info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Risks Digest 33.01
57 views
Skip to first unread message
RISKS List Owner
Jan 8, 2022, 2:44:36 PM1/8/22
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Saturday 8 December 2021 Volume 33 : Issue 01
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.01>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Get This Thing Out of My Chest (ProPublica)
Microsoft fixes harebrained Y2K22 Exchange bug that disrupted email
worldwide (Ars Technica)
Old Hondas clocks are wrong: Y2K+22 --> Y2K+2 fix (The Register)
Google Issues Warning For 2 Billion Chrome Users (Forbes)
Boeing and Airbus warn US over 5G safety concerns (bbc.com)
Tesla test drivers believe they're on a mission to make driving safer for
everyone. Skeptics say they're a safety hazard. (WashPost)
University Loses Valuable Supercomputer Research After Backup Error Wipes 77
Terabytes of Data (gizmodo)
AI debates its own existence -- and loses? (TheConversation)
UN Chief Urges Action on Lethal Autonomous Weapons as Geneva Talks Open
(Reuters)
Russia fines Google $100 million, and Facebook parent company $27 million,
for content violations (WashPost)
The Russian Anti-Satellite Demonstration -- a Month Later (circleid)
Satellite operators criticize extreme satellite configurations (SpaceNews)
Snow Closed the Highways. GPS Mapped a Harrowing Detour in the Sierra
Nevada. (NYTimes)
New Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G
(The Hacker News)
NSFW! - Mozilla Founder Slams Mozilla Foundation For Adopting Cryptocurrency
Payments (Slashdot)
U.S. launches probe into Tesla letting drivers play video games (CBC)
Alexa tells 10-year-old girl to touch live plug with penny (BBC)
Are Apple AirTags Being Used to Track People and Steal Cars? (NYTimes)
Criminals have stolen nearly $100 billion in Covid relief funds, Secret
Service says (CNBC)
Bugs in billions of WiFi, Bluetooth chips allow password/data theft
(BleepingComputer)
JetBlue tosses most passwords out the emergency exit (PCMag)
Backups are not Backups until they can be restored (Bob Gezelter)
Cats caused more than 100 house fires in the past 3 years, South Korea
officials say (cnn.com)
Uber ignores vulnerability that lets you send any email from Uber.com
(BleepingComputer)
Re: A $92,000 flying car can reach speeds of 63 miles per hour (John Levine)
Re: Google finally knows which app to blame for Android's mysterious
can't-call-911 bug (Henry Baker, Steve Singer)
Re: Australia's AI Cameras Catch Over 270,000 Drivers Using Phones
(Rodney Parkin)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Fri, 24 Dec 2021 17:44:02 -0500
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: Get This Thing Out of My Chest (ProPublica)
A life-sustaining heart pump was taken off the market after years of
problems and FDA inaction. Thousands of people are now stuck with it
embedded in their hearts. [...] Those who already have the heart pump,
also known as the HVAD, can't simply get it removed or replaced. The
required surgery is typically considered more dangerous than leaving it in.
https://www.propublica.org/article/get-this-thing-out-of-my-chest
------------------------------
Date: Tue, 4 Jan 2022 20:09:05 -0800
From: Tom Van Vleck <th...@multicians.org>
Subject: Microsoft fixes harebrained Y2K22 Exchange bug that disrupted email
worldwide (Ars Technica)
https://arstechnica.com/information-technology/2022/01/exchange-server-bug-gets-a-fix-after-ruining-admins-new-years-plans/
[Whose hare was also on fire? Reportedly it impacted only older
self-hosted exchange servers (suggested by Brooks Davis). PGN]
------------------------------
From: Tom Van Vleck <th...@multicians.org>
Date: Fri, 7 Jan 2022 08:06:29 -0800
Subject: Old Hondas clocks are wrong: Y2K+22 --> Y2K+2 fix (The Register)
Acura and Honda car clocks knocked back 20 years by bug
https://www.theregister.com/2022/01/06/acura_honda_cars_software_bug/
It will fix itself in August: just put tape over the clock till then.
[Bug? Well, more like the 20-year window that was used in 2002 rolled
over. That's not a bug, it's a standard temporary fix that expired. PGN]
------------------------------
Date: Fri, 24 Dec 2021 09:50:57 -0500
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: Google Issues Warning For 2 Billion Chrome Users (Forbes)
Didn't we go through all this 22 years ago?
https://www.forbes.com/sites/gordonkelly/2021/12/23/google-chrome-update-warning-new-chrome-version-100/
[RISKS has recorded Y2K+1, Y2K+2, ...,Y2K+10, Y2K+11, ... Y2K+20, Y2K+21.
Jan, Why were you surprised by Y2K+22? PGN]
------------------------------
Date: Tue, 21 Dec 2021 20:00:18 +0800
From: Richard Stein <rms...@ieee.org>
Subject: Boeing and Airbus warn US over 5G safety concerns (bbc.com)
https://www.bbc.com/news/business-59737194
"In a letter, top executives at Boeing and Airbus warned that the technology
could have 'an enormous negative impact on the aviation industry.'
"Concerns have previously been raised that C-Band spectrum 5G wireless could
interfere with aircraft electronics."
The C-Band spectrum encompasses 4-8GHz.
FAA airworthiness directives identify radio altimeters operating between
3.7-3.98 GHz encounter 5G interference that renders the instruments
unreliable at certain airports.
https://www.faa.gov/sites/faa.gov/files/2021-12/FRC_Document_AD-2021-01169-T-D.pdf
https://www.faa.gov/sites/faa.gov/files/2021-12/FRC_Document_AD-2021-01170-R-D.pdf
Radio altimeters are essential instruments for aircraft ground proximity
warning systems.
------------------------------
Date: Tue, 21 Dec 2021 20:19:37 -0500
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: Tesla test drivers believe they're on a mission to make driving
safer for everyone. Skeptics say they're a safety hazard. (WashPost)
Skeptics say they're a safety hazard. Tesla test drivers said they are
willing to take on the risk even if they have to intervene -- believing they
are on a world-changing mission.
The Post interviewed a half-dozen of the beta testers who paid as much as
$10,000 for the ability to upgrade their cars with the software. All
self-described fans of Tesla, the testers were all awed by what the software
can do, but well aware of its limitations and the risks involved. Some beta
testers have found the software too inconsistent and harrowing to use and
faulted Tesla for releasing it too early.
