RISKS-LIST: Risks-Forum Digest Saturday 6 December 2023 Volume 34 : Issue 02
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/34.02> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: Boeing has a risk managment problem with the 737 Max (BBC) Human Error Likely Caused Subway Crash and Derailing, Officials Say (The New York Times) Museum World Hit by Cyberattack on Widely Used Software (Zachary Small) Teen traveling alone on Frontier Airlines from Tampa accidentally flown to Puerto Rico (NBC News) Kai Zhuang: Chinese teen found alive in U.S. after cyber-kidnapping (BBC) How the federal ban on Chinese drones could end up costing lives (UAV Coach) Fire Breaks Out Aboard Ship Carrying Lithium-Ion Batteries (NYTimes) Are Teslas the most or least safe vehicles? (Sam Bull) Theft of Vancouver rape crisis centre server containing sensitive data raises privacy concerns (CBC) 23andMe told victims of data breach that suing is futile, letter shows (Ars Technica) BGP tampering: A "ridiculously weak" password causes disaster for Spain's No. 2 mobile carrier (Ars Technica) Qualcomm chip vulnerability enables remote attack by voice call (SC Media) Google disabling third-party cookies for millions of users without informing them (Lauren Weinstein) Weizenbaum’s nightmares: how the inventor of the first chatbot turned against AI (The Guardian) A Chevrolet dealer offered an AI chatbot on its website. It told customers to buy a Ford. (USA Today) AI’s big test: Making sense of $4 trillion in medical expenses (Politico) A hospital's false death announcement leads to a wife's suicide, husband is later found alive (BoingBoing) Dystopian past...and future (The Guardian) Wife of Investor Who Pushed for Harvard President’s Exit Is Accused of Plagiarism (NYTimes) The NY Times Lawsuit Against OpenAI Would Open Up The NY Times To All Sorts Of Lawsuits Should It Win (Mike Masnick) Wiki[d]pedia? (Stephen Mason) How Tracking and Technology in Cars Is BeingWeaponized by Abusive Partners (The New York Times) Researchers Suggest New AirTag Stalker Preventions That Balance Privacy (PCMag) Re: AI in the Machine Internet (Martin Ward) Re: Do you need git or Subversion (Dmitri Maziuk) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sat, 6 Jan 2024 08:46:38 -0500 From: Cliff Kilby <cliffjki...@gmail.com> Subject: Boeing has a risk management problem with the 737 Max (BBC) The 737 MAX is grounded again after a cabin depressurization incident. This just after Boeing asked for safety exemptions on the 737 MAX due to a known issue with the nacelle deicer which could cause engine damage. After debris was found in a majority of grounded planes fuel tanks. After two total loss crashes. https://www.bbc.com/news/world-us-canada-67899564 https://www.seattletimes.com/business/boeing-aerospace/boeing-wants-faa-to-exempt-max-7-from-safety-rules-to-get-it-in-the-air/ I'm beginning to disbelieve Boeing's commitment to safety. https://www.boeing.com/principles/safety.page Maybe pack a parachute, I'm beginning to disbelieve Boeing's commitment to safety. https://www.boeing.com/principles/safety.page Maybe pack a parachute, [According to Aviation24 via Lauren Weinstein, an emergency door (perhaps over the wing?) blew off: Alaska Airlines Boeing 737 MAX-9 makes emergency landing at Portland after losing emergency exit door https://www.aviation24.be/airlines/alaska-airlines/alaska-airlines-boeing-737-max-9-makes-emergency-landing-at-portland-after-losing-emergency-exit-door/ PGN] ------------------------------ Date: Fri, 5 Jan 2024 23:44:15 -0500 From: Gabe Goldberg <g...@gabegold.com> Subject: Human Error Likely Caused Subway Crash and Derailing, Officials Say (The New York Times) The collision of two trains, which injured 26 people, appears to have been caused by confusion over which vehicle had the right of way. A crew of four transit workers was aboard the out-of-service train, which forced the rerouting of other No. 1 trains. According to the MTA officials with knowledge of the investigation, near the 96th Street station, the subway’s signal system instructed the out-of-service train to stop at a red light and gave the green light for a rerouted train to go around it on parallel tracks, then move back in front. The out-of-service train continued to inch forward, causing the slow-moving crash [and its derailing], the officials said. https://www.nytimes.com/2024/01/05/nyregion/nyc-subway-derailed.html?smid=nytcore-ios-share&referringSource=articleShare ------------------------------ Date: Thu, 4 Jan 2024 00:55:55 -0500 From: Gabe Goldberg <g...