Risks Digest 33.13

RISKS-LIST: Risks-Forum Digest Saturday 9 April 2022 Volume 33 : Issue 13

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.13>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
'We Became Like a Big Startup.' How Kyiv Adapted Tech to Save Lives (Time)
Microsoft reports disrupting hacking attempts on Ukrainian, EU, and U.S.
targets (CBC)
Russia Sees Tech Brain Drain, Other Nations Hope to Gain (AP)
Apple Maps was sending me into Russian-controlled territory (Axios)
Hackers' Path Eased as 600,000 U.S. Cybersecurity Jobs Sit Empty (Bloomberg)
Researchers uncover a hardware security vulnerability on Android phones
(techxplore.com)
Chrome, Edge Hit with V8 Type Confusion Vulnerability with in-the-wild
Exploit (ZDNet)
D.C. Metro Fails To Meet Its Own Safety Requirements (Patch Watchdog Audit)
Sports-Betting App Pays D.C. $500,000 Over Super Bowl Mishap (DCist)
Southwest apologizes for delays, cancellations, blames technology issues
(FoxBusiness)
JetBlue lacked staff to disembark stranded passengers off airplane:
'Embarrassing' (Fox Business)
U.S. military wants AI to make battlefield medical decisions (WashPost)
Machine learning and uncommon names (Arthur Flatau)
The side effects of quantum error-correction and how to cope with them
(phys.org)
Squirrels and rats attacking AT&T fiber (PGN)
Monash Develops Algorithm for Stronger Blockchains (Digital Nation)
Improving software supply chain security with tamper-proof builds (Google)
Spreadsheets Are Hot -- and Cranking Out Complex Code (WiReD)
Who's Behind the Okta Hack (WiReD)
Hackers breach MailChimp's internal tools to target crypto customers
(BleepingComputer)
'Trust No One: The Hunt for the Crypto King' Review: Coins and Misdemeanors
(NYTimes)
Who turned out the lights? (Cliff Kilby)
Re: Hackers Steal About $600 Million in One of the Biggest... (Matthew Kruk)
Re: Tesla Deaths and Apache Log4j instances unpatched (Andrew Duane)
Re: NYC Skyscraper's Elevator Breakdowns Strand Tenants (John Murrell)
Re: The never-stopping car (Andrew Duane)
Review of Paul Van Oorschot's security book (Rik Farrow)
The Internet Is Not What You Think It Is: A History, A Philosophy, A Warning
(LA Review of Books)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 6 Apr 2022 11:51:43 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: 'We Became Like a Big Startup.' How Kyiv Adapted Tech to Save Lives
(Time)

Vera Bergengruen, *Time*, 4 Apr 2022, via ACM TechNews, 6 Apr 2022

Oleg Polovynko, IT director of Kyiv's city council, and Petro Olenych,
Kyiv's deputy mayor and chief digital transformation officer, have been
working to adapt and repurpose the Ukrainian capital's technology amid the
war with Russia. They have enabled most Kyiv residents to connect to the
Internet in underground bomb shelters using the city's mobile Wi-Fi hotspots
and to receive phone alerts of incoming air raids. They also revamped the
Kyiv Digital smartphone app--designed to help residents pay utility bills
and parking tickets--to display maps of the nearest bomb shelters and places
to obtain critical supplies. Said Polovynko, "I never imagined that I would
develop software in 2022 to help people stay alive, to survive things like a
missile attack. But of course, we can. And now we're using all of our IT
minds in Ukraine to help our people and our soldiers."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e5f7x232ed4x072218&

------------------------------

Date: Thu, 7 Apr 2022 18:33:49 -0600
From: "Matthew Kruk" <mkr...@gmail.com>
Subject: Microsoft reports disrupting hacking attempts on Ukrainian, EU, and
U.S. targets (CBC)

https://www.cbc.ca/news/world/microsoft-russia-hack-attempts-ukraine-eu-us-1.6412697

Microsoft Corp. said on Thursday it had disrupted hacking attempts by
Russian military spies aimed at breaking into Ukrainian, European Union, and
American targets.

In a blog post, the tech firm said a group it nicknamed "Strontium" was
using seven Internet domains as part of an effort to spy on government
bodies and think tanks in the EU and the United States, as well as Ukrainian
institutions such as media organizations.

Microsoft did not identify any of the targets by name.

------------------------------

Date: Fri, 1 Apr 2022 12:05:28 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Russia Sees Tech Brain Drain, Other Nations Hope to Gain (AP)

Liudas Dapkus, Associated Press, 31 Mar 2022, via ACM TechNews

Some countries view the exodus of technology workers from Russia as an
opportunity to refresh expertise in their own high-tech industries. One
estimate suggested as many as 70,000 computer specialists have left Russia
since the start of its invasion of Ukraine, departing for Latvia, Lithuania,
Armenia, Georgia, and elsewhere. The Russian Association for Electronic
Communications' Sergei Plugotarenko said another 100,000 tech workers might
leave in April. Said Konstantin Siniushin at Latvian tech-focused venture
capital fund Untitled Ventures, "The more talent that Europe or the U.S. can
take away from Russia today, the more benefits these new innovators, whose
potential will be fully realized abroad, will bring to other countries."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e572x232c41x074907&

------------------------------

Date: Wed, 6 Apr 2022 10:21:37 -0600
From: Jim Reisert AD1C <jjre...@alum.mit.edu>
Subject: Apple Maps was sending me into Russian-controlled territory (Axios)

Ina Fried, Axios

Chef José Andrés has relied heavily on technology as part of his
humanitarian work in Ukraine, feeding thousands of people displaced by the
Russian invasion. But he has a few gripes as well, including the fact that
Apple Maps kept sending him to Russian-controlled areas.

"Don't send people to enemy territory in a war," he told me in a brief
interview after his appearance at the Axios What's Next Summit in
Washington, D.C.

https://www.axios.com/jose-andres-beef-apple-maps-8f47a198-b153-49fd-9e49-7b1ca822e8fb.html

------------------------------

Date: Fri, 1 Apr 2022 12:05:28 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Hackers' Path Eased as 600,000 U.S. Cybersecurity Jobs Sit
Empty (Bloomberg)

Olivia Rockeman, *Bloomberg*, 30 Mar 2022, via ACM TechNews

Cybersecurity jobs search platform CyberSeek estimates roughly 600,000
vacant U.S. cybersecurity positions, including 560,000 private-sector
jobs. The pandemic compounded a shortfall of cybersecurity professionals,
while phishing and ransomware attacks escalated due to many employees using
their home networks and computers. The Massachusetts Institute of Technology
Sloan School of Management's Stuart Madnick cites a lack of qualified
cybersecurity workers, while Bryan Palma at cybersecurity company Trellix
said nations like Russia and China host better talent pipelines at the
government level of people trained in cybersecurity. Max Shuftan at the SANS
Institute cybersecurity training organization said the worker shortage
especially impacts smaller organizations like civilian public agencies, most
of which cannot match private companies' pay. As a result, Shuftan warned,
"They're probably not going to have the staff and that makes them more
vulnerable to attacks."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e572x232c46x074907&

------------------------------

Date: Wed, 6 Apr 2022 08:51:36 +0800
From: Richard Stein <rms...@ieee.org>
Subject: Researchers uncover a hardware security vulnerability on Android
phones (techxplore.com)

https://techxplore.com/news/2022-04-uncover-hardware-vulnerability-android.html

YASC -- yet another side-channel.

------------------------------

Date: Fri, 1 Apr 2022 12:05:28 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Chrome, Edge Hit with V8 Type Confusion Vulnerability with
in-the-wild Exploit (ZDNet)

Chris Duckett, ZDNet, 27 Mar 2022, via ACM TechNews

Google is calling on Windows, macOS, and Linux users to upgrade their Chrome
browsers to version 99.0.4844.84, in order to patch a V8 Type Confusion
vulnerability with an exploit in the wild. V8, Chrome's JavaScript engine
also is used server-side in Node.js, but Google has not yet announced
whether that is impacted. Google said bug details would be undisclosed until
most users had updated their browsers. "We will also retain restrictions if
the bug exists in a third-party library that other projects similarly depend
on, but haven't yet fixed," according to Google's announcement. Microsoft
published its own advisory, and said the issue has been corrected in the
concurrently released Edge version 99.0.1150.55.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e572x232c4ax074907&

------------------------------

Date: Thu, 7 Apr 2022 13:34:38 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: D.C. Metro Fails To Meet Its Own Safety Requirements (Patch
Watchdog Audit)

An audit by the Washington Metrorail Safety Commission revealed that the
District's rail system is not meeting its own safety requirements.

https://patch.com/virginia/annandale/s/i7a1m/metro-fails-to-meet-its-own-safety-requirements-watchdog-audit

------------------------------

Date: Fri, 8 Apr 2022 17:14:19 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Sports-Betting App Pays D.C. $500,000 Over Super Bowl Mishap
(DCist)

The D.C. Lottery has received $500,000 in compensation from the operator of
the city's official sports-betting app for lost revenue and reputation
damage stemming from an embarrassing technical mishap that kept the app
offline during the Super Bowl, typically the year's single-biggest day for
sports betting.

The payment comes from Intralot, the Greek lottery operator that runs the
D.C. Lottery as well as GambetDC, the only sports-betting app that works
citywide. In 2019 it received a controversial sole-source $215 million
lottery contract from the D.C. Council that also gave it the right to
develop the city's sole official sports-betting app; it launched in
mid-2020.

A mishandled software update by Intralot caused Apple to suspend GambetDC
ahead of the Super Bowl, leaving anyone with an Apple phone or tablet unable
to use the app to place a bet during the game. (There were 30,000 registered
users in February, half of them using Apple phones or tablets.) Android
users were still able to bet, and the Gambet website still worked.

https://dcist.com/story/22/04/08/dc-get-compensation-for-sports-betting-app-mishap/

------------------------------

Date: Sat, 2 Apr 2022 20:07:29 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Southwest apologizes for delays, cancellations, blames technology
issues (FoxBusiness)

https://www.foxbusiness.com/economy/southwest-apologizes-delays-cancellations-technology-issues

------------------------------

Date: Sat, 2 Apr 2022 20:08:50 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: JetBlue lacked staff to disembark stranded passengers off airplane:
'Embarrassing' (Fox Business)

https://www.foxbusiness.com/lifestyle/jetblue-massachusetts-sitting-plane-crew-left-for-night

------------------------------

Date: Sun, 3 Apr 2022 16:19:36 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: U.S. military wants AI to make battlefield medical decisions
(WashPost)

The development of a medical triage program raises a question: When lives
are at stake, should artificial intelligence be involved?

The Defense Advanced Research Projects Agency (DARPA) — the innovation arm
of the U.S. military — is aiming to answer these thorny questions by
outsourcing the decision-making process to artificial intelligence. Through
a new program, called In the Moment, it wants to develop technology that
would make quick decisions in stressful situations using algorithms and
data, arguing that removing human biases may save lives, according to
details from the program's launch this month.

Though the program is in its infancy, it comes as other countries try to
update a centuries-old system of medical triage, and as the U.S. military
increasingly leans on technology to limit human error in war. But the
solution raises red flags among some experts and ethicists who wonder if AI
should be involved when lives are at stake.

``AI is great at counting things. But I think it could set a [bad]
precedent by which the decision for someone's life is put in the hands of a
machine.'' (Sally A. Applin, a research fellow and consultant who studies
the intersection between people, algorithms and ethics, said in reference to
the DARPA program.) ...

To that end, DARPA's In the Moment program will create and evaluate
algorithms that aid military decision-makers in two situations: small unit
injuries, such as those faced by Special Operations units under fire, and
mass casualty events, like the Kabul airport bombing. Later, they may
develop algorithms to aid disaster relief situations such as earthquakes,
agency officials said.

The program, which will take roughly 3.5 years to complete, is soliciting
private corporations to assist in its goals, a part of most early-stage
DARPA research. Agency officials would not say which companies are
interested, or how much money will be slated for the program. [...]

Matt Turek, a program manager at DARPA in charge of shepherding the program,
said the algorithm's suggestions would model *highly trusted humans* who
have expertise in triage. But they will be able to access information to
make shrewd decisions in situations where even seasoned experts would be
stumped.

For example, he said, AI could help identify all the resources a nearby
hospital has -- such as drug availability, blood supply and the availability
of medical staff -- to aid in decision-making.

``That wouldn't fit within the brain of a single human decision-maker.
Computer algorithms may find solutions that humans can't.'' Sohrab Dalal, a
colonel and head of the medical branch for NATO's Supreme Allied Command
Transformation, said the triage process, whereby clinicians go to each
soldier and assess how urgent their care needs are, is nearly 200 years old
and could use refreshing.

https://www.washingtonpost.com/technology/2022/03/29/darpa-artificial-intelligence-battlefield-medical-decisions/

So much here. They know it will take roughly 3.5 years? AI will triage
wounded *without* going to each soldier? It will somehow identify nearby
hospital resources?

------------------------------

Date: Tue, 5 Apr 2022 15:15:38 -0500
From: Arthur Flatau <fla...@acm.org>
Subject: Machine learning and uncommon names

I am a long time leukemia and bone marrow transplant survivor and a patient
advocate. As such I worked with a number of medical professionals on a
relatively recent review article on late effects for stem cell survivors
(Male-Specific Late Effects in Adult Hematopoietic Cell Transplantation
Recipients: A Systematic Review from the Late Effects and Quality of Life
Working Committee of the Center for International Blood and Marrow
Transplant Research and Transplant Complications Working Party of the
European Society of Blood and Marrow Transplantation,
https://www.astctjournal.org/article/S2666-6367(21)01329-4/fulltext).

Enough tooting my horn. There are not that many Flataus in the world and
even fewer Arthur Flataus. However, there is another one who is a surgeon
(https://www.medstarhealth.org/doctors/arthur-flatau-iii-md) and is, as far
as I know, not related to me. This site
(https://www.medifind.com/doctors/arthur-flatau/19605475, which is one of the
top ten hits if you google "Arthur Flatau MD", for instance) lists him as a
co-author of the paper. (At least it did when I wrote this; I have
requested they remove the mention of the publication, and perhaps they
will.) Their information is apparently scraped from other sites. According
to the "How Medifind works" page
(https://www.medifind.com/how-medifind-works) they "[use] cutting-edge
machine learning techniques [...] to sift through this mass of information
and identify those findings that could help you learn about a new treatment
or make a better-informed decision about which treatment option to choose".
It seems their algorithm might need a little tweaking.

------------------------------

Date: Thu, 7 Apr 2022 20:05:53 +0800
From: Richard Stein <rms...@ieee.org>
Subject: The side effects of quantum error-correction and how to cope with
them (phys.org)

https://phys.org/news/2022-04-side-effects-quantum-error-cope.html

"In applying QEC to quantum sensing, errors are repeatedly corrected as the
sensor acquires information about the target quantity. As an analogy,
imagine a car that keeps departing from the center of the lane it travels
in. In the ideal case, the drift is corrected by constant counter-steering.
In the equivalent scenario for quantum sensing, it has been shown that by
constant -- or very frequent -- error correction, the detrimental effects of
noise can be suppressed completely, at least in principle. The story is
rather different when for practical reasons, the driver can perform
correcting interventions with the steering wheel only at specific points in
time. Then, as experience tells us, the sequence of driving ahead and making
corrective movements has to be finely tuned. If the sequence did not
matter, then the motorist could simply perform all steering maneuvers at
home in the garage and then confidently put their foot down on the
accelerator. The reason why this does not work is that rotation and
translation are not commutative -- the order in which the actions of one
type or the other are executed changes the outcome."

The last paragraph contains this fragment: "these results are set to provide
an import contribution to tweaking out the highest precision from a broad
range..."

Where would the world be without a good quantum tweak now and then?

------------------------------

Date: Fri, 8 Apr 2022 20:33:00 PDT
From: Peter Neumann <neu...@csl.sri.com>
Subject: Squirrels and rats attacking AT&T fiber

For the past few weeks, numerous AT&T trucks have been seen daily in our
neighborhood, which has been plagued by squirrels and rats chewing through
Internet fiber -- with lengthy outages even up to an entire week. AT&T is
attributing the problem to the fact that they (as opposed to other carriers)
are using environmentally friendly soy-based encapsulation for fiber. In
this case, it appears that "environmentally friendly" also means very
friendly to squirrels and rats.

There are also some reports that this may also be a problem with fiber
in certain automobile models, including Teslas. It'Soy veh!

I sent this short tale of long tails out to various colleagues and friends.
I summarize briefly two responses:

* Susmit Jha suggested this is

Very interesting .. would be good to have quantitative numbers on marginal
gain in fiber chewing due to introduction of environmentally friendly
encapsulations because the baseline appears to be high too:
https://www.tomsguide.com/us/cyberwar-squirrels-shmoocon,news-24283.html ,
https://circleid.com/posts/20190606_squirrels_number_one_culprit_for_animal_damage_to_aerial_fiber

It appears rodents do not view most wiring as food instead.

In 2001, a repairman suggested it was the grease used in the sheathing. A
1989 patent suggests "chewing on objects which are tough in composition is
necessary to prevent [rodents] ever-growing incisor teeth from overgrowing."
<http://www.techrepublic.com/article/get-it-done-maintaining-fiber-optic-connections-takes-a-creative-approach/1041526>
<http://www.google.com/patents?id=qRY-AAAAEBAJ&zoom=4&dq=squirrel%20fiber%20cable%20damage&pg=PA6#v=onepage&q=squirrel%20fiber%20cable%20damage&f=false>

Some researchers are already on the problem:
https://www.scientific.net/KEM.818.1

* Dan Eakins suggested this involved an engineering choice made -- small
decision with good intentions -- that led to unexpected failures. Like
the rumor that auto manufacturers use peanut oil rather than petroleum to
make it easier to put wire harnesses through bulkheads -- and that smell
lasts years -- rodents are attracted to it for a long time and chew
through them. No one thought that would be an outcome I imagine for such
a clever solution.

Or I had a car catch on fire from a small rodent nest in the heater box
next to the heating coils. Perfect place for a mouse to make a home --
first time it got cold it started a fire I couldn't put out in the
mountains and I almost started a forest fire -- and it burned the car up
as interiors are highly flammable. Well, whose great idea was it to make
a fire starter in a mouse house?

But it is not considered a manufacturing fault I expect, and they don't
investigate or change designs like they would if it were a plane or an
auto crash.

They say you are what you eat -- so those squirrels and rats are now
Cyber-rodents.

[They also might have a need for RoDentalFloss. PGN]

------------------------------

Date: Wed, 6 Apr 2022 11:51:43 -0400 (EDT)
From: ACM TechNews <technew...@acm.org>
Subject: Monash Develops Algorithm for Stronger Blockchains (Digital Nation)

Digital Nation (Australia), 5 Apr 2022, via ACM TechNews, 6 Apr 2022

An international team of researchers has developed an algorithm to enable
faster, stronger, more efficient blockchains. Researchers at Australia's
Monash University, automation technology company ABB Zurich, and the U.K.'s
University of Birmingham designed the Damysus Byzantine Fault Tolerance
(BFT) consensus protocol to surmount faults and evade system failures in
blockchain applications, adding more resilience as fault tolerance
increases. Monash's Jiangshan Yu said the algorithm can be implemented
simply for constructing scalable blockchains. He added that Damysus boosted
the number of blockchain transactions per second by 87.5%, compared to the
state-of-the-art HotStuff BFT consensus protocol. Said David Kozhaya at ABB
Zurich, "Given the plethora of devices that inherently embed some form of
trusted hardware nowadays, our results in Damysus, pragmatically speaking,
make BFT protocols more appealing to use in real-world systems."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e5f7x232ed9x072218&

------------------------------

Date: Thu, 7 Apr 2022 20:33:57 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Improving software supply chain security with tamper-proof
builds (Google)

https://security.googleblog.com/2022/04/improving-software-supply-chain.html

------------------------------

Date: Thu, 7 Apr 2022 13:33:21 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Spreadsheets Are Hot -- and Cranking Out Complex Code (WiReD)

The venerable (and yes, super dull) piece of officeware is getting
reinvented as a tool for non-coders to automate and simplify their lives.

https://www.wired.com/story/spreadsheets-are-hot-and-cranking-out-complex-code/

Not a word about black-box/opaque "programming" being difficult to verify,
modify, debug. Computer results/actions must be correct.

------------------------------

Date: Sat, 2 Apr 2022 09:22:56 +0900
From: Dave Farber <far...@gmail.com>
Subject: Who's Behind the Okta Hack (WiReD)

Even if you aren't familiar with Okta, you've probably used it. The digital
login system is used by thousands of companies across the world to manage
employee logins to various cloud services. Which makes it a real problem
when that system, and all that login info, gets hacked.

This week on Gadget Lab, WIRED senior writer Lily Hay Newman joins the show
to tell us about the group behind the recent Okta hack, how the hackers took
control of such a vast system, and what happened in the aftermath.

https://www.wired.com/story/gadget-lab-podcast-544

------------------------------

Date: Tue, 5 Apr 2022 13:48:35 -0400
From: Gabe Goldberg <ga...@gabegold.com>
Subject: Hackers breach MailChimp's internal tools to target crypto
customers (BleepingComputer)

Email marketing firm MailChimp disclosed on Sunday that they had been hit by
hackers who gained access to internal customer support and account
management tools to steal audience data and conduct phishing attacks.

Sunday morning, Twitter was abuzz with reports from owners of Trezor
hardware cryptocurrency wallets who received phishing notifications claiming
that the company suffered a data breach. [...]

According to MailChimp, some of their employees fell for a social
engineering attack that led to the theft of their credentials.

https://www.bleepingcomputer.com/news/security/hackers-breach-mailchimps-internal-tools-to-target-crypto-customers/

[Monty Solomon noted:
Hackers breached MailChimp to phish cryptocurrency wallets (The Verge)
https://www.theverge.com/2022/4/4/23010317/hackers-mailchimp-trezor-cryptocurrency-phishing ]

------------------------------

Date: Mon, 4 Apr 2022 09:30:05 -0400
From: Andrew Duane <e91.w...@gmail.com>
Subject: Re: The never-stopping car (RISKS-33.13)

This reminds me of a (not at the time) amusing anecdote about my first car:
a 1980 VW Rabbit Diesel. Driving along the highway one day, I noticed the
car went from 48 HP to about 300 HP without me touching the gas pedal.
Simultaneously, a huge cloud of black smoke was coming out of the tailpipe.
I immediately put the car in neutral and turned off the ignition key. That
did little to stop the engine.

Diesels don't use spark to ignite the fuel, they use the heat of compression
inside the cylinder. Turning off the key only turns off the fuel pump which
is supposed to stop fuel flowing to the cylinders. But it turns out that
when the air filter gets clogged enough, the vacuum created starts pulling
oil around the piston rings, and engine oil is 100 octane racing gas for
diesels. So turning off the fuel pump does not stop the engine from running;
it runs until the engine oil is gone (then seizes). Luckily I got mine
turned off before it switched to 100% engine oil, and the engine did spool
down over 10 or 20 seconds.

------------------------------

Date: Mon, 4 Apr 2022 07:17:09 -0600
From: "Matthew Kruk" <mkr...@gmail.com>
Subject: 'Trust No One: The Hunt for the Crypto King' Review: Coins and
Misdemeanors (NYTimes)

In this sensationalist Netflix documentary, aggrieved users of a defunct
cryptocurrency exchange grow convinced that the company's head absconded
with their money.

https://www.nytimes.com/2022/03/30/movies/trust-no-one-the-hunt-for-the-crypto-king-review.html

------------------------------

Date: Tue, 5 Apr 2022 10:59:55 -0400
From: Cliff Kilby <cliff...@gmail.com>
Subject: Who turned out the lights?

Part of the joy of running a data center is configuring the data center to
allow you to run it without having to stand at a crash cart in the cold
aisle. Unfortunately, this also means there are devices sitting on your
network that have unusually high value for lateral attack movement.

Dell has recently addressed a series of issues with their branded
lights-out manager, iDRAC.

https://www.dell.com/support/kbdoc/en-us/000196401/dsa-2022-043

This lights-out manager happens to be included in their storage systems.

https://www.dell.com/support/kbdoc/en-us/000197962/dsa-2022-078-dell-technologies-powerprotect-dd-security-update-for-idrac9-and-bios-vulnerabilities

Patch and ensure your network segmentation plan prevents general
connectivity to lights-out managers.
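
As an added illustration of the segmentation check recommended above (example
code written for this digest, not part of the post or of Dell's advisories):
given an inventory of lights-out manager (iDRAC/BMC) addresses and a flat list
of firewall allow rules, it reports every rule that lets a source outside the
designated management network reach a BMC. The addresses, rule names and
management subnet are constructed sample values.

```python
"""
Audit check: which firewall allow rules expose lights-out managers (BMC/iDRAC)
to sources outside the management network?

Added example for RISKS 33.13; not the poster's code or Dell's tooling.
Assumes a simplified rule model (source CIDR -> destination CIDR, TCP port).
All addresses below are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class AllowRule:
    name: str
    src: str   # source CIDR
    dst: str   # destination CIDR
    port: int  # TCP port the rule permits


# Constructed inventory: hostname -> BMC (iDRAC) IP address
BMC_ADDRESSES = {
    "db01-idrac": "10.99.0.11",
    "db02-idrac": "10.99.0.12",
    "backup01-idrac": "10.99.0.20",
}

# Constructed: the only network (jump hosts) that should reach BMCs
MANAGEMENT_SOURCES = ["10.250.0.0/24"]

# Constructed rule set; two rules are deliberately over-permissive
ALLOW_RULES = [
    AllowRule("mgmt-to-bmc-https", "10.250.0.0/24", "10.99.0.0/24", 443),
    AllowRule("any-to-bmc-https", "0.0.0.0/0", "10.99.0.0/24", 443),
    AllowRule("office-to-backup-ssh", "10.20.0.0/16", "10.99.0.20/32", 22),
    AllowRule("office-to-web", "10.20.0.0/16", "10.10.0.0/24", 443),
]


def find_bmc_exposures(bmc_addresses, allow_rules, management_sources):
    """Return (bmc_name, rule_name) pairs for every rule whose source is not
    wholly inside a management network and whose destination covers a BMC."""
    mgmt_nets = [ipaddress.ip_network(m) for m in management_sources]
    findings = []
    for rule in allow_rules:
        src = ipaddress.ip_network(rule.src)
        dst = ipaddress.ip_network(rule.dst)
        # A rule is acceptable only if its whole source range is management.
        # A broad source such as 0.0.0.0/0 is never a subnet of a mgmt net.
        if any(src.subnet_of(m) for m in mgmt_nets):
            continue
        for name, addr in bmc_addresses.items():
            if ipaddress.ip_address(addr) in dst:
                findings.append((name, rule.name))
    return findings


def main():
    exposures = find_bmc_exposures(BMC_ADDRESSES, ALLOW_RULES, MANAGEMENT_SOURCES)
    if not exposures:
        print("No BMC reachable from outside the management network.")
    for bmc, rule in exposures:
        print(f"EXPOSED: {bmc} reachable via rule '{rule}'")


if __name__ == "__main__":
    main()
```

Run against a real rule export the same way: the check only needs each rule's source and destination ranges, and anything it reports is a candidate for removal or for narrowing to the management network.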

------------------------------

Date: Fri, 1 Apr 2022 22:09:14 -0600
From: "Matthew Kruk" <mkr...@gmail.com>
Subject: Re: Hackers Steal About $600 Million in One of the Biggest...

Why people bother with craptocurrency is beyond me. Hello people, repeat
after me: Electronic Ponzi. Madoff would be proud. I have other comments
but this is a PG(N) family digest.

[TNX for your thoughtfulness. PGN]

------------------------------

Date: Fri, 1 Apr 2022 16:19:45 -0400
From: Andrew Duane <e91.w...@gmail.com>
Subject: Re: Tesla Deaths and Apache Log4j instances unpatched

Both of these entries are good data to collect, but they both lack context.

For the Tesla deaths, how does 246 deaths compare to non-autonomous
vehicles? How many cars, how many miles were driven? Is 246 deaths a 50%
drop from historical trends, or a 50%?

For the log4j vulnerabilities (which I spent weeks on), what does that 30%
unpatched figure represent? An instance could mean anything. Is it a Fortune
100 company's business database? Or Aunt Winnie's knitting blog with 14
subscribers?

Many of us here live for numbers, but numbers without context don't give
the complete or correct picture.

------------------------------

Date: Wed, 06 Apr 2022 09:56:07 +0100
From: John Murrell <ma...@JohnMurrell.org.uk>
Subject: Re: NYC Skyscraper's Elevator Breakdowns Strand Tenants
(RISKS-33.12)

Lifts use regenerative braking to stop the car at the destination floor and
to control the speed. This results in the local supply voltage increasing
which can cause problems both to the other lifts on the same supply as well
as other equipment. The direction of travel when the lift regenerates
depends on which is heavier, the counterweight or the car. It is a common
fallacy that the lift brakes are used to stop the car, they are only used in
an emergency and to hold the car at a floor when the doors are open.

The problem will be intermittent as it depends on how many lifts are
regenerating at the same time as well as how much power is consumed by the
rest of the building.

I know of one London Underground Station where the lifts cause the
brightness of nearby shop lights to change. Also another where the old style
rotating disc electricity meter failed as the regenerative current was
trying to rotate the disc in the 'wrong' direction.

------------------------------

Date: Fri, 8 Apr 2022 20:11:37 -0700
From: Rik Farrow <r...@rikfarrow.com>
Subject: Review of Paul Van Oorschot's security book

I've just published a review of Paul Van Oorschot's second edition of his
book, Computer Security and the Internet. You can find my review here:

https://www.usenix.org/publications/loginonline/computer-security-and-internet

Briefly, very concise coverage in textbook form of computer security, quite
up to date. A good choice for people with experience programming or
managing computers who want to learn about security.

------------------------------

Date: Sun, 3 Apr 2022 09:16:31 -0600
From: Jim Reisert AD1C <jjre...@alum.mit.edu>
Subject: The Internet Is Not What You Think It Is: A History, A Philosophy,
A Warning (LA Review of Books)

Julien Crockett, March 22, 2022

https://lareviewofbooks.org/article/the-internet-is-not-what-you-think-it-is-a-history-a-philosophy-a-warning/

THE INTERNET HAS lost its way and taken society with it. Since the
mid-2010s, we hear warnings of "dis/misinformation." We hear about the
loss of trust in our institutions and the need to reinvent them for the
Internet age. In short, we are living in a "crisis moment" -- one
ironically experienced by many of us while stuck at home.

Many have diagnosed these symptoms and proposed policy solutions, but few
have done the hard work of rummaging around in the Internet's history to
find the roots of the problems -- and almost none have taken a truly long
view. In "The Internet Is Not What You Think It Is", Justin E. H. Smith, a
philosopher and historian of science, argues that we've been much too
narrow-minded in our understanding of the Internet. In presenting a longue
durée history, he challenges our assumptions about what the Internet is
and what we're doing when we're on it. Only by understanding the
Internet's long history -- by understanding the circumstances in which the
Internet's many parts were conceived -- can we, he claims, take back
control of our lives and shape the Internet in a way more conducive to
human flourishing.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.13
************************