
Subject: Risks Digest 34.47
From: RISKS List Owner
Newsgroups: comp.risks
Organization: PANIX Public Access Internet and UNIX, NYC
Date: Thu, 17 Oct 2024 22:23 UTC
Lines: 1004
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1729203320.risko@chiron.csl.sri.com22314>

RISKS-LIST: Risks-Forum Digest Thursday 17 Oct 2024 Volume 34 : Issue 47

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.47>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents: [Backlogged; still a large bunch pending]
This Is What Electoral Fraud Looks Like (Jesse Wegman)
2024 Election Protection As AI Increases the Risk of Disenfranchisement
(Lillie Coney)
Notes for my HealthSec24 paper on Healthcare Risks (PGN)
More on money drives healthcare (Robert Boyer)
Millions of Vehicles Could Be Hacked and Tracked Thanks to
a Simple Website Bug (WiReD)
Website Bug Allowed Kia Vehicles to Be Hacked, Tracked (Andy Greenberg)
Tesla driver killed in solo crash (PGN)
Tesla Cybertruck -- too big and sharp for European roads, say
campaigners (The Guardian)
Are taxis safer with no driver? These women think so (nbcnews.com)
South China Sea tensions and undersea cables (WashingtonReport)
Starlink satellites create light pollution and disrupt radio frequencies.
And it's getting worse (CBC)
I-XRAY: The AI Glasses That Reveal Anyone's Personal Details Just from
Looking at Them (The Globe)
How to Opt Out of AI Online (The New Yorker)
California Governor Vetoes AI Safety Bill (Politico)
AI Crawlers Are Hammering Sites (Chris Stokel-Walker)
Kamala Harris, AI, and the Bletchley Park ghost (Douglas Lucas)
Steganographic covert channel (Dan Goodin)
Intel is a security risk for China, says influential industry group
(cnn.com)
K8S Image Builder, CVE-2024-9486 (The Register via Cliff Kilby)
WSJ reports China compromised U.S. lawful access systems
(Matt Blaze)
Calgary Public Library locations remain closed after cyberattack (CBC)
Parents sue son's high-school history teacher (NBC News)
Dynamic pricing unpopular (BBC)
Earth has overshot key planetary boundaries, scientists warn
(Hastings Tribune)
China Is Writing World's Technology Rules (The Economist)
Mystery Drones Swarmed a U.S. Military Base for 17 Days. The
Pentagon Is Stumped. (WSJ)
Spotify criticized for letting fake albums appear on real artist pages
(ArsTechnica)
*The New York Times* tells *Perplexity* to stop using its content
(Pivot5)
Complete, free CISSP review seminar (Rob Slade)
DoJ vs. Google: Users have the most to lose (Lauren Weinstein)
Kremlin refutes Trump denial on sending Putin COVID tests (Lauren Weinstein)
NBC's former marketing chief: We Created a Monster:
Trump Was a TV Fantasy Invented for 'The Apprentice' (USNews)
Suspect arrested after reports of threats toward FEMA operations in
North Carolina (CNN)
Understanding the Limitations of Mathematical Reasoning in Large Language
Models (arxiv)
Why Restoring Power After Helene Is Complicated (Brad Plumer)
Rob's usual disaster season call for emergency management
training (Rob Slade)
Re: More than 1,000 people, including Hezbollah members, wounded in
Lebanon after pagers detonate (Rik Farrow)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 7 Oct 2024 11:03:08 PDT
From: Peter G Neumann <neumann@csl.sri.com>
Subject: This Is What Electoral Fraud Looks Like (Jesse Wegman)

Jesse Wegman, *The New York Times* Opinion, 7 Oct 2024

For four years, Donald Trump and his allies have been injecting dangerous
lies into the American bloodstream, claiming without any actual evidence
that the 2020 election that he lost was tainted by serious fraud.

As it turns out, there was indeed one serious fraud in the 2020 election.
On [3 Oct 2024], one perpetrator of that fraud was sentenced to nine years
in prison for her crimes. Tina Peters, the former clerk of Mesa County,
Colorado, in 2020 tampered with voting machines in an effort to prove the
election had been rigged against Trump. The data she allowed to be
downloaded made its way to a presentation given by Mike Lindell, the
pillow-hawking conspiracist.

``You abused your position, and you are a charlatan who used and is still
using your prior position in office to peddle a snake oil that's proven to
be junk time and time again,'' Judge Matthew Barrett said as he dressed down
Peters for more than 13 minutes. [...]

Now imagine that the defendant sitting in the defendant's chair is not a
local official but the former president of the United States. Judge
Barrett's words could also have been said verbatim to Donald Trump.

We can only imagine it now, because Trump has avoided any legal consequences
for his persistent lies, his stoking of the public mistrust and his
incitements to violence. This is the fault of the Supreme Court, which
immunized the president against almost all official acts in July [...].

