
Risks Digest 33.56


RISKS List Owner

Dec 4, 2022, 8:39:37 PM
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Sunday 4 December 2022 Volume 33 : Issue 56

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.56>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Doonesbury (Garry Trudeau)
Quantifying a Large Rise in Hate Speech under Musk (NYTimes)
MuskRat or MuskOx? (PGN-culled from Lauren Weinstein)
Domestic terrorism in North Carolina (Lauren Weinstein)
Sirius XM flaw could've let hackers remotely unlock and start cars
(The Verge)
Samsung and app-signing leakage (Ars Technica via Henry Baker)
The more you submit, the more we get paid: How fintech fueled COVID aid
fraud (WashPost)
TSA now wants to scan your face at security. Here are your rights. (WashPost)
Man Cashed His Dead Mother's Social Security Checks for 26 Years, (NYTimes)
Re: Blockchains, What Are They Good For? (Peter Houppermans)
Re: San Francisco Considers Allowing Use of Deadly Robots by Police
(Amos Shapir)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 4 Dec 2022 12:07:17 PST
From: Peter G Neumann <neu...@csl.sri.com>
Subject: Doonesbury (Garry Trudeau)

[For the RISKS truthiness department.]

Sunday 4 Dec 2022

[Man online:]
Hi, You've reached Austin at MyFacts, offering bespoke realities since
2002? How may I enhance your bubble?

Yeah, my QAnon belief system needs a tune-up. The predictions keep
failing.

I'm sorry, sir. But on advice of counsel, we no longer service violent
conspiracy theories.

How about my Dominion voting machine fantasy? Can I get that updated?

Afraid not, sir. That line was also discontinued after the Fox News
lawsuits. We now only carry theories that are legally bulletproof.

Like what?

Well, for instance, we still stock alien abductions.

Aliens can't sue?

No sir, they lack standing, ... Oh, wow! I see we're offering new
photographic evidence for only $29.95.

------------------------------

Date: Sun, 4 Dec 2022 12:11:13 PST
From: Peter G Neumann <neu...@csl.sri.com>
Subject: Quantifying a Large Rise in Hate Speech under Musk (NYTimes)

[Also for the RISKS truthiness department.]

*The New York Times*, 3 Dec 2022, Business front page, graphic:

* In the two weeks after Elon Musk acquired Twitter, antisemitic posts
referring to Jews and Judaism increased 61%.

* Before the acquisition, the average number of slurs a day against
Black Americans that appeared on Twitter was 1,282.
Afterward, they jumped to 3,876.

* Before Mr. Musk took over, the average number of slurs a day against
gay men that appeared in Twitter was 2,506.
Afterward, their use rose to 3,964.

This graphic appears over two articles in *The New York Times*, 3 Dec 2022,
Business front page:

1. Sheera Frenkel and Kate Conger, Research and interactions show little
focus on responding to complaints

2. Ryan Mac, Mike Isaac, and Kate Conger, Twitter flails in its bid
for advertisers as its financial expectations worsen

------------------------------

Date: Sat, 3 Dec 2022 12:52:34 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: MuskRat or MuskOx? (PGN-culled)

Elon, Twitter, advertisers, and Al Capone
Elon's Hunter Biden #Twitter *bombshell* was about as revelatory as the
opening of Al Capone's vault. (Google it.)

I'm sure advertisers will be oh so very reassured by Elon's behavior.
Nothing they'd like better than wondering if one day he'll start publicly
releasing emails between them and Twitter during one of his rants. Or maybe
DMs? Uh huh. -L

- - - -

Elon (Twitter) has been recommending the newly restored account of neo-Nazi
(Anglin) to everyday users

Elon is now Twitter. So I think it's fair to consider every Twitter
recommendation to be a recommendation from Elon.
https://www.washingtonpost.com/technology/2022/12/03/twitter-antisemitism-violence-jan-6/

- - - -

Every business and project of Musk is now tainted by his toxic behaviors
related to #Twitter. And any support of any of those projects or businesses
is directly or indirectly helping Elon to continue those behaviors. -L

- - - -

Elon Musk's Twitter Antics Are Tarnishing Tesla - Just As Its EV
Rivals Are Catching Up

https://www.forbes.com/sites/alanohnsman/2022/12/02/elon-musks-twitter-antics-are-tarnishing-teslajust-as-its-ev-rivals-are-catching-up/?sh=517a70ba2018

------------------------------

Date: Sun, 4 Dec 2022 13:59:33 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Domestic terrorism in North Carolina

Authorities say substation damage that has blacked out 40K in North Carolina
in cold weather (possibly until late this upcoming week) was done by
gunfire. The technical term for this is domestic terrorism. -L

------------------------------

Date: Sat, 3 Dec 2022 19:45:45 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Sirius XM flaw could've let hackers remotely unlock and start cars

https://www.theverge.com/2022/12/3/23491259/sirius-xm-hack-remotely-unlock-start-cars

------------------------------

Date: Sat, 03 Dec 2022 17:46:45 +0000
From: Henry Baker <hba...@pipeline.com>
Subject: Samsung and app-signing leakage

[We don't care. We don't have to. We're a Smart Phone Company.]
(with apologies to Lily Tomlin)

Ron Amadeo - 2 Dec 2022
Samsung's Android app-signing key has leaked, is being used to sign malware
[since 2016!]
https://arstechnica.com/gadgets/2022/12/samsungs-android-app-signing-key-has-leaked-is-being-used-to-sign-malware/

The cryptographic key proves an update is legit, assuming your OEM doesn't
lose it.

The story gets even weirder, though. As APKMirror founder Artem Russakovskii
points out, some of the samples of officially signed malware on VirusTotal
are from 2016! So has this problem been going on for six years? [...]

What OEMs really need to do is stop using the compromised keys to secure
their apps. It's not clear why Samsung continues to use the key. Android's
APK Signature Scheme V3 allows developers to change app keys with just an
update -- you authenticate an app with the new and old key and indicate that
only the new key is supported for updates. This is a requirement for Play
Store apps, but again, system apps from OEMs are not subject to any of the
Play Store rules, so some OEMs are still using the old v2 signature scheme.

Thankfully, these leaked keys are only for apps and not the keys used to
sign OS updates. So even if the v3 signature scheme is not in use,
theoretically the affected companies could ship a still-secure OTA update
that includes new system apps with new keys, and they could make new
corresponding Play Store updates that are compatible with those new
keys. That sounds like a lot of work, though.

Consumers are now left in the dark about how this happened and how it's
being handled. We're going to be very generous and hope it's just because
this is a newly developing situation right now. We'll update this post if
Samsung or Google answers any of our myriad questions.
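
[Added illustration, not part of Henry Baker's post or the Ars Technica
article: a simplified model of the v3 proof-of-rotation lineage described
above, written in Go with ed25519 standing in for the X.509/RSA certificates a
real APK lineage carries. Each rotation is the current key's signature over
the new key; an installer accepts an update only if the lineage verifies, the
update is signed by the newest key, and the key the installed app already
trusts appears in that lineage. The caveat the article's OTA remark implies
also falls out of the model: a device that has not yet received the rotation
update still trusts the old key, so rotation protects only once it is shipped.]

```go
package main

import (
	"crypto/ed25519"
	"errors"
)

// LineageNode: one signing key plus its proof-of-rotation, the previous key's
// signature over it (nil for the original key). Simplified model: real v3
// lineages carry X.509 certificates and capability flags, not raw ed25519 keys.
type LineageNode struct {
	Key         ed25519.PublicKey
	ProofByPrev []byte
}

// Rotate appends newPub; only the holder of the current (last) key may authorise it.
func Rotate(l []LineageNode, curPriv ed25519.PrivateKey, newPub ed25519.PublicKey) ([]LineageNode, error) {
	if !curPriv.Public().(ed25519.PublicKey).Equal(l[len(l)-1].Key) {
		return nil, errors.New("rotation must be signed by the current key")
	}
	return append(l, LineageNode{Key: newPub, ProofByPrev: ed25519.Sign(curPriv, newPub)}), nil
}

// VerifyLineage checks that every proof-of-rotation links key i-1 to key i.
func VerifyLineage(l []LineageNode) bool {
	for i := 1; i < len(l); i++ {
		if !ed25519.Verify(l[i-1].Key, l[i].Key, l[i].ProofByPrev) {
			return false
		}
	}
	return len(l) > 0
}

// AcceptUpdate: the installer takes an update (payload signed by l's newest key)
// only if l verifies and the key the installed app already trusts appears in l.
func AcceptUpdate(installed ed25519.PublicKey, l []LineageNode, payload, sig []byte) bool {
	if !VerifyLineage(l) || !ed25519.Verify(l[len(l)-1].Key, payload, sig) {
		return false
	}
	for _, n := range l {
		if n.Key.Equal(installed) {
			return true
		}
	}
	return false
}
```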

------------------------------

From: Monty Solomon <mo...@roscom.com>
Date: Sat, 3 Dec 2022 23:51:35 -0500
Subject: The more you submit, the more we get paid: How fintech fueled
COVID aid fraud (WashPost)

The probe by a congressional watchdog tasked to oversee roughly $5 trillion
in federal covid aid contends there was rampant abuse among fintechs.

https://www.washingtonpost.com/business/2022/12/01/fintech-covid-relief-fraud/

------------------------------

Date: Sun, 4 Dec 2022 00:19:32 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: TSA now wants to scan your face at security. Here are your rights.

16 major domestic airports are testing facial-recognition tech to verify IDs
-- and it could go nationwide in 2023.

https://www.washingtonpost.com/technology/2022/12/02/tsa-security-face-recognition/

------------------------------

Date: Sun, 4 Dec 2022 01:45:04 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Man Cashed His Dead Mother's Social Security Checks for 26 Years,

https://www.nytimes.com/2022/12/02/us/social-security-theft-dead-mother.html

------------------------------

Date: Sun, 4 Dec 2022 10:36:02 +0100
From: Peter Houppermans <pe...@houppermans.net>
Subject: Re: Blockchains, What Are They Good For? (RISKS-33.55)

Thank you for that article, and there is more.

In addition to the arguments in the article, there always was that other
problem that has never been solved but always glossed over: its actual
utility for real life transactions.

Due to the distributed nature of the beast, transactions take several
factors longer than traditional financial transactions, which, given its oft
stated aim to replace existing financial systems, has always struck me as a
rather important issue given the daily volume thereof. Add to that the
amount of resources and energy needed per transaction in the context of
global warming (which can no longer be shoved under the carpet as someone
else's problem), and the question indeed becomes ``why on Earth would you
use it?''

As an aside, for those that claimed blockchains to be shiny and new, an
online search for *Merkle Tree* is sure to disappoint.

------------------------------

Date: Sat, 3 Dec 2022 12:06:09 +0200
From: Amos Shapir <amo...@gmail.com>
Subject: Re: San Francisco Considers Allowing Use of Deadly Robots by Police
(RISKS-33.55)

The popular press tends to brand any remotely-controlled device, especially
when used by law enforcement bodies, as "a robot".

This confusion between remote control and autonomy might lead to approval
of devices in which a robot may control more than just movement -- including
making the decision when to pull the trigger.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.56
************************
