Subject: Risks Digest 33.24
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Wed, 1 Jun 2022 02:01 UTC

RISKS-LIST: Risks-Forum Digest Tuesday 31 May 2022 Volume 33 : Issue 24

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.24>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
When a machine invents things for humanity, who gets the patent?
(techxplore)
Inside the Government Fiasco That Nearly Closed the U.S. Air System
(ProPublica)
Serious Warning Issued For Millions Of Google Gmail Users (Forbes)
2022 Data Breach Investigations Report (DBIR)
Children's Rights Violations by Governments that Endorsed Online Learning
During the Covid-19 Pandemic (HRW)
Elon Musk: When He saw the Tesla CEO for who he really is. (Slate)
Help Wanted: State Misinformation Sheriff (Jose Maria Mateos)
Microsoft Wants to Prove You Exist with Verified ID System, if You'll Let It
(Kyle Barr)
An Autonomous Car Blocked a Fire Truck Responding to an Emergency (WiReD)
Re: Autonomous vehicles can be tricked into dangerous driving (Martin Ward,
Richard Stein)
Re: Artificial intelligence predicts patients' race from their medical
images (Jan Wolitzky, Amos Shapir, Steve Bacher)
Security and Human Behaviour 2022 (Jose Maria Mateos)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 28 May 2022 13:34:10 +0800
From: Richard Stein <rmstein@ieee.org>
Subject: When a machine invents things for humanity, who gets the patent?
(techxplore.com)

https://techxplore.com/news/2022-05-machine-humanity-patent.html

"The day is coming -- some say has already arrived -- when artificial
intelligence starts to invent things that its human creators could not. But
our laws are lagging behind this technology, UNSW experts say.

"It's not surprising these days to see new inventions that either
incorporate or have benefitted from artificial intelligence (AI) in some
way, but what about inventions dreamt up by AI -- do we award a patent to a
machine?"

The authors argue that a new class of intellectual property, that created or
discovered by AI (AI-IP), be established to enable patent rights protection
and adjudication.

Would an anti-AI-IP invention, a dataset or learning model or combination
that can defeat an AI-IP's operation be eligible for patent, or would it be
considered dangerous malware?

------------------------------

Date: Sat, 28 May 2022 14:40:07 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Inside the Government Fiasco That Nearly Closed the U.S. Air
System (ProPublica)

The upgrade to 5G was supposed to bring a paradise of speedy wireless. But
a chaotic process under the Trump administration, allowed to fester by the
Biden administration, turned it into an epic disaster. The problems haven't
been solved.

The prospect sounded terrifying. A nationwide rollout of new wireless
technology was set for January, but the aviation industry was warning it
would cause mass calamity: 5G signals over new C-band networks could
interfere with aircraft safety equipment, causing jetliners to tumble from
the sky or speed off the end of runways. Aviation experts warned of
"catastrophic failures leading to multiple fatalities." [...]

But the Trump administration didn't initially seem inclined to leave 5G
decisions to the FCC. The administration saw the fifth generation of
cellular technology, with its faster speeds and automation efficiencies for
industry, as its single biggest communications initiative.

Top Trump officials viewed the technology through the prism of competition
with China. Many in the administration also expressed fears that Huawei
Technologies, a dominant maker of 5G hardware, might be a conduit for
Chinese government surveillance, posing a national-security threat. (Huawei
has always denied such claims.) Trump lieutenants began employing a
nationalist battle cry: America needed to "win the race to 5G" against
China.

https://www.propublica.org/article/fcc-faa-5g-planes-trump-biden

------------------------------

Date: Sat, 21 May 2022 18:17:34 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Serious Warning Issued For Millions Of Google Gmail Users

Gmail is the world's most popular email service; it is also known as one of
the most secure. But a dangerous exploit might make you rethink how you want
to use the service in future.