Emboldened by that ahistoric extra-constitutional ruling, Trump remains
defiant. No one needs to be persuaded that he would do it again, because he
already is. [...]

------------------------------

Date: Sun, 13 Oct 2024 06:36:39 -0400
From: Lillie Coney <coney@lillieconey.net>
Subject: 2024 Election Protection As AI Increases the Risk of
Disenfranchisement

This article is a repost of the Epic.org Report, e-Deceptive Campaign
Practices, first published in 2008 and again in 2010. The report provides
information on risks posed to election integrity by ubiquitous social media
and mobile technologies. The report needs an update with the most important
developments being the introduction of artificial intelligence and targeting
of communities ill prepared for deceptive campaign attacks. In 2024, Russia
still poses a significant threat to tampering in US elections. But, the
U.S. is not the only democracy facing challenges. In 2020, the United
Kingdom's Brexit vote report cites Russia's hacking and
disinformation campaign as factors in that important election.

Canada is another democracy that faced challenges from robocalls intended to
confuse and harass voters in the 2011 federal election through misdirection
to incorrect polling locations on Election Day during a very close election.
This was unprecedented and at the end of the day disenfranchised Canadian
voters had no recourse.

In the United States the Voting Rights Act has not been reauthorized and key
provisions protecting voting rights have been struck down by the Supreme
Court, and this law protects only the right to vote of persons in certain
jurisdictions and states with a documented history of voter
disenfranchisement.

This situation leaves many voters on their own should they fall prey to an
AI-generated deceptive robocall on Election Day that erroneously reports that
their voting location has changed. AI voice impersonations made an early
debut in the 2024 election, and may have an encore performance on Election
Day.

The recommendation, for those planning to vote is to do so during early
voting, if that is an option, or make a plan to start earlier on Election
Day. Civic participation in the United States is an individual right to
exercise or not -- but each voter is free to decide for themselves, and not
have that decision taken from them.

Article written by Lillie Coney, former Associate Director of EPIC.org, and
Director of the Voting Integrity Project. She is a member of the ACM USACM, and
IEEE.

Key Takeaways from the British Report on Russian Interference, by Amy
Mackinnon, a national security and intelligence reporter at Foreign Policy,
on 21 Jul 2021, last visited 8 Oct 2024, found at
https://foreignpolicy.com/2020/07/21/britain-report-russian-interference-brexit/

E-Deceptive Campaign Report 2010: Internet Technology and Democracy 2.0,
Lillie Coney, Peter Neumann and Jon Pincus, October 2010, found at
https://epic.org/wp-content/uploads/privacy/voting/E_Deceptive_Report_10_2010.pdf, last visited on 8 Oct 2024.

Robocalls scandal: Timeline of events, CTVNews.ca, by Staff, August 14,
2014, last visited on 8 Oct 2024, can be found at
https://www.ctvnews.ca/politics/robocalls-scandal-timeline-of-events-1.1960260

[The amount of intentionally false information in the lead-up to this
election is absolutely terrifying. Thanks, Lillie, for resurrecting this
item. PGN]

------------------------------

Date: Mon, 14 Oct 2024 9:08:47 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Notes for my HealthSec24 paper on Healthcare Risks

Peter G. Neumann
Computer-Related Risks in Healthcare [10-minute summary]
CCS 2024 conference HealthSec workshop.

The paper is on my website, in part derived from recent RISKS issues,
with lots of editorial additions:
https://www.csl.sri.com/users/neumann/health.pdf
HealthSec 2024, Salt Lake City, 14 Oct 2024

The 10-minute summary that I was going to present at the workshop is
on my website:
https://www.csl.sri.com/users/neumann/healthsec.txt
There were several screw-ups and logistic problems (bandwidth with multiple
workshops) that prevented my zooming in, so I wound up with two minutes
after a lovely introduction from William Yurcik, the program chair, who had
invited my paper.

Here are my notes for my intended summary:

I regret not being able to be with you all -- for pressing health
reasons. Here's an abbreviated summary of the paper.

0. I am very grateful to Kaiser Permanente for multiple decades of keeping
him at work at 92, and to Stanford Hospital for its emergency treatment
of his heart attack over a year ago. My paper is a counter-cultural
analysis of what has gone wrong and what might need to be done in the
future to dramatically improve the situation.

1. Many problems in healthcare require holistic approaches, because
many factors are often interrelated. Thinking out of the box is a
poor metaphor, because there actually is no box. Albert Einstein
said, ``Everything should be made as simple as possible, *but no
simpler.*'' Unfortunately, violating *but no simpler* often causes
crises, and requires some total-system thinking. Also, medical
best practices tend to be overly simplified, driven in part by
avoiding lawsuits.

