[33152] in RISKS Forum

home help back first fref pref prev next nref lref last post

Risks Digest 33.79

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Sat Aug 19 20:23:55 2023

From: RISKS List Owner <risko@csl.sri.com>
Date: Sat, 19 Aug 2023 17:23:35 PDT
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Saturday 19 August 2023  Volume 33 : Issue 79

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.79>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Voyager 2: NASA Loses Contact With Probe After Sending Wrong Command
 (Business Insider)
American Airlines flight from Logan delayed Monday after close call with
 Spirit Airlines (The Boston Globe)
Birds and fish competing with squirrels for power failures (Fox)
Lahaina: single points of failure (Henry Baker)
More than 134,000 Mass. residents part of data security breach
 (The Boston Globe)
Windows feature that resets system clocks based on random data is wreaking
 havoc (Ars Technica)
For the Good of Society, Hackers Prod AI to Be Bad (NYTimes)
San Francisco robotaxi traffic jam is a warning to the world, says city
 official (CBC)
CA DMV orders Cruise to reduce robotaxi fleet in SF by 50% after
 collision with fire truck, injuring passenger (TechCrunch)
The rapid expansion of robotaxis in major cities MUST BE STOPPED
 (Lauren Weinstein)
Potential NYT lawsuit could force OpenAI to wipe ChatGPT and start
 over (Ars Technica)
An Iowa school district is using ChatGPT to decide which books to
 ban (The Verge)
Not AI? (Cliff Kilby)
Crypto smart contracts still stupid (Amy Castor)
Attackers find new ways to deliver DDoSes with "alarming" sophistication ()
 (Ars Technica)
`Bitcoin Bonnie and Clyde' plead guilty in `spy novel'-like laundering case
 (WashPost)
Microsoft pulls article recommending Ottawa Food Bank to tourists (CBC)
Cheese and chips: parmesan producers fight fakes with microtransponders
 (The Guardian)
Ukraine busts bot farm spreading Russian infowar propaganda and frauds
 (The Register)
Imposter scams are the top U.S. fraud (NPR)
Good reason to keep BMC LAN connections on an isolated LAN
 (Ars Technica)
Internet Archive's legal woes mount as record labels sue for $400M
 (Ars Technica)
AI chatbot scares Snapchat users by posting mysterious video
 (Ars Technica)
Re: Don't use our content to train AI systems (Amos Shapir)
Re: Cellphone Radiation Is Harmful, but Few Want to Believe It (PGN)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 1 Aug 2023 23:53:27 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Voyager 2: NASA Loses Contact With Probe After Sending
 Wrong Command (Business Insider)

NASA accidentally lost contact with its Voyager 2 probe after sending a
wrong command. It could mean the end of its 46-year-old mission.

  [The requirements specifiers, designers, and programmers forgot about
  "undo"? or required confirmation of questionable inputs?  Foresight,
  forsooth farsight, when it is that FAR AWAY?  PGN]

https://www.businessinsider.com/nasa-loses-contact-voyager-2-sent-wrong-command-mistake-space-2023-8

------------------------------

Date: Wed, 16 Aug 2023 23:20:24 -0400
From: Monty Solomon <monty@roscom.com>
Subject: American Airlines flight from Logan delayed Monday after close
 call with Spirit Airlines (The Boston Globe)

The close call was the fourth time this year aircraft at Logan have
inadvertently flown close to one another, according to FAA records.

https://www.bostonglobe.com/2023/08/16/metro/american-airlines-flight-logan-delayed-monday-after-close-call-with-spirit-airlines/

------------------------------

Date: Wed, 16 Aug 2023 21:32:05 +0000 ()
From: danny burstein <dannyb@panix.com>
Subject: Birds and fish competing with squirrels for power failures (Fox)

https://www.foxnews.com/us/unlikely-animal-falls-from-sky-knocks-power-out-thousands-new-jersey-town

A fish dropped out of the sky by its bird captor caused a power outage for a
section of homes in a New Jersey town, officials say. "There is a large area
of Lower Sayreville without power. [Jersey Central Power & Light] is
reporting a [fish emoji] was found on a transformer.

------------------------------

Date: Thu, 17 Aug 2023 20:03:34 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: Lahaina: single points of failure

High winds => downed power lines => sparked fires =>
melted water lines + pumping power loss => no way to fight the fires.

