RISKS-LIST: Risks-Forum Digest  Sunday 26 Jan 2025  Volume 34 : Issue 53

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator
***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.53>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Fraud Has Delayed a Cure for Alzheimer's (Charles Piller)
Strengthening and Promoting Innovation in the Nation's Cybersecurity (Uncle Sam)
White House Disbands Cyber Safety Review Board (John Leyden)
Executive Order Calls for AI 'Free from Ideological Bias' (AP)
The Trump Memecoin's Money-Grab's Economics (WiReD)
New AI tool counters health insurance denials decided by automated algorithms (U.S. healthcare in The Guardian)
Will we control AI, or will it control us? Top researchers weigh in? (CBC)
The Pentagon says AI is speeding up its 'kill chain' (Techcrunch)
Arrested by AI: Police ignore standards after facial recognition matches (WashPost)
CIA's Chatbot Stands In for World Leaders (NY Times)
Microsoft research finds Microsoft AI products may never be secure (Pivot to AI)
The impeccable logic of Sam Altman (Gary Marcus)
AI in medicine (Jim Geissman)
Signature moves: are we losing the ability to write by hand? (The Guardian)
How a Troubled Icebreaker Became America's Newest Military Vessel (ProPublica)
MasterCard DNS Error Went Unnoticed for Years (Krebs on Security)
Research Uncovers Major Vulnerability in Wireless Networking Technology (Cesareo Contreras)
Los Angeles County's evacuation alert system broke down during fires. It's part of a larger problem (LA Times)
After safety alert glitches, county overhauls system (LA Times)
Fake radiation reports... (Kim Zetter via danny burstein)
Traffic jams? Study reveals ants' secrets to smooth traffic flow (PHYS.ORG)
Man Loses Bid to Recover Hard Drive Containing Bitcoin Key (ArsTechnica)
UK Judge Ends One Man's 11-Year Quest to Recover $765 Million in Bitcoin by Digging Up a Landfill (WiReD)
Rsync CVE-2024-12084 (Debian)
AHHHHHH TPM2 BROKE LUKS!!! (Cliff Kilby)
Re: A non-tech analogy for Google Search AI Overviews (Steve Bacher)
Re: LA Sheriff outage (Steve Bacher)
Re: Eutelsat resolves OneWeb leap-year software glitch after two-day outage (Steve Bacher)
Re: Tech allows Big Auto to evolve into Big Brother (Martin Ward)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Sun, 26 Jan 2025 11:47:00 PST
From: Peter Neumann <neum...@csl.sri.com>
Subject: Fraud Has Delayed a Cure for Alzheimer's (Charles Piller)

Charles Piller, *The New York Times*, Sunday Opinion, 26 Jan 2025

Research into a disease that affects millions of Americans has been rife with deception.

If the institutional authorities fail to act, skeptics of science itself, most likely including those inside the Trump administration, surely will. Almost certainly, an ensuing overkill would describe ambiguity or innocent human error as fraud and eschew the thoughtful respect and due process needed to preserve what remains vital and true in neuroscience. That would enforce a new calamity on everyone who wants to grow old.

  [This appears to be an ideal opportunity for radically rethinking what might be possible. Alzheimer's would be a wonderful target to jump-start that quest. I would add that evidence-based neuroscience is desperately needed to surmount the overuse of generic chemotherapy for cancer, when research in this country and elsewhere is showing an extraordinary potential for genetically oriented approaches for treatment and perhaps even prevention of cancer and other neurologically linked problems.
  PGN]

------------------------------

Date: Mon, 20 Jan 2025 06:20:30 +0000
From: Richard Marlon Stein <rmst...@protonmail.com>
Subject: Strengthening and Promoting Innovation in the Nation's Cybersecurity (Uncle Sam)

https://www.federalregister.gov/documents/2025/01/17/2025-01470/strengthening-and-promoting-innovation-in-the-nations-cybersecurity

For a coffee cup version of this comprehensive executive order, see:
https://www.whitehouse.gov/briefing-room/statements-releases/2025/01/15/fact-sheet-new-executive-order-on-strengthening-and-promoting-innovation-in-the-nations-cybersecurity/

With the PRC's Salt Typhoon, and numerous other state and rogue hackers, infiltration and subsequent exfiltration of sensitive information from US government infrastructure -- for the Nth time, the outgoing Biden Administration threw the gauntlet at the technology industrial complex's cosmetically voluntary and wholly ineffective effort to harden cybersecurity practices.

