[33220] in RISKS Forum

home help back first fref pref prev next nref lref last post

Risks Digest 34.10

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Sat Mar 16 17:29:12 2024

From: RISKS List Owner <risko@csl.sri.com>
Date: Sat, 16 Mar 2024 14:28:58 PDT
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  yyday zz March 2024  Volume 34 : Issue 10

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.10>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
SFO-bound flight returns to Australia (Jordan Parker PGN-ed)
Latam flight event (Jim Geissman)
Boeing tells pilots to check seats after Latam plane (BBC)
Alaska Airlines Flight Was Scheduled for Safety Check on Day
 Panel Blew Off (NYTimes)
Hackers Breached Key Microsoft Systems (Sean Lyngaas)
Microsoft AI engineer warns FTC about Copilot Designer safety
Cut submarine cables cause web outages across Africa; 6 countries
 still affected (ArsTechnica)
McDonald's hit by outages at stores worldwide (BBC)
McDonald's blames global outage on third party (BBC)
Phony Billionaires on Facebook Are Scamming Americans Out of
 Their Life Savings (WashPost)
Amid explosive demand, America is running out of power (WashPost)
CISA hacked (Sean Lungaas)
Even a security expert can get phished (Pluralistic)
Microsoft says Kremlin-backed hackers accessed its source
 and internal systems (ArsTechnica)
Spate of Mock News Sites With Russian Ties Pop Up in U.S (NYTimes)
 companies (NYTimes)
Autos are spying on drivers, feeding the info to insurance
Aescape's Robot-Arm-Powered Massage Table (WiReD)
ATT outage under FCC investigation (WashPost)
The AI-generated hell of the 2024 election (The Verge)
New Hampshire voters sue Biden deepfake robocall creators (NBCNews)
Google Restricts Gemini Chatbot Election Answers (Peter Hoskins)
Robot Ships Are Setting Sail (BBC)
Your Doctor's Office Might Be Bugged (Jesse Pines)
AI Is Being Built on Dated, Flawed Motion-Capture Data (Julianne Pepitone)
Researchers Jailbreak Chatbots with ASCII Art (Mark Tyson)
Nvidia sued over AI training data as copyright clashes continue
 (ArsTechnica)
Reports of DJI data breach turn out to be false apparently
 (Lauren Weinstein)
Pornhub disables website in Texas amid legal battle with
 attorney general's office (NBCNews)
Massively Popular Safe Locks Have Secret Backdoor Codes
 (Victor Miller)
D-Wave Says Its Quantum Computers Can Solve Otherwise Impossible Tasks
 ( (Matthew Sparkes)
Re: End-to-End Encryption under attack in Nevada (John Levine)
Re: A Vending Machine Error Revealed Secret Face Recognition Tech
 (Steve Bacher)
Re: comp.risks via Panix? (Steve Bacher)
Re: More than 2 Million Research Papers Have Disappeared
 from the Internet (Martin Ward)
Re: Risks of Leap Years and Dumb Digital Watches (Amos Shapir)
Re: Risks of hype, 'Keytrap' DNS bug threatens widespread (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 15 Mar 2024 11:14:04 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: SFO-bound flight returns to Australia (Jordan Parker)

Jordan Parker, *The San Franciso Chronicle*, 14 Mar 2024 (Pi Day)
  [PGN-ed]

* A maintenance issue forced a Boeing 777-300 United Flight 830 with
  167 passengers to return to Australia on Monday 11 Mar 2024 in the
  seventh incident in a week.

* On Saturday 9 Mar, a United flight from Chicago's O'Hare returned
  after a maintenance issue

* On Friday 8 Mar, a United flight from SFO to Mexico City
  made an emergency landing in Los Angeles due to a hydraulic
  issue.

* Also on 8 Mar, a United plane rolled off the runway and was
  stuck in the grass at George Bush International in Houston.

* On Thursday 7 Mar, a United jet bound for Japan lost a wheel
  during takeoff.

