
RISKS Forum mailing list archives

From: RISKS List Owner risko () csl sri com
Date: Fri, 13 May 2022 17:14:02 PDT

RISKS-LIST: Risks-Forum Digest  Friday 13 May 2022  Volume 33 : Issue 20

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at http://www.risks.org as
  http://catless.ncl.ac.uk/Risks/33.20
The current issue can also be found at
  http://www.csl.sri.com/users/risko/risks.txt

Contents:
Oops! Looks like your Mirror isn't connected to a network (geoff goodfellow)
Companies envision taxis flying above jammed traffic (techxplore)
Global cost of cybercrime topped $6 trillion in 2021 (techxplore)
As Cryptocurrencies Melt Down, $300 Billion Evaporates in Days (NYTimes)
Crypto's Audacious Algorithmic Stablecoin Experiment Crumbles (Bloomberg)
Decade-Old Bugs Discovered in Avast, AVG Antivirus Software (Charlie Osborne)
Costa Rica Declares Emergency in Ongoing Cyberattack (ABC)
Why Twitter May Be Doomed (Lauren Weinstein)
Facebook is trying to capitalize on my grief (Rob Slade)
EU plans to require backdoor to encrypted messages for child protection (Apple)
Cellphones have no real off switch (Peter Gutmann)
ICE 'now operates as a domestic surveillance agency,' think tank says (Engadget)
ACM, Ethics, and Corporate Behavior (Moshe Vardi, CACM March 2022)
Did bad interface design lead to the sinking of the Moskva? (Paul Robinson)
Re: Bitcoin Is Unlikely to Go Green (John Levine)
Re: Squirrels (Elinor Mills)
Re: FBI Told Israel It Wanted Pegasus Hacking Tool for Investigations (Jan Wolitzky)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 12 May 2022 18:04:21 -1000
From: geoff goodfellow geoff () iconia com
Subject: Oops! Looks like your Mirror isn't connected to a network

https://twitter.com/LordRavenscraft/status/1524482648315473922

  [That won't work in Red Rock Canyon Park (RISKS-30.72) and many other
  places with no wireless.  PGN]

------------------------------

Date: Tue, 10 May 2022 16:33:53 +0800
From: Richard Stein rmstein () ieee org
Subject: Companies envision taxis flying above jammed traffic (techxplore.com)

https://techxplore.com/news/2022-05-companies-envision-taxis-traffic.html

With or without pilots? Droned if you do or droned if you don't!

------------------------------

Date: Wed, 11 May 2022 09:57:38 +0800
From: Richard Stein rmstein () ieee org
Subject: Global cost of cybercrime topped $6 trillion in 2021 (techxplore.com)

https://techxplore.com/news/2022-05-global-cybercrime-topped-trillion-defence.html

The world's economy, per GDP estimates, is estimated @ US$ ~104T per
https://en.wikipedia.org/wiki/World_economy (retrieved on 11MAY2022).

The essay cites a deficit of ~200K cyber-security professionals, in Europe
specifically, as a possible remedy to reduce grift and cut the skim.
Investing in people, training, and infrastructure is proactive and usually,
with supportive leadership, effective.

The outrage expressed by corporate lobbyists to recently proposed SEC
regulations (see https://www.sec.gov/files/33-11038-fact-sheet.pdf)
indicates that disclosing corporate CxO cyber-skillsets for the investing
public to assess might accelerate essential investments to tame the
cybertheft wildfire.

See "Industry Report" in
https://www.washingtonpost.com/politics/2022/05/10/costa-rica-shows-damage-ransomware-can-do-country/
(retrieved on 11MAY2022) for a discussion.

------------------------------

Date: Fri, 13 May 2022 15:02:13 PDT
From: Peter Neumann neumann () csl sri com
Subject: As Cryptocurrencies Melt Down, $300 Billion Evaporates in Days

David Yaffe-Bellany, Erin Griffith, and Ephrat Livni
*The New York Times*, 13 May 2022, National Edition front page + A20
[PGN-ed]

Bitcoin fell as low as $26,000, down 60% from its November 2021 peak, and
down 20% in just the past five days. Just a few months ago, blockchain
proponents were predicting the price would rise as high as $100,000 this
year. "Stablecoin" TerraUSD imploded to a low of $0.23 (not backed by cash,
and depending on Luna, which lost almost its entire value). Treasury's
leader suggested a *regulatory framework* is needed.

