RISKS-LIST: Risks-Forum Digest Tuesday 7 June 2022 Volume 33 : Issue 26 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/33.26> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: A New Kind of Genome Editing Is Here to Fine-Tune DNA (WiReD) California Regulators Approve First Driverless Taxi Fleet (AP) Google and Russia's delicate dance (CNN) Advancing security across Central and Eastern Europe (Google) Politicians and ulterior motives (Lauren Weinstein) The Theater of Bitcoin and Data Privacy (Siobhan Roberts) How Anonymous Is Bitcoin, Really? (NYTimes) Security News: Google May Owe You a Chunk of $100 Million Over Google Photos Privacy Violation (WiReD) Big Tech realities (Lauren Weinstein) Bolt Loaned Employees Thousands to Buy Stock -- Then Laid Them Off (WiReD) Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch (WiReD) Reno Trusting the Blockchain with Building Records (Gizmodo) Cryptocurrency (The Washington Post) It's still 2014 in crypto payments, and buying a burrito is now a taxable event (Davidger) Banning Lethal Autonomous Weapons (Stuart Russell) The Coming AI Hackers (Bruce Schneier) How Axon's plans for Taser drones blindsided its AI ethics board (Protocol) Axon Halts Plans to Sell Flying Taser Drones to Schools (Vice) Internal Documents Show Amazon's Dystopian System for Tracking Workers Every Minute of Their Shifts (Vice) The Race to Hide Your Voice (WiReD) Parameter Expansion Considered Dangerous (Cliff Kilby redux) How the Internet Turned Us Into Content Machines (Mony Solomon0 Re: WashDC stop-sign camera brought in $1.3 million in tickets in 2 years (Steve Bacher) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Mon, 6 Jun 2022 18:54:48 -0400 From: Gabe Goldberg <g...@gabegold.com> Subject: A New Kind of Genome Editing Is Here to Fine-Tune DNA (WiReD) Instead of deleting genes, epigenetic editing modulates their activity. A new paper tests if it's able to undo a genetic effect of early alcohol exposure. Yet, as with directly editing genes, there could be unintended consequences of tweaking their expression. Because Arc is a regulator gene involved in brain plasticity, modifying its expression could have effects beyond alcohol addiction. "We don't know what other behaviors are altered by this change," says Betsy Ferguson, a professor of genetics at Oregon Health and Science University who studies epigenetic mechanisms in addiction and other psychiatric disorders. "It's a balance between finding something that's effective and something that's not disruptive to everyday life." Another complicating factor is that the expression of dozens, perhaps hundreds, of genes are altered by alcohol use over time. In people, it may not be as simple as turning up the expression of Arc, which is only one of them. While it may seem like the solution would be to tweak all of those genes, manipulating the expression of many at once could cause problems. "Knowing that behaviors, including alcohol use behaviors, are regulated by a number of genes, it's really a challenging problem to solve," Ferguson says. https://www.wired.com/story/a-new-kind-of-genome-editing-is-here-to-fine-tune-dna ------------------------------ Date: Mon, 6 Jun 2022 12:06:34 -0400 (EDT) From: ACM TechNews <technews-edi...@acm.org> Subject: California Regulators Approve First Driverless Taxi Fleet (AP) Michael Liedtke, Associated Press, 3 Jun 2022, via ACM TechNews, 6 Jun 2022 The California Public Utilities Commission unanimously approved General Motors' Cruise's bid to offer a driverless ride-hailing service in San Francisco. The robotic taxi service will begin with a fleet of 30 electric vehicles accepting passengers from 10 p.m. to 6 a.m. in less-congested areas of the city, giving regulators the opportunity to assess the technology before allowing expanded service. The driverless service will not operate in heavy rain or fog, restrictions imposed to reduce the potential for property damage, injuries, or deaths. Cruise's Gil West said the approval is "a giant leap for our mission here at Cruise to save lives, help save the planet, and save people time and money." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ebdfx234351x069235& ------------------------------ Date: Fri, 3 Jun 2022 09:41:47 -0700 From: Lauren Weinstein <lau...@vortex.com> Subject: Google and Russia's delicate dance (CNN) This is an important article, because it helps to crystalize the complexity of these policy decisions. I think that this part is particularly noteworthy, and I agree with it 100%: But some Internet governance experts argue Google's choice to keep services running in the country may have more of a moral imperative than a business one. "I think the moral side is a bigger deal," said Daphne Keller, director of the program on platform regulation at Stanford University's Cyber Policy Center. "Keeping information flowing to dissidents in Russia, or people who want information from a source other than state media, is incredibly important." https://www.cnn.com/2022/06/03/tech/google-russia-youtube/index.html ------------------------------ Date: Fri, 3 Jun 2022 12:40:30 -0700 From: Lauren Weinstein <lau...