RISKS-LIST: Risks-Forum Digest Sunday 26 Jan 2025 Volume 34 : Issue 53
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.53>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Fraud Has Delayed a Cure for Alzheimer's (Charles Piller)
Strengthening and Promoting Innovation in the Nation's Cybersecurity
(Uncle Sam)
White House Disbands Cyber Safety Review Board (John Leyden)
Executive Order Calls for AI 'Free from Ideological Bias (AP)
The Trump Memecoin's Money-Grab's Economics (WiReD)
New AI tool counters health insurance denials decided by automated
algorithms (U.S. healthcare in The Guardian)
Will we control AI, or will it control us? Top researchers
weigh in? (CBC)
The Pentagon says AI is speeding up its 'kill chain' (Techcrunch)
Arrested by AI: Police ignore standards after facial recognition matches
(WashPost)
CIA's Chatbot Stands In for World Leaders (NY TImes)
Microsoft research finds Microsoft AI products may never be secure
(Pivot to AI)
The impeccable logic of Sam Altman (Gary Marcus)
AI in medicine (Jim Geissman)
Signature moves: are we losing the ability to write by hand?
(The Guardian)
How a Troubled Icebreaker Became America's Newest Military Vessel
(ProPublica)
MasterCard DNS Error Went Unnoticed for Years (Krebs on Security)
Research Uncovers Major Vulnerability in Wireless Networking
Technology (Cesareo Contreras)
Los Angeles County's evacuation alert system broke down during
fires. It's part of a larger problem (LA Times)
After safety alert glitches, county overhauls system (LA Times)
Fake radiation reports... (Kim Zetter via danny burstein)
Traffic jams? Study reveals ants' secrets to smooth traffic flow (PHYS.ORG)
Man Loses Bid to Recover Hard Drive Containing Bitcoin Key (ArsTechnica)
UK Judge Ends One Man's 11-Year Quest to Recover $765 Million in Bitcoin by
Digging Up a Landfill (WiReD)
Rsync CVE-2024-12084 (Debian)
AHHHHHH TPM2 BROKE LUKS!!! (Cliff Kilby)
Re: A non-tech analogy for Google Search AI Overviews
(Steve Bacher)
Re: LA Sheriff outage (Steve Bacher)
Re: Eutelsat resolves OneWeb leap-year software glitch after two-day outage
(Steve Bacher)
Re: Tech allows Big Auto to evolve into Big Brother (Martin Ward)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sun, 26 Jan 2025 11:47:00 PST
From: Peter Neumann <neumann@csl.sri.com>
Subject: Fraud Has Delayed a Cure for Alzheimer's
(Charles Piller)
Charles Piller, *The New York Times*, Sunday Opinion,
26 Jan 2025
Research into a disease that affects millions of Americans
has been rife with deception.
If the institutional authorities fail to act, skeptics of science itself,
most likely including those inside the Trump administration, surely will. Almost certainly, an ensuing overkill would describe ambiguity or innocent human error as fraud and eschew the thoughtful respect and due process
needed to preserve what remains vital and true in neuroscience. That would enforce a new calamity on everyone who wants to grow old.
[This appears to be an ideal opportunity for radically rethinking
what might be possible. Alzheimer's would be a wonderful target to
jump-start that quest. I would add that evidence-based neuroscience
is desperately needed to surmount the overuse of generic
chemotherapy for cancer, when research in this country and elsewhere
is showing an extraordinary potential for genetically oriented
approaches for treatment and perhaps even prevention of cancer and
other neurologically linked problems. PGN]
------------------------------
Date: Mon, 20 Jan 2025 06:20:30 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Strengthening and Promoting Innovation in the Nation's Cybersecurity
(Uncle Sam)
https://www.federalregister.gov/documents/2025/01/17/2025-01470/strengthening-and-promoting-innovation-in-the-nations-cybersecurity
For a coffee cup version of this comprehensive executive order, see:
https://www.whitehouse.gov/briefing-room/statements-releases/2025/01/15/fact-sheet-new-executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/
With the PRC's Salt Typhoon, and numerous other state and rogue hackers, infiltration and subsequent exfiltration of sensitive information from US government infrastructure -- for Nth time, the outgoing Biden Administration threw the gauntlet at the technology industrial complex's cosmetically voluntary and wholly ineffective effort to harden cybersecurity practices.
In a nutshell, the U.S. government won't buy off-the-shelf software stacks
or services unless the manufacturer/supplier demonstrates irrefutable proof
-- attestation -- of Federal cybersecurity regulatory compliance. "Just
trust us" won't fly any longer. "Trust but verify" lives, with a vengeance
via procurement regulations on steroids.
The EO regulations require in-house adoption and audit of NIST 800-53 and
other 'modest' process disciplines before foisting the next software toxic waste dump into the government's supply chain.
[US$5 says the EO is repealed by the incoming administration -- too
expense for business to comply.]
[Also noted by Gabe Goldberg:
https://www.wired.com/story/the-fccs-jessica-rosenworcel-isnt-leaving-without-a-fight/
PGN]
------------------------------
Date: Fri, 24 Jan 2025 11:12:51 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: White House Disbands Cyber Safety Review Board
(John Leyden)
John Leyden, CSO, 22 Jan 2025
The Trump administration has dismissed all members of the Cyber Safety
Review Board (CSRB), including those investigating the China-linked
hacking group Salt Typhoon. The CSRB was established through an
executive order by the previous administration and tasked with
reviewing major cyber-incidents affecting the U.S. government.
------------------------------
Date: Fri, 24 Jan 2025 11:12:51 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Executive Order Calls for AI 'Free from Ideological Bias (CNVC)
Matt O'Brien and Sarah Parvini, Associated Press, 23 Jan 2025
President Trump on Thursday signed an executive order revoking past
government policies on AI that "act as barriers to American AI
innovation." To maintain global leadership, "We must develop AI
systems that are free from ideological bias or engineered social
agendas," the order states. While the order does not specify which
policies are hindering AI development, it calls for a review of "all
policies, directives, regulations, orders, and other actions taken" as
a result of the former administration's AI executive order.
------------------------------
Date: Wed, 22 Jan 2025 02:37:23 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: The Trump Memecoin's Money-Grab's Economics
(WiReD)
When he launched his own cryptocurrency, Donald Trump produced unimaginable wealth from thin air. But it will come at a cost to someone.
Late Friday evening, three days before his return to the Oval Office, Donald Trump performed an act of crypto alchemy. Pretty much all it took was a few strokes of the keyboard. “My NEW Official Trump Meme is HERE!” the incoming U.S. president wrote in a Truth Social post. “It’s time to celebrate everything we stand for: WINNING!”
The post marked the launch of Trump’s very own memecoin—a type of joke cryptocurrency that typically has no purpose beyond financial speculation, whose value tends to whipsaw dramatically with changes in public sentiment.
The price of the TRUMP memecoin began to hare upwards almost immediately, despite speculation that Trump’s account had been hacked. By the following day, the coins released into circulation -- 20 percent of the total supply
-- were valued at $14 billion.
https://www.wired.com/story/the-trump-memecoins-money-grab-economics/
[Matthew Kruk had this comment on Trump launches cryptocurrency with price
rocketing:
https://www.bbc.com/news/articles/c9vmym2jvy9o
"It included a disclaimer noting the coin is "not intended to be, or the
subject of" an investment opportunity or a security and was "not political
and has nothing to do with" any political campaign, political office or
government agency."
Translation: Scam [?]
PGN]
------------------------------
Date: Sat, 25 Jan 2025 11:53:04 -0800
From: Jim Geissman <jgeissman@socal.rr.com>
Subject: New AI tool counters health insurance denials decided
by automated algorithms (U.S. healthcare, The Guardian)
Some patients and companies have developed AI tools to appeal denials in a
battle of the bots
<https://www.hfma.org/revenue-cycle/denials-management/health-systems-start-to-fight-back-against-ai-powered-robots-driving-denial-rates-higher/>
Companies have launched new generative AI tools to help hospitals
<https://www.cnbc.com/2025/01/13/health-waystar-generative-ai-new-tool-will-help-fight-health-insurance-denials.html>
and patients <https://www.getclaimable.com/> draft appeal letters, while one
open-source large language model developed by an engineer promises to help
patients Fight Health Insurance. <https://fighthealthinsurance.com/>
https://www.theguardian.com/us-news/2025/jan/25/health-insurers-ai
[Having sent that, let me qualify it, so it doesn't sound like the AI did
all the medicine.]
------------------------------
Date: Sat, 11 Jan 2025 12:56:32 -0700
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Will we control AI, or will it control us? Top researchers
weigh in? (CBC)
https://www.cbc.ca/news/science/artificial-intelligence-predictions-1.7427024
Imagine this: you're gently awoken by the dulcet tones of your personal assistant just as you're nearing the end of your final sleep cycle.
A disembodied voice informs you of the emails you missed overnight and how
they were responded to in your absence. The same voice lets you know rain
is expected this morning and recommends you don your trenchcoat
before leaving the house. As your car drives you to the office, your
wristwatch announces that lunch from your local steak house has been
preordered for delivery since your iron levels have been a little low
lately.
Having all your needs anticipated and met before you've even had the chance
to realize them yourself is one of the potentials of advanced artificial intelligence. Some of Canada's top AI researchers believe it could create a utopia for humankind -- if AI doesn't eradicate our species first.
------------------------------
Date: Tue, 21 Jan 2025 06:21:54 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: The Pentagon says AI is speeding up its 'kill chain'
(Techcrunch)
Leading AI developers, such as OpenAI and Anthropic, are threading a
delicate needle to sell software to the United States military: make the Pentagon more efficient, without letting their AI kill people.
https://techcrunch.com/2025/01/19/the-pentagon-says-ai-is-speeding-up-its-kill-chain
------------------------------
Date: Tue, 14 Jan 2025 08:13:18 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Arrested by AI: Police ignore standards after
facial recognition matches (WashPost)
After two men brutally assaulted a security guard on a desolate train
platform on the outskirts of St. Louis, county transit police detective
Matthew Shute struggled to identify the culprits. He studied grainy surveillance videos, canvassed homeless shelters and repeatedly called the victim of the attack, who said he remembered almost nothing because of a
brain injury from the beating.
Months later, they tried one more option.
Shute uploaded a still image from the blurry video of the incident to a
facial recognition program, which uses artificial intelligence to scour the
mug shots of hundreds of thousands of people arrested in the St. Louis
area. Despite the poor quality of the image, the software spat out the
names and photos of several people deemed to resemble one of the attackers, whose face was hooded by a winter coat and partially obscured by a surgical mask.
Though the city's facial recognition policy warns officers that the
results of the technology are nonscientific and
should not be used as the sole basis for any decision, Shute proceeded to build a case against one of the AI-generated results:
Christopher Gatlin, a 29-year-old father of four who had no apparent ties to the crime scene nor a history of violent offenses, as Shute would later acknowledge. [...]
https://www.msn.com/en-us/news/us/arrested-by-ai-police-ignore-standards-after-facial-recognition-matches/ar-BB1rnOai
------------------------------
Date: Sun, 19 Jan 2025 09:13:57 -0500
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Subject: CIA's Chatbot Stands In for World Leaders
(NY TImes)
Understanding leaders around the world is one of the CIA's most important
jobs. Teams of analysts comb through intelligence collected by spies and publicly available information to create profiles of leaders that can
predict behaviors.
A chatbot powered by artificial intelligence now helps do that work.
Over the last two years, the Central Intelligence Agency has developed a
tool that allows analysts to talk to virtual versions of foreign presidents
and prime ministers, who answer back.
<https://www.nytimes.com/2025/01/18/us/politics/cia-chatbot-technology.html>
[That is really speCIAl. PGN]
------------------------------
Date: Fri, 17 Jan 2025 13:45:01 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Microsoft research finds Microsoft AI products
may never be secure (Pivot to AI)
Microsoft CEO Satya Nadella is going all-in on AI. Earlier this week, he announced that the company’s developer division (which makes developer tools and compilers) has been folded into a new unit called CoreAI. “Thirty years of change is being compressed into three years!” [Microsoft]
Unfortunately, generative confabulation machines remain difficult to secure against data leaks. Microsoft already has problems with Copilot Studio
leaking enterprise data and Recall storing sensitive data.
Is there hope? Twenty-six Microsoft AI Red Team researchers tested more than 100 Microsoft AI products. Their verdict? Probably not. [arXiv; Register]
In their paper “Lessons from red-teaming 100 generative AI products,” the authors conclude that simple attacks work best — you don’t need to break out
the computer science:
https://pivot-to-ai.com/2025/01/17/microsoft-research-finds-microsoft-ai-products-may-never-be-secure/
[Last Pivot-to-AI I'll forward -- worth subscribing/supporting.]
------------------------------
Date: Sat, 11 Jan 2025 20:08:39 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: The impeccable logic of Sam Altman (Gary Marcus)
[Sam Altman] can simultaneously think that these risks are real and also believe that the only way to appropriately address them is to ship product
and learn.
https://garymarcus.substack.com/p/the-impeccable-logic-of-sam-altman
Works for Boeing, why not.
------------------------------
Date: Tue, 21 Jan 2025 18:57:20 -0800
From: "Jim" <jgeissman@socal.rr.com>
Subject: AI in medicine (Jim Geissman)
I just had my annual physical. My doc has long been a user of technology, starting long ago to dictate his notes to voice-to-text. I mentioned that
when he started doing that, he would usually spend more time correcting his notes than dictating them, but now he's not doing it at all. He said he has
AI in his phone that is listening to the whole conversation and will make
the notes. At one point I heard him tell his phone "load the annual physical macro". JRG
------------------------------
Date: Fri, 24 Jan 2025 07:07:04 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: Signature moves: are we losing the ability to write by hand?
(The Guardian)
We are far more likely to use our hands to type or swipe than pick up a
pen. But in the process we are in danger of losing cognitive skills, sensory experience –- and a connection to history.
https://www.theguardian.com/news/2025/jan/21/signature-moves-are-we-losing-the-ability-to-write-by-hand
[I suppose we could learn to sign our ``John Footcock'' instead of our
hand-written ``John Hancock''. But grammar schools are not teaching
script writing any more, so fewer people know how to write. Have they
stopped teaching grammar yet? If so, we won't need grammar schools any
more. PGN]
------------------------------
Date: Sat, 25 Jan 2025 15:55:57 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: How a Troubled Icebreaker Became America's Newest Military Vessel
(ProPublica)
This Icebreaker Has Design Problems and a History of Failure. It’s America’s
Latest Military Vessel.
Reporting Highlights
Troubled History: The icebreaker Aiviq was built for oil work in the Arctic
but has design issues. Its maiden voyage to Alaska ended in a rescue at sea
and a Coast Guard investigation.
Influential Donor: The Aiviq’s Louisiana builder has made more than $7 million in political contributions since 2012. For much of that time, Edison Chouest sought to sell or lease the ship.
Wider Problem: The Coast Guard’s $125 million purchase of the Aiviq, made under congressional pressure, follows the service’s failure to get its preferred, $1 billion model built.
https://www.propublica.org/article/aiviq-icebreaker-military-coast-guard
------------------------------
Date: Fri, 24 Jan 2025 06:49:42 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: MasterCard DNS Error Went Unnoticed for Years (Krebs on Security)
The payment card giant MasterCard just fixed a glaring error in its domain
name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.
https://krebsonsecurity.com/2025/01/mastercard-dns-error-went-unnoticed-for-years/
------------------------------
Date: Mon, 13 Jan 2025 12:06:51 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Research Uncovers Major Vulnerability in Wireless Networking
Technology (Cesareo Contreras)
Cesareo Contreras, Northeastern Global News (01/09/25)
A security flaw in the MU-MIMO (multi-user, multiple input, multiple output) setup procedure could allow threat actors to deploy malicious information on
a Wi-Fi network to dramatically slow Internet speeds, according to
Northeastern University researchers. MU-MIMO is a key component of Wi-Fi networks, and Northeastern's Francesco Restuccia said the Wi-Fi standard may need to be updated to address the vulnerability.
------------------------------
Date: Fri, 24 Jan 2025 18:49:15 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: Los Angeles County's evacuation alert system broke down during
fires. It's part of a larger problem (LA Times)
Despite upgrades to wireless alerts system, emergency warnings were often ineffective when most needed during the Los Angeles wildfires. Some were
sent to too many people, some to too few.
https://www.latimes.com/california/story/2025-01-24/california-wildfires-evacuation-alerts-mistakes
------------------------------
Date: Sun, 12 Jan 2025 10:51:26 -0800
From: "Jim" <jgeissman@socal.rr.com>
Subject: After safety alert glitches, county overhauls system (LA Times)
After faulty notifications during the fire emergency alert system in favor of the State's.
http://enewspaper.latimes.com/infinity/article_share.aspx?guid=b4dbf504-a5c6-4f92-8101-1ad41d61e6ec
------------------------------
Date: Wed, 8 Jan 2025 23:02:01 +0000 ()
From: danny burstein <dannyb@panix.com>
Subject: Fake radiation reports... (Kim Zetter)
https://www.zetter-zeroday.com/anatomy-of-a-nuclear-scare/
------------------------------
Date: Mon, 20 Jan 2025 05:52:46 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Traffic jams? Study reveals ants' secrets to smooth traffic flow (PHYS.ORG)
https://phys.org/news/2025-01-traffic-reveals-ants-secrets-smooth.html
"Ants follow pheromone trails marked by a leader ant, and move in platoons
with small gaps and no overtaking," notes Guerrieri.
"This strategy could make human mobility more efficient. Guerrieri says, 'In the future, traffic systems for autonomous vehicles (CAVs) could be inspired
by ant behavior. Just like insects communicate through pheromones, on smart roads, Connected and Automated Vehicles (CAV) could use advanced
communication technologies to communicate with each other and with the road infrastructure management. In this way, they could form coordinated
platoons, moving at high speeds with close spacing across parallel
lanes. This approach could enhance traffic efficiency, improve levels of service, and reduce gas emissions.'"
Ant that CAV right? No, that CAV ant left.
[It's really an ANT-iclimax. But tell it to the German driver going way
over 200 km/hr on the Autobahn. PGN]
------------------------------
Date: Sun, 12 Jan 2025 16:54:16 -0500
From: Charles Dunlop <cdunlop@umich.edu>
Subject: Man Loses Bid to Recover Hard Drive Containing
Bitcoin Key (ArsTechnica)
In 2013 a hard drive belonging to a Wales man was mistakenly discarded,
ending up in a landfill. The drive allegedly contained a key to his
bitcoins now worth $765million. The owner has been trying to get
permission to excavate the landfill in an attempt to recover the drive, but
a judge has just issued a final ruling against him.
https://arstechnica.com/tech-policy/2025/01/judge-ends-mans-11-year-quest-to-dig-up-landfill-and-recover-765m-in-bitcoin/
------------------------------
Date: Wed, 15 Jan 2025 02:08:43 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: UK Judge Ends One Man's 11-Year Quest to
Recover $765 Million in Bitcoin by Digging Up a Landfill (WiReD)
A UK judge ruled against James Howells, who has been trying to get a hard
drive with private keys to a cryptocurrency fortune out of a landfill for
over a decade.
In his drawers he found two hard drives: one was the Hard Drive, and the
other was a blank hard drive that contained no data. He meant to throw out
the blank hard drive, but instead he mistakenly picked up the Hard Drive and put it into one of the black bin-liners. He then left the two bin bags downstairs in his house and asked his partner at the time to take them to
the landfill at the Site the following day after completing the school
run. However, she said that she did not want to take the black bin bags to
the Site and refused to do so. The claimant was not overly concerned at her refusal, because he decided that on the following morning he would check to make sure that he had put the correct hard drive in the bin bags. However,
when he awoke at 9 o'clock the following morning he found that his partner
had had a change of heart and had already taken the bin bags to the Site and manually deposited them into the general waste bins at the Site.
https://www.wired.com/story/bitcoin-landfill-excavation-james-howells-judge-ruling
------------------------------
Date: Wed, 15 Jan 2025 13:13:07 +0000
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: Rsync CVE-2024-12084 (Debian)
As has become the trend in the industry, the vulnerability reports have summaries that ignore the fact that several vendors maintain backports.
https://kb.cert.org/vuls/id/952657 claims the vulnerabilities are in 3.3.0
and below.
https://thehackernews.com/2025/01/google-cloud-researchers-uncover-flaws.html maintains that it was fixed in 3.4.0
https://lists.debian.org/debian-security-announce/2025/msg00004.html
Debian patched it in 3.2.7-1.
If you're auditing vulnerabilities, make sure you check your vendor's
security patch notes before trying to force an upgrade beyond the vendor's version.
------------------------------
Date: Fri, 17 Jan 2025 18:04:20 +0000
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: AHHHHHH TPM2 BROKE LUKS!!!
Calm down, calm down.
Yes. It is a real problem.
https://www.jedi-sec.com/2025/01/17/bypassing-disk-encryption-on-systems-with-automatic-tpm2unlock/
Even if you are selecting all the right PCRs, TPM2 has no idea if the disk
was swapped.
Most tutorials for auto unlock also fail to include all the PCRs because of
a tradeoff for convenience. So if you aren't already using at least PCRs 0-5,7,8,9,14, your machine was vulnerable to other attacks.
MORE:
Given the first article for TPM auto unlock of LUKS for a debian derivative referenced dracut, and there has been no indication of an existing solution
for people who are running non-UEFI kernels, I decided to fix this myself today.
dracut has a pcr-measure module. systemd-pcrphase. There is a lot of
discussion about this, as it was apparently modified and renamed upstream,
so I discounted it as a solution.
Having a non-unified, secure booting OS, that doesn't measure the LUKS
header already from a previous attempt to learn secure boot, I started from there.
My baseline install was based on
https://blog.fernvenue.com/archives/debian-with-luks-and-tpm-auto-decryption/ My PCRs were *not* 0+7, because leaving PCR8 out would allow anyone to
reboot to init=bin/bash.
My initial PCRs after rebooting twice, and checking what was being
measured: 0+1+2+3+4+5+7+8+9+14
I admittedly misunderstood PCR5 to include the LUKS headers. I was wrong
about that, as my previous post indicated.
I was also under the assumption that PCR9 would have changed if the kernel
it was booted to changed. This hasn't been confirmed, so I presume it does
not, or is spoofable.
Given I am now in the state of being impacted, and need to address it in a better way than removing TPM2 unlocking, or replacing the LUKS passphrase
with a TPM2 pin: What to do?
Dracut uses a modular system with built in hooks that allows it to be extensible to do things like find and then unlock a LUKS volume without prompting for a passphrase.
The hooks system has a pre-mount hook, but pre-mount is too late for LUKS,
as the LVM container inside the LUKS volume has already attempted to mount
by this hook. The pre-trigger hook is too early, as the udev rules haven't
run and the LUKS block device is non-existent. Investigating the dracut
crypt module provides no easy hook to intercept, as it is implemented as a
udev rule target. The udev rule in crypt is 70. I need to get into dracut
in udev, before 70. Checking the other modules loaded in this environment,
69 is free, so that's my target.
Using the crypto module from dracut as a template, I create a module-setup,
a parser, and a udev target. The udev target takes the same arguments the crypto module does: /dev/device luks-label.
Now what to measure? Checking the output of cryptsetup, which is already provided by crypto in the dracut environment, I can pull the digest of the keys. The simple method of sending this output to sha256sum is bound to
fail. The luksDump format doesn't have a filter, and the TPM token would be
in the hash. In order for TPM to release the key, I need static data from
the drive that is not dependent on the tokens, only the keyslots. The cryptsetup tool does dump a json format of the data, and jq is already in
this dracut environment. So cryptsetup dumps everything to jq which filters
to the specific element ".digests". This content will only change if the
static keys change, so I can swap tokens as frequently as I need to.
The TPM I have access to knows sha1 and sha256, but tpm-tss is configured
to read from the sha256 banks only. So, jq is piped out to sha256sum, and
the trailing "-" is cut away to give me a sha256 hash that tpm2_pcrextend
will accept. tpm2_pcrextend is already loaded in this dracut environment as
a side effect of enabling tpm-tss.
Eliding the udev guards and the dracut framework, I end up with a udev
target of:
tpm2_pcrextend 15:sha256=`cryptsetup --dump-json-metadata luksDump
"$device" | jq '.digests' | sha256sum | cut -d" " -f1` 2>/dev/null
After regenerating the initramfs, and rebooting twice to ensure the TPM is settled, I can confirm that PCR15 is being populated and is static.
Validating in dracut that the udev rules are working, and PCR15 is
populated before dracut attempts to open it using crypt, I can now change
my cryptsetup enrollment to include bank 15:
systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+1+2+3+4+5+7+8+9+14+15 /dev/device
Mitigation removed, fix in place.
If you have the ability to run a UEFI system, it might be simpler to go
ahead and move to UEFI. If you are stuck on an initrd kernel, TPM auto
unlocking is not a lost cause.
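An added illustration of the measurement described in the post above, not code from the post, from dracut or from cryptsetup: it models the pipeline (LUKS2 JSON metadata, take the ".digests" element, SHA-256 it, extend it into a PCR) on constructed sample metadata so it runs offline, and checks the two properties the post relies on, that re-enrolling a TPM token leaves the PCR value unchanged while a swapped disk with different digests does not. The metadata shape follows `cryptsetup luksDump --dump-json-metadata` but every value is made up, and jq's pretty-printer is approximated with `json.dumps(indent=2)` (an assumption; what matters is that enrollment and boot hash the same bytes).

```python
"""Added example (not from the RISKS post, dracut or cryptsetup): models
hashing the ".digests" section of LUKS2 metadata into a PCR, on constructed
sample metadata, so it runs offline."""
import copy
import hashlib
import json

# Constructed sample in the shape of `cryptsetup luksDump --dump-json-metadata`
# output. All values are placeholders, not real salts, digests or TPM blobs.
SAMPLE_METADATA = {
    "keyslots": {"0": {"type": "luks2", "key_size": 64,
                       "af": {"type": "luks1", "stripes": 4000, "hash": "sha256"},
                       "area": {"type": "raw", "offset": "32768", "size": "258048",
                                "encryption": "aes-xts-plain64", "key_size": 64},
                       "kdf": {"type": "argon2id", "time": 4, "memory": 1048576,
                               "cpus": 4, "salt": "c2FsdC1wbGFjZWhvbGRlcg=="}}},
    "tokens": {"0": {"type": "systemd-tpm2", "keyslots": ["0"],
                     "tpm2-pcrs": [0, 7], "tpm2-blob": "YmxvYi1wbGFjZWhvbGRlcg=="}},
    "segments": {"0": {"type": "crypt", "offset": "16777216", "size": "dynamic",
                       "iv_tweak": "0", "encryption": "aes-xts-plain64", "sector_size": 512}},
    "digests": {"0": {"type": "pbkdf2", "keyslots": ["0"], "segments": ["0"],
                      "hash": "sha256", "iterations": 100000,
                      "salt": "ZGlnZXN0LXNhbHQtcGxhY2Vob2xkZXI=",
                      "digest": "ZGlnZXN0LXBsYWNlaG9sZGVy"}},
    "config": {"json_size": "12288", "keyslots_size": "16744448"},
}


def luks_digest_measurement(metadata: dict) -> str:
    """Model of: cryptsetup ... luksDump | jq '.digests' | sha256sum | cut -d" " -f1.

    Only the ".digests" element is hashed, so tokens (which change on every
    TPM re-enrollment) do not influence the value. Assumption: jq's output is
    approximated with json.dumps(indent=2) plus a trailing newline.
    """
    text = json.dumps(metadata["digests"], indent=2) + "\n"
    return hashlib.sha256(text.encode()).hexdigest()


def pcr_extend(pcr: bytes, measurement_hex: str) -> bytes:
    """TPM2 extend for a SHA-256 bank: PCR_new = SHA256(PCR_old || measurement)."""
    return hashlib.sha256(pcr + bytes.fromhex(measurement_hex)).digest()


def simulate_boot(metadata: dict) -> str:
    """A PCR is all zeros after reset; one extend at the udev hook gives the boot-time value."""
    pcr = bytes(32)
    return pcr_extend(pcr, luks_digest_measurement(metadata)).hex()


def with_new_token(metadata: dict) -> dict:
    """Re-enrollment (e.g. adding PCR 15 to the policy) rewrites only the token."""
    m = copy.deepcopy(metadata)
    m["tokens"]["0"]["tpm2-pcrs"] = [0, 1, 2, 3, 4, 5, 7, 8, 9, 14, 15]
    m["tokens"]["0"]["tpm2-blob"] = "cmVlbnJvbGxlZC1ibG9i"
    return m


def with_swapped_disk(metadata: dict) -> dict:
    """A different LUKS container carries different keyslot digests and salts."""
    m = copy.deepcopy(metadata)
    m["digests"]["0"]["salt"] = "b3RoZXItZGlzay1zYWx0"
    m["digests"]["0"]["digest"] = "b3RoZXItZGlzay1kaWdlc3Q="
    return m


def compare() -> dict:
    """Does each scenario reproduce the PCR value the TPM policy was sealed against?"""
    base = simulate_boot(SAMPLE_METADATA)
    return {
        "same_disk_second_boot": simulate_boot(SAMPLE_METADATA) == base,
        "reenrolled_token": simulate_boot(with_new_token(SAMPLE_METADATA)) == base,
        "swapped_disk": simulate_boot(with_swapped_disk(SAMPLE_METADATA)) == base,
    }


if __name__ == "__main__":
    for scenario, matches in compare().items():
        print(f"{scenario}: PCR15 {'matches' if matches else 'differs'}")
```

Only the first two scenarios should report a match; a swapped container fails the sealed policy, which is the whole point of adding the measurement. On a real system the two hashing paths (the udev rule in the initramfs and whatever you use to verify it after boot) must run the identical command line, since any difference in jq version or formatting changes the bytes being hashed.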
------------------------------
Date: Sun, 12 Jan 2025 09:04:44 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: Re: A non-tech analogy for Google Search AI Overviews
"Some or all of this food may be fine. Some or all of this food may
have a bad taste. Some or all may give you food poisoning. It's up to
you to double check this food before eating it—we take no
responsibility for any ill effects it may have on you."
This is very similar to the notices all over the state of California that
warn customers that some of the items in this location may contain cancer-causing ingredients. Totally complies with local laws and is totally useless at the same time.
------------------------------
Date: Sun, 12 Jan 2025 08:45:43 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: Re: LA Sheriff outage (LA Times, RISKS-34.52)
PGN wrote: "It still smells like a residual Y2K-type poor retrofix."
That's likely, if the fix was to treat 2-digit years less than 25 as being
20xx but values 25 or greater as being 19xx. That kind of fix was common in 1999.
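An added worked example of the retrofit Steve Bacher describes (not code from the post or from any system mentioned in it): a fixed-pivot two-digit-year window of the kind written in 1999, which starts misreading dates on 1 January 2025, beside a sliding window anchored on the current date, on constructed MM/DD/YY strings.

```python
"""Added example (not from the RISKS post): fixed-pivot vs. sliding
two-digit-year windowing, on constructed date strings."""
from datetime import date


def expand_fixed_pivot(yy: int, pivot: int = 25) -> int:
    """1999-style retrofit: yy < pivot is 20yy, yy >= pivot is 19yy.

    Works until the calendar reaches the pivot year, then every new date
    is pushed back a century.
    """
    return 2000 + yy if yy < pivot else 1900 + yy


def expand_sliding_window(yy: int, today: date, span: int = 50) -> int:
    """Interpret yy as the year within [today.year - span, today.year + 99 - span].

    The window moves with the clock, so there is no fixed date on which it
    starts failing (it still cannot represent dates more than a century apart).
    """
    century_start = today.year - today.year % 100
    candidate = century_start + yy
    if candidate > today.year + (99 - span):
        candidate -= 100
    elif candidate < today.year - span:
        candidate += 100
    return candidate


def parse_mmddyy(text: str, expand) -> date:
    """Parse 'MM/DD/YY' using the supplied year-expansion function."""
    mm, dd, yy = (int(part) for part in text.split("/"))
    return date(expand(yy), mm, dd)


def compare_parsers(text: str, today: date) -> dict:
    """Same input string run through both expansions."""
    return {
        "fixed_pivot": parse_mmddyy(text, expand_fixed_pivot),
        "sliding": parse_mmddyy(text, lambda yy: expand_sliding_window(yy, today)),
    }


if __name__ == "__main__":
    # Constructed inputs: the last day of 2024 and the first days of 2025.
    today = date(2025, 1, 12)
    for sample in ("12/31/24", "01/01/25", "01/12/25"):
        print(sample, compare_parsers(sample, today))
```

With the constructed clock set to 12 January 2025, the fixed-pivot parser reads "01/01/25" as 1 January 1925 while the sliding window reads it as 2025, which is the kind of discontinuity that surfaces exactly at a year boundary rather than during testing the year before.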
------------------------------
Date: Sun, 12 Jan 2025 08:47:37 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: Re: Eutelsat resolves OneWeb leap-year software glitch after
two-day outage (SpaceNews)
Hold on. The error was failing to identify 2024 as a leap year but the problem didn't occur until now? Not on 29 February 2024?
------------------------------
Date: Sun, 12 Jan 2025 13:08:29 +0000
From: Martin Ward <martin@gkc.org.uk>
Subject: Re: Tech allows Big Auto to evolve into Big Brother
"You might want law enforcement to have the data to crack down on
criminals, but can anyone have access to it?" said Jodi Daniels, chief executive of the privacy consulting firm Red Clover Advisors. "Where is
the line?"
Where it has always been: at the bottom!
The bottom line is the only line that matters.
[Roll Over, Red Clover.]
------------------------------
Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!
OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also,
ftp://ftp.sri.com/risks for the current volume/previous directories
or
ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES:
http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 34.53
************************