Risks Digest 34.63

RISKS Forum mailing list archives


From: RISKS List Owner <risko () csl sri com>
Date: Sat, 17 May 2025 16:04:54 PDT

RISKS-LIST: Risks-Forum Digest  Saturday 17 May 2025  Volume 34 : Issue 63

ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
Peter G. Neumann, founder and still moderator

***** See last item for further information, disclaimers, caveats, etc. *****
This issue is archived at <http://www.risks.org> as
  <http://catless.ncl.ac.uk/Risks/34.63>
The current issue can also be found at
  <http://www.csl.sri.com/users/risko/risks.txt>

  Contents:
Newark's Air-Traffic Control Staffing Crisis Is Dire. It's Also Not Unique.
 (The New York Times)
Exclusive: NSF faces radical shake-up as officials abolish its 37 divisions
 (Science)
Rogue communication devices found in Chinese solar power inverters
 (PGN, Ben Moore)
EU Security Bug Database Fully Operational (Jessica Lyon)
Researchers Discover New Security Vulnerability in Intel Processors
 (Daniel Meierhans)
Investigation into false evacuation alerts sent during L.A. fires places
 blame, calls for more regulation (LA Times)
Meta to Train AI on EU User Data From May 27 Without Consent; Noyb Threatens
 Lawsuit (The Hacker News)
Young Americans are investing in crypto and meme coins as a path to wealth
 (The Washington Post)
If AI is so good at coding, where are the open-source contributions
 (Pivot to AI)
How Apple Created a Legal Mess When It Skirted a Judge’s Ruling (NYTimes)
How to Secure Your Phone’s Data Before Traveling Abroad (NYTimes)
Thumbprint on Cigarette Carton Cracks a 48-Year-Old California Murder Case
 (NY Times)
Walgreens doubles down on prescription-filling robots to cut costs, free up
 pharmacists amid turnaround (CNBC)
Smart Phones Finally Getting Expelled in Classes (New York Magazine)
A VPN Company Canceled All Lifetime Subscriptions, Claiming It Didn't Know
 About Them (WiReD)
Why We're Unlikely to Get Artificial General Intelligence Anytime Soon
 (NY Times)
Attack Steals Cryptocurrency by Planting False Memories in Chatbots
 (Dan Goodin)
Young Americans are investing in crypto and meme coins as a path to wealth
 (The Washington Post)
His X Account Was Hijacked to Sell a Fake WIRED Memecoin. Then Came the
 Backlash (WiReD)
CISA mutes own website, shifts routine cyber-alerts to Musk's RSS, email
 (The Register)
Tragedy, Fools but no Iago in sight (Peter Bernard Ladkin)
Riverside wants to become 'the new Detroit.' Can this self-driving electric
 bus get it there? (LA Times)
IBM Vibe coding (Martin Ward)
How to fix your code using OpenAI (Martin Ward)
Case quacked: Flying duck caught by Swiss speed camera is repeat offender
 (BBC)
We live in the tension between overestimating risks and ignoring them
 (Jim Geissman)
RISKS-34.62 layout (Mark Brader)
Re: FBI Says Cybercrime Costs Surpassed $16 Billion in 2024
 (Richard Marlon Stein)
Re: New Zealand's prime minister proposes social media ban for under-16s
 (Steve Bacher)
Re: After an Arizona man was shot, an AI video of him addresses his killer
 in court (Steve Bacher)
Abridged info on RISKS (comp.risks)

----------------------------------------------------------------------

Date: Fri, 16 May 2025 07:32:53 -0700
From: "Jim" <jgeissman () socal rr com>
Subject: Newark's Air-Traffic Control Staffing Crisis Is Dire. It's Also Not
 Unique.  (The New York Times)

NY Times 16 May 2025

Ninety-nine percent of the air traffic control facilities in the United
States are operating below recommended staffing levels, a New York Times
analysis has found.

The ongoing crisis at Newark Liberty International Airport has put a
spotlight on the prolonged nationwide shortage of air traffic
controllers. As of 7 May 2025, only two of 313 facilities -- one in Akron,
Ohio, and another in Fort Lauderdale, Fla. -- met staffing targets set by
the Federal Aviation Administration and the union representing controllers,
according to union data obtained by The Times.

