[33112] in RISKS Forum
Risks Digest 33.72
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Sun Jun 4 21:17:13 2023
From: RISKS List Owner <risko@csl.sri.com>
Date: Sun, 4 Jun 2023 18:16:46 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Sunday 4 June 2023 Volume 33 : Issue 72
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.72>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
How A Dark Fleet Moves Russian Oil (The New York Times)
Metro Breach Linked To Computer In Russia, Report Finds (DCIST)
Kaspersky Says New Zero-Day Malware Hit iPhones, Including Its Own (WiReD)
$528 Billion Nuclear Cleanup Plan at Hanford Site in Jeopardy (NYTimes)
Secret industry documents reveal that makers of PFAS 'forever chemicals'
covered up their health dangers (phys.org)
Japanese Moon Lander Crashed Because of a Software Glitch (NYTimes)
Millions of Gigabyte Motherboards Were Sold With a Firmware Backdoor (WiReD)
Fake students stealing aid from colleges (Nanette Asimov)
Tesla leak reportedly shows thousands of Full Self-Driving safety complaints
(The Verge)
Tesla data leak reportedly details Autopilot complaints (LATimes)
Social Media and Youth Mental Health (U.S. Surgeon General)
Meta slapped with record $1.3 billion EU fine over data privacy (CNN)
Flaws Found in Using Source Reputation for Training Automatic Misinformation
Detection Algorithms (Carol Peters)
Failed Expectations: A Deep Dive Into the Internet's 40 Years of Evolution
(Geoff Huston)
AI Poses 'Risk of Extinction,' Industry Leaders Warn (Kevin Roose)
What we *should* be worrying about with AI (Lauren Weinstein)
Artificial intelligence system predicts consequences of gene modifications
(medicalxpress.com)
How to fund and launch your AI startup (Meetup)
Rise of the Newsbots: AI-Generated News Websites Proliferating Online
(NewsGuard)
Some thoughts on the current AI storm und drang (Gene Spafford)
Massachusetts hospitals, doctors, medical groups pilot ChatGPT technology
(The Boston Globe)
The benefits and perils of using artificial intelligence to trade and other
financial instruments (TheConversation.com)
Professor Flunks All His Students After ChatGPT Falsely Claims It Wrote
Their Papers (Rolling Stone)
Top French court backs AI-powered surveillance cameras for Paris Olympics
(Politico)
Meta's Big AI Giveaway (Metz/Isaac)
Meta hit with record fine by Irish regulator over U.S. data transfers (CBC)
AI scanner used in hundreds of US schools misses knives (BBC)
Milton resident's against CVS raises questions about the use of AI lie
detectors in hiring (The Boston Globe)
EPIC on Generative AI (Prashanth Mundkur)
Reality check: What will generative AI really do for cybersecurity?
(Cyberscoop)
Moody's cites credit risk from state-backed cyber intrusions into
U.S. critical infrastructure (cybersecuritydive.com)
What Happens When Your Lawyer Uses ChatGPT (NYTimes)
Anger over airports' passport e-gates not working (BBC News)
Longer and longer trains are blocking emergency services and killing people
(WashPost)
Denials of health-insurance claims are risingm and getting weirder
(WashPost)
Small plane crashes after jet fighter chase in WashDC area (WashPost)
Response from American Airlines for delay (Steven J. Greenwald)
Microsoft Finds macOS Bug That Lets Hackers Bypass SIP Root Restrictions
(Sergiu Gatlan)
Apps for Older Adults Contain Security Vulnerabilities (Patrick Lejtenyi)
India official drains entire dam to retrieve phone (BBC)
Google's Privacy Sandbox (Lauren Weinstein)
WebKit Under Attack: Apple Issues Emergency Patches for 3 New Zero-Day
Vulnerabilities (Apple)
Q&A: Why is there so much hype about the quantum computer? (phys.org)
Report Estimates Trillions in Indirect Losses Would Follow Quantum Computer
Hack (nextgov.com)
Don't Store Your Money on Venmo, U.S. Govt Agency Warns (Gizmodo)
Re: An EFF Investigation: Mystery GPS Tracker (Steve Lamont)
Re: Three Companies Supplied Fake Comments to FCC (NY AG), but John Oliver
didn't (John Levine)
Re: Near collision embarrasses Navy, so they order public San Diego
(Michael Kohne)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sat, 3 Jun 2023 13:15:46 PDT
From: Peter G Neumann <neumann@csl.sri.com>
Subject: How A Dark Fleet Moves Russian Oil (The New York Times)
This article is by Christian Triebert, Blacki Migliozzi, Alexander Cardia,
Muyl Shao, and David Botti. It covers pages 6-7 in today's National
Edition, and has a front-page satellite image above the fold showing the
Cathay Phoenix tanker docked at the Russian oil terminal in Kozmino,
although its GPS showed it many miles southeast, near to the coast of Japan.
Actually, the ship had left from China for a scheduled stop in South Korea,
and then switched its GPS location to a spoofed fixed FAKE location near
Niigata (Japan) while returning to Kozmino. According to the article, three
tankers tracked by *The NYTimes* from Kozmino had made 13 trips loading
Russian oil and delivering it to China, each using GPS spoofing to mask
their whereabouts.