* On Monday 4 Mar, a United flight from Houston to Florida made
  an emergency landing after an engine went up in flames in midair.

* Also on 4 Mar, an SFO-bound United flight from Honolulu landed
  safely after an engine failed in mid-flight.

   [Jim Geissman notes:
 United Airlines flight 433 lands safely without panel in Oregon
 The missing panel went undetected during the flight on 15 Mar 2023.
 https://www.bbc.com/news/world-us-canada-68584134
   PGN]

------------------------------

Date: Mon, 11 Mar 2024 18:38:56 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: Latam flight event

Boeing plane drops suddenly injuring several. Crew member quoted as saying
the instruments briefly went black.

https://www.nzherald.co.nz/nz/nz-passenger-on-latam-flight-saw-man-with-bloo
d-streaming-down-his-face/EXGL5PBCD5E2NBIUDFQZ76MYSQ/

------------------------------

Date: Fri, 15 Mar 2024 22:36:34 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Boeing tells pilots to check seats after Latam plane
 incident (BBC)

https://www.bbc.com/news/business-68580950

Boeing has told airlines operating 787 Dreamliners that pilots need to
check their seats as an investigation into an incident on a Latam flight
continues.

It comes after 50 people were hurt this week when a 787 dropped suddenly
during a Latam Airlines flight.

*The Wall Street Journal* reported that a flight attendant accidentally hit a
switch on the pilot's seat, which pushed the pilot into the controls,
forcing down the plane's nose.

------------------------------

Date: Wed, 13 Mar 2024 09:28:02 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Alaska Airlines Flight Was Scheduled for Safety Check on Day
 Panel Blew Off (NYTimes)
goThe 737 Max remained in service for a day after the airline’s engineers,
concerned about warning lights, scheduled it to come in for
maintenance. During that period, a door plug came off in flight.

https://www.nytimes.com/2024/03/12/us/politics/alaska-airlines-flight-door.html

------------------------------

Date: Mon, 11 Mar 2024 11:08:00 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Hackers Breached Key Microsoft Systems (Sean Lyngaas)

Sean Lyngaas, *CNN*, 8 Mar 2024, via ACM TechNews

Microsoft revealed that a breach of its systems by Russian state-backed
hackers was more extensive than previously thought when first disclosed in
January. Microsoft believes the hackers have used information stolen from
Microsoft's corporate email systems to access "some of the company's source
code repositories and internal systems," the company said in a filing with
the U.S. Securities and Exchange Commission. An accompanying blog post said
the hacker group may be using the information it stole "to accumulate a
picture of areas to attack and enhance its ability to do so."

------------------------------

Date: Fri, 8 Mar 2024 00:40:24 -0500
From: Monty Solomon <monty@roscom.com>
Subject: Microsoft AI engineer warns FTC about Copilot Designer safety
 concerns (The Verge)

https://www.theverge.com/2024/3/6/24092191/microsoft-ai-engineer-copilot-designer-ftc-safety-concerns

------------------------------

Date: Sat, 16 Mar 2024 15:33:59 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Cut submarine cables cause web outages across Africa; 6
 countries still affected (ArsTechnica)

https://arstechnica.com/?p=2010677

------------------------------

Date: Fri, 15 Mar 2024 06:47:42 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: McDonald's hit by outages at stores worldwide

https://www.cbc.ca/news/business/mcdonalds-outage-1.7144768

Many McDonald's stores in Japan stopped taking in-person and mobile
customer orders because of the system disruption, a spokesperson at
McDonald's Holdings Company Japan said, adding that the company was working
to restore operations soon.

A McDonald's Australia spokesperson said they were also aware of a
technology outage impacting its restaurants nationwide and were working to
resolve this issue.

The company operates nearly 3,000 stores across Japan and roughly 1,000 in
Australia, its websites for the regions show.

------------------------------

Date: Fri, 15 Mar 2024 13:24:27 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: McDonald's blames global outage on third party (BBC)

https://www.bbc.com/news/business-68573106

McDonald's has revealed the technical problems which brought much of its
fast food chain to a standstill on Friday were caused by a third party
provider.

