[33450] in RISKS Forum

Risks Digest 34.40

daemon@ATHENA.MIT.EDU (RISKS List Owner)
Thu Aug 15 00:58:06 2024

From: RISKS List Owner <risko@csl.sri.com>
Date: Wed, 14 Aug 2024 21:57:42 PDT
To: risks@mit.edu

RISKS-LIST: Risks-Forum Digest  Wednesday 14 Aug 2024  Volume 34 : Issue 40

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.40>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Bird Flu Shows That the U.S. Learned All the Wrong Lessons from Covid
 (David Wallace Wells)
Beware Politicians' Newfound Love of Crypto[currency]
 (Eswar Prasad)
Illinois Voter Data Exposed by Unsecured Databases (Lily Hay Newman)
Trump Campaign Confirms It Was Hacked (Alex Isenstadt)
GPS spoofers 'hack time' on commercial airlines, researchers say
Boeing Starliner software (ArsTechnica)
Outages Plague Trading Platforms During Stock-Market Selloff (WSJ)
Canada's food supply -- under threat? (CBC)
French Museum Network Hit by Ransomware Attack (AP)
UK PM Warns Social Media Firms After Misinformation Fuels Riots (Reuters)
Chipmaking Giant Learns What Works in Taiwan Doesn't in Arizona (John Liu)
Power-hungry AI data centers are raising electric bills and blackout risk
 (LA Times)
Cisco to Lay Off Thousands in Latest Round of Tech Cuts (Reuters)
Intel Will Fire 15,000 Workers (Eva Dou)
Excess memes and ‘reply all’ emails are bad for climate, researcher warns
 (The Guardian)
Experts to PNT leaders: “It’s not working!” (GPS World)
The nation’s best hackers found vulnerabilities in voting machines
 -- but no time to fix them (MSN)
We're Entering an AI Price-Fixing Dystopia (The Atlantic)
Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually
 Unfixable Infections (WiReD)
New Flaws in Sonos Smart Speakers Allow Hackers to Eavesdrop on Users
 (The Hacker News)
Logic Gone Astray: A Security Analysis Framework for the
 Control Plane Protocols of 5G Basebands (USENIX)
Call to ban DJI drones introduced in US Senate, company responds (dronedj)
DDoS Attacks Surge 46% in First Half of 2024 (Gcore Report)
NIST announces post quantum encryption standards (SecurityWeek)
Generative AI Has a 'Shoplifting' Problem. This Startup CEO Has a
 Plan to Fix It (WiReD)
Kroger unveils AI-powered automatic price gouger (Pivot to AI)
Corporation Email Looks Like A Scam (Bob Smith)
ICANN Approves DNS Top-Level Domain for Intranets (Bob Gezelter)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 12 Aug 2024 19:05:31 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Bird Flu Shows That the U.S. Learned All the Wrong Lessons from
 Covid (David Wallace Wells)

David Wallace Wells, *The New York Times*, Sunday Opinion, 11 Aug 2024

Two years after H5N1 jumped to mammals, health officials don't
seem to have a plan.

The concluding paragraph is a succinct summary:

  The growing indifference has affected those still worried about Covid --
  last year the CDC stopped a lot of its pandemic data collection, making
  some basic facts like total deaths from Covid-19 much harder to track.

For more background for those who missed them in earlier issues:

See Robert Redfield's quote:

 It's High Time To Admit Significant Side Effects of COVID-19 Vaccines.
 (RISKS-34.25)

and Zeynep Tufekci's:

 An Object Lesson From Covid on How to Destroy Public Trust: Officials
 should have told us what they knew, or at least leveled with us about what
 they didn't know.  (RISKS-34.30)

------------------------------

Date: Mon, 12 Aug 2024 19:05:31 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Beware Politicians' Newfound Love of Crypto[currency]
 (Eswar Prasad)

Eswar Prasad, *The New York Times*, 12 Aug 2024

A cynical bid for Silicon Valley cash seeks to prop up a financially
perilous industry.

