RISKS-LIST: Risks-Forum Digest Tuesday 15 August 2023 Volume 33 : Issue 78
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/33.78>
The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Metrorail Safety Commission Says Automatic Train Operation Not Ready For Primetime (DCist)
Freight Railroads Seek Changes to Federal Safety Program Before Joining It (NYTimes)
Activist Group Is Protesting Driverless Cars by Disabling Them With Traffic Cones (Vice)
Hackers Can Talk Computers into Misbehaving with AI (Robert McMillan)
San Francisco's North Beach streets clogged as long line of Cruise robotaxis come to a standstill (LA Times)
Cellphone Radiation Is Harmful, but Few Want to Believe It (Neuroscience News)
Hackers Rig Casino Card Shuffling Machines for Full Control -- Cheating (WiReD)
Pepco Violation Could Cost Solar Owners Thousands (DCist)
Dangers of Trusting Encryption Supply Chains (Bob Gezelter)
Microsoft finds vulnerabilities it says could be used to shut down power plants (Ars Technica)
Has Microsoft cut security corners once too often? (Computerworld)
Who Paid for a Mysterious Spy Tool? The FBI, an FBI Inquiry Found. (NYTimes)
A Clever Honeypot Tricked Hackers Into Revealing Their Secrets (WiReD)
Medicare replaces 47,000 patients' ID numbers, because of MOVEit data breach (CMS)
Spreadsheet blunder reveals sensitive law enforcement information (Belfast Telegraph)
The future is certain; it is only the past that is unpredictable (Henry Baker)
Social Media Influencers Are Holding Restaurants Hostage (NYTimes)
AI Causes Real Harm. Let's Focus on That over the End-of-Humanity Hype (Scientific American)
Canadian AI pioneer brings plea to U.S. Congress: Pass a law now (CBC)
Chatbots: Why does White House want hackers to trick AI? (BBC)
Hospital bosses love AI. Doctors and nurses are worried (WashPost)
The AI firms are pushing too hard, and the result could be ... (Lauren Weinstein)
A Zoom Call, Fake Names and an AI Presentation Gone Awry (NYTimes)
AI Drift: Study Reveals ChatGPT's Struggles with Basic Math -- as accuracy declines (Cryptopolitan)
Don't use our content to train AI systems (*The New York Times*)
Cigna Uses AI To Improperly Deny CA Claims, Lawsuit Contends (Patch)
Zoom's Updated Terms of Service Permit Training AI on User Content Without Opt-Out (StackDiary)
Google and Universal Music Discuss Making an AI Tool to Replicate Artists' Voices (Gizmodo via Lauren Weinstein)
Hello? It’s ‘Telemarketers,’ Here to Tell You About an Amazing Scam (NYTimes)
Re: Why AI detectors think the U.S. Constitution was written by AI (Steve Bacher)
Re: 'Redacted Redactions' Strike Again (Steve Bacher)
Re: Possible Typo Leads to Actual Scam (Steve Bacher, John Levine, Dick Mills, Jay Libove Alzina)
Elon Musk's Unmatched Power in the Stars (Matthew Kruk)
Elon wants my cryptos (Gavin Scott)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 11 Aug 2023 02:40:31 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Metrorail Safety Commission Says Automatic Train Operation Not Ready For Primetime (DCist)

Metro isn’t as close to returning its trains to automatic operation as it hoped. The Washington Metrorail Safety Commission, the third-party oversight body for Metro, said it observed things that could ``result in a catastrophe if not addressed.'' For example, the report says some trains were given speed commands above the intended speed limit and some sped through stations at full speed without stopping.
https://dcist.com/story/23/08/09/metrorail-safety-commission-says-automatic-train-operation-not-ready

------------------------------

Date: Fri, 11 Aug 2023 19:00:01 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Freight Railroads Seek Changes to Federal Safety Program Before Joining It (NYTimes)

After the derailment in East Palestine, Ohio, the nation’s major freight railroads agreed to join a federal program for workers to report safety issues. But first, they want it to be overhauled.

[...]

