RISKS-LIST: Risks-Forum Digest  Thursday 15 February 2024  Volume 34 : Issue 07

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.0xy>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Waymo recalls software after two self-driving cars hit the same truck (CNN)
Tesla's latest screwup involves making the font size of its braking system
 too small (The Verge)
OpenAI Gives ChatGPT a Memory (WiReD)
Imran Khan's 'Victory Speech' from Jail Shows AI's Peril, Promise
 (Yan Zhuang)
Threats to Election Systems Prompt U.S. Cybersecurity Agency
 to Boost Cooperation with States (Christina A. Cassidy)
Odometers: A voting machine analogue (Jeremy Epstein)
Spying on Security Cameras Through Walls (Rizwan Choudhury)
Cryptography-Breaking Algorithm Upgraded (Madison Goldberg)
How a 27-Year-Old Codebreaker Busted the Myth of Bitcoin's Anonymity (WiReD)
Anxiety, Mood Swings and Sleepless Nights: Life Near a Bitcoin Mine
 (NYTimes via Jan Wolitzky)
Amazon Prime Video Ad Tier Sparks Class Action Lawsuit From Subscribers
 (Hollywood Reporter)
Noname Storage Devices are not always what they seem (ArsTechnica)
Mozilla lays off 60 people, wants to build AI into Firefox (ArsTechnica)
Robocalls, ringless voicemails and AI: Real estate enters the age of
 automation (LA Times)
Uber Fined Almost $11 Million by Dutch Privacy Watchdog (WSJ)
Automatic braking systems don't work at typical speeds?
 (Steve Bacher on LA Times coverage)
Chrome devs working on automatic micropayments to websites without
 user interactions directly from wallets (The Register)
Small outtakes from a big war, part 4: The end of GPS (Amos Shapir)
Canada declares Flipper Zero public enemy No. 1 in
 car-theft crackdown (ArsTechnica)
Google Scholar can be manipulated (arxiv via LW)
Google's and Microsoft's chatbots are making up Super Bowl stats
 (TechCrunch)
There's a hole in the boot, part deux (Cliff Kilby)
Amazon hides cheaper items with faster delivery, lawsuit alleges
 (ArsTechnica)
Russia Is Using Elon Musk’s Starlink at the Front Line, Ukraine Says
 (WSJ)
Tech giants prepare pledge to fight deceptive AI election content (Politico)
Help! His HP Envy doesn't work. Can he get a replacement or a refund?
 (Gabe Goldberg)
Re: Why the 737 MAX 9 door plug blew out (Henry Baker)
The Friar Who Became the Vatican's Go-To Guy on AI (NYTimes)
Why Bloat Is Still Software’s Biggest Vulnerability (Steve Bacher)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 14 Feb 2024 16:11:51 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Waymo recalls software after two self-driving cars hit
 the same truck (CNN)

https://www.cnn.com/2024/02/14/business/waymo-recalls-software-after-two-self-driving-cars-hit-the-same-truck/index.html

  [Redundancy is supposed to be constructive!  PGN]

------------------------------

Date: Fri, 2 Feb 2024 18:40:07 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Tesla's latest screwup involves making the font size
 of its braking system too small (The Verge)

https://www.theverge.com/2024/2/2/24059114/tesla-recall-brake-system-font-size-power-steering

------------------------------

Date: Tue, 13 Feb 2024 20:21:54 PST
From: "Peter G. Neumann" <neum...@csl.sri.com>
Subject: OpenAI Gives ChatGPT a Memory (WiReD)

  [Give it a memory so it will remember its previous
  misrepresentations, and repeat them???  PGN]

https://www.wired.com/story/chatgpt-memory-openai/

ChatGPT is now like a first date who never forgets the details.

------------------------------

Date: Wed, 14 Feb 2024 11:19:18 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Imran Khan's 'Victory Speech' from Jail Shows AI's Peril, Promise
 (Yan Zhuang)

Yan Zhuang, *The New York Times*, 11 Feb 2024

Despite being imprisoned, former Pakistan Prime Minister Imran Khan has
garnered support for his political party using AI. Khan's AI-generated voice
was used to make a victory speech on Feb. 10, stating that his party,
Pakistan Tehreek-e-Insaf, won the most seats in the general election. The
speech, which featured a disclaimer about the use of AI, rejected the
victory claim of Khan's rival and called on supporters to defend the
election's results.

