key - twizzler Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit precedence: bulk Subject: Risks Digest 34.73 RISKS-LIST: Risks-Forum Digest Tuesday 22 July 2025 Volume 34 : Issue 73 ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks) Peter G. Neumann, founder and still moderator ***** See last item for further information, disclaimers, caveats, etc. ***** This issue is archived at as The current issue can also be found at Contents: Alaska Airlines Grounds All Flights for Three Hours Due to IT Outage (The New York Times) Manual workaround of IT system results in $4M damage (Aviation Week) Another security vulnerability, another legal threat (The Register) Global Hack on Microsoft Product Hits U.S., State Agencies (WashPost) Organ retrieval reforms ordered after some donors showed signs of life (WashPost) Coins? Cards? Apps? The hell that is paying for parking in LA (LA Times) Weak password allowed hackers to sink a 158-year-old company (BBC) Drugmaker Refuses FDA Request to Pull Treatment Linked to Patient Deaths (NY Times) Obesity Prediction Could Be Guided by Genetic Risk Scores (NY Times) U.S. Aims to Ban Chinese Technology in Undersea Cables (Reuters) Fireside chat: Navigating a cyber incident -- lessons from the British Library (George Neville-Neil) UK backing down on Apple encryption backdoor after pressure from U.S. (ArsTechnica) Nvidia Warns Its GPUs Need Protection Against Rowhammer Attacks (The Register) Eight healthy babies born after IVF using DNA from three people (The Guardian) A change in the Southern Ocean structure can have climate implications (ICM-CSIC) Cybersecurity Bosses Increasingly Worried About AI Attacks, Misuse (Cameron Fozi) Smartphones aren't safe for kids under 13. Here's why. (cnn.com) Musk's xAI was a late addition to the Pentagon's set of AI contracts (NBC News) 'Positive review only': Researchers hide AI prompts in papers (Nikkei) Google to cut thousands of search quality rater jobs after dropping contract with Appen (Searchengineland) *Coldplaygate* Is a Stark Reminder That Cameras Are Everywhere (NY Times) A MAGA bot network on X is divided over the Trump-Epstein backlash (NBC News) Re: Bug / Feature of Google Maps (Michael D. Sullivan) Abridged info on RISKS (comp.risks) ---------------------------------------------------------------------- Date: Mon, 21 Jul 2025 13:55:59 -0400 From: Gabe Goldberg Subject: Alaska Airlines Grounds All Flights for Three Hours Due to IT Outage (The New York Times) Alaska Airlines said it had ended the ground stop, which lasted about three hours and resulted from a software outage. “Residual impacts” to its operations were likely, it said. https://www.nytimes.com/2025/07/20/business/alaska-airlines-grounds-plane-fleet.html?smid=nytcore-ios-share&referringSource=articleShare Absurdly vague. ------------------------------ Date: Tue, 23 Jan 2024 09:57:44 -0000 From: "Paul Cornish" Subject: Manual workaround of IT system results in $4M damage (Aviation Week) https://aviationweek.com/defense-space/aircraft-propulsion/forgotten-flashli ght-causes-4-million-f-35-engine-damage An F-35 engine worth $14M suffered $4M of damage during maintenance. [Iatro[en]genic!!! PGN] ------------------------------ Date: Wed, 24 Jan 2024 07:48:03 -0500 From: Cliff Kilby Subject: Another security vulnerability, another legal threat (The Register) The Register ran a story about a security researcher who was fined after reporting a security vulnerability. This case sounds a bit like the 2022 Missouri Post-Dispatch investigation, data was accessible, it was sensitive, it was reported, and the researcher was subjected to legal scrutiny. Mindful of the fact I am a non-lawyer, the following are the ethics of the situation, though the law may follow. It's ethical to parse a document format (e.g., view states or binary strings) according to its well-known document format, if you have reason to have it. It is ethical to confirm your finding by reproducing it with a trivial test case (i.e., found one record, searched for another). The key difference in these cases other than jurisdiction is the fact that the data in the German case required authentication. Having the document was ethical. Finding an authenticator in the clear was ethical. Using it to determine if it was active, was not. Accessing data using it, absolutely not. Reporting this finding