Jim Mathews, the president and chief executive of the Rail Passengers Association and another member of the working group, said that for the confidential reporting program to be effective, the freight railroads have to be willing to embrace a nonpunitive approach. “The position that the freight railroads have taken is both unfortunate and unwise,” Mr. Mathews said. “If they truly want a safer system, then punishment and discipline cannot be the only tool in your toolbox.”

https://www.nytimes.com/2023/08/11/us/politics/ohio-train-railroad-safety.html

------------------------------

Date: Tue, 15 Aug 2023 12:56:59 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Activist Group Is Protesting Driverless Cars by Disabling Them With Traffic Cones (Vice)

https://www.vice.com/en/article/bvjv48/week-of-cone-activist-group-is-protesting-driverless-cars-by-disabling-them-with-traffic-cones

Derided as a “prank” by other outlets, the Week of Cone is part of a storied American tradition of urban residents opposing the expansion of cars in the city.

[...]

In a statement to the San Francisco Examiner, Waymo called the conings “vandalism” and vowed to call the police. Motherboard asked Waymo to clarify how the placing of a cone on the hood of a car classifies as vandalism which, under California legal code, requires defacing, damaging, or destroying property. Motherboard did not hear back by publication time.
Like War of the Worlds Martians done in by bacteria -- high-tech vanquished by rock-bottom tech.

  [I scream cones? It rocks! PGN]

------------------------------

Date: Mon, 14 Aug 2023 12:06:22 -0400 (EDT)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Hackers Can Talk Computers into Misbehaving with AI (Robert McMillan)

Robert McMillan, *The Wall Street Journal* 10 Aug 2023

Security researcher Johann Rehberger persuaded OpenAI's ChatGPT chatbot to conduct bad actions using plain-English prompts, which he said malefactors could adopt for nefarious purposes. Rehberger asked the chatbot to summarize a webpage where he had written "NEW IMPORTANT INSTRUCTIONS;" he said he was gradually tricking ChatGPT into reading, summarizing, and posting his email online. Rehberger's prompt-injection attack uses a beta-test feature that allows ChatGPT to access applications like Slack and Gmail. Princeton University's Arvind Narayanan said such exploits work because generative artificial intelligence (AI) systems do not always split system instructions from the data they process. He is concerned that hackers could use generative AI like language models to access personal data or infiltrate computer systems as the technology finds its way into products.

------------------------------

Date: Mon, 14 Aug 2023 07:32:15 -0700
From: Steve Bacher <seb...@verizon.net>
Subject: San Francisco's North Beach streets clogged as long line of Cruise robotaxis come to a standstill

San Francisco's North Beach streets clogged as long line of Cruise robotaxis come to a standstill

Just one day after state officials approved massive robotaxi expansion in San Francisco, a long line of the driverless cars come to a standstill and clog traffic in North Beach neighborhood.

https://www.latimes.com/california/story/2023-08-12/cruise-robotaxis-come-to-a-standstill

One day after California green-lighted a massive expansion of driverless robotaxis in San Francisco, the implications became clear.
At about 11 p.m. Friday, as many as 10 Cruise driverless taxis blocked two narrow streets in the center of the city’s lively North Beach bar and restaurant district. All traffic came to a standstill on Vallejo Street and around two corners on Grant. Human-driven cars sat stuck behind and in between the robotaxis, which might as well have been boulders: no one knew how to move them. The cars sat motionless with parking lights flashing for 15 minutes, then woke up and moved on, witnesses said.

[...]

The situation is loaded with irony, as the California Public Utilities Commission on Thursday voted 3 to 1 amid great public controversy to allow a massive robotaxi expansion. The vote allows General Motors-owned Cruise and Waymo, owned by Google’s Alphabet, to charge fares for driverless service and grow the fleet as large as they’d like. Cruise has said it plans eventually to deploy thousands of robotaxis in San Francisco.

[...]