------------------------------

Date: Wed, 14 Feb 2024 11:19:18 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Threats to Election Systems Prompt U.S. Cybersecurity Agency
 to Boost Cooperation with States (Christina A. Cassidy)

Christina A. Cassidy, *Associated Press*, 8 Feb 2024

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) is rolling
out a program to help state and local election officials enhance election
security. The agency hired 10 new people for the program, each with
significant election experience, who will be placed at various locations
nationwide to work alongside staff already performing cyber and physical
security reviews as requested by election offices.

------------------------------

Date: Tue, 13 Feb 2024 10:19:42 -0500
From: Jeremy Epstein <jeremy.j.epst...@gmail.com>
Subject: Odometers: A voting machine analogue

I had a conversation with someone this morning about electronic
odometers in modern cars.  If you recall, they were mandated because
the old (mechanical) odometers were being rolled back, allowing used
cars to be sold for higher prices.

Maybe others were aware, but electronic odometers are now rolled
back. If you go to eBay, "odometer correction tools" for ~$300 can
make whatever adjustments you want.  They're not subtle -- on one I
looked at, it shows the before and after odometer reading, subtracting
off 40,000 kilometers.  (I don't know if the devices are illegal in
the US, or just the act of changing the odometer.) Carfax claims that
rollbacks are up significantly in the past few years (*).  I'd imagine
they have some incentive to detect manipulations, since they could
get sued by the consumer (or state) if they sell vehicles with
tampered odometers.

Anyway, the motivation for moving from paper to [particularly
unauditable] DREs 25 years ago was (in part) to reduce ballot fraud,
and we know how that went.  I'm not predicting a return to mechanical
odometers the way we've returned to paper ballots, but I found it an
interesting analogue.  Moving to electronic systems doesn't always
have the expected result!

(*) https://www.carfax.com/press/resources/odometer

  [This item is repurposed with permission from a list devoted to
  trustworthy elections.  However, this bit of wisdom also applies to
  the audit trails for security, reliability, and trustworthiness
  monitoring if they can be surreptitiously altered.  PGN]

------------------------------

Date: Wed, 14 Feb 2024 11:19:18 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Spying on Security Cameras Through Walls (Rizwan Choudhury)

Rizwan Choudhury, *Interesting Engineering*, 11 Feb 2024

Northeastern University researchers have developed a way to access video
feeds from home security, dashboard, and smartphone cameras through
walls. The EM Eye technique detects electromagnetic radiation emitted by the
cameras' wires using a radio antenna, decodes the signal, and uses machine
learning to reproduce real-time video without sound at a similar quality as
the original. A test on 12 different types of cameras revealed that,
depending on the model, EM Eye could successfully eavesdrop within a range
of up to 16 feet.

------------------------------

Date: Wed, 14 Feb 2024 11:19:18 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Cryptography-Breaking Algorithm Upgraded (Madison Goldberg)

Madison Goldberg, *WiReD*, 11 Feb 2024

Cryptographers at the University of California, San Diego have developed a
more efficient LLL-style algorithm, based on the original lattice-based
cryptography-breaking algorithm released in 1982. The algorithm, named after
the researchers who published it -- Arjen Lenstra, Hendrik Lenstra Jr., and
László Lovász -- has also proven useful in advanced
mathematical arenas such as computational number theory. The new algorithm
can break tasks down into smaller pieces and better balance speed and
accuracy.

------------------------------

Date: Fri, 9 Feb 2024 12:21:14 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: How a 27-Year-Old Codebreaker Busted the Myth
 of Bitcoin's Anonymity (WiReD)

Once, drug dealers and money launderers saw cryptocurrency as perfectly
untraceable. Then a grad student named Sarah Meiklejohn proved them all
wrong -- and set the stage for a decade-long crackdown.

https://www.wired.com/story/27-year-old-codebreaker-busted-myth-bitcoins-anonymity

------------------------------

Date: Sat, 3 Feb 2024 14:28:50 -0500
From: Jan Wolitzky <jan.wolit...@gmail.com>
Subject: Anxiety, Mood Swings and Sleepless Nights: Life Near a Bitcoin Mine
 (NYTimes)

On a sweltering July evening, the din from thousands of computers mining for
Bitcoins pierced the night. Nearby, Matt Brown, a member of the Arkansas
legislature, monitored the noise alongside a local magistrate.

