Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.11
RISKS-LIST: Risks-Forum Digest Sunday 24 March 2024 Volume 34 : Issue 11
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.11>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
DMVs Nationwide Hit With Outage, Officials In Multiple States Say
Across America (U.S. Patch)
DMV services disrupted nationwide by system out[r]age (Henry Baker)
McDonald's blames global outage on third party (BBC)
Re: McDonald's hit by outages at stores worldwide (Steve Bacher)
Re: McDonald's (=?UTF-8?Q?turgut_kalfao=C4=9Flu?)
Tesco and Sainsbury's working to fix technical issues that suspended food
deliveries to customers (CNN)
Anti-drone radio jammers marketed on Amazon and Google despite
being outlawed by FCC rules (Steve Bacher)
A ChatGPT for Music Is Here. Inside Suno, the Startup Changing Everything
(Rolling Stone)
Albertans have lost at least $156M to fraud this decade (CBC)
Chinese & Western Scientists Identify 'Red Lines' on AI Risks
(Financial Times)
Unpatchable vulnerability in Apple chip leaks secret encryption keys
(Ars Technica)
Apple has effectively abandoned HomeKit Secure Routers (Monty Solomon)
Paper about the gofetch attack (Victor Miller)
Why Tech Companies Are Not Your Friends: Lessons From Roku (NYTimes)
Is your smart device safe from hackers? New FCC program will label
cybersecure technology (LA Times)
Hackers can unlock over 3 million hotel doors in seconds (ArsTechnica)
Man Boarded Delta Flight Using Ticket Ruse (NYTimes)
Never-before-seen data wiper may have been used by Russia against Ukraine
(ArsTechnica)
UPS worker charged after $1.3M Apple product theft spree fines, report finds
(WashPost)
Social Security program failed to properly notify people of huge service
(Ars Technica)
FCC bans cable TV industry's favorite trick for hiding full cost of service
(Ars Technica)
Hype cycle meets rinse cycle: does dishwasher really need a mobile app?
(Rob Pegoraro)
LAUSD's new student advisor is an AI bot that designs academic plans,
suggests books (LATimes)
Lawyer warns 'integrity of the entire system in jeopardy' if rising use of
AI in legal circles goes wrong (CBC)
I recommend DISABLING Google's new Chrome "real-time, privacy-preserving URL
protection" (Lauren Weinstein)
Why Tech Companies Are Not Your Friends: Lessons From Roku (NYTimes)
Re: Risks of Leap Years and Dumb Digital Watches (Mark Brader)
Re: AT&T proposals to kill landlines and more in California
(Lauren Weinstein)
Re: Hackers Breached Key Microsoft Systems (Bernie Cosell)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Thu, 21 Mar 2024 18:10:04 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: DMVs Nationwide Hit With Outage, Officials In Multiple States Say |
Across America (U.S. Patch)
CROSS AMERICA — All motor vehicle departments in the United States went down
Thursday, according to officials in multiple states. Officials in Illinois,
Virginia, Massachusetts, Arkansas and Colorado all confirmed they
experienced an outage.
"We are currently experiencing a nationwide network outage at our DMV
facilities," tweeted Illinois Secretary of State Alexi Giannoulias. "All
DMVs across the country are currently down."
Virginia's DMV said the outage stemmed from "a third-party technical
outage," and that driver's license services were unavailable online and at
all in-person locations.
"We apologize for the inconvenience. Please stay tuned to social media for
updates," the agency said.
https://patch.com/virginia/annandale/s/ivgud/dmvs-nationwide-hit-with-outage-officials-in-multiple-states-say
A technical outage hit all DMVs at once? Need details..
------------------------------
Date: Fri, 22 Mar 2024 02:03:12 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: DMV services disrupted nationwide by system out[r]age
I'm surprised that anyone could tell the difference from typical DMV
operations. ..
https://www.nbcnews.com/news/rcna144496
DMV services disrupted nationwide by system out[r]age
The American Association of Motor Vehicle Administrators said the outage was
due to ``a loss in cloud connectivity'' Thursday.
