RISKS-LIST: Risks-Forum Digest  Monday 2 January 2023  Volume 33 : Issue 59

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.59>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
HAPPY NEW YEAR, with fewer risks? but perhaps more RISKS?
Vint Cerf and the Internet (Emily Bobrow)
Russians Hacked JFK Airport Taxi Dispatch in Line-Skipping Scheme (WiReD)
Biometric devices sold on eBay reportedly contained sensitive U.S. military data (NYTimes)
I bought a $15 router at Goodwill, and found a millionaire's dirty secrets (Erin Keller)
FBI's Vetted Info-Sharing Network InfraGard Hacked (Krebs on Security)
Southwest COO explained that the company's outdated scheduling software quickly became the main culprit of the cancellations once the storm cleared. (CNN with comments from Gabe Goldberg and Richard M Stein)
Two Men Arrested For Conspiring With Russian Nationals To Hack the Taxi Dispatch System At JFK Airport (U.S. DoJ)
Two men indicted for hacking a dozen Ring cameras and livestreaming swatting attacks (The Verge)
As Tesla stock tanks, videos of Teslas malfunctioning in below-freezing temps go viral (Yahoo!)
Robocall company may receive the largest FCC fine ever (Engadget)
Calculations on Maryland college savings plans lead to account freeze (WashPost via Jeremy Epstein)
Ransomware devastates the ALMA Observatory (Physics Today)
Windows: Still insecure after all these years (ZDNET)
Scammers Are Scamming Other Scammers Out of Millions of Dollars (WiReD)
Melbourne Lord Mayor says *vandalism* of QR codes for reporting graffiti *so frustrating* (ABC Australia)
Meta's new AI is skilled at a ruthless power-seeking game (WashPost)
Roomba with a View! (MIT Tech Review)
As e-bike fires rise, calls grow for education and regulation (Smart Cities Dive)
Samsung Recalls Top-Load Washing Machines Due to Fire Hazard; Software Repair Available (CPSC)
Apple's 'unprecedented' engineering snafu reportedly spoiled plans for more powerful iPhone 14 Pro chip (Yahoo!)
Studies flag environmental impact of reentry (SpaceNews)
A Fight Over Automation Plans at U.S. Hydroelectric Dams (WiReD)
Their children went viral. Now they wish they could wipe them from the Internet. (NBC News)
A dangerous side of America's digital divide: Who receives emergency alerts (WashPost)
DDoS-for-hire sting hits 50 domains, seven people detained (The Register)
Card skimming devices found at 7-Eleven locations in Boston (The Globe)
Users report Google Calendar bug creating random, fake events (The Verge)
Server broke because it was invisibly designed to break (The Register)
Bad Santa at Rockettes' Christmas Spectacular (Ars Technica)
Celsius hearing, December 8: Selling GK8 to Galaxy Digital (Amy Castor)
Bankman-Fried's Cabal of Roommates in the Bahamas Ran His Crypto Empire -- and Dated. Other Employees Have Lots of Questions (Coindesk)
Sympathy for the crypto bros (Mother Jones via Gabe Goldberg)
Twitter dissolves Trust and Safety Council, Yoel Roth flees home (WashPost)
Cats disrupt satellite Internet service (Smithsonian Mag)
How Bots Pushing Adult Content Drowned Out Chinese Protest Tweets (NYTimes)
Okta had another security incident, this time involving stolen source code (Engadget)
There is great danger in training an AI to lie... (Alex Epstein)
Code-Generating AI Can Introduce Security Vulnerabilities (Kyle Wiggers)
Co-Pilot helps write insecure code (Rik Farrow)
ChatGPT Explains Why AIs like ChatGPT Should Be Regulated (SciAm)
New bot ChatGPT will force colleges to get creative to prevent cheating, experts say (NBC News)
Re: Dreams of a Future in Big Tech Dim for Computer Science Students (Gene Spafford)
Re: Pretty Smart AI (David Parnas, Steve Bacher)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 19 Dec 2022 11:55:21 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Vint Cerf and the Internet (Emily Bobrow)

Vint Cerf Helped Create the Internet on the Back of an Envelope. Now He's Calling for More Critical Thinking About How We Use It
Emily Bobrow, *The Wall Street Journal*, 16 Dec 2022
via ACM TechNews, 19 Dec 2022

Google Chief Internet Evangelist and 2004 ACM A.M. Turing Award co-recipient Vint Cerf helped invent the Internet but acknowledges its downsides, including its use for spreading misinformation and disinformation. Cerf says addressing this "propagation problem" requires Google and similar companies to better "understand how these mechanisms influence the way people behave." He observes that although commercialization has broadened the Internet's scope, feedback algorithms appear to be directing people toward "more divisive and extreme stuff." Cerf urges more critical thinking to rein in the Internet's sociological and psychological effects, while businesses must make better efforts to contain online trolling, lying, bullying, and surveillance.

