
Risks Digest 33.40


RISKS List Owner
Aug 20, 2022, 7:43:49 PM
to ri...@csl.sri.com
RISKS-LIST: Risks-Forum Digest Saturday 20 August 2022 Volume 33 : Issue 40

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.40>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Voters in the UK Cast Ballots Online, in Test for Internet Voting (WSJ)
Plane fails to descend as pilots reportedly fell asleep during flight (CNN)
Apple AirTag leads to arrest of airline worker accused of stealing at least
$15,000 worth of items from luggage (NBC)
'Hackers Against Conspiracies': Cybersleuths Take Aim at Election
Disinformation (Maggie Miller)
Software dev cracks Hyundai encryption with Google Search (The Register)
Cryptoverse: Blockchain bridges fall into troubled waters (Reuters)
On the Dangers of Cryptocurrencies and the Uselessness of Blockchain
(CRYPTO-GRAM)
Starbucks NFTs, Reddit karma points on the blockchain, Saylor fired,
Telegram ICO slight return. (David Gerard)
Track carbon offsets with blockchain? (Rob Slade)
Deepfakes Expose Vulnerabilities in Facial Recognition Technology (PSU)
Email marketing firm hacked to steal crypto-focused mailing lists
(Bleeping Computer)
Pirates Infielder Suspended for Taking Cellphone Onto Basepaths (NYTimes)
You can now tweet as you climb Mount Kilimanjaro thanks to new Wi-Fi network
(NBC News)
Massachusetts Registry of Motor Vehicles Cautions Customers to be Aware of
Unofficial Third-Party Websites and Text/Phishing Scams (Monty Solomon)
How a Third-Party SMS Service Was Used to Take Over Signal Accounts (Vice)
Posing as Contractors, Nigerians Scammed Project Owners for Nearly $6M, FBI
Says (Engineering News-Record)
Just 1 of 25 Apps That Track Reproductive Health Protect Users' Data
(Shirin Ali)
FTC sued by firm allegedly selling sensitive data on abortion clinic visits
(Ars Technica)
An Explosive New Report Could Upend More than a Decade of Alzheimer's
Research. How Did This Happen (Mother Jones)
Dozens of Facebook contractors lost their jobs after an algorithm reportedly
chose them 'at random' (Engadget)
Microsoft Employees Exposed Own Company's Internal Logins (Vice)
#DEFCON: How US Teen Rickrolled His High School District
(Infosecurity Magazine)
Apple Warns of Security Flaw for iPhones, iPads, Macs (AP)
Apple security updates fix 2 zero-days used to hack iPhones, Macs
(Bleeping Computer)
A Janet Jackson Song Could Crash Windows XP Laptops (Michael Kan)
Made-Up Words Trick AI Text-to-Image Generators (Discover)
Re: Meta finds new way of tracking users across websites (Steve Bacher)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 20 Aug 2022 08:28:27 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: Voters in the UK Cast Ballots Online, in Test for Internet Voting
(WSJ)

In the prime-minister race, Conservative Party wants to make voting more
convenient for its 160,000 eligible members; no U.S. state permits universal
online voting.

Members of the UK's ruling Conservative Party who are voting to decide the
country's next prime minister are for the first time casting ballots online
in a leadership election, a rarity among democracies wary of Internet voting
because of cybersecurity concerns.

Over a several-week period, the party is offering Internet voting alongside
voting by mail, in part to provide greater convenience during August weeks
when Britons take vacation and to avoid disruptions by striking postal
workers. The results are to be announced Sept. 5.

The Conservatives are sending qualifying members a ballot pack in the mail
that will include a paper ballot to be returned by mail and information and
security codes for voting online. ``We recommend online voting where
possible,'' the party states on its website.

The party sought guidance from Britain's National Cyber Security Centre, or
NCSC, and a Tory spokesman said the party was confident the leadership
election would be secure. ``We have consulted with the NCSC throughout this
process,'' the spokesman said.

Election security analysts fear the system is vulnerable to interference by
hackers.

``We do not have the technology to conduct voting securely online and so it
should not be deployed for high-stakes elections. And I count this as
rather high stakes,'' said Peter Ryan, a professor of applied security at
the University of Luxembourg. [...]

https://www.wsj.com/articles/voters-in-u-k-cast-ballots-online-in-test-for-internet-voting-11660993200

[I expect there will be some attempts to hack into the Conservative Party
leadership election. If the software allows write-in votes, the Duke of
Windsor (Edward VIII), Winston Churchill, and Princess Diana would seem to
be particularly likely choices, along with some well-known still-active
athletes -- e.g., David Beckham (soccer) and James Anderson (cricket), and
a few leading liberals. Perhaps the Russians will re-use their skills
that evidently influenced the Brexit election. We'll have only just a few
more weeks to find out. PGN]

------------------------------

Date: Fri, 19 Aug 2022 19:28:22 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: Plane fails to descend as pilots reportedly fell asleep during
flight (CNN)

Two pilots are believed to have fallen asleep and missed their landing
during a flight from Sudan to Ethiopia on Monday, according to a report by
commercial aviation news site Aviation Herald.
<http://avherald.com/h?article=4fd127fe>

The incident took place on board an Ethiopian Airlines Boeing 737-800 en
route from Khartoum to Addis Ababa, the report said, "when the pilots fell
asleep" and "the aircraft continued past the top of descent." Data obtained
by the website indicates that the aircraft was cruising at 37,000 feet on
autopilot when it failed to descend at Addis Ababa Bole International
Airport, its scheduled destination, on August 15. Air traffic control were
apparently unable to reach the crew despite making several attempts at
contact. However, an alarm was triggered when the plane overshot the runway
and continued along the route. The aircraft subsequently began to descend,
landing safely around 25 minutes later.

Automatic Dependent Surveillance-Broadcast (ADS-B) data shows the aircraft
overflying the runway, before beginning its descent and maneuvering for
another approach. [...]

http://www.cnn.com/travel/article/pilots-reported-to-fall-asleep-ethiopian-airlines/index.html

------------------------------

Date: Sat, 20 Aug 2022 10:56:46 -0600
From: Jim Reisert AD1C <jjre...@alum.mit.edu>
Subject: Apple AirTag leads to arrest of airline worker accused of stealing
at least $15,000 worth of items from luggage (NBC)

Elisha Fieldstadt, NBC News, Aug. 17, 2022, 12:12 PM MDT

An Apple AirTag led to the arrest of an airline subcontractor accused of
stealing thousands of dollars' worth of items from luggage at a Florida
airport.

Giovanni De Luca, 19, was charged with two counts of grand theft after
authorities recovered the stolen items from his home, the Okaloosa County
Sheriff’s Office said in a news release last week.

Authorities said a traveler reported last month that her luggage never
made it to her destination. The items inside were worth about $1,600. She
said an Apple AirTag, a tracking device that triggers alerts on iPhones,
iPads and Apple computers, had been in her luggage and showed that it was
on Kathy Court in Mary Esther, about 50 miles east of Pensacola.

https://www.nbcnews.com/news/us-news/airtag-leads-arrest-airline-worker-accused-stealing-least-15000-items-rcna43547

------------------------------

Date: Fri, 19 Aug 2022 12:03:58 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: 'Hackers Against Conspiracies': Cybersleuths Take Aim at Election
Disinformation (Maggie Miller)

Maggie Miller, *Politicom* 15 Aug 2022,
via ACM TechNews, Friday, August 19, 2022

The annual DEF CON hacking conference's "Voting Machine Village," has been a
feature since 2017, with attendees attempting to break into registration
databases, ballot-casting machines, and other voting equipment to identify
vulnerabilities. However, in the wake of the 2020 U.S. presidential election
and the resulting false claims of election fraud, the focus of this year's
event was how to detect vulnerabilities without fueling election
misinformation. Said Harri Hursti, co-founder of the Voting Machine
Village, "All the security improvements [have been] hampered by all the
false claims, conspiracies--and fighting those." Hursti noted that clips
from DEF CON were used in the media after the election to cast doubt on
election security. This year's Voting Village featured officials from
Maricopa County, AZ, among others, who discussed ongoing, though debunked,
conspiracy theories. Hursti explained, "What we try to do is to make certain
that the right message gets out."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f110x2355ddx069731&

------------------------------

Date: Wed, 17 Aug 2022 20:57:01 -0700
From: Li Gong <ligo...@gmail.com>
Subject: Software dev cracks Hyundai encryption with Google Search

Fun reading -- using public/private keys copied from a public tutorial to
sign real-world software in Hyundai cars

https://www.theregister.com/2022/08/17/software_developer_cracks_hyundai_encryption/

------------------------------

Date: Thu, 18 Aug 2022 13:24:58 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Cryptoverse: Blockchain bridges fall into troubled waters (Reuters)

Another day, another hack -- and another blockchain bridge burned.

When thieves stole an estimated $190 million from U.S. crypto firm Nomad
last week, it was the seventh hack of 2022 to target an increasingly
important cog in the crypto machine: Blockchain "bridges" -- strings of code
that help move cryptocoins between different applications.

https://www.reuters.com/business/future-of-money/cryptoverse-blockchain-bridges-fall-into-troubled-waters-2022-08-09/

------------------------------

Date: Thu, 18 Aug 2022 00:31:44 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: On the Dangers of Cryptocurrencies and the Uselessness of
Blockchain (CRYPTO-GRAM)

Schneier writes:

Earlier this month, I and others wrote a letter to Congress, basically
saying that cryptocurrencies are a complete and total disaster, and urging
them to regulate the space. Nothing in that letter is out of the ordinary,
and is in line with what I wrote about blockchain in 2019. In response,
Matthew Green has written -- not really a rebuttal, but "a general response
to some of the more common spurious objections people make to public
blockchain systems."

In our letter, we write: "By its very design, blockchain technology is
poorly suited for just about every purpose currently touted as a present or
potential source of public benefit. From its inception, this technology has
been a solution in search of a problem and has now latched onto concepts
such as financial inclusion and data transparency to justify its existence,
despite far better solutions to these issues already in use. Despite more
than thirteen years of development, it has severe limitations and design
flaws that preclude almost all applications that deal with public customer
data and regulated financial transactions and are not an improvement on
existing non-blockchain solutions."

https://www.schneier.com/crypto-gram/archives/2022/0715.html#cg8

------------------------------

Date: Wed, 17 Aug 2022 20:50:56 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Starbucks NFTs, Reddit karma points on the blockchain, Saylor
fired, Telegram ICO slight return. (David Gerard)

"Please, God, I don't ask for much from You. But give me this. A video of a
sad cryptobro, trying to get a beat cop to make a police report about his
stolen ape jpeg."

There's very little that's sadder or funnier than corporate NFT projects that
launch after the crypto crash. Starbucks' NFT programme is the latest.
"What's more, the digital program could give customers a reason to care
about NFTs." Yeah, uh, OK. [TechCrunch]

Why did Starbucks want to do an NFT? Because Starbucks owner and CEO Howard
Schultz thinks this will be a shiny object to distract his Generation Z
workers from wanting to unionise. Yes, I know that nothing in that sentence
isn't dumb as hell. Remember that this is the guy who ran for President with
a logo that was his name with his name on it.

https://davidgerard.co.uk/blockchain/2022/08/17/news-starbucks-nfts-reddit-karma-points-on-the-blockchain-saylor-fired-telegram-ico-slight-return/

------------------------------

Date: Wed, 17 Aug 2022 21:44:38 -0700
From: Rob Slade <rsl...@gmail.com>
Subject: Track carbon offsets with blockchain?

Wait, you're telling me that you want to use the least energy efficient
technology in the world to track offsets for carbon emissions resulting
from us using too much energy?
https://www.reuters.com/business/environment/exclusive-world-banks-ifc-taps-blockchain-carbon-offsets-2022-08-17/

------------------------------

Date: Wed, 17 Aug 2022 12:52:21 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Deepfakes Expose Vulnerabilities in Facial Recognition Technology
(PSU)

Jessica Hallman, Pennsylvania State University, 11 Aug 2022,
via ACM TechNews, 17 Aug 2022

Researchers at Pennsylvania State University and China's Shandong and
Zhejiang universities found most application programming interfaces (APIs)
using the facial liveness verification detection feature of facial
recognition technology do not always identify deepfakes, and those that can
are less effective than claimed at detecting deepfakes. The researchers
created and used the LiveBugger deepfake-powered attack framework to
evaluate six commercial facial liveness verification APIs. LiveBugger tried
to deceive the APIs using deepfake images and videos from two separate
datasets, and easily bypassed the four most common verification methods. The
researchers proposed strengthening the technology's security by eliminating
verification that only analyzes a static image of a user's face, and by
matching lip movements to a user's voice in dual audio-video analysis
schemes.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f0dex23550ex069538&

------------------------------

Date: Thu, 18 Aug 2022 13:25:55 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Email marketing firm hacked to steal crypto-focused mailing lists
(Bleeping Computer)

Email marketing firm Klaviyo disclosed a data breach after threat actors
gained access to internal systems and downloaded marketing lists for
cryptocurrency-related customers.

Klaviyo says the breach occurred on August 3rd after hackers stole an
employee's login credentials in a phishing attack. These login credentials
were then used to access the employee's account and internal Klaviyo support
tools.

https://www.bleepingcomputer.com/news/security/email-marketing-firm-hacked-to-steal-crypto-focused-mailing-lists/

------------------------------

Date: Wed, 17 Aug 2022 13:43:23 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Pirates Infielder Suspended for Taking Cellphone Onto Basepaths
(NYTimes)

As Rodolfo Castro slid into third base, his phone shot out of his pocket. He
has appealed his suspension for violating MLB's electronic device policy.

https://www.nytimes.com/2022/08/16/sports/baseball/rodolfo-castro-pirates-suspension.html

[Perhaps it was a pirated phone, or even PI-rated if his batting
average was .314. What is there to appeal? Maybe his wife was about to
deliver, and he was ready to ask for a pinch-runner at third base so he
could join her? Suppose the opponents called him just as he was ready to
tag up on a fly ball? Would he actually answer the phone and forget to
run home? Any appeal would be an interesting "hot-corner" case (pun only
for baseball addicts). PGN]

------------------------------

Date: Fri, 19 Aug 2022 17:07:49 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: You can now tweet as you climb Mount Kilimanjaro thanks to new
Wi-Fi network (NBC News)

https://www.nbcnews.com/news/africa/mount-kilimanjaro-wifi-broadband-fiber-optic-tanzania-rcna43880

[Even from above the third base camp! That will be a cool-corner case,
especially if GPS can locate your phone when you are buried in a snow
storm higher up. PGN]

------------------------------

Date: Thu, 18 Aug 2022 08:28:26 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Massachusetts Registry of Motor Vehicles Cautions Customers to
be Aware of Unofficial Third-Party Websites and Text/Phishing Scams

https://www.mass.gov/news/massachusetts-registry-of-motor-vehicles-cautions-customers-to-be-aware-of-unofficial-third-party-websites-and-textphishing-scams

------------------------------

Date: Thu, 18 Aug 2022 07:25:46 +0900
From: David Farber <far...@keio.jp>
Subject: How a Third-Party SMS Service Was Used to Take Over Signal Accounts
(Vice)

https://www.vice.com/en/article/qjkvxv/how-a-third-party-sms-service-was-used-to-take-over-signal-accounts

------------------------------

Date: Thu, 18 Aug 2022 13:28:49 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Posing as Contractors, Nigerians Scammed Project Owners for Nearly
$6M, FBI Says (Engineering News-Record)

Three Nigerian citizens are facing U.S. criminal charges over alleged scams
that targeted construction contractors and public project owners.
Prosecutors say the scams netted nearly $6 million and involved the
defendants posing as five different contractors. [...]

To carry out the scam, prosecutors say the defendants obtained information
about large construction projects, including the names of project owners,
companies that won contracts and contract dollar amounts.

They then registered website domain names similar to those of actual
contractors. Using email addresses under false names from those domains, the
individuals contacted employees of universities and other public agencies
that had hired the contractors for projects. In the emails, they would
direct the employees to wire a payment to a bank account they controlled.

https://www.enr.com/articles/54623-posing-as-contractors-nigerians-scammed-projct-owners-for-nearly-6m-fbi-says
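A detection-side example of the technique this item describes, added here and not from the ENR article or the court filings: a screen for inbound mail that flags sender domains imitating a contractor the payables office already knows (typosquats, digit-for-letter swaps, dropped hyphens, changed TLD) and holds payment-instruction changes from anyone not on the vendor list. The vendor names, sample headers and message bodies are constructed. Splitting a domain into "label.tld" is a simplification; a deployment needs a public-suffix list to handle domains such as example.co.uk.

```python
import re
import unicodedata
from email.utils import parseaddr

# Constructed allowlist of the registrable domains of contractors the payables
# office actually does business with (hypothetical names, not from the article).
KNOWN_VENDOR_DOMAINS = {"acme-construction.com", "northbridge-builders.com"}

# Phrases that carry the payload of the scam described above: a request to send
# money to a new destination.
PAYMENT_CHANGE = re.compile(
    r"\b(wire|ach|routing number|account number|new bank|"
    r"updated (banking|payment) (details|information))\b",
    re.IGNORECASE,
)


def registrable_label(domain):
    """'mail.acme-construction.com' -> ('acme-construction', 'com').
    Assumes a one-label public suffix; real deployments need a public-suffix list."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def normalize(label):
    """Undo the substitutions lookalike registrations rely on, so that
    'acme-constructi0n' and 'acme-construction' compare equal."""
    label = unicodedata.normalize("NFKD", label).encode("ascii", "ignore").decode()
    for src, dst in (("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("7", "t"),
                     ("rn", "m"), ("vv", "w"), ("-", ""), ("_", "")):
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Edit distance; catches one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain, known=KNOWN_VENDOR_DOMAINS, max_edits=2):
    """Return ('trusted', domain), ('lookalike', imitated vendor) or ('unknown', None)."""
    label, tld = registrable_label(domain)
    registrable = f"{label}.{tld}" if tld else label
    if registrable in known:
        return "trusted", registrable
    for vendor in sorted(known):
        v_label, _ = registrable_label(vendor)
        if levenshtein(normalize(label), normalize(v_label)) <= max_edits:
            return "lookalike", vendor
    return "unknown", None


def screen_message(from_header, body):
    """Decide what the mailbox does with an inbound message: 'deliver', 'hold'
    (quarantine for a human) or 'verify' (call the vendor on a number already
    on file before changing any bank details)."""
    _, address = parseaddr(from_header)
    domain = address.rsplit("@", 1)[-1] if "@" in address else ""
    verdict, vendor = classify_domain(domain)
    asks_for_money = bool(PAYMENT_CHANGE.search(body))
    if verdict == "lookalike":
        return "hold", f"sender domain {domain} imitates {vendor}"
    if verdict == "unknown" and asks_for_money:
        return "hold", f"payment instructions from {domain or 'no domain'}, not a known vendor"
    if verdict == "trusted" and asks_for_money:
        return "verify", f"bank-detail change from {vendor}; confirm by phone on file"
    return "deliver", ""


if __name__ == "__main__":
    # Constructed samples: a genuine invoice, a lookalike sender, a cold request.
    samples = [
        ("Accounts <billing@acme-construction.com>", "Invoice 4471 attached."),
        ("Accounts <billing@acme-constructi0n.com>", "Please wire the retainage to our new bank."),
        ("Project Manager <pm@outlook.example>", "Please wire the final payment today."),
    ]
    for sender, body in samples:
        print(sender, "->", screen_message(sender, body))
```

The "verify" path matters as much as the "hold" path: a change of bank details arriving from a genuine vendor address is exactly what a compromised vendor mailbox looks like, so the confirmation call goes to the number already on file, never to one in the message.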

------------------------------

Date: Fri, 19 Aug 2022 12:03:58 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Just 1 of 25 Apps That Track Reproductive Health Protect Users'
Data (Shirin Ali)

Shirin Ali, *The Hill*, 17 Aug 2022,
via ACM TechNews, Friday, August 19, 2022

A study of 25 reproductive health apps and wearable devices by researchers
at the Mozilla Foundation found that most have weak privacy protections. The
researchers found that these apps generally collect personal information,
including phone numbers, emails, home addresses, dates of menstrual cycles,
sexual activity, doctors' appointments, and pregnancy symptoms. Of the apps
analyzed, 18 were given a "Privacy Not Included" warning label due to vague
privacy policies and potential security concerns. Additionally, the study
found that most of the apps had vague guidelines regarding data-sharing with
law enforcement. Mozilla's Ashley Boyd warned users that many reproductive
health apps are "riddled with loopholes and they fail to properly secure
intimate data." Only the Euki app was found not to collect any personal
information about users, and any information input by users is stored
locally on the user's device.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f110x2355dfx069731&

------------------------------

Date: Sat, 20 Aug 2022 09:07:55 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: FTC sued by firm allegedly selling sensitive data on abortion
clinic visits (Ars Technica)

https://arstechnica.com/tech-policy/2022/08/ftc-sued-by-firm-allegedly-selling-sensitive-data-on-abortion-clinic-visits/

------------------------------

Date: Wed, 17 Aug 2022 17:06:35 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: An Explosive New Report Could Upend More than a Decade of
Alzheimer's Research. How Did This Happen (Mother Jones)

A conversation with reporter Charles Piller, whose recent Science
investigation rocked the research world.

More than 15 years ago, researchers at the University of Minnesota announced
they had made a breakthrough: When they purified a protein from the brains
of genetically modified mice and injected it into rats, it would cause the
rats to develop symptoms similar to Alzheimer's disease in humans -- the first
time anyone had directly linked a substance to the disease. They called this
protein Aβ*56.

The researchers, along with colleagues from three other universities,
published their findings in *Nature* in 2006. The study has since been cited
about 2,300 times and helped provide the basis of a leading hypothesis about
the cause of Alzheimer's, a disease that currently impacts about 6 million
Americans and their families. Proponents of the hypothesis think that clumps
of amyloid beta protein (Aβ) in people's brains may be the primary cause of
Alzheimer's. Since the *Nature* study showed that Aβ*56, one form of the
protein, could cause dementia in rats, it seemed to validate the hypothesis.

But now, the accuracy of the *Nature* paper has been called into question.
As documented in an explosive report in Science that published on July 21,
whistleblower Matthew Schrag discovered evidence to suggest that some of the
images at the center of the 2006 paper were tampered with, along with dozens
of other images connected to one of the authors, University of Minnesota
neuroscientist Sylvain Lesné.

https://www.motherjones.com/politics/2022/08/alzheimers-research-image-photo-tampering-science-investigation-research

------------------------------

Date: Thu, 18 Aug 2022 13:21:23 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Dozens of Facebook contractors lost their jobs after an algorithm
reportedly chose them 'at random' (Engadget)

[Sort of like the way Imperial Rome would "decimate" troops (which is
where the word comes from, by the way). -L]

https://www.engadget.com/facebook-contractors-cut-accenture-via-algorithm-194128471.html?src=rss

------------------------------

Date: Tue, 16 Aug 2022 18:30:13 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Microsoft Employees Exposed Own Company's Internal Logins (Vice)

Proper use of "zero trust"/security key models should render such leaks
ineffectual. -L

https://www.vice.com/en/article/m7gb43/microsoft-employees-exposed-login-credentials-azure-github

------------------------------

Date: Wed, 17 Aug 2022 13:08:07 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: #DEFCON: How US Teen Rickrolled His High School District
(Infosecurity Magazine)

A time honored tradition in many US high schools is for students in their
final year to do some kind of prank as part of their senior year. As it
turns out, some pranks are more interesting, from a hacker perspective, than
others.

At the DEFCON 30 security conference in Las Vegas, Minh Duong
outlined how he, along with a team of friends, was able to gain control of
the presentation and public address systems in his local high school
district outside of Chicago and Rickrolled it. A Rickroll is when a loop of
Rick Astley's 1987 song 'never going to give you up' is played to annoy a
user.

Duong explained that his high school has approximately 2000 students and is
part of a larger school district in suburban Chicago, which has six high
schools in total.

"Like any hacker wannabe, I started running scans against my school
network," Duong said.

https://www.infosecurity-magazine.com/news/defcon-how-us-teen-rickrolled/

------------------------------

Date: Fri, 19 Aug 2022 12:03:58 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Apple Warns of Security Flaw for iPhones, iPads, Macs (AP)

Associated Press, 18 Aug 2022, via ACM TechNews, Friday, August 19, 2022

Apple issued two security reports about a major flaw that hackers could
potentially exploit to hijack iPhones, iPads, and Macs by gaining "full
admin access." Rachel Tobac at computer security service SocialProof
Security said this would allow intruders to masquerade as device owners and
run any software in their name. Security experts have recommended that users
update affected devices, while researcher Will Strafach said he had seen no
technical analysis of the vulnerabilities that Apple has just patched. The
company cited an anonymous researcher as the flaws' discoverer, without
disclosing how or where they were found. Apple has previously conceded the
existence of similarly serious flaws, and expressed awareness that such
vulnerabilities had been exploited on perhaps a dozen occasions by
Strafach's estimates.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f110x2355dex069731&

------------------------------

Date: Thu, 18 Aug 2022 13:27:27 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Apple security updates fix 2 zero-days used to hack iPhones, Macs
(Bleeping Computer)

Apple has released emergency security updates today to fix two zero-day
vulnerabilities previously exploited by attackers to hack iPhones, iPads, or
Macs.

Zero-day vulnerabilities are security flaws known by attackers or
researchers before the software vendor has become aware or been able to
patch them. In many cases, zero-days have public proof-of-concept exploits
or are actively exploited in attacks.

Today, Apple has released macOS Monterey 12.5.1 and iOS 15.6.1/iPadOS
15.6.1 to resolve two zero-day vulnerabilities that are reported to have
been actively exploited.

https://www.bleepingcomputer.com/news/security/apple-security-updates-fix-2-zero-days-used-to-hack-iphones-macs/

Good reason to apply updates now...

------------------------------

Date: Fri, 19 Aug 2022 12:03:58 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: A Janet Jackson Song Could Crash Windows XP Laptops (PC Magazine)

Michael Kan, PC Magazine, 17 Aug 2022
via ACM TechNews, Friday, August 19, 2022

Microsoft software engineer Raymond Chen said a sound frequency in Janet
Jackson's song "Rhythm Nation" could crash a model 5400rpm laptop hard drive
used in certain Windows XP notebooks. A laptop maker alerted Microsoft's
Windows team to the problem, which seemed to occur when the song's music
video played on the laptops. However, the video also would crash Windows
laptops produced by the manufacturer's competitors, and Chen blogged,
"Playing the music video on one laptop caused a laptop sitting nearby to
crash, even though that other laptop wasn't playing the video!" Microsoft
determined the song had a frequency that matched the laptop hard drive's
natural resonant frequency, which caused its moving disks to over-vibrate
and induce a crash. Chen said the laptop manufacturer put a custom filter in
the device's audio system that could eliminate the resonant frequency during
audio playback.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f110x2355e2x069731&

[Also noted by Monty Solomon at
https://arstechnica.com/gadgets/2022/08/janet-jacksons-rhythm-nation-is-officially-a-security-threat-for-some-old-laptops/

I remember a case in the 1970s where an IBM disk unit could allegedly be
programmed to rock at a particular frequency -- and fall over. PGN]
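The mitigation Chen describes, a filter in the audio path that removes the drive's resonant frequency, as an added example that is not from Chen's post or the laptop maker's firmware: a second-order IIR notch (the standard audio-EQ "cookbook" biquad) run over a generated tone, with the attenuation measured at the notch and away from it. The drive's actual resonant frequency is not given on the page; the 100 Hz centre, 8 kHz sample rate and Q of 30 below are assumptions chosen for the demonstration.

```python
import math


def notch_coefficients(f0_hz, fs_hz, q):
    """Biquad notch (audio-EQ cookbook form), normalised so a0 == 1.
    Returns feed-forward (b0, b1, b2) and feedback (a1, a2) coefficients."""
    w0 = 2.0 * math.pi * f0_hz / fs_hz
    alpha = math.sin(w0) / (2.0 * q)      # larger q -> narrower notch
    a0 = 1.0 + alpha
    b = (1.0 / a0, -2.0 * math.cos(w0) / a0, 1.0 / a0)
    a = (-2.0 * math.cos(w0) / a0, (1.0 - alpha) / a0)
    return b, a


def biquad(samples, b, a):
    """Direct-form-I filter:
    y[n] = b0 x[n] + b1 x[n-1] + b2 x[n-2] - a1 y[n-1] - a2 y[n-2]."""
    b0, b1, b2 = b
    a1, a2 = a
    x1 = x2 = y1 = y2 = 0.0
    out = []
    for x0 in samples:
        y0 = b0 * x0 + b1 * x1 + b2 * x2 - a1 * y1 - a2 * y2
        out.append(y0)
        x2, x1 = x1, x0
        y2, y1 = y1, y0
    return out


def tone(freq_hz, fs_hz, seconds):
    """Unit-amplitude sine; stands in for the offending track (constructed input)."""
    n = int(fs_hz * seconds)
    return [math.sin(2.0 * math.pi * freq_hz * i / fs_hz) for i in range(n)]


def rms(samples):
    return math.sqrt(sum(s * s for s in samples) / len(samples))


def attenuation_db(freq_hz, f0_hz=100.0, fs_hz=8000.0, q=30.0, seconds=2.0):
    """Steady-state gain of the notch at freq_hz in dB (negative = attenuated).
    f0_hz, fs_hz and q are assumed values, not the laptop maker's.
    The first half of the signal is discarded so the filter's start-up
    transient does not leak into the measurement."""
    b, a = notch_coefficients(f0_hz, fs_hz, q)
    x = tone(freq_hz, fs_hz, seconds)
    y = biquad(x, b, a)
    half = len(x) // 2
    return 20.0 * math.log10(max(rms(y[half:]), 1e-12) / rms(x[half:]))


if __name__ == "__main__":
    for f in (100.0, 110.0, 1000.0):
        print(f"{f:7.1f} Hz: {attenuation_db(f):8.2f} dB")
```

With Q = 30 the notch is only a few hertz wide, so a tone 10 Hz off-centre passes almost untouched while the centre frequency is suppressed by tens of dB; that narrowness is what lets the fix stay inaudible on ordinary material. The protection is only as good as the resonance estimate: a drive whose resonance sits a few hertz away from the assumed f0 is not covered, and a nearby laptop with no such filter is still exposed, as the story itself notes.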

------------------------------

Date: Fri, 19 Aug 2022 12:03:58 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Made-Up Words Trick AI Text-to-Image Generators (Discover)

*Discover*, 16 Aug 2022, via ACM TechNews, Friday, August 19, 2022

Columbia University's Raphaël Millière found that made-up words
can trick text-to-image generators, raising questions about their security.
Millière created nonsense words using the "macaronic prompting"
technique, which involves combining parts of real words from different
languages. For instance, the made-up word "falaiscoglieklippantilado," a
combination of the German, Italian, French, and Spanish words for "cliff,"
generated images of cliffs when input into the DALL-E 2 text-to-image
generator. Millière said, "The preliminary experiments suggest that
hybridized nonce strings can be methodically crafted to generate images of
virtually any subject as needed, and even combined together to generate more
complex scenes." However, Millière noted, "In principle, macaronic
prompting could provide an easy and seemingly reliable way to bypass
[content] filters in order to generate harmful, offensive, illegal, or
otherwise sensitive content, including violent, hateful, racist, sexist, or
pornographic images, and perhaps images infringing on intellectual property
or depicting real individuals."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2f110x2355dax069731&

------------------------------

Date: Thu, 18 Aug 2022 11:25:22 -0700
From: "Steve Bacher" <seb...@verizon.net>
Subject: Re: Meta finds new way of tracking users across websites (The Guardian)

Quote from the Guardian article:

"The two apps have been taking advantage of the fact that users who click on
links are taken to webpages in an in-app browser, controlled by Facebook
Instagram, rather than sent to the user's web browser of choice, such as
Safari or Firefox."

As a longtime Firefox user and Chrome hater, I am pleased to see Chrome
omitted as an example of a "web browser of choice."

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.40
************************
