RISKS-LIST: Risks-Forum Digest Wednesday 31 January 2024 Volume 34 : Issue 05

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.05>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Offshore Wind Farms Vulnerable to Cyberattacks (Rizwan Choudhury)
Tesla Hacked at Pwn2Own Automotive 2024 (Sergiu Gatlan)
America's Dangerous Trucks (Frontline)
Authorities investigating massive security breach at Global Affairs Canada
(CBC)
Why the 737 MAX 9 door plug blew out (Lauren Weinstein)
Man sues Macy's, saying false facial recognition match led to jail assault
(WashPost)
Bugs in our pockets: the risks of client-side scanning
(Journal of Cybersecurity Oxford Academic)
Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training
(Arxiv)
ERCIM News 136 published - Special Theme: Large Language Models
(Peter Kunz)
Deepfake Audio of Biden Alarms Experts (Margi Murphy)
The Great Freight-Train Heists of the 21st Century (Slashdot)
Nightshade: a new tool artists can use to *poison* AI models that
scrape their online work (Lauren Weinstein)
ChatGPT is leaking passwords from private conversations of users
(Ars Technica reader says)
Impact of AI on Software Development (Taylor Soper)
AI maxim (Lauren Weinstein)
Is American Journalism Headed Toward an Extinction-Level Event?
(geoff goodfellow)
Huge Proportion of Internet Is AI-Generated Slime, Researchers Find
(Maggie Harrison)
How Beloved Indie Blog 'The Hairpin' Turned Into an AI Clickbait Farm
(WiReD)
Twitter/X says that it has temporarily blocked some searches for
Taylor Swift while they try deal with the flood of AI-porn related to her
(LW)
Taylor Swift, Travis Kelce and a MAGA Meltdown (NYTimes)
YOUR PAPERS PLEASE! - Florida House passes bill that would ban
children under 16 from social media (Axios)
Hawley and the tech CEOs (Lauren Weinstein)
Congress and the states want to bring a Chinese-style police state
Internet to the U.S. (Lauren Weinstein)
iPhone Apps Secretly Harvest Data When They Send Notifications
(Thomas Germain)
In India, an algorithm declares them dead; they have
to prove they're alive (Steve Bacher)
Tech Layoffs Shock Young Workers. The Older People? Not So Much. (NYTimes)
Re: Even after a recall, Tesla's Autopilot does dumb dangerous things
(Geoff Kuenning)
Re: ChatGPT can answer yes or no at the same time (Amos Shapir)
Re: Tesla Drivers in Chicago Confront a Harsh Foe: Cold Weather (Goldberg,
(John Levine)
One-star rating deserved for apps that allow full-screen ads
(Dan Jacobson)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 31 Jan 2024 11:05:43 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Offshore Wind Farms Vulnerable to Cyberattacks
(Rizwan Choudhury)

Rizwan Choudhury, *Interesting Engineering*, 24 Jan 2024
via ACM TechNews, 31 Jan 2024

Researchers at Canada's Concordia University and the Hydro-Quebec Research
Institute studied the cybersecurity risks associated with offshore wind
farms, specifically those using voltage-source-converter high-voltage
direct-current (VSC-HVDC) connections. In simulations, the researchers found
that cyberattacks could cause blackouts or equipment damage by prompting
poorly dampened power oscillations that are amplified by the HVDC system and
spread to the main grid.

------------------------------

Date: Fri, 26 Jan 2024 11:19:56 -0500 (EST)
From: ACM TechNews <technews-editor@acm.org>
Subject: Tesla Hacked at Pwn2Own Automotive 2024 (Sergiu Gatlan)

Sergiu Gatlan, *BleepingComputer*, 24 Jan 2024

On the first day of the Pwn2Own Automotive 2024 hacking contest, security
researchers hacked a Tesla Modem, collecting awards totaling $722,500 for
three bug collisions and 24 unique zero-day exploits. The Synacktiv Team
chained three zero-day bugs to obtain root permissions on a Tesla Modem, for
which it won $100,000. The team won another $120,000 by hacking a Ubiquiti
Connect EV Station and a JuiceBox 40 Smart EV Charging Station using unique
two-bug chains, and $16,000 related to a known exploit chain targeting the
ChargePoint Home Flex EV charger.

------------------------------

Date: Sun, 28 Jan 2024 12:46:13 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: America's Dangerous Trucks (Frontline)

Deadly traffic accidents involving large trucks have surged over the past
decade. FRONTLINE and ProPublica examine one gruesome kind of truck accident
—- underride crashes -— and why they keep happening.

