Subject: Risks Digest 34.50

RISKS-LIST: Risks-Forum Digest  Saturday 23 Nov 2024  Volume 34 : Issue 50

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at as
The current issue can also be found at

Contents: Mostly caught up
  Two Baltic Sea cables suffer breaks; Sabotage Suspected (Bob Gezelter)
  A deadly crash in Toronto raises questions about the dangers when things go wrong for EVs (CBC)
  Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack (WiReD)
  Evidence-based high-school grading method (PGN)
  Human vs. Machine: The Promise and Peril of Artificial Intelligence in the Law Enforcement Context (Cato Institute)
  AI is supposed to make applying to jobs easier -- but it might be creating another problem (NBC News)
  AI Chatbot Tells Student to Die (Indian Express)
  AI Is Already Taking Jobs (Mark Sullivan)
  Authors miffed by publisher's offer to use their books for AI training (CBC)
  There's No Longer Any Doubt That Hollywood Writing Is Powering AI (The Atlantic)
  U.S. Finalizes $6.6-Billion CHIPS Act Grant to TSMC (Nikkei Asia)
  Zero-Day Exploits Increasingly Sought Out by Attackers (Alex Scroxton)
  Hardware Hacking? Study Raises Alarm on 98 Risks (Lars Daniel)
  Dogs allowed? (BBC)
  Elon Musk Asked People to Upload Their Health Data. X Users Obliged (The New York Times)
  The leaks begin! - "Unknown and unauthorized third party" has gained access to Matt Gaetz depositions, source says (CBS News)
  More on: DOJ "remedies" against Google would be a disaster (Lauren Weinstein)
  'You are under digital arrest': Inside a scam looting millions from Indians (BBC)
  Navy Federal customer forced to pay back loan she didn't take out after being scammed (WTKR)
  "... you are the product" (Rob Slade)
  Re: Terrified friends burned to death in Tesla as electronic doors wouldn't open after crash (Steve Bacher)
  Re: Australia plans social media ban for under-16s (Lars-Henrik Eriksson, Dmitri Maziuk)
  Re: Robotaxis open for business in Los Angeles (Nicholas Weaver)
  Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Mon, 18 Nov 2024 23:44:57 -0500
From: Bob Gezelter
Subject: Two Baltic Sea cables suffer breaks; Sabotage Suspected

Today, there were two breaks in cables traversing the Baltic Sea: a cable connecting Germany and Finland; and a cable connecting Lithuania and Sweden. Sabotage is suspected.

A little over three years ago, I wrote "WorldWide Broadband Vulnerabilities are a Significant Hazard",
http://www.rlgsc.com/blog/ruminations/worldwide-bandwidth-vulnerability.html
In that entry, I noted the dangers of broadband disruptions to business operations.

Today's cable incident is reported by Reuters, full article at:
https://www.reuters.com/business/media-telecom/telecoms-cable-linking-finland-germany-likely-severed-owner-says-2024-11-18/

------------------------------

Date: Fri, 22 Nov 2024 12:34:21 -0500
From: Matthew Kruk
Subject: A deadly crash in Toronto raises questions about the dangers when things go wrong for EVs (CBC)

https://www.cbc.ca/news/canada/electric-vehicles-safety-toronto-crash-1.7389937

A deadly crash involving an electric car that killed four people in downtown Toronto has raised concerns about the dangers when things go wrong for EVs. That includes whether people can easily extract themselves in the event of a fire, or how significant the fire risk is among the current generation of EVs.

Observers say these types of fires may draw media attention, but they aren't that common -- and that analysis of EV safety should focus on products and their components, and any resulting concerns.
------------------------------

Date: Fri, 22 Nov 2024 15:38:30 -0500
From: Gabe Goldberg
Subject: Russian Spies Jumped From One Network to Another Via Wi-Fi in an Unprecedented Hack (WiReD)

In a first, Russia's APT28 hacking group appears to have remotely breached the Wi-Fi of an espionage target by hijacking a laptop in another building across the street.

For determined hackers, sitting in a car outside a target's building and using radio equipment to breach its Wi-Fi network has long been an effective but risky technique. These risks became all too clear when spies working for Russia's GRU military intelligence agency were caught red-handed on a city street in the Netherlands in 2018 using an antenna hidden in their car's trunk to try to hack into the Wi-Fi of the Organization for the Prohibition of Chemical Weapons.

Since that incident, however, that same unit of Russian military hackers appears to have developed a new and far safer Wi-Fi hacking technique: Instead of venturing into radio range of their target, they found another vulnerable network in a building across the street, hacked into a laptop in that neighboring building, and used that computer's antenna to break into the Wi-Fi network of their intended victim—a radio-hacking trick that never even required leaving Russian soil.

https://www.wired.com/story/russia-gru-apt28-wifi-daisy-chain-breach/

------------------------------

Date: Sat, 23 Nov 2024 10:58:05 PST
From: Peter Neumann
Subject: Evidence-based high-school grading method

Gunn, the Palo Alto high school my sons attended, has decided to have a pilot alternative grading method that looks at progress as well as standing. Perhaps they will also use evidence-based AI! (See my article with Ulf Lindqvist on E-B AI in the November CACM: https://www.csl.sri.com/users/Neumann/cacm255.pdf)

------------------------------

Date: Sun, 17 Nov 2024 20:16:20 -0500
From: Gabe Goldberg
Subject: Human vs. Machine: The Promise and Peril of Artificial Intelligence in the Law Enforcement Context (Cato Institute)

The development and deployment of artificial intelligence (AI) software for a range of applications has sparked intense debate over its implications for privacy and surveillance in multiple contexts. At the same time, police organizations argue that AI could help revolutionize and speed up police investigations by allowing for faster identification of crime suspects or missing or kidnapped persons.

What are the kinds of dangers posed by the use of AI by law enforcement agencies? Are there types of crimes where the application of AI might be beneficial? How well or poorly are legislative bodies dealing with this new technology? What is the state of the law at the federal, state, and local levels regarding AI use by law enforcement organizations? Our panel will tackle all these topics.

https://www.cato.org/events/human-vs-machine-promise-peril-artificial-intelligence-law-enforcement-context

What could go wrong?

------------------------------

Date: Mon, 18 Nov 2024 07:01:13 -0800
From: Steve Bacher
Subject: AI is supposed to make applying to jobs easier -- but it might be creating another problem (NBC News)

Artificial Intelligence is reshaping the job application process, simplifying some aspects -- and creating new potential frictions in others.

https://www.nbcnews.com/tech/innovation/ai-making-job-applications-easier-creating-another-problem-rcna179683

------------------------------

Date: Tue, 19 Nov 2024 18:07:53 -0500
From: Charles Dunlop
Subject: AI Chatbot Tells Student to Die (Indian Express)

A Michigan student was interacting with a chatbot about a homework assignment, when he suddenly started being threatened.

https://indianexpress.com/article/technology/artificial-intelligence/you-are-a-burden-please-die-ai-chatbot-threatens-student-who-sought-help-with-homework-9671494/

  [Great topic for a homework assignment: risks of AI and poorly trained chatbots. PGN]

------------------------------

Date: Mon, 18 Nov 2024 11:29:18 -0500 (EST)
From: ACM TechNews
Subject: AI Is Already Taking Jobs (Mark Sullivan)

Mark Sullivan, Fast Company, 15 Nov 2024

Generative AI is impacting job markets, according to researchers at Harvard Business School, the German Institute for Economic Research, and the U.K.'s Imperial College London Business School. The researchers studied more than a million job posts on a major global freelance work marketplace from July 2021 to July 2023 and found demand for automation-prone jobs had fallen 21% eight months after the release of ChatGPT in late 2022.

------------------------------

Date: Wed, 20 Nov 2024 06:38:08 -0700
From: Matthew Kruk
Subject: Authors miffed by publisher's offer to use their books for AI training (CBC)

https://www.cbc.ca/news/entertainment/harpercollins-using-books-ai-1.7387580

Authors are voicing concerns after a major book publisher offered payments in exchange for permission to use their books to train artificial intelligence.

Daniel Kibblesmith, an Emmy-nominated writer and comedian who writes for The Late Show with Stephen Colbert, posted a memo from HarperCollins -- a major publisher that is also home to dozens of Canadian authors -- offering $2,500 US to use his children's book Santa's Husband to train an AI model for an unnamed "large tech company."

"Abominable," Kibblesmith posted to the social media platform Bluesky on Friday -- with screenshots of the messages alongside his response. He declined.

------------------------------

Date: Wed, 20 Nov 2024 07:01:42 -0800
From: Steve Bacher
Subject: There's No Longer Any Doubt That Hollywood Writing Is Powering AI (The Atlantic)

Dialogue from these movies and TV shows has been used by companies such as Apple and Anthropic to train AI systems.

For as long as generative-AI chatbots have been on the Internet, Hollywood writers have wondered if their work has been used to train them.
The chatbots are remarkably fluent with movie references, and companies seem to be training them on all available sources. One screenwriter recently told me he’s seen generative AI reproduce close imitations of /The Godfather/ and the 1980s TV show /Alf/, but he had no way to prove that a program had been trained on such material.

I can now say with absolute confidence that many AI systems have been trained on TV and film writers’ work. Not just on /The Godfather/ and /Alf/, but on more than 53,000 other movies and 85,000 other TV episodes: Dialogue from all of it is included in an AI-training data set that has been used by Apple, Anthropic, Meta, Nvidia, Salesforce, Bloomberg, and other companies. I recently downloaded this data set, which I saw referenced in papers about the development of various large language models (or LLMs). It includes writing from every film nominated for Best Picture from 1950 to 2016, at least 616 episodes of /The Simpsons/, 170 episodes of /Seinfeld/, 45 episodes of /Twin Peaks/, and every episode of /The Wire/, /The Sopranos/, and /Breaking Bad/. It even includes prewritten “live” dialogue from Golden Globes and Academy Awards broadcasts. If a chatbot can mimic a crime-show mobster or a sitcom alien—or, more pressingly, if it can piece together whole shows that might otherwise require a room of writers—data like this are part of the reason why. [...]

https://www.theatlantic.com/technology/archive/2024/11/opensubtitles-ai-data-set/680650/

------------------------------

Date: Mon, 18 Nov 2024 11:29:18 -0500 (EST)
From: ACM TechNews
Subject: U.S. Finalizes $6.6-Billion CHIPS Act Grant to TSMC (Nikkei Asia)

Yifan Yu, Nikkei Asia, 15 Nov 2024

The U.S. finalized a CHIPS Act grant of $6.6 billion to Taiwan Semiconductor Manufacturing Co. (TSMC), with at least $1 billion to be disbursed by the end of the year. The funds will be distributed in phases as the company hits certain project milestones. TSMC will produce 3 nanometer (nm), 2 nm, and A16 chips at three Arizona fabs.

------------------------------

Date: Mon, 18 Nov 2024 11:29:18 -0500 (EST)
From: ACM TechNews
Subject: Zero-Day Exploits Increasingly Sought Out by Attackers (Alex Scroxton)

Alex Scroxton, Computer Weekly, 12 Nov 2024

Cyber agencies from the Five Eyes governments published a list of the 15 most exploited vulnerabilities of last year, the majority of which were zero-days, a trend that has continued this year. "More routine initial exploitation of zero-day vulnerabilities represents the new normal which should concern end-user organizations and vendors alike as malicious actors seek to infiltrate networks," said Ollie Whitehouse at the UK's National Cyber Security Centre.

------------------------------

Date: Mon, 18 Nov 2024 11:29:18 -0500 (EST)
From: ACM TechNews
Subject: Hardware Hacking? Study Raises Alarm on 98 Risks (Lars Daniel)

Lars Daniel, Forbes, 15 Nov 2024

Researchers at the U.S. National Institute of Standards and Technology identified 98 vulnerabilities that allow chips to be hacked. Most involve access control, with 43 different scenarios identified that would allow unauthorized users to access sensitive data or control systems. The researchers noted modern computer chips contain millions of components and software that are physically embedded in silicon and thus difficult and expensive to patch.

------------------------------

Date: Sun, 17 Nov 2024 07:49:50 -0800
From: Steve Lamont
Subject: Dogs allowed? (BBC)

https://www.bbc.com/news/articles/c30p16gn3pvo

On patrol at Mar-a-Lago, robotic dogs have their moment
British Broadcasting Corporation, 17 Nov 2024

A robotic dog named "Spot" made by Boston Dynamics is the latest tool in the arsenal of the US Secret Service. The device has lately been spotted patrolling the perimeter of President-elect Donald Trump's Mar-a-Lago resort in Palm Beach, Florida.
They do not have weapons -- and each can be controlled remotely or automatically -- as long as its route is pre-programmed.

  [The new despot*-in-chief might decide to de-spot Spot? Especially if Spot is realistic enough to poop on the golf course? But is a loud robo-dog allowed? ALLowed be his name. PGN]
  [* DESPOT. In its most simple and original acceptation, signifies master and supreme lord; it is synonymous with monarch.]

------------------------------

Date: Tue, 19 Nov 2024 01:36:25 -0500
From: Gabe Goldberg
Subject: Elon Musk Asked People to Upload Their Health Data. X Users Obliged (The New York Times)

Privacy experts cringed when people started feeding their medical images to the AI tool Grok.

https://www.nytimes.com/2024/11/18/well/x-grok-health-privacy.html?smid=nytcore-ios-share&referringSource=articleShare

------------------------------

Date: Tue, 19 Nov 2024 08:46:50 -0800
From: Lauren Weinstein
Subject: The leaks begin! - "Unknown and unauthorized third party" has gained access to Matt Gaetz depositions, source says (CBS News)

As predicted. -L

https://www.cbsnews.com/news/matt-gaetz-depositions-leak-investigations/

------------------------------

Date: Wed, 20 Nov 2024 17:27:06 -0800
From: Lauren Weinstein
Subject: More on: DOJ "remedies" against Google would be a disaster

Re: DOJ's call for Google to sell off Chrome could be a disaster for users

Google over recent years, I can't emphasize enough what an utter disaster for the privacy and security of ordinary users most of the DOJ "remedies" being suggested to the judge in the Google antitrust case would be. I can't figure out if DOJ just isn't considering these issues in their rush to create "competition" in a manner that wouldn't actually help ordinary consumers at all -- and more likely just cause them more tech-related problems and confusion -- or if the folks at DOJ working on this simply don't really understand the technical realities involved. -L

------------------------------

Date: Sun, 17 Nov 2024 22:47:03 -0700
From: "Matthew Kruk"
Subject: 'You are under digital arrest': Inside a scam looting millions from Indians (BBC)

https://www.bbc.com/news/articles/cdrdyxk4k4ro

For a harrowing week in August, Ruchika Tandon, a 44-year-old neurologist at one of India’s top hospitals, was ensnared in what felt like a high-stakes federal crime investigation. Yet, it was an elaborate scam -- a web of deceit spun by scammers who manipulated her every move and drained her and her family’s life savings.

Under the pretense of “digital arrest” -- a term fabricated by her perpetrators -- Dr Tandon was coerced to take leave from work, surrender her daily freedoms, and comply with nonstop surveillance and instructions from strangers on the phone, who convinced her she was at the centre of a grave investigation.

The “digital arrest” scam involves fraudsters impersonating law enforcement officials on video calls, threatening victims with arrest over fake charges, and pressuring them to transfer large sums of money.

------------------------------

Date: Fri, 22 Nov 2024 15:37:14 -0500
From: Gabe Goldberg
Subject: Navy Federal customer forced to pay back loan she didn't take out after being scammed (WTKR)

NEWPORT NEWS, VA. -- There's an alarming scam targeting Navy Federal customers in our area. Someone takes out a loan in a customer's name, and they're left out to dry and forced to pay it back, police say.

https://www.wtkr.com/investigations/another-navy-federal-customer-forced-to-pay-back-loan-she-didnt-take-out-after-scam#google_vignette

------------------------------

Date: Fri, 22 Nov 2024 08:56:50 -0800
From: Rob Slade
Subject: "... you are the product"

It is not exactly news that the corporate tech giants are using us, their *clients*, in every possible way that they can. I just thought that this particular example is an illustration of just how far it goes.

Niantic is the company and technology behind Pokemon Go.
I know very little about the game: at various times various of my grandsons have been enthralled with Pokemon *cards*, but I don't think any of them ever got into the online game. I did, once, encounter a person wandering around with a cell phone, who admitted to searching for ... well, whatever you search for in Pokemon Go.

Apparently, Niantic has been collecting visual and location data from those who have been playing the game. They are now feeding this into a geospatially-oriented large language model AI.

https://nianticlabs.com/news/largegeospatialmodel

------------------------------

Date: Thu, 21 Nov 2024 15:01:35 -0800
From: Steve Bacher
Subject: Re: Terrified friends burned to death in Tesla as electronic doors wouldn't open after crash (RISKS-34.69)

Final paragraph of the article:

  In the event of a crash passengers are directed to pull away a palen in the door and tug at a cable underneath to open the doors, but safety watchdogs have said dazed or panicked crash victims may not be able to search for the feature after a car crash.

What the hell is a "palen"? A Google search comes up with nothing but brand names, except for the Wiktionary definition.

  [omitted here -- better yet, see impale. PGN]
  [could it be Sarah running a line from Alaska?]

------------------------------

Date: Thu, 21 Nov 2024 19:47:51 +0100
From: Lars-Henrik Eriksson
Subject: Re: Australia plans social media ban for under-16s (RISKS-34.48)

I don't see that electronic verification of age (or other identity information) means that you need to "share private information with government or other institutions about what you desire to access." The electronic ID needs to be issued by a government or institution, but verification does not have to involve them. Public-key cryptography can be used to verify the authenticity of the ID.

The risk is rather that the ID is used by someone other than the holder, but that risk exists also with physical ID cards.
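An added illustration of the verification model in Lars-Henrik Eriksson's note above, written for this digest rather than taken from the original post or from any real eID scheme: the issuer signs an age credential once, and a site later checks it using only the issuer's public key, so the issuer is never consulted and never learns which site was visited. The credential fields, the use of Ed25519, and the fixed evaluation time are assumptions made for this example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Credential is the payload the issuer signs; field names are constructed here.
type Credential struct {
	BirthYear int   `json:"birth_year"` // the only personal datum disclosed
	Expires   int64 `json:"exp"`        // Unix seconds
}

// SignedCredential is what the holder presents to a relying party.
type SignedCredential struct {
	Payload   []byte
	Signature []byte
}

// Now is the constructed evaluation time used by main and the tests.
var Now = time.Date(2024, time.November, 23, 0, 0, 0, 0, time.UTC)

// GenerateIssuerKeys runs once at the issuer; only the public key is published.
func GenerateIssuerKeys() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// Issue is the issuer-side step: serialize the claim and sign it.
func Issue(priv ed25519.PrivateKey, c Credential) (SignedCredential, error) {
	payload, err := json.Marshal(c)
	if err != nil {
		return SignedCredential{}, err
	}
	return SignedCredential{Payload: payload, Signature: ed25519.Sign(priv, payload)}, nil
}

// VerifyAge is the relying-party step. It needs only the issuer's public key,
// so the issuer is never contacted and never learns which site was visited.
func VerifyAge(pub ed25519.PublicKey, sc SignedCredential, minAge int, now time.Time) (bool, error) {
	if !ed25519.Verify(pub, sc.Payload, sc.Signature) {
		return false, errors.New("bad signature: forged, tampered, or not from this issuer")
	}
	var c Credential
	if err := json.Unmarshal(sc.Payload, &c); err != nil {
		return false, err
	}
	if now.Unix() > c.Expires {
		return false, errors.New("credential expired")
	}
	// Only a birth year is disclosed, so use the youngest age the holder could
	// have (birthday not yet reached this year) and compare it to the threshold.
	youngestPossible := now.Year() - c.BirthYear - 1
	return youngestPossible >= minAge, nil
}

func main() {
	pub, priv, err := GenerateIssuerKeys()
	if err != nil {
		panic(err)
	}
	exp := Now.Add(24 * time.Hour).Unix()
	adult, _ := Issue(priv, Credential{BirthYear: 2000, Expires: exp})
	minor, _ := Issue(priv, Credential{BirthYear: 2010, Expires: exp})
	fmt.Println(VerifyAge(pub, adult, 16, Now)) // true <nil>
	fmt.Println(VerifyAge(pub, minor, 16, Now)) // false <nil>
}
```

As the note says, the signature check establishes only that the issuer vouched for the claim, not that the person presenting it is the holder; that residual risk is the same one physical ID cards carry.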
------------------------------

Date: Sun, 17 Nov 2024 17:40:55 -0600
From: Dmitri Maziuk
Subject: Re: Australia plans social media ban for under-16s (RISKS-34.48)

This is nothing new: back in the late 1990s I worked at a Computer Telephony service provider Down Under when the legislature pushed down the age verification law for "adult chat" phone services. *After* it had been repeatedly explained to them by many consultations with Telcos and other relevant players that a) there isn't a way to implement a reliable age verification mechanism over telephone lines and b) there is no infrastructure to support any kind of age verification over said lines; it would have to be invented and built first.

That never stopped them, and we (I) had to scramble to re-code a bunch of service scripts from 1-800 to direct credit card billing as that made them not "open" and thus not subject to the "child protection".

The running joke at the office cooler was "this is an adult chat service billed to your credit card at $4.95 a minute; if you are over 18, please have your credit card ready; if you are under 18, please have your dad's credit card ready."

------------------------------

Date: Sat, 16 Nov 2024 20:01:50 -0800
From: Nicholas Weaver
Subject: Re: Robotaxis open for business in Los Angeles (R 34 69)

The lack of freeways is prudent risk-management. Freeways are actually far easier for a self-driving vehicle (far fewer exceptional cases; it's why proper level-2 systems (aka not Tesla) are restricted to freeways and similar locations), but the penalty for errors is much higher as the energy levels are much higher.

Since one of the biggest risks for an autonomous vehicle company is an accident, whether or not the autonomous vehicle is at fault, it is best for the company's interests to ensure that accidents are at dense city street speed where a "high speed" crash is 25 MPH rather than 75 MPH and 9x the energy.
------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site: .
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:

------------------------------

End of RISKS-FORUM Digest 34.50
************************