Date: Wed, 25 Oct 2023 16:43:41 PDT
From: Victor Miller <victor...@gmail.com>
Subject: Overview of the iLeakage Attack (Jason Kim et al.)

https://ileakage.com/

Jason Kim (Georgia Tech)
Stephan van Schaik (U. Michigan)
Daniel Genkin (Georgia Tech)
Yuval Yarom (Ruhr University Bochum)

Overview of the iLeakage Attack.

We present iLeakage, a transient execution side channel targeting the Safari
web browser present on Macs, iPads and iPhones. iLeakage shows that the
Spectre attack is still relevant and exploitable, even after nearly 6 years
of effort to mitigate it since its discovery. We show how an attacker can
induce Safari to render an arbitrary webpage, subsequently recovering
sensitive information present within it using speculative execution. In
particular, we demonstrate how Safari allows a malicious webpage to recover
secrets from popular high-value targets, such as Gmail inbox content.
Finally, we demonstrate the recovery of passwords, in case these are
autofilled by credential managers.

Demo Videos.
Recovering Instagram Credentials
We show a scenario where the target uses an autofilling credential manager
(LastPass in this demo) to sign into Instagram with Safari on macOS.

------------------------------

Date: Thu, 2 Nov 2023 13:25:19 -0400
From: Gene Spafford <sp...@purdue.edu>
Subject: The Internet Worm at 35

Today is the 35th anniversary of the Internet Worm.

"Ancient history," you say? Or perhaps, "What's that?"

Read my blog post about it to get my perspective on why it is important:
https://www.cerias.purdue.edu/site/blog/post/reflecting_on_the_internet_worm_at_35/

[*Ancient history* is really becoming important in this age of forgetting
why some problems never go away. Buffer overflows were recognized and
resolved in the Multics hardware/OS in 1965. Some of the vulnerability
types Robert Morris exposed in 1988 are still problematic. Many of the
types of risks discussed in my 1995 book are still around. Bad
programming practices in flawed program languages still abound. Please
read Spaf's blog. Spam, ransomware, and so on, ad infinitum? (There is
always another one we forgot.) PGN]

------------------------------

Date: Wed, 25 Oct 2023 11:49:18 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: AI Firms Must Be Held Responsible for Harm They Cause,
'Godfathers' Say (Dan Milmo)

Dan Milmo, *The Guardian*, 25 Oct 2023. via ACM TechNews

A group of experts including "godfathers" of artificial intelligence
(AI) Geoffrey Hinton and Yoshua Bengio, both ACM Turing Award
recipients, said AI companies must be held accountable for the damage
their products cause, ahead of an AI safety summit in London. The
University of California, Berkeley's Stuart Russell, one of 23 experts
who composed AI policy proposals released Tuesday, called developing
increasingly powerful AI systems before understanding how to render
them safe "utterly reckless." The proposed policies include having
governments and companies commit 33% of their AI research and
development resources to safe and ethical AI use. Companies that
discover dangerous capabilities in their AI models also must adopt
specific safeguards.

<https://venturebeat.com/ai/ai-godfathers-bengio-and-hinton-major-tech-companies-should-devote-a-third-of-ai-budget-to-managing-ai-risk/>

------------------------------

Date: Mon, 30 Oct 2023 07:37:51 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: President Biden Issues Executive Order on Safe, Secure, and
Trustworthy Artificial Intelligence (Whitehouse.gov)

https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/30/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence/

------------------------------

Date: Tue, 31 Oct 2023 20:20:42 +0000
From: Alan Butler <al...@epic.org>
Subject: Executive Order on AI

In an op-ed for Bloomberg Law, EPIC's Executive Director Alan Butler argued
for the need for an overriding federal privacy law.

https://news.bloomberglaw.com/privacy-and-data-security/data-protection-leaders-differ-on-powers-of-new-us-privacy-law

------------------------------

Date: Tue, 15 Feb 2022 08:06:37 +0800
From: Richard Stein <rms...@ieee.org>
Subject: Humans Find AI-Generated Faces More Trustworthy
Than the Real Thing (Scientific American)

https://www.scientificamerican.com/article/humans-find-ai-generated-faces-more-trustworthy-than-the-real-thing/

"The startling realism has implications for malevolent uses of the
technology: its potential weaponization in disinformation campaigns for
political or other gain, the creation of false porn for blackmail, and any
number of intricate manipulations for novel forms of abuse and
fraud. Developing countermeasures to identify deepfakes has turned into an
'arms race' between security sleuths on one side and cybercriminals and
cyberwarfare operatives on the other."

