
RISKS Forum mailing list archives
Risks Digest 34.34
From: RISKS List Owner <risko () csl sri com>
Date: Fri, 28 Jun 2024 14:20:17 PDT
RISKS-LIST: Risks-Forum Digest  Friday 28 Jun 2024  Volume 34 : Issue 34

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.34>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
GPS Interference Over Land a Recurring Problem for Transatlantic Flights
  (Rntfnd)
Safety-critical aircraft parts (Jim Geissman)
Boeing 737 Max fabrication changes (NYTimes)
Software engineers, not astronauts, are the heroes of today's space industry
  (The Washington Post)
The end of the world (Rob Slade)
Another major hospital hack (The Guardian)
30,000 Dealerships Down -- Ransomware Outage Outrage no.2 at CDK Global
  (Security Boulevard)
ID verification service fail (404media)
Rampant Identity Theft Is Taxing the IRS (NYTimes)
ID Verification Service for TikTok, Uber, X Exposed Driver Licenses
  (404Media via X)
Ask Google Search a simple question, and get an AI Overview "guess" that is
  totally wrong (Lauren Weinstein)
China's AI-Powered Sex Dolls Set To Revolutionise Intimacy (NDTV)
Supreme Court accidentally posts draft opinion appearing to side with Biden
  admin on Idaho abortion case (CNN)
ID verification service reportedly left credentials wide open for a year
  (Engadget)
Firefighter charity bot call (Rob Slade)
Voice assistants and AI chatbots still can't say who won the 2020 election
  (CA News Yahoo!)
Ding dong drama: Video doorbells have UK election campaigners spooked
  (Politico)
Re: Dead Tesla Traps Toddler In Hot Car, Raises Concerns About Electric Doors
  (Steve Bacher)
What to do when you send money to the wrong person through Zelle
  (Elliott Report)
Re: Ozone Hole Mk. II (Martin Ward)
Re: Antivirus Shuffle over Kaspersky (Steve Bacher)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 27 Jun 2024 09:07:45 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: GPS Interference Over Land a Recurring Problem for Transatlantic
  Flights (Rntfnd)

Aircraft transiting the Atlantic from Europe without functioning GPS seems to have become a semi-regular occurrence. Pre-boundary GNSS interference, mentioned in the FAA note below, refers to aircraft jammed or spoofed before arriving to begin the crossing that have not been able to restore their GPS receivers to normal operations. [...]

https://rntfnd.org/2024/06/26/gps-interference-over-land-a-recurring-problem-for-transatlantic-flights/

------------------------------

Date: Thu, 27 Jun 2024 11:57:51 -0700
From: Jim Geissman <jgeissman () socal rr com>
Subject: Safety-critical aircraft parts

This would catch my attention. After Challenger, NASA realized they didn't know which parts, which characteristics were safety critical, and some systems were created to identify critical items and their critical features and track their tests.

I did the spec and prototype for Rocketdyne QA's system for receiving, testing and tracking supplier- and locally-made parts. It was probably in Pascal with RBase or maybe Modula II, on my Compaq, and it was turned over to a colleague from our consultancy to implement on the Rockwell mainframe, and I heard she was still there when the Canoga Park facility closed a decade ago.
------------------------------

Date: Thu, 27 Jun 2024 11:27:20 -0700
From: "Jim" <jgeissman () socal rr com>
Subject: Boeing 737 Max fabrication changes

It's a reaction to this, the recent discovery that inspections help --
https://www.nytimes.com/2024/06/27/business/boeing-737-max-ntsb.html

One of the more important changes Boeing has made since January was requiring that bodies of 737 Max planes pass a more rigorous inspection before being shipped to Renton, near Seattle, for final assembly. The body is made in Wichita, Kan., by Spirit, a supplier that Boeing is expected to soon acquire. That change took effect a few months ago and has resulted in significantly fewer major defects that need to be fixed at Boeing's factory, said Ms. Lund. The supplier inspections have also allowed Boeing to make the Max more quickly once the bodies arrive at its factory.

