[33149] in RISKS Forum

home help back first fref pref prev next nref lref last post

Risks Digest 33.77

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Sat Aug 12 03:12:12 2023

From: RISKS List Owner <risko@csl.sri.com>
Date: Fri, 11 Aug 2023 20:38:38 PDT
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Friday 11 August 2023  Volume 33 : Issue 77

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.77>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [Way backlogged.  Here's a start at catch-up.  PGN]
Failed communications left Maui residents trapped by fire,
 unable to escape (LATimes)
Firmware vulnerabilities in millions of computers could
 give hackers superuser status (Ars Technica)
Cyberattack Sabotages Medical Sites in Four States
 (Rebecca Carballo)
UK electoral register hacked in August 2021 (The Guardian)
New acoustic attack steals data from keystrokes with 95%
 (Bleeping Computer)
Downfall Attacks on Intel CPUs Steal Encryption Keys, Data
 (Ionut Ilascu)
California privacy regulatorť˘˛¨s first case: Probing
 Internet-connected cars (WashPost)
Hackers Stole $6M from Connecticut public school system
 Lola Fadulu)
VR Headsets Are Vulnerable to Hackers (UC Riverside)
Security and Human Behavior -- SHB 2023 (Bruce Schneier)
Typo sends millions of U.S. military emails to Russian ally Mali
 (BBC)
Bots and Spam attack Meta's Threads (TechCrunch)
Facebook sent information on visitors to police *anonymous'
 reporting* site (The Guardian)
Tech companies acknowledge machine-learning algorithms can  perpetuate
 discrimination and need improvement. (NYTimes)
Wikipedia's Moment of Truth? (NYTimes)
Why AI detectors think the U.S. Constitution was written by AI (Ars Technica)
ChatGPT's Accuracy Has Gotten Worse (Andrew Paul)
In the Age of AI, Techť˘˛¨s Little Guys Need Big Friends (NYTimes)
OpenAI's trust and safety lead is leaving the company
 (Engadget)
AI That Teaches Other AI (Greg Hardesty)
Researchers Find Deliberate Backdoor in Police Radio Encryption Algorithm
 (Kim Zetter)
Researchers Poke Holes in Safety Controls of ChatGPT, Othoer Chatbots
 (Cade Metz)
Unpatchable AMD Chip Flaw Unlocks Paid Tesla Feature Upgrade
 (Brandon Hill)
Eight-Months Pregnant Woman Arrested After False Facial
 Recognition Match (Kashmir Hill)
MIT Makes Probability-Based Computing a Bit Brighter
 (IEEE Spectrum)
Wikipediať˘˛¨s Moment of Truth (NYTimes)
Possible Typo Leads to Actual Scam (Bob Smith)
'Redacted Redactions' Strike Again (Henry Baker)
Re: Defective train safety controls lead to bus rides for South  Auckland
 commuters (George Neville-Neil)
Re: Myth about innovation ... (Henry Baker, Martyn Thomas,
 John Levine)
Internet censorship (Gene Spafford)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 11 Aug 2023 13:02:46 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Failed communications left Maui residents trapped by fire,
 unable to escape (LATimes)

https://www.latimes.com/world-nation/story/2023-08-11/failed-communication-and-huge-death-toll-in-maui-fires

------------------------------

Date: Fri, 21 Jul 2023 16:17:32 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Firmware vulnerabilities in millions of computers could
 give hackers superuser status (Ars Technica)

https://arstechnica.com/security/2023/07/millions-of-servers-inside-data-centers-imperiled-by-flaws-in-ami-bmc-firmware/

------------------------------

Date: Mon, 7 Aug 2023 18:12:02 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Cyberattack Sabotages Medical Sites in Four States
 (Rebecca Carballo)

Rebecca Carballo, *The New York Times*, 7 Aug 2023
As hospitals go online, they become more vulnerable.

Ransomware.  Prospect Medical Holdings in CA/CT/PA/RI
16 Hospitals, over 176 clinics affected.  [PGN-ed in just
another demonstration of how untrustworthy this can be.]