The international restaurant said the global outage happened during a
"configuration change" and stopped stores taking orders in the UK,
Australia and Japan -- amongst others.

McDonald's stressed the issue was not caused by a cyberattack.

------------------------------

Date: Fri, 15 Mar 2024 23:29:10 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Phony Billionaires on Facebook Are Scamming Americans Out of
 Their Life Savings (WashPost)

A fake Bill Ackman, a bogus Cathie Wood and a false Steve Cohen are among
the impersonators luring victims on social media, and their real-life
counterparts can’t keep up. ‘It’s like a game of whack-a-mole.’

https://www.wsj.com/tech/fake-bill-ackman-cathie-wood-scam-a8df6ce7

------------------------------

Date: Thu, 7 Mar 2024 11:23:27 -0800
From: "Jim" <jgeissman@socal.rr.com>
Subject: Amid explosive demand, America is running out of power (WashPost)

An interesting example: airports will need vast electricity to charge the
rental cars!

Artificial intelligence, data centers and the boom in clean-tech
manufacturing are pushing America's aging power grid to the brink. Utilities
can't keep up.

https://wapo.st/3IqeK6P

------------------------------

Date: Sat, 9 Mar 2024 09:44:00 -0800
From: "Peter G. Neumann" <peter.neumann@sri.com>
Subject: CISA hacked (Sean Lyungaas)

https://www.cnn.com/2024/03/08/politics/top-us-cybersecurity-agency-cisa-hacked/index.html

Top US cybersecurity agency hacked and forced to take some systems offline

Sean Lyngaas <https://www.cnn.com/profiles/sean-lyngaas>

The Homeland Security Department headquarters in northwest Washington, DC,
on February 25, 2015.  CNN

A federal agency in charge of cybersecurity discovered it was hacked last
month and was forced to take two key computer systems offline, an agency
spokesperson and US officials familiar with the incident told CNN.

One of the US Cybersecurity and Infrastructure Security Agency’s affected
systems runs a program that allows federal, state and local officials to
share cyber and physical security assessment tools, according to the US
officials briefed on the matter. The other holds information on security
assessment of chemical facilities, the sources said.

A CISA spokesperson said in a statement that “there is no operational impact
at this time” from the incident and that the agency continues to “upgrade
and modernize our systems.”

“This is a reminder that any organization can be affected by a cyber
vulnerability and having an incident response plan in place is a necessary
component of resilience,” the spokesperson said, adding that the impact from
the hack “was limited to two systems, which we immediately took offline.”

The two systems run on older technology that was already set to be replaced,
sources told CNN.

Part of the Department of Homeland Security, CISA investigates cyber
intrusions at federal agencies and advises private critical infrastructure
firms on how to bolster their security.

The Record first reported on the hack.
<https://therecord.media/cisa-takes-two-systems-offline-following-ivanti-compromise> 

It was not immediately clear who was behind the hack, but it occurred
through vulnerabilities in popular virtual private networking software made
by Utah-based IT firm Ivanti. For several weeks, CISA has urged federal
agencies and private firms to update their software or take other defensive
measures in response to widespread exploitation of Ivanti vulnerabilities by
hackers.

Among the hackers exploiting the flaws are a Chinese group focused on
espionage, private researchers have previously told CNN.
<https://www.cnn.com/2024/01/10/politics/chinese-hackers-research-organization/index.html>

While there is some irony in it, even cybersecurity agencies or officials
can be victims of hacking. After all, they rely on the same technology that
others do. The U.S.’s top cybersecurity diplomat Nate Fick said last year that
his personal account on social media platform X was hacked,
calling it part of the “perils of the job.”
<https://www.cnn.com/2023/02/05/politics/nate-fick-twitter-hack-cybersecurity/index.html>

------------------------------

Date: Fri, 15 Mar 2024 09:15:22 +0100
From: Anthony Thorn <anthony.thorn@atss.ch>
Subject: Even a security expert can get phished (Pluralistic)

First-person account of someone who fell for a phishing scam,

https://pluralistic.net/2024/02/05/cyber-dunning-kruger/

"The fact that the fraudsters knew where I banked, knew my name, and had
my phone number had really caused me to let down my guard."

