Subject: Risks Digest 33.44
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: 14 Sep 2022 03:02:55 -0000
Lines: 975
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1663124130.risko@chiron.csl.sri.com20782>

RISKS-LIST: Risks-Forum Digest Tuesday 13 September 2022 Volume 33 : Issue 44

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.44>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
The Search for Dirt on the Twitter Whistle-Blower (Ronan Farrow via PGN)
Twitter's testimony today (Lauren Weinstein)
GM's Cruise Recalls Self-Driving Software Involved in June Crash (WiReD)
Be afraid of the Internet of Everything (Gabe Goldberg)
Samsung denies Social Security numbers involved in latest breach
(The Record by Recorded Future)
Careless Errors in Hundreds of Apps Could Expose Troves of Data (WiReD)
Timing of Artemis launch may depend on emergency detonation system
(WashPost)
Artemis I launch scrubbed again, new attempt may not come till October
(The Washington Post)
Four vulnerabilities discovered in popular infusion pumps, WiFi batteries
(The Record via WashPo)
Extreme California heat knocks key Twitter data center offline (CNN)
How criminals are using jammers, deauthers to disrupt WiFi security cameras
(Kiara Hay via Steve Stroh via Dewayne Hendricks via Dave Farber)
Apple and eSIM (Rob Slade)
Apple's recent iPhone security fix puts spotlight on transparency
(USA Today)
How Human Traffickers Force Victims Into Cyberscamming (ProPublica)
Iranian authorities plan to use facial recognition to enforce new hijab law
(The Guardian)
Cloudflare drops KiwiFarms (The Washington Post)
BBC report that UK Court IT system puts justice at risk (BBC)
The 1,000 Chinese SpaceX engineers that existed only on LinkedIn
(MIT Technology Review)
Sky Cuts Queen Elizabeth II-Related Jokes From 'Last Week Tonight With John
Oliver' in UK (Hollywood Reporter)
Facebook has no idea where to find your data (DJC)
Facebook and Google, they're SO public spirited... (Gabe Goldberg)
Super-rich 'preppers' planning to save themselves from the apocalypse
(The Guardian)
Major telecoms sign deal to keep some phone services running during future
outages (CBC Canada)
Israel: Health Ministry website faces cyberattack, oversea access blocked
(I14 News)
Groove.cm Breaks the Internet (Paul Robinson)
This $30 mouse jiggler makes it look like you're working when you're not
(CNBC)
Obsessively watching the news can make you mentally and physically sick
(Study Finds)
Re: High Seas Deception: How Shady Ships Use GPS to Evade International Law
(John Stewart)
Re: Hand-counting elections riskier than computer counts?
(Craig Cottingham)
Re: Honda Clocks Are Stuck 20 Years In The Past; There Isn't A Fix
(Steve Bacher)
Re: 3D gun printing operation busted in Calgary (Henry Baker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 13 Sep 2022 10:14:37 -0700
From: Peter G Neumann <neumann@csl.sri.com>
Subject: The Search for Dirt on the Twitter Whistle-Blower (Ronan Farrow)

[Re: Mudge, the L0pht, and whistle-blowing, RISKS-33.41 --
Peiter "Mudge" Zatko's journey from hacker to Twitter whistleblower]

Ronan Farrow, *The New Yorker*, 13 Sep 2022
https://www.newyorker.com/news/news-desk/the-search-for-dirt-on-the-twitter-whistle-blower

Many of Peiter (Mudge) Zatko's former colleagues have received offers of
payment for [dirty] information about him.

On 23 Aug, a Slack chat for former employees of the payments company Stripe
began filling with accounts of strange queries about an ex-colleague.
<https://www.cnn.com/2022/08/23/tech/twitter-whistleblower-peiter-zatko-security/index.html>
<https://www.washingtonpost.com/technology/2022/08/23/peiter-mudge-zatko-twitter-whistleblower/>
``I'm getting inundated with paid interview requests,''
one of the former employees, Dan Foster, wrote. Another, Marty Wasserman,
later posted that he'd received a similar message via e-mail. ``Hi Marty,
Hope you're having a great week!'' the message read. ``I'm currently
working on a project regarding leadership in tech, and my client is hoping
to speak to an experienced professional about a particular individual you
may have worked with.'' The message requested a 45-60 minute compensated
phone consultation. Wasserman was suspicious of the timing. ``Preeeettyy
sure this is regarding Mudge,'' he wrote, pasting it in the Slack chat with
his former colleagues. ``Hard pass.''

Hours earlier, CNN and *The Washington Post* had reported that Twitter's
former head of security, Peiter (Mudge) Zatko, had filed a whistle-blower
disclosure to federal agencies, accusing the social-media platform of
reckless security practices. Zatko's sweeping claims, if proven, could aid
Elon Musk in his attempt to terminate his forty-four-billion-dollar
agreement to acquire Twitter, a legal fight with implications of billions of
dollars for investors. The dozens of e-mails and LinkedIn messages received
by people in Zatko's professional orbit appeared to be mostly from
research-and-advisory companies, part of a burgeoning industry whose clients
include investment firms and individuals jockeying for financial advantage
through information. At least six research outfits -- Gerson Lehrman Group
(G.L.G.), AlphaSights, Mosaic Research Management, Ridgetop Research,
Coleman Research Group, and Guidepoint -- approached former colleagues of
Zatko's at Stripe, Google, and the Pentagon research agency DARPA. All
offered to pay for information, sometimes noting that the compensation would
be high or apparently unrestricted. At least two investment firms, Farallon
Capital Management L.L.C. and Pentwater Capital Management L.P., also sought
information from individuals close to Zatko.

[It's a long and ugly story, truncated for RISKS. PGN]

https://www.cnn.com/2022/09/12/tech/twitter-data-center-california-heat-wave/index.html

"The restrictions highlight the apparent fragility of some of Twitter's most
fundamental systems, a problem Peiter "Mudge" Zatko, Twitter's former head
of security who turned whistleblower, had raised in a disclosure sent to
lawmakers and government agencies in July. In his whistleblower disclosure,
first reported by CNN and The Washington Post, Zatko warned that Twitter had
"insufficient data center redundancy" that raised the risk of a brief
service outage or even the prospect of Twitter going offline for good.
"Even a temporary but overlapping outage of a small number of datacenters
would likely result in the service [Twitter] going offline for weeks,
months, or permanently," according to Zatko's whistleblower disclosure.
(Twitter has criticized Zatko and broadly defended itself against the
allegations, saying the disclosure paints a "false narrative" of the
company.) News of the data center outage comes a day before Zatko is due to
testify before the Senate Judiciary Committee."

https://www.cnn.com/2022/09/12/tech/peter-zatko-twitter-whistleblower-hearing-walkup/index.html
https://www.washingtonpost.com/technology/2022/08/24/twitter-whistleblower-senate-hearing/

Twitter agreed in June to pay roughly $7 million to the whistleblower whose
allegations will be part of Elon Musk's case against the company, WSJ
reported Thursday, citing people familiar with the matter.
https://www.wsj.com/articles/twitter-agreed-to-pay-whistleblower-7-million-in-june-settlement-11662661116

------------------------------

Date: Tue, 13 Sep 2022 11:01:49 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Twitter's testimony today

> Twitter whistleblower Peiter Zatko will testify before the Senate about
> his allegations of security failures at the social network, the Senate
> Judiciary Committee announced on Wednesday.

> ``Mr. Zatko's allegations of widespread security failures and foreign
> state actor interference at Twitter raise serious concerns. If these
> claims are accurate, they may show dangerous data privacy and security
> risks for Twitter users around the world,'' said Sens. Richard J. Durbin
> (D-Ill.) and Charles E. Grassley (R-Iowa), the chair and top Republican on
> the Senate Judiciary Committee.

In my quick review so far of the "Mudge" testimony today, I've seen no
obvious red flags concerning the sort of user data collected. These seem
reasonable and in line with the @Twitter TOS.

Of more concern is the allegation of "unlimited" access to this @Twitter
data by engineers without case-based need to know, and if that access was
properly logged and monitored.

I am less concerned about allegations of large numbers of failed attempts to
login to @Twitter corp systems -- that's pretty much standard hacking
attempts -- the real issue is how many (if any) *succeeded* at gaining
access.

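The triage the post above describes, as an added example that is not part of the digest or of any poster's text: over constructed authentication log lines, failed attempts are counted per source as background noise, while the report centres on which attempts succeeded and flags any success that follows a run of failures from the same source for the same account. The log format, field names and threshold are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not real Twitter data); the format is an assumption.
SAMPLE_LOG = """\
2022-09-13T10:00:01Z auth user=alice src=203.0.113.5 result=FAIL
2022-09-13T10:00:03Z auth user=alice src=203.0.113.5 result=FAIL
2022-09-13T10:00:05Z auth user=alice src=203.0.113.5 result=FAIL
2022-09-13T10:00:09Z auth user=alice src=203.0.113.5 result=OK
2022-09-13T10:01:00Z auth user=bob src=198.51.100.7 result=OK
2022-09-13T10:02:00Z auth user=carol src=203.0.113.9 result=FAIL
2022-09-13T10:02:02Z auth user=carol src=203.0.113.9 result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)

def parse(log_text):
    """Parse matching lines into dicts; lines that do not fit the format are skipped."""
    return [m.groupdict() for m in (LINE_RE.match(l) for l in log_text.splitlines()) if m]

def triage(log_text, threshold=3):
    """Return (failures_per_src, successes, suspicious).

    failures_per_src: total FAIL events per source address (the 'noise' count).
    successes:        every OK event as (ts, user, src) -- what actually matters.
    suspicious:       OK events preceded by >= threshold consecutive FAILs from the
                      same (user, src) pair, i.e. a success that looks like guessing paid off.
    """
    streak = defaultdict(int)          # (user, src) -> consecutive failures so far
    failures_per_src = defaultdict(int)
    successes, suspicious = [], []
    for ev in parse(log_text):
        key = (ev["user"], ev["src"])
        if ev["result"] == "FAIL":
            streak[key] += 1
            failures_per_src[ev["src"]] += 1
        else:
            successes.append((ev["ts"], ev["user"], ev["src"]))
            if streak[key] >= threshold:
                suspicious.append((ev["ts"], ev["user"], ev["src"], streak[key]))
            streak[key] = 0            # a success resets the streak for that pair
    return dict(failures_per_src), successes, suspicious
```
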
------------------------------

Date: Mon, 5 Sep 2022 01:50:13 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: GM's Cruise Recalls Self-Driving Software Involved in June Crash
(WiReD)