In a nutshell, the U.S. government won't buy off-the-shelf software stacks or services unless the manufacturer/supplier demonstrates irrefutable proof -- attestation -- of Federal cybersecurity regulatory compliance. "Just trust us" won't fly any longer. "Trust but verify" lives, with a vengeance via procurement regulations on steroids. The EO regulations require in-house adoption and audit of NIST 800-53 and other 'modest' process disciplines before foisting the next software toxic waste dump into the government's supply chain.

[US$5 says the EO is repealed by the incoming administration -- too expensive for business to comply.]
  [Also noted by Gabe Goldberg:
  https://www.wired.com/story/the-fccs-jessica-rosenworcel-isnt-leaving-without-a-fight/
  PGN]

------------------------------

Date: Fri, 24 Jan 2025 11:12:51 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: White House Disbands Cyber Safety Review Board (John Leyden)

John Leyden, CSO, 22 Jan 2025

The Trump administration has dismissed all members of the Cyber Safety Review Board (CSRB), including those investigating the China-linked hacking group Salt Typhoon. The CSRB was established through an executive order by the previous administration and tasked with reviewing major cyber-incidents affecting the U.S. government.

------------------------------

Date: Fri, 24 Jan 2025 11:12:51 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Executive Order Calls for AI 'Free from Ideological Bias' (CNVC)

Matt O'Brien and Sarah Parvini, Associated Press, 23 Jan 2025

President Trump on Thursday signed an executive order revoking past government policies on AI that "act as barriers to American AI innovation." To maintain global leadership, "We must develop AI systems that are free from ideological bias or engineered social agendas," the order states. While the order does not specify which policies are hindering AI development, it calls for a review of "all policies, directives, regulations, orders, and other actions taken" as a result of the former administration's AI executive order.

------------------------------

Date: Wed, 22 Jan 2025 02:37:23 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: The Trump Memecoin's Money-Grab's Economics (WiReD)

When he launched his own cryptocurrency, Donald Trump produced unimaginable wealth from thin air. But it will come at a cost to someone.

Late Friday evening, three days before his return to the Oval Office, Donald Trump performed an act of crypto alchemy. Pretty much all it took was a few strokes of the keyboard. “My NEW Official Trump Meme is HERE!” the incoming U.S.
president wrote in a Truth Social post. “It’s time to celebrate everything we stand for: WINNING!”

The post marked the launch of Trump’s very own memecoin—a type of joke cryptocurrency that typically has no purpose beyond financial speculation, whose value tends to whipsaw dramatically with changes in public sentiment. The price of the TRUMP memecoin began to hare upwards almost immediately, despite speculation that Trump’s account had been hacked. By the following day, the coins released into circulation -- 20 percent of the total supply -- were valued at $14 billion.

https://www.wired.com/story/the-trump-memecoins-money-grab-economics/

  [Matthew Kruk had this comment on Trump launches cryptocurrency with price rocketing:
  https://www.bbc.com/news/articles/c9vmym2jvy9o
  "It included a disclaimer noting the coin is "not intended to be, or the subject of" an investment opportunity or a security and was "not political and has nothing to do with" any political campaign, political office or government agency."
  Translation: Scam [?]
  PGN]

------------------------------

Date: Sat, 25 Jan 2025 11:53:04 -0800
From: Jim Geissman <jgeiss...@socal.rr.com>
Subject: New AI tool counters health insurance denials decided by automated algorithms (U.S. healthcare, The Guardian)

Some patients and companies have developed AI tools to appeal denials in a battle of the bots
<https://www.hfma.org/revenue-cycle/denials-management/health-systems-start-to-fight-back-against-ai-powered-robots-driving-denial-rates-higher/>

Companies have launched new generative AI tools to help hospitals
<https://www.cnbc.com/2025/01/13/health-waystar-generative-ai-new-tool-will-help-fight-health-insurance-denials.html>
and patients
<https://www.getclaimable.com/>
draft appeal letters, while one open-source large language model developed by an engineer promises to help patients Fight Health Insurance.
<https://fighthealthinsurance.com/>

https://www.theguardian.com/us-news/2025/jan/25/health-insurers-ai

  [Having sent that, let me qualify it, so it doesn't sound like the AI did all the medicine.]