Politicians’ newfound love of crypto probably has more to do with a cynical
bid for young voter support and Silicon Valley cash than a maturing of a
financially perilous set of assets. If anything, crypto today presents even
greater risks to its investors and to our financial institutions than it did
before. The fact that the Republican Party is publicly celebrating crypto to
American voters could only make matters worse.

The concluding paragraph is both pithy and incisive:

  For all the potential benefits, decentralized finance built around
  cryptocurrencies has essentially imported the fragilities of
  traditional finance, but with much less regulation and with many new
  risks.  While being open to innovations that improve access to and
  efficiency in financial markets, users, investors and regulators
  ought to beware of false premises and hype.  Especially if that hype
  comes from politicians.

https://www.nytimes.com/2024/08/09/opinion/crypto-2024-election.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

  [Also noted by Gabe Goldberg.  PGN]

------------------------------

Date: Wed, 7 Aug 2024 11:24:44 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Illinois Voter Data Exposed by Unsecured Databases
 (Lily Hay Newman)

Lily Hay Newman, *WiReD*, via ACM TechNews, 2 Aug 2024

More than a dozen databases containing sensitive voter information from
multiple counties in Illinois were openly accessible on the Internet,
revealing 4.6 million records that included driver's license numbers and
other personally identifiable information. Security researcher Jeremiah
Fowler uncovered a total of 13 exposed databases, none of them
password-protected or requiring any type of authentication to access.

------------------------------

Date: Mon, 12 Aug 2024 11:18:03 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Trump Campaign Confirms It Was Hacked (Alex Isenstadt)

Alex Isenstadt, *Politico*, 10 Aug 2024, via ACM TechNews

Former President Donald Trump's campaign said Saturday that some of its
internal emails had been hacked. The admission came after Politico started
receiving emails from an anonymous account with documents from inside
Trump's operation, including a research dossier the campaign had done on
Trump's running mate, Ohio Sen. JD Vance. The campaign blamed "foreign
sources hostile to the U.S.," citing a Microsoft report on Friday that
Iranian hackers "sent a spear-phishing email in June to a high-ranking
official on a presidential campaign."

------------------------------

Date: Sun, 11 Aug 2024 08:31:46 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: GPS spoofers 'hack time' on commercial airlines, researchers say
 (Reuters)

A recent surge in GPS “spoofing”, a form of digital attack which can send
commercial airliners off course, has entered an intriguing new dimension,
according to cybersecurity researchers: The ability to hack time.

There has been a 400% surge in GPS spoofing incidents affecting commercial
airliners in recent months, according to aviation advisory body
OPSGROUP. Many of those incidents involve illicit ground-based GPS systems,
particularly around conflict zones, that broadcast incorrect positions to
the surrounding airspace in a bid to confuse incoming drones or missiles.
[...]

https://www.reuters.com/technology/cybersecurity/gps-spoofers-hack-time-commercial-airlines-researchers-say-2024-08-10/

------------------------------

Date: Tue, 6 Aug 2024 16:18:21 -0400
From: "Jan Wolitzky" <jan.wolitzky@gmail.com>
Subject: Boeing Starliner software (ArsTechnica)

While NASA continues to decide whether the thrusters on the Boeing
Starliner now docked to the International Space Station can be relied upon
to return the two astronauts who rode it up to the ISS back to Earth, a new
issue has apparently arisen:  the current flight software on board
Starliner cannot perform an automated undocking from the space station and
re-entry into Earth’s atmosphere.

From Ars Technica:

At first blush, this seems absurd. After all, Boeing’s Orbital Flight Test 2
mission in May 2022 was a fully automated test of the Starliner vehicle.
During this mission, the spacecraft flew up to the space station without
crew on board and then returned to Earth six days later. Although the 2022
flight test was completed by a different Starliner vehicle, it clearly
demonstrated the ability of the program's flight software to autonomously
dock and return to Earth. Boeing did not respond to a media query about why
this capability was removed for the crew flight test.