<https://www.nytimes.com/2025/05/07/us/politics/newark-airport-delays.html>
<https://www.nytimes.com/interactive/2025/05/08/nyregion/newark-airport-delays.html>

  [Even if you are flying from Akron to Fort Lauderdale, that is not good
  enough, because you have to cross undermanned ATC centers.  PGN]

------------------------------

Date: Fri, 9 May 2025 20:21:24 +0900
From: David Farber <farber () keio jp>
Subject: Exclusive: NSF faces radical shake-up as officials abolish its 37
 divisions (Science)

https://www.science.org/content/article/exclusive-nsf-faces-radical-shake-officials-abolish-its-37-divisions

The National Science Foundation (NSF), already battered by White House
directives and staff reductions, is plunging into deeper turmoil. According
to sources who requested anonymity for fear of retribution, staff were told
today that the agency's 37 divisions -- across all eight NSF directorates --
are being abolished and the number of programs within those divisions will
be drastically reduced. The current directors and deputy directors will lose
their titles and might be reassigned to other positions at the agency or
elsewhere in the federal government.

The consolidation appears to be driven in part by President Donald Trump's
proposal to cut the agency's $9-billion budget by 55% for the 2026 fiscal
year that begins on 1 October. NSF's decision to abolish its divisions could
also be part of a larger restructuring of the agency's grant-making process
that involves adding a new layer of review. NSF watchers fear that a
smaller, restructured agency could be more vulnerable to pressure from the
White House to fund research that suits its ideological bent.

------------------------------

Date: Thu, 15 May 2025 14:09:41 -0700
From: "Peter G. Neumann" <peter.neumann () sri com>
Subject: Rogue communication devices found in Chinese solar power inverters

https://www.reuters.com/sustainability/climate-energy/ghost-machine-rogue-communication-devices-found-chinese-inverters-2025-05-14/

  [This resembles a cross between the DMA problem addressed by the
  Thunderclap paper, and planted Trojan horses.  PGN]

------------------------------

Date: Fri, 16 May 2025 09:37:13 -0500
From: Ben Moore <ben.moore () juno com>
Subject: Rogue communication devices found in Chinese solar power
 inverter (MSN)

As Bruce Schneier says "This is a weird story."

https://www.msn.com/en-us/news/world/ar-AA1EMfHP

But less so when you consider this story.

https://www.huschblackwell.com/newsandinsights/new-executive-order-prohibits-use-of-equipment-produced-by-foreign-adversaries-in-bulk-power-system

------------------------------

Date: Fri, 16 May 2025 11:37:34 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: EU Security Bug Database Fully Operational (Jessica Lyon)

Jessica Lyon, *The Register* (UK) (05/13/25), via ACM TechNews

The European Union Agency for Cybersecurity has rolled out the European
Vulnerability Database (EUVD). Updated in real time and now fully
operational, the database identifies disclosed bugs with their U.S. Common
Vulnerabilities and Exposures (CVE)-assigned IDs and EUVD identifiers,
details their criticality and exploitation status, and provides links to
available advisories and patches.

  [The U.S. mothballing of the MITRE-NIST CVE collection was the
  result of an abominable showman.  The CVE repository may have been
  the wrong solution to the wrong problem, but it provided a very
  useful catalog of vulnerabilities against which to track progress
  (or the lack of it).  The deeper problem that is not being
  adequately confronted is that commercial-system security sucks,
  so-called best practices are dramatically incomplete, and the
  industry apparently does not want to bother avoiding even the most
  critical flaws, much less the way it develops new systems.  This has
  been going on during all of my 71 years as a computer professional,
  with very few exceptions, and shows few signs of changing (except
  for perhaps our SRI/Cambridge-UK CHERI clean-slate hardware-software
  approach, which earlier this week received this year's Test-of-Time
  award at the 46th IEEE Symposium on Security and Privacy for our
  2015 paper, CHERI: A Hybrid Capability-System Architecture for
  Scalable Software Compartmentalization).  I am delighted to see the
  European Union showing fortitude (although the letters VD in EUVD
  have a connotation that is symbolic of the self-infectious nature of
  system and network vulnerabilities).  PGN]

