[33735] in RISKS Forum
No subject found in mail header
daemon@ATHENA.MIT.EDU (RISKS List Owner)
Tue Jul 22 23:43:04 2025
From: RISKS List Owner <risko@csl.sri.com>
Date: Tue, 22 Jul 2025 20:45:49 PDT
To: risks@mit.edu
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
precedence: bulk
Subject: Risks Digest 34.73
RISKS-LIST: Risks-Forum Digest Tuesday 22 July 2025 Volume 34 : Issue 73
ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.73>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>
Contents:
Alaska Airlines Grounds All Flights for Three Hours Due to IT Outage
(The New York Times)
Manual workaround of IT system results in $4M damage (Aviation Week)
Another security vulnerability, another legal threat (The Register)
Global Hack on Microsoft Product Hits U.S., State Agencies (WashPost)
Organ retrieval reforms ordered after some donors showed signs of life
(WashPost)
Coins? Cards? Apps? The hell that is paying for parking in LA (LA Times)
Weak password allowed hackers to sink a 158-year-old company (BBC)
Drugmaker Refuses FDA Request to Pull Treatment Linked to Patient Deaths
(NY Times)
Obesity Prediction Could Be Guided by Genetic Risk Scores (NY Times)
U.S. Aims to Ban Chinese Technology in Undersea Cables (Reuters)
Fireside chat: Navigating a cyber incident -- lessons from the British
Library (George Neville-Neil)
UK backing down on Apple encryption backdoor after pressure from U.S.
(ArsTechnica)
Nvidia Warns Its GPUs Need Protection Against Rowhammer Attacks
(The Register)
Eight healthy babies born after IVF using DNA from three people
(The Guardian)
A change in the Southern Ocean structure can have climate implications
(ICM-CSIC)
Cybersecurity Bosses Increasingly Worried About AI Attacks, Misuse
(Cameron Fozi)
Smartphones aren't safe for kids under 13. Here's why. (cnn.com)
Musk's xAI was a late addition to the Pentagon's set of AI contracts
(NBC News)
'Positive review only': Researchers hide AI prompts in papers (Nikkei)
Google to cut thousands of search quality rater jobs after dropping
contract with Appen (Searchengineland)
*Coldplaygate* Is a Stark Reminder That Cameras Are Everywhere (NY Times)
A MAGA bot network on X is divided over the Trump-Epstein backlash
(NBC News)
Re: Bug / Feature of Google Maps (Michael D. Sullivan)
Abridged info on RISKS (comp.risks)
----------------------------------------------------------------------
Date: Mon, 21 Jul 2025 13:55:59 -0400
From: Gabe Goldberg <gabe@gabegold.com>
Subject: Alaska Airlines Grounds All Flights for Three Hours Due to IT
Outage (The New York Times)
Alaska Airlines said it had ended the ground stop, which lasted about three
hours and resulted from a software outage. “Residual impacts” to its
operations were likely, it said.
https://www.nytimes.com/2025/07/20/business/alaska-airlines-grounds-plane-fleet.html?smid=nytcore-ios-share&referringSource=articleShare
Absurdly vague.
------------------------------
Date: Tue, 23 Jan 2024 09:57:44 -0000
From: "Paul Cornish" <paul.a.cornish@gmail.com>
Subject: Manual workaround of IT system results in $4M damage
(Aviation Week)
https://aviationweek.com/defense-space/aircraft-propulsion/forgotten-flashli
ght-causes-4-million-f-35-engine-damage
An F-35 engine worth $14M suffered $4M of damage during maintenance.
[Iatro[en]genic!!! PGN]
------------------------------
Date: Wed, 24 Jan 2024 07:48:03 -0500
From: Cliff Kilby <cliffjkilby@gmail.com>
Subject: Another security vulnerability, another legal threat (The Register)
The Register ran a story about a security researcher who was fined after
reporting a security vulnerability. This case sounds a bit like the 2022
Missouri Post-Dispatch investigation, data was accessible, it was
sensitive, it was reported, and the researcher was subjected to legal
scrutiny.
Mindful of the fact I am a non-lawyer, the following are the ethics of the
situation, though the law may follow.
It's ethical to parse a document format (e.g., view states or binary
strings) according to its well-known document format, if you have reason
to have it. It is ethical to confirm your finding by reproducing it with a
trivial test case (i.e., found one record, searched for another). The key
difference in these cases other than jurisdiction is the fact that the data
in the German case required authentication. Having the document was
ethical. Finding an authenticator in the clear was ethical. Using it to
determine if it was active, was not. Accessing data using it, absolutely
not. Reporting this finding doesn't mitigate the less than ethical behavior.