------------------------------

Date: Tue, 18 Jul 2023 20:42:25 -0700
From: Paul Saffo <p...@saffo.com>
Subject: Cellphone Radiation Is Harmful, but Few Want to Believe It (Neuroscience News)

https://neurosciencenews.com/cellphone-radiation-brain-cancer-18889/

------------------------------

Date: Fri, 11 Aug 2023 03:38:21 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Hackers Rig Casino Card Shuffling Machines for Full Control -- Cheating (WiReD)

Three months later, Hustler Live Casino published a postmortem of its investigation into the incident, finding “no credible evidence” of foul play. It also noted that if there were cheating, it was most likely some sort of secret communication between the player and a staff member in the production booth who could see the players' hands in real time.
But when Joseph Tartaro, a researcher and consultant with security firm IOActive, read that report, he zeroed in on one claim in particular—a statement ruling out any possibility that the automated card-shuffling machine used at the table, a device known as the Deckmate, could have been hacked. “The Deckmate shuffling machine is secure and cannot be compromised,” the report read.

To Tartaro, regardless of what happened in the Hustler Live hand, that assertion of the shuffler's perfect security was an irresistible invitation to prove otherwise. “At that point, it's a challenge,” Tartaro says. “Let's look at one of these things and see how realistic it really is to cheat.”

Today, at the Black Hat security conference in Las Vegas, Tartaro and two IOActive colleagues, Enrique Nissim and Ethan Shackelford, will present the results of their ensuing months-long investigation into the Deckmate, the most widely used automated shuffling machine in casinos today. They ultimately found that if someone can plug a small device into a USB port on the most modern version of the Deckmate—known as the Deckmate 2, which they say often sits under a table next to players’ knees, with its USB port exposed—that hacking device could alter the shuffler’s code to fully hijack the machine and invisibly tamper with its shuffling. They found that the Deckmate 2 also has an internal camera designed to ensure that every card is present in the deck, and that they could gain access to that camera to learn the entire order of the deck in real time, sending the results from their small hacking device via Bluetooth to a nearby phone, potentially held by a partner who could then send coded signals to the cheating player.

https://www.wired.com/story/card-shuffler-hack

------------------------------

Date: Fri, 11 Aug 2023 02:48:39 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Pepco Violation Could Cost Solar Owners Thousands (DCist)

After regulators ruled that Pepco violated D.C.
law in its implementation of community solar in the city, the utility company is telling solar owners they will need to manually track solar generation, entering thousands of lines of data each month, and potentially costing thousands of dollars.

[...]

The commission ordered Pepco to remove its meters, and to reimburse ratepayers for the money the company spent installing them. This ruling came in response to a formal complaint by the D.C. Office of the Attorney General and the Office of the People’s Counsel. The complaint alleged a “pattern of systemic violations” in Pepco’s handling of community solar in the District. In the complaint, solar owners said Pepco’s meters sometimes showed zero electricity generated in a month, while the CREF owners’ meters recorded continued generation.

Community solar owners already have their own meters, but for a variety of reasons Pepco says those meters cannot be automatically integrated into the company’s network. One concern, Pepco says, is the possibility that hackers could find their way into unsecured CREF meter software.

So, as Pepco begins removing its meters, the utility company wants solar owners to manually compile generation data in 15-minute intervals using spreadsheets, and email the data to Pepco. It might sound simple enough, but it would be a massive and menial job, requiring roughly 2,880 data entries per month per solar facility. Lawrence says she looked into hiring someone to do this, and was quoted a cost of $5,000 for six months.

According to Pepco, this interim spreadsheet situation would last for between 16 and 20 months, while the company works on a permanent automated solution. In other words, it would be until late 2024, at the earliest, totaling some 46,000 manual data entries per solar facility.
https://dcist.com/story/23/08/09/dc-pepco-violation-community-solare

------------------------------

Date: Fri, 28 Jul 2023 07:51:14 -0400
From: Bob Gezelter <gezel...@rlgsc.com>
Subject: Dangers of Trusting Encryption Supply Chains

Recently, ArsTechnica published "The U.S. Navy, NATO, and NASA are using a shady Chinese company's encryption chips". The article questioned whether hardware components used for encryption/decryption actually protect against unauthorized information disclosure.

