Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit precedence: bulk Subject: Risks Digest 34.10 RISKS-LIST: Risks-Forum Digest yyday zz March 2024 Volume 34 : Issue 10 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at as The current issue can also be found at Contents: SFO-bound flight returns to Australia (Jordan Parker PGN-ed) Latam flight event (Jim Geissman) Boeing tells pilots to check seats after Latam plane (BBC) Alaska Airlines Flight Was Scheduled for Safety Check on Day Panel Blew Off (NYTimes) Hackers Breached Key Microsoft Systems (Sean Lyngaas) Microsoft AI engineer warns FTC about Copilot Designer safety Cut submarine cables cause web outages across Africa; 6 countries still affected (ArsTechnica) McDonald's hit by outages at stores worldwide (BBC) McDonald's blames global outage on third party (BBC) Phony Billionaires on Facebook Are Scamming Americans Out of Their Life Savings (WashPost) Amid explosive demand, America is running out of power (WashPost) CISA hacked (Sean Lungaas) Even a security expert can get phished (Pluralistic) Microsoft says Kremlin-backed hackers accessed its source and internal systems (ArsTechnica) Spate of Mock News Sites With Russian Ties Pop Up in U.S (NYTimes) companies (NYTimes) Autos are spying on drivers, feeding the info to insurance Aescape's Robot-Arm-Powered Massage Table (WiReD) ATT outage under FCC investigation (WashPost) The AI-generated hell of the 2024 election (The Verge) New Hampshire voters sue Biden deepfake robocall creators (NBCNews) Google Restricts Gemini Chatbot Election Answers (Peter Hoskins) Robot Ships Are Setting Sail (BBC) Your Doctor's Office Might Be Bugged (Jesse Pines) AI Is Being Built on Dated, Flawed Motion-Capture Data (Julianne Pepitone) Researchers Jailbreak Chatbots with ASCII Art (Mark Tyson) Nvidia sued over AI training data as copyright clashes continue (ArsTechnica) Reports of DJI data breach turn out to be false apparently (Lauren Weinstein) Pornhub disables website in Texas amid legal battle with attorney general's office (NBCNews) Massively Popular Safe Locks Have Secret Backdoor Codes (Victor Miller) D-Wave Says Its Quantum Computers Can Solve Otherwise Impossible Tasks ( (Matthew Sparkes) Re: End-to-End Encryption under attack in Nevada (John Levine) Re: A Vending Machine Error Revealed Secret Face Recognition Tech (Steve Bacher) Re: comp.risks via Panix? (Steve Bacher) Re: More than 2 Million Research Papers Have Disappeared from the Internet (Martin Ward) Re: Risks of Leap Years and Dumb Digital Watches (Amos Shapir) Re: Risks of hype, 'Keytrap' DNS bug threatens widespread (John Levine) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Fri, 15 Mar 2024 11:14:04 PDT From: Peter Neumann Subject: SFO-bound flight returns to Australia (Jordan Parker) Jordan Parker, *The San Franciso Chronicle*, 14 Mar 2024 (Pi Day) [PGN-ed] * A maintenance issue forced a Boeing 777-300 United Flight 830 with 167 passengers to return to Australia on Monday 11 Mar 2024 in the seventh incident in a week. * On Saturday 9 Mar, a United flight from Chicago's O'Hare returned after a maintenance issue * On Friday 8 Mar, a United flight from SFO to Mexico City made an emergency landing in Los Angeles due to a hydraulic issue. * Also on 8 Mar, a United plane rolled off the runway and was stuck in the grass at George Bush International in Houston. * On Thursday 7 Mar, a United jet bound for Japan lost a wheel during takeoff. * On Monday 4 Mar, a United flight from Houston to Florida made an emergency landing after an engine went up in flames in midair. * Also on 4 Mar, an SFO-bound United flight from Honolulu landed safely after an engine failed in mid-flight. [Jim Geissman notes: United Airlines flight 433 lands safely without panel in Oregon The missing panel went undetected during the flight on 15 Mar 2023. https://www.bbc.com/news/world-us-canada-68584134 PGN] ------------------------------ Date: Mon, 11 Mar 2024 18:38:56 -0700 From: "Jim" Subject: Latam flight event Boeing plane drops suddenly