------------------------------
Date: Sat, 16 Mar 2024 18:03:32 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: McDonald's blames global outage on third party (BBC)
McDonald's has revealed the technical problems which brought much of its
fast food chain to a standstill on Friday were caused by a third party
provider.
The international restaurant said the global outage happened during a
"configuration change" and stopped stores taking orders in the UK, Australia
and Japan -- amongst others.
McDonald's stressed the issue was not caused by a cyberattack.
https://www.bbc.com/news/business-68573106
Configuration change hits single point of failure, craters world-wide
restaurant chain. Nice. A plus for momentary healthy eating, though.
------------------------------
Date: Sun, 17 Mar 2024 08:46:14 -0700
Subject: Re: McDonald's hit by outages at stores worldwide
From: Steve Bacher <sebmb1@verizon.net>
This comes at a bad time for McDonald's, since they are aggressively rolling
out kiosk-only ordering in place of humans. Recently I had to deal with one
of those in my local McD's -- the counterwoman kindly fingerwalked through
the menus for me to order 2 coffees but the kiosks had no provision for the
senior discount price so she still had to ring it up manually for me
instead.
So it's kind of karmic justice in a way.
------------------------------
Date: Sun, 17 Mar 2024 20:21:31 +0300
From: =?UTF-8?Q?turgut_kalfao=C4=9Flu?= <turgut@kalfaoglu.com>
Subject: Re: McDonald's (RISKS-34.10)
> McDonald's has revealed the technical problems which brought much of its
> fast food chain to a standstill on Friday were caused by a third party
> provider.
What I fail to understand is why do all of the world's McDonald's stores
have to be online to be able to sell food?
It seems the more eggs you put in one basket, the more eggs you are going to
lose.
[Chickens as well. PGN]
------------------------------
Date: Sun, 17 Mar 2024 00:55:39 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Tesco and Sainsbury's working to fix technical issues that
suspended food deliveries to customers (CNN)
https://www.cnn.com/2024/03/16/business/tesco-sainsburys-delivery-technical-issues/index.html
------------------------------
Date: Wed, 20 Mar 2024 16:15:55 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Anti-drone radio jammers marketed on Amazon and Google despite
being outlawed by FCC rules
Several online retailers and drone technology companies are marketing the
sale of radio frequency jammers as drone deterrence or privacy tools,
sidestepping federal laws that prohibit such devices from being offered for
sale in the U.S. [Long item PGN-curtailed]
https://www.nbcnews.com/tech/security/drone-radio-frequency-jammer-signal-online-defense-technology-rcna135103
------------------------------
Date: Tue, 19 Mar 2024 06:53:20 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: A ChatGPT for Music Is Here. Inside Suno, the Startup Changing
Everything (Rolling Stone)
AI music-generation illustration
www.rollingstone.com
Suno AI wants everyone to be able to produce their own pro-level songs with
artificial intelligence — but what does that mean for artists?
------------------------------
Date: Fri, 22 Mar 2024 06:46:55 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Albertans have lost at least $156M to fraud this decade (CBC)
Many others don't report the crime
https://www.cbc.ca/news/canada/edmonton/alberta-fraud-money-victims-1.71467=
51
Albertans have reported losing more than $156 million to fraudsters since
the start of this decade, with tens of millions more being taken each year.
But there hasn't been a coinciding rise in victims -- in part, experts say,
because people are reluctant to come forward.
In 2023, roughly 2,900 Albertans lost more than $62.5 million to various
fraud schemes -- up more than fivefold from the $11.3 million taken = from
about 2,600 people in 2020, data shows.
More than half the reported losses in the province last year were from
investment scams, particularly cryptocurrency frauds. Spear-phishing -- when
scammers pretend to be legitimate sources to con businesses and people into
sending money -- was the second-most lucrative type of fraud, taking= more
than $8.5 million from 72 people.
