[33207] in RISKS Forum
Risks Digest 33.95
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Sat Dec 2 18:32:14 2023
From: RISKS List Owner <risko@csl.sri.com>
Date: Sat, 2 Dec 2023 15:29:50 PST
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Saturday 2 December 2023 Volume 33 : Issue 95
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.95>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Commercial Flights Are Experiencing 'Unthinkable' GPS Attacks
and Nobody Knows What to Do (Vice)
G7 and EU countries pitch guidelines for AI cybersecurity
(Joseph Bambridge)
U.S. and UK Unveil AI Cyber-Guidelines (Politico via PGN)
Was Argentina the First AI Election? (NYTimes)
As AI-Controlled Killer Drones Become Reality, Nations Debate Limits,
(The New York Times)
Reports that Sports Illustrated used AI-generated stories and fake
authors are disturbing, but not surprising (Poynter)
Is Anything Still True? On the Internet, No One Know
Anymore (WSJ)
ChatGPT x 3 (sundry sources via Lauren Weinstein)
Texas Rejects Science Textbooks Over Climate Change, Evolution Lessons
(WSJ)
A `silly' attack made ChatGPT reveal real phone numbers
and email addresses (Engadget)
Meta/Facebook profiting from sale of counterfeit U.S. stamps
(Mich Kabay)
Chaos in the Cradle of AI (The New Yorker)
Impossibility of Strong watermarks for Generative AI
Intel hardware vulnerability (Daniel Moghimi at Google_
Hallucinating language models (Victor Miller)
USB worm unleashed by Russian state hackers spreads worldwide
(Ars Technica)
AutoZone warns almost 185,000 customers of a data breach
(Engadget)
Okta admits hackers accessed data on all customers during recent breach
(TechCrunch)
USB worm unleashed by Russian state hackers spreads worldwide
(Ars Technica)
Microsoft’s Windows Hello fingerprint authentication has been bypassed
(The Verge)
Thousands of routers and cameras vulnerable to new 0-day attacks
by hostile botnet (Ars Technica)
A Postcard From Driverless San Francisco (Steve Bacher)
Voting machine trouble in Pennsylvania county triggers alarm ahead of 2024
(Politico via Steve Bacher)
Outdated Password Practices are Widespread (Georgia Tech)
THE CTIL FILES #1 (Shellenberger via geoff goodfellow)
Judge rules it's fine for car makers to intercept your text messages
(Henry Baker)
Protecting Critical Infrastructure from Cyber Attacks (RMIT)
Crypto Crashed and Everyone's In Jail. Investors Think It's
Coming Back Anyway. (Vice)
Feds seize Sinbad crypto mixer allegedly used by North Korean e
hackers (TechCrunch)
A lost bitcoin wallet passcode helped uncover a major security flaw
(WashPost)
Ontario's Crypto King still jet-setting to UK, Miami, and soon Australia
despite bankruptcy (CBC)
British Library confirms customer data was stolen by hackers,
with outage expected to last months (TechCrunch)
PSA: Update Chrome browser now to avoid an exploit
already in the wild (The Verge)
WeWork has failed. Like a lot of other tech startups, it left damage in its
wake (CBC)
Re: The AI Pin (Rob Slade)
Re: Social media gets teens hooked while feeding aggression and
impulsivity, and researchers think they know why (C.J.S. Hayward)
Re: Garble in Schneier's AI post (Steve Singer)
Re: Using your iPhone to start your car is about to get a
lot easier (Sam Bull)
Re: Oveview of the iLeakage Attack (Sam Bull)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Mon, 20 Nov 2023 19:00:14 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Commercial Flights Are Experiencing 'Unthinkable' GPS Attacks
and Nobody Knows What to Do (Vice)
New "spoofing" attacks resulting in total navigation failure have been
occurring above the Middle East for months, which is "highly significant"
for airline safety.
https://www.vice.com/en/article/m7bk3v/commercial-flights-are-experiencing-unthinkable-gps-attacks-and-nobody-knows-what-to-do
------------------------------
Date: Mon, 27 Nov 2023 9:10:36 PST
From: Peter Neumann <neumann@csl.sri.com>
Subject: G7 and EU countries pitch guidelines for AI cybersecurity
(Joseph Bambridge)
Joseph Bambridge, Politico Europe, 27 Nov 2023
Cybersecurity authorities in 18 major European and Western countries,
including all G7 states, today released joint guidelines on how to
develop artificial intelligence systems in ways that ensure their
cybersecurity.
