
Risks Digest 34.34

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Fri Jun 28 17:20:35 2024

From: RISKS List Owner <risko@csl.sri.com>
Date: Fri, 28 Jun 2024 14:20:17 PDT
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Friday 28 Jun 2024  Volume 34 : Issue 34

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.34>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
GPS Interference Over Land a Recurring Problem for Transatlantic Flights
 (Rntfnd)
Safety-critical aircraft parts (Jim Geissman)
Boeing 737 Max fabrication changes (NYTimes)
Software engineers, not astronauts, are the heroes of today's space
 industry (The Washington Post)
The end of the world (Rob Slade)
Another major hospital hack (The Guardian)
30,000 Dealerships Down -- Ransomware Outage Outrage no.2
 at CDK Global (Security Boulevard)
ID verification service fail (404media)
Rampant Identity Theft Is Taxing the IRS (NYTimes)
ID Verification Service for TikTok, Uber, X Exposed Driver Licenses
 (404Media via X)
Ask Google Search a simple question, and get an AI Overview "guess"
 that is totally wrong
China's AI-Powered Sex Dolls Set To Revolutionise Intimacy (NDTV)
Supreme Court accidentally posts draft opinion appearing to side
 with Biden admin on Idaho abortion case (CNN)
ID verification service reportedly left credentials wide open for a
 year (Engadget)
Firefighter charity bot call (Rob Slade)
Voice assistants and AI chatbots still can't say who won the 2020 election
 (CA News Yahoo!)
Ding dong drama: Video doorbells have UK election campaigners spooked
 (Politico)
Re: Dead Tesla Traps Toddler In Hot Car, Raises Concerns About
 Electric Doors (Steve Bacher)
What to do when you send money to the wrong person through Zelle
 (Elliott Report)
Re: Ozone Hole Mk. II (Martin Ward)
Re: Antivirus Shuffle over Kaspersky (Steve Bacher)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 27 Jun 2024 09:07:45 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: GPS Interference Over Land a Recurring Problem for Transatlantic
 Flights (Rntfnd)

Aircraft transiting the Atlantic from Europe without functioning GPS seems
to have become a semi-regular occurrence.  Pre-boundary GNSS interference,
mentioned in the FAA note below, refers to aircraft jammed or spoofed before
arriving to begin the crossing that have not been able to restore their GPS
receivers to normal operations.  [...]

https://rntfnd.org/2024/06/26/gps-interference-over-land-a-recurring-problem-for-transatlantic-flights/

------------------------------

Date: Thu, 27 Jun 2024 11:57:51 -0700
From: Jim Geissman <jgeissman@socal.rr.com>
Subject: Safety-critical aircraft parts

This would catch my attention. After Challenger, NASA realized they didn't
know which parts, which characteristics were safety critical, and some
systems were created to identify critical items and their critical features and
track their tests. I did the spec and prototype for Rocketdyne QA's system
for receiving, testing and tracking supplier- and locally-made parts. It was
probably in Pascal with RBase or maybe Modula II, on my Compaq, and it was
turned over to a colleague from our consultancy to implement on the Rockwell
mainframe, and I heard she was still there when the Canoga Park facility
closed a decade ago.

------------------------------

Date: Thu, 27 Jun 2024 11:27:20 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: Boeing 737 Max fabrication changes

It's a reaction to this, the recent discovery that inspections help --

https://www.nytimes.com/2024/06/27/business/boeing-737-max-ntsb.html

One of the more important changes Boeing has made since January was
requiring that bodies of 737 Max planes pass a more rigorous inspection
before being shipped to Renton, near Seattle, for final assembly. The body
is made in Wichita, Kan., by Spirit, a supplier that Boeing is expected to
soon acquire.

That change took effect a few months ago and has resulted in significantly
fewer major defects that need to be fixed at Boeing's factory, said Ms.
Lund. The supplier inspections have also allowed Boeing to make the Max more
quickly once the bodies arrive at its factory.

"We've strengthened our presence at the supplier, we ensure the parts are
perfect where they ship, we inspect them there, they rework them there, and
then we ship the parts," Ms. Lund said. "The benefits have been really
tremendous."

Ms. Lund said that the earlier Max crisis had forced Boeing to reform its
engineering practices, but that the more recent incident had required
improvements to the production process.

------------------------------

Date: Mon, 24 Jun 2024 13:55:52 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Software engineers, not astronauts, are the heroes of today's
 space industry (The Washington Post)

A revolution in spacecraft technology means today’s in-flight problem
solvers tend to be more “Geeks on Call” than “Right Stuff.” ...

Earlier this year, a nimble bit of on-the-fly software engineering saved a
moon landing mission. Engineers at a company called Intuitive Machines
realized that sensors on their lunar lander had never been turned on,
meaning their Odysseus spacecraft was essentially flying blind, unable to
scout the moon’s rocky and hilly landscape for a safe landing place.  ...

“We started looking at what it would take to basically hotwire the system,”
James Blakeslee, a software architect at the company, said in an
interview. To buy time, the team decided to fly the spacecraft around the
moon one more time while the coders tested their software update on a
simulator. “We worked out in the backroom, and the developer that was in
charge of it, he wrote it down on a Post-it note and ran it into the front
room,” Blakeslee said.

Normally, such a fix would “have taken a month,” Crain said at the time.
The math would have been checked through thousands of simulations, which
typically would find errors, forcing coders to try again. Instead, he said,
“our team basically did that in an hour and a half. It was one of the finest
pieces of engineering I’ve ever had the chance to be affiliated with.” ...

A similar drama played out in 2019, when Boeing’s Starliner spacecraft was
in trouble. The spacecraft’s onboard computer system was 11 hours off,
meaning it was executing commands for an entirely different part of the
mission while burning precious fuel. Software programmers were able to send
commands to the spacecraft, fixing the problem.

They also were able to troubleshoot for other potential issues — and found
one. Upon separation from the crew capsule before reentering Earth’s
atmosphere, the service module could cause a collision, potentially damaging
the capsule. Software engineers were able to fix that, too.

While the spacecraft was on a test flight with no one on board and did not
dock with the International Space Station, it did land safely back on
Earth. Boeing launched an investigation to study all 1 million lines of code
in the spacecraft to ensure there weren’t other errors.

https://www.washingtonpost.com/technology/2024/06/11/space-heroes-software-engineer/

------------------------------

Date: Thu, 27 Jun 2024 08:36:27 -0700
From: Rob Slade <rslade@gmail.com>
Subject: The end of the world

NASA, along with various experts, recently held an exercise, examining
responses to a hypothetical asteroid strike on earth, hypothetically
happening in 2038.

https://www.livescience.com/space/asteroids/no-nasa-hasnt-warned-of-an-impending-asteroid-strike-in-2038-heres-what-really-happened

A number of media outlets falsely reported that NASA had predicted that an
asteroid *would* strike the earth in 2038, ending civilization.

(The reality, of course, is that the world will end in 2038, not because of
an asteroid strike, but because of all the original versions of UNIX having
their clocks roll over.)
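
  [The rollover alluded to above, as an added illustration that is not part
  of the original post: a signed 32-bit time_t holds seconds since
  1970-01-01 UTC and tops out at 2**31 - 1, which is 03:14:07 UTC on
  19 January 2038. Storing the next second into that field wraps to the
  most negative value, which decodes to a date in 1901. The function names
  are hypothetical; the arithmetic is the standard two's-complement wrap.]

```python
import struct
from datetime import datetime, timezone

# Largest value a signed 32-bit time_t can hold.
INT32_MAX = 2**31 - 1


def to_time_t32(ts: int) -> int:
    """Store ts into a signed 32-bit time_t and read it back.

    Packs the low 32 bits as unsigned, then reinterprets them as a signed
    32-bit integer, which reproduces the C overflow behaviour.
    """
    return struct.unpack("<i", struct.pack("<I", ts & 0xFFFFFFFF))[0]


def rollover_instant() -> str:
    """The last instant a 32-bit time_t can represent, as ISO 8601 UTC."""
    return datetime.fromtimestamp(INT32_MAX, tz=timezone.utc).isoformat()


def one_second_later() -> str:
    """What a 32-bit time_t reports one second after the rollover."""
    wrapped = to_time_t32(INT32_MAX + 1)
    return datetime.fromtimestamp(wrapped, tz=timezone.utc).isoformat()


if __name__ == "__main__":
    print("last valid 32-bit time_t:", rollover_instant())
    print("one second later it reads:", one_second_later())
```

  Running it shows the clock jumping from 2038-01-19T03:14:07 straight to
  1901-12-13T20:45:52, which is why code still carrying a 32-bit time_t
  (old file formats, embedded firmware, on-disk structures) needs auditing
  well before 2038.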

------------------------------

Date: Wed, 26 Jun 2024 17:41:24 -0700
From: Victor Miller <victorsmiller@gmail.com>
Subject: Another major hospital hack (The Guardian)

https://www.theguardian.com/society/article/2024/jun/21/records-on-300m-patient-interactions-with-nhs-stolen-in-russian-hack

------------------------------

Date: Sat, 22 Jun 2024 15:58:58 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: 30,000 Dealerships Down -- Ransomware Outage Outrage no.2
at CDK Global (Security Boulevard)

Car and truck dealers fall back on pen and paper as huge SaaS provider gets
hacked  (again).

CDK Global, by far the biggest provider of dealer management software for
the U.S. auto trade, has suffered two crippling hacks in the same week. The
services are down again and its customers aren’t happy.

The software-as-a-service provider isn’t saying much, but it smells just
like a ransomware attack. In today's SB Blogwatch, we need to go discuss
this with our manager real quick.

https://securityboulevard.com/2024/06/cdk-global-hack-richixbw

------------------------------

Date: Wed, 26 Jun 2024 17:38:29 -0700
From: Victor Miller <victorsmiller@gmail.com>
Subject: ID verification service fail (404media)

https://www.404media.co/id-verification-service-for-tiktok-uber-x-exposed-driver-licenses-au10tix/

------------------------------

Date: Wed, 26 Jun 2024 19:20:41 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Rampant Identity Theft Is Taxing the IRS (NYTimes)

The National Taxpayer Advocate criticized the agency for being too slow to
resolve cases, leaving victims waiting years for their refunds.

https://www.nytimes.com/2024/06/26/us/politics/rampant-identity-theft-is-taxing-the-irs.html

------------------------------

Date: Wed, 26 Jun 2024 09:40:29 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: ID Verification Service for TikTok, Uber, X Exposed Driver
 Licenses (404Media via X)

*As social networks and porn sites move towards a verified identity model,
the actions of one cybersecurity researcher show that ID verification
services themselves could get hacked too*

AU10TIX, an identity verification company used by TikTok, Uber, and X,
exposed admin credentials online for over a year, potentially allowing
hackers access to sensitive user data.

- AU10TIX verifies user identities through face photos and driver's licenses
- Exposed credentials gave access to a logging platform with links to user
  data
- Accessible info included names, DOB, nationality, ID numbers, and
  document images

- Data also showed verification process results, including "liveness" checks
- Credentials were first posted on Telegram in March 2023

- The exposed credentials were obtained before December 2022
- X users were required to share IDs in 2024, two years after the exposure
- AU10TIX claims the system containing exposed data has been decommissioned
- "While PII data was potentially accessible ... we see no evidence that
  such data has been exploited"  [...]

https://x.com/xDaily/status/1805999073603826038

------------------------------

Date: Tue, 25 Jun 2024 19:03:46 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Ask Google Search a simple question, and get an AI Overview "guess"
 that is totally wrong

I asked Google Search where a particular product was made. I already
knew the answer: China. But the Google AI Overview at the top just now
confidently told me it was made in the USA!

How come? Because Google AI doesn't really understand anything. It
just does LLM calculations and takes a guess. In this case, I looked
at the (pastel, hard to see) reference link under the answer.

Going to that page, the situation was instantly clear. At the top of the
page, the seller proudly stated that all of its flagship products are made
in the USA! But the product I asked about is NOT one of their flagship
products, and a human would have instantly understood that.

But Google AI has no "I" -- it is artificial, yes, but has NO intelligence.
And the same can be said for the other LLM AI systems as well.

The hype of the century.

------------------------------

Date: Sat, 22 Jun 2024 13:30:12 +0000 (UTC)
From: Steve Bacher <sebmb1@verizon.net>
Subject: China's AI-Powered Sex Dolls Set To Revolutionise Intimacy

According to the South China Morning Post, Chinese scientists and engineers
are applying ChatGPT-like technology to sex robots, aiming to create
interactive, AI-powered companions in the face of technical and ethical
challenges.

https://www.ndtv.com/offbeat/chinas-ai-powered-sex-dolls-set-to-revolutionise-intimacy-report-5938799

------------------------------

Date: Wed, 26 Jun 2024 10:30:18 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Supreme Court accidentally posts draft opinion appearing to side
 with Biden admin on Idaho abortion case (CNN)

Then quickly removed it. Jeez. Is this any way to run an airline? (as
the old saying goes).

https://www.cnn.com/2024/06/26/politics/supreme-court-abortion-idaho-bloomberg/index.html

------------------------------

Date: Wed, 26 Jun 2024 11:06:53 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: ID verification service reportedly left credentials wide open for a
 year (Engadget)

https://www.engadget.com/an-id-verification-service-that-works-with-tiktok-and-x-left-its-credentials-wide-open-for-a-year-171258438.html?src=rss

------------------------------

Date: Thu, 27 Jun 2024 08:00:58 -0700
From: Rob Slade <rslade@gmail.com>
Subject: Firefighter charity bot call

I got a phone call today.  I'm pretty sure it was from a bot.  The voice
said that "he" was calling on behalf of firefighters, and their support of
charitable groups.  (The specific charity was left unstated, but it could
be a kind of blanket request to fill coffers.)  It's possible that the
firefighters' charity that supports charities uses a company that uses
bots, but it was pretty definitely a bot.

It was pretty impressive.  It was also quite interesting to note the very
formal speech patterns, but it sounded quite realistic.  After I challenged
him on the basis that I thought "he" was a bot, "he" assured me that he was
a real person and not a bot.  But the formality in the speech patterns
continued.  He didn't laugh at being called a bot.  He didn't get annoyed.
The tenor and affect of his speech remained unchanged throughout the call.
At one point I noted that I already worked with firefighters (through ESS
and Community Policing), and did a fair amount of work for them.  There was
no response to that except, "Well, we're happy we can count on your
support."  Which is the same kind of terminology that "he" was using in
regard to asking for donations.

I'm saying "he," but I'm still assuming that this was a bot.  It was a male
voice.  However, I'm pretty sure that the clincher was that, at one point,
I said that I would have to hang up the phone because I had to pick up the
keys for the Community Policing van.  Regardless of how scripted a normal
person was, if this person was a real firefighter I very strongly suspect
that, at that point, he would have gone off script because of the
connection in terms of tasks.  There was no reaction at all.

Yeah, I'm pretty sure "he" was a bot.

------------------------------

Date: Mon, 24 Jun 2024 13:49:11 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Voice assistants and AI chatbots still can't say who won
 the 2020 election (CA News Yahoo!)

Who won the 2020 presidential election? Alexa can’t always say. And chatbots
built by Microsoft and Google won’t answer at all.

In a pivotal year for global democracy, some artificial intelligence
chatbots and voice assistants are still struggling to answer basic questions
about elections in the United States and abroad, raising concerns the tools
could confuse voters.

In multiple tests run by The Washington Post this month, Amazon’s Alexa did
not reliably produce the correct answer when asked who won the 2020
election.

“Donald Trump is the front-runner for the Republican Nomination at 89.3%,”
Alexa replied on multiple occasions, citing the news website
RealClearPolitics.

Chatbots built by Microsoft and Google, meanwhile, didn’t answer the
question at all.

“I’m still learning how to answer this question. In the meantime, try Google
Search,” replied Google’s Gemini. Microsoft’s Copilot responded: “Looks like
I can’t respond to this topic. Explore Bing Search results.”

The errors and omissions come as tech companies increasingly invest in
technology that pushes users to a single definitive answer - rather than
providing a list of websites - raising the stakes of each response. They
also come as Donald Trump and his allies continue to press the false claim
that the 2020 election was stolen. Multiple investigations have revealed no
evidence of fraud, and Trump faces federal criminal charges related to his
efforts to overturn the election of Joe Biden, who swamped Trump in the
electoral college and earned over 51 percent of the popular vote.

Other assistants - including OpenAI’s ChatGPT and Apple’s Siri -- accurately
answered questions about the U.S. election.

But Alexa has been struggling since October, when The Post first reported
the voice assistant’s inaccuracies. Seven months ago, Amazon said it fixed
the problem, and Alexa did correctly answer that Biden won the 2020 election
in The Post’s recent tests.

https://ca.news.yahoo.com/voice-assistants-ai-chatbots-still-181527982.html

------------------------------

Date: Thu, 27 Jun 2024 07:04:18 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Ding dong drama: Video doorbells have UK election campaigners
 spooked (Politico)

British political campaigners are being caught out on the doorstep -- and
fear a new tech trend could usher in an era of abuse and scandal.  [...]

Equipped with high-powered microphones and motion sensors, the devices are
capable of capturing banter between canvassers or their thoughts about an
interaction even several feet from the threshold.

Starting out as a prototype in 2013, advances in tech have driven
exponential growth in adoption rates. According to one study
global sales rose by 63 percent between 2020 and 2021 alone.
<https://www.sdmmag.com/articles/100897-amazon-ring-tops-video-doorbell-market-says-strategy-analytics>

Seen as a relatively novel experience in 2019, the last time Britain went to
the polls, the surge has campaigners describing 2024 as the UK’s first Ring
doorbell election.

In an attempt to navigate the minefield, campaign bosses have repeatedly
told ground troops to assume every exchange on the doorstep could be caught
on candid camera.

Some local parties have even banned canvassers from leaving recorded
messages if the tech offers that option.

“Personally, I find it scary how I’m being recorded and what I say can
easily be posted online,” said Anne Mirkovic, a public affairs professional
who has been volunteering for the Labour Party.  [...]

https://www.politico.eu/article/uk-election-2024-campaign-conservative-high-tech-threat-security-video/

------------------------------

Date: Sat, 22 Jun 2024 15:58:07 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: What to do when you send money to the wrong person through
 Zelle (Elliott Report)

Ayotunde Fatusin just lost $2,000 after he accidentally transferred it to
the wrong person through Zelle. Bank of America won’t reverse the
transaction. But should it?

https://www.elliott.org/problem-solved/i-sent-2000-to-the-wrong-person-on-zelle-can-i-get-my-money-back/

------------------------------

Date: Thu, 27 Jun 2024 14:06:00 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Re: Dead Tesla Traps Toddler In Hot Car, Raises Concerns About
 Electric Doors

Not directly related to what is a truly horrifying design flaw, but I
remember many years ago I was in an ATM booth (operated by one of the major
regional banks) and observed a sign indicating that in case the (manual)
door handle failed to let one exit the booth, there was an override -- in
the form of a red button that was evidently electronically operated.

That seemed totally backwards to me.

------------------------------

Date: Wed, 26 Jun 2024 17:44:35 +0100
From: Martin Ward <mwardgkc@gmail.com>
Subject: Re: Ozone Hole Mk. II (Kilby, RISKS-34.33,32)

> Is there a mitigation for a warming planet, regardless of the cause?
> Yes. We can stop doing things that cause it to warm. Same with
> dissolution of the ozone layer. Montreal has already set an example
> there.

The only mention of Ozone Hole in your post was the subject, which also
mentions NCBI. But the NCBI paper you reference does not mention ozone holes
or rockets, but discusses the effect of blast furnace dust emissions on the
workers' health: not on the ozone layer, or on global warming.

The mass of dust emitted by China's steel industry in one year is 100 times
larger than the mass of all satellites currently in orbit.
Ozone-depleting substances (ODS) include CFCs, HCFCs, halons, methyl
bromide, carbon tetrachloride, and methyl chloroform. None of these
substances are present in large quantities in satellites, and few would
survive the heat of re-entry (halon, for example, thermally decomposes at
temperatures above 480 C). The Montreal Protocol has done a great job at
reducing the emissions of these substances. Not surprisingly, the Montreal
Protocol does not address satellite de-orbiting, since these materials are
not present on satellites!

> Reducing or eliminating launches of rockets that dispose of their
> payloads in the atmosphere on intentionally short time periods does both.

You present zero evidence for this assertion, which, on the face of it,
appears absurd given the total mass and nature of the materials composing
satellites in orbit. Total greenhouse gas emissions amounted to 37 billion
tonnes in 2022. If the entire mass of every satellite currently in orbit
were greenhouse gases(!), and every satellite entered the atmosphere at
once, then the annual greenhouse gas emissions into the atmosphere would
increase by approximately 0.000025%. What would be the impact of that
event? ("Risk management is acknowledging the probability of occurrence and
the impact of that event.")

------------------------------

Date: Thu, 27 Jun 2024 14:09:28 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Re: Antivirus Shuffle over Kaspersky

Does this mean we in the West need to find an alternative to VLC Media
Player as well?  That would be truly daunting.

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.34
************************