------------------------------

Date: Tue, 8 Aug 2023 14:42:12 +0100
From: "Robert N. M. Watson"
Subject: UK electoral register hacked in August 2021 (The Guardian)

https://www.theguardian.com/technology/2023/aug/08/uk-electoral-commission-registers-targeted-by-hostile-hackers?CMP=Share_iOSApp_Other

------------------------------

Date: Wed, 9 Aug 2023 06:45:13 -0700
From: Victor Miller <victorsmiller@gmail.com>
Subject: New acoustic attack steals data from keystrokes with 95%
 accuracy (Bleeping Computer)

https://www.bleepingcomputer.com/news/security/new-acoustic-attack-steals-data-from-keystrokes-with-95-percent-accuracy/

------------------------------

Date: Fri, 11 Aug 2023 11:23:58 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Downfall Attacks on Intel CPUs Steal Encryption Keys, Data
 (Ionut Ilascu)

Ionut Ilascu, *Bleeping Computer*, 8 Aug 2023

Google's Daniel Moghimi exploited the so-called "Downfall" bug in Intel
central processing units to steal passwords, encryption keys, and private
data from computers shared by multiple users. The transient execution
side-channel vulnerability affects multiple Intel microprocessor lines,
allowing hackers to exfiltrate Software Guard eXtensions-encrypted
information. Moghimi said Downfall attacks leverage the <i>gather</i>
instruction that "leaks the content of the internal vector register file
during speculative execution." He developed the Gather Data Sampling exploit
to extract AES 128-bit and 256-bit cryptographic keys on a separate virtual
machine from the controlled one, combining them to decrypt the information
in less than 10 seconds. Moghimi disclosed the flaw to Intel and worked with
the company on a microcode update to address it.

------------------------------

Date: Tue, 1 Aug 2023 18:24:07 -0400
From: Monty Solomon <monty@roscom.com>
Subject: California privacy regulatorť˘˛¨s first case: Probing
 Internet-connected cars (WashPost)

Data collection in cars has surged in recent years, especially in cars that
encourage users to plug in their phones to play music, get spoken directions
and make hands-free calls.

https://www.washingtonpost.com/technology/2023/07/31/cppa-privacy-car-data/

  [If the Internet of Things has no appreciable trustworthiness, why should
  we be surprised when cars are just IoT things!  PGN]

------------------------------

Date: Fri, 11 Aug 2023 9:23:39 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Hackers Stole $6M from Connecticut public school system
 (Lola Fadulu)

Lola Fadulu, *The New York Times*, 11 Aug 2023

New Haven CT has stopped the use of electronic transfers (except
payrolls).  $3.6M has been recovered.  (PGN-ed)

------------------------------

Date: Fri, 11 Aug 2023 11:23:58 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: VR Headsets Are Vulnerable to Hackers
 (UC Riverside)

David Danelski, UC Riverside News, 8 Aug 2023

Computer scientists at the University of California, Riverside found hackers
can translate the movements of virtual reality (VR) and augmented reality
(AR) headset users into words using spyware and artificial intelligence. In
one example, spyware used a headset user's motions to record their Facebook
password as they air-typed it on a virtual keyboard. Spies also could
potentially access a user's actions during virtual meetings involving
confidential information by interpreting body movements. One exploit showed
hackers retrieving a target's hand gestures, voice commands, and keystrokes
on a virtual keyboard with over 90% accuracy. Researchers also developed a
system called TyPose that uses machine learning to extract AR/VR users' head
motions to deduce words or characters they are typing.

------------------------------

Date: Sat, 15 Jul 2023 08:27:20 +0000
From: Bruce Schneier <schneier@schneier.com>
Subject: Security and Human Behavior -- SHB 2023

For back issues, or to subscribe, visit Crypto-Gram's web page.
https://www.schneier.com/crypto-gram/
https://www.schneier.com/crypto-gram/archives/2023/0715.html

These same essays and news items appear in the Schneier on Security
[https://www.schneier.com/] blog, along with a lively and
intelligent comment section. An RSS feed is available.

[PGN-excerpted from Bruce Schneier's CRYPTO-GRAM, 15 Jul 2023, as both
timely and historically relevant to a topic that has been in RISKS
since the first issue.]

** SECURITY AND HUMAN BEHAVIOR (SHB) 2023

[2023.06.16]
[https://www.schneier.com/blog/archives/2023/06/security-and-human-behavior-shb-2023.html]
I'm just back from the sixteenth Workshop on Security and Human
Behavior [https://www.heinz.cmu.edu/~acquisti/SHB2023/index.htm]
hosted by Alessandro Acquisti at Carnegie Mellon University in
Pittsburgh.

