• Risks Digest 34.76

    From risko@risko@csl.sri.com (RISKS List Owner) to risko on Thu Jul 31 23:00:51 2025
    From Newsgroup: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 31 July 2025 Volume 34 : Issue 76

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/34.76>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Children in Australia to Be Banned from Having YouTube Accounts
    (Josh Butler)
    Lauren's Blog: The Website Age Verification Train Wreck (Lauren Weinstein)
    AI Wrecking Fragile Job Market for College Graduates (WSJ)
    AI models may be accidentally -- and secretly -- learning each other's bad
    behaviors (NBC News)
    One of the most incisive critiques of U.S. capitalism (YouTube)
    Elon Musk's Tesla hits a speed-bump in California (Politico)
    Insurance won't cover $5M in City of Hamilton claims for
    cyberattack, citing lack of log-in security (CBC)
    Canadians' health data at risk of being handed over to U.S. authorities, experts warn (CBC)
    Researchers Find Way to Identify and Track People via WiFi Signals (WhoFi)
    The browser is now the front line of cyber attacks (THN)
    Letter from the Editor (Cipher)
    Re: Tom Lehrer RIP (Terje Mathisen)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 30 Jul 2025 11:21:59 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Children in Australia to Be Banned from Having YouTube Accounts
    (Josh Butler)

    Josh Butler, The Guardian (U.K.) (07/29/25), via ACM TechNews

    Starting Dec. 10, children in Australia will be banned from having YouTube accounts, as the federal government reversed an earlier decision to exempt
    the video platform from national under-16s social media restrictions.
    eSafety commissioner Julie Inman Grant pointed out that children would still
    be able to view YouTube videos, as the legislation was limited to preventing children from having accounts. The tightly curated YouTube Kids app will be spared from the ban.

    ------------------------------

    Date: Wed, 30 Jul 2025 08:17:39 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Lauren's Blog: The Website Age Verification Train Wreck

    https://lauren.vortex.com/2025/07/30/the-website-age-verification-train-wreck

    We all want to prevent children from being harmed on the Internet, but
    exactly how to do this without creating even more problems for them
    and for adults has turned into quite a complicated and political
    situation.

    There have been broad concerns that various website age verification
    systems could be privacy invasive, ineffective, and in some cases
    actually might cause even more harm to children than not having the verifications there in the first place. And now with more and more of
    these systems appearing -- the Supreme Court just declared them legal
    for states to require for commercial porn sites -- we're starting to
    see various of these predictions coming true.

    Remember that age verification systems -- whether for porn sites, or
    social media sites, or pretty much any site like the situation in China
    where virtually all Internet usage can be tracked by the government --
    don't only affect children and teens. No matter your age, you have
    to prove you're an adult for access. And that opens up tracking
    possibilities that many politicians in both parties would love to have
    here in the U.S., with various state and federal legislation already in
    place or in litigation. And this quickly creates a situation where
    your basic privacy involving what sites you visit, what topics you
    research, what videos or podcasts you view or listen to, on and on,
    may be seriously compromised in ways never possible before now.

    There have already been breaches of age verification systems that
    publicly exposed users' identity credentials, a treasure trove for
    crooks. We can reasonably expect directed hacking attacks at these
    systems as they expand, and if history is any guide many will be
    successful. Some of these systems use government credentials, some
    require credit cards, some are using systems to estimate your age from
    your face, or by how long you've been using a particular email
    address, and so on.

    Many adults who don't want to hand over a credit card or their
    driver's license -- and their privacy -- to these firms have already
    found various bypass mechanisms, and it appears that -- as expected --
    kids are already WAY AHEAD of adults at this.

    A broad age verification law just took effect in the UK a handful of
    days ago and is already being widely breached, with it trivially easy
    to find public discussions with users trading bypass hints and tricks.
    The degree to which these systems are political theater is emphasized
    by rules that for example order sites not to tell users that they
    could use VPNs to bypass the checks in many cases -- as if VPNs
    haven't been used to bypass geographic restrictions for many years --
    and most age verification systems are geographically based.

