RISKS-LIST: Risks-Forum Digest Monday 22 April 2024 Volume 34 : Issue 19

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.19>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Influential women's tech network shuts down unexpectedly (BBC)
Re: Women Who Code shut down today (Rebecca Mercuri)
Re: Women Who Code shut down today (Wendy Grossman)
‘We’re a dead ship’: Hundreds of cargo ships lost propulsion in
U.S. waters in recent years (WashPost)
Tesla Cybertruck turns into world's most expensive brick after
car wash (The Register)
Software upgrade error grounds all Alaska Airlines flights for 1 hour
(Seattle Times)
San Francisco’s Train System Still Uses Floppy Disks -- and Will for Years
(WiReD)
GPT-4 and CVE = exploit (Rik Farrow)
The invisible seafaring industry that keeps the Internet afloat (The Verge) Microsoft’s VASA-1 can deepfake a person with one photo and one audio track
(Ars Technica)
Hospital prices for the same emergency care vary up to 16-fold,
a study finds (ArsTechnica)
Chirp mandates open-door policy -- in a bad way (Krebs)
Netflix doc accused of using AI to manipulate true crime story (ArsTechnica) China orders Apple to remove Meta apps after “inflammatory” posts about
president (ArsTechnica)
Roku forcing 2-factor authentication after 2 breaches of 600K accounts
(ArsTechnica)
The GMO tooth microbe that is supposed to prevent cavities (Undark)
Virginia to become first state to allow online-only local nesw sites to
publish legal notices (ARLnow)
Amazon is filled with garbage ebooks. Here’s how they get made. (Esquire)\\ Re: Palo Alto Zero Exploit (Martin Ward)
Re: AI chatbots spread falsehoods about the EU elections (Martin Ward)
Re: U.S. Air Force confirms first successful AI dogfight
(Turgut Kalfaoglu)
Re: Wrong button clicked, wrong divorce cannot be undone (Henry Baker)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 19 Apr 2024 15:38:32 -0600
From: Matthew Kruk <[email protected]>
Subject: Influential women's tech network shuts down unexpectedly (BBC)

https://www.bbc.com/news/articles/cw0769446nyo

Women Who Code (WWC), a charity that supports women who work in the
technology sector, has announced it is shutting down because of a lack of funding.

The U.S.-based organisation says it had 360,000 people in its community,
across 145 countries.

[The risks to many women who code around the world could be considerable.
Are there any former members who are also RISKS readers who can share the
back stories? To me this seems like a terrible loss -- even if there was
management malpractice. The Atlanta Journal-Constitution in today's
article by Mirtha Donastorg suggests that WWC had millions of dollars.

However, this is the WWC statement quoted in the AJ-C on 19 Apr 202, the
day of the shut down:

``This decision has not been made lightly. It only comes after careful
consideration of all options and is due to factors that have materially
impacted our funding sources -- funds that were critical to continuing
our programming and delivering on our mission,'' the organization said
in a statement. It did not detail what factors impacted its finances.

PGN]

------------------------------

Date: Sun, 21 Apr 2024 18:58:13 -0400
From: "DrM: Rebecca Mercuri" <[email protected]>
Subject: Re: Women Who Code shut down today (RISKS-34.19)

I am not a member or supporter of either Women Who Code or Girls Who Code (separate non-profits that both started in 2011), but have been aware of the existence of these two groups. Certainly, it is important for women and
girls to feel comfortable learning how to code, and to be able to find work
and equal pay in coding-related fields. Unfortunately, I feel that neither group has/had successfully addressed the problems of bias and harassment against girls and women who code.

What has long been needed for all in the computing fields, is to learn how
to work side-by-side with people of all genders, where mutual respect and acknowledgment of everyone's contributions are encouraged and
nurtured. Splitting into same-sex support groups has not and does not create healthy, safe, and fair workplaces. It is possible that these same-sex non-profits may have inadvertently reinforced the stereotype of "lesser than
or different" while not appropriately addressing the very real biases and affronts that women and girls and others continue to battle in schools and
the workplace.

