Risks Digest 33.07

RISKS-LIST: Risks-Forum Digest Friday 25 February 2022 Volume 33 : Issue 07

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.07>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
The radiation will never be higher in Chernobyl? oops! (danny burstein)
3G shutdown will affect a host of everyday devices (Gabe Goldberg)
TurboTax Maker Intuit Faces Tens of Millions in Fees in a Groundbreaking
Legal Battle Over Consumer Fraud (ProPublica)
Ukraine, computer risks, and the Space Station (Lauren Weinstein PGN-ed)
How NASA plans to destroy the International Space Station, and the dangers
involved (phys.org)
Man versus machine: Human beings losing out as AI coldly fires
under-performing workers (Straits Times)
Robots are increasing mortality among US adults (phys.org)
Difficult situation on campus: robots blockaded (Sean Hecht)
Facial recognition firm Clearview AI tells investors it's seeking massive
expansion beyond law enforcement (WashPost)
Power outages (PGN)
New Bill Would Bring Mobile Voting To WashDC (DCist)
SSL protocol mismatch (Cliff Kilby)
Inside the Lab Where Intel Tries to Hack Its Own Chips (WiReD)
The CDC Isn't Publishing Large Portions of the Covid Data It Collects
(NYTimes)
$1.7 million in NFTs stolen in apparent phishing attack on OpenSea users
(The Verge)
Digital Wallet cartoon in *The New Yorker* (Jan Wolitzky)
Re: Really big electric power refund (Steve Bacher, Morten Welinder)
Re: Some Mazda cars stuck on a Seattle Station (David Lesher)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 25 Feb 2022 15:02:20 +0000 ()
From: danny burstein <dan...@panix.com>
Subject: The radiation will never be higher in Chernobyl? oops!

Radiation meters in the extended Chernobyl area have been reading higher and
higher, with many of them reporting numbers of 65500 nanosieverts/hr.

Which is annoyingly high, but likely (hopefully...) simply a matter of
(formerly) stable contaminated dirt and dust getting kicked up from tanks
running over it and shelling, etc.

But ... this led to the following observation, which does add a bit more
concern:

[Twitter]

"An explanation for my non-IT followers is in order.

"Digital devices often store numerical values in data cells called a
"double" (two times 8 bits).

"The largest number it can store is (2 to the 16th, minus 1, which comes out
to) 65535... which rounded down to the nearest hundred is 65500..."

more at:
https://twitter.com/KirilsSolovjovs/status/1497001320015970310
https://twitter.com/DrEricDing/status/1497011166341599274
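The saturation the tweet describes is a general data-quality problem: a reading that sits at the ceiling of its storage field is a lower bound, not a measurement. The following is an added example, not code from the post or from any monitoring network; it assumes an unsigned 16-bit field (ceiling 65535), as the quoted tweet explains, and that devices round readings down to the nearest 100 before reporting them (65535 -> 65500). The station readings are constructed.

```python
"""Flag radiation readings pinned at the ceiling of a fixed-width field.

Added example, not code from the post or from any monitoring network.
Assumptions: an unsigned 16-bit field (ceiling 65535), as the quoted tweet
explains, and that devices round a reading down to the nearest 100 before
reporting it (65535 -> 65500). The station readings are constructed.
"""

from dataclasses import dataclass


@dataclass
class Reading:
    station: str
    nsv_per_hour: int          # nanosieverts per hour, as reported
    flag: str = "ok"


def field_ceiling(bits: int) -> int:
    """Largest value an unsigned field of `bits` bits can hold (65535 for 16)."""
    return (1 << bits) - 1


def flag_saturated(readings, bits=16, granularity=100):
    """Classify each reading against the field ceiling.

    'saturated'     : at the ceiling (or the ceiling rounded down to
                      `granularity`); the true value is only known to be
                      at least this large, so it must not be plotted as-is.
    'exceeds_field' : larger than the ceiling, so the assumed field width is
                      wrong or the value was not produced by such a field.
    """
    ceiling = field_ceiling(bits)
    rounded_ceiling = ceiling - ceiling % granularity
    out = []
    for r in readings:
        if r.nsv_per_hour > ceiling:
            flag = "exceeds_field"
        elif r.nsv_per_hour >= rounded_ceiling:
            flag = "saturated"
        else:
            flag = "ok"
        out.append(Reading(r.station, r.nsv_per_hour, flag))
    return out


# Constructed sample: two plausible values, two at the ceiling, one above it.
SAMPLE = [
    Reading("A", 120),
    Reading("B", 65500),
    Reading("C", 65535),
    Reading("D", 9800),
    Reading("E", 70000),
]


def saturated_stations(readings=SAMPLE, bits=16):
    """Stations whose reported value carries no information beyond a lower bound."""
    return [r.station for r in flag_saturated(readings, bits) if r.flag == "saturated"]


if __name__ == "__main__":
    for r in flag_saturated(SAMPLE):
        print(f"{r.station}: {r.nsv_per_hour:>6} nSv/h  {r.flag}")
```

A dashboard that plots "saturated" readings as if they were measurements will show a flat plateau at 65500 no matter how high the real dose rate goes; the check above separates "at least 65500" from "exactly 65500" before the numbers are charted or averaged.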

------------------------------

Date: Thu, 17 Feb 2022 15:15:41 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: 3G shutdown will affect a host of everyday devices

The looming shutdown of 3G networks won't impact just older phones.

With AT&T's 3G network shutting down next week, and other carriers following
suit later this year, a range of products require updates to continue
working, including some home alarm systems, medical devices such as fall
detectors, and in-car crash notification and roadside assistance systems
such as General Motors' OnStar.

Just as many mobile carriers have urged customers to swap their older 3G
iPhones, Android phones, e-readers and other hand-held devices for newer
models ahead of the shutdown, other businesses are urging customers to
upgrade or replace some of the everyday products and services in their homes
and cars before they drop connectivity.

If left unaddressed, the stakes could be high in certain cases. Millions of
cars, for example, may no longer have the ability to contact first
responders after a collision or receive updates such as location or traffic
alerts for built-in GPS systems. Some vehicles, including Chevrolet, Buick
and Cadillac, have software upgrades for drivers to connect their systems to
a 4G network, but other models will reportedly lose this feature for good.

http://pge.libercus.net//.pf/showstory/202202170035/3

[Monty Solomon noted this addition to the above item:
AT&T 3G shutdown on Feb. 22 to impact seniors with medical alert
devices (CNBC)
https://www.cnbc.com/2022/02/19/att-3g-shutdown-on-feb-22-to-impact-seniors-with-medical-alert-devices.html
PGN]

------------------------------

Date: Thu, 24 Feb 2022 15:53:11 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: TurboTax Maker Intuit Faces Tens of Millions in Fees in a
Groundbreaking Legal Battle Over Consumer Fraud (ProPublica)

At a hearing before U.S. District Court Judge Charles Breyer, a lawyer for
Intuit complained that "the Keller firm is able to threaten companies --
Intuit's not alone -- into paying $3,000 in arbitration fees, for a $100
claim."

Breyer questioned whether the proposed settlement was in the best interest
of consumers.

Breyer: ``I did think when I looked at this, and saw that, really, that this
was a way to avoid or otherwise circumscribe arbitration, that it seemed to
be that Intuit was, in Hamlet's words, hoisted by their own petard, I think
arbitration is the petard that Intuit now faces.'' His comments were first
reported by Reuters.

Breyer rejected the settlement in March 2021.

https://www.propublica.org/article/turbotax-maker-intuit-faces-tens-of-millions-in-fees-in-a-groundbreaking-legal-battle-over-consumer-fraud

Poor Intuit, being forced to arbitrate claims...

------------------------------

Date: Fri, 25 Feb 2022 09:52:23 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Ukraine, computer risks, and the Space Station

[Retitled and repackaged: Sundry messages from Lauren. PGN]

Social media platforms on the defensive as Russian-based disinformation
about Ukraine spreads

You will recall that recently Putin sent armed thugs into Google's Moscow
offices when they tried to fight Putin's demand that content related to his
political opponent be removed. We're not talking typical social media
sanctions here -- we're talking Russian thugs with guns.

https://www.politico.com/news/2022/02/24/social-media-platforms-russia-ukraine-disinformation-00011559

- - - -

Russia retaliates on Facebook's restrictions on Russian propaganda and lies

Russia Will Restrict Access to Facebook, State Media Reports

https://www.vice.com/en/article/93bgq7/russia-will-restrict-access-to-facebook-state-media-reports

- - - -

Putin and Nazis

Putin rants about Nazis controlling Ukraine. The president of Ukraine is
Jewish. Apparently, Putin believes the population of Russia are morons.
He's wrong.

- - - -

Google's actions in response to the Ukrainian situation

Long thread from Google about actions being taken in response to the
Ukrainian situation

https://twitter.com/googleeurope/status/1497312445303513094

- - - -

Russia is threatening to crash (since they control propulsion) the
International Space Station in response to sanctions against Russia.
This is assumed to be bluster, but shades of "2010: The Year We Make
Contact" ('84).

------------------------------

Date: Sun, 20 Feb 2022 09:22:52 +0800
From: Richard Stein <rms...@ieee.org>
Subject: How NASA plans to destroy the International Space Station, and the
dangers involved (phys.org)

https://phys.org/news/2022-02-nasa-international-space-station-dangers.html

"The ISS has been described as the most expensive single item ever
constructed.[409] As of 2010, the total cost was US$150 billion. This
includes NASA's budget of $58.7 billion ($89.73 billion in 2021 dollars) for
the station from 1985 to 2015, Russia's $12 billion, Europe's $5 billion,
Japan's $5 billion, Canada's $2 billion, and the cost of 36 shuttle flights
to build the station, estimated at $1.4 billion each, or $50.4 billion in
total. Assuming 20,000 person-days of use from 2000 to 2015 by two- to
six-person crews, each person-day would cost $7.5 million, less than half
the inflation-adjusted $19.6 million ($5.5 million before inflation) per
person-day of Skylab." See
https://en.wikipedia.org/wiki/International_Space_Station#Cost, retrieved on
20FEB2022.

Assume construction and total operating costs aggregate to US$ 200B today.
Compare that lump sum to the ~US$ 1B per year (estimated in 2015) of revenue
generated from commercial spin-offs and license royalties. See "Testimony
before the Subcommittee on Space, Committee on Science, Space, and
Technology, U.S. House of Representatives Hearing on America's Human
Presence in Low-Earth Orbit, Dr. Bhavya Lal, IDA Science and Technology
Policy Institute," May 17, 2018, page 5,
https://docs.house.gov/meetings/SY/SY00/20180517/108302/HHRG-115-SY00-Wstate-LalB-20180517.pdf,
retrieved on 20FEB2022.

"Space station dollars are spent on the ground!" (See
https://www.nytimes.com/1991/05/26/weekinreview/the-nation-can-nasa-make-space-seem-worth-the-price.html,
retrieved on 20FEB2022). Indeed. Space programs employ a lot of people. No
boxcar-sized return on investment cited to date, unless you count von Karman
Line tourism as a big win.

There's some solid science on the ISS: The Alpha Magnetic Spectrometer,
Bose-Einstein condensates, and some physiology experiments.

The ISS will be "dumped into the drink" sometime in 2031. Plenty of time to
plan how to dodge any de-orbited debris that misses the intended South
Pacific ocean graveyard burial.

------------------------------

Date: Tue, 22 Feb 2022 10:19:03 +0800
From: Richard Stein <rms...@ieee.org>
Subject: Man versus machine: Human beings losing out as AI coldly fires
under-performing workers (Straits Times)

https://www.straitstimes.com/tech/tech-news/man-versus-machine-human-beings-losing-out-as-ai-coldly-fires-under-performing-workers

"We measure humans by the standards that are appropriate for machines and
then we tell them we need technology to make them more human. It's
perverse," said Professor Shannon Vallor, the Baillie Gifford Chair in the
Ethics of Data and Artificial Intelligence at the University of Edinburgh.

Speaking at a recent panel discussion on AI, she said technology should be
about enhancing people's capabilities and experiences. But, increasingly,
she is seeing AI being designed to advance its performance, "and humans
are being twisted into knots in order to make that possible".

A business corrects processes when public outrage exposes AI deployments
that abuse employee capacities or cause physical harm.

Proactive monitoring of mechanized work, such as snap inspections of
highly-automated, AI-driven factories or warehouses will become impractical
as technological solutions penetrate deeper into manual labor.

Automated oversight of fair labor practices, as might be enforced by
regulations, is problematic in that whomever (or whatever) controls the
input regulatory specification determines compliance.

------------------------------

Date: Fri, 25 Feb 2022 10:41:42 +0800
From: Richard Stein <rms...@ieee.org>
Subject: Robots are increasing mortality among US adults (phys.org)

https://phys.org/news/2022-02-robots-mortality-adults.html

The automation of U.S. manufacturing -- robots replacing people on factory
floors -- is fueling a rising mortality rate among America's working-age
adults, according to a new study by researchers at Yale and the University
of Pennsylvania.

Industrial automation accelerates labor dislocation while human despair
accumulates. How will highly industrialized societies sustain economy
without consumers of automatically produced goods and services?

------------------------------

Date: Thu, 17 Feb 2022 18:38:42 -1000
From: geoff goodfellow <ge...@iconia.com>
Subject: Difficult situation on campus: robots blockaded (Sean Hecht)

... Traffic jam of automated food delivery robots, apparently all stuck
behind a carelessly discarded scooter. I just observed a couple of students
clearing a path out of pity for the robots. This is our future, I guess.

https://twitter.com/seanhecht/status/1493432613628825600

------------------------------

Date: Fri, 18 Feb 2022 09:33:49 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Facial recognition firm Clearview AI tells investors it's seeking
massive expansion beyond law enforcement (WashPost)

It claims to be on track to have 100 billion facial photos in its database
within a year, enough to ensure almost everyone in the world will be
identifiable, according to a financial presentation from December obtained
by *The Washington Post*.

https://www.washingtonpost.com/technology/2022/02/16/clearview-expansion-facial-recognition/

------------------------------

Date: Fri, 18 Feb 2022 15:33:07 PST
From: Peter Neumann <neu...@csl.sri.com>
Subject: Power outages

To add to the long litany of outages reported in RISKS, my afternoon work
was disrupted by a regional power outage affecting 4,500 customers in
southeast Palo Alto -- due to a Mylar balloon on power wires, presumably
near one of the retransmission sites.

One of my neighbors suggested that mylar balloons are bad for the
environment and bad for electrical transmission.

------------------------------

Date: Mon, 21 Feb 2022 19:25:24 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: New Bill Would Bring Mobile Voting To WashDC (DCist)

As written, the bill would require that the Washington DC Board of Elections
create a secure system to allow any voter to fill out and submit a ballot
from their smartphone, tablet, or computer. [...]

Still, the bill could face stiff opposition from experts who say that while
online security options are improving, mobile voting would still be
susceptible to hacking.

``There is currently no Internet technology available that allows for the
secure transmission of voted ballots while also maintaining voter privacy
and ballot verifiability,'' wrote Mark Lindeman, an expert on voting
security and audits with Verified Voting, a nonpartisan group that focuses
on elections and technology, in a recent letter to legislators in Rhode
Island considering a bill to allow ballots to be returned over the Internet.

https://dcist.com/story/22/02/21/new-bill-would-bring-mobile-voting-to-d-c/

------------------------------

Date: Wed, 23 Feb 2022 17:34:18 -0500
From: Cliff Kilby <cliff...@gmail.com>
Subject: SSL protocol mismatch

Lots of security tools are based on Linux, and the Linux environment tends
towards earlier adoption of updated security guidance. This has created a
gap. Kali Linux is intentionally configured to allow older protocols, but
has disabled SSLv3.

https://www.kali.org/docs/general-use/openssl-configuration/

Windows as late as Windows 10 still has SSLv3 enabled.

https://docs.microsoft.com/en-us/windows/win32/secauthn/protocols-in-tls-ssl--schannel-ssp-#pre-tls-standard-protocols-support

It would be worthwhile to ensure your security tools have the older
protocols available for pen-testing.

------------------------------

Date: Wed, 23 Feb 2022 20:40:25 -0500
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Inside the Lab Where Intel Tries to Hack Its Own Chips (WiReD)

Researchers at iSTARE have to think like the bad guys, finding critical
flaws before processors go to production.

https://www.wired.com/story/intel-lab-istare-hack-chips/

------------------------------

Date: Mon, 21 Feb 2022 12:02:52 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: The CDC Isn't Publishing Large Portions of the Covid Data It Collects
(NYTimes)

The agency has withheld critical data on boosters, hospitalizations and,
until recently, wastewater analyses.

https://www.nytimes.com/2022/02/20/health/covid-cdc-data.html

------------------------------

Date: Mon, 21 Feb 2022 15:06:59 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: $1.7 million in NFTs stolen in apparent phishing attack on OpenSea
users (The Verge)

Two hundred and fifty-four tokens were stolen over roughly three hours

https://www.theverge.com/2022/2/20/22943228/opensea-phishing-hack-smart-contract-bug-stolen-nft

------------------------------

Date: Mon, 21 Feb 2022 07:43:55 -0500
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: Digital Wallet cartoon in *The New Yorker*

*"Our new digital wallet app is going to revolutionize the way people get
robbed."*

[I respect TNY's paywall, but recommend their caption contest. PGN]

------------------------------

Date: Sat, 19 Feb 2022 12:21:21 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: Re: Really big electric power refund (Epstein, RISKS-33.06)

The ability to handle large numbers does not necessarily imply that those
numbers are expected to occur normally. For instance, it could have been a
prepackaged software routine that was general purpose enough to accommodate
conceivably huge amounts.

Common Lisp, for example, has the numeric-to-English-output feature built in
to the standard format function. I wrote code to implement this in the Lisp
system that I built for the IBM mainframe in the 1980s, so I know how it
would work. Once you have established the algorithm to handle thousand,
million and billion, it is fairly straightforward to extend that to trillion
and up. My code was written to handle amounts up to a vigintillion [?],
with little effort.

(It is said that 80% of the code of a given program is designed to handle
things that happen 20% of the time, or maybe 90%/10%. Whatever.)

[Whatever? That seems irrelevant to RISKS. It might just be the one line
that is never expected to be executed that saves the day when it does get
executed. PGN]

------------------------------

Date: Fri, 18 Feb 2022 20:48:21 -0500
From: Morten Welinder <mwel...@gmail.com>
Subject: Re: Really big electric power refund (BBC)

I am going to assume that someone just grabbed a library that may or may not
have had anything to do with money.

However, there's another risk here: just how big is a trillion? If you
meant to write a check for "one trillion" in the 10^12 sense, it would be
rather awkward to do so in a jurisdiction where "one trillion" means 10^18.
Even in Zimbabwe that difference would have taken weeks to even out.

https://en.wikipedia.org/wiki/Trillion
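Steve Bacher's point (once thousand, million and billion are handled, trillion and up are just more table entries) and Morten Welinder's point (the same word names a different power of ten on the short and the long scale) can both be seen in one small number-to-English routine. The following is an added example, not the Common Lisp ~R directive Bacher refers to, not his mainframe code, and not any library. It assumes the usual Latin-derived series of scale names up to vigintillion (10^63 on the short scale) and takes "short" to mean the US convention (1 trillion = 10^12) and "long" the convention Welinder mentions (1 trillion = 10^18, with "thousand million" for 10^9).

```python
"""Spell out integers in English, on the short or the long scale.

Added example, not the Common Lisp ~R implementation Steve Bacher describes
nor any library. The "short" scale is the one used in the United States
(1 trillion = 10**12); the "long" scale is the one Morten Welinder refers to
(1 trillion = 10**18). Scale names beyond trillion follow the usual Latin
series up to vigintillion (10**63 on the short scale).
"""

ONES = ["", "one", "two", "three", "four", "five", "six", "seven", "eight",
        "nine", "ten", "eleven", "twelve", "thirteen", "fourteen", "fifteen",
        "sixteen", "seventeen", "eighteen", "nineteen"]
TENS = ["", "", "twenty", "thirty", "forty", "fifty", "sixty", "seventy",
        "eighty", "ninety"]

# Short scale: a new name every 10**3.  Index i names 1000**i.
SHORT_NAMES = ["", "thousand", "million", "billion", "trillion", "quadrillion",
               "quintillion", "sextillion", "septillion", "octillion",
               "nonillion", "decillion", "undecillion", "duodecillion",
               "tredecillion", "quattuordecillion", "quindecillion",
               "sexdecillion", "septendecillion", "octodecillion",
               "novemdecillion", "vigintillion"]

# Long scale: a new name every 10**6, using the same words in the same order.
# Index i names 1000000**i, so "billion" is 10**12 and "trillion" is 10**18.
LONG_NAMES = [""] + SHORT_NAMES[2:]


def below_thousand(n: int) -> str:
    """0 <= n < 1000 -> words (empty string for 0)."""
    words = []
    if n >= 100:
        words.append(ONES[n // 100] + " hundred")
        n %= 100
    if n >= 20:
        words.append(TENS[n // 10] + ("-" + ONES[n % 10] if n % 10 else ""))
    elif n:
        words.append(ONES[n])
    return " ".join(words)


def below_million(n: int) -> str:
    """0 <= n < 10**6 -> words; 'thousand' is handled here on the long scale."""
    thousands, rest = divmod(n, 1000)
    parts = []
    if thousands:
        parts.append(below_thousand(thousands) + " thousand")
    if rest:
        parts.append(below_thousand(rest))
    return " ".join(parts)


def to_words(n: int, scale: str = "short") -> str:
    """Spell n in English. scale is "short" (US) or "long"."""
    if n == 0:
        return "zero"
    if n < 0:
        return "minus " + to_words(-n, scale)
    if scale == "short":
        base, names, group_words = 1000, SHORT_NAMES, below_thousand
    elif scale == "long":
        base, names, group_words = 1_000_000, LONG_NAMES, below_million
    else:
        raise ValueError(f"unknown scale {scale!r}")

    parts = []
    index = 0
    while n:
        n, group = divmod(n, base)
        if group:
            if index >= len(names):
                # Extending the range is only a matter of adding table entries.
                raise ValueError(f"no {scale}-scale name for {base}**{index}")
            name = names[index]
            parts.append(group_words(group) + (" " + name if name else ""))
        index += 1
    return " ".join(reversed(parts))


if __name__ == "__main__":
    for value in (10**12, 10**18):
        print(f"{value}: short = {to_words(value)!r}, long = {to_words(value, 'long')!r}")
```

The routine that handles the everyday cases is the same one that prints "one vigintillion"; nothing about the large amounts is special-cased, which is exactly why a general-purpose library is happy to put a trillion-dollar figure on a cheque. The scale parameter is the part that matters to Welinder's point: the same integer spells out as "one trillion" on one scale and "one billion" on the other.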

------------------------------

Date: Sat, 19 Feb 2022 10:16:46 -0500
From: David Lesher <wb8...@panix.com>
Subject: Re: Some Mazda cars stuck on a Seattle Station (RISKS-33.06)

In 2019 Github detailed a bug in the receivers; it's not clear if it is the
same bug or its brother. In either case, Little Johnny Tables
<https://xkcd.com/327/> came to mind.

<https://github.com/Hamled/mazda-format-string-bug#readme>

printf format string bug in Mazda Connect Infotainment System

Bug Description

The Infotainment System's UI (and possibly other software elements) crashes
when a Bluetooth audio source sends track metadata wherein the track name
(at least) includes a "%n" conversion specifier.

Example Case

When the track's title includes the string "99% Invisible" this triggers a
crash. [...]

Perhaps the most unusual aspect of this from a coder's perspective (this
kind of bug isn't all that uncommon, unfortunately), is actually the 'I'
itself. This is a Microsoft-invented 'upgrade' to the ISO standard C format
specifiers, but it's almost certainly the case that Mazda's Infotainment
System does not use Windows as its operating system.

It turns out that GCC and Clang (the two major compilers for open source
software) have included the 'I' specifier as well, presumably for
compatibility so people can easily move their code from Microsoft's VC++
compiler to them (and back).

Talking about code using natural languages like English is really fraught
with problems! The Reply All episode that discussed this bug involved the
hosts speaking with some coders about using the phrase "percent I" -- but
maybe everyone was assuming "%i" which is much more common.

However for the computer, in its infinitely pedantic manner, "%i" and "%I"
have nothing in common... which means we as coders have to be aware of that
kind of difference. Without that key info, we wouldn't know to look past the
'I' and see that the 'n' is what was causing the crash. ...
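The parse that the post walks through ("% I" being flag characters, and the "n" that follows being the conversion that writes to memory) can be made mechanical. The following is an added example, not code from the Mazda README, from the Reply All episode or from any infotainment vendor: a small scanner that finds printf conversion specifications in untrusted text and says what kind each one is. It assumes the glibc placement of 'I' among the flag characters and accepts MSVC's I/I32/I64 as length modifiers; either placement yields the same conversion character. The track titles are constructed. The fix on the C side remains to never use metadata as the format string (printf("%s", title) rather than printf(title)); the scanner is for auditing inputs, test corpora or logs, not a substitute for that.

```python
"""Audit untrusted text for C printf conversion specifications.

Added example, not code from the Mazda README or the Reply All episode.
It reproduces the parse that tripped the infotainment UI: in "99% Invisible"
the '%' is followed by the space flag, the 'I' flag (a glibc/MSVC extension
to ISO C) and then the 'n' conversion, which writes to memory. Inputs below
are constructed.
"""

import re

# One conversion specification after '%': flags, width, .precision, length,
# conversion.  'I' is listed with the flags because that is where glibc
# accepts it; MSVC's I/I32/I64 size prefixes are accepted as length modifiers.
# Either placement finds the same conversion character.
_SPEC = re.compile(r"""
    %
    (?P<flags>[-+\ \#0'I]*)
    (?P<width>\*|\d+)?
    (?:\.(?P<precision>\*|\d+))?
    (?P<length>hh|h|ll|l|L|q|j|z|t|I64|I32|I)?
    (?P<conv>[diouxXeEfFgGaAcspn%])
""", re.VERBOSE)

# Conversions that make printf store through a pointer argument.
WRITE_CONVERSIONS = {"n"}


def conversions(text: str) -> list:
    """Conversion characters of every specification in text; '%%' is a literal."""
    return [m.group("conv") for m in _SPEC.finditer(text) if m.group("conv") != "%"]


def classify(text: str) -> str:
    """'literal'         : harmless even if (wrongly) used as a format string
       'reads-arguments': would read arguments that were never passed
       'writes-memory'  : contains %n and would write through a pointer"""
    convs = conversions(text)
    if not convs:
        return "literal"
    if WRITE_CONVERSIONS & set(convs):
        return "writes-memory"
    return "reads-arguments"


def explain(text: str) -> list:
    """Split each specification into flags and conversion, to show why
    'percent I' was a red herring and 'n' was the problem."""
    return [
        {"spec": m.group(0), "flags": m.group("flags"), "conv": m.group("conv")}
        for m in _SPEC.finditer(text) if m.group("conv") != "%"
    ]


# Constructed track titles a Bluetooth source might send.
SAMPLE_TITLES = ["99% Invisible", "100%% Done", "Track %s", "50%", "Plain Song"]


if __name__ == "__main__":
    for t in SAMPLE_TITLES:
        print(f"{t!r:20} -> {classify(t):16} {explain(t)}")
```

Run over the sample titles, "99% Invisible" is the only one classified as writing to memory, and explain() shows its specification as "% In" with flags " I" and conversion "n". A title such as "Rock % Roll" is classified as literal, because 'R' is not a conversion character and the '%' therefore never completes a specification; that distinction is what a fuzzing corpus or a log audit needs in order to separate the one dangerous title from the many harmless percent signs.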

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.07
************************