SHB is a small annual invitational workshop of people studying various
aspects of the human side of security, organized each year by
Alessandro Acquisti, Ross Anderson, and myself. The fifty or so
attendees include psychologists, economists, computer security
researchers, criminologists, sociologists, political scientists,
designers, lawyers, philosophers, anthropologists, geographers,
neuroscientists, business-school professors, and a smattering of
others. It's not just an interdisciplinary event; most of the people
here are individually interdisciplinary.

Our goal is always to maximize discussion and interaction. We do that
by putting everyone on panels, and limiting talks to six to eight
minutes, with the rest of the time for open discussion. Short talks
limit presenters' ability to get into the boring details of their
work, and the interdisciplinary audience discourages jargon.

For the past decade and a half, this workshop has been the most
intellectually stimulating two days of my professional year. It
influences my thinking in different and sometimes surprising ways 00
and has resulted in some unexpected collaborations.

And that's what's valuable. One of the most important outcomes of the
event is new collaborations.  Over the years, we have seen new
interdisciplinary research between people who met at the workshop, and
ideas and methodologies move from one field into another based on
connections made at the workshop. This is why some of us have been
coming back every year for over a decade.

This year's schedule is here
[https://www.heinz.cmu.edu/~acquisti/SHB2023/program.htm]. This page
[https://www.heinz.cmu.edu/~acquisti/SHB2023/participants.htm] lists
the participants and includes links to some of their work. As he does
every year, Ross Anderson is live blogging
[https://www.lightbluetouchpaper.org/2023/06/14/security-and-human-behaviour-2023/]
the talks. We are back 100% in-person after two years of fully remote
and one year of hybrid.

Here are my posts on the first
[http://www.schneier.com/blog/archives/2008/06/security_and_hu.html], second
[http://www.schneier.com/blog/archives/2009/06/second_shb_work.html], third
[http://www.schneier.com/blog/archives/2010/06/third_shb_works.html], fourth
[http://www.schneier.com/blog/archives/2011/06/fourth_shb_work.html], fifth
[https://www.schneier.com/blog/archives/2012/06/security_and_hu_1.html], sixth
[https://www.schneier.com/blog/archives/2013/06/security_and_hu_2.html], seventh
[https://www.schneier.com/blog/archives/2014/06/security_and_hu_3.html],
eighth
[https://www.schneier.com/blog/archives/2015/06/security_and_hu_4.html], ninth
[https://www.schneier.com/blog/archives/2016/06/security_and_hu_5.html], tenth
[https://www.schneier.com/blog/archives/2017/05/security_and_hu_6.html], eleventh
[https://www.schneier.com/blog/archives/2018/05/security_and_hu_7.html], twelfth
[https://www.schneier.com/blog/archives/2019/06/security_and_hu_8.html], thirteenth
[https://www.schneier.com/blog/archives/2020/06/security_and_hu_9.html],
fourteenth
[https://www.schneier.com/blog/archives/2021/06/security-and-human-behavior-sh
b-2021.html], and fifteenth
[https://www.schneier.com/blog/archives/2022/05/security-and-human-behavior-shb-2022.html]
SHB workshops. Follow those links to find summaries, papers, and
occasionally audio/video recordings of the sessions. Ross also
maintains a good webpage [https://www.cl.cam.ac.uk/~rja14/psysec.html]
of psychology and security resources.

It's actually hard to believe that the workshop has been going on for
this long, and that it's still vibrant. We rotate [among] organizers,
so next year is my turn in Cambridge (the Massachusetts one).

------------------------------

Date: Mon, 17 Jul 2023 16:23:45 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Typo sends millions of U.S. military emails to Russian ally Mali
 (BBC)

Emails intended for the U.S. military's ".mil" domain have, for years, been
sent to the west African country which ends with the ".ml" suffix.  Some of
the emails reportedly contained sensitive information such as passwords,
medical records and the itineraries of top officers.
[...]

https://www.bbc.com/news/world-us-canada-66226873

------------------------------

Date: Mon, 17 Jul 2023 13:31:56 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Bots and Spam attack Meta's Threads (TechCrunch)

https://techcrunch.com/2023/07/17/the-spam-bots-have-now-found-threads-as-company-announces-its-own-rate-limits/

------------------------------

Date: Sun, 16 Jul 2023 08:03:45 +0200
From: Anthony Thorn <anthony.thorn@atss.ch>
Subject: Facebook sent information on visitors to police *anonymous
 reporting* site (The Guardian)

``Britainť˘˛¨s biggest police force gathered sensitive data about people using
its website to report sexual offences, domestic abuse and other crimes and
shared it with Facebook for targeted advertising, the Observer has found.''

https://www.theguardian.com/uk-news/2023/jul/15/revealed-metropolitan-police-shared-sensitive-data-about-victims-with-facebook

Facebook's Pixel tool was embedded in Metropolitan Police web page

The data was collected by a tracking tool embedded in the website of the
Metropolitan police and included records of browsing activity about people
using a *secure* online form for victims and witnesses to report offences.