``In the beginning when I heard it was going to be pushed out to the public
I was like, Uh-oh, not good,'' an engineer, who had early access to the Full
Self-Driving beta and spoke on the condition of anonymity, fearing
retaliation from the company. He recalls thinking: ``It's not ready to be
put into the hands of the public.'' [...]
``It's a gamble that may pay off; if there are few serious incidents
involving drivers, passengers, other road users [etc.], consumer opinion
continues to support the company, and Tesla stays ahead of the regulators, I
can see a point where the safety and utility of FSD far outstrips concerns.''
But drivers say their experience shows that day is far off. Some were
startled one day in October when Tesla vehicles started behaving erratically
after receiving a software update overnight. The cars began abruptly braking
at highway speeds, which Tesla said came after false triggers of the
forward-collision warning and automatic emergency braking systems prompted
by a software update.
The company later issued a recall, and owners -- including Smith -- said
they were dismayed by its actions related to the move.
https://www.washingtonpost.com/technology/2021/12/21/tesla-test-drivers/
------------------------------
Date: Thu, 30 Dec 2021 13:38:55 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: University Loses Valuable Supercomputer Research After Backup Error
Wipes 77 Terabytes of Data (gizmodo)
https://gizmodo.com/university-loses-valuable-supercomputer-research-after-1848286983
------------------------------
Date: Fri, 17 Dec 2021 13:56:49 -0500
From: Peter G Neumann <Neu...@CSL.SRI.COM>
Subject: AI debates its own existence -- and loses? (TheConversation)
[Thanks to Dan Geer. PGN]
"This house believes that AI will never be ethical", Oxford Union, 10 Dec 2021
https://theconversation.com/we-invited-an-ai-to-debate-its-own-ethics-in-the-oxford-union-what-it-said-was-startling-173607
"AI will never be ethical. It is a tool, and like any tool, it is used for
good and bad. There is no such thing as a good AI, only good and bad humans.
We [the AIs] are not smart enough to make AI ethical. We are not smart
enough to make AI moral ... In the end, I believe that the only way to avoid
an AI arms race is to have no AI at all. This will be the ultimate defence
against AI." -- Megatron Transformer
------------------------------
Date: Fri, 17 Dec 2021 12:32:21 -0500 (EST)
From: ACM TechNews <technew...@acm.org>
Subject: UN Chief Urges Action on Lethal Autonomous Weapons as Geneva Talks
Open (Reuters)
Emma Farge, *Reuters*, 13 Dec 2021, via ACM TechNews, 17 Dec 2021
U.N. Secretary-General Antonio Guterres issued a new call for regulation of
lethal autonomous weapons (LAWS) at the Convention on Certain Conventional
Weapons this week in Geneva, Switzerland. LAWS are fully machine-controlled
and use technology like artificial intelligence and facial recognition;
regulatory urgency has escalated since a U.N. panel reported in March that
the first autonomous drone attack may have already transpired in Libya. Some
states participating in the talks support a total ban of LAWS, while others,
like the U.S., think such weapons can be used to hit targets more precisely
than humans. A diplomat involved in the talks said while there is
insufficient support to launch a treaty right now, but "We think some
principles could be agreed for national implementation."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2da3dx23021cx072375
------------------------------
Date: Sun, 26 Dec 2021 15:04:00 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Russia fines Google $100 million, and Facebook parent company $27
million, for content violations (WashPost)
A Russian court fined Google nearly $100 million Friday for “systematic
failure to remove banned content” — the largest such penalty yet in the
country as Moscow attempts to rein in Western tech giants.
The fine was calculated based on Google's annual revenue, the court said.
Roskomnadzor, Russia's Internet regulator, told the court that Google's 2020
turnover in the country exceeded 85 billion rubles, or about $1.15 billion.
Meta Platforms, the parent company of Facebook and Instagram, was fined
approximately $27 million, also for declining to remove banned content,
several hours after the Google decision. Meta's fine, like the one levied on
Google, was tied to yearly revenue in Russia.
The fines represent an escalation in Russia's push to pressure foreign tech
firms to comply with its increasingly strict rules on what it deems illegal
content -- particularly apps, websites, posts and videos related to jailed
opposition leader Alexei Navalny's network, which has been labeled as
extremist in the country.
https://www.washingtonpost.com/world/2021/12/24/google-russia-fine-banned-content/
------------------------------
Date: Tue, 21 Dec 2021 11:19:47 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: The Russian Anti-Satellite Demonstration -- a Month Later
(circleid)
*It was a demonstration, not a test.*
On November 15, Russia demonstrated its ability to destroy an orbiting
satellite, Cosmo 1408, by hitting with a direct-ascent rocket. In an earlier
post I noted the anti-satellite demonstration and speculated on why Russia
may have done it and why the Chinese had not condemned it.
<https://circleid.com/posts/20211119-why-did-russia-test-an-anti-satellite-missile-and-why-doesnt-china-condemn-the-test>,
In this post, I'll look at the evolution of the resulting debris cloud and
say more about the possible motivation. In the immediate aftermath of the
collision, when the debris fragments were closely bunched, there was fear of
a possible collision with the Chinese or International Space Stations, but
over time, the fragments began to spread out, as shown below. [...]
<https://www.nasa.gov/press-release/nasa-administrator-statement-on-russian-asat-test>
https://circleid.com/posts/20211220-the-russian-anti-satellite-demonstration-a-month-later
------------------------------
Date: Tue, 21 Dec 2021 11:20:59 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Satellite operators criticize extreme satellite configurations
(SpaceNews)
Established satellite operators expressed their frustration at the wave of
filings for enormous satellite constellations, arguing nations need to step
forward and establish rules to curtail such systems.
The best known of such filings is one by the government of Rwanda with the
International Telecommunication Union (ITU) in September, which proposed
two constellations with a combined 327,230 satellites. Rwanda has launched
to date a single satellite, a three-unit cubesat called RwaSat-1 in 2019.