@vortex.com> Subject: Advancing security across Central and Eastern Europe (Google) https://blog.google/technology/safety-security/advancing-security-across-central-and-eastern-europe/ ------------------------------ Date: Tue, 7 Jun 2022 08:47:37 -0700 From: Lauren Weinstein <lau...@vortex.com> Subject: Politicians and ulterior motives It's ironic, sad, and scary that after Google has spent so many years building world class systems to protect the security of users, politicians are so anxious to throw it all away and put users at massive risk, mostly for their own ulterior political motives. ------------------------------ Date: Tue, 7 Jun 2022 11:25:34 PDT From: Peter Neumann <neum...@csl.sri.com> Subject: The Theater of Bitcoin and Data Privacy (Siobhan Roberts) In myth, the cryptocurrency is decentralized and anonymous. Data scientists find a different reality. *The New York Times* Science Times National Edition front page, continued on the entire page D5. In my printed hardcopy, the black ink on the front page is imprinted on a mysteriously dark green background with extremely dark borders. This makes it *really hard to read*. BTW, The "and Data Privacy" appears only as the title of the continuation page D5, not on the front page. There is a self-standing quote from Alyssa Blackburn (Rice University): "Drip by drip. information leakage erodes the once-impenetrable blocks." The caption of a photo of Alyssa and Erez Lieberman Aiden says they tested Bitcoin's identity protections and claims of decentralization. [and found to the contrary]... PGN ------------------------------ Date: Mon, 6 Jun 2022 21:44:27 -0400 From: Monty Solomon <mo...@roscom.com> Subject: How Anonymous Is Bitcoin, Really? In myth, the cryptocurrency is egalitarian, decentralized and all but anonymous. The reality is very different, scientists have found. https://www.nytimes.com/2022/06/06/science/bitcoin-nakamoto-blackburn-crypto.html ------------------------------ Date: Sun, 5 Jun 2022 21:35:25 -0400 From: Gabe Goldberg <g...@gabegold.com> Subject: Security News: Google May Owe You a Chunk of $100 Million Over Google Photos Privacy Violation (WiReD) Plus: The U.S. admits to cyber operations supporting Ukraine, SCOTUS investigates its own, and a Michael Flynn surveillance mystery is solved. https://www.wired.com/story/google-photos-settlement-us-ukraine-hacks-michael-flynn-unmasking ------------------------------ Date: Fri, 3 Jun 2022 12:32:39 -0700 From: Lauren Weinstein <lau...@vortex.com> Subject: Big Tech realities I feel that much of the increasing animosity against Big Tech, fueling the ulterior motives of some notable critics, is that social media and other Big Tech firms have been deficient for many years, even decades, at educating the public about the realities of these systems. ------------------------------ Date: Mon, 6 Jun 2022 18:50:08 -0400 From: Gabe Goldberg <g...@gabegold.com> Subject: Bolt Loaned Employees Thousands to Buy Stock -- Then Laid Them Off (WiReD) Even before May's layoffs, industry veterans warned that taking out loans to buy company stock was a mistake. "It's a significant risk that I don't think most employees can afford," says Oren Barzilai, the cofounder and CEO of Equity Bee, a platform that helps startup employees exercise their stock options. "If the company fails -- and obviously, many startups fail -- they would need to pay out of pocket to pay back that loan." https://www.wired.com/story/bolt-stock-loans Ya think? ------------------------------ Date: Mon, 6 Jun 2022 12:06:34 -0400 (EDT) From: ACM TechNews <technews-edi...@acm.org> Subject: Actively Exploited Microsoft Zero-Day Flaw Still Has No Patch (WiReD) Lily Hay Newman, *WiReD*, 3 Jun 2022, via ACM TechNews, 6 Jun 2022 A zero-day flaw in Microsoft's Support Diagnostic Tool that researchers said could be exploited to remotely hijack targeted devices remains unpatched. Hackers can pass malicious Word documents through the Follina vulnerability using a remote template that retrieves a malicious HTML file and enables execution of Powershell commands within Windows. Tom Hegel at security company SentinelOne said, "After public knowledge of the exploit grew, we began seeing an immediate response from a variety of attackers beginning to use it." Hackers have been seen exploiting Follina through malicious documents, but Hegel warned less-documented exploits, including manipulating HTML content in network traffic, also remain unpatched. Microsoft proposed disabling a protocol within Support Diagnostic Tool and using Microsoft Defender Antivirus to monitor for and block the flaw's exploitation; incident responders are urging more action. https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ebdfx234353x069235& ------------------------------ Date: Mon, 6 Jun 2022 12:06:34 -0400 (EDT) From: ACM TechNews <technews-edi...