While belated and often posthumous recognitions of female coders
occasionally occurs, such as for the Women of the ENIAC and Grace Murray Hopper, extreme bias in prizes continues to be blatant and overlooked. A
very visible example of gender bias is exemplified by the Association of Computing Machinery's Turing Award. Over the 58 years of its issuance, there have only been 3 women, as compared to 74 men, given this esteemed prize. 
The last woman received her Turing in 2012. Since Google endowed it in 2014 with $1,000,000.00 for each award, precisely ZERO women have been selected
for the honor. It is utterly appalling that Turing himself (wrongly
convicted by the British government of sexual indecency, submitted to
chemical castration, and possibly murdered) continues to be exploited with
this highly biased award being presented annually, often to coders, in his name, without his permission. THIS NEEDS TO STOP.

In conclusion, we must see that new and better support groups are created
that will expose and expunge wrongs and biases in workplaces, schools, governments, professional organizations, non-profits, and other entities
that make decisions and set policies based on antiquated ideas of genders
and sexualities. Those who code should help to create a level playing field, where all people can find ways to work together with egalitarianism and
mutual respect.

Rebecca Mercuri, PhD

[Rebecca should be well-known to long-time RISKS readers. It was her
thesis at Penn a quarter-century ago that broke open how to overcome
voting machines with no audit trails and no possible remediation of
questionable results:
<http://www.notablesoftware.com/Papers/mercuri-thesis.pdf>
PGN]

------------------------------

Date: Sun, 21 Apr 2024 16:36:03 +0100
From: "Wendy M. Grossman" <[email protected]>
Subject: Re: Women Who Code shut down today (RISKS-34.19)

I remember in 1998 attending an event in 1998 at which ACM had a session on
the incredible(?) "shrinking pipeline", which had studied the reasons women were leaving computing.

The choices included image (geeks), the hours (medicine was seen as
eventually getting better, but computing not), etc. Not included, but widely written in: "sexual harassment".

Soon after I had dinner with a woman who sold large computer systems. I told her about the survey. She immediately said: "Did they mention sexual harassment?"

I know I wrote about it somewhere, but can't locate where.

------------------------------

Date: Wed, 17 Apr 2024 02:07:23 -0400
From: Gabe Goldberg <[email protected]>
Subject: ‘We’re a dead ship’: Hundreds of cargo ships lost propulsion in
U.S. waters in recent years (WashPost)

A *WashPost* examination found that losses of engine power, part of what the Dali experienced when it crashed into the Key Bridge in Baltimore, are not uncommon.

https://www.washingtonpost.com/investigations/2024/04/16/dead-ships-propulsion-loss/

[Preventive maintenance seems to be less frequent here, in aviation, and
perhaps even in driverless cars -- although that has other problems, such
as a lack of trustworthiness in design and implementation. PGN]

------------------------------

Date: Sat, 20 Apr 2024 14:18:56 -0400
From: Monty Solomon <[email protected]>
Subject: Tesla Cybertruck turns into world's most expensive brick after
car wash (The Register)

https://www.theregister.com/2024/04/20/cybertruck_car_wash_mode/

------------------------------

Date: Wed, 17 Apr 2024 12:12:01 -0700
From: Rob Wilcox <[email protected]>
Subject: Software upgrade error grounds all Alaska Airlines flights for 1
hour (Seattle Times)

Alaska Airlines briefly grounded all flights after an error was found in a software upgrade calculating the plane mass and balance. "Alaska said it had experienced an issue 'while performing an upgrade to the system that
calculates our weight and balance.'"

The airline had a similar problem in February 2023. In that case:

"To determine the thrust and speed settings for takeoff, Alaska’s pilots
and others use a performance calculation tool supplied by a Swedish
company called DynamicSource.

It delivers a message to the cockpit with crucial weight and balance data,
including how many people are on board, the jet’s empty and gross weight
and the position of its center of gravity.