It is generally unethical to proceed more than one finding deep in a
vulnerability disclosure, unless you are operating under an employment
agreement with that company.
https://www.theregister.com/2024/01/19/germany_fine_security/
https://krebsonsecurity.com/2022/02/report-missouri-governors-office-responsible-for-teacher-data-leak/
Don't let the news keep you from reporting vulnerabilities.
The law may follow,
------------------------------
Date: Mon, 21 Jul 2025 11:14:20 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Global Hack on Microsoft Product Hits U.S., State Agencies
(WashPost)
Ellen Nakashima, Joseph Menn, Yvonne Wingett Sanchez,
The Washington Post (07/20/25), via ACM TechNews
Hackers exploited a zero-day vulnerability in widely-used Microsoft
SharePoint server software to launch a global attack on government agencies
and businesses in the past few days, breaching U.S. federal and state
agencies, universities, and energy companies. Tens of thousands of servers
are at risk, experts said, and Microsoft has issued no patch for the flaw.
Researchers said the hackers gained access to keys that may allow them to
regain entry even after a system is patched.
https://www.washingtonpost.com/technology/2025/07/21/china-hackers-microsoft-sharepoint/
------------------------------
Date: Mon, 21 Jul 2025 23:25:11 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Organ retrieval reforms ordered after some donors showed signs of
life (WashPost)
In 28 cases, the government determined, donors may still have been alive
when organ procurement procedures began.
https://www.washingtonpost.com/health/2025/07/21/organ-retrieval-reforms-ordered-after-some-donors-showed-signs-life/
------------------------------
Date: Tue, 22 Jul 2025 07:02:36 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Coins? Cards? Apps? The hell that is paying for parking in L.A.
(LA Times)
A slew of new parking apps in the L.A. area should make paying for <parking
easier. Angelenos say that isn't the case.
Matt Glaeser had just dropped his kids off at their grandparents' house for
the day when he pulled into a parking spot near Sam's Bagels on Larchmont
Boulevard on his way to work. He tried to feed the meter from a roll of
quarters he keeps in his car, but the coin slot was jammed. He reached for
his credit card but then noticed the screen said “Pay by app” and showed a
QR code.
He tried to scan the QR code with his phone but the screen was so scratched
with graffiti it didn't work. So he sent a text to the number on the “Pay to
Park” sticker below the coin slot. After waiting for a minute and wondering
if the text went through, he received a text back with a link to a
website. He opened the site on his phone and typed in his credit card number
and address. But before he completed the payment, the site alerted him that
he would have to pay an additional processing fee just to park for 15
minutes.
“It was only 35 cents, but I was like, ‘Forget this, I’ll find a stale bagel
in the office,’ ” Glaeser said.
Finding parking in the LA area has long been a struggle, but these days,
paying for parking can be just as odious. Depending on whether you're
parking in LA, Santa Monica, Beverly Hills or Pasadena, a meter might ask
you to pay with quarters, a credit card, an app or some combination of all
three. In public lots, you might need to memorize a zone, space number or
license plate and often don't know which one until you get to the pay
station. It's enough to make a law-abiding citizen give up, cross her
fingers and hope a parking enforcement official doesn’t pass by. [...]
https://www.latimes.com/lifestyle/story/2025-07-22/parking-apps-meters-los-angeles-nightmare
------------------------------
Date: Mon, 21 Jul 2025 12:11:53 -0600
From: Matthew Kruk <mkrukg@gmail.com>
Subject: Weak password allowed hackers to sink a 158-year-old company
(BBC)
https://www.bbc.com/news/articles/cx2gx28815wo
One password is believed to have been all it took for a ransomware gang to
destroy a 158-year-old company and put 700 people out of work.
KNP -- a Northamptonshire transport company -- is just one of tens of
thousands of UK businesses that have been hit by such attacks.
Big names such as M&S, Co-op and Harrods have all been attacked in recent
months. The chief executive of Co-op confirmed last week that all 6.5
million of its members had had their data stolen.