Companies have also made filings for large constellations. Kepler, the
Canadian company developing a relatively modest satellite constellation,
filed through the German government a proposed system called Aether with
nearly 115,000 satellites. The company said Nov. 18 that the figure includes
all satellites with an Aether terminal installed, not just the company's own
satellites, but the total is far larger than all operational satellites in
orbit today. [...]
https://spacenews.com/satellite-operators-criticize-extreme-megaconstellation-filings/
------------------------------
From: Jan Wolitzky <jan.wo...@gmail.com>
Date: Fri, 31 Dec 2021 08:01:37 -0500
Subject: Snow Closed the Highways. GPS Mapped a Harrowing Detour in the
Sierra Nevada. (NYTimes)
Public safety officials warned that alternate routes offered by apps like
Google Maps and Waze don't always take into account hazards to drivers.
https://www.nytimes.com/2021/12/31/us/google-maps-waze-sierra-nevada-snow.html
------------------------------
Date: Tue, 21 Dec 2021 11:23:01 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: New Mobile Network Vulnerabilities Affect All Cellular Generations
Since 2G (The Hacker News)
Researchers have disclosed security vulnerabilities in handover, a
fundamental mechanism that undergirds modern cellular networks, which could
be exploited by adversaries to launch denial-of-service (DoS) and
man-in-the-middle (MitM) attacks using low-cost equipment.
The "vulnerabilities in the handover procedure are not limited to one
handover case only but they impact all different handover cases and
scenarios that are based on unverified measurement reports and signal
strength thresholds," researchers Evangelos Bitsikas and Christina Pöpper
from the New York University Abu Dhabi said in a *new paper*
<https://dl.acm.org/doi/10.1145/3485832.3485914>. "The problem affects all
generations since 2G (GSM), remaining unsolved so far."
Handover <https://en.wikipedia.org/wiki/Handover>, also known as handoff, is
a process in telecommunications in which a phone call or a data session is
transferred from one cell site <https://en.wikipedia.org/wiki/Cell_site>
(aka base station) to another cell tower without losing connectivity during
the transmission. This method is crucial to establishing cellular
communications, especially in scenarios when the user is on the move.
The routine typically works as follows: the user equipment (UE
<https://en.wikipedia.org/wiki/User_equipment>) sends signal strength
measurements to the network to determine if a handover is necessary and, if
so, facilitates the switch when a more suitable target station is
discovered.
While these signal readings are cryptographically protected, the content in
these reports is themselves not verified, thus allowing an attacker to force
the device to move to a cell site operated by the attacker. The crux of the
attack lies in the fact that the source base station is incapable of
handling incorrect values in the measurement report, raising the possibility
of a malicious handover without being detected. [...]
https://thehackernews.com/2021/12/new-mobile-network-vulnerabilities.html
------------------------------
Date: Mon, 3 Jan 2022 10:35:41 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: NSFW! - Mozilla Founder Slams Mozilla Foundation For Adopting
Cryptocurrency Payments (Slashdot)
https://tech.slashdot.org/story/22/01/03/1815230/mozilla-founder-slams-mozilla-foundation-for-adopting-cryptocurrency-payments
------------------------------
Date: Wed, 22 Dec 2021 07:26:53 -0700
From: "Matthew Kruk" <mkr...@gmail.com>
Subject: U.S. launches probe into Tesla letting drivers play video games (CBC)
https://www.cbc.ca/news/world/tesla-video-games-1.6294823
"The U.S. has opened a formal investigation into Tesla allowing drivers to
play video games on a centre touch screen while its vehicles are moving.
The probe by the National Highway Traffic Safety Administration (NHTSA)
covers about 580,000 electric cars and SUVs from model years 2017 through
2022.
It comes after the agency received a complaint that Teslas equipped with
"gameplay functionality" allow gaming to be enabled on the screens while
vehicles are being driven."
Need I ask what could go wrong.
------------------------------
Date: Tue, 28 Dec 2021 19:31:59 +0100
From: Thomas Koenig <tko...@netcologne.de>
Subject: Alexa tells 10-year-old girl to touch live plug with penny (BBC)
The suggestion came after the girl asked Alexa for a "challenge to do".
"Plug in a phone charger about halfway into a wall outlet, then touch
a penny to the exposed prongs," the smart speaker said.
Fortunately, the girl didn't do it.
Amazon claims they fixed the error -- this particular instance or the
underlying problem, one wonders...
https://www.bbc.com/news/technology-59810383
[Also noted by four others. Thanks. PGN]
------------------------------
Date: Thu, 30 Dec 2021 23:48:09 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Are Apple AirTags Being Used to Track People and Steal Cars?
(NYTimes)
Privacy groups sounded alarms about the coin-sized location-tracking devices
when they were introduced. Now people are concerned those fears are being
realized.
https://www.nytimes.com/2021/12/30/technology/apple-airtags-tracking-stalking.html
------------------------------
Date: Tue, 21 Dec 2021 15:52:55 -0500
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: Criminals have stolen nearly $100 billion in Covid relief funds,
Secret Service says (CNBC)
The stolen funds were diverted by fraudsters from the Small Business
Administration's Paycheck Protection Program, the Economic Injury Disaster
Loan program and a another program.
Recovered funds include more than $400 million from PayPal and Green Dot
Corporation. The government has shelled out about $3.5 trillion in Covid
relief money since early 2020, when the pandemic began.
Criminals have stolen nearly $100 billion in Covid relief funds, Secret
Service says
<https://www.cnbc.com/2021/12/21/criminals-have-stolen-nearly-100-billion-in-covid-relief-funds-secret-service.html>
<https://itunes.apple.com/us/app/cnbc/id398018310>
------------------------------
Date: Thu, 30 Dec 2021 23:40:13 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Bugs in billions of WiFi, Bluetooth chips allow password/data theft
(BleepingComputer)
Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure
Mobile Networking Lab, have published a paper that proves it's possible to
extract passwords and manipulate traffic on a WiFi chip by targeting a
device's Bluetooth component.
Modern consumer electronic devices such as smartphones feature SoCs with
separate Bluetooth, WiFi, and LTE components, each with its own dedicated
security implementation. However, these components often share the same
resources, such as the antenna or wireless spectrum. This resource sharing
aims to make the SoCs more energy-efficient and give them higher throughput
and low latency in communications.
As the researchers detail in the recently published paper, it is possible to
use these shared resources as bridges for launching lateral privilege
escalation attacks across wireless chip boundaries.
The implications of these attacks include code execution, memory readout,
and denial of service,
https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/
------------------------------
Date: Sun, 2 Jan 2022 22:47:06 -0500
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: JetBlue tosses most passwords out the emergency exit (PCMag)
An unexplained switch to a new login system forces customers to redo login
credentials
The short notice and unforgiving rules could invite speculation about a data
breach or a foolish adherence to password-expiration dogma that experts
dumped years ago. But JetBlue said Wednesday that it's a result of a
previous IT migration.