The United Kingdom, United States, Germany, France, Italy, Australia,
Japan, Israel, Canada, Nigeria, Poland and others backed what they
called the world's first AI cybersecurity guidelines. The initiative
was led by the U.K.'s National Cyber Security Centre and follows
London's AI Safety Summit that took place early November.
The 20-page document sets out practical ways providers of AI systems can
ensure they function as intended, don't reveal sensitive data and aren't
taken offline by attacks.
AI systems face both traditional threats and novel vulnerabilities
like data poisoning and prompt injection attacks, the authorities
said. The guidelines -- which are voluntary -- set standards for how
technologists design, deploy and maintain AI systems with
cybersecurity in mind.
The U.K.'s NCSC will present the guidelines at an event Monday after
noon.
<https://y3r710.r.eu-west-1.awstrack.me/I0/0102018c10220f9c-cd93ae92-527e-4258-a9b4-5c43adb51332-000000/VBwAxQb3zMQOCAxex0irXa9NdgE=349>
------------------------------
Date: Tue, 28 Nov 2023 11:26:30 PST
From: Peter Neumann <neumann@csl.sri.com>
Subject: U.S. and UK Unveil AI Cyber-Guidelines (Politico)
(Joseph Bambridge, Politico, PGN-ed for RISKS)
U.S. and UK UNVEIL AI CYBER GUIDELINES
The UK's National Cyber Security Center and U.S. Cybersecurity and
Infrastructure Security Agency on Monday unveiled what they say are the
world's first AI cyber guidelines, backed by 18 countries including Japan,
Israel, Canada and Germany. It's the latest move on the international stage
to get ahead of the risks posed by AI as companies race to develop more
advanced models, and as systems are increasingly integrated in government
and society.
``Overall I would assess them as some of the early formal guidance
related to the cybersecurity vulnerabilities that derive from both
traditional and unique vulnerabilities,'' the Center for Strategic and
guidelines appeared to be aimed at both traditional cyberthreats and
new ones that come with the continued advancement of AI technologies.
Although the guidelines are voluntary, Allen said they could be made
mandatory for selling to the U.S. federal government for certain types
of risk-averse activities. In the private sector, Allen said
companies buying AI technologies could require vendors to demonstrate
compliance with the guidelines through third-party certification or
other means.
Breaking it down: The guidelines aim to ensure security is a core
requirement of the entire lifecycle of an AI system, and are focused
on four themes: secure design, development, deployment and operation.
Each section has a series of recommendations to mitigate security
risks and safeguard consumer data, such as threat modeling, incident
management processes and releasing AI models responsibly.
Homeland Security Secretary Alejandro Mayorkas said in a statement
that the guidelines are a ``historic agreement that developers must
invest in, protecting customers at each step of a system's design and
development.''International Studies' Gregory Allen told POLITICO. He said the
The guidance is closely aligned with the U.S. National Institute of
Standards and Technology's Secure Software Development Framework
(which outlines steps for software developers to limit vulnerabilities
in their products) and CISA's secure-by-design principles, which was
also released in concert with a dozen other states.
Acknowledgements: The document includes a thank you to a notable list
of leading tech companies for their contributions, including Amazon,
Anthropic, Google, IBM, Microsoft and OpenAI. Also in the mentions
were Georgetown University's Center for Security and Emerging
Technology, RAND and the Center for AI Safety and the program for
Geopolitics, Technology and Governance, both at Stanford.
Aaron Cooper, VP of global policy at tech trade group BSA | The
Software Alliance, said in a statement to MT that the guidelines help
`build a coordinated approach for cybersecurity and artificial
intelligence,'' something that BSA has been calling for in many of its
cyber and AI policy recs.
------------------------------
Date: Mon, 20 Nov 2023 11:40:21 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Was Argentina the First AI Election? (NYTimes)
Jack Nicas and Luc=C3=8Ca Cholakian Herrera
*The New York Times*, 16 Nov 2023
via ACM TechNews, November 20, 2023
Sergio Massa and Javier Milei widely used artificial intelligence (AI) to
create images and videos to promote themselves and attack each other prior
to Sunday's presidential election in Argentina, won by Milei. AI made
candidates say things they did not, put them in famous movies, and created
campaign posters. Much of the content was clearly fake, but a few creations
strayed into the territory of disinformation. Researchers have long worried
about the impact of AI on elections, but those fears were largely
speculative because the technology to produce deepfakes was too expensive
and unsophisticated. "Now we've seen this absolute explosion of incredibly
accessible and increasingly powerful democratized tool sets, and that
calculation has radically changed," said Henry Ajder, an expert who has
advised governments on AI-generated content.