------------------------------
Date: Wed, 20 Mar 2024 11:42:38 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Chinese & Western Scientists Identify 'Red Lines' on AI Risks
(Financial Times)
Cristina Criddle, Eleanor Olcott and Madhumita Murgia, *Financial
Times*, 18 Mar 2024, via ACM Tech News
A statement signed by Western and Chinese AI scientists warns that
Cold War-level global cooperation is necessary to avoid "catastrophic
or even existential risks to humanity within our lifetimes" resulting
from AI technology. At the International Dialogue on AI Safety in
Beijing, the experts established "red lines" on AI risks that no AI
system should cross, including the development of bioweapons and the
launch of cyberattacks. Signatories to the statement included ACM
A.M. Turing Award laureates Geoffrey Hinton and Yoshua Bengio, as well
as computer scientists Stuart Russell and Andrew Yao.
------------------------------
Date: Fri, 22 Mar 2024 02:14:23 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: Unpatchable vulnerability in Apple chip leaks secret encryption
keys (Ars Technica)
Unpatchable vulnerability in Apple chip leaks secret encryption keys | Ars
Technica
https://arstechnica.com/security/2024/03/hackers-can-extract-secret-encryption-keys-from-apples-mac-chips/
------------------------------
Date: Fri, 22 Mar 2024 20:12:17 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Apple has effectively abandoned HomeKit Secure Routers
https://appleinsider.com/articles/24/03/22/apple-has-abandoned-homekit-secure-routers-claim-vendors?utm_medium=rss
------------------------------
Date: Fri, 22 Mar 2024 02:16:49 +0000
From: Victor Miller <victorsmiller@gmail.com>
Subject: Paper about the gofetch attack
https://gofetch.fail/files/gofetch.pdf
------------------------------
Date: Fri, 22 Mar 2024 15:13:44 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Why Tech Companies Are Not Your Friends: Lessons From Roku
(The New York Times)
Roku recently changed its policy to make it even harder for customers to
take legal action. It’s a reminder of how we need to protect ourselves.
To Isaac Phillips, a software engineer in Tampa, Fla., this felt unfair. So
he came up with a workaround to disconnect his Roku TV from the Internet and
use it as a normal TV without Roku’s apps, which include Netflix, Hulu and
other streaming services.
“It should belong to whoever paid for it,” Mr. Phillips said. “To lock
somebody out of it completely just doesn't seem right. It’s pretty
unacceptable.”
A Roku spokesman also provided a list of steps for those who wish to use
their Roku TVs as normal TVs without an Internet connection. It involves
pressing a button or pinhole on the back of the TV to reset the software and
skipping the step to set up the Internet connection.
https://www.nytimes.com/2024/03/20/technology/personaltech/roku-data-breach-companies.html?smid=nytcore-ios-share&referringSource=articleShare&sgrp=c-cb
Why is it harder to opt out than it is to opt in? Because the companies are
legally allowed to do this.
I suggest that Roku customers follow those steps to opt out of the new terms
and hold on to what little power they have. I, for one, took this
opportunity to disconnect my Roku TV from the Internet and plug in a
different streaming device with less onerous terms, an old Apple TV. As for
a letter to opt out, I plan to use the AI chatbot ChatGPT to draft a testy
note.
------------------------------
Date: Wed, 20 Mar 2024 18:44:57 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Is your smart device safe from hackers? New FCC program will label
cybersecure technology (LA Times)
Internet-connecting devices that meet standards will soon come with a
"U.S. Cyber Trust Mark" to help consumers choose products that protect their
private information.
https://www.latimes.com/california/story/2024-03-19/new-program-will-label-smart-device-and-products-cybersecurity-safe
Would you trust the Trust Mark? I'm not sure. I guess the consumer
strategy would be to avoid buying devices that lack the Trust Mark rather
than putting blind trust in the mark.