  [Is Emily a niece of Danny Bobrow (BBN, Xerox PARC, etc.), who was a friend and colleague of Vint way back?  PGN]

------------------------------

Date: Sun, 25 Dec 2022 02:53:06 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Russians Hacked JFK Airport Taxi Dispatch in Line-Skipping Scheme (WiReD)

According to prosecutors, two Queens men, Daniel Abayev and Peter Leyman, worked with Russian hackers to gain access to the taxi dispatch system for New York's JFK airport. They then allegedly created a group chat where drivers could secretly pay $10 to skip the sometimes hours-long line to be assigned a pickup -- about a fifth of the $52 flat fee passengers pay for rides from the airport to elsewhere in NYC.

The indictment against the two men doesn't name the Russians or detail exactly how they gained access to JFK's dispatch system. But it notes that since 2019, Abayev and Leyman allegedly schemed to get access to the system by multiple methods, including bribing someone to insert a USB drive with malware into one of the dispatch operators' computers, gaining unauthorized access to their systems via Wi-Fi, and stealing one of their tablet computers. ``I know that the Pentagon is being hacked,'' Abayev wrote to his Russian contacts in November 2019, according to the indictment, ``So, can't we hack the taxi industry[?]'' Before the scheme was shut down, prosecutors say it was enabling as many as a thousand fraudulent line-skips a day for drivers,

https://www.wired.com/story/russia-jfk-taxi-hack-security-roundup

  [Monty noted this:
  https://www.theverge.com/2022/12/22/23522275/nyc-russian-hack-jfk-airport-taxi-dispatch-system
  ]

------------------------------

Date: Wed, 28 Dec 2022 13:59:59 -0700
From: Jim Reisert AD1C <jjreis...@alum.mit.edu>
Subject: Biometric devices sold on eBay reportedly contained sensitive U.S. military data (NYTimes)

By Kashmir Hill, John Ismay, Christopher F. Schuetze and Aaron Krolik, *The New York Times*, 27 Dec 2022
https://www.nytimes.com/2022/12/27/technology/for-sale-on-ebay-a-military-database-of-fingerprints-and-iris-scans.html

The shoebox-shaped device, designed to capture fingerprints and perform iris scans, was listed on eBay for $149.95. A German security researcher, Matthias Marx, successfully offered $68, and when it arrived at his home in Hamburg in August, the rugged, hand-held machine contained more than what was promised in the listing. The device's memory card held the names, nationalities, photographs, fingerprints and iris scans of 2,632 people.

  [Also noted by Jan Wolitzky, PGN]

------------------------------

Date: Wed, 28 Dec 2022 15:35:27 -0500
From: Jan Wolitzky <jan.wolit...@gmail.com>
Subject: Lawmakers Signal Inquiries Into U.S. Government's Use of Foreign Spyware (NYTimes)

Senior lawmakers said they would investigate the government's purchase and use of powerful spyware made by two Israeli hacking firms, as Congress passed a measure in recent days to try to rein in the proliferation of the hacking tools.

Representative Adam Schiff, the California Democrat who is chairman of the House Intelligence Committee, sent a letter last week to the head of the Drug Enforcement Administration asking for detailed information about the agency's use of Graphite, a spyware tool produced by the Israeli company Paragon.

``Such use could have potential implications for U.S. national security, as well as run contrary to efforts to deter the broad proliferation of powerful surveillance capabilities to autocratic regimes and others who may misuse them,'' Mr. Schiff wrote in the letter.

Graphite, like the better-known Israeli hacking tool Pegasus, can penetrate the mobile phones of its targets and extract messages, videos, photos and other content. The New York Times revealed this month that the DEA was using Graphite in its foreign operations.
The agency has said it uses the tool legally and only outside the United States, but has not answered questions about whether American citizens can be targeted with the hacking tool.

https://www.nytimes.com/2022/12/28/us/politics/spyware-israel-dea-fbi.htm

------------------------------

Date: Fri, 30 Dec 2022 10:32:59 -0700
From: Jim Reisert AD1C <jjreis...@alum.mit.edu>
Subject: I bought a $15 router at Goodwill, and found a millionaire's dirty secrets (Erin Keller)

Erin Keller, *The New York Post*, 28 Dec 2022

A German TikToker, who goes by the name @dankeunextgay on the platform, is going viral for detailing the juicy documents and photos he claims to have found on a $15 Apple Time Capsule he allegedly purchased from the thrift retailer. In his 14 Dec 2022 video, the TikToker showed viewers his MacBook being backed up by the previous owner's files that dated back to 2010, when the wireless router was reportedly last used.