------------------------------

Date: Fri, 16 May 2025 11:37:34 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Researchers Discover New Security Vulnerability in Intel
 Processors (Daniel Meierhans)

Daniel Meierhans, ETH Zurich (Switzerland) (05/13/25)

A new class of vulnerabilities in all Intel processors identified by
computer scientists at Switzerland's ETH Zurich can be exploited to misuse
the central processing unit's (CPU) prediction calculations to gain access
to information from other users of the same CPU. The vulnerabilities enable
the incorrect assignment of privileges during the few nanoseconds when the
CPU switches between prediction calculations for two users with different
permissions. ETH Zurich's Sandro Ruegge said quickly repeating the attack
can result in a more than 5,000-bytes-per-second readout speed, allowing
attackers to read the entire memory over time.

------------------------------

Date: Mon, 12 May 2025 09:14:07 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Investigation into false evacuation alerts sent during L.A. fires
 places blame, calls for more regulation (LA Times)

The alerts were intended for a small group of residents near Calabasas, but
stoked panic and confusion as they were blasted out repeatedly to a much
larger area.  [...]

In “Sounding the Alarm: Lessons From the Kenneth Fire False Alerts,”
Garcia’s office reports that Genasys, the software company contracted with
the county to issue wireless emergency alerts, said a technical error caused
the faulty alert to ping across the sprawling metro region.  [...]

https://www.latimes.com/california/story/2025-05-12/report-on-faulty-fire-alert-calls-for-more-federal-regulation-of-private-tech-companies-issuing-alerts

------------------------------

Date: Fri, 16 May 2025 10:38:05 -0700
From: geoff goodfellow <geoff () iconia com>
Subject: IS: Meta to Train AI on EU User Data From May 27 Without Consent;
 Noyb Threatens Lawsuit (The Hacker News)

Austrian privacy non-profit noyb (none of your business) has sent Meta's
Irish headquarters a cease-and-desist letter, threatening the company with
a class action lawsuit if it proceeds with its plans to train users' data
for training its artificial intelligence (AI) models without an explicit
opt-in.

The move comes weeks after the social media behemoth announced
<https://thehackernews.com/2025/04/meta-resumes-eu-ai-training-using.html>
its plans to train its AI models using public data shared by adults across
Facebook and Instagram in the European Union (EU) starting May 27, 2025,
after it paused the efforts in June 2024 following concerns raised by Irish
data protection authorities.

"Instead of asking consumers for opt-in consent, Meta relies on an alleged
'legitimate interest' to just suck up all user data," noyb said
<https://noyb.eu/en/noyb-sends-meta-cease-and-desist-letter-over-ai-trainin-european-class-action-potential-next-step>.
"Meta may face massive legal risks -- just because it relies on an 'opt-out'
instead of an 'opt-in' system for AI training."

The advocacy group further noted that Meta AI is not compliant with the
General Data Protection Regulation (GDPR) in the region, and that, besides
claiming that it has a "legitimate interest" in taking user data for AI
training, the company is also limiting the right to opt-out before the
training has started.
<https://www.gdpreu.org/the-regulation/key-concepts/legitimate-interest/>

------------------------------

Date: Mon, 12 May 2025 12:58:06 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Young Americans are investing in crypto and meme coins as a
 path to wealth (The Washington Post)

These young people see meme coins as their best shot at the American Dream

When traditional routes to wealth feel out of reach, jokey cryptocurrencies
can look more attractive.

“Financial nihilism” is driving some members of Gen Z to crypto, said Joe
McCann, founder and CEO of Asymmetric, a crypto hedge fund that counts
itself as one of the first institutional investors in meme coins.  Young
people with high levels of student debt, who are more likely to live with
their parents than prior generations, are less inclined to stash money into
a 401(k), he said. They’d rather wager a few hundred bucks on a meme coin,
McCann added, because they feel they don’t have other good options.  [...]

Several conference attendees told *The Washington Post* they expected crypto
to thrive during President Donald Trump’s administration in part because he
has a personal stake in meme coins.