2. Certain medical devices have been poorly designed and implemented,
lacking in assurance, monitoring, and oversight. Research and
development in medical devices needs to be much more holistic and
evidence-based. In an incident in Houston just after my paper was
finalized, a student died when the defibrillator failed. When the
authorities checked, all of Houston's 150 school devices failed to
operate correctly. Self-checking failed miserably.

3. In the spirit of this workshop, technological solutions often are
not sufficiently trustworthy -- especially if they rely on
artificial intelligence that has no evidence that it will give
sound results. However, we note that nontechnological problems
generally cannot be solved by technology alone.

4. Throughout the medical profession, money and greed are often the
driving force, whether for making profits or surviving as a
non-profit, cutting corners wherever possible. Political and
government problems abound, especially relating to insurance and
vaccinations. Healthcare is a worldwide concern, but the U.S. has
its own problems.

5. Artificial intelligence can be helpful, but in systems demanding
real-time life-critical trustworthiness, it urgently needs serious
evidence-based assurance. I have an Inside Risks article (the
255th column) in the November 2024 CACM on that subject, a preview
of which is also on my website, along with most of the other
more recent columns since my book came out:
https://www.csl.sri.com/users/neumann/cacm255.pdf

6. Dealing with rampant disinformation has become pandemic.

7. Overall, some serious rethinking is required throughout, along with
stringent oversight. Functional rather than allopathic medicine is
almost completely disregarded by conventional healthcare, that is,
treating the underlying causes rather than just the symptoms. This
fact seems to be strongly influenced by pharmaceutical companies,
overly narrow best practices, and big money.

8. The meaning of my school pledge of allegiance seems to have been
lost -- one nation, under God, with liberty and justice for all.

Please read the entire paper, which has ample examples for all of these
points -- and lots more. And this introductory list is also on my website.
I seem to be the only Peter G Neumann, although I know three other Peter
Neumanns.

Once you have read my paper based on recent items in the ACM Risks
Forum (http://www.risks.org), with extensive personal opinions, read
Bernie Sanders' new book, It's OK To Be Angry About Capitalism.
Chapter 5 is titled Ending Greed in the Health Care System: Health
Care is a Human Right, not a Privilege. It is comprehensive.

Also, read the very constructive HealthSec 2024 paper by John McHugh
and William Yurcik, on John's personal experience about how caregiving
institutions can be done humanely. I prefer hospice care where
possible, which may be where I am now headed.

[Tom Van Vleck suggests that I should mention that this paper contains
just a small sample of observations, some of which were contributed by
RISKS readers, who are of course identified in the cited RISKS issue.
There are also many other problems that are generally not described in
RISKS. PGN]

------------------------------

Date: Thu, 10 Oct 2024 14:01:27 -0500
From: Robert Boyer <robertstephenboyer@gmail.com>
Subject: More on money drives healthcare

Fine article on 'fault injection'.

How can modern medicine go so proudly marching on? Don't they read the news?

Answer: shamelessness, money, money, honey.

Saying 'we are/were doing our best' does not cut it with me. In the past,
the medical community may have been doing more harm than good in some cases,
e.g., with the practice of bleeding. Do we really know that things are any
better today? So how come some say life expectancy is going down?

Philips is paying out half a billion dollars for ruining the lungs and lives
of many CPAP wearers.

https://www.fiercebiotech.com/medtech/philips-reaches-settlement-over-economic-loss-claims-class-action-cpap-lawsuit#:~:text=he%20economic%20loss%20awards%20will,the%20costs%20of%20replacement%20devices

Where were the WHO, the FDA, the CDC, and those other pompous three letter
authorities while this lung ruination was going on? I'll tell you where they
were. They were telling themselves how much good 'modern' medicine was
doing, on their expensive vacations, that's where. On their butts!

So who cares? No one! How soon will I get a call from Philips asking how
much they owe me for decades of CPAP use? CPAP came highly recommended by
the medical community. Fortunately, I never throw out anything, so I may
have old CPAP masks to base a lawsuit upon. But I am too weak to undertake a
suit.

Where is the global medical sense of shame, shame, shame?

------------------------------

Date: Mon, 30 Sep 2024 11:29:40 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Millions of Vehicles Could Be Hacked and Tracked Thanks to
a Simple Website Bug (WiReD)

Researchers found a flaw in a Kia web portal that let them track millions of
cars, unlock doors, and start engines at will -- the latest in a plague of
web bugs that's affected a dozen carmakers. [...]

https://www.wired.com/story/kia-web-vulnerability-vehicle-hack-track/ -or-
https://archive.ph/itwuF#selection-627.0-627.192

------------------------------

Date: Wed, 2 Oct 2024 11:32:50 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Website Bug Allowed Kia Vehicles to Be Hacked, Tracked
(Andy Greenberg)

Andy Greenberg, *WiReD*, 27 Sep 2024

Independent security researchers identified a vulnerability in the back end
of a Kia Web portal for customers and dealers that could allow a hacker to
redirect control of Internet-connected features of most Kia models from the
car owner's smartphone to the hacker. A custom app built by the researchers
allowed them to leverage that flaw. Shortly after the researchers reported
the issue, Kia made a change to its Web portal API that appeared to block
the technique.

