RISKS-LIST: Risks-Forum Digest Saturday 27 April 2024 Volume 34 : Issue 21
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as <http://catless.ncl.ac.uk/Risks/34.21> The current issue can also be found at <http://www.csl.sri.com/users/risko/risks.txt> Contents: AI deepfakes threaten to upend global elections. No one can stop them. (WashPost) Tesla's Autopilot and Full Self-Driving linked to hundreds of crashes, dozens of deaths (The Verge) Cisco Says Hackers Subverted Its Security Devices to Spy on Governments (Reuters) Hackers Use Developing Countries as Testing Ground for New Ransomware Attacks (Ellesheva Kissin) 9 Disturbing Stories From People Who Say They Found Cameras in Their Airbnb (Gizmodo) Millions of IPs remain infected by USB worm years after its creators left it for dead (ArsTechnica) Chinese Firm Is America's Favorite Drone Maker, Except in Washington (NYTimes) Stop Using Your Face or Thumb to Unlock Your Phone (Gizmodo) How Google's SGE Could Destroy the Internet (Lauren Weinstein) FTC questions Amazon's use of disappearing messages on Signal (WashPost) FTC says Amazon executives destroyed potential evidence by using apps like Signal (The Verge) Tech brands are forcing AI into your gadgets, whether you asked for it or not (ArsTechnica) Health insurance giant Kaiser will notify millions of a data breach after sharing patients’ data with advertisers (TechCrunch) Chaturbate Owes Texas $675,000 for Not Verifying the Age of Users (Gizmodo) Android TV has access to your entire account, but Google is changing that (ArsTechnica) Health insurance giant Kaiser will notify millions of a data breach after sharing patients’ data with advertisers (TechCrunch) We're always fighting the last war (Henry Baker) Prescient Fiction: 'Forbidden Planet' & 21st C. AI (Henry Baker) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Sat, 27 Apr 2024 8:37:31 PDT From: Peter Neumann <neum...@csl.sri.com> Subject: AI deepfakes threaten to upend global elections. No one can stop them. (WashPost) Pranshu Verma and Cat Zakrzewski, *The Washington Post* Elections from India to Europe have been assailed by AI deepfakes that spread quickly and are no longer easy to debunk -- leaving voters vulnerable. https://www.washingtonpost.com/technology/2024/04/23/ai-deepfake-election-2024-us-india/ ------------------------------ Date: Fri, 26 Apr 2024 19:31:09 -0400 From: Monty Solomon <mo...@roscom.com> Subject: Tesla's Autopilot and Full Self-Driving linked to hundreds of crashes, dozens of deaths (The Verge) https://www.theverge.com/2024/4/26/24141361/tesla-autopilot-fsd-nhtsa-investigation-report-crash-death In March 2023, a North Carolina student was stepping off a school bus when he was struck by a Tesla Model Y traveling at “highway speeds,” according to a federal investigation that published today. The Tesla driver was using Autopilot, the automaker’s advanced driver-assist feature that Elon Musk insists will eventually lead to fully autonomous cars. The 17-year-old student who was struck was transported to a hospital by helicopter with life-threatening injuries. But what the investigation found after examining hundreds of similar crashes was a pattern of driver inattention, combined with the shortcomings of Tesla’s technology, resulting in hundreds of injuries and dozens of deaths. Drivers using Autopilot or the system’s more advanced sibling, Full Self-Driving, “were not sufficiently engaged in the driving task,” and Tesla’s technology “did not adequately ensure that drivers maintained their attention on the driving task,” NHTSA concluded. ------------------------------ Date: Fri, 26 Apr 2024 11:40:26 -0400 (EDT) From: ACM TechNews <technews-edi...@acm.org> Subject: Cisco Says Hackers Subverted Its Security Devices to Spy on Governments (Reuters) Raphael Satter, *Reuters*, 24 Apr 2024, via ACN TechNews Cisco Systems on Wednesday said that hackers have subverted some of its digital security devices to break into government networks globally. In a blog post, Cisco said its Adaptive Security Appliances had previously unknown vulnerabilities that had been exploited by a group of hackers they dubbed "UAT4356." The company described the group as a "sophisticated state-sponsored actor." Cisco said the vulnerabilities have been patched. ------------------------------ Date: Fri, 26 Apr 2024 11:40:26 -0400 (EDT) From: ACM TechNews <technews-edi...@acm.org> Subject: Hackers Use Developing Countries as Testing Ground for New Ransomware Attacks (Ellesheva Kissin) Ellesheva Kissin, *Financial Times*, 24 Apr 2024, via ACN TechNews Cybersecurity firm Performanta reported that businesses in Africa, Asia, and South America increasingly are being used by hackers as testing grounds for their latest ransomware before they turn to higher-value targets in North America and Europe. Recent dry runs in developing countries focused on a Senegalese bank, a Chilean financial services company, a Colombian tax firm, and a government economic agency in Argentina. ------------------------------ Date: Fri, 26 Apr 2024 19:47:27 -0400 From: Monty Solomon <mo...