RISKS-LIST: Risks-Forum Digest Wednesday 23 August 2023 Volume 33 : Issue 80

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/33.80>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
'Near Collisions' of Commercial Jets Happen All the Time,
Horrifying FAA Records Show (Gizmodo plus NYTimes)
Cruise Agrees to Reduce Driverless Car Fleet in San Francisco
After Crash (NYTimes)
How a hacking crew overtook a satellite from inside a Las Vegas
convention center and won $50,000 (Cyberscoop)
Fifty minutes to hack ChatGPT: Inside the DEF CON competition to
break AI (Cyberscoop)
Hackers exploit WinRAR zero-day bug to steal funds from broker accounts
(TechCrunch)
Grieving widow sues Tesla over deadly Model 3 crash and explosion
(TechCrunch)
The Case of the Internet Archive vs. Book Publishers (NYTimes)
Google announces new algorithm that makes FIDO encryption safe from quantum
computers (Ars Technica)
Google and YouTube are trying to have it both ways with AI and copyright
(The Verge)
ICANN warns UN may sideline tech community from future Internet governance
(The Register)
``We can always turn off bad AI's'': *NOT* (Henry Baker)
Researchers Demo Fake Airplane Mode Exploit That Trickse iPhone Users
(Alex Scroxton)
American Airlines sues a travel site to crack down on consumers who use this
travel hack to save money (APNews)
Research Hack Reveals Call Security Risk in Smartphones (Texas A&M)
Our health care system may soon receive a much-needed cybersecurity boost
(Lily Hay Newman)
Tesla points to insider wrongdoing as cause of massive employee data leak
(The Verge)
Wegmans Double Charging Affects Credit Card Customers In VA, DC
(Old Town Alexandria VA Patch)
Buyers of Bored Ape NFTs sue after digital apes turn out to be bad
investment (Ars Technica)
Wi-Fi sniffers strapped to drones -- Mike Lindell's odd plan
to stop election fraud (Ars Technica)
How X Is Suing Its Way Out of Accountability (WiReD)
Re: Voyager 2: NASA Didn't Lose Contact With Probe After Sending Wrong
Command (John Levine, Lars-Henrik Eriksson)
Re: Cellphone Radiation Is Harmful, but Few Want to Believe It Martin Ward)
Re: Lahaina: single points of failure (John Levine, Henry Baker, Dick Mills_
Re: Google/AI -- sundry items PGN-ed (Lauren Weinsteain)
Unpacking Cyber Capacity-Building Needs (via Diego Latella)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Wed, 23 Aug 2023 09:32:44 -0400
From: Monty Solomon <monty@roscom.com>
Subject: 'Near Collisions' of Commercial Jets Happen All the Time,
Horrifying FAA Records Show (Gizmodo)

https://gizmodo.com/plane-crashes-almost-happen-a-lot-faa-records-1850760132

[Almost half of today's front page of *The New York Times* is devoted to a
graphic and lead: Air Disasters Are Rare in the U.S. Close Calls Are a
Different Story -- Multiple Incidents Each Month Reveal a Safety Net Under
Stress. PGN]

------------------------------

Date: Sun, 20 Aug 2023 18:15:56 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Cruise Agrees to Reduce Driverless Car Fleet in San Francisco
After Crash (NYTimes)

https://www.nytimes.com/2023/08/18/technology/cruise-crash-driverless-car-san-francisco.html

------------------------------

Date: Wed, 23 Aug 2023 10:17:45 -0400
From: Monty Solomon <monty@roscom.com>
Subject: How a hacking crew overtook a satellite from inside a Las Vegas
convention center and won $50,000 (Cyberscoop)

https://cyberscoop.com/mhackeroni-hackasat-space-def-con/

------------------------------

Date: Wed, 23 Aug 2023 10:23:40 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Fifty minutes to hack ChatGPT: Inside the DEF CON competition to
break AI (Cyberscoop)

Fifty minutes to hack ChatGPT: Inside the DEF CON competition to break AI

More than 2,000 hackers attacked cutting-edge chatbots to discover
vulnerabilities — and demonstrated the challenges for red-teaming AI.