@gabegold.com> Subject: Museum World Hit by Cyberattack on Widely Used Software (Zachary Small) Zachary Small, The New York Times, 5 Jan 2024 Hackers targeted software that many museums use to show their collections online and to manage sensitive information. https://www.nytimes.com/2024/01/03/arts/design/museum-cyberattack.html?smid=nytcore-ios-share&referringSource=articleShare [National Edition title: Hackers targeted software that institutions use to show their collections online (Zachary Small) These ransomware attacks seem to be widespread, apparently afflicting many museums using Gallery Systems software. However, in my opinion, attacking non-profit museums seems to be a particularly poor choice. PGN] ------------------------------ Date: Sat, 30 Dec 2023 22:32:03 -0500 From: Monty Solomon <mo...@roscom.com> Subject: Teen traveling alone on Frontier Airlines from Tampa accidentally flown to Puerto Rico (NBC News) The 16-year-old was supposed to fly to Cleveland. His father said the gate agent did not scan his boarding pass. https://www.nbcnews.com/news/us-news/teen-traveling-alone-frontier-airlines-tampa-accidentally-flown-puerto-rcna131691 ------------------------------ Date: Tue, 2 Jan 2024 20:39:49 -0500 From: Gabe Goldberg <g...@gabegold.com> Subject: Kai Zhuang: Chinese teen found alive in U.S. after cyber-kidnapping' (BBC) A Chinese foreign exchange student has been found freezing but alive in the US after his parents were extorted out of tens of thousands of dollars in a *cyber kidnapping* scam. Kai Zhuang was discovered "very cold and scared" in a tent in rural Utah, Riverdale Police said in a statement. The 17-year-old is believed to have isolated himself after being manipulated by the kidnappers. His parents were then tricked into paying around $80,000 (£62,600). Zhuang is one of a number of foreign students targeted by so-called cyber kidnappers in the US recently, Riverdale Police added in their statement. Police believe Kai was being controlled by the kidnappers as early as 20 December, when he was seen by officers in Provo, Utah, carrying camping equipment. https://www.bbc.com/news/world-us-canada-67861852 ------------------------------ Date: Sun, 31 Dec 2023 14:24:43 -0800 From: Lauren Weinstein <lau...@vortex.com> Subject: How the federal ban on Chinese drones could end up costing lives (UAV Coach) These drones have been heavily used in crucial rescue and infrastructure protection and maintenance operations. It's notable that reportedly there has never been evidence shown that these drones send data back to China, and these drones also have modes that don't connect to the Internet at all. Some observers feel this is all about protecting a single U.S. drone manufacturer. Politics in action. -L https://uavcoach.com/asda-law/ ------------------------------ Date: Tue, 2 Jan 2024 23:50:49 -0500 From: Gabe Goldberg <g...@gabegold.com> Subject: Fire Breaks Out Aboard Ship Carrying Lithium-Ion Batteries (The New York Times) The vessel, now off the Alaskan coast, is carrying nearly 2,000 tons of lithium-ion batteries, which contain highly flammable materials, officials said. https://www.nytimes.com/2023/12/30/us/cargo-ship-fire-batteries-alaska.html?smid=nytcore-ios-share&referringSource=articleShare [A salt-and-battery attack? PGN] ------------------------------ Date: Sun, 31 Dec 2023 21:34:28 +0000 From: Sam Bull <9wq...@sambull.org> Subject: Are Teslas the most or least safe vehicles? I've seen several news stories posted here about Tesla in the past couple of years. So, I thought I would share this article with some counterpoints to several of the stories previously reported: https://brandonpaddock.substack.com/p/are-teslas-the-most-or-least-safe TLDR: 1. Pretty much every model has achieved 1st place in NHTSA's crash tests (sometimes by a decent margin compared to the nearest competitor). 2. AAA ADAS tests on Tesla, Subaru and Hyundai showed Tesla achieving almost perfect scores (while the other 2 had full-speed collisions and hitting a cyclist in some tests). 3. Analysis of NHTSA fatality rates show Teslas with the same, or slightly lower rate than comparable vehicles. (The analysis is limited by small sample sizes and the fact that we only know that a Tesla was involved, not that the fatality was caused by a Tesla or that the fatality was an occupant of the Tesla). 4. A research paper that tries to correct (Tesla's biased) autopilot crash statistics for road use and owner age showed that driving with autopilot averaged 10% fewer accidents than non-autopilot driving. (This was reported in Rolling Stone as "Autopilot increases accident rates by 11%", the exact opposite of what the paper showed). 