------------------------------

Date: Wed, 16 Oct 2024 17:11:50 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Tesla driver killed in solo crash

Local news on Monday morning reported a Tesla driver in Fremont (SF East
Bay) driving close to 100 mph demolishing himself and the vehicle.

FREMONT, Calif. (KGO) -- The driver of a Tesla died after witnesses say the
car appeared to lose control, crashing into an apartment building in Fremont
Monday evening. Fremont Fire Dept. Acting Battalion Chief Dan Brunicardi
said the car went through the first floor, which is vacant.

The driver has been identified as 46-year-old Kamleshkumar J. Patel, from
Fremont. Fremont police said fire crews responded at 5:47 p.m. from the
building," Brunicardi said.

MORE: Tesla crashes into back of San Mateo home, police say

Brunicardi said smoke reached the upper floors of the building so everyone
was evacuated.

Tom Vo lives on the fifth floor and said the building shook on impact. Once
he heard the fire alarm, he grabbed his cat Katzu. "My window is wide open,
I heard this loud screech right before that I basically like -- that person
or whoever was happening they were hitting the object before they went into
that building, and pretty much I heard a loud explosion, I literally thought
it was a bomb," Vo said.

Fremont police confirmed no one else was in the car.

MORE: Orinda home gets crashed into for 2nd time in 2 years

Debra Martin lives in a nearby building. She said the driver nearly hit her
as she was driving back from the grocery store. "He was going fast I would
say like 100 miles an hour - it was fast," Martin said.

------------------------------

Date: Fri, 11 Oct 2024 10:19:19 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Tesla Cybertruck -- too big and sharp for European roads, say
campaigners (The Guardian)

Tesla’s Cybertruck is too big and sharp for European roads, transport
campaigners have warned, as questions are raised about the registration of
one of the first of the electric pickup trucks to hit the continent.

There had been confusion about whether the Cybertruck could be driven in
Europe, owing to strict road safety rules that ban sharp edges and require
speed limiters on vehicles that weigh more than 3.5 tonnes when
full. Tesla’s manual lists the angular steel vehicle as having a gross
vehicle weight of 4 tonnes. (The equivalent of a standard family car, such
as a Ford Focus, is 1.9 tonnes.)

A handful of Cybertrucks have already been spotted on European streets this
year, causing safety fears among campaigners. In a letter to the European
Commission and to authorities in the Czech Republic, where the registration
of one Cybertruck has raised questions about the rules, campaign groups
called for Cybertrucks registered in the EU to be removed from public roads.
[...]

https://www.theguardian.com/technology/2024/oct/08/tesla-cybertruck-too-big-and-sharp-for-european-roads-say-campaigners

------------------------------

Date: Tue, 08 Oct 2024 23:30:27 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Are taxis safer with no driver? These women think
so (nbcnews.com)

https://www.nbcnews.com/tech/innovation/are-taxis-safer-no-driver-women-think-rcna173936

"Some women say they prefer taking driverless taxis because they don't have
to deal with safety concerns they have about human drivers."

A risk of risk choice. Risk prioritization or perception.

[And they'd better check that there is no creep hiding in the car? PGN]

------------------------------

Date: Thu, 3 Oct 2024 09:09:04 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: South China Sea tensions and undersea cables
(Washington Report)

Undersea cables below the South China Sea have long provided vital
connectivity to countries in Southeast Asia as demand for Internet service
has surged.

To maintain the extensive network of cables and develop new ones, private
cable companies have for decades relied on being able to move freely through
this waterway, despite conflicting claims over the sea by China and a half
dozen other governments.

But now, competition for control of the South China Sea is disrupting the
repair and badly needed construction of subsea cables, raising costs and at
times straining telecommunications, according to interviews with more than
30 people in the subsea cable industry and unpublished industry data.

https://www.washingtonpost.com/world/2024/10/03/south-china-sea-underwater-cables/

[How about remote-controlled robots? Also, the Navy has used trained
seals before for certain missions, but maintenance of undersea cables is
probably above their pay grade. PGN]

------------------------------

Date: Thu, 3 Oct 2024 06:42:30 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Starlink satellites create light pollution and disrupt
radio frequencies. And it's getting worse (CBC)

https://www.cbc.ca/news/science/spacex-starlinks-astronomy-1.7334803

Look up at the night sky from a city -- where most people live -- and you'll
see just a smattering of stars. Perhaps even an airplane or two.