[The losing candidate was destroyed by speculative execution? PGN]
And a few days later, this item:
Argentina Elects Milei in Victory for the Far Right
Jack Nicas, *The New York Times*, 20 Nov 2023, front page of the National
Edition.
PGN]
------------------------------
Date: Wed, 22 Nov 2023 16:53:39 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: As AI-Controlled Killer Drones Become Reality, Nations Debate
Limits (The New York Times)
An experimental unmanned aircraft at Eglin Air Force Base in Florida. The
drone uses artificial intelligence and has the capability to carry weapons,
although it has not yet been used in combat.
As AI-Controlled Killer Drones Become Reality, Nations Debate Limits
Worried about the risks of robot warfare, some countries want new legal
constraints, but the U.S. and other major powers are resistant.
https://www.nytimes.com/2023/11/21/us/politics/ai-drones-war-law.html
------------------------------
Date: Tue, 28 Nov 2023 06:48:00 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: Reports that Sports Illustrated used AI-generated stories and fake
authors are disturbing, but not surprising (Poynter)
It’s unsettling, especially from such a storied name. But comments from its
parent company should have told us it was coming.
In a story that has generated both shock and disdain, Futurism’s Maggie
Harrison reports
<https://futurism.com/sports-illustrated-ai-generated-writers> that Sports
Illustrated published stories that were produced or partially produced by
artificial intelligence, and that some stories had bylines its parent
company should have told us it was coming.
In a story that has generated both shock and disdain, Futurism’s Maggie
Harrison reports
<https://futurism.com/sports-illustrated-ai-generated-writers> that Sports
Illustrated published stories that were produced or partially produced by
artificial intelligence, and that some stories had bylines of fake
authors. To be clear, the disdain was directed at Sports Illustrated.
But maybe we shouldn't be surprised by any of this, as I’ll explain in a
moment. First, the details.
When asked about fake authors, an anonymous source described as a “person
involved with the creation of the content” told Harrison, “There’s a lot. I
was like, what are they? This is ridiculous. This person does not exist. At
the bottom (of the page) there would be a photo of a person and some fake
description of them like, ‘oh, John lives in Houston, Texas. He loves yard
games and hanging out with his dog, Sam.’ Stuff like that. It’s just crazy.”
The fake authors even included AI-generated mugshots. If true, that is
pretty gross — photos of authors who don't actually exist, to go along with
made-up bios that included made-up hobbies and even made-up pets. [...]
https://www.poynter.org/commentary/2023/sports-illustrated-artificial-intelligence-writers-futurism/
------------------------------
Date: Tue, 21 Nov 2023 10:07:10 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Is Anything Still True? On the Internet, No OneK
Knows Anymore (WSJ)
New tools can create fake videos and clone the voices of those closest to
us. This is how authoritarianism arises.
Creating and disseminating convincing propaganda used to require the
resources of a state. Now all it takes is a smartphone.
Generative artificial intelligence is now capable of creating fake
pictures, clones of our voices
<https://www.wsj.com/articles/i-cloned-myself-with-ai-she-fooled-my-bank-and-my-family-356bd1a3>,
and even videos depicting and distorting world events. The result: From our
personal
<https://www.wsj.com/tech/fake-nudes-of-real-students-cause-an-uproar-at-a-new-vvxsxsjersey-high-school-df10f1bb>
circles
to the political
<https://www.wsj.com/world/china/china-is-investing-billions-in-global-disinformation-campaign-u-s-says-88740b85>
circuses,
everyone must now question whether what they see and hear is true.
We've long been warned
<https://www.wsj.com/articles/the-world-isnt-as-bad-as-your-wired-brain-tells-you-1535713201>
about the potential of social media to distort our view of the world
<https://www.wsj.com/articles/why-social-media-is-so-good-at-polarizing-us-11603105204>,
and now there is the potential for more false and misleading information to
spread on social media than ever before. Just as importantly, exposure to
AI-generated fakes can make us question the authenticity of everything we
see <https://www.wsj.com/articles/the-deepfake-dangers-ahead-b08e4ecf>.
Real images and real recordings can be dismissed as fake. ``When you show
people deepfakes and generative AI, a lot of times they come out of the
experiment saying, ``I just don't trust anything anymore,'' says David Rand
<https://mitsloan.mit.edu/faculty/directory/david-g-rand>, a professor at
MIT Sloan who studies <https://www.nature.com/articles/s41562-023-01641-6>
the creation, spread and impact of misinformation.
This problem, which has grown more acute in the age of generative AI, is
known as the liar's dividend
<https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3213954>, says Renee
DiResta, a researcher at the Stanford Internet Observatory.
