Path: i2pn2.org!i2pn.org!usenet.blueworldhosting.com!diablo1.usenet.blueworldhosting.com!panix!.POSTED.panix1.panix.com!not-for-mail
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 33.81
Date: 27 Aug 2023 00:54:46 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 489
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1693097412.risko@chiron.csl.sri.com15407>
Injection-Info: reader2.panix.com; posting-host="panix1.panix.com:166.84.1.1";
logging-data="17662"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Saturday 26 August 2023 Volume 33 : Issue 81

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.81>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
'Pibot' Better Than Human Pilots Say Researchers (AVweb)
WinRAR 0-day that uses poisoned JPG and TXT files under exploit since April
(Ars Technica)
Windows 11 has made the *clean Windows* install an oxymoron (Ars Technica)
A Right-to-Repair Car Law Makes a Surprising U-Turn in Massachusetts (WiReD)
How NightOwl for Mac Added a Botnet (Gizmodo)
Whoops: DEA Falls for Crypto Scam, Hands Fraudster $55,000 in Stolen Funds
(Gizmodo)
Feds Charge Tornado Cash Crypto Mixer Devs With Money Laundering (Gizmodo)
TSA slows push to require additional ID checks for some travelers (WashPost)
The College Board Tells TikTok and Facebook Your SAT Scores (Gizmodo)
Google Passkeys Weakness (Lauren Weinstein)
AI brings researchers one step closer to restoring speech in people with
paralysis (CBC)
Internet Archiving and Radiocarbon dating (Martin Ward)
Re: Hawaii needs better siren codes (Clive Page)
Re: Buyers of Bored Ape NFTs sue after digital apes turn out to be bad
investment (Gabe Goldberg)
More detail on Lindell wants to fly drones near polling places to monitor
voting machines (Gabe Goldberg)
Re: Wegmans Double Charging Affects Credit Card Customers In VA,DC
(John Levine, Gabe Goldberg, Phil Smith III)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Thu, 24 Aug 2023 15:42:02 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: 'Pibot' Better Than Human Pilots Say Researchers (AVweb)

Korean researchers are developing a humanoid “pibot” that looks like a
character from a 1960s science fiction sitcom but unlike most autonomous
flight systems, this one can literally fill in for pilots in any
aircraft. The team at the Korea Advanced Institute of Science and Technology
(KAIST) say their creation can fly a plane without any modifications to the
flight deck. “Pibot is a humanoid robot that can fly an [airplane] just like
a human pilot by manipulating all the single controls in the cockpit, which
is designed for humans,” David Shim, an associate professor of electrical
engineering at KAIST, told Euronews Next.

Pibot has arms and hands with enough dexterity to manipulate controls as
accurately in turbulence as a human, but the team says it has other
capabilities that far outstrip those of mere mortals. For instance, the full
library of Jeppesen charts is stored in memory as are any relevant manuals
and reference material. It also gets real-time video from cameras mounted
inside and outside the flight deck. The data for the aircraft it’s flying is
loaded into that memory without bias learned from other platforms.
Artificial intelligence allows it to understand all that information,
including emergency procedures, and apply it to the mission at hand. “With
the pilot robot, if we teach individual aeroplane configuration, then you
can fly the aeroplane by simply clicking the aeroplane’s type,” Shim told
Euronews Next.

https://www.avweb.com/aviation-news/pibot-better-than-human-pilots-say-researchers/

[A Pibot might also crank out the digits of pi=3.14... while it was at it.
PGN]

------------------------------

Date: Fri, 25 Aug 2023 02:16:35 -0400
From: Monty Solomon <monty@roscom.com>
Subject: WinRAR 0-day that uses poisoned JPG and TXT files under exploit
since April (Ars Technica)

https://arstechnica.com/?p=1962625

------------------------------

Date: Thu, 24 Aug 2023 15:35:07 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Windows 11 has made the *clean Windows* install an oxymoron
(Ars Technica)

Op-ed: PC makers used to need to bring their own add-on bloatware—no longer.

The "out-of-box experience" (OOBE, in Microsoft parlance) for Windows 7
walked users through the process of creating a local user account, naming
their computer, entering a product key, creating a "Homegroup" (a
since-discontinued local file- and media-sharing mechanism), and determining
how Windows Update worked. Once Windows booted to the desktop, you'd find
apps like Internet Explorer and the typical in-box Windows apps (Notepad,
Paint, Calculator, Media Player, Wordpad, and a few other things) installed.