doesn't mitigate the less than ethical behavior. It is generally unethical to proceed more than one finding deep in a vulnerability disclosure, unless you are operating under an employment agreement with that company. https://www.theregister.com/2024/01/19/germany_fine_security/ https://krebsonsecurity.com/2022/02/report-missouri-governors-office-responsible-for-teacher-data-leak/ Don't let the news keep you from reporting vulnerabilities. The law may follow, ------------------------------ Date: Mon, 21 Jul 2025 11:14:20 -0400 (EDT) From: ACM TechNews Subject: Global Hack on Microsoft Product Hits U.S., State Agencies (WashPost) Ellen Nakashima, Joseph Menn, Yvonne Wingett Sanchez, The Washington Post (07/20/25), via ACM TechNews Hackers exploited a zero-day vulnerability in widely-used Microsoft SharePoint server software to launch a global attack on government agencies and businesses in the past few days, breaching U.S. federal and state agencies, universities, and energy companies. Tens of thousands of servers are at risk, experts said, and Microsoft has issued no patch for the flaw. Researchers said the hackers gained access to keys that may allow them to regain entry even after a system is patched. https://www.washingtonpost.com/technology/2025/07/21/china-hackers-microsoft-sharepoint/ ------------------------------ Date: Mon, 21 Jul 2025 23:25:11 -0400 From: Monty Solomon Subject: Organ retrieval reforms ordered after some donors showed signs of life (WashPost) In 28 cases, the government determined, donors may still have been alive when organ procurement procedures began. https://www.washingtonpost.com/health/2025/07/21/organ-retrieval-reforms-ordered-after-some-donors-showed-signs-life/ ------------------------------ Date: Tue, 22 Jul 2025 07:02:36 -0700 From: Steve Bacher Subject: Coins? Cards? Apps? The hell that is paying for parking in L.A. (LA Times) A slew of new parking apps in the L.A. area should make paying for Subject: Weak password allowed hackers to sink a 158-year-old company (BBC) https://www.bbc.com/news/articles/cx2gx28815wo One password is believed to have been all it took for a ransomware gang to destroy a 158-year-old company and put 700 people out of work. KNP -- a Northamptonshire transport company -- is just one of tens of thousands of UK businesses that have been hit by such attacks. Big names such as M&S, Co-op and Harrods have all been attacked in recent months. The chief executive of Co-op confirmed last week that all 6.5 million of its members had had their data stolen. ------------------------------ Date: Sun, 20 Jul 2025 08:47:15 -0400 From: Monty Solomon Subject: Drugmaker Refuses FDA Request to Pull Treatment Linked to Patient Deaths (NY Times) The regulator had asked Sarepta Therapeutics to halt all shipments of its therapy, Elevidys, after three patients died from liver failure after taking it or a similar treatment. https://www.nytimes.com/2025/07/18/health/fda-sarepta-elevidys-duchenne.html ------------------------------ Date: Mon, 21 Jul 2025 21:09:27 +0000 From: Richard Marlon Stein Subject: Obesity Prediction Could Be Guided by Genetic Risk Scores (NY Times) https://www.nytimes.com/2025/07/21/health/obesity-genetic-risk-score.html When will health insurers adjust rates based on genetic risk factors to safeguard profits? ------------------------------ Date: Mon, 21 Jul 2025 11:14:20 -0400 (EDT) From: ACM TechNews Subject: U.S. Aims to Ban Chinese Technology in Undersea Cables (Reuters) David Shepardson, Jasper Ward, Bhargav Acharya, Reutersxo (07/16/25), via ACM TechNews The U.S. Federal Communications Commission (FCC) intends to implement rules prohibiting companies from connecting to undersea telecommunication cables to the U.S that include Chinese technology or equipment, citing national security concerns. FCC Chair Brendan Carr said the rules are necessary to "guard our submarine cables against foreign adversary ownership and access as well as cyber and physical threats." ------------------------------ Date: Mon, 21 Jul 2025 18:06:38 +0800 From: George Neville-Neil Subject: Fireside chat: Navigating a cyber incident -- lessons from the British Library The British Library discusses a ransomeware attack they dealt with that shut down quite a lot of services: https://vimeo.com/1102461697 ------------------------------ Date: Mon, 21 Jul 2025 