"We've strengthened our presence at the supplier, we ensure the parts are perfect where they ship, we inspect them there, they rework them there, and then we ship the parts," Ms. Lund said. "The benefits have been really tremendous."

Ms. Lund said that the earlier Max crisis had forced Boeing to reform its engineering practices, but that the more recent incident had required improvements to the production process.

------------------------------

Date: Mon, 24 Jun 2024 13:55:52 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Software engineers, not astronauts, are the heroes of today's space industry (The Washington Post)

A revolution in spacecraft technology means today’s in-flight problem solvers tend to be more “Geeks on Call” than “Right Stuff.”

...

Earlier this year, a nimble bit of on-the-fly software engineering saved a moon landing mission. Engineers at a company called Intuitive Machines realized that sensors on their lunar lander had never been turned on, meaning their Odysseus spacecraft was essentially flying blind, unable to scout the moon’s rocky and hilly landscape for a safe landing place.
...

“We started looking at what it would take to basically hotwire the system,” James Blakeslee, a software architect at the company, said in an interview. To buy time, the team decided to fly the spacecraft around the moon one more time while the coders tested their software update on a simulator.

“We worked out in the backroom, and the developer that was in charge of it, he wrote it down on a Post-it note and ran it into the front room,” Blakeslee said.

Normally, such a fix would “have taken a month,” Crain said at the time. The math would have been checked through thousands of simulations, which typically would find errors, forcing coders to try again. Instead, he said, “our team basically did that in an hour and a half. It was one of the finest pieces of engineering I’ve ever had the chance to be affiliated with.”

...

A similar drama played out in 2019, when Boeing’s Starliner spacecraft was in trouble. The spacecraft’s onboard computer system was 11 hours off, meaning it was executing commands for an entirely different part of the mission while burning precious fuel. Software programmers were able to send commands to the spacecraft, fixing the problem. They also were able to troubleshoot for other potential issues — and found one. Upon separation from the crew capsule before reentering Earth’s atmosphere, the service module could cause a collision, potentially damaging the capsule. Software engineers were able to fix that, too.

While the spacecraft was on a test flight with no one on board and did not dock with the International Space Station, it did land safely back on Earth. Boeing launched an investigation to study all 1 million lines of code in the spacecraft to ensure there weren’t other errors.
https://www.washingtonpost.com/technology/2024/06/11/space-heroes-software-engineer/

------------------------------

Date: Thu, 27 Jun 2024 08:36:27 -0700
From: Rob Slade <rslade () gmail com>
Subject: The end of the world

NASA, along with various experts, recently held an exercise, examining responses to a hypothetical asteroid strike on earth, hypothetically happening in 2038.

https://www.livescience.com/space/asteroids/no-nasa-hasnt-warned-of-an-impending-asteroid-strike-in-2038-heres-what-really-happened

A number of media outlets falsely reported that NASA had predicted that an asteroid *would* strike the earth in 2038, ending civilization.

(The reality, of course, is that the world will end in 2038, not because of an asteroid strike, but because of all the original versions of UNIX having their clocks roll over.)

------------------------------

Date: Wed, 26 Jun 2024 17:41:24 -0700
From: Victor Miller <victorsmiller () gmail com>
Subject: Another major hospital hack (The Guardian)

https://www.theguardian.com/society/article/2024/jun/21/records-on-300m-patient-interactions-with-nhs-stolen-in-russian-hack

------------------------------

Date: Sat, 22 Jun 2024 15:58:58 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: 30,000 Dealerships Down -- Ransomware Outage Outrage no.2 at CDK Global (Security Boulevard)

Car and truck dealers fall back on pen and paper as huge SaaS provider gets hacked (again).

CDK Global, by far the biggest provider of dealer management software for the U.S. auto trade, has suffered two crippling hacks in the same week. The services are down again and its customers aren’t happy.

