[33182] in RISKS Forum

home help back first fref pref prev next nref lref last post

Risks Digest 33.85

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Tue Sep 19 23:40:17 2023

From: RISKS List Owner <risko@csl.sri.com>
Date: Tue, 19 Sep 2023 20:39:53 PDT
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Tuesday 19 September 2023  Volume 33 : Issue 85

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

  <http://catless.ncl.ac.uk/Risks/33.85>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Bots are Better than Humans at CAPCHAS (Bruce Schneier)
Cryptocurrency Startup Loses Encryption Key for Electronice
  Wallet (Schneier via Gabe Goldberg)
What politicians are doing about the Internet, RIGHT NOW
 (Lauren Weinstein)
Microsoft AI researchers accidentally exposed terabytes of internal
 sensitive data (TechCrunch)
In Risky Hunt for Secrets, U.S. and China Expand Global Spy Operations
 (NYTimes)
Chinese hackers have unleashed a never-before-seen Linux backdoor
 (Ars Technica)
Scientists warn entire branches of the 'Tree of Life' are going extinct
 (Yahoo! News)
Can the free market ensure artificial intelligence won't wipe out human
 workers? (CBC)
DHS Issues Privacy/Civil Liberties Guidelines, *and* DHS Spies
 Trouble in 2024 in election security (Politico)
Old Google vs. New Google (Lauren Weinstein)
Re: Pedestrian dies after Cruise cars block ambulance
 (Geoff Kuenning, Henry Baker)
Re: Vintage Car prices (Joe Gwinn)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 15 Sep 2023 11:06:31 +0000
From: Bruce Schneier <schneier@schneier.com>
Subject: Bots are Better than Humans at CAPCHAS

  [PGN-Excerpted from Bruce's latest issue.  But why does Bruce have to
  encode commas as "=2C"????  What is so special for Bruce's computer?  As
  Gertrude Stein might have written, a comma is a comma is a comma. PGN]

Abstract: For nearly two decades, CAPTCHAS have been widely used as a MEANS
OF PROTECTION AGAINST bots. Throughout the years, as their use grew,
techniques to defeat or bypass CAPTCHAS have continued to improve.
Meanwhile, CAPTCHAS have also evolved in terms of sophistication and
diversity, becoming increasingly difficult to solve for both bots (machines)
and humans. Given this long-standing and still-ongoing arms race, it is
critical to investigate how long it takes legitimate users to solve modern
CAPTCHAS, and how they are perceived by those users.

In this work, we explore CAPTCHAS *in the wild* by evaluating users' solving
performance and perceptions of *unmodified currently-deployed* CAPTCHAS. We
obtain this data through manual inspection of popular websites and user
studies in which 1,400 participants collectively solved 14,000
CAPTCHAS. Results show significant differences between the most popular
types of CAPTCHAS: surprisingly, solving time and user perception are not
always correlated. We performed a comparative study to investigate the
effect of experimental context specifically the difference between solving
CAPTCHAS directly versus solving them as part of a more natural task, such
as account creation. Whilst there were several potential confounding
factors, our results show that *experimental context* could have an impact
on this task, and must be taken into account in future CAPTCHA
studies. Finally, we investigate CAPTCHA-induced user task *abandonment* by
analyzing participants who start and do not complete the task.

Slashdot thread
[https://hardware.slashdot.org/story/23/08/10/0439241/bots-are-better-than-humans-at-cracking-are-you-a-robot-captcha-tests-study-f
  inds].

And let's all rewatch this great ad
[https://www.youtube.com/watch?v=lhUuzWbrCgU] from 2022.

------------------------------

Date: Sat, 16 Sep 2023 16:37:40 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Cryptocurrency Startup Loses Encryption Key for Electronic
 Wallet (Schneier on Security)

The cryptocurrency fintech startup Prime Trust lost the encryption key to
its hardware wallet—and the recovery key—and therefore $38.9 million.  It is
now in bankruptcy.

I can’t understand why anyone thinks these technologies are a good idea.

https://www.schneier.com/blog/archives/2023/09/cryptocurrency-startup-loses-encryption-key-for-electronic-wallet.html

I mean, nobody could have anticipated that happening... [!!!]

