Subject: Risks Digest 33.59
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Tue, 3 Jan 2023 00:24 UTC

RISKS-LIST: Risks-Forum Digest Monday 2 January 2023 Volume 33 : Issue 59

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.59>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents: HAPPY NEW YEAR, with fewer risks? but perhaps more RISKS?
Vint Cerf and the Internet (Emily Bobrow)
Russians Hacked JFK Airport Taxi Dispatch in Line-Skipping Scheme (WiReD)
Biometric devices sold on eBay reportedly contained sensitive U.S. military
  data (NYTimes)
I bought a $15 router at Goodwill, and found a millionaire's dirty secrets
  (Erin Keller)
FBI's Vetted Info-Sharing Network InfraGard Hacked (Krebs on Security)
Southwest COO explained that the company's outdated scheduling software
  quickly became the main culprit of the cancellations once the storm
  cleared. (CNN with comments from Gabe Goldberg and Richard M Stein)
Two Men Arrested For Conspiring With Russian Nationals To Hack the Taxi
  Dispatch System At JFK Airport (U.S. DoJ)
Two men indicted for hacking a dozen Ring cameras and livestreaming swatting
  attacks (The Verge)
As Tesla stock tanks, videos of Teslas malfunctioning in below-freezing
  temps go viral (Yahoo!)
Robocall company may receive the largest FCC fine ever (Engadget)
Calculations on Maryland college savings plans lead to account freeze
  (WashPost via Jeremy Epstein)
Ransomware devastates the ALMA Observatory (Physics Today)
Windows: Still insecure after all these years (ZDNET)
Scammers Are Scamming Other Scammers Out of Millions of Dollars (WiReD)
Melbourne Lord Mayor says *vandalism* of QR codes for reporting graffiti
  *so frustrating* (ABC Australia)
Meta's new AI is skilled at a ruthless power-seeking game (WashPost)
Roomba with a View! (MIT Tech Review)
As e-bike fires rise, calls grow for education and regulation
  (Smart Cities Dive)
Samsung Recalls Top-Load Washing Machines Due to Fire Hazard; Software
  Repair Available (CPSC)
Apple's 'unprecedented' engineering snafu reportedly spoiled plans for more
  powerful iPhone 14 Pro chip (Yahoo!)
Studies flag environmental impact of reentry (SpaceNews)
A Fight Over Automation Plans at U.S. Hydroelectric Dams (WiReD)
Their children went viral. Now they wish they could wipe them from the
  Internet. (NBC News)
A dangerous side of America's digital divide: Who receives emergency alerts
  (WashPost)
DDoS-for-hire sting hits 50 domains, seven people detained (The Register)
Card skimming devices found at 7-Eleven locations in Boston (The Globe)
Users report Google Calendar bug creating random, fake events (The Verge)
Server broke because it was invisibly designed to break (The Register)
Bad Santa at Rockettes' Christmas Spectacular (Ars Technica)
Celsius hearing, December 8: Selling GK8 to Galaxy Digital (Amy Castor)
Bankman-Fried's Cabal of Roommates in the Bahamas Ran His Crypto Empire --
  and Dated. Other Employees Have Lots of Questions (Coindesk)
Sympathy for the crypto bros (Mother Jones via Gabe Goldberg)
Twitter dissolves Trust and Safety Council, Yoel Roth flees home (WashPost)
Cats disrupt satellite Internet service (Smithsonian Mag)
How Bots Pushing Adult Content Drowned Out Chinese Protest Tweets (NYTimes)
Okta had another security incident, this time involving stolen source code
  (Engadget)
There is great danger in training an AI to lie... (Alex Epstein)
Code-Generating AI Can Introduce Security Vulnerabilities (Kyle Wiggers)
Co-Pilot helps write insecure code (Rik Farrow)
ChatGPT Explains Why AIs like ChatGPT Should Be Regulated (SciAm)
New bot ChatGPT will force colleges to get creative to prevent cheating,
  experts say (NBC News)
Re: Dreams of a Future in Big Tech Dim for Computer Science Students
  (Gene Spafford)
Re: Pretty Smart AI (David Parnas, Steve Bacher)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 19 Dec 2022 11:55:21 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Vint Cerf and the Internet (Emily Bobrow)

Vint Cerf Helped Create the Internet on the Back of an Envelope. Now
He's Calling for More Critical Thinking About How We Use It