In one case, Facebook received a parcel of data when someone clicked a link
to ť˘˛Řsecurely and confidentially report rape or sexual assaultť˘˛ř to the Met
online. This included the sexual nature of the offence being reported, the
time the page was viewed and a code denoting the personť˘˛¨s Facebook account
ID.

The tracking tool, known as Meta Pixel, also sent details to Facebook about
content viewed and buttons clicked on webpages linked to contacting police,
accessing victim services, and advice pages for crimes including rape,
assaults, stalking and fraud."

What was the person who installed the tool thinking?

We must assume that almost(?) every web site reports our activity to
Facebook and Google.

I guess it's time for Tor.

------------------------------

Date: Tue, 18 Jul 2023 08:54:41 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Tech companies acknowledge machine-learning algorithms can
 perpetuate discrimination and need improvement. (NYTimes)

https://www.nytimes.com/2023/07/04/arts/design/black-artists-bias-ai.html

------------------------------

Date: Tue, 18 Jul 2023 08:38:49 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Wikipedia's Moment of Truth? (NYTimes)

Can the online encyclopedia help teach A.I. chatbots to get their facts
right -ť˘˛˘ without destroying itself in the process?

https://www.nytimes.com/2023/07/18/magazine/wikipedia-ai-chatgpt.html

------------------------------

Date: Tue, 18 Jul 2023 12:22:52 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Why AI detectors think the U.S. Constitution was
 written by AI (Ars Technica)

If you feed America's most important legal document -- the US Constitution

<https://arstechnica.com/information-technology/2022/12/openai-invites-everyone-to-test-new-ai-powered-chatbot-with-amusing-results/>,
it will tell you that the document was almost certainly written by AI. But
unless James Madison was a time traveler, that can't be the case. Why do AI
writing detection tools give false positives? We spoke to several experts --
and the creator of AI writing detector GPTZero -- to find out.

Among news stories of overzealous professors
<https://www.washingtonpost.com/technology/2023/05/18/texas-professor-threatened-fail-class-chatgpt-cheating/>
flunking an entire class due to the suspicion of AI writing tool use and
kids falsely accused
<https://www.reddit.com/r/ChatGPT/comments/132ikw3/teacher_accused_me_of_using_chatgpt/> of using ChatGPT, generative AI has education in a tizzy. Some
think it represents an existential
crisishttps://www.theatlantic.com/technology/archive/2022/12/chatgpt-ai-writing-college-student-essays/672371/>.  Teachers relying on educational methods
developed over the past century have been scrambling for ways to keep
<https://www.reddit.com/r/Teachers/comments/zkguxg/my_frustrations_with_chatgpt/>
the status quo -- the tradition of relying on the essay as a tool to gauge~>
student mastery of a topic.

As tempting as it is to rely on AI tools to detect AI-generated writing,
evidence so far has shown that they are not reliable
<https://techcrunch.com/2023/02/16/most-sites-claiming-to-catch-ai-written-text-fail-spectacularly/>.
Due to false positives, AI writing detectors such as GPTZero
<https://gptzero.me/>, ZeroGPT <https://www.zerogpt.com/>, and OpenAI's Text
Classifier <https://platform.openai.com/ai-text-classifier> cannot
<https://theconversation.com/we-pitted-chatgpt-against-tools-for-detecting-ai-written-text-and-the-results-are-troubling-199774>
be trusted to detect text composed by large language models (LLMs) like
ChatGPT.

If you feed GPTZero a section of the US Constitution, it says the text is
``likely to be written entirely by AI.'' Several times over the past six
months, screenshots of other AI detectors showing similar results have gone
viral <https://twitter.com/0xgaut/status/1648383977139363841?s=20> on
social media, inspiring confusion and plenty of jokes about the founding
fathers being robots. It turns out the same thing happens with selections
from The Bible, which also show up as being AI-generated.

