Risks Digest 33.33

RISKS List Owner

19 Jul 2022, 23:24:58
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Tuesday 19 July 2022 Volume 33 : Issue 33

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.33>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
The Big Hack: How China Used a Tiny Chip to Infiltrate U.S. Companies
(Bloomberg)
Driver says GPS made him turn onto train tracks in Everett; at least he was
able to escape before train destroyed his car (UniversalHub)
DeepMind AI Learns Simple Physics Like a Baby (Davide Castelvecchi)
As AI Language Skills Grow, So Do Scientists' Concerns (Matt O'Brien)
Researchers Defeat Facial Recognition Systems with Universal Face Mask
(Zeljka Zorz)
Pentagon UFO study led by researcher who believes in the supernatural
(Science)
Criminal Justice Algorithm Predicts Risk of Biased Sentencing
(Jule Pattison-Gordon)
The Long, Strange Relationship Between Psychedelics and Telepathy (Vice)
How your brainwaves could be used in criminal trials (techxplore.com)
New 'Retbleed' Speculative Execution Attack Affects AMD, Intel CPUs
(Ravie Lakshmanan)
New UEFI Firmware Vulnerabilities Impact Several Lenovo Notebook Models
(The Hacker News)
Choosing a non-Windows OS on Lenovo Secured-core PCs is trickier than it
should be (The Register)
How the FBI Wiretapped the World (Vice)
Democracy dies behind a paywall (Poynter)
User Generated Content (Lauren Weinstein)
Cryptomining Capacity in U.S. Rivals Energy Use of Houston (Hiroko Tabuchi)
How the fall of Celsius dragged down crypto investors (CNBC)
Tech experts send letter to Congress urging them to resist crypto industry
lobbying (Twitter)
GM rebate on new Cadillac Lyriq if drivers sign NDA, agree to tracking
(USA Today)
Uber leveraged violent attacks against its drivers to pressure
politicians (WashPost)
About the Uber Files investigation (WashPost)
Hit the kill switch: Uber used covert tech to thwart government raids
(WashPost)
GOOD! - Google bans deepfake-generating AI from Colab (TechCrunch)
Google Voice problems (Lauren Weinstein)
Full text of Google's proposal for political email to bypass Gmail spam
filters -- and an interesting sentence
MIT scientists think they've discovered how to fully reverse climate change
(BGR)
Meet the Lobbyist Next Door (WiReD)
Facebook encrypting links to avoid URL-stripping (Henry Baker)
Facebook, privacy and abortion (Reveal News)
Nobody likes self-checkout. Here's why it's everywhere (The Atlantic)
Major American Companies to Schools: Expand Access to Computer Science
(Alyson Klein)
FedEx bot apologizes for 'pending delivery' of missing human remains
(WashPost)
Re: Canadian network outage misunderstatement OTD (David W. Hodgins)
ISODARCO 2023 (Diego.Latella)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 18 Jul 2022 19:38:53 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: The Big Hack: How China Used a Tiny Chip to Infiltrate
U.S. Companies (Bloomberg)

The attack by Chinese spies reached almost 30 U.S. companies, including
Amazon and Apple, by compromising America's technology supply chain,
according to extensive interviews with government and corporate sources.

https://www.bloomberg.com/news/features/2018-10-04/the-big-hack-how-china-used-a-tiny-chip-to-infiltrate-america-s-top-companies

------------------------------

Date: Mon, 18 Jul 2022 15:31:08 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Driver says GPS made him turn onto train tracks in Everett; at
least he was able to escape before train destroyed his car
(UniversalHub)

https://www.universalhub.com/2022/driver-says-gps-made-him-turn-train-tracks-everett

------------------------------

Date: Wed, 13 Jul 2022 11:59:21 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: DeepMind AI Learns Simple Physics Like a Baby (Davide Castelvecchi)

Davide Castelvecchi, *Nature*, 11 Jul 2022,
via ACM TechNews; 13 Jul 2022

Computer scientists at the DeepMind artificial intelligence (AI) research
laboratory trained a software model to learn simple physical rules about
object behavior. The researchers trained the Physics Learning through
Auto-encoding and Tracking Objects (PLATO) neural network model using
animated videos and images of objects like cubes and balls, in order for it
to generate an internal representation of the physical properties of each
object. The model learned patterns such as continuity, solidity, and
persistence of shape. DeepMind's Luis Piloto said the software makes
predictions at every step in the video, and its accuracy increases as the
video progresses. Piloto suggested PLATO could be a first step toward AI
that can test theories about how human infants learn.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ee75x234badx070806&

[Interesting metaphor. How long does it take a baby to understand quantum
theory and space physics? Through elementary and secondary schools,
universities, and specialized grad schools? Would you want that baby to
grow into building your airplanes without the benefits of a real in-person
education, or even designing your space ship so that you might some day
want to escape from this planet? PGN]

------------------------------

Date: Mon, 18 Jul 2022 12:25:28 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: As AI Language Skills Grow, So Do Scientists' Concerns
(Matt O'Brien)

Matt O'Brien, Associated Press, 17 Jul 2022
via ACM TechNews; Monday, July 18, 2022

Scientists are worried about the use of large language models in chatbots
and other technologies, not least because their creators conceal their inner
workings and the flaws that can cause such systems to spread misinformation.
Stanford University's Percy Liang said companies face competitive pressure
not to expose large language models' underpinning technology, or to partner
on community standards. A group of scientists worked with France's
government to launch the BigScience Large Open-science Open-access
Multilingual Language Model (BLOOM) large language model, which was developed
to counter closed models like Microsoft's GPT-3. BLOOM functions across 46
languages, while most systems concentrate on English or Chinese.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2eeb3x234c60x070732&

------------------------------

Date: Wed, 13 Jul 2022 11:59:21 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Researchers Defeat Facial Recognition Systems with Universal Face
Mask (Zeljka Zorz)

Zeljka Zorz, *Help Net Security*, 12 Jul 2022,
via ACM TechNews; 13 Jul 2022

Researchers at Israel's Ben-Gurion University of the Negev (BGU) and Tel
Aviv University found that facial recognition (FR) systems may be thwarted
by fabric face masks boasting adversarial patterns. The researchers employed
a gradient-based optimization process to generate a universal perturbation
and mask to falsely classify each wearer as an unknown identity. BGU's Alon
Zolfi said, "The perturbation depends on the FR model it was used to attack,
which means different patterns will be crafted depending on the different
victim models." Zolfi suggested FR models could see through masked face
images by training them on images containing adversarial patterns, by
teaching them to make predictions based only on the upper area of the face,
or by training them to generate lower facial areas based on upper facial
areas.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ee75x234bacx070806&

------------------------------

Date: Mon, 18 Jul 2022 20:09:01 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Pentagon UFO study led by researcher who believes in the
supernatural (AAAS Science)

Critics dumbfounded by reality TV star Travis Taylor's position as "chief
scientist"

https://www.science.org/content/article/pentagon-ufo-study-led-researcher-who-believes-supernatural

------------------------------

Date: Wed, 13 Jul 2022 11:59:21 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Criminal Justice Algorithm Predicts Risk of Biased Sentencing
(Jule Pattison-Gordon)

Jule Pattison-Gordon, *Government Technology*, 12 Jul 2022,
via ACM TechNews; 13 Jul 2022

Members of the American Civil Liberties Union, Carnegie Mellon University,
the Idaho Justice Project, and the University of Pennsylvania developed a
criminal justice algorithm to predict the probability of defendants
receiving biased sentences in court. The algorithm factors in seemingly
immaterial variables like the judge's and defendant's gender and race, along
with case details like mandatory minimum sentencing requirements and the
nature of the offense, to forecast how likely the judge is to issue an
unusually long sentence (longer than those issued in 90% of the other cases
with "identical legally relevant factors"). The team of developers suggest
the algorithm could help potentially wronged defendants argue for reducing
disproportionately harsh sentences.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ee75x234ba4x070806&

------------------------------

Date: Mon, 18 Jul 2022 11:38:27 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: The Long, Strange Relationship Between Psychedelics and Telepathy
(Vice)

*It's impossible to tell the story of psychedelics without telepathy. How
will these experiences fit into psychedelics' mainstream, medical future?*

In February of 1971, approximately 2,000 attendees at six Grateful Dead
concerts at the Capitol Theater in Port Chester, New York saw this message
projected onto a large screen at 11:30 PM: ``YOU ARE ABOUT TO PARTICIPATE IN
AN ESP EXPERIMENT.''

It was a test to see if people could use extra-sensory perception, or ESP,
to telepathically transmit randomly chosen images to two psychic-sensitive
people, Malcolm Bessent and Felicia Parise, who were sleeping 45 miles
away. Bessent was at the Maimonides Dream Laboratory in Brooklyn, while
Parise slept in her apartment.

Art prints, selected at random, were projected at the Dead show, like The
Castle of the Pyrenees and Philosophy in the Boudoir by René Magritte,
or a visual representation of spinal chakras. Bessent and Parise described
their dreams to two evaluators, an art therapy student and a divinity
student, who then judged them based on their similarities to the images
shown at the concert.

The Grateful Dead were chosen because the members of the band agreed to
facilitate such an experiment, but also because those who conducted the
study had determined that the audience would be especially primed for
telepathic abilities, in part because of the state of mind they assumed the
audience would be in. [...]

https://www.vice.com/en/article/z34xa5/the-long-strange-relationship-between-psychedelics-and-telepathy

------------------------------

Date: Sun, 10 Jul 2022 01:30:28 +0000
From: Richard Marlon Stein <rms...@protonmail.com>
Subject: How your brainwaves could be used in criminal trials
(techxplore.com)

https://techxplore.com/news/2022-07-brainwaves-criminal-trials.html

"Law enforcement agencies worldwide struggle with the unreliability of
eyewitness identification and scarcity of physical clues at crime
scenes. There is a wealth of evidence showing that mistaken eyewitness
identification is a contributing factor in wrongful convictions. Police only
collect physical evidence in approximately 15% or less of crime scenes. This
makes non-physical evidence like eyewitness testimony extremely important."

Extrapolating criminal identification via eyewitness brainwave analysis
shown either a perpetrator lineup or a mugshot equivalences the false
negative/positive outcome determination of AI-trained image recognition.
Reasonable doubt without batting an eyelash.

------------------------------

Date: Fri, 15 Jul 2022 19:50:29 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: New 'Retbleed' Speculative Execution Attack Affects AMD and Intel
CPUs (Ravie Lakshmanan, The Hacker News)

Security researchers have uncovered yet another vulnerability affecting
numerous older AMD and Intel microprocessors that could bypass current
defenses and result in Spectre-based speculative-execution attacks.

Dubbed Retbleed <https://comsec.ethz.ch/research/microarch/retbleed/> by ETH
Zurich researchers Johannes Wikner and Kaveh Razavi, the issue is tracked as
CVE-2022-29900 (AMD) and CVE-2022-29901 (Intel), with the chipmakers
releasing software mitigations as part of a coordinated disclosure process.
<https://www.amd.com/en/corporate/product-security/bulletin/amd-sb-1037>
<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00707.html>
<https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00702.html>

Retbleed is also the latest addition to a class of Spectre attacks
<https://thehackernews.com/2022/03/new-exploit-bypasses-existing-spectre.html>
known as Spectre-BTI (CVE-2017-5715 or Spectre-V2), which exploit the side
effects of an optimization technique called speculative execution
<https://en.wikipedia.org/wiki/Speculative_execution> by means of a timing
side channel to trick a program into accessing arbitrary locations in its
memory space and leak private information.

Speculative execution attempts to fill the instruction pipeline of a
program by predicting which instruction will be executed next in order to
gain a performance boost, while also undoing the results of the execution
should the guess turn out to be wrong.

Attacks like Spectre take advantage of the fact that these erroneously
executed instructions -- a result of the misprediction -- are bound to leave
traces of the execution in the cache, resulting in a scenario where a rogue
program can trick the processor into executing incorrect code paths and
infer secret data pertaining to the victim. [...]

https://thehackernews.com/2022/07/new-retbleed-speculative-execution.html

------------------------------

Date: Sat, 16 Jul 2022 13:22:06 PDT
From: Peter G Neumann <neu...@csl.sri.com>
Subject: New UEFI Firmware Vulnerabilities Impact Several Lenovo Notebook
Models (The Hacker News)

Consumer electronics maker Lenovo on Tuesday rolled out fixes to contain
three security flaws in its UEFI firmware affecting over 70 product models.
<https://thehackernews.com/2022/07/microsoft-releases-fix-for-zero-day.html>

"The vulnerabilities can be exploited to achieve arbitrary code execution in
the early phases of the platform boot, possibly allowing the attackers to
hijack the OS execution flow and disable some important security features,"
Slovak cybersecurity firm ESET said in a series of tweets. [...]

https://twitter.com/ESETresearch/status/1547166334651334657
https://thehackernews.com/2022/07/new-uefi-firmware-vulnerabilities.html

------------------------------

Date: Tue, 12 Jul 2022 08:43:43 +0300
From: Henry Crun <mi...@rechtman.com>
Subject: Choosing a non-Windows OS on Lenovo Secured-core PCs is trickier
than it should be (The Register)

https://www.theregister.com/2022/07/11/lenovo_secured_core/?td=rt-3a

Lenovo's support documentation explains it thus: "Linux distributions use a
Microsoft signed 'shim' executable that is then able to verify the
subsequent boot stages that have been signed with the distribution key. The
Microsoft signed shim is signed using the 'Microsoft 3rd Party UEFI
Certificate', and this certificate is stored in the BIOS database."

So far so good. However, for Secured Core PCs "it is a Microsoft requirement
for the 3rd Party Certificate to be disabled by default," according to
Lenovo.

Therefore, if your PC ships with Windows pre-installed, there is an
additional step to be taken to install Linux (or boot into something else)
involving a jump into the BIOS setup to enable the Microsoft 3rd Party UEFI
Certificate once again.

------------------------------

Date: Sun, 10 Jul 2022 09:18:15 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: How the FBI Wiretapped the World (Vice)

*We finally understand the code behind the Anom phones.*

For years criminal organizations around the world were buying a special
phone called Anom. The pitch was that it was completely anonymous and
secure, a way for criminals to do business without authorities watching over
their shoulder.

It turned out that the whole thing was an elaborate honeypot and that the
FBI and law enforcement agencies around the world were listening in. They'd
help develop the phones themselves.

The fallout from that revelation is ongoing and, here at Motherboard, we've
just learned how the phones work. On this episode of Cyber, Motherboard
Senior Staff Writer Joseph Cox comes on to discuss the code that powered the
Anom phone. [...]

https://www.vice.com/en/article/pkgbpn/how-the-fbi-wiretapped-the-world

------------------------------

Date: Sat, 16 Jul 2022 11:47:32 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Democracy dies behind a paywall

Lies are free, accurate information is locked away. -L

https://www.poynter.org/commentary/2022/all-news-election-articles-should-be-free/

------------------------------

Date: Wed, 1 Jun 2022 09:26:22 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: User Generated Content

It's not impossible that ultimately platforms will be required to moderate
all UGC (User Generated Content) before it appears publicly. This would
likely require a drastic cutback in UGC availability, with many
ramifications. But the regulatory arrow is moving in this direction.

------------------------------

Date: Mon, 18 Jul 2022 12:25:28 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Cryptomining Capacity in U.S. Rivals Energy Use of Houston
(Hiroko Tabuchi)

Hiroko Tabuchi, *The New York Times*, 17 Jul 2022
via ACM TechNews; Monday, July 18, 2022

A Congressional probe found seven of the largest U.S. bitcoin mining
companies could cumulatively use as much electricity as all the homes in
Houston. The findings indicated the firms could tap up to 1,045 megawatts of
power, and the companies said they intend to dramatically expand their
capacity. Cryptomining enterprise Marathon Digital Holdings told the
investigating committee it ran nearly 33,000 "mining rigs" as of February,
up from slightly over 2,000 at the start of last year; the company plans to
grow that number to 199,000 rigs by early 2023. The seven biggest
cryptominers expected to boost their mining capacity by at least 2,399
megawatts in the years ahead, a nearly 230% gain from current levels.

https://www.nytimes.com/2022/07/15/climate/cryptocurrency-bitcoin-mining-electricity.html

------------------------------

Date: Sun, 17 Jul 2022 16:57:57 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: How the fall of Celsius dragged down crypto investors (CNBC)

... From $25 billion to $167 million: How a major crypto lender collapsed
and dragged many investors down with it

https://www.cnbc.com/2022/07/17/how-the-fall-of-celsius-dragged-down-crypto-investors.html

------------------------------

Date: Wed, 1 Jun 2022 09:18:15 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Tech experts send letter to Congress urging them to resist crypto
industry lobbying

https://twitter.com/smdiehl/status/1531920884444848129

------------------------------

Date: Sat, 16 Jul 2022 16:22:35 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: GM rebate on new Cadillac Lyriq if drivers sign NDA, agree to
tracking (USA Today)

https://www.usatoday.com/story/money/cars/2022/07/16/gm-offers-rebate-cadillac-lyriq-drivers-tracking/10076785002/

------------------------------

Date: Sun, 10 Jul 2022 12:33:09 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Uber leveraged violent attacks against its drivers to pressure
politicians (WashPost)

In push for global expansion, company officials saw clashes with taxi cab
workers as a way to win public sympathy, a trove of new documents shows

https://www.washingtonpost.com/business/2022/07/10/uber-taxi-driver-violence/

------------------------------

Date: Sun, 10 Jul 2022 12:37:08 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: About the Uber Files investigation (WashPost)

About the Uber Files investigation
https://www.washingtonpost.com/business/2022/uber-files-investigation/
https://www.washingtonpost.com/business/2022/07/10/uber-files-explained/

------------------------------

Date: Sun, 10 Jul 2022 12:33:59 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Hit the kill switch: Uber used covert tech to thwart government raids
(WashPost)

Regulators entered Uber's offices only to see computers go dark before their eyes as the company used covert tech to thwart government raids.

https://www.washingtonpost.com/technology/2022/07/10/uber-europe-raids-kill-switch/

------------------------------

Date: Wed, 1 Jun 2022 14:58:49 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: GOOD! - Google bans deepfake-generating AI from Colab

https://techcrunch.com/2022/06/01/2328459/

------------------------------

Date: Tue, 19 Jul 2022 12:19:32 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Google Voice problems

Heads-up: At least some areas of Google Voice appear to be DOWN, with
calls to Google Voice numbers not going through properly.

------------------------------

Date: Sun, 17 Jul 2022 09:03:54 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Full text of Google's proposal for political email to bypass Gmail
spam filters -- and an interesting sentence

Though there's now a lot of publicity concerning Google's proposal for some
political email to bypass Gmail spam filters by default, you likely haven't
seen the full proposal. It's 15 pages, it's quite comprehensive, and it's
here:

https://www.fec.gov/files/legal/aos/2022-14/202214R_1.pdf

A couple of aspects I'll point out. First, the *reason* Google is asking for
FEC approval on this proposal is apparently due to concerns that letting
some entities' email bypass spam filters might be construed as being an
"in-kind contribution" to those entities. Google is seeking an FEC ruling
that the proposal would not fall into the in-kind contribution category.

Secondly, there's a very interesting sentence down deep in there that is
worth pondering:

Google is proposing to start this pilot with Eligible Participants rather
than other industries due to: (1) the ability to verify these
FEC-registered entities; (2) the upcoming period of expected increased and
sustained engagement by this set of bulk senders; (3) this group of bulk
senders' strong incentives to keep users engaged for a sustained period;
and (4) the ease of participant feedback for this group of senders due to
the concentrated group of email vendors.

My reading of this suggests that Google is at least considering the
expansion of the spam filter bypass model to "other industries" -- that is,
to entities other than the political ones that are the focus of the current
proposal.

Anyway, the document is very interesting reading. My original blog post on
this issue is here:

https://lauren.vortex.com/2022/07/13/googles-horrible-plan-to-flood-your-gmail-with-political-garbage

------------------------------

Date: Sun, 10 Jul 2022 19:55:47 -0700
From: Dan Eakins <dan.e...@gmail.com>
Subject: MIT scientists think they've discovered how to fully reverse
climate change (BGR)

Space bubbles

https://bgr.com/science/mit-scientists-think-theyve-discovered-how-to-fully-reverse-climate-change/

------------------------------

Date: Mon, 18 Jul 2022 19:40:13 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Meet the Lobbyist Next Door (WiReD)

What do a Real Housewife, an Olympic athlete, and a doula have in common?
They're all being paid by an ad-tech startup as influencers -- peddling not
products, but ideologies.

https://www.wired.com/story/meet-the-lobbyist-next-door

So why buy either one?

------------------------------

Date: Mon, 18 Jul 2022 17:28:42 +0000
From: Henry Baker <hba...@pipeline.com>
Subject: Facebook encrypting links to avoid URL-stripping

Stupid question: when I click on a 'link', why can't the browser itself
create the link, rather than allowing Facebook to create & encrypt the
link?

Also, this 'dark pattern' from Facebook enables hackers to mask truly
dangerous links that can lead to a complete compromise of the user's
computer. Or worse: child pornography pix that put you in jail.

https://www.ghacks.net/2022/07/17/facebook-has-started-to-encrypt-links-to-counter-privacy-improving-url-stripping/

Facebook has started to encrypt links to counter privacy-improving URL
Stripping

Martin Brinkmann Jul 17, 2022

Facebook has started to use a different URL scheme for site links to combat
URL stripping technologies that browsers such as Firefox or Brave use to
improve privacy and prevent user tracking.

Some sites, including Facebook, add parameters to the web address for
tracking purposes. These parameters have no functionality that is relevant
to the user, but sites rely on them to track users across pages and
properties.

Mozilla introduced support for URL stripping in Firefox 102, which it
launched in June 2022. Firefox removes tracking parameters from web
addresses automatically, but only in private browsing mode or when the
browser's Tracking Protection feature is set to strict. Firefox users may
enable URL stripping in all Firefox modes, but this requires manual
configuration. Brave Browser strips known tracking parameters from web
addresses as well.

Both web browsers use lists of known tracking parameters for the
functionality. The lists need to be updated whenever sites change tracking
parameters.

Facebook could have changed the scheme that it is using, but this would have
given Facebook only temporary recourse. It appears that Facebook is using
encryption now to track users.

Previously, Facebook used the parameter fbclid for tracking purposes. Now,
it uses URLs such as

https://www.facebook.com/ghacksnet/posts/pfbid0RjTS7KpBAGt9FHp5vCNmRJsnmBudyqRsPC7ovp8sh2EWFxve1Mk2HaGTKoRSuVKpl?__cft__[0]=AZXT7WeYMEs7icO80N5ynjE2WpFuQK61pIv4kMN-dnAz27-UrYqrkv52_hQlS_TuPd8dGUNLawATILFs55sMUJvH7SFRqb_WcD6CCOX_zYdsebOW0TWyJ9gT2vxBJPZiAaEaac_zQBShE-UEJfatT-JMQT5-bvmrLz7NlgwSeL6fGKH9oY9uepTio0BHyCmoY1A&__tn__=%2CO%2CP-R

instead.

The main issue here is that it is no longer possible to remove the
tracking part of the URL, as Facebook merged it with part of the required
web address. Removing the entire construct after the ? would open the main
Facebook page of Ghacks Technology News, but it won't open the linked post.

Since it is no longer possible to identify the tracking part of the web
address, it is no longer possible to remove it from the address
automatically. In other words: Facebook has the upper hand in regards to
URL-based tracking at the time, and there is little that can be done about
it short of finding a way to decrypt the information.

There is no option currently to prevent Facebook's tracking of users via
links. Users could avoid Facebook, but that may not be possible all the
time. URL tracking does not help much if other tracking means, e.g., through
cookies or site data, are not available. While Facebook gets some
information from URL-based tracking, it can't link it if no persistent data
is available.

Users who don't sign into Facebook and clear cookies and site data
regularly, may avoid most of the company's tracking.
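
The list-based stripping described in the quoted article, as an added example (not code from the article, Firefox or Brave). The blocklist is a small constructed sample, both URLs are constructed in the shape the article quotes, and the 32-character threshold for an "opaque" path segment is an assumption.

```javascript
// Constructed sample blocklist; real browsers ship their own, longer lists.
const TRACKING_PARAMS = new Set([
  "fbclid", "gclid", "utm_source", "utm_medium", "utm_campaign",
]);

// Constructed URLs. OLD_STYLE carries the identifier in a named query
// parameter; NEW_STYLE follows the shape quoted in the article, where an
// opaque "pfbid..." token is part of the path that addresses the post.
const OLD_STYLE =
  "https://www.facebook.com/ghacksnet/posts/1234567890" +
  "?fbclid=CONSTRUCTED-CLICK-ID&page=2";
const NEW_STYLE =
  "https://www.facebook.com/ghacksnet/posts/" +
  "pfbid0CONSTRUCTEDtokenCONSTRUCTEDtoken0123456789" +
  "?__cft__[0]=CONSTRUCTED-VALUE&__tn__=%2CO%2CP-R";

// Remove every query parameter whose name is on the blocklist.
function stripTrackingParams(urlString, blocklist = TRACKING_PARAMS) {
  const url = new URL(urlString);
  const removed = [];
  // Snapshot the names first: deleting while iterating skips entries.
  for (const name of [...new Set(url.searchParams.keys())]) {
    if (blocklist.has(name)) {
      url.searchParams.delete(name);
      removed.push(name);
    }
  }
  return { url: url.toString(), removed };
}

// Report what the stripper leaves behind: query names it does not know, and
// long opaque path segments it cannot touch because they are part of the
// address itself (assumed heuristic: 32+ URL-safe characters).
function residualIdentifiers(urlString, blocklist = TRACKING_PARAMS) {
  const url = new URL(stripTrackingParams(urlString, blocklist).url);
  const unknownParams = [...new Set(url.searchParams.keys())];
  const opaqueSegments = url.pathname
    .split("/")
    .filter((segment) => /^[A-Za-z0-9_-]{32,}$/.test(segment));
  return { unknownParams, opaqueSegments };
}

for (const sample of [OLD_STYLE, NEW_STYLE]) {
  const stripped = stripTrackingParams(sample);
  const residual = residualIdentifiers(sample);
  console.log("input:    ", sample);
  console.log("stripped: ", stripped.url);
  console.log("removed:  ", stripped.removed);
  console.log("residual: ", JSON.stringify(residual));
  console.log();
}
```

On the old-style URL the stripper removes `fbclid` and keeps the rest; on the new-style URL it removes nothing, and the only candidate identifier left is the path segment that the link needs in order to resolve.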

------------------------------

Date: Sat, 9 Jul 2022 23:22:22 +0000
From: Judith Hemenway <Jud...@divingturtle.com>
Subject: Facebook, privacy and abortion

``There's nothing to stop police from using Facebook ad-targeting data the
same way they've been using Google's data, as a mass digital dragnet. Our
investigation found that Facebook has continued to ingest data from webpages
with obvious sexual health information -- including ones with URLs that
include phrases such as post-abortion, i-think-im-pregnant, abortion-pill.''

https://revealnews.org/article/facebook-data-abortion-crisis-pregnancy-center/

------------------------------

Date: Sun, 10 Jul 2022 09:26:08 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: Nobody likes self-checkout. Here's why it's everywhere
(The Atlantic)

*"Unexpected item in the bagging area."*
*"Please place item in the bag."*
*"Please wait for assistance."*

If you've encountered these irritating alerts at the self-checkout machine,
you're not alone. According to a survey
<https://www.raydiant.com/blog/state-of-self-service-checkouts/> last year
of 1,000 shoppers, 67% said they'd experienced a failure at the
self-checkout lane. Errors at the kiosks are so common that they have even
spawned dozens of memes <https://memebase.cheezburger.com/tag/self-checkout>
and TikTok videos <https://www.tiktok.com/tag/selfcheckout?lang=en>.

"We're in 2022. One would expect the self-checkout experience to be
flawless. We're not there at all," said Sylvain Charlebois, director
<https://www.dal.ca/faculty/management/school-of-public-administration/faculty-staff/our-faculty/sylvain-charlebois.html>
of the Agri-Food Analytics Lab at Dalhousie University in Nova Scotia who
has researched self-checkout. Customers aren't the only ones frustrated
with the self-checkout experience. Stores have challenges with it, too. The
machines are expensive to install, often break down and can lead to
customers purchasing fewer items. Stores also incur higher losses and more
shoplifting
<https://www.theatlantic.com/magazine/archive/2018/03/stealing-from-self-checkout/550940/>
at self-checkouts than at traditional checkout lanes with human cashiers.
Despite the headaches, self-checkout is growing. In 2020, 29% of
transactions at food retailers were processed through self-checkout, up from
23% the year prior, according to the latest data from food industry
association FMI. This raises the question: why is this often problematic,
unloved technology taking over retail? [...]

https://www.cnn.com/2022/07/09/business/self-checkout-retail/index.html

------------------------------

Date: Wed, 13 Jul 2022 11:59:21 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Major American Companies to Schools: Expand Access to Computer
Science (Alyson Klein)

Alyson Klein, *Education Week*, 12 Jul 2022,
via ACM TechNews; 13 Jul 2022

A July 12 letter to governors and top education officials in all 50 states,
signed by over 500 businesses, nonprofits, and education organizations,
calls for every K-12 student to be given access to computer science
education. Amazon, Microsoft, and Alphabet were among the signatories, along
with companies like American Express, Nike, Starbucks, UPS, and
Walgreens. Code.org reports that only about a dozen of the 27 states with
policies granting access to high school students aim to give all K-12
students access. Code.org's Hadi Partovi said it is important that big
companies not thought of as tech companies support the effort. Said Partovi,
"It helps people realize that this is about every industry, that every
company is becoming a technology company and every company is suffering with
the lack of preparation that our schools are giving to our students."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ee75x234ba3x070806&

[The U.S. has been dumbing down lower and higher education for decades,
except for the "elite" schools -- competing with blather from those people
who do not trust science. PGN]

------------------------------

Date: Mon, 18 Jul 2022 20:18:40 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: FedEx bot apologizes for `pending delivery' of missing human remains

"I am very sorry for the pending delivery," FedEx Help, the company's
customer service account, replied about how Jeffrey Merriweather's remains
have been missing since they were shipped via FedEx in 2019.

https://www.washingtonpost.com/business/2022/07/15/fedex-twitter-bot-missing-remains-georgia/

------------------------------

Date: Sat, 09 Jul 2022 18:12:50 -0400
From: "David W. Hodgins" <davidw...@teksavvy.com>
Subject: Re: Canadian network outage misunderstatement OTD (RISKS-33.32)

Interac was down only for merchants and ATMs that are connected via
Rogers. Those with Bell or Telus were not affected. A local drive-through
banking machine operated by TD Canada Trust continued working while a local
variety store had credit card or cash only, and its no-name ATM was down.

My Internet was down for 28 hours, came back for an hour, down again, then
back again after another hour. Hopefully that's the end of the current
problems in my area, and a proper explanation/fix will be coming.

------------------------------

Date: Tue, 12 Jul 2022 18:06:27 +0200
From: Diego.Latella <diego....@isti.cnr.it>
Subject: ISODARCO 2023

60th Course of the International School on Disarmament and Research on
Conflicts (ISODARCO):
Advancing Technology, Nuclear Weapons Security and International Stability
Andalo (Trento, Italy), 8-15 January 2023

Directors of the Course: Deborah Louis (ISODARCO, Boston, USA),
Francesca Giovannini (Managing the Atom, Harvard University, USA), and
Steven Miller (Belfer Center, Harvard University, USA)

Principal Lecturers:
Mansoor Ahmed, Center for International Strategic Studies, Islamabad;
Alexey Arbatov, IMEMO, Moscow;
Nadia Arbatova, IMEMO, Moscow;
Malfrid Braut-Hegghammer, Oslo University;
Paolo Cotta Ramusino, Secretary-General, Pugwash Conferences on Science
and World Affairs;
Sergio Duarte, President of Pugwash;
Mark Fitzpatrick, International Institute for Strategic Studies, London;
Joan Johnson-Freese, Naval War College, Newport;
Alexander Kmentt, King's College, London;
Ankit Panda, Nuclear Policy Program, Washington;
Alessandro Pascolini, Padua University;
Tariq Rauf, Former Head of Verification & Security Policy, IAEA, Vienna;
Laura Rockwood, Open Nuclear Network, Vienna;
Carlo Trezza, Istituto Affari Internazionali, Roma;
Heather Williams, King's College, London;
Benjamin Zala, Australian National University, Canberra.

Information on the school and application forms: www.isodarco.it [1].

Dott. Diego Latella - Senior Researcher CNR/ISTI, Via Moruzzi 1, 56124
Pisa, Italy (http://www.isti.cnr.it [2])
FM&&T Lab. (http://fmt.isti.cnr.it)
CNR/GI-STS (http://gists.pi.cnr.it)
https://www.isti.cnr.it/People/D.Latella - ph: +390506212982, fax:
+390506212040

[1] http://www.isodarco.it
[2] http://www.isti.cnr.it

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.33
************************