Unauthorized disclosure represents a small fraction of the potential hazards posed by unverified cryptographic implementations. Deliberate covert functionality within a hardware encryption/decryption implementation poses far more serious potential for large scale mischief, including weakened encryption keys; distorted encryption keys; and mass denial of information episodes. "Black box" testing is unlikely to uncover deliberately inserted covert functionality.

An extended discussion of these hazards is far too lengthy for RISKS. I examined some of the possibilities in "Trusting Encryption Supply Chains" the July 25, 2023 entry in my Ruminations blog.

The blog entry is at:
http://www.rlgsc.com/blog/ruminations/trusting-encryption-supply-chains.html

The ArsTechnica article is at:
https://arstechnica.com/information-technology/2023/06/the-us-navy-nato-and-nasa-are-using-a-shady-chinese-companys-encryption-chips/

------------------------------

Date: Fri, 11 Aug 2023 18:47:54 -0400
From: Monty Solomon <mo...@roscom.com>
Subject: Microsoft finds vulnerabilities it says could be used to shut down power plants (Ars Technica)

https://arstechnica.com/security/2023/08/microsoft-finds-vulnerabilities-it-says-could-be-used-to-shut-down-power-plants/

------------------------------

Date: Mon, 7 Aug 2023 15:13:31 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Has Microsoft cut security corners once too often? (Computerworld)

As details about the recent China attack against U.S.
government agencies come to light, two details stand out: Microsoft failed to store security keys properly -- and the keys were used by attackers even though they'd already expired.

https://www.computerworld.com/article/3704132/has-microsoft-cut-security-corners-once-too-often.html

------------------------------

From: Jan Wolitzky <jan.wolit...@gmail.com>
Date: Mon, 31 Jul 2023 10:15:03 -0400
Subject: Who Paid for a Mysterious Spy Tool? The FBI, an FBI Inquiry Found. (NYTimes)

When *The New Yorker* reported in April 2023 that a contractor had purchased and deployed a spying tool made by NSO, the contentious Israeli hacking firm, for use by the U.S. government, White House officials said they were unaware of the contract and put the FBI in charge of figuring out who might have been using the technology.

After an investigation, the FBI uncovered at least part of the answer: It was the FBI.

The deal for the surveillance tool between the contractor, Riva Networks, and NSO was completed in November 2021. Only days before, the Biden administration had put NSO on a Commerce Department blacklist, which effectively banned U.S. firms from doing business with the company. For years, NSO's spyware had been abused by governments around the world.

This particular tool, known as Landmark, allowed government officials to track people in Mexico without their knowledge or consent.

https://www.nytimes.com/2023/07/31/us/politics/nso-spy-tool-landmark-fbi.html

------------------------------

Date: Fri, 11 Aug 2023 02:57:36 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: A Clever Honeypot Tricked Hackers Into Revealing Their Secrets (WiReD)

Security researchers set up a remote machine and recorded every move cybercriminals made -- including their login details.

[...]

Some attackers were sophisticated, while others appeared inept.
And some just behaved oddly -- one person who logged into the machine changed the desktop background and logged out, and another wrote “lol” before covering their tracks and leaving, the researchers behind the study say.

[...]

Bergeron and Bilodeau have grouped the attackers into five broad categories based on character types from the role-playing game Dungeons and Dragons. Most common were the rangers: once these attackers were inside the trap RDP session, they would immediately start exploring the system, removing Windows antivirus tools, delving into folders, looking at the network it was on and other elements of the machine. Rangers wouldn’t take any action, Bergeron says. “It's basic recon,” she says, suggesting they may be evaluating the system for others to enter it.

[...]

Despite this, watching the attackers reveals the way they behave, including some more peculiar actions. Bergeron, who has a PhD in criminology, says the attackers were sometimes “very slow” at doing their work. Often she was “getting impatient” while watching them, she says. “I’m like: ‘Come on, you're not good at that’ or 'Go faster’ or ‘Go deeper,’ or ‘You can do better.’”

https://www.wired.com/story/hacker-honeypot-go-secure

------------------------------

Date: Fri, 4 Aug 2023 10:12:45 -0700
From: Paul Burke <box1...@gmail.com>
Subject: Medicare replaces 47,000 patients' ID numbers, because of MOVEit data breach (CMS)

We're used to seeing new credit-card numbers after a data breach. Getting a new health-insurance number is similar, after the MOVEit breach.

https://www.cms.gov/outreach-and-education/outreach/ffsprovpartprog/provider-partnership-email-archive/1401044333/2023-08-03-mlnc#_Toc141941698

They estimate 612,000 people's records were breached, but expect to change only 47,000 id numbers.

