Subject: Risks Digest 33.38
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Sat, 13 Aug 2022 04:09 UTC
Lines: 747
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1660363444.risko@chiron.csl.sri.com10644>

RISKS-LIST: Risks-Forum Digest Friday 12 August 2022 Volume 33 : Issue 38

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.38>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Tesla faces new probes into motorbike deaths, false advertising
(Ars Technica)
One of 5G's Biggest Features Is a Security Minefield (WiReD)
Cisco Confirms It's Been Hacked by Yanluowang Ransomware Gang
(The Hacker News)
The Hacking of Starlink Terminals Has Begun (WiReD)
A bug lurking for 12 years gives attackers root on every major Linux distro
(Ars Technica)
Coinbase reports 63% drop in revenues in second quarter (NYTimes)
Rainwater everywhere on Earth unsafe to drink due to *forever chemicals*,
study finds (Euronews)
A Sydney high school banned mobile phones. It had dramatic results
(Sydney Morning Herald)
Math error overturns 100-year-old understanding of color perception (Phys)
Sloppy Use of Machine Learning Is Causing a Reproducibility Crisis in
Science (WiReD)
MoFi has been using digital all along, a scandal in the audio community
(WashPost)
FEC approves Google's horrible political spam filter bypass plan
(Lauren Weinstein)
Cryptocurrencies and the US Government Are Headed for a Decisive Showdown
(WiReD)
U.S. sanctions Tornado Cash and crypto shrieks in horror
(Attack of the 50-Foot Blockchain)
Just use voice calls or in person for sensitive communications
(Lauren Weinstein)
What about Signal or Whatsapp, etc. vs. voice calls privacy/security?
(Lauren Weinstein)
New Data Suggests Our Fundamental Model of the Universe Is Wrong, And
Scientists Are Racing to Solve It (dnyuz)
Re: "Dr. Birx ADMITS She 'Knew' COVID-19 Vaccines 'Were Not Going to Protect
Against Infection'" (Steve Lamont)
Re: Bad Batches (Judith Hemenway)
Danger: Metaverse Ahead! (Rob Slade)
Amazon vacuums up more data and money with Roomba? (Lauren Weinstein)
Re: Tech giants, including Meta, Google, and Amazon, want to put an end to
leap-seconds (David E. Ross)
Re: Who is at fault when medical software gets it wrong? (Gabe Goldberg)
Re: Robotic Surgery (Gabe Goldberg)
Re: Clipping wires to upgrade (Lindsay Marshall)
Re: Book Review: America's Biggest Lottery Scam by Bob Sand (Mark Brader)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 8 Aug 2022 14:45:58 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Tesla faces new probes into motorbike deaths, false
advertising (Ars Technica)

NHTSA is investigating bike deaths as California says Tesla statements are
"untrue."

The first fatal crash occurred in the early hours of July 7 in Riverside,
California, when a Tesla Model Y on State Route 91 hit a motorcycle from
behind, killing its rider. The second fatal motorcycle crash occurred on
July 24, again at night, this time on I-15 outside Draper, Utah. In that
case, a Tesla Model 3 was driving behind a motorcycle and hit it, killing
the rider.

------------------------------

Date: Thu, 11 Aug 2022 01:38:32 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: One of 5G's Biggest Features Is a Security Minefield (WiReD)

New research found troubling vulnerabilities in the 5G platforms carriers
offer to wrangle embedded device data.

https://www.wired.com/story/5g-api-flaws

------------------------------

Date: Thu, 11 Aug 2022 10:20:56 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Cisco Confirms It's Been Hacked by Yanluowang Ransomware Gang
(The Hacker News)

Networking equipment major Cisco on Wednesday confirmed it was the victim of
a cyberattack on May 24, 2022 after the attackers got hold of an employee's
personal Google account that contained passwords synced from their web
browser.

