Uncategorized

The RISKS Digest Volume 34 Issue 01



The RISKS Digest Volume 34 Issue 01

























Saturday, 30th December 2023

Forum on Risks to the Public in Computers and Related Systems

ACM Committee on Computers and Public Policy,
Peter G. Neumann, moderator

Please try the URL privacy information feature enabled by clicking the flashlight icon above. This will reveal two icons after
each link the body of the digest. The shield takes you to a breakdown of Terms of Service for the site – however only a small number of sites are covered at the moment.
The flashlight take you to an analysis of the various trackers etc. that the linked site delivers.
Please let the website maintainer know if
you find this useful or not. As a RISKS reader, you will probably not be surprised by what is revealed…

Contents


DRM bricks Polish trains
404media

Rise of AI fake news is creating a misinformation superspreader
WashPost

Coffee Cty, GA missing laptop may impact Trump, Curling cases
Douglas Lucas

Michael Cohen Used Artificial Intelligence in Feeding Lawyer Bogus Cases
NYTimes

Splitting a Large AI Across Several Devices Lets You Run It in Private
New Scientist

The Times Sues OpenAI and Microsoft Over AI Use of Copyrighted Work
NYTimes

Six Big Questions for Generative AI
Tech Review

FTC slams Rite Aid for misuse of facial recognition technology in stores
The Washington Post

More people at risk as Ontario public bodies face growing wave of cyberattacks, experts say
CBC

New AI model can predict human lifespan, researchers say. They want to make sure it’s used for good
phys.org

BBC has the miraculous report of an AI that is capable of learning.
BBC

A New Kind of AI Copy Can Fully Replicate Famous People
Politico

AI in the Machine Internet
Dana F. Blankenhorn

Chinese Spy Agency Rising to Challenge the CIA
NYTimes

Open-Source Chip Design Takes Hold in Silicon Valley
WSJ

Operation Triangulation: The last ‘hardware’ mystery
Securelist

TERRAPIN: SSH protects the world’s most sensitive networks. It just got a lot weaker
Ars Technica

TERRAPIN and SSH Prefix Truncation Attack
Bob Gezelte

GTA 6 hacker handed indefinite hospital order
Lapsus$

Xfinity waited to patch critical Citrix Bleed 0-day. Now it’s paying the price
Ars Technica

The 2010 Census Confidentiality Protections Failed, Here’s How and Why
Arxiv

Quantum Computing’s Hard, Cold Reality Check*
IEEE

It’s easier to convince kids than adults about quantum mechanics
Physicist Bob Coecke

FCPD Combats Crypto-Related Scams: How to Avoid Falling Victim to Fraud
Fairfax County Police Department News

Israeli hackers shut down 70% of Iran’s gas stations
Times of Israel

Blog post on CSAE and E2EE
Susan Landau

The Disturbing Impact of the Cyberattack at the British Library
The New Yorker

Data for nearly 36 million Comcast customers leaked to hackers
Ars Technica

Online searches to evaluate misinformation can increase its perceived veracity
Nature

The 2023 Good Tech Awards
The NYTimes

Do you need git or Subversion?
Cliff Kilby

iPhone Thief Explains How He Breaks Into Your Phone
WSJ

Former White House scientist was scammed out of $650K and must pay taxes
The Washington Post

Re: Ex-Amazon security engineer admits to stealing over $12M in crypto
Gabe Goldberg

Re: What to do when receiving unprompted MFA OTP codes
Joseph Gwinn

Re: WeWork has failed, leaving damage in its wake
Martin Ward

Info on RISKS (comp.risks)


DRM bricks Polish trains (404media)

“John Levine”
<[email protected]>

17 Dec 2023 23:09:02 -0500

Some Polish trains were sent for routine maintenance, after which they would
not run even though nothing was evidently wrong. As a last resort, the
railway hired the Dragon Sector hacking group which analysed the trains'
software and found code that made the trains fail if their GPS said they'd
been in a list of locations that happened to match repair shops not run by
the trains' manufacturer.

