
Risks Digest 34.53
From: RISKS List Owner <risko () csl sri com>
Date: Sun, 26 Jan 2025 20:44:32 PST
RISKS-LIST: Risks-Forum Digest Sunday 26 Jan 2025 Volume 34 : Issue 53

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
<http://catless.ncl.ac.uk/Risks/34.53>
The current issue can also be found at
<http://www.csl.sri.com/users/risko/risks.txt>

Contents:
Fraud Has Delayed a Cure for Alzheimer's (Charles Piller)
Strengthening and Promoting Innovation in the Nation's Cybersecurity (Uncle Sam)
White House Disbands Cyber Safety Review Board (John Leyden)
Executive Order Calls for AI 'Free from Ideological Bias' (AP)
The Trump Memecoin's Money-Grab's Economics (WiReD)
New AI tool counters health insurance denials decided by automated algorithms (U.S. healthcare in The Guardian)
Will we control AI, or will it control us? Top researchers weigh in? (CBC)
The Pentagon says AI is speeding up its 'kill chain' (TechCrunch)
Arrested by AI: Police ignore standards after facial recognition matches (WashPost)
CIA's Chatbot Stands In for World Leaders (NY Times)
Microsoft research finds Microsoft AI products may never be secure (Pivot to AI)
The impeccable logic of Sam Altman (Gary Marcus)
AI in medicine (Jim Geissman)
Signature moves: are we losing the ability to write by hand? (The Guardian)
How a Troubled Icebreaker Became America's Newest Military Vessel (ProPublica)
MasterCard DNS Error Went Unnoticed for Years (Krebs on Security)
Research Uncovers Major Vulnerability in Wireless Networking Technology (Cesareo Contreras)
Los Angeles County's evacuation alert system broke down during fires. It's part of a larger problem (LA Times)
After safety alert glitches, county overhauls system (LA Times)
Fake radiation reports... (Kim Zetter via danny burstein)
Traffic jams? Study reveals ants' secrets to smooth traffic flow (PHYS.ORG)
Man Loses Bid to Recover Hard Drive Containing Bitcoin Key (ArsTechnica)
UK Judge Ends One Man's 11-Year Quest to Recover $765 Million in Bitcoin by Digging Up a Landfill (WiReD)
Rsync CVE-2024-12084 (Debian)
AHHHHHH TPM2 BROKE LUKS!!! (Cliff Kilby)
Re: A non-tech analogy for Google Search AI Overviews (Steve Bacher)
Re: LA Sheriff outage (Steve Bacher)
Re: Eutelsat resolves OneWeb leap-year software glitch after two-day outage (Steve Bacher)
Re: Tech allows Big Auto to evolve into Big Brother (Martin Ward)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 26 Jan 2025 11:47:00 PST
From: Peter Neumann <neumann () csl sri com>
Subject: Fraud Has Delayed a Cure for Alzheimer's (Charles Piller)

Charles Piller, *The New York Times*, Sunday Opinion, 26 Jan 2025

Research into a disease that affects millions of Americans has been rife
with deception.

If the institutional authorities fail to act, skeptics of science itself,
most likely including those inside the Trump administration, surely will.
Almost certainly, an ensuing overkill would describe ambiguity or innocent
human error as fraud and eschew the thoughtful respect and due process
needed to preserve what remains vital and true in neuroscience. That would
enforce a new calamity on everyone who wants to grow old.

  [This appears to be an ideal opportunity for radically rethinking what
  might be possible. Alzheimer's would be a wonderful target to jump-start
  that quest. I would add that evidence-based neuroscience is desperately
  needed to surmount the overuse of generic chemotherapy for cancer, when
  research in this country and elsewhere is showing an extraordinary
  potential for genetically oriented approaches for treatment and perhaps
  even prevention of cancer and other neurologically linked problems.
  PGN]

------------------------------

Date: Mon, 20 Jan 2025 06:20:30 +0000
From: Richard Marlon Stein <rmstein () protonmail com>
Subject: Strengthening and Promoting Innovation in the Nation's Cybersecurity (Uncle Sam)

https://www.federalregister.gov/documents/2025/01/17/2025-01470/strengthening-and-promoting-innovation-in-the-nations-cybersecurity

For a coffee cup version of this comprehensive executive order, see:
https://www.whitehouse.gov/briefing-room/statements-releases/2025/01/15/fact-sheet-new-executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/

With the PRC's Salt Typhoon, and numerous other state and rogue hackers,
infiltration and subsequent exfiltration of sensitive information from US
government infrastructure -- for the Nth time, the outgoing Biden
Administration threw the gauntlet at the technology industrial complex's
cosmetically voluntary and wholly ineffective effort to harden cybersecurity
practices.

In a nutshell, the U.S. government won't buy off-the-shelf software stacks
or services unless the manufacturer/supplier demonstrates irrefutable proof
-- attestation -- of Federal cybersecurity regulatory compliance. "Just
trust us" won't fly any longer. "Trust but verify" lives, with a vengeance
via procurement regulations on steroids.

The EO regulations require in-house adoption and audit of NIST 800-53 and
other 'modest' process disciplines before foisting the next software toxic
waste dump into the government's supply chain.

  [US$5 says the EO is repealed by the incoming administration -- too
  expensive for business to comply.]

  [Also noted by Gabe Goldberg:
  https://www.wired.com/story/the-fccs-jessica-rosenworcel-isnt-leaving-without-a-fight/
  PGN]

------------------------------

Date: Fri, 24 Jan 2025 11:12:51 -0500 (EST)
From: ACM TechNews <technews-editor () acm org>
Subject: White House Disbands Cyber Safety Review Board (John Leyden)

John Leyden, CSO, 22 Jan 2025

The Trump administration has dismissed all members of the Cyber Safety
Review Board (CSRB), including those investigating the China-linked
hacking group Salt Typhoon. The CSRB was established through an
executive order by the previous administration and tasked with
reviewing major cyber-incidents affecting the U.S. government.

------------------------------

Date: Fri, 24 Jan 2025 11:12:51 -0500 (EST)
From: ACM TechNews <technews-editor () acm org>
Subject: Executive Order Calls for AI 'Free from Ideological Bias' (CNVC)

Matt O'Brien and Sarah Parvini, Associated Press, 23 Jan 2025

President Trump on Thursday signed an executive order revoking past
government policies on AI that "act as barriers to American AI
innovation." To maintain global leadership, "We must develop AI
systems that are free from ideological bias or engineered social
agendas," the order states. While the order does not specify which
policies are hindering AI development, it calls for a review of "all
policies, directives, regulations, orders, and other actions taken" as
a result of the former administration's AI executive order.

------------------------------

Date: Wed, 22 Jan 2025 02:37:23 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: The Trump Memecoin's Money-Grab's Economics (WiReD)

When he launched his own cryptocurrency, Donald Trump produced unimaginable
wealth from thin air. But it will come at a cost to someone.

Late Friday evening, three days before his return to the Oval Office, Donald
Trump performed an act of crypto alchemy. Pretty much all it took was a few
strokes of the keyboard. “My NEW Official Trump Meme is HERE!” the incoming
U.S.
president wrote in a Truth Social post. “It’s time to celebrate
everything we stand for: WINNING!”

The post marked the launch of Trump’s very own memecoin—a type of joke
cryptocurrency that typically has no purpose beyond financial speculation,
whose value tends to whipsaw dramatically with changes in public sentiment.
The price of the TRUMP memecoin began to hare upwards almost immediately,
despite speculation that Trump’s account had been hacked. By the following
day, the coins released into circulation -- 20 percent of the total supply
-- were valued at $14 billion.

https://www.wired.com/story/the-trump-memecoins-money-grab-economics/

  [Matthew Kruk had this comment on Trump launches cryptocurrency with
  price rocketing:
  https://www.bbc.com/news/articles/c9vmym2jvy9o
  "It included a disclaimer noting the coin is "not intended to be, or the
  subject of" an investment opportunity or a security and was "not
  political and has nothing to do with" any political campaign, political
  office or government agency."
  Translation: Scam [?] PGN]

------------------------------

Date: Sat, 25 Jan 2025 11:53:04 -0800
From: Jim Geissman <jgeissman () socal rr com>
Subject: New AI tool counters health insurance denials decided by automated algorithms (U.S. healthcare, The Guardian)

Some patients and companies have developed AI tools to appeal denials in a
battle of the bots
<https://www.hfma.org/revenue-cycle/denials-management/health-systems-start-to-fight-back-against-ai-powered-robots-driving-denial-rates-higher/>

Companies have launched new generative AI tools to help hospitals
<https://www.cnbc.com/2025/01/13/health-waystar-generative-ai-new-tool-will-help-fight-health-insurance-denials.html>
and patients <https://www.getclaimable.com/> draft appeal letters, while one
open-source large language model developed by an engineer promises to help
patients Fight Health Insurance. <https://fighthealthinsurance.com/>

https://www.theguardian.com/us-news/2025/jan/25/health-insurers-ai

  [Having sent that, let me qualify it, so it doesn't sound like the AI did
  all the medicine.]

------------------------------

Date: Sat, 11 Jan 2025 12:56:32 -0700
From: Matthew Kruk <mkrukg () gmail com>
Subject: Will we control AI, or will it control us? Top researchers weigh in? (CBC)

https://www.cbc.ca/news/science/artificial-intelligence-predictions-1.7427024

Imagine this: you're gently awoken by the dulcet tones of your personal
assistant just as you're nearing the end of your final sleep cycle.

A disembodied voice informs you of the emails you missed overnight and how
they were responded to in your absence. The same voice lets you know rain
is expected this morning and recommends you don your trenchcoat
before leaving the house. As your car drives you to the office, your
wristwatch announces that lunch from your local steak house has been
preordered for delivery since your iron levels have been a little low
lately.

Having all your needs anticipated and met before you've even had the chance
to realize them yourself is one of the potentials of advanced artificial
intelligence. Some of Canada's top AI researchers believe it could create a
utopia for humankind -- if AI doesn't eradicate our species first.

------------------------------

Date: Tue, 21 Jan 2025 06:21:54 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: The Pentagon says AI is speeding up its 'kill chain' (TechCrunch)

Leading AI developers, such as OpenAI and Anthropic, are threading a
delicate needle to sell software to the United States military: make the
Pentagon more efficient, without letting their AI kill people.

https://techcrunch.com/2025/01/19/the-pentagon-says-ai-is-speeding-up-its-kill-chain

------------------------------

Date: Tue, 14 Jan 2025 08:13:18 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: Arrested by AI: Police ignore standards after facial recognition matches (WashPost)

After two men brutally assaulted a security guard on a desolate train
platform on the outskirts of St. Louis, county transit police detective
Matthew Shute struggled to identify the culprits. He studied grainy
surveillance videos, canvassed homeless shelters and repeatedly called the
victim of the attack, who said he remembered almost nothing because of a
brain injury from the beating.

Months later, they tried one more option.

Shute uploaded a still image from the blurry video of the incident to a
facial recognition program, which uses artificial intelligence to scour the
mug shots of hundreds of thousands of people arrested in the St. Louis
area. Despite the poor quality of the image, the software spat out the
names and photos of several people deemed to resemble one of the attackers,
whose face was hooded by a winter coat and partially obscured by a surgical
mask.

Though the city's facial recognition policy warns officers that the
results of the technology are nonscientific and should not be used as the
sole basis for any decision, Shute proceeded to build a case against one of
the AI-generated results: Christopher Gatlin, a 29-year-old father of four
who had no apparent ties to the crime scene nor a history of violent
offenses, as Shute would later acknowledge. [...]

https://www.msn.com/en-us/news/us/arrested-by-ai-police-ignore-standards-after-facial-recognition-matches/ar-BB1rnOai

------------------------------

Date: Sun, 19 Jan 2025 09:13:57 -0500
From: Jan Wolitzky <jan.wolitzky () gmail com>
Subject: CIA's Chatbot Stands In for World Leaders (NY Times)

Understanding leaders around the world is one of the CIA's most important
jobs. Teams of analysts comb through intelligence collected by spies and
publicly available information to create profiles of leaders that can
predict behaviors.

A chatbot powered by artificial intelligence now helps do that work.

Over the last two years, the Central Intelligence Agency has developed a
tool that allows analysts to talk to virtual versions of foreign presidents
and prime ministers, who answer back.

<https://www.nytimes.com/2025/01/18/us/politics/cia-chatbot-technology.html>

  [That is really speCIAl. PGN]

------------------------------

Date: Fri, 17 Jan 2025 13:45:01 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: Microsoft research finds Microsoft AI products may never be secure (Pivot to AI)

Microsoft CEO Satya Nadella is going all-in on AI. Earlier this week, he
announced that the company’s developer division (which makes developer tools
and compilers) has been folded into a new unit called CoreAI.
“Thirty years of change is being compressed into three years!” [Microsoft]

Unfortunately, generative confabulation machines remain difficult to secure
against data leaks. Microsoft already has problems with Copilot Studio
leaking enterprise data and Recall storing sensitive data.

Is there hope? Twenty-six Microsoft AI Red Team researchers tested more than
100 Microsoft AI products. Their verdict? Probably not. [arXiv; Register]

In their paper “Lessons from red-teaming 100 generative AI products,” the
authors conclude that simple attacks work best — you don’t need to break out
the computer science:

https://pivot-to-ai.com/2025/01/17/microsoft-research-finds-microsoft-ai-products-may-never-be-secure/

  [Last Pivot-to-AI I'll forward -- worth subscribing/supporting.]

------------------------------

Date: Sat, 11 Jan 2025 20:08:39 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: The impeccable logic of Sam Altman (Gary Marcus)

[Sam Altman] can simultaneously think that these risks are real and also
believe that the only way to appropriately address them is to ship product
and learn.

https://garymarcus.substack.com/p/the-impeccable-logic-of-sam-altman

Works for Boeing, why not.

------------------------------

Date: Tue, 21 Jan 2025 18:57:20 -0800
From: "Jim" <jgeissman () socal rr com>
Subject: AI in medicine (Jim Geissman)

I just had my annual physical. My doc has long been a user of technology,
starting long ago to dictate his notes to voice-to-text. I mentioned that
when he started doing that, he would usually spend more time correcting his
notes than dictating them, but now he's not doing it at all. He said he has
AI in his phone that is listening to the whole conversation and will make
the notes. At one point I heard him tell his phone "load the annual physical
macro". JRG

------------------------------

Date: Fri, 24 Jan 2025 07:07:04 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: Signature moves: are we losing the ability to write by hand? (The Guardian)

We are far more likely to use our hands to type or swipe than pick up a
pen. But in the process we are in danger of losing cognitive skills, sensory
experience -- and a connection to history.

https://www.theguardian.com/news/2025/jan/21/signature-moves-are-we-losing-the-ability-to-write-by-hand

  [I suppose we could learn to sign our ``John Footcock'' instead of our
  hand-written ``John Hancock''. But grammar schools are not teaching script
  writing any more, so fewer people know how to write. Have they stopped
  teaching grammar yet? If so, we won't need grammar schools any more. PGN]

------------------------------

Date: Sat, 25 Jan 2025 15:55:57 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: How a Troubled Icebreaker Became America's Newest Military Vessel (ProPublica)

This Icebreaker Has Design Problems and a History of Failure. It’s America’s
Latest Military Vessel.

Reporting Highlights

Troubled History: The icebreaker Aiviq was built for oil work in the Arctic
but has design issues. Its maiden voyage to Alaska ended in a rescue at sea
and a Coast Guard investigation.

Influential Donor: The Aiviq’s Louisiana builder has made more than $7
million in political contributions since 2012. For much of that time, Edison
Chouest sought to sell or lease the ship.

Wider Problem: The Coast Guard’s $125 million purchase of the Aiviq, made
under congressional pressure, follows the service’s failure to get its
preferred, $1 billion model built.

https://www.propublica.org/article/aiviq-icebreaker-military-coast-guard

------------------------------

Date: Fri, 24 Jan 2025 06:49:42 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: MasterCard DNS Error Went Unnoticed for Years (Krebs on Security)

The payment card giant MasterCard just fixed a glaring error in its domain
name server settings that could have allowed anyone to intercept or divert
Internet traffic for the company by registering an unused domain name. The
misconfiguration persisted for nearly five years until a security researcher
spent $300 to register the domain and prevent it from being grabbed by
cybercriminals.

https://krebsonsecurity.com/2025/01/mastercard-dns-error-went-unnoticed-for-years/

------------------------------

Date: Mon, 13 Jan 2025 12:06:51 -0500 (EST)
From: ACM TechNews <technews-editor () acm org>
Subject: Research Uncovers Major Vulnerability in Wireless Networking Technology (Cesareo Contreras)

Cesareo Contreras, Northeastern Global News (01/09/25)

A security flaw in the MU-MIMO (multi-user, multiple input, multiple output)
setup procedure could allow threat actors to deploy malicious information on
a Wi-Fi network to dramatically slow Internet speeds, according to
Northeastern University researchers. MU-MIMO is a key component of Wi-Fi
networks, and Northeastern's Francesco Restuccia said the Wi-Fi standard may
need to be updated to address the vulnerability.

------------------------------

Date: Fri, 24 Jan 2025 18:49:15 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: Los Angeles County's evacuation alert system broke down during fires. It's part of a larger problem (LA Times)

Despite upgrades to wireless alerts system, emergency warnings were often
ineffective when most needed during the Los Angeles wildfires. Some were
sent to too many people, some to too few.

https://www.latimes.com/california/story/2025-01-24/california-wildfires-evacuation-alerts-mistakes

------------------------------

Date: Sun, 12 Jan 2025 10:51:26 -0800
From: "Jim" <jgeissman () socal rr com>
Subject: After safety alert glitches, county overhauls system (LA Times)

After faulty notifications during the fire emergency alert system in favor
of the State's.

http://enewspaper.latimes.com/infinity/article_share.aspx?guid=b4dbf504-a5c6-4f92-8101-1ad41d61e6ec

------------------------------

Date: Wed, 8 Jan 2025 23:02:01 +0000 ()
From: danny burstein <dannyb () panix com>
Subject: Fake radiation reports... (Kim Zetter)

https://www.zetter-zeroday.com/anatomy-of-a-nuclear-scare/

------------------------------

Date: Mon, 20 Jan 2025 05:52:46 +0000
From: Richard Marlon Stein <rmstein () protonmail com>
Subject: Traffic jams? Study reveals ants' secrets to smooth traffic flow (PHYS.ORG)

https://phys.org/news/2025-01-traffic-reveals-ants-secrets-smooth.html

"Ants follow pheromone trails marked by a leader ant, and move in platoons
with small gaps and no overtaking," notes Guerrieri.

"This strategy could make human mobility more efficient. Guerrieri says, 'In
the future, traffic systems for autonomous vehicles (CAVs) could be inspired
by ant behavior. Just like insects communicate through pheromones, on smart
roads, Connected and Automated Vehicles (CAV) could use advanced
communication technologies to communicate with each other and with the road
infrastructure management. In this way, they could form coordinated
platoons, moving at high speeds with close spacing across parallel
lanes. This approach could enhance traffic efficiency, improve levels of
service, and reduce gas emissions.'"

Ant that CAV right? No, that CAV ant left.

  [It's really an ANT-iclimax. But tell it to the German driver going way
  over 200-km/hr on the Autobahn. PGN]

------------------------------

Date: Sun, 12 Jan 2025 16:54:16 -0500
From: Charles Dunlop <cdunlop () umich edu>
Subject: Man Loses Bid to Recover Hard Drive Containing Bitcoin Key (ArsTechnica)

In 2013 a hard drive belonging to a Wales man was mistakenly discarded,
ending up in a landfill. The drive allegedly contained a key to his
bitcoins now worth $765 million.
The owner has been trying to get
permission to excavate the landfill in an attempt to recover the drive, but
a judge has just issued a final ruling against him.

https://arstechnica.com/tech-policy/2025/01/judge-ends-mans-11-year-quest-to-dig-up-landfill-and-recover-765m-in-bitcoin/

------------------------------

Date: Wed, 15 Jan 2025 02:08:43 -0500
From: Gabe Goldberg <gabe () gabegold com>
Subject: UK Judge Ends One Man's 11-Year Quest to Recover $765 Million in Bitcoin by Digging Up a Landfill (WiReD)

A UK judge ruled against James Howells, who has been trying to get a hard
drive with private keys to a cryptocurrency fortune out of a landfill for
over a decade.

In his drawers he found two hard drives: one was the Hard Drive, and the
other was a blank hard drive that contained no data. He meant to throw out
the blank hard drive, but instead he mistakenly picked up the Hard Drive and
put it into one of the black bin-liners. He then left the two bin bags
downstairs in his house and asked his partner at the time to take them to
the landfill at the Site the following day after completing the school
run. However, she said that she did not want to take the black bin bags to
the Site and refused to do so. The claimant was not overly concerned at her
refusal, because he decided that on the following morning he would check to
make sure that he had put the correct hard drive in the bin bags. However,
when he awoke at 9 o'clock the following morning he found that his partner
had had a change of heart and had already taken the bin bags to the Site and
manually deposited them into the general waste bins at the Site.

https://www.wired.com/story/bitcoin-landfill-excavation-james-howells-judge-ruling

------------------------------

Date: Wed, 15 Jan 2025 13:13:07 +0000
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: Rsync CVE-2024-12084 (Debian)

As has become the trend in the industry, the vulnerability reports have
summaries that ignore the fact that several vendors maintain backports.

https://kb.cert.org/vuls/id/952657 claims the vulnerabilities are in 3.3.0
and below.

https://thehackernews.com/2025/01/google-cloud-researchers-uncover-flaws.html
maintains that it was fixed in 3.4.0

https://lists.debian.org/debian-security-announce/2025/msg00004.html
Debian patched it in 3.2.7-1.

If you're auditing vulnerabilities, make sure you check your vendor's
security patch notes before trying to force an upgrade beyond the vendor's
version.

------------------------------

Date: Fri, 17 Jan 2025 18:04:20 +0000
From: Cliff Kilby <cliffjkilby () gmail com>
Subject: AHHHHHH TPM2 BROKE LUKS!!!

Calm down, calm down.

Yes. It is a real problem.
https://www.jedi-sec.com/2025/01/17/bypassing-disk-encryption-on-systems-with-automatic-tpm2unlock/

Even if you are selecting all the right PCRs, TPM2 has no idea if the disk
was swapped.

Most tutorials for auto unlock also fail to include all the PCRs because of
a tradeoff for convenience. So if you aren't already using at least PCRs
0-5,7,8,9,14, your machine was vulnerable to other attacks.

MORE:

Given the first article for TPM auto unlock of LUKS for a Debian derivative
referenced dracut, and there has been no indication of an existing solution
for people who are running non-UEFI kernels, I decided to fix this myself
today.

dracut has a pcr-measure module: systemd-pcrphase. There is a lot of
discussion about this, as it was apparently modified and renamed upstream,
so I discounted it as a solution.

Having a non-unified, secure booting OS, that doesn't measure the LUKS
header already from a previous attempt to learn secure boot, I started from
there.

My baseline install was based on
https://blog.fernvenue.com/archives/debian-with-luks-and-tpm-auto-decryption/

My PCRs were *not* 0+7, because leaving PCR8 out would allow anyone to
reboot to init=/bin/bash.

My initial PCRs after rebooting twice, and checking what was being
measured: 0+1+2+3+4+5+7+8+9+14

I admittedly misunderstood PCR5 to include the LUKS headers. I was wrong
about that, as my previous post indicated.

I was also under the assumption that PCR9 would have changed if the kernel
it was booted to changed. This hasn't been confirmed, so I presume it does
not, or is spoofable.

Given I am now in the state of being impacted, and need to address it in a
better way than removing TPM2 unlocking, or replacing the LUKS passphrase
with a TPM2 pin: What to do?

Dracut uses a modular system with built-in hooks that allows it to be
extensible to do things like find and then unlock a LUKS volume without
prompting for a passphrase.

The hooks system has a pre-mount hook, but pre-mount is too late for LUKS,
as the LVM container inside the LUKS volume has already attempted to mount
by this hook. The pre-trigger hook is too early, as the udev rules haven't
run and the LUKS block device is non-existent. Investigating the dracut
crypt module provides no easy hook to intercept, as it is implemented as a
udev rule target. The udev rule in crypt is 70. I need to get into dracut
in udev, before 70. Checking the other modules loaded in this environment,
69 is free, so that's my target.

Using the crypto module from dracut as a template, I create a module-setup,
a parser, and a udev target. The udev target takes the same arguments the
crypto module does: /dev/device luks-label.

Now what to measure? Checking the output of cryptsetup, which is already
provided by crypto in the dracut environment, I can pull the digest of the
keys. The simple method of sending this output to sha256sum is bound to
fail. The luksDump format doesn't have a filter, and the TPM token would be
in the hash. In order for TPM to release the key, I need static data from
the drive that is not dependent on the tokens, only the keyslots. The
cryptsetup tool does dump a json format of the data, and jq is already in
this dracut environment. So cryptsetup dumps everything to jq which filters
to the specific element ".digests". This content will only change if the
static keys change, so I can swap tokens as frequently as I need to.

The TPM I have access to knows sha1 and sha256, but tpm-tss is configured
to read from the sha256 banks only. So, jq is piped out to sha256sum, and
the trailing "-" is cut away to give me a sha256 hash that tpm2_pcrextend
will accept. tpm2_pcrextend is already loaded in this dracut environment as
a side effect of enabling tpm-tss.

Eliding the udev guards and the dracut framework, I end up with a udev
target of:

  tpm2_pcrextend 15:sha256=`cryptsetup --dump-json-metadata luksDump "$device" | jq '.digests' | sha256sum | cut -d" " -f1` 2>/dev/null

After regenerating the initramfs, and rebooting twice to ensure the TPM is
settled, I can confirm that PCR15 is being populated and is static.

Validating in dracut that the udev rules are working, and PCR15 is
populated before dracut attempts to open it using crypt, I can now change
my cryptsetup enrollment to include bank 15:

  systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+1+2+3+4+5+7+8+9+14+15 /dev/device

Mitigation removed, fix in place.

If you have the ability to run a UEFI system, it might be simpler to go
ahead and move to UEFI.
If you are stuck on an initrd kernel, TPM auto unlocking is not a lost cause.

------------------------------

Date: Sun, 12 Jan 2025 09:04:44 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: Re: A non-tech analogy for Google Search AI Overviews

"Some or all of this food may be fine. Some or all of this food may
have a bad taste. Some or all may give you food poisoning. It's up to
you to double check this food before eating it—we take no
responsibility for any ill effects it may have on you."

This is very similar to the notices all over the state of California that
warn customers that some of the items in this location may contain
cancer-causing ingredients. Totally complies with local laws and is totally
useless at the same time.

------------------------------

Date: Sun, 12 Jan 2025 08:45:43 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: Re: LA Sheriff outage (LA Times, RISKS-34.52)

PGN wrote: "It still smells like a residual Y2K-type poor retrofix."

That's likely, if the fix was to treat 2-digit years less than 25 as being
20xx but values 25 or greater as being 19xx. That kind of fix was common in
1999.

------------------------------

Date: Sun, 12 Jan 2025 08:47:37 -0800
From: Steve Bacher <sebmb1 () verizon net>
Subject: Re: Eutelsat resolves OneWeb leap-year software glitch after two-day outage (SpaceNews)

Hold on. The error was failing to identify 2024 as a leap year but the
problem didn't occur until now? Not on 29 February 2024?

------------------------------

Date: Sun, 12 Jan 2025 13:08:29 +0000
From: Martin Ward <martin () gkc org uk>
Subject: Re: Tech allows Big Auto to evolve into Big Brother

"You might want law enforcement to have the data to crack down on
criminals, but can anyone have access to it?" said Jodi Daniels, chief
executive of the privacy consulting firm Red Clover Advisors. "Where is
the line?"

Where it has always been: at the bottom!
The bottom line is the only line that matters.

  [Roll Over, Red Clover.]

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored. Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
 ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.53
************************
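Editor's worked example for Cliff Kilby's TPM2/LUKS post in this issue: it is added here and is not his code, nor part of dracut, cryptsetup or systemd. The live pipeline in his udev target (`cryptsetup --dump-json-metadata luksDump ... | jq '.digests' | sha256sum | cut -d" " -f1`, then `tpm2_pcrextend 15:sha256=...`) is replaced by a constructed LUKS2 metadata blob, Python's JSON pretty-printer standing in for jq, and a pure-Python model of the SHA-256 PCR extend, so the property the post relies on can be checked offline: the measurement ignores the tokens section, PCR15 comes out identical on two boots of the same header, and it changes when the digests section changes (a swapped disk, or a new keyslot bound to the digest). All JSON values below are made up.

```python
"""Constructed example: measure the static part of a LUKS2 header and
simulate extending it into a TPM2 PCR, as the udev target in the post does."""
import copy
import hashlib
import json

# Constructed stand-in for the JSON printed by
# `cryptsetup --dump-json-metadata luksDump /dev/device`. Only the sections
# relevant here are present and every value is made up.
SAMPLE_METADATA = {
    "keyslots": {
        "0": {"type": "luks2", "key_size": 64, "kdf": {"type": "argon2id"}},
    },
    "tokens": {
        # a systemd TPM2 token bound to keyslot 0; its PCR list is the part
        # that changes on every re-enrollment
        "0": {"type": "systemd-tpm2", "keyslots": ["0"], "tpm2-pcrs": [0, 7]},
    },
    "segments": {"0": {"type": "crypt", "encryption": "aes-xts-plain64"}},
    "digests": {
        "0": {
            "type": "pbkdf2",
            "keyslots": ["0"],
            "segments": ["0"],
            "hash": "sha256",
            "iterations": 100000,
            "salt": "c29tZXNhbHQ=",                    # made-up base64
            "digest": "ZGlnZXN0LW9mLXZvbHVtZS1rZXk=",  # made-up base64
        }
    },
    "config": {"json_size": "12288", "keyslots_size": "16744448"},
}

PCR_RESET = "00" * 32  # PCR15 in the sha256 bank starts all-zero at TPM reset


def measure_digests(metadata):
    """Stand-in for `jq '.digests' | sha256sum | cut -d" " -f1`.

    Only the digests section is hashed, so the tokens section can change
    freely without altering the measurement. json.dumps(indent=2) is an
    approximation of jq's pretty-printing; the real pipeline hashes jq's
    exact bytes, so the values differ, but the invariants do not.
    """
    text = json.dumps(metadata["digests"], indent=2) + "\n"
    return hashlib.sha256(text.encode()).hexdigest()


def pcr_extend(pcr_hex, measurement_hex):
    """TPM2 extend for a SHA-256 bank: new = SHA256(old || measurement)."""
    return hashlib.sha256(
        bytes.fromhex(pcr_hex) + bytes.fromhex(measurement_hex)
    ).hexdigest()


def simulate_boot(metadata):
    """PCR15 after one boot: reset, then extended once by the udev rule."""
    return pcr_extend(PCR_RESET, measure_digests(metadata))


def reenroll_token(metadata, pcrs):
    """Re-enrol the TPM2 token against a new PCR list; keyslots untouched."""
    m = copy.deepcopy(metadata)
    m["tokens"]["0"]["tpm2-pcrs"] = list(pcrs)
    return m


def add_keyslot(metadata):
    """Add a second keyslot. LUKS2 records which keyslots a digest covers,
    so the digests section (and therefore the measurement) changes."""
    m = copy.deepcopy(metadata)
    m["keyslots"]["1"] = {"type": "luks2", "key_size": 64, "kdf": {"type": "pbkdf2"}}
    m["digests"]["0"]["keyslots"].append("1")
    return m


def swap_disk(metadata):
    """A different disk carries a different volume key, so its digest differs."""
    m = copy.deepcopy(metadata)
    m["digests"]["0"]["digest"] = "ZGlmZmVyZW50LXZvbHVtZS1rZXk="  # made-up
    m["digests"]["0"]["salt"] = "b3RoZXJzYWx0"                     # made-up
    return m


if __name__ == "__main__":
    print("PCR15, boot 1:        ", simulate_boot(SAMPLE_METADATA))
    print("PCR15, boot 2:        ", simulate_boot(SAMPLE_METADATA))
    print("after token re-enroll:", simulate_boot(reenroll_token(SAMPLE_METADATA, range(16))))
    print("after new keyslot:    ", simulate_boot(add_keyslot(SAMPLE_METADATA)))
    print("after disk swap:      ", simulate_boot(swap_disk(SAMPLE_METADATA)))
```

The first three lines of output agree and the last two differ. The add_keyslot case is the operational caveat: because the measured section includes each digest's list of bound keyslots, anything that edits it (adding a keyslot, for instance) changes PCR15 at the next boot, so a policy sealed against PCR15 has to be re-enrolled after such a change, whereas re-binding the token alone does not disturb it.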