Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.08

RISKS-LIST: Risks-Forum Digest  Tuesday 20 February 2024  Volume 34 : Issue 08

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

  Contents:
How persuasive is AI-generated propaganda? (Lauren Weinstein)
New Era of AI Deepfakes Complicates 2024 Elections (WSJ)
Cybercriminals are stealing iOS users' face scans to break into mobile banking accounts (The Register)
Air Canada chatbot makes up travel rules
Big Tech tells politicians: We'll control the deepfakes (Politico)
New bill would let defendants inspect algorithms used against them in court (The Verge)
Chinese hackers infiltrated home wifi routers to attack infrastructure, FBI warns (MSN)
DOJ quietly removed Russian malware from routers in U.S. homes and businesses (ArsTechnica)
TETRA Radio Code Encryption Has a Flaw: A Backdoor (WiReD)
The $50K Scam: FTC, CIA, and Amazon Weigh In on NY Magazine's Charlotte Cowles (The New York Times)
Powerball Posted the Wrong Numbers. Now He’s Suing for $340M (NYTimes)
`Most Wanted' man pleads guilty in cyberattack that upended Vermont hospital (The Globe)
Nginx core developer quits project in security dispute, starts free-nginx fork (ArsTechnica)
Officials Investigate How a Woman Flew to Los Angeles Without a Ticket (NYTimes)
This Is Why Tesla's Stainless Steel Cybertrucks May Be Rusting (WiReD)
The Tech Friend: Apple's nanny state (WashPost)
An Important Security Message from Wyze (via Victor Miller)
Report on Intelligent Vehicle Dependability and Security (Chuck Weinstock)
Re: Odometers: A voting machine analogue (Wol)
Re: Tesla's latest screwup (Andrew)
Re: Waymo recalls software after two self-driving cars hit the same truck (Ned Harris, Sam Bull)
Re: Software bloat (Roderick Rees)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Tue, 20 Feb 2024 17:20:28 -0800
From: Lauren Weinstein
Subject: How persuasive is AI-generated propaganda?

A LOT.  -L

https://academic.oup.com/pnasnexus/article/3/2/pgae034/7610937?searchresult=1&login=false

------------------------------

Date: Thu, 15 Feb 2024 08:43:03 -0500
From: Monty Solomon
Subject: New Era of AI Deepfakes Complicates 2024 Elections (WSJ)

Deceptive videos, audio and images are more sophisticated, easier to make as tech industry wrestles with how to keep up

https://www.wsj.com/tech/ai/new-era-of-ai-deepfakes-complicates-2024-elections-aa529b9e

------------------------------

Date: Sun, 18 Feb 2024 12:50:14 -0500
From: Monty Solomon
Subject: Cybercriminals are stealing iOS users' face scans to break into mobile banking accounts (The Register)

Deepfake-enabled attacks against Android and iPhone users are netting criminals serious cash.
https://www.theregister.com/2024/02/15/cybercriminals_stealing_face_id/

------------------------------

Date: Fri, 16 Feb 2024 20:41:32 -0500
From: Jeremy Epstein
Subject: Air Canada chatbot makes up travel rules (ArsTechnica)

A customer asked the Air Canada chatbot about the rules for bereavement fares. The customer believed the chatbot's answer (basically "buy the ticket and then ask for a credit"), but Air Canada refused to honor the guidance, since elsewhere on the site it had a different set of rules.

The court ruled that Air Canada had to honor the instructions provided by the chatbot, rejecting Air Canada's statement that the customer never should have trusted the chatbot and that the airline should not be liable for the chatbot's misleading information. Air Canada essentially argued that "the chatbot is a separate legal entity that is responsible for its own actions."

"Air Canada argues it cannot be held liable for information provided by one of its agents, servants, or representatives -- including a chatbot," [the judge] wrote. "It does not explain why it believes that is the case" or "why the webpage titled 'Bereavement travel' was inherently more trustworthy than its chatbot."

The chatbot is apparently no longer active on the Air Canada site.

This was a case in Canada involving a Canadian and a Canadian company. IANAL, so curious what the analogous results would be in the US or other countries.

This certainly won't be the only case where a chatbot will give erroneous advice. This isn't to say that human customer service agents never make mistakes (we all do!), but the attempt to avoid responsibility is troubling.

https://arstechnica.com/tech-policy/2024/02/air-canada-must-honor-refund-policy-invented-by-airlines-chatbot/

  [Matthew Kruk noted this:
    Air Canada found liable for chatbot's bad advice on airline tickets
    https://www.cbc.ca/news/canada/british-columbia/air-canada-chatbot-lawsuit-1.7116416
  Monty Solomon found this:
    Air Canada must honor refund policy invented by airline's chatbot
    https://arstechnica.com/tech-policy/2024/02/air-canada-must-honor-refund-policy-invented-by-airlines-chatbot/
  PGN]

------------------------------

Date: Fri, 14 Feb 2024 17:42:11 PST
From: Peter Neumann
Subject: Big Tech tells politicians: We'll control the deepfakes (Politico)

Laurens Cerulus, Antoaneta Roussi, Gian Volpicelli, Politico, 16 Feb 2024, Munich

The world's largest technology companies on Friday announced an industry alliance to stop AI-generated pictures and clips from disrupting elections taking place around the world in 2024.

------------------------------

Date: Sat, 17 Feb 2024 20:23:27 -0500
From: Monty Solomon
Subject: New bill would let defendants inspect algorithms used against them in court (The Verge)

https://www.theverge.com/2024/2/15/24074214/justice-in-forensic-algorithms-act-democrats-mark-takano-dwight-evans

------------------------------

Date: Thu, 15 Feb 2024 16:08:18 -0500
From: Gabe Goldberg
Subject: Chinese hackers infiltrated home wifi routers to attack infrastructure, FBI warns (MSN)

On Wednesday, the FBI said Volt Typhoon had used its malware to disguise the fact that the hack had been conducted by the Chinese government, adding that the “vast majority” of routers affected were out-of-date Cisco and NetGear machines that had not received recent security updates. Unlike previous attacks, the hack was directed at Internet routers in small businesses and home offices, rather than at government agencies or infrastructure providers.
https://www.msn.com/en-us/money/other/chinese-hackers-infiltrated-home-wifi-routers-to-attack-infrastructure-fbi-warns/ar-BB1hza67

------------------------------

Date: Sat, 17 Feb 2024 21:44:44 -0500
From: Monty Solomon
Subject: DOJ quietly removed Russian malware from routers in US homes and businesses (ArsTechnica)

https://arstechnica.com/?p=2003936

------------------------------

Date: Thu, 15 Feb 2024 16:09:46 -0500
From: Gabe Goldberg
Subject: TETRA Radio Code Encryption Has a Flaw: A Backdoor (WiReD)

A secret encryption cipher baked into radio systems used by critical infrastructure workers, police, and others around the world is finally seeing sunlight. Researchers say it isn’t pretty.

https://www.wired.com/story/tetra-radio-encryption-backdoor/

------------------------------

Date: Sat, 17 Feb 2024 14:07:51 -0500
From: Gabe Goldberg
Subject: The $50K Scam: FTC, CIA, and Amazon Weigh In on NY Magazine's Charlotte Cowles (The New York Times)

What Amazon, FTC, and CIA Won't Say When You've Been Scammed

New York magazine’s money columnist wrote about being conned out of $50,000 by crooks pretending to be from Amazon and government agencies. We asked the company and agencies for comment.

https://www.nytimes.com/2024/02/16/your-money/scam-new-york-magazine-amazon-ftc-cia.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb

There's much here that makes this hard to believe; it's a collection of every scam red flag that says, *Run away*. Amazon-->FTC-->CIA? $50,000 cash? Don't tell family?

------------------------------

Date: Tue, 20 Feb 2024 19:17:58 -0500
From: Monty Solomon
Subject: Powerball Posted the Wrong Numbers. Now He’s Suing for $340M (NYTimes)

Powerball organizers in Washington DC said they “mistakenly posted” winning numbers in January 2023. The holder of those numbers is suing for negligence and emotional distress.

https://www.nytimes.com/2024/02/20/us/powerball-lottery-lawsuit.html

------------------------------

Date: Tue, 20 Feb 2024 09:42:58 -0500
From: Monty Solomon
Subject: `Most Wanted' man pleads guilty in cyberattack that upended Vermont hospital (The Globe)

Vyacheslav Igorevich Penchukov, 37, of Ukraine, pleaded guilty in federal court for his role in two separate malware schemes that caused tens of millions of dollars in losses.
https://www.boston.com/news/national-news/2024/02/19/most-wanted-man-pleads-guilty-in-cyberattack-that-upended-vermont-hospital-2/

------------------------------

Date: Fri, 16 Feb 2024 09:48:02 -0500
From: Monty Solomon
Subject: Nginx core developer quits project in security dispute, starts free-nginx fork (ArsTechnica)

https://arstechnica.com/?p=2003602

------------------------------

Date: Sat, 17 Feb 2024 21:18:13 -0500
From: Monty Solomon
Subject: Officials Investigate How a Woman Flew to Los Angeles Without a Ticket (NYTimes)

The woman bypassed a Transportation Security Administration check and boarded an American Airlines flight in Nashville, officials said.

https://www.nytimes.com/2024/02/16/us/tsa-security-breach-nashville.html

------------------------------

Date: Sat, 17 Feb 2024 15:28:39 -0500
From: Gabe Goldberg
Subject: This Is Why Tesla's Stainless Steel Cybertrucks May Be Rusting (WiReD)

Who knew stainless steel might not be such a good idea for the exterior of an electric SUV? The entire automotive industry, that’s who.

Posting on the Cybertruck Owners Club forum, a user named Raxar risked the wrath of the Tesla faithful—already exercised by the Cybertruck's numerous alleged design flaws—by stating that when they collected the $61,000 truck, "the advisor specifically mentioned the Cybertrucks develop orange rust marks in the rain." In a separate thread, the user vertigo3pc reported that "corrosion was forming on the metal" of his Cybertruck after it spent 11 days in the rain in Los Angeles. Raxar, who also lives in California, posted what appeared to be close-up, rust-flecked images of his truck after driving it for two days in rain.

The Cybertruck does not ship with clear coat, that outermost layer of transparent paint that comes as standard on almost every new motor vehicle on the planet. Instead, each Cybertruck owner has the option to purchase a $5,000 urethane-based film to "wrap your Cybertruck in our premium satin clear paint films. Only available through Tesla."

[...]

Once the chromium oxide barrier is breached, corrosion takes hold. And caveat emptor, because Tesla's owner's manual advises promptly removing corrosive substances, emphasizing not to wait until the Cybertruck is scheduled for a "complete wash," whatever that is. The documentation says: “To prevent damage to the exterior, immediately remove corrosive substances (such as grease, oil, bird droppings, tree resin, dead insects, tar spots, road salt, industrial fallout, etc.). Do not wait until Cybertruck is due for a complete wash. If necessary use denatured alcohol to remove tar spots and stubborn grease stains, then immediately wash the area with water and a mild, non-detergent soap to remove the alcohol.”

Pigeon poo is a well-known corrosive agent—guano is no friend to the fastidious car owner—but tree sap and bugs? Maybe that $5,000 Cybertruck wrap should ship as standard.

Other care instructions—highlighted in this YouTube video at 23 minutes in—reveal how delicately Cybertruck owners need to treat their stainless steel electric SUVs. The washing stipulations alone include, somewhat amazingly, “Do not wash in direct sunlight,” “Some cleaners and car shampoos contain chemicals that can cause damage or discoloration,” and even “Do not

------------------------------

Subject: The Tech Friend: Apple's nanny state (WashPost)

The Internet in the United States leans toward permissiveness within the bounds of the law. But with your iPhone apps, Apple makes the rules.

[...]

In other words, iPhone apps could become a little more like the web — for better and for worse. Apple says this is a bad idea. Drop her a line and let her know what you think.

https://s2.washingtonpost.com/camp-rw/?trackId=596b22969bbc0f403f8bcc25&s=65cf9b9d1782475ec0c79ee2&linknum=2&linktot=43

------------------------------

Date: Mon, Feb 19, 2024 at 01:17
From: Wyze
Subject: An Important Security Message from Wyze

  [via Victor Miller, a Wyze Man.
  PGN]

Wyze Friends,

On Friday morning, we had a service outage that led to a security incident. Your account and over 99.75% of all Wyze accounts were not affected by the security event, but we wanted to make you aware of the incident and let you know what we are doing to make sure it doesn't happen again.

The outage originated from our partner AWS and took down Wyze devices for several hours early Friday morning. If you tried to view live cameras or Events during that time, you likely weren't able to. We're very sorry for the frustration and confusion this caused.

As we worked to bring cameras back online, we experienced a security issue. Some users reported seeing the wrong thumbnails and Event Videos in their Events tab. We immediately removed access to the Events tab and started an investigation.

We can now confirm that as cameras were coming back online, about 13,000 Wyze users received thumbnails from cameras that were not their own and 1,504 users tapped on them. Most taps enlarged the thumbnail, but in some cases an Event Video was able to be viewed. All affected users have been notified. Your account was not one of the accounts affected.

The incident was caused by a third-party caching client library that was recently integrated into our system. This client library received unprecedented load conditions caused by devices coming back online all at once. As a result of increased demand, it mixed up device ID and user ID mapping and connected some data to incorrect accounts.

To make sure this doesn't happen again, we have added a new layer of verification before users are connected to Event Videos. We have also modified our system to bypass caching for checks on user-device relationships until we identify new client libraries that are thoroughly stress tested for extreme events like we experienced on Friday.

We know this is very disappointing news. It does not reflect our commitment to protect customers or mirror the other investments and actions we have taken in recent years to make security a top priority at Wyze. We built a security team, implemented multiple processes, created new dashboards, maintained a bug bounty program, and were undergoing multiple third-party audits and penetration testing when this event occurred. We must do more and be better, and we will.

We are so sorry for this incident and are dedicated to rebuilding your trust. If you have questions about your account, please visit support.wyze.com.

Wyze Team

------------------------------

Date: Fri, 16 Feb 2024 11:00:29 -0500
From: Chuck Weinstock
Subject: Report on Intelligent Vehicle Dependability and Security

I retired from the SEI in February 2022 and then rejoined part-time in April 2022. Independent of the SEI I’ve been working with colleagues at IFIP WG10.4 (specifically Jay Lala, John Meyer, Carl Landwehr, Wilfried Steiner) on an internal-to-the-Working-Group project on intelligent vehicle dependability and security. The project has just concluded and issued a final report, which can be found at https://ivds.dependability.org/final-report.html .

Principal findings of the project, conducted over the past four plus years, point to significant shortfalls in technologies, cost, governance, and societal aspects in achieving the end goal of safe and secure SAE Level 4 or 5 self-driving intelligent vehicles.

  [Chuck, Welcome back.  PGN]

------------------------------

Date: Fri, 16 Feb 2024 08:21:49 +0000
From: Wols Lists
Subject: Re: Odometers: A voting machine analogue (Epstein)

In the UK, there is now a requirement for the odometer reading to be logged at the annual road safety check. This is available online. So if you roll it back to less than the previous year's reading, it will show up.
We have been quite lucky - the last two second-hand cars we purchased were three years old and had known-genuine readings of 6000 and 1250 miles -- absolute bargains.

------------------------------

Date: Mon, 19 Feb 2024 06:33:08 +0000
From: Andrew
Subject: Re: Tesla's latest screwup

Ford, GM and others have been caught out by this regulation in the past. They argued that whilst their vehicles did not comply with the letter of the law, the impact was inconsequential, so they petitioned to ignore the issue in existing cars and not perform a recall. The request to ignore was granted.

Tesla simply fixed the issue over the air for American vehicles. No change was made to non-Americas vehicles where the move to pure English language indications (as opposed to icon-with-English) would not be appropriate.

------------------------------

Date: Thu, 15 Feb 2024 21:27:21 -0500
From: Ned Harris
Subject: Re: Waymo recalls software after two self-driving cars hit the same truck (RISKS-34.07)

I can hear the discussion (many times, as a former software developer and then quality consultant) among the software developers:

Question from the software quality guy: ``Well what if the car being towed is at an angle to the tow truck?''

Response from the developers (who've never had their car towed): ``Oh, no, that's not going to happen! The towed car is *ALWAYS* directly behind the truck.''

  [One-towed sloth truck?  PGN]

------------------------------

Date: Sat, 17 Feb 2024 14:51:59 +0000
From: Sam Bull <9wqnn1@sambull.org>
Subject: Re: Waymo recalls software after two self-driving cars hit the same truck (RISKS-34.07)

It's interesting that Waymo, not long ago, was trying to sound like their software was years ahead of Tesla's, because this seems to highlight some things that Tesla have moved away from.

------------------------------

Date: Sun, 18 Feb 2024 14:50:28 -0800
From: Roderick Rees
Subject: Re: Software bloat

Bloat has been a problem for a long time for two reasons. One is that there seems to be little teaching of how to recognise simple and direct expression of any intended idea. It is not natural because the thinking behind conversation is extremely old -- probably several hundred thousand years -- and because working programmers are under pressure to produce results quickly. That's because managers themselves are under pressure to get to market before the competition. So the environment is the basic cause of inefficient software.

It is made more critical because any idea (or legal requirement) is basically a set of descriptions - and all descriptions, though useful and necessary, are inherently incomplete and wrong.

I can't suggest a way to overcome either influence. Anybody have any ideas?

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site: .
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 34.08
************************
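The Wyze notice in this issue describes a cached device-to-user mapping that, under load, attached event thumbnails and videos to the wrong accounts, and a fix that adds a verification step before a user is connected to an Event Video and bypasses the cache for user-device checks. What follows is an added example of that pattern, written for this page; it is not Wyze's code and does not describe their system. The vulnerable path treats the cached mapping as the authorization decision; the hardened path makes the decision against the authoritative device registry, fails closed, evicts any cache entry that disagrees with the registry and records the disagreement so it can be alerted on. The device registry, event store, cache (with a poison() hook standing in for the mixed-up mapping) and request burst are all constructed sample data, and every name in the block is hypothetical.

```python
"""Added example (not Wyze's code): serve per-device event media only after an
ownership check that does not trust a cached device->user mapping.

Everything here is constructed for illustration: the registry, the event store,
the cache whose poison() simulates the wrong mapping, and the request burst."""
from dataclasses import dataclass, field


class AuthorizationError(Exception):
    """Requester is not the verified owner of the device behind the event."""


@dataclass(frozen=True)
class Event:
    event_id: str
    device_id: str
    thumbnail: bytes


# Authoritative source of truth: which user owns which camera (constructed).
DEVICE_OWNER = {"cam-001": "user-A", "cam-002": "user-B", "cam-003": "user-C"}
# Event store: each event belongs to exactly one device (constructed).
EVENTS = {
    "ev-1": Event("ev-1", "cam-001", b"thumb-of-A"),
    "ev-2": Event("ev-2", "cam-002", b"thumb-of-B"),
    "ev-3": Event("ev-3", "cam-003", b"thumb-of-C"),
}


class OwnerCache:
    """Device->owner cache in front of DEVICE_OWNER. poison() stands in for the
    failure in the notice: under load the library attached a device to the
    wrong user. Hypothetical class, not a real caching library."""

    def __init__(self):
        self._table = {}

    def get_owner(self, device_id):
        if device_id not in self._table:
            self._table[device_id] = DEVICE_OWNER.get(device_id)
        return self._table[device_id]

    def poison(self, device_id, wrong_owner):
        self._table[device_id] = wrong_owner

    def evict(self, device_id):
        self._table.pop(device_id, None)


@dataclass
class Audit:
    """Cache/registry disagreements, kept as (device, cached, real) so that
    they can be alerted on instead of being silently served."""
    mismatches: list = field(default_factory=list)


def serve_event_cached_only(user, event_id, cache):
    """Vulnerable pattern: the cached mapping *is* the authorization decision.
    With a poisoned entry this hands one user's thumbnail to another."""
    event = EVENTS.get(event_id)
    if event is None or cache.get_owner(event.device_id) != user:
        raise AuthorizationError(event_id)
    return event.thumbnail


def serve_event_verified(user, event_id, cache, audit):
    """Hardened pattern: the cache may be consulted, but the decision is made
    against the authoritative registry and fails closed. A disagreement is
    treated as a cache fault: the entry is evicted and the mismatch logged."""
    event = EVENTS.get(event_id)
    if event is None:
        raise AuthorizationError(event_id)  # same error as a denial: no existence oracle
    cached = cache.get_owner(event.device_id)
    real = DEVICE_OWNER.get(event.device_id)
    if cached != real:
        audit.mismatches.append((event.device_id, cached, real))
        cache.evict(event.device_id)
    if real is None or real != user:
        raise AuthorizationError(event_id)
    return event.thumbnail


def replay_burst(requests, cache, audit):
    """Push a burst of (user, event_id) requests through both paths. Returns
    (served, exposed): requests the verified path served, and requests the
    cached-only path would have leaked to a non-owner."""
    served = exposed = 0
    for user, event_id in requests:
        try:
            leaked = serve_event_cached_only(user, event_id, cache)
        except AuthorizationError:
            leaked = None
        try:
            serve_event_verified(user, event_id, cache, audit)
            served += 1
        except AuthorizationError:
            if leaked is not None:
                exposed += 1
    return served, exposed


if __name__ == "__main__":
    cache, audit = OwnerCache(), Audit()
    cache.poison("cam-002", "user-A")  # the mixed-up device->user mapping
    burst = [("user-A", "ev-2"), ("user-B", "ev-2"), ("user-A", "ev-1"),
             ("user-C", "ev-1"), ("user-A", "ev-9")]
    print(replay_burst(burst, cache, audit), audit.mismatches)
```

Running the block replays a five-request burst with one poisoned cache entry: the cached-only path hands user-A the thumbnail from user-B's camera, while the verified path denies that request, evicts the bad entry and records the mismatch, then serves the two legitimate requests from the repaired cache. The design point is that a cache may accelerate a lookup but must never be the last word on who may see what, and that a disagreement between cache and registry is an incident signal worth counting, not a miss to be papered over.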