https://nypost.com/2022/12/28/i-bought-a-15-router-at-goodwill-and-found-a-millionaires-dirty-secrets/

------------------------------

Date: Thu, 15 Dec 2022 01:01:35 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: FBI's Vetted Info-Sharing Network InfraGard Hacked (Krebs on Security)

InfraGard, a program run by the U.S. Federal Bureau of Investigation (FBI) to build cyber and physical threat information sharing partnerships with the private sector, this week saw its database of contact information on more than 80,000 members go up for sale on an English-language cybercrime forum. Meanwhile, the hackers responsible are communicating directly with members through the InfraGard portal online -- using a new account under the assumed identity of a financial industry CEO that was vetted by the FBI itself.
https://krebsonsecurity.com/2022/12/fbis-vetted-info-sharing-network-infragard-hacked/

------------------------------

Date: Wed, 28 Dec 2022 12:38:28 -0500
From: Jan Wolitzky <jan.wolit...@gmail.com>
Subject: Southwest COO explained that the company's outdated scheduling software quickly became the main culprit of the cancellations once the storm cleared.

The extreme cold, ice and snow grounded planes and left some crew members stranded, so Southwest's crew schedulers worked furiously to put a new schedule together, matching available crew with aircraft that were ready to fly. But the Federal Aviation Administration strictly regulates when flight crews can work, complicating Southwest's scheduling efforts.

``The process of matching up those crew members with the aircraft could not be handled by our technology,'' Watterson said.

Southwest ended up with planes that were ready to take off with available crew, but the company's scheduling software wasn't able to match them quickly and accurately, Watterson added.

``As a result, we had to ask our crew schedulers to do this manually, and it's extraordinarily difficult. That is a tedious, long process.''

Watterson noted that manual scheduling left Southwest building an incredibly delicate house of cards that could quickly tumble when the company encountered a problem.

``They would make great progress, and then some other disruption would happen, and it would unravel their work. So, we spent multiple days where we kind of got close to finishing the problem, and then it had to be reset.''

https://amp.cnn.com/cnn/2022/12/27/business/southwest-airlines-service-meltdown/index.html

  [Richard Marlon Stein noted this item:
  Southwest didn't heed calls to upgrade tech before meltdown, unions say
  https://www.washingtonpost.com/transportation/2022/12/28/southwest-airlines-flight-cancellations/
  ``The tools we use to recover from disruption serve us well, 99 percent of the time,''

  [Gabe Goldberg noted this item:
  The Shameful Open Secret Behind Southwest's Failure (NYTimes)
  https://www.nytimes.com/2022/12/31/opinion/southwest-airlines-computers.html
  More than 15,000 of its flights were canceled starting on Dec. 22, including more than 2,300 canceled this past Thursday -- almost a week after the storm had passed.
  PGN]

------------------------------

Date: Fri, 23 Dec 2022 07:16:09 -0700
From: Jim Reisert AD1C <jjreis...@alum.mit.edu>
Subject: Two Men Arrested For Conspiring With Russian Nationals To Hack the Taxi Dispatch System At JFK Airport (U.S. DoJ)

Department of Justice, U.S. Attorney's Office, Southern District of New York, 20 Dec 2022
https://www.justice.gov/usao-sdny/pr/two-men-arrested-conspiring-russian-nationals-hack-taxi-dispatch-system-jfk-airport

At all relevant times, taxi drivers who sought to pick up a fare at JFK were required to wait in a holding lot at JFK before being dispatched to a specific terminal by the Dispatch System. Taxi drivers were frequently required to wait several hours in the lot before being dispatched to a terminal and were dispatched in approximately the order in which they arrived at the holding lot.
Beginning in 2019, ABAYEV and LEYMAN explored and attempted various mechanisms to access the Dispatch System, including bribing someone to insert a flash drive containing malware into computers connected to the Dispatch System, obtaining unauthorized access to the Dispatch System via a Wi-Fi connection, and stealing computer tablets connected to the Dispatch System.

