RISKS-LIST: Risks-Forum Digest  Monday 15 January 2023  Volume 33 : Issue 60

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.60>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
NASA just brought a spacecraft 23 billion kilometres away to LIFE and the
  results are Astonishing (ViralOnce)
Remote Vulnerabilities in Automobiles (Bruce Schneier)
Linux Malware Uses 30 Plugin Exploits to Backdoor WordPress Sites (Bill Toulas)
Cops Hacked Thousands of Phones. Was It Legal? (WiReD)
The next time scammers call your grandparents asking for money, it will be
  with your voice. (MPost)
Ransomware group LockBit apologizes saying 'partner' was behind SickKids
  attack (CBC-CA)
Matt Levine on Ransomware compliance (Joe Loughry)
Programming Languages: Why This Old Favorite Is on the Rise Again (Liam Tung)
3rd-party Twitter apps stop working without warning, leaks indicate Twitter
  did this intentionally (Engadget)
How ChatGPT Hijacks Democracy (*The New York Times*)
ChatGPT-Written Malware (Bruce Schneier)
Microsoft to challenge Google by integrating ChatGPT with Bing Search
  (The Verge)
A New Area of AI Booms, Even Amid the Tech Gloom (NYTimes)
Re: Pretty Smart AI (Jurek Kirakowski)
State of the cybersecurity art (NCSC UK via Gary Hinson)
Artist Banned from reddit/Art Because Mods Thought They Used AI (Vice)
Re: Calculations on Maryland college savings plans lead to account freeze
  (Martin Ward)
Southwest airline disruption (Martin Ward)
Amazing Southwest story... (Paul Saffo)
The oven won't talk to the fridge: 'smart' homes struggle (techxplore.com)
Colorado ski town emergency dispatch centers fielding dozens of automated
  911 calls from skier iPhones (Jason Blevins via Paul Saffo)
Re: As Tesla stock tanks, videos of Teslas malfunctioning in below-freezing
  temps go viral (John Levine)
Re: Cats disrupt satellite Internet service (Henry Baker)
Re: I bought a $15 router at Goodwill, and found a millionaire's dirty
  secrets (Steve Bacher)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 9 Jan 2023 01:44:56 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: NASA just brought a spacecraft 23 billion kilometres away to LIFE
  and the results are Astonishing (ViralOnce)

Controllers assessing the probe's sent data have now declared that Voyager 1
is once again delivering accurate telemetry data to Earth.

From the very beginning, it was clear that the problem was connected to the
mechanism responsible for ensuring that the probe's antenna was always
pointed towards Earth. If the antenna were to flip, we would lose
communication with the spaceship (and the history of space exploration knows
too many such cases).

The engineers discovered that this antenna control system had resumed
transmitting telemetry data via an on-board computer that had been
decommissioned for many years. This computer was responsible for distorting
the data, which ultimately arrived on Earth as a succession of nonsensical
facts. Once this was determined, the engineers issued a command to the probe
instructing it to send the data via the appropriate computer. As he withdrew
his hand, the issue disappeared.

Obviously, it takes time to determine if the cure was effective. In fact,
Voyager 1 is already almost 23 billion kilometers from Earth, which implies
that the signal from Earth takes 22 hours to reach the probe. The signal
verifying the command's execution is also traveling towards the Earth.

After the probe's health was fully restored, the issue emerged as to how it
could suddenly begin using a long-forgotten computer. In the next weeks,
experts will examine all computer logs from the spacecraft's onboard systems
to determine the source of the misunderstanding.

https://viralonce.xyz/nasa-just-brought-a-spacecraft-23-billion-kilometres-away-to-life-and-the-results-are-astonishing/

The risks? Out-of-warranty equipment too remote for service calls,
decommissioned computers suddenly awakening. The good news, of course -- a
valuable lesson -- is system logs.

------------------------------

Date: Sun, 15 Jan 2023 15:55:00 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Remote Vulnerabilities in Automobiles (Bruce Schneier)

This group has found a ton of remote vulnerabilities in all sorts of
automobiles. It's enough to make you want to buy a car that is not
Internet-connected. Unfortunately, that seems to be impossible.

https://www.schneier.com/blog/archives/2023/01/remote-vulnerabilities-in-automobiles.html

DC Auto Show is this week -- it'll be interesting grilling executives and
boothsters about this.

