
RISKS Forum mailing list archives
Risks Digest 34.46
From: RISKS List Owner <risko () csl sri com>
Date: Tue, 1 Oct 2024 12:06:38 PDT
RISKS-LIST: Risks-Forum Digest  Tuesday 1 Oct 2024  Volume 34 : Issue 46

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.46>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: (Somewhat backlogged)
When GPS spoofing messes up your airplane... reboot it (WSJ)
More than 1,000 people, including Hezbollah members, wounded in Lebanon
  after pagers detonate (CBC)
More on the Hezbollah pagers (Voice of America News)
More skynetish than exploding pagers (Axios)
More Than 4 Million Robots Are Working in Factories Worldwide
Social media platforms engaged in 'vast surveillance' and failed to
  protect young people, FTC finds (LA Times)
Chatbot Pulls People Away from Conspiracy Theories
Crash-detection devices can save lives. But false alarms are a problem
  for first responders (CBC)
A Canadian has been arrested in global crackdown on the Ghost encrypted app.
  Here's how it works (CBC)
Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple
  Website Bug (WiReD)
Ford seeks patent for tech that listens to driver conversations to
The Internet's AI Slop Problem Is Only Going to Get Worse (NYMag)
OpenAI Is Growing Fast and Burning Through Piles of Money (NYTimes)
California governor blocks landmark AI safety bill (Pivot 5)
Southern California's hottest commercial real-estate market is for
  tenants that aren't human (LA Times)
CISA state of the industry commentary (The Register)
Arrests Made in Relation to $243M Crypto Heist Targeting Genesis Creditor
  (Coindesk)
The crypto bros who dream of crowdfunding a new country (BBC)
Cybercriminals Exploit HTTP Headers for Credential Theft via Large-Scale
  Phishing Attacks (The Hacker News)
Three Mile Island nuclear plant to help power Microsoft's data-center
  needs (NBC News)
Why Does My iPhone Keep Asking Me to Check In With My Ex? (NYTimes)
How pen and paper comes to the rescue in an IT crisis (BBC)
Lionsgate sells movie catalog to AI video startup Runway hoping to replace
  artists and FX (Pivot to AI)
Linux RCE, CUPS CVE-2024-47176 (The Register)
Re: The U.S. Military Is Not Ready for the New Era of Warfare (Dylan Northrup)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 24 Sep 2024 00:08:51 +0000 ()
From: danny burstein <dannyb () panix com>
Subject: When GPS spoofing messes up your airplane... reboot it! [WSJ]

money quote:

  "Carriers including United Airlines and American Airlines have been discussing new procedures that would allow pilots to reset cockpit circuit breakers when confronted with false GPS data."

.....

Electronic Warfare Spooks Airlines, Pilots and Air-Safety Officials

Hundreds of daily flights around the world are running into GPS spoofing, a hazard that poses new risks for pilots and passengers.

[....]

Pilots, aviation-industry officials and regulators said spoofed Global Positioning System signals are spreading beyond active conflict zones near Ukraine and the Middle East, confusing cockpit navigation and safety systems and taxing pilots' attention in commercial jets carrying passengers and cargo.

[...]

Pilots are meanwhile getting preflight briefings about how to identify potential spoofing and respond -- which may at times include turning off certain features or ignoring false "pull up!" commands from a safety system heralded for sharply reducing crashes.

[...]

Other aircraft systems, including pilot messaging services, have been thrown off when cockpits draw false time and position data from spoofed signals.

[...]

Carriers including United Airlines and American Airlines have been discussing new procedures that would allow pilots to reset cockpit circuit breakers when confronted with false GPS data.

------------------------------

Date: Tue, 17 Sep 2024 10:04:18 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: More than 1,000 people, including Hezbollah members, wounded in
  Lebanon after pagers detonate (CBC)

https://www.cbc.ca/news/world/hezbollah-1.7325436

More than 1,000 people, including Hezbollah fighters and medics, were wounded on Tuesday when the pagers they use to communicate exploded across Lebanon, security sources told Reuters.

A Hezbollah official, speaking on condition of anonymity, said the detonation of the pagers was the "biggest security breach" the group had been subjected to in nearly a year of war with Israel.

  [This is a real harbinger for the future of supply-chain vulnerabilities and exploits.  PGN]
  HAND-HELD RADIOS WERE PURCHASED BY HEZBOLLAH FIVE MONTHS AGO, AROUND SAME
  TIME AS PAGERS -SECURITY SOURCE
  https://t.co/hPkgyl7GGu

  [Reportedly, Shell Corp designed the detonators.]

  [Amos Shapir notes: Very few people actually use their pocket phones for computing.  So according to their most common use, these devices in our pockets should be known as *communicators*.]

------------------------------

Date: Sat, 28 Sep 2024 20:50:36 -0500
From: Richard Thieme <rthieme () thiemeworks com>
Subject: More on the Hezbollah pagers (Voice of America News)

https://www.voanews.com/a/how-lebanon-s-wireless-paging-system-was-weaponized-to-make-hezbollah-devices-explode/7791044.html

------------------------------

Date: Wed, 18 Sep 2024 11:16:53 -0500
From: Richard Thieme <rthieme () thiemeworks com>
Subject: More skynetish than exploding pagers (Axios)

*from axios military newsletter:*

*A global, high-stakes race* is on to figure out not just how to build affordable autonomous weapons, but also invent ways they can fight together.

*Why it matters:* Today, individual drones are a tool for troops. Tomorrow, collaborating swarms will define conflict, turning battlefields into an unmanned "hellscape," in the words of America's top leader in the Indo-Pacific.

*The big picture:* From the Pentagon's $1 billion Replicator bet to the Air Force's collaborative combat aircraft, the Army's human-machine integrated formations and the Navy's hybrid fleet, big bets are being made.

* Mark Milley, the former head of the Joint Chiefs of Staff, in July told Axios one-third of the U.S.
military <https://link.axios.com/click/36767841.15294/aHR0cHM6Ly93d3cuYXhpb3MuY29tLzIwMjQvMDcvMTEvbWlsaXRhcnktcm9ib3RzLXRlY2hub2xvZ3k_dXRtX3NvdXJjZT1uZXdzbGV0dGVyJnV0bV9tZWRpdW09ZW1haWwmdXRtX2NhbXBhaWduPW5ld3NsZXR0ZXJfYXhpb3NmdXR1cmVvZmRlZmVuc2Umc3RyZWFtPXRvcA/5f19a795f12e7e7ff515ca59B7a24e4d5> will be robotic in the next 10-15 years.

* Meanwhile, China dominates the global drone market, Iran feeds Russia and extremist cells its increasingly popular unmanned arsenal, and North Korea constructs clones of America's greatest hits.

*Driving the news:* To get a glimpse of this future, I visited the Anduril Texas Test Site, a brew of Middle East forward-operating base and Burning Man geekdom near the U.S.-Mexico border.

* /Full disclosure:/ Anduril flew a half-dozen reporters down for a day of demos. The 16-hour roundtrip included a stopover in Dallas and some Whataburger.

*At the dusty, remote airstrip*, Anduril <https://link.axios.com/click/36767841.15294/aHR0cHM6Ly93d3cuYXhpb3MuY29tLzIwMjQvMDgvMDgvYW5kdXJpbC0xNC1iaWxsaW9uLWF1dG9ub21vdXMtd2VhcG9ucz91dG1fc291cmNlPW5ld3NsZXR0ZXImdXRtX21lZGl1bT1lbWFpbCZ1dG1fY2FtcGFpZ249bmV3c2xldHRlcl9heGlvc2Z1dHVyZW9mZGVmZW5zZSZzdHJlYW09dG9w/5f19a795f12e7e7ff515ca59B4a916b31> showed how a single person familiar with Siri and armed with a laptop could govern a clutch of jet-powered drones.

* Using the company's Lattice for Mission Autonomy software, which looks like a fancy flight tracker, the commander, "Kobe," oversaw a team of midsize drones as they took off, circled up, patrolled the area and downed a simulated enemy aircraft.

* The drones sought permission before making consequential moves, like intercepting the incoming plane and launching what was described as a "magic missile." (Nothing actually went boom.)

* During a Blue Angels-style <https://link.axios.com/click/36767841.15294/aHR0cHM6Ly93d3cuYXhpb3MuY29tLzIwMjIvMDcvMTgvYmx1ZS1hbmdlbHMtZmlyc3QtZmVtYWxlLWZpZ2h0ZXItamV0LXBpbG90P3V0bV9zb3VyY2U9bmV3c2xldHRlciZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj1uZXdzbGV0dGVyX2F4aW9zZnV0dXJlb2ZkZWZlbnNlJnN0cmVhbT10b3A/5f19a795f12e7e7ff515ca59B5ac0e836> flyby, the drones bunched together with just 20 feet of separation. Their callsign was "Mustang," a callback to the World War II-era P-51 the U.S. produced en masse.

*Between the lines:* The event offered a peek at how Anduril is thinking about airpower, autonomy and their digital interstice amid a competition to build the Air Force's fleet of robo-wingmen.

* The service selected Anduril and General Atomics to develop CCA prototypes in April.

* Air Force Secretary Frank Kendall <https://link.axios.com/click/36767841.15294/aHR0cHM6Ly93d3cuYXhpb3MuY29tLzIwMjMvMDUvMzAvY2hpbmEtbW9vbi0yMDMwLXVzLWNvbmZsaWN0P3V0bV9zb3VyY2U9bmV3c2xldHRlciZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj1uZXdzbGV0dGVyX2F4aW9zZnV0dXJlb2ZkZWZlbnNlJnN0cmVhbT10b3A/5f19a795f12e7e7ff515ca59B0af18eb3> said both "will be flying in the near future, and at least one of them will be in our inventory in meaningful numbers in the next few years."

* Different loadouts are envisioned for different tasks: spying from afar, jamming signals, drawing fire as decoys and striking targets with their own munitions.

*What they're saying:* "What makes a good wingman? I want to trust them. I want them to be predictable," said Kevin Chlan, Anduril's senior director of air dominance and strike.

* "We get bored. We need a drink, a snack, go to the restroom. Whatever," added Chlan, a former fighter pilot. "The robots don't have any of that."

* The company declined to discuss government contracts during the trip.

*Zoom in:* To get air autonomy <https://link.axios.com/click/36767841.15294/aHR0cHM6Ly93d3cuYXhpb3MuY29tLzIwMjQvMDkvMTMvdGVjaC1pbmR1c3RyeS1uZXctYWktbW9kZWxzLXJlYXNvbmluZz91dG1fc291cmNlPW5ld3NsZXR0ZXImdXRtX21lZGl1bT1lbWFpbCZ1dG1fY2FtcGFpZ249bmV3c2xldHRlcl9heGlvc2Z1dHVyZW9mZGVmZW5zZSZzdHJlYW09dG9w/5f19a795f12e7e7ff515ca59B9fe02427> right, Anduril launched an internal campaign dubbed Hyperion, after the Greek titan. More than 200 live flights have been conducted.

* "The reason we're here and we live-flight test is because it allows us to do it faster," said Diem Salmon, vice president of air dominance and strike. "Doing it in simulation will get you very little in the long run, especially as you start moving toward platform integration."

*Yes, but:* While the routes were not planned and the showcase resembled real-world operations, it lacked the electronic harassment and general chaos of war.

* A ferocious fight over the electromagnetic spectrum <https://link.axios.com/click/36767841.15294/aHR0cHM6Ly93d3cuYzRpc3JuZXQuY29tL2VsZWN0cm9uaWMtd2FyZmFyZS8yMDI0LzA1LzA2L2VsZWN0cm9uaWMtd2FyZmFyZS1pbi11a3JhaW5lLWhhcy1sZXNzb25zLWZvci11cy13ZWFwb25zLW5hdmlnYXRpb24vP3V0bV9zb3VyY2U9bmV3c2xldHRlciZ1dG1fbWVkaXVtPWVtYWlsJnV0bV9jYW1wYWlnbj1uZXdzbGV0dGVyX2F4aW9zZnV0dXJlb2ZkZWZlbnNlJnN0cmVhbT10b3A/5f19a795f12e7e7ff515ca59B5a877876> would erupt in any conflict with China or Russia.

------------------------------

Date: Fri, 27 Sep 2024 11:58:33 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: More Than 4 Million Robots Are Working in Factories Worldwide
  (Alexandre Tanzi)

Alexandre Tanzi, *Bloomberg*, 24 Sep 2024

According to the International Federation of Robotics' World Robotics Report, 4.3 million robots were deployed in factories worldwide as of the end of 2023, marking the third consecutive yearly increase of more than 500,000. Of the newly deployed robots, Asia accounted for 70%, Europe for 17%, and the Americas (primarily the U.S.) for 10%.
Although China accounted for more than 50% of new industrial robot installations globally, its annual installations fell 5% from 2022.

------------------------------

Date: Fri, 20 Sep 2024 06:57:41 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Social media platforms engaged in 'vast surveillance' and failed to
  protect young people, FTC finds (LA Times)

The Federal Trade Commission released a report Thursday slamming social media platforms including Facebook's parent company, Meta, as well as TikTok, Google-owned YouTube, Snap and other online services over privacy and youth safety concerns.

https://www.latimes.com/business/story/2024-09-19/social-media-platforms-engaged-in-vast-surveillance-and-failed-to-protect-young-people-ftc-finds

  [Why are RISKS readers not surprised?  PGN]

------------------------------

Date: Fri, 20 Sep 2024 11:11:19 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Chatbot Pulls People Away from Conspiracy Theories

Teddy Rosenbluth, *The New York Times*, 19 Sep 2024

An AI chatbot developed by Cornell University researchers aims to persuade users to stop believing conspiracy theories. In their study, more than 2,000 U.S. adults were asked to describe a conspiracy they believed; some then engaged in discussions with DebunkBot in which they presented evidence supporting their position and DebunkBot provided information to combat their misinformation. Participants' belief ratings fell around 20% after three exchanges with DebunkBot, and around 25% of participants no longer believed the conspiracy theory.

------------------------------

Date: Sat, 28 Sep 2024 10:50:23 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Crash-detection devices can save lives. But false alarms are a
  problem for first responders (CBC)

https://www.cbc.ca/news/canada/nova-scotia/crash-detection-technology-false-alarms-1.7336226

First responders in Nova Scotia say they recognize the value of crash-detection technology to help improve response times, but false alarms are adding to the demand for emergency services.

Two years ago, Apple introduced a crash-detection feature for iPhone and smart watches. The company said an algorithm, based on crash data and real-world driving, uses accelerator, gyroscope, GPS, barometer and microphone inputs to detect severe crashes.

RCMP Sgt. Natasha Farrell, the district commander in Guysborough County, said in one instance three people were helped from a vehicle after first responders received an iPhone crash notification. But in many other cases there hasn't been an emergency.

------------------------------

Date: Wed, 18 Sep 2024 23:24:01 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: A Canadian has been arrested in global crackdown on the Ghost
  encrypted app. Here's how it works

https://www.cbc.ca/news/world/ghost-cybercrime-encrypted-app-1.7327379

An international law enforcement operation has dismantled an encrypted communication platform, known as Ghost, notorious for enabling large-scale drug trafficking and money laundering, leading to the arrest of 51 suspects from multiple countries including one in Canada. The platform had gained popularity among criminal organizations for its advanced security features and its dismantling marks a significant blow to global organized crime networks.
Europol said on Wednesday
<https://www.europol.europa.eu/media-press/newsroom/news/global-coalition-takes-down-new-criminal-communication-platform>

------------------------------

Date: Fri, 27 Sep 2024 15:22:10 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Millions of Vehicles Could Be Hacked and Tracked Thanks to a Simple
  Website Bug (WiReD)

https://techcommunity.microsoft.com/t5/windows-it-pro-blog/windows-server-update-services-wsus-deprecation/ba-p/4250436

Microsoft isn't removing it as SCCM (now CM) still uses WSUS, so there's no rush to get WSUS out of your environment.

https://learn.microsoft.com/en-us/mem/configmgr/sum/deploy-use/third-party-software-updates

As usual with Microsoft and their well integrated and reliable operating system, there is no single replacement for WSUS anyway. You have CM (nee SCCM), Windows Autopatch, Microsoft Intune, and Azure Update Manager to choose from.

NB: No one of the replacements appears to support on-premise client updates. Microsoft seems hell-bent on making sure systems admins have no choice but to allow employee devices to have access to the Internet. Secure deployment of Windows may soon no longer be an option, if it isn't already.

------------------------------

Date: Thu, 26 Sep 2024 16:49:04 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: The Internet's AI Slop Problem Is Only Going to Get Worse (NYMag)

Drowning in Slop
A thriving underground economy is clogging the Internet with AI garbage -- and it's only going to get worse.

Slop started seeping into Neil Clarke's life in late 2022. Something strange was happening at Clarkesworld, the magazine Clarke had founded in 2006 and built into a pillar of the world of speculative fiction. Submissions were increasing rapidly, but "there was something off about them," he told me recently. He summarized a typical example: "Usually, it begins with the phrase 'In the year 2250-something' and then it goes on to say the Earth's environment is in collapse and there are only three scientists who can save us. Then it describes them in great detail, each one with its own paragraph. And then -- they've solved it! You know, it skips a major plot element, and the final scene is a celebration out of the ending of Star Wars." Clarke said he had received "dozens of this story in various incarnations."

These are prime examples of what is now known as slop: a term of art, akin to spam, for low-rent, scammy garbage generated by artificial intelligence and increasingly prevalent across the Internet -- and beyond. From their weird narrative instincts and inert prose, Clarke realized the stories came straight from ChatGPT. Sometimes they would arrive with the original prompt included, which was often as simple as "Write a 1,000-word science-fiction story." [...]
https://nymag.com/intelligencer/article/ai-generated-content-internet-online-slop-spam.html

------------------------------

Date: Fri, 27 Sep 2024 22:42:45 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: OpenAI Is Growing Fast and Burning Through Piles of Money (NYTimes)

https://www.nytimes.com/2024/09/27/technology/openai-chatgpt-investors-funding.html

As the company looks for more outside investors, documents reviewed by The New York Times show consumer fascination with ChatGPT and a serious need for more cash.

------------------------------

Date: Tue, 01 Oct 2024 11:55:51 +0000 (UTC)
From: Pivot 5 <daily () pivot5 ai>
Subject: California governor blocks landmark AI safety bill

https://www.bbc.com/news/articles/cj9jwyr3kgeo

  [It was too harsh on developers, according to the Governor.  PGN]

------------------------------

Date: Fri, 27 Sep 2024 07:49:28 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Southern California's hottest commercial real-estate market is for
  tenants that aren't human (LA Times)

As artificial intelligence and cloud storage hoover up more and more space on the nation's computer servers, real-estate developers are racing to build new data centers or convert existing buildings to data uses.

The need is so great, they're having a hard time keeping up with demand as businesses in search of secure spots for their servers rent nearly every square foot that becomes available. Large-scale backup generators to keep the 24-7 operations running in the event of a power failure are in short supply.

Construction of new data centers is at "extraordinary levels" driven by *insatiable demand*, a recent report on the industry by real-estate brokerage JLL found. [ ... ]

https://www.latimes.com/business/story/2024-09-27/insatiable-demand-for-data-centers-reported-as-ai-and-cloud-service-expand

  (Good for commercial real-estate business, a RISK for everybody else?)
------------------------------

Date: Fri, 20 Sep 2024 22:35:08 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: CISA state of the industry commentary (The Register)

https://www.theregister.com/2024/09/20/cisa_sloppy_vendors_cybercrime_villains/

From the source:

  "Software developers who ship buggy, insecure code are the true baddies in the cyber crime story, Jen Easterly, boss of the U.S. Government's Cybersecurity and Infrastructure Security Agency, has argued."

I have no insight to add other than: louder for the people in the back.

------------------------------

Date: Sun, 22 Sep 2024 16:30:24 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Arrests Made in Relation to $243M Crypto Heist Targeting Genesis
  Creditor (Coindesk)

More than $9 million has been frozen and $500,000 has been returned as a result of the investigation.

On Aug. 19, a creditor of defunct trading firm Genesis fell victim to a sophisticated social engineering scam after being contacted by a spoofed number that posed as a member of Google support, according to information first reported by blockchain sleuth ZachXBT.

https://www.coindesk.com/business/2024/09/19/police-arrests-two-people-related-to-243m-crypto-heist-targeting-genesis-creditor/

...only $234M left to recover. And, social engineering -- who could have anticipated THAT?
------------------------------

Date: Fri, 20 Sep 2024 06:55:56 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: The crypto bros who dream of crowdfunding a new country (BBC)

https://www.bbc.com/news/articles/cwyl171lyewo

Do you look at the possibility of political turbulence ahead of November's US presidential election and think: democracy could be in trouble?

So does a group of tech entrepreneurs backed by big Silicon Valley money. And they love it.

Imagine if you could choose your citizenship the same way you choose your gym membership. That's a vision of the not-too-distant future put forward by Balaji Srinivasan.

Balaji -- who, like Madonna, is mostly just known by his first name -- is a rockstar in the world of crypto. A serial tech entrepreneur and venture capitalist who believes that pretty much everything governments currently do, tech can do better.

------------------------------

Date: Mon, 16 Sep 2024 01:45:16 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Cybercriminals Exploit HTTP Headers for Credential Theft via
  Large-Scale Phishing Attacks (The Hacker News)

https://thehackernews.com/2024/09/cybercriminals-exploit-http-headers-for.html

------------------------------

Date: Mon, 23 Sep 2024 06:56:37 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Three Mile Island nuclear plant to help power Microsoft's
  data-center needs (NBC News)

A unit of Pennsylvania's Three Mile Island nuclear plant will be restarted as part of a new energy-sharing agreement with Microsoft, which plans to use it to power the data centers it operates as part of its push into artificial intelligence.

https://www.nbcnews.com/business/business-news/three-mile-island-nuclear-plant-help-power-microsoft-data-center-needs-rcna171958

  [Probably the only thing worse than nuclear waste -- which we still have no clue as to how to deal with safely -- is the immense waste of AI from these Big Tech firms trying to ram it down our throats no matter how much they wreck society in the process. DISGUSTING.  -Lauren Weinstein]

------------------------------

Date: Sat, 28 Sep 2024 20:49:34 -0400
From: Monty Solomon <monty () roscom com>
Subject: Why Does My iPhone Keep Asking Me to Check In With My Ex? (NYTimes)

An iPhone feature has some users baffled as they are asked to share their location with work acquaintances, dead relatives and people on other continents.

https://www.nytimes.com/2024/09/26/style/apple-check-ins.html

------------------------------

Date: Sun, 29 Sep 2024 08:17:38 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: How pen and paper comes to the rescue in an IT crisis (BBC)

Firms are advised to practice operating with pens and paper in case of a computer meltdown.

In July a botched software update caused chaos for the airline industry worldwide. When the CrowdStrike software bug bricked 8.5 million computers around the world on 19 July, some of the first people to notice the effects were air travelers. [...]

For a brief moment in July, some organisations had to forget about their computer-based processes and do things the old-fashioned way. [...]

It sounds an almost pitiful predicament. And yet, while it certainly isn't desirable, some cyber-experts are now advising companies to plan for switching to paper-based processes in the event of IT failure. [...]
https://www.bbc.com/news/articles/ce9zx22ley8o

------------------------------

Date: Sun, 22 Sep 2024 15:58:07 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Lionsgate sells movie catalog to AI video startup Runway hoping to
  replace artists and FX (Pivot to AI)

Hollywood studio Lionsgate has sold its entire back catalog of movies and TV shows to AI video startup Runway to train a new model on, which Lionsgate will then have access to. [WSJ, archive]

Lionsgate hopes to save "millions and millions" replacing all those tawdry storyboard artists and visual effects crew with "cutting-edge, capital-efficient content creation opportunities," said vice chairman Michael Burns. [Hollywood Reporter]

https://pivot-to-ai.com/2024/09/22/lionsgate-sells-movie-catalog-to-ai-video-startup-runway-hoping-to-replace-artists-and-fx/

  [Who is going to ROAR at this?  PGN]

------------------------------

Date: Sat, 28 Sep 2024 10:10:38 -0400
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Linux RCE, CUPS CVE-2024-47176 (The Register)

https://www.theregister.com/2024/09/26/cups_linux_rce_disclosed/

I am ignoring this CVE. My servers do not print. My desktops do not print. Following the existing prior guidance I have removed all services my computer does not depend on. Even if they did print, existing prior guidance advises against allowing access to a resource without a clearly defined need, and all incoming ports on each machine's and edge firewall are closed by default, and I have no variance requests for port 631 anywhere.

If you're running a desktop distro, do note that some distros have created false or excessive "requires" statements in their package managers. Issuing an 'apt purge cups*' may hork your box. e.g., Debian's current distro will let you purge cups* but not libcups*.

If you happen to be running zeroconf or mDNS in your environment, it is now time to apply prior guidance before the LAN proof of concept is released.
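  [Editor's added example, not part of Cliff Kilby's post or of the CUPS project: a small POSIX sh audit that turns the guidance above ("no variance for port 631", "apply prior guidance" on LAN-facing hosts) into a repeatable check. It assumes that cups-browsed's remote-browse listener is UDP port 631 and that the directive controlling it in /etc/cups/cups-browsed.conf is BrowseRemoteProtocols, with "none" switching remote browsing off; verify both against your distribution's cups-browsed.conf man page. The socket listing and config text used below are constructed samples, not captures from a real host.]

```shell
#!/bin/sh
# Added example (not from the RISKS post or CUPS). Audits a Linux host for the
# cups-browsed exposure discussed above. Assumptions: cups-browsed listens on
# UDP 631 for remote browse packets, and BrowseRemoteProtocols "none" in
# cups-browsed.conf disables that listener. Both checks take their input as
# text so they run on saved `ss -lun` output and a copied config file as
# well as on live data.

# udp631_listeners: print the Local Address:Port of every UDP socket bound to
# port 631 in `ss -lun` output; exit 1 if nothing is bound there.
udp631_listeners() {
    # In `ss -lun` output column 4 is Local Address:Port; row 1 is the header.
    printf '%s\n' "$1" | awk 'NR > 1 && $4 ~ /:631$/ { print $4; found = 1 }
                              END { if (found) exit 0; exit 1 }'
}

# browse_remote_enabled: exit 0 if this cups-browsed.conf still accepts remote
# browse packets (directive unset, so the compiled-in default applies, or set
# to anything but "none"); exit 1 if it is set to "none".
browse_remote_enabled() {
    # The last uncommented directive wins. Comment lines start with '#', so
    # their first field never equals the directive name.
    setting=$(printf '%s\n' "$1" |
        awk '$1 == "BrowseRemoteProtocols" { v = $2 } END { print v }')
    case "$setting" in
        none) return 1 ;;
        *)    return 0 ;;
    esac
}

# cups_browsed_exposed: exit 0 only when something is bound to UDP 631 AND
# the config still accepts remote browse traffic. Either a closed port or
# BrowseRemoteProtocols none clears the host.
cups_browsed_exposed() {
    udp631_listeners "$1" >/dev/null && browse_remote_enabled "$2"
}

# Constructed sample data (not captured from a real machine).
# A desktop with cups-browsed bound on v4 and v6 and mDNS (5353) beside it:
SS_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:631       0.0.0.0:*
UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*
UNCONN 0      0      [::]:631          [::]:*'

# A server that followed the "remove services you do not need" guidance:
SS_CLEAN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*'

# Config as commonly shipped (directive commented out, default applies) ...
CONF_DEFAULT='# BrowseRemoteProtocols dnssd cups
BrowseLocalProtocols dnssd'

# ... and the mitigated form.
CONF_HARDENED='BrowseRemoteProtocols none
BrowseLocalProtocols dnssd'

if cups_browsed_exposed "$SS_EXPOSED" "$CONF_DEFAULT"; then
    echo "desktop, default config:       EXPOSED (UDP 631 bound, remote browsing on)"
fi
if ! cups_browsed_exposed "$SS_EXPOSED" "$CONF_HARDENED"; then
    echo "desktop, BrowseRemoteProtocols none: not exposed"
fi
if ! cups_browsed_exposed "$SS_CLEAN" "$CONF_DEFAULT"; then
    echo "server with no CUPS listener:  not exposed"
fi
```

On a live host the same functions take real input: cups_browsed_exposed "$(ss -lun)" "$(cat /etc/cups/cups-browsed.conf)". The port check is deliberately separate from the config check so that a host which closed 631 at the firewall but never edited the config, or vice versa, still reports the half it has not done.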
------------------------------

Date: Wed, 18 Sep 2024 10:04:25 -0400
From: Dylan Northrup <northrup () gmail com>
Subject: Re: The U.S. Military Is Not Ready for the New Era of Warfare
  (NYTimes, RISKS-34.45)

The reasons for this are readily apparent. The billions (though soon to be trillions) of dollars spent by the Pentagon on those weapons programs goes to defense contractors. Those defense contractors make sure to lobby legislators as well as make generous donations to their campaigns. The contractors also arrange to locate their facilities (and facilities of their sub-contractors) in the states and districts of influential legislators. And those legislators continually vote to increase defense spending and fund long-term, big-budget projects like these so they can say they "Support the Military" and "Bring good white-collar jobs" to their districts.

The incentives don't align for efficiency or effectiveness and, for those on the inside, the millions of dollars spent is a feature, not a bug. Unfortunately for the rest of us, human nature has not yet evolved to incentivize the kind of long-term, collective action necessary to overcome the powerful, entrenched interests and change the status quo.

I am hopeful, but not optimistic.

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.46
************************