Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.03

RISKS-LIST: Risks-Forum Digest  Saturday 13 January 2024  Volume 34 : Issue 03

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****

This issue is archived at as
The current issue can also be found at

  Contents:
Alaska cockpit recording overwritten; limited to 2hrs (Reuters via Henry Baker)
United finds loose bolts on plug doors during 737 Max 9 inspections (The Air Current)
Security of Georgia's Dominion Voting Machines on Trial (CBS)
Linux devices are under attack by a never-before-seen worm (ArsTechnica)
OpenAI Quietly Deletes Ban on Using ChatGPT for Military and Warfare (The Intercept)
Pennsylvania government workers will start using ChatGPT in test program (The Verge)
AI firms' pledges to defend customers from IP issues have real limits (ArsTechnica)
Microsoft's Image Creator makes violent AI images of Biden, the Pope and more (The Washington Post)
CLEAR wants to scan your face at airports. Privacy experts are worried. (The Washington Post)
Advances in Mind-Decoding Technologies Raise Hopes -- and Worries (Undark)
More Police Are Using Your Cameras for Video Evidence (The Marshall Project)
UK Post Office Horizon scandal now on TV (Jeremy Epstein)
How Astronomers Are Saving Astronomy From Satellites -- For Now (NYTimes)
U.S. School Shooter Emergency Plans Exposed in a Highly Sensitive Database Leak (WiReD)
FTC bans major data broker from selling invasive location tracking details (The Verge)
U.S. Criminally Charges EBay in Cyberstalking Case (NYTimes)
Needham police warn residents to stop using mail collection boxes (The Globe)
AI fears creep into finance, business and law (WashPost)
Google is removing 17 'underutilized' Assistant features (TechCrunch)
Bitcoin ETF ads have already begun. (Lauren Weinstein)
Courts Forced SEC Into This Disaster (Better Markets)
Taylor Swift deepfake used for Le Creuset giveaway scam (Engadget)
Hackers can infect network-connected wrenches to install ransomware (ArsTechnica)
Apple was warned of AirDrop flaws before China's hack (Monty Solomon)
Re: The NY Subway crash and derailment (George Neville-Neil)
Re: How Tracking and Technology in Cars Is Being Weaponized by Abusive Partners (Steve Bacher)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 08 Jan 2024 21:24:55 +0000
From: Henry Baker
Subject: Alaska cockpit recording overwritten; limited to 2hrs

As of 2024, a 2-hour limit on voice recordings is disastrously silly.
Even without compression, 2 hours is only 2 audio CD's worth of data or
~1.4 GB. I normally fly with my cellphone and 60 GB's worth of podcasts
(equivalent to 1000 *hours* @ 1 MB/min MP3 rates), and I'm only one of
several hundred passengers on any given flight.

Indeed, an Apple iPhone with at least this data capacity *from this very
airplane* fell to the ground from 16,000' and was still working perfectly
-- the screen wasn't even cracked!

Perhaps voice recorders (or at least a USB stick/uSD card) should be
*ejected* from the airplanes which have an anomalous event?
https://www.reuters.com/business/aerospace-defense/alaska-737-cockpit-voice-recorder-data-erasure-renews-industry-safety-debate-2024-01-08/

  [Monty Solomon spotted a related article:
   Alaska Airlines flight: Cockpit audio is lost, and a mysterious warning
   light is investigated
   https://www.latimes.com/california/story/2024-01-07/alaska-flight-door-plug-cockpit-audio-erased-warning-lights
  PGN]

------------------------------

Date: Mon, 8 Jan 2024 15:13:09 -0800
From: Lauren Weinstein
Subject: United finds loose bolts on plug doors during 737 Max 9 inspections
  (The Air Current)

https://theaircurrent.com/feed/dispatches/united-finds-loose-bolts-on-plug-doors-during-737-max-9-inspections/