To explain why these tools make such obvious mistakes (and otherwise often
return false positives), we first need to understand how they work.

*Understanding the concepts behind AI detection*.  [...]

https://arstechnica.com/information-technology/2023/07/why-ai-detectors-think-the-us-constitution-was-written-by-ai/

------------------------------

Date: Fri, 21 Jul 2023 11:44:53 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: ChatGPT's Accuracy Has Gotten Worse (Andrew Paul)

Andrew Paul, *Popular Science*, 19 Jul 2023, via ACM TechNews,

Stanford University and University of Southern California, Berkeley
(UC Berkeley) researchers demonstrated an apparent decline in the
reliability of OpenAI's ChatGPT large language model (LLM) over time
without any solid explanation. The researchers assessed the chatbot's
tendency to offer answers with varying degrees of accuracy and
quality, as well as how appropriately it follows instructions. In one
example, the researchers observed that GPT-4's nearly 98% accuracy in
identifying prime numbers fell to less than 3% between March and June
2023, while GPT-3.5's accuracy increased; both GPT-3.5 and GPT-4's
code-generation abilities worsened in that same interval. UC
Berkeley's Matei Zaharia suggested the decline may reflect a limit
reached by reinforcement learning from human feedback, or perhaps bugs
in the system.

------------------------------

Date: Tue, 18 Jul 2023 08:49:59 -0400
From: Monty Solomon <monty@roscom.com>
Subject: In the Age of AI, Techť˘˛¨s Little Guys Need Big Friends (NYTimes)

Creating a new AI system requires lots of money and lots of computing power, which is controlled by the industryť˘˛¨s giants.

https://www.nytimes.com/2023/07/05/business/artificial-intelligence-power-data-centers.html

---------------------------------------

Date: Fri, 21 Jul 2023 18:12:10 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: OpenAI's trust and safety lead is leaving the company
 (Engadget)

https://www.engadget.com/openais-trust-and-safety-lead-is-leaving-the-company-190049987.html?src=rss

  [He could not safely trust it?  PGN]

------------------------------

Date: Mon, 24 Jul 2023 11:54:55 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: AI That Teaches Other AI (Greg Hardesty)

Greg Hardesty, USC Viterbi School of Engineering, 18 Jul 2023,
via ACM TechNews

Scientists at the University of Southern California (USC), Intel Labs, and
the Chinese Academy of Sciences demonstrated that robots can be trained to
train other robots by sharing their knowledge. The researchers developed the
Shared Knowledge Lifelong Learning (SKILL) tool to teach artificial
intelligence agents 102 unique tasks whose knowledge they then shared over a
decentralized communication network. The researchers said they found the
SKILLtool's algorithms speed up the learning process by allowing agents to
learn concurrently in parallel. The work indicated learning time shrinks by
a factor of 101.5 when 102 agents each learn one task and then share.

  [Speed is irrelevant if there are any flaws or vulnerabilities in the
  process.  This is a a classic example of a serpent eating its own tail --
  ouroboros, which eventually is nonconvergent to a sound state.  PGN]

------------------------------

Date: Wed, 26 Jul 2023 11:46:32 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Researchers Find Deliberate Backdoor in Police Radio Encryption
 Algorithm (Kim Zetter)

Kim Zetter, *Ars Technica*, 25 Jul 2023

Researchers with Netherlands-based security consultancy Midnight Blue
have uncovered a secret backdoor in technology long used for critical
data and voice radio communications worldwide. The backdoor resides in
an algorithm embedded within commercially sold devices that transmit
encrypted data and commands, allowing users to eavesdrop on
communications and potentially hijack critical infrastructure. The
researchers found the backdoor and four other flaws in the European
Telecommunications Standards Institute's Terrestrial Trunked Radio
(TETRA) standard in 2021, but waited until radio manufacturers could
develop patches and mitigations before disclosing them. The
researchers also learned most police forces worldwide (excluding the
U.S.) use TETRA-based radio technology.