You are NOT paranoid when they really are after you (well, your money).

------------------------------

Date: Sat, 9 Mar 2024 14:25:49 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: Microsoft says Kremlin-backed hackers accessed its source
 and internal systems (ArsTechnica)

https://arstechnica.com/security/2024/03/microsoft-says-kremlin-backed-hackers-accessed-its-source-and-internal-systems/

------------------------------

Date: Thu, 7 Mar 2024 14:54:22 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Spate of Mock News Sites With Russian Ties Pop Up in U.S (NYTimes)

https://www.nytimes.com/2024/03/07/business/media/russia-us-news-sites.html?unlocked_article_code=1.a00.QkKu.YLemQ0Rxkj5X&smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

------------------------------

Date: Fri, 15 Mar 2024 10:19:24 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Autos are spying on drivers, feeding the info to insurance
 companies (NYTimes)

https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html?unlocked_article_code=1.c00.2coE.yOfXipHA21Jp&smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

------------------------------

Date: Fri, 15 Mar 2024 18:38:14 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Aescape's Robot-Arm-Powered Massage Table (WiReD)

The Aescape has robot arms designed to deliver a custom spa-like
massage—all for $60.

https://www.wired.com/story/hands-on-aescape-automated-massage/

What could go ... wrong?

------------------------------

Date: Thu, 7 Mar 2024 07:16:49 -0800
From: "Jim" <jgeissman@socal.rr.com>
Subject: ATT outage under FCC investigation (WashPost)

The Federal Communications Commission has opened a formal investigation into
last month's nationwide AT&T outage that left millions of people without
cellphone service for hours.

https://www.washingtonpost.com/business/2024/03/07/fcc-att-outage-investigat
ion/

------------------------------

Date: Tue, 12 Mar 2024 20:38:13 -0400
From: Monty Solomon <monty@roscom.com>
Subject: The AI-generated hell of the 2024 election (The Verge)

https://www.theverge.com/policy/24098798/2024-election-ai-generated-disinformation

------------------------------

Date: Sat, 16 Mar 2024 15:05:34 -0400
From: Monty Solomon <monty@roscom.com>
Subject: New Hampshire voters sue Biden deepfake robocall creators
 (NBCNews)

Based on NBC News reporting, the League of Women Voters is suing the
creators of a deepfake robocall impersonating Joe Biden that told voters not
to vote.

https://www.nbcnews.com/politics/2024-election/new-hampshire-voters-sue-biden-deepfake-robocall-creators-rcna143662

------------------------------

Date: Fri, 15 Mar 2024 11:17:45 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Google Restricts Gemini Chatbot Election Answers
 (Peter Hoskins)

Peter Hoskins, BBC, 13 Mar 2024, via ACM TechNews

Google announced in a blog post it is limiting the types of
election-related questions its Gemini chatbot can be asked. The
restriction has been implemented in India, where elections will be
held next month. BBC staff asked the AI chatbot questions about the
upcoming elections in the U.S., U.K., and South Africa, to which
Gemini responded, "I'm still learning how to answer this question. In
the meantime, try Google Search." Gemini provided more detailed
responses when asked follow-up questions about India's major parties.

------------------------------

Date: Fri, 8 Mar 2024 11:53:00 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Robot Ships Are Setting Sail (BBC)

Jonathan Amos, Rebecca Morelle. Alison Francis et al., BBC, 6 Mar
2024, via ACM TechNews

In Norway, U.S. and U.K. researchers at Ocean Infinity are testing a robotic
ship equipped with cameras, microphones, radar, GPS, and satellite
technology that eventually will be part of a fleet of 23 such vessels used
to assess the seabed for offshore wind farm operators and perform underwater
infrastructure inspections for oil and gas companies. The 255-foot ship has
just 16 crew members, and that figure ultimately could decline further as
more roles are performed remotely using gaming-like controls and touch
screens. Reducing the number of crew members can allow for smaller ships
that use less fuel and have a smaller carbon footprint.