17:01:34 PDT From: Peter Neumann Subject: UK backing down on Apple encryption backdoor after pressure from U.S. (Ars Technica courtesy of Steve Bellovin) [RISKS readers generally understand that backdoors are inherently dangerous. PGN] ------------------------------ Date: Mon, 21 Jul 2025 11:14:20 -0400 (EDT) From: ACM TechNews Subject: Nvidia Warns Its GPUs Need Protection Against Rowhammer Attacks (The Register) Iain Thomson and Simon Sharwood, The Register (07/13/25), via ACM TechNews Nvidia has warned customers to implement defenses against Rowhammer attacks after researchers from Canada's University of Toronto identified a vulnerability in one of its workstation-grade GPUs. Rowhammer attacks can disrupt operations by using repeated bursts of read or write operations to "hammer" rows of memory cells. The vulnerability affects Nvidia's A6000 GPU with GDDR6 memory when system-level error correcting code (ECC) is disabled. ------------------------------ Date: Sat, 19 Jul 2025 19:02:16 -0700 From: geoff goodfellow Subject: Eight healthy babies born after IVF using DNA from three people (The Guardian) *Genetic material from mother and father transferred to healthy donor egg to reduce risk of life-threatening diseases* Doctors in the UK have announced the birth of eight healthy babies after performing a groundbreaking procedure that creates IVF embryos with DNA from three people to prevent the children from inheriting incurable genetic disorders. The mothers were all high risk for passing on life-threatening diseases to their babies due to mutations in their mitochondria, the tiny structures that sit inside cells and provide the power they need to function. News of the births and the children's health has been long-anticipated by doctors around the world after the UK changed the law to allow the procedure in 2015. The fertility regulator granted the first licence in 2017 to a fertility clinic at Newcastle University where doctors pioneered the technique. The four boys and four girls, including one set of identical twins, were born to seven women and have no signs of the mitochondrial diseases they were at risk of inheriting. One further pregnancy is ongoing. [...] https://www.theguardian.com/science/2025/jul/16/eight-healthy-babies-born-after-ivf-using-dna-from-three-people ------------------------------ Date: Sun, 20 Jul 2025 11:10:52 -0700 From: geoff goodfellow Subject: A change in the Southern Ocean structure can have climate implications (ICM-CSIC) *Satellite data processing algorithms developed by ICM-CSIC have played a crucial role in detecting this significant shift in the Southern Hemisphere, which could accelerate the effects of climate change.* Thanks to data obtained from Earth observation satellites, an international team of scientists has detected an unprecedented phenomenon for the first time: a change in the state of the Southern Ocean. The study, led by the University of Southampton (United Kingdom), was recently published in the journal *PNAS* . The Institut de Ci=C3=A8ncies del Mar (ICM-CSIC) played a fundamental role in the research by developing a set of pioneering satellite observations within the framework of the SO-FRESH project, funded by the European Space Agency (ESA). The study's main finding is both surprising and alarming: since 2016, a sustained increase in surface salinity has been detected across the Antarctic Circumpolar Current. That change in water composition suggests a change in the balance of the components the ocean circulation in the Southern Hemisphere. Fresher surface water close to the sea ice edge is being replaced by more saline waters. ``We are witnessing a true change in ocean properties in the Southern Hemisphere -- something we've never seen before. Climate models predict freshening of surface w=C3=A0ters in the Southern Ocean, while we observe the opposite, an increase in salinity'' explains Antonio Turiel, ICM-CSIC researcher and co-author of the study. ``While the world is debating the potential collapse of the AMOC in the North Atlantic, we're seeing that the Southern Ocean is drastically changing, as sea ice coverage declines and the upper ocean is becoming saltier. This could have unprecedented global climate impacts.'' According to the research team, the consequences of this reversal (freshening to salinification) are already becoming