RISKS-LIST: Risks-Forum Digest Saturday 15 July 2023 Volume 33 : Issue 76

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.76>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Defective train safety controls lead to bus rides for South Auckland
commuters (Gary Hinson)
Blocked Rail Crossings Snarl Towns, but Congress Won't Act (NYTimes)
Key Management problem leads to major security breach (WiReD)
Artificial Intelligence at the Crossroads (Lauren Weinstein)
It's not just Hollywood -- AI is coming for us all (Lauren Weinstein)
Satellite Security Lags Decades Behind the State of the Art (Julia Weiler)
Idaho helicopter crash likely caused by dropped iPad (Monty Solomon)
3 tax-prep firms shared 'extraordinarily sensitive' data about taxpayers
with Meta, lawmakers say (The Boston Globe)
How addictive, endless scrolling is bad for your mental health (WashPost)
Your printing service might read your documents. Here's what to know.
(WashPost)
Printer ink is a scam. Here's how to spend less. (WashPost)
WordPress plugin installed on 1 million+ sites logged plaintext passwords
(Ars Technica)
Re: OceanGate's safety culture (DJC)
Re: A Myth About Innovation ... (3daygoaty, Martyn Thomas, John Levine,
Mark Lutton)
Re: G=C3=B6del, Escher, Bach (3daygoaty)
Re: Italian Data Protection Authority has ordered ChatGPT to stop processing
Italian users' (Rich Kulawiec)
ACM Technology Policy Council Releases Principles for Generative AI
Technologies (ACM)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 12 Jul 2023 09:40:38 +1200
From: Gary Hinson <gary@isect.com>
Subject: Defective train safety controls lead to bus rides for
South Auckland commuters

https://www.stuff.co.nz/national/300925717/te-huia-train-banned-from-auckland-city-after-twice-failing-to-stop-on-red

https://www.rnz.co.nz/news/national/493552/waka-kotahi-temporarily-bans-te-huia-train-from-operating-in-auckland

https://www.nzherald.co.nz/nz/hamilton-to-auckland-train-service-banned-from-auckland-metro-area-due-to-serious-safety-risk-to-passengers/U3L4Z5F3VBEOPOGXDJGUOQR7T4/

According to my layman's understanding of NZ media reports, a commuter
train route from Hamilton, about 100km South, into Auckland has safety
issues -- specifically, trains have passed red on (at least) two occasions,
once earlier this week. The news reports are a little confusing, for
instance claiming that the safety warning worked *but* drivers apparently
ignored them, begging the obvious question about what it means by
"worked".

Waka Kotahi (the NZ transport authority) has evidently responded by banning
the train from entering the city, so now it terminates on the city outskirts
about 30km from the central city, where passengers transfer to buses --
which pose their own safety concerns of course. The train company management
seemingly accepts the need to improve the safety systems but appears
reluctant to do so, presumably due to the costs involved -- a tricky balance
of profitability against the largely external/societal costs of train
accidents. I get the feeling the ban shows the authorities losing patience
with management and sending a strong message via the news media, as much as
through the ban itself - a different form of safety control, one that seems
to be "working".

------------------------------

Date: Tue, 11 Jul 2023 18:23:35 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Blocked Rail Crossings Snarl Towns, but Congress Won't
Act (NYTimes)

The industry has used its muscle to prevent federal, state and local
governments from penalizing companies that park freight trains across roads
for hours or days.

In a response to questions, the Association of American Railroads attributed
blocked crossings to local governments, which, it said, had routed roads
across railway tracks rather than over or under them, an approach that other
industrialized countries had taken.

John Gray, a senior vice president at the association, said in a statement
that railroads had taken steps to reduce the impact of blocked
crossings. "The real solution is not a question of technology or operational
practices by either the railroad or public agencies," Mr. Gray said. "It is
a public infrastructure investment similar to what has taken place in the
rest of the developed world for more than a century and a half."

Local officials and some railway employees said that explanation was
self-serving. They link the rise in blocked crossings to a pursuit of bigger
profits -- Union Pacific, BNSF, CSX and Norfolk Southern have made $96
billion in profits in the last five years, 13 percent more than in the
previous five years. The big railroads' profit margins significantly exceed
those of companies in most other industries.

In search of greater efficiency, railroads have been running longer trains.
As a result, when those trains are moved, assembled and switched at rail
yards, they often spill over into nearby neighborhoods, blocking roads,
local officials and workers said.

Crews have a better sense of the space that shorter trains take up, said
Randy Fannon Jr., a national vice president of the Brotherhood of Locomotive
Engineers and Trainmen union, who also oversees its safety task
force. Longer trains are more difficult to maneuver on single-track
railroads. Such railroads have sections of track, or sidings, where trains
can pull aside to allow other trains to pass, but those sections are not big
enough for very long trains, Mr. Fannon said.

"If you've got two 5,000-foot trains or one 10,000-foot train, you cut your
locomotive use in half and your train crew in half," he said. "That's all
this is about - profit." [...]

The blockages are unrelenting in York - and sometimes extreme.

On a sweltering election day in June 2022, a train blockage lasted more than
10 hours, forcing many people, some old and ill, to shelter in an arts
center. [...]

------------------------------

Date: Fri, 14 Jul 2023 06:41:18 -0400
From: Bob Gezelter <gezelter@rlgsc.com>
Subject: Key Management problem leads to major security breach (WiReD)

A major security breach involving both commercial customers and U.S.
government agencies on the Microsoft cloud apparently exploited a
compromised encryption certificate.

Encryption keys are literally the root of encryption-centered authentication
solutions. In one of my chapters in the Computer Security Handbook, Fourth
Edition (2002), I noted that high-level keys used for credential and code
signing should be zealously protected.

Security precautions are critical to maintaining cybersecurity. Regardless
of the outcome of the investigation into this incident, we should all heed
the warning and re-examine our procedures for certificates and the keys used
to validate them.

https://www.wired.com/story/microsoft-cloud-attack-china-hackers/

------------------------------

Date: Thu, 13 Jul 2023 09:32:07 -0700
From: Lauren Weinstein <lauren@vortex.com>:
Subject: Artificial Intelligence at the Crossroads

https://lauren.vortex.com/2023/07/13/artificial-intelligence-at-the-crossroads

Suddenly there seems to be an enormous amount of political, regulatory, and
legal activity regarding AI, especially generative AI. Much of this is
uncharacteristically bipartisan in nature.

The reasons are clear. The big AI firms are largely depending on their
traditional access to public website data as the justification for their use
of such data for their AI training and generative AI systems.

This is a strong possibility that this argument will ultimately fail
miserably, if not under current laws then under new laws and
regulations likely to be pushed through around the world, quite likely
in a rushed manner that will have an array of negative collateral
effects that could actually end up hurting many ordinary people.

Google for example notes that they have long had access to public
website data for Search.

Absolutely true. The problem is that generative AI is wholly different
in terms of its data usage than anything that has ever come before.

For example, ordinary Search provides a direct value back to sites through
search results pages links -- something that the current Google CEO has said
Google wants to de-emphasize (colloquially, "the ten blue links") in favor
of providing "answers".

Since the dawn of Internet search sites many years ago, search results links
have long represented a usually reasonable fair exchange for public
websites, with robots.txt (Robots Exclusion Protocol) available for
relatively fine-grained access control that can be specified by the websites
themselves, and which at least the major search firms generally have
honored.

But generative AI answers eliminate the need for links or other "easy
to see" references. Even if "Google it!" or other forms of "more
information" links are available related to generative AI answers at
any AI firm's site, few users will bother to view them.