The combination of easily-generated fake content and the suspicion that
anything might be fake allows people to choose what they want to believe,
adds DiResta, leading to what she calls =9Cbespoke realities
<https://www.ribbonfarm.com/2019/12/17/mediating-consent/>.
Examples of misleading content created by generative AI are not hard to come
by, especially on social media. One widely circulated and fake image of
Israelis lining the streets in support of their country has many of the
hallmarks of being AI-generated
<https://www.reuters.com/fact-check/photo-cheering-crowds-waving-israeli-flags-soldiers-is-ai-generated-2023-10-30/>
including telltale oddities that are apparent if you look closely, such as
distorted bodies and limbs. For the same reasons, a widely shared image that
purports to show fans at a soccer match in Spain displaying a Palestinian
flag doesn't stand up <https://factcheck.afp.com/doc.afp.com.33YY7NY> to
scrutiny.
------------------------------
Date: Wed, 22 Nov 2023 08:02:57 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: ChatGPT x 3 (sundry sources)
ChatGPT Replicates Gender Bias in Recommendation Letters
https://www.scientificamerican.com/article/chatgpt-replicates-gender-bias-in-recommendation-letters/
OpenAI and Microsoft hit with copyright lawsuit from non-fiction authors
https://www.engadget.com/openai-and-microsoft-hit-with-copyright-lawsuit-from-non-fiction-authors-101505740.html?src=rss
ChatGPT generates fake data set to support scientific hypothesis
https://www.nature.com/articles/d41586-023-03635-w
------------------------------
Date: Sun, 19 Nov 2023 18:19:43 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Texas Rejects Science Textbooks Over Climate Change, Evolution
Lessons (WSJ)
https://www.wsj.com/us-news/education/texas-rejects-science-textbooks-over-climate-change-evolution-lessons-29a2c2ca
[Do most Texans believe that climate change is a hoax, and evolution is
impossible because it is inconsistent with the Bible? Or just the
politicians? Note that dumbing down education will have to apply to
chatbots as well, if they are used as textbooks. The next step has to be
legislating that generative AI must not be consistent with established
history regarding climate change, evolution, slavery, etc.? The only way
out may be to ban chatbots with truthful training data. We seem to be on
a very slippery slope with content censorship. PGN]
------------------------------
Date: Thu, 30 Nov 2023 08:50:28 -0500
From: Monty Solomon <monty@roscom.com>
Subject: A `silly' attack made ChatGPT reveal real phone numbers
and email addresses (Engadget)
https://www.engadget.com/a-silly-attack-made-chatgpt-reveal-real-phone-numbers-and-email-addresses-200546649.html
------------------------------
Date: Sun, 26 Nov 2023 17:46:22 -0500
From: <mekabay@gmail.com>
Subject: Meta/Facebook profiting from sale of counterfeit
U.S. stamps
Meta/Facebook post and profit from ads on FB for criminals who sell
counterfeit U.S. stamps to unsuspecting victims (or to those who choose to
ignore warnings such as the one in the next paragraph). Images of the
counterfeit stamps at the time of posting are here. I have reported these
crimes to the United States Postal Inspection Service and the FBI's Internet
Crime Complaint Center. I have also written to Meta about this criminal
activity but never received a reply.
See < http://www.mekabay.com/counterfeit-stamps/ > for images of over 500
ads on FB for counterfeit US stamps.
Warning I post online whenever I can:
These are counterfeit stamps. It is a federal crime to use fake stamps as
postage. Don't fall for these scams.
https://www.uspis.gov/news/scam-article/counterfeit-stamps
------------------------------
Date: Fri, 24 Nov 2023 19:51:50 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Chaos in the Cradle of AI (The New Yorker)
The Sam Altman saga at OpenAI underscores an unsettling truth: nobody knows
what *AI safety* really means.
https://www.newyorker.com/science/annals-of-artificial-intelligence/chaos-in-the-cradle-of-ai
[`AIIIII' sounds like a scream fo help in several languages, PGN]
------------------------------
Date: Sun, 19 Nov 2023 15:39:33 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: Impossibility of Strong watermarks for Generative AI
Watermarks have been proposed to allow identification of data (and
pictures, etc) generated by AI. This paper shows that that goal is
essentially impossible.
https://arxiv.org/pdf/2311.04378.pdf
------------------------------
Date: Mon, 27 Nov 2023 15:38:59 -0800
From: Victor Miller <victorsmiller@gmail.com>
Subject: Hallucinating language models
The introduction is really very clear.
