[33215] in RISKS Forum
Risks Digest 34.08
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Tue Feb 20 23:08:56 2024
From: RISKS List Owner <risko@csl.sri.com>
Date: Tue, 20 Feb 2024 20:08:42 PST
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Tuesday 20 February 2024 Volume 34 : Issue 08
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.08>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
How persuasive is AI-generated propaganda? (Lauren Weinstein)
New Era of AI Deepfakes Complicates 2024 Elections (WSJ)
Cybercriminals are stealing iOS users' face scans to break into mobile
banking accounts (The Register)
Air Canada chatbot makes up travel rules
Big Tech tells politicians: We'll control the deepfakes (Politico)
New bill would let defendants inspect algorithms used against them in court
(The Verge)
Chinese hackers infiltrated home wifi routers to attack infrastructure, FBI
warns (MSN)
DOJ quietly removed Russian malware from routers in U.S. homes and
businesses (ArsTechnica)
TETRA Radio Code Encryption Has a Flaw: A Backdoor (WiReD)
Chinese hackers infiltrated home wifi routers to attack
infrastructure, FBI warns (MSN)
The $50K Scam: FTC, CIA, and Amazon Weigh In on NY Magazine's Charlotte
Cowles (The New York Times)
TETRA Radio Code Encryption Has a Flaw: A Backdoor (WiReD)
Powerball Posted the Wrong Numbers. Now He’s Suing for $340M (NYTimes)
`Most Wanted’ man pleads guilty in cyberattack that upended Vermont hospital
(The Globe)
Nginx core developer quits project in security dispute, starts free-nginx
fork (ArsTechnica)
Officials Investigate How a Woman Flew to Los Angeles Without a Ticket
(NYTimes)
This Is Why Tesla's Stainless Steel Cybertrucks May Be Rusting (WiReD)
The Tech Friend: Apple's nanny state (WashPost)
An Important Security Message from Wyze (via Victor Miller)
Report on Intelligent Vehicle Dependability and Security
(Chuck Weinstock)
Re: Odometers: A voting machine analogue (Wol)
Re: Tesla's latest screwup (Andrew)
Re: Waymo recalls software after two self-driving cars hit
the same truck (Ned Harris, Sam Bull)
Re: Software bloat (Roderick Rees)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Tue, 20 Feb 2024 17:20:28 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: How persuasive is AI-generated propaganda?
A LOT. -L
https://academic.oup.com/pnasnexus/article/3/2/pgae034/7610937?searchresult=1&login=false
------------------------------
Date: Thu, 15 Feb 2024 08:43:03 -0500
From: Monty Solomon <monty@roscom.com>
Subject: New Era of AI Deepfakes Complicates 2024 Elections
(WSJ)
Deceptive videos, audio and images are more sophisticated, easier to make as
tech industry wrestles with how to keep up
https://www.wsj.com/tech/ai/new-era-of-ai-deepfakes-complicates-2024-elections-aa529b9e
------------------------------
Date: Sun, 18 Feb 2024 12:50:14 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Cybercriminals are stealing iOS users' face scans to
break into mobile banking accounts (The Register)
Deepfake-enabled attacks against Android and iPhone users are netting
criminals serious cash.
https://www.theregister.com/2024/02/15/cybercriminals_stealing_face_id/
------------------------------
Date: Fri, 16 Feb 2024 20:41:32 -0500
From: Jeremy Epstein <jeremy.j.epstein@gmail.com>
Subject: Air Canada chatbot makes up travel rules (ArsTechnica)
A customer asked the Air Canada chatbot about the rules for bereavement
fares. The customer believed the chatbot's answer (basically "buy the
ticket and then ask for a credit"), but Air Canada refused to honor the
guidance, since elsewhere on the site it had a different set of rules. The
court ruled that Air Canada had to honor the instructions provided by the
chatbot, rejecting Air Canada's statement that the customer never should
have trusted the chatbot and the airline should not be liable for the
chatbot's misleading information because Air Canada essentially argued that
"the chatbot is a separate legal entity that is responsible for its own
actions."