5. Another story titled "Tesla drivers have more accidents than any others" was again highly inaccurate. A better summary would be that drivers who recently bought e considering buying a Tesla had the most accidents in the past (but, the accidents were very likely not in a Tesla). Given that this suggests the most dangerous drivers are looking to buy a Tesla, this makes the other stats sound even more impressive. Additionally, some older articles about the videos of Tesla's hitting child mannequins: https://brandonpaddock.substack.com/p/does-tesla-have-a-pedestrian-problem-part-1 https://brandonpaddock.substack.com/p/does-tesla-have-a-pedestrian-problem-pt2 TLDR: The first appears to have been created by someone who probably spent all day attempting to trick a Tesla into hitting a mannequin, eventually managing to figure out some contrived situation where they could get it to knock over the mannequin. The second was a driver overriding the AEB by accelerating (how any manufacturer-fitted AEB works). ------------------------------ Date: Tue, 2 Jan 2024 11:56:30 -0700 From: Matthew Kruk <mkr...@gmail.com> Subject: Theft of Vancouver rape crisis centre server containing sensitive data raises privacy concerns (CBC) https://www.cbc.ca/news/canada/british-columbia/stolen-rape-crisis-centre-server-raises-safety-concerns-1.7071727 Cybersecurity experts are warning of "significant" data privacy risks after a Vancouver rape crisis centre told clients and donors a computer server containing their sensitive personal information and banking details was stolen from its office last month. The 3 Dec break-in at Salal Sexual Violence Support Centre's new downtown office is under investigation, Vancouver police confirmed in an email to CBC News on Friday, and at least one woman who sought counseling at Salal says she is planning to file a complaint with B.C.'s privacy watchdog over the breach. ------------------------------ Date: Thu, 4 Jan 2024 21:48:46 -0500 From: Monty Solomon <mo...@roscom.com> Subject: 23andMe told victims of data breach that suing is futile, letter shows (Ars Technica) https://arstechnica.com/tech-policy/2024/01/23andme-shamelessly-blaming-users-for-data-breach-lawyer-says/ [This follows earlier reports of major privacy leaks attributed to very poor security practices, e.g.: https://www.itpro.com/security/data-breaches/23andme-risks-public-relations-disaster-as-it-blames-customers-for-data-breach PGN] ------------------------------ Date: Thu, 4 Jan 2024 16:09:44 -0800 From: Lauren Weinstein <lau...@vortex.com> Subject: BGP tampering: A "ridiculously weak" password causes disaster for Spain's No. 2 mobile carrier (Ars Technica) https://arstechnica.com/security/2024/01/a-ridiculously-weak-password-causes-disaster-for-spains-no-2-mobile-carrier/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social ------------------------------ Date: Thu, 4 Jan 2024 14:57:37 +0000 From: Victor Miller <victorsmil...@gmail.com> Subject: Qualcomm chip vulnerability enables remote attack by voice call (SC Media) https://www.scmagazine.com/news/qualcomm-chip-vulnerability-enables-remote-attack-by-voice-call ------------------------------ Date: Thu, 4 Jan 2024 11:52:13 -0800 From: Lauren Weinstein <lau...@vortex.com> Subject: Google disabling third-party cookies for millions of users without informing them CNN just threw up a tease banner "Google disables cookies for 30 million Chrome users". Of course it's only third party cookies, because disabling first party cookies would totally break the Web, and even disabling third party cookies may break a lot of crucial stuff. That's apparently why Google is selecting guinea pigs for this without, uh, informing them about it. ------------------------------ Date: Sat, 6 Jan 2024 12:23:32 -0500 From: Monty Solomon <mo...@roscom.com> Subject: Weizenbaum’s nightmares: how the inventor of the first chatbot turned against AI (The Guardian) Computer scientist Joseph Weizenbaum was there at the dawn of artificial intelligence -– but he was also adamant that we must never confuse computers with humans https://www.theguardian.com/technology/2023/jul/25/joseph-weizenbaum-inventor-eliza-chatbot-turned-against-artificial-intelligence-ai [Joe, I really miss your wisdom over many lunch-time discussions in the last half of the 1960s. But AI itself misses you most. PGN] ------------------------------ Date: Sun, 31 Dec 2023 10:22:00 -0500 From: Monty Solomon <mo...@roscom.com> Subject: A Chevrolet dealer offered an AI chatbot on its website. It told customers to buy a Ford. (USA Today) https://www.usatoday.com/story/money/cars/2023/12/19/chevy-of-watsonville-chatgpt-use/71976591007/ ------------------------------ Date: Sun, 31 Dec 2023 07:58:00 -0800 From: Steve Bacher <seb...