Subject: Risks Digest 33.65
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Sun, 12 Mar 2023 00:01 UTC
Path: eternal-september.org!news.eternal-september.org!reader01.eternal-september.org!panix!.POSTED.panix2.panix.com!not-for-mail
From: risko@csl.sri.com (RISKS List Owner)
Date: 12 Mar 2023 00:01:04 -0000
Lines: 658
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1678578866.risko@chiron.csl.sri.com26622>
Injection-Info: reader2.panix.com; posting-host="panix2.panix.com:166.84.1.2";
logging-data="10890"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Saturday 11 March 2023 Volume 33 : Issue 65

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.65>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Noam Chomsky: The False Promise of ChatGPT (via Matthew Kruk)
ChatGPT Convulses Big Tech with its Promise and its Peril (NYTimes)
Two types of dataset poisoning attacks that can corrupt AI system results
(techxplore.com)
Detection Stays Ahead of Deepfakes -- for Now (Matthew Hutson)
Tesla under investigation after Model Y steering wheels fall off (The Verge)
Stablecoin Issuer Circle Reveals $3.3 Billion SVB Exposure (Bloomberg)
Blackbaud Fined $3M For Misleading Disclosures Re: 2020 Ransomware
(Ryan Naraine)
Canada's tax revenue agency tries to ToS itself out of hacking liability
(Risky Biz News)
Data breach hits hundreds of lawmakers and staff on Capitol Hill (NBC)
North Korean hackers target security researchers with a new backdoor
(Ars Technica)
Hackers Claim They Breached T-Mobile More Than 100 Times in 2022
(Krebs on Security)
When Low-Tech Hacks Cause High-Impact Breaches (Krebs on Security)
TikTok whistleblower claims U.S. data privacy efforts are seriously flawed
(Engadget)
Tech Is Allowing Businesses to Overcharge You in Tips (NYTimes)
Why the Floppy Disk Just Won't Die (WiReD)
Union `increasingly alarmed' about Indigo cyberattack, demands further
disclosure (CBC)
Password changing considered harmful (WSJ)
Teens are stealing more cars. They learn how on social media (NYT)
UK online safety bill -- how to create a digital dictatorship
(Lauren Weinstein)
Terms of enscamment? (Rob Slade)
Re: Safety Advocates Say Hyundai, Kia's Anti-Theft Upgrade Doesn't Go
Far Enough (Richard S. Russell)
Re: Why I'm sticking up for science (zeurkous)
Re: rm -rf (Henry Baker, Steve Bacher)
Re: SMS-Based Multi-Factor Authentication: What Could Go Wrong?
(John Levine)
Re: FAA reports 'close call' between two planes at Logan Airport
(Jan Wolitzky)
Re: Everyone is special, SMS-Based Multi-Factor Authentication:
What Could Go Wrong? (John Levine)
Re: The privacy loophole in your doorbell (Steve Bacher)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 8 Mar 2023 18:40:24 -0700
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Noam Chomsky: The False Promise of ChatGPT

https://www.nytimes.com/2023/03/08/opinion/noam-chomsky-chatgpt-ai.html

Jorge Luis Borges once wrote that to live in a time of great peril and
promise is to experience both tragedy and comedy, with ``the imminence of a
revelation'' in understanding ourselves and the world. Today our supposedly
revolutionary advancements in artificial intelligence are indeed cause for
both concern and optimism. Optimism because intelligence is the means by
which we solve problems. Concern because we fear that the most popular and
fashionable strain of AI -- machine learning -- will degrade our science and
debase our ethics by incorporating into our technology a fundamentally
flawed conception of language and knowledge.

------------------------------

Date: Thu, 9 Mar 2023 14:08:15 PST
From: Peter Neumann <neumann@csl.sri.com>
Subject: ChatGPT Convulses Big Tech with its Promise and its Peril (NYT)

Tripp Mickle, Cade Metz, and Nico Grant, *The New York Times*, 9 Mar 2023
A scramble to assess the impact of AI.

[It seems to be a nice enumeration of many of the problems created such as
disrupting cloud providers, advertisers, and e-commerce sales (each
discussed in considerable detail), questionable trustworthiness, legal
implications, ownership, etc. ``No one knows where the courts will draw
the lines.'' -- quoting Bradley J. Hulbert. PGN-ed]

------------------------------

Date: Wed, 08 Mar 2023 12:42:44 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Two types of dataset poisoning attacks that can corrupt AI system
results (techxplore.com)

https://techxplore.com/news/2023-03-dataset-poisoning-corrupt-ai-results.html

``The research team calls this type of attack split view poisoning. Testing
showed that such an approach could be used to purchase enough URLs to poison
a large portion of mainstream AI systems, for as little as $10,000.