------------------------------

Date: Wed, 21 Dec 2022 10:04:13 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Two men indicted for hacking a dozen Ring cameras and livestreaming swatting attacks (The Verge)

https://www.theverge.com/2022/12/20/23517973/ring-doorbells-swatting-yahoo-email-arrest

------------------------------

Date: Tue, 27 Dec 2022 16:23:20 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: As Tesla stock tanks, videos of Teslas malfunctioning in below-freezing temps go viral

https://news.yahoo.com/videos-teslas-malfunctioning-below-freezing-215149907.html

------------------------------

Date: Sun, 25 Dec 2022 15:39:42 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Robocall company may receive the largest FCC fine ever (Engadget)

https://www.engadget.com/robocall-company-may-receive-the-largest-fine-ever-from-the-fcc-110759522.html

------------------------------

Date: Wed, 21 Dec 2022 22:07:43 -0500
From: Jeremy Epstein <jeremy.j.epst...@gmail.com>
Subject: Calculations on Maryland college savings plans lead to account freeze (WashPost)

https://www.washingtonpost.com/education/2022/12/21/maryland-529-college-tuition-savings/

Maryland, like most US states, offers a college savings plan. The calculations of account values seem to have been incorrect, and the state is having a hard time figuring out the correct values. In the meantime, accounts are frozen, as is the ability to make withdrawals to pay for college.
The only thing surprising about this to me is that it doesn't happen more often -- the calculations for value must be pretty complex, and once a small bug gets in, figuring out the right numbers can't be easy.

------------------------------

Date: Wed, 21 Dec 2022 15:36:01 +0000 (UTC)
From: Patrick Mock <pcm...@yahoo.com>
Subject: Ransomware devastates the ALMA Observatory (Physics Today)

Ransomware has shut down the ALMA Observatory for over a month.

https://physicstoday.scitation.org/do/10.1063/PT.6.2.20221212a/full/

------------------------------

Date: Fri, 16 Dec 2022 01:53:19 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Windows: Still insecure after all these years (ZDNET)

OPINION: With every Windows release, Microsoft promises better security. And, sometimes, it makes improvements. But then, well then, we see truly ancient security holes show up yet again.

https://www.zdnet.com/article/windows-still-insecure-after-all-these-years/

------------------------------

Date: Sun, 11 Dec 2022 01:20:44 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Scammers Are Scamming Other Scammers Out of Millions of Dollars (WiReD)

On cybercrime forums, user complaints about being duped may accidentally expose their real identities.

Pretty funny:

Nobody is immune to being scammed online -- not even the people running the scams. Cybercriminals using hacking forums to buy software exploits and stolen login details keep falling for cons and are getting ripped off thousands of dollars at a time, a new analysis has revealed. And what's more, when the criminals complain that they are being scammed, they're also leaving a trail of breadcrumbs of their own personal information that could reveal their real-world identities to police and investigators.

Hackers and cybercriminals often gather on specific forums and marketplaces to do business with each other.
They can advertise upcoming work they need help with, sell databases of people's stolen passwords and credit card information, or tout new security vulnerabilities that can be used to break into people's devices or systems. However, these deals often don't go to plan. The new research, published today by cybersecurity firm Sophos, examines these failed transactions and the complaints people have made about them. ``Scammers scamming scammers on criminal forums and marketplaces is much bigger than we originally thought it was,'' says Matt Wixey, researcher with Sophos X-Ops who studied the marketplaces.

https://www.wired.com/story/cybercrime-hackers-scams-forums/

------------------------------

Date: Mon, 2 Jan 2023 08:20:07 -0700
From: Jim Reisert AD1C <jjreis...@alum.mit.edu>
Subject: Melbourne Lord Mayor says *vandalism* of QR codes for reporting graffiti *so frustrating* (ABC Australia)

Emma D'Agostino, ABC News Australia, Updated 1 Jan 2023

The City of Melbourne is investigating how much of a system for reporting graffiti, using QR codes, has been vandalised. [...] QR codes posted around the Melbourne CBD have been overlaid with alternative codes. These codes, which the ABC has seen, lead to a documentary about hip hop culture on YouTube that explores graffiti as part of hip hop culture. Melbourne Lord Mayor Sally Capp said it was not yet known how many of the QR codes had been vandalised, but believed it was still small in number.

------------------------------

Date: Sun, 11 Dec 2022 23:46:47 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Meta's new AI is skilled at a ruthless power-seeking game (WashPost)

The model is adept at negotiation and trickery. One expert called it "super scary."

https://www.washingtonpost.com/technology/2022/12/01/meta-diplomacy-ai-cicero/

------------------------------

Date: Thu, 22 Dec 2022 14:55:18 +0000
From: Henry Baker <hbak...@pipeline.com>
Subject: Roomba with a View! (MIT Tech Review)

  [A Roomba cleaning robot with an imaging camera; what could possibly go wrong?]

Eileen Guo, 19 Dec 2022
A Roomba recorded a woman on the toilet. How did screenshots end up on Facebook?
https://www.technologyreview.com/2022/12/19/1065306/roomba-irobot-robot-vacuums-artificial-intelligence-training-data-privacy/

In the fall of 2020, gig workers in Venezuela posted a series of images to online forums where they gathered to talk shop. The photos were mundane, if sometimes intimate, household scenes captured from low -- including some you really wouldn't want shared on the Internet. In one particularly revealing shot, a young woman in a lavender T-shirt sits on the toilet, her shorts pulled down to mid-thigh.