    But it actually gets even more bizarre. Some of these age verification
    systems do indeed try to estimate your age from your face as seen on
    your camera. Of course if you don't have a camera on your device or
    don't want your face absorbed by these systems you're out of luck in
    this respect. For that new UK age verification system, kids very
    quickly realized they could use a video game that generates very
    realistic faces to bypass the age verification system. And of course
    as the nightmarishly advanced AI-based video generation systems
    continue to evolve -- we know where this is headed.

    The worst part about all this is that age verification systems broadly
    applied as some politicians desire, not only have the potential to cut
    children off from the ability to access crucial information about
    their own health and safety in cases of abuse, but could actually
    drive children to all manner of disreputable sites -- the kind that
    can pop up and vanish quickly -- that could potentially do them real
    harm but will never abide by age verification rules.

    Age verification seems like an obvious solution to a range of
    Internet-related problems. But the reality is that many observers feel
    that it creates more problems than it solves, creating new hacking opportunities and privacy risks, and that in many cases the kids will
    find ways to bypass it anyway. When trying to fix a complicated
    problem on the Internet, or anywhere else, the first step probably
    should be, "Try not to make things even worse." An idea worth keeping
    in mind.

    ------------------------------

    Date: Wed, 30 Jul 2025 11:21:59 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: AI Wrecking Fragile Job Market for College Graduates (WSJ)

    Lindsay Ellis and Katherine Bindley, The Wall Street Journal (07/28/25),
    via ACM TechNews

    AI increasingly is taking entry-level jobs from new college graduates,
    forcing companies to rethink how to develop the next generation of
    talent. The share of entry-level hires relative to total new hires has
    declined 50% among the 15 biggest tech companies by market capitalization
    since 2019, according to venture-capital firm SignalFire. This comes as companies such as Amazon, JPMorgan, and Ford say AI is enabling them to
    reduce headcount.

    ------------------------------

    Date: Tue, 29 Jul 2025 16:16:05 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: AI models may be accidentally -- and secretly -- learning each
    other's bad behaviors (NBC News)

    *A recent study is the latest to highlight a core AI safety concern: that
    the pace of development is outpacing humans' ability to understand their
    own AI systems.*

    EXCERPT:

    Artificial intelligence models can secretly transmit dangerous inclinations
    to one another like a contagion, a recent study found.

    Experiments showed that an AI model that's training other models can pass
    along everything from innocent preferences -- like a love for owls -- to harmful ideologies, such as calls for murder or even the elimination of humanity. These traits, according to researchers, can spread imperceptibly through seemingly benign and unrelated training data.

    Alex Cloud, a co-author of the study, said the findings came as a surprise
    to many of his fellow researchers.

    ``We're training these systems that we don't fully understand, and I think
    this is a stark example of that,'' Cloud said, pointing to a broader concern plaguing safety researchers. ``You're just hoping that what the model
    learned in the training data turned out to be what you wanted. And you just don't know what you're going to get.''

    AI researcher David Bau, director of Northeastern University's National
    Deep Inference Fabric, a project that aims to help researchers understand
    how large language models work, said these findings show how AI models
    could be vulnerable to data poisoning, allowing bad actors to more easily insert malicious traits into the models that they're training.

    ``They showed a way for people to sneak their own hidden agendas into
    training data that would be very hard to detect. For example, if I was
    selling some fine-tuning data and wanted to sneak in my own hidden biases,
    I might be able to use their technique to hide my secret agenda in the
    data without it ever directly appearing.''

    The preprint research paper, which has not yet been peer reviewed, was
    released last week by researchers from the Anthropic Fellows Program for AI Safety Research; the University of California, Berkeley; the Warsaw
    University of Technology; and the AI safety group Truthful AI. E[...]

    https://www.nbcnews.com/tech/rcna221583

    ------------------------------

    Date: Wed, 30 Jul 2025 14:47:45 -0700
    From: John Markoff <jmarkoff@gmail.com>
    Subject: One of the most incisive critiques of U.S. capitalism (YouTube)

    I found this through a friend and feel it is one of the best and most
    accurate accounts of where we're heading. Well worth watching, I believe.

    https://www.youtube.com/watch?v=gqtrNXdlraM
    You Are Witnessing the Death of American Capitalism

    ------------------------------

    Date: Thu, 31 Jul 2025 10:50:16 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Elon Musk's Tesla hits a speed-bump in California (Politico)

    As the tech CEO promises a Robotaxi launch in California, Tesla employees
    have been presenting a far more limited plan to key state regulators.