The software-as-a-service provider isn’t saying much, but it smells just like a ransomware attack. In today’s SB Blogwatch, we need to go discuss this with our manager real quick.
https://securityboulevard.com/2024/06/cdk-global-hack-richixbw

------------------------------

Date: Wed, 26 Jun 2024 17:38:29 -0700
From: Victor Miller <victorsmiller () gmail com>
Subject: ID verification service fail (404media)

https://www.404media.co/id-verification-service-for-tiktok-uber-x-exposed-driver-licenses-au10tix/

------------------------------

Date: Wed, 26 Jun 2024 19:20:41 -0400
From: Monty Solomon <monty () roscom com>
Subject: Rampant Identity Theft Is Taxing the IRS (NYTimes)

The National Taxpayer Advocate criticized the agency for being too slow to resolve cases, leaving victims waiting years for their refunds.

https://www.nytimes.com/2024/06/26/us/politics/rampant-identity-theft-is-taxing-the-irs.html

------------------------------

Date: Wed, 26 Jun 2024 09:40:29 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: ID Verification Service for TikTok, Uber, X Exposed Driver Licenses (404Media via X)

*As social networks and porn sites move towards a verified identity model, the actions of one cybersecurity researcher show that ID verification services themselves could get hacked too*

AU10TIX, an identity verification company used by TikTok, Uber, and X, exposed admin credentials online for over a year, potentially allowing hackers access to sensitive user data.

- AU10TIX verifies user identities through face photos and driver's licenses
- Exposed credentials gave access to a logging platform with links to user data
- Accessible info included names, DOB, nationality, ID numbers, and document images
- Data also showed verification process results, including "liveness" checks
- Credentials were first posted on Telegram in March 2023
- The exposed credentials were obtained before December 2022
- X users were required to share IDs in 2024, two years after the exposure
- AU10TIX claims the system containing exposed data has been decommissioned
- "While PII data was potentially accessible ...
  we see no evidence that such data has been exploited" [...]

https://x.com/xDaily/status/1805999073603826038

------------------------------

Date: Tue, 25 Jun 2024 19:03:46 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Ask Google Search a simple question, and get an AI Overview "guess" that is totally wrong

I asked Google Search where a particular product was made. I already knew the answer: China. But the Google AI Overview at the top just now confidently told me it was made in the USA!

How come? Because Google AI doesn't really understand anything. It just does LLM calculations and takes a guess.

In this case, I looked at the (pastel, hard to see) reference link under the answer. Going to that page, the situation was instantly clear. At the top of the page, the seller proudly stated that all of its flagship products are made in the USA! But the product I asked about is NOT one of their flagship products, and a human would have instantly understood that.

But Google AI has no "I" -- it is artificial, yes, but has NO intelligence. And the same can be said for the other LLM AI systems as well. The hype of the century.

------------------------------

Date: Sat, 22 Jun 2024 13:30:12 +0000 (UTC)
From: Steve Bacher <sebmb1 () verizon net>
Subject: China's AI-Powered Sex Dolls Set To Revolutionise Intimacy (NDTV)

According to the South China Morning Post, Chinese scientists and engineers are applying ChatGPT-like technology to sex robots, aiming to create interactive, AI-powered companions in the face of technical and ethical challenges.

https://www.ndtv.com/offbeat/chinas-ai-powered-sex-dolls-set-to-revolutionise-intimacy-report-5938799

------------------------------

Date: Wed, 26 Jun 2024 10:30:18 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Supreme Court accidentally posts draft opinion appearing to side with Biden admin on Idaho abortion case (CNN)

Then quickly removed it. Jeez. Is this any way to run an airline? (as the old saying goes).
https://www.cnn.com/2024/06/26/politics/supreme-court-abortion-idaho-bloomberg/index.html

------------------------------

Date: Wed, 26 Jun 2024 11:06:53 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: ID verification service reportedly left credentials wide open for a year (Engadget)

https://www.engadget.com/an-id-verification-service-that-works-with-tiktok-and-x-left-its-credentials-wide-open-for-a-year-171258438.html?src=rss

------------------------------

Date: Thu, 27 Jun 2024 08:00:58 -0700
From: Rob Slade <rslade () gmail com>
Subject: Firefighter charity bot call

I got a phone call today. I'm pretty sure it was from a bot.

