[33241] in RISKS Forum
Risks Digest 34.21
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Sat Apr 27 17:53:59 2024
From: RISKS List Owner <risko@csl.sri.com>
Date: Sat, 27 Apr 2024 14:53:47 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Saturday 27 April 2024 Volume 34 : Issue 21
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.21>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
AI deepfakes threaten to upend global elections. No one can stop them.
(WashPost)
Tesla's Autopilot and Full Self-Driving linked to hundreds of crashes,
dozens of deaths (The Verge)
Cisco Says Hackers Subverted Its Security Devices to Spy on Governments
(Reuters)
Hackers Use Developing Countries as Testing Ground for New Ransomware
Attacks (Ellesheva Kissin)
9 Disturbing Stories From People Who Say They Found Cameras in Their Airbnb
(Gizmodo)
Millions of IPs remain infected by USB worm years after its
creators left it for dead (ArsTechnica)
Chinese Firm Is America's Favorite Drone Maker, Except in Washington
(NYTimes)
Stop Using Your Face or Thumb to Unlock Your Phone (Gizmodo)
How Google's SGE Could Destroy the Internet (Lauren Weinstein)
FTC questions Amazon's use of disappearing messages on Signal
(WashPost)
FTC says Amazon executives destroyed potential evidence by using
apps like Signal (The Verge)
Tech brands are forcing AI into your gadgets, whether you asked for
it or not (ArsTechnica)
Health insurance giant Kaiser will notify millions of a data breach
after sharing patients’ data with advertisers (TechCrunch)
Chaturbate Owes Texas $675,000 for Not Verifying the Age of Users (Gizmodo)
Android TV has access to your entire account, but Google is changing that
(ArsTechnica)
Health insurance giant Kaiser will notify millions of a data breach after
sharing patients’ data with advertisers (TechCrunch)
We're always fighting the last war (Henry Baker)
Prescient Fiction: 'Forbidden Planet' & 21st C. AI (Henry Baker)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Sat, 27 Apr 2024 8:37:31 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: AI deepfakes threaten to upend global elections. No one
can stop them. (WashPost)
Pranshu Verma and Cat Zakrzewski, *The Washington Post*
Elections from India to Europe have been assailed by AI deepfakes that
spread quickly and are no longer easy to debunk -- leaving voters
vulnerable.
https://www.washingtonpost.com/technology/2024/04/23/ai-deepfake-election-2024-us-india/
------------------------------
Date: Fri, 26 Apr 2024 19:31:09 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Tesla's Autopilot and Full Self-Driving linked to
hundreds of crashes, dozens of deaths (The Verge)
https://www.theverge.com/2024/4/26/24141361/tesla-autopilot-fsd-nhtsa-investigation-report-crash-death
In March 2023, a North Carolina student was stepping off a school bus when
he was struck by a Tesla Model Y traveling at “highway speeds,” according to
a federal investigation that published today. The Tesla driver was using
Autopilot, the automaker’s advanced driver-assist feature that Elon Musk
insists will eventually lead to fully autonomous cars.
The 17-year-old student who was struck was transported to a hospital by
helicopter with life-threatening injuries. But what the investigation found
after examining hundreds of similar crashes was a pattern of driver
inattention, combined with the shortcomings of Tesla’s technology, resulting
in hundreds of injuries and dozens of deaths.
Drivers using Autopilot or the system’s more advanced sibling, Full
Self-Driving, “were not sufficiently engaged in the driving task,” and
Tesla’s technology “did not adequately ensure that drivers maintained their
attention on the driving task,” NHTSA concluded.
------------------------------
Date: Fri, 26 Apr 2024 11:40:26 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Cisco Says Hackers Subverted Its Security Devices to Spy on
Governments (Reuters)
Raphael Satter, *Reuters*, 24 Apr 2024, via ACN TechNews
Cisco Systems on Wednesday said that hackers have subverted some of its
digital security devices to break into government networks globally. In a
blog post, Cisco said its Adaptive Security Appliances had previously
unknown vulnerabilities that had been exploited by a group of hackers they
dubbed "UAT4356." The company described the group as a "sophisticated
state-sponsored actor." Cisco said the vulnerabilities have been patched.