------------------------------

Date: Wed, 4 Jan 2023 11:44:01 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Linux Malware Uses 30 Plugin Exploits to Backdoor WordPress Sites
  (Bill Toulas)

Bill Toulas, BleepingComputer, 30 Dec 2022,
via ACM TechNews; Wednesday, January 4, 2023

Antivirus vendor Dr. Web disclosed a new Linux malware that exploits 30 flaws
in multiple outdated WordPress plugins and themes to inject malicious
JavaScript and give attackers remote command capabilities. The vendor said
the trojan targets 32-bit and 64-bit Linux systems; it is mainly designed to
penetrate WordPress websites via a series of hardcoded exploits that run
successively until one breaks through. If the sites run outdated or
vulnerable plugins, the malware automatically injects malicious JavaScript
from its command-and-control server.
The exploit is most effective on abandoned sites, because infected pages can
redirect visitors to a location of the hacker's choosing. Dr. Web advised
WordPress website admins to update to the latest available version of the
themes and plugins running on the site, and to replace those that are no
longer developed with alternatives now being supported.

------------------------------

Date: Thu, 5 Jan 2023 16:03:16 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Cops Hacked Thousands of Phones. Was It Legal? (WiReD)

When police infiltrated the EncroChat phone system in 2020, they hit an
intelligence gold mine. But subsequent legal challenges have spread across
Europe.

https://www.wired.com/story/encrochat-phone-police-hacking-encryption-drugs

------------------------------

Date: Mon, 9 Jan 2023 10:47:43 -0500
From: Steve Klein <ste...@klein.us>
Subject: The next time scammers call your grandparents asking for money, it
  will be with your voice. (MPost)

Summary: VALL-E is a transformer-based TTS model that can generate speech in
any voice after hearing only a three-second sample of that voice.

This could routinely enable participation in hearings & trials; bad actors
might replace an unfriendly witness with a live deepfake of that same person,
testifying against the interest of the person being faked.
  [Garbled e-mail PGN-ed]

Link:
https://mpost.io/vall-e-microsofts-new-zero-shot-text-to-speech-model-can-duplicate-everyones-voice-in-three-seconds/

It might be trite, but never more apt, to say ``The risks are obvious.''

------------------------------

Date: Mon, 2 Jan 2023 22:25:45 -0700
From: Matthew Kruk <mkr...@gmail.com>
Subject: Ransomware group LockBit apologizes saying 'partner' was behind
  SickKids attack (CBC-CA)

A global ransomware operator has issued a rare apology after it claims one of
its "partners" was behind a cyberattack on Canada's largest pediatric medical
centre.

LockBit, a ransomware group the U.S. Federal Bureau of Investigation has
called one of the most active and destructive in the world, posted a brief
statement on what cybersecurity experts say is its data leak site claiming it
has blocked its partner responsible for the attack on Toronto's Hospital for
Sick Children and offering the code to restore the system.

https://www.cbc.ca/news/canada/toronto/ransomware-group-sickkids-cybersecurity-update-1.6701688

------------------------------

Date: Fri, 6 Jan 2023 14:04:20 -0700
From: Joe Loughry <joe.loug...@gmail.com>
Subject: Matt Levine on Ransomware compliance

In Matt Levine's "Money Stuff" newsletter, 5 January 2023, he wrote about
cybercriminals' need to balance aggressiveness and risk:

  Ransomware compliance

  I continue to be fascinated by the role of chief compliance officer at a
  ransomware company. In general, the chief compliance officer at any company
  has a dial in front of her that she can turn to get More Crime or Less
  Crime, and at a normal company -- a bank, for instance -- her job consists
  of (1) turning it most of the way toward Less Crime, but (2) not all the
  way, and (3) acting very contrite when politicians and regulators yell at
  her about the residual crime. ``We have a zero-tolerance policy for
  crime,'' she will say, and almost mean. But the chief compliance officer at
  a ransomware company -- I assume that this is not an actual job, but rather
  one of many hats worn by some senior executive at the ransomware company,
  though what do I know -- will turn the dial most of the way toward More
  Crime, since after all a ransomware company's whole business is crime, but,
  again, not all the way. Sometimes she will say no to crime, or at least act
  very contrite after doing crime. She will have, like, a 98% tolerance
  policy for crime.