The images were not taken by a person, but by development versions of iRobot's Roomba J7 series robot vacuum. They were then sent to Scale AI, a startup that contracts workers around the world to label audio, photo, and video data used to train artificial intelligence. [...]

  [There's always Room-ba for Improve-ment.  PGN]

------------------------------

Date: Sun, 25 Dec 2022 02:46:51 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: As e-bike fires rise, calls grow for education and regulation (Smart Cities Dive)

Li-ion batteries are "pretty unique fire hazards," said a spokesperson for the National Fire Protection Association.

An increase in battery fires linked to electric bicycles has caught the attention of municipal and federal officials, who point to public education rather than bans as the best way to keep people safe.

As of late December, there were 206 e-bike fires in New York City in 2022, more than double the number of fires that occurred the year prior, according to a New York Fire Department spokesperson. Those e-bike fires are blamed for 142 injuries in 2022, almost 80% more than in 2021, and six deaths. In 2020, there were just 44 e-bike fires, which were associated with 23 injuries and no deaths, the department said.
https://www.smartcitiesdive.com/news/e-bike-fires-rise-calls-grow-education-regulation-scooters-micromobility/639411/

------------------------------

Date: Fri, 23 Dec 2022 12:49:18 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Samsung Recalls Top-Load Washing Machines Due to Fire Hazard; Software Repair Available (CPSC)

https://www.cpsc.gov/Recalls/2023/Samsung-Recalls-Top-Load-Washing-Machines-Due-to-Fire-Hazard-Software-Repair-Available

------------------------------

Date: Sun, 25 Dec 2022 15:41:14 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Apple's 'unprecedented' engineering snafu reportedly spoiled plans for more powerful iPhone 14 Pro chip (Yahoo!)

https://news.yahoo.com/videos-teslas-malfunctioning-below-freezing-215149907.html

------------------------------

Date: Sat, 24 Dec 2022 12:18:22 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: Studies flag environmental impact of reentry (SpaceNews)

*Megaconstellations promise a steady flow of de-orbiting debris. Can the sky take it?*

Space hardware tumbling out of orbit may lead to unforeseen environmental and climate impacts. Due to the growing scale and pace of launch activities, what is needed is better monitoring of the situation, as well as regulation to create an environmentally sustainable space industry.

Making that case is Jamie Shutler, associate professor of Earth observation at the University of Exeter, Cornwall. Shutler and colleagues authored the research paper Atmospheric Impacts of the Space Industry Require Oversight in the August issue of the journal *Nature Geoscience.*

Decreased satellite costs have led to large spacecraft constellations, thereby creating a constant flow of de-orbiting debris as craft die and are replaced. ``This debris could double the annual injection of aerosol particle mass into the mesosphere,'' the paper explains, thereby increasing the number of aluminum particles that can reach the stratosphere, where they promote ozone loss.
Shutler told *SpaceNews*, ``We are now realizing the full benefits of access to space, but our understanding of the environmental impact of these activities is currently limited. Maximizing these benefits whilst minimizing the environmental impact is likely to become increasingly important for science and industry.'' [...]

https://spacenews.com/studies-flag-environmental-impact-of-reentry/

------------------------------

Date: Tue, 13 Dec 2022 20:43:19 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: A Fight Over Automation Plans at U.S. Hydroelectric Dams (WiReD)

The U.S. government says replacing staff with automation and remote monitoring saves taxpayers money. Some workers fear accidents and cyberattacks.

https://www.wired.com/story/a-fight-over-automation-plans-at-us-hydroelectric-dams

Maybe Tesla's full-function utterly safe automatic driving software can be adapted to run hydro dams...

------------------------------

Date: Sun, 25 Dec 2022 19:02:25 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Their children went viral. Now they wish they could wipe them from the Internet. (NBC News)

"Children don't know about the Internet. They don't know that their images are going to live on forever."

https://www.nbcnews.com/pop-culture/influencers-parents-posting-kids-online-privacy-security-concerns-rcna55318

------------------------------

Date: Thu, 22 Dec 2022 17:58:34 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: A dangerous side of America's digital divide: Who receives emergency alerts (WashPost)

People with little to no cellphone service, particularly in rural areas, face danger as storms approach and they are unable to receive alerts and make calls.
https://www.washingtonpost.com/climate-environment/2022/12/21/weather-alerts-storms-disasters/