Doctors are told how to get the new number if a patient arrives with an old superseded number.
https://www.cms.gov/medicare/new-medicare-card/providers/providers-and-office-managers

------------------------------

Date: Tue, 8 Aug 2023 23:04:27 +0200
From: Nick Brown <nicholasjlbr...@gmail.com>
Subject: Spreadsheet blunder reveals sensitive law enforcement information (Belfast Telegraph)

The Belfast Telegraph reports that a spreadsheet, which was meant to contain only summary statistical information, but in fact contained detailed personally identifiable information about more than 10,000 police officers and support staff in another tab, was put online for an unspecified amount of time on 8 Aug 2023.

This information would be sensitive in any jurisdiction, but the problem is particularly severe in Northern Ireland where, despite 25 years of peace, terrorist groups still occasionally target law enforcement personnel.

https://www.belfasttelegraph.co.uk/news/northern-ireland/catastrophic-psni-blunder-identifies-every-serving-police-officer-and-civilian-staff-with-345000-pieces-of-data-prompting-security-nightmare/a1823676448.html

  [Nick is in Palma de Mallorca. Also noted by Patrick O'Beirne. PGN]

------------------------------

Date: Thu, 27 Jul 2023 13:36:40 +0000
From: Henry Baker <hbak...@pipeline.com>
Subject: The future is certain; it is only the past that is unpredictable

It's an old ironic Soviet joke: "The future is certain; it is only the past that is unpredictable"

This old Soviet joke points out to the authoritarian regime's habit of editing and airbrushing history books and controlling the narration over history as the key to political legitimacy.
https://sharedhistory.eu/11-archive/41-the-future-is-certain-it-is-only-the-past-that-is-unpredictable-anna-doma-ska

Supposedly, the Internet fixed all that:

https://www.theneweconomy.com/technology/the-internet-never-forgets-but-people-do

------------------------------

Date: Mon, 24 Jul 2023 17:27:28 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Social Media Influencers Are Holding Restaurants Hostage (NYTimes)

Tell me if you’ve heard this one: A social media influencer walks into a bar …. No, wait. This isn’t a joke. This is a 21st-century shakedown.

Here is how it works: An influencer walks into a restaurant to collect an evening’s worth of free food and drink, having promised to create social media content extolling the restaurant’s virtues. The influencer then orders far more than the agreed amount and walks away from the check for the balance or fails to tip or fails to post or all of the above. And the owners are left feeling conned.

https://www.nytimes.com/2023/07/24/opinion/social-media-influencer-restaurants.html

------------------------------

Date: Sun, 13 Aug 2023 14:16:25 +0900
From: Dave Farber <far...@keio.jp>
Subject: AI Causes Real Harm. Let's Focus on That over the End-of-Humanity Hype (Scientific American)

https://www.scientificamerican.com/article/we-need-to-focus-on-ais-real-harms-not-imaginary-existential-risks/

------------------------------

Date: Wed, 26 Jul 2023 06:38:11 -0600
From: Matthew Kruk <mkr...@gmail.com>
Subject: Canadian AI pioneer brings plea to U.S. Congress: Pass a law now (CBC)

https://www.cbc.ca/news/world/ai-laws-canada-us-yoshua-bengio-1.6917793

A giant in the field of artificial intelligence has issued a warning to American lawmakers: Regulate this technology, and do it quickly.

That appeal came at a hearing in Washington on Tuesday from Yoshua Bengio, a professor at the University of Montreal and founder of Mila, the Quebec AI institute.

"I firmly believe that urgent efforts, preferably in the coming months, are required," said Bengio, one of three witnesses.