------------------------------

Date: Sat, 11 Jan 2025 12:56:32 -0700
From: Matthew Kruk <mkr...@gmail.com>
Subject: Will we control AI, or will it control us? Top researchers weigh in? (CBC)

https://www.cbc.ca/news/science/artificial-intelligence-predictions-1.7427024

Imagine this: you're gently awoken by the dulcet tones of your personal assistant just as you're nearing the end of your final sleep cycle. A disembodied voice informs you of the emails you missed overnight and how they were responded to in your absence. The same voice lets you know rain is expected this morning and recommends you don your trenchcoat before leaving the house. As your car drives you to the office, your wristwatch announces that lunch from your local steak house has been preordered for delivery since your iron levels have been a little low lately.

Having all your needs anticipated and met before you've even had the chance to realize them yourself is one of the potentials of advanced artificial intelligence. Some of Canada's top AI researchers believe it could create a utopia for humankind -- if AI doesn't eradicate our species first.

------------------------------

Date: Tue, 21 Jan 2025 06:21:54 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: The Pentagon says AI is speeding up its 'kill chain' (Techcrunch)

Leading AI developers, such as OpenAI and Anthropic, are threading a delicate needle to sell software to the United States military: make the Pentagon more efficient, without letting their AI kill people.
https://techcrunch.com/2025/01/19/the-pentagon-says-ai-is-speeding-up-its-kill-chain

------------------------------

Date: Tue, 14 Jan 2025 08:13:18 -0700
From: geoff goodfellow <ge...@iconia.com>
Subject: Arrested by AI: Police ignore standards after facial recognition matches (WashPost)

After two men brutally assaulted a security guard on a desolate train platform on the outskirts of St. Louis, county transit police detective Matthew Shute struggled to identify the culprits. He studied grainy surveillance videos, canvassed homeless shelters and repeatedly called the victim of the attack, who said he remembered almost nothing because of a brain injury from the beating.

Months later, they tried one more option.

Shute uploaded a still image from the blurry video of the incident to a facial recognition program, which uses artificial intelligence to scour the mug shots of hundreds of thousands of people arrested in the St. Louis area. Despite the poor quality of the image, the software spat out the names and photos of several people deemed to resemble one of the attackers, whose face was hooded by a winter coat and partially obscured by a surgical mask.

Though the city's facial recognition policy warns officers that the results of the technology are nonscientific and should not be used as the sole basis for any decision, Shute proceeded to build a case against one of the AI-generated results: Christopher Gatlin, a 29-year-old father of four who had no apparent ties to the crime scene nor a history of violent offenses, as Shute would later acknowledge. [...]

https://www.msn.com/en-us/news/us/arrested-by-ai-police-ignore-standards-after-facial-recognition-matches/ar-BB1rnOai

------------------------------

Date: Sun, 19 Jan 2025 09:13:57 -0500
From: Jan Wolitzky <jan.wolit...@gmail.com>
Subject: CIA's Chatbot Stands In for World Leaders (NY Times)

Understanding leaders around the world is one of the CIA's most important jobs.
Teams of analysts comb through intelligence collected by spies and publicly available information to create profiles of leaders that can predict behaviors. A chatbot powered by artificial intelligence now helps do that work.

Over the last two years, the Central Intelligence Agency has developed a tool that allows analysts to talk to virtual versions of foreign presidents and prime ministers, who answer back.