Emily Bobrow, *The Wall Street Journal*, 16 Dec 2022
via ACM TechNews, 19 Dec 2022

Google Chief Internet Evangelist and 2004 ACM A.M. Turing Award co-recipient
Vint Cerf helped invent the Internet but acknowledges its downsides,
including its use for spreading misinformation and disinformation. Cerf says
addressing this "propagation problem" requires Google and similar companies
to better "understand how these mechanisms influence the way people behave."
He observes that although commercialization has broadened the Internet's
scope, feedback algorithms appear to be directing people toward "more
divisive and extreme stuff." Cerf urges more critical thinking to rein in
the Internet's sociological and psychological effects, while businesses must
make better efforts to contain online trolling, lying, bullying, and
surveillance.

[Is Emily a niece of Danny Bobrow (BBN, Xerox PARC, etc.), who was a
friend and colleague of Vint way back? PGN]

------------------------------

Date: Sun, 25 Dec 2022 02:53:06 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Russians Hacked JFK Airport Taxi Dispatch in Line-Skipping Scheme
(WiReD)

According to prosecutors, two Queens men, Daniel Abayev and Peter Leyman,
worked with Russian hackers to gain access to the taxi dispatch system for
New York's JFK airport. They then allegedly created a group chat where
drivers could secretly pay $10 to skip the sometimes hours-long line to be
assigned a pickup -- about a fifth of the $52 flat fee passengers pay for rides
from the airport to elsewhere in NYC. The indictment against the two men
doesn't name the Russians or detail exactly how they gained access to JFK's
dispatch system. But it notes that since 2019, Abayev and Leyman allegedly
schemed to get access to the system by multiple methods, including bribing
someone to insert a USB drive with malware into one of the dispatch
operators' computers, gaining unauthorized access to their systems via
Wi-Fi, and stealing one of their tablet computers. ``I know that the
Pentagon is being hacked,'' Abayev wrote to his Russian contacts in November
2019, according to the indictment, ``So, can't we hack the taxi
industry[?]''

Before the scheme was shut down, prosecutors say it was enabling as many as
a thousand fraudulent line-skips a day for drivers.

https://www.wired.com/story/russia-jfk-taxi-hack-security-roundup

[Monty noted this:
https://www.theverge.com/2022/12/22/23522275/nyc-russian-hack-jfk-airport-taxi-dispatch-system
]

------------------------------

Date: Wed, 28 Dec 2022 13:59:59 -0700
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: Biometric devices sold on eBay reportedly contained sensitive U.S.
military data (NYTimes)

https://www.nytimes.com/2022/12/27/technology/for-sale-on-ebay-a-military-database-of-fingerprints-and-iris-scans.html

By Kashmir Hill, John Ismay, Christopher F. Schuetze and Aaron Krolik,
*The New York Times*, 27 Dec 2022

The shoebox-shaped device, designed to capture fingerprints and perform iris
scans, was listed on eBay for $149.95. A German security researcher,
Matthias Marx, successfully offered $68, and when it arrived at his home in
Hamburg in August, the rugged, hand-held machine contained more than what
was promised in the listing.

The device's memory card held the names, nationalities, photographs,
fingerprints and iris scans of 2,632 people.

[Also noted by Jan Wolitzky, PGN]

------------------------------

Date: Wed, 28 Dec 2022 15:35:27 -0500
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Subject: Lawmakers Signal Inquiries Into U.S. Government's Use of Foreign
Spyware (NYTimes)

Senior lawmakers said they would investigate the government's purchase and
use of powerful spyware made by two Israeli hacking firms, as Congress
passed a measure in recent days to try to rein in the proliferation of the
hacking tools.

Representative Adam Schiff, the California Democrat who is chairman of the
House Intelligence Committee, sent a letter last week to the head of the
Drug Enforcement Administration asking for detailed information about the
agency's use of Graphite, a spyware tool produced by the Israeli company
Paragon.

``Such use could have potential implications for U.S. national security, as
well as run contrary to efforts to deter the broad proliferation of powerful
surveillance capabilities to autocratic regimes and others who may misuse
them,'' Mr. Schiff wrote in the letter.

Graphite, like the better-known Israeli hacking tool Pegasus, can penetrate
the mobile phones of its targets and extract messages, videos, photos and
other content. The New York Times revealed this month that the DEA was using
Graphite in its foreign operations. The agency has said it uses the tool
legally and only outside the United States, but has not answered questions
about whether American citizens can be targeted with the hacking tool.