@acm.org> Subject: Reno Trusting the Blockchain with Building Records (Gizmodo) Lucas Ropek, Gizmodo, 2 Jun 2022, via ACM TechNews, 6 Jun 2022 Reno, NV, has launched a blockchain-based program for storing records in order to improve "clarity and transparency" in record-keeping. The Web portal will let residents more easily engage with the city's government, and the site records interactions using blockchain software. The platform initially will be used to enhance access to Reno's Historic Registry records system, so users can file requests for repairs or modifications to historic buildings; the portal will record and validate the requests, along with the government's responses. The program is built on the STRATO application from the BlockApps software company. The city said in a press release that STRATO is "purpose-built for permanent record-keeping and is not a significant source of energy usage or greenhouse gas emissions." https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2ebdfx234352x069235& ------------------------------ Date: Sun, 5 Jun 2022 21:09:27 -0400 From: Gabe Goldberg <g...@gabegold.com>] Subject: Cryptocurrency (The Washington Post) Useful reading before Post talk: https://www.washingtonpost.com/business/2022/06/03/crypto-skeptics-growing/ https://www.washingtonpost.com/technology/2022/05/29/molly-white-crypto/ Interested in digital currency? this program from WaPo looks at the regulation of bitcoins: The Evolution of Money:orypto Currency Regulation. https://cryptojune8livestream.splashthat.com/?utm_medium=email&utm_source=retention&utm_campaign=wp_pw_ret_WPLive_060522&wpisrc=pw_ret_WPLive_060522 https://foxtrot.com/2022/06/05/when-life-gives-you-lemon-jpegs/ ------------------------------ Date: Sun, 5 Jun 2022 21:53:12 -0400 From: Gabe Goldberg <g...@gabegold.com> Subject: It's still 2014 in crypto payments, and buying a burrito is now a taxable event (Davidger) Chipotle is using a platform called Flexa, which is connected in some unclear manner to the Gemini crypto-exchange. You put your cryptos into your Flexa wallet, which is called Spedn -- a registered typo-mark, in the finest dot-com manner. Then you use the Spedn app on your phone to generate a "flexcode" barcode, which presents to Chipotle as a gift card. Then they hand you a burrito! Flexa sells the crypto, and sends the dollars to Chipotle. You're topping up a prepaid gift card with crypto. If you put your cryptos into Flexa, you can't ever take them out again. This is for (checks Crypto Excuse Calendar) anti-money-laundering. But Flexa is sure they'll work out how to let you get your money out in some non-burrito form within the next (rolls dice) several months. [Flexa] https://davidgerard.co.uk/blockchain/2022/06/05/its-still-2014-in-crypto-payments-and-buying-a-burrito-is-now-a-taxable-event/ ------------------------------ Date: Tue, 7 Jun 2022 12:47:18 PDT From: Peter Neumann <neum...@csl.sri.com> Subject: Banning Lethal Autonomous Weapons (Stuart Russell) Stuart Russell Banning Lethal Autonomous Weapons: An Education Issues in Science and Technology (Spring 2022) https://issues.org/banning-lethal-autonomous-weapons-stuart-russell/ Lethal autonomous weapons systems-commonly but misleadingly known as "killer robots" are weapons systems that, once activated, can attack objects and people without further human intervention. With more than a dozen nations working to develop highly capable versions of them for use in the air, at sea, and on land, these weapons are not science fiction: they exist now, and they are already being used in some current conflicts. Since 2014, the United Nations has held discussions around a treaty to ban autonomous weapons systems (AWS). So far, in addition to the UN secretary-general and the International Committee of the Red Cross, 30 countries have declared support for such a treaty. But the United States and Russia have combined forces to prevent any discussion of a legally binding instrument. Instead, in 2021 the United States called for a "non-binding code of conduct." My involvement in the AWS policy discussion began in February 2013 when a puzzling email arrived from Human Rights Watch (HRW). I have studied artificial intelligence (AI) topics for 45 years and spent more than a decade working on verification for the Comprehensive Nuclear-Test-Ban Treaty. And I have been a member of HRW's Northern California committee for some time. For more than four decades, the organization had investigated atrocities around the world-atrocities committed by humans. [...] [PGN-truncated. However, this is really worth reading in its entirety. It raises and discusses many of our RISKS issues, especially with respect to autonomous AI. PGN] ------------------------------ Date: Sat, 4 Jun 2022 16:35:14 -0400 From: Tom Van Vleck <t...