  We have talked about this before, and one category of crime that a
  ransomware compliance officer might reject is ``hacks that are so big and
  disastrous that they could call down the wrath of the US government and
  shut down the whole business.'' But another category of off-limits crime
  appears to be ``hacks that are so morally reprehensible that they will lead
  to other criminals boycotting your business.'' Here is a wild story about a
  ransomware attack on Toronto's Hospital for Sick Children, which is really
  the sort of name that ought to make you immune from hacking:

    A global ransomware operator issued an apology and offered to unlock the
    data targeted in a ransomware attack on Toronto's Hospital for Sick
    Children, a move cybersecurity experts say is rare, if not unprecedented,
    for the infamous group.

    LockBit, a ransomware group the U.S. Federal Bureau of Investigation has
    called one of the world's most active and destructive, issued the brief
    apology on Dec. 31 to what cybersecurity experts say is the dark web page
    where it posts about its ransoms and data leaks.

    In the statement, reviewed directly by The Canadian Press, LockBit
    claimed to have blocked the partner responsible for the attack and
    offered SickKids a free decryptor to unlock its data.

    LockBit's apology, meanwhile, appears to be a way of managing its image,
    said [cybersecurity researcher Chester] Wisniewski.

    The group is competing with other high-profile malware operators who are
    also trying to court hackers to use their system to carry out lucrative
    cyberattacks, he said. Hackers appear to move between the operators
    frequently.

    He suggested the move could be directed at those partners who might see
    the attack on a children's hospital as a step too far.

    ``My instinct would be this is more aimed at criminal affiliates
    themselves trying to not disgust them into switching into a different
    ransom group,'' said Wisniewski.

  The way the ransomware business is organized seems to be that there are a
  couple of, like, malware-as-a-service providers like LockBit and DarkSide
  that provide software and expertise to independent hacker customers who
  pick the targets and do the hacks; the providers and the hackers split the
  ransoms. If you are one of the providers, you have to choose your hacker
  partners carefully so that they do the right amount of crime: You don't
  want incompetent or unambitious hackers who can't make any money, but you
  also don't want overly ambitious hackers who hack, you know, the US
  Department of Defense, or the Hospital for Sick Children. Meanwhile you
  also have to market yourself to hacker partners so that they choose your
  services, which again requires that you have a reputation for being good
  and bold at crime, but not too bold. Your hacker partners want to do crime,
  but they have their limits, and if you get a reputation for murdering sick
  children that will cost you some criminal business.

------------------------------

Date: Fri, 6 Jan 2023 11:36:47 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Programming Languages: Why This Old Favorite Is on the Rise Again
  (Liam Tung)

Liam Tung, ZDNet, 6 Jan 2023, via ACM Tech News, 6 Jan 2023

Software-testing firm Tiobe has selected C++ as its programming language of
2022. Reported Tiobe use rose faster than all other languages last year, up
by 4.26% compared with January 2022, yet in this year's first monthly index,
it was ranked at No. 3. C++ rose in popularity faster than other languages
last year, a result of "its excellent performance while being a high-level
object-oriented language," according to Tiobe CEO Paul Jensen. Added Jensen,
"Because of this, it is possible to develop fast and vast software systems
(over millions of lines of code) in C++ without necessarily ending up in a
maintenance nightmare."
------------------------------

Date: Sun, 15 Jan 2023 15:03:47 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: 3rd-party Twitter apps stop working without warning, leaks indicate
  Twitter did this intentionally (Engadget)

3rd party Twitter apps stop working without warning, leaks indicate Twitter
did this intentionally

https://www.engadget.com/twitter-may-have-deliberately-cut-off-tweetbot-and-other-third-party-clients-165048001.html?src=rss

  [PGN-ed excerpt: Earlier LW item: In desperate attempt to increase Twitter
  revenue, Elon moves to expand political and cause-based ads (without taking
  his promised poll before such a change). (5 Jan 2023)]

------------------------------

Date: Sun, 15 Jan 2023 12:55:53 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: How ChatGPT Hijacks Democracy (*The New York Times*)

Launched just weeks ago, ChatGPT is already threatening to upend how we draft
everyday communications like emails, college essays and myriad other forms of
writing. Created by the company OpenAI, ChatGPT is a chatbot that can
automatically respond to written prompts in a manner that is sometimes eerily
close to human.