NEWAG, the manufacturer, denies everything and has sued them for slander.

https://badcyber.com/dieselgate-but-for-trains-some-heavyweight-hardware-hacking/

https://www.404media.co/polish-hackers-repaired-trains-the-manufacturer-artificially-bricked-now-the-train-company-is-threatening-them/


Rise of AI fake news is creating a misinformation superspreader (WashPost)

Steve Bacher
<[email protected]>

Sun, 17 Dec 2023 22:29:07 -0800

www.washingtonpost.com

Artificial intelligence is automating the creation of fake news, spurring an
explosion of websites that can disseminate false information about wars and
elections

https://www.washingtonpost.com/technology/2023/12/17/ai-fake-news-misinformation/


Coffee Cty, GA missing laptop may impact Trump, Curling cases

Douglas Lucas
<[email protected]>

Tue, 19 Dec 2023 13:31:53 -0800

On 19 Dec, the Daily Dot published my new investigative article digging into
the mystery of the missing silver laptop that Coffee County, Georgia—home
of the infamous January 2021 elections office breach captured on
surveillance film—is going to the mat not to turn over, not to even
find. This laptop was used extensively by Trump co-defendant and
then-election supervisor Misty Hampton, charged for facilitating the
MAGA-led intrusions. If found, the laptop's contents would likely impact two
cases in Atlanta courthouses: Trump's criminal one over election
interference, and the long-running federal civil suit *Curling v.
Raffensperger*, in which plaintiffs seek to force the state to abandon
mandatory electronic ballots and, in most circumstances, employ instead
hand-marked paper ones.

Here's the link for my investigative article:
https://www.dailydot.com/news/missing-laptop-trump-case-georgia/

Also on 19 Dec, I self-published an accompanying blog post that includes
several of the cut passages as well as, for the first time, four previously
unreleased surveillance still. My blog pot has a ton of additional
information, including a longtime area lawyer's proposal that the county
adopt independent (not conflicted) and possibly pro bono counsel to aid the
elections board and public with an internal inquiry into the breach and its
aftermath.

Here's the link for my blog post, the deleted scenes if you will:
https://douglaslucas.com/blog/2023/12/19/extra-material-dailydot-investigative-article-laptop/

I worked on this for something like half a year. There's a lot of material
that RISKS may be interested in. Mysteries surrounding the .ost file, the
Microsoft Office 365 licenses, the county refusing to back up official files
on the elections desktop computer, as required by law, when the Georgia
Bureau of Investigation came knocking, they say because they feared
accusations of tampering. One of the most interesting aspects is lawyers
that are more powerful than the people they represesnt, the de jure vs de
facto power landscape of the county, and how all this can fester and get
worse when the underlying digital data, in full, headers, signatures,
everything, is not out in the open. Theopacity allows the overpowered
lawyers and county manager to run the show, merely claiming this, claiming
that, until enough strength shows up to enforce, you know, Rules of
Evidence.


Michael Cohen Used Artificial Intelligence in Feeding Lawyer Bogus Cases (NYTimes)

Jan Wolitzky
<[email protected]>

Fri, 29 Dec 2023 12:05:03 -0800

*The New York Times*, 30 Dec 2023, Front-page story (PGN-ed)
Benjamin Weiser and Jonah Bromwich

Michael D. Cohen, the onetime fixer for former President Donald J. Trump,
said in court papers unsealed on Friday that he had mistakenly given his
lawyer bogus legal citations generated by the artificial intelligence
program Google Bard.

The fictitious citations were used by Mr. Cohen's lawyer in a motion
submitted to a federal judge, Jesse M. Furman. Mr. Cohen, who pleaded guilty
in 2018 to campaign finance violations and served time in prison, had asked
the judge for an early end to the court's supervision of his case now that
he is out of prison and has complied with the conditions of his release.

In a sworn declaration made public on Friday, Mr. Cohen explained that he
had not kept up with “emerging trends (and related risks) in legal
technology and did not realize that Google Bard was a generative text
service that, like ChatGPT, could show citations and descriptions that
looked real but actually were not.''

https://www.nytimes.com/2023/12/29/nyregion/michael-cohen-ai-fake-cases.html

  [Lauren Weinstein had a note on this:   Most ordinary folks do *not
  understand* what AI and Large Language Models are about. They don't read
  the AI company disclaimers that the firms know are basically there to try
  protect the firms—not the users.  PGN]

    [But Michael Cohen was no ordinary person.  Perhaps Google Bard also
    wrote all of “shakespeare'' (The Bard) retroactively?  The illiterate
    Willem Shaksper certainly didn't.  PGN]

  [Gabe Goldberg commented, When will they ever learn...  PGN]


Splitting a Large AI Across Several Devices Lets You Run It in Private (New Scientist)

ACM TechNews
<[email protected]>

Fri, 22 Dec 2023 11:35:51 -0500 (EST)

Jeremy Hsu, *New Scientist*, 15 Dec 2023, via ACM TechNews

An AI system based on large language models (LLMs) developed by University
of California, Irvine researchers can be used locally via smartphone,
eliminating reliance on a cloud service's datacenters and permitting LLM
queries without having to share sensitive personal information. The
LinguaLinked system splits the LLM's computations among several smartphones
based on the phones' available memory and network connectivity. The
researchers used the system to run BLOOM LLMs on four commercial phones,
with an average AI processing speed per token of 2 seconds on a small AI
model with 1.1 billion parameters, and 4 seconds on a larger model with 3
billion parameters.