------------------------------

Date: Mon, 19 Dec 2022 01:36:49 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: DDoS-for-hire sting hits 50 domains, seven people detained (The Register)

https://www.theregister.com/2022/12/15/ddos_sites_takedown_fbi_europol/

------------------------------

Date: Fri, 23 Dec 2022 11:23:35 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Card skimming devices found at 7-Eleven locations in Boston (The Globe)

Police said they expect other devices to be found in the city and beyond. Card skimming devices are used to steal personal financial information.

https://www.boston.com/news/local-news/2022/12/22/card-skimming-devices-found-7-eleven-boston/

------------------------------

Date: Sun, 25 Dec 2022 15:38:30 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Users report Google Calendar bug creating random, fake events (The Verge)

https://www.theverge.com/2022/12/23/23524555/google-calendar-ios-android-app-spam-events

------------------------------

Date: Mon, 19 Dec 2022 01:32:24 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Server broke because it was invisibly designed to break (The Register)

https://www.theregister.com/2022/12/16/on_call/

------------------------------

Date: Fri, 23 Dec 2022 02:47:29 +0000
From: Henry Baker <hbak...@pipeline.com>
Subject: Bad Santa at Rockettes' Christmas Spectacular (Ars Technica)

Bad Santa does facial recognition at Radio City Music Hall (owned by James Dolan, as is MSG Entertainment):

  He sees you when you are suing
  He knows when you litigate
  He knows if you've been bad or good
  So be good for goodness sake
  You better watch out, you better not cry
  You better not pout, I'm telling you why
  Santa Claus is kicking you down town

https://arstechnica.com/tech-policy/2022/12/facial-recognition-flags-girl-scout-mom-as-security-risk-at-rockettes-show/

------------------------------

Date: Sun, 11 Dec 2022 01:49:39 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Celsius hearing, December 8: Selling GK8 to Galaxy Digital (Amy Castor)

Celsius is bankrupt, with liabilities that are hugely greater than its assets. So they're selling what can be sold -- such as subsidiaries that are solvent going concerns.

Celsius bought Israeli crypto custody company GK8 in October 2021 for $115 million -- $100 million in cash, and the rest in their own CEL tokens. Now Celsius wants to sell GK8 to Mike Novogratz's Galaxy Digital for $44 million, plus $100,000 assumed liabilities (debts that Galaxy will be responsible for). This is a huge loss -- but Galaxy was the only qualified bidder. [...]

It's important to keep in mind that this week's hearings have been furious arguments over the alignment of the deck chairs on the Titanic. But the iceberg is still there. Celsius is flat broke. There's no business. There are pennies left for creditors at best. Celsius is a shambling zombie. It should have been liquidated in July.

https://amycastor.com/2022/12/10/celsius-hearing-december-8-selling-gk8-to-galaxy-digital/

I sure can't completely follow these narratives but the writing is brilliant and details are grimly laughable.

------------------------------

Date: Tue, 13 Dec 2022 20:27:27 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Bankman-Fried's Cabal of Roommates in the Bahamas Ran His Crypto Empire -- and Dated. Other Employees Have Lots of Questions (Coindesk)

CoinDesk spoke to several current and former FTX and Alameda employees who agreed to talk on the condition of anonymity, citing ongoing harassment and death threats due to the exchange's solvency issues. And they said essentially this: It's a place full of conflicts of interest, nepotism and lack of oversight.

``The whole operation was run by a gang of kids in the Bahamas,'' a person familiar with the matter told CoinDesk on the condition of anonymity.
FTX and Alameda employees CoinDesk interviewed say they have been kept in the dark about the events of the past week, adding that only CEO Bankman-Fried's inner circle may have had knowledge that the exchange, as reported by the Wall Street Journal, siphoned customer funds into corporate sibling Alameda.

https://www.coindesk.com/business/2022/11/10/bankman-frieds-cabal-of-roommates-in-the-bahamas-ran-his-crypto-empire-and-dated-other-employees-have-lots-of-questions/

------------------------------

Date: Tue, 13 Dec 2022 20:38:06 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Sympathy for the crypto bros (Mother Jones)

Things are falling apart for Sam Bankman-Fried, the FTX founder who allegedly defrauded investors before filing bankruptcy and spelling financial ruin for crypto investors, including, as my colleague Ali Breland has reported, those who weren't very rich to start out with. Yesterday, SBF, as he's known, was arrested in the Bahamas. Today, federal prosecutors filed eight charges against him, including wire fraud, money laundering, and making illegal campaign donations.

This is all very bad, but I have mainly been interested in SBF's apparent relationships with co-workers and business associates, which, as Intelligencer pointed out, are more than just salacious details and actually pretty important to understanding the company's power dynamics.