But drive further out, past the glare of lights from houses, cars, office
buildings and street lamps, and the stars reveal themselves in a way that
few have truly seen.

Now, it seems the night sky is under attack not only from below, but from
above, thanks to the rapid proliferation of satellites, mainly
megaconstellations, which can contain hundreds or thousands of satellites.
And leading the charge is SpaceX.

------------------------------

Date: Fri, 4 Oct 2024 17:35:47 -0400
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Subject: I-XRAY: The AI Glasses That Reveal Anyone's
Personal Details Just from Looking at Them (The Globe)

.... (Home Address, Name, Phone Number, and More)

A pair of Harvard undergraduates have come up with a disturbing new way to
invade people's privacy: an artificial intelligence tool that can reveal a
stranger's name, address, and other sensitive information just by taking a
picture of them.

By combining AI with smart eyeglasses and commonly used online databases,
Harvard juniors AnhPhu Nguyen and Caine Ardayfio developed a fast, simple
tool called I-XRAY that could potentially allow law enforcement agents,
cyber criminals, or just a guy at the bar to obtain anybody's vital
information in just over a minute by capturing an image of their face.

``You could just theoretically identify anybody on the street,'' said
Nguyen, an engineering student majoring in human augmentation. ``It's a huge
security issue.''

https://www.bostonglobe.com/2024/10/04/business/harvard-students-ai-meta-glasses/
https://docs.google.com/document/d/1iWCqmaOUKhKjcKSktIwC3NNANoFP7vPsRvcbOIup_BA/edit

------------------------------

Date: Sat, 5 Oct 2024 07:53:01 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: How to Opt Out of AI Online

You can’t opt out [...] But you can set some controls on your privacy.

Last week, like the Jews of Exodus painting blood on their lintels, hundreds
of thousands of Instagram users posted a block of text to their accounts
hoping to avoid the plague of artificial intelligence online. “Goodbye Meta
AI,” the message began, referring to Facebook’s parent company, and
continued, “I do not give Meta or anyone else permission to use any of my
personal data, profile information or photos.” Friends of mine posted it;
artists I follow posted it; Tom Brady posted it. In their eagerness to
combat the encroachment of AI, all of them seemed to overlook the fact that
merely sharing a meme would do nothing to change their legal rights
vis-à-vis Meta or any other tech platform.

It is, in fact, possible to prevent Meta from training its AI models on your
personal data. [...]

https://www.newyorker.com/culture/infinite-scroll/how-to-opt-out-of-ai-online

------------------------------

Date: Mon, 30 Sep 2024 11:30:04 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: California Governor Vetoes AI Safety Bill (Politico)

Lara Korte and Jeremy B. White, *Politico*, 29 Sep 2024, via ACM TechNews

California Governor Gavin Newsom vetoed a state measure that would have
imposed safety vetting requirements for powerful AI models. Newsom said the
legislation "does not take into account whether an AI system is deployed in
high-risk environments, involves critical decision-making, or the use of
sensitive data." He said of the bill, "I do not believe this is the best
approach to protecting the public from real threats posed by the
technology."

------------------------------

Date: Mon, 30 Sep 2024 11:30:04 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: AI Crawlers Are Hammering Sites (Chris Stokel-Walker)

Chris Stokel-Walker, *Fast Company*, 26 Sep 2024, via ACM TechNews

Some websites are being hit with so many queries from AI crawlers that their
performance is impacted. iFixit recently reported close to a million queries
in just over 24 hours, which it attributed to a crawler from Anthropic. Game
UI Database said its website almost came to a halt due to a crawler from
OpenAI hitting it around 200 times a second. Said iFixit's Kyle Wiens,
"There are polite levels of crawling, and this superseded that threshold."

------------------------------

Date: Thu, 10 Oct 2024 14:54:43 +0000
From: Douglas Lucas <dal@riseup.net>
Subject: Kamala Harris, AI, and the Bletchley Park ghost

In late September at a fundraiser, Kamala Harris spoke about
collaborating with industry and other stakeholders on AI and
"encourag[ing] innovative technologies like AI and digital assets." This
echoed her high-profile Bletchley Park speech in 2023 at the inaugural
global AI summit, where she touted a non-binding voluntary agreement
between industry and other key players to promote AI safety. But while
the Biden-Harris administration efforts she touted in the 2023 speech
included warnings about algorithmic bias, neither Harris speech (as far
as reported) mentioned Alan Turing, who of course gave the first public
lecture on AI shortly after his time code-cracking at Bletchley Park,
and who of course fell victim to bigotry. In a blog post, I explain all
this, and how the preference for happyspeak and pols-journos using "AI"
as a buzzword might be remediated somewhat if we maybe brought up more
often the tragic story of one of its forefathers as a way to discuss
what the buzzword actually means (how Turing defined AI) and how it can
cause problems (bias drove Turing to suicide but AI puts the same sorts
of bias on steroids). Harris did mention problems with AI of course but
the emphasis has been on fundraising, happyspeak, etc., and it is a bit
eerie to see world leaders in 2023 discussing AI's emergence at the same
location where the 1940s originated Five Eyes and the current world
order of spy agencies and so on.