  [This could increase trustworthiness for oneself if one is very careful,
  but could also make it much more difficult for others who won't know
  anything about that trustworthiness—or the lack thereof.  PGN]


The Times Sues OpenAI and Microsoft Over AI Use of Copyrighted Work (NYTimes)

David Farber
<[email protected]>

Thu, 28 Dec 2023 08:13:43 +0900

https://www.nytimes.com/2023/12/27/business/media/new-york-times-open-ai-microsoft-lawsuit.html?smid=nytcore-ios-share&referringSource=articleShare


Six Big Questions for Generative AI (Tech Review)

Peter Neumann
<[email protected]>

Sat, 23 Dec 2023 13:44:36 PST

Will Douglas Heaven, MIT Technology Reveiw, Jan/Feb 2024, pp. 30-37

1. Will we ever mitigate the bias problem?
2. How will AI change the way we apply copyright?
3. How will it change our jobs?
4. What misinformation will it make possible?
5. Will we come to grips with its costs?
6. Will doomerism continue to dominate policymaking?


FTC slams Rite Aid for misuse of facial recognition technology in stores (The Washington Post)

Gabe Goldberg
<[email protected]>

Wed, 20 Dec 2023 00:04:20 -0500

A landmark settlement over the pharmacy chain's use of the surveillance
technology could raise further doubts about facial recognition's use in
stores, airports and other venues

The FTC said huge errors were commonplace. Between December 2019 and July
2020, the system generated more than 2,000 *Match Alerts* for the same
person in faraway stores around the same time, even though the scenarios
were *impossible or implausible*, the FTC said.

In one case, Rite Aid's system generated more than 900 *match alerts* for a
single person over a five-day period across 130 different stores, including
in Seattle, Detroit and Norfolk, regulators said.

The system generated thousands of false matches, and many of them involved
the faces of women, Black people and Latinos, the FTC said.  Federal and
independent researchers in recent years have found that those groups are
more likely to be misidentified by facial-recognition software, though the
technology's boosters say the systems have since improved.

https://www.washingtonpost.com/technology/2023/12/19/ftc-rite-aid-facial-recognition


More people at risk as Ontario public bodies face growing wave of cyberattacks, experts say (CBC)

Matthew Kruk
<[email protected]>

Sat, 23 Dec 2023 09:53:18 -0700

https://www.cbc.ca/news/canada/toronto/cybersecurity-ontario-incidents-2023-1.7048495


New AI model can predict human lifespan, researchers say. They want to make sure it’s used for good (phys.org)

Richard Marlon Stein
<[email protected]>

Sun, 24 Dec 2023 13:11:30 +0000

https://phys.org/news/2023-12-ai-human-lifespan-good.html

"Even though we're using prediction to evaluate how good these models are,
the tool shouldn't be used for prediction on real people."

Ripe for commercial exploitation. Hospitals and insurance companies might
find this model enables cherry picking of patients (ER patient dumping) and
policy price schedules.

  [The old dual-use problem: Anything that can be used for good can be used
  for bad.  That should have been a corollary of Murphy's Law. PGN]


BBC has the miraculous report of an AI that is capable of learning. (BBC)

Cliff Kilby
<[email protected]>

Fri, 22 Dec 2023 18:38:21 -0500

https://www.bbc.com/news/business-67748255

In other slightly less miraculous news, generative modeling is now capable
of doing what used to be done by hand faster than when it was done by hand.
This is improving flood hazard prediction.  I would add to that prediction:
flood insurance premiums are likely to rise.  Umbrella disclaimer,


A New Kind of AI Copy Can Fully Replicate Famous People (Politico)

Steve Bacher
<[email protected]>

Sat, 30 Dec 2023 09:16:40 -0800

The Law Is Powerless. <about:blank?compose#>

New AI-generated digital replicas of real experts expose an unnerving policy
gray zone. Washington wants to fix it, but it’s not clear how.

Martin Seligman, the influential American psychologist, found himself
pondering his legacy at a dinner party in San Francisco one late February
evening. The guest list was shorter than it used to be: Seligman is 81, and
six of his colleagues had died in the early Covid years. His thinking had
already left a profound mark on the field of positive psychology, but the
closer he came to his own death, the more compelled he felt to help his work
survive.

The next morning he received an unexpected email from an old graduate
student, Yukun Zhao. His message was as simple as it was astonishing: Zhao's
team had created a *virtual Seligman*.

