Risks Digest

Discussion in 'Gator Bytes' started by LakeGator, Apr 25, 2015.

    LakeGator (Mostly Harmless, Moderator, VIP Member)

    Risks Digest 30.87

    RISKS List Owner

    Oct 19, 2018 8:13 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 19 October 2018 Volume 30 : Issue 87

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <The Risks Digest> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Election Integrity (The New Yorker Radio Hour)
    Election Security (Paul Burke)
    "US voter records from 19 states sold on hacking forum" (ZDNet)
    Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable to
    Attack, GAO Says (NPR)
    US weapons systems can be 'easily hacked' (BBC News)
    "Why Internet Tech Employees Are Rebelling Against Military Contracts"
    (Lauren Weinstein)
    Sky battles: Fighting back against rogue drones (bbc.com)
    "Autonomous cars on US roads with no brake pedals, steering wheels
    just edged closer" (ZDNet)
    Why you have (probably) already bought your last car (bbc.com)
    Ford tests technology that could render traffic lights obsolete
    (autoblog.com and ieee.org)
    Amazon Atlas (Gabe Goldberg)
    Turkey obtains recordings of Saudi journalist's purported killing (Yahoo)
    Apple VoiceOver iOS vulnerability permits hacker access to user photos
    (Charlie Osborne)
    Code Signing: Did Someone Hijack Your Software? (Forbes)
    When Your Boss Is an Algorithm (The New York Times)
    Facebook's former security chief warns of plan to help solve negative
    impacts (WashPost)
    The Eight Best Smart Plugs to Buy in 2018 (Lifewire)
    The impending war over deepfakes (Axios)
    What the heck is it with Windows updates? (Computerworld)
    Proof-of-concept code published for Microsoft Edge remote code execution bug
    (ZDNet)
    Donald Daters (Naked Security)
    Paramedic agrees Apple Watch Series 4 will save lives; false positives not a
    problem (9to5Mac)
    Genome Researchers Show No One's DNA Is Anonymous Anymore (Megan Molteni)
    Algorithms Designed to Fight Poverty Can Actually Make It Worse
    (Scientific American)
    Researcher finds simple way of backdooring Windows PCs and nobody notices
    for ten months (ZDNet)
    Experian credit freeze unfrozen by hackers? (Veridium)
    DC Think Tank Used Fake Social Media Accounts, A Bogus Expert, And
    Fancy Events To Reach The NSA, FBI, And White House (BuzzfeedNews)
    I fell for Facebook fake news. Here's why millions of you did, too.
    (WashPost)
    Jury duty (Rob Slade)
    Re: Molecule resonance and cellphone radiation (Richard Stein)
    Re: Fwd: NYTimes: The Auto Industry's VHS-or-Betamax Moment? (Gabe Goldberg)
    Re: innumeracy, or More than 250 people worldwide have died taking selfies
    (John R. Levine)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 15 Oct 2018 11:46:47 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Election Integrity (The New Yorker Radio Hour)

    I happened to hear Susan Greenhalgh being interviewed by Logan Lamb on *The
    New Yorker Radio Hour* on NPR on 13 Oct. She did a superb job of
    summarizing the risks associated with elections.

    Is Voting Safe? | The New Yorker Radio Hour | WNYC Studios

    Also, see Kim Zetter and Denise Merrill on NPR.
    http://www.wnpr.org/post/we-may-have-crisis-brewing-security-our-electronic-voting-machines

    ------------------------------

    From: Paul Burke <box...@gmail.com>
    Date: Wed, 10 Oct 2018 08:08:31 -0400
    Subject: Election Security

    Kim Zetter's article in *The New York Times* (26 Sep 2018) recommends paper
    ballots and better security for election machines. Fine, but not a solution.
    Counting millions of paper ballots in thousands of locations is not secure
    or affordable. Better machine security won't find or stop all bugs, insider
    risks, or serious adversaries using zero-days.

    [Machine-readable paper ballots seem to be widely preferred by people with
    an understanding of the risks. The point has long been noted that
    proprietary direct-recording devices with no paper trail are not an
    adequate solution; even with a voter-verified paper trail they are
    problematic. PGN]

    The following articles recommend security by having multiple officials
    re-tally ballots, using independent machines and software. Each re-tally
    makes it harder for bugs, insiders and hackers to hide. Scans make
    re-tallies cheap, and risk-limiting audits can check the scans' accuracy.

    Every jurisdiction can do plenty of checking now, without waiting for
    improved election machines.

    Citizen Oversight: Who's Counting Our Paper Ballots?

    *Journal of Physical Security*, "Scanners, Hashes and Election Security"
    http://rbsekurity.com/JPS%20Archives/JPS%2011(1).pdf
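    An added illustration (not from the digest or the articles it cites) of the
    "risk-limiting audit" step that checks the scanners' accuracy: sampled paper
    ballots are read by hand and compared with the scanner's record of the same
    ballot, and the audit stops only when the evidence drives the risk below the
    chosen limit. This uses Stark's "super-simple" Kaplan-Markov bound for a
    vote-for-one contest; the tallies, the 100-ballot sample and the single
    scanner misread are constructed, and GAMMA = 1.03905 is the inflation factor
    commonly used with that method.

    ```python
    """Ballot-comparison risk-limiting audit (Kaplan-Markov "super-simple" bound).

    Illustrative code with constructed data; not from the RISKS digest or the
    cited articles. Each sampled ballot is a (scanner record, hand reading) pair;
    an overstatement means the scanner credited the reported winner with more
    net margin than the paper actually carries.
    """
    import math
    from typing import Dict, List, Sequence, Tuple

    Ballot = Dict[str, int]          # candidate -> 0/1 for a vote-for-one contest
    GAMMA = 1.03905                  # error-inflation factor (assumed, per Stark)


    def diluted_margin(reported: Dict[str, int], ballots_cast: int) -> Tuple[str, float]:
        """Winner and the smallest winner-minus-loser margin as a share of all ballots."""
        ranked = sorted(reported.items(), key=lambda kv: kv[1], reverse=True)
        winner, runner_up_votes = ranked[0][0], ranked[1][1]
        return winner, (reported[winner] - runner_up_votes) / ballots_cast


    def ballot_overstatement(cvr: Ballot, hand: Ballot, winner: str,
                             losers: Sequence[str]) -> int:
        """Largest (scanner margin - hand margin) over winner/loser pairs, in votes (-2..2)."""
        def margin(b: Ballot, loser: str) -> int:
            return b.get(winner, 0) - b.get(loser, 0)
        return max(margin(cvr, l) - margin(hand, l) for l in losers)


    def kaplan_markov_pvalue(n: int, o1: int, o2: int, u1: int, u2: int,
                             mu: float, gamma: float = GAMMA) -> float:
        """Risk (P-value) after n compared ballots with the given discrepancy counts.

        o1/o2: one- and two-vote overstatements; u1/u2: understatements.
        """
        u_total = 2 * gamma / mu                      # upper bound on total error
        p = (1 - 1 / u_total) ** n
        p /= ((1 - 1 / (2 * gamma)) ** o1 * (1 - 1 / gamma) ** o2
              * (1 + 1 / (2 * gamma)) ** u1 * (1 + 1 / gamma) ** u2)
        return min(1.0, p)


    def initial_sample_size(mu: float, alpha: float, gamma: float = GAMMA) -> int:
        """Ballots to compare so that a discrepancy-free sample reaches risk limit alpha."""
        u_total = 2 * gamma / mu
        return math.ceil(math.log(alpha) / math.log(1 - 1 / u_total))


    def audit(reported: Dict[str, int], ballots_cast: int,
              sample: Sequence[Tuple[Ballot, Ballot]], alpha: float = 0.05) -> dict:
        """Compare sampled scanner records with hand readings; confirm or escalate."""
        winner, mu = diluted_margin(reported, ballots_cast)
        losers = [c for c in reported if c != winner]
        counts = {1: 0, 2: 0, -1: 0, -2: 0}
        for cvr, hand in sample:
            e = ballot_overstatement(cvr, hand, winner, losers)
            if e in counts:
                counts[e] += 1
        p = kaplan_markov_pvalue(len(sample), counts[1], counts[2],
                                 counts[-1], counts[-2], mu)
        return {"winner": winner, "diluted_margin": mu, "p_value": p,
                "confirmed": p <= alpha,              # False means: expand the sample
                "overstatements": (counts[1], counts[2]),
                "understatements": (counts[-1], counts[-2])}


    # Constructed reported result: 10,000 ballots, 10% diluted margin.
    REPORTED = {"A": 5500, "B": 4500}
    BALLOTS_CAST = 10000

    # Constructed sample of 100 ballots where the scanner and the hand reading agree.
    CLEAN_SAMPLE: List[Tuple[Ballot, Ballot]] = (
        [({"A": 1}, {"A": 1})] * 55 + [({"B": 1}, {"B": 1})] * 45)

    # Same sample, except one ballot the scanner recorded for A actually reads B:
    # a two-vote overstatement of A's margin.
    ONE_MISREAD_SAMPLE = CLEAN_SAMPLE[:-1] + [({"A": 1}, {"B": 1})]

    if __name__ == "__main__":
        _, mu = diluted_margin(REPORTED, BALLOTS_CAST)
        print("initial sample size at 5% risk:", initial_sample_size(mu, 0.05))
        print("clean sample:", audit(REPORTED, BALLOTS_CAST, CLEAN_SAMPLE))
        print("one misread:", audit(REPORTED, BALLOTS_CAST, ONE_MISREAD_SAMPLE))
    ```

    A single two-vote misread in 100 compared ballots lifts the measured risk from
    under 1% to roughly 19%, so the audit must keep sampling rather than certify.
    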

    ------------------------------

    Date: Mon, 15 Oct 2018 19:45:16 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "US voter records from 19 states sold on hacking forum" (ZDNet)

    Catalin Cimpanu for Zero Day | 15 Oct 2018
    Seller is asking $42,200 for all 19 US state voter databases.
    US voter records from 19 states sold on hacking forum | ZDNet

    The voter information for approximately 35 million US citizens is being
    peddled on a popular hacking forum, two threat intelligence firms have
    discovered. ... The two companies said they've reviewed a sample of the
    database records and determined the data to be valid with a "high degree of
    confidence."

    ------------------------------

    Date: Fri, 12 Oct 2018 12:43:00 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable to
    Attack, GAO Says (NPR)

    Bill Chappell, National Public Radio (10/09/18), via ACM TechNews,
    12 Oct 2018
    Cyber Tests Showed 'Nearly All' New Pentagon Weapons Vulnerable To Attack, GAO Says

    Most of the U.S. Department of Defense's (DoD) newest weapons systems are
    plagued by security issues, including passwords that took seconds to guess
    or were never changed from their factory settings, and cyber vulnerabilities
    that were known but never corrected, according to a new Government
    Accountability Office report. The study found the Pentagon is "just
    beginning to grapple with" the scale of the vulnerabilities to its weapons
    systems. Analysis of data from cybersecurity tests conducted on DoD weapons
    systems from 2012 to 2017 found by using simple tools and techniques,
    malefactors could hijack systems and largely operate undetected because of
    basic vulnerabilities. DoD researchers also interviewed cybersecurity
    officials, analyzing how the systems are protected and their responses to
    attacks. The report cited "widespread examples of weaknesses in each of the
    four security objectives that cybersecurity tests normally examine: protect,
    detect, respond, and recover."

    [See also the GAO report:
    Weapon Systems Cybersecurity: DoD Just Beginning to Grapple with Scale of
    Vulnerabilities, GAO, 9 Oct 2018
    https://www.gao.gov/products/GAO-19-128
    and
    New U.S. Weapons Systems Are a Hackers' Bonanza, Investigators Find
    Authorized hackers needed only hours to break into weapons systems the
    Pentagon is acquiring, and in many cases teams developing the systems were
    oblivious to the hacking.
    https://www.nytimes.com/2018/10/10/us/politics/hackers-pentagon-weapons-systems.html
    The entire 50-page report is at https://www.gao.gov/assets/700/694913.pdf .
    PGN]

    ------------------------------

    Date: Fri, 12 Oct 2018 00:13:02 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: US weapons systems can be 'easily hacked' (BBC News)

    [...] That includes the newest F-35 jet as well as missile systems.

    The report's main findings were:

    * The Pentagon did not change the default passwords on multiple weapons
    systems - and one changed password was guessed in nine seconds.
    * A team appointed by the GAO was able to easily gain control of one weapons
    system and watch in real time as the operators responded to the hackers.
    * It took another two-person team only one hour to gain initial access to a
    weapons system and one day to gain full control.
    * Many of the test teams were able to copy, change or delete system data,
    with one team downloading 100 gigabytes of information.

    https://www.bbc.com/news/technology-45823180

    ------------------------------

    Date: Mon, 15 Oct 2018 09:30:57 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: "Why Internet Tech Employees Are Rebelling Against Military Contracts"

    via NNSquad
    https://lauren.vortex.com/2018/10/1...yees-are-rebelling-against-military-contracts

    Of late we've seen both leaked and open evidence of many employees at
    Internet tech firms in the U.S. rebelling against their firms participating
    in battlefield systems military contracts, mostly related to cloud services
    and AI systems.

    Some reactions I've seen to this include statements like "those employees
    are unpatriotic and aren't true Americans!" and "if they don't like the
    projects they should just quit the firms!" (the latter as if everybody with
    a family was independently wealthy).

    Many years ago I faced similar questions. My work at UCLA on the early
    ARPANET (a Department of Defense project) was funded by the military, but
    was research, not a battlefield system. A lot of very important positive
    research serving the world has come from military funding over the years and
    centuries.

    When I was doing similar work at RAND, the calculus was a bit more complex
    since RAND's primary funding back then was also DOD, but RAND provided
    analytical reports to decision makers, not actual weapons systems. And RAND
    had a well-earned reputation of speaking truth to power, even when that
    truth was not what the power wanted to hear. I liked that.

    But what's happening now is different. The U.S. military is attempting to
    expand its traditional "military-industrial" complex (so named during a
    cautionary speech by President Eisenhower in 1961) beyond the traditional
    defense contractors like Boeing, Lockheed, and Raytheon.

    The new battle systems procurement targets are companies like Google,
    Amazon, and Microsoft.

    And therein lies the root of the problem.

    Projects like Maven and JEDI are not simply research. They are active
    battlefield systems. JEDI has been specifically described by one of its top
    officials as a program aimed at "increasing the lethality of our
    department."

    When you sign on for a job at any of the traditional defense contractors,
    you know full well that battlefield operational systems are a major part of
    the firms' work.

    But when you sign on at Google, or Microsoft, or Amazon, that's a different
    story.

    Whether you're a young person just beginning your career, or an old-timer
    long engaged in Internet work, you might quite reasonably expect to be
    working on search, or ads, or networking, or a thousand other areas related
    to the Net -- but you probably did not anticipate being asked or required to
    work on systems that will actually be used to kill people.

    The arguments in favor of these new kinds of lethal systems are well
    known. For example, they're claimed to replace soldiers with AI and make
    individual soldiers more effective. In theory, fewer of our brave and
    dedicated volunteer military would be injured or killed. That would be great
    -- if it were truly accurate and the end of the story.

    But it's not. History teaches us that with virtually every advance in
    operational battlefield technology, there are new calls for even more
    military operations, more "interventions," more use of military power. And
    somehow the promised technological advantages always seem to be somehow
    largely canceled out in the end.

    So one shouldn't wonder why Google won't renew their participation in Maven,
    and has now announced that they will not participate in JEDI -- or why many
    Microsoft employees are protesting their own firm's JEDI participation.

    And I predict that we're now only seeing the beginnings of employees being
    unwilling to just "go along" with working on lethal systems.

    The U.S. military has made no secret of the fact that they see cloud
    environments, AI, robotics, and an array of allied high technology fields as
    the future of lethal systems going forward.

    It's obvious that we need advanced military systems at least for defensive
    purposes in today's world. But simply assuming that employees at firms that
    are not traditional defense contractors will just "go along" with work on
    lethal systems would be an enormous mistake. Many of these employees are
    making much the same sorts of personal decisions as I did long ago and have
    followed throughout my life, when I decided that I would not work on such
    systems.

    The sooner that DOD actually understands these realities and recalibrates
    accordingly, the better.

    ------------------------------

    Date: Mon, 15 Oct 2018 07:55:51 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Sky battles: Fighting back against rogue drones (bbc.com)

    https://www.bbc.com/news/business-45824096

    Risk: Drone-seeking capture munitions accidentally target low-flying piloted
    air vehicles, like traffic observation or police helicopters.

    ------------------------------

    Date: Thu, 11 Oct 2018 21:50:48 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Autonomous cars on US roads with no brake pedals, steering wheels
    just edged closer" (ZDNet)

    [I so love the smell of a live beta in the morning ...]

    Liam Tung | October 10, 2018
    US paves the way for new rules catering to autonomous vehicles without human
    controls.

    https://www.zdnet.com/article/auton...ake-pedals-steering-wheels-just-edged-closer/

    opening text:

    Road users in the US may soon see self-driving cars without human controls
    under a pilot program proposed by the US National Highway Traffic Safety
    Administration (NHTSA).

    The agency is seeking public feedback on a proposed pilot to test vehicles
    "that lack controls for human drivers and thus may not comply with all
    existing safety standards" and do so in real-world scenarios, it said in a
    document released Thursday.

    ------------------------------

    Date: Fri, 12 Oct 2018 09:45:56 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Why you have (probably) already bought your last car (bbc.com)

    https://www.bbc.com/news/business-45786690

    "The company's exponential growth is evidence of how powerful the Uber
    business model is.

    "Now take out the driver. You've probably cut costs by at least 50%."

    And take out pedestrians. Interesting to watch insurance companies and AV
    manufacturers, with a helping handout to politicians, compete for favorable
    legislation that enables and promotes a silicon-based, AV-supreme
    environment that indemnifies liability.

    Some businesses, lobbyists, and politicians are literally banking on the
    idea that the public will become inured to silicon-based AV fatalities and
    injuries. Stephen King's "Christine" was a harbinger for this outcome.

    The foundation to suppress incident reporting already exists within the
    bureaucracy. All that's missing are the "Red Asphalt" streets and wealth
    transferred to the few indemnified purveyors and operators of AVs at the
    expense of public health.

    Oh wait...that situation, courtesy of carbon-based vehicle operators, is
    manifest, so what's the AV ruckus all about? In a single symbol: $.

    ------------------------------

    Date: Tue, 16 Oct 2018 10:42:15 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Ford tests technology that could render traffic lights obsolete
    (autoblog.com and ieee.org)

    https://www.autoblog.com/2018/10/14/ford-v2v-technology-eliminate-traffic-lights/

    An enabler for autonomous vehicle transport ecosystems, "smart
    intersections" apparently eliminate traffic signals, and instead substitute
    V2V (vehicle-to-vehicle) communications to avoid collisions or even require
    a full stop before safely proceeding.

    Discussion of "virtual traffic light" technology is fortuitously
    published here:
    https://spectrum.ieee.org/ns/Blast/Oct18/10_Spectrum_2018_INT.pdf
    (pp. 25-29).

    RISKS reports several intersection control incidents:
    signaling device overrides for emergency vehicle right-of-way
    (https://catless.ncl.ac.uk/Risks/18/94#subj5.1)
    (https://catless.ncl.ac.uk/Risks/24/26#subj7.1)

    Perhaps a pedestrian cellphone app, a V2H or H2V (human-to-vehicle) will be
    available from the motor vehicle department? Will a "California Stop"
    finally be legalized? (see
    https://www.urbandictionary.com/define.php?term=california%20stop )

    ------------------------------

    Date: Fri, 12 Oct 2018 16:04:07 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Amazon Atlas

    11 October 2018, WikiLeaks publishes a "Highly Confidential" internal
    document from the cloud computing provider Amazon. The document from late
    2015 lists the addresses and some operational details of over one hundred
    data centers spread across fifteen cities in nine countries. To accompany
    this document, WikiLeaks also created a map showing where Amazon's data
    centers are located. ...[t]his came with skepticism that it's really
    secret, noting that such data centers can be found in other ways. Pushback
    to that said yeah -- by region but not by address. Of course, in Ashburn VA
    -- throw a rock, hit a data center.

    https://wikileaks.org/amazon-atlas/map/

    ------------------------------

    Date: Sat, 13 Oct 2018 08:02:42 -0400
    From: Jose Maria Mateos <ch...@rinzewind.org>
    Subject: Turkey obtains recordings of Saudi journalist's purported killing
    (Yahoo)

    This is some cyberpunk stuff:

    ``The moments when Khashoggi was interrogated, tortured and murdered were
    recorded in the Apple Watch's memory,'' the paper said, adding that the
    watch had synched with his iPhone, which his fiancée was carrying outside
    the consulate.

    https://www.yahoo.com/news/turkey-o...urported-killing-paper-081631331--sector.html

    ------------------------------

    Date: Tue, 16 Oct 2018 19:21:08 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Apple VoiceOver iOS vulnerability permits hacker access to user photos
    (Charlie Osborne)

    Charlie Osborne for Zero Day | 15 Oct 2018
    The bug can be exploited to gain access to photos stored on a user's device.
    https://www.zdnet.com/article/apple-voiceover-iphone-vulnerability-permits-access-to-user-photos/

    ------------------------------

    Date: Fri, 12 Oct 2018 00:11:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Code Signing: Did Someone Hijack Your Software? (Forbes)

    https://www.forbes.com/sites/forbes...id-someone-hijack-your-software/#5b9ca0063a27

    ------------------------------

    Date: Sat, 13 Oct 2018 16:23:48 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: When Your Boss Is an Algorithm (The New York Times)

    There are nearly a million active Uber drivers in the United States and
    Canada, and none of them have human supervisors. It's better than having a
    real boss, one driver in the Boston area told me, ``except when something
    goes wrong.''

    When something does go wrong, Uber drivers can't tell the boss or a
    co-worker. They can call or write to `community support', but the results
    can be enraging. Cecily McCall, an African-American driver from Pompano
    Beach, Fla., told me that a passenger once called her `dumb' and `stupid',
    using a racial epithet, so she ended the trip early. She wrote to a support
    rep to explain why and got what seemed like a robotic response: ``We're
    sorry to hear about this. We appreciate you taking the time to contact us
    and share details.''

    The rep offered not to match her with that same passenger again. Disgusted,
    Ms. McCall wrote back, ``So that means the next person that picks him up he
    will do the same while the driver gets deactivated'' -- fired by the
    algorithm -- because of a low rating or complaint from an angry
    passenger. ``Welcome to America.''

    https://www.nytimes.com/2018/10/12/opinion/sunday/uber-driver-life.html

    ------------------------------

    Date: Thu, 18 Oct 2018 17:04:12 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Facebook's former security chief warns of plan to help solve
    negative impacts (WashPost)

    https://www.washingtonpost.com/tech...chs-negative-impacts-has-plan-help-solve-them

    Dr. Strangelove had a plan too...

    Stamos proposes establishing "The Stanford Internet Observatory," a forum to
    debate and assess technology's potential downsides, but behind The Hoover
    Institution's closed doors. "The Hoover Institution seeks to improve the
    human condition by advancing ideas that promote economic opportunity and
    prosperity, while securing and safeguarding peace for America and all
    mankind." https://www.hoover.org/library-archives/about/our-mission

    If the technology is classified, closed doors are essential to protect
    national security. Technology for-profit that potentially jeopardizes public
    health, safety, or institutional trust mandates transparent discussion to
    reveal risks, and assess mitigation prior to deployment.

    Would the Observatory disclose findings that dissuade future investments
    into, or deployment of injurious, capriciously governed, and exploitable
    technology that promotes addiction, weakens democracy, but generates
    "boxcar" investor returns?

    Public injury is one technological downside that has been neglected for too
    long. Jurisprudence offers a certain remedy to redress injury.

    Contractual liability exemptions proliferate, especially for technology
    (principally stacks of software). An indemnification privilege/right often
    appears in user license agreements. https://policies.google.com/terms and
    search for "indemnify" for example.

    Restrict indemnification from user contracts/licenses, and the business
    incentive to publish stacks that injure persons, property, or public trust,
    though unintentional, will diminish. Few organizations possess sufficient
    confidence or maturity to publish software without it.

    One possible alternative to the indemnification privilege might be for a
    software publisher to voluntarily disclose, for independent inspection,
    certain software life cycle collateral: Test plans, test results, defect
    logs, COTS or open source dependencies, product risk and mitigation
    registry, etc. can provide valuable insight into the organizational rigor
    applied to qualify publication viability or fitness.

    An informed body of experts, a technology publication viability board
    (TPVB), can independently assess release readiness and provide an opinion of
    production software life cycle maturity, compare the product to known Common
    Vulnerabilities and Exposures (CVE) records, and offer guidance or a rating
    about potential public impact prior to publication deployment.

    A TPVB enfranchised as a public, non-profit, conflict-free rating agency can
    offer an assessment based on evidence of publication merit that exceeds a
    business' motive to release at all costs and subject to their license terms
    and conditions. No bureaucrats on the TPVB. These investigators must possess
    exceptional interdisciplinary software, hardware, and triage skills. Funding
    might be derived from a flat corporate tax based on product usage
    consumption and public impact, ecosystem size deployment, or stack
    complexity.

    Questions to ask about a TPVB:

    Would the TPVB be similar to the rating agencies that were "shopped" by Wall
    Street bond sellers, a key contributor to the 2008 financial crisis? How to
    suppress institutional corruption, manipulation, and preserve TPVB
    independence and integrity?

    What would be the TPVB's mission scope, priorities, and governing
    parameters? How do existing or forecast user base/audience or access size,
    license price, deployment target by industry or economic segment: critical
    infrastructure, transportation, public service/elections/entitlements,
    entertainment/gaming, medical/hospital/life critical, etc. apply to TPVB's
    operation and mandate?

    Would TPVB grant rating exemptions for "grandfathered" stacks or ecosystems,
    like OS360 or legacy stacks like a Fortran II compiler?

    What standards and industry best practices should the TPVB apply for
    stack/ecosystem evaluation? What weights should be assigned to any
    evaluation factors given the stack's stated business purpose? What
    evaluation factors would represent public interest, health, safety or be
    relevant for institutional trust preservation? What weight would these
    factors deserve and how would they be factored?

    What collateral content items are required to initiate evaluation? Should
    this content use standardized templates to simplify inspection and rating
    determination? Should the TPVB publish a simulator to enable business
    "self-assessment" before submission? Should the TPVB be subject to an
    assessment completion SLA?

    What commercial interfaces/contacts and communication protocols are
    permitted/prohibited during consultation prior to rating determination?

    What criteria would the TPVB apply to generate a public-friendly rating?
    What constraints would be placed on an assigned rating to aid consumer
    interpretation?

    How would financial markets interpret negative TPVB information and factor
    it into forward earning projections?

    ------------------------------

    Date: Wed, 10 Oct 2018 18:00:20 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Eight Best Smart Plugs to Buy in 2018 (Lifewire)

    https://www.lifewire.com/best-smart-plugs-4163001

    Welcome to basic home automation -- but I'm still not ready to put home IoT
    devices online.

    [Imagine every wall plug in your house or office supposedly being as smart
    as you are with AI controlling every IoT device, but perhaps much dumber
    with respect to risks. Security? Integrity? Surveillance? Privacy
    problems? Fire hazards? Sounds like overkill to me. PGN]

    ------------------------------

    Date: Sun, 14 Oct 2018 19:58:41 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The impending war over deepfakes (Axios)

    https://www.axios.com/the-impending-war-over-deepfakes-b3427757-2ed7-4fbc-9edb-45e461eb87ba.html

    [AND DON'T MISS THE TWO LINKS AT THE END OF THE ARTICLE!]

    EXCERPT:

    Researchers are in a pitched battle against deepfakes, the artificial
    intelligence algorithms that create convincing fake images, audio and
    video, but it could take years before they invent a system that can sniff
    out most or all of them, experts tell Axios.

    Why it matters: A fake video of a world leader making an incendiary threat
    could, if widely believed, set off a trade war -- or a conventional
    one. Just as dangerous is the possibility that deepfake technology spreads
    to the point that people are unwilling to trust video or audio evidence.

    The big picture: Publicly available software makes it easy to create
    sophisticated fake videos without having to understand the machine learning
    that powers it. Most software swaps one person's face onto another's body,
    or makes it look like someone is saying something they didn't.

    This has ignited an arms race between fakers and sleuths.

    ------------------------------

    Date: Sat, 13 Oct 2018 21:50:29 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "What the heck is it with Windows updates?" (Computerworld)

    Steven J. Vaughan-Nichols, *Computerworld*, Oct 10 2018
    Lately, it's been difficult to update Windows systems without running
    into some showstopping bugs. WTH is going on?
    https://www.computerworld.com/artic...what-the-heck-is-it-with-windows-updates.html

    selected text:

    The story, Microsoft now admits, is that the 1809 release erases, for some
    people, all files in the \Documents, \Pictures, \Music, and \Videos folders.
    The folders are still there, but nothing's left in them. It's sort of the
    neutron bomb of Windows updates.

    How could this happen? Seriously, how can you have a release that does this
    to users? Where was the quality assurance team? Where were all those Windows
    10 Insider Preview users? Oh, wait. The brave beta users had seen this
    problem! ZDNet's Ed Bott reported last week that he'd found a report from
    three months ago from a tester who said that "my Documents folder had been
    overwritten with a new Documents folder, complete with custom icon. All
    contents were gone."

    Once more, and with feeling: WTH, Microsoft!

    How hard is this really, Microsoft? You literally have millions of Preview
    users. At least one of them spotted this newest bug months before release.
    There may not be many people running into this problem, but anything bad
    enough to destroy users' files should be a red-letter, fix-it-now bug. It
    has proved bad enough that Microsoft has stopped the 1809 upgrade in its
    tracks until the problem gets resolved.

    ------------------------------

    Date: Thu, 11 Oct 2018 22:29:53 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Proof-of-concept code published for Microsoft Edge remote code
    execution bug" (ZDNet)

    Catalin Cimpanu for Zero Day | October 12, 2018
    The PoC can be hosted on any website and requires that users press the Enter
    key just once.

    https://www.zdnet.com/article/proof...for-microsoft-edge-remote-code-execution-bug/

    selected text:

    A security researcher has published today proof-of-concept code which an
    attacker can use to run malicious code on a remote computer via the
    Microsoft Edge browser.

    Such PoCs are usually quite complex, but Al-Qabandi's code is only HTML and
    JavaScript, meaning it could be hosted on any website.

    According to the researcher, all the attacker needs to do is trick a user
    into accessing a malicious website hosting the PoC via an Edge browser, and
    then press the Enter key. Once the user lets go of the Enter key, the PoC
    runs and executes a Visual Basic script via the Windows Script Host (WSH)
    default application.

    ------------------------------

    Date: Thu, 18 Oct 2018 09:25:39 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Donald Daters (Naked Security)

    [When I typed in that subject line into the input field on the ISC2
    "community," one of the suggestions that came up was "Twitter and hate
    speech" ...]

    Someone made an app for dating Trump followers. (No, not carbon dating. An
    actual dating app for supporters of Donald Trump, so they could find and
    date other followers of Donald Trump.) It was open to everyone on Monday
    morning.

    https://nakedsecurity.sophos.com/20...o-trump-singles-exposes-users-data-at-launch/
    or https://is.gd/hIr01d

    A little more open than the creators intended (unless the creators are a
    secret cabal of Democrats, wanting information on all of The Donald's
    supporters). The database contained pretty much all information, including
    names, profile info and photos, private messages, and session tokens (so
    that you could take over accounts).

    ------------------------------

    Date: Thu, 11 Oct 2018 16:35:53 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Paramedic agrees Apple Watch Series 4 will save lives; false
    positives not a problem (9to5Mac)

    https://9to5mac.com/2018/10/09/paramedic/

    ------------------------------

    Date: Fri, 12 Oct 2018 12:43:00 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: Genome Researchers Show No One's DNA Is Anonymous Anymore
    (Megan Molteni)

    Megan Molteni, WiReD, 11 Oct 2018, via ACM TechNews, Friday, 12 Oct 2018

    Researchers at Columbia University and the Hebrew University of Jerusalem in
    Israel collaborated with MyHeritage chief science officer Yaniv Erlich, a
    computational biologist, to determine a majority of Americans with European
    ancestry can be identified through their DNA via open genetic genealogy
    databases. The team analyzed MyHeritage's dataset of 1.28 million anonymous
    persons, tallying the number of relatives with large segments of matching
    DNA to find 60% of searches returned a third cousin or closer. Further
    examination of 30 genetic profiles with the GEDmatch open data personal
    genomics database and genealogy website could make similar identification of
    relatives at a rate of 76%, yielding a list of about 850 individuals that
    could be narrowed down using basic demographic information. Erlich says he
    expects accurate identity searches in genetic databases to be possible on
    anyone who leaves even traces of DNA behind relatively soon.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1cc1cx217d2fx068985&

    ------------------------------

    Date: Wed, 17 Oct 2018 15:47:11 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Algorithms Designed to Fight Poverty Can Actually Make It Worse
    (Scientific American)

    https://www.scientificamerican.com/...-to-fight-poverty-can-actually-make-it-worse/

    The Nov 2018 issue of *Scientific American* has a special section on "The
    Science of Inequality." The referenced article presents an in depth
    discussion and investigation of algorithms applied for entitlement
    allocation and tracking/reporting, aka "Poverty Analytics."

    "The rise of automated eligibility systems, algorithmic decision making and
    predictive analytics is often hailed as a revolution in public
    administration. But it may just be a digitized return to the
    pseudoscience-backed economic rationing of the past."

    Risk: Data collection, analysis, and reporting algorithm bias
    disenfranchises elderly, needy, and disabled populations.

    ------------------------------

    Date: Wed, 17 Oct 2018 18:57:51 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Researcher finds simple way of backdooring Windows PCs and nobody
    notices for ten months (ZDNet)

    Catalin Cimpanu for Zero Day | 17 Oct 2018
    https://www.zdnet.com/article/resea...indows-pcs-and-nobody-notices-for-ten-months/

    "RID Hijacking" technique lets hackers assign admin rights to guest and
    other low-level accounts.

    opening text:

    A security researcher from Colombia has found a way of gaining admin rights
    and boot persistence on Windows PCs that's simple to execute and hard to
    stop -- all the features that hackers and malware authors are looking for
    from an exploitation technique.

    What's more surprising is that the technique was first detailed way back in
    December 2017, but despite its numerous benefits and ease of exploitation,
    it has received neither media coverage nor been seen employed in malware
    campaigns.

    ------------------------------

    Date: Thu, 18 Oct 2018 13:54:46 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Experian credit freeze unfrozen by hackers? (Veridium)

    Stop using PINs and passwords!

    Another week, another sorry tale of poor identification. This time, it's
    Experian that failed to properly secure users' PINs.

    People who froze their credit reports discovered hackers could unfreeze them
    -- even though a PIN was supposed to stop that. But Experian says it's
    ``confident that our authentication is secure.'' OK then.

    It turns out Experian had a bug in its PIN-recovery system. This was a bug
    so simple to exploit, it was barely a speedbump to a hacker who wanted to
    open credit in a victim's name.

    https://www.veridiumid.com/blog/experian-credit-freeze-unfrozen-by-hackers/

    I guess it wasn't a SAFETY PIN.

    ------------------------------

    Date: Thu, 18 Oct 2018 13:57:40 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: DC Think Tank Used Fake Social Media Accounts, A Bogus Expert, And
    Fancy Events To Reach The NSA, FBI, And White House (BuzzfeedNews)

    ICIT bills itself as "America's Cybersecurity Think Tank." But BuzzFeed News
    found it's running fake Twitter accounts and its top expert has questionable
    credentials.

    https://www.buzzfeednews.com/articl...tt-think-tank-fake-twitter-youtube#.msnKG780x

    ------------------------------

    Date: Fri, 19 Oct 2018 02:12:31 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: I fell for Facebook fake news. Here's why millions of you did, too.
    (WashPost)

    Everyone now knows the Web is filled with lies. So then how do fake Facebook
    posts, YouTube videos and tweets keep making suckers of us?

    https://www.washingtonpost.com/tech...ook-fake-news-heres-why-millions-you-did-too/

    ------------------------------

    Date: Fri, 19 Oct 2018 11:27:44 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Jury duty

    I've just got a summons for jury duty. Jury selection starts Nov. 5 and
    goes all week or until empaneled (with the trial starting as soon as
    empaneled). If I can't get myself disqualified, the trial lasts about 3
    months. So, I may miss both BC Security Day *and* SecSIG due to jury
    selection process alone, and more if I can't get myself kicked off the jury.

    In my standard conference presentation on presenting technical evidence in
    court I always point out the difficulty of giving complicated technical
    evidence, pointing out that you have to convince two lawyers, who are smart
    and knowledgeable enough to have passed law school but don't necessarily
    know technology; plus a judge, who is, by definition, an *old* lawyer; plus
    twelve people who were, you will note, too *stupid* to find a way to get
    disqualified from jury duty. My joke is coming back to haunt me ...

    [On the other hand, serving is a civic duty, and perhaps a lesson in the
    workings of the law. PGN]

    ------------------------------

    Date: Fri, 12 Oct 2018 10:03:16 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Re: Molecule resonance and cellphone radiation (Stein, RISKS-30.85)

    Alan -- Resonance is exactly what happens to water molecules inside a
    microwave oven. They are subject to vibration and rotation -- that's what
    the energy of a microwave can achieve, and hence the heating effect arising
    from friction between the rotating/vibrating molecules.

    Biological molecules also rotate and vibrate at room temperature. Microwave
    radiation (~100 micro-eVolts) from a cellphone is ~250 times less energetic
    than room temperature heat as shown below.

    At room temperature (~298 Kelvins == ~25 degrees Celsius == ~78 degrees
    Fahrenheit), E = kT (where k is Boltzmann's constant, ~8.61×10^-5 eV/K)
    yields:

    E = 25.7 meV (25 milli-eVolts). That's ~4 orders of magnitude lower than the
    ionization energy of hydrogen, carbon, and oxygen (~13 eVolts).

    Ionization from ultraviolet radiation is another matter: chemical bonds are
    busted clean and can reform incorrectly. Rather dangerous during DNA
    replication when a transcription error might arise that presages cancer
    formation (melanoma, for instance).

    ------------------------------

    Date: Wed, 17 Oct 2018 00:36:17 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Re: Fwd: NYTimes: The Auto Industry's VHS-or-Betamax Moment?
    (RISKS-30.86)

    Ned Ludd would also dislike auto manufacturers pushing vehicle software
    updates over the air when they please.

    What could go wrong? If you like Windows running updates when you're
    presenting, you'll LOVE your car updating while you're driving ("Car will
    reboot in 30 seconds").

    ------------------------------

    Date: 13 Oct 2018 10:37:05 -0400
    From: "John R. Levine" <jo...@iecc.com>
    Subject: Re: innumeracy, or More than 250 people worldwide have died taking
    selfies (Stein, RISKS-30.86)

    About 150,000 people die every day worldwide from all causes. If 250 people
    have died over six years from selfie-immolation, that is roughly 1/9 person
    per day out of that 150,000, or roughly 0.00008% of them.

    While it is unfortunate and unnecessary that those 250 people died, it is
    absurd to call it a "major public health problem". It's not even a rounding
    error.

    The CDC says 9 people per day die in the US from mobile device distracted
    accidents. That is not the same order of magnitude, it's at least two
    orders more, since the 9 people are just in the US but the 1/9 is worldwide.
    Numbers from the NHTSA say about 10% of all US fatal accidents and 15% of
    injury accidents are due to mobile distraction, so that really is a major
    public health problem.

    https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/812_381_distracteddriving2015.pdf

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.87
    ************************
     
  2. LakeGator

    Risks Digest 30.88

    RISKS List Owner

    Oct 23, 2018 5:37 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 23 October 2018 Volume 30 : Issue 88

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Drivers Wildly Overestimate What 'Semiautonomous' Cars Can Do (WiReD)
    Internet of Things (Don Wagner)
    Toward Human-Understandable, Explainable AI (computer.org)
    When AI Misjudgment Is Not an Accident (Scientific American)
    Drink too much beer at a Dallas Cowboys game? Now a free robot-driven van
    will scoop you up afterward. (WashPost)
    3D Printers Have Fingerprints, a Discovery That Could Help Trace
    3D-Printed Guns, Counterfeit Goods (University of Buffalo)
    SSH Authentication Bug Opens Door If You Say You're Logged-In (ITProToday)
    Hackers steal data of 75,000 users after Healthcare.gov FFE breach (ZDNet)
    Disrupting cyberwar with open-source intelligence (HPE)
    U.S. Begins First Cyberoperation Against Russia Aimed at Protecting
    Elections (NYTimes)
    Twitter publishes dump of accounts tied to Russian, Iranian influence
    campaigns (Ars Technica)
    Saudis' Image Makers: A Troll Army and a Twitter Insider (NYTimes)
    Banks Adopt Military-Style Tactics to Fight Cybercrime (NYTimes)
    IBM Proves a Quantum Computing Advantage Over Classical (Brian Wang)
    Microsoft's problem isn't how often it updates Windows -- it's how it
    develops it (Ars Technica)
    Susan Wojcicki on the EU's horrific Article 13 (Lauren Weinstein)
    Now Apps Can Track You Even After You Uninstall Them (Bloomberg)
    These Researchers Want to Send Smells Over the Internet (ieee.org)
    Risks of voting systems (Stewart Fist)
    Re: Election Security (John Levine, Paul Burke)
    Re: Researcher finds simple way of backdooring Windows PCs and nobody
    notices for ten months (Keith Medcalf)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 20 Oct 2018 23:01:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Drivers Wildly Overestimate What 'Semiautonomous' Cars Can Do
    (WiReD)

    Cars are getting smarter and more capable. They're even starting to drive
    themselves, a little. And they're becoming a cause of concern for European
    and American safety agencies and groups. They're all for putting better tech
    on the road, but automakers are selling systems like Tesla's Autopilot, or
    Nissan's Pro Pilot Assist, with the implied promise that they'll make
    driving easier and safer, and a new study is the latest to say that may not
    always be the case. More worryingly, drivers think these systems are far
    more capable than they really are.

    Drivers Wildly Overestimate What 'Semiautonomous' Cars Do

    ------------------------------

    Date: Sun, 21 Oct 2018 15:08:37 +0200
    From: Zap Katakonk <zapkatakon...@gmail.com>
    Subject: Internet of Things

    In the Wild West, a cowboy was a man who, if he had to go a mile north,
    would walk two miles south to get a horse, so he could ride there. The IoT
    appears to be a product of computer cowboys.

    Don Wagner <http://donwagner.dk>

    ------------------------------

    Date: Sat, 20 Oct 2018 20:26:36 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Toward Human-Understandable, Explainable AI (computer.org)

    http://www.computer.org/csdl/mags/co/2018/09/index.html

    Explainable AI (XAI), as defined by Hani Hagras, possesses these
    characteristics:

    "Transparency: We have a right to have decisions affecting us explained to
    us in terms, formats, and languages we can understand.

    "Causality: If we can learn a model from data, can this model provide us
    with not only correct inferences but also some explanation for the
    underlying phenomena?

    "Bias: How can we ensure that the AI system has not learned a biased view of
    the world based on shortcomings of the training data or objective function?

    "Fairness: If decisions are made based on an AI system, can we verify that
    they were made fairly?

    "Safety: Can we gain confidence in the reliability of our AI system without
    an explanation of how it reaches conclusions?"

    These XAI characteristics, if demonstrably deterministic, can aid triage and
    reconstruction of an AI platform's processing activities. A platform's XAI
    compliance certification may deter and preclude worst-case, post-deployment
    consequences.

    AI platform publishers can serve public health and welfare by demonstrating
    XAI characteristics prior to deployment. A public service that operates a
    compliance simulation can enhance public safety, and reinforce social trust
    for AI. XAI certification might be used as a selling point, similar to a
    label from the Underwriters Laboratory or a Consumer Reports ranking.

    Autonomous vehicles (AVs) exemplify AI platforms. They promote and aspire to
    embody safety capabilities that outperform carbon-based drivers, at least
    per NHTSA statistics. Unless operation and failure modes can be simply
    explained, AVs will remain a technological eight-ball. XAI characterization
    affords one means to educate a skeptical public. But AV manufacturers must
    proactively and transparently disclose traffic accident initiators and
    processing sequences.

    Attorneys will find it difficult to argue that Robocar-5 "LiDAR image
    Bayesian decision anomaly suppression logic" is safer than a distracted or
    inebriated carbon-based driver.

    Given the tarnished reputation acquired from prior incidents, AV
    manufacturers have become taciturn. See
    https://www.washingtonpost.com/tech...bbb99a-91f7-42ec-9b9b-e0cb36ae6be8_story.html

    XAI compliance may be their best hope, and last chance, to rehabilitate
    their image.

    ------------------------------

    Date: Sat, 20 Oct 2018 20:29:48 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: When AI Misjudgment Is Not an Accident (Scientific American)

    https://blogs.scientificamerican.com/observations/when-ai-misjudgment-is-not-an-accident/

    "Injecting deliberate bias into algorithmic decision-making could be
    devastatingly simple and effective. This might involve replicating or
    accelerating pre-existing factors that produce bias. Many algorithms are
    already fed biased data. Attackers could continue to use such data sets to
    train algorithms, with foreknowledge of the bias they contained. The
    plausible deniability this would enable is what makes these attacks so
    insidious and potentially effective. Attackers would surf the waves of
    attention trained on bias in the tech industry, exacerbating polarization
    around issues of diversity and inclusion.

    "The idea of 'poisoning' algorithms by tampering with training data is not
    wholly novel. Top U.S. intelligence officials have warned that cyber
    attackers may stealthily access and then alter data to compromise its
    integrity. Proving malicious intent would be a significant challenge to
    address and therefore to deter."

    Risk: AI-generated, published content that incites widespread civil unrest,
    or financial catastrophe.

    ------------------------------

    Date: Sun, 21 Oct 2018 16:06:21 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Drink too much beer at a Dallas Cowboys game? Now a free
    robot-driven van will scoop you up afterward. (WashPost)

    https://www.washingtonpost.com/tech...-robot-driven-van-will-scoop-you-up-afterward

    "Drive.ai has attempted to distinguish itself by prioritizing
    'recognizability over beauty,' giving its Nissan vehicles bright orange
    paint jobs that are designed to grab the attention of pedestrians and
    drivers, according to company officials.

    "The vehicles operate along fixed routes, include human backup drivers and
    travel up to 35 mph. They also include exterior panels with messages -- such
    as 'waiting for you to cross' -- to take the place of a human driver making
    eye contact or gesturing with a pedestrian at a crosswalk, for example. At
    some point, the CEO said, backup drivers will be removed and the vehicles
    will operate autonomously."

    ------------------------------

    Date: Fri, 19 Oct 2018 12:16:57 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: 3D Printers Have Fingerprints, a Discovery That Could Help Trace
    3D-Printed Guns, Counterfeit Goods (University of Buffalo)

    UB News Center, 16 Oct 2018, via ACM TechNews, 19 Oct 2018

    University at Buffalo researchers have outlined the first accurate technique
    for tracing a three-dimensionally (3D)-printed object to the machine that
    produced it, which they think could help law enforcement and intelligence
    agencies track the origin of 3D-printed firearms and counterfeit products.
    The PrinTracker method identifies the unique signatures of 3D printers by
    reading the tiny imperfections within the in-fill patterns they produce in
    printed objects. The team created a set of keys from 14 common printers,
    then generated digital images of each key. Each image was filtered to
    characterize the in-fill pattern, then an algorithm aligned and calculated
    each key's variations to confirm the printer signature's authenticity;
    PrinTracker matched each key to its originating printer with 99.8% accuracy.
    PrinTracker was presented this week at the ACM Conference on Computer and
    Communications Security (ACM CCS 2018) in Toronto, Canada.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1ccf3x217f1ax069069&

    ------------------------------

    Date: Sat, 20 Oct 2018 23:17:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: SSH Authentication Bug Opens Door If You Say You're Logged-In
    (ITProToday)

    https://www.itprotoday.com/data-sec...cation-bug-opens-door-if-you-say-youre-logged

    ------------------------------

    Date: Mon, 22 Oct 2018 10:09:46 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Hackers steal data of 75,000 users after Healthcare.gov FFE breach
    (ZDNet)

    https://www.zdnet.com/article/hackers-steal-data-of-75000-users-after-healthcare-gov-ffe-breach/

    ------------------------------

    Date: Sat, 20 Oct 2018 23:20:56 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Disrupting cyberwar with open-source intelligence (HPE)

    When invaders turned the digital information space into a battlefield,
    citizen volunteers innovated a new kind of combat. Ukrainian activists are
    working on the front lines to fight information aggression.

    For better or for worse, warfare drives technology innovation. World War I
    turned the airplane from a rickety contraption into an essential force in
    battlefield dominance; World War II brought us jet planes, radar, and atom
    bombs. Today, attacks come through the Internet, not from the sky -- and so
    do the responses.

    The cyberattack offensive that Russia launched in Ukraine in 2014 introduced
    a new doctrine, hybrid warfare, that blends special-forces military action,
    sophisticated propaganda, social media manipulation, and hacking. And the
    resistance is coming from volunteers who work together.

    https://www.hpe.com/us/en/insights/...erwar-with-open-source-intelligence-1810.html

    ------------------------------

    Date: Tue, 23 Oct 2018 09:43:54 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: U.S. Begins First Cyberoperation Against Russia Aimed at Protecting
    Elections (NYTimes)

    https://www.nytimes.com/2018/10/23/us/politics/russian-hacking-usa-cyber-command.html

    American operatives are messaging Russians working on disinformation
    campaigns to let them know they've been identified. It's a measured step to
    keep Moscow from escalating.

    ------------------------------

    Date: Mon, 22 Oct 2018 10:51:34 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Twitter publishes dump of accounts tied to Russian, Iranian
    influence campaigns (Ars Technica)

    Archive for researchers provides picture of Internet Research Agency's
    influence ops.

    https://arstechnica.com/tech-policy...-tied-to-russian-iranian-influence-campaigns/

    ------------------------------

    Date: Mon, 22 Oct 2018 10:39:03 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Saudis' Image Makers: A Troll Army and a Twitter Insider (NYTimes)

    The kingdom silences dissent online by sending operatives to swarm critics.
    It also recruited a Twitter employee suspected of spying on users,
    interviews show.

    https://www.nytimes.com/2018/10/20/us/politics/saudi-image-campaign-twitter.html

    ------------------------------

    Date: Mon, 22 Oct 2018 16:50:22 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Banks Adopt Military-Style Tactics to Fight Cybercrime (NYTimes)

    Like many cybersecurity bunkers, IBM's foxhole has deliberately theatrical
    touches. Whiteboards and giant monitors fill nearly every wall, with
    graphics that can be manipulated by touch.

    ``You can't have a fusion center unless you have really cool TVs,'' quipped
    Lawrence Zelvin, a former Homeland Security official who is now Citigroup's
    global cybersecurity head, at a recent cybercrime conference. ``It's even
    better if they do something when you touch them. It doesn't matter what
    they do. Just something.''

    Security pros mockingly refer to such eye candy as `pew pew' maps, an
    onomatopoeia for the noise of laser guns in 1980s movies and video
    arcades. They are especially useful, executives concede, to put on display
    when V.I.P.s or board members stop by for a tour. Two popular `pew pew' maps
    are from FireEye and the defunct security vendor Norse, whose video
    game-like maps show laser beams zapping across the globe. Norse went out of
    business two years ago, and no one is sure what data the map is based on,
    but everyone agrees that it looks cool.

    https://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html

    Of course, a comment on the article has the solution:

    BLOCKCHAIN Software guarantees a valid trail of corrupted files, preserving
    the data. I wonder how long it will be until even that system is
    defeated. What BlockChain software the power is its distributive system,
    meaning that the data is stored in multiple private computers. Whether that
    system meets legal requirements for privacy is another question. But the
    logic is clear: if data is distributed according to a randomizing algorithm,
    that makes it a lot more complicated for intruders to be able to follow data
    and to corrupt the system to a point where it shuts down. Or worse, becomes
    subject to malware that results in ransom or other maneuvers of financial
    plundering. It is, no doubt, the bane of our digital world that the
    vulnerabilities are incomprehensible to the lay person and difficult if not
    impossible for the experts to protect fully. Things may not be at the point
    where investors are advised to purchase gold and hide under a mattress. But
    we may well be headed in that direction.

    ------------------------------

    Date: Fri, 19 Oct 2018 12:16:57 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: IBM Proves a Quantum Computing Advantage Over Classical
    (Brian Wang)

    Brian Wang, Next Big Future, 18 Oct 2018, via ACM TechNews, 19 Oct 2018

    IBM researchers have mathematically validated certain problems that require
    only a fixed circuit depth when performed on a quantum computer regardless
    of how the number of quantum bits used for inputs increases; these same
    problems require larger circuit depths on classical computers. The proof is
    that there will be problems that can only be executed on quantum systems,
    and others which can be conducted much faster on quantum computers. The
    research proves fault-tolerant quantum computers will do some tasks better
    than classical computers, and offers guidance on how to further current
    technology to leverage this as rapidly as possible. This marks the first
    demonstration of unconditional partitioning between quantum and classical
    algorithms. In practical terms, short-depth circuits are part of the
    deployments of algorithms, so this result does not specifically state how
    and where quantum computers might be better options for particular business
    problems.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1ccf3x217f19x069069&

    ------------------------------

    Date: Mon, 22 Oct 2018 10:45:04 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Microsoft's problem isn't how often it updates Windows -- it's how it
    develops it (Ars Technica)

    Buggy updates point at deeper problems.

    https://arstechnica.com/gadgets/201...shipping-windows-updates-its-developing-them/

    ------------------------------

    Date: Mon, 22 Oct 2018 09:25:34 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Susan Wojcicki on the EU's horrific Article 13

    [I agree with Susan]

    A Final Update on Our Priorities for 2018
    https://youtube-creators.googleblog.com/2018/10/a-final-update-on-our-priorities-for.html

    Article 13 as written threatens to shut down the ability of millions of
    people -- from creators like you to everyday users -- to upload content to
    platforms like YouTube. And it threatens to block users in the EU from
    viewing content that is already live on the channels of creators
    everywhere. This includes YouTube's incredible video library of
    educational content, such as language classes, physics tutorials and other
    how-tos. This legislation poses a threat to both your livelihood and
    your ability to share your voice with the world. And, if implemented as
    proposed, Article 13 threatens hundreds of thousands of jobs, European
    creators, businesses, artists and everyone they employ. The proposal could
    force platforms, like YouTube, to allow only content from a small number
    of large companies. It would be too risky for platforms to host content
    from smaller original content creators, because the platforms would now be
    directly liable for that content.

    I agree 100% with Susan regarding the EU's horrific Article 13 and the
    immense damage that it would do, particularly to smaller creators.

    ------------------------------

    From: "Dave Farber" <far...@gmail.com>
    Date: Tue, 23 Oct 2018 09:04:20 +0900
    Subject: Now Apps Can Track You Even After You Uninstall Them (Bloomberg)

    https://www.bloomberg.com/news/arti...s-can-track-you-even-after-you-uninstall-them

    ------------------------------

    Date: Sun, 21 Oct 2018 15:29:24 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: These Researchers Want to Send Smells Over the Internet (ieee.org)

    https://spectrum.ieee.org/the-human...archers-want-to-send-smells-over-the-internet

    Risk: Scent molecules trigger an allergic reaction or are
    accidentally/intentionally blended into a poisonous vapor.

    The IoT evolves into the IoA -- Internet of Aromas; IoO -- Internet of
    Odors.

    "The Emperor of Scent" by Chandler Burr discusses Luca Turin's theory of how
    the human nose scent glands apply inelastic electron tunneling to
    distinguish aromas.

    [See RISKS-28.78 for *Scent Received, With a Tap of a Smartphone*,
    Smell-o-Vision, Scent of Mystery, and Smell-O-Phones. The nose knows, and
    the nos have it? An aye for an aye! Say Neigh to the Internet of
    Thinks Stinks? PGN]

    ------------------------------

    Date: Sat, 20 Oct 2018 16:42:41 +1100
    From: Stewart Fist <stewar...@optusnet.com.au>
    Subject: Risks of voting systems

    Australians are endlessly fascinated by correspondence and articles about
    the failures and fiddles associated with the US voting system. We have
    always believed a stable and trustworthy system of ballots to be fundamental
to democracy, and we wonder why Americans don't try to reform the whole system.

    Australia has a preferential ballot system, and what is erroneously called
    *compulsory voting*.

    No one has to vote, because we also have secret ballots (we claim to have
    invented them). So if you write obscenities on the paper or leave it
    unmarked, then no one will be the wiser.

    However you do need to attend a local booth on the day of the election and
    have your name crossed on the electoral roll, and you might get a small fine
    if you don't vote and don't have a legitimate excuse why you didn't perform
    this basic civil duty.

    My American friends see this as a draconian infringement on their human
    rights. Yet (by comparison) as Rob Slade (Jury Duty, 19 Oct) points out,
his civic jury duty for a trial is likely to last 3 months -- for those too
    *stupid* not to get themselves disqualified.

    So the argument about infringement on rights is trivial to the point of
    ridiculous. In my long life-time, jury duties and Vietnam War/National
    Service conscription have been greater impositions than fifteen minutes
    spent every few years to vote.

    Security comes from the universality of enrollment. Australia rarely has
    more than trivial voting scandals because it is almost impossible to
    manipulate the system without it becoming glaringly obvious.

    So citizens don't need to have identification when they vote; no one ever
    gets scrubbed from the rolls. There are no disputes to hold up the voting
    queues, and you can cast a vote in a distant electoral district if you are
    away from home.

    Voting machines are unnecessary also because many people can vote at the
same time (which saves millions of dollars). We just put numbers alongside the
    names on the ballot paper and most Australians can count from 1 to 5. Local
    scrutineers (who are aligned with the candidates) watch while the count is
    tallied after the close of voting.

    The system is designed to keep it simple, keep technology at a distance, and
    have every citizen involved in making the final decision. You register to
    vote once when you come of age, and that is it -- unless you change
    addresses (or names when women get married).

    Preferential voting also produces an outcome more aligned to the will of the
    local electorate, and it has the additional benefit of diminishing the
    over-riding power of the two major political parties. Preference voting
    encourages independent candidates to enter the political conversation and
    add their weight to the discussion.

Americans will always have problems with the current US voting systems, and
it's about time that people faced up to that and looked at alternatives.

    Stewart Fist, 70 Middle Harbour Rd, LINDFIELD NSW 2070

    ------------------------------

    Date: 21 Oct 2018 23:48:58 +0200
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: Election Security (Burke on Zetter, RISKS-30.87)

    > ...Paper ballots and better security for election machines. Fine, but not
    > a solution. Counting millions of paper ballots in thousands of locations
    > is not secure or affordable.

    That is clearly false, since we conducted elections with hand counted paper
    ballots in thousands of locations for centuries. Canada still does.

    The ballot counting machines we use in New York count the ballots as the
    voters put them in the machine. I assume that after the polls close, they
    can lock the machine, read the totals, and call them in to get the tentative
    results. There are procedures for sealing the machines, delivering the
    ballots, and so forth which I used to know when I was an election official,
    but have since forgotten.

    I realize this may come as a surprise for people expecting instant
    gratification, but there is no need to report the results of an election
    quickly. I used to live in Cambridge MA where we used paper ballots to do
single transferable vote elections for city council and school committee.
    After the polls closed, they took the ballots to the high school gym where
    they counted them with observers and challenges. It took about a week,
    which was no problem at all since that still left plenty of time before the
    winners were certified and the new boards seated a month and a half later.

    ------------------------------

    Date: Sun, 21 Oct 2018 19:09:59 -0400
    From: Paul Burke <box...@gmail.com>
    Subject: Re: Election Security (Levine, RISKS-30.88)

    I think John Levine sees the need for independently checking paper ballots.
    The story of Cambridge and other places shows that hand-checking is
    expensive. The US has 100 to 140 million long ballots to count, and a
    history of shenanigans. Canadian voters typically vote on one contest during
    each election, so counting is far simpler and cheaper than in the US where
    we often have pages of choices.

    Ballot-counting machines in NY and most states do read each ballot and
    produce totals. Those machines are computers, and can be hacked when they
    get annual updates or sit unguarded at polling places the night before an
    election, so the "totals" they show may not reflect the ballots. A really
    good feature is that NY also recounts ballots from 3% of the machines,
    manually or with an independent machine. I'd like to see more independent
    counts, since a nation-state could hack the independent machine too, but NY
    is far ahead of states which don't check a good sample at all.
    https://www.verifiedvoting.org/state-audit-laws/
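
What a fixed-percentage machine recount like the "3% of the machines" figure above actually buys in detection terms can be worked out with a small calculation. The following is an added illustration, not New York's audit procedure or anyone's code from the digest; it assumes the audited machines are drawn uniformly at random (the post does not say how they are chosen), and it treats the question as hypergeometric: if k of N machines report wrong totals, how likely is a sample of m machines to contain at least one of them, and how large would the sample have to be to reach a chosen confidence?

```python
"""What a fixed-percentage machine recount can and cannot catch.

Added illustration (not NY's procedure). Assumption: audited machines are
chosen uniformly at random. If k of N machines report wrong totals, the
chance that a sample of m machines contains at least one of them is
1 - C(N-k, m) / C(N, m).
"""
from fractions import Fraction
from math import ceil, comb


def detection_probability(n_machines: int, n_tampered: int, sample: int) -> float:
    """P(a random sample of `sample` machines contains >= 1 of the `n_tampered`)."""
    if not 0 <= n_tampered <= n_machines or not 0 <= sample <= n_machines:
        raise ValueError("counts out of range")
    # P(miss) = C(N-k, m) / C(N, m); comb() returns 0 when m > N-k, i.e. a miss is impossible
    p_miss = Fraction(comb(n_machines - n_tampered, sample), comb(n_machines, sample))
    return float(1 - p_miss)


def percent_sample(n_machines: int, percent: float) -> int:
    """Number of machines a `percent` audit covers (rounded up, at least 1)."""
    return max(1, ceil(n_machines * percent / 100))


def machines_needed(n_machines: int, n_tampered: int, target: float) -> int:
    """Smallest sample whose detection probability reaches `target` (0 < target <= 1)."""
    for m in range(0, n_machines + 1):
        if detection_probability(n_machines, n_tampered, m) >= target:
            return m
    return n_machines  # only reached when n_tampered == 0 (nothing to detect)


def audit_table(n_machines: int, percent: float, tampered_counts) -> dict:
    """Detection probability of a `percent` audit for each assumed tampered-machine count."""
    m = percent_sample(n_machines, percent)
    return {k: round(detection_probability(n_machines, k, m), 4) for k in tampered_counts}


if __name__ == "__main__":
    # Constructed scenario: a county with 100 machines and a 3% audit (3 machines).
    print(audit_table(100, 3.0, [1, 5, 10, 25]))
    print("machines for 95% confidence if 10 of 100 are wrong:", machines_needed(100, 10, 0.95))
```

The point a practitioner takes from running it: a 3% sample is a strong deterrent against tampering spread across many machines, but a single altered machine in a hundred is found only 3% of the time, which is why the post's call for independent counts of a "good sample" matters and why risk-limiting audits size the sample from the reported margin rather than a fixed percentage.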

    ------------------------------

    Date: Fri, 19 Oct 2018 20:00:14 -0600
    From: "Keith Medcalf" <kmed...@dessus.com>
    Subject: Re: Researcher finds simple way of backdooring Windows PCs and
    nobody notices for ten months (RISKS-30.87)

    This is likely because it is irrelevant.

    Once you have the requisite NT AUTHORITY\SYSTEM level access that is
    required to carry out the "registry hack" to enable this "backdoor" there is
    no point in going to all the trouble -- and there are much easier ways to
    obtain and maintain "Administrator" rights (or whatever rights you want) on
    Windows -- especially after you have once subverted the Operating System and
    obtained NT AUTHORITY\SYSTEM privileges.

Besides which, this is not really a security problem/flaw; the system is
    merely working as designed. You can achieve just about the same thing in
    any Operating System authorization system by making similar changes to the
    information base used to generate the authorization token, and it is just as
    trivially easy once you ALREADY HAVE "Act as part of the Operating System"
    privilege.

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.88
    ************************
     
3. LakeGator
    Risks Digest 30.89

    RISKS List Owner

    Oct 30, 2018 8:15 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 30 October 2018 Volume 30 : Issue 89

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/30.89>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    MTR East Rail disruption caused by failure of both primary and backup
    (Hong Kong Free Press)
    Train stops in exactly the wrong place (Mark Brader)
    Texas straight-ticket voters report ballot concerns (Arthur Flatau, MikeA)
    Australian risks of voting systems (Sheldon)
    Re: U.S. Begins First Cyberoperation Against Russia Aimed at Protecting
    Elections (Monty Solomon)
    Tech support -- Hubble telescope (Rob Slade)
    Login glitch behind Tokyo Stock Exchange snafu (Nikkei Asian Review)
    State surveillance company leaked its own data, its customers' data, and
    its customers' victims' data (BoingBoing)
    "New Windows 10 1809 bug: Zip data-loss flaw is months old but Microsoft
    missed it" (Liam Tung via Gene Wirchenko)
    Driverless cars: Who should die in a crash? (bbc.com)
    Every minute for three months, GM secretly gathered data on 90,000
    drivers' radio-listening habits and locations (BoingBoing)
    Surgery students 'losing dexterity to stitch patients' (bbc.com)
    In Cyberwar, There are No Rules (Foreign Policy)
    Lawmakers Seek Review of Pentagon Contract Thought to Favor Amazon (WiReD)
    The customer is always right ... re: Apple iPhones (Rob Slade)
    Fun with source code (Medium)
    A Dark Consensus About Screens and Kids Begins to Emerge in Silicon Valley
    (The New York Times)
    When Trump Phones Friends, the Chinese and the Russians Listen and Learn
    (NYTimes)
    Apple appears to have blocked GrayKey iPhone hacking tool (Lucas Mearian)
    Re: Toward Human-Understandable, Explainable AI (DJC)
    Re: Explainable AI Simulation for AVs (Richard Stein)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 29 Oct 2018 22:06:46 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: MTR East Rail disruption caused by failure of both primary and
    backup (Hong Kong Free Press)

    https://www.hongkongfp.com/2018/01/11/mtr-east-rail-disruption-caused-failure-primary-backup-servers/

    ------------------------------

    Date: Mon, 29 Oct 2018 14:56:29 -0400
    From: Mark Brader <m...@vex.net>
    Subject: Train stops in exactly the wrong place (Modern Railways)

    According to a short item on page 87 of the October issue of "Modern
    Railways", on August 21 a suspected shoplifter was chased into a train
    tunnel at Amsterdam's Schiphol Airport, requiring the train service to be
    temporarily shut down. But when they went to restart it, the entire
    computerized train management system crashed and would not come back up. As
    a result, all trains throughout the greater Amsterdam area were halted from
    some time in the evening rush hour until after midnight when the bug was
    finally identified and fixed.

    "It transpired", the article says, "that one train had been stopped
    at exactly the point where the software determines which platform a
    train should use" and hence "the software continuously detected a train
    arriving at the spot and proceeded to try and allocate the non-existent
    arrival (the train was already there!) 32,000 times before the system
    crashed."
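
The failure described above is a textbook level-triggered versus edge-triggered detection bug: an occupancy sensor that stays "on" is read as "a train is arriving now" on every control cycle. The model below is an added illustration and not the Amsterdam system's code; the sensor, controller classes, the 32,000 queue limit (chosen to mirror the reported count) and the train timelines are all constructed. It contrasts the naive controller with one that allocates only on the unoccupied-to-occupied transition or when a different train appears.

```python
"""Arrival detection that re-fires while a train is parked on the sensor.

Constructed model (not the Amsterdam system's code): a train stopped exactly
on the platform-allocation point keeps the occupancy sensor "on", and a
controller that reads "occupied" as "arriving" allocates the same train
again on every control cycle until its work queue overflows.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MAX_PENDING = 32_000  # assumed queue capacity, chosen to mirror the reported count


class AllocatorOverflow(RuntimeError):
    """Raised when unresolved platform allocations exceed MAX_PENDING."""


@dataclass
class Sensor:
    """Occupancy of the allocation point on one control cycle (constructed)."""
    occupied: bool
    train_id: Optional[str]


@dataclass
class LevelTriggeredController:
    """Naive controller: any occupied cycle is treated as a fresh arrival."""
    pending: List[Optional[str]] = field(default_factory=list)
    allocations: int = 0

    def cycle(self, sensor: Sensor) -> None:
        if sensor.occupied:
            self.pending.append(sensor.train_id)  # request is never retired
            self.allocations += 1
            if len(self.pending) > MAX_PENDING:
                raise AllocatorOverflow(f"{len(self.pending)} unresolved allocations")


@dataclass
class EdgeTriggeredController:
    """Fixed controller: allocate once per arrival, i.e. on the
    unoccupied -> occupied transition or when a different train appears."""
    prev_occupied: bool = False
    prev_train: Optional[str] = None
    allocations: int = 0

    def cycle(self, sensor: Sensor) -> None:
        new_arrival = sensor.occupied and (
            not self.prev_occupied or sensor.train_id != self.prev_train
        )
        if new_arrival:
            self.allocations += 1
        self.prev_occupied = sensor.occupied
        self.prev_train = sensor.train_id if sensor.occupied else None


def run_timeline(controller, events: List[Tuple[bool, Optional[str]]]) -> Tuple[int, bool]:
    """Feed (occupied, train_id) readings to a controller.

    Returns (allocations performed, crashed).
    """
    try:
        for occupied, train_id in events:
            controller.cycle(Sensor(occupied, train_id))
    except AllocatorOverflow:
        return controller.allocations, True
    return controller.allocations, False


def parked_train(controller, cycles: int) -> Tuple[int, bool]:
    """One train sits on the allocation point for `cycles` control cycles."""
    return run_timeline(controller, [(True, "T1")] * cycles)


def two_arrivals(controller) -> Tuple[int, bool]:
    """T1 arrives and waits, leaves, then T2 arrives: exactly two genuine arrivals."""
    events = [(True, "T1")] * 5 + [(False, None)] * 2 + [(True, "T2")] * 3
    return run_timeline(controller, events)


if __name__ == "__main__":
    print("parked train, naive:", parked_train(LevelTriggeredController(), 40_000))
    print("parked train, fixed:", parked_train(EdgeTriggeredController(), 40_000))
```

The second timeline matters as much as the first: a fix that simply ignores repeated "occupied" readings would also miss a second train that arrives immediately after the first leaves, so the edge-triggered version keys on the train identity as well as the transition.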

    ------------------------------

    Date: Sat, 27 Oct 2018 08:07:15 -0500
    From: Arthur Flatau <fla...@acm.org>
    Subject: Texas straight-ticket voters report ballot concerns

    Austin American Statesman

The idea that hitting a button or other control while a screen is
    rendering is a user error is astounding. If the machine incorrectly
    interprets user input it is a bug plain and simple.

    Amid scattered complaints by straight-ticket early voters of both parties
    that their ballots did not, at first, correctly record their choice of
    either Democrat Beto O'Rourke or Republican Ted Cruz for U.S. Senate, state
    and local election officials are cautioning voters to take their time in
    voting and check the review screen for accuracy before casting ballots.

    The elections officials say the problems resulted from user error in voting
    on the Hart eSlate machines widely used in Texas -- including in Travis,
    Hays and Comal counties -- and are not the result of a machine glitch or
    malfunction.

    ``The Hart eSlate machines are not malfunctioning,'' said Sam Taylor,
    communications director for the Texas secretary of state's office. ``The
    problems being reported are a result of user error -- usually voters hitting
    a button or using the selection wheel before the screen is finished
    rendering.''

    Taylor said the office is aware of a handful of complaints and that the
    voters were able to correct their ballots before casting their votes.

    https://www.statesman.com/news/20181026/texas-straight-ticket-voters-report-ballot-concerns

    [On the other hand, this explanation might be somewhat evasive. For
example, see Kim Zetter's article on this subject: Voters in Texas aren't
    to blame for vote-switching in Cruz/O'Rourke race; a software issue known
    as a race condition or concurrency bug is, says Dan Wallach, who notes
    machine vendor failed to fix this and many other problems found with the
    Hart machines at least ten years ago.
    https://twitter.com/KimZetter/status/1057332585313910785

    Note: Dan Wallach, Rebecca Mercuri, and I testified before the Houston
City Council in July 2001 on why these machines (still in use today)
    were likely to be vulnerable. PGN]

    ------------------------------

    Date: Thu, 25 Oct 2018 20:59:15 -0500
    From: mikea <mi...@mikea.ath.cx>
    Subject: Texas straight-ticket voters report ballot concerns (RISKS-30.89)

    People have been talking about voting machines registering a vote other than
    the one the voter intended. It happened to a friend in Collin County, Texas.
    She voted Straight Democratic Party on an electronic voting machine, and had
    her votes change to all Republican candidates for the same positions. It was
    good that she noticed this before she actually hit the button to register
her votes. She noticed that the process was repeatable: straight Democratic
    party changed to straight Republican party a second time, called an election
    judge over, and demonstrated it a third time.

    The election judge reluctantly took that voting machine out of service.

    I find myself wondering if the same thing happened to others who *didn't*
    notice before they completed the vote using that machine.

    My more paranoid self, noting that these machines have no paper ballots as a
permanent record, wonders if the machine was somehow rigged to change straight
    Democratic to straight Republican -- the more so because Collin County is
    pure, saturated RGB=(255,0,0) Republican. It also wonders how many more
    machines did the same change.

    My _extremely_ paranoid self wonders if there are documents circulating
    among a small subset of election officials, with titles like "How to rig
    FooCorp voting machines to help your side".

An acquaintance who works for the election board in a Georgia county tells me
of reports that votes for the Democratic candidate for Governor were, at
the ultimate moment, being changed *in the voting machine* to votes for the
Republican candidate -- again, on all-electronic machines that don't use paper
ballots and have no audit trail.

    Paper ballots make true recounts possible. Who controls these voting machines
    controls the election.

    ------------------------------

    Date: Tue, 23 Oct 2018 22:44:19 -0400
    From: Sheldon <sheldo...@gmail.com>
    Subject: Australian risks of voting systems (RISKS-30.88)

    The Australian experience with counting votes will not work for the US.
    I've been a DRO, someone who has run a poll, at Canadian Federal, Provincial
    and Municipal Elections.

    Counting by hand the less than 200 ballots for a Federal or Provincial
    election was no problem. There is a paper ballot and one office to count. I
    told the scrutineers (partisans who watched the count) that they had a few
    seconds to look at a ballot and object. Then, I'd decide. If they didn't
like the decision, that ballot went in an envelope for disputed ballots along
with spoiled ballots. In case the vote was very, very close, they first
looked at those questionable ballots. I was one of the first to get my ballot
    box back to the riding office.

    Counting by hand a municipal election where there were two different ballots
    and 5 offices on a ballot was a nightmare. After doing one, I never did
another one. Now there are still two different ballots, but the ballots are
    counted by OCR.

    The Election lists are maintained by a non-partisan body. There are ID
requirements, but with the liberals in power, very little is required. In
    the past, the position of election officials on the day of the election was
    partisan. Now, they are happy to take anyone.

    Of course, with the mad Doug Ford in power in Ontario, no one knows where
    his madness will lead. Ontario elected an idiot knowing he was an idiot.
    We just didn't know how much of an idiot he would be.

    ------------------------------

    Date: Wed, 24 Oct 2018 18:06:58 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Re: U.S. Begins First Cyberoperation Against Russia Aimed at
    Protecting Elections (Solomon, RISKS-30.84)

    https://techcrunch.com/2018/10/23/first-cyber-operation-gentle-approach-russian-trolls/

    A line in a CV stating: "Recipient of US Cyber Command email advising to
    cease and desist election interference, and immediately end trolling in
    OCT2018" must be an honor among the Russian cyberwarrior cognoscenti.

    RISK: Does it justify a salary raise request?

    ------------------------------

    Date: Thu, 25 Oct 2018 12:10:07 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Tech support -- Hubble telescope

    Two weeks ago, the Hubble telescope experienced a gyroscope failure.

    Hubble has been very important, and has contributed enormously to our
    understanding of the universe. This is a hugely expensive device, which has
    had problems in the past. It's up in space where you can't exactly get
    someone to go and hit it with a hammer in hopes it'll start working again.

    NASA has tried a number of sophisticated procedures to get Hubble
    functioning again. They haven't worked.

    Now NASA has turned it off, and back on again.
    https://gizmodo.com/hubble-telescope-s-broken-gyroscope-seemingly-fixed-aft-1829934018 or
    https://is.gd/JgwOMu

    Hubble is working again ...

When I'm dying in hospital I want them to unplug all the tubes and plug them
    back in and see if that works ...

    ------------------------------

    Date: Tue, 30 Oct 2018 14:58:54 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Login glitch behind Tokyo Stock Exchange snafu (Nikkei Asian Review)

    https://asia.nikkei.com/Business/Markets/Login-glitch-behind-Tokyo-Stock-Exchange-snafu

    ------------------------------

    Date: Wed, 24 Oct 2018 11:44:41 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: State surveillance company leaked its own data, its customers'
    data, and its customers' victims' data (BoingBoing)

    via NNSquad
    https://boingboing.net/2018/10/24/20-gb-of-internal-data.html

    ------------------------------

    Date: Tue, 23 Oct 2018 18:31:07 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "New Windows 10 1809 bug: Zip data-loss flaw is months old but
    Microsoft missed it"

    Liam Tung, ZDNet, 23 Oct 2018

    https://www.zdnet.com/article/new-windows-10-1809-bug-zip-data-loss-flaw-is-months-old-but-microsoft-missed-it/

    A Feedback Hub user reported the latest Windows 10 October 2018 Update bug
    three months ago. Microsoft has fixed the issue in preview builds of the
    19H1 version of Windows 10, so it should be fixed in 1809 soon.

    opening text:

    Windows 10 version 1809 update is still on ice due to the data-deletion bug
    embarrassingly missed by Microsoft during preview testing.

    But the few users who did get the Windows 10 October 2018 Update have now
    discovered its built-in zip tool is doing weird things when copying files.

    As one 1809 user reported on Reddit, this version of Windows 10 is missing
    the 'Do you want to replace these files' dialog when copying from a zip
    archive to a folder with an identically named file in it.

    The problem only seems to affect the built-in zip tool in Windows File
    Explorer rather than third-party zip tools.

    The dialog is an important flag when transferring a lot of files, since it's
    an opportunity for the user to choose whether to replace the identical file,
    skip replacing the file, or compare the information stored in both files
    before taking any action.

    Without the dialog, it could be easy to unintentionally overwrite
    non-identical files.
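
The check the article says the 1809 zip tool lost is easy to state: before writing an entry, look for an existing file of the same name, compare contents, and refuse to clobber a differing file unless the user opts in. The following is an added example and not Microsoft's code or the File Explorer logic; the archive, the pre-existing files and the `extract_without_clobber` helper are all constructed for the demonstration. It extracts a small in-memory zip into a folder that already holds two of the names, one identical and one different, and contrasts the result with a plain `extractall`, which overwrites silently.

```python
"""Collision-aware zip extraction (constructed example, not Windows' code).

Shows the class of check the article describes as missing: detect an
existing file of the same name, compare contents, and leave differing
files untouched unless the caller explicitly asks to overwrite.
"""
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_without_clobber(archive: zipfile.ZipFile, dest: Path, overwrite: bool = False) -> dict:
    """Extract `archive` into `dest`, never silently replacing a differing file.

    Returns a dict with three lists of entry names:
      written   -- new files, or existing files replaced because overwrite=True
      identical -- existing files whose content already matched (nothing written)
      conflicts -- existing files with different content, left untouched
    """
    report = {"written": [], "identical": [], "conflicts": []}
    for info in archive.infolist():
        if info.is_dir():
            (dest / info.filename).mkdir(parents=True, exist_ok=True)
            continue
        target = dest / info.filename
        data = archive.read(info)
        if target.exists():
            if _sha256(target.read_bytes()) == _sha256(data):
                report["identical"].append(info.filename)
                continue
            if not overwrite:
                report["conflicts"].append(info.filename)
                continue
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)
        report["written"].append(info.filename)
    return report


def build_sample_archive() -> bytes:
    """Constructed sample archive with three entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report.txt", "Q3 figures: revised\n")
        zf.writestr("notes/readme.txt", "unchanged\n")
        zf.writestr("new.txt", "brand new file\n")
    return buf.getvalue()


def demo() -> dict:
    """Extract the sample archive into a folder that already has two of the names."""
    with tempfile.TemporaryDirectory() as tmp:
        dest = Path(tmp)
        # Pre-existing files: one differs from the archive copy, one is identical.
        (dest / "report.txt").write_text("Q3 figures: original\n")
        (dest / "notes").mkdir()
        (dest / "notes" / "readme.txt").write_text("unchanged\n")
        with zipfile.ZipFile(io.BytesIO(build_sample_archive())) as zf:
            report = extract_without_clobber(zf, dest)
            # The differing file was reported as a conflict and not touched:
            report["report_after"] = (dest / "report.txt").read_text()
            # Plain extractall() overwrites silently, the behaviour the article describes:
            zf.extractall(dest)
            report["report_after_extractall"] = (dest / "report.txt").read_text()
    return report


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Comparing hashes rather than just names is what lets the helper skip the identical file quietly while still flagging the one that differs, which is the "replace, skip, or compare" choice the missing dialog used to offer.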

    ------------------------------

    Date: Thu, 25 Oct 2018 15:29:00 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
Subject: CTA - Human-Machine Interfaces Evolve in Cars

    Switches and dials have been the norm for controlling things in cars, from
    the side mirrors to audio volume. But norms evolve. As automakers prepare
    for a world of shared self-driving cars, they’re experimenting with an array
    of human-machine interface technologies, or HMIs, including interior-facing
    cameras, gesture and voice controls, and touch-sensitive surfaces — all
    augmented by ever-smarter computing platforms.

    Voice controls are en route to be the second most-prevalent interface by
    2022, when it’s forecast to be in 80 percent of car HMIs, up from 48 percent
    in 2016, according to the consulting firm Frost & Sullivan. Data published
    last year in the firm’s Global Connected Car Market Outlook show
    touchscreens on top, with 90 percent market share by 2022, up from 29
    percent two years ago. Multifunctional controllers (50 percent from 16
    percent), handwriting recognition (30 percent from nine percent), digital
    instrument clusters (25 percent from seven percent) and head-up displays or
    HUDs (20 percent from five percent) follow. Only gesture controls will
    remain relatively rare in four years, with just five percent HMI penetration
    worldwide, but still up tremendously from 0.02 percent in 2016, Frost &
    Sullivan predicts.

    They’re helping the driver “get more accustomed to newer technologies, so
    that the user acceptance is there before he or she is going to give over
    control to the car in autonomous mode,” says Niranjan Manohar, research
    manager for connected car and automotive IoT (Internet of Things) at Frost &
    Sullivan in Detroit.

    https://www.cta.tech/News/i3/Articles/2018/September-October/Human-Machine-Interfaces-Evolve-in-Cars.aspx

    ------------------------------

    Date: Sun, 28 Oct 2018 12:51:47 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Driverless cars: Who should die in a crash? (bbc.com)

    https://www.bbc.com/news/technology-45991093

    "To get closer to an answer - if that were ever possible - researchers from
    the MIT Media Lab have analysed more than 40 million responses to an
    experiment they launched in 2014.

    "Their Moral Machine has revealed how attitudes differ across the world."

    With a software update, an AV "born" in China can be tuned for trolley
    problem "death" preferences anywhere, just like language locales for
    international-friendly applications. All the AV needs to know, per the
    "Moral Machine," are passenger/occupant ages and species.

    RISK: Does the AV have the "right" to act on its own volition if there are
    no human occupants or the passenger "species" are marginalized (insects or
    bacteria)?

    ------------------------------

    Date: Tue, 23 Oct 2018 11:11:03 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Every minute for three months, GM secretly gathered data on 90,000
    drivers' radio-listening habits and locations (BoingBoing)

    via NNSquad
    https://boingboing.net/2018/10/23/dont-touch-that-dial.html

    On September 12th, GM's director of global digital transformation Saejin
    Park gave a presentation to the Association of National Advertisers in
    which he described how the company had secretly gathered data on the
    radio-listening habits of 90,000 GM owners in LA and Chicago for three
    months in 2017, tracking what stations they listened to and for how long,
    and where they were at the time; this data was covertly exfiltrated from
    the cars by means of their built-in wifi. The company says it never sold
    this data, but the presentation to the advertising execs was clearly
    designed to elicit bids for it.

    Unless they had explicit fully-informed consent from drivers, this
    should be -- and may have been -- illegal!

    ------------------------------

    Date: Tue, 30 Oct 2018 10:53:50 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Surgery students 'losing dexterity to stitch patients' (bbc.com)

    https://www.bbc.com/news/education-46019429

    "A professor of surgery says students have spent so much time in front of
    screens and so little time using their hands that they have lost the
    dexterity for stitching or sewing up patients."

    Western medical training today emphasizes computer simulation over the
    "human touch" to learn the art. Simulated triage procedure rehearsals,
    especially from mass shooting incidents or industrial accidents, can help
    prepare medical team readiness.

    Would a surgical patient feel reassured to know that their physician learned
    colectomy or appendectomy exclusively by computer simulation rather than
    acquired via hands-on experience?

    Should surgeons be required to publicly disclose performance statistics: #
    of hours simulation practice for specific surgery, # of hands-on vs. robot
    surgery assists, # of computer-assist fatalities and incidents, etc.?

    Intuitive Surgical can cite this article to promote their da Vinci Surgical
    System.

    ------------------------------

    Date: Fri, 26 Oct 2018 10:55:32 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: In Cyberwar, There are No Rules (Foreign Policy)

    https://foreignpolicy.com/2018/09/12/in-cyberwar-there-are-no-rules-cybersecurity-war-defense/

    "If a country or terrorist group decided to take out a sitting U.S. senator
    undergoing robotically assisted surgery and then covered its tracks, the
    perpetrator's identity would be hard to pinpoint, and there would be no
    clear U.S. legal precedent for classifying the hacking of hospital equipment
    as an assassination or an act of war. Nor do there appear to be clear
    protocols for retaliation."

A verifiable cyberweapons treaty is urgently required to establish rules of
    conduct and preempt escalation.

    ------------------------------

    Date: Sun, 28 Oct 2018 21:44:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Lawmakers Seek Review of Pentagon Contract Thought to Favor Amazon
    (WiReD)

    Amazon long has been considered the likely winner of JEDI contract, as it is
    one of the only cloud providers with the infrastructure, funds, and security
    clearance necessary to meet all of the Pentagon’s requirements. The
    criticism is more acute because of the Pentagon’s insistence on awarding
    JEDI to a single bidder, rather than several companies and contractors.

    Both Oracle and IBM have filed official protests with the US Government
    Accountability Office, on the grounds that the DOD’s decision to award the
    $10 billion contract to just one company both restricts innovation and poses
    a massive security risk. “JEDI turns its back on the preferences of Congress
    and the administration, is a bad use of taxpayer dollars, and was written
    with just one company in mind,” IBM General Manager Sam Gordy said in a
    statement in advance of JEDI’s bid deadline.

    https://www.wired.com/story/lawmakers-seek-review-pentagon-contract-thought-favor-amazon/

    ------------------------------

    Date: Fri, 26 Oct 2018 10:59:22 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: The customer is always right ... re: Apple iPhones

    A while back, users of older Apple iPhones started making noises about their
    phones being "throttled" and running slower.

    Turns out they were right. Apple had found that, for certain applications,
    if the batteries were older (and possibly dying) the demands of the
    application could cause the phone to simply quit, and stop working. So an
    upgrade to the operating system checked for these conditions, and, if the
    battery showed signs of failing, would dial back the CPU cycles so that the
    crash wouldn't happen.

    Trouble is, they didn't tell people first, didn't allow any options, and
    people got upset.

    Now, they probably did the right thing, technically. (Politically, it
    wasn't so smart.) And now an Italian court has decided they did the wrong
    thing, and has fined them. (They have also fined Samsung, which may not be
    guilty of anything, for the same thing.)
    https://nakedsecurity.sophos.com/2018/10/26/apple-and-samsung-punished-for-slowing-down-old-smartphones/ or
    https://is.gd/523V2E

    If this ruling stands, it's going to make deciding on upgrades and fixes a
    very complicated business. Politically. (It was already complicated
    enough, technically ...)

    ------------------------------

    Date: Sun, 28 Oct 2018 15:46:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Fun with source code (Medium)

    Why the NSA Called Him After Midnight and Requested His Source Code
    https://medium.com/datadriveninvestor/why-the-nsa-called-me-after-midnight-and-requested-my-source-code-f7076c59ab3d

    ------------------------------

    Date: Mon, 29 Oct 2018 21:53:57 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: A Dark Consensus About Screens and Kids Begins to Emerge in Silicon
    Valley (The New York Times)

    https://www.nytimes.com/2018/10/26/style/phones-children-silicon-valley.html

    Mental illness traced to wireless mobile device (WMD) addiction has a label:
    The 'iDisorder.' See
https://www.nytimes.com/2012/05/13/business/in-idisorder-a-look-at-mobile-device-addiction-review.html
for a book review.

    Excessive mobile device usage, induced by applications that easily
    captivate, is unhealthy. Children are especially susceptible to overuse.
    While there's no equivalent to the US Surgeon General's "Smoking causes
    cancer" warning, strictly enforced mobile device access restrictions for
    adolescents constitute wise parental guidance.

    The National Institutes for Health archives several studies on the
    physiological effects arising from excessive mobile device usage.

    "The Potential Impact of Internet and Mobile Use on Headache and Other
    Somatic Symptoms in Adolescence. A Population-Based Cross-Sectional Study"
    at https://www.ncbi.nlm.nih.gov/pubmed/27255862.

    "Conclusion: Results highlighted the potential impact of excessive internet
    and mobile use, which ranges from different types of headache to other
    somatic symptoms. Further studies are needed to confirm these findings and
    to determine if there is a need for promoting preventive health
    interventions, especially in school setting."

    "Evaluation of mobile phone addiction level and sleep quality in university
    students" at https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3817775/.

    "Conclusion: The sleep quality worsens with increasing addiction level. It
    was concluded that referring the students with suspected addiction to
    advanced healthcare facilities, performing occasional scans for early
    diagnosis and informing the students about controlled mobile phone use would
    be useful."

    ------------------------------

    Date: Wed, 24 Oct 2018 16:35:22 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: When Trump Phones Friends, the Chinese and the Russians Listen and
    Learn (NYTimes)

    https://www.nytimes.com/2018/10/24/us/politics/trump-phone-security.html

    When President Trump calls old friends on one of his iPhones to gossip,
    gripe or solicit their latest take on how he is doing, American
    intelligence reports indicate that Chinese spies are often listening --
    and putting to use invaluable insights into how to best work the president
    and affect administration policy, current and former American officials
    said. Mr. Trump's aides have repeatedly warned him that his cellphone
    calls are not secure, and they have told him that Russian spies are
    routinely eavesdropping on the calls, as well. But aides say the voluble
    president, who has been pressured into using his secure White House
    landline more often these days, has still refused to give up his iPhones.
    White House officials say they can only hope he refrains from discussing
    classified information when he is on them.

    So, Trump's cellphone use is being routinely monitored by our adversaries.
    Perhaps part of his plan?

    ------------------------------

    Date: Tue, 30 Oct 2018 13:05:51 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Apple appears to have blocked GrayKey iPhone hacking tool"
    (Lucas Mearian)

    Lucas Mearian, Computerworld | Oct 25, 2018
    Apple and two companies that have worked to enable iPhone
    de-encryption continue their back-and-forth efforts.
    https://www.computerworld.com/article/3268729/apple-ios/apple-appears-to-have-blocked-graykey-iphone-hacking-tool.html

    selected text:

    Apple has apparently been able to permanently block de-encryption technology
    from a mysterious Atlanta-based company whose blackbox device was embraced
    by government agencies to bypass iPhone passcodes.

    Atlanta-based Grayshift is one of two companies that claimed it could thwart
    Apple iPhone passcode security through brute-force attacks.

    The blackbox technology purportedly worked, as Grayshift's technology was
    snapped up by regional law enforcement and won contracts with Immigration
    and Customs Enforcement (ICE) and the U.S. Secret Service.

    All GrayShift customers sign very strict non-disclosure agreements, as any
    leaked information could help Apple close the vulnerabilities they are
    using, whether they find them themselves or buy zero-day flaws in Darknet,
    said Vladimir Katalov, CEO of Russian forensic tech provider ElcomSoft.

    "Honestly, we are not absolutely sure that the hole has been completely
    closed; or maybe they will still find a workaround, or develop/buy another
    way," Katalov said via email. "So that is [a] cat and mouse game that is
    still ongoing. Now..., GrayShift will probably spend even more efforts to
    hide their findings from the media.

    "That is probably good for law enforcement, but definitely bad for the
    community, as it leaves some doors still open," Katalov added. "That's only
    a question of time when GrayKey will become available to some criminals."

    [The usual about the cat and mouse game. What I am wondering is whether
    those non-disclosure agreements are actually enforceable?]

    ------------------------------

    Date: Thu, 25 Oct 2018 09:57:27 +0200
    From: DJC <d...@resiak.org>
    Subject: Re: Toward Human-Understandable, Explainable AI (RISKS-30.88)

    We're wary about giving present-day AI the power to make decisions, partly
    because we don't know *why* it makes particular decisions, so its
    objectivity, fairness, common sense, etc., are opaque. At least where human
    beings decide, we can ask them the basis for their decisions.

    But as a matter of fact -- honesty and integrity aside -- humans aren't very
    good at knowing the grounds for their important decisions. Daniel Kahneman
    got the Nobel Prize for studying the reality of how people decide; cf. his
    book "Thinking, Fast And Slow". He and his colleagues did many, many
    experiments to expose the *real* bases for how people make decisions; and
    those bases are often not only unknown to their subjects, but impossible for
    them to know, because they happen in inaccessible processes of their
    cognition. Yet some of those processes can be exposed through careful
    experimentation over people's concrete behavior -- not what they
    self-report, but what they *do*. And that was worth a Nobel Prize.

    Kahneman acknowledges the impossibility of knowing everything about how one
    makes one's decisions, much less controlling it all. (In his book he
    proposes some personal strategies to ameliorate how bad it can be.)

    So what hope have we of transparency for the ever-more-complex AI mechanisms
    into which, even already today, we have no insight at all? Should we demand
    that, at a certain level of "importance", an AI system should be subject to
    the kind of concrete experimentation that Kahneman carried out in his
    research? How do we even know what to look for?

    Though I'm all in favor of the kind of transparency Hani Hagras proposes, I
    find it difficult to imagine how we can effectively grasp and achieve it.

    I can, though, imagine that if you're planning to do something of
    consequence -- possibly bad consequence -- that can be accomplished only
    through mechanisms neither you nor anyone else can understand, it may be
    time to step back and, simply, not do it. And that notion isn't new with
    AI.

    ------------------------------

    Date: Thu, 25 Oct 2018 18:37:52 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Re: Explainable AI Simulation for AVs

    Explainable AI (XAI), per http://catless.ncl.ac.uk/Risks/30/88/%23subj3.1
    posits that (T)ransparency, (C)ausality, (B)ias, (F)airness, (S)afety
    characteristics must be demonstrable for an AI platform to establish a basis
    for triage and public comprehension of exhibited AI behavior.

    As a release metric, suppose that AV operational control program (OCP), the
    vehicular equivalent of an aircraft Operational Flight Program (OFP) has to
    demonstrate viability V = T + C + B + F + S == 5 (assigning 1 point for each
    XAI viability factor if it passes the stimulus/response pass-fail criterion,
    0 if not), and don't publish the OCP bits until it does. Publishing with a
    viability score of 4, should (S)afety fail, implies significantly
    compromised XAI. Potential unexplained defect escape and elevated risk of AV
    OCP underachievement -- meaning public safety traffic incident frequency is
    likely to be higher, placing the AV's brand in jeopardy.

    Note: Release viability includes additional factors that I'm not being
    explicit about. Memory/descriptor leak, basic OCP function/operation,
    performance, payload/message passing, built-in-self test, behavior under
    sensor/processor error or fail-over conditions, etc. comprise a big
    "foundational" readiness component to deterministically achieve before
    attempting XAI qualification.

    Given a pile of GPUs or equivalent, construct a fictitious city-scape, that
    also has rural and suburban characteristics (buildings, fireplugs, houses,
    bushes, trees, parks, squirrels, etc). Have people, dogs, motorcycles, and
    other obstacles pop out into the driving surface, or on sidewalks at various
    distances/times, at controlled intersections, randomly/unexpectedly cross
    the street on bicycles, wheelchairs, scooters, skateboards, etc. Vary the
    weather conditions, terrain, pavement markers, hostile WiFi DoS stimulus,
    earthquakes, lighting, etc. Conceal obstacles or scenery, and then reveal
    it (remove billboards or restaurant placards), throw in some bicycles that
    swerve to avoid "dooring" incidents, or even experience "dooring" and toss
    out some tacoed bicycle wheels and prostrate bicyclists. Use buses,
    streetcars, street sweepers, free-rolling baby trolleys, swerving vehicles,
    ambulances/emergency vehicles, small aircraft landing, overturned fuel
    trucks, fiddle with the sound system, a/c, power seats, windows and door
    locks, sunroof, etc.

    The AV simulation's stimulus must generate real-time perspective images and
    sensor signaling content as detected/interpreted by LiDAR, BlueTooth, WiFi,
    RADAR, or whatever comprises standard AV sensor suites. Each stimulus
    condition must trace to one or more of the XAI viability attributes: T, C,
    B, F, S.

Run the simulation for at least an equivalent of ~160 kilometers (100
miles) @ 60 MPH/100 KPH duration with stops, traffic jams, parallel parking,
    highway merges, varying speeds, etc. and process the log files to show that
    V is achieved unconditionally or with five or more nines reliability. Then
    randomly modify it, and run again and repeat, for a total of ~1.6Mhours to
    show V deterministically achieves or over-achieves the viability score
    threshold required to publish. Publicly release all the AV OCP simulation
    stimulus conditions and processing results for review.

    https://teslatap.com/undocumented/model-s-processors-count/ says a model-S
    has ~65 cores among its LRUs (line replaceable units) suite. Call it 100
    cores to host LRU software stacks for sensor stimulus. That implies 100
    cores x 100 inputs/sec = 10000 inputs for the cores to process and output
    per second. 10000 events/sec x 3600 secs/H x 1.6H = ~58M simulated sensor
    stimulus inputs to generate, process, and output log for one
    scenario. Assumes the AV OCPs landscape is pre-generated, save for random
    physical perturbations (weather, obstacles, etc). Each scenario must be
    reproducible to assist thorough triage and reconstruct anomalies that
    generate a viability score less than 5. The scenario generator would be a
    "work of art" unto itself.

    To complete OCP qualification by divide and conquer in 1 week (24*7 = 168H)
    of wall clock means ~9Kcores + memory + disk + net, etc. rigged for
    real-time processing. Feed a credit card to Amazon Web Services and
    provision a hunk of data center (GovCloud, r5 instances, reserved for 1
    year, etc) gives ~US$ 42M for data center with 1000 GBs of network I/O.
    $42M/52 weeks ~= US$ 807K/data center week.

    Given this XAI simulator qualification scenario, the key question I think,
    is what objective criteria are used to specify and constitute T, C, B, F,
    and S for stimulus input and measurement? What standards are relevant, and
    should these factors be legislated and subject to regulation by an
    independent, conflict-free panel?

    If there's regulatory oversight for AV OCP pre-deployment qualification,
    would AV XAI be achieved under an ethically reasonable, publicly acceptable,
    and sufficiently rigorous process that entitles manufacturer indemnification
    against AV incidents and fatal accidents? Can any manufacturer engineer and
    achieve to XAI's expected qualification rigor?

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.89
    ************************
     
  4. LakeGator

    Risks Digest 30.90

    RISKS List Owner

    Nov 1, 2018 4:51 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 2 November 2018 Volume 30 : Issue 90

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/30.90>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Oops! on RISKS issues with missing subject lines (PGN)
    "Why a Helium Leak Disabled Every iPhone in a Medical Facility"
    (Daniel Oberhaus)
    Chinese spies orchestrated massive hack that stole aviation secrets
    (Ars Technica)
    How'd this government agency get infected with malware? 9,000 pages
    of porn. (WashPost)
    The spreading scourge of broken SSL implementation (Mark Thorson)
    Feds took woman's iPhone at border, she sued, now they agree to delete data
    (Ars Technica)
    Feds Also Using 'Reverse Warrants' To Gather Location/Identifying
    Info On Thousands Of Non-Suspects (TechDirt)
    The ethics of who to kill in a crash ... (Rob Slade)
    Robot backpack: How this Fusion bot aids collaboration (bbc.com)
    Bolton says he is conducting offensive cyber-action to thwart
    would-be election disrupters (WashPost)
    A new study finds potentially manipulative ads in apps for preschoolers
    (WashPost)
    Re: Explainable AI Simulation for AVs (Amos Shapir)
    Re: Toward Human-Understandable, Explainable AI (Richard Stein)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 1 Nov 2018 11:12:15 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Oops! on RISKS issues with missing subject lines

    Apologies for causing the subject line of the previous two RISKS issues to
    disappear, because of my forgetting to remove a header line in the draft
    issue that comes from my mail system and enables me to append more items.
    We are supposed to learn from our failures; long ago Henry Petroski noted
    that we don't do that very well -- and that we don't even learn enough from
    our successes either.

    This issue explicitly avoids the previous problem (which I have almost
    always assiduously avoided in past RISKS issues), and I will revert to my
    usual check-list in the future. The combination of extraneous text
    introduced by SRI's Office-365 mail system (safelinks messing with URLs,
    insertion of `[EXTERNAL SENDER]' -- which yesterday was changed to `[CAUTION
    EXTERNAL]' -- after protests that the clutter was annoying! -- in subject
    lines from mail from non-SRI subscribers, and huge piles of additional
    header cruft) are making the editing of RISKS issues much more onerous and
    time-consuming.

    If you are submitting something for consideration for RISKS, please avoid
    duplicating html versions of your ASCII submission, avoid including entire
    copies of previous messages to which you are responding, try to minimize
    non-utf-8 text, and otherwise reduce the amount of editing I have to do.
    That will help me considerably. Thanks! PGN

    ------------------------------

    Date: Thu, 01 Nov 2018 09:18:11 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Why a Helium Leak Disabled Every iPhone in a Medical Facility"
    (Daniel Oberhaus)

    Motherboard, 30 Oct 2018,

    https://motherboard.vice.com/en_us/article/gye4aw/why-a-helium-leak-disabled-every-iphone-in-a-medical-facility
Why a Helium Leak Disabled Every iPhone in a Medical Facility
    The bizarre incident happened during the installation of an MRI machine and
    was a surprise to everyone except Apple.

    selected text:

    An IT worker at a medical facility made a remarkable discovery about iPhones
    and Apple watches earlier this month, after a freshly installed MRI machine
    appeared to disable every iOS device in the hospital.

    According to Woolridge, most of the Apple devices in the facility "seemed
    completely dead." Many wouldn't give any indication of charging when plugged
    into the wall and had issues connecting to the cellular network, but not the
    wifi.

    Woolridge ran some tests of his own to see if helium could shut down an
    iPhone. He placed an iPhone 8+ in a sealed bag and added some helium. In a
    video of the test Woolridge runs a stopwatch app on the phone. The stopwatch
    increasingly speeds up throughout the course of the video before the iPhone
    freezes at around eight minutes. The helium, it seemed, was messing with the
    iPhone's clock.

    [Gabe Goldberg added:
    Helium: It's not just to make your voice sound funny. PGN]

    ------------------------------

    Date: Wed, 31 Oct 2018 23:15:36 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Chinese spies orchestrated massive hack that stole aviation secrets
    (Ars Technica)

    Feds say campaign hacked 13 firms in bid to help Chinese state-owned aerospace company.

    https://arstechnica.com/tech-policy/2018/10/feds-say-chinese-spies-and-their-hired-hackers-stole-aviation-secrets/

    ------------------------------

    Date: Tue, 30 Oct 2018 23:11:54 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: How'd this government agency get infected with malware? 9,000 pages
    of porn. (WashPost)

    How'd this government agency get infected with malware? 9,000 pages of porn.

    An employee at the U.S. Geological Survey visited more than 9,000
    pornography websites and infected the agency's network with malware,
    prompting calls to bolster security measures.

    https://www.washingtonpost.com/technology/2018/10/30/howd-this-government-agency-get-infected-with-malware-pages-porn/

    ------------------------------

    Date: Wed, 31 Oct 2018 17:00:19 -0700
    From: Mark Thorson <e...@dialup4less.com>
    Subject: The spreading scourge of broken SSL implementation

    I run the Safari browser on an iBook G4. Sure, it's an old machine, but it
    works just fine for most of what I use it for. There have always been
    websites that don't work or work well with the Safari browser, and it was no
    big deal not to bother looking at those ones. But in the last year or so,
    there has been a proliferation of broken websites I can't access at all, and
    it has now spread to websites I care about.

    When I write to the people who run these websites, the answer is always the
    same: We have to go to https otherwise Google will penalize us in the page
    rankings. When I pointed out that I can access many https sites just fine,
    one of them said that they checked with their ISP and were told that they
    are running the latest SSL implementation. I believe that is the problem.

    What would be an example of a website that works perfectly fine with my
    computer? This one:

    https://www.google.com/

    What would be examples of websites that I care about which have dropped off
    the web (as far as I'm concerned)? Here's a few of my recently deceased
    former favorites:

    https://www.ncahf.org/
    https://marginalrevolution.com/
    https://www.goldmine-elec-products.com/

    I think we can presume that Google has web engineers that are as good as any
    in the business, and they don't run broken SSL, even if it is the latest
    version. They probably check many computers and browsers to see that they
    work with the Google website, probably including mine. And they made the
    decision to use what they use because they don't want to dump any users like
    me for no good reason.

    The only solution appears to be to convince webmasters to use an SSL
    implementation that isn't broken, like what Google itself uses. And the
    only way to do that is for Google to downgrade broken SSL in page rank,
    upgrade the sites that use unbroken SSL, and make sure everybody knows it.

    ------------------------------

    Date: Wed, 31 Oct 2018 23:19:03 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Feds took woman's iPhone at border, she sued, now they agree to
    delete data

    CAIR lawyer pleasantly surprised: "We were prepared for much more pushback."

    https://arstechnica.com/tech-policy/2018/10/feds-agree-to-delete-data-seized-off-womans-iphone-during-border-search/

    ------------------------------

    Date: Thu, 1 Nov 2018 11:59:59 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Feds Also Using 'Reverse Warrants' To Gather Location/Identifying
    Info On Thousands Of Non-Suspects (TechDirt)

    https://www.techdirt.com/articles/20181027/08301740920/feds-also-using-reverse-warrants-to-gather-location-identifying-info-thousands-non-suspects.shtml

    ------------------------------

    Date: Wed, 31 Oct 2018 09:42:58 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: The ethics of who to kill in a crash ...

    Over on the (ISC)^2 "community" we're discussing the ethics of who to kill
    in a crash, a la the old trolley problem. Someone stated that he'd never
    buy/get into a car that would choose to kill him.

    The Faraday Auto Navigating Locomotive Company is proud to announce the
    2019 Faraday Watt!

    The Watt is our premier model, but priced for families. It has the greatest
    range of options in its class, including 29 cup-holders (unprecedented for a
    five seat model) and a 73 inch dashboard display.

    It also has the greatest range of user-selectable moral driving options,
    including "don't kill me," "kill me but leave my passengers alive," and "I'm
    done for, you go on and marry Alice."

    Watt! The fun moral driving solution!

    Personally, I suspect I'll have problems with cars that think they are
    smarter than I am, but I know that we should implement them as soon as
    possible because they already drive better than we do and there would be an
    instant saving of lives as soon as we do it. That's risk management.

    (And, yes, I know that there are wonderfully horrifying tales of
    self-driving cars failing recently. The plural of anecdote is not data.)

    ------------------------------

    Date: Thu, 1 Nov 2018 13:17:12 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Robot backpack: How this Fusion bot aids collaboration (bbc.com)

    https://www.bbc.com/news/av/technology-45992475/robot-backpack-how-this-fusion-bot-aids-collaboration

    Risk: GBH (grievous bodily harm) via remote takeover.

    ------------------------------

    Date: Thu, 1 Nov 2018 13:01:14 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Bolton says he is conducting offensive cyber-action to thwart
    would-be election disrupters (WashPost)

    [Note: Might make a good April Fools contribution for 2019]

    https://www.washingtonpost.com/world/national-security/bolton-acknowledges-us-has-taken-action-to-thwart-would-be-election-disrupters/2018/10/31/0c5dfa64-dd3d-11e8-85df-7a6b4d25cfbb_story.html

    "Brett Bruen, a former National Security Council official who has worked on
    countering Russian disinformation, called signaling 'a pretty ineffective'
    warning shot. 'What we have seen over recent months have been largely
    superficial steps, mostly for domestic consumption, to be able to say that
    we are doing something,' he said."

    A more effective warning shot would be analogous to what transpired in
    "French Connection 2." The French Chief Superintendent of Police in
    Marseilles called Popeye Doyle's mother.

    Call the hacker's mother and explain that her son or daughter is paid to
    interfere with American elections and post fake news stories to disrupt
    democracy. If a mother's admonishment can't change a hacker's behavior, and
    convince them to pursue less provocative career employment, nothing will!

    ------------------------------

    Date: Wed, 31 Oct 2018 20:17:45 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: A new study finds potentially manipulative ads in apps for
    preschoolers (WashPost)

    https://www.washingtonpost.com/technology/the-switch/a-new-study-finds-potentially-manipulative-ads-in-apps-for-preschoolers/2018/10/30/3cc5b606-d764-496b-a5be-b8977fbb9b4c_story.html

    "'Our findings show that the early childhood app market is a Wild West, with
    a lot of apps appearing more focused on making money than the child's play
    experience,' Jenny Radesky, a developmental behavioral expert and an author
    of the study, said in a statement. 'This has important implications for
    advertising regulation, the ethics of child app design, as well as how
    parents discern which children's apps are worth downloading.'

    "Children use mobile devices one hour every day, on average, highlighting
    the importance of researching what they encounter and how it may affect
    their health, Radesky added."

    ------------------------------

    Date: Thu, 1 Nov 2018 18:07:25 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Explainable AI Simulation for AVs (Stein, Risks 30.89)

    What's missing from the detailed list of suggested tests for qualifying
    AV's is, IMHO, the most important aspect of driving: interaction with other
    drivers, understanding their intentions, and conveying our intentions to
    them.

This point is exemplified by the accident in Las Vegas, where a truck
backed into the path of an AV: A human driver would have either used his
horn to alert the truck's driver, or started backing up, assuming the driver
behind him would realize what was going on, and also back up; the AV in
this case did neither.

    Human drivers make a lot of decisions based upon their social experience,
    not available to the current generation of AV (and probably many future
    generations): How to make sure other drivers understand our intentions?
    How are they going to react to our actions? Such decisions take into
    account our assessment of who the other driver is -- male or female, young
    or old, etc. -- and also on parameters like "Is it socially acceptable to
    use the horn in this place, or at this time of night?"

    Driving is a team effort; it seems likely that AVs will need to share the
    roads with human drivers for quite a long time, and would have to be taught
    some social skills, before they can blend in safely.

    ------------------------------

    Date: Wed, 31 Oct 2018 12:08:35 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Re: Toward Human-Understandable, Explainable AI (Resiak,
    RISKS-30.88)

    d...@resiak.org wrote:

    >Though I'm all in favor of the kind of transparency Hani Hagras proposes,
    >I find it difficult to imagine how we can effectively grasp and achieve
    >it.

    Vehicular manslaughter trial juries will likely be equally confounded.
    Consequently, vehicle manufacturers/operators will need hefty product
    liability insurance policies, unless there's regulatory or legislative
    indemnification relief.

    Unlike nuclear warfare's existential threat, the AV experiment on public
    roads raises a public health and safety risk. I certainly agree that
    sometimes, it is best to not pursue a solution that risks public health and
    safety.

    There's a lot of VC and institutional investor money expecting rapid AV
    industrial expansion. No risk, no reward. The wheels are greased to move
    forward with a bet that AVs constitute a "good enough" simulated equivalence
    of carbon-based motorist accident potential. Only a "Red Asphalt" outcome
    comparison per NHTSA statistics will prove this equivalence.

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.90
    ************************
     
  5. LakeGator

    Risks Digest 30.91

    RISKS List Owner

    Nov 6, 2018 1:44 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 6 November 2018 Volume 30 : Issue 91

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/30.91>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Like clockwork: How daylight saving time stumps hospital record
    keeping (Sydney Lupkin)
    Daylight Savings results in hospital records shutdown (New Yorker)
    How Daylight Saving Time Messes With Hospitals (Fortune)
    File-Sharing Software on State Election Servers Could Expose Them
    to Intruders (ProPublica)
    Your brain: The next hacking frontier (TechBeacon)
    Selfie attempt results in damage to artwork by Dali and Goya (CNN)
    Facebook adding extra CGI parameters to other people's links (ycombinator)
    What it's like to use Tesla's newest self-driving tech (Gabe Goldberg)
    Why Big Tech pays poor Kenyans to programme self-driving cars (bbc.com)
    EU border `lie detector' system criticised as pseudoscience (The Guardian)
    Credit Card Chips Have Failed to Halt Fraud, Survey Shows (Fortune)
    Check this out: Radisson Hotel Group 'fesses up to `security incident'
    (The Register)
    A new study finds potentially manipulative ads in apps for preschoolers
    (WashPost)
    Cisco Adaptive Security Appliance Software and Cisco Firepower Threat
    Defense Software Denial of Service Vulnerability (Cisco)
    The D in Systemd stands for 'Dammmmit!' A nasty DHCPv6 packet can pwn a
    vulnerable Linux box. (The Register)
    T Wi-Fi kit bit by TI chip slip: Wireless gateways open to
    hijacking via BleedingBit chipset vulnerability (The Register)
    ISP pissed at Elsevier Takedowns/blocks, so... (danny burstein)
    Re: Ethics of whom to kill (Wol)
    Re: Explainable AI Simulation for AVs (Richard Stein, Erling Kristiansen)
    Re: Toward Human-Understandable, Explainable AI (John Beattie)
    Re: Driverless cars: Who should die in a crash? (John Beattie)
    Re: The spreading scourge of broken SSL implementation (Sergio Gelato,
    Julian Bradfield)
    Jury duty, recidivus (Rob Slade)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 4 Nov 2018 07:45:25 -0700
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Like clockwork: How daylight saving time stumps hospital record
    keeping (Sydney Lupkin)

    Sydney Lupkin, Kaiser Health News, 3 Nov 2018

    https://www.usatoday.com/story/news/health/2018/11/03/daylight-saving-time-hospital-electronic-medical-records-emergency-fall-back/1864579002/

    Modern technology has helped medical professionals perform robot-assisted
    surgeries and sequence whole genomes. But hospital software still can't
    handle daylight saving time.

    Epic Systems, one of the most popular electronic health records software
    systems used by hospitals, can delete records or require cumbersome
    workarounds when clocks are set back for an hour -- prompting many
    hospitals to opt for paper records for part of the night shift.

    And it happens every year.

    "It's mind-boggling," said Dr. Mark Friedberg, a senior physician policy
    researcher at RAND. In 2018, he said, "we expect electronics to handle
    something as simple as a time change."

    "Nobody is surprised by daylight savings time. They have years to prep.
    Only, surprise, it hasn't been fixed."

    ------------------------------

    Date: Tue, 6 Nov 2018 12:05:29 -0500
    From: Steve Golson <sgo...@trilobyte.com>
    Subject: Daylight Savings results in hospital records shutdown (New Yorker)

    Problems with new electronic medical records system:

    Last fall, the night before daylight-saving time ended, an all-user e-mail
    alert went out. The system did not have a way to record information when
    the hour from 1 a.m. to 1:59 a.m. repeated in the night. This was, for the
    system, a surprise event. The only solution was to shut down the lab
    systems during the repeated hour. Data from integrated biomedical devices
    (such as monitoring equipment for patients' vital signs) would be
    unavailable and would have to be recorded by hand. Fetal monitors in the
    obstetrics unit would have to be manually switched off and on at the top
    of the repeated hour.

    The whole article is well worth reading:

    https://www.newyorker.com/magazine/2018/11/12/why-doctors-hate-their-computers

    ------------------------------

    Date: Mon, 5 Nov 2018 17:29:20 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How Daylight Saving Time Messes With Hospitals (Fortune)

    The clocks went back one hour in (almost all) U.S. counties and states at 2
    A.M. on Sunday, marking the `fall back' that signals
    the end of Daylight Saving.
    <https://click.email.fortune.com/%3Fqs%3D4781bb52c80c7dabf45d7dda982bf7332691a035149964328f3b1d2019da6f49e5165b3ed7f92087ee25bd7ca483ee0d75e810ac628562c1>
    And, as a report from Kaiser Health News highlights
    <https://click.email.fortune.com/%3Fqs%3D4781bb52c80c7dabc89230e068d424c4153d8f87150658730d6df86797ea708c88a662f84d5a93723c93f10be314c25b6b57d510611fb2f4>
    that brings with it a whole bunch of technical headaches for hospital
    systems and their electronic record keeping systems.

    Modern medical innovations include the ability to transform human immune
    cells into cancer-destroying mercenaries. And yet, a one-hour shifting of
    clocks can force hospitals to temporarily switch from ostensibly newfangled
    (and expensive) electronic health records to old-fashioned paperwork. In
    fact, popularly used systems like Epic Systems software can delete records
    or require cumbersome workarounds when clocks are set back for an hour,
    according to KHN. (Epic, for its part, told the publication that "Daylight
    savings time is inherently nuanced for healthcare organizations, which is
    why we work closely with customers to provide guidance on how to most
    effectively use their system to care for their patients during this time
    period.")

    One hour may not seem like a whole lot of time. But it can make a big
    difference when it comes to keeping tabs on patients' vitals or whether or
    not they need scheduled medication.

    https://view.email.fortune.com/%3Fqs%3D161a5916fd2cfcbc55f8fc149eae8b7ab098b460bce21e7b1922c7d87a7a9e9b37e1e68aa5fc8fc8eaddf8badad6ff68c28abd39418efffbeb08875c11c8ffbf5d76f3898e08b242

    It's not just health IT that notices; databases, security systems, anything
    logging events has to deal with a missing hour in spring and a duplicated
    hour in fall.
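    The repeated hour described in these items is a concrete, testable property of local time, and the usual defence is to log the UTC offset (or UTC itself) with every event. The following is an added example, not code from any of the articles, from Epic, or from the RISKS moderator: it builds a minimal US Eastern zone by hand (post-2007 rule, constructed here to expose the mechanics; a real system would use zoneinfo), shows how to detect the skipped spring hour and the ambiguous autumn hour, and orders a few constructed log lines correctly even when their wall-clock stamps read backwards.

```python
from datetime import datetime, timedelta, timezone, tzinfo


def _nth_sunday(year: int, month: int, n: int) -> datetime:
    """Midnight on the n-th Sunday of the month."""
    first = datetime(year, month, 1)
    first_sunday = first + timedelta(days=(6 - first.weekday()) % 7)
    return first_sunday + timedelta(weeks=n - 1)


class USEastern(tzinfo):
    """Constructed minimal US Eastern zone: DST from 02:00 on the second Sunday in
    March to 02:00 on the first Sunday in November. It honours datetime.fold so the
    repeated 'fall back' hour is representable (real code should use zoneinfo)."""
    STD = timedelta(hours=-5)   # EST
    DST = timedelta(hours=-4)   # EDT
    HOUR = timedelta(hours=1)

    def _bounds(self, year):
        return (_nth_sunday(year, 3, 2).replace(hour=2),    # 02:00 EST -> 03:00 EDT
                _nth_sunday(year, 11, 1).replace(hour=2))   # 02:00 EDT -> 01:00 EST

    def dst(self, dt):
        if dt is None:
            return timedelta(0)
        start, end = self._bounds(dt.year)
        wall = dt.replace(tzinfo=None)
        if start <= wall < start + self.HOUR:      # skipped hour: fold=0 keeps old offset
            return self.HOUR if dt.fold else timedelta(0)
        if end - self.HOUR <= wall < end:          # repeated hour: fold=0 first pass (EDT)
            return timedelta(0) if dt.fold else self.HOUR
        return self.HOUR if start <= wall < end else timedelta(0)

    def utcoffset(self, dt):
        return self.STD + self.dst(dt)

    def tzname(self, dt):
        return "EDT" if self.dst(dt) else "EST"

    def fromutc(self, dt):
        # dt's fields are UTC; produce wall-clock time and mark the second pass with fold=1.
        utc = dt.replace(tzinfo=None)
        start, end = self._bounds(dt.year)
        start_utc, end_utc = start - self.STD, end - self.DST
        if start_utc <= utc < end_utc:
            return (utc + self.DST).replace(tzinfo=self)
        fold = 1 if end_utc <= utc < end_utc + self.HOUR else 0
        return (utc + self.STD).replace(tzinfo=self, fold=fold)


EASTERN = USEastern()


def is_ambiguous_local(wall: datetime, tz: tzinfo = EASTERN) -> bool:
    """True if this naive wall-clock time occurs twice (the repeated autumn hour)."""
    return (wall.replace(tzinfo=tz, fold=0).utcoffset()
            != wall.replace(tzinfo=tz, fold=1).utcoffset())


def is_nonexistent_local(wall: datetime, tz: tzinfo = EASTERN) -> bool:
    """True if this naive wall-clock time is skipped (the missing spring hour)."""
    back = wall.replace(tzinfo=tz).astimezone(timezone.utc).astimezone(tz)
    return back.replace(tzinfo=None) != wall


def seconds_between(a: datetime, a_fold: int, b: datetime, b_fold: int, tz=EASTERN) -> float:
    """Elapsed seconds from a to b, given naive local stamps plus the pass each belongs to."""
    a_utc = a.replace(tzinfo=tz, fold=a_fold).astimezone(timezone.utc)
    b_utc = b.replace(tzinfo=tz, fold=b_fold).astimezone(timezone.utc)
    return (b_utc - a_utc).total_seconds()


# Constructed sample log lines (not from any real system). The first two carry the
# UTC offset, as a well-behaved logger should; the third is a bare local stamp.
SAMPLE_LOG = [
    "2018-11-04T01:50:00-04:00 lab-gateway result posted order=17",
    "2018-11-04T01:10:00-05:00 lab-gateway result posted order=18",
    "2018-11-04T01:30:00 monitor vitals sample bed=4",
]


def sort_by_instant(lines, tz=EASTERN):
    """Order log lines by the instant recorded. Offset-bearing stamps are unambiguous;
    a bare local stamp inside the repeated hour is rejected rather than guessed."""
    keyed = []
    for line in lines:
        stamp = line.split(" ", 1)[0]
        when = datetime.fromisoformat(stamp)
        if when.tzinfo is None:
            if is_ambiguous_local(when, tz):
                raise ValueError(f"ambiguous local time in repeated hour: {stamp}")
            when = when.replace(tzinfo=tz)
        keyed.append((when.astimezone(timezone.utc), line))
    return [line for _, line in sorted(keyed, key=lambda kv: kv[0])]


def demo():
    """Key results as a dict so they can be checked programmatically."""
    try:
        sort_by_instant(SAMPLE_LOG)
        rejected = False
    except ValueError:
        rejected = True
    return {
        "ambiguous_0130": is_ambiguous_local(datetime(2018, 11, 4, 1, 30)),
        "ambiguous_0330": is_ambiguous_local(datetime(2018, 11, 4, 3, 30)),
        "nonexistent_0230": is_nonexistent_local(datetime(2018, 3, 11, 2, 30)),
        "nonexistent_0330": is_nonexistent_local(datetime(2018, 3, 11, 3, 30)),
        # 01:50 EDT (first pass) to 01:10 EST (second pass) is +20 min, not -40
        "seconds_0150_to_0110": seconds_between(datetime(2018, 11, 4, 1, 50), 0,
                                                datetime(2018, 11, 4, 1, 10), 1),
        "first_by_instant": sort_by_instant(SAMPLE_LOG[:2])[0],
        "naive_in_repeated_hour_rejected": rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    The point the example makes for any event-logging system, not only health IT: a timestamp without an offset cannot be ordered or differenced during the repeated hour, and a system that stores such stamps must either refuse them (as above) or store the fold/offset alongside.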

    ------------------------------

    Date: Fri, 2 Nov 2018 19:37:27 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: File-Sharing Software on State Election Servers Could Expose Them
    to Intruders (ProPublica)

    ProPublica analysis found election computer servers in Wisconsin and
    Kentucky could be susceptible to hacking by anonymous FTP. Wisconsin shut
    down its service after complaints.

    https://www.propublica.org/article/file-sharing-software-on-state-election-servers-could-expose-them-to-intruders

    ------------------------------

    Date: Thu, 1 Nov 2018 20:51:13 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Your brain: The next hacking frontier (TechBeacon)

    This week, researchers unveiled worrying results about how easy it is to
    hack medical implants, such as brain stimulators.

    The claim is that hackers are a decade or two away from being able to mess
    with our memories -- the very essence of who we are. But neuro-modulation is
    a promising branch of medical science, so it would be a shame if these
    worries were overblown, right?

    Sci-fi it's not, they claim. In this week's Security Blogwatch, we're
    even more scared than we were yesterday.
    <https://techbeacon.com/contributors/richi-jennings>

    Your humble blogwatcher <http://richi.uk/> curated these bloggy bits for
    your entertainment. Not to mention: Thought-provoking stuff about nitrogen.

    https://techbeacon.com/your-brain-next-hacking-frontier

    ------------------------------

    Date: Sat, 3 Nov 2018 19:54:54 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Selfie attempt results in damage to artwork by Salvador Dali
    and Francisco Goya (CNN)

    Not again......

    Amir Vera, Jennifer Hauser and Alla Eshchenko, CNN

    https://www.cnn.com/2018/11/03/europe/russian-women-damage-artwork/

    8:13 PM ET, Sat November 3, 2018

    A young woman trying to take a selfie knocked over two works of art at a
    gallery in Yekaterinburg, Russia, on October 27, 2018. A picture is worth a
    thousand words, but what about a selfie?

    A group of women in Yekaterinburg, Russia, may find out soon after one of
    them tried to take a selfie on October 27 and accidentally knocked over a
    structure at the International Arts Center Main Avenue. The structure was
    carrying two works of art, according to the Russian Ministry of Internal
    Affairs (MIA) and state-run news agency TASS.

    The damaged artworks, according to TASS, include a Francisco Goya etching
    from the Los Caprichos series and Salvador Dali's interpretation of
    it. Goya's work was also part of the gallery owner's private collection.

    ------------------------------

    Date: Sat, 3 Nov 2018 04:10:34 -0400
    From: Eli the Bearded <*@eli.users.panix.com>
    Subject: Facebook adding extra CGI parameters to other people's links
    (ycombinator)

    https://news.ycombinator.com/item?id=18275061
    https://community.cloudflare.com/t/facebook-now-adds-fbclid-query-string-to-urls-busting-cloudflares-cache/40355

    In some apparent attempt to better track user clicks, Facebook has
    started adding an extra parameter to links. This will break many
    mechanisms for caching dynamic content, as the Cloudflare discussion
    illustrates. In the case of my site it turns a URL like this:

    http://abc.def/ghijklmno.cgi?pqrs=tuvw

    Into this:

    http://abc.def/ghijklmno.cgi?pqrs=tuvw&fbclid=xyzR0bBzJRwc-q1btq_wHCtliXasz-C66UzxCc6DuqIBAYu9setNAg-IJ1nY8

    (Censored to not advertise) Note how the parameter is *longer* than the
    whole original URL. And this is not something I get any benefit from, I
    do not use Facebook at all.

    Besides breaking caching, it will destroy any CGI already using a fbclid
    query parameter, has been breaking some links as reported in the
    ycombinator piece, and it is also likely to seriously pollute other
    people's log summaries.

    I have decided that is a good thing, and have configured my site to now
    generate 4xx errors in response to unexpected fbclid parameters. I don't
    want people to think they can willy-nilly add extra things to CGI requests.
    This needs to be coordinated with the target sites.

    Unfortunately many people will decide they do need Facebook and will
    rollover for this.
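    Two server-side responses to the problem Eli describes, as an added example (not Eli's configuration and not Facebook's code): a strict check that answers unexpected query parameters with a 4xx, which is the policy the post adopts, and a lenient normaliser that strips known tracking parameters so a cache or a log summariser sees one resource instead of one per fbclid value. The allowed-parameter set, the URLs and the fbclid values are constructed placeholders; fbclid is from the post and the utm_* and gclid names are widely used analytics tags.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameters the CGI script actually reads (constructed for this example).
ALLOWED_PARAMS = frozenset({"pqrs"})

# Click-tracking parameters that third parties append to other sites' links.
TRACKING_PARAMS = frozenset({"fbclid", "gclid", "utm_source", "utm_medium",
                             "utm_campaign", "utm_term", "utm_content"})


def check_query(query_string: str, allowed=ALLOWED_PARAMS):
    """Strict policy, as in the post: any parameter the script does not expect
    yields a 400 instead of being silently accepted. Returns (status, payload)."""
    params = parse_qsl(query_string, keep_blank_values=True)
    unexpected = sorted({k for k, _ in params if k not in allowed})
    if unexpected:
        return 400, {"error": "unexpected query parameter(s): " + ", ".join(unexpected)}
    return 200, dict(params)


def cache_key(query_string: str, tracking=TRACKING_PARAMS) -> str:
    """Lenient policy for a cache or log summariser: drop tracking parameters and
    sort what remains, so every fbclid variant of a URL maps to one cache entry."""
    kept = sorted((k, v) for k, v in parse_qsl(query_string, keep_blank_values=True)
                  if k not in tracking)
    return urlencode(kept)


def canonical_url(url: str) -> str:
    """Apply cache_key() to a full URL, e.g. before counting hits per resource."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, cache_key(p.query), p.fragment))


# Constructed sample request URLs; the fbclid values are placeholders, not real ones.
SAMPLE_URLS = [
    "http://abc.def/ghijklmno.cgi?pqrs=tuvw",
    "http://abc.def/ghijklmno.cgi?pqrs=tuvw&fbclid=PLACEHOLDER1",
    "http://abc.def/ghijklmno.cgi?fbclid=PLACEHOLDER2&pqrs=tuvw",
]


def distinct_resources(urls) -> int:
    """Number of distinct resources once tracking noise is removed (3 URLs -> 1)."""
    return len({canonical_url(u) for u in urls})


if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(check_query(urlsplit(u).query), "->", canonical_url(u))
    print("distinct resources:", distinct_resources(SAMPLE_URLS))
```

    The strict check is the right default for a script whose parameter set is fixed; the normaliser is what a CDN or cache layer needs, since it cannot reject the request without breaking the links Facebook has already published.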

    ------------------------------

    Date: Fri, 2 Nov 2018 16:02:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: What it's like to use Tesla's newest self-driving tech

    Autopass. If the person in front of you is driving too slowly -- 45 in a 55
    mph zone, for example -- what would you do? Why, you'd pass them.

    Now, the Tesla can do that, too. If it notices that you're being blocked,
    and that there's room in the next lane, a notification appears on your
    screen. It informs you that if you put on your turn signal, Autopilot will
    take it from there. It does the passing maneuver smoothly and
    gracefully. (It doesn't actually return to your original lane, however --
    just changes into a faster lane, passing the slowpoke, and stays there.)

    How aggressive is it? That's up to you. In the onscreen settings, you can
    adjust how impatient your car is. The options are Disabled (off), Mild,
    Average, and Mad Max. In Mad Max mode, the Tesla will suggest passing if the
    guy in front of you is going even a couple of mph below the speed limit.

    (The Mad Max setting is characteristic of the Musk-esque sense of humor
    that's baked in to Teslas. The acceleration options on the Model S are
    labeled Chill, Standard, Sport, Insane, and Ludicrous.)

    https://finance.yahoo.com/news/tesla-now-self-drivingest-car-road-063800677.html

    Mad Max passing and Ludicrous acceleration. Just what the world needs.

    ------------------------------

    Date: Mon, 5 Nov 2018 12:10:37 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Why Big Tech pays poor Kenyans to programme self-driving cars
    (bbc.com)

    https://www.bbc.com/news/technology-46055595

    No need to build an explainable AI simulator when there's an army of
    carbon-based trainers assisting AV neural network/image recognition learning
    processes.

    To their credit and initiative, Samasource's staffing model remotely and
    inexpensively empowers Kenyan women. They construct the training images
    applied to condition AV reactions/behavior.

    "Brenda loads up an image, and then uses the mouse to trace around just
    about everything. People, cars, road signs, lane markings -- even the sky,
    specifying whether it's cloudy or bright. Ingesting millions of these images
    into an artificial intelligence system means a self-driving car, to use one
    example, can begin to 'recognise' those objects in the real world. The more
    data, the supposedly smarter the machine.

    "She and her colleagues sit close -- often too close -- to their monitors,
    zooming in on the images to make sure not a single pixel is tagged
    incorrectly. Their work will be checked by a superior, who will send it back
    if it's not up to scratch. For the fastest, most accurate trainers, the
    honor of having your name up on one of the many TV screens around the
    office. And the most popular perk of all: shopping vouchers."

    Driver social skills, per https://catless.ncl.ac.uk/Risks/30/90#subj12
    (Shapir), are neither integrated nor accountable. Training data set
    localized bias may influence AV obstacle reaction.

    A preference would be to apply training datasets that demonstrate courteous
    v. aggressive driving, professional v. amateur, or reckless v.
    cautious. Possibly based on US driving habits per Boston, Los Angeles, New
    York, Miami, Philadelphia, Sydney AU, Beijing or Shanghai PRC, etc. Use
    real-time sequences (~50-100Hz) as training input. Clearly a very
    challenging problem.

    Risk: AV training strategy using discrete images discounts localized
    carbon-based driver intent and precursor conditions.

    On 02OCT2018, the NHTSA published "A Framework for Automated Driving System
    Testable Cases and Scenarios," retrieved on 04NOV2018 from
    https://www.nhtsa.gov/document/framework-automated-driving-system-testable-cases-and-scenarios.
    This document details a range of test scenarios for automated driving system
    (ADS) response intervals from 0.1 to ~15 seconds (see document pg. 12 for
    ADS task decomposition hierarchy).

    This document does not establish or mandate compliance. Unclear if AV
    manufacturers will be required to disclose ADS test results based on the
    document and attach to the "car window sticker."

    ------------------------------

    Date: Fri, 02 Nov 2018 07:44:21 -0400
    From: Jose Maria Mateos <ch...@rinzewind.org>
    Subject: EU border `lie detector' system criticised as pseudoscience
    (The Guardian)

    https://www.theguardian.com/world/2018/nov/02/eu-border-lie-detection-system-criticised-as-pseudoscience

    The EU has been accused of promoting pseudoscience after announcing plans
    for a `smart lie-detection system' at its busiest borders in an attempt to
    identify illegal migrants.

    The lie detector, to be tried in Hungary, Greece and Latvia, involves the
    use of a computer animation of a border guard, personalised to the
    traveler's gender, ethnicity and language, asking questions via a webcam.

    The deception-detection system will analyse the micro-expressions of those
    seeking to enter EU territory to see if they are being truthful about their
    personal background and intentions. Those arriving at the border will be
    required to have uploaded pictures of their passport, visa and proof of
    funds.

    ------------------------------

    Date: Mon, 5 Nov 2018 17:33:38 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Credit Card Chips Have Failed to Halt Fraud, Survey Shows (Fortune)

    New chip-enabled credit cards, which were rolled out to U.S. consumers
    starting in 2015, were supposed to put an end to rampant credit card fraud.

    So much for that.

    A new report from the research firm Gemini Advisory has found that, of more
    than 60 million cases of credit card theft in the last 12 months, a whopping
    93% of the stolen cards had the new chip technology.

    This represents a major setback for the technology, known as the EMV
    standard, which is named after the companies (Europay, Mastercard and Visa)
    that created it.

    45.8 million records [were] likely compromised through card-sniffing and
    point-of-sale (POS) breaches of businesses such as Saks, Lord & Taylor,
    Jason's Deli, Cheddar's Scratch Kitchen, Forever 21, and Whole Foods. To
    break it down even further, 90% or 41.6 million of those records were EMV
    chip-enabled, states the report.

    In theory, EMV should reduce fraud because every card transaction requires
    an encrypted connection between the chip card and the merchant's
    point-of-sale terminal. EMV is meant to replace conventional swipe
    transactions that rely on magnetic strips, which contain data that is
    relatively easy for criminals to intercept and then copy on to a new card.

    But while the EMV standard is supposed to ensure the card data cannot be
    captured, many merchants are failing to properly configure their systems,
    according to a Gemini Advisory executive who spoke with Fortune. (Fortune
    has also reached out to the payment processors for comment and will update
    this article accordingly.) The upshot is that criminals have been able to
    insert themselves into the transaction data stream, either by hacking into
    merchant networks or installing skimmer devices in order to capture card
    information.

    The stolen data is typically sold on the so-called dark web, which is where
    Gemini Advisory compiled the data for its report.

    http://fortune.com/2018/11/05/credit-card-chips-fail-to-halt-fraud-survey-says/

    ------------------------------

    Date: Fri, 2 Nov 2018 01:20:34 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Check this out: Radisson Hotel Group 'fesses up to `security
    incident' (The Register)

    Loyalty card members deets exposed
    https://www.theregister.co.uk/2018/10/31/radisson_hotel_group_fesses_up_to_security_incident/

    ------------------------------

    Date: Fri, 02 Nov 2018 07:54:23 -0400
    From: Jose Maria Mateos <ch...@rinzewind.org>
    Subject: A new study finds potentially manipulative ads in apps for
    preschoolers (WashPost)

    https://www.washingtonpost.com/amphtml/technology/2018/10/30/new-study-finds-potentially-manipulative-ads-apps-preschoolers/

    Apps marketed to children 5 and younger deploy potentially manipulating
    tactics to deliver ads to children, raising questions about the ethics of
    child software design and consumer protection, according to a new study.

    Researchers from the University of Michigan C.S. Mott Children's Hospital
    looked at more than 100 apps, mostly from the Google Play app store, and
    found that nearly all of them had at least one type of ad, often interwoven
    into the apps' activities and games. The apps, according to the researchers,
    used a variety of methods to deliver ads to children, including commercial
    characters, pop-up ads, in-app purchases, and, in some cases, distracting
    ads, hidden ads or ads that were posed as gameplay items.

    The authors suggest that the deceptive and persuasive nature of the ads
    leaves children susceptible to them, because of their lack of mental
    development in controlling their impulses and attention.

    ------------------------------

    Date: Fri, 2 Nov 2018 01:46:21 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Cisco Adaptive Security Appliance Software and Cisco Firepower
    Threat Defense Software Denial of Service Vulnerability (Cisco)

    A vulnerability in the Session Initiation Protocol (SIP) inspection engine
    of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower
    Threat Defense (FTD) Software could allow an unauthenticated, remote
    attacker to cause an affected device to reload or trigger high CPU,
    resulting in a denial of service (DoS) condition.

    The vulnerability is due to improper handling of SIP traffic. An attacker
    could exploit this vulnerability by sending SIP requests designed to
    specifically trigger this issue at a high rate across an affected device.
    Software updates that address this vulnerability are not yet
    available. There are no workarounds that address this
    vulnerability. Mitigation options that address this vulnerability are
    available.

    This advisory is available at the following link:
    https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20181031-asaftd-sip-dos

    https://tools.cisco.com/security/center/downloadPDF.pdf

    ------------------------------

    Date: Fri, 2 Nov 2018 01:32:41 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: The D in Systemd stands for 'Dammmmit!' A nasty DHCPv6 packet can
    pwn a vulnerable Linux box. (The Register)

    Hole opens up remote-code execution to miscreants – or a crash,
    if you're lucky

    https://www.theregister.co.uk/2018/10/26/systemd_dhcpv6_rce/

    ------------------------------

    Date: Fri, 2 Nov 2018 01:35:50 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: T Wi-Fi kit bit by TI chip slip: Wireless gateways open to
    hijacking via BleedingBit chipset vulnerability (The Register)

    Firmware security patches hit to fix critical holes in enterprise network
    access points

    https://www.theregister.co.uk/2018/11/01/it_bit_by_ti_chip_slipup_dubbed_bleedingbit/

    ------------------------------

    Date: Sat, 3 Nov 2018 00:37:51 -0400
    From: danny burstein <dan...@panix.com>
    Subject: ISP pissed at Elsevier Takedowns/blocks, so...

    Lots, make that LOTS, of slippery slopes here...

    [Twitter]

    Mike Masnick

    Whoa. Elsevier forces an ISP to block some websites... so the ISP also
    blocks Elsevier's websites, giving everyone who visits an explanation about
    the evils of forced censorship...

    <https://twitter.com/torrentfreak/status/1058427804637782016>

    and

    [torrentfreak]

    Swedish ISP Protests "Site Blocking" by Blocking Rightsholders Website Too

    Ernesto on 2 Nov 2018

    Bahnhof has suffered a major defeat against publisher Elsevier after a court
    ordered the Swedish ISP to block a series of domain names, including
    Sci-Hub. The decision goes against everything the company stands for but it
    can't ignore the blocking order. Instead, the ISP has gone on the offensive
    by blocking Elsevier's own website and barring the court from visiting
    Bahnhof.se.

    ------------------------------

    Date: Fri, 2 Nov 2018 01:48:19 +0000
    From: Wols Lists <antl...@youngman.org.uk>
    Subject: Re: Ethics of whom to kill (Slade, RISKS-30.90)

    Has Rob Slade not heard of "The exception proves the rule"? Yes I know this
    saying is horribly mis-used, but it almost certainly comes from the fact
    that it only takes ONE inconvenient fact to destroy a scientific theory.

    It is also an inconvenient fact that people dismiss inconvenient facts
    as "oh that's just an anecdote". But it only takes one inconvenient
    anecdote to be verifiable, at which point it becomes a data point
    capable of destroying your theory and lifetime's work.

    If there are a lot of anecdotes out there you cannot just dismiss and
    ignore them. That's how the ozone hole was missed by computers ignoring
    strange readings, until a scientist actually looked and thought "that's
    not right!" You need to look at the anecdotes and explain them away,
    otherwise they could well be inconvenient facts that mean you are
    completely wrong.

    ------------------------------

    Date: Fri, 2 Nov 2018 12:28:28 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Re: Explainable AI Simulation for AVs (Shapir Response in
    RISKS-30.90 to Stein, RISKS-30.89)

    In Risks-30.90, Amos Shapir wrote:

    >Driving is a team effort; it seems likely that AVs will need to share
    >the roads with human drivers for quite a long time, and would have to
    >be taught some social skills, before they can blend in safely.

    I agree with you. How to telescope carbon-based motorist intent to a robot?
    Turn signals and brake lights are not always applied in a timely
    fashion. Hand signals are probably a no-op for AV vision recognition and
    interpretation. What about spilled coffee, DUI swerving, etc. per
    https://catless.ncl.ac.uk/Risks/30/82#subj23.1 therein, which might compel
    a Trolley Problem scenario?

    How to construct an "anxiety" algorithm component into an AV operational
    control program? Anxiety -- anticipatory fear -- would play an important
    role in silicon-based v. carbon-based vehicle interaction. When an AV
    demonstrates safe/defensive driving techniques due to internal distraction
    via a BlueTooth or WiFi hack attack, blown tire, collision, bird poo on the
    sensors, skunk or chicken crossing the road, low fuel warning, LRU
    malfunction, or smokey road conditions due to nearby fires etc., then I'll
    believe AI has arrived.

    If AV capabilities mature to show benefit via NHTSA statistics, feckless
    parallel parking attempts by carbon-based drivers will make "AV Funniest
    Videos" highlight reels.

    In https://catless.ncl.ac.uk/Risks/30/56#subj33.1
    transition risk arising from AV introduction. Until an AV supreme transport
    system materializes, adaptation to a "shared road" model constitutes a
    paramount public health and safety objective.

    The Pepsi Challenge on public health and safety benefits from AV deployment
    has a heavy thumb on the scale tipped against it.

    ------------------------------

    Date: Fri, 2 Nov 2018 20:41:20 +0100
    From: Erling Kristiansen <erling.kr...@xs4all.nl>
    Subject: Re: Explainable AI Simulation for AVs (Amos Shapir)

    And let's not forget that there are around 200 countries on our globe.
    Traffic rules vary, sometimes significantly, sometimes very subtly, from one
    country to another. Some countries drive on the right, some on the left.
    And driver `culture' differs quite a lot. And traffic signs and road
    markings are different.

    And how about non-standard signs? If a human sees a warning sign with a duck
    or a cow, it is immediately obvious what it means, but what will an AV that
    was not trained on such non-official signs do? And how about signs
    containing text, that are obvious to a human, but likely make no sense to an
    AV? And stuff that may resemble a sign, but is not.

    ------------------------------

    Date: Fri, 2 Nov 2018 18:21:34 +0000
    From: John Beattie <j...@jkbsc.co.uk>
    Subject: Re: Toward Human-Understandable, Explainable AI (RISKS-30.88)

    DJC writes:

    But as a matter of fact -- honesty and integrity aside -- humans aren't
    very good at knowing the grounds for their important decisions. Daniel
    Kahneman got the Nobel Prize for studying the reality of how people
    decide; cf. his book "Thinking, Fast And Slow". He and his colleagues did
    many, many experiments to expose the *real* bases for how people make
    decisions; and those bases are often not only unknown to their subjects,
    but impossible for them to know, because they happen in inaccessible
    processes of their cognition.

    This is true and not very relevant. An AI making a decision about, for example,
    insurance or, say, an application at the local county hall needs to be able to
    show the basis for the decision. An arbitrary decision is not acceptable.

    ------------------------------

    Date: Fri, 2 Nov 2018 18:26:18 +0000
    From: John Beattie <j...@jkbsc.co.uk>
    Subject: Re: Driverless cars: Who should die in a crash? (bbc.com)

    There is a basic mismatch with reality about all those hypothetical cases
    about who dies in a crash, speaking purely on engineering and commercial
    grounds.

    In practice, the AI will be challenged exactly as a car driver is: why did
    you do that, why didn't you do the other. FWIW, the answer will be something
    along the lines of, "The car was about to crash I didn't have time to make
    fine decisions, I just hit the brakes and turned the steering as best I
    could".

    No AI in a car will have the extra resources to determine the locations and
    motion of all or even some humans in the environment. It will have exactly
    and only the resources to drive the car reasonably well in most of the
    circumstances it is likely to meet.

    ------------------------------

    Date: Sat, 3 Nov 2018 17:40:48 +0100
    From: Sergio Gelato <Sergio...@astro.su.se>
    Subject: Re: The spreading scourge of broken SSL implementation (RISKS-30.90)

    [note to moderator: feel free not to run this if other contributors have made
    the same point.]

    Mark Thorson complains about the growing number of HTTPS webservers that are
    incompatible with Safari on his iBook G4, pointing out that some, like
    www.google.com

    The sites he describes as broken require TLS 1.2. The versions of Safari that
    have been released for PowerPC Macs do not support this protocol. Given
    https://tools.ietf.org/html/draft-moriarty-tls-oldversions-diediedie-00
    the chances of reversing the trend look slim. Interposing proxy software that
    performs protocol conversion (and HSTS enforcement, etc.) on the client
    seems a better bet.

    The RISK here, as I see it, is of making a poor tradeoff between security,
    cost of maintenance and backwards compatibility.

    ------------------------------

    Date: Mon, 5 Nov 2018 15:16:45 +0000
    From: Julian Bradfield <j...@inf.ed.ac.uk>
    Subject: Re: The spreading scourge of broken SSL implementation (Thorson,
    RISKS-30.90)

    Mark Thorson complained that there is a recent spread of broken SSL
    implementations on the Web, as he cannot access some sites from his iBook
    G4.

    He is partly correct, but not in the way he thinks. What he actually
    experiences is that he is using a machine and OS that only supports the
    obsolete and now deprecated TLS version 1.0 protocol - a protocol which is
    now explicitly forbidden to be supported by any site taking credit card
    payments. Therefore his browser is unable to establish a secure connection
    to sites that no longer support insecure versions, although some sites such
    as Google (and my own institution's academic site) still allow it.

    So what is broken? Of the three sites he mentions, one,
    https://www.ncahf.org/
    behaves correctly and returns a protocol_version alert, so that a
    decent browser (whether this includes an ancient Safari predating the
    existence of more than one TLS protocol version, I don't know) will
    display an appropriate error screen.

    The other two sites https://marginalrevolution.com/
    https://www.goldmine-elec-products.com/ both break the TLS protocol by
    closing the connection without sending an alert message. marginalrevolution
    also only supports weak ciphers.
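
    What the two behaviours look like on the wire, as an added example that is not part of Julian Bradfield's message or of any site it names. A conforming server that will not speak the client's TLS version answers with a fatal protocol_version alert (alert description 70 in RFC 5246) and then closes; a server that simply drops the connection leaves the client nothing to act on. The byte strings below are constructed from the TLS record layout, and the classifier is the kind of check a compatibility tester or an interposing proxy (the approach Sergio Gelato suggests) would use to tell the cases apart:

```python
"""Classify what a server sent back after a ClientHello it could not accept.

Added example, not code from the digest or from any site it names. The byte
strings are constructed from the TLS record layout in RFC 5246: a record is
content type, version, length; an alert body is level and description; alert
description 70 is protocol_version.
"""
import struct
from enum import Enum

CONTENT_ALERT = 21
CONTENT_HANDSHAKE = 22
HANDSHAKE_SERVER_HELLO = 2
ALERT_LEVEL_FATAL = 2
ALERT_PROTOCOL_VERSION = 70      # RFC 5246 section 7.2.2
ALERT_HANDSHAKE_FAILURE = 40

VERSION_NAMES = {(3, 1): "TLS 1.0", (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}


class Outcome(Enum):
    EMPTY_CLOSE = "connection closed with no alert (breaks the protocol)"
    PROTOCOL_VERSION_ALERT = "fatal protocol_version alert (correct behaviour)"
    OTHER_ALERT = "some other alert"
    SERVER_HELLO = "ServerHello: the server accepted a version"
    MALFORMED = "bytes do not parse as a TLS record"


def build_protocol_version_alert(record_version=(3, 1)) -> bytes:
    """The record a conforming server sends when it rejects the client's version."""
    header = struct.pack("!BBBH", CONTENT_ALERT, *record_version, 2)
    return header + bytes([ALERT_LEVEL_FATAL, ALERT_PROTOCOL_VERSION])


def classify_server_response(data: bytes):
    """Return (Outcome, detail) for the first record a server sent back.

    detail is the alert description for alerts, the (major, minor) server
    version for a ServerHello, and None otherwise.
    """
    if not data:
        # An old browser sees EOF or a reset here and has nothing to report.
        return Outcome.EMPTY_CLOSE, None
    if len(data) < 5:
        return Outcome.MALFORMED, None
    ctype, major, minor, length = struct.unpack("!BBBH", data[:5])
    body = data[5:5 + length]
    if len(body) != length:
        return Outcome.MALFORMED, None
    if ctype == CONTENT_ALERT:
        if length != 2:
            return Outcome.MALFORMED, None
        level, description = body
        if description == ALERT_PROTOCOL_VERSION:
            return Outcome.PROTOCOL_VERSION_ALERT, description
        return Outcome.OTHER_ALERT, description
    if ctype == CONTENT_HANDSHAKE and length >= 6 and body[0] == HANDSHAKE_SERVER_HELLO:
        # ServerHello: handshake type (1 byte), length (3 bytes), server_version (2 bytes)
        return Outcome.SERVER_HELLO, (body[4], body[5])
    return Outcome.MALFORMED, None


def describe(data: bytes) -> str:
    """Human-readable verdict for a captured response."""
    outcome, detail = classify_server_response(data)
    if outcome is Outcome.SERVER_HELLO:
        return f"{outcome.value}: {VERSION_NAMES.get(detail, detail)}"
    if outcome is Outcome.OTHER_ALERT:
        return f"{outcome.value} (description {detail})"
    return outcome.value


# Constructed samples of the three behaviours discussed above.
SAMPLE_ALERT = build_protocol_version_alert()              # 15 03 01 00 02 02 46
SAMPLE_CLOSE = b""                                          # peer closed, nothing sent
SAMPLE_HELLO = bytes.fromhex("1603030006" "020000020303")   # ServerHello, TLS 1.2

if __name__ == "__main__":
    for name, sample in [("alert", SAMPLE_ALERT), ("silent close", SAMPLE_CLOSE),
                         ("accepted", SAMPLE_HELLO)]:
        print(f"{name:13} {describe(sample)}")
```

    Run against a real capture, the first record after the ClientHello is all that is needed; an empty capture (the peer closed without sending anything) is the case the two sites above exhibit, and it is the one an old browser cannot explain to its user.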

    ------------------------------

    Date: Sat, 3 Nov 2018 09:55:51 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: Jury duty, recidivus

    I'm off the hook for jury duty, so my presentation joke remains intact.

    The jury or trial was canceled, almost literally at the last minute.
    Selection was to start on Monday, and I got a call yesterday (Friday) late
    in the afternoon. (I almost didn't answer it, since it was on my cell,
    which I vaguely recall them asking for when I registered my confirmation.
    Almost nobody knows my cell, so I generally know who is calling, and I
    didn't recognize the number.) After the call I realized that the person who
    claimed to be from the sheriff's office had given me almost no checkable
    information. (I did later find an email notifying me of the
    cancellation, so that was something.)

    But it did put me in mind of a possible form of jury tampering. Anyone can
    call and claim to be from the sheriff's office. (In Canada sheriffs handle
    court security, and some other forms of court administration, such as jury
    pool management.) And, if there is no way for the juror to confirm, then it
    would be easy enough to get rid of jurors you don't want. Just have them
    not show up.

    Of course, this risk is slight. To gain access to information about the
    jury pool you would have to suborn a member of the sheriff's office and, if
    you could do that, there would be a number of other ways to tamper with the
    jury.

    Just an idle security maven thought ...

    [The risk may seem slight. However, jury tampering and juror conflicting
    are very old lawyerly arts. PGN]

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.91
    ************************
     
  6. LakeGator

    Risks Digest 30.93

    RISKS List Owner

    Dec 1, 2018 7:08 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 1 November 2018 Volume 30 : Issue 93

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/30.93>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: [Backlogged again]
    Belfast plane incident could have been 'catastrophic' (BBC News)
    Indonesian JT610 Flight Data (Robert Dorsett)
    China Copied This Russian Jet Fighter (And It Has All Sorts of Problems)
    (Yahoo)
    Medical device rules need 'drastic change' to protect patients (BBC)
    Marriott discloses massive data breach affecting up to 500M guests
    (WashPost)
    The US Postal Service exposed data of 60 million users (TechCrunch)
    Constructive software engineering? (Tom Van Vleck)
    Israeli artificial intelligence company improves highway safety in
    Las Vegas (The Times of Israel)
    Potentially Disastrous Rowhammer Bitflips Can Bypass ECC Protections
    (Dan Goodin)
    Climate Change and the Savage Human Future (NYTimes)
    Now it's Office's turn to have a load of patches pulled (Ars Technica)
    Windows 10 October 2018 Update is back, this time without deleting your data
    (Ars Technica)
    E-commerce site is infected not by one, but two card skimmers (Ars Technica)
    The Snowden Legacy, part one: What's changed, really? (Ars Technica)
    Christmas spirit triumphs over data law (CNN)
    Apple pitches 9M VA medical records on iPhone format (Fortune)
    A Clearer Message on Cochlear Implants (NY Times)
    This new weapon alerts police as soon as it's fired (WashPost)
    How The Wall Street Journal is preparing its journalists to detect deepfakes
    (NiemanLab.Org)
    Huron Daily Tribune reporter Brenda Battel fired over voicemail for
    Republican candidate (John James, WashPost)
    You snooze, you lose: Insurers make the old adage literally true
    (Ars Technica)
    GMail's spam filter is getting vicious? (Rob Slade)
    FCC Launches New Offensive Against Scam, Robo Calls (EWeek)
    Who lives with you? Facebook seeks to patent software to figure out profiles
    of households (Los Angeles Times)
    This bill includes prison for CEOs who fail to take consumer privacy
    seriously (Los Angeles Times)
    Can The Police Remotely Drive Your Stolen Car Into Custody? (Slashdot)
    Free Software Messiah Richard Stallman: We Can Do Better Than Bitcoin
    (CoinDesk)
    Mobile Application/Social Media Addiction Freedom Experiment
    (TechCrunch.com and The Economist)
    China Creating Gene-Edited Babies (MIT Technology Review)
    British Parliament seizes internal Facebook documents by threatening to jail
    a different CEO (Rob Slade)
    The Dangerous Junk Science of Vocal Risk Assessment (The Intercept)
    Can The Police Remotely Drive Your Stolen Car [or you?] Into Custody?
    (Slashdot)
    LinkedIn used 18 million non-user e-mails to target Facebook ads
    (The Verge)
    Study: Smart Speakers Make Passive Listeners (Melanie Lefkowitz)
    Re: 670 ballots in a precinct with 276 voters (David Tarabar)
    Re: Russia suspected of jamming GPS signal in Finland (Henry Baker)
    Re: Japan cybersecurity minister admits he has never used a computer
    (Attila the Hun)
    Re: Tesla (Attila the Hun)
    Re: Awful AI is a curated list to track current scary usages of AI
    (Amos Shapir)
    Re: The Cleaners' Looks At Who Cleans Up The Internet's Toxic Content (NPR)
    Book review: EFF's The End of Trust (David Strom)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 22 Nov 2018 07:00:12 -0500
    From: Jose Maria Mateos <ch...@rinzewind.org>
    Subject: Belfast plane incident could have been 'catastrophic' (BBC News)

    https://www.bbc.com/news/uk-northern-ireland-46297710

    The report stated that an outside air temperature of -52C was mistakenly
    entered into the Flight Management Computer by a crew member, instead of the
    actual temperature of 16C.

    "This, together with the correctly calculated assumed temperature thrust reduction of 48C, meant the aircraft engines were delivering only 60% of their maximum rated thrust," continued the report.

    The plane took off from the airport with "insufficient power to meet
    regulated performance requirements" and struck the light.

    Crew on the flight did not recognise the issue until they reached the end
    of the runway.

    ------------------------------

    Date: Sun, 25 Nov 2018 22:23:33 -0600
    From: Robert Dorsett <r...@dorsett.us>
    Subject: Indonesian JT610 Flight Data

    https://www.satcom.guru/2018/11/first-look-at-jt610-flight-data.html?m=1

    ------------------------------

    Date: Fri, 23 Nov 2018 16:59:39 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: China Copied This Russian Jet Fighter (And It Has All Sorts of
    Problems) (yahoo.com)

    https://www.yahoo.com/news/china-copied-russian-jet-fighter-125900746.html

    Risk: "Copy and paste" a fighter jet is similar to "copy and paste" for
    software: new defects can emerge.

    ------------------------------

    Date: Mon, 26 Nov 2018 13:24:40 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Medical device rules need 'drastic change' to protect patients
    (bbc.com)

    https://www.bbc.com/news/health-46337937

    A cautionary and balanced essay on medical device risks and regulatory
    reform within the EU.

    ------------------------------

    Date: Fri, 30 Nov 2018 09:20:58 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Marriott discloses massive data breach affecting up to 500M guests

    via NNSquad

    https://www.washingtonpost.com/business/2018/11/30/marriott-discloses-massive-data-breach-impacting-million-guests/

    Security experts also questioned the extent and quality of the encryption
    used by Marriott. The news release specified that the company used
    encryption to protect credit card numbers, but the company did not specify
    whether other personally identifiable information --including names,
    addresses, phone numbers, email addresses and passport numbers -- was
    protected in this way, as security experts recommend. The company did not
    immediately respond to a request for comment as to whether all of the data
    had been encrypted when accessed by the hackers. The company
    acknowledged, however, a possible failing in the encryption security it
    had for credit card numbers, saying that it could not "rule out the
    possibility" that encryption keys were taken by hackers, allowing access
    to massive troves of data.

    ------------------------------

    Date: Mon, 26 Nov 2018 08:54:57 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: The US Postal Service exposed data of 60 million users

    via NNSquad [Grade-school level coding error]

    https://techcrunch.com/2018/11/26/the-us-postal-service-exposed-data-of-60-million-users/

    A broken US Postal Service API exposed data from over 60 million users and
    allowed a researcher to pull millions of rows of data by sending wildcard
    requests to the server. The resulting security hole has been patched after
    repeated requests to the USPS. The USPS service, called InformedDelivery,
    allows you to view your mail before it arrives at your home and offered an
    API to allow users to connect their mail to specialized services like
    CRMs. We profiled the service in 2017. The anonymous researcher showed
    that the service accepted wildcards for many searches, allowing any user
    to see any other users on the site. Brian Krebs has a copy of the API on
    his site.
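
    The defect the researcher exercised, in miniature, as an added example that is not USPS or Informed Delivery code (the records, account ids and field names are constructed). The unscoped version treats a client-supplied identifier pattern as the only filter over a table shared by every user, so a wildcard returns everyone's rows; the scoped version takes the account from the authenticated session and lets a pattern narrow only the caller's own rows, which is the fix such a hole needs regardless of whether wildcards are accepted:

```python
"""Wildcard search over a shared table, beside the same search scoped to the caller.

Added example, not USPS or Informed Delivery code. The rows, account ids and
field names are constructed for illustration.
"""
from fnmatch import fnmatchcase

# Constructed sample table: mail-preview rows owned by different accounts.
RECORDS = [
    {"account": "u-1001", "name": "A. Example", "street": "12 Elm St"},
    {"account": "u-1001", "name": "A. Example", "street": "14 Elm St"},
    {"account": "u-2002", "name": "B. Sample", "street": "7 Oak Ave"},
    {"account": "u-3003", "name": "C. Placeholder", "street": "99 Pine Rd"},
]

WILDCARD_CHARS = set("*?[")


def search_unscoped(account_pattern: str) -> list:
    """The bug class the article describes: the request supplies the only filter,
    it is matched as a glob, and the table is shared by every user."""
    return [r for r in RECORDS if fnmatchcase(r["account"], account_pattern)]


def search_scoped(session_account: str, street_pattern: str = "*") -> list:
    """Hardened: ownership comes from the authenticated session, not the request.
    A glob in the optional search field can only narrow the caller's own rows."""
    return [
        r for r in RECORDS
        if r["account"] == session_account and fnmatchcase(r["street"], street_pattern)
    ]


def is_suspicious_identifier(value: str) -> bool:
    """Identifiers are opaque tokens; glob metacharacters in one are worth logging,
    since a legitimate client never needs to send them in an id parameter."""
    return bool(WILDCARD_CHARS & set(value))


def distinct_accounts(rows: list) -> set:
    """How many different owners a result set spans; more than one is the leak."""
    return {r["account"] for r in rows}


if __name__ == "__main__":
    print("unscoped '*' spans accounts:", distinct_accounts(search_unscoped("*")))
    print("scoped u-1001 '*' spans accounts:", distinct_accounts(search_scoped("u-1001")))
    print("wildcard in id parameter flagged:", is_suspicious_identifier("u-*"))
```

    A request log in which identifier parameters carry glob metacharacters is a cheap detection for this class of probing; the durable fix is the scoped query, which makes the metacharacters harmless rather than merely rejected.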

    ------------------------------

    Date: Fri, 23 Nov 2018 13:09:51 -0500
    From: Tom Van Vleck <th...@multicians.org>
    Subject: Constructive software engineering?

    Think of a past disaster you've been a part of, a project that failed.
    Can we learn from it?

    We used to call these events "tanker collisions." The idea was, they
    were slow motion disasters; everyone could see that something terrible
    was inevitable, but it was too late to do anything.

    Ask yourself: was it the people, were they too dumb? Usually the
    answer is no, they were fine people, as good as you can hire. Maybe
    they weren't all geniuses, but they should have been good enough.

    How about the tools: did they cause the failure? Lots of people
    complain about their tools. But we've seen groups with really fancy
    tools fail to produce, and other projects succeed with very imperfect
    tools. And "it's a poor workman who blames his tools."

    Was it management? Yeah! Ask anybody, and they'll tell you it was
    management's fault. "Management blew it. The project was in the weeds
    and management was counting paperclips. They didn't act in time.
    They flew the plane right into the mountain."

    It seems to be very hard to think about management problems. Often,
    when we decide something is a management problem, that's shorthand for
    "unsolvable, not gonna go there." As soon as the trail leads into
    that thicket, we abandon it and look elsewhere for ways to make things
    better.

    When I look back at failed projects I know about, many seem to have
    had major management problems. But when I look at future plans, we
    seem to spend our planning time on technical issues. We don't
    anticipate management problems or do anything to prevent them, no
    matter how often we've had them in the past.

    [We have names for a few kinds of management problems, but we have no
    taxonomy or principle of enumeration. That is, we don't know how many
    ways management could go wrong, and if there is a management problem,
    everybody will have a different name for it.]

    Each new project sets out with the basic plan of doing new things,
    using new tools, and managing things in the same way that didn't work
    last time. If management is the cause of many of our problems, can we
    talk about changing how we manage?

    We could start by listing some approaches that won't work, and
    giving them entertaining names and descriptions.

    Cuisinart Management: I love metrics, when I can use them to convince
    people to do the right thing. At the same time, I worry that metrics
    may become a goal in themselves, that we may spend time getting good
    numbers instead of getting good quality. The basic idea in measuring
    a process is that one can add data about two different events
    together. But every bug is different, every line of code unique. We
    don't order software by the cubic yard. And mincing all the programs,
    or bugs, or tests, or whatever up in a grinder and then counting the
    semicolons, or basic blocks, or paths, can lose sight of the code, and
    the way it runs, and the way bugs get into the code.

    Dumbo Management: Suppose the Circus Engineering Institute does a
    study and determines that all the elephants that can fly are holding
    little feathers. Then it proposes to give all the big elephants
    feathers too, so they'll be able to fly. This is the problem with
    process evaluations. A good organization will (often) get a good
    assessment score. Often it is possible to change a terrible
    organization to get a better score without really improving the
    quality of its output. Some organizations with organized processes
    can produce good products. The inference that the good product is
    caused by the organized process needs support, in the form of an
    explanation of how particular good or bad features are caused. (Other
    organizations have many rules and procedures, and still fail to
    produce good products.) Remember my story of Andre, who wrote perfect
    code in pencil? Don't buy everybody a pencil and expect perfect code.

    New Communication Tool: Sometimes an organization will mandate a new
    tool, hoping that this will produce better products. Some caution is
    advisable. Management tools may focus on neatness, on "doing
    everything the same way," rather than on quality. I have worked on
    projects where the development progress recording tools were so slow
    and hard to use that product productivity was trashed.

    Throw the Management Out: After a disaster, sometimes even part way
    through one, it's common to replace the management, and permute the
    organization chart. The troops know that this rarely helps. Why
    should we expect the new managers or new structure to work any better?
    Change alone may get people interested in new approaches to the
    problem for a while, but there are other effects of opposite sign,
    such as the cost to educate newcomers. It's like throwing out your
    pencil when you make a spelling error.

    Read Parnas and Clements, "A rational design process: how and why to fake
    it" (IEEE TOSE, Feb 1986)
    https://www.researchgate.net/publication/225524076_A_rational_design_process_how_and_why_to_fake_IT

    ------------------------------

    Date: Fri, 23 Nov 2018 19:18:40 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Israeli artificial intelligence company improves highway safety in
    Las Vegas (The Times of Israel)

    Waycare startup platform uses in-vehicle information and municipal traffic
    data to understand road conditions in real time; year-long test reduced
    traffic accidents by 17%

    https://www.timesofisrael.com/israeli-artificial-intelligence-company-improves-highway-safety-in-las-vegas/

    Maybe addressing risks? Will it scale? Will it be hackable? We'll see.

    ------------------------------

    Date: Mon, 26 Nov 2018 11:46:00 -0500
    From: ACM TechNews <technew...@acm.org>
    Subject: Potentially Disastrous Rowhammer Bitflips Can Bypass ECC Protections

    Dan Goodin, Ars Technica, 21 Nov 2018
    via ACM TechNews, Monday, November 26, 2018

    Researchers at Vrije University Amsterdam in the Netherlands found a way to
    circumvent an error-correcting code (ECC) patch in high-end DDR3 memory
    chips thought to prevent exploitation by the Rowhammer hack. ECC adds
    sufficient redundancy to repair single bitflips in a 64-bit word, and when
    two bitflips occur in a word, it causes the underlying program to crash;
    when three bitflips occur in the right places, ECC can be bypassed. The team
    found a timing side channel by measuring the amount of time it took to
    execute certain processes to extract granular details about bitflips
    occurring within the silicon. Said the researchers, "Armed with this
    knowledge, we then proceeded to show that ECC merely slows down the
    Rowhammer attack and is not enough to stop it." Although they acknowledged
    the new exploit presents no immediate threat, the researchers said these
    findings show that Rowhammer is continuously evolving and should not be
    discounted.

    https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d4b6x218c55x070404%26
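
    How a single-error-correct, double-error-detect code behaves under one, two and three flips, as an added example that is not the Vrije researchers' code and does not reproduce their timing side channel. It uses a textbook Hamming(72,64) layout with an overall parity bit; that layout is an assumption, since DRAM controllers use their own, so the exact positions that fool the decoder differ from chip to chip, but the mechanism the summary describes is the same: one flip is corrected, two are flagged, and three in the right places are reported as a corrected single flip while the word handed back is wrong.

```python
"""SECDED ECC on a 64-bit word, to show the one / two / three bit-flip behaviour.

Added example, not the researchers' code. It implements a textbook
Hamming(72,64) code plus an overall-parity bit (single-error-correct,
double-error-detect). Real memory controllers use their own bit layouts, so
the specific positions below are illustrative; the failure mode is general.
"""
from functools import reduce

WORD_BITS = 64
CODE_BITS = 72                                      # 64 data + 7 Hamming + 1 overall parity
PARITY_POS = [1, 2, 4, 8, 16, 32, 64]               # Hamming check-bit positions
DATA_POS = [p for p in range(1, CODE_BITS) if p & (p - 1)]   # the 64 non-powers of two
assert len(DATA_POS) == WORD_BITS

NO_ERROR, CORRECTED, UNCORRECTABLE = "no_error", "corrected", "uncorrectable"


def _xor(bits):
    return reduce(lambda a, b: a ^ b, bits, 0)


def encode(word: int) -> list:
    """Return the 72-bit codeword as a list; index 0 holds the overall parity bit."""
    bits = [0] * CODE_BITS
    for i, pos in enumerate(DATA_POS):
        bits[pos] = (word >> i) & 1
    for p in PARITY_POS:
        # Check bit p covers every position whose index has bit p set.
        bits[p] = _xor(bits[q] for q in range(1, CODE_BITS) if q & p and q != p)
    bits[0] = _xor(bits[1:])
    return bits


def decode(bits: list):
    """Return (status, word); word is None when the decoder flags an uncorrectable error.

    The decoder sees only the syndrome and the overall parity. Like a memory
    controller, it cannot tell one flip from three flips that leave the same
    evidence, so it "corrects" and reports success.
    """
    syndrome = _xor(pos for pos in range(1, CODE_BITS) if bits[pos])
    odd = _xor(bits)                      # 1 if an odd number of bits flipped
    fixed = list(bits)
    if syndrome == 0 and odd == 0:
        status = NO_ERROR
    elif odd == 1 and syndrome < CODE_BITS:
        fixed[syndrome] ^= 1              # syndrome 0 means the overall parity bit itself
        status = CORRECTED
    else:
        return UNCORRECTABLE, None        # even flip count, or syndrome outside the word
    word = sum(fixed[pos] << i for i, pos in enumerate(DATA_POS))
    return status, word


def simulate_flips(word: int, positions) -> tuple:
    """Flip the given codeword positions (0..71) and report what the decoder says."""
    bits = encode(word)
    for pos in positions:
        bits[pos] ^= 1
    return decode(bits)


def silently_corrupted(word: int, positions) -> bool:
    """True when ECC reports success (no error or corrected) but returns wrong data."""
    status, got = simulate_flips(word, positions)
    return status != UNCORRECTABLE and got != word


if __name__ == "__main__":
    w = 0xDEADBEEFCAFEF00D                # constructed sample word
    for flips in ([10], [10, 20], [3, 5, 6], [3, 5, 9]):
        status, got = simulate_flips(w, flips)
        print(flips, status, "silent corruption" if silently_corrupted(w, flips) else "")
```

    Positions 3, 5 and 6 XOR to zero, so three flips there look like a flipped parity bit; positions 3, 5 and 9 XOR to 15, so the decoder "corrects" an innocent fourth bit. Either way the status reads corrected and the data is wrong, which is why the summary says ECC slows the attack rather than stopping it; the defender's signal is the rate of corrected single-bit events reported by the controller, not the absence of uncorrectable ones.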

    ------------------------------

    Date: Sun, 25 Nov 2018 16:15:26 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Climate Change and the Savage Human Future (NYTimes)

    Homo Sapiens Was The First Species To Alter The Environment That Sustained
    Us -- To The Point That It Might Not Sustain Us Anymore.
    https://www.nytimes.com/interactive/2018/11/16/magazine/tech-design-nature.html

    Long after the last print copy of the King James Bible has disintegrated and
    the Venus de Milo has gone to powder, the glory of our civilization will
    survive in misshapen, neon-flecked rocks called plastiglomerate: compounds
    of sand, shells and molten plastic, forged when discarded wrappers and
    bottle caps burn in beach campfires. Additional clues about the way we lived
    will be found in the ubiquity of cesium-137, the synthetic isotope produced
    by every nuclear detonation, and in the glacial ice (should any glaciers
    remain) that will register a spike of atmospheric carbon dioxide beginning
    in the Industrial Revolution. Future anthropologists might not be able to
    learn everything there is to know about our culture from these geological
    markers, but they will be a good start.

    In the beginning, human beings tended to view nature as a mortal enemy --
    with wariness, dread and aggression. The closer we were to the other
    animals, the more threatened we were by their proximity -- geographical and
    behavioral. `Wilderness': from the Old English -ness + wild + deor, `the
    place of wild beasts.' In the Old and New Testaments, `the wilderness' is a
    godless, hostile domain, the anti-Eden; Samuel Johnson defined it as ``a
    tract of solitude and savageness''; William Bradford, a founder of Plymouth
    Colony, reacted to the untrammeled New World with horror, calling it
    ``hideous & desolate ... full of wild beasts & wild men.''

    These examples come from Roderick Nash's totemic history, `Wilderness and
    the American Mind' (1967). Nash describes how, in the 19th century, the
    terms of humanity's relationship with nature flipped. It was no longer
    possible to take seriously the premise that nature was a threat to
    civilization; civilization, it was understood, was a threat to nature. This
    observation, developed by Alexander von Humboldt and successors like George
    Perkins Marsh (who worried that `climatic excess' might lead to the
    extinction of the human species) and John Muir (who sought to protect
    America's natural cathedrals from human defilement), helped inspire the
    birth of the American environmental movement. It took decades for a new
    conception of wilderness -- sacred, virginal, innocent of human influence --
    to take hold, and it may take decades more before it is widely understood to
    be a myth. [PGN-truncated]

    https://www.nytimes.com/interactive/2018/08/01/magazine/climate-change-losing-earth.html

    ------------------------------

    Date: Wed, 21 Nov 2018 08:00:00 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Now it's Office's turn to have a load of patches pulled

    Now it's Office's turn to have a load of patches pulled

    Two patches pulled altogether; another is known to cause crashes but should
    be used anyway.

    https://arstechnica.com/gadgets/2018/11/now-its-offices-turn-to-have-a-load-of-patches-pulled/

    ------------------------------

    Date: Wed, 21 Nov 2018 08:03:54 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Windows 10 October 2018 Update is back, this time without deleting
    your data

    Microsoft is opening up about some of its testing procedures, too.

    https://arstechnica.com/gadgets/2018/11/windows-10-october-2018-update-is-back-this-time-without-deleting-your-data/

    ------------------------------

    Date: Wed, 21 Nov 2018 08:10:14 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: E-commerce site is infected not by one, but two card skimmers

    Rival crime gangs race against each other to steal consumers' personal data

    https://arstechnica.com/information-technology/2018/11/sign-of-the-times-payment-card-skimmers-go-head-to-head-on-e-commerce-site/

    ------------------------------

    Date: Wed, 21 Nov 2018 08:12:02 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Uber self-driving team was preparing for CEO demo before fatal crash

    Engineers were reportedly encouraged to limit "bad experiences" to one per
    trip.

    https://arstechnica.com/cars/2018/11/report-uber-self-driving-team-was-preparing-for-ceo-demo-before-fatal-crash/

    ------------------------------

    Date: Wed, 21 Nov 2018 08:09:12 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: The Snowden Legacy, part one: What's changed, really?

    In our two-part series, Ars looks at what Snowden's disclosures have
    wrought politically and institutionally.

    https://arstechnica.com/tech-policy/2018/11/the-snowden-legacy-part-one-whats-changed-really/

    ------------------------------

    Date: Wed, 21 Nov 2018 07:37:24 -0700
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Christmas spirit triumphs over data law (CNN)

    Tara John and Nina Avramova, CNN, November 21, 2018
    https://www.cnn.com/2018/11/21/europe/germany-christmas-gdpr-grm-scli-intl/

    (CNN) A German town managed to revive a children's Christmas tradition
    after European data protection laws very nearly scrapped it. In previous
    years up to 4,000 wishes to Father Christmas were placed on a tree at a
    Christmas market in the southern town of Roth, according to German
    newspaper Die Welt. The city council would then attempt to fulfill those
    wishes, which included the names and addresses of the children who wrote
    them.

    Previous requests granted included trips to the fire station, books and
    visits to the mayor. The festive event was seen as a major highlight for
    local kids. But the popular activity had to stop in 2016 because of
    Germany's data privacy legislation, *Die Welt* reports. Roth found a
    workaround -- putting the wishes in a locked box -- but that was made
    redundant in May when the European Union's General Data Protection
    Regulation (GDPR) came into force.

    That legislation states that parents of minors have to provide consent to
    the use of their kids' data. Organizations that fail to comply face big
    financial penalties. Providing proof of this was deemed too onerous by
    the council and the city decided against festive wish lists for 2018.
    [...]

    Local radio station Antenne Bayern found a solution. It created a wish
    list, which included a parental consent disclaimer, which can be printed
    from their website and put in the wishing box at the Christmas market.

    ------------------------------

    Date: Wed, 21 Nov 2018 15:42:37 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Apple pitches 9M VA medical records on iPhone format (Fortune)

    As part of its push into healthcare, *Apple* has pitched the *Department of
    Veterans Affairs* on incorporating the medical records of the 9 million vets
    currently in the federal system into the company's portable, iPhone-based
    format. No word on whether the project will come to fruition, or even if
    talks are still active.
    <https://click.email.fortune.com/?qs=924a6ff868f5934d43c6a7d1612ce671c6520ab3d8f7e20f7e3265cec8cda34666fa2c1f17d0465e025d67a0dba9eeee308c2f8f02f9c0f2>

    ------------------------------

    Date: Thu, 22 Nov 2018 14:12:19 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: A Clearer Message on Cochlear Implants (NY Times)

    https://www.nytimes.com/2018/11/21/opinion/deaf-cochlear-implants-sign-language.html

    "A cochlear implant isn't inherently bad, but it isn't inherently good,
    either; it is a neutral piece of technology, a tool, like a hammer.
    Expecting an implant to cure deafness or magically generate speech is to
    await the moment the hammer will fly out of one's hand and build a house on
    its own. The value of the tool lies only in the skill of its user, and for
    the cochlear implant user, that skill is learned with much effort. To
    suggest otherwise is to give a disingenuous prognosis to potential patients
    and their parents, and discounts the hard work successful C.I. users do to
    communicate in a way the hearing world deems acceptable."

    A worthy lesson to heed for all technology, including toothpicks.

    ------------------------------

    Date: Thu, 22 Nov 2018 21:03:56 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: This new weapon alerts police as soon as it's fired (WashPost)

    https://www.washingtonpost.com/technology/this-new-weapon-alerts-police-as-soon-as-its-fired/2018/11/21/1474aa12-e7b2-484e-bfe6-c872a8876419_story.html

    "Electronic weapons rarely work all the time," Ron Martinelli, a forensic
    criminologist, told CNN in 2015, noting that incapacitation can hinge upon
    where and how both electrical probes strike the body. "Historically, they
    tend to be about 60 percent effective."

    Risk: Easy to imagine someone hacking the auto-dial phone number to order
    pizza and beer.

    ------------------------------

    Date: Fri, 23 Nov 2018 11:25:14 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: How The Wall Street Journal is preparing its journalists to
    detect deepfakes (NiemanLab.Org)

    http://www.niemanlab.org/2018/11/how-the-wall-street-journal-is-preparing-its-journalists-to-detect-deepfakes/

    This essay reveals techniques that can be applied to generate and detect
    "deepfake" content -- disguised mashup video, audio, etc. that misrepresents
    speech, sows controversy, and spreads disinformation. A "fine eye" is needed
    to scrutinize the content to look for telltale signs of inauthenticity.

    Risk: Over-reliance on video frame analysis may lead to incorrect
    determination of authenticity. A time-consuming process is required to
    correlate multiple sources (speech transcripts, news articles, etc.) to
    determine speech attribution and origin. Unchecked disinformation circulates
    in the wild until a net is thrown over it.

    ------------------------------

    Date: Fri, 23 Nov 2018 13:51:02 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Huron Daily Tribune reporter Brenda Battel fired over voicemail for
    Republican candidate (John James, WashPost)

    The Monday afternoon call was innocuous at first.

    Brenda Battel, a staff writer for the Huron Daily Tribune in rural Michigan,
    was seeking a chance to speak with Republican Senate candidate John James on
    Wednesday after the election.

    Battel left a voice-mail message with the James campaign, and alerted it to
    a potential follow-up email to further discuss his campaign against
    Sen. Debbie Stabenow (D).

    Then Battel hung up the phone — or so she believed, she later said.

    https://www.washingtonpost.com/politics/2018/11/06/reporter-unwittingly-left-voicemail-gop-candidate-she-was-fired-what-she-said/

    The risk? User error. More broadly, it's the "hot mic".

    ------------------------------

    Date: Fri, 23 Nov 2018 14:03:31 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: You snooze, you lose: Insurers make the old adage literally true
    (Ars Technica)

    Why insurers spy on sleep apnea sufferers via connected CPAP machines.

    https://arstechnica.com/science/2018/11/you-snooze-you-lose-insurers-make-the-old-adage-literally-true/

    Let's put everything online; what could go wrong...

    ------------------------------

    Date: Fri, 23 Nov 2018 12:01:03 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: GMail's spam filter is getting vicious?

    I send Gloria an awful lot of email, for somebody who lives in the same room.

    In particular, I send her notifications of appointments I've made. I send
    these to her GMail account, since she can get that on her phone, and
    therefore it's easier for her to transfer the appointments to her calendar.
    (No, not the calendar app. A real, honest-to-goodness book-with-paper-pages
    appointment calendar. It usually sits on the kitchen table.)

    Gloria doesn't use her GMail account much, so she doesn't get much spam. So
    when she noticed an entry in her spam folder, she checked it out. Lo and
    behold, it was a message from me. Subsequent messages from me, over the
    next few days, also went into the spam folder.

    I'd sent a message to my baby brother and he hadn't responded. I know his
    email domain is hosted through GMail, so I mentioned it to him in a phone
    call. He checked, and my messages to him were being sent to spam.

    So I did one of my sporadic forays into the spam folder in my own GMail
    account, and, yes, my messages from me were being sent to spam. I also
    found a few messages from friends in there, but most of the wrongly filtered
    messages were from me.

    I don't know what I've done to offend GMail ...

    ------------------------------

    Date: Fri, 23 Nov 2018 15:07:16 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: FCC Launches New Offensive Against Scam, Robo Calls

    http://www.eweek.com/networking/fcc-launches-new-offensive-against-scam-robo-calls

    ------------------------------

    Date: Sun, 25 Nov 2018 13:52:00 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Who lives with you? Facebook seeks to patent software to
    figure out profiles of households (Los Angeles Times)

    https://www.latimes.com/business/technology/la-fi-tn-facebook-patent-family-photos-20181116-story.html

    "This is what I would call a classic case of secondary use," said Pam Dixon,
    founder and executive director of the World Privacy Forum. "Someone is
    signing up to Facebook, or Instagram for that matter, to post photos or
    maybe keep in touch with old college friends. I don't think people intend to
    have all their relational outlines queried and mapped by Facebook and used
    for purposes that people aren't expecting."

    The marketplace for family demographics may entice insurance companies
    especially when coupled to environmental, health, or geographic information
    systems. Politicians might exploit the analysis to assist with election or
    jurisdiction (gerrymandering) activities.

    Too much to ask for a profile opt-in "secondary use" selection?

    ------------------------------

    Date: Sun, 25 Nov 2018 15:54:50 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: This bill includes prison for CEOs who fail to take consumer
    privacy seriously (Los Angeles Times)

    https://www.latimes.com/business/lazarus/la-fi-lazarus-data-privacy-prison-for-ceos-20181116-story.html

    "It's gotten to the point that there are so many data breaches, people can
    find it hard to work up a sense of outrage over their privacy being violated
    again and again and again.

    "The business world is counting on such breach fatigue to keep meaningful
    privacy safeguards at bay.

    "Consumers shouldn't hand them such a huge victory."

    "Under Wyden's bill, any company with revenue topping $1 billion a year, or
    that stores data on more than 50 million consumers or consumer devices,
    would have to submit an annual 'data protection report' to the FTC detailing
    all activities related to keeping people's info under wraps."

    The private companies with revenues of over US$ 2B in 2018 can be found here
    <https://www.forbes.com/largest-private-companies/list/> There are 230
    listed. A guestimate says that there are 2X this number, or ~500 private
    companies with revenue over US$ 1B in the US.

    The Fortune 1000 (public companies) bottoms out at ~US$ 1.8B (see
    https://www.someka.net/excel-template/fortune-1000-excel-list/ for 2018). A
    guestimate says there are 2X (~2000) public companies valued at US$ 1B or
    more.

    So...a maximum of ~2500 potential data breach CEO prosecutions from
    negligent infosec practices.

    Assuming Wyden's bill passes both houses of Congress, and is signed into
    law:

    Risk1: Weak FTC regulations and capricious enforcement practice
    substantially mitigates deterrence effectiveness. No prosecutions arise from
    data breach epidemic.

    Conversely: Data breach prosecution becomes more popular than a traffic
    ticket. USA Today (see
    https://www.usatoday.com/story/money/personalfinance/2014/03/24/20-ways-we-blow-our-money/6826633/)
    says that ~40M traffic tickets are issued annually in the US per 2014
    statistics.

    Risk2: Strict enforcement boosts a prison construction boom and a swift
    return to filing cabinets and paper, elevating paper company and office
    furniture supplier stocks.

    The data breach perpwalk: a new dance step for corporate boardroom members
    to master.

    ------------------------------

    Date: Sun, 25 Nov 2018 14:45:59 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Can The Police Remotely Drive Your Stolen Car Into Custody? (Slashdot)

    https://yro.slashdot.org/story/18/11/25/0137258/can-the-police-remotely-drive-your-stolen-car-into-custody

    A little like Fairfax County VA "bait cars" -- cars left as tempting theft
    targets. They're rigged to alert if doors are opened, fitted with tracking
    gear and remote lock/slow/kill switches. So cops will locate/pursue when
    they're stolen, wait until it's safe, then lock/slow/kill car. And chat with
    occupants. Quite different, of course, from seizing control of random
    private vehicles stolen.

    ------------------------------

    Date: Sun, 25 Nov 2018 19:13:25 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Free Software Messiah Richard Stallman: We Can Do Better Than
    Bitcoin (CoinDesk)

    And speaking broadly, Stallman continued:

    “If bitcoin protected privacy, I'd probably have found a way to use
    it by now.”

    https://www.coindesk.com/free-software-messiah-richard-stallman-we-can-do-better-than-bitcoin

    ------------------------------

    Date: Mon, 26 Nov 2018 11:06:43 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Mobile Application/Social Media Addiction Freedom Experiment
    (TechCrunch.com and The Economist)

    https://techcrunch.com/2018/11/25/nowhere-to-go/
    https://www.economist.com/business/2018/11/24/facebook-should-heed-the-lessons-of-internet-history

    Profile-driven advertisements fuel Internet-based social media and mobile
    device application business profit. A user profile is assessed to target ad
    content delivery. Various attributes: age, gender, geographic location,
    income level, site content viewing/visit preference/frequency,
    etc. contribute to the ad delivery calculus.

    Businesses track daily, weekly, monthly usage of their services and
    applications to determine the ad billing cost.

    Measuring and characterizing certain user access patterns can indicate
    addictive predilection.

    Social media and application businesses can proactively attempt to dissuade
    service/application overuse and taper addictive behavior. This effort
    depends on an inversion of profile attributes: what is assigned as an
    "appeal to target" must be switched to "repellent to target" as necessary. A
    form of aversion therapy. Literary note: In Anthony Burgess' "A Clockwork
    Orange," aversion therapy was used as a behavioral cure.

    As an example, for ages 8-12, target the audience with ads about retirement
    communities, collecting butterflies, coal mine stockpiles, The Dow Jones, or
    the importance of eating your spinach. Compilation of equivalent repellent
    ad cohorts can be assembled by profile attribute inversion. Wise and mature
    editorial oversight is essential to compile these content libraries.

    Preventing exposure to violent, horrifying, and other inappropriate or toxic
    material is required. Audience/ad mismatch, not "shock, awe and frighten,"
    should guide ad population target selection.

    Measure the state of addiction before and after the experiment per standard
    business performance metrics. Outsource to a trusted and neutral non-profit
    to oversee the measurement, compiled statistics, and write the summary
    findings.

    This experiment may afford one means for mobile applications and social
    media business to restore their rapidly tarnishing reputation. The outcome
    can provide a forum to discuss public brand addiction and how to best
    suppress it.

    Risk: Contractual SLA underachievement for target audience ad delivery
    fulfillment incurs business finance loss.

    ------------------------------

    Date: Sun, 25 Nov 2018 16:23:50 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: China Creating Gene-Edited Babies (MIT Technology Review)

    Rewriting Life

    Chinese scientists are creating CRISPR babies. A daring effort is underway
    to create the first children whose DNA has been tailored using gene-editing.

    https://www.TechnologyReview.com/s/612458/exclusive-chinese-scientists-are-creating-crispr-babies/

    EXCERPT:

    When Chinese researchers first edited the genes of a human embryo in a lab
    dish in 2015, it sparked global outcry and pleas from scientists not to make
    a baby using the technology, at least for the present.

    It was the invention of a powerful gene editing tool, CRISPR, which is cheap
    and easy to deploy, that made the birth of humans genetically modified in an
    in-vitro fertilization (IVF) center a theoretical possibility
    <https://www.technologyreview.com/s/535661/engineering-the-perfect-baby/>

    Now, it appears it may already be happening.

    According to Chinese medical documents posted online this month (here
    <http://www.chictr.org.cn/showprojen.aspx%3Fproj%3D32758> and here
    <http://www.chictr.org.cn/uploads/file/201811/bb9c5996d8fd476eacb4aeecf5fd2a01.pdf>
    a team at the Southern University of Science and Technology, in Shenzhen,
    has been recruiting couples in an effort to create the first gene-edited
    babies. They planned to eliminate a gene called CCR5 in order to render the
    offspring resistant to HIV, smallpox, and cholera.

    The clinical trial documents describe a study to employ CRISPR to modify
    human embryos, then to transfer them into the uterus of mothers and deliver
    healthy children...

    ------------------------------

    Date: Mon, 26 Nov 2018 10:01:38 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: British Parliament seizes internal Facebook documents by
    threatening to jail a different CEO

    https://boingboing.net/2018/11/25/by-any-means-necessary.html

    The British Parliament has been able to obtain internal Facebook documents,
    even though Facebook didn't want to give them up, and they were sealed by a
    judge in California.

    If you don't like Facebook, you can enjoy the schadenfreude in
    Facebook's continuing troubles. If you do like Facebook, you can take this
    as a warning that there is more than one way to skin a cat (or obtain
    confidential information).

    Regardless of how you feel about Facebook, it's a warning about wandering
    around with really sensitive information on your laptop ...

    ------------------------------

    Date: Mon, 26 Nov 2018 13:58:27 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Dangerous Junk Science of Vocal Risk Assessment (The Intercept)

    _Is it possible_ to tell whether someone is a criminal just from looking at
    their face or listening to the sound of their voice? The idea may seem
    ludicrous, like something out of science fiction -- Big Brother in *1984*
    detects any unconscious look ``that carried with it the suggestion of
    abnormality'' -- and yet, some companies have recently begun to answer this
    question in the affirmative. AC Global Risk, a startup founded in 2016,
    claims to be able to determine your level of *risk* as an employee or an
    asylum-seeker based not on what you say, but how you say it.

    https://theintercept.com/2018/11/25/voice-risk-analysis-ac-global/

    ...joining dowsing rods, polygraphs, homeopathy...

    ------------------------------

    Date: Sun, 25 Nov 2018 08:45:40 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Can The Police Remotely Drive Your Stolen Car [or you?] Into
    Custody? (Slashdot)

    https://yro.slashdot.org/story/18/11/25/0137258/can-the-police-remotely-drive-your-stolen-car-into-custody

    Autonomous cars will give police states surveillance and control powers that
    they've only dreamed of. I continue to be flabbergasted how proponents of
    autonomous vehicles seem unwilling to discuss how these vehicles can be used
    as instruments of individualized and/or mass control and suppression by
    governments.

    ------------------------------

    Date: Sun, 25 Nov 2018 11:39:25 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: LinkedIn used 18 million non-user e-mails to target Facebook ads
    (The Verge)

    LinkedIn used 18 million non-user e-mails to target Facebook ads
    https://www.theverge.com/2018/11/25/18111087/linkedin-ireland-data-protection-commission-18-million-non-user-e-mails-targeted-facebook-ads

    ------------------------------

    Date: Wed, 28 Nov 2018 11:54:00 -0500
    From: ACM TechNews <technew...@acm.org>
    Subject: Study: Smart Speakers Make Passive Listeners (Melanie Lefkowitz)

    Melanie Lefkowitz, Cornell Chronicle (NY), 27 Nov 2018 via
    ACM TechNews, 28 Nov 2018

    Cornell University researchers investigating the wider ramifications of
    content discovery with smart speaker products found people who read choices
    online digested information nine times faster and explored at least three
    times as much as those who heard them listed by a Siri, Alexa, or similar
    product. Recommendation algorithms generally prioritize popular content,
    with people who read their recommendations less likely to select the most
    popular or top-rated options. Said Cornell's Longqi Yang, "With these
    devices becoming more popular and more people adopting them, this kind of
    interface becomes very important, because it's one of the major channels for
    people to be exposed to information." Yang said these devices could be
    redesigned to meet this challenge; his team recommended that smart speakers
    offer top-ranked choices that are diverse, personalized, and frequently
    changed, giving users access to a broader range of information. These
    findings were presented at the ACM Conference on Recommender Systems (RecSys
    2018) in Vancouver, Canada.

    https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d52cx218d83x070148%26

    ------------------------------

    Date: Mon, 26 Nov 2018 17:44:52 -0500
    From: David Tarabar <dtar...@acm.org>
    Subject: Re: 670 ballots in a precinct with 276 voters
    (Douglass, RISKS-30.92)

    There were actually 3,704 registered voters. The 276 number was an error
    that was corrected at the Georgia Secretary of State website in August.

    But on the web, an error rarely is corrected. This false headline (from
    months ago) was circulated during the November election and no doubt will
    reappear during future elections. Apparently only the McClatchy news
    organization bothered to do a simple fact check of a curious `fact'.

    ------------------------------

    Date: Thu, 22 Nov 2018 07:15:06 -0800
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: Russia suspected of jamming GPS signal in Finland (BBC)

    If GPS jamming was NOT part of *war games*, then NATO would be criminally
    negligent, since the first activities in any future war would include
    taking out GPS satellites and/or jamming their signals. Recall that the
    Brits took down all of their street signs in the initial days of WWII.

    Google "GPS" and "war games".

    If the Russians did this jamming (which I highly doubt), they did NATO a
    favor by making the games more realistic.

    ------------------------------

    Date: Thu, 22 Nov 2018 16:51:15 +0000
    From: Attila the Hun <attilath...@tiscali.co.uk>
    Subject: Re: Japan cybersecurity minister admits he has never used a
    computer (RISKS-30.92)

    How many Health Ministers have performed brain surgery? How many Defence
    Ministers have held a Commission in the military? How many Interior
    Ministers have been in the police? How many Foreign Ministers have been
    diplomats? How many Chancellors of the Exchequer can add up?

    Government Ministers are figureheads, it's the Civil Service that has the
    knowledge and skills [allegedly]. Search YouTube for `Yes Minister' and
    `Yes Prime Minister' for the classic satires on the relationship between
    Ministers and Whitehall in Britain. Made in the early '80s, they're as true
    and funny today as they were then. Loved, apparently, by Margaret Thatcher.

    ------------------------------

    Date: Thu, 22 Nov 2018 17:08:52 +0000
    From: Attila the Hun <attilath...@tiscali.co.uk>
    Subject: Re: Tesla (RISKS-30.91,93)

    I'm afraid that Wols Lists is misinformed about the illegality of remaining
    in the outside lane of a British road after completing an overtaking
    manoeuvre.

    The Highway Code (the driving bible, but largely advisory) states:

    Rule 137 On a two-lane dual carriageway you should stay in the left-hand
    lane. Use the right-hand lane for overtaking or turning right. After
    overtaking, move back to the left-hand lane when it is safe to do so. Rule
    138 On a three-lane dual carriageway, you may use the middle lane or the
    right-hand lane to overtake but return to the middle and then the left-hand
    lane when it is safe. Note the `should' in rule 137. Rules containing the
    word `must' are backed by explicit law, those stating `should' are not.
    Albeit, they might still be deemed to constitute a generic offence under
    section 3 of the Road Traffic Act 1988: ``Careless, and inconsiderate,
    driving. If a person drives a mechanically propelled vehicle on a road or
    other public place without due care and attention, or without reasonable
    consideration for other persons using the road or place, he is guilty of an
    offence'' and certain breaches can attract an on-the-spot fixed penalty.

    ------------------------------

    Date: Fri, 23 Nov 2018 00:29:41 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Awful AI is a curated list to track current scary usages of AI
    (RISKS-30.92)

    Another list of AI (mainly machine learning) failures and strange results
    is available in this shared spreadsheet file:
    https://docs.google.com/spreadsheets/u/1/d/e/2PACX-1vRPiprOaC3HsCf5Tuum8bRfzYUiKLRqJmbOoC-32JorNdfyTiRRsR7Ea5eWtvsWzuxo8bjOxCG84dAg/pubhtml

    ------------------------------

    Date: Fri, 23 Nov 2018 12:30:22 +0200
    From: Toby Douglass <ri...@winterflaw.net>
    Subject: Re: The Cleaners' Looks At Who Cleans Up The Internet's Toxic
    Content (npr.org)

    The issue covered by the article and the submission to RISKS is worthy of
    the forum.

    I may be wrong, but I would say the *manner* of discussion was not worthy of
    the forum.

    I am reminded of the bus bombings in London.

    A serious event and in some forums, seriously discussed.

    In others, such as the tabloid newspapers, a full colour, full-page,
    front-page photo (presumably from CCTV) of the actual moment one of the
    bombs exploded with people just beginning to be thrown out of their seats,
    or in some cases, torn apart, by the blast.

    That photo was gruesome.

    I am sure there were some or many for whom that photo had no or little
    effect, mainly I suspect by desensitization through repeated exposure to
    similar material.

    I am sure there were at least some for whom it was distressing, as gruesome
    material will in the normal case be.

    The quote in the submission from the (presumably Facebook) content moderator
    was gruesome.

    ------------------------------

    Date: Mon, 26 Nov 2018 09:02:02 -0600
    From: David Strom via WebInformant <webinf...@list.webinformant.tv>
    Subject: Book review: The End of Trust (EFF)

    [via Gabe Goldberg]

    Last week the Electronic Frontier Foundation published an interesting book
    called The End of Trust <https://www.eff.org/the-end-of-trust>. It was
    published in conjunction with the writing quarterly McSweeneys, to which I
    have long been a subscriber and whose more usual fiction short story
    collections I enjoy. This issue is its first total non-fiction effort and it
    is worthy of your time.

    There are more than a dozen interviews and essays from major players in the
    security, privacy, surveillance and digital rights communities. The book
    tackles several basic issues: first the fact that privacy is a team sport,
    as Cory Doctorow opines -- meaning we have to work together to ensure
    it. Second, there are numerous essays about the role of the state in a
    society that has accepted surveillance, and the equity issues surrounding
    these efforts. Third, what is the outcome and implications of outsourcing of
    digital trust. Finally, various authors explore the difference between
    privacy and anonymity and what this means for our future.

    While you might be drawn to articles from notable security pundits, such as
    an interview where Edward Snowden explains the basics behind blockchain and
    where Bruce Schneier discusses the gap between what is right and what is
    moral, I found myself reading other less infamous authors that had a lot to
    say on these topics.

    Let's start off by saying there should be no `I' in privacy, and we have to
    look beyond ourselves to truly understand its evolution in the digital
    age. The best article in the book is an interview with Julia Angwin, who
    wrote an interesting book several years ago called Dragnet Nation
    <https://www.amazon.com/Dragnet-Nation-Security-Relentless-Surveillance/dp/0805098070>
    She says ``the word formerly known as privacy is not about individual harm,
    it is about collective harm. Google and Facebook are usually thought of as
    monopolies in terms of their advertising revenue, but I tend to think about
    them in terms of acquiring training data for their algorithms. That's the
    thing that makes them impossible to compete with.'' In the same article,
    Trevor Paglen says, ``we usually think about Facebook and Google as
    essentially advertising platforms. That's not the long-term trajectory of
    them, and I think about them as extracting-money-out-of-your-life
    platforms.''

    Role of the state

    Many authors spoke about the role that law enforcement and other state
    actors have in our new always-surveilled society. Author Sara
    Wachter-Boettcher <http://www.sarawb.com/d> said ``I don't just feel seen
    anymore. I feel surveilled.'' Thenmozhi Soundararajan
    <http://equalitylabs.org> writes that ``mass surveillance is an equity issue
    and it cuts across the landscape of race, class and gender.'' This is
    supported by Alvaro Bedoya, the director of a Georgetown Law school think
    tank <https://www.law.georgetown.edu/privacy-technology-center/>. He took
    issue about the statement that everyone is being watched, because some are
    watched an awful lot more than others. With new technologies, it is becoming
    harder to hide in a crowd and thus we have to be more careful about crafting
    new laws that allow the state access to this data, because we could lose our
    anonymity in those crowds. ``For certain communities (such as LBGTQ),
    privacy is what lets its members survive. Privacy is what lets them do what
    is right when what's right is illegal. Digital tracking of people's
    associations requires the same sort of careful First Amendment analysis that
    collecting NAACP membership lists in Alabama in the 1960s did. Privacy can
    be a shield for the vulnerable and is what lets those first `dangerous'
    conversations happen.''

    Scattered throughout the book are descriptions of various law enforcement
    tools, such as drones, facial recognition systems, license plate readers and
    cell-phone simulators. While I knew about most of these technologies,
    collected together in this fashion they seem all the more insidious.

    Outsourcing our digital trust

    Angwin disagrees with the title and assumed premise of the book, saying the
    point is more about the outsourcing of trust than its complete end. That
    outsourcing has led to where we prefer to trust data over human
    interactions. As one example, consider the website Predictim
    <https://www.predictim.com/>, which scans a potential babysitter or dog
    walker to determine if they are trustworthy and reliable using various
    facial recognition and AI algorithms. Back in the pre-digital era, we asked
    for personal references and interviewed our neighbors and colleagues for
    this information. Now we have the Internet to vet an applicant.

    When eBay was just getting started, they had to build their own trust proxy
    so that buyers would feel comfortable with their purchases. They came up
    with early reputation algorithms, which today have evolved into the
    Uber/Lyft star-rating for their drivers and passengers. Some of the writers
    in this book mention how Blockchain-based systems could become the latest
    incarnation for outsourcing trust.

    Privacy vs. anonymity

    The artist Trevor Paglen
    <https://art21.org/artist/trevor-paglen/%3Fgclid%3DEAIaIQobChMIqrz0_KTy3gIVUL7ACh2JEwG_EAAYASAAEgIAufD_BwE>
    says, ``we are more interested not so much in privacy as a concept but more
    about anonymity, especially the political aspects.'' In her essay, McGill
    ethics professor Gabriella Coleman says, ``Anonymity tends to nullify
    accountability, and thus responsibility. Transparency and anonymity rarely
    follow a binary moral formula, with the former being good and the latter
    being bad.''

    Some authors explore the concept of privacy nihilism, or disconnecting
    completely from one's social networks. This was explored by Ethan Zuckerman,
    who wrote in his essay: ``When we think about a data breach, companies tend
    to think about their data like a precious asset like oil, so breaches are
    more like oil spills or toxic waste. Even when companies work to protect our
    data and use it ethically, trusting a platform gives that institution
    control over your speech. The companies we trust most can quickly
    become near-monopolies whom we are then forced to trust because they have
    eliminated their most effective competitors. Facebook may not deserve our
    trust, but to respond with privacy nihilism is to exit the playing field and
    cede the game to those who exploit mistrust.'' I agree, and while I am not
    happy about what Facebook has done, I am also sticking with them for the
    time being too.

    This notion of the relative morality of our digital tools is also taken up
    in a recent NY Times op/ed by NYU philosopher Matthew Liao, "Do you have a
    moral duty to leave Facebook?"
    <https://www.nytimes.com/2018/11/24/opinion/sunday/facebook-immoral.html>
    He says that the social media
    company has come close to crossing a `red line', but for now he is staying
    with them.

    The book has a section for practical IT-related suggestions to improve your
    trust and privacy footprint, many of which will be familiar to my readers
    (MFA, encryption, and so forth). But another article by Douglas Rushkoff
    goes deeper. He talks about the rise of fake news in our social media feeds
    and says that it doesn't matter what side of an issue people are on for them
    to be infected by the fake news item. This is because the item is designed
    to provoke a response and replicate. A good example of this is one
    individual recently mentioned in this WaPost piece who has created his own
    fake news business out of a parody website here
    <https://www.washingtonpost.com/national/nothing-on-this-page-is-real-how-lies-become-truth-in-online-america/2018/11/17/edd44cc8-e85a-11e8-bbdb-72fdbf9d4fed_story.html?fbclid=IwAR0dmdRIv6ShQu_1OiibK0pHQ9EGK_K-rx8Sk7lPc7t8u3l1EFTh-ELJxbU&noredirect=on&utm_term=.6e2ad78f7bad>

    Rushkoff recommends three strategies for fighting back: attacking bad memes
    with good ones, insulating people from dangerous memes via digital filters
    and the equivalent of AV software, and better education about the underlying
    issues. None of these are simple.

    This morning the news was about how LinkedIn harvested 18M emails
    <https://techcrunch.com/2018/11/24/linkedin-ireland-data-protection/> from
    to target ads to recruit people to join its social network. What is chilling
    about this is how all of these email addresses were from non-members that it
    had collected, of course without their permission.

    You can go to the EFF link above where you can download a PDF copy or go to
    McSweeneys and buy the hardcover book.
    <https://store.mcsweeneys.net/products/mcsweeney-s-issue-54-the-end-of-trust?taxon_id=1>
    Definitely worth reading.

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.93
    ************************
     
  7. LakeGator

    Risks Digest 30.94

    RISKS List Owner

    Dec 3, 2018 11:25 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 3 December 2018 Volume 30 : Issue 94

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/30.94>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Ping of Death comes to aircraft avionics (John Clear)
    Tesla driver asleep at the wheel on automatic (PaloAltoOnline)
    Overtrust as a safety issue: The dangers of Autonomous Vehicles (Don Norman)
    Israeli Software Helped Saudis Spy on Khashoggi, Lawsuit Says (NYT)
    Sec. Def. Mattis: Putin tried to "muck around" with U.S. midterms (The Hill)
    How Trump, ISIS, and Russia have mastered the Internet as a weapon (WashPo)
    How creative foreign hackers crack into a vulnerable U.S. (John P. Carlin)
    After a Hiatus, China Accelerates Cyberspying Efforts to Obtain U.S.
    Technology (NYTimes)
    Justice Department charges Iranians with hacking attacks on U.S. cities,
    companies (WashPost)
    Deputy AG Rod Rosenstein Is Still Calling for an Encryption Backdoor
    (WiRed)
    DriveSavers claims it can break into any locked iPhone (The Verge)
    Risks of Airport Wi-Fi (LATimes)
    How I changed the law with a GitHub pull request (ArsTechnica)
    When the Internet Archive Forgets (Gizmodo)
    Payless prank: Social media influencers thought they were buying Palessi
    (WashPost)
    "Human intelligence is needed." Want to Purge Fake News? Try Crowdsourcing
    (NYTimes)
    U.S. Asks, Are You a Terrorist? Scottish Grandfather Gives Wrong Answer
    (NYTimes)
    AI thinks like a corporation -- and that's worrying (The Economist)
    Chinese genomics scientist defends his gene-editing research in first public
    appearance (WashPost)
    Be careful how you make DMCA complaints (The Register)
    How long fumbling with cellphone before monkeys close in? (Dan Jacobson)
    Chinese businesswoman accused of jaywalking after AI camera spots her
    face on an advert (The Telegraph)
    EU data rules have not stopped spam emails, Nesta survey finds
    (The Telegraph)
    Re: The Cleaners' Looks At Who Cleans Up The Internet's (Richard Stein)
    Re: Constructive software engineering? (Toby Douglass)
    Re: EMV card fraud statistics (Phil Smith III)
    Re: GMail's spam filter is getting vicious? (Rex Sanders)
    Inside the futuristic restaurant where a robot has replaced the bartender
    (WashPost)
    A QA engineer walks into a bar... (Gabe Goldberg)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 28 Nov 2018 10:03:29 -0800
    From: John Clear <j...@panix.com>
    Subject: Ping of Death comes to aircraft avionics

    FAA Bulletin Addresses Aspen Display Resets

    According to the Special Airworthiness Information Bulletin (SAIB),
    affected systems will repeatedly reset themselves at five- to ten-minute
    intervals, resulting in the temporary loss of all flight display
    information for up to one minute during each reset.

    "The cause of this safety issue is currently under investigation; however,
    preliminary information suggests that the cause of the continuous reset is
    related to the ADS-B In interface" said the FAA.

    https://www.avweb.com/avwebflash/news/FAA-Bulletin-Addresses-Aspen-Display-Resets-231918-1.html

    ADS-B is a data link protocol for weather, traffic and other flight-related
    information. It seems that certain Aspen Primary Flight Displays (PFD) and
    Multifunction Displays (MFD) have issues with ADS-B data, and are resetting
    in flight.

    PFDs display attitude, altitude, speed and other flight information. Loss
    of a PFD can lead to loss of control of an aircraft. MFDs display charts,
    weather, engine and other information. Loss of an MFD in cruise is a minor
    issue, but during an approach it can cause a loss of situational awareness if
    on an instrument approach.

    ------------------------------

    Date: Mon, 3 Dec 2018 13:49:11 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Tesla driver asleep at the wheel on automatic

    Very interesting story. Los Altos Planning Commission chair was asleep at
    wheel of his Tesla in auto mode going 70 on 101. CHP pulled him off the
    road by forcing the car to stop by putting enough police cars in front of
    and next to him, and slowing down. He didn't wake up until they all had
    stopped. No accident, no one hurt, but not clear why the autopilot didn't
    shut down.

    [PGN-ed From a note from Ray Perrault.]

    https://www.paloaltoonline.com/news/2018/11/30/los-altos-planning-commissioner-arrested-for-tesla-dui

    ------------------------------

    Date: Mon, 3 Dec 2018 18:47:25 -0800
    From: Don Norman <dno...@ucsd.edu>
    Subject: Overtrust as a safety issue: The dangers of Autonomous Vehicles

    https://www.wired.com/story/tesla-sleeping-driver-dui-arrest-autopilot/

    There are two issues with this event, neither of them particularly new.

    *Overtrust*. People often worry a lot about *undertrust*: how do we convince
    people to trust a new system? They seldom worry about overtrust. Well, the
    recent incidents (e.g., Uber and Tesla) indicate that overtrust is a real
    danger. See the URL above.

    *System design.* Tesla (and all OEMs) claim to be able to detect when the
    driver is not paying attention. Obviously, Tesla failed.

    *Safety driver*. The notion of a safety driver is fundamentally flawed, as
    the Uber situation demonstrates. The Human-Systems Integration folks (which
    includes me) have been demonstrating for many decades now that people can
    not take over rapidly enough when there has been nothing to do for many
    hours, and where the system has performed quite well for weeks, months or
    years. (My paper on this topic was about 4 decades ago, and I was not the
    first.)

    The one lesson we have learned from the recent events is that people do not
    learn. Each new field of application ignores all the findings of the
    previous other fields. In my opinion, the levels of automation argument is
    fundamentally flawed. Take the 0 - 5 levels described by SAE. (0 = fully
    manual. 5 = perfect, full-time automation, so no controls are required.)

    https://www.nhtsa.gov/sites/nhtsa.dot.gov/files/documents/13069a-ads2.0_090617_v9a_tag.pdf
    (See page 10 of the PDF).

    At best we are today at level 2 for commercial vehicles. (We are at level 5
    for special cases, such as transporting materials on factory floors.)

    Here are my opinions. We should permit levels 0, 1, and 2; prohibit levels 3
    and 4, and allow only level 5. And place restrictions on advertisements of
    vehicle capability.

    Makes great scientific sense, but fails politically and in today's
    competitive environment, it fails the marketing test.

    Autonomous vehicles are rapidly advancing in capability. Their most
    dangerous issues will be overtrust once we hit levels of 3 and 4 (we already
    see overtrust at level 2). And the next major problem facing us is the
    complexity of the transition when some vehicles that are truly at level 5
    intermix with vehicles at level 1 or 2 -- to say nothing of level 0
    vehicles. (Levels 0 and 1 are apt to game the system, assuming that level 5
    systems are programmed not to hit them, so they can ignore them.) Among the
    many RISKS this presupposes is the difficulty of knowing what level of
    automation a car is using.

    (Caveat: I do research for numerous automobile companies on several
    continents; however, none of them have been asked to review this email.)

    Don Norman, Prof. and Director, DesignLab, UC San Diego

    ------------------------------

    Date: Sun, 2 Dec 2018 22:44:59 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Israeli Software Helped Saudis Spy on Khashoggi, Lawsuit Says (NYT)

    https://www.nytimes.com/2018/12/02/world/middleeast/saudi-khashoggi-spyware-israel.html

    A Saudi dissident based in Canada claims the Saudi government planted
    spyware in his phone to eavesdrop on his talks with Jamal Khashoggi.

    ------------------------------

    Date: Sun, 2 Dec 2018 11:12:59 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Sec. Def. Mattis: Putin tried to "muck around" with U.S. midterms
    (The Hill)

    The Hill quotes Secretary of Defense Mattis that the Russians tried to "muck
    around" the U.S. midterm elections.

    https://thehill.com/policy/international/419282-mattis-russia-interfered-in-2018-midterms

    Mattis: Russia tried to interfere in 2018 midterms
    John Bowden, 1 Dec 2018

    Defense Secretary James Mattis said Saturday that Russian operatives
    attempted to interfere in the 2018 midterm elections, apparently confirming
    for the first time that Moscow attempted to meddle in last month's
    elections.

    Mattis spoke of the relationship between the Trump administration and
    Russian President Vladimir Putin during an interview Saturday at the Ronald
    Reagan Presidential Library in California.

    "There is no doubt the relationship has worsened. He tried again to muck
    around in our elections this last month," Mattis said. "We are seeing a
    continued effort around those lines."

    ------------------------------

    Date: Sun, 2 Dec 2018 01:44:59 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: How Trump, ISIS, and Russia have mastered the Internet as a weapon

    Peter Singer and Emerson Brooking explore how harmless apps become an
    arsenal of war.
    https://www.washingtonpost.com/outlook/how-trump-isis-and-russia-have-mastered-the-internet-as-a-weapon/2018/11/29/5a6e44c8-c58e-11e8-9b1c-a90f1daae309_story.html

    ------------------------------

    Date: Sun, 2 Dec 2018 01:44:21 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: How creative foreign hackers crack into a vulnerable U.S.
    (John P. Carlin)

    John P. Carlin details the many destructive incursions into U.S. networks.

    https://www.washingtonpost.com/outlook/how-creative-foreign-hackers-crack-into-a-vulnerable-us/2018/11/29/053ecca2-f126-11e8-bc79-68604ed88993_story.html

    ------------------------------

    Date: Thu, 29 Nov 2018 09:38:33 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: After a Hiatus, China Accelerates Cyberspying Efforts to Obtain
    U.S. Technology

    https://www.nytimes.com/2018/11/29/us/politics/china-trump-cyberespionage.html

    China’s practice of breaking into American computers has become a core
    grievance of the Trump administration as leaders of the two nations prepare
    to meet.

    ------------------------------

    Date: Thu, 29 Nov 2018 02:23:22 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Justice Department charges Iranians with hacking attacks on
    U.S. cities, companies (WashPost)

    According to a newly unsealed indictment, the targets included the cities of
    Atlanta and Newark and the port of San Diego.

    https://www.washingtonpost.com/world/national-security/justice-dept-charges-iranian-hackers-with-attacks-on-us-cities-companies/2018/11/28/cad313d0-f29b-11e8-80d0-f7e1948d55f4_story.html

    ------------------------------

    Date: Sun, 2 Dec 2018 22:56:27 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Deputy AG Rod Rosenstein Is Still Calling for an Encryption
    Backdoor (WiReD)

    Tension has existed for decades between law enforcement and privacy
    advocates over data encryption. The United States government has
    consistently lobbied for the creation of so-called backdoors in encryption
    schemes that would give law enforcement a way in to otherwise unreadable
    data. Meanwhile, cryptographers have universally decried the notion as
    unworkable. But at a cybercrime symposium at the Georgetown University Law
    School on Thursday, deputy attorney general Rod Rosenstein renewed the call.

    "Some technology experts castigate colleagues who engage with law
    enforcement to address encryption and similar challenges," Rosenstein
    said. "Just because people are quick to criticize you does not mean that you
    are doing the wrong thing. Take it from me."

    https://www.wired.com/story/rod-rosenstein-encryption-backdoor/

    [The UK and Australians are still barking up this tree, although one of
    them has a caveat that suggests they don't want to weaken the protection.
    Considering that no systems are adequately secure in the first place, the
    Keys Under Doormats report still gets to the heart of the matter. There
    is really no such thing as a sufficiently secure backdoor that can be used
    *only* by the supposed "good guys".
    https://dspace.mit.edu/handle/1721.1/97690 PGN]

    ------------------------------

    Date: Wed, 28 Nov 2018 17:14:44 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: DriveSavers claims it can break into any locked iPhone (The Verge)

    https://www.theverge.com/2018/11/27/18115176/drivesavers-locked-iphone-break-in-unlock

    ------------------------------

    Date: Mon, 3 Dec 2018 15:11:20 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Risks of Airport Wi-Fi (LATimes)

    [From Geoff Goodfellow]

    Here's what you can do to stop cyber criminals

    *Airport Wi-Fi can be a security nightmare. Here's what you can do to stop
    cyber criminals*

    https://www.latimes.com/travel/la-tr-spot-cyber-security-threats-20181202-story.html

    You may find an evil twin out there -- not your own but one that still can
    do great harm. That nasty double often awaits you at your airport, ready to
    attack when you least expect it.

    That's just one of the findings in a report that assesses the vulnerability
    of airport Wi-Fi, done not to bust the airports' chops, but to make airports
    and travelers aware of the problems they could encounter.

    Of the 45 airports reviewed, the report by Coronet said, two we might use
    could pose a special risk: San Diego and Orange County's John Wayne, which
    rated No. 1 and No. 2, respectively, on the ``Top 10 Most Vulnerable
    Airports.''

    Airports, said Dror Liwer, chief security officer for Coronet, a
    cyber-security firm, are a fertile field because there's a concentration of
    ``high-value assets,'' which include business travelers who may unwittingly
    open themselves up to an attack, he said.

    That's where the evil twin comes in. Let's say you're sitting in an airport
    lounge or maybe right outside the lounge. You see a Wi-Fi network that says,
    ``FreeAirportWiFi.'' Great, you think. Most airports do have free
    Wi-Fi. They may make you watch a couple of commercials (or you may pay a bit
    to skip those), but otherwise, the connectivity is there for you. ``I
    always say that in the balance between convenience and security, convenience
    always wins,'' Liwer said.

    And you lose. Because if you take the bait and log in, that evil twin
    posing as the airport Wi-Fi then has access to your closely held secrets.

    In some cases, Liwer said, the person creating this trap may be sitting next
    to you, which means the signal is strong and attractive. It takes only some
    inexpensive equipment and know-how for a thief to succeed, and presto,
    you're in the cyber-security soup.

    ``Most attackers are trying to get your credentials, and if they have those,
    they have the keys to the kingdom. If I know your password, I own your
    life.''

    Chilling.

    It is as sinister as it sounds, Liwer said. For thieves, it's a business,
    he said. ``What they are looking for is something that will make them
    money.''

    What makes it worse: You're getting on a plane and won't be checking your
    bank balance any time soon.

    The sites that will do you harm are hard to detect with the naked,
    inexperienced eye. How do you protect yourself? Here are ways to keep your
    data safe, with help from Liwer; Vyas Sekar, an assistant professor of
    electrical and computer engineering at Carnegie Mellon's College of
    Engineering; Jake Lehmann, managing director of Friedman CyZen, a
    cyber-security consulting service; and Michael Tanenbaum, executive vice
    president North America cyber practice for Chubb Ltd. [...]

    ------------------------------

    Date: Wed, 28 Nov 2018 17:24:43 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: How I changed the law with a GitHub pull request (ArsTechnica)

    https://arstechnica.com/tech-policy/2018/11/how-i-changed-the-law-with-a-github-pull-request

    I wonder if Washington DC's git repository is subject to regular audit
    against an authenticated reference to ensure content integrity to show that
    the revision history aligns with legislative approval/voting processes? Is
    there an off-site hardcopy backup in case github suffers a permanent outage?

    The Federal Register (https://www.archives.gov/federal-register) embodies
    the official publication of Federal Laws, Presidential Documents,
    Administrative Regulations and Notices. When a bill passes the legislative
    processes in both houses, and the President signs it, the law becomes
    enforceable *after* Federal Register publication.

    Technology certainly advances convenience for accessibility: no more treks
    to the library or City Hall to look up zoning ordinances, birth
    certificates, real estate transactions, etc.

    Surreptitious and untraceable modification to regulations or legal guidance
    elevates the risk of civil disruption. Strict revision control oversight is
    essential to create and preserve unrepudiated content integrity.

    Risks: Digital storage reliability issues (see
    https://catless.ncl.ac.uk/Risks/28/52#subj11.1); ex-legislative system of
    record changes (revision log deletion, untraceable provisions inserted or
    exceptions appended, etc.) that revise laws and regulations to suit special
    interests.

    A soft Constitution is easier to revise than a hard one!

    ------------------------------

    Date: Mon, 3 Dec 2018 12:46:49 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: When the Internet Archive Forgets (Gizmodo)

    On the Internet, there are certain institutions we have come to rely on
    daily to keep truth from becoming nebulous or elastic. Not necessarily in
    the way that something stupid like Verrit aspired to, but at least in
    confirming that you aren’t losing your mind, that an old post or article you
    remember reading did, in fact, actually exist. It can be as fleeting as
    using Google Cache to grab a quickly deleted tweet, but it can also be as
    involved as doing a deep dive of a now-dead site’s archive via the Wayback
    Machine. But what happens when an archive becomes less reliable, and
    arguably has legitimate reasons to bow to pressure and remove controversial
    archived material?

    https://gizmodo.com/when-the-internet-archive-forgets-1830462131

    ------------------------------

    Date: Sun, 2 Dec 2018 00:23:57 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Payless prank: Social media influencers thought they were buying
    Palessi (The Washington Post)

    But the prank also points to a reality about the human mind: Consumers are
    not capable of discerning the quality and value of the things they buy, said
    Philip Graves, a consumer behavior consultant from Britain. Slap a
    fancy-sounding European label on $30 shoes, and you have an illusion of
    status that people will pay an exorbitant amount of money for. ...

    After attendees purchased overpriced shoes ― some for $200, $400 and $600 ―
    they were taken toward the backroom, where the prank was revealed. “You’ve
    got to be kidding me,” said the woman who had gushed about the pair of
    floral stiletto heels, her eyes wide as she stared down at the overpriced
    shoes in her hands.

    https://www.washingtonpost.com/business/2018/11/30/they-had-us-fooled-inside-paylesss-elaborate-prank-dupe-people-into-paying-shoes/

    ...but, of course -- could never happen online -- people are too cautious
    and well-informed. Wait, what?

    ------------------------------

    Date: Fri, 30 Nov 2018 14:53:36 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: "Human intelligence is needed." Want to Purge Fake News? Try
    Crowdsourcing (NYTimes)

    *Removing misinformation is too big a job for any single company. Facebook
    and others should enlist users to help.*

    https://www.bloomberg.com/opinion/articles/2018-11-30/facebook-should-enlist-its-users-to-clean-up-fake-news

    EXCERPT:

    A recent New York Times investigation described how Facebook has bungled its
    response to the misinformation that has proliferated on its platform. Chief
    Executive Mark Zuckerberg acknowledged in an interview that the problems his
    company is grappling with ``are not issues that any one company can
    address.'' He's right: The problem of fake news has become too big for any
    social network to address on its own. Instead, the company should call on
    its users for help through crowdsourcing.

    Misinformation is rife on Facebook and other social networks: Russia
    attempted to interfere in the U.S. midterm elections, the Saudis employ
    hundreds of trolls to attack critics, fake activists in Bangladesh have been
    promoting nonexistent U.S. women's marches, to sell merchandise, there was a
    huge disinformation campaign during last month's general election in Brazil,
    and fake news has triggered episodes of violence in countries including
    India, Myanmar and Germany.

    Facebook has created a War Room, where staffers try to identify
    misinformation, but they're clearly outnumbered and unable to keep up with
    fake news from the platform. Part of the problem is the team is relying on
    artificial intelligence, but, as experts recently explained in *The Times*,
    keywords often can't effectively identify misinformation. Human intelligence
    is needed. To combat fake news, Facebook needs to ask the public for help
    identifying false reporting.

    The best way to handle a project too large for any one organization is to
    ask lots of volunteers to help. That's how the Oxford English Dictionary was
    created: The editors asked members of the public to search the books they
    owned for definitions of particular words and mail in their findings.
    Thousands participated. As James Surowiecki argued in *The Wisdom of Crowds:
    Why the Many Are Smarter Than the Few and How Collective Wisdom Shapes
    Business, Economies, Societies and Nations*, large groups tend to accurately
    answer questions, even if most of the individuals in the group aren't very
    rational or well-informed.

    In this case, Facebook should add buttons that appear prominently below any
    purported news stories posted on its site, asking members of the public to
    weigh in on whether an article is true or false. Of course, some people
    would report news as fake simply because they disagree with it, while others
    might be genuinely duped by false reports. But Facebook has reportedly
    already assigned their users internal reputation scores that would help the
    company discount false or gullible reporters. And the number of flags on a
    truly false story would be expected to rise above the typical number of
    complaints that merely polarizing posts engender. Facebook staff would then
    monitor and investigate in real time any posts that are being
    disproportionately flagged... [...]

    [If you want the huge collection of URLs that I have removed, please go to
    the original. They completely cluttered up our RISKS ASCII READER. PGN]

    ------------------------------

    Date: 1 Dec 2018 14:07:44 -0500
    From: "Bob Frankston" <Bob19...@bobf.frankston.com>
    Subject: U.S. Asks, Are You a Terrorist? Scottish Grandfather Gives Wrong
    Answer (NYTimes)

    https://www.nytimes.com/2018/11/30/world/europe/terrorist-question-scottish-traveler.html

    Putting aside the question of why we ask people if they are terrorists --
    when will we design systems that account for human foibles? It's far too
    easy to click the wrong box, and even worse on touch systems with parallax.
    How much worse will these get with AI systems that can't explain why they
    reach their conclusions?

    [Mark Thorson noticed a similar item at
    http://loweringthebar.net/2018/11/scottish-grandpa-visa.html]

    ------------------------------

    Date: Fri, 30 Nov 2018 23:11:09 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: AI thinks like a corporation -- and that's worrying
    (The Economist)

    https://www.economist.com/open-future/2018/11/26/ai-thinks-like-a-corporation-and-thats-worrying

    'David Runciman, a political scientist at the University of Cambridge, has
    argued that to understand AI, we must first understand how it operates
    within the capitalist system in which it is embedded. "Corporations are
    another form of artificial thinking-machine in that they are designed to be
    capable of taking decisions for themselves," he explains.

    '"Many of the fears that people now have about the coming age of intelligent
    robots are the same ones they have had about corporations for hundreds of
    years," says Mr Runciman. The worry is, these are systems we "never really
    learned how to control."

    'After the 2010 BP oil spill, for example, which killed 11 people and
    devastated the Gulf of Mexico, no one went to jail. The threat that Mr
    Runciman cautions against is that AI techniques, like playbooks for escaping
    corporate liability, will be used with impunity.

    'Today, pioneering researchers such as Julia Angwin, Virginia Eubanks and
    Cathy O'Neil reveal how various algorithmic systems calcify oppression,
    erode human dignity and undermine basic democratic mechanisms like
    accountability when engineered irresponsibly. Harm need not be deliberate;
    biased data-sets used to train predictive models also wreak havoc. It may
    be, given the costly labour required to identify and address these harms,
    that something akin to "ethics as a service" will emerge as a new cottage
    industry. Ms O'Neil, for example, now runs her own service that audits
    algorithms.'

    Risk: Ethics as a service (EAAS) platforms evolve into profit-seeking
    services via corporate acquisition.

    EAAS, given sufficient public trust and independent reputation, might serve
    to police corporate entities that illegally capture profit by intentionally
    exploiting biased data-sets. EAAS can become an autonomous public
    arbitration service if proven bias-free.

    Data-set bias is a long-standing issue that challenges AI deployment for
    profit or specific purpose. Prior technology deployments that hinged on bias
    were clumsy, led by carbon, and relatively easy to detect given the volume
    of affected subjects: (a) home loans (BofA redlining in Detroit),

    http://www.michiganradio.org/post/data-analysis-modern-day-redlining-happening-detroit-and-lansing

    (b) Wells Fargo's phony account creation
    (https://catless.ncl.ac.uk/Risks/29/76%23subj9.1)
    illustrate two examples.

    Note that
    https://catless.ncl.ac.uk/Risks/16/41%23subj9.2
    discusses credit redlining from neural networks in 1994.

    How best to excise data-set bias? How to quickly test and detect AI platform
    bias before go-live? Can EAAS reliably detect and characterize data set bias
    or an algorithm's bias via access to a commercial website or service (say
    amazon.com or ebay.com) using fictitious, but random and bias-free customer
    profiles and input data?

    To become a trusted arbiter, an EAAS must be demonstrated to be optimally
    unbiased to serve as a bias detection reference standard. How does one
    create an optimally unbiased baseline standard? A bias-free algorithm
    oracle, the equivalent of a standard kilogram, volt, or second is needed for
    reference comparison.

    It appears that to end data bias, and demonstrate bias-free AI capabilities,
    true random data generation capability is required. This requirement has
    been a long-standing challenge for cryptography and other fields.

    See "Spooky Action" by Ronald Hanson and Krister Shalm, Scientific American,
    DEC2018 on mechanisms to generate seed-free, true random numbers using
    quantum entangled tests of Bell's Inequality.

    ------------------------------

    Date: Thu, 29 Nov 2018 02:22:44 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Chinese genomics scientist defends his gene-editing research in
    first public appearance (Re: RISKS-30.93)

    He Jiankui says he is “proud” that his work on genetically altering babies
    could help save lives.

    https://www.washingtonpost.com/world/chinese-genomics-scientist-defends-his-gene-editing-research-in-first-public-appearance/2018/11/28/b99b5eba-f2e1-11e8-9240-e8028a62c722_story.html

    ------------------------------

    Date: Mon, 26 Nov 2018 16:32:28 -0800
    From: Mark Thorson <e...@dialup4less.com>
    Subject: Be careful how you make DMCA complaints (The Register)

    There's a right way and a wrong way.
    This is an example of the latter.

    https://www.theregister.co.uk/2018/10/19/google_fake_court_orders/

    ------------------------------

    Date: Tue, 27 Nov 2018 13:16:51 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: How long fumbling with cellphone before monkeys close in?

    THERE I (RISKS reader) WAS, fumbling with my cellphone, as the monkeys
    got closer and closer.

    I was poking around a trail in the westernmost part of Heping District,
    Taichung, Taiwan, when I encountered a group of 30 macaques in the bamboos.

    I thought it might be cool to record their grunts, but for some reason I
    couldn't find the Sound Recorder app in the Launcher of my cellphone.

    As they had come down from the bamboos and were inching closer and closer,
    now at about 10 meters from me, I waved my orange folding saw at them while
    making some firm sounds, thinking it would buy me some more time to find the
    app.

    But they only retreated about a meter. OK, I finally found the app and
    recorded three minutes before having had enough (they were now in a
    semicircle around me. Me in the meadow, they in the bushes, at seven meters,
    still inching closer...)

    Never letting them know that we humans (merely twice their size) were
    actually scared of them (30 / 2 = 15 humans), I closed my cellphone and
    retreated with dignity. Phew.

    ------------------------------

    Date: Tue, 27 Nov 2018 21:32:40 +0000
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Chinese businesswoman accused of jaywalking after AI camera spots her
    face on an advert

    *The Telegraph*, 25 Nov 2018
    https://www.telegraph.co.uk/technology/2018/11/25/chinese-businesswoman-accused-jaywalking-ai-camera-spots-face/

    Chinese police have admitted to wrongly shaming a famous businesswoman after
    a facial recognition system designed to catch jaywalkers mistook an advert
    on the side of a bus for her actual face.

    ["Big Brother is always watching you..."]

    ------------------------------

    Date: Tue, 27 Nov 2018 21:32:40 +0000
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: EU data rules have not stopped spam emails, Nesta survey finds
    (The Telegraph)

    https://www.telegraph.co.uk/technology/2018/11/24/eu-data-rules-have-not-stopped-spam-emails-nesta-survey-finds/

    Hannah Boland, *The Telegraph*, 24 Nov 2018

    More than half of Brits think European data regulations have not given them
    more control over how many junk emails they receive, with one in five saying
    they are getting more spam since General Data Protection Rules were brought
    in. GDPR was rolled out earlier this year as a set of standards for how
    companies could gather and use people's data.

    Many had hoped the rules, which came into effect across the EU on May 25,
    would bring an end to junk emails, as consumers would have to opt in to
    receiving marketing emails from companies, whereas previously many
    businesses had only given people the option to opt-out.

    [I'd always understood that most junk e-mail comes from fake addresses in
    other parts of the world, i.e., difficult to trace and outside EU (or US or
    wherever) jurisdiction, so regulations wouldn't really help.]

    ------------------------------

    Date: Mon, 3 Dec 2018 09:08:47 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Re: The Cleaners' Looks At Who Cleans Up The Internet's
    Toxic Content (Douglass/NPR.org, Risks-30.93)

    Toby -- By posting that objectionable quote, I intended to elevate attention
    to employee hardship, and promote occupational sympathy.

    The ghastly imagery mentioned by the content reviewer graphically resonates.
    The Cleaners' immersive work environment is fraught with severe psychological
    consequences.

    Social media services are free to the consumer, but a severe emotional price
    is exacted on the employees who attempt to scrub it free of divisive and
    horrifying content. Employees experience significant trauma from repeat and
    continuous exposure to depraved and inhumane, nihilistic images. Their
    effort helps sustain a service and brand that might otherwise drown from
    digital content pollution without deliberate intervention.

    Employment laws and occupational health and safety rules in the EU and North
    America prohibit exposure to toxic content in the workplace. I do not know
    if Philippine employment law stipulates mandatory psychological service
    assignment in this workplace scenario. Are these employees subsidized to
    engage in group therapy to help combat and diminish the emotional toll they
    experience? That 'Internet Cleaning' roles are sourced to a location where
    strict workplace employment rules are either poorly enforced or overly
    tolerant is not surprising.

    Corporations are well known for their regulatory arbitrage practices, and
    have become especially adept at their exploitation to dispose of toxic
    substances: lead, plastic, toxic waste, and now, the objectionable digital
    content which threatens a brand's very existence.

    ------------------------------

    Date: Mon, 3 Dec 2018 11:45:38 +0200
    From: Toby Douglass <ri...@winterflaw.net>
    Subject: Re: Constructive software engineering?

    I may be completely wrong, but I think this is an information problem, and
    it is the problem identified by Hayek, namely, the more information is
    processed, and the further it moves from its origin, the more misleading the
    information is, and the more the interests of the person who will act upon
    that information deviate from the interests of those who experience the
    consequences of their action.

    This problem is inherent and it would appear unavoidable within hierarchical
    management structures, such as companies.

    A company can be imagined as an information pyramid.

    At the base are the ordinary workers, who generate information.

    As we climb the pyramid, we ascend ever less populous layers of management,
    with ever more executive power.

    Inherently, each layer being more populated than that above generates more
    information than the layer above can handle. Information is necessarily
    then aggregated on the way up - so we have a team of software developers,
    who report to their team lead, who reports to his lead, and so on.

    Aggregation qualitatively changes the meaning of information.

    Additionally, bad news never travels more than one layer up the pyramid, to
    a significant extent from human factors. How do you tell your boss' boss
    that he's incompetent and making not just wrong, but profoundly wrong
    decisions? You do not.

    In fact, of course, said boss is an intelligent and sensible man, who given
    the qualitatively distorted information he receives, and given the entirely
    different set of incentives placed upon him, makes decisions that are for him
    in his position absolutely rational and correct.

    He is competent, but he is effectively incompetent by the structure he is
    placed within.

    We then must also factor in the law of unintended consequences, which makes
    a mockery anyway of all high-level decisions imposed upon complex structures
    or organizations.

    The hierarchy is invested with executive power, and so there is nothing or
    almost nothing those lower down the pyramid can do about this.

    In all things, there are factors which encourage, and there are factors
    which discourage, and in the end, you get what you get.

    In my experience, only very small companies are efficient and effective in
    their decision making. This is then, in larger companies, a significant
    factor discouraging success. Such companies however have other factors,
    which encourage success, and so they often do well for long periods.

    What's needed really is a different form of company.

    I suspect they may already exist, it's just they are not common knowledge.
    You can only have a form of governance that is understood by those who are
    governed by it.

    ------------------------------

    Date: Thu, 29 Nov 2018 17:56:57 -0500
    From: Phil Smith III <phs3...@cox.net>
    Subject: Re: EMV card fraud statistics (Goldberg, RISKS-30.91)

    David Alexander wrote, in part:
    >I would just like to point out that, just because a card is EMV enabled, it
    >does not mean it cannot be attacked by other means such as compromising the
    >POS device.

    David's statement is true, but is worthy of expansion. The POS device may or
    may not be the terminal, which is the little box where you swipe the
    card. The POS may be the actual cash register. In cases like the Target
    hack, the POS was what was compromised, not the terminal.

    In any case, EMV says nothing about encryption: the card information is NOT
    encrypted between the terminal and the POS, nor between the POS and the
    processor, unless something else does so.

    All EMV protects against is cloned magstripe cards made using stolen
    magstripe data (since the CVV on the magstripe does not match the CVV
    printed on the card, you can't even clone a magstripe card using a picture
    of a card).

    Furthermore, fraud has, as expected, shifted from card-present to
    card-not-present since EMV was introduced in the U.S., as it has in every
    other market.

    Was EMV introduction a failure? No, it did what the issuers wanted it to do:
    - calmed down consumers
    - let them shift liability to the merchants

    Did it reduce fraud? Not so much.
    Was it expected to? Not so much.

    A better way to reduce fraud is to encrypt the data in the terminal, so a
    compromised POS is unable to exfiltrate useful data. There are products that
    provide this. The POS is relatively immune from compromise, since it's a
    relatively dumb device and usually needs physical access for update. Of
    course that happens too, but it's typically on a smaller scale (skimmers,
    for example).
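
The split the message draws between EMV (which authenticates the card) and encryption of the card data on the terminal-to-POS-to-processor path can be seen in a small model. The Go program below is an added example, not code from the original post or from any payment vendor; the key handling, the message layout and the "compromised POS" are constructed assumptions. It pushes the same card read through a register that logs everything passing through it, once with the card data in the clear (EMV alone) and once sealed by the terminal with AES-GCM, and reports what the register malware captured in each case and whether the processor could still recover the data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed model of the payment path described in the message:
// terminal (card reader) -> POS (cash register) -> processor.
// Key names, payload layout and the "compromised POS" are illustrative
// assumptions, not any vendor's point-to-point encryption product.

// sampleCardData is a constructed track-style record; 4111... is a test PAN.
var sampleCardData = []byte("PAN=4111111111111111;EXP=2512;NAME=TEST CARDHOLDER")

// The terminal and the processor share an AES-256 key; the POS never holds it.
// Constructed fixed key for the example (real deployments inject keys via an HSM).
var sharedKey = bytes.Repeat([]byte{0x42}, 32)

// readCardPlaintext models EMV without added encryption: the card data
// leaves the terminal in the clear.
func readCardPlaintext(card []byte) []byte {
	return append([]byte(nil), card...)
}

// readCardEncrypted models an encrypting terminal: AES-GCM seals the card
// data (confidentiality and integrity) before it reaches the POS.
func readCardEncrypted(key, card []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The nonce is prepended so the processor can recover it.
	return gcm.Seal(nonce, nonce, card, nil), nil
}

// compromisedPOS models register malware of the kind the message mentions:
// it copies whatever passes through and forwards it unchanged.
func compromisedPOS(payload []byte) (captured []byte, forwarded []byte) {
	captured = append([]byte(nil), payload...)
	return captured, payload
}

// panExposed reports whether a captured payload still contains the PAN.
func panExposed(captured []byte) bool {
	return bytes.Contains(captured, []byte("PAN=4111111111111111"))
}

// processorOpen is the only party besides the terminal holding the key.
// GCM's tag check makes any modification by the POS fail here.
func processorOpen(key, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("payload too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

// runTransaction sends one card read through the POS to the processor and
// reports whether the POS could see the PAN and whether the processor got it.
func runTransaction(encrypting bool) (posSawPAN bool, processorGotCard bool, err error) {
	var fromTerminal []byte
	if encrypting {
		if fromTerminal, err = readCardEncrypted(sharedKey, sampleCardData); err != nil {
			return false, false, err
		}
	} else {
		fromTerminal = readCardPlaintext(sampleCardData)
	}
	captured, forwarded := compromisedPOS(fromTerminal)
	posSawPAN = panExposed(captured)

	atProcessor := forwarded
	if encrypting {
		if atProcessor, err = processorOpen(sharedKey, forwarded); err != nil {
			return posSawPAN, false, err
		}
	}
	return posSawPAN, bytes.Equal(atProcessor, sampleCardData), nil
}

func main() {
	for _, enc := range []bool{false, true} {
		posSaw, procGot, err := runTransaction(enc)
		fmt.Printf("encrypting terminal=%v: POS malware saw PAN=%v, processor recovered card data=%v, err=%v\n",
			enc, posSaw, procGot, err)
	}
}
```

The model also shows the limit the message hints at: the terminal itself remains the trust boundary, so a skimmer or tampered reader sits before the encryption and is not addressed by it.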

    ------------------------------

    Date: Mon, 3 Dec 2018 10:13:48 -0800
    From: Rex Sanders <rsan...@usgs.gov>
    Subject: Re: GMail's spam filter is getting vicious?

    Not only is GMail's spam filter vicious, it doesn't learn from mistakes.

    GMail has tagged Risks Digest as spam dozens of times over the last few
    years. Just as many times, I've told GMail it's not spam.

    Of course, the Digest with Rob Slade's complaint was tagged as spam.

    I'm glad Google gave their spam filters a sense of irony. Wish they'd work
    on the other problems now.

    [Rob Slade comments: Maybe this is caused by using the name "Rob", the
    spam filter might think it has something to do with robbery... RS]
    [In which case this issue will be spam-filtered as well. PGN]

    [Toby Douglass added: I have had this problem for a few years. Filtering
    is variable, over periods on the order of months. Sometimes for a while
    emails will get through. Other times, silence - all going to spam, or, I
    speculate, sometimes not being delivered at all. Linus Torvalds once
    complained about a 30% false positive rate for Gmail on the Linux kernel
    mailing list. TD]

    ------------------------------

    Date: Fri, 30 Nov 2018 12:58:47 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Inside the futuristic restaurant where a robot has replaced
    the bartender (WashPost)

    https://www.washingtonpost.com/technology/2018/11/29/inside-futuristic-restaurant-where-robot-has-replaced-bartender

    Risk: Commiserating with a robot bartender after a tough day at work is bad
    for mental health.

    ------------------------------

    Date: Sun, 2 Dec 2018 14:23:04 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: A QA engineer walks into a bar...

    [A friend forwarded this:]

    A QA engineer walks into a bar.
    Orders a beer.
    Orders 0 beers.
    Orders 99999999999 beers.
    Orders a lizard.
    Orders -1 beers.
    Orders a ueicbksjdhd.

    First real customer walks in and asks where the bathroom is.
    The bar bursts into flames, killing everyone.

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.94
    ************************
     
  8. LakeGator

    Risks Digest 30.95

    RISKS List Owner

    Dec 8, 2018 1:48 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 8 December 2018 Volume 30 : Issue 95

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/30.95>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Deadly Soul of a New Machine: Bots, AI, and Algorithms (Timothy Egan)
    How to train an AI (Mark Thorson)
    Texas straight-ticket voters report ballot concerns
    (Austin American Statesman)
    O2 outage: more than 30m mobile customers unable to get online
    (The Guardian et al.)
    Homeland Security Will Let Computers Predict Who Might Be a Terrorist
    on Your Plane -- Just Don't Ask How It Works (The Intercept)
    A Dark Consensus About Screens and Kids Begins to Emerge in Silicon Valley
    (NYTimes)
    Rudy Giuliani Says Twitter Sabotaged His Tweet. Actually, He Did It
    Himself. (NYTimes)
    Teen electrocuted while using headphones on plugged-in mobile phone
    (yahoo.com)
    Auto theft on the rise in Toronto area, and a security expert thinks he
    knows why (CBC News)
    Starbucks and passwords ... (Rob Slade)
    New Attack Could Make Website Security Captchas Obsolete (ACM Tech News)
    Teachers Say There's a Disconnect in Computer Science Education
    (Tina Nazerian)
    Banks Adopt Military-Style Tactics to Fight Cybercrime (NYTimes)
    The backdrop of Jamal Khashoggi's killing: A chilling cyberwar (WashPost)
    Re: EU data rules have not stopped spam emails (DJC)
    Re: "Human intelligence is needed." Want to Purge Fake News?
    Try Crowdsourcing (Tom Russ)
    Re: Risks of Airport Wi-Fi (Jay Libove)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 8 Dec 2018 10:09:43 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Deadly Soul of a New Machine: Bots, AI, and Algorithms
    (Timothy Egan)

    Timothy Egan, *The New York Times*, 8 Dec 2018,
    op-ed below the main editorial

    At what point is control lost and the creations take over?
    How about now?

    This mentions the Lion Air Flight 610, where the pilots did not realize
    that what they needed to do was to disable the autopilot. It concludes:

    As haunting as those final moments inside the cockpit of Flight 610 were,
    it's equally haunting to grasp the full meaning of what happened. The
    system overrode the humans and killed everyone. Our invention. Our
    folly.

    ------------------------------

    Date: Wed, 5 Dec 2018 16:46:05 -0800
    From: Mark Thorson <e...@dialup4less.com>
    Subject: How to train an AI

    The obvious solution is a training signal.

    http://www.smbc-comics.com/comics/1543932715-20181204.png

    ------------------------------

    Date: Sat, 27 Oct 2018 08:07:15 -0500
    From: Arthur Flatau <fla...@acm.org>
    Subject: Texas straight-ticket voters report ballot concerns
    (Austin American Statesman)

    The idea that hitting a button or other control while a screen is
    rendering is a user error is astounding. If the machine incorrectly
    interprets user input, it is a bug, plain and simple.

    Amid scattered complaints by straight-ticket early voters of both parties
    that their ballots did not, at first, correctly record their choice of
    either Democrat Beto O'Rourke or Republican Ted Cruz for U.S. Senate, state
    and local election officials are cautioning voters to take their time in
    voting and check the review screen for accuracy before casting ballots.

    The elections officials say the problems resulted from user error in voting
    on the Hart eSlate machines widely used in Texas -- including in Travis,
    Hays and Comal counties -- and are not the result of a machine glitch or
    malfunction.

    ``The Hart eSlate machines are not malfunctioning,'' said Sam Taylor,
    communications director for the Texas secretary of state's office. ``The
    problems being reported are a result of user error -- usually voters hitting
    a button or using the selection wheel before the screen is finished
    rendering.''

    Taylor said the office is aware of a handful of complaints and that the
    voters were able to correct their ballots before casting their votes.

    https://www.statesman.com/news/20181026/texas-straight-ticket-voters-report-ballot-concerns

    ------------------------------

    Date: Fri, 7 Dec 2018 21:13:07 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: O2 outage: more than 30m mobile customers unable to get online
    (The Guardian et al.)

    Users of Tesco Mobile and Sky Mobile also hit as O2 blames supplier’s
    software glitch
    https://www.theguardian.com/business/2018/dec/06/o2-customers-unable-to-get-online

    O2 announces goodwill gestures after millions hit by data outage
    Provider repeats apology for customers’ loss of connection and offers
    compensation.
    https://www.theguardian.com/business/2018/dec/07/o2-services-restored-after-millions-hit-by-data-outage

    Ericsson apologises for O2 network outage
    The data network crash, which affected millions of people worldwide, was
    caused by an expired software certificate.
    https://www.computing.co.uk/ctg/news/3067847/ericsson-apologises-for-o2-network-outage

    Update on software issue impacting certain customers
    https://www.ericsson.com/en/press-releases/2018/12/update-on-software-issue-impacting-certain-customers

    SoftBank Apology for Mobile Communication Service Troubles
    https://www.softbank.jp/en/corp/group/sbm/news/press/2018/20181206_02/

    ------------------------------

    Date: Wed, 5 Dec 2018 15:30:49 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Homeland Security Will Let Computers Predict Who Might Be a
    Terrorist on Your Plane -- Just Don't Ask How It Works (The Intercept)

    https://theintercept.com/2018/12/03/air-travel-surveillance-homeland-security/

    Among the data items the DHS's GTAS (Global Travel Assessment System) will
    consume when augmented by Virginia-based DataRobot's stack are:

    "...the software's predictions must be able to function 'solely' using data
    gleaned from ticket records and demographics -- criteria like origin
    airport, name, birthday, gender, and citizenship. The software can also draw
    from slightly more complex inputs, like the name of the associated travel
    agent, seat number, credit card information, and broader travel itinerary."

    "If you ask DHS, this is a categorical win-win for all parties involved.
    Foreign governments are able to enjoy a higher standard of security
    screening; the United States gains some measure of confidence about the
    millions of foreigners who enter the country each year; and passengers can
    drink their complimentary beverage knowing that the person next to them
    wasn't flagged as a terrorist by DataRobot's algorithm. But watchlists,
    among the most notorious features of post-9/11 national security mania, are
    of questionable efficacy and dubious legality. A 2014 report by The
    Intercept pegged the U.S. Terrorist Screening Database, an FBI data set from
    which the no-fly list is excerpted, at roughly 680,000 entries, including
    some 280,000 individuals with 'no recognized terrorist group affiliation.'"

    Risk: Security by obscurity.

    What historical data, beyond watch list name match, will tip the algorithm
    into flagging a ticketed passenger for a pre-board interrogation? Perhaps a
    preference for pretzels over peanuts?

    ------------------------------

    Date: Mon, 29 Oct 2018 21:53:57 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: A Dark Consensus About Screens and Kids Begins to Emerge in
    Silicon Valley (NYTimes)

    https://www.nytimes.com/2018/10/26/style/phones-children-silicon-valley.html

    Mental illness traced to wireless mobile device (WMD) addiction has a label:
    The 'iDisorder.' See a book review:
    https://www.nytimes.com/2012/05/13/business/in-idisorder-a-look-at-mobile-device-addiction-review.html

    Excessive mobile device usage, induced by applications that easily
    captivate, is unhealthy. Children are especially susceptible to overuse.
    While there's no equivalent to the US Surgeon General's "Smoking causes
    cancer" warning, strictly enforced mobile device access restrictions for
    adolescents constitute wise parental guidance.

    The National Institutes for Health archives several studies on the
    physiological effects arising from excessive mobile device usage.

    "The Potential Impact of Internet and Mobile Use on Headache and Other
    Somatic Symptoms in Adolescence. A Population-Based Cross-Sectional Study"
    published JUL2016 at https://www.ncbi.nlm.nih.gov/pubmed/27255862.

    "Conclusion: Results highlighted the potential impact of excessive internet
    and mobile use, which ranges from different types of headache to other
    somatic symptoms. Further studies are needed to confirm these findings and
    to determine if there is a need for promoting preventive health
    interventions, especially in school setting."

    "Evaluation of mobile phone addiction level and sleep quality in university
    students" published JUL-AUG2013 at
    https://www.ncbi.nlm.nih.gov/pmc/articles/PMC3817775/.

    "Conclusion: The sleep quality worsens with increasing addiction level. It
    was concluded that referring the students with suspected addiction to
    advanced healthcare facilities, performing occasional scans for early
    diagnosis and informing the students about controlled mobile phone use would
    be useful."

    ------------------------------

    Date: Thu, 6 Dec 2018 11:51:05 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Rudy Giuliani Says Twitter Sabotaged His Tweet. Actually, He Did It
    Himself. (NYTimes)

    A tweet from Mr. Giuliani now links to an anti-Trump page. The president’s
    lawyer blamed Twitter, but the culprit was his own typo (plus a prankster in
    Atlanta).

    https://www.nytimes.com/2018/12/05/us/politics/rudy-giuliani-twitter-links.html

    Risks? Technology + Giuliani.

    ------------------------------

    Date: Wed, 5 Dec 2018 16:03:11 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Teen electrocuted while using headphones on plugged-in mobile phone
    (yahoo.com)

    https://sg.news.yahoo.com/teen-electrocuted-while-using-headphones-053237666.html

    "Injuries and accidents caused by power surges while mobile phones are
    charging are not uncommon, and by now we should all know a few tips to keep
    us safe while using mobile devices. Namely, try not to use your charging
    phone. Plugged into a wall, the live socket could deliver up to 230 volts of
    electric charge, which could be leaked by a loose cable, or inferior quality
    charger than the one the manufacturer gave you."

    The "stuff that comes out of the wall" in Malaysia is 230 volts @ 50Hz.

    From Brazil, a similar event was reported 20FEB2018 at
    https://www.thesun.co.uk/news/5626441/girl-17-electrocuted-with-headphones-melted-in-her-ears-while-using-her-mobile-that-was-charging/

    ------------------------------

    Date: Wed, 05 Dec 2018 15:33:07 -0500
    From: Jose Maria Mateos <ch...@rinzewind.org>
    Subject: Auto theft on the rise in Toronto area, and a security expert
    thinks he knows why (CBC News)

    https://www.cbc.ca/news/canada/toronto/car-thefts-rising-1.4930890

    According to Bates, many of these thieves are using a method called "relay
    theft." Key fobs are constantly broadcasting a signal that communicates
    with a specific vehicle, he said, and when it comes into a close enough
    range, the vehicle will open and start. "The way that the thieves are
    getting around this is they're essentially amplifying that low power signal
    coming off of the push start fob," he said. "They will prey upon the
    general consensus that most people are leaving their key fobs close to the
    front door of their home and the vehicle will be in the driveway."

    The thief will bring a device close to the home's door, close to where most
    keys are sitting, to boost the fob's signal. They leave another device near
    the vehicle, which receives the signal and opens the car. Many people don't
    realize it, Bates said, but the thieves don't need the fob in the car to
    drive it away.
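
The relay described above works because the fob's reply is cryptographically correct whether it reaches the car directly or through the thieves' two forwarding devices; only its timing changes. The Go model below is an added example, not the article's or any manufacturer's code: the fob, the challenge/response, the latency figures and the round-trip bound the vehicle enforces are all constructed assumptions, used to illustrate why a proximity (timing) check, rather than stronger cryptography, is what addresses this failure mode.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed model of a passive-entry challenge/response. All timings are
// simulated numbers, not measurements; the "relay" is just a function that
// forwards bytes with extra delay. Illustration only.

// fobKey is a constructed shared secret between fob and vehicle (assumption).
var fobKey = []byte("constructed-fob-key")

type fob struct{ key []byte }

// respond is the fob's answer to a challenge: an HMAC over the challenge.
func (f fob) respond(challenge []byte) []byte {
	m := hmac.New(sha256.New, f.key)
	m.Write(challenge)
	return m.Sum(nil)
}

// link models the radio path: it carries the challenge to the fob and
// returns the response together with the simulated round-trip time in ns.
type link func(challenge []byte) (response []byte, rttNanos int)

// directLink: the fob a few metres from the car (constructed RTT of 20 ns).
func directLink(f fob) link {
	return func(c []byte) ([]byte, int) { return f.respond(c), 20 }
}

// relayedLink: the same fob reached through two forwarding devices; each
// hop of receive/re-transmit adds latency (constructed: 1000 ns in total).
// The response bytes are untouched, so they remain valid.
func relayedLink(inner link) link {
	return func(c []byte) ([]byte, int) {
		r, rtt := inner(c)
		return r, rtt + 1000
	}
}

// vehicleUnlock accepts only a correct response that also arrived within
// the round-trip bound; a relayed reply is correct but late.
func vehicleUnlock(key []byte, l link, challenge []byte, maxRTTNanos int) (unlock bool, reason string) {
	resp, rtt := l(challenge)
	expected := fob{key: key}.respond(challenge)
	if !hmac.Equal(resp, expected) {
		return false, "bad response"
	}
	if rtt > maxRTTNanos {
		return false, fmt.Sprintf("response valid but late: %d ns > %d ns", rtt, maxRTTNanos)
	}
	return true, "ok"
}

func main() {
	f := fob{key: fobKey}
	challenge := []byte("constructed-challenge-0001")
	for name, l := range map[string]link{"direct": directLink(f), "relayed": relayedLink(directLink(f))} {
		ok, why := vehicleUnlock(fobKey, l, challenge, 100)
		fmt.Printf("%-8s unlock=%v (%s)\n", name, ok, why)
	}
}
```

With the bound disabled the relayed reply is accepted, which is the situation the article describes; with it enabled the same reply is rejected on timing alone. Real systems need a bound tight enough to reflect radio propagation, which is why this is a hardware and protocol design question rather than a firmware patch.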

    ------------------------------

    Date: Thu, 6 Dec 2018 09:57:45 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: Starbucks and passwords ...

    For me, Starbucks is not the religious experience it is for those who call
    it St. Arbucks. But somebody gave me a Starbucks card, and I thought I'd
    try out their registration and rewards program.

    OK, I'm quitting the Starbucks rewards program. I don't drink enough coffee
    to justify it anyway, but I've got lots of other accounts lying around the
    Net that I just let go dormant. The thing is, I can't use the Starbucks
    system. Literally. I can't sign back in.

    The system refuses to let me use my existing password. It tells me that
    password is invalid. When I try to reset my password, Starbucks sends me
    email with a link. It is some kind of weird formatting, because it won't
    show as a link on that email system, and I have to read the raw message and
    HTML and try to find the link.

    Having found the link, I try to reset and set it to the one I have used when
    I created the account. But the system tells me I can't use it since I've
    used it before. But if I try to log in with it, the system tells me it is
    invalid.

    Starbucks also has one of those huge lists of requirements for passwords.
    It's gotta be mixed case. It's gotta have numbers. It's gotta have
    symbols. It can't have certain symbols. It's gotta have emojis. It's
    gotta have your favourite Star Wars character. (Regardless of whether or
    not you even know what Star Wars is.)

    I suppose I could figure out how to create a password acceptable to their
    system, and hope that the system doesn't forget the new one like it did the
    old one, but, frankly, Starbucks just isn't that important ...

    ------------------------------

    Date: Fri, 7 Dec 2018 11:41:40 -0500
    From: ACM TechNews <technew...@acm.org>
    Subject: New Attack Could Make Website Security Captchas Obsolete

    Lancaster University (12/05/18) via ACM TechNews

    Researchers at Lancaster University in the U.K., Northwest University, and
    Peking University in China have demonstrated a deep learning algorithm that
    could render captcha security and authentication redundant. The algorithm
    solves captchas with substantially greater accuracy than earlier captcha
    attack systems, and successfully cracks captcha versions that defeated
    previous hacks. The system uses a generative adversarial network (GAN),
    educating a captcha generator to produce large numbers of training captchas
    that are indistinguishable from actual captchas. These are employed to
    quickly train a solver, which is tested against real captchas; the algorithm
    only needs 500 genuine captchas, rather than the millions required to train
    a conventional attack program. Lancaster's Zheng Wang said, "Our work shows
    that the security features employed by the current text-based captcha
    schemes are particularly vulnerable under deep learning methods."

    https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d719x2190f8x069241%26

    ------------------------------

    Date: Fri, 7 Dec 2018 11:41:40 -0500
    From: ACM TechNews <technew...@acm.org>
    Subject: Teachers Say There's a Disconnect in Computer Science Education
    (Tina Nazerian)

    Tina Nazerian, EdSurge (CA), 3 Dec 2018, via ACM TechNews

    Eighty-eight percent of teachers said computer science is critical for
    students' success in the workplace, but two in 10 said their students are
    not taught any computer science, according to a survey of 540 K-12 teachers
    in the U.S. that was commissioned by Microsoft. The teachers attributed the
    gap to computer science not being part of their schools' curricula, a lack
    of funding for it, and computer science not being a subject on which
    students are tested. Microsoft's Mark Sparvell said, "Computer science is
    clearly in high demand. Teachers see it as a priority, parents see it as a
    priority from previous research. And yet, it's in low supply." Sheena
    Vaidyanathan, a computer science integration specialist in the Los Altos
    School District in California, said computer science should be part of the
    core U.S. education curriculum, like math and reading, rather than being
    dependent on funding and involvement from tech companies.

    https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d719x2190fex069241%26

    ------------------------------

    Date: Mon, 22 Oct 2018 16:50:22 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Banks Adopt Military-Style Tactics to Fight Cybercrime (NYTimes)

    Like many cybersecurity bunkers, IBM’s foxhole has deliberately theatrical
    touches. Whiteboards and giant monitors fill nearly every wall, with
    graphics that can be manipulated by touch.

    “You can’t have a fusion center unless you have really cool TVs,” quipped
    Lawrence Zelvin, a former Homeland Security official who is now Citigroup's
    global cybersecurity head, at a recent cybercrime conference. “It’s even
    better if they do something when you touch them. It doesn’t matter what
    they do. Just something.”

    Security pros mockingly refer to such eye candy as “pew pew” maps, an
    onomatopoeia for the noise of laser guns in 1980s movies and video
    arcades. They are especially useful, executives concede, to put on display
    when V.I.P.s or board members stop by for a tour. Two popular “pew pew” maps
    are from FireEye and the defunct security vendor Norse, whose video
    game-like maps show laser beams zapping across the globe. Norse went out of
    business two years ago, and no one is sure what data the map is based on,
    but everyone agrees that it looks cool.

    https://www.nytimes.com/2018/05/20/business/banks-cyber-security-military.html

    Of course, a comment on the article has the solution:

    BLOCKCHAIN Software guarantees a valid trail of corrupted files, preserving
    the data. I wonder how long it will be until even that system is
    defeated. What BlockChain software the power is its distributive system,
    meaning that the data is stored in multiple private computers. Whether that
    system meets legal requirements for privacy is another question. But the
    logic is clear: if data is distributed according to a randomizing algorithm,
    that makes it a lot more complicated for intruders to be able to follow data
    and to corrupt the system to a point where it shuts down. Or worse, becomes
    subject to malware that results in ransom or other maneuvers of financial
    plundering. it is, no doubt, the bane of our digital world that the
    vulnerabilities are incomprehensible to the lay person and difficult if not
    impossible for the experts to protect fully. Things may not be at the point
    where investors are advised to purchase gold and hide under a mattress. But
    we may well be headed in that direction.

    ------------------------------

    Date: Fri, 7 Dec 2018 22:19:30 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: The backdrop of Jamal Khashoggi's killing: A chilling cyberwar
    (WashPost)

    Inside the 21st-century battle of ideas waged by the fearful crown prince
    and a conniving courtier.

    https://www.washingtonpost.com/opinions/global-opinions/how-a-chilling-saudi-cyberwar-ensnared-jamal-khashoggi/2018/12/07/f5f048fe-f975-11e8-8c9a-860ce2a8148f_story.html

    ------------------------------

    Date: Tue, 4 Dec 2018 10:12:59 +0100
    From: DJC <d...@resiak.org>
    Subject: Re: EU data rules have not stopped spam emails

    I get spam and phishing mail in English, many different accents of broken
    English, Chinese, Korean, Spanish, Serbian, German, French, and Hungarian;
    and perhaps I've forgotten a couple. The originating systems can be
    anywhere on the net, lately with an unusual concentration of personal
    systems in South America, probably infected, plus lots of Russian systems.

    The GDPR doesn't seem likely to touch this business, and I can't imagine why
    people ever thought it would. The GDPR does, however, impede a nonprofit I
    work with from helping many of our signed-up email recipients actually get
    the mail they want from us.

    You might say it could use more thinking and more work.

    ------------------------------

    Date: Tue, 4 Dec 2018 11:36:27 -0800
    From: Tom Russ <tar...@google.com>
    Subject: Re: "Human intelligence is needed." Want to Purge Fake News?
    Try Crowdsourcing (RISKS-30.94)

    It seems that a major problem with the fake news epidemic has been the use
    of bot networks to promote articles. It seems like any sort of
    crowd-sourcing of news validation will just cause the bad actors to move
    their botnets to the new feedback buttons to swamp the real users in the
    voting process. The "wisdom of the crowd" presumes that you have some
    reasonable sample of people and not an auditorium packed with your paid
    shills.

    ------------------------------

    Date: Tue, 4 Dec 2018 08:48:06 +0000
    From: Jay Libove <lib...@felines.org>
    Subject: Re: Risks of Airport Wi-Fi (RISKS-30.94)

    Responding to Geoff Goodfellow's posting about an LA Times article about the
    risks of airport Wi-Fi, I've never understood why we consider this such a
    high threat. All mobile devices which ever sit outside of very strongly
    secured networks (which is basically all mobile devices) must be their own
    security perimeters. We must assume, and appropriately configure our devices
    to work securely in the case, that the Internet connection is being
    monitored, DNS can be hijacked, and unencrypted data sessions may be
    monitored or even tampered with. On that basis, an airport or coffee shop
    or any other Wi-Fi or 3G mobile or hotel or friend's home or any other
    network at all is no different than computing/networking in the general use
    case. So why do we continue to raise flags about "insecure WiFi" and evil
    twins, rather than push for secure-enough general configurations?

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.95
    ************************
     
  9. LakeGator

    Risks Digest 30.96

    RISKS List Owner

    Dec 12, 2018 8:39 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Wednesday 12 December 2018 Volume 30 : Issue 96

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/30.96>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    A note on submissions to RISKS (PGN)
    The War on Truth Spreads (NYTimes)
    Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee Kids'
    (npr.org)
    Your apps know where you were last night, and they're not keeping
    it secret (NYTimes)
    The 'Weird Events' That Make Machines Hallucinate (Linda Geddes)
    Barclays customers can now 'switch off' spending (bbc.com)
    Ships infected with ransomware, USB malware, worms (Catalin Cimpanu)
    Taylor Swift tracked stalkers with facial recognition tech at her concert
    (The Verge)
    What Happens When You Reply All to 22,000 State Workers[?] (NYTimes)
    U.S. border officers don't always delete collected traveler data
    (Engadget.com)
    Marriott Data Breach Is Traced to Chinese Hackers as U.S. Readies
    Crackdown on Beijing (NYTimes)
    Starwood Hotels (PGN via Mabry Tyson)
    Why I'm done with Chrome / A Few Thoughts on Cryptographic Engineering
    (Cryptography Engineering)
    Screen Time Changes Structure of Kids' Brains: Groundbreaking study
    (Bloomberg)
    Re: Teen electrocuted while using headphones on plugged-in mobile phone
    (Richard M Stein)
    Re: Toronto auto theft ... (Steve Lamont)
    Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Amos Shapir)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 10 Dec 2018 11:11:14 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: A note on submissions to RISKS

    - BEGIN RANT -

    OK, RISKS readers, ``I'm mad as hell, and I'm not going to take it any
    more.'' I'm really fed up with trying to edit what some of you send me,
    trying to produce nice clean readable issues of RISKS, without errors. I'm
    not giving up on putting out RISKS issues, but the time it takes to put out
    each issue has recently been escalating. Please don't bother to complain
    about characters that are garbled. It's wasting your time. I'm not
    perfect.

    From the very early RISKS issues in 1985, I have expressed a desire to
    receive messages with ASCII characters; later on, I made a plea to
    completely avoid attachments in Word, pdf, html, or even encoded ASCII. I
    process RISKS e-mail with an archaic ASCII-happy mail system, because it
    hugely simplifies my ability to delete more than 80% of the incoming mail
    sight unseen (lots of spam), and then trying to cull out and lightly edit
    your *good* contributions. Nevertheless, I still get smart quotes and smart
    apostrophes from Mac users, encodings of spaces as underscores (or some
    weird unprintable character) and equal signs from Windows systems that
    insist on encoding certain ASCII characters as non-ascii characters, rampant
    =E2=80 encodings, long lines split with an equal sign at the end of each
    line, non-ASCII From: addresses (e.g., from Mateo), copies of entire RISKS
    issues as attachments when you are responding to an item in a previous
    issue, the entire ASCII text of your would-be contributions completely
    duplicated in horribly fulsome html, rampant extra junk appended (from
    Richard Stein *), URLs that come out with %3A%2F%2F encodings, and more.
    UTF-8 might help a little, but is primarily useful for attachments that use
    it consistently. Then, for your ease of reading, I try to unscramble overly
    long URLs and verify my attempts at creating shorter ones, and remove all
    the extra cruft created by Office-365-safelinks URL enscramblings that
    evidently offer no real security anyway. Furthermore, I do not have time to
    cope with alternative approaches, such as your putting jpeg files on your
    website for me to view with a browser.

    Perhaps needless to say, I would greatly appreciate if you can spend just a
    few more moments in your submissions to have a little more concern for my
    own well-being. ASCII is ASCII, and emacs is emacs, and I will remain a
    troglodyte in order to continue to moderate RISKS for you. I am sorry that
    I do not readily handle all of your special characters. Clearly, if RISKS
    had to deal with submissions in Cyrillic, Kanji, Farsi, Arabic or whatever,
    I would have to do things very differently -- or simply completely give up
    running a seriously moderated digested newsgroup (where you can create your
    own undigestifier if you prefer). However, if you think you have a better
    solution, please let me know. THANKS in advance for your consideration.

    - END RANT -

    [* Footnote from each of Richard Stein's contributions in this issue:
    MDAwMDAwMCAgIGggICB0ICAgdCAgIHAgICBzICAgOiAgIC8gICAvICAgdyAgIHcgICB3ICAg ...
    ad finitum -- for 77 lines of similar meaningless garbage.
    PGN]

    Let's see who gags on this issue, where I have intentionally left in
    a few outliers.

    ------------------------------

    Date: Mon, 10 Dec 2018 12:33:42 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: The War on Truth Spreads (NYTimes)

    An editorial with the above caption in the 10 Dec 2018 issue of *The New
    York Times* considers systemic incursions on freedom of the news media
    around the world, including the Philippines, Hungary, Saudi Arabia, Turkey,
    China, Russia, and even the U.S. Internet censorship and Internet misuse
    have both played significant roles. In short, we have vastly transcended
    even the horrors of George Orwell's *1984*.

    ------------------------------

    Date: Mon, 10 Dec 2018 10:39:01 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee
    Kids' (npr.org)

    https://www.npr.org/2018/12/09/667155718/annoyed-baltimore-drivers-want-city-to-crack-down-on-squeegee-kids

    How will an autonomous vehicle address a squeegee bum assault? A horn
    toot? Redirection of windshield sprayers?

    ------------------------------

    Date: Mon, 10 Dec 2018 08:55:07 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Your apps know where you were last night, and they're not keeping
    it secret (NYTimes)

    Every moment of every day, mobile phone apps collect detailed location
    data. Data reviewed by The New York Times shows over 235 million locations
    captured from more than 1.2 million unique devices during a three-day period
    in 2017.

    Dozens of companies use smartphone locations to help advertisers and even
    hedge funds. They say it's anonymous, but the data shows how personal it is.

    EXCERPT:

    The millions of dots on the map trace highways, side streets and bike trails
    -- each one following the path of an anonymous cellphone user.

    One path tracks someone from a home outside Newark to a nearby Planned
    Parenthood, remaining there for more than an hour. Another represents a
    person who travels with the mayor of New York during the day and returns to
    Long Island at night.

    Yet another leaves a house in upstate New York at 7 a.m. and travels to a
    middle school 14 miles away, staying until late afternoon each school day.
    Only one person makes that trip: Lisa Magrin, a 46-year-old math teacher.
    Her smartphone goes with her.

    An app on the device gathered her location information, which was then sold
    without her knowledge. It recorded her whereabouts as often as every two
    seconds, according to a database of more than a million phones in the New
    York area that was reviewed by The New York Times. While Ms. Magrin's
    identity was not disclosed in those records, The Times was able to easily
    connect her to that dot...

    [...]
    https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html

    ------------------------------

    Date: Mon, 10 Dec 2018 11:36:58 -0500
    From: ACM TechNews <technew...@acm.org>
    Subject: The 'Weird Events' That Make Machines Hallucinate (Linda Geddes)

    Linda Geddes, BBC News, 5 Dec 2018 via ACM TechNews, 10 Dec 2018

    Computers can be tricked into misidentifying objects and sounds, raising
    issues about the real-world use of artificial intelligence (AI); experts
    call such glitches `adversarial examples' or `weird events'. Said the
    Massachusetts Institute of Technology (MIT)'s Anish Athalye, ``We can think
    of them as inputs that we expect the network to process in one way, but the
    machine does something unexpected upon seeing that input.'' In one
    experiment, Athalye's team slightly modified the texture and coloring of
    certain physical objects to fool machine learning AI into thinking they were
    something else. MIT's Aleksander Madry said the problem may be rooted partly
    in the tendency to engineer machine learning frameworks to optimize their
    performance on average. Neural networks might be fortified against outliers
    by feeding them more challenging examples of whatever scientists are trying
    to teach them.

    https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d7a4x219197x069560%26

    ------------------------------

    Date: Tue, 11 Dec 2018 13:13:05 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Barclays customers can now 'switch off' spending (bbc.com)

    https://www.bbc.com/news/business-46512030

    ``The idea is to help vulnerable customers, particularly problem gamblers, or
    those in serious debt.''

    Cellphones, while generally indispensable for communication purposes, are
    gateway devices that can enable addictive behaviors. A compulsive gambler
    smart enough to configure a cellphone application should recognize that
    professional counseling and therapy are more effective than a voluntary, and
    easily overridden, videogame context configuration setting.

    A flick of the cellphone application switch precludes a bank debit card from
    being used for problematic and harmful purposes at certain `classes' of
    vendors: ``Groceries and supermarkets, restaurants, takeaways, pubs and bars,
    petrol stations, gambling - including websites, betting shops and lottery
    tickets, premium rate websites and phone lines, including TV voting,
    competitions and adult services.''

    Risk: Financial/lifestyle surveillance and profile disclosure via data
    breach or explicit sale.

    That a financial institution, not widely known for their altruism, promotes
    this application implies that an intimate profile of an addict as customer
    arises from consolidated spending patterns. Difficult to assess how this
    business intelligence might be exploited internally, or by a 3rd party if
    terms of service stipulate sale and reuse conditions.

    ------------------------------

    Date: Wed, 12 Dec 2018 11:38:44 -0800
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Ships infected with ransomware, USB malware, worms
    (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day, 12 Dec 2018

    https://www.zdnet.com/article/ships-infected-with-ransomware-usb-malware-worms/

    Ships infected with ransomware, USB malware, worms
    Ships are the victims of cyber-security incidents more often than people
    think. Industry groups publish cyber-security guidelines to address issues.

    selected text:

    For example, the guidelines include the case of a mysterious virus infection
    of the Electronic Chart Display and Information System (ECDIS) that ships
    use for sailing.

    A new-build dry bulk ship was delayed from sailing for several days
    because its ECDIS was infected by a virus. The ship was designed for
    paperless navigation and was not carrying paper charts.

    [No backup!]

    Ships were also impacted by ransomware, sometimes directly, while in other
    incidents the ransomware hit backend systems and servers used by ships
    already in their voyage at sea.

    For example, in an incident detailed in the report, a shipowner reported not
    one, but two ransomware infections, both occurring due to partners, and not
    necessarily because of the ship's crew.

    [And there are other examples given.]

    ------------------------------

    Date: Wed, 12 Dec 2018 15:13:09 -0500
    From: José María Mateos <ch...@rinzewind.org>
    Subject: Taylor Swift tracked stalkers with facial recognition tech at her
    concert (The Verge)

    https://www.theverge.com/2018/12/12/18137984/taylor-swift-facial-recognition-tech-concert-attendees-stalkers

    Taylor Swift held a concert at California's Rose Bowl this past May that was
    monitored by a facial recognition system. The system's target? Hundreds of
    Swift's stalkers.

    Swift's facial recognition system was built into a kiosk that displayed
    highlights of her rehearsals, which would secretly record onlookers' faces.
    According to Rolling Stone, which spoke with a concert security expert who
    observed the kiosk, attendees who looked at the kiosk were immediately scanned.
    Afterward, the data was sent to a `command post' in Nashville, Tennessee that
    attempted to match hundreds of images to a database of her known stalkers.

    José María (Chema) Mateos

    ------------------------------

    Date: Tue, 11 Dec 2018 01:26:32 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: What Happens When You Reply All to 22,000 State Workers[?]
    (NYTimes)

    https://www.nytimes.com/2018/12/10/us/reply-all-utah-state-workers.html

    Reply All, the scourge that has afflicted office workers everywhere, has hit
    22,000 government employees in Utah.

    ------------------------------

    Date: Wed, 12 Dec 2018 16:39:58 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: U.S. border officers don't always delete collected traveler data
    (Engadget.com)

    https://www.engadget.com/2018/12/11/cbp-officers-fail-to-delete-traveler-data

    ``Privacy advocates aren't just concerned about warrantless device searches
    at the border because of the potential for deliberate abuse -- it's that the
    officials might be reckless. And unfortunately, there's evidence this is the
    case in the U.S. Homeland Security's Office of the Inspector General has
    released audit findings showing that Customs and Border Protection (CBP)
    officers didn't properly follow data handling procedures in numerous
    instances, increasing the chances for data leaks and hurting
    accountability.''

    Assembled and maintained by CBP, this honeypot of mobile device contacts,
    photos, downloads, browser history, call logs, and credit card/app profiles
    will likely attract exfiltration attempts.

    A comprehensive repository of personal data that can be correlated against
    many other dark-net sources, and maliciously exploited for profit or
    criminal intent.

    ------------------------------

    Date: Wed, 12 Dec 2018 10:07:20 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Marriott Data Breach Is Traced to Chinese Hackers as U.S. Readies
    Crackdown on Beijing (NYTimes)

    Marriott Data Breach Is Traced to Chinese Hackers as U.S. Readies Crackdown
    on Beijing

    https://www.nytimes.com/2018/12/11/us/politics/trump-china-trade.html

    The Trump administration is expected to indict hackers and roll out import
    restrictions out of concern that Beijing will not easily change its trade,
    cyber[security? privacy? ...] and economic practices.

    ------------------------------

    Date: Wed, 12 Dec 2018 16:19:45 -0800
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Starwood Hotels

    [Thanks to Mabry Tyson.]

    https://web.archive.org/web/20151123153316/http%3A//www.cio-today.com/article/index.php%3Fstory_id%3D112003V3SRQ8

    21 Nov 2015 (a year or so after the initiation of the intrusion currently in
    the news)

    Starwood Hotels and Resorts Worldwide Inc. is the latest known hotel
    target of cyber-attackers. The company on Friday announced that hackers
    had injected malware into point of sale systems at some of its hotels in
    North America.

    That malware ultimately made it possible for unauthorized parties to tap
    into the payment card data of some hotel guests. Starwood, which operates
    brands including Four Points by Sheraton, Aloft, Element, and Westin, now
    joins the *Trump Hotel Collection and the Hilton chain* of hotels on the
    list of hotel data breaches.

    As soon as it discovered the breach, Starwood hired outside forensics
    experts to investigate the depth and breadth of the attack. The result:
    investigators discovered malware installed in the point of sale systems of
    some of its restaurants, gift shops and other systems. *The company said,
    at this time it doesn't appear Starwood's guest reservation or preferred
    guest membership systems were breached.*

    ``Starwood certainly isn't the first company to be affected by point of
    sale malware. The path from discovery to recovery is well-worn at this
    point. In some cases this malware has been present for *more than a
    year.*'' While the incident may seem like a point in time, it's really a
    lengthy campaign of data theft, Erlin said, adding that he's surprised
    that fraudulent activity from stolen card data wasn't discovered sooner.

    Incidentally, a better reference on the 2015 MARRIOTT intrusion (which
    started July 2014, and ended April 2015) is this (which refers to an earlier
    malware incident in 2014):

    https://www.prnewswire.com/news-releases/white-lodging-releases-information-about-data-breach-investigation-at-select-food-and-beverage-outlets-300062065.html

    ------------------------------

    Date: Wed, 12 Dec 2018 02:45:00 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Why I'm done with Chrome / A Few Thoughts on Cryptographic
    Engineering (Cryptography Engineering)

    https://blog.cryptographyengineering.com/2018/09/23/why-im-leaving-chrome/

    ``One argument is that Google already spies on you via cookies and its
    pervasive advertising network and partnerships, so what's the big deal if
    they force your browser into a logged-in state? One individual I respect
    described the Chrome change as `making you wear two name tags instead of
    one'.''

    ------------------------------

    Date: Sun, 9 Dec 2018 16:13:57 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Screen Time Changes Structure of Kids' Brains: Groundbreaking study
    (Bloomberg)

    Smartphones, tablets and video games are physically changing the brains of
    adolescents, early results from an ongoing $300 million study funded by the
    National Institute of Health have shown, according to a report by *60
    Minutes*.

    Scientists will follow more than 11,000 nine- to 10-year-olds for a decade
    to see how childhood experiences impact the brain and affect emotional
    development and mental health. The first bits of data suggest that the
    onslaught of tech screens has been transformative for young people -- and
    maybe not for the better.

    In brain scans of 4,500 children, daily screen usage of more than seven
    hours showed premature thinning of the brain cortex, the outermost layer
    that processes information from the physical world. Though the difference
    was significant from participants who spent less screen time, NIH study
    director Gaya Dowling cautioned against drawing a conclusion. ``We don't
    know if it's being caused by the screen time. We don't know if it's a bad
    thing. It won't be until we follow them over time that we will see if there
    are outcomes that are associated with the differences that we're seeing in
    this single snapshot.'' (according to an advance script)

    Early results from the study, called Adolescent Brain Cognitive Development
    (ABCD), have determined that children who spend more than two hours of
    daily screen time score lower on thinking and language tests. A major data
    release is scheduled for early 2019...

    https://www.bloombergquint.com/onweb/screen-time-changes-structure-of-kids-brains-60-minutes-says
    YOU CAN VIEW the (~13 min) segment here:
    https://www.cbsnews.com/news/groundbreaking-study-examines-effects-of-screen-time-on-kids-60-minutes/58aa54508d65e455307%7C40779d3379c44626b8bf140c4d5e9075%7C1

    ------------------------------

    From: Richard M Stein <rms...@ieee.org>
    Date: Sun, 9 Dec 2018 16:37:24 +0800
    Subject: Re: Teen electrocuted while using headphones on plugged-in mobile
    phone (Lesher, RISKS-30.95)

    [It is not] surprising to learn about counterfeit chargers and phony
    qualification labels that certify safety. Not many consumers can distinguish
    real labels from fake, nor are they inclined when price often determines
    purchase motive. Similar problem for pharmaceuticals, auto parts, and
    aircraft parts. Makes you wonder about drug and travel safety given forgery
    incident frequency. Thx.

    ------------------------------

    Date: Tue, 11 Dec 2018 14:43:59 -0800
    From: Steve Lamont <s...@tirebiter.org>
    Subject: Re: Toronto auto theft ... (RISKS-30.95)

    You will note if you read the story that no one has produced an actual relay
    device in evidence. The rather murky surveillance video still shows the
    alleged miscreant carrying ... something, but whether it's a fob repeater or
    just a plastic bag containing standard burglar tools is entirely unclear to
    me.

    Until I see an actual device, color me skeptical.

    ------------------------------

    Date: Mon, 10 Dec 2018 09:43:10 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (RISKS-30.95)

    Actually this *is* Twitter's fault! (Though not in the way Giuliani
    thinks). It is obvious that Giuliani was not aware that Twitter is turning
    periods in his post into links. But did Twitter do anything to make their
    users -- especially the less technically inclined -- aware of this fact? Is
    there a way to turn this mis-feature off? Why did Twitter make it active by
    default, and in such a dumb way (the generated link was not valid as
    written, so it's obvious the user did not intend to enter a link there)?

    I have been struggling for years with Gmail's habit of inserting links into
    my incoming mail. In a past project, I had to analyse data sent in by mail
    as rows of numbers; Gmail insists on turning some of them into links to
    (non-existent) phone numbers and addresses, which greatly complicates
    automatic analysis. (I'd love to hear from anyone who knows how to turn
    this off.)
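    As an added illustration (not part of Amos Shapir's post, and not a
    description of Gmail's internals): when a mailer wraps digit runs in
    anchors, a pipeline that tokenises the HTML as received loses those rows,
    while unwrapping the anchors back to their visible text first restores
    them. The sample message, the tel:/maps link targets and the helper names
    below are constructed for this example.

```python
"""Recover numeric rows from HTML mail that a mailer has auto-linked.

Added example with constructed input; it models the effect described in the
RISKS post, not any particular mailer's implementation.
"""
import re
from html.parser import HTMLParser

# Constructed message: phone-number-like and address-like digit runs have been
# wrapped in anchors. The visible text of each anchor is the original digits.
SAMPLE_HTML = (
    "<div>Run 7 results</div>"
    '<div>12.5 3400 <a href="tel:5551234567">5551234567</a> 88</div>'
    '<div>13.0 <a href="https://maps.example/?q=221">221</a> 5559876543 90</div>'
    "<div>Regards,<br>Lab</div>"
)

BLOCK_TAGS = {"p", "div", "tr", "li"}


class AnchorUnwrapper(HTMLParser):
    """Keep the visible text, drop every tag (including the injected <a>),
    and turn block boundaries into newlines so each row stays on its own line."""

    def __init__(self):
        super().__init__()
        self._parts = []

    def handle_starttag(self, tag, attrs):
        if tag in BLOCK_TAGS or tag == "br":
            self._parts.append("\n")

    def handle_endtag(self, tag):
        if tag in BLOCK_TAGS:
            self._parts.append("\n")

    def handle_data(self, data):
        self._parts.append(data)

    def text(self) -> str:
        return "".join(self._parts)


def unwrap_autolinks(html: str) -> str:
    """Return the plain text of an HTML body with all anchors unwrapped."""
    parser = AnchorUnwrapper()
    parser.feed(html)
    parser.close()
    return parser.text()


NUMBER = re.compile(r"-?\d+(?:\.\d+)?")


def parse_numeric_rows(text: str) -> list:
    """A data row is a line of whitespace-separated numbers; any other token
    disqualifies the whole line, which is exactly what a stray tag does."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        if tokens and all(NUMBER.fullmatch(t) for t in tokens):
            rows.append([float(t) for t in tokens])
    return rows


if __name__ == "__main__":
    print("rows from raw HTML:", parse_numeric_rows(SAMPLE_HTML))
    print("rows after unwrapping:", parse_numeric_rows(unwrap_autolinks(SAMPLE_HTML)))
```

    Fed the raw HTML, the row parser finds nothing, because every token on the
    single physical line carries tag text; after unwrapping, both data rows
    parse. This works only because the anchor's visible text equals the
    original digits; a mailer that rewrites the digits themselves leaves the
    raw MIME source as the only clean input.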

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.96
    ************************
     
  10. LakeGator

    Apr 3, 2007
    Tampa
    Risks Digest 30.97

    RISKS List Owner

    Dec 20, 2018 6:40 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 20 December 2018 Volume 30 : Issue 97

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/30.97>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents: Several approaches to resolve the Emacs/UTF-8/mailer problems.
    Sneaky parrot uses Amazon Alexa to shop while owner is away (WFLA)
    The GPS wars are here (Foreign Policy)
    Both engines on Virgin Australia ATR 72 "flame out" (SMH)
    Drone shatters passenger jet's nose-cone, radar (RT)
    Uber exec warned of rampant safety problems before fatal crash
    (Ars Technica)
    Ingestible Capsule Can Be Controlled Wirelessly (MIT News)
    How a National Security Investigation of Huawei Set Off an International
    Incident (NYTimes)
    Apache Misconfig Leaks Data on 120 Million Brazilians (InfoSecurity)
    "Market volatility: Fake news spooks trading algorithms" (Tom Foremski)
    "Rhode Island sues Google after latest Google+ API leak" (Catalin Cimpanu)
    New Zealand courts banned naming Grace Millane's accused killer; Google
    just emailed it out. (The Guardian)
    Iranian phishers bypass 2fa protections offered by Yahoo Mail and Gmail
    (Ars Technica)
    Turning on 2FA potentially harmful (Toby Douglass)
    Top 10 worst password FAILS of 2018 (CSO)
    She'd just had a stillborn child. Tech companies wouldn't let her forget it
    (Chris Matyszczyk)
    Thousands of Jenkins servers will let anonymous users become admins
    (Catalin Cimpanu)
    "Bing recommends piracy tutorial when searching for Office 2019"
    (Catalin Cimpanu)
    "Big Brother is driving with you!" (Rob Hull)
    Delivery robot bursts into flames at UC Berkeley, students hold it a vigil
    (SanFranChronicle)
    Re: Your apps know where you were last night, and they're not
    (Kelly Bert Manning)
    Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Kurt Seifried)
    Re: What Happens When You Reply All to 22,000 State Workers (Amos Shapir)
    Re: Annoyed Baltimore Drivers Want City To Crack Down On `Squeegee Kids'
    (Richard M Stein, John R. Levine, David Waitzman)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 17 Dec 2018 16:52:35 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Sneaky parrot uses Amazon Alexa to shop while owner is away
    (WFLA)

    TAMPA, Fla. (WFLA) - A foul-mouthed parrot, who was kicked out of an animal
    sanctuary for swearing too much, is using technology to cause even more
    trouble. The Times of London reports Rocco, an African grey, has been using
    Amazon Alexa to shop online while his owner was away.

    His owner, Marion Wis[c]hnewski told the newspaper she was shocked to find
    that her Amazon account suddenly had pending orders for various snacks,
    including watermelon and ice cream and also a kettle. “I have to check the
    shopping list when I come in from work and cancel all the items he's
    ordered,” Wischnewski told *The Daily Mail*.

    https://www.wfla.com/news/viral-news/sneaky-parrot-uses-amazon-alexa-to-shop-while-owner-is-away/1662596515

    [Coyly, that case is the ``real macaw'' (at least in English-speaking
    idioms, but perhaps not in Macao). However, it reminds me of several very
    funny parroting jokes -- one that makes sense only when told in German,
    one about a seemingly very devout parrot who surprisingly turns
    foul-mouthed, and more. Best wishes for some Holiday Cheer! PGN]

    ------------------------------

    Date: Tue, 18 Dec 2018 11:12:22 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The GPS wars are here (Foreign Policy)

    The problem first hit during Russia's September 2017 Zapad military exercise
    in its western regions, near the Baltic states. Then it happened again in
    October during NATO’s Trident Juncture exercise, held in Norway. GPS signals
    across far northern Norway and Finland failed. Civilian airplanes were
    forced to navigate manually, and ordinary citizens could no longer trust
    their smartphones.

    https://foreignpolicy.com/2018/12/17/the-gps-wars-are-here/

    ------------------------------

    Date: Tue, 18 Dec 2018 20:08:03 +0000
    From: John Colville <John.C...@uts.edu.au>
    Subject: Both engines on Virgin Australia ATR 72 "flame out" (SMH)

    https://www.smh.com.au/national/virgin-australia-under-investigation-after-engines-flame-out-during-landing-20181218-p50n22.html

    Virgin Australia is under investigation after two engines on one of its
    aircraft "flamed out" during descent and had to be manually re-ignited
    before the aircraft hit the tarmac. The incident, which involved an ATR 72
    twin-engine turboprop aircraft en route from Sydney to Canberra on December
    13, has been categorised as "serious" by the Australian Transport Safety
    Bureau (ATSB).

    ------------------------------

    Date: Fri, 14 Dec 2018 13:34:16 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Drone shatters passenger jet's nose-cone, radar (RT)

    Imagine if that goes through a window or an engine.

    https://www.rt.com/news/446416-plane-drone-collision-mexico/

    ------------------------------

    Date: Tue, 18 Dec 2018 16:47:16 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Uber exec warned of rampant safety problems before fatal crash
    (Ars Technica)

    "They told me incidents like that happen all of the time," whistleblower
    wrote.

    https://arstechnica.com/tech-policy/2018/12/uber-exec-warned-of-rampant-safety-problems-days-before-fatal-crash/

    ------------------------------

    Date: Mon, 17 Dec 2018 11:17:19 -0500
    From: ACM TechNews <technew...@acm.org>
    Subject: Ingestible Capsule Can Be Controlled Wirelessly (MIT News)

    Anne Trafton, MIT News, 13 Dec 2018, via ACM TechNews, 17 Dec 2018

    Researchers at the Massachusetts Institute of Technology (MIT) and Brigham
    and Women's Hospital have designed an ingestible capsule that can be
    controlled wirelessly via Bluetooth. The three-dimensionally-printed
    capsules, which can be customized to dispatch drugs, sense environmental
    conditions, or both, can remain in the stomach for at least a month,
    transmitting information and responding to instructions from a smartphone.
    The capsules also could be used to communicate with other wearable and
    implantable devices, transmitting their pooled information to the patient or
    doctor's smartphone. Within the capsule is a device with six arms that fold
    up before encasement; once swallowed, the capsule dissolves and the arms
    expand so the device can lodge in the stomach. Said former MIT postdoc Yong
    Lin Kong, "The self-isolation of wireless signal strength within the user's
    physical space could shield the device from unwanted connections, providing
    a physical isolation for additional security and privacy protection."

    https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1d946x2192dfx068970%26

    [Risks in ingested capsules? They are not "in jest". Compromised 3-D
    printing instructions? sharp arms? embedded transmitters? monitoring?
    interference with brain signals? doping? absorbable toxins triggered
    remotely? And others left to your imaginations. PGN]

    ------------------------------

    Date: Fri, 14 Dec 2018 22:46:03 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: How a National Security Investigation of Huawei Set Off an
    International Incident (NYTimes)

    https://www.nytimes.com/2018/12/14/business/huawei-meng-hsbc-canada.html

    The chief financial officer was arrested after a years-long American inquiry
    into the Chinese telecommunications company.

    ------------------------------

    Date: Fri, 14 Dec 2018 23:18:35 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Apache Misconfig Leaks Data on 120 Million Brazilians
    (InfoSecurity)

    https://www.infosecurity-magazine.com/news/apache-misconfig-leaks-data-120/

    ------------------------------

    Date: Thu, 13 Dec 2018 09:00:56 -0800
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Market volatility: Fake news spooks trading algorithms"
    (Tom Foremski)

    ZDnet, 10 Dec 2018
    Stock trading algorithms know how to read news headlines, but they don't
    know what's real.

    https://www.zdnet.com/article/market-volatility-fake-news-spooks-trading-algorithms/

    selected text:

    Fake news and inaccurate headlines may have contributed to recent stock
    market volatility, as trading algorithms try to interpret market-related
    news.

    Hugh Son at CNBC reported that, in a note written to clients, J.P. Morgan
    Chase's top quant, Marko Kolanovic, blamed a media landscape that's a mix of
    real and fake news, which makes it easy for others to amplify negative
    news. The effect can be seen in that, in spite of a booming economy and
    positive signals, the markets are reacting strongly to this mix of negative
    news.

    High-speed trading algorithms scan news stories to try and quickly determine
    if there is any market-moving information that affects their portfolios. It
    doesn't give them much time to determine which news stories are real.

    For example, a few years ago stock trading algorithms were buying Berkshire
    Hathaway stock because actress Anne Hathaway was in the news with a new
    movie.

    ------------------------------

    Date: Thu, 13 Dec 2018 08:57:02 -0800
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Rhode Island sues Google after latest Google+ API leak"
    (Catalin Cimpanu)

    ZDNet, 12 Dec 2018
    Google sued within a day after announcing latest Google+ API leak.
    https://www.zdnet.com/article/rhode-island-sues-google-after-latest-google-api-leak/

    opening text:

    A day after Google announced a Google+ API leak that could have exposed the
    personal information of over 52.5 million users, a Rhode Island government
    entity filed a class-action lawsuit in a California court.

    ------------------------------

    Date: Wed, 12 Dec 2018 20:36:55 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: New Zealand courts banned naming Grace Millane's accused
    killer; Google just emailed it out. (The Guardian)

    That one of the world's biggest companies rides roughshod over a court order
    tells you all you need to know about the giants of Silicon Valley

    EXCERPT:

    Imagine if a media company told you the name of the man accused of killing
    Grace Millane. Imagine if, in defiance of a very clear court ruling of
    interim name suppression, that company told you his name in an email --
    spelling it out, even, in the subject header.

    Unthinkable? That's exactly what happened in the early hours of Tuesday.

    The media company wasn't (New Zealand's) the Herald or Stuff. It wasn't
    TVNZ or Newshub or RNZ. New Zealand media outlets, from the hobbyist
    bloggers to the biggest broadcasters, respected the proscription on naming
    the accused. Of course they did: they understand consequences for breaching
    such an order, and in fact spend significant time and resource policing
    their social media channels to ensure their audience doesn't breach
    suppression either.

    Not just because the courts would take action against them for doing so.
    They understand, too, that it would be morally odious to do so: it could
    risk damaging the course of justice in an appalling murder that has left a
    family distraught and sent waves of grief and upset through the country.

    The company that paid precisely zero heed to all that is a media and
    technology corporation from Silicon Valley. A global colossus against which
    all of New Zealand's media companies combined amount to a dim pixel. The
    company is Google. Shortly after midnight on Tuesday this week, it delivered
    to everyone signed up to its `what's trending in New Zealand' email the name
    of the 26-year-old accused of the most headlined crime in this country in
    2018...

    https://www.theguardian.com/world/2018/dec/13/new-zealand-courts-banned-naming-grace-millanes-accused-killer-google-just-emailed-it-out

    ------------------------------

    Date: Thu, 13 Dec 2018 14:48:52 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Iranian phishers bypass 2fa protections offered by Yahoo Mail and
    Gmail (Ars Technica)

    (via NNSquad)

    "In other words, they check victims' usernames and passwords in realtime
    on their own servers, and even if 2 factor authentication such as text
    message, authenticator app or one-tap login are enabled they can trick
    targets and steal that information too," Certfa Lab researchers wrote.

    https://arstechnica.com/information-technology/2018/12/iranian-phishers-bypass-2fa-protections-offered-by-yahoo-mail-and-gmail/

    Avoid using text messaging as a second factor whenever possible!
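    To make the "realtime" point concrete, here is an added example (not from
    the Ars Technica article or Certfa Lab's report) contrasting a code-based
    second factor with an origin-bound one. Origins, keys and the six-digit
    code are constructed; the signing is a symmetric HMAC stand-in for the
    asymmetric signature a FIDO2/WebAuthn authenticator produces, which leaves
    the origin-binding argument unchanged.

```python
"""Relayed one-time code vs origin-bound assertion (added example).

A code typed into a look-alike page is just a string, so forwarding it to the
real server within its validity window verifies. An assertion that covers the
origin the browser actually connected to does not survive the same relay.
All values below are constructed for the example.
"""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://mail.example"               # constructed
LOOKALIKE_ORIGIN = "https://mail-example.invalid"  # constructed


class OtpServer:
    """Second factor is a short code (SMS, authenticator app, one-tap prompt,
    it makes no difference here): the server can only check that it matches."""

    def __init__(self, code_sent_to_user: str):
        self._expected = code_sent_to_user

    def verify(self, code: str) -> bool:
        return hmac.compare_digest(code, self._expected)


def sign_assertion(key: bytes, origin_seen_by_browser: str, challenge: bytes) -> bytes:
    """Authenticator signs challenge || origin. The origin is supplied by the
    browser from the connection it really made, not from page content, so a
    look-alike site cannot obtain a signature over the genuine origin.
    HMAC stands in for the asymmetric signature a real authenticator produces."""
    return hmac.new(key, challenge + origin_seen_by_browser.encode(), hashlib.sha256).digest()


class OriginBoundServer:
    def __init__(self, origin: str, authenticator_key: bytes):
        self.origin = origin
        self._key = authenticator_key

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(16)

    def verify(self, challenge: bytes, assertion: bytes) -> bool:
        # Recompute over the server's OWN origin; anything signed elsewhere fails.
        expected = sign_assertion(self._key, self.origin, challenge)
        return hmac.compare_digest(assertion, expected)


def compare_factors() -> dict:
    """Run both factors through the same relay and report what the real server accepts."""
    # 1. Code-based factor: the code the user typed at the look-alike page is
    #    presented to the real server while it is still valid.
    otp_server = OtpServer("493021")             # constructed code the user received
    code_typed_on_lookalike = "493021"
    otp_relay_accepted = otp_server.verify(code_typed_on_lookalike)

    # 2. Origin-bound factor: the real server's challenge is forwarded the same
    #    way, but the browser reports the origin it is actually talking to.
    key = secrets.token_bytes(32)
    server = OriginBoundServer(REAL_ORIGIN, key)
    challenge = server.new_challenge()
    genuine = sign_assertion(key, REAL_ORIGIN, challenge)
    relayed = sign_assertion(key, LOOKALIKE_ORIGIN, challenge)

    return {
        "otp_relay_accepted": otp_relay_accepted,
        "genuine_assertion_accepted": server.verify(challenge, genuine),
        "relayed_assertion_accepted": server.verify(challenge, relayed),
    }


if __name__ == "__main__":
    for name, accepted in compare_factors().items():
        print(f"{name}: {accepted}")
```

    The point the model makes is that the weakness is not specific to text
    messages: an authenticator-app code is relayed just as easily, because
    nothing in it says where it was typed. Only a factor that binds the
    response to the verifying origin changes the outcome.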

    ------------------------------

    Date: Mon, 17 Dec 2018 19:52:37 +0200
    From: Toby Douglass <ri...@winterflaw.net>
    Subject: Turning on 2FA potentially harmful

    When you make an account with a username, email address and password, it's
    usual that a verification email is sent. If the password is later lost, it
    is again an email which is used to send the password reset link, so here we
    see the mechanism to make the account is the mechanism to recover the
    account. If you can make the account, then you possess the means to recover
    the account.

    Two factor authentication when enabled guarantees that the person attempting
    to log in knows the username, email, password and possesses the 2FA device.
    If the device is lost, email cannot be used for recovery, because then both
    the password and device can be compromised by access to the email address.

    The question then is how to recover from loss of the 2FA device, and there
    is no obviously easy way. It actually seems to come down to methods to
    obtain a partial or full proof of identity - something, critically, which
    was *not* required to *enable* 2FA.

    It is then that the mechanisms to activate and to recover 2FA are not the
    same, and so it can be that one works while the other does not, and so it
    can be that 2FA is activated but does not work, and cannot be recovered
    because the provided mechanisms do not or cannot work, which means the
    account is inaccessible.

    Turning on 2FA can be in and of itself a risk.

    (As you, gentle reader, may have guessed, this is what happened today, with
    Amazon. In the light of the recent kernel.org DNS hijack, I activated 2FA
    on my Amazon account. 2FA activation worked, but login to Amazon did not,
    and both the 2FA resync and account recovery pages seemed broken server-side
    ("internal error"), and 2FA support is only available in the form of Amazon
    phoning you, and I cannot currently be phoned. I thought then to try my
    luck with AWS rather than Amazon; login still failed, but the resync page on
    AWS worked, and having worked, I could log into both retail Amazon and AWS.
    If the AWS resync also had not worked, I would now be locked out of my
    account.)
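    The two failure modes in this account (a factor that "activates" before it
    has been shown to work, and a recovery path that is a different, weaker
    mechanism than enrolment) are what the following added example addresses.
    It is not code from the post and says nothing about how Amazon or AWS
    implement 2FA. The model enforces TOTP (RFC 6238 over HMAC-SHA1, 30-second
    step) only after the newly provisioned device has produced one valid code,
    and hands out single-use recovery codes in that same step, so the recovery
    path is fixed at the moment the factor is enabled. Account,
    begin_enable_totp, confirm_enable_totp, the constructed password and the
    toy SHA-256 password digest are assumptions for the example.

```python
"""Pairing 2FA enrolment with its recovery path (added example).

Hypothetical account model, not any real service. TOTP is the real RFC 6238
algorithm; password storage is a toy digest so the example stays short.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamic truncation."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret: bytes, code: str, now: int, step: int = 30, window: int = 1) -> bool:
    """RFC 6238 TOTP check, tolerating +/- `window` steps of clock drift."""
    counter = now // step
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - window, counter + window + 1)
    )


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


class Account:
    def __init__(self, password: str):
        # Toy password storage for the example; production code uses a slow KDF.
        self._pw_digest = _digest(password)
        self.totp_secret: Optional[bytes] = None   # set only once enforcement begins
        self._pending_secret: Optional[bytes] = None  # provisioned, not yet confirmed
        self._recovery_digests = set()             # digests of unused recovery codes

    def begin_enable_totp(self, secret: Optional[bytes] = None) -> bytes:
        """Provision a secret to the device (a QR code in practice). Nothing is
        enforced yet: a device that cannot produce codes must not lock the user out."""
        self._pending_secret = secret or secrets.token_bytes(20)
        return self._pending_secret

    def confirm_enable_totp(self, code: str, now: int) -> Optional[List[str]]:
        """Enforce TOTP only after one live code from the device verifies, and
        issue recovery codes in the same step. Returns the codes (shown to the
        user once; the server keeps digests only) or None if the code failed."""
        if self._pending_secret is None or not verify_totp(self._pending_secret, code, now):
            return None
        self.totp_secret, self._pending_secret = self._pending_secret, None
        codes = [secrets.token_hex(5) for _ in range(8)]
        self._recovery_digests = {_digest(c) for c in codes}
        return codes

    def login(self, password: str, now: int, totp_code: Optional[str] = None,
              recovery_code: Optional[str] = None) -> bool:
        if not hmac.compare_digest(_digest(password), self._pw_digest):
            return False
        if self.totp_secret is None:
            return True                                     # 2FA not (yet) enforced
        if totp_code is not None and verify_totp(self.totp_secret, totp_code, now):
            return True
        if recovery_code is not None and _digest(recovery_code) in self._recovery_digests:
            self._recovery_digests.discard(_digest(recovery_code))  # single use
            return True
        return False


if __name__ == "__main__":
    acct = Account("constructed-password")
    acct.begin_enable_totp(b"12345678901234567890")   # RFC 6238 test secret
    codes = acct.confirm_enable_totp(hotp(b"12345678901234567890", 59 // 30), now=59)
    print("enforced:", acct.totp_secret is not None, "recovery codes:", len(codes))
    print("lost device, recovery code accepted:",
          acct.login("constructed-password", now=59, recovery_code=codes[0]))
```

    With this shape, Toby's sequence cannot occur: a device whose codes the
    server never sees verify leaves the account exactly as it was, and once
    enforcement is on, the user already holds a recovery path that depends on
    neither e-mail nor a phone call.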

    ------------------------------

    Date: Fri, 14 Dec 2018 23:21:54 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Top 10 worst password FAILS of 2018 (CSO)

    https://www.csoonline.com/article/3326830/security/top-10-worst-password-fails-of-2018.html

    ------------------------------

    Date: Thu, 13 Dec 2018 09:09:47 -0800
    From: Gene Wirchenko <ge...@telus.net>
    Subject: She'd just had a stillborn child. Tech companies wouldn't let her
    forget it (Chris Matyszczyk)

    Technically Incorrect, ZDnet, 13 Dec 2018

    A woman pleads with tech companies like Facebook and Twitter to stop serving
    her ads to intensify her grief.

    https://www.zdnet.com/article/shed-just-had-a-stillborn-child-tech-companies-wouldnt-let-her-forget-it/

    [A summary would not do this article justice. GW]

    ------------------------------

    Date: Sun, 16 Dec 2018 16:13:41 -0800
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Thousands of Jenkins servers will let anonymous users become admins
    (Catalin Cimpanu)

    ZDNet, 16 Dec 2018
    Two vulnerabilities discovered and patched over the summer expose Jenkins
    servers to mass exploitation.
    https://www.zdnet.com/article/thousands-of-jenkins-servers-will-let-anonymous-users-become-admins/

    ------------------------------

    Date: Sun, 16 Dec 2018 16:09:44 -0800
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Bing recommends piracy tutorial when searching for Office 2019"
    (Catalin Cimpanu)

    ZDNet, 14 Dec 2018
    Oh, Bing! Not again!
    https://www.zdnet.com/article/bing-recommends-piracy-tutorial-when-searching-for-office-2019/

    opening text:

    Microsoft is sending users who search for Office 2019 download links via its
    Bing search engine to a website that teaches them the basics about pirating
    the company's Office suite.

    This happens every time users search for the term "office 2019 download" on
    Bing. The result is a Bing search card (highlighted search results) that
    links to a piracy tutorial.

    ------------------------------

    Date: Sun, 16 Dec 2018 19:55:10 +0000
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: "Big Brother is driving with you!" (Rob Hull)

    Thisismoney.co.uk, Daily Mail, 5 Dec 2018

    Item in newspaper seen this week. There's a lot of debate about driverless
    vehicles, but how much control will drivers still be allowed to have? And
    what about older cars (mine was made in 1988) -- will they just be banned,
    or only allowed on the roads under strict supervision?

    https://www.dailymail.co.uk/money/cars/article-6462429/All-new-cars-fitted-black-box-devices-log-speed.html

    Big Brother is driving with you! All new cars could be fitted with black
    boxes to log speed and systems to slow them automatically under EU
    proposals

    * The European Council has called for all cars to have data loggers
    fitted by law
    * These would be able to record speed and which safety features were
    activated before, during and after a collision
    * Proposals also want new cars to have intelligent speed assistance
    systems and pre-wiring so an in-car breathalyser can be installed
    * Other requirements for new cars could include lane assist and
    fatigue monitors

    ------------------------------

    Date: Sun, 16 Dec 2018 11:46:43 -0500
    From: Tom Van Vleck <th...@multicians.org>
    Subject: Delivery robot bursts into flames at UC Berkeley, students hold it
    a vigil (SanFranChronicle)

    *The San Francisco Chronicle* website:
    https://www.sfgate.com/bayarea/article/Delivery-robot-catches-fire-at-UC-Berkeley-13470063.php

    hmm.

    [The amount needed to pony up must have been a Vigil-ante. PGN]

    ------------------------------

    Date: Fri, 14 Dec 2018 18:54:09 -0500
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Your apps know where you were last night, and they're not
    keeping it secret (NYTimes)

    If memory serves me correctly, back in the 1950s and 1960s we were told that
    one of the freedoms we enjoyed in the "Free West" was not having to
    constantly carry Internal Passports to be produced on demand by police and
    other officials. Sounded like a Killer Argument to me.

    What a change. Even if you don't carry an electronic ball and chain your
    movements could be tracked by licence plate scanners or by facial
    recognition. Seems more and more like Moscow or Beijing during the Cold War
    to me. Greyhound recently ceased operation in Western Canada, but the last
    time I used it in 2005 I saw someone being released from handcuffs after
    Vancouver Police decided that him giving the same name as a fugitive to the
    bus ticket agent was just a coincidence.

    I have never had a personal wireless digital device, so the main exposure
    would probably be if I bought a new automobile with some sort of wireless
    "feature / vulnerability". I would like to see wireless access in autos made
    modular: pull the module and carry on without it. Connect a plug to the
    engine interface for diagnosis and firmware updating. I use 100 Mbps wired
    ethernet for my home network, not WiFi.

    At home web pages ask permission to find the location of my PC. I just say
    NO. I have a used laptop with wireless that started out with XP
    Professional, but it usually boots with Linux.

    For the 2015 Victoria Privacy and Security conference one of the presenters
    did the usual live demonstration of a Pineapple type attack. I mentioned my
    laptop during the Q&A session, and the fact that I had booted it with Tails
    from an optical disk instead of Linux from the hard drive.

    Such conferences are places where someone might see a challenge or an
    opportunity. An IBM employee gave up a phone number to Kevin Mitnick for a
    demo of caller ID spoofing during a previous conference.

    Back when I had to carry a work phone I turned off the WiFi and GPS to make
    the battery life last longer. I am aware that GPS can be turned on again
    problematically. Calling 911 turns on GPS if it has been disabled.

    Our current auto is more than 10 years old and lacks that "feature".

    At least the e-trike I bought in 2016 does not have wireless, although
    it does have a USB port for powering a wireless or other device.

    https://www.youtube.com/watch?v=1xbPm01fWHM

    ------------------------------

    Date: Wed, 12 Dec 2018 22:22:04 -0700
    From: Kurt Seifried <ku...@seifried.org>
    Subject: Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Shapir, 30.96)

    In all the Twitter clients/web interfaces I use, if I type text it is black
    until Twitter or the client makes it a link, and then it's blue. Just like
    in literally every GUI piece of software I've used for 20+ years that
    auto-creates hyperlinks based on what you type. If you are typing text and
    some of it turns blue... it's probably because it's now a hyperlink.

    Attach it as a text file.

    ------------------------------

    Date: Sat, 15 Dec 2018 11:26:33 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: What Happens When You Reply All to 22,000 State Workers
    (RISKS-30.96)

    This looks less like a case of recipients using "Reply to All" -- which is
    the default mode in many mailers, making mistakes unavoidable -- and more a
    case of senders who do not know how to use "Bcc" when sending to a large
    list of recipients.

    ------------------------------

    Date: Thu, 13 Dec 2018 12:57:32 +0800
    From: Richard M Stein <rms...@ieee.org>
    Subject: Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee
    Kids' (Levine, RISKS-30.06)

    John -- You might be right: the AV idles until the way forward is
    obstacle-free.

    We'll have to wait for this trolley problem's outcome. Alternatively, Waymo
    in Chandler, AZ could share a live scenario demo with the world to prove
    that "My Mother the Car" is sharp enough to respectfully manage hostile
    pedestrian interaction.

    I'd put my money on the vehicle occupants, if present, to issue one or more
    verbal command overrides or set a new destination with their hailing
    application if the squeegee crew acts aggressively. If the AV is
    payload-empty, an infinite standoff might manifest at the intersection/stop
    point...or not -- low fuel or diminished reserve power-level might compel
    the AV to return to depot to refuel rather than exhaust reserves and wait
    for AAA for a tow.

    Suppose the AV is stuck due to obstacles that shuffle around it and
    otherwise impede forward motion -- and possibly at a controlled intersection
    or behind another vehicle. I wonder if it'll try to rabbit should the signal
    light change to green or remain neutralized until obstacles clear? Possibly,
    AV depot control will sense a "help me I am stuck" signal and call the cops
    to intervene and run the squeegees off?

    ------------------------------

    Date: 13 Dec 2018 08:28:23 -0500
    From: "John R. Levine" <jo...@iecc.com>
    Subject: Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee
    Kids' (Stein, RISKS-30.97)

    Having been in NYC when it had squeegee guys, this isn't the trolley
    problem. They dart out when the light is red, they don't deliberately block
    traffic, since that would get them arrested instantly.

    ------------------------------

    Date: Sun, 16 Dec 2018 15:51:37 -0500
    From: David Waitzman <dwai...@gmail.com>
    Subject: Re: Annoyed Baltimore Drivers Want City To Crack Down On 'Squeegee
    Kids' (npr.org)

    I would not feel safe, in Baltimore particularly, rolling down my car
    windows for a squeegee kid or anyone else.

    Jacquelyn Smith was killed on December 1st in Baltimore when she "and her
    husband saw a woman asking for money. She rolled down her car window to
    hand over some cash when her husband said a man approached the car, reached
    inside to try to take Smith’s purse and necklace before stabbing her. She
    later died at the hospital."

    https://www.baltimoresun.com/news/maryland/crime/bs-md-ci-jacquelyn-smith-funeral-20181213-story.html

    ------------------------------


    End of RISKS-FORUM Digest 30.97
    ************************
     
    11. LakeGator
    Risks Digest 30.98

    RISKS List Owner

    Dec 27, 2018 7:39 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 27 December 2018 Volume 30 : Issue 98

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/30.98>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Largest car recalls in 2018 (Car and Driver)
    Best Cyber Stories of 2018 (Motherboard)
    How Much of the Internet Is Fake? Turns Out, a Lot of It, Actually.
    (Geoff Goodfellow)
    Inspector General audit finds basic cybersecurity lax for US
    ballistic missile defense systems (Rob Wilcox)
    Our Cellphones Aren't Safe (Cooper Quintin, The New York Times)
    Our Cellphones Aren't Safe (2018) and The Electronic Serial Number:
    A cellular 'sieve' -- 'spoofers' can defraud users and carriers (June 1987)
    Parachutes are no better than backpacks-- randomized trial (BMJ)
    Facebook shared even more than previously known (NYTimes)
    UK security researchers find lax security in app-controlled
    consumer hot tubs (BBC)
    Apple Watch ECG is putting a lot of health control in consumers' hands
    (CNBC)
    Innovation and Immigration (W.A. Griffin on William Kerr)
    Tesla Mobile Service (Rob Slade)
    Computers Determine States of Consciousness (Scientific American)
    Facebook, recidivus -- again -- and yet again .. (Rob Slade)
    IRS Linux move delayed by lingering Oracle Solaris systems (ZDNet)
    Canada: OPC publishes guidance for organizations and individuals
    related to protecting personal information collected during cannabis
    transactions (GC)
    FCC Launches New Offensive Against Scam, Robo Calls (EWeek)
    This patent shows Amazon may seek to create a database of
    suspicious persons using facial-recognition technology (WashPost)
    Re: Sneaky parrot uses Amazon Alexa to shop ... (danny burstein)
    Re: Drone shatters passenger jet's nose-cone, radar (Amos Shapir)
    Re: The GPS wars are here (Erling Kristiansen)
    Re: "Market volatility: Fake news spooks trading algorithms" (paul wallich)
    Re: New Zealand courts banned ...; Google just emailed it out. (Dick Mills)
    Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Amos Shapir)
    Re: Risks of `Reply All' and failing to BCC (Paul Robinson)
    Re: She'd just had a stillborn child. Tech companies wouldn't let her
    forget it (Amos Shapir)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 19 Dec 2018 17:33:07 -0500
    From: George Sherwood <sher...@testcover.com>
    Subject: Largest car recalls in 2018 (Car and Driver)

    Annie White lists the 10 largest recalls in Car and Driver's January 2019
    issue:

    4,846,885 FCA. Cruise control cannot be canceled.

    1,619,112 Ford. Fire after seatbelt pretensioner deployment.

    1,357,311 Honda. Passenger frontal airbag inflator may explode.

    1,301,986 Ford. Steering wheel may detach.

    1,282,596 Ford. Stuck canister purge valve may cause stall.

    1,149,237 FCA. Tailgate may open unexpectedly.

    1,015,918 GM. Temporary loss of electric power steering.

    807,329 Toyota. Hybrid system may shut down and cause stall.

    691,726 Honda. Passenger frontal airbag inflator may explode.

    622,657 Toyota & Pontiac. Passenger frontal airbag inflator may explode.

    Recall numbers, listed on page 019, are from January--October 2018.

    ------------------------------

    Date: Sun, 23 Dec 2018 09:15:42 -0800
    From: Henry Baker <hba...@pipeline.com>
    Subject: Best Cyber Stories of 2018 (Motherboard)

    Dead CIA agents, ignored whistleblowers, irresponsible encryption mongers,
    what-were-they-thinking ethics failures X N, election hacking,
    reaping-what-you-sow govt hacking blowback, Congressional
    oversight^H^H^H^H^Hlook, ordinary-citizens-are-human-shields-and-collateral
    damage, etc.

    In other words, 2018 was a very good year, if you happened to be a
    malicious hacker or a govt contractor (but I repeat myself).

    https://motherboard.vice.com/en_us/article/xwj38j/motherboard-cybersecurity-jealousy-list-2018

    The Cybersecurity Stories We Were Jealous of in 2018

    by Lorenzo Franceschi-Bicchierai and Joseph Cox Dec 21 2018, 7:10am

    Here at Motherboard, we are passionate about cybersecurity.

    ...

    here's a very incomplete list of our favorite stories ... that
    we wish we had done ourselves.

    Kaspersky's 'Slingshot' Report Burned An Isis-focused Intelligence
    Operation (Cyberscoop)

    https://www.cyberscoop.com/kaspersky-slingshot-isis-operation-socom-five-eyes/

    What is a cybersecurity firm's responsibility around not exposing
    certain hacking operations? Here, Cyberscoop showed that sometimes
    companies do decide to unmask campaigns targeting arguably legitimate
    threats, such as terrorists. We also explored this dilemma in our
    feature on Kaspersky Lab a few weeks after Chris Bing and Patrick
    O'Neill's scoop.

    The CIA's Communications Suffered A Catastrophic Compromise.
    It Started In Iran. (Yahoo News)

    https://www.yahoo.com/news/cias-communications-suffered-catastrophic-compromise-started-iran-090018710.html

    The US government and its intelligence apparatus suffered a deadly
    blow in China in 2011 and 2012, when more than two dozen CIA sources
    and informants were killed. But it all started in Iran in 2009, when
    hackers broke into a CIA "Internet-based covert communications
    system," as revealed in this bombshell report by Zach Dorfman and
    Jenna McLaughlin.

    How Persian Gulf Rivals Turned US Media Into Their Battleground
    (BuzzFeed News)

    https://www.buzzfeednews.com/article/kevincollier/qatar-uae-iran-trump-leaks-emails-broidy

    Sometimes the best weapon a hacker can use is not an exploit or
    phishing kit, but the media. If you can discredit your enemy through
    the relatively cheap method of enticing a journalist with a scoop,
    you're onto a winning strategy. Just look at how Guccifer 2.0--a
    persona allegedly created by the Russian government--distributed the
    hacked Democrats material too.

    Mysterious $15,000 'GrayKey' Promises To Unlock iPhone X For The Feds (Forbes)

    https://www.forbes.com/sites/thomasbrewster/2018/03/05/apple-iphone-x-graykey-hack/

    This story broke open an entire avenue of reporting for us and others:
    finally, someone was selling relatively cheap tools for unlocking
    iPhones, which led to widespread proliferation of the tech not just
    among the three-letter intelligence agencies of the world, but also
    among state- and local law enforcement. This has ramifications for
    all sorts of things in the so-called Going Dark debate, and kicked off
    a new game of security cat-and-mouse between Apple and Grayshift.

    FBI Repeatedly Overstated Encryption Threat Figures To Congress,
    Public (The Washington Post)

    https://www.washingtonpost.com/world/national-security/fbi-repeatedly-overstated-encryption-threat-figures-to-congress-public/2018/05/22/5b68ae90-5dce-11e8-a4a4-c070ef53f315_story.html

    The FBI has been complaining about encryption ... well, pretty much
    since the 1990s. And in the last few years, particularly after Apple
    refused to help unlock an alleged terrorist's iPhone, the battle has
    intensified. This Washington Post scoop showed that the numbers
    trotted out by FBI officials when talking about how damaging strong
    encryption is during investigations were overstated and sometimes
    incorrect. In other words, encryption isn't as much of a hurdle as
    the FBI would like us to believe.

    Google Plans to Launch Censored Search Engine in China, Leaked
    Documents Reveal (The Intercept)

    https://theintercept.com/2018/08/01/google-china-search-engine-censorship/

    Ryan Gallagher not only broke the news that Google was developing a
    search engine for China, one that would censor terms around human
    rights and protests, but he's also remained on top of the story. His
    reporting sparked widespread protests both internally at Google and
    among human rights organizations, questions at a Congressional
    hearing, and, just this week, he reported that Google has hit a major
    roadblock with the project as disputes have grown internally. This
    story reminded us--once again--that companies that have a good track
    record for caring about human rights don't always stay that way, and
    that a handful of employees speaking up can change the course of a
    multi-billion company.

    Google Is Helping the Pentagon Build AI for Drones (Gizmodo)

    https://gizmodo.com/google-is-helping-the-pentagon-build-ai-for-drones-1823464533

    Speaking of Google employees standing up against a controversial
    program, this story about the Internet giant's secret Pentagon
    contract broke long before Googlers organized marches to protest their
    own company. Kate Conger's relentless reporting on the story led to
    Google shutting down the program and was one of the original stories
    that helped kick off a new wave of protests by Silicon Valley
    employees against their own companies.

    Facebook Is Giving Advertisers Access to Your Shadow Contact
    Information (Gizmodo)

    https://gizmodo.com/facebook-is-giving-advertisers-access-to-your-shadow-co-1828476051

    It wasn't a great year for Facebook's bosses either. Cambridge
    Analytica, a constant struggle to moderate content, and some
    embarrassing breaches affecting millions of people, among a slew of
    seemingly endless scandals. You may have missed or forgotten this
    story, but it's worth your time. Kashmir Hill, with the help of a
    team of smart researchers, proved how Facebook mines your cell phone's
    contact data to suggest new friends on the social network, and to
    serve you better targeted ads.

    Your Apps Know Where You Were Last Night, and They're Not Keeping It
    Secret (The New York Times)

    https://www.nytimes.com/interactive/2018/12/10/business/location-data-privacy-apps.html

    Speaking of apps that know too much ... there are only a few outlets
    with the resources, reach, and dedication to take a story and present
    it in such a way that the general public can really understand a
    security issue. This is one of those stories--the sharing of location
    data lifted by apps may not be a new phenomenon, but the Times team
    produced the definitive piece tangibly explaining what this means for
    the privacy of everyone with a smartphone.

    Thermostats, Locks and Lights: Digital Tools of Domestic Abuse (The
    New York Times)

    https://www.nytimes.com/2018/06/23/technology/smart-home-devices-domestic-abuse.html

    We've extensively covered how malware is used in cases of domestic
    violence, stalking, and abuse. This Times piece looked at the next
    step in that use of technology at home: the Internet of Things.
    Definitely worth a read if you are concerned with how technology can
    impact the lives of ordinary, non-technical people. And if you don't,
    why are you reading a post about cyber articles?

    Russian Troll Farm Hijacked American Teen Girls' Computers for Likes
    (The Daily Beast)

    https://www.thedailybeast.com/russia-troll-farm-hijacked-american-teen-girls-computers-for-likes

    As a hacker, Kevin Poulsen brings some of the coolest technological
    approaches into journalism. Here, Poulsen found a dodgy browser
    extension belonging to Russia's controversial troll army, the Internet
    Research Agency. He then bought the domain linked to it, letting him
    see what sort of data it was collecting, and from where. He found the
    IRA's software on computers all over the place. A great reminder to
    think how can journalists approach a story from a different,
    technological angle.

    A Quebecer Spoke Out Against The Saudis--Then Learned He Had Spyware
    On His iPhone (CBC)

    https://www.cbc.ca/news/technology/omar-abdulaziz-spyware-saudi-arabia-nso-citizen-lab-quebec-1.4845179

    What's the point of writing about malware, spyware, and hacking if you
    can't show readers how the technology affects real people? Every
    great infosec story should have a human angle. This is a great
    example of that. Former Motherboard editor Matt Braga visited one of
    the latest victims of government-sponsored hacking, a growing problem
    that's putting regular people all over the world in danger.

    Gray Hat--Marcus Hutchins' Profile (New York Magazine)

    https://nymag.com/intelligencer/2018/03/marcus-hutchins-hacker.html

    The security researcher better known as MalwareTech helped stop
    WannaCry, one of the most virally infectious malware outbreaks ever.
    Months later, the FBI arrested him for a crime he's accused of having
    committed when he was a teen. This in-depth profile tries to answer a
    universal question in the world of cybersecurity: does a hacker hero
    always have to have a past? And if so, what should authorities do
    with them?

    Service Meant to Monitor Inmates' Calls Could Track You, Too (The New
    York Times)

    https://www.nytimes.com/2018/05/10/technology/cellphone-tracking-law-enforcement.html

    File this under "companies you probably never heard of doing sketchy
    things that can affect us all." The Times scored another huge scoop
    revealing that Securus Technologies, a firm that provides and monitors
    inmates phone calls, was letting pretty much anyone track people's
    cell phones for a fee. Thanks to Securus, anyone "can find the
    whereabouts of almost any cell phone in the country within seconds,"
    according to the investigation. As we found out later, and rather
    unsurprisingly, Securus wasn't securing this data at all.

    The Crisis of Election Security (The New York Times)

    https://www.nytimes.com/2018/09/26/magazine/election-security-crisis-midterms.html

    You've heard about election hacking for years. Everyone is worried
    about it, but seemingly no one is doing anything to prevent it.
    Veteran infosec reporter (and Motherboard contributor) Kim Zetter goes
    deep into the history and crisis of election security, writing perhaps
    the definitive piece about the subject. A must-read for anyone who
    cares about democracy and the integrity of the elections.

    The Untold Story Of NotPetya, The Most Devastating Cyberattack In
    History (Wired)

    https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/

    The outbreak of destructive malware NotPetya never got the attention
    it deserved, perhaps because it came a few weeks after the
    headline-grabbing WannaCry ransomware outbreak. Andy Greenberg does
    it justice in this thrilling tale, part of his upcoming book, on how
    NotPetya crippled the largest shipping company in the world. The only
    downside of this story is that it will make you want to read more, but
    you'll have to wait until the book comes out.

    In Leaked Chats, Wikileaks Discusses Preference For GOP Over Clinton,
    Russia, Trolling, And Feminists They Don't Like (The Intercept)

    https://theintercept.com/2018/02/14/julian-assange-wikileaks-election-clinton-trump/

    WikiLeaks and Julian Assange's fall from grace has been documented
    over the last few years, but this report built on a treasure trove of
    leaked chat logs, felt like the nail in the coffin. The Intercept
    revealed how the secret-spilling organization candidly talked about
    their preference for the Republican party to win the 2016 election,
    their thoughts on the "bright, well connected, sadistic sociopath"
    Hillary Clinton, and some unsavory comments about feminist activists.

    Israeli Cyber Firm Negotiated Advanced Attack Capabilities Sale With
    Saudis, Haaretz Reveals (Haaretz)

    https://www.haaretz.com/israel-news/.premium-israeli-company-negotiated-to-sell-advanced-cybertech-to-the-saudis-1.6680618

    The controversial and successful spyware vendor NSO Group has been in
    the headlines for a couple of years, after researchers caught
    government hackers using sophisticated hacking tools developed by the
    company to hack a Dubai-based human rights activist. This
    investigation by Israeli newspaper Haaretz exposed the behind the
    scenes story of how Saudi Arabia bought iPhone malware from NSO for
    more than $200 million.

    Russian Hackers Posed As ISIS To Threaten Military Wives (Associated
    Press)

    https://apnews.com/4d174e45ef5843a0ba82e804f080988f

    The threat of ISIS hackers has often been unjustifiably hyped up. But
    in this deeply reported story, people like Angela Ricketts show that
    the threat was real enough for some people. The AP's Raphael Satter
    talked to several people targeted by ISIS sympathizers, putting a face
    to the victims of a scary online campaign. We need more stories that
    focus on the victims of hacking; this was a great example of that.
    And Satter and his colleagues at the AP have produced several more in
    the last few months that are also worth your time.

    Living with Depression in Tech (Jonathan Zdziarski's personal blog)

    https://www.zdziarski.com/blog//ZUp=7437

    Apple security researcher and forensic expert Jonathan Zdziarski here opened
    up about an incredibly important and often overlooked topic: mental health
    in tech. Zdziarski powerfully details his own struggle with depression, and
    at the same time offers a hopeful tale of overcoming it with a lot of hard
    work, introspection, and learning. ...

    ------------------------------

    Date: Thu, 27 Dec 2018 06:50:35 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: How Much of the Internet Is Fake? Turns Out, a Lot of It, Actually.

    In late November, the Justice Department unsealed indictments against eight
    people accused of fleecing advertisers of $36 million in two of the largest
    digital ad-fraud operations ever uncovered. Digital advertisers tend to want
    two things: people to look at their ads and premium websites -- i.e.,
    established and legitimate publications -- on which to host them.

    The two schemes at issue in the case, dubbed Methbot and 3ve by the security
    researchers who found them, faked both. Hucksters infected 1.7 million
    computers with malware that remotely directed traffic to spoofed websites --
    empty websites designed for bot traffic that served up a video ad purchased
    from one of the Internet's vast programmatic ad-exchanges, but that were
    designed, according to the indictments, ``to fool advertisers into thinking
    that an impression of their ad was served on a premium publisher site,'' like
    that of *Vogue* or *The Economist*. Views, meanwhile, were faked by
    malware-infected computers with marvelously sophisticated techniques to
    imitate humans: bots *faked* clicks, mouse movements, and social network
    login information to masquerade as engaged human consumers.

    https://services.google.com/fh/files/blogs/3ve_google_whiteops_whitepaper_final_nov_2018.pdf
    https://cdn2.hubspot.net/hubfs/3400937/WO_Methbot_Operation_WP_01.pdf/

    Some were sent to browse the Internet to gather tracking cookies from other
    websites, just as a human visitor would have done through regular behavior.
    Fake people with fake cookies and fake social-media accounts, fake-moving
    their fake cursors, fake-clicking on fake websites -- the fraudsters had
    essentially created a simulacrum of the Internet, where the only real things
    were the ads.

    How much of the Internet is fake? Studies generally suggest that, year after
    year, less than 60 percent of web traffic is human; some years, according to
    some researchers, a healthy majority of it is bot. For a period of time in
    2013, *The Times* reported this year, a full half of YouTube traffic was
    `bots masquerading as people', a portion so high that employees feared an
    inflection point after which YouTube's systems for detecting fraudulent
    traffic would begin to regard bot traffic as real and human traffic as fake.
    They called this hypothetical event *The Inversion*.

    https://www.nytimes.com/interactive/2018/01/27/technology/social-media-bots.html

    In the future, when I look back from the high-tech gamer jail in which
    President PewDiePie will have imprisoned me.

    http://nymag.com/intelligencer/2018/12/why-pewdiepies-anti-semitic-youtube-jokes-dont-hurt-him.html

    http://nymag.com/intelligencer/2018/12/how-much-of-the-internet-is-fake.html

    ------------------------------

    Date: Thu, 20 Dec 2018 22:17:38 -0800
    From: Rob Wilcox <robwi...@gmail.com>
    Subject: Inspector General audit finds basic cybersecurity lax for US
    ballistic missile defense systems

    [Note the cover story in the latest issue of *The Nation*, which
    goes into huge detail on related cases. PGN]

    Cabinet departments have Inspectors General (IG) with wide and deep audit
    responsibility. Most agencies take IG reports seriously; the IG reports high
    in hierarchically-cultured agencies.

    The Department of Defense has released an audit of select ballistic missile
    defense-related facilities. These facilities manage information and
    operations, which if known, would compromise function of these systems. The
    IG audited a sample of facilities.

    (Longtime RISKS readers may be aware that many believe these systems will
    never work as represented. One need only read back to the work of Dr David
    Parnas.)

    Flaws included lack of two-factor authentication, encryption, intrusion
    detection and prevention systems, physical access to servers and least
    privilege authorization processes.

    ``During our site visit, we observed security footage showing that a
    representative from the [redacted] gained unauthorized access to the
    [redacted] facility by simply pulling the door open. The security camera
    footage also showed that although the representative stopped to ask for
    directions, the individual she stopped did not request to see her [redacted]
    badge or question her facility access. Furthermore, the security footage
    showed that the security officer at the front desk also did not request to
    see her [redacted] badge.''

    Enterprise IT security, credit card security, critical infrastructure,
    federal IT standards, NIST and cybersecurity professional NGO entities have
    recommended these basic controls for many years.

    Unclassified report:
    https://media.defense.gov/2018/Dec/14/2002072642/-1/-1/1/DODIG-2019-034.PDF.

    ------------------------------

    Date: Thu, 27 Dec 2018 14:59:18 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Our Cellphones Aren't Safe (Cooper Quintin, The New York Times)

    https://www.nytimes.com/2018/12/26/opinion/cellphones-security-spying.html

    This article may not be new to you, but it raises a plethora of issues with
    landline and cellular telephones that have existed for many years, and
    indeed many that have been well known -- e.g., see Geoff Goodfellow's message
    from 1987, which follows this one. Risks noted in Cooper's article include
    fake cell towers siphoning off information, readily available spying tools,
    SS7 security weaknesses, governmental desires for easy access, and lots more.
    Some of the issues from the Keys Under Doormats report are also present.

    [Note: I started writing this while reading *The Times* over breakfast,
    and revised it after reading Geoff's item this afternoon. PGN]

    ------------------------------

    Date: Thu, 27 Dec 2018 09:56:49 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Our Cellphones Aren't Safe (2018) and The Electronic Serial Number:
    A cellular 'sieve' -- 'spoofers' can defraud users and carriers (June 1987)

    Cooper Quintin (EFF), *The New York Times*, 27 December 2018 Security flaws
    threaten bank accounts. So why aren't we fixing them?
    https://www.nytimes.com/2018/12/26/opinion/cellphones-security-spying.html

    EXCERPT:

    America's cellular network is as vital to society as the highway system
    and power grids. Vulnerabilities in the mobile phone infrastructure threaten
    not only personal privacy and security, but also the country's. According to
    intelligence reports, spies are eavesdropping on President Trump's cellphone
    conversations and using fake cellular towers in Washington to intercept
    phone calls. Cellular communication infrastructure, the system at the heart
    of modern communication, commerce and governance, is woefully insecure. And
    we are doing nothing to fix it.

    This should be at the top of our cybersecurity agenda, yet policymakers and
    industry leaders have been nearly silent on the issue. While government
    officials are looking the other way, an increasing number of companies are
    selling products that allow buyers to take advantage of these
    vulnerabilities.

    Spying tools, which are becoming increasingly affordable, include cell-site
    simulators (commonly known by the brand name Stingray), which trick
    cellphones into connecting with them without the cellphone owners'
    knowledge. Sophisticated programs can exploit vulnerabilities in the
    backbone of the global telephone system (known as Signaling System 7, or
    SS7) to track mobile users, intercept calls and text messages, and disrupt
    mobile communications.

    These attacks have real financial consequences. In 2017, for example,
    criminals took advantage of SS7 weaknesses to carry out financial fraud by
    redirecting and intercepting text messages containing one-time passwords for
    bank customers in Germany. The criminals then used the passwords to steal
    money from the victims' accounts.

    How did we get here, and why is our cellular infrastructure so insecure?...

    [...]

    [And, PGN notes, here is Geoff's excerpt from something he wrote
    originally in 1985]

    > Date: 12 Jun *1987* 13:40-PDT
    > From: Geoffrey S. Goodfellow <Ge...@CSL.SRI.COM>
    > Subject: Article on Cellular [in]security.

    The following is reprinted from the *November 1985* issue of Personal
    Communications Technology magazine by permission of the authors and
    the publisher, FutureComm Publications Inc., 4005 Williamsburg Ct.,
    Fairfax, VA 22032, 703/352-1200.
    Copyright 1985 by FutureComm Publications Inc. All rights reserved.

    THE ELECTRONIC SERIAL NUMBER: A CELLULAR 'SIEVE'?
    'SPOOFERS' CAN DEFRAUD USERS AND CARRIERS

    by Geoffrey S. Goodfellow, Robert N. Jesse, and Andrew H. Lamothe, Jr.

    What's the greatest security problem with cellular phones? Is it privacy of
    communications? No.

    Although privacy is a concern, it will pale beside an even greater problem:
    spoofing.

    [*Security flaws threaten our privacy and bank accounts. So why aren't we
    fixing them?*]

    'Spoofing' is the process through which an agent (the 'spoofer') pretends to
    be somebody he isn't by proffering false identification, usually with intent
    to defraud. This deception, which cannot be protected against using the
    current U.S. cellular standards, has the potential to create a serious
    problem -- unless the industry takes steps to correct some loopholes in the
    present cellular standards.

    Compared to spoofing, the common security concern of privacy is not so
    severe. Most cellular subscribers would, at worst, be irked by having their
    conversational privacy violated. A smaller number of users might actually
    suffer business or personal harm if their confidential exchanges were
    compromised. For them, voice encryption equipment is becoming increasingly
    available if they are willing to pay the price for it.

    Thus, even though technology is available now to prevent an interloper from
    overhearing sensitive conversations, cellular systems cannot -- at any cost
    -- prevent pirates from charging calls to any account. This predicament is
    not new to the industry. Even though cellular provides a modern,
    sophisticated quality mobile communications service, it is not fundamentally
    much safer than older forms of mobile telephony.

    History of Spoofing Vulnerability... [...]

    http://massis.lcs.mit.edu/archives/cellular/cellular.sieve

    [When will they ever learn? (Little boxes made of Ticky-Tacky.) PGN]

    ------------------------------

    Date: Sat, 22 Dec 2018 09:36:40 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: Parachutes are no better than backpacks-- randomized trial (BMJ)

    The actual paper: Parachute use to prevent death and major trauma when
    jumping from aircraft: randomized controlled trial.
    https://www.bmj.com/content/363/bmj.k5094

    An article explaining the situation in a slightly more readable fashion.
    https://www.npr.org/sections/health-shots/2018/12/22/679083038/researchers-show-parachutes-dont-work-but-there-s-a-catch

    The point being: be careful when relying on the outcome of studies.

    ------------------------------

    Date: Wed, 19 Dec 2018 9:49:49 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Facebook shared even more than previously known (NYTimes)

    Facebook network gave Microsoft, Amazon, Spotify and others far greater
    access to people's data than it has disclosed.

    https://www.nytimes.com/2018/12/18/technology/facebook-privacy.html

    ------------------------------

    Date: Tue, 25 Dec 2018 05:26:55 -0800
    From: Rob Wilcox <robwi...@gmail.com>
    Subject: UK security researchers find lax security in app-controlled
    consumer hot tubs (BBC)

    About 30,000 hot tubs are controlled by Balboa Water App. The app uses a
    cloud service to access a WiFi controller attached to the hot tub through
the consumer's Internet-connected home network. The researchers explored and
found common IoT (Internet of Things) security flaws.

    - Simplified setup of the WiFi network made it susceptible to hackers within
    local range. There was no MAC-level security.

    - One of those modes allowed the controllers to be discoverable by anyone on
    the Internet.

- The tub controller authentication to the cloud uses a static
username/password sent in the clear and easily discoverable (now
published). There is no authentication of the user to the mobile app.

- Software quality was poor, and the vendor's response to the threat was poor.

    All those resulted in the capability to compromise the clock, temperature
    and pumps.

    Interestingly, the programmers used a faulty conversion between Fahrenheit
    and Celsius!

The whole story is a fascinating read: humorous, for the researchers
justifying buying a hot tub and controller to their management - then
photographing themselves in Santa caps using the tub; and sad, because the
vendor only returned calls to the researchers after the BBC broke the story.

    The system vendor has been very naughty this year. We hope this story brings
    a smile (and maybe a groan) to Risks readers! And we wish you all a secure
    new year!

    https://www.pentestpartners.com/security-blog/hackers-in-hot-water-pwning-smart-hot-tubs-yes-really/

    https://www.bbc.com/news/technology-46674706

    [Richard Stein noted the BBC item and commented, ``The home is a castle,
    unless connected to The Internet of Mistakes.'' PGN]

    ------------------------------

    Date: Fri, 21 Dec 2018 17:16:01 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
Subject: Apple Watch ECG is putting a lot of health control in consumers'
hands (CNBC)

    As more people have access to an ECG, doctors are being inundated with
    patient data, and it's not all good.

    Apple says users of its watch should still consult their doctor.

    https://www.cnbc.com/2018/12/19/apple-watch-ecg-is-putting-a-lot-of-health-control-in-consumers-hands.html

    ------------------------------

    Date: Mon, 24 Dec 2018 12:00:20 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Innovation and Immigration (W.A. Griffin on William Kerr)

    The Innovation Engine, an article in the Jan-Feb 2019 Harvard Magazine by
    William A. Griffin discusses research by Professor William Kerr, and makes
    some interesting points regarding innovation and immigration. For example,

    * 33% of U.S. Nobel Laureates since 1901 have been immigrants.

    * 40% of American doctoral degrees were awarded to noncitizens.

* More than 25% of American entrepreneurs were born overseas.

    Kerr is quoted: ``powerful ideas are the main force behind long-term
    economic growth.''

    [Xenophobia involves less logic than Zeno's paradoxes, and might
    be mistaken for Zenophobia, PGN]

    ------------------------------

    Date: Fri, 21 Dec 2018 16:15:22 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: Tesla Mobile Service

    So, I saw a car labeled "Tesla Mobile Service."

    Do they go to where a driver is in trouble, unplug the car, and plug it in
    again?

    ------------------------------

    Date: Thu, 20 Dec 2018 11:09:43 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Computers Determine States of Consciousness (Scientific American)

    https://www.scientificamerican.com/article/computers-determine-states-of-consciousness/

In "Google is training machines to predict when a patient will die"
(http://catless.ncl.ac.uk/Risks/30/74%23subj22.1), we learned that
physiological measurements might someday be applied by a machine-based
algorithm to assess "death likelihood," and possibly advise a hastening or
postponement of palliative healthcare treatment. Basically, Google's gizmo
will yield a number of sorts indicative of a patient's viability to sustain
biological activity.

    Now add in another data point via a machine capability based on the
    "DOC-Forest" algorithm trained to interpret EEG signals and conclude a value
    for "Disorder of Consciousness."

    https://en.wikipedia.org/wiki/Disorders_of_consciousness identifies several
    states of consciousness: locked in syndrome, minimally conscious, persistent
    vegetative, chronic coma, and brain death.

    Apparently, neurologists are sometimes challenged to accurately determine
    patient consciousness level (based on arousal and awareness): can they hear
    spoken words or music? Feel a touch though they don't react? Or smell odors?
    If yes, what does this imply about patient recovery and rehabilitation
    potential?

Medical imaging (MRI, PET, CT, etc.) may yield inconclusive evidence, or be
difficult to assess for an unconscious patient's brain state and recovery
likelihood.

    If two points determine a line, would this hypothetical line's 1st
    derivative (the slope) imply "terminate life support" or "sustain life
    support"?

    Risk: Medical practice decision support via black box, inexplicable AI.

    Might be time to add a "Black Box" warning to some medical technology.
    See https://www.fda.gov/downloads/ForConsumers/ConsumerUpdates/UCM107976.pdf

    ------------------------------

    Date: Thu, 20 Dec 2018 11:05:48 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: Facebook, recidivus -- again -- and yet again ...

    Facebook exposes your pics. And sells the phone number you gave them for
    security purposes. And tries to predict your movements. And has breaches
    they try to hide. And tries to ad-block even when it hurts you. And gives
    you a VPN that spies on you.

    None of this is new, of course. Those of us in the security field are
    possibly getting a wee bit tired of continuing "news" of Facebook's
    misdeeds. (And probably expect to be hearing the same of Instagram and
    Whatsapp at any moment.)

    The thing is, Facebook keeps on promising to do better, but actions that
    they take appear to be minimal and feckless. When Facebook is caught out,
    they seem to immediately want to turn the tables and say it is the fault of
    the users (or someone else). But, if you can find actual facts, Facebook
    never seems to come out clean.

    Some have posited that Facebook's whole structure and business model is
    simply inherently bad. Whether that is true or not, unethical behaviour is
    deeply entrenched at Facebook, and, in corporations, ethics always derive
    from the top. Some companies, even with deep problems with misfeasance (if
    not malfeasance) do manage to turn things around, but only with a
    housecleaning at the top. Facebook seems completely unwilling to take the
    necessary steps.

    https://lite.cnn.io/en/article/h_d6f18ad97cce69b248364fa11ff2902c

    If you want to get at the reports behind some of the items mentioned, see
    https://community.isc2.org/t5/Industry-News/Facebook-recidivus-again-and-yet-again/m-p/17181 or https://is.gd/zoHD6G

    ------------------------------

    Date: Wed, 19 Dec 2018 20:13:08 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: IRS Linux move delayed by lingering Oracle Solaris systems (ZDNet)

    The auditors missed two reasons why this migration has gone so wrong:
    Politics and funding. Rep. Gerry Connolly (D-Va) told NextGov, a federal
    technology news publication, "Since Republicans gained control of the House
    of Representatives in 2010, their partisan attacks have left the IRS with
    nearly 10,000 fewer customer service representatives to assist taxpayers and
    a patchwork of IT systems, some dating back to the Kennedy Administration,
    which is ultimately harming all taxpayers."

    Or, as IRS CTO Terence Milholland told Congress in 2016, "The situation is
    analogous to operating a 1960s automobile with the original chassis, two
    suspension and drivetrain, but with a more modern engine, satellite radio,
    and a GPS navigation system. It runs better than the original model but not
    nearly as efficiently as a system bought today."

    More recently, Nina Olson, the IRS national taxpayer advocate, told
    Congress, "Since FY 2010, the IRS budget has been reduced by 20 percent on
    an inflation-adjusted basis, and the IRS workforce has declined by about the
    same percentage. These reductions have led to significant cuts in taxpayer
    service levels and have prevented the IRS from deploying new technology that
    would improve the taxpayer experience."

    Linux could improve technology and save funding, but to save money, first
    you have to spend money. If, and only if, the IRS can modernize its systems
    can Linux show what it can do for both the agency and the American taxpayer.

    https://www.zdnet.com/article/irs-linux-move-delayed-by-lingering-oracle-solaris-systems/

    ------------------------------

    Date: Wed, 19 Dec 2018 11:06:31 -0500
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Canada: OPC publishes guidance for organizations and individuals
    related to protecting personal information collected during cannabis
    transactions (GC)

https://www.priv.gc.ca/en/opc-news/news-and-announcements/2018/an_181217/
    https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/gd_can_201812/

    "Cannabis is illegal in most jurisdictions outside of Canada. The personal
    information of cannabis users is therefore very sensitive. For example,
    some countries may deny entry to individuals if they know they have
    purchased cannabis, even lawfully."

    https://www.oipc.bc.ca/guidance-documents/2248

    The bottom line seems to be use cash, not a bank card, to limit the data
    trail. Not using pot might be an even better idea if you plan to travel to
    other countries in the future.

    This seems to be directed at people who will be buying pot now that it is
    legal in Canada. It is a non-issue for the rest of us who do not use pot.

    Apparently we can expect higher produce prices as greenhouses convert from
    tomatoes, peppers and lettuce to pot. I don't recall that being mentioned
    previously as a likely outcome of pot legalization.

    https://www.ctvnews.ca/canada/what-does-cannabis-cost-across-canada-1.4138585

    ------------------------------

    Date: Wed, 19 Dec 2018 10:10:11 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: FCC Launches New Offensive Against Scam, Robo Calls (EWeek)

    Carriers were required to explain their plans for comprehensive call
    blocking on 19 Nov, with the ability to be in place in 2019.

    http://www.eweek.com/networking/fcc-launches-new-offensive-against-scam-robo-calls

    The risk? Security better late than never. But very late.

    ------------------------------

    Date: Wed, 19 Dec 2018 12:52:49 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: This patent shows Amazon may seek to create a database of
    suspicious persons using facial-recognition technology (WashPost)

    https://www.washingtonpost.com/technology/2018/12/13/this-patent-shows-amazon-may-seek-create-database-suspicious-persons-using-facial-recognition-technology

The patent application proposes to use doorbell camera photo-capture with
resident approval/disapproval input supplements to compile an "Ok to pass"
and "Not ok to pass" database shared among neighbors, a digitally-surveilled
'Neighborhood Watch' program. This database would be shared with the local law
enforcement community.

"An algorithm shouldn't be deciding whether someone is suspicious," said
[Jake Snow of ACLU Northern California]. "We're calling on Amazon to be
more thoughtful of the consequences of their technology being deployed in
communities and to put people before profit."

    Risk: False-positive profiling potential and 'suspicious label' attribution
    via algorithmic physical appearance interpretation.

    Perhaps the algorithm may be more effective if it applied tactile phrenology
    as an image capture supplement?

    ------------------------------

    Date: Thu, 20 Dec 2018 19:44:25 -0500
    From: danny burstein <dan...@panix.com>
    Subject: Re: Sneaky parrot uses Amazon Alexa to shop ...

    TAMPA, Fla. (WFLA) - A foul-mouthed parrot, who was kicked out of an animal
    sanctuary for swearing too much, is using technology to cause even more
    trouble. The Times of London reports Rocco, an African grey, has been using
    Amazon Alexa to shop online while his owner was away.

    [snip]

    The default "wake up" call to the Alexa Echo Spybot is the word "Alexa".
    However, you can change it to "Echo" and a couple of others.

    Yeah, it's a pain to do so, involving pulling up the Alexa application on
    your phone and going through a bunch of menus, but it would solve this
    specific problem.

    ------------------------------

    Date: Sat, 22 Dec 2018 11:22:29 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Drone shatters passenger jet's nose-cone, radar (RISKS-30.97)

    This incident, and the one in Gatwick yesterday, raise the notion that it's
    time to require that each drone over a certain size carry an ID chip, and
    have these registered somewhere; this way a drone's owner could be
    identified in case of an incident.

Such regulations are in effect for dogs in many jurisdictions; it seems
that drones need even stricter supervision.

    ------------------------------

    Date: Fri, 21 Dec 2018 11:04:44 +0100
    From: Erling Kristiansen <erling.kr...@xs4all.nl>
    Subject: Re: The GPS wars are here

    I wonder how future AVs (autonomous vehicles) will react to GPS jamming. And
    GPS spoofing, making the AV think it is in a different place, might be even
    more fun.

    ------------------------------

    Date: Thu, 20 Dec 2018 19:46:28 -0500
    From: paul wallich <p...@panix.com>
    Subject: Re: "Market volatility: Fake news spooks trading algorithms"

    [all about how the market has been so volatile downward because of
    high-speed trading algorithms getting suckered by fake news]

    Don't blame the algorithm, blame the training set. The kinds of
    news-scanning programs described are ultimately trying to get ahead of what
    their programmers/trainers/historical data say human traders would do in a
    similar situation. And pretty much since the founding of markets, human
    traders have been making ill-informed hair-trigger trades based on faulty
    analysis of rumors or questionable headlines. The pattern has been around in
    all the decades I've been watching: some piece of news or non-news triggers
    a spike in buying or selling of a particular company's stock, and then
    within hours or days the stock is back to its previous value/trend. The
    money that's made in these swings comes from figuring out what all the other
    lemmings (apology to the real rodents in question) are going to do, and
    doing it faster or in the other direction.

    So the algorithms are just being thoughtlessly greedy faster and with more
    resources at their command. (Once again, a computer can make a mistake in
    microseconds that would take humans working with paper and pencil several
    minutes to make).

    ------------------------------

    Date: Sun, 23 Dec 2018 15:37:05 -0500
    From: Dick Mills <dickandl...@gmail.com>
    Subject: Re: New Zealand courts banned ...; Google just emailed it out.
    (RISKS-30.97)

    I have two problems with that report.

    1. It is a disturbing trend when every local judge in every country
    issues orders that he expects to be enforced globally. By what authority
    do they claim that power? Can a Russian judge order silence about hacking
    elections?

    2. Google is not an originator of news. In all likelihood, the name of
    the accused was being discussed openly in NZ sources, and was indeed
    "trending" as Google said. Only American firms are accused of evil
    behavior, while home-grown companies, forums, and news sources get a free
    pass.

    I expect that we'll see the day when The Guardian UK editorializes about
    how evil Google is for indexing an article from The Guardian web site.

    ------------------------------

    Date: Sat, 22 Dec 2018 11:10:45 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Shapir, 30.96)

    Thanks for this, and many other answers I have received, but they all refer
    to *outgoing* mail; my question was how to stop Google from inserting links
    into *incoming* mail, over whose contents and format I have no control.

    ------------------------------

    Date: Wed, 26 Dec 2018 22:11:56 +0000 (UTC)
    From: Paul Robinson <pa...@paul-robinson.us>
    Subject: Re: Risks of `Reply All' and failing to BCC (Shapir, RISKS-30.97)

I've seen it myself. I was on the mailing list for potential suppliers to
the Washington Metropolitan Area Transit Authority (the Washington, DC bus
and rail transit provider) a few years ago when they sent out a notice of an
upcoming request for bid to me and the other 1645 subscribers to that
mailing list, because whoever sent it out posted all 1646 names in the "To:"
field. The message header ran for 75 screens; the message was one screen,
about 10-15 lines.

    ------------------------------

    Date: Sat, 22 Dec 2018 11:15:20 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: She'd just had a stillborn child. Tech companies wouldn't let
    her forget it (RISKS-30.97)

This reminds me of the story (urban legend?) about a search site's
algorithm which noticed that some people who had searched for a certain
cancer medicine also searched later for funeral homes and tombstones...

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-30.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 30.98
    ************************
     
  12. LakeGator

    Risks Digest 31.01

    RISKS List Owner

    Jan 4, 2019 5:54 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 4 January 2019 Volume 31 : Issue 01

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.01>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    911 emergency services go down across the US after CenturyLink outage (ABC)
    Pilots Kept Losing Oxygen and the Military Had No Idea Why.
    Now There's a Possible Fix. (NYTimes)
    Huawei gives the US & allies security nightmares (Henry Baker)
    Wielding Rocks and Knives, Arizonans Attack Self-Driving Cars (NYTimes)
    Oregon Unconstitutionally Fined a Man $500 for Saying 'I am an Engineer',
    Federal Judge Rules (Motherboard via PGN)
    Computer Virus Disrupts Delivery Of San Diego Union-Tribune (LA Times)
    Car Smarts: The Future of Vehicle Tech (CTA)
    Drones Used to Find Toy-Like Butterfly Land Mines (Scientific American)
    Instagram Update Brings Horizontal Scrolling to Horrified Users (NYTimes)
    USA Wants to Restrict AI Exports: A Stupid and Dangerous Idea
    (Lauren Weinstein)
    Hazing (Rob Slade)
    Google sat on Chromecast bug for years, now hackers can wreak havoc
    (TechCrunch)
    Google erases Kurdistan from maps in compliance with Turkish gov. (LW)
    Re: New Zealand courts banned ...; Google just emailed it out. (Chris Drewe)
    Re: IRS Linux move delayed (Dmitri Maziuk)
    Re: Innovation and Immigration (John Levine)
    Re: New Zealand courts banned ...; Google just emailed it out.
    (Steve Bacher)
    Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Peter Houppermans,
    Amos Shapir)
    Re: MTR East Rail disruption caused by failure of both primary
    (Richard Stein)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 28 Dec 2018 10:10:30 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: 911 emergency services go down across the US after CenturyLink outage
    (ABC)

    via NNSquad
    http://worldabcnews.com/911-emergency-services-go-down-across-the-us-after-centurylink-outage-techcrunch/

    CenturyLink, one of the largest telecommunications providers in the U.S.,
    provides Internet and phone backbone services to major cell carriers,
    including AT&T and Verizon. Datacenter or fiber issues can have a knock-on
    effect to other companies, cutting out service and causing cell site
    blackouts. In this case, the outage affected only cellular calls to 911,
    and not landline calls.

    ------------------------------

    Date: Sat, 29 Dec 2018 10:53:55 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Pilots Kept Losing Oxygen and the Military Had No Idea Why.
    Now There's a Possible Fix. (NYTimes)

    https://www.nytimes.com/2018/12/27/magazine/air-force-hypoxia-pilots-navy.html

    The Air Force and the Navy are rolling out new hardware and software for
    their trainer aircraft to stop the oxygen-deprivation problems that have
    plagued pilots for several years.

    ------------------------------

    Date: Mon, 31 Dec 2018 07:21:10 -0800
    From: Henry Baker <hba...@pipeline.com>
    Subject: Huawei gives the US & allies security nightmares

    I don't know if Huawei devices have "kill switches" or "backdoors", but if
    they did, the big iron-y would be rich indeed.

    For decades, the 5i's have pushed for "backdoors" in encryption and pseudo
    RNG's, and the laughable number of "backdoors" in Cisco and Juniper routers
    belie any plausible deniability; thar be NSL's, most likely.

    Let's call a spade a spade; let's call them "blowbackdoors", because the
    U.S. intelligence community is now reaping what it sowed.

    The intel community's current freakout is raw jealousy -- if the 5G device
    manufacturers in the 5i countries could be forced to insert "kill switches"
    and "backdoors" into their own products and distribute them worldwide, it
    would be done in a New York minute -- so they know full well whereof they
    speak.

Also, ignoring its own history of winning wars through manufacturing
prowess, the U.S. has now ceded the vast majority of its manufacturing to
China, only to wake up just yesterday to the fact that it is now more
"taker" than "maker"?

    Duh!!

    https://www.schneier.com/blog/archives/2018/08/backdoors_in_ci.html
    https://www.reddit.com/r/technology/comments/90gpd5/backdoors_keep_appearing_in_ciscos_routers/
    https://www.computerworlduk.com/security/security-backdoors-that-heped-kill-faith-in-security-3634220/
    https://www.schneier.com/blog/archives/2015/12/back_door_in_ju.html
    https://www.technologyreview.com/s/612556/the-6-reasons-why-huawei-gives-the-us-and-its-allies-security-nightmares/

    The 6 reasons why Huawei gives the US and its allies security nightmares

    The biggest fear is that China could exploit the telecom giant's gear
    to wreak havoc in a crisis.

    Martin Giles and Elizabeth Woyke December 7, 2018

    The detention in Canada of Meng Wanzhou, Huawei's CFO and the daughter of
    its founder, is further inflaming tensions between the US and China. Her
    arrest is linked to a US extradition request. On December 7 a Canadian
    court heard that the request relates to Huawei's alleged use of Skycom Tech,
    a company that dealt with Iranian telecom firms, to sell equipment to Iran
    between 2009 and 2014 in contravention of US sanctions on the country.
    China says her detention is a human rights violation and is demanding her
    swift release.

    Behind this very public drama is a long-running, behind-the-scenes one
    centered on Western intelligence agencies' fears that Huawei poses a
    significant threat to global security. Among the spooks' biggest concerns:

    There could be "kill switches" in Huawei equipment ...

    The Chinese firm is the world's largest manufacturer of things like base
    stations and antennas that mobile operators use to run wireless networks.
    And those networks carry data that's used to help control power grids,
    financial markets, transport systems, and other parts of countries' vital
    infrastructure. The fear is that China's military and intelligence services
    could insert software or hardware "back doors" into Huawei's gear that they
    could exploit to degrade or disable foreign wireless networks in the event
    of a crisis. This has led to moves in the US to block Chinese equipment
    from being used.

    ... that even close inspections miss

    Since 2010, the UK has been running a special center, whose staff includes
    members of its GCHQ signal intelligence agency, to vet Huawei gear before
    it's deployed. But earlier this year, it warned that it had "only limited
    assurance" that the company's equipment didn't pose a security threat.
    According to press reports, the center had found that some of Huawei's code
    behaved differently on actual networks from the way it did when it was
    tested, and that some of its software suppliers weren't subject to rigorous
    controls.

    Back doors could be used for data snooping

    Huawei claims its equipment connects over a third of the world's population.
    It's also handling vast amounts of data for businesses. That's why there's
    fear in Western intelligence circles that back doors could be used to tap
    into sensitive information using the firm's equipment. This would be tricky
    to do undetected, but not impossible. Huawei doesn't just build equipment;
    it can also connect to it wirelessly to issue upgrades and patches to fix
    bugs. There's concern that this remote connectivity could be exploited by
    Chinese cyber spies.

    The company is also one of the world's biggest makers of smartphones and
    other consumer devices, which has raised the prospect that China might
    exploit these products for espionage. In May, the US Department of Defense
    ordered retail stores on US military bases to stop selling phones from
    Huawei and ZTE, another big Chinese tech giant, because of fears they could
    be hacked to reveal the locations and movements of military personnel.

    The rollout of 5G wireless networks will make everything worse

    Telecom companies around the world are about to roll out the next generation
    of cellular wireless, known as 5G. As well as speeding up data transfers,
    5G networks will enable self-driving cars to talk to each other and to
    things like smart traffic lights. They'll also connect and control a vast
    number of robots in factories and other locations. And the military will
    use them for all kinds of applications, too. This will dramatically expand
    the number of connected devices--and the chaos that can be caused if the
    networks supporting them are hacked. It will also ramp up the amount of
    corporate and other data that hackers can target. Both Australia and New
    Zealand have recently banned the use of Huawei equipment in new 5G wireless
    infrastructure. This week, the UK's BT followed suit.

    Chinese firms will ship tech to countries in defiance of a US trade embargo

    The US has been investigating claims that Huawei shipped products with US
    tech components to Iran and other countries subject to a US embargo. In the
    court hearing, a lawyer for the Canadian government said that Ms Meng is
    accused of telling US bankers there was no connection between Skycom and
    Huawei, when in fact there was. The alleged fraud caused the banks to make
    transactions that violated US sanctions against Iran. Chinese officials
    have repeatedly said they don't consider China's companies to be bound by
    other nations' trade edicts.

    Huawei isn't as immune to Chinese government influence as it claims to be

    Huawei has repeatedly stressed it's a private company that's owned by its
    employees. The implication is that it has no incentive to cause customers
    to lose confidence in the integrity of its products. On the other hand, its
    governance structures are still something of a mystery, and its founder, Ren
    Zhengfei, who was once an officer in the Chinese People's Liberation Army,
    keeps a low profile. Such things "make you question just how much
    independence it really has," says Adam Segal, a cybersecurity expert at the
    Council on Foreign Relations in New York.

    In its defense, Huawei can point to the fact that no security researchers
    have found back doors in its products. "There's all this concern, but
    there's never been a smoking gun," says Paul Triolo of the Eurasia Group.
    While that's true, it won't change the view of the US, which is stepping up
    its efforts to persuade its allies to keep Huawei out of all their networks.

    This story was updated on December 7 to include details of a court hearing
    in Canada about Ms Meng's detention.

    ------------------------------

    Date: Tue, 1 Jan 2019 12:50:31 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Wielding Rocks and Knives, Arizonans Attack Self-Driving Cars
    (New York Times)

    https://www.nytimes.com/2018/12/31/us/waymo-self-driving-cars-arizona-attacks.html

    While idled at a controlled stop without backup driver, can an AV passenger
    issue a command to "rabbit through the intersection" and evade onslaught by
    "stick and stone" wielding protesters?

    Should an AV w/o backup driver, under hostile domestic operating conditions,
    be required to satisfy a specific regulation? See
    https://www.nhtsa.gov/laws-regulations for airbags, etc.

    Certain individuals perceive AV technology as a threat. Their aggressive
    behavior mirrors the 19th Century Luddites who damaged mechanized weaving
    machinery in protest against job displacement.

    Neo-Luddites will likely become more effective if and when they deploy WiFi
    and Bluetooth disruption stacks and tools targeting AVs.

    https://en.wikipedia.org/wiki/Luddite

    "According to a manifesto drawn up by the Second Luddite Congress (April
    1996; Barnesville, Ohio), Neo-Luddism is 'a leaderless movement of passive
    resistance to consumerism and the increasingly bizarre and frightening
    technologies of the Computer Age.'"

    ------------------------------

    Date: Wed, 2 Jan 2019 16:27:57 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Oregon Unconstitutionally Fined a Man $500 for Saying 'I am an
    Engineer', Federal Judge Rules (Motherboard)

    Here's the other side of the Oregon Software Engineer story from 2014. PGN

    https://motherboard.vice.com/en_us/article/yw798m/oregon-unconstitutionally-fined-a-man-dollar500-for-saying-i-am-an-engineer-federal-judge-rules%3Futm_source%3Dreddit.com

    A federal district court has ruled that the state of Oregon illegally
    infringed on a man's First Amendment rights for fining him $500 because he
    wrote "I am an engineer" in a 2014 email to the state's Engineering
    Board. The court ruled that the provision in the law he broke is
    unconstitutional, which opens the door for people in the state to legally
    call themselves "engineers."

    ------------------------------

    Date: Sat, 29 Dec 2018 17:24:05 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Computer Virus Disrupts Delivery Of San Diego Union-Tribune
    (LA Times)

    https://www.npr.org/2018/12/29/680920575/computer-virus-infects-print-production-systems-tribune-publishing-says

    Also:

    Suspected malware attack causes major LA Times newspaper delivery
    interruptions
    https://www.latimes.com/local/lanow/la-me-ln-times-delivery-breakdown-20181229-story.html

    ------------------------------

    Date: Sat, 29 Dec 2018 23:41:44 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Car Smarts: The Future of Vehicle Tech (CTA)

    The computers, sensors and software in cars are getting so smart they may
    eventually detect whether the driver and passengers are happy or sad,
    comfortable or uncomfortable, alert or distracted. And as a result, driving
    automobiles can be made safer and more enjoyable.

    ``Driver monitoring is extremely important for active safety systems as well
    as automated systems,'' says Phil Magney, founder and principal at VSI Labs,
    an automotive technology applied research firm based in St. Louis Park, MN.
    ``It may have been a nice-to-have feature beforehand. Now you can say it
    definitely is a must-have feature.''

    Nevertheless, he says, car occupant monitoring overall remains in a state of
    flux -- particularly regarding user experience. ...

    For example, Shapiro says a camera inside the vehicle could determine a
    driver's attentiveness by detecting their eye blink rate and sensing their
    head pose. These checks could also determine if the driver is close to
    falling asleep. This could be merged with input from outside sensors that
    detect a pedestrian preparing to cross the car's path. And the car may then
    determine if it needs to issue a collision warning and autobrake sooner than
    it would otherwise, to give a tired or distracted driver extra time to
    react, Shapiro says.

    Emotion-sensing technology could lead the car to take actions proactively,
    such as playing certain music or adjusting cabin temperature. Or it may make
    suggestions and engage in a conversation with a passenger, for instance,
    offering to lower a window if lip-reading software senses someone
    complaining about being hot.

    https://www.cta.tech/News/i3/Articles/2018/November-December/Car-Smarts-The-Future-of-Vehicle-Tech.aspx

    Didn't HAL read lips? That didn't end well.

    ------------------------------

    Date: Tue, 1 Jan 2019 19:21:11 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Drones Used to Find Toy-Like Butterfly Land Mines
    (Scientific American)

    https://www.scientificamerican.com/article/drones-used-to-find-toy-like-butterfly-land-mines/

    "In field trials conducted in September 2017 at a New York state park, the
    team was able to pick up almost 78 percent of the mines during four
    trials. That is not yet good enough to fully replace survey work by ground
    teams. But it could help narrow down the locations and general layout of
    [Russian-made] PFM-1 minefields, says Alex van Roy, deputy head of
    operations at the Geneva-based Swiss Foundation for Mine Action (FSD) -- and
    a mine action specialist who formerly served in the Australian Army."

    Risk: Over-reliance on image processing to resolve and detect a mine to
    defuse, and eventually declare a "mine-free" zone when undetected residuals
    remain.

    Similar problems exist for other domains where image inspection is applied
    (diagnostic x-rays, etc.).

    ------------------------------

    Date: Tue, 1 Jan 2019 18:18:47 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Instagram Update Brings Horizontal Scrolling to Horrified Users
    (NYTimes)

    ``Just a test that went to a few orders of magnitude more people than
    intended... sorry about that,'' he wrote in one tweet.

    The feature was intended as a test but was released widely by mistake, the
    head of Instagram said. Closing and reopening the app turns it off.

    https://www.nytimes.com/2018/12/27/technology/instagram-update-horizontal-scroll.html

    The risk? Testing with live data and unsuspecting (live) users.

    Also, causing hysteria with first-world problems:

    Instagram briefly changed how users moved through their feeds Thursday
    morning, forcing them to swipe left or tap through horizontally rather than
    scroll vertically.

    If it had been Apple, it would have been a six-finger dance on the screen.
    <https://www.nytimes.com/services/mobile/apps/

    ------------------------------

    Date: Wed, 2 Jan 2019 08:25:57 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: USA Wants to Restrict AI Exports: A Stupid and Dangerous Idea

    https://lauren.vortex.com/2019/01/02/usa-wants-to-restrict-ai-exports-a-stupid-and-dangerous-idea

    When small, closed minds tackle big issues, the results are rarely good, and
    frequently are awful. This tends to be especially true when governments
    attempt to restrict the development and evolution of technology. Not only do
    those attempts routinely fail at their stated and ostensible purposes, but
    they often do massive self-inflicted damage along the way, and end up
    further empowering our adversaries.

    Much as Trump's expensive fantasy wall ("Mexico will pay for it!") would
    have little ultimate impact on genuine immigration problems -- other than to
    further exacerbate them -- his Commerce department's new plans for
    restricting the export of technologies such as AI, speech recognition,
    natural language understanding, and computer vision would be yet another
    unforced error that could decimate the USA's leading role in these areas.

    We've been down this kind of road before. Years ago, the USA federal
    government placed draconian restrictions on the export of encryption
    technologies, classifying them as a form of munitions. The result was that
    the rest of the world zoomed ahead in crypto tech. This also triggered
    famously bizarre situations like t-shirts with encryption source code
    printed on them being restricted, and the co-inventor of the UNIX operating
    system -- Ken Thompson -- battling to take his "Belle" chess-playing
    computer outside the country, because the U.S. government felt that various
    of the chips inside fell into this restricted category. (At the time, Ken
    was reportedly quoted as saying that the only way you could hurt someone
    with Belle was by dropping it out of a plane -- you might kill someone if it
    hit them!)

    As is the case with AI and the other technologies that Commerce is talking
    about restricting today, encryption R&D information is widely shared among
    researchers, and likewise, any attempts to stop these new technologies from
    being widely available, even attempts at restricting access to them by
    specific countries on our designated blacklist of the moment, will
    inevitably fail.

    Even worse, the reaction of the global community to such ill-advised actions
    by the U.S. will inevitably tend to put us at a disadvantage yet again, as
    other countries with more intelligent and insightful leadership race ahead
    leaving us behind in the dust of politically motivated export control
    regimes.

    To restrict the export of AI and affiliated technologies is shortsighted,
    dangerous, and will only accomplish damaging our own interests, by
    restricting our ability to participate fully and openly in these crucial
    areas. It's the kind of self-destructive thinking that we've come to expect
    from the anti-science, "build walls" Trump administration, but it must be
    firmly and completely rejected nonetheless.

    [Geoff Goodfellow noted this item. PGN]
    https://techcrunch.com/2018/12/31/this-clever-ai-hid-data-from-its-creators-to-cheat-at-its-appointed-task/

    [This is really short-sighted, and resembles efforts from the early
    crypto wars by attempting to put export controls on cryptography, or
    backdoors that only trusted entities can use. PGN]

    ------------------------------

    Date: Wed, 2 Jan 2019 11:50:47 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: Hazing

    A while ago there were a number of stories about investigations into serious
    assaults at a private school. These assaults have gone way beyond hazing
    and into sexual assault, and even, because the episodes were filmed,
    possible child pornography charges. The situation has been very disturbing.

    Hazing, and hazing culture, are often "justified" by the assertion that
    "mild" forms of hazing are harmless. This statement ignores two important
    facts. One is that hazing inherently relies upon a culture of silence. In
    any such situation there can be no controls, and therefore no ability to
    ensure that "mild" hazing does not escalate. The second point is that
    hazing is a form of bullying, and it has been amply demonstrated that any
    form of bullying has long term negative impacts, both on the victims, and on
    the perpetrators.

    I've never understood hazing. Not really. It happens a lot in sports, and
    I've never been into sports. It happens in some professions, but not the
    ones I've worked in. As far as I can determine, hazing, and all the culture
    that goes with it, indicates that your job is either a) not very important,
    or b) doesn't require any skills.

    I can't say I've experienced it in information security. I started in
    malware research, which has always been occupied by charter members of
    "Egos-BackwardsR-Us." Back when I started you had to be not just a systems
    programmer, but a specialist systems programmer to make a significant
    contribution to the field, and those guys have always been the elite. Even
    so, if you studied and made even a modest contribution, you were in. I
    wasn't a systems programmer, and my contributions were very modest. But I
    was accepted.

    It's probably because the job was so big, and the workers so small (or too
    few). Anybody who wanted to help was welcome. Anybody who wanted to do
    some research would be given some tips and starters. Anybody who helped was
    in the community. Nobody had to jump through artificial hoops because the
    real barriers to entry were already formidable enough.

    (Actually, there were some in computer security, back then, who did try to
    keep you out. They were the ones who knew barely enough to charge for
    computer security consulting. Some of them claimed that computer viruses
    were not a security issue -- mostly because they didn't know what computer
    viruses were.)

    Come to think of it, I've never really seen hazing in the tech field, as
    such. Oh, there are jerks, I grant you. There are those who are so into
    the technology that social skills, human communication, and even personal
    hygiene take a very distant back seat to whatever they are working on right
    now. But, generally speaking, they don't try to keep you out. They may
    have given up trying to teach people what it is that they are doing but, if
    you take the time to try and learn, they are generally delighted to have
    someone to talk to. (They may not show it very well.)

    (The closest I've ever seen hazing in tech is the ITIL certification. Since
    ITIL is a library, it's hard to figure out how to certify that someone knows
    it. Since it's hard to assess that, you just drown the poor candidate in
    work and hope that the ones who don't know it will give up before they get
    to the end of the process. I think PMP runs it a close second.)

    I suppose I have to address the issue of women in tech. Yes, women are
    definitely underrepresented in tech. And, yes, there is a lot of irrational
    bias against women, as you find in any male-dominated field. (Not just from
    the techies: I've found it in management, too, where you'd think they should
    know better.) I do not want to minimize the issue: misogyny anywhere is
    ridiculous and wasteful. But sometimes it doesn't take much to make geeks
    realize they've been sexist jerks, and make some (possibly modest) changes.
    In one department I came in to manage, they regularly went to strip bars
    after work, and had a signed poster from one of the "performers" up on the
    wall. As I was hiring the first (female) secretary for the office, I noted
    that this wall decoration might be subject to less prominent placement. I
    never saw the poster again, and the team also removed the porn directory on
    the development server (which I'd never mentioned).

    I can't claim that all is sweetness and light in the security community.
    There are in-fights: there are personality clashes. And there are those who
    are in it just to claim status. The community usually sorts them out in
    short order. Status, in security, is most often achieved by helping others.
    If you can answer newbie questions; if your answers are true and useful;
    then you have status. If you try and claim status, and try and hold others
    back in order to hold onto it, you are the one who gets shunned.

    In information security, we have too much work, and too few resources. We
    don't have time to waste on hazing. We also aren't going to block anyone
    who actually wants to help. In any security community I've been part of,
    newbies are welcome. OK, dumb questions may get sarcastic responses, but
    they have to be pretty seriously stupid to make the grade. Otherwise, if
    someone wants to get in and help, those of us who can answer questions do.
    Ask, and a pointer will be given. Seek, and ye shall be given a direction
    to go find. Knock, and the door will be opened, and you'll be hustled in,
    and usually put to work right away.

    ------------------------------

    Date: Wed, 2 Jan 2019 16:23:59 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Google sat on Chromecast bug for years, now hackers can wreak havoc
    (TechCrunch)

    [From Lauren Weinstein's Network Neutrality Squad]
    https://techcrunch.com/2019/01/02/chromecast-bug-hackers-havoc/

    A hacker, known as Hacker Giraffe, has become the latest person to figure
    out how to trick Google's media streamer into playing any YouTube video
    they want -- including videos that are custom-made. This time around, the
    hacker hijacked thousands of Chromecasts, forcing them to display a pop-up
    notice that's viewable on the connected TV, warning the user that their
    misconfigured router is exposing their Chromecast and smart TV to hackers
    like himself. Not one to waste an opportunity, the hacker also asks that
    you subscribe to PewDiePie, an awful Internet person with a popular
    YouTube following. (He's the same hacker who tricked thousands of exposed
    printers into printing support for PewDiePie.)

    Google should have fixed this Chromecast bug years ago. On the other hand,
    UPnP has always been a train wreck, and that's not Google's fault.

    ------------------------------

    Date: Fri, 28 Dec 2018 08:56:47 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Google erases Kurdistan from maps in compliance with Turkish gov.

    via NNSquad
    http://www.kurdistan24.net/en/news/e6a0b65e-84fa-447b-9ed4-5df8390961d3

    Google incorporation [sic] removed a map outlining the geographical extent
    of the Greater Kurdistan after the Turkish state asked it to do so, a
    simple inquiry on the Internet giant's search engine from Wednesday on can
    show. "Unavailable. This map is no longer available due to a violation
    of our Terms of Service and/or policies," a note on the page that the map
    was previously on read. Google did not provide further details on how the
    Kurdistan map violated its rules. The map in question, available for
    years, used to be on Google's My Maps service, a feature of Google Maps
    that enables users to create custom maps for personal use or sharing
    through search. Because the map was created and shared publicly by a user
    through their personal account, it remains unknown if their rights have
    been violated or if they will appeal.

    If the Turkish government wants the map removed as shown to users
    INSIDE TURKEY, fine. But Turkey should not have veto rights over maps
    shown to the rest of planet, just like the EU should not have the
    right to censor search results globally. Google's willingness to slide
    down this lowest-common-denominator razor blade is dangerous to an
    extreme.

    ------------------------------

    Date: Wed, 02 Jan 2019 22:25:02 +0000
    From: Chris Drew <e76...@yahoo.co.uk>
    Subject: Re: New Zealand courts banned ...; Google just emailed it out.
    (RISKS-30.98)

    A problem that *I* have with this sort of thing is the idea that the answer
    to any problem is legislation -- it can only fix things if it's enforceable
    *and* enforced. In the UK, a common response to the Gatwick drone incident
    was "why was this allowed to happen?", as if tougher regulations would stop
    illicit drones without further action. For instance, we have very strict
    firearms laws in the UK (to the extent that an Olympic sport is illegal),
    but most gun crime involves the use of illegal guns, so even-stricter laws
    won't help.

    In the case of Google, in recent years there have been occasional incidents
    like the following example in the UK: when one wants to obtain or renew a
    passport, driver's licence, travel visa, or suchlike, or pay a road toll,
    one normally contacts the appropriate authority and pays the fee directly.
    What happens is that people Google for "passport/licence/visa/whatever" and
    are presented with a choice of sites, then one of two things may happen:

    (1) They actually get the site of an agency, who promise a prompt, efficient
    service at a competitive price (the site may imply that this can only be
    done through an agency, as I believe is the case in some countries), so they
    get their new passport/licence/visa/whatever but unexpectedly pay an
    unnecessary supplemental charge. (As I understand it, this is cheeky but
    legal.)

    (2) They get an impostor site which looks exactly like an official one, but
    again they may either pay an unnecessary fee and/or personal details are
    captured for identity theft.

    The usual response of victims is to say "why is Google allowed to show links
    to unofficial sites?", as if Google should have a legal obligation to verify
    the bona fides of every site indexed, which sounds impractical to me,
    especially considering different countries' legal systems which may be
    encountered. In the days of printed directories for landline telephones,
    there used to be a note in the small print that any professional or business
    descriptions shown were as supplied by subscribers and not independently
    verified, so for instance a guy listed as 'dentist' may not actually be
    approved to practise dentistry, as it was not practical for a telephone
    company to check details like this.

    Incidentally, a commentator in a newspaper (don't have details to hand)
    recently predicted that the World Wide Web would likely become the
    'Splinternet', i.e., a series of walled gardens, in 5-10 years; I feel that
    this will happen much sooner.

    ------------------------------

    Date: Fri, 28 Dec 2018 11:02:22 -0600
    From: Dmitri Maziuk <dma...@bmrb.wisc.edu>
    Subject: Re: IRS Linux move delayed (Goldberg, RISKS-30.98)

    It's worth reading the one-page report and doing a little
    background check, e.g.,
    https://www.nextgov.com/it-modernization/2018/03/irs-system-processing-your-taxes-almost-60-years-old/146770/
    and
    https://en.wikipedia.org/wiki/Customer_Account_Data_Engine

    For those too lazy to follow the links, two of the applications involved are
    at sixty years old "the oldest code in .gov" and are made of 20M lines of
    assembly that IRS, IBM, Northrop Grumman, and a bunch of assorted
    subcontractors have been failing to port to The Big Iron since the turn of the
    century.

    Back in 2000 it was COBOL and Java that were going to show what they can do for
    the American taxpayer. Now it's zLinux to the rescue.

    ------------------------------

    Date: 28 Dec 2018 17:34:40 -0500
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: Innovation and Immigration (RISKS-30.98)

    > * 33% of U.S. Nobel Laureates since 1901 have been immigrants.
    > * 40% of American doctoral degrees were awarded to noncitizens.
    > * More than 25% of American entrepreneurs were born overseas.

    People in New York live longer than people elsewhere in the U.S. Why?
    Because 38% of New Yorkers are immigrants, and immigrants live longer than
    people born in the US, per this 2014 paper:

    https://www.popcouncil.org/uploads/pdfs/councilarticles/pdr/PDR401Preston.pdf

    ------------------------------

    Date: Mon, 31 Dec 2018 11:23:56 -0500
    From: "Steve and Micki Bacher" <seb...@verizon.net>
    Subject: Re: New Zealand courts banned ...; Google just emailed it out.
    (RISKS-30.97)

    So, are we to conclude from this item that Google ought to be faithful to
    the laws and regulations of the respective nations in which it operates?

    If so, then what about Google's censored searches for China? Oh, but that's
    different, right?

    ------------------------------

    Date: Fri, 28 Dec 2018 14:21:37 +0100
    From: Peter Houppermans <d1...@phx.li>
    Subject: Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Shapir, 30.98)

    Umm, not using Gmail? You agreed to Terms which give Google the right to
    MODIFY contents too (the right persists in the new Terms that take effect on
    22 January 2019). The "limitations" on that right are woolly enough to
    permit Google to even alter email, which may come in handy when people start
    sending or receiving too much email critical of Google.

    In the context of online agreements you may enjoy the Freefall cartoon at
    http://freefall.purrsia.com/ff2900/fc02870.htm

    ------------------------------

    Date: Sat, 29 Dec 2018 11:09:10 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Rudy Giuliani Says Twitter Sabotaged His Tweet (Shapir, 30.96)

    I know that sadly, anything Google does is perfectly legal; my post was
    meant mainly to attract attention to their unfair conduct.

    ------------------------------

    Date: Sun, 30 Dec 2018 15:39:37 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Re: MTR East Rail disruption caused by failure of both primary
    and backup (Stein, RISKS-30.89)

    https://www.mtr.com.hk/archive/corporate/en/press_release/PR-18-108-E.pdf

    Released on 19DEC2018, the incident investigation summary report found:

    "The Panel concluded that the root cause was the different software counter
    re-initialization arrangements of the two connected systems when the
    re-initialization was activated at the incident time on 16 October
    2018. Since the four lines are connected, the inconsistent re-initialization
    situation led to repeated re-synchronization causing instability in sector
    computers. The software counter re-initialization algorithm, the differences
    in the counter re-initialization arrangements between the Alstom and Siemens
    systems and the possible impact on the train service were not known to the
    operators and maintainers, nor were they explicitly described in the
    Operation and Maintenance Manuals."

    RISK: Communication gap between multiple vendors governing train signaling
    system journey counter re-initialization protocol alignment.

    Appears that software engineers did not account for train journey counter
    reset conditions as part of system integration test for signaling system
    release qualification. Non-existent disclosure of counter re-initialization
    state dependency by either vendor implies there was a common operational
    assumption about, but not verification of, self-consistent signaling
    platform state management. No mention of counter word-length in the summary
    report.
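    The failure mode in the Panel's finding, two connected systems that share a journey counter but re-initialise it under different rules, can be reproduced in a few lines. The simulation below is an added illustration and is not MTR, Alstom or Siemens code: the counter widths, the reset values, the "re-init every N journeys" command and the re-synchronisation rule (the second system adopts the first system's value on mismatch) are all assumptions. `integration_check` is the kind of release-qualification test the commentary says was missing: it runs both counters through the re-initialisation and wrap-around cases and fails if they ever disagree.

```python
"""Two-vendor journey-counter consistency check (constructed illustration).

Vendor names, counter word lengths, reset values and the re-sync rule are
assumptions made for this example, not facts from the incident report.
"""
from dataclasses import dataclass


@dataclass
class JourneyCounter:
    """One vendor's software counter. width_bits is the assumed word length;
    reset_value is what the counter takes when a re-initialisation command
    arrives (the 'arrangement' that differed between the two systems)."""
    vendor: str
    width_bits: int
    reset_value: int = 0
    value: int = 0

    def advance(self) -> None:
        # Counter increments once per journey and wraps at its word length.
        self.value = (self.value + 1) % (1 << self.width_bits)

    def reinitialise(self) -> None:
        self.value = self.reset_value


def simulate(a: JourneyCounter, b: JourneyCounter,
             journeys: int, reinit_every: int = 0) -> dict:
    """Run both counters in lockstep for `journeys` ticks.

    A shared re-initialisation command fires every `reinit_every` journeys
    (0 disables it). After every tick the sector computer compares the two
    counters; on mismatch it logs the event and forces a re-sync (b adopts
    a's value), which is the repeated re-synchronisation the report describes.
    Returns the number of mismatches and the journey index of the first one.
    """
    mismatches = 0
    first_mismatch = None
    for j in range(1, journeys + 1):
        a.advance()
        b.advance()
        if reinit_every and j % reinit_every == 0:
            a.reinitialise()
            b.reinitialise()
        if a.value != b.value:
            mismatches += 1
            if first_mismatch is None:
                first_mismatch = j
            b.value = a.value  # assumed re-sync rule: follow system A
    return {"mismatches": mismatches, "first_mismatch": first_mismatch}


def integration_check(a: JourneyCounter, b: JourneyCounter,
                      journeys: int, reinit_every: int) -> bool:
    """Release-qualification style test: the two systems must agree on the
    counter at every journey, including across re-initialisation and
    wrap-around. True means consistent, False means the integration is unsafe."""
    return simulate(a, b, journeys, reinit_every)["mismatches"] == 0


if __name__ == "__main__":
    # Case 1: identical arrangements -> never diverge.
    print(integration_check(JourneyCounter("A", 16), JourneyCounter("B", 16),
                            journeys=200_000, reinit_every=1_000))
    # Case 2: same width, different reset values -> diverge at every re-init.
    print(simulate(JourneyCounter("A", 16, reset_value=0),
                   JourneyCounter("B", 16, reset_value=1),
                   journeys=10_000, reinit_every=1_000))
    # Case 3: different word lengths, no re-init -> diverge when A wraps.
    print(simulate(JourneyCounter("A", 16), JourneyCounter("B", 32),
                   journeys=200_000))
```

    Case 3 is why the commentary's point about counter word length matters: even with identical reset values, a 16-bit counter on one side and a wider one on the other disagree the moment the narrower one wraps, and only an integration test that runs long enough to reach that wrap would catch it.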

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.01
    ************************
  13. LakeGator
    Risks Digest 31.02

    RISKS List Owner

    Jan 11, 2019 6:48 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 11 January 2019 Volume 31 : Issue 02

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.02>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Heathrow flights disrupted by yet another drone (Ars)
    Gatwick and Heathrow buying anti-drone equipment (bbc.com)
    Inaccurate Software for Brain Surgery (Medscape)
    Can't connect to that *.gov website? Here's why... (Micah Lee via
    danny burstein)
    Denver was ground zero for CenturyLink's recent network outage
    ... and it can be explained by a Mickey Mouse movie (Aldo Svladi)
    Astronaut sparks panic after accidentally dialing 911 from space
    sending NASA security teams into a frenzy (The Sun)
    USB Type-C Authentication Program Officially Launches (EWeek)
    Finally, Some Good News About the EU's Horrendous "Right To Be Forgotten"
    Law (Lauren Weinstein)
    "Market volatility: Fake news spooks trading algorithms" (Tom Foremski)
    Is it time for Linux? (Dave Crooke)
    'Chipping' Is the Next Frontier for Biohackers (Fortune)
    Facebook appending ?fbclid to links (Dan Jacobson)
    US Air Force: 5G Dominance Critical to National Security (Security Now)
    Marriott Concedes 5 Million Passport Numbers Lost to Hackers Were Not
    Encrypted (NYTimes)
    Hackers Leak Details of German Lawmakers, Except Those on Far Right
    (NYTimes)
    A DNS hijacking wave is targeting companies at an almost unprecedented scale
    (Ars)
    Hot new trading site leaked oodles of user data, including login tokens
    (Ars)
    The Risk of Twitter knowing all, telling all (Taipei Times)
    Chinese phone maker Huawei punishes employees for iPhone tweet blunder
    (CNBC)
    Los Angeles Accuses Weather Channel App of Covertly Mining User Data
    (NYTimes)
    Could a Chinese-made Metro car spy on us? Many experts say yes. (WashPost)
    Alexa really is a spy (The Register)
    Kingpin Used Spyware to Obsessively Monitor His Wife and Mistress:
    El Chapo Trial (NYTimes)
    T-Mobile, Sprint, and AT&T Are Selling Customers' Real-Time
    Location Data, And It's Falling Into the Wrong Hands (Motherboard)
    For Owners of Amazon's Ring Security Cameras, Strangers May Have
    Been Watching (The Intercept)
    Aging In Place Technology Watch (CES 2019)
    Escalating Value of iOS Bug Bounties Hits $2M Milestone (EWeek)
    Zeroday Exploit Prices Are Higher Than Ever, Especially for iOS
    and Messaging Apps (Dan Goodin)
    Phone-staring warning after Wellingborough 'hit-and-run' (bbc.com)
    Manafort Accused of Sharing Trump Campaign Data With Russian Associate
    (NYTimes)
    Democrats Faked Online Push to Outlaw Alcohol in Alabama Race (NYTimes)
    Google search results listings can be manipulated for propaganda
    (Catalin Cimpanu)
    Disney, Apple and Facebook will be among your new streaming options
    in 2019 (WashPost)
    What Happens When Facebook Goes the Way of Myspace? (NYTimes)
    Hackers Target Chromecast Devices, Smart TVs With PewDiePie Message
    (Variety)
    Taking the smarts out of smart TVs would make them more expensive
    (The Verge)
    Why it pays to declutter your digital life (bbc.com)
    Is Gamification Working in Security Training? (Channel Futures)
    U.S. Announces Settlement With Fiat Chrysler Over Emissions (NYTimes)
    Apple trolls Google at CES 2019 with massive iMessage privacy ad
    (Business Insider)
    Re: New Zealand courts banned ... (Dimitri Maziuk)
    Re: Huawei gives the US & allies security nightmares (Amos Shapir)
    Re: USA Wants to Restrict AI Exports: A Stupid and Dangerous Idea
    (Amos Shapir)
    The AI Winter is coming (Mark Thorson)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 8 Jan 2019 21:45:47 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Heathrow flights disrupted by yet another drone (Ars)

    https://arstechnica.com/tech-policy/2019/01/heathrow-flights-disrupted-by-yet-another-drone/

    ------------------------------

    Date: Fri, 4 Jan 2019 18:08:10 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Gatwick and Heathrow buying anti-drone equipment (bbc.com)

    https://www.bbc.com/news/uk-46754489

    "The equipment, which can detect and jam communications between a drone and
    its operator, was deployed by the RAF on a roof at Gatwick last month."

    One trusts that this gear does not interfere with commercial aviation
    signals or RF-dependent devices used for emergency service.

    ------------------------------

    Date: Wed, 9 Jan 2019 15:39:59 -0500
    From: Paul Burke <box...@gmail.com>
    Subject: Inaccurate Software for Brain Surgery (Medscape)

    https://www.medscape.com/viewarticle/907429
    https://www.fda.gov/MedicalDevices/Safety/ListofRecalls/ucm629348.htm

    Some surgery is only possible with imaging software, but the software can
    have bugs.

    "The software monitor may show that the tip of the surgical tool has not
    yet reached the planned target and may prevent the neurosurgeon from being
    able to accurately see the location of surgical tools in the patient's
    brain."

    ------------------------------

    Date: Thu, 10 Jan 2019 22:13:18 -0500
    From: danny burstein <dan...@panix.com>
    Subject: Can't connect to that *.gov website? Here's why... (Micah Lee)

    [twitter]
    Micah Lee
    Verified account @micahflee

    Since the government shutdown started "more than 80 TLS certificates used
    by .gov websites have so far expired without being renewed"

    https://news.netcraft.com/archives/2019/01/10/gov-security-falters-during-u-s-shutdown.html

    Micah Lee Verified account @micahflee
    I do computer security, open source software development, and journalism
    at the Intercept

    ------------------------------

    Date: Fri, 11 Jan 2019 08:01:24 -0700
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: Denver was ground zero for CenturyLink's recent network outage
    ... and it can be explained by a Mickey Mouse movie (Aldo Svaldi)

    Aldo Svaldi, *The Denver Post*, 11 Jan 2019

    https://www.denverpost.com/2019/01/11/centurylink-network-outage-denver/

    For about 30 hours, from the early morning hours of Dec. 27 until late on
    Dec. 28, chaos reigned on CenturyLink's system. Western states that depend
    most heavily on the company's fiber-optic system were hardest hit, but
    reports of outages and slower speeds came in from Alaska to Florida,
    according to downdetector.com.

    "CenturyLink experienced a network event on one of our six transport
    networks beginning on December 27 that impacted voice, IP, and transport
    services for some of our customers. The event also impacted CenturyLink’s
    visibility into our network management system, impairing our ability to
    troubleshoot and prolonging the duration of the outage," the company said in
    a statement.

    Technicians were left scrambling trying to pinpoint the root cause, and that
    resulted in them losing time on fixes that didn't work. New Orleans as
    ground zero was an early suspect, and then it was San Antonio, Texas. Teams,
    which had to make physical site visits, went into action in Kansas City,
    Mo., and then Atlanta, and so on.

    But as they tried fixes in different areas, the problem didn't go away.
    Making matters worse, the reporting system that gathered customer complaints
    also failed.

    The source of all that turmoil and hours of angst for affected customers
    came down to one piece of equipment -- a faulty third-party network
    management card in Denver, according to the company.

    ------------------------------

    Date: Fri, 4 Jan 2019 23:23:48 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Astronaut sparks panic after accidentally dialing 911 from space
    sending NASA security teams into a frenzy (The Sun)

    https://www.thesun.co.uk/news/8116475/astronaut-calls-911-space-nasa-security/

    ------------------------------

    Date: Fri, 4 Jan 2019 15:32:31 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: USB Type-C Authentication Program Officially Launches (EWeek)

    The USB Type-C authentication standard is moving forward in an effort to
    help protect systems against malicious USB devices.

    http://www.eweek.com/security/usb-type-c-to-become-more-secure-with-authentication-standard

    ------------------------------

    Date: Thu, 10 Jan 2019 08:42:46 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Lauren's Blog: Finally, Some Good News About the EU's Horrendous
    "Right To Be Forgotten" Law

    via NNSquad
    https://lauren.vortex.com/2019/01/10/finally-some-good-news-about-the-eus-horrendous-right-to-be-forgotten-law

    I've been highly critical -- to say the least -- of the European Union's
    insane global censorship regime -- "The Right To Be Forgotten" (RTBF) --
    since well before it became actual, enacted law.

    But there's finally some good news about RTBF -- in the form of a formal
    opinion from EU Advocate General Maciej Szpunar, chief adviser at Europe's
    highest court.

    I'm not sure offhand when I first began writing about the monstrosity that
    is RTBF, but a small subset of related posts includes:

    The "Right to Be Forgotten": A Threat We Dare Not Forget (2/2012):
    https://lauren.vortex.com/archive/000938.html

    Why the "Right To Be Forgotten" is the Worst Kind of Censorship (8/2015):
    https://lauren.vortex.com/archive/001119.html

    RTBF was always bad, but it became a full-fledged dumpster fire when (as
    many of us had predicted from the beginning) efforts were made to enforce
    its censorship demands globally. This gave the EU effectively worldwide
    censorship powers via RTBF's "hide the library index cards" approach,
    creating a lowest common denominator "race to the bottom" of expanding mass,
    government-directed censorship of search results related to usually
    completely accurate and still published news and other information items.

    In a nutshell, Maciej Szpunar's opinion -- which is not binding but is
    likely to be a strong indicator of how related final decisions will turn out
    -- is that global application of EU RTBF decisions is usually unreasonable.
    While he doesn't rule out the possibility of global "enforcement" in
    "certain situations" (an aspect that will need to be clarified), it's
    obvious that he views routine global enforcement of EU RTBF demands to be
    untenable.

    This is of course only a first step toward reining in the RTBF monster, but
    it's potentially an enormously important one, and we'll be watching further
    developments in this arena with great interest indeed.

    ------------------------------

    Date: Thu, 13 Dec 2018 09:00:56 -0800
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Market volatility: Fake news spooks trading algorithms"
    (Tom Foremski)

    ZDnet, 10 Dec 2018
    Stock trading algorithms know how to read news headlines, but they don't

    ------------------------------

    Date: Sat, 5 Jan 2019 08:40:25 -0600
    From: Dave Crooke <dcr...@gmail.com>
    Subject: Is it time for Linux?

    For decades, Microsoft products have been very vulnerable to viruses and
    other exploits. This does not seem to be a solvable problem.

    For over two decades, I have used Linux in some form as my primary laptop
    or desktop OS, mostly because I'm old enough to have grown up with Unix and
    VMS. Back in the day, I would use a Windows VM as a way to run products
    like MS-Office, but now the open source alternatives have gotten to the
    point where I never do so -- car diagnostic software is the only reason to
    fire up the VM. LibreOffice is more compatible with MS-Office than
    Microsoft's own Office:mac.

    Many years ago, Linux support for hardware was variable, now it's rarely a
    concern. Installs and upgrades were awkward, now Ubuntu is very slick, and
    easy for IT to manage centrally.

    The need for Windows to support fat client business software is far less,
    as most applications are now thin client requiring only a good browser
    (Chrome) and indeed in the cloud.

    Is it time for the security community to recommend "run Linux if you can?"

    ------------------------------

    Date: Wed, 9 Jan 2019 18:05:09 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: 'Chipping' Is the Next Frontier for Biohackers (Fortune)

    The incredibly promising business behind people injecting themselves with
    microchips. Bye-bye keys, passwords, and tickets -- they're all on the chip.

    Down a narrow side street in the Swedish city of Gothenburg sits the
    Barbarella piercing parlor, a regular haunt for locals who decorate their
    bodies with piercings and tattoos, and which claims to offer the area's
    finest collection of ear discs and nose rings. But on a frigid evening in
    November, the shop is the setting for a very different kind of body
    enhancement: biochips. As darkness falls on the port town of nearly 600,000
    people, Jowan Österlund wanders in, wearing a baseball cap and
    T-shirt, to meet two new clients for his small startup, Biohax
    International. From his backpack, he pulls plastic-wrapped syringes, each
    containing a tiny, dark microchip that is barely visible from the
    outside. Inside the unassuming package is Österlund's prized product, a
    window into what today is a fringe tech obsession but which, he believes,
    will one day be a giant industry. ``You are creating an entirely new type of
    behavior and entirely new types of data that will be massively more valuable
    than what we have now. It is kind of a moonshot. But in the long run, this
    is what is going to happen.''

    http://fortune.com/longform/biochipping-biohax-microchip/

    ------------------------------

    Date: Thu, 10 Jan 2019 13:44:26 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Facebook appending ?fbclid to links

    Facebook user sends another user a vital link about a disease:
    https://www.cdc.gov.tw/home/Scrub_typhus
    But because Facebook appends ?fbclid... to the link,
    the second user cannot open it, and eventually perhaps dies.
    Yup, some sites rightly do not expect random parameters randomly added...
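
    As an added example (not part of Dan Jacobson's post or of RISKS), a small
    Python helper that strips a Facebook click identifier from a shared link
    before it is opened or forwarded, so a strict site such as the one above
    still receives the URL it expects; the sample URLs and the `fbclid` values
    are constructed, and the set of parameters to strip is an assumption that
    can be extended.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Click identifiers appended to shared links by the sharing platform; they
# carry nothing the destination server needs. Only fbclid is taken from the
# post above; extend the set for other platforms (assumption, not a standard).
TRACKING_PARAMS = frozenset({"fbclid"})


def has_tracking_params(url, tracking=TRACKING_PARAMS):
    """True if the URL's query carries at least one known tracking parameter."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return any(key in tracking for key, _ in pairs)


def strip_tracking_params(url, tracking=TRACKING_PARAMS):
    """Return the URL with known tracking parameters removed.

    Other query parameters keep their order and values, the fragment is
    preserved, and a query that becomes empty is dropped entirely so no
    dangling '?' is left behind. Values are decoded and re-encoded, so
    '%20' in the input may come back as '+'; the meaning is unchanged.
    """
    parts = urlsplit(url)
    # keep_blank_values so that 'a=&b=1' survives as 'a=&b=1'
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    kept = [(key, value) for key, value in pairs if key not in tracking]
    query = urlencode(kept)  # '' when nothing is left
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample links; the fbclid values are placeholders.
    samples = [
        "https://www.cdc.gov.tw/home/Scrub_typhus?fbclid=IwAR0constructed",
        "https://example.org/page?id=42&fbclid=IwAR0x&lang=en#section",
        "https://example.org/page?id=42",
    ]
    for link in samples:
        flag = "tracking" if has_tracking_params(link) else "clean"
        print(f"{flag:8} {link} -> {strip_tracking_params(link)}")
```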

    ------------------------------

    Date: Wed, 9 Jan 2019 00:11:08 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: US Air Force: 5G Dominance Critical to National Security
    (Security Now)

    https://www.securitynow.com/author.asp%3Fsection_id%3D706%26doc_id%3D748435%26

    Lots of risks but not clear they justify the headline, nor are all related
    to 5G.

    ------------------------------

    Date: Fri, 4 Jan 2019 11:05:12 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Marriott Concedes 5 Million Passport Numbers Lost to Hackers Were
    Not Encrypted (NYTimes)

    https://www.nytimes.com/2019/01/04/us/politics/marriott-hack-passports.html

    The overall number of guests affected by the hacking, in which Chinese
    intelligence is the leading suspect, declined to 383 million. But the
    passport data is critical to intelligence agencies.

    ------------------------------

    Date: Fri, 4 Jan 2019 11:05:49 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Hackers Leak Details of German Lawmakers, Except Those on Far Right
    (NYTimes)

    https://www.nytimes.com/2019/01/04/world/europe/germany-hacking-politicians-leak.html

    Twitter has shut down an account that had been posting personal data for
    weeks. Only the Alternative for Germany party appeared to be unscathed.

    ------------------------------

    Date: Thu, 10 Jan 2019 23:54:14 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: A DNS hijacking wave is targeting companies at an almost
    unprecedented scale (Ars)

    Clever trick allows attackers to obtain valid TLS certificate for hijacked
    domains.

    https://arstechnica.com/information-technology/2019/01/a-dns-hijacking-wave-is-targeting-companies-at-an-almost-unprecedented-scale/

    ------------------------------

    Date: Thu, 10 Jan 2019 23:59:42 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Hot new trading site leaked oodles of user data, including login
    tokens (Ars)

    Data leaked by DX.Exchange would be "super easy" to criminalize.

    https://arstechnica.com/information-technology/2019/01/hot-new-trading-site-leaked-oodles-of-user-data-including-login-tokens/

    ------------------------------

    Date: Fri, 4 Jan 2019 12:52:37 -0800
    From: Mark Thorson <e...@dialup4less.com>
    Subject: The Risk of Twitter knowing all, telling all (Taipei Times)

    Huawei's New Year's greeting was sent from their official account, tagged
    "via Twitter for iPhone". At least two employees have been demoted with
    reduction of pay.

    http://www.taipeitimes.com/News/biz/archives/2019/01/05/2003707357

    ------------------------------

    Date: Fri, 4 Jan 2019 15:02:52 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Chinese phone maker Huawei punishes employees for iPhone tweet blunder
    (CNBC)

    https://www.cnbc.com/2019/01/04/chinese-phone-maker-huawei-punishes-employees-for-iphone-tweet-blunder.html%3F__source%3Diosappshare%257Ccom.apple.UIKit.activity.Mail

    The risk? Insufficient loyalty to house brand.

    ------------------------------

    Date: Fri, 4 Jan 2019 11:08:28 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Los Angeles Accuses Weather Channel App of Covertly Mining User Data
    (NYTimes)

    https://www.nytimes.com/2019/01/03/technology/weather-channel-app-lawsuit.html

    In a lawsuit on Thursday, the city attorney said tracking was used not just
    for local forecasts but also for commercial purposes like targeted
    marketing.

    [Gabe Goldberg noted this item as well:
    L.A. Sues IBM's Weather Company over 'Deceptive' Weather Channel App
    http://fortune.com/2019/01/04/la-ibm-weather-channel-app/
    The risk? Everything spies/leaks/sells personal data.
    PGN]

    ------------------------------

    Date: Thu, 10 Jan 2019 12:08:30 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Could a Chinese-made Metro car spy on us? Many experts say yes.
    (WashPost)

    https://www.washingtonpost.com/local/trafficandcommuting/could-a-chinese-made-metro-car-spy-on-us-many-experts-say-yes/2019/01/07/00304b2c-03c9-11e9-b5df-5d3874f1ac36_story.html

    It would be quaint and surprising to learn about technology-enabled
    transportation that DID NOT spy on passengers!

    To counteract intrusive surveillance, each seat should have a built-in
    personal "Cone of Silence" ala Mel Brooks' "Get Smart."

    ------------------------------

    Date: Sat, 5 Jan 2019 20:24:53 +0100
    From: Benoit Goas <goa...@hawk.iit.edu>
    Subject: Alexa really is a spy (The Register)

    If the risks of keeping a voice activated device at home were not obvious
    enough, here are some more proofs: the recordings are kept for a while, and
    may even be provided to the wrong user.

    https://www.theregister.co.uk/2018/12/20/amazon_alexa_recordings_stranger/
    pointing to
    https://www.heise.de/downloads/18/2/5/6/5/3/9/6/ct.0119.016-018_engl.pdf

    ------------------------------

    Date: Thu, 10 Jan 2019 05:15:28 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Kingpin Used Spyware to Obsessively Monitor His Wife and Mistress:
    El Chapo Trial (NYTimes)

    https://www.nytimes.com/2019/01/09/nyregion/el-chapo-trial.html

    An IT expert working for the crime lord helped the FBI obtain dozens of
    intimate -- and incriminating -- text messages he wrote to the women.

    ------------------------------

    Date: Tue, 8 Jan 2019 23:51:43 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: T-Mobile, Sprint, and AT&T Are Selling Customers' Real-Time
    Location Data, And It's Falling Into the Wrong Hands (Motherboard)

    He Gave a Bounty Hunter $300. Then He Located His Phone

    T-Mobile, Sprint, and AT&T are selling access to their customers' location
    data, and that data is ending up in the hands of bounty hunters and others
    not authorized to possess it, letting them track most phones in the country.

    https://motherboard.vice.com/en_us/article/nepxbz/i-gave-a-bounty-hunter-300-dollars-located-phone-microbilt-zumigo-tmobile

    ------------------------------

    Date: Fri, 11 Jan 2019 17:44:33 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: For Owners of Amazon's Ring Security Cameras, Strangers May Have
    Been Watching (The Intercept)

    The `smart home' [isn't] just supposed to be a monument to convenience,
    we're told, but also to protection, a Tony Stark-like bubble of vigilant
    algorithms and Internet-connected sensors working ceaselessly to watch over
    us. But for some who've welcomed in Amazon's Ring security cameras, there
    have been more than just algorithms watching through the lens, according to
    sources alarmed by Ring's dismal privacy practices.

    Ring has a history of lax, sloppy oversight when it comes to deciding who
    has access to some of the most precious, intimate data belonging to any
    person: a live, high-definition feed from around -- and perhaps inside --
    their house. The company has marketed its line of miniature cameras,
    designed to be mounted as doorbells, in garages, and on bookshelves, not
    only as a means of keeping tabs on your home while you're away, but of
    creating a sort of privatized neighborhood watch, a constellation of
    overlapping camera feeds that will help police detect and apprehend burglars
    (and worse) as they approach. ``Our mission to reduce crime in
    neighborhoods has been at the core of everything we do commemorate the
    company's reported $1 billion acquisition payday from Amazon, a company with
    its own recent history of troubling facial recognition practices. The
    marketing is working; Ring is a consumer hit and a press darling.

    Despite its mission to keep people and their property secure, the company's
    treatment of customer video feeds has been anything but, people familiar
    with the company's practices told The Intercept. Beginning in 2016,
    according to one source, Ring provided its Ukraine-based research and
    development team virtually unfettered access to a folder on Amazon's S3
    cloud storage service that contained every video created by every Ring
    camera around the world. This would amount to an enormous list of highly
    sensitive files that could be easily browsed and viewed. Downloading and
    sharing these customer video files would have required little more than a
    click. The Information, which has aggressively covered Ring's security
    lapses, reported on these practices last month.

    https://theintercept.com/2019/01/10/amazon-ring-security-camera/

    The risk? Believing advertising?

    [PGN's risk -- large number of garbled characters approximated
    from this and the next posting from Gabe. Note `[??]' in the
    next item.]

    ------------------------------

    Date: Fri, 11 Jan 2019 17:45:42 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Aging In Place Technology Watch (CES 2019)

    Ten Technology Offerings

    Bright Lights, thick smoke, constant walking and avoidance maneuvers. After
    taking a year or two off, returning to CES is a chore and a revelation -- it
    clearly is the major event for new technology announcements. Gadgets, yes,
    too many smart wearables, including underwear, too many near misses of being
    run over by gangs of oblivious young guys staring at their phones. If there
    was a key trend in all of this racket, Sleep has become a tech obsession,
    the uptake of Digital Health is almost here, new variants of companions and
    assistants were pervasive, including Google Assistant inside everything and
    Amazon voice devices everywhere.

    Self-service increasingly matters in unexpected health categories. As with
    nearly every [?], we want to serve ourselves, no matter what. One day soon,
    onset of a stroke can be detected (Celloscope) when your smartphone watches
    your face droop as you read your email. A robotics company, Intuition
    Robotics, launches its cognitive AI Q[?] for 3rd-party companies to use as a
    digital companion agent, for example, in a car. In subsequent posts, others
    will be noted from the exhibit hall books, but for now, here are 10 other
    new companies/new offerings in alphabetical order from CES 2019 with content
    from the press releases/sites of the companies:

    https://www.ageinplacetech.com/blog/ten-technology-offerings-ces-2019

    The risks? TBD

    ------------------------------

    Date: Fri, 11 Jan 2019 16:39:41 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Escalating Value of iOS Bug Bounties Hits $2M Milestone (EWeek)

    In the escalating market for security vulnerabilities, a new milestone has
    been recorded early in the new year, with $2 million now being offered for a
    remote Apple iOS exploit.

    The $2 million award is being offered by vulnerability acquisition firm
    Zerodium, which first achieved global notoriety for offering $1 million for
    an iOS 9 zero-day exploit back in September 2015. In September 2016,
    Zerodium increased its top iOS exploit award to a $1.5 million, which has
    now been topped by the $2 million bounty.

    http://www.eweek.com/security/escalating-value-of-ios-bug-bounties-hits-2m-threshold

    ------------------------------

    Date: Tue, 8 Jan 2019 21:47:37 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Zeroday Exploit Prices Are Higher Than Ever, Especially for iOS
    and Messaging Apps (Dan Goodin)

    Dan Goodin, Ars Technica, 7 Jan 2019

    Governments and police forces around the world are trying harder than ever
    to exploit software that is becoming increasingly difficult to compromise.
    Market-leading software exploit broker Zerodium recently said it would pay
    up to $2 million for zero-click jailbreaks of Apple's iOS, $1.5 million for
    one-click iOS jailbreaks, and $1 million for exploits that take over
    security messaging apps WhatsApp and iMessage. These prices are up about
    $500,000 from previous levels, an indication that the demand for them
    continues to grow, and that reliable exploitation of these targets is
    becoming increasingly difficult. Zerodium said it sells the exploits only to
    lawful governments, although it has never provided details to verify those
    claims.

    https://arstechnica.com/information-technology/2019/01/zeroday-exploit-prices-continue-to-soar-especially-for-ios-and-messaging-apps/

    [MISPLACED ONLY PGN-ed above. See my long-ago analysis of that problem:
    http://www.csl.sri.com/neumann/only.html
    PGN]

    ------------------------------

    Date: Sat, 5 Jan 2019 20:22:03 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Phone-staring warning after Wellingborough 'hit-and-run' (bbc.com)

    https://www.bbc.com/news/uk-england-northamptonshire-46762571

    A woman has warned of the dangers of looking at phones while crossing roads
    after being hit by a vehicle in a suspected hit-and-run. Olivia Keane, 20,
    was knocked unconscious while walking across Butts Road in Wellingborough,
    Northamptonshire, on New Year's Eve. Police believe she was hit by a
    vehicle that failed to stop. Miss Keane cannot remember the details, but
    believes she was looking down at her phone at the time.

    Lucky to be alive after this hit-and-run incident.

    I lost count of pedestrians in Singapore and Malaysia descending stairs
    and fully engrossed typing SMS content or playing a mobile game, oblivious
    to their peril.

    See http://catless.ncl.ac.uk/Risks/30/89%23subj18.1
    cellphone addiction.

    Some people can't live without 'em until they die with 'em.

    ------------------------------

    Date: Wed, 9 Jan 2019 01:47:34 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Manafort Accused of Sharing Trump Campaign Data With Russian Associate
    (NYTimes)

    https://www.nytimes.com/2019/01/08/us/politics/manafort-trump-campaign-data-kilimnik.html

    Mr. Manafort's lawyers made the disclosure by accident, through a formatting
    error in a document filed to respond to charges that he had lied to
    prosecutors working for the special counsel, Robert S. Mueller III, after
    agreeing to cooperate with their investigation into Russian interference in
    the election.

    ------------------------------

    Date: Mon, 7 Jan 2019 21:05:12 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Democrats Faked Online Push to Outlaw Alcohol in Alabama Race
    (NYTimes)

    https://www.nytimes.com/2019/01/07/us/politics/alabama-senate-facebook-roy-moore.html

    A prohibitionist campaign appeared to be led by supporters of the Republican
    Senate candidate in 2017. But it was created by progressives -- the second
    such secret effort to be unmasked.

    ------------------------------

    Date: Thu, 10 Jan 2019 21:18:00 -0800
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Google search results listings can be manipulated for propaganda
    (Catalin Cimpanu)

    Catalin Cimpanu, ZDNet, 9 Jan 2019
    https://www.zdnet.com/article/google-search-results-listings-can-be-manipulated-for-propaganda/

    Google search results listings can be manipulated for propaganda
    Dutch researcher argues that Google should remove support for knowledge panels.

    opening text:

    A feature of the Google search engine lets threat actors alter search
    results in a way that could be used to push political propaganda, oppressive
    views, or promote fake news.

    The feature is known as the "knowledge panel", and is a box that usually
    appears at the right side of the search results, usually highlighting the
    main search result for a very specific query.

    [The article then gives details that, while I have not tried this myself,
    appear to suffice to reproduce the problem.]

    ------------------------------

    Date: Tue, 8 Jan 2019 23:17:19 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Disney, Apple and Facebook will be among your new streaming options
    in 2019 (WashPost)

    Overwhelmed by all the TV you haven't seen? Get ready for even more.

    https://www.washingtonpost.com/classic-apps/the-new-streaming-services-you-should-watch-in-2019/2019/01/04/1c40d660-106c-11e9-831f-3aa2c2be4cbd_story.html

    ------------------------------

    Date: Mon, 7 Jan 2019 21:29:32 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: What Happens When Facebook Goes the Way of Myspace? (NYTimes)

    If the past teaches us anything, it will happen one day. In fact, the
    process might have already started.

    https://www.nytimes.com/2018/12/12/magazine/what-happens-when-facebook-goes-the-way-of-myspace.html

    ------------------------------

    Date: Wed, 2 Jan 2019 22:16:06 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Hackers Target Chromecast Devices, Smart TVs With PewDiePie Message
    (Variety)

    Hackers Target Chromecast Devices, Smart TVs With PewDiePie Message
    https://variety.com/2019/digital/news/chromecast-hacked-pewdiepie-1203097889/

    ------------------------------

    Date: Wed, 9 Jan 2019 22:48:15 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Taking the smarts out of smart TVs would make them more expensive
    (The Verge)

    https://www.theverge.com/2019/1/7/18172397/airplay-2-homekit-vizio-tv-bill-baxter-interview-vergecast-ces-2019

    ------------------------------

    Date: Tue, 8 Jan 2019 19:20:10 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Why it pays to declutter your digital life (bbc.com)

    http://www.bbc.com/future/story/20190104-are-you-a-digital-hoarder

    "With the storage capacity of our devices increasing with every upgrade and
    cloud storage plans costing peanuts, it might not seem like a problem to
    hold on to thousands of emails, photos, documents and various other digital
    belongings.

    "But emerging research on digital hoarding -- a reluctance to get rid of the
    digital clutter we accumulate through our work and personal lives --
    suggests that it can make us feel just as stressed and overwhelmed as
    physical clutter. Not to mention the cybersecurity problems it can cause for
    individuals and businesses and the way it makes finding that one email you
    need sometimes seem impossible."

    Digital storage ubiquity promotes monomaniacal behavior.

    Horder iDisorder disorder? IDisorder Horder disorder?

    ------------------------------

    Date: Sat, 5 Jan 2019 19:03:52 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Is Gamification Working in Security Training? (Channel Futures)

    One need only to look at hacker games and competitions to see the compelling
    allure of gamification in training and practice for security pros.

    https://www.channelfutures.com/mssp-insider/is-gamification-working-in-security-training

    Wait, what?

    ------------------------------

    Date: Thu, 10 Jan 2019 21:34:06 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: U.S. Announces Settlement With Fiat Chrysler Over Emissions
    (NYTimes)

    https://www.nytimes.com/2019/01/10/business/fiat-chrysler-justice-emissions-settlement.html

    The accord in lawsuits over false readings on diesel vehicles could cost
    nearly $800 million, including penalties, fixes, warranties and
    compensation.

    ------------------------------

    Date: Tue, 8 Jan 2019 21:35:57 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Apple trolls Google at CES 2019 with massive iMessage privacy ad
    (Business Insider)

    https://www.businessinsider.com/apple-google-ad-ces-2019-privacy-imessage-2019-1

    ------------------------------

    Date: Fri, 4 Jan 2019 17:41:53 -0600
    From: Dimitri Maziuk <dma...@bmrb.wisc.edu>
    Subject: Re: New Zealand courts banned ... (Drewe, RISKS-31.01)

    Is that the Google that removes the little padlock icon from their browser
    because "the web is now safe by default"? The one that's pushing https down
    our throats to ensure the ads we (don't) see came from bona fide
    Google-paying advertisers?

    Was it Bruce Schneier who said this isn't techno-feudalism because in
    feudalism the feudal actually had obligations towards his vassals?

    No obligation indeed.

    ------------------------------

    Date: Mon, 7 Jan 2019 09:59:48 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Huawei gives the US & allies security nightmares (RISKS-31.01)

    The initial role of the Internet (in its first incarnation as Arpanet) was
    to provide a medium, detached from the phone network, for secure and stable
    communication even during a nuclear emergency.

    It's ironic that the same network has become a Trojan horse within the
    US national security infrastructure.

    ------------------------------

    Date: Mon, 7 Jan 2019 10:13:53 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: USA Wants to Restrict AI Exports: A Stupid and Dangerous Idea
    (RISKS-31.01)

    This is yet another symptom of the "US first" fallacy. Such laws and
    regulations are based on an inherent assumption that the US is first in
    everything, so any new technology would be made in the USA, and the only way
    adversaries could get it is by export from the USA.

    During the encryption exports craze of the 1980's, I came into the US
    carrying a computer board for an exhibition; I was employed by an American
    company, but the board was designed and built in their Israeli branch. When
    leaving the US, I was stopped by customs -- it seems the board's CPU was too
    fast, so it was categorized as an encryption device. I had no problem just
    leaving it there; we had plenty more back home. (I have no idea whether the
    company ever redeemed the board; it may still be stored in some customs
    warehouse at JFK.)

    ------------------------------

    Date: Fri, 11 Jan 2019 10:41:20 -0800
    From: Mark Thorson <e...@dialup4less.com>
    Subject: The AI Winter is coming

    No, not that one. The other one.

    http://www.smbc-comics.com/comics/1547218636-20190111.png

    ------------------------------

    Date: Tue, 5 May 2018 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    <http://the.wiretapped.net/security/info/textfiles/risks-digest/>
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks have done to URLs. I have
    tried to extract the essence.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.02
    ************************
     
  14. LakeGator

    Risks Digest 31.03

    RISKS List Owner

    Jan 17, 2019 2:26 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 17 January 2019 Volume 31 : Issue 03

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.03>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    In the Shutdown, the U.S. Government Is Flirting with Cybersecurity
    Disaster (DataCenterKnowledge)
    "Why is my keyboard connected to the cloud?" (Chris Duckett)
    USB Type-C Authentication Program Officially Launches (E-Week)
    The Super-Secure Quantum Cable Hiding in the Holland Tunnel (Jeremy Kahn)
    America's Electric Grid Has a Vulnerable Back Door -- and Russia
    Walked Through It. (WSJ)
    A Worldwide Hacking Spree Uses DNS Trickery to Nab Data (WiReD)
    Dark markets have evolved to use encrypted messengers/dead-drops
    (Cory Doctorow)
    A Simple Bug Makes It Easy to Spoof Google Search Results into
    Spreading Misinformation (Zack Whittaker)
    Pilot project demos credit cards with shifting CVV codes to stop fraud
    (Ars Technica)
    Veterans of the News Business Are Now Fighting Fakes (NYTimes)
    When Chinese hackers declared war on the rest of us (MIT TechReview)
    200 million Chinese resumes leak in huge database breach (TheNextWeb)
    North Korean hackers infiltrate Chile's ATM network after Skype job
    interview (ZDNet)
    Chinese Internet censors turn attention to rest of world (MIT TechReview)
    State-backed Hackers Sought and Stole Singapore Leader's Medical Data (WSJ)
    Man gets 10 years for cyberattack on Boston Children's Hospital
    (BostonGlobe)
    The Danger of Calling Out Cyberattackers (Bloomberg)
    How a little-known Democratic firm cashed in on the wave of midterm money
    (WashPost)
    Deepak Chopra has a prescription for what ails technology (WashPost)
    GoDaddy injecting site-breaking JavaScript into customer websites, here's a
    fix (TechRepublic)
    "How three rude iPhone users ruined an evening" (Chris Matyszczyk)
    Re: Escalating Value of iOS Bug Bounties Hits $2M Milestone
    (Richard Stein)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 14 Jan 2019 10:52:12 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: In the Shutdown, the U.S. Government Is Flirting with Cybersecurity
    Disaster (DataCenterKnowledge)

    Network security is an around-the-clock battle. Agency cybersecurity teams
    are left with skeleton staff, and many furloughed security experts may not
    come back.

    https://www.datacenterknowledge.com/security/shutdown-us-government-flirting-cybersecurity-disaster

    ------------------------------

    Date: Sun, 13 Jan 2019 21:47:42 -0800
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "Why is my keyboard connected to the cloud?" (Chris Duckett)

    Chris Duckett, ZDnet, 13 Jan 2019
    Just because you can, doesn't mean that you should.
    https://www.zdnet.com/article/why-is-my-keyboard-connected-to-the-cloud/

    selected text:

    Everything is becoming a thing connected to the Internet, but some things
    really shouldn't be.

    First cab off that rank should be input devices, because what sort of maniac
    thinks the advantages of a roaming cloud-based configuration outweigh the
    potential explosion in surface area to attack and compromise? That maniac is
    called Razer, and it has been connecting keyboards to its Synapse software
    for years. At last week's CES, Razer took it a step further when it
    announced it is adding support for users to use Alexa to control their
    peripherals. "Alexa, ask Chroma to change my lighting profile to FPS mode,"
    Razer cheerily proclaims as an example of its upcoming functionality.

    For this to work, the software that usually controls keyboard and mouse
    settings needs to be connected to Amazon Alexa. Also in Razer's favour is
    that it acknowledged it was responsible, which is more than can be said for
    Gigabyte.

    On 18 Dec 2018, SecureAuth detailed an exchange from when it discovered that
    software utilities for Gigabyte and Aorus motherboards had privilege
    escalation vulnerabilities. "There is ring0 memcpy-like functionality
    ... allowing a local attacker to take complete control of the affected
    system," SecureAuth said. In the end, SecureAuth said Gigabyte eventually
    responded by saying its products did not have any issues.

    If a vendor with the experience and sales of Gigabyte responds by denying
    responsibility for its software, it doesn't bode well for smaller players.

    If a bad actor was looking for a shortcut into a modern Windows system,
    trying to find your way in via Microsoft's code will be time wasting when
    the Camembert-like underbelly of a modern system is likely to be crap
    software from peripheral makers.

    ------------------------------

    Date: Fri, 4 Jan 2019 15:32:31 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: USB Type-C Authentication Program Officially Launches (E-Week)

    The USB Type-C authentication standard is moving forward in an effort to
    help protect systems against malicious USB devices.

    http://www.eweek.com/security/usb-type-c-to-become-more-secure-with-authentication-standard

    ------------------------------

    Date: Mon, 14 Jan 2019 08:30:42 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The Super-Secure Quantum Cable Hiding in the Holland Tunnel
    (Jeremy Kahn)

    Jeremy Kahn, Bloomberg Businessweek, 14 Jan 2019

    Commuters inching through rush-hour traffic in the Holland Tunnel between
    Lower Manhattan and New Jersey don't know it, but a technology likely to be
    the future of communication is being tested right outside their car windows.
    Running through the tunnel is a fiber-optic cable that harnesses the power
    of quantum mechanics to protect critical banking data from potential spies.

    The cable's trick is a technology called quantum key distribution, or QKD.
    Any half-decent intelligence agency can physically tap normal fiber optics
    and intercept whatever messages the networks are carrying: They bend the
    cable with a small clamp, then use a specialized piece of hardware to split
    the beam of light that carries digital ones and zeros through the line. The
    people communicating have no way of knowing someone is eavesdropping,
    because they're still getting their messages without any perceptible delay.

    QKD solves this problem by taking advantage of the quantum physics notion
    that light -- normally thought of as a wave -- can also behave like a
    particle. At each end of the fiber-optic line, QKD systems, which from the
    outside look like the generic black-box servers you might find in any data
    center, use lasers to fire data in weak pulses of light, each just a little
    bigger than a single photon. If any of the pulses' paths are interrupted and
    they don't arrive at the endpoint at the expected nanosecond, the sender and
    receiver know their communication has been compromised.
    [Long item, PGN-truncated ...]

    https://www.bloombergquint.com/businessweek/the-super-secure-quantum-cable-hiding-in-the-holland-tunnel#gs.Bpu8HlON
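    A classical simulation of the BB84 protocol showing why a tapped QKD link is detectable. This is an added example, not code from the Bloomberg article or the RISKS post; it goes beyond the article's timing-based description by modeling what real systems actually check, the error rate introduced when an intercept-resend eavesdropper measures photons in the wrong basis. The photon count, the 11% alarm threshold and the eavesdropper model are assumptions made for the example.

```python
"""BB84 quantum key distribution, simulated classically (added example).

Alice encodes each bit in one of two polarization bases. A tap that
measures a photon in the wrong basis randomises its state, so when Alice
and Bob compare a sample of their sifted key, an eavesdropper shows up
as an elevated quantum bit error rate (QBER). Photon count, threshold and
the intercept-resend eavesdropper are assumptions for this demo.
"""
import random
from dataclasses import dataclass


@dataclass
class Result:
    sifted_len: int   # bits left after discarding basis mismatches
    qber: float       # estimated error rate on the sacrificed sample
    alarm: bool       # True if QBER exceeds the agreed threshold


def measure(bit: int, prep_basis: int, meas_basis: int, rng: random.Random) -> int:
    """Measuring in the preparation basis returns the encoded bit;
    measuring in the other basis yields a uniformly random outcome."""
    return bit if prep_basis == meas_basis else rng.randint(0, 1)


def run_bb84(n_photons: int, eve_fraction: float,
             threshold: float = 0.11, seed: int = 0) -> Result:
    """Run one BB84 exchange over an otherwise noiseless channel.

    eve_fraction is the share of photons an intercept-resend eavesdropper
    measures (guessing a basis) and re-emits in her own basis. threshold is
    the QBER above which the parties abort (0.11 is the usual BB84 bound).
    """
    rng = random.Random(seed)
    alice_bits = [rng.randint(0, 1) for _ in range(n_photons)]
    alice_bases = [rng.randint(0, 1) for _ in range(n_photons)]
    bob_bases = [rng.randint(0, 1) for _ in range(n_photons)]

    bob_bits = []
    for bit, a_basis, b_basis in zip(alice_bits, alice_bases, bob_bases):
        if rng.random() < eve_fraction:
            # Eve cannot clone the photon: she must pick a basis, measure,
            # and send Bob a fresh photon in the basis she chose.
            e_basis = rng.randint(0, 1)
            bit, a_basis = measure(bit, a_basis, e_basis, rng), e_basis
        bob_bits.append(measure(bit, a_basis, b_basis, rng))

    # Sifting: bases are announced publicly and mismatched positions dropped.
    sifted = [(a, b) for a, b, ab, bb in
              zip(alice_bits, bob_bits, alice_bases, bob_bases) if ab == bb]

    # Parameter estimation: sacrifice a quarter of the sifted key to
    # estimate QBER. Without Eve it is exactly 0 on a noiseless channel;
    # with Eve on every photon it converges to 0.25.
    sample = sifted[: max(1, len(sifted) // 4)]
    errors = sum(1 for a, b in sample if a != b)
    qber = errors / len(sample)
    return Result(len(sifted), qber, qber > threshold)


if __name__ == "__main__":
    for frac in (0.0, 0.5, 1.0):
        r = run_bb84(4000, frac)
        print(f"eve_fraction={frac:.1f} sifted={r.sifted_len} "
              f"qber={r.qber:.3f} alarm={r.alarm}")
```

Partial interception (eve_fraction between 0 and 1) scales the QBER down proportionally, which is why the threshold, not the mere presence of errors, decides whether the key is kept.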

    ------------------------------

    Date: Sun, 13 Jan 2019 14:42:37 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: America's Electric Grid Has a Vulnerable Back Door -- and Russia
    Walked Through It. (WSJ)

    A *Wall Street Journal* reconstruction of the worst known hack into the
    nation's power system reveals attacks on hundreds of small contractors.

    https://www.wsj.com/articles/americas-electric-grid-has-a-vulnerable-back-doorand-russia-walked-through-it-11547137112

    ------------------------------

    Date: Fri, 11 Jan 2019 23:50:35 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: A Worldwide Hacking Spree Uses DNS Trickery to Nab Data (WiReD)

    Iranian hackers have been busy lately, ramping up an array of targeted
    attacks across the Middle East and abroad. And a report this week from the
    threat intelligence firm FireEye details a massive global data-snatching
    campaign, carried out over the last two years, that the firm has
    preliminarily linked to Iran.

    Using a classic tactic to undermine data security as it moves across the
    web, hackers have grabbed sensitive data like login credentials and business
    details from telecoms, Internet service providers, government organizations,
    and other institutions in the Middle East, North Africa, Europe, and North
    America. FireEye researchers say the targets and types of data stolen are
    consistent with Iranian government espionage interests -- and that whoever
    is behind the massive assault now has a trove of data that could fuel future
    cyberattacks for years.

    https://www.wired.com/story/iran-dns-hijacking/

    ------------------------------

    From: Dewayne Hendricks <dew...@warpspeed.com>
    Date: January 15, 2019 at 7:41:24 AM GMT+9
    Subject: Dark markets have evolved to use encrypted messengers/dead-drops
    (Cory Doctorow)

    [Note: This item comes from friend David Rosenthal. DLH]

    Cory Doctorow, Jan 14 2019
    Dark markets have evolved to use encrypted messengers and dead-drops

    https://boingboing.net/2019/01/14/drone-serviced-dead-drops.html

    Cryptocurrencies and Tor hidden services ushered in a new golden age for
    markets in illegal goods, especially banned or circumscribed drugs: Bitcoin
    was widely (and incorrectly) viewed as intrinsically anonymous, while the
    marketplaces themselves were significantly safer and more reliable than
    traditional criminal markets, and as sellers realized real savings in losses
    due to law enforcement and related risks, the prices of their merchandise
    plummeted, while their profits soared.

    But much of the security of dark markets was an illusion. The anonymity of
    cryptocurrencies could often be pierced; the services themselves could be
    subverted by law enforcement in order to roll up many sellers and buyers at
    once; and the "last mile" problem of shipping illegal substances through the
    mails exposed buyers and sellers to real risks.

    The buyers and sellers in dark markets have responded to these revelations
    and new facts on the ground with a range of ingenious, high-tech
    countermeasures.

    Buyers are now more likely to conduct sales negotiations through encrypted
    messenger technologies, and each customer is assigned their own unique
    contact, staffed by a bot that can answer questions on pricing and
    availability and broker transactions. Many of these transactions now take
    place through "private cryptocurrencies" that have improved anonymity
    functions (there is a lot of development on these technologies).

    Delivery is now largely managed through single-use "dead drops" --
    hidden-in-plain-sight caches that are pre-seeded by sellers, who sometimes
    use low-cost Bluetooth beacons to identify them (these beacons can be
    programmed to activate only in the presence of a wifi network with a
    specific name: a seller provides the buyer with a codeword and a GPS
    coordinate; the buyer goes to the assigned place and creates a wifi network
    on their phone with the codeword for its name, and this activates the
    Bluetooth beacon that guides the buyer to their merchandise).

    The logistics of these dead-drops are fascinating: there's a hierarchy on
    the distribution side, with procurers who source merchandise and smuggle it
    into each region; sellers who divide the smuggled goods into portions sized
    for individual transactions, and sellers, whose "product" is just a set of
    locations and secret words that they give to buyers.

    The hierarchy creates the need for auditing and traitor-tracing to prevent
    the different layers from ripping each other off. Dead drops are randomly
    audited and audits are verified by reporting on the contents of unique
    printed codes that accompany each drop. Distributors post cryptocurrency
    "security" (bonds) with sellers and lose their deposits when their dead
    drops fail.

    In a fascinating paper on the rise of these "dropgangs," Jonathan "smuggler"
    Logan identifies some key weaknesses in the scheme, including the
    persistence of trackable coins being spent by buyers at the end of the
    transaction (dropgang members are more likely to adopt private coins than
    buyers); and the lack of the buyer-and-seller reputation systems that the
    dark markets provide.

    Logan proposes that this can be resolved with "proofs of sale" that would be
    published on public forums, which increases the risk from law enforcement.

    Logan also proposes that ultrasonic chirps may replace Bluetooth beacons,
    with per-drop codephrases doing a call-and-response to help buyers home in
    on their purchases.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:27:24 -0500
    From: ACM TechNews <technew...@acm.org>
    Subject: A Simple Bug Makes It Easy to Spoof Google Search Results into
    Spreading Misinformation (Zack Whittaker)

    Zack Whittaker, TechCrunch, 09 Jan 2019 via ACM TechNews, 14 Jan 2019

    A bug discovered in Google by security researcher Wietze Beukema can be
    exploited to generate misinformation by distributing rigged search
    results. Beukema said values from a Google search result's "knowledge graph"
    can be spliced together to spread false information, because the shareable
    URL entered into a search result can be segmented and added to the Web
    address of any other search query. A malefactor can easily put the contents
    of a knowledge card within a search result; the rigged query does not break
    HTTPS, so anyone can craft a link, send it in an email or tweet, or share it
    on Facebook without arousing the recipient's suspicions. Beukema said anyone
    can "generate normal-looking Google URLs that make controversial
    assertions," which can "either look bad on Google, or worse, people will
    accept them as being true." He also said his report of the bug to Google in
    December was closed with the company taking no corrective action.

    https://orange.hosting.lsoft.com/trk/click%3Fref%3Dznwrbbrs9_6-1deb4x2197c8x069056%26

    ------------------------------

    Date: Mon, 14 Jan 2019 20:12:41 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Pilot project demos credit cards with shifting CVV codes to stop fraud
    (Ars Technica)

    https://arstechnica.com/information-technology/2018/12/pnc-bank-testing-dynamic-cvv-codes-to-combat-online-card-fraud/

    ------------------------------

    Date: Wed, 16 Jan 2019 17:38:23 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Veterans of the News Business Are Now Fighting Fakes (NYTimes)

    https://www.nytimes.com/2019/01/16/business/media/media-steve-brill-fake-news.html

    After raising $6 million, the start-up NewsGuard, co-founded by Steve Brill,
    has signed Microsoft as its first major client. The main goal: to combat the
    spread of false stories on the Internet.

    ------------------------------

    Date: Sun, 13 Jan 2019 07:59:30 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: When Chinese hackers declared war on the rest of us
    (MIT TechReview)

    via NNSquad
    https://www.technologyreview.com/s/612638/when-chinese-hackers-declared-war-on-the-rest-of-us/

    Many thought the Internet would bring democracy to China. Instead, it
    empowered rampant government oppression, and now the censors are turning
    their attention to the rest of the world.

    ------------------------------

    Date: Sun, 13 Jan 2019 18:07:01 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: 200 million Chinese resumes leak in huge database breach
    (TheNextWeb)

    via NNSquad

    Last night, HackenProof published a report stating that a database
    containing resumes of over 200 million job seekers in China was exposed
    last month. The leaked info included not just the name and working
    experience of people, but also their mobile phone number, email, marriage
    status, children, politics, height, weight, driver license, and literacy
    level as well.

    https://thenextweb.com/security/2019/01/11/200-million-chinese-resumes-leak-in-huge-database-breach/

    ------------------------------

    Date: Thu, 17 Jan 2019 13:59:29 -0500
    From: =?utf-8?Q?Jos=C3=A9=20Mar=C3=ADa=20Mateos?= <ch...@rinzewind.org>
    Subject: North Korean hackers infiltrate Chile's ATM network after Skype job
    interview (ZDNet)

    [Don't know why the headline highlights the Skype job interview. I think
    the meat is a few paragraphs in:]

    According to reporters, the source of the hack was identified as a LinkedIn
    ad for a developer position at another company to which one of the Redbanc
    employees applied.

    The hiring company, believed to be a front for the Lazarus Group operators
    who realized they baited a big fish, approached the Redbanc employee for an
    interview, which they conducted in Spanish via a Skype call.

    trendTIC reports that during this interview, the Redbanc employee was asked
    to download, install, and run a file named ApplicationPDF.exe, a program
    that would help with the recruitment process and generate a standard
    application form.

    But according to an analysis of this executable by Vitali Kremez, Director
    of Research at Flashpoint, the file downloaded and installed PowerRatankba,
    a malware strain previously linked to Lazarus Group hacks, according to a
    Proofpoint report published in December 2017.

    https://www.zdnet.com/article/north-korean-hackers-infiltrate-chiles-atm-network-after-skype-job-interview/

    ------------------------------

    Date: Fri, 11 Jan 2019 17:33:22 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Chinese Internet censors turn attention to rest of world
    (MIT Tech Review)

    When Chinese hackers declared war on the rest of us

    Many thought the Internet would bring democracy to China. Instead it
    empowered rampant government oppression, and now the censors are turning
    their attention to the rest of the world.

    EXCERPT:

    Late one Wednesday in March 2015, an alarm sounded in the offices of GitHub,
    a San Francisco-based software firm. The company's offices exemplified the
    kind of Scandinavia-meets-soullessness style that has spread out from
    Silicon Valley to take over modern workplaces: exposed wood, open spaces,
    and lots of natural light. Most employees were preparing to leave, if they
    hadn't already. Outside, the sun had started to set and it was balmy and
    clear.

    Alarms weren't uncommon at GitHub. The company claims to maintain the
    largest repository of computer code in the world. It had some 14 million
    users at the time, and prides itself on maintaining its service and staying
    online. GitHub's core product is a set of editing tools that allow large
    numbers of programmers to collaborate on software and keep track of changes
    as bugs are fixed. In October 2018, Microsoft would buy it for $7.5 billion.

    Back in 2015, though, GitHub was still an up-and-coming, independent
    company whose success came from making it considerably easier for other
    people to create computer software. The first alarm indicated there was a
    large amount of incoming traffic to several projects stored on GitHub. This
    could be innocent -- maybe a company had just launched a big new update --
    or something more sinister. Depending on how the traffic was clustered,
    more alarms would sound if the sudden influx was impacting service
    sitewide. The alarms sounded. GitHub was being DDoS-ed.

    One of the most frequent causes of any website going down is a sharp spike
    in traffic. Servers get overwhelmed with requests, causing them to crash or
    slow to a torturous grind. Sometimes this happens simply because the website
    suddenly becomes popular. Other times, as in a distributed denial of service
    (DDoS) attack, the spike is maliciously engineered. In recent years, such
    attacks have grown more common: hackers have taken to infecting large
    numbers of computers with viruses, which they then use to take control of
    the computers, enlisting them in the DDoS attack.

    In the company's internal chat room, GitHub engineers realized they would be
    tackling the attack *for some time*. As the hours stretched into days, it
    became something of a competition between the GitHub engineers and whoever
    was on the other end of the attack. Working long, frantic shifts, the team
    didn't have much time to speculate about the attackers' identity. As rumors
    abounded online, GitHub would only say, ``We believe the intent of this
    attack is to convince us to remove a specific class of content.'' About a
    20-minute drive away, across San Francisco Bay, Nicholas Weaver thought he
    knew the culprit: China. ``We are currently experiencing the largest DDoS
    attack in GitHub's history,'' senior developer Jesse Newland wrote in a blog
    post almost 24 hours after the attack had begun. Over the next five days, as
    engineers spent 120 hours combating the attack, GitHub went down nine
    times. It was like a hydra: every time the team thought they had a handle on
    it, the attack adapted and redoubled its efforts. GitHub wouldn't comment on
    the record, but a team member who spoke to me anonymously said it was ``very
    obvious that this was something we'd never seen before.''

    Weaver is a network-security expert at the International Computer Science
    Institute, a research center in Berkeley, California. Together with other
    researchers, he helped pinpoint the targets of the attack: two GitHub-hosted
    projects connected to GreatFire.org, a China-based anti-censorship
    organization. The two projects enabled users in China to visit both
    GreatFire's website and the Chinese-language version of *The New York Times*,
    both of which are normally inaccessible to users in China. GreatFire,
    dubbed a foreign anti-Chinese organization by the Cyberspace Administration
    of China, had long been a target of DDoS and hacking attacks, which is why
    it moved some of its services to GitHub, where they were nominally out of
    harm's way.

    ``Whoever was controlling the Great Cannon would use it to selectively
    insert malicious JavaScript code into search queries and advertisements
    served by Baidu, a popular Chinese search engine. That code then directed
    enormous amounts of traffic to the cannon's targets.'' By sending a number
    of requests to the servers from which the Great Cannon was directing
    traffic, the researchers were able to piece together how it behaved and gain
    insight into its inner workings. The cannon could also be used for other
    malware attacks besides denial-of-service attacks. It was a powerful new
    tool: ``Deploying the Great Cannon is a major shift in tactics, and has a
    highly visible impact,'' Weaver and his coauthors wrote... Weaver found
    something new and worrisome when he examined the attack. In a paper
    coauthored with researchers at Citizen Lab, an activist and research group
    at the University of Toronto, Weaver described a new Chinese cyberweapon
    that he dubbed the `Great Cannon'
    (https://citizenlab.ca/2015/04/chinas-great-cannon/). The Great Firewall
    -- an elaborate scheme of
    interrelated technologies for censoring Internet content coming from outside
    China -- was already well-known. Weaver and the Citizen Lab researchers
    found that not only was China blocking bits and bytes of data that were
    trying to make their way into China, but it was also channeling the flow of
    data out of China. [...]

    MIT Tech Review
    https://www.TechnologyReview.com/s/612638/when-chinese-hackers-declared-war-on-the-rest-of-us/

    ------------------------------

    Date: Sun, 13 Jan 2019 14:54:50 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: State-backed Hackers Sought and Stole Singapore Leader's Medical
    Data (WSJ)

    Unprecedented breach led to theft of personal details of a quarter of the
    city-state's population, inquiry finds

    https://www.wsj.com/articles/state-backed-hackers-sought-and-stole-singapore-leaders-medical-data-11547109852

    ------------------------------

    Date: Sun, 13 Jan 2019 23:22:34 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Man gets 10 years for cyberattack on Boston Children's Hospital
    (BostonGlobe)

    https://www.boston.com/news/local-news/2019/01/11/martin-gottesfeld-boston-childrens-hospital

    ------------------------------

    Date: Mon, 14 Jan 2019 11:34:56 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: The Danger of Calling Out Cyberattackers (Bloomberg)

    "A bizarre $100 million lawsuit shows that companies can be collateral
    damage when governments publicly blame other countries for hacks."

    https://www.bloomberg.com/opinion/articles/2019-01-11/mondelez-lawsuit-shows-the-dangers-of-attributing-cyberattacks

    ------------------------------

    Date: Sun, 13 Jan 2019 09:22:22 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: How a little-known Democratic firm cashed in on the wave of midterm
    money (WashPost)

    D.C.-based Mothership Strategies rose in four years to become one of the
    top-paid consulting firms of the fall elections.

    https://www.washingtonpost.com/politics/how-a-little-known-democratic-firm-cashed-in-on-the-wave-of-midterm-money/2019/01/08/f91b04bc-fef5-11e8-862a-b6a6f3ce8199_story.html

    ------------------------------

    Date: Sun, 13 Jan 2019 11:03:47 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Deepak Chopra has a prescription for what ails technology (WashPost)

    https://www.washingtonpost.com/technology/2019/01/10/deepak-chopra-has-prescription-what-ails-technology

    "Chopra's prescription for what ails technology is more technology, just
    used in a different way. It goes way beyond meditation apps."

    The hackneyed aphorism that "more is better" should be replaced by an
    admonition to "close the wallet, turn off, and get some rest."

    Sliding sales resonate louder with any for-profit entity than Chopra's
    enunciation.

    ------------------------------

    Date: Mon, 14 Jan 2019 10:34:06 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: GoDaddy injecting site-breaking JavaScript into
    customer websites, here's a fix (TechRepublic)

    via NNSquad
    https://www.techrepublic.com/article/godaddy-injecting-site-breaking-javascript-into-customer-websites-heres-a-fix/

    Kromin notes that he is ``not against web host providers monitoring how
    their servers are running, [but that] Injecting JavaScript into pages
    being served is far from passive and ... a violation of trust between the
    web host and the customer.''

    ------------------------------

    Date: Sun, 13 Jan 2019 21:53:59 -0800
    From: Gene Wirchenko <ge...@telus.net>
    Subject: "How three rude iPhone users ruined an evening" (Chris Matyszczyk)

(Chris Matyszczyk, ZDnet, 13 Jan 2019)
    How three rude iPhone users ruined an evening
    Is it now entirely acceptable to play videos on your phone in public,
    full volume and without headphones? It seems to be.
    https://www.zdnet.com/article/how-three-rude-iphone-users-ruined-an-evening/

    ------------------------------

    Date: Sat, 12 Jan 2019 17:49:33 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Re: Escalating Value of iOS Bug Bounties Hits $2M Milestone
    (Goldberg, RISKS-31.02)

    "An Apple iOS remote jailbreak that can be achieved with no clicks required
    by the end user while maintaining persistence on the device, even after it
    is rebooted" implies a sinister payload.

    The rising zero-day price tag is apparently a good thing, no? Perhaps
    indicating that all the low-hanging, zero-day fruit have been harvested?

    Or, is it the case that the specific zero-day end-point breach path is so
    desirous that the purchaser will shell for exploit proof?

    Must be a high-priority target to specify a particular exploitation
    path. Apparently because it would be difficult to trace, detect or identify
    via a device's anti-virus or malware sniffing stack?

    Uncertain what constitutes "high-priority" in this case, unless Apple is
    expressing exploit curiosity existence, or investigations have reached an
    exploratory impasse.

    As a BS guess to achieve this exploit:

    Using either IMEI/MAC identifiers, or a target telephone number, a live
    device's network stack (TCP/IP or telecom signaling system) would probably
    have to initiate an exec(2) or invoke a signal handler to load a sibling
    payload from a known buffer address that's been force-fed into and written
    to the file system. How to achieve this without invoking a dynamic link
    loader is a mystery to me. This file then can be reloaded/initiated through
some follow-up protocol signal to effectively su(1) on the smellphone.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.03
    ************************
     
  15. LakeGator

    Risks Digest 31.04

    RISKS List Owner

    Jan 28, 2019 3:24 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 28 January 2019 Volume 31 : Issue 04

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.04>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    If 5G Is So Important, Why Isn't It Secure? (Henry Baker on NYT item)
    Everybody Does It: The Messy Truth About Infiltrating Computer Supply
    Chains (The Intercept)
    Digital Assistants Inside Cars Raise Serious Privacy Concerns (Fortune)
    Toilet seat sensor tracks blood pressure, stroke volume, blood oxygenation
    (MobiHealthNews)
    The Hidden Automation Agenda of the Davos Elite (NYT)
    Prepare for the Smart Home Fitness Revolution (WIRED)
    The Prime Challenges for Scout, Amazon's New Delivery Robot (Gabe Goldberg)
    Why Uber wants to build scooters and bikes that can drive themselves
    (Ars Technica)
    "Our worst fears have come true," VW Group exec wrote to Audi exec. (Ars)
    The World Economy Runs on GPS. It Needs a Backup Plan (Bloomberg)
    Runner found to be a hitman after GPS Watch ties him to crime scene
    (Runner's World)
    Buy Bitcoin at the Grocery Store via Coinstar (Fortune)
    The Internet of human things: Implants for everybody and how we get there
    (ZDNet)
    Drone activity halts air traffic at Newark Liberty International (WashPo)
    How Volunteers for India's Ruling Party Are Using WhatsApp to Fuel
    Fake News Ahead of Elections (Time)
    Family says hacked Nest camera warned them of North Korean missile attack
    (WashPost)
    GoDaddy weakness let bomb threat scammers hijack thousands of big-name
    domains (Ars Technica)
    Google ordered to submit search index to state sponsorship in Russia
    (SearchEngineLand)
    Why Hackers Had Thousands of DNA Tests Delivered to Random People
    Over the Holidays (Fortune)
    The Duty to Read the Unreadable (Monty Solomon)
    Amazon software works best on white men, study says (WashPost)
    Risks of Deepfake videos (Geoff Goodfellow)
    Here's how you can stay clear of online scams (CNET)
    Data Broker That Sold Phone Locations Used by Bounty Hunters Lobbied FCC
    to Scrap User Consent (Motherboard)
    Researchers discover state actor's mobile malware efforts because of YOLO
    OPSEC (Ars Technica)
    1000 Vulnerable Cranes (Trendmicro via Henry Baker)
    When your landlord installs smart locks (José María Mateos)
    Hundreds of popular cars at risk from key compromise (BBC)
    Coming Soon to a Police Station Near You: The DNA 'Magic Box' (NYT)
    An IoT security mailing list (Firemountain via JMM)
    Japan to regulate foreign companies use of e-mail content (Mark Thorson)
    Facebook "real names" policy forces you to sign up with a fake name
    (Neil Youngman)
    Reaction to the #10YearChallenge circulating on Facebook: Nope.
    (Gabe Goldberg)
    How Reserved Storage Works in the Next Version of Windows 10 (MS)
    Security, Compliance Add-Ons Offered to Microsoft 365 Users (GG)
    How Reserved Storage Works in the Next Version of Windows 10 (MS via GG)
    US Patent for Drone delivery of coffee based on a cognitive state (GG)
    Did Australia Hurt Phone Security Around the World? (NYTimes)
    Location-Based Little Brothers (Henry Baker)
    How We Destroy Lives Today (NYTimes)
    Covington and the Pundit Apocalypse (NYTimes)
    Re: A Simple Bug Makes It Easy to Spoof Google Search Results (Vint Cerf)
    Re: How three rude iPhone users ruined an evening (Henry Baker)
    Cyber Security Hall of Fame Nominations now open (Spaf)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 21 Jan 2019 09:54:06 -0800
    From: Henry Baker <hba...@pipeline.com>
    Subject: If 5G Is So Important, Why Isn't It Secure?

    The network must be secure enough for the innovations it promises.
    https://www.nytimes.com/2019/01/21/opinion/5g-cybersecurity-china.html

    While I'm not so wild about some of Wheeler's detailed recommendations,
    he's correct that security should be a paramount goal for 5G.

    Some quotes from this article and referenced reports:

    "When 5G enables autonomous vehicles, do we want those cars and trucks
    crashing into each other because the Russians hacked the network?"

    "If 5G will be the backbone of breakthroughs such as remote surgery, should
    that network be vulnerable to the North Koreans breaking into a surgical
    procedure?"

    "Make the Internet safe and secure for the functioning of Government and
    critical services for the American people."

    "5G Communications and other next generation networks designed and
    architected at the outset with enhanced security, connectivity, and
    availability."

    "Decades of well-intentioned but disjointed activities have made the
    Internet progressively less safe for the critical services which depend upon
    it."

    "Embrace a 'secure to market' over a 'first to market' mentality"

    "Unfortunately, relying on market forces alone fails to adequately
    weigh the risks imposed on third parties who rely on the networks and
    services they provision."

    "Problems known as 'market failures' can discourage investment and
    contribute to the insecurity of the critical communications network."

    "Because of negative externalities (third parties affected by insecure IoT),
    the private sector may not have sufficient incentives to invest in
    cybersecurity beyond their own corporate interests."

    "5G will enable a massive expansion of IoT endpoints that lack the
    processing power and memory needed for robust security protections.
    Fortunately, 5G is at an early phase in its development and, if security is
    designed in, it may be able to mitigate the cyber risk from these IoT
    endpoints."

    "Firms make decisions that strike a balance between the costs and benefits
    of cybersecurity investments for themselves. But they do not consider the
    additional benefit to the public at large of investing in cybersecurity.
    The result is a gap in cybersecurity preparedness that the market, on its
    own, is unlikely to fill."

    "The attack surface offered by the IoT is growing rapidly, calling for
    concerted effort to improve security. Multiple network providers are
    impacted by the IoT, rendering a consistent response difficult. In
    addition, the multiplicity of price-competitive vendors hinders concerted
    efforts to build in voluntary security by design into the IoT."

    More:

    The Trump administration's so-called "race" with China to build new
    fifth-generation (5G) wireless networks is speeding toward a network
    vulnerable to Chinese (and other) cyberattacks. ... We cannot allow the hype
    about 5G to overshadow the absolute necessity that it be secure. [...]

    Leadership in 5G technology is not just about building a network, but also
    about whether that network will be secure enough for the innovations it
    promises. And the 5G "race" is more complex and dangerous than industry and
    the Trump administration portray. When 5G enables autonomous vehicles, do
    we want those cars and trucks crashing into each other because the Russians
    hacked the network? If 5G will be the backbone of breakthroughs such as
    remote surgery, should that network be vulnerable to the North Koreans
    breaking into a surgical procedure? ... Nowhere in the president's
    directive, for instance, was there a word about protecting the cybersecurity
    of the new network.

    As the President's National Security Telecommunications Advisory Committee
    told him in November, "the cybersecurity threat now poses an existential
    threat to the future of the Nation." Last January, the brightest technical
    minds in the intelligence community, working with the White House National
    Security Council (NSC), warned of the 5G cybersecurity threat. ...

    https://www.dhs.gov/sites/default/files/publications/DRAFT NSTAC_ReportToThePresidentOnACybersecurityMoonshot_508c.pdf

    ... Shortly after taking office, the Trump FCC removed a requirement
    imposed by the Obama FCC that the 5G technical standard must be designed
    from the outset to withstand cyberattacks. For the first time in history,
    cybersecurity was being required as a forethought in the design of a new
    network standard -- until the Trump FCC repealed it. The Trump FCC also
    canceled a formal inquiry seeking input from the country's best technical
    minds about 5G security, retracted an Obama-era FCC white paper about
    reducing cyberthreats, and questioned whether the agency had any
    responsibility for the cybersecurity of the networks they are entrusted with
    overseeing.

    https://docs.fcc.gov/public/attachments/DOC-343096A1.pdf

    The simple fact is that our wireless networks are not as secure as they
    could be because they weren't designed to withstand the kinds of
    cyberattacks that are now common. ...

    ------------------------------

    Date: Sat, 26 Jan 2019 15:09:28 -0500
    From: José María Mateos <ch...@rinzewind.org>
    Subject: Everybody Does It: The Messy Truth About Infiltrating Computer
    Supply Chains (The Intercept)

    https://theintercept.com/2019/01/24/computer-supply-chain-attacks/

From the article:

    In October, Bloomberg Businessweek published an alarming story: Operatives
    working for China’s People’s Liberation Army had secretly implanted
    microchips into motherboards made in China and sold by U.S.-based
    Supermicro. This allegedly gave Chinese spies clandestine access to servers
    belonging to over 30 American companies, including Apple, Amazon, and
    various government suppliers, in an operation known as a “supply chain
    attack,” in which malicious hardware or software is inserted into products
    before they are shipped to surveillance targets.

    [...] But while Bloomberg's story may well be completely (or partly) wrong,
    the danger of China compromising hardware supply chains is very real,
    judging from classified intelligence documents. U.S. spy agencies were
    warned about the threat in stark terms nearly a decade ago and even assessed
    that China was adept at corrupting the software bundled closest to a
    computer’s hardware at the factory, threatening some of the U.S.
    government's most sensitive machines, according to documents provided by
    National Security Agency whistleblower Edward Snowden. The documents also
    detail how the U.S. and its allies have themselves systematically targeted
    and subverted tech supply chains, with the NSA conducting its own such
    operations, including in China, in partnership with the CIA and other
    intelligence agencies. The documents also disclose supply chain operations
    by German and French intelligence.

    ------------------------------

    Date: Sat, 26 Jan 2019 18:30:14 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Digital Assistants Inside Cars Raise Serious Privacy Concerns
    (Fortune)

    Currently automakers say they get customer permission before they use the
    individual data they collect for marketing or share it with third
    parties. Volvo said in a statement that its technology ``takes full account
    of legal, security, and privacy obligations on a global scale'' and complies
    with a European Union law that lets residents control how their personal
    data is shared.

    An Amazon spokesman says that the company merely shares ``anonymized,
    aggregated performance data to help automakers improve the customer
    experience'' and that it doesn’t provide personally identifiable information
    to car companies or developers.

    BMW shares the data it collects but says it doesn’t make money from it
    directly. “Let’s say the person is listening to certain music, and we know
    there’s a big concert,” says Dieter May, senior vice president of digital
    products for BMW. “Then we would probably give that to our salespeople to
    make an offer for a special ticket.”

    But even as governments and corporations begin to address security
    questions, it’s unclear who will control the data that is collected.

    http://fortune.com/2019/01/24/the-spy-inside-your-car/

    Hey, Siri -- what could go wrong?

    I'm sorry Dave, I can't answer that.

    ------------------------------

    Date: Wed, 23 Jan 2019 00:51:58 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Toilet seat sensor tracks blood pressure, stroke volume, blood
    oxygenation (MobiHealthNews)

    A recently published study found the toilet seat's readings to align with
    those measured through more conventional means.

    https://www.mobihealthnews.com/content/toilet-seat-sensor-tracks-blood-pressure-stroke-volume-blood-oxygenation

    Risks? Privacy, multi-person households, guests...

    ------------------------------

    Date: Sun, 27 Jan 2019 20:22:25 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: The Hidden Automation Agenda of the Davos Elite (NYT)

    *This year's World Economic Forum in Davos, Switzerland, where business
    leaders' public positions on automation's impact on workers did not match
    the views they shared privately.*

    EXCERPT:

    They'll never admit it in public, but many of your bosses want machines to
    replace you as soon as possible.

    I know this because, for the past week, I've been mingling with corporate
    executives at the World Economic Forum's annual meeting in Davos. And I've
    noticed that their answers to questions about automation depend very much
    on who is listening.

    In public, many executives wring their hands over the negative consequences
    that artificial intelligence and automation could have for workers. They
    take part in panel discussions about building `human-centered AI' for the
    ``Fourth Industrial Revolution'' -- Davos-speak for the corporate adoption
    of machine learning and other advanced technology -- and talk about the need
    to provide a safety net for people who lose their jobs as a result of
    automation.

    But in private settings, including meetings with the leaders of the many
    consulting and technology firms whose pop-up storefronts line the Davos
    Promenade, these executives tell a different story: They are racing to
    automate their own work forces to stay ahead of the competition, with
    little regard for the impact on workers.

    All over the world, executives are spending billions of dollars to
    transform their businesses into lean, digitized, highly automated
    operations. They crave the fat profit margins automation can deliver, and
    they see AI as a golden ticket to savings, perhaps by letting them
    whittle departments with thousands of workers down to just a few dozen.

    ``People are looking to achieve very big numbers,'' said Mohit Joshi, the
    president of Infosys, a technology and consulting firm that helps other
    businesses automate their operations. ``Earlier they had incremental, 5 to
    10 percent goals in reducing their work force. Now they're saying, `Why
    can't we do it with 1 percent of the people we have?' ''

    Few American executives will admit wanting to get rid of human workers, a
    taboo in today's age of inequality. So they've come up with a long list of
    buzzwords and euphemisms to disguise their intent. Workers aren't being
    replaced by machines, they're being `released' from onerous, repetitive
    tasks. Companies aren't laying off workers, they're ``undergoing digital
    transformation.''

    A 2017 survey by Deloitte found that 53 percent of companies had already
    started to use machines to perform tasks previously done by humans. The
    figure is expected to climb to 72 percent by next year.

    The corporate elite's AI obsession has been lucrative for firms that
    specialize in `robotic process automation', or RPA. Infosys, which is based
    in India, reported a 33 percent increase in year-over-year revenue in its
    digital division. IBM's ``cognitive solutions'' unit, which uses AI to help
    businesses increase efficiency, has become the company's second-largest
    division, posting $5.5 billion in revenue last quarter. The investment bank
    UBS projects that the artificial intelligence industry could be worth as
    much as $180 billion by next year.

    Kai-Fu Lee, the author of `AI Superpowers' and a longtime technology
    executive, predicts that artificial intelligence will eliminate 40 percent
    of the world's jobs within 15 years. In an interview, he said that chief
    executives were under enormous pressure from shareholders and boards to
    maximize short-term profits, and that the rapid shift toward automation was
    the inevitable result.

[Photo caption: The Milwaukee offices of the Taiwanese electronics maker
Foxconn, whose chairman has said he plans to replace 80 percent of the
company's workers with robots in five to 10 years.]

``They always say it's more than the stock price. But in the end, if you
screw up, you get fired.''

    Other experts have predicted that AI will create more new jobs than it
    destroys, and that job losses caused by automation will probably not be
    catastrophic. They point out that some automation helps workers by improving
    productivity and freeing them to focus on creative tasks over routine ones.

    But at a time of political unrest and anti-elite movements on the
    progressive left and the nationalist right, it's probably not surprising
    that all of this automation is happening quietly, out of public view. In
    Davos this week, several executives declined to say how much money they had
    saved by automating jobs previously done by humans. And none were willing
    to say publicly that replacing human workers is their ultimate goal.

    ``That's the great dichotomy,'' said Ben Pring, the director of the Center
    for the Future of Work at Cognizant, a technology services firm. ``On one
    hand,'' he said, profit-minded executives ``absolutely want to automate as
    much as they can. On the other hand, they're facing a backlash in civic
    society.''

    For an unvarnished view of how some American leaders talk about automation
    in private, you have to listen to their counterparts in Asia, who often make
    no attempt to hide their aims. Terry Gou, the chairman of the Taiwanese
    electronics manufacturer Foxconn, has said the company plans to replace 80
    percent of its workers with robots in the next five to 10 years. Richard
    Liu, the founder of the Chinese e-commerce company JD.com, said at a
    business conference last year that ``I hope my company would be 100 percent
    automation someday.''

    One common argument made by executives is that workers whose jobs are
    eliminated by automation can be `reskilled' to perform other jobs in an
    organization. They offer examples like Accenture, which claimed in 2017 to
    have replaced 17,000 back-office processing jobs without layoffs, by
    training employees to work elsewhere in the company. In a letter to
    shareholders last year, Jeff Bezos, Amazon's chief executive, said that more
    than 16,000 Amazon warehouse workers had received training in high-demand
    fields like nursing and aircraft mechanics, with the company covering 95
    percent of their expenses. [...]

    https://www.nytimes.com/2019/01/25/technology/automation-davos-world-economic-forum.html

    ------------------------------

    Date: Thu, 17 Jan 2019 18:17:48 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Prepare for the Smart Home Fitness Revolution (WIRED)

    Connected fitness started out with apps, says Tonal founder and CEO Aly
    Orady. ``Then we went to trackers, and then connected cardio equipment.
    We’re focused on the next layer, and that’s intelligence.''

    These devices also simulate a sense of togetherness you can’t get from a
    video. Hop on the Peloton bike and you’re not just slogging through a
    workout, you’re joining a full-fledged party led by Alex or Cody or Jenn.
    One of them might ask a DJ to play records during their spin class. Another
    might wish you a happy birthday, or even send you a bouquet of flowers if
    you mention the recent passing of a loved one. (Yes, that actually
    happened.)

    Forget wearables. The next wave of exercise tech includes home fitness
    machines that respond directly to you.

    https://www.wired.com/story/smart-home-fitness-revolution/

    The risk? Mistaking technology for intelligence?

    ------------------------------

    Date: Thu, 24 Jan 2019 19:49:12 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Prime Challenges for Scout, Amazon's New Delivery Robot

    No matter who you ask, the near-future of delivery seems to involve fleets
    of robots shuffling packages from stores, down sidewalks, and onto
    doorsteps. Robots will lug grocery bags
<https://www.wired.com/story/nuro-grocery-delivery-robot/> from market to
kitchen; they'll begin to replace humans delivering take-out
<https://www.wired.com/story/postmates-delivery-robot-serve/> and dropping
    off parcels. And soon, your Amazon Prime packages may show up courtesy of
    Scout, Amazon's new six-wheeled autonomous delivery robot built to withstand
    the sidewalk.

    https://www.wired.com/story/amazon-new-delivery-robot-scout/

I'm in a DC suburb (VA) with spotty/inconsistent sidewalks. Is that a bigger
or smaller risk than cities with fun-loving teenagers? Article didn't say
    what defensive weapons these things carry, whether they're self-righting if
    tipped over, and if they can signal distress.

    ------------------------------

    Date: Wed, 23 Jan 2019 00:47:55 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Why Uber wants to build scooters and bikes that can drive
    themselves (Ars Technica)

    Uber is looking to hire people to help it develop autonomous scooter and
    bike technology, according to Wired-editor-turned-robotics-entrepreneur
    Chris Anderson. The goal would be to allow bikes and scooters to "drive
    themselves to charging or better locations." People interested in joining
    the project can fill out this form
<http://t.uber.com/micromobility_robotics>.

    https://arstechnica.com/cars/2019/01/uber-wants-bicycles-and-scooters-that-can-drive-themselves-to-recharge/

    The risks? If you have to ask...

    ------------------------------

    Date: Mon, 21 Jan 2019 19:44:13 -0800
    From: Monty Solomon <mo...@roscom.com>
    Subject: "Our worst fears have come true," VW Group exec wrote to Audi exec.

    Four Audi executives were indicted on Thursday.

    http://arstechnica.com/tech-policy/2019/01/need-for-a-large-trunk-and-a-high-end-sound-system-pushed-audi-to-cheat/

    ------------------------------

    Date: Sun, 20 Jan 2019 00:42:47 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The World Economy Runs on GPS. It Needs a Backup Plan (Bloomberg)

    https://www.bloomberg.com/news/features/2018-07-25/the-world-economy-runs-on-gps-it-needs-a-backup-plan

    ------------------------------

    Date: Fri, 18 Jan 2019 20:36:22 -0800
    From: Tim Lavoie <tim.l...@gmail.com>
    Subject: Runner found to be a hitman after GPS Watch ties him to crime scene
    (Runner's World)

    https://www.runnersworld.com/uk/news/a25945315/mark-fellows-runner-hitman-murder/

    ------------------------------

    Date: Fri, 18 Jan 2019 16:50:44 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Buy Bitcoin at the Grocery Store via Coinstar (Fortune)

    Don’t count on using spare quarters, dimes and pennies in this case, though.
    Bitcoin via Coinstar can only be purchased with paper money (as much as
    $2,500). Investors will go to one of the company's participating machines
    and select the `Buy Bitcoin' option on the screen, entering their phone
    number.

    http://fortune.com/2019/01/18/buy-bitcoin-grocery-store-coinstar/

    Right next to lottery ticket vending machines.

    Coming next? Cash lottery winnings out as bitcoin?

    ------------------------------

    Date: Sun, 27 Jan 2019 23:36:38 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Internet of human things: Implants for everybody and how we get
    there (ZDNet)

    For most adults, I do not see more than basic data stored on an implant
    itself -- it would be a serial number/unique ID, which would be linked to
    the cloud provider, where encrypted user information would be stored or
    federated. This virtual wallet would contain credit cards, virtual ID cards
    for health insurance, corporate IDs, licenses, and permits.

    https://www.zdnet.com/article/the-internet-of-human-things-implants-for-everybody-and-how-we-get-there/

    What could go wrong?

    ------------------------------

    Date: Wed, 23 Jan 2019 02:05:24 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Drone activity halts air traffic at Newark Liberty International

    A spokesman for the Federal Aviation Administration said that two drones
    were spotted near Teterboro Airport.

    https://www.washingtonpost.com/transportation/2019/01/22/drone-activity-halts-air-traffic-newark-liberty-international-airport/

    ------------------------------

    Date: Sun, 27 Jan 2019 12:42:14 -0500
    From: José María Mateos <ch...@rinzewind.org>
    Subject: How Volunteers for India's Ruling Party Are Using WhatsApp to Fuel
    Fake News Ahead of Elections

    http://time.com/5512032/whatsapp-india-election-2019/

From the article:

    Ahead of national elections in April and May, India's political parties are
    pouring money into creating hundreds of thousands of WhatsApp group chats to
    spread political messages and memes. Prime Minister Narendra Modi’s ruling
    Bharatiya Janata Party (BJP) has drawn up plans to have three WhatsApp
    groups for each of India's 927,533 polling booths, according to
    reports. With each group containing a maximum of 256 members, that number of
    group chats could theoretically reach more than 700 million people out of
    India's population of 1.3 billion.

    [...] [A]ccording to researchers, as well as screenshots of group chats from
    as recently as January seen by TIME, these WhatsApp group chats frequently
    contain and disseminate false information and hateful rhetoric, much of
    which comes from forwarded messages. Experts say the Hindu nationalist BJP
    is fueling this trend, although opposition parties are using the same
    tactics.

    ------------------------------

    Date: Wed, 23 Jan 2019 02:03:34 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Family says hacked Nest camera warned them of North Korean missile
    attack

    The hack may have been the result of a compromised password.

    https://www.washingtonpost.com/technology/2019/01/23/family-says-hacked-nest-camera-warned-them-north-korean-missile-attack/

    ------------------------------

    Date: Wed, 23 Jan 2019 02:39:47 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: GoDaddy weakness let bomb threat scammers hijack thousands of
    big-name domains

    https://arstechnica.com/information-technology/2019/01/godaddy-weakness-let-bomb-threat-scammers-hijack-thousands-of-big-name-domains/

    ------------------------------

    Date: Wed, 16 Jan 2019 11:32:32 -0800
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Google ordered to submit search index to state sponsorship in
    Russia (SearchEngineLand)

    via NNSquad
    https://searchengineland.com/google-ordered-to-submit-search-index-to-state-sponsorship-in-russia-310533

    Russian information agency Roskomnadzor is requiring Google and Bing to
    subject their results to government censorship. (Yandex has reportedly
    already complied.) A law passed last year in the country mandates that
    search engine results be filtered through the federal state information
    system (FGIS). Russia increases Internet censorship. The new Russian
    situation is comparable to Chinese rules requiring Internet companies to
    censor results to block officially undesirable or threatening
    information. In addition to censoring online content, China is using
    Internet and mobile technology to spy on its citizens.

    ------------------------------

    Date: Sat, 19 Jan 2019 21:03:42 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Why Hackers Had Thousands of DNA Tests Delivered to Random People
    Over the Holidays (Fortune)

    http://fortune.com/2019/01/17/hackers-send-dna-test-kits/

    The risk? Complex scams leveraging business/marketing practices...

    ------------------------------

    Date: Sat, 26 Jan 2019 11:40:28 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: The Duty to Read the Unreadable

    https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3313837

    Abstract

    The duty to read doctrine is a well-recognized building block of U.S.
    contract law. Under this doctrine, contracting parties are held responsible
    for the written terms of their contract, whether or not they actually read
    them. The application of duty to read is especially interesting in the
    context of consumer contracts, which consumers generally do not read.

    Under U.S. law, courts routinely impose this doctrine on consumers. However,
    the application of this doctrine to consumer contracts is one-sided. While
    consumers are expected to read their contracts, suppliers are generally not
    required to offer readable contracts. This asymmetry creates a serious
    public policy challenge. Put simply, consumers might be expected to read
    contracts that are, in fact, rather unreadable. This, in turn, undermines
    market efficiency and raises fairness concerns.

    Numerous scholars have suggested that consumer contracts are indeed written
    in a way that dissuades consumers from reading them. This Article aims to
    empirically test whether this concern is justified. The Article focuses on
    the readability of an important and prevalent type of consumer agreements:
    the sign-in-wrap contract. Such contracts, which have already been the focal
    point of many legal battles, are routinely accepted by consumers when
    signing up for popular websites such as Facebook, Amazon, Uber, and Airbnb.

    The Article applies well-established linguistic readability tests to the 500
    most popular websites in the U.S. that use sign-in-wrap agreements. We find,
    among other things, that effectively reading these agreements requires, on
    average, more than 14.5 years of education. This result is troubling, given
    that the majority of U.S. adults read at an 8th-grade level. These empirical
    findings hence have significant implications for the design of consumer
    contract law.

    ------------------------------

    Date: Sun, 27 Jan 2019 23:31:33 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Amazon software works best on white men, study says (WashPost)

    The new research is raising concerns about how biased results could tarnish
    the artificial-intelligence technology's exploding use by police and in
    public venues, including airports and schools.

    https://www.washingtonpost.com/technology/2019/01/25/amazon-facial-identification-software-used-by-police-falls-short-tests-accuracy-bias-new-research-finds/

    ------------------------------

    Date: Sun, 27 Jan 2019 20:14:31 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Risks of Deepfake videos

    EXCERPTS:

    If you see a video of a politician speaking words he never would utter, or
    a Hollywood star improbably appearing in a cheap adult movie, don't adjust
    your television set -- you may just be witnessing the future of "fake news."

    "Deepfake" videos that manipulate reality are becoming more sophisticated
    due to advances in artificial intelligence, creating the potential for new
    kinds of misinformation with devastating consequences. As the technology
    advances, worries are growing about how deepfakes can be used for nefarious
    purposes by hackers or state actors.

    "We're not quite to the stage where we are seeing deepfakes weaponized, but
    that moment is coming," Robert Chesney, a University of Texas law professor
    who has researched the topic, told AFP. Chesney argues that deepfakes could
    add to the current turmoil over disinformation and influence operations. "A
    well-timed and thoughtfully scripted deepfake or series of deepfakes could
    tip an election, spark violence in a city primed for civil unrest, bolster
    insurgent narratives about an enemy's supposed atrocities, or exacerbate
    political divisions in a society," Chesney and University of Maryland
    professor Danielle Citron said in a blog post for the Council on Foreign
    Relations.

    Digital manipulation may be good for Hollywood but new "deepfake" techniques
    could create a new kind of misinformation, according to researchers. Paul
    Scharre, a senior fellow at the Center for a New American Security, a think
    tank specializing in AI and security issues, said it was almost inevitable
    that deepfakes would be used in upcoming elections.

    A fake video could be deployed to smear a candidate, Scharre said, or to
    enable people to deny actual events captured on authentic video.
    With believable fake videos in circulation, he added, "people can choose to
    believe whatever version or narrative that they want, and that's a real
    concern." [...]
    https://www.afp.com/en/news/717/misinformation-woes-could-multiply-deepfake-videos-doc-1cn3in2

    ------------------------------

    Date: Thu, 17 Jan 2019 14:51:21 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Here's how you can stay clear of online scams (CNET)

    [Scammers everywhere]

    CNET Magazine: Don't get fooled like he was.

    The story doesn't end here, because Hal said he never had an eBay
    account. It turns out, he'd been scammed too. In his case, it was by an
    online "girlfriend" he'd never met — not even through video chats. Hal was
    the unwitting victim of a well-known scheme to dupe people into forwarding
    items bought in their name outside the country.

    https://www.cnet.com/news/heres-how-you-can-stay-clear-of-online-scams/

    Scammers are creative. Of course, old scams still work too -- I just heard
    that friend-of-friend fell for "grandson kidnapped" routine -- had never
    heard of it. Was told to wrap $2000/$3000 in separate bundles, send via
    FedEx, did. Fortunately, her son -- a cop! -- was able to intercept the
    package.

    ------------------------------

    Date: Sun, 27 Jan 2019 16:09:12 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Data Broker That Sold Phone Locations Used by Bounty Hunters
    Lobbied FCC to Scrap User Consent - Motherboard

    Zumigo, which sold the location data of American cell phone users, wanted
    the FCC to remove requirements around user consent.

    Another slide adds, “We strongly believe that if consumers understood the
    vulnerabilities they face, and their carrier’s ability to help prevent it,
    they would want the carrier data to be shared in order to keep them safe.”

    https://motherboard.vice.com/en_us/article/vbwgw8/zumigo-phone-location-data-sold-lobbied-fcc-consent

    For our own good, yes.

    ------------------------------

    Date: Tue, 22 Jan 2019 09:36:54 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Researchers discover state actor's mobile malware efforts because
    of YOLO OPSEC (Ars Technica)

    *Ran malware on own phones as test, uploading all their WhatsApp messages,
    other data.*

    At the Shmoocon security conference here on January 19, two researchers from
    the mobile security provider Lookout revealed the first details of a mobile
    surveillance effort run by a yet-to-be-named state intelligence agency that
    they had discovered by exploring the command-and-control infrastructure
    behind a novel piece of mobile malware.

    In the process of exploring the malware's infrastructure, Lookout
    researchers found iOS, Android, and Windows versions of the malware, as well
    as data uploaded from a targeted phone's WhatsApp data. That phone turned
    out to be one that belonged to one of the state-backed surveillance efforts
    -- and the WhatsApp messages and other data found on the server provided a
    nearly full contact list for the actors and details of their interactions
    with commercial hacking companies and eventual decision to build their own
    malware. [...]

    https://arstechnica.com/information-technology/2019/01/researchers-discover-state-actors-mobile-malware-efforts-because-of-yolo-opsec/

    ------------------------------

    Date: Fri, 18 Jan 2019 07:11:41 -0800
    From: Henry Baker <hba...@pipeline.com>
    Subject: 1000 Vulnerable Cranes (

    It's easier to RF hack an industrial crane than to hack a garage door
    opener. $40-60 of RF parts gives you control.

    Recommendation: off-the-shelf open source protocols rather than proprietary
    roll-your-own "security through obscurity" protocols. But you already knew
    that.

    Here are some selected paragraphs from a recent report.

    https://documents.trendmicro.com/assets/white_papers/wp-a-security-analysis-of-radio-remote-controllers.pdf

    A Security Analysis of Radio Remote Controllers for Industrial Applications

    Our research shows that there is a discrepancy between the consumer and
    industrial worlds. In the consumer world, the perceived risks have pushed
    the vendors to find reasonably secure, albeit imperfect, solutions such as
    rolling codes. In the industrial world, where the assets at risk are much
    more valuable than a fancy house or car, there seems to be less awareness.

    By exploiting various vulnerabilities that we discovered, we were able to
    move full-sized cranes deployed in production at construction sites,
    factories, and transportation businesses. In all of the cases, we were able
    to confirm and run the attacks very quickly. In each of the cases, we were
    able to switch on the controlled industrial machine even after the operator
    had issued an e-stop, which put the machine in a "stop" state.

    Apart from leaked schematics, the only available "technical" documentation
    is limited to user manuals, and we are unaware of any public research about
    the digital security risks in this space. We hope that our findings will
    inspire the RF- and hardware-hacking communities to continue looking at
    these protocols, and to encourage vendors to focus on open, standard RF
    protocols.

    In conclusion, given that the kind of machinery these remote controllers are
    managing can be dangerous if hijacked or disabled, manufacturers need to
    start thinking about moving to stronger open-source protocols rather than
    relying on security through obscurity. It could be challenging to balance
    the almost real-time requirements and secure RF transmission, but the
    hardware technology is there, ready to be used.

    ------------------------------
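
    The difference the Trend Micro excerpt draws between consumer remotes with
    rolling codes and industrial remotes with fixed codes is easiest to see in
    a small model. The Python below is an added illustration written for this
    page; it is not code from the report, from Henry Baker's note, or from any
    vendor's product. It goes one step past a plain rolling code to a
    counter-plus-HMAC design, and the frame layouts, the 32-byte pairing
    secret, the 8-byte truncated tag, the command letters and the e-stop
    latch are all assumptions made for the demo.

```python
import hmac
import hashlib

# Design 1: fixed-code remote.  Every press of the same button radiates the
# same bytes, so one captured frame can be replayed indefinitely, including
# after the operator has hit the emergency stop.
class FixedCodeReceiver:
    def __init__(self, pairing_code: bytes):
        self.pairing_code = pairing_code
        self.running = False
        self.estop = False

    def handle(self, frame: bytes) -> bool:
        # Assumed frame layout: pairing_code || one command byte.
        if frame[:-1] != self.pairing_code:
            return False
        cmd = frame[-1:]
        if cmd == b"E":                    # emergency stop
            self.estop, self.running = True, False
        elif cmd == b"S":                  # start: nothing checks the e-stop state
            self.estop, self.running = False, True
        elif cmd == b"X":                  # normal stop
            self.running = False
        else:
            return False
        return True

def fixed_code_frame(pairing_code: bytes, cmd: bytes) -> bytes:
    return pairing_code + cmd

# Design 2: each frame carries a monotonically increasing counter and an HMAC
# tag over counter || command under a per-pairing secret.  The receiver drops
# frames whose tag fails (forgery) or whose counter is not above the last one
# accepted (replay), and it latches on e-stop: START is refused until an
# authenticated RESET.  Assumed layout: 4-byte counter || 1-byte cmd || 8-byte tag.
TAG_LEN = 8

def _tag(key: bytes, ctr_bytes: bytes, cmd: bytes) -> bytes:
    return hmac.new(key, ctr_bytes + cmd, hashlib.sha256).digest()[:TAG_LEN]

class AuthenticatedTransmitter:
    def __init__(self, key: bytes):
        self.key = key
        self.counter = 0

    def frame(self, cmd: bytes) -> bytes:
        self.counter += 1
        ctr_bytes = self.counter.to_bytes(4, "big")
        return ctr_bytes + cmd + _tag(self.key, ctr_bytes, cmd)

class AuthenticatedReceiver:
    def __init__(self, key: bytes):
        self.key = key
        self.last_counter = 0
        self.running = False
        self.estop = False

    def handle(self, frame: bytes) -> bool:
        if len(frame) != 4 + 1 + TAG_LEN:
            return False
        ctr_bytes, cmd, tag = frame[:4], frame[4:5], frame[5:]
        if not hmac.compare_digest(tag, _tag(self.key, ctr_bytes, cmd)):
            return False                   # forged or corrupted frame
        ctr = int.from_bytes(ctr_bytes, "big")
        if ctr <= self.last_counter:
            return False                   # replayed or reordered frame
        self.last_counter = ctr
        if cmd == b"E":
            self.estop, self.running = True, False
        elif cmd == b"R":                  # explicit, authenticated reset
            self.estop = False
        elif cmd == b"S":
            if self.estop:
                return False               # latched: START refused until RESET
            self.running = True
        elif cmd == b"X":
            self.running = False
        else:
            return False
        return True

def replay_after_estop_demo():
    """Sniff one START frame, wait for the operator's e-stop, replay it.
    Returns (fixed_design_restarted, authenticated_design_restarted)."""
    pairing_code = b"\x13\x37\x42"         # constructed demo pairing code
    key = b"\x42" * 32                     # constructed demo pairing secret
    rx1 = FixedCodeReceiver(pairing_code)
    captured = fixed_code_frame(pairing_code, b"S")
    rx1.handle(captured)                                # operator starts crane
    rx1.handle(fixed_code_frame(pairing_code, b"E"))    # operator hits e-stop
    rx1.handle(captured)                                # attacker replays START
    tx, rx2 = AuthenticatedTransmitter(key), AuthenticatedReceiver(key)
    captured = tx.frame(b"S")
    rx2.handle(captured)
    rx2.handle(tx.frame(b"E"))
    rx2.handle(captured)                                # replay: counter too low
    return rx1.running, rx2.running

def estop_latch_demo():
    """Even a fresh, authenticated START is refused after e-stop until RESET.
    Returns (start_accepted_before_reset, start_accepted_after_reset)."""
    key = b"\x00" * 32                     # constructed demo key
    tx, rx = AuthenticatedTransmitter(key), AuthenticatedReceiver(key)
    rx.handle(tx.frame(b"S"))
    rx.handle(tx.frame(b"E"))
    before = rx.handle(tx.frame(b"S"))
    rx.handle(tx.frame(b"R"))
    after = rx.handle(tx.frame(b"S"))
    return before, after
```

    Calling replay_after_estop_demo() returns (True, False): the fixed-code
    receiver restarts on the replayed frame, the authenticated one does not.
    The counter also makes a legitimate but stale START useless to an
    attacker who merely delays it, and the latch means a safety stop can only
    be cleared by someone holding the pairing secret. A real design would add
    counter resynchronisation after a lost frame and a bound on how far ahead
    a counter may jump, which this model omits.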

    Date: Thu, 24 Jan 2019 10:30:42 -0500
    From: José María Mateos <ch...@rinzewind.org>
    Subject: When your landlord installs smart locks

    I don't particularly like to use Twitter threads as sources (all of them
    will go away when Twitter (hopefully soon) implodes), but this is quite on
    point:

    https://twitter.com/hacks4pancakes/status/1086000837615382529

    ------------------------------

    Date: Mon, 28 Jan 2019 12:37:26 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Hundreds of popular cars at risk from key compromise

    https://www.bbc.com/news/business-47023003

    New cars are more secure than ever, and the latest technology has helped
    bring down theft dramatically with, on average, less than 0.3% of the cars
    on our roads stolen. Criminals will always look for new ways to steal cars;
    it's an ongoing battle and why manufacturers continue to invest billions in
    ever more sophisticated security features -- ahead of any regulation.
    However, technology can only do so much and we continue to call for action
    to stop the open sale of equipment with no legal purpose that helps
    criminals steal cars.

    Prohibition didn't work for booze; why should it be expected to succeed for
    {RFID, WiFi, or Bluetooth}-enabled vehicle heists?

    https://www.statista.com/statistics/859950/vehicles-in-operation-by-quarter-united-states/
    estimates that ~263M vehicles were in operation during the 1st quarter of
    2017. This implies, assuming they are equally vulnerable to RFID/Bluetooth
    access theft: ~789K thefts.

    https://ucr.fbi.gov/crime-in-the-u.s/2017/preliminary-report/cius-2017-preliminary-excel-tables.zip
    shows that for the 6 month period, an estimated 289K vehicle thefts were
    reported within the 50 US states with cities of 100K people or greater; a
    vehicle theft each 50 seconds or so.

    ------------------------------

    Date: Mon, 21 Jan 2019 09:21:08 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Coming Soon to a Police Station Near You: The DNA 'Magic Box' (NYT)

    *With Rapid DNA machines, genetic fingerprinting could become as routine as
    the old-fashioned kind. But forensic experts see a potential for misuse.*

    ... many legal experts and scientists are troubled by the way the technology
    is being used. As police agencies build out their local DNA databases, they
    are collecting DNA not only from people who have been charged with major
    crimes but also, increasingly, from people who are merely deemed suspicious,
    permanently linking their genetic identities to criminal databases. [...]

    If the Rapid DNA system has flaws, now is the moment to address them, many
    experts argue. Peter Stout, president of the Houston Forensic Science
    Center, was left with concerns after completing a Rapid DNA pilot program
    with the Houston Police Department last February. ``We need fast and cheap.
    It also needs to be right.''

    https://www.nytimes.com/2019/01/21/science/dna-crime-gene-technology.html

    ------------------------------

    Date: Fri, 25 Jan 2019 09:56:31 -0500
    From: José María Mateos <ch...@rinzewind.org>
    Subject: An IoT security mailing list

    I think regular RISKS readers might be interested in a new mailing list
    devoted to IoT security:
    http://www.firemountain.net/mailman/listinfo/dumpsterfire

    Initial message and administrivia:
    http://www.firemountain.net/pipermail/dumpsterfire/2019-January/000000.html

    ------------------------------

    Date: Sat, 19 Jan 2019 16:32:11 -0800
    From: Mark Thorson <e...@dialup4less.com>
    Subject: Japan to regulate foreign companies use of e-mail content

    It's already illegal for domestic companies to use the content of users'
    e-mail. Government is now planning to apply this to foreign companies like
    Google and Facebook. Almost makes me want to move to Japan.

    http://the-japan-news.com/news/article/0005488933

    ------------------------------

    Date: Sun, 27 Jan 2019 11:16:26 +0000
    From: Neil Youngman <neil.y...@youngman.org.uk>
    Subject: Facebook "real names" policy forces you to sign up with a fake name

    RISKS readers are familiar with Facebook's Orwellian "real names" policy, but
    I didn't realise how poor the implementation is. I only discovered when my
    daughter wanted to sign up that it's so bad that many people will be forced
    to sign up with a fake name to get around it.

    When my daughter wanted to sign up Facebook decided that it didn't like her
    name. The help pages are pretty useless and there is no real indication of
    why. You have to guess why the name is rejected, but the solution appears to
    be to go through the name verification process. The "clever" bit is that
    there seems to be no way to start the name verification process until you
    create an account, so you have to make up a name that it will accept and use
    that to create the account.

    At this point I'm guessing that a lot of people don't bother to verify their
    real name and continue with the fake name. I can think of at least 2 of my
    Facebook friends using names that aren't "the name they go by in everyday
    life" (https://www.facebook.com/help/112146705538576). A good guess is that
    it's either not worth the effort of verifying their real name, or that their
    official documents use a different form of their name to the one they
    normally use in real life.

    As currently implemented the policy seems to prevent you signing up with an
    unusual name, but pretty much anybody can sign up as Paul Smith with no
    checks.

    ------------------------------

    Date: Sat, 19 Jan 2019 20:59:00 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Reaction to the #10YearChallenge circulating on Facebook: Nope.

    He writes:

    Perhaps I am a curmudgeon. In my view, the meme, which prompts people to
    post before-and-after photos of themselves on Facebook
    <https://click.email.fortune.com/?qs=449fa3686574c81be466f38d7c0cebbbe083520f6bf4d366ddb2482a4d929c0691638fbad4d87d593874c9eaaa6ffeb4c09fa97b64b0f52e>,
    Instagram, and other social media sites, is no better than a data-siphoning
    social engineering attempt. The viral campaign exploits our vanity,
    encouraging us to surrender images of ourselves from a decade ago. People
    just happen to be packaging the chronology of their physiognomy in a usable
    format for machines to parse.

    https://view.email.fortune.com/?qs=0201bad8c93739fd5962676018096aced0f8602d66109218173392a5b675b1535d006a5a5b019814f916959e973fb36f41b44d801423e04d1e0e6b4a4119a8d65899f9866c6d8e60

    The risk? Willingly feeding the beast.

    ------------------------------

    Date: Sat, 26 Jan 2019 22:32:11 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How Reserved Storage Works in the Next Version of Windows 10

    In a blog post, Microsoft stated that Reserved Storage will be available
    only on devices that come with Windows 10 19H1 (version 1903) pre-installed
    or those where 1903 was clean installed. Those who upgrade to the next
    version will not utilize this feature.

    Problems with the current update process

    In Windows 10 October 2018 Update or older, if a user begins to run out of
    storage space, Windows may not run smoothly and many apps may not work as
    expected. Even worse, Microsoft has had a rough track record recently when
    it comes to updates and those who have no free space may not be able to
    install updates correctly.

    https://www.bleepingcomputer.com/news/microsoft/how-reserved-storage-works-in-the-next-version-of-windows-10/

    It took 10 versions to notice?

    ------------------------------

    Date: Thu, 24 Jan 2019 00:36:12 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Security, Compliance Add-Ons Offered to Microsoft 365 Users

    Two new security and compliance packages are available at extra cost to
    protect enterprise Microsoft 365 users from wider threats.

    https://www.eweek.com/enterprise-apps/microsoft-bolstering-security-compliance-with-microsoft-365-add-ons

    ------------------------------

    Date: Sun, 20 Jan 2019 16:51:01 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: US Patent for Drone delivery of coffee based on a cognitive state
    of an individual Patent

    (Patent # 10,040,551 issued August 7, 2018) - Justia Patents Search

    Coffee or other drink, for example a caffeine containing drink, is delivered
    to individuals that would like the drink, or who have a predetermined
    cognitive state, using an unmanned aerial vehicle (UAV)/drone. The drink is
    connected to the UAV, and the UAV flies to an area including people, and
    uses sensors to scan the people for an individual who has gestured that they
    would like the drink, or for whom an electronic analysis of sensor data
    indicates to be in a predetermined cognitive state. The UAV then flies to
    the individual to deliver the drink. The analysis can include profile data
    of people, including electronic calendar data, which can be used to
    determine a potentially predetermined cognitive state.

    https://patents.justia.com/patent/10040551
    https://www.inc.com/geoffrey-james/the-best-invention-of-2018-is-ibm-coffee-drone.html -- note graphics
    https://www.popularmechanics.com/flight/drones/a22813997/ibm-patent-coffee-delivery-drone/

    ...so this is how IBM wins the patents battle every year.

    ------------------------------

    Date: Thu, 24 Jan 2019 00:28:07 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Did Australia Hurt Phone Security Around the World? (NYTimes)

    But politicians said the risk of encryption technology’s being used by
    terrorists was too significant. Prime Minister Malcolm Turnbull of Australia
    said in July, “The laws of mathematics are very commendable, but the only
    law that applies in Australia is the law of Australia.”

    https://www.nytimes.com/2019/01/22/technology/australia-cellphone-encryption-security.html

    ------------------------------

    Date: Wed, 23 Jan 2019 07:53:53 -0800
    From: Henry Baker <hba...@pipeline.com>
    Subject: Location-Based Little Brothers

    A Chinese WeChat app displays the people in your vicinity who are in debt.

    Given the data publicly available (or via Facebook/Google/Twitter API's),
    consider the endless possibilities for future apps:

    * Find My Credit Scores - notifies you of the credit scores of those around
    you (thanks, Experian!!)

    * Find My Sugar Daddy / Find My Gold Digger - notifies you of the financial
    capacity of the people around you

    * Find My Real Daddy - utilizing 23&me DNA data, notifies you of genetic
    relationships of the people around you

    * Find My Sex Offender - notifies you if a registered sex offender is nearby

    * Find My Felon - notifies you of the arrest history of those around you and
    pulls up mugshots

    * Find My Ex's - notifies you if a previous lover is nearby

    * Find MeToo - notifies you if someone nearby was blacklisted as an
    *alleged* sexual harasser by someone

    * Find My Pwned - notifies you if someone nearby has been pwned and provides
    password(s)

    * Find My Echo Chamber - identifies the political party registration of
    those nearby

    * Find My Immigrant - check the E-Verify status of those nearby

    * Improve My Gaydar - obvious

    Once these apps surface, you'll probably never leave your house again!

    http://www.chinadaily.com.cn/a/201901/16/WS5c3edfb8a3106c65c34e4d75.html

    Hebei court unveils program to expose deadbeat debtors
    Zhang Yu in Shijiazhuang, chinadaily.com.cn, 16 Jan 2019:

    Deadbeat debtors in North China's Hebei province will find it more difficult
    to abscond as the Higher People's Court of Hebei on Monday introduced a
    mini-program on WeChat targeting them.

    Called "a map of deadbeat debtors", the program allows users to find out
    whether there are any debtors within 500 meters.

    The debtor's information is available to check in the program, making it
    easier for people to whistle-blow on debtors capable of paying their debts.

    "It's a part of our measures to enforce our rulings and create a socially
    credible environment," said a spokesman of the court.

    ------------------------------

    Date: Wed, 23 Jan 2019 07:48:10 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: How We Destroy Lives Today (NYTimes)

    https://www.nytimes.com/2019/01/21/opinion/covington-march-for-life.html

    Will the Covington Catholic High School fiasco change social media?

    ------------------------------

    Date: Wed, 23 Jan 2019 07:53:00 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Covington and the Pundit Apocalypse (NYTimes)

    https://www.nytimes.com/2019/01/22/opinion/covington-teenagers-twitter.html

    Our hasty condemnation of these teenagers reveals the cold truth about hot
    takes.

    ------------------------------

    Date: Sun, Jan 20, 2019 at 3:27 PM
    From: Vint Cerf <vi...@google.com>
    Subject: Re: A Simple Bug Makes It Easy to Spoof Google Search Results
    into Spreading Misinformation (RISKS-31.03)

    Bug has been fixed.

    ------------------------------

    Date: Thu, 17 Jan 2019 12:25:03 -0800
    From: Henry Baker <hba...@pipeline.com>
    Subject: Re: How three rude iPhone users ruined an evening (Wirchenko,
    RISKS-31.03)

    Thank Apple for removing the jack from their iPhones.

    I carry around a lot of <$5 earbuds for my own use on airplanes & my digital
    audio player, so I'm happy to donate them to someone to listen privately.

    Cheap headphones for modern USB and Bluetooth never materialized, so I'm not
    about to carry around $100 earbuds to donate.

    ------------------------------

    Date: Thu, 24 Jan 2019 09:28:05 -0500
    From: Gene Spafford <sp...@purdue.edu>
    Subject: Cyber Security Hall of Fame Nominations now open

    The Cyber Security Hall of Fame was on hiatus while stable funding was
    secured. That has happened, and nominations are open for the class of 2019.

    [Stable funding? Who's horsing around here while there is always room for
    more in the ever-growing stable of honorees? PGN]

    Current honorees are listed at http://www.cybersecurityhalloffame.com

    Help by nominating qualified candidates! See http://bit.ly/CSHOFNom for
    details of nominations.

    Help spread the word.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.04
    ************************
     
  16. LakeGator
    Risks Digest 31.05

    RISKS List Owner

    Feb 4, 2019 6:15 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 4 February 2019 Volume 31 : Issue 05

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <http://catless.ncl.ac.uk/Risks/31.05>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    A study of fake news in 2016 (Science via PGN)
    Deep Fakes: A Looming Challenge for Privacy, Democracy, and
    National Security by Robert Chesney, Danielle Keats Citron (SSRN)
    Japanese government plans to hack into citizens' IoT devices (ZDNet)
    "This smart light bulb could leak your Wi-Fi password" (ZDNet via
    Gene Wirchenko)
    Tech addicts seek solace in 12 steps and rehab (AP)
    How Machine Learning Could Keep Dangerous DNA Out of Terrorists' Hands
    (Scientific American via Richard Stein)
    Taking apart a botnet ... (Naked Security via Rob Slade)
    What If Your Fitbit Could Run on a Wi-Fi Signal? (SciAm)
    iPhone FaceTime Bug That Allows Spying Was