Risks Digest 32.79

RISKS List Owner

Aug 2, 2021, 8:29:04 PM
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Monday 2 August 2021 Volume 32 : Issue 79

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/32.79>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
If you don't trust AI yet, you're not wrong. (NYTimes)
Phantom Warships Are Courting Chaos in Conflict Zones (WiReD)
Chair moved to clean in control room, bumps switch, shutting reactor in
Taiwan (The Register)
World's first re-programmable commercial satellite set to launch (phys.org)
AirDropped Image Of AirSoft Weapon Leads to UAL Flight Evacuation (AVweb)
On The Contours of Our Insecurity' & Related Obduracy... (Forbes)
Hackers Turning to 'Exotic' Programming Languages for Malware Development
(The Hacker News)
As Cyberattacks Surge, Security Start-Ups Reap the Rewards (NYTimes)
Albertans' personal information exposed after national health-care provider
hacked, data put up for sale (Edmonton Journal)
Human Risk Management is the FIX. (The Hacker News)
Don't click links in text messages (Tom Van Vleck)
Florida Sheriff's Office Now Notifying People It Will Be Inflicting Its
Pre-Crime Program On Them (TechDirt)
Ancient Printer Security Bug Affects Millions of Devices Worldwide
(Mayank Sharma)
ML Technique Used to Pinpoint Quantum Errors (Q-CTRL and U.Sydney)
QR Codes Are Here to Stay. So Is the Tracking They Allow. (NYTimes)
The Robocall Rebellion (NYTimes)
Joint USTPC/CRA Comments to the White House's OSTP on Enhancing
Scientific Integrity Policies (PGN)
Re: Disinformation for Hire, a Shadow Industry, Is Quietly Booming,
(Richard Thieme)
Re: Some locals say a bitcoin mining operation is ruining one of
the Finger Lakes. Here's how. (John Levine)
Re: YouTube fined 100 000 Euros delaying court order to restore video
(Thomas Koenig)
Re: "Roundoff" (Eric Ferguson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 30 Jul 2021 11:33:27 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: If you don't trust AI yet, you're not wrong. (NYTimes)

Frank Pasquale and Gianclaudio Malgieri, *The New York Times* (online on 30
Jul 2021, and in print on the opinion page, 2 Aug 2021)

[Thanks to Prashanth Mundkur for spotting this one on Friday, when I first
read it. It was not in print in the National Edition until Monday's paper
-- with some nifty art work. I PGN-excerpted it on Saturday, and added
the final paragraph after re-reading the article in print on Monday. PGN]

https://www.nytimes.com/2021/07/30/opinion/artificial-intelligence-european-union.html

Americans have good reason to be skeptical of artificial intelligence. Tesla
crashes have dented the dream of self-driving cars. Mysterious algorithms
predict job applicants' performance based on little more than video
interviews. Similar technologies may soon be headed to the classroom, as
administrators use “learning analytics platforms” to scrutinize students'
written work and emotional states. Financial technology companies are using
social media and other sensitive data to set interest rates and repayment
terms.

Even in areas where AI seems to be an unqualified good, like machine
learning to better spot melanoma, researchers are worried that current data
sets do not adequately represent all patients’ racial backgrounds. [...]

In April, the European Union released a new proposal for a systematic
regulation of artificial intelligence. If enacted, it will change the terms
of the debate by forbidding some forms of AI, regardless of their ostensible
benefits. Some forms of manipulative advertising will be banned, as will
real-time indiscriminate facial recognition by public authorities for law
enforcement purposes.

The list of prohibited AI uses is not comprehensive enough -- for example,
many forms of nonconsensual AI-driven emotion recognition, mental health
diagnoses, ethnicity attribution and lie detection should also be
banned. But the broader principle -- that some uses of technology are simply
too harmful to be permitted -- should drive global debates on AI regulation.
[...]

The European Union is now laying the intellectual foundations for such
protections, in a wide spectrum of areas where advanced computation is now
(or will be) deployed to make life-or-death decisions about the allocation
of public-assistance services, the targets of policing, and the cost of
credit. While its regulation will never be adopted by the United States,
there is much to learn from its comprehensive approach.

------------------------------

Date: Fri, 30 Jul 2021 00:38:29 -0400
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: Phantom Warships Are Courting Chaos in Conflict Zones (WiReD)

The latest weapons in the global information war are fake vessels
behaving badly

https://www.wired.com/story/fake-warships-ais-signals-russia-crimea/

------------------------------

Date: Wed, 28 Jul 2021 20:18:30 -0700
From: "Rob Wilcox" <robwi...@gmail.com>
Subject: Chair moved to clean in control room, bumps switch, shutting
reactor in Taiwan (The Register)

We don't often think about basic house cleaning in mission critical
facilities. Not cleaning is not an option for operator experience and other
reasons. I wonder what the literature is on that in human factors
engineering?

The Guosheng Nuclear Power Plant in Taiwan is about 15 miles from Taipei
and on the ocean. At 985MW, it provides about 3-4% of load this week that
varies between about 26,000-38,000MW.

When cleaning the control room, a chair was moved, lifting an acrylic safety
cover and activating the protected switch. The switch closed the main steam
loop valve which caused the safety sequence to shut down the reactor without
further incident.

The Register tagged their article "Surprisingly a real-life scenario and not
a plotline from The Simpsons"

Preliminary report by the Taiwan Atomic Energy Council (Chinese, your
browser may translate):
https://www.aec.gov.tw/newsdetail/headline/5757.html

Local coverage:
https://en.rti.org.tw/news/view/id/2005816

More:
https://www.theregister.com/2021/07/28/taiwan_nuclear_plant_shutdown/

[Also reported by Dan Jacobson:
Surprisingly a real-life scenario and not a plotline from The Simpsons.
PGN]

------------------------------

Date: Fri, 30 Jul 2021 18:25:43 +0800
From: "Richard Stein" <rms...@ieee.org>
Subject: World's first re-programmable commercial satellite set to launch
(phys.org)

https://phys.org/news/2021-07-world-re-progammable-commercial-satellite.html

"The European Space Agency will on Friday launch the world's first
commercial fully re-programmable satellite, paving the way for a new era of
more flexible communications.

"Unlike conventional models that are designed and 'hard-wired' on Earth and
cannot be repurposed once in orbit, the Eutelsat Quantum is based on
so-called software-defined technology that allows users to tailor the
communications to their needs -- almost in real-time."

A pre-launch bugathon/hackathon, in addition to qualification testing and
acceptance sign-off, is a reasonable recommendation.

------------------------------

Date: Wed, 28 Jul 2021 12:30:51 -0400
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: AirDropped Image Of AirSoft Weapon Leads to UAL Flight Evacuation
(AVweb)

According to local news sources, a teenage airline passenger “virtually”
triggered a security evacuation by AirDropping an electronic image of a
replica AirSoft weapon to other passengers. The incident occurred before
takeoff on a United Airlines flight from San Francisco to Orlando. Security
officials ultimately determined that the image had been taken well before
the time of the flight and the fake gun was not on board. They also
determined that no malicious intent was involved.

https://www.avweb.com/aviation-news/airdropped-image-of-airsoft-weapon-leads-to-ual-flight-evacuation/

------------------------------

Date: Thu, 29 Jul 2021 22:31:33 -0400
From: "Robert Mathews (OSIA)" <mat...@hawaii.edu>
Subject: On The Contours of Our Insecurity' & Related Obduracy....

Thomas Brewster, Cybersecurity, FORBES, 29 Jul 2021
"Meet Paragon: An American-Funded, Super-Secretive Israeli Surveillance
Startup That ‘Hacks WhatsApp And Signal’"
https://www.forbes.com/sites/thomasbrewster/2021/07/29/paragon-is-an-nso-competitor-and-an-american-funded-israeli-surveillance-startup-that-hacks-encrypted-apps-like-whatsapp-and-signal

"Paragon Solutions doesn’t have a website. There’s very little information
at all about them online  ....  But it does have a cofounder, director and
chief shareholder that will turn heads: Ehud Schneorson, the former
commander of Israel’s NSA equivalent, known as Unit 8200. The other
cofounders - CEO Idan Nurick, CTO Igor Bogudlov and vice president of
research Liad Avraham - are ex-Israeli intelligence too. Also on the board
is cofounding director and former Israeli prime minister Ehud Barak. They
also have a significant American financial backer: Boston,
Massachusetts-based Battery Ventures." 

------------------------------

Date: Tue, 27 Jul 2021 12:33:46 -1000
From: "geoff goodfellow" <ge...@iconia.com>
Subject: Hackers Turning to 'Exotic' Programming Languages for Malware
Development (The Hacker News)

Threat actors are increasingly shifting to "exotic" programming languages
such as Go, Rust, Nim, and Dlang that can better circumvent conventional
security protections, evade analysis, and hamper reverse engineering
efforts.

"Malware authors are known for their ability to adapt and modify their
skills and behaviors to take advantage of newer technologies," said
Eric Milam, Vice President of threat research at BlackBerry
<https://www.blackberry.com/us/en/forms/enterprise/report-old-dogs-new-tricks>.
"That tactic has
multiple benefits from the development cycle and inherent lack of coverage
from protective products."

On the one hand, languages like Rust are more secure as they offer
guarantees like memory-safe programming
<https://en.wikipedia.org/wiki/Rust_(programming_language)#Memory_safety>,
but they can also be a double-edged sword when malware engineers abuse the
same features designed to offer increased safeguards to their advantage,
thereby making malware less susceptible to exploitation and thwart attempts
to activate a kill-switch
<https://thehackernews.com/2020/08/emotet-botnet-malware.html> and render
them powerless.

Noting that binaries written in these languages can appear more complex,
convoluted, and tedious when disassembled, the researchers said the pivot
adds additional layers of obfuscation, simply by virtue of them being
relatively new, leading to a scenario where older malware developed using
traditional languages like C++ and C# are being actively retooled with
droppers and loaders written in uncommon alternatives to evade detection by
endpoint security systems. [...]

https://thehackernews.com/2021/07/hackers-turning-to-exotic-programming.html

------------------------------

Date: Tue, 27 Jul 2021 22:01:00 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: As Cyberattacks Surge, Security Start-Ups Reap the Rewards
(NYTimes)

Investors have poured $12.2 billion into cybersecurity companies so far this
year, nearly $2 billion more than the total for all of 2020.

https://www.nytimes.com/2021/07/26/technology/cyberattacks-security-investors.html

------------------------------

Date: Fri, 30 Jul 2021 06:46:49 -0600
From: "Matthew Kruk" <mkr...@gmail.com>
Subject: Albertans' personal information exposed after national
health-care provider hacked, data put up for sale (Edmonton Journal)

A listing on Marketo, a self-described "leaked data marketplace," claimed to
be selling more than 180 gigabytes of the company's data including a sample
evidence package with documents referencing provincial and national
organizations, including Workers' Compensation Board of Alberta, the City of
Spruce Grove, Construction Labour Relations, Fortis Alberta, Alberta Motor
Association, the University of Lethbridge and Bow Valley College

https://edmontonjournal.com/news/local-news/albertans-personal-information-exposed-after-national-health-care-provider-hacked-data-put-up-for-sale

------------------------------

Date: Thu, 8 Jul 2021 11:01:15 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Human Risk Management is the FIX. (The Hacker News)

Humans are an organization's strongest defence against evolving #cyber
threats, but security awareness #training alone often isn't enough to
transform user behaviour.

Human Risk Management (HRM) is the FIX.

Checkout this new guide from @getusecure: [...]
https://thehackernews.com/2021/07/security-awareness-training-is-broken.html
via
https://twitter.com/TheHackersNews/status/1413158374057730052

------------------------------

Date: Wed, 28 Jul 2021 08:48:46 -0400
From: "Tom Van Vleck" <th...@multicians.org>
Subject: Don't click links in text messages

Mobile phones have hundreds of options, but there's one important one
missing. If iPhones had a Messages option named "disable links in Messages"
I would set it and tell everyone to set it.

The Bad Guys can send text messages that appear to be from anybody. I get a
lot from banks I don't have an account at. If the Bad Guys hack somebody
else's phone or email, they might get your mobile number and send you a fake
text message with a link in it.

If you click this link, a web browser on your phone will be sent to a fake
page of theirs. That page can infect your phone with malware, spyware,
ransomware. Spoil your day/week/month.

Here is a web page that explains the problem.
https://theintercept.com/2021/07/27/pegasus-nso-spyware-security/

(Are you about to click that link, without making sure the mail is really
from me?)

------------------------------

Date: July 30, 2021 22:23:23 JST
From: Richard Forno <rfo...@infowarrior.org>
Subject: Florida Sheriff's Office Now Notifying People It Will Be
Inflicting Its Pre-Crime Program On Them (TechDirt)

(the agency's letter, which you can read at the link, is some grade-A
Orwellian nonsense.... --rick) [via Dave Farber]

https://www.techdirt.com/articles/20210724/15223647236/florida-sheriffs-office-now-notifying-people-it-will-be-inflicting-pre-crime-program-them.shtml

------------------------------

Date: Wed, 28 Jul 2021 11:56:32 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Ancient Printer Security Bug Affects Millions of Devices Worldwide
(Mayank Sharma)

Mayank Sharma, TechRadar, 21 Jul 2021,
via ACM TechNews, Wednesday, July 28, 2021

Cybersecurity researchers at SentinelOne have identified a highly severe
privilege escalation vulnerability in HP, Samsung, and Xerox printer
drivers. The vulnerability appears to have been present since 2005. The
researchers said millions of devices and users worldwide likely have been
impacted by the buffer overflow vulnerability, which can be exploited
whether or not a printer is connected to a targeted device. SentinelOne's
Asaf Amir said, "Successfully exploiting a driver vulnerability might allow
attackers to potentially install programs; view, change, encrypt, or delete
data, or create new accounts with full user rights." Hackers would need
local user access to the system to access the affected driver and take
advantage of the vulnerability.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c145x22c913x072638

------------------------------

Date: Fri, 30 Jul 2021 12:59:24 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: ML Technique Used to Pinpoint Quantum Errors (Q-CTRL and U.Sydney)

HPCwire, 29 Jul 2021, via ACM TechNews, Friday, July 30, 2021

Researchers at Australia's University of Sydney (USYD) and quantum control
startup Q-CTRL have designed a method of pinpointing quantum computing
errors via machine learning (ML). The USYD team devised a means of
recognizing the smallest divergences from the conditions necessary for
executing quantum algorithms with trapped ion and superconducting quantum
computing equipment. Q-CTRL scientists assembled custom ML algorithms to
process the measurement results, and minimized the impact of background
interference using existing quantum controls. This yielded an easy
distinction between sources of correctable "real" noise and phantom
artifacts of the measurements themselves. USYD's Michael J. Biercuk said,
"The ability to identify and suppress sources of performance degradation in
quantum hardware is critical to both basic research and industrial efforts
building quantum sensors and quantum computers."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2c1c7x22c9a9x073991&

[``Who needs error-correcting codes when we have machine learning?'' PGN]

------------------------------

Date: Tue, 27 Jul 2021 21:51:21 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: QR Codes Are Here to Stay. So Is the Tracking They Allow.
(NYTimes)

Fueled by a desire for touchless transactions, QR codes popped up everywhere in the pandemic. Businesses don’t want to give them up.

https://www.nytimes.com/2021/07/26/technology/qr-codes-tracking.html

------------------------------

Date: Fri, 30 Jul 2021 00:31:50 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: The Robocall Rebellion

https://www.nytimes.com/2021/07/28/opinion/the-robocall-rebellion.html

------------------------------

Date: Wed, 28 Jul 2021 20:10:22 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: Joint USTPC/CRA Comments to the White House's OSTP on Enhancing
Scientific Integrity Policies

The White House's Office of Science and Technology Policy (OSTP) made formal
Request for Information To Improve Federal Scientific Integrity Policies in
June 2021.
https://www.federalregister.gov/documents/2021/06/28/2021-13640/request-for-information-to-improve-federal-scientific-integrity-policies
A joint response has been submitted to OSTP from the Computing Research
Association and USTPC.
https://www.acm.org/binaries/content/assets/public-policy/cra-acm-comments-si-ftac-rfi.pdf.

------------------------------

Date: Thu, 29 Jul 2021 10:02:35 -0500
From: "Richard Thieme" <rth...@thiemeworks.com>
Subject: Re: Disinformation for Hire, a Shadow Industry, Is Quietly Booming,
(Max Fisher, RISKS-32.78)

Max Fisher writes of the disinformation industry as if his illumination
is news. After I wrote an article about a cyber sleuth who worked online
25 years ago for an English magazine, Hill and Knowlton, the global PR
firm, thought I lived in London (we had not acclimated yet to the global
presence of everyone on the Internet) and asked me to come by for a
talk. They wanted to do "brand defense" on the Internet, which meant
impersonating multiple people in Usenet groups and the like, all
forerunners of current practices. This is not new news. I wrote long ago
that "truth and lies are Siamese twins, joined at the lips," and began
with speech - or before, with deceptive gestures, as chimps have been
seen to do.

------------------------------

Date: 28 Jul 2021 01:01:09 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: Some locals say a bitcoin mining operation is ruining one of
the Finger Lakes. Here's how. (NBC News, RISKS-32.78)

The bitcoin mining hardware is physically located at the power plant.

The retail price I pay for power is about 5.4c/kwh for supply and 5.2c/kwh
for delivery. While it's certainly cheaper for wholesale customers I think
that the supply and delivery charges are about equal, so if the miners had
to pay for delivery, it wouldn't be worth it.

------------------------------

Date: Wed, 28 Jul 2021 07:57:24 +0200
From: "Thomas Koenig" <tko...@netcologne.de>
Subject: Re: YouTube fined 100 000 Euros delaying court order to restore
video (RISKS-32-78)

> It seems like hubris for the "Higher Regional Court at Dresden"
> to expect that everyone in the world will recognize that title
> and recognize the court's authority.

They were served with court papers, and as I wrote, they had representation
at court. You have to be a qualified lawyer to appear before the
"Oberlandesgericht", to give it its proper title, and the court order would
be communicated to them.

> It should take a reasonable time to investigate such a message for
> authenticity.

It is simply not credible that a company would confuse a court order
communicated through their own lawyers with some random crackpot
e-mail.

------------------------------

Date: Wed, 28 Jul 2021 12:54:11 +0200
From: Eric Ferguson <e.fer...@antenna.nl>
Subject: Re: "Roundoff" (RISKS-32.78)

Whether the times are truncated to the lower number of decimals or correctly
rounded makes no systematic difference when comparing results.  The
truncated values are on average exactly 0,5 part of the smallest digit value
smaller than the rounded values.  Both expand the smallest difference
between the input values into a full one unit of the smallest digit value in
the shortened number, but do so at different places in the continuum of
input values.

As long as you are only comparing results from the same data set, there will
be no systematic bias.  But if you compare truncated times with rounded
times, or compare totals of added times, there can be systematic bias.
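An added example (not part of Eric Ferguson's post or the original thread) that checks the claim in exact arithmetic: it assumes times measured in hundredths and shortened to tenths, with round-half-up rounding, and shows the half-unit average shortfall, the absence of order inversions within one sheet, and the one-sided bias that appears once a truncated sheet is compared against a rounded one or totals are added up.

```python
from fractions import Fraction
from itertools import combinations

UNIT = Fraction(1, 10)   # times are reported to tenths of a second
RAW = Fraction(1, 100)   # the timing system measured hundredths

def truncate(t, unit=UNIT):
    """Drop every digit below `unit` (floor; times are non-negative)."""
    return (t // unit) * unit

def round_half_up(t, unit=UNIT):
    """Round to the nearest `unit`, with exact halves rounding up."""
    return ((t + unit / 2) // unit) * unit

def sample_times(seconds=12):
    """Constructed input: every hundredth from 0.00 s up to `seconds`, so
    each dropped digit 0..9 occurs equally often (a uniform continuum)."""
    return [k * RAW for k in range(seconds * 100)]

def mean_shortfall(times, unit=UNIT):
    """Average (rounded - truncated), expressed in multiples of `unit`."""
    gap = sum(round_half_up(t, unit) - truncate(t, unit) for t in times)
    return gap / len(times) / unit

def order_inversions(times, shorten):
    """Pairs whose order flips when both are shortened by the same rule."""
    return sum(1 for a, b in combinations(times, 2)
               if a < b and shorten(a) > shorten(b))

def mixed_verdicts(times, unit=UNIT):
    """Two competitors with the same true time: one result sheet truncates,
    the other rounds. Counts who appears faster (smaller time)."""
    verdict = {"truncated_faster": 0, "tie": 0, "rounded_faster": 0}
    for t in times:
        a, b = truncate(t, unit), round_half_up(t, unit)
        if a < b:
            verdict["truncated_faster"] += 1
        elif a == b:
            verdict["tie"] += 1
        else:
            verdict["rounded_faster"] += 1
    return verdict

def total_gap(times, unit=UNIT):
    """Sum of rounded times minus sum of truncated times (added-up laps)."""
    return sum(round_half_up(t, unit) - truncate(t, unit) for t in times)

if __name__ == "__main__":
    times = sample_times()
    print("mean shortfall in units:", mean_shortfall(times))   # 1/2
    print("inversions, truncate only:", order_inversions(sample_times(3), truncate))
    print("inversions, round only:", order_inversions(sample_times(3), round_half_up))
    print("mixed sheets, same true time:", mixed_verdicts(times))
    print("total gap over", len(times), "laps:", total_gap(times), "s")
```

Within one sheet neither rule ever reverses an order (it can only create ties), but across sheets the truncated competitor is never slower and appears faster half the time, and the gap in totals grows with the number of laps added.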

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.79
************************
