Risks Digest 33.31

RISKS-LIST: Risks-Forum Digest Saturday 2 July 2022 Volume 33 : Issue 31

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.31>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
The Wheels Have Come Off Electric Vehicles (Bloomberg)
Who Is Liable when AI Kills? (Scientific American)
Four Takeaways From a Times Investigation Into China's Expanding
Surveillance State (NYTimes)
An Invisible Cage: How China Is Policing the Future (NYTimes)
China lured graduate jobseekers into digital espionage (ArsTechnica)
Internet Explorer Shutdown to Cause Japan Problems 'For Months'
(Financial Times)
School Surveillance Will Never Protect Kids From Shootings (WiReD)
UK plan to scrap cookie consent boxes will make it easier to spy on web
users (The Guardian)
"Whoops. That Feeling When the AG of the most populous state publishes a
list of where all the handguns are..." (twitter via geoff goodfellow)
Supercookies Have Privacy Experts Sounding the Alarm (WiReD)
Police sweep Google searches to find suspects. The tactic is facing its
first legal challenge. (NBC News)
DARPA report exposes blockchain vulnerabilities (exodus)
'Mystery rocket' that crashed into the Moon baffles NASA scientists (Chron)
Mega says it can't decrypt your files. New POC exploit shows otherwise.
(ArsTechnica)
The Assessments of the Swiss Post E-Voting System (Andrew Appel)
2022 Zero-day in-the-wild exploitation (Maddie Stone)
Ocean Freight Shipping Costs Are Driving Goods Prices Higher (ProPublica)
ZuoRAT Trojan (WiReD)
Sophisticated attacks against range of SOHO routers (ArsTechnica)
Microsoft Plans to Eliminate Face Analysis Tools in Push for `Responsible AI'
(NYTimes)
The Race to Hide Your Voice (WiReD)
Amazon demonstrates Alexa mimicking the voice of a deceased relative (CNBC)
South Carolina mom says baby monitor was hacked; Experts say many devices
are vulnerable (NPR)
St. John's woman loses home after Phoenix pay fiasco (CBC)
"These Period Tracker Apps Say They Put Privacy First. Here's What We Found."
(Consumer Reports)
FCC asks Google, Apple to remove TikTok due to data privacy concerns at
Chinese-owned company TikTok (CBC)
Lost and Found: USB Sticks With Data on 460,000 People (NYTimes)
Some Crypto Exchanges Already Secretly Insolvent (Forbes)
Unintended Centralities in Distributed [Blockchain] Ledgers (via Lauren W.)
Crypto Crash Widens Divide Between Rich and Amateur Traders (NYTimes)
Cryptocurrency Titan Coinbase providing "Geo Tracking Data" to ICE
(The Intercept)
Crypto traceability and market rules agreed by EU lawmakers (TechCrunch)
Crypto investors' hot streak ends as harsh 'winter' descends (Boston Globe)
Alex Mashinky's Celsius crypto bank draws probe by five states (WashPost)
LOL Headline of the Day (LW)
When customers say their money was stolen on Zelle, banks often refuse to
pay (NYTimes)
Planned Parenthood Privacy (WashPost)
Re: Micropatching on the fly (John Levine)
Re: A Periodic Issue (Steven J. Greenwald)
Re: Long-term planning and Optimization (Martin Ward, Martin Ward)
Re: It is 2022. My coffee mug wants me to log in, wants to know my location,
and if it can send me promotional emails... (geoff goodfellow)
AT&T Fiber Optic outage update (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 30 Jun 2022 16:51:19 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: The Wheels Have Come Off Electric Vehicles (Bloomberg)

*If Toyota's cars can't keep their tires on, what good is its $35 billion
EV pledge?*

The world's biggest car company, Toyota Motor Corp., reluctantly released
an electric vehicle in May
<https://global.toyota/en/newsroom/toyota/37135919.html#:~:text=Toyota%20City%2C%20Japan%2C%20April%2012,BEV*1%20on%20May%2012.>.
Weeks later, it recalled 2,700 of them because there was a risk their
wheels -- the most fundamental component -- would fall off. If that's the
level of quality and safety traditional auto giants are willing to commit
to, then investors and regulators should increase their scrutiny.

Getting it right on battery technology and electric motors is one thing,
but bolting the wheels on properly? It shouldn't even be a question.
Billions of dollars have been invested, huge promises have been made and
every major car manufacturer in the world has committed to go electric and
clean. What's more, cars are selling at record high prices.

Toyota's statement was alarming
<https://pressroom.toyota.com/toyota-is-conducting-a-safety-recall-involving-2023-model-year-bz4x-vehicles/>.
``After low-mileage use, all of the hub bolts on the wheel can loosen to the
point where the wheel can detach from the vehicle. If a wheel detaches from
the vehicle while driving, it could result in a loss of vehicle control,
increasing the risk of a crash,'' the company said as it recalled its first
electric car release. Long a leader in hybrid or gasoline-electric
technology, the Japanese firm has been dragging its feet on EVs as
competitors like Volkswagen AG have raced ahead. Toyota president Akio
Toyoda has in the past commented on the excessive hype around green cars and
pointed out the downsides.
<https://www.wsj.com/articles/toyotas-chief-says-electric-vehicles-are-overhyped-11608196665>

Meanwhile, Subaru Corp., in which Toyota holds a 20.02% stake, also recalled
the Solterra, a related electric vehicle model jointly developed that shares
parts with the latter's bZ4x.

Recalls are par for the course in the auto industry -- every year, millions
of vehicles are affected. Last year, more than 21 million were accounted for
in recalls mandated by the U.S. National Highway Traffic Safety
Administration, according to third-party data provider Recall Master
<https://www.recallmasters.com/sor/>. In addition, several million more are
part of so-called voluntary campaigns that aren't formally recognized by the
authority. [...]

https://www.bloomberg.com/opinion/articles/2022-06-29/the-wheels-come-off-toyota-s-electric-vehicles

------------------------------

Date: Thu, 30 Jun 2022 01:57:16 +0000
From: Richard Marlon Stein <rms...@protonmail.com>
Subject: Who Is Liable when AI Kills? (Scientific American)

George Maliha and Ravi B. Parikh, Scientific American, 29 Jun 2022
https://www.scientificamerican.com/article/who-is-liable-when-ai-kills/

"The key is to ensure that all stakeholders, users, developers and everyone
else along the chain from product development to use—bear enough liability
to ensure AI safety and effectiveness -- but not so much that they give up on
AI."

Organizations that build and deploy AI must be held accountable for usage
incidents, be they benign or injurious. Changing the rules -- regulations
-- means that stakeholders negotiate proposed regulations which are
approved by lawmakers, and enforced by regulators. Two of the stakeholders
-- lawmakers and regulators -- are often captured, or wholly compromised
by, deep pockets or political interests.

Product liability laws are outdated -- they were written for industry
conditions that assumed only humans and their parent organizations held
responsibility for product faults and the incidents or damage they
cause. There was no anticipation of AI product deployment, and how
autonomous products alter the liability landscape.

Product terms of service for virtually every business or institution
(including governments) invoke indemnification to shield them (their
organizations and their employees) against liability save for acts of wanton
negligence.

The terms assert commercial impunity: The consumer purchases a product, and
via the license terms of use granted therein, agrees to indemnify (hold without
fault) the producing organization (and its employees) for any untoward
outcome, including injury or fatality.

Occasionally, where there's a question of guilt attributed to said product
or organization, a negotiated settlement ensues, one that includes
non-disclosure of the settlement terms, and a non-admission of guilt to
resolve the lawsuit.

A liability law rewrite, with AI-in-the-loop, will subject organizations to
newly defined accountability IF there's sufficient representative consumer
interests at the negotiating table to balance the corporate lobby's
litigiousness.

The essay identifies 3 areas of liability regulation revision. The 3rd item
of the authors' liability reform addresses revised standards that might
establish a regulatory liability basis for AI.

The revised standards should include mandatory explainability requirements
for any deployed AI product to assist and simplify incident
triage. Explainability can elevate visibility into autonomous product faults
and accelerate the incorporation of lessons learned that prevent
recurrence. Data and voice recorders deployed in aircraft and trains help
earn and sustain capriciously volatile public trust by teaching mistakes. An
equivalent capability will benefit public health and safety exposed to
AI-enabled product deployments.

[As RISKS readers well know, blame can also be spread around flawed
hardware, operating systems, applications, requirements, etc. PGN]

------------------------------

Date: Tue, 21 Jun 2022 08:47:14 -0400
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: Four Takeaways From a Times Investigation Into China's Expanding
Surveillance State (NYTimes)

*The Times* reporters spent over a year combing through government bidding
documents that reveal the country's technological road map to ensure the
longevity of its authoritarian rule:

Chinese police analyze human behaviors to ensure facial recognition
cameras capture as much activity as possible.

Authorities are using phone trackers to link people's digital lives to their
physical movements.

DNA, iris scan samples, and voice prints are being collected indiscriminately
from people with no connection to crime.

The government wants to connect all of these data points to build
comprehensive profiles for citizens -- which are accessible throughout the
government.

https://www.nytimes.com/2022/06/21/world/asia/china-surveillance-investigation.html

------------------------------

Date: Sun, 26 Jun 2022 10:38:20 -0400
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: An Invisible Cage: How China Is Policing the Future (NYTimes)

The more than 1.4 billion people living in China are constantly watched.
They are recorded by police cameras that are everywhere, on street corners
and subway ceilings, in hotel lobbies and apartment buildings. Their phones
are tracked, their purchases are monitored, and their online chats are
censored.

Now, even their future is under surveillance.

The latest generation of technology digs through the vast amounts of data
collected on their daily activities to find patterns and aberrations,
promising to predict crimes or protests before they happen. They target
potential troublemakers in the eyes of the Chinese government -- not only
those with a criminal past but also vulnerable groups, including ethnic
minorities, migrant workers and those with a history of mental illness.

https://www.nytimes.com/2022/06/25/technology/china-surveillance-police.html

------------------------------

Date: Fri, 1 Jul 2022 12:19:04 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: China lured graduate jobseekers into digital espionage
(ArsTechnica)

https://arstechnica.com/information-technology/2022/06/china-lured-graduate-jobseekers-into-digital-espionage/

https://www.ft.com/content/2e4359e4-c0ca-4428-bc7e-456bf3060f45

------------------------------

Date: Mon, 27 Jun 2022 12:08:59 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Internet Explorer Shutdown to Cause Japan Problems 'For Months'
(Financial Times)

Masaharu Ban and Kosuke Toshi. *Financial Times*, 24 Jun 2022

Microsoft's recent termination of the Internet Explorer (IE) browser has
sparked panic among businesses and government agencies in Japan that had
delayed updating their Websites. Tokyo-based software developer Computer
Engineering & Consulting (CEC) has been flooded with help requests since
April, mainly from government agencies, financial institutions, and
manufacturing and logistics companies that operate sites that only work with
IE. In a March poll by IT resource provider Keyman's Net, almost half of
respondents said they used the IE browser for work, and more than 20% of
those respondents said they did not know how to transition to another
browser.


------------------------------

Date: Thu, 30 Jun 2022 23:47:21 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: School Surveillance Will Never Protect Kids From Shootings (WiReD)

If we are to believe the purveyors of school surveillance systems, K-12
schools will soon operate in a manner akin to some agglomeration of Minority
Report, Person of Interest, and Robocop. "Military grade" systems would
slurp up student data, picking up on the mere hint of harmful ideations, and
dispatch officers before the would-be perpetrators could carry out their
vile acts. In the unlikely event that someone were able to evade the
predictive systems, they would inevitably be stopped by next-generation
weapon-detection systems and biometric sensors that interpret the gait or
tone of a person, warning authorities of impending danger. The final layer
might be the most technologically advanced—some form of drone or maybe even
a robot dog, which would be able to disarm, distract, or disable the
dangerous individual before any real damage is done. If we invest in these
systems, the line of thought goes, our children will finally be safe.

https://www.wired.com/story/school-surveillance-never-protect-kids-shootings

------------------------------

Date: Thu, 30 Jun 2022 09:33:52 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: UK plan to scrap cookie consent boxes will make it easier to
spy on web users (The Guardian)

*Privacy campaign group warns against government's proposals to move to an
*opt-out* model*

Proposals to scrap pop-up cookie consent boxes on websites will make it
easier to spy on web users, a privacy campaign group has warned.

Cookie banners are a common feature for web users, who are asked to give
their consent for websites as well as marketing and advertising businesses
to gather information about their browsing activity. Ministers announced
proposals on Friday to move to an opt-out model for cookie consent.
<https://www.theguardian.com/technology/2022/feb/02/techscape-google-chrome-cookies>

``In the future, the government intends to move to an opt-out model of
consent for cookies placed by websites,'' said the Department for Digital,
Culture, Media and Sport (DCMS). ``This would mean cookies could be set
without seeking consent, but the website must give the web user clear
information about how to opt out.''

Open Rights Group (ORG), which campaigns for privacy and free speech online,
said the proposal would make spying on people's activities the *default
option*. [...]
https://www.theguardian.com/technology/2022/jun/17/uk-plan-to-scrap-cookie-consent-boxes-will-make-it-easier-to-spy-on-web-users

------------------------------

Date: Thu, 30 Jun 2022 09:46:45 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: "Whoops. That Feeling When the AG of the most populous state
publishes a list of where all the handguns are..." (twitter)

https://twitter.com/briankrebs/status/1542233920204324866

------------------------------

Date: Thu, 30 Jun 2022 15:14:44 -0400
From: Gabe Goldberg
Subject: Supercookies Have Privacy Experts Sounding the Alarm (WiReD)

A German ad-tech trial features what Vodafone calls "digital tokens."
Should you be worried?

https://www.wired.com/story/trustpid-digital-token-supercookie

------------------------------

Date: Thu, 30 Jun 2022 19:00:55 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Police sweep Google searches to find suspects. The tactic is facing
its first legal challenge. (NBC News)

Privacy advocates are watching the case closely, concerned that police could
use reverse keyword searches to investigate people who seek information
about abortions.

https://www.nbcnews.com/news/us-news/police-google-reverse-keyword-searches-rcna35749

[Gabe Goldberg noted on the same article:
Is there reasonable expectation of privacy for search data? No.
Can it be misused? Yes.
PGN]

------------------------------

Date: Thu, 23 Jun 2022 15:35:56 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: DARPA report exposes blockchain vulnerabilities (exodus)

<https://www.exodus.com/news/how-secure-is-ethereum/>

How secure are Bitcoin and Ethereum, really? We often hear that
Proof-of-Stake blockchains could theoretically become centralized in the
hands of a few rich players, while Bitcoin and Ethereum (for now) are
relatively immune.
<https://www.exodus.com/news/proof-of-work-vs-proof-of-stake/#head4>

Now, a new Defense Department-sponsored study
<https://assets-global.website-files.com/5fd11235b3950c2c1a3b6df4/62af6c641a672b3329b9a480_Unintended_Centralities_in_Distributed_Ledgers.pdf>
reveals that most blockchains are more centralized (and thus less secure)
than we're led to believe.

*An uncomfortable report*

Trail of Bits <https://www.trailofbits.com/>, a cybersecurity research and
consulting firm whose clients include Google, Microsoft and Meta, released
an important study on June 21 entitled *Are Blockchains Decentralized?* It
concludes that many blockchains are more vulnerable to centralization
dangers than previously thought.
<https://cointelegraph.com/blockchain-for-beginners/how-does-blockchain-work-everything-there-is-to-know>

The report was produced for the U.S. Defense Advanced Research Projects
Agency (DARPA <https://www.darpa.mil/>), an agency founded in 1958 to manage
the development of emerging technologies for use by the Department of
Defense. The agency developed and furthered much of the conceptual basis for
ARPANET, the prototypical communications network that became today's
Internet.

Research focused mainly on Bitcoin, revealing several security weaknesses
that could be exploited by bad actors to gain greater control of the
network.

*Bitcoin nodes* [...]
https://www.exodus.com/news/report-exposes-blockchain-vulnerabilities/

------------------------------

Date: Wed, 29 Jun 2022 19:35:49 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: 'Mystery rocket' that crashed into the Moon baffles NASA scientists
(Chron)

*So far, no space exploring nations have claimed responsibility for the
rocket.*

NASA has discovered the crash site of a "mystery rocket body" that collided
with the Moon's surface earlier this year. The impact left behind a
widespread "double crater," meaning it wasn't the average rocket.

However, since its crash landing, none of Earth's space-exploring nations
have claimed responsibility for the mysterious projectile, leaving NASA
scientists baffled as to who was behind its launch. New images shared on
June 24 by NASA's Lunar Reconnaissance Orbiter show the unusual impact site.

After a rocket body impacted the Moon last year, NASA's Lunar Reconnaissance
Orbiter was able to snap a surprising view of the impact site. Unexpectedly,
the crater is actually two craters and may indicate that the rocket body had
large masses at each end: https://t.co/WtMAFrNkUw pic.twitter.com/hcoYPxlm8z

NASA 360 (@NASA360) 27 Jun 2022

"Surprisingly the crater is actually two craters, an eastern crater
(18-meter diameter, about 19.5 yards) superimposed on a western crater
(16-meter diameter, about 17.5 yards)," NASA reported
<https://www.nasa.gov/feature/goddard/2022/nasas-lunar-reconnaissance-orbiter-spots-rocket-impact-site-on-moon>. "The double crater was
unexpected...No other rocket body impacts on the Moon created double
craters." [...]
https://www.chron.com/news/houston-texas/article/mystery-rocket-NASA-moon-crash-country-origin-17273903.php

------------------------------

Date: Tue, 21 Jun 2022 15:47:06 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Mega says it can't decrypt your files.
New POC exploit shows otherwise. (ArsTechnica)

https://arstechnica.com/information-technology/2022/06/mega-says-it-cant-decrypt-your-files-new-poc-exploit-shows-otherwise/

------------------------------

Date: Fri, 1 Jul 2022 10:01:00 -0400 (DT)
From: Andrew Appel <ap...@cs.princeton.edu>
Subject: The Assessments of the Swiss Post E-Voting System

We have just published a 5-part series on Freedom-to-Tinker about the expert
assessments Switzerland commissioned of its E-voting system.
https://freedom-to-tinker.com/2022/06/27/how-to-assess-an-e-voting-system/

Andrew Appel, How to Assess an E-voting System

After small-scale pilots of an Internet voting system for citizens living
abroad, Switzerland commissioned expert studies of all aspects of its
e-voting system: cryptographic protocol security and privacy, systems
security, infrastructure and operation, network infrastructure security.
These are the most thorough and expert studies ever commissioned of a
deployed Internet voting system. Based on these studies, the Swiss
government put a pause on further use of the system.

How NOT to Assess an E-voting System, by Vanessa Teague
https://freedom-to-tinker.com/2022/06/28/how-not-to-assess-an-e-voting-system/

The Australian state of New South Wales used an Internet voting system very
similar to the Swiss one. Not only did they whitewash findings by outside
experts that the system was insecure, but on election day the system simply
didn't work: the Electoral Commission estimated that 20,000 people
registered to use iVote but did not receive a voting credential in time to
vote; as a consequence, the Supreme Court of NSW voided the results in three
local elections. The NSW government has been careless about driver's license
security, health data privacy, and covid-tracing records, too: there's a
pattern.

How the Swiss Post E-voting system addresses client-side vulnerabilities, by Appel
https://freedom-to-tinker.com/2022/06/29/how-the-swiss-post-e-voting-system-addresses-client-side-vulnerabilities/

The two biggest vulnerabilities in any Internet voting system are:
server-side (from insiders or attackers who penetrate the server), and
client-side (from attackers who manage to install a fake voting-app on
voters' computers or phones). We explain how the Swiss system protects
against client-side attacks, based on a sheet of paper mailed to the voter
containing special codes for the voter to enter and check.

What the Assessments Say About the Swiss E-voting System, by Appel
https://freedom-to-tinker.com/2022/06/30/what-the-assessments-say-about-the-swiss-e-voting-system/

The assessments were commissioned in 2021-22 after independent experts (not
commissioned by the government) had found serious security flaws in the
cryptographic protocol. The vendor of the system, the Swiss Post, cooperated
by documenting the protocol and the computer code in great detail. The
assessors found that "the clarity of the protocol and documentation is much
improved [which] has exposed many issues that were already present but not
visible in the earlier versions of the system; this is progress. ... [but]
Several issues that we found require structural changes..."

The glass-half-empty cryptographic protocol experts concluded ``We encourage
the stakeholders in Swiss e-voting to allow adequate time for the system to
be thoroughly reviewed before restarting the use of e-voting,'' while the
glass-half-full system-security expert concluded ``as imperfect as the
current system might be when judged against a nonexistent ideal, the current
system generally appears to achieve its stated goals, under the
corresponding assumptions and the specific threat model around which it was
designed.''

Switzerland's E-voting: The Threat Model, by Appel
https://freedom-to-tinker.com/2022/07/01/switzerlands-e-voting-the-threat-model

As the system-security expert pointed out, there is a danger in limiting a
security assessment to a specific threat model. That expert pointed out that
the printing company, which sends paper credentials to voters before each
election, can corrupt the election if hacked or dishonest, but was excluded
from the threat model that he was asked to consider. Here we identify a new
threat model: it is a real security risk if voters use smartphone cameras to
speed the process of entering code numbers from the paper credential
document.

------------------------------

Date: Thu, 30 Jun 2022 13:01:21 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: 2022 Zero-day in-the-wild exploitation (Maddie Stone)

Maddie Stone, Google Project Zero

For the last three years, we've published annual year-in-review reports of
0-days found exploited in the wild. The most recent of these reports is the
2021 Year in Review report
<https://googleprojectzero.blogspot.com/2022/04/the-more-you-know-more-you-know-you.html>,
which we published just a few months ago in April. While we plan to stick
with that annual cadence, we're publishing a little bonus report today
looking at the in-the-wild 0-days detected and disclosed in the first half
of 2022.

As of 15 Jun 2022, there have been 18 0-days detected and disclosed as
exploited in-the-wild in 2022. When we analyzed those 0-days, we found that
at least nine of the 0-days are variants of previously patched
vulnerabilities. At least half of the 0-days we've seen in the first six
months of 2022 could have been prevented with more comprehensive patching
and regression tests. On top of that, four of the 2022 0-days are variants
of 2021 in-the-wild 0-days. Just 12 months from the original in-the-wild
0-day being patched, attackers came back with a variant of the original bug.

So, what does this mean?

When people think of 0-day exploits, they often think that these exploits
are so technologically advanced that there's no hope to catch and prevent
them. The data paints a different picture. At least half of the 0-days we've
seen so far this year are closely related to bugs we've seen before. Our
conclusion and findings in the 2020 year-in-review report were very similar.
<https://googleprojectzero.blogspot.com/2021/02/deja-vu-lnerability.html>

Many of the 2022 in-the-wild 0-days are due to the previous vulnerability
not being fully patched. In the case of the Windows win32k and the Chromium
property access interceptor bugs, the execution flow that the
proof-of-concept exploits took were patched, but the root cause issue was
not addressed: attackers were able to come back and trigger the original
vulnerability through a different path. And in the case of the WebKit and
Windows PetitPotam issues, the original vulnerability had previously been
patched, but at some point regressed so that attackers could exploit the
same vulnerability again. In the iOS IOMobileFrameBuffer bug, a buffer
overflow was addressed by checking that a size was less than a certain
number, but it didn't check a minimum bound on that size. For more detailed
explanations of three of the 0-days and how they relate to their variants,
please see the slides from the talk. [...]

<https://github.com/maddiestone/ConPresentations/blob/master/FIRST2022.2022_0days_so_far.pdf>
https://googleprojectzero.blogspot.com/2022/06/2022-0-day-in-wild-exploitationso-far.html
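The "upper bound only" pattern the post describes for the iOS IOMobileFrameBuffer fix, shown as an added example in C (not code from the Project Zero post or from any vendor): a signed length checked against a maximum only, beside a check that enforces both bounds, plus the kind of regression table the post argues was missing. All names (FRAME_MAX, size_ok_*, frame_copy, SIZE_CASES) are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FRAME_MAX 64   /* hypothetical capacity of the destination buffer */

/* First fix, as the post describes: the size is compared against a maximum
 * only. `len` is signed because it arrives from an untrusted caller as a
 * 32-bit field, so every negative value passes this check unchanged. */
static bool size_ok_upper_only(int32_t len)
{
    return len <= FRAME_MAX;
}

/* Complete check: both bounds enforced before any arithmetic or conversion
 * to size_t. Zero-length requests are allowed; negative ones are rejected. */
static bool size_ok_bounded(int32_t len)
{
    return len >= 0 && len <= FRAME_MAX;
}

/* What memcpy would actually receive if a signed length were converted
 * without the lower-bound check: -1 becomes SIZE_MAX. */
static size_t bytes_memcpy_would_see(int32_t len)
{
    return (size_t)len;
}

/* Copy routine that converts to size_t only after the complete check, so the
 * value handed to memcpy is known to lie in [0, FRAME_MAX]. Returns the number
 * of bytes copied, or -1 if the request was rejected. */
static int frame_copy(uint8_t *dst, const uint8_t *src, int32_t len)
{
    if (!size_ok_bounded(len))
        return -1;
    memcpy(dst, src, (size_t)len);
    return len;
}

/* Regression table: each case records whether a length must be accepted.
 * Running the original check against the table would have shown the gap
 * before a variant did. The cases are constructed for this example. */
struct size_case { int32_t len; bool must_accept; };

static const struct size_case SIZE_CASES[] = {
    {0, true}, {1, true}, {FRAME_MAX, true},
    {FRAME_MAX + 1, false}, {INT32_MAX, false},
    {-1, false}, {INT32_MIN, false},
};

/* Returns how many table cases the given predicate gets wrong; the complete
 * check returns 0, the upper-bound-only check fails both negative cases. */
static int count_check_failures(bool (*check)(int32_t))
{
    int failures = 0;
    for (size_t i = 0; i < sizeof SIZE_CASES / sizeof SIZE_CASES[0]; i++)
        if (check(SIZE_CASES[i].len) != SIZE_CASES[i].must_accept)
            failures++;
    return failures;
}
```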

------------------------------

Date: Sun, 26 Jun 2022 00:59:32 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Ocean Freight Shipping Costs Are Driving Goods Prices Higher
(ProPublica)

The Hidden Fees Making Your Bananas, and Everything Else, Cost More

The story you're about to read is bananas, and it's also about bananas.

Last fall, a company called One Banana loaded 600,000 pounds of the fruit
from its plantations in Guatemala and Ecuador onto ships bound for the Port
of Long Beach in California. Once they arrived, the bananas, packed in
refrigerated containers, were offloaded by cranes for trucking to a nearby
warehouse, where the fruit would be sent to supermarkets nationwide.

But in the midst of a global supply chain crisis, none of the trucking
companies the importer normally worked with were willing to come and get the
containers.

As the bananas sat at the marine terminal, a logistics specialist for One
Banana scrambled, contacting more than a dozen trucking firms.

With each passing hour, the bananas grew closer to spoiling.

https://www.propublica.org/article/ocean-freight-shipping-costs-inflation

------------------------------

Date: Thu, 30 Jun 2022 15:14:44 -0400
From: Gabe Goldberg
Subject: ZuoRAT Trojan (WiReD)

Researchers say the remote-access Trojan ZuoRAT is likely the work of a
nation-state and has infected at least 80 different targets.

The discovery of this ongoing campaign is the most important one affecting
SOHO routers since VPNFilter, the router malware created and deployed by the
Russian government that was discovered in 2018. Routers are often
overlooked, particularly in the work-from-home era. While organizations
often have strict requirements for what devices are allowed to connect, few
mandate patching or other safeguards for the devices' routers.

Like most router malware, ZuoRAT can't survive a reboot. Simply restarting
an infected device will remove the initial ZuoRAT exploit, consisting of
files stored in a temporary directory. To fully recover, however, infected
devices should be factory reset. Unfortunately, in the event connected
devices have been infected with the other malware, they can't be disinfected
so easily.

https://www.wired.com/story/zuorat-trojan-malware-hacking-routers

------------------------------

Date: Wed, 29 Jun 2022 08:32:05 -0400
From: Bob Gezelter <geze...@rlgsc.com>
Subject: Sophisticated attacks against range of SOHO routers (ArsTechnica)

ArsTechnica has reported that there is a sophisticated attack campaign
against SOHO routers, which in turn infects and compromises attached
devices. In "A wide range of routers are under attack by new, unusually
sophisticated malware", the high-level details of the attack are described,
including the somewhat unavoidable conclusion that Work from Home (WFH)
makes systems used for remote work a potential target.

The ArsTechnica article is at:

https://arstechnica.com/information-technology/2022/06/a-wide-range-of-routers-are-under-attack-by-new-unusually-sophisticated-malware/

------------------------------

Date: Tue, 21 Jun 2022 09:57:04 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Microsoft Plans to Eliminate Face Analysis Tools in Push for
`Responsible AI' (NYTimes)

https://www.nytimes.com/2022/06/21/technology/microsoft-facial-recognition.html

------------------------------

Date: Sat, 25 Jun 2022 23:49:59 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: The Race to Hide Your Voice (WiReD)

Voice recognition and data collection have boomed in recent years.
Researchers are figuring out how to protect your privacy.

https://www.wired.com/story/voice-recognition-privacy-speech-changer/

------------------------------

Date: Thu, 23 Jun 2022 07:36:35 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: Amazon demonstrates Alexa mimicking the voice of a deceased
relative (CNBC)

Amazon is devising a way for users to speak to their family members through
its Alexa voice assistant, even after they've died.

At Amazon's Re:Mars conference in Las Vegas on Wednesday, Rohit Prasad,
senior vice president and head scientist for the Alexa team, detailed a
feature that allows the voice assistant to replicate a specific human voice.

In a demonstration video, a child said, ``Alexa, can Grandma finish reading
me the Wizard of Oz?''

Alexa confirmed the request with the default, robotic voice, then
immediately switched to a softer, more humanlike tone, seemingly mimicking
the child's family member.

The Alexa team developed a model that allows its voice assistant to produce
a high-quality voice with ``less than a minute of recorded audio,''
Prasad said. [...]

https://www.cnbc.com/2022/06/22/amazon-demonstrates-alexa-mimicking-the-voice-of-a-deceased-relative.html

------------------------------

Date: Tue, 28 Jun 2022 19:12:38 -0600
From: Matthew Kruk <mkr...@gmail.com>
Subject: South Carolina mom says baby monitor was hacked; Experts say many
devices are vulnerable (NPR)

https://www.npr.org/sections/thetwo-way/2018/06/05/617196788/s-c-mom-says-baby-monitor-was-hacked-experts-say-many-devices-are-vulnerable

[Security on the Internet of Things? Ya gotta be kiddin'.]

------------------------------

Date: Wed, 29 Jun 2022 06:50:48 -0600
From: Matthew Kruk <mkr...@gmail.com>
Subject: St. John's woman loses home after Phoenix pay fiasco (CBC)

https://www.cbc.ca/news/canada/newfoundland-labrador/phoenix-pay-joanne-osmond-1.6500083

------------------------------

Date: Sun, 26 Jun 2022 11:30:39 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: These Period Tracker Apps Say They Put Privacy First. Here's What
We Found. (Consumer Reports)

https://www.consumerreports.org/health-privacy/period-tracker-apps-privacy-a2278134145/

------------------------------

Date: Wed, 29 Jun 2022 11:39:44 -0600
From: Matthew Kruk <mkr...@gmail.com>
Subject: FCC asks Google, Apple to remove TikTok due to data privacy
concerns at Chinese-owned company TikTok (CBC)

https://www.cbc.ca/news/business/tiktok-fcc-1.6505269

------------------------------

Date: Wed, 29 Jun 2022 07:35:58 -0400
From: Jan Wolitzky <jan.wo...@gmail.com>
Subject: Lost and Found: USB Sticks With Data on 460,000 People (NYTimes)

The plight of a technician tasked with transferring a city's worth of
personal data is a lesson in the risks of combining small, important objects
with a night out drinking.

https://www.nytimes.com/2022/06/28/world/asia/usb-japan-flash-drive-amagasai.html

------------------------------

Date: Tue, 28 Jun 2022 19:17:46 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: Some Crypto Exchanges Already Secretly Insolvent (Forbes)

*After throwing lifelines to troubled digital currency platforms BlockFi and
Voyager Digital, Sam Bankman-Fried, the 30-year-old billionaire founder of
FTX, warns that some crypto exchanges will soon fail.*

The question on everybody's mind in the crypto world is whether we've
reached the market bottom. Nearly $2 trillion in crypto market value has
evaporated since November. Two bellwether digital assets, Luna, a $40 billion
crypto asset associated with TerraUSD, a $16 billion stablecoin designed to
maintain parity with the U.S. dollar, have collapsed. Earlier this month
bitcoin traded for below $20,000, its lowest level since December 2020.

But the fallout is far from complete. Earlier this month, Singapore-based
Three Arrows Capital (3AC), a highly levered crypto trading firm with $200
million of exposure to Luna revealed that it was nearly insolvent. Three
Arrows had borrowed large sums from numerous crypto firms including New
Jersey's Voyager Digital and New York-based BlockFi. In order to survive
Three Arrows' default, the two digital asset exchanges turned to billionaire
Sam Bankman-Fried, founder of FTX and the richest person in crypto, worth
some $20.5 billion. Between FTX and his quantitative trading firm Alameda,
he provided the companies with $750 million in credit lines. There is no
guarantee that Bankman-Fried will recoup his investment. ``You know, we're
willing to do a somewhat bad deal here, if that's what it takes to sort of
stabilize things and protect customers,'' he says. [...]

https://www.forbes.com/sites/stevenehrlich/2022/06/28/bankman-fried-some-crypto-exchanges-already-secretly-insolvent/

------------------------------

Date: Tue, 21 Jun 2022 07:55:56 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Unintended Centralities in Distributed [Blockchain] Ledgers

https://assets-global.website-files.com/5fd11235b3950c2c1a3b6df4/62af6c641a672b3329b9a480_Unintended_Centralities_in_Distributed_Ledgers.pdf

------------------------------

Date: Thu, 30 Jun 2022 12:46:58 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Crypto Crash Widens Divide Between Rich and Amateur Traders
(NYTimes)

No cryptocurrency investor has been spared the pain of plunging prices. But
the fallout from more than $700 billion in losses is far from even.

Photo: Tyler Winklevoss, left, and Cameron Winklevoss, center, performing
with Mars Junction in Englewood, Colo. The billionaires recently laid off 10
percent of the staff at Gemini, their crypto firm.

ENGLEWOOD, Colo. -- The cryptocurrency market was in ruins. But Tyler and
Cameron Winklevoss were jamming.

Cameron and Tyler Winklevoss, whose wealth stood at $4 billion apiece before
the crash, were each worth $3.3 billion this week, according to Forbes. They
declined to comment.

For retail investors like Ben Thompson, 33, the reality is different.
Mr. Thompson, who lives in Sydney, Australia, lost about $45,000 — half his
savings — in the crash. He had dabbled in crypto since 2018 and planned to
use the money to open a brewery.

"A lot of people who seemed quite reputable had a lot of confidence,"
Mr. Thompson said. "The smaller people get taken advantage of."

https://www.nytimes.com/2022/06/29/technology/crypto-crash-divide.html

------------------------------

Date: Thu, 30 Jun 2022 12:24:15 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Cryptocurrency Titan Coinbase providing "Geo Tracking Data" to ICE
(The Intercept)

https://theintercept.com/2022/06/29/crypto-coinbase-tracer-ice/

------------------------------

Date: Fri, 1 Jul 2022 08:43:02 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Crypto traceability and market rules agreed by EU lawmakers
(TechCrunch)

https://techcrunch.com/2022/07/01/crypto-regulation-eu/

------------------------------

Date: Tue, 21 Jun 2022 00:22:51 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Crypto investors' hot streak ends as harsh 'winter' descends
(The Boston Globe)

"There was this irrational exuberance."
https://www.boston.com/news/business/2022/06/20/crypto-winter/

------------------------------

Date: Thu, 30 Jun 2022 14:07:01 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Alex Mashinky's Celsius crypto bank draws probe by five states
(WashPost)

In 2018, Alex Mashinsky held a dinner at an upscale restaurant in New
York. The entrepreneur's goal was to attract "whales" — crypto-speak for
large-scale currency holders who can move markets — to invest in a nascent
entity he'd created called Celsius Network.

The Ukraine-born, Israel-raised businessman spoke charmingly and
passionately, according to a person who was at the dinner and described it
on the condition of anonymity because it was a private event. He laid out
his mission of "unbanking," in which investors can deposit cryptocurrency
outside the traditional financial system. Central to the pitch were
unusually high yields for depositors in his Celsius Network — as much as 30
percent — made possible, the New York-based Mashinsky explained, because
their money would be lent out at high rates to those needing it for
short-term crypto investments.

"It was incredible to watch -- everyone in the room was enthralled," said the
guest. "The whales were excited and ready to write checks. Even people who
might have been skeptical were on board." [...]

He made the case to Wall Street that he could offer much higher yields
without the bureaucratic costs and profit-taking of traditional banks, and
he also marketed those yields — which could reach between 20 and 30 percent
-- to depositors. [...]

Still, business was slow. The company's own CEL token, launched in the fall
of 2018 to help facilitate transactions, ended 2019 at just 14 cents -- only
the slightest improvement from the 10 cents it was worth the previous
spring. [...]

The company has fallen in the eyes of a number of the faithful. After
Mashinsky tweeted a stay-strong message last week (``@CelsiusNetwork team is
working non-stop. To see you come together is a clear sign our community is
the strongest in the world''), one user replied angrily. "Please allow us
to withdraw OUR funds," wrote @TzannakosPat. "People have their life savings
on Celsius. The community is strong and together we should demand and [sic]
formal investigation. You can't just take peoples money and coins."

That frustration was felt by Alex, a Celsius customer in Maryland who asked
not to be fully identified to protect himself online. He has about $20,000
in his account now, he said, money he was counting on to help support his
son. "I'm feeling pretty bad to be honest," he said.

Bitboy Crypto, the pseudonym of a prominent crypto influencer named Ben
Armstrong, who has nearly 900,000 followers on Twitter, had long advocated
Celsius to his followers. But after the freeze, he changed his tune.

"We were lied to about the safety of our funds by Alex @Mashinsky," he
tweeted Saturday as he offered suggestions for legal action — in turn
prompting some to blame him for cheerleading for Celsius for so long.

Yet many of Mashinsky's adherents have refused to give up. They see the
freeze not as a sign of malfeasance but as one more piece of evidence that
traditional finance wants to destroy crypto and will stop at nothing to
realize its aim.

https://www.washingtonpost.com/technology/2022/06/21/celsius-withdrawal-freeze-explained/

SLIGHT improvement -- 10 cents to 14 is 40% in maybe 15 months. I'll take
it.

------------------------------

Date: Wed, 29 Jun 2022 09:11:27 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: LOL Headline of the Day

"Crypto[currency] crash threatens North Korea's stolen funds."

------------------------------

Date: Tue, 21 Jun 2022 09:21:22 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: When customers say their money was stolen on Zelle, banks often
refuse to pay (NYTimes)

Federal law requires banks to reimburse customers for unauthorized
electronic transfers, but they often refuse, stranding victims.

https://www.nytimes.com/2022/06/20/business/zelle-money-stolen-banks.html

[Your money is carefully wrapped in Zellephane. PGN]

------------------------------

Date: Wed, 29 Jun 2022 17:25:57 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Planned Parenthood Privacy (WashPost)

The organization left marketing trackers running on its scheduling pages.

https://www.washingtonpost.com/technology/2022/06/29/planned-parenthood-privacy

------------------------------

Date: 25 Jun 2022 20:34:27 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: Micropatching on the fly (Tom Van Vleck)

>There is a DARPA/I2O program that is awarding ways to patch IoT
>appliances and heavy truck engines:
> https://www.darpa.mil/program/assured-micropatching
>
> What could possibly go wrong? THVV

Plenty, but this is an engineering question. We expect some amount of
damage from unpatched cruddy old equipment. We have some level of risk from
this hack patch approach. Which is likely to cause more trouble overall?

I have no idea but since there is no question that we're seeing a lot
of damage from unpatched IoT (for example, the Mirai botnet) I wouldn't
dismiss it out of hand.

------------------------------

Date: Mon, 20 Jun 2022 22:55:00 -0400
From: "Steven J. Greenwald" <greenwa...@gmail.com>
Subject: Re: A Periodic Issue

I thought I restrained myself with the puns on that one. I still remember
getting yelled at by a strident feminist circa 1990 when I used a COBOL
programming term, which we really truly used -- a lot -- when the compiler
aborted on a COBOL sentence that didn't get terminated properly. We called
those "pregnant" because they were missing their periods.

Re: my late darkness, well, three major neurosurgeries in 5 months
will do that to you (for my spine; long boring medical story omitted). I'm
much much better now though (and 40% titanium, I think, with really cool
scars that look like I got attacked by either an alligator or an eagle,
depending on where you come from). : )

------------------------------

Date: Tue, 21 Jun 2022 09:03:55 +0100
From: Martin Ward <mar...@gkc.org.uk>
Subject: Re: Long-term planning and Optimization (RISKS-33.28)

Oxfam's report, published in January 2022, states that:

"The world's ten richest men more than doubled their fortunes from $700
billion to $1.5 trillion -- at a rate of $15,000 per second or $1.3
billion a day -- during the first two years of a pandemic that has seen
the incomes of 99 percent of humanity fall and over 160 million more
people forced into poverty.

"Inequality goes to the heart of the climate crisis, as the richest 1
percent emit more than twice as much CO2 as the bottom 50 percent of the
world, driving climate change throughout 2020 and 2021"

"The carbon footprints of the richest 1 percent of people on Earth is set
to be 30 times greater than the level compatible with the 1.5°C goal of
the Paris Agreement in 2030. The poorest half of the global population
will still emit far below the 1.5°C-aligned level in 2030."

The problem is not "too many people" but "too many rich people"! There is
plenty of money and resources in the world to feed everyone and tackle
climate change, the problem is inequitable distribution of resources and
lobbying against the needed changes by powerful vested interests and corrupt
governments.

https://www.oxfam.org/en/press-releases/ten-richest-men-double-their-fortunes-pandemic-while-incomes-99-percent-humanity

------------------------------

Date: Tue, 21 Jun 2022 10:01:30 +0100
From: Martin Ward <mar...@gkc.org.uk>
Subject: Re: Long-term planning and Optimization (Mills. RISKS-33.28)

China's draconian "One Child Policy", implemented between 1980 and 2015, is
claimed to have prevented over 400 million births. Yet China's CO2
emissions increased by around five times in the same period.

------------------------------

Date: Mon, 20 Jun 2022 18:03:05 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: Re: It is 2022. My coffee mug wants me to log in, wants to know
my location, and if it can send me promotional emails... (RISKS-33.30)

Looks like the URL in RISKS got mangled; here's a working one:
https://twitter.com/Marc_IRL/status/1537187487675711488
(The final '8' was summarily dropped)

------------------------------

Date: Fri, 1 Jul 2022 2:31:20 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: AT&T Fiber Optic outage update

[From a PGN neighbor, Re: RISKS-33.13-15,20]

We've had a lot of interactions with AT&T people on this issue, including
with someone who was honest and knew something. My general question was:
companies have been stringing cables for decades, if not centuries.
Presumably the squirrel problem has been resolved???

His answer was clear: all other cables were metallic, either the conductor
or the shield. The fiber cables are not. Squirrels and rats have trouble
with metal, although they do succeed sometimes. When ATT chose the fiber
to install, in the interest of weight and cost, they decided against a
metallic shield. Apparently this works in most places, but a few
locations have high squirrel activity, and they have to replace short
sections with squirrel-protected cable after the problem....not
proactively.

That is to say....the problems will continue, although slowly
diminishing, as more cable gets squirrel shielding.

Kudos to AT&T for stepping up to deliver the long-hoped-for "fiber to the
home". This is a huge deal, and a massive step to the future. Too bad
they didn't invest more in better cables. -Jeff

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.31
************************