injuring several. Crew member quoted as saying the instruments briefly went black. https://www.nzherald.co.nz/nz/nz-passenger-on-latam-flight-saw-man-with-bloo d-streaming-down-his-face/EXGL5PBCD5E2NBIUDFQZ76MYSQ/ ------------------------------ Date: Fri, 15 Mar 2024 22:36:34 -0600 From: Matthew Kruk Subject: Boeing tells pilots to check seats after Latam plane incident (BBC) https://www.bbc.com/news/business-68580950 Boeing has told airlines operating 787 Dreamliners that pilots need to check their seats as an investigation into an incident on a Latam flight continues. It comes after 50 people were hurt this week when a 787 dropped suddenly during a Latam Airlines flight. *The Wall Street Journal* reported that a flight attendant accidentally hit a switch on the pilot's seat, which pushed the pilot into the controls, forcing down the plane's nose. ------------------------------ Date: Wed, 13 Mar 2024 09:28:02 -0400 From: Monty Solomon Subject: Alaska Airlines Flight Was Scheduled for Safety Check on Day Panel Blew Off (NYTimes) goThe 737 Max remained in service for a day after the airline’s engineers, concerned about warning lights, scheduled it to come in for maintenance. During that period, a door plug came off in flight. https://www.nytimes.com/2024/03/12/us/politics/alaska-airlines-flight-door.html ------------------------------ Date: Mon, 11 Mar 2024 11:08:00 -0400 (EDT) From: ACM TechNews Subject: Hackers Breached Key Microsoft Systems (Sean Lyngaas) Sean Lyngaas, *CNN*, 8 Mar 2024, via ACM TechNews Microsoft revealed that a breach of its systems by Russian state-backed hackers was more extensive than previously thought when first disclosed in January. Microsoft believes the hackers have used information stolen from Microsoft's corporate email systems to access "some of the company's source code repositories and internal systems," the company said in a filing with the U.S. Securities and Exchange Commission. An accompanying blog post said the hacker group may be using the information it stole "to accumulate a picture of areas to attack and enhance its ability to do so." ------------------------------ Date: Fri, 8 Mar 2024 00:40:24 -0500 From: Monty Solomon Subject: Microsoft AI engineer warns FTC about Copilot Designer safety concerns (The Verge) https://www.theverge.com/2024/3/6/24092191/microsoft-ai-engineer-copilot-designer-ftc-safety-concerns ------------------------------ Date: Sat, 16 Mar 2024 15:33:59 -0400 From: Monty Solomon Subject: Cut submarine cables cause web outages across Africa; 6 countries still affected (ArsTechnica) https://arstechnica.com/?p=2010677 ------------------------------ Date: Fri, 15 Mar 2024 06:47:42 -0600 From: Matthew Kruk Subject: McDonald's hit by outages at stores worldwide https://www.cbc.ca/news/business/mcdonalds-outage-1.7144768 Many McDonald's stores in Japan stopped taking in-person and mobile customer orders because of the system disruption, a spokesperson at McDonald's Holdings Company Japan said, adding that the company was working to restore operations soon. A McDonald's Australia spokesperson said they were also aware of a technology outage impacting its restaurants nationwide and were working to resolve this issue. The company operates nearly 3,000 stores across Japan and roughly 1,000 in Australia, its websites for the regions show. ------------------------------ Date: Fri, 15 Mar 2024 13:24:27 -0600 From: Matthew Kruk Subject: McDonald's blames global outage on third party (BBC) https://www.bbc.com/news/business-68573106 McDonald's has revealed the technical problems which brought much of its fast food chain to a standstill on Friday were caused by a third party provider. The international restaurant said the global outage happened during a "configuration change" and stopped stores taking orders in the UK, Australia and Japan -- amongst others. McDonald's stressed the issue was not caused by a cyberattack. ------------------------------ Date: Fri, 15 Mar 2024 23:29:10 -0400 From: Monty Solomon Subject: Phony Billionaires on