Zhao wasn't just bragging. Over two months, by feeding every word Seligman
had ever written into cutting-edge AI software, he and his team had built an
eerily accurate version of Seligman himself—a talking chatbot whose
answers drew deeply from Seligman’s ideas, whose prose sounded like a
folksier version of Seligman’s own speech, and whose wisdom anyone could
access.

Impressed, Seligman circulated the chatbot to his closest friends and family
to check whether the AI actually dispensed advice as well as he did. “I gave
it to my wife and she was blown away by it,” Seligman said.

The bot, cheerfully nicknamed “Ask Martin,” had been built by researchers
based in Beijing and Wuhan ” originally without Seligman’s permission, or
even awareness.

The Chinese-built virtual Seligman is part of a broader wave of AI chatbots
modeled on real humans, using the powerful new systems known as large
language models to simulate their personalities online. Meta is
experimenting with licensed AI celebrity avatars
<https://www.theverge.com/2023/9/27/23891128/meta-ai-assistant-characters-whatsapp-instagram-connect>;
you can already find internet chatbots trained on publicly available
material about dead historical figures <https://www.hellohistory.ai>.

But Seligman’s situation is also different, and in a way more unsettling. It
has cousins in a small handful of projects that have effectively replicated
living people without their consent. In Southern California, tech
entrepreneur Alex Furmansky created a chatbot version of Belgian celebrity
psychotherapist Esther Perel by scraping her podcasts off the internet. He
used the bot to counsel himself through a recent heartbreak, documenting his
journey in a blog post
<https://magneticgrowth.substack.com/p/esther-perel-generative-ai-bot> that
a friend eventually forwarded to Perel herself.  [...]

https://www.politico.com/news/magazine/2023/12/30/ai-psychologist-chatbot-00132682


AI in the Machine Internet (Dana F. Blankenhorn)

Gabe Goldberg
<[email protected]>

Wed, 27 Dec 2023 17:19:05 -0500

Everything is a System. Every system can be more efficient with AI

https://danafblankenhorn.substack.com/p/ai-in-the-machine-internet

  [Everything is indeed a system.  Every system can also be less
  trustworthy with AI.  Cassandra-PGN]


Chinese Spy Agency Rising to Challenge the CIA (NYTimes)

Gabe Goldberg
<[email protected]>

Sat, 30 Dec 2023 00:58:02 -0500

The ambitious Ministry of State Security is deploying AI and other advanced
technology to go toe-to-toe with the United States, even as the two nations
try to pilfer each other's scientific secrets.

https://www.nytimes.com/2023/12/27/us/politics/china-cia-spy-mss.html?smid=nytcore-ios-share&referringSource=articleShare


Open-Source Chip Design Takes Hold in Silicon Valley (WSJ)

ACM TechNews
<[email protected]>

Wed, 20 Dec 2023 11:47:32 -0500 (EST)

Belle Lin, The Wall Street Journal (12/14/23), via ACM TechNews

Because RISC-V, the open-source standard developed in 2010 for designing
semiconductors, is free, it allows for the development of lower-cost,
potentially more efficient processors for artificial intelligence and mobile
devices. Google and Meta have said the open standard enables greater
customization. Forrester Research's Glenn O'Donnell said RISC-V is
particularly attractive for companies because it does not require upfront
licensing fees. However, Dell's John Roese said the "middleware" software
supporting RISC-V has not been fully developed for datacenters and other
high-performance applications. Roese explained, "Until you have enough of a
software and developerecosystem, these things stay very niche."


Operation Triangulation: The last ‘hardware’ mystery (Securelist)

Victor Miller
<[email protected]>

Thu, 28 Dec 2023 02:49:07 +0000

https://securelist.com/operation-triangulation-the-last-hardware-mystery/111669/


TERRAPIN: SSH protects the world’s most sensitive networks. It just got a lot weaker (Ars Technica)

<Lauren Weinstein <[email protected]> ]>

Tue, 19 Dec 2023 10:39:14 -0800

TERRAPIN: SSH protects the world's most sensitive networks. It just
got a lot weaker

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/

  [Also noted by Victor Miller.  PGN]


TERRAPIN and SSH Prefix Truncation Attack

Bob Gezelter
<[email protected]>

Thu, 21 Dec 2023 00:26:32 -0500

ArsTechnica reported that Terrapin, a man-in-the-middle attack against the
widely used SSH protocol, is feasible in combination with widely used
"ChaCha20-Poly1305" or "CBC with Encrypt-then-MAC" encryption modes.

