    Risks Digest 33.17

    From RISKS List Owner@21:1/5 to All on Sat Apr 23 19:52:13 2022
    RISKS-LIST: Risks-Forum Digest Saturday 23 April 2022 Volume 33 : Issue 17

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/33.17>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Tesla owner uses *Smart Summon* feature, crashes it into $3.5M jet
    (The Daily Dot)
    Tesla Autopilot stirs U.S. alarm as disaster waiting to happen (MSN)
    AI Drug Discovery Systems Might Be Repurposed to Make Chemical Weapons,
    Researchers Warn (Scientific American)
    MetroWest Medical Center Turned Away Ambulances & Patients
    (Framingham Source)
    Oracle Java wins cryptography bug of the year for bypass flaw
    (The Register and Ars Technica)
    Lenovo security flaws risk >100 models *but* local access to the laptop is
    required for the attack (Ars Technica)
    Lenovo Patches UEFI Firmware Vulnerabilities Impacting Millions of devices
    (Ars Technica)
    Critical bug could have let hackers commandeer millions of Android devices
    (Ars Technica)
    How Democracies Spy on Their Citizens (The New Yorker)
    Brave is bypassing Google AMP pages because they're harmful to users
    (The Verge)
    LinkedIn can't use anti-hacking law to block web scraping, judges rule
    (Ars Technica)
    CNN's new streaming service, CNNPlus, is already shutting down (WashPost)
    What You Don't Know About Amazon (NYTimes)
    Barack Obama Takes On a New Role: Fighting Disinformation (NYTimes)
    Re: Driverless Cars Can Be Tricked into Seeing Red Traffic Lights
    (Martin Ward)
    Re: Beanstalk DAO falls to a corporate raid, funded by flash
    (George Sicherman)
    Re: What Can Hackers Do With Stolen Source Code? (Michael Kohne,
    Bernie Cosell)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 22 Apr 2022 16:59:33 -1000
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Tesla owner uses *Smart Summon* feature, crashes it into $3.5M jet
    (The Daily Dot)

    A video posted to Reddit this week appears to show a Tesla vehicle driving
    into a jet while using one of its self-driving functions.

    Uploaded on Thursday by u/smiteme, the footage, reportedly taken at an event held by the aircraft manufacturer Cirrus, shows the vehicle running into
    what's known as a Vision Jet.

    The vehicle is said to have struck the aircraft, reportedly valued at around $3.5 million, after the owner activated Tesla's Smart Summon feature. The Vision Jet can be seen rotating as the Tesla attempts to drive through it. [...]

    https://www.dailydot.com/debug/tesla-crash-vision-jet-autpilot-video/

    [Also note by Bryan Webb https://twitter.com/Phylan/status/1517507755162148864
    and Daniel H. Eakins, who added:
    "Now planes need to be added to the recognition algorithm evidentially."
    https://www.tmz.com/2022/04/22/tesla-autopilot-crashes-vision-jet-3-million/
    https://www.autoevolution.com/news/tesla-model-y-is-summoned-in-air-fair-crashes-into-35-million-vision-jet-187098.html
    PGN]

    [However, this story might have much longer legs for RISKS. For
    example, consider a large class of other obstacles that might appear to
    be almost entirely above the car (as perhaps the jet was), such as a
    building on narrow stilts that the car video does not detect, after
    which the crash causes the entire building to collapse on top of the car
    -- as a result of knocking out a few critical stilts? PGN]

    ------------------------------

    Date: Sat, 23 Apr 2022 07:30:58 -1000
    From: the keyboard of geoff goodfellow <geoff@iconia.com>
    Subject: Tesla Autopilot stirs U.S. alarm as disaster waiting to happen
    (MSN)

    Derrick Monet and his wife, Jenna, were driving on an Indiana interstate in 2019 when their Tesla Model 3 sedan operating on Autopilot crashed into a parked fire truck. Derrick, then 25, sustained spine, neck, shoulder, rib
    and leg fractures. Jenna, 23, died at the hospital.

    The incident was one of a dozen in the last four years in which Teslas using this driver-assistance system collided with first-responder vehicles,
    raising questions about the safety of technology the world's most valuable
    car company considers one of its crown jewels.