Facebook Are Scamming Americans Out of Their Life Savings (WashPost) A fake Bill Ackman, a bogus Cathie Wood and a false Steve Cohen are among the impersonators luring victims on social media, and their real-life counterparts can’t keep up. ‘It’s like a game of whack-a-mole.’ https://www.wsj.com/tech/fake-bill-ackman-cathie-wood-scam-a8df6ce7 ------------------------------ Date: Thu, 7 Mar 2024 11:23:27 -0800 From: "Jim" Subject: Amid explosive demand, America is running out of power (WashPost) An interesting example: airports will need vast electricity to charge the rental cars! Artificial intelligence, data centers and the boom in clean-tech manufacturing are pushing America's aging power grid to the brink. Utilities can't keep up. https://wapo.st/3IqeK6P ------------------------------ Date: Sat, 9 Mar 2024 09:44:00 -0800 From: "Peter G. Neumann" Subject: CISA hacked (Sean Lyungaas) https://www.cnn.com/2024/03/08/politics/top-us-cybersecurity-agency-cisa-hacked/index.html Top US cybersecurity agency hacked and forced to take some systems offline Sean Lyngaas The Homeland Security Department headquarters in northwest Washington, DC, on February 25, 2015. CNN A federal agency in charge of cybersecurity discovered it was hacked last month and was forced to take two key computer systems offline, an agency spokesperson and US officials familiar with the incident told CNN. One of the US Cybersecurity and Infrastructure Security Agency’s affected systems runs a program that allows federal, state and local officials to share cyber and physical security assessment tools, according to the US officials briefed on the matter. The other holds information on security assessment of chemical facilities, the sources said. A CISA spokesperson said in a statement that “there is no operational impact at this time” from the incident and that the agency continues to “upgrade and modernize our systems.” “This is a reminder that any organization can be affected by a cyber vulnerability and having an incident response plan in place is a necessary component of resilience,” the spokesperson said, adding that the impact from the hack “was limited to two systems, which we immediately took offline.” The two systems run on older technology that was already set to be replaced, sources told CNN. Part of the Department of Homeland Security, CISA investigates cyber intrusions at federal agencies and advises private critical infrastructure firms on how to bolster their security. The Record first reported on the hack.   It was not immediately clear who was behind the hack, but it occurred through vulnerabilities in popular virtual private networking software made by Utah-based IT firm Ivanti. For several weeks, CISA has urged federal agencies and private firms to update their software or take other defensive measures in response to widespread exploitation of Ivanti vulnerabilities by hackers. Among the hackers exploiting the flaws are a Chinese group focused on espionage, private researchers have previously told CNN. While there is some irony in it, even cybersecurity agencies or officials can be victims of hacking. After all, they rely on the same technology that others do. The U.S.’s top cybersecurity diplomat Nate Fick said last year that his personal account on social media platform X was hacked, calling it part of the “perils of the job.” ------------------------------ Date: Fri, 15 Mar 2024 09:15:22 +0100 From: Anthony Thorn Subject: Even a security expert can get phished (Pluralistic) First-person account of someone who fell for a phishing scam, https://pluralistic.net/2024/02/05/cyber-dunning-kruger/ "The fact that the fraudsters knew where I banked, knew my name, and had my phone number had really caused me to let down my guard." You are NOT paranoid when they really are after you (well, your money). ------------------------------ Date: Sat, 9 Mar 2024 14:25:49 +0000 From: Victor Miller Subject: Microsoft says Kremlin-backed hackers accessed its source and internal systems (ArsTechnica) https://arstechnica.com/security/2024/03/microsoft-says-kremlin-backed-hackers-accessed-its-source-and-internal-systems/ ------------------------------ Date: Thu, 7 Mar 2024 14:54:22 -0800 From: Lauren Weinstein Subject: Spate of Mock News Sites With Russian Ties Pop Up in U.S (NYTimes) https://www.nytimes.com/2024/03/07/business/media/russia-us-news-sites.html?unlocked_article_code=1.a00.QkKu.YLemQ0Rxkj5X&smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb ------------------------------ Date: Fri, 15 Mar 2024 10:19:24 -0700 From: Lauren Weinstein Subject: Autos are spying on drivers, feeding the info to insurance companies (NYTimes) https://www.nytimes.com/2024/03/11/technology/carmakers-driver-tracking-insurance.html?unlocked_article_code=1.c00.2coE.yOfXipHA21Jp&smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb ------------------------------ Date: Fri, 15 Mar 2024 18:38:14 -0400 From: Gabe Goldberg Subject: Aescape's Robot-Arm-Powered Massage Table (WiReD) The Aescape has robot arms designed to deliver a custom spa-like massage—all for $60. https://www.wired.com/story/hands-on-aescape-automated-massage/ What could go ... wrong? ------------------------------ Date: Thu, 7 Mar 2024 07:16:49 -0800 From: "Jim" Subject: ATT outage under FCC investigation (WashPost) The Federal Communications Commission has opened a formal investigation into last month's nationwide AT&T outage that left millions of people without cellphone service for hours. https://www.washingtonpost.com/business/2024/03/07/fcc-att-outage-investigat ion/ ------------------------------ Date: Tue, 12 Mar 2024 20:38:13 -0400 From: Monty Solomon Subject: The AI-generated hell of the 2024 election (The Verge) https://www.theverge.com/policy/24098798/2024-election-ai-generated-disinformation ------------------------------ Date: Sat, 16 Mar 2024 15:05:34 -0400 From: Monty Solomon Subject: New Hampshire voters sue Biden deepfake robocall creators (NBCNews) Based on NBC News reporting, the League of Women Voters is suing the creators of a deepfake robocall impersonating Joe Biden that told voters not to vote. https://www.nbcnews.com/politics/2024-election/new-hampshire-voters-sue-biden-deepfake-robocall-creators-rcna143662 ------------------------------ Date: Fri, 15 Mar 2024 11:17:45 -0400 (EDT) From: ACM TechNews Subject: Google Restricts Gemini Chatbot Election Answers (Peter Hoskins) Peter Hoskins, BBC, 13 Mar 2024, via ACM TechNews Google announced in a blog post it is limiting the types of election-related questions its Gemini chatbot can be asked. The restriction has been implemented in India, where elections will be held next month. BBC staff asked the AI chatbot questions about the upcoming elections in the U.S., U.K., and South Africa, to which Gemini responded, "I'm still learning how to answer this question. In the meantime, try Google Search." Gemini provided more detailed responses when asked follow-up questions about India's major parties. ------------------------------ Date: Fri, 8 Mar 2024 11:53:00 -0500 (EST) From: ACM TechNews Subject: Robot Ships Are Setting Sail (BBC) Jonathan Amos, Rebecca Morelle. Alison Francis et al., BBC, 6 Mar 2024, via ACM TechNews In Norway, U.S. and U.K. researchers at Ocean Infinity are testing a robotic ship equipped with cameras, microphones, radar, GPS, and satellite technology that eventually will be part of a fleet of 23 such vessels used to assess the seabed for offshore wind farm operators and perform underwater infrastructure inspections for oil and gas companies. The 255-foot ship has just 16 crew members, and that figure ultimately could decline further as more roles are performed remotely using gaming-like controls and touch screens. Reducing the number of crew members can allow for smaller ships that use less fuel and have a smaller carbon footprint. ------------------------------ Date: Fri, 8 Mar 2024 11:53:00 -0500 (EST) From: ACM TechNews Subject: Your Doctor's Office Might Be Bugged (Jesse Pines) Jesse Pines, *Forbes*, 4 Mar 2024, via ACM TechNews More physician