Subject: Risks Digest 34.40
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Thu, 15 Aug 2024 05:00 UTC
Message-ID: <CMM.0.90.4.1723697862.risko@chiron.csl.sri.com25397>

RISKS-LIST: Risks-Forum Digest Wednesday 14 Aug 2024 Volume 34 : Issue 40

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.40>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Bird Flu Shows That the U.S. Learned All the Wrong Lessons from Covid
(David Wallace Wells)
Beware Politicians' Newfound Love of Crypto[currency]
(Eswar Prasad)
Illinois Voter Data Exposed by Unsecured Databases (Lily Hay Newman)
Trump Campaign Confirms It Was Hacked (Alex Isenstadt)
GPS spoofers 'hack time' on commercial airlines, researchers say
Boeing Starliner software (ArsTechnica)
Outages Plague Trading Platforms During Stock-Market Selloff (WSJ)
Canada's food supply -- under threat? (CBC)
French Museum Network Hit by Ransomware Attack (AP)
UK PM Warns Social Media Firms After Misinformation Fuels Riots (Reuters)
Chipmaking Giant Learns What Works in Taiwan Doesn't in Arizona (John Liu)
Power-hungry AI data centers are raising electric bills and blackout risk
(LA Times)
Cisco to Lay Off Thousands in Latest Round of Tech Cuts (Reuters)
Intel Will Fire 15,000 Workers (Eva Dou)
Excess memes and ‘reply all’ emails are bad for climate, researcher warns
(The Guardian)
Experts to PNT leaders: “It’s not working!” (GPS World)
The nation’s best hackers found vulnerabilities in voting machines
-- but no time to fix them (MSN)
We're Entering an AI Price-Fixing Dystopia (The Atlantic)
Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually
Unfixable Infections (WiReD)
New Flaws in Sonos Smart Speakers Allow Hackers to Eavesdrop on Users
(The Hacker News)
Logic Gone Astray: A Security Analysis Framework for the
Control Plane Protocols of 5G Basebands (USENIX)
Call to ban DJI drones introduced in US Senate, company responds (dronedj)
DDoS Attacks Surge 46% in First Half of 2024 (Gcore Report)
NIST announces post quantum encryption standards (SecurityWeek)
Generative AI Has a 'Shoplifting' Problem. This Startup CEO Has a
Plan to Fix It (WiReD)
Kroger unveils AI-powered automatic price gouger (Pivot to AI)
Corporation Email Looks Like A Scam (Bob Smith)
ICANN Approves DNS Top-Level Domain for Intranets (Bob Gezelter)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 12 Aug 2024 19:05:31 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Bird Flu Shows That the U.S. Learned All the Wrong Lessons from
Covid (David Wallace Wells)

David Wallace Wells, *The New York Times*, Sunday Option, 11 Aug 2024

Two years after H5N1 jumped to mammals, health officials don't
seem to have a plan.

The concluding paragraph is a succinct summary:

The growing indifference has affected those still worried about Covid --
last year the CDC stopped a lot of its pandemic data collection, making
some basic facts like total deaths from Covid-19 much harder to track.

For more background for those who missed them in earlier issues:

See Robert Redfield's quote:

It's High Time To Admit Significant Side Effects of COVID-19 Vaccines.
(RISKS-34.25)

and Zeynep Tufekci's:

An Object Lesson From Covid on How to Destroy Public Trust: Officials
should have told us what they knew, or at least leveled with us about what
they didn't know. (RISKS-34.30)

------------------------------

Date: Mon, 12 Aug 2024 19:05:31 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Beware Politicians' Newfound Love of Crypto[currency]
(Eswar Prasad)

Eswar Prasad, *The New York Times*, 12 Aug 2024

A cynical bid for Silicon Valley cash seeks to prop up a financially
perilous industry.

Politicians’ newfound love of crypto probably has more to do with a cynical
bid for young voter support and Silicon Valley cash than a maturing of a
financially perilous set of assets. If anything, crypto today presents even
greater risks to its investors and to our financial institutions than it did
before. The fact that the Republican Party is publicly celebrating crypto to
American voters could only make matters worse.