Adam Tauman Kalai, Microsoft Research
Santosh S. Vempala, Georgia Tech
Calibrated Language Models Must Hallucinate
27 Nov 2023
https://arxiv.org/pdf/2311.14648.pdf
------------------------------
Date: Wed, 22 Nov 2023 21:00:41 -0500
From: Monty Solomon <monty@roscom.com>
Subject: USB worm unleashed by Russian state hackers spreads worldwide
(Ars Technica)
https://arstechnica.com/?p=1985993
------------------------------
Date: Wed, 22 Nov 2023 18:38:06 -0500
From: Monty Solomon <monty@roscom.com>
Subject: AutoZone warns almost 185,000 customers of a data breach
(Engadget)
https://www.engadget.com/autozone-warns-almost-185000-customers-of-a-data-breach-202533437.html
------------------------------
Date: Wed, 29 Nov 2023 20:47:49 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Okta admits hackers accessed data on all customers
during recent breach (TechCrunch)
https://techcrunch.com/2023/11/29/okta-admits-hackers-accessed-data-on-all-customers-during-recent-breach/
[I've seen reports of breaches for several days, but this seems to be the
first one from Okta. PGN]
------------------------------
Date: Fri, 24 Nov 2023 15:37:03 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: USB worm unleashed by Russian state hackers spreads worldwide
(Ars Technica)
https://arstechnica.com/security/2023/11/normally-targeting-ukraine-russian-state-hackers-spread-usb-worm-worldwide/
------------------------------
Date: Wed, 22 Nov 2023 18:23:24 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Microsoft’s Windows Hello fingerprint authentication has been bypassed
(The Verge)
https://www.theverge.com/2023/11/22/23972220/microsoft-windows-hello-fingerprint-authentication-bypass-security-vulnerability
------------------------------
Date: Wed, 22 Nov 2023 20:58:06 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Thousands of routers and cameras vulnerable to new 0-day attacks
by hostile botnet (Ars Technica)
https://arstechnica.com/?p=1986211
------------------------------
Date: Wed, 29 Nov 2023 08:53:27 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: A Postcard From Driverless San Francisco
Unexplained stops. Incensed firefighters. Cars named Oregano. The a
robotaxis are officially here. Riding with Cruise and Waymo during their
debut in San Francisco.
https://www.curbed.com/article/waymo-cruise-driverless-cars-robotaxi-san-francisco.html
------------------------------
Date: Sat, 25 Nov 2023 08:10:12 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: Voting machine trouble in Pennsylvania county triggers alarm ahead
of 2024
Officials say the issue did not affect the outcome of the votes, but are
nonetheless racing to restore voter confidence ahead of next year’s
election.
https://www.politico.com/news/2023/11/25/voting-machine-trouble-pennsylvania-00128554
Excerpt:
Skeptics [...] say the root of the problem ties back to the basic design
of the devices, called the ExpressVote XL.
The machine spits out a paper print-out that records voters’ choices in two
ways: a barcode that is used to tabulate their vote and corresponding text
so they can verify it was input correctly.
However, in the two races on 7 Nov, the machines swapped voters’ choices in
the written section of the ballot -— but not the barcode — if they voted
“yes” to retain one judge and “no” for the other.
ES&S and Northampton officials acknowledged that pre-election software
testing, which is conducted jointly, should have caught that problem. They
say an ES&S employee first introduced the error during regular programming
meant to prepare the machines for Election Day. [...]
------------------------------
Date: Mon, 20 Nov 2023 19:14:06 -0800
From: Victor Miller <victorsmiller@gmail.com>
Subject: Intel hardware vulnerability (Daniel Moghimi at Google_
We found another vulnerability inside Intel Corporation CPUs. Somehow
instruction prefixes that should be ignored mess up the "fast rep string
mov" FRSM extension and causes invalid instruction execution. This
vulnerability with high severity rating has serious consequence for cloud
providers. It enables an attacker who is renting a cloud VM to: - DDOS an
entire server - Elevates privilege gaining access to the entire server
(Confirmed by Intel) https://lnkd.in/guzjT3UD https://lnkd.in/gUn-vAvN
------------------------------
Date: Wed, 22 Nov 2023 10:48:11 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Outdated Password Practices are Widespread
(Georgia Tech)
Georgia Tech Research, 17 Nov 23). via ACM TechNews
A majority of the world's most popular websites are putting users and their
data at risk by failing to meet minimum password requirement standards,
according to researchers at the Georgia Institute of Technology (Georgia
Tech). The researchers analyzed 20,000 randomly sampled websites from the
Google Chrome User Experience Report, a database of 1 million websites and
pages. Using a novel automated tool that can assess a website's password
creation policies, they found that many sites permit very short passwords,
do not block common passwords, and use outdated requirements like complex
characters. Georgia Tech's Frank Li said security researchers have
"identified and developed various solutions and best practices for improving
Internet and Web security. It's crucial that we investigate whether those
solutions or guidelines are actually adopted in practice to understand
whether security is improving in reality."