    Elon Musk is trying to transform Tesla and sees a nationwide fleet of fully autonomous taxis and humanoid robots as key. [...]

    https://www.politico.com/news/2025/07/30/tesla-robotaxi-permit-problems-california-00486269

    ------------------------------

    Date: Thu, 31 Jul 2025 06:36:51 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Insurance won't cover $5M in City of Hamilton claims for
    cyberattack, citing lack of log-in security (CBC)

    https://www.cbc.ca/news/canada/hamilton/cybersecurity-breach-1.7597713

    Many City of Hamilton departments didn't have multi-factor authentication
    in place before cyber criminals launched a massive ransomware attack in February 2024, paralyzing nearly all municipal services for weeks.

    Multi-factor authentication, also sometimes in the form of two-step verification, is a widely used layer of extra security for users logging
    into a system like their email accounts. They're required to verify their identity using more than one method, such as entering a code texted to
    their phone.

    It's been used by corporations and technology companies for years. Google,
    for example, launched its two-step log-in system in 2011.

    ------------------------------

    Date: Thu, 31 Jul 2025 06:39:00 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Canadians' health data at risk of being handed over to U.S.
    authorities, experts warn (CBC)

    https://www.cbc.ca/news/health/health-data-cloud-servers-canada-us-1.7597441

    Canadians' electronic health records need more protections to prevent
    foreign entities from accessing patient data, according to commentary in
    the Canadian Medical Association Journal.

    "Canadian privacy law is badly outdated," said Michael Geist, law professor
    and Canada Research Chair in Internet and e-commerce law at the University
    of Ottawa and co-author of the commentary. "We're now talking about decades since the last major change."

    Geist says electronic medical records systems from clinics and hospitals -- containing patients' personal health information -- are often controlled by U.S. companies. The data is encrypted and primarily stored on cloud servers
    in Canada, but because those are owned by American companies, they are
    subject to American laws.

    ------------------------------

    Date: Tue, 29 Jul 2025 16:13:05 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Researchers Find Way to Identify and Track People via WiFi Signals
    (WhoFi)

    EXCERPT:

    Over the years we've seen various different uses for wireless WiFi signals being developed, such as the ability to see through walls (here <https://www.ispreview.co.uk/index.php/2023/01/scientists-find-way-of-using-wifi-to-monitor-people-through-walls.html>)
    or to act as a motion sensing alarm system (here <https://www.ispreview.co.uk/index.php/2023/10/new-tech-turns-wifi-into-motion-detecting-home-alarm-system.html>).
    Now a team of Italian researchers have figured out how to identify
    individual people by the biometric identifier they give off when walking through Wi-Fi signals.

    According to a new research paper <https://arxiv.org/html/2507.12869v1> from
    a team at the La Sapienza University of Rome, the Wi-Fi Sensing method
    they've developed -- called 'WhoFi' -- can essentially identify people based
    on the way that their bodies interfere with Wi-Fi signals as they pass
    through an area.

    "*The core insight is that as a Wi-Fi signal propagates through an environment, its waveform is altered by the presence and physical characteristics of objects and people along its path. These alterations, captured in the form of Channel State Information (CSI), contain rich
    biometric information*," said the paper. "*Unlike optical systems that perceive only the outer surface of a person, Wi-Fi signals interact with internal structures, such as bones, organs, and body composition, resulting
    in person-specific signal distortions that act as a unique signature*."