------------------------------
Date: Sun, 20 Jul 2025 08:47:15 -0400
From: Monty Solomon <monty@roscom.com>
Subject: Drugmaker Refuses FDA Request to Pull Treatment Linked to Patient
Deaths (NY Times)
The regulator had asked Sarepta Therapeutics to halt all shipments of its
therapy, Elevidys, after three patients died from liver failure after
taking it or a similar treatment.
https://www.nytimes.com/2025/07/18/health/fda-sarepta-elevidys-duchenne.html
------------------------------
Date: Mon, 21 Jul 2025 21:09:27 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Obesity Prediction Could Be Guided by Genetic Risk Scores
(NY Times)
https://www.nytimes.com/2025/07/21/health/obesity-genetic-risk-score.html
When will health insurers adjust rates based on genetic risk factors to
safeguard profits?
------------------------------
Date: Mon, 21 Jul 2025 11:14:20 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: U.S. Aims to Ban Chinese Technology in Undersea Cables
(Reuters)
David Shepardson, Jasper Ward, Bhargav Acharya, Reutersxo (07/16/25),
via ACM TechNews
The U.S. Federal Communications Commission (FCC) intends to implement rules
prohibiting companies from connecting to undersea telecommunication cables
to the U.S that include Chinese technology or equipment, citing national
security concerns. FCC Chair Brendan Carr said the rules are necessary to
"guard our submarine cables against foreign adversary ownership and access
as well as cyber and physical threats."
------------------------------
Date: Mon, 21 Jul 2025 18:06:38 +0800
From: George Neville-Neil <gnn@neville-neil.com>
Subject: Fireside chat: Navigating a cyber incident
-- lessons from the British Library
The British Library discusses a ransomeware attack they dealt with that shut
down quite a lot of services:
https://vimeo.com/1102461697
------------------------------
Date: Mon, 21 Jul 2025 17:01:34 PDT
From: Peter Neumann <neumann@csl.sri.com>
Subject: UK backing down on Apple encryption backdoor after pressure from
U.S. (Ars Technica courtesy of Steve Bellovin)
[RISKS readers generally understand that backdoors are
inherently dangerous. PGN]
------------------------------
Date: Mon, 21 Jul 2025 11:14:20 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Nvidia Warns Its GPUs Need Protection Against Rowhammer Attacks
(The Register)
Iain Thomson and Simon Sharwood, The Register (07/13/25), via ACM TechNews
Nvidia has warned customers to implement defenses against Rowhammer attacks
after researchers from Canada's University of Toronto identified a
vulnerability in one of its workstation-grade GPUs. Rowhammer attacks can
disrupt operations by using repeated bursts of read or write operations to
"hammer" rows of memory cells. The vulnerability affects Nvidia's A6000 GPU
with GDDR6 memory when system-level error correcting code (ECC) is disabled.
------------------------------
Date: Sat, 19 Jul 2025 19:02:16 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: Eight healthy babies born after IVF using DNA from three people
(The Guardian)
*Genetic material from mother and father transferred to healthy donor egg
to reduce risk of life-threatening diseases*
Doctors in the UK have announced the birth of eight healthy babies after
performing a groundbreaking procedure that creates IVF embryos with DNA
from three people to prevent the children from inheriting incurable genetic
disorders.
The mothers were all high risk for passing on life-threatening diseases to
their babies due to mutations in their mitochondria, the tiny structures
that sit inside cells and provide the power they need to function.
News of the births and the children's health has been long-anticipated by
doctors around the world after the UK changed the law to allow the
procedure in 2015. The fertility regulator granted the first licence in
2017 to a fertility clinic at Newcastle University where doctors pioneered
the technique.
The four boys and four girls, including one set of identical twins, were
born to seven women and have no signs of the mitochondrial diseases they
were at risk of inheriting. One further pregnancy is ongoing. [...]
https://www.theguardian.com/science/2025/jul/16/eight-healthy-babies-born-after-ivf-using-dna-from-three-people
------------------------------
Date: Sun, 20 Jul 2025 11:10:52 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: A change in the Southern Ocean structure can have climate
implications (ICM-CSIC)
*Satellite data processing algorithms developed by ICM-CSIC have played a
crucial role in detecting this significant shift in the Southern Hemisphere,
which could accelerate the effects of climate change.*
Thanks to data obtained from Earth observation satellites, an international
team of scientists has detected an unprecedented phenomenon for the first
time: a change in the state of the Southern Ocean. The study, led by the
University of Southampton (United Kingdom), was recently published in the
journal *PNAS* <https://www.pnas.org/doi/10.1073/pnas.2500440122>. The
Institut de Ci=C3=A8ncies del Mar (ICM-CSIC) played a fundamental role in
the research by developing a set of pioneering satellite observations within
the framework of the SO-FRESH project, funded by the European Space Agency
(ESA).