Reminds me of the 'Useless Box' that Turns Itself Off:
https://www.youtube.com/watch?v=3KTilOsXBmU

Lahaina clearly demonstrates the Major Risk of *centralized electrical power
systems*; to gain resilience, we *have* to move to *distributed electrical
power systems*, aka 'microgrids':

https://www.nrel.gov/grid/microgrids.html

"Advanced microgrids enable local power generation assets&mdash;including
traditional generators, renewables, and storage&mdash;to keep the local grid
running even when the larger grid experiences interruptions or, for remote
areas, where there is no connection to the larger grid."

https://www.nytimes.com/2023/08/13/us/lahaina-water-failure.html

As Inferno Grew, Lahain's Water System Collapsed

Firefighters who rushed to contain the Maui wildfire found that hydrants
were running dry, forcing crews to embark instead on a perilous rescue
mission.

West Maui's water system relies on electrical power to pump water through
the network and deliver it to fire hydrants, and officials at Hawaiian
Electric, the state's main electrical utility, have said that the need to
maintain this pumping capability has made it difficult to shut off power
when high winds pose a fire risk.

``Pre-emptive, short-notice power shut-offs have to be coordinated with
first-responders and in Lahaina, electricity powers the pumps that provide
the water needed for firefighting,'' said Jim Kelly, a spokesman for the
utility.

  [Re: the sirens, discussed in an earlier RISKS issue, I heard a news
  report faulting officials that the sirens were not used.  The rebuttal
  justification seemed to be that their use was primarily for tsunamis, for
  which people are trained to move inland higher altitudes as fast as
  possible -- which may not have been relevant here.  PGN]

------------------------------

Date: Wed, 16 Aug 2023 22:52:34 -0400
From: Monty Solomon <monty@roscom.com>
Subject: More than 134,000 Mass. residents part of data security breach
 (The Boston Globe)

https://www.boston.com/news/crime/2023/08/16/massachusetts-data-security-breach-moveit-umass-chan-medical-school/

------------------------------

Date: Thu, 17 Aug 2023 11:15:37 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Windows feature that resets system clocks based on random data is
 wreaking havoc (Ars Technica)

Windows Secure Time Seeding resets clocks months or years off the correct
time.

A few months ago, an engineer in a data center in Norway encountered some
perplexing errors that caused a Windows server to suddenly reset its system
clock to 55 days in the future. The engineer relied on the server to
maintain a routing table that tracked cell phone numbers in real time as
they moved from one carrier to the other. A jump of eight weeks had dire
consequences because it caused numbers that had yet to be transferred to be
listed as having already been moved and numbers that had already been
transferred to be reported as pending.  [...]

https://arstechnica.com/security/2023/08/windows-feature-that-resets-system-clocks-based-on-random-data-is-wreaking-havoc

------------------------------

Date: Thu, 17 Aug 2023 12:07:34 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: For the Good of Society, Hackers Prod AI to Be Bad
 (NYTimes)

Sarah Kessler and Tiffany Hsu, *The New York Times* business front
page, 17 Aug 2023

AI Village was part of a White-House endorsed contest to expose weak
spots before the criminals can.   [PGN-ed]

  [Instead of Biden' our time and waiting for rampant Zero-day misuses
  to emerge, RISKS readers should find pre-zero days (subzero?)
  salubrious.  Although it clearly took a village, there were no
  bounties.  However, two of the three top scores of the judges were
  attributed to Cody Ho, a Stanford CS student.  PGN]

------------------------------

Date: Thu, 17 Aug 2023 06:49:19 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: San Francisco robotaxi traffic jam is a warning to the
 world, says city official (CBC)

https://www.cbc.ca/radio/asithappens/san-francisco-robotaxi-traffic-jam-1.6=
938440

The day after California approved an expansion of driverless taxis, 10 of
them came to a grinding halt on a busy San Francisco street, creating a
gridlock that encompassed several blocks.

The culprit? A music festival.

"Cell phones were overwhelmed, and as a result, they were not able to take
control of these cars -- which is a pretty frightening systemic defe= ct,"

Aaron Peskin, president of the San Francisco Board of Supervisors (SFBV),
told As It Happens guest host Paul Hunter.