practices are implementing ambient AI scribing, in which AI listens to patient visits and writes clinical notes summarizing them. In a recent study of the Permanente Medical Group in Northern California, more than 3,400 doctors have used ambient AI scribes in more than 300,000 patient encounters since October. Doctors reported that the technology reduced the amount of time spent on after-hours note writing and allowed for more meaningful patient interactions. However, its use raises concerns about security, privacy, and documentation errors. ------------------------------ Date: Fri, 8 Mar 2024 11:53:00 -0500 (EST) From: ACM TechNews Subject: AI Is Being Built on Dated, Flawed Motion-Capture Data (Julianne Pepitone) Julianne Pepitone, *IEEE Spectrum*, 1 Mar 2024, via ACM TechNews A study by a University of Michigan-led research team found that the motion-capture data used to design some AI-based applications is flawed and could endanger users outside the parameters of the preconceived "typical" body type. The benchmarks and standards used by developers of fall detection algorithms for smartwatches and pedestrian-detection systems for self-driving vehicles, among other technologies, do not include representations of all body types. In a systemic literature review of 278 studies as far back as the 1930s, the researchers found that the data captured for most motion-capture systems were from white able-bodied men "of unremarkable weight." Some studies used data from dismembered cadavers. ------------------------------ Date: Mon, 11 Mar 2024 11:08:00 -0400 (EDT) From: ACM TechNews Subject: Researchers Jailbreak Chatbots with ASCII Art (Mark Tyson) Mark Tyson, *Tom's Hardware*, 7 Mar 2024, via ACM TechNews ArtPrompt, developed by researchers in Washington and Chicago, can bypass large language models' (LLMs) built-in security features. The tool generates ASCII art prompts to get AI chatbots to respond to queries they are supposed to reject, like those referencing hateful, violent, illegal, or harmful content. ArtPrompt replaces the "safety word" (the reason for rejecting the submission) with an ASCII art representation of the word, which does not trigger the ethical or security measures that would prevent a response from the LLM. ------------------------------ Date: Wed, 13 Mar 2024 01:49:15 -0400 From: Monty Solomon Subject: Nvidia sued over AI training data as copyright clashes continue (ArsTechnica) https://arstechnica.com/?p=2009239 ------------------------------ Date: Fri, 8 Mar 2024 07:48:00 -0800 From: Lauren Weinstein Subject: Reports of DJI data breach turn out to be false (apparently actually a scam) There were reports of a massive DJI data breach involving corporate and customer data. Apparently no such breach has occurred, and the original claims of stolen data were reportedly part of an effort to get ransom paid for a database of stolen data that did not actually exist. -L ------------------------------ Date: Sat, 16 Mar 2024 15:14:30 -0400 From: Monty Solomon Subject: Pornhub disables website in Texas amid legal battle with attorney general's office (NBCNews) Pornhub disables website in Texas amid legal battle with attorney general's office “Unfortunately, the Texas law for age verification is ineffective, haphazard, and dangerous,” a statement on Pornhub's website read. https://www.nbcnews.com/tech/pornhub-disables-website-texas-rcna143502 ------------------------------ Date: Wed, 13 Mar 2024 15:40:26 +0000 From: Victor Miller Subject: Massively Popular Safe Locks Have Secret Backdoor Codes Not exactly computing related, but still of interest. https://www.404media.co/massively-popular-safe-locks-have-secret-backdoor-codes/ [Keys under Doormats strikes again. Blockchain Cryptocurrency should have done that to recover lost Bitcoin, but that would be a horrible vulnerability, not a feature? PGN] ------------------------------ Date: Mon, 11 Mar 2024 11:08:00 -0400 (EDT) From: ACM TechNews Subject: D-Wave Says Its Quantum Computers Can Solve Otherwise Impossible Tasks (Matthew