It is not clear what change Boeing officials made to the vehicle or its
software in the two years prior to the launch of Wilmore and Williams. It
is possible that the crew has to manually press an undock button in the
spacecraft, or the purely autonomous software was removed from coding on
board Starliner to simplify its software package. Regardless, sources
described the process to update the software on Starliner as "non-trivial"
and "significant," and that it could take up to four weeks. This is what is
driving the delay to launch Crew 9 later next month.

Notably, NASA's Commercial Crew Program Manager Steve Stich obliquely
referenced this during his most recent press availability on July 25. Stich
was asked whether NASA would certify Starliner for operational missions if
the vehicle returned to Earth autonomously but ultimately safely.

"There are a lot of good reasons to complete this mission and bring Butch
and Suni home on Starliner," he said. "Starliner was designed as a
spacecraft to have the crew in the cockpit. The crew is integral to the
spacecraft."

https://arstechnica.com/space/2024/08/nasa-likely-to-significantly-delay-the-launch-of-crew-9-due-to-starliner-issues/

------------------------------

Date: Wed, 7 Aug 2024 11:24:44 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Outages Plague Trading Platforms During Stock-Market Selloff
 (WSJ)

Hannah Miao and Alexander Osipovich, *The Wall Street Journal*,
6 Aug 2024, via ACM TechNews

Major retail brokerages experienced online outages amid Monday's stock
sell-off, frustrating panicky customers. Charles Schwab, Vanguard Group, and
Fidelity Investments each said some customers experienced difficulties
logging into their accounts on Monday morning. By around midday, the
brokerages said the issues had been resolved.

------------------------------

Date: Sat, 10 Aug 2024 22:10:08 -0600
From: "Matthew Kruk" <mkrukg@gmail.com>
Subject: Canada's food supply -- under threat? (CBC)

https://www.cbc.ca/newsinteractives/features/agri-food-canada-hacking

The oldest piece of equipment on Chris McLaren’s southern Ontario dairy farm
is a W4 International, a four-cylinder tractor his grandfather bought in the
1940s.

Among the newest pieces of equipment is an automated calf feeder that reads
a chip in each animal’s ear and delivers them preset quantities of heated
milk.

That data is uploaded to a server, and McLaren receives alerts on his phone
if one of his calves isn’t drinking enough. If the machine breaks down, a
technician can fix it remotely.

“As farms get bigger and bigger, there gets to be more strain on the time
for the owner and operators of the farm. So moving towards technology
allows you to manage the cattle better,” said McLaren, whose family has
owned the farm for nearly 160 years.

But as farms like McLaren’s increasingly become connected — with reams of
farming data uploaded daily to cloud servers — they also become more
exposed to cyber attacks, including from groups operating with tacit
approval of the Russian government.

“With us moving into robotic milking in the next six to eight months, that
becomes even more concerning. It's definitely top of mind right now.”

  [Different kind of *stock market*, with moo-lah.   PGN]

------------------------------

Date: Wed, 7 Aug 2024 11:24:44 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: French Museum Network Hit by Ransomware Attack (AP)

Associated Press, 6 Aug 2024, via ACM TechNews

The central data systems of dozens of museums in the Reunion des Musees
Nationaux network in France were targeted by a ransomware attack.  While
venues in the network are hosting competitions for the Summer Olympics,
officials say no events have been disrupted thus far. The attack, detected
Sunday, hit data systems used by around 40 museums across the country.

------------------------------

Date: Mon, 5 Aug 2024 11:08:25 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: UK PM Warns Social Media Firms After Misinformation Fuels
 Riots (Reuters)

Alistair Smout and Nick Vant, *Reuters*, 2 Aug 2024
via ACM TechNews

UK Prime Minister Keir Starmer warned social media companies they must
uphold laws prohibiting incitement of violence online, after
misinformation around a fatal mass stabbing earlier in the week
sparked violent riots. "Let me also say to large social media
companies, and those who run them, violent disorder clearly whipped up
online: that is also a crime," Starmer said, adding there was a
"balance to be struck" in handling such platforms.