Deepfaked content reaffirms human susceptibility to truth default
interpretation (https://en.wikipedia.org/wiki/Truth-default_theory). The
human psyche is easily and quickly hooked into believing a whole-cloth

------------------------------

Date: Mon, 30 Oct 2023 12:26:59 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: AI Muddies Israel-Hamas War in Unexpected Way (NYTimes)

Tiffany Hsu and Stuart A. Thompson, *The New York Times*, 28 Oct 2023,
via ACM TechNews, 30 Oct 2023

Disinformation researchers have found the use of artificial
intelligence (AI) to spread falsehoods in the Israel-Hamas war is
sowing doubt about the veracity of online content. The researchers
discovered people on social media platforms and forums accusing
political figures, media outlets, and others of attempts to influence
public opinion through deepfakes, even when the content is authentic.
Experts say bad actors are exploiting AI's availability to facilitate
the so-called liar's dividend by convincing people genuine content is
fake. Deepfake detection services like U.S.-based AI or Not also have
been used to label content as fake, and synthetic media specialist
Henry Ajder said such tools "provide a false solution to a much more
complex and difficult-to-solve problem."

------------------------------

Date: Fri, 3 Nov 2023 09:19:19 +1100
From: Paul Edwards <pa...@cathicolla.com>
Subject: AI generated allegations against Big Four consulting firms
(The Guardian)

https://www.theguardian.com/business/2023/nov/02/australian-academics-apologise-for-false-ai-generated-allegations-against-big-four-consultancy-firms?cid=b2c860be9e4d6b4f38703562bfe30681

For context, Australia has the concept of "parliamentary privilege" under
which members of Parliament (both federal and state) cannot be sued for
defamation or libel for statements made in Parliament. This privilege
extends to Parliamentary inquiries and Senate committees, whereupon anyone
(not just MPs) presenting evidence is covered by parliamentary privilege.

So we have AI-generated rubbish presented in a situation which doesn't
allow recourse for those impacted. I'm no fan of the Big Four, or the
behaviour of *some* of their partners, but the fact that some partners lost
their jobs over this is terrible.

------------------------------

Date: Tue, 31 Oct 2023 9:49:41 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: AI voice clones mimic politicians and celebrities, reshaping
reality (WashPost)

Pranshu Verma and Will Oremus, *The Washington Post*

Artificial intelligence voice-cloning software has rapidly increased in
quality. It's allowing anyone from foreign actors to music fans to copy
somebody's voice.

https://www.washingtonpost.com/technology/2023/10/13/ai-voice-cloning-deepfakes

------------------------------

Date: Fri, 27 Oct 2023 11:24:32 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Security Threats in AIs Revealed by Researchers
(U.of Sheffield)

University of Sheffield (UK), 24 Oct 2023, via ACM TechNews

Scientists at the U.K.'s University of Sheffield, the North China University
of Technology, and e-commerce giant Amazon found hackers can trick natural
language processing tools like OpenAI's ChatGPT into generating malicious
code for possible use in cyberattacks. The researchers discovered and
successfully exploited security flaws in six commercial artificial
intelligence (AI) tools, including ChatGPT, Chinese intelligent dialogue
platform Baidu-UNIT, structured query language (SQL) generators AI2SQL,
AIHelperBot, and Text2SQL, and online tool resource ToolSKE. They learned
that asking these AIs specific questions caused them to produce malicious
code that would leak confidential database information, or disrupt or even
destroy database operation. The team also found AI language models are
susceptible to simple backdoor attacks. Sheffield's Xutan Peng said the
vulnerabilities are rooted in the fact that "more and more people are using
[AIs like ChatGPT] as productivity tools, rather than a conversational bot."

