Subject: Risks Digest 33.39
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Tue, 16 Aug 2022 23:38 UTC
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1660692418.risko@chiron.csl.sri.com28435>
Injection-Info: reader2.panix.com; posting-host="panix2.panix.com:166.84.1.2";
logging-data="21387"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Tuesday 16 August 2022 Volume 33 : Issue 39

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.39>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
'Ring Nation' Is Amazon's Reality Show for Our Surveillance Dystopia
(Deadline)
Meta finds new way of tracking users across websites (The Guardian)
Amazon, Oracle shrug off lawmaker fears of abortion data sales
(techxplore.com)
Zoom's Auto-Update Feature Came With Hidden Risks on Mac (WiReD)
A Single Flaw Broke Every Layer of Security in MacOS (WiReD)
Michigan plot to breach voting machines points to a national pattern
(WashPost)
On TikTok, Election Misinformation Thrives Ahead of Midterms (NYTimes)
How Frustration Over TikTok Has Mounted in Washington (NYTimes)
A New Jailbreak for John Deere Tractors Rides the Right-to-Repair Wave
(WiReD)
Workplace Productivity: Are You Being Tracked? (NYTimes)
How thieves are using cell phones to see what's inside your car
(The Hacker News)
Sloppy Software Patches Are a Disturbing Trend (WiReD)
Sloppy Use of Machine Learning Is Causing a Reproducibility Crisis in
Science (WiReD)
You can lose health data de-centrally as well (Debora Weber-Wulff)
Buying real estate in the metaverse is 'dumbest' idea ever (Mark Cuban)
What do ordinary computer users NOT care about? Breaking up Big Tech
(Lauren Weinstein)
It's Potentially Illegal: As Crypto Crashed, Coinbase Stopped Some
Notifications (Mother Jones)
It Might Be Our Data, But It's Not Our Breach (Krebs on Security)
How Russia Took Over Ukraine's Internet in Occupied Territories (NYTimes)
Why Is Web3 Security Such a Garbage Fire? Let Us Count the Ways (PCMag)
The Danger of Posting Selfies (NowIKnow)
Quote of The Day (Edward Snowden)
CRYPTO-GRAM (Bruce Schneier PGN excerpted)
Re: "Dr. Birx ADMITS She 'Knew' COVID... (Steve Lamont)
Re: Tesla faces new probes into motorbike deaths, false advertising
(Steve Bacher)
Re: What about Signal or Whatsapp, etc. vs. voice calls privacy/security?
(John Levine)
Re: Tech giants, including Meta, Google, and Amazon, want to put an end to
leap-seconds (Arthur T.)
Re: Chinese Hackers Backdoored MiMi Chat App to Target Windows, Linux,
macOS Users (via geoff goodfellow)
Re: Rainwater everywhere on Earth unsafe to drink due to *forever
chemicals*, study finds (Craig S. Cottingham)
Re: Doug Jones's review (Mark Brader)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 12 Aug 2022 18:01:02 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: 'Ring Nation' Is Amazon's Reality Show for Our Surveillance
Dystopia (Deadline)

*Amazon's newest effort to normalize its surveillance network will feature
footage from Ring surveillance cameras and commentary from comedian Wanda
Sykes.*

Amazon's propaganda campaign to normalize surveillance is about to hit a
higher gear: Wanda Sykes is going to host a new show featuring videos taken
from Ring surveillance cameras, Deadline reported
<https://deadline.com/2022/08/wanda-sykes-host-syndicated-viral-video-show-ring-doorbell-technology-1235089510/>
on Thursday. It will be called *Ring Nation*.

The show is being produced by MGM Television, which is owned by Amazon, and
Big Fish Entertainment, which ran another dystopian reality show: a piece of
copaganda called *Live PD* which centered on commentary of police footage.

According to Deadline, the show will feature lighthearted viral content
captured on Ring cameras, such as "neighbors saving neighbors, marriage
proposals, military reunions and silly animals." These types of videos
frequently go viral online, but hardly represent the reality of what Ring is
used for. Besides home surveillance, Ring is a source of surveillance video
for police departments in the U.S. and abroad.