------------------------------

Date: Fri, 28 Jul 2023 11:05:55 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Researchers Poke Holes in Safety Controls of ChatGPT, Other
 Chatbots (Cade Metz)

Cade Metz, *The New York Times*, 27 Jul 2023, via,ACM TechNews

Scientists at Carnegie Mellon University and the Center for AI Safety
demonstrated the ability to produce nearly infinite volumes of
destructive information by bypassing artificial intelligence (AI)
protections in any leading chatbot. The researchers found they could
exploit open source systems by appending a long suffix of characters
onto each English-language prompt inputted into the system. In this
manner, they were able to persuade chatbots to provide harmful
information and generate discriminatory, counterfeit, and otherwise
toxic data. The researchers found they could use this method to
circumvent the safeguards of OpenAI's ChatGPT, Google's Bard, and
Anthropic's Claude chatbots. While they concede that an obvious
countermeasure for preventing all such attacks does not exist, the
researchers suggest chatbot developers could block the suffixes they
identified.

------------------------------

Date: Mon, 7 Aug 2023 13:51:39 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Unpatchable AMD Chip Flaw Unlocks Paid Tesla Feature Upgrade
 (Brandon Hill)

Brandon Hill, *Tom's Hardware*, 3 Aug 2023

Security researchers at Germany's Technical University of Berlin have
cracked modern Tesla vehicles' Media Control Unit (MCU) to access paid
features through an unpatchable flaw in the MCU-controlling AMD
processor. The researchers said they launched a voltage fault injection
attack against the third-generation MCU-Z's Platform Security Processor,
allowing the decryption of objects stored in the Trusted Platform
Module. They explained, "Our gained root permissions enable arbitrary
changes to Linux that survive reboots and update. They allow an attacker to
decrypt the encrypted NVMe [Non-Volatile Memory Express] storage and access
private user data such as the phonebook, calendar entries, etc." The
researchers found hackers can access Tesla subsystems and even
paywall-locked optional content via the exploit.

------------------------------

Date: Mon, 7 Aug 2023 13:51:39 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Eight-Months Pregnant Woman Arrested After False Facial
 Recognition Match (Kashmir Hill)

Kashmir Hill, *The New York Times*, 6 Aug 2023

Detroit police recently arrested eight-months-pregnant African American
Porcha Woodruff for robbery and carjacking due to an erroneous offender
match by facial recognition technology. Woodruff is the sixth person to
report being wrongly accused of a crime through such a mismatch and the
third such wrongful arrest involving the Detroit Police Department. City
documents indicated the department uses a facial recognition vendor called
DataWorks Plus to run unknown faces against a database of mug shots,
returning matches ranked according to the probability of being the same
person. Crime analysts decide if any matches are potential suspects, and the
police report said a match for Woodruff's 2015 mug shot -- which she said
was from an arrest for driving with an expired license -- prompted the
analyst to give her name to the investigator.

  [Maybe the probability was something like 5%, but more than anyone else in
  the database?  PGN]

------------------------------

Date: Fri, 21 Jul 2023 11:44:53 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: MIT Makes Probability-Based Computing a Bit Brighter
 (IEEE Spectrum)

Edd Gent and Margo Anderson. *IEEE Spectrum*,19 Jul 2023
via ACM TechNews,

Massachusetts Institute of Technology (MIT) researchers have produced the
first probabilistic bit (p-bit) using photonics. The method's core component
is an optical parametric oscillator (OPO), which is basically two mirrors
reflecting light back and forth between them. The researchers can influence
the likelihood with which an oscillation's phase assumes a particular state
by injecting the OPO with extremely weak laser pulses. MIT's Charles
Roques-Carmes explained, "We can keep the random aspect that just comes from
using quantum physics, but in a way that we can control the probability
distribution that is generated by those quantum variables." The researchers
said they were able to generate 10,000 p-bits per second, which appear to
support the necessary behavior for building a probabilistic computer.

------------------------------

Date: Tue, 18 Jul 2023 08:38:49 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Wikipediať˘˛¨s Moment of Truth (NYTimes)

Can the online encyclopedia help teach AI chatbots to get their facts right
-ť˘˛˘ without destroying itself in the process?

https://www.nytimes.com/2023/07/18/magazine/wikipedia-ai-chatgpt.html

------------------------------

Date: Thu, 20 Jul 2023 22:01:00 -0400
From: Bob Smith <bsmith@sudleyplace.com>
Subject: Possible Typo Leads to Actual Scam

I encountered an error message from my Frigidaire PCFI3668AF induction
range, which thankfully resolved itself.  But, before that resolution, I
called Frigidaire tech support for help, and as I was right there at the
oven, I lazily used the phone number printed on the tag inside the oven:
800-374-4472.  The phone was answered as if it were Frigidaire tech support,
but actually was a scam where they wanted to "give" me a $100 debit card if
only I would cover the USPS handling charge of $2.95; yes, that noise you
hear is the sound of your alarm bells.  At this point, I hung up.