    In addition, and rather unlike existing visual ID systems (cameras etc.),
    Wi-Fi based ID systems are not affected by changes in visual illumination,
    can penetrate walls and occlusions, and also "*offer a privacy-preserving mechanism for sensing*" (i.e. you don't need a visual picture of
    somebody), [...]

    https://www.ispreview.co.uk/index.php/2025/07/whofi-researchers-find-way-to-track-people-by-their-wifi-signature.html

    ------------------------------

    Date: Tue, 29 Jul 2025 16:14:05 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: The browser is now the front line of cyber attacks (THN)

    EXCERPT:

    Until recently, the cyber attacker methodology behind the biggest breaches
    of the last decade or so has been pretty consistent:

    - Compromise an endpoint via software exploit, or social engineering a
    user to run malware on their device;
    - Find ways to move laterally inside the network and compromise
    privileged identities;
    - Repeat as needed until you can execute your desired attack -- usually
    stealing data from file shares, deploying ransomware, or both.

    But attacks have fundamentally changed as networks have evolved. With the SaaS-ification of enterprise IT, core business systems aren't locally
    deployed and centrally managed in the way they used to be. Instead, they're logged into over the Internet, and accessed via a web browser.

    Under the shared responsibility model, the part that's left to the business consuming a SaaS service is mostly constrained to how they manage identities
    -- the vehicle by which the app is accessed and used by the workforce. It's
    no surprise that this has become the soft underbelly in the crosshairs of attackers.

    We've seen this time and again in the biggest breaches of recent years,
    with the highlights including the massive *Snowflake campaign in 2024* <https://pushsecurity.com/blog/snowflake-retro/> and the *2025 crime wave attributed to Scattered Spider <https://pushsecurity.com/blog/key-takeaways-from-the-scattered-spider-attacks-on-insurance-firms/>.*

    These attacks are so successful because while attackers have moved with the changes to enterprise IT, security hasn't really kept up.

    *The browser is the new battleground -- and a security blind spot* [...]

    https://thehackernews.com/2025/07/how-browser-became-main-cyber.html

    ------------------------------

    Date: Tue, 29 Jul 2025 17:37:47 -0600
    From: Cipher Editor via Cipher <cipher@mailman.xmission.com>
    Subject: Letter from the Editor (Cipher)

    Electronic CIPHER, Issue 186, July 28, 2025
    Newsletter of the IEEE Computer Society's TC on Security and Privacy
    Electronic Issue 186 July 28, 2025
    Hilarie Orman, Editor, cipher-editor @ ieee-security.org
    Sven Dietrich, Assoc. Editor, cipher-assoc-editor @ ieee-security.org

    Dear Readers:

    The recent announcements of severe bugs in car infotainment systems and Microsoft's SharePoint servers are unsettling. Are these the detritus of
    "move fast and break things", or is it just too hard to keep major security bugs out of production software? And if self-driving cars and "move it all
    to the cloud" are in our immediate future, then are we moving into a
    hacker's paradise where everything is hackable (maybe it is already)? Can
    AI rescue us from our own incompetence? Or will it magnify our failings? I offer the question as food for thought for those who find other, more immediate, thoughts to be even more unsettling.

    An upheaval in funds and funding rules is causing havoc in some academic circles in the US. Mathematicians are finding that travel funds are scarce, for example. I expect to see hitchhikers with signs asking for lifts to conferences. I hope AI can learn to do proofs without hallucinations before the last mathematician turns out the lights.

    ------------------------------

    Date: Wed, 30 Jul 2025 12:00:10 +0200
    From: Terje Mathisen <terje.mathisen@tmsw.no>
    Subject: Re: Tom Lehrer RIP (Risks-34.74)

    I grew up in an industrial town in Norway, my high school math teacher introduced us to Tom Lehrer (in 1975) with the "New Math" song, using it to show how base 8 arithmetic works.

    He would write down the initial equation on the blackboard, then follow
    along with the song, writing down the digits and carries as they were sung.

    Following that I listened to all the songs I could find, learned the lyrics, several of which still stay with me.

    Who could ever forget lines like "First we got the bomb and that was good, cause we love peace and motherhood."

    Some of my personal favorites are "So Long, Mom", "Smut", "Send the
    Marines", "We will All Go Together When We Go" and "The Vatican Rag".

    I must admit that it smarted when Tom said he could no longer write satire after Norway handed out the Peace Prize to Kissinger.