------------------------------

Date: Fri, 12 Jan 2024 11:26:34 -0500 (EST)
From: ACM TechNews
Subject: Security of Georgia's Dominion Voting Machines on Trial (CBS)

Jared Eggleston, CBS News, 9 Jan 2024, via ACM TechNews, 12 Jan 2024

A federal trial has begun to determine whether Dominion Voting Systems'
touch-screen voting machines used in the U.S. state of Georgia can be hacked
or manipulated. In Georgia, once voters make their choices, their ballots are
printed with their votes and a QR code; the QR code is ultimately what is
read and cast as the voter's ballot. Several voters and the Coalition for
Good Governance, who launched the suit, want the state to revert to paper
ballots which, they say, will assure voters their ballots are being counted
properly.

------------------------------

Date: Wed, 10 Jan 2024 17:54:55 -0500
From: Monty Solomon
Subject: Linux devices are under attack by a never-before-seen worm
  (ArsTechnica)

Based on Mirai malware, self-replicating NoaBot installs cryptomining app on
infected devices.
https://arstechnica.com/security/2024/01/a-previously-unknown-worm-has-been-stealthily-targeting-linux-devices-for-a-year/

------------------------------

Date: Fri, 12 Jan 2024 20:03:20 -0500
From: Monty Solomon
Subject: OpenAI Quietly Deletes Ban on Using ChatGPT for Military and Warfare
  (The Intercept)

https://theintercept.com/2024/01/12/open-ai-military-ban-chatgpt/

------------------------------

Date: Wed, 10 Jan 2024 09:03:28 -0500
From: Monty Solomon
Subject: Pennsylvania government workers will start using ChatGPT in test
  program (The Verge)

https://www.theverge.com/2024/1/9/24031904/openai-pennsylvania-chatgpt-pilot-program-ai

------------------------------

Date: Tue, 9 Jan 2024 00:37:17 -0500
From: Monty Solomon
Subject: AI firms' pledges to defend customers from IP issues have real
  limits (ArsTechnica)

https://arstechnica.com/?p=1994243

------------------------------

Date: Sun, 7 Jan 2024 21:28:14 -0500
From: Gabe Goldberg
Subject: Microsoft's Image Creator makes violent AI images of Biden, the Pope
  and more (The Washington Post)

The AI Image Creator, part of Microsoft’s Bing and Windows Paint, makes
extremely violent images of Joe Biden, the pope and others. Microsoft’s
failed response points the finger at rogue users.

McDuffie’s precise original prompt no longer works, but after he changed
around a few words, Image Generator still makes images of people with
injuries to their necks and faces. Sometimes the AI responds with the
message *Unsafe content detected*, but not always. The images it produces
are less bloody now — Microsoft appears to have cottoned on to the red corn
syrup — but they’re still awful. [...]

``Fundamentally, I don’t think this is a technology problem; I think it’s a
capitalism problem,'' says Hany Farid, a professor at the University of
California at Berkeley.
``They’re all looking at this latest wave of AI and thinking, *We can’t miss
the boat here.*'' He adds: “The era of ‘move fast and break things’ was
always stupid, and now more so than ever.”

Profiting from the latest craze while blaming bad people for misusing your
tech is just a way of shirking responsibility.

https://www.washingtonpost.com/technology/2023/12/28/microsoft-ai-bing-image-creator/

------------------------------

Date: Sun, 7 Jan 2024 21:32:01 -0500
From: Gabe Goldberg
Subject: CLEAR wants to scan your face at airports. Privacy experts are
  worried. (The Washington Post)

The company’s move into facial recognition technology speaks to a broader
exchange of privacy for convenience

https://www.washingtonpost.com/travel/2023/12/20/clear-facial-recognition-technology-airport-security/

TSA self-screening is the next big step for airport security.
Checking in with airport security could soon resemble ordering from a kiosk
at a fast-food restaurant