------------------------------
Date: Tue, 28 Nov 2023 19:44:03 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: THE CTIL FILES #1
Many people insist that governments aren't involved in censorship, but they
are. And now, a whistleblower has come forward with an explosive new trove
of documents, rivaling or exceeding the Twitter Files and Facebook Files in
scale and importance.
[image: image.png]
US military contractor Pablo Breuer (left), UK defense researcher Sara-Jayne
CSJ Terp (center), and Chris Krebs, former director of the U.S. Department
of Homeland Security's Cybersecurity and Infrastructure Security Agency
(DHS-CISA) A whistleblower has come forward with an explosive new trove of
documents, rivaling or exceeding the Twitter Files and Facebook Files in
scale and importance. They describe the activities of an anti-disinformation
group called the Cyber Threat Intelligence League, or CTIL, that officially
began as the volunteer project of data scientists and defense and
intelligence veterans but whose tactics over time appear to have been
absorbed into multiple official projects, including those of the Department
of Homeland Security (DHS). The CTI League documents offer the missing link
answers to key questions not addressed in the Twitter Files and Facebook
Files. Combined, they offer a comprehensive picture of the birth of the
anti-disinformation sector, or what we have called the Censorship Industrial
Complex. The whistleblower's documents describe everything from the genesis
of modern digital censorship programs to the role of the military and
intelligence agencies, partnerships with civil society organizations and
commercial media, and the use of sock puppet accounts and other offensive
techniques. ``Lock your shit down," explains one document about creating
*your spy* disguise.'' Another explains that while such activities overseas
are "typically" done by "the CIA and NSA and the Department of Defense,"
censorship efforts "against Americans" have to be done using private
partners because the government doesn't have the "legal authority." The
whistleblower alleges that a leader of CTI League, a former British
intelligence analyst, was *in the room* at the Obama White House in 2017
when she received the instructions to create a counter-disinformation
project to stop a "repeat of 2016." Over the last year, Public, Racket,
congressional investigators, and others have documented the rise of the
Censorship Industrial Complex, a network of over 100 government agencies and
nongovernmental organizations that work together to urge censorship by
social media platforms and spread propaganda about disfavored individuals,
topics, and whole narratives. The US Department of Homeland Security's
Cybersecurity and Information Security Agency (CISA) has been the center of
gravity for much of the censorship, with the National Science Foundation
financing the development of censorship and disinformation tools and other
federal government agencies playing a supportive role. Emails from CISA's
NGO and social media partners show that CISA created the Election Integrity
Partnership (EIP) in 2020, which involved the Stanford Internet Observatory
(SIO) and other US government contractors. EIP and its successor, the
Virality Project (VP), urged Twitter, Facebook and other platforms to censor
social media posts by ordinary citizens and elected officials alike. [...]
https://twitter.com/shellenberger/status/1729538920487305723
------------------------------
Date: Sun, 19 Nov 2023 17:34:07 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: Judge rules it's fine for car makers to intercept
your text messages
I was worried about this problem the last time I rented a car, because
I was able to see all the GPS destinations and the phone numbers
of some of the previous rental customers when I first got into the
rental car. I didn't want to leave my data available to every subsequent
renter.
But *clearing the GPS, message and phone number data logs* took
me (a PhD in Computer Science) at least 15 minutes and a significant
amount of research in order to perform this expunging task on a
relatively high-end rental car.
Very few people are going to spend the time while turning in their
rental car to clear these personal data from the car data logs --
especially when they're trying like crazy to get to their airplane
on time!
>>There needs to be a *industry-wide standard* for clearing these
data which takes only a second or two.<<
Furthermore, the car manufacturers should be liable if these supposedly
expunged data are subsequently used illegally -- e.g., for tracking down
an ex-spouse or for identity theft.
https://www.malwarebytes.com/blog/news/2023/11/judge-rules-its-fine-for-car-make
rs-to-intercept-your-text-messages
Judge rules it's fine for car makers to intercept your text messages
Posted: November 9, 2023 by Pieter Arntz
A federal judge has refused to bring back a class action lawsuit that
alleged four car manufacturers had violated Washington state's privacy
laws by using vehicles' on-board infotainment systems to record
customers' text messages and mobile phone call logs.