------------------------------
Date: Fri, 26 Apr 2024 11:40:26 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Hackers Use Developing Countries as Testing Ground for New
Ransomware Attacks (Ellesheva Kissin)
Ellesheva Kissin, *Financial Times*, 24 Apr 2024, via ACN TechNews
Cybersecurity firm Performanta reported that businesses in Africa, Asia, and
South America increasingly are being used by hackers as testing grounds for
their latest ransomware before they turn to higher-value targets in North
America and Europe. Recent dry runs in developing countries focused on a
Senegalese bank, a Chilean financial services company, a Colombian tax firm,
and a government economic agency in Argentina.
------------------------------
Date: Fri, 26 Apr 2024 19:47:27 -0400
From: Monty Solomon <monty@roscom.com>
Subject: 9 Disturbing Stories From People Who Say They Found Cameras in
Their Airbnb (Gizmodo)
https://gizmodo.com/airbnb-hidden-cameras-shocking-stories-bedroom-night-1851433108
Airbnb announced in March that all indoor security cameras would be banned
at its properties worldwide starting April 30. And if you read through
online complaints about cameras that were discovered during Airbnb stays
over the years, it’s easy to understand why it’s been such a controversial
issue.
Gizmodo filed a Freedom of Information Act request with the FTC for any
consumer complaints filed about Airbnb that involved cameras. Some of the
complaints are fairly mundane, and simply mention how cameras may have been
used to prove things that break the rules at Airbnb properties. But others
are pretty horrifying and involve hidden cameras in places where people
expect privacy.
------------------------------
Date: Fri, 26 Apr 2024 19:57:18 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Millions of IPs remain infected by USB worm years after its
creators left it for dead (ArsTechnica)
https://arstechnica.com/?p=2020055
------------------------------
Date: Fri, 26 Apr 2024 11:40:26 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Chinese Firm Is America's Favorite Drone Maker, Except in Washington
(NYTimes)
Kate Kelly and Julian E. Barnes. *The New York Times*, 25 Apr 2024,
via ACN TechNews
The Countering CCP Drones Act, under consideration by the U.S. Congress,
would threaten the commercial business of DJI, a Chinese drone manufacturer
that dominates sales among U.S. law enforcement agencies and hobbyists. The
legislation would put the company on a Federal Communications Commission
roster that would prevent it from running on U.S. communications
infrastructure. Researchers found vulnerabilities in an app that controls
DJI's drones could be used to access personal data (a U.S. official said all
known vulnerabilities currently have been patched).
------------------------------
Date: Fri, 26 Apr 2024 19:47:58 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Stop Using Your Face or Thumb to Unlock Your Phone (Gizmodo)
Last week, the 9th Circuit Court of Appeals in California released a ruling
that concluded state highway police were acting lawfully when they forcibly
unlocked a suspect's phone using their fingerprint. You probably didn’t hear
about it. The case didn’t get a lot of coverage, especially because the
courts weren’t giving a blanket green light for every cop to shove your
thumb to your screen during an arrest. But it’s another toll of the warning
bell that reminds you to not trust biometrics to keep your phone’s sensitive
info private. In many cases, especially if you think you might interact with
the police (at a protest, for example), you should seriously consider
turning off biometrics on your phone entirely.
https://gizmodo.com/stop-using-your-face-or-thumb-to-unlock-your-phone-1851438205
------------------------------
Date: Sat, 27 Apr 2024 09:26:18 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: How Google's SGE Could Destroy the Internet (Lauren Weinstein)
Google's LLM AI SGE ("Search Generative Experience") could effectively
destroy the Internet for all but the largest sites -- the same
Internet that #Google so effectively helped to build.
This is becoming clear as SGE rolls out to most users, with SGE
"answers" now appearing on a vast number of Google queries. Leaving
aside the serious questions around the accuracy of such responses and
everything associated with that, the mere presence of the responses
could be devastating to most sites.
These SGE answers are frequently verbose and can take up much of the
entire first screen -- or more -- of the results pages. This means you
may have to scroll down to even FIND the first organic "blue link"
results. Devastating.
To be clear, many of the SGE responses are themselves showing links to
the answers' source materials (e.g., in colored boxes) -- but the
obvious question is, why the hell would most users bother to click on
those links once they already have the answers that Google's LLM has
provided, based on the information that Google sucked without
compensation into their LLM from those sites? It's impossible to
imagine that click through rates to those sites won't be crushed.