  [See also: Cryptocurrencies Melt Down in a 'Perfect Storm' of Fear and Panic
  https://www.nytimes.com/2022/05/12/technology/cryptocurrencies-crash-bitcoin.html ]

------------------------------

Date: Wed, 11 May 2022 12:03:17 -0400 (EDT)
From: ACM TechNews technews-editor () acm org
Subject: Crypto's Audacious Algorithmic Stablecoin Experiment Crumbles (Bloomberg)

Stacy-Marie Ishmael, Bloomberg, 10 May 2022, via ACM TechNews, 11 May 2022

The algorithmic stablecoin cryptocurrency does not provide greater stability
than other cryptocurrencies. Conventional stablecoin issuers say their
tokens are underpinned by "real" assets like cash or highly rated bonds, and
can theoretically maintain stability because they can be readily swapped for
cash or highly liquid cash equivalents. Algorithmic stablecoins try holding
their value through a mix of instructions encoded in algorithms and active
treasury management. The failure of such cryptoassets' price stability
mechanisms could carry systemic ramifications for other coins and protocols,
as CoinMarketCap counts roughly 18.5 billion TerraUSD stablecoins in
circulation.

Said Kyle Samani at the Multicoin Capital investment firm, "The biggest
losers from all of this will be retail [investors] that didn't understand
the risks they were taking."

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e9bfx233b92x071163

------------------------------

Date: Mon, 9 May 2022 12:08:31 -0400 (EDT)
From: ACM TechNews technews-editor () acm org
Subject: Decade-Old Bugs Discovered in Avast, AVG Antivirus Software (Charlie Osborne)

Charlie Osborne, ZDNet, 5 May 2022, via ACM TechNews, 9 May 2022

Researchers at cybersecurity software company SentinelOne reported two
high-severity bugs in Avast and AVG antivirus products that have gone
undetected for a decade. The researchers said the flaws have existed since
2012, and could have affected "dozens of millions of users worldwide." They
found the bugs in the Avast Anti Rootkit driver, and the first vulnerability
resided in a socket connection handler used by the kernel driver
aswArPot.sys; hackers could hijack a variable during routine operations to
escalate privileges, potentially disable security solutions, or meddle with
target operating systems. The researchers described the second bug as "very
similar" to the first, and rooted in the aswArPot+0xc4a3 function. Sentinel
Labs on Dec. 20 informed Avast of the vulnerabilities, and the company had
patched them by Feb. 11, with no active exploitation in the wild indicated.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e95ax233ad9x071942

------------------------------

Date: Fri, 13 May 2022 12:20:02 -0400 (EDT)
From: ACM TechNews technews-editor () acm org
Subject: Costa Rica Declares Emergency in Ongoing Cyberattack (ABC)

Javier Cordoba, ABC News, 12 May 2022 via ACM TechNews; 13 May 2022

Costa Rica has declared a state of emergency after enduring a month of
ransomware attacks that have hobbled critical systems. The siege began last
month when Costa Rica's Finance Ministry reported that its tax collection,
customs, and other systems were affected; the hackers also targeted the
nation's social security agency human resources system and its Labor
Ministry. The Russian-speaking Conti gang took credit for the attack. Costa
Rica's emergency declaration describes the perpetrators as "cybercriminals"
and "cyberterrorists." The U.S. State Department said the gang has
orchestrated hundreds of ransomware attacks over the past two years,
collectively targeting more than 1,000 victims and extorting them for more
than $150 million as of January 2022.

https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e9fdx233c2dx071807

------------------------------

Date: Mon, 9 May 2022 14:56:01 -0700
From: Lauren Weinstein lauren () vortex com
Subject: Why Twitter May Be Doomed

If a Musk "new regime" ruling @Twitter permits all speech that "is legal" --
Twitter is doomed. Because the parade of legal (in the U.S.) hate speech
that will flood the platform will drive away most advertisers, brands, and
support services that Twitter needs to operate.