"Air Canada argues it cannot be held liable for information provided by one
of its agents, servants, or representatives -- including a chatbot," [= the
judge] wrote. "It does not explain why it believes that is the case" or "why
the webpage titled 'Bereavement travel' was inherently more trustworthy than
its chatbot."
The chatbot is apparently no longer active on the Air Canada site.
This was a case in Canada involving a Canadian and a Canadian company.
IANAL, so curious what the analogous results would be in the US or other
countries. This certainly won't be the only case where a chatbot will give
erroneous advice. This isn't to say that human customer service agents
never make mistakes (we all do!), but the attempt to avoid responsibility
is troubling.
https://arstechnica.com/tech-policy/2024/02/air-canada-must-honor-refund-po=
licy-invented-by-airlines-chatbot/
[Matthew Kruk noted this:
Air Canada found liable for chatbot's bad advice
on airline tickets
https://www.cbc.ca/news/canada/british-columbia/air-canada-chatbot-lawsuit-1.7116416
Monty Solomon found this:
Air Canada must honor refund policy invented by airline’s chatbot
https://arstechnica.com/tech-policy/2024/02/air-canada-must-honor-refund-policy-invented-by-airlines-chatbot/
PGN]
------------------------------
Date: Fri, 14 Feb 2024 17:42:11 PST
From: Peter Neumann <neumann@csl.sri.com>
Subject: Big Tech tells politicians: We'll control the deepfakes
(Politico)
Laurens Cerulus, Antoaneta Roussi, Gian Volpicelli,
Politico, 16 Feb 2024,
Munich -- The world's largest technology companies on Friday announced an
industry alliance to stop AI-generated pictures and clips from disrupting
elections taking place around the world in 2024.
------------------------------
Date: Sat, 17 Feb 2024 20:23:27 -0500
From: Monty Solomon <monty@roscom.com>
Subject: New bill would let defendants inspect algorithms used
against them in court (The Verge)
https://www.theverge.com/2024/2/15/24074214/justice-in-forensic-algorithms-act-democrats-mark-takano-dwight-evans
------------------------------
Date: Thu, 15 Feb 2024 16:08:18 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Chinese hackers infiltrated home wifi routers to attack
infrastructure, FBI warns
On Wednesday, the FBI said Volt Typhoon had used its malware to disguise the
fact that the hack had been conducted by the Chinese government, adding that
the “vast majority” of routers affected were out-of-date Cisco and NetGear
machines that had not received recent security updates.
Unlike previous attacks, the hack was directed at internet routers in small
businesses and home offices, rather than at government agencies or
infrastructure providers.
https://www.msn.com/en-us/money/other/chinese-hackers-infiltrated-home-wifi-routers-to-attack-infrastructure-fbi-warns/ar-BB1hza67
------------------------------
Date: Sat, 17 Feb 2024 21:44:44 -0500
From: Monty Solomon <monty@roscom.com>
Subject: DOJ quietly removed Russian malware from routers in US
homes and businesses (ArsTechnica)
https://arstechnica.com/?p=2003936
------------------------------
Date: Thu, 15 Feb 2024 16:09:46 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: TETRA Radio Code Encryption Has a Flaw: A Backdoor (WiReD)
A secret encryption cipher baked into radio systems used by critical
infrastructure workers, police, and others around the world is finally
seeing sunlight. Researchers say it isn’t pretty.
https://www.wired.com/story/tetra-radio-encryption-backdoor/
------------------------------
Date: Thu, 15 Feb 2024 16:08:18 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Chinese hackers infiltrated home wifi routers to attack
infrastructure, FBI warns (MSN)
On Wednesday, the FBI said Volt Typhoon had used its malware to disguise the
fact that the hack had been conducted by the Chinese government, adding that
the “vast majority” of routers affected were out-of-date Cisco and NetGear
machines that had not received recent security updates.