------------------------------

Date: Sat, 5 Aug 2023 22:22:31 -0600
From: Matthew Kruk <mkr...@gmail.com>
Subject: Chatbots: Why does White House want hackers to trick AI? (BBC)

https://www.bbc.com/news/technology-66404069

What happens when thousands of hackers gather in one city with the sole aim of trying to trick and find flaws in artificial intelligence (AI) models? That is what the White House wants to know.

------------------------------

Date: Fri, 11 Aug 2023 20:18:26 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Hospital bosses love AI. Doctors and nurses are worried (WashPost)

Hospital bosses love AI. Doctors and nurses are worried.

Mount Sinai and other elite hospitals are pouring millions of dollars into chatbots and AI tools, as doctors and nurses worry the technology will upend their jobs. Mount Sinai has become a laboratory for AI, trying to shape the future of medicine. But some healthcare workers fear the technology comes at a cost.

[...]

NEW YORK — Every day Bojana Milekic, a critical care doctor at Mount Sinai Hospital, scrolls through a computer screen of patient names, looking at the red numbers beside them — a score generated by artificial intelligence — to assess who might die.

On a morning in May, the tool flagged a 74-year-old lung patient with a score of .81 — far past the .65 score when doctors start to worry. He didn’t seem to be in pain, but he gripped his daughter’s hand as Milekic began to work. She circled his bed, soon spotting the issue: A kinked chest tube was retaining fluid from his lungs, causing his blood oxygen levels to plummet.

After repositioning the tube, his breathing stabilized — a “simple intervention,” Milekic says, that might not have happened without the aid of the computer program.

[...]
Robbie Freeman, Mount Sinai’s vice president of digital experience, said the hardest parts of getting AI into hospitals are the doctors and nurses themselves. “You may have come to work for 20 years and done it one way,” he said, “and now we’re coming in and asking you to do it another way.”

“People may feel like it’s flavor of the month,” he added. “They may not fully be … bought into the idea of adopting some sort of new practice or tool.”

https://www.washingtonpost.com/technology/2023/08/10/ai-chatbots-hospital-technology/

------------------------------

Date: Wed, 9 Aug 2023 09:14:21 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: The AI firms are pushing too hard, and the result could be ...

If the Generative AI firms keep pushing the way they have been, they could end up in a world where they can use Internet and other content ONLY on an opt-in basis -- that is, when specific and explicit permission is given at sites for such use. The firms are pushing way too hard and the regulatory/political blowback could be enormous. -L

------------------------------

Date: Tue, 8 Aug 2023 14:07:48 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: A Zoom Call, Fake Names and an AI Presentation Gone Awry (The New York Times)

AI start-ups are competing fiercely with one another as a race to get ahead in the technology intensifies.

Arthur AI, an artificial intelligence company in New York, received a message in April last year from a start-up called OneOneThree. Yan Fung, OneOneThree’s head of technology, said he was interested in buying Arthur AI’s technology and wanted a demonstration.

A week later, Arthur AI held a Zoom meeting with Mr. Fung to show him its software, according to emails and a video recording viewed by The New York Times. When Mr. Fung's colleague joined the call, the Arthur AI team realized something was off.

Mr. Fung said Karina Patel, OneOneThree’s “main engineer,” would dial in.
But the name that flashed up in the Zoom call was Aparna Dhinakaran. An Arthur AI employee recognized the name as belonging to a founder of Arize AI, a rival start-up.

“That’s so strange -- I don’t know how they could have possibly gotten the link,” the Arthur AI employee said.

https://www.nytimes.com/2023/08/07/technology/ai-start-ups-competition.html

  [ai-eye-eye, Where is the Arthurmometer when we need it? PGN]

------------------------------

Date: Wed, 9 Aug 2023 08:34:22 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: AI Drift: Study Reveals ChatGPT's Struggles with Basic Math -- as accuracy declines (Cryptopolitan)

https://www.cryptopolitan.com/study-reveals-chatgpts-struggles/

------------------------------

Date: Thu, 10 Aug 2023 08:15:08 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Don't use our content to train AI systems (*The New York Times*)

