Subject: Risks Digest 33.28
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Tue, 14 Jun 2022 23:22 UTC
Path: eternal-september.org!news.eternal-september.org!reader01.eternal-september.org!reader02.eternal-september.org!panix!.POSTED.panix1.panix.com!not-for-mail
Lines: 655
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1655248797.risko@chiron.csl.sri.com7894>
Injection-Info: reader1.panix.com; posting-host="panix1.panix.com:166.84.1.1";
logging-data="27771"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Tuesday 14 June 2022 Volume 33 : Issue 28

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.28>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Long-term planning and optimization (PGN)
Single beaver caused mass Internet, cell service outages in Northern B.C.
(CTV News)
Vulnerability discovered in Apple M1 chip (The Register via Tom Van Vleck)
The Billionaires Seeking a U.S. Chip-Making Revival (Ephrat Livni)
How Henry Ford Would Deal With Today's Supply Chain Upheaval (NYTimes)
Researchers Find Bluetooth Signals Can be Fingerprinted to Track Smartphones
(The Hacker News)
A Story of a Bug Found Fuzzing (Microsoft Browser Vulnerability Research)
I was able to access thousands of companies' passwords on #Azure
and run code on their VMs. This includes access to Microsoft's own
credentials (Tzah Pahima)
New Syslogk Linux Rootkit Lets Attackers Remotely Command It Using "Magic
Packets" (The Hacker News)
The surreal case of the disgruntled CIA hacker accused of exposing the
agency's digital arsenal -- King Joshhn (The New Yorker)
Coinbase lays off 1,100 employees in 18% cut (Lauren Weinstein)
'The Music Has Stopped': Crypto Firms Quake as Prices Fall (NYTimes)
Jay-Z and Jack Dorsey launched a Bitcoin academy in a public housing complex
(TechCrunch)
Researchers Detail PureCrypter Loader Cyber Criminals Using to Distribute
Malware (The Hacker News)
Thefts, Fraud, and Lawsuits at the World's Biggest NFT Marketplace (NYTimes)
CRISPR-Based Map Ties Every Human Gene to Its Function (Eva Frederick)
Self-Driving Truck Will Deliver Goods to 34 Sam's Club Locations
(Alexandra Skores)
Has the U.S. Learned Nothing From the UK's Gambling Woes (WiReD)
Re: Parameter Expansion Considered Dangerous (Cliff Kilby with TomHVV)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 14 Jun 2022 14:36:48 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Long-term planning and optimization

We've been around this topic in RISKS for many different manifestations, and
also in the CACM Inside Risks series:

* The Foresight Saga, Redux: Short-term thinking is the enemy of the
long-term future, PGN, CACM October 2012:
http://www.csl.sri.com/neumann/cacm228.pdf

* A Holistic View of Future Risks: Almost everything is somehow
interrelated with everything else -- and that should not surprise
us. PGN, CACM October 2020:
http://www.csl.sri.com/neumann/cacm250.pdf

The lack of long-term thinking comes up in off-shoring of hardware
fabrication, outsourcing of critical operations to the cloud or
untrustworthy third-parties, supply-chain shortages, food production and
distribution, health care, use of pesticides and toxic wastes,
overdependence on fossil fuels, and -- perhaps above all -- climate change.
Many of the issues that arise seem to have a common theme, namely, seeking
to save money and labor in the short term, while suppressing or ignoring
concerns for long-term implications: essentially, kicking the can down the
road rather than picking it up and recycling it.

An opinion piece by Paul Krugman in today's *The New York Times* impels me
to write this short note for RISKS readers.

In the context of the pressing need to save the Great Salt Lake from drying
up totally (with some really nasty implications), Krugman once more leads us
to an absolutely fundamental point: sooner or later, there comes a time when
civilizations must radically do something dramatic -- with costs that vastly
exceed what was saved in the short term.

Krugman's op-ed piece concludes:

"Finally, we aren't talking about a global problem. True, globally climate
change has contributed to reduced snowpack, which is one reason the Great
Salt Lake has shrunk. But a large part of the problem is local water
consumption; if that consumption could be curbed, Utah needn't worry that
its efforts would be negated by the Chinese or whatever.

So this should be easy: A threatened region should be accepting modest
sacrifices, some barely more than inconveniences, to avert a disaster just
around the corner. But it doesn't seem to be happening.

And if we can't save the Great Salt Lake, what chance do we have of saving
the planet?"

I like to look at problems more holistically -- interdisciplinarily,
internationally, globally, and even in some cases universally (as in
the two CACM Inside Risks columns noted above), and always at least
consider the long-term implications before making short-term decisions
that are clearly incompatible with long-term needs. Not having this
kind of long-term awareness can eventually be devastating.

Albert Einstein has a pithy quote, which I paraphrase:

Seemingly difficult problems can often be resolved early.

The Yogi Berra corollary is related, but also valid:

It gets late early.

That's certainly true of climate change (where the future seemed
inevitable to some wise people at least 60 years ago -- e.g., read
Silent Spring), outsourcing almost everything, being dependent on
potentially untrustworthy entities, etc. In some cases, it may not be
too late to change. However, in cases of species extinction,
remediation becomes impossible and the role of the departed species in
a balanced ecology is lost forever, and often results in further
imbalance. Attempts to compensate by local changes are likely to be
inadequate, especially when the problems are global to begin with, and
have no national boundaries.

Is any of my rant relevant to The ACM Risks Forum? Yes.

The 737 MAX is just one example where a local software fix was attempted
without understanding the airframe-hardware-software implications. The
Deepwater Horizon fiasco was another case in which financial issues hindered
reasoned remediation even before things went wonky. (See the very detailed
Boebert/Blossom book, noted in RISKS-29.49,75,80.)

------------------------------

Date: Tue, 14 Jun 2022 09:44:37 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Single beaver caused mass Internet, cell service outages in
Northern B.C. (CTV News)

Officials have now identified a beaver as the cause of a June 7 outage that
left many residents of northwestern B.C. without Internet, landline and
cellular service for more than eight hours.

The beaver gnawed its way through an aspen tree which then fell on both BC
Hydro lines and a Telus fibre-optic cable line strung along BC Hydro poles
between Topley and Houston.

The resulting power outage affected just 21 customers but the fibre optics
damage affected Telus customers in Burns Lake, Granisle, Haida Gwaii, the
Hazeltons, Kitimat, Prince George, Prince Rupert, Smithers, Terrace,
Thornhill, Houston, Topley, Telkwa, Fraser Lake and Vanderhoof.

CityWest, the utilities company owned by the City of Prince Rupert, also had
its customers affected because it uses the Telus fibre optics line.

BC Hydro official Bob Gammer said crews identified a beaver as the culprit
because of chew marks at the bottom of the downed tree. [...]

https://bc.ctvnews.ca/single-beaver-caused-mass-internet-cell-service-outages-in-northern-b-c-1.5944697

------------------------------

Date: Fri, 10 Jun 2022 20:03:26 -0400
From: Tom Van Vleck <thvv@multicians.org>
Subject: Vulnerability discovered in Apple M1 chip (The Register)

https://www.theregister.com/2022/06/10/apple_m1_pacman_flaw/

"In a paper titled "PACMAN: Attacking Arm Pointer Authentication with
Speculative Execution," Joseph Ravichandran, Weon Taek Na, Jay Lang, and
Mengjia Yan describe how they were able to use speculative execution -- the
way in which modern processors perform calculations before they may or may
not be needed to accelerate execution -- to discern the pointer
authentication code that allows pointer modification on a protected system."
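To make concrete what the "pointer authentication code" in the quote is, here is an added toy model of the mechanism; it is not code from The Register article or from the PACMAN paper. A pointer is signed by placing a short keyed tag (the PAC) in its unused upper bits, and the tag is checked before the pointer is used, so a corrupted pointer fails authentication. The 48-bit address layout, the use of HMAC-SHA256 in place of the hardware cipher, the key, the context value and the sample address are all assumptions made for the model; real Arm PAC uses a hardware block cipher and key registers, and a failed check yields an invalid address rather than a Python `None`.

```python
import hashlib
import hmac

# Assumed layout for illustration: 48-bit virtual addresses with the PAC in
# the top 16 bits. Real PAC field widths depend on the VA configuration.
VA_BITS = 48
PAC_BITS = 64 - VA_BITS
ADDR_MASK = (1 << VA_BITS) - 1
PAC_MASK = ((1 << PAC_BITS) - 1) << VA_BITS


def compute_pac(key: bytes, addr: int, context: int) -> int:
    """Derive a PAC for (addr, context) under key. HMAC-SHA256 truncated to
    PAC_BITS stands in for the hardware cipher (illustrative assumption)."""
    msg = addr.to_bytes(8, "little") + context.to_bytes(8, "little")
    tag = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(tag[:8], "little") & ((1 << PAC_BITS) - 1)


def sign_pointer(key: bytes, ptr: int, context: int) -> int:
    """Model of the PAC* instructions: embed the tag in the upper bits."""
    addr = ptr & ADDR_MASK
    return addr | (compute_pac(key, addr, context) << VA_BITS)


def authenticate_pointer(key: bytes, signed_ptr: int, context: int):
    """Model of the AUT* instructions: return the plain address when the
    stored PAC matches, otherwise None (hardware would instead produce an
    address that faults when dereferenced)."""
    addr = signed_ptr & ADDR_MASK
    stored = (signed_ptr & PAC_MASK) >> VA_BITS
    if stored != compute_pac(key, addr, context):
        return None
    return addr


def flip_pac_bit(signed_ptr: int, bit: int) -> int:
    """Corrupt one bit of the PAC field while leaving the address intact."""
    return signed_ptr ^ (1 << (VA_BITS + bit))


def main() -> None:
    key = bytes(range(32))               # constructed demo key
    context = 0x7ADE                     # constructed discriminator value
    return_addr = 0x0000_7FFF_DEAD_BEE0  # constructed sample address

    signed = sign_pointer(key, return_addr, context)
    print(f"signed pointer:       {signed:#018x}")
    print(f"authenticated:        {authenticate_pointer(key, signed, context):#x}")
    print(f"PAC bit flipped:      {authenticate_pointer(key, flip_pac_bit(signed, 3), context)}")
    print(f"wrong context:        {authenticate_pointer(key, signed, context ^ 1)}")
    print(f"PAC width is {PAC_BITS} bits, so a random guess verifies with "
          f"probability 2^-{PAC_BITS}; the scheme relies on every failed "
          f"check being fatal rather than silently retried.")


if __name__ == "__main__":
    main()
```

The design point worth noting as a defender: the tag is only a few bits wide, so the protection rests on each failed authentication being fatal to the process. Pointer authentication is therefore a cost-raising mitigation for memory-corruption bugs, not a replacement for fixing them.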

------------------------------

Date: Sat, 11 Jun 2022 16:51:53 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: The Billionaires Seeking a U.S. Chip-Making Revival (Ephrat Livni)

Ephrat Livni, *The New York Times*, 11 Jun 2022

Looking to invest and get Congress to help foot the bill

Eric Schmidt (ex-CEO Google, Dem donor), Peter Thiel (PayPal founder, Trump
supporter), H.R. McMaster, and Ash Carter are part of the American
Frontier Fund, an "unusual nonprofit venture capital fund to invest in
chip-making" in the U.S., asking Congress to provide $1B. The AFF has been
asked by the White House to lead the "Quad Investor Network", described as
"an independent consortium of investors that seeks to advance access to
capital for critical and emerging technologies across the U.S., Japan, and
Australia." [Ephrat describes varying nuanced views on this effort.
PGN-ed]

[It has long been obvious to most far-sighted people that outsourcing fab
labs was never a risk-free approach. This is a bad example of optimizing
for cost-cutting via off-shoring, while ignoring all other factors. The
current unavailability of chips and the risks of supply-chain compromises
are only two issues that need to be considered. PGN]