------------------------------

Date: Fri, 13 May 2022 05:49:22 -0700
From: "Rob Slade, greatgrandpa and widower" rslade () gmail com
Subject: Facebook is trying to capitalize on my grief

So, I posted what I thought was a bit of a joke (albeit maybe a dark one)
about being pathetically lonely following bereavement.

https://twitter.com/rslade/status/1522345541522235392
https://www.blogger.com/blog/post/edit/626389518384655417/6860285728885858232#
https://fibrecookery.blogspot.com/2022/05/ding.html
https://www.facebook.com/rslade/posts/10160304212242853?notif_id=1651913627430909
https://www.blogger.com/blog/post/edit/626389518384655417/6860285728885858232#

And posted it various places, including Facebook.

Facebook has decided that either I am trying to raise money, or that I need
to raise money. (Facebook, being obsessed with money? I think I'll have a
heart attack and die from **NOT** being surprised.)

Facebook has somehow flagged my post with a suggestion that I ask my
"community" for "support," that is, money. They even include a link to a
page that will help you create "a fundraiser on Facebook in a few quick
steps." (The page opens with a grid of 15 options for different categories
of fundraisers, including "Other".)

I mean, I understand that you have zero privacy on Facebook. I understand
that Facebook considers everything you post there to be Facebook's property.
I understand that they have programs that automatically read, categorize,
and harvest everything you post.

But, somehow, this seems more than vaguely creepy. I assume that Facebook
is, somehow, going to monetize (for themselves) any funding that anyone does
raise using Facebook. (I don't know those business models, but I assume
that, at the very least, any money they raise for **anyone** helps them sell
themselves as a fundraising vehicle to major charities.)

But flagging (I assume) the word "bereaved" and then tying it to a pitch to
raise money just seems a bit beyond the pale. Facebook is trying to
capitalize on my (and others') grief.

------------------------------

Date: Wed, 11 May 2022 07:53:40 -0700
From: Lauren Weinstein lauren () vortex com
Subject: EU plans to require backdoor to encrypted messages for child protection (Apple)

https://appleinsider.com/articles/22/05/11/eu-plans-to-require-backdoor-to-encrypted-messages-for-child-protection

------------------------------

Date: Fri, 13 May 2022 10:24:39 +0000
From: Peter Gutmann pgut001 () cs auckland ac nz
Subject: Cellphones have no real off switch

  [This is an old topic in RISKS -- devices that are never off.  PGN]

WiSec has an upcoming paper on this for the specific case of iPhones:
https://dl.acm.org/doi/10.1145/3507657.3528547

The full paper is available via the parallel-publication mechanism on arXiv:
https://arxiv.org/pdf/2205.06114

------------------------------

Date: May 11, 2022 at 18:53:10 GMT+9
From: Dewayne Hendricks dewayne () warpspeed com
Subject: ICE 'now operates as a domestic surveillance agency,' think tank says (Engadget)

[Note: This item comes from friend David Rosenthal. DLH]

ICE 'now operates as a domestic surveillance agency,' think tank says
A study by the Center on Privacy and Technology found that ICE uses data
brokers to avoid restrictions.
By K. Holt, Engadget, 10 May 2022
https://www.engadget.com/ice-surveillance-report-us-government-193206600.html

Although it's supposed to be restricted by surveillance rules at local,
state and federal levels, Immigration and Customs Enforcement (ICE) has
built up a mass surveillance system that includes details on almost all US
residents, according to a report from a major think tank. Researchers from
Georgetown Law's Center on Privacy and Technology said ICE "now operates as
a domestic surveillance agency" and that it was able to bypass regulations
in part by purchasing databases from private companies.

"Since its founding in 2003, ICE has not only been building its own capacity
to use surveillance to carry out deportations but has also played a key role
in the federal government's larger push to amass as much information as
possible about all of our lives," the report's authors state. "By reaching
into the digital records of state and local governments and buying databases
with billions of data points from private companies, ICE has created a
surveillance infrastructure that enables it to pull detailed dossiers on
nearly anyone, seemingly at any time."

