
RISKS Forum mailing list archives
Risks Digest 34.41
From: RISKS List Owner <risko () csl sri com>
Date: Sat, 24 Aug 2024 19:08:23 PDT
RISKS-LIST: Risks-Forum Digest  Saturday 24 Aug 2024  Volume 34 : Issue 41

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.41>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
FAA Proposes New Cybersecurity Standards For Aircraft (AVweb)
Power Outages at Port of Los Angeles (LA Times)
High-end racing bikes are now vulnerable to hacking (The Verge)
Halliburton Hit by Apparent Cyberattack (Matt Egan)
German Cyber-Agency Wants Changes in Microsoft, CrowdStrike Products
  after Outage (Catherine Stupp)
Revoked DigiCert Digital Certificates: 27% Not Yet Replaced (BankinfoSecurity)
GM to Cut More Than 1,000 Software Engineers, Mostly in U.S. (David Welch)
Feds sue Georgia Tech for lying bigly about computer security (DoJ)
Policy, due care, and the failure of Heartland Tri-State Bank (NBC News)
Birmingham council faces huge loss over Oracle debacle (The Register)
Which devices on your network are most vulnerable? (Kaspersky)
The Long Arms of Terms of Service (NYTimes)
Meta Kills Off Misinformation Tracking Tool (Barbara Ortutay)
Microsoft Copilot makes a court reporter into a child molester (Heise)
AI Cheating Is Getting Worse (The Atlantic)
U.S. Government Wants You -- Yes, You -- to Hunt Down Generative AI Flaws
  (Lily Hay Newman)
Silicon Valley Is Coming Out in Force Against an AI-Safety Bill (The Atlantic)
A Loophole in Digital Wallet Security (UMass)
AI is an energy hog. It's a strain on the power grid (LA Times)
AI and stand-up comedy (BBC)
These 'living computers' are made from human neurons — and you can rent one
  for $500 a month (LiveScience)
Florida company faces multiple lawsuits after massive data breach (CBC)
Number of Women Taking CS Degrees in UK Continues to Grow (BCS)
Is it safer to use an app or a website on your phone? (WashPost)
My latest column: How the lab leak controversy will harm you (Jim Geissman)
Android Phones Sold with Hidden Insecure Feature (Joseph Menn)
Nightly Waymo Robotaxi Parking Lot Honkfest Is Waking Neighbors (Wes Davis)
Denver Water's loss of pressure at 5 AM every Monday is the same problem as
  San Francisco's 4 AM robot taxi honkfest (The Verge)
OpenAI Blocks Iranian Influence Operation Using ChatGPT for U.S. Election
  Propaganda (geoff goodfellow)
Regulators May Not Like Deepfakes, But Businesses Are Using Them Anyway (WSJ)
AI Detection Tools Often Fail to Catch Election Deepfakes (WashPost)
Trump posts fake AI images of Taylor Swift and Swifties, falsely suggesting
  he has the singer's support (CNN)
Re: Illinois Voter Data Exposed by Unsecured Databases (Kevin Kostolo)
Re: Corporation Email Looks Like A Scam (Steve Bacher, Geoff Kuenning)
Re: Kroger unveils AI-powered automatic price gouger (John Levine)
Re: NIST announces post quantum encryption standards (John Levine)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 24 Aug 2024 16:00:47 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: FAA Proposes New Cybersecurity Standards For Aircraft (AVweb)

The Federal Aviation Administration introduced changes to its cybersecurity
standards for new aircraft and equipment in a Notice of Proposed Rulemaking
(NPRM) issued Wednesday.

https://www.avweb.com/aviation-news/faa-introduces-new-cybersecurity-for-airplanes-and-aircraft-equipment/

------------------------------

Date: Fri, 16 Aug 2024 11:37:55 -0700
From: "Jim" <jgeissman () socal rr com>
Subject: Power Outages at Port of Los Angeles (LA Times)

If the public face of the port is the forest of cranes and mountain range of
cargo containers, its invisible heart is a network of computers that controls
almost the entire operation. That system, along with a growing multitude of
electric-powered equipment and vehicles, depends on an uninterrupted supply
of electricity. Rebooting all those smart devices, sometimes requiring
workers to climb to the tops of 200-foot cranes, can take several hours, no
matter how brief the outage.