------------------------------

Date: Mon, 12 Aug 2024 11:18:03 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Chipmaking Giant Learns What Works in Taiwan Doesn't in
 Arizona (John Liu)

John Liu, *The New York Times*, 8 Aug 2024, via ACM TechNews

Four years after announcing plans to build a chip plant in Arizona, Taiwan
Semiconductor Manufacturing Company (TSMC) still has not started selling
semiconductors manufactured there, with chip production now expected to
commence in the first half of 2025. Much of the lag can be attributed to
cultural clashes between Taiwanese managers and U.S. workers, prompting the
company to provide managers with communication training. TSMC also lacks a
network of skilled workers and suppliers in Arizona, and while it brought
thousands of workers from Taiwan to Phoenix, executives say that strategy is
not sustainable. Meanwhile, local high schools and universities are boosting
efforts to train future TSMC workers.

------------------------------

Date: Tue, 13 Aug 2024 06:35:32 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Power-hungry AI data centers are raising electric bills and
 blackout risk (LA Times)

Experts warn that a frenzy of data center construction could delay
California’s transition away from fossil fuels, raise electric bills and
increase risk of blackouts [...]

While the benefits and risks of AI continue to be debated, one thing is
clear: The technology is rapacious for power. Experts warn that the frenzy
of data center construction could delay California’s transition away from
fossil fuels and raise electric bills for everyone else. The data centers’
insatiable appetite for electricity, they say, also increases the risk of
blackouts.

Even now, California is at the verge of not having enough power. An analysis
of public data by the nonprofit GridClue ranks California 49th of the 50
states in resilience -- or the ability to avoid blackouts by having more
electricity available than homes and businesses need at peak hours.  [...]

https://www.latimes.com/environment/story/2024-08-12/california-data-centers-could-derail-clean-energy-goals

------------------------------

Date: Mon, 12 Aug 2024 11:18:03 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Cisco to Lay Off Thousands in Latest Round of Tech Cuts
 (Reuters)

Utkarsh Shetti and Supantha Mukherjee, *Reuters*, 10 Aug 2024,
via ACM TechNews

Networking equipment maker Cisco will cut thousands of jobs in a second
round of layoffs this year, say insiders. The number of people affected
could be similar to or slightly higher than the 4,000 employees Cisco laid
off in February, the sources said. The layoffs are the latest in the tech
industry, which has been cutting costs this year to offset big investments
in AI. Over 126,000 people have been laid off across 393 tech companies
since the start of the year, according to data from tracking website
Layoffs.

------------------------------

Date: Mon, 5 Aug 2024 11:08:25 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Intel Will Fire 15,000 Workers (Eva Dou)

Eva Dou, *The Washington Post*, 1 Aug 2024, via ACM TechNews

Chip-maker Intel said Thursday it plans to lay off 15,000 people, more
than 15% of its workforce. Intel had emerged as the big winner of the
Chips for America program, with the Biden administration announcing
$8.5 billion in grants and $11 billion in loans for the company this
year to help bring some chip manufacturing operations back to the
U.S. Intel has yet to receive those funds.

------------------------------

Date: Tue, 13 Aug 2024 06:57:09 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Excess memes and ‘reply all’ emails are bad for climate, researcher
 warns (The Guardian)

Most data stored on power-hungry servers is used once then never looked at
again

When “I can has cheezburger?” became one of the first Internet memes to blow
our minds, it’s unlikely that anyone worried about how much energy it would
use up.

But research has now found that the vast majority of data stored in the
cloud is “dark data”, meaning it is used once then never visited again.
That means that all the memes and jokes and films that we love to share with
friends and family – from “All your base are belong to us”, through Ryan
Gosling saying “Hey Girl”, to Tim Walz with a piglet -- are out there
somewhere, sitting in a datacentre, using up energy. By 2030, the National
Grid anticipates that datacentres will account for just under 6% of the UK’s
total electricity consumption, so tackling junk data is an important part of
tackling the climate crisis.  [...]

https://www.theguardian.com/media/article/2024/aug/09/excess-memes-photos-and-reply-all-emails-are-bad-for-climate-finds-study

------------------------------

Date: Tue, 13 Aug 2024 11:55:09 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Experts to PNT leaders: “It’s not working!” (GPS World)

The President’s National Space-based Positioning, Navigation and Timing
(PNT) Advisory Board has warned United States leaders that the nation is
highly vulnerable to disruption of GPS services. Also, national PNT issues
have not received sufficient priority and attention for the last 20 years,
and no one is accountable for system performance.

