Subject: Risks Digest 33.68
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Sat, 1 Apr 2023 01:01 UTC
Path: eternal-september.org!news.eternal-september.org!feeder.eternal-september.org!panix!.POSTED.panix3.panix.com!not-for-mail
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 33.68
Date: 1 Apr 2023 01:01:04 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 839
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1680310380.risko@chiron.csl.sri.com20749>
Injection-Info: reader2.panix.com; posting-host="panix3.panix.com:166.84.1.3";
logging-data="13148"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Saturday 1 April 2023 Volume 33 : Issue 68

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.68>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Ifixme.com announces 'Right to Repair' program for your human body
(via Henry Baker)
In Gen Z's world of dupes, fake is fabulous -- until you try it on
(WashPost)
Grindr warns Egyptian police may be using fake accounts to trap users
(WashPost)
A scammer tricked Instagram into banning influencers with millions of
followers. Then he made them pay to recover their accounts. (ProPublica)
Amazon Begs Employees Not to Leak Corporate Secrets to ChatGPT (Futurism)
People talking about what AI will do to society, here's a niche example
that's happening right now (TJStebbing)
Google and Microsoft's chatbots are already citing one another in a
misinformation sh*tshow (The Verge)
Warning: AI-generated YouTube Video Tutorials Spreading Infostealer Malware
(The Hacker News)
AI-Powered Vehicle Descriptions: Save Money, Save Time, Sell More!
(slightly redacted by PGN)
Elon Musk and other tech leaders call for pause on 'dangerous race' to make
AI as advanced as humans (CNBC)
On using Microsoft's Bing Chat for programming (PGN)
Microsoft Patched Bing Vulnerability That Allowed Snooping on Email, Other
Data (Robert McMillan)
DC Metro Will Retrofit Faregates To Cut Down On Fare Evasion (DCist)
Metro operator investigated for using automation system without clearance
(The Washington Post)
Biden Acts to Restrict U.S. Government Use of Spyware (NYTimes)
Flight problems, not turbulence, found in death of former White House
official (WashPost)
Researchers exploit vulnerabilities of smart-device microphones and voice
assistants (techxplore.com)
OpenSSL KDF and secure by default (OpenSSL)
All of your Internet usage will be subject to government tracking and
control. (Lauren Weinstein)
Cryptocurrencies (Amy Castor)
Pwn2Own Hackers Breach a Tesla Twice (Marco Marcelline)
Voting vendor in Reality Winner's leak is coming to Texas
(Texas Observer)
Malicious Actors Use Unicode Support in Python to Evade Detection
(Phylum via Monty Solomon)
Progressives Across Nation Locked Out Of Accounts After CAPTCHA Asks 'Select
All Squares That Contain A Woman' (Babylonbee)
SF loses 150K daily office workers during pandemic (SanFranChron)
Any friend that can be replaced by GPT-4 ... (Rob Slade)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 1 April 2023 00:00:57 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: Ifixme.com announces 'Right to Repair' program for your human body

S. California, April 1, 2023. -- Ifixme.com (http://Ifixyou.com) announced
today its foray into the medical self-repair business with its 'Right to
Repair' program for the human body. Ifixme.com (http://Ifixyou.com) is
building on its successful self repair and battery-replacement programs for
Medical Devices, and brings a host of interested volunteers to do teardowns,
write repair manuals, and participate in forums with many thousands of users
and professionals. Ifixme.com has been a supporter of 'Right to Repair'
laws across the United States, and intends to stand up to the doctors' and
dentists' lobbies to enable ordinary people to perform their own procedures.
https://www.cnbc.com/2023/03/29/elon-musk-other-tech-leaders-pause-training-ai-beyond-gpt-4.html

[Lauren later added this apt comment:]

The Open Letter to Stop 'Dangerous' AI Race Is a Huge Mess
https://www.vice.com/en/article/qjvppm/the-open-letter-to-stop-dangerous-ai-race-is-a-huge-mess

Yeah, you ain't kidding. -L
PGN]

------------------------------

Date: Mon, 27 Mar 2023 14:17:11 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: On using Microsoft's Bing Chat for programming