https://arstechnica.com/security/2023/12/hackers-can-break-ssh-channel-integrity-using-novel-data-corruption-attack/


GTA 6 hacker handed indefinite hospital order (Lapsus$)

Victor Miller
<[email protected]>

Fri, 22 Dec 2023 09:44:58 +0000

https://www.bbc.com/news/technology-67663128


Xfinity waited to patch critical Citrix Bleed 0-day. Now it’s paying the price (Ars Technica)

Victor Miller
<[email protected]>

Thu, 21 Dec 2023 03:37:32 +0000

https://arstechnica.com/security/2023/12/hack-of-unpatched-comcast-servers-results-in-stolen-personal-data-including-passwords/


The 2010 Census Confidentiality Protections Failed, Here’s How and Why (Arxiv)

Victor Miller
<[email protected]>

Thu, 21 Dec 2023 13:42:06 +0000

https://arxiv.org/abs/2312.11283


Quantum Computing’s Hard, Cold Reality Check* (IEEE)

Rod Van Meter
<[email protected]>

December 27, 2023 10:38:40 JST

  [Victor Miller noted this item:
https://spectrum.ieee.org/quantum-computing-skeptics
  Rod replied to a separate posting from Dave Farber.  PGN[

Just a few comments on the overall thrust rather than detailed comments, so
rather than top-posting I just deleted the content. You may both post this
to your lists if like.

As a confirmed optimist but realist who has now invested twenty years in
this field, by and large I endorse this. We are moving from analog through
digital to quantum information; in my opinion, quantum represents a fully
fundamental change in processing methods, but we still have a long ways to
go to realize the full impact.

For the most part, unlike many "hit pieces" on quantum, they have talked to
the right people. Le Cun is a known skeptic, and Meta is probably the most
important tech company in the world that is deliberately *NOT* doing
quantum. I don't really know how much he does or doesn't know about quantum,
but his opinion carries weight and I don't think he is simply knee-jerk
opposed. Troyer and Aaronson are both well known and respected researchers
(though Aaronson may be getting a little over-exposed in the media these
days; he's eminently quotable and is the field's most prominent blogger, so
he is the go-to guy for many media, it seems). (Please, PLEASE do not listen
to Michio Kaku on quantum; his explanations of how these things work are far
too garbled to be useful, regardless of what you think about the gauzier
musings about quantum computing and the Universe.)

My own favorite of Troyer's papers is this:
https://www.science.org/doi/abs/10.1126/science.1252319
https://arxiv.org/abs/1401.2910
talking about how to quantify a true quantum speedup.

Oskar Painter is also a professor at a little school called Caltech, which
the article didn't mention. (It's hard to overstate Tech's influence in
quantum. A list of prominent people would take a half a page, with Preskill,
Kitaev, Shor, Bacon, Raussendorf, Wehner, Kimble, Northup, Vuckovic,
Gottesman, Leung, Mabuchi, Brun, Hsin-Yuang Huang, Furusawa, Lloyd, etc. as
undergrads, grads, postdocs and faculty. And me, let's not forget me. Oh,
and some guy named Feynman, who gets a share of the credit for originating
the idea in the first place.)

Anyway, back to the topic...

This year saw huge advances toward effective error correction. The month of
December alone produced several juicy papers. One that is getting a lot of
attention is https://www.nature.com/articles/s41586-023-06927-3 which shows
logical operations using quantum error detection (not really quite
correction yet) on a large number of individual neutral atoms in a trapped
array. Personally, I have to issue a mea culpa here, because in the
mid-2010s I didn't see a path to solid control of neutral systems that
allowed for the individual control and programmability necessary. the
QuEra-Harvard-MIT team has done amazing work.

I could type for an hour about interesting results from this year, but I
don't have time this morning.

Everybody agrees that NISQ (noisy, intermediate-scale quantum) won't
scale. The biggest question on the table is whether NISQ becomes useful
before it stops scaling. I think right now a slim majority people are on the
side of "no", though personally I think the jury is still out.

So, the hardware is progressing; software tools, including compilers,
debuggers, etc. still have a long ways to go.

And it's fair to say that the breadth of applications has not advanced as
much as I might have hoped two decades ago, but our depth of understanding
of what is and isn't possible has continued to grow. I'm optimistic that
when we put these machines in the hands of the next generation of Knuths,
Lamports and Torvaldses, that amazing things will happen.

And we are going to have to continue to rethink education for the
#QuantumNative generation; quantum algorithms require a very different way
of thinking. (And yes, unlike some people, I think the interdisciplinary
skills such students will learn will stand them in good stead throughout
their careers, whether they actually focus on quantum or not.) Assuming
quantum succeeds, we are going to need a LOT of programmers, and not all of
them need to understand the low-level physics of the devices, just as most
software engineers today have a moderate-to-completely-nonexistent
understanding of semiconductor physics.