<https://www.nytimes.com/2025/01/18/us/politics/cia-chatbot-technology.html>

  [That is really speCIAl. PGN]

------------------------------

Date: Fri, 17 Jan 2025 13:45:01 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: Microsoft research finds Microsoft AI products may never be secure (Pivot to AI)

Microsoft CEO Satya Nadella is going all-in on AI. Earlier this week, he announced that the company’s developer division (which makes developer tools and compilers) has been folded into a new unit called CoreAI. “Thirty years of change is being compressed into three years!” [Microsoft]

Unfortunately, generative confabulation machines remain difficult to secure against data leaks. Microsoft already has problems with Copilot Studio leaking enterprise data and Recall storing sensitive data. Is there hope?

Twenty-six Microsoft AI Red Team researchers tested more than 100 Microsoft AI products. Their verdict? Probably not. [arXiv; Register]

In their paper “Lessons from red-teaming 100 generative AI products,” the authors conclude that simple attacks work best — you don’t need to break out the computer science:

https://pivot-to-ai.com/2025/01/17/microsoft-research-finds-microsoft-ai-products-may-never-be-secure/

  [Last Pivot-to-AI I'll forward -- worth subscribing/supporting.]
------------------------------

Date: Sat, 11 Jan 2025 20:08:39 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: The impeccable logic of Sam Altman (Gary Marcus)

[Sam Altman] can simultaneously think that these risks are real and also believe that the only way to appropriately address them is to ship product and learn.

https://garymarcus.substack.com/p/the-impeccable-logic-of-sam-altman

Works for Boeing, why not.

------------------------------

Date: Tue, 21 Jan 2025 18:57:20 -0800
From: "Jim" <jgeiss...@socal.rr.com>
Subject: AI in medicine (Jim Geissman)

I just had my annual physical. My doc has long been a user of technology, starting long ago to dictate his notes to voice-to-text. I mentioned that when he started doing that, he would usually spend more time correcting his notes than dictating them, but now he's not doing it at all. He said he has AI in his phone that is listening to the whole conversation and will make the notes. At one point I heard him tell his phone "load the annual physical macro".

JRG

------------------------------

Date: Fri, 24 Jan 2025 07:07:04 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: Signature moves: are we losing the ability to write by hand? (The Guardian)

We are far more likely to use our hands to type or swipe than pick up a pen. But in the process we are in danger of losing cognitive skills, sensory experience -- and a connection to history.

https://www.theguardian.com/news/2025/jan/21/signature-moves-are-we-losing-the-ability-to-write-by-hand

  [I suppose we could learn to sign our ``John Footcock'' instead of our hand-written ``John Hancock''. But grammar schools are not teaching script writing any more, so fewer people know how to write. Have they stopped teaching grammar yet? If so, we won't need grammar schools any more.
  PGN]

------------------------------

Date: Sat, 25 Jan 2025 15:55:57 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: How a Troubled Icebreaker Became America's Newest Military Vessel (ProPublica)

This Icebreaker Has Design Problems and a History of Failure. It’s America’s Latest Military Vessel.

Reporting Highlights

Troubled History: The icebreaker Aiviq was built for oil work in the Arctic but has design issues. Its maiden voyage to Alaska ended in a rescue at sea and a Coast Guard investigation.

Influential Donor: The Aiviq’s Louisiana builder has made more than $7 million in political contributions since 2012. For much of that time, Edison Chouest sought to sell or lease the ship.

Wider Problem: The Coast Guard’s $125 million purchase of the Aiviq, made under congressional pressure, follows the service’s failure to get its preferred, $1 billion model built.

https://www.propublica.org/article/aiviq-icebreaker-military-coast-guard

------------------------------

Date: Fri, 24 Jan 2025 06:49:42 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: MasterCard DNS Error Went Unnoticed for Years (Krebs on Security)

The payment card giant MasterCard just fixed a glaring error in its domain name server settings that could have allowed anyone to intercept or divert Internet traffic for the company by registering an unused domain name. The misconfiguration persisted for nearly five years until a security researcher spent $300 to register the domain and prevent it from being grabbed by cybercriminals.
https://krebsonsecurity.com/2025/01/mastercard-dns-error-went-unnoticed-for-years/

------------------------------

Date: Mon, 13 Jan 2025 12:06:51 -0500 (EST)
From: ACM TechNews <technews-edi...@acm.org>
Subject: Research Uncovers Major Vulnerability in Wireless Networking Technology (Cesareo Contreras)

Cesareo Contreras, Northeastern Global News (01/09/25)

A security flaw in the MU-MIMO (multi-user, multiple input, multiple output) setup procedure could allow threat actors to deploy malicious information on a Wi-Fi network to dramatically slow Internet speeds, according to Northeastern University researchers. MU-MIMO is a key component of Wi-Fi networks, and Northeastern's Francesco Restuccia said the Wi-Fi standard may need to be updated to address the vulnerability.