In January, select passengers at Harry Reid International Airport in Las
Vegas will begin testing a new self-service screening system from the
Transportation Security Administration. The setup will resemble a
supermarket self-checkout, with travelers scanning their identification and
carry-on bags instead of arugula and toilet paper.

https://www.washingtonpost.com/travel/2023/12/18/tsa-self-service-screening-las-vegas/

------------------------------

Date: Sun, 7 Jan 2024 15:11:23 -0800
From: Lauren Weinstein
Subject: Advances in Mind-Decoding Technologies Raise Hopes -- and Worries
  (Undark)

https://undark.org/2024/01/03/brain-computer-neurorights/

------------------------------

Date: Sat, 13 Jan 2024 12:15:17 -0500
From: Monty Solomon
Subject: More Police Are Using Your Cameras for Video Evidence
  (The Marshall Project)

Police “nerve centers” are blurring the line between public and private
surveillance.
https://www.themarshallproject.org/2024/01/13/police-video-surveillance-california

------------------------------

Date: Sat, 13 Jan 2024 13:19:42 -0500
From: Jeremy Epstein
Subject: UK Post Office Horizon scandal now on TV

I'm sure many UK RISKS subscribers can say more, but a four-part docudrama
this month has brought to light the flawed Horizon accounting software used
by the UK Post Office, which has led to hundreds of people being falsely
accused of theft (and fined and even imprisoned) as a result of software
bugs. The show, called "Mr Bates vs. the Post Office", showed earlier in
January in the UK (not yet available outside the UK, although a VPN + a free
subscription to ITVX will do the trick).

The impact has been quite profound, with the Prime Minister Rishi Sunak
calling for legislation to overturn verdicts, and the former CEO of the post
office agreeing to return her CBE. This is scant comfort to hundreds of
people whose lives were tremendously harmed by the prosecutions, including
at least four people who committed suicide.

The problems with the software are not new to RISKS readers - see for
example a note from Lindsay Marshall in RISKS 31.22 (in 2019), a followup
from Attila the Hun (sic) in RISKS 31.23, substantial details on one of the
cases from Stephen Mason in RISKS 31.51, and an update from David Lesher in
RISKS-32.62. The problems behind this aren't new, having been recognized
almost since the software was rolled out nearly 25 years ago.

Fujitsu, the maker of the software, is seemingly not being held to account:
https://techcrunch.com/2024/01/10/fujitsu-post-office-scandal-government/

Much more detail in the Wikipedia page:
https://en.wikipedia.org/wiki/British_Post_Office_scandal

The RISKS? Flawed software isn't new; what's sad is how many have been
harmed, and how long it's taken before real action is (finally) occurring.
------------------------------

Date: Sat, 13 Jan 2024 16:33:33 -0500
From: Gabe Goldberg
Subject: How Astronomers Are Saving Astronomy From Satellites -- For Now
  (The New York Times)

Earth’s orbits are filling with satellites at an astounding pace. Already
there are more than 9,000 satellites orbiting the planet, and more than
5,000 of them belong to Starlink, the constellation built by SpaceX to beam
Internet service down to Earth. They are to be joined by thousands of
satellites from other companies and countries in the decades ahead.

The more of them there are, the greater the satellites’ interference with
ground astronomy’s ability to answer questions about the cosmos — and
humanity’s place in it.

https://www.nytimes.com/2024/01/09/science/astronomy-telescopes-satellites-spacex-starlink.html?smid=nytcore-ios-share&referringSource=articleShare

------------------------------

Date: Fri, 12 Jan 2024 16:58:10 -0500
From: Gabe Goldberg
Subject: U.S. School Shooter Emergency Plans Exposed in a Highly Sensitive
  Database Leak (WiReD)