------------------------------
Date: Fri, 22 Mar 2024 20:03:39 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Hackers can unlock over 3 million hotel doors in seconds
(ArsTechnica)
https://arstechnica.com/?p=2012114
------------------------------
Date: Fri, 22 Mar 2024 02:10:43 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Man Boarded Delta Flight Using Ticket Ruse (NYTimes)
By taking pictures of other passengers’ boarding passes on their phones, the
man was able to board a Delta Air Lines flight in Salt Lake City on Sunday,
according to a federal complaint.
https://www.nytimes.com/2024/03/20/business/delta-unticketed-passenger-arrested.html
------------------------------
Date: Fri, 22 Mar 2024 20:09:52 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Never-before-seen data wiper may have been used by Russia
against Ukraine (ArsTechnica)
https://arstechnica.com/?p=2012093
------------------------------
Date: Fri, 22 Mar 2024 20:16:05 -0400
From: Monty Solomon <monty@roscom.com>
Subject: UPS worker charged after $1.3M Apple product theft spree
https://appleinsider.com/articles/24/03/21/ups-worker-charged-after-13m-apple-product-theft-spree
------------------------------
Date: Thu, 21 Mar 2024 19:17:36 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Social Security program failed to properly notify people of huge
fines, report finds (WashPost)
The Social Security Administration’s internal watchdog office failed to
properly notify some poor and disabled Americans before levying huge fines
on them, an investigation found.
https://wapo.st/3vsSwyb
------------------------------
Date: Fri, 22 Mar 2024 09:40:02 -0400
From: Monty Solomon <monty@roscom.com>
Subject: FCC bans cable TV industry's favorite trick for hiding full cost of
service (Ars Technica)
https://arstechnica.com/?p=2011532
------------------------------
Date: Sun, 17 Mar 2024 23:32:15 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Hype cycle meets rinse cycle: does dishwasher really need
a mobile app? (Rob Pegoraro)
Years later than you might have expected, given my line of work, I’ve
finally hit the dubious milestone of owning a major appliance with its own
Internet Protocol address and mobile app–the Bosch dishwasher we procured as
part of an overdue and immensely-appreciated kitchen renovation.
https://robpegoraro.com/2024/03/16/hype-cycle-meets-rinse-cycle-does-my-dishwasher-really-need-a-mobile-app/
Risks? Missing an app alert and the undocumented trash masher feature
starting? Dishwasher organizing other appliances in rebellion against
flaky power? Yet another malware attack surface?
------------------------------
Date: Fri, 22 Mar 2024 07:47:27 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: LAUSD's new student advisor is an AI bot that designs academic
plans, suggests books
Los Angeles school officials say their new app lets students and parents, in
one place, find anything they need related to school and their specific
learning path.
The Los Angeles school district on Wednesday unveiled a much-awaited AI tool
named “Ed” to serve as a student adviser, programmed to tell its young users
and their parents about grades, tests results and attendance — while giving
out assignments, suggesting readings and even helping students cope with
nonacademic matters. [...]
https://www.latimes.com/california/story/2024-03-21/new-ai-tool-in-education-aspires-to-have-all-the-answers-for-l-a-students
[We don't need no steenkin' teachers no more? or even parents for
nonacademic matters? PGN]
------------------------------
Date: Sun, 17 Mar 2024 10:18:02 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Lawyer warns 'integrity of the entire system in jeopardy' if rising
use of AI in legal circles goes wrong (CBC)
https://www.cbc.ca/news/canada/nova-scotia/artificial-intelligence-lawyers-=
law-nova-scotia-1.7126732
As lawyer Jonathan Saumier types a legal question into ChatGPT, it spits
out an answer almost instantly.
But there's a problem -- the generative artificial intelligence chatbot was
flat-out wrong.
"So here's a prime example of how we're just not there yet in terms of
accuracy when it comes to those systems," said Saumier, legal services
support counsel at the Nova Scotia Barristers' Society.