------------------------------

Date: Fri, 24 Jan 2025 18:49:15 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: Los Angeles County's evacuation alert system broke down during fires. It's part of a larger problem (LA Times)

Despite upgrades to wireless alerts system, emergency warnings were often ineffective when most needed during the Los Angeles wildfires. Some were sent to too many people, some to too few.

https://www.latimes.com/california/story/2025-01-24/california-wildfires-evacuation-alerts-mistakes

------------------------------

Date: Sun, 12 Jan 2025 10:51:26 -0800
From: "Jim" <jgeiss...@socal.rr.com>
Subject: After safety alert glitches, county overhauls system (LA Times)

After faulty notifications during the fire emergency alert system in favor of the State's.

http://enewspaper.latimes.com/infinity/article_share.aspx?guid=b4dbf504-a5c6-4f92-8101-1ad41d61e6ec

------------------------------

Date: Wed, 8 Jan 2025 23:02:01 +0000
From: danny burstein <dan...@panix.com>
Subject: Fake radiation reports...
  (Kim Zetter)

https://www.zetter-zeroday.com/anatomy-of-a-nuclear-scare/

------------------------------

Date: Mon, 20 Jan 2025 05:52:46 +0000
From: Richard Marlon Stein <rmst...@protonmail.com>
Subject: Traffic jams? Study reveals ants' secrets to smooth traffic flow (PHYS.ORG)

https://phys.org/news/2025-01-traffic-reveals-ants-secrets-smooth.html

"Ants follow pheromone trails marked by a leader ant, and move in platoons with small gaps and no overtaking," notes Guerrieri. "This strategy could make human mobility more efficient."

Guerrieri says, 'In the future, traffic systems for autonomous vehicles (CAVs) could be inspired by ant behavior. Just like insects communicate through pheromones, on smart roads, Connected and Automated Vehicles (CAV) could use advanced communication technologies to communicate with each other and with the road infrastructure management. In this way, they could form coordinated platoons, moving at high speeds with close spacing across parallel lanes. This approach could enhance traffic efficiency, improve levels of service, and reduce gas emissions.'

Ant that CAV right? No, that CAV ant left.

  [It's really an ANT-iclimax. But tell it to the German driver going way over 200-km/hr on the Autobahn. PGN]

------------------------------

Date: Sun, 12 Jan 2025 16:54:16 -0500
From: Charles Dunlop <cdun...@umich.edu>
Subject: Man Loses Bid to Recover Hard Drive Containing Bitcoin Key (ArsTechnica)

In 2013 a hard drive belonging to a Wales man was mistakenly discarded, ending up in a landfill. The drive allegedly contained a key to his bitcoins now worth $765 million. The owner has been trying to get permission to excavate the landfill in an attempt to recover the drive, but a judge has just issued a final ruling against him.
https://arstechnica.com/tech-policy/2025/01/judge-ends-mans-11-year-quest-to-dig-up-landfill-and-recover-765m-in-bitcoin/

------------------------------

Date: Wed, 15 Jan 2025 02:08:43 -0500
From: Gabe Goldberg <g...@gabegold.com>
Subject: UK Judge Ends One Man's 11-Year Quest to Recover $765 Million in Bitcoin by Digging Up a Landfill (WiReD)

A UK judge ruled against James Howells, who has been trying to get a hard drive with private keys to a cryptocurrency fortune out of a landfill for over a decade.