[Just another instance of spoofed GPS locations, which have been
discussed in earlier RISKS issues, such as these:
Russia Regularly Spoofs Regional GPS (RISKS-31.15)
Ghost ships, crop circles, and soft gold: A GPS mystery in Shanghai,
RISKS-31.48)
Mysterious GPS outages are wracking the shipping industry (RISKS-31.59)
High Seas Deception: How Shady Ships Use GPS to Evade International
Law (RISKS-33.43)
PGN]
------------------------------
Date: Wed, 17 May 2023 17:04:22 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Metro Breach Linked To Computer In Russia, Report Finds (DCIST)
A former WMATA contractor using a personal computer in Russia breached
Metro's computer system earlier this year, according to a report from
WMATA's Office of the Inspector General, revealing *grave concerns* in the
system's cyber-vulnerabilities.
The investigation by Metro OIG Rene Febles into the hacking revealed several
weaknesses in WMATA operations regarding data protection and cyberscurity,
and a failure by the agency to address its vulnerabilities.
``Evidence has surfaced that WMATA, at all levels, has failed to follow its
own data handling policies and procedures as well as other policies and
procedures establishing minimum levels of protection for handling and
transmitting various types of data collected by WMATA,'' OIG report, made
public Wednesday.
https://dcist.com/story/23/05/17/metro-breach-linked-russian-computer
------------------------------
Date: Fri, 2 Jun 2023 18:19:28 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Kaspersky Says New Zero-Day Malware Hit iPhones, Including Its Own
(WiReD)
On the same day, Russia's FSB intelligence service launched wild claims of
NSA and Apple hacking thousands of Russians.
https://www.wired.com/story/kaspersky-apple-ios-zero-day-intrusion
------------------------------
Date: Thu, 1 Jun 2023 11:08:36 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: $528 Billion Nuclear Cleanup Plan at Hanford Site in Jeopardy
(The New York Times)
A $528-billion plan to clean up 54-million gallons of radioactive
bomb-making waste may never be achieved. Government negotiators are looking
for a compromise.
https://www.nytimes.com/2023/05/31/us/nuclear-waste-cleanup.html
[WOPR in *War Games* strikes again?
``The only winning strategy is not to play.''
A compromise here seems like a lose-lose strategy.
PGN]
------------------------------
Date: Fri, 02 Jun 2023 02:21:34 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Secret industry documents reveal that makers of PFAS 'forever
chemicals' covered up their health dangers (phys.org)
https://phys.org/news/2023-05-secret-industry-documents-reveal-makers.html
... From the department of environment pollution risks.
Is another master settlement agreement, similar to that imposed on tobacco
companies, for cancer-causing PFAS -- forever chemical pollution -- in the
works?
------------------------------
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Date: Sat, 27 May 2023 08:36:07 -0400
Subject: Japanese Moon Lander Crashed Because of a Software Glitch
(NYTimes)
A software glitch caused a Japanese robotic spacecraft to misjudge its
altitude as it attempted to land on the moon last month leading to its
crash, an investigation has revealed.
Ispace of Japan said in a news conference on Friday that it had finished
its analysis of what went wrong during the landing attempt on April 25. The
Hakuto-R Mission 1 lander completed its planned landing sequence, slowing
to a speed of about 2 miles per hour. But it was still about three miles
above the surface. After exhausting its fuel, the spacecraft plunged to its
destruction, hitting the Atlas crater at more than 200 miles per hour.
<https://www.nytimes.com/2023/05/26/science/moon-crash-japan-ispace.html>
------------------------------
Date: Wed, 31 May 2023 13:50:00 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Millions of Gigabyte Motherboards Were Sold With a Firmware
Backdoor (WiReD)
Hidden code in hundreds of models of Gigabyte motherboards invisibly and
insecurely downloads programs -- a feature ripe for abuse, researchers say.
Hiding malicious programs in a computer's UEFI firmware, the deep-seated
code that tells a PC how to load its operating system, has become an
insidious trick in the toolkit of stealthy hackers. But when a motherboard
manufacturer installs its own hidden backdoor in the firmware of millions of
computers -- and doesn't even put a proper lock on that hidden back entrance
-- they're practically doing hackers' work for them.
Researchers at firmware-focused cybersecurity company Eclypsium revealed
today that they've discovered a hidden mechanism in the firmware of
motherboards sold by the Taiwanese manufacturer Gigabyte, whose components
are commonly used in gaming PCs and other high-performance computers.
Whenever a computer with the affected Gigabyte motherboard restarts,
Eclypsium found, code within the motherboard's firmware. code within the
motherboard's firmware invisibly initiates an updater program that runs on
the computer and in turn downloads and executes another piece of software.
While Eclypsium says the hidden code is meant to be an innocuous tool to
keep the motherboard's firmware updated, researchers found that it's
implemented insecurely, potentially allowing the mechanism to be hijacked
and used to install malware instead of Gigabyte's intended program. And
because the updater program is triggered from the computer's firmware,
outside its operating system, it's tough for users to remove or even
discover.
https://www.wired.com/story/gigabyte-motherboard-firmware-backdoor/
------------------------------
Date: Sun, 4 Jun 2023 11:49:18 PDT
From: Peter G Neumann <neumann@csl.sri.com>
Subject: Fake students stealing aid from colleges (Nanette Asimov)
Nanette Asimov, *The San Francsico Chronicle" print edition,
4 Jun 2023 front page
[Based on an earlier online version:]
Thousands of `ghost students' are applying to California colleges to steal
financial aid. Here's how. SFChronicle, 2 Jun 2023:
Nobody knows how much money the fraudsters have managed to grab by
impersonating enrollees.