The president has been promoting two coins launched in January called $TRUMP
and $MELANIA that were created by a firm affiliated with the Trump
Organization. His association with the coins, including a recent offer to
host a dinner for top investors, has been criticized for creating a conflict
of interest.

Trump has also overseen a pullback in regulatory scrutiny of crypto
firms. In February, the U.S. Securities and Exchange Commission ruled that
meme coins are collectibles, not securities. Industry players say that could
lead to a bumper crop of newly minted meme coins.  [...]

Following the meme coin market’s moves requires dedication as the Internet
cycles from one punch line to the next. “I always have my phone in my hand,”
said Jeff Matthews, who estimates that he notches 14 to 17 hours of screen
time daily, mostly spent trading meme coins.

------------------------------

Date: Tue, 13 May 2025 17:53:56 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: If AI is so good at coding, where are the open-source contributions
 (Pivot to AI)

It’s true that a lot of open source projects really hate AI code.  There’s
several objections, but the biggest one is that users who don't understand
their own lack of competence spam the projects with time-wasting AI
garbage. The Curl project banned AI-generated security reports because they
were getting flooded with automated AI-generated “bug bounty” requests.
[LinkedIn]

More broadly, the very hardest problem in open source is not code, it’s
people -- how to work with others. Some AI users just don’t understand the
level they simply aren't working at.

One user of the LLVM compiler complained that his AI-generated pull requests
were not being taken seriously — by a compiler project, where correct
computer science and knowing precisely what the heck you’re doing is
profoundly important.

The user considered it was the unpaid volunteer coders’ “job” to take his AI
submissions seriously. He even filed a code of conduct complaint with the
project against the developers. This was not upheld. So he proclaimed the
project corrupt. [GitHub; Seylaw, archive]

This is an actual comment that this user left on another project: [GitLab]

  As a non-programmer, I have zero understanding of the code and the
  analysis and fully rely on AI and even reviewed that AI analysis with a
  different AI to get the best possible solution (which was not good enough
  in this case).

You can see why people don’t really want to deal with this sort of
contribution. But maybe we’ll get a flood of obviously excellent AI code
-- and AI code submitters -- next year.

https://pivot-to-ai.com/2025/05/13/if-ai-is-so-good-at-coding-where-are-the-open-source-contributions/

------------------------------

Date: Sat, 10 May 2025 21:31:38 -0400
From: Monty Solomon <monty () roscom com>
Subject: How Apple Created a Legal Mess When It Skirted a Judge’s Ruling

Court documents show the company commissioned a sham report and lied on the
stand to justify its actions, which will cast a shadow over future lawsuits.

https://www.nytimes.com/2025/05/09/technology/apple-app-store-antitrust.html

------------------------------

Date: Sat, 10 May 2025 21:39:32 -0400
From: Monty Solomon <monty () roscom com>
Subject: How to Secure Your Phone’s Data Before Traveling Abroad (NYTimes)

Here are some best practices for safeguarding sensitive personal data.

https://www.nytimes.com/2025/04/30/technology/personaltech/travel-burner-phone-cbp.html

------------------------------

Date: Sat, 10 May 2025 22:54:46 -0400
From: Monty Solomon <monty () roscom com>
Subject: Thumbprint on Cigarette Carton Cracks a 48-Year-Old California
 Murder Case (NY Times)

A young mother told friends that she’d be “back in 10 minutes.” She never
returned, and the police in San Jose have now charged a man in her death.

https://www.nytimes.com/2025/05/10/us/jeanette-ralston-cold-case-murder-suspect.html

------------------------------

Date: Sun, 11 May 2025 07:00:32 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Walgreens doubles down on prescription-filling robots to cut costs,
 free up pharmacists amid turnaround (CNBC)

Walgreens is expanding the number of its retail stores served by its
micro-fulfillment centers as it works to turn itself around and prepares to
go private.

As struggling drugstore chains work to regain their footing, Walgreens is
doubling down on automation.

The company is expanding the number of retail stores served by its
micro-fulfillment centers, which use robots to fill thousands of
prescriptions for patients who take medications to manage or treat diabetes,
high blood pressure and other conditions.