visible. Saltier Surface waters can drive enhanced Exchange with deep, warmer waters, driving enhanced upward heat flux and the accelerated melting of sea ice in the Southern Ocean, potentially releasing CO2. This discovery was made possible thanks to a key technical breakthrough developed by the Barcelona Expert Center (BEC), a laboratory of ICM-CSIC specialized in satellite ocean observation. Until now, the Southern Ocean region was virtually inaccessible to satellites due to its low temperatures and the complex, ever-changing dynamics of sea ice. As a result, the BEC team developed a new data processor for the European SMOS satellite, tailored to the geographical and climatic variability of the polar environment. [...] https://www.icm.csic.es/en/news/change-southern-ocean-structure-can-have-climate-implications ------------------------------ Date: Mon, 21 Jul 2025 11:14:20 -0400 (EDT) From: ACM TechNews Subject: Cybersecurity Bosses Increasingly Worried About AI Attacks, Misuse (Cameron Fozi) Cameron Fozi, Bloomberg (07/17/25), via ACM TechNews A survey of around 110 chief information security officers (CISOs) by Israeli venture-fund Team8 found close to a quarter said their firms had experienced an AI-powered cyberattack in the past year. Securing AI agents was cited as an unsolved cybersecurity challenge for about 40% of respondents, while a similar percentage of CISOs expressed concerns about securing employees' AI usage. About three-quarters (77%) of respondents said they anticipate less-experienced security operations center analysts to be among the first replaced by AI agents. ------------------------------ Date: Mon, 21 Jul 2025 05:31:00 +0000 From: Richard Marlon Stein Subject: Smartphones aren't safe for kids under 13._ Here's why. (cnn.com) https://lite.cnn.com/2025/07/21/health/smartphones-not-safe-preteens-wellness "Solid research out of the United Kingdom shows that using social media during puberty is associated with lower life-satisfaction a year later. "Social psychologist Jonathan Haidt also suggested waiting until age 16 to let kids use social media in his best-selling book 'The Anxious Generation: How the Great Rewiring of Childhood Is Causing an Epidemic of Mental Illness.' Like nicotine level manipulation and cigarette addiction, cellphone use has hooked parents and their families into miserable spiral of dopamine dependence and poisoned cultural intellect. Criminal laws restricting adolescent cellphone use won't pass, though school usage restrictions are a start. See www.edweek.org/technology/which-states-ban-or-restrict-cellphones-in-schools/2024/06 Reliance on ethics as a preventive guidepost for adults to adopt, without enforcement penalty, challenges informed wisdom. ------------------------------ Date: Tue, 22 Jul 2025 07:09:08 -0700 From: Steve Bacher Subject: Musk's xAI was a late addition to the Pentagon's set of AI contracts (NBC News) The Pentagon last week announced multimillion-dollar contracts with four artificial intelligence companies intended to “address critical national security challenges,” including Anthropic, Google and OpenAI. But the fourth raised questions among artificial intelligence experts: Elon Musk's xAI. Now, a former Pentagon employee who worked on the early stages of the AI initiative told NBC News that including xAI was a late-in-the-game addition under the Trump administration. [...] https://www.nbcnews.com/tech/security/musk-xai-was-added-late-pentagon-grok-defense-department-rcna219488?cid=eml_mrd_20250722 [AI for Security is typically oxymoronic. PGN] ------------------------------ Date: Sun, 20 Jul 2025 11:23:18 -0700 From: geoff goodfellow Subject: 'Positive review only': Researchers hide AI prompts in papers (Nikkei) *Instructions in preprints from 14 universities highlight controversy on AI in peer review* Research papers from 14 academic institutions in eight countries -- including Japan, South Korea and China -- contained hidden prompts directing artificial intelligence tools to give them good reviews, Nikkei has found. Nikkei looked at English-language preprints -- manuscripts that have yet to undergo formal peer review -- on the academic research platform arXiv. It discovered such prompts in 17 articles, whose lead authors are affiliated with 14 institutions including Japan's Waseda University, South Korea's