Months after a mysterious check for $1,400 landed in Richard Valicenti's
mailbox last summer, the U.S. Department of Education notified him that the
money was a mistake -- an overpayment of the $3,000 Pell grant he had used to
attend Saddleback College in Orange County.
"I told them I never applied for a Pell," said Valicenti, a 64-year-old
radiation oncologist at UC Davis who had never even heard of Saddleback.
[...]
[Just the tip of the iceberg, evidently. No surprise... PGN]
------------------------------
Date: Fri, 26 May 2023 20:01:37 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Tesla leak reportedly shows thousands of Full Self-Driving
safety complaints (The Verge)
The data contains reports about over 2,400 self-acceleration issues and more
than 1,500 braking problems.
https://www.theverge.com/2023/5/25/23737972/tesla-whistleblower-leak-fsd-complaints-self-driving
------------------------------
Date: Sun, 28 May 2023 07:05:03 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Tesla data leak reportedly details Autopilot complaints (LATimes)
https://www.latimes.com/business/story/2023-05-26/tesla-autopilot-alleged-data-breach-leak
How bad is Tesla Autopilot's safety problem? According to thousands of
complaints allegedly from Tesla customers in the U.S. and around the world,
pretty bad.
<https://www.latimes.com/business/story/2022-12-08/tesla-lawsuit-full-self-driving-technology-failure-not-fraud>
------------------------------
Date: Wed, 24 May 2023 08:12:24 -0600
From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
Subject: Social Media and Youth Mental Health (U.S. Surgeon General)
This Advisory describes the current evidence on the impacts of social media
on the mental health of children and adolescents. It states that we cannot
conclude social media is sufficiently safe for children and adolescents and
outlines immediate steps we can take to mitigate the risk of harm to
children and adolescents.
https://www.hhs.gov/surgeongeneral/priorities/youth-mental-health/social-media/
https://www.hhs.gov/sites/default/files/sg-youth-mental-health-social-media-summary.pdf
https://www.hhs.gov/sites/default/files/sg-youth-mental-health-social-media-advisory.pdf
------------------------------
Date: Tue, 30 May 2023 16:21:16 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Meta slapped with record $1.3 billion EU fine over data privacy
(CNN)
Meta has been fined a record-breaking 1.2 billion euros ($1.3 billion) by
European Union regulators for violating EU privacy laws by transferring the
personal data of Facebook users to servers in the United States.
https://edition.cnn.com/2022/11/28/tech/meta-irish-fine-privacy-law/index.html
https://edition.cnn.com/2022/04/23/business/eu-tech-regulation/index.html
The European Data Protection Board announced the fine in a statement Monday,
saying it followed an inquiry into Facebook (FB) by the Irish Data
Protection Commission, the chief regulator overseeing Meta's operations in
Europe.
<https://edpb.europa.eu/news/news/2023/12-billion-euro-fine-facebook-result-edpb-binding-decision_en>
<https://money.cnn.com/quote/quote.html?symb=FB&source=story_quote_link>
The move highlights ongoing uncertainty about how global businesses may
legally transfer EU users' data to servers overseas. [...]
https://www.cnn.com/2023/05/22/tech/meta-facebook-data-privacy-eu-fine
[Matthew Kruk found
https://www.cbc.ca/news/business/meta-europe-fine-data-transfers-1.6851243
PGN]
------------------------------
Date: Wed, 17 May 2023 12:15:57 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Flaws Found in Using Source Reputation for Training Automatic
Misinformation Detection Algorithms (Carol Peters)
Carol Peters, Rutgers Today, 16 May 2023 via ACM TechNews
Rutgers University scientists found algorithms trained to detect `fake news'
may have a flawed approach for assessing the credibility of online news
stories. The researchers said most of these programs do not evaluate an
article's credibility, but instead rely on a credibility score for the
article's sources. They rated the credibility and political leaning of 1,000
news articles and incorporated the assessment into misinformation-detection
algorithms, then evaluated the labeling methodology's impact on the
algorithms' performance. Article-level source labels matched just 51% of the
time, illustrating the source reputation method 's lack of reliability. In
response, the researchers created a new dataset of journalistic-quality,
individually labeled articles and a process for misinformation detection and
fairness audits.
------------------------------
Date: Tue, 30 May 2023 16:18:19 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Failed Expectations: A Deep Dive Into the Internet's 40 Years of
Evolution (Geoff Huston)
In a recent workshop, I attended, reflecting on the evolution of the
Internet over the past 40 years, one of the takeaways for me is how weâve
managed to surprise ourselves in both the unanticipated successes weâve
encountered and in the instances of failure when technology has stubbornly
resisted to be deployed despite our confident expectations to the contrary!
What have we learned from these lessons about our inability to predict
technology outcomes? Are the issues related to the aspects of the
technology? Are they embedded in the considerations behind the expectations
about how a technology will be adopted? Or do the primary issues reside at a
deeper level relating to economic and even political contexts? Let's look at
this question of failed expectations using several specific examples drawn
from the last 40 years of the Internet's evolution.
