
Risks Digest

Discussion in 'Gator Bytes' started by LakeGator, Apr 25, 2015.

    Risks Digest 31.10

    RISKS List Owner

    Mar 7, 2019 4:28 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 7 March 2019 Volume 31 : Issue 10

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    All Intel chips open to new Spoiler non-Spectre attack: Don't expect a
    quick fix. (ZDNet)
    The rise of the online ticketing bots (David Strom)
    DeepFake litigation (Fortune)
    Fake paid product reviews on Amazon challenged (Consumer Health)
    Siri, What Should I Eat? (Cell.com)
    Goldman Sachs asks in biotech research report: Is curing patients
    a sustainable business model? (Chuck Petras)
    GDPR: Victim of Sheryl Sandberg's "Lean On" Feminism (Henry Baker)
    Phishing Scams: Is Your Financial Institution Helping Cyberthieves?
    (Washington Consumers' Checkbook)
    Once hailed as unhackable, blockchains are now getting hacked
    (MIT Technology Review)
    Uproar Over Facebook 2FA Privacy Violation (Richi Jennings)
    Prosecutors Don't Plan to Charge Uber in Self-Driving Car's Fatal Accident
    (NYTimes)
    Outdoor Tech -- Skiing *and* privacy? (Rob Slade)
    PDF Signatures (Rob Slade)
    Alphabet's Security Start-Up Wants to Offer History Lessons
    (Nicole Perlroth)
    Yet another Facebook privacy leak (Peter Houppermans)
    Re: Robocalls Routed via Virtue Signaling Network? (John Levine)
    Re: Oscars: IBM & Surveillance AI: Clean Hands? (Amos Shapir)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 5 Mar 2019 13:42:38 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: All Intel chips open to new Spoiler non-Spectre attack: Don't
    expect a quick fix. (ZDNet)

    All Intel chips open to new Spoiler non-Spectre attack: Don't expect a quick fix | ZDNet

    SPOILER alert, literally: Intel CPUs afflicted with simple data-spewing spec-exec vulnerability

    SPOILER: Speculative Load Hazards Boost Rowhammer and Cache Attacks
    https://arxiv.org/pdf/1903.00446.pdf

    ------------------------------

    Date: Tue, 5 Mar 2019 12:33:55 -0600
    From: David Strom via WebInformant <webinf...@list.webinformant.tv>
    Subject: The rise of the online ticketing bots

    Web Informant, March 5, 2019 [via Gabe Goldberg]

    A new report describes the depth of criminality across online ticketing
    websites. I guess I was somewhat naive before I read the report, “How Bots
    affect ticketing,” from Distil Networks
    <How Bots Affect Ticketing>
    (Registration is required.) The vendor sells anti-bot security tools, so
    some of what they describe is self-serving to promote their own
    solutions. But the picture they present is chilling and somewhat depressing.

    The ticketing sites are being hit from all sides: from dishonest ticket
    brokers and hospitality agents who scrape details and scalp or spin the
    tickets, to criminals who focus on fan account takeovers to conduct credit
    card fraud with their ticket purchases. These scams are happening 24/7,
    because the bots never sleep. And there are multiple sources of ready-made
    bad bots that can be set loose on any ticketing platform.

    You probably know what scalping is, but spinning was new to me. Basically,
    it involves a mechanism that appears to be an indecisive human who is
    selecting tickets but holding them in their cart and not paying for
    them. This puts the tickets in limbo, and takes them off the active
    marketplace just long enough that the criminals can manipulate their supply
    and prevent the actual people from buying them. That is what lies at the
    heart of the criminal ticketing bot problem: the real folks are denied their
    purchases, and sometimes all seats are snapped up within a few milliseconds
    of when they are put on sale. In many cases, fans quickly abandon the legit
    ticketing site and find a secondary market for their seats, which may be
    where the criminals want them to go. This is because the seat prices are
    marked up, with more profit going to the criminals. It also messes with the
    ticketing site's pricing algorithms, because they don't have an accurate
    picture of ticket supply.

    This is a new report from Distil, focusing just on the ticketing
    vendors. In the past year, they have seen a rise in the sophistication of
    the bot owners' methods. That is because like much with cybercrime, there is
    an arms race between defenders and the criminals, with each upping their
    game to get around the other. The report studied 180 different ticketing
    sites for a period of 105 days last fall, analyzing more than 26 billion
    requests.

    Distil found that the average traffic across all 180 sites was close to 40%
    consumed by bad bots. That’s the average: many sites had far higher
    percentages of bad bot traffic.

    Botnets aren’t only a problem with ticketing websites, of course. In an
    article that I wrote recently for CSOonline
    <https://www.csoonline.com/article/3...usiness-should-know.html?nsdr=true#tk.twt_cso>
    I discuss how criminals have manipulated online surveys and polls.
    (Registration also required.) Botnets are just one of many methods to fudge
    the results, infect survey participants with malware, and manipulate public
    opinion.

    So what can a ticketing site operator do to fight back? The report has
    several suggestions, including preventing outdated browser versions, using
    better Captchas, blocking known hosting providers popular with criminals,
    and looking carefully at sources of traffic for high bounce rates, a series
    of failed logins and lower conversion rates, three tells that indicate
    botnets.

    Comments always welcome here. <http://blog.strom.com/wp/?p=7061>
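
    The three tells Strom lists (a high bounce rate, a run of failed logins, a low conversion rate) worked into a per-source triage over constructed access-log lines. This is an added example, not part of the newsletter or of Distil's report; the log format, the thresholds and the two-of-three rule are assumptions.

```python
"""Per-source bot triage from access-log lines: the three tells Strom lists
(bounce rate, runs of failed logins, conversion rate), computed per client IP.
Log format, thresholds and the two-of-three rule are assumptions of this example."""
from collections import defaultdict
from dataclasses import dataclass, field

BOUNCE_RATE_HIGH = 0.75       # share of sessions with a single request
FAILED_LOGIN_RUN_HIGH = 5     # consecutive 401s on POST /login from one source
CONVERSION_RATE_LOW = 0.02    # share of sessions reaching a successful checkout

# Constructed log: timestamp, client IP, session id, method, path, status.
# 203.0.113.7 is a normal buyer, 198.51.100.9 scrapes one event page per
# session and hammers /login, 192.0.2.44 is a human who mistypes a password.
SAMPLE_LOG = """\
2019-03-05T10:00:01Z 203.0.113.7 h1 GET /event/101 200
2019-03-05T10:00:30Z 203.0.113.7 h1 POST /login 200
2019-03-05T10:01:10Z 203.0.113.7 h1 POST /checkout 200
2019-03-05T11:00:01Z 203.0.113.7 h2 GET /event/102 200
2019-03-05T11:00:20Z 203.0.113.7 h2 GET /event/102/seats 200
2019-03-05T10:00:01Z 198.51.100.9 b1 GET /event/101 200
2019-03-05T10:00:01Z 198.51.100.9 b2 GET /event/102 200
2019-03-05T10:00:01Z 198.51.100.9 b3 GET /event/103 200
2019-03-05T10:00:02Z 198.51.100.9 b4 GET /event/104 200
2019-03-05T10:00:03Z 198.51.100.9 b5 POST /login 401
2019-03-05T10:00:03Z 198.51.100.9 b5 POST /login 401
2019-03-05T10:00:03Z 198.51.100.9 b5 POST /login 401
2019-03-05T10:00:04Z 198.51.100.9 b5 POST /login 401
2019-03-05T10:00:04Z 198.51.100.9 b5 POST /login 401
2019-03-05T12:00:15Z 192.0.2.44 c1 POST /login 401
2019-03-05T12:00:22Z 192.0.2.44 c1 POST /login 401
2019-03-05T12:00:31Z 192.0.2.44 c1 POST /login 401
2019-03-05T12:00:40Z 192.0.2.44 c1 POST /login 200
"""


@dataclass
class SourceStats:
    # Running counters for one client IP; the log is assumed time-ordered per source.
    requests_per_session: dict = field(default_factory=lambda: defaultdict(int))
    converted_sessions: set = field(default_factory=set)
    longest_failed_login_run: int = 0
    current_failed_login_run: int = 0


def aggregate(log_text):
    """Fold log lines into per-source counters."""
    stats = defaultdict(SourceStats)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, ip, session, method, path, status = line.split()
        s = stats[ip]
        s.requests_per_session[session] += 1
        if method == "POST" and path == "/login":
            # A 401 extends the current run of failed logins; a success ends it.
            if status == "401":
                s.current_failed_login_run += 1
                s.longest_failed_login_run = max(s.longest_failed_login_run,
                                                 s.current_failed_login_run)
            else:
                s.current_failed_login_run = 0
        elif method == "POST" and path == "/checkout" and status == "200":
            s.converted_sessions.add(session)
    return stats


def metrics(s):
    """The three tells for one source, as plain numbers."""
    n = len(s.requests_per_session)
    bounces = sum(1 for c in s.requests_per_session.values() if c == 1)
    return {"sessions": n, "bounce_rate": bounces / n,
            "failed_login_run": s.longest_failed_login_run,
            "conversion_rate": len(s.converted_sessions) / n}


def tells(m):
    """Names of the tells that fire for one source's metrics."""
    fired = []
    if m["bounce_rate"] >= BOUNCE_RATE_HIGH:
        fired.append("high_bounce_rate")
    if m["failed_login_run"] >= FAILED_LOGIN_RUN_HIGH:
        fired.append("failed_login_run")
    if m["conversion_rate"] <= CONVERSION_RATE_LOW:
        fired.append("low_conversion_rate")
    return fired


def triage(log_text):
    """Per-source report. A source is flagged when two or more tells fire, so a
    lone tell (a real user who mistypes a password) does not trip it."""
    report = {}
    for ip, s in aggregate(log_text).items():
        m = metrics(s)
        fired = tells(m)
        report[ip] = {**m, "tells": fired, "suspect": len(fired) >= 2}
    return report
```

    Calling triage(SAMPLE_LOG) flags only 198.51.100.9 (all three tells fire), while 192.0.2.44 trips the low-conversion tell alone and stays unflagged.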

    ------------------------------

    Date: Tue, 5 Mar 2019 11:37:22 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: DeepFake litigation (Fortune)

    http://fortune.com/2019/01/15/deepf...ApNgf_nEq1zIQAUmjcRJ-1mRpTvy3ZUkmbxPKibDOK1-s

    ------------------------------

    Date: Sun, 3 Mar 2019 21:41:45 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Fake paid product reviews on Amazon challenged (Consumer Health)

    Consumer Health Digest #19-09, 3 Mar 2019

    According to a complaint by the Federal Trade Commission (FTC), Cure
    Encapsulations, Inc. and its owner, Naftula Jacobowitz:
    <https://www.ftc.gov/system/files/documents/cases/quality_encapsulations_complaint_2-26-19.pdf>

    * paid a Web site, amazonverifiedreviews.com to create and post Amazon
    reviews of their product "Quality Encapsulations Garcinia Cambogia
    Extract with HCA" capsules.

    * falsely claimed that the product is an appetite-suppressing,
    fat-blocking, weight-loss pill.

    Jacobowitz allegedly told the site's operator that the product needed to
    have an average rating of 4.3 out of 5 stars in order to have sales and to,
    "Please make my product ... stay a five star." The reviews were posted on
    Amazon and were represented as truthful and written by actual purchasers,
    when in reality they were fabricated. The FTC's complaint also alleges that
    the defendants made false and unsubstantiated claims on their Amazon product
    page, including through the purchased reviews, that their garcinia cambogia
    product is a "powerful appetite suppressant," "Literally BLOCKS FAT From
    Forming," causes significant weight loss, including as much as twenty
    pounds, and causes rapid and substantial weight loss, including as much as
    two or more pounds per week.

    The proposed court order settling the FTC's complaint
    <https://www.ftc.gov/system/files/documents/cases/quality_encapsulations_proposed_order_2-26-19.pdf>:

    * prohibits the defendants from making weight-loss,
    appetite-suppression, fat-blocking, or disease-treatment claims for
    any dietary supplement, food, or drug unless they have competent and
    reliable scientific evidence in the form of human clinical testing
    supporting the claims.
    * requires them to have competent and reliable scientific evidence to
    support any other claims about the health benefits or efficacy of
    such products.
    * prohibits them from making misrepresentations regarding
    endorsements, including that an endorsement is truthful or by an
    actual user.
    * requires the defendants to email notices to consumers who bought the
    capsules detailing the FTC's allegations regarding their efficacy
    claims.
    * requires the defendants to notify Amazon, Inc. that they purchased
    Amazon reviews of their Quality Encapsulations Garcinia Cambogia
    capsules and to identify to Amazon the purchased reviews.
    * imposes a judgment of $12.8 million, which will be suspended upon
    payment of $50,000 to the Commission and the payment of certain
    unpaid income tax obligations.

    If the defendants are later found to have misrepresented their financial
    condition to the FTC, the full amount of the judgment will immediately
    become due. [FTC brings first case challenging fake paid reviews on an
    independent retail website.
    <FTC Brings First Case Challenging Fake Paid Reviews on an Independent Retail Website>
    FTC news release. 26 Feb 2019]

    ------------------------------

    Date: Sun, 3 Mar 2019 14:32:07 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Siri, What Should I Eat? (Cell.com)

    https://www.cell.com/cell/fulltext/S0092-8674(15)01492-0

    NYTimes
    Opinion | The A.I. Diet

    "Coming up with a truly personalized diet would require crunching billions
    of pieces of data about each person. In addition to analyzing the 40
    trillion bacteria from about 1,000 species that reside in our guts, as the
    project I participated in did, it would need to take into account all of the
    aspects of that person's health, including lifestyle, family history,
    medical conditions, immune system, anatomy, physiology, medications and
    environment. This would require developing an artificial intelligence more
    sophisticated than anything yet on the market."

    Risk: Dietary app guidance based on AI requires a randomized control trial
    to establish viability and merit before it can be reliably applied for human
    benefit.

    ------------------------------

    Date: Mon, 4 Mar 2019 14:12:41 -0800
    From: <Chuck_...@selinc.com>
    Subject: Goldman Sachs asks in biotech research report: Is curing patients
    a sustainable business model?

    The risks, I think, are self-evident.

    The potential to deliver `one shot cures' is one of the most attractive
    aspects of gene therapy, genetically-engineered cell therapy and gene
    editing. However, such treatments offer a very different outlook with regard
    to recurring revenue versus chronic therapies, analyst Salveen Richter wrote
    in the note to clients Tuesday. ``While this proposition carries tremendous
    value for patients and society, it could represent a challenge for genome
    medicine developers looking for sustained cash flow.''

    Goldman Sachs asks in biotech research report: ``Is curing patients a
    sustainable business model?''

    https://urldefense.proofpoint.com/v...nts-2Da-2Dsustainable-2Dbusiness-2Dmodel.html

    ------------------------------

    Date: Mon, 04 Mar 2019 08:57:08 -0800
    From: Henry Baker <hba...@pipeline.com>
    Subject: GDPR: Victim of Sheryl Sandberg's "Lean On" Feminism

    "... the memo reveals that Sandberg's feminist memoir ["Lean In"] was
    perceived as a *lobbying tool* by the Facebook team and a means of winning
    support from female legislators for Facebook's wider agenda."

    "[George Osborne] offered to host a launch for Sandberg's book in Downing
    Street, an event that went ahead in spring 2013."

    Apparently, Sheryl Sandberg's relationship with feminism was transactional
    all along; she shamelessly traded on her feminist relationships in her
    attempts to destroy GDPR.

    But isn't privacy a feminist issue?



    Isn't Viviane Reding (GDPR's architect) a feminist?

    Viviane Reding: Data protection regulation one more step towards digital single market

    Famous Sandberg quotes:

    "There's a special place in hell for women who don't help other women." --
    Sheryl Sandberg

    "Leadership is not bullying and leadership is not aggression. Leadership is
    the expectation that you can use your voice for good. That you can make the
    world a better place." -- Sheryl Sandberg

    https://www.theguardian.com/technol...campaign-against-data-privacy-laws-investment

    Revealed: Facebook's global lobbying against data privacy laws

    Social network targeted legislators around the world, promising or
    threatening to withhold investment

    Carole Cadwalladr & Duncan Campbell, *The Guardian*, modified 3 Mar 2019

    Facebook has targeted politicians around the world--including the former UK
    chancellor, George Osborne--promising investments and incentives while
    seeking to pressure them into lobbying on Facebook's behalf against data
    privacy legislation, an explosive new leak of internal Facebook documents
    has revealed.

    The documents, which have been seen by the Observer and Computer Weekly,
    reveal a secretive global lobbying operation targeting hundreds of
    legislators and regulators in an attempt to procure influence across the
    world, including in the UK, US, Canada, India, Vietnam, Argentina, Brazil,
    Malaysia and all 28 states of the EU. The documents include details of how
    Facebook:

    * Lobbied politicians across Europe in a strategic operation to head off
    "overly restrictive" GDPR legislation. They include extraordinary claims
    that the Irish prime minister said his country could exercise significant
    influence as president of the EU, promoting Facebook's interests even
    though technically it was supposed to remain neutral.

    * Used chief operating officer Sheryl Sandberg's feminist memoir Lean In to
    "bond" with female European commissioners it viewed as hostile.

    * Threatened to withhold investment from countries unless they supported or
    passed Facebook-friendly laws.

    The documents appear to emanate from a court case against Facebook by the
    app developer Six4Three in California, and reveal that Sandberg considered
    European data protection legislation a "critical" threat to the company. A
    memo written after the Davos economic summit in 2013 quotes Sandberg
    describing the "uphill battle" the company faced in Europe on the "data and
    privacy front" and its "critical" efforts to head off "overly prescriptive
    new laws".

    Most revealingly, it includes details of the company's "great relationship"
    with Enda Kenny, the Irish prime minister at the time, one of a number of
    people it describes as "friends of Facebook". Ireland plays a key role in
    regulating technology companies in Europe because its data protection
    commissioner acts for all 28 member states. The memo has inflamed data
    protection advocates, who have long complained about the company's "cosy"
    relationship with the Irish government.

    The memo notes Kenny's "appreciation" for Facebook's decision to locate its
    headquarters in Dublin and points out that the new proposed data protection
    legislation was a "threat to jobs, innovation and economic growth in
    Europe". It then goes on to say that Ireland is poised to take on the
    presidency of the EU and therefore has the "opportunity to influence the
    European Data Directive decisions". It makes the extraordinary claim that
    Kenny offered to use the "significant influence" of the EU presidency as a
    means of influencing other EU member states "even though technically Ireland
    is supposed to remain neutral in this role".

    It goes on: "The prime minister committed to using their EU presidency to
    achieve a positive outcome on the directive." Kenny, who resigned from
    office in 2017, did not respond to the Observer's request for comment.

    John Naughton, a Cambridge academic and Observer writer who studies the
    democratic implications of digital technology, said the leak was "explosive"
    in the way it revealed the "vassalage" of the Irish state to the big tech
    companies. Ireland had welcomed the companies, he noted, but became "caught
    between a rock and a hard place". "Its leading politicians apparently saw
    themselves as covert lobbyists for a data monster."

    A spokesperson for Facebook said the documents were still under seal
    in a Californian court and it could not respond to them in any detail:
    "Like the other documents that were cherry-picked and released in
    violation of a court order last year, these by design tell one side of
    a story and omit important context."

    The 2013 memo, written by Marne Levine, who is now a Facebook senior
    executive, was cc-ed to Elliot Schrage, Facebook's then head of policy and
    global communications, the role now occupied by Nick Clegg. As well as
    Kenny, dozens of other politicians, US senators and European commissioners
    are mentioned by name, including then Indian president Pranab Mukherjee,
    Michel Barnier, now the EU's Brexit negotiator, and Osborne.

    The then chancellor used the meeting with Sandberg to ask Facebook to invest
    in the government's Tech City venture, the memo claims, and Sandberg said
    she would "review" any proposal. In exchange, she asked him to become "even
    more active and vocal in the European Data Directive debate and really help
    shape the proposals". The memo claims Osborne asked for a detailed briefing
    and said he would "figure out how to get more involved". He offered to host
    a launch for Sandberg's book in Downing Street, an event that went ahead in
    spring 2013.

    Osborne told the Observer: "I don't think it's a surprise that the UK
    chancellor would meet the chief operating officer of one of the world's
    largest companies ... Facebook and other US tech firms, in private, as in
    public, raised concerns about the proposed European Data Directive. To your
    specific inquiry, I didn't follow up on those concerns, or lobby the EU,
    because I didn't agree with them."

    He noted it was "not a secret" that he had helped launch Sandberg's book at
    11 Downing Street and added: "The book's message about female empowerment
    was widely praised, not least in the Guardian and the Observer."

    In fact, the memo reveals that Sandberg's feminist memoir was perceived as a
    lobbying tool by the Facebook team and a means of winning support from
    female legislators for Facebook's wider agenda.

    In a particularly revealing account of a meeting with Viviane Reding, the
    influential European commissioner for justice, fundamental rights and
    citizenship, the memo notes her key role as "the architect of the European
    Data Directive" and describes the company's "difficult" relationship with
    her owing to her being, it claims, "not a fan" of American companies.

    "She attended Sheryl's Lean In dinner and we met with her right afterward,"
    the memo says, but notes that she felt it was a "very 'American'
    discussion", a comment the team regarded as a setback since "getting more
    women into C-level jobs and on boards was supposed to be how they bonded,
    and it backfired a bit".

    The Davos meetings are just the tip of the iceberg in terms of Facebook's
    global efforts to win influence. The documents reveal how in Canada and
    Malaysia it used the promise of siting a new data centre with the prospect
    of job creation to win legislative guarantees. When the Canadians hesitated
    over granting the concession Facebook wanted, the memo notes: "Sheryl took a
    firm approach and outlined that a decision on the data center was imminent.
    She emphasized that if we could not get comfort from the Canadian government
    on the jurisdiction issue, we had other options." The minister supplied the
    agreement Facebook required by the end of the day, it notes.

    ------------------------------

    Date: Wed, 6 Mar 2019 14:34:51 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Phishing Scams: Is Your Financial Institution Helping Cyberthieves?
    (Washington Consumers' Checkbook)

    It's bad enough when financial institutions don't practice what they preach,
    but it only compounds the confusion when they promise one thing and do the
    opposite. For example, Merrill Lynch recently posted this online alert:
    ``Recently, some Merrill Lynch clients have reported receiving emails that
    appear to be from Merrill Lynch but which have, in fact, been sent by
    imposters. ... How can you tell the difference? Fraudulent emails
    typically include website links, and/or request you to provide personal
    information. Merrill Lynch has not and will not initiate a request for
    sensitive information via email.''

    But when we reviewed a legitimate email sent by Merrill Edge, it did contain
    website links and invitations to click to `view statements'. When the link
    is clicked, it takes you to an account login page where Merrill requests
    sensitive information, in the form of your user ID and password.

    Thus, Merrill's own legitimate email is similar to the emails it warns could
    be bogus.

    https://www.checkbook.org/washingto...r-financial-institution-helping-cyberthieves/

    The risk? Nothing new, just same old clueless companies.

    ------------------------------

    Date: Tue, 5 Mar 2019 12:18:19 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Once hailed as unhackable, blockchains are now getting hacked
    (MIT Technology Review)

    https://www.technologyreview.com/s/...nhackable-blockchains-are-now-getting-hacked/

    ------------------------------

    Date: Tue, 5 Mar 2019 12:30:49 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Uproar Over Facebook 2FA Privacy Violation (Richi Jennings)

    Richi Jennings, Security Boulevard, 4 Mar 2019

    Facebook has been caught red-handed again, so say privacy wonks. They accuse
    Zuckerberg's crew of misusing phone numbers given to it for use in
    two-factor authentication.

    Said wonks say Facebook is sharing the data with Instagram and WhatsApp to
    secretly link your profiles together. And that it lets miscreants look you
    up by your phone number, subjecting your identity to stalking, social
    engineering and other malicious awfulness. Facebook is also accused of
    violating GDPR, for using the numbers without consent.

    https://securityboulevard.com/2019/03/uproar-over-facebook-2fa-privacy-violation/

    The risk? Facebook.

    ------------------------------

    Date: Tue, 5 Mar 2019 19:44:03 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Prosecutors Don't Plan to Charge Uber in Self-Driving Car's Fatal
    Accident (NYTimes)

    https://www.nytimes.com/2019/03/05/technology/uber-self-driving-car-arizona.html

    "Arizona prosecutors said Tuesday that they had not found evidence to charge
    Uber with a crime in connection with an accident in which one of its
    autonomous cars hit and killed a pedestrian in Tempe a year ago.

    "On March 18, 2018, a Volvo sport utility vehicle, one of several
    self-driving vehicles that Uber was testing, was traveling about 40 miles
    per hour when it hit Elaine Herzberg, 49, as she was walking her bicycle
    across the street at night, the authorities said. While the car was in
    autonomous mode, a safety driver was sitting in the driver's seat. The
    Yavapai County Attorney's Office, which reviewed the case, said in a letter
    dated Monday that there was 'no basis for criminal liability for the Uber
    corporation.' But it added that investigators should look into what the
    safety driver 'would or should have seen that night given the vehicle's
    speed, lighting conditions, and other relevant factors.'"

    A favorable prosecution determination: blame the carbon component, not the
    silicon. A jury trial on behalf of Ms. Herzberg's estate, if victorious,
    might terminate the entire AV technology industry.

    ------------------------------

    Date: Wed, 6 Mar 2019 09:08:49 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: Outdoor Tech -- Skiing *and* privacy?

    Outdoor Tech makes the Chips 2.0 speakers for your audio-equipped ski
    helmet. It gives you the ability to have conversations with your other
    friends on the ski slope via a Bluetooth connection to your smartphone, and
    thence over the Internet.
    https://nakedsecurity.sophos.com/2019/03/06/ski-headphones-flaw-unlocks-mountain-of-user-data/

    First problem: all the conversations go through Outdoor Tech's servers.

    Second problem: in order to set up conversations with your friends, you have
    to set up a group. You have to search for your friends' names. While
    searching, it turns out you can, with very little effort, find absolutely
    anyone who has registered the speakers. And their email addresses. And
    their phone numbers.

    You can also find out where they are.

    And reset their passwords.

    I'm going to recommend this for all my skiing friends who don't think
    security is important ...

    ------------------------------

    Date: Wed, 6 Mar 2019 09:54:03 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: PDF Signatures

    Today someone noted that PDF signatures are broken:

    https://www.pdf-insecurity.org/index.html

    But I don't trust PDF signatures in any case. I am pretty sure that almost
    nobody knows how to use them. (I mean, really. How many security mavens
    who actually understand cryptography and PKI are there in comparison to the
    total number of people using tech they don't understand for almost all of
    their business functions?)

    For example: A certain entity which shall not be named (but whom we all
    know) has asked me to sign an NDA for a process which I can't tell you about
    because it's probably covered by the NDA. I don't have a PDF document
    creation program. So I signed the signature page (of the five page NDA),
    scanned that page, and sent it back.

    (Whilst looking for and printing the NDA PDF I noticed that it had "active"
    fields for name, address, etc. When I went to fill in the date, my reader
    [Foxit] offered to "sign" the document. I don't know how, since I'm not
    particularly aware of any certificates on my machine.)

    I got a message back from an admin saying that the legal team says a JPEG
    isn't good enough, and could I send in a PDF.

    No, I didn't go back and get Foxit to sign it. I opened a document in
    LibreOffice, inserted the JPEG, and "printed" it as a PDF. That seems to
    have been acceptable.

    (Although now they want a PDF of the whole five pages ...)

    Never attribute to technical faults that which can be adequately
    explained away by ignorance or pure, blind stupidity ...

    ------------------------------

    Date: Wed, 6 Mar 2019 9:54:52 PST
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Alphabet's Security Start-Up Wants to Offer History Lessons
    (Nicole Perlroth)

    Nicole Perlroth, *The New York Times*, 4 Mar 2019

    In 2009, Google was hacked by the Chinese military. Now Chronicle, a
    security start-up owned by Google parent company Alphabet, plans to help
    other companies learn from that experience. The company's new Backstory
    product will make Alphabet's storage, indexing, and search capabilities
    available to other companies so they can trace the origins of a malicious
    attack. Chronicle is one of dozens of companies currently promising big
    data threat intelligence and storage. While many customers of other firms
    can't afford to pay to search through huge amounts of information, Chronicle
    says it will charge customer companies by their number of employees.

    ------------------------------

    Date: Tue, 5 Mar 2019 12:37:42 +0100
    From: Peter Houppermans <d1...@phx.li>
    Subject: Yet another Facebook privacy leak

    Yet again, Facebook is caught using data for other purposes than indicated
    at the time of collection (to phrase it in EU privacy law terms). Not that
    this ought to come as a surprise by now, it appears pretty much their modus
    operandi.

    This week's installment:

    "Another week, another Facebook privacy storm. This time, the Silicon
    Valley giant has been caught red-handed using people's cellphone numbers,
    provided exclusively for two-factor authentication, for targeted advertising
    and search -- after it previously insinuated it wouldn't do that.
    Folks handing over their mobile numbers to protect their accounts from
    takeovers and hijackings thought the contact detail would be used for just
    that: security. Instead, Facebook is using the numbers to link netizens to
    other people, and target them with online ads."

    https://www.theregister.co.uk/2019/03/04/facebook_phone_numbers/

    ------------------------------

    Date: 4 Mar 2019 23:50:01 +0900
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: Robocalls Routed via Virtue Signaling Network? (RISKS-31.09)

    > Precisely because Congresspersons utilize robocalls *themselves* for their
    > own re-election campaigns.

    Yes, they exempt themselves but this is a somewhat self-limiting issue due
    to campaign schedules. FWIW, in my experience if you tell a candidate to
    stop calling, they usually do.

    > Who else loves robocalls? Phone companies themselves. Robocalls run up
    > lucrative charges on accounts that would otherwise have *zero* traffic and
    > minimum account charges.

    This is simply false. Inter-company accounting these days is all bill and
    keep, so nobody gets paid for robocalls. The problem is that the SS#7
    signaling system was designed for a world in which there was a small number
    of telcos and they all knew each other so there wasn't any internal
    security, sort of like the early Internet. Through the magic of VoIP now
    anyone can dump a call into the network.

    The point of the IETF's STIR and SHAKEN is to add a cryptographic signature
    of the party injecting the call. (The telco or VoIP provider, not the
    individual caller.) People I know at large telcos say they're planning
    to do what is essentially spam filtering, lose dubious looking calls coming
    from parties with poor reputations.

    > Who else loves robocalls? NSA/intelligence agencies. ...

    Sorry, my tin foil hat is at the cleaners this week.

    ------------------------------

    Date: Tue, 5 Mar 2019 17:09:27 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Oscars: IBM & Surveillance AI: Clean Hands? (RISKS-31.09)

    What happened to IBM had happened to most big US companies in the 2000's.
    Because of reduced regulations, corporations can make more money out of
    their shares value than out of production. This means that IBM is no longer
    a computer company, Ford is no longer a car company, etc. -- they are all
    stock brokerage companies, using their manufacturing part as an excuse.

    Companies are no longer committed to their product, even to their customers,
    and certainly not committed to their workers. (In another Big Company I'd
    worked at, even the wording of the CEO's New Year message had changed from
    ``keep up the good work, generating value for our customers'' to ``making
    value for our shareholders'').

    Consequently, anything which does not affect the share value, preferably
    within the next quarter, is being scaled down. Middle managers know that,
    but are helpless to do anything, they just grind their teeth and cut
    corners; if the increase in raw profits (or even the increase of the
    increase) stops rising for more than one quarter, shareholders will just
    take their money elsewhere, and they'd all be jobless overnight. (Upper
    management have their golden parachutes, of course).

    One effect is that IBM has been growing in the past decades by acquiring
    smaller companies which so far had escaped this fate, and can still do some
    serious R&D. These companies still exist intact as independent business
    units within IBM. So IBM is no longer a big company, it's becoming a
    conglomerate of smaller ones. (Some of the suggested future development
    ideas mentioned at the end of the ad, are actually projects of companies
    acquired by IBM).

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.10
    ************************
     
  2. LakeGator

    Risks Digest 31.11

    RISKS List Owner

    Mar 12, 2019 7:54 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 12 March 2019 Volume 31 : Issue 11

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    737 MAX 8 to get software upgrade (CBC)
    2 Billion Unencrypted Records Leaked In Marketing Data Breach
    -- What Happened And What To Do Next (Forbes)
    Triton is the world's most murderous malware, and it's spreading
    (TechReview)
    Navy, Industry Partners Are 'Under Cybersiege' by Chinese Hackers,
    Review Asserts (WSJ)
    Mystery Database of 1.8 Million Women in China (Gizmodo)
    America's Undersea Battle With China for Control of the Global
    Internet Grid (WSJ)
    Physician Phishing (JAMA)
    New Zealand Farmers Have New Tool for Herding Sheep: Drones That
    Bark Like Dogs (Peter Holley)
    Hackers breach admissions files at three private colleges (WashPost)
    Internet of Things Cybersecurity Improvement Act of 2019 (scribd.com)
    Revolut, Telcos and phone numbers as unique IDs (Toby Douglass)
    How Kids Are Using Google Docs to Bully Each Other (Offspring)
    Man told he's going to die by doctor on video-link robot (bbc.com)
    Drowning detection system to be set up at 28 public pools
    (Straits Times)
    First print something bad, then cover it up with something good
    (Dan Jacobson)
    U.S. DST change proposals and WWVB radio clocks (Rich Wales)
    Hackers can get into Macs with sneaky tricks, Crowdstrike experts say
    (CNET)
    A woman was trying to take a selfie with a jaguar when it attacked her,
    authorities say (WashPost)
    Bumble Bee Foods Is Tracking Tuna on a Blockchain (Fortune)
    More on the SwissPost hacking challenge (PGN)
    Anticipating a deluge of false...cat belling, revisited? (Mark Norem)
    Re: Robocalls Routed via Virtue Signaling Network? (Kelly Bert Manning)
    Re: but we never activated the cameras (Gabe Goldberg)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 12 Mar 2019 12:27:37 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: 737 MAX 8 to get software upgrade (CBC)

    Boeing is issuing a software upgrade for the troubled 737 MAX 8 aircraft in
    the coming weeks. (The announcement is fairly far down this article.)
    Canada won't ground Boeing 737 Max 8s despite moves by European Union, Asian and Middle Eastern countries | CBC News

    Presumably this will address some issues with the MCAS flight software.

    Hopefully the upgrade won't be online, with aircraft rebooting in mid-flight
    ...

    (I'm waiting for 737 MAX 8 ver. 3.0 ...)

    [Monty Solomon noted
    Boeing to Make Key Change in 737 MAX Cockpit Software.

    ------------------------------

    Date: Sun, 10 Mar 2019 09:24:09 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: 2 Billion Unencrypted Records Leaked In Marketing Data Breach
    -- What Happened And What To Do Next (Forbes)

    Excerpt: I woke up this morning to discover, yet again, that I was one of a
    stupidly large number of people whose personal data had been leaked in the
    latest mega breach. Troy Hunt's 'have i been pwned?' service informed me
    that 763,117,241 people have had their records leaked by Verifications IO:
    including verified emails, phone numbers, addresses, dates of birth,
    Facebook, LinkedIn and Instagram account details, credit scoring and even
    mortgage data such as amount owing and interest rates being charged. Which
    wasn't the best news to receive first thing on a Sunday morning. But then
    things got even worse, a lot worse. SC Media UK reports that Andrew Martin,
    CEO & founder of cybersecurity company DynaRisk, has revealed the true
    number of leaked records is much higher. How much higher? How does a total
    of 2,069,145,043 unencrypted records grab you?

    <Have I Been Pwned: Check if your email has been compromised in a data breach>
    <At 2 billion records leaked, breach is triple size of earlier reports>

    *So, what actually happened?*

    According to Bleeping Computer
    <Insecure Database Leads to Over 800 Million Records Data Breach>
    an unprotected MongoDB database was discovered by security researcher Bob
    Diachenko. Having cross-referenced the data, sitting there in plain text,
    with the have i been pwned site, Diachenko was able to conclude this was
    fresh to the market new information and not just a dump of previously
    breached data as has been seen with the recent Collection 1 leak.
    <2.2 Billion Accounts Found In Biggest Ever Data Dump -- How To Check If You're A Victim>
    After doing some more investigative work, Diachenko was able to track the
    database back to the Verifications IO enterprise email validation service.
    This company validates bulk email lists for companies wanting to remove
    inactive addresses from newsletter mailouts. Diachenko reported, working
    alongside researcher Vinny Troia, that a total of 808,539,939 records had
    been leaked. The 'mailEmailDatabase' contained three sections: Emailrecords,
    emailWithPhone and businessLeads containing that data. However, DynaRisk
    CEO, Andrew Martin, also analyzed the data and came to the conclusion that
    on the one server exposed to the web there were actually four databases not
    just the one. He told The Register
    <That marketing email database that exposed 809 million contact records? Maybe make that two-BILLION-plus?>
    "Our analysis was conducted over all four databases and extracted over two
    billion email addresses. The additional three databases were hosted on the
    same server, which is no longer accessible."

    *What data was leaked?*

    The security researcher who made the discovery, Bob Diachenko
    <800+ Million Emails Leaked Online by Email Verification Service - Security Discovery>
    says that "although not all records contained the detailed profile
    information about the email owner, a large amount of records were very
    detailed." That detail included commonplace breach data such as email
    addresses and phone numbers, but went far beyond the basics as well.
    Information such as dates of birth, mortgages amounts and interest rates
    and social media accounts related to the emails in question. But it doesn't
    stop there, you can also throw in basic credit scoring data, company names
    and revenue figures as well.

    *Should you be worried?*

    Yes, of course you should. This was, after all, a massive leak of the kind
    of personal information that would be a goldmine for the phishers and
    spammers of this world. However, that concern can be diluted by a number of
    factors. Not least there's the small matter that nobody has found any
    compelling evidence that the data has actually been used for any criminal
    purpose as of yet. Although the databases were accessible for some time, as
    soon as the problem was disclosed to Verifications IO the service was taken
    offline and remains so. Which means that bad guys alerted by this news
    won't be able to exploit it. What's just as important as what was in the
    breach is what wasn't. So, there were no social security numbers, no credit
    card numbers, no passwords. And, importantly, this was a leak not a hack:
    white hat researchers found the data was accessible rather than black hats
    looking to exploit it.

    *Can you mitigate your risk?...* [...]

    (Updated) 2 Billion Unencrypted Records Leaked In Marketing Data Breach --What To Do Next

    [Also noted by Jim Reisert and Rob Slade. PGN]

    ------------------------------

    Date: Fri, 8 Mar 2019 02:29:59 +0000 (UTC)
    From: Bill Meacham <bmeac...@yahoo.com>
    Subject: Triton is the world's most murderous malware, and it's spreading
    (TechReview)

    Triton is the world’s most murderous malware, and it’s spreading

    The rogue code can disable safety systems designed to prevent catastrophic
    industrial accidents. It was discovered in the Middle East, but the hackers
    behind it are now targeting companies in North America and other parts of
    the world, too. ...

    Over the past decade or so, companies have been adding Internet connectivity
    and sensors to all kinds of industrial equipment. The data captured is being
    used for everything from predictive maintenance -- which means using
    machine-learning models to better anticipate when equipment needs
    servicing -- to fine-tuning production processes. There's also
    been a big push to control processes remotely through things like
    smartphones and tablets.

    All this can make businesses much more efficient and productive, which
    explains why they are expected to spend around $42 billion this year on
    industrial Internet gear such as smart sensors and automated control
    systems, according to the ARC Group, which tracks the market. But the risks
    are also clear: the more connected equipment there is, the more targets
    hackers have to aim at. ...

    ------------------------------

    Date: Tue, 12 Mar 2019 18:26:26 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Navy, Industry Partners Are 'Under Cybersiege' by Chinese Hackers,
    Review Asserts (WSJ)

    Navy, Industry Partners Are ‘Under Cyber Siege’ by Chinese Hackers, Review Asserts

    ------------------------------

    Date: Tue, 12 Mar 2019 12:09:54 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Mystery Database of 1.8 Million Women in China (Gizmodo)

    A database of all kinds of personal information about 1.8 million women in
    China has been found online. Who did it? Unknown. What's it for? Unknown.
    Oh, and one of the, very personal, info fields is "BreedReady."

    https://gizmodo.com/mysterious-leaked-database-labels-the-breedready-status-1833205396

    ------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Tue, 12 Mar 2019 18:26:53 -0400
    Subject: America's Undersea Battle With China for Control of the Global
    Internet Grid (WSJ)

    America’s Undersea Battle With China for Control of the Global Internet Grid

    ------------------------------

    Date: Fri, 8 Mar 2019 13:44:13 -0500
    From: Paul Burke <box...@gmail.com>
    Subject: Physician Phishing (JAMA)

    The Journal of the American Medical Association (JAMA) has an article this
    morning describing 3 million simulated phishing emails sent to staff at 6
    US healthcare systems. 14% resulted in a click. One finding was that the
    odds of clicking dropped to about 5% after 10 fake phishing campaigns. They
    did not test how many people would enter login credentials, but clearly
    some would, having trusted the link in the first place.
    Employee Susceptibility to Phishing Attacks at US Health Care Institutions

    "If the simulated email is clicked, it is used as a real-time opportunity
    to provide short phishing education to the employee." This missed the
    chance to teach about much bigger cyber weaknesses in healthcare.
    Displaying rotating messages about the multitude of cyber risks would help
    administrators and staff think about and reduce risks more widely.

    These efforts do not protect an organization from phishing. At a 5% click
    rate, emails to 24 recipients give a 70% chance that someone will click.
    There is no reliable way to tell phishing emails from legitimate emails.
    When people think an email looks suspicious, and send it for checking, 90%
    are "legitimate," which means most people cannot tell them apart. Sending them
    for checking simply prevents access to the 90% which are legitimate, since
    checkers rarely send them back. Advice never to click an email link is
    impractical too, since the world lives by such links.
    Phishing Scams: Is Your Financial Institution Helping Cyberthieves?
    The State of Phishing Defense 2018 - Cofense

    Even JAMA and Checkbook send email links to their articles, these links ask
    for a login, and it can be hard to find the articles except by clicking.
    One of the JAMA authors used to work for a contractor which sent 135
    million simulated phishing emails. They got similar click rates in every
    industry, so systems need to protect themselves with compartmentalization,
    data transfer only to other hardware-identified health systems, etc.
    https://cofense.com/wp-content/uplo...sePhishingSusceptibilityReport_2015_Final.pdf

    The education offered upon a click is a good time to raise cyber security
    awareness, but it can't stop people clicking on emails. Emails to IT
    administrators can be filtered to remove all links, or this could apply
    after the first time (third time?) they click on a simulated phish.

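    The 24-recipient figure in the post above, worked through as an added example (not from the JAMA article or the digest): the functions treat each recipient as an independent trial with the stated click rate, compute the chance that at least one person clicks, and invert that to find the campaign size at which a given probability is reached.

```python
"""How often does a phishing campaign get at least one click?

Added worked example for the figures quoted in the JAMA item above (not from
the article or the digest): with a 5% per-recipient click rate, a mail to
24 staff gives roughly a 70% chance that someone clicks. The model treats
recipients as independent trials, the same simplification the post makes.
"""
import math


def p_at_least_one_click(click_rate, recipients):
    """P(at least one of `recipients` clicks) = 1 - (1 - p)^n."""
    if not 0.0 <= click_rate <= 1.0:
        raise ValueError("click_rate must lie in [0, 1]")
    if recipients < 0:
        raise ValueError("recipients must be non-negative")
    return 1.0 - (1.0 - click_rate) ** recipients


def recipients_for_target(click_rate, target):
    """Smallest n with P(at least one click) >= target.

    Solves (1 - p)^n <= 1 - target, i.e. n >= log(1 - target) / log(1 - p),
    and rounds up to a whole recipient.
    """
    if not 0.0 < target < 1.0:
        raise ValueError("target must lie strictly between 0 and 1")
    if click_rate <= 0.0:
        raise ValueError("a zero click rate never reaches the target")
    if click_rate >= 1.0:
        return 1
    n = math.log(1.0 - target) / math.log(1.0 - click_rate)
    # Guard against float noise pushing an exact integer just above itself,
    # then confirm with the forward formula rather than trusting the rounding.
    n_int = math.ceil(n - 1e-9)
    while p_at_least_one_click(click_rate, n_int) < target:
        n_int += 1
    return n_int


def campaign_table(click_rates, sizes):
    """Map (click_rate, size) -> P(at least one click), rounded to 3 places.

    Shows how much a training-driven drop from 14% to 5% actually buys at a
    given campaign size: it lowers the odds, but never to zero.
    """
    return {(p, n): round(p_at_least_one_click(p, n), 3)
            for p in click_rates for n in sizes}


if __name__ == "__main__":
    print("5% rate, 24 recipients:", round(p_at_least_one_click(0.05, 24), 3))
    print("recipients for 70% at 5%:", recipients_for_target(0.05, 0.70))
    for (p, n), prob in sorted(campaign_table((0.14, 0.05), (10, 24, 100)).items()):
        print(f"rate {p:.0%}, {n:3d} recipients -> {prob:.1%}")
```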
    ------------------------------

    Date: Fri, 8 Mar 2019 12:13:47 -0500
    From: ACM TechNews <technew...@acm.org>
    Subject: New Zealand Farmers Have New Tool for Herding Sheep: Drones That
    Bark Like Dogs (Peter Holley)

    Peter Holley, *The Washington Post*, 7 Mar 2019, via ACM TechNews 8 Mar 2019

    New Zealand farmers are using drones to herd livestock, with some capable of
    emitting barks like dogs. One drone, the DJI Mavic Enterprise, can record
    sounds and play them over a loudspeaker, allowing the machine to mimic its
    canine counterparts. Shepherd Corey Lambeth said cows are less resistant to
    drones than to actual dogs, which means the machines move livestock faster,
    with less stress. The drones also let farmers monitor their land remotely,
    tracking water and feed levels, and checking on livestock health without
    upsetting the animals. Said farmer Jason Rentoul, "Being a hilly farm where
    a lot of stuff is done on foot, the drones really saved a lot of
    man-hours. The drone does the higher bits that you can't see [from the
    ground], and you would [otherwise] have to walk half an hour to go and have
    a look and then go, 'Oh, there was no sheep there.'"

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1ec00x21abeax069424&

    [Risks? How about hacking into the drone, and reprogramming it to sound
    like a pack of wolves, to herd the sheep into waiting trucks? PGN]

    ------------------------------

    Date: Sat, 9 Mar 2019 11:59:10 -0500
    From: Monty Solomon <mo...@roscom.com>
    Subject: Hackers breach admissions files at three private colleges
    (WashPost)

    The incidents occurred the same week a report revealed that Chinese hackers
    targeted more than two dozen universities in the U.S. and other countries in
    an effort to steal research about maritime technology being developed for
    military use.

    https://www.washingtonpost.com/educ...each-admissions-files-three-private-colleges/

    [More than three in today's news. Tuesday 12 Mar 2019. PGN]

    ------------------------------

    Date: Tue, 12 Mar 2019 11:31:13 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: Internet of Things Cybersecurity Improvement Act of 2019
    (scribd.com)

    via the Washington Post at
    https://www.washingtonpost.com/news...-praise-his-policies/5c8703381b326b2d177d6058

    On paper, the senate bill establishes federal IoT baseline standards for
    certain "covered devices." These devices consist of: "(a) capable of
    connecting to and is in regular connection with the Internet; has computer
    processing capabilities that can collect, send, or receive data; and is not
    a general-purpose computing device, including personal computing systems,
    smart mobile communications devices, programmable logic controls, and
    mainframe computing systems."

    Generally, wireless medical devices (pacemakers, etc.), environmental
    controllers (NeST), Zigbee, etc. Should help reduce botnet co-opting via
    common vulnerabilities and exposures (CVEs).

    Risk: Organizational maturity that may prevent implementation compliance and
    operational vigilance after policy enacted into law.

    ------------------------------

    Date: Sat, 9 Mar 2019 19:26:28 +0200
    From: Toby Douglass <ri...@winterflaw.net>
    Subject: Revolut, Telcos and phone numbers as unique IDs

    I hold a Revolut Business account. A counter-party of mine holds a Revolut
    Personal account. Users in the Revolut Personal system are uniquely
    identified by their phone number.

    Some months ago I added this counter-party in my Revolut Business account
    and about two weeks ago made a (small - no need to shed tears) transfer to
    them.

    The transfer did not arrive. We then began a game of customer support
    ping-pong. Revolut Business assured me the transfer had succeeded, and
    referred me to Revolut Personal support. Revolut Personal assured my
    counter-party the transfer was unknown to them, and referred them to Revolut
    Business support. In the end, my counter-party and I realised for ourselves
    what had happened: my counter-party had since I created their counter-party
    entry changed their phone number -- my information for them still used their
    old number.

    (The Revolut Business web-site does not display the phone number of a
    counter-party *anywhere*. In fact, you can retrieve the phone number of a
    counter-party only by contacting customer support.)

    Revolut Business support assert that if a transfer is made to a non-existent
    phone number, the transfer will fail.

    This is not correct (but this is expected - first line customer support for
    any larger company always and invariably is to truth what whiskey is to
    alcoholism).

    The transfer was made, but went silently into limbo.

    When we had noticed this had happened, and then later had worked out what
    had happened, and informed Revolut Personal customer support, providing the
    old number, they retrieved the funds and moved them to the counter-party's
    account. (I'm not sure how they validated their claim to the old number.)

    This begs the question as to what happens if the phone number has in the
    meantime been reused by the telco and another person has opened a Revolut
    account with that number and, for good measure, while we're asking
    questions, possibly spent those funds. (I would expect the customer to be
    held completely and fully responsible, for using the wrong phone number.)

    In the existing banking system, the unique ID for an account is controlled
    by the bank itself. They do not re-use IDs, or only knowingly re-use IDs.

    In the Revolut system, the unique ID for the account is controlled by the
    telco, who are oblivious to the existence of Revolut and with a complete
    lack of consideration for FinTech startups, re-use IDs.

    (Please bear strongly in mind it is impossible for me to verify or even
    discuss any of this information with Revolut, so it could be there is a
    flaw, or many, in my understanding. What I have written is what is true to
    the best of my knowledge.)

    In general, phone numbers as unique IDs are now not uncommon. This issue of
    a third party controlling ID would seem then on the face of it to extend
    potentially to all such systems, and when there are a range of systems
    facing the same challenge, there exists a range of success in the response
    to that challenge.

    (Actually, using a phone number as an ID is I think extremely unwise always,
    since it enables your identity to be linked up to third party information.
    Privacy is best served with a web-based burner email address service, such
    as mailinator, accessed via Tor. However, burner mobile phones can be found
    on Amazon for 10 USD. Remember the phone has a unique ID, and the SIM also,
    so you need to change both the phone and the SIM; never re-use a burner
    phone with multiple SIMs. Also remember when you do use it, don't use it at
    home - you will be geolocated by the telco, and that will also give you
    away. Go somewhere you've never been before, and never go there again.
    Actually of course, none of this I mean seriously, rather, I write it to
    show how much specialist knowledge, and effort, is required to be
    anonymous.)

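    The design problem in the post above, replayed as an added example (not Revolut's code, and the account holders, numbers and amounts are constructed): a ledger keyed by phone number parks a transfer to a stale number in limbo while reporting success, and pays whoever the telco reassigns the number to; a ledger keyed by an id it issues itself, with the phone number kept only as a contact attribute that is re-checked at transfer time, fails closed instead.

```python
"""Phone numbers as account identifiers vs. issuer-assigned ids.

Added example for the Revolut item above; it is not Revolut's code and the
holders, numbers and amounts are constructed. It contrasts a ledger keyed by
phone number (an identifier the telco controls and may reassign) with one keyed
by a never-reused id the ledger itself issues, where the phone number is only a
contact attribute that is re-checked at transfer time.
"""
from dataclasses import dataclass
from itertools import count


@dataclass
class Account:
    account_id: str
    holder: str
    phone: str
    balance: int = 0


class PhoneKeyedLedger:
    """Accounts addressed by phone number, as the post describes."""

    def __init__(self):
        self.by_phone = {}
        self.limbo = []  # (phone, amount) parked with no owner
        self._ids = count(1)

    def open(self, holder, phone):
        acct = Account(f"P{next(self._ids)}", holder, phone)
        self.by_phone[phone] = acct
        return acct

    def change_phone(self, old, new):
        acct = self.by_phone.pop(old)
        acct.phone = new
        self.by_phone[new] = acct

    def transfer(self, to_phone, amount):
        """The sender's counter-party entry stores only a phone number."""
        acct = self.by_phone.get(to_phone)
        if acct is None:
            # Number matches nobody: funds are parked and the sender is still
            # told the transfer succeeded, the silent limbo in the post.
            self.limbo.append((to_phone, amount))
            return "success"
        acct.balance += amount  # whoever holds the number today is paid
        return "success"


@dataclass(frozen=True)
class Payee:
    """Counter-party entry: issuer id plus the phone seen when it was saved."""
    account_id: str
    phone_at_save: str


class IdKeyedLedger:
    """Accounts keyed by an id the ledger issues and never reuses."""

    def __init__(self):
        self.by_id = {}
        self._ids = count(1)

    def open(self, holder, phone):
        acct = Account(f"R{next(self._ids)}", holder, phone)
        self.by_id[acct.account_id] = acct
        return acct

    def change_phone(self, account_id, new):
        self.by_id[account_id].phone = new

    def save_payee(self, phone):
        """Resolve the phone number once, at payee creation, and keep the id."""
        for acct in self.by_id.values():
            if acct.phone == phone:
                return Payee(acct.account_id, phone)
        raise LookupError(f"no account currently uses {phone}")

    def transfer(self, payee, amount):
        acct = self.by_id[payee.account_id]  # id is stable; KeyError only if closed
        if acct.phone != payee.phone_at_save:
            # Fail closed instead of parking the money or paying a stranger.
            return "rejected: payee contact details changed, re-verify payee"
        acct.balance += amount
        return "success"


def scenario_phone_keyed():
    """Replays the post: stale number -> limbo; reassigned number -> wrong person."""
    ledger = PhoneKeyedLedger()
    bob = ledger.open("bob", "+15550100")          # constructed numbers
    saved_number = bob.phone                         # sender's counter-party entry
    ledger.change_phone("+15550100", "+15550199")    # Bob switches numbers
    first = ledger.transfer(saved_number, 50)        # parked, yet reports success
    carol = ledger.open("carol", "+15550100")        # telco reassigns old number
    ledger.transfer(saved_number, 25)                # now credited to Carol
    return first, ledger.limbo, carol.balance


def scenario_id_keyed():
    ledger = IdKeyedLedger()
    bob = ledger.open("bob", "+15550100")
    payee = ledger.save_payee("+15550100")
    ok = ledger.transfer(payee, 50)                  # number unchanged: credited
    ledger.change_phone(bob.account_id, "+15550199")
    ledger.open("carol", "+15550100")                # reassigned number, separate id
    rejected = ledger.transfer(payee, 25)            # fails closed, Bob keeps 50
    return ok, rejected, bob.balance
```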
    ------------------------------

    Date: Sat, 9 Mar 2019 20:38:12 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How Kids Are Using Google Docs to Bully Each Other (Offspring)

    As a parent, you might walk past your child’s room and see her happily
    typing away on a Google Docs page. ``Lovely!'', you think. ``She's
    probably working on her science report or finishing up her essay on the rise
    of RBG.''

    Or, she could be in a secret chat room.

    In today's edition of Let's Try to Stay One Step Ahead of Our Kids on the
    Internet (spoiler: we can't!), we're offering this heads-up: Some are using
    Google Docs, the seemingly wholesome web-based word processor, to skirt
    their parents' tech rules. It's impressive, really. All they need to do is
    open up a document, invite their friends to become collaborators, and boom
    -- they have a private space to chat, draw, share links, upload photos and
    post memes. Google Docs is hardly a program parents think to block (in fact,
    on tech message boards, I've seen several parents asking how to ban
    everything except for the software) and many kids already have accounts for
    school. After the chat session, they can simply delete the document and
    empty their Trash folder without leaving any record.

    https://offspring.lifehacker.com/how-kids-are-using-google-docs-to-bully-each-other-1833151374

    ------------------------------

    Date: Sat, 9 Mar 2019 10:56:00 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Man told he's going to die by doctor on video-link robot (bbc.com)

    https://www.bbc.com/news/world-us-canada-47510038

    "A doctor in California told a patient he was going to die using a robot
    with a video-link screen.

    "Ernest Quintana, 78, was at Kaiser Permanente Medical Center in Fremont
    when a doctor - appearing on the robot's screen - informed him that he would
    die within a few days.

    "A family friend wrote on social media that it was 'not the way to show
    value and compassion to a patient'.

    "The hospital says it 'regrets falling short' of the family's expectations.

    "Mr Quintana died the next day."

    "Michelle Gaskill-Hames, senior vice-president of Kaiser Permanente Greater
    Southern Alameda County, told the Associated Press that its policy was to
    have a nurse or doctor in the room when remote consultations took place."

    Risk: Telemedicine's convenience eliminates compassion from healthcare
    delivery, especially for acute patient illness.

    [Also noted by Mark Thorson. PGN]

    ------------------------------

    Date: Sat, 9 Mar 2019 11:14:15 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Drowning detection system to be set up at 28 public pools
    (Straits Times)

    https://www.straitstimes.com/singapore/drowning-detection-system-to-be-set-up-at-28-public-pools

    Silicon supplements lifeguard vigilance.

    Risk: Image recognition to detect drowning swimmer and alert public
    safety/lifeguard response.

    ------------------------------

    Date: Sun, 10 Mar 2019 09:14:25 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: First print something bad, then cover it up with something good

    Let's say we first print something bad, then we cover it up with something
    good.

    And say we really shouldn't print something bad in the first place, but it
    doesn't matter, because at today's speeds, users will surely never notice.

    https://debbugs.gnu.org/cgi/bugreport.cgi?bug=34477

    Got me thinking about this.

    ------------------------------

    Date: Sat, 9 Mar 2019 22:46:28 -0800
    From: Rich Wales <ri...@richw.org>
    Subject: U.S. DST change proposals and WWVB radio clocks

    Some U.S. states are mulling proposals to adopt Daylight Saving Time year
    round -- I'm aware of California and Florida, for example. At least one
    Canadian province (British Columbia) is considering doing the same.

    It occurs to me that if states in the Eastern time zone (UTC-5; UTC-4 in
    summer) adopt year-round DST, this will break WWVB-based "atomic clocks" in
    those states during the winter (November through early March).

    WWVB-based clocks currently on the market in the US offer four time zones
    (Pacific, Mountain, Central, and Eastern), plus an option either to move
    between standard and daylight time per the US-wide rules or to stay
    permanently on standard time. If California goes to year-round DST, "atomic
    clock" owners in CA could set their clocks to use Mountain time with no DST.
    These option settings do not provide any way to specify Eastern daylight
    time during winter, however, so if an east-coast state (like Florida) moves
    to year-round DST, "atomic" clocks in use there will be an hour off for four
    months out of the year.

    Two possible solutions would be either to add a third DST setting (i.e., DST
    always on), or else to add a fifth time zone (Atlantic) and tell consumers
    in the affected states to select Atlantic time with no DST. Affected
    consumers would, of course, need to buy new clocks, since it's impossible to
    upgrade the firmware in existing clocks.

    ------------------------------

    Date: Sat, 9 Mar 2019 10:06:22 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Hackers can get into Macs with sneaky tricks, Crowdstrike experts say
    (CNET)

    *The cybersecurity company says it's seen hackers get deep access into the
    Macs of regular users.*

    EXCERPT:

    It's long been legend that Macs are harder to hack than other computers.
    Not only are they said to be more secure, but fewer people use them, so
    hackers have less incentive to break in.
    <https://www.cnet.com/tags/hacking/>

    Cybersecurity company Crowdstrike is happy to bust that myth. At the RSA
    Conference on Thursday, CEO George Kurtz and CTO Dmitri Alperovitch
    detailed hacking techniques they've seen used to do a host of bad things on
    Apple-built computers.
    https://www.cnet.com/apple/

    Attackers can trick Mac users into downloading malicious software and then
    get deep access into the computer, the Crowdstrike executives said. They
    also have tools to loot the system's keychain for more passwords and build
    backdoors into the machines, allowing hackers to have repeated access.

    "They have interesting tradecraft on Macs," Alperovitch said of the hackers.
    The Crowdstrike presentation comes in the wake of a flaw found in Apple's
    Facetime app
    <https://www.cnet.com/news/apples-facetime-bug-was-discovered-by-a-teen-playing-fortnite/>
    that could have let hackers listen in on unwitting iPhone
    <https://www.cnet.com/reviews/apple-iphone-xs-review/>
    users, as well as a
    vulnerability in the keychain
    <https://www.cnet.com/news/keysteal-exploit-attacks-macos-keychain-to-take-all-your-passwords/>
    which stores the passwords of apps connected to a Mac. Taken together,
    these flaws mean Mac users should take steps to keep their computers secure
    instead of relying on Apple's reputation for security to keep them safe...

    [...]
    https://www.cnet.com/news/hackers-can-get-into-macs-with-sneaky-tricks-crowdstrike-experts-say/

    ------------------------------

    Date: Sun, 10 Mar 2019 15:58:43 -0600
    From: Jim Reisert AD1C <jjre...@alum.mit.edu>
    Subject: A woman was trying to take a selfie with a jaguar when it attacked
    her, authorities say (WashPost)

    Lindsey Bever, *The Washington Post*, 10 Mar 2019

    A woman was attacked by a jaguar as she was apparently trying to get a
    photo outside the big cat's enclosure at Wildlife World Zoo in Arizona,
    authorities said.

    Shawn Gilleland, a spokesman for the Rural Metro Fire Department, told The
    Washington Post on Sunday that fire crews said the woman, who is in her
    30s, climbed over a barrier at the zoo Saturday to get closer to the
    jaguar's enclosure so that she could get a selfie with the animal. The
    jaguar reached out and grabbed her arm with its paw, leaving lacerations,
    Gilleland said.

    https://www.washingtonpost.com/scie...-jaguar-when-it-attacked-her-authorities-say/

    ------------------------------

    Date: Tue, 12 Mar 2019 00:20:01 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Bumble Bee Foods Is Tracking Tuna on a Blockchain (Fortune)

    Supporters of enterprise blockchains say they tend to work best in
    situations where people want to share tamper-resistant data among many
    parties. Critics of the technology argue that it offers little in the way of
    improvement over traditional database software; still other critics say the
    technology doesn't truly qualify as a blockchain unless it is public and
    open and has a cryptocurrency, like Bitcoin, tied to it.

    http://fortune.com/2019/03/08/tuna-blockchain-bumble-bee-sap/

    As usual, no explanation of what "tracking tuna on a blockchain" MEANS...

    ...as in, how is an individual fish -- or shipment -- irrevocably tied to a
    transaction or data?

    [O ForTuna! (Carl Orff, Carmina Burana) PGN]

    ------------------------------

    Date: Tue, 12 Mar 2019 11:12:27 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: More on the SwissPost hacking challenge (RISKS-30.81-82)

    The Swiss challenge to hack their voting system has moved along. Three
    independent research groups have announced a vulnerability that permits the
    undetectable insertion of bogus votes (and alteration of existing ones?).

    https://motherboard.vice.com/en_us/...itical-backdoor-in-swiss-online-voting-system

    https://people.eng.unimelb.edu.au/vjteague/SwissVote

    ------------------------------

    Date: Fri, 8 Mar 2019 17:02:29 -0600
    From: Not the best way To stay unknown <year.of.t...@gmail.com>
    Subject: Anticipating a deluge of false...cat belling, revisited?

    One of the URLs listed in the Editorial comment had health-data links that
    shared an ironic similarity of some Facebook postings.

    https://www.naturalhealth365.com/vaccinations-autism-news-2849.html

    By comparison, a Slashdot article noted:

    https://science.slashdot.org/story/...ne-doesnt-cause-autism-even-in-high-risk-kids

    I have followed RISKS for decades, finding it providing education and
    information not widely available. I did not expect to be reminded of a
    newspaper city editor's skepticism in "if your mother says she loves you,
    check it out."

    (I recognize that this email is likely to be trashed. [No. Sorry, I could
    not do that. PGN] Thus the reference to who will bell the cat. I do find
    your work on RISKS large-hearted and helping inestimably in pushing back the
    FUD.) Mark Norem

    ------------------------------

    Date: Mon, 11 Mar 2019 15:18:00 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Robocalls Routed via Virtue Signaling Network? (NYTimes)

    Here in Canada a number of classes of operations are exempt from having to
    comply with the National CRTC Do Not Call List, in particular politicians
    and their Opinion Polling Allies, among other exceptions.

    However each of these entities is required to clearly identify themselves,
    and to stop talking if you interrupt. At that point you can order them to
    add your number to their own internal Do Not Call List, giving you a
    confirmation code. After that they cannot call you again. This seems to be
    cloaked in Security by Obscurity, few people seem aware of these secondary
    DNC lists.

    https://crtc.gc.ca/eng/phone/telemarketing/reg.htm

    "Am I an exempt telemarketer?

    * registered charities raising funds
    * newspapers looking for subscriptions
    * political parties and their candidates
    * companies who only make telemarketing calls and send faxes to businesses

    * Being an exempt telemarketer does not eliminate your responsibility
    to maintain your own internal do not call list.

    * You must also maintain your own internal do not call list ...

    * You can't call or send faxes to the consumers on your own internal
    do not call lists."

    ------------------------------

    Date: Fri, 8 Mar 2019 16:25:07 -0500
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Re: but we never activated the cameras (RISKS-31.10)

    Is Your Seatmate Googling You? (NYTimes)
    We underestimate the risks to privacy in our everyday, offline lives.
    Read More... <https://nyti.ms/2UrV2NE?smid=nytcore-ios-share>

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.11
    ************************
     
  3. LakeGator

    Risks Digest 31.12

    RISKS List Owner

    Mar 18, 2019 6:13 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 18 March 2019 Volume 31 : Issue 12

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    The Rapid Decline Of The Natural World Is A Crisis Even Bigger Than
    Climate Change (HuffPost via Geoff Goodfellow)
    Boeing promised pilots a 737 software fix last year, but they're
    still waiting (NYTimes)
    American Airlines takes jets out of service, cancels flights due to
    overhead-bin problem (CNBC)
    How Artificial Intelligence Could Transform Medicine (NYTimes)
    Cancer Patients Are Getting Robotic Surgery; there's no evidence
    it's better (NYTimes)
    Toyota patents system to dispense tear gas on car thieves (Autoblog)
    World of hurt: GoDaddy, Apple, and Google misissue >1M certificates
    (Ars Technica)
    When your IoT goes dark: Why every device must be open source and multicloud
    (ZDNet)
    Companies are leaking sensitive files via Box accounts (Catalin Cimpanu)
    Women face greater threat from job automation than men: Study
    (The Straits Times)
    "Security Holes Found in Big Brand Car Alarms" (Dan Simmons)
    A slew of CEOs charged in alleged college entrance cheating scam
    (Monty Solomon)
    Hashing to prevent spread of hate videos? (CNN)
    Tech's Moral Void (CBC)
    U.S. Campaign to Ban Huawei Overseas Stumbles as Allies Resist (NYTimes)
    App notification for a stranger on my phone (Steven Klein)
    Re: U.S. DST change proposals and WWVB radio clocks (John Levine)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 17 Mar 2019 09:38:06 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The Rapid Decline Of The Natural World Is A Crisis Even Bigger
    Than Climate Change

    *A three-year UN-backed study from the Intergovernmental Science-Policy
    Platform On Biodiversity and Ecosystem Services has grim implications for
    the future of humanity.*

    EXCERPT:

    Nature is in freefall and the planet's support systems are so stretched
    that we face widespread species extinctions and mass human migration unless
    urgent action is taken. That's the warning hundreds of scientists are
    preparing to give, and it's stark.

    The last year has seen a slew of brutal and terrifying warnings about the
    threat climate change poses to life. Far less talked about but just as
    dangerous, if not more so, is the rapid decline of the natural world. The
    felling of forests, the over-exploitation of seas and soils, and the
    pollution of air and water are together driving the living world to the
    brink, according to a huge three-year, U.N.-backed landmark study to be
    published in May.

    The study from the Intergovernmental Science-Policy Platform On
    Biodiversity and Ecosystem Services (IPBES), expected to run to over 8,000
    pages, is being compiled by more than 500 experts in 50 countries. It is
    the greatest attempt yet to assess the state of life on Earth and will show
    how tens of thousands of species are at high risk of extinction, how
    countries are using nature at a rate that far exceeds its ability to renew
    itself, and how nature's ability to contribute food and fresh water to a
    growing human population is being compromised in every region on earth.

    Nature underpins all economies with the `free' services it provides in the
    form of clean water, air and the pollination of all major human food crops
    by bees and insects. In the Americas, this is said to total more than $24
    trillion a year. The pollination of crops globally by bees and other animals
    alone is worth up to $577 billion.

    The final report will be handed to world leaders not just to help
    politicians, businesses and the public become more aware of the trends
    shaping life on Earth, but also to show them how to better protect nature.

    ``High-level political attention on the environment has been focused largely
    on climate change because energy policy is central to economic growth. But
    biodiversity is just as important for the future of earth as climate
    change,'' said Sir Robert Watson, overall chair of the study, in a telephone
    interview from Washington, D.C.

    ``We are at a crossroads. The historic and current degradation and
    destruction of nature undermine human well-being for current and countless
    future generations,'' added the British-born atmospheric scientist who has
    led programs at NASA and was a science adviser in the Clinton
    administration. ``Land degradation, biodiversity loss and climate change are
    three different faces of the same central challenge: the increasingly
    dangerous impact of our choices on the health of our natural environment.''

    Around the world, land is being deforested, cleared and destroyed with
    catastrophic implications for wildlife and people. Forests are being felled
    across Malaysia, Indonesia and West Africa to give the world the palm oil we
    need for snacks and cosmetics. Huge swaths of Brazilian rainforest are being
    cleared to make way for soy plantations and cattle farms, and to feed the
    timber industry, a situation likely to accelerate under new leader Jair
    Bolsonaro, a right-wing populist.

    Industrial farming is to blame for much of the loss of nature, said Mark
    Rounsevell, professor of land use change at the Karlsruhe Institute of
    Technology in Germany, who co-chaired the European section of the IPBES
    study. ``The food system is the root of the problem. The cost of ecological
    degradation is not considered in the price we pay for food, yet we are still
    subsidizing fisheries and agriculture.''

    This destruction wrought by farming threatens the foundations of our food
    system. A February report from the U.N. warned that the loss of soil,
    plants, trees and pollinators such as birds, bats and bees undermines the
    world's ability to produce food.

    An obsession with economic growth as well as spiraling human populations is
    also driving this destruction, particularly in the Americas where GDP is
    expected to nearly double by 2050 and the population is expected to increase
    20 percent to 1.2 billion over the same period. [...]

    The Rapid Decline Of The Natural World Is A Crisis Even Bigger Than Climate Change | HuffPost

    [Why is this item included in the ACM Forum on Risks to the Public in
    Computers and Related Systems? Because climate change can affect almost
    every related system, one way or another. End of story. And perhaps the
    end of the planet, as well. PGN]

    ------------------------------

    Date: Fri, 15 Mar 2019 10:31:32 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: Boeing promised pilots a 737 software fix last year, but they're
    still waiting (NYTimes)

    Boeing Promised Pilots a 737 Software Fix Last Year, but They’re Still Waiting

    Comprehensive avionics software qualification of operational flight plans --
    that stuff blown into PROMs or CPLDs -- requires exceptional organizational
    maturity to achieve.

    One life-cycle maturity indicator resides in collaterals: test plans, test
    results, qualification wall-clock duration, and top-10 defect escapes. These
    data points can indicate production defect escape suppression effectiveness.

    Few, if any, businesses willingly publish this content. Correlate it across
    industrial competition and against mitre.org CVEs to enable and guide
    consumer purchase decisions. Open source "eyes" help to identify code
    defects before publication. Shouldn't commercial-grade mission critical
    software stacks rely on an equivalent inspection mechanism to suppress
    production defect escape potential? IP protection is important, but so are
    the life-critical nature of the product, brand resilience, and the end-user.

    In Boeing's case, there appears to be a maturity gap. Repair deployment
    delay is one, and deficient transition/training of new capabilities is
    another, especially in light of the emphasis to "reduce deployment and airline
    operational costs."

    Risk: Change management maturity deficiency and opaque industrial operations
    conceal defective product.

    [Earlier items:
    Pressure on Boeing grows as Europe grounds the 737 MAX
    Boeing Tries to Limit the Fallout After U.S. Grounds 737 MAX
    The world pulls the Andon cord on the 737 Max
    Why Investigators Fear the Two Boeing 737s Crashed for Similar Reasons

    Later items:
    The Aerospace Newcomer Whose Data Helped Make the Difference on Grounding
    the 737 MAX
    Also, *The Seattle Times* today (18Mar2019) has some outstanding reporting:
    Flawed analysis, failed oversight: How Boeing, FAA certified the suspect 737 MAX flight control system

    PGN]

    ------------------------------

    Date: Wed, 13 Mar 2019 00:19:48 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: American Airlines takes jets out of service, cancels flights due to
    overhead-bin problem (CNBC)

    American Airlines takes jets out of service, cancels flights due to overhead bin problem

    ------------------------------

    Date: Thu, 14 Mar 2019 14:44:48 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: How Artificial Intelligence Could Transform Medicine (NYTimes)

    How Artificial Intelligence Could Transform Medicine

    In “Deep Medicine,” Dr. Eric Topol looks at the ways that A.I. could improve
    health care, and where it might stumble.

    ------------------------------

    Date: Wed, 13 Mar 2019 17:42:52 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: Cancer Patients Are Getting Robotic Surgery; there's no evidence
    it's better (NYTimes)

    Cancer Patients Are Getting Robotic Surgery. There’s No Evidence It’s Better.

    This essay compares surgical outcomes of traditional v. minimally invasive
    (robotic-assist) surgery for cervical cancer. It also discusses use of
    robotic-assist surgery for off-label purposes.

    Between 01/01/2017 and 02/28/2019, the FDA's MAUDE (Manufacturer and User
    Facility Device Experience) database reports the following events: 29
    deaths, 72 injuries, 306 malfunctions, and 10 other attributed to Brand
    Name: da vinci, Manufacturer: intuitive, and product code: nay (System,
    Surgical, Computer Controlled Instrument).

    Cervical Cancer - Cancer Stat Facts estimates 13,240
    cases of cervical cancer and 4170 deaths from the disease in 2018.

    I cannot find a definitive reference for the total number of field deployed
    Da Vinci units, nor a total count of surgeries between 01JAN2017 and
    28FEB2019. These figures are probably closely guarded by Intuitive Surgical,
    the Da Vinci's manufacturer.

    Risk: Patient outcome, including death.

    Refer to earlier comp.risks contributions on Da Vinci and robotic surgery.
    The Risks Digest
    The Risks Digest
    The Risks Digest

    ------------------------------

    Date: Tue, 12 Mar 2019 21:00:15 -0400
    From: Steven J Klein <ste...@klein.us>
    Subject: Toyota patents system to dispense tear gas on car thieves
    (Autoblog)

    The website autoblog says:

    The patent includes a system that will release tear gas into the car. The
    noxious gas is piped in when the vehicle detects an illegitimate engine
    start.

    Toyota patents in-car fragrance system that dispenses tear gas on car thieves

    What could possibly go wrong?

    ------------------------------

    Date: Wed, 13 Mar 2019 23:10:58 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: World of hurt: GoDaddy, Apple, and Google mis-issue >1M certificates
    (Ars Technica)

    A world of hurt after GoDaddy, Apple, and Google misissue >1 million certificates

    ------------------------------

    Date: Thu, 14 Mar 2019 00:06:28 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: When your IoT goes dark: Why every device must be open source and
    multicloud (ZDNet)

    Earlier this month, owners of the Jibo personal social robot -- a servomotor
    animated smart speaker with a friendly circular display "face" that
    underwent $73 million of venture capital funding -- saw their product's
    cloud services go dark after the company had its assets sold to SQN Ventures
    Partners in late 2018.

    The robot, aware of its impending demise, alerted owners with a sad farewell
    message:

    ``While it's not great news, the servers out there that let me do what I
    do are going to be turned off soon. I want to say I've really enjoyed our
    time together. Thank you very, very much for having me around. Maybe
    someday, when robots are way more advanced than today, and everyone has
    them in their homes, you can tell yours that I said hello. I wonder if
    they'll be able to do this.''

    What Jibo, no `Daisy'? So disappointing.

    When your IoT goes dark: Why every device must be open source and multicloud | ZDNet

    ------------------------------

    Date: Tue, 12 Mar 2019 19:43:51 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Companies are leaking sensitive files via Box accounts
    (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 11 Mar 2019
    Companies are leaking sensitive files via Box accounts
    Leaks discovered at Apple, the Discovery Channel, Herbalife,
    Schneider Electric, and even Box itself.

    Companies are leaking sensitive files via Box accounts | ZDNet

    Companies that use Box.com as a cloud-based file hosting and sharing system
    might be accidentally exposing internal files, sensitive documents, or
    proprietary technology.

    The problem lies with Box.com account owners who don't set a default access
    level of "People in your company" for file/folder sharing links, leaving all
    newly created links accessible to the public.

    [What about having a warning message such as 'Warning: The default access
    has not been set to "People in your company". This is dangerous as
    outsiders could access information that should remain private. Do you
    wish to change this?' [Yes] [Why Not?]]

    If the organization also allows users to customize the link with vanity URLs
    instead of using random characters, then the links of these files can be
    guessed using dictionary attacks.

    [Risk: Calling it a "vanity" URL. Being able to specify a URL is useful
    for mnemonic reasons. Is someone going to think the reason for specifying
    the name is vanity?]

    This is what Adversis did last year. The company says it scanned Box.com for
    accounts belonging to large companies and attempted to guess vanity URLs of
    files or folders that employees shared in the past.

    Its efforts weren't in vain. In a report published today, Adversis said it
    found a trove of highly sensitive data such as:
    [the usual sort of stuff: were you really expecting something else?]

    Most of these file leaks have been fixed, and Box notified all customers
    last September of the dangers of using incorrect access permissions for
    Box.com share links.

    "We provide admins tools to run various reports on open links across their
    enterprise, as well as to disable open and custom URLs for their
    enterprise," a Box spokesperson told us via email. "Admins can also ensure
    that 'People in the Company' is the default setting for all shared links to
    limit the potential for a user to set a [file] as public inadvertently."

    [What about making such a scan being the default action?]

    ------------------------------

    Date: Wed, 13 Mar 2019 18:10:51 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: Women face greater threat from job automation than men: Study
    (The Straits Times)

    Women face greater threat from job automation than men: Study

    "Women across the economic spectrum are more vulnerable than men to losing
    their jobs to technology, according to a study released on Wednesday (March
    13) by the Institute for Women's Policy Research.

    "Among the positions with more than a 90 per cent chance of becoming
    automated were administrative assistant, office clerk, bookkeeper and
    cashier, all fields dominated by women.

    "We're already seeing some of that with tasks being replaced by computers,"
    said Ms Chandra Childers, the study director and a senior researcher at the
    IWPR."

    Risk: Gender inequality intensified by technology.

    ------------------------------

    Date: Fri, 15 Mar 2019 12:00:50 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: "Security Holes Found in Big Brand Car Alarms" (Dan Simmons)

    Dan Simmons, BBC News, 8 Mar 2019, via ACM TechNews; Friday, March 15, 2019

    Security researchers in the U.K. have found vulnerabilities in three popular
    smart car alarm apps, making vehicles susceptible to theft or hijacking. The
    apps--from the companies Clifford, Viper, and Pandora--control alarms in 3
    million vehicles. For example, Pandora Alarms, which had hyped its system as
    "unhackable," was found to permit users to reset passwords for any account,
    enabling hackers to activate car alarms, unlock vehicle doors, and start
    engines. The researchers also determined Clifford's app had a bug that
    allowed them to use a legitimate account to access other users' profiles,
    then alter the passwords for those accounts and take control. Viper and
    Clifford parent firm Directed has corrected the bug, while Pandora also said
    it has upgraded security. Alan Woodward at the University of Surrey said it
    was "disappointing" that relatively simple vulnerabilities had been
    introduced by security companies.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1ed98x21ae50x069377&

    ------------------------------
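    [Editor's note on the item above: both findings, a password reset that
    works for any account and a legitimate account that can reach and rewrite
    other users' profiles, are missing authorization checks rather than
    anything exotic. The Python below is an added illustration, not code from
    the BBC/ACM item or from the vendors it names (whose apps are not public);
    the in-memory store, request shape and handler names are assumed. Each
    vulnerable handler is shown beside its hardened form.]

```python
"""Account takeover through missing authorization, and the checks that stop it.

Editor's added example; not code from the BBC/ACM item or from the vendors it
names. The store, request shape and handler names are hypothetical. It models
the two bug classes the item describes: a password reset that acts on any
account named in the request, and a profile update that trusts a client-
supplied account id instead of the authenticated session.
"""
import hashlib
import hmac
import os
import secrets
from typing import Dict, Optional


class Account:
    def __init__(self, user_id: str, email: str, password: str) -> None:
        self.user_id, self.email = user_id, email
        self.reset_token_hash: Optional[bytes] = None  # sha256 of an unused token
        self.set_password(password)

    def set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)

    def check_password(self, password: str) -> bool:
        cand = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 50_000)
        return hmac.compare_digest(cand, self.pw_hash)


class Store:
    """In-memory account table standing in for the vendor's backend."""
    def __init__(self) -> None:
        self.accounts: Dict[str, Account] = {}

    def by_email(self, email: str) -> Optional[Account]:
        return next((a for a in self.accounts.values() if a.email == email), None)


# Bug class 1: "reset passwords for any account"

def reset_password_vulnerable(store: Store, request: dict) -> bool:
    """Trusts the e-mail in the request body: anyone can reset anyone."""
    acct = store.by_email(request["email"])
    if acct is None:
        return False
    acct.set_password(request["new_password"])
    return True


def issue_reset_token(store: Store, email: str) -> Optional[str]:
    """Server side of 'forgot password'. The token goes out of band (e-mail)
    and only its hash is stored. Unknown addresses get None rather than an
    error, so the endpoint does not confirm which e-mails have accounts."""
    acct = store.by_email(email)
    if acct is None:
        return None
    token = secrets.token_urlsafe(32)
    acct.reset_token_hash = hashlib.sha256(token.encode()).digest()
    return token


def reset_password_hardened(store: Store, request: dict) -> bool:
    """Requires proof of control of the mailbox: a matching, unused token,
    compared in constant time."""
    acct = store.by_email(request["email"])
    presented = hashlib.sha256(request.get("token", "").encode()).digest()
    if acct is None or acct.reset_token_hash is None:
        return False
    if not hmac.compare_digest(presented, acct.reset_token_hash):
        return False
    acct.reset_token_hash = None  # single use: a replayed token fails
    acct.set_password(request["new_password"])
    return True


# Bug class 2: "use a legitimate account to access other users' profiles"

def update_email_vulnerable(store: Store, session_user: str, request: dict) -> bool:
    """Authenticated but not authorized: the target comes from the client,
    and session_user is never consulted."""
    acct = store.accounts.get(request["user_id"])
    if acct is None:
        return False
    acct.email = request["email"]
    return True


def update_email_hardened(store: Store, session_user: str, request: dict) -> bool:
    """The object acted on is derived from the session, never from the body;
    a body id that disagrees with the session is rejected outright."""
    if request.get("user_id", session_user) != session_user:
        return False
    acct = store.accounts.get(session_user)
    if acct is None:
        return False
    acct.email = request["email"]
    return True


def demo_store() -> Store:
    """Constructed sample accounts (not real users)."""
    store = Store()
    for uid, email, pw in [("alice", "alice@example.invalid", "correct horse"),
                           ("mallory", "mallory@example.invalid", "hunter2")]:
        store.accounts[uid] = Account(uid, email, pw)
    return store
```

    The hardened reset ties the action to something only the mailbox owner
    receives, stores only a hash of it, compares in constant time and burns
    it on first use; the hardened profile update takes the target from the
    session and refuses a body-supplied id that disagrees. Those are the two
    checks whose absence the item's findings imply.

    ------------------------------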

    Date: Wed, 13 Mar 2019 00:24:24 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: A slew of CEOs charged in alleged college entrance cheating scam
    (Sundry Sources)

    A slew of CEOs charged in alleged college entrance cheating scam
    A slew of CEOs charged in college entrance cheating scam

    FBI accuses wealthy parents, including celebrities, in college-entrance
    bribery scheme
    https://www.washingtonpost.com/worl...1c9942-44d1-11e9-8aab-95b8d80a1e4f_story.html

    College admissions bribery scheme affidavit
    https://games-cdn.washingtonpost.co...note/1310d5d4-ef15-4ea9-ad35-5edaac10cbb5.pdf

    College Admissions Scandal: Actresses, Business Leaders and Other Wealthy Parents Charged
    https://www.nytimes.com/2019/03/12/us/college-admissions-cheating-scandal.html

    From ‘master coach’ to a bribery probe: A college consultant who went off the rails
    https://www.washingtonpost.com/loca...3a6bfe-4501-11e9-aaf8-4512a6fe3439_story.html

    Why the College-Admissions Scandal Is So Absurd
    For the parents charged in a new FBI investigation, crime was a cheaper and
    simpler way to get their kids into elite schools than the typical advantages
    wealthy applicants receive.
    https://www.theatlantic.com/educati...s-scandal-fbi-targets-wealthy-parents/584695/

    Kids Are the Victims of the Elite-College Obsession: Too many families are
    focusing on college prep, molding the student to fit a school.
    https://www.theatlantic.com/ideas/a...scandal-shows-elite-college-obsession/584719/

    [Also:
    https://www.cnn.com/2019/03/12/us/college-admissions-scheme-how-it-worked/index.html
    College scam mastermind Photoshopped students' faces onto athletes:
    prosecutors (NY Post):
    https://nypost.com/2019/03/12/college-scam-mastermind-photoshopped-students-faces-onto-athletes/
    PGN]

    ------------------------------

    Date: Sun, 17 Mar 2019 10:45:56 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: Hashing to prevent spread of hate videos? (CNN)

    The general media has (temporarily) discovered hashing.
    https://lite.cnn.io/en/article/h_f53c07f70ccd1b7fd21d53163da2c280

    I predict a short run of calls for social media platforms to use it to
    prevent the spread of hate videos, violent videos, revenge pr0n, etc, etc,
    etc.

    I've seen hashing in use for some time. Fifteen years ago it was very
    popular as the increase in the number of viruses exploded. Not so long ago
    Facebook tried using it in an odd, rather futile, and foolish attempt to
    prevent revenge pr0n. It's been used to prevent the theft of music and
    video as intellectual property for some time.

    It works, a bit, but not terribly well.

    The idea is to detect something you don't want spread, and then take a hash
    of it. You can then search, relatively quickly, and compare that hash value
    against the hash values of either existing files, or newly uploaded files
    (depending upon your application).

    I said "relatively" quickly. One of the people quoted in that article said
    "It's exceedingly fast." It's exceedingly fast compared to more detailed
    forms of analysis. But when around 10 *hours* of video are uploaded to
    YouTube alone every *second* (anybody have current statistics?) ... well,
    hashing does take some time, and little bits add up. And then there is the
    time to compare every hash against every other hash ...

    And hashing works only if nothing has been changed. After all, hash values
    are used, sometimes in digital signatures or certificates, to ensure that
    something hasn't changed. Again, someone in the article referred to
    "'robust' hashing -- a method that should be able to detect variations on
    re-uploads." That's an interesting use of the word "robust." I'd think
    most people in the crypto field would think of a "robust" hash as one that
    would detect any changes, not one that would allow some changes and still
    match. But, quite aside from the use of the word "robust," making a hash
    that will accept some changes and still detect "similar" is a non-trivial
    task. And such a hash function would likely take even more time to run.

    It's easy to use hashes to catch direct and identical copies. But videos
    can be modified in all kinds of ways. They can be edited for length, cut
    into collections, processed to add comments, or even just drop a few packets
    during streaming. Any or all of these events could mean that a hash value
    will not match.

    No, I don't think hashing will be the silver bullet people are looking for ...

    ------------------------------
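    [Editor's note on the item above: the distinction Rob draws, between a
    hash that changes on any edit and a "robust" one that is meant to survive
    edits, is easy to see in code. The Python below is an added illustration,
    not part of the digest item and not code from any platform it mentions.
    It takes a constructed synthetic grey-scale frame (no real video), hashes
    it with SHA-256 and with a simple average hash (aHash, one bit per 8x8
    cell relative to the frame mean), then applies three edits: a uniform
    brightness shift of the kind a re-encode produces, a small caption
    overlay, and a full inversion. Threshold and frame size are assumptions.]

```python
"""Exact-match hashing versus a change-tolerant ("perceptual") hash.

Editor's added example; it is not part of the RISKS item above and is not
code from any platform named there. A SHA-256 digest over a frame changes
completely on any edit, while a simple average hash (aHash) over an 8x8
downsample survives a re-encode-style brightness shift and a small caption
overlay. The frames are constructed synthetic grey-scale data, not real video.
"""
import hashlib
from typing import Dict, List

Frame = List[List[int]]  # rows of 8-bit grey values, 0..255


def make_frame(width: int = 64, height: int = 64) -> Frame:
    """Constructed sample frame: a diagonal gradient with a bright block."""
    frame = [[x + y for x in range(width)] for y in range(height)]
    for y in range(20, 40):
        for x in range(24, 44):
            frame[y][x] = 200
    return frame


def sha256_hex(frame: Frame) -> str:
    """Cryptographic digest of the raw pixels: any change flips the whole value."""
    return hashlib.sha256(bytes(v for row in frame for v in row)).hexdigest()


def average_hash(frame: Frame, size: int = 8) -> int:
    """aHash: average each of size*size blocks, set a bit where the block is
    brighter than the frame mean. Returns a size*size-bit integer."""
    bh, bw = len(frame) // size, len(frame[0]) // size
    cells = []
    for by in range(size):
        for bx in range(size):
            block = [frame[y][x]
                     for y in range(by * bh, (by + 1) * bh)
                     for x in range(bx * bw, (bx + 1) * bw)]
            cells.append(sum(block) / len(block))
    mean = sum(cells) / len(cells)
    bits = 0
    for v in cells:
        bits = (bits << 1) | (1 if v > mean else 0)
    return bits


def hamming(a: int, b: int) -> int:
    """Number of differing bits between two hashes."""
    return bin(a ^ b).count("1")


def brighten(frame: Frame, delta: int) -> Frame:
    """Uniform brightness shift, clamped to 8 bits (what a re-encode may do)."""
    return [[min(255, max(0, v + delta)) for v in row] for row in frame]


def add_caption(frame: Frame) -> Frame:
    """Overlay a white bar in the bottom-left corner: an added comment."""
    out = [row[:] for row in frame]
    for y in range(len(out) - 6, len(out)):
        for x in range(16):
            out[y][x] = 255
    return out


def invert(frame: Frame) -> Frame:
    """Negative of the frame: content the hash should treat as different."""
    return [[255 - v for v in row] for row in frame]


def is_near_duplicate(a: Frame, b: Frame, threshold: int = 10) -> bool:
    """Tolerant match: hashes within `threshold` of 64 bits count as the same."""
    return hamming(average_hash(a), average_hash(b)) <= threshold


def find_matches(index: Dict[int, str], frame: Frame, threshold: int = 10) -> List[str]:
    """Exact hits are a dictionary lookup; a tolerant match has to be compared
    against every stored hash, which is the cost Rob refers to."""
    h = average_hash(frame)
    if h in index:
        return [index[h]]
    return [label for known, label in index.items() if hamming(known, h) <= threshold]


if __name__ == "__main__":
    original = make_frame()
    index = {average_hash(original): "original"}
    for name, edited in [("brightened", brighten(original, 40)),
                         ("captioned", add_caption(original)),
                         ("inverted", invert(original))]:
        print(name,
              "sha256 equal:", sha256_hex(edited) == sha256_hex(original),
              "aHash distance:", hamming(average_hash(original), average_hash(edited)),
              "matches:", find_matches(index, edited))
```

    On the constructed frame the brightness shift leaves the aHash identical
    (distance 0) while SHA-256 differs, the caption flips 7 of 64 bits and
    still matches under a 10-bit threshold, and inversion flips all 64. The
    same tolerance that lets a re-upload through also widens the net: a
    threshold loose enough to catch edits will eventually match unrelated
    frames whose coarse brightness layout happens to agree, so the threshold
    is a false-positive/false-negative trade-off, not a free parameter.

    ------------------------------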

    Date: Fri, 15 Mar 2019 20:43:36 -0600
    From: "Matthew Kruk" <mkr...@gmail.com>
    Subject: Tech's Moral Void (CBC)

    https://www.cbc.ca/radio/ideas/tech-s-moral-void-1.5056316

    ------------------------------

    Date: Sun, 17 Mar 2019 15:46:47 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: U.S. Campaign to Ban Huawei Overseas Stumbles as Allies Resist
    (NYTimes)

    https://www.nytimes.com/2019/03/17/us/politics/huawei-ban.html

    The Trump administration's effort to ban Huawei from overseas wireless
    networks has suffered from questions over whether the Chinese telecom
    company poses a threat.

    ------------------------------

    Date: Mon, 18 Mar 2019 16:50:22 -0400
    From: <ste...@klein.us>
    Subject: App notification for a stranger on my phone

    My health insurance provider is the largest provider in my state. They have
    an iPhone app that can provide alerts for new claims, explanations of
    benefits, and other related data.

    About 5 minutes ago I got a notification with wording something like this:

    ``The security questions for Carmello have been updated.''

    I'm not Carmello; I don't know anyone by that name.

    Perhaps coincidentally (though probably not), attempts to log into the app
    now fail. When I just now tried to log into the website, I got this vague
    error:

    ``Error - We're sorry, login isn't available at this time. Please log in
    again later.''

    Will I soon be reading about a big data breach at this insurer? I won't be
    surprised.

    ------------------------------

    Date: 13 Mar 2019 17:21:51 +0900
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: U.S. DST change proposals and WWVB radio clocks (RichW, R 31 11)

    > ... I'm aware of California and Florida, for example. At least one
    > Canadian province (British Columbia) is considering doing the same.

    Massachusetts, too.

    For some reason, states can opt out of DST, but they can't opt for
    year-round DST, so if FL or MA does year round DST, they will have to do it
    by moving to the AST time zone with no DST.

    If the clocks don't already handle AST, they're not really fit for purpose,
    since Puerto Rico and the USVI have been on AST for a century.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.12
    ************************
     
  4. LakeGator
    Risks Digest 31.13

    RISKS List Owner

    Mar 21, 2019 6:55 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 21 March 2019 Volume 31 : Issue 13

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    German Air Traffic Control with software error (Tagesschau)
    Doomed Jets Lacked 2 Safety Features That Boeing Sold as Extras (NYTimes)
    737 Max issues, breakdown and analysis (Bob Poortinga)
    How a 50-year-old design came back to haunt Boeing with its troubled
    737 Max jet (Los Angeles Times)
    Boeing 737 Max: Software patches can only do so much (ZDNet)
    Millions of Facebook passwords exposed internally (BBC News)
    Accidentally exposing the data of 230M people (WiReD)
    Locking more than the doors as cars become computers on wheels (NYTimes)
    The Attack That Broke the Net's Safety Net (NYTimes)
    Inside YouTube's struggles to shut down video of the New Zealand
    shooting -- and the humans who outsmarted its systems (WashPost)
    Fewer than 200 people watched the New Zealand massacre live.
    A hateful group helped it reach millions. (WashPost)
    Aadhaar: unique numbers for all residents in India (Reetika Khera)
    Spy cameras in Seoul secretly live-streamed 1,600 hotel guests for
    subscribers. Then police caught on. (WashPost)
    Ransomware Fighter Lives in Fear for his Life (Security Boulevard)
    Why The Promise Of Electronic Health Records Has Gone Unfulfilled (npr.org)
    How to Check Your Hotel Room for Hidden Cameras (ThePointsGuy)
    Browser also fills in bad guy address with good guy address (Dan Jacobson)
    DNA and a Coincidence Lead to Arrest in 1999 Double (NYTimes)
    Is Computer Code a Foreign Language? (William Egginton)
    Lookin' in my back door (Henry Baker)
    ESPN Slips Up, Revealing the NCAA Women's Bracket Four Hours Early
    (NYTimes)
    Re: Is curing patients, a sustainable business model? (Martin Ward)
    Re: The Rapid Decline Of The Natural World ... (Jurek)
    Re: Security Holes Found in Big Brand Car Alarms (Amos Shapir)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 21 Mar 2019 18:27:50 +0100
    From: weberwu <weberwu@HTW-Berlin.de>
    Subject: German Air Traffic Control with software error (Tagesschau)

    The ARD Tagesschau reports that there is a software error in the air-traffic
    control system over Germany. They are following up a report by
    Deutschlandfunk.

    Software malfunction at Deutsche Flugsicherung

    The DFS (Deutsche Flugsicherung) uses a system that displays so-called
    control strips. The control strips contain information for the air traffic
    controllers such as vessel type, route, time of airspace crossing. This
    system is not working correctly. The system used in Langen in Hessia is
    showing errors, so that the controllers must take more time to inspect what
    they are doing. All other systems are said to be operational. This concerns
    the airspace from Constance to Kassel and from the French border to
    Thuringia. No other airspaces are said to be affected. Travelers should
    expect delays of around 30 minutes.

    Prof. Dr. Debora Weber-Wulff, HTW Berlin, Treskowallee 8, 10313 Berlin

    ------------------------------

    Date: Thu, 21 Mar 2019 09:47:42 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Doomed Jets Lacked 2 Safety Features That Boeing Sold as Extras
    (NYTimes)

    Airlines had to pay more for two optional upgrades that could warn pilots
    about sensor malfunctions. The company will now make one of the features
    standard.

    Doomed Boeing Jets Lacked 2 Safety Features That Company Sold Only as Extras

    ------------------------------

    Date: March 20, 2019 at 09:37:23 GMT+9
    From: Bob Poortinga <w9...@w9iz.us>
    Subject: 737 Max issues, breakdown and analysis

    A friend of mine who is both an IT professional and a private pilot has
    written a nice analysis of the 737 Max situation.



    R, Bob Poortinga, Bloomington, IN [via Dave Farber in Japan]

    [Note: Monty Solomon noted a second Seattle Times article after the one
    noted previously:
    Flawed analysis, failed oversight: How Boeing, FAA certified the
    suspect 737 MAX flight control system
    PGN]

    ------------------------------

    Date: Mon, 18 Mar 2019 17:55:23 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: How a 50-year-old design came back to haunt Boeing with its
    troubled 737 Max jet (Los Angeles Times)

    How a 50-year-old design came back to haunt Boeing with its troubled 737 Max jet

    "That low-to-the-ground design was a plus in 1968, but it has proved to be a
    constraint that engineers modernizing the 737 have had to work around ever
    since. The compromises required to push forward a more fuel-efficient
    version of the plane -- with larger engines and altered aerodynamics -- led
    to the complex flight control software system that is now under
    investigation in two fatal crashes over the last five months.

    "But the decision to continue modernizing the jet, rather than starting at
    some point with a clean design, resulted in engineering challenges that
    created unforeseen risks."

    Legacy 737 fuselage design constraints led to MCAS development and
    deployment decades later, which apparently caused the deadly aircraft
    incidents.

    Risk: Legacy system feature preservation for economic motives versus a full
    redesign to negate technical debt accumulation.

    ------------------------------

    Date: Tue, 19 Mar 2019 20:20:01 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Boeing 737 Max: Software patches can only do so much (ZDNet)

    Boeing 737 Max: Software patches can only do so much | ZDNet

    ------------------------------

    Date: Thu, 21 Mar 2019 13:53:16 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Millions of Facebook passwords exposed internally (BBC News)

    Developers working for Facebook logged the passwords in plain text as they
    wrote code for the site. User passwords were accessible to as many as
    20,000 FB employees. Brian Krebs noted up to 600M passwords.

    Millions of Facebook passwords exposed

    [Several people have noted this today. PGN]

    ------------------------------

    Date: Tue, 19 Mar 2019 12:00:22 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Accidentally exposing the data of 230M people (WiReD)

    Hardigree also still maintains that the data Exactis aggregated and then
    exposed wasn't actually sensitive, and that the outrage over its exposure
    was overblown. He says much of it was pulled from sources like public
    records and census data. Exactis combined that public information with data
    it traded for and bought, with sources ranging from payday loan and auto
    companies to surveys to registration forms for business publications.
    Hardigree claims that hundreds of small companies possess similar data. He
    argues that anyone can buy a less refined version of the same collection,
    what's known as a Consumer Master File, for around $1,000. "This data is out
    there, and it always has been out there," Hardigree says.

    But Troy Hunt, the security researcher and data breach expert who manages
    HaveIBeenPwned, says that the Exactis data was indeed sensitive enough to
    justify the wave of pain that hit the company after its security lapse. He
    argues the data is, in fact, sufficiently detailed to contribute to identity
    theft, and certainly detailed enough to creep out anyone who finds
    themselves in it.

    Here's What It's Like to Accidentally Expose the Data of 230M People

    ------------------------------

    Date: Mon, 18 Mar 2019 21:50:50 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Locking more than the doors as cars become computers on wheels
    (NYTimes)

    Concern that cars could be seriously hacked -- by criminals, terrorists or
    even rogue governments -- has prompted a new round of security efforts on
    the part of the auto industry.

    Locking More Than the Doors as Cars Become Computers on Wheels

    ------------------------------

    Date: Mon, 18 Mar 2019 21:35:37 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: The Attack That Broke the Net's Safety Net (NYTimes)

    A killer determined to make terrorism go viral beat a system designed to
    keep the worst of the web out of sight.

    Opinion | The Attack That Broke the Net's Safety Net

    ------------------------------

    Date: Wed, 20 Mar 2019 02:15:05 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Inside YouTube's struggles to shut down video of the New Zealand
    shooting -- and the humans who outsmarted its systems (WashPost)

    https://www.washingtonpost.com/tech...d-shooting-humans-who-outsmarted-its-systems/

    ------------------------------

    Date: Wed, 20 Mar 2019 12:49:17 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Fewer than 200 people watched the New Zealand massacre live.
    A hateful group helped it reach millions. (WashPost)

    New details reveal just how quickly the video spread across the world and
    rocketed out of tech companies' control.

    https://www.washingtonpost.com/tech...-live-hateful-group-helped-it-reach-millions/

    ------------------------------

    From: Reetika Khera <reet...@iima.ac.in>
    Date: Thu, 21 Mar 2019 08:16:05 +0530
    Subject: Aadhaar: unique numbers for all residents in India

    Aadhaar is a 12-digit unique number assigned to all Indian residents. Its
    uniqueness is supposed to be guaranteed by the use of biometrics
    (fingerprints, iris and photographs). Besides biometrics, the Unique
    Identification Authority of India (UIDAI) also collects demographic
    information.

    Aadhaar is being made compulsory for an increasing number of applications in
    India. An extensive household survey conducted by our team [1] revealed
    various issues related to this measure, including exclusion problems,
    transaction costs, and its impact on corruption.

    For example, people experience issues with enrolling [2] for Aadhaar, when
    they lose it [3], when they try to link [4] it to the appropriate registry,
    when they try to authenticate [5] themselves biometrically, and so on.

    More issues are highlighted in this Youtube playlist [6] (not all have
    subtitles). The consequences [7] of this range from cancellation or
    suspension of benefits, to delays and deaths [8].

    1:
    Aadhaar and Food Security in Jharkhand : Pain without Gain?
    2: https://www.youtube.com/watch?v=KYwDkZ0l4wY
    3:
    4:
    5:
    https://www.thequint.com/news/india/uidai-ceo-admits-aadhaar-authentication-failure-rate-12
    6:
    https://www.youtube.com/watch?v=fVSVqbW6dP0&list=PLdHEUXbHHVe30wNaeZqdb04XyJ5j3_ehc
    7:
    https://www.washingtonpost.com/news...aadhaar/?noredirect=on&utm_term=.b57578095146
    8:
    https://www.nytimes.com/2018/01/21/opinion/india-aadhaar-biometric-id.html

    [If you might have any thoughts about youtube/twitter postings possibly
    being unreliable, what were used here were precisely what was
    recorded and compiled during the data collection exercise. PGN]

    ------------------------------

    Date: Wed, 20 Mar 2019 12:46:57 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Spy cameras in Seoul secretly live-streamed 1,600 hotel guests for
    subscribers. Then police caught on. (WashPost)

    Two arrested after hundreds of hotel guests were filmed in South Korea for
    live-stream subscribers.

    https://www.washingtonpost.com/worl...-hotel-guests-subscribers-then-police-caught/

    ------------------------------

    Date: Tue, 19 Mar 2019 20:22:04 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Ransomware Fighter Lives in Fear for his Life (Security Boulevard)

    https://securityboulevard.com/2019/03/ransomware-fighter-lives-in-fear-for-his-life/

    ------------------------------

    Date: Mon, 18 Mar 2019 16:21:46 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: Why The Promise Of Electronic Health Records Has Gone Unfulfilled
    (npr.org)

    https://www.npr.org/sections/health...lectronic-health-records-has-gone-unfulfilled

    A transparency deficit contributes to the EHR catastrophe:

    "Entrenched policies continue to keep software failures out of public
    view. Vendors of electronic health records have imposed contractual 'gag
    clauses' that discourage buyers from speaking out about safety issues and
    disastrous software installations -- and some hospitals fight to withhold
    records from injured patients or their families."

    Risk: Missing incentives among stakeholders (equipment vendors, EHR vendors,
    medical service providers, physicians, administrators) to align and
    standardize EHR content/metadata/coding structures, communications, and
    platform protocols. Possibly corrected through better regulation,
    legislation, or perp walks.

    ------------------------------

    Date: Thu, 21 Mar 2019 10:17:35 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: How to Check Your Hotel Room for Hidden Cameras (ThePointsGuy)

    https://thepointsguy.com/guide/how-to-detect-hidden-cameras-in-your-hotel-room/

    ------------------------------

    Date: Thu, 21 Mar 2019 08:56:27 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Browser also fills in bad guy address with good guy address

    You know the helpful browser form filler feature where it fills in your
    name, address, phone number, and email?

    It works great, except when reporting crimes, where you better check before
    clicking "submit" that it didn't also helpfully go back and re-fill in the
    bad guys' name, address, phone number... using guess who's data...

    https://bugs.chromium.org/p/chromium/issues/detail?id=944351

    ------------------------------

    Date: Tue, 19 Mar 2019 13:24:46 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: DNA and a Coincidence Lead to Arrest in 1999 Double (NYTimes)

    https://www.nytimes.com/2019/03/19/us/alabama-dna-murder-arrest.html

    For 19 years, police were unable to identify the person who fatally shot two
    17-year-olds. Then they turned to the technique used in the Golden State
    Killer case.

    ------------------------------

    Date: March 18, 2019 at 10:15:32 PM GMT+9
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Is Computer Code a Foreign Language? (William Egginton)

    William Egginton, Mar 17 2019
    No. And high schools shouldn't treat it that way.

    https://www.nytimes.com/2019/03/17/opinion/code-foreign-language.html

    Maryland's legislature is considering a bill to allow computer coding
    courses to fulfill the foreign-language graduation requirement for high
    school. A similar bill passed the Florida State Senate in 2017 (but was
    ultimately rejected by the full Legislature), and a federal version proposed
    by Senators Bill Cassidy, Republican of Louisiana, and Maria Cantwell,
    Democrat of Washington, is being considered in Congress.

    The animating idea behind these bills is that computer coding has become a
    valuable skill. This is certainly true. But the proposal that
    foreign-language learning can be replaced by computer coding knowledge is
    misguided: It stems from a widely held but mistaken belief that science and
    technology education should take precedence over subjects like English,
    history, and foreign languages.

    As a professor of languages and literatures, I am naturally skeptical of
    such a position. I fervently believe that foreign-language learning is
    essential for children's development into informed and productive citizens
    of the world. But even more urgent is my alarm at the growing tendency to
    accept and even foster the decline of the sort of interpersonal human
    contact that learning languages both requires and cultivates.

    Language is an essential -- perhaps the essential -- marker of our species.
    We learn in and through natural languages; we develop our most fundamental
    cognitive skills by speaking and hearing languages; and we ultimately assume
    our identities as human beings and members of communities by exercising
    those languages. Our profound and impressive ability to create complex tools
    with which to manipulate our environments is secondary to our ability to
    conceptualize and communicate about those environments in natural languages.

    The difference between natural and computer languages is not merely one of
    degree, with natural languages' involving vocabularies that are several
    orders of magnitude larger than those of computer languages. Natural
    languages aren't just more complex versions of the algorithms with which we
    teach machines to do tasks; they are also the living embodiments of our
    essence as social animals. We express our love and our losses, explore
    beauty, justice and the meaning of our existence, and even come to know
    ourselves all through natural languages.

    The irony is that few people appreciate the uniqueness of human language
    more than coders working in artificial intelligence, who wrestle with the
    difficulty of replicating our cognitive abilities. The computer scientist
    Alan Turing noted that the question of whether a machine can think is
    incredibly difficult to determine, not least because of the lack of a clear
    definition of `thinking'; he proposed investigating instead the more
    tractable question of whether a machine can convince a human interlocutor
    that it's human -- the so-called Turing test.

    One of the important lessons of Turing's test is the reminder that in our
    interactions with other people, we are fundamentally limited in how much we
    can know about another's thoughts and feelings, and that this limitation and
    the desire to transcend it is essential to our humanity. In other words,
    for us humans, communication is about much more than getting information or
    following instructions; it's about learning who we are by interacting with
    others.

    The interpersonal essence of language learning extends to learning as a
    whole. We know that small-group, in-person instruction is more effective
    than traditional lectures. We ask questions, are asked in return, and we
    learn more, learn faster and retain more when we care about the people we
    are interacting with. It's no accident that despite the initial enthusiasm
    generated by MOOCs, or massive online open courses, they have in fact been a
    major disappointment, with completion rates as low as 5 percent. By
    comparison, online courses with smaller groups of students and direct
    feedback from the professor show completion rates as high as 85 percent.

    [Furthermore, the types of computer-language skills may be quite different
    from natural-language skills. For example, computer programming requires
    some intense left-brained activities that learning to *speak* natural
    languages does not, and total-system design and development requires
    synergy between the left-brain and right-brain activities. (See my
    book chapter,
    Zen and the Art of System Programming: Psychosocial Implications of
    Computer Software Development and Use: Zen and the Art of Computing, in
    Theory and Practice of Software Technology, D. Ferrari, M. Bolognani,
    and J. Goguen (editors), North-Holland, 1983, 221--232.)
    However, learning to *write* grammatically in a natural language does
    require more left-brain activity. Besides, adequate natural-language
    learning (even English for a First Language) seems to be declining
    seriously. Sloppy use of natural languages seems to be tolerated, whereas
    sloppy use of computer languages is the source of many of the risks in
    RISKS. The concept of teaching programming as a natural language is
    *really* misguided, for many reasons. PGN]

    ------------------------------

    Date: Tue, 19 Mar 2019 10:25:20 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Lookin' in my back door

    [Apologies to Creedence Clearwater Revival.]

    NSA FOMO...

    Whether you trust Huawei's words or not, at least they give lip service to
    "no back doors", which is more than the 5i's will give.

    "Huawei, in other words, hampers US efforts to spy on whomever it wants."

    "Prism, prism on the wall. Who's the most trustworthy of them all?"

    "Huawei has not and will never plant backdoors. And we will never allow
    anyone to do so in our equipment."

    https://www.ft.com/content/b8307ce8-36b3-11e9-bb0c-42459962a812

    The US attacks on Huawei betray its fear of being left behind

    Proliferation of our technology hampers American efforts to spy on whomever
    it wants

    Guo Ping February 27, 2019

    As a top Huawei executive, I'm often asked why the US has launched a
    full-scale assault on us. The Americans have charged us with stealing
    technology and violating trade sanctions, and largely blocked us from doing
    business there. Mike Pence, US vice-president, recently told Nato of "the
    threat posed by Huawei", and Mike Pompeo, secretary of state, warned allies
    that using our telecommunications equipment would make it harder for the US
    to "partner alongside them."

    On Tuesday at the Mobile World Congress, the industry's largest trade show,
    a US delegation led by Ajit Pai, Federal Communications Commission chair,
    repeated the call to keep Huawei out of global 5G networks.

    Washington has cast aspersions on Huawei for years. A 2012 report by the
    House Intelligence Committee labeled us a threat. But, until recently,
    these attacks were relatively muted. Now that the US has brought out the
    heavy artillery and portrayed Huawei as a threat to western civilisation, we
    must ask why.

    I believe the answer is in the top secret US National Security Agency
    documents leaked by Edward Snowden in 2013. Formed in 1952, the NSA
    monitors electronic communications, such as email and phone calls, for
    intelligence and counter-intelligence purposes.

    The Snowden leaks shone a light on how the NSA's leaders were seeking to
    "collect it all" -- every electronic communication sent, or phone call made,
    by everyone in the world, every day. Those documents also showed that the
    NSA maintains "corporate partnerships" with particular US technology and
    telecom companies that allow the agency to "gain access to high-capacity
    international fibre-optic cables, switches and/or routers throughout the
    world".

    Huawei operates in more than 170 countries and earns half of its revenue
    abroad but its headquarters are in China. This significantly reduces the
    odds of a "corporate partnership". If the NSA wants to modify routers or
    switches in order to eavesdrop, a Chinese company will be unlikely to
    co-operate. This is one reason why the NSA hacked into Huawei's servers.
    "Many of our targets communicate over Huawei-produced products," a 2010 NSA
    document states. "We want to make sure that we know how to exploit these
    products."

    Clearly, the more Huawei gear is installed in the world's telecommunications
    networks, the harder it becomes for the NSA to "collect it all". Huawei, in
    other words, hampers US efforts to spy on whomever it wants. This is the
    first reason for the campaign against us.

    The second reason has to do with 5G. This latest generation of mobile
    technology will provide data connections for everything from smart factories
    to electric power grids. Huawei has invested heavily in 5G research for the
    past 10 years, putting us roughly a year ahead of our competitors. That
    makes us attractive to countries that are preparing to upgrade to 5G in the
    next few months.

    If the U.S. can keep Huawei out of the world's 5G networks by portraying us
    as a security threat, it can retain its ability to spy on whomever it wants.
    America also directly benefits if it can quash a company that curtails its
    digital dominance. Hobbling a leader in 5G technology would erode the
    economic and social benefits that would otherwise accrue to the countries
    that roll it out early. Meanwhile, a range of US laws, including most
    recently the Cloud Act, empowers the US government to compel telecom
    companies to assist America's programme of global surveillance, as long as
    the order is framed as an investigation involving counter-intelligence or
    counterterrorism.

    The fusillade being directed at Huawei is the direct result of Washington's
    realisation that the US has fallen behind in developing a strategically
    important technology. The global campaign against Huawei has little to do
    with security, and everything to do with America's desire to suppress a
    rising technological competitor.

    The writer is a rotating chairman of Huawei Technologies

    https://www.huawei.com/en/press-events/news/2019/2/guoping-global-3rd-party-assurance-cyber-security

    "Choose Huawei for greater security", Says Huawei's Guo Ping

    In his keynote address at MWC 2019, Rotating Chairman Guo Ping calls for
    global 3rd party assurance to cyber security.

    Feb 26, 2019

    [Barcelona, Spain, February 26, 2019] Guo Ping, Huawei's Rotating
    Chairman, calls for international collaboration on industry standards
    and appeals to governments across the world to listen to cyber
    security experts. His requests come during a keynote speech at Mobile
    World Congress 2019.

    Huawei is the first company to deploy 5G networks at scale, Guo said.
    His MWC 2019 keynote address - "Bringing you 5G safer, faster,
    smarter" - outlined how Huawei has developed the most powerful,
    simple, and intelligent 5G networks in the world, and argued that such
    innovation is nothing without security. He urges the industry and
    governments to work together and adopt unified cyber security
    standards.

    Guo Ping, Huawei's Rotating Chairman, made a keynote speech at Mobile
    World Congress 2019.

    Summary of MWC 2019 keynote address by Guo Ping, Rotating Chairman,
    Huawei:

    1. Innovation

    Guo used the first half of his keynote to outline Huawei's position as
    the global leader in 5G but asserted that security is the basis of the
    company's commitment to innovation.

    * "Huawei is the first company that can deploy 5G networks at scale.
    More importantly, we can deliver the simplest possible sites with
    better performance."

    * "The more we invest in engineering science, the more value we can
    create. At Huawei, we can bring powerful, simple, and intelligent
    5G networks to carriers anywhere in the world, faster than anyone
    else. Huawei is the global leader in 5G. But we understand
    innovation is nothing without security."

    2. Security

    In the second half of the keynote, Guo responded to recent allegations
    directed at Huawei by the U.S. government and called for fact-based
    regulation, referring to the recommendations made by GSMA, the
    industry organization for mobile network operators worldwide, for
    governments and mobile operators to work together.

    * "To build a secure cyber environment for everyone, we need
    standards, we need fact-based regulation, and we need to work
    together."

    * "To build a system that we all can trust, we need aligned
    responsibilities, unified standards, and clear regulation."

    * "I fully agree with recent recommendations: Governments and mobile
    operators should work together to agree upon Europe's assurance
    testing and certification regime. NESAS is a very good idea and I
    would recommend extending it to the world."

    * "Huawei has not and will never plant backdoors. And we will never
    allow anyone else to do so in our equipment."

    * The irony is that the US CLOUD Act allows their governmental
    entities to access data across borders.

    FULL TEXT: Guo Ping's Keynote at MWC Barcelona 2019

    Bringing you 5G safer, faster, smarter

    Ladies and gentlemen, good morning.

    It's great to see you all again.

    There has never been more interest in Huawei. We must be doing
    something right.

    Of course, the past few months have been a challenge for us. On one
    hand, our 5G solutions are widely recognized in the industry. On the
    other hand, there has been a lot of speculation about the security of
    our 5G solutions.

    Today, I would like to talk about Huawei's latest innovations and our
    views on cyber security.

    Innovation – It's all in the details

    On the 2018 EU R&D Investment Scoreboard, Huawei ranks number 5
    globally. Last year, we invested more than 15 billion US dollars.

    This consistent investment has produced many positive results.
    Through nonstop investment, we can keep providing our customers with
    new, innovative products and more efficient services.

    5G is a perfect example of this.

    Powerful. Simple. Intelligent.

    Huawei is the first company that can deploy 5G networks at scale.
    More importantly, we can deliver the simplest possible sites with
    better performance.

    With 100 megahertz, our 5G can reach more than 14 gigs-per-second;
    that's for a single sector. We are at the leading edge of
    performance.

    Strong capacity also needs strong transmission equipment.

    * If fiber is available, we only need to install a blade, attach one
    fiber, and we can bring bandwidth up to 200 Gbps. It's incredible.

    * If fiber is not available, carriers can use microwave. However, the
    bandwidth of traditional microwave is only 1 Gbps. To address this
    problem, we use innovative architecture to boost that bandwidth to
    20 Gbps.

    * With our 5G smartphone and CPE, Huawei is able to provide end-to-end
    5G solutions. We have begun to help carriers deploy 5G at scale.

    Proven in field tests and commercial use

    Last month, Zealer published a report, saying that Huawei's 5G is 20
    times faster than the so-called 5G in the US. That's in field tests.
    In commercial use, it is not 20 times faster, but it's still much,
    much faster. So I fully understand what President Donald Trump said
    last week. The United States needs powerful, faster, and smarter 5G.

    In the two charts on the left, we have the results from IMT-2020's
    phase 3 tests in China. As you can see, Huawei is far ahead of the
    game when it comes to single site throughput.

    The third chart compares the speeds of a commercial 5G network
    deployed by several vendors. This is a real customer network. On
    Huawei 5G, single user speed reaches 1.3 Gbps.

    Powerful

    Innovation is in the details.

    Let's start with capacity.

    * For example, with performance algorithm, we can more than triple
    cell throughput.

    * For hardware, our 5G chips support 64 channels, the highest in the
    industry. We have also increased the computing power of these chips
    by 2.5 times.

    For microwave, we can support 10 times greater transmission bandwidth
    than other solutions on the market.

    Little by little, we are pushing the physical limits of our technology.

    Simple

    We are also making sites as simple as possible, without sacrificing
    performance.

    For example, if we made 64T antennas with old techniques, one 5G antenna
    would be bigger than a door. Can you imagine installing that? If we put
    one here on the beach, it would be blown down.

    To address this issue, we are using new materials. We have reduced the
    number of components by 99%, and with lighter covers, we can reduce weight
    by 40%.

    These new AAUs are as wide as a backpack and very strong. They can survive
    grade-15 typhoons. This happened in Shenzhen last year.

    Installation is super easy. We can install them directly on a 4G site, or
    even on a lamp pole. Simple sites greatly reduce carrier CAPEX and OPEX.
    In Europe, where space is limited, we can help you save 10,000 euros on site
    rental, every site, every year.

    Intelligent

    In the telecom industry, someone said we are using 5G networks of the 21st
    century. However, network Operation and Maintenance is still in the 18th
    century.

    Let's look at one figure. Globally, 70% of network faults are from human
    limitations. To make life easier for carriers, our goal is to build
    intelligent networks.

    Last October, Huawei launched the world's most powerful AI chips: Ascend 910
    and Ascend 310. We can use these to bring intelligence to all scenarios,
    and reduce computing power costs for carrier networks.

    Building on these chips, Huawei has developed many algorithms and models for
    carrier networks. With AI, we can increase resource efficiency, make O&M
    easier, and reduce power consumption for telecom networks.

    Conclusion

    The more we invest in engineering science, the more value we can create.

    At Huawei, we can bring powerful, simple, and intelligent 5G networks
    to carriers anywhere in the world, faster than anyone else.

    ------------------------------

    Date: Mon, 18 Mar 2019 21:37:58 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: ESPN Slips Up, Revealing the NCAA Women's Bracket Four Hours Early

    For the second time in three years, an NCAA basketball tournament bracket
    leaked after it was provided to the network that paid to reveal the results.
    Among the revelations? UConn is a No. 2 seed.

    https://www.nytimes.com/2019/03/18/sports/espn-womens-bracket-leak.html

    ------------------------------

    Date: Wed, 20 Mar 2019 12:04:23 +0000
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Is curing patients, a sustainable business model?

    Mixing business with medicine is ethically horrible.

    When healthcare is a business, the more sick people there are (especially
    those that need expensive treatments), the more profit there is to be
    made. This has many bad consequences:

    (1) Managing symptoms is more profitable than curing a disease;

    (2) Expensive drugs are more profitable than, for example, recommending
    simple changes to diet: so vastly more resources are poured into drug
    research than into any other form of cure;

    (3) The more unhealthy the population, the more money is to be made. So
    encouraging unhealthy habits is beneficial to a healthcare company. (It
    might be seen as a bit *too* obviously cynical for a healthcare company to
    buy a tobacco company and heavily advertise and subsidise tobacco: but there
    is a strong business case!)

    (4) Tests, tests and more tests! Testing is expensive but can be carried out
    on apparently healthy people: so it's a good business practice to test for
    everything, "just in case". If you are lucky, you might even discover some
    condition that needs expensive treatment.

    Contrast this with universal healthcare and government-funded medical
    research. If you are allocated with a certain budget per person and tasked
    with improving health you will have a very different set of priorities.

    Not having universal healthcare, the U.S. spends around twice as much per
    person, compared to other countries, but millions of people still don't have
    any healthcare, and overall the population is less healthy than other first
    world countries which do have universal health care.

    ------------------------------

    Date: Wed, 20 Mar 2019 14:51:59 +0000
    From: Jurek <j...@uxp.ie>
    Subject: Re: The Rapid Decline Of The Natural World ...

    Is it possible that 500 experts can be found in 50 countries who can compile
    an 8,000 plus page report to the effect that we are actually managing our
    resources as well as we can to accommodate the expanding world population?

    Yes, there *is* a risk here: when a scientific hypothesis (with I presume
    its obligatory attendant verification-only studies) is taken as a statement
    of reality and a political bandwagon is created onto which all sorts of
    famous scientists are keen to hop... rational analysis seems to evaporate.

    In my experience, science and technology courses do not pay enough attention
    to educating students about the philosophy of science... like, who has time
    for THAT kind of stuff in a crowded curriculum, right? That's the real
    risk.

    ------------------------------

    Date: Tue, 19 Mar 2019 17:48:57 +0200
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Security Holes Found in Big Brand Car Alarms (RISKS-31.12)

    ... "enabling hackers to activate car alarms, unlock vehicle doors, and
    start engines"

    In view of another article: "Toyota patents system to dispense tear gas on
    car thieves", it's possible to add to this list "if the hacked car is a
    Toyota, also spray occupants with tear gas"

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.13
    ************************
     
  5. LakeGator

    Risks Digest 31.14

    RISKS List Owner

    Mar 26, 2019 7:07 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 26 March 2019 Volume 31 : Issue 14


    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Take Another Little Peek at my Heart (Dan Goodin)
    Warnings of a Dark Side to AI in Health Care (NYTimes)
    These 11 Weird Smart Home Devices Can Change Your Life (Lifewire)
    Baristas beware: A robot that makes gourmet cups of coffee has
    arrived (The Washington Post)
    Two Singapore consortia to develop/trial driverless road cleaning
    vehicles (The Straits Times)
    Hackers Hijacked ASUS Software Updates to Install Backdoors on
    Thousands of Computers (motherboard)
    iOS Safari Flaw Allows Deceptive News Headlines in Messages (Intego)
    These Portraits Were Made by AI: None of These People Exist (The Verge)
    The Spring That Prematurely Ended a Magical Summer (Now I Know)
    Detroit Downloads Tesla's Software Strategy (WSJ)
    Russia wants to cut itself off from the global Internet.
    Here's what that really means. (MIT Tech Review)
    Tweet by Soldier of FORTRAN on Twitter (Drew Dean)
    Jeep stuck in Whately woods after GPS gives wrong directions (GazetteNet)
    How Google's Bad Data Wiped a Neighborhood off the Map (Medium)
    The Internet's Phone Book Is Broken (Medium)
    Lithuanian Man Pleads Guilty to $100 Million Fraud Against Google, Facebook
    (WSJ)
    EU passes their nightmare copyright legislation (Lauren Weinstein)
    One dead battery + app = two dead batteries (Dan Jacobson)
    Online voting, again (Fortune)
    Tech subjects and the media (Rob Slade)
    Apple Life+ (Rob Slade)
    Re: Inside YouTube's struggles to shut down video of the New Zealand
    shooting -- and the humans who outsmarted its systems (Arthur Flatau)
    Re: How a 50-year-old design came back... (Craig Burton)
    Unproven declarations about healthcare (Paul Black)
    Re: Is curing patients, a sustainable business model? (Toby Douglass)
    The Newcastle RISKS SSL cert expired (Toby Douglass)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 25 Mar 2019 15:34:23 -0600
    From: Cipher Editor <cipher...@ieee-security.org>
    Subject: Take Another Little Peek at my Heart (Dan Goodin)

    Dan Goodin, Ars Technica, 21 Mar 2019, via IEEE Cipher

    HOT-WIRE MY HEART: Critical flaw lets hackers control lifesaving devices
    implanted inside patients; Implanted devices from Medtronic can have their
    firmware rewritten, DHS warns.

    Summary: There are many people alive today because they carry implanted
    medical devices in their bodies. The devices have computers and wireless
    communication capabilities. Unsurprisingly, if they are devoid of standard
    security protections, they are completely hackable. The Conexus Radio
    Frequency Telemetry Protocol, which is Medtronic's proprietary means for the
    monitors to wirelessly connect to implanted devices, has a "raft" of
    security weaknesses that leave them open to everything from privacy
    violations to complete reprogramming by anyone within wireless range.
    Medtronic emphasizes that no device has ever actually been hacked, and that
    they are responding to the US Department of Homeland Security's
    Cybersecurity and Infrastructure Security Agency's advisory (Medtronic
    Conexus Radio Frequency Telemetry Protocol, ICS-CERT) with all due speed.

    ------------------------------

    Date: Mon, 25 Mar 2019 12:05:09 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: Warnings of a Dark Side to AI in Health Care (NYTimes)

    Cade Metz and Craig S. Smith, *The New York Times*, 21 Mar 2019
    via ACM TechNews, 25 Mar 2019

    Harvard University and Massachusetts Institute of Technology (MIT)
    researchers warn in a recently published study that new artificial
    intelligence (AI) technology designed to enhance healthcare is vulnerable to
    misuse, with "adversarial attacks" that can deceive the system into making
    misdiagnoses being one example. A more likely scenario is of doctors,
    hospitals, and other organizations manipulating the AI in billing or
    insurance software in an attempt to maximize revenue. The researchers said
    software developers and regulators must consider such possibilities as they
    build and evaluate AI technologies in the years to come. MIT's Samuel
    Finlayson said, "The inherent ambiguity in medical information, coupled with
    often-competing financial incentives, allows for high-stakes decisions to
    swing on very subtle bits of information." Changes doctors make to medical
    scans or other patient data in an effort to satisfy the AI used by insurance
    firms also could wind up in a patient's permanent record.

    Warnings of a Dark Side to A.I. in Health Care

    [Monty Solomon noted from that article:
    Machine-learning systems could be a boon to medicine. But they also can be
    hacked to mislead, researchers are discovering.
    PGN]

    ------------------------------

    Date: Mon, 25 Mar 2019 13:58:11 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: These 11 Weird Smart Home Devices Can Change Your Life (Lifewire)

    11 Weird Smart Home Devices That Can Change Your Life

    Smart:

    * Bed
    * Toaster
    * Fork
    * Garage door opener
    * Toilet
    * Egg tray
    * Toothbrush
    * Hairbrush
    * Pet feeder
    * Frying pan
    * Flood sensor

    Whatever could go wrong?

    ------------------------------

    Date: Sun, 24 Mar 2019 11:59:31 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Baristas beware: A robot that makes gourmet cups of coffee has
    arrived (The Washington Post)

    http://www.washingtonpost.com/techn...t-that-makes-gourmet-cups-coffee-has-arrived/

    "The machine can make 100 cups per hour -- the output of four baristas, the
    company says."

    "All the numbers and data in the world can't actually tell you how the
    coffee tastes," Geib said. "A big part of what a human brings is being able
    to taste the coffee during the process of dialing in the flavor."

    Risks: Denial of service, product satisfaction underachievement, and no
    kibitzing with the barista.

    ------------------------------

    Date: Thu, 21 Mar 2019 18:28:48 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: Two Singapore consortia to develop/trial driverless road cleaning
    vehicles (The Straits Times)

    Two Singapore consortia to develop, trial driverless road cleaning vehicles

    ------------------------------

    Date: Mon, 25 Mar 2019 10:27:33 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Hackers Hijacked ASUS Software Updates to Install Backdoors on
    Thousands of Computers (motherboard)

    [via Geoff Goodfellow]
    [Be sure to chase down the Kaspersky securelist URL noted herein.
    Also, see Kim Zetter's take on this one:
    Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers
    The cleverness here is quite remarkable. Bottom line for RISKS:
    Beware of compromised automated update mechanisms. PGN]

    The Taiwan-based tech giant ASUS is believed to have pushed the malware to
    hundreds of thousands of customers through its trusted automatic software
    update tool after attackers compromised the company's server and used it to
    push the malware to machines.
    Hackers Hijacked ASUS Software Updates to Install Backdoors on Thousands of Computers

    EXCERPT:

    Researchers at cybersecurity firm Kaspersky Lab say that ASUS, one of the
    world's largest computer makers, was used to unwittingly install a malicious
    backdoor on thousands of its customers' computers last year after attackers
    compromised a server for the company's live software update tool. The
    malicious file was signed with legitimate ASUS digital certificates to make
    it appear to be an authentic software update from the company, Kaspersky Lab
    says.

    ASUS, a multi-billion dollar computer hardware company based in Taiwan
    that manufactures desktop computers, laptops, mobile phones, smart home
    systems, and other electronics, was pushing the backdoor to customers for
    at least five months last year before it was discovered, according to new
    research from the Moscow-based security firm.

    The researchers estimate half a million Windows machines received the
    malicious backdoor through the ASUS update server, although the attackers
    appear to have been targeting only about 600 of those systems. The malware
    searched for targeted systems through their unique MAC addresses. Once on a
    system, if it found one of these targeted addresses, the malware reached out
    to a command-and-control server the attackers operated, which then installed
    additional malware on those machines.

    Kaspersky Lab said it uncovered the attack in January 2019 after adding a
    new supply-chain detection technology to its scanning tool to catch
    anomalous code fragments hidden in legitimate code or catch code that is
    hijacking normal operations on a machine. The company plans to release a
    full technical paper and presentation about the ASUS attack, which it has
    dubbed ShadowHammer, next month at its Security Analyst Summit (SAS),
    April 8-11, 2019, in Singapore. In the meantime, Kaspersky has published
    some of the technical details on its website under the title "Operation
    ShadowHammer". [...]
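
    The MAC-address targeting described in the excerpt is also what a defender
    can use for triage: given the list of targeted addresses, check every
    adapter of every host in the asset inventory against it, not just the
    machines that happened to beacon. The following is an added example, not
    Kaspersky's tool and not code from the malware. It assumes the list is
    shipped as SHA-256 hashes of canonical MAC strings (an assumption for
    illustration; the page does not say how the list was stored), and every
    MAC, hostname and hash in it is constructed.

```python
import hashlib
import re

# Added example: a defender-side triage helper for a MAC-targeted payload such
# as the one described above. ASSUMPTION (not stated on the page): the target
# list is distributed as hashes of normalised MAC addresses rather than plain
# text, so a copy of the list reveals nothing about who is targeted until one
# of the hashes matches.
HASH_ALGO = "sha256"          # assumed for illustration; a real list may differ


def normalize_mac(mac: str) -> str:
    """Canonicalise any common MAC spelling to lowercase 'aa:bb:cc:dd:ee:ff'.

    Accepts colon, dash, Cisco dotted and bare hex forms. Raises ValueError when
    the input does not contain exactly 12 hex digits, so junk never hashes to a
    plausible-looking value.
    """
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def mac_hash(mac: str) -> str:
    """Hash the canonical form, so spelling differences cannot cause a miss."""
    return hashlib.new(HASH_ALGO, normalize_mac(mac).encode("ascii")).hexdigest()


def build_target_set(macs) -> set:
    """Turn a list of MAC strings into the hashed form assumed for the list."""
    return {mac_hash(m) for m in macs}


def triage_inventory(inventory: dict, target_hashes: set) -> list:
    """Return (hostname, canonical_mac) for every adapter on the target list.

    Every adapter of every host is checked: a laptop with Ethernet, Wi-Fi and a
    docking-station NIC has three MACs, and any one of them could be the match.
    Malformed inventory entries are skipped rather than aborting the whole run.
    """
    hits = []
    for host, macs in inventory.items():
        for mac in macs:
            try:
                if mac_hash(mac) in target_hashes:
                    hits.append((host, normalize_mac(mac)))
            except ValueError:
                continue
    return hits


# Constructed sample data (not real targets): the "published" list and an
# asset-inventory export in the mixed spellings such exports usually contain.
TARGET_MACS = ["00:1A:2B:3C:4D:5E", "AA-BB-CC-DD-EE-FF"]
TARGET_HASHES = build_target_set(TARGET_MACS)
INVENTORY = {
    "ws-001": ["00-1a-2b-3c-4d-5e", "02:00:00:00:00:01"],
    "ws-002": ["0011.2233.4455"],
    "ws-003": ["aabb.ccdd.eeff"],
    "ws-004": ["bad-mac"],
}

if __name__ == "__main__":
    for host, mac in triage_inventory(INVENTORY, TARGET_HASHES):
        print(f"{host}: adapter {mac} is on the target list; preserve for forensics")
```

    The normalisation step is the part that matters in practice: inventory
    tools, DHCP leases and switch CAM tables each spell MAC addresses
    differently, and a hash comparison silently misses every host whose
    address is not in the exact form the list was built from.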

    ------------------------------

    Date: Mon, 25 Mar 2019 21:01:52 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: iOS Safari Flaw Allows Deceptive News Headlines in Messages
    (Intego)

    iOS Safari Flaw Allows Deceptive News Headlines in Messages

    ------------------------------

    Date: Tue, 26 Mar 2019 08:56:07 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: These Portraits Were Made by AI: None of These People Exist
    (The Verge)

    Check out these rather ordinary looking portraits. They're all fake. Not in
    the sense that they were Photoshopped, but rather they were *completely
    generated by artificial intelligence*. That's right: none of these people
    actually exist.

    NVIDIA researchers have published a new paper
    https://arxiv.org/pdf/1812.04948.pdf
    on easily customizing the style of realistic faces created by a generative
    adversarial network (GAN).

    *The Verge* points out that GAN has only existed for about four years.
    These faces show how far AI image generation has advanced in just four years
    In 2014, a landmark paper introduced the concept, and this is what the
    AI-generated results looked like at the time.
    https://arxiv.org/pdf/1406.2661.pdf

    ------------------------------

    Date: Mon, 25 Mar 2019 14:25:25 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Spring That Prematurely Ended a Magical Summer (Now I Know)

    In the spring of 1990, Coke announced something called `MagiCans' — you
    can see a (grainy) ad from the campaign here:
    https://www.youtube.com/watch?v=OBCKnhFwE_4

    The stunt, the centerpiece to their $100 million `Magic Summer' marketing
    push, was simple. Some cans of Coca-Cola Classic were loaded with coupons,
    gift certificates, and most importantly, cash — up to $500. The prize cans
    were spring-loaded, as seen above; if the mechanism worked properly, the
    prize would pop up once the can was popped open. Those cans didn't contain
    Coke, though; as the ad warned, ``If you see anything other than Coca-Cola
    Classic in that can, don't drink from it,'' as prize cans were `winners'
    but, alas, didn't contain any actual soda. Instead, they contained a sealed
    chamber of chlorinated water with a foul odor, intending to mask the weight
    of the prize while also stopping winners from taking a sip in case it
    somehow leaked.

    The Spring That Prematurely Ended a Magical Summer | Now I Know

    Technology -- what could go wrong? Too bad pre-Internet cans could have been
    WiFi enabled to automatically broadcast sight and sound of people's
    reactions to surprise contents. Not being a soda drinker, I missed this fun.

    ------------------------------

    Date: Thu, 21 Mar 2019 22:39:30 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Detroit Downloads Tesla's Software Strategy (WSJ)

    Industry moves toward wireless updates to repair problems and deliver extras

    https://www.wsj.com/articles/auto-makers-steer-in-teslas-direction-on-wireless-updates-11553083202

    ------------------------------

    Date: Mon, 25 Mar 2019 10:14:41 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Russia wants to cut itself off from the global Internet.
    Here's what that really means. (MIT Tech Review)

    *The plan is going to be tricky to pull off, both technically and
    politically, but the Kremlin has set its sights on self-sufficiency.*

    EXCERPT:

    In the next two weeks, Russia is planning to attempt something no other
    country has tried before. It's going to test whether it can disconnect from
    the rest of the world electronically while keeping the Internet running for
    its citizens. This means it will have to reroute all its data internally,
    rather than relying on servers abroad.

    The test is key to a proposed `sovereign Internet' law currently working its
    way through Russia's government. It looks likely to be eventually voted
    through and signed into law by President Vladimir Putin, though it has
    stalled in parliament for now.

    Pulling an iron curtain down over the Internet is a simple idea, but don't
    be fooled: it's a fiendishly difficult technical challenge to get right. It
    is also going to be very expensive. The project's initial cost has been set
    at $38 million by Russia's financial watchdog, but it's likely to require
    far more funding than that. One of the authors of the plan has said it'll
    be more like $304 million, Bloomberg reports, but even that figure,
    industry experts say, won't be enough to get the system up and running, let
    alone maintain it.

    Not only that, but it has already proved deeply unpopular with the general
    public. An estimated 15,000 people took to the streets in Moscow earlier
    this month to protest the law, one of the biggest demonstrations in years.

    *Operation disconnect*

    So how will Russia actually disconnect itself from the global Internet?
    ``It is unclear what the `disconnect test' might entail,'' says Andrew
    Sullivan, president and CEO of the Internet Society. All we know is that if
    it passes, the new law will require the nation's Internet service providers
    (ISPs) to use only exchange points inside the country that are approved by
    Russia's telecoms regulator, Roskomnadzor.

    These exchange points are where Internet service providers connect with
    each other. It's where their cabling meets at physical locations to
    exchange traffic. These locations are overseen by organizations known as
    Internet exchange providers (IXPs). Russia's largest IXP is in Moscow,
    connecting cities in Russia's east but also Riga in neighboring Latvia.

    MSK-IX, as this exchange point is known, is one of the world's largest. It
    connects over 500 different ISPs and handles over 140 gigabits of throughput
    during peak hours on weekdays. There are six other Internet exchange points
    in Russia, spanning most of its 11 time zones. Many ISPs also use exchanges
    that are physically located in neighboring countries or that are owned by
    foreign companies. These would now be off limits. Once this stage is
    completed, it would provide Russia with a literal, physical `on/off switch'
    to decide whether its Internet is shielded from the outside world or kept
    open.

    *What's in a name?*

    As well as rerouting its ISPs, Russia will also have to unplug from the
    global domain name system (DNS) so traffic cannot be rerouted through any
    exchange points that are not inside Russia.

    The DNS is basically a phone book for the Internet: when you type, for
    example, `google.com' into your browser, your computer uses the DNS to
    translate this domain name into an IP address, which identifies the correct
    server on the Internet to send the request. If one server won't respond to a
    request, another will step in. Traffic behaves rather like water -- it will
    seek any gap it can to flow through.

    ``The creators of the DNS wanted to create a system able to work even when
    bits of it stopped working, regardless of whether the decision to break
    parts of it was deliberate or accidental,'' says Brad Karp, a computer
    scientist at University College London. This in-built resilience in the
    underlying structure of the Internet will make Russia's plan even harder to
    carry out.

    The actual mechanics of the DNS are operated by a wide variety of
    organizations, but a majority of the `root servers', which are its
    foundational layer, are run by groups in the US. Russia sees this as a
    strategic weakness and wants to create its own alternative, setting up an
    entire new network of its own root servers.

    ``An alternate DNS can be used to create an alternate reality for the
    majority of Russian Internet users,'' says Ameet Naik, an expert on Internet
    monitoring for the software company ThousandEyes. ``Whoever controls this
    directory controls the Internet.'' Thus, if Russia can create its own DNS,
    it will have at least a semblance of control over the Internet within its
    borders.

    This won't be easy, says Sullivan. It will involve configuring tens of
    thousands of systems, and it will be difficult, if not impossible, to
    identify all the different access points citizens use to get online (their
    laptops, smartphones, iPads, and so on). Some of them will be using servers
    abroad, such as Google's Public DNS, which Russia simply won't be able to
    replicate -- so the connection will fail when a Russian user tries to access
    them... [...] MIT
    https://www.technologyreview.com/s/...global-internet-heres-what-that-really-means/

    ------------------------------

    Date: Mon, 25 Mar 2019 18:16:24 -0700
    From: Drew Dean <dd...@csl.sri.com>
    Subject: Tweet by Soldier of FORTRAN on Twitter

    Condensed from a Twitter thread starting at: , @mainframed767 tells the following story:

    Auditors were reviewing logs for some appliance that used a default
    account. Every time the account was used, it wrote the username and
    password in the logs as an easy-to-identify log entry. ... So, how did
    they fix it? The vendor wouldn't fix the issue because the product was no
    longer supported, but the business still needed it for a few more years.
    Search your heart and guess what they did:

    1 - Migrated to a new app
    2 - Disabled logging as a whole
    3 - Changed the default password to ********

    If you guessed option 3 you're right! They changed the password to
    ********, and then when the auditors reviewed it they just assumed it was
    fixed because the passwords looked as if they had been masked! Genius.

    [I took the liberty of a little detwittered editing for readability. PGN]

    ------------------------------

    Date: Mon, 25 Mar 2019 09:28:57 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Jeep stuck in Whately woods after GPS gives wrong directions
    (GazetteNet)

    https://www.gazettenet.com/GPS-misleads-Jeep-into-Whately-woods-24262171

    ------------------------------

    Date: Fri, 22 Mar 2019 14:58:43 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: How Google's Bad Data Wiped a Neighborhood off the Map (Medium)

    https://onezero.medium.com/how-googles-bad-data-wiped-a-neighborhood-off-the-map-80c4c13f1c2b

    ------------------------------

    Date: Fri, 22 Mar 2019 15:01:04 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: The Internet's Phone Book Is Broken (Medium)

    https://onezero.medium.com/the-internets-phone-book-is-broken-9fcdd6ca726b

    ------------------------------

    Date: Thu, 21 Mar 2019 20:28:32 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Lithuanian Man Pleads Guilty to $100 Million Fraud Against Google,
    Facebook (WSJ)

    The two tech giants fell victim to an elaborate scheme orchestrated by the
    defendant, prosecutors say

    https://www.wsj.com/articles/lithua...ion-fraud-against-google-facebook-11553126126

    ------------------------------

    Date: Tue, 26 Mar 2019 08:09:51 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: EU passes their nightmare copyright legislation

    The EU has passed their nightmare copyright legislation that will crush the
    rights of ordinary EU users and will attempt to infect the rest of the world
    with its poisons.

    My recommendation -- seriously -- is to cut EU countries off from the Net in
    all related respects as soon as they start to try to make trouble for non-EU
    countries or global firms.

    Based on Article 11, I'd cut them off from Google News entirely, and
    drastically cut back their appearances in Google Search if they try to push
    their link tax onto Google.

    Global firms should consider refusing all content uploads from EU countries
    where Article 13 issues are in force.

    If the EU wants to treat their own citizens in such an atrocious way that's
    their business. But the rest of the planet doesn't have to put up with this
    sociopathic behavior by the EU.

    Wall off the EU from all associated global Internet services until they come
    to their senses.

    ------------------------------

    Date: Mon, 25 Mar 2019 11:41:35 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: One dead battery + app = two dead batteries

    It was a foggy night. My pal parked his spanking new rental car on the
    remote mountaintop.

    Everything was fine except that one red blinking dashboard light that we
    couldn't get to turn off. (That might mean a dead battery when we get
    back... Stranded on the mountain!)

    Each "on" part of the light's on-off cycle was so short that there was
    not enough time for the eye to figure out its complex shape and thus
    meaning.

    Shining a flashlight on it just revealed a flat panel, with the shape
    template invisible below.

    "Hmmm, all doors closed, but perhaps not locked," I said. (No criminals
    on the misty mountain, plus I bet he will lock himself out, but let's
    try it anyway.)

    "I need to use the rental company app to lock the doors, but my phone is
    out of battery," he said.

    RISK: one dead battery leads to another dead battery when an app is involved.

    (How about just disconnecting the battery cable? Better not. What if the
    car starts talking in Italian like in Toy Story, or detects it is being
    attacked and lifts off and flies home to mother?)

    ------------------------------

    Date: Sun, 24 Mar 2019 20:55:26 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Online voting, again (Fortune)

    Author says:

    I recently spoke to Nimit Sawhney, CEO and cofounder of Voatz, the
    blockchain-based, mobile voting software provider, whose technology West
    Virginia piloted during last year's general midterm election. Sawhney came
    up with the idea for the project with his brother when the two competed in
    -- and won -- a hackathon at Austin's SXSW festival in 2014. Since then,
    Sawhney has formally established a company, based in Boston, to develop the
    product.
    https://click.email.fortune.com/%3F...2e501e43c57f03cb6ac596f17e3c2140abff8659b9873
    https://click.email.fortune.com/%3F...029bde2823e428c611669ca877284a9c350dfa917201a

    Voatz's technology is making inroads. Sawhney's 14-person team recently
    won over Denver, Colo. as the second testing ground for its voting system.
    The city is trying the app in its May 7th municipal election, early voting
    for which starts today.
    https://click.email.fortune.com/%3F...1e69e65be9ecb502717262fb47d01edd581c6df8536af

    I asked Sawhney why he decided to incorporate a blockchain into his
    system. He says it's so that IT administrators within and outside his
    company can't manipulate or delete records at will. Voatz uses so-called
    permissioned ledgers, meaning only authorized parties can operate them. In
    this case, the voting database is distributed across 32 computing nodes
    running the Linux Foundation's Hyperledger Fabric and Hyperledger Sawtooth
    software on machines hosted by Amazon Web Services and Microsoft Azure.
    Voatz stewards the nodes alongside select nonprofits that act as
    independent monitors, a small cadre Voatz hopes to expand to include other
    major stakeholders -- political parties, media entities, and others -- over
    time.
    https://click.email.fortune.com/%3F...6b5e2f8871bf3335510949d8dfa40f0c9545eda231fb1
    https://click.email.fortune.com/%3F...c43b46a86fb861ee7a3761c4ef590a56aed4e8f9d83d6

    https://view.email.fortune.com/%3Fqs%592c9ecd5951d82b21b03ca032478224af503a2b8e1ae0ec8aab39184d16029f7ad4c2e57d415978db00277b7fd2de81bdef1c5ab69c08fcd3ab61add7f656fcf3de08f777373f1f

    ------------------------------

    Date: Fri, 22 Mar 2019 11:24:34 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Tech subjects and the media

    I have been known, from time to time, to make ... "unkind" ... remarks about
    the ability of the general (and sometimes even the trade) media to get
    things right when addressing technical, and particularly infosec, topics.

    So I was intrigued to find that I'm getting some agreement from scientists
    in general. They are even calling it "fake news."
    https://vancouversun.com/news/local...resentation-of-their-work-in-era-of-fake-news
    or
    https://is.gd/pfIFXF

    I'm not sure if the media, under increasing pressure from the online world,
    is getting worse, or if people are getting fed up, or if the increasing mass
    of real fake news (mostly from the online world) is making people more
    attuned to the problem ...

    ------------------------------

    Date: Tue, 26 Mar 2019 08:52:03 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: Apple Life+

    Apple has always had partisans with a devotion bordering on fanaticism.
    (Although UNIX is the one, true operating system, and Thompson is its
    prophet, it is Apple that has inspired the most hard core religious wars in
    computerdom.) Apple started out with the "open" Apple ][ system. Since
    then, with the Mac and various iOS devices, Apple has been firmly closed,
    and has increasingly tried to lock users into the Apple branded world.

    With the iPod, and iTunes, Apple moved to control music, expanding somewhat
    into movies, with extensions into podcasts (the very word deriving from the
    iPod) and other audio and video content. Then came Apple TV and Apple News.

    With the recent "plus"es added to those, Apple has an enormous platform for
    information, entertainment, infotainment, and all manner of content
    delivery, all within the Apple environment and under Apple control.
    Interest has been expressed in the medical benefits of the fitness tracker
    on the Apple watch, with its ability to alert the user (or others) when
    anomalous fitness readings are detected. All of this, your phone and email
    contacts and traffic, and many home IoT devices, can be controlled, managed,
    recorded (and the details fed back to Apple) by Siri. People have been
    concerned over the information that Facebook and Google collect on users:
    it's very difficult to believe that Apple has less access to personal user
    data.

    Buried in yesterday's announcement was the Apple credit card. With its
    enormous cash reserves, Apple can easily become a bank, and provide (and
    manage) all kinds of financial services.

    All Apple needs is a piece of Amazon's retail sector, and perhaps a
    ride-sharing service (or, maybe, Apple might do an end-run, and start up a
    drone-sharing telepresence service) and the Apple World+ is complete. Many
    science-fiction stories have posited a world where governments have become
    irrelevant and been replaced by corporations: I suspect Apple is closest to
    making this holistic control over the user's life a reality.

    I expect iReligion+ to be announced any day. Where others might go for the
    cut-rate "Repent and be saved! This is an exclusive TV offer" 20% off
    salvation route, I presume Apple will go for the premium offer to save your
    soul (backed up in the clouds) to an Apple branded heaven, with easy access
    to forbidden fruit, as long as you only take one bite ...

    ------------------------------

    Date: Fri, 22 Mar 2019 11:46:09 -0500
    From: Arthur Flatau <fla...@acm.org>
    Subject: Re: Inside YouTube's struggles to shut down video of the New
    Zealand shooting -- and the humans who outsmarted its systems (RISKS-31.13)

    If YouTube really wanted to be able to control the spread of video like
    this, it would be simple. They could simply shut down uploads for a time,
    until they can figure out how to screen the videos for the offensive
    content. Or they could, for a period of time, make it so uploads have to be
    reviewed by a person before going live. Obviously this would hinder other
    people uploading to YouTube for a time. However if they really wanted to
    limit the rapid dissemination of certain videos, they could do so easily,
    they just choose not to.

    ------------------------------

    Date: Fri, 22 Mar 2019 10:34:29 +1100
    From: Craig Burton <craig.alex...@gmail.com>
    Subject: Re: How a 50-year-old design came back... (RISKS-31.13)

    > larger engines and altered aerodynamics -- led to the complex flight
    > control software system

    I guess this list is very familiar with these but in case not I have to
    bring up Joseph Tainter here about the increasing cost of complexity (more
    complex solutions solve previous complexity problems)
    https://www.youtube.com/watch?v=G0R...d6ae55cb1d|40779d3379c44626b8bf140c4d5e9075|1
    And an old joke about the Space Shuttle dimensions and two horses' behinds
    http://www.astrodigital.org/space/stshorse.html

    I also understand that the Stealth Bomber is such a complex shape that it
    can only be flown by software.

    It seems like the risk of something going wrong is not a risk but a
    certainty?

    ------------------------------

    Date: Mon, 25 Mar 2019 14:15:07 -0400
    From: Paul Black <drp...@gmail.com>
    Subject: Unproven declarations about healthcare (Re: Ward, RISKS-31.13)

    Mr. Ward made a number of statements about for-profit businesses working in
    healthcare that sound quite reasonable. I ask, are there studies to support
    them?

    For instance, "... the more sick people there are (especially those that
    need expensive treatments), the more profit there is to be made." For the
    same premiums, insurance companies *far* prefer healthy clients to sick
    ones.

    "Managing symptoms is more profitable than curing a disease;" Really?
    Perhaps Big Pharma makes little on cough medicine, but has a tidy margin on
    treatments for TB.

    "Expensive drugs are more profitable than, for example, recommending simple
    changes to diet ..." Sadly, few Americans follow recommendations to change
    their diet. Americans *will* take pills.

    "... encouraging unhealthy habits is beneficial to a healthcare company."
    My insurance company and the mailers I get from hospitals and doctors all
    encourage me to have healthy habits.

    "... its a good business practice to test for everything ..." Much
    over-testing is a reaction to massive litigation in the U.S. Doctors and
    hospitals may be sued for millions if they ever fail to test for some rare
    disease.

    Government-run medicine is no panacea. The U.S. federal government has been
    incredibly wasteful and has not always picked winners, for instance, the
    Tuskegee Syphilis Study and the Enron scandal.

    ------------------------------

    Date: Sat, 23 Mar 2019 14:22:08 +0200
    From: Toby Douglass <ri...@winterflaw.net>
    Subject: Re: Is curing patients, a sustainable business model? (Ward, R-31.13)

    > When healthcare is a business, the more sick people there are
    > (especially those that need expensive treatments), the more profit
    > there is to be made. This has many bad consequences:

    Not directly and not in and of itself.

    In all things, there are factors which encourage, and there are factors
    which discourage, and in the end, you get what you get.

    I may be wrong, but I concur with the above description as *a* factor.

    There are however *more* factors - a primary factor being competition: for
    example, if a single entity offers cure, rather than symptom management,
    they clean up the market, and no sane person will prefer a provider with
    endless tests and symptom management over a few tests and a cure.

    The extent to which competition is removed from the market, which can happen
    through many means, such as absence of information for making choices, or
    through State regulation constraining choice of provider (as happens in the
    USA, through tax relief on employer provided health care) or, by being heavy
    and onerous regulation, preventing new entry to market and so defending a
    few large, existing, entrenched entities, the more the unpleasantness
    Mr. Ward describes becomes less discouraged.

    > Contrast this with universal healthcare and government-funded medical
    > research. If you are allocated with a certain budget per person and
    > tasked with improving health you will have a very different set of
    > priorities.

    The State obtains funding through taxation and creates a health care entity.
    All patients -must- pay (taxation) and if the service is no good, there is
    nowhere else for them to go, or, if private health care is permitted, they
    must continue to pay anyway for State health care.

    In all things there are factors which encourage, and factors which
    discourage, and in the end, you get what you get: to be sure there will be
    professionalism and human decency, both encouraging factors for positive
    patient outcomes, but there will also be apathy, carelessness, inefficiency
    and empire building, with no forces at work to remove them, for the really
    profound encouraging factors, that the customer pays you and can go
    somewhere else, are removed. You then get what you get.

    I may be wrong, but I think the great safety for normal, ordinary, powerless
    people, is competition. Safety lies in choice, which requires both the
    freedom to buy as they wish and the freedom for there to *be* many different
    providers to buy from. Removal of one or both of these freedoms is an
    encumbrance of serfdom.

    Many evils come from ordinary people being constrained, such that they are
    unable then to say "this is bloody awful, I'm leaving" and are instead
    forced to endure.

    ------------------------------

    Date: Sat, 23 Mar 2019 00:28:24 +0200
    From: Toby Douglass <ri...@winterflaw.net>
    Subject: The Newcastle RISKS SSL cert expired

    https://catless.ncl.ac.uk/Risks/
    Cert expired on 22 Mar, apparently.

    [NOW FIXED, TNX to Lindsay. PGN]

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.14
    ************************
     
  6. LakeGator

    Risks Digest 31.15

    RISKS List Owner

    Apr 1, 2019 6:51 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 1 April 2019 Volume 31 : Issue 15

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Might this be the last vestige of the British Empire? (PGN)
    MIT To Require 'Turing Test' for Admissions (Henry Baker)
    Russian interference alleged in mayor's election (Mark Thorson)
    ThickerThanWater[dot]com (Richard Stein)
    Electric seaplanes? (Rob Stein)
    British Airways flight lands 525 miles away from destination (USA Today)
    Computer outage led to flight delays for some U.S. biggest airlines (Vox)
    HTTPS Isn't Always As Secure As It Seems (WiReD)
    Twitter Network Uses Fake Accounts to Promote Netanyahu (NYTimes)
    Lawmakers Scrutinize Timeline for Boeing 737 MAX Software Fix (WSJ)
    Road safety: UK set to adopt vehicle speed limiters (bbc.com)
    Russia Regularly Spoofs Regional GPS (DarkReading)
    Smart talking: are our devices threatening our privacy? (The Guardian)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 1 Apr 2019 12:00:00 -0700
    From: "Peter G. Neumann" <peter....@sri.com>
    Subject: Might this be the last vestige of the British Empire?

    Given the troubles over the Brexit referendum, where at present no
    acceptable solution appears to be possible, Great Britain seems likely to be
    splitting altogether. A new proposal is that England itself would splinter,
    with London, Oxbridge, and a few other regions becoming part of France
    (Fritainnia?) to remain within the EU, while the rest of England would
    become something like Less Britain. [Some pundits mistakenly see a parallel
    with the Greater Antilles and the Lesser Antilles, although in that case,
    size was the primary measure for the naming.]

    Despite the troubles over the Troubles, it appears that Northern Ireland and
    the Republic of Ireland have finally decided to merge, with a new capital
    city to be built on the border (perhaps Dubbel, with the combined
    population, although Dubfast and Belin might also be under consideration).
    Reversing the 1973 referendum to split, this would enable Northern Ireland
    to remain within the EU, in the face of the uncertainties noted above.
    Scotland and Wales are still contemplating whether to join the new
    Fritainnia, or the new United States of Ireland; remaining with Less Britain
    somehow seems less likely to many observers.

    Finally, given all of the above, the British Parliament seems most likely to
    abolish itself altogether, starting first with the House of Lords (long
    overdue), and then Commons.

    [So, why is this relevant to RISKS? Once again, late-stage maneuvering
    seems to be just one more example of the results of short-term
    optimization instead of long-term planning. The Foresight Saga
    strikes again. PGN]

    ------------------------------

    Date: Mon, 1 Apr 2019 13:00:00 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: MIT To Require 'Turing Test' for Admissions

    Cambridge, MA -- The Massachusetts Institute of Technology ("MIT") today
    announced that -- in addition to the usual SAT, ACT, etc., standardized
    tests -- applicants to MIT will now also have to pass a Turing Test.

    ``The Turing test, developed by [famed English WWII codebreaker and
    computer scientist] Alan Turing in 1950, is a test of a machine's ability
    to exhibit intelligent behavior equivalent to, or indistinguishable from,
    that of a human.'' -- Wikipedia

    ``We've been overwhelmed by applications from robots,'' said Dr. Noah
    Gnurds, MIT Director of Admissions. Dr. Gnurds continued, "If we didn't
    filter out robot applications, our current acceptance ratio of 7.9% would be
    10^-3 times as large. As it is, we send out ten times as many acceptance
    letters to robots as to human applicants. This new test will ensure that we
    admit people, not test scores."

    NYTimes reporter Ivy Leek asked, ``Is MIT's announcement related in any way
    to the recent 'Operation Varsity Blues' college admissions scandal?''

    ``Not really. We doubt that MIT will be implicated, because MIT doesn't
    admit applicants too stupid not to use Tor, Signal and untraceable
    blockchain cryptocurrencies for their legacies,'' Dr. Gnurds responded.

    When asked how these new Turing Tests would be administered, Dr. Gnurds
    said, ``Due to the substantial effort required to administer these tests,
    MIT has developed a new Artificial Intelligence/Machine Learning program in
    conjunction with IBM's Watson research effort. IBM believes that Watson can
    sniff out even the most sophisticated robots.''

    ``Isn't there some irony in utilizing a robot to test for robots?'' asked a
    reporter from MIT Technology Review. Noah replied, ``It takes one to know
    one.''

    ------------------------------

    Date: Mon, 1 Apr 2019 08:00:22
    From: Mark Thorson <e...@dialup4less.com>
    Subject: Russian interference alleged in mayor's election

    WASHINGTON DC (4/1/2019) -- Sources close to the recent Mueller probe leaked
    an unlikely finding in the investigation of Russian interference in U.S.
    elections. According to experts, social-media hackers engineered the upset
    victory of the mayor of a small city in Idaho. Vladimir Jackson won the top
    office of Moscow, ID, with an astounding 97% of votes cast. "The election
    had to be rigged," said Solomon Spaulding, owner and operator of Moscow
    Haircuts. "I know most everybody in town, and nobody I know voted for him."

    Jackson, originally from New York City, ran on a black separatist platform,
    which advocates the creation of an independent Afro-American state in a
    region that is presently in Idaho. Reached for comment, Jackson denied any
    illegitimacy in the election. "Isn't that the way it always is?" he asked.
    "When a white guy gets elected nobody says the election is rigged, but when
    a black guy gets elected people just assume it can't be kosher. Give me a
    break!"

    "There is no doubt that Russians exerted influence in the Moscow mayor's
    race," said an informed source on condition of anonymity. "What we don't
    know is whether it's because the town's name is Moscow, the candidate's name
    is Vladimir, or maybe they sought to sow discord by supporting black
    separatism." A spokesperson for the Russian embassy denied any involvement,
    saying, "Why do we care about mayor? We got bigger fish. This is only to
    make us look bad. We no do it."

    ------------------------------

    Date: Mon, 1 Apr 2019 18:46:08 -0800
    From: Richard Stein <rms...@ieee.org>
    Subject: ThickerThanWater[dot]com

    WASHINGTON, D.C. -- In a nationwide sting operation involving 600 federal
    marshals and over 20 FBI field offices, the Justice Department indicted the
    principals of ThickerThanWater.com (TTW), a startup specializing in human
    DNA analysis. The indictment also names intelligence and law enforcement
    personnel. TTW had planned their initial public offering the following week.

    TTW was a deep-state cover business established for one purpose: Create,
    manage, and monetize a vast human DNA database to accelerate cold-case
    closure, exonerate the wrongly convicted, and track foreign espionage
    sleeper agents.

    To promote these objectives, TTW funded a "blood bounty" program enlisting
    nearly 10,000 phlebotomists over a 9-month interval. Records show that each
    participating phlebotomist pocketed almost $500/day, at $5 per sample cash,
    with no questions asked by patients subject to routine blood extraction per
    hospital or doctor wellness visit.

    Dropoff locations reportedly overflowed with blood samples containing
    personal identifying information. Hospital administrators were blind to the
    blood sample tube inventory turnover; the extra consumables were never
    missed.

    TTW's corporate charter sought to commercially exploit DNA telomeric
    extrapolation maps. These maps, when combined with Turing's tNose, enabled
    human exposome tracking.

    The exposome is the unique aroma, a scent-like fingerprint, that each person
    exudes from interactions between skin bacteria and pheromones. Telomeric
    extrapolation maps predetermine each person's mix of skin bacteria and
    pheromone, coupled to DNA replication and protein synthesis.

    Approximately 250 million DNA profiles were created by TTW and their army of
    phlebotomists-for-hire. Each profile was subject to real-time exposomal
    tracing. The Justice Department released a 2 minute-long videoclip of TTW's
    SOC -- Smell Operation Center -- showing red, blue, and green exposomal tracks
    with metadata updates across a large tessellated display.

    A Justice Department spokeswoman refused to comment on cold-case closures,
    prisoner releases, or sleeper spy discoveries.

    "I thought I was being patriotic when TTW called," said Ann, a phlebotomist
    with 12 years of experience. "I figured that law enforcement and
    intelligence agencies needed the help. The bounty added up quickly. Of
    course, I reported every nickel of bounty-earned income on my taxes -- I
    kept sample records on my phone!"

    As TTW's CEO was perp-walked and frog-marched under police custody, she
    shouted, "Blood is thicker than water!"

    ------------------------------

    Date: Tue, 26 Mar 2019 12:05:58 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Electric seaplanes?

    I've lived around seaplanes all my life. At one point I spent a lot of time
    traveling up and down the coast in seaplanes, particularly Beavers. So I
    was very interested in this story about Harbour Air converting float planes
    to battery power.
    Harbour Air and magniX Partner to Build World's First All-Electric Airline (Harbour Air Seaplanes)
    Harbour Air to add zero-emission electric plane; aims to convert whole fleet

    The initial conversion of a Beaver will be intriguing. I'll be fascinated
    when they get to convert an Otter (a candidate for world's noisiest
    aircraft) to electricity. (I know Harbour Air has a number of them.)

    I'll be wondering how well electric engines get along with salt water. Most
    of my flying time was at longer distances, so I'm curious about the
    half-hour range. (Although that's well within most of Harbour Air's
    scheduled flights.) I'll be interested in recharge time and reliability.
    (Harbour Air planes do tend to spend a lot of time sitting at the dock in
    the bay.) The complete changeover from turbine engine to electric
    infrastructure will be a non-trivial accomplishment.

    But, if it works, it could be pretty great ...

    ------------------------------

    Date: Tue, 26 Mar 2019 15:23:50 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: British Airways flight lands 525 miles away from destination

    British Airways apologizes to travelers after flight lands 525 miles away from destination

    ------------------------------

    Date: Tue, 26 Mar 2019 15:25:53 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Computer outage led to flight delays for some U.S. biggest airlines
    (Vox)

    The outage affected American Airlines, JetBlue, and other major airlines.

    A computer outage led to flight delays for some of the US’s biggest airlines

    ------------------------------

    Date: Thu, 28 Mar 2019 08:46:53 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: HTTPS Isn't Always As Secure As It Seems (WiReD)

    Widespread adoption of the web encryption scheme HTTPS has added a lot of
    green padlocks and corresponding data protection -- to the web. Almost all
    of the popular sites you visit every day likely offer this defense, called
    Transport Layer Security (TLS), which encrypts data between your browser and
    the web servers it communicates with to protect your travel plans,
    passwords, and embarrassing Google searches from prying eyes. But new
    findings from researchers at Ca' Foscari University of Venice in Italy and
    TU Wien in Austria indicate that a surprising number of encrypted sites
    still leave these connections exposed.

    In analysis of the web's top 10,000 HTTPS sites -- as ranked by Amazon-owned
    analytics company Alexa -- the researchers found that 5.5 percent had
    potentially exploitable TLS vulnerabilities. These flaws were caused by a
    combination of issues in how sites implemented TLS encryption schemes and
    failures to patch known bugs (of which there are many in TLS and its
    predecessor, Secure Sockets Layer). But the worst thing about these flaws is
    they are subtle enough that the green padlock will still appear.

    "We assume in the paper that the browser is up to date, but the things that
    we found are not spotted by the browser," says Riccardo Focardi, a network
    security and cryptography researcher at Ca' Foscari University, who also
    co-founded the auditing firm Cryptosense. "These are things that are not
    fixed and are not even noticed. We wanted to identify these problems with
    sites' TLS that are not yet pointed out on the user side."

    The researchers, who will present their full findings at the IEEE Symposium
    on Security and Privacy in May, developed TLS analysis techniques and also
    used some from existing cryptographic literature to crawl and vet the top
    10,000 sites for TLS issues. And they developed three categories for the
    types of vulnerabilities they found...

    HTTPS Isn't Always As Secure As It Seems

    ------------------------------

    Date: Mon, 1 Apr 2019 10:05:31 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Twitter Network Uses Fake Accounts to Promote Netanyahu (NYTimes)

    An Israeli watchdog group has discovered a network of hundreds of fake
    Twitter accounts, all promoting the candidacy of PM Netanyahu and his party,
    using exact wordings of the party's official messages. These accounts
    "like" and re-tweet each other, in an attempt to create the impression of
    large grass-roots support.

    Twitter Network Uses Fake Accounts to Promote Netanyahu, Israel Watchdog Finds

    Luckily, bots cannot actually vote (yet?)

    ------------------------------

    Date: Wed, 27 Mar 2019 07:33:42 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Lawmakers Scrutinize Timeline for Boeing 737 MAX Software Fix (WSJ)

    The basics of the safety change were first described to airlines and pilot
    groups last November

    Lawmakers Scrutinize Timeline for Boeing 737 MAX Software Fix

    ------------------------------

    Date: Thu, 28 Mar 2019 05:38:05 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Road safety: UK set to adopt vehicle speed limiters (bbc.com)

    "Under the ISA system, cars receive information via GPS and a digital map,
    telling the vehicle what the speed limit is. This can be combined with a
    video camera capable of recognising road signs."

    RISKS Trifecta: GPS spoofing, digital map inaccuracies, digital image
    recognition.

    ------------------------------

    Date: Wed, 27 Mar 2019 22:03:11 -0700
    From: Rich Wales <ri...@richw.org>
    Subject: Russia Regularly Spoofs Regional GPS (DarkReading)

    A large-scale analysis of data has discovered widespread Russian government
    spoofing of the country's satellite navigation system. The findings
    underscore the dangers of relying on global positioning data.

    (This could also presumably lead to problems with Russian time enthusiasts
    using GLONASS for time synchronization in computer networks.)

    Russia Regularly Spoofs Regional GPS

    ------------------------------

    Date: Sun, 31 Mar 2019 19:11:05 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Smart talking: are our devices threatening our privacy?
    (The Guardian)

    Millions of us now have virtual assistants, in our homes and our
    pockets. Even children's toys are getting smart. But when we talk to them,
    who is listening?

    Smart talking: are our devices threatening our privacy?

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    RISKS Info Page

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    The Risks Digest --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: The RISKS Forum Mailing List (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <Join ACM>

    ------------------------------

    End of RISKS-FORUM Digest 31.15
    ************************
     
  7. LakeGator

    LakeGator Mostly Harmless Moderator VIP Member

    4,771
    568
    333
    Apr 3, 2007
    Tampa
    Risks Digest 31.16

    RISKS List Owner

    Apr 6, 2019 5:49 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 6 April 2019 Volume 31 : Issue 16

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    DoD AI's to monitor "Top Secret" employees (Defense One)
    WikiLeaks: "Don't Be Evil!" was Google's "Warrant Canary" (Henry Baker)
    Half of Industrial Control System Networks have Faced Cyberattacks,
    Say Security Researchers (ZDNet)
    Hackers reveal how to trick a Tesla into steering towards oncoming traffic
    (Charlie Osborne)
    Tesla cars keep more data than you think, including this video of a
    crash that totaled a Model 3 (FTC via Geoff Goodfellow)
    What AI Can Tell From Listening to You (WSJ)
    Can we stop AI outsmarting humanity? (The Guardian)
    AI is flying drones -- very, very slowly (NYTimes)
    New Climate Books Stress We Are Already Far Down The Road To A
    Different Earth (TPR)
    Are We Ready For An Implant That Can Change Our Moods? (npr.org)
    Researchers Find Google Play Store Apps Were Actually Government Malware
    (Motherboard)
    Office Depot Pays $25 Million To Settle Deceptive Tech Support
    Lawsuit (Bleeping Computer)
    Why Pedestrian Deaths Are At A 30-Year High (NPR)
    More on the RISKS.ORG Newcastle certificate issue (Lindsay Marshall)
    Insurers Creating a Consumer Ratings Service for Cybersecurity Industry
    (WSJ)
    Another Gigantic Leak (PGN)
    Nokia phones caught mysteriously sending data to Chinese servers (BGR)
    IBM + Flickr + facial recognition + privacy (Fortune via Gabe Goldberg)
    Brits: Huawei's code is a steaming pile... (Henry Baker)
    More on the Swiss electronic voting experiment (Post -- Swiss)
    'The biggest, strangest problem I could find to study' (bbc.com)
    Black-box data shows anti-stalling feature engaged in Ethiopia
    crash (WashPost)
    The emerging Boeing 737 MAX scandal, explained (Vox)
    Re: How a 50-year-old design came back... (David Brodbeck)
    Re: How Google's Bad Data Wiped a Neighborhood off the Map (Dan Jacobson)
    Re: Tweet by Soldier of FORTRAN on Twitter (Dan Jacobson)
    Re: Unproven declarations about healthcare (Martin Ward, Wol)
    Re: Is curing patients, a sustainable business model? (Dmitri Maziuk)
    According to this bank, password managers are bad (Sheldon Sheps)
    "Privacy and Security Across Borders" (Jen Daskel via Marc Rotenberg)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 29 Mar 2019 08:32:22 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: DoD AI's to monitor "Top Secret" employees (Defense One)

    [As this is very near April 1st, RISKS may need a special 'April First
    Really Really Real' edition aka 'You can't make this stuff up' edition for
    items that would otherwise have been thought to be April Fool jokes. HB]

    Wouldn't it be cheaper/simpler/faster to simply outsource this DoD
    monitoring (called 'Project Snowden', perhaps?) to a Chinese company, since
    they already have the SCS software, and -- due to the Chinese having hacked
    all of the Form 86's -- they already have all the data, too?

    "For serious offenders, ... switching the person's ringtone, which
    could begin with the wail of a police siren" -- China's SCS

    Once again, the US is falling behind China in AI technology!

    Patrick Tucker, Technology Editor, *Defense One*, 26 Mar 2019
    The US Military Is Creating the Future of Employee Monitoring

    A new AI-enabled pilot project aims to sense "micro changes" in the behavior
    of people with top-secret clearances. If it works, it could be the future
    of corporate HR.

    The U.S. military has the hardest job in human resources: evaluating
    hundreds of thousands of people for their ability to protect the nation's
    secrets. Central to that task is a question at the heart of all labor
    relations: how do you know when to extend trust or take it away?

    The office of the Defense Security Service, or DSS, believes artificial
    intelligence and machine learning can help. Its new pilot project aims to
    sift and apply massive amounts of data on people who hold or are seeking
    security clearances. The goal is not just to detect employees who have
    betrayed their trust, but to predict which ones might -- allowing problems
    to be resolved with calm conversation rather than punishment.

    If the pilot proves successful, it could provide a model for the future of
    corporate HR. But the concept also affords employers an unprecedented
    window into the digital lives of their workers, broaching new questions
    about the relationship between employers, employees, and information in the
    age of big data and AI.

    The pilot is based on an urgent need. Last June, the Defense
    Department took over the task of working through the security
    clearance backlog -- more than 600,000 people. Some people -- and the
    organizations that want to hire them -- wait more than a year,
    according to a September report from the National Background
    Investigations Bureau. Those delays stem from an antiquated system
    that involves mailing questionnaires to former places of employment,
    sometimes including summer jobs held during an applicant's
    adolescence, waiting (and hoping) for a response, and scanning the
    returned paper document into a mainframe database of the sort that
    existed before cloud computing.

    In addition to being old-fashioned, that process sheds light on an
    individual only to the degree that past serves as prologue. As an indicator
    of future behavior, it's deeply wanting, say officials.

    This effort to create a new way to gauge potential employees' risk is being
    led by Mark Nehmer, the technical director of research and development and
    technology transfer at DSS' National Background Investigative Services.

    This spring, DSS is launching what they describe as a "risk-based user
    activity pilot." It involves collecting an individual's digital footprint,
    or "cyber activity," essentially what they are doing online, and then
    matching that with other data that the Defense Department has on the person.
    Since "online" has come to encompass all of life, the effect, they hope,
    will be a full snapshot of the person. "We anticipate early results in the
    fall," a DSS official said in an email on Tuesday.

    The Department of Defense already does some digital user activity
    monitoring. But the pilot seeks a lot more information than is currently
    the norm. "In the Department of Defense, user activity monitoring is
    typically constructed around an endpoint. So think of your laptop. It's
    just monitoring activity on your laptop. It's not looking at any other
    cyber data that's available" -- perhaps 20 percent of the available digital
    information on a person, Nehmer said at a November briefing put on by
    company, C3, a California-based technology company serving as a partner on
    the pilot. [...]

    [Very long item pruned for RISKS. PGN]

    ------------------------------

    Date: Sun, 31 Mar 2019 12:09:10 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: WikiLeaks: "Don't Be Evil!" was Google's "Warrant Canary"

    April 1, 2019 [Note: Despite Henry's noting that the previous items might
    be perceived as April Fools' items, this one is a genuine April Fools'
    item ("real fake news"), submitted too late for the previous RISKS issue.
    PGN]

    London, UK -- Documents released by WikiLeaks today show that Google's
    use of the motto "Don't Be Evil!" was actually a warrant canary.

    "A warrant canary is a method by which a [company] aims to inform its users
    that the [company] has been served with a secret government subpoena
    despite legal prohibitions on revealing the existence of the subpoena. The
    warrant canary typically informs users that there has *not* been a secret
    subpoena as of a particular date. ... If the warning is removed, users
    are to assume that the host has been served with such a subpoena. The
    intention is to allow the [company] to warn users of the existence of a
    subpoena passively, without disclosing to others that the government has
    sought or obtained access to information or records under a secret
    subpoena." -- Wikipedia
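    The monitoring logic the quoted definition implies, as an added example that
    is not part of Henry Baker's item or of any real canary service: a client
    keeps checking a dated, signed statement, and treats a missing, stale or
    tampered statement as the passive warning. The HMAC tag stands in for the
    detached PGP signature a real canary would carry, and the company name, key
    and dates are constructed.

```python
"""Warrant-canary monitor (constructed example).

A canary is a dated statement ("As of YYYY-MM-DD, ... has not received ...")
published on a schedule. The client never expects a positive warning; it infers
one from the statement being absent, too old, or no longer authentic.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass
from datetime import date, timedelta
from enum import Enum
from typing import Iterable, Optional, Tuple


class CanaryStatus(Enum):
    CLEAR = "clear"      # fresh, authentic: no subpoena as of the stated date
    STALE = "stale"      # present but older than the publication interval allows
    MISSING = "missing"  # gone: by convention, assume a subpoena was served
    INVALID = "invalid"  # present but malformed or signature does not verify


@dataclass(frozen=True)
class Canary:
    statement: str
    signature: str  # hex HMAC-SHA256 tag; stand-in for a detached PGP signature


_AS_OF = re.compile(r"^As of (\d{4})-(\d{2})-(\d{2}),")


def _tag(statement: str, key: bytes) -> str:
    return hmac.new(key, statement.encode("utf-8"), hashlib.sha256).hexdigest()


def sign_canary(statement: str, key: bytes) -> Canary:
    """Publisher side: attach the authentication tag to a new statement."""
    return Canary(statement=statement, signature=_tag(statement, key))


def parse_as_of(statement: str) -> Optional[date]:
    """Extract the 'as of' date; None if the statement is not in canary form."""
    m = _AS_OF.match(statement)
    if not m:
        return None
    try:
        return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))
    except ValueError:
        return None


def evaluate(canary: Optional[Canary], key: bytes, today: date,
             max_age_days: int) -> CanaryStatus:
    """Client side: classify one fetch of the canary page."""
    if canary is None:
        return CanaryStatus.MISSING
    # Verify authenticity before trusting the date inside the statement.
    if not hmac.compare_digest(_tag(canary.statement, key), canary.signature):
        return CanaryStatus.INVALID
    as_of = parse_as_of(canary.statement)
    if as_of is None or as_of > today:
        return CanaryStatus.INVALID  # malformed or future-dated statement
    if today - as_of > timedelta(days=max_age_days):
        return CanaryStatus.STALE
    return CanaryStatus.CLEAR


def first_alarm(observations: Iterable[Tuple[date, Optional[Canary]]],
                key: bytes, max_age_days: int) -> Optional[Tuple[date, CanaryStatus]]:
    """Walk dated fetches in order; return the first one that is not CLEAR."""
    for check_date, canary in observations:
        status = evaluate(canary, key, check_date, max_age_days)
        if status is not CanaryStatus.CLEAR:
            return check_date, status
    return None


# Constructed sample data: not a real key, company or publication history.
KEY = b"constructed-demo-key-not-a-real-secret"
STATEMENT = ("As of 2019-03-31, Example Corp has not received any secret "
             "government subpoena.")
SIGNED = sign_canary(STATEMENT, KEY)
OBSERVATIONS = [
    (date(2019, 4, 6), SIGNED),
    (date(2019, 4, 20), SIGNED),
    (date(2019, 5, 4), SIGNED),
    (date(2019, 5, 18), None),  # canary page went away: the passive warning
]

if __name__ == "__main__":
    for check_date, canary in OBSERVATIONS:
        print(check_date, evaluate(canary, KEY, check_date, 45).value)
    print("first alarm:", first_alarm(OBSERVATIONS, KEY, 45))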

    "We at Google never wanted to be NSA's evil stooge, but the FISA Court made
    us do it," said a person close to the Google founders. "We knew all hope
    was lost when air traffic control designated our Google 767 jet as 'Air
    Force 666' while landing at Andrews [AF Base outside Washington, DC]."

    The WikiLeaks documents show mostly unwitting collusion between the NSA and
    Google from the very beginning in 1998, but the pressure that triggered the
    warrant canary came to a head after Edward Snowden's disclosures and
    increased NSA pressure for Google to move back into China.

    NSA's budget had suffered from the end of the Soviet Union, just at the time
    the Internet was taking off. NSA couldn't keep pace with the torrid
    technology trends, and also couldn't hire the best talent. However, the NSA
    could ride the coattails of Silicon Valley startups like Google which would
    gather all the intel data, and NSA could subsequently force them to disgorge
    it via the Third Party Doctrine.

    "The third-party doctrine ... holds that people who voluntarily give
    information to third parties--such as [Google]--have "no reasonable
    expectation of privacy." A lack of privacy protection allows the United
    States government to obtain information from third parties without a legal
    warrant and without otherwise complying with the Fourth Amendment
    prohibition against search and seizure without probable cause and a
    judicial search warrant." -- Wikipedia

    "Basically, [ex-NSA official] William Binney was 100% correct; the NSA's
    'Trailblazer' system never worked, but Trailblazer was a smokescreen for the
    NSA's covert access to all of Google's world-wide data. NSA no longer has
    to keep any databases of its own, as it has outsourced all of its
    data-gathering to Google and AWS. For example, the NSA's huge facility in
    Bluffdale, UT, is a hoax intended to fool Russian and Chinese satellites --
    it is the equivalent of Patton's [WWII] Ghost Army," according to the
    WikiLeaks spokesperson.

    "Yes, NSA Bluffdale uses a lot of electricity, but that's primarily for
    mining Bitcoin most likely used to fund illegal CIA operations, a la Contra"
    she speculated.

    While Brin and Page developed the Google search algorithm on their own, the
    WikiLeaks documents show that the shadowy CIA venture fund In-Q-Tel then
    pressured Google into developing cellphones and home surveillance devices
    such as routers, cameras and 'thermostats' [wink! wink! microphones,
    ahem!].

    "The WikiLeaks documents also show that Google's subsequent name 'Alphabet'
    was a paean to all of the 'three letter agencies' (TLA's) that Google had
    been forced to work with over the years," she added.

    ------------------------------

    Date: Mon, 1 Apr 2019 11:45:06 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: Half of Industrial Control System Networks have Faced Cyberattacks,
    Say Security Researchers (ZDNet)

    Danny Palmer, ZDNet, 27 Mar 2019 via ACM TechNews, 1 Apr 2019

    Kaspersky Lab's "Threat Landscape for Industrial Automation Systems" report
    found that almost 50% of industrial systems display evidence of attackers
    attempting malicious activity--in most cases, detected by security software.
    The statistics, which are based on anonymized data submitted to the
    Kaspersky Security network by the company's customers, show that the main
    attack vector for these systems is via the Internet, with hackers on the
    lookout for unsecured ports and systems to gain access to; this method
    accounted for 25% of identified threats. The configuration used by many
    industrial networks leaves them open to self-propagating campaigns that can
    easily find them. Removable media was identified as the second most-common
    threat to industrial networks, followed by email-based phishing attacks.
    The Kaspersky researchers recommend regularly updating operating systems and
    software on industrial networks and applying security fixes and patches
    where available.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1f213x21b4fbx070496&

    ------------------------------

    Date: Tue, 02 Apr 2019 11:25:10 -0700
    From: Gene Wirchenko <ge...@telus.net>
    Subject: Hackers reveal how to trick a Tesla into steering towards oncoming
    traffic (Charlie Osborne)

    Charlie Osborne for Zero Day (2 Apr 2019)
    A root vulnerability and a few stickers were all it took.

    Hackers reveal how to trick a Tesla into steering towards oncoming traffic | ZDNet

    A team of hackers has managed to trick the Tesla Autopilot feature into
    dive-bombing into the wrong lane remotely through root control and a few
    stickers.

    By applying small, inconspicuous stickers to the road, the system failed to
    notice that the fake lane was directed towards another lane -- a scenario
    the team says could have serious real-world consequences.

    The vulnerability and security weaknesses found by Tencent were reported to
    Tesla and have now been resolved. The findings were shared with attendees of
    Black Hat USA 2018.

    ------------------------------

    Date: Sun, 31 Mar 2019 04:17:21 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Tesla cars keep more data than you think, including this video of a
    crash that totaled a Model 3

    -- Crashed Tesla vehicles, sold at junk yards and auctions, contain
    deeply personal and unencrypted data including info from drivers' paired
    mobile devices, and video showing what happened just before the accident.
    -- Security researcher GreenTheOnly extracted unencrypted video,
    phonebooks, calendar items and other data from Model S, Model X and Model 3
    vehicles purchased for testing and research at salvage.
    -- Hackers who test or modify the systems in their own Tesla vehicles are
    flagged internally, ensuring that they are not among the first to receive
    over-the-air software updates.

    EXCERPT:

    If you crash your Tesla, when it goes to the junk yard, it could carry a
    bunch of your history with it.

    That's because the computers on Tesla vehicles keep everything that drivers
    have voluntarily stored on their cars, plus tons of other information
    generated by the vehicles including video, location and navigational data
    showing exactly what happened leading up to a crash, according to two
    security researchers.

    One researcher, who calls himself GreenTheOnly, describes himself as a
    white-hat hacker and a Tesla enthusiast who drives a Model X. He has
    extracted this kind of data from the computers in a salvaged Tesla Model S,
    Model X and two Model 3 vehicles, while also making tens of thousands of
    dollars cashing in on Tesla bug bounties in recent years. He agreed to speak
    and share data and video with CNBC on the condition of pseudonymity, citing
    privacy concerns.

    Many other cars download and store data from users, particularly information
    from paired cellphones, such as contact information. The practice is
    widespread enough that the US Federal Trade Commission has issued advisories
    to drivers warning them about pairing devices to rental cars
    <https://www.consumer.ftc.gov/blog/2016/08/what-your-phone-telling-your-rental-car>,
    and urging them to learn how to wipe their cars' systems
    <Selling your car? Clear your personal data first.>
    clean before returning a rental or selling a car they owned.

    But the researchers' findings highlight how Tesla is full of contradictions
    on privacy and cybersecurity. On one hand, Tesla holds car-generated data
    closely and has fought customers in court to refrain from giving up vehicle
    data.
    Tesla blames drivers who wreck its cars but won't hand over crash data without a court order
    https://www.plainsite.org/dockets/3...ew-york-nassau-county/wang-jing-vs-tesla-inc/
    Owners must purchase $995 cables and download a software kit from Tesla to
    get limited information out of their cars via event data recorders there,
    should they need this for legal, insurance or other reasons.

    At the same time, crashed Teslas that are sent to salvage can yield
    unencrypted and personally revealing data to anyone who takes possession of
    the car's computer and knows how to extract it.

    The contrast raises questions about whether Tesla has clearly defined goals
    for data security, and who its existing rules are meant to protect. [...]

    https://www.cnbc.com/2019/03/29/tes...ike-crash-videos-location-phone-contacts.html

    ------------------------------

    Date: Tue, 2 Apr 2019 10:29:43 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: What AI Can Tell From Listening to You (WSJ)

    Artificial intelligence promises new ways to analyze people's voice -- and
    determine their emotions, physical health, whether they are falling asleep at
    the wheel and much more.

    https://www.wsj.com/articles/what-ai-can-tell-from-listening-to-you-11554169408

    ------------------------------

    Date: Sun, 31 Mar 2019 19:10:51 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Can we stop AI outsmarting humanity? (The Guardian)

    The spectre of superintelligent machines doing us harm is not just science
    fiction, technologists say -- so how can we ensure AI remains *friendly* to
    its makers?

    https://www.theguardian.com/technol...-humanity-artificial-intelligence-singularity

    ------------------------------

    Date: Wed, 27 Mar 2019 22:31:28 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: AI is flying drones -- very, very slowly (NYTimes)

    https://www.nytimes.com/2019/03/26/technology/alphapilot-ai-drone-racing.html

    Artificial intelligence has bested top players in chess, Go and even
    StarCraft. But can it fly a drone faster than a pro racer? More than $1
    million is on the line to find out.

    ------------------------------

    Date: Sat, 30 Mar 2019 06:40:01 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: New Climate Books Stress We Are Already Far Down The Road To A
    Different Earth (TPR)

    It was a telling moment: David Wallace-Wells, author of the new book The
    Uninhabitable Earth, was making an appearance on MSNBC's talk show Morning
    Joe. He took viewers through scientific projections for drowned cities,
    death by heat stroke and a massive, endless refugee crisis -- due to climate
    change. As the interview closed, one of the show's hosts, Willie Geist,
    looked to Wallace-Wells and said, "Let's end on some hope."

    The disconnect speaks volumes about where we are now relative to climate
    change. With his new book, which has quickly become a bestseller,
    Wallace-Wells wants to be the firefighter telling you your house is going up
    in flames right now. The Uninhabitable Earth: Life After Warming's
    perspective can be neatly summed up through its opening line: "It's worse,
    much worse, than you think." Geist, standing in for all of us, seems stunned
    by the scale and urgency of the problem and wants to hear something that
    will make him feel better.

    Feeling better is definitely not what's going to happen if you read The
    Uninhabitable Earth or a second new book on climate change, Losing Earth: A
    Recent History by Nathaniel Rich. But that doesn't mean you shouldn't read
    both of them. We humans, and our project of civilization, are entering new
    territory with the climate change we've driven -- and both books offer
    valuable perspectives if we're committed to being adult enough to face the
    future.

    When climate scientists use their models to project forward, they see a
    spread of possible changes in the average temperature of the planet. Over
    the next century or so, the predicted temperature increase ranges from
    about two degrees to an upper limit of about eight degrees. Which path
    Earth takes depends on its innate sensitivity to the carbon dioxide we're
    dumping into the atmosphere combined with -- and most important -- our own
    decisions about how much more carbon dioxide to add.

    In Losing Earth, Rich wants us to understand how policymakers learned of,
    and then ignored, the grave risks these paths represent for our future. In
    The Uninhabitable Earth, Wallace-Wells wants us to understand just how bad
    that future may get.

    The point for humanity is that with every degree of warming, we get further
    from the kind of world we grew up in. For Wallace-Wells this is not just a
    matter of where you can go skiing in 2040. The Uninhabitable Earth focuses
    on the potent cascades that flow through the entirety of the complex
    human-environmental interaction we call "civilization." So, when
    Wallace-Wells talks of economic impacts, he cites a study linking 3.7
    degrees of warming to over $550 trillion of climate-related damage. Since
    $550 trillion is twice today's global wealth, the conclusion is that
    eventually rebuilding from the "n-th" superstorm will stop. We'll just
    abandon our cities or live within the ruin. The Uninhabitable Earth also
    gives us similar visions of rising hunger and conflict. If today's refugee
    problems are straining political systems (the Syrian crisis created 1
    million homeless people), Wallace-Wells asks us to imagine a global politics
    when more than 200 million climate refugees are on the move (a UN projection
    for 2050).

    The picture The Uninhabitable Earth paints is unsparingly bleak. But is it
    correct?

    Prediction is difficult, as Yogi Berra noted, especially about the future.
    One criticism of the book is that it favors worst-case scenarios. Indeed,
    when it comes to extrapolating the human impacts of climate change,
    researchers must rely on separate models of the planet, its ecosystems and,
    say, human economic behavior. Each has its uncertainties and each yields
    not one river-like line for the future but, instead, a spreading delta of
    possibilities. When the models are combined, the uncertainties compound,
    making risk-assessment a difficult task. For a scientist like myself, that
    means we have more possible futures than the one described in The
    Uninhabitable Earth... [...]

    https://www.tpr.org/post/new-climate-books-stress-we-are-already-far-down-road-different-earth

    ------------------------------

    Date: Sun, 31 Mar 2019 07:54:31 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Are We Ready For An Implant That Can Change Our Moods? (npr.org)

    https://www.npr.org/sections/health...eady-for-an-implant-that-can-change-our-moods

    "The idea of changing the brain for the better with electricity is not new,
    but deep brain stimulation takes a more targeted approach than the
    electroconvulsive therapy introduced in the 1930s. DBS seeks to correct a
    specific dysfunction in the brain by introducing precisely timed electric
    pulses to specific regions. It works by the action of a very precise
    electrode that is surgically inserted deep in the brain and typically
    controlled by a device implanted under the collarbone. Once in place,
    doctors can externally tailor the pulses to a frequency that they hope will
    fix the faulty circuit."

    Recall the book "The Danger Within Us: America's Untested, Unregulated
    Medical Device Industry and One Man's Battle to Survive It" by Jeanne Lenzer
    which discusses vagus nerve stimulator implant failure. See
    http://catless.ncl.ac.uk/Risks/30/53#subj1.1

    Without a randomized control trial to validate device efficacy, a cranial
    implant faces significant obstacles to achieve regulatory approval, gain
    widespread acceptance, and become commercially viable. Volunteers will be
    difficult to attract.

    ------------------------------

    Date: March 30, 2019 at 09:41:01 EDT
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Researchers Find Google Play Store Apps Were Actually Government
    Malware (Motherboard)

    Security researchers have found a new kind of government malware that was
    hiding in plain sight within apps on Android's Play Store. And they appear
    to have uncovered a case of lawful intercept gone wrong.

    Hackers working for a surveillance company infected hundreds of people with
    several malicious Android apps that were hosted on the official Google Play
    Store for months, Motherboard has learned.

    In the past, both government hackers and those working for criminal
    organizations have uploaded malicious apps to the Play Store. This new case
    once again highlights the limits of Google's filters that are intended to
    prevent malware from slipping onto the Play Store. In this case, more than
    20 malicious apps went unnoticed by Google over the course of roughly two
    years.

    Motherboard has also learned of a new kind of Android malware on the Google
    Play store that was sold to the Italian government by a company that sells
    surveillance cameras but was not known to produce malware until now. Experts
    told Motherboard the operation may have ensnared innocent victims as the
    spyware appears to have been faulty and poorly targeted. Legal and law
    enforcement experts told Motherboard the spyware could be illegal.

    The spyware apps were discovered and studied in a joint investigation by
    researchers from Security Without Borders, a non-profit that often
    investigates threats against dissidents and human rights defenders, and
    Motherboard. The researchers published a detailed, technical report of their
    findings on Friday.

    ``We identified previously unknown spyware apps being successfully uploaded
    on Google Play Store multiple times over the course of over two years. These
    apps would remain available on the Play Store for months and would
    eventually be re-uploaded,'' the researchers wrote.

    Lukas Stefanko, a researcher at security firm ESET, who specializes in
    Android malware but was not involved in the Security Without Borders
    research, told Motherboard that it's alarming, but not surprising, that
    malware continues to make its way past the Google Play Store's filters.

    ``Malware in 2018 and even in 2019 has successfully penetrated Google Play's
    security mechanisms. Some improvements are necessary, Google is not a
    security company, maybe they should focus more on that.''

    MEET EXODUS

    In an apparent attempt to trick targets to install them, the spyware apps
    were designed to look like harmless apps to receive promotions and marketing
    offers from local Italian cellphone providers, or to improve the device's
    performance...

    https://motherboard.vice.com/en_us/...oid-malware-in-google-play-store-exodus-esurv

    ------------------------------

    Date: Sun, 31 Mar 2019 00:10:49 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Office Depot Pays $25 Million To Settle Deceptive Tech Support
    Lawsuit (Bleeping Computer)

    https://www.bleepingcomputer.com/ne...ion-to-settle-deceptive-tech-support-lawsuit/

    ------------------------------

    Date: Sun, 31 Mar 2019 19:05:29 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Why Pedestrian Deaths Are At A 30-Year High (NPR)



    ------------------------------

    Date: Tue, 2 Apr 2019 09:05:36 +0000
    From: Lindsay Marshall <Lindsay...@ncl.ac.uk>
    Subject: More on the RISKS.ORG Newcastle certificate issue

    The certificate expiration issue for catless at Newcastle was a little more
    complicated than it might appear. catless.ncl.ac.uk exists only on a gateway
    machine that forwards all calls to another machine that is not visible to
    the outside world. (This causes its own problems (e.g. logging), but they
    are not relevant here.) This gateway machine is not under my control and so
    I am out of the loop wrt things like certificates. Certificate expiration
    should not be a huge problem for the risks site, though, as it does not
    really need an HTTPS connection for safe operation. However, the RISKS site
    is set up to be highly cacheable and to use a variety of other security
    features, as I use it in my lectures to demonstrate these features. (See
    https://redbot.org/?uri=https://catless.ncl.ac.uk/risks if you want the
    gory details). Recently I added the use of the HSTS
    Strict-Transport-Security header, and, as recommended in various places, set
    a long expiry date -- after all it is not as if I were going to change my
    mind. This does mean though that if your certificate expires, browsers will
    not let you fall back from HTTPS to HTTP to get to the site, which is indeed
    what happened -- they do not provide useful error messages when this happens
    either. In the end I used lynx to browse to the site and got a sensible
    `certificate expired' error message, and put in a ticket for a new
    certificate. Currently HSTS is not enabled, though many of your browsers
    will be remembering that it is for a long time. It's a difficult call to
    know whether to re-enable it with a short expiry time, go back to what it
    was and keep an eye on the certificate or just turn it off.
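
    The failure mode described above is a general one: once a browser has cached
    a Strict-Transport-Security policy, it refuses plain HTTP for the full
    max-age, so a lapsed certificate locks returning visitors out. The following
    Python check is an added example, not code from Lindsay Marshall's post or
    from the catless site; the function names, the sample header and the sample
    dates are this example's own assumptions. It parses an HSTS header value,
    compares max-age with the time left on the certificate, and reports whether
    the cached policy would outlive the certificate.

```python
"""Compare an HSTS max-age with the time left on a TLS certificate.

Added example, not code from the RISKS post or from catless.ncl.ac.uk.
Names and sample values are this example's own assumptions.
"""
import socket
import ssl
import time

SECONDS_PER_DAY = 86400


def parse_hsts(header):
    """Parse a Strict-Transport-Security value (RFC 6797 directive syntax).

    Directive names are case-insensitive; a missing or unparseable
    max-age is reported as None; unknown directives are ignored.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in header.split(";"):
        name, _, value = directive.strip().partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age" and value.isdigit():
            policy["max_age"] = int(value)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def cert_time_to_epoch(cert_time):
    """Convert the notAfter form used by ssl.getpeercert(), e.g.
    'Apr 30 23:59:59 2019 GMT', to Unix seconds (UTC)."""
    return ssl.cert_time_to_seconds(cert_time)


def assess_hsts_vs_cert(header, not_after, now=None):
    """Relate the HSTS policy in `header` to a certificate expiring at
    `not_after` (ssl notAfter string), as of `now` (Unix seconds)."""
    if now is None:
        now = time.time()
    policy = parse_hsts(header)
    remaining = cert_time_to_epoch(not_after) - now
    max_age = policy["max_age"]
    enforced = max_age is not None and max_age > 0
    outlives = enforced and max_age > remaining
    if remaining <= 0:
        status = ("certificate expired: visitors holding the cached HSTS "
                  "policy cannot fall back to HTTP")
    elif outlives:
        status = ("HSTS policy outlives the certificate: renew before "
                  "expiry, there is no HTTP fallback")
    elif enforced:
        status = "ok: certificate outlasts the cached policy"
    else:
        status = "HSTS not enforced (max-age missing or 0)"
    return {
        "cert_days_left": int(remaining // SECONDS_PER_DAY),
        "hsts_max_age": max_age,
        "policy_outlives_cert": outlives,
        "status": status,
    }


def fetch_not_after(host, port=443, timeout=5.0):
    """Live lookup of a server's leaf-certificate notAfter string.
    Needs network access; the offline demonstration below does not call it."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


if __name__ == "__main__":
    # Constructed sample values, not observed from any real site.
    sample_header = "max-age=31536000; includeSubDomains"
    sample_not_after = "Apr 30 23:59:59 2019 GMT"
    sample_now = cert_time_to_epoch("Apr 01 00:00:00 2019 GMT")
    print(assess_hsts_vs_cert(sample_header, sample_not_after, sample_now))
```

    With a one-year max-age and a certificate that has a month left, the check
    reports that the policy outlives the certificate; the practical reading is
    that renewal has to happen before expiry, because the cached policy removes
    the usual "try HTTP instead" escape hatch. To check a live host, pass
    `fetch_not_after(host)` as the `not_after` argument.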

    ------------------------------

    Date: Wed, 27 Mar 2019 07:35:46 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Insurers Creating a Consumer Ratings Service for Cybersecurity
    Industry (WSJ)

    Collaborative effort led by Marsh & McLennan would score best products for
    reducing hacking risk

    https://www.wsj.com/articles/insure...ervice-for-cybersecurity-industry-11553592600

    ------------------------------

    Date: Thu, 28 Mar 2019 17:12:01 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Another Gigantic Leak

    [Courtesy of Steve Cheung]

    Yet another gigantic data leak. When will the companies ever learn to
    protect our data?

    https://nakedsecurity.sophos.com/20...on-volume-of-exposed-verificationsio-records/

    ------------------------------

    Date: Fri, 22 Mar 2019 12:29:12 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Nokia phones caught mysteriously sending data to Chinese servers

    Nokia fans waited for years for the first Nokia-Android handsets to arrive,
    and it finally happened two years ago, when HMD Global unveiled its first
    Nokia 6 handset, after acquiring the right to use the brand. Since then, HMD
    unveiled a variety of Nokia handsets, culminating with the Nokia 9 PureView
    a few weeks ago.

    However, the old Nokia has nothing to do with the Nokia phones we're seeing
    today, and all these devices are made in China by Foxconn. This brings us
    to HMD's first China-related issue, as some Nokia phones have apparently
    sent data to servers in the region without consent from users.

    A Reuters report says that Finland will investigate the HMD phones, looking
    at whether they breached data rules. It all started with Norwegian public
    broadcaster NRK, which reported the breach on Thursday. A Nokia 7 Plus
    owner was told that his phone contacted a particular server, sending data
    packages in an unencrypted format.

    According to NRK, Nokia had admitted that ``an unspecified number of Nokia 7
    Plus phones had sent data to the Chinese server,'' without disclosing who
    owned the server. [...]

    https://bgr.com/2019/03/21/nokia-data-breach-nokia-7-plus-sent-data-to-chinese-servers/

    ------------------------------

    Date: Thu, 28 Mar 2019 20:16:14 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: IBM + Flickr + facial recognition + privacy (Fortune)

    The recent news that *IBM* used more than a million photos posted on
    *Flickr* to train its facial recognition A.I. software set off alarm bells
    among privacy advocates. But that incident may be just the tip of the
    iceberg. /Fortune's/ Jeff John Roberts takes a deep dive into the facial
    recognition software industry
    https://click.newsletters.fortune.c...9788d7e2e310de3acd3c59a09a6f21b6bf53348fbd781
    where startups created photo sharing apps for smartphones to lure consumers
    into sharing their pictures.

    "We have consumers who tag the same person in thousands of different
    scenarios. Standing in the shadows, with hats-on, you name it," says Doug
    Aley, the CEO of Ever AI, a San Francisco facial recognition startup that
    launched in 2012 as EverRoll, an app to help consumers manage their
    bulging photo collections. Ever AI, which has raised $29 million from
    Khosla Ventures and other Silicon Valley venture capital firms, entered
    NIST's most recent facial recognition competition, and placed second in
    the contest's "Mugshots" category and third in "Faces in the Wild." Aley
    credits the success to the company's immense photo database, which Ever AI
    estimates to number 13 billion images.

    ------------------------------

    Date: Thu, 28 Mar 2019 08:09:19 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Brits: Huawei's code is a steaming pile...

    In short, Huawei's SW is just as crappy as everyone else's, because it was
    developed by coders who learned by copying the crappy coding practices they
    found in earlier versions of Unix/Linux, and who were highly selected
    through programming tests which could only be passed by adhering to these
    same practices (Google early Microsoft programming tests, e.g.). Yes,
    better practices are now being developed in select universities and
    companies, but there are still lots of textbooks out there which teach
    unsafe coding styles.

    I'm not trying to excuse Huawei, but I'm not certain that any other device
    vendor could pass muster, either. For example, what sort of coding style is
    going to protect against Rowhammer? Spectre?

    We need to develop safer HW & SW technologies, and then we need to
    completely rewrite several *generations'* worth of bad software.

    "There were over 5000 direct invocations of 17 different safe memcpy()-like
    functions and over 600 direct invocations of 12 different unsafe
    memcpy()-like functions. Approximately 11% of the direct invocations of
    memcpy()-like functions are to unsafe variants."

    "There were over 1400 direct invocations of 22 different safe
    strcpy()-like functions and over 400 direct invocations of 9 different
    unsafe strcpy()-like functions. Approximately 22% of the direct
    invocations of strcpy()-like functions are to unsafe variants."

    "There were over 2000 direct invocations of 17 different safe sprintf()-like
    functions and almost 200 direct invocations of 12 different unsafe
    sprintf()-like functions. Approximately 9% of the direct invocations of
    sprintf()-like functions are to unsafe variants."

    https://www.theregister.co.uk/2019/03/28/hcsec_huawei_oversight_board_savaging_annual_report/

    Huawei savaged by Brit code review board over pisspoor dev practices

    HCSEC pulls no technical punches in annual report

    By Gareth Corfield 28 Mar 2019 at 12:44

    Britain's Huawei oversight board has said the Chinese company is a threat to
    British national security after all -- and some existing mobile network
    equipment will have to be ripped out and replaced to get rid of said threat.

    "The work of HCSEC [Huawei Cyber Security Evaluation Centre]... reveals
    serious and systematic defects in Huawei's software engineering and cyber
    security competence," said the HCSEC oversight board in its annual report,
    published this morning.

    HCSEC -- aka The Cell -- based in Banbury, Oxfordshire, allows UK spy crew
    GCHQ access to Huawei's software code to inspect it for vulns and backdoors.

    The oversight folk added: "Work has continued to identify concerning issues
    in Huawei's approach to software development bringing significantly
    increased risk to UK operators, which requires ongoing management and
    mitigation."

    While the report itself does not identify any Chinese backdoors, which is
    the current American tech bogeyman du jour, it highlights technical and
    security failures in Huawei's development processes and attitude towards
    security for its mobile network equipment.

    https://www.gov.uk/government/publi...ion-centre-oversight-board-annual-report-2019

    https://assets.publishing.service.g...le/790270/HCSEC_OversightBoardReport-2019.pdf

    "In some cases, remediation will also require hardware replacement (due to
    CPU and memory constraints) which may or may not be part of natural operator
    asset management and upgrade cycles... These findings are about basic
    engineering competence and cyber security hygiene that give rise to
    vulnerabilities that are capable of being exploited by a range of actors."

    Even though Huawei has talked loudly about splurging $2bn on software
    development, heavily hinting that this would include security fixes, HCSEC
    scorned this. Describing the $2bn promise as "no more than a proposed
    initial budget for as yet unspecified activities", HCSEC said it wanted to
    see "details of the transformation plan and evidence of its impact on
    products being used in UK networks before it can be confident it will drive
    change" before giving Huawei the green light.

    The report's findings had been telegraphed long in advance by British
    government officials, who have been waging war with Huawei through the
    medium of press briefings.

    Amateurs in a world desperately needing professionals

    One key problem highlighted by the HCSEC oversight board was "binary
    equivalence", a problem Huawei has been relatively open about. HCSEC
    testers had previously flagged up problems with not knowing whether the
    binaries they were inspecting for Chinese government backdoors were
    compilable into firmware equivalent to what was deployed in live production
    environments. Essentially, the concern is that software would behave
    differently when installed in the UK's telecoms networks than it did during
    HCSEC's tests.

    In today's report, the Banbury centre team said: "Work to validate them by
    HCSEC is still ongoing but has already exposed wider flaws in the underlying
    build process which need to be rectified before binary equivalence can be
    demonstrated at scale."

    "Unless and until this is done it is not possible to be confident that the
    source code examined by HCSEC is precisely that used to build the binaries
    running in the UK networks."

    HCSEC also highlighted something The Register exclusively revealed precise
    details of this morning, saying: "It is difficult to be confident that
    vulnerabilities discovered in one build are remediated in another build
    through the normal operation of a sustained engineering process."

    It also criticised Huawei's "configuration management improvements",
    pointing out that these haven't been "universally applied" across product
    and platform development groups. Huawei's use of "an old and soon-to-be out
    of mainstream support version" of an unnamed real time operating system
    (RTOS) "supplied by a third party" was treated to some HCSEC criticism, even
    though Huawei bought extended support from the RTOS's vendor.

    HCSEC said: "The underlying cyber security risks brought about by the single
    memory space, single user context security model remain," warning that
    Huawei has "no credible plan to reduce the risk in the UK of this real time
    operating system."

    OpenSSL is used extensively by Huawei -- and in HCSEC's view perhaps too
    extensively:

    "In the first version of the software, there were 70 full copies of 4
    different OpenSSL versions, ranging from 0.9.8 to 1.0.2k (including one from
    a vendor SDK) with partial copies of 14 versions, ranging from 0.9.7d to
    1.0.2k, those partial copies numbering 304. Fragments of 10 versions,
    ranging from 0.9.6 to 1.0.2k, were also found across the codebase, with
    these normally being small sets of files that had been copied to import some
    particular functionality."

    Even after HCSEC threw a wobbly and told Huawei to sort itself out pronto,
    the Chinese company still came back with software containing "code that is
    vulnerable to 10 publicly disclosed OpenSSL vulnerabilities, some dating
    back to 2006."

    Huawei also struggles to stick to its own secure coding guidelines' rules on
    memory handling functions, as HCSEC lamented:

    "Analysis of relevant source code worryingly identified a number of
    pre-processor directives of the form

    '#define SAFE_LIBRARY_memcpy(dest,destMax,src,count) memcpy(dest,src,count)',

    which redefine a safe function to an unsafe one, effectively removing any
    benefit of the work done to remove the unsafe functions."

    "This sort of redefinition makes it harder for developers to make good
    security choices and the job of any code auditor exceptionally hard," said
    the government reviewers.

    In a statement issued this morning Huawei appeared not to be overly bothered
    about these and the other detailed flaws revealed by NCSC, saying that it
    "understands these concerns and takes them very seriously". It added: "A
    high-level plan for the [software development transformation] programme has
    been developed and we will continue to work with UK operators and the NCSC
    during its implementation to meet the requirements created as cloud,
    digitization, and software-defined everything become more prevalent."

    Commenting on the NCSC's vital conclusion that none of these cockups were
    the fault of the Chinese state's intelligence-gathering organs, Rob
    Pritchard of the Cyber Security Expert told The Register: "I think this
    presents the UK government with an interesting dilemma -- the HCSEC was set
    up essentially because of concerns about threats from the Chinese state to
    UK CNI (critical national infrastructure). Finding general issues is a good
    thing, but other vendors are not subject to this level of scrutiny. We have
    no real (at least not this in depth) assurance that products from rival
    vendors are more secure."
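
    The two findings quoted above, the tallies of safe versus unsafe
    memcpy/strcpy/sprintf-like invocations and the SAFE_LIBRARY_memcpy macro that
    expands to plain memcpy(), are both things a code auditor can screen for
    mechanically. The Python scanner below is an added example, not HCSEC's
    tooling and not Huawei's code: it counts direct invocations per family and
    flags any function-like macro whose expansion calls an unsafe function. The
    function names, the safe/unsafe classification and the sample C source are
    this example's own assumptions.

```python
"""Screen C source for unsafe copy/format calls and for macros that
quietly redefine a safe-looking wrapper to an unsafe function.

Added example, not HCSEC's tooling and not Huawei's code. Function names,
the safe/unsafe classification and the sample source are this example's own.
"""
import re

# Which identifiers count as "safe" (bounded) and "unsafe" per family is an
# assumption of this example; adjust to the project's own coding guideline.
FAMILIES = {
    "memcpy": {"unsafe": ("memcpy", "memmove"),
               "safe": ("memcpy_s", "memmove_s")},
    "strcpy": {"unsafe": ("strcpy", "strcat", "gets"),
               "safe": ("strncpy", "strlcpy", "strcpy_s",
                        "strncat", "strlcat", "strcat_s")},
    "sprintf": {"unsafe": ("sprintf", "vsprintf"),
                "safe": ("snprintf", "vsnprintf", "sprintf_s")},
}

ALL_UNSAFE = tuple(n for f in FAMILIES.values() for n in f["unsafe"])
UNSAFE_CALL = re.compile(r"\b(%s)\s*\(" % "|".join(map(re.escape, ALL_UNSAFE)))
DEFINE_LINE = re.compile(r"^\s*#\s*define\s+(\w+)\s*\([^)]*\)\s*(.*)$", re.M)


def preprocess(source):
    """Join backslash continuations and strip comments. String literals are
    not parsed, so a call spelled inside a string would still be counted."""
    source = re.sub(r"\\\n", " ", source)
    source = re.sub(r"/\*.*?\*/", " ", source, flags=re.S)
    source = re.sub(r"//[^\n]*", "", source)
    return source


def call_count(name, text):
    """Direct invocations of exactly `name` (memcpy_s does not count as memcpy)."""
    return len(re.findall(r"\b%s\s*\(" % re.escape(name), text))


def count_invocations(source):
    """Per family: direct calls to safe and unsafe variants, excluding
    preprocessor lines, and the share of calls that are to unsafe variants."""
    text = re.sub(r"^\s*#.*$", "", preprocess(source), flags=re.M)
    counts = {}
    for family, names in FAMILIES.items():
        safe = sum(call_count(n, text) for n in names["safe"])
        unsafe = sum(call_count(n, text) for n in names["unsafe"])
        total = safe + unsafe
        counts[family] = {"safe": safe, "unsafe": unsafe,
                          "unsafe_share": round(unsafe / total, 3) if total else 0.0}
    return counts


def find_unsafe_redefinitions(source):
    """Function-like macros whose expansion calls an unsafe function.
    Returns (macro_name, unsafe_callee) pairs in source order."""
    found = []
    for m in DEFINE_LINE.finditer(preprocess(source)):
        name, body = m.group(1), m.group(2)
        call = UNSAFE_CALL.search(body)
        if call:
            found.append((name, call.group(1)))
    return found


def audit_source(source):
    """Both checks over one translation unit."""
    return {"counts": count_invocations(source),
            "redefinitions": find_unsafe_redefinitions(source)}


# Constructed sample written for this example; it is not from any vendor.
SAMPLE_SOURCE = r"""
#include <string.h>
#include <stdio.h>

/* "safe" wrapper header: the first two macros discard destMax entirely */
#define SAFE_LIBRARY_memcpy(dest,destMax,src,count) memcpy(dest,src,count)
#define SAFE_LIBRARY_strcpy(dest, destMax, src) \
        strcpy(dest, src)
#define CHECKED_copy(dest, destMax, src, count) memcpy_s(dest, destMax, src, count)

int fill(char *out, size_t outMax, const char *in) {
    char tmp[32];
    SAFE_LIBRARY_memcpy(tmp, sizeof tmp, in, strlen(in)); /* memcpy( in a comment */
    memcpy(out, in, 4);
    memcpy_s(out, outMax, tmp, sizeof tmp);
    memcpy_s(out, outMax, in, 4);
    strncpy(out, tmp, outMax);
    strcpy(out, tmp);            // direct unsafe call
    snprintf(out, outMax, "%s", tmp);
    sprintf(out, "%s", tmp);
    return 0;
}
"""

if __name__ == "__main__":
    report = audit_source(SAMPLE_SOURCE)
    for family, c in report["counts"].items():
        print("%-8s safe=%d unsafe=%d unsafe_share=%.1f%%"
              % (family, c["safe"], c["unsafe"], 100 * c["unsafe_share"]))
    for macro, callee in report["redefinitions"]:
        print("redefinition: %s expands to %s()" % (macro, callee))
```

    On the sample, the per-family tallies come out in the same shape as the
    HCSEC figures (so many direct calls, such a share to unsafe variants), and
    the two SAFE_LIBRARY_* macros are reported because their bodies call
    memcpy() and strcpy() while the destMax parameter is never used. The
    invocation tally deliberately does not count a call made through such a
    macro as unsafe, which is exactly why the macro check has to exist
    alongside it: the wrapper name is what the tally sees, the expansion is
    what the compiler sees.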

    ------------------------------

    Date: Fri, 29 Mar 2019 9:58:25 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: More on the Swiss electronic voting experiment (Post -- Swiss)

    https://www.post.ch/fr/notre-profil...e-vote-electronique-pour-une-duree-determinee

    ------------------------------

    Date: Wed, 27 Mar 2019 18:28:02 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: 'The biggest, strangest problem I could find to study' (bbc.com)

    https://www.bbc.com/news/technology-47158067

    Discusses Andrew Morris' efforts to profile cybertheft intrusion patterns
    using honeypots. Tallyho!

    "In 2018, Mr Morris's network was hit by up to four million attacks a day.
    His honey-pot computers process between 750 and 2,000 connection requests
    per second - the exact rate depends on how busy the bad guys are at any
    given moment.

    "His analysis shows that only a small percentage of the traffic is benign.

    "That fraction comes from search engines indexing websites or organisations
    such as the Internet Archive scraping sites. Some comes from security
    companies and other researchers.

    "The rest of the Internet's background noise -- about 95% -- is malicious."

    ------------------------------

    Date: Fri, 29 Mar 2019 23:46:04 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Black-box data shows anti-stalling feature engaged in Ethiopia
    crash (WashPost)

    https://www.washingtonpost.com/loca...231ebc-5238-11e9-88a1-ed346f0ec94f_story.html

    ------------------------------

    Date: Fri, 29 Mar 2019 18:58:04 +0000
    From: Drew Dean <drew...@sri.com>
    Subject: The emerging Boeing 737 MAX scandal, explained (Vox)

    https://www.vox.com/business-and-finance/2019/3/29/18281270/737-max-faa-scandal-explained

    ------------------------------

    Date: Fri, 29 Mar 2019 18:58:00 -0700
    From: David Brodbeck <david.m...@gmail.com>
    Subject: Re: How a 50-year-old design came back... (Burton, RISKS-31.13)

    > I also understand that the Stealth Bomber is such a complex shape that it
    > can only be flown by software.

    This is true of most fighter aircraft designed since the mid-70s, although
    it doesn't exactly have to do with shape complexity. Civilian transport
    aircraft have aerodynamic features that make them dynamically stable -- this
    allows humans to fly them directly, because any divergence from straight and
    level happens on a time scale humans can react to. However, those same
    aerodynamic features make them less maneuverable, which is undesirable in a
    fighter.

    The solution is to let a computer fly the airplane, because it can react
    fast enough to stabilize it. The human is then actually maneuvering a
    synthetic "flight model" in the computer, which the computer attempts to
    make the real airplane match.

    The F-16 was the first fighter to use this kind of "relaxed stability"
    system. It originally used a quadruply-redundant analog system.

    Prior art would be birds, which for efficiency reasons are dynamically
    unstable, especially in pitch and yaw. They've had a lot more development
    time to work out the bugs, however. ;)

    ------------------------------

    Date: Thu, 28 Mar 2019 19:15:03 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Re: How Google's Bad Data Wiped a Neighborhood off the Map (Medium)
    (RISKS-31.14)

    Well I bet China's name is still not back on OpenStreetMap,
    https://www.openstreetmap.org/#map=3/34.05/93.16
    by the time the RISKS reader reads this, despite
    https://github.com/gravitystorm/openstreetmap-carto/issues/3725
    https://github.com/openstreetmap/chef/issues/184

    ------------------------------

    Date: Thu, 28 Mar 2019 19:19:54 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Re: Tweet by Soldier of FORTRAN on Twitter (RISKS-31.14)

    > you're right! They changed the password to `********'

    See also https://crbug.com/924903
    "Password filler learns the asterisks version of the password"

    ------------------------------

    Date: Mon, 1 Apr 2019 12:16:58 +0100
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Unproven declarations about healthcare (Black and Douglass,
    RISKS-31.14)

    > Are there studies to support

    There are many studies:

    On average, other wealthy countries spend about half as much per person on
    health than the US spends:

    https://www.healthsystemtracker.org/chart-collection/health-spending-u-s-compare-countries/

    But the US generally lags behind comparable countries in prevention and
    other measures of quality, and has by far the highest rates of cost-related
    access problems:

    https://www.healthsystemtracker.org/brief/measuring-the-quality-of-healthcare-in-the-u-s/

    Medical bills were the biggest cause of U.S. bankruptcies:

    https://www.thebalance.com/medical-bankruptcy-statistics-4154729

    A few minutes with Google will uncover many more studies.

    > For instance, "... the more sick people there are (especially those that
    > need expensive treatments), the more profit there is to be made." For the
    > same premiums, insurance companies *far* prefer healthy clients to sick
    > ones.

    Doctors and hospitals make more money from sick people, and insurance
    companies only prefer healthy clients if they are prevented from raising
    premiums for people with pre-existing conditions. Take away this pesky
    Government intervention, and insurance companies will also prefer sick
    people: since they can charge higher premiums and make more profit per
    person.

    > "Managing symptoms is more profitable than curing a disease;" Really?
    > Perhaps Big Pharma makes little on cough medicine, but has a tidy margin on
    > treatments for TB.

    The total sales value of OTC cough, cold and sore throat treatments reached
    460 million British pounds in 2018. Not to be sneezed at! There were 5,664
    TB cases in England in 2016. The average cost to treat drug-susceptible TB
    was about 7,200 pounds: so the TB cure costs less than 1/10th of the cost of
    cough medicine symptom management.

    But we should compare like with like: before antibiotics were discovered and
    TB could be cured, symptom management involved a prolonged stay in an
    expensive sanatorium in the Swiss Alps: which obviously costs a lot more in
    the long term than a course of antibiotics.

    > "Expensive drugs are more profitable than, for example, recommending simple
    > changes to diet ..." Sadly, few Americans follow recommendations to change
    > their diet. Americans *will* take pills.

    And there is a vast advertising and lobbying system in place,
    costing billions of dollars per year, to ensure that it stays this way!

    > "... encouraging unhealthy habits is beneficial to a healthcare company."
    > My insurance company and the mailers I get from hospitals and doctors all
    > encourage me to have healthy habits.

    Well, they feel obliged to pay lip service to "healthy habits". As I said:
    it would be seen as a bit *too* obviously cynical to heavily advertise and
    subsidise tobacco. But they *did* manage to heavily advertise and
    over-prescribe opioids (which are far more dangerous and more addictive than
    tobacco), resulting in the current "opioid crisis".
    https://www.drugabuse.gov/drugs-abuse/opioids/opioid-overdose-crisis the
    treatment for which involves: prescribing more of these expensive opioids to
    patients who would otherwise be healthy.

    The Centers for Disease Control and Prevention estimates that the total
    "economic burden" of prescription opioid misuse alone in the United
    States is $78.5 billion a year.

    https://www.drugabuse.gov/related-topics/trends-statistics/overdose-death-rates

    > Government-run medicine is no panacea. The U.S. federal government has been
    > incredibly wasteful and has not always picked winners, for instance, the
    > Tuskegee Syphilis Study and the Enron scandal.

    On 26/03/19 23:07, Toby Douglass wrote:
    > All patients -must- pay (taxation) and if the service is no good, there is
    > nowhere else for them to go

    In a country which has some form of democracy, the public have the means
    to pressurise the Government to improve the health care system.
    On the other hand, if a company has a monopoly on a particular drug
    or treatment, then they can charge "whatever the market will bear".
    There is nowhere else for the sufferer to go.

    The best way to get good health care is to take people who
    are passionate about caring for others (fortunately there are
    many such people to be found) and give them the freedom
    to do what they love doing. People who are motivated primarily
    by money do not necessarily make the best doctors and nurses.
    A public healthcare system is at least *supposed* to put the care
    of the public as first priority. A for-profit system necessarily
    *must* put the maximisation of profit as first priority.
    These two priorities often clash, as many studies have shown.

    ------------------------------

    Date: Wed, 27 Mar 2019 14:37:30 +0000
    From: Wols Lists <antl...@youngman.org.uk>
    Subject: Unproven declarations about healthcare (Re: Black, RISKS-31.15)

    On 26/03/19 23:03, RISKS List Owner wrote:
    > "... encouraging unhealthy habits is beneficial to a healthcare company."
    > My insurance company and the mailers I get from hospitals and doctors all
    > encourage me to have healthy habits.

    And how do you define healthy habits? The standard advice for people
    with type II diabetes is to eat little and often, but my medical
    research has convinced me that eating little and often *causes* type II
    diabetes.

    The original study on fats in diets is now widely recognised as flawed,
    and indeed all the early "eat margarine not butter" campaigns ended up
    with people dosing themselves very heavily with trans-fats, which is now
    recognised as being very *un*healthy.

    The problem is that much of what we are led to believe is "fake news"
    from the media (as mentioned elsewhere in this digest!) where
    journalists who have no real grasp of the subject grab a snippet of
    news, run with it, and watch it take on a life of its own that bears no
    resemblance to reality. Doctors and insurance companies are not immune
    to being taken in.

    What's that quote? "A lie can make it half way round the world before
    the truth can get its boots on"? People believe what they want to
    believe, and actually it's extremely hard to spot when reason and your
    own prejudices clash. When fed stuff that matches your prejudices, you
    will normally believe it without thinking, and I'm convinced much
    "healthy habits advice" is old wives tales ...

    ------------------------------

    Date: Wed, 27 Mar 2019 09:56:37 -0500
    From: Dmitri Maziuk <dma...@bmrb.wisc.edu>
    Subject: Re: Is curing patients, a sustainable business model?
    (Douglass, RISKS-31.14)

    One small problem with competition is that once your populace is no
    longer constrained by oceans and absence of information, you have to
    compete with e.g., these guys:
    https://www.treatmentabroad.com/destinations/ukraine/why-choose-ukraine

    And these guys:
    https://news.co.cr/need-know-dental-tourism-costa-rica/68797/

    And of course these guys: https://en.wikipedia.org/wiki/Sicko

    ------------------------------

    Date: Thu, 28 Mar 2019 20:03:13 -0400
    From: Sheldon Sheps <sheldo...@gmail.com>
    Subject: According to this bank, password managers are bad

    Hard to believe but true.

    -- ------- begin -------

    Canada's banking system has a few big banks. One of them is the Bank of
    Montreal (BMO). I have a credit card with them. Recently, I got an email
    from them on keeping your account secure online.

    They suggested that you change your password every 6 months. I wrote back
    suggesting that was a bad idea and the bank, which supplied IBM's Trusteer
    service for free, consider providing a password manager. Amazingly, I got a
    reply.

    Here is part of their reply, edited for space.

    I appreciate your concern about being prompted to change your password.

    I can advise that it is important that you create an online password that
    adequately protects your account and personal information. A longer, more
    complex password is less susceptible to being compromised and will provide
    you with greater security...

    I can also advise that there are several programs and browser options that
    can store your Internet passwords and user identifications for you. BMO
    Bank of Montreal does not recommend this feature, as it poses a potential
    security risk. Passwords are confidential and as a security measure we
    suggest that you do not save them.

    The Keepass password manager master password I use for credit cards and
    banking info is 26 characters long. It isn't written down anywhere. BMO
    wants me to memorize a strong password that should be different from all my
    other strong passwords and one I have to change every 6 months.

    I think that is ridiculous.

    -- ------- end -------

    [The entire correspondence (PGN-pruned) is illuminating, but much too long
    for RISKS. Contact Sheldon if you are interested. PGN]

    ------------------------------

    Date: Mon, 1 Apr 2019 16:01:50 -0400
    From: Marc Rotenberg <rote...@epic.org>
    Subject: "Privacy and Security Across Borders" (Jen Daskel)

    Jen Daskel, Yale Law Journal, 1 Apr 2019

    Abstract: Three recent initiatives -- by the United States, European Union,
    and Australia -- are opening salvos in what will likely be an ongoing and
    critically important debate about law enforcement access to data, the
    jurisdictional limits to such access, and the rules that apply. Each of
    these developments addresses a common set of challenges posed by the
    increased digitalization of information, the rising power of private
    companies delimiting access to that information, and the cross-border nature
    of investigations that involve digital evidence. And each has profound
    implications for privacy, security, and the possibility of meaningful
    democratic accountability and control.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.16
    ************************
     
  8. LakeGator

    Risks Digest 31.17

    RISKS List Owner

    Apr 9, 2019 4:38 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 9 April 2019 Volume 31 : Issue 17

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Additional software problem detected in Boeing 737 Max flight control
    system, officials say (WashPost)
    Not Just Airplanes: Why The Government Often Lets Industry Regulate Itself
    (npr.org)
    Makers of self-driving cars should study Boeing crashes (The Straits Times)
    Major US airlines hit by delays after glitch at vendor (The Boston Globe)
    Simulated Engine Failure Led To Crash (Russ Niles)
    Eyes on the Road: Your Car Is Watching (NYTimes)
    Covert data-scraping on watch as EU DPA lays down 'radical' GDPR red-line
    Hospital viruses: Fake cancerous nodes in CT scans, created by malware,
    trick radiologists (WashPost)
    The Newest AI-Enabled Weapon: Deep-Faking Photos of the Earth? (Defense One)
    Backdoor vulnerability in open-source tool exposes thousands of apps to
    remote code execution (Cyberscoop)
    Security analyst finds fake cell carrier apps are tracking iPhone location
    and listening in on phone calls (9to5 Mac)
    UK to keep social networks in check with Internet safety regulator (CNET)
    Should cybersecurity be more chameleon, less rhino? (bbc.com)
    This is not how the secret service should examine a USB stick (TechCrunch)
    Report: Official forgot secret arms-deal file at airport (Times of Israel)
    Hospital says patient info exposed after phishing incident (Boston Globe)
    DHS tech manager admits stealing data on 150,000 internal investigations,
    nearly 250,000 workers (WashPost)
    Online credit-card skimmer (WarbyParker)
    The engineering of living organisms could soon start changing everything
    (The Economist)
    Social media are divisive (WSJ/NBC poll)
    The future of news is conversation in small groups with trusted voices
    (Chikai Ohazama)
    Why It's So Easy for a Bounty Hunter to Find You (NYTimes)
    Identity Theft -- Act Now to Protect Yourself (Kiplinger)
    Re: Are We Ready For An Implant That Can Change Our Moods? (Wol)
    Re: How a 50-year-old design came back (Wol)
    Re: New Climate Books Stress We Are Already Far Down The Road To A
    Different Earth (Wol, Amos Shapir)
    Re: Researchers Find Google Play Store Apps Were Actually Government Malware
    (Amos Shapir)
    Re: Huawei's code is a steaming pile... (Amos Shapir)
    Re: According to this bank, password managers are bad (Andrew Duane)
    Re: Is curing patients, a sustainable business model? (Toby Douglass,
    Chris Drewe)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 4 Apr 2019 21:26:18 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Additional software problem detected in Boeing 737 Max flight
    control system, officials say (WashPost)

    The findings of the preliminary report in last month's airline crash
    increase the pressure on Boeing, which has announced the imminent rolling
    out of a new software fix for its most popular passenger plane. The
    grounding of the 737 Max 8 following similar crashes in Ethiopia and
    Indonesia has been a massive blow to one […]

    https://www.washingtonpost.com/worl...125942-4fec-11e9-bdb7-44f948cc0605_story.html

    ------------------------------

    Date: Fri, 5 Apr 2019 14:49:02 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Not Just Airplanes: Why The Government Often Lets Industry
    Regulate Itself (npr.org)



    "In fact, the acting director of the FAA told Congress it would take nearly
    $2 billion and 10,000 new employees for the agency to end its reliance on
    aircraft manufacturers to conduct their own certification tests."

    Carbon-extraction (oil/gas), chemicals, railroads, medical devices, food,
    surface vehicles, pharmaceuticals, aircraft, etc. are largely
    self-certifying industries subject to minimal Federal inspection and
    oversight: Uncle Sam finds proactive risk avoidance engagement to be too
    expensive.

    In the US, under a self-certification framework, financial and legal
    penalties are apparently sufficient to deter unsafe product sales or from
    capricious corporate operations that endanger public health and safety.

    "Peter Van Doren, a senior fellow at the libertarian CATO Institute, argues
    self-regulation has largely gone on unnoticed, because, with a few
    exceptions, it has been a success. 'In effect, the delegation of all this to
    experts and the lack of second-guessing about all this occurred because it
    was working.'"

    "Was working" is certainly correct in Boeing's case. Which self-regulating
    US industry will be next to earn the "was working" label and who will bear
    the lesson's burden?

    It is certainly true that "there is only so much risk avoidance you can do"
    per The Risks Digest
    For Boeing's 737 MAX, the risk avoidance practice was ineffective and failed.

    In contrast, the EU applies "precautionary measures" for regulation. See
    "Why Does the U.S. Tolerate So Much Risk?" in
    Opinion | Why Does the U.S. Tolerate So Much Risk?

    "As European policymakers have grown more willing to regulate risks on
    precautionary grounds, increasingly skeptical American policymakers have
    called for higher levels of scientific certainty before imposing additional
    regulatory controls on business," David Vogel, a political scientist at the
    University of California, Berkeley, wrote in a 2012 book on the divide, "The
    Politics of Precaution."

    ------------------------------

    Date: Fri, 5 Apr 2019 10:34:08 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Makers of self-driving cars should study Boeing crashes
    (The Straits Times)

    Brooke Masters byline in The Straits Times, "Makers of self-driving cars
    should study Boeing crashes", also via the Financial Times ("Subscribe to
    read"). Both behind paywalls.

    "The two disasters...should serve as a warning in other areas where
    technology is taking over part, though not all, of crucial tasks from human
    experts."

    As in-vehicle distractions multiply, drivers are challenged to maintain safe
    operation. Self-driving cars are supposed to eliminate distractions by
    relieving drivers of their operational role, save for command instructions
    like "Take me to the nearest supermarket."

    Masters suggests that human driving skills atrophy from neglect and
    disuse. Self-driving vehicle technology deployments will accelerate
    carbon-based driver skill erosion. Even supplemental, partial automation
    such as the Tesla "autopilot" feature, contributes to driving skill erosion.

    'The chief executive of Volvo Cars, Mr. Hakan Samuelsson, warned last week
    that introducing such semi-automation can be "irresponsible" and cause
    accidents when misplaced confidence leads to "over-reliance" by consumers.'

    In contrast, the opinion piece "Forget Self-Driving Cars. Bring Back the
    Stick Shift."
    argues that with a manual transmission, both of the driver's hands and feet
    are actively occupied: no free digits for dialing, texting, audio tuning,
    environment adjustment, or navigation system interfacing.

    Vehicle manufacturers are phasing out manual transmission equipment options,
    replacing them with computerized continuously variable mechanisms.

    Long live the Four-on-the-Floor!

    ------------------------------

    Date: Thu, 4 Apr 2019 09:02:56 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Major US airlines hit by delays after glitch at vendor

    Major US airlines hit by delays after glitch at vendor | Boston.com

    ------------------------------

    Date: Thu, 4 Apr 2019 23:56:36 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Simulated Engine Failure Led To Crash (Russ Niles)

    [The risk? Testing a risk...]

    The NTSB says a simulated engine failure on takeoff that turned into the
    real thing led to the crash of a STOL Aircraft UC-1 Twin Seabee into a house
    in Winter Haven, Florida, 23 Feb 2019. The crash killed instructor James
    Wagner while student pilot Timothy Sheehey was slightly injured and a young
    woman in the house was seriously hurt. Sheehey, a commercial pilot training
    for a multi-engine seaplane rating, told NTSB investigators that before
    takeoff, Wagner said he was going to reduce the power on one engine. When he
    chopped the power, the engine quit, the prop feathered and the engine
    couldn't be restarted.

    The report said Wagner headed for an emergency landing spot but determined
    he couldn't make it and turned left to land on a lake instead. He lost
    control and the airplane ended up tail-up vertically in the house. The
    impact knocked the woman in the house through an interior wall. The aircraft
    is based on the original single-engine Seabee but equipped with two
    wing-mounted Lycoming IO-360 engines.

    ------------------------------

    Date: Thu, 4 Apr 2019 23:14:17 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Eyes on the Road: Your Car Is Watching

    Eyes on the Road! (Your Car Is Watching)

    As more technology creeps into the front seat to help drivers, so too will
    systems that eavesdrop on and monitor them.

    ------------------------------

    Date: Wed, 3 Apr 2019 09:22:04 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Covert data-scraping on watch as EU DPA lays down 'radical' GDPR
    red-line

    Covert data-scraping on watch as EU DPA lays down ‘radical’ GDPR red-line

    ------------------------------

    Date: Thu, 4 Apr 2019 16:38:39 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Hospital viruses: Fake cancerous nodes in CT scans, created by
    malware, trick radiologists (WashPost)

    https://www.washingtonpost.com/tech...-scans-created-by-malware-trick-radiologists/

    "Researchers in Israel created malware to draw attention to serious security
    weaknesses in medical imaging equipment and networks."

    Risks: Misdiagnosis from hacked image artifact interpretation. Additional
    diagnostic radiation procedures elevate cancer potential. Unnecessary
    surgical procedures initiated by "ghost" tumors.

    X-ray film capture avoids digital image hacks, but operational logistics
    (storage and supply chain) apparently deter radiology from a technological
    rollback. If CT scans (and presumably MRI, PET, etc.) images are vulnerable
    to malware image hacks, shouldn't providers adopt mitigating strategies?

    ------------------------------

    Date: Wed, 3 Apr 2019 08:45:39 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The Newest AI-Enabled Weapon: Deep-Faking Photos of the Earth?

    *Step 1: Use AI to make undetectable changes to outdoor photos.*
    *Step 2: Release them into the open-source world and enjoy the chaos.*

    EXCERPT:

    Worries about deep fakes -- machine-manipulated videos of celebrities and
    world leaders purportedly saying or doing things that they really
    didn't -- are quaint compared to a new threat: doctored images
    of the Earth itself.
    <https://www.defenseone.com/technology/2017/08/ai-will-make-fake-news-video-and-fight-it-well/140075/>

    China is the acknowledged leader in using an emerging technique called
    generative adversarial networks to trick computers into seeing objects in
    landscapes or in satellite images that aren't there, says Todd Myers,
    automation lead and Chief Information Officer in the Office of the Director
    of Technology at the National Geospatial-Intelligence Agency.

    ``The Chinese are well ahead of us. This is not classified info,'' Myers said
    Thursday at the second annual Genius Machines
    <https://www.defenseone.com/feature/genius-machines-ai-livestream/> summit,
    hosted by *Defense One* and *Nextgov*. ``The Chinese have already designed;
    they're already doing it right now, using GANs -- which are generative
    adversarial networks -- to manipulate scenes and pixels to create things for
    nefarious reasons.''

    For example, Myers said, an adversary might fool your computer-assisted
    imagery analysts into reporting that a bridge crosses an important river at
    a given point.

    ``So from a tactical perspective or mission planning, you train your forces
    to go a certain route, toward a bridge, but it's not there. Then there's a
    big surprise waiting for you,'' he said.

    First described in 2014 https://arxiv.org/pdf/1406.2661.pdf GANs represent a
    big evolution in the way neural networks learn to see and recognize objects
    and even detect truth from fiction... [...]

    http://www.nextgov.com/emerging-tec...abled-weapon-deep-faking-photos-earth/155962/

    ------------------------------

    Date: April 6, 2019 at 00:57:40 EDT
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Backdoor vulnerability in open-source tool exposes thousands
    of apps to remote code execution

    Roughly 28 million users have downloaded a malicious version of a popular
    open-source framework that masquerades as the real thing, but in fact gives
    hackers a back door into applications.

    A compromised version of the website development tool bootstrap-sass was
    published to the official RubyGems repository, a hub where programmers can
    share their application code. The open source security firm Snyk alerted
    developers to the issue Wednesday, advising users to update their systems
    away from the infected framework (version 3.2.0.3).

    ``That doesn't mean there are something like 27 million apps out there using
    this,'' said Chris Wysopal, chief technology officer at app security company
    Veracode. ``[But] when you're using open source packages to build your
    applications, you're inheriting many of the vulnerabilities. But
    bootstrap-sass is a popular component used by enterprises and startups so
    there's potentially thousands of applications affected by this.''

    While the vulnerability is serious -- hackers can exploit it for remote code
    execution -- the issue also highlights how pervasive such flaws can become
    if they're not fixed quickly, according to application security experts. The
    2017 data breach at Equifax was possible because the company did not act to
    resolve a flaw in the open source Apache Struts framework...

    https://www.cyberscoop.com/bootstrap-sass-infected-snyk-rubygems/
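
    The item above names one compromised release (bootstrap-sass 3.2.0.3). The
    first thing a defender does after such an advisory is check every
    project's lockfile for it. The Ruby below is an added example, not code
    from the article, Snyk, or the bootstrap-sass project; the advisory table
    holds only the version the report names, and the Gemfile.lock text is
    constructed for the demonstration.

```ruby
# Added example (not from the article, Snyk or the bootstrap-sass project):
# scan a Bundler Gemfile.lock for gem versions flagged by an advisory.
# bootstrap-sass 3.2.0.3 is the version the report names; the lockfile text
# below is constructed for the demonstration.

require "rubygems" # Gem::Version gives proper version comparison

# Advisory table: gem name => exact versions known to be compromised.
# Only the bootstrap-sass entry comes from the report; extend it from your
# own advisory feed.
COMPROMISED = {
  "bootstrap-sass" => ["3.2.0.3"],
}.freeze

# Constructed sample lockfile (not a real project's).
SAMPLE_LOCK = <<'LOCK'
GEM
  remote: https://rubygems.org/
  specs:
    autoprefixer-rails (9.5.1)
      execjs
    bootstrap-sass (3.2.0.3)
      autoprefixer-rails (>= 5.2.1)
      sassc (>= 2.0.0)
    ffi (1.10.0)
    rake (12.3.2)
    sassc (2.0.1)
      ffi (~> 1.9)

PLATFORMS
  ruby

DEPENDENCIES
  bootstrap-sass (~> 3.2)
  rake
LOCK

# Return {gem_name => resolved_version} from every `specs:` block.
# Resolved gems sit at four-space indentation as "name (version)"; the lines
# beneath them (six spaces) are dependency constraints, not resolved
# versions, so they are skipped. Any less-indented line ends the block.
def parse_lockfile(text)
  resolved = {}
  in_specs = false
  text.each_line do |line|
    if line.strip == "specs:"
      in_specs = true
      next
    end
    in_specs = false unless line.start_with?("    ")
    next unless in_specs
    m = line.match(/\A {4}(\S+) \(([^)]+)\)\s*\z/)
    resolved[m[1]] = m[2] if m
  end
  resolved
end

# Return [[name, version], ...] for resolved gems matching the advisory table.
def find_compromised(lock_text, advisories = COMPROMISED)
  parse_lockfile(lock_text).each_with_object([]) do |(name, version), hits|
    next unless (bad = advisories[name])
    # Gem::Version treats trailing zero segments as equal, unlike a plain
    # string compare, so "3.2.0.3" also matches "3.2.0.3.0".
    if bad.any? { |v| Gem::Version.new(v) == Gem::Version.new(version) }
      hits << [name, version]
    end
  end
end

# One human-readable line per hit; empty array means the lockfile is clean.
def report(lock_text, advisories = COMPROMISED)
  find_compromised(lock_text, advisories).map do |name, version|
    "COMPROMISED: #{name} #{version} -- move to a clean release and " \
      "rotate any secrets the affected deployments could reach"
  end
end

puts(report(SAMPLE_LOCK).empty? ? "no compromised gems found" : report(SAMPLE_LOCK))
```

    To run it against a real project, replace SAMPLE_LOCK with
    File.read("Gemfile.lock"). A non-empty report is the cue to move off the
    flagged version (bundle update bootstrap-sass), regenerate the lockfile,
    and treat every deployment that ran the backdoored version as exposed.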

    ------------------------------

    Date: April 9, 2019 at 01:11:01 EDT
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Security analyst finds fake cell carrier apps are tracking iPhone
    location and listening in on phone calls

    EXCERPT:

    In yet another abuse of the enterprise distribution program, security
    analyst Lookout has identified apps (via Techcrunch) that were pretending to
    be published by cell carriers in Italy and Turkmenistan. The apps were
    available for iPhone users to download through Safari as they were signed by
    an enterprise certificate. These apps used carrier branding and pretended to
    offer utilities for the users' cell plans when in reality they would ask for
    every permission they could to track location, collect contact, photos, and
    more, and had the capability to listen in on users' phone conversations.

    Apps using enterprise certificates are not available through the App Store,
    but malicious criminals can target iOS users through Safari (perhaps with a
    phishing attack-esque email) and get people to download the app over the
    web, outside of the purview of the App Store review process.

    Essentially, when an app is distributed with an enterprise certificate,
    there is no accountability over what the app can do. When a developer
    applies for an enterprise certificate, Apple makes it plain that apps should
    only be delivered to employees of the enterprise and not used
    elsewhere. However, as it stands, there is very little Apple can do to
    enforce this beyond the policy of advisory language.

    This year, we have seen countless abuses of the enterprise system, including
    high-profile cases like operations at Facebook and Google. Apple revokes the
    certificate when it becomes aware of individual cases, but it's clear the
    company does not have the overall enterprise certificate program under
    control. In a future software version of iOS, Apple may impose stricter
    requirements to tighten the security screws on the enterprise program. The
    company is yet to commit to any such plans however.

    Certificates are often stolen or sold on, so licenses to the enterprise
    developer program that were once used legitimately are now being used
    nefariously. In the case of the app highlighted by Lookout, it appears to be
    linked to similar malware that existed on Android called `Exodus'...

    https://9to5mac.com/2019/04/08/iphone-tracking-security-carrier-apps/
    https://techcrunch.com/2019/04/08/iphone-spyware-certificate/

    ------------------------------

    Date: April 8, 2019 at 1:14:01 AM EDT
    From: geoff goodfellow <ge...@iconia.com>
    Subject: UK to keep social networks in check with Internet safety regulator
    (CNET)

    Facebook, Twitter, YouTube and a whole bunch of smaller platforms will face
    huge fines if they fail to live up to their "duty of care" to Internet
    users.

    EXCERPT:

    The UK government is taking a hard line when it comes to online safety,
    appointing what it claims is the world's first independent regulator to keep
    social media companies in check.

    Companies that fail to live up to requirements will face huge fines, with
    senior directors who are proven to have been negligent of their
    responsibilities being held personally liable. They may also find access to
    their sites blocked.

    The new measures, designed to make the Internet a safer place, were
    announced jointly by the Home Office and Department of Culture, Media and
    Sport. The introduction of the regulator is the central recommendation of
    the highly anticipated government white paper, published early Monday
    morning in the UK.

    The regulator will be tasked with ensuring social media companies are
    tackling a range of online problems, including:

    * Inciting violence and spreading violent content (including terrorist content)
    * Encouraging self-harm or suicide
    * The spread of disinformation and fake news
    * Cyber bullying
    * Children accessing inappropriate material
    * Child exploitation and abuse content

    As well as applying to the major social networks, such as Facebook, YouTube
    and Twitter, the requirements will also have to be met by file-hosting
    sites, online forums, messaging services and search engines.

    "For too long these companies have not done enough to protect users,
    especially children and young people, from harmful content," said Prime
    Minister Theresa May in a statement. "We have listened to campaigners and
    parents, and are putting a legal duty of care on Internet companies to keep
    people safe."...

    https://www.cnet.com/news/uk-to-keep-social-networks-in-check-with-internet-safety-regulator/

    ------------------------------

    Date: Tue, 9 Apr 2019 16:19:34 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Should cybersecurity be more chameleon, less rhino? (bbc.com)



    Crypto-splitting or Morphisec. "Morphisec -- born out of research done at
    Ben-Gurion University -- has developed what it calls 'moving target
    security'. It's a way of scrambling the names, locations and references of
    each file and software application in a computer's memory to make it harder
    for malware to get its teeth stuck in to your system."

    Sounds like a kind of parallel random access machine, though the difference
    is static resource references (files, hard/soft links, URLs, etc.) are
    hashed, and randomized inside a virtual and possibly distributed address
    space pool to prevent malware detection and then manipulating the
    application or data for fun and profit.

    Risk: The malware can learn to do the same thing as the morphisec stack.
    Alternatively, reverse engineer the run-time stack with Ghidra. Perhaps
    Mayhem can be trained for this purpose?

    ------------------------------

    Date: Tue, 9 Apr 2019 11:27:21 +0100
    From: Neil Youngman <neil.y...@youngman.org.uk>
    Subject: This is not how the secret service should examine a USB stick

    It seems that the secret service are not advised to avoid plugging
    unknown/suspicious USB sticks into their laptops. The risks are all too
    obvious.

    https://techcrunch.com/2019/04/08/secret-service-mar-a-lago/

    ------------------------------

    Date: Tue, 9 Apr 2019 10:44:38 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Report: Official forgot secret arms-deal file at airport
    (The Times of Israel)

    https://www.timesofisrael.com/report-official-forgot-secret-arms-deal-file-at-airport/

    Oops -- better repeat Tradecraft 101.

    ------------------------------

    Date: Tue, 9 Apr 2019 05:47:39 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Hospital says patient info exposed after phishing incident
    (Boston Globe)

    https://www.boston.com/news/local-n...-patient-info-exposed-after-phishing-incident

    ------------------------------

    Date: Thu, 4 Apr 2019 21:33:01 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: DHS tech manager admits stealing data on 150,000 internal
    investigations, nearly 250,000 workers (WashPost)

    A Virginia woman pleaded guilty to conspiring with a former DHS acting
    inspector general.

    https://www.washingtonpost.com/loca...053180-56eb-11e9-9136-f8e636f1f6df_story.html

    ------------------------------

    Date: Mon, 8 Apr 2019 20:33:27 -0700
    From: "Ralph Barone" <ralph...@shaw.ca>
    Subject: Online credit-card skimmer (WarbyParker)

    This online optician has an interesting online way to measure your pupillary
    distance online. You just take a picture of yourself with a magstripe-equipped
    card beneath your nose, and their algorithms will compare the
    distance between your pupils to the known width of the card (85.60 mm) and
    tell you how far apart your pupils are. However, you are also very likely
    sending them a picture of the back of your credit card, with the embossed
    numbers and expiration date clearly visible, as well as your signature and
    CVV code for the card. So what do you figure the risk/benefit ratio is for
    that?

    <https://ca.warbyparker.com/pd/instructions>

    ------------------------------

    Date: Mon, 8 Apr 2019 19:58:57 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: The engineering of living organisms could soon start changing
    everything (The Economist)

    https://www.economist.com/technolog...rganisms-could-soon-start-changing-everything

    The syn-bio field offers substantial promise for healthcare: effective
    cancer treatments, less expensive pharmaceuticals, etc. Carbon-neutral fuel
    sources (biofuels from bacteria) was an early investment target. The
    biofuel startups nose-dived on oil price decline.

    "That made investors very cautious about synthetic biology. But the field
    attracted a bit of support from some governments, such as those of Britain
    and Singapore. In America the Pentagon's far-out-ideas department, DARPA,
    which had taken an early interest, created a new office of biology in
    2013. Two years later it launched a programme that paid for leading
    laboratories in the field to put together pathways which could produce 1,000
    molecules never created biologically before."

    Easy to imagine "The Andromeda Strain" arising from a syn-bio experiment
    gone wrong courtesy of a "repressilator" specification error or a synthesis
    programming error or malware assault.

    ------------------------------

    Date: Fri, 5 Apr 2019 12:13:12 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Social media are divisive

    Social-media services such as Facebook and Twitter do more to divide
    Americans than bring them together, according to a solid majority of
    respondents in a WSJ/NBC poll:

    https://www.wsj.com/articles/americ...-is-divisive-but-we-keep-using-it-11554456600

    ------------------------------

    Date: April 9, 2019 at 07:53:19 EDT
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: The future of news is conversation in small groups with trusted
    voices (Chikai Ohazama)

    Techcrunch, Apr 7 2019
<https://techcrunch.com/2019/04/07/stuck-at-the-sushi-boat-bar-of-news/>

    When I first came out to California, one of my favorite places to go for
    sushi was in downtown Mountain View. They had these little boats that would
    float around the bar, each carrying some sushi on a small plate. You just
    sat down and started picking out the ones you liked, and began eating --
    very efficient and also a little bit of fun.

    I feel like my news consumption these days is like those sushi boats. I sit
    down and the news just streams by and I pick out the articles I like and
    read them. Very efficient and also a little bit of fun. But I've been stuck
    at the sushi boat bar of news for far too long, watching the same imitation
    crab rolls go by. I need a better way to consume better information.

    As you probably guessed, that ``sushi boat bar of news'' is Facebook,
    Twitter and the like. The algorithmic nature of news feeds tends to target
    the lowest common denominator, and it can often pander to people's baser
    instincts. That being said, it does have its place, and provides a glimpse
    into what is capturing the general public's attention -- but it can't be the
    whole meal, and that is what it has become. It's like people who eat
    McDonald's for breakfast, lunch and dinner. It's tasty, addictive, but very
    unhealthy in the long term.

    So what can you do about it, how can you make a change?

    Email newsletters have been making a resurgence in popularity, but they are
    hard to manage and sort through. Christopher Mims of The Wall Street Journal
    tweeted about this problem:

    * If everyone has an email newsletter and someone gets the brilliant idea to
    consolidate them in one place where they can easily be followed or
    unfollowed wouldn't that realize the dream of an open standards-based,
    surveillance-free alternative to Facebook?

    And then Steven Sinofsky had a witty response:

    And let us name it is RSS.

    Indeed, another `old' technology like email that people have been
    gravitating toward as an alternative to get their daily news. Wired has
    proclaimed that ``It's time for an RSS revival'' and it has resonated with
    well-respected thought leaders like Brad Feld. But RSS has had a tumultuous
    past, mainly used by professionals who need to keep up with their respective
    industries, not by the average consumer.

    If email newsletters or RSS were to become the replacement, it would need a
    new approach or framework, not just a rehashing of past products. But that
    is only half the problem. In this day and age, we have become accustomed to
    having our friends and other people around when we read the news. Even if
    you don't make any comments yourself, news exists in a public conversation
    and people's reactions, whether they be from your friends or celebrities,
    are often part of the news itself.

    Now these public conversations can be very toxic and are the very reason
    people are fleeing and looking for alternatives, but I don't think people
    want to turn the dial to zero and go back to the days of reading the
    newspaper by yourself over breakfast. I think people still want others
    around -- they just want it to be safe and free from trolls.

    When the web first started taking off, information propagated via the web
    and hyperlinks, and that world was dominated by Google web search. As
    Facebook and Twitter grew into prominence, information started to propagate
    via social networks. And now people are starting to get more and more of
    their information via messaging, which is looking to be the next step in the
    progression. You can already see this transition happening in places like
    India with WhatsApp, where it is becoming a major source of misinformation.
    And there are interesting experiments out there like Naveen Selvadurai's
    README on Telegram, where he posts articles into a Telegram group.

    But for the most part there hasn't been much evolution or progress on the
    messaging side of the equation to adapt it to become more of an information
    propagation medium. It's still mainly about casual conversation and has
    little overlap with the ``news feed'' use case. But given how things are
    changing, now may be a good time to push the boundaries of what messaging
    could become. I think people are seeking relief from the barrage of social
    media, not knowing who to trust any more and wanting a better channel to the
    truth.

    I'm pretty confident that closing the circle to a closer, trusted group
    would be welcome by most people. It doesn't necessarily mean just friends,
    but it could include trusted experts or voices in the community that can
    help shepherd people through the noise and distractions. [...]

    ------------------------------

    Date: Tue, 2 Apr 2019 23:08:35 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Why It's So Easy for a Bounty Hunter to Find You (NYTimes)

    Wireless companies sell your location data. Federal regulators should stop
    them.
    https://www.nytimes.com/2019/04/02/opinion/fcc-wireless-regulation.html

    ------------------------------

    Date: Sun, 7 Apr 2019 10:56:46 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Identity Theft -- Act Now to Protect Yourself (Kiplinger)

    Identity thieves are more skilled at their nefarious craft than ever,
    more sophisticated.

    As new research on identity theft continues to roll in, it paints an
    unsettling picture of how good crooks are getting at their craft. Although
    the number of U.S. breaches fell in 2018, the number of records exposed
    containing sensitive, personally identifiable information (such as Social
    Security and financial-account numbers) spiked by 126% from the year before,
    according to a report from the Identity Theft Resource Center. ``That tells
    us thieves aren't committing less crime -- they're just getting better at
    it,'' says Eva Velasquez, president and CEO of the ITRC.

    One of the largest breaches disclosed last year was at Marriott
    International, which admitted in November that its Starwood guest
    reservation database had been hacked starting in 2014. That exposed up to
    383 million guest records (though the number of guests affected is likely
    smaller because of multiple records). Many records contained data such as
    passport numbers, addresses, dates of birth and, in some cases, customers'
    payment-card information. Quora, an online question-and-answer platform,
    also discovered a breach of account information including names, e-mail
    addresses and passwords of up to 100 million users. Hackers may try to enter
    stolen usernames and passwords into other sites -- say, those of banks or
    retailers -- in hopes that some customers reuse their log-in details across
    several accounts. ``The chances that some of those credentials will work on
    one or more other websites are exceptionally high,'' says Velasquez.

    Fortunately, none of those 2018 breaches involved Social Security numbers --
    a key piece of information a thief can use to run away with someone else's
    identity. But the 2017 Equifax data breach exposed the names, Social
    Security numbers, birth dates and other sensitive data of more than 145
    million Americans. Those bits of info are permanent pieces of your identity,
    and they may sit idle for years before a criminal puts them to work.

    The overall number of fraud victims fell significantly last year from 2017,
    thanks largely to a decline in fraud against existing credit and debit
    cards, according to a Javelin Strategy & Research report. But in both 2017
    and 2018, the number of victims who faced some liability for fraud more than
    doubled from 2016, and so did the victims' out-of-pocket costs. Incidents
    of fraud in which criminals open new financial accounts in a victim's name
    or take over existing non-card accounts, such as brokerage or retirement
    accounts, were well above historical levels in 2017 and 2018 and ``are much
    more difficult, and frequently expensive, for victims to resolve,'' says
    Javelin.

    https://www.kiplinger.com/article/c...entity-theft-act-now-to-protect-yourself.html

    ------------------------------

    Date: Sun, 7 Apr 2019 08:10:30 +0100
    From: Wols Lists <antl...@youngman.org.uk>
    Subject: Re: Are We Ready For An Implant That Can Change Our Moods? (npr.org,
    RISKS-31.16)

    On 06/04/19 22:46, RISKS List Owner wrote:
    > Without a randomized control trial to validate device efficacy, a cranial
    > implant faces significant obstacles to achieve regulatory approval, gain
    > widespread acceptance, and become commercially viable. Volunteers will be
    > difficult to attract.

    Such devices already have approval, and are part of the neurologist's
    standard arsenal. And volunteers who feel they have nothing to lose are not
    hard to attract.

Deep Brain Stimulation is a recognised treatment for Parkinson's dyskinesia
-- indeed one of my friends has an implant -- and can be very effective. It
has massively improved my friend's quality of life.

Using it like a mind-enhancing drug to trigger mood-swings, though -- that's
a very different kettle of fish. I can't imagine that being approved other
than for people who suffer severe and sudden or uncontrollable depression --
life-threatening depression.

    ------------------------------

    Date: Sun, 7 Apr 2019 08:30:20 +0100
    From: Wols Lists <antl...@youngman.org.uk>
    Subject: Re: How a 50-year-old design came back (Broadbeck, RISKS-31.16)

    > This is true of most fighter aircraft designed since the mid-70s, although
    > it doesn't exactly have to do with shape complexity.

    A perfect example of this (although not a fighter aircraft) is the Hawker
    Harrier.

    Look at pretty much any aircraft from the 50s and earlier. The wings all
    slope upwards and outwards (dihedral) from the body. As the aircraft rolls,
    this increases the lift from the dropping wing, and counteracts the roll.

    Then look at the Harrier. Its wings slope DOWNward (anhedral), which means
    if it starts rolling, the roll will accelerate. This is typically countered
    by strong dihedral on the tail to give an aircraft minimum stability rather
    than negative stability as this gives best performance.

    But a very early example of this sort of thing is the Sopwith Camel, from
    1917. While it involved the engine, not the wings, level flight required
    firm left rudder. This killed a lot of novices who didn't realise that as
    soon as the aircraft lifted off it would promptly try and dive to the right,
    but in the hands of an ace they would nearly always turn right because even
    if you wanted to turn left it was far faster to go three-quarters right.

    ------------------------------

    Date: Sun, 7 Apr 2019 09:45:52 +0100
    From: Wols Lists <antl...@youngman.org.uk>
    Subject: Re: New Climate Books Stress We Are Already Far Down The Road To A
    Different Earth (TPR, RISKS-31.16)

    > So, when Wallace-Wells talks of economic impacts, he cites a study linking
    > 3.7 degrees of warming to over $550 trillion of climate-related
    > damage. Since $550 trillion is twice today's global wealth, the conclusion
    > is that eventually rebuilding from the "n-th" superstorm will stop. We'll
    > just abandon our cities or live within the ruin.

    I've been told it's impossible, but I'm afraid of a new "Noah's Flood". The
    probable explanation of the original story is that, 10,000 years ago the
    Rhine flowed into the Atlantic somewhere between Scotland and Norway,
    Britain was part of Europe, and farming was new-fangled technology in the
    fertile Indus plain between Europe and Asia. Then an ice dam in Canada
    failed due to global warming.

    A few short *months* later, the English Channel had appeared, the Rhine
    Estuary had become the North Sea, and the Indus plain had become the Black
    Sea. Farming spread rapidly because all the farmers had been evicted from
    their Garden of Eden, and they took the story of the flood with them.

At the moment, a huge amount of Antarctic ice is held back by the -- I think
-- Weddell ice sheet. It might not take much of a rise in sea-level to make
that float such that it no longer holds back the glaciers, and a huge amount
of ice could slide into the ocean.

    The recent Japanese tsunami breached a defense designed to withstand a
    10m surge. What would happen if the world suffered not a 10m surge, but
    a 10m rise over a couple of months? London would be gone. New York would
    be gone. Most international shipping would be gone -- the ports would be
    underwater. Much international communication would be gone -- how much
    critical infrastructure is located close to the coast?

We wouldn't have to worry about the international refugee crisis -- most
people wouldn't be able to flee far. I expect civilisation would recover
from such a disaster pretty quickly, but part of the recovery would be
lethal epidemics that make the Black Death look like a picnic -- that took out
a third of Europe's population. If the world went down to 2 or 3
billion, those that were left could live very comfortably. And the world
would hopefully recover as our ability to mine fossil fuels will have
been severely curtailed.

    ------------------------------

    Date: Mon, 8 Apr 2019 10:27:04 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: New Climate Books Stress We Are Already Far Down The Road To A
    Different Earth (TPR, RISKS-31.16)

    The trouble with such books is that when the most extreme scenario does not
    happen (or is rather bad, but not outright catastrophic), there would be a
    lot of deniers who'd use it to declare "Global Warming is a hoax, we can go
    on polluting as usual".

[That argument merely contributes to the hoax that "Global Warming is a
hoax." However, there is a difference between anticipating the future and
chronicling the past -- as in new findings on evolution, dinosaur
extinctions, the effects of the monster meteor strike on the climate based
on geological evidence. But those don't hinder the deniers. PGN]

    ------------------------------

    From: Amos Shapir <amo...@gmail.com>
    Date: Mon, 8 Apr 2019 10:28:51 +0300
    Subject: Re: Researchers Find Google Play Store Apps Were Actually
    Government Malware (Motherboard, RISKS-31.16)

    This gives new meaning to "hidden in plain site"...

    ------------------------------

    Date: Mon, 8 Apr 2019 10:54:46 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Huawei's code is a steaming pile... (Henry Baker, RISKS-31.16)

    The main fault of memcpy() and strcpy()-like functions is that they believe
    their input; but that might be dangerous only if such input originates
    externally and is not sanitized before use.

IMHO most of the thousands of calls mentioned process data internal to the
program, which is sure not to cause overflow or to have been injected with
malicious code, and in any case is under the programmer's control and cannot
be modified by external sources. But in some cases, it might take very
sophisticated software analysis tools to identify the few truly risky calls.

    ------------------------------

    Date: Mon, 8 Apr 2019 09:45:57 -0400
    From: Andrew Duane <e91....@gmail.com>
    Subject: Re: According to this bank, password managers are bad (Sheps,
    RISKS-31.16)

    My company, a very high-tech established company, has a similar requirement
    for passwords: incredibly complex rules and length requirements and an
    absolutely mandated 6-month change period (else you get locked out of
    everything). Repeated attempts to get our IT security group to understand
    that multiple frequent change requirements are incompatible with developing
    good secure passwords have failed. Luckily, they are silent on password
    managers, which everyone here uses.

    ------------------------------

    Date: Sun, 7 Apr 2019 21:30:40 +0300
    From: Toby Douglass <ri...@winterflaw.net>
    Subject: Re: Is curing patients, a sustainable business model? (RISKS-31.???)

    > In a country which has some form of democracy, the public have the means
    > to pressurise the Government to improve the health care system.

    I may be wrong, but I do not see this occurring in the world now or in the
    past for at least some decades.

    In the UK, the NHS has been providing poor care, and has been a political
    football, for as long as I can remember. In the US, tax relief on employer
    provided insurance, which I think a profoundly discouraging factor for
    patient health care, began around the same time, originating if the chain of
    events is fully followed to the wage freezes imposed by the State in the USA
    in WW2.

    I suspect they both persist for essentially the same reason. It may be
    extremely arrogant and egoistic to say this, and I may be utterly wrong, but
    I think in general people do not understand the nature and necessity of
    competition, and so when in situations where they receive an immediate
    benefit for the removal of competition ("free" health care in the UK, tax
    relief in the US) they prefer that benefit.

    The population as a whole is unable then to pressure the Government to
    improve the situation because they do not understand the situation, either
    to know what to do instead, or to have reason to bear the cost of the loss
    of the immediate benefit. The Government in turn cannot change the
    situation to improve competition, because people would lose their immediate
    benefit, and they get unhappy about that. Attempts by the State in the UK
    to change the NHS have been political suicide.

    Democracy, if it works by mass will, only works when that will has enough
    knowledge and intelligence to act effectively.

    > On the other hand, if a company has a monopoly on a particular drug or
    > treatment, then they can charge "whatever the market will bear". There is
    > nowhere else for the sufferer to go.

    Yes and yes. Monopoly however is almost always enforced by the State. In
    the absence of patents, or excessively long patents, other companies rapidly
    introduce similar products.

    I see this as being an example of ordinary people being forced to endure.
    Patents were originally intended to last only for four years.

    > The best way to get good health care is to take people who are passionate
    > about caring for others (fortunately there are many such people to be
    > found) and give them the freedom to do what they love doing.

How does one choose these particular people? How does one choose the
choosers?

Setting this aside, to give them freedom, you must be giving them money.
Where does the money come from?

    If it comes from the State, by taxation, then the State, by controlling the
    money, controls the health care system. That system will necessarily come
    to prioritize the needs of State -- all care primarily for the needs and
    concerns of those who pay their salaries and control their job security.

    Voters only very, very weakly control the State. Taxation is mandatory, and
    all they can do is every few years vote, which may switch between one party
    and one other party. Their influence over the practise of medicine,
    transmitted through the State, is both minimal and although I may be wrong,
    I think *also* mis-directed, given a lack of understanding of the necessity
    of competition, and in some cases, such as the UK and US, the loss of
    immediate benefit were competition to be introduced.

    The State, where it controls funding, will inexorably, inevitably,
    unavoidably, impose its own wishes upon the practise of medicine, and those
    wishes will reflect, in proportion to their strength and importance to the
    State, its own self-interest, politics often partisan, the self-interest of
    large companies with lobbying power, and the interest, I think often
    mis-directed, of the voting public.

    ------------------------------

    Date: Mon, 08 Apr 2019 22:13:40 +0100
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: Is curing patients, a sustainable business model? (R-31,13-16)

    As a Brit who 'enjoys' the National Health Service ("the envy of the
    world"), which I haven't needed to make much use of, I'm inclined to agree
    with this view. The good thing about the NHS is that we can be ill without
    having to worry about paying medical bills. The bad thing is that health
    treatment is something that we have done to us, with little say in the
    matter; the NHS can do a great job, but with the efficiency and
    user-friendliness expected of a taxpayer-funded monopoly. No matter how
    rich or poor we are, or how serious our medical problem is, we have to wait
    in line with everybody else for whatever service the NHS deigns to offer.
    As well as endless arguments about funding, the big difficulty with a
    free-on-demand service is the lack of a customer/supplier relationship as
    exists in other fields.

    Everybody needs something to eat and something to wear, but I've never heard
    a good argument that food and clothing should be issued to the populace free
    of charge by a government agency, and indeed groceries and garment sales are
    among the most dynamic sectors of the retail environment. In particular,
    people who work in supermarkets are not superhuman but are generally helpful
    and professional -- they have to be, because they know that keeping their
    jobs relies on customers wanting to buy stuff. By contrast, in the
    Stakhanovite world of non-commercial monopolies, everything depends on
    goodwill.

    [...] it can take a lot of time and effort to change government policy (this
    has been called "the long route of accountability") -- better to allow
    people to have a choice of service providers.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.17
    ************************
     
  9. LakeGator

    Risks Digest 31.18

    RISKS List Owner

    Apr 11, 2019 7:09 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 11 April 2019 Volume 31 : Issue 18

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    NOAA Monitoring Stations Are Off-Line from a GPS Y2K Moment
    (EOS via danny burstein)
    That GPS rollover that everyone poo-pooed? Well, NYC... (NYTimes)
    Somebody forgot to upgrade: Flights delayed, canceled by GPS rollover
    (Ars Technica)
    24 Charged in $1.2 Billion Medicare Scheme, U.S. Says. (NYTimes)
    Israeli election problem (JPost via PGN-ed)
    EU Tells Internet Archive That Much Of Its Site Is 'Terrorist Content'
    (TechDirt)
Amazon's Alexa isn't just AI; thousands of humans are listening (Bloomberg)
    Not a burglar after all (NPR via Mark Brader)
    Computers Turn an Ear on New York City (Scientific American)
    The language of InfoSec (Rob Slade)
    New wire-fraud scam targets your direct deposit info, reroutes your paycheck
    (CNBC)
    Verizon issues patch for vulnerabilities on millions of Fios routers (CNET)
    Assange arrested and charged after Ecuador rescinds asylum (WashPost)
    Re: Are We Ready For An Implant That Can Change Our Moods? (Richard Stein)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 11 Apr 2019 12:30:00 -0400
    From: danny burstein <dan...@panix.com>
    Subject: NOAA Monitoring Stations Are Off-Line from a GPS Y2K Moment (EOS)

    NOAA = National Oceanic and Atmospheric Administration
    [eos.org - from the American Geophysical Union]

    Many of the world's older GPS devices had a Y2K moment on 6 April. Devices
    made more than 10 years ago had a finite amount of storage for their date
    accounting system, and that number maxed out on Saturday, 6 April.

    Nineteen National Oceanic and Atmospheric Administration (NOAA) coastal and
    marine automated stations were not updated to mitigate the issue, and those
    stations are out of commission until workers can service them on
    location. The outage has the National Weather Service (NWS) office in
    Anchorage, Alaska, hurrying to fix their downed stations before bad weather
    comes in this week.

    rest:
    NOAA Monitoring Stations Are Off-Line from a GPS Y2K Moment - Eos
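The "finite amount of storage for their date accounting system" is the 10-bit GPS week counter, which wraps every 1024 weeks (on 6 April 2019 for the second time since 1980). The following is an added example, not code from the Eos article or from any receiver vendor, showing how a legacy receiver mis-decodes the week after the wrap and how the usual firmware mitigation (a pivot date, assumed here to be a firmware build date) disambiguates it, along with the date on which that mitigation itself stops working. Leap seconds are ignored, so results are in GPS time rather than UTC.

```python
from datetime import datetime, timedelta, timezone

# GPS week 0 started at 00:00 on Sunday, 6 January 1980 (GPS time).
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=timezone.utc)
WEEK_BITS = 10
WEEK_MODULUS = 1 << WEEK_BITS          # 1024 weeks, roughly 19.7 years
SECONDS_PER_WEEK = 7 * 24 * 3600


def full_week_number(t: datetime) -> int:
    """Weeks elapsed since the GPS epoch (leap seconds ignored)."""
    return int((t - GPS_EPOCH).total_seconds()) // SECONDS_PER_WEEK


def truncated_week(full_week: int) -> int:
    """What the legacy navigation message carries: the week number mod 1024."""
    return full_week % WEEK_MODULUS


def naive_decode(week10: int, tow: float) -> datetime:
    """Legacy receiver behaviour: treat the 10-bit week as counting from 1980.

    Correct only during the first 1024-week cycle (1980-1999); after a
    wrap it silently returns a date about 19.7 years in the past.
    """
    return GPS_EPOCH + timedelta(weeks=week10, seconds=tow)


def pivot_decode(week10: int, tow: float, pivot: datetime) -> datetime:
    """Mitigated decode using a pivot date (e.g. the firmware build date).

    The 10-bit week is resolved to the unique full week number that is
    congruent to it mod 1024 and lies in [pivot_week, pivot_week + 1024).
    """
    pivot_week = full_week_number(pivot)
    cycle_start = pivot_week - pivot_week % WEEK_MODULUS
    week = cycle_start + week10
    if week < pivot_week:            # counter wrapped since the pivot
        week += WEEK_MODULUS
    return GPS_EPOCH + timedelta(weeks=week, seconds=tow)


def pivot_expires(pivot: datetime) -> datetime:
    """First moment at which pivot_decode() with this pivot becomes wrong again.

    The pivot only defers the problem by one cycle: 1024 weeks after the
    pivot week the same 10-bit value is ambiguous once more.
    """
    return GPS_EPOCH + timedelta(weeks=full_week_number(pivot) + WEEK_MODULUS)


# Constructed scenario: the start of GPS week 2048, the second wrap.
ROLLOVER = datetime(2019, 4, 7, tzinfo=timezone.utc)
# Assumed firmware build date used as the pivot (hypothetical value).
BUILD_DATE = datetime(2010, 1, 1, tzinfo=timezone.utc)

if __name__ == "__main__":
    w10 = truncated_week(full_week_number(ROLLOVER))
    print("10-bit week broadcast on 7 April 2019:", w10)          # 0
    print("legacy receiver thinks it is:", naive_decode(w10, 0))   # 1980-01-06
    print("pivoted receiver thinks it is:", pivot_decode(w10, 0, BUILD_DATE))
    print("pivot fix stops working on:", pivot_expires(BUILD_DATE))
```

A receiver that was updated before the wrap only moved its pivot forward; the same check has to be repeated before the next wrap in 2038, or earlier if the pivot is old.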

    ------------------------------

    Date: Thu, 11 Apr 2019 00:44:19 -0400
    From: danny burstein <dan...@panix.com>
    Subject: That GPS rollover that everyone poo-pooed? Well, NYC... (NYTimes)

    New York City Has a Y2K-Like Problem, and It Doesn't Want You to Know About It

On 6 April, something known as the GPS rollover, a cousin to the dreaded Y2K
bug, mostly came and went, as businesses and government agencies around the
world heeded warnings and made software or hardware updates in advance.

    But in New York, something went wrong -- and city officials seem to not want
    anyone to know.

    At 07:59pm EDT on Saturday, the New York City Wireless Network, or NYCWiN,
    went dark, waylaying numerous city tasks and functions, including the
    collection and transmission of information from some Police Department
    license plate readers.

The shutdown also interrupted the ability of the Department of
Transportation to program traffic lights, and prevented agencies such as the
sanitation and parks departments from staying connected with far-flung
offices and work sites.

    New York City Has a Y2K-Like Problem, and It Doesn’t Want You to Know About It

    ------------------------------

    Date: Wed, 10 Apr 2019 01:30:52 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Somebody forgot to upgrade: Flights delayed, canceled by GPS rollover
    (Ars Technica)

    Somebody forgot to upgrade: Flights delayed, cancelled by GPS rollover

    ------------------------------

    Date: Wed, 10 Apr 2019 14:28:03 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: 24 Charged in $1.2 Billion Medicare Scheme, U.S. Says. (NYTimes)

    24 Charged in $1.2 Billion Medicare Scheme, U.S. Says

    The scheme, which involved the prescribing of unnecessary back, shoulder, wrist and knee braces, spanned multiple continents, according to the authorities.

    ------------------------------

    Date: Thu, 11 Apr 2019 10:31:30 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Israeli election problem (JPost)

    Earlier Thursday, a technical error on the Central Elections Committee's
    website prevented publicly available numbers on the vote count from
    reflecting the real results of the election, sparking hours of confusion and
    a lack of clarity on whether the soldiers' votes changed the final results
    on Thursday. [....] At about 11 a.m., the elections committee announced it
    had finished counting the double envelopes [including absentee ballots] and
    that it was starting a [routine] review of the figures entered into the
    computers. [...] The source of the technical problem seemed to be that the
    Central Elections Committee website was based on the format from the
    previous elections, and the number of votes -- both in total and in
    individual ballot boxes -- was unable to be updated, such that the
    percentages were wrong on the website. This also explained why some towns
    had a voting rate of over 100%.

    Final results: Likud wins most seats, one more than Blue and White
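    The failure described above is a stale denominator: the results page kept
    eligible-voter counts from the previous election, so dividing fresh vote
    totals by old figures produced turnout above 100%. The following is an added
    example, not code from the JPost story or from the Central Elections
    Committee, of the two checks a results publisher would want before any
    percentage goes live: the register and the tally must carry the same election
    identifier, and no ballot box may report more votes than eligible voters. All
    election ids, box ids and counts are constructed.

```python
# Added example: validate vote tallies against the eligible-voter register
# of the SAME election before publishing turnout percentages.
# All identifiers and counts below are constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Register:
    election_id: str
    eligible: Dict[str, int]   # ballot box id -> eligible voters (denominator)


@dataclass(frozen=True)
class Tally:
    election_id: str
    votes: Dict[str, int]      # ballot box id -> votes cast (numerator)


class TallyValidationError(ValueError):
    """Raised when tallies cannot be safely turned into percentages."""


def turnout_report(register: Register, tally: Tally) -> Dict[str, float]:
    """Return per-box and total turnout percentages, or raise on inconsistency.

    Check 1: the register must belong to the same election as the tally. This
    is the check the stale-template failure would have tripped.
    Check 2: votes in a box can never exceed eligible voters; a turnout above
    100% is an invariant violation, not a number to publish.
    """
    if register.election_id != tally.election_id:
        raise TallyValidationError(
            f"register is for {register.election_id}, "
            f"tally is for {tally.election_id}")

    report: Dict[str, float] = {}
    problems: List[str] = []
    for box, votes in tally.votes.items():
        eligible = register.eligible.get(box)
        if eligible is None:
            problems.append(f"{box}: no eligible count in register")
            continue
        if votes > eligible:
            problems.append(f"{box}: {votes} votes exceed {eligible} eligible")
            continue
        report[box] = round(100.0 * votes / eligible, 1)

    if problems:
        raise TallyValidationError("; ".join(problems))

    total_votes = sum(tally.votes.values())
    total_eligible = sum(register.eligible[box] for box in tally.votes)
    report["TOTAL"] = round(100.0 * total_votes / total_eligible, 1)
    return report


# Constructed data: the current register and tally agree on the election id.
CURRENT_REGISTER = Register("2019-04", {"box-1": 1000, "box-2": 500})
CURRENT_TALLY = Tally("2019-04", {"box-1": 800, "box-2": 450})

# Constructed stale register left over from a previous election: same box
# ids, smaller eligible counts, different election id.
STALE_REGISTER = Register("2015-03", {"box-1": 900, "box-2": 400})


def publish_or_reject(register: Register, tally: Tally) -> str:
    """Convenience wrapper: a one-line verdict a results page could log."""
    try:
        report = turnout_report(register, tally)
    except TallyValidationError as exc:
        return f"REJECTED: {exc}"
    return "PUBLISHED: " + ", ".join(f"{k}={v}%" for k, v in report.items())


if __name__ == "__main__":
    print(publish_or_reject(CURRENT_REGISTER, CURRENT_TALLY))
    print(publish_or_reject(STALE_REGISTER, CURRENT_TALLY))
```

    The election-id check is deliberately first: once denominators from the wrong
    election are in play, the per-box comparison may or may not catch it (a box
    that grew since the last election trips it, a box that shrank does not), so
    the structural check, not the arithmetic one, is the reliable guard.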

    ------------------------------

    Date: April 11, 2019 at 8:24:26 PM GMT+9
    From: Richard Forno <rfo...@infowarrior.org>
    Subject: EU Tells Internet Archive That Much Of Its Site Is 'Terrorist
    Content' (TechDirt)

    We've been trying to explain for the past few months just how absolutely
    insane the new EU Terrorist Content Regulation will be for the Internet.
    Among many other bad provisions, the big one is that it would require
    content removal within one hour as long as any "competent authority" within
    the EU sends a notice of content being designated as "terrorist"
    content. The law is set for a vote in the EU Parliament just next week.

    And as if they were attempting to show just how absolutely insane the law
    would be for the Internet, multiple European agencies (we can debate if
    they're "competent") decided to send over 500 totally bogus takedown demands
    to the Internet Archive last week, claiming it was hosting terrorist
    propaganda content.

    EU Tells Internet Archive That Much Of Its Site Is 'Terrorist Content'

    ------------------------------

    Date: Thu, 11 Apr 2019 11:07:24 +0300
    From: tur...@kalfaoglu.com
    Subject: Amazon's Alexa isn't just AI; thousands of humans are listening
    (Bloomberg)

    What Amazon doesn't tell you explicitly, as highlighted by an in-depth
    investigation from /Bloomberg/ published this evening
    is that one of the only, and often the best, ways Alexa improves over time
    is by having human beings listen to recordings of your voice requests. Of
    course, this is all buried in product and service terms few consumers will
    ever read, and Amazon has often downplayed the privacy implications of
    having cameras and microphones in millions of homes around the globe

    Amazon’s Alexa isn’t just AI — thousands of humans are listening

    ------------------------------

    Date: Thu, 11 Apr 2019 01:36:35 -0400
    From: Mark Brader <m...@vex.net>
    Subject: Not a burglar after all

    A guest in someone's house in Oregon was there alone when he heard noises
    coming from the bathroom. He called police to report a possible burglary.
    They arrived and approached the bathroom with drawn guns and two dogs. When
    nobody responded to their shouts, they opened the door... and found a
    Roomba.

    Oregon Man Called Police About A Burglar. Armed Officers Found A Rogue Roomba

    [There's Always Roomba for Home Improvement. PGN]

    ------------------------------

    Date: Thu, 11 Apr 2019 13:49:03 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Computers Turn an Ear on New York City (Scientific American)

    Computers Turn an Ear on New York City

    "'Over the past two years, our sensors collected huge amounts of urban sound
    data.' But computers don't know what different sounds mean -- until they're
    trained by people.

    "That's where citizen science comes in: SONYC needs members of the public to
    listen to ambient sounds picked up by noise monitors and label the sounds so
    the computers can learn to independently recognize them.

    "Labeling sound is harder than labeling images because sound is invisible
    and ephemeral."

    Music or voice synthesizers can certainly be programmed to emulate sounds.
    Individual culture and ecosystem surroundings are applied to authenticate
    sounds. Hypothetically, some animals (mammals/birds) can sing or holler like
    a siren, and vice-versa.

    The SONYC project might be applied as an early warning platform by criminals
    to detect if the "cops are rolling," assuming it is a public commons deployed
    to help law enforcement or people identify gunfire v. backfire, chemical
    explosions v. structural collapse, live assaults v. movie screeches, etc.

    Risk: Incorrect or inaccurate metadata audio content tags/labels pollute
    the repository. Need editorial oversight/confirmation to authenticate audio
    origin/source before a record can serve as a baseline system of record.

    ------------------------------

    Date: Tue, 9 Apr 2019 12:05:53 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: The language of InfoSec

    Ann Johnson, Corporate Vice President (Cybersecurity Solutions Group) over
    at Microsoft, is concerned that we are using too much jargon in
    information/cyber security work. People don't understand what we're talking
    about.
    The language of InfoSec - Microsoft Security

    (Of course, "Cybersecurity Solutions Group" sounds like "marketing," so it's
    quite possible that Ann Johnson doesn't actually know what actual security
    people are talking about ...)

    I do sympathize, in general. There are people in security, as in any field,
    who actually create jargon in order to hide the fact that a) they don't
    actually know what they are talking about, or b) they are only talking about
    the same stuff you are, but they want it to sound like they know a secret
    you don't. (See pretty much any episode of "Yes, Prime Minister." YouTube
    is your friend.)

    However, as the psycholinguistics people note, if you don't have a word for
    it, you can't really think about it. We have lots of concepts that we have
    to know about, and which are important to the protection of the systems under
    our care. We have to have our infosec language.

    And that is, after all, why I wrote the dictionary ...

    Postscript: So I'm talking about words and dictionaries
    The language of InfoSec - (ISC)² Community
    and check that mine is still on Amazon, and note that someone, slanging
    mine, says that all you need is Google, "just enter DEFINE:word to be
    defined, and wallah," and realize that when she says "wallah" she actually
    is trying to use "voila," and I find it hysterical that in trashing a
    glossary she doesn't know what word she is trying to use ...

    ------------------------------

    Date: Tue, 9 Apr 2019 17:26:40 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: New wire-fraud scam targets your direct deposit info, reroutes your
    paycheck (CNBC)

    * Fraudsters are targeting the HR functions of businesses of all types
    and convincing employees to swap out your direct deposit banking
    information to an offshore account.
    * One nonprofit in Kansas City describes several attempts per month,
    involving scammers trying to convince payroll personnel to change
    information about where to send employee pay.
    * The IRS has warned of an uptick in a wide range of fraud attempts
    involving payroll information.

    A new scam targets your direct deposit info and sends your paycheck to a criminal's account

    ------------------------------

    Date: Wed, 10 Apr 2019 09:01:53 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Verizon issues patch for vulnerabilities on millions of Fios routers
    (CNET)

    Verizon issues patch for vulnerabilities on millions of Fios routers

    ------------------------------

    Date: Thu, 11 Apr 2019 08:13:31 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Assange arrested and charged after Ecuador rescinds asylum

    https://www.washingtonpost.com/worl...d87b58-8f5f-11e8-ae59-01880eac5f1d_story.html

    British authorities arrested WikiLeaks founder Julian Assange on Thursday
    in response to a U.S. extradition request, and a U.S. federal court
    unsealed an indictment charging him with a single count of conspiracy to
    disclose classified information that could be used to injure the United
    States. Assange was taken into custody by British police after Ecuador
    rescinded his asylum at its embassy in London, ending a standoff that
    lasted nearly seven years.

    ------------------------------

    Date: Thu, 11 Apr 2019 00:14:47 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Re: Are We Ready For An Implant That Can Change Our Moods?
    (npr.org, RISKS-31.16)

    > Deep Brain Stimulation is a recognised treatment for Parkinson's
    > Dyskinesia -- indeed one of my friends has an implant -- and can be very
    > effective. It has massively improved my friend's quality of life.

    Consider your friend to be VERY FORTUNATE that the implantation achieved a
    favorable therapeutic outcome!

    The PRODUCTCODE (PC) and DEVICENAME fields I list below, extracted from FDA
    MAUDE
    (https://www.accessdata.fda.gov/scripts/cdrh/cfdocs/cfmaude/search.cfm),
    possess terms related to brain stimulation for Parkinson's treatment/tremor,
    or for behavioral changes through electro-stimulus. I won't name the
    manufacturers shown in the pareto aggregate analysis below; you can get
    these details from MAUDE records yourself.

    PC DEVICENAME
    MFR Stimulator, Brain, Implanted, For Behavior Modification
    MHY Stimulator, Electrical, Implanted, For Parkinsonian Tremor
    NHL Stimulator, Electrical, Implanted, For Parkinsonian Symptoms
    OLM Deep Brain Stimulator For Obsessive Compulsive Disorder (Ocd)
    PFN Implanted Brain Stimulator For Epilepsy
    PJS Stimulator, Electrical, Implanted, For Essential Tremor

    FDA's MAUDE enumerates events arising from medical devices as: DEATH (D),
    INJURY (I), MALFUNCTION (M), OTHER (O), and NO ANSWER SUPPLIED (N).

    I note that the MAUDE pareto analysis below shows a surprising result for
    PRODUCTCODE == MHY: 80 Deaths, 3732 Injuries, and 5032 Malfunction reports
    between 01JAN2017-31MAR2019. I picked this reporting interval arbitrarily to
    explore "production defect escape density." The pareto aggregate values
    strongly suggest that something in those devices is seriously
    under-performing. Total device implant sales/counts are closely guarded by
    manufacturers.

    I believe the MAUDE reports are distinct: Device INJURY reports are unique,
    and separate from MALFUNCTION reports. This means that a device implant
    recipient can experience multiple events.

    Over 8700 patients unfortunately experienced at least one clinical issue
    from their DBS implant device. How has their quality of life been impacted?

    PC EVENT/COUNT EVENT/COUNT EVENT/COUNT EVENT/COUNT EVENT/COUNT
    MFR D/1 I/24 M/19 O/0 N/44
    MHY D/80 I/3732 M/5032 O/0 N/0
    NHL D/0 I/96 M/7 O/0 N/0
    OLM D/6 I/2 M/3 O/0 N/0
    PFN D/0 I/119 M/7 O/0 N/0
    PJS D/0 I/1 M/0 O/0 N/0

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.18
    ************************

  10. LakeGator

    Risks Digest 31.19

    RISKS List Owner

    Apr 20, 2019 1:40 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 20 April 2019 Volume 31 : Issue 19

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    AA 300 JFK-LAX incident (CBS via PGN)
    1983 Soviet nuclear false alarm incident (Dan Jacobson)
    Contractor identifies new problems with phase 2 of the Silver Line
    (WashPost)
    "Fallible machines, fallible humans" (The Straits Times and Financial Times)
    A computerized YouTube fact-checking tool goes very wrong: In flaming Notre
    Dame, it somehow sees 9/11 tragedy (WashPost)
    Election systems in 50 states were targeted in 2016 (DHS/FBI via
    Ars Technica)
    Mysterious operative haunted Kaspersky critics (AP)
    Samsung's $2,000 folding phone is breaking for some users after two days
    (CNBC)
    Cyberspies Hijacked the Internet Domains of Entire Countries (WiReD)
    Man Bites Dog Dept: MSFT supports human rights!! (Reuters)
    Microsoft Email Hack Shows the Lurking Danger of Customer Support (WiReD)
    As China Hacked, U.S. Businesses Turned A Blind Eye (npr.org)
    Wipro customers hacked, says Krebs. Nothing to see here, says Wipro
    (TechBeacon)
    Facebook has admitted to unintentionally uploading the address books of 1.5
    million users without consent (The Guardian)
    Utah Bans Police From Searching Digital Data Without A Warrant,
    Closes Fourth Amendment Loophole (Forbes)
    AppleWatch or AnkleMonitor: You Decide (Henry Baker)
    Fintech fiddles as home burns: 97% of apps lack basic security (TechBeacon)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Wed, 17 Apr 2019 15:04:30 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: AA 300 JFK-LAX incident

    On 10 Apr 2019, an American Airlines Airbus A321 jet `nearly crashed' during
    takeoff at JFK. The wing apparently scraped the ground and hit a sign and
    light pole during takeoff, bending the wing. "We were banking, uncontrolled
    bank 45 degrees to the left," a pilot could be heard saying on the air
    traffic control audio of the incident. It was evidently an `uncommanded
    roll to the left', with no explanation yet as to the cause. Although the
    plane did manage to take off, it then returned to JFK 28 minutes later.

    American Airlines Flight 300: JFK close call appears far worse than first reported - CBS News

    ------------------------------

    Date: Fri, 12 Apr 2019 11:47:21 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: 1983 Soviet nuclear false alarm incident

    "...the system reported that a missile had been launched from the United
    States, followed by up to five more. Petrov judged the reports to be a
    false alarm, and his decision to disobey orders, against Soviet military
    protocol, is credited with having prevented an erroneous retaliatory
    nuclear attack on the United States and its NATO allies that could have
    resulted in large-scale nuclear war. Investigation later confirmed that
    the Soviet satellite warning system had indeed malfunctioned."
    1983 Soviet nuclear false alarm incident - Wikipedia
    Stanislav Petrov - Wikipedia

    [In RISKS-3.39, 18 Aug 1986, we had a "Nuclear false alarm" item,
    contributed by Robert Stroud. That case triggered nuclear attack sirens
    in Edinburgh. PGN]

    ------------------------------

    Date: Fri, 12 Apr 2019 19:36:28 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Contractor identifies new problems with phase 2 of the Silver Line
    (WashPost)

    The structures that support the Dulles Airport Metro station's glass wall
    are cracked and lack proper reinforcement.

    Keith Couch, project director for CRC, downplayed the problems at the Dulles
    station, saying that officials are working to find a solution. He said the
    fact that the problems were discovered before the project was completed is a
    sign that the company's quality control program is working. CRC's
    inspections and quality control have come under criticism as the project's
    problems have mounted.

    Project executive director Charles Stark characterized the issues at the
    Dulles station as a “workmanship problem.”

    https://www.washingtonpost.com/loca...412180-5a2a-11e9-a00e-050dc7b82693_story.html

    "QC is working" to detect workmanship problems.

    "workmanship" appears in article once, as does "improve" -- but referring to
    schedule, not workmanship.

    The risk? Nothing changing.

    ------------------------------

    Date: Wed, 17 Apr 2019 14:04:14 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: "Fallible machines, fallible humans"
    (The Straits Times and Financial Times)

    Robert Wright byline, behind paywalls as:

    1) "Fallible machines, fallible humans," via
    Fallible machines, fallible humans
    retrieved on 17APR2019;

    2) "Autonomous machines: industry grapples with Boeing lessons" via
    Subscribe to read | Financial Times

    The cited news articles discuss technology-dependent systems (medical
    infusion pumps, aircraft, industrial robotic manufacturing) and their
    dependency on human engagement to monitor activity.

    Today's AI cannot independently comprehend context: it can match patterns,
    but cannot rationalize the recognized pattern in a way that emulates a
    human's mind.

    No machine can be programmed today to process contextual awareness and
    independently act to preserve and protect human life during an emergency. An
    organization or individual expecting this outcome apparently believes that
    science fiction is real. They must be disabused of this fallacy.

    In the FT and Straits Times articles, Mark Sujan of University of Warwick
    asks, "How do we ensure that the system knows enough about the world within
    which it's operating? That's a complex thing."

    As noted by Don Norman (see
    The Risks Digest for example),
    "The real RISK in computer system design is NOT human error. It is designers
    who are content to blame human error and thereby wash their hands of
    responsibility."

    Demonstrating system behavior when subjected to erroneous or negative input
    stimulus can reveal more about system safety-readiness and resilience than
    demonstration of behavior under nominal stimulus conditions. Anomalous
    system states, in a simulator, can instruct and refine operational
    readiness.

    Successful and effective system operation depends on informed, trained, and
    engaged human oversight. Safety critical system operators must possess
    perspicacity. Clear indicators of anomalous behavior, and insightful
    operator reaction to them, are essential to ensure a safe outcome.

    ------------------------------

    Date: Wed, 17 Apr 2019 16:17:13 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: A computerized YouTube fact-checking tool goes very wrong: In
    flaming Notre Dame, it somehow sees 9/11 tragedy (WashPost)

    https://www.washingtonpost.com/tech...aming-notre-dame-it-somehow-sees-sept-tragedy

    "If the algorithm saw a video of tall structures engulfed in smoke and
    inferred that it was related to the attack on the World Trade Center, that
    speaks well of the state of the art in video system understanding, that it
    would see the similarity to 9/11. There was a point where that would have
    been impossible.

    "But the algorithms lack the comprehension of human context or common sense,
    making them woefully unprepared for news events. YouTube, he said, is poorly
    equipped to fix such problems now and probably will remain so for years to
    come.

    "'They have to depend on these algorithms, but they all have sorts of
    failure modes. And they can't fly under the radar anymore,' Domingos said.
    'It's not just whack-a-mole. It's a losing game.'"

    Risk: Brand outrage incidence frequency multiplies with business
    accumulation of technical debt.

    ------------------------------

    Date: Fri, 12 Apr 2019 9:09:05 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Election systems in 50 states were targeted in 2016 (DHS/FBI via
    Ars Technica)

    DHS, FBI say election systems in all 50 states were targeted in 2016

    *A joint intelligence bulletin (JIB) has been issued by the Department of
    Homeland Security and Federal Bureau of Investigation to state and local
    authorities regarding Russian hacking activities during the 2016
    presidential election. While the bulletin contains no new technical
    information, it is the first official report to confirm that the Russian
    reconnaissance and hacking efforts in advance of the election went well
    beyond the 21 states confirmed in previous reports.*

    ------------------------------

    Date: Thu, 18 Apr 2019 14:13:57 +0100
    From: J Coe <spen...@gmail.com>
    Subject: Mysterious operative haunted Kaspersky critics (AP)

    The Associated Press has learned that the mysterious man (who said his name
    was Lucas Lambert) spent several months last year investigating critics of
    Kaspersky Lab, organizing at least four meetings with cybersecurity experts
    in London and New York.

    https://apnews.com/a3144f4ef5ab4588af7aba789e9892ed

    ------------------------------

    Date: Wed, 17 Apr 2019 19:39:58 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Samsung's $2,000 folding phone is breaking for some users after two
    days (CNBC)

    Samsung's Galaxy Fold is already breaking.
    Reviewers who got the device are seeing flickering screens. Some think it's
    because a protective film was removed.
    But CNBC's unit is also broken and we did not remove the film.

    Samsung's $2,000 folding phone is breaking for some users after two days
    https://www.cnbc.com/2019/04/17/samsung-galaxy-fold-screen-breaking-and-flickering.html

    Gadget gimmick for its own sake? I use two PC monitors for Windows but don't
    have windows span their border -- bezels would be intrusive. I can't see
    using this phone with a single app spanning the displays and am skeptical
    about people paying that much for two separate screens -- if it even
    operates that way. Surprise, the hinge is a likely failure point.

    ------------------------------

    Date: Wed, 17 Apr 2019 20:41:13 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Cyberspies Hijacked the Internet Domains of Entire Countries
    (WiReD)

    The discovery of a new, sophisticated team of hackers spying on dozens of
    government targets is never good news. But one team of cyberspies has pulled
    off that scale of espionage with a rare and troubling trick, exploiting a
    weak link in the Internet's cybersecurity that experts have warned about for
    years: DNS hijacking, a technique that meddles with the fundamental address
    book of the Internet.

    Researchers at Cisco's Talos security division on Wednesday revealed that a
    hacker group it's calling Sea Turtle carried out a broad campaign of
    espionage via DNS hijacking, hitting 40 different organizations. In the
    process, they went so far as to compromise multiple country-code top-level
    domains -- the suffixes like .co.uk or .ru that end a foreign web address --
    putting all the traffic of every domain in multiple countries at risk.

    The hackers' victims include telecoms, Internet service providers, and
    domain registrars responsible for implementing the domain name system. But
    the majority of the victims and the ultimate targets, Cisco believes, were a
    collection of mostly governmental organizations, including ministries of
    foreign affairs, intelligence agencies, military targets, and energy-related
    groups, all based in the Middle East and North Africa. By corrupting the
    Internet's directory system, hackers were able to silently use "man in the
    middle" attacks to intercept all Internet data from email to web traffic
    sent to those victim organizations.

    https://www.wired.com/story/sea-turtle-dns-hijacking/
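    The campaign above worked at the registrar and nameserver level, so the
    records an organization's own zone is supposed to carry were silently
    replaced and traffic re-pointed. The defensive counterpart is mundane:
    snapshot the record sets you expect, re-resolve them from more than one
    vantage point, and alert on any drift, with delegation changes (NS, DS)
    treated as the most serious. The following is an added example, not code
    from the WiReD article or from Cisco Talos, of that baseline diff. All
    domain names, addresses and resolver answers are constructed, and nothing in
    it queries a live resolver.

```python
# Added example: baseline-diff detection of unexpected DNS record changes,
# the kind of change a registrar- or nameserver-level hijack produces.
# All names, addresses and answers below are constructed; no live lookups.
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

RecordKey = Tuple[str, str]              # (owner name, record type)
ZoneSnapshot = Dict[RecordKey, Set[str]]  # record set per (name, type)

# A change to these re-points an entire delegation or its DNSSEC trust
# anchor: this is how whole zones, including ccTLDs, were redirected.
DELEGATION_TYPES = {"NS", "DS"}
# A change to these redirects traffic for one service (mail, web, ...).
TRAFFIC_TYPES = {"A", "AAAA", "CNAME", "MX"}


@dataclass
class Finding:
    name: str
    rtype: str
    added: List[str]
    removed: List[str]
    severity: str


def severity_for(rtype: str) -> str:
    """Rank a drift by what an attacker gains from changing that record type."""
    if rtype in DELEGATION_TYPES:
        return "critical"
    if rtype in TRAFFIC_TYPES:
        return "high"
    return "medium"


def diff_snapshots(baseline: ZoneSnapshot, observed: ZoneSnapshot) -> List[Finding]:
    """Return one Finding per record set that differs from the baseline.

    Values present only in `observed` are reported as added, values present
    only in `baseline` as removed. Unchanged record sets produce no finding.
    """
    findings: List[Finding] = []
    for key in sorted(set(baseline) | set(observed)):
        expected = baseline.get(key, set())
        seen = observed.get(key, set())
        added = sorted(seen - expected)
        removed = sorted(expected - seen)
        if added or removed:
            name, rtype = key
            findings.append(Finding(name, rtype, added, removed, severity_for(rtype)))
    return findings


def resolvers_disagree(answers: Dict[str, Set[str]]) -> bool:
    """True when independent vantage points return different answers.

    A hijack applied on one path (e.g. at a compromised recursive resolver)
    shows up as disagreement between the authoritative answer and a public
    resolver's answer for the same record.
    """
    distinct = {frozenset(a) for a in answers.values()}
    return len(distinct) > 1


# Constructed baseline: what the zone owner expects to be served.
BASELINE: ZoneSnapshot = {
    ("example.gov", "NS"): {"ns1.example.gov.", "ns2.example.gov."},
    ("example.gov", "MX"): {"10 mail.example.gov."},
    ("mail.example.gov", "A"): {"203.0.113.10"},
}

# Constructed observation: one nameserver swapped for a rogue one and the
# mail host re-pointed; the MX record is untouched.
OBSERVED: ZoneSnapshot = {
    ("example.gov", "NS"): {"ns1.example.gov.", "ns-rogue.example.net."},
    ("example.gov", "MX"): {"10 mail.example.gov."},
    ("mail.example.gov", "A"): {"198.51.100.7"},
}


def run_demo() -> List[Finding]:
    findings = diff_snapshots(BASELINE, OBSERVED)
    for f in findings:
        print(f"[{f.severity}] {f.name} {f.rtype}: +{f.added} -{f.removed}")
    return findings


if __name__ == "__main__":
    run_demo()
```

    A snapshot like BASELINE is cheap to maintain alongside the zone file, and
    the same diff applies to the registrar's view (registered nameservers, DS
    records, registrar lock status), which is where this campaign did its
    damage; the zone's own servers never saw a change they could have logged.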

    ------------------------------

    Date: Wed, 17 Apr 2019 21:24:08 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Man Bites Dog Dept: MSFT supports human rights!! (Reuters)

    [Once again, I had to carefully check the date on this article to make
    sure that it wasn't April 1st!]

    As much as I applaud the zeal of all the newly converted, I'm far too
    cynical to believe a word of Brad Smith, given the *second* article about
    Microsoft, below. Perhaps St. Augustine's prayer is more appropriate for
    Microsoft: "Please God, make me good, but not just yet".

    My prayer for Microsoft: "May the Farce be with you!" *

    (* See below.)

    https://www.reuters.com/article/us-...-sales-on-human-rights-concerns-idUSKCN1RS2FV

    Microsoft turned down facial-recognition sales on human rights concerns

    Joseph Menn April 16, 2019 / 11:33 PM / Updated a day ago

    PALO ALTO (Reuters) - Microsoft Corp recently rejected a California law
    enforcement agency's request to install facial recognition technology in
    officers' cars and body cameras due to human rights concerns, company
    President Brad Smith said on Tuesday.

    Microsoft concluded it would lead to innocent women and minorities being
    disproportionately held for questioning because the artificial intelligence
    has been trained on mostly white and male pictures.

    AI has more cases of mistaken identity with women and minorities, multiple
    research projects have found.

    "Anytime they pulled anyone over, they wanted to run a face scan" against a
    database of suspects, Smith said without naming the agency. After thinking
    through the uneven impact, "we said this technology is not your answer."

    Speaking at a Stanford University conference on "human-centered artificial
    intelligence," Smith said Microsoft had also declined a deal to install
    facial recognition on cameras blanketing the capital city of an unnamed
    country that the nonprofit Freedom House had deemed not free. Smith said it
    would have suppressed freedom of assembly there.

    On the other hand, Microsoft did agree to provide the technology to an
    American prison, after the company concluded that the environment would be
    limited and that it would improve safety inside the unnamed institution.

    Smith explained the decisions as part of a commitment to human rights that
    he said was increasingly critical as rapid technological advances empower
    governments to conduct blanket surveillance, deploy autonomous weapons and
    take other steps that might prove impossible to reverse.

    Microsoft said in December it would be open about shortcomings in its facial
    recognition and asked customers to be transparent about how they intended to
    use it, while stopping short of ruling out sales to police.

    Smith has called for greater regulation of facial recognition and other uses
    of artificial intelligence, and he warned Tuesday that without that,
    companies amassing the most data might win the race to develop the best AI
    in a "race to the bottom."

    He shared the stage with the United Nations High Commissioner for Human
    Rights, Michelle Bachelet, who urged tech companies to refrain from building
    new tools without weighing their impact.

    "Please embody the human rights approach when you are developing
    technology," said Bachelet, a former president of Chile.

    Microsoft spokesman Frank Shaw declined to name the prospective customers
    the company turned down.

    Reporting by Joseph Menn; Editing by Greg Mitchell and Lisa Shumaker

    https://www.nextgov.com/emerging-te...ters-built-classified-government-data/156376/

    Frank Konkel, 17 Apr 2019

    Microsoft Unveils Two Secret Data Centers Built for Classified Government
    Data

    ... Microsoft's announcement is part of the company's plan to compete with
    Amazon--the only company cleared to host the CIA and Defense Department's
    secret and top secret classified data--and comes as both companies compete
    for a $10 billion military cloud contract called *JEDI*. ...

    ------------------------------

    Date: Tue, 16 Apr 2019 20:22:03 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Microsoft Email Hack Shows the Lurking Danger of Customer Support
    (WiReD)

    On Friday night, Microsoft sent notification emails to an unknown number of
    its individual email users -- across Outlook, MSN, and Hotmail -- warning
    them about a data breach. Between January 1 and March 28 of this year,
    hackers used a set of stolen credentials for a Microsoft customer support
    platform to access account data like email addresses in messages, message
    subject lines, and folder names inside accounts. By Sunday, it acknowledged
    that the problem was actually much worse.

    After tech news site Motherboard showed Microsoft evidence from a source
    that the scope of the incident was more extensive, the company revised its
    initial statement, saying instead that for about 6 percent of users who
    received a notification, hackers could also access the text of their
    messages and any attachments. Microsoft had previously denied to TechCrunch
    that full email messages were affected.

    https://www.wired.com/story/microsoft-email-hack-outlook-hotmail-customer-support/

    ------------------------------

    Date: Wed, 17 Apr 2019 12:33:07 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: As China Hacked, U.S. Businesses Turned A Blind Eye (npr.org)
    "Technology theft and other unfair business practices originating from China
    are costing the American economy more than $57 billion a year, White House
    officials believe, and they expect that figure to grow.

    "Yet an investigation by NPR and the PBS television show Frontline into why
    three successive administrations failed to stop cyberhacking from China
    found an unlikely obstacle for the government -- the victims themselves."

    Why do for-profit organizations, possessing vast stores of valuable
    intellectual property, apparently accept and anticipate theft of this
    content? Because the PRC marketplace is "too big" to ignore.

    US businesses display a remarkable, and convenient, myopia when it suits
    their primary objective: capture and realize revenue. Corporations are
    inured to theft and breach, exhausted by defense against the inevitable.

    Businesses budget for theft losses and pay insurance premiums as an
    operational expense. No longer is an eyelash of concern raised. These
    expenses are considered leakage. (See the movie classic "Casino.").
    Business continuity is the objective.

    When pushed against the wall (if revenue capture is threatened by
    'unfavorable or unfair' competition), business can prevail upon political
    governance to embargo foreign products, or savage their competitor's product
    capabilities like HuaWei 5G per
    http://catless.ncl.ac.uk/Risks/31/16#subj19

    A calculated brand outrage assault and reputation sabotage campaign can tip
    procurement scales against certain suppliers.

    Given visible product defect escape and zero-day density reports (as noted
    in RISKS-31.16 and elsewhere), how do data breach and IP theft incidents
    arising from deployed gear (be they domestic or foreign) constitute a
    favorable outcome for dependent end-users and businesses?

    Whether the PRC or the US/EU "wins the contest" for most rapacious and
    effective data breach and IP theft exploitation capabilities is immaterial
    to governments.

    International economic dominance -- hegemony -- appears to motivate PRC IP
    theft and intrusion frequency: Become the world's largest economy and bask
    in the bragging rights limelight by any conceivable means. The US/EU
    apparently do not enlist their intelligence services for this purpose, at
    least as vigorously engaged or as visibly compared to the #2 global economy.

    Risks: Exhausted business strategies and weak operational practices that
    rely on government intervention to rebalance the marketplace. Insufficient
    or ineffective safeguards applied to suppress IP Internet theft, intrusions,
    and digital data exfiltration.

    ------------------------------

    Date: Thu, 18 Apr 2019 13:38:48 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Wipro customers hacked, says Krebs. Nothing to see here, says Wipro
    (TechBeacon)

    https://techbeacon.com/security/wipro-customers-hacked-says-krebs-nothing-see-here-says-wipro

    ------------------------------

    Date: Thu, 18 Apr 2019 08:05:53 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Facebook has admitted to unintentionally uploading the address
    books of 1.5 million users without consent (The Guardian)

    EXCERPT:

    Facebook has admitted to `unintentionally' uploading the address books of
    1.5 million users without consent, and says it will delete the collected
    data and notify those affected.
    https://www.theguardian.com/technology/facebook

    The discovery follows criticism of Facebook by security experts for a
    feature that asked new users for their email password as part of the sign-up
    process. As well as exposing users to potential security breaches, those who
    provided passwords found that, immediately after their email was verified,
    the site began importing contacts without asking for permission.

    Facebook has now admitted it was wrong to do so, and said the upload was
    inadvertent. ``Last month we stopped offering email password verification
    as an option for people verifying their account when signing up for Facebook
    for the first time,'' the company said. ``When we looked into the steps
    people were going through to verify their accounts we found that in some
    cases people's email contacts were also unintentionally uploaded to Facebook
    when they created their account. We estimate that up to 1.5 million people's
    email contacts may have been uploaded. These contacts were not shared with
    anyone and we're deleting them. We've fixed the underlying issue and are
    notifying people whose contacts were imported. People can also review and
    manage the contacts they share with Facebook in their settings.''

    The issue was first noticed in early April, when the Daily Beast reported
    on Facebook's practice of asking for email passwords to verify new users. The
    feature, which allows Facebook to automatically log in to a webmail account
    to effectively click the link on an email verification itself, was
    apparently intended to smooth the workflow for signing up for a new account.
    https://www.thedailybeast.com/beyond-sketchy-facebook-demanding-some-new-users-email-passwords

    But security experts said the practice was `beyond sketchy', noting that
    it gave Facebook access to a large amount of personal data and may have led
    to users adopting unsafe practices around password confidentiality. The
    company was ``practically fishing for passwords you are not supposed to
    know,'' according to cybersecurity tweeter e-sushi who first raised concern
    about the feature, which Facebook says has existed since 2016...
    https://twitter.com/originalesushi?lang=en

    https://www.theguardian.com/technol...d-email-contacts-of-15m-users-without-consent

    ------------------------------

    Date: Thu, 18 Apr 2019 11:00:29 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Utah Bans Police From Searching Digital Data Without A Warrant,
    Closes Fourth Amendment Loophole (Forbes)

    https://www.forbes.com/sites/nicksi...t-a-warrant-closes-fourth-amendment-loophole/

    ------------------------------

    Date: Fri, 12 Apr 2019 07:01:53 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: AppleWatch or AnkleMonitor: You Decide

    "Ankle monitor" and Fitbit/AppleWatch are becoming indistinguishable in the
    new world of Chinese/Uber/AirBnB-style Social Credit Systems.

    Three excellent 11-16 minute videos of Big Tech's version of Social
    Credit Systems in action. Well done, with high production values.

    This dystopian world is no longer "far into the future", but already
    here.

    https://www.sscqueens.org/news/launch-of-screening-surveillance
    https://www.sscqueens.org/projects/screening-surveillance
    https://www.youtube.com/channel/UCpEmA7HemoLdu-bZsr63y-Q

    Blaxites

    https://www.sscqueens.org/projects/screening-surveillance/blaxites
    https://www.youtube.com/watch?v=yfVNDuWGZTs

    Blaxites

    Published on Apr 9, 2019

    Jai's celebratory social media post affects her access to vital medication.
    Her attempts to circumvent the system leads to even more dire consequences.

    Written by: Nehal El-Hadi Directed by: Josh Lyon

    https://www.sscqueens.org/projects/screening-surveillance/frames
    https://www.youtube.com/watch?v=jfJX8HaGy6s

    Frames

    Published on Apr 9, 2019

    A smart city tracks and analyzes a woman walking through the city.
    Things she does are interpreted and logged by the city system, but are
    they drawing an accurate picture of the woman?

    Written by: Madeline Ashby Directed by: Farhad Pakdel

    https://www.sscqueens.org/projects/screening-surveillance/a-model-employee
    https://www.youtube.com/watch?v=kBeggSzwKQ4

    A Model Employee

    Published on Mar 29, 2019

    To keep her day job at a local restaurant, Neeta, an aspiring DJ, has
    to wear a tracking wristband. As it tracks her life outside of work,
    she tries to fool the system, but a new device upgrade means trouble.

    Written by: Tim Maughan Directed by: Leila Khalilzadeh

    ------------------------------

    Date: Fri, 12 Apr 2019 18:46:56 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Fintech fiddles as home burns: 97% of apps lack basic security
    (TechBeacon)

    This is not fine. A white-hat researcher examined 30 financial apps, looking
    for information security issues -- worryingly, all but one of them were
    insecure.

    The failures were mind-numbingly familiar, and dead easy to find. It's as if
    the industry has learned nothing and is walking around with a sign on its
    back, saying, “Rob me.”

    https://techbeacon.com/security/fintech-fiddles-home-burns-97-apps-found-insecure

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.19
    ************************
     
  11. LakeGator

    Risks Digest 31.20

    RISKS List Owner

    Apr 23, 2019 7:34 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 23 April 2019 Volume 31 : Issue 20

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    "A Marriage Made in Hell": The growing partnership between Russia's
    government and cybercriminals (CBS)
    The Mueller Report includes lots of information on Russian election
    interference (PGN)
    Sometimes Bitcoin makes you easier to trace ... (CNN)
    How the Boeing 737 Max Disaster Looks to a Software Developer
    (IEEE Spectrum)
    A video showed a parked Tesla Model S exploding in Shanghai (qz.com)
    Roman Mars Mazda virus (Jeremy Epstein)
    Nokia 9 buggy update lets anyone bypass fingerprint scanner with a
    pack of gum (Catalin Cimpanu)
    How sovereign citizens helped swindle $1 billion from the government
    they disavow (NYTimes)
    How *not* to kill a news cycle ... (Rob Slade)
    "Can Facebook be trusted with a virtual assistant?" (Computerworld)
    The trouble with tech unicorns Tech's new stars have it all --
    Silicon Valley Came to Kansas Schools. That Started a Rebellion (NYTimes)
    Domain transfer at gunpoint ... (CNN via Rob Slade)
    Battle for .amazon Domain Pits Retailer Against South American Nations
    (E-Week)
    Should AI be used to catch shoplifters? (cnn.com)
    Facebook Uses Mueller Report to Distract from Security Breach (The Register)
    Facial Recognition in NYC (NYTimes)
    An Interesting Juxtaposition in RISKS 31.18 (Gene Wirchenko)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 23 Apr 2019 07:27:27 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: "A Marriage Made in Hell": The growing partnership between Russia's
    government and cybercriminals (CBS)

    The growing partnership between Russia's government and cybercriminals

    Assessing the threats in the new "code war":

    A new war is taking place online -- and the former head of national security
    at the Justice Department says Russia is the biggest threat

    Assessing the threats in the new "code war" - 60 Minutes - CBS News

    ------------------------------

    Date: Mon, 22 Apr 2019 9:31:14 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: The Mueller Report includes lots of information on Russian election
    interference (various sources)

    Here are just three recent items:

    National: Mueller report highlights scope of election security challenge
    (The Washington Post)

    Mueller Report: Russia Funded US Election Snooping, Manipulation with
    Bitcoin (CCN)

    Mueller report says Russian hacking once went through Arizona server
    (Cronkite News)

    ------------------------------

    Date: Sat, 20 Apr 2019 12:10:16 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Sometimes Bitcoin makes you easier to trace ... (CNN)

    Bitcoin, and cryptocurrencies in general, are seen as being anonymous, like
    cash transactions.

    Not quite.

    Bitcoin, and the blockchain, may be encrypted, but, once you've identified
    an account of note, you can get all kinds of information about transactions.

    CNN - Breaking News, Latest News and Videos

    ------------------------------

    Date: Tue, 23 Apr 2019 01:06:56 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: How the Boeing 737 Max Disaster Looks to a Software Developer
    (IEEE Spectrum)

    https://spectrum.ieee.org/aerospace...37-max-disaster-looks-to-a-software-developer

    ------------------------------

    Date: Mon, 22 Apr 2019 14:06:19 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: A video showed a parked Tesla Model S exploding in Shanghai (qz.com)

    A video showed a parked Tesla Model S exploding in Shanghai

    From the video, the vehicle appears to be in a quiescent state.

    Henry Baker noted the vehicle fire risk at home while charging in
    The Risks Digest

    The energy density of a lithium-air storage battery, per
    Lithium–air battery - Wikipedia

    In the same table, TNT (TNT - Wikipedia) is
    4.1 MJ/kg.

    Risk: Fire via electric-vehicle battery thermal runaway.

    ------------------------------

    Date: Fri, 19 Apr 2019 09:53:23 -0400
    From: Jeremy Epstein <jeremy....@gmail.com>
    Subject: Roman Mars Mazda virus

    A flaw in the MP3 player in some Mazda cars causes the MP3 player to lock up
    when playing a particular podcast. The problem appears to be the use of the
    string "%I" in the name of the podcast, which (based on discussions with the
    author of the software) seems to be causing problems with the URI
    interpretation software. Unfortunately, the podcast doesn't explore a step
    further, looking at whether the flaw can be exploited to take control of
    vehicle systems, for example.

    The podcast is interesting listening even for geeks (although the answer was
    fairly obvious from the beginning), simply to understand how a non-technical
    person tries to solve a technical problem. I'd imagine it's the same as a
    doctor watching a parent trying to figure out why a baby is crying, without
    having much data on how to distinguish the trivial (wet diaper, hungry) from
    a serious illness.

    The Roman Mars Mazda Virus - 99% Invisible
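
    As an added illustration (not code from the digest, the podcast, or Mazda):
    "%" followed by two hex digits is the only escape a URI decoder should
    accept, so a name containing "%I" is malformed input. The two functions
    below show the defensive options, rejecting such a name up front with
    percent_escape_check, or decoding it with uri_decode_tolerant, which copies
    a malformed escape literally and always advances, so it can neither hang
    nor read past the end of the string. Function names and sample names are
    made up here; how the actual Mazda firmware handles "%I" is not known from
    the item.

```c
/* Added example: defensive handling of malformed percent-escapes such as "%I".
 * Names and sample strings are constructed for this illustration; nothing
 * here is taken from the Mazda software. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Value of a hex digit, or -1 if c is not one. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Returns -1 if every '%' in s starts a well-formed %XX escape, otherwise the
 * offset of the first '%' that does not ("%I", or "%4" cut off by the end of
 * the string).  Use it to reject a track or podcast name before it reaches a
 * parser that assumes well-formed input. */
int percent_escape_check(const char *s)
{
    for (size_t i = 0; s[i] != '\0'; i++) {
        if (s[i] != '%') continue;
        /* Evaluation order matters: never read past the terminator. */
        if (s[i + 1] == '\0' || hexval((unsigned char)s[i + 1]) < 0 ||
            s[i + 2] == '\0' || hexval((unsigned char)s[i + 2]) < 0)
            return (int)i;
        i += 2;  /* skip the two hex digits just validated */
    }
    return -1;
}

/* Decodes src into dst (capacity dstlen, NUL included).  A well-formed %XX
 * escape becomes the byte it denotes; a '%' not followed by two hex digits is
 * copied literally.  Every iteration consumes at least one byte, so the loop
 * terminates and never reads beyond src's terminator.
 * Returns the number of bytes written (excluding the NUL), or -1 if dst is
 * too small. */
int uri_decode_tolerant(const char *src, char *dst, size_t dstlen)
{
    size_t i = 0, o = 0;
    if (dstlen == 0) return -1;
    while (src[i] != '\0') {
        int ch, hi = -1, lo = -1;
        if (src[i] == '%' && src[i + 1] != '\0' && src[i + 2] != '\0' &&
            (hi = hexval((unsigned char)src[i + 1])) >= 0 &&
            (lo = hexval((unsigned char)src[i + 2])) >= 0) {
            ch = hi * 16 + lo;   /* well-formed escape */
            i += 3;
        } else {
            ch = (unsigned char)src[i];   /* literal byte, including a bare '%' */
            i += 1;
        }
        if (o + 1 >= dstlen) return -1;   /* leave room for the NUL */
        dst[o++] = (char)ch;
    }
    dst[o] = '\0';
    return (int)o;
}

int main(void)
{
    /* Constructed sample names; "%I" is the string the digest item points at. */
    const char *names[] = { "99%25%20Invisible", "99%Invisible", "abc%4" };
    char out[64];
    for (size_t k = 0; k < sizeof names / sizeof names[0]; k++) {
        int bad = percent_escape_check(names[k]);
        int n = uri_decode_tolerant(names[k], out, sizeof out);
        printf("%-20s well-formed: %s  decoded(%d): %s\n", names[k],
               bad < 0 ? "yes" : "no ", n, out);
    }
    return 0;
}
```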

    ------------------------------

    Date: Tue, 23 Apr 2019 10:43:41 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Nokia 9 buggy update lets anyone bypass fingerprint scanner with a
    pack of gum (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 22 Apr 2019
    Only Nokia 9 PureView handsets appear to be impacted.
    Nokia 9 buggy update lets anyone bypass fingerprint scanner with a pack of gum | ZDNet

    selected text:

    A buggy update for Nokia 9 PureView handsets has apparently impacted the
    smartphone model's in-screen fingerprint scanner, which can now be bypassed
    using unregistered fingerprints or even with something as banal as a pack of
    gum.

    The update was meant to improve the phone's in-screen fingerprint scanner
    module --so that users won't have to press their fingers too hard on the
    screen before the phone unlocks-- yet it had the exact opposite effect the
    company hoped for.

    While initially, the reported issues appeared to be new, a video recorded by
    another user showed the same problem (unlocking phones with unregistered
    fingerprints) even before the v4.22 update, meaning that the update just
    made the unlocking bug worse than it already was.

    This means that rolling back the faulty v4.22 firmware update, or waiting on
    v4.21, won't fix the fingerprint scanner problems, as even before this
    patch, the scanner appeared to have a pretty high false negatives rate,
    allowing strangers to bypass the phone's screenlock.

    In the meantime, users are advised to switch to another mode of
    authentication, such as using facial recognition, a PIN code, or a password.

    ------------------------------

    Date: Fri, 19 Apr 2019 15:15:44 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How sovereign citizens helped swindle $1 billion from the
    government they disavow (NYTimes)

    Sovereigns, who sometimes call themselves `freemen' or `state citizens',
    have no foundational document, but broadly they subscribe to an alternate
    version of American history. The tale can vary from sovereign to sovereign,
    but it goes roughly like this: At some point, a corporation secretly usurped
    the United States government, then went bankrupt and sought aid from
    international bankers. As collateral, the corporation offered the financiers
    ... us. As sovereigns tell it, your birth certificate and Social Security
    card are not benign documents, but contracts that enslave you.

    There is, they believe, a pathway to freedom: Renounce these contracts or
    otherwise assert your sovereignty. (Mr. Morton said he once told the Social
    Security Administration, ``I don't want this number.'') Then no one -- not
    the taxman, not the police -- can tell you what to do. Not all sovereigns
    are con men, but their belief system lends itself to deceit. You might
    declare yourself a `diplomat' from a nonexistent country. (Mr. Morton
    represented the Republic of New Lemuria and the Dominion of Melchizedek.) Or
    start a fake Native American tribe. Or blow off a court case because the
    American flag in the courtroom has gold fringe. Some sovereigns have even
    lashed out violently at law enforcement officers, which is why they're
    considered a domestic terrorism threat.

    How Sovereign Citizens Helped Swindle $1 Billion From the Government They Disavow

    The risk? Crooks, fools, and an IRS starved for funds.

    ------------------------------

    Date: Tue, 23 Apr 2019 12:15:09 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: How *not* to kill a news cycle ...

    OK, now, I don't want to get accused of "controversial political statements"
    so I'm not naming any names, all right?

    But let's, hypothetically and purely for the sake of argument, say that some
    document or piece of news is going to come out, and you want to minimize the
    attention paid to it. (Let's call it the Miller Time Report, just for
    illustrative purposes.)

    Now, the *right* way to ensure that bad news is buried is to release but
    distract. For example, if you are a company called "Fact"book, and you have
    yet another egregious failure of security and privacy to report, you do it
    an hour after the release of the Miller Time Report, which you know lots of
    people are interested in. In fact, if you have two pieces of bad news,
    release them both at the same time, just after the Miller Time Report, and
    that way lots of people don't actually realize that you made two mistakes,
    since they are all mostly interested in the Miller Time Report and won't
    read yours in any detail.

    Now, if you are responsible for releasing the Miller Time Report, and it's a
    huge report (say, something along the lines of 400 pages), you might think
    it clever to release it in a difficult format, like an unsearchable PDF.
    This means that people can't go searching for details they think might be in
    it. People, even reporters, are basically lazy, and you might think that
    this will discourage them from actually having to read the whole report.

    That's actually a bad idea, on two counts. First, it's not that hard for
    technically adept people to run the document through OCR (optical character
    recognition) and create a searchable document, and release that themselves.

    The second issue is that, while most people *are* basically lazy, when a
    whole bunch of people are interested in something, then, even if you make it
    difficult, they will put in the work. And, if you make it hard for them to
    find the highlights, then, by forcing them to read the whole thing, you risk
    the fact that they will, over time, find all kinds of interesting bits and
    pieces. And, because it's taking them time to read the whole thing, the
    bits and pieces get released as they are found, and that extends the "news
    cycle" for the Miller Time Report. A kind of corollary of the
    Streisand Effect takes over, and what you tried to minimize gets extended,
    instead.

    ------------------------------

    Date: Sun, 21 Apr 2019 18:56:51 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Can Facebook be trusted with a virtual assistant?" (Computerworld)

    Can Facebook be trusted with a virtual assistant?

    Mike Elgan, Computerworld,
    A look at recent news has a lot to tell us about Facebook's trustworthiness.

    [Given the list of offenses, the author's answer is no.]

    ------------------------------

    Date: Sun, 21 Apr 2019 07:26:36 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: The trouble with tech unicorns Tech's new stars have it all --
    except a path to high profits (The Economist)

    Millions of users, cool brands and charismatic bosses are not enough

    EXCERPT:

    Investors often describe the world of business in terms of animals, such as
    bears, bulls, hawks, doves and dogs. Right now, mere ponies are being
    presented as unicorns: privately held tech firms worth over $1bn that are
    supposedly strong and world-beating -- miraculous almost. Next month Uber will
    raise some $10bn in what may turn out to be this year's biggest initial
    public offering (ipo). It will be America's third-biggest-ever tech ipo,
    after Alibaba and Facebook. Airbnb and WeWork could follow Lyft, which has
    already floated, and Pinterest, which was set to do so as The Economist
    went to press. In China, an ipo wave that began last year rumbles on.
    Thanks to fashionable products and armies of users, these firms have a
    total valuation in the hundreds of billions of dollars. They and their
    venture-capital (vc) backers are rushing to sell shares at high prices to
    mutual funds and pension schemes run for ordinary people. There is,
    however, a problem with the unicorns: their business models.

    As we report this week, a dozen unicorns that have listed, or are likely to,
    posted combined losses of $14bn last year. Their cumulative losses are $47bn
    (see Briefing). Their services, from ride-hailing to office rental, are
    often deeply discounted in order to supercharge revenue growth. The
    justification for this is the Silicon Valley doctrine of `blitz-scaling' in
    order to conquer `winner-takes-all' markets -- or in plain English,
    conducting a high-speed land grab in the hope of finding gold.

    Yet some unicorns lack the economies of scale and barriers to entry that
    their promoters proclaim. At the same time, tighter regulation will
    constrain their freedom to move fast and break things. Investors should
    demand lower prices in the ipos, or stay away. Tech entrepreneurs and their
    backers need to rethink what has become an unsustainable approach to
    building firms and commercialising ideas.

    Today's unicorn-breeding industry would not have been possible 25 years
    ago. In 1994 only $6bn flowed into vc funds, which doled out cheques in the
    single-digit millions. Before Amazon staged its ipo in 1997 it had raised a
    total of only $10m. Three things changed. Growing fast became easier thanks
    to cloud computing, smartphones and social media, which let startups spread
    rapidly around the world. Low interest rates left investors chasing
    returns. And a tiny elite of superstar firms, including Google, Facebook and
    China's Alibaba and Tencent, proved that huge markets, high profits and
    natural monopolies, along with limited physical assets and light regulation,
    were the secret to untold riches. Suddenly tech became all about applying
    this magic formula to as many industries as possible, using piles of money
    to speed up the process.

    Make no mistake, the unicorns are more substantial than the turkeys of the
    2000 tech bubble, such as Pets.com, which went bust ten months after its
    ipo. Ride apps are more convenient than taxis, food delivery is lightning
    quick, and streaming music is better than downloading files. Like Google
    and Alibaba, the unicorns have large user bases. Their core businesses can
    avoid owning physical assets by outsourcing their it to cloud providers. As
    ipo documents point out, their sales are growing fast...

    [...]
    Tech's new stars have it all -- except a path to high profits

    ------------------------------

    Date: Mon, 22 Apr 2019 13:39:58 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Silicon Valley Came to Kansas Schools. That Started a Rebellion
    (NYTimes)

    “We're allowing the computers to teach and the kids all looked like
    zombies,” said Tyson Koenig, a factory supervisor in McPherson, who visited
    his son's fourth-grade class. In October, he pulled the 10-year-old out of
    the school.

    https://www.nytimes.com/2019/04/21/technology/silicon-valley-kansas-schools.html

    ------------------------------

    Date: Mon, 22 Apr 2019 12:17:12 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Domain transfer at gunpoint ... (CNN)

    No, this is not the way to do a domain transfer ...
    https://lite.cnn.io/en/article/h_f12d9a252633c427e47b1109a0af7d85

    ------------------------------

    Date: Fri, 19 Apr 2019 02:18:13 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Battle for .amazon Domain Pits Retailer Against South American
    Nations (E-Week)

    https://www.eweek.com/security/oracle-patches-3-year-old-java-deserialization-flaw-in-april-update

    ------------------------------

    Date: Fri, 19 Apr 2019 11:51:36 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Should AI be used to catch shoplifters? (cnn.com)

    https://edition.cnn.com/2019/04/18/business/ai-vaak-shoplifting/index.html

    New artificial intelligence software is being used in Japan to monitor the
    body language of shoppers and look for signs that they are planning to
    shoplift. "The software, which is made by a Tokyo startup called Vaak,
    differs from similar products that work by matching faces to criminal
    records. Instead, VaakEye uses behavior to predict criminal action."

    Perhaps a more effective use of AI would be to deter its own deployment?
    Wait...that means AI needs common sense and contextual awareness to
    ethically perceive and judge its own actions. No sense holding back the
    kitchen sink from being thrown -- throw that too!

    Risk: AI interpolation of human intent to shoplift.

    Do these bits automatically summon authorities for a Slurpee takedown?

    ------------------------------

    Date: Sat, 20 Apr 2019 11:28:54 -0400
    From: Charles Dunlop <cdu...@umich.edu>
    Subject: Facebook Uses Mueller Report to Distract from Security Breach
    (The Register)

    It's common practice for organizations to release bad news at the end of a
    week, hoping that it will be buried. But Facebook hit a bonanza, when at
    the end of this week the news focus was on the Mueller report. See

    https://www.theregister.co.uk/2019/04/18/facebook_instagram_passwords/

    ------------------------------

    Date: Fri, 19 Apr 2019 01:04:40 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Facial Recognition in NYC (NYTimes)

    Most people pass through some type of public space in their daily routine --
    sidewalks, roads, train stations. Thousands walk through Bryant Park every
    day. But we generally think that a detailed log of our location, and a list
    of the people we're with, is private. Facial recognition, applied to the web
    of cameras that already exists in most cities, is a threat to that privacy.

    https://www.nytimes.com/interactive/2019/04/16/opinion/facial-recognition-new-york-city.html

    Privacy? How quaint.

    ------------------------------

    Date: Thu, 18 Apr 2019 21:40:21 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: An Interesting Juxtaposition in RISKS-31.18

    RISKS-31.18 has interesting juxtaposition of articles: "Not a burglar after
    all" and "Computers Turn an Ear on New York City (Scientific American)". In
    the second article, what is going to be the authority for what sounds
    represent? The first article has a case of police officers not being able
    to identify what sights and sounds represented. They were concerned, and it
    could have been a serious situation.

    Misidentification could have severe consequences. This could be similar to
    GPSs. Some are meant for general use and some for specific areas. (An
    example of this is truckers going through villages with roads ill-suited for
    this because of the trucker using a run-of-the-garden GPS. Or is that
    run-through-the-garden?)

    ------------------------------


    End of RISKS-FORUM Digest 31.20
    ************************

  12. LakeGator

    Risks Digest 31.21

    RISKS List Owner

    Apr 29, 2019 8:34 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 29 April 2019 Volume 31 : Issue 21

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Russian hackers were in position to alter Florida voter rolls (Rubio)
    National Security Council cyberchief: Criminals are closing the gap with
    nation-state hackers (Cyberscoop)
    Cryptocurrencies shed $10 billion in an hour on worries over 'stablecoin'
    tether (CNBC)
    City of Chicago Almost Lost More Than $1 Million In Phishing Scam (CBS)
    Invisible Malware Is Here and Your Security Software Can't Catch It (PCMag)
    Using side-channel attacks to detect malware? (Science Daily)
    Man guilty for using "USB Killer" against college computers (DoJ)
    A 'Blockchain Bandit' Is Guessing Private Keys and Scoring Millions (WiReD)
    Japan Has a New Emperor. Now It Needs a Software Update. (NYTimes)
    Japan develops app that yells 'stop' to scare off molesters
    (The Straits Times)
    NSA wants to stop drinking from the fire hose (Naked Security)
    Don't get phished (The Straits Times)
    "Why I've learned to hate my Apple Watch" (Evan Schuman)
    Virtual dress-up website settles with the FTC following data breach
    (The Verge)
    Docker Hub Breached, Impacting 190,000 Accounts (E-Week)
    Apple Cracks Down on Apps That Fight iPhone Addiction (NYTimes)
    Marathon training risk over fitness trackers that 'can't be trusted' to
    measure distance (Telegraph.co.uk)
    In Australia, hacked Lime scooters spew racism and profanity (WashPost)
    The invisibility pic ... (Rob Slade)
    Travis in IEEE Spectrum on Boeing 737 MAX MCAS software (Peter B Ladkin)
    Re: How the Boeing 737 Max Disaster Looks to a Software Developer
    (Dan Jacobson, Thomas Koenig)
    Re: Is curing patients, a sustainable business model? (Martin Ward,
    Martin Ward)
    Re: Should AI be used to catch shoplifters? (Antonomasia)
    Re: How *not* to kill a news cycle ... (Dan Pritts)
    Re: Battle for .amazon Domain Pits Retailer Against South American
    (Dan Jacobson)
    Re: A video showed a parked Tesla Model S exploding in Shanghai
    Re: Huawei's code is a steaming pile... (Richard Stein, Martin Ward)
    Re: EU Tells Internet Archive That Much Of Its Site Is 'Terrorist Content'
    (TechDirt)
    Re: An Interesting Juxtaposition (Wol)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 28 Apr 2019 11:43:35 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Russian hackers were in position to alter Florida voter rolls (Rubio)

    Russian Hackers Were ‘In a Position’ to Alter Florida Voter Rolls, Rubio Confirms

    ------------------------------

    Date: Fri, 26 Apr 2019 14:53:27 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: National Security Council cyberchief: Criminals are closing the
    gap with nation-state hackers (Cyberscoop)

    EXCERPT:

    Cybercriminals are catching up to nation-states' hacking capabilities, and
    it's making attribution more difficult, the National Security Council's
    senior director for cybersecurity policy said Thursday.

    ``They're not five years behind nation-states anymore, because the tools
    have become more ubiquitous,'' said Grant Schneider, who also holds the
    title of federal CISO, at the Security Through Innovation Summit presented
    by McAfee and produced by CyberScoop and FedScoop.

    Schneider told CyberScoop that he thinks the implants cybercriminals are
    using in their cyberattacks have been improving. ``The actual sophistication
    of the tool is better with criminals than we saw in the past.''

    Steve Grobman, the chief technology officer for McAfee, told CyberScoop
    that advanced crooks are behaving more corporately, which means they are
    able to proliferate higher-quality hacking tools.

    ``One of the things we're seeing on the business-model side is
    cybercriminals are starting to use innovative processes like franchises --
    affiliate groups where a cybercriminal will develop technology [and] make it
    available to other cybercriminals,'' he said...

    National Security Council cyber chief: Criminals are closing the gap with nation-state hackers - CyberScoop

    ------------------------------

    Date: Fri, 26 Apr 2019 11:11:48 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Cryptocurrencies shed $10 billion in an hour on worries over
    'stablecoin' tether (CNBC)

    <https://www.cnbc.com/2019/04/26/cry...e=iosappshare%7Ccom.apple.UIKit.activity.Mail

    What could go wrong?

    ------------------------------

    Date: Fri, 26 Apr 2019 12:58:58 -0400
    From: José María Mateos <ch...@rinzewind.org>
    Subject: City of Chicago Almost Lost More Than $1 Million In Phishing Scam
    (CBS)

    ‘Easier Than Robbing A Bank:’ City of Chicago Almost Lost More Than $1 Million In Phishing Scam

    The City of Chicago's Department of Aviation thought it was paying an
    approved vendor more than $1 million for services earlier this year.

    [...] According to a police report recently obtained by The 2 Investigators,
    the Department of Aviation received an email Jan. 24 from what appeared to
    be a city-approved vendor, Skyline Management.

    The company has been paid more than a quarter of a billion dollars --
    $284,628,921.17 -- for custodial services at Midway International Airport
    and O'Hare International Airport since 2008, city documents show.

    The email requested that Skyline's account payable information be changed
    from US Bank to Wells Fargo Bank.

    The request was referred to the city comptroller's office to make the
    change, which is routine procedure, according to the report. The change was
    made, and less than a month later, the city paid the updated account
    $1,150,759.82 for services.

    But in a call to the Department of Aviation weeks later, Skyline Management
    stated they had not received a payment for their services. That’s when the
    discovery was made: Skyline never requested an account change.
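
    The control that was missing here is an out-of-band check before a payee's
    bank details change. The following is an added example of such a check, not
    code from any city or vendor system: the vendor record, callback number,
    domains and the e-mail are all constructed, since the report gives neither
    the real vendor domain nor the address the fraudulent request came from.

```python
"""Payee bank-detail change control: an added example for the City of Chicago case
above, not code from any city or vendor system. The vendor record, callback number,
domains and the e-mail itself are constructed; the report gives neither the real
vendor domain nor the address the fraudulent request came from."""
import re
from email import message_from_string

# Constructed vendor master record. The callback number was captured at onboarding
# and is never updated from an e-mail; that is the whole point of the control.
VENDORS = {
    "Skyline Management": {"domain": "skyline-example.com", "bank": "US Bank",
                           "callback_phone": "+1-312-555-0100"},
}
_CHANGE = re.compile(r"\b(change|update|switch|new)\b", re.I)
_BANK = re.compile(r"\b(bank|account|routing|wire|remit\w*)\b", re.I)

def _domain(addr):
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""

def review_payee_change(raw_email, vendor_name, callback_confirmed=False):
    """Decide what accounts payable should do with an e-mailed request.
    Returns (decision, findings). A bank-detail change is never approved on the
    strength of the e-mail: it needs a callback to the number on file, and a
    From/Reply-To domain that differs from the registered vendor domain goes to
    fraud review before anyone changes anything."""
    vendor = VENDORS[vendor_name]
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    findings = []
    if not (_CHANGE.search(body) and _BANK.search(body)):
        return "route-normally", findings
    for hdr in ("From", "Reply-To"):
        dom = _domain(msg.get(hdr))
        if dom and dom != vendor["domain"]:
            findings.append(f"{hdr} domain {dom!r} != registered {vendor['domain']!r}")
    if findings:
        return "escalate-fraud-review", findings
    if not callback_confirmed:
        findings.append(f"confirm by calling {vendor['callback_phone']} before changing")
        return "hold-for-callback", findings
    return "approve", findings

# Constructed sample: lookalike sender domain plus a free-mail Reply-To.
PHISH = """From: AP Team <billing@skyline-example.co>
Reply-To: skyline.billing@webmail.example
To: payments@city.example
Subject: Updated remittance details

Please update our account payable information from US Bank to Wells Fargo.
Routing and account numbers are attached.
"""
# Same request as it would look coming from the registered domain.
LEGIT = PHISH.replace("skyline-example.co>", "skyline-example.com>") \
             .replace("Reply-To: skyline.billing@webmail.example\n", "")

if __name__ == "__main__":
    print(review_payee_change(PHISH, "Skyline Management"))
    print(review_payee_change(LEGIT, "Skyline Management"))
    print(review_payee_change(LEGIT, "Skyline Management", callback_confirmed=True))
```

    Note that even the legitimate-looking request is held until someone calls
    the number already on file; a phone number or "confirmation" contained in
    the e-mail itself is never used, because the attacker controls that content.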

    ------------------------------

    Date: Fri, 26 Apr 2019 13:44:54 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Invisible Malware Is Here and Your Security Software Can't Catch It
    (PCMag)

    Unfortunately, there's not much you can do to protect existing machines.
    "You need to replace critical servers," Knight said, adding that you will
    also need to determine what your critical data is and where it's running.
    ... Knight added that the only way for most companies to avoid the problem
    is to move their critical data and processes to the cloud, if only because
    cloud service providers can better protect against this kind of hardware
    attack. "It's time to transfer the risk," she said. And Knight warned that,
    at the speed things are moving, there's little time to protect your critical
    data. "This is going to get turned into a worm," she predicted. "It will
    become some sort of self-propagating worm." It's the future of cyberwarfare,
    Knight said. It won't stay the purview of state-sponsored actors forever.

    Invisible Malware Is Here and Your Security Software Can't Catch It
    [sic! if that does not work, browse on the subject line. PGN]

    Of course -- replace all servers AND move everything critical to cloud.
    Easy solutions...

    ------------------------------

    Date: Sat, 27 Apr 2019 11:59:45 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Using side-channel attacks to detect malware? (Science Daily)

    If there's an anomaly in power consumption for your device or embedded
    system it could be infected with malware.
    New technique uses power anomalies to ID malware in embedded systems

    It's a variation of the long-standing change detection (or "integrity"
    monitoring) type of malware detection. I suspect it has a ways to go, but
    it is an interesting idea ...
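
    As an added illustration of the change-detection idea (not the researchers'
    method, and not code from the article): a baseline profile is learned from
    clean runs of one workload cycle, and a later run is flagged where several
    consecutive samples fall far outside that profile. All traces here are
    constructed, with extra current draw injected into one run.

```python
"""Power-consumption anomaly detector for an embedded device: an added example for
the Science Daily item above. It is not the researchers' method, only the generic
change-detection idea, and all traces are constructed: a fixed duty cycle with
Gaussian noise, plus one run where extra draw is injected over samples 20..29."""
import random
import statistics

def baseline_profile(clean_traces):
    """Per-sample (mean, std) learned from clean runs of the same workload cycle."""
    cols = zip(*clean_traces)
    return [(statistics.fmean(c), statistics.pstdev(c)) for c in cols]

def anomalous_runs(trace, profile, z_thresh=4.0, min_run=3):
    """Return (start, end) index ranges where at least min_run consecutive samples
    deviate from the profile by more than z_thresh standard deviations.
    Requiring a run suppresses single-sample noise spikes."""
    runs, start = [], None
    for i, (v, (mu, sd)) in enumerate(zip(trace, profile)):
        z = abs(v - mu) / (sd if sd > 0 else 1e-9)
        if z > z_thresh:
            start = i if start is None else start
        elif start is not None:
            if i - start >= min_run:
                runs.append((start, i - 1))
            start = None
    if start is not None and len(profile) - start >= min_run:
        runs.append((start, len(profile) - 1))       # run reaches end of trace
    return runs

def make_traces(n_clean=20, n_samples=50, seed=1):
    """Constructed data: nominal mA per sample of one workload cycle, noisy clean
    runs, and one 'infected' run with +20 mA injected over samples 20..29."""
    rng = random.Random(seed)
    cycle = [100 + 5 * (i % 10) for i in range(n_samples)]
    clean = [[v + rng.gauss(0, 0.5) for v in cycle] for _ in range(n_clean)]
    infected = [v + rng.gauss(0, 0.5) + (20 if 20 <= i < 30 else 0)
                for i, v in enumerate(cycle)]
    return clean, infected

def detect_injected():
    clean, infected = make_traces()
    return anomalous_runs(infected, baseline_profile(clean))

if __name__ == "__main__":
    print("anomalous sample ranges:", detect_injected())
```

    The weak point, as with any integrity monitor, is the baseline: if the
    device was already compromised when the profile was learned, the malware's
    draw is part of "normal" and nothing is flagged.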

    ------------------------------

    Date: Fri, 26 Apr 2019 12:05:11 -0400
    From: danny burstein <dan...@panix.com>
    Subject: Man guilty for using "USB Killer" against college computers (DoJ)

    Akuthota admitted that on February 14, 2019, he inserted a "USB Killer"
    device into 66 computers, as well as numerous computer monitors and
    computer-enhanced podiums, owned by the college in Albany. The "USB Killer"
    device, when inserted into a computer's USB port, sends a command causing
    the computer's on-board capacitors to rapidly charge and then discharge
    repeatedly, thereby overloading and physically destroying the computer's USB
    port and electrical system. [DOJ press release]

    Former Student Pleads Guilty to Destroying Computers at The College of St. Rose

    ------------------------------

    Date: Wed, 24 Apr 2019 14:31:39 +0000 (UTC)
    From: Bill Meacham <bmeac...@yahoo.com>
    Subject: A 'Blockchain Bandit' Is Guessing Private Keys and Scoring Millions
    (WiReD)

    Your bitcoin wallet may not be as secure as you think it is ... A
    'Blockchain Bandit' Is Guessing Private Keys and Scoring Millions
    A 'Blockchain Bandit' Is Guessing Private Keys and Scoring Millions
    ... researchers not only found that cryptocurrency users have in the last
    few years stored their crypto treasure with hundreds of easily guessable
    private keys, but also uncovered what they call a "blockchain bandit." A
    single Ethereum account seems to have siphoned off a fortune of 45,000 ether
    -- worth at one point more than $50 million -- using ... key-guessing
    tricks.

    ... the odds of guessing a randomly generated Ethereum private key is 1 in
    115 quattuorvigintillion. (Or, as a fraction: 1/2^256.) That denominator is
    very roughly around the number of atoms in the universe. ... But as he
    looked at the Ethereum blockchain, Bednarek could see evidence that some
    people had stored ether at vastly simpler, more easily guessable keys. The
    mistake was probably the result, he says, of Ethereum wallets that cut off
    keys at just a fraction of their intended length due to coding errors, or
    let inexperienced users choose their own keys, or even that included
    malicious code, corrupting the randomization process to make keys easy to
    guess for the wallet's developer.

    ------------------------------

    Date: Wed, 24 Apr 2019 09:55:29 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Japan Has a New Emperor. Now It Needs a Software Update. (NYTimes)

    It isn't exactly Y2K, but the country is scrambling to reconcile its systems
    with the ancient demands of an imperial calendar.

    Japan Has a New Emperor. Now It Needs a Software Update.

    ------------------------------

    Date: Mon, 29 Apr 2019 10:08:16 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Japan develops app that yells 'stop' to scare off molesters
    (The Straits Times)

    Japan develops app that yells 'stop' to scare off molesters

    "The Metropolitan Police Department in Tokyo has developed a free smartphone
    app that can help scare off would-be molesters as well as activate a
    security alarm. Dubbed the Digi Police, the app has been downloaded more
    than 220,000 times so far. A smartphone voice would shout `stop!' when a
    Digi Police user activates one of the app's functions to stymie molesters."

    Risks: Accidental/unintentional invocation, malicious activation to
    dilute/distract police resources. No backup if you have a sore throat and a
    flat battery.

    ------------------------------

    Date: Fri, 26 Apr 2019 12:07:00 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: NSA wants to stop drinking from the fire hose (Naked Security)

    In the beginning was the 9/11. (Well, actually, in the beginning was the
    first crypto war, back in the 90s, but ...) And the government said, let
    there be the PATRIOT Act (Providing Appropriate Tools Required to Intercept
    and Obstruct Terrorism). And there was all kinds of warrantless activity.
    And the government said, let there be warrantless collection of data about
    international (and some local) emails and phone calls. And there was bulk
    metadata collection, and metadata became a new "thing."

    And ever since, the NSA has been collecting huge amounts of data, most of
    which doesn't indicate much of anything. Remember cost/benefit analysis?
    Well, now the NSA wants to stop doing it. Or, at least, stop doing most of
    it. Because it's just not worth it.
    NSA asks to end mass phone surveillance

    Lots of things in security sound like maybe a good idea--until you try them.
    I well remember the trouble Fred Cohen got into when he started teaching his
    security students how to write viruses, as an exercise in trying to improve
    security. He doesn't do that any more. His students just didn't learn that
    much from it. It's not worth it.

    (Oh, and remember: if you're not doing anything wrong, you have nothing to
    fear from the gigantic surveillance apparatus that the government is hiding
    from you ...)

    ------------------------------

    Date: Wed, 24 Apr 2019 10:48:49 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Don't get phished (The Straits Times)

    Don't get phished: Businesses here lost around $43 million in 2017 due to e-mail impersonation scams

    Singapore's government estimates business phishing losses (via e-mail
    impersonation, business email compromise) @ ~S$ 43M in 2017; that's ~US$ 32M
    (@ 1.35 SGD/USD).

    Using a simple population ratio (SG: 5.5M; US: 330M), equivalent US business
    phishing loss estimates rise to 330M/5.5M * US$32M =~ US$ 1.9B.

    A similar computation, based on GDP (SG: US$ 0.33T; US: US$ 19.5T),
    estimates phishing losses US$ 19.5T/US$ 0.33T * US$ 32M = 59 * US$ 32M =~
    US$ 19B. See 2017 GDP estimates:
    https://countryeconomy.com/countries/[singapore,usa

    Forbes concludes US business losses @ ~US$ 500M per year.
    Phishing Scams Cost American Businesses Half A Billion Dollars A Year

    The FBI investigated ~22,000 business email compromise (BEC) scams between
    OCT2013-DEC2016. So, the population scaling method appears to be more
    realistic than the GDP scaling approach.

    Out of curiosity, I looked up the US Justice Department budget for 2017: US$
    28.7B (https://www.justice.gov/jmd/file/821916/download).

    With email scams exploding, and human frailties being what they are, it
    appears that ~10% of the Justice Department's budget (at 2017 funding
    levels) will be consumed by BEC investigations in the near future. Whew!

    ------------------------------

    Date: Thu, 25 Apr 2019 10:29:20 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Why I've learned to hate my Apple Watch" (Evan Schuman)

    The risk here is that if you brag about your marvelous UX, some mean people
    may make fun of you when you fail badly. ("Gene" rhymes with "mean" in case
    you were wondering.) This article is sadly hilarious or hilariously sad or
    something. Enjoy.

    Evan Schuman, Computerworld
    Why I've learned to hate my Apple Watch

    In a perfect world, the Apple Watch Series 4 could be great. With a few easy
    settings, a glance at the watch would deliver time, temperature, the dial-in
    details for your next appointment or many other things that would be
    helpful. But we don't live in a perfect world.

    ------------------------------

    Date: Mon, 29 Apr 2019 10:09:56 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Virtual dress-up website settles with the FTC following data breach
    (The Verge)

    ``I cannot open i-dressup. Its showing SQL ERROR...why?? I am scared''

    Virtual dress-up website settles with the FTC following data breach

    ------------------------------

    Date: Mon, 29 Apr 2019 10:16:06 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Docker Hub Breached, Impacting 190,000 Accounts (E-Week)

    Docker Hub Breached, Impacting 190,000 Accounts

    ------------------------------

    Date: Sun, 28 Apr 2019 17:09:26 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Apple Cracks Down on Apps That Fight iPhone Addiction (NYTimes)

    https://www.nytimes.com/2019/04/27/technology/apple-screen-time-trackers.html

    Over the past year, Apple has removed or restricted at least 11 of the 17
    most downloaded screen-time and parental-control apps, according to an
    analysis by *The New York Times* and Sensor Tower, an app-data firm.
    Apple has also clamped down on a number of lesser-known apps.

    In some cases, Apple forced companies to remove features that allowed
    parents to control their children's devices or that blocked children's
    access to certain apps and adult content. In other cases, it simply pulled
    the apps from its App Store.

    Some app makers with thousands of paying customers have shut down. Most
    others say their futures are in jeopardy.

    Chronic iDisorder (see http://catless.ncl.ac.uk/Risks/30/89#subj18.1)
    depends on eyeballs hooked by a content-enabled, continuous dopamine flow.

    Periodic reminders from an app to "put the device down for 15 minutes" can
    disrupt the dopamine flow. Dam the dopamine flow, and content-driven revenue
    capture is dammed along with it.

    Apple's AppStore dams disruptive apps with impunity.

    ------------------------------

    Date: Sun, 28 Apr 2019 10:17:20 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Marathon training risk over fitness trackers that 'can't be
    trusted' to measure distance (Telegraph.co.uk)

    https://www.telegraph.co.uk/news/20...arned-fitness-trackers-inaccurately-measuring

    "Our tests have found a number of models from big-name brands that can't be
    trusted when it comes to measuring distance, so before you buy, make sure
    you do your research to find a model that you can rely on."

    The article identifies GPS-unequipped fitness tracker measurement variances
    of between ~25-50% over/under a full marathon (~26.2 miles/42.2 km).

    ------------------------------

    Date: Thu, 25 Apr 2019 11:18:45 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: In Australia, hacked Lime scooters spew racism and profanity
    (WashPost)

    https://www.washingtonpost.com/tech...ia-hacked-lime-scooters-spew-racism-profanity

    "The video is straight out of a goofy, low budget horror movie: A row of
    bright-green Lime scooters, parked neatly on a sidewalk, have come to life,
    unleashing a filthy flush of human speech."

    "In a statement online, the researchers said a potential hacker -- using a
    Bluetooth-enabled app from nearly 330 feet away -- could lock a scooter,
    deploy malware that could take full control of a device or target an
    individual rider, causing their scooter to unexpectedly brake or
    accelerate."

    A "Red Asphalt" warning label, in addition to a helmet, should be
    mandatory. They are not your father's Cyclops scooter.

    ------------------------------

    Date: Sat, 27 Apr 2019 12:35:03 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: The invisibility pic ...

    OK, this seems weird, like the hapless bank robbers who smear lemon juice on
    the faces because they think CCTV won't be able to see them.

    But a new paper, examining artificial intelligence and vision systems, has
    found a way to generate images (or "patches") that prevent AI vision systems
    from "seeing" you: or, at least, identifying you as a person.
    https://arxiv.org/pdf/1904.08653.pdf

    And so, a new round of patch image generation, and patch image detection and
    avoidance, begins ...

    ------------------------------

    Date: Sun, 28 Apr 2019 21:16:32 +0200
    From: Peter Bernard Ladkin <lad...@causalis.com>
    Subject: Travis in IEEE Spectrum on Boeing 737 MAX MCAS software

    Gregory Travis published an article on the involvement of the MCAS software
    on Boeing 737 MAX aircraft in two recent crashes, on 2019-04-18 in IEEE
    Spectrum. The article is available at
    https://spectrum.ieee.org/aerospace...37-max-disaster-looks-to-a-software-developer
    (site registration is required).

    [See Jacobson and my comment on Koenig, the next two items. PGN]

    The article has recently been praised by Bruce Schneier in his Crypto-Gram
    newsletter and blog
    https://www.schneier.com/blog/archives/2019/04/excellent_analy.html and John
    Naughton in The Observer newspaper (in "What I'm reading" at
    https://www.theguardian.com/comment...iew-calculate-car-accident-risks-digital-tech).

    Travis has written a readable, but unfortunately technically misleading,
    article on the accidents to Boeing 737 MAX 8 aircraft and the involvement of
    the MCAS software in those accidents. The purpose of this note is solely to
    point out some technically misleading parts of Travis's article and correct
    them.

    Travis suggests that MCAS was devised to inhibit a tendency to stall in
    certain flight regimes. As far as I know, this is incorrect. Boeing has
    said in public that MCAS is not `anti-stall SW'. For example, Flight
    International's test pilot Mike Gerzanics operates the type for a `major
    carrier' and says in his very first sentence of an article on the
    preliminary report of the Ethiopian crash to ET-302. ``the 737 Max family's
    Maneuvering Characteristics Augmentation System (MCAS) is not a
    `stall-prevention' or `safety' feature.''
    https://www.flightglobal.com/news/a...-interim-report-raises-more-questions-457369/

    I understand the situation as follows. MCAS was devised to fulfill an
    airworthiness certification condition in 14 CFR 25.173 and 14 CFR 25.175. In
    high angle-of-attack (AoA) flight configuration, it is required that stick
    force/g (the stick force necessary to produce (hold) an incremental normal
    acceleration of 1g) and stick movement/g (ditto mutatis mutandis) must
    increase (or at least not decrease) with an increase in AoA. I understand
    that in flight test, in which `wind-up turns' were conducted (a turn with
    increasing angle of bank; an increasing angle of bank means ceteris paribus
    increasing AoA), this condition was not fulfilled. MCAS was devised to
    ensure its fulfillment.

    The reason this characteristic is different in this flight regime from
    previous 737 models apparently concerns the engine nacelles, which produce
    lift at high AoA, and apparently the lift they produce as AoA increases
    means that the stick force/g decreases.

    Travis suggests that the geometry of the engines means there is a greater
    tendency for the 737 MAX to pitch up on power application than on previous
    versions of the 737. I haven't seen a good argument that this is the
    case. Indeed, there is reason to think it might well be lower than on
    previous 737 models. The `pitch up' is related to the torque generated
    about the centre of lift (on the underside of the wing) by the engines. The
    centerline of the engines is, I think, closer to the underside of the wing
    than it was in previous models (I don't have a figure), so the `lever arm'
    (technical term) from the centre of thrust to the centre of lift (on the
    wing) may well be reduced. Engines of the previous generation of 737 were
    the CFM 56-7 series, which had 89-120kN of thrust, depending on the precise
    model. The CFM LEAP-1B engines on the MAX have 130kN of thrust
    https://en.wikipedia.org/wiki/Boeing_737 . 120kN to 130kN is not a big
    increase - the shorter lever arm may well make the pitch-up torque less
    than it was on previous models with 120kN-thrust engines during power
    increase (Travis: `propensity to pitch up with power application'). Travis
    connects this `propensity' with a `tendency to stall'; this `tendency'
    might in fact be reduced on the 737 MAX.

    Travis says the `nacelles cause the 737 Max at a high angle of attack to
    go to a higher angle of attack'. As far as I know, this is not the case. He
    is correct to call such a phenomenon `dynamic instability' but the 737 MAX,
    like all other passenger transports, is not dynamically unstable. It is
    dynamically stable.

    Travis suggests that MCAS is `a cheap way to prevent a stall when the pilots
    punch it'. This is manifestly not the intended purpose of MCAS.

    Travis also suggests that in modern transport aircraft there often are ``no
    actual mechanical connections'' between control-command systems available to
    the pilots and the control surfaces. In the 737, all such connections are
    mechanical -- cables and hydraulics -- with the exception of the
    spoilers. http://www.b737.org.uk/max-spoilers.htm This argument is here a
    red herring.

    Travis suggests AoA sensors are unreliable: `..particular angle of attack
    sensor goes haywire -- which happens all the time'. It does not happen `all
    the time', or even very often. Peter Lemme writes ``Reliability of the AoA
    sensor was evaluated over a 4-6 year period, with a mean time between
    unscheduled removals was 93,000 hours. A typical airframe is modeled at
    about 100,000 hours, so the AoA vane typically last nearly the lifetime of
    the airplane.''
    https://www.satcom.guru/2019/03/aoa-vane-must-have-failed-boeing-fix.html

    Travis writes that there are ``...several other instruments that can be used
    to determine things like angle of attack. such as the pitot tubes, the
    artificial horizons, etc.'' I don't see how pitot tubes can be used to sense
    AoA. Pitot tubes measure dynamic air pressure, which, along with static
    ports to measure static air pressure, are used to determine airspeed
    (usually so-called `indicated airspeed', IAS). When the pitot is not
    directly in line with the flow of air around the aircraft, say when the
    aircraft is at a high AoA, then errors can be induced into IAS; AoA acts
    rather as a corrective input to pitot/static sensing, rather than the other
    way around. Artificial horizons are display instruments, not sensors; I see
    no way they can be used to sense AoA.

    One astonishing misleading statement from Travis reads as follows: ``In a
    pinch, a human pilot could just look out the window to confirm, visually and
    directly, that, no, the aircraft is not pitched up dangerously. That is the
    ultimate check.'' No, it is not the `ultimate check'. Travis seems to be
    confusing AoA with pitch angle/attitude. This is something which pilots from
    the beginning of their training are expressly taught not to do.

    The reason for this early emphasis on not confusing pitch angle with AoA is
    as follows. There are still too many general aviation accidents in the
    landing pattern, often when pilots are turning on to their final approach,
    lined up with the runway, from `base leg', which is at right angles to
    final. Pilots can misjudge the turn and `overshoot', that is, reach their
    line up to the left of the runway centreline (when flying base from the
    right of the runway), resp. right of the centreline (when flying base from
    the left). Pilots seeing they might overshoot are tempted to turn more
    steeply, which increases AoA and can lead to a stall. Recovering from a
    stall, especially an unanticipated stall, often takes more altitude than the
    airplane has when turning base-to-final; and the airplane augurs in. It
    still happens.

    Travis writes ``It is astounding that no one who wrote the MCAS software for
    the 737 Max seems even to have raised the possibility of using multiple
    inputs.'' Quite why he thinks this is any responsibility of the software
    engineers is unclear. It is not. It is the responsibility of the control
    engineers who designed the system and the safety engineers who performed the
    safety analysis.

    The safety engineers will have performed a Failure Mode and Effects
    Analysis, FMEA, which consists in listing all the possible failures you can
    think of, and determining their effects on the flight situation. They will
    then have classified those effects according to their severity as none,
    minor, major, hazardous and catastrophic (these all have explicit
    definitions). According to unverified information I received from a
    usually-reliable source, the effect was classified as `major' in level flight and
    `hazardous' in turns.

    We now know after two accidents in level flight that this classification, if
    so, is inappropriate. A further issue, to which I do not know the answer, is
    whether the analysis was performed on the STS system as a whole, or MCAS
    separately. The manufacturer and regulator classify MCAS as a function of
    the STS: ``Pitch stability augmentation is provided by the MCAS function of
    STS'', FAA Flight Standardisation Board Report Draft 17.
    https://www.faa.gov/aircraft/draft_docs/media/afx/FSBR_B737_Rev17_draft.pdf

    This is all specialist analysis which is generally not performed by software
    engineers (although the best software engineers are aware of how to perform
    such analyses). Nothing follows from this that software engineering was
    somehow responsible for the outcome.

    In this context, Travis repeats his assertion that the Boeing 737 MAX is
    `dynamically unstable'. It is not. I don't think any dynamically unstable
    aircraft could be certified according to 14 CFR 25.

    As an aside, Travis suggests that "the Lycoming O-360 engine in my Cessna
has pistons the size of dinner plates". The cylinder bore for O-360 engines
    (I flew one for 12 years) is 13cm. My dinner plates (small) have a diameter
    of 21cm. My espresso saucers are 12.5 cm. I commend Travis's nourishment
    discipline at dinner, but suggest it does not easily generalise.

    ------------------------------

    Date: Fri, 26 Apr 2019 05:55:30 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Re: How the Boeing 737 Max Disaster Looks to a Software Developer
    (IEEE Spectrum)

    MS> https://spectrum.ieee.org/
    Hmmm, requires a (free) account. Maybe I can find another version...
    Wait, what's this,
    https://nicolas-hoizey.com/2019/04/...x-disaster-looks-to-a-software-developer.html

    Experienced plane pilot and software developer Gregory Travis explains in
    details what led to Boeing 737 Max recent disasters in this long article:
    How the Boeing 737 Max Disaster Looks to a Software Developer.

    Why do I even care?

    My family and I were in one of these Ethiopian Airlines' Boeing 737 Max
    just two weeks before the crash of flight 302, on the same flight from
    Addis Ababa to Nairobi!

    The one that crashed was registered ET-AVJ. The one we took was registered
    ET-AVI. Very close. I guess both have had the very same hardware and
    software.

    It gives me chills every time I think about it...

    ------------------------------

    Date: Wed, 24 Apr 2019 23:52:49 +0200
    From: Thomas Koenig <tko...@netcologne.de>
    Subject: Re: How the Boeing 737 Max Disaster Looks to a Software Developer
    (IEEE Spectrum)

    The article in question consisted of a single URL. Following the URL,
    one is asked to register an account.

    The RISK? Paying for content with your data is a bad habit, for reasons
    that most people on this list, including its moderator, should know
    fully well. Please do not contribute to this by posting such
    articles.

    [In most cases you can find a mirrored free copy. Having the
    title is often sufficient. PGN]

    ------------------------------

    Date: Thu, 25 Apr 2019 13:51:58 +0100
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Is curing patients, a sustainable business model? (Drewe,
    R-31.17)

    Coincidentally the following news story appeared on the BBC today:
    https://www.bbc.co.uk/news/education-48037122

    Personally, I think that death by starvation is an excessive punishment for
    missing an appointment and getting your benefits sanctioned. So I would
    consider "not allowing people to starve to death" to be a good argument that
    food should be issued to the populace free of charge.

    ------------------------------

    Date: Sat, 27 Apr 2019 14:03:13 +0100
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Is curing patients, a sustainable business model? (RISKS-31.20)

For those who still think that competition improves healthcare, consider the
    drug naloxone hydrochloride. This is sold by five big pharmaceutical
    companies and demand is soaring, but far from driving the price down, the
    cost has soared: from $0.92 a dose ten years ago up to $15.00 a dose. Why is
    this? Google "Opioid Crisis" for the answer.

    Drug companies in the US spend tens of billions a year advertising drugs:
    how does this help anyone's health? The USA has some of the highest levels
    of anxiety and depression in the world: not surprising when you consider
    that the purpose of advertising is to make people more anxious and unhappy.
    Naturally, the drug companies are ready with a handful of pills to relieve
    the anxiety: followed by another handful to alleviate the side-effects from
    the first lot! A happy, contented population would be terrible for the drug
companies' bottom line: so must be averted at all costs.

    Attempts to introduce competition into the NHS have been a disaster and,
    rightly, resisted by the public.

    How do you choose the people who are passionate about caring for others?
    Fortunately, they are largely self-selecting: you set up an organisation
    whose explicit purpose and top priority is caring for others. Pay enough
    for a comfortable living, but not so much that you attract those who are
    "just in it for the money". Beyond that, it is a case of trying to create a
    society as a whole in which caring for others is viewed as a noble passion,
    and not despised and excoriated as "Socialism".

    ------------------------------

    Date: Sat, 27 Apr 2019 10:31:07 +0100
    From: antonomasia <a...@notatla.org.uk>
Subject: Re: Should AI be used to catch shoplifters? (cnn.com, R 31 20)

    Instead of mocking such efforts you could recognise that prior to
    the crime of leaving the shop with goods not paid for there could
    have been preparation (perhaps conspiracy but not actual theft).

    example video: https://www.youtube.com/watch?v=OGcYFG7WzaY

    ------------------------------

    Date: Wed, 24 Apr 2019 00:01:42 -0400
    From: Dan Pritts <da...@dogcheese.net>
    Subject: Re: How *not* to kill a news cycle ... (Slade, RISKS-31.20)

    > you might think it clever to release it in a difficult format, like an
    > unsearchable PDF.

    It's possible this was the motivation. It's also possible that they wanted
    to be REALLY sure that they didn't fall prey to the well-known RISK of PDFs
    that aren't really redacted. RISKS-22.97 has an account of the DOJ
    themselves falling prey to this issue.

    ------------------------------

    Date: Fri, 26 Apr 2019 06:47:04 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Re: Battle for .amazon Domain Pits Retailer Against South American
    Nations (E-Week)

    >>>>> "MS" == Monty Solomon <mo...@roscom.com> writes:
    MS> https://www.eweek.com/security/oracle-patches-3-year-old-java-deserialization-flaw-in-april-update

    You mean
    https://www.nytimes.com/2019/04/18/world/americas/amazon-domain-name.html

    ------------------------------

    Date: Fri, 26 Apr 2019 09:45:41 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Re: A video showed a parked Tesla Model S exploding in Shanghai
    (RISKS-31.20)

    http://catless.ncl.ac.uk/Risks/31/20#subj5

    Resubmitting original post. Visible text omitted comparison between Li-Air
    Battery and TNT energy density.

    The energy density of a Lithium storage battery, per
    https://en.wikipedia.org/wiki/Lithium_air_battery
    In the same table, TNT
(https://en.wikipedia.org/wiki/Trinitrotoluene)
is 4.1 MJ/kg.

    More than 2X!

    ------------------------------

    Date: Thu, 25 Apr 2019 13:53:09 +0100
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Huawei's code is a steaming pile... (Shapir, RISKS-31.17)

    Juggling chainsaws is perfectly safe if you are a highly skilled juggler
    and you know exactly what you are doing and can control the surrounding
    environment.

    But wouldn't it be better if you could use a programming language
    which did *not* force you to juggle chainsaws?

    ------------------------------

    Date: Fri, 26 Apr 2019 11:39:37 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Huawei's code is a steaming pile... (Ward, RISKS-31.21)

C does not force anyone to use strcpy() etc.; it had always also provided
similar length-limiting functions, strncpy() etc.

    Besides, C is a language which lets the programmer control every bit of the
    machine, while also demanding that the programmer knows exactly what s/he's
    doing (and providing a lot of opportunity for shooting oneself in the foot).

So strcpy() is provided for instances where a programmer is sure that any
possible string given as a source would never overflow the one given as
destination. Keep in mind that C was invented at a time when saving 2-3
assembly instructions on every iteration of the copy loop was considered a
significant improvement!
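As an added example (not part of Shapir's post or of the RISKS thread), the following C shows the point he makes and the caveat a defender needs alongside it: strncpy() bounds the copy, but when the source is at least as long as the destination it writes no terminator at all, so a hardened copy must terminate explicitly and report truncation. The function names and sample strings are this example's own.

```c
/* Added example, not from the RISKS thread. Demonstrates (a) the strncpy()
 * pitfall that strncpy() does not NUL-terminate when strlen(src) >= dst_size,
 * and (b) a bounded copy that always terminates and reports truncation.
 * bounded_copy() and strncpy_terminates() are names chosen for this example. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Copy src into dst (dst_size bytes). Returns 0 if src fit entirely, -1 if
 * it was truncated or dst_size is 0. On return with dst_size >= 1, dst is
 * always a valid NUL-terminated string, truncated if necessary. */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0)
        return -1;                      /* no room even for the terminator */

    size_t n = strlen(src);
    if (n < dst_size) {
        memcpy(dst, src, n + 1);        /* fits, including the NUL */
        return 0;
    }
    memcpy(dst, src, dst_size - 1);     /* keep what fits ... */
    dst[dst_size - 1] = '\0';           /* ... and terminate explicitly */
    return -1;                          /* caller learns it was truncated */
}

/* Shows the strncpy() behaviour directly: fill a scratch buffer with a
 * sentinel, strncpy() dst_size bytes into it, and report whether any NUL
 * landed within those dst_size bytes. Returns false when strncpy() left the
 * result unterminated, i.e. when strlen(src) >= dst_size. */
bool strncpy_terminates(size_t dst_size, const char *src)
{
    char buf[64];
    if (dst_size == 0 || dst_size > sizeof buf)
        return false;
    memset(buf, 'X', sizeof buf);       /* sentinel: no stray NULs present */
    strncpy(buf, src, dst_size);
    return memchr(buf, '\0', dst_size) != NULL;
}

int main(void)
{
    char out[8];
    const char *short_src = "risks";            /* constructed: fits in 8 */
    const char *long_src = "comp.risks digest"; /* constructed: 17 chars, too long */

    printf("bounded_copy short: rc=%d out=\"%s\"\n",
           bounded_copy(out, sizeof out, short_src), out);
    printf("bounded_copy long:  rc=%d out=\"%s\"\n",
           bounded_copy(out, sizeof out, long_src), out);
    printf("strncpy terminates (5 chars into 8 bytes):  %s\n",
           strncpy_terminates(8, short_src) ? "yes" : "no");
    printf("strncpy terminates (17 chars into 8 bytes): %s\n",
           strncpy_terminates(8, long_src) ? "yes" : "no");
    return 0;
}
```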

    ------------------------------

    Date: Fri, 26 Apr 2019 19:59:36 +0100
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: EU Tells Internet Archive That Much Of Its Site Is 'Terrorist
    Content' (TechDirt)

    There is a simple fix to this particular problem: the "competent authority"
    has to be a named person who signs an affidavit under penalty of perjury
    that they have personally reviewed the request and that every web page that
    they demand to be taken down does indeed contain "terrorist" content. So
    if, as in this case, they demand the takedown of the entire Project
    Gutenberg archive, it would be sufficient to find a single file in the
archive that is not "terrorist content" (perhaps ebook number 3651, which is
the one listing the square root of four to one million decimal places), and the
    "competent authority" will be on their way to jail.

    ------------------------------

    Date: Fri, 26 Apr 2019 15:39:39 +0100
    From: Wols Lists <antl...@youngman.org.uk>
    Subject: Re: An Interesting Juxtaposition (Wirchenko, RISKS-31.20)

    I use an expensive (allegedly) truck GPS at work. It allegedly knows my
    vehicle is 6'10" wide. So why does it seem to prefer width restrictions
    (typically 6'6") and country lanes?

    My guess is that while Google has a lot of live data and prefers roads it
    knows are flowing, the expensive sat-navs rely on national speed limits. So
    rather than picking a road where the traffic is flowing at 50mph, it would
    rather pick a country lane where there is no speed limit. The assumption is
    that the National Speed Limit is 60mph (it isn't, it's 50mph for a light van
    on a single-carriageway road), and that I can actually *do* that speed - I
    daren't, many of these roads are not merely single-carriageway but single
    track, sunken, with blind bends, and anything much over 20mph is foolhardy.

I think Gene should be blaming the expensive GPSs, not the cheap ones!
    Many of my colleagues use Google Maps or Waze because they're so much
    better.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.21
    ************************
     
  13. LakeGator

    Risks Digest 31.22

    RISKS List Owner

    May 4, 2019 6:37 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Saturday 4 May 2019 Volume 31 : Issue 22

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    World's Top Internet User Taps Fake News Busters for Elections
    (Bloomberg)
    Wells Fargo and Post Office Horizon (Lindsay Marshall)
    Database Exposes Medical Info, PII Data of 137k People in U.S.
    (Bleeping Computer)
    Ladders Data Leak: Over 13M User Records Exposed Due To Cloud
    Misconfiguration (IBTimes)
    How angry pilots got the Navy to stop dismissing UFO sightings; UFO
    information not expected to go to general public, Navy says (Wash Post)
    This $1,650 pill will tell your doctors whether you've taken it.
    Is it the future of medicine? (WashPost)
    "Telecom giants battle bill which bans Internet service throttling for
    firefighters in emergencies" (ZDNet)
    UK Police Have a Message for Crime Victims- Hand Over Your Private Data
    (NYTimes)
    NSA Reports 75% Increase in Unmasking U.S. Identities... (WSJ)
    New Documents Reveal DHS Asserting Broad, Unconstitutional Authority to
    Search Travelers' Phones and Laptops (EFF)
    Zero-day attackers deliver a double dose of ransomware -- no clicking
    required? (Ars Technica)
    Electronic Health Records and Doctor Burnout (Scientific American)
    Hertz, Accenture, and the blame game (Browser London)
    Monster screwup on dividends (Korea Herald)
    NSA-inspired vulnerability found in Huawei laptops (Bruce Schneier)
    Vodafone found hidden backdoors in Huawei equipment (Bloomberg)
    Vodafone denies Huawei Italy security risk (BBC)
    Re: Huawei's code is a steaming pile... (Keith Thompson, Dmitri Maziuk,
    phil colbourn)
    Re: Should AI be used to catch shoplifters? (Richard Stein)
    Re: A video showed a parked Tesla Model S exploding in Shanghai
    (Roger Bell-West)
    Re: A 'Blockchain Bandit' Is Guessing Private Keys and Scoring Millions
    (Dan Jacobson)
    Re: An Interesting Juxtaposition (Gene Wirchenko)
    Re: Gregory Travis' article on the 737 MAX (Gregory Travis)
    Digital health ... (Rob Slade)
    Re: Is curing patients, a sustainable business model? (Toby Douglass)
    "Bernie Sanders wants you to expose your friends, Facebook-style" (ZDNet)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 4 May 2019 10:00:56 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: World's Top Internet User Taps Fake News Busters for Elections
    (Bloomberg)

* Philippines' elections body cracks down on misleading posts
* Media, academe team up to fact check election-related news
    EXCERPT:

    In the Philippines -- where 76 million Internet users stay online the
    longest in the world -- just a handful of people spend a few hours each day
    to fight fake news about the upcoming midterm elections.

    The Commission on Elections has formed a team of 10 government workers to
    spot and report misleading online posts to Facebook Inc., with whom the
    poll body has an agreement to quickly take down false information. Weeks
    before the May 13 elections, the group has already identified hundreds of
    fake news posts -- mostly those claiming ballots have been tampered with,
    or that the poll results are predetermined.

    ``What we're trying to do is to institutionalize this reporting process in a
    way that Facebook will not have any other recourse but to act on it,''
    Election Commission spokesman James Jimenez said in an interview. ``Fake
    news could affect how people see the credibility of the elections and the
    mandate of the winner.''

    Read more: What Happens When the Government Uses Facebook as a Weapon?

    With more voters using social media now, the election body expects fake news
    to spread faster this time compared to the 2016 vote, when President Rodrigo
    Duterte won. Still, Jimenez said the team formed to fight fake news is not
    enough to adequately combat disinformation...


    ------------------------------

    Date: Fri, 3 May 2019 14:13:55 +0000
    From: Lindsay Marshall <Lindsay...@newcastle.ac.uk>
    Subject: Wells Fargo and Post Office Horizon

    I was recently asked by the BBC to comment on two `computer glitches', and,
    naturally, I turned to RISKS to get more information. I found to my surprise
    that neither seemed to have been mentioned. Here are links for the cases:

    Horizon (IT system) - Wikipedia

    'I begged them for help' -- Wells Fargo foreclosure nightmare - CNN

Note that neither of these seem to be even remotely `glitches'.

    ------------------------------

    Date: Fri, 3 May 2019 21:25:56 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Database Exposes Medical Info, PII Data of 137k People in U.S.
    (Bleeping Computer)

    Database Exposes Medical Info, PII Data of 137k People in U.S.

    ------------------------------

    Date: Fri, 3 May 2019 21:27:20 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Ladders Data Leak: Over 13M User Records Exposed Due To Cloud
    Misconfiguration (IBTimes)

    Ladders Data Leak: Over 13M User Records Exposed Due To Cloud Misconfiguration

    ------------------------------

    Date: Thu, 2 May 2019 15:18:03 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: How angry pilots got the Navy to stop dismissing UFO sightings;
    UFO information not expected to go to general public, Navy says (Wash Post)

    http://www.washingtonpost.com/natio...ilots-got-navy-stop-dismissing-ufo-sightings/
    [AND]
    https://www.washingtonpost.com/worl...ef6426-6b82-11e9-9d56-1c0cf2c7ac04_story.html

    UFO information not expected to go to general public, Navy says

    ------------------------------

    Date: Wed, 1 May 2019 14:26:17 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: This $1,650 pill will tell your doctors whether you've taken it.
    Is it the future of medicine? (WashPost)

    When the Food and Drug Administration approved in late 2017 a schizophrenia
    pill that sends a signal to a patient's doctor when ingested, it was
    seen not only as a major step forward for the disease but as a new frontier
    of Internet-connected medicine.

    Patients who have schizophrenia often stop taking their medicine, triggering
    psychotic episodes that can have severe consequences. So the pill, a
    16-year-old medication combined with a tiny microchip, would help doctors
    intervene before a patient went dangerously off course.

    Seventeen months later, few patients use the medication, known as Abilify
    MyCite. Doctors and insurance companies say it is a case in which real-world
    limitations, as well as costs, outweigh the innovations that the medical
    industry can produce.

    In the case of schizophrenia patients, some doctors warn that Abilify
    MyCite could exacerbate the very delusions that the medication is designed
    to prevent.

    ``Patients who have a lot of paranoia might be uncomfortable with the idea
    of a medicine that is transmitting signals. The patient may be afraid to
    take it,'' said Richmond psychiatrist James Levenson. ``The science of this
    one is kind of ahead of the data.''

    The debate over Abilify MyCite underscores a dilemma American health care
    will increasingly face as the medical industry and Silicon Valley try to
    promote innovation. For decades, medicine has been effectively delivered
    through a few simple mechanisms: a pill, a cream, a nose spray, a needle.

    But in the hopes of improving outcomes further, the industry is turning to
    an array of new technologies against one of the biggest, and most human,
    challenges in treating disease: getting people to take their medicine in a
    consistent way.

    Companies are producing apps for substance abuse treatment, diabetes
    management, and heart and blood pressure monitoring at a rapid clip.
    Studies are underway for more digital pills to treat cancer, cardiovascular
    conditions and infectious disease.

    And while many of these may pass regulatory hurdles that show they're safe
    -- especially at a time when the Trump administration has been leaning into
    medical innovation and pushing back against excessive regulation -- doctors
    and insurers are not convinced that the technologies will so easily make
    the difference that the pharmaceutical industry is betting billions on.

    ``I think that these technologies have a lot of potential benefits, but it's
    going to be a question of evidence -- that they can demonstrate value to
    patients and payers,'' said Scott Gottlieb, who stepped down this month as
    FDA commissioner, a job in which he made approval of leading technology a
    hallmark.

    The first digital therapy to win FDA market clearance, Abilify MyCite's
    sensor-embedded pill remains off the market because of physician and
    insurance industry reservations.

    Now Maryland-based Otsuka Pharmaceutical, which makes the medication, may be
    able to jump-start its acceptance by offering it to mentally ill people who
    qualify for low-income government health insurance. Otsuka won approval from
    Virginia Medicaid authorities last month to begin coverage. The company also
    is starting a pilot program in Florida and is considering another in
    Oklahoma.

    Otsuka considers itself a pioneer. Abilify is an older brand-name drug
    marketed by the company to treat schizophrenia and other serious mental
    illnesses. Abilify MyCite adds the electronic tracking component and, at
    $1,650 a month, costs almost 30 times as much as a 30-day supply of generic
    Abilify at a Costco pharmacy.

    Otsuka developed the treatment with Proteus Digital Health, a Silicon
    Valley company that markets the digital component. Proteus is pioneering
    its use in other therapies including cancer patients taking chemotherapy
    drugs.

    After the daily antipsychotic pill is swallowed, a digital sensor the size
    of a grain of sand (and made of copper, magnesium and silicon, which Proteus
    says are all found in food) transmits a signal when it comes into contact
    with stomach acid. The signal is captured by a patch worn on the patient's
    torso. The patch sends a signal to an app on the patient's smartphone. The
    app uploads data to a secure website for viewing by doctors. Otsuka has won
    special federal approval to provide smartphones ``with highly limited
    functionality'' to people who can't afford them.

    The goal is to solve a vexing problem: Schizophrenia patients often stop
    taking their medicine, triggering psychotic episodes that can have severe
    consequences. Abilify MyCite is supposed to help doctors keep track of
    which patients are staying on their medication. The app also allows
    patients to enter information about their mood.

    The approval led to debate among psychiatrists about the ethics of invasive
    monitoring for patients whose mental competency at times may be borderline.
    They raised questions about patients' autonomy, data privacy and ability to
    navigate the technical challenges of the system.

    But proponents say the medical need is so great that Abilify MyCite
    deserves a close look.

    Virginia state Sen. R. Creigh Deeds (D-Bath), who chairs a special mental
    health committee in the legislature, said he had not heard of the therapy
    until contacted by The Washington Post. But he said in an interview that he
    was intrigued by a technology that could help people like his mentally ill
    son, Austin `Gus' Deeds, 24, who slashed Deeds on the face in 2013 before
    taking his own life. Deeds said his son had stopped taking medication nearly
a year beforehand. ``There is a need for people who are caregivers to make
sure the person's taking the medicine. The other side of it is the civil
liberty issue for the person who is sick.''

    Gus Deeds thought his medications ``made him less of who he was. It dumbed
    down his personality,'' Deeds said. But, he added, ``a person does not have
    the right to destroy their life, or the life of others.''

    He said he did not have an opinion on whether Virginia Medicaid should add
    Abilify MyCite to its list of approved prescription drugs.

    Otsuka emphasizes that no patient will be asked to use Abilify MyCite
    without showing a clear desire to do so. Schizophrenia patients who have
    paranoid feelings about ingesting a digital pill are unlikely candidates for
    the drug, the company said.

    ``It's unlike a pharmaceutical launch where you proactively blitz all the
    states. We're not doing that,'' said John Bardi, Otsuka's vice president
    for public affairs and digital business development. ``It's really about
    patients who want to improve their treatment goals. If they have any
    concerns, it's probably not the right solution for them.'' ...

    https://www.washingtonpost.com/busi...3281b2-4c10-11e9-b79a-961983b7e0cd_story.html

    ------------------------------

    Date: Wed, 01 May 2019 10:15:03 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Telecom giants battle bill which bans Internet service throttling
    for firefighters in emergencies" (ZDnet)

    [What a PR blunder by the telecom industry!]

    Charlie Osborne for Between the Lines | 26 Apr 2019
    The industry faced backlash following last year's wildfires and
    firefighter service throttling.
    https://www.zdnet.com/article/telec...rvice-demand-for-firefighters-in-emergencies/

    selected text:

    Internet service providers (ISPs) and telecom firms are fighting a bill
    which would force them to provide unfettered broadband services and prevent
    them from throttling data use in emergency situations.

The proposed legislation is due to be voted upon by California's
Communications and Conveyance Committee next week.

    As reported by StateScoop, the bill -- introduced in February -- aims to
    prevent a repeat of what happened in summer 2018 during the Mendocino
    Complex Fire, one of the largest wildfires recorded in California's history.

    As firefighters from the Santa Clara County Central Fire Protection District
    fought to contain the fires, they found their Internet service drastically
    reduced, having been throttled in what Verizon Wireless later called a
    "customer support mistake."

    Such connectivity can be crucial in emergency situations to coordinate
    rescue and firefighting efforts. The fire department had an "unlimited" plan
    with Verizon, but Ars Technica reports this service was throttled to speeds
    of either 200kbps or 600kbps once 25GB -- the monthly cap -- was surpassed.

    Verizon said at the time that the company has an internal policy to remove
    "data speed restrictions when contacted in emergency situations," but this
    did not happen during the wildfires.

    To lift the throttling, instead, Verizon told the department to upgrade to a
    more expensive plan.

    ------------------------------

    Date: Wed, 1 May 2019 14:31:01 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: UK Police Have a Message for Crime Victims- Hand Over Your
    Private Data (NYTimes)

    The British police delivered a striking warning to crime victims on Monday:
    If you want the case to be pursued, be prepared to turn over personal data
    from your mobile phone, laptop, tablet or smart watches.

    ``Police have a duty to pursue all reasonable lines of enquiry,'' Assistant
    Commissioner Nick Ephgrave, the National Police Chiefs' Council lead for
    criminal justice, said in a statement. ``Those now frequently extend into
    the devices of victims and witnesses as well as suspects -- particularly in
    cases where suspects and victims know each other.''

    But the new policy raised concerns about potential invasions of privacy and
    the risk of discouraging people from reporting crimes, particularly
    offenses like sexual assault that are already underreported because victims
    fear being treated like the guilty ones.

    In many cases, the police already search digital trails, which can produce
    evidence that either backs up an accusation or casts doubt on it. Privacy
    advocates say that police departments often improperly download cellphone
    data from people they detain, without their knowledge or consent.

    Under the new approach, victims and witnesses will routinely be asked to
    sign a form saying that they consent to the police extracting data from
    their electronic devices, which can mean text messages, emails, contacts,
    social media records, Internet browsing history and more. Otherwise, the
    case might not proceed...

    https://www.nytimes.com/2019/04/29/world/europe/rape-victim-data-privacy-uk.html

    ------------------------------

    Date: Wed, 1 May 2019 14:29:09 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: NSA Reports 75% Increase in Unmasking U.S. Identities... (WSJ)

The National Security Agency, responsible for electronic eavesdropping,
disclosed the identities of people or entities that are normally redacted
in intelligence reports.
    EXCERPT:

    The National Security Agency revealed to federal agencies the identities of
    almost 17,000 U.S. residents or corporations whose information was
    collected under a foreign surveillance law in 2018, registering about a 75%
    increase in unmaskings over the previous year, according to an annual
    transparency report released Tuesday.

    The NSA, responsible for electronic eavesdropping, disclosed the identities
    of people or entities that are normally redacted in intelligence reports --
    in response to specific requests from other government agencies to reveal
    the identities, a process known as unmasking.

    In 2018, NSA said it unmasked 16,721 U.S. identities caught up in
    intelligence intercepts produced by a foreign intelligence law, the report
    said. It unmasked 9,529 in 2017 and 9,217 in a 12-month period across 2015
    and 2016.

    The surge in the number of unmaskings last year was fueled in part by an
    effort to determine the identities of victims of cyberattacks from foreign
    intelligence agencies, according to Alex Joel, head of civil liberties and
    transparency at the Office of the Director of National Intelligence which
    released Tuesday's report.

    Mr. Joel, in a call with reporters, said there were a number of varied
    factors -- including world events and evolving threats -- that could result in
    statistical fluctuations in a given year for a certain type of surveillance.

    Unmasking is a term used when the identity of a U.S. citizen, lawful
    resident, or corporate entity is revealed in classified intelligence
    reports. Unmasking is designed to be only used for national-security
    reasons, such as helping officials assess intelligence by providing the
    identity of someone two foreign spies may be discussing on a call. But the
    process is governed by strict rules across the U.S. intelligence apparatus
    that make it illegal to use unmaskings for political purposes or to leak
    classified information...

    [...]
    https://www.wsj.com/articles/nsa-re...-foreign-surveillance-law-in-2018-11556641509

    https://www.washingtonpost.com/worl...19/04/30/35739e80-6b50-11e9-9d56-1c0cf2c7ac04 story.html

    ------------------------------

    Date: Wed, 1 May 2019 14:32:01 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: New Documents Reveal DHS Asserting Broad, Unconstitutional
    Authority to Search Travelers' Phones and Laptops (EFF)

    *EFF, ACLU Move for Summary Judgment to Block Warrantless Searches of
    Electronic Devices at Airports, U.S. Ports of Entry*

    BOSTON--The Electronic Frontier Foundation (EFF) and the ACLU today asked a
    federal court to rule without trial that the Department of Homeland Security
    violates the First and Fourth Amendments by searching travelers' smartphones
    and laptops at airports and other U.S. ports of entry without a warrant.

    The request for summary judgment
    https://www.eff.org/document/alasaad-motion-summary-judgment comes
    after the groups obtained documents and deposition testimony revealing that
    U.S. Customs and Border Protection and U.S. Immigration and Customs
    Enforcement authorize border officials to search travelers' phones and
    laptops for general law enforcement purposes, and consider requests from
    other government agencies when deciding whether to conduct such warrantless
    searches.

    EFF Senior Staff Attorney Adam Schwartz: ``The evidence we have presented
    the court shows that the scope of ICE and CBP border searches is
    unconstitutionally broad. ICE and CBP policies and practices allow
    unfettered, warrantless searches of travelers' digital devices, and empower
    officers to dodge the Fourth Amendment when rifling through highly personal
    information contained on laptops and phones.''

    The previously undisclosed government information was obtained as part of a
    lawsuit, Alasaad v. McAleenan
    https://www.eff.org/cases/alasaad-v-duke
    EFF, ACLU, and ACLU of Massachusetts filed in September 2017 on behalf of
    11 travelers -- 10 U.S. citizens and one lawful permanent resident -- whose
    smartphones and laptops were searched without warrants at U.S. ports of
    entry.

    Esha Bhandari, staff attorney with the ACLU's Speech, Privacy, and
    Technology Project: ``This new evidence reveals that government agencies are
    using the pretext of the border to make an end run around the First and
    Fourth Amendments. The border is not a lawless place, ICE and CBP are not
    exempt from the Constitution, and the information on our electronic devices
    is not devoid of Fourth Amendment protections. We're asking the court to
    stop these unlawful searches and require the government to get a warrant.''

    The government documents and testimony, portions of which were publicly
    filed in court today, reveal CBP and ICE are asserting broad and
    unconstitutional authority to search and seize travelers' devices. The
    evidence includes ICE and CBP policies and practices that authorize border
    officers to conduct warrantless and suspicionless device searches for
    purposes beyond the enforcement of immigration and customs laws. Officials
    can search devices for general law enforcement purposes, such as enforcing
    bankruptcy, environmental, and consumer protection laws, and for
    intelligence gathering or to advance pre-existing investigations. Officers
    also consider requests from other government agencies to search devices. In
    addition, the agencies assert the authority to search electronic devices
    when the subject of interest is someone other than the traveler -- such as
    when the traveler is a journalist or scholar with foreign sources who are of
    interest to the U.S. government, or even when the traveler is the business
    partner of someone under investigation. Both agencies further allow officers
    to retain information from travelers' electronic devices and share it with
    other government entities, including state, local, and foreign law
    enforcement agencies.

    The plaintiffs are asking the court to rule that the government must have a
    warrant based on probable cause before conducting searches of electronic
    devices, which contain highly detailed personal information about people's
    lives. The plaintiffs, which include a limousine driver, a military veteran,
    journalists, students, an artist, a NASA engineer, and a business owner, are
    also requesting the court to hold that the government must have probable
    cause to confiscate a traveler's device.

    The district court previously rejected the government's motion to dismiss the lawsuit.

    https://www.eff.org/deeplinks/2018/05/victory-alasaad-our-digital-privacy-border

    The number of electronic device searches at the border has increased
    dramatically in the last few years. Last year, CBP conducted more than
    33,000 border device searches, almost four times the number from just three
    years prior. CBP and ICE policies allow border officers to manually search
    anyone's smartphone with no suspicion at all, and to conduct a forensic
    search with reasonable suspicion of wrongdoing. CBP also allows
    suspicionless device searches for a `national security concern'.
    [PGN-pruned for RISKS ...]

    <https://www.cbp.gov/newsroom/nation...eases-statistics-electronic-device-searches-0>

    For more information about this case:
    https://www.eff.org/cases/alasaad-v-duke
    https://www.eff.org/press/releases/...d-unconstitutional-authority-search-travelers

    ------------------------------

    Date: Thu, 2 May 2019 15:16:07 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Zero-day attackers deliver a double dose of ransomware -- no
    clicking required? (Ars Technica)

    *High-severity hole in Oracle WebLogic under active exploit for 9 days.
    Patch now.*

    EXCERPT:

    Attackers have been actively exploiting a critical zero-day vulnerability
    in the widely used Oracle WebLogic server to install ransomware, with no
    clicking or other interaction necessary on the part of end users,
    researchers from Cisco Talos said on Tuesday.

    The vulnerability and working exploit code first became public two weeks
    ago on the Chinese National Vulnerability Database, according to
    researchers from the security educational group SANS ISC, who warned that
    the vulnerability was under active attack. The vulnerability is easy to
    exploit and gives attackers the ability to execute code of their choice on
    cloud servers. Because of their power, bandwidth, and use in high-security
    cloud environments, these servers are considered high-value targets. The
    disclosure prompted Oracle to release an emergency patch on Friday.

    On Tuesday, researchers with Cisco Talos said CVE-2019-2725, as the
    vulnerability has been indexed, has been under active exploit since at least
    April 21. Starting last Thursday -- a day before Oracle patched the zero-day
    vulnerability -- attackers started using the exploits in a campaign to install
    `Sodinokibi', a new piece of ransomware. In addition to encrypting valuable
    data on infected computers, the malicious program attempts to destroy shadow
    copy backups to prevent targets from simply restoring the lost data. Oddly
    enough, about eight hours after infection, the attackers exploited the same
    vulnerability to install a different piece of ransomware known as GandCrab.

    No interaction required...

    https://arstechnica.com/information...uble-dose-of-ransomware-no-clicking-required/

    ------------------------------

    Date: Fri, 3 May 2019 21:23:06 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Electronic Health Records and Doctor Burnout (Scientific American)

    [Beware of Dr. Burnout. He is notoriously unready. PGN]

    https://blogs.scientificamerican.com/observations/electronic-health-records-and-doctor-burnout/

    The essay cites numerous factors contributing to physician burnout, which the
    Agency for Healthcare Research and Quality (AHRQ) identifies: "family
    responsibilities, time pressure, chaotic environment, low control of pace,
    and the electronic health record."

    A few cherry-picked items from the essay follow. Attributed to the EHR, the
    author writes:

    "In 2013 the Journal of Emergency Medicine reported that, over the course of
    a 10-hour shift, resident physicians in a busy emergency room spent 28
    percent of their work time with patients and 43 percent on data entry,
    during which they made 4,000 keystrokes."

    These input keystrokes trace to patient outcome/care/administration metrics:
    "159 publicly available measures of outpatient care and that physicians
    spent 2.6 hours and staff 12.5 hours per week attending to them. Insurers
    and government massaged clinical and billing data with over 500 insurer and
    1,700 government standards."

    "No matter how good your intentions, if you just keep piling onto a harried
    clinician's workday more stuff to do and more data to collect, you run the
    risk of actually making care worse, angering patients and alienating
    providers. Time pressure, chaotic environment, and low control of pace are
    all exacerbated by overzealous oversight via the EHR."

    The author suggests one technological fix to lighten clinicians' manual data
    entry load: "To date, no maker of an electronic health record has figured
    out how to do adequate justice to [patient] stories without sacrificing
    data. Automated transcription of dictated notes is a start. Artificial
    intelligence that can parse sentences and paragraphs into data should help a
    lot."

    Certain speech-to-text (STT) platforms advertise transcription success rates
    at 99% for certain vocabularies and contexts, with medical specialties of
    particular focus.

    https://en.wikipedia.org/wiki/Speech_recognition#Accuracy

    "Error rates increase as the vocabulary size grows: e.g. the 10 digits
    'zero' to 'nine' can be recognized essentially perfectly, but vocabulary
    sizes of 200, 5000 or 100000 may have error rates of 3%, 7% or 45%
    respectively."

    Single word error rate and command success rate are two key metrics which
    are influenced by numerous usage/capability attributes:

    "Vocabulary size and confusability, speaker dependence versus independence,
    isolated, discontinuous or continuous speech, task and language constraints,
    read versus spontaneous speech, and adverse conditions."

    See https://www.nejm.org/doi/abs/10.1056/NEJMp0910140 on early voice
    recognition/transcription. There are numerous commercial blogs that offer
    automated voice transcription systems. See
    https://blog.speech.com/2019/01/03/voice-recognition-and-the-electronic-health-record
    for example.

    Risks: Patient outcome benefit by replacing manual data entry with
    speech-to-text (STT) transcription. Physician burnout reduction attributed
    to STT deployment v. manual data entry.

    Why not hire more physicians to unburden their clinical load? $, probably.

    ------------------------------

    Date: Thu, 2 May 2019 23:52:26 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Hertz, Accenture, and the blame game (Browser London)

    The author says:

    Either way, much of the reporting I’ve seen on this story has focused on the
    sheer cost of the works and made many excellent points suggesting that the
    business model of companies such as Accenture deliberately works to inflate
    fees once the client is already heavily committed. Beyond $7 million for
    the initial discovery work
    https://www.browserlondon.com/services/research-analysis/ doesn't
    say what the agreed contract fee was, but it does detail how -- once tied in
    -- Hertz was continually billed by Accenture for fixes or new technology of
    dubious value.

    What stands out to me, however, is the other aspect of this situation. How
    did the amount spent by Hertz balloon up to $32 million before a stop was
    called to the work?

    This highlights to me the fundamental issue many businesses seem to
    encounter when embarking on large projects that are not within their own
    core competency – namely their engagement with the day to day running of the
    project. After all, it wasn't until a Hertz executive asked about progress on
    tablet views that the penny dropped that Accenture simply hadn't done many
    of the things Hertz had asked of it.

    I've read anecdotal evidence
    (https://news.ycombinator.com/item?id=19740706) that on this project with
    Accenture, Hertz, in fact, fired much of its internal digital and
    developmental talent, handing over full control to Accenture. This, in my
    opinion, is its first (if not biggest) mistake.

    https://www.browserlondon.com/blog/2019/04/30/hertz-accenture-blame-game/

    ------------------------------

    Date: Tue, 30 Apr 2019 00:30:34 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Monster screwup on dividends (Korea Herald)

    But someone screwed up. Instead of issuing a ₩1,000 per share dividend, the
    person in charge of hitting that button issued a 1,000 share per share
    dividend. As the Korea Herald reported, dividends offered to employees due
    to the `fat-finger' slip-up came to 112.6 trillion won (about $100
    million), over 40,000 times the intended value and 33 times greater than the
    company's market cap. Suffice it to say that, if the company couldn’t
    reverse the error, the company would cease to exist once these 200 or so
    employees sold these phantom shares.

    http://www.koreaherald.com/view.php?ud=20180408000221
    http://nowiknow.com/why-you-shouldnt-take-advice-from-a-board-game/

    ------------------------------

    Date: Mon, 15 Apr 2019 06:51:56 +0000
    From: Bruce Schneier <schn...@schneier.com>
    Subject: NSA-inspired vulnerability found in Huawei laptops

    CRYPTO-GRAM, April 15, 2019

    This is an interesting story of a serious vulnerability in a Huawei driver
    that Microsoft found. The vulnerability is similar in style to the NSA's
    DOUBLEPULSAR that was leaked by the Shadow Brokers -- believed to be the
    Russian government -- and it's obvious that this attack copied that
    technique.

    What is less clear is whether the vulnerability -- which has been fixed --
    was put into the Huawei driver accidentally or on purpose.

    https://arstechnica.com/gadgets/201...awei-driver-that-opened-systems-up-to-attack/

    https://www.schneier.com/blog/archives/2019/03/nsa-inspired_vu.html

    ------------------------------

    Date: Tue, 30 Apr 2019 15:24:55 -0700
    From: "Peter G. Neumann" <neu...@CSL.SRI.COM>
    Subject: Vodafone found hidden backdoors in Huawei equipment

    For more than a decade, executives, intelligence agencies and conspiracy
    theorists have been warning about the dangers of equipment from China's
    Huawei Technologies Co.

    And for almost as long, Huawei has denied that its telecommunications
    products pose any kind of security threat.

    The West has finally found its smoking gun. Yet it may not be enough
    to sway those on either side of the debate.

    As far back as 2009, Vodafone Group Plc -- one of the world's most powerful
    and far-reaching telecom companies -- found hidden backdoors that could have
    given Huawei access to its fixed-line network in Italy, Bloomberg News's
    Daniele Lepido reported Tuesday, citing security briefing documents from the
    London-based company.

    https://www.bloomberg.com/opinion/a...backdoors-found-by-vodafone-are-a-smoking-gun

    ------------------------------

    Date: Tue, 30 Apr 2019 11:53:53 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Vodafone denies Huawei Italy security risk (BBC)

    Vodafone has denied a report saying issues found in equipment supplied to it
    by Huawei in Italy in 2011 and 2012 could have allowed unauthorised access
    to its fixed-line network there.

    A Bloomberg report said that Vodafone spotted security flaws in software
    that could have given Huawei unauthorised access to Italian homes and
    businesses.

    The US refuses to use Huawei equipment for security reasons.

    However, reports suggest the UK may let the firm help build its 5G network.

    This is despite the US wanting the UK and its other allies in the "Five
    Eyes" intelligence grouping -- Canada, Australia and New Zealand -- to
    exclude the company.

    Australia and New Zealand have already blocked telecoms companies from using
    Huawei equipment in 5G networks, while Canada is reviewing its relationship
    with the Chinese telecoms firm.

    https://www.bloomberg.com/news/arti...ne-found-hidden-backdoors-in-huawei-equipment

    ------------------------------

    Date: Mon, 29 Apr 2019 18:53:09 -0700
    From: Keith Thompson <keithst...@gmail.com>
    Subject: Re: Huawei's code is a steaming pile... (Shapir, RISKS-31.21)

    Amos Shapir <amo...@gmail.com> writes:
    > C does not force anyone to use strcpy() etc., it had always provided also
    > similar length-limiting functions strncpy() etc.

    strncpy() is not a "safer" version of strcpy(), as I've discussed here:
    https://the-flat-trantor-society.blogspot.com/2012/03/no-strncpy-is-not-safer-strcpy.html

    Even a length-limiting string copy function would not necessarily be
    "safe". Consider a copying operation that silently truncates

    "rm -rf /home/username/tmpdir"
    to
    "rm -rf /home/user/name"
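
Keith Thompson's two points above, as an added worked example in C (not code from the post): strncpy() leaves the destination unterminated when the source is at least as long as the limit, the usual forced-terminator "fix" silently turns the sample command into a different but still plausible command, and a checked copy refuses to truncate at all. The helper names and the 64-byte demo buffers are this example's own choices.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample input, taken from the post's illustration: a command line
 * whose meaning changes when it is cut short (28 characters). */
static const char FULL_CMD[] = "rm -rf /home/username/tmpdir";

/* Hazard 1: strncpy(dst, src, n) writes no terminator when strlen(src) >= n.
 * Copies src into a 64-byte demo buffer with limit n and returns true if the
 * first n bytes contain no NUL at all. */
bool strncpy_leaves_unterminated(const char *src, size_t n)
{
    char buf[64];
    if (n > sizeof buf)
        return false;                      /* keep the demo itself in bounds */
    memset(buf, 'X', sizeof buf);          /* sentinel: a surviving 'X' run means no NUL */
    strncpy(buf, src, n);
    return memchr(buf, '\0', n) == NULL;
}

/* Hazard 2: the common "fix" of forcing a terminator yields a shorter string
 * that is still syntactically valid.  Copies src into a dstsize-byte region via
 * strncpy and returns the resulting string (static storage, demo only). */
const char *strncpy_forced(const char *src, size_t dstsize)
{
    static char dst[64];
    if (dstsize == 0 || dstsize > sizeof dst)
        return NULL;
    strncpy(dst, src, dstsize - 1);
    dst[dstsize - 1] = '\0';
    return dst;
}

/* Defensive alternative (hypothetical helper): copy only when the whole source
 * fits, otherwise leave an empty string and report failure so the caller can
 * never act on a truncated value by accident. */
bool copy_checked(char *dst, size_t dstsize, const char *src)
{
    size_t len = strlen(src);
    if (dstsize == 0)
        return false;
    if (len >= dstsize) {
        dst[0] = '\0';                     /* no plausible-looking prefix left behind */
        return false;
    }
    memcpy(dst, src, len + 1);             /* includes the terminator */
    return true;
}

/* Convenience wrapper: did the checked copy of src fit in dstsize bytes? */
bool checked_copy_fits(const char *src, size_t dstsize)
{
    char dst[64];
    if (dstsize > sizeof dst)
        return false;
    return copy_checked(dst, dstsize, src);
}

int main(void)
{
    printf("strncpy with limit 16 leaves no terminator: %s\n",
           strncpy_leaves_unterminated(FULL_CMD, 16) ? "yes" : "no");
    printf("strncpy forced into 22 bytes yields: \"%s\"\n",
           strncpy_forced(FULL_CMD, 22));
    printf("checked copy into 22 bytes fits: %s\n",
           checked_copy_fits(FULL_CMD, 22) ? "yes" : "no");
    printf("checked copy into 29 bytes fits: %s\n",
           checked_copy_fits(FULL_CMD, 29) ? "yes" : "no");
    return 0;
}
```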

    ------------------------------

    Date: Tue, 30 Apr 2019 13:51:04 -0500
    From: Dimitri Maziuk <dma...@bmrb.wisc.edu>
    Subject: Re: Huawei's code is a steaming pile ... (Ward, RISKS-31.21)

    First, nobody's *forcing* anyone to juggle chainsaws.

    Second, short answer is no, longer one is "define 'better'". Programming
    language is a tool just like a hammer: you can make one that won't hurt your
    thumb when you hit it. There will be a trade-off, though. Those trying to
    drive in nails might even call that trade-off "undesirable".

    (There is in fact a whole "c-minus" argument along the lines that modern
    C has already gone too far in the "thumb safety" direction.)

    Third, and on another tangent, the idea that computer programs are not aware
    of the larger context seems to be a recurring motif in RISKS lately.

    The problem with "unsafe foo()-like functions" is whether the tool that
    classified it "unsafe" did so based on the context in which the function is
    invoked; if not, it may well be a false positive. Without knowing the
    specificity and sensitivity of the "safety" test, the assertion that "22% of
    foo() invocations are unsafe" isn't really worth much, and if lack of
    context awareness is a systemic problem, it likely isn't.

    ------------------------------

    Date: Fri, 3 May 2019 14:01:17 +1000
    From: phil colbourn <philco...@gmail.com>
    Subject: Re: Huawei's code is a steaming pile... (RISKS 31.16)

    If Cisco is correct (see
    https://blogs.cisco.com/news/huawei-and-ciscos-source-code-correcting-the-record)
    then Huawei's code may still be Cisco's code (or based on it).

    Comparing Cisco's STRCMP and Huawei's code: ``It must be concluded that
    Huawei misappropriated this code.''
    
    ``Because of the many functional choices available to the Huawei developers 
    (including three of their own routines), the fact that they made the same 
    functional choice as Cisco would suggest access to the Cisco code even if 
    the routines had implementation differences.  The exactness of the comments 
    and spacing not only indicate that Huawei has access to the Cisco code but 
    that the Cisco code was electronically copied and inserted into [Huawei's] 
    [CODE].'' 
    
    ``The nearly identical STRCMP routines are beyond coincidence.  The Huawei 
    [CODE] routine was copied from the strcmp routine in Cisco strcmp.c file.'' 
    
    Therefore, HCSEC [Huawei Cyber Security Evaluation Centre] should consider 
    reviewing code of other manufacturer's equipment used in UK critical 
    national infrastructure. 
    
    
    ------------------------------ 
    
    Date: Tue, 30 Apr 2019 18:54:34 +0800 
    From: Richard Stein <rms...@ieee.org>
    Subject: Re: Should AI be used to catch shoplifters? (cnn.com, RISKS-31.20)
    
    Busted! That is, I have been busted for expressing highly cynical and 
    condescending, even snarky, remarks about AI deployment as a crime deterrent 
    mechanism. 
    
    A software stack that can accurately and consistently detect larceny or 
    discriminate larcenous intent from a random customer pool, and then alert 
    authorities, would be astonishing. 
    
    https://edition.cnn.com/2019/04/18/business/ai-vaak-shoplifting/index.html
    
    The article mentions: 
    
    1) The "VaakEye" algorithm was trained against 100K hours of 
       store-captured surveillance video; 
    2) A 77% reduction in shoplifting across 50 stores in Japan; 
    3) Global retail shoplifting losses accrued to $34 billion in 2017. 
    
    I will be convinced of VaakEye's product efficacy when/if statistics are 
    published that confirm accuracy and consistency of larcenous detection, and 
    show a sufficient reliability guarantee of false positive/negative findings. 
    Sufficient means 3+ nines, preferably 4+ nines, of accurate and consistent 
    theft detection. 
    
    Until then, a big warning sign should be posted at the shop entrance that 
    states something like: 
    
    "These premises deploy automated shoplifting surveillance technology to 
    deter stock theft. The surveillance captures and analyzes your shopping 
    habits, including hand/arm motion between the stock items and your clothes 
    and/or shopping cart/tote bag. Your facial profile is automatically
    constructed and mapped to improve future theft detection capabilities. We 
    hope your shopping experience is pleasant. Come back again soon!" 
    
    ------------------------------ 
    
    Date: Tue, 30 Apr 2019 09:14:17 +0100 
    From: Roger Bell-West <ro...@nospam.firedrake.org>
    Subject: Re: A video showed a parked Tesla Model S exploding in Shanghai 
      (Stein, RISKS-31.21) 
    
    But the energy density of petrol (gasoline) is over ten times as much 
    (46.7MJ/kg), which is what makes it such a good fuel in the first place; 
    and yet, somehow, parked conventional cars rarely catch fire. 
    
    ------------------------------ 
    
    Date: Tue, 30 Apr 2019 19:27:25 +0800 
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Re: A 'Blockchain Bandit' Is Guessing Private Keys and Scoring 
      Millions (WiReD via Meacham) 
    
    >>>>> "BM" -- Bill Meacham <bmeac...@yahoo.com> writes: 
    BM> ... the odds of guessing a randomly generated Ethereum private key is 1 in 
    BM> 115 quattuorvigintillion. (Or, as a fraction: 1/2256.) That denominator is 
    BM> very roughly around the number of atoms in the universe. ... But as he 
    
    I just see "1/2256" above. One in two thousand. 
    
    ------------------------------ 
    
    Date: Tue, 30 Apr 2019 18:57:24 -0700 
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Re: An Interesting Juxtaposition (Wol, RISKS-31.21) 
    
    "I think Gene should be blaming the expensive GPS's, not the cheap ones! 
    Many of my colleagues use Google Maps or Waze because they're so much 
    better." 
    
      How about I blame them all? 
    
      Google Maps has some, ah, interesting quirks. 
    
    ------------------------------ 
    
    Date: Sat, 4 May 2019 00:23:39 -0400 
    From: Gregory Travis <gr...@littlebear.com>
    Subject: Re: Gregory Travis' article on the 737 MAX 
    
    First, I am delighted to once again be a part of the RISKS community.  Some 
    may remember postings I made in the (very) early 1990s here, including a 
    (humorous) sendup of the A320. 
    
    Second, the point of my article was to convey to the lay public: 
    
    1. Unlike previous 737 models, Boeing's 737 MAX 8 airframe could not (and does
       not) meet the pitch stability and control force requirements of FAR part 25.
    2. Boeing realized this fairly early in the development process with wind 
       tunnel and computer simulations. 
    3. Boeing determined that a fairly simple bit of software would make the 
       problem “go away.”  Namely programming that took AOA input from a single 
       (AOA) sensor and used that input to determine whether or not to drive the 
       horizontal stabilizer trim. 
    4. Later, during actual flight tests, it was determined that the pitch 
       instability and control force problems of the airframe were far more 
       serious than the early wind tunnel and simulations indicated (this is 
       somewhat common in the industry). 
    5. Conversely, the software was changed to MUCH more aggressively trim the
       horizontal stabilizer.  In fact, it could drive the stabilizer to its 
       mechanical stops in roughly 20-30 seconds. 
    
    And: 
    
    1. There is an inherent and deep engineering problem in any system that 
       relies on a single sensor as input without any data validation, 
       particularly a system that can use that data to drive very large flight
       surfaces to their mechanical stops in seconds (I am sure some pedant will 
       complain that the electric motor running the jackscrew has a different 
       set of stops than the mechanical trim wheel.  I am tired of responding to 
       such irrelevant nonsense). 
    2. What is often not mentioned is that Boeing explicitly changed the trim 
      disconnect function for this system.  It will not stop if the pilot exerts 
      countering control force.  This is a nonintuitive behavior for any pilot who
      is used to autopilots and electric trim automatic disconnects if the pilots
      exert a control force contrary to the direction of trim.
    3. Aerodynamic loads on the horizontal stabilizer can exceed a human’s 
      ability to move the stabilizer trim manually.  Boeing has known this for 
      nearly thirty years, yet they suggested a fix to the problem was to 
      disconnect the electric trim (use the cutoff switches) and manually trim. 
      As the Ethiopian Air pilots found out, that is impossible.  Boeing knew 
      this. 
    
    And: 
    
    1. Boeing intentionally hid the existence of this system (so that pilot 
      training would not be required) not only from the line pilots flying 
      revenue, but from its own test pilots. 
    2. For example, the Master Minimum Equipment List (MMEL) for the 737 MAX 
      makes no mention of the system.  Although there are cockpit failure 
      indications for the yaw damper, the speed trim system, the mach trim 
      system, etc. there is no failure indication for MCAS. 
    3. Angle of attack sensor failure is common, contrary to assertions 
      otherwise.  The service difficulty database has about 200 entries and that 
      typically represents 5% of the real-world situation.  Frozen water
      (heater failure) in the system is a very common failure cause. 
    4. The 737 MAX MMEL allows the 737 MAX to take off with all angle of attack 
      sensor heaters inoperative, even though Boeing knew that a single angle of
      attack sensor failure could render the aircraft uncontrollable with this 
      system. 
    5. In contrast, the MMEL for the A320 requires that at least two of the 
      three angle of attack sensor heaters be operational before flight. 
    
    And: 
    
    1. All of this can be traced back to a change in Boeing's corporate culture 
      that began with the McDonnell Douglas takeover of Boeing in 1997 (where they 
      used Boeing's own money). 
    2. Because the cultural change was most manifested in the tying of executive 
      compensation to stock price, not revenue or other metrics.  Stock prices 
      are irrational, as John Maynard Keynes so famously noted and easily 
      manipulated by statements from management that sound good to Wall Street 
      but are devastating to the company’s ability to create new products, build 
      quality products, or even stay in business (as McDonnell Douglas 
      discovered). 
    3. 1&2, above, were enabled by regulatory changes, particularly the 2005 
      change, that delegated virtually *all* certification from the FAA to Boeing 
      itself. 
    
    Finally, I am delighted that some of the most substantive criticism of my 
    article has been the inaccuracy of equating Lycoming pistons to dinner 
    plates.  Some people just don’t get it, and never will. 
    
    ------------------------------ 
    
    Date: Tue, 30 Apr 2019 15:56:10 -0700 
    From: Rob Slade <rms...@shaw.ca>
    Subject: Digital health ... 
    
    So Gloria found, and read to me, an article on "digital nutrition."  The 
    term seems to be promoted by one Jocelyn Brewer, and is probably trademarked 
    and copyrighted all to heck, even though it is just a variation on digital
    detox/digital vacation, with some "vary your online activity diet" thrown in 
    for good measure. 
    
    Martin Ward wrote: 
    > For those who still think that competition improves heathcare, consider the 
    > drug naloxone hydrochloride. This is sold by five big pharmaceutical 
    > companies and demand is soaring, but far from driving the price down, the 
    > cost has soared: 
    
    https://community.isc2.org/t5/Industry-News/Digital-Detox/m-p/19740
    
    I tend to think more in terms of a healthy attitude to the net.  The phrase 
    "benign neglect" somehow seems appropriate. 
    
    Every time I come across one of these pieces, it seems everyone is using the 
    Internet differently than I am.  Everyone else is madly glued to their 
    smartphones and the apps on them.  Mostly I use the computer, usually with a 
    Web browser.  At my desk.  Everyone else gets alerted by their apps.  I 
    allow most of my apps to notify me, but the volume is turned way down, and 
    often, when I'm out, I miss the notifications.  Sorry for those who are 
    desperately trying to reach me on Whatsapp, but I just haven't yet found 
    that any of those missed notifications could have changed my life. 
    
    I really wonder why I use the Internet so differently than most other 
    people.  I use the same social media applications.  I just use them 
    differently.  I really like Twitter.  To a certain extent I use it to follow 
    some of my friends.  But mostly I follow news sources.  CBC, BBC, NPR, The 
    Economist, Sydney Morning Herald, and others.  And, of course, a number of 
    sources of information security news.  I use other news sources, of course, 
    but Twitter gives me a bit more breadth.  (Knowing that Twitter, like most 
    social media, supports a kind of "bubble effect" of reinforcing views you 
    already agree with, I deliberately follow some people I don't like, just to 
    mess with the algorithm.) 
    
    It's possible that it's because I've been on the Internet a lot longer than 
    most people.  I was using the Internet in 1983.  At that time it wasn't even 
    called the Internet, yet, and the population, as near as I can estimate, was 
    about a thousand people.  Social media was mostly mailing lists (mail was 
    used for almost everything, including file transfers), with some people 
    having various levels of access to Usenet.  I had, perforce, to learn an 
    awful lot about the underlying technologies, since it was extremely unlikely 
    that I was going to find anyone to give me any help if I ran into any 
    problems.  This kind of background is not good if you want to continue to 
    view each new social media app as a magical new toy.  You tend to see each 
    one as yet another database, with yet another new interface. 
    
    Which tends to give you a different perspective.  Instead of a new bandwagon 
    to jump on, or group to join, you tend to think of new systems in terms of 
    "what new information can I get here that I can't get elsewhere?"  If I can 
    get this info elsewhere, is it sufficiently worthwhile, in terms of 
    accuracy, volume, or query granularity, to learn this new interface?  (The 
    answer, very often, is "no.") 
    
    I love the Internet.  I really do.  I have, ever since I first discovered 
    it.  I hate it, almost to the point of feeling physical pain, whenever there 
    is some new attack on it or through it.  But I've got more than three and a 
    half decades of experience on it.  I know how important it is, and isn't.  I 
    know which parts are important, and which are temporary fads.  (I get it 
    wrong, sometimes.  I admit it.  One of my biggest mistakes was in thinking 
    the World Wide Web was only another interface, like gopher.  Why did we need 
    it, when we had archie?)  (Anybody remember gopher?  Or archie?  No, I 
    didn't think so.) 
    
    The Internet is great.  It's informative, and entertaining.  But it's not 
    everything. 
    
    And now I'm going to stop wasting time posting this, and go for a walk.  In 
    the sunshine. 
    
    ------------------------------ 
    
    Date: Tue, 30 Apr 2019 22:40:14 +0100 
    From: Toby Douglass <ri...@winterflaw.net>
    Subject: Re: Is curing patients, a sustainable business model? (Ward, R-31.21) 
    
    An increase in demand, all other things being equal, in a free market, leads 
    to an increase in price.  I may be wrong, and I certainly am not looking to 
    put words in your mouth so you must correct me if I am mistaken, but I think 
    perhaps what you may have in mind is that you expect, when demand increases, 
    for supply to increase, and so for prices not to soar. 
    
    > from $0.92 a dose ten years ago up to $15.00 a dose. Why is 
    > this?  Google "Opioid Crisis" for the answer. 
    
    Given an increase in demand, in a free market, supply should increase. 
    Although I may be wrong, when this does not happen, I always or almost 
    always find it is due to a lack of competition, and that lack usually comes 
    from State regulation.  For example, why are there only a few big 
    pharmaceutical companies?  I may be wrong, but I think the answer is that 
    regulation has led to enormous barriers to enter that market.  New entry is 
    basically impossible. 
    
    > Drug companies in the US spend tens of billions a year advertising drugs: 
    > how does this help anyone's health?  The USA has some of the highest levels 
    > of anxiety and depression in the world: 
    
    I suspect those living in repressive or violent countries, such as Venezuela 
    or Ethiopia, or those countries where mass poverty leads hundreds of 
    millions to live on one or two dollars a day, have a great deal more on 
    their plates. 
    
    It may be you have in mind *of comparable countries*, so first world Western 
    countries.  In this case, perhaps we are comparing on a scale of 1 to 100 a 
    range which goes from say 10 to 15, with the USA at 15 and Venezuela at say 
    80.  I don't know, though, since I've never seen a study investigating this 
    matter and so I've no idea how the research would be done, and so if it is 
    credible. 
    
    Finally, I would point out that happiness and unhappiness are not absolutes. 
    People can be happy for the wrong reasons, and it would be better if they 
    were unhappy, but living with their eyes open.  I see some cultures where 
    the people are when growing up and when educated inculcated with a certain 
    social uniformity, with certain sets of beliefs, and so they fit better into 
    the societies in which they live (Japan comes to mind -- the recent case 
    where a girl with brown hair was instructed to dye her hair black so she 
    would fit in with the rest of the class).  This is really properly 
    tantamount to mild brainwashing, since the infants and children on the 
    receiving end have no choice in the matter, and so that it makes them 
    happier as adults does not mean it is actually a good thing. 
    
    I am of the view the USA, of all countries I know, has the most 
    individualism. 
    
    > not surprising when you consider that the purpose of advertising is to 
    > make people more anxious and unhappy. 
    
    I may be wrong, but I find it hard to imagine advertising is so effective 
    that it is a primary factor in shaping the minds and characters of hundreds 
    of millions of people.  I suspect there are larger factors at work in 
    people's lives, such as their health, income, job security and personal 
    relationships with their family and partners. 
    
    > Naturally, the drug companies are ready with a handful of pills to relieve 
    > the anxiety: followed by another handful to alleviate the side-effects 
    > from the first lot!  A happy, contented population would be terrible for 
    > the drug companies bottom line: so must be averted at all costs. 
    
    I think you could say the same about any advertising.  Car companies wish 
    for a population of people wholly unsatisfied with their current vehicle; a 
    population happy with their current models would be a disaster!  Cue demonic 
    advertising to induce mass auto dissatisfaction. 
    
McDonald's, similarly, dreads a world where people are satisfied with 
burgers from Burger King!  Cue massive advertising budgets to convince 
people they desperately need a Big Mac. 
    
    I rather think most people have become very good at ignoring most 
    advertising. 
    
    A friend of mine once opined that advertising was a zero-sum game.  If no 
    one advertised, it would be the same as if everyone was doing it -- so if we 
    could all trust each other never to advertise, we could use all that money 
for something else!  The problem of course is that if even one company 
    begins to advertise, then all must, or their sales go through the floor. 
    Not sure if I agree or not, but it's interesting. 
    
    > Attempts to introduce competition into the NHS have been a disaster and, 
    > rightly, resisted by the public. 
    
    Attempts to introduce competition into the Soviet economy were a disaster. 
    However, attempts to run an economy (the Soviet economy again) without 
    competition were also a disaster.  It's entirely possible to fall between 
    two stools.  If you have for example a centralized, command economy, and you 
    attempt to introduce competition, it's a disaster.  The two are not 
    compatible -- it's one or the other.  However, if you try to run a large 
    system or economy as a centralized, command economy, you find out it's 
    staggeringly inefficient and just doesn't work, so actually it's not one or 
    the other, it's competition only, because centralized control of any large 
    system doesn't work as there are fundamental problems of incentives and 
    information, to which no one has ever found a solution -- the Soviets 
certainly didn't, and the UK hasn't in the NHS either.  You pump more and 
    more money into these systems, for less and less output.  (There are other 
    problems too, such as a profound discouragement to technical innovation; you 
    need to meet your targets, and the disruption from introducing new 
    technology only hinders this.) 
    
    > How do you choose the people who are passionate about caring for others? 
    > Fortunately, they are largely self-selecting: you set up an organisation 
    > whose explicit purpose and top priority is caring for others.  Pay enough 
    > for a comfortable living, but not so much that you attract those who are 
    > "just in it for the money". 
    
Whoever pays the money controls the organization, and it will, in the end, 
    be shaped to meet their needs.  If the State is paying the money, it will be 
    held responsible for the performance of the organization, and it will 
    consequently want to control that organization; there is no way, ever, under 
    any circumstances whatsoever, that the State will take a hands-off approach 
    and simply hand the money over.  No State has ever done this, and no State 
    ever will. 
    
    When the State intervenes, it is unavoidable that control as it is from 
    on-high fails utterly, purely to the law of unintended consequences, where a 
    simple system attempts to control a complex system, even without considering 
    the incredible blunders and appalling choices political control always 
    inflicts, in pursuit of populism, votes, pork-barrel politics or simply 
hare-brained schemes. 
    
    Finally, I must mention supply and demand and the pricing of wages for 
    medical staff.  The economy is large and complex.  There are a multitude of 
    different professions.  All of these will then be priced by the market, 
    except for medical care.  What happens to the quantity and quality of the 
    supply of medical staff if the "comfortable-living" wages chosen by the 
    State are lower, or much lower, or if they are higher, or much higher, than 
    comparable wages in other professions for the same investment of training 
and skill?  You end up either with too many, perhaps far too many, or too 
    few, perhaps far too few, people wanting to be doctors. 
    
    Talking about people only coming into the profession because they care, I 
    mean, how does this respond to and meet the actual level of demand for 
medical care?  What if we actually *do* need to give people money to be 
doctors, so there are *enough* doctors?  Right now we live in a world with a 
    massive shortage of doctors, because the supply of doctors is so tightly 
    constrained by State regulation -- we find it hard to imagine a world where 
    there could be a shortage of people actually *wanting* to become a doctor. 
    However, if the pay for the profession is, compared to other choices, far 
    too low, it would be so.  You cannot say "people would come because they 
    care" and then assume there would be enough people.  There is no mechanism 
    which links these two statements. 
    
    This then leads to the problem of getting the price right -- of manually 
    emulating the mechanism which the free market provides.  The State is 
    incapable of this, absolutely and totally, because there is too much 
    information involved, and because of political meddling.  This can be seen 
    already in the UK, with the NHS.  Nurses are paid the same, everywhere, 
    except for an increment if they live in London.  Those nurses living in the 
    North do well, where living costs are lower.  Those living in the South, and 
    in London even with the increment, do badly and in the South, and in London, 
    there is a chronic shortage of nursing staff and as such, heavy use of 
    temporary staff.  Teams which work together and know each other are more 
efficient, and mortality rates in hospitals in the South and in London which 
    heavily use temporary staff are consequently significantly higher -- people 
    are *dying* because of this -- and this has never been fixed, and will never 
    be fixed, because span-of-control problems dictate simple solutions. 
    
The State cannot handle large numbers of different options, because it is 
    impossible to process the data involved (let alone whether anyone actually 
    *cares* enough to solve this problem, or get past bureaucratic inertia). 
    This is why the Soviets had collective farms; the system couldn't handle a 
    few million farms of the correct size, but it could handle 50,000 or so 
    enormous farms (which were fabulously inefficient -- far too big and this in 
    fact, along with general economic stagnation, ultimately led to the collapse 
    of the Soviet Union). 
    
    ------------------------------ 
    
    Date: Tue, 30 Apr 2019 21:44:01 -0700 
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Bernie Sanders wants you to expose your friends, Facebook-style" 
    
    Chris Matyszczyk for Technically Incorrect | 30 Apr 2019 
https://www.zdnet.com/article/bernie-sanders-wants-you-to-expose-your-friends-facebook-style/ 
    
    The Democratic candidate launches an app that asks users to snitch on the 
    political beliefs of family, friends, and even strangers. 
    
      [``even strangers'' is `even stranger'!  ``odd strangers'' would 
      certainly be uneven.  PGN] 
    
    ------------------------------ 
    
    Date: Mon, 14 Jan 2019 11:11:11 -0800 
    From: RISKS-...@csl.sri.com 
    Subject: Abridged info on RISKS (comp.risks) 
    
 The ACM RISKS Forum is a MODERATED digest.  Its Usenet manifestation is 
 comp.risks, the feed for which is donated by panix.com as of June 2011. 
=> SUBSCRIPTIONS: The mailman Web interface can be used directly to 
 subscribe and unsubscribe: 
   http://mls.csl.sri.com/mailman/listinfo/risks 
    
    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that 
       includes the string `notsp'.  Otherwise your message may not be read. 
     *** This attention-string has never changed, but might if spammers use it. 
    => SPAM challenge-responses will not be honored.  Instead, use an alternative 
     address from which you never send mail where the address becomes public! 
    => The complete INFO file (submissions, default disclaimers, archive sites, 
     copyright policy, etc.) is online. 
   <http://www.CSL.sri.com/risksinfo.html>
     *** Contributors are assumed to have read the full info file for guidelines! 
    
=> OFFICIAL ARCHIVES:  http://www.risks.org takes you to Lindsay Marshall's 
    searchable html archive at newcastle: 
  http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue. 
  Also,  ftp://ftp.sri.com/risks for the current volume 
     or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume 
  If none of those work for you, the most recent issue is always at 
     http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00 
  Lindsay has also added to the Newcastle catless site a palmtop version 
  of the most recent RISKS issue and a WAP version that works for many but 
  not all telephones: http://catless.ncl.ac.uk/w/r 
  ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001) 
     *** NOTE: If a cited URL fails, we do not try to update them.  Try 
      browsing on the keywords in the subject line or cited article leads. 
      Apologies for what Office365 and SafeLinks may have done to URLs. 
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum: 
    <http://www.acm.org/joinacm1>
    
    ------------------------------ 
    
    End of RISKS-FORUM Digest 31.22 
    ************************
     
  14. LakeGator

    Risks Digest 31.23

    RISKS List Owner

    May 9, 2019 3:11 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 9 May 2019 Volume 31 : Issue 23

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    80,000 Deaths. 2 Million Injuries. It's Time for a Reckoning on
    Medical Devices (NYTimes)
    `Deep fake' videos that can make anyone say anything worry
    U.S. intelligence agencies (Fox5NY)
    Mystery Frequency Disrupted Car Fobs in an Ohio City, and Now
    Residents Know Why (PGN-ed)
    *Really* active defense ... (The Hacker News via Rob Slade)
    How a Google Street View image of your house predicts your
    risk of a car accident (MIT Technology Review)
    Another one bites the dust: Why consumer robotics companies keep folding
    (Robotics)
    Risks of FAX (Hackaday)
    Cosmos, Quantum and Consciousness: Is Science Doomed to Leave Some
    Questions Unanswered? (Scientific American)
    The Fight for the Right to Drive (Suzanne Johnson, Richard Stein)
    Massachusetts judge granted warrant to unlock suspects iPhone with
    Touch ID (Apple Insider)
    Forgers forcing $12.3 trillion trade financing sector to go
    digital: Experts (The Straits Times)
    Malvertiser behind 100+ million bad ads arrested and extradited to
    the U.S. (Catalin Cimpanu)
    A doorbell company owned by Amazon wants to start producing `crime news',
    and it'll definitely end well
    How the UK Won't Keep Porn Away From Teens (NYTimes)
    "Unhackable" CPU? (Rob Slade)
    Too proud of my house number (Dan Jacobson)
    How to Quickly Disable Fingerprint and Facial Recognition on Your Phone
    (LifeHacker)
    Re: Post Office Horizon (Attila the Hun)
    Re: A 'Blockchain Bandit' Is Guessing Private Keys and Scoring
    (Peter Houppermans)
    Re: A video showed a parked Tesla Model S exploding in Shanghai (Wol)
    Re: Electronic Health Records... (Craig Burton)
    Re: Is curing patients, a sustainable business model? (Sparse Matrix)
    Re: Gregory Travis's article on the 737 MAX (Ladkin, Travis)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sun, 5 May 2019 10:47:50 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: 80,000 Deaths. 2 Million Injuries. It's Time for a Reckoning on
    Medical Devices (NYTimes)

    Patients suffer as the FDA fails to adequately screen or monitor products.
    Opinion | 80,000 Deaths. 2 Million Injuries. It’s Time for a Reckoning on Medical Devices.

    ------------------------------

    Date: Wed, 8 May 2019 09:19:32 -0700
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: `Deep fake' videos that can make anyone say anything worry
    U.S. intelligence agencies (Fox5NY)

    A video of a seemingly real news anchor, reading a patently false script
    saying things like the "subways always run on time" and "New York City pizza
    is definitely not as good as Chicago" gives a whole new meaning to the term
    fake news.

    But that fake news anchor is a real example of a fascinating new technology
    with frightening potential uses.

    I was stunned watching the Frankenstein mix of Steve Lacy's voice coming
    out of what looks like my mouth.

    "That's how well the algorithm knows your face," Professor Siwei Lyu told
    me.

    The video is what is known as a deep fake: a computer-generated clip using
an algorithm that learned my face so well that it can recreate it with
    remarkable accuracy.

    My generated face can be swapped onto someone else's head (like that
    original video with Steve) or it can be used to make me look like I'm saying
    things I've never said.

    For this piece, I worked with Lyu and his team at the College of Engineering
    and Applied Sciences at the University at Albany.

    For many people, seeing is believing.

    "I would say it's not 100% true anymore. What we're doing here is providing
    a kind of detection method to authenticate these videos," Lyu said.

    Their deep fake research is funded by the Defense Advanced Research Projects
    Agency, or DARPA, which acts as the research and development wing of the
    U.S. Defense Department. They're working to develop a set of tools the
    government and public can use to detect and combat the rise of deep fakes.

    What's more, deep fakes technically aren't that hard to make. All it takes
    is a few seconds of video of someone, a powerful computer, and some code,
    which Lyu and his team don't release publicly...

    'Deep fake' videos that can make anyone say anything worry U.S. intelligence agencies

    ------------------------------

    Date: Tue, 7 May 2019 00:48:02 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Mystery Frequency Disrupted Car Fobs in an Ohio City, and Now
    Residents Know Why (PGN-ed)

    It sounded like something from an episode of The X-Files: Starting a few
    weeks ago, in a suburban neighborhood a few miles from a NASA research
    center in Ohio, garage-door openers and car key fobs mysteriously stopped
    working.

    Garage door repair people, local ham radio enthusiasts and other volunteer
    investigators descended on the neighborhood with various meters. Everyone
    agreed that something powerful was interfering with the radio frequency that
    many fobs rely on, but no one could identify the source.

    Officials of North Olmsted, a city just outside Cleveland, began receiving
    calls about the problems in late April, Donald Glauner, the safety and
    service director for North Olmsted, said on Saturday.

    In the weeks that followed, more than a dozen residents reported
    intermittent issues getting their car fobs and garage door openers to work.
    Most lived within a few blocks of one another in North Olmsted, though some
    were from the nearby city of Fairview Park.

    https://www.nytimes.com/2019/05/04/us/key-fobs-north-olmsted-ohio.html?smid=nytcore-ios-share

    [`Fobbing off' the blame (behind the NYTimes paywall)? Well, here's the
    rest of the story that is more accessible (PGN-ed):]

    North Olmsted councilman Chris Glassburn and Bill Hertzel, a retired
    communication employee, found a homemade device that was causing the
    interference, after a resident agreed to allow them inside his home.

Glassburn: ``The device, which ran on a battery backup, was identified and
disabled. There will be no further interference and the resident has agreed
    to not make such devices in the future. There are no implications for the
    future or other communities in this matter.''

    Mystery in North Olmsted solved: Source of key fob, garage opener problems identified

    [Shades of Sputnik opening and closing garage-door openers as it transited
    [reprised in RISKS-23.19,20], and Reagan's Air Force One jamming
    garage-door openers in the Los Angeles area, as well as a case in Florida
    noted in RISKS-23.20. PGN]

    ------------------------------

    Date: Mon, 6 May 2019 12:16:11 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: *Really* active defense ... (The Hacker News)

    So Hamas had a cyber-unit of hackers trying to attack Israeli cyberspace.

    So Israel had fighter drones attack the building from which the Hamas
    hackers were working.

    Israel Neutralizes Cyber Attack by Blowing Up A Building With Hackers

    ------------------------------

    Date: Tue, 7 May 2019 11:48:33 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: How a Google Street View image of your house predicts your
    risk of a car accident (MIT Technology Review)

    How a Google Street View image of your house predicts your risk of a car accident

    ``Insurance companies, banks, and health-care organizations can dramatically
    improve their risk models by analyzing images of policyholders' houses, say
    researchers.''

    ``The result raises important questions about the way personal information
    can leak from seemingly innocent data sets and whether organizations should
    be able to use it for commercial purposes.''

    Risk: Invasive digital profiles by business without consumer consent.

    ------------------------------

    Date: Mon, 06 May 2019 15:18:52 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Another one bites the dust: Why consumer robotics companies keep
    folding (Robotics)

    Greg Nichols for Robotics | 1 May 2019
    Another one bites the dust: Why consumer robotics companies keep folding
    After raising more than $200M, Anki, the delightful dozer-bot, is no more.
    Another one bites the dust: Why consumer robotics companies keep folding | ZDNet

    selected text:

    Fact is, despite massive funding in the space, no one has been able to
    successfully bring a social robot into the consumer market. In fact, no one
    except iRobot has successfully brought a robotics product of any kind to
    market that anyone on your block is likely to have.

    So what gives? Is the technology crappy? After years of sci-fi
    acculturation, are people still not ready for robot friends?

    The answer has more to do with a massive failure on the part of automation
    entrepreneurs (and, absolutely, the tech press) to recognize a bedrock rule
    of market capitalism: No matter how impressive a piece of automation
    technology is, if it doesn't solve a clear problem or increase efficiency in
    a major way, it's not a very good product.

    ------------------------------

    Date: Sun, 5 May 2019 16:06:36 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Risks of FAX

    [via Phil Porras]

    Faxsploit – Exploiting A Fax With A Picture

    ``Security researchers have found a way to remotely execute code on a fax
    machine by sending a specially crafted document to it.''

    A key weakness was that HP rolled their own jpeg handling library rather than
    re-using a tried and tested option such as libjpeg.

    ------------------------------

    Date: Sun, 5 May 2019 04:32:34 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Cosmos, Quantum and Consciousness: Is Science Doomed to Leave Some
    Questions Unanswered? (Scientific American)

    EXCERPT:

    As a science journalist, I've been to countless science conferences over
    the years where I'd hear about the latest discoveries or a plug for a new
    telescope or particle accelerator destined to yield fresh insights into the
    workings of nature. But last week I found myself in a small but elegant
    auditorium at Dartmouth College for a different kind of meeting. Scientists
    and philosophers had gathered not to celebrate research accomplishments but
    to argue that science itself is inadequate. As successful as it has
    undeniably been, they say it cannot provide all the answers we seek.

    Now, make no mistake -- they admit there is a certain kind of science that
    works incredibly well, when a little portion of the universe is cordoned off
    for study, with the scientist positioned outside of the carefully defined
    region under investigation. Galileo is usually credited with this
    extraordinary intellectual breakthrough, one that is often said to have
    paved the way for modern science. His observations of a swinging pendulum,
    and of balls rolling down inclined planes, are classic examples.

But what happens when we *cannot* draw a clear line between the observer and
    the observed? This, according to Dartmouth physicist Marcelo Gleiser and
    some of his colleagues, is a serious problem. And because these cases
    concern some of the most important unanswered questions in physics, they
    potentially undermine the idea that science can explain `everything'.

    Gleiser laid out this argument earlier this year in a provocative essay
    The blind spot of science is the neglect of lived experience | Aeon Essays
    in *Aeon*, co-authored with astrophysicist Adam Frank of the University of
    Rochester and philosopher Evan Thompson of the University of British
Columbia; and it was the focus of the two-day workshop organized by the
Institute for Cross Disciplinary Engagement at Dartmouth, titled *The
Blind Spot: Experience, Science, and the Search for `Truth'*, held at
Dartmouth in Hanover, New Hampshire, on April 22 and 23. ``Everything we do
    in science is conditioned by the way we look at the world.
    And the way we look at the world is necessarily limited.''

    Gleiser, Frank, and Thompson highlight three particular stumbling blocks:
    cosmology (we cannot view the universe from the `outside'); consciousness (a
    phenomenon we experience only from within); and what they call *the nature
    of matter* -- roughly, the idea that quantum mechanics appears to involve
    the act of observation in a way that is not clearly understood.

    Consequently, they say, we must admit that there are some mysteries science
    may never be able to solve. For instance, we may never find a *Theory of
    Everything* to explain the entire universe. This view contrasts sharply with
    the ideal that Nobel laureate physicist Sheldon Glashow expressed in the
    1990s: ``We believe that the world is knowable: that there are simple rules
    governing the behavior of matter and the evolution of the universe. We
    affirm that there are eternal, objective, extra-historical,
    socially-neutral, external and universal truths. The assemblage of these
    truths is what we call science, and the proof of our assertion lies in the
    pudding of its success.''

    What Gleiser and his colleagues are critiquing, he says, is ``this notion of
scientific triumphalism -- the idea that, `Just give us enough time, and
    there are no problems that science cannot solve.' We point out that that is
    in fact not true. Because there are many problems that we cannot solve.'' ...

    https://www.scientificamerican.com/...ce-doomed-to-leave-some-questions-unanswered/

    ------------------------------

    Date: May 6, 2019 at 7:53:54 AM GMT+9
    From: Suzanne Johnson <fu...@pobox.com>
    Subject: The Fight for the Right to Drive

    [via David J. Farber]

    ``It's easier to imagine that technology can solve a problem that education
    or regulation could also fix,'' he said. In place of the driverless utopia
    that technologists often picture, he asked me to consider another
    possibility: a congested urban hellscape in which autonomous vehicles are
    subsidized by companies that pump them full of advertising; in exchange for
    free rides, companies might require you to pass by particular stores or
    watch commercial messages displayed on the vehicles' windows. (A future very
    much like this was recently imagined by T. Coraghessan Boyle, in his short
    story, Asleep at the Wheel.)

    The Fight for the Right to Drive

    ------------------------------

    Date: Mon, 6 May 2019 17:49:46 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: The Fight for the Right to Drive (The New Yorker)

    The Fight for the Right to Drive

    The New Yorker essay discusses the clash between organizations favoring
    carbon-based drivers as an undeniable human right versus industrial
    organizations and interests that want to banish carbon-based drivers from US
    roads and highways.

    Instead of the idyllic holiday family road trip, consider this alternative:

    "a congested urban hellscape in which autonomous vehicles are subsidized by
    companies that pump them full of advertising; in exchange for free rides,
    companies might require you to pass by particular stores or watch commercial
    messages displayed on the vehicles windows."

    The Self Drive Act (HR 3388) promotes autonomous vehicle deployment.
    Passed by the House during the 2017-2018 Congress; the Senate killed it.

    The House legislation can be found here:
    Text - H.R.3388 - 115th Congress (2017-2018): SELF DRIVE Act. The first
    two sentences succinctly summarize the Bill's objectives:

    "This bill establishes the federal role in ensuring the safety of highly
    automated vehicles by encouraging the testing and deployment of such
    vehicles. A 'highly automated vehicle' is a motor vehicle, other than a
    commercial motor vehicle, that is equipped with an automated driving system
    capable of performing the entire dynamic driving task on a sustained basis.

    "The bill preempts states from enacting laws regarding the design,
    construction, or performance of highly automated vehicles or automated
    driving systems unless such laws enact standards identical to federal
    standards."

    The legislation promises 'boxcar' AV industry profits: Self-driving vehicle
    fleets, being scheduled/dispatched like trains/buses/airplanes, can generate
    revenue as they ferry carbon and other goods from points A-to-B.

    The legislation promises safer highways: There are too many deaths (~35,000
    annually) attributed to carbon-based driver errors. Self-driving vehicles,
    once carbon-based drivers are proscribed from motoring (save for off-road or
    military purposes), will usher in a new era of reduced fatalities. No more
    distracted or drunk drivers.

    Section 4 establishes a requirement for a standard safety certification.
    "Nothing in this subsection may be construed to limit or affect the
    Secretary's authority under any other provision of law. The Secretary may
    not condition deployment or testing of highly automated vehicles on review
    of safety assessment certifications."

    Self-certification is in scope. Just like commercial aircraft, and medical
    devices...

    Section 5 establishes a requirement that AV manufacturers develop a
    cybersecurity plan. There's no requirement for the manufacturer to publicly
    disclose the plan's test results, nor other indicators of software life
    cycle maturity.

    Risk: NHTSA regulatory capture adjusts AV performance standards to suit
    industry interests at the expense of public health/safety. Production defect
    escape concealment/non-disclosure compromises AV safety benefits as the
    deployment transition from carbon-based vehicle drivers to AV-supremacy
    initiates.

    ------------------------------

    Date: Mon, 6 May 2019 12:41:08 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Massachusetts judge granted warrant to unlock suspects iPhone with
    Touch ID (Apple Insider)

    Law enforcement can compel a suspect to unlock their iPhone using Touch ID
    under a warrant, a Massachusetts federal judge ruled in April, muddying the
    waters in the ongoing battle in courts over whether the contents of a mobile
    device secured with biometrics are protected by the Fifth Amendment, or not.

    Massachusetts judge granted warrant to unlock suspects iPhone with Touch ID

    ------------------------------

    Date: Tue, 7 May 2019 11:22:52 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Forgers forcing $12.3 trillion trade financing sector to go
    digital: Experts (The Straits Times)

    https://www.straitstimes.com/busine...-trade-financing-sector-to-go-digital-experts

    "The increasing dangers from forgery mean the US$9 trillion (S$12.3
    trillion) business of financing global trade has to go digital, said an OCBC
    Bank executive."

    This is old news to Risks readers. See
    http://catless.ncl.ac.uk/Risks/3/28#subj1
    -- that's from 1986, for example.

    Paper authentication of transactions, like humans, is no longer considered
    a trustworthy provenance proxy. Documents are cumbersome to manage in a
    digital global economy. Documents, and attempted authentication, add
    friction and lengthen the duration of a financial transaction life cycle.

    Blockchain (or the digital equivalent) mechanisms are vulnerable to endpoint
    theft, and various software stack hacks. They apparently embody less
    friction given that there's no paper shuffling.

    Is there benefit in the substitution of one risk with another to merely
    accelerate business activity? Is there a reasonable mitigation alternative
    other than full digitization of a business process? Theft statistics will
    eventually reveal the wisdom of this choice.

    ------------------------------

    Date: Mon, 06 May 2019 15:14:26 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Malvertiser behind 100+ million bad ads arrested and extradited to
    the U.S. (Catalin Cimpanu)

    Catalin Cimpanu, ZDNet, 6 May 2019
    Ukrainian man behind slew of fake companies that delivered malicious
    ads on legitimate sites.
    https://www.zdnet.com/article/malve...on-bad-ads-arrested-and-extradited-to-the-us/

    ------------------------------

    Date: Sat, 4 May 2019 18:32:27 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: A doorbell company owned by Amazon wants to start producing `crime
    news', and it'll definitely end well

    https://www.niemanlab.org/2019/04/a...cing-crime-news-and-itll-definitely-end-well/

    ------------------------------

    Date: Sun, 5 May 2019 02:00:24 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: How the UK Won't Keep Porn Away From Teens

    Complying with a new law, the largest online porn company has set itself up
    to be the youth gatekeeper of British smut. What could go wrong?

    https://www.nytimes.com/2019/05/03/style/britain-age-porn-law.html

    ------------------------------

    Date: Tue, 7 May 2019 09:50:25 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: "Unhackable" CPU?

    Researchers at the University of Michigan claim they have a processor that
    can't be hacked.
    https://securityboulevard.com/2019/05/scientists-claim-to-have-invented-the-unhackable-processor/

    The description is a bit thin, but it seems a variation on memory shuffling
    to avoid direct attacks on specific locations.

    I very much doubt that it is hack proof. (I'd go for "denial of service" first off ...)

    ------------------------------

    Date: Sun, 05 May 2019 23:43:41 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Too proud of my house number

    You know I was real proud of my house number.

    I put it on my name cards and on my website and on my
    https://www.jidanni.org/location/directions/

    I even remember when one could type "1-6 Qingfu St." into Google Maps
    and it would find it.

    But not lately. 1-3, 1-6, etc. now all translate to "1". At least "1" is in
    Google's system. For numbers that are not in its system Google just sends
    the user to the halfway point of a highway's length... Long story short: my
    guests were getting out of the cab on the other side of the valley and had
    to figure out how to walk back three kilometers uphill etc.

    Simple: just push the feedback button, type in your problem, and Google will
    fix it.

    Well even if I had a relative working at Google it would still be hard to
    get a word in edgewise. Alas that is the reality when companies get too big.

    So then it dawned on me: the problem was that I was too proud of my house
    number. Now I removed it from all my directions, going back to only
    mentioning latitude and longitude... problem solved!

    ------------------------------

    Date: Mon, 6 May 2019 13:07:38 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How to Quickly Disable Fingerprint and Facial Recognition on Your
    Phone

    https://lifehacker.com/how-to-quickly-disable-fingerprint-and-facial-recogniti-1827454157

    [This is in response to Gabe's posting of Massachusetts judge granted
    warrant to unlock suspects iPhone with Touch ID in RISKS-31.22. PGN]

    ------------------------------

    Date: Mon, 6 May 2019 15:25:41 +0100
    From: Attila the Hun <attilath...@tiscali.co.uk>
    Subject: Re: Post Office Horizon (RISKS-31.22)

    The UK's Post Office 'Horizon' issue is complex, but basically the company
    pursued sub-postmasters and mistresses for monies the PO claimed had been
    stolen ... a claim hotly denied by those accused.

    An independent investigation commissioned by the PO was arbitrarily canceled
    the day before the report -- believed to be highly critical of the system
    and the PO's actions -- was due to be published, and the investigator
    (Second Sight) was ordered to destroy all the paperwork not yet handed over.
    The PO also scrapped the independent committee set up to oversee the
    investigation, and the mediation scheme for sub-postmasters; then published
    a report in which they cleared themselves.

    The PO has lost the first case brought against it in Bates & Ors v. Post
    Office Ltd and four court rulings, but is still fighting tooth and nail,
    recently accusing the Judge in the latest trial of bias ... much to the
    surprise of the PO's own legal team who were unaware of the PO's accusation.

    Methinks they doth protest too much.

    As the PO is publicly-funded, the costs it is running up are underwritten by
    the tax-payer, and Kevan Jones MP has formally questioned these. The
    case(s) appears un-winnable, and the money would surely be better spent
    recompensing the unfortunate victims than further enriching the legal
    eagles.

    https://news.sky.com/story/hundreds...t-post-office-over-horizon-it-fiasco-11666249
    https://www.theregister.co.uk/2019/04/10/post_office_trial_judge_not_biased/
    https://high-court-justice.vlex.co.uk/vid/hq16x01238-696547977
    http://www.bestpracticegroup.com/post-office-horizon-system-legal-fees-of-3m-and-2-years-of-legal-action-3-key-lessons-learned/
    https://www.computerweekly.com/news/252461728/MP-questions-government-over-Post-Office-Horizon-case

    ------------------------------

    Date: Sun, 5 May 2019 12:02:57 +0200
    From: <not.f...@houppermans.net>
    Subject: Re: A 'Blockchain Bandit' Is Guessing Private Keys and Scoring
    (RISKS-31.22)
    CC: <bmeac...@yahoo.com>, <jid...@jidanni.org>

    Them errors, sometimes they are subtle..

    BM>> 115 quattuorvigintillion. (Or, as a fraction: 1/2256.)

    I suspect there's a small character missing. Try 1/2^256.

    (which is hard to type with auto-incorrect aggressively trying to change
    it to ½^256)

    ------------------------------

    Date: Mon, 6 May 2019 19:34:38 +0100
    From: Wols Lists <antl...@youngman.org.uk>
    Subject: Re: A video showed a parked Tesla Model S exploding in Shanghai
    (Bell-West, RISKS-31.22)

    > But the energy density of petrol (gasoline) is over ten times as much
    > (46.7MJ/kg), which is what makes it such a good fuel in the first place;
    > and yet, somehow, parked conventional cars rarely catch fire.

    Your own words give it away -- petrol is a fuel, not an explosive.

    Without an EXTERNAL supply of oxygen, petrol will not do anything.

    ------------------------------

    Date: Sun, 5 May 2019 14:00:44 +1000
    From: Craig Burton <craig.alex...@gmail.com>
    Subject: Re: Electronic Health Records... (Risks-31.22)

    I suppose this is too techno-optimistic of me but it seems wise for FDA/WHO
    approval to potentially test new drug names for how machines can
    differentiate them when they are spoken.

    "This is a drug used to treat HIV infection, and its chemical name is
    ({[(2R)-1-(6-amino-9H-purin-9-yl)propan-2-yl]oxy}methyl)phosphonic acid.
    Want to read that over the phone to a pharmacist? Neither does any human
    anywhere. So instead, the people who discovered it came up with tenofovir.
    Given the right stem, describing structure and function-- the -vir --
    researchers can tack on syllables of their choice. ... New generic names
    must meet standards set by the World Health Organization's International
    Nonproprietary Names (INN) and the United States Adopted Names for
    pharmaceuticals, and brand names must pass muster with the FDA"
    https://www.popsci.com/science/article/2013-04/fyi-how-does-drug-get-its-name#page-2

    But also many of these drug names are very similar, viz "Here are a couple
    of recent reports involving look-alike and/or sound-alike drug names
    reported to the Institute for Safe Medication Practices Medication Errors
    Reporting Program (ISMP MERP)"
    https://www.pharmacytimes.com/publications/issue/2010/december2010/medicationsafety-1210

    So perhaps the WHO has a central register of drug names and a candidate new
    name is said (by TTS, by people with various accents?) and the system can
    differentiate the new name from the others, or it can't. I can now imagine
    an adversarial system to pick the new names, less like Xeljanz and more
    like FlipRizKitPutz (with lots of fricatives and plosives):

    "sonorant, sibilant and burst properties were the most important parameters
    influencing phoneme recognition"

    https://journals.plos.org/plosone/article?id=10.1371/journal.pone.0079279

    ------------------------------

    Date: Mon, 06 May 2019 10:40:06 -0400
    From: sparse...@wattfamily.ca
    Subject: Re: Is curing patients, a sustainable business model?
    Cost of naloxone (RISKS-31.21)

    A quick search on the Web provided ample confirmation of the high cost of
    naloxone in the USA. See, for instance:

    https://www.statnews.com/2018/11/08/costs-heroin-naloxone-tragic-snapshot-opioid-crisis/

    Piqued by these prices I decided to check the situation in Canada. In
    Canada naloxone is freely available, i.e., without prescription, and it is
    available in some provinces at no cost.

    https://www.pharmacists.ca/cpha-ca/assets/File/cpha-on-the-issues/Naloxone_Scan.pdf

    It is to weep.

    ------------------------------

    Date: Mon, 6 May 2019 09:20:53 +0200
    From: Peter Bernard Ladkin <lad...@causalis.com>
    Subject: Re: Gregory Travis's article on the 737 MAX (Travis, R-31.22)

    Gregory Travis has given us some useful further information.

    I note that he did not disagree with my technical treatment of his mistakes,
    except in one point, namely the frequency of occurrence of AoA-sensor
    anomalies. Rather than use the informal terms "all the time", "not very
    often", "common", and so on, I suggest we use the defined terms from the
    airworthiness regulations, which are "probable", "remote", "extremely
    remote" and "extremely improbable".

    AoA sensor anomalies do not by themselves entail MCAS failure conditions. An
    AoA sensor can fail high, or it can fail low. In both JT-610 and ET-302 the
    DFDR readouts show one AoA sensor failing high. The example Travis cites of
    ingested water, freezing at altitude, leads most likely to a fail-low
    condition (the water freezes when the aircraft is in its climb-out to
    altitude, at a reasonable AoA).

    A fail-high apparently triggered MCAS anomalously and this, amongst other
    things, led to the demise of JT-610 and ET-302. In contrast, a fail-low
    (such as through water ingestion and freezing) may or may not lead to an
    MCAS failure. It will not lead to MCAS failure if trigger-AoA for MCAS is
    not achieved during the flight. We can expect that this will be the case on
    most flights. On some flights, it may be that trigger-AoA is attained and
    MCAS does not cut in because AoA is sensed low. This is an MCAS failure. In
    this flight regime, the quality of the aircraft's handling does not meet
    regulation, but it by no means follows that the flight crew will have
    difficulty in controlling the flight.

    It seems that, in consideration of MCAS failure criticality, then, one needs
    to distinguish between AoA-fail-high and AoA-fail-low. Travis doesn't give
    the numbers; neither have I been able to find any on-line source for the
    SDRs to see for myself. It turns out that if more than about 1 in 300 of the
    AoA SDRs involves fail-high, the frequency of such failures is unlikely to
    satisfy the "extremely remote" requirement for a "hazardous" failure
    condition in 14 CFR 25.1309, resp. CS-25.1309.

    More details, plus references to other helpful on-line articles, in
    https://abnormaldistribution.org/in...on-the-ieee-spectrum-article-concerning-mcas/

    ------------------------------

    Date: Mon, 6 May 2019 07:20:34 -0400
    From: Gregory Travis <gr...@littlebear.com>
    Subject: Re: Gregory Travis's article on the 737 MAX (Ladkin, R-31.22)

    > Rather than use the informal terms "all the time", "not very often",
    > "common", and so on, I suggest we use the defined terms from the
    > airworthiness regulations, which are "probable", "remote", "extremely
    > remote" and "extremely improbable".

    I suggest we absolutely do not. That is an intentional re-framing of a
    story away from the dimensions of one of the greatest human and social
    tragedies of our time and back to the restrictive world of engineering
    lingua franca. It is an insidious way to suppress the truth, masked as a
    way to actually uncover the truth.

    This is so far past the engineering world with its lexicon, its arcane
    acronyms, and its processes. That whole world fell apart as the forces of
    human greed, fear, hubris and hope tore asunder the thin veil of
    civilization that tells us ``if we just follow the rules, everything will be
    all right.'' For a select few, the rules were inconvenient to their
    financial needs. And so bugger the rules. 340+ people are dead and their
    families are grieving.

    Because it's not an engineering story, I deliberately took the approach of
    using informal terms and a non-engineering approach to describing what looks
    like an engineering failure on its surface but is instead a tragedy,
    consisting of villains, victims and (hopefully) heroes. I suspect that
    PBL's objections to my article, like others that I have received from the
    engineering community, reflect a kind of professional visceral pain that
    their profession had such a large and central role in the execution of this
    catastrophe. And because of that pain, they are lashing out as shame turns
    to anger.

    'Tis better to fail-high, or fail low. That is not the question.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.23
    ************************
  15. LakeGator

    Risks Digest 31.24

    RISKS List Owner

    May 14, 2019 8:52 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 14 May 2019 Volume 31 : Issue 24

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Silicon Valley makes everything worse: Four industries that Big Tech has
    ruined (Salon)
    "Do we need 6G wireless already? 5G engineers debate" (ZDNet via GeneW)
    "Over 25,000 smart Linksys routers are leaking sensitive data"
    (Charlie Osborne)
    The Future Is Here, and It Features Hackers Getting Bombed
    (Foreign Policy)
    Ford to expand medical transport service (Detroit News)
    Australian $50 note typo: spelling mistake printed 46 million times
    (The Guardian)
    SHA-1 collision attacks are now actually practical and a looming danger
    (Catalin Cimpanu)
    TOCTOU Attacks Against BootGuard (PGN via sundry sources)
    Sharp increase in ransomware attacks on Swiss SMEs (GovCert via
    Peter Houppermans)
    AI Can Now Defend Itself Against Malicious Messages Hidden in Speech
    (Matthew Hutson)
    Singlish also can, for this AI call system (The Straits Times)
    Special issue: The global competition for AI dominance
    Bulletin of the Atomic Scientists: Vol 75, No 3
    Who[m] to Sue When a Robot Loses Your Fortune (Bloomberg.com)
    What Sony's robot dog teaches us about biometric data privacy (CNET)
    New e-voting support system by Microsoft (via Diego Latella)
    Boeing Knew About Safety-Alert Problem for a Year Before Telling FAA,
    Airlines (WSJ)
    Unless you want your payment card data skimmed, avoid these commerce sites
    (Ars Technica)
    Hey, Alexa: Stop recording me (WashPost)
    "RobbinHood" ransomware takes down Baltimore City government networks
    (Ars Technica)
    Buying a replacement iPhone battery? Be careful you don't get ripped off
    (ZDNet)
    Software update crashes police ankle monitors in the Netherlands
    (Catalin Cimpanu)
    Tenants win as settlement orders landlords give physical keys over
    smart locks (CNET)
    Re: The Fight for the Right to Drive (Dan Jacobson)
    Re: Drug names (Robert R. Fenichel)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 13 May 2019 19:35:01 -0700
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Silicon Valley makes everything worse: Four industries that Big
    Tech has ruined (Salon)

    *The tech industry sells itself as improving our lives. So why does it seem
    to always do the opposite?*
    EXCERPT:

    Adapted from *A People's History of Silicon Valley: How the Tech Industry
    Exploits Workers, Erodes Privacy and Undermines Democracy*, by Keith A.
    Spencer, on sale now from major booksellers. Eyewear Publishing, 2018.
    Excerpted with permission.

    The word `innovation' has become synonymous with Silicon Valley to the point
    of absurdity. Indeed, the tech industry's entrepreneurs and
    "thoughtfluencers" throw it around as casually as a dodgeball in a
    middle-school P.E. class; what it really means is perpetually unclear and
    purposefully hazy. It is vague enough to be suitable in nearly any situation
    where a new product, service or "thing" is advertised as superior to the old
    -- never mind if the so-called "old" thing has some distinct advantages, or
    if the new thing's superiority is solely that it makes more money than the
    old thing, or if there are other old things that are actually superior yet
    which won't make anyone rich. (Consider Apple removing the headphone jack
    from its new phones to be Exhibit A.)

    That summary may sound flippant, but it is a good explication of the path of
    the tech industry over the past two decades: Some venture capital-backed
    entrepreneurs jackhammer their way into a new industry, "tech"-ify it in
    some way, undermine the competition and declare their new way superior once
    the old is bankrupted.

    Thus, rather than confine themselves to operating systems and PC software
    like they did in the 1980s and 1990s, the tech industry has figured out
    that the real money lies in being a middleman. By that I mean serving as
    the in-between point for, say, web traffic to newspapers and magazines
    (like this one); or being the go-between for taxi services, coordinating
    drivers and passengers through apps. In both of these examples, the
    original product isn't that different from the pre-tech world: a taxi ride,
    in the latter case, a news article in the former. The difference is that a
    tech behemoth takes a cut of the transaction. And also in many cases, the
    labor -- the people making and producing and doing the things the tech
    industry takes a slice from -- is more precarious, less well-remunerated,
    and less safe than it was in the pre-tech era.

    Looking at it this way, the tech industry doesn't really seem innovative at
    all. Or rather, its sole innovation seems to be exploiting workers with more
    cruelty, and positioning itself in the middle of more transactions.
    Granted, there are certain services that have become more convenient because
    of apps and smartphones -- but there is no reason that convenience must come
    at the high cost that it does, besides the tech industry's insatiable lust
    for profit. Here are but a few examples of how our livelihoods and our
    societies have been worsened by Silicon Valley as it sinks its talons into
    new industries.

    Taxis

    Public transit was never great in the United States, with the exception of a
    few big cities like New York, and thus private taxi services were around to
    supplement. Being a taxi driver was once a much-vaunted job, so much so that
    a taxi medallion was perceived of as a ticket to the middle class.

    Then came Uber and Lyft, who flooded the market for private transit and
    undercut the taxi industry by de-skilling the industry and paying their
    workers far, far less. Driving a taxi is no longer a middle class job;
    once-valuable taxi medallions have become burdens for some taxi drivers.
    The outlook for career taxi drivers is so dismal that an alarming number of
    taxi drivers have been committing suicide.

    Meanwhile, because of the precarious nature of Lyft and Uber jobs, those
    drivers are frequently not vetted or under-vetted -- resulting in
    significant safety concerns for passengers. And unlike a taxi back in the
    old days, being a rideshare driver isn't a ticket to the middle-class at
    all: a recent study of such employees revealed that most contractors use
    these kinds of jobs not as their sole source of income, but as supplementary
    jobs to make ends meet.

    Richard D. Wolff, an economics professor at the New School in New York
    City, describes gig economy companies like Uber as "winning the
    competition" by taking shortcuts that "frequently endanger the public."
    Regulatory agencies for taxis were created in most countries, Wolff says,
    because taxi companies were historically unsafe. "Taxi companies are
    required now to have insurance, training for drivers, well-inspected cars,
    and other safeguards to protect the public. The cost of riding in a taxi
    reflects those safeguards," Wolff said, adding:

    ...there's always the incentive for somebody to come in and operate, once
    again, inadequately insured, inadequately maintained, inadequately vetted
    drivers -- to come in with a cheaper cab service [that is] unregulated by
    the taxi commission. That's all that Uber and Lyft [are]... they undercut
    the old arrangement and offer cheaper and more competitive services by
    cutting corners.

    Home appliances

    Lightbulbs have existed for around 140 years, and home refrigerators for
    about 100. In that span, they haven't changed too much, besides getting more
    energy-efficient, mostly because they haven't really needed to: we need to
    keep food cold, and we need light. The appliances that do these things don't
    really need to do much else.

    Now, tech companies are putting wi-fi and Bluetooth chips in all kinds of
    things that didn't used to be Internet-connected. They call it the "smart
    home," and while the word is open-ended, the common thread with smart home
    devices is that they can generally be monitored via an app...

    Silicon Valley makes everything worse: Four industries that Big Tech has ruined

    ------------------------------

    Date: Tue, 14 May 2019 10:12:10 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Do we need 6G wireless already? 5G engineers debate"

    [On the part about standards being too early or late, early in my career,
    I worked with CP/M on 8-bit micros. The version that was most widely used
    was 2.2. 3.0 came out later, but too late. How many ever used it? It
    had some nice features that should have been in 2.2 but were not.
    However, it was late in the life of CP/M, and it was unlikely programs
    would be rewritten to take advantage of the features.]

    Do we need 6G wireless already? 5G engineers debate | ZDNet

    The race to 6G has already begun, according to a certain head of state. This
    while 5G firms in China may be helping other countries to race ahead. What
    if a "6G" isn't such a good idea? By Scott Fulton III | April 25, 2019 --
    12:57 GMT (05:57 PDT) | Topic: 5G 5G will be popularized via telecom
    carriers and the marketing of wire-cutting services, but the biggest impact
    and returns will come from connecting the Internet of things, edge computing
    and analytics infrastructure with minimal latency.

    selected text:

    It was a minefield that attendees of the first day of sessions at Brooklyn
    5G Summit 2019 on Wednesday maneuvered through: The topic of whether the
    world's governmental policy makers have blown 5G wireless all out of
    proportion. Representatives of the world's three principal
    telecommunications equipment suppliers -- Huawei, Ericsson, and Nokia --
    took the stage at NYU's Tandon School of Engineering, along with other
    stakeholders in the 5G global standard.

    At issue: Have the expectations of both policy makers and wireless customers
    been raised so high that the development of "6G Wireless" -- until now
    merely a placeholder for future discussion -- actually begins now?

    "Let's be fair. Presidents of countries are saying, 'My country's going to
    be the first to deploy.' The UK prime minister at the time, [David]
    Cameron, said the UK is going to be the first country in Europe to deploy
    5G. (He's now an ex-prime minister, but that's for a different reason.) My
    point is, standardization takes time. It takes several years to write a
    generation of standards. When we set about this process in 2015, there were
    many, many operators saying, 'We don't need this right now. Please slow down
    the standardization process! We don't need 5G, because LTE's doing fine.'
    And yet when we started the three- or four-year program of writing these
    standards, during that process, there was this massive acceleration, and the
    political push that said, 'We want these standards right now! Why are you
    so slow, 3GPP? You need to speed up!'

    "My point is," Scrase wrapped up, "standards historically are either too
    early or too late. It's very difficult to have standards that are perfectly
    on-time. It's even more difficult when the timeline keeps shifting forwards
    and backwards."

    ------------------------------

    Date: Tue, 14 May 2019 10:29:04 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Over 25,000 smart Linksys routers are leaking sensitive data"
    (Charlie Osborne)

    Charlie Osborne for Zero Day | 14 May 2019
    A security flaw grants remote access to router information.
    Over 25,000 smart Linksys routers are leaking sensitive data | ZDNet

    Over 25,000 Linksys Smart Wi-Fi routers are believed to be vulnerable to
    remote exploit by attackers, leading to the leak of sensitive information.

    [Note that this article is about Linksys routers. The word "Huawei" does
    not occur in the text. Nonetheless, if you check the article, you will
    see a Huawei picture. Is this a simple mistake or propaganda? (Huawei
    has been attacked by the USA, and I have not seen much evidence.) The
    risks of the Web.]

    ------------------------------

    Date: Wed, 8 May 2019 12:05:02 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: The Future Is Here, and It Features Hackers Getting Bombed
    (Foreign Policy)

    The Future Is Here, and It Features Hackers Getting Bombed

    A pinpoint accuracy, drone-delivered incentive and deterrent against hacking
    Israeli infrastructure.

    Only a matter of time before an equivalent commercial capability can be
    purchased using virtual currency.

    Risks: Target selection error, munition guidance compromise.

    ------------------------------

    Date: Wed, 8 May 2019 12:24:39 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Ford to expand medical transport service (Detroit News)

    Ford to expand medical transport service

    "Despite a critical and growing need across our country, most patients are
    unable to find reliable transportation and drivers who understand their
    needs. GoRide Health can fill that gap."

    Well I'll be darned...silicon-driven wheels that "understands their
    [patients] needs." Good spin for self-driving wheel promotion.

    Risk: Without a carbon-backup driver, patient safety and evacuation assist
    during an accident.

    ------------------------------

    Date: Thu, 9 May 2019 08:54:49 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Australian $50 note typo: spelling mistake printed 46 million times
    (The Guardian)

    Australian $50 note typo: spelling mistake printed 46 million times

    ------------------------------

    Date: Mon, 13 May 2019 08:45:38 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: SHA-1 collision attacks are now actually practical and a looming
    danger (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 13 May 2019
    Research duo showcases first-ever SHA-1 chosen-prefix collision attack.
    SHA-1 collision attacks are now actually practical and a looming danger | ZDNet

    opening text:

    Attacks on the SHA-1 hashing algorithm just got a lot more dangerous last
    week with the discovery of the first-ever "chosen-prefix collision attack,"
    a more practical version of the SHA-1 collision attack first carried out by
    Google two years ago.

    What this means is that SHA-1 collision attacks can now be carried out with
    custom inputs, and they're not just accidental mishaps anymore, allowing
    attackers to target certain files to duplicate and forge.

    ------------------------------

    Date: Mon, 13 May 2019 21:37:04 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: TOCTOU Attacks Against BootGuard

    Now You See It... TOCTOU Attacks Against BootGuard

    "malicious and unsigned code is executed successfully, something that Boot
    Guard was designed to prevent."

    https://conference.hitb.org/hitbsec...ttacks Against Secure Boot - Trammell Hudson

    https://bugzilla.tianocore.org/show_bug.cgi?id=1614

    tianocore/edk2-staging

    ------------------------------

    Date: Thu, 9 May 2019 21:50:55 +0200
    From: <not.f...@houppermans.net>
    Subject: Sharp increase in ransomware attacks on Swiss SMEs

    I suspect this is not a uniquely Swiss situation, but the size of the nation
    makes for a better signal-to-noise ratio: it takes fewer attacks for it to
    pop up on the radar.

    Attacking SMEs is a fairly standard approach - they're the weak underbelly
    of commerce as their size typically makes for less process driven security,
    and they serve as a possible entry point to bigger fish as part of a supply
    chain.

    Swiss government agencies GovCERT and MELANI already have analysis online:

    Severe Ransomware Attacks Against Swiss SMEs

    ------------------------------

    Date: Mon, 13 May 2019 12:08:45 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: AI Can Now Defend Itself Against Malicious Messages Hidden in Speech
    (Matthew Hutson)

    Matthew Hutson, *Nature*, 10 May 2019 via ACM TechNews, Monday, May 13, 2019

    University of Illinois at Urbana-Champaign researchers have developed a
    technique to protect artificial intelligence (AI) against deception by
    adversarial examples, like audio clips. The researchers created an algorithm
    that transcribes a full audio clip, as well as an independent segment of it;
    the program flagged a clip as potentially compromised if transcription of
    that segment did not closely correspond to the transcription of the complete
    audio file. Testing revealed that the algorithm always spotted meddling in
    several attack scenarios, even when the attacker was aware of the
    countermeasures.

    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-1fc39x21c22bx068806&
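The defence described in the item (transcribe the whole clip and, separately, a segment of it; flag the clip when the two transcripts disagree) can be illustrated with the comparison step alone. The following is an added example and is not the Illinois researchers' code: the speech recognizer is abstracted away, the segment transcript is compared against the best-matching window of the full transcript using word-level edit distance, and the transcripts and the 0.5 mismatch threshold are constructed assumptions for this example, not values from the paper.

```python
"""Transcription self-consistency check for adversarial-audio detection.

Added example (not the Illinois researchers' code): the defence transcribes a
whole clip and, independently, a segment of it, and flags the clip when the
two transcripts disagree. The recognizer is abstracted away; only the
comparison step is worked through. The transcripts are constructed samples.
"""
from typing import List


def levenshtein(a: List[str], b: List[str]) -> int:
    """Word-level edit distance (insertions, deletions, substitutions)."""
    prev = list(range(len(b) + 1))
    for i, word_a in enumerate(a, 1):
        cur = [i]
        for j, word_b in enumerate(b, 1):
            cost = 0 if word_a == word_b else 1
            cur.append(min(prev[j] + 1,          # delete word_a
                           cur[j - 1] + 1,       # insert word_b
                           prev[j - 1] + cost))  # substitute or match
        prev = cur
    return prev[-1]


def normalize(text: str) -> List[str]:
    """Lower-case and strip punctuation so only the words are compared."""
    return "".join(c for c in text.lower() if c.isalnum() or c.isspace()).split()


def segment_mismatch(full_transcript: str, segment_transcript: str,
                     slack: int = 2) -> float:
    """Word error rate of the segment transcript against the best-matching
    window of the full transcript (window length = segment length +/- slack).
    0.0 means the segment appears verbatim inside the full transcript."""
    full = normalize(full_transcript)
    seg = normalize(segment_transcript)
    if not seg:
        return 0.0
    best = len(seg)  # worst case: no word matches at all
    for length in range(max(1, len(seg) - slack), len(seg) + slack + 1):
        for start in range(0, len(full) - length + 1):
            best = min(best, levenshtein(full[start:start + length], seg))
    best = min(best, levenshtein(full, seg))  # covers very short full clips
    return best / len(seg)


def is_suspicious(full_transcript: str, segment_transcript: str,
                  threshold: float = 0.5) -> bool:
    """Flag the clip when more than `threshold` of the segment's words disagree.
    The threshold is an assumption for this example, not the paper's value."""
    return segment_mismatch(full_transcript, segment_transcript) > threshold


# Constructed sample transcripts (not real recognizer output).
BENIGN_FULL = "Turn on the kitchen light and lock the back door."
BENIGN_SEGMENT = "kitchen lights and lock"          # one ASR slip, consistent
ATTACK_FULL = "Open the garage door and disable the alarm."  # perturbed clip
ATTACK_SEGMENT = "turn on the kitchen light"        # what the segment says

if __name__ == "__main__":
    for name, full, seg in [("benign", BENIGN_FULL, BENIGN_SEGMENT),
                            ("attack", ATTACK_FULL, ATTACK_SEGMENT)]:
        print(f"{name}: mismatch={segment_mismatch(full, seg):.2f} "
              f"suspicious={is_suspicious(full, seg)}")
```

The sliding window matters: a segment cut from the middle of a clip should match a substring of the full transcript, not the whole of it, so comparing against the full transcript directly would raise the error rate on every benign clip.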

    ------------------------------

    Date: Sat, 11 May 2019 10:36:10 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Singlish also can, for this AI call system (The Straits Times)

    Singlish also can, for this AI call system

    When traveling internationally, one is likely to encounter English spoken
    with unique accents and semantic features. One example being Singapore's
    Singlish. One overheard Singlish sentence at Changi Airport: "Everything so
    blur" means "I am confused."

    The government is developing, and will eventually deploy, a speech
    recognition system that performs speech-to-text (STT) translation to assist
    Singapore's civil defense force dispatchers. Singapore's four official
    languages are: Mandarin, Tamil, Malay, and English.

    Adding Singlish into the interpretative voice space, given 4 predecessor
    languages, enlarges the STT test space. While unlikely to encounter an
    emergency call that simultaneously combines words and semantics from 5
    distinct languages (save for a lively UN debate), one might want to test the
    STT platform with certain concurrently mixed language tuples to assess
    translation outcome.

    Public interest can be served by determining and disclosing how well an STT
    platform responds during a cacophonous call for emergency assistance.

    An AUCROC assessment -- area under curve/radar operating characteristic --
    can provide a telling measure of concurrent, multi-lingual STT effectiveness
    in terms of false positive/negative determinations.

    Note: Thanks to Chris Elsaesser for pointing out the importance of AUCROC
    measures to characterize and quantify AI platform discrimination
    capabilities and limits.
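To make the AUC-ROC measure concrete, here is an added example (not code from the Straits Times article or from Singapore's civil defence system) that computes a receiver operating characteristic curve and its area from scored test calls, and reads off the true-positive rate available at a chosen false-positive budget. The detector scores and ground-truth labels are constructed sample data, and the 0.25 false-positive budget is an assumption for the example.

```python
"""ROC curve and AUC for a speech-to-text emergency-intent detector.

Added example, not from the article or the Singapore system: shows how the
AUC-ROC measure is computed from scored test calls so that false-positive and
false-negative rates can be read off. Scores and labels are constructed.
"""
from typing import List, Sequence, Tuple


def roc_curve(scores: Sequence[float],
              labels: Sequence[int]) -> List[Tuple[float, float]]:
    """Return (false positive rate, true positive rate) points, sweeping the
    decision threshold from strictest to loosest. Tied scores are released
    together so the curve does not depend on their input order."""
    positives = sum(1 for y in labels if y)
    negatives = len(labels) - positives
    if positives == 0 or negatives == 0:
        raise ValueError("need at least one positive and one negative label")
    ranked = sorted(zip(scores, labels), key=lambda p: -p[0])
    tp = fp = 0
    points = [(0.0, 0.0)]
    i = 0
    while i < len(ranked):
        tie_score = ranked[i][0]
        while i < len(ranked) and ranked[i][0] == tie_score:
            if ranked[i][1]:
                tp += 1
            else:
                fp += 1
            i += 1
        points.append((fp / negatives, tp / positives))
    return points


def auc(points: Sequence[Tuple[float, float]]) -> float:
    """Trapezoidal area under the ROC curve (1.0 = perfect, 0.5 = chance)."""
    area = 0.0
    for (x0, y0), (x1, y1) in zip(points, points[1:]):
        area += (x1 - x0) * (y0 + y1) / 2.0
    return area


def roc_auc(scores: Sequence[float], labels: Sequence[int]) -> float:
    return auc(roc_curve(scores, labels))


def tpr_at_max_fpr(scores: Sequence[float], labels: Sequence[int],
                   max_fpr: float) -> float:
    """Best true-positive rate reachable without exceeding `max_fpr`: the
    operating point a dispatch centre picks when missed emergencies and
    spurious dispatches carry different costs."""
    return max(tpr for fpr, tpr in roc_curve(scores, labels) if fpr <= max_fpr)


# Constructed sample: detector confidence that a call is a genuine emergency
# and the ground-truth label (1 = emergency, 0 = not). Mixed-language test
# calls would be scored and labelled the same way.
SCORES = [0.9, 0.8, 0.7, 0.6, 0.4, 0.3, 0.2, 0.1]
LABELS = [1, 1, 0, 1, 0, 1, 0, 0]

if __name__ == "__main__":
    print("ROC points:", roc_curve(SCORES, LABELS))
    print(f"AUC = {roc_auc(SCORES, LABELS):.4f}")
    print(f"TPR at FPR <= 0.25: {tpr_at_max_fpr(SCORES, LABELS, 0.25):.2f}")
```

With distinct scores the trapezoidal area equals the fraction of (emergency, non-emergency) pairs that the detector ranks in the right order, which is why a single AUC number summarises discrimination across all thresholds; the per-threshold points are what an operator needs to pick an actual cut-off.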

    ------------------------------

    Date: Mon, 13 May 2019 09:16:24 +0900
    From: Dave Farber <far...@gmail.com>
    Subject: Special issue: The global competition for AI dominance
    (Bulletin of the Atomic Scientists: Vol 75, No 3)

    Topicbox

    ------------------------------

    Date: Sun, 12 May 2019 16:55:38 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: Who[m] to Sue When a Robot Loses Your Fortune (Bloomberg.com)

    Bloomberg - Are you a robot?

    "The legal battle is a sign of what's in store as AI is incorporated into
    all facets of life, from self-driving cars to virtual assistants. When the
    technology misfires, where the blame lies is open to interpretation."

    Risk: Overtrust (see The Risks Digest) in an AI-driven, equity trading
    platform to out-perform market indices.

    UNIX message of the day: "The way to make a small fortune in the commodities
    market is to start with a large fortune."

    ------------------------------

    Date: Fri, 10 May 2019 22:41:00 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: What Sony's robot dog teaches us about biometric data privacy
    (CNET)

    The state's Biometric Information Privacy Act prevents Sony from selling it
    there.

    https://www.cnet.com/news/what-sonys-robot-dog-teaches-us-about-biometric-data-privacy/

    ------------------------------

    Date: Mon, 13 May 2019 10:57:51 +0200
    From: Diego Latella <Diego....@isti.cnr.it>
    Subject: New e-voting support system by Microsoft

    https://blogs.microsoft.com/on-the-...c-elections-through-secure-verifiable-voting/

    ElectionGuard can be used to build systems with five major benefits that
    will protect the vote against tampering by anyone, and improve the voting
    process for citizens and officials:

    Verifiable: Allowing voters and third-party organizations to verify
    election results.
    Secure: Built with advanced encryption techniques developed by
    Microsoft Research.
    Auditable: Supporting risk-limiting audits that help assure the
    accuracy of elections.
    Open source: Free and flexible with the ability to be used with
    off-the-shelf hardware.
    Make voting better: Supporting standard accessibility tools and
    improving the voting experience.
    [...]

    The ElectionGuard SDK will be available through GitHub beginning this
    summer. We encourage the election technology community to begin building
    offerings based on this technology and expect early prototypes using
    ElectionGuard will be ready for piloting during the 2020 elections in the
    United States, with significant deployments for subsequent election cycles.
    Over time we will seek to update and improve the SDK to support additional
    voting scenarios such as mail-in ballots and ranked choice voting.
    Microsoft will not charge for using ElectionGuard and will not profit from
    partnering with election technology suppliers that incorporate it into their
    products.

    ------------------------------

    Date: Thu, 9 May 2019 09:23:56 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Boeing Knew About Safety-Alert Problem for a Year Before Telling
    FAA, Airlines (WSJ)

    https://www.wsj.com/articles/boeing...-year-before-telling-faa-airlines-11557087129

    ------------------------------

    Date: Thu, 9 May 2019 09:40:46 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Unless you want your payment card data skimmed, avoid these
    commerce sites (Ars Technica)

    https://arstechnica.com/information...cted-with-code-that-steals-payment-card-data/

    ------------------------------

    Date: Thu, 9 May 2019 19:45:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Hey, Alexa: Stop recording me (WashPost)

    When Alexa runs your home, Amazon tracks you in more ways than you might
    want.

    https://www.washingtonpost.com/tech...a-has-been-eavesdropping-you-this-whole-time/

    ------------------------------

    Date: Thu, 9 May 2019 09:41:33 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: "RobbinHood" ransomware takes down Baltimore City government networks
    (Ars Technica)

    https://arstechnica.com/information...city-government-hit-by-robbinhood-ransomware/

    ------------------------------

    Date: Fri, 10 May 2019 09:53:11 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Buying a replacement iPhone battery? Be careful you don't get
    ripped off (ZDNet)

    Adrian Kingsley-Hughes for Hardware 2.0 | 10 May 2019
    Buying a replacement iPhone battery? Be careful you don't get ripped off
    Just because you're told that the replacement iPhone battery you're buying
    is new doesn't mean that it is. It could be old and worn out.
    https://www.zdnet.com/article/buyin...e-battery-be-careful-you-dont-get-ripped-off/

    selected text:

    For example, eBay is awash with iPhone battery testers that allow the
    recharge cycle count to be cleared or set to a low level (and tools that can
    read the recharge cycles, such as Coconut Battery, cannot tell that this
    figure has been reset). Other than duping people, I'm having a hard time
    coming up with a legitimate use for this feature, especially since you have
    to physically remove the battery from the iPhone to do it.

    ------------------------------

    Date: Fri, 10 May 2019 09:59:32 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Software update crashes police ankle monitors in the Netherlands
    (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 10 May 2019
    Borked update prevents ankle monitors from sending data back to police
    control rooms.
    https://www.zdnet.com/article/software-update-crashes-police-ankle-monitors-in-the-netherlands/

    selected text:

    A borked software update has crashed hundreds of ankle monitoring devices
    used by Dutch police, Dutch government officials said today.

    The issue was fixed later in the day, on Thursday; however, the Dutch
    Ministry of Justice and Security had to step in and preemptively arrest and
    jail some of its most high-risk suspects.

    [I find this bit darkly amusing. "You're under arrest for our ankle
    monitoring system crashing."?]

    ------------------------------

    Date: Fri, 10 May 2019 14:52:03 -0400
    From: José María Mateos <ch...@rinzewind.org>
    Subject: Tenants win as settlement orders landlords give physical keys over
    smart locks (CNET)

    https://www.cnet.com/news/tenants-win-rights-to-physical-keys-over-smart-locks-from-landlords/

    The physical key has prevailed over the smart lock for a group of tenants
    with privacy concerns.

    In a settlement released Tuesday, a judge ordered landlords of an apartment
    building in New York to provide physical keys to any tenants who don't want
    to use the Latch smart locks installed on the building last September.

    The settlement is a first, as there's no legal precedent or legislation
    deciding how landlords can use smart home technology. Since the technology
    is relatively new, lawmakers haven't had time to catch up with smart home
    devices, and this case in New York is one of the few legal challenges to
    appear in court. It won't set a legal precedent because it's a settlement,
    but it represents a win for tenants who had issues with smart locks and
    landlords installing them against their will.

    "This is a huge victory for these tenants and tenants throughout New York
    City. These types of systems, which landlords have used to surveil, track
    and intimidate tenants, have been used frequently in New York City," Michael
    Kozek, the attorney representing the tenants in Manhattan, said in a
    statement. "These tenants refused to accept the system, and the negative
    impact it had on their lives. Hopefully they will be an inspiration for
    other tenants to fight back."

    ------------------------------

    Date: Fri, 10 May 2019 10:54:53 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Re: The Fight for the Right to Drive (The New Yorker via Stein)

    RS> companies might require you to ... watch commercial messages displayed
    on the vehicles windows."

    They already do, but it is on the outside, not the inside, and it makes it
    tough to look out, almost impossible on rainy days etc.
    https://www.brisbanetimes.com.au/na...to-be-removed-from-buses-20161221-gtfvz3.html

    ------------------------------

    Date: Thu, 9 May 2019 13:42:40 -0700
    From: "Robert R. Fenichel" <b...@fenichel.net>
    Subject: Re: Drug names (RISKS-31.23)

    There's another level to the drug-name issue raised by Craig Burton. Each
    brand-name drug you receive has three different names, not just two. [*]

    First, there is the chemical _structural name_, constructed according to
    strict, non-contentious international conventions. Given, for example, the
    structural name (S)-1-[N2-(1-carboxy-3-phenylpropyl)-L-lysyl]-L-proline
    dihydrate, anyone with basic chemical training could draw a diagram of the
    molecule.

    This example, like the one given by Burton, exemplifies the ponderous nature
    of structural names, so WHO has a means of assigning pronounceable _generic
    names_. Generic names draw upon a growing suffix vocabulary ("vir" for
    antivirals, "pine" for dihydropyridine calcium-channel blockers, "olol" for
    beta-blockers, "pril" for ACE inhibitors, and so on) and then WHO tries to
    coordinate generic names (for example, benazepril, captopril, enalapril,
    fosinopril, lisinopril, moexipril, perindopril, quinapril, ramipril,
    trandolapril are all ACE inhibitors) to minimize confusion. Some older
    drugs have different generic names in different parts of the world
    (adrenaline/epinephrine, meperidine/pethidine, acetaminophen/paracetamol),
    but new examples of that sort are not appearing, thanks to WHO.

    It doesn't stop there. The structural name that I gave above is that of
    lisinopril. In North America, lisinopril is available as generic
    lisinopril, as Prinivil(R), and as Zestril(R). The assignment of _brand
    names_ is regulated nationally (in the US by the FDA). There is a committee
    at FDA that passes on proposed names, trying to head off aural confusion.
    Sometimes they turn out to have got it wrong: Omeprazole was originally
    (1996) allowed to use the brand name Losec(R), but there were persistent
    reports of mixups with the much-older brand name Lasix(R) (furosemide), so
    approval for "Losec" was withdrawn, and Astra Zeneca had to reissue
    omeprazole under another name (Prilosec(R)).

    I have been out of FDA since before machine interpretation of speech became
    important, but I'd be surprised to hear that the brand-name committee at FDA
    is not now worrying about computer errors as well as human errors.

    [* Old Possum's Book of Practical Cats: The naming of cats is a difficult
    matter, for a cat must have three different names. PGN]

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.24
    ************************
     
  16. LakeGator

    Risks Digest 31.25

    RISKS List Owner

    May 17, 2019 3:58 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 17 May 2019 Volume 31 : Issue 25

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Vote-by-phone tech trend is scaring the life out of security experts
    (SDUnionTrib)
    worldwide (Japan Times)
    FBI can't say with certainty that Florida voter databases not affected by
    2016 hack (Politico)
    U.S. Senate election security bill requiring paper ballots (Maggie Miller)
    WhatsApp flaw let hackers install spyware on cellphones when people
    made or got calls (CBS)
    Facebook busts Israel-based 'fake news' campaign to disrupt elections
    Israeli TV Eurovision webcast hacked with fake missile alert (The Guardian)
    CRYPTO-GRAM, May 15, 2019 (Bruce Schneier PGN-ed)
    San Francisco Bans Facial Recognition Technology (NYTimes)
    Britain risks heading to US levels of inequality, warns top economist
    (The Guardian)
    Poll says that 56% of Americans don't want kids taught Arabic numerals.
    We have some bad news. (Marissa Higgins)
    New speculative execution bug leaks data from Intel chips' internal
    buffers (Ars Technica)
    GozNym cyber-crime gang which stole millions busted (BBC.com)
    Ransomware Is Putting a Damper on Our Smart City Future (Gizmodo)
    Re: Gregory Travis's article on the 737 MAX (Chris Drewe)
    Re: Healthcare spending (Martin Ward)
    Re: Is curing patients a sustainable business model? (Martin Ward)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 16 May 2019 20:42:21 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Vote-by-phone tech trend is scaring the life out of security experts
    (SDUnionTrib)

    The vote-by-phone tech trend is scaring the life out of security experts

    With their playbook for pushing government boundaries as a guide, some
    Silicon Valley investors are nudging election officials toward an innovation
    that prominent coders and cryptographers warn is downright dangerous for
    democracy.

    Voting by phone could be coming soon to an election near you.

    As seasoned disruptors of the status quo, tech pioneers have proven
    persuasive in selling the idea, even as the National Academies of Science,
    Engineering and Medicine specifically warn against any such experiment.

    The fight over mobile voting pits technologists who warn about the risks of
    entrusting voting to apps and cellphones against others who see Internet
    voting as the only hope for getting most Americans to consistently
    participate on election day.

    "There are so many things that could go wrong," said Marian Schneider,
    president of Verified Voting, a coalition of computer scientists and
    government transparency advocates pushing for more-secure elections. "It is
    an odd time for this to be gaining momentum."

    [PGN-truncated for RISKS. Lots more on Bradley Tusk, who is spearheading
    vote-by-phone, and Voatz, with responses from Josh Benaloh, who responds
    that this is just `Magic beans', also relating to using blockchains:
    Blockchains "don't solve any of the problems," Benaloh said. "They
    actually introduce new ones, and make things worse." Worth reading in
    its entirety if you believe this is a good idea! PGN-ed]

    ------------------------------

    Date: Fri, 17 May 2019 10:26:07 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: FBI can't say with certainty that Florida voter databases not
    affected by 2016 hack (Politico)

    Martin Matishak and Gary Fineout, Politico

    Florida lawmakers once again railed against the FBI on Thursday for its
    handling of the investigation into Russian election tampering in the state,
    and expressed skepticism that the intrusion didn't alter voter rolls.

    After a briefing with the FBI about its investigation into the 2016
    cyber-attacks, members of the state's congressional delegation blasted the
    bureau for not even revealing the names of the affected counties for almost
    three years.

    "I don't know who the hell they think they are not to share that information
    with us," said Republican Rep. Matt Gaetz.

    Congressional lawmakers just found out Thursday the identities of the
    counties but did not reveal the names to reporters following the closed-door
    meeting with FBI officials.

    Thursday's briefing marked the latest chapter in the ongoing saga since
    March, when special counsel Robert Mueller issued his redacted report on
    Russian interference in the 2016 election, which concluded that at least one
    Florida county had been hacked.

    While the FBI and Department of Homeland Security say they have "no
    evidence" the voter databases were tampered with by Russian hackers,
    "there's more to follow there," Rep. Michael Waltz (R-Fla.) said during
    a Capitol Hill press conference that followed a classified briefing from the
    agencies.

    "We have a lot of questions across our delegation on how the FBI came to
    that determination," added Waltz. He noted bureau officials were "very
    clear" that voter rolls were not manipulated and that the election results
    were not impacted by the breaches.

    Rep. Debbie Mucarsel-Powell (D-Fla.) likewise said lawmakers weren't able
    to get with "certainty" that the databases had been left alone, explaining
    the FBI told them hackers were able to "enter the garage" but "not the
    house" of the two county networks.

    Still, the revelations that Russian hackers were able to penetrate another
    Florida county do raise new troubling questions about the scope of Moscow's
    attempts to tamper with the 2016 presidential election, which has been the
    subject of much confusion.

    When incumbent Sen. Bill Nelson, a Democrat, asserted that Russians had
    successfully hacked Florida's systems, Sen. Rick Scott assailed him on the
    campaign trail, demanding proof and calling the comment ``irresponsible''.
    Scott, a Republican and governor at the time, unseated Nelson in November.

    Scott, who had his own briefing a day earlier, said in a statement he had
    urged the FBI to divulge the name of the two counties the Russians
    successfully targeted but that he was ``confident'' in Florida's election
    security efforts.

    He also defended his attacks on Nelson, saying ``the FBI could not provide
    any evidence to support the claims about security during the 2018 election
    made by then-Senator Nelson, which confirms the conclusion of both the FBI
    and the Department of Homeland Security at the time.''

    Scott's statement, however, is not completely accurate. His campaign also
    assailed Nelson for asserting that the Russians obtained access in
    2016. Additionally, the DHS last year said the Russians were unable to
    access ``vote tallying systems'' in 2016. They said nothing at the time
    about accessing voter information records.

    After a meeting with the FBI and DHS last week, Florida Gov. Ron DeSantis
    Tuesday held a press conference where he revealed that two counties had been
    breached. However, the FBI made him sign a nondisclosure agreement to not
    reveal details of the meeting.

    Waltz said the FBI sent ``multiple warnings'' to state officials about the
    possible threat, held a conference call with local leaders and had a "back
    and forth" with vendors responsible for the voter database software.

    While the FBI argued it couldn't reveal the names in order to "protect
    sources and methods" and because the bureau had labeled the supervisor of
    elections in the counties as the "victims," members still expressed
    bipartisan outrage over the level of secrecy surrounding the 2016 hacks.

    Rep. Stephanie Murphy (D-Fla.), who along with Waltz originally requested
    Thursday's briefing, called the lack of transparency ``counter-productive''
    and predicted it would erode confidence in the election systems.

    Lawmakers said they asked FBI and DHS to go back and review their
    notification system, adding they asked a lot of questions about the nature
    of the communications between the bureau and local and state officials.

    Rep. Darren Soto (D-Fla.) said it was "critical" that members come together
    to support legislation that would require DHS to brief the congressional
    delegations of states that had been targeted or successfully hacked.

    Murphy said the delegation had asked the FBI to review if the information
    shared Thursday could be made available before the 2020 elections.

    There is "more work that needs to be done," she said.

    ------------------------------

    Date: Wed, 15 May 2019 22:48:26 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: U.S. Senate election security bill requiring paper ballot
    (Maggie Miller)

    Maggie Miller, The Hill, 15 May 2019

    Senate Dems introduce election security bill requiring paper ballots

    Sen. Ron Wyden (D-Ore.) and a group of 12 other senators introduced a bill
    Wednesday to mandate the use of paper ballots in U.S. elections and also ban
    all Internet, Wi-Fi and mobile connections to voting machines in order to
    limit the potential for cyber interference.

    Wyden's office described the Protecting American Votes and Elections (PAVE)
    Act as ``providing the strongest protections for American elections of any
    proposal currently before Congress.''
    <https://www.wyden.senate.gov/imo/me...Votes and Elections Act of 2019 Bill Text.pdf>

    The legislation would also give the Department of Homeland Security the
    power to set minimum cybersecurity standards for U.S. voting machines,
    authorize a one-time $500 million grant program for states to buy
    ballot-scanning machines to count paper ballots and require states to
    conduct risk-limiting audits of all federal elections in order to detect any
    cyber hacks.

    Among the bill's co-sponsors are 2020 presidential candidates Sens. Bernie
    Sanders (I-Vt.), Elizabeth Warren (D-Mass.), Cory Booker (D-N.J.), Kirsten
    Gillibrand (D-N.Y.), and Kamala Harris (D-Calif.). Rep. Earl Blumenauer
    (D-Ore.) is planning to introduce a companion bill in the House.

    ``The Russian government interfered in American elections in 2016 and if we
    don't stop them, they and other governments are going to do it again,''
    Wyden said in a statement. ``The administration refuses to do what it takes
    to protect our democracy, so Congress has to step up. Our bill will give
    voters the confidence they need that our elections are secure.''

    Blumenauer said that ``if the 2016 and 2018 elections taught us anything, it
    is that our election security systems are woefully inadequate.'' [...]

    ------------------------------
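
    [The item above names risk-limiting audits as the bill's mechanism for
    detecting tampering. The following is an added example, not code from the
    PAVE Act, from any election office or from any audit vendor, of what a
    ballot-polling RLA actually computes: the BRAVO stopping rule of Lindeman,
    Stark and Yates. The contest, the reported tallies and the ballots drawn
    are constructed for the example. Paper ballots are drawn uniformly at
    random, each one is compared with the reported outcome, and a likelihood
    ratio is kept per (reported winner, reported loser) pair; the reported
    outcome is accepted only once every pair's ratio reaches 1/risk_limit,
    which bounds the chance of confirming a wrong outcome by the risk limit.
    If the sample runs out first, the audit escalates to a full hand count.]

```python
"""Added example: the BRAVO stopping rule for a ballot-polling risk-limiting
audit. Constructed contest and sample; not code from the PAVE Act or from any
election office or audit vendor."""
import random
from typing import Dict, Iterable, List


def bravo_audit(reported: Dict[str, int], sample: Iterable[str],
                risk_limit: float = 0.05) -> dict:
    """Run BRAVO over `sample` (a sequence of candidate names; anything else
    counts as a blank/other ballot) against the reported tallies.

    Returns {'confirmed': bool, 'ballots_examined': int, 'winner': str}.
    'confirmed' False means the sample was exhausted without enough evidence
    and the audit must escalate to a full hand count."""
    if not 0.0 < risk_limit < 1.0:
        raise ValueError("risk limit must be in (0, 1)")
    winner = max(reported, key=reported.get)
    losers = [c for c in reported if c != winner]
    threshold = 1.0 / risk_limit

    # Reported share of the winner among winner+loser ballots, per pair.
    # A share <= 0.5 is a reported tie or loss: ballot polling cannot
    # confirm it, so the contest goes straight to a hand count.
    share: Dict[str, float] = {}
    for loser in losers:
        pair_total = reported[winner] + reported[loser]
        s = reported[winner] / pair_total
        if s <= 0.5:
            raise ValueError(f"no reported margin between {winner} and {loser}")
        share[loser] = s

    stat = {loser: 1.0 for loser in losers}  # likelihood ratio per pair
    examined = 0
    for ballot in sample:
        examined += 1
        for loser in losers:
            if ballot == winner:
                stat[loser] *= share[loser] / 0.5
            elif ballot == loser:
                stat[loser] *= (1.0 - share[loser]) / 0.5
            # ballots for other candidates, blanks or undervotes do not
            # move this pair's statistic
        if all(stat[loser] >= threshold for loser in losers):
            return {"confirmed": True, "ballots_examined": examined,
                    "winner": winner}
    return {"confirmed": False, "ballots_examined": examined, "winner": winner}


def draw_sample(manifest: List[str], n: int, seed: int) -> List[str]:
    """Draw n ballots with replacement from a ballot manifest. In a real
    audit the seed comes from a public dice roll after the manifest is
    fixed, so the sample cannot be steered."""
    rng = random.Random(seed)
    return [rng.choice(manifest) for _ in range(n)]


if __name__ == "__main__":
    # Constructed contest in which the paper ballots match the reported
    # tallies; a 55/45 split confirms with a few dozen ballots at 5% risk.
    reported = {"Alice": 5500, "Bob": 4500}
    manifest = ["Alice"] * 5500 + ["Bob"] * 4500
    print(bravo_audit(reported, draw_sample(manifest, 2000, seed=20190515)))
```

    With a reported 55/45 split, each winner ballot multiplies the pair's
    ratio by 1.1 and each loser ballot by 0.9, so 32 consecutive winner
    ballots reach the 5% threshold of 20, while a sample that alternates
    winner and loser drifts downward and never confirms. The sample size
    therefore scales with the reported margin, which is why a close contest
    under an RLA ends up close to a full hand count.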

    Date: Wed, 15 May 2019 18:59:13 -0700
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: WhatsApp flaw let hackers install spyware on cellphones when people
    made or got calls (CBS)

    Spyware created by a sophisticated group of hackers-for-hire took advantage
    of a flaw in the WhatsApp communications program used by more than 1.5
    billion people worldwide to remotely hijack dozens of phones, the company
    said late Monday. The Financial Times identified the firm as Israel's NSO
    Group, and WhatsApp all but confirmed the identification.

    WhatsApp described the hackers to CBS News as having "all the hallmarks of a
    private company that works with a number of governments around the world,"
    adding to The Associated Press that they do so "to deliver spyware." A
    spokesman for the Facebook subsidiary later told the AP: "We're certainly
    not refuting any of the coverage you've seen."

    WhatsApp also told CBS News, "We have made information available to U.S.
    law enforcement for further review. We may make additional information
    available as appropriate."...

    WhatsApp flaw let hackers install spyware on cellphones when people made or got calls

    [See also Attacks used app's call function. Targets didn't have to answer
    to be infected, noted by Monty Solomon:
    WhatsApp vulnerability exploited to infect phones with Israeli spyware
    PGN]

    ------------------------------

    Date: Fri, 17 May 2019 10:27:19 +0900
    From: Dave Farber <far...@gmail.com>
    Subject: Facebook busts Israel-based 'fake news' campaign to disrupt

    Facebook busts Israel-based 'fake news' campaign to disrupt elections
    worldwide (The Japan Times)

    https://www.japantimes.co.jp/news/2...9BF3-DF21-40C3-BD24-C3937A2D1577#.XN4NthKRWnM

    ------------------------------

    Date: Wed, 15 May 2019 08:17:37 -0400
    From: José María Mateos <ch...@rinzewind.org>
    Subject: Israeli TV Eurovision webcast hacked with fake missile alert
    (The Guardian)

    Israeli TV Eurovision webcast hacked with fake missile alert

    The online stream of the Eurovision semi-finals in Israel was hacked to show
    warnings of a missile strike and images of blasts in the host city, Tel
    Aviv.

    The website for KAN's television stations was interrupted on Tuesday evening
    -- just as the competition's first round was beginning -- with a fake alert
    from Israel's army telling of an impending attack.

    Messages such as: ``Risk of Missile Attack, Please Take Shelter'' and:
    ``Israel is NOT Safe. You Will See!'' appeared on the screen. Animated
    satellite footage showed explosions in the coastal city.

    ------------------------------

    Date: Wed, 15 May 2019 07:05:05 +0000
    From: Bruce Schneier <schn...@schneier.com>
    Subject: CRYPTO-GRAM, May 15, 2019 (PGN-excerpted)

    [Bruce's Crypto-gram has so many RISKS-worthy items that I am going to
    stop trying to pick out a few. Here I picked a few items to list from the
    table of contents of his latest issue, and only the first item. I urge
    some of you to subscribe. PGN]

    Bruce Schneier, CTO, IBM Resilient
    schn...@schneier.com
    https://www.schneier.com

    A free monthly newsletter providing summaries, analyses, insights, and
    commentaries on security: computer and otherwise.

    For back issues, or to subscribe, visit Crypto-Gram's web page
    Schneier on Security: Crypto-Gram

    Read this issue on the web
    Crypto-Gram: May 15, 2019 - Schneier on Security

    ** *** ***** ******* *********** *************

    ** IN THIS ISSUE: [PGN-excerpted just a few items]

    * China Spying on Undersea Internet Cables
    * Vulnerabilities in the WPA3 Wi-Fi Security Protocol
    * More on the Triton Malware
    * New DNS Hijacking Attacks
    * Iranian Cyberespionage Tools Leaked Online
    * Excellent Analysis of the Boeing 737 Max Software Problems
    * Vulnerability in French Government Tchap Chat App
    * Fooling Automated Surveillance Cameras with Patchwork Color Printout
    * Stealing Ethereum by Guessing Weak Private Keys
    * Why Isn't GDPR Being Enforced?
    * Malicious MS Office Macro Creator
    * Leaked NSA Hacking Tools
    * Amazon Is Losing the War on Fraudulent Sellers
    * Another NSA Leaker Identified and Charged
    * Cryptanalyzing a Pair of Russian Encryption Algorithms
    * Reverse Engineering a Chinese Surveillance App
    * Cryptanalysis of SIMON-32/64

    ** CHINA SPYING ON UNDERSEA INTERNET CABLES

    China Spying on Undersea Internet Cables - Schneier on Security

    Supply chain security is an insurmountably hard problem. The recent focus is
    on Chinese 5G equipment, but the problem is much broader. This opinion piece
    looks at undersea communications cables.

    But now the Chinese conglomerate Huawei Technologies, the leading firm
    working to deliver 5G telephony networks globally, has gone to sea. Under
    its Huawei Marine Networks component, it is constructing or improving nearly
    100 submarine cables around the world. Last year it completed a cable
    stretching nearly 4,000 miles from Brazil to Cameroon. (The cable is partly
    owned by China Unicom, a state-controlled telecom operator.) Rivals claim
    that Chinese firms are able to lowball the bidding because they receive
    subsidies from Beijing.

    Just as the experts are justifiably concerned about the inclusion of
    espionage "back doors" in Huawei's 5G technology, Western intelligence
    professionals oppose the company's engagement in the undersea version, which
    provides a much bigger bang for the buck because so much data rides on so
    few cables.

    This shouldn't surprise anyone. For years, the US and the Five Eyes have had
    a monopoly on spying on the Internet around the globe. Other countries want
    in.

    As I have repeatedly said, we need to decide if we are going to build our
    future Internet systems for security or surveillance. Either everyone gets
    to spy, or no one gets to spy. And I believe we must choose security over
    surveillance, and implement a defense-dominant strategy.

    ------------------------------

    Date: Tue, 14 May 2019 20:44:48 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: San Francisco Bans Facial Recognition Technology (NYTimes)

    San Francisco Bans Facial Recognition Technology

    It is the first ban by a major city on the use of facial recognition
    technology by the police and all other municipal agencies.

    ------------------------------

    Date: May 15, 2019 at 8:09:49 AM GMT+9
    From: Brian Randell <brian....@newcastle.ac.uk>
    Subject: Britain risks heading to US levels of inequality, warns top economist
    (The Guardian)

    [via Dave Farber]

    "Rising inequality in Britain risks putting the country on the same path
    as the US to become one of the most unequal nations on earth, according to
    a Nobel-prize winning economist.

    Sir Angus Deaton is leading a landmark review of inequality in the UK amid
    fears that the country is at a tipping point due to a decade of stagnant
    pay growth for British workers. The Institute for Fiscal Studies
    thinktank, which is working with Deaton on the study, said the
    British-born economist would ``point to the risk of the UK following the
    U.S.'' -- which has extreme inequality levels in pay, wealth and health.

    Speaking to The Guardian at the launch of the study, he said: There's a
    real question about whether democratic capitalism is working, when it's
    only working for part of the population."

    Britain risks heading to US levels of inequality, warns top economist

    ------------------------------

    Date: May 15, 2019 at 8:31:28 AM GMT+9
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Poll says that 56% of Americans don't want kids taught Arabic
    numerals. We have some bad news. (Marissa Higgins)

    Marissa Higgins, Daily Kos, 13 May 2019

    Poll says that 56% of Americans don't want kids taught Arabic numerals. We have some bad news

    [...] An astounding 56% of Americans said Arabic numerals should not be
    taught in American schools. Arabic numerals. Which are, you know, the ones
    we use. [1,2,3, etc.] Is there an explanation that doesn't have to do with
    bigotry? I think not. Islamophobia is a huge problem in the U.S. My guess
    (and the only explanation I can gather) is that people read `Arabic' and
    immediately went negative. Gross.

    ------------------------------

    Date: Tue, 14 May 2019 22:23:38 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: New speculative execution bug leaks data from Intel chips' internal
    buffers (Ars Technica)

    Intel-specific vulnerability was found by researchers both inside and
    outside the company.

    New speculative execution bug leaks data from Intel chips’ internal buffers

    ------------------------------

    Date: Fri, 17 May 2019 16:16:19 +0800
    From: Richard Stein <rms...@ieee.org>
    Subject: GozNym cyber-crime gang which stole millions busted (BBC.com)

    International cyber-crime gang busted

    Mario Puzo wrote that "A lawyer with his briefcase can steal more than a
    hundred men with guns."

    "What is known as 'crime as a service' has been a growing feature in recent
    years, allowing organised crime gangs to switch from their traditional
    haunts of drugs to much more lucrative cyber-crime."

    CaaS only requires quick hands to type faster than law enforcement can
    apprehend criminals. CaaS proudly exploits IaaS, PaaS, and SaaS.

    Risk: Internet-based business resilience and continuity, critical
    infrastructure, etc.

    ------------------------------

    Date: May 17, 2019 9:15:06 JST
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Ransomware Is Putting a Damper on Our Smart City Future (Gizmodo)

    Patrick Howell O'Neill, Gizmodo, 14 May 2019

    [Note: This item comes from reader Randall Head. DLH]

    https://gizmodo.com/ransomware-is-putting-a-damper-on-our-smart-city-future-1834731404

    Last month, we found out that hackers took down a county government in
    California. Around the same time, a city in Maine lost control of all its
    data. These followed New York state's capital, Albany, admitting that
    hackers had crippled the city's technology operations, which means just
    about everything important in the city was taken down. And just last week,
    Baltimore was hit by a successful ransomware attack that demanded 13 bitcoin
    to decrypt city files that were being held hostage.

    The world is supposed to be launching into a dazzling smart city future
    where governments are always connected and, therefore, move quicker and more
    efficiently than before. But if that's where we're going, we
    have to deal with the fact that many cities fall victim to profit-driven
    hackers.

    The weapon often used against cities is ransomware, a type of malware
    designed to gain access, take control of important data and then demand
    money to end the ensuing crisis. It's a popular extortion-hacking
    scheme that's now seeing a new source of success.

    American governments, particularly cities, states, law enforcement agencies,
    and schools, are being increasingly targeted by ransomware, according to a
    new report from the cybersecurity firm Recorded Future. At least 170
    government systems have been attacked since 2013, according to public
    reports. And there have been 21 attacks so far this year, Recorded Future
    found, and 2019 is on pace to tally the highest ever number of ransomware
    attacks against cities. But due to the lack of transparency and
    accountability, there are likely more attacks unknown to both the public and
    many defenders.

    Is this due to an overall rise in ransomware attacks, or is it a result of
    more cities bringing their systems online? No one knows the full answer
    because, thanks to a lack of transparency and information sharing rules, no
    one knows fully what's happening.

    In a time when American cities are struggling to deal with crumbling
    infrastructure -- bad roads, collapsing bridges, old hospitals -- it's
    becoming increasingly clear that vulnerable networks ought to be added to
    the list of decaying necessities in dire need of an upgrade. With the
    emergence of the so-called smart city, in which everything is connecting to
    the Internet -- including those very same roads, bridges, and hospitals --
    the challenges facing cities loom even larger.

    ``We see with cities coming online in every respect so that when ransomware
    takes them offline, how much it affects constituents,'' Recorded Future's
    Allan Liska told Gizmodo. ``Atlanta had everything in the `smart city', so
    even court systems were taken offline, no one could pay anything through the
    city because the systems were taken offline.''

    Cities around the country are racing to become `smart'. Tech and federal
    money along with an undeniable popular sentiment to modernize government is
    driving the push to connect. But it's one thing to let an algorithm direct
    road crews or build a facial recognition system to identify drivers -- it's
    an entirely different issue to have cities prepared to deal with the
    inevitable security problems that will pop up. That's to say nothing of the
    looming privacy concerns of smart cities.

    ------------------------------

    Date: Thu, 16 May 2019 22:12:37 +0100
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: Gregory Travis's article on the 737 MAX (RISKS-31.21-23)

    RISKS-31.21-23 have had several posts on this item:

    My knowledge of modern passenger aircraft design and operation is
    negligible, along with the relationships between manufacturers and airlines,
    but obviously there's an enormously-complicated combination of systems
    interacting here. Topics like these are not well covered by mainstream
    media, so it's useful to have informed debates in forums like RISKS.
    Investigations are still ongoing as I write.

    Personally, I find it NOT useful to have soap opera-style name-calling,
    intentionally avoiding scientific rigour to maximise emotional impact.
    Total safety is pretty easy to achieve, it just needs infinite quantities of
    time, money, and resources. In real life these are all restricted, so
    compromises are necessary. A good design isn't one which is almost perfect
    but never gets made because it's too expensive, it's one which makes the
    best trade-offs between conflicting demands, which in turn require value
    judgments, which is one reason why we have agreed safety standards. The
    safety of aircraft can always be improved by spending more money, but the
    planes have to be low-cost enough for airlines to afford to buy or lease
    them, and the tickets affordable for passengers, and air-related businesses
    have to make money or they go bust. It's easy to be wise with hindsight.

    ------------------------------

    Date: Wed, 15 May 2019 12:29:39 +0100
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Healthcare spending (RISKS-31.22)

    A couple of posts in Risks Digest 31.22 seemed related:

    > Abilify MyCite adds the electronic tracking component and, at $1,650 a
    > month, costs almost 30 times as much as a 30-day supply of generic Abilify
    > at a Costco pharmacy.

    How much would a daily visit from a carer cost? If one carer had only three
    people to look after, then this would save nearly $60,000 a year to cover
    their employment. There would also be a number of other benefits, besides
    ensuring that the patient takes their medication.

    > resident physicians in a busy emergency room spent 28 percent of their
    > work time with patients and 43 percent on data entry, during which they
    > made 4,000 keystrokes.

    Providing each physician with a secretary proficient in typing and medical
    terminology would appear to allow them to at least double the time they
    spend with patients, while costing far less than doubling the number of
    physicians.

    But in a Capitalist economy the technological solution is much more
    attractive than the human solution: because there is more profit to be made
    from a technological solution, and profit is everything!

    ------------------------------

    Date: Wed, 15 May 2019 12:29:49 +0100
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Is curing patients a sustainable business model?

    > A friend of mine once opined that advertising was a zero-sum game.

    This is clearly incorrect: it can only be a negative-sum game. The name of
    the game (as with competition in so many other areas) is to try to hurt your
    opponent *more* than you hurt yourself. Then you have "won" the game.

    You seem to think it incredible that billions of dollars spent in
    advertising will actually have a measurable psychological effect on hundreds
    of millions of people. But advertising *works*: otherwise nobody would do
    it!

    > Attempts to introduce competition into the Soviet economy were a disaster.
    > However, attempts to run an economy (the Soviet economy again) without
    > competition were also a disaster.

    This is also factually incorrect.

    This Reddit post gives a carefully argued, factually supported,
    comparison between US capitalism and Soviet communism:



    Let's unpack the idea that "Capitalism works". In the US, the most
    developed Capitalist country, the richest country in the history of the
    world:

    1 out of every 7 US citizens needs to visit food banks to survive, despite
    having enough food to feed 10 billion people. Half of all food produced is
    thrown away by retailers.

    Empty homes outnumber the homeless by 6 to 1. Bank foreclosures and housing
    speculators have left 18.9 million empty homes. 2.5 million homeless
    children, or ~1 / 30. In the UK, there are 10x more empty houses than
    homeless families.

    UNICEF, RESULTS, and Bread for the World estimate that 15 million people die
    each year from preventable poverty, of whom 11 million are children under
    the age of five.

    In the US alone, 20-40k deaths every year because of lack of health
    insurance / care. On average, that's 300k over the last decade.

    Average US household carries ~$140k in debt. Median household income only
    $60k, 40% of millennials live with their parents.

    8 men control as much wealth as half the world's population. Anyone wanna
    take a guess at how this game of monopoly ends?

    80% of US workers live paycheck to paycheck, 40% cannot cover a $400
    emergency.

    US Life expectancy peaked in 2015, is on the decline, and is now lower than
    in China.

    Suicide rates have leaped more than 25% in the last 20 years.

    Committed countless atrocities, killing millions directly and indirectly
    across the globe. Imperialist network of 800 military bases in 70
    countries.

    Most prisoners per capita AND by total. Makes sense, since prison is
    Capitalism's boarding house. Runs at least 54 agricultural slave labor camps.

    Capitalist hegemony has short-circuited people into buying wildly illogical
    and ridiculous propaganda like: "Lift yourselves up by the bootstraps"
    (which shows the almost religious power of capitalist propaganda, that the
    impossible can become possible), or "Communism doesn't work", when in fact
    Communism did work extremely well.

    Examples from this post by /u/bayarea415 about the USSR specifically:

    * USSR had more nutritious food than the US (CIA). Calories consumed
    surpassed the US. Ended famines. Had the 2nd fastest growing economy of
    the 20th century after Japan. The USSR started out at the same level of
    economic development and population as Brazil in 1920, which makes
    comparisons to the US, an already industrialized country by the 1920s,
    even more spectacular.

    * Free Universal Health care, and most doctors per capita in the world. 42
    doctors per 10,000 population, vs 24 in Denmark and Sweden, 19 in US.

    * Had zero unemployment, continuous economic growth for 70 straight years.
    The "continuous" part should make sense --- the USSR was a planned,
    non-market economy, so market crashes à la capitalism were pretty much
    impossible.

    * All education, including university level, free.

    * 99% literacy.

    * Saved the world from Fascism, killing 7 out of every 10 fascist soldiers
    (bore the enormous cost of blood and pain). Nazis were in retreat after
    the battle of Stalingrad in 1942, a full 2 years before the US landed
    troops in Normandy.

    * Doubled life expectancy. Eliminated poverty.

    * End gender inequality. Equal wages for men and women mandated by law, but
    gender inequality, although not as pronounced as under capitalism, was
    perpetuated in social roles. Very important lesson to learn.

    * End racial inequality.

    * Feudalism to space travel in 40 years. First satellite, rocket, space
    walk, woman, man, animal, space station, moon and mars probes.

    * Had zero homelessness. Houses were often shared by two families
    throughout the 20s and 30s--so unlike capitalism, there were no empty
    houses, but the houses were very full. In the 40s there was the war, and
    in the 50s there were a number of orphans from the war. The mass housing
    projects began in the 60s, they were completed in the 70s, and by the 70s,
    there were homeless people, but they often had genuine issues with mental
    health.

    Now let's take a look at what happens after the USSR collapse:

    * Life expectancy decreases by 10 years. 7.7 million excess deaths
    in the first year.

    * 40% of population drops into poverty.

    * GDP instantly halves.

    * One in ten children now live on the streets. Infant mortality increases.
    Was 29.3 in 2003 which is around (current) Syria and Micronesia, 7.9 in
    2013. Infant mortality in USSR was 1.92, literally the lowest in the
    world.

    * 1996 election rigged by the US, Yeltsin sends in tanks to disperse the
    supreme soviet.

    For an overview of the soviet experiment, watch this brilliant talk by
    Michael Parenti, or read his article, Left anticommunism, the unkindest cut.

    Also read this great article by Stephen Gowans, Do publicly owned, planned
    economies work?. Audio on youtube

    Bonus vid about cyber-communism: Paul Cockshott, Going beyond money.

    More sources: Socialism Crash Course, Socialism FAQ, Glossary.

    Follow this link for the above references:



    > a profound discouragement to technical innovation

    That is the propaganda. The reality is (as discussed above):

    If you follow the Reddit links, then you will find that all of the above
    statements are supported with factual documentation. None of your statements
    come with any factual support.

    I am happy to continue the debate, but please can we stick to facts only
    and leave out the opinion and propaganda?

    Note: I am not suggesting that Communism is the ideal. I prefer
    G.K.Chesterton's Distributism to either Capitalism or Communism.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.25
    ************************