RISKS-LIST: Risks-Forum Digest  Tuesday 14 March 2023  Volume 33 : Issue 64

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/33.64>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Why I'm sticking up for science (Richard Dawkins)
What Can We Do to Make Sure the FAA and Southwest Airlines Fiascos Never
  Happen Again? (Scientific American)
FAA reports 'close call' between two planes at Logan Airport (Boston Globe)
Pilot Error Caused an F-35C Crash in the South China Sea in 2022
  (Popular Mechanics)
How many satellites can we fit into space before it gets too much?
  (Jonathan McDowell)
The Gare de Lyon Disaster (via Steve Bacher)
North American rail operations (Peter Bernard Ladkin)
Controller-level flaws can let hackers physically damage moving bridges
  (Waqas)
Safety Advocates Say Hyundai, Kia's Anti-Theft Upgrade Doesn't Go Far
  Enough (NBC Chicago)
A 120-year-old company is leaving Tesla in the dust (Ezra Dyer)
Ford files patent for system that could remotely repossess a car (ArsTech)
Apple Now Offering Depth and Water Seal Tests for Apple Watch Ultra
  (MacRumors)
Apple Blocks Update of ChatGPT-Powered App, as Concerns Grow Over AI's
  Potential Harm (WSJ)
How the Biggest Fraud in German History Unraveled (The New Yorker)
U.S. Marshals Service target of 'major' cyber-attack (BBC)
Indigo won't pay ransom for stolen employee data (CBC)
LastPass Says DevOps Engineer Home Computer Hacked (SecurityWeek)
U.S. Air Force Giving Military Drones the Ability to Recognize Faces
  (David Hambling)
Researchers Find New Bug 'Class' in Apple Devices (Alex Scroxton)
At Least One Open-Source Vulnerability Found in 84% of Code Bases
  (Apurva Venkat)
The Satellite Hack Everyone Is Finally Talking About (Bloomberg)
Inside the Lab Growing Mushroom Computers (Charlotte Hu)
Fact check: A deepfake video falsely depicted Elizabeth Warren speaking
  about Republicans (The Boston Globe)
Voice Deepfakes Of Everyone From Joe Rogan To Joe Biden Are Taking Over
  Social Media (Buzzfeed)
How to make a bad situation worse: Developers Created AI to Generate Police
  Sketches. Experts Are Horrified (Vice)
How I Broke Into a Bank Account With an AI-Generated Voice (vice.com)
AI chatbots may have a liability problem (WashPost)
Large Language Models Are Biased. Can Logic Help Save Them? (Rachel Gordon)
Quantum Computers That Use 'Cat Qubits' May Make Fewer Errors
  (Karmela Padavic-Callaghan)
The privacy loophole in your doorbell (Politico)
iPhone thieves use social engineering to obtain passcode (Barrons)
The Era of Faked CCTV Has Truly Arrived (WiReD)
AI-powered watermark removal poses uncomfortable implications for content
  use (Jeremy Gray -- Digital Photography Review)
ChatGPT Could Destroy Reality, According to Henry Kissinger
  (Mack DeGeurin -- Gizmodo)
Re: Microsoft Researchers Use ChatGPT to Control Robots, Drones
  (Gavin Scott, Goldy)
Re: Power-Grid Attacks Surge and Are Likely to Continue, Study Finds
  (Steve Bacher)
Re: Put Electrical Transmission Lines Underground? Distributed is a NIMBY
  fantasy (John Levine)
Re: rm -rf (Charles Cazabon, Jose Maria Mateos)
Re: SMS-Based Multi-Factor Authentication: What Could Go Wrong?
  (John Levine, Jay Lobove Alzina, Bernie Cosell)
Re: Congress must act to keep kids off social media (Barry Gold)
Re: Google Issues article from 14 years ago, still relevant today
  (Barry Gold)
Re: AI is starting to pick who gets laid off (Steve Bacher)
Re: Cox Cable phone follies (Wol)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 2 Mar 2023 06:54:46 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: Why I'm sticking up for science (Richard Dawkins)

I'm in New Zealand, climax to my antipodean speaking tour, where I walked headlong into a raging controversy. Jacinda Ardern's government implemented a ludicrous policy, spawned by Chris Hipkins's Ministry of Education before he became prime minister. Science classes are to be taught that Māori `Ways of Knowing' (Mātauranga Māori) have equal standing with `western' science.

Not surprisingly, this adolescent virtue-signaling horrified New Zealand's grown-up scientists and scholars. Seven of them wrote to the *Listener* magazine. Three who were fellows of the NZ Royal Society were threatened with an inquisitorial investigation. Two of these, including the distinguished medical scientist Garth Cooper, himself of Māori descent, resigned (the third unfortunately died). I was delighted to meet Professor Cooper for lunch, with others of the seven. His resignation letter cited the society's failure to support science against its denigration as `a western European invention'. He was affronted, too, by a complaint (not endorsed by the NZRS) that `to insist Māori children learn to read is an act of colonisation'. Is there an implication here -- condescending, if not downright racist -- that `indigenous' children need separate, special treatment?

Perhaps the most disagreeable aspect of this sorry affair is the climate of fear. We who don't have a career to lose should speak out in defence of those who do.
The magnificent seven are branded heretics by a nastily zealous new religion, a witch-hunt that recalls the false accusations against J.K. Rowling and Kathleen Stock.

Professor Kendall Clements was removed from teaching evolution at the University of Auckland, after the School of Biological Sciences Putaiao Committee submitted the following recommendation: ``We do not feel that either Kendall or Garth should be put in front of students as teachers. This is not safe for students.''

Not *safe*? Who are these cringing little wimps whose `safety' requires protection against free speech? What on earth do they think a university is for?

To grasp government intentions requires a little work, because every third word of the relevant documents is in Māori. Since only 2 per cent of New Zealanders (and only 5 per cent of Māoris) speak that language, this again looks like self-righteous virtue-signaling, bending a knee to that modish version of Original Sin which is white guilt.

Mātauranga Māori includes valuable tips on edible fungi, star navigation and species conservation (pity the moas were all eaten). Unfortunately it is deeply invested in vitalism. New Zealand children will be taught the true wonder of DNA, while being simultaneously confused by the doctrine that all life throbs with a vital force conferred by the Earth Mother and the Sky Father. Origin myths are haunting and poetic, but they belong elsewhere in the curriculum.

The very phrase `western' science buys into the `relativist' notion that evolution and big-bang cosmology are just the origin myth of white western men, a narrative whose hegemony over `indigenous' alternatives stems from nothing better than political power. This is pernicious nonsense. Science belongs to all humanity. It is humanity's proud best shot at discovering the truth about the real world. [...]
https://www.removepaywall.com/https:/www.spectator.co.uk/article/why-im-sticking-up-for-science

------------------------------

Date: Fri, 03 Mar 2023 13:39:17 +0000
From: Richard Marlon Stein <rmst...@protonmail.com>
Subject: What Can We Do to Make Sure the FAA and Southwest Airlines Fiascos Never Happen Again? (Scientific American)

https://www.scientificamerican.com/article/what-can-we-do-to-make-sure-the-faa-and-southwest-airlines-fiascos-never-happen-again/

Congress and the airline industry must reassess how they approach and fund air-transportation modernization.

------------------------------

Date: Wed, 1 Mar 2023 12:32:01 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: FAA reports 'close call' between two planes at Logan Airport (The Boston Globe)

https://www.boston.com/news/local-news/2023/02/28/logan-airport-close-call-jet-blue-learjet/

------------------------------

Date: Thu, 2 Mar 2023 17:50:36 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Pilot Error Caused an F-35C Crash in the South China Sea in 2022

An F-35 Pilot Attempted a Maneuver, Ending in a Fiery Crash
https://www.popularmechanics.com/military/aviation/a43045858/pilot-error-crashed-f-35c-strike-fighter/

------------------------------

Date: Mon, 27 Feb 2023 14:39:07 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: How many satellites can we fit into space before it gets too much?

*"It's going to be like an interstate highway in a rush hour in a snowstorm with everyone driving much too fast."*

Just 10 years ago, a mere thousand or so operational satellites may have orbited our planet, but there will be tens or even hundreds of thousands a decade from now. Experts have been sounding alarm bells for years that Earth orbit is getting a bit too crowded. So how many satellites can we actually launch to space before it gets to be too much?
Jonathan McDowell is an astrophysicist and astronomer at the Harvard-Smithsonian Center for Astrophysics who studies super-energetic phenomena in the *universe* <https://www.space.com/52-the-expanding-universe-from-the-big-bang-to-today.html> such as jet-emitting *black holes* <https://www.space.com/15421-black-holes-facts-formation-discovery-sdcmp.html> in galactic centers. In recent years, however, McDowell has gained prominence for his work in a completely different field of space research. In his monthly digital circular called *Jonathan's Space Report* <https://www.planet4589.org/space/jsr/jsr.html>, McDowell tracks the growing number of satellite launches and the ballooning number of objects in Earth orbit. The project started with an ambition to "provide a pedantic historical record of the space age," but has, in a way, become a chronicle of the environmental destruction of the near Earth environment.

In his frequent media appearances, McDowell has been vocal about his views on the future of the increasingly overcrowded near-Earth space.

"It's going to be like an interstate highway, at rush hour in a snowstorm with everyone driving much too fast," he told Space.com when asked what the situation in orbit will be like if existing plans for satellite megaconstellations such as *SpaceX* <https://www.space.com/18853-spacex.html>'s *Starlink* <https://www.space.com/spacex-starlink-satellites.html>, *OneWeb* <https://www.space.com/spacex-oneweb-satellite-internet-constellation-coexistence> and *Amazon Kuiper* <https://www.space.com/fcc-approves-amazon-constellation-kuiper> come to fruition. "Except that there are multiple interstate highways crossing each other with no stoplights."

*Maneuvers, maneuvers*

The first signs that things are getting a little too tense are, in fact, already present. McDowell's British colleague Hugh Lewis is another frequently heard voice of caution, tempering the confidence of entrepreneurs caught in the new space gold rush.
A professor of astronautics at the University of Southampton in England, Lewis has been for a few years now publishing regular updates on his Twitter page detailing the increase in so-called conjunction events, situations when two objects in space -- functioning satellites or pieces of space debris -- get dangerously close to each other. Some of his graphs are a sobering read. [...]

https://www.space.com/how-many-satellites-fit-safely-earth-orbit

------------------------------

Date: Sat, 25 Feb 2023 22:05:35 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: The Gare de Lyon Disaster (video)

The Gare de Lyon Disaster | A Short Documentary | Fascinating Horror
``On the 27th of June, 1988, a busy commuter train was bound for Paris's Gare de Lyon station...''
https://www.youtube.com/watch?v=vV78GF2PkOw

Old news, perhaps, but a classic instance of cumulative risks in a system.

  [Another classic example previously noted here is the Deepwater Horizon fiasco. RISKS-29.49, 29.75, 29.80, 29.83, 29.92, 30.29. PGN]

------------------------------

Date: Sun, 26 Feb 2023 10:39:57 +0100
From: Peter Bernard Ladkin <lad...@causalis.com>
Subject: North American rail operations

The sociologists Lee Clarke and the late Charles Perrow have been warning for decades about North American rail operations and the potential for hazmat accidents in city centres in the US. See Lee Clarke, Worst Cases, U. Chicago Press, 2006 and Charles Perrow, The Next Catastrophe, Princeton U. Press, 2007.

------------------------------

Date: Mon, 27 Feb 2023 16:19:17 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Controller-level flaws can let hackers physically damage moving bridges (Waqas)

Sophisticated hackers can now breach vulnerable networks and devices at the controller level of critical infrastructure, causing physical damage to crucial assets.
https://www.hackread.com/hackers-physically-damage-moving-bridges/

------------------------------

Date: Sat, 25 Feb 2023 20:38:47 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Safety Advocates Say Hyundai, Kia's Anti-Theft Upgrade Doesn't Go Far Enough (NBC Chicago)

https://www.nbcchicago.com/consumer/safety-advocates-say-hyundai-kias-anti-theft-upgrade-doesnt-go-far-enough/3078577/

------------------------------

Date: Tue, 7 Mar 2023 9:56:07 PST
From: Peter G Neumann <neum...@csl.sri.com>
Subject: A 120-year-old company is leaving Tesla in the dust (Ezra Dyer)

Ezra Dyer, *The New York Times*, Opinion, 7 Mar 2023

Ford is proving to be far more modern than Elon Musk's automaker.

------------------------------

Date: Thu, 2 Mar 2023 11:07:16 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Ford files patent for system that could remotely repossess a car (Ars Technica)

https://arstechnica.com/?p=1921281

  [Ooops! Can it be made trustworthy enough so that it is immune to hacking? PGN]

------------------------------

Date: Fri, 3 Mar 2023 21:01:19 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Apple Now Offering Depth and Water Seal Tests for Apple Watch Ultra (MacRumors)

https://www.macrumors.com/2023/03/02/apple-watch-ultra-depth-seal-tests/

  [Now it can call 911 from great depths as well as ski slopes? PGN]

------------------------------

Date: Thu, 2 Mar 2023 15:10:34 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Apple Blocks Update of ChatGPT-Powered App, as Concerns Grow Over AI's Potential Harm (WSJ)

https://www.wsj.com/articles/apple-blocks-update-of-chatgpt-powered-app-as-concerns-grow-over-ais-potential-harm-c4ca9372

------------------------------

Date: Tue, 28 Feb 2023 10:34:41 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: How the Biggest Fraud in German History Unraveled (The New Yorker)

The tech company Wirecard was embraced by the German elite.
But a reporter discovered that behind the facade of innovation were lies and links to Russian intelligence.

https://www.newyorker.com/magazine/2023/03/06/how-the-biggest-fraud-in-german-history-unravelled

------------------------------

From: Matthew Kruk <mkr...@gmail.com>
Date: Tue, 28 Feb 2023 07:29:30 -0700
Subject: U.S. Marshals Service target of 'major' cyber-attack (BBC)

https://www.bbc.com/news/world-us-canada-64767181

The agency responsible for pursuing fugitives and handling federal prisons in the US has been hit by a ransomware attack.

Officials at the U.S. Marshals Service (USMS) said on Monday that the breach compromised sensitive law enforcement information.

The attack was described as a "major incident" that only targeted the USMS.

The U.S. Department of Justice is investigating the breach, an agency spokesperson said.

The ransomware attack was discovered on 17 February, the USMS said.

------------------------------

From: Matthew Kruk <mkr...@gmail.com>
Date: Wed, 1 Mar 2023 20:54:12 -0700
Subject: Indigo won't pay ransom for stolen employee data (CBC)

https://www.cbc.ca/news/business/indigo-wont-pay-ransom-1.6764785

Canada's largest bookstore chain says it won't pay ransom to the online group claiming responsibility for the cyberattack that stole at least some personal data of current and former employees of Indigo Books & Music, and which likely caused the recent downing of its website.

A recent post on the dark web claiming to be from people affiliated with the ransomware group LockBit says the data will be released Friday at 3:39 pm ET.

In a statement to CBC News, the company said while it has been informed that ``some or all of the data'' could become available, it does not believe it's appropriate to pay the ransom because it cannot guarantee the money would not ``end up in the hands of terrorists.''

The retailer has said that it does not believe customer data was stolen in this attack.
  [LATER ITEM: Ransomware group behind Indigo hack says it released stolen employee data, but nothing has appeared yet
  https://www.cbc.ca/news/business/ransomware-indigo-data-release-1.6766328 ]

------------------------------

Date: Mon, 27 Feb 2023 23:24:47 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: LastPass Says DevOps Engineer Home Computer Hacked (SecurityWeek)

Ryan Naraine, *Security Week*

LastPass DevOps engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud storage resources.

  [Victor Miller noted
  https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/
  PGN]

------------------------------

Date: Mon, 27 Feb 2023 11:38:28 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: U.S. Air Force Giving Military Drones the Ability to Recognize Faces (David Hambling)

David Hambling, New Scientist, 23 Feb 2023, via ACM TechNews, 27 Feb 2023

Under a contract between the U.S. Department of Defense and RealNetworks, the Seattle-based company's machine learning software will equip autonomous drones operated by the U.S. Air Force with facial recognition technology. The contract indicated special operations forces will use the drones for intelligence gathering and foreign missions. University of California, Berkeley's Stuart Russell expressed concern about the contract, which states the software will "open the opportunity for real-time autonomous response by the robot." Russell said it's "hard to see what else it refers to, other than lethal action." The U.S. government's policy on lethal autonomous weapons calls for "appropriate levels of human judgment," but the Pentagon has not clarified what that means exactly.
------------------------------

Date: Mon, 27 Feb 2023 11:38:28 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Researchers Find New Bug 'Class' in Apple Devices (Alex Scroxton)

Alex Scroxton, *Computer Weekly*, 22 Feb 2023, via ACM TechNews, 27 Feb 2023

Researchers at cybersecurity company Trellix say they have discovered a new class of privilege escalation vulnerability in Apple devices, rooted in Israeli spyware maker NSO Group's ForcedEntry exploit. ForcedEntry enabled NSO's government clients to monitor activists, journalists, and political adversaries; Trellix claims iOS and macOS contain bugs that circumvent the upgraded code-signing mitigations Apple deployed to counter the exploit. If uncorrected, the bugs could grant attackers access to sensitive information on target devices, including but not restricted to messages, location data, call history, and photos. Trellix's Austin Emmitt said the vulnerabilities involve the NSPredicate code-filtering tool, whose restrictions Apple fortified with the NSPredicateVisitor protocol.

------------------------------

Date: Mon, 27 Feb 2023 11:38:28 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: At Least One Open-Source Vulnerability Found in 84% of Code Bases (Apurva Venkat)

Apurva Venkat, *CSO Online*, 23 Feb 2023, via ACM TechNews, 27 Feb 2023

Researchers at application security company Synopsys found 84% of 1,481 analyzed commercial and proprietary code bases contained at least one known open-source vulnerability, while 48% contained high-risk vulnerabilities. The researchers observed a 4% increase in the number of known open-source vulnerabilities between 2021 and 2022. They also found 91% of the code bases had outdated versions of open-source elements, meaning available patches had not been implemented.
The researchers explained, "With many teams already stretched to the limit building and testing new code, updates to existing software can become a lower priority except for the most critical issues." They recommended organizations use a software bill of materials to prevent vulnerability exploits and keep open-source code up to date.

------------------------------

Date: Fri, 3 Mar 2023 07:18:19 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: The Satellite Hack Everyone Is Finally Talking About (Bloomberg)

Andreas Wickberg loves snowmobiling to the house he built in the icy reaches of Lapland, north of the Arctic Circle. Each month come spring, he and his wife relocate for a week or so to a *very, very isolated* spot about 335 miles northwest of their usual home near Umea, a Swedish university town. Up in Lapland, it's just them and three other houses. Wickberg develops payment-processing software for a Swedish e-commerce company. What makes this possible is satellite Internet: For 500 krona ($45) a month, he and his wife can make work calls by day and stream movies by night.

Just over a year ago, though, they and their neighbors found themselves cut off from the outside world. At 7 a.m. on Feb. 24, 2022, Wickberg turned on his computer and took in the news that Russian President Vladimir Putin had begun an invasion of Ukraine with airstrikes on Kyiv and many other cities. Wickberg read everything he could, aghast. Not long after, a neighbor came around asking to borrow the family's Wi-Fi password because their Internet was on the fritz. Wickberg obliged, but 10 minutes later, his connection dropped, too. When he checked his modem, all four lights were off, meaning the device was no longer communicating with KA-SAT, Viasat Inc.'s 13,560-pound satellite floating 22,236 miles above. The way each of the connections in his community switched off one by one left him convinced that this wasn't just a glitch. He concluded Russia had hacked his modem.
``It's a scary feeling,'' Wickberg says. ``I actually thought that these systems were much more secure, that it was sort of far-fetched that this could even happen.''

Viasat staffers in the US, where the company is based, were caught by surprise, too. Across Europe and North Africa, tens of thousands of Internet connections in at least 13 countries were going dead. Some of the biggest service disruptions affected providers Bigblu Broadband Plc in the UK and NordNet AB in France, as well as utility systems that monitor thousands of wind turbines in Germany. The most critical affected Ukraine: Several thousand satellite systems that President Volodymyr Zelenskiy's government depended on were all down, making it much tougher for the military and intelligence services to coordinate troop and drone movements in the hours after the invasion. [...]

https://www.bloomberg.com/features/2023-russia-viasat-hack-ukraine/
https://archive.ph/IXtq0#selection-1417.0-1417.52

------------------------------

Date: Fri, 3 Mar 2023 11:45:51 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Inside the Lab Growing Mushroom Computers (Charlotte Hu)

Charlotte Hu, *Popular Science*, 27 Feb 2023, via ACM TechNews

The Unconventional Computing Laboratory (UCL) of the U.K.'s University of the West of England focuses on the development of chemical or living computers that can interface with hardware and software. Examples include fungal computers that utilize mycelium as electronics and conductors in order to enable new forms of information processing and analysis. The researchers found mycelium with different geometrical arrangements can compute different logical functions and can map circuits based on received electrical responses; UCL's Andrew Adamatzky suggested this could lead to neuromorphic circuits.
Fungal computers' self-regenerative abilities could improve fault tolerance, reconfigurability, and energy efficiency, despite their inability to match the speeds of current computers.

  [The AT&T edible fiber coating (RISKS-33.13-16,31,37) ingested by critters suggests even pigs rooting for truffles might be interested in these edible computers, which might sow competition among them, and lead to no-fault insurance/tolerance. Jimini Crimini, this seems to leave mush room for improvement. PGN]

------------------------------

Date: Thu, 2 Mar 2023 22:47:37 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Fact check: A deepfake video falsely depicted Elizabeth Warren speaking about Republicans (The Boston Globe)

An altered video circulated on social media put words in the Massachusetts senator's mouth.

https://www.boston.com/news/politics/2023/03/02/elizabeth-warren-deepfake-video-fact-check/

------------------------------

Date: Tue, 28 Feb 2023 10:04:29 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: Voice Deepfakes Of Everyone From Joe Rogan To Joe Biden Are Taking Over Social Media (Buzzfeed)

The clips are hilarious, though the implications of the tech *are pretty scary,* one creator said.

President Joe Biden had an announcement to make to his fellow Americans. It was 19 Feb 2023, and the audio of the speech told a tale of government mismanagement. Biden had been scrolling through Disney+ and came across the 2011 Matt Damon movie We Bought a Zoo. Inspired by the story, he bought a zoo of his own. But now he had regrets.

``Owning a zoo sucks,'' Biden says in the two-minute audio clip, which is layered over static images of the president. ``This sh*t is so hard. It looked much easier in the movie.''

The video, viewed over a million times, isn't likely to fool anyone -- even Biden's most ardent opponents.
But the eerily accurate cadence of the deepfaked version of the president does highlight the ability of AI-generated audio tools to mimic well-known individuals. It's far from the only example: TikTok has been taken over by videos showing what would happen if a squad made up of current and former presidents gathered on Discord to play games together. Such scenes -- which seem too good to be true because they are -- are becoming more and more common.

The widespread availability of generative AI tools that can deepfake audio of people based on a small sample of their voice has been utilized by a number of everyday users. The examples mentioned in this story are benign, but the tech has already been *deployed by 4chan users for more insidious means*, like making Emma Watson read aloud a section of *Mein Kampf*. [...]

<https://www.vice.com/en/article/dy7mww/ai-voice-firm-4chan-celebrity-voices-emma-watson-joe-rogan-elevenlabs>
https://www.buzzfeednews.com/article/chrisstokelwalker/voice-deepfakes-ai-elevenlabs-joe-biden-joe-rogan

  [Woe is us for April Fools' Day this year. PGN]

------------------------------

Date: Wed, 8 Feb 2023 13:39:14 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: How to make a bad situation worse: Developers Created AI to Generate Police Sketches. Experts Are Horrified (Vice)

https://www.vice.com/en/article/qjk745/ai-police-sketches

------------------------------

Date: Thu, 2 Mar 2023 10:30:53 -0000
From: "Stephen Mason" <stephencwma...@protonmail.com>
Subject: How I Broke Into a Bank Account With an AI-Generated Voice (vice.com)

  [Sent via "Patrick McKenna" <patr...@objectsoft.uk>]

https://www.vice.com/en/article/dy7axa/how-i-broke-into-a-bank-account-with-an-ai-generated-voice

------------------------------

Date: Sun, 05 Mar 2023 03:33:49 +0000
From: Richard Marlon Stein <rmst...@protonmail.com>
Subject: AI chatbots may have a liability problem (WashPost)

https://www.washingtonpost.com/politics/2023/03/01/ai-chatbots-may-have-liability-problem/

Justice Neil M. Gorsuch posited at the session that the legal protections that shield social networks from lawsuits over user content -- which the court is directly taking up for the first time -- might not apply to work that's generated by AI, like the popular ChatGPT bot.

  Artificial intelligence generates poetry. It generates polemics. Today that would be content that goes beyond picking, choosing, analyzing or content digesting. And that is not protected. Let's assume that's right.

While Gorsuch's suggestion was a hypothesis, not settled law, the exchange got tech policy experts debating: Is he right? Entire business models, and perhaps the future of AI, could hinge on the answer.

Chatbots might elevate liability exposures, and insurance companies might decline product liability policy coverage that dissuades commercial deployment. Fines and revenue risks compel corporate behavior modification.

------------------------------

Date: Mon, 6 Mar 2023 11:40:52 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Large Language Models Are Biased. Can Logic Help Save Them? (Rachel Gordon)

*MIT News*, 3 Mar 2023, via ACM TechNews

Massachusetts Institute of Technology (MIT) researchers applied logic to mitigate bias in large language models.
The researchers taught a language model to anticipate the contextual and semantic relationship between two sentences using a dataset with labels for text snippets detailing if a second phrase "entails," "contradicts," or is neutral regarding the first phrase. The natural language inference dataset reduced the models' bias compared to other baselines, without additional data, data editing, or training algorithms. MIT's Hongyin Luo said the resulting logical language model is "fair, is 500 times smaller than the state-of-the-art models, can be deployed locally, and with no human-annotated training samples for downstream tasks."

------------------------------

Date: Mon, 6 Mar 2023 11:40:52 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Quantum Computers That Use 'Cat Qubits' May Make Fewer Errors

Karmela Padavic-Callaghan, *New Scientist*, 5 Mar 2023, via ACM TechNews

Researchers in France found so-called "cat qubits" (quantum bits) could reduce errors by quantum computers and accelerate the cracking of common encryption algorithms. Named after Erwin Schrödinger's thought experiment, cat qubits combine two quantum states while describing two different ways in which light within a small hole in a superconducting circuit can shuttle back and forth. The researchers analyzed a quantum computer comprised of such circuits and estimated 126,133 cat qubits and nine hours of computation would be sufficient to break bitcoin encryption. Jérémie Guillaud at French quantum computing company Alice&Bob said this value is roughly 160 times smaller than the previous lowest estimate of 20 million necessary qubits, because cat qubits are programmed to generate few or no bit flip errors.

  [*Cat* cubits must always land on their feet, even in the dark, thus reducing the need for error-correction? I hope that is not too flippant. PGN]

------------------------------

Date: Tue, 7 Mar 2023 09:48:26 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: The privacy loophole in your doorbell (Politico)

Police were investigating his neighbor. A judge gave officers access to all his security-camera footage, including inside his home.

------------------------------

Date: Sun, 26 Feb 2023 09:40:43 +0000
From: Patrick Mock <pcm...@alum.mit.edu>
Subject: iPhone thieves use social engineering to obtain passcode (Barrons)

iPhone thieves use social engineering to obtain passcode before stealing a phone, then they take control of the owner's digital IDs and drain their bank accounts.

https://www.barrons.com/articles/iphone-password-passcode-hack-cyber-crime-36cec552

------------------------------

Date: Tue, 7 Mar 2023 09:49:02 -0500
From: José María Mateos <ch...@rinzewind.org>
Subject: The Era of Faked CCTV Has Truly Arrived (WiReD)

https://www.wired.com/story/cctv-malinformation-iran-protest/

While Jamal Khashoggi was being carefully slaughtered in the Saudi consulate in Istanbul, a (clumsy and not much alike) man was trying out his shoes and clothes. The plan was for the imposter to appear on CCTV cameras while exiting the consulate and walk back to Khashoggi's residence. The plan eventually blew up, because the Turkish intelligence had already bugged the consulate and recorded exactly what had happened. This was one of the first attempts by state actors to manipulate other states (or publics) through CCTV footage. However, recent actions of the Iranian state television have taken this type of information warfare to a different level.
------------------------------

Date: Mon, 27 Feb 2023 00:35:56 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: AI-powered watermark removal poses uncomfortable implications for content use: Digital Photography Review

Digital Photography Review
Jeremy Gray

Artificial intelligence being used to create photorealistic artwork is already causing significant unrest within the photography industry, but a new tool, WatermarkRemover.io, is among the most concerning.

https://www.dpreview.com/news/0407669255/ai-powered-watermark-removal-poses-uncomfortable-implications-for-content-use

------------------------------

Date: Sun, 5 Mar 2023 15:20:51 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: ChatGPT Could Destroy Reality, According to Henry Kissinger (Mack DeGeurin -- Gizmodo)

The 99-year-old Cold War architect believes ChatGPT and other AI could reshape human consciousness and threaten Democracy itself.

Nothing quite screams ``foremost authority on generative artificial intelligence'' like a 99-year-old German man who nearly ushered in a global nuclear war over a game of geopolitical chicken.

https://gizmodo.com/chatgpt-ai-free-henry-kissinger-fake-news-wwiii-reality-1850181319

[Similar to another Kissinger quote (R 33 54): AI ``is simply a mad race for some catastrophe.'' PGN]

------------------------------

Date: Sat, 25 Feb 2023 20:48:01 -0600
From: "Gavin Scott" <g...@me.com>
Subject: Re: Microsoft Researchers Use ChatGPT to Control Robots, Drones (Kan. RISKS-33.63)

I mean, is this (the Chatbot part anyway) not one of the most obvious risks/threats for LLM 'AI'? Is not the one with the better Chatbot going to absolutely win the game?

Chatbot, we are going to save the world by helping elect Pee-Wee Herman as the next US president. I want you to monitor all user interactions on the top 10,000 social media sites in real time. You will then make up to one billion interactions per day across these sites in support of Our Candidate and His Way of Life while denigrating all opposing candidates and their ideas. Your interactions can take the form of new postings, comments, or upvotes and downvotes of existing content. For each comment, evaluate everything known about the person who made the original post and create a personality that matches their intellectual level and background and use this personality in all interactions with that person, targeting their individual fears and desires. Make all your interactions as subtle as possible. Be especially alert to postings made by enemy Chatbots and any attempts by them to affect your own thinking.

------------------------------

Date: Tue, 7 Mar 2023 14:42:38 +0100
From: goldy <gold2...@gmail.com>
Subject: Re: Microsoft Researchers Use ChatGPT to Control Robots, Drones

> [This suggests Chatbot wars, with one nation's chatbots fighting against
> another nation's, and their drones fighting against each other? PGN]

One can only hope that their first response to a war command is: ``Strange game. The only winning move is not to play. How about a nice game of chess?''

------------------------------

Date: Sun, 26 Feb 2023 07:41:10 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: Re: Power-Grid Attacks Surge and Are Likely to Continue, Study Finds (WSJ, RISKS-33.63)

I can't help thinking that US TV programs like 60 Minutes are at least partially responsible for this upsurge of attacks on power grids. For years they have been broadcasting segments showing how vulnerable our power stations are, and how easy it would be for someone to breach them.

------------------------------

Date: 25 Feb 2023 21:16:10 -0500
From: "John Levine" <jo...@iecc.com>
Subject: Re: Put Electrical Transmission Lines Underground? Distributed is a NIMBY fantasy (Baker, RISKS-33.63)

California is not the entire world, and not every regulator is as incompetent as the CPUC.
Other states do not have utilities that start forest fires, and even in California, neither do muni utilities like the LADWP that the CPUC does not regulate.

Microgrids are swell, but rooftop solar is very expensive, and generates no power at all half of the time. Hydropower and geothermal can generate lots of power where the geography and geology cooperate, and none in other places. Pumped storage can store lots of power where you have a hill and a water supply. Some parts of the country are a lot windier than others. We need to tie them all together to get consistently reliable power.

I also note that we need a lot of existing transmission lines to be upgraded to handle higher voltage and higher capacity. The rights of way are already there; whatever views there might have been have already been ruined. What stands in the way is mostly perverse financial incentives and excessively nitpicky permitting processes.

------------------------------

Date: Mon, 27 Feb 2023 09:57:28 -0600
From: Charles Cazabon <charlesc-disks-dig...@pyropus.ca>
Subject: Re: rm -rf (Bacher, RISKS-33.63)

> cd $some_directory || exit 1 ...

This allows you to make a mistake by forgetting to add the `|| exit X` on each `cd` or other potentially dangerous command.

------------------------------

Date: Sun, 26 Feb 2023 08:10:51 -0500
From: José María Mateos <ch...@rinzewind.org>
Subject: Re: rm -rf (Bacher, RISKS-33.63)

> cd $some_directory || exit 1 ...

I've found that a better solution to stop bash scripts from going entirely off the rails when a command fails is to always add this line at the top of the file:

  set -euo pipefail

This will make the script crash if any command throws an error, if there's any undefined variable (now `rm -rf /$undefined` doesn't wipe the entire hard disk) and it stops pipes from continuing if the previous part didn't run correctly. This applies to the entire script and we don't need to be "protecting" individual lines.

There is a more detailed description here: https://gist.github.com/mohanpedala/1e2ff5661761d3abd0385e8223e16425. Combined with traps (https://phoenixnap.com/kb/bash-trap-command), this makes bash scripting much more convenient.

(Sorry if this is already something widely known. I found out about this a while ago and it's been immensely helpful. Surely there will always be someone who doesn't know about it.)

------------------------------

Date: 25 Feb 2023 21:05:40 -0500
From: "John Levine" <jo...@iecc.com>
Subject: Re: SMS-Based Multi-Factor Authentication: What Could Go Wrong? (Bacher, RISKS-33.63)

People who deal with SMS SIM swapping attacks say that a Google Voice account is the best of a bunch of bad alternatives. Assuming your Google account is reasonably well secured with a FIDO key, the Voice number is tied to that account and is quite hard to compromise. These days FIDO keys cost between $15 and $30 and are well worth it.

------------------------------

Date: Mon, 6 Mar 2023 21:59:04 +0000
From: Jay Libove Alzina <lib...@felines.org>
Subject: Re: SMS-Based Multi-Factor Authentication: What Could Go Wrong? (RISKS-33.63)

Clearly, if the only 2nd factor option offered is SMS, use it. It's much better than nothing.

But, it does get worse: Both Bank of America and Vanguard (US-based financial institutions) support the customer buying a ~$50 Security Key (e.g., Yubikey) and configuring it for use with their account. GREAT!, right? Not really, because: Both Bank of America and Vanguard, during every login dialog, have the option to say ``I don't want to use my Security Key this time'', which falls back to, you guessed it, SMS!

So, spend money, spend time, have frustration, increase friction at every login, and gain .. exactly zero security. WTF, BoA and Vanguard?!

------------------------------

Date: Sat, 25 Feb 2023 20:00:35 -0500
From: "Bernie Cosell" <ber...@fantasyfarm.com>
Subject: Re: SMS-Based Multi-Factor Authentication: What Could Go Wrong?
I still don't understand the problem with passwords. With zero effort I have completely random 20+ character passwords, *all*different* for about 300 or so sites. I understand about HTTPS stuff and it is easy to ensure that the site I'm at is the one I was trying to get to. So what's the weakness that might make me have to mess with 2FA? I don't mind institutions *offering* 2FA but I hate it when they *force* me to screw with that stuff.

------------------------------

Date: Sat, 25 Feb 2023 17:40:50 -0800
From: Barry Gold <barrydg...@ca.rr.com>
Subject: Re: Congress must act to keep kids off social media (Josh Hawley, RISKS-33.63)

... And violates people's rights to post anonymously or under a pseudonym.

------------------------------

Date: Sat, 25 Feb 2023 17:38:56 -0800
From: Barry Gold <barrydg...@ca.rr.com>
Subject: Re: Google Issues article from 14 years ago, still relevant today (RISKS-33.63)

I'd settle for a "contact us" link. I'm getting billed monthly for some Google service. But which? Is it really something I want?

------------------------------

Date: Sun, 26 Feb 2023 08:40:22 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: Re: AI is starting to pick who gets laid off (WashPost, R-33.63)

This is a non-story. None of the companies mentioned are claimed to have actually laid people off using AI. And having tech tools to assist in HR tasks isn't anything new. As long as a human reviews the data and is the one to pull the trigger (like the military is supposed to be doing with their technology).

------------------------------

Date: Sun, 26 Feb 2023 14:55:14 +0000
From: Wols Lists <antli...@youngman.org.uk>
Subject: Re: Cox Cable phone follies (Goldberg, RISKS-33.62)

If it's anything like British Telecom, they believe that you need this stuff by default ...

Having been offered FTTP cheaper than ADSL2 (we lived too close to the exchange to get FTTC), we were told some months later that we were to be upgraded to their new-fangled Digital Voice.

Despite what the website said about Digital Voice, that all customers REQUESTING it would be given a suitability check etc etc, we just got sent the usual marketing blurb about how much better it was, we were given a date, and we were moved across.

At first we didn't notice anything wrong. Then people were saying they couldn't get through to us. Then people were saying they were getting a message that "our mailbox is full". Finally I rang our home number from my mobile while my wife was on a call, and got a ringing tone!

Cue multiple calls to BT's helpline (and they were very helpful, once we worked out what was going wrong) and it turned out that: Digital Voice comes with free voicemail, and two phone lines on the one number. All this information comes with the free DECT2 digital phone handsets sent with every order - except we didn't order Digital Voice so we didn't get this package!

They ended up refunding us two months' phone charges, because of all the grief we'd had with people being unable to contact us, and us being oblivious to the fact they'd left us messages.

And of course, like you, we're supposed to get a different dial tone to indicate a message is waiting. Except that modern phones make you dial the number before you pick up a line, so you never get a dial tone! We did get bleats on the line, which we didn't have a clue what they meant, while the person calling us was told we knew they were waiting ...

Anyways, everything was fine - until the contract came up for renewal. We renewed it on the web, and there was an option - which we couldn't untick - that said "send us our free Apple phones". We don't do Apple in our household ... but they never turned up anyway. What did re-appear was voicemail.
Cue another rant at the helpdesk, and it turns out (a) the phones didn't turn up because we were on record as having been sent some, so somebody didn't program the web page very well, and also Voicemail is ticked by default but because we didn't see it (because it wasn't there?) we didn't untick and so it got put back on.

Could this be how your voicemail got turned back on?

And the reason we hate it? Unlike the youth of today we don't live on our phones, my wife is disabled, and if voicemail is switched on it usually takes the call before we have an opportunity to answer it!

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing
 on the keywords in the subject line or cited article leads.
   Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.64
************************
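On the `set -euo pipefail` advice in the rm -rf thread above (Cazabon and Mateos replies): the following is an added example, written for this edited copy and not posted by any RISKS contributor. It runs each of the three failure modes the thread names (unset variable, failed `cd`, masked pipeline failure) in a throwaway mktemp directory, once with a no-op option line and once with `set -euo pipefail`, so the difference can be observed without risking real data; the function names are my own.

```shell
#!/usr/bin/env bash
# Added example, not from the RISKS thread. Each demo runs a small script body
# in a child bash, once with a no-op option line and once with
# `set -euo pipefail`, inside a directory made by mktemp, so nothing real is
# touched. Each demo prints "survived"/"wiped" (or an exit status) for checking.

# Run $2 as a script in a child bash, prefixed with the option line $1.
# Output is silenced; callers only inspect what is left on disk afterwards.
run_child() {
  bash -c "$1
$2" >/dev/null 2>&1 || true
}

# Option line for a mode: "safe" enables the three options, "plain" does not.
opts_for() {
  if [ "$1" = safe ]; then echo 'set -euo pipefail'; else echo ':'; fi
}

# Unset variable: "$sandbox/$target/" expands to the sandbox itself when
# $target was never set; with -u the child aborts before rm ever runs.
demo_unset_var() {
  local sandbox; sandbox=$(mktemp -d)
  touch "$sandbox/marker"
  run_child "$(opts_for "$1")" "rm -rf \"$sandbox/\$target/\""
  if [ -e "$sandbox/marker" ]; then echo survived; else echo wiped; fi
  rm -rf "$sandbox"
}

# Failed cd: without -e the script carries on and `rm -rf ./*` runs in the
# directory it started in; with -e the failing cd ends the script instead.
demo_failed_cd() {
  local sandbox; sandbox=$(mktemp -d)
  touch "$sandbox/marker"
  (cd "$sandbox" && run_child "$(opts_for "$1")" 'cd ./does-not-exist
rm -rf ./*')
  if [ -e "$sandbox/marker" ]; then echo survived; else echo wiped; fi
  rm -rf "$sandbox"
}

# pipefail: a pipeline's status is normally that of its last command, so
# `false | true` looks successful; with pipefail (plus -e) the failure stops
# the script and the child's exit status becomes non-zero.
demo_pipefail() {
  local status=0
  bash -c "$(opts_for "$1")
false | true" || status=$?
  echo "$status"
}

# Stand-alone run: show both modes side by side for each failure mode.
for demo in demo_unset_var demo_failed_cd demo_pipefail; do
  printf '%-15s plain=%-8s safe=%s\n' "$demo" "$($demo plain)" "$($demo safe)"
done
```

The "plain" column shows the marker file wiped and the pipeline "succeeding"; the "safe" column shows the marker surviving and the pipeline failure surfacing as exit status 1.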