*The Public Debut of the Internet (and the demise of O.S.I.)*. [...]
https://circleid.com/posts/20230524-failed-expectations-a-deep-dive-into-the-internets-40-years-of-evolution
------------------------------
Date: Wed, 31 May 2023 14:56:28 PDT
From: Peter G Neumann <neumann@csl.sri.com>
Subject: AI Poses 'Risk of Extinction,' Industry Leaders Warn (Kevin Roose)
Kevin Roose, *The New York Times*, 30 May 2023, via ACM TechNews
Subtital: Putting the Necessity of Controls on Par with Nuclear Weapons
Industry leaders warned in an open letter from the nonprofit Center for AI
Safety that artificial intelligence (AI) technology might threaten
humanity's existence. Signatories included more than 350 executives,
scientists, and engineers working on AI, with the CEOs of OpenAI, Google
DeepMind, and Anthropic among them. ACM Turing Award recipients and AI
pioneers Geoffrey Hinton and Yoshua Bengio also signed the letter, which
comes amid growing concern about the potential hazards of AI partly fueled
by innovations in large language models. Such advancements have provoked
fears of AI facilitating mass job takeovers and the spread of
misinformation, while earlier this month OpenAI's Sam Altman said the risks
were sufficiently dire to warrant government intervention and regulation.
https://www.nytimes.com/2023/05/30/technology/ai-threat-warning.html
[Jan Wolitzky noted a comment on this in The Onion:
``It's sad how desperately these nerds want to make their coding jobs sound
cool.''
https://www.theonion.com/industry-leaders-warn-that-ai-poses-risk-of-extinc=
tion-1850497166
PGN]
------------------------------
Date: Wed, 31 May 2023 19:11:27 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: What we *should* be worrying about with AI
We shouldn't be worrying about AI wiping out humanity. That's a smokescreen.
That's sci-fi. We need to worry about the *individuals* now and in the near
future who can be hurt by the premature deployment of generative AI systems
that spew wrong answers and lies, and then when asked for confirmation, lie
about their own lies! And just popping up warnings to users is useless,
because you know and I know that hardly anyone will read those warnings or
pay any attention to them whatsoever.
[Remenber the boy who cried wolf too often -- when there was one. PGN]
------------------------------
Date: Thu, 01 Jun 2023 04:00:24 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Artificial intelligence system predicts consequences of gene
modifications (medicalxpress.com)
https://medicalxpress.com/news/2023-05-artificial-intelligence-consequences-gene-modifications.html
"The new model, dubbed Geneformer, learns from massive amounts of data on
gene interactions from a broad range of human tissues and transfers this
knowledge to make predictions about how things might go wrong in disease."
Would commercial or academic life science organizations apply this
capability to reduce human trial expenses for certain genetically engineered
medicines or treatments, like CAR T-cells used to treat leukemia? Would
prescription drug prices decline as a result?
------------------------------
Date: Fri, 2 Jun 2023 02:21:02 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: How to fund and launch your AI startup (Meetup)
You've got a great idea, but how do you build it into a successful company?
Come learn how to assemble the right team, develop your pitch, and raise
venture capital for your new company.
https://www.meetup.com/acm-chicago/events/293851188
What could go wrong?
------------------------------
Date: Fri, 2 Jun 2023 07:00:29 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Rise of the Newsbots: AI-Generated News Websites Proliferating
Online (NewsGuard)
NewsGuard has identified 49 news and information sites that appear to be
almost entirely written by artificial intelligence software. A new
generation of content farms is on the way.
https://www.newsguardtech.com/special-reports/newsbots-ai-generated-news-websites-proliferating/
------------------------------
Date: Fri, 19 May 2023 17:53:41 -0400
From: Gene Spafford <spaf@purdue.edu>
Subject: Some thoughts on the current AI storm und drang
There is a massive miasma of hype and misinformation around topics related
to AI, ML, and chat programs and how they might be used -- or misused. I
remember previous hype cycles around 5th-generation systems, robotics, and
automatic language translation (as examples). The enthusiasm each time
resulted in some advancements that weren't as profound as predicted. That
enthusiasm faded as limitations became apparent and new bright, shiny
technologies appeared to be chased.
The current hype seems even more frantic for several reasons, not least of
which is that there are many more potential market opportunities for the
current developments. Perhaps the entities that see new AI systems as a way
to reduce expenses by cutting headcount and replacing people with AI are one
of the biggest drivers causing both enthusiasm and concern (see, for
example,
https://www.businessinsider.com/chatgpt-jobs-at-risk-replacement-artificialintelligence-ai-labor-trends-2023-02?op=1#teachers-5). That
was a driver of the robotics craze some years back, too. The current cycle
has already had an impact on some creative media, including being an issue
of contention in the media writers' strike in the US. It also is raising
serious questions in academia, politics, and the military.
There's also the usual hype cycle FOMO (fear of missing out) and the urge to
be among the early adopters, as well as those speculating about the most
severe forms of misuse. That has led to all sorts of predictions of
outlandish capabilities and dire doom scenarios -- neither of which is
likely wholly accurate. AI, generally, is still a developing field and will
produce some real benefits over time. The limitations of today's systems may
or may not be present in future systems. However, there are many caveats
about the systems we have now and those that may be available soon that
justify genuine concern.