The warning came in a four-page memo to the Deputy Secretaries of Defense
and Transportation from retired Admiral Thad Allen, Chair of the advisory
board. The memo was nominally a report of the board’s April 2024 meeting in
Colorado Springs.

The overwhelming majority of Allen’s message, though, dealt with GPS and
U.S. PNT being vulnerable, the importance of PNT to the nation’s safety and
security and the failure of the government to do the things it said it
should and would do. It says:

“America’s continued over-reliance on GPS for PNT makes critical
infrastructure and applications vulnerable to a variety of well-documented
accidental, natural and malicious threats.

…our conclusion is that PNT, in general, and GPS, in particular, have not
been accorded their rightful prominence in the national policy agenda.

Simply put, the Board believes that the 20-year-old framework for GPS
governance and the current policy statements establish neither the priority
that the system deserves nor sufficiently clear accountability for its
performance.”

The reason for this was assessed to be that the leadership and governance
structure established by 2004’s NSPD-39 and confirmed in 2021’s SPD-7 was
not working.

Allen gave a recent policy document on critical infrastructure as an
example. All critical infrastructure sectors use PNT, and most depend on it.

“These findings were reinforced just earlier this year by the release of
the National Security Memorandum on Critical Infrastructure Security and
Resilience (NSM-22, April 30, 2024). We were surprised to discover that GPS
is nowhere mentioned in that important document.”

While not mentioned in the memo, PNT was also not mentioned in national
cybersecurity documents issued last year. This is despite timing being
essential to the operation of IT systems, and time and location data being
key elements in many applications. [...]

https://www.gpsworld.com/experts-to-pnt-leaders-its-not-working/

------------------------------

Date: Tue, 13 Aug 2024 15:57:56 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: The nation’s best hackers found vulnerabilities in voting machines
 -- but no time to fix them (MSN)

Some of the best hackers in the world gathered in Las Vegas over the weekend
to try to break into voting machines that will be used in this year’s
election -- all with an eye to helping officials identify and fix
vulnerabilities.

The problem? Their findings will likely come too late to make any fixes
before Nov. 5.

In one sense, it’s the normal course of events: Every August, hackers at
the DEF CON conference find security gaps in voting equipment, and every
year the long and complex process of fixing them means nothing is
implemented until the next electoral cycle.

But Election Day security is under particular scrutiny in 2024. That’s both
because of increasing worries that foreign adversaries will figure out how
to breach machines, and because President Donald Trump’s unsubstantiated
allegations of widespread fraud in 2020 undermined confidence in the vote
among his supporters.

As a result, many in the election security community are bemoaning the fact
that no system has been developed to roll out fixes faster and worrying that
the security gaps that get identified this year will provide fodder for
those who may want to question the results.

“As far as time goes, it is hard to make any real, major, systemic changes,
but especially 90 days out from the election,” said Catherine Terranova,
one of the organizers of the DEF CON “Voting Village” hacking event. She
argued that’s particularly troubling during “an election year like this.”
[...]

https://www.msn.com/en-us/news/politics/the-nation-s-best-hackers-found-vulnerabilities-in-voting-machines-but-no-time-to-fix-them/ar-AA1oFNBX

------------------------------

Date: Mon, 12 Aug 2024 06:58:32 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: We're Entering an AI Price-Fixing Dystopia (The Atlantic)

Algorithmic collusion appears to be spreading to more and more industries.
And existing laws may not be equipped to stop it.

If you rent your home, there’s a good chance your landlord uses RealPage to
set your monthly payment. The company describes itself as merely helping
landlords set the most profitable price. But a series of lawsuits says it’s
something else: an AI-enabled price-fixing conspiracy.