In an eye-opening *blog post* <https://ysamm.com/?p=763>, security
researcher Youssef Sammouda has revealed that Gmail's OAuth authentication
code enabled him to exploit vulnerabilities in Facebook to hijack Facebook
accounts when Gmail credentials are used to sign in to the service. And the
wider implications of this are significant.

Speaking to *The Daily Swig*
<https://portswigger.net/daily-swig/facebook-account-takeover-researcher-scoops-40k-bug-bounty-for-chained-exploit>,
Sammouda explained that he was able to exploit redirects in Google OAuth and
chain it with elements of Facebook's logout, checkpoint and sandbox systems
to break into accounts. Google OAuth is part of the '*Open Authorization*
<https://en.wikipedia.org/wiki/OAuth>' standard used by Amazon, Microsoft,
Twitter and others which allows users to link accounts to third-party sites
by signing into them with the existing usernames and passwords they have
already registered with these tech giants.

Sammouda reports no vulnerabilities using other email accounts. He does
stress that it could potentially be applied more widely "but that was more
complicated to develop an exploit for." He states Facebook paid him a
$44,625 'bug bounty' for its role in this vulnerability. Facebook has
subsequently patched the vulnerability from their side. I have contacted
Google for a response on the role of Google OAuth in the exploit and will
update this post when/if I receive a reply.

Commenting on Sammouda's findings, security provider *Malwarebytes Labs*
<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/05/gmail-linked-facebook-accounts-vulnerable-to-attack-using-a-chain-of-bugs-now-fixed/>
issued a warning to anyone using linked accounts: "Linked accounts were
invented to make logging in easier," writes Pieter Arntz, the company's
Malware Intelligence Researcher. "You can use one account to log in to other
apps, sites and services... All you need to do to access the account is
confirm that the account is yours." [...]

https://www.forbes.com/sites/gordonkelly/2022/05/21/google-gmail-security-facebook-oauth-login-warning/

------------------------------

Date: Sun, 29 May 2022 11:45:20 -0400
From: Monty Solomon <monty@roscom.com>
Subject: 2022 Data Breach Investigations Report (DBIR)

https://www.verizon.com/business/resources/reports/dbir/
https://www.verizon.com/business/resources/reports/2022/dbir/2022-dbir-data-breach-investigations-report.pdf

Verizon DBIR: Stolen credentials led to nearly 50% of attacks

The 2022 Verizon Data Breach Investigations Report revealed enterprises'
ongoing struggle with securing credentials and avoiding common mistakes such
as misconfigurations.

https://www.techtarget.com/searchsecurity/news/252520686/Verizon-DBIR-Stolen-credentials-led-to-nearly-50-of-attacks

------------------------------

Date: Sun, 29 May 2022 14:48:34 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Children's Rights Violations by Governments that Endorsed Online
Learning During the Covid-19 Pandemic (HRW)

How Dare They Peep into My Private Life?

This report is a global investigation of the education technology (EdTech)
endorsed by 49 governments for children's education during the pandemic.
Based on technical and policy analysis of 164 EdTech products, Human Rights
Watch finds that governments' endorsements of the majority of these online
learning platforms put at risk or directly violated children's privacy and
other children's rights, for purposes unrelated to their education.

The coronavirus pandemic upended the lives and learning of children around
the world. Most countries pivoted to some form of online learning, replacing
physical classrooms with EdTech websites and apps; this helped fill urgent
gaps in delivering some form of education to many children.

But in their rush to connect children to virtual classrooms, few governments
checked whether the EdTech they were rapidly endorsing or procuring for
schools were safe for children. As a result, children whose families were
able to afford access to the Internet and connected devices, or who made
hard sacrifices in order to do so, were exposed to the privacy practices of
the EdTech products they were told or required to use during Covid-19 school
closures.

https://www.hrw.org/report/2022/05/25/how-dare-they-peep-my-private-life/childrens-rights-violations-governments

------------------------------

Date: Mon, 30 May 2022 16:22:31 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Elon Musk: When He saw the Tesla CEO for who he really is.