------------------------------

Date: Sun, 10 Sep 2023 08:11:37 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: What politicians are doing about the Internet, RIGHT NOW

Keep in mind that right now, at this very moment, politicians in BOTH
PARTIES are pushing legislation to require you to show a government ID to
use most major Internet sites. Some of these laws have already been passed,
and litigation all the way up to the Supreme Court is very likely. The goal
of BOTH PARTIES is to create a Chinese-style Internet with everyone fully
identified, all anonymity effectively lost (irrespective of the "safeguards"
U.S. officials will promise), and all content tightly micromanaged by
officials on the Left and Right not only to "protect the children" but to
keep all Internet users firmly under the government's control. Yes, it's
that bad. -L

------------------------------

Date: Mon, 18 Sep 2023 15:30:26 -0700
From: Victor Miller <victorsmiller@gmail.com>
Subject: Microsoft AI researchers accidentally exposed terabytes of internal
 sensitive data (TechCrunch)

https://techcrunch.com/2023/09/18/microsoft-ai-researchers-accidentally-exposed-terabytes-of-internal-sensitive-data/

  [Monty Solomon spotted the above and also found this:
  Microsoft AI team accidentally leaks 38TB of private company data:
https://mashable.com/article/microsoft-ai-researchers-leaked-private-data-azure-link-github
  PGN]

------------------------------

Date: Mon, 18 Sep 2023 10:34:42 -0400
From: Monty Solomon <monty@roscom.com>
Subject: In Risky Hunt for Secrets, U.S. and China Expand Global Spy Operations
 (NYTimes)

The nations are taking bold steps in the espionage shadow war to try to
collect intelligence on leadership thinking and military capabilities.

https://www.nytimes.com/2023/09/17/us/politics/us-china-global-spy-operations.html

------------------------------

Date: Mon, 18 Sep 2023 19:55:29 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Chinese hackers have unleashed a never-before-seen Linux backdoor
 (Ars Technica)

https://arstechnica.com/?p=1969201

------------------------------

Date: Tue, 19 Sep 2023 09:02:26 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Scientists warn entire branches of the 'Tree of Life'
 are going extinct (Yahoo! News)

Humans are driving the loss of entire branches of the "Tree of Life,"
according to a new study published on Monday which warns of the threat of a
sixth mass extinction.

"The extinction crisis is as bad as the climate change crisis. It is not
recognized," said Gerardo Ceballos, professor at the National Autonomous
University of Mexico, and co-author of the study published in Proceedings
of the National Academy of Sciences (PNAS).

"What is at stake is the future of mankind," he told AFP.

The study is unique because instead of merely examining the loss of a
species, it examines the extinction of entire genera.

In the classification of living beings, the genus lies between the rank of
species and that of family. For example, dogs are a species belonging to
the genus canis -- itself in the canid family.

"It is a really significant contribution, I think the first time anyone has
attempted to assess modern extinction rates at a level above the species,"
Robert Cowie, a biologist at the University of Hawaii who was not involved
in the study, told AFP.

"As such it really demonstrates the loss of entire branches of the Tree of
Life," a representation of living things first developed by Charles Darwin.

The study shows that "we aren't just trimming terminal twigs, but rather
are taking a chainsaw to get rid of big branches," agreed Anthony Barnosky,
professor emeritus at the University of California, Berkeley.

The researchers relied largely on species listed as extinct by the
International Union for Conservation of Nature (IUCN). They focused on
vertebrate species (excluding fish), for which more data are available.

Of some 5,400 genera (comprising 34,600 species), they concluded that 73
had become extinct in the last 500 years -- most of them in the last two
centuries.

The researchers then compared this with the extinction rate estimated from
the fossil record over the very long term.  [...]

https://news.yahoo.com/scientists-warn-entire-branches-tree-011943508.html

  [If the skunks don't prevail, they will become Ex-Stinked.  PGN]

------------------------------

Date: Mon, 18 Sep 2023 19:00:06 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Can the free market ensure artificial intelligence
 won't wipe out human workers? (CBC)

https://www.cbc.ca/news/business/post-ai-jobs-column-don-pittis-1.6962905

What will you be doing only a decade from now when advanced versions of the
artificial intelligence program ChatGPT have wormed their way into the
fabric of life?

According to some experts, you may be out of a job. Two current labour
disputes involving autoworkers and screenwriters are at least partly about
the future threat of AI.

When AI comes for the jobs, writers may be among the first to go, warn two
respected technology mavens writing in Foreign Affairs magazine. And they
are not alone in that view. Even current versions of the AI program ChatGPT
can sketch clearer prose than most humans, they say. And those programs are
getting better.

By 2035, as "white-collar workers lose their jobs en masse," declare Ian
Bremmer and Mustafa Suleyman, AI will be running hospitals and airlines and
courtrooms. "A year ago, that scenario would have seemed purely fictional;
today, it seems nearly inevitable."

------------------------------

Date: Mon, 18 Sep 2023 10:41:08 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: DHS Issues Privacy/Civil Liberties Guidelines, *and* DHS Spies
 Trouble in 2024 in election security (Politico)

DHS also joined the Washington emerging tech frenzy on Thursday by
introducing new guidelines on responsible use of AI with a focus on privacy
and civil liberties.