In his drawers he found two hard drives: one was the Hard Drive, and the other was a blank hard drive that contained no data. He meant to throw out the blank hard drive, but instead he mistakenly picked up the Hard Drive and put it into one of the black bin-liners. He then left the two bin bags downstairs in his house and asked his partner at the time to take them to the landfill at the Site the following day after completing the school run. However, she said that she did not want to take the black bin bags to the Site and refused to do so. The claimant was not overly concerned at her refusal, because he decided that on the following morning he would check to make sure that he had put the correct hard drive in the bin bags. However, when he awoke at 9 o'clock the following morning he found that his partner had had a change of heart and had already taken the bin bags to the Site and manually deposited them into the general waste bins at the Site.

https://www.wired.com/story/bitcoin-landfill-excavation-james-howells-judge-ruling

------------------------------

Date: Wed, 15 Jan 2025 13:13:07 +0000
From: Cliff Kilby <cliffjki...@gmail.com>
Subject: Rsync CVE-2024-12084 (Debian)

As has become the trend in the industry, the vulnerability reports have summaries that ignore the fact that several vendors maintain backports.

https://kb.cert.org/vuls/id/952657
claims the vulnerabilities are in 3.3.0 and below.
https://thehackernews.com/2025/01/google-cloud-researchers-uncover-flaws.html
maintains that it was fixed in 3.4.0

https://lists.debian.org/debian-security-announce/2025/msg00004.html
Debian patched it in 3.2.7-1.

If you're auditing vulnerabilities, make sure you check your vendor's security patch notes before trying to force an upgrade beyond the vendor's version.

------------------------------

Date: Fri, 17 Jan 2025 18:04:20 +0000
From: Cliff Kilby <cliffjki...@gmail.com>
Subject: AHHHHHH TPM2 BROKE LUKS!!!

Calm down, calm down. Yes. It is a real problem.

https://www.jedi-sec.com/2025/01/17/bypassing-disk-encryption-on-systems-with-automatic-tpm2unlock/

Even if you are selecting all the right PCRs, TPM2 has no idea if the disk was swapped. Most tutorials for auto unlock also fail to include all the PCRs because of a tradeoff for convenience. So if you aren't already using at least PCRS 0-5,7,8,9,14, your machine was vulnerable to other attacks.

MORE:

Given the first article for TPM auto unlock of LUKS for a debian derivative referenced dracut, and there has been no indication of an existing solution for people who are running non-UEFI kernels, I decided to fix this myself today.

dracut has a pcr-measure module. systemd-pcrphase. There is a lot of discussion about this, as it was apparently modified and renamed upstream, so I discounted it as a solution.

Having a non-unified, secure booting OS, that doesn't measure the LUKS header already from a previous attempt to learn secure boot, I started from there. My baseline install was based on
https://blog.fernvenue.com/archives/debian-with-luks-and-tpm-auto-decryption/

My PCRs were *not* 0+7, because leaving PCR8 out would allow anyone to reboot to init=bin/bash. My initial PCRs after rebooting twice, and checking what was being measured: 0+1+2+3+4+5+7+8+9+14

I admittedly misunderstood PCR5 to include the LUKS headers. I was wrong about that, as my previous post indicated.
I was also under the assumption that PCR9 would have changed if the kernel it was booted to changed. This hasn't been confirmed, so I presume it does not, or is spoofable.

Given I am now in the state of being impacted, and need to address it in a better way than removing TPM2 unlocking, or replacing the LUKS passphrase with a TPM2 pin: What to do?

Dracut uses a modular system with built in hooks that allows it to be extensible to do things like find and then unlock a LUKS volume without prompting for a passphrase. The hooks system has a pre-mount hook, but pre-mount is too late for LUKS, as the LVM container inside the LUKS volume has already attempted to mount by this hook. The pre-trigger hook is too early, as the udev rules haven't run and the LUKS block device is non-existent.

Investigating the dracut crypt module provides no easy hook to intercept, as it is implemented as a udev rule target. The udev rule in crypt is 70. I need to get into dracut in udev, before 70. Checking the other modules loaded in this environment, 69 is free, so that's my target.

Using the crypto module from dracut as a template, I create a module-setup, a parser, and a udev target. The udev target takes the same arguments the crypto module does: /dev/device luks-label.