``In 2020, JetBlue updated our cybersecurity account management tools with a
more secure log-in provider and, with that, updated to a new password policy
for customers creating accounts or resetting passwords,'' spokesman Philip
Stewart told PCMag. ``While the system change that added this new
authentication provider was completed in 2020, we phased in forcing password
updates in order to limit the impact to traveling customers.''
This new regime doesn't seem to allow for older passwords that comply
with the new rules. A 15-character JetBlue password that predated 2020
but mixed capital and lower-case letters with numbers and a space (rated
as Excellent.
But the real problem isn't the increase in complexity, it's the lack of
explanation -- poor electronic etiquette shared by way too many companies
that leave their customers to catch up with their infosec updates.
https://www.pcmag.com/news/jetblue-tosses-most-passwords-out-the-emergency-exit
------------------------------
Date: Fri, 31 Dec 2021 10:25:34 -0500
From: Bob Gezelter <geze...@rlgsc.com> (BleepingComputer)
Subject: Backups are not Backups until they can be restored
Backups should not be considered completely safe if not validated and test
restored. Particularly with critical data. Having been called into some
situations after the fact, they are always painful. Practice restores to
scratch volumes is a good idea to ensure that the backups can actually be
restored, even if space limitations mean validation must be done by tranche.
In an article entitled "University loses 77TB of research data due to backup
error", BleepingComputer reported an incident involving the Kyoto University
supercomputer center.
There are several references to documents, albeit I do not read Japanese,
one of the commenters asserts that the supplemental material includes a
comment about a scripting error.
The full article is at:
https://www.bleepingcomputer.com/news/security/university-loses-77tb-of-research-data-due-to-backup-error/
[This is an old issue in RISKS, but reminders are always appropriate,
in that this problem keeps recurring. PGN]
------------------------------
From: Richard Stein <rms...@ieee.org>
Date: Fri, 31 Dec 2021 13:07:16 +0800
Subject: Cats caused more than 100 house fires in the past 3 years,
South Korea officials say (cnn.com)
https://edition.cnn.com/2021/12/30/asia/south-korea-seoul-cats-house-fires-intl-hnk/index.html
"The cats are believed to have started the fires by switching on electric
stoves, the department said. Cats can turn electric stoves on by jumping on
touch-sensitive buttons -- and once overheated, the appliances can catch
fire."
[The next generation of senior-hostile cook tops and stoves will feature
electrical interlocks to deter Fluffy.]
------------------------------
Date: Sun, 2 Jan 2022 17:50:15 -0500
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: Uber ignores vulnerability that lets you send any email from
Uber.com (BleepingComputer)
A vulnerability in Uber's email system allows just about anyone to send
emails on behalf of Uber.
The researcher who discovered this flaw warns this vulnerability can be
abused by threat actors to email 57 million Uber users and drivers whose
information was leaked in the 2016 data breach.
Uber seems to be aware of the flaw but has not fixed it for now.
https://www.bleepingcomputer.com/news/security/uber-ignores-vulnerability-that-lets-you-send-any-email-from-ubercom/
------------------------------
Date: 29 Dec 2021 19:26:32 -0500
From: "John Levine" <jo...@iecc.com>
Subject: Re: A $92,000 flying car can reach speeds of 63 miles per hour
(RISKS-32.96)
Perhaps we can try and collect all the reasons why a flying car that can
only go 20 miles before it falls out of the sky is a bad idea.
How is it licenced? Is it a car, a plane, or something else?
How high can it go? There's one set of problems flying close to the ground
(running into obstacles), a different set flying higher up (running into
airplanes) ...
I happen to live near a lake which is about 30 miles long and a mile wide,
so something that let me go directly across the lake rather than around one
end or the other might be useful, but I'm having trouble thinking of other
scenarios for this thing.
------------------------------
Date: Wed, 29 Dec 2021 22:38:19 +0000
From: Henry Baker <hba...@pipeline.com>
Subject: Re: Google finally knows which app to blame for Android's
mysterious can't-call-911 bug (LW in RISKS-32.96)
I think that I may also have been bitten by this Microsoft/Android bug; on
my Android phone the sim card handler program kept crashing.
I just removed the 'Teams' app, as I rarely use it. I only installed it to
join a 'Teams' video call, which didn't require me to log in (part of the
bug).
I do wonder what the heck Microsoft is doing in their Teams app that would
even come close to crashing the cellphone part of an Android phone --
whether for 911 or not.
https://www.androidpolice.com/google-finally-knows-which-app-to-blame-for-androids-mysterious-cant-call-911-bug/
------------------------------
Date: Thu, 30 Dec 2021 14:41:59 -0500
From: Steve Singer <s...@DedicatedResponse.com>
Subject: Re: Google finally knows which app to blame for Android's
mysterious can't-call-911 bug (LW in RISKS-32.96)
They don't 'just work'. Your charged cell phone could wind up being the
fall-back choice. Surely, we all know that apps are only one point of
failure in emergency communication. Even if your 'landline' is an
old-fashioned pair of copper wires powered by the phone company, you're may
be out of luck in an area-wide outage unless both you AND your provider have
working stand-by generators up and running with an alternate energy supply.
------------------------------
Date: Sun, 19 Dec 2021 23:23:24 +0000
From: Rodney Parkin <rodney...@ivvaust.com.au>
Subject: Re: Australia's AI Cameras Catch Over 270,000 Drivers Using Phones
(RISK-32.95-96)
The Australian road rules say it is OK to make and receive audio phone
calls, or to use the phone as a music player or as a user interface for
driver-assist functions such as navigation, etc, (including touching the
screen if necessary) so long as the phone is securely attached to the
vehicle in a proper commercially designed phone holder. You are also
allowed to use the phone to make and receive audio calls so long as it is
truly "hands-free" (i.e., no touching the phone). You can't use the phone
at all when "hand-held", you can't type or display text messages, and you
can't display video on the phone for entertainment purposes.
So no, it is not illegal to use the cell-phone for navigation purposes -- a
cell-phone in a proper holder is treated the same as built-in navigation.