@roscom.com> Subject: 9 Disturbing Stories From People Who Say They Found Cameras in Their Airbnb (Gizmodo) https://gizmodo.com/airbnb-hidden-cameras-shocking-stories-bedroom-night-1851433108 Airbnb announced in March that all indoor security cameras would be banned at its properties worldwide starting April 30. And if you read through online complaints about cameras that were discovered during Airbnb stays over the years, it’s easy to understand why it’s been such a controversial issue. Gizmodo filed a Freedom of Information Act request with the FTC for any consumer complaints filed about Airbnb that involved cameras. Some of the complaints are fairly mundane, and simply mention how cameras may have been used to prove things that break the rules at Airbnb properties. But others are pretty horrifying and involve hidden cameras in places where people expect privacy. ------------------------------ Date: Fri, 26 Apr 2024 19:57:18 -0400 From: Monty Solomon <mo...@roscom.com> Subject: Millions of IPs remain infected by USB worm years after its creators left it for dead (ArsTechnica) https://arstechnica.com/?p=2020055 ------------------------------ Date: Fri, 26 Apr 2024 11:40:26 -0400 (EDT) From: ACM TechNews <technews-edi...@acm.org> Subject: Chinese Firm Is America's Favorite Drone Maker, Except in Washington (NYTimes) Kate Kelly and Julian E. Barnes. *The New York Times*, 25 Apr 2024, via ACN TechNews The Countering CCP Drones Act, under consideration by the U.S. Congress, would threaten the commercial business of DJI, a Chinese drone manufacturer that dominates sales among U.S. law enforcement agencies and hobbyists. The legislation would put the company on a Federal Communications Commission roster that would prevent it from running on U.S. communications infrastructure. Researchers found vulnerabilities in an app that controls DJI's drones could be used to access personal data (a U.S. official said all known vulnerabilities currently have been patched). ------------------------------ Date: Fri, 26 Apr 2024 19:47:58 -0400 From: Monty Solomon <mo...@roscom.com> Subject: Stop Using Your Face or Thumb to Unlock Your Phone (Gizmodo) Last week, the 9th Circuit Court of Appeals in California released a ruling that concluded state highway police were acting lawfully when they forcibly unlocked a suspect's phone using their fingerprint. You probably didn’t hear about it. The case didn’t get a lot of coverage, especially because the courts weren’t giving a blanket green light for every cop to shove your thumb to your screen during an arrest. But it’s another toll of the warning bell that reminds you to not trust biometrics to keep your phone’s sensitive info private. In many cases, especially if you think you might interact with the police (at a protest, for example), you should seriously consider turning off biometrics on your phone entirely. https://gizmodo.com/stop-using-your-face-or-thumb-to-unlock-your-phone-1851438205 ------------------------------ Date: Sat, 27 Apr 2024 09:26:18 -0700 From: Lauren Weinstein <lau...@vortex.com> Subject: How Google's SGE Could Destroy the Internet (Lauren Weinstein) Google's LLM AI SGE ("Search Generative Experience") could effectively destroy the Internet for all but the largest sites -- the same Internet that #Google so effectively helped to build. This is becoming clear as SGE rolls out to most users, with SGE "answers" now appearing on a vast number of Google queries. Leaving aside the serious questions around the accuracy of such responses and everything associated with that, the mere presence of the responses could be devastating to most sites. These SGE answers are frequently verbose and can take up much of the entire first screen -- or more -- of the results pages. This means you may have to scroll down to even FIND the first organic "blue link" results. Devastating. To be clear, many of the SGE responses are themselves showing links to the answers' source materials (e.g., in colored boxes) -- but the obvious question is, why the hell would most users bother to click on those links once they already have the answers that Google's LLM has provided, based on the information that Google sucked without compensation into their LLM from those sites? It's impossible to imagine that click through rates to those sites won't be crushed. Google executives appear to be thrilled with how well this is going -- FOR THEM. For the sites providing the data that is now powering Google's SGE encroaching, destructive storm, it's likely going to be a disaster, unless Google and other AI firms make major changes in their deployment models -- whether voluntarily or under the force of new regulatory models. -L ------------------------------ Date: Fri, 26 Apr 2024 14:44:21 PDT From: Peter Neumann <neum...