https://www.latimes.com/business/story/2024-08-16/power-outages-a-growing-concern-for-port-of-los-angeles-now-and-down-the-road

------------------------------

Date: Thu, 15 Aug 2024 10:14:09 -0400
From: Tom Van Vleck <thvv () multicians org>
Subject: High-end racing bikes are now vulnerable to hacking (The Verge)

https://www.theverge.com/2024/8/14/24220390/bike-hack-wireless-gear-shifters

Researchers found security vulnerabilities that could let hackers mess with
riders’ gear shifters even from a short distance away. Those weak points
could be exploited “to gain an unfair advantage, potentially causing crashes
or injuries by manipulating gear shifts or jamming the shifting operation.”

------------------------------

Date: Fri, 23 Aug 2024 11:13:43 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Halliburton Hit by Apparent Cyberattack (Matt Egan)

Matt Egan, CNN, 22 Aug 2024, via ACM TechNews

A source said a cyberattack at Halliburton is affecting business operations
at the oilfield services firm's Houston campus and some global networks. In a
statement, Halliburton said, ``We are aware of an issue affecting certain
company systems and are working diligently to assess the cause and potential
impact.'' A U.S. Department of Energy spokesperson said the agency is ``aware
of reports of a cyber-incident impacting an energy services company,''
adding, ``There are no indications that the incident is impacting energy
services at this time.''

------------------------------

Date: Fri, 16 Aug 2024 12:24:47 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: German Cyber-Agency Wants Changes in Microsoft, CrowdStrike Products
  after Outage (Catherine Stupp)

Catherine Stupp, *WSJ* Pro Cybersecurity, 14 Aug 2024, via ACM TechNews

Germany's Federal Office for Information Security (BSI) wants changes in the
way Microsoft gives security providers access to its Windows kernel and the
way CrowdStrike and other cyber firms design their tools, in hopes of curbing
that access. The agency says that its efforts are focused on reducing the
likelihood of a massive tech outage, like the one that resulted from faulty
CrowdStrike software last month.

------------------------------

Date: Sat, 17 Aug 2024 12:45:48 +0000
From: Victor Miller <victorsmiller () gmail com>
Subject: Revoked DigiCert Digital Certificates: 27% Not Yet Replaced
  (BankinfoSecurity)

https://www.bankinfosecurity.com/revoked-digicert-digital-certificates-27-yet-replaced-a-26032

------------------------------

Date: Fri, 23 Aug 2024 11:13:43 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: GM to Cut More Than 1,000 Software Engineers, Mostly in U.S.
  (David Welch)

David Welch, *Bloomberg*, 19 Aug 2024, via ACM TechNews

General Motors Inc. (GM) reportedly will lay off more than 1,000 software
engineers just two months after former Apple executives were hired as senior
vice presidents in the automaker's software and services organization. The
cuts follow GM's increased hiring in software development in recent years as
it expanded into electric vehicles, self-driving cars, and software-related
services.

------------------------------

Date: Fri, 23 Aug 2024 20:55:02 +0000
From: "danny burstein" <dannyb () panix com>
Subject: Feds sue Georgia Tech for lying bigly about computer security (DoJ)

United States Files Suit Against the Georgia Institute of Technology and
Georgia Tech Research Corporation Alleging Cybersecurity Violations

Specifically, the lawsuit alleges that until at least February 2020, the
Astrolavos Lab at Georgia Tech failed to develop and implement a system
security plan, which is required by DoD cybersecurity regulations, that set
out the cybersecurity controls that Georgia Tech was required to put in place
in the lab. Even when the Astrolavos Lab finally implemented a system
security plan in February 2020, the lawsuit alleges that Georgia Tech failed
to properly scope that plan to include all covered laptops, desktops, and
servers.

Additionally, the lawsuit alleges until December 2021, the Astrolavos lab
failed to install, update or run anti-virus or anti-malware tools on
desktops, laptops, servers and networks at the lab. Instead, Georgia Tech
approved the lab's refusal to install antivirus software -- in violation of
both federal cybersecurity requirements and Georgia Tech's own policies -- to
satisfy the demands of the professor who headed the lab.