In a cockpit check before takeoff, this data is entered into the flight
computer to determine how much thrust the engines will provide and at what
speed the jet will be ready to lift off."

https://www.seattletimes.com/business/boeing-aerospace/all-alaska-airline-flights-grounded/

------------------------------

Date: Mon, 15 Apr 2024 11:50:43 -0700
From: Steve Bacher <[email protected]>
Subject: San Francisco’s Train System Still Uses Floppy Disks --
and Will for Years (WiReD)

Three 5.25-inch floppy disks help keep Muni running every morning. A tech upgrade could take until 2030.

https://www.wired.com/story/san-francisco-muni-trains-floppy-disks/

------------------------------

Date: Sun, 21 Apr 2024 16:20:54 -0700
From: Rik Farrow <[email protected]>
Subject: GPT-4 and CVE = exploit

Interesting, a bit surprising, but still:

https://www.theregister.com/2024/04/17/gpt4_can_exploit_real_vulnerabilities/

OpenAI's GPT-4 large language model (LLM) can autonomously exploit vulnerabilities in real-world systems if given a CVE advisory describing
the flaw.

[... if GPT-4 handles the CVE correctly and the CVE is adequately defined,
which is usually totally unassured. Thus, the claim seems highly
overblown. I think this claim is very suspect and over-hyped. PGN]

------------------------------

Date: Sat, 20 Apr 2024 08:10:11 -0700
From: Steve Bacher <[email protected]>
Subject: The invisible seafaring industry that keeps the Internet afloat
(The Verge)

[Long article PGN-ed]

The global Internet relies on 800,000 miles of undersea cables that are constantly breaking. This is the story of the 22 aging ships that fix them.

The world’s emails, TikToks, classified memos, bank transfers, satellite surveillance, and FaceTime calls travel on cables that are about as thin as
a garden hose. There are about 800,000 miles of these skinny tubes crisscrossing the Earth’s oceans, representing nearly 600 different systems, according to the industry tracking organization TeleGeography. The cables
are buried near shore, but for the vast majority of their length, they just
sit amid the gray ooze and alien creatures of the ocean floor, the hair-thin strands of glass at their center glowing with lasers encoding the world’s data.

If, hypothetically, all these cables were to simultaneously break, modern civilization would cease to function. The financial system would immediately freeze. Currency trading would stop; stock exchanges would close. Banks and governments would be unable to move funds between countries because the
Swift and U.S. interbank systems both rely on submarine cables to settle
over $10 trillion in transactions each day. In large swaths of the world, people would discover their credit cards no longer worked and ATMs would dispense no cash. As U.S. Federal Reserve staff director Steve Malphrus said
at a 2009 cable security conference, “When communications networks go down, the financial services sector does not grind to a halt. It snaps to a halt.”

Corporations would lose the ability to coordinate overseas manufacturing and logistics. Seemingly local institutions would be paralyzed as outsourced accounting, personnel, and customer service departments went
dark. Governments, which rely on the same cables as everyone else for the
vast majority of their communications, would be largely cut off from their overseas outposts and each other. Satellites would not be able to pick up
even half a percent of the traffic. Contemplating the prospect of a mass
cable cut to the UK, then-MP Rishi Sunak concluded, “Short of nuclear or biological warfare, it is difficult to think of a threat that could be more justifiably described as existential.”

Fortunately, there is enough redundancy in the world’s cables to make it nearly impossible for a well-connected country to be cut off, but cable
breaks do happen. On average, they happen every other day, about 200 times a year. The reason websites continue to load, bank transfers go through, and civilization persists is because of the thousand or so people living aboard 20-some ships stationed around the world, who race to fix each cable as soon
as it breaks.

https://www.theverge.com/c/24070570/internet-cables-undersea-deep-repair-ships

------------------------------

Date: Sat, 20 Apr 2024 14:38:44 -0400
From: Monty Solomon <[email protected]>
Subject: Microsoft’s VASA-1 can deepfake a person with one photo and one
audio track (Ars Technica)

YouTube videos of 6K celebrities helped train AI model to animate photos in real time.