@verizon.net> Subject: AI’s big test: Making sense of $4 trillion in medical expenses (Politico) Hospitals and insurers are racing to find new artificial intelligence tools to give them an edge in billing and processing their part of the $4 trillion in medical expenses Americans accrue each year. As one of the largest parts of the U.S. economy undergoes perhaps its biggest transition in decades, billions of dollars are at stake — not only for health care providers and insurers, but also for the government, which handles millions of Medicare and Medicaid claims every year. For providers, the dream is an AI tool that can quickly and aggressively code procedures and file claims. Insurers — and the government agencies that pay for health care — want comparable technology to scrub those bills. [...] But Congress has barely begun to grapple with how AI could affect these issues. And the administration is just beginning to work out its approach to regulating the technology — even as the ground is shifting for hospitals, doctors and insurers vying for a tech edge. [...] https://www.politico.com/news/2023/12/31/ai-medical-expenses-00132557 ------------------------------ Date: Sat, 6 Jan 2024 12:11:23 -0500 From: Monty Solomon <mo...@roscom.com> Subject: A hospital's false death announcement leads to a wife's suicide, husband is later found alive (BoingBoing) https://boingboing.net/2024/01/06/a-hospitals-false-death-announcement-leads-to-the-wifes-suicide-husband-is-later-found-alive.html [ChatBot-generated announcement? PGN] ------------------------------ Date: Tue, 2 Jan 2024 13:05:24 -0800 From: John Rushby <j...@rushby.org> Subject: Dystopian past...and future (The Guardian) I found this article pretty interesting, and true: https://www.theregister.com/2023/12/25/the_war_of_the_workstations/ I guess it's an inevitable and universal consequence of *disruptive innovation*. For the dystopian future, see this article about the IDF "gospel" AI (what a name!): https://www.theguardian.com/world/2023/dec/01/the-gospel-how-israel-uses-ai-to-select-bombing-targets ------------------------------ Date: Sat, 6 Jan 2024 12:52:39 -0500 From: Monty Solomon <mo...@roscom.com> Subject: Wife of Investor Who Pushed for Harvard President’s Exit Is Accused of Plagiarism (NYTimes) Neri Oxman, a former MIT professor, is accused of copying from Wikipedia. Her husband, Bill Ackman, vowed to check the work of the entire MIT faculty. https://www.nytimes.com/2024/01/05/us/plagiarism-bill-ackman-neri-oxman-claudine-gay-harvard.html ------------------------------ Date: Thu, 4 Jan 2024 08:19:02 -0800 From: Steve Bacher <seb...@verizon.net> Subject: The NY Times Lawsuit Against OpenAI Would Open Up The NY Times To All Sorts Of Lawsuits Should It Win (Mike Masnick) Mike Masnick writes: from the /it's-okay-when-we-do-it,-we're-the-new-york-times/ dept This week *The NY Times* somehow broke the story <https://www.nytimes.com/2023/12/27/business/media/new-york-times-open-ai-microsoft-lawsuit.html?smid=nytcore-ios-share&referringSource=articleShare> of… well, the NY Times suing OpenAI and Microsoft. I wonder who tipped them off. Anyhoo, the lawsuit <https://storage.courtlistener.com/recap/gov.uscourts.nysd.612697/gov.uscourts.nysd.612697.1.0.pdf> in many ways is similar to some of the over a dozen lawsuits filed by copyright holders against AI companies. We’ve written about how silly <https://www.techdirt.com/2023/07/11/a-bunch-of-authors-sue-openai-claiming-copyright-infringement-because-they-dont-understand-copyright/> many of these lawsuits are, in that they appear to be written by people who don’t much understand copyright law. And, as we noted <https://www.techdirt.com/2023/12/04/if-creators-suing-ai-companies-over-copyright-win-it-will-further-entrench-big-tech/>, even if courts actually decide in favor of the copyright holders, it’s not like it will turn into any major windfall. All it will do is create another corruptible collection point, while locking in only a few large AI companies who can afford to pay up. I’ve seen some people arguing that the NY Times lawsuit is somehow “stronger” and more effective than the others, but I honestly don’t see that. Indeed, the NY Times itself seems to think its case is so similar to the ridiculously bad Authors Guild case, that it’s looking to combine the cases <https://storage.courtlistener.com/recap/gov.uscourts.nysd.612697/gov.uscourts.nysd.612697.3.0.pdf>. But while there are some unique aspects to the NY Times case, I’m not sure they are nearly as compelling as the NY Times and its supporters think they are. Indeed, I think if the Times actually wins its case, it would open the Times itself up to some fairly damning lawsuits itself, given its somewhat infamous journalistic practices regarding summarizing other people’s articles without credit. But, we’ll get there. [...] https://www.techdirt.com/2023/12/28/the-ny-times-lawsuit-against-openai-would-open-up-the-ny-times-to-all-sorts-of-lawsuits-should-it-win ------------------------------ Date: Tue, 02 Jan 2024 16:20:26 +0000 From: Stephen Mason <stephencwma...