``There is another way that AI systems could be subverted -- by manipulating
data in well-known data repositories such as Wikipedia. This could be done,
the researchers note, by modifying data just prior to regular data dumps,
preventing monitors from spotting the changes before they are sent to and
used by AI systems. They call this approach front-running poisoning.''

As AI proliferates, overtrust -- reliance on output -- elevates training
dataset's provenance and bona fides to bound false positive/negative
outcomes.

If applied for image diagnosis (mammograms, CAT/MRI, etc.), a patient should
be entitled to a traceable explanation to supplement physician's review and
concurrence or dispute of platform output.

------------------------------

Date: Wed, 8 Mar 2023 11:09:07 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Detection Stays Ahead of Deepfakes -- for Now (Matthew Hutson)

Matthew Hutson, *IEEE Spectrum*, 6 Mar 2023, via ACM TechNews, March 8, 2023

Computer scientists are developing more advanced algorithms for generating
synthetic content, at the same time they are creating counter-algorithms to
detect such content. Intel's Real-Time Deepfake Detector, slated for release
this spring, will include FakeCatcher, which can identify facial changes due
to blood flow. Developed by researchers at Intel and Binghamton University,
FakeCatcher cannot be reverse-engineered easily to train a generation
algorithm to get better at fooling it. Among other detection tools,
researchers at the University of Florida developed a system that models the
human vocal tract and can determine if an audio recording is biologically
plausible. When it comes to detecting synthetic text, the University of
Maryland's Tom Goldstein said the diversity in how people use language and a
dearth of signal means it likely will lag other forms of detection.

------------------------------

Date: Wed, 8 Mar 2023 19:19:59 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Tesla under investigation after Model Y steering wheels fall off
(The Verge)

https://www.theverge.com/2023/3/8/23630358/tesla-steering-wheel-bolt-nhtsa-model-y

------------------------------

Date: Sat, 11 Mar 2023 09:03:42 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Stablecoin Issuer Circle Reveals $3.3 Billion SVB Exposure
(Bloomberg)

https://www.bloomberg.com/news/articles/2023-03-11/usd-coin-stablecoin-falls-further-from-peg-on-svb-exposure-risk?srnd=premium&sref=zVYYYI5e

Also:

Roku, Roblox and others disclose their exposure to SVB in SEC filings
(TechCrunch)
https://techcrunch.com/2023/03/11/roku-roblox-and-others-disclose-their-exposure-to-svb-in-sec-filings/

More than 85% of Silicon Valley Bank's Deposits Were Not Insured
https://time.com/6262009/silicon-valley-bank-deposit-insurance/

[Monty Solomon noted this relevant item:
Here's how much of your bank deposits are FDIC protected:
Michelle Singletary, *WashPost*
https://www.washingtonpost.com/business/2023/03/10/faq-fdic-insurance/
PGN]

------------------------------

Date: Fri, 10 Mar 2023 14:28:45 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Blackbaud Fined $3M For Misleading Disclosures Re: 2020 Ransomware
(Ryan Naraine)

Ryan Naraine, *Security Week*, 10 Mar 2023
https://www.securityweek.com/blackbaud-fined-3m-for-misleading-disclosures-about-2020-ransomware-attack/

[Among other things, Blackbaud had insisted there had been no leakage of
customer information, which actually impacted 1300 customers. The
original notice has since disappeared. PGN]

------------------------------

Date: Wed, 8 Mar 2023 13:02:09 -0500
From: José María Mateos <chema@rinzewind.org>
Subject: Canada's tax revenue agency tries to ToS itself out of hacking
liability (Risky Biz News)

https://riskybiznews.substack.com/p/risky-biz-news-canadas-tax-revenue

The Canada Revenue Agency (CRA), the tax department of Canada, recently
updated its terms and conditions to force taxpayers to agree that CRA is not
liable if their personal information is stolen while using the My Account
online service portal -- which, ironically, all Canadians must use when doing
their taxes and/or running their business.

The CRA's terms of use assert the agency is not liable because they have
``taken all reasonable steps to ensure the security of this Web site.''

------------------------------

Date: Wed, 8 Mar 2023 17:47:03 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Data breach hits hundreds of lawmakers and staff on Capitol Hill
(NBC)