Walgreens aims to free up time for pharmacy staff, reducing their routine
tasks and eliminating inventory waste. Fewer prescription fills would allow
employees to interact directly with patients and perform more clinical
services such as vaccinations and testing.  [...]

https://www.cnbc.com/2025/05/11/walgreens-doubles-down-on-robots-to-fill-prescriptions-amid-turnaround.html

------------------------------

Date: Fri, 9 May 2025 10:12:25 PDT
From: Peter Neumann <neumann () csl sri com>
Subject: Smart Phones Finally Getting Expelled in Classes (New York Magazine)

NY Magazine, 8 May 2025

Starting at the beginning of the 2025–26 school year, New York public and
charter schools will be implementing plans for “bell-to-bell” smartphone
bans, which prohibit the “unsanctioned use of smartphones and other
Internet-enabled personal devices on school grounds in K-12 schools for the
entire school day.”

Yes, there is a growing trend of schools and states banning or restricting
student smartphone use, particularly during class time. This is driven by
concerns about student distraction, mental health, and the potential for
bullying and negative social behaviors. Many states, including Florida,
Indiana, and New York, have already implemented or are planning to implement
such bans.

------------------------------

Date: Wed, 14 May 2025 22:46:42 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: A VPN Company Canceled All Lifetime Subscriptions, Claiming It
 Didn't Know About Them (WiReD)

In March, complaints started appearing online about lifetime subscriptions
to VPNSecure no longer working.

The new owners of VPN provider VPNSecure have drawn ire after canceling
lifetime subscriptions. The owners told customers that they didn’t know
about the lifetime subscriptions when they bought VPNSecure, and they cannot
honor the purchases.

The first public response Ars Technica found came on April 28, when lifetime
subscription holders reported receiving an email from the VPN provider
saying: “To continue providing a secure and high-quality experience for all
users, Lifetime Deal accounts have now been deactivated as of April 28th,
2025.”

A copy of the email from “The VPN Secure Team” and posted on Reddit notes
that VPNSecure had previously deactivated accounts with lifetime
subscriptions that it said hadn’t been used in “over 6 months.”

The message noted that VPNSecure was acquired in 2023, “including the
technology, domain, and customer database—but not the liabilities.” The
email continues:

  Unfortunately, the previous owner did not disclose that thousands of
  Lifetime Deals (LTDs) had been sold through platforms like StackSocial. We
  discovered this only months later—when a large portion of our resources
  were strained by these LTD accounts and high support volume from users,
  who through part of the database, provided no sustaining income to help us
  improve and maintain the service.

https://www.wired.com/story/vpnsecure-canceled-all-lifetime-subscriptions-claiming-it-didnt-know-about-them

------------------------------

Date: Sat, 17 May 2025 11:32:33 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Why We're Unlikely to Get Artificial General Intelligence Anytime
 Soon (NY Times)

The titans of the tech industry say artificial intelligence will soon match
the powers of humans’ brains. Are they underestimating us?

[(No) surprise]

https://www.nytimes.com/2025/05/16/technology/what-is-agi.html?smid=nytcore-ios-share&referringSource=articleShare

------------------------------

Date: Fri, 16 May 2025 11:37:34 -0400 (EDT)
From: ACM TechNews <technews-editor () acm org>
Subject: Attack Steals Cryptocurrency by Planting False Memories in Chatbots
 (Dan Goodin)

Dan Goodin, *Ars Technica* (05/13/25), via ACM TechNews

A "context manipulation" exploit developed by Princeton University
researchers leverages prompt injection attacks against the open source
framework ElizaOS to steal cryptocurrency. ElizaOS uses large language
models to undertake blockchain-based transactions for users based on
predefined rules. The attacks depend on a feature of ElizaOS in which past
conversations are stored in an external database, which allows anyone
authorized to transact with an agent to create a false memory that triggers
an override of security defenses.

------------------------------

Date: Mon, 12 May 2025 12:58:06 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: Young Americans are investing in crypto and meme coins as a
 path to wealth (The Washington Post)

These young people see meme coins as their best shot at the American Dream.

When traditional routes to wealth feel out of reach, jokey cryptocurrencies
can look more attractive.

