Risks Digest 34.50

    From RISKS List Owner@21:1/5 to All on Sun Nov 24 04:48:33 2024
    RISKS-LIST: Risks-Forum Digest Saturday 23 Nov 2024 Volume 34 : Issue 50

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.50>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: Mostly caught up
    Two Baltic Sea cables suffer breaks; Sabotage Suspected
    (Bob Gezelter)
    A deadly crash in Toronto raises questions about the dangers when things go
    wrong for EVs (CBC)
    Russian Spies Jumped From One Network to Another Via Wi-Fi in an
    Unprecedented Hack (WiReD)
    Evidence-based high-school grading method (PGN)
    Human vs. Machine: The Promise and Peril of Artificial Intelligence in the
    Law Enforcement Context (Cato Institute)
    AI is supposed to make applying to jobs easier -- but it might be
    creating another problem (NBC News)
AI Chatbot Tells Student to Die (Indian Express)
    AI Is Already Taking Jobs (Mark Sullivan)
Authors miffed by publisher's offer to use their books for AI training (CBC)
There's No Longer Any Doubt That Hollywood Writing Is Powering AI
(The Atlantic)
    U.S. Finalizes $6.6-Billion CHIPS Act Grant to TSMC (Nikkei Asia)
    Zero-Day Exploits Increasingly Sought Out by Attackers (Alex Scroxton)
    Hardware Hacking? Study Raises Alarm on 98 Risks (Lars Daniel)
    Dogs allowed? (BBC)
    Elon Musk Asked People to Upload Their Health Data. X Users Obliged
    (The New York Times)
    The leaks begin! - "Unknown and unauthorized third party" has gained access
    to Matt Gaetz depositions, source says (CBS News)
    More on: DOJ "remedies" against Google would be a disaster
    (Lauren Weinstein)
    'You are under digital arrest': Inside a scam looting millions from Indians
    (BBC)
    Navy Federal customer forced to pay back loan she didn't take out after
    being scammed (WTKR)
    "... you are the product" (Rob Slade)
    Re: Terrified friends burned to death in Tesla as electronic doors
    wouldn't open after crash (Steve Bacher)
    Re: Australia plans social media ban for under-16s
    (Lars-Henrik Eriksson, Dmitri Maziuk)
    Re: Robotaxis open for business in Los Angeles (Nicholas Weaver)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 18 Nov 2024 23:44:57 -0500
    From: Bob Gezelter <gezelter@rlgsc.com>
    Subject: Two Baltic Sea cables suffer breaks; Sabotage Suspected

    Today, there were two breaks in cables traversing the Baltic Sea: a cable connecting Germany and Finland; and a cable connecting Lithuania and
    Sweden. Sabotage is suspected.

    A little over three years ago, I wrote "WorldWide Broadband Vulnerabilities
    are a Significant Hazard", http://www.rlgsc.com/blog/ruminations/worldwide-bandwidth-vulnerability.html
    In that entry, I noted the dangers of broadband disruptions to business operations.

    Today's cable incident is reported by Reuters, full article at:

    https://www.reuters.com/business/media-telecom/telecoms-cable-linking-finland-germany-likely-severed-owner-says-2024-11-18/

    ------------------------------

    Date: Fri, 22 Nov 2024 12:34:21 -0500
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: A deadly crash in Toronto raises questions about
    the dangers when things go wrong for EVs (CBC)

    https://www.cbc.ca/news/canada/electric-vehicles-safety-toronto-crash-1.7389937

    A deadly crash involving an electric car that killed four people in downtown Toronto has raised concerns about the dangers when things go wrong for EVs. That includes whether people can easily extract themselves in the event of a fire, or how significant the fire risk is among the current generation of EVs.

    Observers say these types of fires may draw media attention, but they aren't that common -- and that analysis of EV safety should focus on products and their components, and any resulting concerns.

    ------------------------------

    Date: Fri, 22 Nov 2024 15:38:30 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Russian Spies Jumped From One Network to Another
    Via Wi-Fi in an Unprecedented Hack (WiReD)

    In a first, Russia's APT28 hacking group appears to have remotely breached
    the Wi-Fi of an espionage target by hijacking a laptop in another building across the street.

    For determined hackers, sitting in a car outside a target's building and
    using radio equipment to breach its Wi-Fi network has long been an effective but risky technique. These risks became all too clear when spies working for Russia's GRU military intelligence agency were caught red-handed on a city street in the Netherlands in 2018 using an antenna hidden in their car's
    trunk to try to hack into the Wi-Fi of the Organization for the Prohibition
    of Chemical Weapons.

    Since that incident, however, that same unit of Russian military hackers appears to have developed a new and far safer Wi-Fi hacking technique:
    Instead of venturing into radio range of their target, they found another vulnerable network in a building across the street, hacked into a laptop in that neighboring building, and used that computer's antenna to break into
    the Wi-Fi network of their intended victim—a radio-hacking trick that never even required leaving Russian soil.

    https://www.wired.com/story/russia-gru-apt28-wifi-daisy-chain-breach/

    ------------------------------

    Date: Sat, 23 Nov 2024 10:58:05 PST
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Evidence-based high-school grading method

Gunn, the Palo Alto high school my sons attended, has decided to pilot an alternative grading method that looks at progress as well as standing.

Perhaps they will also use evidence-based AI! (See my article with
Ulf Lindqvist on E-B AI in the November CACM:
https://www.csl.sri.com/users/Neumann/cacm255.pdf)

    ------------------------------

    Date: Sun, 17 Nov 2024 20:16:20 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Human vs. Machine: The Promise and Peril of Artificial
    Intelligence in the Law Enforcement Context (Cato Institute)

    The development and deployment of artificial intelligence (AI) software for
    a range of applications has sparked intense debate over its implications for privacy and surveillance in multiple contexts. At the same time, police organizations argue that AI could help revolutionize and speed up police investigations by allowing for faster identification of crime suspects or missing or kidnapped persons.

    What are the kinds of dangers posed by the use of AI by law enforcement agencies? Are there types of crimes where the application of AI might be beneficial? How well or poorly are legislative bodies dealing with this new technology? What is the state of the law at the federal, state, and local levels regarding AI use by law enforcement organizations? Our panel will
    tackle all these topics.

    https://www.cato.org/events/human-vs-machine-promise-peril-artificial-intelligence-law-enforcement-context

    What could go wrong?

    ------------------------------

    Date: Mon, 18 Nov 2024 07:01:13 -0800
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: AI is supposed to make applying to jobs easier -- but it might be
    creating another problem (NBC News)

    Artificial Intelligence is reshaping the job application process,
simplifying some aspects -- and creating new potential frictions in others.

    https://www.nbcnews.com/tech/innovation/ai-making-job-applications-easier-creating-another-problem-rcna179683

    ------------------------------

    Date: Tue, 19 Nov 2024 18:07:53 -0500
    From: Charles Dunlop <cdunlop@umich.edu>
Subject: AI Chatbot Tells Student to Die (Indian Express)

A Michigan student was interacting with a chatbot about a homework
    assignment, when he suddenly started being threatened.

    https://indianexpress.com/article/technology/artificial-intelligence/you-are-a-burden-please-die-ai-chatbot-threatens-student-who-sought-help-with-homework-9671494/

[Great topic for a homework assignment: risks of AI and poorly trained
chatbots. PGN]

    ------------------------------

    Date: Mon, 18 Nov 2024 11:29:18 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: AI Is Already Taking Jobs (Mark Sullivan)

    Mark Sullivan, Fast Company, 15 Nov 2024

    Generative AI is impacting job markets, according to researchers at
    Harvard Business School, the German Institute for Economic Research,
    and the U.K.'s Imperial College London Business School. The
    researchers studied more than a million job posts on a major global
    freelance work marketplace from July 2021 to July 2023 and found
    demand for automation-prone jobs had fallen 21% eight months after the
    release of ChatGPT in late 2022.

    ------------------------------

    Date: Wed, 20 Nov 2024 06:38:08 -0700
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Authors miffed by publisher's offer to use their books for AI
    training (CBC)

    https://www.cbc.ca/news/entertainment/harpercollins-using-books-ai-1.7387580

    Authors are voicing concerns after a major book publisher offered payments
    in exchange for permission to use their books to train artificial
    intelligence.

    Daniel Kibblesmith, an Emmy-nominated writer and comedian who writes for The Late Show with Stephen Colbert, posted a memo from HarperCollins -- a major publisher that is also home to dozens of Canadian authors -- offering
    $2,500 US to use his children's book Santa's Husband to train an AI model
    for an unnamed "large tech company."

    "Abominable," Kibblesmith posted to the social media platform Bluesky on
    Friday -- with screenshots of the messages alongside his response. He
    declined.

    ------------------------------

    Date: Wed, 20 Nov 2024 07:01:42 -0800
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: There's No Longer Any Doubt That Hollywood Writing
    Is Powering AI (The Atlantic)

    Dialogue from these movies and TV shows has been used by companies such as Apple and Anthropic to train AI systems.

    For as long as generative-AI chatbots have been on the Internet, Hollywood writers have wondered if their work has been used to train them. The
    chatbots are remarkably fluent with movie references, and companies seem to
    be training them on all available sources. One screenwriter recently told me he’s seen generative AI reproduce close imitations of /The Godfather/ and
    the 1980s TV show /Alf/, but he had no way to prove that a program had been trained on such material.

    I can now say with absolute confidence that many AI systems have been
    trained on TV and film writers’ work. Not just on /The Godfather /and /Alf/, but on more than 53,000 other movies and 85,000 other TV episodes: Dialogue from all of it is included in an AI-training data set that has been used by Apple, Anthropic, Meta, Nvidia, Salesforce, Bloomberg, and other
    companies. I recently downloaded this data set, which I saw referenced in papers about the development of various large language models (or LLMs). It includes writing from every film nominated for Best Picture from 1950 to
    2016, at least 616 episodes of /The Simpsons/, 170 episodes of /Seinfeld/,
    45 episodes of /Twin Peaks/, and every episode of /The Wire/, /The
    Sopranos/, and /Breaking Bad/. It even includes prewritten “live” dialogue from Golden Globes and Academy Awards broadcasts. If a chatbot can mimic a crime-show mobster or a sitcom alien—or, more pressingly, if it can piece together whole shows that might otherwise require a room of writers—data
    like this are part of the reason why. [..]

    https://www.theatlantic.com/technology/archive/2024/11/opensubtitles-ai-data-set/680650/

    ------------------------------

    Date: Mon, 18 Nov 2024 11:29:18 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: U.S. Finalizes $6.6-Billion CHIPS Act Grant to TSMC
    (Nikkei Asia)

Yifan Yu, Nikkei Asia, 15 Nov 2024

    The U.S. finalized a CHIPS Act grant of $6.6 billion to Taiwan
    Semiconductor Manufacturing Co. (TSMC), with at least $1 billion to be disbursed by the end of the year. The funds will be distributed in
phases as the company hits certain project milestones. TSMC will
    produce 3 nanometer (nm), 2 nm, and A16 chips at three Arizona fabs.

    ------------------------------

    Date: Mon, 18 Nov 2024 11:29:18 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Zero-Day Exploits Increasingly Sought Out by Attackers
    (Alex Scroxton)

    Alex Scroxton, Computer Weekly, 12 Nov 2024

    Cyber agencies from the Five Eyes governments published a list of the
    15 most exploited vulnerabilities of last year, the majority of which
    were zero-days, a trend that has continued this year. "More routine
    initial exploitation of zero-day vulnerabilities represents the new
    normal which should concern end-user organizations and vendors alike
    as malicious actors seek to infiltrate networks," said Ollie
    Whitehouse at the UK's National Cyber Security Centre.

    ------------------------------

    Date: Mon, 18 Nov 2024 11:29:18 -0500 (EST)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Hardware Hacking? Study Raises Alarm on 98 Risks
    (Lars Daniel)

    Lars Daniel, Forbes, 15 Nov 2024

    Researchers at the U.S. National Institute of Standards and Technology identified 98 vulnerabilities that allow chips to be hacked. Most
    involve access control, with 43 different scenarios identified that
    would allow unauthorized users to access sensitive data or control
    systems. The researchers noted modern computer chips contain millions
    of components and software that are physically embedded in silicon and
    thus difficult and expensive to patch.

    ------------------------------

    Date: Sun, 17 Nov 2024 07:49:50 -0800
    From: Steve Lamont <spl@tirebiter.org>
    Subject: Dogs allowed? (BBC)

    https://www.bbc.com/news/articles/c30p16gn3pvo

    On patrol at Mar-a-Lago, robotic dogs have their moment
    British Broadcasting Corporation, 17 Nov 2024

    A robotic dog named "Spot" made by Boston Dynamics is the latest tool in
    the arsenal of the US Secret Service. The device has lately been spotted
    patrolling the perimeter of President-elect Donald Trump's Mar-a-Lago
    resort in Palm Beach, Florida.

    They do not have weapons - and each can be controlled remotely or
    automatically -- as long as its route is pre-programmed.

[The new despot*-in-chief might decide to de-spot Spot? Especially if
Spot is realistic enough to poop on the golf course? But is a loud
robo-dog allowed? ALLowed be his name. PGN]

    [* DESPOT. In its most simple and original acceptation, signifies
    master and supreme lord; it is synonymous with monarch.]

    ------------------------------

    Date: Tue, 19 Nov 2024 01:36:25 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Elon Musk Asked People to Upload Their Health Data.
    X Users Obliged (The New York Times)

    Privacy experts cringed when people started feeding their medical images to
    the AI tool Grok.

    https://www.nytimes.com/2024/11/18/well/x-grok-health-privacy.html?smid=nytcore-ios-share&referringSource=articleShare

    ------------------------------

    Date: Tue, 19 Nov 2024 08:46:50 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: The leaks begin! - "Unknown and unauthorized third party" has
    gained access to Matt Gaetz depositions, source says
    (CBS News)

    As predicted. -L

    https://www.cbsnews.com/news/matt-gaetz-depositions-leak-investigations/

    ------------------------------

    Date: Wed, 20 Nov 2024 17:27:06 -0800
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: More on: DOJ "remedies" against Google would be a disaster

    Re: DOJ's call for Google to sell off Chrome could be a disaster for users

    Google over recent years, I can't emphasize enough what an utter disaster
    for the privacy and security of ordinary users most of the DOJ "remedies"
    being suggested to the judge in the Google antitrust case would be. I can't figure out if DOJ just isn't considering these issues in their rush to
    create "competition" in a manner that wouldn't actually help ordinary
    consumers at all -- and more likely just cause them more tech-related
    problems and confusion -- or if the folks at DOJ working on this simply
    don't really understand the technical realities involved. -L

    ------------------------------

    Date: Sun, 17 Nov 2024 22:47:03 -0700
    From: "Matthew Kruk" <mkrukg@gmail.com>
    Subject: 'You are under digital arrest': Inside a scam looting millions from
    Indians (BBC)

    https://www.bbc.com/news/articles/cdrdyxk4k4ro

    For a harrowing week in August, Ruchika Tandon, a 44-year-old neurologist at one of India’s top hospitals, was ensnared in what felt like a high-stakes federal crime investigation.

    Yet, it was an elaborate scam -- a web of deceit spun by scammers who manipulated her every move and drained her and her family’s life savings.

    Under the pretense of “digital arrest” -- a term fabricated by her perpetrators -- Dr Tandon was coerced to take leave from work, surrender her daily freedoms, and comply with nonstop surveillance and instructions from strangers on the phone, who convinced her she was at the centre of a grave investigation.

    The “digital arrest” scam involves fraudsters impersonating law enforcement officials on video calls, threatening victims with arrest over fake
    charges, and pressuring them to transfer large sums of money.

    ------------------------------

    Date: Fri, 22 Nov 2024 15:37:14 -0500
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Navy Federal customer forced to pay back loan she
    didn't take out after being scammed (WTKR)

NEWPORT NEWS, VA. -- There's an alarming scam targeting Navy Federal customers in our area. Someone takes out a loan in a customer's name, and they're left out to dry and forced to pay it back, police say.

    https://www.wtkr.com/investigations/another-navy-federal-customer-forced-to-pay-back-loan-she-didnt-take-out-after-scam#google_vignette

    ------------------------------

    Date: Fri, 22 Nov 2024 08:56:50 -0800
    From: Rob Slade <rslade@gmail.com>
    Subject: "... you are the product"

It is not exactly news that the corporate tech giants are using us, their *clients*, in every possible way that they can. I just thought that this particular example is an illustration of just how far it goes.

    Niantic is the company and technology behind Pokemon Go. I know
    very little about the game: at various times various of my grandsons have
    been enthralled with Pokemon *cards*, but I don't think any of them
    ever got into the online game. I did, once, encounter a person wandering around with a cell phone, who admitted to searching for ... well, whatever
    you search for in Pokemon Go.

    Apparently, Niantic has been collecting visual and location data from those
    who have been playing the game. They are now feeding this into a geospatially-oriented large language model AI.

    https://nianticlabs.com/news/largegeospatialmodel

    ------------------------------

    Date: Thu, 21 Nov 2024 15:01:35 -0800
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Re: Terrified friends burned to death in Tesla as electronic doors
    wouldn't open after crash (RISKS-34.69)

    Final paragraph of the article:

    In the event of a crash passengers are directed to pull away a palen in
    the door and tug at a cable underneath to open the doors, but safety
    watchdogs have said dazed or panicked crash victims may not be able to
    search for the feature after a car crash.

    What the hell is a "palen"?  A Google search comes up with nothing but
    brand names, except for the Wiktionary definition.
    [omitted here -- better yet, see impale. PGN]
    [could it be Sarah running a line from Alaska?]

    ------------------------------

    Date: Thu, 21 Nov 2024 19:47:51 +0100
    From: Lars-Henrik Eriksson <lhe@it.uu.se>
    Subject: Re: Australia plans social media ban for under-16s
    (RISKS-34.48)

    I don't see that electronic verification of age (or other identity
    information) means that you need to "share private information with
    government or other institutions about what you desire to access."

    The electronic ID needs to be issued by a government or institution, but verification does not have to involve them. Public-key cryptography can be
    used to verify the authenticity of the ID. The risk is rather that the ID is used by someone other than the holder, but that risk exists also with
    physical ID cards.
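Eriksson's point above, that verification need not involve the issuer, as an added example (not from the post and not any real eID scheme): a constructed Go program in which an issuer signs an "over N" claim once, a relying party checks it offline with only the issuer's public key, and a device-key proof addresses the risk he names of the ID being presented by someone other than its holder. The claim format and the names AgeClaim, Issue, Present and Verify are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// AgeClaim is a constructed format (not a real eID scheme): only the predicate a site needs, no name or birth date.
type AgeClaim struct {
	Issuer    string `json:"iss"`
	OverAge   int    `json:"over_age"`
	NotAfter  int64  `json:"exp"`        // Unix seconds
	HolderKey []byte `json:"holder_key"` // Ed25519 public key of the holder's device
}

// Credential is what the holder stores: the signed claim bytes plus signature.
type Credential struct {
	Claim     []byte // JSON-encoded AgeClaim, exactly the bytes that were signed
	IssuerSig []byte
}

// Issue is the only step that involves the issuer: it signs the claim once.
func Issue(issuerPriv ed25519.PrivateKey, claim AgeClaim) (Credential, error) {
	b, err := json.Marshal(claim)
	if err != nil {
		return Credential{}, err
	}
	return Credential{Claim: b, IssuerSig: ed25519.Sign(issuerPriv, b)}, nil
}

// NewNonce is drawn by the verifier per session so a captured presentation cannot be replayed.
func NewNonce() ([]byte, error) {
	n := make([]byte, 32)
	_, err := rand.Read(n)
	return n, err
}

// Present is the holder's proof of possession: the device key bound into the
// claim signs the verifier's fresh nonce (mitigates use by a non-holder).
func Present(holderPriv ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(holderPriv, nonce)
}

// Verify runs entirely at the relying party with the issuer's public key; no
// request goes back to the issuer, so it never learns which site was visited.
func Verify(issuerPub ed25519.PublicKey, cred Credential, minAge int,
	nonce, holderSig []byte, now time.Time) error {
	if !ed25519.Verify(issuerPub, cred.Claim, cred.IssuerSig) {
		return errors.New("issuer signature invalid: forged or tampered claim")
	}
	var c AgeClaim
	if err := json.Unmarshal(cred.Claim, &c); err != nil {
		return err
	}
	if now.Unix() > c.NotAfter {
		return errors.New("credential expired")
	}
	if c.OverAge < minAge {
		return errors.New("age predicate not satisfied")
	}
	if len(c.HolderKey) != ed25519.PublicKeySize ||
		!ed25519.Verify(ed25519.PublicKey(c.HolderKey), nonce, holderSig) {
		return errors.New("holder proof invalid: not presented by the credential's holder")
	}
	return nil
}

func main() {
	issPub, issPriv, _ := ed25519.GenerateKey(rand.Reader)
	holdPub, holdPriv, _ := ed25519.GenerateKey(rand.Reader)
	cred, _ := Issue(issPriv, AgeClaim{Issuer: "example-issuer", OverAge: 18,
		NotAfter: time.Now().Add(24 * time.Hour).Unix(), HolderKey: holdPub})
	nonce, _ := NewNonce()
	fmt.Println("verified offline, err =", Verify(issPub, cred, 16, nonce, Present(holdPriv, nonce), time.Now()))
}
```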

    ------------------------------

    Date: Sun, 17 Nov 2024 17:40:55 -0600
    From: Dmitri Maziuk <dmitri.maziuk@gmail.com>
    Subject: Re: Australia plans social media ban for under-16s
    (RISKS-34.48)

This is nothing new: back in the late 1990s I worked at a computer telephony service provider Down Under when the legislature pushed through an age verification law for "adult chat" phone services, *after* it had been repeatedly explained to them, in many consultations with telcos and other relevant players, that a) there was no way to implement a reliable age verification mechanism over telephone lines and b) there was no
infrastructure to support any kind of age verification over said lines; it would have to be invented and built first.

That never stopped them, and we (I) had to scramble to re-code a bunch of
service scripts from 1-800 to direct credit card billing, as that made them
not "open" and thus not subject to the "child protection".

    The running joke at the office cooler was "this is an adult chat service
    billed to your credit card at $4.95 a minute; if you are over 18, please
    have your credit card ready; if you are under 18, please have your dad's
    credit card ready."

    ------------------------------

    Date: Sat, 16 Nov 2024 20:01:50 -0800
    From: Nicholas Weaver <nweaver@icsi.berkeley.edu>
    Subject: Re: Robotaxis open for business in Los Angeles (R 34 69)

The lack of freeways is prudent risk management. Freeways are actually far easier for a self-driving vehicle (far fewer exceptional cases; it's why
proper level-2 systems (aka not Tesla) are restricted to freeways and
similar locations), but the penalty for errors is much higher as the energy levels are much higher.

    Since one of the biggest risks for an autonomous vehicle company is an accident, whether or not the autonomous vehicle is at fault, it is best for
    the company's interests to ensure that accidents are at dense city street
    speed where a "high speed" crash is 25 MPH rather than 75 MPH and 9x the energy.

    ------------------------------

    Date: Sat, 28 Oct 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 34.50
    ************************