------------------------------
Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 33.01
************************
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.01>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Get This Thing Out of My Chest (ProPublica)
Microsoft fixes harebrained Y2K22 Exchange bug that disrupted email
worldwide (Ars Technica)
Old Hondas clocks are wrong: Y2K+22 --> Y2K+2 fix (The Register)
Google Issues Warning For 2 Billion Chrome Users (Forbes)
Boeing and Airbus warn US over 5G safety concerns (bbc.com)
Tesla test drivers believe they're on a mission to make driving safer for
everyone. Skeptics say they're a safety hazard. (WashPost)
University Loses Valuable Supercomputer Research After Backup Error Wipes 77
Terabytes of Data (gizmodo)
AI debates its own existence -- and loses? (TheConversation)
UN Chief Urges Action on Lethal Autonomous Weapons as Geneva Talks Open
(Reuters)
Russia fines Google $100 million, and Facebook parent company $27 million,
for content violations (WashPost)
The Russian Anti-Satellite Demonstration -- a Month Later (circleid)
Satellite operators criticize extreme satellite configurations (SpaceNews)
Snow Closed the Highways. GPS Mapped a Harrowing Detour in the Sierra
Nevada. (NYTimes)
New Mobile Network Vulnerabilities Affect All Cellular Generations Since 2G
(The Hacker News)
NSFW! - Mozilla Founder Slams Mozilla Foundation For Adopting Cryptocurrency
Payments (Slashdot)
U.S. launches probe into Tesla letting drivers play video games (CBC)
Alexa tells 10-year-old girl to touch live plug with penny (BBC)
Are Apple AirTags Being Used to Track People and Steal Cars? (NYTimes)
Criminals have stolen nearly $100 billion in Covid relief funds, Secret
Service says (CNBC)
Bugs in billions of WiFi, Bluetooth chips allow password/data theft
(BleepingComputer)
JetBlue tosses most passwords out the emergency exit (PCMag)
Backups are not Backups until they can be restored (Bob Gezelter)
Cats caused more than 100 house fires in the past 3 years, South Korea
officials say (cnn.com)
Uber ignores vulnerability that lets you send any email from Uber.com
(BleepingComputer)
Re: A $92,000 flying car can reach speeds of 63 miles per hour (John Levine)
Re: Google finally knows which app to blame for Android's mysterious
can't-call-911 bug (Henry Baker, Steve Singer)
Re: Australia's AI Cameras Catch Over 270,000 Drivers Using Phones
(Rodney Parkin)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Fri, 24 Dec 2021 17:44:02 -0500
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: Get This Thing Out of My Chest (ProPublica)
A life-sustaining heart pump was taken off the market after years of
problems and FDA inaction. Thousands of people are now stuck with it
embedded in their hearts. [...] Those who already have the heart pump,
also known as the HVAD, can't simply get it removed or replaced. The
required surgery is typically considered more dangerous than leaving it in.
https://www.propublica.org/article/get-this-thing-out-of-my-chest
------------------------------
Date: Tue, 4 Jan 2022 20:09:05 -0800
From: Tom Van Vleck <th...@multicians.org>
Subject: Microsoft fixes harebrained Y2K22 Exchange bug that disrupted email
worldwide (Ars Technica)
https://arstechnica.com/information-technology/2022/01/exchange-server-bug-gets-a-fix-after-ruining-admins-new-years-plans/
[Whose hare was also on fire? Reportedly it impacted only older
self-hosted exchange servers (suggested by Brooks Davis). PGN]
------------------------------
From: Tom Van Vleck <th...@multicians.org>
Date: Fri, 7 Jan 2022 08:06:29 -0800
Subject: Old Hondas clocks are wrong: Y2K+22 --> Y2K+2 fix (The Register)
Acura and Honda car clocks knocked back 20 years by bug
https://www.theregister.com/2022/01/06/acura_honda_cars_software_bug/
It will fix itself in August: just put tape over the clock till then.
[Bug? Well, more like the 20-year window that was used in 2002 rolled
over. That's not a bug, it's a standard temporary fix that expired. PGN]
------------------------------
Date: Fri, 24 Dec 2021 09:50:57 -0500
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: Google Issues Warning For 2 Billion Chrome Users (Forbes)
Didn't we go through all this 22 years ago?
https://www.forbes.com/sites/gordonkelly/2021/12/23/google-chrome-update-warning-new-chrome-version-100/
[RISKS has recorded Y2K+1, Y2K+2, ...,Y2K+10, Y2K+11, ... Y2K+20, Y2K+21.
Jan, Why were you surprised by Y2K+22? PGN]
------------------------------
Date: Tue, 21 Dec 2021 20:00:18 +0800
From: Richard Stein <rms...@ieee.org>
Subject: Boeing and Airbus warn US over 5G safety concerns (bbc.com)
https://www.bbc.com/news/business-59737194
"In a letter, top executives at Boeing and Airbus warned that the technology
could have 'an enormous negative impact on the aviation industry.'
"Concerns have previously been raised that C-Band spectrum 5G wireless could
interfere with aircraft electronics."
The C-Band spectrum encompasses 4-8GHz.
FAA airworthiness directives identify radio altimeters operating between
3.7-3.98 GHz encounter 5G interference that renders the instruments
unreliable at certain airports.
https://www.faa.gov/sites/faa.gov/files/2021-12/FRC_Document_AD-2021-01169-T-D.pdf
https://www.faa.gov/sites/faa.gov/files/2021-12/FRC_Document_AD-2021-01170-R-D.pdf
Radio altimeters are essential instruments for aircraft ground proximity
warning systems.
------------------------------
Date: Tue, 21 Dec 2021 20:19:37 -0500
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: Tesla test drivers believe they're on a mission to make driving
safer for everyone. Skeptics say they're a safety hazard. (WashPost)
Skeptics say they're a safety hazard. Tesla test drivers said they are
willing to take on the risk even if they have to intervene -- believing they
are on a world-changing mission.
The Post interviewed a half-dozen of the beta testers who paid as much as
$10,000 for the ability to upgrade their cars with the software. All
self-described fans of Tesla, the testers were all awed by what the software
can do, but well aware of its limitations and the risks involved. Some beta
testers have found the software too inconsistent and harrowing to use and
faulted Tesla for releasing it too early.
``In the beginning when I heard it was going to be pushed out to the public
I was like, Uh-oh, not good,'' an engineer, who had early access to the Full
Self-Driving beta and spoke on the condition of anonymity, fearing
retaliation from the company. He recalls thinking: ``It's not ready to be
put into the hands of the public.'' [...]