https://douglaslucas.com/blog/2024/09/24/kamala-harris-ai-best-bletchley-park-ghost/

------------------------------

Date: Tue, 15 Oct 2024 21:10:51 -0400
From: dan@geer.org
Subject: Steganographic covert channel (Dan Goodin)

A quirk in the Unicode standard harbors an ideal steganographic code
channel. -- Dan Goodin

https://arstechnica.com/security/2024/10/ai-chatbots-can-read-and-write-invisible-text-creating-an-ideal-covert-channel/

------------------------------

Date: Thu, 17 Oct 2024 12:01:12 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Intel is a security risk for China, says influential
industry group (cnn.com)

https://lite.cnn.com/2024/10/16/tech/china-intel-security-review-intl-hnk/index.html

In silicon we do not trust.

------------------------------

Date: Thu, 17 Oct 2024 10:54:54 -0400
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: K8S Image Builder, CVE-2024-9486 (The Register)

https://www.theregister.com/2024/10/16/critical_kubernetes_image_builder_bug

During image assembly, some targets use default credentials and are not
cleaning up after themselves.
Proxmox, Nutanix, OVA, and Qemu are noted but have slightly different
impacts due to specifics about those platforms.
c.f. CVE-2024-9594

https://github.com/kubernetes-sigs/image-builder
This is the impacted tool, which appears to be part of the official K8S
project at a glance, but it is not. It is a community project run by a
subgroup of another community project.

As noted the sponsor project is
https://github.com/kubernetes/community/blob/master/sig-cluster-lifecycle/README.md

My summary of this issue is:
Who is this image builder for?
Is there a company out there with a large VM deployment which doesn't
already have tooling for repeatable image creation?
Why does this tool use ansible as an intermediary tool rather than just
providing ansible run scripts?
Also, after looking at the documentation, this project is security toxic
and I would not let it anywhere near my build infrastructure.

Second page of the welcome docs:
https://image-builder.sigs.k8s.io/capi/capi

Loading additional components using additional_components.json
{ [...]
"additional_s3": "true",
"additional_s3_endpoint": "https://path-to-s3-endpoint",
"additional_s3_access": "S3_ACCESS_KEY",
"additional_s3_secret": "S3_SECRET_KEY",
"additional_s3_bucket

Is that a disk backed unencrypted secret? Yes.
Don't do that.
Ansible has ansible-vault for secret encryption.

I'm glad it got a CVE, but overall this doesn't seem to be any more than
someone's hobby horse on fire.

------------------------------

Date: Sat, 5 Oct 2024 06:24:29 -0400
From: Matt Blaze <mab@mattblaze.org>
Subject: WSJ reports China compromised U.S. lawful access systems

https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b

------------------------------

Date: Sun, 13 Oct 2024 22:35:04 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Calgary Public Library locations remain closed after
cyberattack (CBC)

https://www.cbc.ca/news/canada/calgary/calgary-public-library-cyberattack-closed-saturday-1.7351306

All Calgary Public Library locations remain closed Saturday after a
cybersecurity breach compromised at least some of its systems. The library
shut down all of its physical locations Friday at 5 p.m. as a proactive
measure to mitigate the potential impact of the hack, a spokesperson said.

On Sunday morning, a spokesperson told CBC News there was no update on the
status of the hack. Tom Keenan, a professor in the School of Architecture,
Planning and Landscape at the University of Calgary, told CBC News public
institutions such as libraries are a logical target for cybercriminals.
"Almost everybody has a library card, it's free in Calgary, so there's a big
database of people they can get," Keenan said. "And think about it. When
you got your library card, what did you tell them? Your name, maybe your
address, your email address. So there's a rich amount of data there and the
bad guys go looking for things like that."

[Logical? It's easier than burning books, or taking them out with forged
library cards and never returning them, but ransomware can be discouraged
by daily backups, and there is certainly not much of an immediate
financial incentive. Perhaps perpetrated by jealous people who have
reading problems or who resent people who love to read books? PGN]

------------------------------

Date: Thu, 17 Oct 2024 06:38:53 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Parents sue son's high-school history teacher (NBC News)

The lawsuit, filed in Massachusetts district court, said the student didn't
break any rules and is now at a disadvantage in the college application
process.

https://www.nbcnews.com/tech/tech-news/ai-paper-write-cheating-lawsuit-massachusetts-help-rcna175669

------------------------------

Date: Mon, 30 Sep 2024 13:00:57 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: Dynamic pricing unpopular (BBC)

Oasis ditch dynamic ticket pricing for U.S. gigs
https://bbc.com/news/articles/cj04y6y0316o

A risk is that eventually profit maximizing comes to be viewed as fleecing.