    [And MathIsentNewToHim! PGN]

    ------------------------------

    Date: Sat, 28 Oct 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 34.76
    ************************

    --- Synchronet 3.21a-Linux NewsLink 1.2
  • From risko@risko@csl.sri.com (RISKS List Owner) to risko on Thu Jul 31 23:00:51 2025
    From Newsgroup: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 31 July 2025 Volume 34 : Issue 76

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/34.76>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Children in Australia to Be Banned from Having YouTube Accounts
    (Josh Butler)
    Lauren's Blog: The Website Age Verification Train Wreck (Lauren Weinstein)
    AI Wrecking Fragile Job Market for College Graduates (WSJ)
    AI models may be accidentally -- and secretly -- learning each other's bad
    behaviors (NBC News)
    One of the most incisive critiques of U.S. capitalism (YouTube)
    Elon Musk's Tesla hits a speed-bump in California (Politico)
    Insurance won't cover $5M in City of Hamilton claims for
    cyberattack, citing lack of log-in security (CBC)
    Canadians' health data at risk of being handed over to U.S. authorities, experts warn (CBC)
    Researchers Find Way to Identify and Track People via WiFi Signals (WhoFi)
    The browser is now the front line of cyber attacks (THN)
    Letter from the Editor (Cipher)
    Re: Tom Lehrer RIP (Terje Mathisen)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 30 Jul 2025 11:21:59 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Children in Australia to Be Banned from Having YouTube Accounts
    (Josh Butler)

    Josh Butler, The Guardian (U.K.) (07/29/25), via ACM TechNews

    Starting Dec. 10, children in Australia will be banned from having YouTube accounts, as the federal government reversed an earlier decision to exempt
    the video platform from national under-16s social media restrictions.
    eSafety commissioner Julie Inman Grant pointed out that children would still
    be able to view YouTube videos, as the legislation was limited to preventing children from having accounts. The tightly curated YouTube Kids app will be spared from the ban.

    ------------------------------

    Date: Wed, 30 Jul 2025 08:17:39 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Lauren's Blog: The Website Age Verification Train Wreck

    https://lauren.vortex.com/2025/07/30/the-website-age-verification-train-wreck

    We all want to prevent children from being harmed on the Internet, but
    exactly how to do this without creating even more problems for them
    and for adults has turned into quite a complicated and political
    situation.

    There have been broad concerns that various website age verification
    systems could be privacy invasive, ineffective, and in some cases
    actually might cause even more harm to children than not having the verifications there in the first place. And now with more and more of
    these systems appearing -- the Supreme Court just declared them legal
    for states to require for commercial porn sites -- we're starting to
    see various of these predictions coming true.

    Remember that age verification systems -- whether for porn sites, or
    social media sites, or pretty much any site like the situation China
    where virtually all Internet usage can be tracked by the government --
    doesn't only affect children and teens. No matter your age, you have
    to prove you're an adult for access. And that opens up tracking
    possibilities that many politicians in both parties would love to have
    here in the U.S, with various state and federal legislation already in
    place or in litigation. And this quickly creates a situation where
    your basic privacy involving what sites you visit, what topics you
    research, what videos or podcasts you view or listen to, on and on,
    may be seriously compromised in ways never possible before now.

    There have already been breaches of age verification systems that
    publicly exposed users' identity credentials, a treasure trove for
    crooks. We can reasonably expect directed hacking attacks at these
    systems as they expand, and if history is any guide many will be
    successful. Some of these systems use government credentials, some
    require credit cards, some are using systems to estimate your age from
    your face, or by how long you've been using a particular email
    address, and so on.

    Many adults who don't want to hand over a credit card or their
    driver's license -- and their privacy -- to these firms have already
    found various bypass mechanisms, and it appears that -- as expected --
    kids are already WAY AHEAD of adults at this.

    A broad age verification law just took affect in the UK a handful of
    days ago and is already being widely breached, with it trivially easy
    to find public discussions with users trading bypass hints and tricks.
    The degree to which these systems are political theater is emphasized
    by rules that for example order sites not to tell users that they
    could use VPNs to bypass the checks in many cases -- as if VPNs
    haven't been used to bypass geographic restrictions for many years --
    and most age verification systems are geographically based.