But for all the consternation over the potential for humans to be replaced by
machines in formats like poetry and sitcom scripts, a far greater threat
looms: artificial intelligence replacing humans in the democratic processes
-- not through voting, but through lobbying.

https://www.nytimes.com/2023/01/15/opinion/ai-chatgpt-lobbying-democracy.html

------------------------------

Date: Sun, 15 Jan 2023 14:29:07 PST
From: Bruce Schneier <schne...@schneier.com>
Subject: ChatGPT-Written Malware (Bruce Schneier)

PGN-excerpted From Bruce Schneier's CRYPTO-GRAM, 15 Jan 2023
[https://www.schneier.com/blog/archives/2023/01/chatgpt-written-malware.html]

I don't know how much of a thing this will end up being, but we are seeing
ChatGPT-written malware in the wild,
[https://arstechnica.com/information-technology/2023/01/chatgpt-is-enabling-script-kiddies-to-write-functional-malware/]

  ...within a few weeks of ChatGPT going live, participants in cybercrime
  forums -- some with little or no coding experience -- were using it to
  write software and emails that could be used for espionage, ransomware,
  malicious spam, and other malicious tasks.

  ``It's still too early to decide whether or not ChatGPT capabilities will
  become the new favorite tool for participants in the Dark Web company.
  However, the cybercriminal community has already shown significant interest
  and are jumping into this latest trend to generate malicious code.''

  Last month one forum participant posted what they claimed was the first
  script they had written, and credited the AI chatbot with providing a nice
  [helping] hand to finish the script with a nice scope.

  The Python code combined various cryptographic functions including code
  signing encryption and decryption. One part of the script generated a key
  using elliptic curve cryptography and the curve ed25519 for signing files.
  Another part used a hard-coded password to encrypt system files using the
  Blowfish and Twofish algorithms. A third used RSA keys and digital
  signatures message signing and the blake2 hash function to compare various
  files.

------------------------------

Date: Thu, 5 Jan 2023 15:57:51 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Microsoft to challenge Google by integrating ChatGPT with Bing Search
  (The Verge)

ChatGPT made conversational AI accessible, now Microsoft is rumored to be
integrating the machine learning techniques behind it into Bing search
queries.

Even OpenAI CEO Sam Altman has cautioned that "it's a mistake to be relying
on [ChatGPT] for anything important right now." Exactly how Microsoft plans
to integrate ChatGPT into Bing will be important, and it's likely the company
will start with beta tests and a limited amount of integration before it's
ready for all Bing users to take advantage of.

https://www.theverge.com/2023/1/4/23538552/microsoft-bing-chatgpt-search-google-competition

------------------------------

Date: Sat, 7 Jan 2023 23:14:28 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: A New Area of AI Booms, Even Amid the Tech Gloom (NYTimes)

An investment frenzy over *generative artificial intelligence* in response to
short prompts seizes the imagination.

Five weeks ago, OpenAI, a San Francisco artificial intelligence lab, released
ChatGPT, a chatbot that answers questions in clear, concise prose. The
AI-powered tool immediately caused a sensation, with more than a million
people using it to create everything from poetry to high school term papers
to rewrites of Queen songs. Now OpenAI is in the midst of a new gold rush.
[...]

More than 450 start-ups are now working on generative AI, by one venture
capital firm's count. And the frenzy has been compounded by investor
eagerness to find the next big thing in a gloomy environment.

https://www.nytimes.com/2023/01/07/technology/generative-ai-chatgpt-investments.html

------------------------------

Date: Wed, 4 Jan 2023 14:36:19 +0000
From: Jurek Kirakowski <j...@uxp.ie>
Subject: Re: Pretty Smart AI (Bacher, RISKS-33.58)

> Those answers appear inconsistent with one another. Google demonstrates
> that adagio is faster than either lento or largo, but GPT-3's response
> seems to claim that adagio is slower than lento. Maybe GPT-3 is going by
> the principle that "slow" is slower than "slower," but that's not how one
> reads it when the statements are adjacent to one another.

This discussion is terribly wrong. 'Lento', 'Largo' and 'Adagio' are
descriptions not only of the pulse of the music *as notated* but also the
mood: each word conjures up a different kind of sense in the mind of the
experienced musician of how the piece is to be performed. And what would
Google make of 'Andante Cantabile' or 'Largo Sostenuto'? As Prof Newman
would explain to his first-year music students at Edinburgh University :)

Yes, regrettable that these subtle descriptive terms are reduced to metronome
markings -- but in a way characteristic of how technology can eliminate the
subjective human dimension.

  [Beware of Artificial Oversimplification. The real stuff is bad enough.
  PGN]

------------------------------

Date: Wed, 4 Jan 2023 15:31:59 +1300
From: Gary Hinson <g...@isect.com>
Subject: State of the cybersecurity art

https://www.ncsc.gov.uk/blog-post/so-long-thanks-for-all-the-bits

"So long and thanks for all the bits" is a lengthy, well-written parting blog
by Ian Levy, [former] Technical Director of the UK's National Cyber Security
Centre, lamenting the sorry state of cybersecurity while holding out some
hope of progress through approaches currently being used and developed.