Unlike previous attacks, the hack was directed at Internet routers in small
businesses and home offices, rather than at government agencies or
infrastructure providers.
https://www.msn.com/en-us/money/other/chinese-hackers-infiltrated-home-wifi-routers-to-attack-infrastructure-fbi-warns/ar-BB1hza67
------------------------------
Date: Sat, 17 Feb 2024 14:07:51 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: The $50K Scam: FTC, CIA, and Amazon Weigh In
on NY Magazine's Charlotte Cowles (The New York Times)
What Amazon, FTC, and CIA Won't Say When You've Been Scammed
New York magazine’s money columnist wrote about being conned out of $50,000
by crooks pretending to be from Amazon and government agencies. We asked
the company and agencies for comment.
https://www.nytimes.com/2024/02/16/your-money/scam-new-york-magazine-amazon-ftc-cia.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb
There's much here that makes this hard to believe; it's a collection of
every scam red flag that says, *Run away*.
Amazon-->FTC-->CIA? $50,000 cash? Don't tell family?
------------------------------
Date: Thu, 15 Feb 2024 16:09:46 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: TETRA Radio Code Encryption Has a Flaw: A Backdoor (WiReD)
A secret encryption cipher baked into radio systems used by critical
infrastructure workers, police, and others around the world is finally
seeing sunlight. Researchers say it isn’t pretty.
https://www.wired.com/story/tetra-radio-encryption-backdoor/
------------------------------
Date: Tue, 20 Feb 2024 19:17:58 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Powerball Posted the Wrong Numbers. Now He’s Suing for $340M
(NYTimes)
Powerball organizers in Washington DC said they “mistakenly posted” winning
numbers in January 2023. The holder of those numbers is suing for negligence
and emotional distress.
https://www.nytimes.com/2024/02/20/us/powerball-lottery-lawsuit.html
------------------------------
Date: Tue, 20 Feb 2024 09:42:58 -0500 From: Monty Solomon <monty@roscom.com>
From: Monty Solomon <monty@roscom.com>
Subject: `Most Wanted’ man pleads guilty in cyberattack that upended Vermont
hospital (The Globe)
Vyacheslav Igorevich Penchukov, 37, of Ukraine, pleaded guilty in federal
court for his role in two separate malware schemes that caused tens of
millions of dollars in losses.
https://www.boston.com/news/national-news/2024/02/19/most-wanted-man-pleads-guilty-in-cyberattack-that-upended-vermont-hospital-2/
------------------------------
Date: Fri, 16 Feb 2024 09:48:02 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Nginx core developer quits project in security dispute, starts
free-nginx fork (ArsTechnica)
https://arstechnica.com/?p=2003602
------------------------------
Date: Sat, 17 Feb 2024 21:18:13 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Officials Investigate How a Woman Flew to Los Angeles Without a
Ticket (NYTimes)
The woman bypassed a Transportation Security Administration check and
boarded an American Airlines flight in Nashville, officials said.
https://www.nytimes.com/2024/02/16/us/tsa-security-breach-nashville.html
------------------------------
Date: Sat, 17 Feb 2024 15:28:39 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: This Is Why Tesla's Stainless Steel Cybertrucks May Be
Rusting (WiReD)
Who knew stainless steel might not be such a good idea for the exterior of
an electric SUV? The entire automotive industry, that’s who.
Posting on the Cybertruck Owners Club forum, a user named Raxar risked the
wrath of the Tesla faithful—already exercised by the Cybertruck's numerous
alleged design flaws—by stating that when they collected the $61,000 truck,
"the advisor specifically mentioned the Cybertrucks develop orange rust
marks in the rain."
In a separate thread, the user vertigo3pc reported that "corrosion was
forming on the metal" of his Cybertruck after it spent 11 days in the rain
in Los Angeles.
Raxar, who also lives in California, posted what appeared to be close-up,
rust-flecked images of his truck after driving it for two days in rain.
The Cybertruck does not ship with clear coat, that outermost layer of
transparent paint that comes as standard on almost every new motor vehicle
on the planet. Instead, each Cybertruck owner has the option to purchase a
$5,000 urethane-based film to "wrap your Cybertruck in our premium satin
clear paint films. Only available through Tesla." [...]
Once the chromium oxide barrier is breached, corrosion takes hold. And
caveat emptor, because Tesla's owner's manual advises promptly removing
corrosive substances, emphasizing not to wait until the Cybertruck is
scheduled for a "complete wash," whatever that is.