First, LLMs such as ChatGPT, Bard, et al. are NOT really "intelligent." [...]
Second, these systems are not accountable in current practice and law. [...]
Third, the inability of much of the general public to understand teh
limitations of current systems means that any use may introduce a bias
into how people make their own decisions and choices. [...]
[Long item PGN-ed for RISKS. Check in with Spaf if you want the entire
piece.]
------------------------------
Date: Wed, 31 May 2023 07:27:32 -0400
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Subject: Massachusetts hospitals, doctors, medical groups pilot ChatGPT
technology (The Boston Globe)
Artificial intelligence is already in wide use in health care: medical
workers use it to record patient interactions and add notes to medical
records; some hospitals use it to read radiology images, or to predict how
long a patient may need to be in intensive care.
But some hospitals have begun to contemplate using a new phase of AI that
is much more advanced and could have a profound effect on their operations,
and possibly even clinical care.
Indeed, never one for modesty, ChatGPT, one form of the new AI technology
that can render answers to queries in astonishing depth (if dubious
accuracy), called its own role in the future of medicine a *groundbreaking
development poised to reshape the medical landscape.*
https://www.bostonglobe.com/2023/05/30/metro/massachusetts-hospitals-doctor=
s-medical-groups-pilot-chatgpt-technology/
------------------------------
Date: Sun, 21 May 2023 03:26:49 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: The benefits and perils of using artificial intelligence to trade
and other financial instruments (TheConversation.com)
https://theconversation.com/chatgpt-powered-wall-street-the-benefits-and-perils-of-using-artificial-intelligence-to-trade-stocks-and-other-financial-instrument-201436
High Frequency Trading (HFT) platforms elevate financial market
volatility. Cou pling HFT with ChatGPT will likely exponentiate volatility.
[Is e^sh*tload >= Spinal Tap's "11"?]
------------------------------
Date: Thu, 18 May 2023 05:29:01 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Professor Flunks All His Students After ChatGPT Falsely Claims It
Wrote Their Papers (Rolling Stone)
Texas A&M University commerce seniors who have already graduated were
denied their diplomas because of an instructor who incorrectly used AI
software to detect cheating.
https://www.rollingstone.com/culture/culture-features/texas-am-chatgpt-ai-professor-flunks-students-false-claims-1234736601/
https://news.slashdot.org/story/23/05/17/2023212/professor-failed-more-than-half-his-class-after-chatgpt-falsely-claimed-it-wrote-their-final-papers
------------------------------
Date: Thu, 18 May 2023 07:42:33 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Top French court backs AI-powered surveillance cameras for Paris
Olympics (Politico)
https://www.politico.eu/article/french-top-court-backs-olympics-ai-powered-surveillance-cameras/
------------------------------
Date: Sat, 20 May 2023 15:36:15 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Meta's Big AI Giveaway (Metz/Isaac)
Cade Metz and Mike Isaac, *The New York Times* business section, front
page continued inside, 20 May 2023
``Do you want every AI system to be under the control of a couple of
powerful American companies?'' Yann LeCun, Meta chief scientist.
As tech giant makes its latest innovation open-source, rivals view it
as a dangerous move.
------------------------------
Date: Mon, 22 May 2023 14:30:41 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Meta hit with record fine by Irish regulator over U.S. data
transfers (CBC)
https://www.cbc.ca/news/business/meta-europe-fine-data-transfers-1.6851243
Facebook parent company Meta was hit with a record 1.2 billion euro ($1.75
billion Cdn) fine by its lead European Union privacy regulator over its
handling of user information and given five months to stop transferring
users' data to the United States.
The fine, imposed by Ireland's Data Protection Commissioner (DPC), came
after Meta continued to transfer data beyond a 2020 EU court ruling that
invalidated an EU-U.S. data transfer pact. It tops the previous record EU
privacy fine of 746 million euros ($1.09 billion Cdn) handed by Luxembourg
to Amazon.com Inc in 2021. [...]
------------------------------
Date: Tue, 23 May 2023 06:33:54 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: AI scanner used in hundreds of US schools misses knives (BBC)
https://www.bbc.com/news/technology-65342798
A security firm that sells AI weapons scanners to schools is facing fresh
questions about its technology after a student was attacked with a knife
that the $3.7m system failed to detect.
On Halloween last year, student Ehni Ler Htoo was walking in the corridor
of his school in Utica, New York, when another student walked up behind him
and stabbed him with a knife.
Speaking exclusively to the BBC, the victim's lawyer said the 18-year-old
suffered multiple stab wounds to his head, neck, face, shoulder, back and
hand.
The knife used in the attack was brought into Proctor High School despite a
multimillion weapons-detection system installed by a company called Evolv
Technology, a security firm that wants to replace traditional metal
detectors with AI weapons scanners.
------------------------------
Date: Tue, 23 May 2023 13:45:48 +0000 (UTC)
From: Steve Bacher <sebmb1@verizon.net>
Subject: Milton resident's against CVS raises questions about the use of
AI lie detectors in hiring (The Boston Globe)
https://www.boston.com/news/the-boston-globe/2023/05/22/milton-residents-lawsuit-cvs-ai-lie-detectors
It's illegal for employers in Mass. to use a lie detector to screen job
applicants, but what if they use AI to assess a candidate's honesty?