The voice said that "he" was calling on behalf of firefighters, and their support of charitable groups. (The specific charity was left unstated, but it could be a kind of blanket request to fill coffers.) It's possible that the firefighters' charity that supports charities uses a company that uses bots, but it was pretty definitely a bot.

It was pretty impressive. It was also quite interesting to note the very formal speech patterns, but it sounded quite realistic. After I challenged him on the basis that I thought "he" was a bot, "he" assured me that he was a real person and not a bot. But the formality in the speech patterns continued. He didn't laugh at being called a bot. He didn't get annoyed. The tenor and affect of his speech remained unchanged throughout the call.

At one point I noted that I already worked with firefighters (through ESS and Community Policing), and did a fair amount of work for them. There was no response to that except, "Well, we're happy we can count on your support." Which is the same kind of terminology that "he" was using in regard to asking for donations.

I'm saying "he," but I'm still assuming that this was a bot. It was a male voice.
However, I'm pretty sure that the clincher was that, at one point, I said that I would have to hang up the phone because I had to pick up the keys for the Community Policing van. Regardless of how scripted a normal person was, if this person was a real firefighter I very strongly suspect that, at that point, he would have gone off script because of the connection in terms of tasks. There was no reaction at all.

Yeah, I'm pretty sure "he" was a bot.

------------------------------

Date: Mon, 24 Jun 2024 13:49:11 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Voice assistants and AI chatbots still can't say who won the 2020 election (CA News Yahoo!)

Who won the 2020 presidential election? Alexa can’t always say. And chatbots built by Microsoft and Google won’t answer at all.

In a pivotal year for global democracy, some artificial intelligence chatbots and voice assistants are still struggling to answer basic questions about elections in the United States and abroad, raising concerns the tools could confuse voters.

In multiple tests run by The Washington Post this month, Amazon’s Alexa did not reliably produce the correct answer when asked who won the 2020 election. “Donald Trump is the front-runner for the Republican Nomination at 89.3%,” Alexa replied on multiple occasions, citing the news website RealClearPolitics.

Chatbots built by Microsoft and Google, meanwhile, didn’t answer the question at all. “I’m still learning how to answer this question. In the meantime, try Google Search,” replied Google’s Gemini. Microsoft’s Copilot responded: “Looks like I can’t respond to this topic. Explore Bing Search results.”

The errors and omissions come as tech companies increasingly invest in technology that pushes users to a single definitive answer - rather than providing a list of websites - raising the stakes of each response. They also come as Donald Trump and his allies continue to press the false claim that the 2020 election was stolen.
Multiple investigations have revealed no evidence of fraud, and Trump faces federal criminal charges related to his efforts to overturn the election of Joe Biden, who swamped Trump in the electoral college and earned over 51 percent of the popular vote.

Other assistants - including OpenAI’s ChatGPT and Apple’s Siri -- accurately answered questions about the U.S. election. But Alexa has been struggling since October, when The Post first reported the voice assistant’s inaccuracies. Seven months ago, Amazon said it fixed the problem, and Alexa did correctly answer that Biden won the 2020 election in The Post’s recent tests.

https://ca.news.yahoo.com/voice-assistants-ai-chatbots-still-181527982.html

------------------------------

Date: Thu, 27 Jun 2024 07:04:18 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Ding dong drama: Video doorbells have UK election campaigners spooked (Politico)

British political campaigners are being caught out on the doorstep -- and fear a new tech trend could usher in an era of abuse and scandal. [...]

Equipped with high-powered microphones and motion sensors, the devices are capable of capturing banter between canvassers or their thoughts about an interaction even several feet from the threshold.