------------------------------

Date: Mon, 30 Sep 2024 14:54:17 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Earth has overshot key planetary boundaries, scientists warn
(Hastings Tribune)

Human activity is imperiling eight of the planet's critical life-support
systems, and seven of them have already passed into a danger zone, according
to a massive review of Earth science conducted jointly by more than 60
researchers and published Wednesday in The Lancet Planetary Health.

Looking at necessities of a livable Earth -- including the climate,
freshwater systems, biodiversity and soil nutrients -- the researchers find
almost all have crossed crucial thresholds. The only global system yet to
breach safe limits is aerosols, even as small-particle air pollution
contributes to 8 million deaths a year.

The new paper updates a scientific project that began in 2009 to assess
planetary boundaries (since renamed Earth-system boundaries) and how
transgressing them will pose risks to human society and nature around the
world.

Researchers assessed each of these systems on two factors. One was safety,
or how long until the system may no longer perform in the way people have
relied on it to. The other was justice, or ``the risk of significant harm''
to people alive today and those not yet born. [...]
https://www.hastingstribune.com/earth-has-overshot-key-planetary-boundaries-scientists-warn/article_8b152ff4-70ac-11ef-9393-e7e4904ed367.html

------------------------------

Date: Wed, 16 Oct 2024 11:12:43 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: China Is Writing World's Technology Rules (The Economist)

The Economist, 10 Oct 2024

China has been increasingly assertive in the technology standard-setting
process. Last month for example, the International Telecommunication Union
approved three new technical standards that will be embedded in
sixth-generation (6G) mobile technology, all developed by the Chinese
Academy of Sciences and China Telecom. Unlike the West, which has tended to
defer to private companies and industry associations in the standard-setting
process, China's approach is led by its government.

------------------------------

From: Ted Bridis <tbridis@gmail.com>
Date: Mon, 14 Oct 2024 21:45:08 -0400
Subject: Mystery Drones Swarmed a U.S. Military Base for 17 Days. The
Pentagon Is Stumped. (WSJ)

https://www.wsj.com/politics/national-security/drones-military-pentagon-defense-331871f4

------------------------------

Date: Wed, 16 Oct 2024 10:58:49 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Spotify criticized for letting fake albums appear on real artist
pages (ArsTechnica)

Real bands struggle to remove fake albums from their Spotify pages.

https://arstechnica.com/tech-policy/2024/10/spotify-criticized-for-letting-fake-albums-appear-on-real-artist-pages/

(I know fraud is nothing new under the sun, but this qualifies as a RISK
because the article says "generative AI makes streaming music fraud easier
than ever.")

------------------------------

Date: Wed, 16 Oct 2024 11:55:48 +0000 (UTC)
From: Pivot 5 <daily@pivot5.ai>
Subject: *The New York Times* tells *Perplexity* to stop using its
content (Pivot5)

http://pivot5.ai

------------------------------

Date: Wed, 16 Oct 2024 05:14:22 -0700
From: Rob Slade <rslade@gmail.com>
Subject: Complete, free CISSP review seminar

OK, it's all done. As of 20241016, all of the CISSP review seminar
materials are recorded and posted. It's kind of bizarre to think that it
has taken more than a year and a half, and roughly 450 individual video
clips (probably comprising approximately sixty total hours of video). As
the CISSP is a very decent overview of the entire field, it is also a good
introduction to information security, whether you intend to get certified or
not.

The complete set is available on any or all of:
https://youtube.com/@TheRslade
https://youtube.com/user/TheRslade
(playlist at
https://www.youtube.com/playlist?list=PLUuvftvRsRv7D5PiHIULhhd9M032ej4_i )
https://www.tiktok.com/@robertmslade/
https://www.facebook.com/rslade/
https://ca.linkedin.com/in/rslade and
https://www.instagram.com/robertmslade/

Details, references, and pointers to sample questions are posted at
https://fibrecookery.blogspot.com/2023/02/cissp-seminar-free.html
This completion notice is at
https://fibrecookery.blogspot.com/2024/10/complete-free-cissp-review-seminar.html

I have to say that, as a social media experiment, so far it has indicated
that social media is the absolutely *worst* platform for education, at least
from the instructor's viewpoint. I have, in more than a year and a half,
had precisely *one* question about any of the material. Either I have
delivered everything perfectly (a consummation devoutly to be wished, but
unlikely in the *extreme*), or social media users are massively passive, and
can't be bothered thinking about what they are consuming (given what I've
seen in my forty-plus years on the net, much *MUCH* more probable).