The judge ruled that the practice doesn't meet the threshold for an
illegal privacy violation under state law. The plaintiffs had appealed
a prior judge's dismissal.
https://www.documentcloud.org/documents/24133084-22-35448
Car manufacturers Honda, Toyota, Volkswagen, and General Motors were
facing five related privacy class action suits. One of those cases,
against Ford, had been dismissed on appeal previously.
Infotainment systems in the company's vehicles began downloading and
storing a copy of all text messages on smartphones when they were
connected to the system. Once messages have been downloaded, the
software makes it impossible for vehicle owners to access their
communications and call logs but does provide law enforcement with
access, the lawsuit said.
The Seattle-based appellate judge ruled that the interception and
recording of mobile phone activity did not meet the Washington Privacy
Act's (WPA) standard that a plaintiff must prove that "his or her
business, his or her person, or his or her reputation" has been
threatened.
In a recent Lock and Code podcast, we heard from Mozilla researchers
that the data points that car companies say they can collect on you
include social security number, information about your religion, your
marital status, genetic information, disability status, immigration
status, and race. And they can sell that data to marketers.
https://www.malwarebytes.com/blog/podcast/2023/09/what-does-a-car-need-to-know-about-your-sex-life
This is alarming. Given the increasing number of sensors being placed
in cars every year, this is becoming an increasingly grave problem.
In the same podcast, we also explored the booming revenue stream that
car manufacturers are tapping into by not only collecting people's
data, but also packaging it together for targeted advertising.
According to the Mozilla research, popular global brands including
BMW, Ford, Toyota, Tesla, Kia, and Subaru:
"Can collect deeply personal data such as sexual activity,
immigration status, race, facial expressions, weight, health and
genetic information, and where you drive. Researchers found data is
being gathered by sensors, microphones, cameras, and the phones and
devices drivers connect to their cars, as well as by car apps,
company websites, dealerships, and vehicle telematics."
In fact, the seasoned Mozilla team said "cars are the worst product
category we have ever reviewed for privacy" after finding that all 25
car brands they researched earned the "Privacy Not Included" warning
label.
Since that doesn't give us much of a choice to go for a brand that
respects our privacy, I suggest we turn off our phones before we start
the car. It's both safer and better for your privacy.
------------------------------
Date: Mon, 27 Nov 2023 11:51:33 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Protecting Critical Infrastructure from Cyber Attacks
(RMIT)
RMIT University, 22 Nov 23, via ACM TechNews
A mathematical breakthrough by researchers at the Royal Melbourne Institute
of Technology and tech startup Tide Foundation in Australia allows system
access authority to be spread invisibly and securely across a
network. Dubbed "ineffable cryptograph," the technology has been
incorporated into a prototype access-control system specifically for
critical infrastructure management, known as KeyleSSH, and successfully
tested with multiple companies. It works by generating and operating keys
across a decentralized network of servers, each operated by independent
organizations. Each server in the network can only hold part of a key--no
one can see the full keys, all the processes they are partially actioning,
or the assets they are unlocking.
------------------------------
Date: Mon, 20 Nov 2023 18:58:47 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Crypto Crashed and Everyone's In Jail. Investors Think It's
Coming Back Anyway. (Vice)
https://www.vice.com/en/article/7kxmpg/crypto-crashed-and-everyones-in-jail-investors-think-its-coming-back-anyway
------------------------------
Date: Wed, 29 Nov 2023 20:49:51 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Feds seize Sinbad crypto mixer allegedly used by North Korean
hackers (TechCrunch)
https://techcrunch.com/2023/11/29/feds-seize-sinbad-crypto-mixer-allegedly-used-by-north-korean-hackers/
------------------------------
Date: Thu, 30 Nov 2023 18:37:21 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: A lost bitcoin wallet passcode helped uncover a major security flaw
(The Washington Post)
If you created a bitcoin wallet before 2016, your money may be at risk -- A
company that helps recover cryptocurrency discovered a software flaw putting
as much as $1 billion at risk from hackers. Now it’s going public in hopes
people will move their money before they get robbed.