The lawsuit further alleges that in December 2020 Georgia Tech and GTRC
submitted a false cybersecurity assessment score to DoD for the Georgia Tech
campus. DoD requires contractors to submit summary level scores reflecting
the status of their compliance with applicable cybersecurity requirements on
covered contracting systems that are used to store or access covered defense
information. The submission of this score was a "condition of contract
award" for Georgia Tech's DoD contracts. The lawsuit alleges that the summary
level score of 98 for the Georgia Tech campus that Georgia Tech and GTRC
reported to DoD in December 2020 was false because (1) Georgia Tech did not
actually have a campus-wide IT system and (2) the score was for a
"fictitious" or "virtual" environment and did not apply to any covered
contracting system at Georgia Tech that could or would ever process, store or
transmit covered defense information.

rest:
https://www.justice.gov/opa/pr/united-states-files-suit-against-georgia-institute-technology-and-georgia-tech-research

------------------------------

Date: Thu, 22 Aug 2024 17:10:22 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Policy, due care, and the failure of Heartland Tri-State Bank
  (NBC News)

Some employees I've interacted with have the mindset that policy can impede
them from doing their job. This has shown up in many engagements as things
like "all the developers need admin" or "the senior developers need to be
able to approve their own pull requests". Be wary of being asked to do things
that violate policy.

https://www.nbcnews.com/business/business-news/cryptocurrency-pig-butchering-scam-wrecks-kansas-bank-sends-ex-ceo-pri-rcna167642

If the company adopts a poor practice as policy, follow the policy, but
report the poor practice to your supervisor, the GRC team, or your Ethics
line, should you be in a company large enough to have one. If you have to
deviate from policy to complete a task, it probably is no longer your job. It
can be seen as a violation of due care, and if you have a professional
certification or license you could put yourself at risk.

Obligatory: This is not legal advice as I am not a lawyer, but if you find
yourself in this position, you might want to get one.

------------------------------

Date: Tue, 20 Aug 2024 08:18:13 -0400
From: Tom Van Vleck <thvv () multicians org>
Subject: Birmingham council faces huge loss over Oracle debacle (The Register)

https://www.theregister.com/2024/08/20/birmingham_oracle_cost/

The total cost of Birmingham City Council's Oracle implementation disaster is
set to reach £216.5 million ($280.4 million) by April 2026, according to a
new audit report.

  [This is known as getting Pounded to Death.  PGN]

------------------------------

Date: Thu, 15 Aug 2024 09:42:34 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Which devices on your network are most vulnerable? (Kaspersky)

Infosec teams know all about cyberattacks on servers and desktop computers,
and the optimal protective practices are both well-known and well-developed.
But things get a lot more complicated when it comes to less “visible”
devices -- such as routers, printers, medical equipment, and video
surveillance cameras. Yet they too are often connected to the organization’s
general network along with servers and workstations. The question of which of
these devices should be the top infosec priority, and what risk factors are
key in each case, is the subject of the “Riskiest Connected Devices in 2024”
report. <https://www.forescout.com/resources/2024-riskiest-connected-devices/>.

Its authors analyzed more than 19 million devices: work computers, servers,
IoT devices, and specialized medical equipment. For each individual device, a
risk level was calculated based on known and exploitable vulnerabilities,
open ports accessible from the Internet, and malicious traffic sent from or
to the device. Also factored in were the importance of the device to its
respective organization, and the potential critical consequences of
compromise. Here are the devices that researchers found to be most often
vulnerable and high-risk. [...]

https://www.kaspersky.com/blog/riskiest-it-and-iot-devices-in-organization/51958/

------------------------------

Date: Sat, 24 Aug 2024 03:12:51 +0000
From: Richard Marlon Stein <rmstein () protonmail com>
Subject: The Long Arms of Terms of Service (NYTimes)

https://www.nytimes.com/2024/08/20/nyregion/disney-arbitration-allergy-death-lawsuit.html

Terms of service, the fine print most consumers automatically accept w/o
examination when visiting a website, establish corporate indemnification
rights. Indemnification empowers corporate commercial impunity to deter
lawsuits against employees (with heavier thumb toward CxOs and board members)
for defects arising from products/services issues you purchase.