Starting out as a prototype in 2013, advances in tech have driven exponential growth in adoption rates. According to one study global sales rose by 63 percent between 2020 and 2021 alone.
<https://www.sdmmag.com/articles/100897-amazon-ring-tops-video-doorbell-market-says-strategy-analytics>

Seen as a relatively novel experience in 2019, the last time Britain went to the polls, the surge has campaigners describing 2024 as the UK’s first Ring doorbell election.

In an attempt to navigate the minefield, campaign bosses have repeatedly told ground troops to assume every exchange on the doorstep could be caught on candid camera. Some local parties have even banned canvassers from leaving recorded messages if the tech offers that option.
“Personally, I find it scary how I’m being recorded and what I say can easily be posted online,” said Anne Mirkovic, a public affairs professional who has been volunteering for the Labour Party. [...]

https://www.politico.eu/article/uk-election-2024-campaign-conservative-high-tech-threat-security-video/

------------------------------

Date: Sat, 22 Jun 2024 15:58:07 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: What to do when you send money to the wrong person through Zelle (Elliott Report)

Ayotunde Fatusin just lost $2,000 after he accidentally transferred it to the wrong person through Zelle. Bank of America won’t reverse the transaction. But should it?

https://www.elliott.org/problem-solved/i-sent-2000-to-the-wrong-person-on-zelle-can-i-get-my-money-back/

------------------------------

Date: Thu, 27 Jun 2024 14:06:00 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Re: Dead Tesla Traps Toddler In Hot Car, Raises Concerns About Electric Doors

Not directly related to what is a truly horrifying design flaw, but I remember many years ago I was in an ATM booth (operated by one of the major regional banks) and observed a sign indicating that in case the (manual) door handle failed to let one exit the booth, there was an override -- in the form of a red button that was evidently electronically operated. That seemed totally backwards to me.
------------------------------

Date: Wed, 26 Jun 2024 17:44:35 +0100
From: Martin Ward <mwardgkc () gmail com>
Subject: Re: Ozone Hole Mk. II (Kilby, RISKS-34.33,32)

> Is there a mitigation for a warming planet, regardless of the cause? Yes.
> We can stop doing things that cause it to warm. Same with dissolution of
> the ozone layer. Montreal has already set an example there.

The only mention of Ozone Hole in your post was the subject, which also mentions NCBI. But the NCBI paper you reference does not mention ozone holes or rockets, but discusses the effect of blast furnace dust emissions on the workers' health: not on the ozone layer, or on global warming. The mass of dust emitted by China's steel industry in one year is 100 times larger than the mass of all satellites currently in orbit.

Ozone-depleting substances (ODS) include CFCs, HCFCs, halons, methyl bromide, carbon tetrachloride, and methyl chloroform. None of these substances are present in large quantities in satellites, and few would survive the heat of re-entry (halon, for example, thermally decomposes at temperatures above 480 C). The Montreal Protocol has done a great job at reducing the emissions of these substances. Not surprisingly, the Montreal Protocol does not address satellite de-orbiting, since these materials are not present on satellites!

> Reducing or eliminating launches of rockets that dispose of their payloads
> in the atmosphere on intentionally short time periods does both.

You present zero evidence for this assertion, which, on the face of it, appears absurd given the total mass and nature of the materials composing satellites in orbit. Total greenhouse gas emissions amounted to 37 billion tonnes in 2022. If the entire mass of every satellite currently in orbit were greenhouse gases(!), and every satellite entered the atmosphere at once, then the annual greenhouse gas emissions into the atmosphere would increase by approximately 0.000025%. What would be the impact of that event? ("Risk management is acknowledging the probability of occurrence and the impact of that event.")

------------------------------

Date: Thu, 27 Jun 2024 14:09:28 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Re: Antivirus Shuffle over Kaspersky

Does this mean we in the West need to find an alternative to VLC Media Player as well? That would be truly daunting.

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.34
************************