    Now, U.S. regulators are applying greater scrutiny to Autopilot than ever before. The National Highway Traffic Safety Administration, which has the authority to force recalls, has opened two formal defect investigations
    that could ultimately lead Tesla Inc. to have to retrofit cars and restrict
    use of Autopilot in situations it still can't safely handle.

    A clampdown on Autopilot could tarnish Tesla's reputation with consumers and spook investors whose belief in the company's self-driving bona fides have helped make Tesla Chief Executive Officer Elon Musk the world's wealthiest person. It could damage confidence in technology other auto and software companies are spending billions to develop in hope of reversing a troubling trend of soaring U.S. traffic fatalities. [...]

    https://www.msn.com/en-us/autos/news/tesla-autopilot-stirs-us-alarm-as-disaster-waiting-to-happen/ar-AAWkGtE

    ------------------------------

    Date: Fri, 22 Apr 2022 08:13:48 +0800
    From: Richard Stein <rmstein@ieee.org>
    Subject: AI Drug Discovery Systems Might Be Repurposed to Make Chemical
    Weapons, Researchers Warn (Scientific American)

    https://www.scientificamerican.com/article/ai-drug-discovery-systems-might-be-repurposed-to-make-chemical-weapons-researchers-warn/

    "The team ran MegaSyn overnight and came up with 40,000 substances,
    including not only VX but other known chemical weapons, as well as many completely new potentially toxic substances. All it took was a bit of programming, open-source data, a 2015 Mac computer and less than six hours
    of machine time. 'It just felt a little surreal,' Urbina says, remarking on
    how the software’s output was similar to the company's commercial drug-development process. 'It wasn't any different from something we had
    done before—use these generative models to generate hopeful new drugs.'"

    An AI drug discovery platform cooks new CW formulations. They may be easy to prepare in a binary form for dispersal, a possibly convenient deployment composition. Frightening to imagine this situation.

    AI drug discovery applications are not new. Their possible exploitation as eventual open-source instruments that can enable CW preparation is
    alarming.

    The Risks Forum lists ~20 prior submissions on chemical weapons.

    ------------------------------

    Date: Fri, 22 Apr 2022 22:45:42 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: MetroWest Medical Center Turned Away Ambulances & Patients
    (Framingham Source)

    https://framinghamsource.com/index.php/2022/04/20/updated-metrowest-medical-center-turned-away-ambulances-patients-earlier-today/

    ------------------------------

    Date: Thu, 21 Apr 2022 10:47:58 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Oracle Java wins cryptography bug of the year for bypass flaw
    (The Register and Ars Technica)

    [Thanks to Steven Cheung, Li Gong, and Drew Dean for these urls.
    PGN-ed for RISKS]

    This looks like a serious bug for Java, which enables one to forge signatures.

    Twenty-some years ago, someone at what was then Sun did not understand the importance of proper use of nonces. They hard-coded the nonce in Java's DSA implementation.

    https://www.theregister.com/2022/04/20/java_authentication_bug/
    https://arstechnica.com/information-technology/2022/04/major-crypto-blunder-in-java-enables-psychic-paper-forgeries/

    [Drew suggests this bug may be Snoracle's Strike Two implementing DSA?]

    ------------------------------

    Date: Thu, 21 Apr 2022 01:03:50 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Lenovo security flaws risk >100 models *but* local access to
    the laptop is required for the attack (Ars Technica)

    Hackers can infect >100 Lenovo models with unremovable malware. Are you patched?

    Lenovo has released security updates for more than 100 laptop models to
    fix critical vulnerabilities that make it possible for advanced hackers to surreptitiously install malicious firmware that can be next to impossible to remove or, in some cases, to detect.