On Tuesday, Microsoft Research Asia unveiled VASA-1, an AI model that can create a synchronized animated video of a person talking or singing from a single photo and an existing audio track. In the future, it could power
virtual avatars that render locally and don't require video feeds—or allow anyone with similar tools to take a photo of a person found online and make them appear to say whatever they want.

https://arstechnica.com/information-technology/2024/04/microsofts-vasa-1-can-deepfake-a-person-with-one-photo-and-one-audio-track/

------------------------------

Date: Sat, 20 Apr 2024 14:41:23 -0400
From: Monty Solomon <[email protected]>
Subject: Hospital prices for the same emergency care vary up to 16-fold,
a study finds (ArsTechnica)

Hospitals' *trauma activation fees* are unregulated and extremely variable.

Since 2021, federal law has required hospitals to publicly post their
prices, allowing Americans to easily anticipate costs and shop around for affordable care -- as they would for any other marketed service or product.
But hospitals have mostly failed miserably at complying with the law.

A 2023 KFF analysis on compliance found that the pricing information
hospitals provided is ``messy, inconsistent, and confusing, making it challenging, if not impossible, for patients or researchers to use them for their intended purpose.'' A February 2024 report from the nonprofit organization Patient Rights Advocate found that only 35 percent of 2,000 US hospitals surveyed were in full compliance with the 2021 rule.

But even if hospitals dramatically improved their price transparency, it
likely wouldn't help when patients need emergency trauma care. After an unexpected, major injury, people are sent to the closest hospital and aren't likely to be shopping around for the best price from the back of an
ambulance. If they did, though, they might also need to be treated for
shock.

According to a study published Wednesday in JAMA Surgery, hospitals around
the country charge wildly different prices for trauma care. Prices for the
same care can be up to 16-fold different between hospitals, and cash prices
are sometimes significantly cheaper than the negotiated prices that
insurance companies pay.

https://arstechnica.com/science/2024/04/hospital-prices-for-the-same-emergency-care-vary-up-to-16x-study-finds/

------------------------------

Date: Mon, 15 Apr 2024 21:12:20 -0400
From: Cliff Kilby <[email protected]>
Subject: Chirp mandates open-door policy -- in a bad way (Krebs)

[This has been known since Mar 2021.]

If you have a Chirp lock, someone else could have already been home by now.

https://krebsonsecurity.com/2024/04/crickets-from-chirp-systems-in-smart-lock-key-leak/

------------------------------

Date: Sat, 20 Apr 2024 14:37:24 -0400
From: Monty Solomon <[email protected]>
Subject: Netflix doc accused of using AI to manipulate true crime story
(ArsTechnica)

Producer remained vague about whether AI was used to edit photos.

An executive producer of the Netflix hit *What Jennifer Did* has responded
to accusations that the true crime documentary used AI images when depicting Jennifer Pan, a woman currently imprisoned in Canada for orchestrating a murder-for-hire scheme targeting her parents.

*What Jennifer Did* shot to the top spot in Netflix's global top 10 when it debuted in early April, attracting swarms of true crime fans who wanted to
know more about why Pan paid hitmen $10,000 to murder her parents. But
quickly the documentary became a source of controversy, as fans started noticing glaring flaws in images used in the movie, from weirdly mismatched earrings to her nose appearing to lack nostrils, the Daily Mail reported, in
a post showing a plethora of examples of images from the film.

https://arstechnica.com/tech-policy/2024/04/netflix-doc-accused-of-using-ai-to-manipulate-true-crime-story/

------------------------------

Date: Sat, 20 Apr 2024 14:32:42 -0400
From: Monty Solomon <[email protected]>
Subject: China orders Apple to remove Meta apps after “inflammatory” posts
about president (ArsTechnica)