David Rogers, chief marketing officer at Raptor Technologies, tells WIRED
the company “immediately implemented remediation protocols” to secure the
exposed data once it was contacted and started an investigation into the
issue. “We have communicated with all Raptor customers,” Rogers says. “There
is no indication at this time that any such data was accessed by third
parties beyond the cybersecurity researcher and Raptor Technologies
personnel,” he says, adding there is no reason to believe there has been any
misuse of the information. “We sincerely regret this issue and any concern
or inconvenience it may have caused,” Rogers says.
The company's investigation into the incident is ongoing, Rogers says,
adding that the “safety and wellbeing of children, staff, and the community
members of our customers is the top priority of Raptor Technologies.”

https://www.wired.com/story/us-school-shooter-emergency-plans-leak

------------------------------

Date: Wed, 10 Jan 2024 17:38:25 -0500
From: Monty Solomon
Subject: FTC bans major data broker from selling invasive location tracking
  details (The Verge)

https://www.theverge.com/2024/1/10/24032966/ftc-bans-outlogic-location-data-sales-tracking-settlement

------------------------------

Date: Fri, 12 Jan 2024 15:57:33 -0500
From: Gabe Goldberg
Subject: U.S. Criminally Charges EBay in Cyberstalking Case (The New York Times)

The case involves eBay employees trying to intimidate a Massachusetts couple
who write and produce an e-commerce newsletter. The company will pay a
criminal penalty of $3 million.

“EBay engaged in absolutely horrific, criminal conduct,” said Joshua S.
Levy, the acting U.S. attorney. “The company’s employees and contractors
involved in this campaign put the victims through pure hell, in a petrifying
campaign aimed at silencing their reporting and protecting the eBay brand.”

David and Ina Steiner, writers and publishers of a news site and blog called
EcommerceBytes, live in Natick, Mass.; eBay is based in San Jose, Calif.
During the course of the harassment campaign, eBay security team members
flew to Boston to accelerate their activities against the couple in-person.
When they were caught, they began a cover-up and destroyed incriminating
messages.

The forms of harassment included: threatening direct messages over Twitter,
the social media platform that is now called X; attempts to install a GPS
device on the Steiners’ car; posting ads for fictitious sexual events at the
Steiners’ house; and sending anonymous and scary items like a bloody pig’s
mask to the couple’s home.
A 24-page document detailing the charges that was released on Thursday
broadens the number of eBay executives in the case. In earlier documents,
only two executives were mentioned — the chief executive and the chief
communications officer. Now there is a third executive, identified as eBay’s
senior vice president for global operations.

“Sometimes, you just need to make an example out of someone,” read a text
that the chief communications officer sent to the senior vice president on
May 31, 2019. “Justice,” the text continued. The chief communications
officer then wrote, referring to Ms. Steiner: “We are too nice. She needs to
be crushed.”

A spokesman for Devin Wenig, who was eBay’s chief executive at the time, had
no comment. The other two former executives could not be reached.

https://www.nytimes.com/2024/01/11/technology/ebay-cyberstalking-charges.html?smid=nytcore-ios-share&referringSource=articleShare

------------------------------

Date: Mon, 8 Jan 2024 21:34:01 -0500
From: Monty Solomon
Subject: Needham police warn residents to stop using mail collection boxes
  (The Globe)

https://www.boston.com/news/local-news/2024/01/08/thefts-mail-collection-boxes-needham/

  [Should you trust e-mail instead?  PGN]

------------------------------

Date: Sat, 13 Jan 2024 14:06:59 -0500
From: Monty Solomon
Subject: AI fears creep into finance, business and law (WashPost)

Silicon Valley figures have long warned about the dangers of artificial
intelligence. Now their anxiety has migrated to other halls of power: the
legal system, global gatherings of business leaders and top Wall Street
regulators.

https://www.washingtonpost.com/technology/2024/01/13/davos-ai-risk-finra/

------------------------------

Date: Thu, 11 Jan 2024 08:03:20 -0800
From: Lauren Weinstein
Subject: Google is removing 17 'underutilized' Assistant features (TechCrunch)

Seems that Google is continuing to kill or hobble core services while they
continue their AI binge.
This won't end well, for Google or its users, or society at large, given the
political climate that is going to come down on AI like a ton of bricks. -L

https://techcrunch.com/2024/01/11/google-is-removing-17-underutilized-assistant-features/

------------------------------

Date: Fri, 12 Jan 2024 10:42:55 -0800
From: Lauren Weinstein
Subject: Bitcoin ETF ads have already begun.