I hope it is of use to you or your colleagues. It is now available, for
free, as instruction or reference, so long as any of the five platforms
above continue to exist and provide content. It is my sincerest wish that
it is helpful to those genuinely wishing to join our information security
profession, and support the productive use of technology as a whole.

------------------------------

Date: Wed, 9 Oct 2024 06:54:01 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: DoJ vs. Google: Users have the most to lose

Despite my ongoing concerns over various of the directions that
current management has been taking Google over recent years, I must
state that I agree with Google that the kinds of radical antitrust
"remedies" -- and "radical" is the appropriate word -- apparently
being contemplated by DoJ, would almost certainly be a disaster for
ordinary users' privacy, security, and overall ability to interact
with many aspects of related technologies that they depend on every
day.

These systems are difficult enough to keep reasonably user friendly and
secure as it is -- and they certainly should continue to be improved in
those areas. But what DOJ is reportedly considering would be an enormous
step backwards and consumers would be the ultimate victims of such an
approach.

------------------------------

Date: Wed, 9 Oct 2024 07:36:00 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Kremlin refutes Trump denial on sending Putin COVID tests

These were rare COVID test machines, not the little test kits! -L
https://www.axios.com/2024/10/09/trump-putin-covid-testing-equipment-kremlin

------------------------------

Date: Thu, 17 Oct 2024 07:57:43 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: NBC's former marketing chief: We Created a Monster:
Trump Was a TV Fantasy Invented for 'The Apprentice' (USNews)

https://www.usnews.com/opinion/articles/2024-10-16/we-created-a-tv-illusion-for-the-apprentice-but-the-real-trump-threatens-america

Too little, too late, John. -L

------------------------------

Date: Mon, 14 Oct 2024 13:20:43 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Suspect arrested after reports of threats toward FEMA operations in
North Carolina (CNN)

https://www.cnn.com/2024/10/14/us/fema-helene-north-carolina-reported-threats/index.html

------------------------------

Date: Mon, 14 Oct 2024 14:28:28 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Understanding the Limitations of Mathematical Reasoning in Large
Language Models (arxiv)

https://arxiv.org/pdf/2410.05229

------------------------------

Date: Tue, 1 Oct 2024 16:22:05 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: Why Restoring Power After Helene Is Complicated
(Brad Plumer)

https://www.nytimes.com/2024/10/01/climate/helene-hurricane-power-carolinas.html

Damage went beyond downed power lines. Hundreds of substations went out
after the storm. Getting them back online is difficult.

[The California Crestline snowstorm earlier this year had a gas meter
that was broken off when a balcony collapsed from the weight. Restoring
power before fixing that was just one more such risk. PGN]

------------------------------

Date: Tue, 8 Oct 2024 11:28:33 -0700
From: Rob Slade <rslade@gmail.com>
Subject: Rob's usual disaster season call for emergency management
training

I have been remiss. Generally, whenever there is a disaster, I remind all
of you, my colleagues, to sign up with your local emergency management and
disaster relief organizations as volunteers.

Here in BC, it's easy. You go to the municipal government, ask who is the
local director of emergency support services, and sign up. You get put
through four online courses from the Justice Institute, and you're part of
the crew. Most of the rest of Canada is going to be similar.

In other countries, you are possibly going to have to chase down local
offices of the Red Cross, St. John Ambulance, or Salvation Army. There may
be other groups as well. All of them have training (and it counts for CPEs
under BCP).

Get trained, become better at BCP, and, when disaster hits, be part of the
solution (rather than part of the problem).

------------------------------

Date: Sat, 5 Oct 2024 17:38:12 -0700
From: Rik Farrow <rik@rikfarrow.com>
Subject: Re: More than 1,000 people, including Hezbollah members, wounded in
Lebanon after pagers detonate (CBC, RISKS-34.46)

*The Washington Post* has an article describing how the pagers and
walkie-talkies were designed by Mossad, and assembled in Israel with
explosives included in their batteries:

As it turned out, the actual production of the devices was outsourced and
the marketing official had no knowledge of the operation and was unaware
that the pagers were physically assembled in Israel under Mossad oversight,
officials said. Mossad's pagers, each weighing less than three ounces,
included a unique feature: a battery pack that concealed a tiny amount of a
powerful explosive, according to the officials familiar with the plot.

In a feat of engineering, the bomb component was so carefully hidden as to
be virtually undetectable, even if the device was taken apart, the
officials said. Israeli officials believe that Hezbollah did disassemble
some of the pagers and may have even X-rayed them.

https://www.washingtonpost.com/world/2024/10/05/israel-mossad-hezbollah-pagers-nasrallah/

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.47
************************