While it's easy to dismiss the plight of people who invested in cryptocurrency, you can't really blame people for investing in get-rich-quick schemes when wealth inequality is widening and home ownership is a pipe dream for many members of the younger generations. "The moral question upon seeing the gap between owners and buyers, between the poor and ultra-rich, between capitalist owners and workers, is how do we end it?" Ali wrote last year. "Yet in an economy where most people work long hours, are struggling to get by, and have deeply internalized the status quo, that question becomes: How do I get in?"
https://link.motherjones.com/view/5eb475c1b01fd7378a674535hufgc.sdi/02467db4

Not all victims were downtrodden proles. How about the well-off who should have known better? Or did, just figuring there'd be bigger fools to buy them out nicely. Then the music stopped.

------------------------------

Date: Mon, 12 Dec 2022 20:50:16 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Twitter dissolves Trust and Safety Council, Yoel Roth flees home (WashPost)

Meanwhile, a former top Twitter official fled his home amid attacks following Musk tweets.

https://www.washingtonpost.com/technology/2022/12/12/musk-twitter-harass-yoel-roth

------------------------------

Date: Mon, 2 Jan 2023 13:29:44 -0500
From: Jan Wolitzky <jan.wolit...@gmail.com>
Subject: Cats disrupt satellite Internet service (Smithsonian Mag)

Okay, enough with the stories of rats chewing through data cables and squirrels self-immolating to cause power blackouts. Here's a story of cats disrupting satellite Internet service because they discovered that Elon Musk's Starlink dishes are heated (to prevent snow build-up disrupting Satellite Internet service [!!!]). Cute cat pix included.
https://www.smithsonianmag.com/smart-news/outdoor-cats-are-using-500-starlink-satellite-dishes-as-self-heating-beds-180979401/

------------------------------

Date: Mon, 19 Dec 2022 14:53:52 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: How Bots Pushing Adult Content Drowned Out Chinese Protest Tweets (NYTimes)

How Bots Pushing Adult Content Drowned Out Chinese Protest Tweets
https://www.nytimes.com/interactive/2022/12/19/technology/twitter-bots-china-protests-elon-musk.html

------------------------------

Date: Thu, 22 Dec 2022 14:44:22 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Okta had another security incident, this time involving stolen source code (Engadget)

Okta had another security incident, this time involving stolen source code
https://www.engadget.com/okta-stolen-source-code-205601214.html

ALSO: Okta says source code for Workforce Identity Cloud service was copied (Ars Technica)
https://arstechnica.com/information-technology/2022/12/okta-says-source-code-for-workforce-identity-cloud-service-was-copied/

------------------------------

Date: Sat, 24 Dec 2022 08:43:29 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: There is great danger in training an AI to lie...

https://twitter.com/AlexEpstein/status/1606347326624215040

------------------------------

Date: Fri, 30 Dec 2022 12:09:31 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Code-Generating AI Can Introduce Security Vulnerabilities (Kyle Wiggers)

Kyle Wiggers, TechCrunch, 28 Dec 2022, via ACM TechNews, 30 Dec 2022

Software engineers who use code-generating artificial intelligence (AI) systems are more likely to cause security vulnerabilities in the apps they develop, according to researchers affiliated with Stanford University. Their study looked at Codex, an AI code-generating system developed by research lab OpenAI.
The researchers recruited developers to use Codex to complete security-related problems across programming languages, including Python, JavaScript, and C. Participants who had access to Codex were more likely to write incorrect and *insecure* solutions to programming problems compared to a control group, and they were more likely to say that their insecure answers were secure compared to the people in the control.

------------------------------

Date: Tue, 27 Dec 2022 09:35:15 -0700
From: Rik Farrow <r...@rikfarrow.com>
Subject: Co-Pilot helps write insecure code

An article in *The Register* (including the word 'boffins') describes two papers that show that programmers using Co-Pilot think they write more secure code, but actually are doing the opposite:

https://www.theregister.com/2022/12/21/ai_assistants_bad_code/

Does this suggest that if Skynet becomes a reality, it can be hacked? More likely, that the training code used for Co-Pilot started out as insecure and buggy.

------------------------------

Date: Thu, 29 Dec 2022 02:18:52 +0000
From: Richard Marlon Stein <rmst...@protonmail.com>
Subject: ChatGPT Explains Why AIs like ChatGPT Should Be Regulated (Scientific American)

https://www.scientificamerican.com/article/chatgpt-explains-why-ais-like-chatgpt-should-be-regulated/

I'm surprised ChatGPT -- AI generally -- didn't suggest self-regulation. The AI-authoring industry appears to favor that approach versus explainability via Hagras' criteria (https://www.researchgate.net/publication/328088140_Toward_Human-Understandable_Explainable_AI) or the equivalent.
------------------------------

Date: Sun, 25 Dec 2022 18:38:42 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: New bot ChatGPT will force colleges to get creative to prevent cheating, experts say (NBC News)

New bot ChatGPT will force colleges to get creative to prevent cheating, experts say

Those who work with AI in their classrooms said they're not panicking about ChatGPT, which went viral after its launch last week.

https://www.nbcnews.com/tech/chatgpt-can-generate-essay-generate-rcna60362

------------------------------

Date: Sun, 11 Dec 2022 11:45:24 -0500
From: Gene Spafford <s...@purdue.edu>
Subject: Re: Dreams of a Future in Big Tech Dim for Computer Science Students (RISKS-33.57)

> I have no idea how many computer science curricula include relevant
> courses today.