Google executives appear to be thrilled with how well this is going --
FOR THEM. For the sites providing the data that is now powering
Google's SGE encroaching, destructive storm, it's likely going to be a
disaster, unless Google and other AI firms make major changes in their
deployment models -- whether voluntarily or under the force of new
regulatory models. -L
------------------------------
Date: Fri, 26 Apr 2024 14:44:21 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: FTC questions Amazon's use of disappearing messages on Signal
(WashPost)
*The Washington Post*, 26 Apr 2026
https://www.washingtonpost.com/technology/2024/04/26/amazon-ftc-messages-de=ted-bezos/
The Federal Trade Commission is accusing Amazon founder Jeff Bezos and
other top company executives of using disappearing messaging apps such
as Signal to conceal potential evidence in the agency's ongoing
antitrust case against the e-commerce behemoth.
``For years, Amazon's top executives, including founder and former CEO
Jeff Bezos, discuss[ed] sensitive business matters, including antitrust,
over the Signal encrypted-messaging app instead of email,'' the FTC
alleged in a document filed Thursday evening. ``These executives turned
on Signal's *disappearing message* feature, which irrevocably destroys
messages, even after Amazon was on notice that Plaintiffs were
investigating its conduct.''
The agency, which first accused Amazon of intentionally deleting messages
in its original antitrust complaint last fall, is now asking a U.S.
District Court judge to order the company to turn over documents related
to its handling of data. It's the latest salvo in a landmark case in which
the FTC is arguing that Amazon abused its dominance of e-commerce to
squeeze merchants and bury rivals, leading to higher prices for Bezos owns The Washington Post.
``The FTC's contentions are baseless,'' Amazon spokesman Tim Doyle said in
a statement, responding to the filing alleging destruction of evidence.
``Amazon voluntarily disclosed employees' limited Signal use to the FTC
years ago, thoroughly collected Signal conversations from its employees'
phones, and allowed agency staff to inspect those conversations even when
they had nothing to do with the FTC's investigation. The FTC has a
complete picture of Amazon's decision-making in this case, including 1.7
million documents from sources like email, internal messaging
applications, and laptops (among other sources), and over 100 terabytes of
data.'' [..]
------------------------------
Date: Fri, 26 Apr 2024 19:32:39 -0400
From: Monty Solomon <monty@roscom.com>
Subject: FTC says Amazon executives destroyed potential evidence by using
apps like Signal (The Verge)
https://www.theverge.com/2024/4/26/24141801/ftc-amazon-antitrust-signal-ephemeral-messaging-evidence
------------------------------
Date: Fri, 26 Apr 2024 19:54:32 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Tech brands are forcing AI into your gadgets, whether you asked for
it or not (ArsTechnica)
https://arstechnica.com/gadgets/2024/04/ai-marketing-hype-is-coming-for-your-favorite-gadgets
------------------------------
Date: Fri, 26 Apr 2024 19:43:32 -0400
From: "Monty Solomon" <monty@roscom.com>
Subject: Health insurance giant Kaiser will notify millions of a data breach
after sharing patients’ data with advertisers (TechCrunch)
https://techcrunch.com/2024/04/25/kaiser-permanente-health-plan-million
s-data-breach/
------------------------------
Date: Fri, 26 Apr 2024 19:45:49 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Chaturbate Owes Texas $675,000 for Not Verifying the Age of
Users (Gizmodo)
https://gizmodo.com/chaturbate-porn-age-verification-law-ken-paxton-pornhub-1851439770
------------------------------
Date: Fri, 26 Apr 2024 19:51:57 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Android TV has access to your entire account, but Google is
changing that (ArsTechnica)
https://arstechnica.com/?p=2020252
------------------------------
Date: Fri, 26 Apr 2024 19:43:32 -0400
From: "Monty Solomon" <monty@roscom.com>
Subject: Health insurance giant Kaiser will notify millions
of a data breach after sharing patients’ data with advertisers
https://techcrunch.com/2024/04/25/kaiser-permanente-health-plan-million
s-data-breach/
------------------------------
Date: Sat, 27 Apr 2024 03:34:57 +0000
From: "Henry Baker" <hbaker1@pipeline.com>
Subject: We're always fighting the last war
The first few minutes of the Pearl Harbor attack which caused the U.S. entry
into WWII sadly proved Billy Mitchell 100% correct. The good news re
Dec. 7th -- if there was any -- was that no U.S. aircraft carriers were in
Pearl Harbor that day.
Ditto with the 'Millennium Challenge 2002' wargames, in which essentially
the entire U.S. Mediterranean fleet was 'virtually' sunk within days using
'asymmetric warfare'.