@protonmail.com> Subject: Wiki[d]pedia? Below are 5 Wikipedia sites that I have added to over the years, trying to be helpful by adding useful information about books and journals on the relevant topics. I have, naturally, included the following 2 useful items -- both are open-source (!!): Stephen Mason and Daniel Seng, editors, Electronic Evidence and Electronic Signatures (5th edition, Institute of Advanced Legal Studies for the SAS Humanities Digital Library, School of Advanced Study, University of London, 2021) https://uolpress.co.uk/book/electronic-evidence-and-electronic-signatures/ Digital Evidence and Electronic Signature Law Review https://journals.sas.ac.uk/index.php/deeslr For some reason best known to themselves, some person has totally removed our book from all of these web sites, and in some cases, the journal as well. I am somewhat perturbed, as you can imagine. Both are free. I and my authors are not seeking financial gain. We only want to share knowledge. Do you or any of your readers know how to reinstate these references in such a way that they will not be removed again?? https://en.wikipedia.org/wiki/Digital_evidence *External links:* all the books I added have been removed, including the Digital Evidence and Electronic Signature Law Review ------------------------------ Date: Sun, 31 Dec 2023 20:42:51 -0500 From: Gabe Goldberg <g...@gabegold.com> Subject: How Tracking and Technology in Cars Is Being Weaponized by Abusive Partners (The New York Times) Apps that remotely track and control cars are being weaponized by abusive partners. Car manufacturers have been slow to respond, according to victims and experts. https://www.nytimes.com/2023/12/31/technology/car-trackers-gps-abuse.html?smid=nytcore-ios-share&referringSource=articleShare ------------------------------ Date: Tue, 2 Jan 2024 20:03:58 -0500 From: Gabe Goldberg <g...@gabegold.com> Subject: Researchers Suggest New AirTag Stalker Preventions That Balance Privacy (PCMag) In a new paper, researchers discuss methods to enhance privacy on AirTags and prevent stalkers from abusing them. Will Apple implement any of their suggestions? https://www.pcmag.com/news/researchers-suggest-new-airtag-stalker-preventions-that-balance-privacy ------------------------------ Date: Sun, 31 Dec 2023 13:43:27 +0000 From: Martin Ward <mward...@gmail.com> Subject: Re: AI in the Machine Internet (Goldberg, R 34 01) > Everything is a System. Every system can be more efficient with AI As I wrote earlier: "If the purpose [of the economic system] is the long term thriving of the human race, then capitalism is a terrible system: the thing you are optimisimg for (called *profit*) is actually a form of friction and *loss* to the system, as stores of value (money) get extracted from the economic cycle and stashed away unproductively." If AI makes capitalism more "efficient" at extracting profit from the economy and accumulating wealth for billionaires at the expense of everyone else, then AI will only make things even worse. ------------------------------ Date: Sun, 31 Dec 2023 19:42:17 -0600 From: Dmitri Maziuk <dmitri.maz...@gmail.com> Subject: Re: Do you need git or Subversion (Kilby, RISKS-34.01) > ... you're using VCS to host your documentation? Why? Are you going to > merge your old documents and your new documents? Oh, so you didn't have to > setup a CMS (content management system). I'm not sure CMS means what you think it means, but that aside: * I use git to save games that have no "save" option. I never merge them but I do "reset --hard". * I use git to save our dive logs. I never merge them but I do push them to a private github repo for off-site backup. ------------------------------ Date: Sat, 28 Oct 2023 11:11:11 -0800 From; risks-requ...@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: <risksinfo.html>. *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's delightfully searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 34.02 ************************
