
Risks Digest 33.65

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Sat Mar 11 18:54:46 2023

From: RISKS List Owner <risko@csl.sri.com>
Date: Sat, 11 Mar 2023 15:54:26 PST
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Saturday 11 March 2023  Volume 33 : Issue 65

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.65>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Noam Chomsky: The False Promise of ChatGPT (via Matthew Kruk)
ChatGPT Convulses Big Tech with its Promise and its Peril (NYTimes)
Two types of dataset poisoning attacks that can corrupt AI system results
 (techxplore.com)
Detection Stays Ahead of Deepfakes -- for Now (Matthew Hutson)
Tesla under investigation after Model Y steering wheels fall off (The Verge)
Stablecoin Issuer Circle Reveals $3.3 Billion SVB Exposure (Bloomberg)
Blackbaud Fined $3M For Misleading Disclosures Re: 2020 Ransomware
 (Ryan Naraine)
Canada's tax revenue agency tries to ToS itself out of hacking liability
 (Risky Biz News)
Data breach hits hundreds of lawmakers and staff on Capitol Hill (NBC)
North Korean hackers target security researchers with a new backdoor
 (Ars Technica)
Hackers Claim They Breached T-Mobile More Than 100 Times in 2022
 (Krebs on Security)
When Low-Tech Hacks Cause High-Impact Breaches (Krebs on Security)
TikTok whistleblower claims U.S. data privacy efforts are seriously flawed
 (Engadget)
Tech Is Allowing Businesses to Overcharge You in Tips (NYTimes)
Why the Floppy Disk Just Won't Die (WiReD)
Union `increasingly alarmed' about Indigo cyberattack, demands further
 disclosure (CBC)
Password changing considered harmful (WSJ)
Teens are stealing more cars. They learn how on social media (NYT)
UK online safety bill -- how to create a digital dictatorship
 (Lauren Weinstein)
Terms of enscamment? (Rob Slade)
Re: Safety Advocates Say Hyundai, Kia's Anti-Theft Upgrade Doesn't Go
  Far Enough (Richard S. Russell)
Re: Why I'm sticking up for science (zeurkous)
Re: rm -rf (Henry Baker, Steve Bacher)
Re: SMS-Based Multi-Factor Authentication: What Could Go Wrong?
 (John Levine)
Re: FAA reports 'close call' between two planes at Logan Airport
 (Jan Wolitzky)
Re: Everyone is special, SMS-Based Multi-Factor Authentication:
 What Could Go Wrong? (John Levine)
Re: The privacy loophole in your doorbell (Steve Bacher)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 8 Mar 2023 18:40:24 -0700
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Noam Chomsky: The False Promise of ChatGPT

https://www.nytimes.com/2023/03/08/opinion/noam-chomsky-chatgpt-ai.html

Jorge Luis Borges once wrote that to live in a time of great peril and
promise is to experience both tragedy and comedy, with ``the imminence of a
revelation'' in understanding ourselves and the world. Today our supposedly
revolutionary advancements in artificial intelligence are indeed cause for
both concern and optimism. Optimism because intelligence is the means by
which we solve problems. Concern because we fear that the most popular and
fashionable strain of AI -- machine learning -- will degrade our science and
debase our ethics by incorporating into our technology a fundamentally
flawed conception of language and knowledge.

------------------------------

Date: Thu, 9 Mar 2023 14:08:15 PST
From: Peter Neumann <neumann@csl.sri.com>
Subject: ChatGPT Convulses Big Tech with its Promise and its Peril (NYT)

Tripp Mickle, Cade Metz, and Nico Grant, *The New York Times*, 9 Mar 2023
A scramble to assess the impact of AI.

  [It seems to be a nice enumeration of many of the problems created such as
  disrupting cloud providers, advertisers, and e-commerce sales (each
  discussed in considerable detail), questionable trustworthiness, legal
  implications, ownership, etc.  ``No one knows where the courts will draw
  the lines.'' -- quoting Bradley J. Hulbert.  PGN-ed]

------------------------------

Date: Wed, 08 Mar 2023 12:42:44 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Two types of dataset poisoning attacks that can corrupt AI system
 results (techxplore.com)

https://techxplore.com/news/2023-03-dataset-poisoning-corrupt-ai-results.html

``The research team calls this type of attack split view poisoning. Testing
showed that such an approach could be used to purchase enough URLs to poison
a large portion of mainstream AI systems, for as little as $10,000.

``There is another way that AI systems could be subverted -- by manipulating
data in well-known data repositories such as Wikipedia. This could be done,
the researchers note, by modifying data just prior to regular data dumps,
preventing monitors from spotting the changes before they are sent to and
used by AI systems. They call this approach front-running poisoning.''

As AI proliferates, overtrust -- reliance on output -- elevates training
dataset's provenance and bona fides to bound false positive/negative
outcomes.

If applied to image diagnosis (mammograms, CAT/MRI, etc.), a patient should
be entitled to a traceable explanation to supplement the physician's review
and concurrence or dispute of platform output.

------------------------------

Date: Wed, 8 Mar 2023 11:09:07 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Detection Stays Ahead of Deepfakes -- for Now (Matthew Hutson)

Matthew Hutson, *IEEE Spectrum*, 6 Mar 2023, via ACM TechNews, March 8, 2023

Computer scientists are developing more advanced algorithms for generating
synthetic content, at the same time they are creating counter-algorithms to
detect such content. Intel's Real-Time Deepfake Detector, slated for release
this spring, will include FakeCatcher, which can identify facial changes due
to blood flow. Developed by researchers at Intel and Binghamton University,
FakeCatcher cannot be reverse-engineered easily to train a generation
algorithm to get better at fooling it. Among other detection tools,
researchers at the University of Florida developed a system that models the
human vocal tract and can determine if an audio recording is biologically
plausible. When it comes to detecting synthetic text, the University of
Maryland's Tom Goldstein said the diversity in how people use language and a
dearth of signal means it likely will lag other forms of detection.

------------------------------

Date: Wed, 8 Mar 2023 19:19:59 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Tesla under investigation after Model Y steering wheels fall off
 (The Verge)

https://www.theverge.com/2023/3/8/23630358/tesla-steering-wheel-bolt-nhtsa-model-y

------------------------------

Date: Sat, 11 Mar 2023 09:03:42 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Stablecoin Issuer Circle Reveals $3.3 Billion SVB Exposure
 (Bloomberg)


https://www.bloomberg.com/news/articles/2023-03-11/usd-coin-stablecoin-falls-further-from-peg-on-svb-exposure-risk?srnd=premium&sref=zVYYYI5e

Also:

  Roku, Roblox and others disclose their exposure to SVB in SEC filings
  (TechCrunch)
  https://techcrunch.com/2023/03/11/roku-roblox-and-others-disclose-their-exposure-to-svb-in-sec-filings/

  More than 85% of Silicon Valley Bank's Deposits Were Not Insured
  https://time.com/6262009/silicon-valley-bank-deposit-insurance/

  [Monty Solomon noted this relevant item:
    Here's how much of your bank deposits are FDIC protected:
    Michelle Singletary, *WashPost*
https://www.washingtonpost.com/business/2023/03/10/faq-fdic-insurance/
  PGN]

------------------------------

Date: Fri, 10 Mar 2023 14:28:45 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Blackbaud Fined $3M For Misleading Disclosures Re: 2020 Ransomware
 (Ryan Naraine)

Ryan Naraine, *Security Week*, 10 Mar 2023
https://www.securityweek.com/blackbaud-fined-3m-for-misleading-disclosures-about-2020-ransomware-attack/

  [Among other things, Blackbaud had insisted there had been no leakage of
  customer information, which actually impacted 1300 customers.  The
  original notice has since disappeared.  PGN]

------------------------------

Date: Wed, 8 Mar 2023 13:02:09 -0500
From: José María Mateos <chema@rinzewind.org>
Subject: Canada's tax revenue agency tries to ToS itself out of hacking
 liability (Risky Biz News)

https://riskybiznews.substack.com/p/risky-biz-news-canadas-tax-revenue

The Canada Revenue Agency (CRA), the tax department of Canada, recently
updated its terms and conditions to force taxpayers to agree that CRA is not
liable if their personal information is stolen while using the My Account
online service portal -- which, ironically, all Canadians must use when doing
their taxes and/or running their business.

The CRA's terms of use assert the agency is not liable because they have
``taken all reasonable steps to ensure the security of this Web site.''

------------------------------

Date: Wed, 8 Mar 2023 17:47:03 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Data breach hits hundreds of lawmakers and staff on Capitol Hill
 (NBC)

Ryan Nobles, Frank Thorp V, Zoë Richards and Kevin Collier, NBC News
https://www.nbcnews.com/politics/congress/data-breach-hits-lawmakers-staff-capitol-hill-rcna74061

House Chief Administrative Officer Catherine L. Szpindor said the breach at
the DC Health Exchange did not appear to target members of Congress. The
Senate was also affected.

  The actual quote is somewhat less reassuring: ``Currently, I do not know
  the size and scope of the breach, but have been informed by the Federal
  Bureau of Investigation (FBI) that account information and [personally
  identifiable information] of hundreds of Member and House staff were
  stolen,'' Szpindor added that it did not appear that House lawmakers were
  ``the specific target of the attack'' on DC Health Link *.  [PGN-ed]
     [* Just everyone using the Health Exchange used by Congress!  PGN]

------------------------------

Date: Sat, 11 Mar 2023 09:10:42 -0500
From: Monty Solomon <monty@roscom.com>
Subject: North Korean hackers target security researchers with a new
 backdoor (Ars Technica)

https://arstechnica.com/information-technology/2023/03/security-researchers-are-again-in-the-crosshairs-of-north-korean-hackers/

------------------------------

Date: Thu, 9 Mar 2023 20:22:09 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Hackers Claim They Breached T-Mobile More Than 100 Times in 2022
 (Krebs on Security)

https://krebsonsecurity.com/2023/02/hackers-claim-they-breached-t-mobile-more-than-100-times-in-2022/

------------------------------

Date: Thu, 9 Mar 2023 20:23:21 -0500
From: Monty Solomon <monty@roscom.com>
Subject: When Low-Tech Hacks Cause High-Impact Breaches (Krebs on Security)

https://krebsonsecurity.com/2023/02/when-low-tech-hacks-cause-high-impact-breaches/

------------------------------

Date: Fri, 10 Mar 2023 23:40:15 -0500
From: Monty Solomon <monty@roscom.com>
Subject: TikTok whistleblower claims U.S. data privacy efforts are seriously
 flawed (Engadget)

https://www.engadget.com/tiktok-whistleblower-claims-us-data-privacy-efforts-are-seriously-flawed-211255093.html

------------------------------

Date: Fri, 10 Mar 2023 16:41:31 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Tech Is Allowing Businesses to Overcharge You in Tips (NYTimes)

Payment apps and touch screens have made it easy for merchants to ask us for
preset gratuity amounts. We don't need to succumb to the pressure.

https://www.nytimes.com/2023/03/01/technology/personaltech/tipping-defaults-digital-payments.html

------------------------------

Date: Wed, 8 Mar 2023 13:36:57 +0200
From: Amos Shapir <amos083@gmail.com>
Subject: Why the Floppy Disk Just Won't Die (WiReD)

It seems that there are still a lot of businesses around who use systems
(including industrial machinery and even passenger aircraft) which are
20-30 years old, and depend on floppy disks to get their data -- and these
are now running out.

https://www.wired.co.uk/article/why-the-floppy-disk-just-wont-die

------------------------------

Date: Sat, 11 Mar 2023 13:51:45 -0700
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Union `increasingly alarmed' about Indigo cyberattack, demands
 further disclosure (CBC)

https://www.cbc.ca/news/business/indigo-workers-cyberattack-data-1.6776119

A union representing 200 employees of Indigo Books & Music Inc. is calling
on the retailer to disclose more information about the scope of its recent
data breach and offer additional support to staff affected.

United Food and Commercial Workers International Union Local 1006A says it
is *increasingly alarmed* by new information that has come to light about a
8 Feb 2023 cyberattack on Canada's biggest bookstore.

------------------------------

Date: Sat, 11 Mar 2023 13:35:31 -0500
From: dan@geer.org
Subject: Password changing considered harmful (WSJ)

  [Long item PGN-ed.]

https://www.wsj.com/articles/annoying-password-rules-actually-make-us-less-secure-a05edb70

Annoying Password Rules Actually Make Us Less Secure

Does your company network or a frequently visited website force you to come
up with a new password because it has declared your old one is past its
expiration date?

If you find that annoying, you're not alone. What's worse: It's actually bad
for cybersecurity, say researchers.

The scheduled-replacement policy is one of a number of poor or ineffective
password practices that make logging into sites, apps and services more
complicated and annoying than ever.

We're not just talking about issues with government and corporate IT
systems, though they can be among the worst offenders. Companies and
services including Apple, Microsoft, Instagram and LinkedIn, among others,
all have less-than-optimal password policies, according to a recent paper by
researchers at Princeton University.

These password policies can increase the chance that individuals' accounts
can be breached, especially if users aren't using additional means of
securing their accounts, such as two-factor authentication, says Arvind
Narayanan, a professor of computer science at Princeton and one of the
authors of the paper on bad password policies.

Compelling routine password changes, for example, while a seemingly logical
way to reset a password that may have been leaked, actually tends to make
people more likely to choose weak passwords in the first place, according to
numerous studies. Another flawed-but-common practice is to limit the
combinations of characters one can use in a password, or compel users to
include special characters in their passwords. It turns out those rules
don't generally lead to more secure passwords, either.  [...]

Making better security available isn't enough

Cybersecurity-savvy readers may, by now, be throwing up their hands in
exasperation. Of course these are all bad password policies! But do they
matter, if a person uses two-factor authentication on their most important
accounts, and they're using a password manager to generate a unique and
complicated password for everything they log into? (A password manager,
which everyone should adopt, generates strong passwords, stores them and
automatically enters them into apps and sites.)  [...]

In sum, the key to making individuals and organizations more secure
is to create cybersecurity policies that respect how people actually
behave in the real world.

``I think security has always been everybody's problem, but now we are
realizing it. And I think a well-designed security system can help reduce
the burden on the non-security experts on the team.''  [Dr. Lorrie Cranor,
who is quoted heavily throughout the article.  PGN]

    [WSJ article also noted by Monty Solomon.  PGN]

------------------------------

Date: Fri, 10 Mar 2023 07:45:05 -0700
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: Teens are stealing more cars. They learn how on social media (NYT)

Tim Arango and Jacey Fortin, *The New York Times*, 10 Mar 2023
https://www.nytimes.com/2023/03/10/us/car-thefts-kia-challenge-tiktok.html

Violent crime is largely receding from pandemic highs, but cities face a
surge in car thefts, driven in part by videos that show how to hot-wire
models by Kia and Hyundai.

------------------------------

Date: Sat, 11 Mar 2023 08:49:44 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: UK online safety bill -- how to create a digital dictatorship

Essentially this bill turns the UK into Iran, North Korea, Russia, and
China. And the U.S. is definitely next, with both the Left and Right
on-board toward furthering their own ends. -L

Also:
 Secure messaging apps line up to warn UK's Online Safety Bill risks
 web security
 https://techcrunch.com/2023/03/10/uk-osb-e2ee-warning/

------------------------------

Date: Wed, 8 Mar 2023 07:34:16 -0800
From: Rob Slade <rslade@gmail.com>
Subject: Terms of enscamment?

I have mentioned that a number of people seem to think that my GMail email
address, rslade@gmail.com, is theirs.  I've received all kinds of email
messages, over the years, from legitimate vendors and contacts, who have
apparently been told to use rslade@gmail.com as the contact for a bunch of
people who aren't me.

Mostly I think it's just carelessness.  I wonder, at times, if sometimes it
could, partly, be part of a scam by someone who is hiding their own
identity.  I try to look at any of these messages from a variety of
perspectives.

Today I got a message from Eventbrite.  It seems to be legitimately from
Eventbrite.  Someone bought tickets to *Terms of Endearment*--in Shanghai,
China.  (Ticket prices seem to be fairly steep in China: they are $23.17
each, according to the statement.)  (Then again, it may be live theatre,
rather than an old movie, so, in that case, it's pretty cheap.)  Seven
people seem to be going.  The tickets are paid, by a MasterCard account that
is not mine.  The event seems to be about 22 hours from now, if the world
clock Website that I use frequently is correct.

I hope that they get in and enjoy the show.  I'm pretty sure that there is
no risk to me, and the only risk I can see is that they may not get in if
they don't get the tickets.  I do wonder why Eventbrite let them buy tickets
on my account without knowing my password, but that is presumably
Eventbrite's problem ...

------------------------------

Date: Tue, 7 Mar 2023 15:11:23 -0600
From: "Richard S. Russell" <RichardSRussell@tds.net>
Subject: Re: Safety Advocates Say Hyundai, Kia's Anti-Theft Upgrade Doesn't Go
 Far Enough (RISKS-33.64)

https://madison.com/news/local/madison-city-council-looks-to-sue-kia-hyundai-for-making-it-too-easy-to-steal/article_3193e905-5ce7-51ef-a792-825df201cc00.html

Madison City Council looks to sue Kia, Hyundai, for making it too easy to
steal cars

Since the article itself, dated 2023-03-07, is behind a paywall, I've copied
it for you:

  The city of Madison [Wisconsin] is gearing up to sue car manufacturers Kia
  and Hyundai over the lack of anti-theft software in their vehicles after
  they accounted for nearly half of thefts of cars in the city last summer.

  City council members will take up a resolution Tuesday night over whether
  the city can retain outside counsel for a federal lawsuit for Kia and
  Hyundai's ``role in creating a public nuisance,'' a statement from the
  city said.

Car thefts dropped by 5%
<https://madison.com/news/local/crime-and-courts/we-do-have-a-safe-city-gunfire-car-thefts-down-in-madison-after-summertime-anti/article_efded0db-c166-57b4-8e8d-6cf6f3b76d62.html>
in Madison last summer, compared to the prior year, but thefts of Kia and
Hyundai cars increased by 270%, making up 45% of all stolen auto cases in
July and August. Rates of Kia and Hyundai thefts are even higher in
Milwaukee, where the two brands comprise 60% of all stolen autos.
<https://www.jsonline.com/story/news/crime/2023/02/20/new-class-action-lawsuit-by-milwaukee-man-targets-kia-hyundai/69924626007/>

The two brands are especially susceptible to theft because of a
manufacturing flaw in less-expensive models that allows vehicles to be
stolen even if a key isn't present. Viral TikTok challenges spearheaded by
Milwaukee-based *Kia Boys* taught people how to take advantage of that flaw
by starting the engine with a USB cable and a screwdriver.

``Madison residents deserve better,'' Mayor Satya Rhodes-Conway said in a
statement.  ``These corporations cut corners and put people at risk. In
their search for profits, they pushed the costs of keeping people safe off
to cities like Madison. That's unacceptable.''

------------------------------

Date: Wed, 08 Mar 2023 08:56:07 +0000 (UTC)
From: zeurkous@blaatscaahp.org
Subject: Re: Why I'm sticking up for science (Richard Dawkins)

  [IME, Mr. Dawkins's rant constitutes propaganda unworthy of RISKS.
  Nonetheless, I have a short response.]

    [It was worthy of RISKS precisely because it raised a lot of hackles --
    with me as well, and I am delighted your zeurkous circus has chimed in.
    What worries me most is that you were the *only* one to respond.  RISKS
    is *always* interested in smoking out falsehoods.  PGN]

In his rant, Mr. Dawkins falls into the common trap of defending science(tm)
[insert Chester from the Bunnicula cartoons here] against political
interference: from most scientists' point of view, science is supposed to
dictate politics, not the other way around! Unsurprisingly, politicians
often feel exactly the opposite, and this is thus a likely factor leading
to Mr. Hipkins's intervention.

Furthermore, I think it's very ironic of Mr. Dawkins to allege *special
treatment* for the Maori when the colonists made themselves the exception
from virtually the moment they arrived (and have been doing so ever since),
at the near-total expense of the original human population! Now who needs
*special treatment*, eh?

The *forcing to learn* issue comes down to a discussion about unschooling
and that, too, seems to be pretty off-topic for this list.

Overall it would seem wise to move the discussion onwards from *how do we
protect the institution of science against those barbarian politicians?* to
*how can we be more empirical and less dogmatic?* If anything, science(tm)
[insert Chester again] desperately needs the latter discussion, not the
former.

But the newspapers won't be interested. No shock value. I'm hoping
better for this list.

------------------------------

Date: Wed, 08 Mar 2023 03:26:15 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: Re: rm -rf

I've been discussing this problem with Sylvestre Ledru, who has been
*re-implementing* the so-called 'Core Utilities' in *Rust*.
<sylvestre@debian.org>

So far, he's been trying to implement compatibility with the Gnu Core Utils
(but with fewer errors, of which there have been precious few for Gnu).

But these Core Utilities form the basis of a computer *language* that is
extensively used by Unix/Linux developers, and have never been completely
systematized.

For example, in the case of error conditions, one is never 100% sure what
state the system will be left in.  This isn't normally a problem for
individual execution from an interactive user, but it becomes a serious
problem in scripts.

I have suggested that these *core utilities* have *clean composable
semantics* with *predictable* results; including undoing any visible
side-effects, when this makes sense.

For example, one principle which might be helpful for *most* such utilities:
either run to completion w/o errors, or reset the state to the situation
prior to the start of execution.  I.e., an *atomic* 'all-or-none' set of
side-effects, along the lines of 'ACID' databases:

https://en.wikipedia.org/wiki/ACID

I realize this won't help when 'cd' errs out, but perhaps something like

  cd foo && rm -rf

is the right solution ?

  cd --help:

Exit Status:
    Returns 0 if the directory is changed ... non-zero otherwise.

------------------------------

Date: Fri, 10 Mar 2023 10:29:21 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: Re: rm -rf (Mateos, RISKS-33.64)

/set -euo pipefail/

That is a good idea and one I had not taken advantage of. However, one needs
to be careful about the effects it may have on other parts of the script,
including external scripts invoked from the script where you code the set
command.  Also, there are cases where you want to run a command and test its
outcome (like access to a file or other resource) where continuation of the
script is preferable at that point. Of course you can encase those sections
of code inside a subshell with pipefail turned off. But care should still be
taken with any global setting.
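
An added example for this rm -rf thread (Henry Baker's post and this reply), not code from either post or from the Rust coreutils work mentioned above: a POSIX sh script showing the cd-guarded rm, wrapped so a failed cd can never let rm run in the wrong directory, and how to keep set -e / pipefail as a global setting while scoping the places where a failure is meant to be observed rather than fatal. The function names and the scratch directory it works in are constructed for the demo.

```shell
#!/bin/sh
# Added example for the rm -rf thread, not code from the RISKS posts or from
# the Rust coreutils work they mention.  It shows (1) the "cd foo && rm -rf"
# guard, wrapped so a failed cd can never let rm run in the wrong directory,
# and (2) how to keep 'set -eu' (and pipefail where available) as a global
# setting while scoping the places where a failure is meant to be observed
# rather than fatal.  Function names and the scratch directory are invented.

set -eu
# pipefail is a bash/ksh/zsh option that not every POSIX sh accepts: probe
# for it in a subshell (the if-condition keeps set -e from aborting here).
if (set -o pipefail) 2>/dev/null; then PIPEFAIL_OK=1; else PIPEFAIL_OK=0; fi
if [ "$PIPEFAIL_OK" = 1 ]; then set -o pipefail; fi

# clean_dir DIR: delete the contents of DIR, but only if cd into DIR succeeds.
# The && short-circuits rm when cd fails, and the subshell keeps the cd from
# leaking into the caller's working directory.  './*' instead of '*' stops a
# file named '-rf' from being parsed as an option; the two dot patterns pick
# up hidden entries without ever matching '.' or '..'.  Returns cd's non-zero
# status when DIR is missing or unreadable, so callers can react.
clean_dir() {
    ( cd -- "$1" && rm -rf -- ./* ./.[!.]* ./..?* )
}

# entry_count DIR: number of entries (hidden ones included) left in DIR.
entry_count() {
    ls -A -- "$1" | wc -l | tr -d ' '
}

# try_status CMD [ARGS...]: run CMD and print its exit status instead of
# letting set -e abort the script.  '|| status=$?' places CMD on the left of
# an OR-list, where the -e option is suppressed by definition.
try_status() {
    status=0
    "$@" >/dev/null 2>&1 || status=$?
    printf '%s\n' "$status"
}

# line_count_lenient FILE: a pipeline whose first stage may fail.  With
# pipefail on, 'cat missing | wc -l' fails as a whole and set -e aborts.
# Running it in a subshell with pipefail switched off keeps the global
# setting for the rest of the script while this pipeline reports the status
# of its last stage, so a missing file simply counts as 0 lines.
line_count_lenient() {
    (
        if [ "$PIPEFAIL_OK" = 1 ]; then set +o pipefail; fi
        cat -- "$1" 2>/dev/null | wc -l | tr -d ' '
    )
}

# Demo on a constructed scratch directory; nothing outside it is touched.
demo() {
    scratch=$(mktemp -d)
    mkdir -p "$scratch/target"
    printf 'a\nb\nc\n' > "$scratch/target/keep.txt"
    printf 'x\n' > "$scratch/target/.hidden"
    printf 'bystander\n' > "$scratch/bystander.txt"

    clean_dir "$scratch/target"
    echo "entries left in target: $(entry_count "$scratch/target")"   # 0

    # A misspelled directory: cd fails, rm never runs, bystander.txt survives.
    echo "clean_dir on a missing dir returned $(try_status clean_dir "$scratch/tragte")"
    [ -f "$scratch/bystander.txt" ] && echo "bystander.txt still present"

    echo "lenient line count of a missing file: $(line_count_lenient "$scratch/nope")"
    rm -rf -- "$scratch"
}

demo
```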

------------------------------

Date: 7 Mar 2023 16:15:15 -0500
From: "John Levine" <johnl@iecc.com>
Subject: Re: SMS-Based Multi-Factor Authentication: What Could Go Wrong?
 (Libove, RISKS-33.64)

Vanguard uses whatever 2FA you have configured.  If you don't like SMS (and
you shouldn't), don't use it.

I have my account configured to use a couple of Fido keys and my phone as
2FA, no SMS.

I wouldn't use BofA if they paid me, so no idea what their policy is.

------------------------------

Date: Tue, 7 Mar 2023 18:35:08 -0500
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Subject: Re: FAA reports 'close call' between two planes at Logan Airport
 (RISKS-33.64)

There's nothing in this story relevant to this forum.  It's not about a
system problem; it's not about a computer issue.  The clearance was proper,
the readback was proper; the pilot just screwed up.

  [And that's not relevant?  Isn't the TCAS technology supposed to prevent
  that?  PGN]

------------------------------

Date: 7 Mar 2023 21:59:49 -0500
From: "John Levine" <johnl@iecc.com>
Subject: Re: Everyone is special, SMS-Based Multi-Factor Authentication:
 What Could Go Wrong? (Cosell, RISKS-33.64)

>... So what's the weakness that might make me have to mess with 2FA?

The obvious ones are that some piece of malware installs a keylogger on your
computer, or you make an unfortunate typo and don't notice it in time, or
your password vault has a bug and it leaks. (See messages about LastPass in
recent RISKS digests.)

------------------------------

Date: Fri, 10 Mar 2023 08:21:35 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: Re: The privacy loophole in your doorbell

When this appeared in RISKS-33.64, the URL was omitted.
https://www.politico.com/news/2023/03/07/privacy-loophole-ring-doorbell-0008497

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest-33.65
************************