------------------------------

Date: Sat, 7 Jan 2023 03:31:42 -0700
From: Jim Reisert AD1C <jjreis...@alum.mit.edu>
Subject: Artist Banned from reddit/Art Because Mods Thought They Used AI (Vice)

Moderators for the 22 million member forum banned someone for making an
illustration that too closely resembled AI-generated art.

https://www.vice.com/en/article/y3p9yg/artist-banned-from-art-reddit

------------------------------

Date: Tue, 3 Jan 2023 14:55:26 +0000
From: Martin Ward <mar...@gkc.org.uk>
Subject: Re: Calculations on Maryland college savings plans lead to account
  freeze (RISKS-33.59)

> The calculations of account values seem to have been incorrect, and
> the state is having a hard time figuring out the correct values.
> The calculations for value must be pretty complex

Writing provably correct code for a complex financial calculation is one of
the simpler tasks for an expert in formal methods. But it seems likely that
the programmers of the Maryland state college savings plan are not familiar
with formal methods, or indeed, with mathematics in general, given that they
are having a hard time figuring out the correct values.

------------------------------

Date: Tue, 3 Jan 2023 14:54:17 +0000
From: Martin Ward <mar...@gkc.org.uk>
Subject: Southwest airline disruption (Re: RISKS-33.59)

The most chilling line from this article:

> ``The tools we use to recover from disruption serve us well, 99
> percent of the time,''

You are an *airline*!
Working 99% of the time is not good enough! I would not like to fly in an
airplane that reaches its destination in one piece only 99% of the time.

------------------------------

Date: Tue, 27 Dec 2022 18:22:22 -0800
From: "Paul Saffo" <p...@saffo.com>
Subject: Amazing Southwest story...

Might be risks-worthy, tho I expect others will have better sourcing for the
same issue. Anyway, this from a friend on FB. (I have no idea how many times
it has been indirected, so take with a grain of salt!) -p

This remarkable tale from a Southwest pilot:

  ``My friend's husband is a pilot with Southwest. He just posted this an
  hour ago. I'm not including his name or the photos he shared of packed SWA
  employee rooms at the airports over the past couple of days (in case his
  post comes back to bite him with the company -- even though he's stating
  facts). He also posted a screenshot of a fellow pilot on hold with SWA
  Scheduling for over 22 hours. Anyway, here's some insight for those
  wondering if this massive round of SWA cancellations is really all due to
  weather and staffing issues:

  ``I don't know what to say. Southwest Airlines has imploded. Their
  antiquated software system has completely fried. Planes are parked. Crews
  are stranded in the airports with the passengers, volunteering to take the
  passengers in the parked planes but the software won't accept it. Phone
  lines are overwhelmed for both passenger and crews. I personally spent over
  two hours trying to get hold of anyone in the company last night after
  midnight. A Captain and I did manage to get the one flight put together on
  Christmas night and got people home. Kudos to the ops agent and dispatcher
  for making it happen. We had to manually input a lot of the data and it
  took over an hour to coordinate with dispatch going back and forth running
  numbers. We spent hours trying to get the company to answer and get us a
  hotel when we landed as they're all sold out. We were put in a call queue
  for hours before hanging up. I found one hotel with 4 rooms and we bought
  our own rooms at 2:30am. I even paid for a Flight Attendants room.

  We literally have crews sleeping on the airport floors all over the country
  with nowhere to go. Crews have been calling to fly anyone, anywhere, but
  the company says the system needs a reset. They have effectively shut down
  the operations for the rest of year, running 1/3 of the flights so that
  they can let the computer find and locate the crews and aircraft. Gate
  agents are in tears. They've been yelled at, cussed at, slapped and spit
  on. Flight attendants have been taking a beating. The frontline employees
  have had little support or communication. Terminals are standing room only
  with people having been there for days. Pilot lounges are packed with
  pilots ready to fly and nowhere to go. Embarrassing is an understatement.

  I'm going on my second of three days off, still stuck on the east coast and
  still expected to show up in the morning with no schedule. And I'm willing
  to fly all day if needed. Because that's nothing compared to the passengers
  needing meds in bags that are lost and mothers traveling with kids, having
  been stuck for the same amount of days in the terminal. In 24 years, I've
  never seen anything like this. Heads need to roll!