The documentation says: “To prevent damage to the exterior, immediately
remove corrosive substances (such as grease, oil, bird droppings, tree
resin, dead insects, tar spots, road salt, industrial fallout, etc.). Do not
wait until Cybertruck is due for a complete wash. If necessary use denatured
alcohol to remove tar spots and stubborn grease stains, then immediately
wash the area with water and a mild, non-detergent soap to remove the
alcohol.”
Pigeon poo is a well-known corrosive agent—guano is no friend to the
fastidious car owner—but tree sap and bugs? Maybe that $5,000 Cybertruck
wrap should ship as standard.
Other care instructions—highlighted in this YouTube video at 23 minutes
in—reveal how delicately Cybertruck owners need to treat their stainless
steel electric SUVs. The washing stipulations alone include, somewhat
amazingly, “Do not wash in direct sunlight,” “Some cleaners and car shampoos
contain chemicals that can cause damage or discoloration,” and even “Do not
<use hot water.”
Tesla was asked to comment on this story but did not respond.
https://www.wired.com/story/this-is-why-teslas-stainless-steel-cybertrucks-may-be-rusting/
------------------------------
Date: Fri, 16 Feb 2024 14:51:03 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: The Tech Friend: Apple's nanny state (WashPost)
The Internet in the United States leans toward permissiveness within the
bounds of the law. But with your iPhone apps, Apple makes the rules. [...]
In other words, iPhone apps could become a little more like the web — for
better and for worse.
Apple says this is a bad idea. Drop her a line and let her know what you
think.
https://s2.washingtonpost.com/camp-rw/?trackId=596b22969bbc0f403f8bcc25&s=65cf9b9d1782475ec0c79ee2&linknum=2&linktot=43
------------------------------
Date: Mon, Feb 19, 2024 at 01:17
From: Wyze <no-reply@hello.wyze.com>
Subject: An Important Security Message from Wyze
[via Victor Miller, a Wyze Man. PGN]
<https://ablink.hello.wyze.com/ss/c/joL5H43QPq7w8NAgPNQc7L5-zVtqg3G8XOS6RbH=
m1SANPpTujMKJ283b9YZ7J_QQ/43z/iKjB1p0UQCm55attfNtlIQ/h20/Rmb1buuTQBw8PdQgpp=
vDjomyNKfhGyxeO5DclvIHNd0>
Wyze Friends,
On Friday morning, we had a service outage that led to a security incident.
Your account and over 99.75% of all Wyze accounts were not affected by the
security event, but we wanted to make you aware of the incident and let you
know what we are doing to make sure it doesn't happen again.
The outage originated from our partner AWS and took down Wyze devices for
several hours early Friday morning. If you tried to view live cameras or
Events during that time, you likely weren't able to. We're very sorry for
the frustration and confusion this caused.
As we worked to bring cameras back online, we experienced a security issue.
Some users reported seeing the wrong thumbnails and Event Videos in their
Events tab. We immediately removed access to the Events tab and started an
investigation.
We can now confirm that as cameras were coming back online, about 13,000
Wyze users received thumbnails from cameras that were not their own and
1,504 users tapped on them. Most taps enlarged the thumbnail, but in some
cases an Event Video was able to be viewed. All affected users have been
notified. Your account was not one of the accounts affected. The incident
was caused by a third-party caching client library that was recently
integrated into our system. This client library received unprecedented load
conditions caused by devices coming back online all at once. As a result of
increased demand, it mixed up device ID and user ID mapping and connected
some data to incorrect accounts.
To make sure this doesn't happen again, we have added a new layer of
verification before users are connected to Event Videos. We have also
modified our system to bypass caching for checks on user-device
relationships until we identify new client libraries that are thoroughly
stress tested for extreme events like we experienced on Friday.
We know this is very disappointing news. It does not reflect our commitment
to protect customers or mirror the other investments and actions we have
taken in recent years to make security a top priority at Wyze. We built a
security team, implemented multiple processes, created new dashboards,
maintained a bug bounty program, and were undergoing multiple 3rd party
audits and penetration testing when this event occurred.
