RISKS-LIST: Risks-Forum Digest Saturday 4 November 2023 Volume 33 : Issue 92

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.92>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
2 Jets Collide at Houston Airport After One Took Off Without Permission
(NYTimes)
Apple Disables Maps Features in Israel and Gaza (Gizmodo)
California halts operations of Cruise self-driving robotaxis (NBC News)
Porsche is adding Google to its cars as VW's software problems worsen?
(The Verge)
Toyota has built an EV with a fake transmission, and we've driven it
(Ars Technica)
Oveview of the iLeakage Attack (Jason Kim et al.)
The Internet Worm at 35 (Gene Spafford)
AI Firms Must Be Held Responsible for Harm They Cause, 'Godfathers' Say
(Dan Milmo)
President Biden Issues Executive Order one Safe, Secure, and
Trustworthy Artificial Intelligence (Whitehouse.gov)
Executive Order on AI (Alan Butler)
Humans Find AI-Generated Faces More Trustworthy Than the Real Thing
(Scientific American)
AI Muddies Israel-Hamas War in Unexpected Way (NYTimes)
AI generated allegations against Big Four consulting firms
(The Guardian)
AI voice clones mimic politicians and celebrities, reshapingo reality
(WashPost)
AI has arrived in your doctor's office. Washington doesn't know what to do
about it. (Politico)
The AI-Generated Child Abuse Nightmare Is Here (WiReD)
Small outtakes from a big war (Amos Shapir)
Cybercriminal group claims responsibility for ransomware attack as
hospital CEO says recovery will take weeks (CBC)
Meta Accused by States of Using Features to Lure Children to
Instagram and Facebook (NYTimes)
IRA accounts drained of $36 million in cryptocurrency (CoinDesk)
A Year of Musk (a trifecta in *The NYTimes*)
Gannett takes down Reviewed articles after outcry from staff
(Angela Fu)
Reddit finally takes its API war where it belongs: to AI companies
(Ars Technica)
They Cracked the Code to a Locked USB Drive Worth $235
Million in Bitcoin. Then It Got Weird. (WiReD)
FCC robocall enforcement does little to stop illegal calls, Senate hears
(Ars Technica)
Pervasive North Korean programmers in U.S.? (Kim Zetter
via Paul Burke)
Amazon, Microsoft, and India crack down on tech support scams (The Verge)
U.S. House Republicans Had Their Phones Confiscated to Stop Leaks (WiReD)
Top Philips Executive Approved Sale of Defective Breathing
Machines by Distributors, Despite Tests Showing Health Risks (ProPublica)o
How a Big Pharma Company Stalled a Potentially Lifesaving
Vaccine in Pursuit of Bigger Profits (PeoPublica)
Education Department penalizes Missouri lender for error that
made 800,000 student loan borrowers delinquent (CNBC)
How a Lucrative Surgery Took Off Online and Disfigured Patients
(NYTimes)
Citrix Bleed: Leaking Session Tokens with CVE-2023-4966 (AssetNote)
YouTube fumbles NFL Sunday Ticket streaming (Ars Technica)
Google promises a rescue patch for Android 14's ransomware bug
(Ars Technica)
This Florida School District Banned Cellphones. Here's What Happened.
(NYTimes)
New Laws on Kids and Social Media Are Stymied by Industry Lawsuits
(NYTimes)
Tesla Wins Suit That Blamed Its Software for Deadly Crash
(NYTimes)
The Telegram app has been a key platform for Hamas. Now it's
being restricted there (NPR)
Gaza's 34-hour phone and Internet blackout, as told in voice memos
(NPR)
YouTube's NFL Sunday Ticket streams are failing today?
(The Verge)
Re: Zoom vulnerability (Victor Miller)
Re: The origin of hacking attempts (Lars-Henrik Eriksson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 27 Oct 2023 00:00:44 -0400
From: Monty Solomon <monty@roscom.com>
Subject: 2 Jets Collide at Houston Airport After One Took Off Without
Permission (NYTimes)

https://www.nytimes.com/2023/10/25/us/jets-collision-hobby-airport-houston.html

------------------------------

Date: Wed, 25 Oct 2023 09:18:49 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Apple Disables Maps Features in Israel and Gaza
(Gizmodo)

https://gizmodo.com/apple-disables-maps-features-in-israel-and-gaza-1850953585

------------------------------

Date: Tue, 24 Oct 2023 21:38:44 -0400
From: Monty Solomon <monty@roscom.com>
Subject: California halts operations of Cruise self-driving robotaxis
(NBC News)