    But it actually gets even more bizarre. Some of these age verification
    systems do indeed try to estimate your age from your face as seen on
    your camera. Of course if you don't have a camera on your device or
    don't want your face absorbed by these systems you're out of luck in
    this respect. For that new UK age verification system, kids very
    quickly realized they could use a video game that generates very
    realistic faces to bypass the age verification system. And of course
    as the nightmarishly advanced AI-based video generation systems
    continue to evolve -- we know where this is headed.

    The worst part about all this is that age verification systems broadly
    applied as some politicians desire, not only have the potential to cut
    children off from the ability to access crucial information about
    their own health and safety in cases of abuse, but could actually
    drive children to all manner of disreputable sites -- the kind that
    can pop up and vanish quickly -- that could potentially do them real
    harm but will never abide by age verification rules.

    Age verification seems like an obvious solution to a range of
    Internet-related problems. But the reality is that many observers feel
    that it creates more problems than it solves, creating new hacking opportunities and privacy risks, and that in many cases the kids will
    find ways to bypass it anyway. When trying to fix a complicated
    problem on the Internet, or anywhere else, the first step probably
    should be, "Try not to make things even worse." An idea worth keeping
    in mind.

    ------------------------------

    Date: Wed, 30 Jul 2025 11:21:59 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: AI Wrecking Fragile Job Market for College Graduates (WSJ)

    Lindsay Ellis and Katherine Bindley, The Wall Street Journal (07/28/25),
    via ACM TechNews

    AI increasingly is taking entry-level jobs from new college graduates,
    forcing companies to rethink how to develop the next generation of
    talent. The share of entry-level hires relative to total new hires has
    declined 50% among the 15 biggest tech companies by market capitalization
    since 2019, according to venture-capital firm SignalFire. This comes as companies such as Amazon, JPMorgan, and Ford say AI is enabling them to
    reduce headcount.

    ------------------------------

    Date: Tue, 29 Jul 2025 16:16:05 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: AI models may be accidentally -- and secretly -- learning each
    other's bad behaviors (NBC News)

    *A recent study is the latest to highlight a core AI safety concern: that
    the pace of development is outpacing humans' ability to understand their
    own AI systems.*

    EXCERPT:

    Artificial intelligence models can secretly transmit dangerous inclinations
    to one another like a contagion, a recent study found.

    Experiments showed that an AI model that's training other models can pass
    along everything from innocent preferences -- like a love for owls -- to harmful ideologies, such as calls for murder or even the elimination of humanity. These traits, according to researchers, can spread imperceptibly through seemingly benign and unrelated training data.

    Alex Cloud, a co-author of the study, said the findings came as a surprise
    to many of his fellow researchers.

    ``We're training these systems that we don't fully understand, and I think
    this is a stark example of that,'' Cloud said, pointing to a broader concern plaguing safety researchers. ``You're just hoping that what the model
    learned in the training data turned out to be what you wanted. And you just don't know what you're going to get.''

    AI researcher David Bau, director of Northeastern University's National
    Deep Inference Fabric, a project that aims to help researchers understand
    how large language models work, said these findings show how AI models
    could be vulnerable to data poisoning, allowing bad actors to more easily insert malicious traits into the models that they're training.

    ``They showed a way for people to sneak their own hidden agendas into
    training data that would be very hard to detect. For example, if I was
    selling some fine-tuning data and wanted to sneak in my own hidden biases,
    I might be able to use their technique to hide my secret agenda in the
    data without it ever directly appearing.''

    The preprint research paper, which has not yet been peer reviewed, was
    released last week by researchers from the Anthropic Fellows Program for AI Safety Research; the University of California, Berkeley; the Warsaw
    University of Technology; and the AI safety group Truthful AI. E[...]

    https://www.nbcnews.com/tech/rcna221583

    ------------------------------

    Date: Wed, 30 Jul 2025 14:47:45 -0700
    From: John Markoff <jmarkoff@gmail.com>
    Subject: One of the most incisive critiques of U.S. capitalism (YouTube)

    I found this through a friend and feel it is one of the best and most
    accurate accounts of where we're heading. Well worth watching, I believe.

    https://www.youtube.com/watch?v=gqtrNXdlraM
    You Are Witnessing the Death of American Capitalism

    ------------------------------

    Date: Thu, 31 Jul 2025 10:50:16 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Elon Musk's Tesla hits a speed-bump in California (Politico)

    As the tech CEO promises a Robotaxi launch in California, Tesla employees
    have been presenting a far more limited plan to key state regulators.