Keeping that baseline in mind, here's everything that happens during the
OOBE stage in a clean install of Windows 11 22H2 (either Home or Pro) if you
don't have active Microsoft 365/OneDrive/Game Pass subscriptions tied to
your Microsoft account:

* (Mostly) mandatory Microsoft account sign-in.
* Setup screen asking you about data collection and telemetry settings.
* (skippable) screen asking you to "customize your experience."
* prompt to pair your phone with your PC.
* Microsoft 365 trial offer.
* 100GB OneDrive offer.
* $1 introductory PC Game Pass offer.

This process is annoying enough the first time, but at some point down the
line, you'll also be offered what Microsoft calls the "second chance
out-of-box experience," or SCOOBE (not a joke), which will try to get you to
do all of this stuff again if you skipped some of it the first time. This
also doesn't account for the numerous one-off post-install notification
messages you'll see on the desktop for OneDrive and Microsoft 365. (And it's
not just new installs; I have seen these notifications appear on systems
that have been running for months even if they're not signed in to a
Microsoft account, so no one is safe).

And the Windows desktop, taskbar, and Start menu are no longer the pristine
places they once were. Due to the Microsoft Store, you'll find several
third-party apps taking up a ton of space in your Start menu by default,
even if they aren't technically downloaded and installed until you run them
for the first time. Spotify, Disney+, Prime Video, Netflix, and Facebook
Messenger all need to be removed if you don't want them (this list can vary
a bit over time).

https://arstechnica.com/gadgets/2023/08/windows-11-has-made-the-clean-windows-install-an-oxymoron/

------------------------------

Date: Fri, 25 Aug 2023 17:59:18 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: A Right-to-Repair Car Law Makes a Surprising U-Turn in
Massachusetts (WiReD)

The Biden administration has changed its mind about a Massachusetts state
law giving mechanics and car owners access to more diagnostic data.

https://www.wired.com/story/nhtsa-massachusetts-right-to-repair-letter/

[Now it will be a Left-Right-to-Repair law? PGN]

------------------------------

Date: Sat, 26 Aug 2023 10:13:36 -0400
From: Monty Solomon <monty@roscom.com>
Subject: How NightOwl for Mac Added a Botnet (Gizmodo)

How a Well-Regarded Mac App Became a Trojan Horse

NightOwl was supposed to make Macs work in dark mode. After a recent update,
one developer discovered it was siphoning users’ data through a botnet.

https://gizmodo.com/how-nightowl-for-mac-added-a-botnet-1850740785

------------------------------

Date: Fri, 25 Aug 2023 02:08:55 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Whoops: DEA Falls for Crypto Scam, Hands Fraudster $55,000 in
Stolen Funds (Gizmodo)

https://gizmodo.com/dea-falls-for-crypto-scam-55-000-dollars-stolen-funds-1850771607

------------------------------

Date: Fri, 25 Aug 2023 02:12:12 -040
From: Monty Solomon <monty@roscom.com>
Subject: Feds Charge Tornado Cash Crypto Mixer Devs With Money Laundering
(Gizmodo)

https://gizmodo.com/tornado-cash-money-laundering-charges-1850767649

------------------------------

Date: Fri, 25 Aug 2023 12:24:10 -0400
From: Monty Solomon <monty@roscom.com>
Subject: TSA slows push to require additional ID checks for some travelers
(WashPost)

Recent reports of new security incidents involving Clear have some lawmakers
concerned that TSA isn't doing enough to keep airports safe.

https://www.washingtonpost.com/transportation/2023/08/10/tsa-clear-enhanced-id-checks/

------------------------------

Date: Sat, 26 Aug 2023 10:08:38 -0400
From: Monty Solomon <monty@roscom.com>
Subject: The College Board Tells TikTok and Facebook Your SAT Scores
(Gizmodo)

Gizmodo’s tests found the higher-ed gatekeeper shares GPAs, SAT scores, and
other data with big tech.

https://gizmodo.com/sat-college-board-tells-facebook-tiktok-your-scores-gpa-1850768077

------------------------------

Date: Sat, 26 Aug 2023 10:50:04 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: Google Passkeys Weakness

[...] I'll note here the fundamental issue. In their promotion of passkeys,
Google attempts to gloss over a key weakness (no pun intended) in their
passkey implementation, and in my discussions with them to try "minimize"
the importance of this problem.