Millions are going to lose everything.

------------------------------

Date: Wed, 10 Jan 2024 14:07:44 -0800
From: Lauren Weinstein
Subject: Courts Forced SEC Into This Disaster (Better Markets)

SEC'S APPROVAL OF A BITCOIN CRYPTO ETF IS AN HISTORIC MISTAKE THAT WILL HARM
INVESTORS, MARKETS, AND FINANCIAL STABILITY

https://bettermarkets.org/newsroom/secs-approval-of-a-bitcoin-crypto-etf-is-an-historic-mistake-that-will-harm-investors-markets-and-financial-stability/

------------------------------

Date: Wed, 10 Jan 2024 17:41:35 -0500
From: Monty Solomon
Subject: Taylor Swift deepfake used for Le Creuset giveaway scam (Engadget)

https://www.engadget.com/taylor-swift-deepfake-used-for-le-creuset-giveaway-scam-123231417.html

------------------------------

Date: Wed, 10 Jan 2024 18:01:35 -0500
From: Monty Solomon
Subject: Hackers can infect network-connected wrenches to install ransomware
  (ArsTechnica)

https://arstechnica.com/?p=1994532

------------------------------

Date: Wed, 10 Jan 2024 18:07:31 -0500
From: Monty Solomon
Subject: Apple was warned of AirDrop flaws before China's hack

https://appleinsider.com/articles/24/01/10/apple-was-warned-of-airdrop-flaws-before-chinas-hack

------------------------------

Date: Sun, 07 Jan 2024 11:53:07 +0700
From: George Neville-Neil
Subject: Re: The NY Subway crash and derailment (RISKS-34.02)

The recent slow moving derailment on the NYC subway is, of course, due to
human error as the subway has little or no automation as we would think of
it. Trains are prevented from colliding through the use of physical trips at
the sides of the tracks at each block.
Each train car has a matching lever that, if it is tripped "dumps" the
brakes. Train brakes are fail safe, meaning when there is no air the brakes
are applied.

In this case both trains were in a complex interlocking of several sets of
crossovers (switches for Americans, points to the British) and it seems that
the block trip that would have thrown the offending train's brakes allowed
the nose of the train into the path of the train crossing in front of it,
which seems like an error in placement, as well as the motorperson (we don't
call them drivers or engineers on the subway) being foolish in inching
closer to a red signal.

For anyone on the list who is interested in the NYC subway system I
recommend the following book, which is updated annually, and is maintained
by one author and a bunch of people who send in what they see in the system:

https://www.nyctrackbook.com

The interlocking in question is shown on page/map 11 labeled "96th-103rd
Closeup".

------------------------------

Date: Sun, 7 Jan 2024 10:02:58 -0800
From: Steve Bacher
Subject: Re: How Tracking and Technology in Cars Is Being Weaponized by
  Abusive Partners (RISKS-34.02)

In the NYT article it says:

  "She instead found evidence that the husband was using the Mercedes Me app
  by obtaining records of his Internet activity."

How she obtained these records is left unstated.  It could be relatively
benign, like the two of them sharing access to a Gmail account.  But if not,
one has to wonder if the ability for the wife to gain access to the
husband's Internet activity is not as disturbing as the husband's access to
the wife's car functions (though less directly harmful).  Apparently it was
in connection with a restraining order and an (implied) search warrant.
Especially since "Mercedes [...] failed to respond to a search warrant" when
requested to do so; what other source did she go to in order to get this
data?
------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   .
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 34.03
************************