Subject: Risks Digest 33.17
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Sat, 23 Apr 2022 19:52 UTC
Lines: 435
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1650743363.risko@chiron.csl.sri.com15958>

RISKS-LIST: Risks-Forum Digest Saturday 23 April 2022 Volume 33 : Issue 17

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.17>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Tesla owner uses *Smart Summon* feature, crashes it into $3.5M jet
  (The Daily Dot)
Tesla Autopilot stirs U.S. alarm as disaster waiting to happen (MSN)
AI Drug Discovery Systems Might Be Repurposed to Make Chemical Weapons,
  Researchers Warn (Scientific American)
MetroWest Medical Center Turned Away Ambulances & Patients
  (Framingham Source)
Oracle Java wins cryptography bug of the year for bypass flaw
  (The Register and Ars Technica)
Lenovo security flaws risk >100 models *but* local access to the laptop is
  required for the attack (Ars Technica)
Lenovo Patches UEFI Firmware Vulnerabilities Impacting Millions of devices
  (Ars Technica)
Critical bug could have let hackers commandeer millions of Android devices
  (Ars Technica)
How Democracies Spy on Their Citizens (The New Yorker)
Brave is bypassing Google AMP pages because they're harmful to users
  (The Verge)
LinkedIn can't use anti-hacking law to block web scraping, judges rule
  (Ars Technica)
CNN's new streaming service, CNNPlus, is already shutting down (WashPost)
What You Don't Know About Amazon (NYTimes)
Barack Obama Takes On a New Role: Fighting Disinformation (NYTimes)
Re: Driverless Cars Can Be Tricked into Seeing Red Traffic Lights
  (Martin Ward)
Re: Beanstalk DAO falls to a corporate raid, funded by flash
  (George Sicheman)
Re: What Can Hackers Do With Stolen Source Code? (Michael Kohne,
  Bernie Cosell)
Abridged info on RISKS (comp.risks)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 22 Apr 2022 16:59:33 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Tesla owner uses *Smart Summon* feature, crashes it into $3.5M jet
(The Daily Dot)

A video posted to Reddit this week appears to show a Tesla vehicle driving
into a jet while using one of its self-driving functions.

Uploaded on Thursday by u/smiteme, the footage, reportedly taken at an event
held by the aircraft manufacturer Cirrus, shows the vehicle running into
what's known as a Vision Jet.

The vehicle is said to have struck the aircraft, reportedly valued at around
$3.5 million, after the owner activated Tesla's Smart Summon feature. The
Vision Jet can be seen rotating as the Tesla attempts to drive through it.
[...]

https://www.dailydot.com/debug/tesla-crash-vision-jet-autpilot-video/

[Also note by Bryan Webb
https://twitter.com/Phylan/status/1517507755162148864
and Daniel H. Eakins, who added:
"Now planes need to be added to the recognition algorithm evidentially."
https://www.tmz.com/2022/04/22/tesla-autopilot-crashes-vision-jet-3-million/
https://www.autoevolution.com/news/tesla-model-y-is-summoned-in-air-fair-crashes-into-35-million-vision-jet-187098.html
PGN]

[However, this story might have much longer legs for RISKS. For
example, consider a large class of other obstacles that might appear to
be almost entirely above the car (as perhaps the jet was), such as a
building on narrow stilts that the car video does not detect, after
which the crash causes the entire building to collapse on top of the car
-- as a result of knocking out a few critical stilts? PGN]

------------------------------

Date: Sat, 23 Apr 2022 07:30:58 -1000
From: the keyboard of geoff goodfellow <geoff@iconia.com>
Subject: Tesla Autopilot stirs U.S. alarm as disaster waiting to happen
(MSN)

Derrick Monet and his wife, Jenna, were driving on an Indiana interstate in
2019 when their Tesla Model 3 sedan operating on Autopilot crashed into a
parked fire truck. Derrick, then 25, sustained spine, neck, shoulder, rib
and leg fractures. Jenna, 23, died at the hospital.

The incident was one of a dozen in the last four years in which Teslas using
this driver-assistance system collided with first-responder vehicles,
raising questions about the safety of technology the world's most valuable
car company considers one of its crown jewels.