“Financial nihilism” is driving some members of Gen Z to crypto, said Joe
McCann, founder and CEO of Asymmetric, a crypto hedge fund that counts
itself as one of the first institutional investors in meme coins.  Young
people with high levels of student debt, who are more likely to live with
their parents than prior generations, are less inclined to stash money into
a 401(k), he said. They’d rather wager a few hundred bucks on a meme coin,
McCann added, because they feel they don’t have other good options.  [...]

Several conference attendees told The Washington Post they expected crypto
to thrive during President Donald Trump’s administration in part because he
has a personal stake in meme coins.

The president has been promoting two coins launched in January called $TRUMP
and $MELANIA that were created by a firm affiliated with the Trump
Organization. His association with the coins, including a recent offer to
host a dinner for top investors, has been criticized for creating a conflict
of interest.

Trump has also overseen a pullback in regulatory scrutiny of crypto
firms. In February, the U.S. Securities and Exchange Commission ruled that
meme coins are collectibles, not securities. Industry players say that could
lead to a bumper crop of newly minted meme coins.  [...]

Following the meme coin market’s moves requires dedication as the Internet
cycles from one punch line to the next. “I always have my phone in my hand,”
said Jeff Matthews, who estimates that he notches 14 to 17 hours of screen
time daily, mostly spent trading meme coins.

------------------------------

Date: Mon, 12 May 2025 12:55:31 -0400
From: Gabe Goldberg <gabe () gabegold com>
Subject: His X Account Was Hijacked to Sell a Fake WIRED Memecoin. Then Came
 the Backlash (WiReD)

Earlier this year, a hacker used his X account to hawk a fraudulent
WIRED-branded crypto coin. After they pulled the rug on investors, he faced
the aftermath.

https://www.wired.com/story/wired-memecoin-scam-hacked-x-account/

------------------------------

Date: Tue, 13 May 2025 08:12:00 -0700
From: "Jim" <jgeissman () socal rr com>
Subject: CISA mutes own website, shifts routine cyber-alerts to Musk's RSS,
 email (The Register)

Cripes, we were only joking when we called Elon's social network the new
state media

Iain Thomson <https://www.theregister.com/Author/Iain-Thomson>

------------------------------

Date: Mon, 12 May 2025 14:05:28 +0200
From: "Prof. Dr. Peter Bernard Ladkin" <ladkin () causalis com>
Subject: Tragedy, Fools but no Iago in sight

On Friday, 2 May, at about 17.50 local time, the driver of a Mercedes SUV
ran into pedestrians on a busy street near the centre of the city of
Stuttgart in Germany. One died; seven others were injured. It seems to have
all the indications of a tragic accident. The car is (very) expensive; the
owner was driving; his young son was sitting in the passenger seat.

The most-read newspaper in Germany is the "tabloid" Bild-Zeitung. Bild
reported the accident, as well as that the driver is a "Selfmade-Millionär"
(which is German for "selfmade millionaire") with an Internet portal on
which he sells stuff. Bild also invented a pseudonym for him, "Markus S."
(German law prevents reporting full last names in potential criminal cases,
in this case a possible charge of "causing death by negligence", fahrlässige
Tötung).

There is, however, a real Markus S., last name "Schön", who is an Internet
entrepreneur in Detmold, a city some 450+km north of the accident site in
Stuttgart. Herr Schön's site sells office and school supplies. He started
receiving hate mails and death threats almost immediately, it seems, and
sales on his site went precipitously down. Sunday 4 May he posted on
LinkedIn to say it wasn't him. The editor of Bild got in touch. Bild amended
its story to make it clear that it wasn't him, and offered him space to do
so himself (which he didn't take). By Friday 9 May it seems things were back
to "normal" for Herr Schön and his business.

All this courtesy of a story in my local paper at the weekend (10-11 May) by
Silke Buhrmester entitled "Detmolder Unternehmer bedroht" ("Detmold
businessman threatened").

  [PDL, Danke Schön.  PGN]

------------------------------

Date: Fri, 16 May 2025 07:50:00 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Riverside wants to become 'the new Detroit.' Can this self-driving
 electric bus get it there? (LA Times)

In 2023, the Riverside (CA) City Council approved a two-year pilot program
to have the Riverside Transit Agency operate, staff and maintain three
automated, fully electric shuttle buses. The first bus began serving the
Riverside Municipal Airport this week.