Subsequently, I looked up the actual Frigidaire tech support number online
and found it to be 800-374-4432, not -4472, so perhaps the number printed
inside the oven is a typo; nonetheless, it leads to an actual scam with an
unusual set-up.

I was puzzled that someone thought it worthwhile to capitalize on this tiny
mistake, as who even *reads* the printed tag inside an oven, no less *calls*
the printed phone number?  On the other hand, once the typo is noticed by a
scammer, the cost to set up and manage the scam is negligible, which seems
to be the case.

I sent all this along with a photo of the printed tag to Frigidaire tech
support in May, but have not heard back.

This is such a rare and unusual basis for a scam that I'm unsure of what is
the takeaway lesson, if any.

------------------------------

Date: Thu, 20 Jul 2023 15:27:05 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: 'Redacted Redactions' Strike Again

I'd like to coin the neologism "outcroppings" for these redacted redactions.

"An outcropping is rock formation, a place on the earth where
the bedrock underneath shows through."

Perhaps 'natural emergence' has come a cropper ?

Oops!

https://theintercept.com/2023/07/12/covid-documents-house-republicans/

HOUSE REPUBLICANS ACCIDENTALLY RELEASED A TROVE OF
DAMNING COVID DOCUMENTS

"According to the metadata in the PDF of the report, it was created
using 'Acrobat PDFMaker 23 for Word,' indicating that the report was
originally drafted as a Word document. Word, however, retains the
original image when an image is cropped, as do many other apps.
Microsoft's documentation cautions that 'Cropped parts of the picture
are not removed from the file, and can potentially be seen by others,'
going on to note: 'If there is sensitive information in the area you're
cropping out make sure you delete the cropped areas.'

"When this Word document was converted to a PDF, the original,
uncropped images were likewise carried over. The Intercept was able to
extract the original, complete images from the PDF using freely
available tools..."

------------------------------

Date: Mon, 17 Jul 2023 21:37:57 +0800
From: George Neville-Neil <gnn@neville-neil.com>
Subject: Re: Defective train safety controls lead to bus rides for South
 Auckland commuters (Hinson. RISKS-33.76)

WRT the *Defective train safety controls*, it would seem that the controls
in question are the locomotive engineers.  Reviewing the rolling stock and
locomotives used on the KiwiRail service shows them to be common diesel
locomotives, without any form of positive train control or automatic braking
that would stop the train when it runs a red signal.  The issue is operator
error, rather than a fault in an automated system.  It's a risk, but it's an
old one, and not, it would seem, due to an automated system.

------------------------------

Date: Sun, 16 Jul 2023 16:51:29 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: Re: Myth about innovation ... (RISKS-33.75)

Be very careful what you wish for.

While I have also criticized OceanGate in this forum, I'm not about ready to
throw out the innovation baby with the (ocean?)  bathwater.

*Innovation* is *novelty* + *usefulness* + *cost-effectiveness* +
*right-timing*.

Exhibit #1 is Apple, as they have continually reshaped the
computer world from personal computers to desktop publishing
to smartphones to digital cameras.  At each step, the 'market
research' said that no one was interested in these devices; the
reason, of course, is that no one had had access to such devices,
so the intuition of the market research subjects was wrong.

There's a curious relationship between 'fake news' and
innovation: *the experts are always wrong*, because *experts*
(by definition) are *backwards-looking*. You can't be an expert
in a field that doesn't exist yet. Yet the 'expert' is the first to
call every new idea 'fake news'.

An American football analogy: so-called 'broken field running',
when all the planning and practice for a particular play goes
out the window, and the field is completely chaotic.  The best
broken field runners don't think -- they utilize their *gut feel* to
know which way to run.

Entrepreneurs see the world differently from the rest of us.
Where the politicians, regulators and 'experts' decry the sad
state of the world, the entrepreneur sees *opportunity* and
*grabs it*.

For every single new idea there are a million naysayers and
censors.

It takes an extremely strong ego to withstand this withering
criticism. The vast majority of the population doesn't have the
constitution to go up against colleagues, friends, and family.

Exhibit #2 is Christopher Columbus.  More important than how
may people died is how many people survived and subsequently
took advantage of his innovation.  Look back at the famous
explorers -- Magellan, etc. -- quite a number of them and their
crew lived to tell the tale, and the rest is history.