[Yes, AIs *do* like ChatGPT. Natural stupidity does also. I'm not so
sure about the use of AIs as a plural to mean something like AI systems or
AI algorithms, or indeed artificial intelligences? PGN]

------------------------------

Date: Sat, 28 Oct 2023 06:54:12 -0700
From: Steve Bacher <seb...@verizon.net>
Subject: AI has arrived in your doctor's office.
Washington doesn't know what to do about it. (Politico)

AI is diagnosing diseases and recommending treatments, but the systems
aren't always regulated like drugs or medical devices.

https://www.politico.com/news/2023/10/28/ai-doctors-healthcare-regulation-00124051

Washington hasn't written the rules for the new artificial intelligence in
health care even though doctors are rapidly deploying it -- to interpret
tests, diagnose diseases and provide behavioral therapy.

Products that use AI are going to market without the kind of data the
government requires for new medical devices or medicines. The Biden
administration hasn't decided how to handle emerging tools like chatbots
that interact with patients and answer doctors' questions -- even though
some are already in use. And Congress is stalled. Senate Majority Leader
Chuck Schumer said this week that legislation was months away.

[stalled? more like deadlocked, especially when it comes to
artificial intelligence and natural stupidity? PGN]

Advocates for patient safety warn that until there’s better government
oversight, medical professionals could be using AI systems that steer them
astray by misdiagnosing diseases, relying on racially biased data or
violating their patients’ privacy.

------------------------------

Date: Wed, 25 Oct 2023 09:10:13 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: The AI-Generated Child Abuse Nightmare Is Here (WiReD)

https://www.wired.com/story/generative-ai-images-child-sexual-abuse/

[Watch out for the AI-Generated Child! PGN]

[Monty Solomon noted this item:
A Controversial Plan to Scan Private Messages for Child Abuse
Meets Fresh Scandal
https://www.wired.com/story/csar-chat-scan-proposal-european-commission-ads/
PGN]

------------------------------

Date: Sat, 4 Nov 2023 12:20:46 +0200
From: Amos Shapir <amo...@gmail.com>
Subject: Small outtakes from a big war (via Amos)

[These are just some impressions of war in the 21st century, from the POV
of a retired hi-tech man whose latest military experience was 30 years
ago. I'll try to keep it relevant to RISKS.]

Part 1: It's a Smartphone war

Forget walkie-talkies, forget battleground maps, communication lines,
Signaling Corps. The main way to communicate, by soldiers and civilians,
is Whatsapp. Soldiers get their marching orders on their phones, which
include maps, drone images of targets, real-time situation profiles.

Other applications are also employed: Whatsapp's "Share Location" feature
was essential during the first hours, and enabled soldiers to reach and
whisk out civilians who were caught in the fire lines, and also locate
terrorists. There is also an app which alerts people that their area is
under attack. Other applications help coordinate manpower and supplies.

A lot has been said about how terrorists had used low-tech means to
overcome hi-tech defenses (even since 9/11), but in organized operations,
high-tech warfare seems to be a lot more efficient.

Part 2: The Role of Women.

This may be relevant to RISKS because ever since the invention of the
typewriter, women in the military have been assigned the roles of operators
of high-tech machinery. As the military has become more advanced
technologically, more women are stationed at frontline HQ and CC units.

In this war, such units were attacked, and women had to fight along with
the men to defend their positions. They have proven to be every bit as
courageous and effective fighters.

A section of the front was defended by a tank company, which was meant to
be "experimental" and staffed entirely by women. They virtually saved the
entire southern sector of the front. I guess it can be concluded that the
experiment was successful.

Part 3: The Rockets' Red Glare

The Iron Dome defense system consists of long and short range radars, which
can detect incoming missiles and rockets, calculate where they might land,
operate air-raid sirens in the affected areas, and launch interceptor
missiles to shoot them down.

The system does not intercept missiles whose target area is uninhabited.
This saves on interceptor missiles, but can be scary for those living
nearby, who sometimes are given no warning that a missile is going to come
down and explode next door.

The accuracy of the system is on the scale of a small town or borough.
It's an unparalleled experience to have your afternoon coffee on your
porch, while watching a missile attack unfold over the next town: Air-raid
sirens, the rockets' red glare, interceptors launched, and a few very loud
bangs when they explode in mid-air.