Now what to measure? Checking the output of cryptsetup, which is already provided by crypto in the dracut environment, I can pull the digest of the keys. The simple method of sending this output to sha256sum is bound to fail. The luksDump format doesn't have a filter, and the TPM token would be in the hash. In order for TPM to release the key, I need static data from the drive that is not dependent on the tokens, only the keyslots.

The cryptsetup tool does dump a json format of the data, and jq is already in this dracut environment. So cryptsetup dumps everything to jq which filters to the specific element ".digests". This content will only change if the static keys change, so I can swap tokens as frequently as I need to.
The TPM I have access to knows sha1 and sha256, but tpm-tss is configured to read from the sha256 banks only. So, jq is piped out to sha256sum, and the trailing "-" is cut away to give me a sha256 hash that tpm2_pcrextend will accept. tpm2_pcrextend is already loaded in this dracut environment as a side effect of enabling tpm-tss.

Eliding the udev guards and the dracut framework, I end up with a udev target of:

  tpm2_pcrextend 15:sha256=`cryptsetup --dump-json-metadata luksDump "$device" | jq '.digests' | sha256sum | cut -d" " -f1` 2>/dev/null

After regenerating the initramfs, and rebooting twice to ensure the TPM is settled, I can confirm that PCR15 is being populated and is static.

Validating in dracut that the udev rules are working, and PCR15 is populated before dracut attempts to open it using crypt, I can now change my cryptsetup enrollment to include bank 15:

  systemd-cryptenroll --tpm2-device=auto --tpm2-pcrs=0+1+2+3+4+5+7+8+9+14+15 /dev/device

Mitigation removed, fix in place.

If you have the ability to run a UEFI system, it might be simpler to go ahead and move to UEFI. If you are stuck on an initrd kernel, TPM auto unlocking is not a lost cause.

------------------------------

Date: Sun, 12 Jan 2025 09:04:44 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: Re: A non-tech analogy for Google Search AI Overviews

"Some or all of this food may be fine. Some or all of this food may have a bad taste. Some or all may give you food poisoning. It's up to you to double check this food before eating it—we take no responsibility for any ill effects it may have on you."

This is very similar to the notices all over the state of California that warn customers that some of the items in this location may contain cancer-causing ingredients. Totally complies with local laws and is totally useless at the same time.
------------------------------

Date: Sun, 12 Jan 2025 08:45:43 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: Re: LA Sheriff outage (LA Times, RISKS-34.52)

> PGN wrote: "It still smells like a residual Y2K-type poor retrofix."

That's likely, if the fix was to treat 2-digit years less than 25 as being 20xx but values 25 or greater as being 19xx. That kind of fix was common in 1999.

------------------------------

Date: Sun, 12 Jan 2025 08:47:37 -0800
From: Steve Bacher <seb...@verizon.net>
Subject: Re: Eutelsat resolves OneWeb leap-year software glitch after two-day outage (SpaceNews)

Hold on. The error was failing to identify 2024 as a leap year but the problem didn't occur until now? Not on 29 February 2024?

------------------------------

Date: Sun, 12 Jan 2025 13:08:29 +0000
From: Martin Ward <mar...@gkc.org.uk>
Subject: Re: Tech allows Big Auto to evolve into Big Brother

> "You might want law enforcement to have the data to crack down on
> criminals, but can anyone have access to it?" said Jodi Daniels, chief
> executive of the privacy consulting firm Red Clover Advisors. "Where is
> the line?"

Where it has always been: at the bottom! The bottom line is the only line that matters.

  [Roll Over, Red Clover.]

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: risks-requ...@csl.sri.com
Subject: Abridged info on RISKS (comp.risks)

The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks
=> SUBMISSIONS: to risks@CSL.sri.com with meaningful SUBJECT: line that includes the string `notsp'. Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.
   Instead, use an alternative address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites, copyright policy, etc.) has moved to the ftp.sri.com site: <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!
=> OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's delightfully searchable html archive at newcastle:
   http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
   Also, ftp://ftp.sri.com/risks for the current volume/previous directories
   or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
   If none of those work for you, the most recent issue is always at
   http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
   ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them. Try browsing on the keywords in the subject line or cited article leads. Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
   <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.53
************************