• Risks Digest 34.49

    From RISKS List Owner@21:1/5 to All on Sun Nov 17 03:18:54 2024
    RISKS-LIST: Risks-Forum Digest  Saturday 15 Nov 2024  Volume 34 : Issue No 49
    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/34.49>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: [Way backlogged, Running out of time.]
    Was this election well conducted? (Peter G. Neumann)
    After Trump Took the Lead, Election Deniers Went Suddenly Silent
    (The NY Times)
    Terrified friends burned to death in Tesla as electronic doors
    (The Mirror)
    Robotaxis open for business in Los Angeles (LA Times)
    Zoox's pill-shaped robotaxis become latest self-driving cars to hit
    California's streets (LA Times)
    Anomalous Windows Server Update (MSPowerUser)
    North Korea Jams GPS Signals (The Korea Times)
    A new iOS 18 security feature makes it harder for police to unlock
    iPhones (The Verge)
    A kayaker was missing for months. Authorities say he faked his
    death. (WashPost)
    Fake images of hurricane survivors have become a bizarre meme
    (NBC News)
    import what? (The Register)
    42% of daily X users have a negative view of it -- losing the block feature
    won't help (ZDNET)
    AI fails a student's paper, with "98% accuracy" (The Star via Ed Ravin)
    Top Routinely Exploited Vulnerabilities in 2023 (CISA.GOV)
    Inside the Massive Crime Industry That's Hacking Billion-Dollar Companies
    (WiReD)
    How Tech Created a *Recipe for Loneliness* (The NY Times)
    Hidden Data in Amgen Publicly-released Spreadsheet Possible Cause of Stock
    Drop (CNBC)
    I was moderating hundreds of horrific and traumatising videos (BBC)
    Re: Families Battle Tech Giants as Australia Pushes for an Under-16
    Social-Media Ban (WSJ via Monty Solomon)
    Re: Australia plans social media ban for under-16s (Steve Bacher)
    Re: Man who made 'depraved' child images with AI jailed (Steve Bacher)
    Re: Nobody wants Copilot Pro AI for Office365, so Microsoft will
    force-bundle it and raise the price? (Pivot to AI) (Steve Bacher)
    Re: AI decodes oinks and grunts to keep pigs happy (Steve Bacher)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 15 Nov 2024 13:02:12 PST
    From: Peter G Neumann <neumann@csl.sri.com>
    Subject: Was this election well conducted?

    1. Did the computer technology work correctly? Perhaps the same answer as
    in the Biden election in 2020 -- with all the preparation and oversight
    -- despite the President-elect claiming that nothing could be trusted (in
    case he lost). Nevertheless, most of the technology is not really
    capable of enforcing stringent requirements for security, integrity, and
    trustworthiness.

    2. Was the election riddled with wrong-doings? Yes,
    but most of them had very little to do with the
    technology used in the election.

    A few of you may remember that my final report for the SRI portion of the
    NSF ACCURATE team project wrote extensively about how the non-technical
    issues were beginning to weigh heavily on the overall trustworthiness of
    the election process: character assassination, malicious lies,
    misinformation, intentional disinformation, death threats to election
    officials and voters, support from the Supreme Court, dumbing down public
    education, book burning, claiming slavery was a job-opportunities program,
    and many other factors that were almost totally unrelated to the computer
    technology were all pieces of the puzzle.

    [Lillie Coney recently mentioned (RISKS-34.47) a joint paper: Lillie Coney,
    Juan E. Gilbert, Peter G. Neumann, Erik Nilsson, Jon Pincus, and Bruce
    Schneier, E-Deceptive Campaign Practices, Electronic Privacy Information
    Center and The Century Foundation 20 Oct 2008:
    http://votingintegrity.org/pdf/edeceptive_report.pdf
    PGN]

    *The NYTimes* had a series of articles on Sunday and Monday trying to
    assess blame. For example, President Biden failed to make the positive
    case for his administration, and he deferred too long before exiting the
    candidacy. The Democrats violated their own belief in an open convention.
    Kamala Harris did not adequately defend herself and attack back until it
    was too late. The voters' concerns were underestimated by pollsters and
    the Democratic Party. The real issues were never debated or even
    addressed. Many Democrats apparently stayed home. And that's just a few
    points discussed post-election from some of the media.

    Summary: The technology seemed to get an accurate sense of the voters;
    the anomalies in the election generally lay elsewhere.

    ------------------------------

    Date: Sun, 10 Nov 2024 12:22:35 -0500
    From: "Monty Solomon" <monty@roscom.com>
    Subject: After Trump Took the Lead, Election Deniers Went Suddenly Silent

    Trump supporters spent years fomenting concern about election integrity.
    On Tuesday, they set it all aside.

    https://www.nytimes.com/2024/11/06/technology/trump-election-denial.html

    [Surprise? They were wrong all along??? PGN]

    ------------------------------

    Date: Tue, 12 Nov 2024 16:59:00 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Terrified friends burned to death in Tesla as electronic doors
    wouldn't open after crash (The Mirror)

    The only survivor of the October 24 fire was a woman in her 20s who was
    able to get to safety after a quick-thinking passer-by smashed a window of
    the burning Model Y car to free her [...]

    https://www.mirror.co.uk/news/world-news/terrified-friends-burned-death-tesla-34087725

    ------------------------------

    Date: Wed, 13 Nov 2024 06:35:45 -0800
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Robotaxis open for business in Los Angeles (LA Times)

    Angelenos can hail a robotaxi with the Waymo One app starting Tuesday.
    There are about 100 taxis in the Los Angeles fleet -- but they don't
    drive freeways.

    https://www.latimes.com/california/story/2024-11-12/robotaxis-open-for-business-in-los-angeles

    [Why? Perhaps because there would be only ONE person in the vehicle, and
    it could not go in the Diamond lane? Insurance issue? Safety issue when
    all the human-driven vehicles are routinely doing 80+ mph it can be
    difficult for CHP law enforcement to stop and arrest the non-driver of the
    driverless car??? PGN]

    ------------------------------

    Date: Wed, 13 Nov 2024 06:37:04 -0800
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Zoox's pill-shaped robotaxis become latest self-driving cars to hit
    California's streets (LA Times)

    Is it a toaster? Is it a pill on wheels? No, it's Zoox's funny-looking
    robotaxi, the latest fully autonomous vehicle to hit the streets of
    California.

    Zoox's self-driving vehicles began rolling out in San Francisco's SoMa
    neighborhood this week, and are expected to compete with robotaxis
    designed by Waymo, which started offering rides to the public in San
    Francisco and Los Angeles earlier this year.

    But not quite yet. For now, Zoox's driverless trips around SoMa will be
    for testing and research purposes only.

    https://www.latimes.com/california/story/2024-11-12/zoox-pill-shaped-robotaxis-latest-self-driving-cars-california-streets

    ------------------------------

    Date: Tue, 5 Nov 2024 10:36:30 -0500
    From: Cliff Kilby <cliffjkilby@gmail.com>
    Subject: Anomalous Windows Server Update (MSPowerUser)

    https://mspoweruser.com/microsoft-reportedly-upgrades-users-with-windows-server-2022-to-2025-without-notice/

    It appears that an upgrade has been marked as a security update, and is
    pushing some versions of Windows Server 2022 to Server 2025.

    If you're running Server 2022 21h2, you may want to manually flag KB5044284
    as skipped until Microsoft clarifies the issue.

    ------------------------------

    Date: Mon, 11 Nov 2024 11:01:10 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: North Korea Jams GPS Signals (The Korea Times)

    The Korea Times, 9 Nov 2024

    North Korea staged GPS jamming attacks for the second consecutive day
    Saturday, affecting several ships in the Yellow Sea and dozens of
    civilian aircraft, according to South Korea's Joint Chiefs of Staff
    (JCS). After being alerted, the International Civil Aviation
    Organization adopted a decision raising serious concerns over the GPS
    jamming, naming North Korea explicitly for the first time.

    [Incidental PGN-added notes: Susan Landau has a post at Lawfare: CALEA
    Was a National Security Disaster Waiting to Happen:
    <https://www.lawfaremedia.org/article/calea-was-a-national-security-disaster-waiting-to-happen>

    Steve Bellovin noted an FBI item on China that was also of interest here:
    https://www.fbi.gov/news/press-releases/joint-statement-from-fbi-and-cisa-on-the-peoples-republic-of-china-targeting-of-commercial-telecommunications-infrastructure

    Lauren Weinstein noted:
    2022 Russian TV program singing the praises of "our girlfriend" Tulsi
    Gabbard, who Trump wants to be director of national intelligence
    https://www.youtube.com/watch?v=N2_eL8t8D9Y

    PGN]

    ------------------------------

    Date: Sat, 9 Nov 2024 12:22:20 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: A new iOS 18 security feature makes it harder for police to unlock
    iPhones (The Verge)

    Apple added an inactivity timer that reboots iPhones to a more secure
    state when they haven't been unlocked in a while.

    https://www.theverge.com/2024/11/9/24292092/ios-18-security-inactivity-reboot-police-complain-unlocking-iphone-difficult

    ------------------------------

    Date: Tue, 12 Nov 2024 10:00:16 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: A kayaker was missing for months. Authorities say he faked his
    death. (WashPost)

    After scouring a lake in Wisconsin, authorities now say Ryan Borgwardt
    staged his drowning to abandon his wife and three children.

    https://www.washingtonpost.com/nation/2024/11/11/kayaker-drowned-faked-death-wisconsin/

    [PGN: Here are two unresolved disappearances:]

    [My late wife's oldest dear friend Marilyn had a brother Courtland Mumford
    who was a former TWA pilot. One morning in 2007 he was out doing
    touch-and-go landings and takeoffs in his new Cessna to and from the
    Aurora State Airport in Western Oregon. He and his plane disappeared, and
    no traces have been found in the past 17 years. Browsing gives some
    background, and adds other cases: MAST has developed the most accurate and
    comprehensive database on aircraft that have gone missing in the United
    States.

    Many of us remember the wonderful Jim Gray, who took his boat out from the
    San Francisco marina to the Farallon Islands, to scatter the ashes of his
    mother. Jim and his boat disappeared and were never found.
    https://en.m.wikipedia.org/wiki/Jim_Gray_(computer_scientist)

    PGN]

    ------------------------------

    Date: Fri, 11 Oct 2024 06:59:07 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Fake images of hurricane survivors have become a bizarre meme
    (NBC News)

    Pluto holding a girl in his paws while trekking through a flooded Disney
    World. Godzilla crying while cradling a giant bug in a flooded city
    street. A small girl in a lifejacket seated on a boat next to a green
    alien baby.

    Absurd and comical rescue images that appear to have been made with
    artificial intelligence have sprung up on social media this week as
    Hurricane Milton hit Florida, a reaction to the earlier proliferation of
    more realistic fake images related to Hurricane Helene.

    Many of the memes are clearly fake -- some contain fictional characters,
    others look like illustrations, most have captions that imply the posts
    are a joke. But as technology has advanced, fake images generated by AI
    have continued to proliferate on the Internet, at times making it easier
    for false information to spread online. Public officials even cautioned
    Floridians this week to beware of AI-generated images that falsely depict
    conditions on the ground. [...]

    https://www.nbcnews.com/tech/fake-images-hurricane-survivors-bizarre-meme-rcna174874

    ------------------------------

    From: Cliff Kilby <cliffjkilby@gmail.com>
    Date: Wed, 2 Oct 2024 10:47:23 -0400
    Subject: Import what? (The Register)

    https://www.theregister.com/2024/09/30/ai_code_helpers_invent_packages/

    Signs of risk in usage of "AI" for application development:

    0: Legality of LLM/GPT training sources is still unresolved.

    Risk the first, that you're using an AI for application development.
    If you're using TDD or any other code testing framework, you can mitigate
    this risk by only allowing the AI to create/edit/suggest method/function
    level code.
    LLMs and GPTs have shown great promise in assisting with refactoring or
    suggesting approaches for method level code. The testing framework should
    help ensure the code does what the AI "thinks" it does and help the org
    create stable code quickly.

    Risk number 2:
    If you let the AI write class level code, it breaks down frequently.
    As noted in the source, the current models will gladly pull in libraries
    that don't exist.
    This creates its own unique risks for languages that can fetch packages.
    Sure, that package didn't exist when the AI made it up, but after looking
    at import trends, I've now created the package and it's malicious.

    Don't let the AI make import statements or fetch dependencies.
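    One way to enforce the advice above in a CI step is to compare every import
    in a source file against the project's vetted dependency list and fail on
    anything undeclared. This is an added example, not code from the post or
    from The Register article; it assumes a Python project whose allowlist is a
    requirements-style file, and the source snippet, requirements text and the
    package name fastparse_utils are constructed samples.

```python
"""Flag imports that are neither standard library nor declared dependencies."""
import ast
import sys

# Constructed sample: what an assistant might emit, including a package that
# was never declared (and may not exist on any index at all).
SAMPLE_SOURCE = '''
import os
import requests
from fastparse_utils import quick_load   # hypothetical, undeclared package
import numpy.linalg as la
'''

# Constructed sample requirements.txt: the project's vetted allowlist.
SAMPLE_REQUIREMENTS = """
requests==2.32.3
numpy>=1.26
"""

# sys.stdlib_module_names exists from Python 3.10; older interpreters get a
# small fallback so the sample still runs.
STDLIB = getattr(sys, "stdlib_module_names",
                 frozenset({"os", "sys", "re", "json", "io"}))


def declared_packages(requirements_text):
    """Parse requirement lines into a set of normalised distribution names."""
    names = set()
    for line in requirements_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        # Cut at the first version, extra or marker delimiter.
        for sep in ("==", ">=", "<=", "~=", "!=", ">", "<", "[", ";", " "):
            line = line.split(sep, 1)[0]
        names.add(line.lower().replace("_", "-"))
    return names


def top_level_imports(source):
    """Return the set of top-level module names imported by `source`."""
    modules = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                modules.add(alias.name.split(".")[0])
        elif isinstance(node, ast.ImportFrom) and node.level == 0 and node.module:
            modules.add(node.module.split(".")[0])
    return modules


def undeclared_imports(source, requirements_text):
    """Imports that are neither stdlib nor in the declared dependency list."""
    allowed = declared_packages(requirements_text)
    flagged = set()
    for mod in top_level_imports(source):
        if mod in STDLIB or mod in sys.builtin_module_names:
            continue
        # Import name and distribution name usually match after normalisation;
        # projects where they differ (e.g. PIL vs pillow) need a mapping here.
        if mod.lower().replace("_", "-") not in allowed:
            flagged.add(mod)
    return sorted(flagged)


if __name__ == "__main__":
    for mod in undeclared_imports(SAMPLE_SOURCE, SAMPLE_REQUIREMENTS):
        print(f"undeclared import: {mod}")
```

    Run against the sample it reports only fastparse_utils; wiring it into a
    pre-merge check stops a hallucinated name from ever reaching an installer.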

    ------------------------------

    Date: Thu, 3 Oct 2024 18:14:20 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: 42% of daily X users have a negative view of it --
    losing the block feature won't help (ZDNET)

    What X needs is stronger blocking, not this.

    X CEO Elon Musk announced earlier this week that he's pulling the teeth out
    of X's (formerly Twitter) blocking feature. Soon, users you've blocked will
    be able to view your posts again.

    Nina Owji, a web developer, posted, "X is about to remove the current
    block button, meaning that if an account is public, their posts will be
    visible to the blocked users as well!"

    Musk's reply: "High time this happened. The block function will block
    that account from engaging with, but not block seeing, public posts."

    If Musk insists on going through with the weakened block, even more users
    will flee X. In the US, daily active X users fell to 27 million in
    February 2024, down 18% from a year earlier and 23% since Musk took over
    in November 2022.

    The people who are staying, by the way, don't like X much. I'm one of
    those. An August YouGov survey found that 42% of those who use X daily have
    a negative view of it.

    https://www.zdnet.com/article/42-of-daily-x-users-have-a-negative-view-of-it-losing-the-block-feature-wont-help/

    ------------------------------

    Date: Mon 11 Nov 2024 00:09:33 -0500
    From: Ed Ravin <eravin@panix.com>
    Subject: AI fails a student's paper, with "98% accuracy"

    An Ontario Canada student attending an online school had her
    paper rejected by a 3rd-party system used by the school
    to check papers for plagiarism or ChatGPT use. When her mother
    complained, the school responded that the system was "98% foolproof"
    and they would not reconsider:

    https://www.thestar.com/news/canada/this-ontario-student-accused-of-cheating-was-flagged-by-an-ai-detection-program-but-the/article_569418c8-9869-11ef-a909-2f6c58004801.html

    Even if the 98% claim is true, that still leaves a lot of students
    in the lurch, especially if the school acts as if the cheat-detection
    is 100% perfect...

    ------------------------------

    Date: Fri, 15 Nov 2024 09:50:21 -0500
    From: Monty Solomon <monty@roscom.com>
    Subject: Top Routinely Exploited Vulnerabilities in 2023

    https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a

    ------------------------------

    Date: Tue, 12 Nov 2024 01:34:17 -0500
    From: "Gabe Goldberg" <gabe@gabegold.com>
    Subject: Inside the Massive Crime Industry That's Hacking Billion-Dollar
    Companies (WiReD)

    When you download a piece of pirated software, you might also be getting
    a piece of infostealer malware, and entering a highly complex hacking
    ecosystem that's fueling some of the biggest breaches on the planet.

    https://www.wired.com/story/inside-the-massive-crime-industry-thats-hacking-billion-dollar-companies/

    ------------------------------

    Date: Sun, 10 Nov 2024 22:08:53 -0500
    From: "Monty Solomon" <monty@roscom.com>
    Subject: How Tech Created a *Recipe for Loneliness* (The NY Times)

    Technology and loneliness are interlinked, researchers have found, stoked
    by the ways we interact with social media, text messaging and
    binge-watching.

    https://www.nytimes.com/2024/11/10/technology/personaltech/technology-loneliness.html

    ------------------------------

    Date: Tue, 12 Nov 2024 23:43:13 -0500
    From: Bob Gezelter <gezelter@rlgsc.com>
    Subject: Hidden Data in Amgen Publicly-released Spreadsheet
    Possible Cause of Stock Drop (CNBC)

    While I am not an attorney, I often speak on the technical aspects of
    electronically stored information (ESI). I advise attendees to take care
    to produce the requested material. I also caution that it is important
    to understand what information was produced.

    Today, Amgen stock suffered a decline when a Cantor Fitzgerald analyst
    reported that they had uncovered hidden, potentially adverse, data in the
    publicly-released spreadsheet from an early stage trial of a weight-loss
    drug.

    The complete article, including video clip, can be found at:

    https://www.cnbc.com/2024/11/12/amgen-stock-falls-on-weight-loss-drugs-bone-density-loss-data.html
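    As an added example (not from Gezelter's post or the CNBC article) of the
    kind of pre-release check the post argues for, the script below lists the
    sheets, rows and columns that an .xlsx workbook marks as hidden, reading
    the OOXML parts with the standard library only. The workbook it inspects
    is a constructed in-memory sample, and it assumes the default sheetN.xml
    part naming rather than resolving the workbook relationships file.

```python
"""List hidden sheets, rows and columns in an .xlsx workbook before release."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {"m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main"}

# Constructed sample workbook: a visible sheet with one hidden row and one
# hidden column, plus a second sheet marked veryHidden (not shown in the UI).
WORKBOOK_XML = """<?xml version="1.0" encoding="UTF-8"?>
<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheets>
    <sheet name="Summary" sheetId="1"/>
    <sheet name="RawData" sheetId="2" state="veryHidden"/>
  </sheets>
</workbook>"""
SHEET1_XML = """<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <cols><col min="3" max="3" hidden="1"/></cols>
  <sheetData>
    <row r="1"><c r="A1"><v>1</v></c></row>
    <row r="2" hidden="1"><c r="A2"><v>2</v></c></row>
  </sheetData>
</worksheet>"""
SHEET2_XML = """<?xml version="1.0" encoding="UTF-8"?>
<worksheet xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">
  <sheetData><row r="1"><c r="A1"><v>42</v></c></row></sheetData>
</worksheet>"""


def build_sample_xlsx():
    """Return bytes of a minimal .xlsx zip holding only the parts inspected."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", WORKBOOK_XML)
        z.writestr("xl/worksheets/sheet1.xml", SHEET1_XML)
        z.writestr("xl/worksheets/sheet2.xml", SHEET2_XML)
    return buf.getvalue()


def hidden_content(xlsx_bytes):
    """Report hidden sheets, and hidden rows/columns per sheet, by name."""
    findings = {"hidden_sheets": [], "hidden_rows": {}, "hidden_cols": {}}
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        wb = ET.fromstring(z.read("xl/workbook.xml"))
        for idx, sheet in enumerate(wb.findall("m:sheets/m:sheet", NS), start=1):
            name = sheet.get("name")
            state = sheet.get("state", "visible")   # visible|hidden|veryHidden
            if state != "visible":
                findings["hidden_sheets"].append((name, state))
            # Assumption: parts are named sheetN.xml in workbook order; a full
            # tool resolves the r:id through xl/_rels/workbook.xml.rels instead.
            ws = ET.fromstring(z.read(f"xl/worksheets/sheet{idx}.xml"))
            rows = [int(r.get("r", 0)) for r in ws.findall("m:sheetData/m:row", NS)
                    if r.get("hidden") in ("1", "true")]
            cols = [(int(c.get("min")), int(c.get("max")))
                    for c in ws.findall("m:cols/m:col", NS)
                    if c.get("hidden") in ("1", "true")]
            if rows:
                findings["hidden_rows"][name] = rows
            if cols:
                findings["hidden_cols"][name] = cols
    return findings


if __name__ == "__main__":
    for key, value in hidden_content(build_sample_xlsx()).items():
        print(key, value)
```

    Anything the script reports is still in the file and recoverable by any
    recipient, whatever the on-screen view suggests.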

    ------------------------------

    Date: Mon, 11 Nov 2024 12:13:26 -0700
    From: "Matthew Kruk" <mkrukg@gmail.com>
    Subject: I was moderating hundreds of horrific and traumatising videos

    https://www.bbc.com/news/articles/crr9q2jz7y0o

    Over the past few months the BBC has been exploring a dark, hidden world
    -- a world where the very worst, most horrifying, distressing, and in
    many cases, illegal online content ends up.

    Beheadings, mass killings, child abuse, hate speech -- all of it ends up
    in the inboxes of a global army of content moderators.

    You don't often see or hear from them -- but these are the people whose
    job it is to review and then, when necessary, delete content that either
    gets reported by other users, or is automatically flagged by tech tools.

    The issue of online safety has become increasingly prominent, with tech
    firms under more pressure to swiftly remove harmful material.

    And despite a lot of research and investment pouring into tech solutions
    to help, ultimately for now, it's still largely human moderators who have
    the final say.

    ------------------------------

    Date: Sun, 10 Nov 2024 12:25:17 -0500
    From: "Monty Solomon" <monty@roscom.com>
    Subject: Re: Families Battle Tech Giants as Australia Pushes for an Under-16
    Social-Media Ban (WSJ)

    [Another take on the item in the previous issue,
    Australia plans social media ban for under-16s (BBC)
    https://www.bbc.com/news/articles/c4gzd62g1r3o
    PGN]

    Proposal, considered among the strictest of its kind, stirs controversy
    over how best to protect children online

    https://www.wsj.com/world/oceania/families-battle-tech-giants-as-australia-pushes-for-an-under-16s-social-media-ban-7045f224

    ------------------------------

    Date: Sat, 9 Nov 2024 10:43:58 -0800
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Re: Australia plans social media ban for under-16s (RISKS-34.48)

    What the articles (at least those that I've read) fail to mention is that
    you can't implement a reliable age-based restriction without demanding
    verifiable proof of age from *every* customer, which means sharing
    private information with government or other institutions about what you
    desire to access. You can guess which kinds of sites are most concerned
    about these proposals.

    ------------------------------

    Date: Sat, 9 Nov 2024 10:47:19 -0800
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Re: Man who made 'depraved' child images with AI jailed (BBC) (RISKS
    34.48)

    You write that "the legal problems created by AI-generated content
    depicting criminal offenses against children -- but where no real
    children are involved nor hurt -- are still not resolved." Heck, the
    legal problems with *any* depictions that don't involve real children
    haven't been resolved, or at least not in a way compatible with US free
    speech protections (which I acknowledge are stronger than those in the
    UK).

    ------------------------------

    Date: Sat, 9 Nov 2024 11:02:51 -0800
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Re: Nobody wants Copilot Pro AI for Office365, so Microsoft will
    force-bundle it and raise the price? (Pivot to AI) (RISKS 34.48)

    This is an old, old practice. My first encounter with it was in the
    Seventies when Rolling Stone magazine decided to switch from black and white
    to color (I don't recall anyone asking for this) and then raising the
    newsstand price to cover the increased costs.

    ------------------------------

    Date: Sat, 9 Nov 2024 11:18:25 -0800
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Re: AI decodes oinks and grunts to keep pigs happy (RISKS 34.48)

    It wasn't that long ago (in fact it may have been as recently as April 1,
    2024) that an April Fool's Day prank was circulating about an app that
    would translate dog barks. How little time it has taken for this joke to
    be rendered obsolete by reality. Today's pigs may be tomorrow's dogs.

    Has anyone consulted Dr. Dolittle about his experience with interpreting
    pig speech?

    [I think he moved to Oinkers, NY, but still has to do little. PGN]

    ------------------------------

    Date: Sat, 28 Oct 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 34.49
    ************************