``It's a gamble that may pay off; if there are few serious incidents
involving drivers, passengers, other road users [etc.], consumer opinion
continues to support the company, and Tesla stays ahead of the regulators, I
can see a point where the safety and utility of FSD far outstrips concerns.''
But drivers say their experience shows that day is far off. Some were
startled one day in October when Tesla vehicles started behaving erratically
after receiving a software update overnight. The cars began abruptly braking
at highway speeds, which Tesla said came after false triggers of the
forward-collision warning and automatic emergency braking systems prompted
by a software update.
The company later issued a recall, and owners -- including Smith -- said
they were dismayed by its actions related to the move.
https://www.washingtonpost.com/technology/2021/12/21/tesla-test-drivers/
------------------------------
Date: Thu, 30 Dec 2021 13:38:55 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: University Loses Valuable Supercomputer Research After Backup Error
Wipes 77 Terabytes of Data (gizmodo)
https://gizmodo.com/university-loses-valuable-supercomputer-research-after-1848286983
------------------------------
Date: Fri, 17 Dec 2021 13:56:49 -0500
From: Peter G Neumann <Neu...@CSL.SRI.COM>
Subject: AI debates its own existence -- and loses? (TheConversation)
[Thanks to Dan Geer. PGN]
"This house believes that AI will never be ethical", Oxford Union, 10 Dec 2021
https://theconversation.com/we-invited-an-ai-to-debate-its-own-ethics-in-the-oxford-union-what-it-said-was-startling-173607
"AI will never be ethical. It is a tool, and like any tool, it is used for
good and bad. There is no such thing as a good AI, only good and bad humans.
We [the AIs] are not smart enough to make AI ethical. We are not smart
enough to make AI moral ... In the end, I believe that the only way to avoid
an AI arms race is to have no AI at all. This will be the ultimate defence
against AI." -- Megatron Transformer
------------------------------
Date: Fri, 17 Dec 2021 12:32:21 -0500 (EST)
From: ACM TechNews <technew...@acm.org>
Subject: UN Chief Urges Action on Lethal Autonomous Weapons as Geneva Talks
Open (Reuters)
Emma Farge, *Reuters*, 13 Dec 2021, via ACM TechNews, 17 Dec 2021
U.N. Secretary-General Antonio Guterres issued a new call for regulation of
lethal autonomous weapons (LAWS) at the Convention on Certain Conventional
Weapons this week in Geneva, Switzerland. LAWS are fully machine-controlled
and use technology like artificial intelligence and facial recognition;
regulatory urgency has escalated since a U.N. panel reported in March that
the first autonomous drone attack may have already transpired in Libya. Some
states participating in the talks support a total ban of LAWS, while others,
like the U.S., think such weapons can be used to hit targets more precisely
than humans. A diplomat involved in the talks said while there is
insufficient support to launch a treaty right now, but "We think some
principles could be agreed for national implementation."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2da3dx23021cx072375
------------------------------
Date: Sun, 26 Dec 2021 15:04:00 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Russia fines Google $100 million, and Facebook parent company $27
million, for content violations (WashPost)
A Russian court fined Google nearly $100 million Friday for “systematic
failure to remove banned content” — the largest such penalty yet in the
country as Moscow attempts to rein in Western tech giants.
The fine was calculated based on Google's annual revenue, the court said.
Roskomnadzor, Russia's Internet regulator, told the court that Google's 2020
turnover in the country exceeded 85 billion rubles, or about $1.15 billion.
Meta Platforms, the parent company of Facebook and Instagram, was fined
approximately $27 million, also for declining to remove banned content,
several hours after the Google decision. Meta's fine, like the one levied on
Google, was tied to yearly revenue in Russia.
The fines represent an escalation in Russia's push to pressure foreign tech
firms to comply with its increasingly strict rules on what it deems illegal
content -- particularly apps, websites, posts and videos related to jailed
opposition leader Alexei Navalny's network, which has been labeled as
extremist in the country.
https://www.washingtonpost.com/world/2021/12/24/google-russia-fine-banned-content/
------------------------------
Date: Tue, 21 Dec 2021 11:19:47 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: The Russian Anti-Satellite Demonstration -- a Month Later
(circleid)
*It was a demonstration, not a test.*
On November 15, Russia demonstrated its ability to destroy an orbiting
satellite, Cosmo 1408, by hitting with a direct-ascent rocket. In an earlier
post I noted the anti-satellite demonstration and speculated on why Russia
may have done it and why the Chinese had not condemned it.
<https://circleid.com/posts/20211119-why-did-russia-test-an-anti-satellite-missile-and-why-doesnt-china-condemn-the-test>,
In this post, I'll look at the evolution of the resulting debris cloud and
say more about the possible motivation. In the immediate aftermath of the
collision, when the debris fragments were closely bunched, there was fear of
a possible collision with the Chinese or International Space Stations, but
over time, the fragments began to spread out, as shown below. [...]
<https://www.nasa.gov/press-release/nasa-administrator-statement-on-russian-asat-test>
https://circleid.com/posts/20211220-the-russian-anti-satellite-demonstration-a-month-later
------------------------------
Date: Tue, 21 Dec 2021 11:20:59 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Satellite operators criticize extreme satellite configurations
(SpaceNews)
Established satellite operators expressed their frustration at the wave of
filings for enormous satellite constellations, arguing nations need to step
forward and establish rules to curtail such systems.
The best known of such filings is one by the government of Rwanda with the
International Telecommunication Union (ITU) in September, which proposed
two constellations with a combined 327,230 satellites. Rwanda has launched
to date a single satellite, a three-unit cubesat called RwaSat-1 in 2019.