There is a little shuttle bus in the Inland Empire that’s fueled with big
aspirations.

It’s electric, tops out at 25 mph, and can only go on a pre-designated route
set up by the Riverside Transit Agency. But here’s a catch — it also drives
itself.

As of Monday, commuters in Riverside are the first in the country to ride a
fully self-driving, publicly accessible bus that is deployed by a city
transit agency.  [...]

https://www.latimes.com/california/story/2025-05-15/riverside-self-driving-buses

------------------------------

Date: Thu, 15 May 2025 12:56:54 +0100
From: Martin Ward <martin () gkc org uk>
Subject: IBM Vibe coding

IBM is really into the new vibe of "vibe coding":

https://www.ibm.com/think/topics/vibe-coding

There are just a few, really minor, limitations:

  "for real world applications ... vibe coding becomes challenging."

  "Code generated by AI is challenging to debug because it's dynamic and
  lacks architectural structure."

  "Applications built using AI generated code face maintenance and update
  challenges"

  "This can cause developers to struggle to understand the underlying logic"

  "Security concerns ... unseen vulnerabilities that can go unnoticed and be
  exploited"

But hey, as long as your application isn't a real world application, does
not need optimisation, you don't care about bugs, you don't need to maintain
it or understand the underlying logic, and you don't care about security,
then vibe coding is for you!

------------------------------

Date: Thu, 15 May 2025 12:56:18 +0100
From: Martin Ward <martin () gkc org uk>
Subject: How to fix your code using OpenAI

You write a try/catch and in the catch send a message to OpenAI: "Fix this
error but return only the code" and then you eval the result!

https://www.youtube.com/watch?v=TZt6thN7AU8

------------------------------

Date: Tue, 13 May 2025 21:47:44 -0600
From: Matthew Kruk <mkrukg () gmail com>
Subject: Case quacked: Flying duck caught by Swiss speed camera is repeat
 offender (BBC)

https://www.bbc.com/news/articles/c1ldnedvde9o

A duck has been caught speeding on traffic cameras in the town of Koeniz in
central Switzerland.

Local police said the mallard -- a wild duck -- was snapped on radar images
on 13 April clocking in at 52km (32 miles per hour) in a 30km zone.

Adding to the mystery, authorities said the duck was likely a repeat
offender and shared an image of a similar looking duck traveling in the same
spot, at the same speed and on the same date in 2018.

  [Perhaps the duck thought the zone was 30mph?  There's a somewhat tortured
  German pun here: Gans Gut!  However, Gans is a Goose not a duck (Ente),
  and Ganz is German for more-or-less.  So, since it might be the same duck,
  it might be flying until Die Ente Time.  PGN]

------------------------------

Date: Fri, 16 May 2025 07:13:49 -0700
From: "Jim" <jgeissman () socal rr com>
Subject: We live in the tension between overestimating risks and ignoring
 them

http://enewspaper.latimes.com/infinity/article_share.aspx?guid=80b7df93-cfb5-4ba3-a2b2-0a87bb7cd025

  [I wish it were so simple.  Lately, I have been unable to keep up with the
  huge pile of e-mail, which suggests that our readers are more tuned to the
  middle ground -- some sort of huge area in between, in which veteran RISKS
  readers are not overestimating the risks.  However, I have had to ignore a
  few items because of the huge pile of potentially fascinating items
  submitted that I cannot always read.  If you ever submit something really
  germane that I seem to have overlooked, please RESUBMIT with a subject
  line that says perhaps I UNDERLOOKED it and ask me to consider it.  That
  would make me feel much better about not missing a superb item.  PGN]

------------------------------

Date: Wed, 14 May 2025 03:35:23 -0400 (EDT)
From: Mark Brader <msb () Vex Net>
Subject: RISKS-34.62 layout

As seen in comp.risks, RISKS-34.62 contains 12 items that are second or
third occurrences of earlier items in the same issue.  (That was based on
the table of contents, but I think the body was the same way.)