As the two men investigated complaints about the operation, Mr. Brown said,
a security guard for the mine loaded rounds into an AR-15-style assault
rifle that had been stored in a car.

``He wanted to make sure that we knew he had his gun -- that we knew it was
loaded,'' Mr. Brown, a Republican, said in an interview.

The Bitcoin outfit here, 45 minutes north of Little Rock, is one of three
sites in Arkansas owned by a network of companies embroiled in tense
disputes with residents, who say the noise generated by computers performing
trillions of calculations per second ruins lives, lowers property values,
and drives away wildlife.

https://www.nytimes.com/2024/02/03/us/bitcoin-arkansas-noise-pollution.html

------------------------------

Date: Tue, 13 Feb 2024 10:48:42 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Amazon Prime Video Ad Tier Sparks Class Action Lawsuit From
 Subscribers (Hollywood Reporter)

The lawsuit takes aim at the ecommerce giant turning on ads for Prime Video
users and charging them an additional fee for its ad-free tier.

https://www.hollywoodreporter.com/business/business-news/amazon-prime-video-ad-tier-lawsuit-1235822779/

  [Also noted by Gary Goldberg.  PGN]

------------------------------

Date: Thu, 8 Feb 2024 08:30:03 -0500
From: Bob Gezelter <gezel...@rlgsc.com>
Subject: Noname Storage Devices are not always what they seem
 (ArsTechnica)

ArsTechnica reports that teardowns of unbranded USB memory devices have
revealed a fair number to include discarded parts and parts used in
inappropriate ways. This leads to failures and loss of data.

In the past, unbranded media has been a questionable practice. This report
should serve as a warning to carefully consider one's archival practices,
particularly when selecting external storage devices for long-term storage.

https://arstechnica.com/gadgets/2024/02/rejected-chips-hidden-microsd-cards-plague-the-usb-stick-market/

  [If you haven't seen it already, please check out this paper, describing
  how a USB-C stick can stick-it-to-you, taking over your entire system:

    Thunderclap: Exploiting Operating-System IOMMU Bypass Vulnerabilities
    with DMA from Malicious Peripherals, A. Theodore Markettos et al.,
    ICCD 2017.
    https://www.cl.cam.ac.uk/research/security/ctsrd/pdfs/201711-iccd2017-efficient-tags.pdf
    https://www.repository.cam.ac.uk/handle/1810/288484
    http://www.thunderclap.io

  PGN]

------------------------------

Date: Wed, 14 Feb 2024 12:53:45 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Mozilla lays off 60 people, wants to build AI into Firefox
 (ArsTechnica)

Uh, no thanks -- There goes Firefox down the drain! -L

https://arstechnica.com/gadgets/2024/02/mozilla-lays-off-60-people-wants-to-build-ai-into-firefox/

------------------------------

Date: Wed, 14 Feb 2024 06:56:46 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: Robocalls, ringless voicemails and AI: Real estate enters the age
 of automation (LA Times)

https://www.latimes.com/california/story/2024-02-14/robocalls-ringless-voicemails-and-ai-real-estate-enters-the-age-of-automation

------------------------------

Date: Thu, 1 Feb 2024 02:45:15 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Uber Fined Almost $11 Million by Dutch Privacy Watchdog (WSJ)

Ride-hailing company made it difficult for drivers to access their
information and failed to sufficiently disclose its data practices,
regulator says

https://www.wsj.com/articles/uber-fined-almost-11-million-by-dutch-privacy-watchdog-ddd57a80

------------------------------

Date: Sat, 10 Feb 2024 09:42:43 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: Automatic braking systems don't work at typical speeds?

This is from the LA Times coverage of the Rebecca Grossman hit-and-run
murder case:

https://www.latimes.com/california/story/2024-02-10/judge-declines-to-dismiss-murder-charges-against-rebecca-grossman-as-prosecution-rests

Excerpts:

Prosecutors rested their case with a retired California Highway Patrol
officer turned crash expert, John Grindey, who testified that Grossman *was
going so fast that her Mercedes safety system couldn't detect the two boys
in the crosswalk to automatically apply the brakes.*

Emphasizing the repeated prosecution theme of deadly speed, Grindey said
Grossman’s Mercedes 43 GLE approached the Triunfo Canyon Road crosswalk at
81 mph.