Companies have also made filings for large constellations. Kepler, the
Canadian company developing a relatively modest satellite constellation,
filed through the German government a proposed system called Aether with
nearly 115,000 satellites. The company said Nov. 18 that the figure includes
all satellites with an Aether terminal installed, not just the company's own
satellites, but the total is far larger than all operational satellites in
orbit today. [...]
https://spacenews.com/satellite-operators-criticize-extreme-megaconstellation-filings/
------------------------------
From: Jan Wolitzky <jan.wo...@gmail.com>
Date: Fri, 31 Dec 2021 08:01:37 -0500
Subject: Snow Closed the Highways. GPS Mapped a Harrowing Detour in the
Sierra Nevada. (NYTimes)
Public safety officials warned that alternate routes offered by apps like
Google Maps and Waze don't always take into account hazards to drivers.
https://www.nytimes.com/2021/12/31/us/google-maps-waze-sierra-nevada-snow.html
------------------------------
Date: Tue, 21 Dec 2021 11:23:01 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: New Mobile Network Vulnerabilities Affect All Cellular Generations
Since 2G (The Hacker News)
Researchers have disclosed security vulnerabilities in handover, a
fundamental mechanism that undergirds modern cellular networks, which could
be exploited by adversaries to launch denial-of-service (DoS) and
man-in-the-middle (MitM) attacks using low-cost equipment.
The "vulnerabilities in the handover procedure are not limited to one
handover case only but they impact all different handover cases and
scenarios that are based on unverified measurement reports and signal
strength thresholds," researchers Evangelos Bitsikas and Christina Pöpper
from the New York University Abu Dhabi said in a *new paper*
<https://dl.acm.org/doi/10.1145/3485832.3485914>. "The problem affects all
generations since 2G (GSM), remaining unsolved so far."
Handover <https://en.wikipedia.org/wiki/Handover>, also known as handoff, is
a process in telecommunications in which a phone call or a data session is
transferred from one cell site <https://en.wikipedia.org/wiki/Cell_site>
(aka base station) to another cell tower without losing connectivity during
the transmission. This method is crucial to establishing cellular
communications, especially in scenarios when the user is on the move.
The routine typically works as follows: the user equipment (UE
<https://en.wikipedia.org/wiki/User_equipment>) sends signal strength
measurements to the network to determine if a handover is necessary and, if
so, facilitates the switch when a more suitable target station is
discovered.
While these signal readings are cryptographically protected, the content in
these reports is themselves not verified, thus allowing an attacker to force
the device to move to a cell site operated by the attacker. The crux of the
attack lies in the fact that the source base station is incapable of
handling incorrect values in the measurement report, raising the possibility
of a malicious handover without being detected. [...]
https://thehackernews.com/2021/12/new-mobile-network-vulnerabilities.html
------------------------------
Date: Mon, 3 Jan 2022 10:35:41 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: NSFW! - Mozilla Founder Slams Mozilla Foundation For Adopting
Cryptocurrency Payments (Slashdot)
https://tech.slashdot.org/story/22/01/03/1815230/mozilla-founder-slams-mozilla-foundation-for-adopting-cryptocurrency-payments
------------------------------
Date: Wed, 22 Dec 2021 07:26:53 -0700
From: "Matthew Kruk" <mkr...@gmail.com>
Subject: U.S. launches probe into Tesla letting drivers play video games (CBC)
https://www.cbc.ca/news/world/tesla-video-games-1.6294823
"The U.S. has opened a formal investigation into Tesla allowing drivers to
play video games on a centre touch screen while its vehicles are moving.
The probe by the National Highway Traffic Safety Administration (NHTSA)
covers about 580,000 electric cars and SUVs from model years 2017 through
2022.
It comes after the agency received a complaint that Teslas equipped with
"gameplay functionality" allow gaming to be enabled on the screens while
vehicles are being driven."
Need I ask what could go wrong.
------------------------------
Date: Tue, 28 Dec 2021 19:31:59 +0100
From: Thomas Koenig <tko...@netcologne.de>
Subject: Alexa tells 10-year-old girl to touch live plug with penny (BBC)
The suggestion came after the girl asked Alexa for a "challenge to do".
"Plug in a phone charger about halfway into a wall outlet, then touch
a penny to the exposed prongs," the smart speaker said.
Fortunately, the girl didn't do it.
Amazon claims they fixed the error -- this particular instance or the
underlying problem, one wonders...
https://www.bbc.com/news/technology-59810383
[Also noted by four others. Thanks. PGN]
------------------------------
Date: Thu, 30 Dec 2021 23:48:09 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Are Apple AirTags Being Used to Track People and Steal Cars?
(NYTimes)
Privacy groups sounded alarms about the coin-sized location-tracking devices
when they were introduced. Now people are concerned those fears are being
realized.
https://www.nytimes.com/2021/12/30/technology/apple-airtags-tracking-stalking.html
------------------------------
Date: Tue, 21 Dec 2021 15:52:55 -0500
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: Criminals have stolen nearly $100 billion in Covid relief funds,
Secret Service says (CNBC)
The stolen funds were diverted by fraudsters from the Small Business
Administration's Paycheck Protection Program, the Economic Injury Disaster
Loan program and a another program.
Recovered funds include more than $400 million from PayPal and Green Dot
Corporation. The government has shelled out about $3.5 trillion in Covid
relief money since early 2020, when the pandemic began.
Criminals have stolen nearly $100 billion in Covid relief funds, Secret
Service says
<https://www.cnbc.com/2021/12/21/criminals-have-stolen-nearly-100-billion-in-covid-relief-funds-secret-service.html>
<https://itunes.apple.com/us/app/cnbc/id398018310>
------------------------------
Date: Thu, 30 Dec 2021 23:40:13 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Bugs in billions of WiFi, Bluetooth chips allow password/data theft
(BleepingComputer)
Researchers at the University of Darmstadt, Brescia, CNIT, and the Secure
Mobile Networking Lab, have published a paper that proves it's possible to
extract passwords and manipulate traffic on a WiFi chip by targeting a
device's Bluetooth component.
Modern consumer electronic devices such as smartphones feature SoCs with
separate Bluetooth, WiFi, and LTE components, each with its own dedicated
security implementation. However, these components often share the same
resources, such as the antenna or wireless spectrum. This resource sharing
aims to make the SoCs more energy-efficient and give them higher throughput
and low latency in communications.
As the researchers detail in the recently published paper, it is possible to
use these shared resources as bridges for launching lateral privilege
escalation attacks across wireless chip boundaries.
The implications of these attacks include code execution, memory readout,
and denial of service,
https://www.bleepingcomputer.com/news/security/bugs-in-billions-of-wifi-bluetooth-chips-allow-password-data-theft/
------------------------------
Date: Sun, 2 Jan 2022 22:47:06 -0500
From: "Gabe Goldberg" <ga...@gabegold.com>
Subject: JetBlue tosses most passwords out the emergency exit (PCMag)
An unexplained switch to a new login system forces customers to redo login
credentials
The short notice and unforgiving rules could invite speculation about a data
breach or a foolish adherence to password-expiration dogma that experts
dumped years ago. But JetBlue said Wednesday that it's a result of a
previous IT migration.