Now, U.S. regulators are applying greater scrutiny to Autopilot than ever
before. The National Highway Traffic Safety Administration, which has the
authority to force recalls, has opened two formal defect investigations
that could ultimately lead Tesla Inc. to have to retrofit cars and restrict
use of Autopilot in situations it still can't safely handle.

A clampdown on Autopilot could tarnish Tesla's reputation with consumers and
spook investors whose belief in the company's self-driving bona fides have
helped make Tesla Chief Executive Officer Elon Musk the world's wealthiest
person. It could damage confidence in technology other auto and software
companies are spending billions to develop in hope of reversing a troubling
trend of soaring U.S. traffic fatalities. [...]

https://www.msn.com/en-us/autos/news/tesla-autopilot-stirs-us-alarm-as-disaster-waiting-to-happen/ar-AAWkGtE

------------------------------

Date: Fri, 22 Apr 2022 08:13:48 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: AI Drug Discovery Systems Might Be Repurposed to Make Chemical
Weapons, Researchers Warn (Scientific American)

https://www.scientificamerican.com/article/ai-drug-discovery-systems-might-be-repurposed-to-make-chemical-weapons-researchers-warn/

"The team ran MegaSyn overnight and came up with 40,000 substances,
including not only VX but other known chemical weapons, as well as many
completely new potentially toxic substances. All it took was a bit of
programming, open-source data, a 2015 Mac computer and less than six hours
of machine time. 'It just felt a little surreal,' Urbina says, remarking on
how the software’s output was similar to the company's commercial
drug-development process. 'It wasn't any different from something we had
done before—use these generative models to generate hopeful new drugs.'"

An AI drug discovery platform cooks new CW formulations. They may be easy to
prepare in a binary form for dispersal, a possibly convenient deployment
composition. Frightening to imagine this situation.

AI drug discovery applications are not new. Their possible exploitation as
eventual open-source instruments that can enable CW preparation is
alarming.

The Risks Forum lists ~20 prior submissions on chemical weapons.

------------------------------

Date: Fri, 22 Apr 2022 22:45:42 -0400
From: Monty Solomon <monty@roscom.com>
Subject: MetroWest Medical Center Turned Away Ambulances & Patients
(Framingham Source)

https://framinghamsource.com/index.php/2022/04/20/updated-metrowest-medical-center-turned-away-ambulances-patients-earlier-today/

------------------------------

Date: Thu, 21 Apr 2022 10:47:58 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Oracle Java wins cryptography bug of the year for bypass flaw
(The Register and Ars Technica)

[Thanks to Steven Cheung, Li Gong, and Drew Dean for these urls.
PGN-ed for RISKS]

This looks like a serious bug for Java, which enables one to forge signatures.

Twenty-some years ago, someone at what was then Sun did not understand the
importance of proper use of nonces. They hard-coded the nonce in Java's DSA
implementation.

https://www.theregister.com/2022/04/20/java_authentication_bug/
https://arstechnica.com/information-technology/2022/04/major-crypto-blunder-in-java-enables-psychic-paper-forgeries/

[Drew suggests this bug may be Snoracle's Strike Two implementing DSA?]

------------------------------

Date: Thu, 21 Apr 2022 01:03:50 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Lenovo security flaws risk >100 models *but* local access to
the laptop is required for the attack (Ars Technica)

Hackers can infect >100 Lenovo models with unremovable malware. Are you
patched?

Lenovo has released security updates for more than 100 laptop models to
fix critical vulnerabilities that make it possible for advanced hackers to
surreptitiously install malicious firmware that can be next to impossible to
remove or, in some cases, to detect.

All three of the Lenovo vulnerabilities discovered by ESET require local
access, meaning that the attacker must already have control over the
vulnerable machine with unfettered privileges. The bar for that kind of
access is high and would likely require exploiting one or more critical
other vulnerabilities elsewhere that would already put a user at
considerable risk.

https://arstechnica.com/information-technology/2022/04/bugs-in-100-lenovo-models-fixed-to-prevent-unremovable-infections/

------------------------------

Date: Fri, 22 Apr 2022 12:42:16 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Lenovo Patches UEFI Firmware Vulnerabilities Impacting Millions of
Users (Charlie Osborne)