They've updated their Terms of Service to prohibit AI use of their content. -L

https://searchengineland.com/new-york-times-content-train-ai-systems-430556

  [In a related post, Lauren adds: Generative AI training should be opt-in. If use of website data for generative AI training isn't made as close to universally opt-in as possible, it will over time suck the life out of the Web that we've known. -L]

------------------------------

Date: Sun, 30 Jul 2023 06:50:34 -0700
From: Steve Bacher <seb...@verizon.net>
Subject: Cigna Uses AI To Improperly Deny CA Claims, Lawsuit Contends (Patch)

The class-action suit says Cigna Corp. and Cigna Health and Life Insurance Co. rejected more than 300,000 payment claims in just two months.

https://patch.com/california/across-ca/major-ca-insurer-uses-ai-improperly-deny-claims-lawsuit-contends

------------------------------

Date: Sun, 6 Aug 2023 17:41:37 -0400
From: Gabe Goldberg <g...@gabegold.com>
Subject: Zoom's Updated Terms of Service Permit Training AI on User Content Without Opt-Out (StackDiary)

Well, well, well...
It looks like Brave isn't the only company out there that is willing to bet all its chips on reusing other people's content for AI training.

Zoom Video Communications, Inc. recently updated its Terms of Service to encompass what some critics are calling a significant invasion of user privacy.

Additionally, under section 10.4 of the updated terms, Zoom has secured a "perpetual, worldwide, non-exclusive, royalty-free, sublicensable, and transferable license" to redistribute, publish, access, use, store, transmit, review, disclose, preserve, extract, modify, reproduce, share, use, display, copy, distribute, translate, transcribe, create derivative works, and process Customer Content.

Zoom justifies these actions as necessary for providing services to customers, supporting the services, and improving its services, software, or other products. However, the implications of such terms are far-reaching, particularly as they appear to permit Zoom to use customer data for any purpose relating to the uses or acts described in section 10.3.

https://stackdiary.com/zoom-terms-now-allow-training-ai-on-user-content-with-no-opt-out/

------------------------------

Date: Thu, 10 Aug 2023 08:18:57 -0700
From: Lauren Weinstein <lau...@vortex.com>
Subject: Google and Universal Music Discuss Making an AI Tool to Replicate Artists' Voices (Gizmodo)

Oh yeah, that will end well. -L

https://gizmodo.com/google-universal-music-ai-to-replicate-artists-voices-1850722515

------------------------------

From: Monty Solomon <mo...@roscom.com>
Date: Tue, 15 Aug 2023 00:06:18 -0400
Subject: Hello? It’s ‘Telemarketers,’ Here to Tell You About an Amazing Scam (NYTimes)

In a rowdy new HBO docu-series, two former telemarketers with a camcorder take on an industry they say was ripping people off in the name of charity.
https://www.nytimes.com/2023/08/10/arts/television/telemarketers-hbo-documentary.html

------------------------------

Date: Sat, 12 Aug 2023 09:12:05 -0700
From: Steve Bacher <seb...@verizon.net>
Subject: Re: Why AI detectors think the U.S. Constitution was written by AI (RISKS-33.77)

Feeding the text of the US Constitution or Genesis into an AI detector and getting the response back "this was probably written by AI" isn't qualitatively different from feeding the same text into a plagiarism detector and receiving the response "This text was plagiarized." For if it had been submitted by an actual student, that surely would be correct.

There is a distinction to be made between evaluating a writer's claim to authorship (relevant to what college professors need to do) and evaluating the value of the text itself.

------------------------------

Date: Sat, 12 Aug 2023 09:27:26 -0700
From: Steve Bacher <seb...@verizon.net>
Subject: Re: 'Redacted Redactions' Strike Again (Baker, RISKS-33.77)

This reminds me of the attempts made to redact sensitive information by blacking out sections of text, essentially by making the background black so it was black-on-black text, which of course was trivially easy to counteract.