------------------------------

Date: Fri, 3 Nov 2023 07:18:00 -0600
From: Matthew Kruk <mkr...@gmail.com>
Subject: Cybercriminal group claims responsibility for ransomware attack as
hospital CEO says recovery will take weeks (CBC)

https://www.cbc.ca/news/canada/windsor/windsor-hospital-ransomware-attack-cybercriminal-group-1.7017176

Twelve days into a ransomware attack that has upended health-care services
at five hospitals in southwestern Ontario, a cybercriminal group claimed
responsibility in an online blog describing how the attack happened and
what it says are the millions of private patient records it has stolen.

In a report to Windsor Regional Hospital Thursday, CEO David Musyj said the
hospital is slowly getting back on track, working hard to restore services.
He noted that although the impacted hospitals "closely examined" the ransom
demand from the cybercriminals, they decided against paying it.

------------------------------

Date: Tue, 24 Oct 2023 22:00:07 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Meta Accused by States of Using Features to Lure Children to
Instagram and Facebook (NYTimes)

https://www.nytimes.com/2023/10/24/technology/states-lawsuit-children-instagram-facebook.html

------------------------------

Date: Tue, 15 Feb 2022 10:27:49 -0500
From: George Mannes <gma...@gmail.com>
Subject: IRA accounts drained of $36 million in cryptocurrency
(CoinDesk)

https://www.coindesk.com/business/2022/02/14/drained-crypto-accounts-at-ira-financial-leave-victims-searching-for-answers/

Danny Nelson
Drained Crypto Accounts at IRA Financial Leave Victims Searching for Answers

They joined IRA Financial Trust eager to build a nest egg in crypto.
Instead, some users told CoinDesk their retirement accounts were drained,
frozen and locked -- with little explanation of what happens next.

It's been nearly one week since an apparent security breach threw IRA
Financial's clients into crisis mode. With $36 million of their retirement
savings in limbo and no full explanation from either IRA Financial or Gemini
-- the crypto exchange owned by the Winklevoss twins, Cameron and Tyler, and
custodian where their crypto was held -- they've begun organizing a response
to crypto's latest hack.....

....The incident is one of the first high-profile exploits to hit crypto
retirement accounts in the U.S. Appealing to tax-savvy bitcoiners, this
cottage industry has for the past few years hawked products in partnership
with top crypto brands. [...]

------------------------------

Date: Sat, 28 Oct 2023 10:34:10 PDT
From: "Peter G. Neumann" <neu...@csl.sri.com>
Subject: A Year of Musk (a trifecta in *The NYTimes*)

*The New York Times*, 28 October 2023, Business section
front page in the National Edition

From Twitter's town square to a spammy, shrinking X:
Since the billionaire bought Twitter and rebranded it
as X, disinformation and hateful speech have surged,
among several other effects.

1. Kate Conger, Meaning of App Changed for Users (Audience)

2. Steven Lee Myers, Stuart A. Thompson, and Tiffany Hsu,
Swirl of Vitriol and False Posts (Misinformation)

3. Jesus Jiménez, Sports Fans See No Reason to Go
(Power of the Feed)

[Too much to summarize here. However, the titles tell it all? PGN]

------------------------------

Date: Wed, 25 Oct 2023 08:35:34 -0700
From: Steve Bacher <seb...@verizon.net>
Subject: Gannett takes down Reviewed articles after outcry from staff
(Angela Fu)

The Poynter Report
https://mailchi.mp/poynter/lb6mw105q6?e=8084435636

Reviewed, Gannett's product reviews site, took down several affiliate
marketing articles that some of its journalists claimed were generated by
artificial intelligence.

The articles in question first went up on Friday and included reviews of
products that Reviewed does not typically cover, like dietary supplements,
according to the Reviewed Union, which represents journalists and lab and
operations workers at the outlet. The posts, which were part of a new
shopping page <https://reviewed.usatoday.com/shopping>, did not have
bylines, and union members decried the work as an attempt to replace their
labor. By Tuesday morning, the page was gone. Reviewed then republished the
stories in the afternoon with a disclaimer that they had not been
written by staff before taking the page down again.

As of Tuesday evening, the shopping page was still down, though links to
individual stories still worked:
<https://reviewed.usatoday.com/shopping/similar/Greens-Steel/vacuum-tumbler>
<https://reviewed.usatoday.com/shopping/similar/National-Geographic-Snorkeler/Scuba-Mask>
<https://reviewed.usatoday.com/shopping/similar/nbpure/Best-Liver-Supplements>

The articles were created by third-party freelancers hired by a marketing
agency partner, not AI, Reviewed spokesperson Lark-Marie Anton wrote in an
emailed statement: ``The pages were deployed without the accurate affiliate
disclaimers and did not meet our editorial standards.''