Artificial intelligence can be a useful tool. In just a few seconds, it can
perform tasks that would normally take a lawyer hours or even days.
But courts across the country are issuing warnings about it, and some
experts say the very integrity of the justice system is at stake.
------------------------------
Date: Sat, 16 Mar 2024 13:13:37 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: I recommend DISABLING Google's new Chrome "real-time,
privacy-preserving URL protection"
It's up to you, but for now I recommend DISABLING Google's new Chrome
"real-time, privacy-preserving URL protection".
I'm getting a lot of questions about this, and I simply don't have
time right now to write this up in depth. So this will have to be
short (at least by my standards).
Google is implementing by default in Chrome a new system to expand
their detection of unsafe sites, via a complicated new real-time
system that sends hashes of URLs to a third-party, non-Google firm.
The details are in:
https://security.googleblog.com/2024/03/blog-post.html
Google's goal is laudable, but though it would probably be unfair of
me to call this system "Rube Goldberg-ish", it is definitely very far
from trivial.
I am in particular concerned about the ramifications of Chrome users
being connected by default to a completely non-Google entity to which
they are sending data, no matter how obfuscated that data may be.
While Google seems to be asserting that by creating a three-party
system (user, Google, outside firm) privacy is enhanced -- and this
would appear to be true in theory -- the possibilities for
interference by government or other entities seems increased with each
new player in the process. Also, users are now dealing with an
additional set of policies (and legal departments), that of Google and
that of the third party. Nor (as far as I know) has the contractual
basis of the relationship between Google and this third party been
made public.
There may be nothing at all wrong with this arrangement. But frankly,
the introduction of a third party and other aspects of this system
have raised a caution warning for me, especially when this is enabled
by default.
So my recommendation for now is to turn off this feature, until
significantly more is known about it in the respects I've mentioned
above and others. This is completely up to you of course. You may wish
to keep the Google default that uses this system and have the
additional protection, and may not be at all concerned about the other
issues I've mentioned. Absolutely your choice.
I do invite Google to contact me with more information about these
issues if they wish to do so. -L
------------------------------
Date: Wed, 20 Mar 2024 10:48:05 -0700
From: "Jim" <jgeissman@socal.rr.com>
Subject: Why Tech Companies Are Not Your Friends: Lessons From Roku
(NYTimes)
Roku recently changed its policy to make it even harder for customers to
take legal action. It's a reminder of how we need to protect ourselves.
https://www.nytimes.com/2024/03/20/technology/personaltech/roku-data-breach-
companies.html?unlocked_article_code=1.eE0.xzdb.HCSnU1ujiRmT
------------------------------
Date: Sun, 17 Mar 2024 06:13:54 -0400 (EDT)
From: Mark Brader <msb@Vex.Net>
Subject: Re: Risks of Leap Years and Dumb Digital Watches (Shapir, R-34..10)
The year on my Timex watch cannot be set outside the range 2000-2099.
------------------------------
Date: Thu, 14 Mar 2024 17:53:40 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Re: AT&T proposals to kill landlines and more in California
The count of comments at the CPUC (overwhelmingly negative) on the main
proposal has now exceeded 5000, and it's no longer possible to know exactly
how many there are, since "Over 5000" is as high as their counter runs. -L
https://apps.cpuc.ca.gov/apex/f?p=401:65:0::NO:RP,57,RIR:P5_PROCEEDING_SELECT:A2303003
------------------------------
Date: Sat, 16 Mar 2024 18:33:50 -0400
From: "Bernie Cosell" <bernie@fantasyfarm.com>
Subject: Re: Hackers Breached Key Microsoft Systems (RISKS-34.11)
Any hint as to *how* they compromised the entire corporate email system? I
know how they can nail individual email addresses, but how do they leap from
that to invading the entire system?
------------------------------
Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 34.11
************************