The classic image of price-fixing involves the executives of rival companies
gathering behind closed doors and secretly agreeing to charge the same
inflated price for whatever they’re selling. This type of collusion is one
of the gravest sins you can commit against a free-market economy; the late
Justice Antonin Scalia once called price-fixing the “supreme evil” of
antitrust law. Agreeing to fix prices is punishable with up to 10 years in
prison and a $100 million fine.

But, as the RealPage example suggests, technology may offer a
workaround. Instead of getting together with your rivals and agreeing not to
compete on price, you can all independently rely on a third party to set
your prices for you. Property owners feed RealPage’s “property management
software” their data, including unit prices and vacancy rates, and the
algorithm—which also knows what competitors are charging—spits out a rent
recommendation. If enough landlords use it, the result could look the same
as a traditional price-fixing cartel: lockstep price increases instead of
price competition, no secret handshake or clandestine meeting needed.  [...]

https://www.theatlantic.com/ideas/archive/2024/08/ai-price-algorithms-realpage/679405/

------------------------------

Date: Sun, 11 Aug 2024 15:22:58 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: Flaw in Hundreds of Millions of AMD Chips Allows Deep, Virtually
 Unfixable Infections (WiReD)

https://www.wired.com/story/amd-chip-sinkclose-flaw/

------------------------------

From: the keyboard of geoff goodfellow <geoff@iconia.com>
Date: Fri, 9 Aug 2024 07:13:52 -0700
Subject: New Flaws in Sonos Smart Speakers Allow Hackers to
 Eavesdrop on Users (The Hacker News)

Cybersecurity researchers have uncovered weaknesses in Sonos smart speakers
that could be exploited by malicious actors to clandestinely eavesdrop on
users.

The vulnerabilities "led to an entire break in the security of Sonos's
secure boot process across a wide range of devices and remotely being able
to compromise several devices over the air," NCC Group security researchers
Alex Plaskett and Robert Herrera said.
<https://www.nccgroup.com/us/research-blog/blackhat-usa-2024-listen-up-sonos-over-the-air-remote-kernel-exploitation-and-covert-wiretap/>

Successful exploitation of one of these flaws could allow a remote attacker
to obtain covert audio capture from Sonos devices by means of an
over-the-air attack. They impact all versions
<https://www.sonos.com/en-gb/security-advisory-2024-0001> prior to Sonos S2
release 15.9 and Sonos S1 release 11.12, which were shipped in October and
November 2023.

The findings were presented at Black Hat USA 2024. A description of the two
security defects is as follows:

 * CVE-2023-50809 -- A vulnerability in the Sonos One Gen 2 Wi-Fi stack
   does not properly validate an information element while negotiating a
   WPA2 four-way handshake, leading to remote code execution

 * CVE-2023-50810 -- A vulnerability in the U-Boot component of the Sonos
   Era-100 firmware that would allow for persistent arbitrary code execution
   with Linux kernel privileges

NCC Group, which reverse-engineered the boot process to achieve remote code
execution on Sonos Era-100 and the Sonos One devices, said CVE-2023-50809 is
the result of a memory corruption vulnerability in the Sonos One's wireless
driver, which is a third-party chipset manufactured by MediaTek.  [...]

https://thehackernews.com/2024/08/new-flaws-in-sonos-smart-speakers-allow.html

------------------------------

Date: Wed, 7 Aug 2024 23:45:16 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: Logic Gone Astray: A Security Analysis Framework for the
 Control Plane Protocols of 5G Basebands (USENIX)

https://www.usenix.org/conference/usenixsecurity24/presentation/tu

 ALSO:
Hackers could exploit major 5G baseband security flaw, researchers say
https://readwrite.com/hackers-5g-baseband-security-flaw/

------------------------------

Date: Sun, 4 Aug 2024 16:59:34 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Call to ban DJI drones introduced in US Senate, company
 responds (dronedj)

Two U.S. Senators have formally introduced their version of the Countering
CCP Drones Act as an amendment to the Senate’s FY25 National Defense
Authorization Act (NDAA), reintroducing the call for a ban on the sale of
new DJI drones in the US. To be clear, this amendment has not been
considered yet. But tech giant DJI has expressed concerns about the
recommendations outlined in the amendment, emphasizing that they are
extremely problematic and damaging for the US drone industry.