@csl.sri.com> Subject: FTC questions Amazon's use of disappearing messages on Signal (WashPost) *The Washington Post*, 26 Apr 2026 https://www.washingtonpost.com/technology/2024/04/26/amazon-ftc-messages-de=ted-bezos/ The Federal Trade Commission is accusing Amazon founder Jeff Bezos and other top company executives of using disappearing messaging apps such as Signal to conceal potential evidence in the agency's ongoing antitrust case against the e-commerce behemoth. ``For years, Amazon's top executives, including founder and former CEO Jeff Bezos, discuss[ed] sensitive business matters, including antitrust, over the Signal encrypted-messaging app instead of email,'' the FTC alleged in a document filed Thursday evening. ``These executives turned on Signal's *disappearing message* feature, which irrevocably destroys messages, even after Amazon was on notice that Plaintiffs were investigating its conduct.'' The agency, which first accused Amazon of intentionally deleting messages in its original antitrust complaint last fall, is now asking a U.S. District Court judge to order the company to turn over documents related to its handling of data. It's the latest salvo in a landmark case in which the FTC is arguing that Amazon abused its dominance of e-commerce to squeeze merchants and bury rivals, leading to higher prices for Bezos owns The Washington Post. ``The FTC's contentions are baseless,'' Amazon spokesman Tim Doyle said in a statement, responding to the filing alleging destruction of evidence. ``Amazon voluntarily disclosed employees' limited Signal use to the FTC years ago, thoroughly collected Signal conversations from its employees' phones, and allowed agency staff to inspect those conversations even when they had nothing to do with the FTC's investigation. The FTC has a complete picture of Amazon's decision-making in this case, including 1.7 million documents from sources like email, internal messaging applications, and laptops (among other sources), and over 100 terabytes of data.'' [..] ------------------------------ Date: Fri, 26 Apr 2024 19:32:39 -0400 From: Monty Solomon <mo...@roscom.com> Subject: FTC says Amazon executives destroyed potential evidence by using apps like Signal (The Verge) https://www.theverge.com/2024/4/26/24141801/ftc-amazon-antitrust-signal-ephemeral-messaging-evidence ------------------------------ Date: Fri, 26 Apr 2024 19:54:32 -0400 From: Monty Solomon <mo...@roscom.com> Subject: Tech brands are forcing AI into your gadgets, whether you asked for it or not (ArsTechnica) https://arstechnica.com/gadgets/2024/04/ai-marketing-hype-is-coming-for-your-favorite-gadgets ------------------------------ Date: Fri, 26 Apr 2024 19:43:32 -0400 From: "Monty Solomon" <mo...@roscom.com> Subject: Health insurance giant Kaiser will notify millions of a data breach after sharing patients’ data with advertisers (TechCrunch) https://techcrunch.com/2024/04/25/kaiser-permanente-health-plan-million s-data-breach/ ------------------------------ Date: Fri, 26 Apr 2024 19:45:49 -0400 From: Monty Solomon <mo...@roscom.com> Subject: Chaturbate Owes Texas $675,000 for Not Verifying the Age of Users (Gizmodo) https://gizmodo.com/chaturbate-porn-age-verification-law-ken-paxton-pornhub-1851439770 ------------------------------ Date: Fri, 26 Apr 2024 19:51:57 -0400 From: Monty Solomon <mo...@roscom.com> Subject: Android TV has access to your entire account, but Google is changing that (ArsTechnica) https://arstechnica.com/?p=2020252 ------------------------------ Date: Fri, 26 Apr 2024 19:43:32 -0400 From: "Monty Solomon" <mo...@roscom.com> Subject: Health insurance giant Kaiser will notify millions of a data breach after sharing patients’ data with advertisers https://techcrunch.com/2024/04/25/kaiser-permanente-health-plan-million s-data-breach/ ------------------------------ Date: Sat, 27 Apr 2024 03:34:57 +0000 From: "Henry Baker" <hbak...