You'd think that eating a meal at a Disney theme park should be safe 99.99%
of the time (or better). But if you are injured, or die from food poisoning
or an allergic reaction, you'd think your family or estate would have the
right to sue? Not if you're a Disney+ product subscriber where the ToSes
consumers accept extend across the entire Disney empire!

Disney backed down from challenging the lawsuit's legitimacy. Other
monopolies may not indulge consumers, and their legal rights, to sue. Guess
the Disney brand outrage valuation was greater than the comparative chump
change they'd disgorge to settle out-of-court.

------------------------------

Date: Fri, 16 Aug 2024 12:24:47 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Meta Kills Off Misinformation Tracking Tool (Barbara Ortutay)

Barbara Ortutay, *Associated Press*, 14 Aug 2024, via ACM TechNews

Meta Platforms on Wednesday shut down CrowdTangle, a tool widely used by
researchers, watchdog organizations, and journalists to track how
misinformation spreads on the company's platforms. In May, dozens of groups
sent a letter to the company asking that it keep the tool running through at
least January so it would be available through the U.S. presidential
elections. Meta has released an alternative, called the Meta Content Library,
but access is limited to academic researchers and nonprofits, which excludes
most news organizations.

------------------------------

Date: Tue, 20 Aug 2024 19:01:00 +0200
From: Thomas Koenig <tkoenig () netcologne de>
Subject: Microsoft Copilot makes a court reporter into a child molester (Heise)

Most AI fails are fairly funny. This one is not.

Microsoft Copilot [turned] a court reporter into a child molester, a cheater
of widows, and more, because he reported on those cases. He also provided the
reporter's private address, phone number and even offered to plan a route to
his home.

"Horrible" does not even begin to describe this.

https://www.heise.de/news/Copilot-macht-aus-einem-Gerichtsreporter-einen-Kinderschaender-9840437.html

------------------------------

Date: Wed, 21 Aug 2024 00:24:37 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: AI Cheating Is Getting Worse (The Atlantic)

Colleges still don’t have a plan.

https://www.theatlantic.com/technology/archive/2024/08/another-year-ai-college-cheating/679502/

------------------------------

Date: Fri, 23 Aug 2024 11:13:43 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: U.S. Government Wants You -- Yes, You -- to Hunt Down Generative AI
  Flaws (Lily Hay Newman)

Lily Hay Newman, *WiReD*, 21 Aug 2024, via ACM TechNews

Ethical AI and algorithmic assessment nonprofit Humane Intelligence and the
National Institute of Standards and Technology (NIST) are calling for public
participation in the qualifying round of NIST's Assessing Risks and Impacts
of AI challenge. Those who make it through the online qualifier will
participate in an in-person red-teaming event to assess AI office
productivity software at the Conference on Applied Machine Learning in
Information Security in October. Said Humane Intelligence's Theo Skeadas, "We
want to democratize the ability to conduct evaluations and make sure everyone
using these models can assess for themselves whether or not the model is
meeting their needs."

------------------------------

Date: Thu, 22 Aug 2024 17:29:31 -0400
From: Jan Wolitzky <jan.wolitzky () gmail com>
Subject: Silicon Valley Is Coming Out in Force Against an AI-Safety Bill
  (The Atlantic)

Since the start of the AI boom, the attention on this technology has focused
on not just its world-changing potential, but also fears of how it could go
wrong. A set of so-called AI doomers have suggested that artificial
intelligence could grow powerful enough to spur nuclear war or enable
large-scale cyberattacks. Even top leaders in the AI industry have said that
the technology is so dangerous, it needs to be heavily regulated.