Not only was there the 10-car back-up of Cruise-owned autonomous taxis in
city's North Shore neighbourhood on Friday, but on the other side of the
city, closer to the Outside Lands music festival, Peskin said "there were
also scores of them that came to a grinding halt."

------------------------------

Date: Fri, 18 Aug 2023 18:57:24 -0700
From: PRIVACY Forum mailing list <privacy@vortex.com>
Subject: CA DMV orders Cruise to reduce robotaxi fleet in SF by 50% after
 collision with fire truck, injuring passenger [on 17 Aug] (TechCrunch)

https://techcrunch.com/2023/08/18/cruise-told-by-regulators-to-immediately-reduce-robotaxi-fleet-50-following-crash/

  Of course, just a handful of days ago the CPUC said Waymo and Cruise could
  vastly expand their fleets in SF. At least the DMV has some sense about
  this half-baked tech. -L

------------------------------

Date: Thu, 17 Aug 2023 12:01:09 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: The rapid expansion of robotaxis in major cities
 MUST BE STOPPED (The Verge and KTVU)

The technology is not ready. The alarms are blinking RED. It's beyond
irresponsible to push out this half-baked tech this way. -L

https://www.theverge.com/2023/8/15/23831170/robotaxi-cpuc-sf-waymo-cruise-traffic-halt

  [Die Verge-ntly?  Deja(kt) Vu?  PGN]

https://www.ktvu.com/news/san-francisco-asks-regulators-to-stop-approval-of-robotaxi-expansion-after-recent-blunders

------------------------------

Date: Thu, 17 Aug 2023 11:39:09 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Potential NYT lawsuit could force OpenAI to wipe ChatGPT and start
 over (Ars Technica)

https://arstechnica.com/tech-policy/2023/08/report-potential-nyt-lawsuit-could-force-openai-to-wipe-chatgpt-and-start-over/

------------------------------

Date: Tue, 15 Aug 2023 23:37:00 -0400
From: Monty Solomon <monty@roscom.com>
Subject: An Iowa school district is using ChatGPT to decide which books to
 ban (The Verge)

https://www.theverge.com/2023/8/15/23833167/iowa-book-ban-chatgpt-mason-city-community-school-district-removal

------------------------------

Date: Thu, 17 Aug 2023 14:29:32 -0400
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: Not AI?

I know it's difficult to stop a media trend once it has begun but there is
no current functionally complete AI available.  I propose the counter
inflamatory term *Dijkstra's demon*.  The underlying algorithms that drive
LLMs are essentially pathfinders.  Instead of connecting points for paths,
they connect glyphs to form new glyphs (to borrow a term from Hofstadter)
Comparing a LLM to a less than ideal way of connecting two subjects is a
more accurate model to work from than the popular construction of a
"thinking" machine.

Also, in my non-legal opinion, start reserving derivative works in any of
your statement of work negotiations. ChatGPT is almost entirely unusable
now because it doesn't have a provenance for what it's spitting out.
Now that you ask, yes, I am in fact in an armchair.

  [Why did the bot run off the glyph?  It didn't see the other glyph.  PGN
  parodizing the old joke -- Why did the RAM run off the cliff?  (He didn't
  see the EWE-turn.)

------------------------------


Date: Fri, 4 Aug 2023 14:06:42 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Crypto smart contracts still stupid (Amy Castor)

Curve: smart contracts, stupid humans

"Smart contracts" are small programs that run right there inside a
blockchain. In enterprise computing, these would be called "database
triggers" or "stored procedures."

You never use triggers or stored procedures unless you absolutely have to,
because they're very easy to get wrong and a pain in the backside to
debug. In the real world, you keep your financial data and the programs
working on it separate.

So, of course, crypto uses programs embedded in the database for everything
and touts the difficulty in working with them as a feature and not evidence
of the idea's incredible stupidity.

A smart contract full of crypto can reasonably be treated as a piata, just
waiting for you to whack it in the right spot and get the candy.

