Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.18

RISKS-LIST: Risks-Forum Digest  Friday 19 April 2024  Volume 34 : Issue 18

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.18>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Texas Hack May Be First Disruption of U.S. Water System by Russia (WashPost)
A chunk of metal that tore through a Florida home definitely came from the
  ISS (Ars Technica)
FAA investigating after Boston-bound JetBlue flight involved in near
  collision (The Boston Globe)
A Paris Olympics' Sure Thing: Cyberattacks (Tariq Panja)
PuTTY vulnerability vuln-p521-bias (sgtatham via Victor Miller)
Multistate 911 outage shows fragility of systems, experts say (NBC News)
Police bust global cyber-gang accused of industrial-scale fraud (BBC)
U.S. Air Force confirms first successful AI dogfight (The Verge)
Feds expand investigation into Honda's automatic emergency braking system
  (ArsTechnica)
LastPass users targeted in phishing attacks good enough to trick even the
  savvy (ArsTechnica)
Wrong button clicked, wrong divorce cannot be undone (The Guardian)
Big Tech can’t hoard brainwave data for ad targeting, Colorado law says
  (ArsTechnica)
Cops can force suspect to unlock phone with thumbprint, U.S. court rules
  (ArsTechnica)
Alleged cryptojacking scheme consumed $3.5M of stolen computing to make
  just $1M (ArsTechnica)
Tech Friend: Fire at 35,000 feet (WashPost)
Are Flying Cars Finally Here? (Gideon Lewis-Kraus)
Rust Flaw Enables Windows Command Injection Attacks (Sergiu Gatlan)
AI Made These Movies Sharper. Critics Say It Ruined Them. (NYTimes)
Will AI transform baseball forever? (The Washington Post)
Senate advances vote on reauthorizing warrantless surveillance program
  (The Verge)
Crypto trader Avi Eisenberg convicted of fraud in $110M trade scheme (Axios)
At Kernel, your veggie burger will be served by a robot (The Verge)
Author granted copyright over book with AI-generated text -- with a twist
  (Ars Technica)
Re: AI on Wall Street (Henry Baker)
Re: AI chatbots spread falsehoods about the EU elections, report finds
  (Amos Shapir)
Re: Palo Alto Zero Exploit (Steve Bacher, Cliff Kilby)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 19 Apr 2024 11:25:28 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Texas Hack May Be First Disruption of U.S. Water System by Russia
  (WashPost)

Ellen Nakashima and Aaron Schaffer, *The Washington Post*, 17 Apr 2024,
via ACM TechNews

A water tower serving the town of Muleshoe, TX, overflowed after the system
controlling it was hacked, releasing tens of thousands of gallons of water.
The hackers, who called themselves the Cyber Army of Russia Reborn (CARR),
posted a video online of the town's water-control system and that of a
nearby town being manipulated, showing how they reset the controls. CARR is
believed to be a front for Russia's military spy agency.

------------------------------

Date: Fri, 19 Apr 2024 14:39:13 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: A chunk of metal that tore through a Florida home definitely came
  from the ISS (Ars Technica)

But a series of delays meant the final cargo pallet of old batteries missed
its ride back to Earth, so NASA jettisoned the batteries from the space
station in 2021 to head for an unguided reentry. Ars published details of
the circumstances that led to this in a previous story. This isn't the way
NASA prefers to get rid of space debris, but managers decided they couldn't
keep the pallet at the space station, where it took up a storage location
needed for other purposes.
NASA expected the roughly 5,800-pound (2.6-metric ton) battery pallet to
fully burn up during reentry.

https://arstechnica.com/space/2024/04/florida-man-tells-ars-about-his-encounter-with-something-that-fell-from-space/

------------------------------

Date: Fri, 19 Apr 2024 09:12:02 -0400
From: Monty Solomon <monty@roscom.com>
Subject: FAA investigating after Boston-bound JetBlue flight involved in
  near collision (The Boston Globe)

The JetBlue flight was aborted at take-off after another plane was cleared
to cross the runway at the same time.

https://www.boston.com/news/transportation/2024/04/18/faa-investigating-after-boston-bound-jetblue-flight-involved-in-near-collision/

------------------------------

Date: Fri, 19 Apr 2024 11:25:28 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: A Paris Olympics' Sure Thing: Cyberattacks (Tariq Panja)

Tariq Panja, The New York Times, 17 Apr 2024, via ACM TechNews

Cybersecurity experts with the organizing committee of the Summer Olympic
Games in Paris are preparing for cyberattacks. There were 450 million
attempted "security events" at the Tokyo Summer Games in 2021, a number
expected to surge by eight to 12 times for the Paris Summer Games. The Paris
organizers joined with the International Olympic Committee and official
technology partner Atos to conduct "war games," offering "bug bounties" to
ethical hackers who identify vulnerabilities in the Games' systems.

------------------------------

Date: Tue, 16 Apr 2024 17:33:20 PDT
From: Victor Miller <victorsmiller@gmail.com>
Subject: PuTTY vulnerability vuln-p521-bias (sgtatham)

https://www.chiark.greenend.org.uk/~sgtatham/putty/wishlist/vuln-p521-bias.html

summary: NIST P521 private keys are exposed by biased signature generation
class: vulnerability: This is a security vulnerability.
priority: high: This should be fixed in the next release.
absent-in: 0.67
present-in: 0.68 0.69 0.70 0.71 0.72 0.73 0.74 0.75 0.76 0.77 0.78 0.79 0.80
fixed-in: c193fe9848f50a88a4089aac647fecc31ae96d27 (0.81)

Every version of the PuTTY tools from 0.68 to 0.80 inclusive has a critical
vulnerability in the code that generates signatures from ECDSA private keys
which use the NIST P521 curve. (PuTTY, or Pageant, generates a signature
from a key when using it to authenticate you to an SSH server.)

This vulnerability has been assigned CVE-2024-31497. It was discovered by
Fabian Bäumer and Marcus Brinkmann of the Ruhr University Bochum; see their
write-up on the oss-security mailing list.

The bad news: the effect of the vulnerability is to compromise the private
key. An attacker in possession of a few dozen signed messages and the public
key has enough information to recover the private key, and then forge
signatures as if they were from you, allowing them to (for instance) log in
to any servers you use that key for. To obtain these signatures, an attacker
need only briefly compromise any server you use the key to authenticate to,
or momentarily gain access to a copy of Pageant holding the key. (However,
these signatures are not exposed to passive eavesdroppers of SSH
connections.)

Therefore, if you have a key of this type, we recommend you revoke it
immediately: remove the old public key from all OpenSSH authorized_keys
files, and the equivalent in other SSH servers, so that a signature from the
compromised key has no value any more. Then generate a new key pair to
replace it.

(The problem is not with how the key was originally generated; it doesn't
matter whether it came from PuTTYgen or somewhere else. What matters is
whether it was ever used with PuTTY or Pageant.)

The good news: the only affected key type is 521-bit ECDSA. That is, a key
that appears in Windows PuTTYgen with ecdsa-sha2-nistp521 at the start of
the 'Key fingerprint' box, or is described as 'NIST p521' when loaded into
Windows Pageant, or has an id starting ecdsa-sha2-nistp521 in the SSH
protocol or the key file. Other sizes of ECDSA, and other key algorithms,
are unaffected. In particular, Ed25519 is not affected.

Details of the error: [...]

------------------------------

Date: Fri, 19 Apr 2024 06:51:15 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Multistate 911 outage shows fragility of systems, experts say
  (NBC News)

<https://www.nbcnews.com/news/us-news/major-911-outages-4-states-leave-millions-way-contact-local-authoritie-rcna148345>

The outage left millions in multiple states without emergency access to
authorities for about 2½ hours. [...]

A major 911 outage Wednesday showed the urgent need for increased
modernization and regulation of the emergency system, experts in
telecommunications and public safety told NBC News.

On Thursday, Lumen Technologies, a telecommunications company based in
Louisiana, said in a statement that "some customers in Nevada, South Dakota,
and Nebraska experienced an outage due to a third-party company installing a
light pole — unrelated to our services." [...]

Key paragraphs at the end:

The current system is “missing resilient backups” that could prevent outages
on several levels, Simpson said, like having more cables for path diversity
and multiple telecommunications carriers, updated equipment and multiple
routers.

“Engineers will tell you you don’t assume everything is going to be fine,”
Feld said. “When you build a system like this, you assume things are going
to go wrong, and you build it in a way so that things can go wrong without
taking down the whole system.”

https://www.nbcnews.com/tech/tech-news/multistate-911-outage-shows-fragility-systems-experts-say-rcna148475

------------------------------
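The PuTTY advisory above identifies affected keys by the ecdsa-sha2-nistp521 type string and asks administrators to remove such public keys from every authorized_keys file. The following is an editor-added audit script, not code from the advisory, PuTTY or any contributor: it parses an OpenSSH authorized_keys file (including entries with an options prefix), reads the key type and curve from inside the base64 blob rather than trusting the text prefix, and lists the P-521 entries with their line numbers. The sample file and its key blobs are constructed for the demo and contain no real key material.

```python
"""Audit an OpenSSH authorized_keys file for NIST P-521 ECDSA entries, the
only key type the PuTTY advisory names as affected. Added example, not code
from the advisory or from PuTTY: it flags every P-521 entry for review but
cannot know whether a given key was ever used with PuTTY or Pageant."""
import base64
import struct
from typing import List, Optional, Tuple

AFFECTED_TYPE = "ecdsa-sha2-nistp521"
AFFECTED_CURVE = "nistp521"

def _split_fields(line: str) -> List[str]:
    """Split on whitespace, keeping a double-quoted option value such as
    command="..." (which may contain spaces) inside a single field."""
    fields, buf, in_quote = [], [], False
    for ch in line:
        if ch == '"':
            in_quote = not in_quote
        if ch.isspace() and not in_quote:
            if buf:
                fields.append("".join(buf))
                buf = []
        else:
            buf.append(ch)
    if buf:
        fields.append("".join(buf))
    return fields

def _read_string(blob: bytes, off: int) -> Tuple[bytes, int]:
    """Read one SSH wire-format string: uint32 big-endian length, then bytes."""
    if off + 4 > len(blob):
        raise ValueError("truncated length field")
    (n,) = struct.unpack(">I", blob[off:off + 4])
    if off + 4 + n > len(blob):
        raise ValueError("truncated string")
    return blob[off + 4:off + 4 + n], off + 4 + n

def parse_key_blob(b64: str) -> Tuple[str, Optional[str]]:
    """Return (key type, curve or None) read from inside the base64 blob, which
    is what sshd trusts, rather than from the text prefix in front of it."""
    blob = base64.b64decode(b64, validate=True)
    ktype, off = _read_string(blob, 0)
    curve = None
    if ktype.startswith(b"ecdsa-sha2-"):
        curve = _read_string(blob, off)[0].decode("ascii")
    return ktype.decode("ascii"), curve

def parse_authorized_keys_line(line: str) -> Optional[dict]:
    """Parse one line; None for blank, comment or unparseable lines."""
    text = line.strip()
    if not text or text.startswith("#"):
        return None
    fields = _split_fields(text)
    # The key type sits at field 0, or at field 1 when options precede it.
    for i in (0, 1):
        if len(fields) < i + 2:
            break
        try:
            ktype, curve = parse_key_blob(fields[i + 1])
        except (ValueError, UnicodeDecodeError):
            continue  # not a key blob at this position
        return {"type": ktype, "curve": curve, "declared": fields[i],
                "options": fields[0] if i else "",
                "comment": " ".join(fields[i + 2:])}
    return None

def find_p521_keys(text: str) -> List[dict]:
    """Return each P-521 entry with its 1-based line number for removal."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        e = parse_authorized_keys_line(line)
        if e is None:
            continue
        if AFFECTED_TYPE in (e["type"], e["declared"]) or e["curve"] == AFFECTED_CURVE:
            e["line"] = lineno
            hits.append(e)
    return hits

def _fake_blob(ktype: str, curve: Optional[str], qlen: int) -> str:
    """Constructed sample blob: correct wire layout, dummy (non-key) bytes."""
    s = lambda b: struct.pack(">I", len(b)) + b
    parts = [s(ktype.encode())] + ([s(curve.encode())] if curve else [])
    return base64.b64encode(b"".join(parts) + s(b"\x04" + b"\x11" * qlen)).decode()

# Constructed sample file (no real keys): lines 3 and 5 should be flagged.
SAMPLE_AUTHORIZED_KEYS = "\n".join([
    "# constructed sample, not a real authorized_keys file",
    f"ssh-ed25519 {_fake_blob('ssh-ed25519', None, 31)} alice@laptop",
    f"ecdsa-sha2-nistp521 {_fake_blob('ecdsa-sha2-nistp521', 'nistp521', 132)} bob@putty",
    f"ecdsa-sha2-nistp256 {_fake_blob('ecdsa-sha2-nistp256', 'nistp256', 64)} carol@mac",
    'command="echo hi there",no-pty ecdsa-sha2-nistp521 '
    f"{_fake_blob('ecdsa-sha2-nistp521', 'nistp521', 132)} dave@pageant",
    "this line is not a key",
])
```

Calling find_p521_keys on the contents of a real authorized_keys file returns the candidate entries; the sample above exists only so the block runs offline.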
Date: Thu, 18 Apr 2024 07:27:11 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Police bust global cyber-gang accused of industrial-scale fraud (BBC)

https://www.bbc.com/news/uk-68838977

Police have taken down a gang accused of using a technology service that
helped criminals use fraudulent text messages to steal from victims. They
have arrested 37 people worldwide and are contacting victims.

Officers say younger people who grew up with the internet were the most
likely to fall for the "phishing" scam. The technology allowed scammers
without technical skills to bombard victims with messages designed to trick
them into making payments online.

Police targeted the gang's site, LabHost, which helped criminals send the
messages and direct victims to fake websites appearing to be legitimate
online payment or shopping services. It had enabled the criminals to steal
identity information, including 480,000 card numbers and 64,000 Pin codes,
known in criminal slang as "fullz data", the police said.

------------------------------

Date: Thu, 18 Apr 2024 18:11:22 -0400
From: Monty Solomon <monty@roscom.com>
Subject: U.S. Air Force confirms first successful AI dogfight (The Verge)

The U.S. Air Force is putting AI in the pilot’s seat. In an update on
Thursday, the Defense Advanced Research Projects Agency (DARPA) revealed
that an AI-controlled jet successfully faced a human pilot during an in-air
dogfight test carried out last year.

DARPA began experimenting with AI applications in December 2022 as part of
its Air Combat Evolution (ACE) program. It worked to develop an AI system
capable of autonomously flying a fighter jet, while also adhering to the Air
Force’s safety protocols. [...]

https://www.theverge.com/2024/4/18/24133870/us-air-force-ai-dogfight-test-x-62a

------------------------------

Date: Thu, 18 Apr 2024 18:52:34 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Feds expand investigation into Honda's automatic emergency braking
  system (ArsTechnica)

https://arstechnica.com/?p=2017732

------------------------------

Date: Thu, 18 Apr 2024 18:45:07 -0400
From: Monty Solomon <monty@roscom.com>
Subject: LastPass users targeted in phishing attacks good enough to trick
  even the savvy (ArsTechnica)

Password-manager LastPass users were recently targeted by a convincing
phishing campaign that used a combination of email, SMS, and voice calls to
trick targets into divulging their master passwords, company officials said.

The attackers used an advanced phishing-as-a-service kit discovered in
February by researchers from mobile security firm Lookout. Dubbed
CryptoChameleon for its focus on cryptocurrency accounts, the kit provides
all the resources needed to trick even relatively savvy people into
believing the communications are legitimate. Elements include high-quality
URLs, a counterfeit single sign-on page for the service the target is using,
and everything needed to make voice calls or send emails or texts in real
time as targets are visiting a fake site. The end-to-end service can also
bypass multi-factor authentication in the event a target is using the
protection. [...]
https://arstechnica.com/?p=2018339

------------------------------

Date: Mon, 15 Apr 2024 14:58:17 +0100
From: "Wendy M. Grossman" <wendyg@pelicancrossing.net>
Subject: Wrong button clicked, wrong divorce cannot be undone (The Guardian)

A London solicitor clicked the wrong button and applied for a final divorce
order for the wrong couple. The court says the final order cannot be
overturned.

https://www.theguardian.com/lifeandstyle/2024/apr/15/wrong-couple-divorced-solicitor-clicks-wrong-button

------------------------------

Date: Thu, 18 Apr 2024 18:48:12 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Big Tech can’t hoard brainwave data for ad targeting, Colorado law
  says (ArsTechnica)

On Wednesday, Colorado expanded the scope of its privacy law initially
designed to protect biometric data like fingerprints or face images to
become first in the nation to also shield sensitive neural data. That could
stop companies from hoarding brain activity data without residents realizing
the risks.

The New York Times reported that neural data is increasingly being collected
and sold nationwide. And after a market analysis showed that investments in
neurotechnology leapt by 60 percent globally from 2019 to 2020—and were
valued at $30 billion in 2021—Big Tech companies have significantly
intensified plans to develop their own products to rake in potentially
billions. [...]

https://arstechnica.com/?p=2018276

------------------------------

Date: Thu, 18 Apr 2024 18:42:27 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Cops can force suspect to unlock phone with thumbprint, U.S. court
  rules (ArsTechnica)

The U.S. Constitution's Fifth Amendment protection against
self-incrimination does not prohibit police officers from forcing a suspect
to unlock a phone with a thumbprint scan, a federal appeals court ruled
yesterday.
The ruling does not apply to all cases in which biometrics are used to
unlock an electronic device but is a significant decision in an unsettled
area of the law.

The U.S. Court of Appeals for the 9th Circuit had to grapple with the
question of "whether the compelled use of Payne's thumb to unlock his phone
was testimonial," the ruling in United States v. Jeremy Travis Payne said.
"To date, neither the Supreme Court nor any of our sister circuits have
addressed whether the compelled use of a biometric to unlock an electronic
device is testimonial."

A three-judge panel at the 9th Circuit ruled unanimously against Payne,
affirming a US District Court's denial of Payne's motion to suppress
evidence. Payne was a California parolee who was arrested by California
Highway Patrol (CHP) after a 2021 traffic stop and charged with possession
with intent to distribute fentanyl, fluorofentanyl, and cocaine. [...]

https://arstechnica.com/tech-policy/2024/04/cops-can-force-suspect-to-unlock-phone-with-thumbprint-us-court-rules/

------------------------------

Date: Tue, 16 Apr 2024 21:42:37 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Alleged cryptojacking scheme consumed $3.5M of stolen computing to
  make just $1M (ArsTechnica)

https://arstechnica.com/?p=2017285

------------------------------

Date: Fri, 19 Apr 2024 15:40:25 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Tech Friend: Fire at 35,000 feet

When we fly, there’s a small risk that a battery powering our phones or
laptops could start a dangerous fire on board. But the most common source of
battery-related fires in airplane travel is surprising: vape pens.

A safety organization that tracks airline battery incidents grew so
concerned that it recently flagged the vaping fire trend to the Food and
Drug Administration, which oversees electronic smoking devices.
On average in the United States, there are more than two reports each week
of battery-related fires, smoke or similar incidents on planes or at
airports, according to voluntary reporting by passenger and cargo airlines.

How to reduce the risk of in-flight battery fires

Don’t pack e-cigarettes or other battery-powered devices in your checked
luggage. Airlines tell you this, but people may not know the rules or forget
that they packed a vape pen or portable battery in a suitcase that gets
gate-checked. The risk is that no one will see a fire that starts in the
baggage hold before it grows out of control.

Don’t charge vape pens on board the plane. It’s not allowed. Take that rule
seriously. There’s typically a higher fire risk when a battery is charging.
Last year, a Spirit Airlines flight to Orlando made an emergency landing
because of a fire from a vape pen that was charging in an overhead bin.

A reminder: You’re not allowed to smoke on planes. That includes
e-cigarettes.

Tell a flight attendant or other personnel immediately if you see smoke or
fire. Airline crews have special training and fire containment bags for
battery-powered gadgets.

https://s2.washingtonpost.com/camp-rw/?trackId=596b22969bbc0f403f8bcc25&s=66229c2c847347087352364b&linknum=2&linktot=37

------------------------------

Date: Tue, 16 Apr 2024 14:22:53 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Are Flying Cars Finally Here? (Gideon Lewis-Kraus)

Long article in *The New Yorker*, 22-29 Apr 2024

They have long been a symbol of a future that never came. Now a variety of
companies are building them—or something close. By 2030, customers could
have access to self-driving, electric air taxis that travel between
neighborhood “vertiports.” One company promises a seven-minute trip from
Manhattan to the airport for the price of a rideshare.

Gideon Lewis-Kraus writes about the BlackFly, a flying vehicle developed by
Pivotal, and companies developing other eVTOL aircraft, including Wisk and
Beta.
------------------------------

Date: Mon, 15 Apr 2024 11:08:08 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Rust Flaw Enables Windows Command Injection Attacks (Sergiu Gatlan)

Sergiu Gatlan, *BleepingComputer*, 9 Apr 2024

A security flaw in the Rust standard library could be used by hackers to
launch command injection attacks targeting Windows systems. The
vulnerability stems from OS command and argument injection weaknesses. The
Rust Security Response Working Group said it was notified that the Rust
standard library did not properly escape arguments when invoking batch files
on Windows using the Command API. Flatt Security engineer RyotaK, who
discovered the vulnerability, said it also impacts other major programming
languages.

------------------------------

Date: Sun, 14 Apr 2024 19:37:50 -0400
From: Monty Solomon <monty@roscom.com>
Subject: AI Made These Movies Sharper. Critics Say It Ruined Them. (NYTimes)

Machine-learning technologies are being used in film restoration for new
home video releases. But some viewers strongly dislike the results.

https://www.nytimes.com/2024/04/13/movies/ai-blu-ray-true-lies.html

------------------------------

Date: Thu, 18 Apr 2024 17:14:38 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Will AI transform baseball forever? (The Washington Post)

Boddy immediately bought an Edgertronic on eBay. He also had a crucial
insight about how to use it. Camera data could help players experiment with
new pitch grips and refine their swings, and the avalanche of statistical
data could confirm the outcomes. But to revolutionize player performance —
to get athletes to really understand what they needed to do — the two had to
converge in simple and elegant software. And the means of that convergence
was artificial intelligence.

I’ve spoken to a lot of people about AI, and there’s an awkward point in
almost every conversation where we both admit we don’t know exactly what AI
is. In fairness, it can be a lot of things.
There’s no fixed definition. But people are pretty assertive about the money
they expect to make from it, and I’m an AI columnist, so it’d be nice not to
have to talk about the benefits of this technology in the vague way people
talk about, I dunno, Herbalife?

All of which is to say, Boddy has the most practical definition of AI I’ve
heard. “It’s the best translator ever,” he says. “In the literal sense, we
communicate with our athletes in Japanese and Korean and Spanish with a
ChatGPT plug-in that translates baseball slang flawlessly in real time.

https://www.washingtonpost.com/opinions/2024/04/10/op-moneyballai/

“It’s the best translator ever,” he says. What could go wrong?

------------------------------

Date: Thu, 18 Apr 2024 18:14:42 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Senate advances vote on reauthorizing warrantless surveillance
  program (The Verge)

https://www.theverge.com/2024/4/18/24134196/senate-cloture-vote-fisa-section-702-surveillance

  [Senator, Be careful what you ask for. We've been around this issue in
  all of the previous crypto wars. The slippery slope is immense. [GN]

------------------------------

Date: Thu, 18 Apr 2024 17:54:58 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Crypto trader Avi Eisenberg convicted of fraud in $110M trade
  scheme (Axios)

https://www.axios.com/2024/04/18/avi-eisenberg-convicted-crypto-defi-mango-markets

------------------------------

Date: Thu, 18 Apr 2024 18:17:52 -0400
From: Monty Solomon <monty@roscom.com>
Subject: At Kernel, your veggie burger will be served by a robot (The Verge)

Its robotic arm heats vegan burgers and crispy potatoes while relegating
humans to assembly line jobs.

It [is] a vegan fast-casual joint sitting in an unassuming block of
Manhattan, nestled between outposts of Paris Baguette and Just Salad. In
many ways, Kernel resembles other restaurants catering to office workers. It
has sandwiches. It has sides. It has a smartphone app. It has scheduled
pickups. It has a robotic arm.

Kernel, the brainchild of Chipotle co-founder Steve Ells, has been called a
possible reinvention of lunch. The menu was designed by former Eleven
Madison Park chef and Kernel chief culinary officer Andrew Black. Unlike
other restaurants serving Manhattan’s office workers, Kernel only has three
human employees on-site at all times, which Black tells The Verge is the
point.

https://www.theverge.com/2024/4/18/24130997/kernel-ai-robot-vegan-burgers-potatoes

  [Somewhat gibberished item PGN-ed.]

------------------------------

Date: Thu, 18 Apr 2024 18:38:07 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Author granted copyright over book with AI-generated text -- with
  a twist (Ars Technica)

https://arstechnica.com/?p=201815
  [SEEMS NOT TO WORK, Try an alternative provided by Steve Bacher. PGN]
https://arstechnica.com/tech-policy/2024/04/author-granted-copyright-over-book-with-ai-generated-text-with-a-twist/

------------------------------

Date: Mon, 15 Apr 2024 21:23:35 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: Re: AI on Wall Street (NYTimes, RISKS-34.17)

Having known Wall Street analysts, I would imagine that their jobs are
threatened not just by AI, but also by 'high frequency trading'. The
combination of AI/HFT will completely revolutionize Wall Street, because an
AI/HFT 'analyst' can respond within micro- or milli-seconds, rather than
within days.

You may recall that AlphaGo revolutionized the game of Go, by playing with
itself thousands upon thousands of games, enabling the creation of new
strategies never before known to human Go players.

Similarly, an AI/HFT (legal) 'person' could learn about trading patterns,
first as a completely passive study of past trading activity, followed by a
gentle introduction to active trading in small volumes, completely hedged by
the SPX/QQQ indices, followed by an acceleration of volume into large scale
activities.
With risk minimized by constant hedging, such an AI/HFT bot could eventually
figure out non- (in-?) human strategies that might make very little on each
transaction, but could coordinate the transactions over a large number of
stocks/bonds/commodities and world-wide exchanges in every time zone to beat
most -- if not all -- human traders.

At some point, the 'coupon clip machine' would no longer have any need for
outside investors, but would have accumulated enough capital to trade only
for its own account. If it were part of a non-profit, e.g., a university
endowment fund (Harvard??), then it wouldn't even have to worry about taxes.

Bostrom's 'paper clip machine' would then be outclassed by this 'coupon clip
machine', which cared nothing about humans but only about 'shareholders'
such as itself.

I suspect that such coupon clip machine(s) are already in training
(Simons??), and may already be making outsized profits -- at least enough to
pay a larger premium for whatever nVidia boxes they need than anyone else
can afford to pay.

------------------------------

Date: Wed, 17 Apr 2024 09:50:51 +0300
From: Amos Shapir <amos083@gmail.com>
Subject: Re: AI chatbots spread falsehoods about the EU elections, report
  finds (RISKS-34.17)

For an application whose main job is gathering and presenting information,
results which are factually false should be considered a serious bug. Don't
these companies have QA departments? Such applications are obviously not
yet ready for public distribution, and should be recalled.

The solution suggested by Google's spokesperson -- to use Google Search to
verify results -- is not feasible where large amounts of data are
presented; users cannot be expected to sift through all of it to check
which results are false. Maybe we need another AI application for that...
------------------------------

Date: Mon, 15 Apr 2024 11:19:40 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Re: Palo Alto Zero Exploit (Kilby, RISKS-34.17)

"Perhaps avoid the use of dynamic scripting languages in what should be a
secure context? Or, why does my firewall have python?"

Perhaps, but does that mean the choice for developers comes down to this:
have your programmers code in a compiled language that makes code
susceptible to buffer-overflow and use-after-free style bugs, or code in a
scripting language whose behavior is dependent on the resident interpreter
libraries? Is there a happy medium?

  [No, most mediums today are likely to be very unhappy because they tend
  to be more trustworthy than AI, even if professionally as a group they
  tend to be less trusted by the general public! PGN]

------------------------------

Date: Mon, 15 Apr 2024 14:45:50 -0400
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: Re: Palo Alto Zero Exploit (Bacher, RISKS-34.18)

I'm not against scriptable languages, I've written in a few and they are
extremely useful for last mile extensibility. My complaint is more along
the lines of why is it a full interpreter, and not restricted like the f5
or a10 tcl interpreter, or even the pfSense php interpreter (to a lesser
extent). AWS already very publicly learned the lesson about interpreter
escapes in python with its RDS python adoption.

You can useafterfree, or bufferoverflow, or offbyone in any language. The
features that prevent it in dynamic languages are as good as the
interpreter. The features that prevent it in compiled languages are as good
as the libraries. When crashing isn't an option, behavior becomes undefined.

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site: <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.18
************************