*“Over ... 44 mph, [the safety system] does not detect small children,”* he
told jurors.

  [Really?  These highly touted safety systems aren't effective enough to be
  relied upon?  "Over 44 mph" is well below the standard speed limit on
  American highways.]

------------------------------

Date: Wed, 14 Feb 2024 08:09:19 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Chrome devs working on automatic micropayments to websites without
 user interactions directly from wallets

What could possibly go wrong?

Oh yeah, count me OUT. -L

https://www.theregister.com/2024/02/13/google_micropayments_plan/

Also, scroll down for the comments on Slashdot:

https://tech.slashdot.org/story/24/02/13/2244212/chrome-engine-devs-experiment-with-automatic-browser-micropayments

------------------------------

Date: Wed, 14 Feb 2024 18:25:09 +0200
From: Amos Shapir <amos...@gmail.com>
Subject: Small outtakes from a big war, part 4: The end of GPS

Over the weekend I was hiking in northern Israel, using a free navigation
app.  Somewhere along the route, the app noted: "Distance to target: 144
km", so I asked it to show me where it thinks I was:  In the middle of an
airport.  Beirut airport.  At the end of the hike, it showed that I'd
walked 878 km -- 8 km actual hiking, plus 870 km of phantom-hiking 3 times
to Beirut and back.

It seems that on a few spots along the way, someone (or something) was
spoofing GPS, in order to deflect or confuse incoming GPS-guided missiles.
I don't know if that actually worked, but it's a fact that since the start
of the war, hundreds of rockets were fired across the border, but none of
them were the supposedly accurate long-range ones.

More serious apps like Waze and Google Maps did not fall for this trick,
and just marked those spots as temporary loss of GPS signal, but my Google
timeline still shows this visit to Beirut.

------------------------------

Date: Wed, 14 Feb 2024 00:55:39 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Canada declares Flipper Zero public enemy No. 1 in
 car-theft crackdown

https://arstechnica.com/?p=2002579

  [Also noted by Gary Goldberg and Lauren Weinstein,
  who suggests that banning such a device is useless.  It's all
  open source. -L
  https://arstechnica.com/security/2024/02/canada-vows-to-ban-flipper-zero-device-in-crackdown-on-car-theft/
  PGN]

------------------------------

Date: Thu, 8 Feb 2024 10:39:28 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Google Scholar can be manipulated

https://arxiv.org/abs/2402.04607

------------------------------

Date: Sun, 11 Feb 2024 16:57:03 -0800
From: Lauren Weinstein <lau...@vortex.com>
Subject: Google's and Microsoft's chatbots are making up Super Bowl stats
 (TechCrunch)

https://techcrunch.com/2024/02/11/googles-and-microsofts-chatbots-are-making-up-super-bowl-stats/

------------------------------

Date: Tue, 6 Feb 2024 23:57:59 -0500
From: Cliff Kilby <cliffjki...@gmail.com>
Subject: There's a hole in the boot (part deux)

Everyone recall boothole?
https://eclypsium.com/research/theres-a-hole-in-the-boot/#breaking

yadda yadda buffer overflow, yadda malicious bootloader...cue massive UEFI
patch and dbx update scramble.

It's back.

Similar root cause, buffer overflow, different vector. This one's in
netbooting (i/PXE).

https://eclypsium.com/blog/the-real-shim-shady-how-cve-2023-40547-impacts-most-linux-systems/

This one isn't as concerning though. Certainly no system is in place that
sources boot images outside of your local datacenter. Right?

------------------------------

Date: Wed, 14 Feb 2024 00:54:09 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Amazon hides cheaper items with faster delivery, lawsuit alleges
 (ArsTechnica)

https://arstechnica.com/?p=2002777

------------------------------

Date: Sun, 11 Feb 2024 12:46:35 -0500
From: Monty Solomon <mo...@roscom.com>
Subject: Russia Is Using Elon Musk’s Starlink at the Front Line, Ukraine
 Says

Russian access to satellite Internet system would negate a major battlefield
advantage for Kyiv.

https://www.wsj.com/world/russia-using-musks-starlink-at-the-front-line-ukraine-says-516701f0

------------------------------

Date: Tue, 13 Feb 2024 9:34:12 PST
From: Peter Neumann <neum...@csl.sri.com>
Subject: Tech giants prepare pledge to fight deceptive AI
 election content (Politico)

Océane Herrero, Gian Volpicelli, Antoaneta Roussi
Politico, 13 Feb 2024

Technology giants are planning a new industry accord to fight back
against deceptive AI artificial intelligence election content that is
threatening the integrity of major democratic elections across the
world this year.