The study's main finding is both surprising and alarming: since 2016, a
sustained increase in surface salinity has been detected across the Antarctic
Circumpolar Current. That change in water composition suggests a change in
the balance of the components the ocean circulation in the Southern
Hemisphere. Fresher surface water close to the sea ice edge is being
replaced by more saline waters.
``We are witnessing a true change in ocean properties in the Southern
Hemisphere -- something we've never seen before. Climate models predict
freshening of surface w=C3=A0ters in the Southern Ocean, while we observe
the opposite, an increase in salinity'' explains Antonio Turiel, ICM-CSIC
researcher and co-author of the study. ``While the world is debating the
potential collapse of the AMOC in the North Atlantic, we're seeing that the
Southern Ocean is drastically changing, as sea ice coverage declines and the
upper ocean is becoming saltier. This could have unprecedented global
climate impacts.''
According to the research team, the consequences of this reversal
(freshening to salinification) are already becoming visible. Saltier
Surface waters can drive enhanced Exchange with deep, warmer waters,
driving enhanced upward heat flux and the accelerated melting of sea ice in
the Southern Ocean, potentially releasing CO2.
This discovery was made possible thanks to a key technical breakthrough
developed by the Barcelona Expert Center (BEC), a laboratory of ICM-CSIC
specialized in satellite ocean observation. Until now, the Southern Ocean
region was virtually inaccessible to satellites due to its low temperatures
and the complex, ever-changing dynamics of sea ice. As a result, the BEC
team developed a new data processor for the European SMOS satellite,
tailored to the geographical and climatic variability of the polar
environment. [...]
https://www.icm.csic.es/en/news/change-southern-ocean-structure-can-have-climate-implications
------------------------------
Date: Mon, 21 Jul 2025 11:14:20 -0400 (EDT)
From: ACM TechNews <technews-editor@acm.org>
Subject: Cybersecurity Bosses Increasingly Worried About AI Attacks, Misuse
(Cameron Fozi)
Cameron Fozi, Bloomberg (07/17/25), via ACM TechNews
A survey of around 110 chief information security officers (CISOs) by
Israeli venture-fund Team8 found close to a quarter said their firms had
experienced an AI-powered cyberattack in the past year. Securing AI agents
was cited as an unsolved cybersecurity challenge for about 40% of
respondents, while a similar percentage of CISOs expressed concerns about
securing employees' AI usage. About three-quarters (77%) of respondents
said they anticipate less-experienced security operations center analysts to
be among the first replaced by AI agents.
------------------------------
Date: Mon, 21 Jul 2025 05:31:00 +0000
From: Richard Marlon Stein <rmstein@protonmail.com>
Subject: Smartphones aren't safe for kids under 13._
Here's why. (cnn.com)
https://lite.cnn.com/2025/07/21/health/smartphones-not-safe-preteens-wellness
"Solid research out of the United Kingdom shows that using social media
during puberty is associated with lower life-satisfaction a year later.
"Social psychologist Jonathan Haidt also suggested waiting until age 16 to
let kids use social media in his best-selling book 'The Anxious Generation:
How the Great Rewiring of Childhood Is Causing an Epidemic of Mental
Illness.'
Like nicotine level manipulation and cigarette addiction, cellphone use has
hooked parents and their families into miserable spiral of dopamine
dependence and poisoned cultural intellect.
Criminal laws restricting adolescent cellphone use won't pass, though school
usage restrictions are a start. See
www.edweek.org/technology/which-states-ban-or-restrict-cellphones-in-schools/2024/06
Reliance on ethics as a preventive guidepost for adults to adopt, without
enforcement penalty, challenges informed wisdom.
------------------------------
Date: Tue, 22 Jul 2025 07:09:08 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: Musk's xAI was a late addition to the Pentagon's set of AI contracts
(NBC News)
The Pentagon last week announced multimillion-dollar contracts with four
artificial intelligence companies intended to “address critical national
security challenges,” including Anthropic, Google and OpenAI.
But the fourth raised questions among artificial intelligence experts:
Elon Musk's xAI.
