Risks Digest 33.46

RISKS List Owner

Sep 29, 2022, 8:13:38 PM
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Thursday 29 September 2022 Volume 33 : Issue 46

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.46>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
`Our world is in peril,' UN secretary general warns general assembly (CBC)
The UN Wants to Curb Anti-Satellite Missile Tests (WiReD)
Vulnerability of insulin pumps (Healio via Judith Hemenway)
Optus' breach exposes 9.8M customers' data (ABC-AU)
Tesla Megapack battery fire spurs shelter-in-place warning in California
(The Verge)
Multiple driverless Cruise cars block traffic in San Francisco
(SanFranChron)
Automakers are ignoring the simple solution to the rise of traffic deaths
(The Verge)
Egypt's submarine cable stranglehold (Sebastian Moss)
'Protestware' is on the rise, with programmers self-sabotaging their own
code. Should we be worried? (Techxplore.com)
Morgan Stanley Smith Barney to Pay $35 Million for Extensive Failures to
Safeguard Personal Information of Millions of Customers (SEC)
NY Suffolk Co. "911" system crippled by cyberattack, other gov't functions
also (WNBC)
American Airlines says hackers obtained some customer/employee data
(Engadget)
LastPass says hackers had internal access for four days (Bleeping Computer)
15-Year-Old Python Bug Allows Code Execution in 350k Projects (Ionut Ilascu)
Artist finds private medical record photos in popular AI training data set
(ArsTechnica)
Uber blames contractor for hack (Lauren Weinstein)
Luxury cars seized from 23-year-old 'Crypto King' as investors try to recoup
millions (CBC)
33% of U.S. TikTok users say they regularly get their news on the app, up
from 22% in 2020 (TechCrunch)
TikTok's search engine repeatedly delivers misinformation to its
majority-young user base, report says (CNN)
A common phishing attack sources from Gmail (Lauren Weinstein)
Wegmans Discontinues Self-Checkout App, Citing Losses (NYTimes)
Health apps share your concerns with advertisers. HIPAA can't stop it.
(WashPost)
NTSB wants all new vehicles to check drivers for alcohol use (NPR)
How vigilante *predator catchers* are infiltrating the criminal justice
system (WashPost)
Senators introduce a bill to protect open-source software (WashPost)
Open-Source Software That Lasts a Thousand Years? (Liam Tung)
The ITU's Secretary-General Election Could Shape the Internet's Future
(WiReD)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 20 Sep 2022 09:58:10 -0600
From: Matthew Kruk <mkr...@gmail.com>
Subject: `Our world is in peril,' UN secretary general warns general assembly
(CBC)

https://www.cbc.ca/news/world/antonio-guterres-1.6588574

He also warned of what he called "a forest of red flags" around new
technologies despite promising advances to heal diseases and connect people.
Guterres said social media platforms are based on a model "that monetizes
outrage, anger, and negativity." Artificial intelligence, he said, "is
compromising the integrity of information systems, the media, and indeed
democracy itself."

------------------------------

Date: Mon, 19 Sep 2022 01:00:13 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: The UN Wants to Curb Anti-Satellite Missile Tests (WiReD)

At a high-profile meeting in Geneva, international negotiators are moving
closer toward developing rules for space actors in low Earth orbit and
beyond.

https://www.wired.com/story/the-un-wants-to-curb-anti-satellite-missile-tests/

------------------------------

Date: Wed, 21 Sep 2022 18:35:13 +0000
From: Judith Hemenway <Jud...@divingturtle.com>
Subject: Vulnerability of insulin pumps (Healio)

Although the insulin pumps are not accessible via the Internet, they are
vulnerable via pairing from near-by devices. Causing the pump to deliver
either too much or too little insulin can be life-threatening.

https://www.healio.com/news/endocrinology/20220920/fda-warns-of-possible-cybersecurity-risk-with-medtronic-minimed-600-series-insulin-pumps

------------------------------

Date: Mon, 26 Sep 2022 21:00:04 +0000
From: John Colville <John.C...@uts.edu.au>
Subject: Optus' breach exposes 9.8M customers' data (ABC-AU)

Optus is Australia's second largest Telco.

https://www.abc.net.au/news/2022-09-23/optus-rejects-claim-hack-likely-result-of-human-error/101468846
https://www.abc.net.au/news/2022-09-25/new-security-measures-to-be-unveiled-following-optus-data-breach/101472364

------------------------------

Date: Tue, 20 Sep 2022 22:08:28 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Tesla Megapack battery fire spurs shelter-in-place warning in
California (The Verge)

https://www.theverge.com/2022/9/20/23363345/tesla-megapack-battery-fire-california-monterey-pg-and-e

------------------------------

Date: Tue, 27 Sep 2022 15:32:08 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: Multiple driverless Cruise cars block traffic in San Francisco
(SanFranChron)

At least three driverless Cruise cars were responsible for holding up
traffic and reportedly blocking a bus lane in San Francisco last week, the
latest in a string of incidents involving the locally headquartered
self-driving car company.

A video shared on Reddit showed two of Cruise's vehicles at a standstill
Thursday evening, near the intersection of Sacramento and Leavenworth
streets, with their hazard lights flashing. A Muni bus appeared to be
stalled about a block behind them.

``Come on, we've got to get the f*** going,'' one person could be heard
yelling in the background of the video. ``There's no driver!'' another
responded.

https://www.sfgate.com/local/article/driverless-cruise-cars-block-SF-traffic-17467985.php

------------------------------

Date: Mon, 19 Sep 2022 19:34:14 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Automakers are ignoring the simple solution to the rise of traffic
deaths (The Verge)

Automakers are ignoring the simple solution to the rise of traffic deaths
https://www.theverge.com/23360839/cars-speed-safety-traffic-deaths-technology-usdot

------------------------------

Date: September 20, 2022 21:17:26 JST
From: Dewayne Hendricks <dew...@warpspeed.com>
Subject: Egypt's submarine cable stranglehold (Sebastian Moss)

Sebastian Moss, Datacenter Dynamics, 15 Sep 2022
Understanding the Middle East bottleneck, and how things could be set to
change
https://www.datacenterdynamics.com/en/analysis/egypts-submarine-cable-stranglehold/

The world's digital infrastructure has been built by the paranoid. At every
turn, equipment is duplicated, routes are triplicated, fuel reserves are
over-filled. Astronomical sums are spent on building layers and layers of
safety into the system, as suspicious minds game out various scenarios that
could put the precious flow of data at risk. And yet, there remains one
giant bottleneck, a quirk of geography and geopolitics, that is anything but
redundant.

If you take a map of the world's submarine cable infrastructure, responsible
for shuttling data between nations and entire continents, and zoom in on the
Middle East, you will notice something striking: Everything goes through
Egypt.

Data traveling to and from Europe and Asia, as well as Northern Africa and
the Middle East itself, has just one route.

Coming from the Gulf of Aden, cables snake up along the Red Sea, and into
the Gulf of Suez. There, they make landfall in Egypt, traversing little more
than a hundred miles, before breaking out into the Mediterranean Sea.

"There's no way a network operator would design their network like this
under ideal conditions, right?" said Paul Brodsky, senior analyst at
Telegeography, best known for its maps of cable routes. "They don't like
having everything funneled through one place."

This route concentration is a concern for reliability, putting an estimated
17 percent of the world's Internet traffic in the hands of one country, and
in one shallow and narrow sea. But it is also a concern for businesses,
which have to contend with a monopoly.

To get through Egypt, companies have to pay exorbitant fees to state-owned
Telecom Egypt. Prices have risen dramatically, amid claims of corruption,
but operators have had little choice but to pay. At least until now.

The only route

The story of Egypt's submarine stranglehold is hard to tell. Several
analysts declined to talk on the record due to business relationships with
Telecom Egypt. Cable providers either declined to talk, or did not respond
to requests for comment. ``I am afraid I won't be open to discuss the
Egyptian submarine cable bottleneck due to certain concerns,'' another
industry figure said, declining to elaborate.

In Egypt itself, it's even harder to talk about the cable situation. In
2019, the TV host of local news program 90 minutes, Ossama Kamal, accused
the government of corruption with the way it charges submarine cable
operators, and said it risked destroying its position as the gateway between
Asia and Europe.

Immediately following the broadcast, he was suspended from his show, fined,
and forced to apologize. He did not respond to requests for comment.

Whether Telecom Egypt abuses its market dominance is a matter of debate --
some, speaking on background, called fees extortionate. Others accepted it
as the cost of business for using the most logical route through the Middle
East, with more than a dozen major cables choosing to go across the country.

Egypt's position as a critical communications node between East and West
dates all the way back to the colonial era, and remains, due to a few simple
reasons.

First is geography: It's the shortest stretch of land between the
Mediterranean and Arabian seas, hence the creation of the Suez Canal for
shipping. Network operators like to avoid needlessly traveling across land,
with its expensive owners and pesky national sovereignties that need to be
dealt with.

Then comes geopolitics. Do Western companies want data to travel through
Iran? How about Iraq, Afghanistan, or Syria? Operators like to steer clear
of sanctioned nations, or active war zones, so they are off most people's
preferred routes -- although some have still tried, but we'll get to that
later. There is one other journey they could take, but that too, we shall
save.

Finally, there are market forces. "Once you establish a route and
everybody's using it, the cost goes down as more people use it," Doug
Madory, director of Internet analysis at Kentik, explained. "So it's really
hard not to use it, and it's hard to break out of what ends up being the
most selected path.

``With this Egypt chokepoint, obviously the geographic layout is the number
one reason, but then once it gets established, it's super hard to break out
because then there's so many cables, so many lines, so much infrastructure
built along that path.''

With this in its favor, Telecom Egypt has been able to charge huge fees --
between 6.6 percent and 17.4 percent of its total revenues came from cable
fees between 2008 to 2019, according to Submarine Cable Networks. The
founder of SCN declined to comment.

It took a while for the state telco to realize it was sitting on a goldmine:
It used to sell a perpetual license for somewhere in the ballpark of
$100k. Then they moved to a monthly fee, a source told DCD. "Then they said
'oh no, we want to have the transit costs, where people pay by volume of
traffic.' So if tomorrow traffic doubles for a telecom, they get double pay
or whatever the tiering system is," Madory said. "I feel like that was too
far -- people started to revolt, although what can you do? It's not like
there's another Egypt you can go to."

Another industry figure called the fees "ridiculous." An SCN report found
that 12 submarine cables crossing Egypt paid the telco at least $369 million
for Indefeasible Right of Use, with additional Operation and Maintenance
(O&M) charges during the lifetime - however, it is not clear if this is
before the telco tried to shift to charging more for more traffic.

[Long item. The rest is PGN-truncated for RISKS.]

------------------------------

Date: Thu, 29 Sep 2022 00:23:17 +0000
From: Richard Marlon Stein <rms...@protonmail.com>
Subject: 'Protestware' is on the rise, with programmers self-sabotaging
their own code. Should we be worried? (Techxplore.com)

https://techxplore.com/news/2022-09-protestware-programmers-self-sabotaging-code.html

"In March 2022, the author of node-ipc, a software library with over a
million weekly downloads, deliberately broke their code. If the code
discovers it is running within Russia or Belarus, it attempts to replace the
contents of every file on the user's computer with a heart emoji."

Open-source software dependencies are ubiquitous. Most, if not all,
open-source components are adopted and integrated without substantial or any
code review. Never mind the details, get that stack to work and sell, sell,
sell. [...]

NIST's "Security and Privacy Controls for Information Systems and
Organizations" identifies two control family items emphasizing code reviews
as a method for reducing cybersecurity risks: RA-5 (Vulnerability Monitoring
and Scanning), SA-11 (Developer Testing and Evaluation).
(https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf)

Intentional sabotage/service denial based on conditional run-time factors:
location of use, date/time of day, ip address/domain, etc.

Extremely nefarious risk.

------------------------------

Date: Tue, 20 Sep 2022 13:38:54 -0400
From: =?iso-8859-1?Q?Jos=E9_Mar=EDa?= Mateos <ch...@rinzewind.org>
Subject: Morgan Stanley Smith Barney to Pay $35 Million for Extensive
Failures to Safeguard Personal Information of Millions of Customers (SEC)

https://www.sec.gov/news/press-release/2022-168

The Securities and Exchange Commission today announced charges against
Morgan Stanley Smith Barney LLC (MSSB) stemming from the firm's extensive
failures, over a five-year period, to protect the personal identifying
information, or PII, of approximately 15 million customers. MSSB has agreed
to pay a $35 million penalty to settle the SEC charges.

The SEC's order finds that, as far back as 2015, MSSB failed to properly
dispose of devices containing its customers' PII. On multiple occasions,
MSSB hired a moving and storage company with no experience or expertise in
data destruction services to decommission thousands of hard drives and
servers containing the PII of millions of its customers. Moreover, according
to the SEC's order, over several years, MSSB failed to properly monitor the
moving company's work. The staff's investigation found that the moving
company sold to a third party thousands of MSSB devices including servers
and hard drives, some of which contained customer PII, and which were
eventually resold on an Internet auction site without removal of such
customer PII. While MSSB recovered some of the devices, which were shown to
contain thousands of pieces of unencrypted customer data, the firm has not
recovered the vast majority of the devices.

[Long item. The rest is PGN-truncated for RISKS.
Also, Matthew Kruk noted a NYTimes item on this issue:
Morgan Stanley Hard Drives With Client Data Turn Up on Auction Site
https://www.nytimes.com/2022/09/20/us/morgan-stanley-smith-barney-settlement.html
PGN]

------------------------------

Date: Sat, 24 Sep 2022 21:52:19 +0000 ()
From: danny burstein <dan...@panix.com>
Subject: NY Suffolk Co. "911" system crippled by cyberattack, other gov't
functions also (WNBC)

Suffolk County Asks NYPD for Help After Hack Cripples 911 Call Center and
Police HQ

Ten days after a cyber attack hit Suffolk County computers, much of the
county's police department is still deeply feeling the effects -- and is
calling on the NYPD for backup.

The 911 dispatch center at the Suffolk County Police Department headquarters
has been reduced to using pen and paper, after hackers took down the county
government's computers.

"Unfortunately had to go back to our old system where information is
recorded by hand and information is handed to the dispatcher, in contrast to
putting it into a computer-aided system," said Suffolk County Police
Commissioner Rodney Harrison. [...] And it's not just police hurting as a
result. Title searches, an essential part of real estate closings, have been
frozen too. Lawyers and buyers are trying to proceed with caution.

https://www.nbcnewyork.com/news/local/suffolk-county-hack-cripples-911-call-center-and-police-hq-as-they-turn-to-nypd-for-help/3871797/

------------------------------

Date: Tue, 20 Sep 2022 22:10:08 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: American Airlines says hackers obtained some customer/employee data
(Engadget)

https://www.engadget.com/american-airlines-data-breach-customer-employee-data-180132383.html?src=rss

------------------------------

From: Monty Solomon <mo...@roscom.com>
Date: Mon, 19 Sep 2022 14:56:36 -0400
Subject: LastPass says hackers had internal access for four days
(Bleeping Computer)

https://www.bleepingcomputer.com/news/security/lastpass-says-hackers-had-internal-access-for-four-days/

------------------------------

Date: Fri, 23 Sep 2022 12:29:41 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: 15-Year-Old Python Bug Allows Code Execution in 350k Projects
(Ionut Ilascu)

Ionut Ilascu, *BleepingComputer*, 21 Sep 2022 via ACM Tech News 23 Sep 2022

An unpatched 15-year-old bug in the Python programming language could affect
more than 350,000 open-source repositories, and could lead to code
execution. The path traversal vulnerability, disclosed in 2007, resides in
the Python tarfile package, and can allow hackers to overwrite arbitrary
files. The flaw exists because the code in the extract function in Python's
tarfile module trusts data in the TarInfo object "and joins the path that is
passed to the extract function and the name in the TarInfo object." Analyst
Charles McFarland at extended detection and response solutions provider
Trellix rediscovered the bug while probing another security issue. No
reports indicate the bug has been exploited in attacks, although it remains
a threat in the software supply chain.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f446x23641bx070841&
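
The path join described in the item above, seen from the defender's side, as an added example that is not part of the digest or the cited article: a pre-extraction check that resolves each member's joined path and refuses the archive if any name or link target lands outside the destination. The archive contents and the function names (`unsafe_members`, `safe_extract`, `demo`) are constructed for illustration.

```python
import io
import os
import tarfile
import tempfile


def build_archive(files, symlinks=()):
    """Build an in-memory tar from (name, bytes) files and (name, target) symlinks."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, data in files:
            info = tarfile.TarInfo(name=name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in symlinks:
            info = tarfile.TarInfo(name=name)
            info.type = tarfile.SYMTYPE
            info.linkname = target
            tar.addfile(info)
    return buf.getvalue()


# Constructed samples (not taken from any real package).
BENIGN = build_archive([("docs/readme.txt", b"ok\n")])
HOSTILE = build_archive(
    [("docs/readme.txt", b"ok\n"), ("../outside.txt", b"escaped\n")],
    symlinks=[("docs/link", "/etc")],
)


def _inside(base, candidate):
    """True if candidate, once resolved, is base itself or lies beneath it."""
    base = os.path.realpath(base)
    return os.path.commonpath([base, os.path.realpath(candidate)]) == base


def unsafe_members(archive_bytes, dest):
    """Return (member name, reason) for every member that must not be extracted."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        for member in tar.getmembers():
            # The join of destination path and member name that the item describes.
            target = os.path.join(dest, member.name)
            if not _inside(dest, target):
                findings.append((member.name, "name escapes destination"))
            elif member.issym() or member.islnk():
                # Symlink targets are relative to the link's own directory,
                # hard-link targets to the archive root.
                anchor = os.path.dirname(target) if member.issym() else dest
                if not _inside(dest, os.path.join(anchor, member.linkname)):
                    findings.append((member.name, "link target escapes destination"))
            elif not (member.isfile() or member.isdir()):
                findings.append((member.name, "special file type"))
    return findings


def safe_extract(archive_bytes, dest):
    """Extract only if every member stays inside dest; otherwise extract nothing."""
    findings = unsafe_members(archive_bytes, dest)
    if findings:
        raise ValueError(f"refusing to extract: {findings}")
    with tarfile.open(fileobj=io.BytesIO(archive_bytes)) as tar:
        # Interpreters that ship extraction filters get the stdlib check as well.
        extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, **extra)
    return sorted(os.listdir(dest))


def demo():
    """Run both samples; return (hostile rejected, file escaped, benign listing)."""
    with tempfile.TemporaryDirectory() as root:
        dest = os.path.join(root, "unpack")
        os.mkdir(dest)
        try:
            safe_extract(HOSTILE, dest)
            rejected = False
        except ValueError:
            rejected = True
        escaped = os.path.exists(os.path.join(root, "outside.txt"))
        return rejected, escaped, safe_extract(BENIGN, dest)


if __name__ == "__main__":
    print(demo())
```

The check rejects the whole archive rather than skipping the bad members, so a partially unpacked tree is never left behind.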

------------------------------

Date: Mon, 26 Sep 2022 10:27:24 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: Artist finds private medical record photos in popular AI training
data set (ArsTechnica)

Late last week, a California-based AI artist who goes by the name Lapine
discovered private medical record photos taken by her doctor in 2013
referenced in the LAION-5B image set, which is a scrape of publicly
available images on the web. AI researchers download a subset of that data
to train AI image synthesis models such as Stable Diffusion and Google
Imagen.

https://arstechnica.com/information-technology/2022/09/artist-finds-private-medical-record-photos-in-popular-ai-training-data-set/

------------------------------

Date: Mon, 19 Sep 2022 13:31:29 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Uber blames contractor for hack

So Uber is apparently blaming a contractor (sure, blame the contractor, so
typical) for the fact that Uber's corp network was so easily & broadly
penetrated by a hacker. If they had been using U2F keys & "zero trust"
security it's hard to see how this hack could have occurred. -L

[Monty Solomon noted this item:
Uber links breach to Lapsus$ group, blames contractor for hack
https://www.bleepingcomputer.com/news/security/uber-links-breach-to-lapsus-group-blames-contractor-for-hack/
PGN]

------------------------------

Date: Fri, 23 Sep 2022 06:20:18 -0600
From: Matthew Kruk <mkr...@gmail.com>
Subject: Luxury cars seized from 23-year-old 'Crypto King' as investors try
to recoup millions (CBC)

https://www.cbc.ca/news/canada/toronto/luxury-cars-seized-crypto-king-investors-try-recoup-millions-1.6583982

Two McLarens, two BMWs and a Lamborghini make up just a few of the $2M worth
of assets seized from a 23-year-old from Whitby, Ont., as his investors try
to recoup millions of dollars they handed over to the self-described *Crypto
King*. But so far, Aiden Pleterski's assets fall far short of what his
investors claim they're owed.

Creditors are working to unravel where at least $35 million provided to
Pleterski and his company AP Private Equity Limited for cryptocurrency and
foreign exchange investments ended up, according to a fraud recovery lawyer
and documents filed in two separate actions reviewed by CBC Toronto.

------------------------------

Date: Tue, 20 Sep 2022 22:13:56 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: 33% of U.S. TikTok users say they regularly get their news on the
app, up from 22% in 2020 (TechCrunch)

https://techcrunch.com/2022/09/20/33-of-u-s-tiktok-users-say-they-regularly-get-their-news-on-the-app-up-from-22-in-2020/

------------------------------

Date: Mon, 19 Sep 2022 07:47:39 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: TikTok's search engine repeatedly delivers misinformation to its
majority-young user base, report says (CNN)

What the hell else would you expect from a Chinese search engine? -L

https://www.cnn.com/2022/09/18/business/tiktok-search-engine-misinformation/index.html

------------------------------

Date: Mon, 19 Sep 2022 07:57:53 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: A common phishing attack sources from Gmail

The vast majority of "fake invoice" phishing attacks (the ones that ask you
to call a phone number to cancel a "renewal" for example, where they then
ask for credit card info, etc.) appear to source from @gmail
addresses. Piles of them every day being sent to non-Gmail addresses. -L

------------------------------

Date: Mon, 19 Sep 2022 08:02:11 -0400
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: Wegmans Discontinues Self-Checkout App, Citing Losses (NYTimes)

Self-checkout systems are intended to make shopping convenient, but they
also can lead to more thefts, experts said.

https://www.nytimes.com/2022/09/18/business/wegmans-self-checkout-shoplifting.html

------------------------------

Date: Thu, 22 Sep 2022 19:26:53 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Health apps share your concerns with advertisers. HIPAA can't stop
it. (WashPost)

Tatum Hunter and Jeremy B. Merrill, *The Washington Post*, 22 Sep 2022
https://www.washingtonpost.com/technology/2022/09/22/health-apps-privacy/

From depression to HIV, we found popular health apps sharing potential health
concerns and user identifiers with dozens of ad companies.

------------------------------

Date: Tue, 20 Sep 2022 20:19:43 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: NTSB wants all new vehicles to check drivers for alcohol use (NPR)

The recommendation also calls for systems to monitor a driver's behavior,
making sure they're alert. She said many cars now have cameras pointed at
the driver, which have the potential to limit impaired driving.

But Homendy says she also understands that perfecting the alcohol tests will
take time. "We also know that it's going to take time for NHTSA to evaluate
what technologies are available and how to develop a standard."

https://www.npr.org/2022/09/20/1124171320/autos-drunk-driving-blood-alcohol-system-ntsb

Interesting there's no mention of developments in driver assistance
features, let alone attempting autonomous driving.

------------------------------

Date: Thu, 22 Sep 2022 19:06:07 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: How vigilante *predator catchers* are infiltrating the criminal
justice system (WashPost)

How vigilante *predator catchers* are infiltrating the criminal justice
system. It began with a live-streamed shaming in an Olive Garden parking
lot. It ended with an Indiana cop on trial for child solicitation.

https://www.washingtonpost.com/dc-md-va/2022/09/22/prredator-catchers-vigilante-justice/

------------------------------

Date: Sat, 24 Sep 2022 09:37:09 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Senators introduce a bill to protect open-source software
(WashPost)

https://www.washingtonpost.com/politics/2022/09/22/senators-introduce-bill-protect-open-source-software/

ALSO: Lawmakers introduce bill to tackle open-source software
https://www.axios.com/2022/09/23/open-source-software-log4j-senate-bill

[Protecting it sounds like what the offense does.
Tackling it sounds like what the defense does to the offense.
I find the defensive second title *offensive*! PGN]

------------------------------

Date: Fri, 23 Sep 2022 12:29:41 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Open-Source Software That Lasts a Thousand Years? (Liam Tung)

Liam Tung, *ZDNet*, 21 Sep 2022 via ACM Tech News 23 Sep 2022

GitHub has completed the construction of its Arctic Code Vault, a
21-terabyte snapshot of all public software repositories mainly encoded in
quick response codes and located 250 meters (820 feet) within a mountain in
Svalbard, Norway. The GitHub Archive Program's Jon Evans said, "Our hope is
that by storing and indexing millions of repositories, we have captured a
valuable cross-section of the world of modern software." The archive is
designed to last a millennium, with the snapshot stored on more than 180
film reels. A nearly 1.5-ton steel box contains the archive, and is
decorated with artificial intelligence-generated etchings to entice future
generations. Evans said the vault could potentially help someone who may
need software that is otherwise lost, and also will serve as a historical
record.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f446x23641ex070841&

------------------------------

Date: Tue, 27 Sep 2022 18:53:06 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: The ITU's Secretary-General Election Could Shape the Internet's
Future (WiReD)

UN countries are preparing to pick a new head of the International
Telecommunications Union. Who wins could shape the open Web's future.

Authoritarian states like China, Cordell wrote, "have increased their
interest and activism in the ITU, leading to concerns that their outsized
influence in standards setting may lead to the bifurcation of the Internet."
His time at the helm of the organization, according to Cordell, has been
marked by "highly favorable comments and decisions in support of Chinese
companies." Huawei alone has submitted some 2,000 new standards proposals
to the organization, according to Cordell.

https://www.wired.com/story/2022-itu-secretary-general-election

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.46
************************