Today's piñata is Curve Finance, a DeFi exchange used for trading
stablecoins and other tokens. Curve was hacked on July 30 due to a bug in
the Vyper language compiler. Smart contracts that were using Vyper versions
0.2.15, 0.2.16, and 0.3.0 were vulnerable. About $70 million in funds was
drained from liquidity pools whose smart contracts used these
versions. [Twitter, archive; Twitter, archive]

Vyper, which is inspired by Python, was supposed to have been an improvement
over the hilariously awful Solidity -- a.k.a. "JavaScript with a concussion"
-- that most Ethereum Virtual Machine smart contracts are written
in. Unfortunately, the Vyper compiler had a bug that meant compiled code was
exploitable. So you could mathematically prove your smart contract program
was correct # and the compiled version could still be exploited. This could
hit any Vyper smart contract using vulnerable versions. [Twitter, archive]

https://amycastor.com/2023/08/03/crypto-collapse-terra-judge-repudiates-ripple-finding-razzlekhan-cops-a-plea-binances-fdusd-stablecoin-coindesk-sold-smart-contracts-still-stupid/

------------------------------

Date: Tue, 25 Jul 2023 08:01:02 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Attackers find new ways to deliver DDoSes with "alarming
 sophistication (Ars Technica)

Once crude and unsophisticated, DDoSes are now on par with those by
nation-states.

The protracted arms race between criminals who wage Distributed Denial-
of-Service attacks and the defenders who attempt to stop them continues, as
the former embraces *alarming* new methods to make their online offensives
more powerful and destructive, researchers from content-delivery network
Cloudflare reported Wednesday.  With a global network spanning more than 300
cities in more than 100 countries around the world, Cloudflare has
visibility into these types of attacks that's shared by only a handful of
other companies. The company said it delivers more than 63 million network
requests per second and more than 2 trillion domain lookups per day during
peak times. Among the services that Cloudflare provides is mitigation for
the[se] attacks.  [...  LONG and rather repetitive text PGN-truncated]

https://arstechnica.com/security/2023/07/attackers-find-new-ways-to-deliver=
-ddoses-with-alarming-sophistication/

------------------------------

Date: Fri, 4 Aug 2023 18:22:48 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: `Bitcoin Bonnie and Clyde' plead guilty in `spy novel'-like
 laundering case (WashPost)

María Luisa Paúl
https://www.washingtonpost.com/nation/2023/08/04/bitfinex-hack-guilty-plea/

Heather Morgan and Ilya Lichtenstein hadn't been implicated in the 2016
Bitfinex hack itself - until Lichtenstein delivered a bombshell revelation
Thursday.

------------------------------

Date: Fri, 18 Aug 2023 21:06:02 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Microsoft pulls article recommending Ottawa Food Bank to tourists
 (CBC)

https://www.cbc.ca/news/canada/ottawa/artificial-intelligence-microsoft-travel-ottawa-food-bank-1.6940356

Microsoft has removed an article that advised tourists to visit the
"beautiful" Ottawa Food Bank on an empty stomach, after facing ridicule
about the company's reliance on artificial intelligence for news.

But an unnamed Microsoft spokesperson later blamed the article's
publication on "human error," rather than "unsupervised AI."

------------------------------

Date: Sat, 19 Aug 2023 14:31:55 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Cheese and chips: parmesan producers fight fakes with
 micro-transponders (The Guardian)

https://www.theguardian.com/food/2023/aug/18/parmesan-producers-fight-fakes-microtransponders-chips-rind

Counterfeits are the bane of the Parmigiano Reggiano Consortium, which is
now trialling tech in the rind

------------------------------

Date: Thu, 20 Jul 2023 12:52:24 +0200
From: Peter Houppermans <peter@houppermans.net>
Subject: Ukraine busts bot farm spreading Russian infowar propaganda
 and fraud (The Register)

https://www.theregister.com/2023/07/20/ukraine_busts_russian_bot_farm/

"Ukrainian cops have disrupted a massive bot farm with more than 100
operators allegedly spreading fake news about the Russian invasion, leaking
personal information belonging to Ukrainian citizens, and instigating fraud
schemes.

After conducting 21 searches, the country's cyber and national police seized
computer equipment, mobile phones, more than 250 GSM gateways, and about
150,000 SIM cards.

"The Cyber Police established that the attackers used special equipment and
software to register thousands of bot accounts in various social networks
and subsequently launch advertisements that violated the norms and
legislation of Ukraine," according to machine translation of the news alert
issued by the police.

Insiders in Vinnytsia, Zaporizhzhia, and Lviv were involved in the bot farm,
we're told.

  I'm guessing that will also take some of the load problems from Twitter..