We must do more and be better, and we will. We are so sorry for this
incident and are dedicated to rebuilding your trust.
If you have questions about your account, please visit support.wyze.com.
Wyze Team
------------------------------
Date: Fri, 16 Feb 2024 11:00:29 -0500
From: Chuck Weinstock <weinstock@conjelco.com>
Subject: Report on Intelligent Vehicle Dependability and Security
I retired from the SEI in February 2022 and then rejoined part-time in April
2022. Independent of the SEI I’ve been working with colleagues at IFIP WG10.4
(specifically Jay Lala, John Meyer, Carl Landwehr, Wilfried Steiner) on an
internal-to-the Working Group project on intelligent vehicle dependability
and security. The project has just concluded and issued a final report which
can be found at https://ivds.dependability.org/final-report.html .
Principal findings of the project, conducted over the past four plus years,
point to significant shortfalls in technologies, cost, governance, and societal
aspects in achieving the end goal of safe and secure SAE Level 4 or 5
self-driving intelligent vehicles.
[Chuck, Welcome back. PGN]
------------------------------
Date: Fri, 16 Feb 2024 08:21:49 +0000
From: Wols Lists <antlists@youngman.org.uk>
Subject: Re: Odometers: A voting machine analogue (Epstein)
In the UK, there is now a requirement for the odometer reading to be logged
at the annual road safety check. This is available on line. So if you roll
it back to less than the previous year's reading, it will show up.
We have been quite lucky - the last two second-hand cars we purchased were
three years old and had known-genuine readings of 6000 and 1250 miles --
absolute bargains.
------------------------------
Date: Mon, 19 Feb 2024 06:33:08 +0000
From: Andrew <andrew@tug.com>
Subject: Re: Tesla's latest screwup
Ford, GM and others have been caught out by this regulation in the past
They argued that whilst their vehicles did not comply with the letter of the
law, the impact was inconsequential, so they petitioned to ignore the issue
in existing cars and not perform a recall.
The request to ignore was granted.
Tesla simply fixed the issue over the air for American vehicles. No change
was made to non-americas vehicles where the move to pure English language
indications (as opposed to icon-with-English) would not be appropriate.
------------------------------
Date: Thu, 15 Feb 2024 21:27:21 -0500
From: Ned Harris <nedharris39@gmail.com>
Subject: Re: Waymo recalls software after two self-driving cars hit
the same truck (RISKS-34.07)
I can hear the discussion (many times, as a former software developer and
then quality consultant) among the software developers: Question from the
software quality guy: ``Well what if the car being towed is at an angle to
the tow truck?'' Response from the developers (who've never had their car
towed): ``Oh, no, that's not going to happen! The towed car is *ALWAYS*
directly behind the truck.''
[One-towed sloth truck? PGN]
------------------------------
Date: Sat, 17 Feb 2024 14:51:59 +0000
From: Sam Bull <9wqnn1@sambull.org>
Subject: Re: Waymo recalls software after two self-driving cars
hit the same truck (RISKS-34.07)
It's interesting that Waymo, not long ago, was trying to sound like their
software was years ahead of Tesla's, because this seems to highlight some
things that Tesla have moved away from.
------------------------------
Date: Sun, 18 Feb 2024 14:50:28 -0800
From: Roderick Rees <jp3vampire@gmail.com>
Subject: Re: Software bloat
Bloat has been a problem for a long time for two reasons. Onw is that there
seems to be little teaching of how to recognise simple and direct expression
of any intended idea. It is not natural because the thinking behind
conversation is extremely old -- probably several hundred thousand years --
and because working programmers are under pressure to produce results
quickly. That's because managers themselves are under pressure to get to
market before the competition.
So the environment is the basic cause of inefficient software. It is made
more critical because any idea (or legal requirement) is basically a set of
descriptions - and all descriptions, though useful and necessary, are
inherently incomplete and wrong.
I can't suggest a way to overcome either influence. Anybody have any ideas?
------------------------------
Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 34.08
************************