@pipeline.com> Subject: We're always fighting the last war The first few minutes of the Pearl Harbor attack which caused the U.S. entry into WWII sadly proved Billy Mitchell 100% correct. The good news re Dec. 7th -- if there was any -- was that no U.S. aircraft carriers were in Pearl Harbor that day. Ditto with the 'Millennium Challenge 2002' wargames, in which essentially the entire U.S. Mediterranean fleet was 'virtually' sunk within days using 'asymmetric warfare'. Ditto with 'cheap drones' in the current Ukraine war; they have rebalanced the battle between infantry -- now equipped with cheap drones for surveillance and attack -- and tanks -- a balance which has existed for a century since the battle tank appeared near the end of WWI. Cheap drones put into serious question most -- if not almost all -- of the 'prevailing wisdom' re strategy/tactics/weapons of modern warfare. These put big '?' marks next to *every* 'big ticket' asset in modern warfare -- from $billion ships/aircraft carriers, to $100m fighters, to $10m battle tanks, to $billion spy satellites. In chess terminology, coordinated pawns beat rare expensive bishops, rooks, and queens. https://nationalinterest.org/blog/reboot/exact-day-navy-battleships-became-obsolete-clear-209558 "In 1921, General Billy Mitchell, a vocal advocate of airpower, staged a controversial exercise sinking obsolete battleship with bombers. This foreshadowed the dominance of aircraft carriers in World War II despite Mitchell's goal of a separate air force. The Navy initially dismissed his claims, but the sinking of the 'unsinkable' German battleship Ostfriesland proved the vulnerability of battleships." "Mitchell believed that aviation -- which could respond to both air and naval threats -- much better suited to protecting the country's coastline than battleships. Mitchell was fond of stating that a thousand bombers could be purchased for the cost of a single battleship, and told a House subcommittee that properly equipped, an Air Service could sink any battleship in existence." https://www.msn.com/en-us/news/world/ar-AA1nIxGp "Cheap Russian drones overwhelm US-made Abrams tanks, taken out of action" "Ukrainian forces are withdrawing US-provided Abrams M1A1 main battle tanks from the front lines after at least five have been destroyed by cheap Russian drones, according to the AP." "The failure of the Abrams to make a difference is a costly miscalculation. The export cost of an Abrams tank can be around $10mn, while Col. Markus Reisner, an Austrian military trainer who follows the weapons being used in Ukraine, told the Euromaidan Press that the Russian suicide drones being used to destroy them can be as cheap as $500 each (a ratio of 20,000:1)." https://en.wikipedia.org/wiki/Millennium_Challenge_2002 "In a preemptive strike, Red launched a massive salvo of cruise missiles that overwhelmed the Blue forces' electronic sensors and destroyed sixteen warships: one aircraft carrier, ten cruisers and five of Blue's six amphibious ships. An equivalent success in a real conflict would have resulted in the deaths of over 20,000 service personnel. Soon after the cruise missile offensive, another significant portion of Blue's navy was "sunk" by an armada of small Red boats, which carried out both conventional and suicide attacks that capitalized on Blue's inability to detect them as well as expected." https://www.theguardian.com/world/2002/sep/06/usa.iraq "In the first few days of the [Millennium Challenge] exercise, using surprise and unorthodox tactics, the wily 64-year-old Vietnam veteran sank most of the US expeditionary fleet in the Persian Gulf, bringing the US assault to a halt." ------------------------------ Date: Fri, 26 Apr 2024 00:44:55 +0000 From: Henry Baker <hbak...@pipeline.com> Subject: Prescient Fiction: 'Forbidden Planet' & 21st C. AI All of the recent discussions of the risks of AI bring to mind the incredibly prescient movie (& radio play) 'Forbidden Planet': https://en.wikipedia.org/wiki/Forbidden_Planet In addition to being a pretty decent takeoff on Shakespeare's 'The Tempest', the movie version of 'Forbidden Planet' introduces us to talking robots (now almost passe !), and incredibly power- hungry planet-sized data centers capable of turning human thoughts into reality. Amazingly, this 1956 movie still holds up for modern viewers, thanks to the supplanting of typical cheesy 1950's scifi effects in favor of laserlike animations and electronic music. The risks of AI, according to this movie: be very careful what you wish for, because an AI with access to planet-sized energy capabilities can fulfill even your worst nightmare. Your choice: watch it again (safely) in movie form, or watch it play out in real life. BTW, I listened as a young boy to a radio serial version of Forbidden Planet during the summer of either 1955 or 1956; but after extensive Google searching, I have been unable to find a reference to this radio play version. I know exactly where I was while listening to it on my grandmother's huge radio with quite decent fidelity; perhaps someone else here also heard it at the same time? ------------------------------ Date: Sat, 28 Oct 2023 11:11:11 -0800 From: risks-requ...@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: <risksinfo.html>. *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's delightfully searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: <http://www.acm.org/joinacm1> ------------------------------ End of RISKS-FORUM Digest 34.21 ************************