Dani Barrack pointed out an interesting article on letting ChatBots write
critical code:

Planting Undetectable Backdoors in Machine Learning Models
https://arxiv.org/abs/2204.06974

This paper is full of RISKS-worthy warnings about what might *not* be
appropriate for generating code for systems with life-critical and other
stringent requirements. It is worth reading by those who think it might be
a good idea. PGN

------------------------------

Date: Fri, 31 Mar 2023 12:22:00 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Microsoft Patched Bing Vulnerability That Allowed Snooping on
Email, Other Data (Robert McMillan)

Robert McMillan, *The Wall Street Journal*, 29 Mar 2023

Microsoft last month patched an issue discovered by security firm Wiz Inc.
in the Bing search engine that allowed unauthorized access to email and
other data. The researchers determined an error in the way applications were
configured on Microsoft's Azure cloud-computing platform could allow
unauthorized access to Bing users' Microsoft 365 emails, documents,
calendars, and other tools. The software giant said a small number of
applications using the Azure Active Directory login management service were
impacted by the misconfiguration issue. Wiz said it had no evidence the
issue had been used by anyone. In announcing in a blog post the issue had
been fixed, Microsoft offered ways in which companies and consumers can
better protect themselves from such unauthorized intrusions.

------------------------------

Date: Thu, 23 Mar 2023 15:55:16 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: DC Metro Will Retrofit Faregates To Cut Down On Fare Evasion
(DCist)

Metro says it will spend up to $40 million to redesign its new faregates,
making it harder to jump over them and evade paying the fare. [...]

New faregates, which were installed across all 97 stations last year, now
have sensors that can detect when someone jumps them. That's the beep you
may often hear in stations. Metro spent $70 million on the faregate
replacement, which also added new features like larger and brighter
displays, bi-directional access, and improved safety features. The old
ones, installed in 1990, had reached the end of their useful life.

Metro board members at the time didn't want to make the faregates too
cage-like, similar to NYC, so it didn't hurt the atmosphere of Metro
stations. But new General Manager Randy Clarke has put a renewed emphasis on
stopping fare evasion as the transit agency faces a fiscal cliff next year.

The transit agency released new data Monday saying 13% of Metrorail riders
did not tap in and pay for their rides, amounting to 40,000 fare evasions
each weekday during the first two-and-a-half months of 2023.

https://dcist.com/story/23/03/21/metro-will-retrofit-faregates-to-cut-down-on-fare-evasion/

[How long will it take to catch $70M worth of offenders to make it
worthwhile? At an average fare of $5 and roughly 200,000 offenders each
year, the answer is 70 years. That's really nifty long-term planning.
PGN]

------------------------------

Date: Mon, 27 Mar 2023 16:52:39 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Metro operator investigated for using automation system without
clearance (The Washington Post)

The Washington Metrorail Safety Commission said it is investigating a train
operator, raising questions about the self-piloting system Metro is testing.

Metro has been testing ATO for more than a year as it moves toward returning
train operations to automatic piloting. Metrorail was designed for the ATO
system and had been operating that way for decades until a fatal train crash
14 years ago. Train movements have since been controlled manually by
operators in each train's cab.

The train operating in ATO earlier this month shot past the Innovation
Center station platform, said Max Smith, spokesman for the safety
commission. During its ongoing investigation, the commission discovered the
operator had used the ATO system multiple times, even though the commission
hasn't given the transit agency permission for its use.

``The evidence does show that this operator had been using it over the course
of that day and had previously used ATO,'' Smith said.

``When he was interviewed, he admitted he was curious to see if ATO would
work,'' Benson said. ``Based on the investigation, there is no evidence this
is a systemic problem.'' [...]

Benson said the overrun occurred at a station where a team that is testing
and preparing Metro for ATO had not yet installed the necessary track
equipment that interacts with the ATO system, and also had not conducted
engineering tests.

https://www.washingtonpost.com/transportation/2023/03/24/metrorail-ato-train-operator/

------------------------------

Date: Mon, 27 Mar 2023 18:11:53 -0400
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Subject: Biden Acts to Restrict U.S. Government Use of Spyware (NYTimes)