Apple said it complied with orders from the Chinese government to remove the Meta-owned WhatsApp and Threads from its App Store in China. Apple also
removed Telegram and Signal from China.

https://arstechnica.com/tech-policy/2024/04/china-orders-apple-to-remove-meta-apps-after-inflammatory-posts-about-president/

[The NYTimes has a similar story on the front page of today's National
Edition Business section. PGN]

------------------------------

Date: Sat, 20 Apr 2024 14:31:37 -0400
From: Monty Solomon <[email protected]>
Subject: Roku forcing 2-factor authentication after 2 breaches of 600K
accounts (ArsTechnica)

Accounts with stored payment information went for as little as $0.50 each.

Everyone with a Roku TV or streaming device will eventually be forced to
enable two-factor authentication after the company disclosed two separate incidents in which roughly 600,000 customers had their accounts accessed through credential stuffing.

Credential stuffing is an attack in which usernames and passwords exposed in one leak are tried out against other accounts, typically using automated scripts. When people reuse usernames and passwords across services or make small, easily intuited changes between them, actors can gain access to
accounts with even more identifying information and access.

https://arstechnica.com/security/2024/04/roku-forcing-2-factor-authentication-after-breach-of-600k-accounts/

------------------------------

Date: Sat, 20 Apr 2024 14:28:18 -0400
From: Monty Solomon <[email protected]>
Subject: The GMO tooth microbe that is supposed to prevent cavities
(Undark)

Christina Szalinski, Undark Magazine, 29 Apr 2024

Some experts have concerns over the safety of the genetically modified bacteria.

https://arstechnica.com/health/2024/04/the-gmo-tooth-microbe-that-is-supposed-to-prevent-cavities/

------------------------------

Date: Mon, 22 Apr 2024 09:16:09 -0400
From: Monty Solomon <[email protected]>
Subject: Virginia to become first state to allow online-only local news
sites to publish legal notices (

https://www.arlnow.com/2024/04/05/virginia-to-become-first-state-to-allow-online-only-local-news-sites-to-publish-legal-notices/

------------------------------

Date: Sun, 21 Apr 2024 08:07:59 -0700
From: Steve Bacher <[email protected]>
Subject: Amazon is filled with garbage ebooks. Here’s how they get made.
(Esquire)

How AI Publishing Academy works.

https://www.esquire.com/entertainment/books/a45751827/make-a-living-as-a-writer/

It’s so difficult for most authors to make a living from their writing that we sometimes lose track of how much money there is to be made from books, if only we could save costs on the laborious, time-consuming process of writing them.

The Internet, though, has always been a safe harbor for those with plans to innovate that pesky writing part out of the actual book publishing. On the Internet, it’s possible to copy text from one platform <https://www.poetryfoundation.org/harriet-books/2010/04/retyping-an-entire-book-is-one-thing-cutting-pasting-an-entire-book-is-another>
and paste it into another seamlessly, to share text files <https://bookriot.com/how-easy-is-it-to-pirate-books/>, to build vast
databases of stolen books <https://www.theatlantic.com/technology/archive/2023/08/books3-ai-meta-llama-pirated-books/675063/>.
If you wanted to design a place specifically to pirate and sleazily monetize books, it would be hard to do better than the Internet as it has long
existed.

Now, generative AI has made it possible to create cover images, outlines,
and even text at the click of a button.

https://www.vox.com/culture/24128560/amazon-trash-ebooks-mikkelsen-twins-ai-publishing-academy-scam

------------------------------

Date: Sat, 20 Apr 2024 10:34:32 +0100
From: Martin Ward <[email protected]>
Subject: Re: Palo Alto Zero Exploit (Ward/Kilby, RISKS-34.18)

The answer has been known for many decades: for any safety-critical software you develop the software using formal methods to prove that it is correct.
You implement it in a compiled language that is designed from the start to
have no undefined behavior, to check for and prevent array index overflow
and to handle all memory management. The language is compiled using a
provably correct compiler. And you also have extensive unit and system
tests.