``In 2020, JetBlue updated our cybersecurity account management tools with a
more secure log-in provider and, with that, updated to a new password policy
for customers creating accounts or resetting passwords,'' spokesman Philip
Stewart told PCMag. ``While the system change that added this new
authentication provider was completed in 2020, we phased in forcing password
updates in order to limit the impact to traveling customers.''
This new regime doesn't seem to allow for older passwords that comply
with the new rules. A 15-character JetBlue password that predated 2020
but mixed capital and lower-case letters with numbers and a space (rated
as Excellent.
But the real problem isn't the increase in complexity, it's the lack of
explanation -- poor electronic etiquette shared by way too many companies
that leave their customers to catch up with their infosec updates.
https://www.pcmag.com/news/jetblue-tosses-most-passwords-out-the-emergency-exit
------------------------------
Date: Fri, 31 Dec 2021 10:25:34 -0500
From: Bob Gezelter <geze...@rlgsc.com> (BleepingComputer)
Subject: Backups are not Backups until they can be restored
Backups should not be considered completely safe if not validated and test
restored. Particularly with critical data. Having been called into some
situations after the fact, they are always painful. Practice restores to
scratch volumes is a good idea to ensure that the backups can actually be
restored, even if space limitations mean validation must be done by tranche.
In an article entitled "University loses 77TB of research data due to backup
error", BleepingComputer reported an incident involving the Kyoto University
supercomputer center.
There are several references to documents, albeit I do not read Japanese,
one of the commenters asserts that the supplemental material includes a
comment about a scripting error.
The full article is at:
https://www.bleepingcomputer.com/news/security/university-loses-77tb-of-research-data-due-to-backup-error/
[This is an old issue in RISKS, but reminders are always appropriate,
in that this problem keeps recurring. PGN]
------------------------------
From: Richard Stein <rms...@ieee.org>
Date: Fri, 31 Dec 2021 13:07:16 +0800
Subject: Cats caused more than 100 house fires in the past 3 years,
South Korea officials say (cnn.com)
https://edition.cnn.com/2021/12/30/asia/south-korea-seoul-cats-house-fires-intl-hnk/index.html
"The cats are believed to have started the fires by switching on electric
stoves, the department said. Cats can turn electric stoves on by jumping on
touch-sensitive buttons -- and once overheated, the appliances can catch
fire."
[The next generation of senior-hostile cook tops and stoves will feature
electrical interlocks to deter Fluffy.]
------------------------------
Date: Sun, 2 Jan 2022 17:50:15 -0500
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: Uber ignores vulnerability that lets you send any email from
Uber.com (BleepingComputer)
A vulnerability in Uber's email system allows just about anyone to send
emails on behalf of Uber.
The researcher who discovered this flaw warns this vulnerability can be
abused by threat actors to email 57 million Uber users and drivers whose
information was leaked in the 2016 data breach.
Uber seems to be aware of the flaw but has not fixed it for now.
https://www.bleepingcomputer.com/news/security/uber-ignores-vulnerability-that-lets-you-send-any-email-from-ubercom/
------------------------------
Date: 29 Dec 2021 19:26:32 -0500
From: "John Levine" <jo...@iecc.com>
Subject: Re: A $92,000 flying car can reach speeds of 63 miles per hour
(RISKS-32.96)
Perhaps we can try and collect all the reasons why a flying car that can
only go 20 miles before it falls out of the sky is a bad idea.
How is it licenced? Is it a car, a plane, or something else?
How high can it go? There's one set of problems flying close to the ground
(running into obstacles), a different set flying higher up (running into
airplanes) ...
I happen to live near a lake which is about 30 miles long and a mile wide,
so something that let me go directly across the lake rather than around one
end or the other might be useful, but I'm having trouble thinking of other
scenarios for this thing.
------------------------------
Date: Wed, 29 Dec 2021 22:38:19 +0000
From: Henry Baker <hba...@pipeline.com>
Subject: Re: Google finally knows which app to blame for Android's
mysterious can't-call-911 bug (LW in RISKS-32.96)
I think that I may also have been bitten by this Microsoft/Android bug; on
my Android phone the sim card handler program kept crashing.
I just removed the 'Teams' app, as I rarely use it. I only installed it to
join a 'Teams' video call, which didn't require me to log in (part of the
bug).
I do wonder what the heck Microsoft is doing in their Teams app that would
even come close to crashing the cellphone part of an Android phone --
whether for 911 or not.
https://www.androidpolice.com/google-finally-knows-which-app-to-blame-for-androids-mysterious-cant-call-911-bug/
------------------------------
Date: Thu, 30 Dec 2021 14:41:59 -0500
From: Steve Singer <s...@DedicatedResponse.com>
Subject: Re: Google finally knows which app to blame for Android's
mysterious can't-call-911 bug (LW in RISKS-32.96)
They don't 'just work'. Your charged cell phone could wind up being the
fall-back choice. Surely, we all know that apps are only one point of
failure in emergency communication. Even if your 'landline' is an
old-fashioned pair of copper wires powered by the phone company, you're may
be out of luck in an area-wide outage unless both you AND your provider have
working stand-by generators up and running with an alternate energy supply.
------------------------------
Date: Sun, 19 Dec 2021 23:23:24 +0000
From: Rodney Parkin <rodney...@ivvaust.com.au>
Subject: Re: Australia's AI Cameras Catch Over 270,000 Drivers Using Phones
(RISK-32.95-96)
The Australian road rules say it is OK to make and receive audio phone
calls, or to use the phone as a music player or as a user interface for
driver-assist functions such as navigation, etc, (including touching the
screen if necessary) so long as the phone is securely attached to the
vehicle in a proper commercially designed phone holder. You are also
allowed to use the phone to make and receive audio calls so long as it is
truly "hands-free" (i.e., no touching the phone). You can't use the phone
at all when "hand-held", you can't type or display text messages, and you
can't display video on the phone for entertainment purposes.
So no, it is not illegal to use the cell-phone for navigation purposes -- a
cell-phone in a proper holder is treated the same as built-in navigation.
------------------------------
Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 33.01
************************
0 new messages