A high-profile bill in California is now attempting to do that. The proposed
law, Senate Bill 1047, introduced by State Senator Scott Wiener in February,
hopes to stave off the worst possible effects of AI by requiring companies to
take certain safety precautions. Wiener objects to any characterization of it
as a doomer bill. ``AI has the potential to make the world a better place,''
he told me yesterday. ``But as with any powerful technology, it brings
benefits and also risks.''

https://www.theatlantic.com/technology/archive/2024/08/california-ai-bill-scott-wiener/679554/?gift=Qx7fRJFS6bOSKQEaDyJsUFZg62Uk8_L5u692B7yn8pA&utm_source=copy-link&utm_medium=social&utm_campaign=share

------------------------------

Date: Fri, 23 Aug 2024 11:13:43 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: A Loophole in Digital Wallet Security (UMass)

University of Massachusetts Amherst, 14 Aug 2024, via ACM TechNews

University of Massachusetts Amherst computer engineers found that Apple Pay,
Google Pay, PayPal, and similar digital wallets are not secure, as they rely
on outdated authentication methods and put a higher priority on convenience
than security. The researchers noted that digital wallets lack an adequate
mechanism to authenticate whether the user of a payment card is the
registered cardholder, adding that when cards are reported stolen, banks
block transactions from the physical card, but not digital wallet
transactions.

------------------------------

Date: Thu, 15 Aug 2024 07:09:10 -0700
From: "Jim" <jgeissman () socal rr com>
Subject: AI is an energy hog. It's a strain on the power grid (LA Times)

http://enewspaper.latimes.com/infinity/article_share.aspx?guid=9d48d648-d627-4aed-b665-4a0e785907d4

------------------------------

Date: Fri, 16 Aug 2024 07:04:36 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: AI and stand-up comedy

Some comedians are turning to artificial intelligence for their new material.

“Why did the politician bring a ladder to the debate? To make sure he could
reach new heights with his promises!”

Ask AI to write a political joke, and the above is an example of what you can
get. Perhaps not funny enough to deliver on stage in front of a paying
audience, but that doesn’t mean there is no room for AI in comedy.

Comedians are increasingly experimenting with the technology to write scripts
and brainstorm ideas, including Anesti Danelis. Earlier this year, the
Canadian asked popular AI chatbot ChatGPT to write him a show. The result is
what he has been performing throughout this summer, including at this month’s
Edinburgh Festival Fringe. [...]

https://www.bbc.com/news/articles/c1jll2k0gewo

------------------------------

Date: Thu, 22 Aug 2024 06:44:54 -0700
From: "Steve Bacher" <sebmb1 () verizon net>
Subject: These 'living computers' are made from human neurons — and you can
  rent one for $500 a month (LiveScience)

In the search for less energy-hungry artificial intelligence, some scientists
are exploring living computers.

https://www.livescience.com/technology/artificial-intelligence/these-living-computers-are-made-from-human-neurons

------------------------------

Date: Fri, 16 Aug 2024 21:53:11 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Florida company faces multiple lawsuits after massive data breach (CBC)

https://www.cbc.ca/news/national-public-data-breach-lawsuits-1.7297197

A Florida-based company is facing multiple proposed class actions, after a
massive data breach that one suit claims leaked nearly three billion files
containing personal data on people in Canada, the U.S. and the U.K.,
including names and home addresses.

One of the first suits to be reported on was a proposed class action filed
1 Aug by California resident Christopher Hofmann in the U.S. District Court
for the Southern District of Florida. It alleges that a hacking group called
USDoD posted a database on 8 Apr called "National Public Data" on a dark web
forum claiming to have the personal data of 2.9 billion individuals, and
attempted to sell it for $3.5 million U.S.

Tech site Bleeping Computer reported that a hacker then leaked a version of
the stolen data for free on a hacking forum on 6 Aug 2024.

------------------------------

Date: Mon, 19 Aug 2024 10:59:08 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Number of Women Taking CS Degrees in UK Continues to Grow (BCS)

British Computer Society (08/15/24), via ACM TechNews

The Chartered Institute for IT cited data from the Universities and Colleges
Admissions Service in reporting an 8% increase in UK-domiciled 18-year-old
women enrolled in degree-level computing programs this fall, compared to the
2023-24 school year. While still at around 4:1, the male to female ratio in
the area continues to narrow as participation by female students increases.