https://cyberscoop.com/def-con-ai-hacking-red-team/

------------------------------

Date: Wed, 23 Aug 2023 09:15:10 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Hackers exploit WinRAR zero-day bug to steal funds from broker
accounts (TechCrunch)

https://techcrunch.com/2023/08/23/winrar-zero-day-funds-brokers/

------------------------------

Date: Wed, 23 Aug 2023 09:21:58 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Grieving widow sues Tesla over deadly Model 3 crash and
explosion (TechCrunch)

https://techcrunch.com/2023/08/22/grieving-widow-sues-tesla-over-deadly-model-3-crash-and-explosion/

------------------------------

Date: Sun, 20 Aug 2023 02:29:17 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: The Case of the Internet Archive vs. Book Publishers
(The New York Times)

The Dream Was Universal Access to Knowledge. The Result Was a Fiasco.

In the pandemic emergency, Brewster Kahle’s Internet Archive freely lent out
digital scans of its library. Publishers sued. Owning a book means something
different now.

Information wants to be free. That observation, first made in 1984,
anticipated the Internet and the world to come. It cost nothing to digitally
reproduce data and words, and so we have them in numbing abundance.

Information also wants to be expensive. The right information at the right
time can save a life, make a fortune, topple a government. Good information
takes time and effort and money to produce.

https://www.nytimes.com/2023/08/13/business/media/internet-archive-emergency-len
ding-library.html

------------------------------

Date: Tue, 22 Aug 2023 08:30:49 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Google announces new algorithm that makes FIDO encryption safe
from quantum computers (Ars Technica)

https://arstechnica.com/?p=1961906

------------------------------

From: Monty Solomon <monty@roscom.com>
Date: Wed, 23 Aug 2023 09:04:40 -0400
Subject: Google and YouTube are trying to have it both ways with AI and
copyright (The Verge)

Google and YouTube are trying to have it both ways with AI and copyright
https://www.theverge.com/2023/8/22/23841822/google-youtube-ai-copyright-umg-scraping-universal

------------------------------

Date: Tue, 22 Aug 2023 10:55:40 -0700
From: Lauren Weinstein <lauren@vortex.com>
Subject: ICANN warns UN may sideline tech community from future Internet
governance (The Register)

https://www.theregister.com/2023/08/22/icann_un_digital_compact_warning/

------------------------------

Date: Mon, 21 Aug 2023 16:32:20 +0000
From: Henry Baker <hbaker1@pipeline.com>
Subject: ``We can always turn off bad AI's'': *NOT!*

Let's examine this conceit carefully.

The very *definition* of *war* is the existential struggle to flip the
'power switch' of your enemy into the 'off' position.

If it were so simple to just flip a power switch, the Ukraine war would have
been long since over.

Those whose very *survival* is at stake won't hesitate to use every means at
their disposal -- including AI's -- in order to win their wars.

Since preserving one's own power while attacking your enemy's power switch
is essential, AI's will be deployed to protect our own (and hence the AI's
own) power.

What did you think all of this research into using AI's for
cyber activities is all about ?

What did you think all of this research into using AI's to
'protect the grid' is all about?

The highest priority in AI research today is *already* the
task of keeping any enemies from turning off our AI's own
power.

Let's stop being delusional!

------------------------------

Date: Mon, 21 Aug 2023 11:16:51 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Researchers Demo Fake Airplane Mode Exploit That Tricks
iPhone Users (Alex Scroxton)

Alex Scroxton, *Computer Weekly*, 17 Aug 2023

Jamf Threat Labs researchers demonstrated an exploit chain that allows
attackers to use an artificial 'airplane mode' to remain connected to
exposed devices that users believe are offline. The researchers created a
fake airplane mode by identifying a specific string in the device's console
log, "#N User airplane mode preference changing from kFalse to KTrue,"
accessing the device's code, and replacing the function with an empty or 'do
nothing' function. They also accessed the user interface to add a small
piece of code to dim the mobile connectivity icon and highlight the airplane
mode icon, then exploited the CommCentre to block mobile data access for
certain apps so the user received a "turn off airplane mode"
notification. The researchers believe the technique is most likely to be
used in a targeted attack.