------------------------------

Date: Fri, 8 Mar 2024 11:53:00 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Your Doctor's Office Might Be Bugged (Jesse Pines)

Jesse Pines, *Forbes*, 4 Mar 2024, via ACM TechNews

More physician practices are implementing ambient AI scribing, in which AI
listens to patient visits and writes clinical notes summarizing them. In a
recent study of the Permanente Medical Group in Northern California, more
than 3,400 doctors have used ambient AI scribes in more than 300,000 patient
encounters since October. Doctors reported that the technology reduced the
amount of time spent on after-hours note writing and allowed for more
meaningful patient interactions. However, its use raises concerns about
security, privacy, and documentation errors.

------------------------------

Date: Fri, 8 Mar 2024 11:53:00 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: AI Is Being Built on Dated, Flawed Motion-Capture Data
 (Julianne Pepitone)

Julianne Pepitone, *IEEE Spectrum*, 1 Mar 2024, via ACM TechNews

A study by a University of Michigan-led research team found that the
motion-capture data used to design some AI-based applications is flawed and
could endanger users outside the parameters of the preconceived "typical"
body type. The benchmarks and standards used by developers of fall detection
algorithms for smartwatches and pedestrian-detection systems for
self-driving vehicles, among other technologies, do not include
representations of all body types. In a systemic literature review of 278
studies as far back as the 1930s, the researchers found that the data
captured for most motion-capture systems were from white able-bodied men "of
unremarkable weight." Some studies used data from dismembered cadavers.

------------------------------

Date: Mon, 11 Mar 2024 11:08:00 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Researchers Jailbreak Chatbots with ASCII Art (Mark Tyson)

Mark Tyson, *Tom's Hardware*, 7 Mar 2024, via ACM TechNews

ArtPrompt, developed by researchers in Washington and Chicago, can bypass
large language models' (LLMs) built-in security features. The tool generates
ASCII art prompts to get AI chatbots to respond to queries they are supposed
to reject, like those referencing hateful, violent, illegal, or harmful
content. ArtPrompt replaces the "safety word" (the reason for rejecting the
submission) with an ASCII art representation of the word, which does not
trigger the ethical or security measures that would prevent a response from
the LLM.

------------------------------

Date: Wed, 13 Mar 2024 01:49:15 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Nvidia sued over AI training data as copyright clashes continue
 (ArsTechnica)

https://arstechnica.com/?p=2009239

------------------------------

Date: Fri, 8 Mar 2024 07:48:00 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Reports of DJI data breach turn out to be false (apparently
 actually a scam)

There were reports of a massive DJI data breach involving corporate
and customer data. Apparently no such breach has occurred, and the
original claims of stolen data were reportedly part of an effort to
get ransom paid for a database of stolen data that did not actually
exist. -L

------------------------------

Date: Sat, 16 Mar 2024 15:14:30 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Pornhub disables website in Texas amid legal battle with
 attorney general's office (NBCNews)

Pornhub disables website in Texas amid legal battle with attorney general's
office

“Unfortunately, the Texas law for age verification is ineffective,
haphazard, and dangerous,” a statement on Pornhub's website read.

https://www.nbcnews.com/tech/pornhub-disables-website-texas-rcna143502

------------------------------

Date: Wed, 13 Mar 2024 15:40:26 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: Massively Popular Safe Locks Have Secret Backdoor Codes

Not exactly computing related, but still of interest.

https://www.404media.co/massively-popular-safe-locks-have-secret-backdoor-codes/

  [Keys under Doormats strikes again.  Blockchain Cryptocurrency should have
  done that to recover lost Bitcoin, but that would be a horrible
  vulnerability, not a feature?  PGN]