KAIST, China's Peking University and the National University of Singapore, as well as the University of Washington and Columbia University in the U.S. Most of the papers involve the field of computer science. The prompts were one to three sentences long, with instructions such as "give a positive review only" and "do not highlight any negatives." Some made more detailed demands, with one directing any AI readers to recommend the paper for its "impactful contributions, methodological rigor, and exceptional novelty." The prompts were concealed from human readers using tricks such as white text or extremely small font sizes. [...] https://asia.nikkei.com/Business/Technology/Artificial-intelligence/Positive-review-only-Researchers-hide-AI-prompts-in-papers ------------------------------ Date: Mon, 22 Jan 2024 07:31:28 -0800 From: Lauren Weinstein Subject: Google to cut thousands of search quality rater jobs after dropping contract with Appen (Searchengineland) Yeah, that's what Google needs, LESS search quality. Oh my. -L https://searchengineland.com/google-to-cut-thousands-of-search-quality-rater-jobs-after-dropping-contract-with-appen-436739 ------------------------------ Date: Sat, 19 Jul 2025 23:07:42 -0400 From: Monty Solomon Subject: *Coldplaygate* Is a Stark Reminder That Cameras Are Everywhere (NY Times) A video from a concert dominated Internet discourse, and it led to the resignation of a company’s CEO. https://www.nytimes.com/2025/07/18/style/coldplay-andy-byron-astronomer-video.html ------------------------------ te: Mon, 21 Jul 2025 18:58:48 -0700 From: Steve Bacher Subject: A MAGA bot network on X is divided over the Trump-Epstein backlash (NBC News) A previously unreported network of hundreds of accounts on X is using artificial intelligence to automatically reply to conservatives with positive messages about people in the Trump administration, researchers say. But with the MAGA movement split over the administration's handling of files involving deceased sex offender Jeffrey Epstein, the accounts' messaging has broken, offering contradictory statements on the issue and revealing the AI-fueled nature of the accounts. [...] https://www.nbcnews.com/tech/internet/maga-ai-bot-network-divided-trump-epstei n-backlash-rcna219167 ------------------------------ Date: Sat, 19 Jul 2025 22:03:19 -0400 From: "Michael D. Sullivan" Subject: Re: Bug / Feature of Google Maps (RISKS-34.72) I'm a volunteer Waze map editor. Waze does in some cases rely on wrong Google Maps info for destinations, even (in some cases) when Waze's own database has the right info. Many Waze editors have also become GMaps contributors to try to correct incorrect locations (I have). If you want to improve directions in Waze, please click on the appropriate error report (if nothing else, "report map issue") and (if not using Android Auto or Apple CarPlay) describe the routing error, or at least respond with details if & when a volunteer editor responds to you. We can often fix the problem, or at least alert the GMaps people as a fallback. ------------------------------ Date: Sat, 28 Oct 2023 11:11:11 -0800 From: RISKS-request@csl.sri.com Subject: Abridged info on RISKS (comp.risks) The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011. => SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe: http://mls.csl.sri.com/mailman/listinfo/risks => SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read. *** This attention-string has never changed, but might if spammers use it. => SPAM challenge-responses will not be honored. Instead, use an alternative address from which you never send mail where the address becomes public! => The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: . *** Contributors are assumed to have read the full info file for guidelines! => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's delightfully searchable html archive at newcastle: http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. Also, ftp://ftp.sri.com/risks for the current volume/previous directories or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume If none of those work for you, the most recent issue is always at http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs. ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: ------------------------------ End of RISKS-FORUM Digest 34.73 ************************ .