Now, the earliest the Senate will vote on NDAA amendments is in September,
if at all. It is also important to note that the amendment introduced by
Senator Rick Scott (R-FL) and Senator Mark Warner (D-VA) is significantly
different from the House version, which passed in June.  If it is included
in the Senate’s NDAA, it will require the Senate and House to hold a
conference to reconcile differences between the two versions of the FY25
NDAA before it can become law.

https://dronedj.com/2024/07/31/dji-drone-ban-us-senate/

------------------------------

Date: Wed, 14 Aug 2024 10:17:07 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: DDoS Attacks Surge 46% in First Half of 2024 (Gcore Report)

Monitoring evolving DDoS trends is essential for anticipating threats and
adapting defensive strategies. The comprehensive Gcore Radar Report
<https://gcore.com/library/wp-security-gcore-radar-q1-2-2024> for the first
half of 2024 provides detailed insights into DDoS attack data, showcasing
changes in attack patterns and the broader landscape of cyber threats.
Here, we share a selection of findings from the full report.
Key Takeaways
<https://thehackernews.com/2024/08/ddos-attacks-surge-46-in-first-half-of.html#key-takeaways>

The number of DDoS attacks in H1 2024 has increased by 46% compared to the
same period last year, reaching 445K in Q2 2024. Compared to data for the
previous six months (Q3--4 2023), it increased by 34%. [...]

https://thehackernews.com/2024/08/ddos-attacks-surge-46-in-first-half-of.html

------------------------------

Date: Wed, 14 Aug 2024 10:19:22 -0400
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: NIST announces post quantum encryption standards
 (SecurityWeek)

https://www.securityweek.com/post-quantum-cryptography-standards-officially-announced-by-nist-a-history-and-explanation/

TL;DR: nothing has changed. If your org is using strong encryption, this is
a horizon problem. If your org isn't using strong encryption or is using a
soon to be deprecated encryption method, these new standards will likely
not exist in your vendor or standard library soon enough to adopt.

https://csrc.nist.gov/Projects/Cryptographic-Standards-and-Guidelines

https://www.nist.gov/news-events/news/2024/08/nist-releases-first-3-finalized-post-quantum-encryption-standards

  Replacing all your existing encryption methods should go in the 5 year
  roadmap.

------------------------------

Date: Sat, 10 Aug 2024 07:56:40 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Generative AI Has a 'Shoplifting' Problem. This Startup CEO Has a
 Plan to Fix It (WiReD)

Bill Gross’ ProRata, which has struck deals with partners like Time and
Universal Music Group, has a strategy for making AI powerhouses pay for
content.

Bill Gross made his name in the tech world in the 1990s, when he came up
with a novel way for search engines to make money on advertising. Under his
pricing scheme, advertisers would pay when people clicked on their ads. Now,
the “pay-per-click” guy has founded a startup called ProRata, which has an
audacious, possibly pie-in-the-sky business model: “AI pay-per-use.” Gross,
who is CEO of the Pasadena, California, company, doesn't mince words about
the generative AI industry. “It’s stealing,” he says.  “They’re shoplifting
and laundering the world’s knowledge to their benefit.”  [...]

But Gross thinks ProRata offers a solution that beats legal battles. “To
make it fair—that’s what I’m trying to do,” he says. “I don’t think this
should be solved by lawsuits.”

His company aims to arrange revenue-sharing deals so publishers and
individuals get paid when AI companies use their work. Gross explains it
like this: “We can take the output of generative AI, whether it's text or an
image or music or a movie, and break it down into the components, to figure
out where they came from, and then give a percentage attribution to each
copyright holder, and then pay them accordingly.” ProRata has filed patent
applications for the algorithms it created to assign attribution and make
the appropriate payments.  [...]

https://www.wired.com/story/bill-gross-prorata-generative-ai-business/

------------------------------

Date: Wed, 14 Aug 2024 14:51:38 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Kroger unveils AI-powered automatic price gouger
 (Pivot to AI)

Kroger, the U.S.’s largest supermarket chain, has been rolling out
AI-powered “dynamic pricing” — hooked to cameras on its display shelves.