------------------------------
Date: Thu, 25 May 2023 02:39:50 +0000
From: Prashanth Mundkur <prashanth.mundkur@sri.com>
Subject: EPIC on Generative AI
In case you haven't seen this great report:
https://epic.org/new-epic-report-sheds-light-on-generative-a-i-harms/
------------------------------
Date: Wed, 24 May 2023 12:20:15 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Reality check: What will generative AI really do for cybersecurity?
(Cyberscoop)
https://cyberscoop.com/generative-ai-chatbots-cybersecurity/ via
https://www.washingtonpost.com/politics/2023/05/24/food-agriculture-industry-gets-new-center-share-cybersecurity-information/.
"Cleaning data to get it usable for machine learning required time and
resources, and once the agency rolled out the models for analysts to use
some were resistant and were concerned that they could be displaced. 'It
took a while until it was accepted that such models could triage and to give
them a more effective role,' Neuberger said."
Data cleansing requires skilled eyes and hands, not something an LLM
possesses out-of-the-box. Inculcating these skills into the LLM is
equivalent to outsourcing and off-shoring.
If the data cleansers and infosec engineers were given certain copyright or
patent royalties over the knowledge they transferred into the LLM,
cybersecurity engineering organizational effectiveness would likely
experience less turnover.
------------------------------
Date: Thu, 01 Jun 2023 12:00:26 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Moody's cites credit risk from state-backed cyber intrusions into
U.S. critical infrastructure (cybersecuritydive.com)
https://www.cybersecuritydive.com/news/moodys-credit-risk-cyber-critical-infrastructure/651656/
Corporate credit ratings are affected by cybersecurity risk assessments.
This expense should motivate rapid adoption of hardening infrastructure
measures to elevate ratings based on infosec audits and preparedness,
thereby reduce cyber-insurance costs.
Where are the skilled hands to competently rollout these core capabilities
and to sustain vigilant operations? Cyber infrastructure engineers and
watchdogs are hard to train, recruit, and retain. Not a role typically
out-sourced or off-shore, unlike the domestic US computer manufacturing
operations migrated to cut costs.
Remains to be seen if AI mitigates hockey-stick cybersecurity cost
expenditures while improving protection benchmarks established by
CISA. Business expenses attributed to cyberinsurance cannot be absorbed by
consumers indefinitely.
------------------------------
Date: Sat, 27 May 2023 13:45:02 -0400
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Subject: What Happens When Your Lawyer Uses ChatGPT (NYTimes)
The lawsuit began like so many others: A man named Roberto Mata sued the
airline Avianca, saying he was injured when a metal serving cart struck his
knee during a flight to Kennedy International Airport in New York.
When Avianca asked a Manhattan federal judge to toss out the case, Mr.
Mata's lawyers vehemently objected, submitting a 10-page brief that cited
more than half a dozen relevant court decisions. There was Martinez v.
Delta Air Lines, Zicherman v. Korean Air Lines and, of course, Varghese v.
China Southern Airlines, with its learned discussion of federal law and
``the tolling effect of the automatic stay on a statute of limitations.''
There was just one hitch: No one -- not the airline's lawyers, not even the
judge himself -- could find the decisions or the quotations cited and
summarized in the brief.
That was because ChatGPT had invented everything.
https://www.nytimes.com/2023/05/27/nyregion/avianca-airline-lawsuit-chatgpt.html
[Gabe Goldberg noted this item, and commented:
I guess hallucinations aren't admissible...
Matthew Kruk found another report in the BBC:
https://www.bbc.com/news/world-us-canada-65735769
Amos Shapir noted that one as well, with this line;
The lawyer claimed that it was the first time he had used AI,
and was ``unaware that its content could be false.''
PGN]
------------------------------
Date: Sun, 28 May 2023 16:38:03 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Anger over airports' passport e-gates not working (BBC News)
Passengers flying into the UK faced hours of delays at airports across the
country where passport e-gates were not working.
Travelers told of their anger at being stuck in queues at airports including
Heathrow, Manchester and Gatwick.
The Home Office said on Saturday evening that all e-gates were now operating
as normal.
The disruption, which began on Friday night, had been due to an IT issue, a
source told the BBC.
All airports across the country using the technology were affected.
The e-gate system speeds up passport control by allowing some passengers to
scan their own passports. It uses facial recognition to verify identity and
captures the traveler's image.
https://www.bbc.com/news/uk-65731795
------------------------------
Date: Sat, 27 May 2023 16:26:37 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Longer and longer trains are blocking emergency services and
killing people (WashPost)
https://www.washingtonpost.com/nation/interactive/2023/long-trains-block-intersections-paramedics/
------------------------------
Date: Wed, 17 May 2023 22:29:47 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Denials of health-insurance claims are rising and getting weirder
(WashPost)
https://www.washingtonpost.com/opinions/2023/05/17/health-insurance-denial-claims-reasons/
``ProPublica's investigation, published in March, found that an automated
system, called PXDX, allowed Cigna medical reviewers to sign off on 50
charts in 10 seconds presumably without even examining the patients'
records.''