"Initial access to the Cisco VPN was achieved via the successful compromise
of a Cisco employee's personal Google account," Cisco Talos said in a
detailed write-up. "The user had enabled password syncing via Google Chrome
and had stored their Cisco credentials in their browser, enabling that
information to synchronize to their Google account."
<https://blog.talosintelligence.com/2022/08/recent-cyber-attack.html>

The disclosure comes as cybercriminal actors associated with the Yanluowang
ransomware gang published a list of files from the breach to their data leak
site on August 10.
<https://twitter.com/Cyberknow20/status/1557419082210676736>

The exfiltrated information, according to Talos, included the contents of a
Box cloud storage folder that was associated with the compromised employee's
account and is not believed to have included any valuable data.

Besides the credential theft, there was also an additional element of
phishing wherein the adversary resorted to methods like *vishing* (aka voice
phishing) and multi-factor authentication (MFA) fatigue to trick the victim
into providing access to the VPN client. [...]

https://thehackernews.com/2022/08/cisco-confirms-its-been-hacked-by.html

------------------------------

Date: Thu, 11 Aug 2022 10:23:00 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: The Hacking of Starlink Terminals Has Begun (WiReD)

It cost a researcher only $25 worth of parts to create a tool that allows
custom code to run on the satellite dishes.

https://www.wired.com/story/starlink-internet-dish-hack/

------------------------------

Date: Wed, 26 Jan 2022 11:08:40 PST
From: Peter Neumann <neumann@csl.sri.com>
Subject: A bug lurking for 12 years gives attackers root on every major
Linux distro (Ars Technica)

[oops. i forwarded this to a colleague and lost the author from another
list. PGN]

https://arstechnica.com/information-technology/2022/01/a-bug-lurking-for-12-years-gives-attackers-root-on-every-major-linux-distro/

This highlights a problem with running old versions of OSes that aren't
getting software updates.

(Ubuntu Advantage has patches for this in 14.04 and 16.04, but only if
you're in the program. It looks like they aren't supporting 12.04 (which is
still within 5 yrs of end of security patches, so I expected them to).)

This was more interesting to me...
https://thehackernews.com/2022/01/chinese-hackers-spotted-using-new-uefi.html

------------------------------

Date: Wed, 10 Aug 2022 19:23:03 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Coinbase reports 63% drop in revenues in second quarter (NYTimes)

David Yaffe-Bellany, *The New York Times* Business, 10 Aug 2022

.... and $2.2 billion down from a year ago.

------------------------------

Date: Tue, 9 Aug 2022 10:51:32 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Rainwater everywhere on Earth unsafe to drink due to *forever
chemicals*, study finds (EuroNews)

[Another ALMOST EVERYTHING IS INTERCONNECTED example.]

Per- and poly-fluoroalkyl substances (PFAS) are a large family of
human-made chemicals that don't occur in nature. They have non-stick or
stain repellent properties so can be found in household items like food
packaging, electronics, cosmetics and cookware. But now researchers at
the University of Stockholm have found them in rainwater in most
locations on the planet -- including Antarctica. There is no safe space
to escape them.

https://www.euronews.com/green/2022/08/04/rainwater-everywhere-on-earth-unsafe-to-drink-due-to-forever-chemicals-study-finds

------------------------------

Date: Sun, 7 Aug 2022 16:57:58 -0600
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: A Sydney high school banned mobile phones. It had dramatic results
(Sydney Morning Herald)

Andrew Taylor, *Sydney Morning Herald*, 7 Aug 2022

A Sydney high school has seen a dramatic decrease in behavioural issues
and a boost in physical activity and students talking to each other just
two months after it tightened restrictions on mobile phone usage.

Davidson High School principal David Rule said there had been significant
changes since students in years 7 to 10 were banned from using mobile
phones at school. "Classrooms have effectively become phone-free and this
has allowed staff to focus on educating students," he said in a school
newsletter. "Finally, in eight weeks of the policy, there has been a 90
per cent reduction in behavioural issues related to phones in the school."

The high school in Frenchs Forest requires students to put phones in a
pouch that, once closed, cannot be reopened without breaking a lock.

https://www.smh.com.au/national/nsw/a-sydney-high-school-banned-mobile-phones-it-had-dramatic-results-20220803-p5b6zf.html

------------------------------

Date: Thu, 11 Aug 2022 20:48:54 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Math error overturns 100-year-old understanding of color perception
(Phys)