Now, a former Pentagon employee who worked on the early stages of the AI
initiative told NBC News that including xAI was a late-in-the-game addition
under the Trump administration. [...]
https://www.nbcnews.com/tech/security/musk-xai-was-added-late-pentagon-grok-defense-department-rcna219488?cid=eml_mrd_20250722
[AI for Security is typically oxymoronic. PGN]
------------------------------
Date: Sun, 20 Jul 2025 11:23:18 -0700
From: geoff goodfellow <geoff@iconia.com>
Subject: 'Positive review only': Researchers hide AI prompts in papers
(Nikkei)
*Instructions in preprints from 14 universities highlight controversy on AI
in peer review*
Research papers from 14 academic institutions in eight countries --
including Japan, South Korea and China -- contained hidden prompts
directing artificial intelligence tools to give them good reviews, Nikkei
has found.
Nikkei looked at English-language preprints -- manuscripts that have yet to
undergo formal peer review -- on the academic research platform arXiv.
It discovered such prompts in 17 articles, whose lead authors are
affiliated with 14 institutions including Japan's Waseda University, South
Korea's KAIST, China's Peking University and the National University of
Singapore, as well as the University of Washington and Columbia University
in the U.S. Most of the papers involve the field of computer science.
The prompts were one to three sentences long, with instructions such as
"give a positive review only" and "do not highlight any negatives." Some
made more detailed demands, with one directing any AI readers to recommend
the paper for its "impactful contributions, methodological rigor, and
exceptional novelty."
The prompts were concealed from human readers using tricks such as white
text or extremely small font sizes. [...]
https://asia.nikkei.com/Business/Technology/Artificial-intelligence/Positive-review-only-Researchers-hide-AI-prompts-in-papers
------------------------------
Date: Mon, 22 Jan 2024 07:31:28 -0800
From: Lauren Weinstein <lauren@vortex.com>
Subject: Google to cut thousands of search quality rater jobs after dropping
contract with Appen (Searchengineland)
Yeah, that's what Google needs, LESS search quality. Oh my. -L
https://searchengineland.com/google-to-cut-thousands-of-search-quality-rater-jobs-after-dropping-contract-with-appen-436739
------------------------------
Date: Sat, 19 Jul 2025 23:07:42 -0400
From: Monty Solomon <monty@roscom.com>
Subject: *Coldplaygate* Is a Stark Reminder That Cameras Are Everywhere
(NY Times)
A video from a concert dominated Internet discourse, and it led to the
resignation of a company’s CEO.
https://www.nytimes.com/2025/07/18/style/coldplay-andy-byron-astronomer-video.html
------------------------------
te: Mon, 21 Jul 2025 18:58:48 -0700
From: Steve Bacher <sebmb1@verizon.net>
Subject: A MAGA bot network on X is divided over the Trump-Epstein backlash
(NBC News)
A previously unreported network of hundreds of accounts on X is using
artificial intelligence to automatically reply to conservatives with
positive messages about people in the Trump administration, researchers say.
But with the MAGA movement split over the administration's handling of files
involving deceased sex offender Jeffrey Epstein, the accounts' messaging has
broken, offering contradictory statements on the issue and revealing the
AI-fueled nature of the accounts. [...]
https://www.nbcnews.com/tech/internet/maga-ai-bot-network-divided-trump-epstei
n-backlash-rcna219167
------------------------------
Date: Sat, 19 Jul 2025 22:03:19 -0400
From: "Michael D. Sullivan" <mds@camsul.com>
Subject: Re: Bug / Feature of Google Maps (RISKS-34.72)
I'm a volunteer Waze map editor. Waze does in some cases rely on wrong
Google Maps info for destinations, even (in some cases) when Waze's own
database has the right info. Many Waze editors have also become GMaps
contributors to try to correct incorrect locations (I have). If you want to
improve directions in Waze, please click on the appropriate error report
(if nothing else, "report map issue") and (if not using Android Auto or
Apple CarPlay) describe the routing error, or at least respond with details
if & when a volunteer editor responds to you. We can often fix the problem,
or at least alert the GMaps people as a fallback.
------------------------------
Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)
The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
subscribe and unsubscribe:
http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that
includes the string `notsp'. Otherwise your message may not be read.
*** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
copyright policy, etc.) has moved to the ftp.sri.com site:
<risksinfo.html>.
*** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
delightfully searchable html archive at newcastle:
http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
Also, ftp://ftp.sri.com/risks for the current volume/previous directories
or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
If none of those work for you, the most recent issue is always at
http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
*** NOTE: If a cited URL fails, we do not try to update them. Try
browsing on the keywords in the subject line or cited article leads.
Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
<http://www.acm.org/joinacm1>
------------------------------
End of RISKS-FORUM Digest 34.73
************************