  Rumors on media are floating that there is a lack of crews and pilots are
  staging sick calls. Absolutely not true at all. This is a computer system
  meltdown. Thousands of crew members are sitting in hotels and airports with
  nowhere to go. This airline has failed miserably.

------------------------------

Date: Sun, 08 Jan 2023 02:39:57 +0000
From: Richard Marlon Stein <rmst...@protonmail.com>
Subject: The oven won't talk to the fridge: 'smart' homes struggle
  (techxplore.com)

https://techxplore.com/news/2023-01-oven-wont-fridge-smart-homes.html

The Matter protocol apparently solves the long-standing interoperability
issue preventing seamless home-appliance device integration through WiFi.

I wonder if this protocol will be deployed among hospital refrigerators that
store blood, plasma, vaccines, and other temperature sensitive health
products?

IoT device exploit perimeter expansion.

------------------------------

Date: Tue, 27 Dec 2022 20:28:31 -0800
From: Paul Saffo <p...@saffo.com>
Subject: Colorado ski town emergency dispatch centers fielding dozens of
  automated 911 calls from skier iPhones (Jason Blevins in The Colorado Sun)

And another:

https://www.skyhinews.com/news/colorado-ski-town-emergency-dispatch-centers-fielding-dozens-of-automated-911-calls-from-skier-iphones/

------------------------------

Date: 2 Jan 2023 21:52:06 -0500
From: "John Levine" <jo...@iecc.com>
Subject: Re: As Tesla stock tanks, videos of Teslas malfunctioning in
  below-freezing temps go viral (RISKS-33.59)

Someone once commented that we are lucky that the car industry grew up in
Detroit. If it were in Miami, cars would fail whenever it freezes. If it were
in Los Angeles they'd fail whenever it rains.

------------------------------

Date: Tue, 03 Jan 2023 20:23:05 +0000
From: Henry Baker <hbak...@pipeline.com>
Subject: Re: Cats disrupt satellite Internet service (RISKS-33.59)

Apparently, some personnel assigned to the 'DEW Line' in Alaska & other
arctic locations sometimes kept warm by standing in front of the radar
transmitters.

https://en.wikipedia.org/wiki/Distant_Early_Warning_Line

While this activity can result in *cooking* one's insides and producing eye
cataracts, it did eventually lead to the invention of *microwave ovens*.

Google "Hazard of Electromagnetic Radiation to Personnel", i.e., "HERP"

The Starlink uplink frequencies (14GHz) are higher than those used in
microwave ovens (2.4GHz), but the Starlink does require a 100-watt power
supply -- and a significant fraction of this power ends up being converted
into microwave energy.

I'd be worried about cute cats with not-so-cute eye cataracts.

I've heard of 'cats on a hot tin roof', but ...

------------------------------

Date: Thu, 5 Jan 2023 09:28:54 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: Re: I bought a $15 router at Goodwill, and found a millionaire's
  dirty secrets (RISKS 33.59)

I found it hard to believe that the headline would refer to a backup device
as a router, but Wikipedia says it's true:

https://en.wikipedia.org/wiki/AirPort_Time_Capsule

  "The *AirPort Time Capsule* (originally named *Time Capsule*) is a wireless
  router <https://en.wikipedia.org/wiki/Wireless_router> which was sold by
  Apple Inc. <https://en.wikipedia.org/wiki/Apple_Inc.>, featuring
  network-attached storage
  <https://en.wikipedia.org/wiki/Network-attached_storage> (NAS) and a
  residential gateway router
  <https://en.wikipedia.org/wiki/Residential_gateway>, and is one of Apple's
  AirPort <https://en.wikipedia.org/wiki/AirPort> products. They are,
  essentially, versions of the AirPort Extreme
  <https://en.wikipedia.org/wiki/AirPort_Extreme> with an internal hard drive
  <https://en.wikipedia.org/wiki/Hard_drive>. Apple describes it as a "Backup
  Appliance", designed to work in tandem with the Time Machine
  <https://en.wikipedia.org/wiki/Time_Machine_(macOS)> backup software
  utility introduced in MacOS 10.5
  <https://en.wikipedia.org/wiki/Mac_OS_X_10.5>."

Seems there is an inherent privacy risk in having a device function as both a
network router and a local backup drive.

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also,  ftp://ftp.sri.com/risks for the current volume/previous directories
     or  ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.60
************************