It’s easier to convince kids than adults about quantum mechanics (Physicist Bob Coecke)

Victor Miller
<[email protected]>

Tue, 19 Dec 2023 14:14:02 +0000

https://www.theguardian.com/science/2023/dec/16/physicist-bob-coecke-its-easier-to-convince-kids-than-adults-about-quantum-mechanics?CMP=Share_iOSApp_Other


FCPD Combats Crypto-Related Scams: How to Avoid Falling

Gabe Goldberg
<[email protected]>

Thu, 28 Dec 2023 15:49:04 -0500

Damn. All too common crypto use case. In spite of years-long ongoing
publicity and warnings.

https://fcpdnews.wordpress.com/2023/12/28/fcpd-combats-crypto-related-scams-how-to-avoid-falling-victim-to-fraud/


Israeli hackers shut down 70% of Iran’s gas stations (Times of Israel)

Amos Shapir
<[email protected]>

Sat, 23 Dec 2023 10:40:57 +0200

No details were released, but it seems that the hackers had targeted a
central payment system.

Full story at:
https://www.timesofisrael.com/israel-linked-group-claims-cyberattack-that-shuts-down-70-of-irans-gas-stations/


Blog post on CSAE and E2EE

Susan Landau
<[email protected]>

Wed, 20 Dec 2023 14:40:44 -0500

I have a short blog post that may be of interest to some of you:
https://www.lawfaremedia.org/article/write-the-laws-for-the-world-in-which-we-live-not-the-one-we-imagine.


The Disturbing Impact of the Cyberattack at the British Library (The New Yorker)

Jan Wolitzky
<[email protected]>

Mon, 25 Dec 2023 08:57:03 -0500

The library has been incapacitated since October, and the effects have
spread beyond researchers and book lovers.

https://www.newyorker.com/news/letter-from-the-uk/the-disturbing-impact-of-the-cyberattack-at-the-british-library


Data for nearly 36 million Comcast customers leaked to hackers (Ars Technica)

Lauren Weinstein
<[email protected]>

Wed, 20 Dec 2023 10:43:07 -0800

Data for nearly 36 million Comcast customers leaked to hackers
https://arstechnica.com/security/2023/12/hack-of-unpatched-comcast-servers-results-in-stolen-personal-data-including-passwords/?utm_brand=arstechnica&utm_social-type=owned&utm_source=mastodon&utm_medium=social


Online searches to evaluate misinformation can increase its perceived veracity (Nature)

Gabe Goldberg
<[email protected]>

Wed, 20 Dec 2023 23:46:08 -0500

Considerable scholarly attention has been paid to understanding belief in
online misinformation, with a particular focus on social networks.  However,
the dominant role of search engines in the information environment remains
underexplored, even though the use of online search to evaluate the veracity
of information is a central component of media literacy interventions.
Although conventional wisdom suggests that searching online when evaluating
misinformation would reduce belief in it, there is little empirical evidence
to evaluate this claim. Here, across five experiments, we present consistent
evidence that online search to evaluate the truthfulness of false news
articles actually increases the probability of believing them.

https://www.nature.com/articles/s41586-023-06883-y

  [See the full article for the footnotes not available here.  PGN]


The 2023 Good Tech Awards (The NYTimes)

Steve Bacher
<[email protected]>

Tue, 26 Dec 2023 14:51:10 +0000 (UTC)

A positive look back at this year's tech developments, from one journalist's
viewpoint.  Perhaps a refreshing change from the usual RISKS negativity.

  [I.e., our positive focus on reducing risks!  But we are always looking
  for items that minimize the risks.  Thanks, Steve.  Happy New Year with
  fewer risks.  PGN].

https://www.nytimes.com/2023/12/25/technology/the-2023-good-tech-awards.html


Do you need git or Subversion?

Cliff Kilby
<[email protected]>

Sat, 30 Dec 2023 11:51:28 -0500

You do not need either one specifically. A software development company
should have a version control system (VCS). DVCS (distributed) is very
popular with developers as they are less likely to complain about slow
transfers, or merge problems. The slow transfer problem is specific to
Subversion's storage and transfer model, which operates at the document
level. Git operates on a mixed model of objects and archives. Mercurial uses
a similar DVC model. Developers don't complain about merges in git because
they tend to make that the problem for the person processing pull
requests. Subversion and Team Foundation are CVCS (centralized).  Subversion
distributed merge conflicts to the developers, and they don't like You
cannot commit a merge conflict in Subversion. I have not personally worked
with Team Foundation, but it is my understanding you cannot commit merge
conflicts in that system either.

