Path: i2pn2.org!i2pn.org!weretis.net!feeder6.news.weretis.net!panix!.POSTED.panix1.panix.com!not-for-mail
From: risko@csl.sri.com (RISKS List Owner)
Newsgroups: comp.risks
Subject: Risks Digest 34.12
Date: 2 Apr 2024 01:53:09 -0000
Organization: PANIX Public Access Internet and UNIX, NYC
Lines: 758
Sender: RISKS List Owner <risko@csl.sri.com>
Approved: risks@csl.sri.com
Message-ID: <CMM.0.90.4.1712022671.risko@chiron.csl.sri.com16950>
Injection-Info: reader1.panix.com; posting-host="panix1.panix.com:166.84.1.1";
logging-data="10751"; mail-complaints-to="abuse@panix.com"
To: risko@csl.sri.com

RISKS-LIST: Risks-Forum Digest Monday 1 April 2024 Volume 34 : Issue 12

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.12>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents: somewhat backlogged, but No Fooling yet today!
Two major losses (PGN)
America's Nuclear War Plan in the 1960s Was Utter Madness.
It Still Is. (Mother Jones)
FDA Warning Links Heart Pump to Deaths (Christina Jewett)
Persist (NYTimes)
Ransomware Attack Against UnitedHealth Shows Flaws in Cybersecurity
Iowa fertilizer spill kills 750K fish in Iowa and Missouri over
60-mile stretch of rivers (NYTimes)
Red Hat Fedora 41 hacked (Tom Van Vleck)
Unpatchable vulnerability in Apple chip leaks secret encryption keys
(ArsTechnica via Gabe Goldberg, Gabe Goldberg)
The race between positive and negative applications of Generative
AI is on -- and not looking pretty (Gary Marcus via Gabe)
U.S. Military's Investments into AI Skyrocket (Will Henshall)
AI bots hallucinate software packages and devs download them
(Steve Bacher via The Register)
OpenAI Reveals but Will Not Release Human Voice Cloning Feature (WSJ)
The Online Degradation of Women and Girls That We Meet With a Shrug
(The New York Times)
America's first biometric 'smart gun' is finally here. Will it work?
(SmartGun)
Hackers Found a Way to Open Any of 3 Million Hotel Keycard Locks in Seconds
(WiReD)
AT&T Resets Millions of Passcodes After Customer Records Are Leaked
(Jan Wolitzky)
Time for Social Engineering Training (Kingfish1935 via Ben Moore)
Internet Age Verification schemes -- e.g., Florida's new law
(Lauren Weinstein)
Scientists aghast at bizarre AI rat with huge genitals in peer-reviewed
article (ArsTechnica)
Israel Deploys Expansive Facial Recognition Program in Gaza (NYTimes)
Facebook snooped on users' Snapchat traffic in secret project,
documents reveal (TechCrunch)
Elon Musk's Starlink Terminals Are Falling Into the Wrong Hands?
(Henry Baker)
Explanations of Australian emergency phone number failure (John Colville)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sat, 30 Mar 2024 9:02:31 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Two major losses

Ross Anderson
https://twitter.com/duncan_2qq/status/1773752269395099774
https://alecmuffett.com/article/109513

From Ross's University of Cambridge:
Ross pioneered the field of security engineering. Our students were very
fortunate to learn from him over the last few years. In fact, he gave 2
seminars just last Wednesday. He researched many topics within computer
science including cryptology, steganography, dependability, security
economics, adversarial machine learning and more. Ross also used his
position as a researcher to actively advocate for a more secure
world. This included championing individual privacy rights, research into
payments security in developing countries, and protecting vulnerable
people from scams. On a personal level, he will be greatly missed by
students and staff.

Dan Lynch
https://www.nytimes.com/2024/03/31/technology/daniel-c-lynch-dead.html?unlocked_article_code=1.hE0.tCVR.8ASMr_sTSh3W&smid=url-share

Dan's era was long before Ross's. Lauren Weinstein had this note: Dan
Lynch, one of the key people involved in building the Internet and ARPANET
before it, has died. Dan was director of computing facilities at SRI
International, where ARPANET node #2 was located. He worked on
development of TCP/IP, and where the first packets were received from our
site at UCLA node #1 to SRI, and later at USC-ISI led the team that made
the transition from the original ARPANET NCP protocols to TCP/IP for the
Internet. And much more.
https://www.internethalloffame.org/inductee/dan-lynch/

Both of them were major figures in their respective eras, and wonderful
friends, Ross much too young at 56, Dan at 82.

