RISKS-LIST: Risks-Forum Digest  Saturday 15 Nov 2024  Volume 34 : Issue No 49

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.49>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents: [Way backlogged, Running out of time.]
Was this election well conducted? (Peter G. Neumann)
After Trump Took the Lead, Election Deniers Went Suddenly Silent
  (The NY Times)
Terrified friends burned to death in Tesla as electronic doors
  wouldn't open after crash (The Mirror)
Robotaxis open for business in Los Angeles (LA Times)
Zoox's pill-shaped robotaxis become latest self-driving cars to hit
  California's streets (LA Times)
Anomalous Windows Server Update (MSPowerUser)
North Korea Jams GPS Signals (The Korea Times)
A new iOS 18 security feature makes it harder for police to unlock iPhones
  (The Verge)
A kayaker was missing for months. Authorities say he faked his death.
  (WashPost)
Fake images of hurricane survivors have become a bizarre meme (NBC News)
Import what?
  (The Register)
42% of daily X users have a negative view of it -- losing the block feature
  won't help (ZDNET)
AI fails a student's paper, with "98% accuracy" (The Star via Ed Ravin)
Top Routinely Exploited Vulnerabilities in 2023 (CISA.GOV)
Inside the Massive Crime Industry That's Hacking Billion-Dollar Companies
  (WiReD)
How Tech Created a *Recipe for Loneliness* (The NY Times)
Hidden Data in Amgen Publicly-released Spreadsheet Possible Cause of Stock
  Drop (CNBC)
I was moderating hundreds of horrific and traumatising videos (BBC)
Re: Families Battle Tech Giants as Australia Pushes for an Under-16
  Social-Media Ban (WSJ via Monty Solomon)
Re: Australia plans social media ban for under-16s (Steve Bacher)
Re: Man who made 'depraved' child images with AI jailed (Steve Bacher)
Re: Nobody wants Copilot Pro AI for Office365, so Microsoft will
  force-bundle it and raise the price? (Pivot to AI) (Steve Bacher)
Re: AI decodes oinks and grunts to keep pigs happy (Steve Bacher)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 15 Nov 2024 13:02:12 PST
From: Peter G Neumann <neumann () csl sri com>
Subject: Was this election well conducted?

1. Did the computer technology work correctly?  Perhaps the same answer as
in the Biden election in 2020 -- with all the preparation and oversight --
despite the President-elect claiming that nothing could be trusted (in case
he lost).  Nevertheless, most of the technology is not really capable of
enforcing stringent requirements for security, integrity, and
trustworthiness.

2. Was the election riddled with wrong-doings?  Yes, but most of them had
very little to do with the technology used in the election.
A few of you may remember that my final report for the SRI portion of the
NSF ACCURATE team project wrote extensively about how the non-technical
issues were beginning to weigh heavily in the overall trustworthiness of the
overall election process: character assassination, malicious lies,
misinformation, intentional disinformation, death threats to election
officials and voters, support from the Supreme Court, dumbing down public
education, book burning, claiming slavery was a job-opportunities program,
and many other factors that were almost totally unrelated to the computer
technology were all pieces of the puzzle.

  [Lillie Coney recently mentioned (RISKS-34.47) a joint paper:
  Lillie Coney, Juan E. Gilbert, Peter G. Neumann, Erik Nilsson, Jon Pincus,
  and Bruce Schneier, E-Deceptive Campaign Practices, Electronic Privacy
  Information Center and The Century Foundation, 20 Oct 2008:
    http://votingintegrity.org/pdf/edeceptive_report.pdf
  PGN]

*The NYTimes* had a series of articles on Sunday and Monday trying to assess
blame.  For example, President Biden failed to make the positive case for
his administration, and he deferred too long before exiting the candidacy.
The Democrats violated their own belief in an open convention.  Kamala
Harris did not adequately defend herself and attack back until it was too
late.  The voters' concerns were underestimated by pollsters and the
Democratic Party.  The real issues were never debated or even addressed.
Many Democrats apparently stayed home.  And that's just a few points
discussed post-election from some of the media.

Summary: The technology seemed to get an accurate sense of the voters; the
anomalies in the election generally lay elsewhere.

------------------------------

Date: Sun, 10 Nov 2024 12:22:35 -0500
From: "Monty Solomon" <monty () roscom com>
Subject: After Trump Took the Lead, Election Deniers Went Suddenly Silent

Trump supporters spent years fomenting concern about election integrity.
On Tuesday, they set it all aside.

https://www.nytimes.com/2024/11/06/technology/trump-election-denial.html

  [Surprise?  They were wrong all along???  PGN]

------------------------------

Date: Tue, 12 Nov 2024 16:59:00 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Terrified friends burned to death in Tesla as electronic doors
  wouldn't open after crash (The Mirror)

The only survivor of the October 24 fire was a woman in her 20s who was able
to get to safety after a quick-thinking passer-by smashed a window of the
burning Model Y car to free her [...]

https://www.mirror.co.uk/news/world-news/terrified-friends-burned-death-tesla-34087725

------------------------------

Date: Wed, 13 Nov 2024 06:35:45 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: Robotaxis open for business in Los Angeles (LA Times)

Angelenos can hail a robotaxi with the Waymo One app starting Tuesday.
There are about 100 taxis in the Los Angeles fleet but they don't drive
freeways.

https://www.latimes.com/california/story/2024-11-12/robotaxis-open-for-business-in-los-angeles

  [Why?  Perhaps because there would be only ONE person in the vehicle, and
  it could not go in the Diamond lane?  Insurance issue?  Safety issue when
  all the human-driven vehicles are routinely doing 80+ mph?  It can be
  difficult for CHP law enforcement to stop and arrest the non-driver of
  the driverless car???  PGN]

------------------------------

Date: Wed, 13 Nov 2024 06:37:04 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: Zoox's pill-shaped robotaxis become latest self-driving cars to hit
  California's streets (LA Times)

Is it a toaster?  Is it a pill on wheels?  No, it's Zoox's funny-looking
robotaxi, the latest fully autonomous vehicle to hit the streets of
California.  Zoox's self-driving vehicles began rolling out in San
Francisco's SoMa neighborhood this week, and are expected to compete with
robotaxis designed by Waymo, which started offering rides to the public in
San Francisco and Los Angeles earlier this year.
But not quite yet.  For now, Zoox's driverless trips around SoMa will be for
testing and research purposes only.

https://www.latimes.com/california/story/2024-11-12/zoox-pill-shaped-robotaxis-latest-self-driving-cars-california-streets

------------------------------

Date: Tue, 5 Nov 2024 10:36:30 -0500
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Anomalous Windows Server Update (MSPowerUser)

https://mspoweruser.com/microsoft-reportedly-upgrades-users-with-windows-server-2022-to-2025-without-notice/

It appears that an upgrade has been marked as a security update, and is
pushing some versions of Windows Server 2022 to Server 2025.  If you're
running Server 2022 21h2, you may want to manually flag KB5044284 as skipped
until Microsoft clarifies the issue.

------------------------------

Date: Mon, 11 Nov 2024 11:01:10 -0500 (EST)
From: ACM TechNews <technews-editor () acm org>
Subject: North Korea Jams GPS Signals (The Korea Times)

The Korea Times, 9 Nov 2024

North Korea staged GPS jamming attacks for the second consecutive day
Saturday, affecting several ships in the Yellow Sea and dozens of civilian
aircraft, according to South Korea's Joint Chiefs of Staff (JCS).  After
being alerted, the International Civil Aviation Organization adopted a
decision raising serious concerns over the GPS jamming, naming North Korea
explicitly for the first time.
  [Incidental PGN-added notes:
  Susan Landau has a post at Lawfare: CALEA Was a National Security Disaster
  Waiting to Happen:
    <https://www.lawfaremedia.org/article/calea-was-a-national-security-disaster-waiting-to-happen>
  Steve Bellovin noted an FBI item on China that was also of interest here:
    https://www.fbi.gov/news/press-releases/joint-statement-from-fbi-and-cisa-on-the-peoples-republic-of-china-targeting-of-commercial-telecommunications-infrastructure
  Lauren Weinstein noted: 2022 Russian TV program singing the praises of
  "our girlfriend" Tulsi Gabbard, who Trump wants to be director of
  national intelligence
    https://www.youtube.com/watch?v=N2_eL8t8D9Y
  PGN]

------------------------------

Date: Sat, 9 Nov 2024 12:22:20 -0500
From: Monty Solomon <monty () roscom com>
Subject: A new iOS 18 security feature makes it harder for police to unlock
  iPhones (The Verge)

Apple added an inactivity timer that reboots iPhones to a more secure state
when they haven't been unlocked in a while.

https://www.theverge.com/2024/11/9/24292092/ios-18-security-inactivity-reboot-police-complain-unlocking-iphone-difficult

------------------------------

Date: Tue, 12 Nov 2024 10:00:16 -0500
From: Monty Solomon <monty () roscom com>
Subject: A kayaker was missing for months. Authorities say he faked his
  death. (WashPost)

After scouring a lake in Wisconsin, authorities now say Ryan Borgwardt
staged his drowning to abandon his wife and three children.

https://www.washingtonpost.com/nation/2024/11/11/kayaker-drowned-faked-death-wisconsin/

  [PGN: Here are two unresolved disappearances:]

  [My late wife's oldest dear friend Marilyn had a brother Courtland Mumford
  who was a former TWA pilot.  One morning in 2007 he was out doing
  touch-and-go landings and takeoffs in his new Cessna to and from the
  Aurora State Airport in Western Oregon.  He and his plane disappeared,
  and no traces have been found in the past 17 years.
  Browsing gives some background, and adds other cases: MAST has developed
  the most accurate and comprehensive database on aircraft that have gone
  missing in the United States.

  Many of us remember the wonderful Jim Gray, who took his boat out from the
  San Francisco marina to the Farallon Islands, to scatter the ashes of his
  mother.  Jim and his boat disappeared and were never found.
    https://en.m.wikipedia.org/wiki/Jim_Gray_(computer_scientist)
  PGN]

------------------------------

Date: Fri, 11 Oct 2024 06:59:07 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Fake images of hurricane survivors have become a bizarre meme
  (NBC News)

Pluto holding a girl in his paws while trekking through a flooded Disney
World.  Godzilla crying while cradling a giant bug in a flooded city street.
A small girl in a lifejacket seated on a boat next to a green alien baby.

Absurd and comical rescue images that appear to have been made with
artificial intelligence have sprung up on social media this week as
Hurricane Milton hit Florida, a reaction to the earlier proliferation of
more realistic fake images related to Hurricane Helene.

Many of the memes are clearly fake: some contain fictional characters,
others look like illustrations, most have captions that imply the posts are
a joke.  But as technology has advanced, fake images generated by AI have
continued to proliferate on the Internet, at times making it easier for
false information to spread online.
Public officials even cautioned Floridians this week to beware of
AI-generated images that falsely depict conditions on the ground. [...]

https://www.nbcnews.com/tech/fake-images-hurricane-survivors-bizarre-meme-rcna174874

------------------------------

From: Cliff Kilby <cliffjkilby () gmail com>
Date: Wed, 2 Oct 2024 10:47:23 -0400
Subject: Import what? (The Register)

https://www.theregister.com/2024/09/30/ai_code_helpers_invent_packages/

Signs of risk in usage of "AI" for application development:

0: Legality of LLM/GPT training sources is still unresolved.

Risk the first, that you're using an AI for application development.  If
you're using TDD or any other code testing framework, you can mitigate this
risk by only allowing the AI to create/edit/suggest method/function level
code.  LLMs and GPTs have shown great promise in assisting with refactoring
or suggesting approaches for method level code.  The testing framework
should help ensure the code does what the AI "thinks" it does and help the
org create stable code quickly.

Risk number 2: If you let the AI write class level code, it breaks down
frequently.  As noted in the source, the current models will gladly pull in
libraries that don't exist.  This creates its own unique risks for languages
that can fetch packages.  Sure, that package didn't exist when the AI made
it up, but after looking at import trends, I've now created the package and
it's malicious.  Don't let the AI make import statements or fetch
dependencies.

------------------------------

Date: Thu, 3 Oct 2024 18:14:20 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: 42% of daily X users have a negative view of it -- losing the block
  feature won't help (ZDNET)

What X needs is stronger blocking, not this.

X CEO Elon Musk announced earlier this week that he's pulling the teeth out
of X's (formerly Twitter) blocking feature.  Soon, users you've blocked will
be able to view your posts again.
Nina Owji, a web developer, posted, "X is about to remove the current block
button, meaning that if an account is public, their posts will be visible to
the blocked users as well!"

Musk's reply: "High time this happened.  The block function will block that
account from engaging with, but not block seeing, public posts."

If Musk insists on going through with the weakened block, even more users
will flee X.  In the US, daily active X users fell to 27 million in February
2024, down 18% from a year earlier and 23% since Musk took over in November
2022.  The people who are staying, by the way, don't like X much.  I'm one
of those.  An August YouGov survey found that 42% of those who use X daily
have a negative view of it.

https://www.zdnet.com/article/42-of-daily-x-users-have-a-negative-view-of-it-losing-the-block-feature-wont-help/

------------------------------

Date: Mon 11 Nov 2024 00:09:33 -0500
From: Ed Ravin <eravin () panix com>
Subject: AI fails a student's paper, with "98% accuracy"

An Ontario, Canada student attending an online school had her paper rejected
by a 3rd-party system used by the school to check papers for plagiarism or
ChatGPT use.  When her mother complained, the school responded that the
system was "98% foolproof" and they would not reconsider:

https://www.thestar.com/news/canada/this-ontario-student-accused-of-cheating-was-flagged-by-an-ai-detection-program-but-the/article_569418c8-9869-11ef-a909-2f6c58004801.html

Even if the 98% claim is true, that still leaves a lot of students in the
lurch, especially if the school acts as if the cheat-detection is 100%
perfect...
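Returning to Cliff Kilby's "Import what?" item above: his mitigation is to keep the assistant away from import statements and dependency fetching. One mechanical way to enforce that is a pre-commit style gate that parses the imports of any generated file and refuses names that are neither in the Python standard library nor in the project's declared dependency list, so a made-up package name is caught before any tool tries to resolve it from a registry. The following is an added example and is not code from the RISKS item or The Register article; the declared-dependency set, the sample source, and the package name `fastjsonparse` are constructed for illustration.

```python
"""Gate on undeclared imports so hallucinated package names never reach an
installer.  Added example, not from the RISKS item or The Register article;
the dependency list and sample source are constructed placeholders."""
import ast
import importlib.util
import sys
import sysconfig

# Constructed stand-in for the names a project declares in requirements.txt
# or pyproject.toml.  Anything not listed here and not in the stdlib is refused.
DECLARED_DEPENDENCIES = frozenset({"requests", "cryptography"})

STDLIB_DIR = sysconfig.get_paths()["stdlib"]


def is_stdlib(name: str) -> bool:
    """True if `name` is a top-level module shipped with the interpreter."""
    if hasattr(sys, "stdlib_module_names"):          # Python 3.10+
        return name in sys.stdlib_module_names
    if name in sys.builtin_module_names:
        return True
    spec = importlib.util.find_spec(name)            # None if nothing resolves
    origin = getattr(spec, "origin", None) or ""
    return origin.startswith(STDLIB_DIR) and "site-packages" not in origin


def imported_top_level_names(source: str) -> set:
    """Top-level package names referenced by absolute import statements."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                names.add(alias.name.split(".")[0])   # "os.path" -> "os"
        elif isinstance(node, ast.ImportFrom):
            if node.level == 0 and node.module:      # skip relative imports
                names.add(node.module.split(".")[0])
    return names


def undeclared_imports(source: str, declared=DECLARED_DEPENDENCIES) -> set:
    """Imported names that are neither stdlib nor declared dependencies."""
    return {n for n in imported_top_level_names(source)
            if not is_stdlib(n) and n not in declared}


# Constructed sample of assistant-generated code.  "fastjsonparse" is an
# invented placeholder for a package name the model made up.
SAMPLE_SOURCE = """
import json, os.path
from fastjsonparse import parse_fast
from requests import get
from . import helpers
"""

if __name__ == "__main__":
    unknown = undeclared_imports(SAMPLE_SOURCE)
    if unknown:
        print("refusing: undeclared imports", sorted(unknown))
        sys.exit(1)
    print("imports ok")
```

The check is deliberately strict in one direction: a name that happens to exist on a registry but is not declared is still refused, because "it exists today" is exactly the condition Kilby describes an attacker creating after the fact. Declaring a dependency stays a human decision; the gate only makes sure the assistant cannot add one silently.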
------------------------------

Date: Fri, 15 Nov 2024 09:50:21 -0500
From: Monty Solomon <monty () roscom com>
Subject: Top Routinely Exploited Vulnerabilities in 2023 (CISA.GOV)

https://www.cisa.gov/news-events/cybersecurity-advisories/aa24-317a

------------------------------

Date: Tue, 12 Nov 2024 01:34:17 -0500
From: "Gabe Goldberg" <gabe () gabegold com>
Subject: Inside the Massive Crime Industry That's Hacking Billion-Dollar
  Companies (WiReD)

When you download a piece of pirated software, you might also be getting a
piece of infostealer malware, and entering a highly complex hacking
ecosystem that's fueling some of the biggest breaches on the planet.

https://www.wired.com/story/inside-the-massive-crime-industry-thats-hacking-billion-dollar-companies/

------------------------------

Date: Sun, 10 Nov 2024 22:08:53 -0500
From: "Monty Solomon" <monty () roscom com>
Subject: How Tech Created a *Recipe for Loneliness* (The NY Times)

Technology and loneliness are interlinked, researchers have found, stoked by
the ways we interact with social media, text messaging and binge-watching.

https://www.nytimes.com/2024/11/10/technology/personaltech/technology-loneliness.html

------------------------------

Date: Tue, 12 Nov 2024 23:43:13 -0500
From: Bob Gezelter <gezelter () rlgsc com>
Subject: Hidden Data in Amgen Publicly-released Spreadsheet Possible Cause
  of Stock Drop (CNBC)

While I am not an attorney, I often speak on the technical aspects of
electronically stored information (ESI).  I advise attendees to take care to
produce the requested material.  I also caution that it is important to
understand what information was produced.

Today, Amgen stock suffered a decline when a Cantor Fitzgerald analyst
reported that they had uncovered hidden, potentially adverse, data in the
publicly-released spreadsheet from an early stage trial of a weight-loss
drug.
The complete article, including video clip, can be found at:
https://www.cnbc.com/2024/11/12/amgen-stock-falls-on-weight-loss-drugs-bone-density-loss-data.html

------------------------------

Date: Mon, 11 Nov 2024 12:13:26 -0700
From: "Matthew Kruk" <mkrukg () gmail com>
Subject: I was moderating hundreds of horrific and traumatising videos (BBC)

https://www.bbc.com/news/articles/crr9q2jz7y0o

Over the past few months the BBC has been exploring a dark, hidden world: a
world where the very worst, most horrifying, distressing, and in many cases,
illegal online content ends up.

Beheadings, mass killings, child abuse, hate speech: all of it ends up in
the inboxes of a global army of content moderators.  You don't often see or
hear from them, but these are the people whose job it is to review and then,
when necessary, delete content that either gets reported by other users, or
is automatically flagged by tech tools.

The issue of online safety has become increasingly prominent, with tech
firms under more pressure to swiftly remove harmful material.  And despite a
lot of research and investment pouring into tech solutions to help,
ultimately for now, it's still largely human moderators who have the final
say.
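Returning to Bob Gezelter's Amgen item above: his advice is to understand what a produced document actually contains before releasing it. The item does not say how the adverse data was hidden, but an .xlsx file offers three standard ways to keep content out of view (sheets whose state is `hidden` or `veryHidden`, hidden rows, and hidden columns), and all three are plain attributes in the XML parts inside the zip container, so a release check needs nothing beyond the Python standard library. The scanner below is an added example, not code from the RISKS item or the CNBC article; the workbook it scans is a constructed minimal package (sheet names, labels and the hidden elements are made up), and real files carry further parts, such as `[Content_Types].xml`, that the scanner does not need to read.

```python
"""Scan an .xlsx package for content Excel would not display: hidden or
veryHidden sheets, hidden rows and hidden columns.  Added example, not from
the RISKS item or the CNBC article; the sample workbook is constructed."""
import io
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "m": "http://schemas.openxmlformats.org/spreadsheetml/2006/main",
    "r": "http://schemas.openxmlformats.org/officeDocument/2006/relationships",
    "p": "http://schemas.openxmlformats.org/package/2006/relationships",
}


def find_hidden_content(xlsx_bytes: bytes) -> list:
    """Return (sheet name, kind, detail) tuples for every hidden element."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as pkg:
        workbook = ET.fromstring(pkg.read("xl/workbook.xml"))
        rels = ET.fromstring(pkg.read("xl/_rels/workbook.xml.rels"))
        targets = {rel.get("Id"): rel.get("Target")
                   for rel in rels.findall("p:Relationship", NS)}
        for sheet in workbook.findall("m:sheets/m:sheet", NS):
            name = sheet.get("name")
            state = sheet.get("state", "visible")   # visible|hidden|veryHidden
            if state != "visible":
                findings.append((name, "sheet", state))
            target = targets[sheet.get("{%s}id" % NS["r"])]
            # Targets are relative to xl/ unless written as an absolute part name.
            part = target[1:] if target.startswith("/") else "xl/" + target
            ws = ET.fromstring(pkg.read(part))
            for col in ws.findall("m:cols/m:col", NS):
                if col.get("hidden") in ("1", "true"):
                    findings.append((name, "columns",
                                     f"{col.get('min')}-{col.get('max')}"))
            for row in ws.findall("m:sheetData/m:row", NS):
                if row.get("hidden") in ("1", "true"):
                    findings.append((name, "row", row.get("r")))
    return findings


# Constructed sample workbook: a visible summary sheet with one hidden row
# and two hidden columns, plus a veryHidden sheet of raw values.
_WORKBOOK = f"""<workbook xmlns="{NS['m']}" xmlns:r="{NS['r']}"><sheets>
<sheet name="Summary" sheetId="1" r:id="rId1"/>
<sheet name="RawData" sheetId="2" state="veryHidden" r:id="rId2"/>
</sheets></workbook>"""
_RELS = f"""<Relationships xmlns="{NS['p']}">
<Relationship Id="rId1" Type="{NS['r']}/worksheet" Target="worksheets/sheet1.xml"/>
<Relationship Id="rId2" Type="{NS['r']}/worksheet" Target="worksheets/sheet2.xml"/>
</Relationships>"""
_SHEET1 = f"""<worksheet xmlns="{NS['m']}">
<cols><col min="4" max="5" width="0" hidden="1"/></cols>
<sheetData>
<row r="1"><c r="A1" t="inlineStr"><is><t>Endpoint A</t></is></c></row>
<row r="2" hidden="1"><c r="A2" t="inlineStr"><is><t>Endpoint B</t></is></c></row>
</sheetData></worksheet>"""
_SHEET2 = f"""<worksheet xmlns="{NS['m']}"><sheetData>
<row r="1"><c r="A1" t="inlineStr"><is><t>per-subject values</t></is></c></row>
</sheetData></worksheet>"""


def build_sample_workbook() -> bytes:
    """Assemble the constructed parts into the zip container an .xlsx is."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("xl/workbook.xml", _WORKBOOK)
        pkg.writestr("xl/_rels/workbook.xml.rels", _RELS)
        pkg.writestr("xl/worksheets/sheet1.xml", _SHEET1)
        pkg.writestr("xl/worksheets/sheet2.xml", _SHEET2)
    return buf.getvalue()


if __name__ == "__main__":
    for sheet, kind, detail in find_hidden_content(build_sample_workbook()):
        print(f"{sheet}: hidden {kind} {detail}")
```

To run it against a real file, pass `open(path, "rb").read()` to `find_hidden_content`. The scanner reports only the three hiding mechanisms named above; cell comments, defined names, document properties, filtered rows, white-on-white formatting and pivot caches can also carry data a reader never sees, so a non-empty result is a reason to stop the release, while an empty one is not proof that the file is clean.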
------------------------------

Date: Sun, 10 Nov 2024 12:25:17 -0500
From: "Monty Solomon" <monty () roscom com>
Subject: Re: Families Battle Tech Giants as Australia Pushes for an Under-16
  Social-Media Ban (WSJ)

  [Another take on the item in the previous issue, Australia plans social
  media ban for under-16s (BBC)
  https://www.bbc.com/news/articles/c4gzd62g1r3o
  PGN]

Proposal, considered among the strictest of its kind, stirs controversy over
how best to protect children online

https://www.wsj.com/world/oceania/families-battle-tech-giants-as-australia-pushes-for-an-under-16s-social-media-ban-7045f224

------------------------------

Date: Sat, 9 Nov 2024 10:43:58 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: Re: Australia plans social media ban for under-16s (RISKS-34.48)

What the articles (at least those that I've read) fail to mention is that
you can't implement a reliable age-based restriction without demanding
verifiable proof of age from *every* customer, which means sharing private
information with government or other institutions about what you desire to
access.  You can guess which kinds of sites are most concerned about these
proposals.

------------------------------

Date: Sat, 9 Nov 2024 10:47:19 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: Re: Man who made 'depraved' child images with AI jailed (BBC)
  (RISKS 34.48)

You write that "the legal problems created by AI-generated content depicting
criminal offenses against children, but where no real children are involved
nor hurt, are still not resolved."  Heck, the legal problems with *any*
depictions that don't involve real children haven't been resolved, or at
least not in a way compatible with US free speech protections (which I
acknowledge are stronger than those in the UK).

------------------------------

Date: Sat, 9 Nov 2024 11:02:51 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: Re: Nobody wants Copilot Pro AI for Office365, so Microsoft will
  force-bundle it and raise the price?
  (Pivot to AI) (RISKS 34.48)

This is an old, old practice.  My first encounter with it was in the
Seventies when Rolling Stone magazine decided to switch from black and white
to color (I don't recall anyone asking for this) and then raising the
newsstand price to cover the increased costs.

------------------------------

Date: Sat, 9 Nov 2024 11:18:25 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: Re: AI decodes oinks and grunts to keep pigs happy (RISKS 34.48)

It wasn't that long ago (in fact it may have been as recently as April 1,
2024) that an April Fool's Day prank was circulating about an app that would
translate dog barks.  How little time it has taken for this joke to be
rendered obsolete by reality.  Today's pigs may be tomorrow's dogs.

Has anyone consulted Dr. Dolittle about his experience with interpreting pig
speech?

  [I think he moved to Oinkers, NY, but still has to do little.  PGN]

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string 'notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.49
************************