• Risks Digest 34.47 (1/2)

    From RISKS List Owner@21:1/5 to All on Thu Oct 17 22:23:07 2024
    RISKS-LIST: Risks-Forum Digest Thursday 17 Oct 2024 Volume 34 : Issue 47

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/34.47>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: [Backlogged; still a large bunch pending]
    This Is What Electoral Fraud Looks Like (Jesse Wegman)
    2024 Election Protection As AI Increases the Risk of Disenfranchisement
    (Lillie Coney)
    Notes for my HealthSec24 paper on Healthcare Risks (PGN)
    More on money drives healthcare (Robert Boyer)
    Millions of Vehicles Could Be Hacked and Tracked Thanks to
    a Simple Website Bug (WiReD)
    Website Bug Allowed Kia Vehicles to Be Hacked, Tracked (Andy Greenberg)
    Tesla driver killed in solo crash (PGN)
    Tesla Cybertruck -- too big and sharp for European roads, say
    campaigners (The Guardian)
    Are taxis safer with no driver? These women think so (nbcnews.com)
    South China Sea tensions and undersea cables (WashingtonReport)
    Starlink satellites create light pollution and disrupt radio frequencies.
    And it's getting worse (CBC)
    I-XRAY: The AI Glasses That Reveal Anyone's Personal Details Just from
    Looking at Them (The Globe)
    How to Opt Out of AI Online (The New Yorker)
    California Governor Vetoes AI Safety Bill (Politico)
    AI Crawlers Are Hammering Sites (Chris Stokel-Walker)
    Kamala Harris, AI, and the Bletchley Park ghost (Douglas Lucas)
    Steganographic covert channel (Dan Goodin)
    Intel is a security risk for China, says influential industry group
    (cnn.com)
    K8S Image Builder, CVE-2024-9486 (The Register via Cliff Kilby)
    WSJ reports China compromised U.S. lawful access systems
    (Matt Blaze)
    Calgary Public Library locations remain closed after cyberattack (CBC)
    Parents sue son's high-school history teacher (NBC News)
    Dynamic pricing unpopular (BBC)
    Earth has overshot key planetary bounda, scientists warn
    (Hastings Tribune)
    China Is Writing World's Technology Rules (The Economist)
    Mystery Drones Swarmed a U.S. Military Base for 17 Days. The
    Pentagon Is Stumped. (WSJ)
    Spotify criticized for letting fake albums appear on real artist pages
    (ArsTechnica)
    *The New York Times* tells *Perplexity* to stop using its content
    (Pivot5)
    Complete, free CISSP review seminar (Rob Slade)
    DoJ vs. Google: Users have the most to lose (Lauren Weinstein)
    Kremlin refutes Trump denial on sending Putin COVID tests (Lauren Weinstein)
    NBC's former marketing chief: We Created a Monster:
    Trump Was a TV Fantasy Invented for 'The Apprentice' (USNews)
    Suspect arrested after reports of threats toward FEMA operations in
    North Carolina (CNN)
    Understanding the Limitations of Mathematical Reasoning in Large Language
    Models (arxiv)
    Why Restoring Power After Helene Is Complicated (Brad Plumer)
    Rob's usual disaster season call for emergency management
    training (Rob Slade)
    Re: More than 1,000 people, including Hezbollah members, wounded in
    Lebanon after pagers detonate (Rik Farrow)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 7 Oct 2024 11:03:08 PDT
    From: Peter G Neumann <neumann@csl.sri.com>
    Subject: This Is What Electoral Fraud Looks Like (Jesse Wegman)

    Jesse Wegman, *The New York Times* Opinion, 7 Oct 2024

    For four years, Donald Trump and his allies have been injecting dangerous
    lies into the American bloodstream, claiming without any actual evidence
    that the 2020 election that he lost was tainted by serious fraud.

    As it turns out, there was indeed one serious fraud in the 2020 election.
    On [3 Oct 2024], one perpetrator of that fraud was sentenced to nine years
    in prison for her crimes. Tina Peters, the former clerk of Mesa County, Colorado, in 2020 tampered with voting machines in an effort to prove the election had been rigged against Trump. The data she allowed to be
    downloaded made its way to a presentation given by Mike Lindell, the pillow-hawking conspiracist.

    ``You abused your position, and you are a charlatan who used and is still
    using your prior position in office to peddle a snake oil that's proven to
    be junk time and time again,'' Judge Matthew Barrett said as he dressed down Peters for more than 13 minutes. [...]

    Now imagine that the defendant sitting in the defendant's chair is not a
    local official but the former president of the United States. Judge
    Barrett's words could also have been said verbatim to Donald Trump.

    We can only imagine it now, because Trump has avoided any legal consequences for his persistent lies, his stoking of the public mistrust and his
    incitements to violence. This is the fault of the Supreme Court, which immunized the president against almost all official acts in July [...].

    Emboldened by that ahistoric extra-constitutional ruling, Trump remains defiant. No one needs to be persuaded that he would do it again, because he already is. [...]

    ------------------------------

    Date: Sun, 13 Oct 2024 06:36:39 -0400
    From: Lillie Coney <coney@lillieconey.net>
    Subject: 2024 Election Protection As AI Increases the Risk of
    Disenfranchisement

    This article is a repost of the Epic.org Report, e-Deceptive Campaign Practices, first published in 2008 and again in 2010. The report provides information on risks posed to election integrity by ubiquitous social media
    and mobile technologies. The report needs an update with the most important developments being the introduction of artificial intelligence and targeting
    of communities ill prepared for deceptive campaign attacks. In 2024, Russia still poses a significant threat to tampering in US elections. But, the
    U.S. is not the only democracy facing challenges. In 2020, the United Kingdom's Brexit vote report cites Russia's hacking and
    disinformation campaign as factors in that important election.

    Canada is another democracy that faced challenges from robocalls intended to confuse and harass voters in the 2011 federal election through misdirection
    to incorrect polling locations on Election Day during a very close election. This was unprecedented and at the end of the day disenfranchised Canadian voters had no recourse.

    In the United States the Voting Rights Act has not been reauthorized and key provisions protecting voting rights have been struck down by the Supreme
    Court, and this law protects only the right to vote of persons in certain jurisdictions and states with a documented history of voter
    disenfranchisement.

    This situation leaves many voters on their own should they fall prey to an AI-generated deceptive robocall on Election Day that erroneously reports that their voting location has changed. AI voice impersonations made an early
    debut in the 2024 election, and may have an encore performance on Election
    Day.

    The recommendation, for those planning to vote is to do so during early
    voting, if that is an option, or make a plan to start earlier on Election
    Day. Civic participation in the United States is an individual right to exercise or not -- but each voter is free to decide for themselves, and not have that decision taken from them.

    Article written by Lillie Coney, former Associate Director of EPIC.org, and Director of the Voting Integrity Project. She is a member of the ACM USACM, and IEEE.

    Key Takeaways from the British Report on Russian Interference, by Amy Mackinnon, a national security and intelligence reporter at Foreign Policy,
    on 21 Jul 2021, last visited 8 Oct 2024, found at https://foreignpolicy.com/2020/07/21/britain-report-russian-interference-brexit/

    E-Deceptive Campaign Report 2010: Internet Technology and Democracy 2.0,
    Lillie Coney, Peter Neumann and Jon Pincus, October 2010, found at https://epic.org/wp-content/uploads/privacy/voting/E_Deceptive_Report_10_2010.pdf, last visited on 8 Oct 2024.

    Robocalls scandal: Timeline of events, CTVNews.ca, by Staff, August 14,
    2014, last visited on 8 Oct 2024, can be found at https://www.ctvnews.ca/politics/robocalls-scandal-timeline-of-events-1.1960260

    [The amount of intentionally false information in the lead-up to this
    election is absolutely terrifying. Thanks, Lillie, for resurrecting this
    item. PGN]

    ------------------------------

    Date: Mon, 14 Oct 2024 9:08:47 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Notes for my HealthSec24 paper on Healthcare Risks

    Peter G. Neumann
    Computer-Related Risks in Healthcare [10-minute summary]
    CCS 2024 conference HealthSec workshop.

    The paper is on my website, in part derived from recent RISKS issues,
    with lots of editorial additions:
    https://www.csl.sri.com/users/neumann/health.pdf
    HealthSec 2024, Salt Lake City, 14 Oct 2024

    The 10-minute summary that I was going to present at the workshop is
    on my website:
    https://www.csl.sri.com/users/neumann/healthsec.txt
    There were several screw-ups and logistic problems (bandwidth with multiple workshops) that prevented my zooming in, so I wound up with two minutes
    after a lovely introduction from William Yurcik, the program chair, who had invited my paper.

    Here are my notes for my intended summary:

    I regret not being able to be with you all -- for pressing health
    reasons. Here's an abbreviated summary of the paper.

    0. I am very grateful to Kaiser Permanente for multiple decades of keeping
    him at work at 92, and to Stanford Hospital for its emergency treatment
    of his heart attack over a year ago. My paper is a counter-cultural
    analysis of what has gone wrong and what might need to be done in the
    future to dramatically improve the situation.

    1. Many problems in healthcare require holistic approaches, because
    many factors are often interrelated. Thinking out of the box is a
    poor metaphor, because there actually is no box. Albert Einstein
    said, ``Everything should be made as simple as possible, *but no
    simpler.*'' Unfortunately, violating *but no simpler* often causes
    crises, and requires some total-system thinking. Also, medical
    best practices tend to be overly simplified, driven in part by
    avoiding law suits.

    2. Certain medical devices have been poorly designed and implemented,
    lacking in assurance, monitoring, and oversight. Research and
    development in medical devices needs to be much more holistic and
    evidence-based. In an incident in Houston just after my paper was
    finalized, a student died when the defibrillator failed. When the
    authorities checked, all of Houston's 150 school devices failed to
    operate correctly. Self-checking failed miserably.

    3. In the spirit of this workshop, technological solutions often are
    not sufficiently trustworthy -- especially if they rely on
    artificial intelligence that has no evidence that it will give
    sound results. However, we note that nontechnological problems
    generally cannot be solved by technology alone.

    4. Throughout the medical profession, money and greed are often the
    driving force, whether for making profits or surviving as a
    non-profit, cutting corners wherever possible. Political and
    government problems abound, especially relating to insurance and
    vaccinations. Healthcare is a worldwide concern, but the U.S. has
    its own problems.

    5. Artificial intelligence can be helpful, but in systems demanding
    real-time life-critical trustworthiness, it urgently needs serious
    evidence-based assurance. I have an Inside Risks article (the
    255th column) in the November 2024 CACM on that subject, a preview
    of which is also on my website, along with most of the other
    more recent columns since my book came out:
    https://www.csl.sri.com/users/neumann/cacm255.pdf

    6. Dealing with rampant disinformation has become pandemic.

    7. Overall, some serious rethinking is required throughout, along with
    stringent oversight. Functional rather than allopathic medicine is
    almost completely disregarded by conventional healthcare, that is,
    treating the underlying causes rather than just the symptoms. This
    fact seems to be strongly influenced by pharmaceutical companies,
    overly narrow best practices, and big money.

    8. The meaning of my school pledge of allegiance seems to have been
    lost -- one nation, under God, with liberty and justice for all.

    Please read the entire paper, which has ample examples for all of these
    points -- and lots more. And this introductory list is also on my website.
    I seem to be the only Peter G Neumann, although I know three other Peter Neumanns.

    Once you have read my paper based on recent items in the ACM Risks
    Forum (http://www.risks.org), with extensive personal opinions, read
    Bernie Sanders new book, It's OK To Be Angry About Capitalism.
    Chapter 5 is titled Ending Greed in the Health Care System: Health
    Care is a Human Right, not a Privilege. It is comprehensive.

    Also, read the very constructive HealthSec 2024 paper by John McHugh
    and William Yurcik, on John's personal experience about how caregiving institutions can be done humanely. I prefer hospice care where
    possible, which may be where I am now headed.

    [Tom Van Vleck suggests that I should mention that this paper contains
    just a small sample of observations, some of which were contributed by
    RISKS readers, who are of course identified in the cited RISKS issue.
    There are also many other problems that are generally not described in
    RISKS. PGN]

    ------------------------------

    Date: Thu, 10 Oct 2024 14:01:27 -0500
    From: Robert Boyer <robertstephenboyer@gmail.com>
    Subject: More on money drives healthcare

    Fine article on 'fault injection'.

    How can modern medicine go so proudly marching on? Don't they read the news?

    Answer: shamelessness, money, money, honey.

    Saying 'we are/were doing our best' does not cut it with me. In the past,
    the medical community may have been doing more harm than good in some cases, e.g., with the practice of bleeding. Do we really know that things are any better today? So how come some say life expectancy is going down?

    Philips is paying out half a billion dollars for ruining the lungs and lives
    of many CPAP wearers.

    https://www.fiercebiotech.com/medtech/philips-reaches-settlement-over-economic-loss-claims-class-action-cpap-lawsuit#:~:text=he%20economic%20loss%20awards%20will,the%20costs%20of%20replacement%20devices

    Where were the WHO, the FDA, the CDC, and those other pompous three letter authorities while this lung ruination was going on? I'll tell you where they were. They were telling themselves how much good 'modern' medicine was
    doing, on their expensive vacations, that's where. On their butts!

    So who cares? No one! How soon will I get a call from Philips asking how
    much they owe me for decades of CPAP use? CPAP came highly recommended by
    the medical community. Fortunately, I never throw out anything, so I may
    have old CPAP masks to base a lawsuit upon. But I am too weak to undertake a suit.

    Where is the global medical sense of shame, shame, shame?

    ------------------------------

    Date: Mon, 30 Sep 2024 11:29:40 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Millions of Vehicles Could Be Hacked and Tracked Thanks to
    a Simple Website Bug (WiReD)

    Researchers found a flaw in a Kia web portal that let them track millions of cars, unlock doors, and start engines at will -- the latest in a plague of
    web bugs that's affected a dozen carmakers. [...]

    https://www.wired.com/story/kia-web-vulnerability-vehicle-hack-track/ -or- https://archive.ph/itwuF#selection-627.0-627.192

    ------------------------------

    Date: Wed, 2 Oct 2024 11:32:50 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Website Bug Allowed Kia Vehicles to Be Hacked, Tracked
    (Andy Greenberg)

    Andy Greenberg, *WiReD*, 27 Sep 2024

    Independent security researchers identified a vulnerability in the back end
    of a Kia Web portal for customers and dealers that could allow a hacker to redirect control of Internet-connected features of most Kia models from the
    car owner's smartphone to the hacker. A custom app built by the researchers allowed them to leverage that flaw. Shortly after the researchers reported
    the issue, Kia made a change to its Web portal API that appeared to block
    the technique.

    ------------------------------

    Date: Wed, 16 Oct 2024 17:11:50 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Tesla driver killed in solo crash

    Local news on Monday morning reported a Tesla driver in Fremont (SF East
    Bay) driving close to 100 mph demolishing himself and the vehicle.

    FREMONT, Calif. (KGO) -- The driver of a Tesla died after witnesses say the
    car appeared to lose control, crashing into an apartment building in Fremont Monday evening. Fremont Fire Dept. Acting Battalion Chief Dan Brunicardi
    said the car went through the first floor, which is vacant.

    The driver has been identified as 46-year-old Kamleshkumar J. Patel, from Fremont. Fremont police said fire crews responded at 5:47 p.m. from the building," Brunicardi said.

    Brunicardi said smoke reached the upper floors of the building so everyone
    was evacuated.

    Tom Vo lives on the fifth floor and said the building shook on impact. Once
    he heard the fire alarm, he grabbed his cat Katzu. "My window is wide open,
    I heard this loud screech right before that I basically like -- that person
    or whoever was happening they were hitting the object before they went into that building, and pretty much I heard a loud explosion, I literally thought
    it was a bomb," Vo said.

    Fremont police confirmed no one else was in the car.

    Debra Martin lives in a nearby building. She said the driver nearly hit her
    as she was driving back from the grocery store. "He was going fast I would
    say like 100 miles an hour - it was fast," Martin said.

    ------------------------------

    Date: Fri, 11 Oct 2024 10:19:19 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Tesla Cybertruck -- too big and sharp for European roads, say
    campaigners (The Guardian)

    Tesla’s Cybertruck is too big and sharp for European roads, transport campaigners have warned, as questions are raised about the registration of
    one of the first of the electric pickup trucks to hit the continent.

    There had been confusion about whether the Cybertruck could be driven in Europe, owing to strict road safety rules that ban sharp edges and require speed limiters on vehicles that weigh more than 3.5 tonnes when
    full. Tesla’s manual lists the angular steel vehicle as having a gross vehicle weight of 4 tonnes. (The equivalent of a standard family car, such
    as a Ford Focus, is 1.9 tonnes.)

    A handful of Cybertrucks have already been spotted on European streets this year, causing safety fears among campaigners. In a letter to the European Commission and to authorities in the Czech Republic, where the registration
    of one Cybertruck has raised questions about the rules, campaign groups
    called for Cybertrucks registered in the EU to be removed from public roads. [...]

    https://www.theguardian.com/technology/2024/oct/08/tesla-cybertruck-too-big-and-sharp-for-european-roads-say-campaigners

    ------------------------------

    Date: Tue, 08 Oct 2024 23:30:27 +0000
    From: Richard Marlon Stein <rmstein@protonmail.com>
    Subject: Are taxis safer with no driver? These women think
    so (nbcnews.com)

    https://www.nbcnews.com/tech/innovation/are-taxis-safer-no-driver-women-think-rcna173936

    "Some women say they prefer taking driverless taxis because they don't have
    to deal with safety concerns they have about human drivers."

    A risk of risk choice. Risk prioritization or perception.

    [And they'd better check that there is no creep hiding in the car? PGN]

    ------------------------------

    Date: Thu, 3 Oct 2024 09:09:04 -0700
    From: "Jim" <jgeissman@socal.rr.com>
    Subject: South China Sea tensions and undersea cables
    (Washington Report)

    Undersea cables below the South China Sea have long provided vital
    connectivity to countries in Southeast Asia as demand for Internet service
    has surged.

    To maintain the extensive network of cables and develop new ones, private
    cable companies have for decades relied on being able to move freely through this waterway, despite conflicting claims over the sea by China and a half dozen other governments.

    But now, competition for control of the South China Sea is disrupting the repair and badly needed construction of subsea cables, raising costs and at times straining telecommunications, according to interviews with more than
    30 people in the subsea cable industry and unpublished industry data.

    https://www.washingtonpost.com/world/2024/10/03/south-china-sea-underwater-cables/

    [How about remote-controlled robots? Also, the Navy has used trained
    seals before for certain missions, but maintenance of undersea cables is
    probably above their pay grade. PGN]

    ------------------------------

    Date: Thu, 3 Oct 2024 06:42:30 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Starlink satellites create light pollution and disrupt
    radio frequencies. And it's getting worse (CBC)

    https://www.cbc.ca/news/science/spacex-starlinks-astronomy-1.7334803

    Look up at the night sky from a city -- where most people live -- and you'll see just a smattering of stars. Perhaps even an airplane or two.

    But drive further out, past the glare of lights from houses, cars, office buildings and street lamps, and the stars reveal themselves in a way that
    few have truly seen.

    Now, it seems the night sky is under attack not only from below, but from above, thanks to the rapid proliferation of satellites, mainly megaconstellations, which can contain hundreds or thousands of satellites.
    And leading the charge is SpaceX.

    ------------------------------

    Date: Fri, 4 Oct 2024 17:35:47 -0400
    From: Jan Wolitzky <jan.wolitzky@gmail.com>
    Subject: I-XRAY: The AI Glasses That Reveal Anyone's
    Personal Details Just from Looking at Them (The Globe)

    ... (Home Address, Name, Phone Number, and More)

    A pair of Harvard undergraduates have come up with a disturbing new way to invade people's privacy: an artificial intelligence tool that can reveal a stranger's name, address, and other sensitive information just by taking a picture of them.

    By combining AI with smart eyeglasses and commonly used online databases, Harvard juniors AnhPhu Nguyen and Caine Ardayfio developed a fast, simple
    tool called I-XRAY that could potentially allow law enforcement agents,
    cyber criminals, or just a guy at the bar to obtain anybody's vital
    information in just over a minute by capturing an image of their face.

    ``You could just theoretically identify anybody on the street,'' said
    Nguyen, an engineering student majoring in human augmentation. ``It's a huge security issue.''

    https://www.bostonglobe.com/2024/10/04/business/harvard-students-ai-meta-glasses/
    https://docs.google.com/document/d/1iWCqmaOUKhKjcKSktIwC3NNANoFP7vPsRvcbOIup_BA/edit

    ------------------------------

    Date: Sat, 5 Oct 2024 07:53:01 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: How to Opt Out of AI Online

    You can’t opt out [...] But you can set some controls on your privacy.

    Last week, like the Jews of Exodus painting blood on their lintels, hundreds
    of thousands of Instagram users posted a block of text to their accounts
    hoping to avoid the plague of artificial intelligence online. “Goodbye Meta AI,” the message began, referring to Facebook’s parent company, and continued, “I do not give Meta or anyone else permission to use any of my personal data, profile information or photos.” Friends of mine posted it; artists I follow posted it; Tom Brady posted it. In their eagerness to
    combat the encroachment of AI, all of them seemed to overlook the fact that merely sharing a meme would do nothing to change their legal rights
    vis-à-vis Meta or any other tech platform.

    It is, in fact, possible to prevent Meta from training its AI models on your personal data. [...]

    https://www.newyorker.com/culture/infinite-scroll/how-to-opt-out-of-ai-online

    ------------------------------

    Date: Mon, 30 Sep 2024 11:30:04 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: California Governor Vetoes AI Safety Bill (Politico)

    Lara Korte and Jeremy B. White, *Politico*, 29 Sep 2024, via ACM TechNews

    California Governor Gavin Newsom vetoed a state measure that would have
    imposed safety vetting requirements for powerful AI models. Newsom said the legislation "does not take into account whether an AI system is deployed in high-risk environments, involves critical decision-making, or the use of sensitive data." He said of the bill, "I do not believe this is the best approach to protecting the public from real threats posed by the
    technology."

    ------------------------------

    Date: Mon, 30 Sep 2024 11:30:04 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: AI Crawlers Are Hammering Sites (Chris Stokel-Walker)

    Chris Stokel-Walker, *Fast Company*, 26 Sep 2024, via ACM TechNews

    Some websites are being hit with so many queries from AI crawlers that their performance is impacted. iFixit recently reported close to a million queries
    in just over 24 hours, which it attributed to a crawler from Anthropic. Game
    UI Database said its website almost came to a halt due to a crawler from
    OpenAI hitting it around 200 times a second. Said iFixit's Kyle Wiens,
    "There are polite levels of crawling, and this superseded that threshold."

    ------------------------------

    Date: Thu, 10 Oct 2024 14:54:43 +0000
    From: Douglas Lucas <dal@riseup.net>
    Subject: Kamala Harris, AI, and the Bletchley Park ghost

    In late September at a fundraiser, Kamala Harris spoke about
    collaborating with industry and other stakeholders on AI and
    "encourag[ing] innovative technologies like AI and digital assets." This
    echoed her high-profile Bletchley Park speech in 2023 at the inaugural
    global AI summit, where she touted a non-binding voluntary agreement
    between industry and other key players to promote AI safety. But while
    the Biden-Harris administration efforts she touted in the 2023 speech
    included warnings about algorithmic bias, neither Harris speech (as far
    as reported) mentioned Alan Turing, who of course gave the first public
    lecture on AI shortly after his time code-cracking at Bletchley Park,
    and who of course fell victim to bigotry. In a blog post, I explain all
    this, and how the preference for happyspeak and pols-journos using "AI"
    as a buzzword might be remediated somewhat if we maybe brought up more
    often the tragic story of one of its forefathers as a way to discuss
    what the buzzword actually means (how Turing defined AI) and how it can
    cause problems (bias drove Turing to suicide but AI puts the same sorts
    of bias on steroids). Harris did mention problems with AI of course but
    the emphasis has been on fundraising, happyspeak, etc., and it is a bit
    eerie to see world leaders in 2023 discussing AI's emergence at the same location where the 1940s originated Five Eyes and the current world
    order of spy agencies and so on.

    https://douglaslucas.com/blog/2024/09/24/kamala-harris-ai-best-bletchley-park-ghost/

    ------------------------------

    Date: Tue, 15 Oct 2024 21:10:51 -0400
    From: dan@geer.org
    Subject: Steganographic covert channel (Dan Goodin)

    A quirk in the Unicode standard harbors an ideal steganographic code
    channel. -- Dan Goodin

    https://arstechnica.com/security/2024/10/ai-chatbots-can-read-and-write-invisible-text-creating-an-ideal-covert-channel/

    ------------------------------

    Date: Thu, 17 Oct 2024 12:01:12 +0000
    From: Richard Marlon Stein <rmstein@protonmail.com>
    Subject: Intel is a security risk for China, says influential
    industry group (cnn.com)

    https://lite.cnn.com/2024/10/16/tech/china-intel-security-review-intl-hnk/index.html

    In silicon we do not trust.

    ------------------------------

    Date: Thu, 17 Oct 2024 10:54:54 -0400
    From: Cliff Kilby <cliffjkilby@gmail.com>
    Subject: K8S Image Builder, CVE-2024-9486 (The Register)

    https://www.theregister.com/2024/10/16/critical_kubernetes_image_builder_bug

    During image assembly, some targets use default credentials and are not cleaning up after themselves.
    Proxmox, Nutanix, OVA, and Qemu are noted but have slightly different
    impacts due to specifics about those platforms.
    c.f. CVE-2024-9594

    https://github.com/kubernetes-sigs/image-builder
    This is the impacted tool, which appears to be part of the official K8S
    project at a glance, but it is not. It is a community project run by a
    subgroup of another community project.

    As noted the sponsor project is https://github.com/kubernetes/community/blob/master/sig-cluster-lifecycle/README.md

    My summary of this issue is:
    Who is this image builder for?
    Is there a company out there with a large VM deployment which doesn't
    already have tooling for repeatable image creation?
    Why does this tool use an ansible as an intermediary tool rather than just providing ansible run scripts?
    Also, after looking at the documentation, this project is security toxic
    and I would not let it anywhere near my build infrastructure.

    Second page of the welcome docs:
    https://image-builder.sigs.k8s.io/capi/capi

    Loading additional components using additional_components.json
    {
    [...]
    "additional_s3": "true",
    "additional_s3_endpoint": "https://path-to-s3-endpoint",
    "additional_s3_access": "S3_ACCESS_KEY",
    "additional_s3_secret": "S3_SECRET_KEY",
    "additional_s3_bucket

    Is that a disk backed unencrypted secret? Yes.
    Don't do that.
    Ansible has ansible-vault for secret encryption.

    I'm glad it got a CVE, but overall this doesn't seem to be any more than someone's hobby horse on fire.
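
    A check for the plaintext-secret pattern criticized above, added here as an example and not code from the image-builder project: it walks a JSON config of the additional_components.json shape, flags credential-like keys whose values are literals, and accepts either a file encrypted whole with `ansible-vault encrypt` or a value deferred to an environment lookup. The sample configs and the assumption that a lookup expression would be templated by Ansible are mine, not something the project documents.

```python
"""Flag disk-backed plaintext credentials in an image-builder style JSON config.

Constructed example (not part of the kubernetes-sigs/image-builder project).
Two remedies are recognised as acceptable: the whole file encrypted with
`ansible-vault encrypt` (file starts with the $ANSIBLE_VAULT; header), or a
value that is an Ansible env lookup resolved at run time rather than stored.
"""
import json
import re

# Key names that usually carry credentials (suffix match, case-insensitive).
# Heuristic: "_access" is included because the page's config uses it for the
# S3 access key id; tune the list for your own config schema.
SECRET_KEY_RE = re.compile(
    r"(^|_)(secret|access|password|passwd|token|api_key|key)$", re.I)

# Acceptable value forms: ansible-vault ciphertext or a deferred env lookup.
VAULT_HEADER = "$ANSIBLE_VAULT;"
ENV_LOOKUP_RE = re.compile(r'^\{\{\s*lookup\(\s*[\'"]env[\'"]\s*,.*\)\s*\}\}$')


def is_deferred_or_encrypted(value):
    """True if the value is vault ciphertext or an env lookup, not a literal."""
    if not isinstance(value, str):
        return False
    return value.startswith(VAULT_HEADER) or bool(ENV_LOOKUP_RE.match(value))


def find_plaintext_secrets(config, path=""):
    """Return dotted paths of credential-like keys that hold literal values."""
    findings = []
    if isinstance(config, dict):
        for key, value in config.items():
            child = f"{path}.{key}" if path else key
            if isinstance(value, (dict, list)):
                findings.extend(find_plaintext_secrets(value, child))
            elif (SECRET_KEY_RE.search(key) and value not in ("", None)
                  and not is_deferred_or_encrypted(value)):
                findings.append(child)
    elif isinstance(config, list):
        for i, item in enumerate(config):
            findings.extend(find_plaintext_secrets(item, f"{path}[{i}]"))
    return findings


def check_config_text(text):
    """Scan raw file content; a file encrypted whole by ansible-vault passes."""
    if text.lstrip().startswith(VAULT_HEADER):
        return []
    return find_plaintext_secrets(json.loads(text))


# Constructed sample mirroring the documented shape: credentials as literals.
WEAK_CONFIG_TEXT = """{
  "additional_s3": "true",
  "additional_s3_endpoint": "https://s3.example.invalid",
  "additional_s3_access": "AKIA-PLACEHOLDER-ACCESS-KEY",
  "additional_s3_secret": "placeholder-secret-do-not-store",
  "additional_s3_bucket": "images"
}"""

# Constructed hardened variant: access key deferred to the environment, the
# secret stored as vault ciphertext (placeholder body, not real ciphertext).
HARDENED_CONFIG = {
    "additional_s3": "true",
    "additional_s3_endpoint": "https://s3.example.invalid",
    "additional_s3_access": "{{ lookup('env', 'S3_ACCESS_KEY') }}",
    "additional_s3_secret": "$ANSIBLE_VAULT;1.1;AES256\\n<ciphertext placeholder>",
    "additional_s3_bucket": "images",
}


if __name__ == "__main__":
    for hit in check_config_text(WEAK_CONFIG_TEXT):
        print(f"plaintext credential at {hit}")
    print("hardened findings:", find_plaintext_secrets(HARDENED_CONFIG))
```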

    ------------------------------

    Date: Sat, 5 Oct 2024 06:24:29 -0400
    From: Matt Blaze <mab@mattblaze.org>
    Subject: WSJ reports China compromised U.S. lawful access systems

    https://www.wsj.com/tech/cybersecurity/u-s-wiretap-systems-targeted-in-china-linked-hack-327fc63b

    ------------------------------

    Date: Sun, 13 Oct 2024 22:35:04 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Calgary Public Library locations remain closed after
    cyberattack (CBC)

    https://www.cbc.ca/news/canada/calgary/calgary-public-library-cyberattack-closed-saturday-1.7351306

    All Calgary Public Library locations remain closed Saturday after a cybersecurity breach compromised at least some of its systems. The library shut down all of its physical locations Friday at 5 p.m. as a proactive
    measure to mitigate the potential impact of the hack, a spokesperson said.

    On Sunday morning, a spokesperson told CBC News there was no update on the status of the hack. Tom Keenan, a professor in the School of Architecture, Planning and Landscape at the University of Calgary, told CBC News public institutions such as libraries are a logical target for cybercriminals.
    "Almost everybody has a library card, it's free in Calgary, so there's a big database of people they can get," Keenan said. "And think about it. When
    you got your library card, what did you tell them? Your name, maybe your address, your email address. So there's a rich amount of data there and the
    bad guys go looking for things like that."

    [Logical? It's easier than burning books, or taking them out with forged
    library cards and never returning them, but ransomware can be discouraged
    by daily backups, and there is certainly not much of an immediate
    financial incentive. Perhaps perpetrated by jealous people who have
    reading problems or who resent people who love to read books? PGN]

    ------------------------------

    Date: Thu, 17 Oct 2024 06:38:53 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Parents sue son's high-school history teacher (NBC News)

    The lawsuit, filed in Massachusetts district court, said the student didn't break any rules and is now at a disadvantage in the college application process.


    [continued in next message]