Trucking industry representatives and the government’s lead agency on
traffic safety have said that their top priority is safety. Drawing on more
than a year of reporting —- including leaked documents and interviews with
former government insiders, trucking industry representatives, and families
of underride crash victims —- the documentary reveals how, for decades,
federal regulators proposed new rules to try to prevent underride
crashes. Over and over, pushback from trucking industry lobbyists won the
day, leaving drivers of smaller vehicles vulnerable.

https://www.pbs.org/wgbh/frontline/documentary/americas-dangerous-trucks/

The risks? Regulatory capture and science denial. Plus a cavalier attitude
towards people dying. Stay away from trucks.

------------------------------

Date: Tue, 30 Jan 2024 16:41:06 -0700
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Authorities investigating massive security breach at Global Affairs
Canada (CBC)

https://www.cbc.ca/news/politics/global-affairs-security-breach-1.7099290

Canadian authorities are investigating a prolonged data security breach
following the "detection of malicious cyber activity" affecting the internal
network used by Global Affairs Canada staff, according to internal
department emails viewed by CBC News.

The breach affects at least two internal drives, as well as emails,
calendars and contacts of many staff members.

CBC News spoke to multiple sources with knowledge of the situation,
including employees who have received instructions on how the breach affects
their ability to work. Some were told to stop working remotely as of last
Wednesday.

------------------------------

Date: Tue, 30 Jan 2024 10:20:52 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Why the 737 MAX 9 door plug blew out

It is now reported that the reason the door plug blew out on that 737
MAX 9 is that Boeing workers at the factory failed to install the
necessary bolts to hold it in place. This permitted the plug to
gradually move upward out of its slot and then ultimately blow out.
This also is the probable reason why that plane had a number of
pressure warnings in preceding days, because air would have likely
been leaking past the plug as it worked loose. -L

[added later:
Just to be clear, the actual bolt installation failure may have been
by a subsidiary/contractor, but Boeing was responsible in any case
since the plane left their factory in that condition. -L
]

------------------------------

Date: Mon, 22 Jan 2024 19:01:31 -0500
From: Jan Wolitzky <jan.wolitzky@gmail.com>
Subject: Man sues Macy's, saying false facial recognition match led to jail
assault (WashPost)

A man was sexually assaulted in jail after being falsely accused of armed
robbery due to a faulty facial recognition match, his attorneys said, in a
case that further highlights the dangers of the technology's expanding use
by law enforcement.

Harvey Murphy Jr., 61, said he was beaten and raped by three men in a Texas
jail bathroom in 2022 after being booked on charges he'd held up employees
at gunpoint inside a Sunglass Hut in a Houston shopping center, according to
a lawsuit he filed last week.

A representative of a nearby Macy's told Houston police during the
investigation that the company's system, which scanned surveillance-camera
footage for faces in an internal shoplifter database, found evidence that
Murphy had robbed both stores, leading to his arrest.

But at the time of the robbery, his attorneys said, Murphy was in a
Sacramento jail on unrelated charges, nearly 2,000 miles away. Hours after
his sexual assault, prosecutors released him with all charges dropped, his
attorneys said.

https://www.washingtonpost.com/technology/2024/01/22/facial-recognition-wrongful-identification-assault/

------------------------------

Date: Tue, 30 Jan 2024 13:26:08 -0500
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Bugs in our pockets: the risks of client-side scanning
(Journal of Cybersecurity Oxford Academic)

Our increasing reliance on digital technology for personal, economic, and
government affairs has made it essential to secure the communications and
devices of private citizens, businesses, and governments. This has led to
pervasive use of cryptography across society. Despite its evident
advantages, law enforcement and national security agencies have argued that
the spread of cryptography has hindered access to evidence and
intelligence. Some in industry and government now advocate a new technology
to access targeted data: client-side scanning (CSS). Instead of weakening
encryption or providing law enforcement with backdoor keys to decrypt
communications, CSS would enable on-device analysis of data in the clear. If
targeted information were detected, its existence and, potentially, its
source would be revealed to the agencies; otherwise, little or no
information would leave the client device. Its proponents claim that CSS is
a solution to the encryption versus public safety debate: it offers
privacy—in the sense of unimpeded end-to-end encryption—and the ability to
successfully investigate serious crime. In this paper, we argue that CSS
neither guarantees efficacious crime prevention nor prevents surveillance.
Indeed, the effect is the opposite. CSS by its nature creates serious
security and privacy risks for all society, while the assistance it can
provide for law enforcement is at best problematic. There are multiple ways
in which CSS can fail, can be evaded, and can be abused.