[33455] in RISKS Forum
Risks Digest 34.44
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Sun Sep 8 21:03:00 2024
From: RISKS List Owner <risko@csl.sri.com>
Date: Sun, 8 Sep 2024 18:02:45 PDT
To: risks@mit.edu
RISKS-LIST: Risks-Forum Digest Sunday 8 Sep 2024 Volume 34 : Issue 44
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.44>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Bypassing airport security via SQL injection (Tom Van Vleck)
How Navy chiefs conspired to get themselves illegal warship Wi-Fi
(Navy Times)
Chinese Government Hackers Penetrate U.S. ISPs (Joseph Menn)
New Yubikey vulnerability (ArsTechnica)
JPMorgan Plans to Report Customers Who Exploited TikTok ‘Glitch’ to
Authorities (WSJ)
California Passes AI Safety Bill (Bloomberg)
Musk and xAI accused of worsening Memphis smog with unauthorized turbines
(CNBC)
AI Could Engineer a Pandemic, Experts Warn (Time)
The Bands and the Fans Were Fake. The $10 Million Was Real.
(NYTimes)
Kids who use ChatGPT as a study assistant do worse on tests
(Hechinger Report)
Chatbots Are Primed to Warp Reality (The Atlantic)
Automated trading bots scheme results in millions of dollars,
Teslas, Rolexes, and federal wire-fraud convictions (Justice)
Former Tesla Autopilot Head And Ex-OpenAI Researcher Says
'Programming Is Changing So Fast' That He Cannot Think Of Going Back
To Coding Without AI (Benzinga)
Electric toothbrushes and light-up sneakers are setting France on
fire (Politico)
Wake me when the Internet of Things is over (StraitsTimes.com)
Risks of Rogue WiFi on Navy ships (Navy Times)
In feud with Musk, Brazilian justice restricts access to X
(LA Times)
North Korea Aggressively Targeting Crypto Industry with
Well-Disguised Social Engineering Attacks (IC3)
Five-day O2/Telefonica DSL outage in Berlin, Germany (SCTB)
What The CrowdStrike Outage Can Teach Us about Testing and Failure Modes
(Packet Pushers)
Visa required for EU entry starting next year (Edward Hasbrouck)
Russian 'spy whale' found dead off Norway (BBC)
Re: Moscow's Spies Were Stealing U.S. Tech, Until the FBI Started a Sabotage
Campaign (Amos Shapir)
Foreign Policy: TikTok ban & global data commons (Cliff Kilby)
How Telegram Became Criminals’ Favorite Marketplace (WSJ)
Telegram Founder's Indictment Thrusts Encryption into the Spotlight
(NYTimes)
Re: Telegram billionaire co-founder Pavel Durov arrested (John Levine)
Re: Feds sue Georgia Tech for lying bigly about computer security
(Dylan Northrup)
Re: Standard security policies and variances (Charles Cazabon)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Fri, 30 Aug 2024 09:13:33 -0400
From: Tom Van Vleck <thvv@multicians.org>
Subject: Bypassing airport security via SQL injection
https://ian.sh/tsa
• Ian Carroll (https://twitter.com/iangcarroll)
• Sam Curry (https://twitter.com/samwcyo)
``KCM is a TSA program that allows pilots and flight attendants to bypass
security screening, even when flying on domestic personal trips. A
similar system also exists for cockpit access, called the Cockpit Access
Security System (CASS).''
ARINC (a subsidiary of Collins Aerospace) operates a site called FlyCASS
which pitches small airlines a web-based interface to CASS. Apparently this
system was operated by only one person.
The FlyCASS site was vulnerable to a very simple SQL injection attack. A
test of this allowed the researchers to add names, authorizations, and
photos to the database. The researchers reported the issue to the Department
of Homeland Security and the problem was addressed... see the web page for
the story.
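The class of defect described above, as an added illustration that is not the FlyCASS code (the post gives no details of the real flaw): a crew-authorization lookup that splices input into the SQL text, beside the parameterized form a defender would want. The table, airline, names and employee IDs are constructed for the example.

```python
import sqlite3

# Constructed sample data in the spirit of a KCM/CASS-style authorization
# table. Airline, names and IDs are invented for this example.
CREW = [
    ("A1001", "Example Air", "Alice Pilot", 1),
    ("A1002", "Example Air", "Bob Attendant", 1),
    ("A1003", "Example Air", "Carol Former", 0),  # authorization revoked
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database holding the constructed crew table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE crew (employee_id TEXT, airline TEXT, "
        "name TEXT, authorized INTEGER)"
    )
    conn.executemany("INSERT INTO crew VALUES (?, ?, ?, ?)", CREW)
    return conn


def is_authorized_vulnerable(conn, employee_id: str, airline: str) -> bool:
    """The defect: caller-supplied strings become part of the SQL text, so a
    quote in the input changes the query's logic instead of being data."""
    sql = (
        "SELECT COUNT(*) FROM crew WHERE employee_id = '" + employee_id
        + "' AND airline = '" + airline + "' AND authorized = 1"
    )
    return conn.execute(sql).fetchone()[0] > 0


def is_authorized_fixed(conn, employee_id: str, airline: str) -> bool:
    """Hardened form: placeholders keep the input as data; the driver handles
    quoting, so the query structure cannot be altered by the caller."""
    sql = (
        "SELECT COUNT(*) FROM crew "
        "WHERE employee_id = ? AND airline = ? AND authorized = 1"
    )
    return conn.execute(sql, (employee_id, airline)).fetchone()[0] > 0


def demo() -> dict:
    """Run both lookups on a legitimate ID and on quote-bearing input."""
    conn = make_db()
    legit_v = is_authorized_vulnerable(conn, "A1001", "Example Air")
    legit_f = is_authorized_fixed(conn, "A1001", "Example Air")
    # A quote in the input rewrites the vulnerable query's WHERE clause; the
    # parameterized query compares it as a literal ID and matches nothing.
    tainted = "X' OR '1'='1"
    try:
        bad_v = is_authorized_vulnerable(conn, tainted, "Example Air")
    except sqlite3.Error:
        bad_v = None  # a syntax error is the other common symptom
    bad_f = is_authorized_fixed(conn, tainted, "Example Air")
    return {
        "legit_vulnerable": legit_v,
        "legit_fixed": legit_f,
        "tainted_vulnerable": bad_v,
        "tainted_fixed": bad_f,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The revoked employee (authorized = 0) is rejected by both forms; only the vulnerable one lets the quote-bearing input widen the match to every authorized row.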
------------------------------
Date: Thu, 5 Sep 2024 08:31:14 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: How Navy chiefs conspired to get themselves illegal warship Wi-Fi
(Navy Times)
A scathing Navy investigation reveals how USS Manchester's enlisted leaders
endangered their ship with an unauthorized Starlink Wi-Fi setup.
Key paragraphs:
Unauthorized Wi-Fi systems
<https://www.militarytimes.com/news/your-military/2023/09/12/elon-musk-blocking-starlink-to-stop-ukraine-attack-troubling-for-dod/>
like the one Marrero set up are a massive no-no for a deployed Navy ship, and
Marrero’s crime occurred as the ship was deploying to the West Pacific,
where such security concerns become even more paramount among heightened
tensions with the Chinese.
“The installation and usage of Starlink, without the approval of higher
headquarters, poses a serious risk to mission, operational security, and
information security,” the investigation states.
https://www.navytimes.com/news/your-navy/2024/09/03/how-navy-chiefs-conspired-to-get-themselves-illegal-warship-wi-fi/
The article also says:
Marrero’s “egregious misconduct” with the illegal Wi-Fi “cannot be
understated,” the investigating officer wrote.
[Of course it can be understated!
OTOH, it probably cannot be overstated, and/or should not be
understated.]
------------------------------
Date: Fri, 30 Aug 2024 11:23:01 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Chinese Government Hackers Penetrate U.S. ISPs
(Joseph Menn)
Joseph Menn, *The Washington Post*, 27 Aug, via ACM TechNews
U.S. Internet service providers (ISPs) have been breached by Chinese
government-backed hackers, say researchers, with the goal of gathering
intelligence on users. Government and military personnel working undercover
and groups of strategic interest to China are thought to be the primary
targets. Lumen Technologies researchers said three U.S. ISPs were hacked
this summer via a previously unknown zero-day flaw in a Versa Networks
program used for managing wide-area networks.
------------------------------
Date: Tue, 3 Sep 2024 16:04:16 -0400
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: New Yubikey vulnerability (ArsTechnica)
https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/2/
FWIW, this changes nothing.
FIDO is still better than
TOTP is still better than
Either SMS or Email verification.
To effect a clone, the fob must be out of your possession for an extended
period of time (Source denotes 10 hours but calls that short) and the
attacker needs a full lab and external data to do anything with it.
Do monthly inventories of all assets (including backup fobs), and have a
lost device process (which should include fobs).
Authentication attempts should be throttled, captcha'ed, and have auto
disable/lock enforced.
I would add the specifics that any account that is flagged as "break-glass"
should be monitored and alarmed for any authentication attempt, successful
or not.
If attempting to use it doesn't set off every alarm in the building, or it
can be used if every alarm isn't already going off, it cannot be a
break-glass account.
Still, shame on yubico for not validating constant time encryption on all
their products. I understand the Infineon cryptographic library comes with
a "trust us, bro" NDA, which may have hampered testing.
I guess that means that obscurity still means insecurity.
[I've had THREE yubikeys lately. The second was part of an SRI-wide, but
it could not be installed. PGN]
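The monitoring and auto-lock Kilby calls for, as an added example (not from the post or any vendor): a small detector run over constructed authentication log lines that alerts on every attempt against a break-glass account, successful or not, and auto-locks ordinary accounts after repeated failures. The log format, account names and threshold are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log lines (not real system output): one authentication
# event per line with timestamp, outcome, account and source address.
SAMPLE_LOG = """\
2024-09-05T08:00:01Z AUTH_OK user=alice src=10.0.0.5
2024-09-05T08:00:09Z AUTH_FAIL user=bob src=10.0.0.7
2024-09-05T08:00:10Z AUTH_FAIL user=bob src=10.0.0.7
2024-09-05T08:00:11Z AUTH_FAIL user=bob src=10.0.0.7
2024-09-05T08:00:12Z AUTH_FAIL user=bob src=10.0.0.7
2024-09-05T08:00:13Z AUTH_FAIL user=bob src=10.0.0.7
2024-09-05T08:00:14Z AUTH_FAIL user=bob src=10.0.0.7
2024-09-05T08:05:00Z AUTH_FAIL user=breakglass-admin src=198.51.100.9
2024-09-05T08:05:30Z AUTH_OK user=breakglass-admin src=198.51.100.9
"""

# Assumption: the identity team maintains the set of break-glass accounts;
# here it is a constructed set.
BREAK_GLASS = {"breakglass-admin"}
LOCKOUT_THRESHOLD = 5  # consecutive failures before an ordinary account locks

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<outcome>AUTH_OK|AUTH_FAIL) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


@dataclass
class Verdict:
    alerts: list = field(default_factory=list)   # alerts in log order
    locked: set = field(default_factory=set)     # accounts to auto-lock
    failures: dict = field(default_factory=lambda: defaultdict(int))


def evaluate(log_text: str) -> Verdict:
    """Apply two rules: any break-glass attempt alerts; repeated failures on
    other accounts lock the account and alert once."""
    v = Verdict()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a real pipeline would count these
        ts, outcome, user, src = m["ts"], m["outcome"], m["user"], m["src"]
        if user in BREAK_GLASS:
            # Break-glass accounts are never used in normal operation, so
            # success and failure are equally alarming.
            v.alerts.append(
                f"{ts} break-glass attempt user={user} outcome={outcome} src={src}"
            )
            continue
        if outcome == "AUTH_FAIL":
            v.failures[user] += 1
            if v.failures[user] >= LOCKOUT_THRESHOLD and user not in v.locked:
                v.locked.add(user)
                v.alerts.append(
                    f"{ts} auto-lock user={user} after {v.failures[user]} failures"
                )
        else:
            v.failures[user] = 0  # a success resets the failure counter


    return v


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_LOG)
    for alert in verdict.alerts:
        print(alert)
    print("locked:", sorted(verdict.locked))
```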
------------------------------
Date: Sat, 7 Sep 2024 22:23:05 -0400
From: Monty Solomon <monty@roscom.com>
Subject: JPMorgan Plans to Report Customers Who Exploited TikTok ‘Glitch’ to
Authorities (WSJ)
Thousands of people withdrew money after depositing bad checks
https://www.wsj.com/finance/banking/jpmorgan-plans-to-report-customers-who-exploited-tiktok-glitch-to-authorities-cb5f5cef
------------------------------
Date: Fri, 30 Aug 2024 11:23:01 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: California Passes AI Safety Bill (Bloomberg)
Shirin Ghaffary, *Bloomberg*, 29 Aug 2024, via ACM TechNews
California's legislature approved an AI safety bill opposed by many
tech companies. The measure moved to Governor Gavin Newsom's desk
after passing the state Assembly Wednesday, with the Senate granting
final approval Thursday. SB 1047 mandates that companies developing AI
models take "reasonable care" to ensure that their technologies don't
cause "severe harm," such as mass casualties or property damage above
$500 million.
[One problem with this is that Human Safety is an emergent property of the
entire system -- hardware, software, networks, and apps -- and not a
property that can be evaluated in the AI alone. If the AI cannot satisfy
its own properties, that is a bad thing. However, even if it can do so,
the rest of the system may still do harm. Ergo, the AI itself may not be
user-friendly and safe unless everything else is also. PGN]
------------------------------
Date: Fri, 30 Aug 2024 10:51:12 -0400
From: Chad Dougherty <crd@acm.org>
Subject: Musk and xAI accused of worsening Memphis smog with
unauthorized turbines (CNBC)
https://www.cnbc.com/2024/08/28/musk-xai-accused-of-worsening-memphis-smog-with-unauthorized-turbines.html
------------------------------
Date: Fri, 30 Aug 2024 11:23:01 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: AI Could Engineer a Pandemic, Experts Warn (Time)
Tharin Pillay and Harry Booth, *Time*, 27 Aug 2024, via ACM TechNews
A policy paper from public health and legal professionals at Stanford School
of Medicine, Fordham University, and the Johns Hopkins Center for Health
Security calls for mandatory oversight and guardrails for advanced
biological AI models. The authors wrote they believe governments should
collaborate with machine learning, infectious disease, and ethics experts to
develop tests to determine whether biological AI models could pose
"pandemic-level risks."
------------------------------
Date: Thu, 5 Sep 2024 08:22:45 -0700
From: Jim Geisman <jgeissman@socal.rr.com>
Subject: The Bands and the Fans Were Fake. The $10 Million Was Real.
(NYTimes)
Federal prosecutors charged a North Carolina musician with gaming the system
to win royalties from streaming services including Spotify, Apple Music and
Amazon Music.
A North Carolina man used artificial intelligence to create hundreds of
thousands of fake songs by fake bands, then put them on streaming services
where they were enjoyed by an audience of fake listeners, prosecutors said.
Penny by penny, he collected a very real $10 million, they said when they
charged him with fraud.
The man, Michael Smith, 52, was accused in a federal indictment unsealed on
Wednesday of stealing royalty payments from digital streaming platforms for
seven years. Mr. Smith, a flesh-and-blood musician, produced A.I.-generated
music and played it billions of times using bots he had programmed,
according to the indictment.
The supposed artists had names like "Callous Post," "Calorie Screams" and
"Calvinistic Dust" and produced tunes like "Zygotic Washstands,"
"Zymotechnical" and "Zygophyllum" that were top performers on Amazon Music,
Apple Music and Spotify, according to the charges.
"Smith stole millions in royalties that should have been paid to musicians,
songwriters, and other rights holders whose songs were legitimately
streamed," Damian Williams, the U.S. attorney for the Southern District of
New York, said in a statement on Wednesday.
https://www.nytimes.com/2024/09/05/nyregion/nc-man-charged-ai-fake-music.html
[Also noted by Steve Bacher. Matthew Kruk spotted
https://www.bbc.com/news/articles/cly3ld9wy3eo
PGN]
------------------------------
Date: Sat, 7 Sep 2024 06:34:47 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Kids who use ChatGPT as a study assistant do worse on tests
(Hechinger Report)
An experiment in a Turkish high school shows that using ChatGPT in math can
“substantially inhibit learning.” Even a fine-tuned version of ChatGPT
designed to mimic a tutor doesn’t necessarily help.
https://hechingerreport.org/kids-chatgpt-worse-on-tests/
------------------------------
Date: Mon, 2 Sep 2024 06:46:25 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Chatbots Are Primed to Warp Reality (The Atlantic)
A growing body of research shows how AI can subtly mislead users -- and even
implant false memories.
https://www.theatlantic.com/technology/archive/2024/08/chatbots-false-memories/679660/
------------------------------
Date: Sat, 7 Sep 2024 12:47:25 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Automated trading bots scheme results in millions of dollars,
Teslas, Rolexes, and federal wire-fraud convictions (Justice)
ALEXANDRIA, VA. -- A Great Falls man pled guilty on July 23 to wire
fraud and a Florida man was sentenced yesterday for his role in the
wire fraud conspiracy.
According to court documents, Rick Tariq Rahim, 56, defrauded customers who
wanted to invest using Rahim’s automated trading bots, some of which traded
forex, and by “copying” Rahim’s supposed trading activities that he posted
to Discord. He marketed his products under BotsforWealth,
TradeAutomation.com, ProChartSignals.com, OptionCopier.com, CopyAndWin.com,
SnipeAlgo.com, and QQQtrade.com. Rahim charged customers a subscription fee
for access to Rahim’s bots, software, and copying his supposed trades. Rahim
also offered a “lifetime membership” to which customers received access to
Rahim’s private Discord channel, some of his products, as well as his
“in-office” trading days. Additionally, Rahim personally traded stocks for
at least two individuals, claiming that "We'll hit home runs and
make $500k+ per day very very often." Instead, Rahim lost over $300,000 of
his clients’ funds in eight months.
Rahim induced customers to subscribe to his products by using video-centric,
internet-based social media tools, including TikTok, YouTube, and
Discord. He posted false information to his websites and to his social media
accounts claiming to “beat the stock market every day” and promising extreme
profit margins.
Rahim also sought to induce customers by claiming he was extremely
wealthy, boasting about trading millions of dollars and posting about
his large home, pool, and luxury cars, including his Lamborghini.
Despite claiming to regularly beat the market, however, he exaggerated
his personal trading success, in part by not posting trades in which
he lost money. In fact, Rahim realized over $500,000 in losses from
February 2021 through December 2022. He did not invest millions in the
market during this time period as he had claimed. As part of his
fraud scheme, Rahim also created at least 20 Discord user profiles to
post emojis, likes, and symbols showing agreement and excitement
regarding Rahim’s posts. Rahim earned at least $1,397,000 in
subscription fees during the course of his schemes. After accepting
the guilty plea, the court ordered that Rahim not give any financial
investment advice to anyone for a fee.
https://www.justice.gov/usao-edva/pr/automated-trading-bots-scheme-results-millions-dollars-teslas-rolexes-and-federal-wirez
------------------------------
Date: Sun, 25 Aug 2024 08:07:11 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: Former Tesla Autopilot Head And Ex-OpenAI Researcher Says
'Programming Is Changing So Fast' That He Cannot Think Of Going Back
To Coding Without AI (Benzinga)
Having AI to help coding reminds me of how long ago composers like Haydn
might write out the main parts, but give only hints about the
accompaniment, which is left to the copyist to fill in.
------------------------------
Date: Sun, 1 Sep 2024 08:06:12 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Electric toothbrushes and light-up sneakers are setting France on
fire (Politico)
Waste treatment plants have seen an uptick in fires caused by lithium-ion
batteries in household goods.
CATUS, France — Every day at the Syded waste treatment plant in the Lot
region of southwestern France, the company collects, sorts and treats up to
80 metric tons of household and business waste.
And every day, its 266 employees have to look out for an electric
toothbrush, a single-use vape or a broken toy that could set the whole place
on fire.
“Had you called me 4 or 5 years ago I would have said [fires occur] ‘from
time to time’ but now the risk of fire defines my day-to-day,” said Hervé
Coulaud, environment director at the Syded plant.
The problem, it turns out, is batteries — specifically, lithium-ion
batteries. As the technology has advanced and the batteries have become
smaller and more efficient, they've shown up in ever more household goods,
from musical birthday cards to diapers that beep when they're too wet.
But if these tiny power sources aren't removed and disposed of separately
when an item is thrown away, they end up in mainstream waste plants and get
crushed.
And that's the moment they can ignite and send the whole place up in flames.
[...]
https://www.politico.eu/article/electric-toothbrush-light-up-sneakers-france-household-waste-fires-studies-product/
------------------------------
Date: Thu, 05 Sep 2024 06:26:52 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Wake me when the Internet of Things is over
(StraitsTimes.com)
https://www.straitstimes.com/opinion/wake-me-when-the-internet-of-things-is-over
[Reprinted from https://www.bloomberg.com/opinion/articles/2024-09-04/internet-of-things-is-falling-flat-with-consumers]
"Makers of smart washing machines and refrigerators should admit defeat and let
dumb things remain dumb."
Wiser words were never written on IoT. Time to disconnect that IoT-enabled Roti
maker.
[Guesses are it will never be over, even if it never gets smart and
uses trustworthy components. Home owners don't seem to care. PGN]
------------------------------
Date: Wed, 4 Sep 2024 07:17:16 -0400
From: George Neville-Neil <gnn@neville-neil.com>
Subject: Risks of Rogue WiFi on Navy ships (Navy Times)
https://www.navytimes.com/news/your-navy/2024/09/03/how-navy-chiefs-conspired-to-get-themselves-illegal-warship-wi-fi/
[Illegal in the sense it is not sufficiently trustworthy
and not certified? Or because it is Chinese or Russian?
Or all of the above and more? PGN]
------------------------------
Date: Sun, 1 Sep 2024 18:10:17 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: In feud with Musk, Brazilian justice restricts access to X
(LA Times)
Internet vs national sovereignty. The judge said Musk showed "total
disrespect for Brazilian sovereignty and, in particular, for the judiciary,
setting himself up as a true supranational entity and immune to the laws of
each country."
http://enewspaper.latimes.com/infinity/article_share.aspx?guid=c8f44e6b-67e5-4931-974e-f5e1c1fcc546
------------------------------
Date: Sat, 7 Sep 2024 12:45:46 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: North Korea Aggressively Targeting Crypto Industry with
Well-Disguised Social Engineering Attacks (IC3)
The Democratic People's Republic of Korea ("DPRK" aka North Korea) is
conducting highly tailored, difficult-to-detect social engineering
campaigns against employees of decentralized finance ("DeFi"),
cryptocurrency, and similar businesses to deploy malware and steal
company cryptocurrency.
North Korean social engineering schemes are complex and elaborate,
often compromising victims with sophisticated technical acumen. Given
the scale and persistence of this malicious activity, even those well
versed in cybersecurity practices can be vulnerable to North Korea's
determination to compromise networks connected to cryptocurrency
assets.
North Korean malicious cyber actors conducted research on a variety of
targets connected to cryptocurrency exchange-traded funds (ETFs) over
the last several months. This research included pre-operational
preparations suggesting North Korean actors may attempt malicious
cyber activities against companies associated with cryptocurrency ETFs
or other cryptocurrency-related financial products.
https://www.ic3.gov/Media/Y2024/PSA240903
------------------------------
Date: 30 Aug 2024 13:16:34 +0200
From: risks@sctb.ch
Subject: Five-day O2/Telefonica DSL outage in Berlin, Germany
Monday morning we arose to find ourselves with water, heat, and electricity,
but not Internet.
We phoned O2, the provider in question, and in doing so discovered their
customer support phone number was also out of action: "this number cannot
be called, please contact customer support immediately!"
We then tried to log in on their website to our account, which turned out
to be 404.
We then tried live chat and were told there was indeed an outage.
Fast-forward to early Friday afternoon (when I now write), and we contacted
live chat one more time, prior to changing provider, to see if we could get
an ETA, and were told the outage had been resolved late Friday morning.
Power cycling the modem brought us back on line (which was unexpected - I
expected the modem to recover by itself).
We asked what happened. Translated from German;
"A general outage which could be fixed from a distance."
So, there was a five day outage, we were not notified when it occurred, or
when service resumed, there was no ETA for repair, and there has been no
explanation of what happened.
I write to RISKS to enquire if anyone here knows anything about what happened?
(I have to say, I wish there were small, local providers we could turn to.
The service here is what you get with large companies; they can't be
different. If you want different, you need to go to a small company.)
------------------------------
Date: Sat, 7 Sep 2024 13:00:25 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: What The CrowdStrike Outage Can Teach Us about Testing
and Failure Modes (Packet Pushers)
Scratch the surface of the Crowdstrike failure, and you'll find more
than testing and process failures. You'll find lessons about
complexity, unintended consequences, and bringing humility with you
during changes made at scale.
https://packetpushers.net/blog/what-the-crowdstrike-outage-can-teach-us-about-testing-and-failure-modes/
------------------------------
Date: September 7, 2024 at 0:12:35 JST
From: Edward Hasbrouck <edward@hasbrouck.org>
Subject: Visa required for EU entry starting next year
[via Dave Farber's IP distribution]
What has not been mentioned in most reports is that the set of
planned EU restrictions on non-EU (non-Schengen, actually) citizens are all
modeled on measures the U.S. has already implemented and encouraged other
countries to adopt, as I discuss in a report for the Identity Project:
Planned new European travel restrictions follow U.S. precedents and pressure
Citizens of the U.S.A and some other most-favored nations have long been
able to travel to many European countries for tourism or business without
visas or pre-arrangements and with minimal border formalities, as long as
they didn't stay too long or seek local residence or employment.
This is scheduled to change with the imposition of new controls on
foreigners -- including U.S. citizens -- visiting Europe starting in November
2024. This is to be followed by a further ratcheting up of control and
surveillance of foreign travelers to Europe scheduled for some time in 2025.
Some U.S. citizens are likely to be shocked and humiliated -- as any
traveler anywhere in the world should be, regardless of their citizenship --
to be subjected to fingerprinting and mug shots and additional questioning on
arrival in Europe and, starting next year, to a de-facto visa by another name
that they will have to apply for, pay for, and have approved in
advance.
European citizens can and should object to the imposition by their
governments of these new restrictions on foreigners, including foreign
tourists and business visitors and foreign citizens who reside in Europe.
Europe could, and should, set a better example of respect for freedom of
movement as a human right that shouldn't depend on citizenship.
But U.S. citizens who object to these new European measures should direct
their objections and, more importantly, their agitation for changes in
travel rules to the U.S. government.
These impending new European travel control and surveillance measures are
modeled on systems developed, already in use in, and actively promoted to
European and other governments around the world by the U.S. government.
By its precedents and international pressure, the U.S. government is making
travel more difficult for everyone, including U.S. citizens, everywhere in
the world including in Europe. [...]
More:
https://papersplease.org/wp/2024/09/06/planned-new-european-travel-restrictions-follow-us-precedents-and-pressure/
------------------------------
Date: Sun, 1 Sep 2024 22:13:03 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Russian 'spy whale' found dead off Norway (BBC)
https://www.bbc.com/news/articles/cje2p3z8nlyo
A beluga whale suspected of having been trained as a spy by Russia has been
found dead off the Norwegian coast.
The body of the animal -- nicknamed Hvaldimir -- was found floating
off the south-western town of Risavika and taken to the nearest port
for examination.
The whale was first spotted in Norwegian waters five years ago with a GoPro
camera attached to a harness that read "Equipment of St Petersburg".
This sparked rumours the mammal could be a spy whale - something experts
say happened in the past. Moscow never responded to the allegations.
[But the whale had a visa from St. Petersburg and the Norwegian
s(t)urgeon might have discovered it was actually smuggling Beluga
caviar into Norway? PGN]
------------------------------
Date: Sat, 31 Aug 2024 11:03:31 +0300
From: Amos Shapir <amos083@gmail.com>
Subject: Re: Moscow's Spies Were Stealing U.S. Tech, Until
the FBI Started a Sabotage Campaign (Politico, Risks-34.43)
According to legend, Digital Equipment's CVAX microchip had an
inscription etched into the silicon which said, in Russian,
"*CVAX... when you care enough to steal the very best*"
(Source: https://en.wikipedia.org/wiki/VAX)
------------------------------
Date: Sat, 31 Aug 2024 14:46:43 -0400
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: Foreign Policy: TikTok ban & global data commons
IMHO, the TikTok ban and other similar stunts with X nee Twitter, Telegram,
WeChat et al are theatre.
If I may bard for a moment:
Oh noes, the chinas haz our datas!
(please ignore the fact that by law your voter registration, voter
participation, and tax records are public)
If we ban the china your datas will be safe!
(except you have no/little legal recourse to deal with a company that has
allowed your PII to become public, so any data that leaks is your own fault
for providing it)
I know the EU has GDPR and recourse to punish a company that improperly
handles SPI/PII. The US doesn't even recognise SPI, and dropping a lorry
full of PII in the nearest Aldi carpark is ... not a crime?
But if anyone reports they found a lorry full of PII in the carpark,
they'll get sued.
https://arstechnica.com/security/2024/08/city-of-columbus-sues-man-after-he-discloses-severity-of-ransomware-attack/
There can be no meaningful global commons of data without a global right to
privacy and right to be forgotten.
In my layman's understanding of the current state of the legal framework,
you can't stop something as large as a google from direct marketing to you
from illegally harvested data, if that data passed through one US company.
And that one US company only has to say they found it on the internet to
(apparently) convert it to legally obtained data. I cite the ongoing LLM
training debacle.
https://futurism.com/video-openai-cto-sora-training-data
LLM law of finder's keepers: we don't know where the data came from, but it
was on the internet.
In case my tone belies my beliefs, allow me to unvarnishedly say: All
customers should stop doing business with all companies who are not
beholden to a legal right to privacy at least as robust as GDPR. But,
I cannot be mad at the consumers.
In most cases, they have no choice.
------------------------------
Date: Sat, 7 Sep 2024 22:18:54 -0400
From: Monty Solomon <monty@roscom.com>
Subject: How Telegram Became Criminals’ Favorite Marketplace (WSJ)
[Re: RISKS-34.42 and 34.43 for earlier items. PGN]
Arrest of founder Pavel Durov has drawn fresh attention to how pedophile
rings, identity thieves and drug traffickers use the app as a shop window to
sell their wares.
https://www.wsj.com/business/telecom/how-telegram-became-criminals-favorite-marketplace-8c824dfb
How Telegram Became a Playground for Criminals, Extremists and Terrorists
Drug dealers, scammers and white nationalists openly conduct business and spread toxic speech on the platform, according to a Times analysis of more than 3.2 million Telegram messages.
https://www.nytimes.com/2024/09/07/technology/telegram-crime-terrorism.html
------------------------------
Date: Fri, 30 Aug 2024 11:23:01 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Telegram Founder's Indictment Thrusts Encryption into the
Spotlight (NYTimes)
Mike Isaac and Sheera Frenkel, *The New York Times*, 30 Aug 2024, via ACM
TechNews [See RISKS-34.42 and 43 for earlier items.]
Telegram CEO Pavel Durov's indictment in France for various criminal
offenses includes accusations that the messaging platform had provided
cryptology services aimed at ensuring confidentiality without a
license. Encryption has been a long-running point of friction between
governments and tech companies, with the latter arguing it is crucial for
digital privacy, while the former say it enables illegal activity.
Telegram's encryption does not offer the same transparency as encryption
provided on other messaging platforms.
------------------------------
Date: 30 Aug 2024 16:35:15 -0400
From: "John Levine" <johnl@iecc.com>
Subject: Re: Telegram billionaire co-founder Pavel Durov arrested
(Turgut Kalfaoglu, RISKS-34.42)
There has been a dismaying amount of ill-informed pontification about the
Durov case.
A key fact is that Telegram is not, I repeat NOT, an encrypted chat. If you
are talking to one other person it is possible to turn on optional
encryption using a home-brewed scheme of unknown strength. But nearly all of
the traffic is group chats and they are not encrypted at all.
The main issue appears to be that when governments ask Telegram for
help dealing with material that is egregiously illegal, such as
terrorism or CSAM, they don't, even though they could. No government
is going to put up with that for long.
More info here:
https://www.emptywheel.net/2024/08/29/the-missing-detail-about-encryption-in-the-pavel-durov-investigation/
------------------------------
Date: Wed, 4 Sep 2024 08:54:19 -0400
From: Dylan Northrup <northrup@gmail.com>
Subject: Re: Feds sue Georgia Tech for lying bigly about computer
security (RISKS-34.42)
> "There is a current trend toward blindly applying high-level
> security rules to all computers in an organization, regardless of
> their purpose and existing defenses." You mean base-lining?
I'd contend it's not the fact a baseline is being set, but where it's being
set.
If the "hired-gun outsider" declares there's not a reason for 'ssh' to be
available (because they're applying rules crafted for Windows hosts),
does that make it true?
Security policies should be created in consultation with the
administrators of those systems. All too often, however, they are
unilaterally imposed by outside entities. Security organizations
(internal and external) who are incentivized to say "no" because it's
easier and faster than documenting variances; or approving
compensating controls... Auditors who don't understand the system
holistically and won't/can't see why a compensating control addresses
one or more requirements... Or lawyers and insurers who are unwilling
or unable to understand the technical nuances and prioritize "exact
compliance" over actual security.
I'd love to have systems that were both secure and compliant with
policy, but if I have to choose one over the other, I'll tend toward
actual security.
------------------------------
Date: Wed, 4 Sep 2024 20:27:27 -0600
From: Charles Cazabon <charlesc@pyropus.ca>
Subject: Re: Standard security policies and variances (Kilby, RISKS-34.43)
Having run into this situation myself a number of times, I can relate that
things don't always -- or perhaps even usually -- go as smoothly as this
suggestion assumes.
Large organizations set standard baseline policies. Frontline helpdesk or
security folks apply the baseline policies, because it's a Standard Policy.
Someone requests a variance - such as me, for accessibility reasons - and it
turns out to be essentially impossible to get *any* variance, because in
large organizations it's no one's job to create and apply those variances or
otherwise deviate from the standard policy, and the incentives are all
against doing so.
E.g., 18 months later, I was still waiting for that variance...
------------------------------
Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 34.44
************************