https://www.washingtonpost.com/technology/2023/11/14/bitcoin-wallet-passcode-flaw/
------------------------------
Date: Thu, 30 Nov 2023 09:35:52 -0700
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Ontario's Crypto King still jet-setting to UK,
Miami, and soon Australia despite bankruptcy (CBC)
https://www.cbc.ca/news/canada/toronto/ontario-crypto-king-jetsetting-abroad-while-bankrupt-1.7042719
------------------------------
Date: Thu, 30 Nov 2023 08:35:24 -0500
From: Monty Solomon <monty@roscom.com>
Subject: British Library confirms customer data was stolen by hackers,
with outage expected to last months (TechCrunch)
https://techcrunch.com/2023/11/29/british-library-customer-data-stolen-ransomware/
------------------------------
Date: Thu, 30 Nov 2023 08:39:33 -0500
From: Monty Solomon <monty@roscom.com>
Subject: PSA: Update Chrome browser now to avoid an exploit
already in the wild (The Verge)
https://www.theverge.com/2023/11/30/23982296/google-chrome-browser-update-sandbox-escape-exploit-security-vulnerability
------------------------------
Date: Sun, 19 Nov 2023 08:39:46 -0700
From: Matthew Kruk <mkrukg@gmail.com>
Subject: WeWork has failed. Like a lot of other tech
startups, it left damage in its wake (CBC)
https://www.cbc.ca/news/business/armstrong-start-ups-wework-uber-1.7032264
The worksharing giant WeWork was supposed to fundamentally alter the future
of the office. It raised billions of dollars, signed leases in office
towers across North America but filed for bankruptcy protection last week.
Analysts say it collapsed, at least in part, because it never had a viable
business model.
"It didn't really have a clear path to profitability. It never made any
money," said Susannah Streeter, head of money and markets at the financial
services firm Hargreaves Lansdown.
------------------------------
Date: Mon, 20 Nov 2023 12:00:49 -0800
From: Rob Slade <rslade@gmail.com>
Subject: Re: The AI Pin (RISKS-33.94)
[Ummmmm, somehow my posting got truncated, and the risky part left off:]
> On the other hand, as we have seen in various events to do with Siri and
> Alexa, this is "always on" surveillance. The AI Pin will always be
> listening for commands. (And, in common with Siri, Alexa, Gboard, and all
> the others, those verbal commands will be sent back to HQ for processing
> into text and parsing.) By accident (and possibly by design?) it will be
> listening to everything that goes on around you. (And, with the camera,
> possibly looking, too.)
>
> And, if it gets popular enough, who knows what you can find out with all
> that aggregated data ...
------------------------------
Date: Wed, 22 Nov 2023 09:44:45 +0000
From: "C.J.S. Hayward" <cjsh@cjshayward.com>
Subject: Re: Social media gets teens hooked while feeding aggression and
impulsivity, and researchers think they know why (CBC)
https://www.cbc.ca/news/health/smartphone-brain-nov14-1.7029406
> Kids who spend hours on their phones scrolling through social media are
> showing more aggression, depression and anxiety, say Canadian researchers.
> [...
That is part of the dehumanizing effect I studied in "How Can I Take my
Life Back from my Phone?", https://cjshayward.com/phone/.
Using phones the way that seems "natural" opens a Pandora's box. Once
privilege could be marked by not owning a television. Now privilege can be
marked by not owning a phone, or as in my case, learning to use it with
non-obvious ways that curb its presence as an intravenous drip of noise.
------------------------------
Date: Sun, 19 Nov 2023 09:47:58 -0500
From: Steve Singer <sws@dedicatedresponse.com>
Subject: Re: Garble in Schneier's AI post (RISKS-33.84]
The text of this post was garbled by software (what could possibly go
wrong?) ;-)
The links at the beginning and end of Schneier's post are unaffected and
contain the embedded references of the original, ungarbled:
https://www.schneier.com/blog/archives/2023/11/ten-ways-ai-will-change-democracy.html
https://ash.harvard.edu/ten-ways-ai-will-change-democracy
[As I remarked, Bruce's mailer encodes commas, equal signs, and other
characters, and I try to revert to just plain ASCII where possible. PGN]
------------------------------
Date: Mon, 27 Nov 2023 19:05:26 +0000
From: Sam Bull <sam@sambull.org9wqnn1@sambull.org>
Subject: Re: Using your iPhone to start your car is about to get a
lot easier (RISKS-33.94)
* The CCC Digital Key uses UWB and near-field communication (NFC), along with
low-energy Bluetooth to send and receive communications between your phone
and your car.
Not much different from what Tesla has been doing for years (which both
supports unlocking remotely via an API and unlocking locally via Bluetooth).
------------------------------
Date: Sat, 25 Nov 2023 02:29:08 +0000
From: Sam Bull <9wqnn1@sambull.org>
Subject: Re: Oveview of the iLeakage Attack (Jericho, RISKS-33.93)
> Sorry... *godfather* implies at least two generations, if not three.
Wouldn't that be *grandfather*? I'm a godfather to my sister. 0 generations
------------------------------
Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 33.95
************************