    All three of the Lenovo vulnerabilities discovered by ESET require local access, meaning that the attacker must already have control over the
    vulnerable machine with unfettered privileges. The bar for that kind of
    access is high and would likely require exploiting one or more critical
    other vulnerabilities elsewhere that would already put a user at
    considerable risk.

    https://arstechnica.com/information-technology/2022/04/bugs-in-100-lenovo-models-fixed-to-prevent-unremovable-infections/

    ------------------------------

    Date: Fri, 22 Apr 2022 12:42:16 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Lenovo Patches UEFI Firmware Vulnerabilities Impacting Millions of
    Users (Charlie Osborne)

    Charlie Osborne, ZDNet. 19 Apr 2022,
    via ACM TechNews, Friday, April 22, 2022

    Lenovo Patches UEFI Firmware Vulnerabilities Impacting Millions of Users

    Chinese multinational technology company Lenovo has patched three Unified
    Extensible Firmware Interface (UEFI) vulnerabilities discovered by Martin
    Smolár at Slovak Internet security firm ESET. The bugs reportedly could be
    leveraged to "deploy and successfully execute UEFI malware either in the
    form of SPI [Serial Peripheral Interface] flash implants like LoJax, or ESP implants like ESPecter" in the Lenovo Notebook BIOS. ESET said the bugs,
    caused by drivers only intended for use during product development, affected "more than 100 different consumer laptop models with millions of users worldwide." ESET advised using Trusted Platform Module-aware full-disk encryption software to block access to information, if UEFI Secure Boot configurations are meddled with in out-of-support devices.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-2e7b9x2334c3x072707&

    ------------------------------

    Date: Fri, 22 Apr 2022 02:14:23 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Critical bug could have let hackers commandeer millions of Android
    devices (Ars Technica)

    https://arstechnica.com/information-technology/2022/04/critical-bug-could-have-let-hackers-commandeer-millions-of-android-devices/

    ------------------------------

    Date: Wed, 20 Apr 2022 05:42:39 -0400
    From: Jan Wolitzky <jan.wolitzky@gmail.com>
    Subject: How Democracies Spy on Their Citizens (The New Yorker)

    The inside story of the world's most notorious commercial spyware and the
    big tech companies waging war against it.

    https://www.newyorker.com/magazine/2022/04/25/how-democracies-spy-on-their-citizens

    ------------------------------

    Date: Wed, 20 Apr 2022 09:16:54 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Brave is bypassing Google AMP pages because they're harmful to
    users (The Verge)

    https://www.theverge.com/2022/4/19/23032776/brave-de-amp-google-browser

    ------------------------------

    Date: Wed, 20 Apr 2022 09:34:13 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: LinkedIn can't use anti-hacking law to block web scraping,
    judges rule (Ars Technica)

    https://arstechnica.com/tech-policy/2022/04/linkedin-cant-use-anti-hacking-law-to-block-web-scraping-judges-rule/

    ------------------------------

    Date: Thu, 21 Apr 2022 20:04:53 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: CNN's new streaming service, CNNPlus, is already shutting down
    (WashPost)

    New parent company, Warner Bros. Discovery, decided to pull the plug on the streaming service after a slow first month.

    https://www.washingtonpost.com/media/2022/04/21/cnn-plus-streaming-shut-down-warner-bros/

    The risk? Doing anything new? Planting a seed and being insanely impatient
    for it to bear fruit? Looking ridiculous?

    ------------------------------

    Date: Sat, 23 Apr 2022 12:14:04 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: What You Don't Know About Amazon (NYTimes)

    When Carey Gartner ordered a TV remote on Amazon in 2017, it arrived
    promptly at his home in Texas, most likely in one of those standard brown
    boxes with the company's logo: an arrow tilting up in a half-smile. A year later, the battery cover popped off the remote, exposing a lithium battery,
    and Gartner's 19-month-old swallowed it, severely burning and permanently damaging her esophagus, according to allegations in a court filing. His
    wife, Morgan McMillan, sued Amazon on their daughter’s behalf.

    Last June, the Supreme Court of Texas ruled that Amazon was not liable for
    her injuries, because even if the company had listed, warehoused and
    delivered the remote control, it had not sold it. The seller was a
    third-party merchant with an address in China, who had registered an account with Amazon under the name Hu Xi Jie. Ms. McMillan subpoenaed Mr. Hu through Texas’ secretary of state, but he did not respond to the subpoena, if it
    ever reached him, or to a request from Amazon for information.