------------------------------

Date: Wed, 16 Aug 2023 01:17:34 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Imposter scams are the top U.S. fraud (NPR)

A 3-hour phone call that brought her to tears: Imposter scams cost Americans
billions

Valeria Haedo, a visual artist based in New York City, was caught off guard
when she was targeted in a complex phone scam.

It was a Monday in the middle of the day when Valeria Haedo got a phone call
from a number she didn't recognize. She doesn't normally pick those up, but
she did that day. The caller said his name was Officer Robert Daniels from
U.S. Customs and Border Protection and he had a warrant for her arrest.

He told Haedo she could verify him by Googling his name and department. She
did, and it checked out. But what Haedo didn't realize in that moment is
she'd just been targeted in an intricate scam. She was kept on the phone for
more than three hours and eventually brought to tears.

The scam is known as an imposter scam and is the top fraud in the U.S. right
now. It involves the perpetrator impersonating an authority figure and using
scare tactics to reel in victims. While these scams have been around
forever, they've become more believable because con artists use real names
of law enforcement officers that show up with caller ID from an actual
office and even local accents.  [...]

https://www.npr.org/2023/06/19/1182464826/scammer-phone-calls-imposter-fraud\

------------------------------

Date: Fri, 21 Jul 2023 00:52:47 -0400
From: Bob Gezelter <gezelter@rlgsc.com>
Subject: good reason to keep BMC LAN connections on an isolated LAN
 (Ars Technica)

A 2021 ransomware breach at Gigabyte reportedly compromised more than 112
gigabytes of data including code and other information related to
widely-used baseboard management controllers (BMC) processors on system
boards.

The exposed defects reportedly include zero-day and code execution
vulnerabilities. An update is being prepared to address known issues.

  I have long advocated connecting to BMC and similar control interfaces
  using a physically separate LAN. Remote access is necessary, but access to
  the isolated "walled garden" should be through a separate gateway portal.

The Ars Technica article:

https://arstechnica.com/security/2023/07/millions-of-servers-inside-data-centers-imperiled-by-flaws-in-ami-bmc-firmware/

------------------------------

Date: Wed, 16 Aug 2023 00:17:09 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Internet Archive's legal woes mount as record labels sue for $400M
 (Ars Technica)

The Internet Archive also reached a confidential settlement with book
publishers.

Major record labels are suing the Internet Archive, accusing the nonprofit
of "massive" and "blatant" copyright infringement "of works by some of the
greatest artists of the Twentieth Century."

The lawsuit was filed Friday in a US district court in New York by UMG
Recordings, Capitol Records, Concord Bicycle Assets, CMGI, Sony Music
Entertainment, and Arista Music. It targets the Internet Archive's "Great 78
Project," which was launched in 2006.   [...]

https://arstechnica.com/tech-policy/2023/08/record-labels-sue-internet-archive-for-digitizing-obsolete-vintage-records/

------------------------------

Date: Fri, 18 Aug 2023 02:36:39 -0400
From: Monty Solomon <monty@roscom.com>
Subject: AI chatbot scares Snapchat users by posting mysterious video
 (Ars Technica)

https://arstechnica.com/?p=1961146

------------------------------

Date: Fri, 18 Aug 2023 11:32:33 +0300
From: Amos Shapir <amos083@gmail.com>
Subject: Re: Don't use our content to train AI systems (NYTimes, R 33 78)

There's a simple and inexpensive way to fight back: The NYT could surround
the real text of their sites by a thick wall of AI-generated nonsense,
invisible to regular users but accessible to parasitic AI's crawlers.

This way, their sites would quickly become detrimental to the parasite's
contents.

------------------------------

Date: Thu, 17 Aug 2023 12:59:12 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Re: Cellphone Radiation Is Harmful, but Few Want to Believe It
 (Neuroscience News, RISKS-33.78)

>https://neurosciencenews.com/cellphone-radiation-brain-cancer-18889/

It has come to my attention that the same publication published the exactly
opposite results in 2022:

  https://neurosciencenews.com/cell-phone-brain-tumor-20314/

  [It's the old story.  Whom should you trust on the Internet?  Neuroscience
  News or Neuroscience News?  Or has the neuroscience simply changed that
  much?  Or are they both right, in some quantum-theoretical sense?  PGN

------------------------------

Date: Sat, 1 Jul 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.79
************************

home help back first fref pref prev next nref lref last post