Subject: Risks Digest 34.25
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Mon, 20 May 2024 04:46 UTC
Path: eternal-september.org!news.eternal-september.org!feeder3.eternal-september.org!panix!.POSTED.panix2.panix.com!not-for-mail
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 34.25
Date: 20 May 2024 04:46:46 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 1078
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1716180132.risko@chiron.csl.sri.com11636>
Injection-Info: reader1.panix.com; posting-host="panix2.panix.com:166.84.1.2";
logging-data="29643"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Sunday 19 May 2024 Volume 34 : Issue 25

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.25>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Ex-CDC Director Says It's High Time To Admit *Significant
Side Effects* of COVID-19 Vaccines (zerohedge)
Re: Could the Covid-19 Vaccines Have Caused Some People
Harm? (Peter Bernard Ladkin)
A woman was dragged by a self-driving Cruise taxi in San Francisco.
(LA Times)
U.S. Fears Undersea Cables Are Vulnerable to Espionage
From Chinese Repair Ships (WSJ)
Linux maintainers were infected for 2 years by SSH-dwelling
backdoor with huge reach (ArsTechnica)
Lethal AI weapons are here: how can we control them? (Nature)
Artificial Intelligence Trained To Deceive Humans, Lie
(StudyFinds)
American IT Scammer Helped North Korea Fund Nuclear Weapons
Program, U.S. Says (WSJ)
Half of calls to gambling helpline were for help placing
mobile bets (The Boston Globe)
An identity thief stole $5,000 from me. I spent two years
tracking down how. (The Boston Globe)
Schumer's AI Roadmap now online (PGN)
UnitedHealth Top Executive Slammed Over Cyberattack (NYTimes)
Cape Cod Hospital to pay $24.4 million for Medicare billing issues
(The Boston Globe)
At-Home IV-Drip Therapy Is the Latest Luxury Building Amenity
(The New York Times)
Is the news media picking on Tesla? (LATimes/YouTube)
Smarter Vehicles Could Mean Changes to Traffic Lights (Jeff McMurray)
Is Your Car Spying on You? Dale Harrington (AP)
Tech Giants Treat Southeast Asia Like Next Big Thing (Bloomberg)
Will Chatbots Eat India's IT Industry? (The Economist)
Newspaper conglomerate Gannett is adding AI-generated
summaries to the top of its articles (The Verge)
The Night That Sotheby's Was Crypto-Punked (NYTimes)
MIT students stole $25M in seconds by exploiting ETH blockchain bug, DOJ
says (Ars Technica)
What Meltdown? Crypto Comes Roaring Back in the Philippines. (NYTimes)
OpenAI disbands team devoted to artificial intelligence risks (AFP)(NYTimes)
ChatGPT Gets Real (NYMag)
The man who turned his dead father into a chatbot (BBC)
Dell Hell Redux -- More Personal Info Stolen by Menelik (Security Boulevard)
Link Rot and Digital Decay on Government, News and Other Webpages
(Pew Research Center)
The Rise of Large-Language-Model Optimization (ArsTechnica)
Unprecedented Google Cloud event wipes out customer account and its backups
(ArsTechnica)
A horrifying software bug (trofi)
New Wi-Fi Vulnerability Enables Network Eavesdropping via Downgrade
Attacks (The Hacker News)
Deleted photos of former owners reappearing on sold iPads
-- and probably iPhones (PhoneArena)
As AI becomes more human-like, experts warn users must think more critically
about its responses (CBC)
AI turned a Ukrainian into Russian propaganda (BBC)
Two unlikely U.S. states are leading the charge on regulating AI
(Politico)
Google tests AI to detect scam phone calls. Privacy advocates are terrified
(NBC News)
Flood of Fake Science Forces Multiple Journal Closures (WSJ)
Newspaper groups warn Apple over ad-blocking plans (Financial Times)
Slack users horrified to discover messages used for AI training
(ArsTechnica)
Tractors that don't know where they are (John Levine)
She was accused of faking an incriminating video of teenage
cheerleaders. The problem? Nothing was fake after all (The Guardian)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 19 May 2024 10:20:18 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Ex-CDC Director Says It's High Time To Admit *Significant
Side Effects* Of COVID-19 Vaccines (zerohedge)

Dr. Robert Redfield, former director of the Centers for Disease Control and
Prevention (CDC), said Thursday that many officials who tried to warn the
public about potential problems with COVID-19 vaccines were pressured into
silence and that it's high time to admit that there were
significant side effects that made people sick.

Dr. Redfield made the remarks in a May 16 interview with Chris Cuomo on
NewsNation, during which he lamented the loss of public confidence in public
health agencies because of a lack of transparency around the vaccines, which
he said saved a lot of lives, but also made some people quite ill.

``Those of us that tried to suggest there may be significant side effects
from vaccines ... we kind of got canceled because no one wanted to talk
about the potential that there was a problem from the vaccines, because
they were afraid that that would cause people not to want to get
vaccinated,'' Dr. Redfield said.

In his role as head of the CDC, Dr. Redfield was part of the Trump
administration's Operation Warp Speed, a project to surge COVID-19 vaccine
development at a time during the pandemic when little was known about the
virus and rapid vaccine rollout was widely seen as key to getting the
outbreak under control and lockdowns lifted. [...]

https://www.zerohedge.com/covid-19/ex-cdc-director-says-its-high-time-admit-significant-side-effects-covid-19-vaccines

------------------------------

Date: Sun, 12 May 2024 12:45:04 +0200
From: "Prof. Dr. Peter Bernard Ladkin" <ladkin@causalis.com>
Subject: Re: Could the Covid-19 Vaccines Have Caused Some People
Harm? (Gwinn, RISKS-34.24)

Joseph Gwinn writes "note that COVID vaccines have measured serious problem
rates of order [of] a part per million"

Unfortunately, this seems to be out by an order of magnitude. (However, this
should not logically detract from the message which Gwinn wished to convey.)

The initial adverse reactions to viral vector vaccines (AstraZeneca) were of
the order of 2-3 per 100,000 for what is now called CSTV, and to mRNA
vaccines for myocarditis and pericarditis of a few more per 100,000, also
correlated to some extent with gender and age when first noted. The most

K. Faksova, D. Walsh, Y. Jiang, COVID-19 vaccines and adverse events of
special interest: A multinational Global Vaccine Data Network (GVDN) cohort
study of 99 million vaccinated individuals, Vaccine 92(9):2200-2211, April
2024, available open-access at
https://www.sciencedirect.com/science/article/pii/S0264410X24001270

There are two main points to note about vaccines and adverse events.

First, such statistical studies look at correlated events, not
causation. The normal way to report events is what is called the OE ratio:
observed to expected events. For example, a certain proportion of people are
going to get myocarditis or pericarditis over a particular time period; it
is when the number of observed events goes over this proportion just after
people have received a Covid-19 mRNA vaccine that one speaks of correlated
"adverse events" (or, less rigorously, "adverse reactions"). The study looks
at three classes of OE ratio: 1 or less (colored green in their tables); 1
to 1.5 (yellow); over 1.5 (red). It should be pretty obvious why these
colours were chosen.

Second, clinical trials through Phase 3, which are necessary in most
countries for vaccine approval, recruited tens of thousands of
participants. They were thus likely to miss adverse events which occur at a
frequency of a couple per 100,000, or more rarely. Which seems to be what
happened with Guillain-Barré syndrome and CSTV for viral vector vaccines and
myocarditis and pericarditis with the mRNA vaccines. (There are also adverse
events besides these which turn up yellow and red in the study.)

------------------------------

Date: Fri, 17 May 2024 06:52:05 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: A woman was dragged by a self-driving Cruise taxi in San Francisco.
(LA Times)

The company is paying her millions (LA Times)

[This case from October 2023 was mentioned in passing in RISKS-34.20.
PGN]

Autonomous taxi company Cruise agrees to pay millions to a woman who was
dragged by one of its self-driving cars in San Francisco last year.

https://www.latimes.com/california/story/2024-05-16/woman-gets-millions-after-getting-dragged-by-self-driving-taxi-in-san-francisco

------------------------------

Date: Sun, 19 May 2024 07:29:20 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: U.S. Fears Undersea Cables Are Vulnerable to Espionage
From Chinese Repair Ships (WSJ)

Google, Meta Platforms and others partially own many cables, but they rely
on maintenance specialists, including some with foreign ownership

U.S. officials are privately delivering an unusual warning to
telecommunications companies: Undersea cables that ferry Internet traffic
across the Pacific Ocean could be vulnerable to tampering by Chinese repair
ships.

State Department officials said a state-controlled Chinese company that
helps repair international cables, S.B. Submarine Systems, appeared to be
hiding its vessels' locations from radio and satellite tracking services,
which the officials and others said defied easy explanation.

The warnings highlight an overlooked security risk to undersea fiber-optic
cables, according to these officials: Silicon Valley giants, such as Google
and Meta Platforms, partially own many cables and are investing in more.
But they rely on specialized construction and repair companies, including
some with foreign ownership that U.S. officials fear could endanger the
security of commercial and military data.

The Biden administration's focus on the repair ships is part of a
wide-ranging effort to address China's maritime activities in the western
Pacific. Beijing has taken steps in recent decades to counter U.S. military
power in the region, often by seeking ways to stymie the Pentagon's
communications and other technological advantages in case of a clash over
Taiwan or another flashpoint, officials say. [...]

https://www.wsj.com/politics/national-security/china-internet-cables-repair-ships-93fd6320?st=qsuy4n4dpm3nlev

------------------------------

Date: Wed, 15 May 2024 12:10:15 -0700
From: Victor Miller <victorsmiller@gmail.com>
Subject: Linux maintainers were infected for 2 years by SSH-dwelling
backdoor with huge reach (ArsTechnica)

https://arstechnica.com/security/2024/05/ssh-backdoor-has-infected-400000-linux-servers-over-15-years-and-keeps-on-spreading/

------------------------------

Date: Fri, 17 May 2024 13:46:48 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Lethal AI weapons are here: how can we control them? (Nature)

Autonomous weapons guided by artificial intelligence are already in use.
Researchers, legal experts and ethicists are struggling with what should be
allowed on the battlefield.

In the conflict between Russia and Ukraine
<https://www.nature.com/articles/d41586-023-02031-8>, video footage has
shown drones penetrating deep into Russian territory, more than 1,000
kilometres from the border, and destroying oil and gas infrastructure. It's
likely, experts say, that AI is helping to direct the drones to their
targets. For such weapons, no person needs to hold the trigger or make the
final decision to detonate.

<https://www.nature.com/immersive/d41586-023-03017-2/index.html>

The development of lethal autonomous weapons (LAWs), including AI-equipped
drones, is on the rise. The US Department of Defense, for example, has
earmarked US$1 billion so far for its Replicator programme, which aims to
build a fleet of small, weaponized autonomous vehicles. Experimental
submarines, tanks and ships have been made that use AI to pilot themselves
and shoot. Commercially available drones can use AI image recognition to
zero in on targets and blow them up. LAWs do not need AI to operate, but
the technology adds speed, specificity and the ability to evade defences.
Some observers fear a future in which swarms of cheap AI drones could be
dispatched by any faction to take out a specific person, using facial
recognition.

Warfare is a relatively simple application for AI.
<https://www.nature.com/articles/d41586-024-01087-4>

``The technical capability for a system to find a human being and kill them
is much easier than to develop a self-driving car. It's a graduate-student
project'', says Stuart Russell, a computer scientist at the University of
California, Berkeley, and a prominent campaigner against AI weapons. He
helped to produce a viral 2017 video called *Slaughterbots* that highlighted
the possible risks.

The emergence of AI on the battlefield has spurred debate among researchers,
legal experts and ethicists. Some argue that AI-assisted weapons could be
more accurate than human-guided ones, potentially reducing both collateral
damage -- such as civilian casualties and damage to residential areas -- and
the numbers of soldiers killed and maimed, while helping vulnerable nations
and groups to defend themselves. Others emphasize that autonomous weapons
could make catastrophic mistakes. And many observers have overarching
ethical concerns about passing targeting decisions to an algorithm. [...]

https://www.nature.com/articles/d41586-024-01029-0

------------------------------

Date: Tue, 14 May 2024 06:50:25 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Artificial Intelligence Trained To Deceive Humans, Lie
(StudyFinds)

AI's increasing capabilities at deception pose serious risks, ranging from
short-term, such as fraud and election tampering, to long-term, such as
losing control of AI systems.

Artificial intelligence systems are fast becoming increasingly
sophisticated, with engineers and developers working to make them as human
as possible. Unfortunately, that can also mean *lying* just like a
person. AI platforms are reportedly learning to deceive us in ways that can
have far-reaching consequences. A new study by researchers from the Center
for AI Safety in San Francisco delves into the world of AI deception,
exposing the risks and offering potential solutions to this growing problem.

<https://studyfinds.org/digital-deception-9-in-10-americans-have-been-victimized-by-an-online-scam/>
At its core, deception is the luring of false beliefs from others to achieve
a goal other than telling the truth. When humans engage in deception, we can
usually explain it in terms of their beliefs and desires -- they want the
listener to believe something false because it benefits them in some
way. But can we say the same about AI systems?

The study, published in the open-access journal *Patterns*
<https://www.cell.com/patterns/fulltext/S2666-3899(24)00103-X#%20>, argues
that the philosophical debate about whether AIs truly have beliefs and
desires is less important than the observable fact that they are
increasingly exhibiting deceptive behaviors that would be concerning if
displayed by a human. <https://studyfinds.org/robots-lie-apology-humans/>

------------------------------

Date: Sun, 19 May 2024 00:19:23 -0400
From: Monty Solomon <monty@roscom.com>
Subject: American IT Scammer Helped North Korea Fund Nuclear Weapons
Program, U.S. Says (WSJ)

Justice Department alleges Arizona woman and others helped foreign workers
with North Korean connections get freelance gigs at U.S. companies

https://www.wsj.com/politics/national-security/american-it-scammer-helped-north-korea-fund-nuclear-weapons-program-u-s-says-65430aa7

------------------------------

Date: Thu, 16 May 2024 21:12:06 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Half of calls to gambling helpline were for help placing
mobile bets (The Boston Globe)

Of the 2,069 calls since sports betting was legalized, 1,043 were callers
“looking for technical support for their sports wagering mobile applications
and platforms.”

https://www.boston.com/news/local-news/2024/05/16/half-of-recent-calls-to-states-gambling-helpline-were-for-help-placing-mobile-sports-bets-new-report-shows/

------------------------------

Date: Sun, 19 May 2024 12:48:55 -0400
From: Monty Solomon <monty@roscom.com>
Subject: An identity thief stole $5,000 from me. I spent two years
tracking down how. (The Boston Globe)

When a stranger got $5,000 of my money from a bank teller, it sent me on a
two-year odyssey to figure out who was impersonating me and how.

https://www.bostonglobe.com/2024/05/15/magazine/on-the-trail-of-my-identity-thief/

------------------------------

Date: Wed, 15 May 2024 12:28:49 +0000
From: Peter Neumann <neumann@csl.sri.com>
Subject: Schumer's AI Roadmap now online

A one-page summary of the new Senate AI Roadmap Report is online:
<https://www.young.senate.gov/wp-content/uploads/One_Pager_Roadmap.pdf>.

The pdf is online:
http://www.young.senate.gov/wp-content/uploads/Roadmap_Electronic1.32pm.pdf

[The first reactions: punt the ball down the field where possible. PGN]

------------------------------

Date: Wed, 8 May 2024 12:44:30 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: UnitedHealth Top Executive Slammed Over Cyberattack
(NYTimes)

Reed Abelson and Noah Weiland, *The New York Times* National
Edition Business Section front page, 2 May 2024

Senators from both parties questioned whether the 21 Feb 2024
ransomware cyberattack of Change Healthcare (which manages a third of
all U.S. patient records and 15 billion transactions a year, with its
parent UnitedHealth having reported $372B in revenues in 1923) is
deeply embedded in almost every aspect of U.S. healthcare. [PGN-ed]

They had to shut down for several weeks, despite having paid the $22M
ransom.

[No backup-and-recovery procedures? We might expect that a company
with that much revenue would invest in something significantly
better than the alleged so-called industry *best practices*, which
are obviously rather mediocre, and nowhere near good enough. PGN]

------------------------------

Date: Fri, 17 May 2024 09:16:41 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Cape Cod Hospital to pay $24.4 million for Medicare billing
issues (The Boston Globe)

.... following DOJ investigation into Medicare billing practices

https://www.bostonglobe.com/2024/05/16/business/cape-cod-hospital-investigation-settlement/

------------------------------

Date: Sun, 19 May 2024 17:28:34 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: At-Home IV-Drip Therapy Is the Latest Luxury Building
Amenity (The New York Times)

High-end condos and rentals now offer the medically dubious therapy as a
regular wellness practice, not just a vacation splurge.

IV drip therapy was first popularized about a decade ago as a novelty
reserved for vacations and bachelorette parties, but it has since become
embedded in the wellness sphere. The 30-to-45-minute treatments cost
anywhere from $100 to $1,000, depending on the concoction and provider, and
have been embraced by the Hollywood elite — Gwyneth Paltrow, Chrissy Teigen
and Harry Styles have all partaken. Today, IV drip therapy is a staple at
medical spas, resort hotels and strip malls. Some companies even make house
calls.

And over the last several months, a handful of high-end residential
buildings in Los Angeles, Miami and Manhattan began offering the treatments
in house, allowing tenants to make them a core feature of their personal
wellness routine.

At the Park, which started offering the service at the end of 2023, tenants
can schedule an IV drip in their apartment or in a treatment room where they
can also book massages, Botox or fillers.

“If you are a healthy person, you really can’t do it too often, unless
you’re doing it three or four times a day,” said Danielle Remington,
director of events and partnerships at Drip Hydration, the service provider
for the Park.

Drip Hydration and other providers market their formulas as elixirs that can
improve sleep and mental clarity, brighten your skin and boost your athletic
performance. However, there is scant scientific research to bolster these
claims. Critics argue that at best, IV drips are a wildly overpriced
alternative to drinking a glass of water, and at worst, they could harm
people with underlying health conditions like kidney disease or
hypertension. In 2018, Kendall Jenner was hospitalized after a bad reaction
to an IV drip. And last year, a woman died after receiving IV drip therapy
at Luxe Med Spa in Wortham, Texas; its medical director’s license was later
temporarily restricted by the state’s medical board.

https://www.nytimes.com/2024/05/14/realestate/iv-drip-therapy-luxury-building.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

[What's next? Do-it-yourself surgery with AI assistance? PGN]

------------------------------

Date: Sat, 18 May 2024 06:41:41 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Is the news media picking on Tesla? (LATimes/YouTube)

Take this story, for example:

A Tesla going more than 100 mph. A suspended license. Three young lives cut
short. Inside the Pasadena crash.

The 22-year-old driver ran through a red light while driving over 100 mph
before the fatal car crash in east Pasadena last weekend.

If you read it you see that this accident was due to irresponsible driving
habits and there is nowhere any suggestion that features of the car unique
to Tesla were involved.

Mentioning the make of the car in the headline and the story would never
normally happen, except we are conditioned to seeing bad news about
Teslas.

It seems more than a little unfair to me.

https://www.latimes.com/california/story/2024-05-14/what-we-know-about-the-deadly-tesla-crash-in-east-pasadena

[That URL no longer works, but
https://www.youtube.com/watch?v=I5aScTiR3Dg
says alcohol involved in 35-mph zone, 3 died, 3 injured,
driver lost control, crashed into a building. Only one or
two wearing seatbelts. PGN]

[It seems to me no car with the ability for automated controls would
allow the driver to turn off the automation completely on a road with
red lights or drive at 200% over the speed limit. PGN]

------------------------------

Date: Mon, 13 May 2024 11:08:39 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Smarter Vehicles Could Mean Changes to Traffic Lights
(Jeff McMurray)

Jeff McMurray, *Associated Press*, 11 May 2024, via ACM Technews

The advent of connected and automated vehicles could bring major changes to
traditional traffic signals. North Carolina State University's Ali
Hajbabaie, for example, suggests adding a fourth light to indicate when
there are enough autonomous vehicles on the road to take charge and lead the
way. A pilot program by University of Michigan researchers in the Detroit
suburb of Birmingham found that adjusting the timing of traffic lights by
just a few seconds reduced congestion.

[That last sentence seems to run counter to queueing theory in an
imperfect world, but could work in the presumed perfect world of only
autonomous vehicles on the road, with no mechanical or computer-glitch
breakdowns. Who is worrying about hybrid avenues with conventional cars
intermingled with self-driving cars? Weaving conventional or doctored
autonomous motorcycles slipping in between everything else at much faster
speeds? Hybrid automated toll-roads in the realistically non-perfect
worlds? What could possibly go wrong? PGN]

------------------------------

Date: Sun, 12 May 2024 02:41:32 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Is Your Car Spying on You? Dale Harrington (AP)

CUG Wednesday Workshop - YouTube

Is Your Car Spying on You? Why Your Car Collects and Shares Data.  Dale
Harrington, MICRO-PC Program Chair

A car (and its app, if you installed one on your phone) can collect all
sorts of data in the background without you realizing it. This, in turn, may
be shared for various purposes, including advertising and risk assessment
for insurance companies. The data collection list is long and depends on the
car's make, model, and trim. But if you look through any car maker's privacy
policy, you'll see some trends. Dale will talk about what types of data may
be shared with, among others, dealers, repair companies, emergency services,
advertising, and insurance companies.

https://www.youtube.com/watch?v=Ve5szJXc9sw

APCUG, an international cross-platform (Windows, OSX, Linux, iOS, Android,
and Chrome) association, is a valuable resource for technology and computer
user groups, helping them stay connected, informed, and effective in their
mission to support and educate their members.

------------------------------

Date: Mon, 13 May 2024 11:08:39 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Tech Giants Treat Southeast Asia Like Next Big Thing
(Bloomberg)

Olivia Poh and Suvashree Ghosh, *Bloomberg*, 10 May 1024,
via ACM TechNews

Southeast Asia is drawing more tech investment than ever. As China turns
more hostile to U.S. firms and India remains tougher to navigate
politically, tech companies are focusing on business-friendly regimes in
Southeast Asia. As the advent of AI is spurring tech leaders to pursue new
sources of growth, the world's biggest companies are set to spend up to
US$60 billion on datacenters over the next few years to meet the demands of
Southeast Asia's young population.

------------------------------

Date: Mon, 13 May 2024 11:08:39 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Will Chatbots Eat India's IT Industry? (The Economist)

The Economist, 9 May 2024, via ACM TechNews

A paper last year by Alexander Copestake of the IMF and colleagues
identified "near-exponential growth" in demand for AI-related skills in
India's service sector since 2016, yet there are concerns that generative AI
technology could erode India's tech industry. Seven of India's IT companies
collectively laid off 75,000 employees last year, equivalent to about 4% of
their combined workforce. The companies say that reflects the broader
slowdown in the tech sector.

------------------------------

Date: Sat, 18 May 2024 00:41:41 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Newspaper conglomerate Gannett is adding AI-generated
summaries to the top of its articles (The Verge)

https://www.theverge.com/2024/5/16/24158531/gannett-ai-generated-overviews-usa-today-memo

[All the news that fits we print? PGN]

------------------------------

Date: Sun, 19 May 2024 14:24:25 -0400
From: Monty Solomon <monty@roscom.com>
Subject: The Night That Sotheby's Was Crypto-Punked (NYTimes)

The auction that was supposed to be an art world coming-out party for NFTs
instead exposed the instability at the heart of the crypto world.

https://www.nytimes.com/2024/05/18/business/sothebys-crypto-nfts-auction.html

------------------------------

Date: Thu, 16 May 2024 15:20:56 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: MIT students stole $25M in seconds by exploiting ETH
blockchain bug, DOJ says (Ars Technica)

Brothers charged in novel crypto[currency] scheme potentially face decades
in prison.

Within approximately 12 seconds, two highly educated brothers allegedly
stole $25 million by tampering with the ethereum blockchain in a
never-before-seen cryptocurrency scheme, according to an indictment that the
U.S. Department of Justice unsealed Wednesday.

In a DOJ press release, US Attorney Damian Williams said the scheme was so
sophisticated that it ``calls the very integrity of the blockchain into
question. The brothers, who studied computer science and math at one of the
most prestigious universities in the world, allegedly used their specialized
skills and education to tamper with and manipulate the protocols relied upon
by millions of ethereum users across the globe,'' Williams said. Once they
put their plan into action, their heist took only 12 seconds to complete.

https://arstechnica.com/tech-policy/2024/05/sophisticated-25m-ethereum-heist-took-about-12-seconds-doj-says/

The risk? Specialized skills.

[Also spotted by Matthew Kruk: U.S. brothers arrested for stealing $25m in
crypto in just 12 seconds:
Anton Peraire-Bueno, 24, and James Peraire-Bueno, 28, are accused of wire
fraud and money laundering.
https://www.bbc.com/news/world-us-canada-69018575
To slightly paraphrase what Bob Morris once said to John Markoff
in 1988, "sounds like the work of bored graduate students." PGN]
[I guess MIT is not teaching ethics any more. Perhaps this was indeed a
class project? PGN]

------------------------------

Date: Sun, 19 May 2024 16:10:33 -0400
From: Monty Solomon <monty@roscom.com>
Subject: What Meltdown? Crypto Comes Roaring Back in the Philippines.
(NYTimes)

NYTimes, 18 Mar 2024

Two years after the cryptocurrency market crashed, Internet cafes for
playing crypto-earning video games are opening and farmers have started
harvesting virtual crops from the games for income.

https://www.nytimes.com/2024/03/18/technology/crypto-video-games-philippines.html

------------------------------

Date: Sat, 18 May 2024 18:37:02 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: OpenAI disbands team devoted to artificial intelligence
risks (AFP)

OpenAI on Friday confirmed that it has disbanded a team devoted to
mitigating the long-term dangers of super-smart artificial intelligence.

OpenAI weeks ago began dissolving the so-called "superalignment" group,
integrating members into other projects and research, according to the San
Francisco-based firm.

Company co-founder Ilya Sutskever and team co-leader Jan Leike announced
their departures from the ChatGPT-maker this week.

The dismantling of an OpenAI team focused on keeping sophisticated
artificial intelligence under control comes as such technology faces
increased scrutiny from regulators and fears mount regarding its dangers.
[...]

https://www.yahoo.com/tech/openai-team-devoted-future-risks-221336168.html

------------------------------

Date: Sat, 18 May 2024 11:01:18 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: ChatGPT Gets Real (NYMag)

The bot is now capable of a normal (human) conversation. Is that fun or
terrifying?

Maybe you think you know ChatGPT; after all, over half of Americans have
tried it or one of its competitors. But this week, a new version debuted
that changes ChatGPT from a chatbot into more of a chat/human, by
incorporating ingredients like emotion, musicality, lilt, sarcasm, laughter,
and attention.

https://nymag.com/intelligencer/article/chatgpt-gets-real.html

[I'm waiting for puns, although really good intelligent topical ones seem
unlikely. PGN]

------------------------------

Date: Thu, 16 May 2024 07:32:50 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: The man who turned his dead father into a chatbot (BBC)

https://www.bbc.com/news/business-68944898

Back in 2016, James Vlahos received some terrible news - his father was
diagnosed with terminal cancer.

"I loved my dad, I was losing my dad," says James, who is based in Oakland,
California.

He was determined to make the most of the remaining time he had with his
father. "I did an oral history project with him, where I just spent hours,
and hours, and hours just audio recording his life story."

This coincided with a time when James was starting to explore a career in
AI, so his project soon evolved.

"I thought, gosh, what if I could make something interactive out of this?"
he says. "For a way to more richly keep his memories, and some sense of his
personality, which was so wonderful, to keep that around."

------------------------------

Date: Wed, 15 May 2024 15:13:30 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Dell Hell Redux -- More Personal Info Stolen by Menelik
(Security Boulevard)

Hacker took advantage of Dell’s lack of anti-scraping defense.

A hacker with the pseudonym Menelik has admitted to stealing the data of 49
million Dell customers—we told you about that hack last week. But now he
says he’s also grabbed a bunch more.

https://securityboulevard.com/2024/05/dell-hell-redux-menelik-richixbw

------------------------------

Date: Sun, 19 May 2024 07:39:20 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Link Rot and Digital Decay on Government, News and Other Webpages
(Pew Research Center)

When Online Content Disappears

A quarter of all webpages that existed at one point between 2013 and 2023
are no longer accessible.

https://www.pewresearch.org/data-labs/2024/05/17/when-online-content-disappears/

[Cf More than 2 Million Research Papers Have Disappeared from the
Internet (R 34 09)]

------------------------------

Date: Wed, 15 May 2024 12:49:55 -0400
From: Tom Van Vleck <thvv@multicians.org>
Subject: The Rise of Large-Language-Model Optimization
(Schneier on Security)

This is very good.

https://www.schneier.com/blog/archives/2024/04/the-rise-of-large.html

------------------------------

Date: Sat, 18 May 2024 06:36:47 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Unprecedented Google Cloud event wipes out customer account and
its backups (ArsTechnica)

Bringing new meaning to "Killed By Google" --

UniSuper, a $135 billion pension account, details its cloud compute
nightmare.

Buried under the news from Google I/O this week is one of Google Cloud's
biggest blunders ever: Google's Amazon Web Services competitor accidentally
deleted a giant customer account for no reason. UniSuper, an Australian
pension fund that manages $135 billion worth of funds and has 647,000
members, had its entire account wiped out at Google Cloud, including all its
backups that were stored on the service. UniSuper thankfully had some
backups with a different provider and was able to recover its data, but
according to UniSuper's incident log, downtime started May 2, and a full
restoration of services didn't happen until May 15. [...]

https://arstechnica.com/gadgets/2024/05/google-cloud-accidentally-nukes-customer-account-causes-two-weeks-of-downtime

[Also noted by Victor Miller,
Google Accidentally Deleted $125 Billion Pension Fund's Account
https://gizmodo.com/google-cloud-pension-fund-unisuper-1851476649
What's 10 Billion here or there between the two items? PGN]

------------------------------

Date: Mon, 13 May 2024 10:57:37 -0700
From: Victor Miller <victorsmiller@gmail.com>
Subject: A horrifying software bug (trofi)

I don't expect you to read this in detail, but you can skip to the end to
find the final (?) diagnosis. I find this pretty horrifying. I liken this
to a heroic firefighter going into a burning building. I'm afraid that our
software chain has gotten so baroque that it may be impossible to certify
anything with high confidence.

https://trofi.github.io/posts/312-the-sagemath-saga.html

------------------------------

Date: Thu, 16 May 2024 10:10:43 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: New Wi-Fi Vulnerability Enables Network Eavesdropping via Downgrade
Attacks (The Hacker News)

Researchers have discovered a new security vulnerability stemming from a
design flaw in the IEEE 802.11 Wi-Fi standard that tricks victims into
connecting to a less secure wireless network and allows eavesdropping on
their network traffic.

The SSID Confusion attack, tracked as CVE-2023-52424, impacts all operating
systems and Wi-Fi clients, including home and mesh networks that are based
on WEP, WPA3, 802.11X/EAP, and AMPE protocols.

The method "involves downgrading victims to a less secure network by
spoofing a trusted network name (SSID) so they can intercept their traffic
or carry out further attacks," Top10VPN said, which collaborated with
KU Leuven professor and researcher Mathy Vanhoef.
<https://www.top10vpn.com/research/wifi-vulnerability-ssid/>

"A successful SSID Confusion attack also causes any VPN with the
functionality to auto-disable on trusted networks to turn itself off,
leaving the victim's traffic exposed."

The issue underpinning the attack is the fact that the Wi-Fi standard does
not require the network name (SSID or the service set identifier) to always
be authenticated and that security measures are only required when a device
opts to join a particular network.

The net effect of this behavior is that an attacker could deceive a client
into connecting to an untrusted Wi-Fi network other than the one it intended
to connect to by staging an adversary-in-the-middle (AitM) attack. [...]

https://thehackernews.com/2024/05/new-wi-fi-vulnerability-enabling.html

[Victor Miller noted New Wifi vulnerability:
https://www.top10vpn.com/research/wifi-vulnerability-ssid/
PGN]
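
An added example, not from the article, the researchers or the digest: the published research lists reuse of the same credentials under a different SSID as a precondition for SSID Confusion, so this check audits a wpa_supplicant.conf for saved networks that share credentials across names. The sample config, its SSIDs and secrets, and the choice of key_mgmt values to flag are assumptions.

```python
import hashlib
import re
from collections import defaultdict
# Constructed sample in wpa_supplicant.conf syntax; every name and secret is made up.
SAMPLE_CONF = '''
network={
    ssid="Campus-5G"
    key_mgmt=WPA-EAP
    identity="alice@example.edu"
    password="constructed-secret"
}
network={
    ssid="Campus-Legacy"
    key_mgmt=WPA-EAP
    identity="alice@example.edu"
    password="constructed-secret"
}
network={
    ssid="Lab"
    key_mgmt=SAE
    sae_password="constructed-lab-secret"
}
'''
# Assumption: flag WPA3 (SAE) and 802.1X/EAP profiles, two families the article names.
AFFECTED_KEY_MGMT = {"SAE", "WPA-EAP", "IEEE8021X"}
CREDENTIAL_FIELDS = ("identity", "password", "sae_password", "psk")

def parse_networks(conf_text):
    """Return one dict of key/value pairs per network={...} block."""
    networks = []
    for block in re.findall(r"network=\{(.*?)\n\s*\}", conf_text, re.S):
        fields = {}
        for line in map(str.strip, block.splitlines()):
            if line and not line.startswith("#") and "=" in line:
                key, value = line.split("=", 1)
                fields[key.strip()] = value.strip().strip('"')
        networks.append(fields)
    return networks

def credential_fingerprint(net):
    # Hash the credential fields so the report never echoes a secret.
    material = "\x00".join(f"{k}={net.get(k, '')}" for k in CREDENTIAL_FIELDS)
    return hashlib.sha256(material.encode()).hexdigest()[:12]

def find_shared_credentials(conf_text):
    """Map credential fingerprint -> sorted SSIDs, for credentials used by >1 SSID."""
    groups = defaultdict(set)
    for net in parse_networks(conf_text):
        modes = set(net.get("key_mgmt", "").split())
        if modes & AFFECTED_KEY_MGMT and any(net.get(k) for k in CREDENTIAL_FIELDS):
            groups[credential_fingerprint(net)].add(net.get("ssid", "<no ssid>"))
    return {fp: sorted(ssids) for fp, ssids in groups.items() if len(ssids) > 1}

if __name__ == "__main__":
    print(find_shared_credentials(SAMPLE_CONF))
```

Each group it reports is a set of network names that a client would accept interchangeably with the same credentials; giving each SSID its own credentials removes the group.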

------------------------------

Date: Sat, 18 May 2024 02:03:14 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: Deleted photos of former owners reappearing on sold iPad
-- and probably iPhones (PhoneArena)

Deleted photos of former owners reappearing on sold iPads (and probably
iPhones) - PhoneArena

https://www.phonearena.com/news/Deleted-photos-of-former-owners-reappearing-on-sold-iPads-and-probably-iPhones_id158441

------------------------------

Date: Wed, 15 May 2024 06:38:29 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: As AI becomes more human-like, experts warn users must
think more critically about its responses (CBC)

https://www.cbc.ca/news/business/google-openai-search-1.7204014

Tech giant Google has announced upgrades to its artificial intelligence
technologies, just a day after rival OpenAI announced similar changes to its
offerings, with both companies trying to dominate the quickly emerging
market where human beings can ask questions of computer systems -- and get
answers in the style of a human response. [...]

But researchers in the technology and artificial intelligence sector warn
that as people get information from AI systems in more user-friendly ways,
they also have to be careful to watch for inaccurate or misleading responses
to their queries.

------------------------------

Date: Wed, 15 May 2024 13:52:28 +0100
From: Julia Segal <julia@flydiem.com>
Subject: AI turned a Ukrainian into Russian propaganda (BBC)

https://www.bbc.co.uk/news/articles/c25rre8ww57o

------------------------------

Date: Thu, 16 May 2024 10:36:28 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Two unlikely U.S. states are leading the charge on regulating AI
(Politico)

Connecticut’s ambitious legislation regulating the emerging industry got
derailed. Now, the tech industry is trying to kill Colorado’s bill. [...]

In the absence of federal legislation, more than 40 states — including the
AI epicenter of California — are considering some 400 bills related to
artificial intelligence, as the emerging technology has potential to remake
vast swaths of the economy. But the struggles in Connecticut and Colorado
highlight the perils of trying to put guardrails around the rapidly evolving
industry with powerful lobbying forces. [...]

https://www.politico.com/news/2024/05/15/ai-tech-regulations-lobbying-00157676

------------------------------

Date: Fri, 17 May 2024 06:59:14 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Google tests AI to detect scam phone calls. Privacy advocates are
terrified. (NBCNews)

Some privacy advocates say they’re terrified by Google’s announcement this
week that it’s testing a way to scan people’s phone calls in real time for
signs of financial scams.

Google unveiled the idea Tuesday at Google I/O, its conference for software
developers. Dave Burke, a Google vice president for engineering, said the
company is trying out a feature that uses artificial intelligence to detect
patterns associated with scams and then alert Android phone users when
suspected scams are in progress.

Burke described the idea as a security feature and provided an example.
Onstage, he got a demonstration call from someone impersonating a bank who
suggested that he move his savings to a new account to keep it safe.
Burke’s phone flashed a notification: “Likely scam: Banks will never ask you
to move your money to keep it safe,” with an option to end the call.

“Gemini Nano alerts me the second it detects suspicious activity,” Burke
said, using the name of a Google-developed AI model. He didn’t specify what
signals the software uses to determine a conversation is suspicious. [...]

https://www.nbcnews.com/tech/security/google-io-phone-ai-scan-privacy-signal-android-rcna152426

------------------------------

Date: Wed, 15 May 2024 09:59:52 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Flood of Fake Science Forces Multiple Journal Closures
(WSJ)

Wiley to shutter 19 more journals, some tainted by fraud

Fake academic studies are turning the publishing industry on its
head—forcing publishers to issue retractions and close journals. They are
losing millions of dollars.

https://www.wsj.com/science/academic-studies-research-paper-mills-journals-publishing-f5a3d4bc

FOLLOWED BY

The Business of Scientific Publishing
https://www.science.org/content/blog-post/business-scientific-publishing

------------------------------

Date: Sun, 12 May 2024 11:29:59 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Newspaper groups warn Apple over ad-blocking plans

UK press says proposed *web eraser* tool in next iOS update threatens
journalism's financial sustainability.

British newspaper groups have warned Apple that any move to impose a
so-called *web eraser* tool to block advertisements would put the
financial sustainability of journalism at risk.

Apple is preparing to include an AI-based privacy feature in the Safari
browser in the next iOS 18 software update that will remove ads or other
unwanted website content, according to reports.

In a letter sent on Friday to Apple's government affairs chief in the UK,
the News Media Association, which represents 900 national, regional and
local titles, raised concerns about how this would affect digital revenues
in the industry.

The letter, seen by the Financial Times, said professional journalism
required funding ``and advertising is a key revenue stream for many
publishers''. Members of the NMA include The Times, The Guardian and The
Daily Telegraph.

Online platforms such as web browsers and social networks are important
routes for the public to access journalism, the NMA argues, but also for
publishers to ``monetise their content in the digital marketplace.''

The prospect of an automatic block on online ads has caused considerable
alarm among publishers, which are already facing a squeeze on revenues
given separate moves by tech groups that have throttled news traffic and a
broader slowdown in spending in many parts of the market. Apple declined to
comment.

https://on.ft.com/3QGg5eq

------------------------------

Date: Sat, 18 May 2024 11:25:21 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Slack users horrified to discover messages used for AI training
(ArsTechnica)

*Slack says policy changes are imminent amid backlash.*

After launching <https://slack.com/blog/news/slack-ai-has-arrived> Slack AI
in February, Slack appears to be digging its heels in, defending its vague
policy that by default sucks up customers' data -- including messages,
content, and files -- to train Slack's global AI models. [...]
<https://slack.com/intl/en-gb/trust/data-management/privacy-principles>

https://arstechnica.com/tech-policy/2024/05/slack-defends-default-opt-in-for-ai-training-on-chats-amid-user-outrage/ [...]
https://on.ft.com/3QGg5eq

------------------------------

Date: 12 May 2024 15:34:39 -0400
From: "John Levine" <johnl@iecc.com>
Subject: Tractors that don't know where they are

> [The almost unprecedented Friday evening Solar Flares caused some very
> spectacular Northern Lights much farther south, as predicted. I wonder
> if fires or power outages were related. PGN]

Well, since you asked: tractors use GPS to get precise locations so they can
plant with an accuracy of a few cm and come back later knowing exactly where
the crops are.

Except that if there's a huge solar storm the week you need to plant
your corn, which screws up the GPS signal so the tractors' locations
are several feet off, you have a big problem:

https://www.404media.co/solar-storm-knocks-out-tractor-gps-systems-during-peak-planting-season/

[Also noted by geoff goodfellow and Jan Wolitzky:
Solar Storm Fried GPS Systems Used by Some Farmers, Stalling Planting
https://www.nytimes.com/2024/05/13/us/solar-storm-tractor-break-nebraska.html
PGN]

------------------------------

Date: Thu, 16 May 2024 08:20:16 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: She was accused of faking an incriminating video of teenage
cheerleaders. The problem? Nothing was fake after all (The Guardian)

She was accused of faking an incriminating video of teenage cheerleaders.
She was arrested, outcast and condemned. The problem? Nothing was fake
after all.

The moral panic following Raffaella Spone’s ‘deepfake’ video spread around
the world. She talks for the first time about being the centre of a story in
which nothing was as it seemed.

https://www.theguardian.com/technology/article/2024/may/11/she-was-accused-of-faking-an-incriminating-video-of-teenage-cheerleaders-she-was-arrested-outcast-and-condemned-the-problem-nothing-was-fake-after-all

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.25
************************