Another electronic health record advantage.
------------------------------
Date: Sun, 4 Jun 2023 15:12:01 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Small plane crashes after jet fighter chase in WashDC area
(WashPost)
A small plane (Cessna Citation) -- apparently on autopilot with unresponsive
pilot -- crashes in mountainous Virginia terrain after chase by jet fighters
causing sonic boom across DC, after plane violated DC airspace. -L
[I was just on a zoom call with folks in the DC area. The boom
was heard quite widely. PGN]
------------------------------
Date: Sat, 20 May 2023 15:18:11 -0400
From: "Steven J. Greenwald" <greenwald.steve@gmail.com>
Subject: Response from American Airlines for delay
For my flight out of DFW the other day, American Airlines had a major issue
with a bugged up Airbus 321. They couldn't debug it, so they had to change
the plane/gate.
I found it unusual enough to ask for confirmation from American Airlines
(they gave it, included below).
> Date: Sat, May 20, 2023 at 2:46=E2=80=AFPM
> From: <AmericanAirlinesCustomerRelations@aa.com>
> Subject: Your Response From American Airlines
> Thank you for contacting Customer Relations. I am happy to respond to your
> inquiry regarding the reason for the delay of AA2206.
> Our records indicate that your flight was delayed due to an aircraft
> change caused by a moth infestation. [...]
[And it was not even Moth-ers' Day. PGN]
------------------------------
Date: Fri, 2 Jun 2023 11:53:10 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Microsoft Finds macOS Bug That Lets Hackers Bypass SIP Root
Restrictions (Sergiu Gatlan)
Sergiu Gatlan, *BleepingComputer, 30 May 2023 via ACM Tech News
Apple has patched a vulnerability discovered by Microsoft security
researchers, dubbed Migraine, that would have allowed attackers with root
privileges to install *undeleteable* malware and access the victim's private
data. The researchers said, ``By focusing on system processes that are
signed by Apple and have the com.apple.rootless.install.heritable
entitlement, we found two child processes that could be tampered with to
gain arbitrary code execution in a security context that bypasses SIP
[System Integrity Protection] checks.'' Bypassing SIP also would allow
attackers to circumvent Transparency, Consent, and Control (TCC) policies to
gain access the victim's private data. The vulnerability was patched in
Apple's May 18 security updates for macOS Ventura 13.4, macOS Monterey
12.6.6, and macOS Big Sur 11.7.7.
------------------------------
Date: Wed, 24 May 2023 11:23:31 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Apps for Older Adults Contain Security Vulnerabilities
(Patrick Lejtenyi)
Patrick Lejtenyi, Concordia University, Canada, 23 May 2023
Researchers at Canada's Concordia University found security bugs in 95 of
146 popular Android applications designed for older adults. The researchers
discovered that many apps failed to properly authenticate server application
programming interface endpoints, which attackers could exploit to access
sensitive personal data. Other apps had easily penetrable accounts, with
some sending unencrypted information to either client-side servers or
third-party domains. The researchers found multiple other flaws in dozens of
other apps. Only seven of the 35 app developers the team contacted about the
bugs responded, while Concordia's Pranay Kapoor said the vulnerabilities
could be remedied by following best practices for basic security.
------------------------------
Date: Fri, 26 May 2023 21:09:12 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: India official drains entire dam to retrieve phone (BBC)
https://www.bbc.com/news/world-asia-india-65726193
A government official in India has been suspended after he ordered a
reservoir to be drained to retrieve his phone.
It took three days to pump millions of litres of water out of the dam, after
Rajesh Vishwas dropped the device while taking a selfie.
By the time it was found, the phone was too water-logged to work.
[Jim Reisert found that here:
https://www.cnn.com/2023/05/28/india/india-reservoir-drained-selfie-photo-intl-hnk/
PGN]
[Out, Out, Dammed Drought. PGN]
------------------------------
Date: Thu, 18 May 2023 08:31:26 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Google's Privacy Sandbox
I believe the big Achilles heel of Google's Privacy Sandbox, their
continuing effort rolling out in trials already, is Ad Topics, that replaces
third party cookies with an advertising API involving local device modeling
of your browsing history into predefined categories (about 350), with sites
able to receive up to three of them most highly ranked.
Google asserts that this will maintain or increase the value of targeted ads
while increasing individual user privacy by moving away from third party
cookies and ad hoc techniques used by sites to try target individual users.
Google is moving to default the various aspect of Privacy Sandbox to ON,
based on the usual hope that users won't bother to change the defaults.
I think the two words that spell the main trouble for this plan are
"browsing history." Most people are quite sensitive about this and assume it
is private. Even if shared with Google for enhanced services, they don't
really want advertisers to know anything about it.
Hell, even I feel an emotional punch when I think about advertisers being
handed information about my browsing, no matter how carefully categorized,
anonymized, and sanitized. And I know how this stuff actually works. I even
agree that in theory it's better than the status quo with third party
cookies, etc.
Is this really going to fly in the long run? It seems unlikely as currently
defined. Most people aren't going to understand it, just like they don't
understand that Google doesn't sell user data to advertisers -- a widely
held false belief that Google has never really been able to dispel. And
Privacy Sandbox is even more complicated to explain to the average
nontechnical person.