------------------------------

Date: Tue, 4 Jun 2024 09:58:31 -0700
From: "Jim" <jgeissman () socal rr com>
Subject: Is it safer to use an app or a website on your phone? (WashPost)

We asked the experts, and share steps to be safer and more private online.

https://wapo.st/3Ku5lfz

------------------------------

Date: Thu, 15 Aug 2024 06:39:11 -0700
From: "Jim" <jgeissman () socal rr com>
Subject: My latest column: How the lab leak controversy will harm you

We now see a long-term risk of having fewer experts engaged in work that may
help thwart future pandemics, and of fewer scientists willing to communicate
the findings of sophisticated, fast-moving research topics that are important
for global health.

------------------------------

Date: Mon, 19 Aug 2024 10:59:08 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Android Phones Sold with Hidden Insecure Feature (Joseph Menn)

Joseph Menn, *The Washington Post*, 15 Aug 2024, via ACM TechNews

Google's master software for some Android phones includes a hidden feature
that could be activated to allow remote control or spying on users, according
to security company iVerify, which found the feature inside phones at a U.S.
intelligence contractor. The feature is intended to give employees at stores
deep access to phones so they can demonstrate how they work. The application,
called Showcase.apk, is normally dormant, but iVerify was able to enable it
on a device in its possession.

------------------------------

Date: Fri, 16 Aug 2024 12:24:47 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Nightly Waymo Robotaxi Parking Lot Honkfest Is Waking Neighbors
  (Wes Davis)

Wes Davis, *The Verge*, 14 Aug 2024, via ACM TechNews

San Francisco-based software engineer Sophia Tung launched a livestream
earlier this month showing the late-night activity in a parking lot rented by
Waymo for its robotaxis. Tung noted that the parking lot generally fills up
with the robotaxis around 4am, with an hour or so of honking as the vehicles
back up and pull in or out. Waymo's Chris Bonelli said the company is "aware
that in some scenarios our vehicles may briefly honk while navigating our
parking lots" and is working to fix the behavior.

  [Also noted by Gabe Goldberg.  PGN]

------------------------------

Date: Mon, 19 Aug 2024 08:13:05 -0600
From: Joe Loughry <joe () netoir com>
Subject: Denver Water's loss of pressure at 5 AM every Monday is the same
  problem as San Francisco's 4 AM robot taxi honkfest

"A nightly Waymo robotaxi parking lot honkfest is waking San Francisco
neighbors"
https://www.theverge.com/2024/8/11/24218134/waymo-parking-lot-livestream-honking-4am-san-francisco

"Monday morning blues strike Denver Water as heavy auto sprinkler use
stresses its system"

Denver-area homeowners and businesses, in their race to start their automatic
sprinklers at 5am on Monday mornings, are putting unprecedented stress on
Denver Water’s delivery system, threatening its supply of locally stored,
treated water. [...]

https://coloradosun.com/2024/08/19/denver-water-lawn-sprinkling-monday-morning-drought/

  [WatEr You Waiting For?  Why not 4am?  That seems to be even more
  attention-grabbing, especially on a Monday morning.  PGN]

------------------------------

Date: Sat, 17 Aug 2024 00:16:13 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: OpenAI Blocks Iranian Influence Operation Using ChatGPT for U.S.
  Election Propaganda

OpenAI on Friday said it banned a set of accounts linked to what it said was
an Iranian covert influence operation that leveraged ChatGPT to generate
content that, among other things, focused on the upcoming U.S. presidential
election.

"This week we identified and took down a cluster of ChatGPT accounts that
were generating content for a covert Iranian influence operation identified
as Storm-2035," OpenAI said. "The operation used ChatGPT to generate content
focused on a number of topics -- including commentary on candidates on both
sides in the U.S.

------------------------------

Date: Sat, 24 Aug 2024 19:37:16 -0400
From: Monty Solomon <monty () roscom com>
Subject: Regulators May Not Like Deepfakes, But Businesses Are Using Them
  Anyway (WSJ)

With AI regulation at an embryonic stage, companies are charting their own
course in creating audio and video avatars, cognizant of the legal hazards.
``It's a minefield right now,'' says one executive.

https://www.wsj.com/articles/regulators-may-not-like-deepfakes-but-businesses-are-using-them-anyway-1c3a5ccb

------------------------------

Date: Fri, 23 Aug 2024 11:13:43 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: AI Detection Tools Often Fail to Catch Election Deepfakes (WashPost)