ABET certification requires coverage of ethics. The ACM/IEEE curricular recommendations include ethics. So, common curricula generally include the topic.

Of course, that doesn't mean that it is covered in any meaningful way. I know some institutions give it only a passing mention. At others, it is likely a topic at the end of some courses that is viewed as expendable when there is more to cover from the syllabus than there is class time in the semester. Thankfully, this is not the case everywhere.

I haven't found meaningful coverage in many textbooks, which means it is easy to overlook. For faculty who are uncomfortable with the topic, or who have no experience in presenting it, this often means the topic is given superficial (if any) coverage in classes.

In a sense, professional ethics is a CS topic similar to writing safe code: It is in the syllabi at most schools but given only a vague hand wave at too many schools because the potential employers of students are more interested in a few more weeks of instruction in some fad topic.
In the view of faculty, students are more likely to get employed if they know how to build a blockchain or ML system rather than spend time learning how to employ them in an ethical manner, and recent news continues to illustrate the problems with that approach.

To relate a particular positive example: I include a section on professional ethics in every course I have taught at Purdue since I got here 35 years ago. I have created both an undergrad and a grad course that include multi-week discussions of ethics (and bias, logical fallacies, and misinformation, among other topics) that seem to be well-received by students, although both are electives. A decade ago, the department adopted an ethics requirement for grad students. This involves an introductory lecture that I give and a requirement to complete the CITI course on responsible conduct of research. I'm told by people at companies and government agencies (and by alumni) that they wish other schools devoted time and resources to the topic the way we do. Meanwhile, I know we could do more at the undergrad level.

(I'm writing this as someone who has participated in the development of the last 2 iterations of the ACM Code of Professional Ethics, as an attendee of Terry Bynum's '81 conference[*], and as leader of ACM's committee on publication ethics. So I cannot make any claim to being a *typical* faculty member in this regard or that the Purdue experience is more generalizable.)

The science-fiction stories of rogue AI, concerns about autonomous weapons systems, issues of cryptocurrency fraud, and the other topics we have seen for decades in RISKS (thanks, Peter) are not solely traceable to technical faults -- or even primarily traceable to the technology. They are based on choices and decisions by people who, too often, are thinking about whether they can do something rather than whether it is proper to do those things, and evaluating the consequences.

We can definitely do better.

  [Thanks, Spaf.
  Having known you for so long, this is very helpful. Please note:
    Ethics, Liability, and Responsibility (Gene Spafford), RISKS-5.60 18 Nov 87
  * Also, two of Terry Bynum's meetings that we both attended were
    NSF Ethics Panel, 1 Nov 1989 at SRI WashDC, and
    The National Conference on Computing and Values, 12-16 Aug 1991 New Haven.
  PGN]

------------------------------

Date: Mon, 19 Dec 2022 06:18:51 +0000
From: Parnas, David <par...@mcmaster.ca>
Subject: Re: Pretty Smart AI (RISKS-33.58)

> A more interesting question is, ``What would Joe Weizenbaum think about
> ChatGPT?" I think he would be turning over in his grave seeing his
> lessons about Eliza forgotten.

An even more interesting question is, ``Would anyone trust that technology if the results mattered?'' Who?

------------------------------

Date: Tue, 20 Dec 2022 13:06:23 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: Re: Pretty Smart AI (RISKS-33.58)

> Q: What is the difference between lento and adagio?
> A: Lento is a tempo marking that indicates a slow and leisurely pace, while
>    adagio is a tempo marking that indicates a slower and more solemn pace.
> C: Correct.
> G: Lento -- slowly (40--45 BPM)
>    Largo -- Broadly (45--50 BPM)
>    Adagio -- slow and stately (literally, at ease) (55--65 BPM)

Those answers appear inconsistent with one another. Google demonstrates that adagio is faster than either lento or largo, but GPT-3's response seems to claim that adagio is slower than lento. Maybe GPT-3 is going by the principle that "slow" is slower than "slower," but that's not how one reads it when the statements are adjacent to one another.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing
     on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.59
************************