Politicians from both parties are going to jump all over this. The fine
points of privacy balance will be lost in the noise.
This is unlikely to end well for anyone.
------------------------------
Date: Sat, 20 May 2023 12:59:55 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: WebKit Under Attack: Apple Issues Emergency Patches for 3 New
Zero-Day Vulnerabilities (Apple)
Apple on Thursday rolled out security updates
<https://support.apple.com/en-us/HT201222> to iOS, iPadOS, macOS, tvOS,
watchOS, and the Safari web browser to address three new zero-day flaws
that it said are being actively exploited in the wild.
The three security shortcomings are listed below --
- CVE-2023-32409 - A WebKit flaw that could be exploited by a malicious
actor to break out of the Web Content sandbox. It was addressed with
improved bounds checks.
- CVE-2023-28204 - An out-of-bounds read issue in WebKit that could be
abused to disclose sensitive information when processing web content. It
was addressed with improved input validation.
- CVE-2023-32373 - A use-after free bug in WebKit that could lead to
arbitrary code execution when processing maliciously crafted web content.
It was addressed with improved memory management. [...]
------------------------------
Date: Tue, 23 May 2023 03:36:59 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Q&A: Why is there so much hype about the quantum computer?
(phys.org)
https://phys.org/news/2023-05-qa-hype-quantum.html
``Calculations show that it takes a quantum computer of 10^20M quantum bits
[qubits *] to break an RSA encryption. Right now, the largest quantum
computer is in the region of 430 quantum bits. So there is still some way to
go. So, at the risk of becoming a laughing stock for posterity, I would
guess that it will take another 20 years before we have a quantum computer
that meets these expectations.''
Four orders of magnitude to scale in the qubit space represents a mighty
tall order to achieve. Government funding essential to back innovation on
this turf.
[*And that's without the massive error-correction that is required for a
huge-qubit quantum computer -- and let's not forget out-put(t)s on the
turf. PGN]
------------------------------
Date: Tue, 23 May 2023 12:12:00 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Report Estimates Trillions in Indirect Losses Would Follow Quantum
Computer Hack (nextgov.com)
https://www.nextgov.com/cybersecurity/2023/05/report-estimates-trillions-indirect-losses-would-follow-quantum-computer-hack/386653/
``An analysis projects the hypothetical disruption a cyberattack from a
quantum computer could have on global financial markets.''
The original report from the Hudson Institute is
https://www.hudson.org/events/prosperity-risk-quantum-computer-threat-us-financial-system.
[Same old financial chaos with a quantum twist.]
------------------------------
Date: Sat, 3 Jun 2023 13:32:00 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Don't Store Your Money on Venmo, U.S. Govt Agency Warns (Gizmodo)
https://gizmodo.com/venmo-paypal-digital-payments-cashapp-1850500772
------------------------------
Date: Sat, 20 May 2023 10:13:19 -0700
From: Steve Lamont <spl@tirebiter.org>
Subject: Re: An EFF Investigation: Mystery GPS Tracker
The device in question sounds very similar to the better known LoJack stolen
vehicle recovery service, though generally they're better hidden than just
under the driver's seat.
I had one put in a used car I bought and the installer wouldn't even let me
watch. (I suspect it was placed under the rear seat but never bothered to
poke around to look.)
I've had one in each in my last three new vehicles. The dealer installs
them by default and the one time fee is included in the purchase price.
According to the brochure, at least, the device tracking is only activated
if/when the vehicle is reported stolen.
------------------------------
Date: 16 May 2023 20:12:51 -0400
From: "John Levine" <johnl@iecc.com>
Subject: Re: Three Companies Supplied Fake Comments to FCC (NY AG), but
John Oliver didn't (RISKS-33.71)
> I suppose this is not nearly on the same level as what those companies
> did, however.
It's not even slightly the same. Oliver was encouraging his viewers to send
their own messages to the FCC. Real messsages from actual people are fine,
so fine that the last clause of the First Amendment specifically allows it:
Congress shall make no law respecting an establishment of religion,
or prohibiting the free exercise thereof; or abridging the freedom of
speech, or of the press; or the right of the people peaceably to
assemble, and to petition the Government for a redress of grievances.
Sure, a lot of the messages will say the same thing, but that's
nothing new. Back in the day people set up card tables with postcards
with preprinted messages you could write your name under and mail to
your representatives. So long as each postcard was from the real
person whose name was on it, no problem.
These guys were sending fake comments using names of people who had no
idea that messages were being sent using their names. I hope the
difference is not hard to see.
------------------------------
Date: Wed, 17 May 2023 10:57:47 -0400
From: Michael Kohne <mhkohne@kohne.org>
Subject: Re: Near collision embarrasses Navy, so they order public San Diego
webcams taken down (Bacher, RISKS-33.71)
I think you're wrong. Most of what the Navy does is pretty much out in the
open. There's no way to prevent people watching what the Navy is doing
anywhere near shore. It's just the nature of the beast -- you can't stop
people taking pictures of the ocean, guys! And anyone competent in the Navy
is aware of that, but frankly it never hurts for them to be publicly
reminded of that fact -- which is why I also tend to believe this is more
about embarrassment, rather than any actual purpose.
------------------------------
Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) is online.
<http://www.CSL.sri.com/risksinfo.html>
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 33.72
************************