The researchers spent two years looking into ICE to put together the
extensive report, which is called "American Dragnet: Data-Driven Deportation
in the 21st Century." They obtained information by filing hundreds of
freedom of information requests and scouring more than 100,000 contracts and
procurement records. The agency is said to be using data from the Department
of Motor Vehicles and utility companies, along with the likes of call
records, child welfare records, phone location data, healthcare records and
social media posts.

ICE is now said to hold driver's license data for 74 percent of adults and
can track the movement of cars in cities that are home to 70 percent of the
adult population in the US. The study shows that ICE, which falls under the
Department of Homeland Security, has already used facial recognition
technology to search through driver's license photos of a third of adults in
the US. In 2020, the agency signed a deal with Clearview AI to use that
company's controversial technology. In addition, the report states that when
74 percent of adults hook up gas, electricity, phone or Internet utilities
in a new residence, ICE was able to automatically find out their updated
address.

The authors wrote that ICE is able to carry out these actions in secret and
without warrants. Along with the data it acquired from other government
departments, utilities, private companies and third-party data brokers, "the
power of algorithmic tools for sorting, matching, searching and analysis has
dramatically expanded the scope and regularity of ICE surveillance," the
report states.

Spending transactions reviewed by the researchers showed that, between 2008
and last year, ICE spent around $2.8 billion on "new surveillance, data
collection and data-sharing initiatives." It spent approximately $569
million on data analysis, including $186.6 million in contracts with
Palantir Technologies to help it make sense of its vast troves of data.
Records showed that ICE also spent more than $1.3 billion on geolocation
tech during that timeframe and $389 million on telecom interception, which
includes tech that helps the agency track someone's phone calls, emails,
social media activity and real-time Internet use.

In addition, the findings suggest the agency started engaging in certain
surveillance activities much earlier than previously believed. The
researchers found a contract from 2008 that granted ICE access to the Rhode
Island motor vehicle department's facial recognition database. Prior to
that, it was understood that ICE started conducting facial recognition
searches on state and local data sets in 2013.

------------------------------

Date: Tue, 10 May 2022 09:26:40 +0200
From: "Diego.Latella" diego.latella () isti cnr it
Subject: ACM, Ethics, and Corporate Behavior (Moshe Vardi, CACM March 2022)

A *great* note by Moshe Vardi. Sorry for late dissemination:

ACM, Ethics, and Corporate Behavior
https://cacm.acm.org/magazines/2022/3/258894-acm-ethics-and-corporate-behavior/fulltext

------------------------------

Date: Sun, 8 May 2022 11:45:17 +0000 (UTC)
From: "Paul Robinson" paul () paul-robinson us
Subject: Did bad interface design lead to the sinking of the Moskva?

"Bad design can kill: Missile defense and user fatigue"
https://www.youtube.com/watch?v=gaiVjJWOUWE

Russian Cruiser Moskva was sunk by the Ukrainian Army. This was a
significant win for Ukraine, because the Moskva was the Flagship of the
Russian Navy, and its sinking is an irreplaceable loss, since Russia can't
build ships due to various problems in its shipyards, as well as sanctions.

Now, of course, most of us reading this are glad this happened, but what
does it have to do with Risks? I'm glad you asked. Here's why.

There is a significant weakness in Russian defense systems, and it may be
the reason or a significant reason why the Moskva failed to defend itself
against incoming missiles: the user interface of the operator consoles, and
operator fatigue.

There are some who say the reason the Moskva was sunk was due to holes in
radar coverage (like thinking ship's radar only provides 180 degrees of
coverage), and thus the ship was blind to the approaching missiles. This
opinion is a misunderstanding how ship's radar works. Instead, it is argued
the problem was because the radar operators missed seeing the missiles, and
might actually not have been paying attention.

Russian military doctrine generally makes soldiers follow the exact plan and
not to deviate. This does not promote innovative or "out of the box"
thinking. But, however, life has a nasty habit of making plans ineffective
or useless.

Russian ships tend to be heavily dependent on manual operation. Data from
tracking systems is subject to human interpretation, and data in one system
has to be transferred by hand. Russian navigation radar tends to be of the
classic concentric circles, with refresh caused by a rotating line circling
around the radius of the display, technology that was state of the art --
back in the 1980s.