Reviewed follows USA Today's ethical guidelines
<https://cm.usatoday.com/ethical-conduct/> regarding AI-generated content,
Anton added. Those guidelines stipulate that journalists disclose the use of
AI and its limitations when publishing AI-assisted content.

------------------------------

Date: Wed, 25 Oct 2023 09:39:07 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Reddit finally takes its API war where it belongs: to AI companies
(Ars Technica)

https://arstechnica.com/gadgets/2023/10/reddit-may-block-search-if-it-cant-reach-an-ai-deal-with-google-microsoft/

------------------------------

Date: Wed, 25 Oct 2023 09:15:04 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: They Cracked the Code to a Locked USB Drive Worth $235
Million in Bitcoin. Then It Got Weird. (WiReD)

https://www.wired.com/story/unciphered-ironkey-password-cracking-bitcoin/

------------------------------

Date: Wed, 25 Oct 2023 09:34:32 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: FCC robocall enforcement does little to stop illegal calls,
Senate hears

https://arstechnica.com/?p=1978233

------------------------------

Date: Mon, 30 Oct 2023 1o7:58:54 -0700
From: Paul Burke <box...@gmail.com>
Subject: Pervasive North Korean programmers in U.S.?

Any company that hired freelance IT workers over the last few years more
than likely hired someone from North Korea, pretending to be an American.
https://www.zetter-zeroday.com/p/how-north-korean-workers-tricked

- "In some instances, the North Korean workers also infiltrated computer
networks and stole information from the companies that hired them, the
Justice Department said. They also maintained access for future hacking
and extortion schemes...

- "program has been in play for more than a decade, but the effort got a
boost from the COVID-19 pandemic."

https://apnews.com/article/north-korea-weapons-program-it-workers-f3df7c120522b0581db5c0b9682ebc9b

FBI guidance: https://www.ic3.gov/Media/Y2023/PSA231018

- Neither article says if anyone is combing the work of these programmers
for backdoors they left in their code, or if anyone has notified the
target companies. The FBI closed 17 websites, but only one has been
reported: edenprogram.com

https://www.stltoday.com/news/local/crime-courts/thousands-of-it-workers-secretly-funded-north-korea-missile-program-st-louis-fbi-says/article_e484b9c4-6df1-11ee-b757-4b313a0abdd2.html

------------------------------

Date: Thu, 26 Oct 2023 08:45:26 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Amazon, Microsoft, and India crack down on tech support scams
(The Verge)

Call-center operators use pop-ups, malware, and cold calls to get people to
pay for PC fixes they don't really need.

https://www.theverge.com/2023/10/19/23924294/amazon-microsoft-india-cbi-crackdown-technology-support-fraud

------------------------------

Date: Fri, 27 Oct 2023 21:19:11 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: U.S. House Republicans Had Their Phones Confiscated to
Stop Leaks (WiReD)

https://www.wired.com/story/us-house-phones-confiscated/

------------------------------

Date: Sun, 29 Oct 2023 11:40:02 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Top Philips Executive Approved Sale of Defective Breathing
Machines by Distributors, Despite Tests Showing Health Risks (ProPublica)

Philips argued in court that its U.S. subsidiary should be responsible for
damages caused by its CPAP machines and ventilators. Patients' attorneys say
safety decisions were made at the Dutch company's highest levels.

https://www.propublica.org/article/philips-executive-defective-breathing-machines

------------------------------

Date: Sun, 29 Oct 2023 11:43:58 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: How a Big Pharma Company Stalled a Potentially Lifesaving
Vaccine in Pursuit of Bigger Profits (ProPublica)

A vaccine against tuberculosis, the world's deadliest infectious disease,
has never been closer to reality, with the potential to save millions of
lives. But its development slowed after its corporate owner focused on more
profitable vaccines.

https://www.propublica.org/article/how-big-pharma-company-stalled-tuberculosis-vaccine-to-pursue-bigger-profits