The concluding paragraph is both pithy and incisive:

For all the potential benefits, decentralized finance built around
cryptocurrencies has essentially imported the fragilities of
traditional finance, but with much less regulation and with many new
risks. While being open to innovations that improve access to and
efficiency in financial markets, users, investors and regulators
ought to beware of false premises and hype. Especially if that hype
comes from politicians.

https://www.nytimes.com/2024/08/09/opinion/crypto-2024-election.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

[Also noted by Gabe Goldberg. PGN]

------------------------------

Date: Wed, 7 Aug 2024 11:24:44 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Illinois Voter Data Exposed by Unsecured Databases
(Lily Hay Newman)

Lily Hay Newman, *WiReD*, via ACM TechNews, 2 Aug 2024

More than a dozen databases containing sensitive voter information from
multiple counties in Illinois were openly accessible on the Internet,
revealing 4.6 million records that included driver's license numbers and
other personally identifiable information. Security researcher Jeremiah
Fowler uncovered a total of 13 exposed databases, none of them
password-protected or requiring any type of authentication to access.

------------------------------

Date: Mon, 12 Aug 2024 11:18:03 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Trump Campaign Confirms It Was Hacked (Alex Isenstadt)

Alex Isenstadt, *Politico*, 10 Aug 2024, via ACM TechNews

Former President Donald Trump's campaign said Saturday that some of its
internal emails had been hacked. The admission came after Politico started
receiving emails from an anonymous account with documents from inside
Trump's operation, including a research dossier the campaign had done on
Trump's running mate, Ohio Sen. JD Vance. The campaign blamed "foreign
sources hostile to the U.S.," citing a Microsoft report on Friday that
Iranian hackers "sent a spear-phishing email in June to a high-ranking
official on a presidential campaign."

------------------------------

Date: Sun, 11 Aug 2024 08:31:46 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: GPS spoofers 'hack time' on commercial airlines, researchers say
(Reuters)

A recent surge in GPS “spoofing”, a form of digital attack which can send
commercial airliners off course, has entered an intriguing new dimension,
according to cybersecurity researchers: The ability to hack time.

There has been a 400% surge in GPS spoofing incidents affecting commercial
airliners in recent months, according to aviation advisory body
OPSGROUP. Many of those incidents involve illicit ground-based GPS systems,
particularly around conflict zones, that broadcast incorrect positions to
the surrounding airspace in a bid to confuse incoming drones or missiles.
[...]

https://www.reuters.com/technology/cybersecurity/gps-spoofers-hack-time-commercial-airlines-researchers-say-2024-08-10/

------------------------------

Date: Tue, 6 Aug 2024 16:18:21 -0400
From: "Jan Wolitzky" <jan.wolitzky@gmail.com>
Subject: Boeing Starliner software (ArsTechnica)

While NASA continues to decide whether the thrusters on the Boeing
Starliner now docked to the International Space Station can be relied upon
to return the two astronauts who rode it up to the ISS back to Earth, a new
issue has apparently arisen: the current flight software on board
Starliner cannot perform an automated undocking from the space station and
re-entry into Earth’s atmosphere.

From Ars Technica:

At first blush, this seems absurd. After all, Boeing’s Orbital Flight Test 2
mission in May 2022 was a fully automated test of the Starliner vehicle.
During this mission, the spacecraft flew up to the space station without
crew on board and then returned to Earth six days later. Although the 2022
flight test was completed by a different Starliner vehicle, it clearly
demonstrated the ability of the program's flight software to autonomously
dock and return to Earth. Boeing did not respond to a media query about why
this capability was removed for the crew flight test.

It is not clear what change Boeing officials made to the vehicle or its
software in the two years prior to the launch of Wilmore and Williams. It
is possible that the crew has to manually press an undock button in the
spacecraft, or the purely autonomous software was removed from coding on
board Starliner to simplify its software package. Regardless, sources
described the process to update the software on Starliner as "non-trivial"
and "significant," and that it could take up to four weeks. This is what is
driving the delay to launch Crew 9 later next month.