------------------------------

Date: Thu, 28 Mar 2024 13:11:21 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: America's Nuclear War Plan in the 1960s Was Utter Madness.
It Still Is. (Mother Jones)

We rarely consider the dangers these days, but our existence depends on it.

Nuclear war is the only scenario other than an asteroid strike that could
end civilization in a matter of hours. The soot from burning cities and
forests will blot out the sun and cause a nuclear winter. Agriculture will
fail. State-of-the-art climate modeling predicts five billion humans will
die. In the words of Nikita Khrushchev, "the survivors will envy the dead."

https://www.motherjones.com/politics/2024/03/nuclear-war-scenario-book-siop-weapons-annie-jacobsen/

------------------------------

Date: Sat, 30 Mar 2024 12:07:54 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: FDA Warning Links Heart Pump to Deaths (Christina Jewett)

Christina Jewett, *The New York Times*, 30 Mar 2024

A troubled Impella heart pump that has now been linked to 49 deaths
and dozens of injuries worldwide will be allowed to remain in use,
despite the FDA's decision to issue an alert about the risk that it
could puncture a wall of the heart.

The FDA said Abiomed (the manufacturer of the device) should have
notified the agency more than two years ago, when the company first
posted an update on its website about the perforation risk. [Abiomed
was then acquired by Johnson and Johnson in 2022.] [Half-page article
PGN-ed]

``To say that you're addressing 49 deaths by saying `be careful' is not
addressing the problem at all.'' Rita Redberg, UCSF cardiologist and
professor.

------------------------------

Date: Sat, 30 Mar 2024 18:23:42 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Ransomware Attack Against UnitedHealth Shows Flaws in Cybersecurity
Persist (NYTimes)

Reed Abelson and Margot Sanger-Katz, *The New York Times*, 30 Mar 2024

The recent cyberattack on the billing and payment colossus Change Healthcare
(Making Change as well as Changing Healthcare?) revealed just how serious
the vulnerabilities are throughout the U.S. healthcare system, and alerted
industry leaders and policymakers to the urgent need for better digital
security.

[They clearly have not been reading RISKS for any of the past 38 years!
And this is on top of HIPAA, where none of the systems are secure enough
to begin with and privacy is a huge problem already. PGN]

------------------------------

Date: Sat, 30 Mar 2024 14:44:31 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: Iowa fertilizer spill kills 750K fish in Iowa and Missouri over
60-mile stretch of rivers (NYTimes)

Mitch Smith and Catrin Einhorn, *The New York Times*, 30 Mar 2024

Single valve left open over a weekend.
Lessons from our RISKS community need to be practiced elsewhere.
Flow control Systems? Probably none.
Monitoring? Probably none.
Diagnostics? Probably none.
Risks to human and other lives? Rampant.

[Einhorn is Unicorn in German. I am delighted Einhorns are not totally
extinct, with two in the same issue. Catrin and Bruce (below) need to
work together -- if they are not already. PGN]

------------------------------

Date: Fri, 29 Mar 2024 15:16:48 -0400
From: Tom Van Vleck <thvv@multicians.org>
Subject: Red Hat Fedora 41 hacked

Red Hat Fedora 41 had a backdoor installed.
The latest version of the "xz" compression tools and libraries had
malicious code inserted that appears to attack SSH authentication.
CVE-2024-3094

Some details at
https://www.openwall.com/lists/oss-security/2024/03/29/4

[Hassen Saidi remarked on the fascinating story:
https://boehs.org/node/everything-i-know-about-the-xz-backdoor

Victor Miller noted
https://infosec.exchange/@tinker/112181161329268317
and Technologist vs spy: the xz backdoor debate
https://lcamtuf.substack.com/p/technologist-vs-spy-the-xz-backdoor
PGN]

------------------------------

Date: Sun, 24 Mar 2024 18:18:12 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Unpatchable vulnerability in Apple chip leaks secret encryption
keys (Ars Technica)

Are these exotic/esoteric threats meaningful in the real
non-high-value-target world?

How is it weaponized?

The attack, which the researchers have named GoFetch
<https://gofetch.fail/>, uses an application that doesn't require root
access, only the same user privileges needed by most third-party
applications installed on a macOS system. M-series chips are divided into
what are known as clusters. The M1, for example, has two clusters: one
containing four efficiency cores and the other four performance cores. As
long as the GoFetch app and the targeted cryptography app are running on the
same performance cluster -- even when on separate cores within that
cluster -- GoFetch can mine enough secrets to leak a secret key. [...]