The move, the first of its kind for the agency, emphasizes the need for
transparency and accountability in AI, while setting the stage for agencies
to take steps to blunt bias in its systems.

The guidelines also give us a sneak peek on how the agency plans to
prioritize AI, honing in on its use for decision-making, the collection and
use of data, and the development and testing of AI systems.

  [ALSO from the same source:]

DHS Spies Trouble in 2024 in election security
 [don't forget integrity!!! PGN]

Next year's election is shaping up to be a doozy -- and the country has a
toxic triad of foreign cyberthreats, increasingly powerful AI models and
rising domestic extremism to thank for it, according to a new government
report<https://www.dhs.gov/news/2023/09/14/dhs-continues-see-high-risk-foreign-and-domestic-terrorism-2024-homeland-threat>.

The Department of Homeland Security's 2024 threat assessment, which came out
Thursday courtesy of its office of Intel and analysis, warns those three
variables together will present significant risks to the integrity of the
presidential election and the physical well-being of those involved in it.

------------------------------

Date: Mon, 18 Sep 2023 11:12:00 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Old Google vs. New Google

* OLD GOOGLE: We prefer websites be written by people, for people.  QUALITY
  MATTERS!

* NEW GOOGLE: AI writing trash is OK. It's the clicks that count! Never mind
  about that people writing for people quality stuff. Ancient history.

------------------------------

Date: Fri, 15 Sep 2023 13:20:27 -0700
From: Geoff Kuenning <geoff@cs.hmc.edu>
Subject: Re: Pedestrian dies after Cruise cars block ambulance
 (RISKS-33.83)

You'll note that I used the word "allege".

Even if this case turns out to be not the fault of the Cruise cars, I think
that it highlights an important point that has been repeatedly raised over
the past year or so: driving is about more than safely staying within the
lane (and the rules) and avoiding obstacles.  Drivers have to deal with all
sorts of unusual situations where the usual rules don't apply, such as
police officers (or cones) directing them into the oncoming lane, turning
around because a stuck semi has blocked the road, avoiding dangerously
flooded intersections, etc.  It's likely to be a long time before
self-driving cars can handle all of those exceptions as well as a human can.

------------------------------

Date: Fri, 15 Sep 2023 17:14:50 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: Re: Pedestrian dies after Cruise cars blocks ambulance
 (Lamont, RISKS-33.83)

I think that we need to consider this incident a *wakeup call* re the risks
 of 'smart' vehicles.

The newest cars are literally computers that happen to have wheels attached,
and nearly everything about these cars can be hacked via the Internet --
either using the car's own radios or utilizing Bluetooth/Wifi connected
smartphones provided by the car's passengers.

So here are some obvious hacking risks:

1. EV's could be hacked to cause their batteries to melt down; catch fire --
literally execute 'HCF' -- perhaps an entire city's worth of EV's at exactly
the same time.  Since a lot of EV's would be parked *inside garages*, an
entire city could be burned to the ground via an organized hack.

[No need for censorship; I'm certain that the Chinese have already thought
of this.  Oh wait, aren't most EV batteries built in China?  What could
possibly go wrong? ]

2. Self-driving vehicles could be hacked to all drive to the same location
at the same time to block all the main streets in a city.  An optimized
algorithm could block all of a city's streets with relatively few
strategically placed 'self' driving vehicles.

[Once again, I'm sure that Chinese/Russian/Iranian/NKorean hackers have
already thought of this.]

3. Another terrifying prospect: an AI-operated system of traffic lights that
decides on its own how to 'optimize' traffic -- e.g., to/from a major event
like a football game -- but gets too clever and cuts off access to
hospitals. Programs like 'Waze' have already shown us how directed traffic
can go wrong.

Partial solution: we desperately need *diversity* in the HW/SW of our
vehicles, so that no *single* attack vector can zombify *all* of our
vehicles simultaneously.

Partial solution: much, much stronger controls to make sure that vehicle SW
can be updated to respond to newly discovered threats, and that the SW can
be updated *safely* -- i.e., the update channel itself cannot be compromised
to provide an attack mechanism.

------------------------------

Date: Thu, 14 Sep 2023 16:01:08 -0400
From: Joe Gwinn <joegwinn@comcast.net>
Subject: Re: Vintage Car prices (Thorn, RISKS-33.84)

>  NO data collection included.-)

And no unreliable electronics and dependence on the web and various
servers working, or subscription fees.

Not to mention that the electronics may well have outlived its manufacturer,
rendering the car scrap.  See the Right-to-Repair topic for examples.

------------------------------

Date: Sat, 1 Jul 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.85
************************

home help back first fref pref prev next nref lref last post