Amazon has done a lot of work to turn the U.S. into a Ring nation
off-camera. Ring's surveillance cameras and surveillance network have been
aggressively rolled out by Amazon mainly by cultivating fear in suburbs
<https://www.vice.com/en/article/ywaa57/how-ring-transmits-fear-to-american-suburbs> about crime, and by entering partnerships with police departments
<https://www.vice.com/en/article/bjw9e8/inside-rings-quest-to-become-law-enforcements-best-friend> to give them unfettered access
<https://www.politico.com/news/2022/07/13/amazon-gave-ring-videos-to-police-without-owners-permission-00045513> to surveillance footage
<https://www.vice.com/en/article/v7memd/police-are-tapping-into-ring-cameras-to-expand-surveillance-network-in-mississippi>. Last year, advocacy
groups pushed for Amazon's Ring to be banned entirely
<https://www.vice.com/en/article/3aq4b9/48-advocacy-groups-call-on-the-ftc-to-ban-amazon-surveillance> by the Federal Trade Commission over concerns
its facial surveillance technology could fuel criminalization of Black and
brown people in public spaces. [...]

https://www.vice.com/en/article/7k8x49/ring-nation-is-amazons-reality-show-for-our-surveillance-dystopia

------------------------------

Date: Sat, 13 Aug 2022 07:57:22 +0100
From: paul cornish <paul.a.cornish@googlemail.com>
Subject: Meta finds new way of tracking users across websites (The Guardian)

Following Apple's introduction of blocks that stopped Facebook from tracking
users' activity across many websites, it looks like Meta has developed a
Facebook Mobile Browser to do just that.

https://www.theguardian.com/technology/2022/aug/11/meta-injecting-code-into-websites-visited-by-its-users-to-track-them-research-says?CMP=Share_iOSApp_Other

Clicking a hyperlink in Facebook does NOT open your preferred browser but a
browser from Facebook. They also modify the websites' pages by inserting
code (surely a copyright issue?!) that enables the tracking.

From that browser's Settings menu it appears Facebook are recording data used
to complete any forms and also payment details.

As a user our response is to turn off the saving of data and to remember to
click the bottom right on the Facebook browser window and select Open in
Browser.

------------------------------

Date: Sun, 14 Aug 2022 22:37:48 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Amazon, Oracle shrug off lawmaker fears of abortion data sales
(techxplore.com)

https://techxplore.com/news/2022-08-amazon-oracle-lawmaker-abortion-sales.html

'While all the companies detailed ways they keep data anonymized, "similar
practices and policies at a number of brokers have already proven
insufficient, even before the overturning of Roe raised the stakes for tens
of millions of women," Trahan said Friday in a statement to Bloomberg.'

Does business calculate brand outrage risk arising from data breach? Yes,
but they repeatedly trivialize financial fallout as a cost of doing business
-- an operating expense passed along to the consumers via shrink-flation
product prices traced to rising cyber-incident insurance premiums.

If breach penalties imposed minimum mandatory jail time for the CxOs and
boards of directors, one would expect businesses to adopt risk mitigation
measures with greater sincerity and purpose.

While there's no guarantee that criminal penalties can motivate data breach
reduction, attempted compliance with CISA standards and measures can reduce
breach potential.

Alternatively, restricting indemnification from product terms of services --
excluding data breach from indemnification coverage -- will remind business
governance that their own personal freedom is as much at risk as the
consumer data they readily exploit for profit.

------------------------------

Date: Sat, 13 Aug 2022 16:56:04 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Zoom's Auto-Update Feature Came With Hidden Risks on Mac (WiReD)

The popular video meeting app makes it easy to keep the software up to
date -- but it also introduced vulnerabilities.

To exploit any of these flaws, an attacker would need to already have an
initial foothold in a target's device, so you're not in imminent danger of
having your Zoom remotely attacked. But Wardle's findings are an important
reminder to keep updating -- automatically or not.

https://www.wired.com/story/zoom-auto-update-mac-flaws/

------------------------------

Date: Sat, 13 Aug 2022 20:29:54 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: A Single Flaw Broke Every Layer of Security in MacOS (WiReD)

Mac exposure -- esoteric and not exploited -- yet

An injection flaw allowed a researcher to access all files on a Mac. Apple
issued a fix, but some machines may still be vulnerable.

There is no evidence to date that the vulnerability has been exploited in
the real world. However, the flaw shows how, in some instances, it may be
possible for attackers to move through an entire operating system,
increasingly being able to access more data. In the description for his
talk, Alkemade says that as local security on macOS moves more toward an iOS
model, this highlights that multiple parts of the system need to be
reexamined.