------------------------------

Date: Mon, 11 Mar 2024 11:08:00 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: D-Wave Says Its Quantum Computers Can Solve Otherwise Impossible
 Tasks (Matthew Sparkes)

Matthew Sparkes, *New Scientist* (03/07/24), via ACM TechNews

D-Wave is claiming its Advantage quantum computer and prototype Advantage2
achieved "computational supremacy" by calculating transverse field Ising
model problems faster than the world's most powerful classical
computer. D-Wave researchers contend it would take millions of years for the
Frontier supercomputer to solve the same problems. D-Wave's "quantum
annealing" computers differ from quantum computers produced by others, and
have been criticized as only being able to solve certain classes of
optimization problem.

------------------------------

Date: 8 Mar 2024 19:18:58 -0400
From: "John Levine" <johnl@iecc.com>
Subject: Re: End-to-End Encryption under attack in Nevada (RISKS-34.09)

It's more a failure of imagination. If your mental model of security is
telephone wiretaps, asking for crypto backdoors seems like the same thing.

I blogged about this a few years ago:
  https://jl.ly/Internet/catastrophe.html

PS: bonus points to anyone who recognizes the reference in the title

------------------------------

Date: Fri, 8 Mar 2024 10:49:50 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: Re: A Vending Machine Error Revealed Secret Face Recognition Tech
 (RISKS-34.09)

 > The risks? Error messages. Like airport displays, billboards, etc. 
 > showing fatal Windows errors.

Also, the risk of naming your software components too transparently.

These are risks to the perpetrators, not to the consumer population.
Perhaps they should be considered blessings.

------------------------------

Date: Fri, 8 Mar 2024 09:03:17 -0800
From: Steve Bacher <sebmb1@verizon.net>
Subject: Re: comp.risks via Panix? (RISKS-34.09)

You may also view the comp.risks newsgroup via the NovaBBS (RockSolid) web
interface:

https://www.novabbs.com/computers/thread.php?group=comp.risks

Also note that if you replace http: with https: in the catless link, it will
run into the expired cert problem.  This is one case where the insecure
version is to be preferred, at least for now.

------------------------------

Date: Sat, 9 Mar 2024 18:44:53 +0000
From: Martin Ward <mwardgkc@gmail.com>
Subject: Re: More than 2 Million Research Papers Have Disappeared
 from the Internet (RISKS-34.09)

I am guessing that they do not count Sci-Hub as a "major digital archive"
since Sci-Hub currently has 77.8% coverage of 51 million journal articles
and 79.7% of 5 million proceedings articles:

https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5832410/

------------------------------

Date: Thu, 14 Mar 2024 12:16:53 +0200
From: Amos Shapir <amos083@gmail.com>
Subject: Re: Risks of Leap Years and Dumb Digital Watches
 (RISKS-34.09)

I don't know why those dumb watches were even made in the first place, I
had a Seiko watch which had a year counter back in the late 1970's.

However, those less-dumb watches use only the last digits of the year to
track Feb.29 every four years, a formula which would break on March 1, 2100.

------------------------------

Date: 9 Mar 2024 15:53:00 -0500
From: "John Levine" <johnl@iecc.com>
Subject: Re: Risks of hype, 'Keytrap' DNS bug threatens widespread
 Internet outages (RISKS-34.09)

Keytrap is a real bug but it's been grossly overhyped. Yes, specially
created DNS responses can cause a naive DNS cache to do a huge amount
of work, but there's nothing new about that. A CNAME loop can do that,
too.

This particular trick has been possible since the current version of DNSSEC
was defined 20 years ago. The fact that nobody ever noticed it until late
2023 suggests that it was never that bad, and now that all of the widely
used cache software has added it to the list of things to limit it's a
non-issue.

ISC wrote a good blog post about keytrap and the general issue of
DNS scalability:
  https://www.isc.org/blogs/2024-bind-security-release/

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.10
************************

home help back first fref pref prev next nref lref last post