Ditto with 'cheap drones' in the current Ukraine war; they have rebalanced the battle between
infantry -- now equipped with cheap drones for surveillance and attack -- and tanks -- a balance
which has existed for a century since the battle tank appeared near the end of WWI.
Cheap drones put into serious question most -- if not almost all -- of the
'prevailing wisdom' re strategy/tactics/weapons of modern warfare. These
put big '?' marks next to *every* 'big ticket' asset in modern warfare --
from $billion ships/aircraft carriers, to $100m fighters, to $10m battle
tanks, to $billion spy satellites. In chess terminology, coordinated pawns
beat rare expensive bishops, rooks, and queens.
https://nationalinterest.org/blog/reboot/exact-day-navy-battleships-became-obsolete-clear-209558
"In 1921, General Billy Mitchell, a vocal advocate of airpower, staged a
controversial exercise sinking obsolete battleship with bombers. This
foreshadowed the dominance of aircraft carriers in World War II despite
Mitchell's goal of a separate air force. The Navy initially dismissed his
claims, but the sinking of the 'unsinkable' German battleship Ostfriesland
proved the vulnerability of battleships."
"Mitchell believed that aviation -- which could respond to both air and
naval threats -- much better suited to protecting the country's coastline
than battleships. Mitchell was fond of stating that a thousand bombers could
be purchased for the cost of a single battleship, and told a House
subcommittee that properly equipped, an Air Service could sink any
battleship in existence."
https://www.msn.com/en-us/news/world/ar-AA1nIxGp
"Cheap Russian drones overwhelm US-made Abrams tanks, taken out of action"
"Ukrainian forces are withdrawing US-provided Abrams M1A1 main battle tanks
from the front lines after at least five have been destroyed by cheap
Russian drones, according to the AP."
"The failure of the Abrams to make a difference is a costly miscalculation.
The export cost of an Abrams tank can be around $10mn, while Col. Markus
Reisner, an Austrian military trainer who follows the weapons being used in
Ukraine, told the Euromaidan Press that the Russian suicide drones being
used to destroy them can be as cheap as $500 each (a ratio of 20,000:1)."
https://en.wikipedia.org/wiki/Millennium_Challenge_2002
"In a preemptive strike, Red launched a massive salvo of cruise missiles
that overwhelmed the Blue forces' electronic sensors and destroyed sixteen
warships: one aircraft carrier, ten cruisers and five of Blue's six
amphibious ships. An equivalent success in a real conflict would have
resulted in the deaths of over 20,000 service personnel. Soon after the
cruise missile offensive, another significant portion of Blue's navy was
"sunk" by an armada of small Red boats, which carried out both conventional
and suicide attacks that capitalized on Blue's inability to detect them as
well as expected."
https://www.theguardian.com/world/2002/sep/06/usa.iraq
"In the first few days of the [Millennium Challenge] exercise, using
surprise and unorthodox tactics, the wily 64-year-old Vietnam veteran sank
most of the US expeditionary fleet in the Persian Gulf, bringing the US
assault to a halt."
------------------------------
Date: Fri, 26 Apr 2024 00:44:55 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: Prescient Fiction: 'Forbidden Planet' & 21st C. AI
All of the recent discussions of the risks of AI bring to mind the
incredibly prescient movie (& radio play) 'Forbidden Planet':
https://en.wikipedia.org/wiki/Forbidden_Planet
In addition to being a pretty decent takeoff on Shakespeare's 'The Tempest',
the movie version of 'Forbidden Planet' introduces us to talking robots (now
almost passe !), and incredibly power- hungry planet-sized data centers
capable of turning human thoughts into reality.
Amazingly, this 1956 movie still holds up for modern viewers, thanks to the
supplanting of typical cheesy 1950's scifi effects in favor of laserlike
animations and electronic music.
The risks of AI, according to this movie: be very careful what you wish for,
because an AI with access to planet-sized energy capabilities can fulfill
even your worst nightmare.
Your choice: watch it again (safely) in movie form, or watch it play out in
real life.
BTW, I listened as a young boy to a radio serial version of Forbidden Planet
during the summer of either 1955 or 1956; but after extensive Google
searching, I have been unable to find a reference to this radio play
version. I know exactly where I was while listening to it on my
grandmother's huge radio with quite decent fidelity; perhaps someone else
here also heard it at the same time?
------------------------------
Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 34.21
************************