Merge conflicts arise from multiple developers working on the same
document/object at the same time. If you have merge conflicts on a regular
basis, your developers are working on a crappy codebase. Moving to DVCS
won't fix that.

Git was developed by the hardest working man in IT to deal with a project
that was intentionally designed to be mostly monolithic as it was the
source for a kernel, which is monolithic.

Are you developing a monolithic kernel? No? Then you do not need git nor
DVCS. You need to fix your codebase.

Are you developing open-source software? No? Then you do not need git nor
DVCS.

Are you developing software which has a GRC mandate to be tracked? Yes?
Then you need CVCS. Unless you take a lot of extra time to ensure that your
git is setup for signed commits and that your developers are using signing
by whoever the developer said their email address was at the time.

Subversion only operates in two modes, anonymous and authenticated. If you
set authentication up, every commit is authenticated. Developers cannot
attempt a commit without authentication.

Are you working on a codebase which needs additional restrictions on
branches or specific files? DVCS pushes the whole codebase to everyone. If
you can see the project, you can see everything in it. And the file that
was deleted because it had a raw key in it? Hope you pruned your history,
otherwise, it's still there.

What do you mean you moved to git to stop having to deal with
administrative issues with the Subversion repository? Git still needs
things like historical pruning, backups, dead branch deletion. You can kick
the can down the road a bit longer with git because its model is smaller on
disk, but those 200 dead branches are going to prevent any new developers
from being able to onboard rapidly.

If you are using Subversion, the historical-key-file problem still exists,
if the developer can see the file, they can roll the history back on it.
However, as Subversion requires each revision checkout to be a separate
request, your inside threat is going to leave some very blatant log
activity.

What do you mean that Bitbucket Cloud doesn't provide access logs for
repos? How does your security team review potential internal threats or
access control misconfigurations? GitHub Cloud does. Maybe if you were
running your VCS internally you could use the server logs? Also if your VCS
was internal, those access logs would be a little smaller as the whole
world couldn't attempt bulk logins. Oh, your access log doesn't have
attempts. Only successes. Cool. How do you know if someone is prodding your
publicly-accessible private repo more or less than usual?

You're not that concerned because you're using VCS to host your
documentation? Why? Are you going to merge your old documents and your new
documents? Oh, so you didn't have to setup a CMS (content management system).

I am also fond of using the electrician's hammer.

Does that screw look like a nail to you,

  [Cliff, In defense of Subversion and github, you may have overstated your
  case a bit.  Both take a bit of learning to cover certaub corner cases,
  and they do have benefits in highly distributed team efforts.  PGN]


iPhone Thief Explains How He Breaks Into Your Phone (WSJ)

Gabe Goldberg
<[email protected]>

Sun, 24 Dec 2023 20:13:56 -0500

Thieves are stealing Apple iPhones, passcodes and thousands of dollars from
their victims' bank accounts.

WSJ's Joanna Stern sat down with a convicted thief in a high-security prison
to find how”and how you can protect yourself.

https://www.youtube.com/watch?v=gi96HKr2vo8

  [High-security has (at least) TWO meanings here.  I wonder if Joanna
  came out with her phone intact.  PGN]


Former White House scientist was scammed out of $650K and must pay taxes (The Washington Post)

Gabe Goldberg
<[email protected]>

Fri, 22 Dec 2023 01:08:59 -0500

The government that Frances Sharples served for more than four decades
considers the money to be income, compounding her pain

Frances Sharples walked through the glass doors of her credit union, ready
to make the worst decision of her life.

She had a script from the man promising to save the retirement account she
built over decades as a science adviser to the U.S. government, including in
the White House.

He told her to transfer more than $600,000 ” and to keep her cellphone on so
he could listen to her. If anyone asked whether she was put up to it, she
was to reply: “No, absolutely not,” according to her hand-scrawled notes. No
one did. She handed the clerk the routing number, walked back to her dented
2005 Honda and returned home.

“Now I'm good,” she told herself. “Now, I'm safe.”  [...]

Billings started small, saying Sharples first needed to protect the $25,000
in her savings account at Commerce Federal. Williams would keep her on the
line from 7 a.m. until bedtime ” claiming to be removing malicious software
from her computer but mostly lingering silently ” for more than two weeks.

Finally, a document appeared on her screen with a list of account names and
numbers. Print it out, Billings told her. Drive to your credit union.

She did.

According to the script he gave her, if asked, she should say she was moving
the money to her investment account, something she does frequently.  [...]