    ``It's like whack-a-mole,'' Jeff Meyerson, the Gartner-McMillan family's
    attorney, told *The Times*. ``You can't find these entities when it's time
    for them to compensate anybody.'' Amazon removed the product from its
    website, but the family was out of luck. (An Amazon representative told *The
    Times*, ``Amazon invests heavily in the safety and authenticity of all
    products offered in our store, including proactively vetting sellers and
    products before being listed and continuously monitoring our store for
    signals of a concern.'')

    But a series of product safety cases that have been brought against Amazon
    over the past few years makes clear that its rewiring of retail poses risks
    to customers as well. Above all, the cases highlight a significant gap
    between how most people understand the world's largest e-commerce company
    and what that company actually does.

    https://www.nytimes.com/2022/04/21/opinion/amazon-product-liability.html

    ------------------------------

    Date: Thu, 21 Apr 2022 21:51:43 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Barack Obama Takes On a New Role: Fighting Disinformation (NYTimes)

    The former president has embarked on a campaign to warn that the scourge of online falsehoods has eroded the foundations of democracy.

    https://www.nytimes.com/2022/04/20/technology/barack-obama-disinformation.html

    ------------------------------

    Date: Wed, 20 Apr 2022 11:35:41 +0100
    From: Martin Ward <martin@gkc.org.uk>
    Subject: Re: Driverless Cars Can Be Tricked into Seeing Red Traffic Lights

    Cars with drivers can *also* be caused to stop by shining
    a laser into the windscreen.

    ------------------------------

    Date: Wed, 20 Apr 2022 09:44:32 -0400
    From: George Sicherman <colonel@monmouth.com>
    Subject: Re: Beanstalk DAO falls to a corporate raid, funded by flash
    loan (RISKS-33.16)

    *The Financial Times* Alphaville section has a reasonable and very sceptical
    take on it:

    https://on.ft.com/3xDvUK3

    There are reasons that laws are interpreted by people rather than by
    software. You can't write either complex software or complex laws without errors. When there are poorly drafted laws, judges have rules of
    construction to try and find the most sensible interpretation, and above
    that some overriding principles. If a badly drafted law somehow said that
    you were allowed to kill people without consequence, a court would observe
    that laws can't say that and ignore the law. We are a long, long, way from software that works like that.

    ------------------------------

    Date: Wed, 20 Apr 2022 06:37:22 -0400
    From: Michael Kohne <mhkohne@kohne.org>
    Subject: Re: What Can Hackers Do With Stolen Source Code? (Cosell,
    RISKS-33.16)

    It's not that simple. Having source MAY make it a little bit easier to find
    an exploit in a system, but it's not like you can look at a piece of code
    and easily spot the problems. If you could, they'd have been spotted by the people who wrote the code! Most exploitable vulnerabilities are the result
    of strange interactions between various portions of a system, and looking at the source doesn't necessarily give you the slightest clue as to how they happen.

    Being afraid of the release of source code is like being afraid of the
    release of a cryptographic algorithm -- if that's what gives the bad
    guy a leg up, then you've always had a problem, and you were just
    hiding it.

    ------------------------------

    Date: Wed, 20 Apr 2022 07:22:39 -0400
    From: "Bernie Cosell" <bernie@fantasyfarm.com>
    Subject: Re: What Can Hackers Do With Stolen Source Code? (Kohne, RISKS-33.17)

    The problem is motivation. An attacker with source code will double check
    each strcmp for a buffer overflow... the author, who has seen the code dozens
    of times, often can't see the trees for the forest. Another problem is
    skill set: it takes different skills to analyze code for weaknesses than it
    does to write the code so that it seems to operate correctly.

    I don't think RISKS is the right forum to discuss/argue this, but this does
    give me a chance to plug the book "This Is How They Tell Me the World Ends:
    The Cyberweapons Arms Race" by Nicole Perlroth, which is eye-opening on how
    attackers can analyze systems for vulnerabilities *without* having the source
    code. There's actually a marketplace for zero-day vulnerabilities... who
    knew?

    [See RISKS-32.48]

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume/previous directories
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-33.00
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 33.17
    ************************