[Martin, Thanks for channeling Edsger Dijkstra. When he was working for
Burroughs long ago, I asked him walking back from lunch one day at a WG2.3
meeting in Santa Cruz what he was teaching the Burroughs programmers about
writing operating systems. He said that if he couldn't get them to write
a simple program on the back of an envelope and prove that it was correct
with respect to its specifications, it was utterly pointless to teach them
anything about operating systems. His wisdom must not be forgotten, along
with that of his colleagues Tony Hoare, Niklaus Wirth, David Parnas, Brian
Randell, and others from that wonderfully seminal era. PGN]

------------------------------

Date: Sat, 20 Apr 2024 10:50:43 +0100
From: Martin Ward <[email protected]>
Subject: Re: AI chatbots spread falsehoods about the EU elections,
report finds (RISKS-34.17)

Another possibility is that the very wealthy companies who produce these chatbots have an interest in influencing the outcome of the elections, and
that the factually false information they are spreading may be a feature,
not a bug.

The companies certainly do have QA departments, but maybe the department's
job is to ensure that the correct biases are being promulgated by the
chatbots. Just as Microsoft's QA department was tasked to ensure that
Windows would not work properly with DR-DOS.

Brad Silverberg wrote to Jim Allchin ``DR-DOS has problems running windows today, and I assume will have more problems in the future.'' Allchin
replied: ``You should make sure it has problems in the future. :-)''

https://www.theregister.com/1999/11/05/how_ms_played_the_incompatibility/

------------------------------

Date: Mon, 22 Apr 2024 12:28:48 +0300
From: =?UTF-8?Q?turgut_kalfao=C4=9Flu?= <[email protected]>
Subject: Re: U.S. Air Force confirms first successful AI dogfight
(RISKS-34.18)

The U.S. Air Force is putting AI in the pilot’s seat.

After the use of drones to kill enemies half way around and thus avoid the guilt and the possibility of getting the killers arrested and prosecuted,
this is the second bad idea that the Pentagon had.

If a weapon can be used remotely, it can also be hacked remotely.

[Once again, dual-Use rears its head, especially with AI. PGN]

------------------------------

Date: Sat, 20 Apr 2024 00:43:56 +0000
From: Henry Baker <[email protected]>
Subject: Re: Wrong button clicked, wrong divorce cannot be undone

A real-life 'Azdak' judge !!

Berthold Brecht's play *The Caucasian Chalk Circle* includes a character
named *Azdak* who is an idiot, but who inadvertently becomes a judge in the middle of political chaos.

Apparently, Brecht's feeling was that a completely *random* judge is fairer than a judge who judiciously applies the law in a universally biased
fashion. https://www.litcharts.com/lit/the-caucasian-chalk-circle/act-5-the-chalk-circle

``Azdak removes his judge's gown, stating that it has gotten too hot for
him to wear it any longer -- he signs the elderly couple's divorce papers
and leaves the chambers, inviting all present to join him outside for a
dance. When Shauwa checks the divorce document, he sees that ***Azdak has
divorced the wrong couple*** -- he has divorced Grusha from Jussup rather
than divorcing the elderly couple.''

[Grushan Groulette? Wassup, Jussup? There really needs to be an UNDO
here. Controlled revocation and do-overs are an important part of life
when something goes awry. It's common in banking, credit card fraud,
golf mulligans, and many other areas. Why not here, especially when AI
misuses are rampant. PGN]

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: [email protected]
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.

SUBSCRIPTIONS: The mailman Web interface can be used directly to

subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks

SUBMISSIONS: to [email protected] with meaningful SUBJECT: line that

includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.

SPAM challenge-responses will not be honored. Instead, use an alternative

address from which you never send mail where the address becomes public!

The complete INFO file (submissions, default disclaimers, archive sites,

copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!

OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's

delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.

Special Offer to Join ACM for readers of the ACM RISKS Forum:

<http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.19
************************

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)