Risks Digest 33.70 (1/2)

    From RISKS List Owner@21:1/5 to All on Sat May 13 23:53:29 2023
    RISKS-LIST: Risks-Forum Digest Saturday 13 May 2023 Volume 33 : Issue 70

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

    ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/33.70>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: Still backlogged. This is mostly newer stuff
    Microsoft Bets That Fusion Power Is Closer Than Many Think (WSJ)
    Tourists follow GPS, drive car into Hawaii harbor (WashPost)
    Near collision embarrasses Navy, so they order public San Diego webcams
    taken down (Fox5)
    A Tennessee company is refusing a U.S. request to recall 67 million
    air-bag inflators (npr.org)
    Automakers are starting to admit that drivers hate touch screens. Buttons
    are back! (Slate)
    The federal government is not doing their job, NTSB chair says about
    automated driving tech (cnn.co)
    MASSIVE Toyota vehicles location data breach (BleepingComputer)
    Critical-rated security flaw in Illumina DNA sequencing tech exposes patient
    data (techcrunch.com)
    Ohio Man Sentenced for Stealing Over 712 Bitcoin Subjected to Forfeiture
    (USAO-DC Department of Justice)
    Major e-problems in Dallas courts (Reuters)
    Navy doctors and dentists are told they owe 3 more years of service after
    military admits to another record-keeping error (NBC News)
    The Untold Story of the Boldest Supply-Chain Hack Ever (WiReD)
    Major psychologists' group warns of social media's potential harm to kids
    (NPR)
    Three Companies Supplied Fake Comments to FCC (NY AG)
    Chinese hackers outnumber FBI cyber staff 50 to 1, bureau director says
    (cnbc.com)
    What Exactly Are the Dangers Posed by AI? (NYTimes)
    Doctors warn about AI's "existential threat to humanity" (Axios)
    ChatGPT Will See You Now: Doctors Using AI to Answer Patient Questions (WSJ)
    Re: ChatGPT Will See You Now: Doctors Using AI to Answer Patient Questions
    (Tom Van Vleck)
    Re: ChatGPT detector tools resulting in false accusations of students for
    cheating (Amos Shapir)
    Italy reinstates an `improved' ChatGPT (PGN)
    Wendy's Turns to AI-Powered Chatbots for Drive-Thru Orders (Bloomberg)
    Re: AI is now indistinguishable from reality (Steve Bacher)
    Dominion tells its Fox story: Axios exclusive interview (PGN)
    Re: Security breaches covered up by 30% of companies, reveals study
    (Jose Maria Mateos)
    Re: Farmers crippled by satellite failure as GPS-guided tractors
    grind to a halt (John Levine, Brian Inglis)
    Re: GPS clock turnover -- again and again (Terje Mathisen, Brian Inglis)
    Software Obsolescence (Ross Anderson)
    Stop Ransomware (CISA)
    Correctness-by-Construction - How Can We Build Better Software? (PGN)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 10 May 2023 15:48:30 -0700
    From: Victor Miller <victorsmiller@gmail.com>
    Subject: Microsoft Bets That Fusion Power Is Closer Than Many Think (WSJ)

    https://www.wsj.com/articles/microsoft-bets-that-fusion-power-is-closer-than-many-think-cb1b09dc

    I'd bet against it.
    [It certainly adds to the CON-FUSION. PGN]

    [Monty Solomon had another related item:
    Microsoft just made a huge, far-from-certain bet on nuclear fusion
    Scientists have been dreaming about nuclear fusion for
    decades. Microsoft thinks the technology is nearly ready to plug into
    the grid. https://www.theverge.com/2023/5/10/23717332/microsoft-nuclear-fusion-power-plant-helion-purchase-agreement
    PGN]

    ------------------------------

    Date: Sat, 13 May 2023 14:06:59 -0600
    From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
    Subject: Tourists follow GPS, drive car into Hawaii harbor (WashPost)

    Natalie B. Compton, *The Washington Post*, 2 May 2023

    Witnesses said two tourists took a wrong turn on April 29 and followed
    their GPS straight into Honokohau Harbor in Kailua-Kona, Hawaii.

    https://www.washingtonpost.com/travel/2023/05/02/hawaii-tourists-car-sink-harbor/

    ------------------------------

    Date: Sat, 13 May 2023 13:38:49 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Near collision embarrasses Navy, so they order public San Diego
    webcams taken down (Fox5)

    https://fox5sandiego.com/news/local-news/man-who-caught-2-navy-ships-nearly-colliding-ordered-to-take-cameras-down/

    ------------------------------

    Date: Sat, 13 May 2023 06:21:12 +0000
    From: Richard Marlon Stein <rmstein@protonmail.com>
    Subject: A Tennessee company is refusing a U.S. request to recall 67 million
    air-bag inflators (npr.org)

    https://www.npr.org/2023/05/12/1175984778/tennessee-company-refuses-recall-air-bags

    Reminiscent of the Takata air-bag inflator debacle affecting ~67 million
    vehicles in 2014. Takata dug in their corporate heels and refused to
    initiate a mandatory recall until Toyota bailed out of the keiretsu.

    GM being proactive about recall demonstrates responsive corporate
    governance.

    ------------------------------

    Date: Sat, 29 Apr 2023 08:14:29 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Automakers are starting to admit that drivers hate touch screens.
    Buttons are back! (Slate)

    And now for something completely different:  some good RISKS news.

    https://slate.com/business/2023/04/cars-buttons-touch-screens-vw-porsche-nissan-hyundai.html

    Happily, there is one area where we are making at least marginal progress: A growing number of automakers are backpedaling away from the huge, complex
    touch screens that have infested dashboard design over the past 15
    years. Buttons and knobs are coming back.

    ------------------------------

    Date: Sat, 06 May 2023 13:01:47 +0000
    From: Richard Marlon Stein <rmstein@protonmail.com>
    Subject: The federal government is not doing their job, NTSB chair says
    about automated driving tech (cnn.co)

    https://us.cnn.com/2023/05/06/business/ntsb-automatic-driving-safety/index.html

    The NTSB has called on regulators to set performance minimums for these
    features, to test vehicles rigorously against those standards and provide
    the results to consumers. But we're still waiting.

    Regulations -- performance standards -- are "set" by regulators via negotiations with industry.

    When driverless vehicle manufacturers negotiate, they will advocate for 'achievable' standards which often yield the lowest manufacturing expense
    with least consumer risk reduction effectiveness. Nevermind explainability
    for DV actions -- that's too hard to achieve in practice.

    ------------------------------

    Date: Sat, 13 May 2023 11:26:57 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: MASSIVE Toyota vehicles location data breach (BleepingComputer)

    Toyota: Car location data of 2 million customers exposed for ten years

    https://www.bleepingcomputer.com/news/security/toyota-car-location-data-of-2-million-customers-exposed-for-ten-years/

    ------------------------------

    Date: Mon, 01 May 2023 11:57:40 +0000
    From: Richard Marlon Stein <rmstein@protonmail.com>
    Subject: Critical-rated security flaw in Illumina DNA sequencing
    tech exposes patient data (techcrunch.com)

    https://techcrunch.com/2023/04/28/illumina-dna-tech-fda-security-flaw/

    In separate advisories released on Thursday, U.S. cybersecurity agency CISA
    and the U.S. Food and Drug Administration warned that the security flaw -- tracked as CVE-2023-1968 with the maximum vulnerability severity rating of
    10 out of 10 -- allows hackers to remotely access an affected device over
    the internet without needing a password. If exploited, the bug could allow hackers to compromise devices to produce incorrect or altered results, or
    none at all.

    [Genetically modified plants will never taste the same.]

    ------------------------------

    Date: Mon, 1 May 2023 00:07:34 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Ohio Man Sentenced for Stealing Over 712 Bitcoin Subjected to
    Forfeiture (USAO-DC Department of Justice)

    https://www.justice.gov/usao-dc/pr/ohio-man-sentenced-stealing-over-712-bitcoin-subjected-forfeiture

    Hackers are breaking into AT&T email accounts to steal cryptocurrency. AT&T says cybercriminals exploited an API issue to take control of victims' email addresses

    https://techcrunch.com/2023/04/26/hackers-are-breaking-into-att-email-accounts-to-steal-cryptocurrency/

    Makes mattress banking appealing. [Is your house even more secure? PGN]

    ------------------------------

    Date: Fri, 5 May 2023 00:09:46 +0000
    From: danny burstein <dannyb@panix.com>
    Subject: Major e-problems in Dallas courts (Reuters)

    https://www.reuters.com/world/us/dallas-disrupted-by-hackers-courts-closed-police-fire-sites-offline-2023-05-04/

    ------------------------------

    Date: Sat, 6 May 2023 09:05:46 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: Navy doctors and dentists are told they owe 3 more years of service
    after military admits to another record-keeping error (NBC News)

    https://www.nbcnews.com/news/us-news/navy-doctors-dentists-are-told-owe-3-years-service-military-admits-ano-rcna82508

    ------------------------------

    Date: Fri, 5 May 2023 16:34:56 -0400
    From: Monty Solomon <monty@roscom.com>
    Subject: The Untold Story of the Boldest Supply-Chain Hack Ever (WiReD)

    The attackers were in thousands of corporate and government networks. They might still be there now. Behind the scenes of the SolarWinds investigation.

    https://www.wired.com/story/the-untold-story-of-solarwinds-the-boldest-supply-chain-hack-ever/

    ------------------------------

    Date: Sat, 13 May 2023 11:54:59 -0600
    From: Jim Reisert AD1C <jjreisert@alum.mit.edu>
    Subject: Major psychologists' group warns of social media's potential harm
    to kids (NPR)

    Michaeleen Doucleff, *NPR*, May 9, 2023, 12:02 AM ET, Heard on Morning Edition

    For the first time, the American Psychological Association has issued
    recommendations for guiding teenagers' use of social media. The advisory,
    released Tuesday, is aimed at teens, parents, teachers and policy makers.

    This comes at a time when teenagers are facing high rates of depression, anxiety and loneliness. And, as NPR has reported, there's mounting evidence that social media can exacerbate and even cause these problems.

    "Right now, I think the country is struggling with what we do around
    social media," says Dr. Arthur Evans, CEO of the APA. The report, he
    says, marshals the latest science about social media to arm people
    "with the information that they need to be good parents and to be good
    policy makers in this area."

    The 10 recommendations in the report summarize recent scientific findings
    and advise actions, primarily by parents, such as monitoring teens' feeds
    and training them in social media literacy, even before they begin using
    these platforms.

    https://www.npr.org/sections/health-shots/2023/05/09/1174838633/psychologists-issue-health-advisory-for-teens-and-social-media

    ------------------------------

    Date: Sat, 13 May 2023 10:27:19 -0700
    From: Lauren Weinstein <lauren@vortex.com>
    Subject: Three Companies Supplied Fake Comments to FCC (NY AG)

    Three Companies Supplied Fake Comments to FCC Impersonating Millions of Americans Without Their Knowledge or Consent to Influence Internet Policy
    (to repeal net neutrality rules)

    https://ag.ny.gov/press-release/2023/attorney-general-james-secures-615000-companies-supplied-fake-comments-influence

    ------------------------------

    Date: Mon, 01 May 2023 12:05:56 +0000
    From: Richard Marlon Stein <rmstein@protonmail.com>
    Subject: Chinese hackers outnumber FBI cyber staff 50 to 1, bureau director
    says (cnbc.com)

    https://www.cnbc.com/2023/04/28/chinese-hackers-outnumber-fbi-cyber-staff-50-to-1-director-wray-says.html

    Quality of hackers, not quantity, usually determines software product effectiveness in terms of performance, reliability, resource consumption,
    and other measurable user-space factors.

    Though, defect escape exploitation discovery likely accelerates with
    keystroke count.

    Is the 50:1 ratio due to some state-sponsored generative AI tool -- a
    GPT-like malware generator on steroids, or real bodies typing at keyboards?

    ------------------------------

    Date: Mon, 1 May 2023 19:50:33 -0600
    From: Matthew Kruk <mkrukg@gmail.com>
    Subject: What Exactly Are the Dangers Posed by AI? (NYTimes)

    https://www.nytimes.com/2023/05/01/technology/ai-problems-danger-chatgpt.html

    A recent letter calling for a moratorium on AI development blends real
    threats with speculation. But concern is growing among experts.

    ------------------------------

    Date: Thu, 11 May 2023 05:34:14 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: Doctors warn about AI's "existential threat to humanity" (Axios)

    Artificial intelligence poses "an existential threat to humanity" akin to nuclear weapons in the 1980s and should be reined in until it can be
    properly regulated, an international group of doctors and public health
    experts warned Tuesday in *BMJ Global Health <https://globalhealth.bmj.com/lookup/doi/10.1136/bmjgh-2022-010435>*.

    What they're saying: "With exponential growth in AI research and
    development, the window of opportunity to avoid serious and potentially existential harms is closing," wrote the authors, among them experts from
    the International Physicians for the Prevention of Nuclear War and the International Institute for Global Health.

    The big picture: The warning comes amid increasing calls for improved
    oversight of artificial intelligence from the likes of Geoffrey Hinton, the so-called godfather of AI, who announced he was quitting Google over his worries about threats from machine learning, PBS reports <https://www.pbs.org/video/the-future-of-ai-1683317973/>.

    Zoom in: The physicians and public health experts say the health care
    community needs to sound the alarm "even as parts of our community espouse
    the benefits of AI in the fields of health care and medicine."

    - They cite AI's ability to rapidly analyze sets of data, which could be
    misused for surveillance and information campaigns to "further undermine
    democracy by causing a general breakdown in trust or by driving social
    division and conflict, with ensuing public health impacts."
    - They also raised concerns about the development of future weapons
    systems which could be capable of locating, selecting and killing "at an
    industrial scale" without the need for human supervision.
    - And they noted AI's potential impact on jobs.
    - "While there would be many benefits from ending work that is
    repetitive, dangerous, and unpleasant, we already know that unemployment is
    strongly associated with adverse health outcomes and behavior," they said.

    Between the lines: Health industries have been grappling with the potential benefits of AI -- the improved ability to diagnose disease, discover new therapies, answer patient questions and perform menial tasks -- and its potential harms.

    - Studies have cited hospital algorithms that discriminated against
    Black patients by allocating less care to them.
    <https://www.ehidc.org/sites/default/files/resources/files/Dissecting%20racial%20bias%20in%20an%20algorithm%20used%20to%20manage%20the%20health%20of%20populations.pdf>
    Questions have also been raised about the reliability of algorithms, with
    researchers warning of a "reproducibility crisis
    <https://www.nature.com/articles/d41586-022-02035-w>" in health care
    studies...

    [...]
    https://www.axios.com/2023/05/10/docs-warn-ai-existential-threat-humanity

    ------------------------------

    Date: Sat, 29 Apr 2023 04:24:00 -0700
    From: geoff goodfellow <geoff@iconia.com>
    Subject: ChatGPT Will See You Now: Doctors Using AI to Answer Patient
    Questions (WSJ)

    *Pilot program aims to see if AI will cut time that medical staff spend replying to online inquiries*

    Behind every physician's medical advice is a wealth of knowledge, but
    soon, patients across the country might get advice from a different
    source: artificial intelligence.

    In California and Wisconsin, OpenAI's GPT generative artificial
    intelligence is reading patient messages and drafting responses from
    their doctors. The operation is part of a pilot program in which three
    health systems test if the AI will cut the time that medical staff
    spend replying to patients' online inquiries.

    UC San Diego Health and UW Health began testing the tool in April. Stanford Health Care aims to join the rollout early next week. Altogether, about two dozen healthcare staff are piloting this tool.

    Marlene Millen, a primary care physician at UC San Diego Health who is
    helping lead the AI test, has been testing GPT in her inbox for about a
    week. Early AI-generated responses needed heavy editing, she said, and her
    team has been working to improve the replies. They are also adding a kind of bedside manner: If a patient mentioned returning from a trip, the draft
    could include a line that asked if their travels went well. ``It gives the human touch that we would,'' Millen said.

    There is preliminary data that suggests AI could add value. ChatGPT scored better than real doctors at responding to patient queries posted online, according to a study published Friday in the journal JAMA Internal Medicine,
    in which a panel of doctors did blind evaluations of posts. [...]

    <https://jamanetwork.com/journals/jamainternalmedicine/fullarticle/10.1001/jamaainternmed.2023.1838?guestAccessKey=6d6e7fbf-54c1-49fc-8f5e-ae7ad3e02231&utm_source=For_The_Media&utm_medium=referral&utm_campaign=ftm_links&utm_content=tfl&utm_term=042823>

    ------------------------------

    Date: Sun, 30 Apr 2023 13:12:04 -0400
    From: Tom Van Vleck <thvv@multicians.org>
    Subject: Re: ChatGPT Will See You Now: Doctors Using AI to Answer Patient
    Questions (RISKS-33.69)

    These generative models eat a whole lot of prose and compute the probability
    of the next word. (Emacs has had "dissociated-press" for many years.)
    There is no logic. Prompted with "the Moon is made of..." it can say
    "rocks" or "green cheese" but probably not "colorless green ideas."

    Using ChatGPT to answer patients is an attempt to trick the patient into thinking that their inquiry is being answered, and sending random garbage instead. People expect their medical advice to be based on knowledge and reasoning. This is not.

    Joe would indeed be horrified.

    https://www.theregister.com/2023/04/28/column/?td=rt-3a has some facts.

    For an article on what people want when accessing medical reports, https://www.newyorker.com/news/essay/the-curious-side-effects-of-medical-transparency

    [Tom added later:
    I remember Joe telling me, probably late 60s, that he believed that it
    was very unethical for any programmer to work on speech recognition,
    because of the potential for totalitarian misuse. Now, most smart
    phones, smart speakers, etc. listen to what people say and act on what
    they hear, and thriller movies give the impression that the NSA listens
    in to all phone conversations in the world for key words.
    PGN]

    ------------------------------

    Date: Mon, 1 May 2023 14:03:44 +0300
    From: Amos Shapir <amos083@gmail.com>
    Subject: Re: ChatGPT detector tools resulting in false accusations of
    students for cheating (RISKS-33.69)

    Using ChatGPT to detect plagiarism is a bit ironic, considering that what ChatGPT does, essentially, is to compose text by combining text written by others -- the very definition of plagiarism.

    ------------------------------

    Date: Sat, 29 Apr 2023 12:13:17 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Italy reinstates an `improved' ChatGPT (Politico Re: RISKS-33.69)

    ChatGPT is back in business in Italy, with added privacy features
    Alfred Ng, 28 Apr 2023

    Italy's data protection officials on Friday said they are reopening the
    doors for OpenAI, after the company announced several privacy changes to
    its popular artificial intelligence chatbot ChatGPT.

    ------------------------------

    Date: Fri, 12 May 2023 11:54:52 -0400 (EDT)
    From: ACM TechNews <technews-editor@acm.org>
    Subject: Wendy's Turns to AI-Powered Chatbots for Drive-Thru Orders
    (Bloomberg)

    Daniela Sirtori-Cortina and Rachel Metz, Bloomberg 9 May 2023
    via ACM TechNews, 12 May 2023

    In June, Wendy's plans to test an artificial intelligence (AI)-powered chatbot's ability to take drive-thru orders at a store near Columbus,
    OH. Powered by Google Cloud's AI software, the system purportedly can understand requests phrased differently from the menu and answer frequently asked questions. Wendy's said there are no plans to reduce labor in response
    to the chatbot's deployment, but it will shift crew responsibilities to
    handle an increase in drive-thru and digital orders. During the pilot, staff will oversee the chatbot to ensure it can handle all requests and will be on hand to step in if customers insist on speaking with a human.

    [W(h)en-dees boigers are overcooked, I presume the chatbot will have a
    smart-ass response ready to go as well. PGN]

    ------------------------------

    Date: Sat, 29 Apr 2023 09:13:11 -0700
    From: Steve Bacher <sebmb1@verizon.net>
    Subject: Re: AI is now indistinguishable from reality

    https://twitter.com/0xgaut/status/1650867275103174660

    Twitter says
    "Hmm...this page doesn't exist. Try searching for something else."

    ------------------------------

    Date: Mon, 1 May 2023 12:56:38 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Dominion tells its Fox story: Axios exclusive interview

    After reaching a settlement with Fox News for $787.5 Million, Dominion
    Voting Systems speaks exclusively with Axios Pro Rata author Dan Primack.

    Dominion Voting Systems was once an obscure, private equity-owned election machine maker. It seems to wish it still was, despite securing a $787.5
    million settlement from Fox News.

    Why it matters: Three key players from Dominion, speaking exclusively with Axios Pro Rata author Dan Primack, describe the Fox settlement as a shot
    across the bow for defendants in six remaining cases. Four takeaways from Dan's interviews with Dominion CEO John Poulos; Hootan Yaghoobzadeh,
    co-founder of Staple Street Capital, Dominion's private equity owner; and Stephen Shackelford, outside attorney on the Fox case:

    1. Dominion felt its business was badly burned by accusations Fox aired
    about the 2020 presidential election.

    Existing employees received death threats, sometimes including their home addresses. Recruiting new employees became almost impossible. Dominion had some customers cancel contracts early. Some potential clients said the firm
    was too politically radioactive to hire. Staple Street Capital, which bought
    the business in 2018, had laid out a growth plan and was prepping a series
    of acquisitions and international expansion. All of that was disrupted in
    the days following the 2020 election.

    2. Staple Street's CEO felt a sense of deja vu.

    Yaghoobzadeh's family immigrated to the U.S. from Iran when he was 5 years
    old, fearing persecution during that country's revolution.

    3. Dominion wasn't very interested in an on-air apology.

    The company didn't believe it would have been sincere. Shackelford adds
    that things might have gone a bit differently if Fox had publicly apologized early.

    4. Tucker Carlson's firing wasn't a condition of the settlement. But
    Dominion and its lawyers believe the lawsuit and the pre-trial discovery
    "got that rock moving."

    Dominion appears to be going full steam ahead on six other pending lawsuits against One America News, Newsmax, Sidney Powell, Rudy Giuliani, Patrick
    Byrne and Mike Lindell. Reality check: None of those are expected to reach
    trial before 2024.

    Dominion Voting Systems tells its Fox News lawsuit story

    ------------------------------

    Date: Tue, 2 May 2023 07:39:09 -0400
    From: José María Mateos <chema@rinzewind.org>
    Subject: Re: Security breaches covered up by 30% of companies,
    reveals study (RISKS-33.69)

    This item reminded me of this survey published recently in Canada: https://bcchamber.org/wp-content/uploads/2021/10/Cyber-Security-and-Business-Survey-Summary-Report.pdf

    I think the main difference wrt the original submission is that this survey includes all types of businesses, not only IT firms.

    "While 72% of responding businesses rated their level of cyber security knowledge as average, above average, or expert, nearly two thirds (61%) of businesses have experienced a cyber security incident. ***Despite this,
    almost three quarters (74%) of businesses didn't report it.***"

    ------------------------------

    Date: 28 Apr 2023 21:54:42 -0400
    From: "John Levine" <johnl@iecc.com>
    Subject: Re: Farmers crippled by satellite failure as GPS-guided
    tractors grind to a halt (RISKS-33.69)

    All that went out the window when the Inmarsat-41 satellite signal failed.

    Something is seriously garbled here. There is no Inmarsat-41 satellite.
    They are probably referring to Inmarsat-4 F1 which failed on April 16 and
    came back into service on 19 Apr 2023.

    BUT, that is a geosynchronous communication satellite in orbit at about
    36,000 km. It has nothing whatsoever to do with GPS, which is an unrelated
    system using 38 satellites in 20,000 km orbits.

    I believe something went wrong that made the tractors fail, but it wasn't
    GPS. I wonder what it was.

    ------------------------------

    Date: Sat, 29 Apr 2023 11:24:24 -0600
    From: Brian Inglis <Brian.Inglis@Shaw.ca>
    Subject: Re: Farmers crippled by satellite failure as GPS-guided tractors
    grind to a halt (RISKS-33.69)

    GNSS positioning needs at least four good quality satellite signals to calculate an accurate 3-D+Time fix (by solving simultaneous equations).

    To get cm level accuracy requires a GPS receiver which also receives
    messages with accuracy corrections for satellite orbits, regional
    ionospheric and tropospheric conditions; see:

    https://www.septentrio.com/en/learn-more/insights/gnss-corrections-demystified

    Because of space weather, satellite signal interference, and occasional
    service outages, these signals from regional broadcast satellite services,
    like that from Inmarsat I-4 F1, are usually backed up by other satellites, terrestrial internet and/or radio alternatives, including mobile 3GPP, which these Australian farmers, or their equipment suppliers, appear not to have considered essential to ensure operation.
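
    The "at least four good quality satellite signals" point above, worked
    through as an added example (this is illustrative code, not part of Brian
    Inglis's post and not any receiver vendor's implementation): the satellite
    coordinates, receiver position and 0.3 km clock bias are constructed numbers
    in an Earth-centred frame, the pseudorange equations are solved by
    Gauss-Newton iteration, and the same data are then solved with only three
    satellites while pretending the receiver clock is perfect, which is what a
    fourth signal is needed to avoid.

```python
"""Why a GNSS fix needs four satellites: three for position, one for the receiver clock.

Added illustration with constructed numbers (not data from any real receiver):
solves the pseudorange equations by Gauss-Newton iteration, then shows the
position error that results from using three satellites and assuming the
receiver clock is perfect.
"""
import math

# Constructed geometry in kilometres, Earth-centred axes.  Satellites sit at a
# GPS-like orbital radius (~26,560 km); the receiver is near the surface.
SATS = [
    (15600.0, 7540.0, 20140.0),
    (18760.0, 2750.0, 18610.0),
    (17610.0, 14630.0, 13480.0),
    (19170.0, 610.0, 18390.0),
]
TRUE_RECEIVER = (-40.0, -20.0, 6370.0)
TRUE_CLOCK_BIAS_KM = 0.3   # a 1 microsecond clock error is ~0.3 km of range


def distance(a, b):
    return math.sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def pseudoranges(sats, receiver, clock_bias_km):
    """What the receiver measures: true range plus its own clock offset (as a length)."""
    return [distance(s, receiver) + clock_bias_km for s in sats]


def solve_linear(a, b):
    """Gauss-Jordan elimination with partial pivoting for a small square system a x = b."""
    n = len(b)
    m = [list(row) + [b[i]] for i, row in enumerate(a)]
    for col in range(n):
        pivot = max(range(col, n), key=lambda r: abs(m[r][col]))
        m[col], m[pivot] = m[pivot], m[col]
        if abs(m[col][col]) < 1e-12:
            raise ValueError("degenerate satellite geometry")
        for r in range(n):
            if r != col:
                f = m[r][col] / m[col][col]
                m[r] = [x - f * y for x, y in zip(m[r], m[col])]
    return [m[i][n] / m[i][i] for i in range(n)]


def solve_fix(sats, rhos, solve_clock=True, iterations=30, tol_km=1e-6):
    """Gauss-Newton on  |S_i - x| + b = rho_i.  Uses exactly as many satellites
    as unknowns: four when the clock bias b is solved, three when it is not."""
    n = 4 if solve_clock else 3
    sats, rhos = sats[:n], rhos[:n]
    est = [0.0, 0.0, 0.0, 0.0]        # cold start at Earth's centre, zero bias
    for _ in range(iterations):
        jac, resid = [], []
        for s, rho in zip(sats, rhos):
            r = distance(s, est[:3])
            row = [(est[k] - s[k]) / r for k in range(3)]   # d|S-x|/dx
            if solve_clock:
                row.append(1.0)                             # d/db
            jac.append(row)
            resid.append(r + est[3] - rho)                  # est[3] stays 0 if not solved
        delta = solve_linear(jac, [-v for v in resid])
        for k, d in enumerate(delta):
            est[k] += d
        if math.sqrt(sum(d * d for d in delta)) < tol_km:
            break
    return tuple(est[:3]), est[3]


def demo():
    rhos = pseudoranges(SATS, TRUE_RECEIVER, TRUE_CLOCK_BIAS_KM)
    pos4, bias4 = solve_fix(SATS, rhos)                      # 3-D + time
    pos3, _ = solve_fix(SATS, rhos, solve_clock=False)      # 3-D, clock assumed perfect
    return {
        "four_sat_error_km": distance(pos4, TRUE_RECEIVER),
        "four_sat_bias_km": bias4,
        "three_sat_error_km": distance(pos3, TRUE_RECEIVER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value:.6f}")
```

    With four satellites the solver recovers both the position and the 0.3 km
    clock bias to numerical precision; with three satellites and the clock
    assumed perfect, the whole 1 microsecond clock error is pushed into the
    position, and the error is at least the bias itself (hundreds of metres),
    amplified further by the satellite geometry. The correction messages
    mentioned in the post refine the satellite positions and delays that feed
    into the `SATS` and `rhos` inputs; they do not remove the need for the
    fourth unknown.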

    ------------------------------

    Date: Tue, 2 May 2023 13:35:00 +0200
    From: Terje Mathisen <terje.mathisen@tmsw.no>
    Subject: Re: GPS clock turnover -- again and again (RISKS-33.69)

    Does anyone know if there has been any desire to automagically fix this
    problem? Or do we just continue to kick the can down another 1024
    [weeks]? PGN

    This *has* been addressed, by kicking the can even further down the road:
    For several years now, the GPS signal has extended the 10-bit week number
    by an additional 3 bits, i.e., it is now a ~160-year rollover instead of
    every ~20 years.

    You do need updated GPS receiver firmware to be able to use that 13-bit week number though, and there are many other ways to solve the issue:

    The most obvious is probably to just have a writable flash-memory record
    where the current year is written every week/month/year: On a full reset/restart you read that field and use it to determine which week epoch
    you are in. This works as long as the year field is updated at least once
    every 20 years.

    An even cheaper solution would be to hardcode the compilation date of the firmware, but this has already failed (after 20 years!) in embedded
    equipment where firmware is effectively never updated.

    ------------------------------

    Date: Sat, 29 Apr 2023 10:13:46 -0600
    From: Brian Inglis <Brian.Inglis@Shaw.ca>
    Subject: Re: GPS clock turnover -- again and again (RISKS-33.69)

    It could be caused by your provider's network signal being weak sending or
    your phone decoding glitchy https://en.wikipedia.org/wiki/NITZ messages,
    your phone roaming to another provider's network with a weak signal, or it could be an improperly configured Cell-Site Simulator/IMSI
    Catcher/"Stingray" device run by law enforcement or other entity or
    organization, drowning out any cell network provider signal.

    There is a GPS 1024 week rollover about every 19.6 years, the last was 2019
    Apr 6 Sat/7 Sun, the next will be 2038 Nov 20 Sat/21 Sun (GPS time - epoch
    == TAI @ 1980 Jan 6 Sun == TAI - 19s since 2017 == UTC + 18s since 2017).

    The real problem is cheap receivers do not decode the GPS messages with extended 13-bit 8192-week numbers (possibly using only a receiver chip
    vendor's basic reference design or licensed IP), so they add windowing based
    on some build date, and after 1024 weeks, or sometimes a smaller portion of that (as decided by the vendor), the receiver time decoding reaches EoL and wraps around.

    Does anyone know if there has been any desire to automagically fix this
    problem? Or do we just continue to kick the can down another 1024 [weeks]?

    Effectively, yes, but with more engineering in the major supported NTP
    daemons ntpd, chrony, ntpsec, which have all added similar GPS week rollover window mitigation, based on the daemon build date (perhaps by now some significant accurate persistent file system date info also), to compensate
    for GPS dates before the build (or file system or file) date, and add weeks
    to adjust the messages to the current time.
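
    The rollover mechanics discussed in Terje Mathisen's and Brian Inglis's
    replies above, as an added worked example (illustrative code, not taken from
    any receiver firmware or from ntpd, chrony or ntpsec): a 10-bit week field
    wraps every 1024 weeks; a stored reference date (firmware build date, or a
    date the device writes to flash) recovers the full week by "windowing"; that
    recovery silently returns a date 1024 weeks in the past once the reference
    is itself more than 1024 weeks old; and the 13-bit field resolves the same
    stale reference correctly. The dates used are chosen for the example; the
    2019 Apr 7 week boundary is the one given in the post. Leap seconds are
    ignored, since they only affect which week you are in within seconds of a
    week boundary.

```python
"""GPS week-number rollover and build-date windowing (added illustration)."""
from datetime import date, timedelta

# Week 0 of GPS time began on Sunday 1980-01-06.  Leap seconds are ignored
# here: they matter only within seconds of a week boundary.
GPS_EPOCH = date(1980, 1, 6)


def week_of(year, month, day):
    """Unbounded week count since the GPS epoch; what the receiver needs."""
    return (date(year, month, day) - GPS_EPOCH).days // 7


def broadcast_week(full_week, bits=10):
    """What the navigation message actually carries: the week modulo 2**bits
    (10 bits in the legacy message, 13 bits in the modernized CNAV messages)."""
    return full_week % (1 << bits)


def resolve_week(truncated, bits, ref_year, ref_month, ref_day):
    """Windowing: the first full week on or after the reference date whose
    truncated value matches the broadcast field.  The reference is the firmware
    build date or a date the device periodically saved to flash.  This is
    correct only while the reference is less than 2**bits weeks old; after that
    the result is exactly 2**bits weeks too early, with no error signalled."""
    ref_week = week_of(ref_year, ref_month, ref_day)
    modulus = 1 << bits
    return ref_week + (truncated - ref_week) % modulus


def week_start(full_week):
    """Calendar date (a Sunday) on which a given full GPS week began."""
    return GPS_EPOCH + timedelta(weeks=full_week)


def demo(today=(2023, 5, 13)):
    """Resolve today's broadcast week against a recent and a stale reference."""
    full = week_of(*today)
    field10 = broadcast_week(full, 10)
    return {
        "full_week": full,
        "ten_bit_field": field10,
        # firmware built 2015: under 1024 weeks ago, windowing gives the right week
        "recent_build": resolve_week(field10, 10, 2015, 1, 1),
        # firmware built 2000: over 1024 weeks ago, the fix lands 19.6 years early
        "stale_build": resolve_week(field10, 10, 2000, 1, 1),
        # same stale build date, but the 13-bit field still resolves correctly
        "stale_build_13bit": resolve_week(broadcast_week(full, 13), 13, 2000, 1, 1),
    }


if __name__ == "__main__":
    for name, week in demo().items():
        suffix = "" if name == "ten_bit_field" else f"  (week starting {week_start(week)})"
        print(f"{name}: {week}{suffix}")
```

    The "stale_build" case is the failure mode both replies describe: the
    receiver does not crash, it confidently reports a date from 1024 weeks
    earlier. Rewriting the saved reference date at least once every 19.6 years
    (for the 10-bit field) keeps the window valid; the 13-bit field moves the
    same cliff out to about 157 years for receivers whose firmware decodes it.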

    ------------------------------

    Date: Mon, 8 May 2023 11:28:53 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Software Obsolescence (Ross Anderson)

    Rebecca Mercuri noted a remarkably relevant one-hour Software Engineering podcast episode, from the IEEE Computer Society, with Ross Anderson on
    Software Obsolescence, with interesting related links: https://www.se-radio.net/2023/04/se-radio-559-ross-anderson-on-software-obsolescence/

    There are some pithy examples for RISKS, but I would rather you got them
    from Ross.

    ------------------------------

    Date: Thu, 11 May 2023 15:27:27 -0400
    From: Gabe Goldberg <gabe@gabegold.com>
    Subject: Stop Ransomware (CISA)

    StopRansomware.gov is the U.S. Government's official one-stop location for resources to tackle ransomware more effectively.

    https://www.cisa.gov/stopransomware

    ------------------------------

    Date: Thu, 11 May 2023 16:26:38 PDT
    From: Peter Neumann <neumann@csl.sri.com>
    Subject: Correctness-by-Construction - How Can We Build Better Software?

    May 31 Talk with Ina Schaefer, Professor of Software Engineering

    Register now for the next free ACM TechTalk,
    "Correctness-by-Construction - How Can We Build Better Software?" (https://acm-org.zoom.us/webinar/register/WN_354Ix98JTSSKqVoxqKGmyg),
    presented on Wednesday, May 31 at 12:00 PM ET/16:00 UTC by Ina
    Schaefer, Professor of Software Engineering at Karlsruhe Institute of Technology (KIT), Germany. Will Tracz, Former Chair of ACM SIGSOFT and
    member of the ACM Professional Development Committee, will moderate
    the questions and answers session following the talk.

    Leave your comments and questions with our speaker now and any time
    before the live event on ACM's Discourse Page
    (https://on.acm.org/t/correctness-by-construction-how-can-we-build-better-software/2805).
    And check out the page after the webcast for extended discussion with
    your peers in the computing community, as well as further resources on
    large language models, generative AI, and more.

    (If you'd like to attend but can't make it to the virtual event, you
    still need to register to receive a recording of the TechTalk when it
    becomes available.)

    Note: You can stream this and all ACM TechTalks on your mobile device, including smartphones and tablets.

    ------------------------------

    Date: Mon, 1 Aug 2020 11:11:11 -0800
    From: RISKS-request@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks


    [continued in next message]