A draft Tech Accord, seen by POLITICO, showed technology companies want to
work together to create tools like watermarks and detection techniques to
spot, label and debunk deepfake AI-manipulated images and audio of public
figures. The pledge also includes commitments to open up more about how the
firms are fighting AI-generated disinformation on their platforms.

``We affirm that the protection of electoral integrity and public trust is a
shared responsibility and a common good that transcends partisan interests
and national borders.''

The text, which is a draft and could still change, is planned to be
presented when political and security leaders gather at the Munich Security
Conference starting Friday. The conference has seen tech firms take up
increasing attention and space throughout the years, as threats like
informational warfare and cyberattacks have risen.

The draft Tech Accord has the backing of technology giants Microsoft, Google
and Facebook and Instagram owner Meta, according to four people with
knowledge of the process, granted anonymity because discussions were
ongoing. Three of the people said TikTok, OpenAI and Adobe are also planning
to sign.  Other companies are likely to join the initiative still.

Meta confirmed to POLITICO it was part of the accord, adding that Adobe,
Google, LinkedIn, Microsoft, OpenAI and TikTok would also join.

Google and OpenAI did not respond to a request for comment in time for
publication. Microsoft declined to comment.

A report
<https://securityconference.org/en/publications/munich-security-report-2024/>
by the Munich Security Conference organizers, presented Monday, showed how
fears around artificial intelligence had shot up in the past year in major
global economies, especially in Italy, France and Brazil.

Tools to fight the deepfake flood

Tech firms are under pressure from governments including the European Union
to get a grip on the problem of AI-generated deepfakes and misleading
material. Several firms, including OpenAI and Meta, have said they will
start labeling deepfakes in the coming months.

Political deepfakes have already popped up in the United States, Poland and
the United Kingdom, among many other countries. Most recently, the U.S. was
rocked by a robocall impersonating President Joe Biden, raising fears over
the tech's impact on the country's politics.

The European Union's Artificial Intelligence Act would require all
AI-generated content to be clearly labeled as such; the bloc is also using
its Digital Services Act to force the tech industry to curb deepfakes.

The draft accord floated ideas including developing detection technology,
open standards-based identifiers for deepfake content and watermarks
using the standards C2PA and SynthID, which are existing initiatives that
involve Microsoft, Google and a wide range of other tech firms.

But it added technical tools like metadata, watermarking, classifiers, or
other forms of provenance or detection techniques can't fully mitigate the
risks of AI, suggesting that the initiative would need the support of
governments and other organizations to raise public awareness on the issue
of deepfakes.

Others in the technology industry criticized the initiative because it would
divert attention from keeping tech companies in check with regulation and
oversight.

Democracies are ``well past the era where we can trust companies to self
regulate,'' Meredith Whittaker, co-founder of the AI Now Institute, who saw
a draft of the document last week, told POLITICO.  ``Deepfake doesn't really
matter unless you have a platform you can disseminate it on,'' arguing the
pledge failed to address issues with how social media platforms and
advertising models are used to target certain voters.

------------------------------

Date: Fri, 9 Feb 2024 12:28:16 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Help! His HP Envy doesn't work. Can he get a replacement
 or a refund?

(NOT MY) Question to consumer advocate:

I recently had a very, very painful experience when I bought an HP Envy x360
2-in-1 laptop. I received it a few months ago, and the product was
defective.

The touch screen did not work. I wasted 40 hours on the phone with HP tech
support but could not get a replacement screen. I finally sent it back to HP
for a repair.

HP recently told me that it couldn't get a replacement screen because it
discontinued the laptop. I asked the company to send me a similar product,
the HP Spectre x360 2-in-1 laptop,  or refund the $1,434 I spent. But HP
denied the exchange and refused me a full refund (it said I could not get
the sales taxes back).

