RISKS Forum mailing list archives
Risks Digest 34.44
From: RISKS List Owner <risko () csl sri com>
Date: Sun, 8 Sep 2024 18:02:45 PDT
RISKS-LIST: Risks-Forum Digest  Sunday 8 Sep 2024  Volume 34 : Issue 44

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.44>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Bypassing airport security via SQL injection (Tom Van Vleck)
How Navy chiefs conspired to get themselves illegal warship Wi-Fi (Navy Times)
Chinese Government Hackers Penetrate U.S. ISPs (Joseph Menn)
New Yubikey vulnerability (ArsTechnica)
JPMorgan Plans to Report Customers Who Exploited TikTok ‘Glitch’ to
  Authorities (WSJ)
California Passes AI Safety Bill (Bloomberg)
Musk and xAI accused of worsening Memphis smog with unauthorized turbines (CNBC)
AI Could Engineer a Pandemic, Experts Warn (Time)
The Bands and the Fans Were Fake. The $10 Million Was Real.
  (NYTimes)
Kids who use ChatGPT as a study assistant do worse on tests (Hechinger Report)
Chatbots Are Primed to Warp Reality (The Atlantic)
Automated trading bots scheme results in millions of dollars, Teslas, Rolexes,
  and federal wire-fraud convictions (Justice)
Former Tesla Autopilot Head And Ex-OpenAI Researcher Says 'Programming Is
  Changing So Fast' That He Cannot Think Of Going Back To Coding Without AI
  (Benzinga)
Electric toothbrushes and light-up sneakers are setting France on fire (Politico)
Wake me when the Internet of Things is over (StraitsTimes.com)
Risks of Rogue WiFi on Navy ships (Navy Times)
In feud with Musk, Brazilian justice restricts access to X (LA Times)
North Korea Aggressively Targeting Crypto Industry with Well-Disguised Social
  Engineering Attacks (IC3)
Five-day O2/Telefonica DSL outage in Berlin, Germany (SCTB)
What The CrowdStrike Outage Can Teach Us about Testing and Failure Modes
  (Packet Pushers)
Visa required for EU entry starting next year (Edward Hasbrouck)
Russian 'spy whale' found dead off Norway (BBC)
Re: Moscow's Spies Were Stealing U.S.
  Tech, Until the FBI Started a Sabotage Campaign (Amos Shapir)
Foreign Policy: TikTok ban & global data commons (Cliff Kilby)
How Telegram Became Criminals’ Favorite Marketplace (WSJ)
Telegram Founder's Indictment Thrusts Encryption into the Spotlight (NYTimes)
Re: Telegram billionaire co-founder Pavel Durov arrested (John Levine)
Re: Feds sue Georgia Tech for lying bigly about computer security
  (Dylan Northrup)
Re: Standard security policies and variances (Charles Cazabon)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 30 Aug 2024 09:13:33 -0400
From: Tom Van Vleck <thvv () multicians org>
Subject: Bypassing airport security via SQL injection

https://ian.sh/tsa
  • Ian Carroll (https://twitter.com/iangcarroll)
  • Sam Curry (https://twitter.com/samwcyo)

``KCM is a TSA program that allows pilots and flight attendants to bypass
security screening, even when flying on domestic personal trips. A similar
system also exists for cockpit access, called the Cockpit Access Security
System (CASS).''

ARINC (a subsidiary of Collins Aerospace) operates a site called FlyCASS
which pitches small airlines a web-based interface to CASS. Apparently this
system was operated by only one person. The FlyCASS site was vulnerable to a
very simple SQL injection attack. A test of this allowed the researchers to
add names, authorizations, and photos to the database. The researchers
reported the issue to the Department of Homeland Security and the problem
was addressed... see the web page for the story.

------------------------------

Date: Thu, 5 Sep 2024 08:31:14 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: How Navy chiefs conspired to get themselves illegal warship Wi-Fi
  (Navy Times)

A scathing Navy investigation reveals how USS Manchester's enlisted leaders
endangered their ship with an unauthorized Starlink Wi-Fi setup.
Key paragraphs:

Unauthorized Wi-Fi systems like the one Marrero set up are a massive no-no
for a deployed Navy ship, and Marrero’s crime occurred as the ship was
deploying to the West Pacific, where such security concerns become even more
paramount among heightened tensions with the Chinese.
  https://www.militarytimes.com/news/your-military/2023/09/12/elon-musk-blocking-starlink-to-stop-ukraine-attack-troubling-for-dod/

“The installation and usage of Starlink, without the approval of higher
headquarters, poses a serious risk to mission, operational security, and
information security,” the investigation states.

https://www.navytimes.com/news/your-navy/2024/09/03/how-navy-chiefs-conspired-to-get-themselves-illegal-warship-wi-fi/

The article also says:

  Marrero’s “egregious misconduct” with the illegal Wi-Fi “cannot be
  understated,” the investigating officer wrote

  [Of course it can be understated! OTOH, it probably cannot be overstated,
  and/or should not be understated.]

------------------------------

Date: Fri, 30 Aug 2024 11:23:01 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Chinese Government Hackers Penetrate U.S. ISPs (Joseph Menn)

Joseph Menn, *The Washington Post*, 27 Aug 2024, via ACM TechNews

U.S. Internet service providers (ISPs) have been breached by Chinese
government-backed hackers, say researchers, with the goal of gathering
intelligence on users. Government and military personnel working undercover
and groups of strategic interest to China are thought to be the primary
targets. Lumen Technologies researchers said three U.S. ISPs were hacked
this summer via a previously unknown zero-day flaw in a Versa Networks
program used for managing wide-area networks.
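The FlyCASS item at the top of this issue says only that the site fell to a "very simple" SQL injection, without showing what that looks like. The following is an added illustration of that bug class and is not code from FlyCASS, ARINC or the researchers' write-up: a lookup query assembled by string interpolation placed next to the same query with bound parameters. The table layout, column names, sample rows and the payload are all constructed for the demo; nothing here is known about the real site's schema or queries.

```python
"""SQL injection by string interpolation vs. bound parameters.

Added example, not code from FlyCASS, ARINC or the researchers' write-up.
The 'crew' table, its columns, the sample rows and the payload are
assumptions constructed for this demo.
"""
import sqlite3


def build_db() -> sqlite3.Connection:
    """In-memory database with a constructed 'crew' table (sample data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE crew (employee_id TEXT, airline TEXT, name TEXT, password TEXT)"
    )
    conn.executemany(
        "INSERT INTO crew VALUES (?, ?, ?, ?)",
        [
            ("1001", "ACME", "A. Pilot", "s3cret"),
            ("1002", "ACME", "B. Attendant", "hunter2"),
        ],
    )
    return conn


def login_vulnerable(conn, employee_id: str, password: str):
    """Interpolates user input straight into the SQL text.

    A quote character inside an attacker-supplied value terminates the
    string literal, so the rest of the input is parsed as SQL and the
    WHERE clause is rewritten by whoever fills in the form.
    """
    sql = (
        "SELECT name FROM crew WHERE employee_id = '%s' AND password = '%s'"
        % (employee_id, password)
    )
    return [row[0] for row in conn.execute(sql)]


def login_parameterised(conn, employee_id: str, password: str):
    """Same query with bound parameters: input is data, never SQL syntax."""
    sql = "SELECT name FROM crew WHERE employee_id = ? AND password = ?"
    return [row[0] for row in conn.execute(sql, (employee_id, password))]


# Classic tautology payload: closes the literal, ORs in an always-true
# condition, and comments out the remainder of the statement ('--' starts
# a line comment in SQLite, as in most dialects).
PAYLOAD = "' OR 1=1 --"


def demo():
    """Returns (legitimate login, vulnerable+payload, parameterised+payload)."""
    conn = build_db()
    legit = login_vulnerable(conn, "1001", "s3cret")      # one matching row
    bypass = login_vulnerable(conn, PAYLOAD, "wrong")     # every row leaks
    blocked = login_parameterised(conn, PAYLOAD, "wrong") # no match at all
    return legit, bypass, blocked


if __name__ == "__main__":
    legit, bypass, blocked = demo()
    print("legitimate login:      ", legit)
    print("vulnerable + payload:  ", bypass)
    print("parameterised + payload:", blocked)
```

Run it and the interpolated version returns every row for an attacker-controlled employee_id and a wrong password, while the parameterised version treats the same string as an ordinary value and returns nothing. The fix is the second function; the point is that the database driver, not the application's own quoting, decides what is data and what is syntax.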
------------------------------

Date: Tue, 3 Sep 2024 16:04:16 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: New Yubikey vulnerability (ArsTechnica)

https://arstechnica.com/security/2024/09/yubikeys-are-vulnerable-to-cloning-attacks-thanks-to-newly-discovered-side-channel/2/

FWIW, this changes nothing. FIDO is still better than TOTP is still better
than either SMS or email verification. To effect a clone, the fob must be
out of your possession for an extended period of time (the source denotes 10
hours but calls that short) and the attacker needs a full lab and external
data to do anything with it.

Do monthly inventories of all assets (including backup fobs), and have a
lost-device process (which should include fobs). Authentication attempts
should be throttled, captcha'ed, and have auto disable/lock enforced. I
would add the specifics that any account that is flagged as "break-glass"
should be monitored and alarmed for any authentication attempt, successful
or not. If attempting to use it doesn't set off every alarm in the building,
or it can be used if every alarm isn't already going off, it cannot be a
break-glass account.

Still, shame on Yubico for not validating constant-time encryption on all
their products. I understand the Infineon cryptographic library comes with a
"trust us, bro" NDA, which may have hampered testing. I guess that means
that obscurity still means insecurity.

  [I've had THREE yubikeys lately. The second was part of an SRI-wide, but
  it could not be installed.
  PGN]

------------------------------

Date: Sat, 7 Sep 2024 22:23:05 -0400
From: Monty Solomon <monty () roscom com>
Subject: JPMorgan Plans to Report Customers Who Exploited TikTok ‘Glitch’ to
  Authorities (WSJ)

Thousands of people withdrew money after depositing bad checks.

https://www.wsj.com/finance/banking/jpmorgan-plans-to-report-customers-who-exploited-tiktok-glitch-to-authorities-cb5f5cef

------------------------------

Date: Fri, 30 Aug 2024 11:23:01 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: California Passes AI Safety Bill (Bloomberg)

Shirin Ghaffary, *Bloomberg*, 29 Aug 2024, via ACM TechNews

California's legislature approved an AI safety bill opposed by many tech
companies. The measure moved to Governor Gavin Newsom's desk after passing
the state Assembly Wednesday, with the Senate granting final approval
Thursday. SB 1047 mandates that companies developing AI models take
"reasonable care" to ensure that their technologies don't cause "severe
harm," such as mass casualties or property damage above $500 million.

  [One problem with this is that Human Safety is an emergent property of the
  entire system -- hardware, software, networks, and apps -- and not a
  property that can be evaluated in the AI alone. If the AI cannot satisfy
  its own properties, that is a bad thing. However, even if it can do so,
  the rest of the system may still do harm. Ergo, the AI itself may not be
  user-friendly and safe unless everything else is also.
  PGN]

------------------------------

Date: Fri, 30 Aug 2024 10:51:12 -0400
From: Chad Dougherty <crd () acm org>
Subject: Musk and xAI accused of worsening Memphis smog with unauthorized
  turbines (CNBC)

https://www.cnbc.com/2024/08/28/musk-xai-accused-of-worsening-memphis-smog-with-unauthorized-turbines.html

------------------------------

Date: Fri, 30 Aug 2024 11:23:01 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: AI Could Engineer a Pandemic, Experts Warn (Time)

Tharin Pillay and Harry Booth, *Time*, 27 Aug 2024, via ACM TechNews

A policy paper from public health and legal professionals at Stanford School
of Medicine, Fordham University, and the Johns Hopkins Center for Health
Security calls for mandatory oversight and guardrails for advanced
biological AI models. The authors wrote they believe governments should
collaborate with machine learning, infectious disease, and ethics experts to
develop tests to determine whether biological AI models could pose
"pandemic-level risks."

------------------------------

Date: Thu, 5 Sep 2024 08:22:45 -0700
From: Jim Geisman <jgeissman () socal rr com>
Subject: The Bands and the Fans Were Fake. The $10 Million Was Real. (NYTimes)

Federal prosecutors charged a North Carolina musician with gaming the system
to win royalties from streaming services including Spotify, Apple Music and
Amazon Music.

A North Carolina man used artificial intelligence to create hundreds of
thousands of fake songs by fake bands, then put them on streaming services
where they were enjoyed by an audience of fake listeners, prosecutors said.
Penny by penny, he collected a very real $10 million, they said when they
charged him with fraud.

The man, Michael Smith, 52, was accused in a federal indictment unsealed on
Wednesday of stealing royalty payments from digital streaming platforms for
seven years. Mr.
Smith, a flesh-and-blood musician, produced A.I.-generated music and played
it billions of times using bots he had programmed, according to the
indictment.

The supposed artists had names like "Callous Post," "Calorie Screams" and
"Calvinistic Dust" and produced tunes like "Zygotic Washstands,"
"Zymotechnical" and "Zygophyllum" that were top performers on Amazon Music,
Apple Music and Spotify, according to the charges.

"Smith stole millions in royalties that should have been paid to musicians,
songwriters, and other rights holders whose songs were legitimately
streamed," Damian Williams, the U.S. attorney for the Southern District of
New York, said in a statement on Wednesday.

https://www.nytimes.com/2024/09/05/nyregion/nc-man-charged-ai-fake-music.html

  [Also noted by Steve Bacher. Matthew Kruk spotted
  https://www.bbc.com/news/articles/cly3ld9wy3eo
  PGN]

------------------------------

Date: Sat, 7 Sep 2024 06:34:47 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Kids who use ChatGPT as a study assistant do worse on tests
  (Hechinger Report)

An experiment in a Turkish high school shows that using ChatGPT in math can
“substantially inhibit learning.” Even a fine-tuned version of ChatGPT
designed to mimic a tutor doesn’t necessarily help.

https://hechingerreport.org/kids-chatgpt-worse-on-tests/

------------------------------

Date: Mon, 2 Sep 2024 06:46:25 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Chatbots Are Primed to Warp Reality (The Atlantic)

A growing body of research shows how AI can subtly mislead users -- and even
implant false memories.

https://www.theatlantic.com/technology/archive/2024/08/chatbots-false-memories/679660/

------------------------------

Date: Sat, 7 Sep 2024 12:47:25 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Automated trading bots scheme results in millions of dollars, Teslas,
  Rolexes, and federal wire-fraud convictions (Justice)

ALEXANDRIA, VA.
-- A Great Falls man pled guilty on July 23 to wire fraud and a Florida man
was sentenced yesterday for his role in the wire fraud conspiracy.

According to court documents, Rick Tariq Rahim, 56, defrauded customers who
wanted to invest using Rahim’s automated trading bots, some of which traded
forex, and by “copying” Rahim’s supposed trading activities that he posted
to Discord. He marketed his products under BotsforWealth,
TradeAutomation.com, ProChartSignals.com, OptionCopier.com, CopyAndWin.com,
SnipeAlgo.com, and QQQtrade.com. Rahim charged customers a subscription fee
for access to Rahim’s bots, software, and copying his supposed trades. Rahim
also offered a “lifetime membership” with which customers received access to
Rahim’s private Discord channel, some of his products, as well as his
“in-office” trading days. Additionally, Rahim personally traded stocks for
at least two individuals, claiming that "We'll hit home runs and make $500k+
per day very very often." Instead, Rahim lost over $300,000 of his clients’
funds in eight months.

Rahim induced customers to subscribe to his products by using video-centric,
internet-based social media tools, including TikTok, YouTube, and Discord.
He posted false information to his websites and to his social media accounts
claiming to “beat the stock market every day” and promising extreme profit
margins. Rahim also sought to induce customers by claiming he was extremely
wealthy, boasting about trading millions of dollars and posting about his
large home, pool, and luxury cars, including his Lamborghini. Despite
claiming to regularly beat the market, however, he exaggerated his personal
trading success, in part by not posting trades in which he lost money. In
fact, Rahim realized over $500,000 in losses from February 2021 through
December 2022. He did not invest millions in the market during this time
period as he had claimed.
As part of his fraud scheme, Rahim also created at least 20 Discord user
profiles to post emojis, likes, and symbols showing agreement and excitement
regarding Rahim’s posts. Rahim earned at least $1,397,000 in subscription
fees during the course of his schemes. After accepting the guilty plea, the
court ordered that Rahim not give any financial investment advice to anyone
for a fee.

https://www.justice.gov/usao-edva/pr/automated-trading-bots-scheme-results-millions-dollars-teslas-rolexes-and-federal-wirez

------------------------------

Date: Sun, 25 Aug 2024 08:07:11 -0700
From: "Jim" <jgeissman () socal rr com>
Subject: Former Tesla Autopilot Head And Ex-OpenAI Researcher Says
  'Programming Is Changing So Fast' That He Cannot Think Of Going Back To
  Coding Without AI (Benzinga)

Having AI to help coding reminds me of how long ago composers like Haydn
might write out the main parts, but give only hints about the
accompaniment, which is left to the copyist to fill in.

------------------------------

Date: Sun, 1 Sep 2024 08:06:12 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Electric toothbrushes and light-up sneakers are setting France on
  fire (Politico)

Waste treatment plants have seen an uptick in fires caused by lithium-ion
batteries in household goods.

CATUS, France — Every day at the Syded waste treatment plant in the Lot
region of southwestern France, the company collects, sorts and treats up to
80 metric tons of household and business waste. And every day, its 266
employees have to look out for an electric toothbrush, a single-use vape or
a broken toy that could set the whole place on fire.

“Had you called me 4 or 5 years ago I would have said [fires occur] ‘from
time to time’ but now the risk of fire defines my day-to-day,” said Hervé
Coulaud, environment director at the Syded plant.

The problem, it turns out, is batteries — specifically, lithium-ion
batteries.
As the technology has advanced and the batteries have become smaller and
more efficient, they've shown up in ever more household goods, from musical
birthday cards to diapers that beep when they're too wet. But if these tiny
power sources aren't removed and disposed of separately when an item is
thrown away, they end up in mainstream waste plants and get crushed. And
that's the moment they can ignite and send the whole place up in flames.
[...]

https://www.politico.eu/article/electric-toothbrush-light-up-sneakers-france-household-waste-fires-studies-product/

------------------------------

Date: Thu, 05 Sep 2024 06:26:52 +0000
From: Richard Marlon Stein <rmstein () protonmail com>
Subject: Wake me when the Internet of Things is over (StraitsTimes.com)

https://www.straitstimes.com/opinion/wake-me-when-the-internet-of-things-is-over
  [Reprinted from
  https://www.bloomberg.com/opinion/articles/2024-09-04/internet-of-things-is-falling-flat-with-consumers]

"Makers of smart washing machines and refrigerators should admit defeat and
let dumb things remain dumb."

Wiser words were never written on IoT. Time to disconnect that IoT-enabled
Roti maker.

  [Guesses are it will never be over, even if it never gets smart and uses
  trustworthy components. Home owners don't seem to care. PGN]

------------------------------

Date: Wed, 4 Sep 2024 07:17:16 -0400
From: George Neville-Neil <gnn () neville-neil com>
Subject: Risks of Rogue WiFi on Navy ships (Navy Times)

https://www.navytimes.com/news/your-navy/2024/09/03/how-navy-chiefs-conspired-to-get-themselves-illegal-warship-wi-fi/

  [Illegal in the sense it is not sufficiently trustworthy and not
  certified? Or because it is Chinese or Russian? Or all of the above and
  more? PGN]

------------------------------

Date: Sun, 1 Sep 2024 18:10:17 -0700
From: "Jim" <jgeissman () socal rr com>
Subject: In feud with Musk, Brazilian justice restricts access to X (LA Times)

Internet vs national sovereignty.
The judge said Musk showed "total disrespect for Brazilian sovereignty and,
in particular, for the judiciary, setting himself up as a true supranational
entity and immune to the laws of each country."

http://enewspaper.latimes.com/infinity/article_share.aspx?guid=c8f44e6b-67e5-4931-974e-f5e1c1fcc546

------------------------------

Date: Sat, 7 Sep 2024 12:45:46 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: North Korea Aggressively Targeting Crypto Industry with
  Well-Disguised Social Engineering Attacks (IC3)

The Democratic People's Republic of Korea ("DPRK" aka North Korea) is
conducting highly tailored, difficult-to-detect social engineering campaigns
against employees of decentralized finance ("DeFi"), cryptocurrency, and
similar businesses to deploy malware and steal company cryptocurrency. North
Korean social engineering schemes are complex and elaborate, often
compromising victims with sophisticated technical acumen. Given the scale
and persistence of this malicious activity, even those well versed in
cybersecurity practices can be vulnerable to North Korea's determination to
compromise networks connected to cryptocurrency assets.

North Korean malicious cyber actors conducted research on a variety of
targets connected to cryptocurrency exchange-traded funds (ETFs) over the
last several months. This research included pre-operational preparations
suggesting North Korean actors may attempt malicious cyber activities
against companies associated with cryptocurrency ETFs or other
cryptocurrency-related financial products.

https://www.ic3.gov/Media/Y2024/PSA240903

------------------------------

Date: 30 Aug 2024 13:16:34 +0200
From: risks () sctb ch
Subject: Five-day O2/Telefonica DSL outage in Berlin, Germany

Monday morning we arose to find ourselves with water, heat, and electricity,
but not Internet.
We phoned O2, the provider in question, and in doing so discovered their
customer support phone number was also out of action: "this number cannot
be called, please contact customer support immediately!" We then tried to
log in on their website to our account, which turned out to be 404. We then
tried live chat and were told there was indeed an outage.

Fast-forward to early Friday afternoon (when I now write), and we contacted
live chat one more time, prior to changing provider, to see if we could get
an ETA, and were told the outage had been resolved late Friday morning.
Power cycling the modem brought us back on line (which was unexpected -- I
expected the modem to recover by itself). We asked what happened. Translated
from German: "A general outage which could be fixed from a distance."

So, there was a five-day outage, we were not notified when it occurred, or
when service resumed, there was no ETA for repair, and there has been no
explanation of what happened. I write to RISKS to enquire if anyone here
knows anything about what happened?

(I have to say, I wish there were small, local providers we could turn to.
The service here is what you get with large companies; they can't be
different. If you want different, you need to go to a small company.)

------------------------------

Date: Sat, 7 Sep 2024 13:00:25 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: What The CrowdStrike Outage Can Teach Us about Testing and Failure
  Modes (Packet Pushers)

Scratch the surface of the Crowdstrike failure, and you'll find more than
testing and process failures. You'll find lessons about complexity,
unintended consequences, and bringing humility with you during changes made
at scale.
https://packetpushers.net/blog/what-the-crowdstrike-outage-can-teach-us-about-testing-and-failure-modes/

------------------------------

Date: September 7, 2024 at 0:12:35 JST
From: Edward Hasbrouck <edward () hasbrouck org>
Subject: Visa required for EU entry starting next year

  [via Dave Farber's IP distribution]

What has not been mentioned in most reports is that the set of planned EU
restrictions on non-EU (non-Schengen, actually) citizens are all modeled on
measures the U.S. has already implemented and encouraged other countries to
adopt, as I discuss in a report for the Identity Project:

  Planned new European travel restrictions follow U.S. precedents and
  pressure

Citizens of the U.S.A. and some other most-favored nations have long been
able to travel to many European countries for tourism or business without
visas or pre-arrangements and with minimal border formalities, as long as
they didn't stay too long or seek local residence or employment.

This is scheduled to change with the imposition of new controls on
foreigners -- including U.S. citizens -- visiting Europe starting in
November 2024. This is to be followed by a further ratcheting up of control
and surveillance of foreign travelers to Europe scheduled for some time in
2025.

Some U.S. citizens are likely to be shocked and humiliated -- as any
traveler anywhere in the world should be, regardless of their citizenship --
to be subjected to fingerprinting and mug shots and additional questioning
on arrival in Europe and, starting next year, a de-facto visa by another
name that they will have to apply, pay for, and have approved in advance.

European citizens can and should object to the imposition by their
governments of these new restrictions on foreigners, including foreign
tourists and business visitors and foreign citizens who reside in Europe.
Europe could, and should, set a better example of respect for freedom of
movement as a human right that shouldn't depend on citizenship. But U.S.
citizens who object to these new European measures should direct their
objections and, more importantly, their agitation for changes in travel
rules to the U.S. government.

These impending new European travel control and surveillance measures are
modeled on systems developed, already in use in, and actively promoted to
European and other governments around the world by the U.S. government. By
its precedents and international pressure, the U.S. government is making
travel more difficult for everyone, including U.S. citizens, everywhere in
the world including in Europe. [...]

More:
https://papersplease.org/wp/2024/09/06/planned-new-european-travel-restrictions-follow-us-precedents-and-pressure/

------------------------------

Date: Sun, 1 Sep 2024 22:13:03 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Russian 'spy whale' found dead off Norway (BBC)

https://www.bbc.com/news/articles/cje2p3z8nlyo

A beluga whale suspected of having been trained as a spy by Russia has been
found dead off the Norwegian coast. The body of the animal -- nicknamed
Hvaldimir -- was found floating off the south-western town of Risavika and
taken to the nearest port for examination.

The whale was first spotted in Norwegian waters five years ago with a GoPro
camera attached to a harness that read "Equipment of St Petersburg". This
sparked rumours the mammal could be a spy whale - something experts say
happened in the past. Moscow never responded to the allegations.

  [But the whale had a visa from St. Petersburg and the Norwegian
  s(t)urgeon might have discovered it was actually smuggling Beluga caviar
  into Norway? PGN]

------------------------------

Date: Sat, 31 Aug 2024 11:03:31 +0300
From: Amos Shapir <amos083 () gmail com>
Subject: Re: Moscow's Spies Were Stealing U.S. Tech, Until the FBI Started a
  Sabotage Campaign (Politico, RISKS-34.43)

According to legend, Digital Equipment's CVAX microchip had an inscription
etched into the silicon which said, in Russian, "*CVAX...
when you care enough to steal the very best*"
  (Source: https://en.wikipedia.org/wiki/VAX)

------------------------------

Date: Sat, 31 Aug 2024 14:46:43 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Foreign Policy: TikTok ban & global data commons

IMHO, the TikTok ban and other similar stunts with X née Twitter, Telegram,
WeChat et al. is theatre. If I may bard for a moment:

  Oh noes, the chinas haz our datas!
  (please ignore the fact that by law your voter registration, voter
  participation, and tax records are public)

  If we ban the china your datas will be safe!
  (except you have no/little legal recourse to deal with a company that has
  allowed your PII to become public, so any data that leaks is your own
  fault for providing it)

I know the EU has GDPR and recourse to punish a company that improperly
handles SPI/PII. The US doesn't even recognise SPI, and dropping a lorry
full of PII in the nearest Aldi carpark is ... not a crime? But if anyone
reports they found a lorry full of PII in the carpark, they'll get sued.

https://arstechnica.com/security/2024/08/city-of-columbus-sues-man-after-he-discloses-severity-of-ransomware-attack/

There can be no meaningful global commons of data without a global right to
privacy and right to be forgotten. In my layman's understanding of the
current state of the legal framework, you can't stop something as large as
a Google from direct marketing to you from illegally harvested data, if that
data passed through one US company. And that one US company only has to say
they found it on the internet to (apparently) convert it to legally obtained
data. I cite the ongoing LLM training debacle.

https://futurism.com/video-openai-cto-sora-training-data

LLM law of finder's keepers: we don't know where the data came from, but it
was on the internet.
In case my tone belies my beliefs, allow me to unvarnishedly say: all
customers should stop doing business with all companies who are not beholden
to a legal right to privacy at least as robust as GDPR. But I cannot be mad
at the consumers. In most cases, they have no choice.

------------------------------

Date: Sat, 7 Sep 2024 22:18:54 -0400
From: Monty Solomon <monty () roscom com>
Subject: How Telegram Became Criminals’ Favorite Marketplace (WSJ)

  [See RISKS-34.42 and 34.43 for earlier items. PGN]

Arrest of founder Pavel Durov has drawn fresh attention to how pedophile
rings, identity thieves and drug traffickers use the app as a shop window to
sell their wares.

https://www.wsj.com/business/telecom/how-telegram-became-criminals-favorite-marketplace-8c824dfb

How Telegram Became a Playground for Criminals, Extremists and Terrorists

Drug dealers, scammers and white nationalists openly conduct business and
spread toxic speech on the platform, according to a Times analysis of more
than 3.2 million Telegram messages.

https://www.nytimes.com/2024/09/07/technology/telegram-crime-terrorism.html

------------------------------

Date: Fri, 30 Aug 2024 11:23:01 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Telegram Founder's Indictment Thrusts Encryption into the Spotlight
  (NYTimes)

Mike Isaac and Sheera Frenkel, *The New York Times*, 30 Aug 2024, via ACM
TechNews

  [See RISKS-34.42 and 43 for earlier items.]

Telegram CEO Pavel Durov's indictment in France for various criminal
offenses includes accusations that the messaging platform had provided
cryptology services aimed at ensuring confidentiality without a license.
Encryption has been a long-running point of friction between governments and
tech companies, with the latter arguing it is crucial for digital privacy,
while the former say it enables illegal activity. Telegram's encryption does
not offer the same transparency as encryption provided on other messaging
platforms.
------------------------------

Date: 30 Aug 2024 16:35:15 -0400
From: "John Levine" <johnl () iecc com>
Subject: Re: Telegram billionaire co-founder Pavel Durov arrested
  (Turgut Kalfaoglu, RISKS-34.42)

There has been a dismaying amount of ill-informed pontification about the
Durov case. A key fact is that Telegram is not, I repeat NOT, an encrypted
chat. If you are talking to one other person it is possible to turn on
optional encryption using a home-brewed scheme of unknown strength. But
nearly all of the traffic is group chats and they are not encrypted at all.

The main issue appears to be that when governments ask Telegram for help
dealing with material that is egregiously illegal, such as terrorism or
CSAM, they don't, even though they could. No government is going to put up
with that for long.

More info here:
https://www.emptywheel.net/2024/08/29/the-missing-detail-about-encryption-in-the-pavel-durov-investigation/

------------------------------

Date: Wed, 4 Sep 2024 08:54:19 -0400
From: Dylan Northrup <northrup () gmail com>
Subject: Re: Feds sue Georgia Tech for lying bigly about computer security
  (RISKS-34.42)

  "There is a current trend toward blindly applying high-level security
  rules to all computers in an organization, regardless of their purpose
  and existing defenses."

You mean base-lining?

I'd contend it's not the fact a baseline is being set, but where it's being
set. If the "hired-gun outsider" declares there's not a reason for 'ssh' to
be available (because they're applying rules crafted for Windows hosts),
does that make it true?

Security policies should be created in consultation with the administrators
of those systems. All too often, however, they are unilaterally imposed by
outside entities. Security organizations (internal and external) who are
incentivized to say "no" because it's easier and faster than documenting
variances or approving compensating controls... Auditors who don't
understand the system holistically and won't/can't see why a compensating
control addresses one or more requirements... Or lawyers and insurers who
are unwilling or unable to understand the technical nuances and prioritize
"exact compliance" over actual security.

I'd love to have systems that were both secure and compliant with policy,
but if I have to choose one over the other, I'll tend toward actual
security.

------------------------------

Date: Wed, 4 Sep 2024 20:27:27 -0600
From: Charles Cazabon <charlesc () pyropus ca>
Subject: Re: Standard security policies and variances (Kilby, RISKS-34.43)

Having run into this situation myself a number of times, I can relate that
things don't always -- or perhaps even usually -- go as smoothly as this
suggestion assumes.

Large organizations set standard baseline policies. Frontline helpdesk or
security folks apply the baseline policies, because it's a Standard Policy.
Someone requests a variance - such as me, for accessibility reasons - and it
turns out to be essentially impossible to get *any* variance, because in
large organizations it's no one's job to create and apply those variances or
otherwise deviate from the standard policy, and the incentives are all
against doing so. E.g., 18 months later, I was still waiting for that
variance...
------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing
 on the keywords in the subject line or cited article leads.
 Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.44
************************