------------------------------

Date: Mon, 30 Oct 2023 09:12:08 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Education Department penalizes Missouri lender for error that
made 800,000 student loan borrowers delinquent

The Education Department announced on Monday it would penalize the student
loan servicer MOHELA for its failure to send timely billing statements to
2.5 million borrowers.

https://www.cnbc.com/2023/10/30/education-dept-penalizes-student-loan-servicer-mohela-for-errors.html

------------------------------

Date: Mon, 30 Oct 2023 10:19:29 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: How a Lucrative Surgery Took Off Online and Disfigured Patients
(NYTimes)

More surgeons are opting for a complicated hernia repair that they learned from videos on social media showing shoddy techniques.

https://www.nytimes.com/2023/10/30/health/hernia-surgery-component-separation.html

The Patent Fight That Could Take Apple Watches Off the Market
https://www.nytimes.com/2023/10/30/opinion/apple-watch-masimo.html

------------------------------

Date: Tue, 31 Oct 2023 09:24:17 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Citrix Bleed: Leaking Session Tokens with CVE-2023-4966
(AssetNote)

https://www.assetnote.io/resources/research/citrix-bleed-leaking-session-tokens-with-cve-2023-4966

------------------------------

Date: Tue, 31 Oct 2023 09:25:23 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: YouTube fumbles NFL Sunday Ticket streaming
(Ars Technica)

https://arstechnica.com/?p=1979736

------------------------------

Date: Tue, 31 Oct 2023 09:26:01 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Google promises a rescue patch for Android 14's
ransomware bug (Ars Technica)


https://arstechnica.com/?p=1979603

------------------------------

Date: Tue, 31 Oct 2023 16:32:18 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: This Florida School District Banned Cellphones.
Here's What Happened.

Schools in Orlando took a tougher approach than a new state law
required. Student engagement increased. So did the hunt for contraband
phones.

https://www.nytimes.com/2023/10/31/technology/florida-school-cellphone-tiktok-ban.html

------------------------------

Date: Tue, 31 Oct 2023 16:35:34 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: New Laws on Kids and Social Media Are Stymied by Industry Lawsuits
(NYTimes)

Federal judges in three states have blocked children's privacy and parental
oversight laws, saying they very likely violate free speech rights.

https://www.nytimes.com/2023/10/12/technology/tech-children-kids-laws.html

------------------------------

Date: Tue, 31 Oct 2023 16:36:31 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Tesla Wins Suit That Blamed Its Software for Deadly Crash

The decision by a California jury is the first involving a fatal accident that lawyers representing the victims said was the fault of Tesla’s self-driving technology.

https://www.nytimes.com/2023/10/31/business/tesla-autopilot-jury-decision.html

------------------------------

Date: Tue, 31 Oct 2023 21:03:41 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: The Telegram app has been a key platform for Hamas. Now it's
being restricted there (NPR)

https://www.npr.org/2023/10/31/1208800238/the-telegram-app-has-been-a-key-platform-for-hamas-now-its-being-restricted-there

------------------------------

Date: Tue, 31 Oct 2023 21:06:17 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Gaza's 34-hour phone and Internet blackout, as told in voice memos
(NPR)

https://www.npr.org/2023/10/31/1209549210/gaza-blackout-mobile-internet-israel-war

------------------------------

Date: Tue, 31 Oct 2023 09:18:14 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: YouTube's NFL Sunday Ticket streams are failing today?
(The Verge)

https://www.theverge.com/2023/10/29/23937429/nfl-sunday-ticket-youtube-tv-buffering-glitch

------------------------------

Date: Fri, 27 Oct 2023 04:10:48 -0700
From: Victor Miller <victor...@gmail.com>
Subject: Re: Zoom vulnerability (RISKS-33.91)

https://x.com/saxenatamu/status/1717735142456803701?s=46&t=R7LtOuHvFiytvcCgjQS4t

------------------------------

Date: Tue, 24 Oct 2023 13:23:12 +0200
From: Lars-Henrik Eriksson <l...@it.uu.se>
Subject: Re: The origin of hacking attempts (RISKS-33.91)

The location of the attacking computer doesn't say much (or anything) about
where the hackers themselves are actually located. They could be using cloud
services or botnets with computers located in other countries than their own.

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.92
************************