Since 2018, the chain has been using digital price labels that can change in
real-time based on the mountains of data the store collects on
shoppers. Kroger expanded this system to 500 of its 2,750 retail grocery
stores in 2023.

Kroger has been working with Microsoft since 2018 to put cameras on its
so-called EDGE (Enhanced Display for Grocery Environment) shelf
displays. These let them do video analytics to enable “personalized offers”
based on “customer demographics” — and certainly not price gouging based on
age, sex, or color. [Supermarket News, 2019]

Microsoft insists that these “smart shelves” will “delight the shoppers.”
[Microsoft, 2018]

In February 2024, Kroger partnered with AI company Intelligence Node to
analyze their growing piles of customer data in the quest for “unparalleled
digital shelf optimization.” Intelligence Node sells the dynamic pricing
software. [Press release; Intelligence Node]

Senators Elizabeth Warren (D-MA) and Bob Casey (D-PA) wrote a letter to
Kroger CEO Rodney McMullen on August 5. They worry about the potential for
price gouging and exploiting sensitive consumer data. [Letter, PDF]

Kroger insists that “any test of electronic shelf tags is to lower prices
more for customers where it matters most. To suggest otherwise is not true.”
For some reason, nobody trusts them. [Progressive Grocer]

We can hardly wait for the followup story: “Whoops! Kroger’s dynamic pricing
system turns out to be savagely racist.”

https://pivot-to-ai.com/2024/08/13/kroger-unveils-ai-powered-automatic-price-gouger/

------------------------------

Date: Mon, 12 Aug 2024 21:53:36 -0400
From: Bob Smith <bsmith@sudleyplace.com>
Subject: Corporation Email Looks Like A Scam

I made a purchase at Lowes for which there was a substantial discount if I
signed up for their credit card, so I did.

A few days later I received an email about my new Lowes.com credit card
which looked legit except for the fact that none of the links pointed to
anything within the Lowes.com domain.  This break in the chain of trust is a
common way scammers exploit the trusting public.

I contacted Lowes by phone and pointed out to them the email I received was
in a format commonly used by scammers.  The person I contacted told me that
the links were to a legitimate bank and didn't seem to understand the
general issue for our society if legitimate emails from banks look similar
to scammer emails.

The links were to synchronyfinancial.com and syf.com which I did not
recognize but I later determined are in fact to a legitimate banking
institution.

Perhaps I'm being too paranoid, but it seems that without too much effort,
Lowes could arrange with the out-sourced financial institution to use links
which always point to a CNAME on Lowes.com which Lowes can then redirect to
the appropriate destination at synchronyfinancial bank.

I guess the issue is the extent to which a legitimate business like Lowes
should go out of their way to make sure its email messages are clearly
distinct from language and formats commonly used by scammers.

------------------------------

Date: Sat, 10 Aug 2024 07:02:50 -0400
From: Bob Gezelter <gezelter@rlgsc.com>
Subject: ICANN Approves DNS Top-Level Domain for Intranets

The ICANN Board has approved the resolution reserving the DNS TLD
".INTERNAL" for internal organization use. This parallels the decades-long
reservation of intranet IPv4 addresses, e.g., 10.*.*.*,
172.16.0.0-172.31.255.255, and 192.168.*.*, under RFC 1918 -- Address
Allocation for Private Internets, and the reserved intranet addresses under
IPv6.

Now one can use ".INTERNAL" for systems within the organization without fear
that someone, somewhere will register the corresponding TLD.

Board notes at:
https://www.icann.org/en/board-activities-and-meetings/materials/approved-resolutions-special-meeting-of-the-icann-board-29-07-2024-en#section2.a

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.40
************************