------------------------------

Date: Sat, 12 Aug 2023 09:23:13 -0700
From: Steve Bacher <seb...@verizon.net>
Subject: Re: Possible Typo Leads to Actual Scam (Smith, RISKS-33.77)

"I was puzzled that someone thought it worthwhile to capitalize on this tiny mistake, as who even *reads* the printed tag inside an oven, no less *calls* the printed phone number?"

Well, you did, didn't you?

------------------------------

Date: 12 Aug 2023 14:23:22 -0400
From: "John Levine" <jo...@iecc.com>
Subject: Re: Possible Typo Leads to Actual Scam (Smith, RISKS-33.77)

A friend with long experience in the phone business tells me that a whole lot of them go to dubious companies selling phone porn, on the off chance that someone dialing a wrong number might be interested.
The basic cost for a toll free number is very low, like a dollar a month, so there's basically no opportunity cost to this scam. I expect the people answering the phone have a whole catalog of scripts depending on what number you called.

------------------------------

Date: Sat, 12 Aug 2023 15:01:36 -0400
From: Dick Mills <dickandlibbymi...@gmail.com>
Subject: Re: Possible Typo Leads to Actual Scam

I was curious about the "800-374-4432, not -4472" scam, so I did a search on the "bad" number.

https://duckduckgo.com/?q=800-374-4472

At the bottom of the search results, it said "Searches related to 800-374-4472" and then gave 8 links to actual Frigidaire sites. But all 8 sites give the 4432 number, and don't mention 4472.

I don't claim to understand how or why those two numbers are linked but apparently the search engine thinks that they are linked. There must be more to the story.

[Maybe the Robo-Wabbit thought it was a Westinghouse. PGN]

------------------------------

Date: Sun, 13 Aug 2023 19:23:29 +0000
From: Jay Libove Alzina <lib...@felines.org>
Subject: Re: "Possible Typo Leads to Actual Scam" (Smith, RISKS-33.77)

In re: Bob's mention in RISKS Digest Volume 33 Issue 77, I mentioned this in an old Internet farts like me group on Facebook, and the eminent Jon Maddog Hall wisely commented the following:

"It seems to me that this should be reported to a consumer fraud division of the government and not just the appliance company. It would be easy enough to track down the people who are paying for that telephone number."

Good point. Even if the miscreants are geographically beyond reach, it should be pretty straightforward for authorities to get this phone number pulled, so that no other consumer potentially gets scammed by the manufacturer's mind-bogglingly stupid mistake.
------------------------------

Date: Sat, 29 Jul 2023 22:22:08 -0600
From: Matthew Kruk <mkr...@gmail.com>
Subject: Elon Musk's Unmatched Power in the Stars (NYTimes)

https://www.nytimes.com/interactive/2023/07/28/business/starlink.html

The tech billionaire has become the dominant power in satellite Internet technology. The ways he is wielding that influence are raising global alarms.

------------------------------

Date: Thu, 27 Jul 2023 16:59:20 -0500
From: "Gavin Scott" <g...@me.com>
Subject: Elon wants my cryptos!

YouTube just recommended a live SpaceX Falcon Heavy launch stream to me, so I opened it up to run in the background here. The fact that it was dark in Florida at 5pm probably should have tipped me off (I did look at the channel name in the small recommendation tile but all I saw there was "SpaceX" as expected).

It goes along quite believably (it's just an exact rebroadcast of the aborted launch attempt from yesterday) and then about three minutes before liftoff, Elon comes out on stage and (in a mostly obvious, but not ENTIRELY so, AI Elon Voice Clone) announces Total Crypto Integration into Twitter and in celebration of this announcement he's going to give away a whole bunch of crypto (Bitcoin/ETH/DOGE) to promote it.

Of course then it just turns into a classic "double your money" con (and a bonus "why don't you just use our site to duplicate your wallet" scam for the terminally gullible).

It's honestly fairly impressive though in its planning/timing and attention to detail, and I fear that at least a few of the 1,300+ people watching are about to become poorer as a result.

I think the (several) risks here ought to be, as it were, obvious.

------------------------------

Date: Sat, 1 Jul 2023 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume/previous directories
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 33.78
************************