Now, it is not that old stuff doesn't work, it is capable of very good
performance. The problem is, it's labor-intensive. To be effective in this
environment, crews must be of high quality and performance, in order for
these manual systems to work. Which then moves to the elephant in the room:
operator fatigue.

Now, in exercises and other practice drills, people are often very alert
because the exercises are timed and the crew know something is going to
happen. On real-world missions, the assumption is that there won't be any
events. So imagine a sailor in the combat information center in a Russian
warship is watching a green, circular "rotating cursor" radar display, for
hours on end. Modern radar displays provide much more information, in ways
that aren't effectively hypnotic. The average person -- or even the average
sailor -- probably could not stare at that display for 30 solid minutes and
maintain focus. Now, consider that sailor is staring at that screen, eight
hours a day for seven weeks, and nothing happened. I think it is very likely
that it would be difficult to maintain focus. So operator fatigue sets in.

Consider that, with incoming missiles, the operator has about two minutes
from first appearance of a dot on the radar until the missile hits. This
demands immediate action to engage the missile, not enough time to call
battle stations or their commanding officer for orders. So, after weeks of
intense boredom, the operator might be distracted, half asleep, or smoking.
The operator might not have seen the missile for maybe a minute, or never
saw it at all, and even if the alarm was sounded, there is now not enough
time to stop the missile from striking the ship. In short, only a
well-trained crew and defined procedures to handle the attack could have
saved them.

So, this is one example of the potential risk of badly designed operator
interfaces.

------------------------------

Date: 8 May 2022 18:42:57 -0400
From: "John Levine" johnl () iecc com
Subject: Re: Bitcoin Is Unlikely to Go Green (RISKS-33.18)

The most illuminating aspect of Proof of Stake is that it shows that many
blockchain technologists/boosters are entirely innocent of any knowledge of
business, or, at least, the history of business failures and frauds.
Considering that they equally don't know economic history, such as why every
country abandoned the gold standard, why deflation makes countries
miserable, and why hyperinflation was always a political decision, it's not
surprising.

------------------------------

Date: Mon, 9 May 2022 06:52:03 -0700
From: Peter G Neumann neumann () CSL SRI COM
Subject: Re: Squirrels

  [Thanks to Elinor Mills.  PGN]

Free *Washington Post* article: https://wapo.st/3yn5L2u
Kicking off Squirrel Week 2022 with some squirrels in the news

"Meanwhile, in early March, the power went out in 4,000 homes in three New
Orleans neighborhoods. A squirrel got the blame.
https://www.wwltv.com/article/news/local/orleans/first-bird-now-squirrel-second-animal-related-power-outage-in-week/289-280c3d91-68a0-47dd-91d3-3f41af6d925b
"We look out here and we can see the squirrels," Jim Bulling told WWL-TV,
"squirrels commuting along the power lines." Bulling lives across the street
from a substation and every morning watches...

------------------------------

Date: Fri, 13 May 2022 05:20:08 -0400
From: Jan Wolitzky jan.wolitzky () gmail com
Subject: Re: FBI Told Israel It Wanted Pegasus Hacking Tool for Investigations (NYTimes)

  [See RISKS-33.02,03,05,06 for earlier items on this.  PGN]

WASHINGTON -- The FBI informed the Israeli government in a 2018 letter that
it had purchased Pegasus, the notorious hacking tool, to collect data from
mobile phones to aid ongoing investigations, the clearest documentary
evidence to date that the bureau weighed using the spyware as a tool of law
enforcement.

The FBI's description of its intended use of Pegasus came in a letter from a
top FBI official to Israel's Ministry of Defense that was reviewed by *The
New York Times*. Pegasus is produced by an Israeli firm, NSO Group, which
needs to gain approval from the Israeli government before it can sell the
hacking tool to a foreign government.

https://www.nytimes.com/2022/05/12/us/politics/fbi-pegasus-spyware-israel.html

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
= SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
= SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
= SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
= The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   http://www.CSL.sri.com/risksinfo.html
 *** Contributors are assumed to have read the full info file for guidelines!
= OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS -- VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
== Special Offer to Join ACM for readers of the ACM RISKS Forum:
    http://www.acm.org/joinacm1

------------------------------

End of RISKS-FORUM Digest 33.20
************************