@multicians.org> Subject: The Coming AI Hackers (Bruce Schneier) Bruce Schneier, April 2021 https://www.belfercenter.org/publication/coming-ai-hackers Workshop on Security and Human Behaviour (SHB 2022), 30-31 May, Cambridge UK. ------------------------------ Date: Fri, 3 Jun 2022 13:07:22 -0700 From: Lauren Weinstein <lau...@vortex.com> Subject: How Axon's plans for Taser drones blindsided its AI ethics board (Protocol.com) https://www.protocol.com/policy/axon-taser-drone-ethics ------------------------------ Date: Mon, 6 Jun 2022 08:22:48 -0700 From: Lauren Weinstein <lau...@vortex.com> Subject: Axon Halts Plans to Sell Flying Taser Drones to Schools (Vice) https://www.vice.com/en/article/88q4gk/axon-halts-plans-to-sell-flying-taser-drones-to-schools ------------------------------ Date: Mon, 6 Jun 2022 16:54:30 -0400 From: Gabe Goldberg <g...@gabegold.com> Subject: Internal Documents Show Amazon's Dystopian System for Tracking Workers Every Minute of Their Shifts (Vice) The documents provide new clarity about a much-talked-about but until now opaque process Amazon uses to punish associates it believes are wasting time. https://www.vice.com/en/article/5dgn73/internal-documents-show-amazons-dystopian-system-for-tracking-workers-every-minute-of-their-shifts ------------------------------ Date: Mon, 6 Jun 2022 16:50:03 -0400 From: Gabe Goldberg <g...@gabegold.com> Subject: The Race to Hide Your Voice (WiReD) Voice recognition -- and data collection -- have boomed in recent years. Researchers are figuring out how to protect your privacy. https://www.wired.com/story/voice-recognition-privacy-speech-changer/ ------------------------------ Date: Fri, 3 Jun 2022 13:30:15 -0400 From: Cliff Kilby <cliffjki...@gmail.com> Subject: Parameter Expansion Considered Dangerous [I am rerunning this item its entirety. Due to an emacs deletion fiasco that was caught too late to back up, this item got accidentally truncated when i manually had to recapture what had been lost. Sorry. See our previous items on Log4j in RISKS-33.11, 13, and 14. PGN] After the Log4j issue came to light <https://www.cisa.gov/uscert/apache-log4j-vulnerability-guidance>, I would have expected the industry to realize the problem wasn't just with Log4j, or even Java. It's unguarded user submitted parameter expansion. https://thehackernews.com/2022/06/hackers-exploiting-unpatched-critical.html Seems to indicate I was overly optimistic. Several templating engines exist with several parameter formats. Offhand, there is jsp with <jsp, <%, <c, ${, asp(x) with <%, smarty and freemarker with {$, Django, Mustache and Jinja with {{. Apache's Velocity templates have a list worthy of a BNF rule, but I don't know BNF, so how about "dollar-sign or hash optional bang optional bracket optional sq-bracket optional paren optional text". Your application should be sanitizing all user input, but if your framework won't, start adding blocks to your WAF for parameter wrappers. This is only going to get worse. Also, I am not Dijkstra. A grain of salt may be needed here. ------------------------------ Date: Sat, 4 Jun 2022 17:25:00 -0400 From: Monty Solomon <mo...@roscom.com> Subject: How the Internet Turned Us Into Content Machines Two new books examine how social media traps users in a brutal race to the bottom. https://www.newyorker.com/culture/infinite-scroll/how-the-internet-turned-us-into-content-machines ------------------------------ Date: Sun, 5 Jun 2022 09:15:47 -0700 From: Steve Bacher <seb...@verizon.net> Subject: Re: WashDC stop-sign camera brought in $1.3 million in tickets in 2 years (RISKS-33:25) This is yet another instance that violates a basic principle of mine: A government should not make a law that is at cross-purposes with itself. "Sin" taxes on things like tobacco, alcohol and sugary drinks are common examples of the same thing. You cannot attempt to reduce or eliminate a practice while at the same time benefiting from infractions of that practice. That produces a conflict of interest with the inevitable result of hoping more people will violate the law in order to keep the funds flowing from the source. A common rationalization is that society benefits either way:either fewer people die or there's more money for education. But ultimately one result wins out over the other; you don't get both. It's better if the revenues are earmarked for something that won't be needed if the practice being discouraged gets reduced. For example, tobacco tax revenue can be restricted to funding anti-smoking programs. But we've seen too often how municipalities fund basic services through speed traps, not to mention the Constitutional questions of being charged in absentia et al. ------------------------------ Date: Mon, 1 Aug 2020 11:11:11 -0800 From: risks-requ...@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) is online. <http://www.CSL.sri.com/risksinfo.html> *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 33.26 ************************