The California DMV suspended the company's driverless permits, citing public
safety. Cruise may apply to reinstate them, but the DMV gave no timeline.

https://www.nbcnews.com/tech/tech-news/cruise-california-halts-operations-cruise-self-driving-robotaxis-rcna121964
https://www.washingtonpost.com/technology/2023/10/28/robotaxi-cruise-crash-driverless-car-san-francisco/

------------------------------

Date: Tue, 31 Oct 2023 09:05:13 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Porsche is adding Google to its cars as VW's software problems
worsen? (The Verge)

https://www.theverge.com/2023/10/30/23938741/porsche-google-built-in-vw-cariad-layoffs

------------------------------

Date: Tue, 31 Oct 2023 09:21:40 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Toyota has built an EV with a fake transmission, and
we've driven it (Ars Technica)

https://arstechnica.com/?p=1980015

------------------------------

Date: Wed, 25 Oct 2023 16:43:41 PDT
From: Victor Miller <victorsmiller@gmail.com>
Subject: Oveview of the iLeakage Attack (Jason Kim et al.)

https://ileakage.com/

Jason Kim (Georgia Tech)
Stephan von Schaik (U. Michigan)
Daniel Genkin (Georgia Tech)
Juval Yarom (Ruhr University Bochum)

Overview of the iLeakage Attack.

We present iLeakage, a transient execution side channel targeting the Safari
web browser present on Macs, iPads and iPhones. iLeakage shows that the
Spectre attack is still relevant and exploitable, even after nearly 6 years
of effort to mitigate it since its discovery. We show how an attacker can
induce Safari to render an arbitrary webpage, subsequently recovering
sensitive information present within it using speculative execution. In
particular, we demonstrate how Safari allows a malicious webpage to recover
secrets from popular high-value targets, such as Gmail inbox content.
Finally, we demonstrate the recovery of passwords, in case these are
autofilled by credential managers.

Demo Videos.
Recovering Instagram Credentials
We show a scenario where the target uses an autofilling credential manager
(LastPass in this demo) to sign into Instagram with Safari on macOS.

------------------------------

Date: Thu, 2 Nov 2023 13:25:19 -0400
From: Gene Spafford <spaf@purdue.edu>
Subject: The Internet Worm at 35

Today is the 35th anniversary of the Internet Worm.

"Ancient history," you say? Or perhaps, "What's that?"

Read my blog post about it to get my perspective on why it is important:
https://www.cerias.purdue.edu/site/blog/post/reflecting_on_the_internet_worm_at_35/

[*Ancient history* is really becoming important in this age of forgetting
why some problems never go away. Buffer overflows were recognized and
resolved in the Multics hardware/OS in 1965. Some of the vulnerability
types Robert Morris exposed in 1988 are still problematic. Many of the
types of risks discussed in my 1995 book are still around. Bad
programming practices in flawed program languages still abound. Please
read Spaf's blog. Spam, ransomware, and so on, ad infinitum? (There is
always another one we forgot.) PGN]

------------------------------

Date: Wed, 25 Oct 2023 11:49:18 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: AI Firms Must Be Held Responsible for Harm They Cause,
'Godfathers' Say (Dan Milmo)

Dan Milmo, *The Guardian*, 25 Oct 2023. via ACM TechNews

A group of experts including "godfathers" of artificial intelligence
(AI) Geoffrey Hinton and Yoshua Bengio, both ACM Turing Award
recipients, said AI companies must be held accountable for the damage
their products cause, ahead of an AI safety summit in London. The
University of California, Berkeley's Stuart Russell, one of 23 experts
who composed AI policy proposals released Tuesday, called developing
increasingly powerful AI systems before understanding how to render
them safe "utterly reckless." The proposed policies include having
governments and companies commit 33% of their AI research and
development resources to safe and ethical AI use. Companies that
discover dangerous capabilities in their AI models also must adopt
specific safeguards.

<https://venturebeat.com/ai/ai-godfathers-bengio-and-hinton-major-tech-companies-should-devote-a-third-of-ai-budget-to-managing-ai-risk/>

------------------------------

Date: Mon, 30 Oct 2023 07:37:51 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: President Biden Issues Executive Order one Safe, Secure, and
Trustworthy Artificial Intelligence (Whitehouse.gov)