  [Mark, My apologies to all readers.  I had a series of EMACS accidents
  after having completed an earlier version of the issue and then tried to
  add lots more items to try to catch up.  I think there were actually some
  dupes that were not duped in the ToC but duped in the text.  I won't try
  that again -- as it evidently created unneeded risks!  I usually keep a
  backup once I get a stable version, but did not do so this time.  And I
  don't have time to try to fix it now after it was immediately discovered
  by Lindsay Marshall in Newcastle...  PGN]

------------------------------

Date: Mon, 12 May 2025 06:19:30 +0000
From: Richard Marlon Stein <rmstein () protonmail com>
Subject: Re: FBI Says Cybercrime Cost Surpassed $16 Billion in 2024
 (Raphael Satter, RISKS 34.62)

> The Internet Crime Complaint Center of the U.S. Federal Bureau of
> Investigation (FBI) said global cybercrime costs topped $16 billion in
> 2024, up a third from the prior year.

US$ 16B is apparently hot-dog money and chump change.

The "60 Minutes" episode from 11MAY2025 entitled, "Fraud costing
U.S. government hundreds of billions a year as crime rings use stolen
identities" (see
https://www.cbsnews.com/news/fraud-costing-us-government-as-crime-rings-use-stolen-identities-60-minutes-transcript/)
reports APTs -- state-sponsored gangs of hackers in the PRC, DPRK, Russian
Federation, Iran, etc. -- liberate between US$ 500B to 750B per year using
the snowballing dark-web trove of breached PII from US citizens to commit
disaster claim fraud.

FEMA recovery funds from fires, hurricanes, and floods, and COVID-19
pandemic monies fall from cyberspace into criminals' pockets like radial
tires shed micro/nano-plastics.

------------------------------

Date: Mon, 12 May 2025 11:08:13 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Re: New Zealand's prime minister proposes social media ban for
 under-16s (RISKS-34.62)

As usual, the most contentious issue is not whether under-16s should have
their access controlled, but the proposed mechanism for verifying age, which
generally involves a scheme that impacts on the privacy rights of over-16s. 
I don't know enough about New Zealand's legal or Constitutional system to
know how much of a concern that is, but I'd guess it's not zero.  On the
positive side, at least it's not porn being talked about here.

------------------------------

Date: Mon, 12 May 2025 11:10:49 -0700
From: Steve Bacher <sebmb1 () verizon net>
Subject: Re: After an Arizona man was shot, an AI video of him addresses his
 killer in court (RISKS-34.62)

I'm satisfied that the question of juries and evidence is addressed in the
article.  But more generally, how much weight should be attached to how well
a victim impact statement is produced?  Is it a greater crime to murder a
super nice person than an average jerk?  I don't think so.

------------------------------

Date: Sat, 28 Oct 2023 11:11:11 -0800
From: RISKS-request () csl sri com
Subject: Abridged info on RISKS (comp.risks)

 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is
 comp.risks, the feed for which is donated by panix.com as of June 2011.
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to
 subscribe and unsubscribe:
   http://mls.csl.sri.com/mailman/listinfo/risks

=> SUBMISSIONS: to risks () CSL sri com with meaningful SUBJECT: line that
   includes the string `notsp'.  Otherwise your message may not be read.
 *** This attention-string has never changed, but might if spammers use it.
=> SPAM challenge-responses will not be honored.  Instead, use an alternative
 address from which you never send mail where the address becomes public!
=> The complete INFO file (submissions, default disclaimers, archive sites,
 copyright policy, etc.) has moved to the ftp.sri.com site:
   <risksinfo.html>.
 *** Contributors are assumed to have read the full info file for guidelines!

=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's
    delightfully searchable html archive at newcastle:
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
  Also, ftp://ftp.sri.com/risks for the current volume/previous directories
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
  If none of those work for you, the most recent issue is always at
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-34.00
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
 *** NOTE: If a cited URL fails, we do not try to update them.  Try
  browsing on the keywords in the subject line or cited article leads.
  Apologies for what Office365 and SafeLinks may have done to URLs.
==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

------------------------------

End of RISKS-FORUM Digest 34.63
************************