I'm with Galileo: 'And yet it moves' !

------------------------------

Date: Tue, 11 Jul 2023 10:57:50 +0100
From: Martyn Thomas <martyn@mctar.uk (http://mctar.uk)>
Subject: Re: Myth about innovation ... (RISKS-33.75)

We should challenge the myth that regulation stifles innovation.

Some of the most innovative industries are highly regulated.

Pharmaceuticals and children's toys, for example (in the EU and UK).

------------------------------

Date: 16 Jul 2023 22:36:31 -0400
From: "John Levine" <johnl@iecc.com>
Subject: Re: Myth about innovation and regulation ... (RISKS-33.75) NOTSP
 (Thomas, RISKS-33.76)

> We should challenge the myth that regulation stifles innovation. Some of
> the most innovative industries are highly regulated. Pharmaceuticals and
> children's toys, for example (in the EU and UK).

One could write entire books about the purposes, costs, and benefits
of regulation. (Someone probably has.)

The normal motivation is to protect the public from some direct harm, e.g.,
drugs that don't work or are harmful. But there is plenty of regulation
intended more to maintain the providers' business model.  That isn't
necessarily a bad idea.  When you have an 80,000 lb truck barreling down the
road, I would prefer that the operator have sufficient revenue to maintain
the truck, and to pay the driver enough that she doesn't feel forced to pop
pills and drive 16 hrs a day.

There is a reason that Uber et al. started in San Francisco -- its taxi
regulation was uniquely bad due to a local law that limited taxis to
owner-drivers, with a cap way too small to handle the demand. That was swell
for the drivers, awful for everyone else. So there was a lot of sympathy for
a service, even an illegal one, that fixed the fact that there just weren't
taxis when you needed them.

Some of the innovation was plausibly a good idea, e.g., using an app to
match up drivers and passengers. Some was bad, e.g., Lyft's "sharing"
insurance fraud model taking paying passengers in personal cars with no
insurance in case of an accident. (Uber quickly copied it.) Some was
accidental, Uber's super cheap below-cost service subsidized by lots of
venture capital silly money.

The app also happened to be a regulatory innovation since it completely
blurred the distinction between taxis you could hail on the street and car
services you book ahead. In New York, those are different services with
different licenses. NYC had enough sense to force Uber to become a car
service, which meant among other things that Uber drivers in NYC are covered
by workers comp if they're injured on the job, other places not so much.

Picking apart the beneficial parts of innovation from the harmful or
parasitic parts can be hard, but it is necessary.  As we saw with Ocean
Gate, what is always wrong is to insist that innovation for its own sake is
by definition good.

------------------------------

Date: Thu, 20 Jul 2023 08:50:37 -0600
From: "Eugene H. Spafford" <spaf@acm.org>
Subject: Internet censorship

You might be interested in this Ph.D. dissertation by my most recent
student, Major Alexander Master.

Title: Modeling and Characterization of Internet Censorship Technologies

Abstract:

The proliferation of Internet access has enabled the rapid and widespread
exchange of information globally. The world wide web has become the primary
communications platform for many people and has surpassed other traditional
media outlets in terms of reach and influence. However, many nation-states
impose various levels of censorship on their citizens' Internet
communications. There is little consensus about what constitutes
*objectionable* online content deserving of censorship. Some people consider
the censor activities occurring in many nations to be violations of
international human rights (e.g., the rights to freedom of expression and
assembly). This multi-study dissertation explores Internet censorship
methods and systems. By using combinations of quantitative, qualitative, and
systematic literature review methods, this thesis provides an
interdisciplinary view of the domain of Internet censorship. The author
presents a reference model for Internet censorship technologies: an
abstraction to facilitate a conceptual understanding of the ways in which
Internet censorship occurs from a system design perspective. The author then
characterizes the technical threats to Internet communications, producing a
comprehensive taxonomy of Internet censorship methods as a result. Finally,
this work provides a novel research framework for revealing how nation-state
censors operate based on a globally representative sample. Of the 70 nations
analyzed, 62 used at least one Internet censorship method against their
citizens. The results reveal worldwide trends in Internet censorship based
on historical evidence and Internet measurement data.

https://www.doi.org/10.25394/PGS.23666784

------------------------------

Date: Sat, 1 Jul 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.77
************************

home help back first fref pref prev next nref lref last post