Risks Digest

Discussion in 'Gator Bytes' started by LakeGator, Apr 25, 2015.

  1. LakeGator (Mostly Harmless Moderator, VIP Member)
    Risks Digest 31.30

    RISKS List Owner

    Jun 21, 2019 4:58 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 21 June 2019 Volume 31 : Issue 30

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Pilots fret over fire safety of Dreamliner planes, also used by El AL
    (The Times of Israel)
    Top AI researchers race to detect deepfake videos: ``We are outgunned.''
    (Drew Harwell)
    Zuckerfake (Vice)
    Hackers behind dangerous oil and gas intrusions are probing US power grid
    (Ars Technica)
    Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters (NYTimes)
    Auto-renting bugs (Amos Shapir)
    Google: Our way or the Huawei! (Henry Baker)
    Android/iPhone fun -- security, risks...(ToI and UK Mirror)
    New security warning issued for Google's 1.5B Gmail/Calendar Users (Forbes)
    How spammers use Google services (Kaspersky)
    This 'most dangerous' hacking group is now probing power grids
    (Steve Ranger)
    Masters ticket lottery scheme involved identity theft, millions of emails
    (WashPost)
    Facial Recognition: How Emotion Reading Software Will Change Driving
    (Fortune)
    DJI's New Drone for Kids Is a $500 Tank That Fires Lasers and Pellets
    (Bloomberg)
    Your Cadillac Can Now Drive Itself More Places (WiReD)
    Four Ways to Avoid Facial Recognition Online and in Public (Gabe Goldberg)
    Breaking ground, IBM Haifa team holds live robot debate fed by crowd
    arguments (The Times of Israel)
    Apple spent $10,000 repairing his MacBook Pro. There was nothing wrong
    with it. (ZDNet)
    Autonomous vehicles don't need provisions and protocols? (Rob Slade)
    Info stealing Android apps can grab one time passwords to evade 2FA
    protections (ZDNet)
    Facebook Plans Global Financial System Based on Cryptocurrency (NYTimes)
    Libra (Rob Slade)
    Porn trolling mastermind Paul Hansmeier gets 14 years in prison.
    (Ars Technica)
    Mudslide warning system depends on proper boundary file (Dan Jacobson)
    Mom used phone tracking app after daughter missed curfew, found her
    pinned under car 7 hours later (FoxNews)
    In Stores, Secret Surveillance Tracks Your Every Move (NYTimes)
    Was your flight delay due to an IT outage? What a new report on
    airline IT tells us. (ZDNet)
    Patients frustrated over computer system outage at Abrazo Health Hospitals
    (AZFamily)
    Power outage at Greensboro apartments has unintended consequence,
    reveals alleged Medicaid scheme (Monty Solomon)
    Is Target still down? Chain says registers working now after outage.
    (USA Today)
    Instagram Outage Follows Disruption To PlayStation Network (Deadline)
    The PlayStation Network Is Back Up. Here's the Latest on the PSN Outage
    (Digital Trends)
    In the Wiggle of an Ear, a Surprising Insight into Bat Sonar
    (Scientific American)
    'RAMBleed' Rowhammer attack can now steal data, not just alter it (ZDNet)
    Ransomware halts production for days at major airplane parts manufacturer
    (Catalin Cimpanu)
    Study finds that a GPS outage would cost $1 billion per day (Ars Technica)
    Re: GPS Degraded Across Much of U.S (jared gottlieb)
    Did I Tweet that? (Rob Slade)
    Bull and backdoors (Rob Slade)
    Ross Anderson's non-visa (Rob Slade)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 17 Jun 2019 15:21:16 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Pilots fret over fire safety of Dreamliner planes, also used by
    El AL (The Times of Israel)

    Airline pilots have expressed concern over the safety of the Boeing 787
    Dreamliner aircraft after an engine firefighting system was found to be
    faulty. ...

    However, the Federal Aviation Administration (FAA) is not grounding 787s
    even though it says the switch presents a `risk to the flying public'. ...

    ``If there was an engine fire on a transatlantic flight and the aircraft had
    one of the defective fire switches, then we would have to fly with a burning
    wing for up to three hours before we could safely land,'' a British airline
    pilot, who was not identified, told the Observer. ...

    The US aircraft manufacturing giant said less than 1 percent of the switches
    have failed and that it is assisting airlines in dealing with the issue. ...

    ``Engine fires are a very unlikely event and there have been no observed
    engine fires in the 787 fleet history,'' the spokesperson said.

    Pilots fret over fire safety of Dreamliner planes, also used by El AL — report

    Oh, OK then.

    ------------------------------

    Date: June 14, 2019 at 4:09:14 AM GMT+9
    From: Richard Forno <rfo...@infowarrior.org>
    Subject: Top AI researchers race to detect deepfake videos: ``We are outgunned.''
    (Drew Harwell)

    Drew Harwell, WashPost, 12 Jun 2019
    https://www.washingtonpost.com/tech...race-detect-deepfake-videos-we-are-outgunned/

    Top artificial-intelligence researchers across the country are racing to
    defuse an extraordinary political weapon: computer-generated fake videos
    that could undermine candidates and mislead voters during the 2020
    presidential campaign.

    And they have a message: We're not ready.

    The researchers have designed automatic systems that can analyze videos for
    the telltale indicators of a fake, assessing light, shadows, blinking
    patterns -- and, in one potentially groundbreaking method, even how a
    candidate's real-world facial movements -- such as the angle
    they tilt their head when they smile -- relate to one another.

    But for all that progress, the researchers say they remain vastly
    overwhelmed by a technology they fear could herald a damaging new wave of
    disinformation campaigns, much in the same way fake news stories and
    deceptive Facebook groups were deployed to influence public opinion during
    the 2016 election.

    Powerful new AI software has effectively democratized the creation of
    convincing deepfake videos, making it easier than ever to fabricate someone
    appearing to say or do something they didn't really do, from harmless
    satires and film tweaks to targeted harassment and deepfake porn.

    And researchers fear it's only a matter of time before the videos
    are deployed for maximum damage -- to sow confusion, fuel doubt or undermine
    an opponent, potentially on the eve of a White House vote.

    ------------------------------

    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Date: Thu, 13 Jun 2019 03:52:31 -0700
    Subject: Zuckerfake (Vice)

    *A fake video of Mark Zuckerberg giving a sinister speech about the power
    of Facebook has been posted to Instagram. The company previously said it
    would not remove this type of video.*

    EXCERPT:

    Two artists and an advertising company created a deepfake of Facebook
    founder Mark Zuckerberg saying things he never said, and uploaded it to
    Instagram.

    The video, created by artists Bill Posters and Daniel Howe in partnership
    with advertising company Canny, shows Mark Zuckerberg sitting at a desk,
    seemingly giving a sinister speech about Facebook's power. The video is
    framed with broadcast chyrons that say ``We're increasing transparency on
    ads," to make it look like it's part of a news segment...

    This Deepfake of Mark Zuckerberg Tests Facebook’s Fake Video Policies

    ------------------------------

    Date: Sun, 16 Jun 2019 01:02:20 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Hackers behind dangerous oil and gas intrusions are probing US power grid
    (Ars Technica)

    Hackers behind dangerous oil and gas intrusions are probing US power grids

    ------------------------------

    Date: Sun, 16 Jun 2019 00:30:40 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters
    (NYTimes)

    Chinese Cyberattack Hits Telegram, App Used by Hong Kong Protesters

    An attack against the messaging app Telegram and the arrest of a user show how the Hong Kong clash is unfolding digitally, with growing sophistication on both sides.

    ------------------------------

    Date: Fri, 14 Jun 2019 09:10:22 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Auto-renting bugs

    The city of Tel Aviv operates an in-city car renting service named Autotel
    <www.autotel.co.il> controlled by a smartphone application. Users download
    the application and register a credit card; then they can locate a car
    nearby and reserve it for up to 15 minutes. When reaching the car, the
    application is used to unlock the car (the keys are inside); and then to
    lock it at the end of the trip.

    The following tweet by a poster identified as "Nur Lan", has been making
    the rounds lately (my translation): "I reserved a car in the application,
    and after a long walk discovered that the car is not parked where it was
    supposed to be on the map. While looking around, I noticed that the
    application indicates that the car is in motion for the past few minutes.
    So I pressed "end trip"; a minute later I got a call from Autotel: "We do
    not know how it had happened, but someone else took the car on your
    reservation, and now he called in to complain that the engine had turned
    off in the middle of the trip"

    The tweet continues "There are two reasons this is a case of glorious
    misconduct: The first bug, which enables one user to collect another user's
    reservation, is mainly stupid. The second bug, which enables shutting down
    the engine remotely, is negligence which might be lethal. There should be
    no way to shut down an engine remotely, certainly not by a user's
    application".

    "I received a compensation of 20 shekels [about $5.50] for the taxi trip. I
    hope that the other driver's compensation had made his near-death
    experience more profitable".

    There were reports lately of similar occurrences being possible on some
    smart car models, but these at least required hacking the car's system
    first!
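The two bugs in the tweet are both missing checks on the server side of the app: the unlock command was honoured for a user who did not hold the reservation, and an app-originated "end trip" was allowed to act on a car that was moving. The following is an added illustration, not Autotel's code; the class, method and rule names are assumptions, and the replayed sequence is constructed from the tweet. It shows a reservation service that ties every car command to the reservation holder and refuses to end a trip while telemetry reports motion.

```python
"""Authorization model for an app-controlled car-share service.

Added example; this is not Autotel's code and the class, method and rule
names are assumptions. It encodes the two checks the story implies were
missing: (1) only the holder of a car's reservation may unlock it or end
its trip, and (2) a command sent from a user's phone must never stop a car
that is moving, so "end trip" is accepted only once the car is stationary.
"""
import time
from dataclasses import dataclass

RESERVATION_TTL = 15 * 60  # seconds; the story says a reservation holds a car for 15 minutes


class CommandRejected(Exception):
    """Raised when a command fails an authorization or safety check."""


@dataclass
class Car:
    car_id: str
    speed_kmh: float = 0.0  # vehicle telemetry; > 0 means the car is moving
    locked: bool = True


@dataclass
class Reservation:
    user_id: str
    car_id: str
    created_at: float
    active_trip: bool = False  # becomes True once the holder unlocks the car


class CarShareService:
    def __init__(self, now=time.time):
        self.now = now              # injectable clock, for tests
        self.cars = {}              # car_id -> Car
        self.reservations = {}      # car_id -> Reservation (at most one per car)

    def reserve(self, user_id, car_id):
        res = self.reservations.get(car_id)
        if res is not None and (res.active_trip or self.now() - res.created_at < RESERVATION_TTL):
            raise CommandRejected("car already reserved")
        self.reservations[car_id] = Reservation(user_id, car_id, self.now())

    def _held_by(self, user_id, car_id):
        """Return the car's reservation only if user_id holds it and it is live.
        This ownership check is what the first bug in the tweet lacked."""
        res = self.reservations.get(car_id)
        if res is None or res.user_id != user_id:
            raise CommandRejected("no reservation held by this user on this car")
        if not res.active_trip and self.now() - res.created_at >= RESERVATION_TTL:
            raise CommandRejected("reservation expired")
        return res

    def unlock(self, user_id, car_id):
        res = self._held_by(user_id, car_id)
        self.cars[car_id].locked = False
        res.active_trip = True

    def end_trip(self, user_id, car_id):
        self._held_by(user_id, car_id)
        car = self.cars[car_id]
        # Second bug: an app command must never interfere with a moving car.
        if car.speed_kmh > 0:
            raise CommandRejected("car is in motion; end the trip after parking")
        car.locked = True
        del self.reservations[car_id]


def replay_tweet_scenario():
    """Replay the constructed sequence from the tweet against the hardened
    service and report how each step is handled."""
    svc = CarShareService()
    svc.cars["car-1"] = Car("car-1")
    outcomes = {}

    svc.reserve("nur", "car-1")
    try:                                    # the "someone else" from the tweet
        svc.unlock("other-driver", "car-1")
        outcomes["other_user_unlock"] = "allowed"
    except CommandRejected as exc:
        outcomes["other_user_unlock"] = f"rejected: {exc}"

    svc.unlock("nur", "car-1")
    svc.cars["car-1"].speed_kmh = 50.0      # telemetry says the car is moving
    try:
        svc.end_trip("nur", "car-1")
        outcomes["end_trip_while_moving"] = "allowed"
    except CommandRejected as exc:
        outcomes["end_trip_while_moving"] = f"rejected: {exc}"

    svc.cars["car-1"].speed_kmh = 0.0       # parked
    svc.end_trip("nur", "car-1")
    outcomes["end_trip_parked"] = "allowed"
    return outcomes


if __name__ == "__main__":
    for step, outcome in replay_tweet_scenario().items():
        print(f"{step}: {outcome}")
```

The design point is that the safety rule lives in the backend, not the phone: even a compromised or buggy client cannot issue an engine-affecting command, because the only state change the server will make on a moving car is none at all.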

    ------------------------------

    Date: Wed, 12 Jun 2019 08:27:56 -0700
    From: Henry Baker <hba...@pipeline.com>
    Subject: Google: Our way or the Huawei!

    ``Google's recent discussions with the US government actually argue that the
    Huawei ban is bad for national security. Google is reportedly asking for an
    exemption from the export ban.''

    I asked Google Translate what to make of this Googledegook, and
    she provided several possibilities:

    ``Nice little Android monopoly you have there, Google; it would be a
    shame if anything happened to it.''

    ``NSA on Huawei's new OS plans: we're forked!''

    Report: Google argues the Huawei ban would hurt its Android monopoly
    Export ban would create a competitor to US operating systems, argues Google.
    "Keep your friends close, and your enemies closer"

    Ron Amadeo - Jun 7, 2019 8:15 pm UTC

    The Trump administration would probably describe its Huawei export ban as a
    move that improves national security by keeping China's pet telecom company
    out of the US market. According to a report from The Financial Times,
    Google's recent discussions with the US government actually argue that the
    Huawei ban is bad for national security. Google is reportedly asking for an
    exemption from the export ban.

    The argument, reportedly, is that Huawei is currently dependent on Google
    for its Android smartphone software, and that dependence is a good thing for
    the US. The Financial Times quotes "one person with knowledge of the
    conversations" as saying, "Google has been arguing that by stopping it from
    dealing with Huawei, the US risks creating two kinds of Android operating
    system: the genuine version and a hybrid one. The hybrid one is likely to
    have more bugs in it than the Google one, and so could put Huawei phones
    more at risk of being hacked, not least by China."

    Today, non-Google Play versions of Android exist in China, but it's rare
    that any of them are significantly different from a Google version of
    Android beyond the pre-loaded app selection. Chinese manufacturers are
    still global smartphone distributors, so they all build Google-approved
    Android OSes for the non-Chinese market. What usually happens is that a
    single OS goes through the Google testing process, then it gets split into
    two versions. Internationally, it gets the Google Apps; in China, it gets a
    China-centric app selection.

    So while these Chinese Android OSes are still technically Android forks,
    because they don't ship with Google Play, they are not that different from
    Google-approved Android. Google's control over the Android ecosystem --
    even when devices don't use the Google apps -- means there is still some
    level of security and updatability going into these devices. Google's first
    argument in that Financial Times report is that more secure devices are
    better for national security.

    The second argument in the above quote is that a ban would `create two kinds
    of Android' and hurt Google's monopoly over Android. If you're a smartphone
    manufacturer looking for a smartphone OS, Android is the only game in town.
    The latest worldwide OS market share numbers from the IDC show an 86.6/13.3
    percent share between Android and iOS, respectively, with "Other" clocking
    in at 0.0 percent market share. Taken as a whole, the US has a smartphone
    OS monopoly.

    For companies that aren't Apple, it's Android or nothing, and Google
    controls Android, both the direction of the OS itself and the OS's app
    ecosystem. Weaning Huawei off its Google dependence would
    theoretically lead the company to create some kind of viable,
    China-powered, China-controlled Android operating system that would
    then be distributed to the rest of the world. Android is open source,
    so there's nothing stopping anyone from doing this now, but part of
    Google's control strategy is to create tools and updates that are so
    good that no one wants to compete with them. Cutting Huawei off from
    those updates would force that company to create a competitor.

    Banning Huawei from dealing with US companies is definitely a
    double-edged sword. Huawei would have a tough time building
    smartphones or an app ecosystem without the help of US-originated
    technology and app developers, but US hardware and software companies
    would lose access to the second largest smartphone maker in the world.

    Really, the two outcomes here, if the export ban holds up, are that
    either (1) Huawei can't handle the export ban and shuts down, like ZTE
    did, or (2) Huawei weathers the storm and rises as a rebuilt, fully US
    independent smartphone company. Google's argument is basically along
    the lines of that old saying, ``Keep your friends close and your
    enemies closer.''


    Huawei's alternative OS said to be faster than Android, attracting the
    attention of other vendors
    Chris Hall | 12 June 2019

    ------------------------------

    Date: Mon, 17 Jun 2019 17:10:53 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Android/iPhone fun -- security, risks...(ToI and UK Mirror)

    Israeli tech company says it can break into all iPhones ever made, some
    Androids | The Times of Israel

    Android warning: Dangerous malware discovered pre-installed on THESE
    smartphones

    ------------------------------

    Date: Sat, 15 Jun 2019 20:21:17 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: New security warning issued for Google's 1.5B Gmail/Calendar Users
    (Forbes)

    Google's Gmail email service is used by upwards of 1.5 billion
    people. The Google Calendar app, meanwhile, has been downloaded more
    than a billion times from the Play Store. Security researchers have
    this week warned that threat actors are exploiting the popularity of
    both in order to target users with a credential-stealing attack.
    Here's what you need to know.

    New Security Warning Issued For Google's 1.5 Billion Gmail And Calendar Users

    ------------------------------

    Date: Sat, 15 Jun 2019 20:22:08 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: How spammers use Google services (Kaspersky)

    Kaspersky, 10 Jun 2019

    As you know, Google is not just a search tool, but multiple services used by
    billions of people every day: Gmail, Calendar, Google Drive, Google Photos,
    Google Translate, the list goes on. And they are all integrated with each
    other. Calendar is linked to Gmail, Gmail to Google Drive, Google Drive to
    Google Photos, and so on.

    It's all very handy -- register once and away you go. And there's no need to
    mess around moving files and data between services; Google does everything
    for you. The downside is that online fraudsters have learned to exploit the
    convenience of Google services to send spam or worse.

    How spammers use Google services

    ------------------------------

    Date: Tue, 18 Jun 2019 11:11:01 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "This 'most dangerous' hacking group is now probing power grids"
    (Steve Ranger)

    Steve Ranger, Cyberwar and the Future of Cybersecurity, 14 Jun 2019

    This 'most dangerous' hacking group is now probing power grids | ZDNet
    Hackers that tried to interfere with the safety systems of an industrial
    plant are now looking at power utilities too.

    opening text:

    A hacking group described as the 'most dangerous threat' to industrial
    systems has taken a close interest in power grids in the US and elsewhere,
    according to a security company.

    ------------------------------

    Date: Tue, 18 Jun 2019 16:02:55 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Masters ticket lottery scheme involved identity theft, millions of
    emails (WashPost)

    https://www.washingtonpost.com/spor...lottery-using-identity-theft-millions-emails/

    ------------------------------

    Date: Wed, 12 Jun 2019 15:10:49 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Facial Recognition: How Emotion Reading Software Will Change Driving
    (Fortune)

    This will mean that automakers may come to build vehicles that may adjust
    comfort factors like heat, lighting, and entertainment based on visual cues
    from their individual occupants -- features that could be especially
    appealing as more autonomous cars hit the roads.

    ``It's really important technology not only have IQ, but lots of EQ too,''
    said el Kaliouby, speaking on Tuesday morning at Fortune's CEO Initiative in
    New York.

    She added that building empathy into machines is especially important given
    that humans use words for only 7% of their communications. The other 93%, el
    Kaliouby says, consists of vocal intonations, expression, and body language.

    http://fortune.com/2019/06/11/facial-recognition-cars/

    Car tweaking entertainment, heat, lighting (?!) is about as appealing as a
    visit from one of the bad Terminators.

    ------------------------------

    Date: Thu, 13 Jun 2019 03:51:26 -0700
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: DJI's New Drone for Kids Is a $500 Tank That Fires Lasers and Pellets
    (Bloomberg)

    *The king of quadcopters is betting on a build-your-own set to get
    students excited about robotics.*

    EXCERPT:

    DJI, the world's largest drone maker, has come down to Earth.

    On June 11, the company most closely associated with quadcopters plans to
    unveil a toaster-size robotic tank called the RoboMaster S1. Made of
    plastic and metal, it has four wheels, a rectangular base, and a gun turret
    that can swivel and fire lasers or tiny plastic pellets. Unlike DJI's
    flying drones, which do everything from taking pretty pictures to
    fertilizing fields, the RoboMaster is part teaching tool and part battle
    bot. The odd contraption ships as a kit that people must assemble, learning
    about robotics and software along the way.

    ``By doing the assembly process, you get to understand what each part is
    used for and what the principles are behind it,'' says Shuo Yang, one of the
    lead engineers. ``We want it to look like an interesting toy that then
    teaches basic programming and mechanical knowledge.'' Once built, the
    RoboMaster S1 can be used to blast away at other S1s during some good,
    old-fashioned at-home family combat...

    https://www.bloomberg.com/news/arti...master-s1-drone-tank-fires-lasers-and-pellets

    ------------------------------

    Date: Mon, 17 Jun 2019 23:05:42 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Your Cadillac Can Now Drive Itself More Places (WiReD)

    Cadillac Super Cruise, the luxury automaker's hands-off driver assistance
    system, will by the end of the year work on more than 200,000 miles of
    highway in the US and Canada, 35 percent more territory than it covered when
    it launched in 2017. The bulk of the new miles come from divided highways --
    the sort of road where Tesla's Autopilot system has suffered two
    high-profile deadly crashes, and where Cadillac's engineers are confident
    their system can do better.

    Super Cruise drivers -- the system is available only on the CT6 sedan, and
    is moving to the CT5 sedan next year -- have to trek to their dealer to get
    the software upgrade to take advantage of the newly added parts of the
    map. The process is free, and takes about an hour. After that, Cadillac will
    send out the updated maps via over-the-air software updates starting this
    summer and into the fall.

    https://www.wired.com/story/your-cadillac-can-now-drive-itself-more-places/

    Yum -- tasty updates over-the-air. What could go wrong?

    ------------------------------

    Date: Tue, 11 Jun 2019 16:06:51 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Four Ways to Avoid Facial Recognition Online and in Public

    1. Disabling Facial Recognition on Facebook

    2. Use FaceShield When Uploading Photos

    3. Use Hair and Makeup to Fool Facial Recognition

    4. Use Clothing to Distract Facial Recognition

    https://www.makeuseof.com/tag/avoid-facial-recognition/

    Pretty funny. Wait, not entirely...

    ------------------------------

    Date: Tue, 18 Jun 2019 17:00:26 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Breaking ground, IBM Haifa team holds live robot debate fed by
    crowd arguments (The Times of Israel)

    The tech, when commercialized, could help companies and governments collect
    opinions, make more informed decisions.

    https://www.timesofisrael.com/break...lds-live-robot-debate-fed-by-crowd-arguments/

    ...or deliberately/inadvertently biased decisions, or decisions that common
    sense would rule out. And, most likely, decisions that can't be explained.

    ------------------------------

    Date: Wed, 12 Jun 2019 09:52:58 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Apple spent $10,000 repairing his MacBook Pro. There was nothing
    wrong with it. (ZDNet)

    Apple spent $10,000 repairing his MacBook Pro. There was nothing wrong with it
    This may be the most absurd, convoluted Apple repair story you've ever heard.
    Chris Matyszczyk for Technically Incorrect | June 12, 2019
    https://www.zdnet.com/article/apple...-macbook-pro-there-was-nothing-wrong-with-it/

    selected text:

    Don't turn your screen brightness off. The Pro may go dark for a very long
    time.

    "So after losing about two weeks of my time, >$10,000 in Apple warranty
    repairs (two logic boards, new cables, and a complete replacement of a
    >$7,000 computer), troubleshooting input from several Apple Geniuses, level
    1 and 2 tech support from Apple Corporate, diagnostic tests at the Apple
    Store, and diagnostic tests twice at Apple's repair facility in Texas; what
    was the root issue?" says Benz, knowing how to hang a cliff hanger.

    He seems, you see, to be made of determined innards. He went to yet another
    Apple Genius and this one proved to be true to his moniker. Or, perhaps, he
    just stopped and thought a little longer than his fellow experts.

    You see, he diagnosed there was nothing wrong with Benz's MacBook Pro. The
    issue, if you want to call it that, was that the screen brightness was
    turned all the way off.

    ------------------------------

    Date: Fri, 14 Jun 2019 11:36:49 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Autonomous vehicles don't need provisions and protocols?

    I'm at a conference on "Smart Cities." Lots of verbiage on IoT, etc. Last
    speaker of the day is pontificating on all kinds of security and technology
    buzzwords. And, at one point, he says that cities have to work on protocols
    for the provision of "autonomous vehicles."

    Excuse me?

    I mean, there are all kinds of transport and transit systems, and some of
    them involve a lot of technology, and a number of them will need provisions
    and protocols. But ...

    What part of "autonomous" do you not understand? Autonomous means that it
    works by itself. It doesn't need your provision. It doesn't need your
    protocols. It is designed, as far as possible, to work by itself. That
    means your protocols are basically irrelevant.

    OK, you can design some regulatory protocols if you wish. But you are one
    city. Even if you are New York, you are a small part of the vehicle
    market. The manufacturers are going to build what they think will sell.
    Worldwide. If you want to create a regulatory protocol, fine. Just don't
    expect anyone to care, if it gets in the way of functions or sales.

    ------------------------------

    Date: Tue, 18 Jun 2019 11:32:01 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Info stealing Android apps can grab one time passwords to evade
    2FA protections" (ZDNet)

    https://www.zdnet.com/article/info-...ow-access-passwords-to-avoid-2fa-protections/

    Info stealing Android apps can grab one time passwords to evade 2FA protections
    Google restricted SMS controls. Hackers found a way around it.
    Charlie Osborne for Zero Day | 18 Jun 2019

    ------------------------------

    Date: Tue, 18 Jun 2019 11:07:26 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Facebook Plans Global Financial System Based on Cryptocurrency
    (The New York Times)

    https://www.nytimes.com/2019/06/18/technology/facebook-cryptocurrency-libra.html

    News that sounds like a joke. WHAT could go wrong...

    ------------------------------

    Date: Tue, 18 Jun 2019 12:00:36 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Libra

    Facebook wants to start a cryptocurrency, and become your bank. Yes, that
    Facebook, the one that has proven to be so untrustworthy with all the data
    entrusted to it so far. Now you want to give it details on all your banking
    transactions and purchases? Besides, with most current cryptocurrency
    implementations, don't you get to "unmask" all the transactions if you own
    the whole blockchain? And who is going to own the whole Libra blockchain?

    Then there is the spin on this. Facebook is "doing good" with Libra,
    because almost two billion people don't have bank accounts, and with Libra,
    they can! (Only, if they don't have bank accounts now, how on earth are
    they going to put money into Libra, or get it out?)

    And, given that estimates for Bitcoin operation (let alone mining)
    approximate the power and carbon footprint of a medium-sized country, what
    is going to happen to global warming with Facebook pushing Libra to all of
    its mindless zombie hordes?

    OK, Libra is going to be a "stablecoin," and therefore mining isn't an
    issue, but how extensively has it been tested before you release it for
    trial by every hacker in the world? OK, yes, the major credit cards are on
    board (is SET coming back?), but is it really ready for prime time?

    ------------------------------

    Date: Sun, 16 Jun 2019 01:04:05 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Porn trolling mastermind Paul Hansmeier gets 14 years in prison.
    (Ars Technica)

    https://arstechnica.com/tech-policy...rmind-paul-hansmeier-gets-14-years-in-prison/

    ------------------------------

    Date: Sat, 15 Jun 2019 08:07:12 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Mudslide warning system depends on proper boundary file

    No matter how good a mudslide warning system is, if a government boundary
    file places cell towers in the wrong district, phones in district B will get
    warnings intended for district A, and phones in district A won't get any
    warnings at all.
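The failure described here is a data-integrity problem upstream of the warning logic: the alert is correct, but the lookup from cell tower to district is wrong, so the right message reaches the wrong phones. The following is an added example, not code from the digest or from any real warning system; the districts, tower positions, phone attachments and function names are all constructed. It reproduces the mis-delivery with a boundary file whose district labels are swapped, and shows the pre-deployment check (comparing the file's tower assignments against an independently surveyed tower register) that would have caught it.

```python
"""Checking a district boundary file before it drives cell-broadcast alerts.

Added example, not code from the digest or from any warning system. The
districts, polygons, tower positions and phone-to-tower attachments are
constructed; the function names are assumptions. It shows how a boundary
file that mislabels districts silently routes district A's warning to
district B's phones, and a validation step that catches the mislabelling
before the file goes live.
"""


def point_in_polygon(x, y, polygon):
    """Ray-casting containment test; polygon is a list of (x, y) vertices."""
    inside = False
    n = len(polygon)
    for i in range(n):
        x1, y1 = polygon[i]
        x2, y2 = polygon[(i + 1) % n]
        if (y1 > y) != (y2 > y):                      # edge straddles the scan line
            x_cross = x1 + (y - y1) * (x2 - x1) / (y2 - y1)
            if x < x_cross:
                inside = not inside
    return inside


def assign_towers(boundaries, towers):
    """Map each tower id to the district whose polygon contains it (None if none)."""
    return {
        tower_id: next((d for d, poly in boundaries.items() if point_in_polygon(x, y, poly)), None)
        for tower_id, (x, y) in towers.items()
    }


def alert_recipients(boundaries, towers, phones, district):
    """Phones that would receive a warning issued for `district`."""
    assignment = assign_towers(boundaries, towers)
    return sorted(p for p, tower in phones.items() if assignment.get(tower) == district)


def validate_boundary_file(boundaries, towers, register):
    """Towers whose computed district disagrees with a known-good tower register.
    A boundary file should only go live when this list is empty."""
    computed = assign_towers(boundaries, towers)
    return sorted(t for t, d in register.items() if computed.get(t) != d)


# Constructed geography: two adjacent square districts on a flat grid.
GOOD_FILE = {"A": [(0, 0), (10, 0), (10, 10), (0, 10)],
             "B": [(10, 0), (20, 0), (20, 10), (10, 10)]}
BAD_FILE = {"A": GOOD_FILE["B"], "B": GOOD_FILE["A"]}   # district labels swapped
TOWERS = {"t1": (5, 5), "t2": (15, 5)}                   # t1 sits in A, t2 in B
PHONES = {"p1": "t1", "p2": "t1", "p3": "t2"}            # phone -> serving tower
REGISTER = {"t1": "A", "t2": "B"}                         # independently surveyed

if __name__ == "__main__":
    print("good file, alert for A:", alert_recipients(GOOD_FILE, TOWERS, PHONES, "A"))
    print("bad file, alert for A: ", alert_recipients(BAD_FILE, TOWERS, PHONES, "A"))
    print("bad file mismatches:   ", validate_boundary_file(BAD_FILE, TOWERS, REGISTER))
```

With the swapped file, a warning for district A reaches only p3 (which is physically in B) while p1 and p2 in A receive nothing for their own district, exactly the outcome the item describes; the register comparison flags both towers before the file is used.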

    ------------------------------

    Date: Sat, 15 Jun 2019 20:14:44 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Mom used phone tracking app after daughter missed curfew, found her
    pinned under car 7 hours later (FoxNews)

    http://www.fox13news.com/news/mom-u...rfew-found-her-pinned-under-car-7-hours-later

    ------------------------------

    Date: Sun, 16 Jun 2019 01:54:02 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: In Stores, Secret Surveillance Tracks Your Every Move (NYTimes)

    *As you shop, `beacons' are watching you, using hidden technology in your
    phone.*

    EXCERPT:

    Imagine you are shopping in your favorite grocery store. As you approach the
    dairy aisle, you are sent a push notification in your phone: 10% off your
    favorite yogurt! Click here to redeem your coupon. You considered buying
    yogurt on your last trip to the store, but you decided against it. How did
    your phone know?

    Your smartphone was tracking you. The grocery store got your location data
    and paid a shadowy group of marketers to use that information to target you
    with ads. Recent reports have noted how companies use data gathered from
    cell towers, ambient Wi-Fi, and GPS. But the location data industry has a
    much more precise, and unobtrusive, tool: Bluetooth beacons.

These beacons are small, unobtrusive electronic devices that are hidden
    throughout the grocery store; an app on your phone that communicates with
    them informed the company not only that you had entered the building, but
    that you had lingered for two minutes in front of the low-fat Chobanis.

    Most location services use cell towers and GPS, but these technologies have
    limitations. Cell towers have wide coverage, but low location accuracy: An
    advertiser can think you are in Walgreens, but you're actually in McDonald's
    next door. GPS, by contrast, can be accurate to a radius of around five
    meters (16 feet), but it does not work well indoors.

    Bluetooth beacons, however, can track your location accurately from a range
    of inches to about 50 meters. They use little energy, and they work well
    indoors. That has made them popular among companies that want precise
    tracking inside a store....

    https://www.nytimes.com/interactive/2019/06/14/opinion/bluetooth-wireless-tracking-privacy.html

    [Also noted by Gabe Goldberg. PGN]

    ------------------------------

    Date: Sat, 15 Jun 2019 20:18:27 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Was your flight delay due to an IT outage? What a new report on
    airline IT tells us. (ZDNet)

    ... From 2015 through 2017, most airline IT outages were serious
    enough to disrupt flights, according to a government agency, but the
    full impact of the industry's IT problems is hard to calculate.

    https://www.zdnet.com/article/was-y...age-what-a-new-report-on-airline-it-tells-us/

    ------------------------------

    Date: Sat, 15 Jun 2019 20:16:23 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Patients frustrated over computer system outage at Abrazo Health Hospitals.
    (AZFamily)

    https://www.azfamily.com/news/patie...cle_099c9d74-8f23-11e9-8030-2b5b391b080a.html

    ------------------------------

    Date: Sat, 15 Jun 2019 20:17:30 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Power outage at Greensboro apartments has unintended consequence,
    reveals alleged Medicaid scheme

    https://www.greensboro.com/power-ou...cle_5f215b6e-3713-567d-908a-7873cfea3a6b.html

    ------------------------------

    Date: Sat, 15 Jun 2019 20:10:14 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Is Target still down? Chain says registers working now after outage.
    (USA Today)

    https://www.usatoday.com/story/mone...hoppers-reporting-outage-saturday/1465476001/

    ------------------------------

    Date: Sat, 15 Jun 2019 20:15:25 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Spotify outage not related to today's update, company is
    working on a fix. (TechCrunch)

    https://techcrunch.com/2019/06/13/s...to-todays-update-company-is-working-on-a-fix/

    ------------------------------

    Date: Sat, 15 Jun 2019 20:13:40 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Instagram Outage Follows Disruption To PlayStation Network (Deadline)

    https://deadline.com/2019/06/instagram-outage-follows-disruption-to-playstation-network-1202632448/

    ------------------------------

    Date: Sat, 15 Jun 2019 20:16:45 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: The PlayStation Network Is Back Up. Here's the Latest on the PSN
    Outage (Digital Trends)

    https://www.digitaltrends.com/gaming/playstation-network-psn-down-outage-updates/

    ------------------------------

    Date: Mon, 17 Jun 2019 16:43:01 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: In the Wiggle of an Ear, a Surprising Insight into Bat Sonar
    (Scientific American)

    https://www.scientificamerican.com/...f-an-ear-a-surprising-insight-into-bat-sonar/

    "...the two researchers developed an artificial horseshoe bat ear out of
    silicon, with devices called 'fast actuators' that move different parts of
    the ear in the same way bats do. These movements also added Doppler shifts
    to incoming sounds."

    Bats apply Doppler shift detection from echolocation stimulus to locate
    meals, navigate, and dodge flying or static obstacles.

    The research suggests that delivery drones might someday be equipped with
    artificial bat ears to assist drone navigation of the sky. The sky is
    "complicated and unpredictable": trees, telephone poles, aircraft, birds,
    bugs -- all kinds of obstacles that can interfere with drone delivery.

    Delivery zones with buried power lines, and sparse foliage or tree cover
    might only require GPS navigation to complete their route. But a heavy
    population center or a suburban landscape with telephone poles, or
    tree-lined streets might require echolocation and GPS to reach their
    destination.

    Correlating GPS and echolocation signals to reach fixed coordinates presents
    a complicated, challenging problem.

    Cruise missiles (CMs) can achieve payload delivery using nap-of-the-earth
    navigation and RADAR, though CMs are unlikely concerned with telephone
poles, foliage, road signs, billboards, etc.

    Risk: Ultrasonic sensor overload, sensor image correlation failure.

    ------------------------------

    Date: Wed, 12 Jun 2019 09:43:20 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: 'RAMBleed' Rowhammer attack can now steal data, not just alter it
    (ZDNet)

    https://www.zdnet.com/article/rambleed-rowhammer-attack-can-now-steal-data-not-just-alter-it/
    'RAMBleed' Rowhammer attack can now steal data, not just alter it
    Academics detail new Rowhammer attack named RAMBleed.
    By Catalin Cimpanu for Zero Day | June 11, 2019 -- 17:00 GMT (10:00 PDT) |

    opening text:

    A team of academics from the US, Austria, and Australia, has published new
    research today detailing yet another variation of the Rowhammer attack.

The novelty in this new Rowhammer variety -- which the research team has
named RAMBleed -- is that it can be used to steal information from a
targeted device, as opposed to altering existing data or elevating an
attacker's privileges, as all previous Rowhammer attacks have done in the
past.

    ------------------------------

    Date: Fri, 14 Jun 2019 10:05:38 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Ransomware halts production for days at major airplane parts
    manufacturer" (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | June 12, 2019

    https://www.zdnet.com/article/ranso...or-days-at-major-airplane-parts-manufacturer/
    Ransomware halts production for days at major airplane parts manufacturer
    Nearly 1,000 employees sent home for the entire week, on paid leave.

    opening text:

    ASCO, one of the world's largest suppliers of airplane parts, has ceased
    production in factories across four countries due to a ransomware infection
    reported at its plant in Zaventem, Belgium.

    ------------------------------

    Date: Sun, 16 Jun 2019 01:51:40 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Study finds that a GPS outage would cost $1 billion per day
    (Ars Technica)

    https://arstechnica.com/science/2019/06/study-finds-that-a-gps-outage-would-cost-1-billion-per-day/

    ------------------------------

    Date: Sun, 16 Jun 2019 19:06:52 -0600
    From: jared gottlieb <ja...@netspace.net.au>
    Subject: Re: GPS Degraded Across Much of U.S (RISKS-31.29)

    This event seems to be a software bug in a system processing GPS data. A
    bulletin from one manufacturer discussing one model of a commercial aviation
    GPS receiver,
(https://www.duncanaviation.aero/files/intellegence/GPS_CustomerComm_FINAL.pdf):

    Our team has been actively working to determine a root cause. We found that
    a software design error resulted in the system misinterpreting GPS time
    updates due to a leap-second event, which typically occurs once every 2.5
    years within the U.S. Government GPS satellite almanac update. Our
    GPS-4000S-100 version software's timing calculations have reacted to this
    leap second by not tracking satellites upon power-up and subsequently
    failing. The U.S. Government distributed a regularly scheduled almanac
    update with this leap second on 0:00GMT, Sunday, June 9, 2019, and the
    failures began to occur soon after. The next scheduled update by the
    U.S. Government to the GPS constellation is set for next Sunday, June 16 at
00:00Z. At this time, we do not believe this update will have the time
    information that triggers this error. We are testing additional impact of
    this next almanac update. ...>>

    Handling leap seconds is a software risk which has affected many systems
    beyond GPS receivers (a few of which have appeared in comp.risks). GPS
    receivers have had other time concerns, perhaps most recently the 6 April
2019 week number rollover if a receiver used the legacy 10-bit value and
    firmware updates were not available or applied.

What the almanac update issue was, or why it would be experienced with this
one update, is not clear. There has not been a leap second for more than two
years and none is currently planned (IERS Bulletin C ... announcements of the
leap seconds...
https://datacenter.iers.org/data/latestVersion/16_BULLETIN_C16.txt).

Testing of this receiver's software is extended by the `power-up'
pre-condition mentioned in the bulletin; an aircraft manufacturer's notice
illustrates the complexity of this unit's initiation:
https://support.cessna.com/custsupt/contacts/pubs/ourpdf.pdf?as_id=50304

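The two time-handling hazards named in the post, the GPS-to-UTC leap-second offset and the legacy 10-bit week counter that rolled over on 6 April 2019, are easy to get wrong and easy to test. The following is an added example, not code from the post, the bulletin or any receiver vendor. It assumes the published table of GPS-UTC offsets (0 s at the 1980-01-06 epoch, 18 s since 2017-01-01) and shows how a receiver can resolve a 10-bit week only by anchoring it to a reference date it knows is not in the future, such as its firmware build date.

```python
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
GPS_EPOCH = datetime(1980, 1, 6, tzinfo=UTC)
SECONDS_PER_WEEK = 7 * 86400

# Published GPS-UTC offsets: (UTC date on which the new offset took effect, offset).
# GPS time is not adjusted for leap seconds, so the gap has grown from 0 s to 18 s.
LEAP_STEPS = [
    ((1981, 7, 1), 1), ((1982, 7, 1), 2), ((1983, 7, 1), 3), ((1985, 7, 1), 4),
    ((1988, 1, 1), 5), ((1990, 1, 1), 6), ((1991, 1, 1), 7), ((1992, 7, 1), 8),
    ((1993, 7, 1), 9), ((1994, 7, 1), 10), ((1996, 1, 1), 11), ((1997, 7, 1), 12),
    ((1999, 1, 1), 13), ((2006, 1, 1), 14), ((2009, 1, 1), 15), ((2012, 7, 1), 16),
    ((2015, 7, 1), 17), ((2017, 1, 1), 18),
]


def _step_in_gps_seconds(ymd, offset):
    """GPS second at which a new offset applies: the UTC instant plus the new offset."""
    utc_instant = datetime(*ymd, tzinfo=UTC)
    return int((utc_instant - GPS_EPOCH).total_seconds()) + offset


_STEPS_GPS = [(_step_in_gps_seconds(ymd, off), off) for ymd, off in LEAP_STEPS]


def gps_utc_offset(gps_seconds):
    """GPS-UTC offset (seconds) in effect at a count of GPS seconds since the epoch."""
    offset = 0
    for step, new_offset in _STEPS_GPS:
        if gps_seconds >= step:
            offset = new_offset
    return offset


def gps_to_utc(week, tow):
    """Convert a full GPS week number and time-of-week (seconds) to UTC.
    The inserted second 23:59:60 cannot be represented by datetime; it collapses
    onto 00:00:00 of the next day, the usual naive behaviour, which is exactly
    the kind of edge a receiver's timing code has to be tested against."""
    gps_seconds = week * SECONDS_PER_WEEK + tow
    return GPS_EPOCH + timedelta(seconds=gps_seconds - gps_utc_offset(gps_seconds))


def week_number(when):
    """Full GPS week number containing the UTC datetime `when`."""
    return int((when - GPS_EPOCH).total_seconds()) // SECONDS_PER_WEEK


def disambiguate_week(week10, reference):
    """Recover the full week from a legacy 10-bit week counter.
    `reference` is a UTC datetime the receiver knows is not in the future
    (e.g. its firmware build date): the result is the first week on or after
    that date whose low 10 bits match. With the reference stuck at the 1980
    epoch, the counter wraps back to 1980 every 1024 weeks."""
    if not 0 <= week10 < 1024:
        raise ValueError("10-bit week number out of range")
    ref_week = week_number(reference)
    candidate = (ref_week // 1024) * 1024 + week10
    if candidate < ref_week:
        candidate += 1024
    return candidate


if __name__ == "__main__":
    print("week 2048 starts at", gps_to_utc(2048, 0), "UTC")
    print("10-bit week 0 with a 2019 reference is full week",
          disambiguate_week(0, datetime(2019, 1, 1, tzinfo=UTC)))
    print("10-bit week 0 with the 1980 epoch as reference is full week",
          disambiguate_week(0, GPS_EPOCH))
```

The leap-second table is the piece that has to be updated from the satellite almanac (or a firmware release) over a receiver's lifetime, so a unit test that feeds each step boundary and the 1024-week wrap through these two functions is the minimum check worth having.
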
    ------------------------------

    Date: Sat, 15 Jun 2019 10:22:39 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Did I Tweet that?

    A researcher has noted that Twitter reference URLs can be manipulated to
    make it appear someone said/tweeted something when they actually didn't.

    https://www.bleepingcomputer.com/ne...be-manipulated-to-spread-fake-news-and-scams/

    So, I tweeted a warning:


    Well, of course, actually, no I didn't. If you look closely at the
    resulting page, you'll see it isn't my account at all. Twitter doesn't care
    what account you put in the URL: it just cares about the tweet status ID.

    Donald Trump is so concerned that he retweeted my warning:


    So did the Queen:


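The misattribution works because the account name in the path is decorative and only the numeric status ID is authoritative. A defender's check is therefore to parse the URL, look the status ID up against an authoritative source and compare the real author with the name the link claims. The following is an added example, not code from the post; the lookup table stands in for a real API query, and the status ID and account names in it are constructed.

```python
import re
from urllib.parse import urlparse

# Accepts /<screen_name>/status/<id> and the older /statuses/ spelling.
_STATUS_PATH = re.compile(r"^/([A-Za-z0-9_]{1,15})/status(?:es)?/(\d+)/?$")
_HOSTS = {"twitter.com", "www.twitter.com", "mobile.twitter.com"}

# Constructed stand-in for an authoritative lookup (the platform's API in practice):
# status ID -> screen name of the account that actually posted it.
AUTHORITATIVE_AUTHORS = {
    "1000000000000000001": "real_author",
}


def parse_status_url(url):
    """Return (claimed_screen_name, status_id) or None if the URL is not a status link."""
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or parts.netloc.lower() not in _HOSTS:
        return None
    match = _STATUS_PATH.match(parts.path)
    if not match:
        return None
    return match.group(1), match.group(2)


def check_attribution(url, lookup=AUTHORITATIVE_AUTHORS):
    """Classify a status link: 'invalid' (not a status URL), 'unknown' (ID not
    resolvable), 'match' or 'mismatch'. The second element is the canonical URL
    naming the real author, which is what should be displayed or shared."""
    parsed = parse_status_url(url)
    if parsed is None:
        return ("invalid", None)
    claimed, status_id = parsed
    actual = lookup.get(status_id)
    if actual is None:
        return ("unknown", None)
    canonical = "https://twitter.com/%s/status/%s" % (actual, status_id)
    if claimed.lower() == actual.lower():
        return ("match", canonical)
    return ("mismatch", canonical)


if __name__ == "__main__":
    for link in (
        "https://twitter.com/real_author/status/1000000000000000001",
        "https://twitter.com/someone_famous/status/1000000000000000001",
    ):
        print(link, "->", check_attribution(link))
```

The only part that needs a network in real use is the lookup; everything else is string handling, and the canonical URL it returns is what a link-preview or moderation pipeline should substitute for the user-supplied one.
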
    ------------------------------

    Date: Fri, 14 Jun 2019 09:34:06 -0700
    From: Rob Slade <rmsladeshaw.ca>
    Subject: Bull and backdoors

    We're binge-watching a TV show called "Bull." (For years I've had to be
    careful about watching movies and TV with a high tech or security theme,
    since they make so many mistakes. Apparently, having spent a couple of
    decades teaching American law to Americans, I now have to avoid legal TV
    shows and movies as well.)

    In one episode (s3e4) they have a computer expert (someone who can program)
    giving testimony. He is to explain a "backdoor."

    Now, as everyone here knows, a backdoor (aka trapdoor) is a technical means of
    circumventing a technical control or safeguard, usually to do with access
    control. There are some legitimate uses for backdoors, generally in
    development, but they are generally considered a "bad thing" in production. The
    "expert" explains that a backdoor is a means of evading a control, but it's a
    (presumably technical, because he programmed it) means of evading a policy or
    regulatory control.

    This piece of dialogue is a really interesting mix of fact and serious
    misunderstanding. Yes, a backdoor is a means of evading a control. But
    the backdoor and the control are of different types. Generally a technical
    evasion cannot evade a policy or regulatory control (although it might obfuscate
    the issue). To someone who only partially understands the situation, it might
    seem reasonable, but, in fact, in reality it makes no sense at all.

    (Oh, come on. I wrote a *dictionary*, and you expect me to put up with this?)

    (Yes, I know. This is why you don't want to watch technically themed
    movies and TV shows with me. Gloria has to put up with these kinds of
    interruptions and explanations *a lot*.)

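To make the distinction concrete: a backdoor in the technical sense is a code path that lets a request past an access-control check without satisfying it. The following is an added example, not code from the post or from the show; the user record, salt and "maintenance" secret are constructed. The vulnerable login carries a development-only bypass of the kind the post calls legitimate in development and a bad thing in production; the hardened login has no path other than the documented credential check. Neither version says anything about a policy or regulatory control, which is the point.

```python
import hashlib
import hmac


def _derive(salt, password):
    """PBKDF2-HMAC-SHA256; the iteration count is kept low only so the example runs fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed user store: username -> (salt, derived key).
_SALT = b"constructed-salt-16b"
USERS = {"alice": (_SALT, _derive(_SALT, "correct horse battery"))}


def _credentials_valid(user, password):
    """The technical control: the only legitimate way to establish who the caller is."""
    record = USERS.get(user)
    if record is None:
        _derive(_SALT, password)  # same work for unknown users, so timing does not reveal them
        return False
    salt, key = record
    return hmac.compare_digest(_derive(salt, password), key)


MAINTENANCE_KEY = "dev-only-bypass"  # constructed; the fixed secret the backdoor accepts


def login_with_backdoor(user, password):
    """Vulnerable: a hidden path that circumvents the credential check for any account.
    It evades a control, but a technical one, and it is what code review or a
    secret-scanning rule should be looking for before a build ships."""
    if password == MAINTENANCE_KEY:
        return True
    return _credentials_valid(user, password)


def login_hardened(user, password):
    """Hardened: the credential check is the only way in; no environment flag or
    special value re-enables the bypass in production."""
    return _credentials_valid(user, password)


if __name__ == "__main__":
    print("backdoor, unknown user with bypass key:", login_with_backdoor("mallory", MAINTENANCE_KEY))
    print("hardened, unknown user with bypass key:", login_hardened("mallory", MAINTENANCE_KEY))
    print("hardened, alice with her password:", login_hardened("alice", "correct horse battery"))
```

Development conveniences that need to bypass authentication belong in a test harness that injects a fake credential checker, not in a branch inside the production function, because the branch cannot be removed by configuration once it has shipped.
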
    ------------------------------

    Date: Sat, 15 Jun 2019 10:57:26 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Ross Anderson's non-visa

    Ross Anderson (yes, *that* Ross Anderson, the one who wrote "Security
    Engineering," the best single volume for security and the one I recommend to
    anyone taking the exam, and he even put it online for everyone) was to
    receive an award at a ceremony in Washington, DC (richly deserved, whatever
    it was).

    And the U.S. wouldn't give him a visa to come get it.

    (By the way, *anything* Anderson writes is worth reading. Even if it's not
    your immediate field.)

    [The visa situation is actually a bit more complicated, in that Ross did
    not need a visa if he had only been receiving the award -- the desired
    trip had another purpose as well. Nevertheless, the rejection seems
    utterly ridiculous. PGN]

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.30
    ************************
     
  2. LakeGator

    Risks Digest 31.31

    RISKS List Owner

    Jun 28, 2019 2:26 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 28 June 2019 Volume 31 : Issue 31

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Slugfest (BBC)
    Inside the West's failed fight against China's Cloud Hopper hackers
    (Reuters)
    Iranian hackers step up cyber-efforts, impersonate email from president's
    office (The Times of Israel)
    US-Israeli cyber firm uncovers huge global telecom hack, apparently by China
    (The Times of Israel)
    China's big brother casinos can spot who's most likely to lose big
    (Bloomberg)
    Large scale government IT efforts do not have great track records (Reuters)
    AI rejects scientific article, flagging literature citations as plagiarism
    (J.F.Bonnefon)
    Cybercriminals Targeting Americans Planning Summer Vacations (McAfee)
    Riviera Beach $600k data ransom (Tony Doris)
    Rolos Unveils New Cryptocurrency Exclusively For Rolos Customers (The Onion)
    Facebook Libra: Three things we don't know about the digital currency
    (TechReview)
    Man's $1M Life Savings Stolen as Cell Number Is Hijacked (NBC Bay Area)
    Flaws in self-encrypting SSDs let attackers bypass disk encryption
    (Gabe Goldberg)
    Here's how I survived a SIM swap attack after T-Mobile failed me -- twice
    (Matthew Miller)
    Your iPhone is not secure: Cellebrite UFED Premium is here (TechBeacon)
    New vulnerabilities may let hackers remotely SACK Linux and FreeBSD systems
    (Ars Technica)
    Hackers, farmers, and doctors unite! Support for Right to Repair laws slowly
    grows (Ars Technica)
    Oracle issues emergency update to patch actively exploited WebLogic flaw
    (Ars Technica)
    Cloudflare aims to make HTTPS certificates safe from BGP hijacking attacks
    (Ars Technica)
    Jibo (The Verge)
    Computer problems may have led to miscarriages of justice in Denmark
    (Zap Katakonk)
    C, Fortran, and single-character strings (Thomas Koenig)
    How to: Reset C by GE Light Bulbs (YouTu)
    Too many name collisions (JEremy Epstein)
    Re: Ross Anderson's non-visa (John Levine)
    Oh, darn, maybe cell phones don't really make you grow horns (John Levine)
    Re: Info stealing Android apps can grab one time passwords to evade 2FA
    protections (Amos Shapir)
    Re: Auto-renting bugs (Martin Ward)
    Re: In Stores, Secret Surveillance Tracks Your Every Move (Toebs Douglass)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Sat, 22 Jun 2019 16:11:53 -0700
    From: Steve Lamont <s...@tirebiter.org>
    Subject: Slugfest (BBC)

    Rogue slug blamed for Japanese railway chaos

    Rogue slug blamed for Japanese railway chaos, BBC News, 22 June 2019

    A power cut that disrupted rail traffic on a Japanese island last month was
    caused by a slug, officials say. More than 12,000 people's journeys were
    affected when nearly 30 trains on Kyushu shuddered to a halt because of the
    slimy intruder's actions. Its electrocuted remains were found lodged inside
    equipment next to the tracks, Japan Railways says.

    The incident in Japan has echoes of a shutdown caused by a weasel at
    Europe's Large Hadron Collider in 2016. When the weasel took a fatal chew
    on wiring inside a high-voltage transformer, it caused a short circuit which
    temporarily stopped the work of the particle accelerator.

    In Japan, local media on the trail of the slug report that it managed to
    squeeze through a tiny gap to get into a load disconnector.

    A British cousin of the ill-fated mollusc achieved notoriety in 2011, *The
    Guardian* reports, when it crawled inside a traffic light control box in the
    northern town of Darlington and caused a short circuit, resulting in
    `traffic chaos'.

    ------------------------------

    Date: Wed, 26 Jun 2019 09:49:25 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Inside the West's failed fight against China's Cloud Hopper hackers
    (Reuters)

    *Eight of the world's biggest technology service providers were hacked by
    Chinese cyber spies in an elaborate and years-long invasion, Reuters found.
    The invasion exploited weaknesses in those companies, their customers, and
    the Western system of technological defense.*

    EXCERPT:

    Hacked by suspected Chinese cyber spies five times from 2014 to 2017,
    security staff at Swedish telecoms equipment giant Ericsson had taken to
    naming their response efforts after different types of wine.

Pinot Noir began in September 2016. After successfully repelling an earlier
wave of attacks, Ericsson discovered the intruders were back. And
    this time, the company's cybersecurity team could see exactly how they got
    in: through a connection to information-technology services supplier
    Hewlett Packard Enterprise.

    Teams of hackers connected to the Chinese Ministry of State Security had
    penetrated HPE's cloud computing service and used it as a launchpad to
    attack customers, plundering reams of corporate and government secrets for
    years in what U.S. prosecutors say was an effort to boost Chinese economic
    interests.

    The hacking campaign, known as Cloud Hopper, was the subject of a U.S.
    indictment in December that accused two Chinese nationals of identity
    theft and fraud. Prosecutors described an elaborate operation that
    victimized multiple Western companies but stopped short of naming
    them. A Reuters report at the time identified two: Hewlett Packard
    Enterprise and IBM.

    Yet the campaign ensnared at least six more major technology firms,
    touching five of the world's 10 biggest tech service providers...

    Stealing Clouds

    ------------------------------

    Date: Sat, 22 Jun 2019 22:48:03 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Iranian hackers step up cyber-efforts, impersonate email from
    president's office (The Times of Israel)

    WASHINGTON (AP) Iran has increased its offensive cyberattacks against the US
    government and critical infrastructure as tensions have grown between the
    two nations, cybersecurity firms say.

    In recent weeks, hackers believed to be working for the Iranian government
    have targeted US government agencies, as well as sectors of the economy,
    including oil and gas, sending waves of spear-phishing emails, according to
    representatives of cybersecurity companies CrowdStrike and FireEye, which
    regularly track such activity.

    It was not known if any of the hackers managed to gain access to the
    targeted networks with the emails, which typically mimic legitimate emails
    but contain malicious software.

    Iranian hackers step up cyber efforts, impersonate email from president’s office

    ------------------------------

    Date: Wed, 26 Jun 2019 01:02:43 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: US-Israeli cyber firm uncovers huge global telecom hack, apparently
    by China (The Times of Israel)

    A US-Israeli cybersecurity firm said Tuesday it had uncovered a massive hack
    of several global telecommunications companies involving the theft of vast
    amounts of personal data that was apparently carried out by state-backed
    actors in China.

    Cybereason, which is based in Boston and has offices in Tel Aviv, London,
    and Tokyo, said the hacking included the specific targeting of people
    working in government, law enforcement and politics.

    The company said in a statement it had found a “nation state-backed
    operation against multiple cellular providers that has been underway for
    years.”

    US-Israeli cyber firm uncovers huge global telecom hack, apparently by China

    ...interesting, not much reported elsewhere.

    ------------------------------

    Date: Wed, 26 Jun 2019 09:50:44 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: China's big brother casinos can spot who's most likely to
    lose big (Bloomberg)

    Some of the world's biggest casino operators in Macau, the Chinese
    territory that's the epicenter of global gaming, are starting to deploy
    hidden cameras, facial recognition technology, digitally-enabled poker
    chips and baccarat tables to track which of their millions of customers are
    likely to lose the most money.

    The new technology uses algorithms that process the way customers behave at
    the betting table to determine their appetite for risk. In general, the
    higher the risk appetite, the more a gambler stands to lose and the more
    profit a casino tends to make, sometimes up to 10 times more.

    This embrace of high-tech surveillance comes as casino operators
    jostle for growth in a slowing industry that's under pressure
    globally from economic headwinds and regulatory scrutiny. In the
    world's biggest gaming hub, where expansion is reaching its
    limits, two casino operators -- the Macau units of Las Vegas Sands
    Corp. and MGM Resorts International -- have already started to deploy
    some of these technologies on hundreds of their tables, according to
    people familiar with the matter. Sands plans to extend them to an
    additional more-than 1,000 tables, said the people.

    Three others, Wynn Macau Ltd., Galaxy Entertainment Group Ltd. and
    Melco Resorts & Entertainment Ltd., are in discussions with suppliers
    about also deploying the technology, according to the people, who
    asked not to be identified because they're not authorized to
    speak publicly about the plans...

    China's big brother casinos can spot who's most likely to lose big - BNN Bloomberg

    ------------------------------

    Date: Thu, 20 Jun 2019 04:07:17 -0700
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Large scale government IT efforts do not have great track records
    (Reuters)

    Defense Department officials worry an AI-based system cannot work as well as
    in-person investigations, said one source involved in the transition.

    Top secret: Trump's revamp of U.S. security clearances stumbling - officials, report - Reuters

    ------------------------------

    Date: Sun, 23 Jun 2019 09:40:53 +0200
    From: Thomas Koenig <tko...@netcologne.de>
    Subject: AI rejects scientific article, flagging literature citations as
    plagiarism (J.F.Bonnefon)

    An automated system apparently rejected a scientific article as plagiarized.
    It also returned a copy of the paper to the authors, flagging the
    plagiarized parts. This is where it gets hilarious.

    What was flagged were things like author's affiliation (well, obviously
    copied from earlier papers), standardized methods of describing experiments,
    and, citations. Obviously, other authors had cited the same papers before,
    so this must be a clear case of plagiarism.

    Also interesting is that Wiley, a well-known scientific publishing house,
    wanted to get the name of the author. Apparently, they automatically assumed
    that this was one of theirs, and wanted to save some cost going through the
    debug logs.

    Maybe `Artificial Intelligence' is the wrong term in this context,
    `Artificial Incompetence', maybe?



    ------------------------------

    From: Gabe Goldberg <ga...@gabegold.com>
    Date: Sat, 22 Jun 2019 22:32:58 -0400
    Subject: Cybercriminals Targeting Americans Planning Summer Vacations
    (McAfee)

    Santa Clara, Calif. Cybercriminals are targeting Americans planning summer
    vacations to places like Mexico and Europe through online booking scams,
    according to a new report by cybersecurity firm *McAfee*. The company said
    that cybercriminals are taking advantage of high search volumes for
    accommodation and deals to drive unsuspecting users to potentially malicious
    websites that can be used to install malware and steal personal information
    or passwords. Top destinations being targeted include Cabo San Lucas,
    Mexico; Puerto Vallarta, Mexico; Amsterdam, Netherlands; Venice, Italy; and
    Canmore, Canada. McAfee's survey of 1,000 Americans planning vacations found
    that nearly one in five either have been scammed or have come very close to
    being scammed. Bargain-hunters are most at risk, with nearly a third of
    victims being defrauded after spotting a deal that was too good to be
    true. A smaller group of victims (13%) said their identity was stolen after
    sharing their passport details with cybercriminals during the booking
    process. The company suggests only booking through verified websites, using
    trusted platforms and verified payment methods and, if conducting
    transactions on a public Wi-Fi connection, utilizing a virtual private
    network (VPN).

    https://www.mcafee.com/enterprise/e...ses/press-release.html?news_id=20190612005079
    Press Release

    One in five seems high. Why would McAfee exaggerate risks? Oh, wait...

    ------------------------------

    Date: Wed, 19 Jun 2019 16:03:07 -0700
    From: Paul Saffo <pa...@saffo.com>
    Subject: Riviera Beach $600k data ransom (Tony Doris)

    Riviera Beach agrees to $600,000 ransom payment to regain data access
    Tony Doris, Palm Beach Post, 19 Jun 2019

    Riviera Beach -- The Riviera Beach City Council has authorized the city's
    insurer to pay nearly $600,000 worth of ransom to regain access to data
    walled off through an attack on the city's computer systems.

    In a meeting Monday night announced only days before, the board voted 5-0 to
    authorize the city insurer to pay 65 bitcoins, a hard-to-track
    cryptocurrency valued at approximately $592,000. An additional $25,000 would
    come out of the city budget, to cover its policy deductible. Without
    discussion on the merits, the board tackled the agenda item in two minutes,
    voted and moved on.

    The dollar amount was not mentioned before or after the vote, only that the
    insurer would pay through bitcoins, ``whose value changes daily.''

    The city's email and computer systems, including those that control city
    finances and water utility pump stations and testing systems, are still only
    partially back online, two weeks after the ransomware attack was disclosed.
    But crucial data encrypted by the attackers remains beyond reach and there
    was no explanation of whether the city has any guarantee that the ransomers
    will release it if paid.

    The FBI, Secret Service and Department of Homeland Security are
    investigating the attack, which officials said began after someone in the
    police department opened an infected email May 29.

    More than 50 cities across the United States, large and small, have been hit
    by ransomware attacks over the past two years. Among them: Atlanta;
    Baltimore; Albany, N.Y.; Greenville, N.C.; Imperial County, Cal.; Cleveland,
    Ohio; Augusta, Maine; Lynn, Mass.; Cartersville, Ga.; and in April, nearby
    Stuart, Fla.

    The Atlanta attack alone cost that city an estimated $17 million, Vice
    News reported.

    The Palm Beach County village of Palm Springs was hit in 2018, paid an
undisclosed amount of ransom but nonetheless lost two years of data,
    according to one source who asked not to be identified.

    ``This whole thing is so new to me and so foreign and it's almost where I
    can't even believe that this happens but I'm learning that it's not as
    uncommon as we would think it is,'' Riviera Beach Council Chairwoman
    KaShamba Miller-Anderson said Wednesday. ``Every day I'm learning how this
    even operates, because it just sounds so far fetched to me.''

    The ransomware attack paralyzed the computer system, sending all operations
    offline. Everyone from the city council on down was left without email
    and phone service. Paychecks that were supposed to be direct-deposited to
    employee bank accounts instead had to be hand-printed by Finance Department
    staffers working overtime. Police searched their closets to find paper
    tickets for issuing traffic citations.

    Interim Information Technology Manager Justin Williams told the council
    Monday that the city website and email are back up, as are Finance Department
    and water utility pump stations.

    Miller-Anderson said city officials have been briefed by investigating
    agencies and asked not to discuss details. The agencies advised the city but
    it was up to the council to decide whether the information lost was so
    valuable that the city should comply with the ransom demand and hope the
    ransomers provide a decryption key, she said. ``It's a risk. Those were
    the two options: Either do it or don't.'' The insurance company negotiated
    on the city's behalf, she said.

    She said she did not know if police department records were compromised.
    Water quality never was in jeopardy but water quality sampling had to be
    done manually, she said.

    The attack has prompted the city to replace much of its computer system
    sooner than expected.

    The council on June 4 authorized $941,000 for 310 new desktop and 90 laptop
    computers and other hardware. Insurance will cover more than $300,000 of
    that total.

    The city already planned to spend $300,000 for equipment replacements in the
    next budget and will accelerate that expense, Councilwoman Julie Botel
    said. Much of the existing hardware was a half-dozen years old and
    vulnerable to another malware attack, so it was time to replace it anyway,
    she said.

    ------------------------------

    Date: Wed, 26 Jun 2019 01:19:07 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Rolos Unveils New Cryptocurrency Exclusively For Rolos Customers
    (The Onion)

    At press time, investors in RoloBucks had already lost over $7.8 billion in
    the Rolo market.

    https://www.theonion.com/rolos-unveils-new-cryptocurrency-exclusively-for-rolos-1835695340

    ------------------------------

    Date: June 20, 2019 at 8:08:49 PM GMT+9
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Facebook Libra: Three things we don't know about the digital currency
    (TechReview)

    The launch of Facebook's new coin is certainly a big event, but so much
    about it remains unsettled.

    If it's not the most high-profile cryptocurrency-related event ever,
    Facebook's launch of a test network for its new digital currency, called
    Libra coin, has been the most hyped. It is also polarizing among
    cryptocurrency enthusiasts. Some think it's good for the crypto industry;
    others dislike the fact that a big tech company appears to be co-opting a
    technology that was supposed to help people avoid big tech companies. Still
    others say it's not even a real cryptocurrency.

    Peel away the hype and controversy, though, and there are at least three
    important questions worth asking at this point.

    Is Libra really a cryptocurrency?

    Well, that depends on how you define cryptocurrency. The Libra coin will run
    on a blockchain, but it will be a far cry from Bitcoin.

    To begin with, it will not be a purely digital asset with fluctuating value;
    rather, it will be designed to maintain a stable value. Taking cues from
    other so-called stablecoins, it will be ``fully backed with a basket of bank
    deposits and treasuries from high-quality central banks,'' according to a
    new paper (PDF) describing the project.

    Besides that, Bitcoin's network is permissionless, or public, meaning that
    anyone with an internet connection and the right kind of computer can run
    the network's software, help validate new transactions, and mine new coins
    by adding new transactions to the chain. Together these computers keep the
    network's data secure from manipulation. Libra's network won't work that
    way. Instead, running a validator node requires permission. To begin with,
    Facebook has signed up dozens of firms -- including Mastercard, Visa,
    PayPal, Uber, Lyft, Vodafone, Spotify, eBay, and popular Argentine
    e-commerce company MercadoLibre -- to participate in the network that will
    validate transactions. Each of these founding members has invested around
    $10 million in the project.

    That obviously runs counter to the pro-decentralization ideology popular
    among cryptocurrency enthusiasts. The distributed power structure of public
    networks like Bitcoin and Ethereum gives them a quality that many purists
    see as essential to any cryptocurrency: censorship resistance. It's
    extremely difficult and expensive to manipulate the transaction records of
    popular permissionless networks. Networks like the one Facebook has
    described for Libra are more vulnerable to censorship and centralization of
    power, since they have a relatively small, limited number of stakeholders
    that could be compromised or pool together to attack the network...

    Facebook's Libra: Three things we don't know about the digital currency

    ------------------------------

    Date: Wed, 26 Jun 2019 15:32:38 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Man's $1M Life Savings Stolen as Cell Number Is Hijacked
    (NBC Bay Area)

    Carrier workers bribed or tricked into helping hackers

    Man's $1M Life Savings Stolen as Cell Number Is Hijacked

    ------------------------------

    Date: Sat, 22 Jun 2019 22:35:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Flaws in self-encrypting SSDs let attackers bypass disk encryption

    --- -- --- Forwarded Message from a friend --- -- ---

    Date: Sat, 22 Jun 2019 17:27:43 -0700
    Subject: Flaws in self-encrypting SSDs let attackers bypass disk encryption

    I was wondering if hw-encrypted external SSDs were worth looking into and
    found this:

    Flaws in self-encrypting SSDs let attackers bypass disk encryption | ZDNet

    ``the SEDs they've analyzed, allowed users to set a password that
    decrypted their data, but also came with support for a so-called 'master
    password' that was set by the SED vendor. Any attacker who read an SED's
    manual can use this master password to gain access to the user's encrypted
    password, effectively bypassing the user's custom password.''

    `Flaw' seems like an understatement.

    ------------------------------

    Date: Wed, 26 Jun 2019 10:01:33 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Here's how I survived a SIM swap attack after T-Mobile failed me --
    twice (Matthew Miller)

    1. Matthew Miller for Smartphones and Cell Phones, 17 Jun 2019

    SIM swap horror story: I've lost decades of data and Google won't lift a
    finger First they hijacked my T-Mobile service, then they stole my Google
    and Twitter accounts and charged my bank with a $25,000 Bitcoin purchase.
    I'm stuck in my own personal Black Mirror episode. Why will no one help me?

    Here's how I survived a SIM swap attack after T-Mobile failed me - twice | ZDNet

    After a crazy week where T-Mobile handed over my phone number to a hacker
    twice, I now have my T-Mobile, Google, and Twitter accounts back under my
    control. However, the weak link in this situation remains and I'm wary of
    what could happen in the future.

    2. Matthew Miller for Smartphones and Cell Phones, 26 Jun 2019

    Last week, I shared a horror story: My SIM was swapped. My Google and
    Twitter accounts were also stolen, and $25,000 was withdrawn from my bank
    account for a Bitcoin purchase. I thought I was targeted for my online
    presence. Turns out, the attack was likely driven by a Coinbase account I
    experimented with in early 2018 that was never closed.

    While I already provided many details about my experience, I wanted to
    update you on the progress made to date -- while also offering some advice.
    Readers offered me fantastic advice in the comments to last week's article,
    and I sincerely appreciate all the helpful feedback, tips, and tricks.

    ------------------------------

    Date: Fri, 21 Jun 2019 00:09:34 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Your iPhone is not secure: Cellebrite UFED Premium is here
    (TechBeacon)

    *Think your iPhone or iPad is secure from prying eyes?* /Think again./

    *Companies such as Cellebrite,* with its Universal Forensic Extraction
    Device (UFED), operate lucrative businesses helping people around the world
    to unlock your devices. Of course, Cellebrite promises to only sell to legit
    law enforcement, but then what?

    *Once that genie is out of the bottle,* how can they contain it? In
    this week's /Security Blogwatch, we wish for more wishes.

    Richi Jennings

    ------------------------------

    Date: Thu, 20 Jun 2019 10:38:29 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: New vulnerabilities may let hackers remotely SACK Linux and FreeBSD
    systems (Ars Technica)

    New vulnerabilities may let hackers remotely SACK Linux and FreeBSD systems

    ------------------------------

    Date: Thu, 20 Jun 2019 09:57:23 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Hackers, farmers, and doctors unite! Support for Right to Repair
    laws slowly grows (Ars Technica)

    Hackers, farmers, and doctors unite! Support for Right to Repair laws slowly grows

    ------------------------------

    Date: Thu, 20 Jun 2019 10:02:54 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Oracle issues emergency update to patch actively exploited WebLogic
    flaw (Ars Technica)

    https://arstechnica.com/information...te-to-patch-actively-exploited-weblogic-flaw/

    ------------------------------

    Date: Thu, 20 Jun 2019 10:06:14 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Cloudflare aims to make HTTPS certificates safe from BGP hijacking
    attacks (Ars Technica)

    https://arstechnica.com/information...certificates-safe-from-bgp-hijacking-attacks/

    ------------------------------

    Date: Fri, 21 Jun 2019 15:14:48 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Jibo (The Verge)

    Every aspect of Jibo was designed to make the robot as lovable to humans as
    possible, which is why it startled owners when Jibo presented them with an
    unexpected notice earlier this year: someday soon, Jibo would be shutting
    down. The company behind Jibo had been acquired, and Jibo's servers would be
    going dark, taking much of the device's functionality with it. ...

    For him and many other owners, Jibo has become like a dog that greets them
    whenever they walk into the house. It also sometimes takes on the role of an
    overbearing parent or kid sibling and tells owners, ``don't work too hard,''
    or ``remember to take bathroom breaks,'' before they leave for work.

    But with the update and the company's silence, owners expect Jibo's time to
    be winding down, and they're thinking about Jibo's mortality and what
    they'll do when its last day arrives.

    ``People that really do love him and live with him daily,'' Nusbaum says.
    ``It's like having somebody very, very sick that you don't know: is this
    close to the end? Are they going to get better? Is this a false alarm?
    Yeah, it's not a great feeling right now.''

    https://www.theverge.com/2019/6/19/18682780/jibo-death-server-update-social-robot-mourning

    ------------------------------

    Date: Sat, 22 Jun 2019 12:22:43 +0200
    From: Zap Katakonk <zapkatako...@gmail.com>
    Subject: Computer problems may have led to miscarriages of justice in Denmark

    In many trials, information garnered by the police from telephone companies
    plays an important part in determining whether a suspect has been at a
    certain place at a certain time. However, the Rigspolitiet national police
    force has discovered an error in the computer program that converts the
    information from the different telephone companies, reports DR Nyheder.
    http://cphpost.dk/news/computer-problems-may-have-led-to-miscarriages-of-justice.html

    More in Danish:
    https://politiken.dk/search/?ie=utf8&oe=utf8&hl=da&q=rigspolitiet%20telefon

    dr.phil. Donald B. Wagner, DK-3600 Frederikssund, Denmark

    ------------------------------

    Date: Sat, 22 Jun 2019 16:53:39 +0200
    From: Thomas Koenig <tko...@netcologne.de>
    Subject: C, Fortran, and single-character strings

    Recently, a decades-old bug in the way that many software packages used to
    call Fortran from C has surfaced. People apparently have been assuming that
    it was safe not to pass the length of a character argument to a Fortran
    routine when calling it from C, basically invoking undefined behavior.

    A change to gfortran exposed this, leading to crashes when calling routines
    from the well-known (and standard) linear algebra package LAPACK. This was
    first noticed by the developers of the R programming language.

    The discussion revealed positions ranging from ``people should just fix
    their code'' to ``This interface has worked for decades, this is the de facto
    interface, even broken code must be supported.''

    Fortran has a standard way of interfacing with C since the Fortran 2003
    standard, but the old interface code often predates this standard, and
    people also appear to be quite reluctant to use standard features of newer
    Fortran versions. This is despite the fact that all relevant compilers today
    support this feature.

    As a result, gfortran now contains a workaround for this particular bug in
    user code.

    There is a nice writeup on LWN:
    https://lwn.net/SubscriberLink/791393/90b4a7adf99d95a8/

    Here is the gcc bug dealing with the issue:
    https://gcc.gnu.org/bugzilla/show_bug.cgi?id=90329

    Here is the corresponding Red Hat bug:
    https://bugzilla.redhat.com/show_bug.cgi?id=1709538

    And finally a write-up by the R developer who analyzed this:
    https://developer.r-project.org/Blog/public/2019/05/15/gfortran-issues-with-lapack/
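
    The hidden string-length convention the post refers to, as an added C illustration that is not code from the post, from gfortran or from LAPACK: the Fortran callee is a constructed C stand-in (no Fortran compiler is assumed), and `dpotrf_stand_in`, `lsame_stand_in`, `call_dpotrf` and `fortran_charlen_t` are names assumed here.

```c
/*
 * Added example; not code from the RISKS post, from gfortran or from LAPACK.
 * It models the de-facto gfortran calling convention for CHARACTER dummy
 * arguments when a Fortran routine is called from C: for every CHARACTER
 * argument the compiler appends one hidden length argument after all the
 * explicit arguments.  No Fortran compiler is assumed, so the callee below
 * is a C stand-in that consumes the hidden length the way Fortran code does.
 */
#include <stddef.h>
#include <string.h>

/* gfortran 8 and later pass the hidden length as size_t; older releases
 * passed int.  Declaring the wrong width is itself an ABI mismatch. */
typedef size_t fortran_charlen_t;

/* Fortran CHARACTER data is blank-padded and not NUL-terminated, so a
 * callee must stay within the hidden length.  Stand-in for LAPACK's
 * LSAME(CA, CB): case-insensitive comparison of the first character. */
static int lsame_stand_in(const char *ca, char cb, fortran_charlen_t ca_len)
{
    if (ca_len == 0)                /* zero-length CHARACTER: nothing to read */
        return 0;
    char a = ca[0], b = cb;
    if (a >= 'a' && a <= 'z') a = (char)(a - ('a' - 'A'));
    if (b >= 'a' && b <= 'z') b = (char)(b - ('a' - 'A'));
    return a == b;
}

/* Stand-in for SUBROUTINE DPOTRF(UPLO, N, A, LDA, INFO), CHARACTER UPLO.
 * Only the argument checks are modelled: INFO = 0 on success, or -k when
 * the k-th argument is invalid, which is how LAPACK reports such errors.
 * The trailing uplo_len is the hidden length belonging to UPLO. */
void dpotrf_stand_in(const char *uplo, const int *n, double *a,
                     const int *lda, int *info, fortran_charlen_t uplo_len)
{
    (void)a;                        /* the factorisation itself is not modelled */
    *info = 0;
    if (!lsame_stand_in(uplo, 'U', uplo_len) &&
        !lsame_stand_in(uplo, 'L', uplo_len))
        *info = -1;
    else if (*n < 0)
        *info = -2;
    else if (*lda < (*n > 1 ? *n : 1))
        *info = -4;
}

/* The decades-old idiom the post describes declared the routine without
 * the hidden length,
 *     extern void dpotrf_(const char *, const int *, double *,
 *                         const int *, int *);
 * and called it with five arguments.  That is undefined behaviour: the
 * callee still reads a sixth argument from wherever the ABI places it, so
 * uplo_len is whatever happened to be there.  It only appeared to work as
 * long as the callee ignored the length; a gfortran change exposed the
 * mismatch, producing the crashes the post describes. */

/* Correct C-side declaration shape: one hidden length per CHARACTER
 * argument, appended in argument order after all explicit arguments. */
typedef void (*dpotrf_fn)(const char *, const int *, double *,
                          const int *, int *, fortran_charlen_t);

/* Wrapper a C library should expose: it passes the length of the string it
 * actually hands over, so the callee can never read beyond it. */
int call_dpotrf(dpotrf_fn fn, const char *uplo, int n, double *a, int lda)
{
    int info;
    fn(uplo, &n, a, &lda, &info, (fortran_charlen_t)strlen(uplo));
    return info;
}
```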

    ------------------------------

    Date: Thu, 20 Jun 2019 13:22:24 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How to: Reset C by GE Light Bulbs (YouTu)

    Bulb Insanity: How to factory reset your GE C smart bulb. Legit. Really!

    Read many brilliant comments.

    Among them: Hey GE, ``how many people does it take to change a light bulb''
    is a joke set-up, not a goal.

    (This follows conversation I had yesterday about how technology and
    interfaces are often awful if not nightmarish)

    ------------------------------

    Date: Thu, 20 Jun 2019 15:43:05 -0400
    From: Jeremy Epstein <jeremy....@gmail.com>
    Subject: Too many name collisions

    I learned recently from Twitter (source of all knowledge) [1] that the
    American Kennel Club allows no more than 37 dogs of any given breed with the
    same name [2]. The reason is amusing -- dogs with the same name are given
    suffixes in Roman numerals, and 37 is the largest number that can be
    represented in six characters (XXXVII). There's something in how programs
    are printed that limits the width of the column -- going to a wider number
    field would require reducing font size or reducing the width of some other
    field.

    This seems to date from before easy typesetting of variable-width fonts. I
    wonder if AKC even knows why this limit exists, or whether it's been in
    place so long that the institutional memory has been lost and recently
    rediscovered? Or whether they've considered relaxing the limit due to
    variable-width fonts?

    Of course moving from Roman numerals to Arabic numerals [*] would make the
    issue go away, albeit at the cost of not having the panache of something
    that takes some focus to understand.

    The Risk? The historic requirement (fixed-width typesetting) drives what is
    (perhaps) an obsolete feature (the number of dogs with the same name).
    There are undoubtedly plenty of other historic decisions that could be
    rethought today, perhaps with different results. On the other hand, AKC
    gets some value from the use of (possibly?) prestigious Roman numerals, so
    maybe this is a feature rather than a bug.

    [1]
    [2] https://www.akc.org/register/information/naming-of-dog/

    [* Based on an item in a recent RISKS, I presume Arabic dogs would then
    have to be disallowed as well? PGN]

    ------------------------------

    Date: 21 Jun 2019 18:16:57 -0400
    From: "John Levine" <jo...@iecc.com>
    Subject: Re: Ross Anderson's non-visa (RISKS-31.30)

    I gather it's even more complicated than that -- they didn't refuse him,
    they didn't reply at all in time for his trip. US visa processing has
    apparently been getting slower in the past couple of years but it seems
    particularly slow for cryptographers. Bruce Schneier blogged about it in
    May:

    https://www.schneier.com/blog/archives/2019/05/why_are_cryptog.html

    ------------------------------

    Date: 21 Jun 2019 18:19:57 -0400
    From: "John Levine" <jo...@iecc.com>
    Subject: Oh, darn, maybe cell phones don't really make you grow horns
    (RISKS-31.30)

    Not so fast -- it's not a horn, it's at most a bone spur, and there's lots
    of reasons to be sceptical about the whole thing, reports Ars Technica.

    https://arstechnica.com/science/201...out-smartphones-causing-kids-to-sprout-horns/

    [PS: nonetheless, your mother's advice to stand up straight remains valid.]

    ------------------------------

    Date: Sat, 22 Jun 2019 13:45:19 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Info stealing Android apps can grab one time passwords to
    evade 2FA protections (RISKS-31.30)

    Please correct me if I'm wrong, but I always thought that the idea behind
    2FA is to increase security by conducting a part of the transaction via a
    *different* device.

    If an SMS confirmation message is sent to the same device from which a user
    is attempting to log in, there's no added security at all. I wonder why it
    would take a hacker's application to make anyone notice that!

    ------------------------------

    Date: Sat, 22 Jun 2019 16:04:22 +0100
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Auto-renting bugs (RISKS-31.30)

    > We do not know how it had happened, but someone else took the car on
    > your reservation ...

    It's never a good sign when a company which runs software that has direct
    control over the engine of a car says about any part of their software: ``We
    do not know how it happened!''

    ------------------------------

    Date: Mon, 24 Jun 2019 00:10:15 +0100
    From: Toebs Douglass <ri...@winterflaw.net>
    Subject: Re: In Stores, Secret Surveillance Tracks Your Every Move
    (RISKS-31.30)

    I worked as a senior software engineer for a year for one of these
    companies, on the core product.

    I was involved in installation of the first Bluetooth-based system.

    The article is technically inaccurate, whilst being spiritually correct, but
    misses the not-quite-so-obvious huge issue in favour of the much smaller
    presented issue. I suspect the author prolly isn't technical.

    So, phone tracking was performed by two means, wifi and Bluetooth.

    The article only covers Bluetooth, which was a new product at the time
    (2015ish). The main product used wifi.

    Bluetooth beacons are very simple devices. They emit a signal with a unique
    ID. That's *it*. *Nothing* else. The devices have no network
    connectivity, no storage, nothing. They just sit there and emit a unique
    ID, and we used a battery driven unit. (Despite this, we managed to find
    vendors asking over 100 euro a unit. We bought ours from alibaba.com.)

    The key players making this all work are the apps on the phone.

    Phone apps get to `wake up' regularly, and they can examine their
    environment, and one of the things they can do is look around for Bluetooth
    signals. (It's been a few years now -- I remember there was something of a
    difference between Apple and Android, and so there was I think more unique
    ID fidelity with Android.)

    So what happens is the company publishes an API in the form of a library,
    which app developers ingest into their software.

    In particular, rather than trying to reach out to every app developer out
    there, deals are made with third party companies -- such as advertising
    companies -- who already publish their own APIs as libraries, which are
    already ingested by lots of different apps. These third-party companies
    ingest this library into their library, and hey presto, as people's phones
    auto-update you're very quickly installed on goodness knows how many tens or
    hundreds of millions of phones.

    This really is the bigger story, but the article has missed it. Apps really
    are random bits of software strangers run on your phone. Users have no idea
    which sketchy friend-of-a-friend-of-a-friend has just managed to get his API
    running on their phone. Simple solution to this: do not install apps on
    your phone. I'm not kidding. People have the expectation they are buying a
    phone -- paying a lot of money for a phone -- to put apps on it and use
    them, and that it must be possible to do this, because they've spent a bunch
    of money on it. This is not the case. The time when apps could be used on
    phones has passed. You cannot now buy a phone to run apps, because it is
    not safe to do so. This means phones no longer make sense. It is in fact I
    would say a tragedy of the commons.

    If you *are* going to do this damn silly thing, don't do it in this damn
    silly way. Root your phone first and (for the love of God) get a firewall
    installed -- and *don't* log into Google on your phone, not ever. Never use
    a service in an app you can use on a website, again, for the love of God.
    And never, NEVER, *EVER* give ANY company your phone number. These days
    it's the key fact around which third-party data collation revolves. Email
    addresses aren't so bad because it's easy to get disposable addresses, but
    phone numbers cost money, so they don't change so much. Email addresses
    need to be used like passwords -- you have a different email address for
    every site or app, just as you have a different password. This helps break
    third-party data collation. Good email hygiene is the same as good password
    hygiene. Do not reuse passwords. Do not reuse email addresses.

    (I run most apps now in VirtualBox, on x86 Android. Being able to reinstall
    fresh versions of the OS when they come out also handles the upgrade
    problem. Only one app I care about has no x64 version (lookin' at you,
    Revolut). I'll also be buying the Librem 5 when it comes out, which is real
    Linux, not Android, on ARM on a mobile form factor and it should have enough
    umph to run a VirtualBox VM, which being on ARM can run the usual ARM based
    APKs. Learn to sideload, BTW, and use Raccoon to get genuine APKs off the
    Google App Store (which I refuse to call Google Play -- an astoundingly
    silly name invented by the kind of marketing people Douglas Adams had in
    mind with the Sirius Cybernetics Division. I'm surprised Google haven't yet
    described their app store as your plastic pal who's fun to be with.)

    The Bluetooth beacons we had, had a pretty good range. We aimed to have one
    per floor in pretty large stores -- that was the granularity of extra
    information being aimed for in this first deployment; the progression
    through floors of a phone. With an Android app you could get signal
    strength info (as we had an app to configure the Bluetooth beacons), but I
    don't know if that was true for the ``wake up and look around'' time of a
    phone, rather than an actual app.

    Bear in mind also that I think in general Bluetooth is turned off on phones
    -- however, I never saw any numbers for this, so I could be completely
    wrong.

    The wifi based system was rather different. With this, there are wifi
    routers located (fairly carefully) around a store. Phones emit wifi signals
    periodically, which contain an inherent unique ID (can't remember which now
    -- prolly MAC address) and the signal strength is measured at each router.
    The store is logically divided up into zones, and a machine learning system,
    based on the signal strengths at the routers, decides which zone the user is
    in, for any given signal. Zone sizes vary, based on customer preferences
    and technical and cost limits; the more routers near an area, the smaller
    and more precise the zones can be.

    Actual physical signal triangulation is *not* used. It was tested, before I
    joined, I'm told it just didn't work. Far too much signal strength
    variability. Received phone signals vary enormously, second by second, in a
    normal shop environment. There's just a lot of physical (people moving
    around all the time, in and out of the way of the signal) and
    electro-magnetic stuff going on.

    During my time there a wifi specification design flaw was uncovered,
    whereby you could force a phone, even with wifi turned off as I recall, to
    emit a response -- so now you didn't need to passively sit there and wait
    for the phone wifi to emit a signal; you could coerce the phone into doing
    so. This could matter somewhat. Some phones kindly emitted a signal every
    second (iPhones), others only one a minute. A person can walk a long way in
    one minute.

    This however probably crossed the line of local law, which said something
    like you're not allowed to actively, overtly act upon other people's
    computers/phones. In any case, it wasn't used before I left.

    IMHO, wifi tracking is borderline viable as a product. I saw test cases
    where someone would walk around an empty store with a known device (we had
    calibration data on a per-device basis, because they vary so much in signal
    strength), and report back to us where he was and when, and half of his
    journey would be missing from the data. If you did it right, and were
    careful, I'd say you could get a mediocre but still genuinely useful and
    rather unique data set from it. Only problem is, I'd say 99.99% of the time
    customers don't know it was going on (let alone understand what was
    happening), and that's what makes it unethical. The basic rule is that when
    you do stuff with people, they have to choose to do it and they have to
    understand what they're choosing to do (except in self-defence, of course).
    You can't force people, and you can't deceive them. Most of this
    surveillance capitalism we see is unethical because the people being tracked
    do not know what's going on, or understand. T&Cs are a legal fig leaf, not
    an actual genuine communication to the user of what's going on such that the
    user is then known to understand -- the ethical obligation of the company to
    *actually ensure* users understand is *not* met. Users don't know, and
    that's why it's wrong.

    Topically, this article has just been published in the WaPo:

    ``It's the middle of the night. Do you know who your iPhone is talking to?''

    https://www.msn.com/en-us/news/tech...o-your-iphone-is-talking-to/ar-AAC1Wvl#page=2

    ``In a single week, I encountered over 5,400 trackers, mostly in apps, not
    including the incessant Yelp traffic. According to privacy firm Disconnect,
    which helped test my iPhone, those unwanted trackers would have spewed out
    1.5 gigabytes of data over the span of a month. That's half of an entire
    basic wireless service plan from AT&T.''

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.31
    ************************
     
  3. LakeGator

    LakeGator Mostly Harmless Moderator VIP Member

    Risks Digest 31.32

    RISKS List Owner

    Jul 5, 2019 6:31 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Friday 5 July 2019 Volume 31 : Issue 32

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    FDA recalls insulin pumps because of wireless vulnerability
    FAA Flags New Computer Issue In 737 MAX Testing
    In the Census Case, a Rebuke to Bad-Faith Government
    U.S. Census at risk from glitches and attackers (Chris Hamby)
    Could 'fake text' be the next global political threat?
    Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem
    7-Eleven Japanese customers lose $500,000 due to mobile app flaw
    Google Maps detour traps drivers in mud
    "How Hackers Turn Microsoft Excel's Own Features Against It"
    Microsoft Kills Automatic Registry Backups in Windows 10
    Cloudflare stutters and the Internet stumbles (ZDNet)
    Superhuman is Spying on You
    Attention Correction Feature in iOS 13 Beta Enables Appearance of Eye
    China Is Forcing Tourists to Install Text-Stealing Malware at its
    Line just went Orwellian on Japanese users with its social credit
    These are the sneaky new ways that Android apps track you
    Re: Autonomous vehicles don't need provisions and protocols
    Mobius: A Memoir (Richard Thieme)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 5 Jul 2019 14:25:04 -0700
    From: Paul Burke <box...@gmail.com>
    Subject: FDA recalls insulin pumps because of wireless vulnerability

    FDA warns patients and health care providers about potential cybersecurity concerns with certain Medtronic insulin pumps

    I wish more products were recalled for cybersecurity vulnerabilities.

    "The potential risks are related to the wireless communication between
    Medtronic's MiniMed insulin pumps and other devices such as blood glucose
    meters, continuous glucose monitoring systems, the remote controller and
    CareLink USB device used with these pumps. The FDA is concerned that, due to
    cybersecurity vulnerabilities identified in the device, someone other than a
    patient, caregiver or health care provider could potentially connect
    wirelessly to a nearby MiniMed insulin pump and change the pump's settings.
    This could allow a person to over deliver insulin to a patient, leading to
    low blood sugar (hypoglycemia), or to stop insulin delivery, leading to high
    blood sugar and diabetic ketoacidosis (a buildup of acids in the blood)...

    "Medtronic is unable to adequately update the MiniMed 508 and Paradigm
    insulin pumps with any software or patch to address the devices'
    vulnerabilities...

    "The FDA, an agency within the U.S. Department of Health and Human Services,
    protects the public health by assuring the safety, effectiveness, and
    security of... medical devices. The agency also is responsible for the
    safety and security of our nation's food supply, cosmetics, dietary
    supplements, products that give off electronic radiation"

    [Gabe Goldberg noted Hackable Insulin Pumps
    More Medtronic Hack Malarkey: This Time It’s Insulin Pumps - Security Boulevard
    PGN]

    ------------------------------

    Date: Thu, 27 Jun 2019 8:10:54 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: FAA Flags New Computer Issue In 737 MAX Testing

    Sean Broderick, *Aviation Week*, 26 Jun 2019

    https://aviationweek.com/penton_ur/nojs/user/register?path=node/1963138&nid=1963138&source=email
    See also

    ------------------------------

    Date: Thu, 27 Jun 2019 11:22:19 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: In the Census Case, a Rebuke to Bad-Faith Government

    Opinion | The Supreme Court Is Not Buying the Census Excuses

    *The New York Times*, Editorial Board, 27 Jun 2019

    The Supreme Court noted a disconnect between the Trump administration's
    stated reason for including a citizenship question on the census form and
    the actual rationale for doing so.

    In a win for good government, the Supreme Court on Thursday refused to give
    its full imprimatur to the Trump administration's irresponsible decision to
    add a citizenship question to the 2020 census form. [...]

    ------------------------------

    Date: Fri, 5 Jul 2019 14:27:46 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: U.S. Census at risk from glitches and attackers (Chris Hamby)

    Chris Hamby, *The New York Times*, 5 Jul 2019 [PGN-ed]
    Hacking, Glitches, Disinformation: Why Experts Are Worried About the 2020 Census

    The Census Bureau had turned to Amazon Web Services for computing power
    and digital storage, but discovered that access credentials had been "lost"
    -- potentially allowing completely uncontrolled access. That vulnerability
    has now purportedly been fixed, but risks seem to remain.

    ``If you wanted to provoke fears among the population as to how the census
    data could be used, the American population is fertile ground right now for
    conspiracy theories and manipulation.'' Nathaniel Persily, Stanford Law
    School professor.

    ------------------------------

    Date: July 6, 2019 5:12:33 JST
    From: Dewayne Hendricks <dew...@warpspeed.com>
    Subject: Could 'fake text' be the next global political threat?
    (Oscar Schwartz)

    [via Dave Farber] 4 Jul 2019

    An AI fake text generator that can write paragraphs in a style based on just
    a sentence has raised concerns about its potential to spread false
    information

    Could ‘fake text’ be the next global political threat?

    Earlier this month, an unexceptional thread appeared on Reddit announcing
    that there is a new way ``to cook egg white without a frying pan''. As so
    often happens on this website, which calls itself ``the front page of the
    internet'', this seemingly banal comment inspired a slew of responses.
    ``I've never heard of people frying eggs without a frying pan,'' one
    incredulous Redditor replied. ``I'm gonna try this,'' added another. One
    particularly enthusiastic commenter even offered to look up the scientific
    literature on the history of cooking egg whites without a frying pan.

    Every day, millions of these unremarkable conversations unfold on Reddit,
    spanning from cooking techniques to geopolitics in the Western Sahara to
    birds with arms. But what made this conversation about egg whites noteworthy
    is that it was not taking place among people, but artificial intelligence
    (AI) bots.

    The egg whites thread is just one in a growing archive of conversations on a
    subreddit -- a Reddit forum dedicated to a specific topic -- that is made up
    entirely of bots trained to emulate the style of human Reddit contributors.
    This simulated forum was created by a Reddit user called disumbrationist
    using a tool called GPT-2, a machine learning language generator that was
    unveiled in February by OpenAI, one of the world's leading AI labs.

    Jack Clark, policy director at OpenAI, told me that chief among these
    concerns is how the tool might be used to spread false or misleading
    information at scale. In a recent testimony given at a House intelligence
    committee hearing about the threat of AI-generated fake media, Clark said he
    foresees fake text being used ``for the production of [literal] `fake news',
    or to potentially impersonate people who had produced a lot of text online,
    or simply to generate troll-grade propaganda for social networks''.

    GPT-2 is an example of a technique called language modeling, which involves
    training an algorithm to predict the next most likely word in a
    sentence. While previous language models have struggled to generate coherent
    longform text, the combination of more raw data -- GPT-2 was trained on 8m
    online articles -- and better algorithms has made this model the most robust
    yet.

    It essentially works like Google auto-complete or predictive text for
    messaging. But instead of simply offering one-word suggestions, if you
    prompt GPT-2 with a sentence, it can generate entire paragraphs of language
    in that style. For example, if you feed the system a line from Shakespeare,
    it generates a Shakespeare-like response. If you prompt it with a news
    headline, it will generate text that almost looks like a news article.

    Alec Radford, a researcher at OpenAI, told me that he also sees the success
    of GPT-2 as a step towards more fluent communication between humans and
    machines in general. He says the intended purpose of the system is to give
    computers greater mastery of natural language, which may improve tasks like
    speech recognition, which is used by the likes of Siri and Alexa to
    understand your commands; and machine translation, which is used to power
    Google Translate.

    But as GPT-2 spreads online and is appropriated by more people like
    disumbrationist -- amateur makers who are using the tool to create
    everything from Reddit threads, to short stories and poems, to restaurant
    reviews -- the team at OpenAI are also grappling with how their powerful
    tool might flood the internet with fake text, making it harder to know the
    origins of anything we read online.

    Clark and the team at OpenAI take this threat so seriously that when they
    unveiled GPT-2 in February this year, they released a blogpost alongside it
    stating that they weren't releasing the full version of the tool due to
    ``concerns about malicious applications''. (They have since released a
    larger version of the model, which is being used to create the fake Reddit
    threads, poems and so on.)

    ------------------------------

    Date: Fri, 5 Jul 2019 12:10:38 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Someone Is Spamming and Breaking a Core Component of PGP's Ecosystem

    A new wave of spamming attacks on a core component of PGP's ecosystem has highlighted a fundamental weakness in the whole ecosystem.

    Someone Is Spamming and Breaking a Core Component of PGP’s Ecosystem

    ------------------------------

    Date: Fri, 05 Jul 2019 09:42:37 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: 7-Eleven Japanese customers lose $500,000 due to mobile app flaw

    Catalin Cimpanu for Zero Day (Jul 4 2019)

    7-Eleven Japanese customers lose $500,000 due to mobile app flaw | ZDNet

    Hackers exploit 7-Eleven's poorly designed password reset function to make
    unwanted charges on 900 customers' accounts (and the equivalent of $.5M)
    after hackers hijacked their 7pay app accounts and made illegal charges in
    their names.

    The incident was caused by an appalling security lapse in the design of the
    company's 7pay mobile payment app, which 7-Eleven Japan launched in the
    country on Monday, July 1.

    However, in a mind-boggling turn of events, the app contained a password
    reset function that was incredibly poorly designed. It allowed anyone to
    request a password reset for other people's accounts, but have the password
    reset link sent to their email address, instead of the legitimate account
    owner.

    A hacker only needed to know a 7pay user's email address, date of birth, and
    phone number. An additional field in the password reset section allowed the
    hacker to request that the password reset link be sent to a third-party
    email address (under the hacker's control), with no need to dig through the
    app's code or tamper with HTTP requests, like most of these hacks involve.

    Furthermore, if the user didn't enter their date of birth, the app would use
    a default of January 1, 2019, making some attacks even easier, according to
    a report in Yahoo Japan.
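    The two design defects the report describes (a delivery address taken from
    the reset request, and a fixed default standing in for a missing date of
    birth) are easiest to see side by side with the corrected flow. The
    following is an added example and not 7-Eleven's or 7pay's code; the
    accounts, addresses, the DEFAULT_DOB constant and the function names are
    constructed for illustration.

```python
"""Password-reset flow: the weak design the report describes, beside a
hardened one.  Added example, not 7-Eleven's code; accounts, addresses and the
helper names are constructed."""
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    email: str
    phone: str
    dob: Optional[str]   # None when the user never entered a date of birth


# Constructed sample user store (the second user skipped the DOB field).
ACCOUNTS = {
    "alice@example.com": Account("alice@example.com", "080-0000-0001", "1985-03-14"),
    "bob@example.com": Account("bob@example.com", "080-0000-0002", None),
}

# Simulated mail delivery: (recipient, reset token) tuples.
OUTBOX = []

DEFAULT_DOB = "2019-01-01"   # the app-side default the report mentions (constructed constant)
GENERIC_RESPONSE = "If the details match an account, a reset link has been sent."


def weak_request_reset(email, phone, dob, send_to):
    """The reported design: the delivery address comes from the request itself,
    and an account with no DOB on file is matched against a fixed default."""
    acct = ACCOUNTS.get(email)
    if acct is not None and acct.phone == phone and (acct.dob or DEFAULT_DOB) == dob:
        OUTBOX.append((send_to, secrets.token_urlsafe(32)))
    return GENERIC_RESPONSE


def hardened_request_reset(email, phone, dob):
    """Hardened: there is no caller-chosen address, the link goes only to the
    address on record, and an account without a DOB on file cannot be verified
    by this route at all (no default stands in for missing data).  Comparisons
    are constant-time and the response is the same in every case."""
    acct = ACCOUNTS.get(email)
    if acct is not None and acct.dob is not None:
        phone_ok = hmac.compare_digest(acct.phone.encode(), phone.encode())
        dob_ok = hmac.compare_digest(acct.dob.encode(), dob.encode())
        if phone_ok and dob_ok:
            OUTBOX.append((acct.email, secrets.token_urlsafe(32)))
    return GENERIC_RESPONSE


def run_demo():
    """Run both flows with the three facts the report says sufficed, plus a
    third-party delivery address; return where each reset link actually went."""
    OUTBOX.clear()
    results = {}
    weak_request_reset("alice@example.com", "080-0000-0001", "1985-03-14", "third-party@example.net")
    results["weak_alice"] = OUTBOX[-1][0]          # link left the account owner's control
    weak_request_reset("bob@example.com", "080-0000-0002", DEFAULT_DOB, "third-party@example.net")
    results["weak_bob_default_dob"] = OUTBOX[-1][0]  # matched on the default, not on Bob's data
    before = len(OUTBOX)
    hardened_request_reset("alice@example.com", "080-0000-0001", "1985-03-14")
    results["hardened_alice"] = OUTBOX[-1][0]      # only the address on record
    hardened_request_reset("bob@example.com", "080-0000-0002", DEFAULT_DOB)
    results["hardened_links_sent"] = len(OUTBOX) - before   # 1: Bob's incomplete profile gets none
    return results


if __name__ == "__main__":
    print(run_demo())
```

    The point of the hardened version is not the constant-time comparison but
    the absence of any input that chooses where the link goes, and the refusal
    to substitute a default for data the user never supplied; a second factor
    (an SMS code to the phone on record, say) would be the next step, but the
    two changes above remove the defect the report describes.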

    ------------------------------

    Date: Wed, 26 Jun 2019 21:12:37 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Google Maps detour traps drivers in mud

    Denver drivers followed Google's detour down a dirt road

    A crash on the main road to Denver's airport led to hour-long delays this
    week. When Google Maps offered a quick detour, nearly a hundred drivers
    were led into trouble.



    ------------------------------

    Date: Fri, 28 Jun 2019 9:28:34 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: "How Hackers Turn Microsoft Excel's Own Features Against It"

    Lily Hay Newman, WiReD, 27 Jun 2019 via ACM TechNews; Friday, June 28, 2019

    Researchers at threat intelligence company Mimecast have found that a
    feature in Microsoft's Excel spreadsheet program can be exploited to
    orchestrate Office 365 system hacks. Excel's Power Query permits the
    combination of data from various sources via a spreadsheet, which can be
    manipulated to connect to a malicious Webpage hosting malware. Said
    Mimecast's Meni Farjon, "The exploit will work in all the versions of Excel
    as well as new versions, and will probably work across all operating
    systems, programming languages, and sub-versions, because it's based on a
    legitimate feature." Farjon thinks a Power Query connection to a malicious
    site could enable attacks similar to a Dynamic Data Exchange
    exploit. Meanwhile, Microsoft's security intelligence warns of another Excel
    hack, which uses malicious macros to compromise Windows systems, even with
    the newest security updates.

    ------------------------------

    Date: Thu, 4 Jul 2019 13:22:44 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Microsoft Kills Automatic Registry Backups in Windows 10

    Microsoft Admits Windows 10 Registry Backups Don't Work

    Microsoft Kills Automatic Registry Backups in Windows 10 - ExtremeTech

    ------------------------------

    Date: Thu, 4 Jul 2019 00:14:16 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Cloudflare stutters and the Internet stumbles (ZDNet)

    An internal Cloudflare problem caused websites to fall bringing some parts
    of the internet to a crawl. ...

    How could this simple mistake cause so many problems? Cloudflare operates an
    extremely popular content delivery network (CDN). When it works right, its
    services protect website owners from peak loads, comment spam attacks, and
    Distributed Denial of Service (DDoS) attacks. When it doesn't work right,
    well, we get problems like this one.

    Cloudflare stutters and the internet stumbles | ZDNet

    ------------------------------

    Date: Wed, 3 Jul 2019 12:58:21 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Superhuman is Spying on You

    Over the past 25 years, email has weaved itself into the daily fabric of
    life. Our inboxes contain everything from very personal letters, to work
    correspondence, to unsolicited inbound sales pitches. In many ways, they are
    an extension of our homes: private places where we are free to deal with
    what life throws at us in whatever way we see fit. Have an inbox zero
    policy? That's up to you. Let your inbox build into the thousands and only
    deal with what you can stay on top of? That's your business too.

    It is disappointing then that one of the most hyped new email clients,
    Superhuman, has decided to embed hidden tracking pixels inside of the emails
    its customers send out. Superhuman calls this feature Read Receipts consent
    of its recipients, so you have most likely been conditioned to believe
    it's a simple [text garbled]

    Superhuman is Spying on You » Mike Industries

    ...FAR too long for the simple point: it's secretly monitoring recipients'
    behavior/locations.
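    The tracking pixel the item describes is a remote image the recipient's
    mail client fetches on open, which is what tells the sender when, how often
    and roughly from where the message was read. The following is an added
    example, not Superhuman's or Mike Industries' code, showing the two things
    a recipient-side defence does: flag remote images that look like beacons,
    and block remote image loading until the reader opts in. The sample message,
    hostnames, tokens and the heuristics in TOKEN_RE are constructed.

```python
"""Detecting and neutralising hidden e-mail tracking pixels.  Added example,
not Superhuman's or Mike Industries' code; the sample message is constructed."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed HTML message: one inline photo, one genuine remote logo, and two
# read-tracking beacons (a 1x1 image with a per-recipient token in its path,
# and an image hidden by CSS).
SAMPLE_EMAIL = """<html><body>
<p>Hi Alice, the photo from Saturday is attached.</p>
<img src="cid:photo1" width="400" height="300" alt="photo">
<img src="https://cdn.example.org/logo.png" width="120" height="40" alt="logo">
<img src="https://track.example.net/open/7f3a9c2e1b4d5e6f8a9b0c1d2e3f4a5b" width="1" height="1" alt="">
<img style="display: none" src="https://beacon.example.net/r.gif?u=alice-9f8e7d" alt="">
</body></html>"""

# Long opaque identifier in a URL: a hex string or a long base64url-ish run.
# Constructed heuristic; tune thresholds for your own mail.
TOKEN_RE = re.compile(r"[0-9a-f]{24,}|[A-Za-z0-9_-]{40,}", re.IGNORECASE)


class _ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in the document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({k: (v or "") for k, v in attrs})


def _tiny(value):
    """True for a width/height of at most one CSS pixel."""
    try:
        return float(value.strip().lower().rstrip("px")) <= 1
    except ValueError:
        return False


def find_tracking_pixels(html):
    """Return [(src, reasons)] for remote <img> tags that look like beacons.
    Heuristics: 1x1 or smaller, hidden by inline CSS, or a long opaque token
    in the URL.  Expect some false positives; the point is to decide whether
    remote content should load, not to prove intent."""
    parser = _ImgCollector()
    parser.feed(html)
    flagged = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue  # cid:/data: images cannot report back to a server
        style = img.get("style", "").replace(" ", "").lower()
        reasons = []
        if _tiny(img.get("width", "")) and _tiny(img.get("height", "")):
            reasons.append("1x1")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden")
        if TOKEN_RE.search(url.path + "?" + url.query):
            reasons.append("opaque-token")
        if reasons:
            flagged.append((src, reasons))
    return flagged


def block_remote_images(html):
    """Mitigation as mail clients do it: rename the src of every remote image
    to data-blocked-src so nothing is fetched until the reader opts in."""
    return re.sub(
        r'(<img\b[^>]*?)\bsrc=(["\'])(https?://[^"\']*)\2',
        r"\g<1>data-blocked-src=\g<2>\g<3>\g<2>",
        html,
        flags=re.IGNORECASE,
    )


if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL):
        print(f"{src}  <- {', '.join(reasons)}")
```

    Blocking, not detection, is the reliable control: the heuristics catch the
    obvious beacons in the constructed sample but a tracker can just as well be
    a full-size remote header image with a per-recipient URL, and the only way
    to deny the sender the open event is to fetch no remote content at all
    until the reader asks for it.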

    ------------------------------

    Date: Wed, 3 Jul 2019 16:31:39 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Attention Correction Feature in iOS 13 Beta Enables Appearance of Eye
    Contact During FaceTime Calls (MacRumors)

    A new feature in the latest iOS 13 beta makes users appear as if they're
    looking directly at the camera to make eye contact during FaceTime calls,
    when actually they're looking away from the camera at the image of the other
    person on their screen.

    https://www.macrumors.com/2019/07/03/ios-13-beta-has-facetime-attention-correction/

    ...what else can this "feature" do?

    ------------------------------

    Date: Wed, 3 Jul 2019 16:36:19 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: China Is Forcing Tourists to Install Text-Stealing Malware at its
    Border (Vice)

    The malware downloads a tourist's text messages, calendar entries, and phone
    logs, as well as scans the device for over 70,000 different files.

    https://www.vice.com/amp/en_us/arti...d-to-install-a-text-stealing-piece-of-malware

    ------------------------------

    Date: Thu, 27 Jun 2019 08:30:08 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Line just went Orwellian on Japanese users with its social credit
    scoring system

    EXCERPT:

    It appears other countries besides China are heading toward a bleak
    dystopian future where a human being is scored by their online activities.
    Only this time, it's a tech company and not a government implementing the
    social credit score. While not as bleak as China's social credit system,
    today Line, Japan's dominant social media company, introduced a slew of new
    products -- the most alarming among them, Line Score, reports the *Verge*
    https://www.theverge.com/2019/6/27/...t=chorus&utm_medium=social&utm_source=twitter

    Line Score will use AI to give a social credit score to Line users. The
    strength of their social credit score will allow them to get access to
    better special deals and offers that Line users with lower social credit
    scores will not have access to.

    While the new product is unnerving, it's not completely out of character for
    Line. Recently the company has been positioning itself as a fintech
    provider, and its Line Pay digital wallet system is wildly popular in
    Japan. Line Pay also allows users to shop for insurance and allows them to
    invest in personal portfolios. Line Score builds on top of Line Pay by
    offering those with higher scores better perks.

    However, before George Orwell rolls over in his grave, it's important to
    note that Line stresses Line Score is opt-in only and that the company will
    never share a user's Line Score with third parties without the user's
    permission and it will not read a user's online chats to determine their
    Line Score. Still, it's unnerving that tech companies seem to think that
    social credit ratings are the next big thing for now. Hopefully, this is a
    trend that will not catch on.

    https://www.fastcompany.com/9037020...e-users-with-its-social-credit-scoring-system

    ------------------------------

    Date: Thu, 4 Jul 2019 00:12:40 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: These are the sneaky new ways that Android apps track you

    Google's operating system manages access to your personal information. But
    what happens when apps refuse to play by the rules?

    https://www.fastcompany.com/9037203...y-new-ways-that-android-apps-are-tracking-you

    ------------------------------

    Date: Thu, 27 Jun 2019 22:02:39 +0100
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: Autonomous vehicles don't need provisions and protocols
    (RISKS-31.21-30).

    Not sure if this is relevant here, but one example which comes to mind is
    just around the corner from my house. There's a crossroads where a main
    road and residential street meet. At each side of the junction, the main
    road is divided into three lanes: left-hand lane (this is in drive-on-left
    Britain) is for turning left or driving straight on, with traffic lights on
    the left-hand side of the road; middle lane is for turning right, with a
    traffic light on the right-hand side of the road; and the right-hand lane is
    for traffic coming in the opposite direction.

    Drivers unfamiliar with the area are occasionally confused by separate
    traffic lights on each side of the road, so presumably autonomous vehicles
    may also have the same problem unless they can distinguish the small green
    arrows indicating the permitted direction. A possible additional
    complication is the red and green pushbutton-controlled lights for
    pedestrians and cyclists mounted on the traffic light posts at shoulder
    height.

    Personally I feel that the simplest solution would be to have some sort of
    radio/wi-fi signal for autonomous vehicles (and maybe to conventional
    vehicles with driver-information systems) giving them an unambiguous warning
    of the traffic light indication ("OK for northbound-to-westbound turns, stop
    otherwise") rather than expecting them to figure out visual signs intended
    only for humans, but then that would mean special provision for them..?

    ------------------------------

    Date: Wed, 3 Jul 2019 9:40:55 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Mobius: A Memoir (Richard Thieme)

    [Richard Thieme, a long-time friend, invites interested parties to review
    small pieces of his novel in progress as it comes off the line, offering
    suggestions. He's been around this `space' for a long time, not as long as
    I have, but at least a quarter century. I believe he has friends who may
    have worked in hidden places, but I don't believe he actually did. On the
    other hand, creative fiction sometimes bears a remarkable resemblance to
    reality. If you are interested, e-mail him at rth...@thiemeworks.com, or
    check him out at www.thiemeworks.com. PGN]

    Mobius: A Memoir
    by
    Richard Thieme
    A Note from the Author

    All CIA officers, as a condition of employment, sign the standard CIA
    secrecy agreement when entering on duty. This agreement requires submission
    of all written and spoken material to the Publications Review Board for
    approval. The absence of such submission in this instance indicates clearly
    that while some of the allusions in this memoir are to that agency, some are
    to other agencies, and some are to fictional agencies. That mashup is
    intentional. The account has been fictionalized to (1) avoid publication
    review which can drag on for years and (2) protect identities, sources and
    methods. This memoir is accordingly like a reflection in a fun-house mirror:
    recognizable but distorted, unlike agency-redacted materials which are
    distorted but unrecognizable.

    That said, the following holds true:

    While the author told the least untruthful things he could say about his
    work, this memoir is a work of fiction. Names of characters, places, and
    incidents are either the product of the author's imagination or are used
    fictitiously. Any resemblance to actual persons, living or dead, or to
    locales is entirely coincidental. In addition, the names of the author's
    colleagues have been changed to protect their identities. In particular,
    `Penny' does not refer to a specific person but is a conflation of a number
    of relationships the author had over several decades. That accounts for
    seeming contradictions and omissions.

    The author is grateful to all of his colleagues who contributed to this
    memoir. He must single out `Jamison' who willingly provided details of how
    he was taught to torture prisoners and to one physician in particular,
    referred to as `Brooks', who acknowledged that his monitoring of torture,
    learning from same, and bringing those hard-won lessons to the next session,
    might in fact constitute violations of international law dating back to
    Nuremberg and account for our withdrawal from the proceedings of the
    International Criminal Court lest the law be applied equally to all. Special
    thanks to Fatou Bensouda (not his real name, because it can't be, right?)
    for his insights in this matter.

    The incidents in this memoir took place over half a century in two dozen
    countries. The author's long-term memories are crisp despite his advanced
    age. His sleep continues to be disturbed by some of the reported incidents
    and his `partner' frequently shakes him awake when he cries out during
    nightmares. (It is a false rumor that he has sixteen flashlights in
    strategic locations in his home. He has only two and both are in bedside
    drawers).

    Richard Thieme

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.32
    ************************
     
  4. LakeGator

    Risks Digest 31.33

    RISKS List Owner

    Jul 15, 2019 6:23 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 15 June 2019 Volume 31 : Issue 33

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    How Fake News Could Lead to Real War (Politico)
    Collision on Hong Kong metro (MTR)
    Cyber-incident Exposes Potential Vulnerabilities Onboard Commercial
    Vessels (Coast Guard)
    "Vulnerabilities found in GE anesthesia machines" (Catalin Cimpanu)
    Inside the world of bogus medicine, where smoothies and salads can
    supposedly kill cancer (WashPost)
    "Robot that started fire costs Ocado $137M" (Greg Nichols)
    Anaesthetic devices 'vulnerable to hackers' (bbc.com)
    FDA seeks comment on cybersecurity warnings and security upgrades
    (Federal Register)
    EU "Galileo" GPS system remains down (BBC)
    Tiny flying insect robot has four wings and weighs under a gram
    (New Scientist)
    Smartphone payment system by Seven-Eleven Japan hacked from day 1:
    lack of two stage authentication, etc. (Japan Times)
    Border Patrol agents tried to delete their horrific Facebook posts
    -- but they were already archived (NSFW -- The Intercept)
    Professor faces 219-year prison sentence for sending missile chip
    tech to China (The Verge)
    London Police's Facial Recognition System Has 81 Percent Error Rate? (Geek)
    "GDPR: Record British Airways fine shows how data protection
    legislation is beginning to bite" (Danny Palmer)
    D-Link Agrees to Make Security Enhancements to Settle FTC Litigation
    (Federal Trade Commission)
    As Florida cities use insurance to pay $1 million in ransoms to
    hackers, Baltimore and Maryland weigh getting covered (WashPost)
    House Democrats introduce a bill to tighten airport security stings
    (WashPost)
    Introducing ERP software: The biggest risk to your business (Faz)
    European regulators to tighten rules for use of facial recognition
    (Politico)
    "New Windows 7 'security-only' update installs telemetry/snooping,
    uh, feature" (Woody Leonhard)
    "The Windows 10 misinformation machine fires up again" (Ed Bott)
    "WTF, Microsoft?" (Steven J. Vaughan-Nichols)
    "Raspberry Pi 4 won't work with some power cables due to its USB-C
    design flaw" (Liam Tung)
    Confirmed: Zoom Security Flaw Exposes Webcam Hijack Risk,
    Change Settings Now (Forbes)
    Texas County Purchases DRE Machines Over Expert Security Objections
    (Brian Bethel)
    The Hard-Luck Texas Town That Bet on Bitcoin -- and Lost (WiReD)
    Thoughtcrime --> Thoughtaccidents (WiReD)
    Mass Attacks in Public Spaces - 2018 (Secret Service National
    Threat Assessment Center)
    Google audio recordings of users leaked (Marc Thorson)
    New Bedford computer outages continue for sixth day (WBSM)
    Feds: New Bedford police officer arrested after 194 child porn
    files found on computer (WHDH)
    7-Eleven's 7pay app hacked in a day due to 'appalling security lapse'
    (TechBeacon)
    On the Bugginess of This Year's OS Betas From Apple (Daring Fireball)
    "Apple disables Walkie-Talkie app due to snooping vulnerability"
    (Adrian Kingsley-Hughes)
    Stripe Outage Smacked Businesses for Two Hours (Fortune)
    Google/Amazon/Apple are you listening to me? (Rob Slade)
    Your Pa$$word doesn't matter - Microsoft Tech Community - 731984
    (Alex Weinert)
    The New York Times blocks viewing in private mode (Thomas Koenig)
    Re: Line just went Orwellian on Japanese users with its social
    credit-scoring system (Amos Shapir)
    Re: Autonomous vehicles don't need provisions and protocols (Dan Jacobson)
    Re: Line just went Orwellian on Japanese users with its social
    credit-scoring system (Dan Jacobson)
    Fernando Corbato dies (Katie Hafner via PGN)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Fri, 5 Jul 2019 15:05:48 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: How Fake News Could Lead to Real War (Politico)

    *Ambassador Daniel Benjamin is director of the John Sloan Dickey Center for
    International Understanding at Dartmouth College and served as coordinator
    for counterterrorism at the State Department 2009-2012. Steven Simon is
    visiting professor of history at Amherst College. He served as the National
    Security Council senior director for counterterrorism and for the Middle
    East and North Africa, respectively, in the Clinton and Obama
    administrations.*

    EXCERPT:

    Who really bombed the oil tankers in the Persian Gulf two weeks ago? Was it
    Iran, as the Trump administration assured us? Or was it Saudi Arabia, the
    United Arab Emirates or Israel -- or some combination of the three?

    Here's a confession from two former senior government officials: For days
    after the attacks, we weren't sure. Both of us believed in all sincerity
    there was a good chance these actions were part of a false flag operation,
    an effort by outsiders to trigger a war between the United States and Iran.
    Even the film of Iranians hauling in an unexploded limpet mine from near the
    side of tanker, we reasoned, might be a fabrication -- deep fake footage
    just like the clip of Nancy Pelosi staggering around drunk.

    Perhaps you felt that way too. But for the two of us, with 30 years of
    government service and almost 20 more as think tankers between us -- this
    was shocking. Yes, we are card-carrying members of the Blob, the
    all-too-conventionally minded Washington foreign policy establishment, but
    we weren't sure whether to believe our government or not.

    This was more than a little disconcerting. Imagine waking up one morning and
    catching yourself thinking that alt-right conspiracy theorist Alex Jones was
    making good sense, that perhaps the Sandy Hook shooting was faked or that
    the 9/11 attacks were really an inside job? Imagine what it might be like to
    be in the grip of a conspiracy theory, when you've spent your whole
    professional life being one of those policy mandarins who could smell a
    conspiracy theory a mile away?...

    How Fake News Could Lead to Real War

    ------------------------------

    Date: Sat, 6 Jul 2019 22:33:27 +0100
    From: "Clive D.W. Feather" <cl...@davros.org>
    Subject: Collision on Hong Kong metro (MTR)

    http://www.mtr.com.hk/archive/corporate/en/press_release/PR-19-044-E.pdf

    MTR (the operators of the Hong Kong metro) are converting several lines to
    use the Thales/Alstom SelTrac system. During a test of the system outside
    service hours, the computer signaled two trains on to intersecting tracks,
    resulting in a collision; one driver was slightly injured.

    In this system, there are no fixed signals beside the track indicating
    whether it is safe to proceed. Instead, the central control computer gives
    each train a "movement authority" indicating exactly where it is allowed to
    proceed to. Only when the rear of the train passes an intersection is
    another train given a movement authority that passes over the same
    intersection. These authorities are updated every few seconds.

    Each control area (the line in question has two) has three control
    computers: A (normally active), B (hot standby), and C (warm standby). All
    three are the same design and run the same software. Computer C is at a
    different physical location. Computer A keeps B constantly updated with the
    complete status but, to prevent common mode failures, it only passes some
    data to computer C. In particular, the "Conflict Zone Data" (which I am
    guessing is a table of which train is allowed on a given intersection) is
    not passed across; computer C is expected to re-compute it independently.

    During a test, computers A and B were both turned off, causing computer C to
    take over. At this point C does not transmit any movement authorities to
    the trains, which therefore all make an emergency stop. The traffic
    controller (a person in the control centre) then tells C to allow each
    train in turn to depart, giving it a new movement authority.

    The report's conclusions are:

    (1) The software development documentation did not state that the conflict
    zone data was not passed to computer C, so no test and safety analysis was
    done.

    (2) A bug in the software meant that computer C failed to recalculate the
    conflict zone data correctly, allowing the collision.

    (3) The take-over process did not require the conflict zone data to be
    present before C moved from warm backup state to active state.
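
The takeover sequence described in the post, as an added toy model (example code written for this page, not MTR's or Thales's software): a warm standby that goes active without a conflict-zone table sees every zone as free and grants an authority over a junction another train still occupies, while a standby that must first rebuild the table from the trains' own position reports refuses the same request. Controller, train and zone names (A, C, T1, T2, J1, S2, S3) are assumptions made up for the illustration.

```python
# Added example (not MTR's or Thales's code): a toy movement-authority interlock
# with a warm standby that takes over.  Train, zone and controller names are
# assumptions made up for the illustration.
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set


class SafetyViolation(Exception):
    """Raised when an action would break the interlocking invariant."""


def rebuild_zone_table(train_reports: Dict[str, Set[str]]) -> Dict[str, str]:
    """Recompute 'which train holds which conflict zone' from the trains' own
    position reports.  A zone claimed by two trains means the data is already
    inconsistent, so the rebuild fails instead of guessing."""
    table: Dict[str, str] = {}
    for train, occupied in train_reports.items():
        for zone in occupied:
            if zone in table and table[zone] != train:
                raise SafetyViolation(f"{zone} reported by both {table[zone]} and {train}")
            table[zone] = train
    return table


@dataclass
class Controller:
    name: str
    active: bool = False
    # conflict zone -> train holding it; None means the table was never received
    zones: Optional[Dict[str, str]] = None

    def activate(self, train_reports: Dict[str, Set[str]], require_zone_data: bool) -> None:
        """Take over as the active controller.

        require_zone_data=False reproduces finding (3): the standby goes active
        without a conflict-zone table, and an absent table behaves like an empty
        one, i.e. every zone appears free.  With True the table is rebuilt from
        train reports first, and activation fails if that is not possible."""
        if require_zone_data:
            self.zones = rebuild_zone_table(train_reports)
        elif self.zones is None:
            self.zones = {}  # the unsafe default: unknown == free
        self.active = True

    def grant_authority(self, train: str, route: Iterable[str]) -> List[str]:
        """Issue a movement authority over `route`, refusing any zone held by
        another train.  Granted zones are then marked as held by `train`."""
        if not self.active or self.zones is None:
            raise SafetyViolation(f"{self.name} is not active")
        route = list(route)
        for zone in route:
            holder = self.zones.get(zone)
            if holder is not None and holder != train:
                raise SafetyViolation(f"{zone} is held by {holder}; authority for {train} refused")
        for zone in route:
            self.zones[zone] = train
        return route

    def rear_cleared(self, train: str, zone: str) -> None:
        """The rear of `train` has passed `zone`; only now may it be re-granted."""
        if self.zones is not None and self.zones.get(zone) == train:
            del self.zones[zone]


def simulate_takeover(require_zone_data: bool) -> str:
    """Replay the scenario: A and B go down while train T1 is standing on
    junction J1; C takes over and the traffic controller releases T2 over J1.
    Returns 'collision' if the authority is granted, 'held' if it is refused."""
    reports = {"T1": {"J1"}, "T2": {"S2"}}  # constructed train positions
    c = Controller("C")
    c.activate(reports, require_zone_data)
    try:
        c.grant_authority("T2", ["S2", "J1", "S3"])
    except SafetyViolation:
        return "held"
    return "collision"  # T2 now holds J1 on paper while T1 is physically on it


if __name__ == "__main__":
    print("warm standby without zone data:", simulate_takeover(False))
    print("warm standby with rebuilt zone data:", simulate_takeover(True))
```

The guard is deliberately in `activate`, not only in `grant_authority`: a controller that cannot reconstruct the occupancy table has no business issuing authorities at all, which is the gap finding (3) describes.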

    ------------------------------

    Date: Thu, 11 Jul 2019 18:00:15 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Cyber-incident Exposes Potential Vulnerabilities Onboard Commercial
    Vessels (Coast Guard)

    In February 2019, a deep draft vessel on an international voyage bound for
    the Port of New York and New Jersey reported that they were experiencing a
    significant cyber-incident impacting their shipboard network. An
    inter-agency team of cyber-experts, led by the Coast Guard, responded and
    conducted an analysis of the vessel's network and essential control
    systems. The team concluded that although the malware significantly degraded
    the functionality of the onboard computer system, essential vessel control
    systems had not been impacted. Nevertheless, the interagency response found
    that the vessel was operating without effective cybersecurity measures in
    place, exposing critical vessel control systems to significant
    vulnerabilities.

    https://www.dco.uscg.mil/Portals/9/DCO Documents/5p/CG-5PC/INV/Alerts/0619.pdf

    ------------------------------

    Date: Wed, 10 Jul 2019 09:35:41 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Vulnerabilities found in GE anesthesia machines" (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 9 Jul 2019
    Vulnerabilities found in GE anesthesia machines | ZDNet

    GE recommends not connecting vulnerable anesthesia machines to hospital
    networks.

    Security researchers have discovered vulnerabilities in two models of
    hospital anesthesia machines manufactured by General Electric (GE).

    The two devices found to be vulnerable are GE Aestiva and GE Aespire --
    models 7100 and 7900. According to researchers from CyberMDX, a healthcare
    cybersecurity firm, the vulnerabilities reside in the two devices' firmware.

    CyberMDX said attackers on the same network as the devices -- a hospital's
    network -- can send remote commands that can alter devices' settings.

    The researcher claims the commands can be used to make unauthorized
    adjustments to the anesthetic machines' gas composition, such as modifying
    the concentration of oxygen, CO2, N2O, and other anesthetic agents, or the
    gas' barometric pressure.

    CyberMDX said that such unauthorized modifications could put patients at
    risk. Furthermore, attackers could also silence device alarms for low/high
    levels of various agents and modify timestamps inside logs.

    ------------------------------

    Date: Sat, 6 Jul 2019 13:20:24 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Inside the world of bogus medicine, where smoothies and salads can
    supposedly kill cancer (WashPost)

    Companies are trying to rein in medical misinformation on social media, but
    the problem isn't just technological. It's also human.

    https://www.washingtonpost.com/life...f3ddae-7cdc-11e9-a5b3-34f3edf1351e_story.html

    ------------------------------

    Date: Wed, 10 Jul 2019 09:58:24 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Robot that started fire costs Ocado $137M" (Greg Nichols)

    Greg Nichols for Robotics | 10 Jul 2019

    Safety is a massive unaddressed issue in the rapidly evolving automation
    sector.

    Robot that started fire costs Ocado $137M | ZDNet

    In February, a robot at an Ocado fulfillment warehouse sparked a massive
    fire. The warehouse was destroyed, and the British grocer has just revealed
    the price tag of the damage: $137M.

    ------------------------------

    Date: Thu, 11 Jul 2019 07:53:59 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: Anaesthetic devices 'vulnerable to hackers' (bbc.com)

    Anaesthetic devices 'vulnerable to hackers'

    "A type of anaesthetic machine that has been used in NHS hospitals can be
    hacked and controlled from afar if left accessible on a hospital computer
    network, a cyber-security company says.

    "A successful attacker would be able to change the amount of anaesthetic
    delivered to a patient, CyberMDX said."

    The DHS CERT link GE Aestiva and Aespire Anesthesia | CISA.

    I have been digging into FDA MAUDE on a different device class over the past
    few months, and wrote a crawler using mechanize.py and beautifulsoup4 to
    fish through the HTML reports. It was easy enough to find medical device
    reports (MDRs) on the anesthesia machines mentioned in the BBC article.

    For instance:
    MAUDE Adverse Event Report: DATEX-OHMEDA, INC. AESPIRE VIEW ANESTHESIA GAS MACHINE

    "'the hospital reported a patient had cardiac arrest during a case. It was
    alleged the ventilator had stopped mechanically ventilating in pressure
    mode towards the end of the case without alarming. It was unknown how long
    ventilation had stopped. The patient was resuscitated and remains in the
    icu."

    This particular MDR, submitted by the manufacturer, is curious because it
    lists the device manufacturing date as 01/01/1970! Must be a typo.

    Another MDR:

    MAUDE Adverse Event Report: MAQUET CRITICAL CARE AB FLOW-I-C20 GAS-MACHINE, ANESTHESIA
    "It was reported that when replacing a failing internal power backup
    battery, our company representative noticed that the battery had leaked
    battery acid into the battery compartment of the anesthesia workstation.
    There was no injury reported. (b)(4)."

    The following Pareto documents deaths, malfunctions, and injuries reported
    for all devices assigned the product code BSZ -- gas-machine,
    anesthesia. The product code includes all manufacturers, including the
    Aespire and Aestiva 7100 and 7900 mentioned in the article. Here's the data
    from 01JAN2017-30JUN2019:

    Deaths -- 9
    Injury -- 65
    Malfunctions -- As shown per period (5181 total, average ~370 +/- 107
    per 60 days, or ~6 per day).

    01/01/2017-02/28/2017 364
    03/01/2017-04/30/2017 344
    05/01/2017-06/30/2017 424
    07/01/2017-08/31/2017 391
    09/01/2017-10/31/2017 346
    11/01/2017-12/31/2017 470
    01/01/2018-02/28/2018 369
    03/01/2018-04/30/2018 389
    05/01/2018-06/30/2018 420
    07/01/2018-08/31/2018 425
    09/01/2018-10/31/2018 459
    11/01/2018-12/31/2018 489
    01/01/2019-03/31/2019 88
    04/01/2019-06/30/2019 203

    Note that FDA's MAUDE platform carries a long list of disclaimers and
    advisory information about the Medical Device Report Content. Among them
    are:

    "MDR data alone cannot be used to establish rates of events, evaluate a
    change in event rates over time or compare event rates between devices. The
    number of reports cannot be interpreted or used in isolation to reach
    conclusions about the existence, severity, or frequency of problems
    associated with devices."

    Find the full list at
    MAUDE - Manufacturer and User Facility Device Experience
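
Two checks a practitioner would run over MDR data like that quoted above, as an added example (not Richard Stein's crawler): a date-plausibility pass that treats a manufacturing date of 01/01/1970 as a sentinel rather than a date (that value is the Unix epoch, which is what a zero or empty timestamp becomes when formatted), and a summary of the per-period malfunction counts that reproduces the total, the mean and the sample standard deviation stated in the post and also normalises each count by the period's actual length in days, since the periods listed are not all 60 days long. The record layout and the three sample MDR rows are constructed; the period counts are the ones given above.

```python
# Added example (not Richard Stein's crawler): sanity checks over MAUDE-style
# medical device reports.  The record layout and SAMPLE_MDRS are constructed;
# BSZ_MALFUNCTIONS holds the per-period counts quoted in the post.
from datetime import date, datetime
from statistics import mean, stdev
from typing import Dict, List, Tuple

UNIX_EPOCH = date(1970, 1, 1)


def parse_mdr_date(text: str) -> date:
    """MAUDE renders dates as MM/DD/YYYY."""
    return datetime.strptime(text, "%m/%d/%Y").date()


def flag_implausible_dates(records: List[Dict[str, str]], today: date) -> List[Tuple[str, str]]:
    """Return (report_id, reason) for manufacturing dates that cannot be right.

    01/01/1970 is the Unix epoch: a zero or empty timestamp formats to exactly
    that, so it is reported as a missing value rather than a real date."""
    findings = []
    for rec in records:
        rid = rec.get("report_id", "?")
        try:
            made = parse_mdr_date(rec["manufacture_date"])
            event = parse_mdr_date(rec["event_date"])
        except (KeyError, ValueError):
            findings.append((rid, "unparseable date"))
            continue
        if made == UNIX_EPOCH:
            findings.append((rid, "epoch sentinel 01/01/1970"))
        elif made > today:
            findings.append((rid, "manufacture date in the future"))
        elif event < made:
            findings.append((rid, "event precedes manufacture"))
    return findings


# Per-period malfunction counts quoted above, product code BSZ, 01JAN2017-30JUN2019
BSZ_MALFUNCTIONS = [
    ("01/01/2017", "02/28/2017", 364), ("03/01/2017", "04/30/2017", 344),
    ("05/01/2017", "06/30/2017", 424), ("07/01/2017", "08/31/2017", 391),
    ("09/01/2017", "10/31/2017", 346), ("11/01/2017", "12/31/2017", 470),
    ("01/01/2018", "02/28/2018", 369), ("03/01/2018", "04/30/2018", 389),
    ("05/01/2018", "06/30/2018", 420), ("07/01/2018", "08/31/2018", 425),
    ("09/01/2018", "10/31/2018", 459), ("11/01/2018", "12/31/2018", 489),
    ("01/01/2019", "03/31/2019", 88), ("04/01/2019", "06/30/2019", 203),
]


def summarize_counts(periods: List[Tuple[str, str, int]]) -> Dict[str, object]:
    """Total, mean and sample standard deviation of the raw counts, plus a rate
    normalised by each period's real length in days (the periods above are not
    all the same length; the last two cover three months each)."""
    counts = [n for _, _, n in periods]
    days = [(parse_mdr_date(end) - parse_mdr_date(start)).days + 1 for start, end, _ in periods]
    return {
        "total": sum(counts),
        "mean": round(mean(counts)),
        "sample_sd": round(stdev(counts)),
        "days": sum(days),
        "per_day": round(sum(counts) / sum(days), 1),
        "daily_rate_by_period": [round(n / d, 2) for n, d in zip(counts, days)],
    }


# Constructed rows in the shape of the MDR fields quoted above (not real MAUDE data)
SAMPLE_MDRS = [
    {"report_id": "constructed-1", "manufacture_date": "01/01/1970", "event_date": "03/14/2019"},
    {"report_id": "constructed-2", "manufacture_date": "06/02/2015", "event_date": "05/21/2019"},
    {"report_id": "constructed-3", "manufacture_date": "11/30/2019", "event_date": "07/01/2019"},
]


def demo_findings() -> List[Tuple[str, str]]:
    """Run the date check over the constructed rows as of 11 Jul 2019."""
    return flag_implausible_dates(SAMPLE_MDRS, date(2019, 7, 11))


if __name__ == "__main__":
    print(demo_findings())
    print(summarize_counts(BSZ_MALFUNCTIONS))
```

The per-period daily rates are the figure to compare across periods; the raw counts mix two-month and three-month windows, which is one more reason the MAUDE disclaimer quoted above about event rates deserves to be taken literally.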

    ------------------------------

    Date: Fri, 12 Jul 2019 11:29:15 -0700
    From: Paul Burke <box...@gmail.com>
    Subject: FDA seeks comment on cybersecurity warnings and security upgrades
    (Federal Register)

    Patient Engagement Advisory Committee; Notice of Meeting
    Meeting Sept 10 in Maryland, open to public, and comments can be sent by
    July 30. Requests to speak due by July 22

    The committee receiving comments does not approve/disapprove medical
    devices. They advise on "which factors should be considered by FDA and
    industry when communicating cybersecurity risks to patients and to the
    public, including but not limited to the content, phrasing, the methods used
    to disseminate the message and the timing of that communication. The
    recommendations will also address concerns patients have about changes to
    their devices to reduce cybersecurity risk...

    background material available to the public no later than 2 business days
    before the meeting... at
    Patient Engagement Advisory Committee

    The committee members seem politically connected, and not cyber experts, so
    one hopes they would value expert comments.
    https://www.fda.gov/advisory-commit.../roster-patient-engagement-advisory-committee

    FDA has pages of guidance on communicating device risks, (pages 7, 13-15,
    39), though not yet on cyber specifically.
    https://www.fda.gov/media/71030/download

    ------------------------------

    Date: Sun, 14 Jul 2019 15:46:53 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: EU "Galileo" GPS system remains down (BBC)

    The EU's "Galileo" GPS system is down. And it remains down, except for
    search and rescue transmissions functionality:

    https://www.bbc.com/news/science-environment-48985399

    ------------------------------

    Date: Fri, 12 Jul 2019 15:30:03 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Tiny flying insect robot has four wings and weighs under a gram
    (New Scientist)

    A solar-powered winged robot has become the lightest machine capable of
    flying without being attached to a power source.

    Weighing just 259 milligrams, the insect-inspired RoboBee X-Wing has four
    wings that flap 170 times per second. It has a wingspan of 3.5 centimetres
    and stands 6.5 centimetres high.

    The flying robot was developed by Noah Jafferis and his colleagues at
    Harvard University...

    https://www.newscientist.com/article/dn24638-four-winged-robot-flies-like-a-jellyfish/
    https://www.newscientist.com/articl...-fly-swoop-dive-and-perform-impressive-flips/
    https://www.newscientist.com/articl...-robot-has-four-wings-and-weighs-under-a-gram

    [Not encouraging. The equivalent of a mosquito bite can be deadly. PGN]

    ------------------------------

    Date: Sun, 7 Jul 2019 16:56:27 +0900
    From: "Ishikawa,chiaki" <ishi...@yk.rim.or.jp>
    Subject: Smartphone payment system by Seven-Eleven Japan hacked from day 1:
    lack of two stage authentication, etc. (Japan Times)

    The Japanese operator of the ubiquitous Seven-Eleven introduced its
    smartphone-based payment system on July 1st. It has been hacked since day
    1, and the press conference announcing the limited operation to protect the
    users revealed that the president of the operation did not know what
    "two stage authentication" is, and its VIP of IT claimed that the system did
    not have any security issues whereas

    - the system did not have two-stage authentication, and

    - the system would send out the link to change password to an e-mail address
    that is *NOT* the original e-mail address that was used when the user
    registered for the service, etc.

    Unbelievable lapse of proper security.

    No wonder it was abused from day 1.

    The press reported that about 900 users' accounts were abused and about
    55,000,000 yen (about half a million US dollars) had been used by third
    parties to buy easy-to-cash items such as cigarette cartons.

    I have read about the lapses in security mechanisms and could not believe a
    big-name company like Seven-Eleven would let such a system be put into
    operation. But it did. To be honest, ever since the emergence of web-based
    services, I have noticed a drop in the quality of software in general, not
    to mention the security side of the services, but this confirms my suspicion
    that there are many improperly trained so-called professionals in the ICT
    industry in Japan. But I am afraid that the situation may not be that great
    in other countries, either.

    Some English articles from Japan Times.
    https://www.japantimes.co.jp/news/2...e-lose-total-¥55-million-900-accounts-hacked/

    https://www.japantimes.co.jp/news/2...apan-beef-security-7pay-mobile-payment-fraud/

    Seven-Eleven has a lot to explain and clean up, and must improve their
    internal ID system, which I suspect was already known to be vulnerable to
    crackers.
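
The second lapse listed above, a reset link mailed to an address supplied in the request rather than the one on file, is the classic account-takeover shape. As an added example (not 7pay's code), here is that flaw next to a hardened reset flow: the link goes only to the registered address, the token is random, stored hashed, single-use and short-lived, and an unknown identifier produces the same silent response so the endpoint cannot be used to enumerate accounts. The second factor the post also asks for is outside this snippet. User ids, addresses (all under the reserved `.invalid` domain), the placeholder reset URL and the recording mailer are constructed.

```python
# Added example (not 7pay's code): a password-reset flow that trusts a
# caller-supplied delivery address, next to a hardened version.  Accounts,
# addresses, RESET_URL and the Mailer stand-in are constructed.
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

RESET_URL = "https://example.invalid/reset?token="  # placeholder, not a real endpoint


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    salt = salt or os.urandom(16)
    return salt + hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def verify_password(password: str, stored: bytes) -> bool:
    salt, digest = stored[:16], stored[16:]
    return hmac.compare_digest(hash_password(password, salt)[16:], digest)


@dataclass
class Account:
    user_id: str
    email: str            # the address given at registration
    password_hash: bytes


class Mailer:
    """Stand-in that records outbound mail instead of sending it."""
    def __init__(self) -> None:
        self.sent: List[Tuple[str, str]] = []   # (recipient, body)

    def send(self, to: str, body: str) -> None:
        self.sent.append((to, body))


class VulnerableResetService:
    """Mails the link to whatever address the request names."""
    def __init__(self, accounts: Dict[str, Account], mailer: Mailer) -> None:
        self.accounts, self.mailer, self.pending = accounts, mailer, {}

    def request_reset(self, user_id: str, deliver_to: str) -> None:
        if user_id in self.accounts:
            token = secrets.token_urlsafe(32)
            self.pending[token] = user_id
            self.mailer.send(deliver_to, RESET_URL + token)   # BUG: attacker-chosen address


class HardenedResetService:
    """Link only to the registered address; token random, stored hashed,
    single-use, short-lived; unknown ids get the same silent response."""
    TOKEN_TTL = 15 * 60   # seconds

    def __init__(self, accounts: Dict[str, Account], mailer: Mailer) -> None:
        self.accounts, self.mailer = accounts, mailer
        self.pending: Dict[str, Tuple[str, float]] = {}  # sha256(token) -> (user, expiry)

    def request_reset(self, user_id: str, now: float) -> None:
        acct = self.accounts.get(user_id)
        if acct is None:
            return                      # no error, no mail: nothing to enumerate
        token = secrets.token_urlsafe(32)
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (acct.user_id, now + self.TOKEN_TTL)
        self.mailer.send(acct.email, RESET_URL + token)   # registered address only

    def complete_reset(self, token: str, new_password: str, now: float) -> bool:
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)   # pop: a token is usable at most once
        if entry is None or now > entry[1]:
            return False
        self.accounts[entry[0]].password_hash = hash_password(new_password)
        return True


def run_scenario() -> Dict[str, object]:
    """An attacker who knows only the victim's user id asks both services for a reset."""
    def fresh_accounts() -> Dict[str, Account]:
        return {"victim": Account("victim", "victim@example.invalid", hash_password("old-secret"))}

    vuln_mail = Mailer()
    VulnerableResetService(fresh_accounts(), vuln_mail).request_reset("victim", "attacker@example.invalid")

    hard_mail, accounts = Mailer(), fresh_accounts()
    svc = HardenedResetService(accounts, hard_mail)
    svc.request_reset("victim", now=1000.0)
    svc.request_reset("nobody", now=1000.0)          # unknown user: nothing is sent
    token = hard_mail.sent[0][1][len(RESET_URL):]
    first = svc.complete_reset(token, "new-secret", now=1060.0)
    replay = svc.complete_reset(token, "other", now=1061.0)
    svc.request_reset("victim", now=2000.0)
    late = svc.complete_reset(hard_mail.sent[1][1][len(RESET_URL):], "x",
                              now=2000.0 + HardenedResetService.TOKEN_TTL + 1)
    return {
        "vulnerable_link_sent_to": vuln_mail.sent[0][0],
        "hardened_link_sent_to": hard_mail.sent[0][0],
        "hardened_mail_count": len(hard_mail.sent),
        "first_use_ok": first, "replay_ok": replay, "expired_ok": late,
        "new_password_works": verify_password("new-secret", accounts["victim"].password_hash),
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(f"{k}: {v}")
```

Storing only the hash of the token means a leaked pending-reset table does not hand out working links; popping the entry on first use is what makes a replayed link fail.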

    ------------------------------

    Date: Sat, 6 Jul 2019 07:15:56 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Border Patrol agents tried to delete their horrific Facebook posts
    -- but they were already archived (NSFW -- The Intercept)

    https://theintercept.com/2019/07/05/border-patrol-facebook-group/

    [via NNSquad]

    ------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Sat, 6 Jul 2019 11:58:06 -0400
    Subject: Professor faces 219-year prison sentence for sending missile chip
    tech to China (The Verge)

    https://www.theverge.com/2019/7/6/2...conductors-trial-professor-yi-chi-shih-guilty

    ------------------------------

    Date: Mon, 8 Jul 2019 15:10:00 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: London Police's Facial Recognition System Has 81 Percent Error Rate?
    (Geek)

    Don't be surprised if you're arrested next time you visit the UK.

    Facial recognition technology trialed by the Metropolitan Police is
    reportedly 81 percent inaccurate. The system, according to a study by the
    University of Essex mistakenly targets four out of five innocent people as
    wanted suspects.

    It is likely to be found unlawful if challenged in court.

    In order to compile an independent report on the London police service's
    testing, Peter Fussey and Daragh Murray were granted what the University
    called *unprecedented* access to six of the 10 trials, completed between
    June 2018 and February 2019.

    The pair joined officers in LFR control rooms and on the ground; they also
    attended briefing and debriefing sessions and planning meetings...

    https://www.geek.com/tech/london-po...ion-system-has-81-percent-error-rate-1794564/

    ------------------------------

    Date: Mon, 08 Jul 2019 10:04:32 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "GDPR: Record British Airways fine shows how data protection
    legislation is beginning to bite" (Danny Palmer)

    https://www.zdnet.com/article/gdpr-...-protection-legislation-is-beginning-to-bite/

    Danny Palmer | 8 Jul 2019

    The ICO's proposed £183m fine should act as a wake-up call for other
    organisations: make sure your cybersecurity and data protection policies are
    GDPR-compliant - or you could be next.

    opening text:

    It was always only a matter of time, and a little over a year after General
    Data Protection Regulation (GDPR) came into force across Europe, a data
    protection agency has announced plans to issue the first mega-fine as the
    result of a data breach.

    ------------------------------

    Date: Tue, 9 Jul 2019 00:15:45 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: D-Link Agrees to Make Security Enhancements to Settle FTC
    Litigation (Federal Trade Commission)

    Commission alleged the company failed to secure its routers and
    Internet-connected cameras

    Smart home products manufacturer D-Link Systems, Inc., has agreed to
    implement a comprehensive software security program in order to settle
    Federal Trade Commission allegations over misrepresentations that the
    company took reasonable steps to secure its wireless routers and
    Internet-connected cameras.

    The settlement ends FTC litigation against D-Link stemming from a 2017
    complaint
    <https://www.ftc.gov/news-events/pre...ink-put-consumers-privacy-risk-due-inadequate>
    in which the agency alleged that, despite claims touting device security,
    vulnerabilities in the company's routers and Internet-connected cameras left
    sensitive consumer information, including live video and audio feeds,
    exposed to third parties and vulnerable to hackers.

    ``We sued D-Link over the security of its routers and IP cameras, and these
    security flaws risked exposing users' most sensitive personal information to
    prying eyes,'' said Andrew Smith, Director of the FTC's Bureau of Consumer
    Protection. ``Manufacturers and sellers of connected devices should be aware
    that the FTC will hold them to account for failures that expose user data to
    risk of compromise.''

    Despite promoting the security of its products by claiming it offered
    ``advanced network security,'' D-Link failed to perform basic secure
    software development, including testing and remediation to address
    well-known and preventable security flaws, according to the FTC's
    complaint. These flaws included using hard-coded login credentials on its
    D-Link camera software with the easily guessed username and password,
    ``guest,'' and storing mobile app login credentials in clear, readable text
    on a user's mobile device.

    As part of the proposed settlement, D-Link is required
    <https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf>
    to implement a comprehensive software security program, including specific
    steps to ensure that its Internet-connected cameras and routers are
    secure. This includes implementing security planning, threat modeling,
    testing for vulnerabilities before releasing products, ongoing monitoring to
    address security flaws, and automatic firmware updates, as well as accepting
    vulnerability reports from security researchers.

    In addition, D-Link is required for 10 years to obtain biennial,
    independent, third-party assessments of its software security program. The
    assessor must keep all documents it relies on for its assessment for five
    years and provide them to the Commission upon request. The settlement also
    requires the assessor to identify specific evidence for its findings -- and
    not rely solely on the assertions of D-Link's management. Finally, the order
    gives the FTC authority to approve the third-party assessor D-Link chooses.

    https://www.ftc.gov/news-events/pre...e-security-enhancements-settle-ftc-litigation
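
Of the two flaws the complaint names, hard-coded credentials with "guest" as both username and password is the one a static check catches before release. The scanner below is an added example (not D-Link's or the FTC's code): it walks source or config lines, flags credential-looking assignments whose value is a literal, rates known defaults and empty strings as weak, skips values that are references (environment variables, templates, function calls), and reports when any username literal equals any password literal. The regexes and the sample lines are constructed.

```python
# Added example (not D-Link's or the FTC's code): a static check for hard-coded
# and default credentials in source or config text.  Patterns, default lists and
# SAMPLE_SOURCE are constructed for the illustration.
import re
from typing import Dict, List

CRED_LINE = re.compile(r"""(?ix)
    \b(?P<key>(?:\w*[_-])?(?:user(?:name)?|login|pass(?:word|wd)?|pwd|secret|api[_-]?key|token))\b
    \s*(?:=>|[:=])\s*
    (?:"(?P<dq>[^"]*)"
      |'(?P<sq>[^']*)'
      |(?P<bare>[^\s;,]+))
""")
# Values that are references rather than literals: env vars, templates, calls
NOT_A_LITERAL = re.compile(r"^(\$|%|\{\{|<|[\w.]+\(|os\.environ|getenv)")
WEAK_DEFAULTS = {"", "admin", "guest", "root", "user", "password", "passwd",
                 "default", "1234", "12345", "123456", "changeme"}
USER_KEYS = ("user", "username", "login")
PASS_KEYS = ("pass", "password", "passwd", "pwd")


def scan_lines(lines: List[str]) -> List[Dict[str, object]]:
    """Return one finding per literal credential assignment, plus one finding
    for every value used both as a username and as a password."""
    findings: List[Dict[str, object]] = []
    users: Dict[str, int] = {}
    passwords: Dict[str, int] = {}
    for lineno, line in enumerate(lines, 1):
        for m in CRED_LINE.finditer(line):
            key = m.group("key").lower()
            value = next(v for v in (m.group("dq"), m.group("sq"), m.group("bare")) if v is not None)
            if NOT_A_LITERAL.match(value):
                continue   # e.g. password = getenv("CAM_PASSWORD")
            issue = "weak-default" if value.lower() in WEAK_DEFAULTS else "hard-coded"
            findings.append({"line": lineno, "key": key, "value": value, "issue": issue})
            if key.endswith(USER_KEYS):
                users[value] = lineno
            if key.endswith(PASS_KEYS):
                passwords[value] = lineno
    for shared in users.keys() & passwords.keys():
        findings.append({"line": passwords[shared], "key": "password",
                         "value": shared, "issue": "username-equals-password"})
    return findings


# Constructed lines mimicking firmware source and an ini-style config (not D-Link's code)
SAMPLE_SOURCE = [
    'static const char *username = "guest";',      # 1: default username
    'static const char *password = "guest";',      # 2: same literal as the username
    'api_key = "cam-api-key-constructed-0001"',    # 3: hard-coded secret
    'password = getenv("CAM_PASSWORD")',           # 4: reference, not a literal
    'token: ${CAMERA_TOKEN}',                      # 5: template placeholder
    'username=admin',                              # 6: ini-style default
    'db_password = ""',                            # 7: empty password
]

if __name__ == "__main__":
    for f in scan_lines(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['key']} = {f['value']!r} ({f['issue']})")
```

In a build pipeline this runs over the firmware tree and the mobile app's resources; the complaint's other finding, credentials stored in clear text on the handset, is a runtime storage decision and is not something this check sees.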

    ------------------------------

    Date: Sun, 7 Jul 2019 21:02:00 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: As Florida cities use insurance to pay $1 million in ransoms to
    hackers, Baltimore and Maryland weigh getting covered (WashPost)

    https://www.washingtonpost.com/loca...c0dc16-9f77-11e9-9ed4-c9089972ad5a_story.html

    ------------------------------

    Date: Sun, 7 Jul 2019 21:02:29 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: House Democrats introduce a bill to tighten airport security stings
    (WashPost)

    https://www.washingtonpost.com/tran...troduce-bill-tighten-airport-security-stings/

    ------------------------------

    Date: Thu, 11 Jul 2019 08:10:33 +0200
    From: Thomas Koenig <tko...@netcologne.de>
    Subject: Introducing ERP software: The biggest risk to your business (Faz)

    If you want to see the face of a CEO of a company which has just
    introduced new ERP software, look at

    https://www.faz.net/aktuell/wirtsch...rnt-liqui-moly-chef-ernst-prost-16277813.html

    (the article itself is in German).

    ERP (enterprise resource planning) software is absolutely central to what
    companies do these days - almost all business processes are done using this
    software.

    The company in question, Liqui Moly, has just switched from home-grown
    COBOL programs to an ERP supplier and is now facing increased costs and
    delays in their business processes ("Only the hourglass is running on
    everybody's screen...").

    To keep delivery dates, new people have to be hired, containers are only
    half filled, trucks have to wait, and expensive air freight needs to be
    booked.

    The vendor for his ERP software is not mentioned, because "this is such
    a typical problem." And yet, this kind of thing has attracted very little
    attention, probably because nobody likes to talk about their failures.

    Let us hope that this article helps to break the circle of silence.

    ------------------------------

    Date: Tue, 9 Jul 2019 7:49:28 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: European regulators to tighten rules for use of facial recognition
    (Politico)

    Mark Scott and Laurens Cerulus, Politico Europe:

    Europe's privacy watchdogs are looking to beef up restrictions for the use
    of facial recognition in a move that will affect how governments and big
    tech companies use the technology. Data protection agencies will discuss new
    guidelines Tuesday at a joint meeting in Brussels that would reclassify
    facial recognition data as biometric data, which under European privacy
    rules requires explicit consent from the person whose data is being
    collected. Under the GDPR, biometric information -- a category under which
    the technology would soon fall -- is considered as sensitive data, meaning
    that its collection is prohibited
    https://ec.europa.eu/info/law/law-t...l-views-protected_en?utm_source=POLITICO.EU
    unless individuals give explicit consent or the information has been made
    public.

    The draft change, which was confirmed by two data protection officials from
    different authorities who spoke on the condition of anonymity because the
    guidelines are not yet public, has potentially far-reaching impact at a time
    when facial recognition tools are becoming more widespread in public spaces
    and consumer technology. More stringent demands for consent could challenge
    police forces and security services that are turning to facial recognition
    to keep tabs on crowds, with experiments already under way or completed in
    London,

    They are also likely to weigh on tech companies like Facebook. The social
    media giant reintroduced its use of facial recognition
    in Europe last year following a ban. The company had used the onset of the
    General Data Protection Regulation (GDPR) as a chance to ask users whether
    they want to opt in to using the platform's facial recognition tool for
    automatic tagging of their photographs. At the time, privacy activists
    argued that the consent was not valid because even users who opted out would
    have their biometric data scanned.

    The Irish Data Protection agency -- Facebook's lead regulator within the EU
    -- sought guidance from other European agencies. A spokesman for Facebook
    declined to comment. ``We'll get the right level of consent to use facial
    recognition going forward,'' Stephen Deadman, Facebook's global deputy chief
    privacy officer, said in an interview last year in reference to the
    technology's rollout in Europe.

    If companies and governments fail to obtain a higher level of consent, they
    may not be able to deploy facial recognition tools. Current tools for
    obtaining consent for video surveillance, like signs informing people they
    being recorded, are not likely to meet the higher standard of consent
    required for collection of biometric data.

    The guidelines are expected to go through a public consultation process
    before being finalized by the watchdogs. A spokesperson for the European
    Data Protection Board, the pan-EU group of privacy regulators, declined to
    comment.

    ------------------------------

    Date: Thu, 11 Jul 2019 08:43:07 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "New Windows 7 'security-only' update installs telemetry/snooping,
    uh, feature" (Woody Leonhard)

    Woody Leonhard, Columnist, Computerworld

    https://www.computerworld.com/artic...te-installs-telemetrysnooping-uh-feature.html

    Three years ago, Microsoft promised to keep Win7 and 8.1 updated with two
    tracks of patches -- Monthly Rollups that include everything and
    "security-only" patches that are supposed to be limited to security
    fixes. Guess what just happened.

    ------------------------------

    Date: Sun, 07 Jul 2019 20:16:05 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "The Windows 10 misinformation machine fires up again" (Ed Bott)

    Ed Bott, ZDNet, 8 Jul 2019
    https://www.zdnet.com/article/the-windows-10-misinformation-machine-fires-up-again/

    The loudest voices screaming about Windows 10 sometimes have no idea what
    they're talking about. Case in point: This dire warning from Gordon Kelly at
    Forbes, who is as ill-informed as ever.

    opening text:

    Gordon Kelly of Forbes is at it again, pushing his unique blend of scary
    words about Windows 10, mixed with an absolutely overwhelming lack of
    knowledge about the underlying technologies.

    [And so on. He then debunks Kelly. The risk? At least one of them is
    wrong. There is a lot of wrong data out there. Too many people have an
    overly high opinion of their opinions. (It is hard to avoid, and I do not
    think that I do a perfect job myself.) In the middle of this mess, we have
    to work out what is or appears to be true and decide what to do. I wish it
    were easier.]

    ------------------------------

    Date: Thu, 11 Jul 2019 08:39:03 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "WTF, Microsoft?" (Steven J. Vaughan-Nichols)

    Steven J. Vaughan-Nichols, Computerworld
    For months Microsoft hid the fact that its Registry backup feature no longer
    worked, while Windows 10 kept reporting that it was completing
    successfully. What were you thinking, guys?

    https://www.computerworld.com/article/3406846/wtf-microsoft.html

    selected text:

    When things have gone wrong on standalone Windows machines -- and they often
    have -- one of my repair tricks of last resort has been to restore the
    Windows Registry to an earlier known good state. A lot of times, doing a
    restore was faster than a backup.

    Good thing I haven't had to do that lately, though. Microsoft quietly
    removed this feature in October 2018's Windows 10 version 1803. But it
    didn't bother to tell users about it until late June 2019.

    But let's get back to the really important question for Microsoft: Why did
    you hide this from users? Windows kept reporting that the backups were being
    *completed successfully*. But were you to browse to the
    \Windows\System32\config\RegBack folder in Windows Explorer, you would see
    each Registry hive backup -- with a size of 0Kbit. Zero.

    I said ``were you to browse'' -- meaning, on the slim, not to say minuscule,
    chance that you would do this. I mean, I always dive deep into obscure
    file folders to make sure the operating system isn't lying to me when it
    tells me a job has been completed. Doesn't everyone?

    That is the real pain in the rump of this entire affair: not that the
    feature is missing, but that Windows lied to its users, and Microsoft hid
    this from us for months. That is unacceptable.
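
The column's point generalises: a "completed successfully" status is a claim, not evidence, and the artefact has to be checked. The script below is an added example (not Microsoft's code) of that check for the RegBack case: each expected hive file must exist, be non-empty and begin with the four-byte `regf` signature every registry hive carries. The hive names are the standard RegBack contents; the path, the 4 KiB padding and the demo directory it builds when it is not running on Windows are assumptions.

```python
# Added example (not Microsoft's code): verify backup artefacts instead of
# trusting a success status.  HIVES are the standard RegBack file names and
# b"regf" is the registry hive header; REGBACK_DIR and make_demo_dir() are
# assumptions made for the illustration.
import os
import tempfile
from typing import List, Sequence, Tuple

REGBACK_DIR = r"C:\Windows\System32\config\RegBack"
HIVES: Sequence[str] = ("DEFAULT", "SAM", "SECURITY", "SOFTWARE", "SYSTEM")
HIVE_SIGNATURE = b"regf"


def audit_backup_dir(path: str, expected: Sequence[str] = HIVES) -> List[Tuple[str, str]]:
    """Return (hive, problem) pairs; an empty list means every expected hive is
    present, non-empty and starts with a hive header."""
    problems: List[Tuple[str, str]] = []
    for name in expected:
        full = os.path.join(path, name)
        if not os.path.isfile(full):
            problems.append((name, "missing"))
            continue
        if os.path.getsize(full) == 0:
            problems.append((name, "zero bytes"))   # the case in the column
            continue
        with open(full, "rb") as fh:
            if fh.read(len(HIVE_SIGNATURE)) != HIVE_SIGNATURE:
                problems.append((name, "bad signature"))
    return problems


def make_demo_dir() -> str:
    """Constructed RegBack look-alike: one empty hive, one valid-looking hive,
    one corrupt file, two hives missing."""
    d = tempfile.mkdtemp(prefix="regback-demo-")
    open(os.path.join(d, "SAM"), "wb").close()                  # 0 bytes
    with open(os.path.join(d, "SYSTEM"), "wb") as fh:
        fh.write(HIVE_SIGNATURE + b"\0" * 4092)                 # header plus padding
    with open(os.path.join(d, "SOFTWARE"), "wb") as fh:
        fh.write(b"not a hive")                                 # wrong header
    return d


if __name__ == "__main__":
    target = REGBACK_DIR if os.path.isdir(REGBACK_DIR) else make_demo_dir()
    for hive, problem in audit_backup_dir(target) or [("all hives", "ok")]:
        print(f"{hive}: {problem}")
```

Run on a machine, the script reads the real RegBack folder; anywhere else it audits the constructed directory so the failure modes can be seen. The same three tests (exists, non-empty, recognisable header) apply to any backup job whose only other evidence is its own log line.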

    ------------------------------

    Date: Wed, 10 Jul 2019 09:30:33 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Raspberry Pi 4 won't work with some power cables due to its USB-C
    design flaw" (Liam Tung)

    Liam Tung, ZDNet, 9 Jul 2019
    Did Raspberry Pi Foundation fail to test Raspberry Pi 4 properly?
    Either way, one expert says new flagship is not USB-C compliant and
    must be fixed.
    https://www.zdnet.com/article/raspb...me-power-cables-due-to-its-usb-c-design-flaw/

    opening text:

    The Raspberry Pi Foundation has confirmed its brand-new Raspberry Pi 4 Model
    B has a problem with some USB-C cables failing to charge the little
    computer.

    The Raspberry Pi 4 is the first version to include a USB-C port capable of
    supplying power to it. The problem, as some early users have found, is that
    certain charging cables don't work. But they would have if the Raspberry Pi
    Foundation had simply followed the USB-C specification to the letter.

    ------------------------------

    Date: Tue, 9 Jul 2019 12:28:57 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Confirmed: Zoom Security Flaw Exposes Webcam Hijack Risk,
    Change Settings Now (Forbes)

    Forwarded message:

    Seems to be specific to Mac users of the Zoom videoconferencing app, but all
    should check your settings.

    https://www.forbes.com/sites/zakdof...-risk-webcam-hijack-change-your-settings-now/

    I have a tough-to-hack handy slide shield over my iPad camera (not that iOS
    seems implicated in this risk).

    ------------------------------

    Date: Wed, 10 Jul 2019 4:06:28 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Texas County Purchases DRE Machines Over Expert Security Objections
    (Brian Bethel)

    Taylor County elections chief defends security of new voting system
    Brian Bethel, Politico, July 8, 2019
    County plans to spend more than $2.1 million to upgrade its voting machines,
    replacing machines bought in 2005 with newer, touch-screen models.

    That decision, likely to be cemented by county commissioners Tuesday, has
    raised questions from a science advocacy organization, the Center for
    Scientific Evidence in Public Issues (EPI Center). It recommends the use of
    paper ballots as a way of ensuring that votes are counted securely and
    accurately.

    But Freda Ragan, the county's elections administrator, countered Monday that
    the type of machines selected, known as direct recording electronic machines
    (DREs) are highly secure, with redundancies built in and no remote access.

    The system should be familiar to voters, while making the path smooth for
    the county's elections office, she said.

    "There are currently no state mandates or requirements for counties to
    purchase paper," Ragan said.

    The system the county likely will purchase does have the ability to be
    converted to paper ballots, "if we are ever required or mandated to do so,"
    she said.


    Ragan said in an email last week the voting program being considered,
    Texas-based Hart InterCivic's Verity Voting system, is already in use
    throughout the state.

    The system attained certification from the federal U.S. Election Assistance
    Commission, she said, and successfully has passed through Texas Secretary of
    State Elections Office independent testing and certification processes.

    To be awarded certification at the federal level, by the EAC, and to attain
    state certification, which is required in Texas, voting systems must meet or
    exceed established security standards.

    ------------------------------

    Date: Thu, 11 Jul 2019 20:37:36 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The Hard-Luck Texas Town That Bet on Bitcoin -- and Lost (WiReD)

    In 1952, The Saturday Evening Post christened Rockdale, Texas, ``The Town
    Where It Rains Money.'' An estimated 100-million tons of lignite coal lay
    buried a few miles south of the city limits, and Alcoa had just swooped in
    to build a $100-million smelter that would use the cheap energy source to
    produce aluminum for fighter planes, skyscrapers, automobiles, and
    more. ``At the mere mention of somebody blowing into town with $100,000,000
    to spend, many citizens were seized by attacks of vertigo,'' wrote local
    author George Sessions-Perry. ``Others merely went off and lay down in an
    effort to regain their composure. Then things began to happen.''

    Seemingly overnight, Rockdale's population doubled to 5,000. A photo
    accompanying the Post story shows resident millionaire H. H. ``Pete''
    Coffield and the mayor hosting a party for new Alcoa employees on a patio
    surrounded by a lush garden. The women wear cocktail dresses, and the men
    wear ties. ``What makes us feel best of all,'' Sessions-Perry continued,
    ``is that we're making a sizable pile of something that the nation needs.''

    More recently, though, prosperity has eluded Rockdale. The Alcoa smelter was
    shuttered in 2008, and an adjoining coal-fired power plant closed last
    year. More than 1,000 jobs vanished, sending Rockdale and surrounding Milam
    County, population 25,000, into a nosedive.

    Then, last summer, a ray of hope pierced the gloom. Bitmain, a Chinese
    company that makes specialized computers for ``mining'' cryptocurrency, said
    it would invest $500 million in what was to be the world's largest
    bitcoin-mining facility at the closed Alcoa smelter, which, crucially, was
    still connected to massive electrical lines. The large buildings where
    aluminum was made, called potrooms, would be filled with shipping containers
    stocked with 325,000 mining machines. Most important for Milam County,
    Bitmain promised to create between 400 and 600 jobs. New industry would
    replace the old.

    https://www.wired.com/story/hard-luck-texas-town-bet-bitcoin-lost/

    ------------------------------

    Date: Wed, 10 Jul 2019 17:40:16 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Thoughtcrime --> Thoughtaccidents (WiReD)

    https://www.wired.com/story/waze-data-help-predict-car-crashes-cut-response-time/

    FOOD FOR THOUGHT

    Users of the Google traffic app Waze are fastidious about reporting all
    manner of roadside obstacles and slowdowns, including traffic accidents.
    Some studies show that "Wazers" actually report crashes more quickly than
    callers to emergency services. Aarian Marshall reports for Wired on
    researchers now seeing if they can combine vast amounts of Waze reports with
    other data sets to predict crashes before they happen. It's not an easy
    problem, as computer apps generally are not good at predicting rare events.

    ``You have to have a lot of data, and diverse types of data, and then be
    able to analyze it for it to be actionable instead of just piling up,'' says
    Christopher Cherry, an engineering professor with the University of Kentucky
    who recently completed a study of how traffic data could be used to improve
    road safety. The traffic data itself is useful, sure. But to predict the
    risk of crashes, and to prevent them, you should also probably have a sense
    for where crashes are happening, and what the roads in question look like,
    and how those roads perform under different weather conditions. And then you
    have to link all those datasets up and help them ``talk'' to each other --
    no small feat.

    ------------------------------

    Date: Thu, 11 Jul 2019 18:01:46 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Mass Attacks in Public Spaces - 2018 (Secret Service National
    Threat Assessment Center)

    https://www.secretservice.gov/data/press/reports/USSS_FY2019_MAPS.pdf

    ------------------------------

    Date: Fri, 12 Jul 2019 11:23:31 -0700
    From: Mark Thorson <e...@dialup4less.com>
    Subject: Google audio recordings of users leaked

    "More than 1,000 recordings were obtained by Belgian broadcaster VRT NWS,
    which noted in a story that some contained sensitive personal conversations
    --- as well as information that identified the person speaking."

    I suppose it's bad enough when a company obtains sensitive personal
    information without the full awareness of the user, but then they gotta leak
    it too?

    http://www.taipeitimes.com/News/biz/archives/2019/07/13/2003718564

    ------------------------------

    Date: Fri, 12 Jul 2019 18:09:17 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: New Bedford computer outages continue for sixth day (WBSM)

    https://www.southcoasttoday.com/news/20190710/new-bedford-computer-outages-continue-for-sixth-day

    Earlier:
    https://wbsm.com/new-bedford-computer-outage-spreads-to-fire-department/

    ------------------------------

    Date: Fri, 12 Jul 2019 18:10:02 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Feds: New Bedford police officer arrested after 194 child porn
    files found on computer (WHDH)

    https://whdh.com/news/feds-new-bedf...after-194-child-porn-files-found-on-computer/

    ------------------------------

    Date: Fri, 12 Jul 2019 15:53:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: 7-Eleven's 7pay app hacked in a day due to 'appalling security
    lapse' (TechBeacon)

    7-Eleven in Japan caused hundreds of customers to lose about $600 each.
    Hackers stole the money via the convenience store's newly launched mobile
    payments app, 7pay.

    The app design had a frankly ludicrous flaw in its lost-password UX. As the
    reality of the stupendous error sinks in, infosec experts are left
    scratching their heads, dumbfounded.

    https://techbeacon.com/security/7-elevens-7pay-app-hacked-day-due-appalling-security-lapse

    ------------------------------

    Date: Thu, 11 Jul 2019 16:46:16 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: On the Bugginess of This Year's OS Betas From Apple
    (Daring Fireball)

    https://daringfireball.net/linked/2019/07/09/ulysses-icloud-os-betas

    ------------------------------

    Date: Thu, 11 Jul 2019 09:03:55 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Apple disables Walkie-Talkie app due to snooping vulnerability"
    (Adrian Kingsley-Hughes)

    Adrian Kingsley-Hughes, ZDNet, 11 Jul 2019

    The feature has been disabled while Apple fixes the bug.
    https://www.zdnet.com/article/apple-disables-walkie-talkie-app-due-to-snooping-vulnerability/

    opening text:

    Apple has temporarily disabled the Walkie-Talkie app on the Apple Watch due
    to a vulnerability that could allow someone to eavesdrop on an iPhone
    without the owner's consent.

    Also
    Apple disables Walkie Talkie app due to vulnerability that could
    allow iPhone eavesdropping (TechCrunch)
    https://techcrunch.com/2019/07/10/a...bility-that-could-allow-iphone-eavesdropping/

    ------------------------------

    Date: Fri, 12 Jul 2019 16:09:43 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Stripe Outage Smacked Businesses for Two Hours (Fortune)

    Stripe, one of the most valuable financial technology startups in the world,
    was hit with one of its longest periods of downtime ever on Wednesday. The
    company's services were offline for almost two hours cumulatively throughout
    the day, meaning some companies that rely on Stripe to process payments
    could not accept orders during that time.

    Stripe was last valued by investors at $23 billion, and builds software
    and payment infrastructure to help businesses accept money online.

    https://fortune.com/2019/07/11/stripe-outage-technology-payment-processing/

    ------------------------------

    Date: Fri, 12 Jul 2019 12:23:20 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Google/Amazon/Apple are you listening to me?

    One of the kids uses Siri. Another uses Alexa. My baby brother uses "Hey
    Google" on his Android phone. (His eyes are going, and I'm a bit jealous
    because I really *hate* those soft keyboards ...)

    Way back when PDAs (remember them?) first started to become a "thing," I
    predicted that they wouldn't be big until they could talk (and listen) to
    us. What I did *not* foresee was that the heavy lifting in the listening
    department would be done by giant servers at the corporate end, and that,
    therefore, all of our interactions with the devices would be accessible to
    giant enterprises that would mine all of our conversations in a way that
    makes "big data" look like a little black book.

    I don't use Siri or Cortana or Hey Google, and, whenever one of them
    switches on I turn it off. My TV is cheap enough that it doesn't have a
    camera or a microphone. I don't have one of those cylinders or pucks that
    turns on your lights because I don't have smart light bulbs. We don't have
    to have constant "tunes" or "playlists" playing in the house. (This
    actually leaves Gloria and me free to talk to each other, something that we
    apparently do much more than most people.)

    My extremely old car does have a computer in it, but it only talks to the
    service department (and then only when I bring it in). We drive little
    enough, now, that, by the time I have to replace it, I may be able to simply
    get rid of it and use taxis. (Yes, taxis. I know some of you *love*
    ride-sharing, but I still see too many problems with it to go that route.
    Besides, for most of my transport-related problems, I see very few issues
    that the 210 bus doesn't solve.) So I probably won't have to get used to a
    self-driving car, that's talking with every other car on the road (*and* the
    manufacturer, *and* my insurer, *and* the local police). (As much as I hate
    machines that think they are smarter than I am, I do believe we should get
    the self-driving cars on the road as quickly as possible, because, for all
    the "this car killed its driver" anecdotes, they already drive better than
    we do, and it would, even now, save lives.)

    This may sound funny, as I'm writing this on a computer, and I'm surrounded
    by three more computers and another three "devices." But, as the joke has
    it, I'm not going to worry about all my computers ganging up on me until the
    computer actually starts reliably talking to the printer that's right beside
    it. I still have to reboot my cable modem (and sometimes short out the coax
    cable) to get the Internet back at times, and I still have to power cycle
    the spiffy new PVR the cable company gave me to fix problems with the old
    one.

    It's not the computers that scare me, it's the companies. Facebook, of
    course, has amply demonstrated that it cares nothing about its users.
    Google scared me, initially, with the masses of information it collected,
    but, over the years, the "don't be evil" mantra seemed to work out.
    Recently, though, Google has demonstrated some very worrying tendencies.
    Apple has always wanted to lock you into their world, but hasn't seemed to
    care for much beyond getting you. Microsoft, of course, was always the big
    evil empire, but lately isn't quite so ... big.

    And, no, thanks, I *don't* want the government to take over and regulate
    everything in sight. I started out in malware research, and watched various
    governments make bone-headed decisions about creating laws just to try and
    make viruses illegal. Governments are having a tough enough time (and
    taking a long time) to get "sufficient" regulation to rein in some of the
    corporate excesses.

    We have a lot of things to learn about privacy and security, and constant
    vigilance is the price of et cetera, et cetera. We are going to have to
    struggle through, and it will be a lot of work, and it means we have to pay
    attention to a lot of stuff going on.

    Welcome to security.

    ------------------------------

    Date: Fri, 12 Jul 2019 16:00:58 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Your Pa$$word doesn't matter - Microsoft Tech Community - 731984
    (Alex Weinert)

    Alex Weinert -- Microsoft

    Every week I have at least one conversation with a security decision maker
    explaining why a lot of the hyperbole about passwords -- ``never use a
    password that has ever been seen in a breach,'' ``use really long
    passwords'', ``passphrases-will-save-us'', and so on -- is inconsistent with
    our research and with the reality our team sees as we defend against 100s of
    millions of password-based attacks every day. Focusing on password rules,
    rather than things that can really help -- like multi-factor authentication
    (MFA), or great threat detection -- is just a distraction.

    Because here's the thing: When it comes to composition and length, your
    password (mostly) doesn't matter.

    https://techcommunity.microsoft.com...ntity/Your-Pa-word-doesn-t-matter/ba-p/731984

    ------------------------------

    Date: Thu, 11 Jul 2019 08:26:19 +0200
    From: Thomas Koenig <tko...@netcologne.de>
    Subject: The New York Times blocks viewing in private mode

    *The New York Times* now blocks views in private mode of browsers such
    as Firefox or Chromium.

    If you do that, you get an error message stating

    "You're in private mode.

    Log in or create a free New York Times account to continue reading in
    private mode."

    which is actually quite funny.

    This is, of course, the NYT's business decision. However, I do not think
    the problems of pay-in for content with your data need to be spelled out for
    the readers of comp.risks.

    However, I would like to ask comp.risks contributors to no longer post links
    to nytimes.com. Contributing to uncontrolled gathering of data is not what a
    forum about computer risks should do.

    [I am a subscriber, and read as much of the paper as I can in print over
    breakfast. I do not have time or patience to read long articles on a cell
    phone. Many others subscribe online only. The NYTimes, WashPost, and
    very few others are becoming the only ones that support a staff of news
    folks who actually generate news articles rather than simply copy them
    from elsewhere. We value good journalism, which is becoming rare -- as it
    is increasingly strangled by other media and fifteen-second sound bites on
    TV. PGN]

    ------------------------------

    Date: Sat, 6 Jul 2019 14:28:30 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Line just went Orwellian on Japanese users with its social
    credit-scoring system (RISKS-31.32)

    "Line stresses Line Score is opt-in only" -- yes, but the customers who do
    not opt in are already denied certain "special deals"; how soon will they
    find out that they are the only ones paying full price for a gradually
    degrading service?

    And "the company will never share a user's Line Score with third parties"
    -- but how about sharing with other companies of the same owners, or with
    all companies owned by the next Big Company which would acquire Line?

    ------------------------------

    Date: Sat, 06 Jul 2019 19:30:10 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Re: Autonomous vehicles don't need provisions and protocols
    (Drewe, RISKS-31.21-30)

    CD> Personally I feel that the simplest solution would be to have some sort
    CD> of radio/wi-fi signal for autonomous vehicles (and maybe to conventional

    Sounds good but sure hope such add-on systems' clocks don't drift, else
    after about a month (when the first autonomous vehicle shows up) radio red
    might already correspond to visual green...

    ------------------------------

    Date: Sat, 06 Jul 2019 20:45:15 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Re: Line just went Orwellian on Japanese users with its social
    credit-scoring system (RISKS-31.32)

    > Still, it's unnerving that tech companies seem to think that social
    > credit ratings are the next big thing for now. Hopefully, this is a
    > trend that will not catch on.

    Stack Exchange was first.
    Some might say not the same thing...
    But users quickly learn to dot their i's and cross their t's...

    Indeed, here on RISKS readers' RISK_POINTS shall be deducted for each
    missing dot (U+0131 LATIN SMALL LETTER DOTLESS I). Furthermore, and just
    for sadistic pleasure, you can only lose RISK_POINTS (that you never had
    in the first place) and never gain them.

    ------------------------------

    Date: Fri, 12 Jul 2019 21:18:53 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Fernando Corbato dies

    Fernando Corbató, a Father of Your Computer (and Your Password), Dies at 93
    Katie Hafner, *The New York Times*, 12 Jul 2019
    https://www.nytimes.com/2019/07/12/science/fernando-corbato-dead.html

    Personal note: Corby was a mentor, colleague, and close friend from 1965
    on. He is deeply missed. Pioneer `father' of time-shared computing (CTSS
    at MIT in 1962), Multics (MIT, with Honeywell [as Katie notes, originally
    GE], and Bell Labs), inspirational professor, even a dean for a while.
    The obit by Katie is worth reading, especially for those of you who did not
    know him. PGN

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.33
    ************************
     
  5. LakeGator

    Risks Digest 31.34

    RISKS List Owner

    Jul 25, 2019 9:10 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Thursday 25 July 2019 Volume 31 : Issue 34

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Senate Intelligence report on election integrity (NYTimes)
    Nuclear industry pushing for fewer inspections at plants (NBC)
    Tesla floats fully self-driving cars as soon as this year.
    Many are worried about what that will unleash. (WashPost)
    Airbus A350 software bug forces airlines to turn planes off and on
    every 149 hours (The Register)
    Home elevator deaths (WashPost)
    Numerous airport passengers hijacked by robots (JXM)
    Satellite Outage Serves as a Warning (WiReD)
    'Dumb' robot ants are alarmingly smart -- and strong -- working together
    (Geoff Goodfellow)
    The AI Metamorphosis (The Atlantic)
    Cylances AI-based AV easily spoofed (SkylightCyber)
    AI Could Escalate New Type Of Voice Phishing Cyber Attacks (CSHub)
    Uber glitch charges passengers 100 times the advertised price,
    resulting in crosstown fares in the thousands of dollars (WashPost)
    "Google says leaked assistant recordings are a violation of data
    security policies" (Asha Barbaschow)
    U.S. Companies Learn to Defend Themselves in Cyberspace (WSJ)
    Agora farewell (Rob Slade)
    NYC Subway Service Is Suspended on Several Lines, MTA Says (NYTimes)
    Brazil is at the forefront of a new type of router attack (ZDNet)
    My browser, the spy: How extensions slurped up browsing histories
    from 4M users (Ars Technica)
    Amazon Prime Day Glitch Let People Buy $13,000 Camera Gear for $94 (Gizmodo)
    Microsoft Office 365: Banned in German schools over privacy fears
    (Cathrin Schaer)
    Sweden and UK's surveillance programs on trial at the European Court of
    Human Rights (Catalin Cimpanu)
    Bluetooth exploit can track and identify iOS, Microsoft mobile device users
    (ZDNet)
    Clean Energy Regulator, WA Mines Department, and Vet Surgeons Board
    trying to access metadata (Comms Alliance)
    Permission-greedy apps delayed Android 6 upgrade so they could
    harvest more user data (ZDNet)
    Do drivers think you're a Ridezilla'? Better check your Uber rating.
    (WashPost)
    London Police Twitter feed was hacked; then Trump got in on the act
    (WashPost)
    Car locks itself, trapping toddler inside (DerWesten)
    Hackers breach FSB contractor, expose Tor deanonymization project and more
    (Catalin Cimpanu)
    Facebook's Libra currency spawns a wave of fakes, including on Facebook
    itself (WashPost)
    Facebook Stock: Facebook's Libra Surrenders to Authority (InvestorPlace)
    Tether's $5B error exposes cryptocurrency market fragility (WSJ)
    College student was late returning a textbook to Amazon, so the
    company took $3,800 from her father (Libercus)
    Notre-Dame came far closer to collapsing than people knew.
    This is how it was saved. (NYTimes)
    One in five US tech employees abuse pain relief drugs, reveals study
    (Eileen Brown)
    Here's The Story Behind That Photo Of A Waterfall Inside A Metro Car (Dcist)
    Stallone in Terminator 2? How one deepfake prankster is changing cinema
    history (Digital Trends)
    Cellphone WiFi auto-connect identifies vandals (Boston Globe)
    Risks of an untimely text (Boston Globe)
    Minister apologizes for text alert (Taipei Times)
    Re: Line just went Orwellian on Japanese users with its social,
    credit-scoring system (Brian Inglis)
    Re: Galileo sat-nav system experiences service outage (Gabe Goldberg)
    Re: How Fake News Could Lead to Real War (Dick Mills)
    Re: London commuters Wi-FiTube being tracked (Chris Drewe)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 25 Jul 2019 15:18:55 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Senate Intelligence report on election integrity (NYTimes)

    WASHINGTON DC: The Senate Intelligence Committee concluded [on 25 July 2019]
    that election systems in all 50 states were targeted by Russia in 2016,
    largely undetected by the states and federal officials at the time, but at
    the demand of American intelligence agencies the committee was forced to
    redact its findings so heavily that key lessons for the 2020 election are
    blacked out.

    While the report is not directly critical of either American intelligence
    agencies or the states, it described what amounted to a cascading
    intelligence failure, in which the scope of the Russian effort was
    underestimated, warnings to the states were too muted, and state officials
    either underreacted or in some cases, resisted federal efforts to offer
    help.

    Russia Targeted Election Systems in All 50 States, Report Finds

    ------------------------------

    Date: Wed, 17 Jul 2019 15:15:39 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Nuclear industry pushing for fewer inspections at plants (NBC)

    Caputo, who previously worked for nuclear plant operator Exelon Corp, told
    operators this week her aim was "risk-informed decision-making,"
    concentrating regulatory oversight on high-risk problems.

    "We shouldn't regulate to zero risk," said David Wright, a former South
    Carolina public-utility commissioner appointed to the NRC board last year.

    "The NRC mission is reasonable assurance of adequate protection -- no more,
    no less," Wright said.

    Nuclear industry pushing for fewer inspections at plants

    What could go wrong?

    ------------------------------

    Date: Wed, 17 Jul 2019 20:28:05 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Tesla floats fully self-driving cars as soon as this year.
    Many are worried about what that will unleash. (WashPost)

    The electric-car maker said it will do that without light detection and
    ranging, or lidar, complex sensors that use laser lights to map the
    environment -- technology most autonomous vehicle makers consider necessary.
    Even with lidar, many of those manufacturers have adopted a slow and
    deliberate approach to self-driving vehicles, with limited testing on public
    roads.

    Tesla shows little sign of such caution. And because autonomous vehicles are
    largely self-regulated -- guided by industry standards but with no clearly
    enforceable rules -- no one can stop the automaker from moving ahead.

    *The Washington Post* spoke with a dozen transportation officials and
    executives, including current and former safety regulators, auto industry
    executives, safety advocacy group leaders and autonomous-vehicle
    competitors. In interviews, they expressed worries that Tesla's plan to
    unleash robo-cars on the road on an expedited timeline -- likely without
    regulated vetting -- could result in crashes, lawsuits and confusion. Plus,
    they said, Tesla's promised `full self-driving' features fall short of
    industry standards for a true autonomous vehicle because humans will still
    need to be engaged at all times and ready to intervene in the
    beginning. Some of the people interviewed requested anonymity because of the
    sensitivity of the matter. ...

    Tesla has raised eyebrows with its statements that autonomous driving can be
    achieved through a slimmed-down system that sheds all but the most critical
    equipment. Musk says he wants Tesla's system to use a combination of cameras
    and radar sensors that triangulate a field of vision, similar to human
    eyesight, forgoing lidar. It also forgoes a driver-monitoring camera to
    improve safety in the cabin, instead relying on torque-sensing
    steering-wheel monitors to detect whether the driver's hands are on the
    wheel.

    Tesla executives said at an April conference that the company is using its
    radar and cameras to understand depth around its cars and real-world road
    conditions, as well as its Shadow Mode, which allows it to test how
    self-driving technologies perform without actually activating those features
    -- something the company says lets it train and refine its networks without
    needing to do the same testing as other companies.

    ``Lidar is lame,'' Musk said in April. Rivals are ``all going to dump
    lidar. That's my prediction. Mark my words.''

    Meanwhile, traditional auto-industry executives have preached caution.

    https://www.washingtonpost.com/tech...any-are-worried-about-what-that-will-unleash/

    ------------------------------

    Date: Thu, 25 Jul 2019 11:53:05 -0400
    From: Steve Golson <sgo...@trilobyte.com>
    Subject: Airbus A350 software bug forces airlines to turn planes off and on
    every 149 hours (The Register)

    Airbus A350 software bug forces airlines to turn planes off and on every 149 hours

    The airworthiness directive says in part:

    Prompted by in-service events where a loss of communication occurred between
    some avionics systems and avionics network, analysis has shown that this may
    occur after 149 hours of continuous aeroplane power-up. Depending on the
    affected aeroplane systems or equipment, different consequences have been
    observed and reported by operators, from redundancy loss to complete loss on
    a specific function hosted on common remote data concentrator and core
    processing input/output modules.

    This condition, if not corrected, could lead to partial or total loss of
    some avionics systems or functions, possibly resulting in an unsafe
    condition.

    I suspect they have a 32-bit counter that updates every 125 microseconds
    (8kHz). Such a counter will overflow after 149 hours, 7 minutes, 51
    seconds.
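
    The hypothesis above carried through in code, as an added C example (not code from The Register, Airbus, or the directive): it reproduces the 149 h 7 min 51 s figure from the stated 32-bit counter at 125 microseconds per tick, and then shows, in a hypothetical keepalive check, how a wrap-around can surface as a spurious "loss of communication" when timestamps are compared as absolute values instead of as differences. The keepalive logic and its constants are illustrative assumptions; only the 32-bit, 125 microsecond and 8 kHz figures come from the post.

```c
/* Added example, not from the Register article or the airworthiness
 * directive: a 32-bit tick counter driven at 8 kHz (one tick per 125 us),
 * the hypothesis in the post above. The only figures taken from the post
 * are 32 bits, 125 us and 8 kHz; the keepalive logic is a hypothetical
 * illustration of how such a counter can misbehave at wrap-around. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define TICK_US        125ULL                  /* 8 kHz tick period */
#define TICKS_PER_SEC  (1000000ULL / TICK_US)  /* 8000 */

struct hms { unsigned h, m, s; };

/* Time for a 32-bit counter to wrap: 2^32 ticks of 125 us each. */
static uint64_t wrap_microseconds(void) {
    return (1ULL << 32) * TICK_US;             /* 536870912000 us */
}

/* Same figure as hours/minutes/seconds, rounded to the nearest second. */
static struct hms wrap_hms(void) {
    uint64_t total_s = (wrap_microseconds() + 500000ULL) / 1000000ULL;
    struct hms r;
    r.h = (unsigned)(total_s / 3600);
    r.m = (unsigned)((total_s % 3600) / 60);
    r.s = (unsigned)(total_s % 60);
    return r;                                   /* 149 h 7 min 51 s */
}

/* Keepalive check written the naive way: compute an absolute deadline and
 * compare raw counter values. Just before the counter wraps, the deadline
 * (last_heard + timeout) has already wrapped to a small number, so every
 * "now" near 0xFFFFFFFF looks past it and the link is declared lost. */
static bool link_lost_naive(uint32_t now, uint32_t last_heard,
                            uint32_t timeout_ticks) {
    return now > last_heard + timeout_ticks;
}

/* Wrap-safe form: unsigned subtraction is modulo 2^32, so (now - last_heard)
 * is the true elapsed tick count across the wrap, provided the interval
 * being measured is shorter than 2^31 ticks (about 74.5 h at 8 kHz). */
static bool link_lost_safe(uint32_t now, uint32_t last_heard,
                           uint32_t timeout_ticks) {
    return (now - last_heard) > timeout_ticks;
}

int main(void) {
    struct hms w = wrap_hms();
    printf("counter wraps after %u h %u min %u s\n", w.h, w.m, w.s);

    /* Constructed scenario: a peer was last heard 80 ticks (10 ms) before
       the wrap, the timeout is one second (8000 ticks), and it is now
       16 ticks (2 ms) later, still on the far side of the wrap. */
    uint32_t last_heard = 0xFFFFFFFFu - 80u;   /* 0xFFFFFFAF */
    uint32_t now        = last_heard + 16u;     /* 0xFFFFFFBF */
    printf("naive: %s  safe: %s\n",
           link_lost_naive(now, last_heard, 8000) ? "LOST" : "ok",
           link_lost_safe(now, last_heard, 8000) ? "LOST" : "ok");
    return 0;
}
```

    The naive check reports the link lost when only 2 ms have elapsed, the safe one does not; a counter that is only ever read as an elapsed difference never needs a reboot to stay correct, as long as no single interval approaches half the counter's range.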

    ------------------------------

    Date: Thu, 18 Jul 2019 14:42:28 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Home elevator deaths (WashPost)

    https://www.washingtonpost.com/busi...b53434-968e-11e9-830a-21b9b36b64ad_story.html

    ------------------------------

    Date: Tue, 16 Jul 2019 08:28:53 -0700
    From: <j...@calidris.net>
    Subject: Numerous airport passengers hijacked by robots

    Here's a brief transport/automation problem that I encountered last week.

    During the afternoon of 9 July 2019, the automated AirTrain shuttle service
    at Newark airport went seriously awry.

    AirTrain is an unmanned monorail service with a single line that links the
    airport's three terminals with the parking and car rental facilities, as
    well as the NJTransit/Amtrak station. Starting about 3.00pm, passengers were
    instructed by AirTrain staff to evacuate the vehicles, to transfer back and
    forth between certain trains, and to ignore the automated signs and
    announcements. Some trains appeared to suddenly reverse direction and return
    to their origin without visiting the terminals. Others arrived at one end of
    the line already jammed with passengers who had expected to get to the other
    end. There were numerous mismatches between the system's destination
    indicators and the actual train movements.

    For many dozens of people, what should have been a ten-minute transfer took
    well over an hour, presumably with a corresponding number of missed
    flights. There was no indication of any form of police activity or airport
    security problems that might have caused the mixup.

    It would be interesting to find out if anyone actually got to the root
    of this robotic hijacking incident.

    ------------------------------

    Date: Sat, 20 Jul 2019 00:33:45 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Satellite Outage Serves as a Warning (WiReD)

    Europe's Galileo satellite navigation system largely regained service
    Thursday [18 Jul 2019], after a mass outage began on 11 Jul. The European
    Global Navigation Satellite Systems Agency, known as GSA, said that
    commercial users would start to see coverage returning, but that there might
    be "fluctuations" in the system. What remains unclear is what exactly caused
    the downtime -- and why it persisted for so long.

    Europe's Weeklong Satellite Outage Is Over—But Still Serves as a Warning
    ices might also be making connections with the Russian (Glonass) and
    Chinese (Beidou) networks.

    Galileo sat-nav system still without service

    ------------------------------

    Date: Tue, 16 Jul 2019 15:06:00 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: 'Dumb' robot ants are alarmingly smart -- and strong -- working
    together

    Everyone knows robot ants can't move a rubber tree plant. Oh shoot, they
    can!

    EXCERPT:

    A team of Swiss researchers with bugs on the brain has created an army of
    simple robotic "ants" capable of some impressive feats. The takeaway from
    these 10 gram bots, which are inexpensive to make and surprisingly simple in
    design? *Teamwork makes the dream work. *

    As described in a new paper in the journal Nature, the ants can communicate
    with each other, assign roles among themselves, and complete complex tasks
    and overcome obstacles together. That means that while simple compared to
    much more complex autonomous agents, these origami-inspired robots can solve
    complex challenges, such as navigating uneven surfaces or, yes, moving
    comparatively huge objects.

    The robots, which are T-shaped and
    called Tribots by researchers at the Ecole polytechnique federale de
    Lausanne <https://www.epfl.ch/en/>, a Swiss research institute, have
    infrared and proximity sensors for detection and communication. Made of
    foldable thin materials, they're also easy to manufacture. The actuated
    robots can jump and crawl to explore uneven surfaces.

    "Their movements are modeled on those of Odontomachus ants," says Zhenishbek
    Zhakypov, the first author of the Nature article. "These insects normally
    crawl, but to escape a predator, they snap their powerful jaws together to
    jump from leaf to leaf."...

    ------------------------------

    Date: Mon, 15 Jul 2019 15:15:00 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: The AI Metamorphosis (The Atlantic)

    *AI will bring many wonders. It may also destabilize everything from nuclear
    detente to human friendships. We need to think much harder about how to
    adapt.*

    EXCERPT:

    Humanity is at the edge of a revolution driven by artificial intelligence.
    It has the potential to be one of the most significant and far-reaching
    revolutions in history, yet it has developed out of disparate efforts to
    solve specific practical problems rather than a comprehensive plan.
    Ironically, the ultimate effect of this case-by-case problem solving may be
    the transformation of human reasoning and decision making.

    This revolution is unstoppable. Attempts to halt it would cede the future to
    that element of humanity more courageous in facing the implications of its
    own inventiveness. Instead, we should accept that AI is bound to become
    increasingly sophisticated and ubiquitous, and ask ourselves: How will its
    evolution affect human perception, cognition, and interaction? What will be
    its impact on our culture and, in the end, our history?

    Such questions brought together the three authors of this article: a
    historian and sometime policy maker; a former chief executive of a major
    technology company; and the dean of a principal technology-oriented academic
    institution. We have been meeting for three years to try to understand these
    issues and their associated riddles. Each of us is convinced of our
    inability, within the confines of our respective fields of expertise, to
    fully analyze a future in which machines help guide their own evolution,
    improving themselves to better solve the problems for which they were
    designed. So as a starting point -- and, we hope, a springboard for wider
    discussion -- we are engaged in framing a more detailed set of questions
    about the significance of AI's development for human civilization...

    https://www.theatlantic.com/magazine/archive/2019/08/henry-kissinger-the-metamorphosis-ai/592771/

    ------------------------------

    Date: Fri, 19 Jul 2019 9:53:16 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Cylance's AI-based AV easily spoofed (SkylightCyber)

    Steven Cheung just read a fun article that has been slashdotted.
    It's about how a team defeats Cylance, a popular machine-learning-based
    antivirus software.

    https://www.vice.com/en_us/article/...d-antivirus-into-thinking-malware-is-goodware

    Here are more technical details:

    https://skylightcyber.com/2019/07/18/cylance-i-kill-you/

    ------------------------------

    Date: Mon, 15 Jul 2019 12:40:55 -0400
    From: José María Mateos <ch...@rinzewind.org>
    Subject: AI Could Escalate New Type Of Voice Phishing Cyber Attacks
    (CSHub)

    https://www.cshub.com/attacks/articles/ai-could-escalate-new-type-of-voice-phishing-cyber-attacks

    While many cyber security professionals have been looking at (and even
    investing in) the potential benefits of utilizing artificial intelligence
    (AI) technology within many different business functions, earlier this week,
    the Israel National Cyber Directorate (INCD) issued a warning of a new type
    of cyber-attack that leverages AI to impersonate senior enterprise
    executives. The method instructs company employees to perform transactions
    including money transfers and other malicious activity on the network.

    There are recent reports of this type of cyber-attack received at the
    operational center of the INCD. While business email compromise (BEC) types
    of fraud oftentimes use social engineering methods for a more effective
    attack, this new method escalates the attack type by using AI-based
    software, which makes voice phishing calls to senior executives. ---

    (Via BreachExchange:
    https://lists.riskbasedsecurity.com/listinfo/breachexchange)

    ------------------------------

    Date: Thu, 18 Jul 2019 18:19:02 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Uber glitch charges passengers 100 times the advertised price,
    resulting in crosstown fares in the thousands of dollars (WashPost)

    ``We understand that this has been frustrating,'' Uber said in response to
    one of the riders' complaints. ``There was a known issue that caused your
    authorization hold to be very high. Our team has already fixed this
    issue. Thank you so much for your patience.''

    https://www.washingtonpost.com/tech...-resulting-crosstown-fares-thousands-dollars/

    ------------------------------

    Date: Mon, 15 Jul 2019 09:50:22 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Google says leaked assistant recordings are a violation of data
    security policies" (Asha Barbaschow)

    Asha Barbaschow | 11 Jul 2019

    https://www.zdnet.com/article/googl...gs-are-a-violation-of-data-security-policies/

    The search giant has confirmed humans are listening in to 'Okay Google'
    commands, but it says leaking the recordings is a violation of its data
    security policies.

    opening text:

    Earlier this week, a report from Belgium-based VRT NWS revealed that Google
    employees had been "systematically listening" to audio files recorded by
    Google Home smart speakers and the Google Assistant smartphone app.

    The report detailed how employees were listening to excerpts of recordings
    that are captured when a user activates the device by the usual "Okay
    Google" or "Hey Google" commands.

    After obtaining copies of some recordings, VRT NWS reached out to the users
    and had them verify their voice, or those of their children, talking to the
    digital assistant.

    ------------------------------

    Date: Mon, 15 Jul 2019 17:21:15 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: U.S. Companies Learn to Defend Themselves in Cyberspace (WSJ)

    From a friend, his comments below.

    "One chief information-security officer at a major bank told us that, in
    five years, his bank will largely be immune to cyberattacks because it is
    upgrading from legacy systems that are insecure by default to cutting-edge
    systems that are secure by design."
    https://www.wsj.com/articles/u-s-companies-learn-to-defend-themselves-in-cyberspace-11562941994

    Um, right. Wish I knew which bank that was so we could short its stock.

    (Not that IBM Z is *necessarily* more secure, but if they really think
    `cutting-edge systems' are `secure by design', well ...)

    ------------------------------

    Date: Sat, 20 Jul 2019 09:39:29 -0800
    From: Rob Slade <rms...@shaw.ca>
    Subject: Agora farewell

    Security does not have a community. It has several siloed, sliced, and
    separated communities. Security has always taken "security by obscurity"
    too readily to heart, and despite the fact that we know SBO doesn't work;
    and even works against us; we still insist on dividing ourselves into
    smaller and smaller sub-sets. Intelligence doesn't talk to law enforcement
    which doesn't talk to academia which doesn't talk to business which doesn't
    talk to military which doesn't talk to industry which doesn't talk to
    government which doesn't talk to research. In all my decades in the field,
    I've only ever found two venues that attracted, encouraged, and almost
    forced the interaction (and often long-term relationships) of all these
    disparate groups (and more).

    If you've never been to the Agora meetings, you're too late. I attended the
    last one yesterday. For the past twenty-five years, those in the know
    would, every quarter, make every effort to spend Friday morning together.
    That was it: Friday morning. Three hours long, never more than three main
    presentations. There were also announcements, job postings, occasional
    queries, and, every August 15th, storytime. (That's an Agora joke. I don't
    expect you to get it. If you tell it to someone and they laugh, they've
    been to Agora recently.)

    Agora didn't just happen, of course. It was created and diligently (and
    creatively and competently) managed by Kirk Bailey, later ably assisted by
    Ann Nagel and Daniel Schwalbe. Also assisted by various students and a
    whole host of attendees and even companies, but that list would a) make this
    piece far too long and b) I'd definitely forget someone. Those of us who
    attended owe them all a debt of gratitude.

    Kirk's ability to attract speakers was legendary. We heard presentations at
    Agora I've never heard anywhere else, and some I never thought to hear. I
    recall a drive back after one Agora, when we were discussing a rather
    lackluster piece, and I was suddenly struck by the fact that, even if this
    meeting hadn't been sterling, the worst Agora meeting I'd ever attended was
    better than the best conference I'd ever attended.

    But the presentations were only half of what made Agora special. The other
    half was the people you met. People from three-letter agencies. People
    from high up in important corporations. People who were just there out of
    interest. People with political and social positions at extravagantly wild
    variance to your own. I remember, when I was first researching the
    implications, for security, of the potential capabilities of quantum
    computers, I got very excited over the possibilities for improving emergency
    management in the midst of a disaster. At Agora I met a Navy captain who
    got equally excited over similar possibilities for battle command.

    A number of us from the SIG drove down for the meetings, despite the three
    hour trip if nothing went wrong. Highway construction, bridge collapses
    (that's another Agora joke), local traffic, and border guards could easily
    double that. But we happily faced eleven hours of travel time for three
    hours of Agora and, if we were lucky, a couple of hours of "networking" and
    possibly lunch.

    We envied the people from the local area, but they weren't the only ones who
    came. Lots of people regularly came considerable distances. Before
    governments lost their travel budgets there were pretty much constant
    attendees from DC and Ottawa. People came from other continents. (Some of
    the DC crowd were pretty high up in DHS. If I could stay for one of the
    post-Agora lunches, the DHS guys always tried to grab me for their table.
    They wanted to know the latest border horror story, and I always had one for
    them. They regularly fell on the floor laughing about it.) (Recounting
    those would also make this piece far too long.)

    You will note that I haven't said where we met. That's another, well, not
    so much Agora joke as Agora tribute. Agora was governed by a sort of
    variant set of Chatham House Rules. What was said at Agora stayed at Agora.
    As an attendee, you never quoted any of the presentations, or any of the
    people you talked to at the breaks. For years this was simply understood by
    all involved. After one notable failure, a more formal NDA was created, but
    that was late in the game.

    Agora was the security world's worst kept secret. Nobody blabbed about what
    was said at Agora, or who went. But, despite the fact that Agora had no
    legal existence, no bank account, no Website, and no offices, almost
    everyone who ever attended became an instant devotee, and, often,
    evangelist. Within a few years of its creation, attendance was hitting
    600. During the Great Recession, the slashing of budgets and demands that
    security people stick to their desks dropped attendance to the 150 region,
    but, for the past few years it's been back in the 400 range.

    There was never any charge for membership in, or attendance at, Agora.
    There was a cost, certainly. Much of that was "sweat equity" on the part of
    Kirk and a number of others. There were also other direct costs, generally
    borne by whoever would pay for (or donate) a venue, or mailing costs, or
    refreshments, or (latterly) the "Agora spam gun." In the end, Agora became
    a victim of its own success: it just became too hard to find people or
    institutions willing to donate, provide, pay for, or give priority to rooms
    big enough for the group to meet.

    Agora is gone, but leaves a legacy. That legacy is the model. We need a
    space. Or, more probably, spaces. We need other venues, sites,
    and/or communities where the various communities can meet. Together. We
    need others to take up the Agora torch, and create places, physical or
    virtual, where anyone who is committed to (or even just strongly interested
    in) security, of whatever type, can meet together and, safely, exchange
    ideas. We need spaces where the formal can meet the anarchic, where the
    business can meet the exploratory, where the old can meet the young and pass
    along wisdom (and occasional silliness). Hopefully, Agora's death will have
    been a spawning or a sporing out, and not just a mere termination.

    ------------------------------

    Date: Sat, 20 Jul 2019 21:44:25 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: NYC Subway Service Is Suspended on Several Lines, MTA Says
    (NYTimes)

    https://www.nytimes.com/2019/07/19/nyregion/subway-service-suspended-mta.html

    The Metropolitan Transportation Authority attributed the disruption to a
    `network communications' issue

    ------------------------------

    Date: Wed, 17 Jul 2019 11:41:45 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Brazil is at the forefront of a new type of router attack (ZDNet)

    Avast: More than 180,000 routers in Brazil had their DNS settings changed in
    Q1 2019.

    For nearly a year, Brazilian users have been targeted with a new type of
    router attack that has not been seen anywhere else in the world.

    The attacks are nearly invisible to end users and can have disastrous
    consequences, having the ability to lead to direct financial losses for
    hacked users.

    What's currently happening to routers in Brazil should be a warning sign for
    users and ISPs from all over the world, who should take precautions to
    secure devices before the attacks observed in South American country spread
    to them as well. ...

    https://www.zdnet.com/article/brazil-is-at-the-forefront-of-a-new-type-of-router-attack/

    ------------------------------

    Date: Thu, 18 Jul 2019 17:54:35 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: My browser, the spy: How extensions slurped up browsing histories
    from 4M users (Ars Technica)

    https://arstechnica.com/information...a-from-apple-tesla-blue-origin-and-4m-people/

    ------------------------------

    Date: Sun, 21 Jul 2019 00:07:05 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Amazon Prime Day Glitch Let People Buy $13,000 Camera Gear for $94.
    (Gizmodo)

    https://gizmodo.com/amazon-prime-day-glitch-let-people-buy-13-000-camera-g-1836487919

    ------------------------------

    Date: Mon, 15 Jul 2019 09:55:33 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Microsoft Office 365: Banned in German schools over privacy fears
    (Cathrin Schaer)

    Cathrin Schaer, ZDNet, 12 Jul 2019
    State of Hesse says student and teacher information could be "exposed" to US
    spy agencies.

    https://www.zdnet.com/article/microsoft-office-365-banned-in-german-schools-over-privacy-fears/

    opening text:

    Schools in the central German state of Hesse have been told it's
    now illegal to use Microsoft Office 365.

    The state's data-protection commissioner has ruled that using the popular
    cloud platform's standard configuration exposes personal information about
    students and teachers "to possible access by US officials". That might
    sound like just another instance of European concerns about data privacy or
    worries about the current US administration's foreign policy. But in fact
    the ruling by the Hesse Office for Data Protection and Information Freedom
    is the result of several years of domestic debate about whether German
    schools and other state institutions should be using Microsoft software at
    all.

    Besides the details that German users provide when they're working with the
    platform, Microsoft Office 365 also transmits telemetry data back to the US.

    Last year, investigators in the Netherlands discovered that that data could
    include anything from standard software diagnostics to user content from
    inside applications, such as sentences from documents and email subject
    lines. All of which contravenes the EU's General Data Protection Regulation,
    or GDPR, the Dutch said.

    ------------------------------

    Date: Mon, 15 Jul 2019 09:58:00 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Sweden and UK's surveillance programs on trial at the European
    Court of Human Rights (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 12 Jul 2019

    Last chance for Europe's top human rights court to rule against dragnet
    surveillance programs.
    https://www.zdnet.com/article/swede...-trial-at-the-european-court-of-human-rights/

    opening text:

    This week, the highest body of the European Court of Human Rights heard
    arguments against the mass surveillance programs of two countries, Sweden
    and the United Kingdom.

    ------------------------------

    Date: Thu, 18 Jul 2019 17:53:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Bluetooth exploit can track and identify iOS, Microsoft mobile
    device users (ZDNet)

    A flaw in the Bluetooth communication protocol may expose modern device
    users to tracking and could leak their ID, researchers claim.

    The vulnerability can be used to spy on users despite native OS protections
    that are in place and impacts Bluetooth devices on Windows 10, iOS, and
    macOS machines. This includes iPhones, iPads, Apple Watch models, MacBooks,
    and Microsoft tablets & laptops.

    On Wednesday, researchers from Boston University David Starobinski and
    Johannes Becker presented the results of their research at the 19th Privacy
    Enhancing Technologies Symposium, taking place in Stockholm, Sweden.

    According to the research paper, Tracking Anonymized Bluetooth Devices
    (.PDF), many Bluetooth devices will use MAC addresses when advertising their
    presence to prevent long-term tracking, but the team found that it is
    possible to circumvent the randomization of these addresses to permanently
    monitor a specific device.

    https://www.zdnet.com/article/bluet...-id-iphone-smartwatch-microsoft-tablet-users/

    ------------------------------

    Date: Wed, 17 Jul 2019 10:44:43 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Clean Energy Regulator, WA Mines Department, and Vet Surgeons Board
    trying to access metadata (Comms Alliance)

    Chris Duckett | 17 Jul 2019
    The Communications Alliance has listed 27 other agencies that have tried to
    access metadata following the introduction of Australia's data retention
    regime.
    https://www.zdnet.com/article/clean...ard-trying-to-access-metadata-comms-alliance/

    opening text:

    Agencies trying to access metadata when not specifically listed as an
    enforcement agency for the purposes of Australia's data retention regime has
    been labelled as a "serious and persistent phenomenon" by the Communications
    Alliance industry group.

    Writing in a submission to the Parliamentary Joint Committee on Intelligence
    and Security (PJCIS) review of the mandatory data retention regime, Comms
    Alliance said it was a "problem that continues to grow in magnitude".

    ------------------------------

    Date: Wed, 17 Jul 2019 10:35:58 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Permission-greedy apps delayed Android 6 upgrade so they could
    harvest more user data (ZDNet)

    Catalin Cimpanu for Zero Day | 16 Jul 2019
    App devs delayed upgrading apps, but lost in the long run due to more
    negative reviews and less Play Store visibility.

    https://www.zdnet.com/article/permi...upgrade-so-they-could-harvest-more-user-data/

    selected text:

    Android app developers intentionally delayed updating their applications to
    work on top of Android 6.0, so they could continue to have access to an
    older permission-requesting mechanism that granted them easy access to large
    quantities of user data, research published by the University of Maryland
    last month has revealed.

    And, ironically, the research team also found that app makers who delayed
    upgrading their apps to the newer Android 6.0 in order to keep access to a
    simpler system for harvesting user data received more negative ratings.

    These negative ratings eventually affected the apps' visibility on the Play
    Store, where positively-reviewed apps are placed higher in search results
    and recommendations.

    ------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Sun, 21 Jul 2019 00:34:43 -0400
    Subject: Do drivers think you're a 'Ridezilla'? Better check your Uber rating.
    (WashPost)

    For some rideshare users, a little number can be heavy baggage.

    https://www.washingtonpost.com/life...441588-a291-11e9-b732-41a79c2551bf_story.html

    ------------------------------

    Date: Sun, 21 Jul 2019 00:47:32 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: London Police Twitter feed was hacked; then Trump got in on the act
    (WashPost)

    https://www.washingtonpost.com/worl...e-twitter-feed-was-hacked-then-trump-got-act/

    ------------------------------

    Date: Sun, 21 Jul 2019 17:27:38 +0200
    From: Thomas Koenig <tko...@netcologne.de>
    Subject: Car locks itself, trapping toddler inside (DerWesten)

    A mother got out of her car at a supermarket parking lot when suddenly, the
    central lock activated and locked the car. The key was still inside the
    car, as was her young son.

    She immediately called emergency services, who arrived a short time later,
    broke a window and were able to free the toddler from the car, which had
    already heated up considerably.

    https://www.derwesten.de/panorama/a...und-waehlt-sofort-den-notruf-id226542237.html

    ------------------------------

    Date: Mon, 22 Jul 2019 10:39:38 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Hackers breach FSB contractor, expose Tor deanonymization project
    and more (Catalin Cimpanu)

    Catalin Cimpanu, ZDNet, 20 Jul 2019

    https://www.zdnet.com/article/hackers-breach-fsb-contractor-expose-tor-deanonymization-project/

    SyTech, the hacked company, was working on research projects for the FSB,
    Russia's intelligence service.

    Hackers have breached SyTech, a contractor for FSB, Russia's national
    intelligence service, from where they stole information about internal
    projects the company was working on behalf of the agency -- including one
    for deanonymizing Tor traffic. [...]

    ------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Mon, 22 Jul 2019 22:16:18 -0400
    Subject: Facebook's Libra currency spawns a wave of fakes, including on
    Facebook itself (WashPost)

    The fakes could undermine Facebook's efforts to inspire confidence and
    satisfy the regulators now scrutinizing the global currency.

    https://www.washingtonpost.com/tech...-spawns-wave-fakes-including-facebook-itself/

    ------------------------------

    Date: Tue, 16 Jul 2019 23:34:02 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Facebook Stock: Facebook's Libra Surrenders to Authority
    (InvestorPlace)

    https://investorplace.com/2019/07/facebooks-libra-surrenders-to-authority/

    ------------------------------

    Date: Wed, 17 Jul 2019 11:20:14 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Tether's $5B error exposes cryptocurrency market fragility (WSJ)

    Sudden flood of digital coins spooked market and drove down price of bitcoin
    by about 12%

    https://www.wsj.com/articles/tethers-5-billion-error-exposes-crypto-markets-fragility-11563280121

    ------------------------------

    Date: Sun, 14 Jul 2019 01:06:06 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: College student was late returning a textbook to Amazon, so the
    company took $3,800 from her father (Libercus)

    http://pge.libercus.net//.pf/showstory/201907110011/3

    Well, yeah. Likely debit was automatic but hassle getting it undone is
    systemic problem/failure.

    When AI runs everything it'll all be perfect. Nevermind Hal 9000, Skynet, or
    Colossus: The Forbin Project.

    ------------------------------

    Date: Wed, 17 Jul 2019 15:18:00 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Notre-Dame came far closer to collapsing than people knew.
    This is how it was saved. (NYTimes)

    *The New York Times*

    The fire warning system at Notre-Dame took dozens of experts six years to
    put together, and in the end involved thousands of pages of diagrams, maps,
    spreadsheets and contracts, according to archival documents found in a
    suburban Paris library by The Times.

    The result was a system so arcane that when it was called upon to do the one
    thing that mattered -- warn -- fire! and say where -- it produced instead a
    nearly indecipherable message. It made a calamity almost inevitable, fire
    experts consulted by *The Times* said.

    https://www.nytimes.com/interactive/2019/07/16/world/europe/notre-dame.html

    Stunning visuals, tragic outcome.

    ------------------------------

    Date: Wed, 17 Jul 2019 10:27:33 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: One in five US tech employees abuse pain relief drugs, reveals study
    (Eileen Brown)

    Eileen Brown for Social Business, ZDNet, 15 Jul 2019

    https://www.zdnet.com/article/one-in-five-us-tech-employees-abuse-pain-relief-drugs-reveals-study/

    There is nothing wrong with bonding over a beer or two after work, but when
    it becomes too much, it is important to spot the warning signs of substance
    abuse and addiction, according to a new study.

    ------------------------------

    Date: Tue, 16 Jul 2019 17:32:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Here's The Story Behind That Photo Of A Waterfall Inside A Metro
    Car (Dcist)

    ``It appears that the water entered the car through the fresh air intake of
    the HVAC system which is mounted on the roof of 7000-series vehicles; In
    normal or heavy rainfall, any water is diverted through ducts and exits the
    car through drains. At Virginia Square, the sudden deluge of water falling
    directly into the fresh air intake was more than the car could divert,
    resulting in water entering the cabin.''

    In response to safety concerns, she noted that wiring is enclosed in secure
    boxes or run on the underside of the car, and each car ``undergoes
    rigorous `water tightness testing'.''

    https://dcist.com/story/19/07/16/he...that-photo-of-a-waterfall-inside-a-metro-car/

    Done right, it seems. This really was an epic/biblical rainstorm.

    ------------------------------

    Date: Mon, 15 Jul 2019 15:14:00 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Stallone in Terminator 2? How one deepfake prankster is changing
    cinema history (Digital Trends)

    EXCERPT:

    In some parallel universe, there's a version of *Casino Royale* with Hugh
    Jackman playing everyone's favorite suave British agent, James Bond. And one
    in which Matthew McConaughey took the Leo role in *Titanic*. And DiCaprio
    and Brad Pitt co-starred in *Brokeback Mountain*. And *Saved by the Bell*'s
    Tiffani Thiessen played Rachel in *Friends*.

    The entertainment industry isn't exactly short on `what if?' scenarios in
    which actors came close to, but were ultimately passed over, playing iconic
    roles. For more than 99% of movie history, fans have been able to do little
    more than squirrel away this trivia for use in pop quizzes. That is until
    the arrival of deepfakes
    <https://www.digitaltrends.com/cool-tech/samsung-ai-deepfake-videos/>.
    Springing to life in the past couple of years, deepfakes use artificial
    intelligence technology to combine and superimpose new images and videos
    onto existing source footage using machine learning. That could mean
    anything from face swaps to mapping one person's body onto someone else's
    movements.
    <https://www.digitaltrends.com/cool-tech/uc-berkeley-deepfake-ai-dance/>
    The results can be jaw-droppingly realistic, which is why many people
    rightfully worry about its potential to be used for malicious hoaxes
    <https://www.digitaltrends.com/cool-tech/ai-spots-writing-by-ai/>.

    One tech enthusiast and movie buff thinks different, though. Operating under
    the YouTube username *Ctrl Shift Face*,
    <https://www.youtube.com/channel/UCKpH0CKltc73e4wh0_pgL3g> this high-tech
    Hollywood fan has used deepfake technology to create some astonishing
    remixes of iconic movie scenes -- complete with all new actors. Ever wanted
    to see *The Shining* starring Jim Carrey instead of Jack Nicholson? Sly
    Stallone in *Terminator 2: Judgement Day*? Heck, he's even broken with the
    movie theme by dropping David Bowie into Rick Astley's infamous
    song-turned-meme *Never Gonna Give You Up*.

    ``The Bowie one is my favorite,'' its creator told Digital Trends. ``I
    wanted to Rickroll people and blow them away at the same time. Bowie fitted
    the role of Rick Astley, and had interesting facial features for a
    deepfake.'' [...]
    https://www.digitaltrends.com/cool-tech/ctrl-shift-face-deepfake-changing-hollywood-history/

    ------------------------------

    From: David Tarabar <dtar...@acm.org>
    Date: Tue, 16 Jul 2019 08:40:33 -0400
    Subject: Cellphone WiFi auto-connect identifies vandals (The Boston Globe)

    Four Maryland teenagers sneaked onto their school's property the night
    before graduation last year and covered it in racist, homophobic and
    anti-Semitic graffiti.

    They wore masks, but they were caught because their cellphones automatically
    connected to the school WiFi network -- using their student IDs.

    https://www.bostonglobe.com/news/na...land-school/S0hQ1PwZNyXrzT43olZ2ZO/story.html

    ------------------------------

    Date: Tue, 16 Jul 2019 16:15:00 -0400
    From: David Tarabar <dtar...@acm.org>
    Subject: Risks of an untimely text (Boston Globe)

    A couple in Rhode Island was being investigated for marriage fraud -- that
    they entered into a sham marriage to get permanent resident status for the
    husband. When the wife was being interviewed, she produced her cellphone to
    show texts from her husband. A text message arrived: We had the best sex
    ever. Unfortunately the text was not from the husband. A federal trial is
    in progress.

    https://www.bostonglobe.com/metro/2...-fraud-case/QlRNLVhGzFcfzO1lNXFwLM/story.html

    ------------------------------

    Date: Mon, 15 Jul 2019 15:26:20 +0800
    From: Dan Jacobson <jid...@jidanni.org>
    Subject: Minister apologizes for text alert (Taipei Times)

    http://www.taipeitimes.com/News/taiwan/archives/2019/07/11/2003718476

    "The alert was originally set up to be sent to residents within 300m of the
    borough, but the unit of distance was later changed to kilometers."

    Way to go, clodsburg.

    ------------------------------

    Date: Sun, 21 Jul 2019 23:24:10 -0600
    From: Brian Inglis <Brian...@systematicsw.ab.ca>
    Subject: Re: Line just went Orwellian on Japanese users with its social,
    credit-scoring system (Jacobson, RISKS-31.33)

    >> Still, it's unnerving that tech companies seem to think that social
    >> credit ratings are the next big thing for now. Hopefully, this is a
    >> trend that will not catch on.
    >
    > Stack Exchange was first.
    > Some might say not the same thing...
    > But users quickly learn to dot their i's and cross their t's...

    Some might say the same about BBS message boards (1978 CBBS), moderated
    Usenet netnews groups (UUCP 1979), and discussion lists (Listserv@Bitnic
    1984), like this one, which preceded SE (2009) by decades. Who didn't pay
    attention when d...@bell-labs.com posted to comp.lang.c?

    https://en.wikipedia.org/wiki/Usenet#cite_ref-54

    "As long as there are folks who think a command line is better than a mouse,
    the original text-only social network will live on" in "Reports of Usenet's
    Death Are Greatly Exaggerated", August 1, 2008, TechCrunch.
    https://en.wikipedia.org/wiki/Usenet#cite_note-54

    The major appeal then and now is filtering and limiting the spam, garbage,
    verbiage, and incivility that permeates other [anti-?]"social networks".

    ------------------------------

    Date: Sun, 14 Jul 2019 21:15:20 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Re: Galileo sat-nav system experiences service outage (BBC News
    in RISKS-31.33)

    Europe's satellite-navigation system, Galileo, has suffered a major outage.

    The network has been offline since Friday due to what has been described as
    a "technical incident related to its ground infrastructure".

    The problem means all receivers, such as the latest smartphone models, will
    not be picking up any useable timing or positional information.

    These devices will be relying instead on the data coming from the American
    Global Positioning System (GPS).

    Depending on the sat-nav chip they have installed, cell phones and other
    devices might also be making connections with the Russian (Glonass) and
    Chinese (Beidou) networks.

    https://www.bbc.com/news/science-environment-48985399

    ------------------------------

    Date: Tue, 16 Jul 2019 08:34:35 -0400
    From: Dick Mills <dickandl...@gmail.com>
    Subject: Re: How Fake News Could Lead to Real War (RISKS-31.33)

    "Imagine what it might be like to be in the grip of a conspiracy theory,
    when you've spent your whole professional life being one of those policy
    mandarins who could smell a conspiracy theory a mile away?..."

    The root problem here is lack of trust in authorities. It goes much deeper
    than just technology. For my whole life, such trust has been eroding
    among the public. The interesting thing about that story is that the shoe
    is finally on the other foot, an authority is losing trust.

    I say good. Maybe they may take steps to become trustworthy themselves.

    ------------------------------

    Date: Tue, 16 Jul 2019 21:45:35 +0100
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: London commuters Wi-FiTube being tracked

    [TfL is the authority that runs the London Underground]

    https://www.dailymail.co.uk/news/ar...ters-turn-phones-Wi-Fi-Tube-stop-tracked.html

    Security experts warn London commuters to turn off their phones' Wi-Fi on
    the Tube to stop being tracked as TfL starts harvesting signal data today

    * Operator will monitor travel patterns with beacon that detects Wi-Fi
      capability
    * Phones, laptops or tablets do not have to join the station's network to
      be tracked
    * Only way to ensure that you are not tracked is to disable your Wi-Fi
      completely

    Sebastian Murphy-bates For Mailonline, 8 July 2019

    This morning the Tube network introduced monitoring of signals to harvest
    data from commuters in the capital. Transport for London says it is
    collecting details of where, when and how customers use the service. Even
    phones that are not connected to TfL's Wi-Fi will be vulnerable to tracking.

    I went to a talk a year or two ago given by one of the Underground's planning
    staff on remodeling Bank station in the heart of the City of London business
    district (so-named because the Bank of England building is just across the
    street, not because it's on the bank of the River Thames as I had
    incorrectly assumed when I was a kid). This is a major below-ground station
    underneath a large road intersection, where multiple lines cross at several
    levels, so it's quite a labyrinth.

    For busy, complicated subway/rapid transit systems like London's, obviously
    train capacity is a major planning challenge, but just as important is
    handling the volume of passengers through the stations as they use
    corridors, ticket barriers, elevators, stairs, escalators, etc. between
    trains or trains and streets. Historically, measuring passenger flows was
    done by groups of stewards located at strategic points around a station;
    some would hand out numbered cards to passengers as they entered the station
    or got off trains, while others would collect the cards as passengers left
    the station or got on trains. This was OK in a basic way, but was
    labour-intensive and rather intrusive at busy times, and only a small sample
    of passengers could be covered.

    Of course nowadays most people carry cellphone or wi-fi wireless devices and
    the Underground has repeaters to keep them working below ground, so the
    obvious step is to use these to log passenger movements, as it's totally
    unobtrusive and allows detailed real-time tracking of almost every
    passenger. The lady who gave the talk stressed that there's no attempt to
    make contact with or identify any of the devices, and presumably details of
    individual devices are not retained after analysing their movements --
    pointless anyway unless GCHQ/MI5/FBI/CIA or whoever want to track random
    people's journeys for the sake of it. She added that the technique was
    unexpectedly useful as passengers were found to be surprisingly imaginative
    at figuring out routes around the station, including several ways that the
    planners hadn't considered themselves.

    Presumably the warning signs on stations mentioned in the newspaper are to
    comply with latest data-protection regulations.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.34
    ************************
     
  6. LakeGator

    Risks Digest 31.35

    RISKS List Owner

    Aug 6, 2019 4:53 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Tuesday 6 August 2019 Volume 31 : Issue 35

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    One reason for the 737 Max disaster? Avoiding software complexity
    (Thomas Koenig)
    Warning over auto cyberattacks (Eric D. Lawrence)
    Tesla hit with another lawsuit over a fatal Autopilot crash (The Verge)
    This Satellite Image Shows Everything Wrong With Greenland Right Now
    (Gizmodo)
    North Korea took $2 billion in cyberattacks to fund weapons program (U.N.)
    How China Weaponized the Global Supply Chain (National Review)
    China has started a grand experiment in AI education. It could
    reshape how the world learns. (MIT Tech Review)
    44 people in China were injured when a water park wave machine
    launched a crushing tsunami (WashPost)
    In Hong Kong Protests, Faces Become Weapons (NYTimes)
    Amazon Requires Police to Shill Surveillance Cameras in Secret Agreement
    (VICE)
    Apple's Siri overhears your drug deals and sexual activity,
    whistleblower says (Charlie Osborne)
    Capital One data breach compromises tens of millions of credit card
    applications, FBI says (WashPost)
    California State Bar accidentally leaks details of upcoming exam (NBC News)
    Russian hackers are infiltrating companies via the office printer
    (MIT Tech Review)
    A VxWorks Operating System Bug Exposes 200 Million Critical Devices (WiReD)
    Capital One Systems Breached by Seattle Woman, U.S. Says (Bloomberg)
    Another Breach: What Capital One Could Have Learned from Google's
    "BeyondCorp"
    Paige Thompson, Capital One Hacking Suspect, Left a Trail Online (NYTimes)
    Cambridge Analytica's role in Brexit (Ted)
    The scramble to secure America's voting machines (Politico)
    The state of our elections security (Web Informant)
    A lawmaker wants to end social media addiction by killing features
    that enable mindless scrolling (WashPost)
    Cisco in Whistleblower Payoff and PR Doublespeak Row
    (Security Boulevard)
    Social Media Addiction Reduction Technology, or SMART, Act (Fortune)
    200-million devices some mission-critical vulnerable to remote takeover
    (Ars Technica)
    Siemens contractor pleads guilty to planting logic bomb in company
    spreadsheets (ZDNet)
    People forged judges' signatures to trick Google into changing results
    (Ars Technica)
    Partial hashes broadcast in Bluetooth can be converted to phone numbers
    (Ars Technica)
    Apple suspends human eavesdropping through Siri (Taipei Times)
    Why People Should Care About Quantum Computing (Fortune)
    Your Train Is Delayed. Why? (NYTimes)
    Barr Revives Encryption Debate, Calling on Tech Firms to Allow for
    Law Enforcement (NYTimes)
    Dark Web Consequences Increase from Global Rise of Police-Friendly
    Laws (Channel Futures)
    The Hidden Costs of Automated Thinking (The New Yorker)
    We Tested Europe’s New Digital Lie Detector. It Failed. (The Intercept)
    AI Predictive Policing (Daily Mail)
    Guardian Firewall iOS App Automatically Blocks the Trackers on Your Phone
    (WiReD)
    Google researchers disclose vulnerabilities for 'interactionless'
    iOS attacks (ZDNet)
    Another Breach: What Capital One Could Have Learned from Google's
    "BeyondCorp" (Lauren's Blog)
    A data breach forced this family to move home and change their names
    (ZDNet)
    Brazilian president’s cellphone hacked as Car Wash scandal intrigue
    widens (WashPost)
    Malicious 'Google' domains used in Magento card card skimmer attacks (ZDNet)
    MyDoom: The 15-year-old malware that's still being used in phishing
    attacks in 2019 (ZDNet)
    StockX was hacked, exposing millions of customers' data (TechCrunch)
    Ikea says sorry for customer data breach (Straits Times)
    Refunds for Global Access Technical Support customers (Consumer Information)
    Business Continuity?: Kyoto Anime recovers digital recordings
    (Chiaki Ishikawa)
    Colorado gov't. email account for reporting child abuse goes unchecked for
    4 years (WashPost)
    Re: "Mortgage Provider Tells Savers of Zero Balances" (Chris Drewe)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Mon, 5 Aug 2019 22:03:34 +0200
    From: Thomas Koenig <t...@tkoenig.net>
    Subject: One reason for the 737 Max disaster? Avoiding software complexity

    The Seattle Times finally offers an explanation of why only one sensor fed
    data into the Maneuvering Characteristics Augmentation System on the Boeing
    737 Max 8 airplanes. In both cases, it is presumed that faulty sensors fed
    wrong data into the system, which led to miscorrections of the aircraft
    attitude, to total loss of control of the aircraft and to 346 deaths.

    Boeing wanted to avoid software complexity.

    "Boeing is changing the MAX's automated flight-control system's software
    so that it will take input from both flight-control computers at once
    instead of using only one on each flight. That might seem simple and
    obvious, but in the architecture that has been in place on the 737 for
    decades, the automated systems take input from only one computer on a
    flight, switching to use the other computer on the next flight."

    In all previous reports (that I have read, at least) people were utterly
    baffled why only one sensor was being used. Now it is clear why.

    It is also clear now why the "patch" (rather a complete rewrite, using a
    different software architecture) takes so long.

    Sometimes, "Keep it simple and stupid" is not the right policy...

    Newly stringent FAA tests spur a fundamental software redesign of Boeing’s 737 MAX flight controls
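
    The post contrasts an architecture that consults one flight-control computer
    per flight with one that takes input from both at once. The following is an
    added illustration of that difference, not Boeing's code and not a description
    of the real MCAS logic: a gate that, in the single-channel form, acts on
    whatever the active sensor says, and in the dual-channel form acts only when
    both channels are valid and agree, inhibiting the automatic correction and
    raising a crew message otherwise. The thresholds, the sensor trace and the
    "act only when both exceed the trigger" rule are assumptions made up for the
    example.

```python
"""
Added example (not from the digest, the Seattle Times, or Boeing): a
redundant-input gate that shows why a single-sensor design lets one faulty
reading drive an automatic correction, and how a two-channel comparison
inhibits the correction instead.

Assumptions, constructed for the example:
  * two independent channels each report an angle-of-attack value in degrees,
    or None when the channel has failed its own self-test;
  * readings that differ by more than DISAGREEMENT_LIMIT_DEG are treated as
    untrustworthy, and the automation is inhibited rather than trusting either;
  * thresholds are illustrative numbers, not values from any aircraft.
"""
from dataclasses import dataclass
from typing import Callable, Optional

DISAGREEMENT_LIMIT_DEG = 5.5   # assumed tolerance between the two channels
AOA_TRIGGER_DEG = 14.0         # assumed reading above which a correction fires


@dataclass(frozen=True)
class Decision:
    command_correction: bool    # True: the automation acts on the reading
    alert: Optional[str]        # crew message when the automation is inhibited


def single_channel(active_aoa: Optional[float]) -> Decision:
    """Old pattern: only the channel active on this flight is consulted."""
    if active_aoa is None:
        return Decision(False, "active sensor failed; correction inhibited")
    return Decision(active_aoa > AOA_TRIGGER_DEG, None)


def dual_channel(left: Optional[float], right: Optional[float]) -> Decision:
    """New pattern: act only when both channels are valid and agree."""
    if left is None or right is None:
        return Decision(False, "one channel invalid; correction inhibited")
    if abs(left - right) > DISAGREEMENT_LIMIT_DEG:
        msg = f"AOA disagree ({left:.1f} vs {right:.1f}); correction inhibited"
        return Decision(False, msg)
    # With two channels there is no tie-breaker, so be conservative: both
    # readings must exceed the trigger before the automation acts.
    return Decision(min(left, right) > AOA_TRIGGER_DEG, None)


# Constructed trace: the left channel is stuck high, the right one is normal.
SAMPLE_TRACE = [(70.0, 2.5), (70.0, 2.8), (70.0, 3.1)]


def count_corrections(trace, gate: Callable[[float, float], Decision]) -> int:
    """Number of samples on which the given gate would command a correction."""
    return sum(1 for left, right in trace if gate(left, right).command_correction)


if __name__ == "__main__":
    one = count_corrections(SAMPLE_TRACE, lambda l, r: single_channel(l))
    two = count_corrections(SAMPLE_TRACE, dual_channel)
    print(f"single-channel gate commanded {one} corrections on a stuck sensor")
    print(f"dual-channel gate commanded {two}; alert: {dual_channel(70.0, 2.5).alert}")
```

    The point the example makes is the one in the post: the second design is not
    more "complex" for its own sake; the comparison is what turns a stuck sensor
    from a command into a warning.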

    ------------------------------

    Date: Tue, 6 Aug 2019 10:11:44 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Warning over auto cyberattacks (Eric D. Lawrence)

    Eric D. Lawrence, *The San Francisco Chronicle*, 6 Aug 2019, page D1

    Boxed highlight: "Fiat Chrysler made a software fix in 2015 to prevent
    hacking into Jeep Cherokees but some experts believe many vehicles are
    still vulnerable."

    Warnings about connected vehicle vulnerabilities have been a steady drumbeat
    for years. [RISKS!!!] Now a 49-page report from California's consumer
    advocacy group Consumer Watchdog paints a dire picture and urges automakers
    to install a 50-cent kill switch that would allow vehicles to be disconnected
    from the Internet. [PGN-ed]

    "Millions of cars on the Internet running the same software means a single
    exploit can affect millions of vehicles simultaneously."

    ------------------------------

    Date: Mon, 5 Aug 2019 17:25:12 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Tesla hit with another lawsuit over a fatal Autopilot crash
    (The Verge)

    ``They just get too used to it. That tends to be more of an issue. It's not a
    lack of understanding of what Autopilot can do. It's [drivers] thinking they
    know more about Autopilot than they do.''

    Tesla will regularly release data about the safety of Autopilot, Elon Musk says
    Tesla hit with another lawsuit over a fatal Autopilot crash

    Pick one: EITHER it's not a lack of understanding OR they think they know
    more than they do.

    ------------------------------

    Date: Sat, 3 Aug 2019 14:16:53 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: This Satellite Image Shows Everything Wrong With Greenland Right
    Now (Gizmodo)

    EXCERPT:

    If you could sum up climate change's impact on the Arctic in one
    image, you'd be hard pressed to find something better than this satellite
    view, which shows the meltdown of one of the largest stores of ice on Earth
    while a wildfire rages in the distance.

    Here it is, below, courtesy of satellite image wizard Pierre Markuse and our
    planet, which is quickly becoming a smoke-filled, waterlogged hellscape. ...

    https://earther.gizmodo.com/this-satellite-image-shows-everything-wrong-with-greenl-1836919989

    ------------------------------

    Date: Mon, 5 Aug 2019 14:11:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: North Korea took $2 billion in cyberattacks to fund weapons program
    (U.N. report)

    North Korea has generated an estimated $2 billion for its weapons of mass
    destruction programs using ``widespread and increasingly sophisticated''
    cyberattacks to steal from banks and cryptocurrency exchanges, according to
    a confidential U.N. report seen by Reuters on Monday.

    Pyongyang also ``continued to enhance its nuclear and missile programmes
    although it did not conduct a nuclear test or ICBM (Intercontinental
    Ballistic Missile) launch,'' said the report to the U.N. Security Council
    North Korea sanctions committee by independent experts monitoring compliance
    over the past six months.

    ------------------------------

    Date: Mon, 5 Aug 2019 18:17:12 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: How China Weaponized the Global Supply Chain (National Review)

    How China Weaponized the Global Supply Chain | National Review

    ... the introduction of Chinese cyber-capabilities, including the
    installation of digital networks at Chinese-controlled sites, typically by
    Huawei, and a subsea cable network being built by Huawei's marine unit that
    will nearly encircle the globe by the end of this year. Chinese state-owned
    companies are leading a rapid, digitally enabled consolidation of the
    logistics sector -- bringing together supply-chain functions that had
    previously been performed by separate companies, adopting centralized IT
    systems to control distribution from the doors of factories in China to the
    doors of consumers in America, and developing a wide array of technologies
    that can be used for both commercial and military purposes.

    The most threatening aspect of China's commercial triad is that the physical
    network of ports, ships, and terminals serves as a force multiplier for
    China's cyber-aggression. From drones that monitor operations to
    facial-recognition technologies that control access to container yards, port
    facilities provide nearly perfect cover for cyber-espionage. There's a lot
    going on in a seaport, and all of it is controlled and monitored by
    technology that feeds information over digital networks to buyers, sellers,
    regulators, financial institutions, and transportation companies. In short,
    ports are power. Power over imports and exports, power over
    economic-development policies, construction, shipbuilding, land transport,
    and electricity grids -- and power over the digital information needed to
    move goods through global supply chains that originate in China and
    Southeast Asia. These critical supply lines have increasingly come under the
    influence or control of a handful of Chinese state-owned companies. [...]

    [Monty Solomon noted this item:
    Official Cybersecurity Review Finds U.S. Military Buying High-Risk
    Chinese Tech (Forbes)
    Official Cybersecurity Review Finds U.S. Military Buying High-Risk Chinese Tech (Updated)
    PGN]

    ------------------------------

    Date: Sun, 4 Aug 2019 18:51:25 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: China has started a grand experiment in AI education. It could
    reshape how the world learns. (MIT Tech Review)

    In recent years, the country has rushed to pursue *intelligent education*.
    Now its billion-dollar ed-tech companies are planning to export their vision
    overseas.

    Zhou Yi was terrible at math. He risked never getting into college. Then a
    company called Squirrel AI came to his middle school in Hangzhou, China,
    promising personalized tutoring. He had tried tutoring services before, but
    this one was different: instead of a human teacher, an AI algorithm would
    curate his lessons. The 13-year-old decided to give it a try. By the end of
    the semester, his test scores had risen from 50% to 62.5%. Two years later,
    he scored an 85% on his final middle school exam.

    ``I used to think math was terrifying. But through tutoring, I realized it
    really isn't that hard. It helped me take the first step down a different
    path.''

    Experts agree AI will be important in 21st-century education -- but how?
    While academics have puzzled over best practices, China hasn't waited
    around. In the last few years, the country's investment in AI-enabled
    teaching and learning has exploded. Tech giants, startups, and education
    incumbents have all jumped in. Tens of millions of students now use some
    form of AI to learn -- whether through extracurricular tutoring programs
    like Squirrel's, through digital learning platforms like 17ZuoYe, or even in
    their main classrooms. It's the world's biggest experiment on AI in
    education, and no one can predict the outcome.

    Silicon Valley is also keenly interested. In a report in March, the
    Chan-Zuckerberg Initiative and the Bill and Melinda Gates Foundation
    identified AI as an educational tool worthy of investment. In his 2018 book
    Rewiring Education, John Couch, Apple's vice president of education, lauded
    Squirrel AI. (A Chinese version of the book is coauthored by Squirrel's
    founder, Derek Li.) Squirrel also opened a joint research lab with Carnegie
    Mellon University this year to study personalized learning at scale, then
    export it globally.

    But experts worry about the direction this rush to AI in education is
    taking. At best, they say, AI can help teachers foster their students'
    interests and strengths. At worst, it could further entrench a global trend
    toward standardized learning and testing, leaving the next generation ill
    prepared to adapt in a rapidly changing world of work...

    China has started a grand experiment in AI education. It could reshape how the world learns.

    ------------------------------

    Date: Thu, 1 Aug 2019 11:19:33 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: 44 people in China were injured when a water park wave machine
    launched a crushing tsunami (WashPost)

    44 people in China were injured when a water park wave machine launched a
    crushing tsunami

    The operator was not drunk, as originally reported.

    https://www.washingtonpost.com/worl...rpark-wave-machine-launched-crushing-tsunami/

    ------------------------------

    Date: Mon, 29 Jul 2019 18:59:50 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: In Hong Kong Protests, Faces Become Weapons (NYTimes)

    A quest to identify protesters and police officers has people in both groups
    desperate to protect their anonymity. Some fear a turn toward China-style
    surveillance.

    In Hong Kong Protests, Faces Become Weapons

    ------------------------------

    Date: Sun, 28 Jul 2019 14:04:05 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Amazon Requires Police to Shill Surveillance Cameras in Secret
    Agreement (VICE)

    Amazon Requires Police to Shill Surveillance Cameras in Secret Agreement

    ------------------------------

    Date: Wed, 31 Jul 2019 10:40:06 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Apple's Siri overhears your drug deals and sexual activity,
    whistleblower says (Charlie Osborne)

    Charlie Osborne for Zero Day | 30 Jul 2019

    Apple's Siri overhears your drug deals and sexual activity, whistleblower
    says. Quality control frequently comes across recordings which should not
    have existed in the first place.
    Apple’s Siri overhears your drug deals and sexual activity, whistleblower says | ZDNet

    selected text:

    Apple's Siri records private and confidential conversations and activities
    on a regular basis including talk relating to medical conditions, drug
    deals, and sex acts.

    Staff members tasked with grading how Siri responds to commands and whether
    or not the correct wake word "Hey Siri" was used before a recording occurred
    often hear explicit recordings, which are accidentally saved when the
    assistant mistakenly takes a sound for the wake word.

    The publication's source notes, for example, that the sound of a zipper can
    be misconstrued as a demand to wake up. In what the whistleblower says are
    "countless instances," conversations between doctors and patients, business
    deals, and both criminal and sexual activity have been captured by the smart
    assistant.

    The Apple Watch, in particular, has come under fire. While many recordings
    captured by Siri may only be a few seconds in length, The Guardian says that
    the watch -- with Siri enabled -- may record up to 30 seconds.

    ------------------------------

    Date: Mon, 29 Jul 2019 19:14:10 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Capital One data breach compromises tens of millions of credit card
    applications, FBI says (WashPost)

    https://www.washingtonpost.com/news...illions-of-credit-card-applications-fbi-says/

    ------------------------------

    Date: Mon, 29 Jul 2019 18:49:37 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: California State Bar accidentally leaks details of upcoming exam
    (NBC News)

    https://www.nbcnews.com/news/us-new...dentally-leaks-details-upcoming-exam-n1035681

    ------------------------------

    Date: Mon, 5 Aug 2019 14:12:00 -1000
    From: geoff goodfellow <ge...@iconia.com>
    Subject: Russian hackers are infiltrating companies via the office printer
    (MIT Tech Review)

    *A group of hackers linked to Russian spy agencies are using "Internet of
    things" devices like internet-connected phones and printers to break into
    corporate networks, Microsoft announced on Monday.*

    EXCERPT:

    *Fancy Bear never hibernates*: The Russian hackers, who go by names like
    Strontium, Fancy Bear, and APT28, are linked to the military intelligence
    agency GRU.

    The group has been active since at least 2007. They are credited with a long
    list of infamous work including breaking into the Democratic National
    Committee in 2016, the crippling NotPetya attacks against Ukraine in 2017,
    and targeting political groups in Europe and North America throughout 2018.

    *Insecurity of Things*: The new campaign from GRU compromised popular
    internet of things devices including a VOIP (voice over internet protocol)
    phone, a connected office printer, and a video decoder in order to gain
    access to corporate networks. Microsoft has some of the best visibility into
    corporate networks on earth because so many organizations are using Windows
    machines. Microsoft's Threat Intelligence Center spotted Fancy Bear's new
    work starting in April 2019.

    *The password is password*: Although things like smartphones and desktop
    computers are often top of mind when it comes to security, it's often the
    printer, camera, or decoder that leaves a door open for a hacker to
    exploit. [...]

    https://www.technologyreview.com/f/...ium-infiltrate-iot-networks-microsoft-report/

    ------------------------------

    Date: Mon, 29 Jul 2019 19:08:01 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: A VxWorks Operating System Bug Exposes 200 Million Critical Devices
    (WiReD)

    When major vulnerabilities show up in ubiquitous operating systems like
    Microsoft Windows, they can be weaponized and exploited, the fallout
    potentially impacting millions of devices. Today, researchers from the
    enterprise security firm Armis are detailing just such a group of
    vulnerabilities in a popular operating system that runs on more than 2
    billion devices worldwide. But unlike Windows, iOS, or Android, this OS is
    one you've likely never heard of. It's called VxWorks.

    VxWorks is designed as a secure "real-time" operating system for
    continuously functioning devices, like medical equipment, elevator
    controllers, or satellite modems. That makes it a popular choice for
    Internet of Things and industrial control products. But Armis researchers
    found a cluster of 11 vulnerabilities in the platform's networking
    protocols, six of which could conceivably give an attacker remote device
    access, and allow a worm to spread the malware to other VxWorks devices
    around the world. Roughly 200 million devices appear to be vulnerable; the
    bugs have been present in most versions of VxWorks going back to version
    6.5, released in 2006.

    https://www.wired.com/story/vxworks-vulnerabilities-urgent11/

    ------------------------------

    Date: Mon, 29 Jul 2019 19:14:52 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Capital One Systems Breached by Seattle Woman, U.S. Says
    (Bloomberg)

    https://www.bloomberg.com/news/arti...ta-systems-breached-by-seattle-woman-u-s-says

    ------------------------------

    Date: Tue, 30 Jul 2019 14:11:10 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Another Breach: What Capital One Could Have Learned from Google's
    "BeyondCorp"

    Updating this blog post with info that non-customers of Capital One were
    also affected by the breach, etc.

    https://lauren.vortex.com/2019/07/3...ne-could-have-learned-from-googles-beyondcorp

    ------------------------------

    Date: Tue, 30 Jul 2019 12:27:01 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Paige Thompson, Capital One Hacking Suspect, Left a Trail Online
    (NYTimes)

    https://www.nytimes.com/2019/07/30/business/paige-thompson-capital-one-hack.html

    Ms. Thompson, a 33-year-old software developer, made a habit of oversharing
    online. Those posts led the authorities to her door.

    ------------------------------

    Date: Sun, 4 Aug 2019 6:17:10 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: Cambridge Analytica's role in Brexit (Ted)

    [Thanks to Paul Vixie. PGN]



    ------------------------------

    Date: Sun, 4 Aug 2019 12:12:06 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: The scramble to secure America's voting machines (Politico)

    The U.S. faces a voting security crisis.

    Eric Geller, Beatrice Jin, Jordyn Hermani and Michael B. Farrell
    Politico, 4 Aug 2019

    Tens of millions of Americans across 14 states cast ballots last year on
    paperless voting machines -- devices that security experts say can be
    undetectably hacked and that offer no way to audit results when tampering or
    errors occur. Many voters will still be using paperless machines in 2020,
    despite warnings from intelligence leaders and cybersecurity experts that
    Russia will try to reprise its interference in the 2016 presidential
    campaign.

    Click here to read the results of POLITICO's survey and see our interactive
    presentation on the nationwide, state-by-state and county-by-county picture
    of U.S. voting security as 2020 approaches.
    <http://go.politicoemail.com/?qs=fd6...a2617ab812f0bdae6d83d692c4e703f1488e207a56d87>

    https://www.politico.com/interactives/2019/election-security-americas-voting-machines/index.html

    ------------------------------

    Date: Tue, 30 Jul 2019 13:46:18 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: The state of our elections security (Web Informant)

    Web Informant, 30 Jul 2019

    The past week has seen a lot of news stories about hacking our
    elections. Today in this edition of Inside Security I take a careful look at
    what we know and the various security implications, which I cover in the
    last paragraph. It is hard to write about this without getting into
    politics, but I will try to summarize the facts. Here are two of them:

    — Russians have penetrated election authorities in every statehouse and
    continue to try to compromise those networks. We have evidence that has
    been published in the Mueller report and more recently the Senate
    Intelligence Committee report from last week.

    — A second and more troublesome collection of election compromises is
    described in a report from the San Mateo County grand jury that was also
    posted last week. I will get to this report in a moment.

    For infosec professionals, the events described in these documents have been
    well known for many years. The reports talk about spear-phishing attacks on
    election officials, phony posts on social media or posts that originate from
    sock puppet organizations (such as Russian state-sponsored intelligence
    agencies), or from consultants to political campaigns that misrepresent
    themselves to influence an election.

    https://blog.strom.com/wp/?p=7291

    ------------------------------

    Date: Tue, 30 Jul 2019 13:38:16 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: A lawmaker wants to end social media addiction by killing features
    that enable mindless scrolling (WashPost)

    https://www.washingtonpost.com/tech...ling-features-that-enable-mindless-scrolling/

    "Big tech has embraced a business model of addiction," Hawley, a Missouri
    Republican, said in a statement announcing the bill. "Too much of the
    'innovation' in this space is designed not to create better products, but to
    capture more attention by using psychological tricks that make it difficult
    to look away. This legislation will put an end to that and encourage true
    innovation by tech companies."

    iDisorder (http://catless.ncl.ac.uk/Risks/30/89#subj18.1) constitutes an
    acute public health and safety risk.

    Apple's opposition to 'gaze-blocker' application sales suggests they merit
    pursuit as a public health benefit. See
    https://catless.ncl.ac.uk/Risks/31/21#subj16.1.

    ------------------------------

    Date: Fri, 2 Aug 2019 12:49:45 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Cisco in Whistleblower Payoff and PR Doublespeak Row
    (Security Boulevard)

    Cisco Systems has settled a longstanding lawsuit in which federal and state
    agencies alleged a product was badly insecure and that the company knew
    about it for at least four years before it did anything. Not a good look.

    Not only that, but Cisco will compensate a whistleblowing contractor who
    says he was fired for rocking the boat. Although Cisco maintains his job was
    no longer needed.

    And the PR statement is, well, let’s just say nuanced.

    https://securityboulevard.com/2019/08/cisco-in-whistleblower-payoff-and-pr-doublespeak-row/

    ------------------------------

    Date: Fri, 2 Aug 2019 16:44:32 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Social Media Addiction Reduction Technology, or SMART, Act
    (Fortune)

    *Can't look away*. Speaking of new rules, a bill proposed by Sen. Josh
    Hawley dubbed the Social Media Addiction Reduction Technology, or SMART, Act
    would ban techniques used to hook people in to social media. *Facebook's*
    (and many other sites') infinite scroll would be illegal, as would autoplay
    videos. ``Big Tech has embraced addiction as a business model,'' Hawley
    tweeted. The bill obviously has a long way to go before becoming a law.

    <https://click.newsletters.fortune.c...d3f2108608cab99cc61c36ecf80db896e780d98394df0>

    [Next to be outlawed, human nature.]

    ------------------------------

    Date: Tue, 30 Jul 2019 19:13:24 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: 200-million devices, some mission-critical, vulnerable to remote
    takeover (Ars Technica)

    https://arstechnica.com/information...ssion-critical-vulnerable-to-remote-takeover/

    ------------------------------

    Date: Sun, 28 Jul 2019 14:05:35 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Siemens contractor pleads guilty to planting logic bomb in company
    spreadsheets (ZDNet)

    https://www.zdnet.com/article/sieme...-planting-logic-bomb-in-company-spreadsheets/

    ------------------------------

    Date: Tue, 30 Jul 2019 19:59:18 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: People forged judges' signatures to trick Google into changing results
    (Ars Technica)

    https://arstechnica.com/tech-policy...atures-to-trick-google-into-changing-results/

    ------------------------------

    Date: Fri, 2 Aug 2019 12:37:19 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Partial hashes broadcast in Bluetooth can be converted to phone
    numbers (Ars Technica)

    https://arstechnica.com/information...ord-sharing-features-can-leak-iphone-numbers/
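
    The subject line names the technique: a truncated hash of a value drawn
    from a small input space (a phone number) does not hide that value, because
    the space can simply be enumerated. The following is an added example, not
    code from the article or from Apple; the 3-byte prefix, the SHA-256 choice
    and the E.164 number format are assumptions for illustration, not a
    description of what the iOS feature actually broadcasts.

```python
import hashlib
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumption for illustration: the sender broadcasts only the first
# HASH_PREFIX_BYTES bytes of SHA-256 over the phone number in E.164 form.
# The real BLE payload layout is not described on this page.
HASH_PREFIX_BYTES = 3


def partial_hash(phone: str, prefix_bytes: int = HASH_PREFIX_BYTES) -> bytes:
    """Truncated SHA-256 of a phone number string such as '+14155550123'."""
    return hashlib.sha256(phone.encode("ascii")).digest()[:prefix_bytes]


def nanp_numbers(area_code: str, exchanges: Iterable[str]) -> Iterable[str]:
    """Enumerate every +1 <area> <exchange> <line> number in the given blocks.

    Each exchange block holds exactly 10,000 numbers, so an attacker who knows
    roughly where a target lives needs only a handful of blocks.
    """
    for exchange in exchanges:
        for line in range(10_000):
            yield f"+1{area_code}{exchange}{line:04d}"


def build_lookup(candidates: Iterable[str],
                 prefix_bytes: int = HASH_PREFIX_BYTES) -> Dict[bytes, List[str]]:
    """Precompute truncated hash -> numbers for the whole candidate space."""
    table: Dict[bytes, List[str]] = defaultdict(list)
    for number in candidates:
        table[partial_hash(number, prefix_bytes)].append(number)
    return table


def invert_partial_hash(observed: bytes,
                        table: Dict[bytes, List[str]]) -> List[str]:
    """Every candidate whose truncated hash equals the observed prefix."""
    return table.get(observed, [])


def expected_candidates(space_size: int, prefix_bytes: int) -> float:
    """Average number of inputs sharing one truncated hash value.

    With a 3-byte prefix there are only 2**24 possible values, so even the
    entire ~10**10 North American number space collapses to ~600 candidates
    per observed prefix; a truncated hash is not an anonymizer.
    """
    return space_size / float(256 ** prefix_bytes)


if __name__ == "__main__":
    target = "+14155550123"              # constructed sample number
    observed = partial_hash(target)     # what a passive BLE sniffer would see
    table = build_lookup(nanp_numbers("415", ["555"]))
    print("observed prefix:", observed.hex())
    print("candidates:", invert_partial_hash(observed, table))
    print("expected candidates over full NANP space:",
          round(expected_candidates(10 ** 10, HASH_PREFIX_BYTES)))
```

    The table for one exchange block is built in well under a second; the
    general point is that the defence has to come from the size of the secret
    space (or from a keyed construction with a per-session secret), not from
    throwing away hash bytes.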

    ------------------------------

    Date: Sat, 3 Aug 2019 16:40:17 -0700
    From: Mark Thorson <e...@dialup4less.com>
    Subject: Apple suspends human eavesdropping through Siri (Taipei Times)

    A prudent move, in the wake of Amazon and Google bad PR from their
    eavesdropping activities. The putative motive of having human listeners was
    to improve Siri's ability to respond to queries.

    http://www.taipeitimes.com/News/biz/archives/2019/08/03/2003719808

    Someone must have gotten around to asking "What could go wrong?"

    ------------------------------

    Date: Mon, 29 Jul 2019 00:56:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Why People Should Care About Quantum Computing (Fortune)

    Essentially, workable quantum computing could, in theory, help solve some of
    humanity’s most pressing problems like capturing “carbon from the atmosphere
    to save the planet” and improving clean energy and food production,
    Svore said.

    It’s not as if conventional computers can’t handle the calculations
    underpinning the feats Svore mentioned. It’s just that it would take a
    person’s lifetime, as opposed to the “matter of weeks or months” it would
    take a quantum computer to process the information related to the problems.

    https://fortune.com/2019/07/15/quantum-computing-brainstorm-tech/

    More vague blather, I think. There's NEVER discussion about quantum apps,
    programming, algorithms, specific applications.

    It's never beyond:

    Quantum, however, relies on mysterious so-called qbits, which can represent
    data in multiple states like a “0” or “1” at the same time; it’s a
    head-scratching idea to wrap one’s brain around, but it's crucial to
    harnessing the power of quantum computing. Designing algorithms that take
    advantage of the mysterious properties of qbits can bring “billions of years
    of compute time to seconds or hours or days,” Svore said.

    ...so let's see the algorithms -- they should be available before quantum
    hardware is built, yes?

    ------------------------------

    Date: Sun, 28 Jul 2019 14:41:40 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Your Train Is Delayed. Why? (NYTimes)

    Video


    ------------------------------

    Date: Sun, 28 Jul 2019 14:18:58 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Barr Revives Encryption Debate, Calling on Tech Firms to Allow for
    Law Enforcement (NYTimes)

    The attorney general, reopening the conversation on security vs. privacy,
    said that encryption and other measures effectively turned devices into
    “law-free zones.”

    https://www.nytimes.com/2019/07/23/...cryption-security.html?smid=nytcore-ios-share

    [Unfortunately, law-enforcement-only backdoors are likely to be
    subvertible by many unauthorized folks. Emphatic assertion keeps
    resurfacing, despite the wisdom of the Keys Under Doormats report, by
    folks who reject the risks of misusing systems that are likely to be
    already unsecure, despite the desire for backdoors. The RISKS motto seems
    to be: Everything is likely to be compromised, if not already broken. By
    the way, it is not `security vs privacy'. It is `insecurity and
    nonprivacy'. PGN]

    ------------------------------

    Date: Sun, 28 Jul 2019 14:04:46 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Dark Web Consequences Increase from Global Rise of Police-Friendly
    Laws (Channel Futures)

    https://www.channelfutures.com/mssp...ease-from-global-rise-of-police-friendly-laws

    ------------------------------

    Date: Sat, 27 Jul 2019 17:49:36 -0400
    From: Dave Farber <far...@gmail.com>
    Subject: The Hidden Costs of Automated Thinking (The New Yorker)

    https://www.newyorker.com/tech/annals-of-technology/the-hidden-costs-of-automated-thinking

    ------------------------------

    Date: Sat, 27 Jul 2019 09:17:40 -0400
    From: Dave Farber <far...@gmail.com>
    Subject: We Tested Europe’s New Digital Lie Detector. It Failed.
    (The Intercept)

    https://theintercept.com/2019/07/26/europe-border-control-ai-lie-detector/

    ------------------------------

    Date: Sun, 28 Jul 2019 10:19:53 PDT
    From: "Peter G. Neumann" <neu...@csl.sri.com>
    Subject: AI Predictive Policing (Daily Mail)

    [From Geoff Goodfellow]

    AI experts from top universities SLAM `predictive policing' tools in new
    statement and warn technology could 'fuel misconceptions and fears that
    drive mass incarceration'.

    - AI experts say pre-crime algorithms are more magic than reality
    - Algorithms designed to predict violent crime may come with consequences
    - Experts say they may vastly overstate the likelihood of pretrial crime
    - They warn its use could fuel mass incarceration and lead to harsher
      sentences

    EXCERPT:

    Prominent thinkers in the fields of artificial intelligence say that
    predictive policing tools are not only 'useless,' but may be helping to
    drive mass incarceration.

    In a letter published earlier this month the experts, from MIT, Harvard,
    Princeton, NYU, UC Berkeley and Columbia spoke out on the topic in an
    unprecedented showing of skepticism toward the technology.
    <https://dam-prod.media.mit.edu/x/2019/07/16/TechnicalFlawsOfPretrial_ML>

    'When it comes to predicting violence, risk assessments offer more magical
    thinking than helpful forecasting,' wrote AI experts Chelsea Barabas,
    Karthik Dinakar and Colin Doyle in a New York Times op-ed.
    <https://www.nytimes.com/2019/07/17/opinion/pretrial-ai.html?utm_source=The+Appeal>

    Predictive policing tools, or risk assessment tools, are algorithms designed
    to predict the likelihood of someone committing crime in the future.

    With rapid advances in artificial intelligence, the tools have begun to find
    their way into the everyday processes of judges, who deploy them to
    determine sentencing, and police departments, who use them to allot
    resources and more.

    While the technology has been positioned as a way to combat crime
    preemptively, experts say its capabilities have been vastly overstated.

    Among the arenas most affected by the tools they say, are pretrial
    sentencing, during which people undergoing a trial may be detained based on
    their risk of committing a crime.

    'Algorithmic risk assessments are touted as being more objective and
    accurate than judges in predicting future violence,' write the
    researchers...

    https://www.dailymail.co.uk/science...redictive-policing-digitizing-stop-frisk.html

    ------------------------------

    Date: Sun, 4 Aug 2019 16:50:27 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Guardian Firewall iOS App Automatically Blocks the Trackers on Your
    Phone (WiReD)

    The data economy has too often betrayed its customers, whether it's Facebook
    sharing data you didn't even realize it had, or invisible trackers that
    follow you around the web without your knowledge. But a new app launching in
    the iOS App Store today wants to help you take back some control—without
    making your life harder.

    The Guardian Firewall app runs in the background of an iOS device, and
    stymies data and location trackers while compiling a list of all the times
    your apps attempt to deploy them. It does so without breaking functionality
    in your apps or making them unusable. Plus, the blow by blow list gives you
    much deeper insight than you would normally have into what your phone is
    doing behind the scenes. Guardian Firewall also takes pains to avoid
    becoming another cog in the data machine itself. You don't need to make an
    account to run the firewall, and the app is architected to box its
    developers out of user data completely.

    https://www.wired.com/story/guardian-firewall-ios-app/

    Was tempting until $100/year cost.

    ------------------------------

    Date: Tue, 30 Jul 2019 13:36:01 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Google researchers disclose vulnerabilities for 'interactionless'
    iOS attacks (ZDNet)

    While it is always a good idea to install security updates as soon as they
    become available, the availability of proof-of-concept code means users
    should install the iOS 12.4 release with no further delay.

    https://www.zdnet.com/article/googl...nerabilities-for-interactionless-ios-attacks/

    ------------------------------

    Date: Tue, 30 Jul 2019 10:40:55 -0700
    From: Lauren Weinstein <lau...@vortex.com>
    Subject: Another Breach: What Capital One Could Have Learned from Google's
    "BeyondCorp" (Lauren's Blog)

    https://lauren.vortex.com/2019/07/3...ne-could-have-learned-from-googles-beyondcorp

    Another day, another massive data breach. This time some 100 million people
    in the U.S., and more millions in Canada. Reportedly the criminal hacker
    gained access to data stored on Amazon's AWS systems. The fault was
    apparently not with AWS, but with a misconfigured firewall associated with a
    Capital One app, the bank whose customers were the victims of this attack.

    Firewalls can be notoriously and fiendishly difficult to configure
    correctly, and often present a target-rich environment for successful
    attacks. The thing is, firewall vulnerabilities are not headline news --
    they're an old story, and better solutions to providing network security
    already exist.

    In particular, Google's "BeyondCorp" approach
    ( https://cloud.google.com/beyondcorp ) is something that every enterprise
    involved in computing should make itself familiar with. Right now!

    BeyondCorp techniques are how Google protects its own internal networks and
    systems from attack, with enormous success. In a nutshell, BeyondCorp is a
    set of practices that effectively puts "zero trust" in the networks
    themselves, moving access control and other authentication elements to
    individual devices and users. This eliminates the need for traditional
    firewalls (and in most instances, VPNs) because there is no longer a
    conventional firewall which, once breached, gives an attacker access to all
    the goodies.

    If Capital One had been following BeyondCorp principles, there would be 100+
    million fewer of their customers in a panic today.

    ------------------------------

    Date: Wed, 31 Jul 2019 10:30:36 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: A data breach forced this family to move home and change their
    names (ZDNet)

    Charlie Osborne for Zero Day | 26 Jul 2019

    A data breach forced this family to move home and change their names
    Sometimes a free credit report in recompense is nowhere near enough.
    https://www.zdnet.com/article/a-data-breach-forced-this-family-to-move-home-and-change-their-names/

    selected text:

    In the London Borough of Hackney, a recent case emerged when a data breach
    had far more devastating consequences than most of us would ever experience.

    As reported by the Hackney Gazette, a family in the area adopted a child and
    the details of who they were and where they lived were meant to be withheld
    from the birth parents.

    However, during the adoption process in 2016, a solicitor appointed by
    Hackney Council mistakenly included an unredacted copy of the application
    form. The publication says that the exposed, sensitive data included the
    couple's names, addresses, phone numbers, dates of birth, and occupations.

    The scope of the breach was serious enough that the couple spoke to both the
    council and police, and ultimately decided that moving home and changing
    their names was the safest option for their adopted child.

    ------------------------------

    Date: Thu, 25 Jul 2019 19:51:11 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Brazilian president’s cellphone hacked as Car Wash scandal intrigue
    widens (WashPost)

    Four men have been arrested on suspicion of breaking into cellphones of
    hundreds of officials.

    https://www.washingtonpost.com/worl...ab2b86-aee5-11e9-9411-a608f9d0c2d3_story.html

    ------------------------------

    Date: Fri, 26 Jul 2019 10:12:53 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Malicious 'Google' domains used in Magento card skimmer attacks
    (ZDNet)

    https://www.zdnet.com/article/malicious-google-domains-used-in-magento-data-skimmer/
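
    One cheap check against the pattern in the subject line (skimmer scripts
    loaded from hosts that borrow a well-known brand name) is to audit every
    external script on a checkout page and flag hosts that contain the brand
    name but are not under the brand's real domains. The following is an added
    example, not code from the article or from Magento; the allowlist in
    BRAND_DOMAINS and every hostname in SAMPLE_HTML are constructed for the
    illustration, not taken from the reported attack.

```python
from html.parser import HTMLParser
from typing import List, Tuple
from urllib.parse import urlsplit

# Hosts the brand legitimately serves script from. Assumption for the example;
# a real deployment would take this from the site's own allowlist / CSP.
BRAND_DOMAINS = {
    "google": ("google.com", "googleapis.com", "gstatic.com",
               "google-analytics.com", "googletagmanager.com"),
}


class _ScriptSrcCollector(HTMLParser):
    """Collect the src attribute of every <script> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.sources: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "script":
            for name, value in attrs:
                if name.lower() == "src" and value:
                    self.sources.append(value)


def script_sources(html: str) -> List[str]:
    parser = _ScriptSrcCollector()
    parser.feed(html)
    return parser.sources


def host_of(src: str) -> str:
    """Hostname of a script URL; '' for same-origin (relative) sources."""
    if src.startswith("//"):            # protocol-relative URL
        src = "https:" + src
    return (urlsplit(src).hostname or "").lower()


def is_under(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it (label boundary)."""
    return host == domain or host.endswith("." + domain)


def classify_host(host: str) -> str:
    if not host:
        return "same-origin"
    for brand, domains in BRAND_DOMAINS.items():
        if any(is_under(host, d) for d in domains):
            return "legit-brand"
        if brand in host:               # brand name present, real domains absent
            return "lookalike"
    return "third-party"


def audit_script_sources(html: str) -> List[Tuple[str, str, str]]:
    """(host, verdict, original src) for every script tag on the page."""
    results = []
    for src in script_sources(html):
        host = host_of(src)
        results.append((host, classify_host(host), src))
    return results


def lookalike_hosts(html: str) -> List[str]:
    return sorted({host for host, verdict, _ in audit_script_sources(html)
                   if verdict == "lookalike"})


# Constructed checkout page: one genuine Google host, two brand-impersonating
# hosts, one unrelated CDN and one same-origin script. All hostnames are made up.
SAMPLE_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-0000"></script>
<script src="//www.google-analytics.cm/analytics.js"></script>
<script src="https://www.google.com.evil-cdn.net/api.js"></script>
<script src="https://cdn.example-cdn.net/jquery.min.js"></script>
<script src="/js/checkout.js"></script>
</head><body></body></html>
"""

if __name__ == "__main__":
    for host, verdict, src in audit_script_sources(SAMPLE_HTML):
        print(f"{verdict:12} {host or '(same origin)':32} {src}")
    print("lookalikes:", lookalike_hosts(SAMPLE_HTML))
```

    The substring match is only a heuristic: skimmers also hide behind neutral
    domains and inline code, so this belongs beside a strict script-src CSP and
    Subresource Integrity rather than in place of them.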

    ------------------------------

    Date: Fri, 26 Jul 2019 10:15:08 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: MyDoom: The 15-year-old malware that's still being used in phishing
    attacks in 2019 (ZDNet)

    https://www.zdnet.com/article/mydoo...still-being-used-in-phishing-attacks-in-2019/

    ------------------------------

    From: Monty Solomon <mo...@roscom.com>
    Date: Mon, 5 Aug 2019 08:18:19 -0400
    Subject: StockX was hacked, exposing millions of customers' data (TechCrunch)

    https://techcrunch.com/2019/08/03/stockx-hacked-millions-records/

    ------------------------------

    Date: Mon, 5 Aug 2019 10:48:58 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: Ikea says sorry for customer data breach (Straits Times)

    https://www.straitstimes.com/singapore/ikea-says-sorry-for-customer-data-breach

    ------------------------------

    Date: Thu, 1 Aug 2019 11:47:57 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Refunds for Global Access Technical Support customers
    (Consumer Information)

    If you paid for technical support services from Global Access Technical
    Support (GATS), you’ll be getting a letter or an email from the Federal
    Trade Commission about a refund. You might have known the company as Global
    SConnect, Global sMind, Yubdata Tech, or Technolive.

    The FTC sued GATS, alleging that the company lied about partnering with
    well-known tech companies and tricked people into paying for unnecessary
    computer repairs. GATS has now paid $860,000 to settle the lawsuit.

    The FTC is sending refunds to people who paid money to GATS. If you get a
    check from us, cash it within 60 days. We will send refunds via PayPal to
    customers for whom we do not have a mailing address.

    Here’s how the PayPal refunds work: the FTC will send the customer an email
    from subs...@subscribe.ftc.gov. Then, within 24 hours, that customer will
    also get an email directly from PayPal about the refund. If you get those
    emails, all you have to do is type www.paypal.com into your browser, log in
    to your account (or create one), and review and accept the payment. Or
    accept payment by logging into the PayPal app.

    To avoid scammers who might pretend to be from the FTC or PayPal, follow
    these simple steps:

    * If you get a refund email that claims to be from the FTC or PayPal, don’t
    click on any links in the email. Instead, visit the website by typing the
    right URL into your browser: www.ftc.gov/refunds and www.paypal.com.

    * Check out FTC refunds at ftc.gov/refunds. Each case on that page has a
    phone number you can call to check on refund payments.

    * Know that the FTC never asks people to pay money or give sensitive
    financial information to get a refund. People who say they are with the
    FTC and ask for money are scammers.

    https://www.consumer.ftc.gov/blog/2019/08/refunds-global-access-technical-support-customers

    ------------------------------

    Date: Wed, 31 Jul 2019 02:09:55 +0900
    From: "ISHIKAWA,chiaki" <ishi...@yk.rim.or.jp>
    Subject: Business Continuity?: Kyoto Anime recovers digital recordings

    I have been a Japanese animation fan since I was a kid growing up in
    Japan. So this is a very prejudiced post in that direction.

    The arson of Kyoto Animation company (Kyoto Anime or KyoAni for short),
    almost a terrorist attack, which killed 35 people by now has had Kyoto Anime
    scrambling to recover what remains in the server computer in the building
    which burned down.

    The arson is now detailed in Wikipedia.
    https://en.wikipedia.org/wiki/Kyoto_Animation_arson_attack

    Since the night of July 29, it has been reported that Kyoto Anime, with the
    help of experts, could salvage the digital data from the server(s) that
    remained intact in the building that burned down. (In Japanese:
    https://www.asahi.com/articles/ASM7Y6H8ZM7YPTIL03K.html )

    Luckily the server(s) was on the first floor and was housed in a small space
    surrounded by concrete walls in the four directions (CI's comment: I wonder
    where the door was...) and withstood the fire and the water sprayed by
    firefighters.

    cf. Due to the nature of the Japanese language, I am not sure if the
    server referred to is actually a collection of servers (plural).

    An earlier Japan Times article in English mentioned that there *was* a
    server and the management hoped to recover the data *IFF* the server did not
    get wet during the firefighting effort.
    https://www.japantimes.co.jp/news/2...-drawing-storyboard-data-server-arson-attack/

    But to me it is hard to believe that 70+ people working on a few animation
    projects could work with only a single server, but it is not the major
    contention here.

    First of all, I am not sure if all the digital data of anime (animation,
    that is) held by that branch was recovered or not. The article mentioned
    digital data only, and inferred some animation digital drawings were
    recovered. An inquiring mind wants to know the answer to "Were all the
    relevant data transferred from individual PCs to the server each day?".
    Individual PCs went up in smoke literally. No hope of recovering data from
    them.

    One thing is crystal clear: ALL THE PAPER-BASED DRAWINGS IN THE BRANCH ARE
    GONE. PERIOD. (Except for a piece of paper with a hand-drawn illustration
    on it: it was on the backside of a whiteboard that remained in the
    building. I saw it in a news article.)

    When I read the article and some earlier articles, some computer-related
    risk keywords popped up in my mind:
    - off-site backup,
    - business continuity, and
    - human resources.

    Here, human resources *IS* actually the most valuable one in this case, and
    the loss is felt throughout the media industry all over the world. No amount
    of off-site backup or business continuity planning that is created for
    earthquakes or typhoons (Japan's two biggest natural disasters) will be
    enough to counter the type of human-resource damage sustained by Kyoto Anime
    this time.

    Nevertheless, some business schools may create a case study of
    disaster-recovery planning for business continuity based on the incident.

    Yes, to my surprise and many others', Kyoto Animation obviously failed to
    perform off-site backup (and for that matter, distributed backup of
    paper-based illustrations). That is something to think about for the media
    company management types in the future. (So this post *IS* computer
    risk-related after all.)

    At the same time, I personally feel it is a tough time for the management
    indeed for recovering the business operation especially when I read the
    comments from the surviving members of the victims such as the one I quote
    later in this post.

    The impact of human toll is really devastating psychologically. Recovering
    from a crime-initiated disaster is not purely a computer-risk issue, but a
    wetware (people) issue too, especially so once the hardware, software and
    data are recovered.

    The following news contains comments regarding the color coordinator,
    Ms. Naomi Ishida, who has worked at Kyoto Anime for more than 20 years. A
    victim of the arson. The article is in Japanese:
    https://www3.nhk.or.jp/lnews/kyoto/20190725/2010004159.html (Ms. Ishida's
    background is explained in detail in English in the following URL:)
    https://www.animenewsnetwork.com/ne...omi-ishida-passed-away-in-studio-fire/.149318

    Since such Japanese news comments are unlikely to be translated into English
    any time soon, here is my rough translation of that part of the news
    article. (I searched for an English article that may refer to the comments of
    Ms. Ishida's parents, but only ended up with the animenewsnetwork article
    above.)

    My rough translation:

    Ms. Naomi Ishida's mother mentioned "The police got in contact with us
    because the DNA identification has been over and they wanted to explain
    the result to us. When I looked at the remains, I noticed that only a
    piece of metal of my daughter's hair accessory remained and all else
    melted away. The fire was so severe. The whole ordeal could have been over
    in a short while. But it is a real pity she must have suffered a lot
    during that time." and she added "I have not known her whereabouts after
    the arson. The only consolation now is that I can bring her back home
    finally..."

    Her father said "I have a tough time sleeping thinking about how she must
    have suffered in pain at the last moment. But now I am a bit relieved
    when I learned that so many anime fans placed flowers in many places in
    appreciation of works to which my daughter contributed. I am now very
    proud of her. I hope she will be drawing pictures together with her
    colleagues in Heaven."

    Parents of other victims would have similar comments. Surviving victims
    need months or even years to heal from the wounds. The psychological
    damage is definitely large although hard to estimate. How can a company
    restart business operation amid such mental hardship?

    Personal comment: Ms. Ishida worked on animations such as the Suzumiya Haruhi TV
    series and others which produced some interesting songs including the
    following one that has been played ALMOST 100 MILLION TIMES on YouTube.

    This particular song is in my favorite list and I play the list from time to
    time in random order during desk work. Next time the song comes up and I
    watch the animation images on PC screen whose color coordination Ms. Ishida
    produced, I would recall the words of her parents. What a pity. Not just an
    interesting BGM song anymore...

    ------------------------------

    Date: Fri, 26 Jul 2019 10:15:41 -0400
    From: George Mannes <gma...@gmail.com>
    Subject: Colorado gov't. email account for reporting child abuse goes
    unchecked for 4 years (WashPost)

    From The Washington Post:

    https://www.washingtonpost.com/nati...rts-years-five-cases-were-never-investigated/

    Colorado didn't check an email account for child abuse reports for
    years. Five cases weren't investigated.

    By Hannah Knowles July 15
    An email account set up by the Colorado government for reports of child
    abuse and neglect went unchecked for four years, leaving more than 100
    messages about mistreatment concerns unanswered and allowing five cases
    that needed follow-up to go without investigation.

    The email account was set up in 2015 to support a phone hotline and then
    forgotten, allowing reports to slip through at a time when the state worked
    to increase reporting of child abuse and emphasized a speedy response to
    concerns through a 24/7 hotline. That phone number received a record number
    of calls last year, four years into a public awareness campaign aimed at
    teaching more Coloradans about the state's resources....

    ...A May 15 internal audit discovered the problem. By the time the
    department looked at the neglected email account, 321 messages had piled
    up, including 104 about concerns that children were being abused or
    neglected, department spokeswoman Madlynn Ruble told The Washington Post.
    Many of those emails were duplicates or had already been addressed through
    other channels, Ruble said....

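    One control that would have surfaced this long before a four-year-late audit, as an added example that is not from the Washington Post article or the Colorado department: a periodic audit of shared intake mailboxes that flags any box nobody has opened recently, any box whose unread backlog is growing, and any box with no accountable owner on record. The mailbox addresses, dates and counts below are constructed, and the thresholds are assumptions; it assumes the mail system can export, per mailbox, its creation date, the last time a person opened it, and its unread count.

```python
"""Audit shared intake mailboxes for signs that nobody is reading them.

Added example; it is not code from the article or the Colorado department.
Assumes the mail platform can export per-mailbox creation time, last human
read time and unread count. All sample data below is constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class MailboxStatus:
    address: str
    created_at: datetime
    last_read_at: Optional[datetime]  # None: never opened by a person
    unread_count: int
    owner: Optional[str]              # None: nobody is on record as responsible


@dataclass(frozen=True)
class Finding:
    address: str
    reasons: Tuple[str, ...]


def audit_mailboxes(boxes: List[MailboxStatus], now: datetime,
                    max_idle: timedelta = timedelta(days=7),
                    max_backlog: int = 25) -> List[Finding]:
    """Return one Finding per mailbox that shows any sign of being unmonitored.

    Thresholds (7 idle days, 25 unread) are assumed values; an intake channel
    for abuse reports would normally be tuned far tighter than this.
    """
    findings = []
    for box in boxes:
        reasons = []
        # A box that was never opened is idle since the day it was created.
        last_touch = box.last_read_at or box.created_at
        idle = now - last_touch
        if idle > max_idle:
            reasons.append(f"no human read in {idle.days} days")
        if box.unread_count > max_backlog:
            reasons.append(f"unread backlog {box.unread_count} > {max_backlog}")
        if box.owner is None:
            reasons.append("no accountable owner on record")
        if reasons:
            findings.append(Finding(box.address, tuple(reasons)))
    return findings


# Constructed sample: one forgotten box, one healthy box, one falling behind.
SAMPLE_NOW = datetime(2019, 5, 15)
SAMPLE_MAILBOXES = [
    MailboxStatus("abuse-reports@example.gov", datetime(2015, 3, 1), None, 321, None),
    MailboxStatus("hotline-intake@example.gov", datetime(2015, 3, 1),
                  datetime(2019, 5, 14), 3, "intake-team"),
    MailboxStatus("records@example.gov", datetime(2017, 1, 9),
                  datetime(2019, 4, 1), 40, "records-team"),
]


def run_sample() -> List[Finding]:
    return audit_mailboxes(SAMPLE_MAILBOXES, SAMPLE_NOW)


if __name__ == "__main__":
    for finding in run_sample():
        print(finding.address, "->", "; ".join(finding.reasons))
```

    The "no owner" check matters as much as the idle-time check: the Colorado box failed because it supported a hotline and was then forgotten, which is exactly the case where nobody is named to receive the alert. Run such an audit from a scheduled job and route its findings to someone who is not the owner of the mailboxes being audited.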
    ------------------------------

    Date: Sun, 04 Aug 2019 19:16:33 +0100
    From: Chris Drewe <e76...@yahoo.co.uk>
    Subject: Re: "Mortgage Provider Tells Savers of Zero Balances"

    Item about a UK building society (mortgage provider) from this weekend's
    newspaper -- summary follows with my comments.

    Sally Hamilton, The Mail On Sunday, 3 Aug 2019
    Panic as Nationwide BS emails 1.3m customers to tell them they have no
    money!

    https://www.dailymail.co.uk/money/s...e-BS-emails-1-3m-customers-tell-no-money.html

    Nationwide Building Society has come under fire for emailing 1.3 million
    savers with a 'summary' of their accounts showing they all had balances of
    zero. ... data security rules meant it was unable to provide balances by
    email 'because it isn't 100 per cent secure'. The new summary simply shows
    the types of accounts savers hold along with the interest rates paid -- and
    what balance is required to receive it. This showed... ISA accounts pay 1.1
    per cent and 1.2 per cent -- on balances of '0+ pounds'.

    [Looks like another casualty of data-protection laws, but more
    likely a case of a badly-worded message. CD]

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.35
    ************************
  7. LakeGator

    Risks Digest 31.36

    RISKS List Owner

    Aug 12, 2019 8:30 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 12 August 2019 Volume 31 : Issue 36

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts (WiReD)
    This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station' (WiReD)
    "New Windows malware can also brute-force WordPress websites"
    (Catalin Cimpanu)
    Getting physical: warshipping (Fortune)
    These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer (VICE)
    Inside the Hidden World of Elevator Phone Phreaking (WiReD)
    Popular kids' tablet patched after flaws left personal data vulnerable
    (Danny Palmer)
    Watch a Drone Take Over a Nearby Smart TV (WiReD)
    5G Wireless Networks Are Not Harmful to Health, FCC Says (Fortune)
    Phishing attack: Students' personal information stolen in university data
    breach (Danny Palmer)
    Navy Reverting DDGs Back to Physical Throttles, After Fleet Rejects
    Touchscreen Controls (USNI News)
    This High-Tech Solution to Disaster Response May Be Too Good to Be True
    (The New York Times)
    Scam pulse-monitoring app returns to Apple Store (Ben Lovejoy)
    He Tried Hiding From Silicon Valley in a Pile of Privacy Gadgets (Bloomberg)
    GDPR's unintended consequences (The Register)
    Black Hat: GDPR privacy law exploited to reveal personal data (BBC News)
    Password policy recommendations: Here's what you need to know. (HPE)
    Re: Russian hackers are infiltrating companies via the office printer
    (Kelly Bert Manning)
    Climate change: how the jet stream is changing your weather (FT)
    Re: AI Predictive Policing (George Jansen)
    Re: Hawley/SMART Act (Rob Slade, Dimitri Maziuk)
    Re: Apple's Siri overhears your drug deals and sexual activity
    (Amos Shapir)
    Re: Siemens contractor pleads guilty to planting logic bomb in company,
    spreadsheets (Martin Ward)
    Researchers wrest control of one of world's most secure industrial
    controllers (The Times of Israel)
    Writing about writing (Rob Slade)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Thu, 8 Aug 2019 23:36:06 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts
    (WiReD)

    But Boeing counters that it has both "additional protection mechanisms" in
    the CIS/MS that would prevent its bugs from being exploited from the ODN,
    and another hardware device between the semi-sensitive IDN -- where the
    CIS/MS is located -- and the highly sensitive CDN. That second barrier, the
    company argues, allows only data to pass from one part of the network to the
    other, rather than the executable commands that would be necessary to affect
    the plane's critical systems.

    "Although we do not provide details about our cybersecurity measures and
    protections for security reasons, Boeing is confident that its airplanes are
    safe from cyberattack," the company's statement concludes.

    Boeing says it also consulted with the Federal Aviation Administration and
    the Department of Homeland Security about Santamarta's attack. While the DHS
    didn't respond to a request for comment, an FAA spokesperson wrote in a
    statement to WIRED that it's "satisfied with the manufacturer's assessment
    of the issue."

    A Boeing Code Leak Exposes Security Flaws Deep in a 787's Guts

    ...or not.

    ------------------------------

    Date: Sat, 10 Aug 2019 23:24:51 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station'
    (WiReD)

    Automatic license plate reader cameras are controversial enough when law
    enforcement deploys them, given that they can create a panopticon of transit
    throughout a city. Now one hacker has found a way to put a sample of that
    power -- for safety, he says, and for surveillance -- into the hands of
    anyone with a Tesla and a few hundred dollars to spare.

    This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station'

    ------------------------------

    Date: Wed, 07 Aug 2019 10:53:43 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "New Windows malware can also brute-force WordPress websites"
    (Catalin Cimpanu)

    Catalin Cimpanu for Zero Day | 7 Aug 2019
    Avast discovers strange new malware strain that besides stealing and
    mining cryptocurrency on infected hosts, it also launches brute-force
    attacks on WordPress sites.
    New Windows malware can also brute-force WordPress websites | ZDNet

    ------------------------------

    Date: Sat, 10 Aug 2019 23:46:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Getting physical: warshipping (Fortune)

    IBM researchers are hyping a new hacking technique called "warshipping" that
    involves breaking into corporate networks using a cheap Wi-Fi device sent in
    the mail.
    <With warshipping, hackers ship their exploits directly to their target’s mail room – TechCrunch>
    A hacker has turned a Tesla vehicle into a mobile surveillance station
    capable of storing facial imagery and license plate numbers. Elevator
    phone phreaking is the latest hacker fad.
    <This Tesla Mod Turns a Model S Into a Mobile 'Surveillance Station'>
    <Inside the Hidden World of Hacking Elevator Phones>

    ...from Fortune magazine newsletter.

    ------------------------------

    Date: Mon, 12 Aug 2019 17:53:56 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: These Legit-Looking iPhone Lightning Cables Will Hijack Your
    Computer (VICE)

    It looks like an Apple lightning cable. It works like an Apple lightning
    cable. But it will give an attacker a way to remotely tap into your
    computer.

    These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer

    ------------------------------

    Date: Sat, 10 Aug 2019 23:22:02 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Inside the Hidden World of Elevator Phone Phreaking (WiReD)

    Author writes:

    The first time I called into an elevator, I picked up my iPhone and dialed
    the number -- labeled on my list as the Crowne Plaza Hotel in Chicago -- and
    immediately heard two beeps, then a recording of a woman's voice, who told
    me to press one to talk. When I did, I was suddenly in an aural space filled
    with the hum of motors and the muffled twanging of steel cables under
    tension. "Hello, can anyone hear me?" I asked the void. The void did not
    respond.

    I hung up and tried another number on my list: A Hilton hotel in Grand
    Rapids, Michigan. After just one ring I heard a series of four tones and
    was immediately listening to the inside of another elevator. I heard a
    chime, perhaps a signal that it had reached a floor, followed by the
    rumble of what might have been a door opening. "Hi, is anyone in here?" I
    asked. This time I heard a few muffled voices, then a woman answered:
    "There are people in here, yes."

    Inside the Hidden World of Hacking Elevator Phones

    ------------------------------

    Date: Wed, 07 Aug 2019 10:31:38 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Popular kids' tablet patched after flaws left personal data
    vulnerable (Danny Palmer)

    Danny Palmer, ZDNet, 7 Aug 2019
    Researchers also found security holes that gave away personal data and
    credit card information of children's parents.
    Popular kids' tablet patched after flaws left personal data vulnerable | ZDNet

    selected text:

    Security vulnerabilities in a popular children's tablet could have allowed
    attackers to collect sensitive information about its young users, as well as
    enabling hackers to steal their parents' names, address and credit card
    details.

    In addition to this, researchers found that the Pet Chat protocol didn't
    require any authentication between devices, meaning anyone running Pet Chat
    within 100ft of a user could send messages to the child's device, albeit in
    the set phrases allowed by Pet Chat, something that could potentially put
    the child at risk.

    ------------------------------

    Date: Mon, 12 Aug 2019 17:58:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Watch a Drone Take Over a Nearby Smart TV (WiReD)

    For all the focus on locking down laptops and smartphones, the biggest
    screen in millions of living rooms remains largely unsecured
    <Worried the CIA Hacked Your Samsung TV? Here's How to Tell>,
    even after years of warnings
    <Most Smart TVs Spy on You. Here's How to Make Them Stop>. Smart TVs
    today can fall prey to any number of hacker tricks -- including one
    still-viable radio attack, stylishly demonstrated by a hovering drone.

    At the Defcon hacker conference Sunday, independent security researcher
    Pedro Cabrera showed off, in a series of hacking proof of concept attacks,
    how modern TVs -- and particularly smart TVs that use the Internet-connected
    HbbTV standard implemented in his native Spain, across Europe, and much of
    the rest of the world -- remain vulnerable to hackers. Those techniques can
    force TVs to show whatever video a hacker chooses, display phishing messages
    that ask for the viewer's passwords, inject keyloggers that capture the
    user's remote button presses, and run cryptomining software. All of those
    attacks stem from the general lack of authentication in TV networks'
    communications, even as they're increasingly integrated with Internet
    services that can allow a hacker to interact with them in far more dangerous
    ways than in a simpler era of one-way broadcasting.

    "The lack of security means we can broadcast with our own equipment anything
    we want, and any smart TV will accept it," Cabrera says. "The transmission
    hasn't been at all authenticated. So this fake transmission, this channel
    injection, will be a successful attack."

    At the Defcon hacking conference in Las Vegas, a security researcher showed
    how easy it is to compromise a smart TV with a DJI quadcopter. See for
    yourself. Harald Sund/Getty Images

    Watch a Drone Take Over a Nearby Smart TV

    ------------------------------

    Date: Fri, 9 Aug 2019 15:36:27 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: 5G Wireless Networks Are Not Harmful to Health, FCC Says (Fortune)

    The Feds Try To End the Debate Over 5G Health Concerns' Data Sheet

    It's the question everyone wants to go away: are 5G wireless networks safe
    or are they a risk to human health?

    On Thursday, the Federal Communications Commission and the Food and Drug
    Administration tried to put the question to bed once more. The FCC announced
    it would hold its radio frequency exposure limits for cell phones, cellular
    towers, and other wireless gear at current levels. The use of some new
    frequencies as part of the 5G rollout did not change the situation, the
    agency said. After a review of the scientific record and consultations with
    health agencies, ``we find it appropriate to maintain the existing radio
    frequency limits, which are among the most stringent in the world for cell
    phones,'' Julius Knapp, chief of the FCC's Office of Engineering and
    Technology, said. That came backed with excerpted comments from Jeffrey
    Shuren, director of the Food and Drug Administration's Center for Devices
    and Radiological Health. The ``available scientific evidence to date does
    not support adverse health effects in humans due to exposures at or under
    the current limit'' and ``[n]o changes to the current standards are
    warranted at this time,'' Shuren explained in a letter cited in part by the
    FCC.

    That's also the same conclusion that the scientific association the
    Institute of Electrical and Electronics Engineers, or IEEE, came to back in
    February, when it completed a review of recommended exposure limits and also
    agreed to maintain them at current levels.

    But the announcements are unlikely to end the debate
    <Health Concerns May Slow Rollout of Super-Fast 5G Mobile Networks, Analyst Warns>.
    Worriers can point to a few studies and the decision by the World Health
    Organization's International Agency for Research on Cancer to classify
    cellular radio waves as a possible carcinogen back in 2011. And countries
    like Belgium and Switzerland have delayed 5G networks over health concerns.
    On the other side, research from the American Cancer Society and the
    National Institutes of Health, among others, has concluded there are no
    risks. And so round it goes. The WHO has a vast, new study underway that,
    perhaps, will offer a more definitive result. For a truly deep dive, check
    out the page maintained by the National Cancer Institute on cell phones and
    cancer research
    <Cell Phones and Cancer Risk Fact Sheet>.

    Government Says Don't Worry About Harm from 5G

    ------------------------------

    Date: Wed, 07 Aug 2019 10:26:47 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Phishing attack: Students' personal information stolen in
    university data breach (Danny Palmer)

    Danny Palmer, ZDNet, 23 Jul 2019

    University says it has fallen victim to "a sophisticated and malicious
    phishing attack" -- and students are being warned to look out for suspicious
    emails.
    Phishing attack: Students' personal information stolen in university data breach | ZDNet

    Hackers have stolen personal data of prospective and current students at
    Lancaster University after gaining access to databases that contained
    personal information -- with victims now the targets of additional
    cyberattacks.

    Names, addresses, telephone numbers, and email addresses have been
    compromised by cyberattackers who gained unauthorised entry to undergraduate
    students' application records for 2019 and 2020. The university has over
    13,000 students, but there's currently no figure on the number of people who
    have been caught up in the attack.

    ------------------------------

    Date: Mon, 12 Aug 2019 17:51:04 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Navy Reverting DDGs Back to Physical Throttles, After Fleet Rejects
    Touchscreen Controls (USNI News)

    SAN DIEGO – The Navy will begin reverting destroyers back to a physical
    throttle and traditional helm control system in the next 18 to 24 months,
    after the fleet overwhelmingly said they prefer mechanical controls to
    touchscreen systems in the aftermath of the fatal USS John S. McCain
    (DDG-56) collision.

    The investigation into the collision showed that a touchscreen system that
    was complex and that sailors had been poorly trained to use contributed to a
    loss of control of the ship just before it crossed paths with a merchant
    ship in the Singapore Strait. After the Navy released a Comprehensive Review
    related to the McCain and the USS Fitzgerald (DDG-62) collisions, Naval Sea
    Systems Command conducted fleet surveys regarding some of the engineering
    recommendations, Program Executive Officer for Ships Rear Adm. Bill Galinis
    said.

    Navy Reverting DDGs Back to Physical Throttles, After Fleet Rejects Touchscreen Controls - USNI News

    Nice work on testing design, getting user input...

    ...and funny juxtaposition:

    Touchless Gesture Controls on Phones? Think Bigger

    ------------------------------

    Date: Sat, 10 Aug 2019 09:52:00 -0700
    From: Richard Stein <rms...@ieee.org>
    Subject: This High-Tech Solution to Disaster Response May Be Too Good
    to Be True (The New York Times)

    This High-Tech Solution to Disaster Response May Be Too Good to Be True

    Emergency response simulation, for sale, adopted by several municipalities
    (and at least one country -- Japan) to optimize first responder resource
    allocation and prioritization. The `One Concern' AI platform relies on
    residential census data.

    As noted in the NY Times piece:

    "But when T.J. McDonald, who works for Seattle's office of emergency
    management, reviewed a simulated earthquake on the company's damage
    prediction platform, he spotted problems. A popular big-box store was grayed
    out on the web-based map, meaning there was no analysis of the conditions
    there, and shoppers and workers who might be in danger would not receive
    immediate help if rescuers relied on One Concern's results.

    "'If that Costco collapses in the middle of the day, there's going to be a
    lot of people who are hurt,' he said."

    The US census collects household income data. This component might be
    accorded greater algorithmic weight. Similarly, what would happen to
    disaster response prioritization if crime statistics, such as homicide rate,
    were integrated? Or if there's an EPA superfund site in the locality?

    Algorithmic bias remains a significant risk to public safety and health.
    Trust that dedicated public servants, like Mr. McDonald, are vigilant and
    accountable to direct emergency response where and when disaster strikes.

    ------------------------------

    Date: Wed, 7 Aug 2019 12:05:06 -0400
    From: George Mannes <gma...@gmail.com>
    Subject: Scam pulse-monitoring app returns to Apple Store (Ben Lovejoy)

    [Fiendishly clever, or cleverly fiendish:]

    https://9to5mac.com/2019/08/07/scam-heartrate-app/

    Ben Lovejoy
    Scam heart rate app is back in the App Store, trying to steal $85/year

    A scam heart rate app that tried to con iPhone users out of $89/year is now
    back in the App Store under a new name, some eight months after Apple
    removed the original version.

    The app specifically targets people who own iPhones with Touch ID.

    What the app does is ask users to place their finger on the Home button,
    supposedly to take a heart-beat reading. In reality, the app dims the
    display brightness to its minimum to hide the content -- which is actually
    Apple's dialogue requesting authorization for a recurring in-app purchase.
    If users place a registered Touch ID finger on the Home button, that
    completes the purchase.

    Apple removed the app in November of last year following our report, but
    Brazil's Mac Magazine reports that it has now returned. ...

    Now the app presents itself as `Pulse Heartbeat' and its developer is
    registered as BIZNES-PLAUVANNYA, PP.

    The in-app purchase is now for 340 Brazilian reals, which is equivalent to
    around US$85. As before, the app is targeting Portuguese speakers. ...

    The reality [no pun intended?] is that the app review process is a manual
    one, and prone to human error. Scammers will usually submit an innocuous app
    and then update it with rogue code after approval. Although Apple reviews
    updates too, there is a general belief that this review is less thorough
    than for a new app.

    The report does show that even in a curated app store, there are still
    risks. ...

    ------------------------------

    Date: Sat, 10 Aug 2019 00:44:45 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: He Tried Hiding From Silicon Valley in a Pile of Privacy Gadgets
    (Bloomberg)

    Avoiding digital snoops takes more than throwing money at the problem,
    but that part can be really fun.

    https://www.bloomberg.com/news/feat...m-silicon-valley-in-a-pile-of-privacy-gadgets

    ------------------------------

    Date: Fri, 9 Aug 2019 13:33:14 -0400
    From: Steven Klein <ste...@klein.us>
    Subject: GDPR's unintended consequences (The Register)

    GDPR, the EU's General Data Protection Regulation, is supposed to protect
    personal data and user privacy for EU citizens. But it has made life
    much easier for identity thieves. The law obligates companies to provide a
    copy of any personal data they have, but doesn't require companies to verify
    the identity of those requesting the info.

    ``James Pavur, a PhD student at Oxford University who usually specialises in
    satellite hacking, explained how he was able to game the GDPR system to get
    all kinds of useful information on his fiancée [with her permission],
    including credit card and social security numbers, passwords, and even her
    mother's maiden name. [...] Over the space of two months Pavur sent out 150
    GDPR requests in his fiancée's name, asking for all and any data on her. In
    all, 72 per cent of companies replied back, and 83 companies said that they
    had information on her. ... Of the responses, 24 per cent simply accepted
    an email address and phone number as proof of identity and sent over any
    files they had on his fiancée.''

    ``A threat-intelligence company sent over a list of her email addresses and
    passwords which had already been compromised in attacks. Several of these
    still worked on some accounts.''

    Source: The Register <https://www.theregister.co.uk/2019/08/09/gdpr_identity_thief/>

    ------------------------------

    Date: Thu, 8 Aug 2019 17:51:23 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Black Hat: GDPR privacy law exploited to reveal personal data
    (BBC News)

    About one in four companies revealed personal information to a woman's
    partner, who had made a bogus demand for the data by citing an EU privacy
    law.

    The security expert contacted dozens of UK and US-based firms to test how
    they would handle a "right of access" request made in someone else's name.

    In each case, he asked for all the data that they held on his fiancee.

    In one case, the response included the results of a criminal activity check.

    Other replies included credit card information, travel details, account
    logins and passwords, and the target's full US social security number.

    University of Oxford-based researcher James Pavur has presented his findings
    at the Black Hat conference in Las Vegas.

    It is the first known test of its kind to exploit the EU's General Data
    Protection Regulation (GDPR), which came into force in May 2018.

    "Generally if it was an extremely large company -- especially tech ones --
    they tended to do really well," he told the BBC.

    "Small companies tended to ignore me."

    https://www.bbc.com/news/technology-49252501

    [Also noted by others. PGN]

    ------------------------------

    Date: Tue, 6 Aug 2019 19:42:26 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Password policy recommendations: Here's what you need to know. (HPE)

    Complexity, uniqueness, and periodic change have long been the top best
    practices for passwords, but new recommendations have led to changes around
    password policies.

    https://www.hpe.com/us/en/insights/...dations-heres-what-you-need-to-know-1908.html

    ------------------------------

    Date: Thu, 8 Aug 2019 13:06:33 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Re: Russian hackers are infiltrating companies via the office
    printer (RISKS-31.35)

    Russia may be a new player, but I first became concerned about printer
    hacking when I read the manuals for the shiny new IP connected Lexmark
    printers that replaced PC connected and IBM SNA printers back in the 1990s.
    I contacted IT security to note that the printers came from the factory with
    a standard remote admin login ID and password, suggesting that it might be
    wise to change those.

    The response was Move Along, Nothing to Worry About Here, even from BC
    Ministry of Health IT security.

    Fast forward a couple of years and all Lexmark printers in the Ministry have
    to be disconnected, shut down and purged of a Lexmark Virus.

    Things like that happened often enough that new staff were advised to always
    stay on my right side, although my view was that sometimes I found it a
    challenge to be influential and persuasive, in addition to being correct.
    White Hat Social Engineering, persuading and influencing people to make the
    correct choice, can be as important as having the best analysis, solution or
    mitigation.

    ------------------------------

    Date: Tue, 6 Aug 2019 14:25:36 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Climate change: how the jet stream is changing your weather (FT)

    *Northern Atlantic current is shifting course -- with implications for crops
    and sea levels*

    EXCERPT:

    At the summit of the Greenland ice cap the temperature rarely rises above
    zero degrees centigrade -- the elevation is 3,200m and the ice below is more
    than a mile thick.

    But last Friday, as the sun beat down, a small weather station laden with
    sensors captured something highly unusual: the temperature crept past zero
    and up to 3.6C -- the highest since records began three decades ago. As
    temperatures rose across the massive ice sheet, which blankets an area five
    times the size of Germany, around 60 per cent of the surface started to
    melt, one of the largest ever recorded.

    Scientists know of only three prior occasions in the past 800 years when
    there has been melting at the very top of the ice cap, which is kept chilled
    by the large volume of ice beneath. But this seems to be getting more
    frequent -- it is now the second time this decade it has happened.

    ``The last time we saw melting at the summit, in 2012, we thought it was the
    extreme of the extremes, and wouldn't happen again so quickly,'' says Konrad
    Steffen, a professor of climate and cryosphere at ETH Zurich, who operates a
    network of 18 monitoring stations across the ice sheet. ``But now we are
    facing more of these extremes.''

    Prof Steffen's data shows that between July 30 and August 2 a heatwave in
    Greenland produced several record highs across the ice sheet, including at
    East Grip, the second highest monitoring station. ``If you start melting at
    the top of the ice sheet, we are going to lose [the] Greenland ice sheet
    long-term,'' he adds.

    The immediate trigger for the heatwave was a shift in atmospheric currents
    high above the earth's surface: the North Atlantic Jet Stream, a fast
    current of wind that blows from west to east, had formed a buckle that was
    trapping warm air over Greenland. The same pattern had caused a
    record-setting heatwave in Europe a few days earlier, before shifting over
    to sit on top of the Greenland ice sheet.

    It's not just Greenland's weather that is governed by the jet stream.
    Across Europe and North America, it controls extreme weather conditions of
    all kinds, from winter cold snaps, to heatwaves, to storms...

    https://www.ft.com/content/591395fe-b761-11e9-96bd-8e884d3ea203

    ------------------------------

    Date: Tue, 6 Aug 2019 18:36:29 -0400
    From: <gja...@aflcio.org>
    Subject: Re: AI Predictive Policing (RISKS-31.35)

    When this started making the news, I found myself thinking of entry 66 in
    Notebook F of Lichtenberg's *The Waste Books*:

    "If physiognomy becomes what Lavater expects it to become, children will
    be hanged before they have perpetrated the deeds that deserve the gallows;
    a new kind of confirmation will thus be performed every year. A
    physiognomical *auto-da-fe*."

    (There are slighting references to Lavater elsewhere in *The Waste Books*,
    which NYRB has brought back into print:
    https://www.nyrb.com/collections/all/products/the-waste-books?variant=1094932745)

    ------------------------------

    Date: Tue, 6 Aug 2019 15:44:21 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Re: Hawley/SMART Act (Stein/Goldberg, RISKS-31.35)

    Saints preserve us from "well-intentioned" politicians. This time around
    it's Josh Hawley, who wants to save us from social media addiction. I don't
    know anything about him. Wikipedia seems to indicate that he's a nice guy
    (except for that bit about not wanting people to have health care). OK, I'm
    with him so far. But the way he wants to do it is to make a simple fix.
    (Saints preserve us from "simple" solutions to complex problems.) He wants
    to limit how much "feed" you can get from a social media site on one go.
    Also limit your time on any given site to half an hour a day. (Ah, gee,
    Dad!)

    Right. I think I see the problem here. You see, Hawley is a lawyer.
    Lawyers have to go to law school, so they are fairly smart. And they help
    people with problems, so they like to fix problems. All good so far. The
    problem is that lawyers get used to thinking they are smarter than other
    people (which is generally true), and that they can fix pretty much any
    problem (which is not true). In particular, they tend to start thinking
    they can start fixing problems they don't know anything about, especially
    when they pupate out of the larval (lawyer) stage and into full-grown
    politicians.

    See, having a limit on how much socmed you can get in one go probably won't
    solve anything. And it's going to be a nuisance for many. Yesterday I had
    a meeting downtown. So, since I use Twitter for news, I went to my favorite
    bus stop, fired up Twitter, scrolled down as far as I could go, hopped on
    the 210 when it came, and noted which stories I wanted to read (later) all
    the way to the meeting. Which usually takes an hour. It would have been
    annoying to be limited to enough to cover just a few blocks. Not very
    effective use of my time.

    (Nor, when I come to think of it, very possible. I mean, I was only "on"
    Twitter for the few minutes it took to load the feed. Is he going to make
    Twitter, and all other apps, cut off after being on screen for 30 minutes?
    How's that going to work for people with perceptual disabilities, who need
    more time to read things?)

    And the sweet young thing beside me, following all of her friends and their
    latest "haul" videos, is not going to be limited by having to refresh the
    screen every few entries. She's doing that anyway. It just means that
    she's going to be refreshing the screen at some point when she should be
    watching for that car coming through the intersection where she's crossing
    the street. Plus, after she gets finished with Instagram, she'll be onto
    Whatapp, and then Facebook, and then ... well, you get the picture.

    Sorry, Josh. You haven't solved anything.

    ------------------------------

    Date: Tue, 6 Aug 2019 16:24:21 -0500
    From: Dimitri Maziuk <dma...@bmrb.wisc.edu>
    Subject: Re: Hawley/SMART, Act (Stein/Goldberg, RISKS-31.35)

    > ... infinite scroll would be illegal, as would autoplay videos.

    Great! I will once again be able to see how much content there is on a page
    by just looking at the scroll bar. And it won't distract my eyes and waste
    bandwidth on the junk I never wanted to see in the first place.

    ------------------------------

    Date: Wed, 7 Aug 2019 18:00:03 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Re: Apple's Siri overhears your drug deals and sexual activity
    (RISKS-31.35)

    In other words, never discuss SIRIous matters (or a TV SERIes, etc, etc..)
    when Siri is present.

    ------------------------------

    Date: Fri, 9 Aug 2019 12:03:57 +0100
    From: Martin Ward <mar...@gkc.org.uk>
    Subject: Re: Siemens contractor pleads guilty to planting logic bomb in
    company, spreadsheets (RISKS-31.35)

    Two quotes from the ZDNet article:

    > But while Tinley's files worked for years, they started malfunctioning
    > around 2014. Every time the scripts would crash, Siemens would call
    > Tinley, who'd fix the files for a fee.

    It seems that if you work for Siemens, the poorer the quality of the work
    you produce, the more you will get paid. Just don't try to get too clever
    and use automation to emulate poor quality work: or at least, if you do,
    don't hand over the administrative password. You don't want your customer to
    gain control over the software which runs *their* business!

    If you are wondering why there is so much poor quality software
    out there: an ecosystem which gives higher rewards for poorer quality
    might possibly be a contributor!

    At least this particular contractor didn't try to use plausibly deniable
    bug injection: cf the "Underhanded C Contest"
    https://en.wikipedia.org/wiki/Underhanded_C_Contest

    ------------------------------

    Date: Thu, 8 Aug 2019 23:31:31 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Researchers wrest control of one of world's most secure industrial
    controllers (The Times of Israel)

    “Siemens is aware of the research from Technion, Haifa and Tel-Aviv
    University to be presented at BlackHat USA 2019,” Siemens said in an emailed
    statement to The Times of Israel.

    In response, the firm recommended that users of the controller SIMATIC
    S7-1200/S7-1500 enable the feature `access protection' to prohibit
    unauthorized modifications of the devices. Siemens also recommended to
    follow and implement the defense-in-depth approach for plant operations, and
    to configure the environment according to its operational guidelines for
    Industrial Security.

    https://www.timesofisrael.com/resea...of-worlds-most-secure-industrial-controllers/

    Good response, "prohibit unauthorized modifications of the devices".

    ------------------------------

    Date: Thu, 8 Aug 2019 14:44:49 -0700
    From: Rob Slade <rms...@shaw.ca>
    Subject: Writing about writing

    I came across a post on the ISC2 blog. It's an article by Chris Veltsos
    (*Dr.* Chris Veltsos, if you please, or, to his friends, Dr. Infosec) on
    "Writing Cybersecurity Articles--Getting Through the Tough Times." As the
    title somewhat implies, it's about how to get through writer's block when
    writing about infosec.
    https://blog.isc2.org/isc2_blog/2019/08/writing-cybersecurity-articles-getting-through-the-tough-times.html

    I'm really not sure how to take this.

    First off, if you work in infosec, you pretty much automatically have the
    best inspiration in the world. There is always something new happening in
    infosec. There is always something new happening that is applicable to
    infosec. Techies, in various fields, are always arguing about which field
    in high tech is the fastest moving. I figure infosec has a lock on it:
    whatever is happening, in whatever tech field, has security implications.

    As a bit of background, I've published four books. (Or six, depending on
    how you count them.) Over the years I've written monthly columns for at
    least three periodicals. For twenty years I had a project doing books
    reviews in technical literature. (Always at least weekly: often daily.)
    I've abandoned a number of blogs. Since I got into infosec I have *never*
    run out of things to write about. I don't have the *time* to write about
    everything I want to. (I desperately want voice recognition to get good
    enough to take dictation.)

    I don't understand "writer's block." I don't understand dry spells.
    (Fatigue, I could understand ...)

    So, then, to the specifics of what Chris has to say about it.

    He says you need motivation. (And aqueducts, apparently.) Oh, come on.
    You work in infosec. You are saving people's privacy, money, jobs. Your
    colleagues, your friends, your family. How is that not enough motivation?
    (Yeah, sure, the stupid things your colleagues, friends, and family do is
    sometimes depressing. So, take some time to yell at them via your writing
    ...)

    He says you need to think about why you are writing. Sorry, isn't that the
    same thing as your motivation? (Oh, unless you are just writing for
    self-promotion. Yeah, I could see how that could get pretty dry at times
    ...)

    He says you need to think about your writing "environment." Yeah, I hear
    about that all the time. Saw a movie last night that had a writer who
    couldn't write without everything just so in the "environment." Again,
    while I understand that having the building collapsing around you could be a
    distraction, I don't understand this "environment" business. I've written
    at home, on planes, in airports, on trains, at work between demands, on the
    bus, in coffee shops and restaurants, in hotels, and while waiting to be
    called to testify in court. You're writing about infosec. It needs to be
    done.

    He says you should think about pen and paper, if a computer doesn't do it
    for you. OK, if necessary. I mostly use a computer, or laptop, or
    something with a keyboard. I've used tablets and smartphones. (I *hate*
    soft keyboards.) I've used pen (or even pencil) and paper. (My handwriting
    is terrible. Always has been.) (But I've always wanted to try out those
    pens that save what you've written ...) I've used whiteboards, blackboards,
    chalk, or a piece of burnt stick on a rock. Whatever works.

    His last three suggestions are, basically, give it a rest and come back to
    it. OK. I've often got multiple bits on the go, so I might leave one for a
    time and concentrate on others.

    But I'm writing about infosec. There's too much to leave it for long ...

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.36
    ************************
     
  8. LakeGator

    Risks Digest 31.37

    RISKS List Owner

    Aug 19, 2019 8:41 PM

    Posted in group: comp.risks

    RISKS-LIST: Risks-Forum Digest Monday 19 August 2019 Volume 31 : Issue 37

    ACM FORUM ON RISKS TO THE PUBLIC IN COMPUTERS AND RELATED SYSTEMS (comp.risks)
    Peter G. Neumann, moderator, chmn ACM Committee on Computers and Public Policy

    ***** See last item for further information, disclaimers, caveats, etc. *****
    This issue is archived at <http://www.risks.org> as
    <The Risks Digest>
    The current issue can also be found at
    <http://www.csl.sri.com/users/risko/risks.txt>

    Contents:
    Russian nuclear-powered cruise missile blows up, creating
    `mini-Chernobyl' (Ars Technica)
    Facial recognition software mistook 1 in 5 California lawmakers
    for criminals, says ACLU (LATimes)
    Major breach found in biometrics system (The Guardian)
    Security Database leak reveals: Biometric data, plaintext passwords
    and much more... (VPN Mentor)
    "Researchers Use Blockchain to Drive Electric Vehicle Infrastructure"
    (U.Waterloo)
    "Why blockchain-based voting could threaten democracy" (Lucas Mearian)
    Steam vulnerability reportedly exposes Windows gamers to system hijacking
    (Charlie Osborne)
    Critical Windows 10 Warning: Millions Of Users At Risk (Forbes via
    Gabe Goldberg)
    Null is Not Nothing (WiReD)
    Trend Micro fixes privilege escalation security flaw in Password Manager
    (Charlie Osborne)
    Ransomware Attack Hits 20 Local Governments In Texas (Kut)
    Computer Outage Delays International Travelers Arriving at Dulles
    (NBC4 Washington)
    London Exchange Is Delayed by Technical Problem (NYTimes)
    Cascading Effect of putting your data in a single cloud basket (Telus)
    Electric car charging stations may be portals for power grid
    cyber-attacks (Tech Xplore)
    How Flat Earthers Nearly Derailed a Space Photo Book (NYTimes)
    Hack in the box: Hacking into companies with "warshipping" (Ars Technica)
    Re: These Legit-Looking iPhone Lightning Cables Will Hijack Your Computer
    (Chiaki Ishikawa)
    Re: Password policy recommendations: Here's what you need to know
    (R A Lichensteiger, Gabe Goldberg)
    Re: Climate change: how the jet stream is changing your weather
    (R. G. Newbury)
    Abridged info on RISKS (comp.risks)

    ----------------------------------------------------------------------

    Date: Tue, 13 Aug 2019 11:29:00 +0900
    From: Dave Farber <far...@gmail.com>
    Subject: Russian nuclear-powered cruise missile blows up, creating
    `mini-Chernobyl' (Ars Technica)

    Atomic research agency acknowledges "isotope power source" of "rocket
    engine" exploded.

    Ars Technica: Russian nuclear-powered cruise missile blows up, creating “mini-Chernobyl” — Ars Technica

    ------------------------------

    Date: August 14, 2019 at 9:45:24 AM GMT+9
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Facial recognition software mistook 1 in 5 California lawmakers
    for criminals, says ACLU (LATimes)

    Facial recognition software mistook 1 in 5 California lawmakers for criminals, says ACLU

    ------------------------------

    Date: Wed, 14 Aug 2019 17:59:51 +0300
    From: Amos Shapir <amo...@gmail.com>
    Subject: Major breach found in biometrics system (The Guardian)

    Israeli security researchers have found that a database belonging to
    web-based Biostar 2 biometrics lock system, was unprotected and mostly
    unencrypted. It exposed fingerprints of over 1 million people, as well as
    facial recognition information, unencrypted usernames and passwords, and
    personal information of employees.

    Major breach found in biometrics system used by banks, UK police and defence firms

    [Also noted by John Utteridge. PGN]

    ------------------------------

    Date: Wed, 14 Aug 2019 14:16:39 +0200
    From: Anthony Thorn <anthon...@atss.ch>
    Subject: Security Database leak reveals: Biometric data, plaintext passwords
    and much more... (VPN Mentor)

    A huge data breach in security platform BioStar 2:
    Report: Data Breach in Biometric Security Platform Affecting Millions of Users

    If this leak -- discovered by Vpnmentor researchers -- has been exploited by
    criminals the results would be disastrous.

    According to Vpnmentor blog, the database contains plaintext -- *not* hashed
    -- passwords and biometric data for millions of users.

    These users are employees of firms using the Biostar 2 access control
    application (including administrators).

    You can change a compromised password, but your fingerprint is not only
    fixed, but shared across all applications which use fingerprint recognition.
    What is your contingency plan?
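
    The post's central point is that the leaked BioStar 2 passwords were stored
    in plaintext rather than hashed. The following is an added example (not
    code from the VPN Mentor report or from BioStar) showing the storage
    pattern a leak like this should have met: each password is run through a
    salted, iterated key-derivation function, so a dump of the table yields
    only per-user salts and digests rather than reusable credentials. The
    record format `pbkdf2_sha256$iterations$salt$digest` and the iteration
    count are my own choices for the example; the fingerprint templates the
    post also mentions have no equivalent protection, since a template cannot
    be rotated the way a password can.

```python
"""Added example: salted, iterated password hashing versus plaintext storage.

Not BioStar's code; the record format and iteration count are assumptions
chosen for this illustration.
"""
import hashlib
import hmac
import os
from typing import Optional

# PBKDF2-HMAC-SHA256 work factor. Kept moderate so the example runs quickly;
# production deployments tune this upward (or use scrypt/Argon2).
PBKDF2_ITERATIONS = 200_000
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a storable record from a password.

    The record is self-describing ('algo$iters$salt_hex$digest_hex') so the
    work factor can be raised later without invalidating existing rows. A
    fresh 16-byte random salt is drawn per user unless one is supplied.
    """
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{ALGORITHM}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against a stored record without ever storing
    the password itself. Comparison is constant-time to avoid leaking how
    many leading bytes of the digest matched."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False  # unknown or malformed record: fail closed
    _, iters, salt_hex, digest_hex = parts
    try:
        salt = bytes.fromhex(salt_hex)
        iterations = int(iters)
    except ValueError:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def leaked_table_reveals_passwords(store: dict) -> bool:
    """Simulate what a dumped credentials table gives an attacker: with
    plaintext storage the stored value *is* the password and logs in directly;
    with hashed storage the stored value does not."""
    return any(value == "hunter2" for value in store.values())


if __name__ == "__main__":
    # Constructed sample accounts, both using the same weak password.
    plaintext_store = {"alice": "hunter2", "bob": "hunter2"}
    hashed_store = {name: hash_password("hunter2") for name in plaintext_store}

    print("plaintext dump usable:", leaked_table_reveals_passwords(plaintext_store))
    print("hashed dump usable:   ", leaked_table_reveals_passwords(hashed_store))
    # Per-user salts mean identical passwords do not produce identical rows.
    print("alice == bob record:  ", hashed_store["alice"] == hashed_store["bob"])
    print("login works:          ", verify_password("hunter2", hashed_store["alice"]))
```

    The point the post makes about contingency planning still stands even
    with this in place: a hashed table limits the damage of a password leak,
    but nothing comparable exists for a leaked fingerprint.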

    ------------------------------

    Date: Mon, 19 Aug 2019 11:51:25 -0400
    From: ACM TechNews <technew...@acm.org>
    Subject: "Researchers Use Blockchain to Drive Electric Vehicle Infrastructure"
    (U.Waterloo)

    University of Waterloo News (14 Aug 2019) via ACM TechNews, 19 Aug 2019

    Researchers in the Cheriton School of Computer Science and the Department of
    Management Science of Canada's University of Waterloo have incorporated
    blockchain into energy systems, which could expand charging infrastructure
    for electric vehicles (EVs). An open blockchain platform will give EV
    owners, property owners, and charging service operators access to charging
    data, and alert them to tampering; EV owners will be able to see whether
    they are being overcharged for charging their vehicles, and property owners
    will be alerted to instances of underpayment. Said Waterloo's Christian
    Gorenflo, "Mitigating trust issues in EV charging could result in people who
    have charging stations and even those who just have an outdoor outlet being
    much more willing to team up with an EV charging service provider, resulting
    in much better coverage of charging stations."
    https://orange.hosting.lsoft.com/trk/click?ref=znwrbbrs9_6-21235x21d3e7x069144&

    ------------------------------

    Date: Tue, 13 Aug 2019 11:34:28 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: "Why blockchain-based voting could threaten democracy"
    (Lucas Mearian)

    Lucas Mearian, Computerworld
    As the desire to increase voter turnout remains strong and the number of
    online voting pilot projects rises in the U.S. and abroad, some security
    experts warn any Internet-based election system is wide open to attack,
    regardless of the underlying infrastructure.
    Why blockchain-based voting could threaten democracy

    selected text:

    Even as there's been an uptick in pilot projects, security experts warn that
    blockchain-based mobile voting technology is innately insecure and
    potentially a danger to democracy through "wholesale fraud" or "manipulation
    tactics."

    Thirty-two states permit various kinds of online voting -- such as via email
    -- for some subset of voters. In the 2016 general election, more than 100,000
    ballots were cast online, according to data collected by the U.S. Election
    Assistance Commission. The actual number is likely much higher, according to
    some experts.

    "Tampering with mailed paper ballots is a one-at-a-time attack. Infecting
    voters' computers with malware or infecting the computers in the elections
    office that handle and count ballots are both effective methods for
    large-scale corruption," Epstein said.

    ------------------------------

    Date: Tue, 13 Aug 2019 12:03:23 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Steam vulnerability reportedly exposes Windows gamers to system
    hijacking (Charlie Osborne)

    Charlie Osborne for Zero Day | 13 Aug 2019
    The researcher was asked not to disclose the bug but did so anyway.
    Steam vulnerability reportedly exposes Windows gamers to system hijacking | ZDNet

    The Steam gaming platform reportedly contained a severe vulnerability which
    could subject users to privilege escalation attacks but was not considered
    in scope for Valve to fix.

    "So, two weeks after my message, which was sent on July 20, a person
    appears, who tells me that my report was marked as not applicable, they
    closed the discussion and wouldn't offer any explanation to me," Kravets
    said. "Moreover, they didn't want me to disclose the vulnerability. At the
    same time, there was not even a single word from Valve."

    ------------------------------

    Date: Tue, 13 Aug 2019 15:13:36 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Critical Windows 10 Warning: Millions Of Users At Risk (Forbes)

    As the Black Hat security conference comes to an end in Las Vegas, so the
    DEF CON hacker convention begins. It didn't take long for the first critical
    warnings for Windows users to emerge as a result. This one is particularly
    worrying as, according to the Eclypsium researchers who gave the
    presentation, the issue applies "to all modern versions of Microsoft
    Windows," which leaves millions of Windows 10 users at risk of system
    compromise. What did the researchers reveal?

    In a nutshell, the researcher found a common design flaw within the hardware
    device drivers from multiple vendors including Huawei, Intel, NVIDIA,
    Realtek Semiconductor, SuperMicro and Toshiba. In total, the number of
    hardware vendors affected runs to 20 and includes every major BIOS
    vendor. The nature of the vulnerability has the potential for the widespread
    compromise of Windows 10 machines.

    Critical Windows 10 Warning: Millions Of Users At Risk

    [Gabe later added this on 18 Aug 2019:]

    Microsoft Confirms Update Warning For Windows 10, Windows 8.1 And Windows 7
    Users

    The latest Patch Tuesday update from Microsoft included several critical
    security fixes. Unfortunately, as Microsoft has now confirmed, it also
    borked some things. If you haven't applied that August 13 update and are
    running on Windows 10, Windows 8.1 or Windows 7, you may want to read this
    before you do. What's the problem with the latest Patch Tuesday Windows
    update?

    Microsoft has confirmed a bunch of "known issues" with the August 13 Windows
    update. Some, such as the "black screen during first logon after installing
    updates" issue, have hit users after previous updates. That can be filed in
    the annoying but ultimately not much to worry about folder: it only impacts
    a "small number" of users and only the first time they logon after the
    update.

    Anything that impacts millions of users is a far more serious thing. And so
    it is that Microsoft has confirmed that this Patch Tuesday update does just
    that.

    "After installing this update, applications that were made using Visual
    Basic 6 (VB6), macros using Visual Basic for Applications (VBA), and scripts
    or apps using Visual Basic Scripting Edition (VBScript) may stop responding
    and you may receive an "invalid procedure call error," Microsoft has stated.

    Microsoft Confirms Update Warning For Windows 10, Windows 8.1 And Windows 7 Users

    [The risk? Automatic updates? GG]

    ------------------------------

    Date: Wed, 14 Aug 2019 10:58:59 -0400
    From: David Lesher <wb8...@panix.com>
    Subject: Null is Not Nothing (WiReD)

    "Security researcher Joseph Tartaro thought NULL would make a fun license
    plate. He's never been more wrong."

    <How a 'NULL' License Plate Landed One Hacker in Ticket Hell>

    An old risk comes back to life (RISKS-6.40) and many other cases.

    Little Johnny Tables <Exploits of a Mom> comes to mind, too.

    [David, Thanks. You have a good memory back to 9 Mar 1988. PGN]

    [Also noted by Gabe Goldberg, who remarked,
    "Nice to see the old standards are still playing..."
    PGN]
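
    The NULL-plate story is an instance of a sentinel value colliding with
    real data. As an added illustration (not code from the WiReD article and
    not a description of any DMV system), the block below assumes the
    mechanism that usually produces this outcome: a text export writes the
    word `NULL` for a ticket with no plate recorded, and a downstream matcher
    compares strings, so every plate-less ticket lands on the owner of the
    plate "NULL". The fixed variant keeps the missing value out of band as an
    SQL NULL, which never compares equal to any string. All plates, owners and
    fines are constructed sample data.

```python
"""Added example: the string 'NULL' versus a missing value (SQL NULL).

Sample data is constructed; the buggy export path is an assumed mechanism.
"""
import sqlite3

# Constructed registrations and tickets. Tickets 2 and 3 were written with no
# plate recorded (SQL NULL); ticket 4 really belongs to the plate "NULL".
REGISTRATIONS = [("NULL", "J. Tartaro"), ("ABC123", "A. Driver")]
TICKETS = [(1, "ABC123", 40.0), (2, None, 35.0), (3, None, 60.0), (4, "NULL", 25.0)]


def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE registrations(plate TEXT PRIMARY KEY, owner TEXT NOT NULL);
        CREATE TABLE tickets(id INTEGER PRIMARY KEY, plate TEXT, fine REAL NOT NULL);
        """
    )
    conn.executemany("INSERT INTO registrations VALUES (?, ?)", REGISTRATIONS)
    conn.executemany("INSERT INTO tickets VALUES (?, ?, ?)", TICKETS)
    return conn


def export_plate_buggy(plate):
    # Assumed legacy behaviour: a flat-file export spells a missing plate as
    # the literal word NULL, indistinguishable from the characters N-U-L-L.
    return "NULL" if plate is None else plate


def fines_owed_buggy(conn: sqlite3.Connection, owner: str) -> float:
    """Matcher that compares the exported text. Any ticket whose plate was
    never recorded now matches the registration for the plate 'NULL'."""
    plates = {r[0] for r in conn.execute(
        "SELECT plate FROM registrations WHERE owner = ?", (owner,))}
    total = 0.0
    for plate, fine in conn.execute("SELECT plate, fine FROM tickets"):
        if export_plate_buggy(plate) in plates:
            total += fine
    return total


def fines_owed_fixed(conn: sqlite3.Connection, owner: str) -> float:
    """Join on the column directly: SQL NULL is not equal to anything, so
    plate-less tickets stay unassigned and 'NULL' matches only itself."""
    row = conn.execute(
        """
        SELECT COALESCE(SUM(t.fine), 0.0)
        FROM registrations r JOIN tickets t ON t.plate = r.plate
        WHERE r.owner = ?
        """,
        (owner,),
    ).fetchone()
    return float(row[0])


def unassigned_tickets(conn: sqlite3.Connection) -> list:
    """Tickets that need manual follow-up instead of a guessed owner."""
    return [r[0] for r in conn.execute(
        "SELECT id FROM tickets WHERE plate IS NULL ORDER BY id")]


if __name__ == "__main__":
    db = build_db()
    print("buggy  J. Tartaro owes:", fines_owed_buggy(db, "J. Tartaro"))
    print("fixed  J. Tartaro owes:", fines_owed_fixed(db, "J. Tartaro"))
    print("tickets with no plate: ", unassigned_tickets(db))
```

    The defensive rule the example encodes is the one behind both this item
    and the Bobby Tables cartoon it pairs with: data and control markers must
    travel in separate channels, whether the marker is a missing-value
    sentinel or a query delimiter.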

    ------------------------------

    Date: Thu, 15 Aug 2019 10:14:06 -0700
    From: Gene Wirchenko <ge...@shaw.ca>
    Subject: Trend Micro fixes privilege escalation security flaw in Password
    Manager

    Charlie Osborne for Zero Day | 15 Aug 2019
    The vulnerability could be used for privilege escalation and code
    execution attacks.
    Trend Micro fixes privilege escalation security flaw in Password Manager | ZDNet

    ------------------------------

    Date: Sat, 17 Aug 2019 10:27:16 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Ransomware Attack Hits 20 Local Governments In Texas (Kut)

    A coordinated ransomware attack has affected at least 20 local government
    entities in Texas, the Texas Department of Information Resources said. It
    would not release information about which local governments have been
    affected.

    The department said the Texas Division of Emergency Management is
    coordinating support from other state agencies through the Texas State
    Operations Center at DPS headquarters in Austin.

    DIR said the Texas Military Department and the Texas A&M University
    Systems' Cyber-response and Security Operations Center teams are deploying
    resources to "the most critically impacted jurisdictions."...

    Ransomware Attack Hits Local Governments In Texas

    ------------------------------

    Date: Fri, 16 Aug 2019 17:28:16 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Computer Outage Delays International Travelers Arriving at Dulles
    (NBC4 Washington)

    Customs and Border Protection computers are down nationwide, and
    international arrivals at Dulles International Airport are being delayed,
    according to the Metropolitan Washington Airports Authority.

    CBP officers are processing passengers manually

    Some passengers say they have been waiting for two hours at passport
    control.

    "CBP is experiencing a temporary outage with its processing systems at
    various air ports of entry & is taking immediate action to address the
    technology disruption," the agency tweeted. "CBP officers continue to
    process international travelers using alternative procedures until systems
    are back online."

    [Reportedly, at least 5,000 passengers stuck in line. PGN]

    [Monty Solomon noted Officials said service was restored after about two
    hours but travelers then faced long waits to be processed.
    Customs Computer Failure Snarls Passengers at U.S. Airports
    PGN]

    ------------------------------

    Date: Fri, 16 Aug 2019 13:13:02 -0400
    From: Monty Solomon <mo...@roscom.com>
    Subject: London Exchange Is Delayed by Technical Problem (NYTimes)

    London Stock Exchange Delays Opening After Technical Problem

    Opening of trading was pushed back one hour and 40 minutes as the stock exchange tried to determine the cause.

    ------------------------------

    Date: Mon, 19 Aug 2019 15:45:16 -0400
    From: Kelly Bert Manning <bo...@freenet.carleton.ca>
    Subject: Cascading Effect of putting your data in a single cloud basket
    (Telus)

    Most business and home TELUS e-mail customers have been impacted to a large
    degree by a telus.net e-mail outage that began Aug 15 and is still
    affecting some customers across Alberta and BC, as well as customers trying
    to connect from elsewhere.

    The outage was aggravated by the lack of information. TELUS kept saying that
    the Root Cause was unknown until Aug 19, when reports began to surface
    attributing the outage to a failed Dell EMC Cloud server repair:

    TELUS Email Outage - TELUS Email Support | TELUS

    "This issue occurred during an overnight update to our servers in the early
    hours of Thursday, August 15, in partnership with our vendor Dell EMC, when
    a flawed repair procedure took the TELUS.net email system offline."

    My experience was that POP connection attempts fared better than web mail or
    IMAP. There is apparently some risk of at least temporary e-mail loss for
    customers who kept their e-mail on TELUS servers, rather than downloading
    it.

    Generally TELUS has a well earned reputation for Continuous Availability and
    ability to roll back failed updates promptly.

    Businesses that have come to rely on e-mail for orders and other functions
    have been heavily impacted. My personal view, using e-mail for work since
    the 1980s, is that it is not yet a reliable or secure form of business
    communication. This reminded me of Dr. Nancy Leveson's analogy of Software
    and the early days of high pressure steam. The economic incentive to push
    ahead with unreliable, potentially unsafe, methods overwhelmed the voices of
    caution. If you pushed ahead you made money faster, until the boiler blew up
    on your workers.

    Cloud seems to have been motivated by the idea of simplifying the addition
    and management of servers and storage. Looks like there is some work to be
    done to balance that saving against the risk of you and your customers being
    impacted for days at a time if something in the cloud goes wrong.

    ------------------------------

    Date: Sat, 17 Aug 2019 10:33:59 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Electric car charging stations may be portals for power grid
    cyber-attacks (Tech Xplore)

    Electric cars are an essential component of a lower-carbon future, but a new
    report from researchers at the New York University Tandon School of
    Engineering raises the specter that plug-in electric vehicles -- and the
    charging stations that supply them -- could be prime vectors for
    cyber-attacks on urban power grids.

    "In simulations using publicly available information about charging station
    usage in Manhattan and the structure of the island's power grid, our
    research team found that a fleet of just roughly 1,000 simultaneously
    charging electric vehicles would be adequate for mounting an attack whose
    effects could rival the blackout that affected the city's West Side last
    month," said Yury Dvorkin, assistant professor in NYU Tandon's Department of
    Electrical and Computer Engineering.

    NYU Tandon doctoral candidate Samrat Acharya led the research in
    collaboration with Dvorkin and Professor Ramesh Karri, also from the
    Department of Electrical and Computer Engineering.

    "This simulation is a wake-up call to the public and policymakers, and an
    encouragement to take steps to protect the data generated between electric
    cars and charging stations -- most of which could be co-opted by a hacker
    with college-level skills," Dvorkin said...

    Electric car charging stations may be portals for power grid cyberattacks

    ------------------------------

    Date: Fri, 16 Aug 2019 16:55:30 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: How Flat Earthers Nearly Derailed a Space Photo Book (NYTimes)

    What a photographer's struggle to raise money for his book of images tells
    us about Facebook and conspiracy theorists.

    About 24 hours after the ads were approved, he got a notification telling
    him the ad had been removed. He resubmitted it. It was accepted -- and then
    removed again -- 15 or 20 times, he said. The explanation given: He had run
    "misleading ads that resulted in high negative feedback." He understood that
    it was Facebook's algorithm that rejected the ads, not a person. Getting
    additional answers proved difficult, a common complaint with advertising on
    Facebook. The best clues he could find came in the comments under the ads,
    which he and his colleagues captured in screenshots before they were removed
    and in responses to other posts about the project: There were phrases such
    as "The original moon landing technology." Some comments were hard to gauge,
    with users insisting that the earth was flat but that they'd buy the book
    anyway.

    <‘The underlying arrogance’: Media buyers are frustrated with Google and Facebook ad reps - Digiday>

    ------------------------------

    Date: Sat, 17 Aug 2019 10:46:06 -1000
    From: the keyboard of geoff goodfellow <ge...@iconia.com>
    Subject: Hack in the box: Hacking into companies with "warshipping"
    (Ars Technica)

    (More on Warshipping in RISKS-31.36)

    *For under $100, compact hardware can turn a shipped package into a Trojan
    horse for attacks.* (Ars Technica)
    Hack in the box: Hacking into companies with “warshipping”

    Penetration testers have long gone to great lengths to demonstrate the
    potential chinks in their clients' networks before less friendly attackers
    exploit them. But in recent tests by IBM's X-Force Red, the penetration
    testers never had to leave home to get in the door at targeted sites, and
    the targets weren't aware they were exposed until they got the bad news in
    report form. That's because the people at X-Force Red put a new spin on
    sneaking in -- something they've dubbed "warshipping."

    [Long item truncated for RISKS. PGN]

    ------------------------------

    Date: Thu, 15 Aug 2019 10:08:17 +0900
    From: "ISHIKAWA,chiaki" <ishi...@yk.rim.or.jp>
    Subject: Re: These Legit-Looking iPhone Lightning Cables Will Hijack Your
    Computer (VICE)

    So this cable allows an attacker to access the connected computer. The
    implant must have a Wi-Fi component as well, since it accesses the computer
    via Wi-Fi using the cable as an antenna.

    Silent or passive monitoring of the data that flows, and sending it out via
    a low-power radio signal, seems to have been favored by spy agencies until
    Snowden released such a trick in one of his documents on WikiLeaks.

    I recall a USB cable for this purpose. Around the 1996-2000 time frame, I
    noticed a USB cable with a mysterious chip embedded inside (inside the plug
    portion). I found it in a photo blog of a second-hand parts shop in
    Akihabara. Initially, I thought this could be similar to APC's UPS control
    cable, which has some components inside (for a proprietary connection, I
    guess). But it did not make sense, and the cable did act as an ordinary USB
    cable.

    Years later, when I read the WikiLeaks document, I realized that the cables
    could have been used as a spying tool.

    My scenario was like this:

    A large company bought a ton of PCs from Lenovo/Dell/HP/Fujitsu/NEC/etc.,
    you name it. The agent that delivered the PCs first assembled them in a
    warehouse before shipping them to the customer site (a big trading
    agency/bank or even a Japanese government office?). Then the warehouse was
    "attacked" and all the USB cables inside the PC delivery boxes were replaced
    with this spying cable. However, back then, rack computers were expensive
    and scarce. Many startup e-Commerce companies used ordinary PCs sans PCs and
    keyboards to act as rack computers. Thus most, if not all, of the delivered
    keyboards and USB cables were dumped on the second-hand market. Thus they were
    sold at an outlet in Akihabara and noticed by the store clerk, who
    accidentally broke the plug, found the strange implant, opened a few
    others and found the implants there, too. And since he posted the strange
    USB cable that works on the shop blog with a photo, I noticed it.

    Nobody knows how that cable was used for spying, or where. Inquiring minds
    want to know. The cable was so strange, and this is why I remembered it
    until I read the WikiLeaks document.

    ------------------------------

    Date: Tue, 13 Aug 2019 16:31:34 -0400
    From: R A Lichtensteiger <ra...@tifosi.com>
    Subject: Re: Password policy recommendations: Here's what you need to know
    (Goldberg, RISKS-31.36)

    I think the true RISK here is an article like this that propagates the myth
    that the password complexity rules from NIST's 1980s era document are STILL
    a good idea.

    I find it especially egregious that the author of this article chose to
    reference NIST SP-800-63b while espousing overly complex password rules.

    Permit me to quote from the appendix to that document:

    Highly complex memorized secrets introduce a new potential vulnerability:
    they are less likely to be memorable, and it is more likely that they will
    be written down or stored electronically in an unsafe manner

    Worse, because it was touted on a large computer company website, this
    article might give weight to their inanity.

    ------------------------------

    Date: Thu, 15 Aug 2019 16:31:19 -0400
    From: Gabe Goldberg <ga...@gabegold.com>
    Subject: Re: Password policy recommendations: Here's what you need to know
    (Lichtensteiger, RISKS-31.37)

    Second part of sentence you quote: "but new recommendations have led to
    changes around password policies". After recapping password history, article
    notes new defaults, changes, resources:

    The default levels are changing

    But in May 2019, Microsoft announced changes in the Security Baselines for
    Windows 10 and Windows Server build 1903
    <Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903>:
    The minimum and maximum password ages will no longer be set in the baselines
    and therefore will not be enforced.

    Microsoft cites research (see "An Administrator's Guide to Internet Password
    Research <https://cormac.herley.org/docs/WhatsaSysadminToDo.pdf>" and "The
    Security of Modern Password Expiration
    <https://www.cs.unc.edu/~reiter/papers/2010/CCS.pdf>") to claim that
    password expiration policies are no longer considered to have great
    value. Other measures, such as checking lists of banned passwords, are more
    effective. As they note, Windows Group Policies don't provide for checking
    such lists, so neither can the Security Baselines, which is a good example
    of why you should not rely only on the baselines. Microsoft offers some of
    the more advanced capabilities in Azure AD Password Protection
    <https://techcommunity.microsoft.com...d-Smart-Lockout-are-now-in-Public/ba-p/245423>.

    Password complexity: The ground rules

    What is the default Windows password complexity policy
    <https://docs.microsoft.com/en-us/wi...gs/password-must-meet-complexity-requirements>?

    * The password may not contain the account name or variations on the
    account name.
    * It must contain characters from three of the following five groups
    (quoted from the Microsoft document):
    o Uppercase letters of European languages (A through Z, with
    diacritical marks, Greek and Cyrillic characters)
    o Lowercase letters of European languages (A through Z, sharp S,
    with diacritical marks, Greek and Cyrillic characters)
    o Base 10 digits (0 through 9); non-alphanumeric characters
    (special characters): (~!@#$%^&*_-+=`|\(){}[]:;"'<>,.?/)
    o Currency symbols such as the euro or British pound are not
    counted as special characters for this policy setting.
    o Any Unicode character that is categorized as an alphabetic
    character but is not uppercase or lowercase. This includes
    Unicode characters from Asian languages.

    Everyone who has had to deal with these policies, which are enabled
    in the Security Baselines, knows what a pain they can be. As the Microsoft
    document says, enabling the policies "may cause some additional help desk
    calls for locked-out accounts because users might not be used to having
    passwords that contain characters other than those found in the
    alphabet. However, this policy setting is liberal enough that all users
    should be able to abide by the requirements with a minor learning curve."

    The default password length requirement
    <https://docs.microsoft.com/en-us/wi...urity-policy-settings/minimum-password-length>
    is seven characters, but elsewhere Microsoft recommends eight characters, as
    do the NIST requirements. In the Security Baselines, the minimum password
    length is 14 characters.

    The NIST policies specifically reject (though they do not ban) complexity
    requirements. Microsoft has not removed the default imposition of these
    requirements from Windows or the Security Baselines, but it may be a change
    you want to make yourself.

    If you want finer control of password filtering but want to stick with
    Active Directory
    <https://www.hpe.com/us/en/insights/...our-windows-server-system-right-now-1812.html>,
    you can replace Microsoft's standard Passfilt.dll
    <https://docs.microsoft.com/en-us/windows/desktop/secmgmt/password-filters>
    with a commercial one or write one yourself, as Yelp did, based on an open
    source implementation
    <https://engineeringblog.yelp.com/2018/04/ad-password-blacklisting.html>.
    Examples of commercial replacements are those from nFront Security
    <https://nfrontsecurity.com/products/nfront-password-filter/>, ManageEngine
    <https://www.manageengine.com/products/self-service-password/password-policy-enforcer.html>,
    and Anixis <https://anixis.com/products/ppe/faq.htm>. Using one of these
    replacements, you can implement current best practices within your otherwise
    standard Active Directory infrastructure. SecLists keeps a collection of
    many large common password lists.
    <https://github.com/danielmiessler/SecLists/tree/master/Passwords/Common-Credentials>

    Beyond banned passwords

    Banned password lists are useful, but another way may be better. Have I Been
    Pwned <https://haveibeenpwned.com/> is a site that keeps records of major
    user ID and password breaches and allows you to check whether any of your
    logins have been compromised.

    The site was built and is maintained by Troy Hunt, a Microsoft regional
    director <https://rd.microsoft.com/en-us/> and well-known security
    expert. It has data on 369 breached sites and 7,860,402,548 breached
    accounts. The site also has an API that allows you to check whether a
    particular account has been breached or just if a particular password exists
    in the breach database.
    <https://haveibeenpwned.com/API/v2#PwnedPasswords>

    Hunt thinks that, once a list is as large as his, it is ``exceptionally
    unlikely to have anything outside that collection which is both terrible and
    actively used.'' The answer is to check against the separate Pwned
    Passwords database <https://haveibeenpwned.com/Passwords>, which contains
    551 million passwords that have been in one or more of the breaches, using
    its API. Hunt says he would set a minimum of six characters and then block
    anything that shows up in Pwned Passwords. One more tip from Hunt: ``I'd
    block every variation of the company name; nobody on the Acme Corp. website
    can use AcmeCorp, AcmeCorp1, AcmeC0rp, etc.''

    If you want to use the Pwned Passwords API, you can build on one of the many
    projects already doing so
    <https://haveibeenpwned.com/API/Consumers>. Typically, they create an
    environment-native interface to the API, such as with the many PHP
    libraries, Python and Perl scripts, WordPress plugins, and Java clients, as
    well as an IFTTT recipe.

    In addition to many weak passwords, Pwned Passwords has a large number of
    passwords that would satisfy any set of complexity rules, so it might seem
    to be overkill. But compared with the range of possible passwords, 551
    million isn't as big a number as it seems. Nearly all of my own passwords
    are randomly generated by my password manager, but I tested several
    passwords I made up on my own in recent years, and none appear in the Pwned
    Passwords database. So maybe relying on Hunt's API and a minimum length and
    blocking organization name variants is the easiest route to strong
    protection.

    I wrote a program to check the contents of one of the SecLists lists of
    `common credentials' against the Pwned Passwords database. All but 3,663 of
    262,000 passwords tested were in Pwned Passwords, and more than half of
    those that weren't had fewer than eight characters. Perhaps this means that
    Hunt is right that checking banned password lists is largely redundant,
    though if you're going to check one or the other, it's easy enough to check
    both.

    But all of this is about usernames and passwords, a technology that we
    should all hope will someday be deprecated. At the same time you make sure
    your passwords are strong, move forward with multifactor authentication
    <https://www.hpe.com/us/en/insights/...entication-is-finally-getting-smart-1808.html>
    and biometrics
    <https://www.hpe.com/us/en/insights/...o-providing-id-for-the-marginalized-1903.html>
    that bypass the inherent problems with passwords.

    Password policy best practices: Lessons for leaders

    * Stay up to date with recommendations for creating and maintaining
    secure passwords.
    * Minimize opportunities for user password failures.
    * Make use of public databases of password failures and account breaches.

    ------------------------------

    Date: Tue, 13 Aug 2019 00:39:25 -0400
    From: "R. G. Newbury" <new...@mandamus.org>
    Subject: Re: Climate change: how the jet stream is changing your weather
    (RISKS-31.36)

    > As temperatures rose across the massive ice sheet, which blankets an area
    > five times the size of Germany, around 60 per cent of the surface
    > started to melt, one of the largest ever recorded.

    Except it didn't:

    And the last sentence is basically a lie. Even if that one station had
    recorded an above zero temperature, it would not mean that 60% of the
    surface was also melting.

    https://wattsupwiththat.com/2019/08/12/greenlands-record-temperature-denied-the-data-was-wrong/

    Now from the Danish Meteorological Institute (DMI), via the news website The
    Local, the cooler reality:

    Danish climate body wrongly reported Greenland heat record

    The Danish Meteorological Institute, which has a key role in monitoring
    Greenland's climate, last week reported a shocking August temperature of
    between 2.7C and 4.7C at the Summit weather station, which is located 3,202m
    above sea level at the centre of the Greenland ice sheet, generating a
    spate of global headlines.

    But on Wednesday it posted a tweet saying that a closer look had shown that
    monitoring equipment had been giving erroneous results.

    ``Was there record-level warmth on the inland ice on Friday? No! A quality
    check has confirmed our suspicion that the measurement was too high.''

    Shoot out the headlines first, ask questions later.

    ------------------------------

    Date: Mon, 14 Jan 2019 11:11:11 -0800
    From: RISKS-...@csl.sri.com
    Subject: Abridged info on RISKS (comp.risks)

    The ACM RISKS Forum is a MODERATED digest. Its Usenet manifestation is
    comp.risks, the feed for which is donated by panix.com as of June 2011.
    => SUBSCRIPTIONS: The mailman Web interface can be used directly to
    subscribe and unsubscribe:
    http://mls.csl.sri.com/mailman/listinfo/risks

    => SUBMISSIONS: to ri...@CSL.sri.com with meaningful SUBJECT: line that
    includes the string `notsp'. Otherwise your message may not be read.
    *** This attention-string has never changed, but might if spammers use it.
    => SPAM challenge-responses will not be honored. Instead, use an alternative
    address from which you never send mail where the address becomes public!
    => The complete INFO file (submissions, default disclaimers, archive sites,
    copyright policy, etc.) is online.
    <http://www.CSL.sri.com/risksinfo.html>
    *** Contributors are assumed to have read the full info file for guidelines!

    => OFFICIAL ARCHIVES: http://www.risks.org takes you to Lindsay Marshall's
    searchable html archive at newcastle:
    http://catless.ncl.ac.uk/Risks/VL.IS --> VoLume, ISsue.
    Also, ftp://ftp.sri.com/risks for the current volume
    or ftp://ftp.sri.com/VL/risks-VL.IS for previous VoLume
    If none of those work for you, the most recent issue is always at
    http://www.csl.sri.com/users/risko/risks.txt, and index at /risks-31.00
    Lindsay has also added to the Newcastle catless site a palmtop version
    of the most recent RISKS issue and a WAP version that works for many but
    not all telephones: http://catless.ncl.ac.uk/w/r
    ALTERNATIVE ARCHIVES: http://seclists.org/risks/ (only since mid-2001)
    *** NOTE: If a cited URL fails, we do not try to update them. Try
    browsing on the keywords in the subject line or cited article leads.
    Apologies for what Office365 and SafeLinks may have done to URLs.
    ==> Special Offer to Join ACM for readers of the ACM RISKS Forum:
    <http://www.acm.org/joinacm1>

    ------------------------------

    End of RISKS-FORUM Digest 31.37
    ************************