Sparkes) Matthew Sparkes, *New Scientist* (03/07/24), via ACM TechNews D-Wave is claiming its Advantage quantum computer and prototype Advantage2 achieved "computational supremacy" by calculating transverse field Ising model problems faster than the world's most powerful classical computer. D-Wave researchers contend it would take millions of years for the Frontier supercomputer to solve the same problems. D-Wave's "quantum annealing" computers differ from quantum computers produced by others, and have been criticized as only being able to solve certain classes of optimization problem. ------------------------------ Date: 8 Mar 2024 19:18:58 -0400 From: "John Levine" Subject: Re: End-to-End Encryption under attack in Nevada (RISKS-34.09) It's more a failure of imagination. If your mental model of security is telephone wiretaps, asking for crypto backdoors seems like the same thing. I blogged about this a few years ago: https://jl.ly/Internet/catastrophe.html PS: bonus points to anyone who recognizes the reference in the title ------------------------------ Date: Fri, 8 Mar 2024 10:49:50 -0800 From: Steve Bacher Subject: Re: A Vending Machine Error Revealed Secret Face Recognition Tech (RISKS-34.09) > The risks? Error messages. Like airport displays, billboards, etc.  > showing fatal Windows errors. Also, the risk of naming your software components too transparently. These are risks to the perpetrators, not to the consumer population. Perhaps they should be considered blessings. ------------------------------ Date: Fri, 8 Mar 2024 09:03:17 -0800 From: Steve Bacher Subject: Re: comp.risks via Panix? (RISKS-34.09) You may also view the comp.risks newsgroup via the NovaBBS (RockSolid) web interface: https://www.novabbs.com/computers/thread.php?group=comp.risks Also note that if you replace http: with https: in the catless link, it will run into the expired cert problem.  This is one case where the insecure version is to be preferred, at least for now. ------------------------------ Date: Sat, 9 Mar 2024 18:44:53 +0000 From: Martin Ward Subject: Re: More than 2 Million Research Papers Have Disappeared from the Internet (RISKS-34.09) I am guessing that they do not count Sci-Hub as a "major digital archive" since Sci-Hub currently has 77.8% coverage of 51 million journal articles and 79.7% of 5 million proceedings articles: https://www.ncbi.nlm.nih.gov/pmc/articles/PMC5832410/ ------------------------------ Date: Thu, 14 Mar 2024 12:16:53 +0200 From: Amos Shapir Subject: Re: Risks of Leap Years and Dumb Digital Watches (RISKS-34.09) I don't know why those dumb watches were even made in the first place, I had a Seiko watch which had a year counter back in the late 1970's. However, those less-dumb watches use only the last digits of the year to track Feb.29 every four years, a formula which would break on March 1, 2100. ------------------------------ Date: 9 Mar 2024 15:53:00 -0500 From: "John Levine" Subject: Re: Risks of hype, 'Keytrap' DNS bug threatens widespread Internet outages (RISKS-34.09) Keytrap is a real bug but it's been grossly overhyped. Yes, specially created DNS responses can cause a naive DNS cache to do a huge amount of work, but there's nothing new about that. A CNAME loop can do that, too. This particular trick has been possible since the current version of DNSSEC was defined 20 years ago. The fact that nobody ever noticed it until late 2023 suggests that it was never that bad, and now that all of the widely used cache software has added it to the list of things to limit it's a non-issue. ISC wrote a good blog post about keytrap and the general issue of DNS scalability: https://www.isc.org/blogs/2024-bind-security-release/ ------------------------------ Date: Sat, 28 Oct 2023 11:11:11 -0800 From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: . *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's delightfully searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: ------------------------------ End of RISKS-FORUM Digest 34.10 ************************