At that point, a precaution set up to backstop bad customer decisions kicked
in. After Sharples asked TIAA ” which managed the retirement account ” to
transfer her money, a senior fraud investigator with the company called to
question her decision.

“Is someone else telling you to do this?” he asked.

“No, it’s my idea,” she said, following the script. “I’ve decided I want to
invest in a different way.” [...]

As she prepared her taxes online, Sharples was sickened by what she saw on
her Form 1040, which showed the fraud raising her taxes by hundreds of
thousands of dollars. She was then drawn through an excruciating education
in the nation's sprawling tax code.

https://www.washingtonpost.com/dc-md-va/2023/12/14/cyber-crime-scams-irs-taxes/


Re: Ex-Amazon security engineer admits to stealing over $12M in crypto (ReadWrite)

Gabe Goldberg
<[email protected]>

Mon, 18 Dec 2023 17:08:11 -0500

Ahmed's first target was the undisclosed crypto exchange on the Solana
blockchain. He manipulated a smart contract to introduce false pricing data,
which led to the generation of approximately $9 million in inflated
fees. After withdrawing these funds, Ahmed brazenly offered to return the
stolen amount, minus $1.5 million, on the condition that the exchange would
not involve law enforcement. This attack closely resembles the breach that
impacted the Crema Finance decentralized finance platform in July 2022.

Following this initial hack, Ahmed turned his attention to Nirvana
Finance. He exploited a loophole in the DeFi protocol's smart contract,
taking a flash loan of ANA cryptocurrency tokens at a low price and selling
them back at a higher rate. This maneuver netted him around $3.6
million. Despite being offered a $300,000 bounty to return the stolen
assets, Ahmed refused, demanding $1.4 million and ultimately leading to the
shutdown of Nirvana Finance after no agreement was reached.

https://readwrite.com/ex-amazon-security-engineer-admits-to-stealing-over-12m-in-crypto/

If those are smart contracts, what would dumb ones be?


Re: What to do when receiving unprompted MFA OTP codes (RISKS-33.97)

Joseph Gwinn
<[email protected]>

Mon, 18 Dec 2023 18:07:43 -0500

The bleeping computer article misses the distinction between TFA (two-factor
authentication) and TSA (two-step authentication), TFA being far more secure
than TSA.

With TFA, one must possess a physical crypto token (like an RSA SecureID
token) plus a password, the factors being something one possesses (token)
and something one knows (password).  The computer is not providing
authentication.

With the TSA, no physical token is used, it's something one knows (a
password) provided to a computer, and it is done in two steps.  If malware
has managed to sufficiently infect the computer, the malware can perform
both steps.

In the story of unsolicited OTP codes, the malware had not gained sufficient
control and was thwarted.  But the whole drama would not have happened if
true TFA had been implemented.

Amazon certainly knows the difference, which is why they call what they do
TSA, not TFA.


Re: WeWork has failed, leaving damage in its wake (Kilby and Ward)

Martin Ward
<[email protected]>

Sat, 23 Dec 2023 11:25:56 +0000

Is capitalism an efficient economic system?  It depends on what you want to
optimise for: if the purpose of your economic system is to transfer wealth
from everyone else to a handful of billionaires, then capitalism is already
very efficient and becoming ever more efficient.  If the purpose is the long
term thriving of the human race, then capitalism is a terrible system: the
thing you are optimisimg for (called "profit") is actually a form of
friction and *loss* to the system as stores of value (money) get extracted
from the economic cycle and stashed away unproductively.  Whole industries,
such as advertising and banking, are purely destructive of value.

A better economic system would eliminate the concept of "profit" as
something extracted by shareholders and board members.  Activities that are
most efficient when nationalised, such as fire service, police, army, energy
distribution, transport, and of course, the health service, should never be
allowed to fall into private hands or should be taken out of private hands.
Each of these activities gets a budget to do a certain thing and should be
laser focused on doing that thing.  The post office delivers letters and
parcels, the railway network runs railways, the health service keeps the
population healthy, the universities generate knowledge and so on. This
leads to a lot of difficult discussions about how much each service needs in
order to ensure human thriving without a negative impact on other
services. But the current approach where everything is reduced to profit is
once again, optimising for the wrong thing.

For private industry, small family businesses and small to medium
cooperatives will ensure that any "profit" is recycled back into the
economy.

In conclusion: The reason that poverty and homelessness exist is not because
capitalism is not working properly, but because that is the way it works.poappp

Please report problems with the web pages to the maintainer

Top



Source link

Leave a Reply

Your email address will not be published. Required fields are marked *