    Elon Musk is trying to transform Tesla and sees a nationwide fleet of fully autonomous taxis and humanoid robots as key. [...]

    https://www.politico.com/news/2025/07/30/tesla-robotaxi-permit-problems-california-00486269

    ------------------------------

    Date: Thu, 31 Jul 2025 06:36:51 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Insurance won't cover $5M in City of Hamilton claims for
    cyberattack, citing lack of log-in security (CBC)

    https://www.cbc.ca/news/canada/hamilton/cybersecurity-breach-1.7597713

    Many City of Hamilton departments didn't have multi-factor authentication
    in place before cyber criminals launched a massive ransomware attack in February 2024, paralyzing nearly all municipal services for weeks.

    Multi-factor authentication, also sometimes in the form of two-step verification, is a widely used layer of extra security for users logging
    into a system like their email accounts. They're required to verify their identity using more than one method, such as entering a code texted to
    their phone.

    It's been used by corporations and technology companies for years. Google,
    for example, launched its two-step log-in system in 2011.

    ------------------------------

    Date: Thu, 31 Jul 2025 06:39:00 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: Canadians' health data at risk of being handed over to U.S.
    authorities, experts warn (CBC)

    https://www.cbc.ca/news/health/health-data-cloud-servers-canada-us-1.7597441

    Canadians' electronic health records need more protections to prevent
    foreign entities from accessing patient data, according to commentary in
    the Canadian Medical Association Journal.

    "Canadian privacy law is badly outdated," said Michael Geist, law professor
    and Canada Research Chair in Internet and e-commerce law at the University
    of Ottawa and co-author of the commentary. "We're now talking about decades since the last major change."

    Geist says electronic medical records systems from clinics and hospitals -- containing patients' personal health information -- are often controlled by U.S. companies. The data is encrypted and primarily stored on cloud servers
    in Canada, but because those are owned by American companies, they are
    subject to American laws.

    ------------------------------

    Date: Tue, 29 Jul 2025 16:13:05 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Researchers Find Way to Identify and Track People via WiFi Signals
    (WhoFi)

    EXCERPT:

    Over the years we've seen various different uses for wireless WiFi signals being developed, such as the ability to see through walls (here <https://www.ispreview.co.uk/index.php/2023/01/scientists-find-way-of-using-wifi-to-monitor-people-through-walls.html>)
    or to act as a motion sensing alarm system (here <https://www.ispreview.co.uk/index.php/2023/10/new-tech-turns-wifi-into-motion-detecting-home-alarm-system.html>).
    Now a team of Italian researchers have figured out how to identify
    individual people by the biometric identifier they give off when walking through Wi-Fi signals.

    According to a new research paper <https://arxiv.org/html/2507.12869v1> from
    a team at the La Sapienza University of Rome, the Wi-Fi Sensing method
    they've developed -- called 'WhoFi' -- can essentially identify people based
    on the way that their bodies interfere with Wi-Fi signals as they pass
    through an area.

    "*The core insight is that as a Wi-Fi signal propagates through an environment, its waveform is altered by the presence and physical characteristics of objects and people along its path. These alterations, captured in the form of Channel State Information (CSI), contain rich
    biometric information*," said the paper. "*Unlike optical systems that perceive only the outer surface of a person, Wi-Fi signals interact with internal structures, such as bones, organs, and body composition, resulting
    in person-specific signal distortions that act as a unique signature*."