I’d like HP to replace my broken laptop with one of equal or better value or
send me a full $1,434 refund. Can you help?

https://www.elliott.org/problem-solved/help-my-hp-envy-doesnt-work-can-i-get-a-replacement-or-a-refund/

  [In RISKS, we generally do not run second-hand disgruntlements in which
  there would seem to be no likelihood of an end -- happy or otherwise -- to
  the story.  But this type of problem appears to be becoming more prevalent.
  PGN]

------------------------------

Date: Tue, 13 Feb 2024 03:20:44 +0000
From: Henry Baker <hbak...@pipeline.com>
Subject: Re: Why the 737 MAX 9 door plug blew out

Perhaps I'm incredibly naive, but it sounds to me that the 737 MAX 9 would
be *safer* if the 'door plug' were replaced by an *actual door* !

An actual door can be seen and monitored; checked, whereas the 'door plug'
(aka 'fake door') is painted over and ignored.

There's a long history in the computer community of 'unintended/unexpected'
*'upgrades'* -- e.g., pulling a wire 'upgrades' a computer to higher
performance, dormant code that was never intended for execution suddenly
becomes a platform for exploitation, etc.  Sometimes excess 'optionality'
has overwhelming costs...

------------------------------

Date: Sat, 10 Feb 2024 20:54:47 -0500
From: Jan Wolitzky <jan.wolit...@gmail.com>
Subject: The Friar Who Became the Vatican's Go-To Guy on AI (NYTimes)

Paolo Benanti advises the Roman Catholic Church and the Italian government
on the tricky questions, moral and otherwise, raised by the rapidly
advancing technology.

https://www.nytimes.com/2024/02/09/world/europe/italy-artificial-intelligence-ethics.html?unlocked_article_code=1.Uk0.sIKe.loHOSAschYr4&smid=url-share

  (But who advises them on the semiconductors needed to implement that AI?
  Why, he's the Chip Monk.)

------------------------------

Date: Sat, 10 Feb 2024 09:46:56 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: Why Bloat Is Still Software’s Biggest Vulnerability

    A 2024 plea for lean software
    Bert Hubert <https://spectrum.ieee.org/u/bert_hubert> writes:

    This post is dedicated to the memory of Niklaus Wirth
    <https://ethz.ch/en/news-and-events/eth-news/news/2024/01/computer-pioneer-niklaus-wirth-has-died.html>,
    computing pioneer who passed away 1 January 2024. In 1995 he wrote an
    influential article called "A Plea for Lean Software"
    <https://cr.yp.to/bib/1995/wirth.pdf>, published in Computer
    <https://ieeexplore.ieee.org/document/348001>, the magazine for members
    of the IEEE Computer Society, which I read early in my career as an
    entrepreneur and software developer. In what follows, I try to make the
    same case nearly 30 years later, updated for today's computing
    horrors. A version of this post was originally published
    <https://berthub.eu/articles/posts/a-2024-plea-for-lean-software/> on my
    personal blog, Berthub.eu <http://berthub.eu>.

      [Niklaus was a legend.  But the Bloat Still Rocks! and Leans.  PGN]

    [Steve, The article is a bit wonky, for example:

      Software is now (rightfully) considered so dangerous that we tell
      everyone not to run it themselves. Instead, you are supposed to leave
      that to [?] a service provider, or perhaps just to the cloud.  Compare
      this to a hypothetical situation where cars are so likely to catch
      fire that the advice is not to drive a car yourself, but to leave that
      to professionals who are always accompanied by professional
      firefighters.

      The assumption is then that the cloud is somehow able to make insecure
      software trustworthy. Yet in the past year, we've learned that
      Microsoft's email platform was thoroughly hacked
      <https://thehackernews.com/2023/09/outlook-breach-microsoft-reveals-how.html>,
      including classified government email.  (Twice!
      <https://metacurity.substack.com/p/russian-hacking-group-midnight-blizzard>)
      There are also well-founded worries about the security of the Azure
      cloud
      <https://www.lastweekinaws.com/blog/azures-terrible-security-posture-comes-home-to-roost/>.
      Meanwhile, industry darling Okta, which provides cloud-based software
      that enables user log-in to various applications, got comprehensively
      owned
      <https://www.reuters.com/technology/cybersecurity/okta-says-hackers-stole-data-all-customer-support-users-cyber-breach-2023-11-29/>.
      This was their second breach within two years. Also, there was a
      suspicious spate of Okta users subsequently getting hacked.
    PGN]

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.07
************************