Kevin Schaul, Pranshu Verma and Cat Zakrzewski, The Washington Post,
15 Aug 2024, via ACM TechNews

An April study by the Reuters Institute for the Study of Journalism revealed
how basic software tricks and editing techniques can fool many deepfake
detectors. A 2023 study by U.S., Australian, and Indian researchers found
accuracy rates for deepfake detectors ranged from just 25% to 82%. University
of California at Berkeley computer science professor Hany Farid said the
datasets used to train detectors mainly contain lab-created, not real-world,
deepfakes and perform poorly in identifying abnormal patterns in body
movement or lighting.

------------------------------

Date: Mon, 19 Aug 2024 10:58:18 -0700
From: Lauren Weinstein <lauren () vortex com>
Subject: Trump posts fake AI images of Taylor Swift and Swifties, falsely
  suggesting he has the singer's support (CNN)

https://www.cnn.com/2024/08/19/politics/donald-trump-taylor-swift-ai/index.html

------------------------------

Date: Mon, 19 Aug 2024 08:37:08 -0500
From: Kevin Kostolo <kevinkostolo2005 () gmail com>
Subject: Re: Illinois Voter Data Exposed by Unsecured Databases [RISKS]
  (RISKS-34.40)

Googling the subject line brings up at least a half-dozen articles that are
less informative than the paragraph in RISKS. Wired even tries to capitalize
on the news by putting it behind a paywall. The best source of information is
from the security researcher himself.

https://www.vpnmentor.com/news/report-election-records-breach/

------------------------------

Date: Thu, 15 Aug 2024 08:59:50 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Re: Corporation Email Looks Like A Scam (RISKS-34.40)

I have seen the same thing with survey requests coming from major outfits
with which I conduct business. The links to complete the survey usually point
to some third party surveying site (which is usually unfamiliar to me if it's
not a well-known site like surveymonkey.com). That makes me hesitant to
respond, which doesn't help the business very much.

------------------------------

Date: Thu, 15 Aug 2024 15:31:44 -0700
From: Geoff Kuenning <geoff () cs hmc edu>
Subject: Re: Corporation Email Looks Like A Scam (RISKS-34.40)

I have found that lots of corporations send spammy emails; every month when I
clean out my spam boxes I find legitimate messages (although they're rarely
important). The problem is so bad that it's common for companies to tell you
either to add something to your don't-block list (usually your contacts
folder) or to just look in your spam folder for the message. But it never
occurs to them to examine their own emails for widely recognized spam flags
even though it's trivial to run stuff through tools like spamassassin.

I suppose it's because marketing people never talk to IT people.

------------------------------

Date: 15 Aug 2024 17:01:36 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: Kroger unveils AI-powered automatic price gouger
  (Pivot to AI, RISKS-34.40)

A chain in Europe has been doing this for a while, but after some initial
screwups they are now careful that during the day the prices only drop, and
any increases happen overnight while the store is closed.

There are reasonable uses for this, perishable stuff like produce and fresh
bread where they drop the price late in the day for stuff they will have to
discard if it doesn't sell.

------------------------------

Date: 15 Aug 2024 17:09:46 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: NIST announces post quantum encryption standards
  (SecurityWeek, RISKS-34.40)

According to Cliff Kilby <cliffjkilby () gmail com>:
> https://www.securityweek.com/post-quantum-cryptography-standards-officially-announced-by-nist-a-history-and-explanation/
>
> Nothing has changed. If your org is using strong encryption, this is
> a horizon problem. If your org isn't using strong encryption or is using a
> soon to be deprecated encryption method, these new standards will likely
> not exist in your vendor or standard library soon enough to adopt.

More to the point, this only matters if you are encrypting stuff where it
would be a problem if someone saved a copy of it and decrypted it a decade or
two from now. There is material like that in the national security world, but
for the usual stuff like TLS certificates or DKIM mail signatures, it doesn't
matter. Those keys are usually rotated at least yearly, the encrypted data or
signature is interesting for at most a few weeks, and it's going to be many
years, if ever, before there are quantum computers that would be worth using
to crack them.

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing
 on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.41
************************