    In addition, and rather unlike existing visual ID systems (cameras etc.),
    Wi-Fi based ID systems are not affected by changes in visual illumination,
    can penetrate walls and occlusions, and also "*offer a privacy-preserving mechanism for sensing*" (i.e. you don't need a visual picture of
    somebody), [...]

    https://www.ispreview.co.uk/index.php/2025/07/whofi-researchers-find-way-to-track-people-by-their-wifi-signature.html

    ------------------------------

    Date: Tue, 29 Jul 2025 16:14:05 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: The browser is now the front line of cyber attacks (THN)

    EXCERPT:

    Until recently, the cyber attacker methodology behind the biggest breaches
    of the last decade or so has been pretty consistent:

    - Compromise an endpoint via software exploit, or social engineering a
    user to run malware on their device;
    - Find ways to move laterally inside the network and compromise
    privileged identities;
    - Repeat as needed until you can execute your desired attack -- usually
    stealing data from file shares, deploying ransomware, or both.

    But attacks have fundamentally changed as networks have evolved. With the SaaS-ification of enterprise IT, core business systems aren't locally
    deployed and centrally managed in the way they used to be. Instead, they're logged into over the Internet, and accessed via a web browser.

    Under the shared responsibility model, the part that's left to the business consuming a SaaS service is mostly constrained to how they manage identities
    -- the vehicle by which the app is accessed and used by the workforce. It's
    no surprise that this has become the soft underbelly in the crosshairs of attackers.

    We've seen this time and again in the biggest breaches of recent years,
    with the highlights including the massive *Snowflake campaign in 2024* <https://pushsecurity.com/blog/snowflake-retro/> and the *2025 crime wave attributed to Scattered Spider <https://pushsecurity.com/blog/key-takeaways-from-the-scattered-spider-attacks-on-insurance-firms/>.*

    These attacks are so successful because while attackers have moved with the changes to enterprise IT, security hasn't really kept up.

    *The browser is the new battleground -- and a security blind spot* [...]

    https://thehackernews.com/2025/07/how-browser-became-main-cyber.html

    ------------------------------

    Date: Tue, 29 Jul 2025 17:37:47 -0600
    From: Cipher Editor via Cipher <cipher@mailman.xmission.com>
    Subject: Letter from the Editor (Cipher)

    Electronic CIPHER, Issue 186, July 28, 2025
    Newsletter of the IEEE Computer Society's TC on Security and Privacy
    Electronic Issue 186 July 28, 2025
    Hilarie Orman, Editor, cipher-editor @ ieee-security.org
    Sven Dietrich, Assoc. Editor, cipher-assoc-editor @ ieee-security.org

    Dear Readers:

    The recent announcements of severe bugs in car infotainment systems and Microsoft's SharePoint servers are unsettling. Are these the detritus of
    "move fast and break things", or is it just too hard to keep major security bugs out of production software? And if self-driving cars and "move it all
    to the cloud" are in our immediate future, then are we moving into a
    hacker's paradise where everything is hackable (maybe it is already)? Can
    AI rescue us from our own incompetence? Or will it magnify our failings? I offer the question as food for thought for those who find other, more immediate, thoughts to be even more unsettling.

    An upheaval in funds and funding rules is causing havoc in some academic circles in the US. Mathematicians are finding that travel funds are scarce, for example. I expect to see hitchhikers with signs asking for lifts to conferences. I hope AI can learn to do proofs without hallucinations before the last mathematician turns out the lights.

    ------------------------------

    Date: Wed, 30 Jul 2025 12:00:10 +0200
    From: Terje Mathisen <terje.mathisen@tmsw.no>
    Subject: Re: Tom Lehrer RIP (Risks-34.74)

    I grew up in an industrial town in Norway, my high school math teacher introduced us to Tom Lehrer (in 1975) with the "New Math" song, using it to show how base 8 arithmetic works.

    He would write down the initial equation on the blackboard, then follow
    along with the song, writing down the digits and carries as they were sung.

    Following that I listened to all the songs I could find, learned the lyrics, several of which still stay with me.

    Who could ever forget lines like "First we got the bomb and that was good, cause we love peace and motherhood."

    Some of my personal favorites are "So Long, Mom", "Smut", "Send the
    Marines", "We will All Go Together When We Go" and "The Vatican Rag".

    I must admit that it smarted when Tom said he could no longer write satire after Norway handed out the Peace Prize to Kissinger.

    [And MathIsentNewToHim! PGN]

    ------------------------------

    Date: Sat, 28 Oct 2023 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) has moved to the ftp.sri.com site:
    <risksinfo.html>.
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 34.76
    ************************
