Risks Digest 33.19

RISKS-LIST: Risks-Forum Digest Saturday 7 May 2022 Volume 33 : Issue 19

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.19>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Japan Says It Needs Nuclear Power. Can Host Towns Ever Trust It Again?
(NYTimes)
AI goes to war in Ukraine (Fortune)
The Information War in Ukraine is Far from Over (NYTimes)
Russia struggles under unprecedented wave of hacking (WashPost)
Microsoft Finds Linux Desktop Flaw That Gives Root to Untrusted Users
(Dan Goodin)
Google Docs crashed when fed 'And. And. And. And. And (The Register)
Ordinary Copper Telephone Wire Could Carry Gigabit Broadband Speeds
(Matthew Sparkes)
The Weapon that Mistook a School Bus for an Ostrich (Science Diplomacy
via Diego Latella)
Smart Office Buildings Are Vulnerable to Hacks (Konrad Putzier)
Every ISP in the US Must Block These 3 Pirate Streaming Services (WiReD)
Problems with Elon Musk's Plan to Open-Source the Twitter Algorithm
(MIT Tech Review)
Elon Musk wants to 'authenticate all real humans' on Twitter.
Here's what that could mean (CNN)
Why is the U.S. still probing foreign visitors' social media accounts?
(WashPost)
Is your social network accurately reporting where you are? (Reddit)
Can computers write product reviews with a human touch? (Techxplore.com)
DeFi ponzinomics, Grayscale ETF comments, Binance and Russia, El Salvador
-- Attack of the 50-Foot Blockchain (Sam Bankman-Fried)
The Tale of a Crypto Executive Who Wasn't Who He Said He Was (NYTimes)
What Is Happening to the People Falling for Crypto and NFTs (NYTimes)
Wikimedia Foundation announces it will no longer accept cryptocurrency
donations (Lauren Weinstein)
Re: Bitcoin Is Unlikely to Go Green (Andrew Waugh, John Beattie)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 5 May 2022 15:44:48 -0400
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: Japan Says It Needs Nuclear Power. Can Host Towns Ever Trust It
Again? (NYTimes)

The Ukraine war has shown the fragility of Japan's energy supplies. But
the decision to restart plants after the Fukushima disaster is fraught
with emotions and political calculation.

https://www.nytimes.com/2022/05/04/world/asia/japan-nuclear-power.html

The risk? No perfect solutions.

------------------------------

Date: Fri, 6 May 2022 16:18:03 -0400
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: AI goes to war in Ukraine (Fortune)

War is terrible. But it has often played a pivotal role in advancing
technology. And Russia's invasion of Ukraine is shaping up to be a key
proving ground for artificial intelligence, for ill and, perhaps in a few
instances, for good, too.

Civil society groups and AI researchers have been increasingly alarmed in
recent years about the advent of lethal autonomous weapons systems --
AI-enabled weapons with the ability to select targets and kill people
without human oversight. This has led to a concerted effort at the United
Nations to try to ban or at least restrict the use of such systems. But
those talks have so far not resulted in much progress.

https://fortune.com/2022/03/01/russia-ukraine-invasion-war-a-i-artificial-intelligence/

------------------------------

Date: Fri, 6 May 2022 12:06:04 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: The Information War in Ukraine is Far from Over (NYTimes)

Serge Schmemann, *The New York Times*, lead op-ed, 6 May 2022

If the first casualty of war is truth, then the corollary in Ukraine is that
information is the first battlefield.

On the battlefield, lies are ammunition in Putin's struggle to stay in
power.

[Pithy article. I first mistyped it as *babblefield*. That somehow seems
appropriate. PGN]

------------------------------

Date: Sun, 1 May 2022 17:27:34 +0000
From: The Washington Post <em...@washingtonpost.com>
Subject: Russia struggles under unprecedented wave of hacking (WashPost)

... puncturing the myth of Moscow's unassailable cyber-superiority

[Thanks to Richard Thieme. PGN]

Prolific Russian ransomware groups had pledged to step up attacks on
American infrastructure if Russian technology was hobbled in retribution for
the invasion of Ukraine. But in the third month of the war, Russia, not the
United States, is dealing with a cyber-assault involving government
activity, political voluntarism and criminal action.

<https://s2.washingtonpost.com/36b9790/>

------------------------------

Date: Fri, 29 Apr 2022 12:26:34 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Microsoft Finds Linux Desktop Flaw That Gives Root to Untrusted
Users (Dan Goodin)

Dan Goodin, *Ars Technica*, 26 Apr 2022, via ACM TechNews; 29 Apr 2022

Microsoft discovered an elevation of privileges flaw in Linux incorporating
two vulnerabilities that can grant root system rights to untrusted
users. The Nimbuspwn exploit, which Microsoft calls "the EoP threat,"
resides in the networkd-dispatcher, a component in many Linux distributions
that dispatches network status changes and can process various scripts to
respond to a new status. Networkd-dispatcher runs as root when a desktop
boots up, and the flaws blend threats including directory traversal, symlink
race, and time-of-check time-of-use race condition, permitting hackers with
minimal access to a desktop to link exploits for these vulnerabilities and
gain full root access. The flaw has been patched, and users of vulnerable
versions of Linux are advised to implement the patch as soon as possible.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e86bx23379bx073897&
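
As an added illustration of the three bug classes named in this item (directory traversal, symlink following and a check-then-use race in a privileged script dispatcher), the following Python is not code from Microsoft, networkd-dispatcher or the article; it contrasts a path-string check-then-use loader with one that validates the hook name, refuses symlinks and inspects the opened descriptor. The hook directory layout, the state names and all function names are constructed for the example.

```python
import os
import stat
import tempfile

class UnsafeHook(Exception):
    """Raised when a hook script fails the defensive checks."""

def vulnerable_pick_script(hook_dir, state):
    """Illustration only (not run): the classic pattern behind the item.
    The name is joined unchecked (traversal), stat() follows symlinks, and
    the later open() re-resolves the path (time-of-check/time-of-use)."""
    path = os.path.join(hook_dir, state)
    st = os.stat(path)
    if st.st_uid != 0 or st.st_mode & stat.S_IWOTH:
        raise PermissionError(path)
    return open(path, "rb")

def validate_state_name(state):
    """Traversal defence: accept only a bare file name."""
    if not state or state in (".", "..") or "/" in state or "\x00" in state:
        raise UnsafeHook("rejected hook name %r" % (state,))
    return state

def open_hook_safely(dir_fd, state):
    """Open a hook relative to an already-open directory descriptor, refuse
    symlinks, then validate the *opened* file via fstat on the descriptor so
    nothing can be swapped between the check and the use."""
    name = validate_state_name(state)
    # O_NOFOLLOW makes the open fail (ELOOP) if the final component is a symlink
    fd = os.open(name, os.O_RDONLY | os.O_NOFOLLOW | os.O_CLOEXEC, dir_fd=dir_fd)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode):
            raise UnsafeHook("not a regular file")
        if st.st_uid != os.geteuid():
            raise UnsafeHook("not owned by the dispatcher's own uid")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            raise UnsafeHook("group- or world-writable")
    except Exception:
        os.close(fd)
        raise
    return fd

def demo():
    """Constructed scenario: one good hook, one symlink, one writable hook,
    one traversal name. Returns {name: 'ok' | 'rejected'}."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        hooks = os.path.join(root, "hooks.d")
        os.mkdir(hooks, 0o755)
        with open(os.path.join(hooks, "routable"), "wb") as f:
            f.write(b"#!/bin/sh\nexit 0\n")
        os.chmod(os.path.join(hooks, "routable"), 0o755)
        # a symlink sitting in the hook directory (the symlink-race class)
        with open(os.path.join(root, "outside"), "wb") as f:
            f.write(b"not a hook\n")
        os.symlink(os.path.join(root, "outside"), os.path.join(hooks, "carrier"))
        # a hook that anyone on the host could edit
        with open(os.path.join(hooks, "degraded"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(os.path.join(hooks, "degraded"), 0o777)
        dir_fd = os.open(hooks, os.O_RDONLY | os.O_DIRECTORY)
        try:
            for name in ("routable", "carrier", "degraded", "../outside"):
                try:
                    os.close(open_hook_safely(dir_fd, name))
                    results[name] = "ok"
                except (UnsafeHook, OSError):
                    results[name] = "rejected"
        finally:
            os.close(dir_fd)
    return results

if __name__ == "__main__":
    print(demo())
```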

------------------------------

Date: Sat, 7 May 2022 08:41:01 -0400
From: Tom Van Vleck <th...@multicians.org>
Subject: Google Docs crashed when fed 'And. And. And. And. And
(The Register)

https://www.theregister.com/2022/05/06/google_docs_crash/

------------------------------

Date: Mon, 2 May 2022 12:00:44 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Ordinary Copper Telephone Wire Could Carry Gigabit Broadband Speeds
(Matthew Sparkes)

Matthew Sparkes, *New Scientist*, 26 Apr 2022 via ACM TechNews, 2 May 2022

Ergin Dinc and colleagues at the U.K.'s University of Cambridge claim copper
telephone wire already deployed across Britain can carry data at rates three
times higher than fiber-optic cable at much less cost, over short distances.
The researchers say twisted pairs of copper wire can bear a frequency five
times higher than is currently employed, which may enable houses near
fiber-optic cables to realize higher speeds than currently possible, without
threading fiber all the way to their homes. In addition, the researchers
learned that copper broadband connections' operating frequency of less than
1 gigahertz can theoretically be increased to 5 gigahertz through the use of
an electrical device called a balun.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e891x233851x071263&

------------------------------

Date: Thu, 05 May 2022 21:53:55 +0200
From: "Diego.Latella" <diego....@isti.cnr.it>
Subject: The Weapon that Mistook a School Bus for an Ostrich

D. Amoroso, D. Garcia, and G. Tamburrini - Science & Diplomacy
An interesting article on autonomous weapons

https://www.sciencediplomacy.org/article/2022/weapon-mistook-school-bus-for-ostrich

[de BUStigus NON DISPUTANDUM oESTrich? PGN]

------------------------------

Date: Wed, 4 May 2022 12:40:45 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Smart Office Buildings Are Vulnerable to Hacks (Konrad Putzier)

Konrad Putzier, *The Wall Street Journal*, 03 May 2022

Smart office buildings in the U.S. raise concerns about privacy and
cybersecurity. Cybersecurity consultants warn that building managers devote
little attention to digital security, and the interconnection of smart
building systems means accessing a single Internet-connected door can
potentially enable hijacking, extortion, or data theft. Lucian Niemeyer at
smart-building safety nonprofit Building Cyber Security worries that more
criminals will target smart buildings as protections for mobile phones and
databases are strengthened. Said Dave Tyson of cybersecurity company Apollo
Information Systems Corp., "The bad guys only need to find one way in, and
whatever you've connected to is now on the table."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e8e7x23395bx071938&

------------------------------

Date: Thu, 5 May 2022 20:05:09 -0400
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: Every ISP in the US Must Block These 3 Pirate Streaming Services
(WiReD)

The 96 Internet service providers were told to enforce the orders "by any
technological means available".

https://www.wired.com/story/streaming-services-piracy-blocked-isps-united-states

------------------------------

Date: Fri, 6 May 2022 12:10:16 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Problems with Elon Musk's Plan to Open-Source the Twitter Algorithm
(MIT Tech Review)

Chris Stokel-Walker, *MIT Technology Review*, 27 Apr 2022,
via ACM TechNews, 6 May 2022

Elon Musk's announced plans for the Twitter social network include
open-sourcing its algorithms, which experts say would do little to boost
transparency without access to their training data. Said Jennifer Cobbe of
the U.K.'s University of Cambridge, "Most of the time when people talk about
algorithmic accountability these days, we recognize that the algorithms
themselves aren't necessarily what we want to see--what we really want is
information about how they were developed." There also are concerns
open-sourcing Twitter's algorithms would enable bad actors to identify
vulnerabilities to exploit and could make it more difficult to defeat spam
bots.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e929x2339f9x071309&

------------------------------

Date: April 30, 2022 at 18:05:03 GMT+9
From: Dewayne Hendricks <dew...@warpspeed.com>
Subject: Elon Musk wants to 'authenticate all real humans' on Twitter.
Here's what that could mean (CNN)

[Note: This item comes from friend Mike Nelson. DLH]

Brian Fung, CNN, 28 Apr 2022
<https://www.cnn.com/2022/04/28/tech/elon-musk-authenticate-all-real-humans/iundex.html>

Elon Musk wants to 'authenticate all real humans' on Twitter. Here's what
that could mean:

As the public combs through Elon Musk's Twitter (TWTR) feed for clues on how
the billionaire entrepreneur intends to run the social media platform he's
buying for $44 billion, one mysterious line stands out: "authenticate all
real humans."

That cryptic proposal is vague enough to keep people guessing about what
Musk has in mind but specific enough that it offers several possible paths
as he looks to shape Twitter more to his liking.

For example, Musk could seek to require real names on accounts. Or perhaps
he may continue to allow pseudonyms but require photo identification, or
integration with third-party services where users are already known.
Depending on the outcome, the plan could have big ramifications for
Twitter's hundreds of millions of users.

Musk's drive to "authenticate" Twitter users stems from one of his biggest
pet peeves with the platform's spam accounts, particularly those that push
cryptocurrency scams. It's often not hard to find these accounts lurking in
the replies to Musk's tweets; many even attempt to trade on his celebrity
and lure the unsuspecting by impersonating him.

It didn't help that in the summer of 2020, Musk's verified account was
affected by a widespread Twitter hack that led to users including former
President Barack Obama and Kanye West unwittingly spreading a bitcoin
scam. Cryptocurrency spam bots, Musk has said, represent Twitter's ``single
most annoying problem.''

Musk's diagnosis may reflect the experiences of a very particular type of
user, but it so happens that this user will soon control the design of the
platform. As part of his solution for battling cryptocurrency bots, Musk
wants to make it easier to separate real from fake accounts under his
proposal to ``authenticate all real humans.''

If the goal is to ensure that every account is tied to a flesh-and-blood
person, the platform will need some way to verify they are real. One
possibility is an expansion of Twitter's existing verification program.
Currently, to receive a blue check on their accounts, users have to supply a
link to an official website that they're affiliated with, an official email
address or a government-issued form of identification. Musk could stop short
of requiring identification but require that users use their real names.

He could explore other methods too, such as linking accounts to credit cards
or relying more on CAPTCHAs to defeat bots, said Jillian York, director for
international freedom of expression at the digital rights group Electronic
Frontier Foundation. (CAPTCHAs aren't a cure-all, however; as bots have
grown more sophisticated, CAPTCHAs have had to become more and more
difficult for humans to solve in what could be described as a technological
arms race.) Whatever method he chooses, York and other experts said Musk is
likely to run into challenges that fall into two main categories: access and
privacy. Access is about ensuring that all people who wish to use Twitter
can get on the platform. With a system that ties accounts to credit cards,
for example, York said Twitter would risk excluding all those who don't have
them. Maybe they're too young to have a credit card or they have poor credit
and can't get approved. Maybe they don't like having their credit card
transactions traded to data brokers or they just prefer using cash for
cultural reasons. Tying authentication to consumer credit would "exclude
millions of people," said York.

Then there's the issue of privacy. While many users may feel they have
nothing to hide, a system that forces users to submit their personally
identifiable information creates a single point of failure. Not only would
more users have to trust Twitter not to abuse their personal information,
but Twitter itself would become a much larger target for repressive
governments (who could use legal demands to compel Twitter to hand over the
information) or cybercriminals motivated by identity theft. Cybercriminals
have even reportedly posed as real law enforcement agents to serve
fraudulent government requests for tech company data. Twitter could promise
to delete the records, but it would merely be mitigating a risk it created
for itself.

The privacy issue is particularly worrisome to human rights groups, said
Natalia Krapiva, an attorney at the digital rights group Access Now,
"especially for people in countries like Russia and others where individuals
get severely persecuted for criticizing the government or covering important
political events like the protests, corruption, or the war in Ukraine.''

Even a real-names policy could prove challenging. Facebook has some
experience with this; the company was forced to make changes to its names
policy in 2015 after critics pointed out that abuse victims and other
vulnerable groups had good reasons to use pseudonyms. The changes at
Facebook raised the bar for reporting a fake name and allowed users to
provide reasons to the company why they avoid using their real names.

------------------------------

Date: Mon, 2 May 2022 16:05:57 -0400
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: Why is the U.S. still probing foreign visitors' social media
accounts? (WashPost)

Many people expected the Biden administration to end a Trump-era policy.
Instead, the administration is expanding it.

https://www.washingtonpost.com/outlook/2022/04/26/social-media-surveillance-us-visas-state/

------------------------------

Date: Sun, 1 May 2022 17:39:31 -0400
From: Jeremy Epstein <jeremy.j...@gmail.com>
Subject: Is your social network accurately reporting where you are? (Reddit)

Seems that some social networks try to guess where you are based on things
other than geolocation, so if you're using a VPN it might not get the right
location. My daughter told me that ProtonVPN started reporting that
she's in Russia (the VPN endpoint is actually in the Netherlands). Seems
that this is a Known Problem:

https://www.reddit.com/r/ProtonVPN/comments/uchwzr/fastest_profile_sent_me_to_russia/

As a moderator described it (I have no idea if this is accurate, but it
seems plausible):

No, your IP is not changing. The problem is that often, instead of using
GeoIP services, social media companies with lots of big data (like
facebook, instagram, and google) use location on cell devices to match IPs
to locations. Currently, there are a lot of Russian users on ProtonVPN
servers, hence causing this issue. This has been discussed as an example in
those threads:
https://www.reddit.com/r/ProtonVPN/comments/tfoko3/anyone_else_getting_this_on_instagram_i_am_on_a/
https://www.reddit.com/r/ProtonVPN/comments/tuj9ne/always_connects_to_russia/

------------------------------

Date: Tue, 3 May 2022 12:23:03 +0800
From: Richard Stein <rms...@ieee.org>
Subject: Can computers write product reviews with a human touch?
(Techxplore.com)

https://techxplore.com/news/2022-04-product-human.html

"Review writing is challenging for humans and computers, in part, because of
the overwhelming number of distinct products," said Keith Carlson, a
doctoral research fellow at the Tuck School of Business. "We wanted to see
how artificial intelligence can be used to help people that produce and use
these reviews."

One means to prevent AI hype from self-reinforced review feedback would be
to introduce product test plans, test results, and defect tracking metrics
into the review. Assuming the test and defect content is not faked, then
real metrics exist for comparison and contrast with equivalent product
feature sets.

Interpreting test plan content for context presents a modest problem to
surmount.

------------------------------

Date: Thu, 5 May 2022 00:11:19 -0400
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: DeFi ponzinomics, Grayscale ETF comments, Binance and Russia, El
Salvador -- Attack of the 50-Foot Blockchain (Sam Bankman-Fried)

The cry of the cryptocurrency evangelist is: ``you just don't understand the
technology.'' When you ask them a technical question, you discover that
100% of crypto bros who say you just don't understand the technology, don't
understand any technology.

https://davidgerard.co.uk/blockchain/2022/04/26/news-sam-bankman-fried-on-defi-ponzinomics-grayscale-etf-comments-binance-and-russia-el-salvador/

------------------------------

Date: Wed, 4 May 2022 13:33:09 -0400
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: The Tale of a Crypto Executive Who Wasn't Who He Said He Was
(NYTimes)

The Tale of a Crypto Executive Who Wasn’t Who He Said He Was

The chief operating officer of ZenLedger, a software company, boasted of
work for Goldman Sachs and Larry King. Did anyone check to see if it was
true?

https://www.nytimes.com/2022/05/03/your-money/zenledger-dan-hannum.html

Someone scamming a cryptocurrency company, I'm shocked.

------------------------------

Date: Sat, 7 May 2022 12:42:06 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: What Is Happening to the People Falling for Crypto and NFTs
(NYTimes)

[Warning: As usual, "crypto" does not mean cryptography. PGN]

https://www.nytimes.com/2022/05/05/opinion/crypto-nfts-web3.html

OpenSea, the world's hottest NFT startup, gained 500,000 users in 1 year.
Its founders went from broke to billionaires in that same time. Now
they're struggling to keep it from going off the rails.

https://fortune.com/longform/opensea-nfts-eth-ethereum-crypto-marketplace-founders/

He became as rich as Mark Zuckerberg virtually overnight. How Binance
founder Zhao became a $74 billion man while moving fast-breaking things in
crypto. Binance handled $34.1 trillion in trading last year, even while
wrangling with regulators.

https://fortune.com/longform/binance-changpeng-cz-zhao-net-worth-crypto-exchange-trading/

Why OpenSea's NFT Marketplace Can't Win. Security issues and endless copycat
listings are rife, but the platform's attempt to stop them is angering
everyone.

https://www.wired.com/story/opensea-nfts-twitter/

The fun never stops...

------------------------------

Date: Sun, 1 May 2022 10:22:05 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Wikimedia Foundation announces it will no longer accept
cryptocurrency donations

... following a push by users worried about the climate impact of mining and
the foundation's reputation. The foundation had accepted donations in
bitcoin, bitcoin cash and ether since 2014.

[Noted in multiple URLs. PGN]

------------------------------

Date: Sun, 1 May 2022 11:29:11 +1000
From: Andrew Waugh <andrew...@gmail.com>
Subject: Re: Bitcoin Is Unlikely to Go Green (RISKS-33.18)

Blockchain is unlikely to move to Proof of Stake simply because Proof of
Stake is nonsense at a fundamental level.

The idea behind Proof of Stake is simple enough. If the group running a
blockchain has sufficient stake in it, they can be trusted to run it
carefully and without fraud, because to do otherwise will destroy their own
stake.

The problem with this idea is that it is completely wrong. Centuries of
business history have shown that proof of stake doesn't protect against
either fraud or failure.

Every single business failure has been controlled by management satisfying
the proof of stake test. Some of them failed, of course, because of
technology or economic change, but many failed because of management hubris,
greed, foolishness, or simply not being good enough. Proof of stake is
absolutely no protection against failure due to these reasons.

Proof of Stake's protection against fraud is even worse. A fraud depends on
controlling the organisation; that is, satisfying the proof of stake test.
The control is critical to hiding what the fraudsters are doing. In
particular, note that a fraudster is not concerned with how much money is
left on the table (usually a purely notional stake), but in how much they
can skim off into their pocket along the way or at the end.

It should also be noted that business history has shown that many frauds
start off as business failures in which the owners slip into fraud in a
desperate attempt to avoid losing their stake.

The most illuminating aspect of Proof of Stake is that it shows that many
blockchain technologists/boosters are entirely innocent of any knowledge of
business, or, at least, the history of business failures and frauds. And yet
they feel confident to design and promote systems that are intended to
protect against failures and frauds.

------------------------------

Date: Tue, 3 May 2022 10:41:56 +0100
From: John Beattie <j...@jkbsc.co.uk>
Subject: Re: Bitcoin Is Unlikely to Go Green (RISKS-33.18)

Bitcoin can be made to go green by action at nation-state level. It is
super-easy to detect a mining operation by the flows of energy if not by the
major infrastructure. The Chinese managed it.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.19
************************
